From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. 
Signed-off-by: Daniel Baumann --- security/nss/lib/softoken/Makefile | 76 + security/nss/lib/softoken/config.mk | 65 + security/nss/lib/softoken/exports.gyp | 44 + security/nss/lib/softoken/fips_algorithms.h | 182 + security/nss/lib/softoken/fipsaudt.c | 321 + security/nss/lib/softoken/fipstest.c | 797 ++ security/nss/lib/softoken/fipstokn.c | 2080 ++++++ security/nss/lib/softoken/jpakesftk.c | 359 + security/nss/lib/softoken/kbkdf.c | 1520 ++++ security/nss/lib/softoken/legacydb/Makefile | 60 + security/nss/lib/softoken/legacydb/cdbhdl.h | 51 + security/nss/lib/softoken/legacydb/config.mk | 50 + security/nss/lib/softoken/legacydb/dbmshim.c | 539 ++ security/nss/lib/softoken/legacydb/keydb.c | 2274 ++++++ security/nss/lib/softoken/legacydb/keydbi.h | 52 + security/nss/lib/softoken/legacydb/legacydb.gyp | 66 + security/nss/lib/softoken/legacydb/lgattr.c | 1782 +++++ security/nss/lib/softoken/legacydb/lgcreate.c | 1020 +++ security/nss/lib/softoken/legacydb/lgdb.h | 177 + security/nss/lib/softoken/legacydb/lgdestroy.c | 110 + security/nss/lib/softoken/legacydb/lgfind.c | 912 +++ security/nss/lib/softoken/legacydb/lgfips.c | 120 + security/nss/lib/softoken/legacydb/lginit.c | 661 ++ security/nss/lib/softoken/legacydb/lgutil.c | 399 + security/nss/lib/softoken/legacydb/lowcert.c | 854 +++ security/nss/lib/softoken/legacydb/lowkey.c | 388 + security/nss/lib/softoken/legacydb/lowkeyi.h | 148 + security/nss/lib/softoken/legacydb/lowkeyti.h | 130 + security/nss/lib/softoken/legacydb/manifest.mn | 32 + security/nss/lib/softoken/legacydb/nssdbm.def | 31 + security/nss/lib/softoken/legacydb/nssdbm.rc | 68 + security/nss/lib/softoken/legacydb/pcert.h | 228 + security/nss/lib/softoken/legacydb/pcertdb.c | 5350 ++++++++++++++ security/nss/lib/softoken/legacydb/pcertt.h | 418 ++ security/nss/lib/softoken/legacydb/pk11db.c | 731 ++ security/nss/lib/softoken/lgglue.c | 422 ++ security/nss/lib/softoken/lgglue.h | 59 + security/nss/lib/softoken/lowkey.c | 544 ++ 
security/nss/lib/softoken/lowkeyi.h | 70 + security/nss/lib/softoken/lowkeyti.h | 100 + security/nss/lib/softoken/lowpbe.c | 1820 +++++ security/nss/lib/softoken/lowpbe.h | 112 + security/nss/lib/softoken/manifest.mn | 70 + security/nss/lib/softoken/padbuf.c | 49 + security/nss/lib/softoken/pkcs11.c | 5416 ++++++++++++++ security/nss/lib/softoken/pkcs11c.c | 8965 +++++++++++++++++++++++ security/nss/lib/softoken/pkcs11i.h | 977 +++ security/nss/lib/softoken/pkcs11ni.h | 20 + security/nss/lib/softoken/pkcs11u.c | 2563 +++++++ security/nss/lib/softoken/sdb.c | 2469 +++++++ security/nss/lib/softoken/sdb.h | 101 + security/nss/lib/softoken/sftkdb.c | 3047 ++++++++ security/nss/lib/softoken/sftkdb.h | 75 + security/nss/lib/softoken/sftkdbt.h | 12 + security/nss/lib/softoken/sftkdbti.h | 82 + security/nss/lib/softoken/sftkdhverify.c | 6845 +++++++++++++++++ security/nss/lib/softoken/sftkhmac.c | 477 ++ security/nss/lib/softoken/sftkike.c | 1419 ++++ security/nss/lib/softoken/sftkmessage.c | 377 + security/nss/lib/softoken/sftkpars.c | 268 + security/nss/lib/softoken/sftkpwd.c | 1485 ++++ security/nss/lib/softoken/softkver.c | 18 + security/nss/lib/softoken/softkver.h | 27 + security/nss/lib/softoken/softoken.gyp | 111 + security/nss/lib/softoken/softoken.h | 280 + security/nss/lib/softoken/softokn.def | 39 + security/nss/lib/softoken/softokn.rc | 68 + security/nss/lib/softoken/softoknt.h | 46 + security/nss/lib/softoken/tlsprf.c | 198 + 69 files changed, 60726 insertions(+) create mode 100644 security/nss/lib/softoken/Makefile create mode 100644 security/nss/lib/softoken/config.mk create mode 100644 security/nss/lib/softoken/exports.gyp create mode 100644 security/nss/lib/softoken/fips_algorithms.h create mode 100644 security/nss/lib/softoken/fipsaudt.c create mode 100644 security/nss/lib/softoken/fipstest.c create mode 100644 security/nss/lib/softoken/fipstokn.c create mode 100644 security/nss/lib/softoken/jpakesftk.c create mode 100644 security/nss/lib/softoken/kbkdf.c 
create mode 100644 security/nss/lib/softoken/legacydb/Makefile create mode 100644 security/nss/lib/softoken/legacydb/cdbhdl.h create mode 100644 security/nss/lib/softoken/legacydb/config.mk create mode 100644 security/nss/lib/softoken/legacydb/dbmshim.c create mode 100644 security/nss/lib/softoken/legacydb/keydb.c create mode 100644 security/nss/lib/softoken/legacydb/keydbi.h create mode 100644 security/nss/lib/softoken/legacydb/legacydb.gyp create mode 100644 security/nss/lib/softoken/legacydb/lgattr.c create mode 100644 security/nss/lib/softoken/legacydb/lgcreate.c create mode 100644 security/nss/lib/softoken/legacydb/lgdb.h create mode 100644 security/nss/lib/softoken/legacydb/lgdestroy.c create mode 100644 security/nss/lib/softoken/legacydb/lgfind.c create mode 100644 security/nss/lib/softoken/legacydb/lgfips.c create mode 100644 security/nss/lib/softoken/legacydb/lginit.c create mode 100644 security/nss/lib/softoken/legacydb/lgutil.c create mode 100644 security/nss/lib/softoken/legacydb/lowcert.c create mode 100644 security/nss/lib/softoken/legacydb/lowkey.c create mode 100644 security/nss/lib/softoken/legacydb/lowkeyi.h create mode 100644 security/nss/lib/softoken/legacydb/lowkeyti.h create mode 100644 security/nss/lib/softoken/legacydb/manifest.mn create mode 100644 security/nss/lib/softoken/legacydb/nssdbm.def create mode 100644 security/nss/lib/softoken/legacydb/nssdbm.rc create mode 100644 security/nss/lib/softoken/legacydb/pcert.h create mode 100644 security/nss/lib/softoken/legacydb/pcertdb.c create mode 100644 security/nss/lib/softoken/legacydb/pcertt.h create mode 100644 security/nss/lib/softoken/legacydb/pk11db.c create mode 100644 security/nss/lib/softoken/lgglue.c create mode 100644 security/nss/lib/softoken/lgglue.h create mode 100644 security/nss/lib/softoken/lowkey.c create mode 100644 security/nss/lib/softoken/lowkeyi.h create mode 100644 security/nss/lib/softoken/lowkeyti.h create mode 100644 security/nss/lib/softoken/lowpbe.c create mode 
100644 security/nss/lib/softoken/lowpbe.h create mode 100644 security/nss/lib/softoken/manifest.mn create mode 100644 security/nss/lib/softoken/padbuf.c create mode 100644 security/nss/lib/softoken/pkcs11.c create mode 100644 security/nss/lib/softoken/pkcs11c.c create mode 100644 security/nss/lib/softoken/pkcs11i.h create mode 100644 security/nss/lib/softoken/pkcs11ni.h create mode 100644 security/nss/lib/softoken/pkcs11u.c create mode 100644 security/nss/lib/softoken/sdb.c create mode 100644 security/nss/lib/softoken/sdb.h create mode 100644 security/nss/lib/softoken/sftkdb.c create mode 100644 security/nss/lib/softoken/sftkdb.h create mode 100644 security/nss/lib/softoken/sftkdbt.h create mode 100644 security/nss/lib/softoken/sftkdbti.h create mode 100644 security/nss/lib/softoken/sftkdhverify.c create mode 100644 security/nss/lib/softoken/sftkhmac.c create mode 100644 security/nss/lib/softoken/sftkike.c create mode 100644 security/nss/lib/softoken/sftkmessage.c create mode 100644 security/nss/lib/softoken/sftkpars.c create mode 100644 security/nss/lib/softoken/sftkpwd.c create mode 100644 security/nss/lib/softoken/softkver.c create mode 100644 security/nss/lib/softoken/softkver.h create mode 100644 security/nss/lib/softoken/softoken.gyp create mode 100644 security/nss/lib/softoken/softoken.h create mode 100644 security/nss/lib/softoken/softokn.def create mode 100644 security/nss/lib/softoken/softokn.rc create mode 100644 security/nss/lib/softoken/softoknt.h create mode 100644 security/nss/lib/softoken/tlsprf.c (limited to 'security/nss/lib/softoken')
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
new file mode 100644
index 0000000000..68ad05753e
--- /dev/null
+++ b/security/nss/lib/softoken/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_NO_INIT_SUPPORT
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),ppc)
+ifdef USE_64
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # USE_64
+endif # ppc
+endif # Linux
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_DISABLE_DBM
+DIRS=
+endif
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pkcs11c.c in 64-bit mode for unknown reasons. A workaround is
+# to compile it with optimizations turned on. (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pkcs11.o: pkcs11.c | $$(@D)/d
+ $(CC) -o $@ -c -O2 $(CFLAGS) $<
+
+$(OBJDIR)/pkcs11c.o: pkcs11c.c | $$(@D)/d
+ $(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
new file mode 100644
index 0000000000..339f804938
--- /dev/null
+++ b/security/nss/lib/softoken/config.mk
@@ -0,0 +1,65 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+ -L$(SQLITE_LIB_DIR) \
+ -l$(SQLITE_LIB_NAME) \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+ $(SQLITE_LIB_DIR)/$(SQLITE_LIB_NAME).lib \
+ $(NSSUTIL_LIB_DIR)/nssutil3.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+ $(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+ -L$(SQLITE_LIB_DIR) \
+ -l$(SQLITE_LIB_NAME) \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+endif
+
+ifeq ($(OS_TARGET),AIX)
+OS_LIBS += -lpthread
+endif
+
+ifdef NSS_ENABLE_FIPS_INDICATORS
+DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
+endif
+
+ifdef NSS_FIPS_MODULE_ID
+DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
+endif
+
diff --git a/security/nss/lib/softoken/exports.gyp b/security/nss/lib/softoken/exports.gyp
new file mode 100644
index 0000000000..82b9817e6e
--- /dev/null
+++ b/security/nss/lib/softoken/exports.gyp
@@ -0,0 +1,44 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'lib_softoken_exports',
+ 'type': 'none',
+ 'copies': [
+ {
+ 'files': [
+ 'lowkeyi.h',
+ 'lowkeyti.h'
+ ],
+ 'destination': '<(nss_public_dist_dir)/<(module)'
+ },
+ {
+ 'files': [
+ 'pkcs11ni.h',
+ 'sdb.h',
+ 'sftkdbt.h',
+ 'softkver.h',
+ 'softoken.h',
+ 'softoknt.h'
+ ],
+ 'destination': '<(nss_private_dist_dir)/<(module)',
+ 'conditions': [
+ [ 'disable_dbm==0', {
+ 'files': [
+ 'lgglue.h',
+ ]
+ }]
+ ]
+ }
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/softoken/fips_algorithms.h b/security/nss/lib/softoken/fips_algorithms.h
new file mode 100644
index 0000000000..5ead006d57
--- /dev/null
+++ b/security/nss/lib/softoken/fips_algorithms.h
@@ -0,0 +1,182 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Vendors should replace this header file with the file containing those
+ * algorithms which have NIST algorithm Certificates.
+ */
+
+/* handle special cases. Classes require existing code to already be
+ * in place for that class */
+typedef enum {
+ SFTKFIPSNone = 0,
+ SFTKFIPSDH, /* allow only specific primes */
+ SFTKFIPSECC, /* not just keys but specific curves */
+ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
+ SFTKFIPSRSAPSS
+} SFTKFIPSSpecialClass;
+
+typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
+struct SFTKFIPSAlgorithmListStr {
+ CK_MECHANISM_TYPE type;
+ CK_MECHANISM_INFO info;
+ CK_ULONG step;
+ SFTKFIPSSpecialClass special;
+};
+
+SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
+/* A sample set of algorithms to allow basic testing in our continous
+ * testing infrastructure. The vendor version should replace this with
+ * a version that matches their algorithm testing and security policy */
+/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
+ * differs in the following ways:
+ * 1) the addition of step and class elements to help restrict
+ * the supported key sizes and types.
+ * 2) The mechanism flags are restricted to only those that map to
+ * fips approved operations.
+ * 3) All key sizes are in bits, independent of mechanism.
+ * 4) You can add more then one entry for the same mechanism to handle
+ * multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
+ * or where different operations have different key requirements.
+ * This table does not encode all the modules legal FIPS semantics, only
+ * those semantics that might possibly change due to algorithms dropping
+ * of the security policy late in the process. */
+/* handy common flag types */
+#define CKF_KPG CKF_GENERATE_KEY_PAIR
+#define CKF_GEN CKF_GENERATE
+#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
+#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEA CKF_DERIVE
+#define CKF_KDF CKF_DERIVE
+#define CKF_HSH CKF_DIGEST
+#define CK_MAX 0xffffffffUL
+/* mechanisms using the same key types share the same key type
+ * limits */
+#define RSA_FB_KEY 2048, 4096 /* min, max */
+#define RSA_FB_STEP 1
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
+#define RSA_LEGACY_FB_STEP 256
+#define DSA_FB_KEY 2048, 4096 /* min, max */
+#define DSA_FB_STEP 1024
+#define DH_FB_KEY 2048, 4096 /* min, max */
+#define DH_FB_STEP 1024
+#define EC_FB_KEY 256, 521 /* min, max */
+#define EC_FB_STEP 1 /* key limits handled by special operation */
+#define AES_FB_KEY 128, 256
+#define AES_FB_STEP 64
+ { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ /* -------------- RSA Multipart Signing Operations -------------------- */
+ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ /* ------------------------- DSA Operations --------------------------- */
+ { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ /* -------------------- Diffie Hellman Operations --------------------- */
+ /* no diffie hellman yet */
+ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
+ { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
+ /* -------------------- Elliptic Curve Operations --------------------- */
+ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ /* ------------------------- RC2 Operations --------------------------- */
+ /* ------------------------- AES Operations --------------------------- */
+ { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
+ { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
+ /* ------------------------- Hashing Operations ----------------------- */
+ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ /* --------------------- Secret Key Operations ------------------------ */
+ { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ /* ---------------------- SSL/TLS operations ------------------------- */
+ { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ /* sigh, is this algorithm really tested. ssl doesn't seem to have a
+ * way of turning the extension off */
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
+
+ /* ------------------------- HKDF Operations -------------------------- */
+ { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
+ /* ------------------ NIST 800-108 Key Derivations ------------------- */
+ { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ /* --------------------IPSEC ----------------------- */
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ /* ------------------ PBE Key Derivations ------------------- */
+ { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }
+};
+const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/security/nss/lib/softoken/fipsaudt.c b/security/nss/lib/softoken/fipsaudt.c
new file mode 100644
index 0000000000..e0fd641eb8
--- /dev/null
+++ b/security/nss/lib/softoken/fipsaudt.c
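Review bot: The comment `/* no diffie hellman yet */` under the Diffie Hellman heading is stale, since the CKM_DH_PKCS_KEY_PAIR_GEN and CKM_DH_PKCS_DERIVE entries directly below it are live and gated by SFTKFIPSDH; drop it, or replace it with `/* DH entries are further restricted to specific primes by SFTKFIPSDH */` so the table reads consistently. This header also defines the non-static objects sftk_fips_mechs and SFTK_NUMBER_FIPS_ALGORITHMS and carries no include guard, so a second translation unit including it would produce duplicate definitions; a one-line comment next to the vendor note stating that the file is meant to be included exactly once, by the translation unit that owns the table, would make that contract explicit for vendors who replace it. SFTKFIPSRSAPSS is the only enumerator without an explanatory comment, yet it is attached to the legacy-size CKM_SHAxxx_RSA_PKCS verify-only entries as well as to the PSS ones; if the intent is that the special handler also gates those legacy PKCS#1 v1.5 verify entries, a comment on the enumerator saying so would help, and if not, those entries look like they should be SFTKFIPSNone, which is worth confirming against the code that consumes the special class.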
@@ -0,0 +1,321 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * This file implements audit logging required by FIPS 140-2 Security + * Level 2. + */ + +#include "prprf.h" +#include "softoken.h" + +/* + * Print the value of the returned object handle in the output buffer + * on a successful return of the PKCS #11 function. If the PKCS #11 + * function failed or the pointer to object handle is NULL (which is + * the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty + * string is stored in the output buffer. + * + * out: the output buffer + * outlen: the length of the output buffer + * argName: the name of the "pointer to object handle" argument + * phObject: the pointer to object handle + * rv: the return value of the PKCS #11 function + */ +static void +sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen, + const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv) +{ + if ((rv == CKR_OK) && phObject) { + PR_snprintf(out, outlen, + " *%s=0x%08lX", argName, (PRUint32)*phObject); + } else { + PORT_Assert(outlen != 0); + out[0] = '\0'; + } +} + +/* + * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism, + * which uses <= 49 bytes. + */ +#define MECHANISM_BUFSIZE 64 + +static void +sftk_PrintMechanism(char *out, PRUint32 outlen, + CK_MECHANISM_PTR pMechanism) +{ + if (pMechanism) { + /* + * If we change the format string, we need to make sure + * MECHANISM_BUFSIZE is still large enough. We allow + * 20 bytes for %p on a 64-bit platform. 
+ */ + PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}", + pMechanism, (PRUint32)pMechanism->mechanism); + } else { + PR_snprintf(out, outlen, "%p", pMechanism); + } +} + +void +sftk_AuditCreateObject(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phObject, CK_RV rv) +{ + char msg[256]; + char shObject[32]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintReturnedObjectHandle(shObject, sizeof shObject, + "phObject", phObject, rv); + PR_snprintf(msg, sizeof msg, + "C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, " + "phObject=%p)=0x%08lX%s", + (PRUint32)hSession, pTemplate, (PRUint32)ulCount, + phObject, (PRUint32)rv, shObject); + sftk_LogAuditMessage(severity, NSS_AUDIT_LOAD_KEY, msg); +} + +void +sftk_AuditCopyObject(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv) +{ + char msg[256]; + char shNewObject[32]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject, + "phNewObject", phNewObject, rv); + PR_snprintf(msg, sizeof msg, + "C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, " + "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s", + (PRUint32)hSession, (PRUint32)hObject, + pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject); + sftk_LogAuditMessage(severity, NSS_AUDIT_COPY_KEY, msg); +} + +/* WARNING: hObject has been destroyed and can only be printed. */ +void +sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_RV rv) +{ + char msg[256]; + NSSAuditSeverity severity = (rv == CKR_OK) ? 
NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + PR_snprintf(msg, sizeof msg, + "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX", + (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_DESTROY_KEY, msg); +} + +void +sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv) +{ + char msg[256]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + PR_snprintf(msg, sizeof msg, + "C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, " + "pulSize=%p)=0x%08lX", + (PRUint32)hSession, (PRUint32)hObject, + pulSize, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg); +} + +void +sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, CK_RV rv) +{ + char msg[256]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + PR_snprintf(msg, sizeof msg, + "C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, " + "pTemplate=%p, ulCount=%lu)=0x%08lX", + (PRUint32)hSession, (PRUint32)hObject, + pTemplate, (PRUint32)ulCount, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg); +} + +void +sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, CK_RV rv) +{ + char msg[256]; + NSSAuditSeverity severity = (rv == CKR_OK) ? 
NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + PR_snprintf(msg, sizeof msg, + "C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, " + "pTemplate=%p, ulCount=%lu)=0x%08lX", + (PRUint32)hSession, (PRUint32)hObject, + pTemplate, (PRUint32)ulCount, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_CHANGE_KEY, msg); +} + +void +sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv) +{ + char msg[256]; + char mech[MECHANISM_BUFSIZE]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintMechanism(mech, sizeof mech, pMechanism); + PR_snprintf(msg, sizeof msg, + "C_%sInit(hSession=0x%08lX, pMechanism=%s, " + "hKey=0x%08lX)=0x%08lX", + opName, (PRUint32)hSession, mech, + (PRUint32)hKey, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_CRYPT, msg); +} + +void +sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv) +{ + char msg[256]; + char mech[MECHANISM_BUFSIZE]; + char shKey[32]; + NSSAuditSeverity severity = (rv == CKR_OK) ? 
NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintMechanism(mech, sizeof mech, pMechanism); + sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv); + PR_snprintf(msg, sizeof msg, + "C_GenerateKey(hSession=0x%08lX, pMechanism=%s, " + "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s", + (PRUint32)hSession, mech, + pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey); + sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg); +} + +void +sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, + CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv) +{ + char msg[512]; + char mech[MECHANISM_BUFSIZE]; + char shPublicKey[32]; + char shPrivateKey[32]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintMechanism(mech, sizeof mech, pMechanism); + sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey, + "phPublicKey", phPublicKey, rv); + sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey, + "phPrivateKey", phPrivateKey, rv); + PR_snprintf(msg, sizeof msg, + "C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, " + "pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, " + "pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, " + "phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s", + (PRUint32)hSession, mech, + pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount, + pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount, + phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey); + sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg); +} + +void +sftk_AuditWrapKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey, + CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, + CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv) +{ + char msg[256]; + 
char mech[MECHANISM_BUFSIZE]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintMechanism(mech, sizeof mech, pMechanism); + PR_snprintf(msg, sizeof msg, + "C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, " + "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX", + (PRUint32)hSession, mech, (PRUint32)hWrappingKey, + (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv); + sftk_LogAuditMessage(severity, NSS_AUDIT_WRAP_KEY, msg); +} + +void +sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey, + CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey, CK_RV rv) +{ + char msg[256]; + char mech[MECHANISM_BUFSIZE]; + char shKey[32]; + NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR; + + sftk_PrintMechanism(mech, sizeof mech, pMechanism); + sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv); + PR_snprintf(msg, sizeof msg, + "C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, " + "hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, " + "pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s", + (PRUint32)hSession, mech, + (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen, + pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey); + sftk_LogAuditMessage(severity, NSS_AUDIT_UNWRAP_KEY, msg); +} + +void +sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey, CK_RV rv) +{ + char msg[512]; + char mech[MECHANISM_BUFSIZE]; + char shKey[32]; + char sTlsKeys[128]; + NSSAuditSeverity severity = (rv == CKR_OK) ? 
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+ if ((rv == CKR_OK) &&
+ (pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
+ CK_SSL3_KEY_MAT_PARAMS *param =
+ (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
+ CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
+ PR_snprintf(sTlsKeys, sizeof sTlsKeys,
+ " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
+ " hClientKey=0x%08lX hServerKey=0x%08lX",
+ (PRUint32)keymat->hClientMacSecret,
+ (PRUint32)keymat->hServerMacSecret,
+ (PRUint32)keymat->hClientKey,
+ (PRUint32)keymat->hServerKey);
+ } else {
+ sTlsKeys[0] = '\0';
+ }
+ PR_snprintf(msg, sizeof msg,
+ "C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
+ "hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
+ "phKey=%p)=0x%08lX%s%s",
+ (PRUint32)hSession, mech,
+ (PRUint32)hBaseKey, pTemplate, (PRUint32)ulAttributeCount,
+ phKey, (PRUint32)rv, shKey, sTlsKeys);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_DERIVE_KEY, msg);
+}
+
+void
+sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_DIGEST_KEY, msg);
+}
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
new file mode 100644
index 0000000000..6010a50d6c
--- /dev/null
+++ b/security/nss/lib/softoken/fipstest.c
@@ -0,0 +1,797 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSS_FIPS_DISABLED
+#include "seccomon.h"
+#include "blapi.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "pkcs11i.h"
+#include "lowpbe.h"
+
+/*
+ * different platforms have different ways of calling and initial entry point
+ * when the dll/.so is loaded. Most platforms support either a posix pragma
+ * or the GCC attribute. Some platforms suppor a pre-defined name, and some
+ * platforms have a link line way of invoking this function.
+ */
+
+/* The pragma */
+#if defined(USE_INIT_PRAGMA)
+#pragma init(sftk_startup_tests)
+#endif
+
+/* GCC Attribute */
+#if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
+#define INIT_FUNCTION __attribute__((constructor))
+#else
+#define INIT_FUNCTION
+#endif
+
+static void INIT_FUNCTION sftk_startup_tests(void);
+
+/* Windows pre-defined entry */
+#if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
+#include
+
+BOOL WINAPI
+DllMain(
+ HINSTANCE hinstDLL, // handle to DLL module
+ DWORD fdwReason, // reason for calling function
+ LPVOID lpReserved) // reserved
+{
+ // Perform actions based on the reason for calling.
+ switch (fdwReason) {
+ case DLL_PROCESS_ATTACH:
+ // Initialize once for each new process.
+ // Return FALSE to fail DLL load.
+ sftk_startup_tests();
+ break;
+
+ case DLL_THREAD_ATTACH:
+ // Do thread-specific initialization.
+ break;
+
+ case DLL_THREAD_DETACH:
+ // Do thread-specific cleanup.
+ break;
+
+ case DLL_PROCESS_DETACH:
+ // Perform any necessary cleanup.
+ break;
+ }
+ return TRUE; // Successful DLL_PROCESS_ATTACH.
+}
+#endif
+
+/* FIPS preprocessor directives for RSA.
*/
+#define FIPS_RSA_TYPE siBuffer
+#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */
+#define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
+#define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */
+
+/*
+* Test the softoken RSA_HashSign and RSH_HashCheckSign.
+*/
+static SECStatus
+sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,
+ NSSLOWKEYPublicKey *rsa_public_key,
+ NSSLOWKEYPrivateKey *rsa_private_key,
+ const unsigned char *rsa_known_msg,
+ const unsigned int rsa_kmsg_length,
+ const unsigned char *rsa_known_signature)
+{
+ SECOidTag shaOid; /* SHA OID */
+ unsigned char sha[HASH_LENGTH_MAX]; /* SHA digest */
+ unsigned int shaLength = 0; /* length of SHA */
+ unsigned int rsa_bytes_signed;
+ unsigned char rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
+ SECStatus rv;
+
+ if (shaAlg == HASH_AlgSHA1) {
+ if (SHA1_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA1_LENGTH;
+ shaOid = SEC_OID_SHA1;
+ } else if (shaAlg == HASH_AlgSHA256) {
+ if (SHA256_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA256_LENGTH;
+ shaOid = SEC_OID_SHA256;
+ } else if (shaAlg == HASH_AlgSHA384) {
+ if (SHA384_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA384_LENGTH;
+ shaOid = SEC_OID_SHA384;
+ } else if (shaAlg == HASH_AlgSHA512) {
+ if (SHA512_HashBuf(sha, rsa_known_msg,
rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA512_LENGTH;
+ shaOid = SEC_OID_SHA512;
+ } else {
+ goto loser;
+ }
+
+ /*************************************************/
+ /* RSA Single-Round Known Answer Signature Test. */
+ /*************************************************/
+
+ /* Perform RSA signature with the RSA private key. */
+ rv = RSA_HashSign(shaOid,
+ rsa_private_key,
+ rsa_computed_signature,
+ &rsa_bytes_signed,
+ FIPS_RSA_SIGNATURE_LENGTH,
+ sha,
+ shaLength);
+
+ if ((rv != SECSuccess) ||
+ (rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH) ||
+ (PORT_Memcmp(rsa_computed_signature, rsa_known_signature,
+ FIPS_RSA_SIGNATURE_LENGTH) != 0)) {
+ goto loser;
+ }
+
+ /****************************************************/
+ /* RSA Single-Round Known Answer Verification Test. */
+ /****************************************************/
+
+ /* Perform RSA verification with the RSA public key. */
+ rv = RSA_HashCheckSign(shaOid,
+ rsa_public_key,
+ rsa_computed_signature,
+ rsa_bytes_signed,
+ sha,
+ shaLength);
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ return (SECSuccess);
+
+loser:
+
+ return (SECFailure);
+}
+
+static SECStatus
+sftk_fips_RSA_PowerUpSelfTest(void)
+{
+ /* RSA Known Modulus used in both Public/Private Key Values (2048-bits).
*/ + static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = { + 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5, + 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2, + 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e, + 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88, + 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed, + 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f, + 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9, + 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e, + 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7, + 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7, + 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8, + 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2, + 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57, + 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6, + 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d, + 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20, + 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9, + 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d, + 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7, + 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e, + 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15, + 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12, + 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4, + 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e, + 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77, + 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53, + 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0, + 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46, + 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39, + 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4, + 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43, + 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b + }; + + /* RSA Known Public Key Values (24-bits). 
*/ + static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 }; + /* RSA Known Private Key Values (version is 8-bits), */ + /* (private exponent is 2048-bits), */ + /* (private prime0 is 1024-bits), */ + /* (private prime1 is 1024-bits), */ + /* (private prime exponent0 is 1024-bits), */ + /* (private prime exponent1 is 1024-bits), */ + /* and (private coefficient is 1024-bits). */ + static const PRUint8 rsa_version[] = { 0x00 }; + + static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = { + 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c, + 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67, + 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5, + 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff, + 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35, + 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83, + 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0, + 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00, + 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e, + 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7, + 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67, + 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84, + 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4, + 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54, + 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9, + 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c, + 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06, + 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a, + 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7, + 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8, + 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95, + 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02, + 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb, + 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c, + 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38, + 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44, + 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23, + 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e, + 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 
0x50, 0x7d, + 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21, + 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48, + 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81 + }; + + static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = { + 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40, + 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96, + 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f, + 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96, + 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d, + 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc, + 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58, + 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38, + 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85, + 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6, + 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4, + 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f, + 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19, + 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4, + 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95, + 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05 + }; + static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = { + 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06, + 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c, + 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8, + 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34, + 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36, + 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88, + 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9, + 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd, + 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b, + 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35, + 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a, + 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70, + 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05, + 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed, + 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9, + 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf + }; + static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = { + 0x04, 0x5a, 0x3a, 0xa9, 0x64, 
0xaa, 0xd9, 0xd1, + 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a, + 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9, + 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37, + 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d, + 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c, + 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59, + 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01, + 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda, + 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63, + 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde, + 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62, + 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5, + 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2, + 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8, + 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d + }; + static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = { + 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b, + 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea, + 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44, + 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02, + 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c, + 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a, + 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4, + 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb, + 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea, + 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07, + 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97, + 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55, + 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4, + 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7, + 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40, + 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59 + }; + static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = { + 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96, + 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3, + 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91, + 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83, + 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b, + 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 
0x50, 0x14, 0x5b, + 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0, + 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a, + 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5, + 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd, + 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37, + 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22, + 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21, + 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1, + 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2, + 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02 + }; + + /* RSA Known Plaintext Message (1024-bits). */ + static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = { + "Known plaintext message utilized" + "for RSA Encryption & Decryption" + "blocks SHA256, SHA384 and " + "SHA512 RSA Signature KAT tests. " + "Known plaintext message utilized" + "for RSA Encryption & Decryption" + "blocks SHA256, SHA384 and " + "SHA512 RSA Signature KAT tests." + }; + + /* RSA Known Signed Hash (2048-bits). */ + static const PRUint8 rsa_known_sha256_signature[] = { + 0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38, + 0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a, + 0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f, + 0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50, + 0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde, + 0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80, + 0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42, + 0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d, + 0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75, + 0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65, + 0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09, + 0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6, + 0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e, + 0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92, + 0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b, + 0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51, + 0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34, + 0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93, + 0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e, + 0xbd, 0x63, 
0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2, + 0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b, + 0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7, + 0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd, + 0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18, + 0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb, + 0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c, + 0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6, + 0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca, + 0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19, + 0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8, + 0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a, + 0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92 + }; + + /* RSA Known Signed Hash (2048-bits). */ + static const PRUint8 rsa_known_sha384_signature[] = { + 0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15, + 0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf, + 0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f, + 0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf, + 0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa, + 0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66, + 0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49, + 0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3, + 0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac, + 0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37, + 0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7, + 0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d, + 0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1, + 0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb, + 0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16, + 0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92, + 0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70, + 0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec, + 0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f, + 0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1, + 0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3, + 0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2, + 0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e, + 0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c, + 0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8, + 0x33, 
0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7, + 0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71, + 0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e, + 0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b, + 0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb, + 0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4, + 0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa + }; + + /* RSA Known Signed Hash (2048-bits). */ + static const PRUint8 rsa_known_sha512_signature[] = { + 0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31, + 0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f, + 0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8, + 0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e, + 0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42, + 0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e, + 0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d, + 0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53, + 0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54, + 0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56, + 0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8, + 0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93, + 0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d, + 0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26, + 0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6, + 0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d, + 0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc, + 0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce, + 0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55, + 0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37, + 0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97, + 0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0, + 0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a, + 0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54, + 0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3, + 0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04, + 0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe, + 0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59, + 0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48, + 0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98, + 0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0, + 
0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81 + }; + + static const RSAPublicKey bl_public_key = { + NULL, + { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, + FIPS_RSA_MODULUS_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, + FIPS_RSA_PUBLIC_EXPONENT_LENGTH } + }; + static const RSAPrivateKey bl_private_key = { + NULL, + { FIPS_RSA_TYPE, (unsigned char *)rsa_version, + FIPS_RSA_PRIVATE_VERSION_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus, + FIPS_RSA_MODULUS_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent, + FIPS_RSA_PUBLIC_EXPONENT_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent, + FIPS_RSA_PRIVATE_EXPONENT_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0, + FIPS_RSA_PRIME0_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1, + FIPS_RSA_PRIME1_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0, + FIPS_RSA_EXPONENT0_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1, + FIPS_RSA_EXPONENT1_LENGTH }, + { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient, + FIPS_RSA_COEFFICIENT_LENGTH } + }; + +/* RSA variables. */ +#ifdef CREATE_TEMP_ARENAS + PLArenaPool *rsa_public_arena; + PLArenaPool *rsa_private_arena; +#endif + NSSLOWKEYPublicKey *rsa_public_key; + NSSLOWKEYPrivateKey *rsa_private_key; + SECStatus rsa_status; + + NSSLOWKEYPublicKey low_public_key = { NULL, NSSLOWKEYRSAKey }; + NSSLOWKEYPrivateKey low_private_key = { NULL, NSSLOWKEYRSAKey }; + + /****************************************/ + /* Compose RSA Public/Private Key Pair. */ + /****************************************/ + + low_public_key.u.rsa = bl_public_key; + low_private_key.u.rsa = bl_private_key; + + rsa_public_key = &low_public_key; + rsa_private_key = &low_private_key; + +#ifdef CREATE_TEMP_ARENAS + /* Create some space for the RSA public key. 
*/
+ rsa_public_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+
+ if (rsa_public_arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (SECFailure);
+ }
+
+ /* Create some space for the RSA private key. */
+ rsa_private_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+
+ if (rsa_private_arena == NULL) {
+ PORT_FreeArena(rsa_public_arena, PR_TRUE);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (SECFailure);
+ }
+
+ rsa_public_key->arena = rsa_public_arena;
+ rsa_private_key->arena = rsa_private_arena;
+#endif
+
+ /**************************************************/
+ /* RSA Hash tests */
+ /**************************************************/
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA256,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha256_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA384,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha384_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA512,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha512_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ /* Dispose of all RSA key material.
*/ + nsslowkey_DestroyPublicKey(rsa_public_key); + nsslowkey_DestroyPrivateKey(rsa_private_key); + + return (SECSuccess); + +rsa_loser: + + nsslowkey_DestroyPublicKey(rsa_public_key); + nsslowkey_DestroyPrivateKey(rsa_private_key); + + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); +} + +static SECStatus +sftk_fips_HKDF_PowerUpSelfTest(void) +{ + SECStatus status; + static const unsigned char base_key[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, + 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, + 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, + 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, + 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f + }; + static const unsigned char known_hkdf_sha256_key[] = { + 0xdd, 0xdb, 0xeb, 0xe5, 0x6d, 0xd2, 0x96, 0xa4, + 0x07, 0xc5, 0x7d, 0xda, 0x31, 0x56, 0x8d, 0xa5, + 0x41, 0x3e, 0x90, 0xd4, 0xe6, 0x98, 0xeb, 0xf8, + 0x5a, 0x49, 0x7f, 0x38, 0xef, 0x01, 0x8a, 0xe5, + 0xda, 0x36, 0xe5, 0xcf, 0x21, 0xe3, 0x9f, 0xc3, + 0x32, 0xb3, 0x1e, 0xf6, 0xc5, 0x10, 0x4c, 0x86, + 0x53, 0x5e, 0x6f, 0xe0, 0x63, 0x6e, 0x43, 0x33, + 0x61, 0x35, 0xf4, 0x17, 0x10, 0x77, 0x75, 0x2a + }; +/* current NIST IG's say we only need to test one instance + * of kdfs, keep these others around in case the guidance + * changes */ +#ifdef NSS_FULL_POST + static const unsigned char known_hkdf_sha384_key[] = { + 0x35, 0x64, 0xc4, 0xa1, 0xcc, 0xc1, 0xdc, 0xe4, + 0xe2, 0xca, 0x51, 0xae, 0xe8, 0x92, 0x88, 0x30, + 0x8b, 0xb0, 0x2b, 0xac, 0x00, 0x15, 0xac, 0x15, + 0x97, 0xc9, 0xf4, 0x6b, 0xf6, 0x3f, 0x97, 0xea, + 0x48, 0x55, 0x38, 0x25, 0x06, 0x5d, 0x91, 0x64, + 0xbd, 0x09, 0xf3, 0x44, 0xbc, 0x82, 0xbe, 0xdb, + 0x5c, 0xd7, 0xf2, 0x24, 0xa5, 0x55, 0x8d, 0xa9, + 0xa8, 0x85, 0xde, 0x8c, 0x33, 0xe0, 0x4d, 0xc3 + }; + static const unsigned char known_hkdf_sha512_key[] = { + 0x63, 0x4e, 0xbc, 0x42, 0xb3, 
0x56, 0x74, 0x7d,
+ 0x1b, 0x55, 0xf0, 0x34, 0x54, 0xcb, 0x6d, 0x58,
+ 0x39, 0x96, 0x10, 0xda, 0x03, 0x20, 0x8f, 0x77,
+ 0x0d, 0xb4, 0xf7, 0xf6, 0x67, 0x0d, 0x5b, 0x6b,
+ 0xd0, 0x30, 0xc4, 0xdd, 0x67, 0x61, 0x5d, 0x9a,
+ 0xf5, 0x18, 0x6e, 0x1b, 0x60, 0x97, 0xc2, 0x4d,
+ 0x23, 0x43, 0x69, 0xe6, 0x3b, 0xa5, 0xdf, 0xe9,
+ 0x7c, 0xf1, 0x87, 0x48, 0x6f, 0xb9, 0xd3, 0x02
+ };
+#endif
+ unsigned char outBytes[64] = { 0 };
+
+ CK_HKDF_PARAMS hkdf_params;
+
+ hkdf_params.bExpand = CK_TRUE;
+ hkdf_params.bExtract = CK_TRUE;
+ hkdf_params.ulSaltType = CKF_HKDF_SALT_DATA;
+ hkdf_params.pSalt = (CK_BYTE_PTR)base_key;
+ hkdf_params.ulSaltLen = sizeof(base_key);
+ hkdf_params.pInfo = (CK_BYTE_PTR)base_key;
+ hkdf_params.ulInfoLen = sizeof(base_key);
+
+ /**************************************************/
+ /* HKDF tests */
+ /**************************************************/
+
+ hkdf_params.prfHashMechanism = CKM_SHA256_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 32, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha256_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+
+#ifdef NSS_FULL_POST
+ hkdf_params.prfHashMechanism = CKM_SHA384_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 48, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha384_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+
+ hkdf_params.prfHashMechanism = CKM_SHA512_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 64, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha512_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+#endif
+
+ return
(SECSuccess);
+}
+
+static PRBool sftk_self_tests_ran = PR_FALSE;
+static PRBool sftk_self_tests_success = PR_FALSE;
+
+/*
+ * This function is called at dll load time, the code tha makes this
+ * happen is platform specific on defined above.
+ */
+void
+sftk_startup_tests_with_rerun(PRBool rerun)
+{
+ SECStatus rv;
+ const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME;
+
+ PORT_Assert(!sftk_self_tests_ran);
+ PORT_Assert(!sftk_self_tests_success);
+ sftk_self_tests_ran = PR_TRUE;
+ sftk_self_tests_success = PR_FALSE; /* just in case */
+
+ /* need to initiallize the oid library before the RSA tests */
+ rv = SECOID_Init();
+ if (rv != SECSuccess) {
+ return;
+ }
+ /* make sure freebl is initialized, or our RSA check
+ * may fail. This is normally done at freebl load time, but it's
+ * possible we may have shut freebl down without unloading it. */
+ rv = BL_Init();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = RNG_RNGInit();
+ if (rv != SECSuccess) {
+ return;
+ }
+ /* check the RSA combined functions in softoken */
+ rv = sftk_fips_RSA_PowerUpSelfTest();
+ if (rv != SECSuccess) {
+ return;
+ }
+ if (!BLAPI_SHVerify(libraryName,
+ (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) {
+ /* something is wrong with the library, fail without enabling
+ * the token */
+ return;
+ }
+ rv = sftk_fips_IKE_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_SP800_108_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_HKDF_PowerUpSelfTest();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_pbkdf_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ sftk_self_tests_success = PR_TRUE;
+}
+
+static void
+sftk_startup_tests(void)
+{
+ sftk_startup_tests_with_rerun(PR_FALSE);
+}
+
+/*
+ * this is called from nsc_Common_Initizialize entry points that gates access
+ * to * all other pkcs11 functions.
This prevents softoken operation if our
+ * power on selftest failed.
+ */
+CK_RV
+sftk_FIPSEntryOK(PRBool rerun)
+{
+#ifdef NSS_NO_INIT_SUPPORT
+ /* this should only be set on platforms that can't handle one of the INIT
+ * schemes. This code allows those platforms to continue to function,
+ * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
+ * is not set, and init support has not been properly enabled, softken
+ * will always fail because of the test below
+ */
+ if (!sftk_self_tests_ran) {
+ sftk_startup_tests();
+ }
+#endif
+ if (rerun) {
+ sftk_self_tests_ran = PR_FALSE;
+ sftk_self_tests_success = PR_FALSE;
+ sftk_startup_tests_with_rerun(PR_TRUE);
+ }
+ if (!sftk_self_tests_success) {
+ return CKR_DEVICE_ERROR;
+ }
+ return CKR_OK;
+}
+#else
+#include "pkcs11t.h"
+CK_RV
+sftk_FIPSEntryOK()
+{
+ return CKR_DEVICE_ERROR;
+}
+#endif /* NSS_FIPS_DISABLED */
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
new file mode 100644
index 0000000000..cf5d73ce74
--- /dev/null
+++ b/security/nss/lib/softoken/fipstokn.c
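Review bot: The non-FIPS fallback at the end of the hunk defines `sftk_FIPSEntryOK()` with an empty parameter list while the FIPS build above defines `sftk_FIPSEntryOK(PRBool rerun)`; in C11 the empty list is an unprototyped definition, so a caller passing `rerun` invokes it with a mismatched argument count, and in C23 `()` means `(void)` and such a call no longer compiles, so the fallback should read `sftk_FIPSEntryOK(PRBool rerun)` with `(void)rerun;` in its body to match the FIPS definition (and presumably the header prototype, which is outside this hunk). In sftk_fips_RSA_PowerUpSelfTest the comment `/* RSA Known Plaintext Message (1024-bits). */` contradicts the array it annotates, which is `FIPS_RSA_MESSAGE_LENGTH` bytes, defined above as `256 /* 2048-bits */`; it should say 2048-bits, or describe the buffer as a 256-byte zero-padded message. The header comment on sftk_fips_RSA_PowerUpSigSelfTest also misspells the verify function as `RSH_HashCheckSign`; it should name `RSA_HashCheckSign`, the function actually called. Finally, the `HASH_AlgSHA1` branch of that helper is unreachable from this file's only callers, which pass HASH_AlgSHA256/384/512, so it is dead code in a static function; dropping it, or adding a comment stating why a non-approved signature hash is kept in the power-up self-test, would keep the test aligned with the hashes it is meant to cover.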
@@ -0,0 +1,2080 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login
+ * (unless you've enabled FIPS). It supports Public Key ops, and all they
+ * bulk ciphers and hashes. It can also support Private Key ops for imported
+ * Private keys. It does not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "prenv.h"
+#include "prprf.h"
+
+#include
+
+#ifdef XP_UNIX
+#define NSS_AUDIT_WITH_SYSLOG 1
+#include
+#include
+#endif
+
+#ifdef LINUX
+#include
+#include
+#define LIBAUDIT_NAME "libaudit.so.1"
+#ifndef AUDIT_CRYPTO_TEST_USER
+#define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */
+#define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */
+#define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */
+#define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */
+#define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */
+#define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomize */
+#endif
+static void *libaudit_handle;
+static int (*audit_open_func)(void);
+static void (*audit_close_func)(int fd);
+static int (*audit_log_user_message_func)(int audit_fd, int type,
+ const char *message, const char *hostname, const char *addr,
+ const char *tty, int result);
+static int (*audit_send_user_message_func)(int fd, int type,
+ const char *message);
+
+static pthread_once_t libaudit_once_control = PTHREAD_ONCE_INIT;
+
+static void
+libaudit_init(void)
+{
+ libaudit_handle = dlopen(LIBAUDIT_NAME, RTLD_LAZY);
+ if (!libaudit_handle) {
+ return;
+ }
+ audit_open_func = dlsym(libaudit_handle, "audit_open");
+ audit_close_func = dlsym(libaudit_handle, "audit_close");
+ /*
+ * audit_send_user_message is the older function.
+ * audit_log_user_message, if available, is preferred.
+ */
+ audit_log_user_message_func = dlsym(libaudit_handle,
+ "audit_log_user_message");
+ if (!audit_log_user_message_func) {
+ audit_send_user_message_func = dlsym(libaudit_handle,
+ "audit_send_user_message");
+ }
+ if (!audit_open_func || !audit_close_func ||
+ (!audit_log_user_message_func && !audit_send_user_message_func)) {
+ dlclose(libaudit_handle);
+ libaudit_handle = NULL;
+ audit_open_func = NULL;
+ audit_close_func = NULL;
+ audit_log_user_message_func = NULL;
+ audit_send_user_message_func = NULL;
+ }
+}
+#endif /* LINUX */
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+static PRBool isLoggedIn = PR_FALSE;
+static PRBool isLevel2 = PR_TRUE;
+PRBool sftk_fatalError = PR_FALSE;
+
+/*
+ * This function returns
+ * - CKR_PIN_INVALID if the password/PIN is not a legal UTF8 string
+ * - CKR_PIN_LEN_RANGE if the password/PIN is too short or does not
+ * consist of characters from three or more character classes.
+ * - CKR_OK otherwise
+ *
+ * The minimum password/PIN length is FIPS_MIN_PIN Unicode characters.
+ * We define five character classes: digits (0-9), ASCII lowercase letters,
+ * ASCII uppercase letters, ASCII non-alphanumeric characters (such as
+ * space and punctuation marks), and non-ASCII characters. If an ASCII
+ * uppercase letter is the first character of the password/PIN, the
+ * uppercase letter is not counted toward its character class. Similarly,
+ * if a digit is the last character of the password/PIN, the digit is not
+ * counted toward its character class.
+ *
+ * Although NSC_SetPIN and NSC_InitPIN already do the maximum and minimum
+ * password/PIN length checks, they check the length in bytes as opposed
+ * to characters. To meet the minimum password/PIN guessing probability
+ * requirements in FIPS 140-2, we need to check the length in characters.
+ */
+static CK_RV
+sftk_newPinCheck(CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ unsigned int i;
+ int nchar = 0; /* number of characters */
+ int ntrail = 0; /* number of trailing bytes to follow */
+ int ndigit = 0; /* number of decimal digits */
+ int nlower = 0; /* number of ASCII lowercase letters */
+ int nupper = 0; /* number of ASCII uppercase letters */
+ int nnonalnum = 0; /* number of ASCII non-alphanumeric characters */
+ int nnonascii = 0; /* number of non-ASCII characters */
+ int nclass; /* number of character classes */
+
+ for (i = 0; i < ulPinLen; i++) {
+ unsigned int byte = pPin[i];
+
+ if (ntrail) {
+ if ((byte & 0xc0) != 0x80) {
+ /* illegal */
+ nchar = -1;
+ break;
+ }
+ if (--ntrail == 0) {
+ nchar++;
+ nnonascii++;
+ }
+ continue;
+ }
+ if ((byte & 0x80) == 0x00) {
+ /* single-byte (ASCII) character */
+ nchar++;
+ if (isdigit(byte)) {
+ if (i < ulPinLen - 1) {
+ ndigit++;
+ }
+ } else if (islower(byte)) {
+ nlower++;
+ } else if (isupper(byte)) {
+ if (i > 0) {
+ nupper++;
+ }
+ } else {
+ nnonalnum++;
+ }
+ } else if ((byte & 0xe0) == 0xc0) {
+ /* leading byte of two-byte character */
+ ntrail = 1;
+ } else if ((byte & 0xf0) == 0xe0) {
+ /* leading byte of three-byte character */
+ ntrail = 2;
+ } else if ((byte & 0xf8) == 0xf0) {
+ /* leading byte of four-byte character */
+ ntrail = 3;
+ } else {
+ /* illegal */
+ nchar = -1;
+ break;
+ }
+ }
+ if (nchar == -1) {
+ /* illegal UTF8 string */
+ return CKR_PIN_INVALID;
+ }
+ if (nchar < FIPS_MIN_PIN) {
+ return CKR_PIN_LEN_RANGE;
+ }
+ nclass = (ndigit != 0) + (nlower != 0) + (nupper != 0) +
+ (nnonalnum != 0) + (nnonascii != 0);
+ if (nclass < 3) {
+ return CKR_PIN_LEN_RANGE;
+ }
+ return CKR_OK;
+}
+
+/* FIPS required checks before any useful cryptographic services */
+static CK_RV
+sftk_fipsCheck(void)
+{
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ if (isLevel2 && !isLoggedIn)
+ return CKR_USER_NOT_LOGGED_IN;
+ return CKR_OK;
+}
+
+#define SFTK_FIPSCHECK() \
+ CK_RV rv; \
+ if
((rv = sftk_fipsCheck()) != CKR_OK) \
+ return rv;
+
+#define SFTK_FIPSFATALCHECK() \
+ if (sftk_fatalError) \
+ return CKR_DEVICE_ERROR;
+
+/* grab an attribute out of a raw template */
+void *
+fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
+{
+ int i;
+
+ for (i = 0; i < (int)ulCount; i++) {
+ if (pTemplate[i].type == type) {
+ return pTemplate[i].pValue;
+ }
+ }
+ return NULL;
+}
+
+#define __PASTE(x, y) x##y
+
+/* ------------- forward declare all the NSC_ functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_3_0 1
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS, name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- forward declare all the FIPS functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
+static CK_FUNCTION_LIST_3_0 sftk_fipsTable = {
+ { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(F, name) \
+ ,
+
+#include "pkcs11f.h"
+
+};
+
+/* forward declaration of special GetInfo functions */
+CK_RV FC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV NSC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV FC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+CK_RV NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+
+static CK_FUNCTION_LIST sftk_fipsTable_v2 = {
+ { 2, 40 },
+
+#undef CK_PKCS11_3_0
+#define CK_PKCS11_2_0_ONLY 1
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+#define C_GetInfo C_GetInfoV2
+#define C_GetMechanismInfo C_GetMechanismInfoV2
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(F, name) \
+ ,
+
+#include
"pkcs11f.h"
+
+};
+
+#undef C_GetInfo
+#undef C_GetMechanismInfo
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_PKCS11_2_0_ONLY
+
+#undef __PASTE
+
+/*
+ * Array is orderd by default first
+ */
+static CK_INTERFACE fips_interfaces[] = {
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_fipsTable, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_fipsTable_v2, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS Module Interface", &sftk_module_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS FIPS Interface", &sftk_fips_funcList, NSS_INTERFACE_FLAGS }
+};
+/* must match the count of interfaces in fips_interfaces above*/
+#define FIPS_INTERFACE_COUNT 4
+
+/* CKO_NOT_A_KEY can be any object class that's not a key object. */
+#define CKO_NOT_A_KEY CKO_DATA
+
+#define SFTK_IS_KEY_OBJECT(objClass) \
+ (((objClass) == CKO_PUBLIC_KEY) || \
+ ((objClass) == CKO_PRIVATE_KEY) || \
+ ((objClass) == CKO_SECRET_KEY))
+
+#define SFTK_IS_NONPUBLIC_KEY_OBJECT(objClass) \
+ (((objClass) == CKO_PRIVATE_KEY) || ((objClass) == CKO_SECRET_KEY))
+
+static CK_RV
+sftk_get_object_class_and_fipsCheck(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_OBJECT_CLASS *pObjClass)
+{
+ CK_RV rv;
+ CK_ATTRIBUTE class;
+ class.type = CKA_CLASS;
+ class.pValue = pObjClass;
+ class.ulValueLen = sizeof(*pObjClass);
+ rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
+ if ((rv == CKR_OK) && SFTK_IS_NONPUBLIC_KEY_OBJECT(*pObjClass)) {
+ rv = sftk_fipsCheck();
+ }
+ return rv;
+}
+
+#ifdef LINUX
+
+int
+sftk_mapLinuxAuditType(NSSAuditSeverity severity, NSSAuditType auditType)
+{
+ switch (auditType) {
+ case NSS_AUDIT_ACCESS_KEY:
+ case NSS_AUDIT_CHANGE_KEY:
+ case NSS_AUDIT_COPY_KEY:
+ case NSS_AUDIT_DERIVE_KEY:
+ case NSS_AUDIT_DESTROY_KEY:
+ case NSS_AUDIT_DIGEST_KEY:
+ case NSS_AUDIT_GENERATE_KEY:
+ case NSS_AUDIT_LOAD_KEY:
+ case NSS_AUDIT_UNWRAP_KEY:
+ case NSS_AUDIT_WRAP_KEY:
+ return AUDIT_CRYPTO_KEY_USER;
+ case NSS_AUDIT_CRYPT:
+ return
(severity == NSS_AUDIT_ERROR) ? AUDIT_CRYPTO_FAILURE_USER : AUDIT_CRYPTO_KEY_USER;
+ case NSS_AUDIT_FIPS_STATE:
+ case NSS_AUDIT_INIT_PIN:
+ case NSS_AUDIT_INIT_TOKEN:
+ case NSS_AUDIT_SET_PIN:
+ return AUDIT_CRYPTO_PARAM_CHANGE_USER;
+ case NSS_AUDIT_SELF_TEST:
+ return AUDIT_CRYPTO_TEST_USER;
+ case NSS_AUDIT_LOGIN:
+ return AUDIT_CRYPTO_LOGIN;
+ case NSS_AUDIT_LOGOUT:
+ return AUDIT_CRYPTO_LOGOUT;
+ /* we skip the fault case here so we can get compiler
+ * warnings if new 'NSSAuditType's are added without
+ * added them to this list, defaults fall through */
+ }
+ /* default */
+ return AUDIT_CRYPTO_PARAM_CHANGE_USER;
+}
+#endif
+
+/**********************************************************************
+ *
+ * FIPS 140 auditable event logging
+ *
+ **********************************************************************/
+
+PRBool sftk_audit_enabled = PR_FALSE;
+
+/*
+ * Each audit record must have the following information:
+ * - Date and time of the event
+ * - Type of event
+ * - user (subject) identity
+ * - outcome (success or failure) of the event
+ * - process ID
+ * - name (ID) of the object
+ * - for changes to data (except for authentication data and CSPs), the new
+ * and old values of the data
+ * - for authentication attempts, the origin of the attempt (e.g., terminal
+ * identifier)
+ * - for assuming a role, the type of role, and the location of the request
+ */
+void
+sftk_LogAuditMessage(NSSAuditSeverity severity, NSSAuditType auditType,
+ const char *msg)
+{
+#ifdef NSS_AUDIT_WITH_SYSLOG
+ int level;
+
+ switch (severity) {
+ case NSS_AUDIT_ERROR:
+ level = LOG_ERR;
+ break;
+ case NSS_AUDIT_WARNING:
+ level = LOG_WARNING;
+ break;
+ default:
+ level = LOG_INFO;
+ break;
+ }
+ /* timestamp is provided by syslog in the message header */
+ syslog(level | LOG_USER /* facility */,
+ "NSS " SOFTOKEN_LIB_NAME "[pid=%d uid=%d]: %s",
+ (int)getpid(), (int)getuid(), msg);
+#ifdef LINUX
+ if (pthread_once(&libaudit_once_control, libaudit_init) != 0) {
+
return;
+ }
+ if (libaudit_handle) {
+ int audit_fd;
+ int linuxAuditType;
+ int result = (severity != NSS_AUDIT_ERROR); /* 1=success; 0=failed */
+ char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+ if (!message) {
+ return;
+ }
+ audit_fd = audit_open_func();
+ if (audit_fd < 0) {
+ PR_smprintf_free(message);
+ return;
+ }
+ linuxAuditType = sftk_mapLinuxAuditType(severity, auditType);
+ if (audit_log_user_message_func) {
+ audit_log_user_message_func(audit_fd, linuxAuditType, message,
+ NULL, NULL, NULL, result);
+ } else {
+ audit_send_user_message_func(audit_fd, linuxAuditType, message);
+ }
+ audit_close_func(audit_fd);
+ PR_smprintf_free(message);
+ }
+#endif /* LINUX */
+#else
+/* do nothing */
+#endif
+}
+
+/**********************************************************************
+ *
+ * Start of PKCS 11 functions
+ *
+ **********************************************************************/
+/* return the function list */
+CK_RV
+FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+
+ CHECK_FORK();
+
+ *pFunctionList = &sftk_fipsTable_v2;
+ return CKR_OK;
+}
+
+CK_RV
+FC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ CK_ULONG count = *pulCount;
+ *pulCount = FIPS_INTERFACE_COUNT;
+ if (interfaces == NULL) {
+ return CKR_OK;
+ }
+ if (count < FIPS_INTERFACE_COUNT) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ PORT_Memcpy(interfaces, fips_interfaces, sizeof(fips_interfaces));
+ return CKR_OK;
+}
+
+/*
+ * Get the requested interface, use the fips_interfaces array so we can
+ * easily add new interfaces as they occur.
+ */
+CK_RV
+FC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ int i;
+ for (i = 0; i < FIPS_INTERFACE_COUNT; i++) {
+ CK_INTERFACE_PTR interface = &fips_interfaces[i];
+ if (pInterfaceName && PORT_Strcmp((char *)pInterfaceName, (char *)interface->pInterfaceName) != 0) {
+ continue;
+ }
+ if (pVersion && PORT_Memcmp(pVersion, (CK_VERSION *)interface->pFunctionList, sizeof(CK_VERSION)) != 0) {
+ continue;
+ }
+ if (flags & ((interface->flags & flags) != flags)) {
+ continue;
+ }
+ *ppInterface = interface;
+ return CKR_OK;
+ }
+ return CKR_ARGUMENTS_BAD;
+}
+
+/* sigh global so pkcs11 can read it */
+PRBool nsf_init = PR_FALSE;
+
+void
+fc_log_init_error(CK_RV crv)
+{
+ if (sftk_audit_enabled) {
+ char msg[128];
+ PR_snprintf(msg, sizeof msg,
+ "C_Initialize()=0x%08lX "
+ "power-up self-tests failed",
+ (PRUint32)crv);
+ sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
+ }
+}
+
+/* FC_Initialize initializes the PKCS #11 library. */
+CK_RV
+FC_Initialize(CK_VOID_PTR pReserved)
+{
+ const char *envp;
+ CK_RV crv;
+ PRBool rerun;
+
+ if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
+ sftk_audit_enabled = (atoi(envp) == 1);
+ }
+
+ /* if we have the forcePOST flag on, rerun the integrity checks */
+ /* we need to know this before we fully parse the arguments in
+ * nsc_CommonInitialize, so read it now */
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
+
+ /* At this point we should have already done post and integrity checks.
+ * if we haven't, it probably means the FIPS product has not been installed
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
+ * also forces the tests to be rerun if forcePOST is set.
*/
+ crv = sftk_FIPSEntryOK(rerun);
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ fc_log_init_error(crv);
+ return crv;
+ }
+
+ sftk_ForkReset(pReserved, &crv);
+
+ if (nsf_init) {
+ return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+ }
+
+ crv = nsc_CommonInitialize(pReserved, PR_TRUE);
+
+ /* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ return crv;
+ }
+
+ sftk_fatalError = PR_FALSE; /* any error has been reset */
+ nsf_init = PR_TRUE;
+ isLevel2 = PR_TRUE; /* assume level 2 unless we learn otherwise */
+
+ return CKR_OK;
+}
+
+/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
+CK_RV
+FC_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ if (sftk_ForkReset(pReserved, &crv)) {
+ return crv;
+ }
+
+ if (!nsf_init) {
+ return CKR_OK;
+ }
+
+ crv = nsc_CommonFinalize(pReserved, PR_TRUE);
+
+ nsf_init = (PRBool) !(crv == CKR_OK);
+ return crv;
+}
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV
+FC_GetInfo(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetInfo(pInfo);
+}
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV
+FC_GetInfoV2(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetInfoV2(pInfo);
+}
+
+/* FC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+FC_GetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
+{
+ CHECK_FORK();
+
+ return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount,
+ NSC_FIPS_MODULE);
+}
+
+/* FC_GetSlotInfo obtains information about a particular slot in the system.
*/
+CK_RV
+FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetSlotInfo(slotID, pInfo);
+}
+
+/*FC_GetTokenInfo obtains information about a particular token in the system.*/
+CK_RV
+FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_GetTokenInfo(slotID, pInfo);
+ if (crv == CKR_OK) {
+ /* use the global database to figure out if we are running in
+ * FIPS 140 Level 1 or Level 2 */
+ if (slotID == FIPS_SLOT_ID &&
+ (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+ isLevel2 = PR_FALSE;
+ }
+ }
+ return crv;
+}
+
+/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
+CK_RV
+FC_GetMechanismList(CK_SLOT_ID slotID,
+ CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismList(slotID, pMechanismList, pusCount);
+}
+
+/* FC_GetMechanismInfo obtains information about a particular mechanism
+ * possibly supported by a token. */
+CK_RV
+FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismInfo(slotID, type, pInfo);
+}
+
+/* FC_GetMechanismInfoV2 same as FC_GetMechanismInfo except the Message
+ * flags have been stripped out */
+CK_RV
+FC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismInfoV2(slotID, type, pInfo);
+}
+
+/* FC_InitToken initializes a token.
*/
+CK_RV
+FC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen, CK_CHAR_PTR pLabel)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_InitToken(slotID, pPin, usPinLen, pLabel);
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (crv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ /* pLabel points to a 32-byte label, which is not null-terminated */
+ PR_snprintf(msg, sizeof msg,
+ "C_InitToken(slotID=%lu, pLabel=\"%.32s\")=0x%08lX",
+ (PRUint32)slotID, pLabel, (PRUint32)crv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_TOKEN, msg);
+ }
+ return crv;
+}
+
+/* FC_InitPIN initializes the normal user's PIN. */
+CK_RV
+FC_InitPIN(CK_SESSION_HANDLE hSession,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ /* NSC_InitPIN will only work once per database. We can either initialize
+ * it to level1 (pin len == 0) or level2. If we initialize to level 2, then
+ * we need to make sure the pin meets FIPS requirements */
+ if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
+ rv = NSC_InitPIN(hSession, pPin, ulPinLen);
+ if ((rv == CKR_OK) &&
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
+ isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
+ }
+ }
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_InitPIN(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_PIN, msg);
+ }
+ return rv;
+}
+
+/* FC_SetPIN modifies the PIN of user that is currently logged in.
*/
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+CK_RV
+FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+ CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ rv = sftk_fipsCheck();
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+
+ if (isLevel2 || usNewLen > 0) {
+ rv = sftk_newPinCheck(pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
+ /* if we set the password in level1 we now go
+ * to level2. NOTE: we don't allow the user to
+ * go from level2 to level1 */
+ isLevel2 = PR_TRUE;
+ }
+ } else {
+ /* here both old and new passwords are empty, but we need to
+ * call NSC_SetPIN to force rekey the database entries */
+ PORT_Assert(usNewLen == 0);
+ rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+loser:
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_SetPIN(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_SET_PIN, msg);
+ }
+ return rv;
+}
+
+/* FC_OpenSession opens a session between an application and a token. */
+CK_RV
+FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+ CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession)
+{
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ return NSC_OpenSession(slotID, flags, pApplication, Notify, phSession);
+}
+
+/* FC_CloseSession closes a session between an application and a token. */
+CK_RV
+FC_CloseSession(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return NSC_CloseSession(hSession);
+}
+
+/* FC_CloseAllSessions closes all sessions with a token.
*/
+CK_RV
+FC_CloseAllSessions(CK_SLOT_ID slotID)
+{
+
+ CHECK_FORK();
+
+ return NSC_CloseAllSessions(slotID);
+}
+
+CK_RV
+FC_SessionCancel(CK_SESSION_HANDLE hSession, CK_FLAGS flags)
+{
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ return NSC_SessionCancel(hSession, flags);
+}
+
+/* FC_GetSessionInfo obtains information about the session. */
+CK_RV
+FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+ CK_SESSION_INFO_PTR pInfo)
+{
+ CK_RV rv;
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ rv = NSC_GetSessionInfo(hSession, pInfo);
+ if (rv == CKR_OK) {
+ /* handle the case where the auxilary slot doesn't require login.
+ * piggy back on the main token's login state */
+ if (isLoggedIn &&
+ ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
+ (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
+ CK_RV crv;
+ CK_TOKEN_INFO tInfo;
+ crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
+ &tInfo);
+ /* if the token doesn't login, use our global login state */
+ if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
+ if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
+ pInfo->state = CKS_RO_USER_FUNCTIONS;
+ } else {
+ pInfo->state = CKS_RW_USER_FUNCTIONS;
+ }
+ }
+ }
+ }
+ return rv;
+}
+
+/* FC_Login logs a user into a token. */
+CK_RV
+FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG usPinLen)
+{
+ CK_RV rv;
+ PRBool successful;
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ rv = NSC_Login(hSession, userType, pPin, usPinLen);
+ successful = (rv == CKR_OK) || (rv == CKR_USER_ALREADY_LOGGED_IN);
+ if (successful)
+ isLoggedIn = PR_TRUE;
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity;
+ severity = successful ?
NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_Login(hSession=0x%08lX, userType=%lu)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)userType, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGIN, msg);
+ }
+ return rv;
+}
+
+CK_RV
+FC_LoginUser(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pUsername,
+ CK_ULONG ulUsernameLen)
+{
+ CK_RV rv;
+ PRBool successful;
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ rv = NSC_LoginUser(hSession, userType, pPin, ulPinLen,
+ pUsername, ulUsernameLen);
+ successful = (rv == CKR_OK) || (rv == CKR_USER_ALREADY_LOGGED_IN);
+ if (successful)
+ isLoggedIn = PR_TRUE;
+ if (sftk_audit_enabled) {
+ char msg[128];
+ char user[61];
+ int len = PR_MIN(ulUsernameLen, sizeof(user) - 1);
+ PORT_Memcpy(user, pUsername, len);
+ user[len] = 0;
+ NSSAuditSeverity severity;
+ severity = successful ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_LoginUser(hSession=0x%08lX, userType=%lu username=%s)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)userType, user, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGIN, msg);
+ }
+ return rv;
+}
+
+/* FC_Logout logs a user out from a token. */
+CK_RV
+FC_Logout(CK_SESSION_HANDLE hSession)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ if ((rv = sftk_fipsCheck()) == CKR_OK) {
+ rv = NSC_Logout(hSession);
+ isLoggedIn = PR_FALSE;
+ }
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_Logout(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGOUT, msg);
+ }
+ return rv;
+}
+
+/* FC_CreateObject creates a new object.
*/
+CK_RV
+FC_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ CK_OBJECT_CLASS *classptr;
+ CK_RV rv = CKR_OK;
+
+ CHECK_FORK();
+
+ classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate, ulCount, CKA_CLASS);
+ if (classptr == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ if (*classptr == CKO_NSS_NEWSLOT || *classptr == CKO_NSS_DELSLOT) {
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ } else {
+ rv = sftk_fipsCheck();
+ if (rv != CKR_OK)
+ return rv;
+ }
+
+ /* FIPS can't create keys from raw key material */
+ if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ } else {
+ rv = NSC_CreateObject(hSession, pTemplate, ulCount, phObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
+ sftk_AuditCreateObject(hSession, pTemplate, ulCount, phObject, rv);
+ }
+ return rv;
+}
+
+/* FC_CopyObject copies an object, creating a new object for the copy. */
+CK_RV
+FC_CopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_CopyObject(hSession, hObject, pTemplate, ulCount, phNewObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditCopyObject(hSession,
+ hObject, pTemplate, ulCount, phNewObject, rv);
+ }
+ return rv;
+}
+
+/* FC_DestroyObject destroys an object.
*/
+CK_RV
+FC_DestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_DestroyObject(hSession, hObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditDestroyObject(hSession, hObject, rv);
+ }
+ return rv;
+}
+
+/* FC_GetObjectSize gets the size of an object in bytes. */
+CK_RV
+FC_GetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_GetObjectSize(hSession, hObject, pulSize);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditGetObjectSize(hSession, hObject, pulSize, rv);
+ }
+ return rv;
+}
+
+/* FC_GetAttributeValue obtains the value of one or more object attributes.
*/
+CK_RV
+FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_GetAttributeValue(hSession, hObject, pTemplate, ulCount);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditGetAttributeValue(hSession, hObject, pTemplate, ulCount, rv);
+ }
+ return rv;
+}
+
+/* FC_SetAttributeValue modifies the value of one or more object attributes */
+CK_RV
+FC_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_SetAttributeValue(hSession, hObject, pTemplate, ulCount);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditSetAttributeValue(hSession, hObject, pTemplate, ulCount, rv);
+ }
+ return rv;
+}
+
+/* FC_FindObjectsInit initializes a search for token and session objects
+ * that match a template.
*/
+CK_RV
+FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+ /* let publically readable object be found */
+ unsigned int i;
+ CK_RV rv;
+ PRBool needLogin = PR_FALSE;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+
+ for (i = 0; i < usCount; i++) {
+ CK_OBJECT_CLASS class;
+ if (pTemplate[i].type != CKA_CLASS) {
+ continue;
+ }
+ if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+ continue;
+ }
+ if (pTemplate[i].pValue == NULL) {
+ continue;
+ }
+ class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+ if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+ needLogin = PR_TRUE;
+ break;
+ }
+ }
+ if (needLogin) {
+ if ((rv = sftk_fipsCheck()) != CKR_OK)
+ return rv;
+ }
+ return NSC_FindObjectsInit(hSession, pTemplate, usCount);
+}
+
+/* FC_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV
+FC_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject, CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount)
+{
+ CHECK_FORK();
+
+ /* let publically readable object be found */
+ SFTK_FIPSFATALCHECK();
+ return NSC_FindObjects(hSession, phObject, usMaxObjectCount,
+ pusObjectCount);
+}
+
+/*
+ ************** Crypto Functions: Encrypt ************************
+ */
+
+/* FC_EncryptInit initializes an encryption operation. */
+CK_RV
+FC_EncryptInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_EncryptInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("Encrypt", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_Encrypt encrypts single-part data.
*/ +CK_RV +FC_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData, + CK_ULONG_PTR pusEncryptedDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_Encrypt(hSession, pData, usDataLen, pEncryptedData, + pusEncryptedDataLen); +} + +/* FC_EncryptUpdate continues a multiple-part encryption operation. */ +CK_RV +FC_EncryptUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pusEncryptedPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_EncryptUpdate(hSession, pPart, usPartLen, pEncryptedPart, + pusEncryptedPartLen); +} + +/* FC_EncryptFinal finishes a multiple-part encryption operation. */ +CK_RV +FC_EncryptFinal(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_EncryptFinal(hSession, pLastEncryptedPart, + pusLastEncryptedPartLen); +} + +/* + ************** Crypto Functions: Decrypt ************************ + */ + +/* FC_DecryptInit initializes a decryption operation. */ +CK_RV +FC_DecryptInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_DecryptInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("Decrypt", hSession, pMechanism, hKey, rv); + } + return rv; +} + +/* FC_Decrypt decrypts encrypted data in a single part. */ +CK_RV +FC_Decrypt(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedData, CK_ULONG usEncryptedDataLen, CK_BYTE_PTR pData, + CK_ULONG_PTR pusDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_Decrypt(hSession, pEncryptedData, usEncryptedDataLen, pData, + pusDataLen); +} + +/* FC_DecryptUpdate continues a multiple-part decryption operation. 
*/ +CK_RV +FC_DecryptUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_DecryptUpdate(hSession, pEncryptedPart, usEncryptedPartLen, + pPart, pusPartLen); +} + +/* FC_DecryptFinal finishes a multiple-part decryption operation. */ +CK_RV +FC_DecryptFinal(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_DecryptFinal(hSession, pLastPart, pusLastPartLen); +} + +/* + ************** Crypto Functions: Digest (HASH) ************************ + */ + +/* FC_DigestInit initializes a message-digesting operation. */ +CK_RV +FC_DigestInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_DigestInit(hSession, pMechanism); +} + +/* FC_Digest digests data in a single part. */ +CK_RV +FC_Digest(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pusDigestLen) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_Digest(hSession, pData, usDataLen, pDigest, pusDigestLen); +} + +/* FC_DigestUpdate continues a multiple-part message-digesting operation. */ +CK_RV +FC_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG usPartLen) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_DigestUpdate(hSession, pPart, usPartLen); +} + +/* FC_DigestFinal finishes a multiple-part message-digesting operation. 
*/ +CK_RV +FC_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pusDigestLen) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_DigestFinal(hSession, pDigest, pusDigestLen); +} + +/* + ************** Crypto Functions: Sign ************************ + */ + +/* FC_SignInit initializes a signature (private key encryption) operation, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +FC_SignInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_SignInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("Sign", hSession, pMechanism, hKey, rv); + } + return rv; +} + +/* FC_Sign signs (encrypts with private key) data in a single part, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +FC_Sign(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pusSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_Sign(hSession, pData, usDataLen, pSignature, pusSignatureLen); +} + +/* FC_SignUpdate continues a multiple-part signature operation, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +FC_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG usPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_SignUpdate(hSession, pPart, usPartLen); +} + +/* FC_SignFinal finishes a multiple-part signature operation, + * returning the signature. 
*/ +CK_RV +FC_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pusSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_SignFinal(hSession, pSignature, pusSignatureLen); +} + +/* + ************** Crypto Functions: Sign Recover ************************ + */ +/* FC_SignRecoverInit initializes a signature operation, + * where the (digest) data can be recovered from the signature. + * E.g. encryption with the user's private key */ +CK_RV +FC_SignRecoverInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_SignRecoverInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("SignRecover", hSession, pMechanism, hKey, rv); + } + return rv; +} + +/* FC_SignRecover signs data in a single operation + * where the (digest) data can be recovered from the signature. + * E.g. encryption with the user's private key */ +CK_RV +FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_SignRecover(hSession, pData, usDataLen, pSignature, pusSignatureLen); +} + +/* + ************** Crypto Functions: verify ************************ + */ + +/* FC_VerifyInit initializes a verification operation, + * where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature (e.g. 
DSA) */ +CK_RV +FC_VerifyInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_VerifyInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("Verify", hSession, pMechanism, hKey, rv); + } + return rv; +} + +/* FC_Verify verifies a signature in a single-part operation, + * where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) +{ + /* make sure we're legal */ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_Verify(hSession, pData, usDataLen, pSignature, usSignatureLen); +} + +/* FC_VerifyUpdate continues a multiple-part verification operation, + * where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +FC_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG usPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_VerifyUpdate(hSession, pPart, usPartLen); +} + +/* FC_VerifyFinal finishes a multiple-part verification operation, + * checking the signature. */ +CK_RV +FC_VerifyFinal(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_VerifyFinal(hSession, pSignature, usSignatureLen); +} + +/* + ************** Crypto Functions: Verify Recover ************************ + */ + +/* FC_VerifyRecoverInit initializes a signature verification operation, + * where the data is recovered from the signature. + * E.g. 
Decryption with the user's public key */ +CK_RV +FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_VerifyRecoverInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("VerifyRecover", hSession, pMechanism, hKey, rv); + } + return rv; +} + +/* FC_VerifyRecover verifies a signature in a single-part operation, + * where the data is recovered from the signature. + * E.g. Decryption with the user's public key */ +CK_RV +FC_VerifyRecover(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen, + CK_BYTE_PTR pData, CK_ULONG_PTR pusDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_VerifyRecover(hSession, pSignature, usSignatureLen, pData, + pusDataLen); +} + +/* + **************************** Key Functions: ************************ + */ + +/* FC_GenerateKey generates a secret key, creating a new key object. */ +CK_RV +FC_GenerateKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phKey) +{ + CK_BBOOL *boolptr; + + SFTK_FIPSCHECK(); + CHECK_FORK(); + + /* all secret keys must be sensitive, if the upper level code tries to say + * otherwise, reject it. */ + boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE); + if (boolptr != NULL) { + if (!(*boolptr)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + } + + rv = NSC_GenerateKey(hSession, pMechanism, pTemplate, ulCount, phKey); + if (sftk_audit_enabled) { + sftk_AuditGenerateKey(hSession, pMechanism, pTemplate, ulCount, phKey, rv); + } + return rv; +} + +/* FC_GenerateKeyPair generates a public-key/private-key pair, + * creating new key objects. 
*/ +CK_RV +FC_GenerateKeyPair(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey, + CK_OBJECT_HANDLE_PTR phPrivateKey) +{ + CK_BBOOL *boolptr; + CK_RV crv; + + SFTK_FIPSCHECK(); + CHECK_FORK(); + + /* all private keys must be sensitive, if the upper level code tries to say + * otherwise, reject it. */ + boolptr = (CK_BBOOL *)fc_getAttribute(pPrivateKeyTemplate, + usPrivateKeyAttributeCount, CKA_SENSITIVE); + if (boolptr != NULL) { + if (!(*boolptr)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + } + crv = NSC_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, + usPublicKeyAttributeCount, pPrivateKeyTemplate, + usPrivateKeyAttributeCount, phPublicKey, phPrivateKey); + if (crv == CKR_GENERAL_ERROR) { + /* pairwise consistency check failed. */ + sftk_fatalError = PR_TRUE; + } + if (sftk_audit_enabled) { + sftk_AuditGenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, + usPublicKeyAttributeCount, pPrivateKeyTemplate, + usPrivateKeyAttributeCount, phPublicKey, phPrivateKey, crv); + } + return crv; +} + +/* FC_WrapKey wraps (i.e., encrypts) a key. */ +CK_RV +FC_WrapKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey, + CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey, + CK_ULONG_PTR pulWrappedKeyLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_WrapKey(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, + pulWrappedKeyLen); + if (sftk_audit_enabled) { + sftk_AuditWrapKey(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey, + pulWrappedKeyLen, rv); + } + return rv; +} + +/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. 
*/ +CK_RV +FC_UnwrapKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey, + CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey) +{ + CK_BBOOL *boolptr; + + SFTK_FIPSCHECK(); + CHECK_FORK(); + + /* all secret keys must be sensitive, if the upper level code tries to say + * otherwise, reject it. */ + boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate, + ulAttributeCount, CKA_SENSITIVE); + if (boolptr != NULL) { + if (!(*boolptr)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + } + rv = NSC_UnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey, + ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey); + if (sftk_audit_enabled) { + sftk_AuditUnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey, + ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey, rv); + } + return rv; +} + +/* FC_DeriveKey derives a key from a base key, creating a new key object. */ +CK_RV +FC_DeriveKey(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey) +{ + CK_BBOOL *boolptr; + + SFTK_FIPSCHECK(); + CHECK_FORK(); + + /* all secret keys must be sensitive, if the upper level code tries to say + * otherwise, reject it. */ + boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate, + ulAttributeCount, CKA_SENSITIVE); + if (boolptr != NULL) { + if (!(*boolptr)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + } + rv = NSC_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate, + ulAttributeCount, phKey); + if (sftk_audit_enabled) { + sftk_AuditDeriveKey(hSession, pMechanism, hBaseKey, pTemplate, + ulAttributeCount, phKey, rv); + } + return rv; +} + +/* + **************************** Radom Functions: ************************ + */ + +/* FC_SeedRandom mixes additional seed material into the token's random number + * generator. 
*/ +CK_RV +FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, + CK_ULONG usSeedLen) +{ + CK_RV crv; + + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + crv = NSC_SeedRandom(hSession, pSeed, usSeedLen); + if (crv != CKR_OK) { + sftk_fatalError = PR_TRUE; + } + return crv; +} + +/* FC_GenerateRandom generates random data. */ +CK_RV +FC_GenerateRandom(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) +{ + CK_RV crv; + + CHECK_FORK(); + + SFTK_FIPSFATALCHECK(); + crv = NSC_GenerateRandom(hSession, pRandomData, ulRandomLen); + if (crv != CKR_OK) { + sftk_fatalError = PR_TRUE; + if (sftk_audit_enabled) { + char msg[128]; + PR_snprintf(msg, sizeof msg, + "C_GenerateRandom(hSession=0x%08lX, pRandomData=%p, " + "ulRandomLen=%lu)=0x%08lX " + "self-test: continuous RNG test failed", + (PRUint32)hSession, pRandomData, + (PRUint32)ulRandomLen, (PRUint32)crv); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); + } + } + return crv; +} + +/* FC_GetFunctionStatus obtains an updated status of a function running + * in parallel with an application. */ +CK_RV +FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_GetFunctionStatus(hSession); +} + +/* FC_CancelFunction cancels a function running in parallel */ +CK_RV +FC_CancelFunction(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_CancelFunction(hSession); +} + +/* + **************************** Version 1.1 Functions: ************************ + */ + +/* FC_GetOperationState saves the state of the cryptographic + *operation in a session. */ +CK_RV +FC_GetOperationState(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_GetOperationState(hSession, pOperationState, pulOperationStateLen); +} + +/* FC_SetOperationState restores the state of the cryptographic operation + * in a session. 
*/ +CK_RV +FC_SetOperationState(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen, + CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) +{ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_SetOperationState(hSession, pOperationState, ulOperationStateLen, + hEncryptionKey, hAuthenticationKey); +} + +/* FC_FindObjectsFinal finishes a search for token and session objects. */ +CK_RV +FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) +{ + /* let publically readable object be found */ + SFTK_FIPSFATALCHECK(); + CHECK_FORK(); + + return NSC_FindObjectsFinal(hSession); +} + +/* Dual-function cryptographic operations */ + +/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption + * operation. */ +CK_RV +FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_DigestEncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart, + pulEncryptedPartLen); +} + +/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting + * operation. */ +CK_RV +FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_DecryptDigestUpdate(hSession, pEncryptedPart, ulEncryptedPartLen, + pPart, pulPartLen); +} + +/* FC_SignEncryptUpdate continues a multiple-part signing and encryption + * operation. */ +CK_RV +FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_SignEncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart, + pulEncryptedPartLen); +} + +/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify + * operation. 
*/ +CK_RV +FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, + CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + return NSC_DecryptVerifyUpdate(hSession, pEncryptedData, ulEncryptedDataLen, + pData, pulDataLen); +} + +/* FC_DigestKey continues a multi-part message-digesting operation, + * by digesting the value of a secret key as part of the data already digested. + */ +CK_RV +FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_DigestKey(hSession, hKey); + if (sftk_audit_enabled) { + sftk_AuditDigestKey(hSession, hKey, rv); + } + return rv; +} + +CK_RV +FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, + CK_VOID_PTR pReserved) +{ + CHECK_FORK(); + + return NSC_WaitForSlotEvent(flags, pSlot, pReserved); +} + +CK_RV +FC_MessageEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_MessageEncryptInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("MessageEncrypt", hSession, pMechanism, hKey, rv); + } + return rv; +} + +CK_RV +FC_EncryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext, + CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext, + CK_ULONG_PTR pulCiphertextLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_EncryptMessage(hSession, pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen, + pPlaintext, ulPlaintextLen, pCiphertext, + pulCiphertextLen); +} + +CK_RV +FC_EncryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_EncryptMessageBegin(hSession, pParameter, ulParameterLen, + 
pAssociatedData, ulAssociatedDataLen); +} + +CK_RV +FC_EncryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_EncryptMessageNext(hSession, pParameter, ulParameterLen, + pPlaintextPart, ulPlaintextPartLen, + pCiphertextPart, pulCiphertextPartLen, flags); +} + +CK_RV +FC_MessageEncryptFinal(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_MessageEncryptFinal(hSession); +} + +CK_RV +FC_MessageDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_MessageDecryptInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("MessageDecrypt", hSession, pMechanism, hKey, rv); + } + return rv; +} + +CK_RV +FC_DecryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext, + CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext, + CK_ULONG_PTR pulPlaintextLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptMessage(hSession, pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen, + pCiphertext, ulCiphertextLen, pPlaintext, + pulPlaintextLen); +} + +CK_RV +FC_DecryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptMessageBegin(hSession, pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen); +} + +CK_RV +FC_DecryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart, + 
CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_DecryptMessageNext(hSession, pParameter, ulParameterLen, + pCiphertextPart, ulCiphertextPartLen, + pPlaintextPart, pulPlaintextPartLen, flags); +} + +CK_RV +FC_MessageDecryptFinal(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_MessageDecryptFinal(hSession); +} + +CK_RV +FC_MessageSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_MessageSignInit(hSession, pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("MessageSign", hSession, pMechanism, hKey, rv); + } + return rv; +} + +CK_RV +FC_SignMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, CK_ULONG ulDataLen, + CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignMessage(hSession, pParameter, ulParameterLen, pData, + ulDataLen, pSignature, pulSignatureLen); +} + +CK_RV +FC_SignMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignMessageBegin(hSession, pParameter, ulParameterLen); +} + +CK_RV +FC_SignMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_SignMessageNext(hSession, pParameter, ulParameterLen, pData, + ulDataLen, pSignature, pulSignatureLen); +} + +CK_RV +FC_MessageSignFinal(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_MessageSignFinal(hSession); +} + +CK_RV +FC_MessageVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + + rv = NSC_MessageVerifyInit(hSession, 
pMechanism, hKey); + if (sftk_audit_enabled) { + sftk_AuditCryptInit("MessageVerify", hSession, pMechanism, hKey, rv); + } + return rv; +} + +CK_RV +FC_VerifyMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyMessage(hSession, pParameter, ulParameterLen, pData, + ulDataLen, pSignature, ulSignatureLen); +} + +CK_RV +FC_VerifyMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyMessageBegin(hSession, pParameter, ulParameterLen); +} + +CK_RV +FC_VerifyMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_VerifyMessageNext(hSession, pParameter, ulParameterLen, + pData, ulDataLen, pSignature, ulSignatureLen); +} + +CK_RV +FC_MessageVerifyFinal(CK_SESSION_HANDLE hSession) +{ + SFTK_FIPSCHECK(); + CHECK_FORK(); + return NSC_MessageVerifyFinal(hSession); +} diff --git a/security/nss/lib/softoken/jpakesftk.c b/security/nss/lib/softoken/jpakesftk.c new file mode 100644 index 0000000000..7ed1e3495c --- /dev/null +++ b/security/nss/lib/softoken/jpakesftk.c 
@@ -0,0 +1,359 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "blapi.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+
+static CK_RV
+jpake_mapStatus(SECStatus rv, CK_RV invalidArgsMapping)
+{
+ int err;
+ if (rv == SECSuccess)
+ return CKR_OK;
+ err = PORT_GetError();
+ switch (err) {
+ /* XXX: SEC_ERROR_INVALID_ARGS might be caused by invalid template
+ parameters. */
+ case SEC_ERROR_INVALID_ARGS:
+ return invalidArgsMapping;
+ case SEC_ERROR_BAD_SIGNATURE:
+ return CKR_SIGNATURE_INVALID;
+ case SEC_ERROR_NO_MEMORY:
+ return CKR_HOST_MEMORY;
+ }
+ return CKR_FUNCTION_FAILED;
+}
+
+/* If key is not NULL then the gx value will be stored as an attribute with
+ the type given by the gxAttrType parameter. */
+static CK_RV
+jpake_Sign(PLArenaPool *arena, const PQGParams *pqg, HASH_HashType hashType,
+ const SECItem *signerID, const SECItem *x,
+ CK_NSS_JPAKEPublicValue *out)
+{
+ SECItem gx, gv, r;
+ CK_RV crv;
+
+ PORT_Assert(arena != NULL);
+
+ gx.data = NULL;
+ gv.data = NULL;
+ r.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Sign(arena, pqg, hashType, signerID, x, NULL,
+ NULL, &gx, &gv, &r),
+ CKR_MECHANISM_PARAM_INVALID);
+ if (crv == CKR_OK) {
+ if ((out->pGX != NULL && out->ulGXLen >= gx.len) ||
+ (out->pGV != NULL && out->ulGVLen >= gv.len) ||
+ (out->pR != NULL && out->ulRLen >= r.len)) {
+ PORT_Memcpy(out->pGX, gx.data, gx.len);
+ PORT_Memcpy(out->pGV, gv.data, gv.len);
+ PORT_Memcpy(out->pR, r.data, r.len);
+ out->ulGXLen = gx.len;
+ out->ulGVLen = gv.len;
+ out->ulRLen = r.len;
+ } else {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+ return crv;
+}
+
+static CK_RV
+jpake_Verify(PLArenaPool *arena, const PQGParams *pqg,
+ HASH_HashType hashType, const SECItem *signerID,
+ const CK_BYTE *peerIDData, CK_ULONG peerIDLen,
+ const CK_NSS_JPAKEPublicValue *publicValueIn)
+{
+ SECItem peerID, gx, gv, r;
+ peerID.data = (unsigned char *)peerIDData;
+ peerID.len = peerIDLen;
+ gx.data = publicValueIn->pGX;
+ gx.len = publicValueIn->ulGXLen;
+ gv.data = publicValueIn->pGV;
+ gv.len = publicValueIn->ulGVLen;
+ r.data = publicValueIn->pR;
+ r.len = publicValueIn->ulRLen;
+ return jpake_mapStatus(JPAKE_Verify(arena, pqg, hashType, signerID, &peerID,
+ &gx, &gv, &r),
+ CKR_MECHANISM_PARAM_INVALID);
+}
+
+#define NUM_ELEM(x) (sizeof(x) / sizeof(x)[0])
+
+/* If the template has the key type set, ensure that it was set to the correct
+ * value. If the template did not have the key type set, set it to the
+ * correct value.
+ */
+static CK_RV
+jpake_enforceKeyType(SFTKObject *key, CK_KEY_TYPE keyType)
+{
+ CK_RV crv;
+ SFTKAttribute *keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE);
+ if (keyTypeAttr != NULL) {
+ crv = *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType
+ ? CKR_OK
+ : CKR_TEMPLATE_INCONSISTENT;
+ sftk_FreeAttribute(keyTypeAttr);
+ } else {
+ crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof keyType);
+ }
+ return crv;
+}
+
+static CK_RV
+jpake_MultipleSecItem2Attribute(SFTKObject *key, const SFTKItemTemplate *attrs,
+ size_t attrsCount)
+{
+ size_t i;
+
+ for (i = 0; i < attrsCount; ++i) {
+ CK_RV crv = sftk_forceAttribute(key, attrs[i].type, attrs[i].item->data,
+ attrs[i].item->len);
+ if (crv != CKR_OK)
+ return crv;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+jpake_Round1(HASH_HashType hashType, CK_NSS_JPAKERound1Params *params,
+ SFTKObject *key)
+{
+ CK_RV crv;
+ PQGParams pqg;
+ PLArenaPool *arena;
+ SECItem signerID;
+ SFTKItemTemplate templateAttrs[] = {
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_BASE, &pqg.base },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID }
+ };
+ SECItem x2, gx1, gx2;
+ const SFTKItemTemplate generatedAttrs[] = {
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ };
+ SECItem x1;
+
+ PORT_Assert(params != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ crv = sftk_MultipleAttribute2SecItem(arena, key, templateAttrs,
+ NUM_ELEM(templateAttrs));
+
+ if (crv == CKR_OK && (signerID.data == NULL || signerID.len == 0))
+ crv = CKR_TEMPLATE_INCOMPLETE;
+
+ /* generate x1, g^x1 and the proof of knowledge of x1 */
+ if (crv == CKR_OK) {
+ x1.data = NULL;
+ crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x1),
+ CKR_TEMPLATE_INCONSISTENT);
+ }
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x1, ¶ms->gx1);
+
+ /* generate x2, g^x2 and the proof of knowledge of x2 */
+ if (crv == CKR_OK) {
+ x2.data = NULL;
+ crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x2),
+ CKR_TEMPLATE_INCONSISTENT);
+ }
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2, ¶ms->gx2);
+
+ /* Save the values needed for round 2 into CKA_VALUE */
+ if (crv == CKR_OK) {
+ gx1.data = params->gx1.pGX;
+ gx1.len = params->gx1.ulGXLen;
+ gx2.data = params->gx2.pGX;
+ gx2.len = params->gx2.ulGXLen;
+ crv = jpake_MultipleSecItem2Attribute(key, generatedAttrs,
+ NUM_ELEM(generatedAttrs));
+ }
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+CK_RV
+jpake_Round2(HASH_HashType hashType, CK_NSS_JPAKERound2Params *params,
+ SFTKObject *sourceKey, SFTKObject *key)
+{
+ CK_RV crv;
+ PLArenaPool *arena;
+ PQGParams pqg;
+ SECItem signerID, x2, gx1, gx2;
+ SFTKItemTemplate sourceAttrs[] = {
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_BASE, &pqg.base },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ };
+ SECItem x2s, gx3, gx4;
+ const SFTKItemTemplate copiedAndGeneratedAttrs[] = {
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_X2S, &x2s },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ { CKA_NSS_JPAKE_GX3, &gx3 },
+ { CKA_NSS_JPAKE_GX4, &gx4 }
+ };
+ SECItem peerID;
+
+ PORT_Assert(params != NULL);
+ PORT_Assert(sourceKey != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ /* TODO: check CKK_NSS_JPAKE_ROUND1 */
+
+ crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
+ NUM_ELEM(sourceAttrs));
+
+ /* Get the peer's ID out of the template and sanity-check it. */
+ if (crv == CKR_OK)
+ crv = sftk_Attribute2SecItem(arena, &peerID, key,
+ CKA_NSS_JPAKE_PEERID);
+ if (crv == CKR_OK && (peerID.data == NULL || peerID.len == 0))
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ if (crv == CKR_OK && SECITEM_CompareItem(&signerID, &peerID) == SECEqual)
+ crv = CKR_TEMPLATE_INCONSISTENT;
+
+ /* Verify zero-knowledge proofs for g^x3 and g^x4 */
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, ¶ms->gx3);
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, ¶ms->gx4);
+
+ /* Calculate the base and x2s for A=base^x2s */
+ if (crv == CKR_OK) {
+ SECItem s;
+ s.data = params->pSharedKey;
+ s.len = params->ulSharedKeyLen;
+ gx3.data = params->gx3.pGX;
+ gx3.len = params->gx3.ulGXLen;
+ gx4.data = params->gx4.pGX;
+ gx4.len = params->gx4.ulGXLen;
+ pqg.base.data = NULL;
+ x2s.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
+ &gx1, &gx3, &gx4, &pqg.base,
+ &x2, &s, &x2s),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Generate A=base^x2s and its zero-knowledge proof. */
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2s, ¶ms->A);
+
+ /* Copy P and Q from the ROUND1 key to the ROUND2 key and save the values
+ needed for the final key material derivation into CKA_VALUE. */
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_PRIME, pqg.prime.data,
+ pqg.prime.len);
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_SUBPRIME, pqg.subPrime.data,
+ pqg.subPrime.len);
+ if (crv == CKR_OK) {
+ crv = jpake_MultipleSecItem2Attribute(key, copiedAndGeneratedAttrs,
+ NUM_ELEM(copiedAndGeneratedAttrs));
+ }
+
+ if (crv == CKR_OK)
+ crv = jpake_enforceKeyType(key, CKK_NSS_JPAKE_ROUND2);
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+CK_RV
+jpake_Final(HASH_HashType hashType, const CK_NSS_JPAKEFinalParams *param,
+ SFTKObject *sourceKey, SFTKObject *key)
+{
+ PLArenaPool *arena;
+ SECItem K;
+ PQGParams pqg;
+ CK_RV crv;
+ SECItem peerID, signerID, x2s, x2, gx1, gx2, gx3, gx4;
+ SFTKItemTemplate sourceAttrs[] = {
+ { CKA_NSS_JPAKE_PEERID, &peerID },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_X2S, &x2s },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ { CKA_NSS_JPAKE_GX3, &gx3 },
+ { CKA_NSS_JPAKE_GX4, &gx4 }
+ };
+
+ PORT_Assert(param != NULL);
+ PORT_Assert(sourceKey != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ /* TODO: verify key type CKK_NSS_JPAKE_ROUND2 */
+
+ crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
+ NUM_ELEM(sourceAttrs));
+
+ /* Calculate base for B=base^x4s */
+ if (crv == CKR_OK) {
+ pqg.base.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
+ &gx1, &gx2, &gx3, &pqg.base,
+ NULL, NULL, NULL),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Verify zero-knowledge proof for B */
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, ¶m->B);
+ if (crv == CKR_OK) {
+ SECItem B;
+ B.data = param->B.pGX;
+ B.len = param->B.ulGXLen;
+ K.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Final(arena, &pqg.prime, &pqg.subPrime,
+ &x2, &gx4, &x2s, &B, &K),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Save key material into CKA_VALUE. */
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_VALUE, K.data, K.len);
+
+ if (crv == CKR_OK)
+ crv = jpake_enforceKeyType(key, CKK_GENERIC_SECRET);
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
diff --git a/security/nss/lib/softoken/kbkdf.c b/security/nss/lib/softoken/kbkdf.c
new file mode 100644
index 0000000000..c6021ef5e5
--- /dev/null
+++ b/security/nss/lib/softoken/kbkdf.c
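Review bot: In jpake_Sign the output-buffer check joins the three per-buffer conditions with `||`, so a caller that supplies only an adequately sized pGX passes it and the following PORT_Memcpy calls then write gv.len and r.len bytes into pGV and pR that may be NULL or shorter than the data; the condition should read `if ((out->pGX != NULL && out->ulGXLen >= gx.len) && (out->pGV != NULL && out->ulGVLen >= gv.len) && (out->pR != NULL && out->ulRLen >= r.len)) {` so every buffer is validated before anything is copied. In jpake_Round1, jpake_Round2 and jpake_Final the `crv = CKR_HOST_MEMORY;` after `if (arena == NULL)` is immediately overwritten by the next assignment and the NULL arena is handed to sftk_MultipleAttribute2SecItem; since nothing has been allocated at that point, `if (arena == NULL) return CKR_HOST_MEMORY;` is the fix. The comment above jpake_Sign describes `key` and `gxAttrType` parameters the function does not take; it should instead say something like `/* Generate g^x and its zero-knowledge proof and copy gx, gv and r into the caller-provided buffers in out, updating out's length fields to the actual lengths. */`.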
@@ -0,0 +1,1520 @@
+#include "pkcs11i.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "softoken.h"
+
+/* Overview:
+ *
+ * This file contains implementations of the three KDFs from NIST SP800-108
+ * "Recommendation for Key Derivation Using Pseudorandom Functions":
+ *
+ * 1. KDF in Counter Mode (section 5.1)
+ * 2. KDF in Feedback Mode (section 5.2)
+ * 3. KDF in Double-Pipeline Iteration Mode (section 5.3)
+ *
+ * These KDFs are a form of negotiable building blocks for KDFs: protocol
+ * designers can choose various fields, their endianness, and the underlying
+ * PRF. These constructs are generic enough to handle creation of arbitrary,
+ * (but known ahead of time) length outputs.
+ *
+ * The families of PRFs described here are used, among other places, in
+ * Kerberos and GlobalPlatform's Secure Channel Protocol 03. The PKCS#11 v3.0
+ * design for this KDF facilitates a wide range of uses.
+ *
+ * Implementation Details:
+ *
+ * We reuse the new sftk_MACCtx for handling the underlying MACing; with a few
+ * safe restrictions, we can reuse whatever it gives us to use as a PRF.
+ *
+ * We implement the core of the KDF in the *Raw(...) version of the function
+ * call. The PKCS#11 key handling happens in the non-Raw version. This means
+ * we need a single large allocation upfront (large enough to store the entire
+ * key stream), but means we can share key parsing logic and enable the
+ * creation of data objects.
+ */
+
+/* [ section: #define's ] */
+
+#define VALID_CK_BOOL(x) ((x) == CK_TRUE || (x) == CK_FALSE)
+#define IS_COUNTER(_mech) ((_mech) == CKM_SP800_108_COUNTER_KDF || (_mech) == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA)
+#define DOES_DERIVE_DATA(_mech) ((_mech) == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA || (_mech) == CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA || (_mech) == CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA)
+
+/* [ section: parameter validation ] */
+
+static CK_RV
+kbkdf_LoadParameters(CK_MECHANISM_TYPE mech, CK_MECHANISM_PTR pMechanism, CK_SP800_108_KDF_PARAMS_PTR kdf_params, CK_BYTE_PTR *initial_value, CK_ULONG_PTR initial_value_length)
+{
+ /* This function loads the parameters for the given mechanism into the
+ * specified kdf_params, splitting off the IV if present. In PKCS#11 v3.0,
+ * CK_SP800_108_FEEDBACK_KDF_PARAMS and CK_SP800_108_KDF_PARAMS have
+ * different ordering of internal parameters, which means that it isn't
+ * easy to reuse feedback parameters in the same functions as non-feedback
+ * parameters. Rather than duplicating the logic, split out the only
+ * Feedback-specific data (the IV) into a separate argument and repack it
+ * into the passed kdf_params struct instead.
*/
+ PR_ASSERT(pMechanism != NULL && kdf_params != NULL && initial_value != NULL && initial_value_length != NULL);
+
+ CK_SP800_108_KDF_PARAMS_PTR in_params;
+ CK_SP800_108_FEEDBACK_KDF_PARAMS_PTR feedback_params;
+
+ if (mech == CKM_SP800_108_FEEDBACK_KDF || mech == CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA) {
+ if (pMechanism->ulParameterLen != sizeof(CK_SP800_108_FEEDBACK_KDF_PARAMS)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ feedback_params = (CK_SP800_108_FEEDBACK_KDF_PARAMS *)pMechanism->pParameter;
+
+ if (feedback_params->pIV == NULL && feedback_params->ulIVLen > 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ kdf_params->prfType = feedback_params->prfType;
+ kdf_params->ulNumberOfDataParams = feedback_params->ulNumberOfDataParams;
+ kdf_params->pDataParams = feedback_params->pDataParams;
+ kdf_params->ulAdditionalDerivedKeys = feedback_params->ulAdditionalDerivedKeys;
+ kdf_params->pAdditionalDerivedKeys = feedback_params->pAdditionalDerivedKeys;
+
+ *initial_value = feedback_params->pIV;
+ *initial_value_length = feedback_params->ulIVLen;
+ } else {
+ if (pMechanism->ulParameterLen != sizeof(CK_SP800_108_KDF_PARAMS)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ in_params = (CK_SP800_108_KDF_PARAMS *)pMechanism->pParameter;
+
+ (*kdf_params) = *in_params;
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_ValidateParameter(CK_MECHANISM_TYPE mech, const CK_PRF_DATA_PARAM *data)
+{
+ /* This function validates that the passed data parameter (data) conforms
+ * to PKCS#11 v3.0's expectations for KDF parameters. This depends both on
+ * the type of this parameter (data->type) and on the KDF mechanism (mech)
+ * as certain parameters are context dependent (like Iteration Variable).
+ */
+
+ /* If the parameter is missing a value when one is expected, then this
+ * parameter is invalid.
*/
+ if ((data->pValue == NULL) != (data->ulValueLen == 0)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ switch (data->type) {
+ case CK_SP800_108_ITERATION_VARIABLE:
+ case CK_SP800_108_OPTIONAL_COUNTER: {
+ if (data->type == CK_SP800_108_ITERATION_VARIABLE && !IS_COUNTER(mech)) {
+ /* In Feedback and Double Pipeline KDFs, PKCS#11 v3.0 connotes the
+ * iteration variable as the chaining value from the previous PRF
+ * invocation. In contrast, counter mode treats this variable as a
+ * COUNTER_FORMAT descriptor. Thus we can skip validation of
+ * iteration variable parameters outside of counter mode. However,
+ * PKCS#11 v3.0 technically mandates that pValue is NULL, so we
+ * still have to validate that. */
+
+ if (data->pValue != NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ return CKR_OK;
+ }
+
+ /* In counter mode, data->pValue should be a pointer to an instance of
+ * CK_SP800_108_COUNTER_FORMAT; validate its length. */
+ if (data->ulValueLen != sizeof(CK_SP800_108_COUNTER_FORMAT)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ CK_SP800_108_COUNTER_FORMAT_PTR param = (CK_SP800_108_COUNTER_FORMAT_PTR)data->pValue;
+
+ /* Validate the endian parameter. */
+ if (!VALID_CK_BOOL(param->bLittleEndian)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Due to restrictions by our underlying hashes, we restrict bit
+ * widths to actually be byte widths by ensuring they're a multiple
+ * of eight. */
+ if ((param->ulWidthInBits % 8) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Note that section 5.1 denotes the maximum length of the counter
+ * to be 32. */
+ if (param->ulWidthInBits > 32) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ }
+ case CK_SP800_108_DKM_LENGTH: {
+ /* data->pValue should be a pointer to an instance of
+ * CK_SP800_108_DKM_LENGTH_FORMAT; validate its length.
*/
+ if (data->ulValueLen != sizeof(CK_SP800_108_DKM_LENGTH_FORMAT)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR param = (CK_SP800_108_DKM_LENGTH_FORMAT_PTR)data->pValue;
+
+ /* Validate the method parameter. */
+ if (param->dkmLengthMethod != CK_SP800_108_DKM_LENGTH_SUM_OF_KEYS &&
+ param->dkmLengthMethod != CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate the endian parameter. */
+ if (!VALID_CK_BOOL(param->bLittleEndian)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate the maximum width: we restrict it to being a byte width
+ * instead of a bit width due to restrictions by the underlying
+ * PRFs. */
+ if ((param->ulWidthInBits % 8) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Ensure that the width doesn't overflow a 64-bit int. This
+ * restriction is arbitrary but since the counters can't exceed
+ * 32-bits (and most PRFs output at most 1024 bits), you're unlikely
+ * to need all 64-bits of length indicator. */
+ if (param->ulWidthInBits > 64) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ }
+ case CK_SP800_108_BYTE_ARRAY:
+ /* There is no additional data to validate for byte arrays; we can
+ * only assume the byte array is of the specified size. */
+ break;
+ default:
+ /* Unexpected parameter type. */
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_ValidateDerived(CK_DERIVED_KEY_PTR key)
+{
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ PRUint64 keySize = 0;
+
+ /* The pointer to the key handle shouldn't be NULL. If it is, we can't
+ * do anything else, so exit early. Every other failure case sets the
+ * key->phKey = CK_INVALID_HANDLE, so we can't use `goto failure` here. */
+ if (key->phKey == NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate that we have no attributes if and only if pTemplate is NULL.
+ * Otherwise, there's an inconsistency somewhere.
*/
+ if ((key->ulAttributeCount == 0) != (key->pTemplate == NULL)) {
+ goto failure;
+ }
+
+ for (size_t offset = 0; offset < key->ulAttributeCount; offset++) {
+ CK_ATTRIBUTE_PTR template = key->pTemplate + offset;
+
+ /* We only look for the CKA_VALUE_LEN and CKA_KEY_TYPE attributes.
+ * Everything else we assume we can set on the key if it is passed
+ * here. However, if we can't inquire as to a length (and barring
+ * that, if we have a key type without a standard length), we're
+ * definitely stuck. This mirrors the logic at the top of
+ * NSC_DeriveKey(...). */
+ if (template->type == CKA_KEY_TYPE) {
+ if (template->ulValueLen != sizeof(CK_KEY_TYPE)) {
+ goto failure;
+ }
+
+ keyType = *(CK_KEY_TYPE *)template->pValue;
+ } else if (template->type == CKA_VALUE_LEN) {
+ if (template->ulValueLen != sizeof(CK_ULONG)) {
+ goto failure;
+ }
+
+ keySize = *(CK_ULONG *)template->pValue;
+ }
+ }
+
+ if (keySize == 0) {
+ /* When we lack a keySize, see if we can infer it from the type of the
+ * passed key. */
+ keySize = sftk_MapKeySize(keyType);
+ }
+
+ /* The main piece of information we validate is that we have a length for
+ * this key. */
+ if (keySize == 0 || keySize >= (1ull << 32ull)) {
+ goto failure;
+ }
+
+ return CKR_OK;
+
+failure:
+ /* PKCS#11 v3.0: If the failure was caused by the content of a specific
+ * key's template (ie the template defined by the content of pTemplate),
+ * the corresponding phKey value will be set to CK_INVALID_HANDLE to
+ * identify the offending template. */
+ *(key->phKey) = CK_INVALID_HANDLE;
+ return CKR_MECHANISM_PARAM_INVALID;
+}
+
+static CK_RV
+kbkdf_ValidateParameters(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS *params, CK_ULONG keySize)
+{
+ CK_RV ret = CKR_MECHANISM_PARAM_INVALID;
+ int param_type_count[5] = { 0, 0, 0, 0, 0 };
+ size_t offset = 0;
+
+ /* Start with checking the prfType as a mechanism against a list of
+ * PRFs allowed by PKCS#11 v3.0.
*/
+ if (!(/* The following types aren't defined in NSS yet. */
+ /* params->prfType != CKM_3DES_CMAC && */
+ params->prfType == CKM_AES_CMAC || /* allow */
+ /* We allow any HMAC except MD2 and MD5. */
+ params->prfType != CKM_MD2_HMAC || /* disallow */
+ params->prfType != CKM_MD5_HMAC || /* disallow */
+ sftk_HMACMechanismToHash(params->prfType) != HASH_AlgNULL /* Valid HMAC <-> HASH isn't NULL */
+ )) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* We can't have a null pDataParams pointer: we always need at least one
+ * parameter to succeed. */
+ if (params->pDataParams == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Validate each KDF parameter. */
+ for (offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ /* Validate this parameter has acceptable values. */
+ ret = kbkdf_ValidateParameter(mech, params->pDataParams + offset);
+ if (ret != CKR_OK) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Count that we have a parameter of this type. The above logic
+ * in ValidateParameter MUST validate that type is within the
+ * appropriate range. */
+ PR_ASSERT(params->pDataParams[offset].type < sizeof(param_type_count) / sizeof(param_type_count[0]));
+ param_type_count[params->pDataParams[offset].type] += 1;
+ }
+
+ if (IS_COUNTER(mech)) {
+ /* We have to have at least one iteration variable parameter. */
+ if (param_type_count[CK_SP800_108_ITERATION_VARIABLE] == 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* We can't have any optional counters parameters -- these belong in
+ * iteration variable parameters instead. */
+ if (param_type_count[CK_SP800_108_OPTIONAL_COUNTER] != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+
+ /* Validate basic assumptions about derived keys:
+ * NULL <-> ulAdditionalDerivedKeys > 0
+ */
+ if ((params->ulAdditionalDerivedKeys == 0) != (params->pAdditionalDerivedKeys == NULL)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate each derived key.
*/
+ for (offset = 0; offset < params->ulAdditionalDerivedKeys; offset++) {
+ ret = kbkdf_ValidateDerived(params->pAdditionalDerivedKeys + offset);
+ if (ret != CKR_OK) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+
+ /* Validate the length of our primary key. */
+ if (keySize == 0 || ((PRUint64)keySize) >= (1ull << 32ull)) {
+ return CKR_KEY_SIZE_RANGE;
+ }
+
+ return CKR_OK;
+}
+
+/* [ section: parameter helpers ] */
+
+static CK_VOID_PTR
+kbkdf_FindParameter(const CK_SP800_108_KDF_PARAMS *params, CK_PRF_DATA_TYPE type)
+{
+ for (size_t offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ if (params->pDataParams[offset].type == type) {
+ return params->pDataParams[offset].pValue;
+ }
+ }
+
+ return NULL;
+}
+
+size_t
+kbkdf_IncrementBuffer(size_t cur_offset, size_t consumed, size_t prf_length)
+{
+ return cur_offset + PR_ROUNDUP(consumed, prf_length);
+}
+
+CK_ULONG
+kbkdf_GetDerivedKeySize(CK_DERIVED_KEY_PTR derived_key)
+{
+ /* Precondition: kbkdf_ValidateDerived(...) returns CKR_OK for this key,
+ * which implies that keySize is defined. */
+
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_ULONG keySize = 0;
+
+ for (size_t offset = 0; offset < derived_key->ulAttributeCount; offset++) {
+ CK_ATTRIBUTE_PTR template = derived_key->pTemplate + offset;
+
+ /* Find the two attributes we care about. */
+ if (template->type == CKA_KEY_TYPE) {
+ keyType = *(CK_KEY_TYPE *)template->pValue;
+ } else if (template->type == CKA_VALUE_LEN) {
+ keySize = *(CK_ULONG *)template->pValue;
+ }
+ }
+
+ /* Prefer keySize, if we have it. */
+ if (keySize > 0) {
+ return keySize;
+ }
+
+ /* Else, fall back to this mapping. We know kbkdf_ValidateDerived(...)
+ * passed, so this should return non-zero.
*/
+ return sftk_MapKeySize(keyType);
+}
+
+static CK_RV
+kbkdf_CalculateLength(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, CK_ULONG ret_key_size, PRUint64 *output_bitlen, size_t *buffer_length)
+{
+ /* Two cases: either we have additional derived keys or we don't. In the
+ * case that we don't, the length of the derivation is the size of the
+ * single derived key, and that is the length of the PRF buffer. Otherwise,
+ * we need to use the proper CK_SP800_108_DKM_LENGTH_METHOD to calculate
+ * the length of the output (in bits), with a separate value for the size
+ * of the PRF data buffer. This means that, under PKCS#11 with additional
+ * derived keys, we lie to the KDF about the _actual_ length of the PRF
+ * output.
+ *
+ * Note that *output_bitlen is the L parameter in NIST SP800-108 and is in
+ * bits. However, *buffer_length is in bytes.
+ */
+
+ if (params->ulAdditionalDerivedKeys == 0) {
+ /* When we have no additional derived keys, we get the keySize from
+ * the value passed to one of our KBKDF_* methods. */
+ *output_bitlen = ret_key_size;
+ *buffer_length = ret_key_size;
+ } else {
+ /* Offset in the additional derived keys array. */
+ size_t offset = 0;
+
+ /* Size of the derived key. */
+ CK_ULONG derived_size = 0;
+
+ /* In the below, we place the sum of the keys into *output_bitlen
+ * and the size of the buffer (with padding mandated by PKCS#11 v3.0)
+ * into *buffer_length. If the method is the segment sum, then we
+ * replace *output_bitlen with *buffer_length at the end. This ensures
+ * we always get a output buffer large enough to handle all derived
+ * keys, and *output_bitlen reflects the correct L value. */
+
+ /* Count the initial derived key. */
+ *output_bitlen = ret_key_size;
+ *buffer_length = kbkdf_IncrementBuffer(0, ret_key_size, ctx->mac_size);
+
+ /* Handle n - 1 keys. The last key is special.
*/
+ for (; offset < params->ulAdditionalDerivedKeys - 1; offset++) {
+ derived_size = kbkdf_GetDerivedKeySize(params->pAdditionalDerivedKeys + offset);
+
+ *output_bitlen += derived_size;
+ *buffer_length = kbkdf_IncrementBuffer(*buffer_length, derived_size, ctx->mac_size);
+ }
+
+ /* Handle the last key. */
+ derived_size = kbkdf_GetDerivedKeySize(params->pAdditionalDerivedKeys + offset);
+
+ *output_bitlen += derived_size;
+ *buffer_length = kbkdf_IncrementBuffer(*buffer_length, derived_size, ctx->mac_size);
+
+ /* Pointer to the DKM method parameter. Note that this implicit cast
+ * is safe since we've assumed we've been validated by
+ * kbkdf_ValidateParameters(...). When kdm_param is NULL, we don't
+ * use the output_bitlen parameter. */
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR dkm_param = kbkdf_FindParameter(params, CK_SP800_108_DKM_LENGTH);
+ if (dkm_param != NULL) {
+ if (dkm_param->dkmLengthMethod == CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS) {
+ *output_bitlen = *buffer_length;
+ }
+ }
+ }
+
+ /* Note that keySize is the size in bytes and ctx->mac_size is also
+ * the size in bytes. However, output_bitlen needs to be in bits, so
+ * multiply by 8 here. */
+ *output_bitlen *= 8;
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_CalculateIterations(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, size_t buffer_length, PRUint32 *num_iterations)
+{
+ CK_SP800_108_COUNTER_FORMAT_PTR param_ptr = NULL;
+ PRUint64 iteration_count;
+ PRUint64 r = 32;
+
+ /* We need to know how many full iterations are required. This is done
+ * by rounding up the division of the PRF length into buffer_length.
+ * However, we're not guaranteed that the last output is a full PRF
+ * invocation, so handle that here. */
+ iteration_count = buffer_length + (ctx->mac_size - 1);
+ iteration_count = iteration_count / ctx->mac_size;
+
+ /* NIST SP800-108, section 5.1, process step #2:
+ *
+ * if n > 2^r - 1, then indicate an error and stop.
+ *
+ * In non-counter mode KDFs, r is set at 32, leaving behavior
+ * under-defined when the optional counter is included but fewer than
+ * 32 bits. This implementation assumes r is 32, but if the counter
+ * parameter is included, validates it against that. In counter-mode
+ * KDFs, this is in the ITERATION_VARIABLE parameter; in feedback- or
+ * pipeline-mode KDFs, this is in the COUNTER parameter.
+ *
+ * This is consistent with the supplied sample CAVP tests; none reuses the
+ * same counter value. In some configurations, this could result in
+ * duplicated KDF output. We seek to avoid that from happening.
+ */
+ if (IS_COUNTER(mech)) {
+ param_ptr = kbkdf_FindParameter(params, CK_SP800_108_ITERATION_VARIABLE);
+
+ /* Validated by kbkdf_ValidateParameters(...) above. */
+ PR_ASSERT(param_ptr != NULL);
+
+ r = ((CK_SP800_108_COUNTER_FORMAT_PTR)param_ptr)->ulWidthInBits;
+ } else {
+ param_ptr = kbkdf_FindParameter(params, CK_SP800_108_COUNTER);
+
+ /* Not guaranteed to exist, hence the default value of r=32. */
+ if (param_ptr != NULL) {
+ r = ((CK_SP800_108_COUNTER_FORMAT_PTR)param_ptr)->ulWidthInBits;
+ }
+ }
+
+ if (iteration_count >= (1ull << r) || r > 32) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ *num_iterations = (PRUint32)iteration_count;
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_AddParameters(CK_MECHANISM_TYPE mech, sftk_MACCtx *ctx, const CK_SP800_108_KDF_PARAMS *params, PRUint32 counter, PRUint64 length, const unsigned char *chaining_prf, size_t chaining_prf_len, CK_PRF_DATA_TYPE exclude)
+{
+ size_t offset = 0;
+ CK_RV ret = CKR_OK;
+
+ for (offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ CK_PRF_DATA_PARAM_PTR param = params->pDataParams + offset;
+
+ if (param->type == exclude) {
+ /* Necessary for Double Pipeline mode: when constructing the IV,
+ * we skip the optional counter.
*/
+ continue;
+ }
+
+ switch (param->type) {
+ case CK_SP800_108_ITERATION_VARIABLE: {
+ /* When present in COUNTER mode, this signifies adding the counter
+ * variable to the PRF. Otherwise, it signifies the chaining
+ * value for other KDF modes. */
+ if (IS_COUNTER(mech)) {
+ CK_SP800_108_COUNTER_FORMAT_PTR counter_format = (CK_SP800_108_COUNTER_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(counter, counter_format->ulWidthInBits, counter_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ } else {
+ ret = sftk_MAC_Update(ctx, chaining_prf, chaining_prf_len);
+ }
+ break;
+ }
+ case CK_SP800_108_COUNTER: {
+ /* Only present in the case when not using COUNTER mode. */
+ PR_ASSERT(!IS_COUNTER(mech));
+
+ /* We should've already validated that this parameter is of
+ * type COUNTER_FORMAT. */
+ CK_SP800_108_COUNTER_FORMAT_PTR counter_format = (CK_SP800_108_COUNTER_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(counter, counter_format->ulWidthInBits, counter_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ break;
+ }
+ case CK_SP800_108_BYTE_ARRAY:
+ ret = sftk_MAC_Update(ctx, (CK_BYTE_PTR)param->pValue, param->ulValueLen);
+ break;
+ case CK_SP800_108_DKM_LENGTH: {
+ /* We've already done the hard work of calculating the length in
+ * the kbkdf_CalculateIterations function; we merely need to add
+ * the length to the desired point in the input stream. */
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR length_format = (CK_SP800_108_DKM_LENGTH_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(length, length_format->ulWidthInBits, length_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ break;
+ }
+ default:
+ /* This should've been caught by kbkdf_ValidateParameters(...).
*/
+ PR_ASSERT(PR_FALSE);
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ if (ret != CKR_OK) {
+ return ret;
+ }
+ }
+
+ return CKR_OK;
+}
+
+CK_RV
+kbkdf_SaveKey(SFTKObject *key, unsigned char *key_buffer, unsigned int key_len)
+{
+ return sftk_forceAttribute(key, CKA_VALUE, key_buffer, key_len);
+}
+
+CK_RV
+kbkdf_CreateKey(CK_MECHANISM_TYPE kdf_mech, CK_SESSION_HANDLE hSession, CK_DERIVED_KEY_PTR derived_key, SFTKObject **ret_key)
+{
+ /* Largely duplicated from NSC_DeriveKey(...) */
+ CK_RV ret = CKR_HOST_MEMORY;
+ SFTKObject *key = NULL;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ size_t offset = 0;
+
+ /* Slot should be non-NULL because NSC_DeriveKey(...) has already
+ * performed a sftk_SlotFromSessionHandle(...) call on this session
+ * handle. However, Coverity incorrectly flagged this (see 1607955). */
+ PR_ASSERT(slot != NULL);
+ PR_ASSERT(ret_key != NULL);
+ PR_ASSERT(derived_key != NULL);
+ PR_ASSERT(derived_key->phKey != NULL);
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* Create the new key object for this additional derived key. */
+ key = sftk_NewObject(slot);
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Setup the key from the provided template. */
+ for (offset = 0; offset < derived_key->ulAttributeCount; offset++) {
+ ret = sftk_AddAttributeType(key, sftk_attr_expand(derived_key->pTemplate + offset));
+ if (ret != CKR_OK) {
+ sftk_FreeObject(key);
+ return ret;
+ }
+ }
+
+ /* When using the CKM_SP800_* series of mechanisms, the result must be a
+ * secret key, so its contents can be adequately protected in FIPS mode.
+ * However, when using the special CKM_NSS_SP800_*_DERIVE_DATA series, the
+ * contents need not be protected, so we set CKO_DATA on these "keys".
*/
+ CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
+ if (DOES_DERIVE_DATA(kdf_mech)) {
+ classType = CKO_DATA;
+ }
+
+ ret = sftk_forceAttribute(key, CKA_CLASS, &classType, sizeof(classType));
+ if (ret != CKR_OK) {
+ sftk_FreeObject(key);
+ return ret;
+ }
+
+ *ret_key = key;
+ return CKR_OK;
+}
+
+CK_RV
+kbkdf_FinalizeKey(CK_SESSION_HANDLE hSession, CK_DERIVED_KEY_PTR derived_key, SFTKObject *key)
+{
+ /* Largely duplicated from NSC_DeriveKey(...) */
+ CK_RV ret = CKR_HOST_MEMORY;
+ SFTKSession *session = NULL;
+
+ PR_ASSERT(derived_key != NULL && key != NULL);
+
+ SFTKSessionObject *sessionForKey = sftk_narrowToSessionObject(key);
+ PR_ASSERT(sessionForKey != NULL);
+ sessionForKey->wasDerived = PR_TRUE;
+
+ session = sftk_SessionFromHandle(hSession);
+
+ /* Session should be non-NULL because NSC_DeriveKey(...) has already
+ * performed a sftk_SessionFromHandle(...) call on this session handle. */
+ PR_ASSERT(session != NULL);
+
+ ret = sftk_handleObject(key, session);
+ if (ret != CKR_OK) {
+ goto done;
+ }
+
+ *(derived_key->phKey) = key->handle;
+
+done:
+ /* Guaranteed that key != NULL */
+ sftk_FreeObject(key);
+
+ /* Doesn't do anything. */
+ if (session) {
+ sftk_FreeSession(session);
+ }
+
+ return ret;
+}
+
+CK_RV
+kbkdf_SaveKeys(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_SP800_108_KDF_PARAMS_PTR params, unsigned char *output_buffer, size_t buffer_len, size_t prf_length, SFTKObject *ret_key, CK_ULONG ret_key_size)
+{
+ CK_RV ret;
+ size_t key_offset = 0;
+ size_t buffer_offset = 0;
+
+ PR_ASSERT(output_buffer != NULL && buffer_len > 0 && ret_key != NULL);
+
+ /* First place key material into the main key. */
+ ret = kbkdf_SaveKey(ret_key, output_buffer + buffer_offset, ret_key_size);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Then increment the offset based on PKCS#11 additional key guidelines:
+ * no two keys may share the key stream from the same PRF invocation.
*/
+ buffer_offset = kbkdf_IncrementBuffer(buffer_offset, ret_key_size, prf_length);
+
+ if (params->ulAdditionalDerivedKeys > 0) {
+ /* Note that the following code is technically incorrect: PKCS#11 v3.0
+ * says that _no_ key should be set in the event of failure to derive
+ * _any_ key. */
+ for (key_offset = 0; key_offset < params->ulAdditionalDerivedKeys; key_offset++) {
+ CK_DERIVED_KEY_PTR derived_key = params->pAdditionalDerivedKeys + key_offset;
+ SFTKObject *key_obj = NULL;
+ size_t key_size = kbkdf_GetDerivedKeySize(derived_key);
+
+ /* Create a new internal key object for this derived key. */
+ ret = kbkdf_CreateKey(mech, hSession, derived_key, &key_obj);
+ if (ret != CKR_OK) {
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+
+ /* Save the underlying key bytes to the key object. */
+ ret = kbkdf_SaveKey(key_obj, output_buffer + buffer_offset, key_size);
+ if (ret != CKR_OK) {
+ /* When kbkdf_CreateKey(...) exits with an error, it will free
+ * the constructed key object. kbkdf_FinalizeKey(...) also
+ * always frees the key object. In the unlikely event that
+ * kbkdf_SaveKey(...) _does_ fail, we thus need to free it
+ * manually. */
+ sftk_FreeObject(key_obj);
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+
+ /* Handle the increment. */
+ buffer_offset = kbkdf_IncrementBuffer(buffer_offset, key_size, prf_length);
+
+ /* Finalize this key. */
+ ret = kbkdf_FinalizeKey(hSession, derived_key, key_obj);
+ if (ret != CKR_OK) {
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+ }
+ }
+
+ return CKR_OK;
+}
+
+/* [ section: KDFs ] */
+
+static CK_RV
+kbkdf_CounterRaw(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance. */
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length.
*/
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_COUNTER_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /*
+ * 5.1 - [ KDF in Counter Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_ITERATION_VARIABLE:].data->ulWidthInBits)
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^r - 1, then indicate an error and stop
+ * 3. result(0) = NULL
+ * 4. for i = 1 to n, do
+ * a. K(i) = PRF(K_I, [i]_2 || Label || 0x00 || Context || [L]_2)
+ * b. result(i) := result(i - 1) || K(i).
+ * 5. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF.
*/
+ ret = kbkdf_AddParameters(CKM_SP800_108_COUNTER_KDF, ctx, params, counter, output_bitlen, NULL, 0 /* chaining_prf output */, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Finalize this iteration of the PRF. */
+ ret = sftk_MAC_Finish(ctx, ret_buffer + buffer_offset, NULL, block_size);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_FeedbackRaw(const CK_SP800_108_KDF_PARAMS *params, const unsigned char *initial_value, CK_ULONG initial_value_length, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance. */
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length. */
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* The last PRF invocation and/or the initial value; used for feedback
+ * chaining in this KDF. Note that we have to make it large enough to
+ * fit the output of the PRF, but we can delay its actual creation until
+ * the first PRF invocation. Until then, point to the IV value. */
+ unsigned char *chaining_value = (unsigned char *)initial_value;
+
+ /* Size of the chaining value discussed above. Defaults to the size of
+ * the IV value.
*/
+ size_t chaining_length = initial_value_length;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_FEEDBACK_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /*
+ * 5.2 - [ KDF in Feedback Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_OPTIONAL_COUNTER:].data->ulWidthInBits)
+ * Note that it is only specified when the optional counter is requested.
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. IV - a binary data field, initial PRF value. (params->pIV)
+ * 5. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^32 - 1, then indicate an error and stop
+ * 3. result(0) = NULL, K(0) := IV (chaining_value)
+ * 4. for i = 1 to n, do
+ * a. K(i) = PRF(K_I, K(i-1) {|| [i]_2} || Label || 0x00 || Context || [L]_2)
+ * b. result(i) := result(i - 1) || K(i).
+ * 5. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF.
*/
+ ret = kbkdf_AddParameters(CKM_SP800_108_FEEDBACK_KDF, ctx, params, counter, output_bitlen, chaining_value, chaining_length, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ if (counter == 1) {
+ /* On the first iteration, chaining_value points to the IV from
+ * the caller and chaining_length is the length of that IV. We
+ * now need to allocate a buffer of suitable length to store the
+ * MAC output. */
+ chaining_value = PORT_ZNewArray(unsigned char, ctx->mac_size);
+ chaining_length = ctx->mac_size;
+
+ if (chaining_value == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+ }
+
+ /* Finalize this iteration of the PRF. Unlike other KDF forms, we
+ * first save this to the chaining value so that we can reuse it
+ * in the next iteration before copying the necessary length to
+ * the output buffer. */
+ ret = sftk_MAC_Finish(ctx, chaining_value, NULL, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Save as much of the chaining value as we need for output. */
+ PORT_Memcpy(ret_buffer + buffer_offset, chaining_value, block_size);
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+ }
+
+finish:
+ if (chaining_value != initial_value && chaining_value != NULL) {
+ PORT_ZFree(chaining_value, chaining_length);
+ }
+
+ return ret;
+}
+
+static CK_RV
+kbkdf_PipelineRaw(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance.
*/
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length. */
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* The last PRF invocation. This is used for the first of the double
+ * PRF invocations this KDF is named after. This defaults to NULL,
+ * signifying that we have to calculate the initial value from params;
+ * when non-NULL, we directly add only this value to the PRF. */
+ unsigned char *chaining_value = NULL;
+
+ /* Size of the chaining value discussed above. Defaults to 0. */
+ size_t chaining_length = 0;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_DOUBLE_PIPELINE_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /*
+ * 5.3 - [ KDF in Double-Pipeline Iteration Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_OPTIONAL_COUNTER:].data->ulWidthInBits)
+ * Note that it is only specified when the optional counter is requested.
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^32 - 1, then indicate an error and stop
+ * 3. result(0) = NULL
+ * 4. A(0) := IV := Label || 0x00 || Context || [L]_2
+ * 5. for i = 1 to n, do
+ * a. A(i) := PRF(K_I, A(i-1))
+ * b.
K(i) := PRF(K_I, A(i) {|| [i]_2} || Label || 0x00 || Context || [L]_2
+ * c. result(i) := result(i-1) || K(i)
+ * 6. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* ===== First pipeline: construct A(i) ===== */
+ if (counter == 1) {
+ /* On the first iteration, we have no chaining value so specify
+ * NULL for the pointer and 0 for the length, and exclude the
+ * optional counter if it exists. This is what NIST specifies as
+ * the IV for the KDF. */
+ ret = kbkdf_AddParameters(CKM_SP800_108_DOUBLE_PIPELINE_KDF, ctx, params, counter, output_bitlen, NULL, 0, CK_SP800_108_OPTIONAL_COUNTER);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Allocate the chaining value so we can save the PRF output. */
+ chaining_value = PORT_ZNewArray(unsigned char, ctx->mac_size);
+ chaining_length = ctx->mac_size;
+ if (chaining_value == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+ } else {
+ /* On all other iterations, the next stage of the first pipeline
+ * comes directly from this stage. */
+ ret = sftk_MAC_Update(ctx, chaining_value, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+
+ /* Save the PRF output to chaining_value for use in the second
+ * pipeline. */
+ ret = sftk_MAC_Finish(ctx, chaining_value, NULL, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Reset the PRF so we can reuse it for the second pipeline. */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* ===== Second pipeline: construct K(i) ===== */
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF. Note that this includes the
+ * chaining value we calculated from the previous pipeline stage.
*/
+ ret = kbkdf_AddParameters(CKM_SP800_108_FEEDBACK_KDF, ctx, params, counter, output_bitlen, chaining_value, chaining_length, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Finalize this iteration of the PRF directly to the output buffer.
+ * Unlike Feedback mode, this pipeline doesn't influence the previous
+ * stage. */
+ ret = sftk_MAC_Finish(ctx, ret_buffer + buffer_offset, NULL, block_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+ }
+
+finish:
+ PORT_ZFree(chaining_value, chaining_length);
+
+ return ret;
+}
+
+static CK_RV
+kbkdf_RawDispatch(CK_MECHANISM_TYPE mech,
+ const CK_SP800_108_KDF_PARAMS *kdf_params,
+ const CK_BYTE *initial_value,
+ CK_ULONG initial_value_length,
+ SFTKObject *prf_key, const unsigned char *prf_key_bytes,
+ unsigned int prf_key_length, unsigned char **out_key_bytes,
+ size_t *out_key_length, unsigned int *mac_size,
+ CK_ULONG ret_key_size)
+{
+ CK_RV ret;
+ /* Context for our underlying PRF function.
+ *
+ * Zeroing context required unconditional call of sftk_MAC_Destroy.
+ */
+ sftk_MACCtx ctx = { 0 };
+
+ /* We need one buffers large enough to fit the entire KDF key stream for
+ * all iterations of the PRF. This needs only include to the end of the
+ * last key, so it isn't an even multiple of the PRF output size. */
+ unsigned char *output_buffer = NULL;
+
+ /* Size of the above buffer, in bytes. Note that this is technically
+ * separate from the below output_bitlen variable due to the presence
+ * of additional derived keys.
See commentary in kbkdf_CalculateLength.
+ */
+ size_t buffer_length = 0;
+
+ /* While NIST specifies a maximum length (in bits) for the counter, they
+ * don't for the maximum length. It is unlikely, but theoretically
+ * possible for output of the PRF to exceed 32 bits while keeping the
+ * counter under 2^32. Thus, use a 64-bit variable for the maximum
+ * output length.
+ *
+ * It is unlikely any caller will request this much data in practice.
+ * 2^32 invocations of the PRF (for a 512-bit PRF) would be 256GB of
+ * data in the KDF key stream alone. The bigger limit is the number of
+ * and size of keys (again, 2^32); this could easily exceed 256GB when
+ * counting the backing softoken key, the key data, template data, and
+ * the input parameters to this KDF.
+ *
+ * This is the L parameter in NIST SP800-108.
+ */
+ PRUint64 output_bitlen = 0;
+
+ /* First validate our passed input parameters against PKCS#11 v3.0
+ * and NIST SP800-108 requirements. */
+ ret = kbkdf_ValidateParameters(mech, kdf_params, ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Initialize the underlying PRF state. */
+ if (prf_key) {
+ ret = sftk_MAC_Init(&ctx, kdf_params->prfType, prf_key);
+ } else {
+ ret = sftk_MAC_InitRaw(&ctx, kdf_params->prfType, prf_key_bytes,
+ prf_key_length, PR_TRUE);
+ }
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Compute the size of our output buffer based on passed parameters and
+ * the output size of the underlying PRF.
*/
+ ret = kbkdf_CalculateLength(kdf_params, &ctx, ret_key_size, &output_bitlen, &buffer_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Allocate memory for the PRF output */
+ output_buffer = PORT_ZNewArray(unsigned char, buffer_length);
+ if (output_buffer == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+
+ /* Call into the underlying KDF */
+ switch (mech) {
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_COUNTER_KDF:
+ ret = kbkdf_CounterRaw(kdf_params, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_FEEDBACK_KDF:
+ ret = kbkdf_FeedbackRaw(kdf_params, initial_value, initial_value_length, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_DOUBLE_PIPELINE_KDF:
+ ret = kbkdf_PipelineRaw(kdf_params, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ default:
+ /* Shouldn't happen unless NIST introduces a new KBKDF type. */
+ PR_ASSERT(PR_FALSE);
+ ret = CKR_FUNCTION_FAILED;
+ }
+
+ /* Validate the above KDF succeeded. */
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ *out_key_bytes = output_buffer;
+ *out_key_length = buffer_length;
+ *mac_size = ctx.mac_size;
+
+ output_buffer = NULL; /* returning the buffer, don't zero and free it */
+
+finish:
+ PORT_ZFree(output_buffer, buffer_length);
+
+ /* Free the PRF. This should handle clearing all sensitive information. */
+ sftk_MAC_Destroy(&ctx, PR_FALSE);
+ return ret;
+}
+
+/* [ section: PKCS#11 entry ] */
+
+CK_RV
+kbkdf_Dispatch(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, SFTKObject *prf_key, SFTKObject *ret_key, CK_ULONG ret_key_size)
+{
+ /* This handles boilerplate common to all KBKDF types. Instead of placing
+ * this in pkcs11c.c, place it here to reduce clutter.
*/
+
+ CK_RV ret;
+
+ /* Assumptions about our calling environment. */
+ PR_ASSERT(pMechanism != NULL && prf_key != NULL && ret_key != NULL);
+
+ /* Validate that the caller passed parameters. */
+ if (pMechanism->pParameter == NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Create a common set of parameters to use for all KDF types. This
+ * separates out the KDF parameters from the Feedback-specific IV,
+ * allowing us to use a common type for all calls. */
+ CK_SP800_108_KDF_PARAMS kdf_params = { 0 };
+ CK_BYTE_PTR initial_value = NULL;
+ CK_ULONG initial_value_length = 0;
+ unsigned char *output_buffer = NULL;
+ size_t buffer_length = 0;
+ unsigned int mac_size = 0;
+
+ /* Split Feedback-specific IV from remaining KDF parameters. */
+ ret = kbkdf_LoadParameters(mech, pMechanism, &kdf_params, &initial_value, &initial_value_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ /* let rawDispatch handle the rest. We split this out so we could
+ * handle the POST test without accessing pkcs #11 objects. */
+ ret = kbkdf_RawDispatch(mech, &kdf_params, initial_value,
+ initial_value_length, prf_key, NULL, 0,
+ &output_buffer, &buffer_length, &mac_size,
+ ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Write the output of the PRF into the appropriate keys.
*/
+ ret = kbkdf_SaveKeys(mech, hSession, &kdf_params, output_buffer, buffer_length, mac_size, ret_key, ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+finish:
+ PORT_ZFree(output_buffer, buffer_length);
+
+ return ret;
+}
+
+struct sftk_SP800_Test_struct {
+ CK_MECHANISM_TYPE mech;
+ CK_SP800_108_KDF_PARAMS kdf_params;
+ unsigned int expected_mac_size;
+ unsigned int ret_key_length;
+ const unsigned char expected_key_bytes[64];
+};
+
+static const CK_SP800_108_COUNTER_FORMAT counter_32 = { 0, 32 };
+static const CK_PRF_DATA_PARAM counter_32_data = { CK_SP800_108_ITERATION_VARIABLE, (CK_VOID_PTR)&counter_32, sizeof(counter_32) };
+
+#ifdef NSS_FULL_POST
+static const CK_SP800_108_COUNTER_FORMAT counter_16 = { 0, 16 };
+static const CK_PRF_DATA_PARAM counter_16_data = { CK_SP800_108_ITERATION_VARIABLE, (CK_VOID_PTR)&counter_16, sizeof(counter_16) };
+static const CK_PRF_DATA_PARAM counter_null_data = { CK_SP800_108_ITERATION_VARIABLE, NULL, 0 };
+#endif
+
+static const struct sftk_SP800_Test_struct sftk_SP800_Tests[] = {
+#ifdef NSS_FULL_POST
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_16_data, 0, NULL },
+ 16,
+ 64,
+ { 0x7b, 0x1c, 0xe7, 0xf3, 0x14, 0x67, 0x15, 0xdd,
+ 0xde, 0x0c, 0x09, 0x46, 0x3f, 0x47, 0x7b, 0xa6,
+ 0xb8, 0xba, 0x40, 0x07, 0x7c, 0xe3, 0x19, 0x53,
+ 0x26, 0xac, 0x4c, 0x2e, 0x2b, 0x37, 0x41, 0xe4,
+ 0x1b, 0x01, 0x3f, 0x2f, 0x2d, 0x16, 0x95, 0xee,
+ 0xeb, 0x7e, 0x72, 0x7d, 0xa4, 0xab, 0x2e, 0x67,
+ 0x1d, 0xef, 0x6f, 0xa2, 0xc6, 0xee, 0x3c, 0xcf,
+ 0xef, 0x88, 0xfd, 0x5c, 0x1d, 0x7b, 0xa0, 0x5a },
+ },
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 48,
+ 64,
+ { 0xe6, 0x62, 0xa4, 0x32, 0x5c, 0xe4, 0xc2, 0x28,
+ 0x73, 0x8a, 0x5d, 0x94, 0xe7, 0x05, 0xe0, 0x5a,
+ 0x71, 0x61, 0xb2, 0x3c, 0x51, 0x28, 0x03, 0x1d,
+ 0xa7, 0xf5, 0x10, 0x83, 0x34, 0xdb, 0x11, 0x73,
+ 0x92, 0xa6, 0x79, 0x74, 0x81, 0x5d, 0x22, 0x7e,
+ 0x8d, 0xf2, 0x59, 0x14,
0x56, 0x60, 0xcf, 0xb2,
+ 0xb3, 0xfd, 0x46, 0xfd, 0x9b, 0x74, 0xfe, 0x4a,
+ 0x09, 0x30, 0x4a, 0xdf, 0x07, 0x43, 0xfe, 0x85 },
+ },
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 64,
+ 64,
+ { 0xb0, 0x78, 0x36, 0xe1, 0x15, 0xd6, 0xf0, 0xac,
+ 0x68, 0x7b, 0x42, 0xd3, 0xb6, 0x82, 0x51, 0xad,
+ 0x95, 0x0a, 0x69, 0x88, 0x84, 0xc2, 0x2e, 0x07,
+ 0x34, 0x62, 0x8d, 0x42, 0x72, 0x0f, 0x22, 0xe6,
+ 0xd5, 0x7f, 0x80, 0x15, 0xe6, 0x84, 0x00, 0x65,
+ 0xef, 0x64, 0x77, 0x29, 0xd6, 0x3b, 0xc7, 0x9a,
+ 0x15, 0x6d, 0x36, 0xf3, 0x96, 0xc9, 0x14, 0x3f,
+ 0x2d, 0x4a, 0x7c, 0xdb, 0xc3, 0x6c, 0x3d, 0x6a },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 16,
+ 64,
+ { 0xc0, 0xa0, 0x23, 0x96, 0x16, 0x4d, 0xd6, 0xbd,
+ 0x2a, 0x75, 0x8e, 0x72, 0xf5, 0xc3, 0xa0, 0xb8,
+ 0x78, 0x83, 0x15, 0x21, 0x34, 0xd3, 0xd8, 0x71,
+ 0xc9, 0xe7, 0x4b, 0x20, 0xb7, 0x65, 0x5b, 0x13,
+ 0xbc, 0x85, 0x54, 0xe3, 0xb6, 0xee, 0x73, 0xd5,
+ 0xf2, 0xa0, 0x94, 0x1a, 0x79, 0x66, 0x3b, 0x1e,
+ 0x67, 0x3e, 0x69, 0xa4, 0x12, 0x40, 0xa9, 0xda,
+ 0x8d, 0x14, 0xb1, 0xce, 0xf1, 0x4b, 0x79, 0x4e },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 32,
+ 64,
+ { 0x99, 0x9b, 0x08, 0x79, 0x14, 0x2e, 0x58, 0x34,
+ 0xd7, 0x92, 0xa7, 0x7e, 0x7f, 0xc2, 0xf0, 0x34,
+ 0xa3, 0x4e, 0x33, 0xf0, 0x63, 0x95, 0x2d, 0xad,
+ 0xbf, 0x3b, 0xcb, 0x6d, 0x4e, 0x07, 0xd9, 0xe9,
+ 0xbd, 0xbd, 0x77, 0x54, 0xe1, 0xa3, 0x36, 0x26,
+ 0xcd, 0xb1, 0xf9, 0x2d, 0x80, 0x68, 0xa2, 0x01,
+ 0x4e, 0xbf, 0x35, 0xec, 0x65, 0xae, 0xfd, 0x71,
+ 0xa6, 0xd7, 0x62, 0x26, 0x2c, 0x3f, 0x73, 0x63 },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 48,
+ 64,
+ { 0xc8, 0x7a, 0xf8, 0xd9, 0x6b, 0x90, 0x82, 0x35,
+ 0xea, 0xf5, 0x2c, 0x8f, 0xce, 0xaa, 0x3b, 0xa5,
+ 0x68, 0xd3, 0x7f, 0xae, 0x31, 0x93, 0xe6, 0x69,
+ 0x0c, 0xd1, 0x74, 0x7f, 0x8f, 0xc2, 0xe2, 0x33,
+ 0x93, 0x45, 0x23, 0xba, 0xb3, 0x73, 0xc9, 0x2c,
+ 0xd6, 0xd2, 0x10, 0x16, 0xe9, 0x9f, 0x9e, 0xe8,
+ 0xc1, 0x0e, 0x29, 0x95, 0x3d, 0x16, 0x68, 0x24,
+ 0x40, 0x4d, 0x40, 0x21, 0x41, 0xa6, 0xc8, 0xdb },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 64,
+ 64,
+ { 0x81, 0x39, 0x12, 0xc2, 0xf9, 0x31, 0x24, 0x7c,
+ 0x71, 0x12, 0x97, 0x08, 0x82, 0x76, 0x83, 0x55,
+ 0x8c, 0x82, 0xf3, 0x09, 0xd6, 0x1b, 0x7a, 0xa2,
+ 0x6e, 0x71, 0x6b, 0xad, 0x46, 0x57, 0x60, 0x89,
+ 0x38, 0xcf, 0x63, 0xfa, 0xf4, 0x38, 0x27, 0xef,
+ 0xf0, 0xaf, 0x75, 0x4e, 0xc2, 0xe0, 0x31, 0xdb,
+ 0x59, 0x7d, 0x19, 0xc9, 0x6d, 0xbb, 0xed, 0x95,
+ 0xaf, 0x3e, 0xd8, 0x33, 0x76, 0xab, 0xec, 0xfa },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 16,
+ 64,
+ { 0x3e, 0xa8, 0xbf, 0x77, 0x84, 0x90, 0xb0, 0x3a,
+ 0x89, 0x16, 0x32, 0x01, 0x92, 0xd3, 0x1f, 0x1b,
+ 0xc1, 0x06, 0xc5, 0x32, 0x62, 0x03, 0x50, 0x16,
+ 0x3b, 0xb9, 0xa7, 0xdc, 0xb5, 0x68, 0x6a, 0xbb,
+ 0xbb, 0x7d, 0x63, 0x69, 0x24, 0x6e, 0x09, 0xd6,
+ 0x6f, 0x80, 0x57, 0x65, 0xc5, 0x62, 0x33, 0x96,
+ 0x69, 0xe6, 0xab, 0x65, 0x36, 0xd0, 0xe2, 0x5c,
+ 0xd7, 0xbd, 0xe4, 0x68, 0x13, 0xd6, 0xb1, 0x46 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 32,
+ 64,
+ { 0xeb, 0x28, 0xd9, 0x2c, 0x19, 0x33, 0xb9, 0x2a,
+ 0xf9, 0xac, 0x85, 0xbd, 0xf4, 0xdb, 0xfa, 0x88,
+ 0x73, 0xf4, 0x36, 0x08, 0xdb, 0xfe, 0x13, 0xd1,
+ 0x5a, 0xec, 0x7b, 0x68, 0x13, 0x53, 0xb3, 0xd1,
+ 0x31, 0xf2, 0x83, 0xae, 0x9f, 0x75, 0x47, 0xb6,
+ 0x6d, 0x3c, 0x20, 0x16, 0x47, 0x9c, 0x27, 0x66,
+ 0xec, 0xa9, 0xdf, 0x0c, 0xda, 0x2a, 0xf9, 0xf4,
+ 0x55, 0x74, 0xde, 0x9d, 0x3f, 0xe3, 0x5e, 0x14 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 48,
+ 64,
+
{ 0xa5, 0xca, 0x32, 0x40, 0x00, 0x93, 0xb2, 0xcc,
+ 0x78, 0x3c, 0xa6, 0xc4, 0xaf, 0xa8, 0xb3, 0xd0,
+ 0xa4, 0x6b, 0xb5, 0x31, 0x35, 0x87, 0x33, 0xa2,
+ 0x6a, 0x6b, 0xe1, 0xff, 0xea, 0x1d, 0x6e, 0x9e,
+ 0x0b, 0xde, 0x8b, 0x92, 0x15, 0xd6, 0x56, 0x2f,
+ 0xb6, 0x1a, 0xd7, 0xd2, 0x01, 0x3e, 0x28, 0x2e,
+ 0xfa, 0x84, 0x3c, 0xc0, 0xe8, 0xbe, 0x94, 0xc0,
+ 0x06, 0xbd, 0xbf, 0x87, 0x1f, 0xb8, 0x64, 0xc2 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 64,
+ 64,
+ { 0x3f, 0xd9, 0x4e, 0x80, 0x58, 0x21, 0xc8, 0xea,
+ 0x22, 0x17, 0xcf, 0x7d, 0xce, 0xfd, 0xec, 0x03,
+ 0xb9, 0xe4, 0xa2, 0xf7, 0xc0, 0xf1, 0x68, 0x81,
+ 0x53, 0x71, 0xb7, 0x42, 0x14, 0x4e, 0x5b, 0x09,
+ 0x05, 0x31, 0xb9, 0x27, 0x18, 0x2d, 0x23, 0xf8,
+ 0x9c, 0x3d, 0x4e, 0xd0, 0xdd, 0xf3, 0x1e, 0x4b,
+ 0xf2, 0xf9, 0x1a, 0x5d, 0x00, 0x66, 0x22, 0x83,
+ 0xae, 0x3c, 0x53, 0xd2, 0x54, 0x4b, 0x06, 0x4c },
+ },
+#endif
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 32,
+ 64,
+ { 0xfb, 0x2b, 0xb5, 0xde, 0xce, 0x5a, 0x2b, 0xdc,
+ 0x25, 0x8f, 0x54, 0x17, 0x4b, 0x5a, 0xa7, 0x90,
+ 0x64, 0x36, 0xeb, 0x43, 0x1f, 0x1d, 0xf9, 0x23,
+ 0xb2, 0x22, 0x29, 0xa0, 0xfa, 0x2e, 0x21, 0xb6,
+ 0xb7, 0xfb, 0x27, 0x0a, 0x1c, 0xa6, 0x58, 0x43,
+ 0xa1, 0x16, 0x44, 0x29, 0x4b, 0x1c, 0xb3, 0x72,
+ 0xd5, 0x98, 0x9d, 0x27, 0xd5, 0x75, 0x25, 0xbf,
+ 0x23, 0x61, 0x40, 0x48, 0xbb, 0x0b, 0x49, 0x8e },
+ }
+};
+
+SECStatus
+sftk_fips_SP800_108_PowerUpSelfTests(void)
+{
+ int i;
+ CK_RV crv;
+
+ const unsigned char prf_key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+ 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78
+ };
+ for (i = 0; i < PR_ARRAY_SIZE(sftk_SP800_Tests); i++) {
+ const struct sftk_SP800_Test_struct *test = &sftk_SP800_Tests[i];
+ unsigned char *output_buffer;
+ size_t buffer_length;
+ unsigned int mac_size;
+
+ crv = kbkdf_RawDispatch(test->mech, &test->kdf_params,
+ prf_key, test->expected_mac_size,
+ NULL, prf_key, test->expected_mac_size,
+ &output_buffer, &buffer_length, &mac_size,
+ test->ret_key_length);
+ if (crv != CKR_OK) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ if ((mac_size != test->expected_mac_size) ||
+ (buffer_length != test->ret_key_length) ||
+ (output_buffer == NULL) ||
+ (PORT_Memcmp(output_buffer, test->expected_key_bytes, buffer_length) != 0)) {
+ PORT_ZFree(output_buffer, buffer_length);
+ return SECFailure;
+ }
+ PORT_ZFree(output_buffer, buffer_length);
+ }
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/legacydb/Makefile b/security/nss/lib/softoken/legacydb/Makefile
new file mode 100644
index 0000000000..1b860a3358
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/Makefile
@@ -0,0 +1,60 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_NO_INIT_SUPPORT
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),ppc)
+ifdef USE_64
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # USE_64
+endif # ppc
+else # !Linux
+ # turn off no init support everywhere for now
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # Linux
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules.
(OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/softoken/legacydb/cdbhdl.h b/security/nss/lib/softoken/legacydb/cdbhdl.h
new file mode 100644
index 0000000000..e7243db775
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/cdbhdl.h
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * cdbhdl.h - certificate database handle
+ * private to the certdb module
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+#include "prtypes.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+ DB *permCertDB;
+ PZMonitor *dbMon;
+ PRBool dbVerify;
+ PRInt32 ref; /* reference count */
+};
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY PR_RDONLY
+#define NO_RDWR PR_RDWR
+#define NO_CREATE (PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY O_RDONLY
+#define NO_RDWR O_RDWR
+#define NO_CREATE (O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+typedef DB *(*rdbfunc)(const char *appName, const char *prefix,
+ const char *type, int flags);
+typedef int (*rdbstatusfunc)(void);
+
+#define RDB_FAIL 1
+#define RDB_RETRY 2
+
+DB *rdbopen(const char *appName, const char *prefix,
+ const char *type, int flags, int *status);
+
+DB *dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
+ const void *appData);
+SECStatus db_Copy(DB *dest, DB *src);
+int db_InitComplete(DB *db);
+
+#endif
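Review bot: The comment `# turn off no init support everywhere for now` under the `else # !Linux` branch in section (3) reads as the opposite of the line it annotates: that line adds `-DNSS_NO_INIT_SUPPORT`, which, going by the macro's name, disables init support rather than disabling "no init support". The same define is also added for Linux/ppc/USE_64 a few lines up with no comment at all, so the reader has to guess why those two cases are singled out. Suggest `# disable init support (define NSS_NO_INIT_SUPPORT) on every non-Linux target for now` here and a one-line reason on the ppc64 case; I am inferring the macro's meaning from its name, so please confirm against where it is consumed.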
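Review bot: `NO_CREATE` in cdbhdl.h includes `PR_TRUNCATE` / `O_TRUNC`, so opening an existing certificate database with this flag set discards its contents, and nothing at the definition says so; a caller picking the "create" flag to mean "create if missing" will silently lose the database. Suggest `/* NO_CREATE truncates an existing file: only use it when the DB is being (re)created from scratch. */` above the `#ifdef DBM_USING_NSPR` block. Two smaller points in the same hunk: `_CDBHDL_H_` is a reserved identifier pattern (leading underscore followed by an uppercase letter), and `PRInt32 ref; /* reference count */` does not say which lock guards it — presumably `dbMon`, but that should be stated at the field, e.g. `/* reference count; guarded by dbMon -- confirm */`.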
diff --git a/security/nss/lib/softoken/legacydb/config.mk b/security/nss/lib/softoken/legacydb/config.mk
new file mode 100644
index 0000000000..54a23c3b0d
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -0,0 +1,50 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+ $(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+ -L$(DIST)/lib \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+ $(DIST)/lib/nssutil3.lib \
+ $(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+ -L$(DIST)/lib \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+endif
diff --git a/security/nss/lib/softoken/legacydb/dbmshim.c b/security/nss/lib/softoken/legacydb/dbmshim.c
new file mode 100644
index 0000000000..cca24bc6be
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/dbmshim.c
@@ -0,0 +1,539 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Berkeley DB 1.85 Shim code to handle blobs. + */ +#include "mcom_db.h" +#include "secitem.h" +#include "nssb64.h" +#include "blapi.h" +#include "secerr.h" + +#include "lgdb.h" + +/* + * Blob block: + * Byte 0 CERTDB Version -+ -+ + * Byte 1 certDBEntryTypeBlob | BLOB_HEAD_LEN | + * Byte 2 flags (always '0'); | | + * Byte 3 reserved (always '0'); -+ | + * Byte 4 LSB length | <--BLOB_LENGTH_START | BLOB_BUF_LEN + * Byte 5 . | | + * Byte 6 . | BLOB_LENGTH_LEN | + * Byte 7 MSB length | | + * Byte 8 blob_filename -+ -+ <-- BLOB_NAME_START | + * Byte 9 . | BLOB_NAME_LEN | + * . . | | + * Byte 37 . -+ -+ + */ +#define DBS_BLOCK_SIZE (16 * 1024) /* 16 k */ +#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */ +#define DBS_CACHE_SIZE DBS_BLOCK_SIZE * 8 +#define ROUNDDIV(x, y) (x + (y - 1)) / y +#define BLOB_HEAD_LEN 4 +#define BLOB_LENGTH_START BLOB_HEAD_LEN +#define BLOB_LENGTH_LEN 4 +#define BLOB_NAME_START BLOB_LENGTH_START + BLOB_LENGTH_LEN +#define BLOB_NAME_LEN 1 + ROUNDDIV(SHA1_LENGTH, 3) * 4 + 1 +#define BLOB_BUF_LEN BLOB_HEAD_LEN + BLOB_LENGTH_LEN + BLOB_NAME_LEN + +/* a Shim data structure. This data structure has a db built into it. */ +typedef struct DBSStr DBS; + +struct DBSStr { + DB db; + char *blobdir; + int mode; + PRBool readOnly; + char staticBlobArea[BLOB_BUF_LEN]; +}; + +/* + * return true if the Datablock contains a blobtype + */ +static PRBool +dbs_IsBlob(DBT *blobData) +{ + unsigned char *addr = (unsigned char *)blobData->data; + if (blobData->size < BLOB_BUF_LEN) { + return PR_FALSE; + } + return addr && ((certDBEntryType)addr[1] == certDBEntryTypeBlob); +} + +/* + * extract the filename in the blob of the real data set. + * This value is not malloced (does not need to be freed by the caller. 
+ */ +static const char * +dbs_getBlobFileName(DBT *blobData) +{ + char *addr = (char *)blobData->data; + + return &addr[BLOB_NAME_START]; +} + +/* + * extract the size of the actual blob from the blob record + */ +static PRUint32 +dbs_getBlobSize(DBT *blobData) +{ + unsigned char *addr = (unsigned char *)blobData->data; + + return (PRUint32)(addr[BLOB_LENGTH_START + 3] << 24) | + (addr[BLOB_LENGTH_START + 2] << 16) | + (addr[BLOB_LENGTH_START + 1] << 8) | + addr[BLOB_LENGTH_START]; +} + +/* We are using base64 data for the filename, but base64 data can include a + * '/' which is interpreted as a path separator on many platforms. Replace it + * with an inocuous '-'. We don't need to convert back because we never actual + * decode the filename. + */ + +static void +dbs_replaceSlash(char *cp, int len) +{ + while (len--) { + if (*cp == '/') + *cp = '-'; + cp++; + } +} + +/* + * create a blob record from a key, data and return it in blobData. + * NOTE: The data element is static data (keeping with the dbm model). 
+ */ +static void +dbs_mkBlob(DBS *dbsp, const DBT *key, const DBT *data, DBT *blobData) +{ + unsigned char sha1_data[SHA1_LENGTH]; + char *b = dbsp->staticBlobArea; + PRUint32 length = data->size; + SECItem sha1Item; + + b[0] = CERT_DB_FILE_VERSION; /* certdb version number */ + b[1] = (char)certDBEntryTypeBlob; /* type */ + b[2] = 0; /* flags */ + b[3] = 0; /* reserved */ + b[BLOB_LENGTH_START] = length & 0xff; + b[BLOB_LENGTH_START + 1] = (length >> 8) & 0xff; + b[BLOB_LENGTH_START + 2] = (length >> 16) & 0xff; + b[BLOB_LENGTH_START + 3] = (length >> 24) & 0xff; + sha1Item.data = sha1_data; + sha1Item.len = SHA1_LENGTH; + SHA1_HashBuf(sha1_data, key->data, key->size); + b[BLOB_NAME_START] = 'b'; /* Make sure we start with a alpha */ + NSSBase64_EncodeItem(NULL, &b[BLOB_NAME_START + 1], BLOB_NAME_LEN - 1, &sha1Item); + b[BLOB_BUF_LEN - 1] = 0; + dbs_replaceSlash(&b[BLOB_NAME_START + 1], BLOB_NAME_LEN - 1); + blobData->data = b; + blobData->size = BLOB_BUF_LEN; + return; +} + +/* + * construct a path to the actual blob. The string returned must be + * freed by the caller with PR_smprintf_free. + * + * Note: this file does lots of consistancy checks on the DBT. The + * routines that call this depend on these checks, so they don't worry + * about them (success of this routine implies a good blobdata record). + */ +static char * +dbs_getBlobFilePath(char *blobdir, DBT *blobData) +{ + const char *name; + + if (blobdir == NULL) { + PR_SetError(SEC_ERROR_BAD_DATABASE, 0); + return NULL; + } + if (!dbs_IsBlob(blobData)) { + PR_SetError(SEC_ERROR_BAD_DATABASE, 0); + return NULL; + } + name = dbs_getBlobFileName(blobData); + if (!name || *name == 0) { + PR_SetError(SEC_ERROR_BAD_DATABASE, 0); + return NULL; + } + return PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name); +} + +/* + * Delete a blob file pointed to by the blob record. 
+ */ +static void +dbs_removeBlob(DBS *dbsp, DBT *blobData) +{ + char *file; + + file = dbs_getBlobFilePath(dbsp->blobdir, blobData); + if (!file) { + return; + } + PR_Delete(file); + PR_smprintf_free(file); +} + +/* + * Directory modes are slightly different, the 'x' bit needs to be on to + * access them. Copy all the read bits to 'x' bits + */ +static int +dbs_DirMode(int mode) +{ + int x_bits = (mode >> 2) & 0111; + return mode | x_bits; +} + +/* + * write a data blob to it's file. blobdData is the blob record that will be + * stored in the database. data is the actual data to go out on disk. + */ +static int +dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data) +{ + char *file = NULL; + PRFileDesc *filed; + PRStatus status; + int len; + int error = 0; + + file = dbs_getBlobFilePath(dbsp->blobdir, blobData); + if (!file) { + goto loser; + } + if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) { + status = PR_MkDir(dbsp->blobdir, dbs_DirMode(mode)); + if (status != PR_SUCCESS) { + goto loser; + } + } + filed = PR_OpenFile(file, PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY, mode); + if (filed == NULL) { + error = PR_GetError(); + goto loser; + } + len = PR_Write(filed, data->data, data->size); + error = PR_GetError(); + PR_Close(filed); + if (len < (int)data->size) { + goto loser; + } + PR_smprintf_free(file); + return 0; + +loser: + if (file) { + PR_Delete(file); + PR_smprintf_free(file); + } + /* don't let close or delete reset the error */ + PR_SetError(error, 0); + return -1; +} + +/* + * platforms that cannot map the file need to read it into a temp buffer. 
+ */ +static unsigned char * +dbs_EmulateMap(PRFileDesc *filed, int len) +{ + unsigned char *addr; + PRInt32 dataRead; + + addr = PORT_Alloc(len); + if (addr == NULL) { + return NULL; + } + + dataRead = PR_Read(filed, addr, len); + if (dataRead != len) { + PORT_Free(addr); + if (dataRead > 0) { + /* PR_Read didn't set an error, we need to */ + PR_SetError(SEC_ERROR_BAD_DATABASE, 0); + } + return NULL; + } + + return addr; +} + +/* + * pull a database record off the disk + * data points to the blob record on input and the real record (if we could + * read it) on output. if there is an error data is not modified. + */ +static int +dbs_readBlob(DBS *dbsp, DBT *data) +{ + char *file = NULL; + PRFileDesc *filed = NULL; + unsigned char *addr = NULL; + int error; + int len = -1; + + file = dbs_getBlobFilePath(dbsp->blobdir, data); + if (!file) { + goto loser; + } + filed = PR_OpenFile(file, PR_RDONLY, 0); + PR_smprintf_free(file); + file = NULL; + if (filed == NULL) { + goto loser; + } + + len = dbs_getBlobSize(data); + /* Bug 1323150 + * PR_MemMap fails on Windows for larger certificates. + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa366761(v=vs.85).aspx + * Let's always use the emulated map, i.e. read the file. 
+ */ + addr = dbs_EmulateMap(filed, len); + if (addr == NULL) { + goto loser; + } + PR_Close(filed); + + data->data = addr; + data->size = len; + return 0; + +loser: + /* preserve the error code */ + error = PR_GetError(); + if (filed) { + PR_Close(filed); + } + PR_SetError(error, 0); + return -1; +} + +/* + * actual DBM shims + */ +static int +dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + ret = (*db->get)(db, key, data, flags); + if ((ret == 0) && dbs_IsBlob(data)) { + ret = dbs_readBlob(dbsp, data); + } + + return (ret); +} + +static int +dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags) +{ + DBT blob; + int ret = 0; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + /* If the db is readonly, just pass the data down to rdb and let it fail */ + if (!dbsp->readOnly) { + DBT oldData; + int ret1; + + /* make sure the current record is deleted if it's a blob */ + ret1 = (*db->get)(db, key, &oldData, 0); + if ((ret1 == 0) && flags == R_NOOVERWRITE) { + /* let DBM return the error to maintain consistancy */ + return (*db->put)(db, key, data, flags); + } + if ((ret1 == 0) && dbs_IsBlob(&oldData)) { + dbs_removeBlob(dbsp, &oldData); + } + + if (data->size > DBS_MAX_ENTRY_SIZE) { + dbs_mkBlob(dbsp, key, data, &blob); + ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data); + data = &blob; + } + } + + if (ret == 0) { + ret = (*db->put)(db, key, data, flags); + } + return (ret); +} + +static int +dbs_sync(const DB *dbs, unsigned int flags) +{ + DB *db = (DB *)dbs->internal; + return (*db->sync)(db, flags); +} + +static int +dbs_del(const DB *dbs, const DBT *key, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + if (!dbsp->readOnly) { + DBT oldData; + ret = (*db->get)(db, key, &oldData, 0); + if ((ret == 0) && dbs_IsBlob(&oldData)) { + dbs_removeBlob(dbsp, &oldData); + } + } + + return (*db->del)(db, key, 
flags); +} + +static int +dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + ret = (*db->seq)(db, key, data, flags); + if ((ret == 0) && dbs_IsBlob(data)) { + /* don't return a blob read as an error so traversals keep going */ + (void)dbs_readBlob(dbsp, data); + } + + return (ret); +} + +static int +dbs_close(DB *dbs) +{ + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + int ret; + + ret = (*db->close)(db); + PORT_Free(dbsp->blobdir); + PORT_Free(dbsp); + return ret; +} + +static int +dbs_fd(const DB *dbs) +{ + DB *db = (DB *)dbs->internal; + + return (*db->fd)(db); +} + +/* + * the naming convention we use is + * change the .xxx into .dir. (for nss it's always .db); + * if no .extension exists or is equal to .dir, add a .dir + * the returned data must be freed. + */ +#define DIRSUFFIX ".dir" +static char * +dbs_mkBlobDirName(const char *dbname) +{ + int dbname_len = PORT_Strlen(dbname); + int dbname_end = dbname_len; + const char *cp; + char *blobDir = NULL; + + /* scan back from the end looking for either a directory separator, a '.', + * or the end of the string. NOTE: Windows should check for both separators + * here. For now this is safe because we know NSS always uses a '.' 
+ */ + for (cp = &dbname[dbname_len]; + (cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR); + cp--) + /* Empty */; + if (*cp == '.') { + dbname_end = cp - dbname; + if (PORT_Strcmp(cp, DIRSUFFIX) == 0) { + dbname_end = dbname_len; + } + } + blobDir = PORT_ZAlloc(dbname_end + sizeof(DIRSUFFIX)); + if (blobDir == NULL) { + return NULL; + } + PORT_Memcpy(blobDir, dbname, dbname_end); + PORT_Memcpy(&blobDir[dbname_end], DIRSUFFIX, sizeof(DIRSUFFIX)); + return blobDir; +} + +#define DBM_DEFAULT 0 +static const HASHINFO dbs_hashInfo = { + DBS_BLOCK_SIZE, /* bucket size, must be greater than = to + * or maximum entry size (+ header) + * we allow before blobing */ + DBM_DEFAULT, /* Fill Factor */ + DBM_DEFAULT, /* number of elements */ + DBS_CACHE_SIZE, /* cache size */ + DBM_DEFAULT, /* hash function */ + DBM_DEFAULT, /* byte order */ +}; + +/* + * the open function. NOTE: this is the only exposed function in this file. + * everything else is called through the function table pointer. + */ +DB * +dbsopen(const char *dbname, int flags, int mode, DBTYPE type, + const void *userData) +{ + DB *db = NULL, *dbs = NULL; + DBS *dbsp = NULL; + + /* NOTE: we are overriding userData with dbs_hashInfo. 
since all known + * callers pass 0, this is ok, otherwise we should merge the two */ + + dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS)); + if (!dbsp) { + return NULL; + } + dbs = &dbsp->db; + + dbsp->blobdir = dbs_mkBlobDirName(dbname); + if (dbsp->blobdir == NULL) { + goto loser; + } + dbsp->mode = mode; + dbsp->readOnly = (PRBool)(flags == NO_RDONLY); + + /* the real dbm call */ + db = dbopen(dbname, flags, mode, type, &dbs_hashInfo); + if (db == NULL) { + goto loser; + } + dbs->internal = (void *)db; + dbs->type = type; + dbs->close = dbs_close; + dbs->get = dbs_get; + dbs->del = dbs_del; + dbs->put = dbs_put; + dbs->seq = dbs_seq; + dbs->sync = dbs_sync; + dbs->fd = dbs_fd; + + return dbs; +loser: + if (db) { + (*db->close)(db); + } + if (dbsp->blobdir) { + PORT_Free(dbsp->blobdir); + } + PORT_Free(dbsp); + return NULL; +} diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c new file mode 100644 index 0000000000..22ab1cc0ef --- /dev/null +++ b/security/nss/lib/softoken/legacydb/keydb.c 
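Review bot: The `loser:` path of dbs_writeBlob finishes with `PR_SetError(error, 0)` while `error` is still its initial 0 on two of the three failure paths — when dbs_getBlobFilePath returns NULL (it had just set SEC_ERROR_BAD_DATABASE) and when PR_MkDir fails — so the real error code is replaced by 0 before the caller in dbs_put sees it. Capturing it before the cleanup calls, `loser: if (error == 0) { error = PR_GetError(); }` placed ahead of the PR_Delete/PR_smprintf_free pair, preserves the original code on every path. Separately, dbs_getBlobSize shifts a promoted `int` left by 24, which is undefined behaviour once the top length byte is 0x80 or larger; casting before the shift, `return ((PRUint32)addr[BLOB_LENGTH_START + 3] << 24) | ...`, and doing the same for the other three terms avoids it. The comment on dbs_getBlobFilePath saying this file "does lots of consistancy checks" overstates what the code does: a blob name read back from a record is checked only for being non-empty, not for NUL-termination within BLOB_BUF_LEN nor for containing PATH_SEPARATOR, before it is joined to blobdir and later handed to PR_Delete in dbs_removeBlob, so a malformed record escapes the directory the blob store is meant to confine it to. Either add those two checks there or reword the comment so callers do not rely on checks that are not performed.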
@@ -0,0 +1,2274 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "lowkeyi.h" +#include "secasn1.h" +#include "secder.h" +#include "secoid.h" +#include "blapi.h" +#include "secitem.h" +#include "pcert.h" +#include "mcom_db.h" +#include "secerr.h" + +#include "keydbi.h" +#include "lgdb.h" + +/* + * Record keys for keydb + */ +#define SALT_STRING "global-salt" +#define VERSION_STRING "Version" +#define KEYDB_PW_CHECK_STRING "password-check" +#define KEYDB_PW_CHECK_LEN 14 +#define KEYDB_FAKE_PW_CHECK_STRING "fake-password-check" +#define KEYDB_FAKE_PW_CHECK_LEN 19 + +/* Size of the global salt for key database */ +#define SALT_LENGTH 16 + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, + offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, encryptedData) }, + { 0 } +}; + +const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = { + { SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate } +}; + +/* ====== Default key databse encryption algorithm ====== */ +static void +sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey) +{ + if (dbkey && dbkey->arena) { + PORT_FreeArena(dbkey->arena, PR_FALSE); + } +} + +static void +free_dbt(DBT *dbt) +{ + if (dbt) { + PORT_Free(dbt->data); + PORT_Free(dbt); + } + + return; +} + +static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); +static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); +static int keydb_Sync(NSSLOWKEYDBHandle *db, unsigned int flags); +static int 
keydb_Del(NSSLOWKEYDBHandle *db, DBT *key, unsigned int flags); +static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data, + unsigned int flags); +static void keydb_Close(NSSLOWKEYDBHandle *db); + +/* + * format of key database entries for version 3 of database: + * byte offset field + * ----------- ----- + * 0 version + * 1 salt-len + * 2 nn-len + * 3.. salt-data + * ... nickname + * ... encrypted-key-data + */ +static DBT * +encode_dbkey(NSSLOWKEYDBKey *dbkey, unsigned char version) +{ + DBT *bufitem = NULL; + unsigned char *buf; + int nnlen; + char *nn; + + bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT)); + if (bufitem == NULL) { + goto loser; + } + + if (dbkey->nickname) { + nn = dbkey->nickname; + nnlen = PORT_Strlen(nn) + 1; + } else { + nn = ""; + nnlen = 1; + } + + /* compute the length of the record */ + /* 1 + 1 + 1 == version number header + salt length + nn len */ + bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1; + + bufitem->data = (void *)PORT_ZAlloc(bufitem->size); + if (bufitem->data == NULL) { + goto loser; + } + + buf = (unsigned char *)bufitem->data; + + /* set version number */ + buf[0] = version; + + /* set length of salt */ + PORT_Assert(dbkey->salt.len < 256); + buf[1] = dbkey->salt.len; + + /* set length of nickname */ + PORT_Assert(nnlen < 256); + buf[2] = nnlen; + + /* copy salt */ + if (dbkey->salt.len > 0) { + PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len); + } + + /* copy nickname */ + PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen); + + /* copy encrypted key */ + PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data, + dbkey->derPK.len); + + return (bufitem); + +loser: + if (bufitem) { + free_dbt(bufitem); + } + + return (NULL); +} + +static NSSLOWKEYDBKey * +decode_dbkey(DBT *bufitem, int expectedVersion) +{ + NSSLOWKEYDBKey *dbkey; + PLArenaPool *arena = NULL; + unsigned char *buf; + int version; + int keyoff; + int nnlen; + int saltoff; + + buf = (unsigned char *)bufitem->data; + + 
version = buf[0]; + + if (version != expectedVersion) { + goto loser; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + goto loser; + } + + dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey)); + if (dbkey == NULL) { + goto loser; + } + + dbkey->arena = arena; + dbkey->salt.data = NULL; + dbkey->derPK.data = NULL; + + dbkey->salt.len = buf[1]; + dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len); + if (dbkey->salt.data == NULL) { + goto loser; + } + + saltoff = 2; + keyoff = 2 + dbkey->salt.len; + + if (expectedVersion >= 3) { + nnlen = buf[2]; + if (nnlen) { + dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1); + if (dbkey->nickname) { + PORT_Memcpy(dbkey->nickname, &buf[keyoff + 1], nnlen); + } + } + keyoff += (nnlen + 1); + saltoff = 3; + } + + PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len); + + dbkey->derPK.len = bufitem->size - keyoff; + dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->derPK.len); + if (dbkey->derPK.data == NULL) { + goto loser; + } + + PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len); + + return (dbkey); + +loser: + + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (NULL); +} + +static NSSLOWKEYDBKey * +get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index) +{ + NSSLOWKEYDBKey *dbkey; + DBT entry; + int ret; + + /* get it from the database */ + ret = keydb_Get(handle, index, &entry, 0); + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; + } + + /* set up dbkey struct */ + + dbkey = decode_dbkey(&entry, handle->version); + + return (dbkey); +} + +static SECStatus +put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool update) +{ + DBT *keydata = NULL; + int status; + + keydata = encode_dbkey(dbkey, handle->version); + if (keydata == NULL) { + goto loser; + } + + /* put it in the database */ + if (update) { + status = keydb_Put(handle, index, keydata, 0); + } 
else { + status = keydb_Put(handle, index, keydata, R_NOOVERWRITE); + } + + if (status) { + goto loser; + } + + /* sync the database */ + status = keydb_Sync(handle, 0); + if (status) { + goto loser; + } + + free_dbt(keydata); + return (SECSuccess); + +loser: + if (keydata) { + free_dbt(keydata); + } + + return (SECFailure); +} + +SECStatus +nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle, + SECStatus (*keyfunc)(DBT *k, DBT *d, void *pdata), + void *udata) +{ + DBT data; + DBT key; + SECStatus status; + int ret; + + if (handle == NULL) { + return (SECFailure); + } + + ret = keydb_Seq(handle, &key, &data, R_FIRST); + if (ret) { + return (SECFailure); + } + + do { + /* skip version record */ + if (data.size > 1) { + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + + /* skip password check */ + if (key.size == KEYDB_PW_CHECK_LEN) { + if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, + KEYDB_PW_CHECK_LEN) == 0) { + continue; + } + } + + status = (*keyfunc)(&key, &data, udata); + if (status != SECSuccess) { + return (status); + } + } + } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0); + + return (SECSuccess); +} + +#ifdef notdef +typedef struct keyNode { + struct keyNode *next; + DBT key; +} keyNode; + +typedef struct { + PLArenaPool *arena; + keyNode *head; +} keyList; + +static SECStatus +sec_add_key_to_list(DBT *key, DBT *data, void *arg) +{ + keyList *keylist; + keyNode *node; + void *keydata; + + keylist = (keyList *)arg; + + /* allocate the node struct */ + node = (keyNode *)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode)); + if (node == NULL) { + return (SECFailure); + } + + /* allocate room for key data */ + keydata = PORT_ArenaZAlloc(keylist->arena, key->size); + if (keydata == NULL) { + return (SECFailure); + } + + /* link node into list */ + node->next = keylist->head; + keylist->head = node; + + /* copy key into node */ + PORT_Memcpy(keydata, key->data, key->size); + 
node->key.size = key->size; + node->key.data = keydata; + + return (SECSuccess); +} +#endif + +static SECItem * +decodeKeyDBGlobalSalt(DBT *saltData) +{ + SECItem *saltitem; + + saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (saltitem == NULL) { + return (NULL); + } + + saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size); + if (saltitem->data == NULL) { + PORT_Free(saltitem); + return (NULL); + } + + saltitem->len = saltData->size; + PORT_Memcpy(saltitem->data, saltData->data, saltitem->len); + + return (saltitem); +} + +static SECItem * +GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle) +{ + DBT saltKey; + DBT saltData; + int ret; + + saltKey.data = SALT_STRING; + saltKey.size = sizeof(SALT_STRING) - 1; + + ret = keydb_Get(handle, &saltKey, &saltData, 0); + if (ret) { + return (NULL); + } + + return (decodeKeyDBGlobalSalt(&saltData)); +} + +static SECStatus +StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle, SECItem *salt) +{ + DBT saltKey; + DBT saltData; + int status; + + saltKey.data = SALT_STRING; + saltKey.size = sizeof(SALT_STRING) - 1; + + saltData.data = (void *)salt->data; + saltData.size = salt->len; + + /* put global salt into the database now */ + status = keydb_Put(handle, &saltKey, &saltData, 0); + if (status) { + return (SECFailure); + } + + return (SECSuccess); +} + +static SECStatus +makeGlobalVersion(NSSLOWKEYDBHandle *handle) +{ + unsigned char version; + DBT versionData; + DBT versionKey; + int status; + + version = NSSLOWKEY_DB_FILE_VERSION; + versionData.data = &version; + versionData.size = 1; + versionKey.data = VERSION_STRING; + versionKey.size = sizeof(VERSION_STRING) - 1; + + /* put version string into the database now */ + status = keydb_Put(handle, &versionKey, &versionData, 0); + if (status) { + return (SECFailure); + } + handle->version = version; + + return (SECSuccess); +} + +static SECStatus +makeGlobalSalt(NSSLOWKEYDBHandle *handle) +{ + DBT saltKey; + DBT saltData; + unsigned char saltbuf[16]; + int status; + + 
saltKey.data = SALT_STRING; + saltKey.size = sizeof(SALT_STRING) - 1; + + saltData.data = (void *)saltbuf; + saltData.size = sizeof(saltbuf); + RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf)); + + /* put global salt into the database now */ + status = keydb_Put(handle, &saltKey, &saltData, 0); + if (status) { + return (SECFailure); + } + + return (SECSuccess); +} + +static SECStatus +encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg, + SECItem *encCheck); + +static unsigned char +nsslowkey_version(NSSLOWKEYDBHandle *handle) +{ + DBT versionKey; + DBT versionData; + int ret; + versionKey.data = VERSION_STRING; + versionKey.size = sizeof(VERSION_STRING) - 1; + + if (handle->db == NULL) { + return 255; + } + + /* lookup version string in database */ + ret = keydb_Get(handle, &versionKey, &versionData, 0); + + /* error accessing the database */ + if (ret < 0) { + return 255; + } + + if (ret >= 1) { + return 0; + } + return *((unsigned char *)versionData.data); +} + +static PRBool +seckey_HasAServerKey(NSSLOWKEYDBHandle *handle) +{ + DBT key; + DBT data; + int ret; + PRBool found = PR_FALSE; + + ret = keydb_Seq(handle, &key, &data, R_FIRST); + if (ret) { + return PR_FALSE; + } + + do { + /* skip version record */ + if (data.size > 1) { + /* skip salt */ + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + /* skip pw check entry */ + if (key.size == KEYDB_PW_CHECK_LEN) { + if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING, + KEYDB_PW_CHECK_LEN) == 0) { + continue; + } + } + + /* keys stored by nickname will have 0 as the last byte of the + * db key. Other keys must be stored by modulus. We will not + * update those because they are left over from a keygen that + * never resulted in a cert. 
+ */ + if (((unsigned char *)key.data)[key.size - 1] != 0) { + continue; + } + + if (PORT_Strcmp(key.data, "Server-Key") == 0) { + found = PR_TRUE; + break; + } + } + } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0); + + return found; +} + +/* forward declare local create function */ +static NSSLOWKEYDBHandle *nsslowkey_NewHandle(DB *dbHandle); + +/* + * currently updates key database from v2 to v3 + */ +static SECStatus +nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle) +{ + SECStatus rv; + DBT checkKey; + DBT checkData; + DBT saltKey; + DBT saltData; + DBT key; + DBT data; + unsigned char version; + NSSLOWKEYDBKey *dbkey = NULL; + NSSLOWKEYDBHandle *update = NULL; + SECItem *oldSalt = NULL; + int ret; + SECItem checkitem; + + if (handle->updatedb == NULL) { + return SECSuccess; + } + + /* create a full DB Handle for our update so we + * can use the correct locks for the db primatives */ + update = nsslowkey_NewHandle(handle->updatedb); + if (update == NULL) { + return SECSuccess; + } + + /* update has now inherited the database handle */ + handle->updatedb = NULL; + + /* + * check the version record + */ + version = nsslowkey_version(update); + if (version != 2) { + goto done; + } + + saltKey.data = SALT_STRING; + saltKey.size = sizeof(SALT_STRING) - 1; + + ret = keydb_Get(update, &saltKey, &saltData, 0); + if (ret) { + /* no salt in old db, so it is corrupted */ + goto done; + } + + oldSalt = decodeKeyDBGlobalSalt(&saltData); + if (oldSalt == NULL) { + /* bad salt in old db, so it is corrupted */ + goto done; + } + + /* + * look for a pw check entry + */ + checkKey.data = KEYDB_PW_CHECK_STRING; + checkKey.size = KEYDB_PW_CHECK_LEN; + + ret = keydb_Get(update, &checkKey, &checkData, 0); + if (ret) { + /* + * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must + * be an old server database, and it does have a password associated + * with it. Put a fake entry in so we can identify this db when we do + * get the password for it. 
+ */ + if (seckey_HasAServerKey(update)) { + DBT fcheckKey; + DBT fcheckData; + + /* + * include a fake string + */ + fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING; + fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN; + fcheckData.data = "1"; + fcheckData.size = 1; + /* put global salt into the new database now */ + ret = keydb_Put(handle, &saltKey, &saltData, 0); + if (ret) { + goto done; + } + ret = keydb_Put(handle, &fcheckKey, &fcheckData, 0); + if (ret) { + goto done; + } + } else { + goto done; + } + } else { + /* put global salt into the new database now */ + ret = keydb_Put(handle, &saltKey, &saltData, 0); + if (ret) { + goto done; + } + + dbkey = decode_dbkey(&checkData, 2); + if (dbkey == NULL) { + goto done; + } + checkitem = dbkey->derPK; + dbkey->derPK.data = NULL; + + /* format the new pw check entry */ + rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem); + if (rv != SECSuccess) { + goto done; + } + + rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE); + if (rv != SECSuccess) { + goto done; + } + + /* free the dbkey */ + sec_destroy_dbkey(dbkey); + dbkey = NULL; + } + + /* now traverse the database */ + ret = keydb_Seq(update, &key, &data, R_FIRST); + if (ret) { + goto done; + } + + do { + /* skip version record */ + if (data.size > 1) { + /* skip salt */ + if (key.size == (sizeof(SALT_STRING) - 1)) { + if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) { + continue; + } + } + /* skip pw check entry */ + if (key.size == checkKey.size) { + if (PORT_Memcmp(key.data, checkKey.data, key.size) == 0) { + continue; + } + } + + /* keys stored by nickname will have 0 as the last byte of the + * db key. Other keys must be stored by modulus. We will not + * update those because they are left over from a keygen that + * never resulted in a cert. 
+ */ + if (((unsigned char *)key.data)[key.size - 1] != 0) { + continue; + } + + dbkey = decode_dbkey(&data, 2); + if (dbkey == NULL) { + continue; + } + + /* This puts the key into the new database with the same + * index (nickname) that it had before. The second pass + * of the update will have the password. It will decrypt + * and re-encrypt the entries using a new algorithm. + */ + dbkey->nickname = (char *)key.data; + rv = put_dbkey(handle, &key, dbkey, PR_FALSE); + dbkey->nickname = NULL; + + sec_destroy_dbkey(dbkey); + } + } while (keydb_Seq(update, &key, &data, R_NEXT) == 0); + + dbkey = NULL; + +done: + /* sync the database */ + ret = keydb_Sync(handle, 0); + + nsslowkey_CloseKeyDB(update); + + if (oldSalt) { + SECITEM_FreeItem(oldSalt, PR_TRUE); + } + + if (dbkey) { + sec_destroy_dbkey(dbkey); + } + + return (SECSuccess); +} + +static SECStatus +openNewDB(const char *appName, const char *prefix, const char *dbname, + NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg) +{ + SECStatus rv = SECFailure; + int status = RDB_FAIL; + char *updname = NULL; + DB *updatedb = NULL; + PRBool updated = PR_FALSE; + int ret; + + if (appName) { + handle->db = rdbopen(appName, prefix, "key", NO_CREATE, &status); + } else { + handle->db = dbopen(dbname, NO_CREATE, 0600, DB_HASH, 0); + } + /* if create fails then we lose */ + if (handle->db == NULL) { + return (status == RDB_RETRY) ? SECWouldBlock : SECFailure; + } + + /* force a transactional read, which will verify that one and only one + * process attempts the update. */ + if (nsslowkey_version(handle) == NSSLOWKEY_DB_FILE_VERSION) { + /* someone else has already updated the database for us */ + db_InitComplete(handle->db); + return SECSuccess; + } + + /* + * if we are creating a multiaccess database, see if there is a + * local database we can update from. 
+ */ + if (appName) { + NSSLOWKEYDBHandle *updateHandle; + updatedb = dbopen(dbname, NO_RDONLY, 0600, DB_HASH, 0); + if (!updatedb) { + goto noupdate; + } + + /* nsslowkey_version needs a full handle because it calls + * the kdb_Get() function, which needs to lock. + */ + updateHandle = nsslowkey_NewHandle(updatedb); + if (!updateHandle) { + updatedb->close(updatedb); + goto noupdate; + } + + handle->version = nsslowkey_version(updateHandle); + if (handle->version != NSSLOWKEY_DB_FILE_VERSION) { + nsslowkey_CloseKeyDB(updateHandle); + goto noupdate; + } + + /* copy the new DB from the old one */ + db_Copy(handle->db, updatedb); + nsslowkey_CloseKeyDB(updateHandle); + db_InitComplete(handle->db); + return SECSuccess; + } +noupdate: + + /* update the version number */ + rv = makeGlobalVersion(handle); + if (rv != SECSuccess) { + goto loser; + } + + /* + * try to update from v2 db + */ + updname = (*namecb)(cbarg, 2); + if (updname != NULL) { + handle->updatedb = dbopen(updname, NO_RDONLY, 0600, DB_HASH, 0); + PORT_Free(updname); + + if (handle->updatedb) { + /* + * Try to update the db using a null password. If the db + * doesn't have a password, then this will work. 
If it does + * have a password, then this will fail and we will do the + * update later + */ + rv = nsslowkey_UpdateKeyDBPass1(handle); + if (rv == SECSuccess) { + updated = PR_TRUE; + } + } + } + + /* we are using the old salt if we updated from an old db */ + if (!updated) { + rv = makeGlobalSalt(handle); + if (rv != SECSuccess) { + goto loser; + } + } + + /* sync the database */ + ret = keydb_Sync(handle, 0); + if (ret) { + rv = SECFailure; + goto loser; + } + rv = SECSuccess; + +loser: + db_InitComplete(handle->db); + return rv; +} + +static DB * +openOldDB(const char *appName, const char *prefix, const char *dbname, + PRBool openflags) +{ + DB *db = NULL; + + if (appName) { + db = rdbopen(appName, prefix, "key", openflags, NULL); + } else { + db = dbopen(dbname, openflags, 0600, DB_HASH, 0); + } + + return db; +} + +/* check for correct version number */ +static PRBool +verifyVersion(NSSLOWKEYDBHandle *handle) +{ + int version = nsslowkey_version(handle); + + handle->version = version; + if (version != NSSLOWKEY_DB_FILE_VERSION) { + if (handle->db) { + keydb_Close(handle); + handle->db = NULL; + } + } + return handle->db != NULL; +} + +static NSSLOWKEYDBHandle * +nsslowkey_NewHandle(DB *dbHandle) +{ + NSSLOWKEYDBHandle *handle; + handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc(sizeof(NSSLOWKEYDBHandle)); + if (handle == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + + handle->appname = NULL; + handle->dbname = NULL; + handle->global_salt = NULL; + handle->updatedb = NULL; + handle->db = dbHandle; + handle->ref = 1; + handle->lock = PZ_NewLock(nssILockKeyDB); + + return handle; +} + +NSSLOWKEYDBHandle * +nsslowkey_OpenKeyDB(PRBool readOnly, const char *appName, const char *prefix, + NSSLOWKEYDBNameFunc namecb, void *cbarg) +{ + NSSLOWKEYDBHandle *handle = NULL; + SECStatus rv; + int openflags; + char *dbname = NULL; + + handle = nsslowkey_NewHandle(NULL); + + openflags = readOnly ? 
NO_RDONLY : NO_RDWR; + + dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION); + if (dbname == NULL) { + goto loser; + } + handle->appname = appName ? PORT_Strdup(appName) : NULL; + handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : (prefix ? PORT_Strdup(prefix) : NULL); + handle->readOnly = readOnly; + + handle->db = openOldDB(appName, prefix, dbname, openflags); + if (handle->db) { + verifyVersion(handle); + if (handle->version == 255) { + goto loser; + } + } + + /* if first open fails, try to create a new DB */ + if (handle->db == NULL) { + if (readOnly) { + goto loser; + } + + rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg); + /* two processes started to initialize the database at the same time. + * The multiprocess code blocked the second one, then had it retry to + * see if it can just open the database normally */ + if (rv == SECWouldBlock) { + handle->db = openOldDB(appName, prefix, dbname, openflags); + verifyVersion(handle); + if (handle->db == NULL) { + goto loser; + } + } else if (rv != SECSuccess) { + goto loser; + } + } + + handle->global_salt = GetKeyDBGlobalSalt(handle); + if (dbname) + PORT_Free(dbname); + return handle; + +loser: + + if (dbname) + PORT_Free(dbname); + PORT_SetError(SEC_ERROR_BAD_DATABASE); + nsslowkey_CloseKeyDB(handle); + return NULL; +} + +/* + * Close the database + */ +void +nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle) +{ + if (handle != NULL) { + if (handle->db != NULL) { + keydb_Close(handle); + } + if (handle->updatedb) { + handle->updatedb->close(handle->updatedb); + } + if (handle->dbname) + PORT_Free(handle->dbname); + if (handle->appname) + PORT_Free(handle->appname); + if (handle->global_salt) { + SECITEM_FreeItem(handle->global_salt, PR_TRUE); + } + if (handle->lock != NULL) { + SKIP_AFTER_FORK(PZ_DestroyLock(handle->lock)); + } + + PORT_Free(handle); + } +} + +/* Get the key database version */ +int +nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle) +{ + PORT_Assert(handle != NULL); + + 
return handle->version; +} + +/* + * Delete a private key that was stored in the database + */ +SECStatus +nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, const SECItem *pubkey) +{ + DBT namekey; + int ret; + + if (handle == NULL) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); + } + + /* set up db key and data */ + namekey.data = pubkey->data; + namekey.size = pubkey->len; + + /* delete it from the database */ + ret = keydb_Del(handle, &namekey, 0); + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); + } + + /* sync the database */ + ret = keydb_Sync(handle, 0); + if (ret) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); + } + + return (SECSuccess); +} + +/* + * Store a key in the database, indexed by its public key modulus.(value!) + */ +SECStatus +nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb) +{ + return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, + nickname, sdb, PR_FALSE); +} + +SECStatus +nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb) +{ + return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData, + nickname, sdb, PR_TRUE); +} + +/* see if the symetric CKA_ID already Exists. 
+ */ +PRBool +nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id) +{ + DBT namekey; + DBT dummy; + int status; + + namekey.data = (char *)id->data; + namekey.size = id->len; + status = keydb_Get(handle, &namekey, &dummy, 0); + if (status) { + return PR_FALSE; + } + + return PR_TRUE; +} + +/* see if the public key for this cert is in the database filed + * by modulus + */ +PRBool +nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cert) +{ + NSSLOWKEYPublicKey *pubkey = NULL; + DBT namekey; + DBT dummy; + int status; + + /* get cert's public key */ + pubkey = nsslowcert_ExtractPublicKey(cert); + if (pubkey == NULL) { + return PR_FALSE; + } + + /* TNH - make key from NSSLOWKEYPublicKey */ + switch (pubkey->keyType) { + case NSSLOWKEYRSAKey: + namekey.data = pubkey->u.rsa.modulus.data; + namekey.size = pubkey->u.rsa.modulus.len; + break; + case NSSLOWKEYDSAKey: + namekey.data = pubkey->u.dsa.publicValue.data; + namekey.size = pubkey->u.dsa.publicValue.len; + break; + case NSSLOWKEYDHKey: + namekey.data = pubkey->u.dh.publicValue.data; + namekey.size = pubkey->u.dh.publicValue.len; + break; + case NSSLOWKEYECKey: + namekey.data = pubkey->u.ec.publicValue.data; + namekey.size = pubkey->u.ec.publicValue.len; + break; + default: + /* XXX We don't do Fortezza or DH yet. */ + return PR_FALSE; + } + + if (handle->version != 3) { + unsigned char buf[SHA1_LENGTH]; + SHA1_HashBuf(buf, namekey.data, namekey.size); + /* NOTE: don't use pubkey after this! 
it's now thrashed */ + PORT_Memcpy(namekey.data, buf, sizeof(buf)); + namekey.size = sizeof(buf); + } + + status = keydb_Get(handle, &namekey, &dummy, 0); + /* some databases have the key stored as a signed value */ + if (status) { + unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size + 1); + if (buf) { + PORT_Memcpy(&buf[1], namekey.data, namekey.size); + buf[0] = 0; + namekey.data = buf; + namekey.size++; + status = keydb_Get(handle, &namekey, &dummy, 0); + PORT_Free(buf); + } + } + lg_nsslowkey_DestroyPublicKey(pubkey); + if (status) { + return PR_FALSE; + } + + return PR_TRUE; +} + +typedef struct NSSLowPasswordDataParamStr { + SECItem salt; + SECItem iter; +} NSSLowPasswordDataParam; + +static const SEC_ASN1Template NSSLOWPasswordParamTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLowPasswordDataParam) }, + { SEC_ASN1_OCTET_STRING, offsetof(NSSLowPasswordDataParam, salt) }, + { SEC_ASN1_INTEGER, offsetof(NSSLowPasswordDataParam, iter) }, + { 0 } +}; +struct LGEncryptedDataInfoStr { + SECAlgorithmID algorithm; + SECItem encryptedData; +}; +typedef struct LGEncryptedDataInfoStr LGEncryptedDataInfo; + +const SEC_ASN1Template lg_EncryptedDataInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(LGEncryptedDataInfo) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(LGEncryptedDataInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, + offsetof(LGEncryptedDataInfo, encryptedData) }, + { 0 } +}; + +static SECItem * +nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data) +{ + NSSLowPasswordDataParam param; + LGEncryptedDataInfo edi; + PLArenaPool *arena; + unsigned char one = 1; + SECItem *epw = NULL; + SECItem *encParam; + int iterLen = 0; + int saltLen; + SECStatus rv; + + param.salt = *salt; + param.iter.type = siBuffer; /* encode as signed integer */ + param.iter.data = &one; + param.iter.len = 1; + edi.encryptedData = *data; + + iterLen = salt->len > 1 ? 
salt->data[salt->len - 1] : 2; + saltLen = (salt->len - iterLen) - 1; + /* if the resulting saltLen is a sha hash length, then assume that + * the iteration count is tacked on the end of the buffer */ + if ((saltLen == SHA1_LENGTH) || (saltLen == SHA256_LENGTH) || (saltLen == SHA384_LENGTH) || (saltLen == SHA224_LENGTH) || + (saltLen == SHA512_LENGTH)) { + param.iter.data = &salt->data[saltLen]; + param.iter.len = iterLen; + param.salt.len = saltLen; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return NULL; + } + + encParam = SEC_ASN1EncodeItem(arena, NULL, ¶m, + NSSLOWPasswordParamTemplate); + if (encParam == NULL) { + goto loser; + } + rv = SECOID_SetAlgorithmID(arena, &edi.algorithm, alg, encParam); + if (rv != SECSuccess) { + goto loser; + } + epw = SEC_ASN1EncodeItem(NULL, NULL, &edi, lg_EncryptedDataInfoTemplate); + +loser: + PORT_FreeArena(arena, PR_FALSE); + return epw; +} + +static SECItem * +nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt) +{ + NSSLowPasswordDataParam param; + LGEncryptedDataInfo edi; + PLArenaPool *arena; + SECItem *pwe = NULL; + SECStatus rv; + + salt->data = NULL; + param.iter.type = siBuffer; /* decode as signed integer */ + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return NULL; + } + + rv = SEC_QuickDERDecodeItem(arena, &edi, lg_EncryptedDataInfoTemplate, + derData); + if (rv != SECSuccess) { + goto loser; + } + *alg = SECOID_GetAlgorithmTag(&edi.algorithm); + rv = SEC_QuickDERDecodeItem(arena, ¶m, NSSLOWPasswordParamTemplate, + &edi.algorithm.parameters); + if (rv != SECSuccess) { + goto loser; + } + /* if the iteration count isn't one, tack it at the end of the salt */ + if (!((param.iter.len == 1) && (param.iter.data[0] == 1))) { + int total_len = param.salt.len + param.iter.len + 1; + salt->data = PORT_Alloc(total_len); + if (salt->data == NULL) { + goto loser; + } + PORT_Memcpy(salt->data, param.salt.data, param.salt.len); + 
PORT_Memcpy(&salt->data[param.salt.len], param.iter.data, + param.iter.len); + salt->data[total_len - 1] = param.iter.len; + salt->len = total_len; + } else { + rv = SECITEM_CopyItem(NULL, salt, ¶m.salt); + if (rv != SECSuccess) { + goto loser; + } + } + pwe = SECITEM_DupItem(&edi.encryptedData); + +loser: + if (!pwe && salt->data) { + PORT_Free(salt->data); + salt->data = NULL; + } + PORT_FreeArena(arena, PR_FALSE); + return pwe; +} + +/* + * check to see if the user has a password + */ +static SECStatus +nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry) +{ + DBT checkkey; /*, checkdata; */ + NSSLOWKEYDBKey *dbkey = NULL; + SECItem *global_salt = NULL; + SECItem *item = NULL; + SECItem entryData, oid; + SECItem none = { siBuffer, NULL, 0 }; + SECStatus rv = SECFailure; + SECOidTag algorithm; + + if (handle == NULL) { + /* PORT_SetError */ + return (SECFailure); + } + + global_salt = GetKeyDBGlobalSalt(handle); + if (!global_salt) { + global_salt = &none; + } + if (global_salt->len > sizeof(entry->data)) { + /* PORT_SetError */ + goto loser; + } + + PORT_Memcpy(entry->data, global_salt->data, global_salt->len); + entry->salt.data = entry->data; + entry->salt.len = global_salt->len; + entry->value.data = &entry->data[entry->salt.len]; + + checkkey.data = KEYDB_PW_CHECK_STRING; + checkkey.size = KEYDB_PW_CHECK_LEN; + dbkey = get_dbkey(handle, &checkkey); + if (dbkey == NULL) { + /* handle 'FAKE' check here */ + goto loser; + } + + oid.len = dbkey->derPK.data[0]; + oid.data = &dbkey->derPK.data[1]; + + if (dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len)) { + goto loser; + } + algorithm = SECOID_FindOIDTag(&oid); + entryData.type = siBuffer; + entryData.len = dbkey->derPK.len - (oid.len + 1); + entryData.data = &dbkey->derPK.data[oid.len + 1]; + + item = nsslowkey_EncodePW(algorithm, &dbkey->salt, &entryData); + if (!item || (item->len + entry->salt.len) > sizeof(entry->data)) { + goto loser; + } + PORT_Memcpy(entry->value.data, 
item->data, item->len); + entry->value.len = item->len; + rv = SECSuccess; + +loser: + if (item) { + SECITEM_FreeItem(item, PR_TRUE); + } + if (dbkey) { + sec_destroy_dbkey(dbkey); + } + if (global_salt != &none) { + SECITEM_FreeItem(global_salt, PR_TRUE); + } + return rv; +} + +/* + * check to see if the user has a password + */ +static SECStatus +nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry) +{ + DBT checkkey; + NSSLOWKEYDBKey *dbkey = NULL; + SECItem *item = NULL; + SECItem salt; + SECOidTag algid = SEC_OID_UNKNOWN; + SECStatus rv = SECFailure; + PLArenaPool *arena; + int ret; + + if (handle == NULL) { + /* PORT_SetError */ + return (SECFailure); + } + + checkkey.data = KEYDB_PW_CHECK_STRING; + checkkey.size = KEYDB_PW_CHECK_LEN; + + salt.data = NULL; + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return SECFailure; + } + + item = nsslowkey_DecodePW(&entry->value, &algid, &salt); + if (item == NULL) { + goto loser; + } + + dbkey = PORT_ArenaZNew(arena, NSSLOWKEYDBKey); + if (dbkey == NULL) { + goto loser; + } + + dbkey->arena = arena; + + rv = SECITEM_CopyItem(arena, &dbkey->salt, &salt); + if (rv != SECSuccess) { + goto loser; + } + + rv = encodePWCheckEntry(arena, &dbkey->derPK, algid, item); + if (rv != SECSuccess) { + goto loser; + } + + rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE); + if (rv != SECSuccess) { + goto loser; + } + + if (handle->global_salt) { + SECITEM_FreeItem(handle->global_salt, PR_TRUE); + handle->global_salt = NULL; + } + rv = StoreKeyDBGlobalSalt(handle, &entry->salt); + if (rv != SECSuccess) { + goto loser; + } + ret = keydb_Sync(handle, 0); + if (ret) { + rv = SECFailure; + goto loser; + } + handle->global_salt = GetKeyDBGlobalSalt(handle); + +loser: + if (item) { + SECITEM_FreeItem(item, PR_TRUE); + } + if (arena) { + PORT_FreeArena(arena, PR_TRUE); + } + if (salt.data) { + PORT_Free(salt.data); + } + return rv; +} + +#ifdef EC_DEBUG +#define SEC_PRINT(str1, str2, 
num, sitem) \ + printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \ + str1, str2, num, sitem->len); \ + for (i = 0; i < sitem->len; i++) { \ + printf("%02x:", sitem->data[i]); \ + } \ + printf("\n") +#else +#define SEC_PRINT(a, b, c, d) +#endif /* EC_DEBUG */ + +SECStatus +seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk, + SDB *sdbpw, SECItem *result) +{ + NSSLOWKEYPrivateKeyInfo *pki = NULL; + SECStatus rv = SECFailure; + PLArenaPool *temparena = NULL; + SECItem *der_item = NULL; + SECItem *cipherText = NULL; + SECItem *dummy = NULL; +#ifdef EC_DEBUG + SECItem *fordebug = NULL; +#endif + int savelen; + + temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (temparena == NULL) + goto loser; + + /* allocate structures */ + pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, + sizeof(NSSLOWKEYPrivateKeyInfo)); + der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem)); + if ((pki == NULL) || (der_item == NULL)) + goto loser; + + /* setup private key info */ + dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version), + NSSLOWKEY_PRIVATE_KEY_INFO_VERSION); + if (dummy == NULL) + goto loser; + + /* Encode the key, and set the algorithm (with params) */ + switch (pk->keyType) { + case NSSLOWKEYRSAKey: + lg_prepare_low_rsa_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_RSAPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_PKCS1_RSA_ENCRYPTION, 0); + if (rv == SECFailure) { + goto loser; + } + + break; + case NSSLOWKEYDSAKey: + lg_prepare_low_dsa_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_DSAPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params, + 
lg_nsslowkey_PQGParamsTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_ANSIX9_DSA_SIGNATURE, dummy); + if (rv == SECFailure) { + goto loser; + } + + break; + case NSSLOWKEYDHKey: + lg_prepare_low_dh_priv_key_for_asn1(pk); + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_DHPrivateKeyTemplate); + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy); + if (rv == SECFailure) { + goto loser; + } + break; + case NSSLOWKEYECKey: + lg_prepare_low_ec_priv_key_for_asn1(pk); + /* Public value is encoded as a bit string so adjust length + * to be in bits before ASN encoding and readjust + * immediately after. + * + * Since the SECG specification recommends not including the + * parameters as part of ECPrivateKey, we zero out the curveOID + * length before encoding and restore it later. 
+ */ + pk->u.ec.publicValue.len <<= 3; + savelen = pk->u.ec.ecParams.curveOID.len; + pk->u.ec.ecParams.curveOID.len = 0; + dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk, + lg_nsslowkey_ECPrivateKeyTemplate); + pk->u.ec.ecParams.curveOID.len = savelen; + pk->u.ec.publicValue.len >>= 3; + + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + dummy = &pk->u.ec.ecParams.DEREncoding; + + /* At this point dummy should contain the encoded params */ + rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm), + SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy); + + if (rv == SECFailure) { + goto loser; + } + +#ifdef EC_DEBUG + fordebug = &(pki->privateKey); + SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", + pk->keyType, fordebug); +#endif + + break; + default: + /* We don't support DH or Fortezza private keys yet */ + PORT_Assert(PR_FALSE); + break; + } + + /* setup encrypted private key info */ + dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, + lg_nsslowkey_PrivateKeyInfoTemplate); + + SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo", + pk->keyType, der_item); + + if (dummy == NULL) { + rv = SECFailure; + goto loser; + } + + rv = lg_util_encrypt(temparena, sdbpw, dummy, &cipherText); + if (rv != SECSuccess) { + goto loser; + } + + rv = SECITEM_CopyItem(permarena, result, cipherText); + +loser: + + if (temparena != NULL) + PORT_FreeArena(temparena, PR_TRUE); + + return rv; +} + +static SECStatus +seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SDB *sdbpw, + NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update) +{ + NSSLOWKEYDBKey *dbkey = NULL; + PLArenaPool *arena = NULL; + SECStatus rv = SECFailure; + + if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL) || + (pk == NULL)) + return SECFailure; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) + return SECFailure; + + dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey)); + if (dbkey == NULL) + goto loser; + 
dbkey->arena = arena; + dbkey->nickname = nickname; + + rv = seckey_encrypt_private_key(arena, pk, sdbpw, &dbkey->derPK); + if (rv != SECSuccess) + goto loser; + + rv = put_dbkey(keydb, index, dbkey, update); + +/* let success fall through */ +loser: + if (arena != NULL) + PORT_FreeArena(arena, PR_TRUE); + + return rv; +} + +/* + * Store a key in the database, indexed by its public key modulus. + * Note that the nickname is optional. It was only used by keyutil. + */ +SECStatus +nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdbpw, + PRBool update) +{ + DBT namekey; + SECStatus rv; + + if (handle == NULL) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return (SECFailure); + } + + /* set up db key and data */ + namekey.data = pubKeyData->data; + namekey.size = pubKeyData->len; + + /* encrypt the private key */ + rv = seckey_put_private_key(handle, &namekey, sdbpw, privkey, nickname, + update); + + return (rv); +} + +static NSSLOWKEYPrivateKey * +seckey_decrypt_private_key(SECItem *epki, + SDB *sdbpw) +{ + NSSLOWKEYPrivateKey *pk = NULL; + NSSLOWKEYPrivateKeyInfo *pki = NULL; + SECStatus rv = SECFailure; + PLArenaPool *temparena = NULL, *permarena = NULL; + SECItem *dest = NULL; +#ifdef EC_DEBUG + SECItem *fordebug = NULL; +#endif + + if ((epki == NULL) || (sdbpw == NULL)) + goto loser; + + temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if ((temparena == NULL) || (permarena == NULL)) + goto loser; + + /* allocate temporary items */ + pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena, + sizeof(NSSLOWKEYPrivateKeyInfo)); + + /* allocate permanent arena items */ + pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena, + sizeof(NSSLOWKEYPrivateKey)); + + if ((pk == NULL) || (pki == NULL)) + goto loser; + + pk->arena = permarena; + + rv = lg_util_decrypt(sdbpw, epki, &dest); + if (rv != SECSuccess) { + 
goto loser; + } + + if (dest != NULL) { + SECItem newPrivateKey; + SECItem newAlgParms; + + SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1, + dest); + + rv = SEC_QuickDERDecodeItem(temparena, pki, + lg_nsslowkey_PrivateKeyInfoTemplate, dest); + if (rv == SECSuccess) { + switch (SECOID_GetAlgorithmTag(&pki->algorithm)) { + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + pk->keyType = NSSLOWKEYRSAKey; + lg_prepare_low_rsa_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_RSAPrivateKeyTemplate, + &newPrivateKey); + if (rv == SECSuccess) { + break; + } + /* Try decoding with the alternative template, but only allow + * a zero-length modulus for a secret key object. + * See bug 715073. + */ + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_RSAPrivateKeyTemplate2, + &newPrivateKey); + /* A publicExponent of 0 is the defining property of a secret + * key disguised as an RSA key. When decoding with the + * alternative template, only accept a secret key with an + * improperly encoded modulus and a publicExponent of 0. + */ + if (rv == SECSuccess) { + if (pk->u.rsa.modulus.len == 2 && + pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER && + pk->u.rsa.modulus.data[1] == 0 && + pk->u.rsa.publicExponent.len == 1 && + pk->u.rsa.publicExponent.data[0] == 0) { + /* Fix the zero-length integer by setting it to 0. 
*/ + pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data; + pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len; + } else { + PORT_SetError(SEC_ERROR_BAD_DER); + rv = SECFailure; + } + } + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + pk->keyType = NSSLOWKEYDSAKey; + lg_prepare_low_dsa_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_DSAPrivateKeyTemplate, + &newPrivateKey); + if (rv != SECSuccess) + goto loser; + lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); + if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms, + &pki->algorithm.parameters)) + break; + rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params, + lg_nsslowkey_PQGParamsTemplate, + &newAlgParms); + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + pk->keyType = NSSLOWKEYDHKey; + lg_prepare_low_dh_priv_key_for_asn1(pk); + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_DHPrivateKeyTemplate, + &newPrivateKey); + break; + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + pk->keyType = NSSLOWKEYECKey; + lg_prepare_low_ec_priv_key_for_asn1(pk); + +#ifdef EC_DEBUG + fordebug = &pki->privateKey; + SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", + pk->keyType, fordebug); +#endif + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey)) + break; + rv = SEC_QuickDERDecodeItem(permarena, pk, + lg_nsslowkey_ECPrivateKeyTemplate, + &newPrivateKey); + if (rv != SECSuccess) + goto loser; + + lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams); + + rv = SECITEM_CopyItem(permarena, + &pk->u.ec.ecParams.DEREncoding, + &pki->algorithm.parameters); + + if (rv != SECSuccess) + goto loser; + + /* Fill out the rest of EC params */ + rv = LGEC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding, + &pk->u.ec.ecParams); + + if (rv != SECSuccess) + goto 
loser; + + if (pk->u.ec.publicValue.len != 0) { + pk->u.ec.publicValue.len >>= 3; + } + + break; + default: + rv = SECFailure; + break; + } + } else if (PORT_GetError() == SEC_ERROR_BAD_DER) { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + goto loser; + } + } + +/* let success fall through */ +loser: + if (temparena != NULL) + PORT_FreeArena(temparena, PR_TRUE); + if (dest != NULL) + SECITEM_ZfreeItem(dest, PR_TRUE); + + if (rv != SECSuccess) { + if (permarena != NULL) + PORT_FreeArena(permarena, PR_TRUE); + pk = NULL; + } + + return pk; +} + +static NSSLOWKEYPrivateKey * +seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SDB *sdbpw) +{ + if ((dbkey == NULL) || (sdbpw == NULL)) { + return NULL; + } + + return seckey_decrypt_private_key(&(dbkey->derPK), sdbpw); +} + +static NSSLOWKEYPrivateKey * +seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname, + SDB *sdbpw) +{ + NSSLOWKEYDBKey *dbkey = NULL; + NSSLOWKEYPrivateKey *pk = NULL; + + if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL)) { + return NULL; + } + + dbkey = get_dbkey(keydb, index); + if (dbkey == NULL) { + goto loser; + } + + if (nickname) { + if (dbkey->nickname && (dbkey->nickname[0] != 0)) { + *nickname = PORT_Strdup(dbkey->nickname); + } else { + *nickname = NULL; + } + } + + pk = seckey_decode_encrypted_private_key(dbkey, sdbpw); + +/* let success fall through */ +loser: + + if (dbkey != NULL) { + sec_destroy_dbkey(dbkey); + } + + return pk; +} + +/* + * Find a key in the database, indexed by its public key modulus + * This is used to find keys that have been stored before their + * certificate arrives. Once the certificate arrives the key + * is looked up by the public modulus in the certificate, and the + * re-stored by its nickname. 
+ */ +NSSLOWKEYPrivateKey * +nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, + SDB *sdbpw) +{ + DBT namekey; + NSSLOWKEYPrivateKey *pk = NULL; + + if (handle == NULL) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; + } + + /* set up db key */ + namekey.data = modulus->data; + namekey.size = modulus->len; + + pk = seckey_get_private_key(handle, &namekey, NULL, sdbpw); + + /* no need to free dbkey, since its on the stack, and the data it + * points to is owned by the database + */ + return (pk); +} + +char * +nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, + SECItem *modulus, SDB *sdbpw) +{ + DBT namekey; + NSSLOWKEYPrivateKey *pk = NULL; + char *nickname = NULL; + + if (handle == NULL) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + return NULL; + } + + /* set up db key */ + namekey.data = modulus->data; + namekey.size = modulus->len; + + pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw); + if (pk) { + lg_nsslowkey_DestroyPrivateKey(pk); + } + + /* no need to free dbkey, since its on the stack, and the data it + * points to is owned by the database + */ + return (nickname); +} +/* ===== ENCODING ROUTINES ===== */ + +static SECStatus +encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg, + SECItem *encCheck) +{ + SECOidData *oidData; + + oidData = SECOID_FindOIDByTag(alg); + if (oidData == NULL) { + return SECFailure; + } + + entry->len = 1 + oidData->oid.len + encCheck->len; + if (arena) { + entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len); + } else { + entry->data = (unsigned char *)PORT_Alloc(entry->len); + } + + if (entry->data == NULL) { + return SECFailure; + } + + /* first length of oid */ + entry->data[0] = (unsigned char)oidData->oid.len; + /* next oid itself */ + PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len); + /* finally the encrypted check string */ + PORT_Memcpy(&entry->data[1 + oidData->oid.len], encCheck->data, + encCheck->len); + + 
return SECSuccess; +} + +#define MAX_DB_SIZE 0xffff +/* + * Clear out all the keys in the existing database + */ +static SECStatus +nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle) +{ + SECStatus rv; + int errors = 0; + + if (handle->db == NULL) { + return (SECSuccess); + } + + if (handle->readOnly) { + /* set an error code */ + return SECFailure; + } + + if (handle->appname == NULL && handle->dbname == NULL) { + return SECFailure; + } + + keydb_Close(handle); + if (handle->appname) { + handle->db = + rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL); + } else { + handle->db = dbopen(handle->dbname, NO_CREATE, 0600, DB_HASH, 0); + } + if (handle->db == NULL) { + /* set an error code */ + return SECFailure; + } + + rv = makeGlobalVersion(handle); + if (rv != SECSuccess) { + errors++; + goto done; + } + + if (handle->global_salt) { + rv = StoreKeyDBGlobalSalt(handle, handle->global_salt); + } else { + rv = makeGlobalSalt(handle); + if (rv == SECSuccess) { + handle->global_salt = GetKeyDBGlobalSalt(handle); + } + } + if (rv != SECSuccess) { + errors++; + } + +done: + /* sync the database */ + (void)keydb_Sync(handle, 0); + db_InitComplete(handle->db); + + return (errors == 0 ? 
SECSuccess : SECFailure);
+}
+
+static int
+keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->get)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret = 0;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->put)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->sync)(db, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->del)(db, key, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->seq)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static void
+keydb_Close(NSSLOWKEYDBHandle *kdb)
+{
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ SKIP_AFTER_FORK(PZ_Lock(kdbLock));
+
+ (*db->close)(db);
+
+ SKIP_AFTER_FORK(PZ_Unlock(kdbLock));
+
+ return;
+}
+
+/*
+ * SDB Entry Points for the Key DB
+ */
+
+CK_RV
+lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
+{
+ NSSLOWKEYDBHandle *keydb;
+ NSSLOWKEYPasswordEntry entry;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ if (PORT_Strcmp(id, "password") != 0) {
+ /* shouldn't happen */
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+ }
+ rv = nsslowkey_GetPWCheckEntry(keydb, &entry);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ item1->len = entry.salt.len;
+ PORT_Memcpy(item1->data, entry.salt.data, item1->len);
+ item2->len = entry.value.len;
+ PORT_Memcpy(item2->data, entry.value.data, item2->len);
+ return CKR_OK;
+}
+
+CK_RV
+lg_PutMetaData(SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2)
+{
+ NSSLOWKEYDBHandle *keydb;
+ NSSLOWKEYPasswordEntry entry;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ if (PORT_Strcmp(id, "password") != 0) {
+ /* shouldn't happen */
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+ }
+ entry.salt = *item1;
+ entry.value = *item2;
+ rv = nsslowkey_PutPWCheckEntry(keydb, &entry);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+lg_DestroyMetaData(SDB *db, const char *id)
+{
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+}
+
+CK_RV
+lg_Reset(SDB *sdb)
+{
+ NSSLOWKEYDBHandle *keydb;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ rv = nsslowkey_ResetKeyDB(keydb);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/keydbi.h b/security/nss/lib/softoken/legacydb/keydbi.h
new file mode 100644
index 0000000000..783c98ecc3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/keydbi.h
@@ -0,0 +1,52 @@
+/*
+ * private.h - Private data structures for the software token library
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _KEYDBI_H_
+#define _KEYDBI_H_
+
+#include "nspr.h"
+#include "seccomon.h"
+#include "mcom_db.h"
+
+/*
+ * Handle structure for open key databases
+ */
+struct NSSLOWKEYDBHandleStr {
+ DB *db;
+ DB *updatedb; /* used when updating an old version */
+ SECItem *global_salt; /* password hashing salt for this db */
+ int version; /* version of the database */
+ char *appname; /* multiaccess app name */
+ char *dbname; /* name of the openned DB */
+ PRBool readOnly; /* is the DB read only */
+ PRLock *lock;
+ PRInt32 ref; /* reference count */
+};
+
+/*
+** Typedef for callback for traversing key database.
+** "key" is the key used to index the data in the database (nickname)
+** "data" is the key data
+** "pdata" is the user's data
+*/
+typedef SECStatus (*NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
+
+SEC_BEGIN_PROTOS
+
+/*
+** Traverse the entire key database, and pass the nicknames and keys to a
+** user supplied function.
+** "f" is the user function to call for each key
+** "udata" is the user's data, which is passed through to "f"
+*/
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYTraverseKeysFunc f,
+ void *udata);
+
+SEC_END_PROTOS
+
+#endif /* _KEYDBI_H_ */
diff --git a/security/nss/lib/softoken/legacydb/legacydb.gyp b/security/nss/lib/softoken/legacydb/legacydb.gyp
new file mode 100644
index 0000000000..34c0235bdd
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/legacydb.gyp
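Review bot: The file header comment at the top of the keydbi.h hunk still reads `private.h - Private data structures for the software token library`, which does not match this file; suggest `keydbi.h - Private key database handle structure for the legacy softoken DB`. The include guard `_KEYDBI_H_` is a reserved identifier (leading underscore followed by an uppercase letter), and `KEYDBI_H` would avoid that, though the surrounding NSS headers appear to use the same convention so this may be deliberate. `PRLock *lock;` is the only member of `NSSLOWKEYDBHandleStr` without a trailing comment, while the keydb.c accessors earlier in this commit take that lock around every `db->get`/`put`/`sync`/`del`/`seq`/`close` call; `/* serializes all access to db and updatedb */` would state that contract where the field is declared. Minor: `openned` in the `dbname` comment should be `opened`.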
@@ -0,0 +1,66 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'nssdbm', + 'type': 'static_library', + 'sources': [ + 'dbmshim.c', + 'keydb.c', + 'lgattr.c', + 'lgcreate.c', + 'lgdestroy.c', + 'lgfind.c', + 'lgfips.c', + 'lginit.c', + 'lgutil.c', + 'lowcert.c', + 'lowkey.c', + 'pcertdb.c', + 'pk11db.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:dbm_exports', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/lib/freebl/freebl.gyp:freebl', + '<(DEPTH)/lib/dbm/src/src.gyp:dbm' + ] + }, + { + 'target_name': 'nssdbm3', + 'type': 'shared_library', + 'dependencies': [ + 'nssdbm' + ], + 'conditions': [ + [ 'moz_fold_libs==0', { + 'dependencies': [ + '<(DEPTH)/lib/util/util.gyp:nssutil3', + ], + }, { + 'libraries': [ + '<(moz_folded_library_name)', + ], + }], + ], + 'variables': { + 'mapfile': 'nssdbm.def' + } + } + ], + 'target_defaults': { + 'defines': [ + 'SHLIB_SUFFIX=\"<(dll_suffix)\"', + 'SHLIB_PREFIX=\"<(dll_prefix)\"', + 'LG_LIB_NAME=\"<(dll_prefix)nssdbm3.<(dll_suffix)\"' + ] + }, + 'variables': { + 'module': 'nss' + } +} diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c new file mode 100644 index 0000000000..cbc708a3fa --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lgattr.c 
@@ -0,0 +1,1782 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * Internal PKCS #11 functions. Should only be called by pkcs11.c + */ +#include "pkcs11.h" +#include "lgdb.h" + +#include "pcertt.h" +#include "lowkeyi.h" +#include "pcert.h" +#include "blapi.h" +#include "secerr.h" +#include "secasn1.h" + +/* + * Cache the object we are working on during Set's and Get's + */ +typedef struct LGObjectCacheStr { + CK_OBJECT_CLASS objclass; + CK_OBJECT_HANDLE handle; + SDB *sdb; + void *objectInfo; + LGFreeFunc infoFree; + SECItem dbKey; +} LGObjectCache; + +static const CK_OBJECT_HANDLE lg_classArray[] = { + 0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY, + CKO_NSS_TRUST, CKO_NSS_CRL, CKO_NSS_SMIME, + CKO_CERTIFICATE +}; + +#define handleToClass(handle) \ + lg_classArray[((handle & LG_TOKEN_TYPE_MASK)) >> LG_TOKEN_TYPE_SHIFT] + +static void lg_DestroyObjectCache(LGObjectCache *obj); + +static LGObjectCache * +lg_NewObjectCache(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE handle) +{ + LGObjectCache *obj = NULL; + SECStatus rv; + + obj = PORT_New(LGObjectCache); + if (obj == NULL) { + return NULL; + } + + obj->objclass = handleToClass(handle); + obj->handle = handle; + obj->sdb = sdb; + obj->objectInfo = NULL; + obj->infoFree = NULL; + obj->dbKey.data = NULL; + obj->dbKey.len = 0; + lg_DBLock(sdb); + if (dbKey == NULL) { + dbKey = lg_lookupTokenKeyByHandle(sdb, handle); + } + if (dbKey == NULL) { + lg_DBUnlock(sdb); + goto loser; + } + rv = SECITEM_CopyItem(NULL, &obj->dbKey, dbKey); + lg_DBUnlock(sdb); + if (rv != SECSuccess) { + goto loser; + } + + return obj; +loser: + (void)lg_DestroyObjectCache(obj); + return NULL; +} + +/* + * free all the data associated with an object. Object reference count must + * be 'zero'. 
+ */ +static void +lg_DestroyObjectCache(LGObjectCache *obj) +{ + if (obj->dbKey.data) { + PORT_Free(obj->dbKey.data); + obj->dbKey.data = NULL; + } + if (obj->objectInfo) { + (*obj->infoFree)(obj->objectInfo); + obj->objectInfo = NULL; + obj->infoFree = NULL; + } + PORT_Free(obj); +} +/* + * ******************** Attribute Utilities ******************************* + */ + +static CK_RV +lg_ULongAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, CK_ULONG value) +{ + unsigned char *data; + int i; + + if (attr->pValue == NULL) { + attr->ulValueLen = 4; + return CKR_OK; + } + if (attr->ulValueLen < 4) { + attr->ulValueLen = (CK_ULONG)-1; + return CKR_BUFFER_TOO_SMALL; + } + + data = (unsigned char *)attr->pValue; + for (i = 0; i < 4; i++) { + data[i] = (value >> ((3 - i) * 8)) & 0xff; + } + attr->ulValueLen = 4; + return CKR_OK; +} + +static CK_RV +lg_CopyAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, + CK_VOID_PTR value, CK_ULONG len) +{ + + if (attr->pValue == NULL) { + attr->ulValueLen = len; + return CKR_OK; + } + if (attr->ulValueLen < len) { + attr->ulValueLen = (CK_ULONG)-1; + return CKR_BUFFER_TOO_SMALL; + } + if (len > 0 && value != NULL) { + PORT_Memcpy(attr->pValue, value, len); + } + attr->ulValueLen = len; + return CKR_OK; +} + +static CK_RV +lg_CopyAttributeSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, + void *value, CK_ULONG len) +{ + unsigned char *dval = (unsigned char *)value; + if (*dval == 0) { + dval++; + len--; + } + return lg_CopyAttribute(attribute, type, dval, len); +} + +static CK_RV +lg_CopyPrivAttribute(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, + void *value, CK_ULONG len, SDB *sdbpw) +{ + SECItem plainText, *cipherText = NULL; + CK_RV crv = CKR_USER_NOT_LOGGED_IN; + SECStatus rv; + + plainText.data = value; + plainText.len = len; + rv = lg_util_encrypt(NULL, sdbpw, &plainText, &cipherText); + if (rv != SECSuccess) { + goto loser; + } + crv = lg_CopyAttribute(attribute, type, cipherText->data, cipherText->len); 
+loser: + if (cipherText) { + SECITEM_FreeItem(cipherText, PR_TRUE); + } + return crv; +} + +static CK_RV +lg_CopyPrivAttrSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type, + void *value, CK_ULONG len, SDB *sdbpw) +{ + unsigned char *dval = (unsigned char *)value; + + if (*dval == 0) { + dval++; + len--; + } + return lg_CopyPrivAttribute(attribute, type, dval, len, sdbpw); +} + +static CK_RV +lg_invalidAttribute(CK_ATTRIBUTE *attr) +{ + attr->ulValueLen = (CK_ULONG)-1; + return CKR_ATTRIBUTE_TYPE_INVALID; +} + +#define LG_DEF_ATTRIBUTE(value, len) \ + { \ + 0, value, len \ + } + +#define LG_CLONE_ATTR(attribute, type, staticAttr) \ + lg_CopyAttribute(attribute, type, staticAttr.pValue, staticAttr.ulValueLen) + +CK_BBOOL lg_staticTrueValue = CK_TRUE; +CK_BBOOL lg_staticFalseValue = CK_FALSE; +static const CK_ATTRIBUTE lg_StaticTrueAttr = + LG_DEF_ATTRIBUTE(&lg_staticTrueValue, sizeof(lg_staticTrueValue)); +static const CK_ATTRIBUTE lg_StaticFalseAttr = + LG_DEF_ATTRIBUTE(&lg_staticFalseValue, sizeof(lg_staticFalseValue)); +static const CK_ATTRIBUTE lg_StaticNullAttr = LG_DEF_ATTRIBUTE(NULL, 0); +char lg_StaticOneValue = 1; + +/* + * helper functions which get the database and call the underlying + * low level database function. 
+ */ +static char * +lg_FindKeyNicknameByPublicKey(SDB *sdb, SECItem *dbKey) +{ + NSSLOWKEYDBHandle *keyHandle; + char *label; + + keyHandle = lg_getKeyDB(sdb); + if (!keyHandle) { + return NULL; + } + + label = nsslowkey_FindKeyNicknameByPublicKey(keyHandle, dbKey, + sdb); + return label; +} + +NSSLOWKEYPrivateKey * +lg_FindKeyByPublicKey(SDB *sdb, SECItem *dbKey) +{ + NSSLOWKEYPrivateKey *privKey; + NSSLOWKEYDBHandle *keyHandle; + + keyHandle = lg_getKeyDB(sdb); + if (keyHandle == NULL) { + return NULL; + } + privKey = nsslowkey_FindKeyByPublicKey(keyHandle, dbKey, sdb); + if (privKey == NULL) { + return NULL; + } + return privKey; +} + +static certDBEntrySMime * +lg_getSMime(LGObjectCache *obj) +{ + certDBEntrySMime *entry; + NSSLOWCERTCertDBHandle *certHandle; + + if (obj->objclass != CKO_NSS_SMIME) { + return NULL; + } + if (obj->objectInfo) { + return (certDBEntrySMime *)obj->objectInfo; + } + + certHandle = lg_getCertDB(obj->sdb); + if (!certHandle) { + return NULL; + } + entry = nsslowcert_ReadDBSMimeEntry(certHandle, (char *)obj->dbKey.data); + obj->objectInfo = (void *)entry; + obj->infoFree = (LGFreeFunc)nsslowcert_DestroyDBEntry; + return entry; +} + +static certDBEntryRevocation * +lg_getCrl(LGObjectCache *obj) +{ + certDBEntryRevocation *crl; + PRBool isKrl; + NSSLOWCERTCertDBHandle *certHandle; + + if (obj->objclass != CKO_NSS_CRL) { + return NULL; + } + if (obj->objectInfo) { + return (certDBEntryRevocation *)obj->objectInfo; + } + + isKrl = (PRBool)(obj->handle == LG_TOKEN_KRL_HANDLE); + certHandle = lg_getCertDB(obj->sdb); + if (!certHandle) { + return NULL; + } + + crl = nsslowcert_FindCrlByKey(certHandle, &obj->dbKey, isKrl); + obj->objectInfo = (void *)crl; + obj->infoFree = (LGFreeFunc)nsslowcert_DestroyDBEntry; + return crl; +} + +static NSSLOWCERTCertificate * +lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle) +{ + NSSLOWCERTCertificate *cert; + CK_OBJECT_CLASS objClass = obj->objclass; + + if ((objClass != CKO_CERTIFICATE) 
&& (objClass != CKO_NSS_TRUST)) { + return NULL; + } + if (objClass == CKO_CERTIFICATE && obj->objectInfo) { + return (NSSLOWCERTCertificate *)obj->objectInfo; + } + cert = nsslowcert_FindCertByKey(certHandle, &obj->dbKey); + if (objClass == CKO_CERTIFICATE) { + obj->objectInfo = (void *)cert; + obj->infoFree = (LGFreeFunc)nsslowcert_DestroyCertificate; + } + return cert; +} + +static NSSLOWCERTTrust * +lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle) +{ + NSSLOWCERTTrust *trust; + + if (obj->objclass != CKO_NSS_TRUST) { + return NULL; + } + if (obj->objectInfo) { + return (NSSLOWCERTTrust *)obj->objectInfo; + } + trust = nsslowcert_FindTrustByKey(certHandle, &obj->dbKey); + obj->objectInfo = (void *)trust; + obj->infoFree = (LGFreeFunc)nsslowcert_DestroyTrust; + return trust; +} + +static NSSLOWKEYPublicKey * +lg_GetPublicKey(LGObjectCache *obj) +{ + NSSLOWKEYPublicKey *pubKey; + NSSLOWKEYPrivateKey *privKey; + + if (obj->objclass != CKO_PUBLIC_KEY) { + return NULL; + } + if (obj->objectInfo) { + return (NSSLOWKEYPublicKey *)obj->objectInfo; + } + privKey = lg_FindKeyByPublicKey(obj->sdb, &obj->dbKey); + if (privKey == NULL) { + return NULL; + } + pubKey = lg_nsslowkey_ConvertToPublicKey(privKey); + lg_nsslowkey_DestroyPrivateKey(privKey); + obj->objectInfo = (void *)pubKey; + obj->infoFree = (LGFreeFunc)lg_nsslowkey_DestroyPublicKey; + return pubKey; +} + +/* + * we need two versions of lg_GetPrivateKey. One version that takes the + * DB handle so we can pass the handle we have already acquired in, + * rather than going through the 'getKeyDB' code again, + * which may fail the second time and another which just aquires + * the key handle from the sdb (where we don't already have a key handle. + * This version does the former. 
+ */ +static NSSLOWKEYPrivateKey * +lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle) +{ + NSSLOWKEYPrivateKey *privKey; + + if ((obj->objclass != CKO_PRIVATE_KEY) && + (obj->objclass != CKO_SECRET_KEY)) { + return NULL; + } + if (obj->objectInfo) { + return (NSSLOWKEYPrivateKey *)obj->objectInfo; + } + privKey = nsslowkey_FindKeyByPublicKey(keyHandle, &obj->dbKey, obj->sdb); + if (privKey == NULL) { + return NULL; + } + obj->objectInfo = (void *)privKey; + obj->infoFree = (LGFreeFunc)lg_nsslowkey_DestroyPrivateKey; + return privKey; +} + +/* this version does the latter */ +static NSSLOWKEYPrivateKey * +lg_GetPrivateKey(LGObjectCache *obj) +{ + NSSLOWKEYDBHandle *keyHandle; + NSSLOWKEYPrivateKey *privKey; + + keyHandle = lg_getKeyDB(obj->sdb); + if (!keyHandle) { + return NULL; + } + privKey = lg_GetPrivateKeyWithDB(obj, keyHandle); + return privKey; +} + +/* lg_GetPubItem returns data associated with the public key. + * one only needs to free the public key. This comment is here + * because this sematic would be non-obvious otherwise. All callers + * should include this comment. 
+ */ +static SECItem * +lg_GetPubItem(NSSLOWKEYPublicKey *pubKey) +{ + SECItem *pubItem = NULL; + /* get value to compare from the cert's public key */ + switch (pubKey->keyType) { + case NSSLOWKEYRSAKey: + pubItem = &pubKey->u.rsa.modulus; + break; + case NSSLOWKEYDSAKey: + pubItem = &pubKey->u.dsa.publicValue; + break; + case NSSLOWKEYDHKey: + pubItem = &pubKey->u.dh.publicValue; + break; + case NSSLOWKEYECKey: + pubItem = &pubKey->u.ec.publicValue; + break; + default: + break; + } + return pubItem; +} + +static CK_RV +lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_RSA; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.rsa.modulus.data, key->u.rsa.modulus.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_ENCRYPT: + case CKA_VERIFY: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_MODULUS: + return lg_CopyAttributeSigned(attribute, type, key->u.rsa.modulus.data, + key->u.rsa.modulus.len); + case CKA_PUBLIC_EXPONENT: + return lg_CopyAttributeSigned(attribute, type, + key->u.rsa.publicExponent.data, + key->u.rsa.publicExponent.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_DSA; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.dsa.publicValue.data, + key->u.dsa.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + case CKA_ENCRYPT: + case 
CKA_VERIFY_RECOVER: + case CKA_WRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_VERIFY: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_VALUE: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.publicValue.data, + key->u.dsa.publicValue.len); + case CKA_PRIME: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.prime.data, + key->u.dsa.params.prime.len); + case CKA_SUBPRIME: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.subPrime.data, + key->u.dsa.params.subPrime.len); + case CKA_BASE: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.base.data, + key->u.dsa.params.base.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_DH; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.dh.publicValue.data, key->u.dh.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_ENCRYPT: + case CKA_VERIFY: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_VALUE: + return lg_CopyAttributeSigned(attribute, type, + key->u.dh.publicValue.data, + key->u.dh.publicValue.len); + case CKA_PRIME: + return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data, + key->u.dh.prime.len); + case CKA_BASE: + return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data, + key->u.dh.base.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + unsigned char 
hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_EC; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.ec.publicValue.data, + key->u.ec.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + case CKA_VERIFY: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_ENCRYPT: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_EC_PARAMS: + return lg_CopyAttributeSigned(attribute, type, + key->u.ec.ecParams.DEREncoding.data, + key->u.ec.ecParams.DEREncoding.len); + case CKA_EC_POINT: + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) { + return lg_CopyAttributeSigned(attribute, type, + key->u.ec.publicValue.data, + key->u.ec.publicValue.len); + } else { + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &(key->u.ec.publicValue), + SEC_ASN1_GET(SEC_OctetStringTemplate)); + CK_RV crv; + if (!pubValue) { + return CKR_HOST_MEMORY; + } + crv = lg_CopyAttributeSigned(attribute, type, + pubValue->data, + pubValue->len); + SECITEM_FreeItem(pubValue, PR_TRUE); + return crv; + } + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + NSSLOWKEYPublicKey *key; + CK_RV crv; + char *label; + + switch (type) { + case CKA_PRIVATE: + case CKA_SENSITIVE: + case CKA_ALWAYS_SENSITIVE: + case CKA_NEVER_EXTRACTABLE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_MODIFIABLE: + case CKA_EXTRACTABLE: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_SUBJECT: + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + case CKA_START_DATE: + case CKA_END_DATE: + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + case CKA_LABEL: + label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey); + if 
(label == NULL) { + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + } + crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label)); + PORT_Free(label); + return crv; + default: + break; + } + + key = lg_GetPublicKey(obj); + if (key == NULL) { + if (type == CKA_ID) { + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + } + return CKR_OBJECT_HANDLE_INVALID; + } + + switch (key->keyType) { + case NSSLOWKEYRSAKey: + return lg_FindRSAPublicKeyAttribute(key, type, attribute); + case NSSLOWKEYDSAKey: + return lg_FindDSAPublicKeyAttribute(key, type, attribute); + case NSSLOWKEYDHKey: + return lg_FindDHPublicKeyAttribute(key, type, attribute); + case NSSLOWKEYECKey: + return lg_FindECPublicKeyAttribute(key, type, attribute); + default: + break; + } + + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindSecretKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + NSSLOWKEYPrivateKey *key; + char *label; + unsigned char *keyString; + CK_RV crv; + int keyTypeLen; + CK_ULONG keyLen; + CK_KEY_TYPE keyType; + PRUint32 keyTypeStorage; + + switch (type) { + case CKA_PRIVATE: + case CKA_SENSITIVE: + case CKA_ALWAYS_SENSITIVE: + case CKA_EXTRACTABLE: + case CKA_DERIVE: + case CKA_ENCRYPT: + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_VERIFY: + case CKA_WRAP: + case CKA_UNWRAP: + case CKA_MODIFIABLE: + case CKA_LOCAL: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_NEVER_EXTRACTABLE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_START_DATE: + case CKA_END_DATE: + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + case CKA_LABEL: + label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey); + if (label == NULL) { + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + } + crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label)); + PORT_Free(label); + return crv; + case CKA_ID: + return lg_CopyAttribute(attribute, type, 
obj->dbKey.data, + obj->dbKey.len); + case CKA_KEY_TYPE: + case CKA_VALUE_LEN: + case CKA_VALUE: + break; + default: + return lg_invalidAttribute(attribute); + } + + key = lg_GetPrivateKey(obj); + if (key == NULL) { + return CKR_OBJECT_HANDLE_INVALID; + } + switch (type) { + case CKA_KEY_TYPE: + /* handle legacy databases. In legacy databases key_type was stored + * in host order, with any leading zeros stripped off. Only key types + * under 0x1f (AES) were stored. We assume that any values which are + * either 1 byte long (big endian), or have byte[0] between 0 and + * 0x7f and bytes[1]-bytes[3] equal to '0' (little endian). All other + * values are assumed to be from the new database, which is always 4 + * bytes in network order */ + keyType = 0; + keyString = key->u.rsa.coefficient.data; + keyTypeLen = key->u.rsa.coefficient.len; + + /* + * Because of various endian and word lengths The database may have + * stored the keyType value in one of the following formats: + * (kt) <= 0x1f + * length data + * Big Endian, pre-3.9, all lengths: 1 (kt) + * Little Endian, pre-3.9, 32 bits: 4 (kt) 0 0 0 + * Little Endian, pre-3.9, 64 bits: 8 (kt) 0 0 0 0 0 0 0 + * All platforms, 3.9, 32 bits: 4 0 0 0 (kt) + * Big Endian, 3.9, 64 bits: 8 0 0 0 (kt) 0 0 0 0 + * Little Endian, 3.9, 64 bits: 8 0 0 0 0 0 0 0 (kt) + * All platforms, >= 3.9.1, all lengths: 4 (a) k1 k2 k3 + * where (a) is 0 or >= 0x80. currently (a) can only be 0. + */ + /* + * this key was written on a 64 bit platform with a using NSS 3.9 + * or earlier. Reduce the 64 bit possibilities above. 
When we are + * through, we will only have: + * + * Big Endian, pre-3.9, all lengths: 1 (kt) + * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0 + * All platforms, 3.9, all lengths: 4 0 0 0 (kt) + * All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3 + */ + if (keyTypeLen == 8) { + keyTypeStorage = *(PRUint32 *)keyString; + if (keyTypeStorage == 0) { + keyString += sizeof(PRUint32); + } + keyTypeLen = 4; + } + /* + * Now Handle: + * + * All platforms, 3.9, all lengths: 4 0 0 0 (kt) + * All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3 + * + * NOTE: if kt == 0 or ak1k2k3 == 0, the test fails and + * we handle it as: + * + * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0 + */ + if (keyTypeLen == sizeof(keyTypeStorage) && + (((keyString[0] & 0x80) == 0x80) || + !((keyString[1] == 0) && (keyString[2] == 0) && (keyString[3] == 0)))) { + PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage)); + keyType = (CK_KEY_TYPE)PR_ntohl(keyTypeStorage); + } else { + /* + * Now Handle: + * + * Big Endian, pre-3.9, all lengths: 1 (kt) + * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0 + * -- KeyType == 0 all other cases ---: 4 0 0 0 0 + */ + keyType = (CK_KEY_TYPE)keyString[0]; + } + return lg_ULongAttribute(attribute, type, keyType); + case CKA_VALUE: + return lg_CopyPrivAttribute(attribute, type, key->u.rsa.privateExponent.data, + key->u.rsa.privateExponent.len, obj->sdb); + case CKA_VALUE_LEN: + keyLen = key->u.rsa.privateExponent.len; + return lg_ULongAttribute(attribute, type, keyLen); + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute, SDB *sdbpw) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_RSA; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.rsa.modulus.data, key->u.rsa.modulus.len); + return lg_CopyAttribute(attribute, type, 
hash, SHA1_LENGTH); + case CKA_DERIVE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_SIGN_RECOVER: + case CKA_UNWRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_MODULUS: + return lg_CopyAttributeSigned(attribute, type, key->u.rsa.modulus.data, + key->u.rsa.modulus.len); + case CKA_PUBLIC_EXPONENT: + return lg_CopyAttributeSigned(attribute, type, + key->u.rsa.publicExponent.data, + key->u.rsa.publicExponent.len); + case CKA_PRIVATE_EXPONENT: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.rsa.privateExponent.data, + key->u.rsa.privateExponent.len, sdbpw); + case CKA_PRIME_1: + return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime1.data, + key->u.rsa.prime1.len, sdbpw); + case CKA_PRIME_2: + return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime2.data, + key->u.rsa.prime2.len, sdbpw); + case CKA_EXPONENT_1: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.rsa.exponent1.data, + key->u.rsa.exponent1.len, sdbpw); + case CKA_EXPONENT_2: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.rsa.exponent2.data, + key->u.rsa.exponent2.len, sdbpw); + case CKA_COEFFICIENT: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.rsa.coefficient.data, + key->u.rsa.coefficient.len, sdbpw); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute, SDB *sdbpw) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_DSA; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.dsa.publicValue.data, + key->u.dsa.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + case CKA_DECRYPT: + case CKA_SIGN_RECOVER: + case CKA_UNWRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + 
case CKA_SIGN: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_VALUE: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.dsa.privateValue.data, + key->u.dsa.privateValue.len, sdbpw); + case CKA_PRIME: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.prime.data, + key->u.dsa.params.prime.len); + case CKA_SUBPRIME: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.subPrime.data, + key->u.dsa.params.subPrime.len); + case CKA_BASE: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.params.base.data, + key->u.dsa.params.base.len); + case CKA_NSS_DB: + return lg_CopyAttributeSigned(attribute, type, + key->u.dsa.publicValue.data, + key->u.dsa.publicValue.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute, SDB *sdbpw) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_DH; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.dh.publicValue.data, key->u.dh.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_SIGN_RECOVER: + case CKA_UNWRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_VALUE: + return lg_CopyPrivAttrSigned(attribute, type, + key->u.dh.privateValue.data, + key->u.dh.privateValue.len, sdbpw); + case CKA_PRIME: + return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data, + key->u.dh.prime.len); + case CKA_BASE: + return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data, + key->u.dh.base.len); + case CKA_NSS_DB: + return lg_CopyAttributeSigned(attribute, type, + key->u.dh.publicValue.data, + key->u.dh.publicValue.len); + default: + break; + } + 
return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute, SDB *sdbpw) +{ + unsigned char hash[SHA1_LENGTH]; + CK_KEY_TYPE keyType = CKK_EC; + + switch (type) { + case CKA_KEY_TYPE: + return lg_ULongAttribute(attribute, type, keyType); + case CKA_ID: + SHA1_HashBuf(hash, key->u.ec.publicValue.data, key->u.ec.publicValue.len); + return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH); + case CKA_DERIVE: + case CKA_SIGN: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_DECRYPT: + case CKA_SIGN_RECOVER: + case CKA_UNWRAP: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_VALUE: + return lg_CopyPrivAttribute(attribute, type, + key->u.ec.privateValue.data, + key->u.ec.privateValue.len, sdbpw); + case CKA_EC_PARAMS: + return lg_CopyAttributeSigned(attribute, type, + key->u.ec.ecParams.DEREncoding.data, + key->u.ec.ecParams.DEREncoding.len); + case CKA_NSS_DB: + return lg_CopyAttributeSigned(attribute, type, + key->u.ec.publicValue.data, + key->u.ec.publicValue.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + NSSLOWKEYPrivateKey *key; + char *label; + CK_RV crv; + + switch (type) { + case CKA_PRIVATE: + case CKA_SENSITIVE: + case CKA_ALWAYS_SENSITIVE: + case CKA_EXTRACTABLE: + case CKA_MODIFIABLE: + case CKA_LOCAL: + return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr); + case CKA_NEVER_EXTRACTABLE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_SUBJECT: + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + case CKA_START_DATE: + case CKA_END_DATE: + return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + case CKA_LABEL: + label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey); + if (label == NULL) { + return 
LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr); + } + crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label)); + PORT_Free(label); + return crv; + default: + break; + } + key = lg_GetPrivateKey(obj); + if (key == NULL) { + return CKR_OBJECT_HANDLE_INVALID; + } + switch (key->keyType) { + case NSSLOWKEYRSAKey: + return lg_FindRSAPrivateKeyAttribute(key, type, attribute, obj->sdb); + case NSSLOWKEYDSAKey: + return lg_FindDSAPrivateKeyAttribute(key, type, attribute, obj->sdb); + case NSSLOWKEYDHKey: + return lg_FindDHPrivateKeyAttribute(key, type, attribute, obj->sdb); + case NSSLOWKEYECKey: + return lg_FindECPrivateKeyAttribute(key, type, attribute, obj->sdb); + default: + break; + } + + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + certDBEntrySMime *entry; + switch (type) { + case CKA_PRIVATE: + case CKA_MODIFIABLE: + return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr); + case CKA_NSS_EMAIL: + return lg_CopyAttribute(attribute, type, obj->dbKey.data, + obj->dbKey.len - 1); + case CKA_NSS_SMIME_TIMESTAMP: + case CKA_SUBJECT: + case CKA_VALUE: + break; + default: + return lg_invalidAttribute(attribute); + } + entry = lg_getSMime(obj); + if (entry == NULL) { + return CKR_OBJECT_HANDLE_INVALID; + } + switch (type) { + case CKA_NSS_SMIME_TIMESTAMP: + return lg_CopyAttribute(attribute, type, entry->optionsDate.data, + entry->optionsDate.len); + case CKA_SUBJECT: + return lg_CopyAttribute(attribute, type, entry->subjectName.data, + entry->subjectName.len); + case CKA_VALUE: + return lg_CopyAttribute(attribute, type, entry->smimeOptions.data, + entry->smimeOptions.len); + default: + break; + } + return lg_invalidAttribute(attribute); +} + +static CK_RV +lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *attribute) +{ + NSSLOWCERTTrust *trust; + NSSLOWCERTCertDBHandle *certHandle; + NSSLOWCERTCertificate *cert; + 
unsigned char hash[SHA1_LENGTH];
+ unsigned int trustFlags;
+ CK_RV crv = CKR_CANCEL;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_CERT_SHA1_HASH:
+ case CKA_CERT_MD5_HASH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_STEP_UP_APPROVED:
+ case CKA_ISSUER:
+ case CKA_SERIAL_NUMBER:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+ certHandle = lg_getCertDB(obj->sdb);
+ if (!certHandle) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ trust = lg_getTrust(obj, certHandle);
+ if (trust == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_CERT_SHA1_HASH:
+ SHA1_HashBuf(hash, trust->derCert->data, trust->derCert->len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_CERT_MD5_HASH:
+ MD5_HashBuf(hash, trust->derCert->data, trust->derCert->len);
+ return lg_CopyAttribute(attribute, type, hash, MD5_LENGTH);
+ case CKA_TRUST_CLIENT_AUTH:
+ trustFlags = trust->trust->sslFlags &
+ CERTDB_TRUSTED_CLIENT_CA
+ ?
trust->trust->sslFlags | CERTDB_TRUSTED_CA
+ : 0;
+ goto trust;
+ case CKA_TRUST_SERVER_AUTH:
+ trustFlags = trust->trust->sslFlags;
+ goto trust;
+ case CKA_TRUST_EMAIL_PROTECTION:
+ trustFlags = trust->trust->emailFlags;
+ goto trust;
+ case CKA_TRUST_CODE_SIGNING:
+ trustFlags = trust->trust->objectSigningFlags;
+ trust:
+ if (trustFlags & CERTDB_TRUSTED_CA) {
+ return lg_ULongAttribute(attribute, type,
+ CKT_NSS_TRUSTED_DELEGATOR);
+ }
+ if (trustFlags & CERTDB_TRUSTED) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUSTED);
+ }
+ if (trustFlags & CERTDB_MUST_VERIFY) {
+ return lg_ULongAttribute(attribute, type,
+ CKT_NSS_MUST_VERIFY_TRUST);
+ }
+ if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
+ }
+ if (trustFlags & CERTDB_VALID_CA) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_VALID_DELEGATOR);
+ }
+ if (trustFlags & CERTDB_TERMINAL_RECORD) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_NOT_TRUSTED);
+ }
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
+ case CKA_TRUST_STEP_UP_APPROVED:
+ if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ } else {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ }
+ default:
+ break;
+ }
+
+ switch (type) {
+ case CKA_ISSUER:
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL)
+ break;
+ crv = lg_CopyAttribute(attribute, type, cert->derIssuer.data,
+ cert->derIssuer.len);
+ break;
+ case CKA_SERIAL_NUMBER:
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL)
+ break;
+ crv = lg_CopyAttribute(attribute, type, cert->derSN.data,
+ cert->derSN.len);
+ break;
+ default:
+ cert = NULL;
+ break;
+ }
+ if (cert) {
+ nsslowcert_DestroyCertificate(cert);
+ return crv;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+
certDBEntryRevocation *crl;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_NSS_KRL:
+ return ((obj->handle == LG_TOKEN_KRL_HANDLE)
+ ? LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr)
+ : LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr));
+ case CKA_SUBJECT:
+ return lg_CopyAttribute(attribute, type, obj->dbKey.data,
+ obj->dbKey.len);
+ case CKA_NSS_URL:
+ case CKA_VALUE:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+ crl = lg_getCrl(obj);
+ if (!crl) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_NSS_URL:
+ if (crl->url == NULL) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ return lg_CopyAttribute(attribute, type, crl->url,
+ PORT_Strlen(crl->url) + 1);
+ case CKA_VALUE:
+ return lg_CopyAttribute(attribute, type, crl->derCrl.data,
+ crl->derCrl.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertDBHandle *certHandle;
+ NSSLOWKEYPublicKey *pubKey;
+ unsigned char hash[SHA1_LENGTH];
+ SECItem *item;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_CERTIFICATE_TYPE:
+ /* hardcoding X.509 into here */
+ return lg_ULongAttribute(attribute, type, CKC_X_509);
+ case CKA_VALUE:
+ case CKA_ID:
+ case CKA_LABEL:
+ case CKA_SUBJECT:
+ case CKA_ISSUER:
+ case CKA_SERIAL_NUMBER:
+ case CKA_NSS_EMAIL:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+
+ certHandle = lg_getCertDB(obj->sdb);
+ if (certHandle == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case
CKA_VALUE:
+ return lg_CopyAttribute(attribute, type, cert->derCert.data,
+ cert->derCert.len);
+ case CKA_ID:
+ if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ pubKey = nsslowcert_ExtractPublicKey(cert);
+ if (pubKey == NULL)
+ break;
+ item = lg_GetPubItem(pubKey);
+ if (item == NULL) {
+ lg_nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+ SHA1_HashBuf(hash, item->data, item->len);
+ /* item is imbedded in pubKey, just free the key */
+ lg_nsslowkey_DestroyPublicKey(pubKey);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_LABEL:
+ return cert->nickname
+ ? lg_CopyAttribute(attribute, type, cert->nickname,
+ PORT_Strlen(cert->nickname))
+ : LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_SUBJECT:
+ return lg_CopyAttribute(attribute, type, cert->derSubject.data,
+ cert->derSubject.len);
+ case CKA_ISSUER:
+ return lg_CopyAttribute(attribute, type, cert->derIssuer.data,
+ cert->derIssuer.len);
+ case CKA_SERIAL_NUMBER:
+ return lg_CopyAttribute(attribute, type, cert->derSN.data,
+ cert->derSN.len);
+ case CKA_NSS_EMAIL:
+ return (cert->emailAddr && cert->emailAddr[0])
+ ?
lg_CopyAttribute(attribute, type, cert->emailAddr,
+ PORT_Strlen(cert->emailAddr))
+ : LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+CK_RV
+lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute)
+{
+ /* handle the common ones */
+ CK_ATTRIBUTE_TYPE type = attribute->type;
+ switch (type) {
+ case CKA_CLASS:
+ return lg_ULongAttribute(attribute, type, obj->objclass);
+ case CKA_TOKEN:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_LABEL:
+ if ((obj->objclass == CKO_CERTIFICATE) ||
+ (obj->objclass == CKO_PRIVATE_KEY) ||
+ (obj->objclass == CKO_PUBLIC_KEY) ||
+ (obj->objclass == CKO_SECRET_KEY)) {
+ break;
+ }
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ default:
+ break;
+ }
+ switch (obj->objclass) {
+ case CKO_CERTIFICATE:
+ return lg_FindCertAttribute(obj, type, attribute);
+ case CKO_NSS_CRL:
+ return lg_FindCrlAttribute(obj, type, attribute);
+ case CKO_NSS_TRUST:
+ return lg_FindTrustAttribute(obj, type, attribute);
+ case CKO_NSS_SMIME:
+ return lg_FindSMIMEAttribute(obj, type, attribute);
+ case CKO_PUBLIC_KEY:
+ return lg_FindPublicKeyAttribute(obj, type, attribute);
+ case CKO_PRIVATE_KEY:
+ return lg_FindPrivateKeyAttribute(obj, type, attribute);
+ case CKO_SECRET_KEY:
+ return lg_FindSecretKeyAttribute(obj, type, attribute);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */
+CK_RV
+lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ,
+ CK_ULONG count)
+{
+ LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+ CK_RV crv, crvCollect = CKR_OK;
+ unsigned int i;
+
+ if (obj == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ for (i = 0; i < count; i++) {
+ crv = lg_GetSingleAttribute(obj, &templ[i]);
+ if (crvCollect == CKR_OK)
+ crvCollect = crv;
+ }
+
+ lg_DestroyObjectCache(obj);
+ return crvCollect;
+}
+
+PRBool
+lg_cmpAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attribute)
+{
+ unsigned char buf[LG_BUF_SPACE];
+ CK_ATTRIBUTE testAttr;
+ unsigned char *tempBuf = NULL;
+ PRBool match = PR_TRUE;
+ CK_RV crv;
+
+ /* we're going to compare 'attribute' with the actual attribute from
+ * the object. We'll use the length of 'attribute' to decide how much
+ * space we need to read the test attribute. If 'attribute' doesn't give
+ * enough space, then we know the values don't match and that will
+ * show up as ckr != CKR_OK */
+ testAttr = *attribute;
+ testAttr.pValue = buf;
+
+ /* if we don't have enough space, malloc it */
+ if (attribute->ulValueLen > LG_BUF_SPACE) {
+ tempBuf = PORT_Alloc(attribute->ulValueLen);
+ if (!tempBuf) {
+ return PR_FALSE;
+ }
+ testAttr.pValue = tempBuf;
+ }
+
+ /* get the attribute */
+ crv = lg_GetSingleAttribute(obj, &testAttr);
+ /* if the attribute was read OK, compare it */
+ if ((crv != CKR_OK) ||
+ (attribute->pValue == NULL) ||
+ (attribute->ulValueLen != testAttr.ulValueLen) ||
+ (PORT_Memcmp(attribute->pValue, testAttr.pValue, testAttr.ulValueLen) != 0)) {
+ /* something didn't match, this isn't the object we are looking for */
+ match = PR_FALSE;
+ }
+ /* free the buffer we may have allocated */
+ if (tempBuf) {
+ PORT_Free(tempBuf);
+ }
+ return match;
+}
+
+PRBool
+lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ PRBool match = PR_TRUE;
+ LGObjectCache *obj =
lg_NewObjectCache(sdb, dbKey, class);
+ unsigned int i;
+
+ if (obj == NULL) {
+ return PR_FALSE;
+ }
+
+ for (i = 0; i < count; i++) {
+ match = lg_cmpAttribute(obj, &templ[i]);
+ if (!match) {
+ break;
+ }
+ }
+
+ /* done looking, free up our cache */
+ lg_DestroyObjectCache(obj);
+
+ /* if we get through the whole list without finding a mismatched attribute,
+ * then this object fits the criteria we are matching */
+ return match;
+}
+
+static CK_RV
+lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertDBHandle *certHandle;
+ char *nickname = NULL;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* we can't change the EMAIL values, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if (type == CKA_NSS_EMAIL) {
+ return CKR_OK;
+ }
+
+ certHandle = lg_getCertDB(obj->sdb);
+ if (certHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ if ((type != CKA_LABEL) && (type != CKA_ID)) {
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ goto done;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+
+ /* if the app is trying to set CKA_ID, it's probably because it just
+ * imported the key. Look to see if we need to set the CERTDB_USER bits.
+ */
+ if (type == CKA_ID) {
+ if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+ NSSLOWKEYDBHandle *keyHandle;
+
+ keyHandle = lg_getKeyDB(obj->sdb);
+ if (keyHandle) {
+ if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
+ NSSLOWCERTCertTrust trust = *cert->trust;
+ trust.sslFlags |= CERTDB_USER;
+ trust.emailFlags |= CERTDB_USER;
+ trust.objectSigningFlags |= CERTDB_USER;
+ nsslowcert_ChangeCertTrust(certHandle, cert, &trust);
+ }
+ }
+ }
+ crv = CKR_OK;
+ goto done;
+ }
+
+ /* must be CKA_LABEL */
+ if (value != NULL) {
+ nickname = PORT_ZAlloc(len + 1);
+ if (nickname == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ PORT_Memcpy(nickname, value, len);
+ nickname[len] = 0;
+ }
+ rv = nsslowcert_AddPermNickname(certHandle, cert, nickname);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+
+done:
+ if (nickname) {
+ PORT_Free(nickname);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len,
+ PRBool *writePrivate)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYDBHandle *keyHandle;
+ char *nickname = NULL;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* we can't change the ID and we don't store the subject, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if ((type == CKA_ID) || (type == CKA_SUBJECT) ||
+ (type == CKA_LOCAL) || (type == CKA_NEVER_EXTRACTABLE) ||
+ (type == CKA_ALWAYS_SENSITIVE)) {
+ return CKR_OK;
+ }
+
+ keyHandle = lg_getKeyDB(obj->sdb);
+ if (keyHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
+ if (privKey == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ switch (type) {
+ case CKA_LABEL:
+ if (value != NULL) {
+ nickname = PORT_ZAlloc(len + 1);
+ if (nickname == NULL) {
+ crv =
CKR_HOST_MEMORY;
+ goto done;
+ }
+ PORT_Memcpy(nickname, value, len);
+ nickname[len] = 0;
+ }
+ rv = nsslowkey_UpdateNickname(keyHandle, privKey, &obj->dbKey,
+ nickname, obj->sdb);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+ break;
+ case CKA_UNWRAP:
+ case CKA_SIGN:
+ case CKA_DERIVE:
+ case CKA_SIGN_RECOVER:
+ case CKA_DECRYPT:
+ /* ignore attempts to change restrict these.
+ * legacyDB ignore these flags and always presents all of them
+ * that are valid as true.
+ * NOTE: We only get here if the current value and the new value do
+ * not match. */
+ if (*(char *)value == 0) {
+ crv = CKR_OK;
+ }
+ break;
+ case CKA_VALUE:
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ /* We aren't really changing these values, we are just triggering
+ * the database to update it's entry */
+ *writePrivate = PR_TRUE;
+ crv = CKR_OK;
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ break;
+ }
+done:
+ if (nickname) {
+ PORT_Free(nickname);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len,
+ PRBool *writePrivate)
+{
+ /* we can't change the ID and we don't store the subject, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if ((type == CKA_ID) || (type == CKA_SUBJECT) || (type == CKA_LABEL)) {
+ return CKR_OK;
+ }
+ return CKR_ATTRIBUTE_READ_ONLY;
+}
+
+static CK_RV
+lg_SetTrustAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr)
+{
+ unsigned int flags;
+ CK_TRUST trust;
+ NSSLOWCERTCertificate *cert = NULL;
+ NSSLOWCERTCertDBHandle *certHandle;
+ NSSLOWCERTCertTrust dbTrust;
+ SECStatus rv;
+ CK_RV crv;
+
+ if (attr->type == CKA_LABEL) {
+ return CKR_OK;
+ }
+
+ crv = lg_GetULongAttribute(attr->type, attr, 1, &trust);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ flags = lg_MapTrust(trust, (PRBool)(attr->type == CKA_TRUST_CLIENT_AUTH));
+
+ certHandle = lg_getCertDB(obj->sdb);
+
+ if (certHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+ dbTrust = *cert->trust;
+
+ switch (attr->type) {
+ case CKA_TRUST_EMAIL_PROTECTION:
+ dbTrust.emailFlags = flags |
+ (cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
+ break;
+ case CKA_TRUST_CODE_SIGNING:
+ dbTrust.objectSigningFlags = flags |
+ (cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
+ break;
+ case CKA_TRUST_CLIENT_AUTH:
+ dbTrust.sslFlags = flags | (cert->trust->sslFlags &
+ (CERTDB_PRESERVE_TRUST_BITS | CERTDB_TRUSTED_CA));
+ break;
+ case CKA_TRUST_SERVER_AUTH:
+ dbTrust.sslFlags = flags | (cert->trust->sslFlags &
+ (CERTDB_PRESERVE_TRUST_BITS | CERTDB_TRUSTED_CLIENT_CA));
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ goto done;
+ }
+
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+done:
+ if (cert) {
+ nsslowcert_DestroyCertificate(cert);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr,
+ PRBool *writePrivate)
+{
+ CK_ATTRIBUTE attribLocal;
+ CK_RV crv;
+
+ if ((attr->type == CKA_NSS_DB) && (obj->objclass == CKO_PRIVATE_KEY)) {
+ *writePrivate = PR_TRUE;
+ return CKR_OK;
+ }
+
+ /* Make sure the attribute exists first */
+ attribLocal.type = attr->type;
+ attribLocal.pValue = NULL;
+ attribLocal.ulValueLen = 0;
+ crv = lg_GetSingleAttribute(obj, &attribLocal);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /* if we are just setting it to the value we already have,
+ * allow it to happen. Let label setting go through so
+ * we have the opportunity to repair any database corruption.
*/
+ if (attr->type != CKA_LABEL) {
+ if (lg_cmpAttribute(obj, attr)) {
+ return CKR_OK;
+ }
+ }
+
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ switch (obj->objclass) {
+ case CKO_CERTIFICATE:
+ /* change NICKNAME, EMAIL, */
+ crv = lg_SetCertAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen);
+ break;
+ case CKO_NSS_CRL:
+ /* change URL */
+ break;
+ case CKO_NSS_TRUST:
+ crv = lg_SetTrustAttribute(obj, attr);
+ break;
+ case CKO_PRIVATE_KEY:
+ case CKO_SECRET_KEY:
+ crv = lg_SetPrivateKeyAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen, writePrivate);
+ break;
+ case CKO_PUBLIC_KEY:
+ crv = lg_SetPublicKeyAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen, writePrivate);
+ break;
+ }
+ return crv;
+}
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */
+CK_RV
+lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+ CK_RV crv, crvCollect = CKR_OK;
+ PRBool writePrivate = PR_FALSE;
+ unsigned int i;
+
+ if (obj == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ for (i = 0; i < count; i++) {
+ crv = lg_SetSingleAttribute(obj, &templ[i], &writePrivate);
+ if (crvCollect == CKR_OK)
+ crvCollect = crv;
+ }
+
+ /* Write any collected changes out for private and secret keys.
+ * don't do the write for just the label */
+ if (writePrivate) {
+ NSSLOWKEYPrivateKey *privKey = lg_GetPrivateKey(obj);
+ SECStatus rv = SECFailure;
+ char *label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+
+ if (privKey) {
+ rv = nsslowkey_StoreKeyByPublicKeyAlg(lg_getKeyDB(sdb), privKey,
+ &obj->dbKey, label, sdb, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ PORT_Free(label);
+ }
+
+ lg_DestroyObjectCache(obj);
+ return crvCollect;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
new file mode 100644
index 0000000000..3ed50a4255
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -0,0 +1,1020 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secasn1.h"
+
+#include "keydbi.h"
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/*
+ * check the consistancy and initialize a Certificate Object
+ */
+static CK_RV
+lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ SECItem derCert;
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertTrust *trust = NULL;
+ NSSLOWCERTCertTrust userTrust = { CERTDB_USER, CERTDB_USER, CERTDB_USER };
+ NSSLOWCERTCertTrust defTrust = { CERTDB_TRUSTED_UNKNOWN,
+ CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
+ char *label = NULL;
+ char *email = NULL;
+ SECStatus rv;
+ CK_RV crv;
+ PRBool inDB = PR_TRUE;
+ NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+ CK_CERTIFICATE_TYPE type;
+ const CK_ATTRIBUTE *attribute;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* We only support X.509 Certs for now */
+ crv = lg_GetULongAttribute(CKA_CERTIFICATE_TYPE, templ, count, &type);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ if (type != CKC_X_509) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* X.509 Certificate */
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* get the der cert */
+ attribute = lg_FindAttribute(CKA_VALUE, templ, count);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ derCert.type = 0;
+ derCert.data = (unsigned char *)attribute->pValue;
+ derCert.len = attribute->ulValueLen;
+
+ label = lg_getString(CKA_LABEL, templ,
count);
+
+ cert = nsslowcert_FindCertByDERCert(certHandle, &derCert);
+ if (cert == NULL) {
+ cert = nsslowcert_DecodeDERCertificate(&derCert, label);
+ inDB = PR_FALSE;
+ }
+ if (cert == NULL) {
+ if (label)
+ PORT_Free(label);
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle) {
+ if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
+ trust = &userTrust;
+ }
+ }
+
+ if (!inDB) {
+ if (!trust)
+ trust = &defTrust;
+ rv = nsslowcert_AddPermCert(certHandle, cert, label, trust);
+ } else {
+ rv = trust ? nsslowcert_ChangeCertTrust(certHandle, cert, trust) : SECSuccess;
+ }
+
+ if (label)
+ PORT_Free(label);
+
+ if (rv != SECSuccess) {
+ nsslowcert_DestroyCertificate(cert);
+ return CKR_DEVICE_ERROR;
+ }
+
+ /*
+ * Add a NULL S/MIME profile if necessary.
+ */
+ email = lg_getString(CKA_NSS_EMAIL, templ, count);
+ if (email) {
+ certDBEntrySMime *entry;
+
+ entry = nsslowcert_ReadDBSMimeEntry(certHandle, email);
+ if (!entry) {
+ nsslowcert_SaveSMimeProfile(certHandle, email,
+ &cert->derSubject, NULL, NULL);
+ } else {
+ nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+ }
+ PORT_Free(email);
+ }
+ *handle = lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_CERT);
+ nsslowcert_DestroyCertificate(cert);
+
+ return CKR_OK;
+}
+
+unsigned int
+lg_MapTrust(CK_TRUST trust, PRBool clientAuth)
+{
+ unsigned int trustCA = clientAuth ?
CERTDB_TRUSTED_CLIENT_CA : CERTDB_TRUSTED_CA;
+ switch (trust) {
+ case CKT_NSS_TRUSTED:
+ return CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
+ case CKT_NSS_TRUSTED_DELEGATOR:
+ return CERTDB_VALID_CA | trustCA;
+ case CKT_NSS_MUST_VERIFY_TRUST:
+ return CERTDB_MUST_VERIFY;
+ case CKT_NSS_NOT_TRUSTED:
+ return CERTDB_TERMINAL_RECORD;
+ case CKT_NSS_VALID_DELEGATOR: /* implies must verify */
+ return CERTDB_VALID_CA;
+ default:
+ break;
+ }
+ return CERTDB_TRUSTED_UNKNOWN;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ const CK_ATTRIBUTE *issuer = NULL;
+ const CK_ATTRIBUTE *serial = NULL;
+ NSSLOWCERTCertificate *cert = NULL;
+ const CK_ATTRIBUTE *trust;
+ CK_TRUST sslTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST clientTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST emailTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST signTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_BBOOL stepUp;
+ NSSLOWCERTCertTrust dbTrust = { 0 };
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+ NSSLOWCERTIssuerAndSN issuerSN;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ issuer = lg_FindAttribute(CKA_ISSUER, templ, count);
+ serial = lg_FindAttribute(CKA_SERIAL_NUMBER, templ, count);
+
+ if (issuer && serial) {
+ issuerSN.derIssuer.data = (unsigned char *)issuer->pValue;
+ issuerSN.derIssuer.len = issuer->ulValueLen;
+
+ issuerSN.serialNumber.data = (unsigned char *)serial->pValue;
+ issuerSN.serialNumber.len = serial->ulValueLen;
+
+ cert = nsslowcert_FindCertByIssuerAndSN(certHandle, &issuerSN);
+ }
+
+ if (cert == NULL) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ lg_GetULongAttribute(CKA_TRUST_SERVER_AUTH, templ, count, &sslTrust);
+ lg_GetULongAttribute(CKA_TRUST_CLIENT_AUTH, templ,
count, &clientTrust);
+ lg_GetULongAttribute(CKA_TRUST_EMAIL_PROTECTION, templ, count, &emailTrust);
+ lg_GetULongAttribute(CKA_TRUST_CODE_SIGNING, templ, count, &signTrust);
+ stepUp = CK_FALSE;
+ trust = lg_FindAttribute(CKA_TRUST_STEP_UP_APPROVED, templ, count);
+ if (trust) {
+ if (trust->ulValueLen == sizeof(CK_BBOOL)) {
+ stepUp = *(CK_BBOOL *)trust->pValue;
+ }
+ }
+
+ /* preserve certain old fields */
+ if (cert->trust) {
+ dbTrust.sslFlags = cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
+ dbTrust.emailFlags =
+ cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
+ dbTrust.objectSigningFlags =
+ cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
+ }
+
+ dbTrust.sslFlags |= lg_MapTrust(sslTrust, PR_FALSE);
+ dbTrust.sslFlags |= lg_MapTrust(clientTrust, PR_TRUE);
+ dbTrust.emailFlags |= lg_MapTrust(emailTrust, PR_FALSE);
+ dbTrust.objectSigningFlags |= lg_MapTrust(signTrust, PR_FALSE);
+ if (stepUp) {
+ dbTrust.sslFlags |= CERTDB_GOVT_APPROVED_CA;
+ }
+
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
+ *handle = lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST);
+ nsslowcert_DestroyCertificate(cert);
+ if (rv != SECSuccess) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ SECItem derSubj, rawProfile, rawTime, emailKey;
+ SECItem *pRawProfile = NULL;
+ SECItem *pRawTime = NULL;
+ char *email = NULL;
+ const CK_ATTRIBUTE *subject = NULL,
+ *profile = NULL,
+ *time = NULL;
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle;
+ CK_RV ck_rv = CKR_OK;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ certHandle = lg_getCertDB(sdb);
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* lookup SUBJECT */
+ subject =
lg_FindAttribute(CKA_SUBJECT, templ, count);
+ PORT_Assert(subject);
+ if (!subject) {
+ ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ derSubj.data = (unsigned char *)subject->pValue;
+ derSubj.len = subject->ulValueLen;
+ derSubj.type = 0;
+
+ /* lookup VALUE */
+ profile = lg_FindAttribute(CKA_VALUE, templ, count);
+ if (profile) {
+ rawProfile.data = (unsigned char *)profile->pValue;
+ rawProfile.len = profile->ulValueLen;
+ rawProfile.type = siBuffer;
+ pRawProfile = &rawProfile;
+ }
+
+ /* lookup Time */
+ time = lg_FindAttribute(CKA_NSS_SMIME_TIMESTAMP, templ, count);
+ if (time) {
+ rawTime.data = (unsigned char *)time->pValue;
+ rawTime.len = time->ulValueLen;
+ rawTime.type = siBuffer;
+ pRawTime = &rawTime;
+ }
+
+ email = lg_getString(CKA_NSS_EMAIL, templ, count);
+ if (!email) {
+ ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ /* Store S/MIME Profile by SUBJECT */
+ rv = nsslowcert_SaveSMimeProfile(certHandle, email, &derSubj,
+ pRawProfile, pRawTime);
+ if (rv != SECSuccess) {
+ ck_rv = CKR_DEVICE_ERROR;
+ goto loser;
+ }
+ emailKey.data = (unsigned char *)email;
+ emailKey.len = PORT_Strlen(email) + 1;
+
+ *handle = lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME);
+
+loser:
+ if (email)
+ PORT_Free(email);
+
+ return ck_rv;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ PRBool isKRL = PR_FALSE;
+ SECItem derSubj, derCrl;
+ char *url = NULL;
+ const CK_ATTRIBUTE *subject, *crl;
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle;
+
+ certHandle = lg_getCertDB(sdb);
+
+ /* we can't store any private crls */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* lookup SUBJECT */
+ subject = lg_FindAttribute(CKA_SUBJECT, templ, count);
+ if (!subject) {
+ return
CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ derSubj.data = (unsigned char *)subject->pValue;
+ derSubj.len = subject->ulValueLen;
+
+ /* lookup VALUE */
+ crl = lg_FindAttribute(CKA_VALUE, templ, count);
+ PORT_Assert(crl);
+ if (!crl) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ derCrl.data = (unsigned char *)crl->pValue;
+ derCrl.len = crl->ulValueLen;
+
+ url = lg_getString(CKA_NSS_URL, templ, count);
+ isKRL = lg_isTrue(CKA_NSS_KRL, templ, count);
+
+ /* Store CRL by SUBJECT */
+ rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
+
+ if (url) {
+ PORT_Free(url);
+ }
+ if (rv != SECSuccess) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* if we overwrote the existing CRL, poison the handle entry so we get
+ * a new object handle */
+ (void)lg_poisonHandle(sdb, &derSubj,
+ isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+ *handle = lg_mkHandle(sdb, &derSubj,
+ isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object
+ */
+static CK_RV
+lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+ CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPrivateKey *priv;
+ SECItem pubKeySpace = { siBuffer, NULL, 0 };
+ SECItem *pubKey;
+ SECItem pubKey2Space = { siBuffer, NULL, 0 };
+ PLArenaPool *arena = NULL;
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+
+ switch (key_type) {
+ case CKK_RSA:
+ pubKeyAttr = CKA_MODULUS;
+ break;
+ case CKK_EC:
+ pubKeyAttr = CKA_EC_POINT;
+ break;
+ case CKK_DSA:
+ case CKK_DH:
+ break;
+ default:
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ pubKey = &pubKeySpace;
+ crv = lg_Attribute2SSecItem(NULL, pubKeyAttr, templ, count, pubKey);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (key_type == CKK_EC) {
+ SECStatus rv;
+ /*
+ * for ECC, use the decoded key first.
+ */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = SEC_QuickDERDecodeItem(arena, &pubKey2Space,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ pubKey);
+ if (rv != SECSuccess) {
+ /* decode didn't work, just try the pubKey */
+ PORT_FreeArena(arena, PR_FALSE);
+ arena = NULL;
+ } else {
+ /* try the decoded pub key first */
+ pubKey = &pubKey2Space;
+ }
+ }
+
+ PORT_Assert(pubKey->data);
+ if (pubKey->data == NULL) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+ if (keyHandle->version != 3) {
+ unsigned char buf[SHA1_LENGTH];
+ SHA1_HashBuf(buf, pubKey->data, pubKey->len);
+ PORT_Memcpy(pubKey->data, buf, sizeof(buf));
+ pubKey->len = sizeof(buf);
+ }
+ /* make sure the associated private key already exists */
+ /* only works if we are logged in */
+ priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
+ if (priv == NULL && pubKey == &pubKey2Space) {
+ /* no match on the decoded key, match the original pubkey */
+ pubKey = &pubKeySpace;
+ priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey,
+ sdb /*password*/);
+ }
+ if (priv == NULL) {
+ /* the legacy database can only 'store' public keys which already
+ * have their corresponding private keys in the database */
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ lg_nsslowkey_DestroyPrivateKey(priv);
+ crv = CKR_OK;
+
+ *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
+
+done:
+ PORT_Free(pubKeySpace.data);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return crv;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
+ CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ PLArenaPool *arena;
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+
+ arena =
PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + *crvp = CKR_HOST_MEMORY; + return NULL; + } + + privKey = (NSSLOWKEYPrivateKey *) + PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey)); + if (privKey == NULL) { + PORT_FreeArena(arena, PR_FALSE); + *crvp = CKR_HOST_MEMORY; + return NULL; + } + + /* in future this would be a switch on key_type */ + privKey->arena = arena; + switch (key_type) { + case CKK_RSA: + privKey->keyType = NSSLOWKEYRSAKey; + crv = lg_Attribute2SSecItem(arena, CKA_MODULUS, templ, count, + &privKey->u.rsa.modulus); + if (crv != CKR_OK) + break; + crv = lg_Attribute2SSecItem(arena, CKA_PUBLIC_EXPONENT, templ, count, + &privKey->u.rsa.publicExponent); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_PRIVATE_EXPONENT, templ, count, + &privKey->u.rsa.privateExponent, sdb); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_1, templ, count, + &privKey->u.rsa.prime1, sdb); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_2, templ, count, + &privKey->u.rsa.prime2, sdb); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_1, templ, count, + &privKey->u.rsa.exponent1, sdb); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_2, templ, count, + &privKey->u.rsa.exponent2, sdb); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_COEFFICIENT, templ, count, + &privKey->u.rsa.coefficient, sdb); + if (crv != CKR_OK) + break; + rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version, + NSSLOWKEY_VERSION); + if (rv != SECSuccess) + crv = CKR_HOST_MEMORY; + break; + + case CKK_DSA: + privKey->keyType = NSSLOWKEYDSAKey; + crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count, + &privKey->u.dsa.params.prime); + if (crv != CKR_OK) + break; + crv = lg_Attribute2SSecItem(arena, CKA_SUBPRIME, templ, count, + &privKey->u.dsa.params.subPrime); + if (crv != CKR_OK) + break; + crv = 
lg_Attribute2SSecItem(arena, CKA_BASE, templ, count, + &privKey->u.dsa.params.base); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count, + &privKey->u.dsa.privateValue, sdb); + if (crv != CKR_OK) + break; + if (lg_hasAttribute(CKA_NSS_DB, templ, count)) { + crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count, + &privKey->u.dsa.publicValue); + /* privKey was zero'd so public value is already set to NULL, 0 + * if we don't set it explicitly */ + } + break; + + case CKK_DH: + privKey->keyType = NSSLOWKEYDHKey; + crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count, + &privKey->u.dh.prime); + if (crv != CKR_OK) + break; + crv = lg_Attribute2SSecItem(arena, CKA_BASE, templ, count, + &privKey->u.dh.base); + if (crv != CKR_OK) + break; + crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count, + &privKey->u.dh.privateValue, sdb); + if (crv != CKR_OK) + break; + if (lg_hasAttribute(CKA_NSS_DB, templ, count)) { + crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count, + &privKey->u.dh.publicValue); + /* privKey was zero'd so public value is already set to NULL, 0 + * if we don't set it explicitly */ + } + break; + + case CKK_EC: + privKey->keyType = NSSLOWKEYECKey; + crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count, + &privKey->u.ec.ecParams.DEREncoding); + if (crv != CKR_OK) + break; + + /* Fill out the rest of the ecParams structure + * based on the encoded params + */ + if (LGEC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding, + &privKey->u.ec.ecParams) != SECSuccess) { + crv = CKR_DOMAIN_PARAMS_INVALID; + break; + } + crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count, + &privKey->u.ec.privateValue, sdb); + if (crv != CKR_OK) + break; + if (lg_hasAttribute(CKA_NSS_DB, templ, count)) { + crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count, + &privKey->u.ec.publicValue); + if (crv != CKR_OK) + break; + /* privKey was zero'd so public value is already set to NULL, 0 + * if we 
don't set it explicitly */ + } + rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version, + NSSLOWKEY_EC_PRIVATE_KEY_VERSION); + if (rv != SECSuccess) + crv = CKR_HOST_MEMORY; + break; + + default: + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + *crvp = crv; + if (crv != CKR_OK) { + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + return privKey; +} + +/* + * check the consistancy and initialize a Private Key Object + */ +static CK_RV +lg_createPrivateKeyObject(SDB *sdb, CK_KEY_TYPE key_type, + CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + NSSLOWKEYPrivateKey *privKey; + char *label; + SECStatus rv = SECSuccess; + CK_RV crv = CKR_DEVICE_ERROR; + SECItem pubKey; + NSSLOWKEYDBHandle *keyHandle = lg_getKeyDB(sdb); + + if (keyHandle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + privKey = lg_mkPrivKey(sdb, templ, count, key_type, &crv); + if (privKey == NULL) + return crv; + label = lg_getString(CKA_LABEL, templ, count); + + crv = lg_Attribute2SSecItem(NULL, CKA_NSS_DB, templ, count, &pubKey); + if (crv != CKR_OK) { + crv = CKR_TEMPLATE_INCOMPLETE; + rv = SECFailure; + goto fail; + } +#ifdef notdef + if (keyHandle->version != 3) { + unsigned char buf[SHA1_LENGTH]; + SHA1_HashBuf(buf, pubKey.data, pubKey.len); + PORT_Memcpy(pubKey.data, buf, sizeof(buf)); + pubKey.len = sizeof(buf); + } +#endif + /* get the key type */ + if (key_type == CKK_RSA) { + rv = RSA_PrivateKeyCheck(&privKey->u.rsa); + if (rv == SECFailure) { + goto fail; + } + } + rv = nsslowkey_StoreKeyByPublicKey(keyHandle, privKey, &pubKey, + label, sdb /*->password*/); + +fail: + if (label) + PORT_Free(label); + *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_PRIV); + if (pubKey.data) + PORT_Free(pubKey.data); + lg_nsslowkey_DestroyPrivateKey(privKey); + if (rv != SECSuccess) + return crv; + + return CKR_OK; +} + +#define LG_KEY_MAX_RETRIES 10 /* don't hang if we are having problems with the rng */ +#define LG_KEY_ID_SIZE 18 /* don't use either SHA1 or MD5 
sizes */ +/* + * Secret keys must have a CKA_ID value to be stored in the database. This code + * will generate one if there wasn't one already. + */ +static CK_RV +lg_GenerateSecretCKA_ID(NSSLOWKEYDBHandle *handle, SECItem *id, char *label) +{ + unsigned int retries; + SECStatus rv = SECSuccess; + CK_RV crv = CKR_OK; + + id->data = NULL; + if (label) { + id->data = (unsigned char *)PORT_Strdup(label); + if (id->data == NULL) { + return CKR_HOST_MEMORY; + } + id->len = PORT_Strlen(label) + 1; + if (!nsslowkey_KeyForIDExists(handle, id)) { + return CKR_OK; + } + PORT_Free(id->data); + id->data = NULL; + id->len = 0; + } + id->data = (unsigned char *)PORT_Alloc(LG_KEY_ID_SIZE); + if (id->data == NULL) { + return CKR_HOST_MEMORY; + } + id->len = LG_KEY_ID_SIZE; + + retries = 0; + do { + rv = RNG_GenerateGlobalRandomBytes(id->data, id->len); + } while (rv == SECSuccess && nsslowkey_KeyForIDExists(handle, id) && + (++retries <= LG_KEY_MAX_RETRIES)); + + if ((rv != SECSuccess) || (retries > LG_KEY_MAX_RETRIES)) { + crv = CKR_DEVICE_ERROR; /* random number generator is bad */ + PORT_Free(id->data); + id->data = NULL; + id->len = 0; + } + return crv; +} + +static NSSLOWKEYPrivateKey * +lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ, + CK_ULONG count, CK_KEY_TYPE key_type, + SECItem *pubkey, SDB *sdbpw) +{ + NSSLOWKEYPrivateKey *privKey = 0; + PLArenaPool *arena = 0; + CK_KEY_TYPE keyType; + PRUint32 keyTypeStorage; + SECItem keyTypeItem; + CK_RV crv; + SECStatus rv; + static unsigned char derZero[1] = { 0 }; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + privKey = (NSSLOWKEYPrivateKey *) + PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey)); + if (privKey == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + privKey->arena = arena; + + /* Secret keys are represented in the database as "fake" RSA keys. 
+ * The RSA key is marked as a secret key representation by setting the + * public exponent field to 0, which is an invalid RSA exponent. + * The other fields are set as follows: + * modulus - CKA_ID value for the secret key + * private exponent - CKA_VALUE (the key itself) + * coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm + * is used for the key. + * all others - set to integer 0 + */ + privKey->keyType = NSSLOWKEYRSAKey; + + /* The modulus is set to the key id of the symmetric key */ + privKey->u.rsa.modulus.data = + (unsigned char *)PORT_ArenaAlloc(arena, pubkey->len); + if (privKey->u.rsa.modulus.data == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + privKey->u.rsa.modulus.len = pubkey->len; + PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len); + + /* The public exponent is set to 0 to indicate a special key */ + privKey->u.rsa.publicExponent.len = sizeof derZero; + privKey->u.rsa.publicExponent.data = derZero; + + /* The private exponent is the actual key value */ + crv = lg_PrivAttr2SecItem(arena, CKA_VALUE, templ, count, + &privKey->u.rsa.privateExponent, sdbpw); + if (crv != CKR_OK) + goto loser; + + /* All other fields empty - needs testing */ + privKey->u.rsa.prime1.len = sizeof derZero; + privKey->u.rsa.prime1.data = derZero; + + privKey->u.rsa.prime2.len = sizeof derZero; + privKey->u.rsa.prime2.data = derZero; + + privKey->u.rsa.exponent1.len = sizeof derZero; + privKey->u.rsa.exponent1.data = derZero; + + privKey->u.rsa.exponent2.len = sizeof derZero; + privKey->u.rsa.exponent2.data = derZero; + + /* Coeficient set to KEY_TYPE */ + crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &keyType); + if (crv != CKR_OK) + goto loser; + /* on 64 bit platforms, we still want to store 32 bits of keyType (This is + * safe since the PKCS #11 defines for all types are 32 bits or less). 
*/ + keyTypeStorage = (PRUint32)keyType; + keyTypeStorage = PR_htonl(keyTypeStorage); + keyTypeItem.data = (unsigned char *)&keyTypeStorage; + keyTypeItem.len = sizeof(keyTypeStorage); + rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem); + if (rv != SECSuccess) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + /* Private key version field set normally for compatibility */ + rv = DER_SetUInteger(privKey->arena, + &privKey->u.rsa.version, NSSLOWKEY_VERSION); + if (rv != SECSuccess) { + crv = CKR_HOST_MEMORY; + goto loser; + } + +loser: + if (crv != CKR_OK) { + PORT_FreeArena(arena, PR_FALSE); + privKey = 0; + } + + return privKey; +} + +/* + * check the consistancy and initialize a Secret Key Object + */ +static CK_RV +lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type, + CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + CK_RV crv; + NSSLOWKEYPrivateKey *privKey = NULL; + NSSLOWKEYDBHandle *keyHandle = NULL; + SECItem pubKey; + char *label = NULL; + SECStatus rv = SECSuccess; + + pubKey.data = 0; + + /* If the object is a TOKEN object, store in the database */ + keyHandle = lg_getKeyDB(sdb); + + if (keyHandle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + label = lg_getString(CKA_LABEL, templ, count); + + crv = lg_Attribute2SecItem(NULL, CKA_ID, templ, count, &pubKey); + /* Should this be ID? 
*/ + if (crv != CKR_OK) + goto loser; + + /* if we don't have an ID, generate one */ + if (pubKey.len == 0) { + if (pubKey.data) { + PORT_Free(pubKey.data); + pubKey.data = NULL; + } + crv = lg_GenerateSecretCKA_ID(keyHandle, &pubKey, label); + if (crv != CKR_OK) + goto loser; + } + + privKey = lg_mkSecretKeyRep(templ, count, key_type, &pubKey, sdb); + if (privKey == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + rv = nsslowkey_StoreKeyByPublicKey(keyHandle, + privKey, &pubKey, label, sdb /*->password*/); + if (rv != SECSuccess) { + crv = CKR_DEVICE_ERROR; + goto loser; + } + + *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_KEY); + +loser: + if (label) + PORT_Free(label); + if (privKey) + lg_nsslowkey_DestroyPrivateKey(privKey); + if (pubKey.data) + PORT_Free(pubKey.data); + + return crv; +} + +/* + * check the consistancy and initialize a Key Object + */ +static CK_RV +lg_createKeyObject(SDB *sdb, CK_OBJECT_CLASS objclass, + CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + CK_RV crv; + CK_KEY_TYPE key_type; + + /* get the key type */ + crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &key_type); + if (crv != CKR_OK) { + return crv; + } + + switch (objclass) { + case CKO_PUBLIC_KEY: + return lg_createPublicKeyObject(sdb, key_type, handle, templ, count); + case CKO_PRIVATE_KEY: + return lg_createPrivateKeyObject(sdb, key_type, handle, templ, count); + case CKO_SECRET_KEY: + return lg_createSecretKeyObject(sdb, key_type, handle, templ, count); + default: + break; + } + return CKR_ATTRIBUTE_VALUE_INVALID; +} + +/* + * return the 'next' key handle + */ +CK_RV +lg_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *handle) +{ + /* the upper level needs the Object ID early to populate any + * signature attributes. The legacy can't really return a new + * handle without the full object template (chicken and egg issue). 
+ * Fortunately we can just return a bogus handle because the legacy + * database doesn't support meta data and can't store any of the signed + * attributes anyway */ + *handle = CK_INVALID_HANDLE; + return CKR_OK; +} + +/* + * Parse the template and create an object stored in the DB that reflects. + * the object specified in the database. + */ +CK_RV +lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle, + const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + CK_RV crv; + CK_OBJECT_CLASS objclass; + + /* get the object class */ + crv = lg_GetULongAttribute(CKA_CLASS, templ, count, &objclass); + if (crv != CKR_OK) { + return crv; + } + + /* Now handle the specific object class. + */ + switch (objclass) { + case CKO_CERTIFICATE: + crv = lg_createCertObject(sdb, handle, templ, count); + break; + case CKO_NSS_TRUST: + crv = lg_createTrustObject(sdb, handle, templ, count); + break; + case CKO_NSS_CRL: + crv = lg_createCrlObject(sdb, handle, templ, count); + break; + case CKO_NSS_SMIME: + crv = lg_createSMimeObject(sdb, handle, templ, count); + break; + case CKO_PRIVATE_KEY: + case CKO_PUBLIC_KEY: + case CKO_SECRET_KEY: + crv = lg_createKeyObject(sdb, objclass, handle, templ, count); + break; + default: + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + + return crv; +} diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h new file mode 100644 index 0000000000..c28e8a3687 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lgdb.h 
@@ -0,0 +1,177 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _LGDB_H_
+#define _LGDB_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+#include "sdb.h"
+#include "cdbhdl.h"
+
+#define MULTIACCESS "multiaccess:"
+
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+
+SEC_BEGIN_PROTOS
+
+/* internal utility functions used by pkcs11.c */
+extern const CK_ATTRIBUTE *lg_FindAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern CK_RV lg_Attribute2SecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item);
+extern CK_RV lg_Attribute2SSecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item);
+extern CK_RV lg_PrivAttr2SecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw);
+extern CK_RV lg_PrivAttr2SSecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw);
+extern CK_RV lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ CK_ULONG *out);
+extern PRBool lg_hasAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isTrue(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *lg_getString(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern unsigned int lg_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV lg_ClearTokenKeyHashTable(SDB *sdb);
+
+extern void lg_FreeSearch(SDBFind *search);
+
+NSSLOWCERTCertDBHandle *lg_getCertDB(SDB *sdb);
+NSSLOWKEYDBHandle *lg_getKeyDB(SDB *sdb);
+
+const char *lg_EvaluateConfigDir(const char *configdir, char **domain);
+
+/* verify the FIPS selftests ran and were successful */
+PRBool lg_FIPSEntryOK(void);
+
+/*
+ * object handle modifiers
+ */
+#define LG_TOKEN_MASK 0xc0000000L
+#define LG_TOKEN_TYPE_MASK 0x38000000L
+#define LG_TOKEN_TYPE_SHIFT 27
+/* keydb (high bit == 0) */
+#define LG_TOKEN_TYPE_PRIV 0x08000000L
+#define LG_TOKEN_TYPE_PUB 0x10000000L
+#define LG_TOKEN_TYPE_KEY 0x18000000L
+/* certdb (high bit == 1) */
+#define LG_TOKEN_TYPE_TRUST 0x20000000L
+#define LG_TOKEN_TYPE_CRL 0x28000000L
+#define LG_TOKEN_TYPE_SMIME 0x30000000L
+#define LG_TOKEN_TYPE_CERT 0x38000000L
+
+#define LG_TOKEN_KRL_HANDLE (LG_TOKEN_TYPE_CRL | 1)
+
+#define LG_SEARCH_BLOCK_SIZE 10
+#define LG_BUF_SPACE 50
+#define LG_STRICT PR_FALSE
+
+/*
+ * token object utilities
+ */
+void lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle);
+PRBool lg_poisonHandle(SDB *sdb, SECItem *dbkey, CK_OBJECT_HANDLE handle);
+PRBool lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+const SECItem *lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+CK_OBJECT_HANDLE lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class);
+SECStatus lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdbpw,
+ SECItem *plainText, SECItem **cipherText);
+SECStatus lg_util_decrypt(SDB *sdbpw,
+ SECItem *cipherText, SECItem **plainText);
+PLHashTable *lg_GetHashTable(SDB *sdb);
+void lg_DBLock(SDB *sdb);
+void lg_DBUnlock(SDB *sdb);
+
+typedef void (*LGFreeFunc)(void *);
+
+/*
* database functions
+ */
+
+/* lg_FindObjectsInit initializes a search for token and session objects
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate,
+ CK_ULONG ulCount, SDBFind **search);
+/* lg_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search,
+ CK_OBJECT_HANDLE *phObject, CK_ULONG ulMaxObjectCount,
+ CK_ULONG *pulObjectCount);
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB *lgdb, SDBFind *search);
+
+/* lg_CreateObject parses the template and create an object stored in the
+ * DB that reflects the object specified in the template. */
+CK_RV lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+
+CK_RV lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id);
+
+CK_RV lg_Close(SDB *sdb);
+CK_RV lg_Reset(SDB *sdb);
+
+/*
+ * The old database doesn't share and doesn't support
+ * transactions.
+ */
+CK_RV lg_Begin(SDB *sdb);
+CK_RV lg_Commit(SDB *sdb);
+CK_RV lg_Abort(SDB *sdb);
+CK_RV lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2);
+CK_RV lg_PutMetaData(SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2);
+CK_RV lg_DestroyMetaData(SDB *sdb, const char *id);
+CK_RV lg_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object_id);
+
+SEC_END_PROTOS
+
+#ifndef XP_UNIX
+
+#define NO_FORK_CHECK
+
+#endif
+
+#ifndef NO_FORK_CHECK
+
+extern PRBool lg_parentForkedAfterC_Initialize;
+#define SKIP_AFTER_FORK(x) \
+ if (!lg_parentForkedAfterC_Initialize) \
+ x
+
+#else
+
+#define SKIP_AFTER_FORK(x) x
+
+#endif /* NO_FORK_CHECK */
+
+#endif /* _LGDB_H_ */
diff --git a/security/nss/lib/softoken/legacydb/lgdestroy.c b/security/nss/lib/softoken/legacydb/lgdestroy.c
new file mode 100644
index 0000000000..1e3839d7be
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgdestroy.c
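Review bot: `lg_tokenMatch` and `lg_mkHandle` in the "token object utilities" section name a parameter `class`, which is a reserved word in C++; since these prototypes sit between SEC_BEGIN_PROTOS and SEC_END_PROTOS, which appear intended to make the header usable from C++, any C++ includer will fail to compile on those two lines. Rename the parameter in both prototypes, e.g. `PRBool lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE objClass, const CK_ATTRIBUTE *templ, CK_ULONG count);` and `CK_OBJECT_HANDLE lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE objClass);`. Separately, `SKIP_AFTER_FORK(x)` expands to an unbraced `if`, so a call site followed by `else`, or one passing more than a single statement, silently changes meaning; bracing the body as `if (!lg_parentForkedAfterC_Initialize) { x; }` removes that hazard, assuming callers pass one statement (the callers are not visible in this hunk).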
@@ -0,0 +1,110 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+
+/*
+ * remove an object.
+ */
+CK_RV
+lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertTrust tmptrust;
+ PRBool isKrl;
+ NSSLOWKEYDBHandle *keyHandle;
+ NSSLOWCERTCertDBHandle *certHandle;
+ const SECItem *dbKey;
+
+ object_id &= ~LG_TOKEN_MASK;
+ dbKey = lg_lookupTokenKeyByHandle(sdb, object_id);
+ if (dbKey == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ /* remove the objects from the real data base */
+ switch (object_id & LG_TOKEN_TYPE_MASK) {
+ case LG_TOKEN_TYPE_PRIV:
+ case LG_TOKEN_TYPE_KEY:
+ /* KEYID is the public KEY for DSA and DH, and the MODULUS for
+ * RSA */
+ keyHandle = lg_getKeyDB(sdb);
+ if (!keyHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ rv = nsslowkey_DeleteKey(keyHandle, dbKey);
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ break;
+ case LG_TOKEN_TYPE_PUB:
+ break; /* public keys only exist at the behest of the priv key */
+ case LG_TOKEN_TYPE_CERT:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+ if (cert == NULL) {
+ crv = CKR_DEVICE_ERROR;
+ break;
+ }
+ rv = nsslowcert_DeletePermCertificate(cert);
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ nsslowcert_DestroyCertificate(cert);
+ break;
+ case LG_TOKEN_TYPE_CRL:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ isKrl = (PRBool)(object_id == LG_TOKEN_KRL_HANDLE);
+ rv = nsslowcert_DeletePermCRL(certHandle, dbKey, isKrl);
+ if (rv == SECFailure)
+ crv = CKR_DEVICE_ERROR;
+ break;
+ case LG_TOKEN_TYPE_TRUST:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+ if (cert == NULL) {
+ crv = CKR_DEVICE_ERROR;
+ break;
+ }
+ tmptrust = *cert->trust;
+ tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
+ tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
+ tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
+ if (rv != SECSuccess)
+ crv = CKR_DEVICE_ERROR;
+ nsslowcert_DestroyCertificate(cert);
+ break;
+ default:
+ break;
+ }
+ lg_DBLock(sdb);
+ lg_deleteTokenKeyByHandle(sdb, object_id);
+ lg_DBUnlock(sdb);
+
+ return crv;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c
new file mode 100644
index 0000000000..3c18c0ef12
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgfind.c
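Review bot: In the LG_TOKEN_TYPE_TRUST case `tmptrust = *cert->trust;` dereferences `cert->trust` with no NULL check, unlike every other pointer this function obtains; if nsslowcert_FindCertByKey can return a certificate that carries no trust record (not confirmable from this hunk, but the field is a pointer) this is a NULL dereference on the object-destroy path. A guard in the style of the surrounding checks, placed before the copy, would be `if (cert->trust == NULL) { crv = CKR_DEVICE_ERROR; nsslowcert_DestroyCertificate(cert); break; }`. Separately, `lg_deleteTokenKeyByHandle(sdb, object_id);` runs even when the backend delete failed and crv is already CKR_DEVICE_ERROR or CKR_TOKEN_WRITE_PROTECTED, so the handle mapping is dropped while the object remains in the database, and its SECStatus return is discarded; if that is intentional a one-line comment saying so would help, otherwise make the cleanup conditional on `crv == CKR_OK`.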
@@ -0,0 +1,912 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "secitem.h" +#include "pkcs11.h" +#include "lgdb.h" +#include "lowkeyi.h" +#include "pcert.h" +#include "blapi.h" + +#include "keydbi.h" + +/* + * This code maps PKCS #11 Finds to legacy database searches. This code + * was orginally in pkcs11.c in previous versions of NSS. + */ + +struct SDBFindStr { + CK_OBJECT_HANDLE *handles; + int size; + int index; + int array_size; +}; + +/* + * free a search structure + */ +void +lg_FreeSearch(SDBFind *search) +{ + if (search->handles) { + PORT_Free(search->handles); + } + PORT_Free(search); +} + +void +lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle) +{ + if (search->handles == NULL) { + return; + } + if (search->size >= search->array_size) { + search->array_size += LG_SEARCH_BLOCK_SIZE; + search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles, + sizeof(CK_OBJECT_HANDLE) * search->array_size); + if (search->handles == NULL) { + return; + } + } + search->handles[search->size] = handle; + search->size++; +} + +/* + * find any certs that may match the template and load them. + */ +#define LG_CERT 0x00000001 +#define LG_TRUST 0x00000002 +#define LG_CRL 0x00000004 +#define LG_SMIME 0x00000008 +#define LG_PRIVATE 0x00000010 +#define LG_PUBLIC 0x00000020 +#define LG_KEY 0x00000040 + +/* + * structure to collect key handles. + */ +typedef struct lgEntryDataStr { + SDB *sdb; + SDBFind *searchHandles; + const CK_ATTRIBUTE *template; + CK_ULONG templ_count; +} lgEntryData; + +static SECStatus +lg_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg) +{ + lgEntryData *crlData; + CK_OBJECT_HANDLE class_handle; + SDB *sdb; + + crlData = (lgEntryData *)arg; + sdb = crlData->sdb; + + class_handle = (type == certDBEntryTypeRevocation) ? 
LG_TOKEN_TYPE_CRL : LG_TOKEN_KRL_HANDLE; + if (lg_tokenMatch(sdb, key, class_handle, + crlData->template, crlData->templ_count)) { + lg_addHandle(crlData->searchHandles, + lg_mkHandle(sdb, key, class_handle)); + } + return (SECSuccess); +} + +static void +lg_searchCrls(SDB *sdb, SECItem *derSubject, PRBool isKrl, + unsigned long classFlags, SDBFind *search, + const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) +{ + NSSLOWCERTCertDBHandle *certHandle = NULL; + + certHandle = lg_getCertDB(sdb); + if (certHandle == NULL) { + return; + } + if (derSubject->data != NULL) { + certDBEntryRevocation *crl = + nsslowcert_FindCrlByKey(certHandle, derSubject, isKrl); + + if (crl != NULL) { + lg_addHandle(search, lg_mkHandle(sdb, derSubject, + isKrl ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL)); + nsslowcert_DestroyDBEntry((certDBEntry *)crl); + } + } else { + lgEntryData crlData; + + /* traverse */ + crlData.sdb = sdb; + crlData.searchHandles = search; + crlData.template = pTemplate; + crlData.templ_count = ulCount; + nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation, + lg_crl_collect, (void *)&crlData); + nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation, + lg_crl_collect, (void *)&crlData); + } +} + +/* + * structure to collect key handles. 
+ */ +typedef struct lgKeyDataStr { + SDB *sdb; + NSSLOWKEYDBHandle *keyHandle; + SDBFind *searchHandles; + SECItem *id; + const CK_ATTRIBUTE *template; + CK_ULONG templ_count; + unsigned long classFlags; + PRBool strict; +} lgKeyData; + +static PRBool +isSecretKey(NSSLOWKEYPrivateKey *privKey) +{ + if (privKey->keyType == NSSLOWKEYRSAKey && + privKey->u.rsa.publicExponent.len == 1 && + privKey->u.rsa.publicExponent.data[0] == 0) + return PR_TRUE; + + return PR_FALSE; +} + +static SECStatus +lg_key_collect(DBT *key, DBT *data, void *arg) +{ + lgKeyData *keyData; + NSSLOWKEYPrivateKey *privKey = NULL; + SECItem tmpDBKey; + SDB *sdb; + unsigned long classFlags; + + keyData = (lgKeyData *)arg; + sdb = keyData->sdb; + classFlags = keyData->classFlags; + + tmpDBKey.data = key->data; + tmpDBKey.len = key->size; + tmpDBKey.type = siBuffer; + + PORT_Assert(keyData->keyHandle); + if (!keyData->strict && keyData->id && keyData->id->data) { + SECItem result; + PRBool haveMatch = PR_FALSE; + unsigned char hashKey[SHA1_LENGTH]; + result.data = hashKey; + result.len = sizeof(hashKey); + + if (keyData->id->len == 0) { + /* Make sure this isn't a LG_KEY */ + privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, + &tmpDBKey, keyData->sdb /*->password*/); + if (privKey) { + /* turn off the unneeded class flags */ + classFlags &= isSecretKey(privKey) ? ~(LG_PRIVATE | LG_PUBLIC) : ~LG_KEY; + haveMatch = (PRBool)((classFlags & (LG_KEY | LG_PRIVATE | LG_PUBLIC)) != 0); + lg_nsslowkey_DestroyPrivateKey(privKey); + } + } else { + SHA1_HashBuf(hashKey, key->data, key->size); /* match id */ + haveMatch = SECITEM_ItemsAreEqual(keyData->id, &result); + if (!haveMatch && ((unsigned char *)key->data)[0] == 0) { + /* This is a fix for backwards compatibility. The key + * database indexes private keys by the public key, and + * versions of NSS prior to 3.4 stored the public key as + * a signed integer. The public key is now treated as an + * unsigned integer, with no leading zero. 
In order to + * correctly compute the hash of an old key, it is necessary + * to fallback and detect the leading zero. + */ + SHA1_HashBuf(hashKey, + (unsigned char *)key->data + 1, key->size - 1); + haveMatch = SECITEM_ItemsAreEqual(keyData->id, &result); + } + } + if (haveMatch) { + if (classFlags & LG_PRIVATE) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV)); + } + if (classFlags & LG_PUBLIC) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB)); + } + if (classFlags & LG_KEY) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY)); + } + } + return SECSuccess; + } + + privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, &tmpDBKey, + keyData->sdb /*->password*/); + if (privKey == NULL) { + goto loser; + } + + if (isSecretKey(privKey)) { + if ((classFlags & LG_KEY) && + lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY, + keyData->template, keyData->templ_count)) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY)); + } + } else { + if ((classFlags & LG_PRIVATE) && + lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV, + keyData->template, keyData->templ_count)) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV)); + } + if ((classFlags & LG_PUBLIC) && + lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB, + keyData->template, keyData->templ_count)) { + lg_addHandle(keyData->searchHandles, + lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB)); + } + } + +loser: + if (privKey) { + lg_nsslowkey_DestroyPrivateKey(privKey); + } + return (SECSuccess); +} + +static void +lg_searchKeys(SDB *sdb, SECItem *key_id, + unsigned long classFlags, SDBFind *search, PRBool mustStrict, + const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) +{ + NSSLOWKEYDBHandle *keyHandle = NULL; + NSSLOWKEYPrivateKey *privKey; + lgKeyData keyData; + PRBool found = 
PR_FALSE; + + keyHandle = lg_getKeyDB(sdb); + if (keyHandle == NULL) { + return; + } + + if (key_id->data) { + privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, sdb); + if (privKey) { + if ((classFlags & LG_KEY) && isSecretKey(privKey)) { + lg_addHandle(search, + lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_KEY)); + found = PR_TRUE; + } + if ((classFlags & LG_PRIVATE) && !isSecretKey(privKey)) { + lg_addHandle(search, + lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_PRIV)); + found = PR_TRUE; + } + if ((classFlags & LG_PUBLIC) && !isSecretKey(privKey)) { + lg_addHandle(search, + lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_PUB)); + found = PR_TRUE; + } + lg_nsslowkey_DestroyPrivateKey(privKey); + } + /* don't do the traversal if we have an up to date db */ + if (keyHandle->version != 3) { + goto loser; + } + /* don't do the traversal if it can't possibly be the correct id */ + /* all soft token id's are SHA1_HASH_LEN's */ + if (key_id->len != SHA1_LENGTH) { + goto loser; + } + if (found) { + /* if we already found some keys, don't do the traversal */ + goto loser; + } + } + keyData.sdb = sdb; + keyData.keyHandle = keyHandle; + keyData.searchHandles = search; + keyData.id = key_id; + keyData.template = pTemplate; + keyData.templ_count = ulCount; + keyData.classFlags = classFlags; + keyData.strict = mustStrict ? mustStrict : LG_STRICT; + + nsslowkey_TraverseKeys(keyHandle, lg_key_collect, &keyData); + +loser: + return; +} + +/* + * structure to collect certs into + */ +typedef struct lgCertDataStr { + SDB *sdb; + int cert_count; + int max_cert_count; + NSSLOWCERTCertificate **certs; + const CK_ATTRIBUTE *template; + CK_ULONG templ_count; + unsigned long classFlags; + PRBool strict; +} lgCertData; + +/* + * collect all the certs from the traverse call. 
+ */ +static SECStatus +lg_cert_collect(NSSLOWCERTCertificate *cert, void *arg) +{ + lgCertData *cd = (lgCertData *)arg; + + if (cert == NULL) { + return SECSuccess; + } + + if (cd->certs == NULL) { + return SECFailure; + } + + if (cd->strict) { + if ((cd->classFlags & LG_CERT) && + !lg_tokenMatch(cd->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT, cd->template, cd->templ_count)) { + return SECSuccess; + } + if ((cd->classFlags & LG_TRUST) && + !lg_tokenMatch(cd->sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST, cd->template, cd->templ_count)) { + return SECSuccess; + } + } + + /* allocate more space if we need it. This should only happen in + * the general traversal case */ + if (cd->cert_count >= cd->max_cert_count) { + int size; + cd->max_cert_count += LG_SEARCH_BLOCK_SIZE; + size = cd->max_cert_count * sizeof(NSSLOWCERTCertificate *); + cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs, size); + if (cd->certs == NULL) { + return SECFailure; + } + } + + cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert); + return SECSuccess; +} + +/* provide impedence matching ... 
*/ +static SECStatus +lg_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg) +{ + return lg_cert_collect(cert, arg); +} + +static void +lg_searchSingleCert(lgCertData *certData, NSSLOWCERTCertificate *cert) +{ + if (cert == NULL) { + return; + } + if (certData->strict && + !lg_tokenMatch(certData->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT, + certData->template, certData->templ_count)) { + nsslowcert_DestroyCertificate(cert); + return; + } + certData->certs = (NSSLOWCERTCertificate **) + PORT_Alloc(sizeof(NSSLOWCERTCertificate *)); + if (certData->certs == NULL) { + nsslowcert_DestroyCertificate(cert); + return; + } + certData->certs[0] = cert; + certData->cert_count = 1; +} + +static void +lg_CertSetupData(lgCertData *certData, int count) +{ + certData->max_cert_count = count; + + if (certData->max_cert_count <= 0) { + return; + } + certData->certs = (NSSLOWCERTCertificate **) + PORT_Alloc(count * sizeof(NSSLOWCERTCertificate *)); + return; +} + +static void +lg_searchCertsAndTrust(SDB *sdb, SECItem *derCert, SECItem *name, + SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN, + SECItem *email, + unsigned long classFlags, SDBFind *handles, + const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount) +{ + NSSLOWCERTCertDBHandle *certHandle = NULL; + lgCertData certData; + int i; + + certHandle = lg_getCertDB(sdb); + if (certHandle == NULL) + return; + + certData.sdb = sdb; + certData.max_cert_count = 0; + certData.certs = NULL; + certData.cert_count = 0; + certData.template = pTemplate; + certData.templ_count = ulCount; + certData.classFlags = classFlags; + certData.strict = LG_STRICT; + + /* + * Find the Cert. 
+ */ + if (derCert->data != NULL) { + NSSLOWCERTCertificate *cert = + nsslowcert_FindCertByDERCert(certHandle, derCert); + lg_searchSingleCert(&certData, cert); + } else if (name->data != NULL) { + char *tmp_name = (char *)PORT_Alloc(name->len + 1); + int count; + + if (tmp_name == NULL) { + return; + } + PORT_Memcpy(tmp_name, name->data, name->len); + tmp_name[name->len] = 0; + + count = nsslowcert_NumPermCertsForNickname(certHandle, tmp_name); + lg_CertSetupData(&certData, count); + nsslowcert_TraversePermCertsForNickname(certHandle, tmp_name, + lg_cert_collect, &certData); + PORT_Free(tmp_name); + } else if (derSubject->data != NULL) { + int count; + + count = nsslowcert_NumPermCertsForSubject(certHandle, derSubject); + lg_CertSetupData(&certData, count); + nsslowcert_TraversePermCertsForSubject(certHandle, derSubject, + lg_cert_collect, &certData); + } else if ((issuerSN->derIssuer.data != NULL) && + (issuerSN->serialNumber.data != NULL)) { + if (classFlags & LG_CERT) { + NSSLOWCERTCertificate *cert = + nsslowcert_FindCertByIssuerAndSN(certHandle, issuerSN); + + lg_searchSingleCert(&certData, cert); + } + if (classFlags & LG_TRUST) { + NSSLOWCERTTrust *trust = + nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN); + + if (trust) { + lg_addHandle(handles, + lg_mkHandle(sdb, &trust->dbKey, LG_TOKEN_TYPE_TRUST)); + nsslowcert_DestroyTrust(trust); + } + } + } else if (email->data != NULL) { + char *tmp_name = (char *)PORT_Alloc(email->len + 1); + certDBEntrySMime *entry = NULL; + + if (tmp_name == NULL) { + return; + } + PORT_Memcpy(tmp_name, email->data, email->len); + tmp_name[email->len] = 0; + + entry = nsslowcert_ReadDBSMimeEntry(certHandle, tmp_name); + if (entry) { + int count; + SECItem *subjectName = &entry->subjectName; + + count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName); + lg_CertSetupData(&certData, count); + nsslowcert_TraversePermCertsForSubject(certHandle, subjectName, + lg_cert_collect, &certData); + + 
nsslowcert_DestroyDBEntry((certDBEntry *)entry); + } + PORT_Free(tmp_name); + } else { + /* we aren't filtering the certs, we are working on all, so turn + * on the strict filters. */ + certData.strict = PR_TRUE; + lg_CertSetupData(&certData, LG_SEARCH_BLOCK_SIZE); + nsslowcert_TraversePermCerts(certHandle, lg_cert_collect2, &certData); + } + + /* + * build the handles + */ + for (i = 0; i < certData.cert_count; i++) { + NSSLOWCERTCertificate *cert = certData.certs[i]; + + /* if we filtered it would have been on the stuff above */ + if (classFlags & LG_CERT) { + lg_addHandle(handles, + lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_CERT)); + } + if ((classFlags & LG_TRUST) && nsslowcert_hasTrust(cert->trust)) { + lg_addHandle(handles, + lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST)); + } + nsslowcert_DestroyCertificate(cert); + } + + if (certData.certs) + PORT_Free(certData.certs); + return; +} + +static SECStatus +lg_smime_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg) +{ + lgEntryData *smimeData; + SDB *sdb; + + smimeData = (lgEntryData *)arg; + sdb = smimeData->sdb; + + if (lg_tokenMatch(sdb, key, LG_TOKEN_TYPE_SMIME, + smimeData->template, smimeData->templ_count)) { + lg_addHandle(smimeData->searchHandles, + lg_mkHandle(sdb, key, LG_TOKEN_TYPE_SMIME)); + } + return (SECSuccess); +} + +static void +lg_searchSMime(SDB *sdb, SECItem *email, SDBFind *handles, + const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount) +{ + NSSLOWCERTCertDBHandle *certHandle = NULL; + certDBEntrySMime *entry; + + certHandle = lg_getCertDB(sdb); + if (certHandle == NULL) + return; + + if (email->data != NULL) { + char *tmp_name = (char *)PORT_Alloc(email->len + 1); + + if (tmp_name == NULL) { + return; + } + PORT_Memcpy(tmp_name, email->data, email->len); + tmp_name[email->len] = 0; + + entry = nsslowcert_ReadDBSMimeEntry(certHandle, tmp_name); + if (entry) { + SECItem emailKey; + + emailKey.data = (unsigned char *)tmp_name; + emailKey.len = PORT_Strlen(tmp_name) 
+ 1; + emailKey.type = 0; + lg_addHandle(handles, + lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME)); + nsslowcert_DestroyDBEntry((certDBEntry *)entry); + } + PORT_Free(tmp_name); + } else { + /* traverse */ + lgEntryData smimeData; + + /* traverse */ + smimeData.sdb = sdb; + smimeData.searchHandles = handles; + smimeData.template = pTemplate; + smimeData.templ_count = ulCount; + nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeSMimeProfile, + lg_smime_collect, (void *)&smimeData); + } + return; +} + +static CK_RV +lg_searchTokenList(SDB *sdb, SDBFind *search, + const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount) +{ + int i; + PRBool isKrl = PR_FALSE; + SECItem derCert = { siBuffer, NULL, 0 }; + SECItem derSubject = { siBuffer, NULL, 0 }; + SECItem name = { siBuffer, NULL, 0 }; + SECItem email = { siBuffer, NULL, 0 }; + SECItem key_id = { siBuffer, NULL, 0 }; + SECItem cert_sha1_hash = { siBuffer, NULL, 0 }; + SECItem cert_md5_hash = { siBuffer, NULL, 0 }; + NSSLOWCERTIssuerAndSN issuerSN = { + { siBuffer, NULL, 0 }, + { siBuffer, NULL, 0 } + }; + SECItem *copy = NULL; + CK_CERTIFICATE_TYPE certType; + CK_OBJECT_CLASS objectClass; + CK_RV crv; + unsigned long classFlags; + + if (lg_getCertDB(sdb) == NULL) { + classFlags = LG_PRIVATE | LG_KEY; + } else { + classFlags = LG_CERT | LG_TRUST | LG_PUBLIC | LG_SMIME | LG_CRL; + } + + /* + * look for things to search on token objects for. If the right options + * are specified, we can use them as direct indeces into the database + * (rather than using linear searches. We can also use the attributes to + * limit the kinds of objects we are searching for. Later we can use this + * array to filter the remaining objects more finely. 
+ */ + for (i = 0; classFlags && i < (int)ulCount; i++) { + + switch (pTemplate[i].type) { + case CKA_SUBJECT: + copy = &derSubject; + classFlags &= (LG_CERT | LG_PRIVATE | LG_PUBLIC | LG_SMIME | LG_CRL); + break; + case CKA_ISSUER: + copy = &issuerSN.derIssuer; + classFlags &= (LG_CERT | LG_TRUST); + break; + case CKA_SERIAL_NUMBER: + copy = &issuerSN.serialNumber; + classFlags &= (LG_CERT | LG_TRUST); + break; + case CKA_VALUE: + copy = &derCert; + classFlags &= (LG_CERT | LG_CRL | LG_SMIME); + break; + case CKA_LABEL: + copy = &name; + break; + case CKA_NSS_EMAIL: + copy = &email; + classFlags &= LG_SMIME | LG_CERT; + break; + case CKA_NSS_SMIME_TIMESTAMP: + classFlags &= LG_SMIME; + break; + case CKA_CLASS: + crv = lg_GetULongAttribute(CKA_CLASS, &pTemplate[i], 1, &objectClass); + if (crv != CKR_OK) { + classFlags = 0; + break; + } + switch (objectClass) { + case CKO_CERTIFICATE: + classFlags &= LG_CERT; + break; + case CKO_NSS_TRUST: + classFlags &= LG_TRUST; + break; + case CKO_NSS_CRL: + classFlags &= LG_CRL; + break; + case CKO_NSS_SMIME: + classFlags &= LG_SMIME; + break; + case CKO_PRIVATE_KEY: + classFlags &= LG_PRIVATE; + break; + case CKO_PUBLIC_KEY: + classFlags &= LG_PUBLIC; + break; + case CKO_SECRET_KEY: + classFlags &= LG_KEY; + break; + default: + classFlags = 0; + break; + } + break; + case CKA_PRIVATE: + if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) { + classFlags = 0; + break; + } + if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) { + classFlags &= (LG_PRIVATE | LG_KEY); + } else { + classFlags &= ~(LG_PRIVATE | LG_KEY); + } + break; + case CKA_SENSITIVE: + if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) { + classFlags = 0; + break; + } + if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) { + classFlags &= (LG_PRIVATE | LG_KEY); + } else { + classFlags = 0; + } + break; + case CKA_TOKEN: + if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) { + classFlags = 0; + break; + } + if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_TRUE) { + classFlags 
= 0; + } + break; + case CKA_CERT_SHA1_HASH: + classFlags &= LG_TRUST; + copy = &cert_sha1_hash; + break; + case CKA_CERT_MD5_HASH: + classFlags &= LG_TRUST; + copy = &cert_md5_hash; + break; + case CKA_CERTIFICATE_TYPE: + crv = lg_GetULongAttribute(CKA_CERTIFICATE_TYPE, &pTemplate[i], + 1, &certType); + if (crv != CKR_OK) { + classFlags = 0; + break; + } + classFlags &= LG_CERT; + if (certType != CKC_X_509) { + classFlags = 0; + } + break; + case CKA_ID: + copy = &key_id; + classFlags &= (LG_CERT | LG_PRIVATE | LG_KEY | LG_PUBLIC); + break; + case CKA_NSS_KRL: + if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) { + classFlags = 0; + break; + } + classFlags &= LG_CRL; + isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE); + break; + case CKA_MODIFIABLE: + break; + case CKA_KEY_TYPE: + case CKA_DERIVE: + classFlags &= LG_PUBLIC | LG_PRIVATE | LG_KEY; + break; + case CKA_VERIFY_RECOVER: + classFlags &= LG_PUBLIC; + break; + case CKA_SIGN_RECOVER: + classFlags &= LG_PRIVATE; + break; + case CKA_ENCRYPT: + case CKA_VERIFY: + case CKA_WRAP: + classFlags &= LG_PUBLIC | LG_KEY; + break; + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_UNWRAP: + case CKA_ALWAYS_SENSITIVE: + case CKA_EXTRACTABLE: + case CKA_NEVER_EXTRACTABLE: + classFlags &= LG_PRIVATE | LG_KEY; + break; + /* can't be a certificate if it doesn't match one of the above + * attributes */ + default: + classFlags = 0; + break; + } + if (copy) { + copy->data = (unsigned char *)pTemplate[i].pValue; + copy->len = pTemplate[i].ulValueLen; + } + copy = NULL; + } + + /* certs */ + if (classFlags & (LG_CERT | LG_TRUST)) { + lg_searchCertsAndTrust(sdb, &derCert, &name, &derSubject, + &issuerSN, &email, classFlags, search, + pTemplate, ulCount); + } + + /* keys */ + if (classFlags & (LG_PRIVATE | LG_PUBLIC | LG_KEY)) { + PRBool mustStrict = (name.len != 0); + lg_searchKeys(sdb, &key_id, classFlags, search, + mustStrict, pTemplate, ulCount); + } + + /* crl's */ + if (classFlags & LG_CRL) { + lg_searchCrls(sdb, 
&derSubject, isKrl, classFlags, search, + pTemplate, ulCount); + } + /* Add S/MIME entry stuff */ + if (classFlags & LG_SMIME) { + lg_searchSMime(sdb, &email, search, pTemplate, ulCount); + } + return CKR_OK; +} + +/* lg_FindObjectsInit initializes a search for token and session objects + * that match a template. */ +CK_RV +lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate, + CK_ULONG ulCount, SDBFind **retSearch) +{ + SDBFind *search; + CK_RV crv = CKR_OK; + + *retSearch = NULL; + + search = (SDBFind *)PORT_Alloc(sizeof(SDBFind)); + if (search == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + search->handles = (CK_OBJECT_HANDLE *) + PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * LG_SEARCH_BLOCK_SIZE); + if (search->handles == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + search->index = 0; + search->size = 0; + search->array_size = LG_SEARCH_BLOCK_SIZE; + /* FIXME - do we still need to get Login state? */ + + crv = lg_searchTokenList(sdb, search, pTemplate, ulCount); + if (crv != CKR_OK) { + goto loser; + } + + *retSearch = search; + return CKR_OK; + +loser: + if (search) { + lg_FreeSearch(search); + } + return crv; +} + +/* lg_FindObjects continues a search for token and session objects + * that match a template, obtaining additional object handles. */ +CK_RV +lg_FindObjects(SDB *sdb, SDBFind *search, + CK_OBJECT_HANDLE *phObject, CK_ULONG ulMaxObjectCount, + CK_ULONG *pulObjectCount) +{ + int transfer; + int left; + + *pulObjectCount = 0; + left = search->size - search->index; + transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount; + if (transfer > 0) { + PORT_Memcpy(phObject, &search->handles[search->index], + transfer * sizeof(CK_OBJECT_HANDLE)); + } else { + *phObject = CK_INVALID_HANDLE; + } + + search->index += transfer; + *pulObjectCount = transfer; + return CKR_OK; +} + +/* lg_FindObjectsFinal finishes a search for token and session objects. 
*/
+CK_RV
+lg_FindObjectsFinal(SDB *lgdb, SDBFind *search)
+{
+
+ if (search != NULL) {
+ lg_FreeSearch(search);
+ }
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgfips.c b/security/nss/lib/softoken/legacydb/lgfips.c
new file mode 100644
index 0000000000..d9270b4355
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgfips.c
@@ -0,0 +1,120 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */
+
+#ifndef NSS_FIPS_DISABLED
+
+#include "seccomon.h"
+#include "lgdb.h"
+#include "blapi.h"
+
+/*
+ * different platforms have different ways of calling and initial entry point
+ * when the dll/.so is loaded. Most platforms support either a posix pragma
+ * or the GCC attribute. Some platforms suppor a pre-defined name, and some
+ * platforms have a link line way of invoking this function.
+ */
+
+/* The pragma */
+#if defined(USE_INIT_PRAGMA)
+#pragma init(lg_startup_tests)
+#endif
+
+/* GCC Attribute */
+#if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
+#define INIT_FUNCTION __attribute__((constructor))
+#else
+#define INIT_FUNCTION
+#endif
+
+static void INIT_FUNCTION lg_startup_tests(void);
+
+/* Windows pre-defined entry */
+#if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
+#include 
+
+BOOL WINAPI
+DllMain(
+ HINSTANCE hinstDLL, // handle to DLL module
+ DWORD fdwReason, // reason for calling function
+ LPVOID lpReserved) // reserved
+{
+ // Perform actions based on the reason for calling.
+ switch (fdwReason) {
+ case DLL_PROCESS_ATTACH:
+ // Initialize once for each new process.
+ // Return FALSE to fail DLL load.
+ lg_startup_tests();
+ break;
+
+ case DLL_THREAD_ATTACH:
+ // Do thread-specific initialization.
+ break;
+
+ case DLL_THREAD_DETACH:
+ // Do thread-specific cleanup.
+ break;
+
+ case DLL_PROCESS_DETACH:
+ // Perform any necessary cleanup.
+ break;
+ }
+ return TRUE; // Successful DLL_PROCESS_ATTACH.
+}
+#endif
+
+static PRBool lg_self_tests_ran = PR_FALSE;
+static PRBool lg_self_tests_success = PR_FALSE;
+
+static void
+lg_local_function(void)
+{
+}
+
+/*
+ * This function is called at dll load time, the code tha makes this
+ * happen is platform specific on defined above.
+ */
+static void
+lg_startup_tests(void)
+{
+ const char *libraryName = LG_LIB_NAME;
+
+ PORT_Assert(!lg_self_tests_ran);
+ PORT_Assert(!lg_self_tests_success);
+ lg_self_tests_ran = PR_TRUE;
+ lg_self_tests_success = PR_FALSE; /* just in case */
+
+ /* no self tests required for the legacy db, only the integrity check */
+ /* check the integrity of our shared library */
+ if (!BLAPI_SHVerify(libraryName, (PRFuncPtr)&lg_local_function)) {
+ /* something is wrong with the library, fail without enabling
+ * the fips token */
+ return;
+ }
+ /* FIPS product has been installed and is functioning, allow
+ * the module to operate in fips mode */
+ lg_self_tests_success = PR_TRUE;
+}
+
+PRBool
+lg_FIPSEntryOK()
+{
+#ifdef NSS_NO_INIT_SUPPORT
+ /* this should only be set on platforms that can't handle one of the INIT
+ * schemes. This code allows those platforms to continue to function,
+ * though they don't meet the strict NIST requirements. If NO_INIT_SUPPORT
+ * is not set, and init support has not been properly enabled, softken
+ * will always fail because of the test below */
+ if (!lg_self_tests_ran) {
+ lg_startup_tests();
+ }
+#endif
+ return lg_self_tests_success;
+}
+
+#endif /* NSS_FIPS_DISABLED */
diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c
new file mode 100644
index 0000000000..3cd4d8ea03
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lginit.c
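Review bot: `lg_FIPSEntryOK()` is declared with empty parentheses, which in C11 is an old-style declaration that disables argument checking; write it `lg_FIPSEntryOK(void)` to match the prototype style already used by `lg_startup_tests(void)` in this file. Under `NSS_NO_INIT_SUPPORT` the lazy path reads `lg_self_tests_ran` and then calls `lg_startup_tests()` with no synchronization, so two threads racing through `lg_FIPSEntryOK()` on first use could both enter `lg_startup_tests()` and trip its `PORT_Assert(!lg_self_tests_ran)`; serializing that first call with `PR_CallOnce` would remove the race, or at minimum a comment such as `/* NOTE: first call is not thread-safe; lg_self_tests_ran is a plain static */` should record the contract. The `#include` line ahead of `DllMain` has no header name in this rendering, which looks like an extraction artifact rather than the committed text, but is worth confirming against the source.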
@@ -0,0 +1,661 @@ +/* + * NSS utility functions + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "lowkeyi.h" +#include "pcert.h" +#include "keydbi.h" +#include "lgdb.h" +#include "secoid.h" +#include "prenv.h" +#include "softkver.h" + +/* Library identity and versioning */ + +#if defined(DEBUG) +#define _DEBUG_STRING " (debug)" +#else +#define _DEBUG_STRING "" +#endif + +/* + * Version information + */ +const char __nss_dbm_version[] = "Version: NSS " SOFTOKEN_VERSION _DEBUG_STRING; + +typedef struct LGPrivateStr { + NSSLOWCERTCertDBHandle *certDB; + NSSLOWKEYDBHandle *keyDB; + PRLock *dbLock; + PLHashTable *hashTable; +} LGPrivate; + +static char * +lg_certdb_name_cb(void *arg, int dbVersion) +{ + const char *configdir = (const char *)arg; + const char *dbver; + char *smpname = NULL; + char *dbname = NULL; + + switch (dbVersion) { + case 8: + dbver = "8"; + break; + case 7: + dbver = "7"; + break; + case 6: + dbver = "6"; + break; + case 5: + dbver = "5"; + break; + case 4: + default: + dbver = ""; + break; + } + + /* make sure we return something allocated with PORT_ so we have properly + * matched frees at the end */ + smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver); + if (smpname) { + dbname = PORT_Strdup(smpname); + PR_smprintf_free(smpname); + } + return dbname; +} + +static char * +lg_keydb_name_cb(void *arg, int dbVersion) +{ + const char *configdir = (const char *)arg; + const char *dbver; + char *smpname = NULL; + char *dbname = NULL; + + switch (dbVersion) { + case 4: + dbver = "4"; + break; + case 3: + dbver = "3"; + break; + case 1: + dbver = "1"; + break; + case 2: + default: + dbver = ""; + break; + } + + smpname = PR_smprintf(KEY_DB_FMT, configdir, dbver); + if (smpname) { + dbname = PORT_Strdup(smpname); + PR_smprintf_free(smpname); + } + return dbname; +} + +const char * 
+lg_EvaluateConfigDir(const char *configdir, char **appName) +{ + if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS) - 1) == 0) { + char *cdir; + + *appName = PORT_Strdup(configdir + sizeof(MULTIACCESS) - 1); + if (*appName == NULL) { + return configdir; + } + cdir = *appName; + while (*cdir && *cdir != ':') { + cdir++; + } + if (*cdir == ':') { + *cdir = 0; + cdir++; + } + configdir = cdir; + } + return configdir; +} + +static int rdbmapflags(int flags); +static rdbfunc lg_rdbfunc = NULL; +static rdbstatusfunc lg_rdbstatusfunc = NULL; + +/* NOTE: SHLIB_SUFFIX is defined on the command line */ +#define RDBLIB SHLIB_PREFIX "rdb." SHLIB_SUFFIX + +DB * +rdbopen(const char *appName, const char *prefix, + const char *type, int flags, int *status) +{ + PRLibrary *lib; + DB *db; + char *disableUnload = NULL; + + if (lg_rdbfunc) { + db = (*lg_rdbfunc)(appName, prefix, type, rdbmapflags(flags)); + if (!db && status && lg_rdbstatusfunc) { + *status = (*lg_rdbstatusfunc)(); + } + return db; + } + + /* + * try to open the library. + */ + lib = PR_LoadLibrary(RDBLIB); + + if (!lib) { + return NULL; + } + + /* get the entry points */ + lg_rdbstatusfunc = (rdbstatusfunc)PR_FindSymbol(lib, "rdbstatus"); + lg_rdbfunc = (rdbfunc)PR_FindSymbol(lib, "rdbopen"); + if (lg_rdbfunc) { + db = (*lg_rdbfunc)(appName, prefix, type, rdbmapflags(flags)); + if (!db && status && lg_rdbstatusfunc) { + *status = (*lg_rdbstatusfunc)(); + } + return db; + } + + /* couldn't find the entry point, unload the library and fail */ + disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); + if (!disableUnload) { + PR_UnloadLibrary(lib); + } + return NULL; +} + +/* + * the following data structures are from rdb.h. 
+ */ +struct RDBStr { + DB db; + int (*xactstart)(DB *db); + int (*xactdone)(DB *db, PRBool abort); + int version; + int (*dbinitcomplete)(DB *db); +}; + +#define DB_RDB ((DBTYPE)0xff) +#define RDB_RDONLY 1 +#define RDB_RDWR 2 +#define RDB_CREATE 4 + +static int +rdbmapflags(int flags) +{ + switch (flags) { + case NO_RDONLY: + return RDB_RDONLY; + case NO_RDWR: + return RDB_RDWR; + case NO_CREATE: + return RDB_CREATE; + default: + break; + } + return 0; +} + +PRBool +db_IsRDB(DB *db) +{ + return (PRBool)db->type == DB_RDB; +} + +int +db_BeginTransaction(DB *db) +{ + struct RDBStr *rdb = (struct RDBStr *)db; + if (db->type != DB_RDB) { + return 0; + } + + return rdb->xactstart(db); +} + +int +db_FinishTransaction(DB *db, PRBool abort) +{ + struct RDBStr *rdb = (struct RDBStr *)db; + if (db->type != DB_RDB) { + return 0; + } + + return rdb->xactdone(db, abort); +} + +static DB * +lg_getRawDB(SDB *sdb) +{ + NSSLOWCERTCertDBHandle *certDB; + NSSLOWKEYDBHandle *keyDB; + + certDB = lg_getCertDB(sdb); + if (certDB) { + return certDB->permCertDB; + } + keyDB = lg_getKeyDB(sdb); + if (keyDB) { + return keyDB->db; + } + return NULL; +} + +CK_RV +lg_Begin(SDB *sdb) +{ + DB *db = lg_getRawDB(sdb); + int ret; + + if (db == NULL) { + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + ret = db_BeginTransaction(db); + if (ret != 0) { + return CKR_GENERAL_ERROR; /* could happen */ + } + return CKR_OK; +} + +CK_RV +lg_Commit(SDB *sdb) +{ + DB *db = lg_getRawDB(sdb); + int ret; + + if (db == NULL) { + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + ret = db_FinishTransaction(db, PR_FALSE); + if (ret != 0) { + return CKR_GENERAL_ERROR; /* could happen */ + } + return CKR_OK; +} + +CK_RV +lg_Abort(SDB *sdb) +{ + DB *db = lg_getRawDB(sdb); + int ret; + + if (db == NULL) { + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + ret = db_FinishTransaction(db, PR_TRUE); + if (ret != 0) { + return CKR_GENERAL_ERROR; /* could happen */ + } + return CKR_OK; +} + +int 
+db_InitComplete(DB *db) +{ + struct RDBStr *rdb = (struct RDBStr *)db; + if (db->type != DB_RDB) { + return 0; + } + /* we should have added a version number to the RDBS structure. Since we + * didn't, we detect that we have and 'extended' structure if the rdbstatus + * func exists */ + if (!lg_rdbstatusfunc) { + return 0; + } + + return rdb->dbinitcomplete(db); +} + +SECStatus +db_Copy(DB *dest, DB *src) +{ + int ret; + DBT key, data; + ret = (*src->seq)(src, &key, &data, R_FIRST); + if (ret) { + return SECSuccess; + } + + do { + (void)(*dest->put)(dest, &key, &data, R_NOOVERWRITE); + } while ((*src->seq)(src, &key, &data, R_NEXT) == 0); + (void)(*dest->sync)(dest, 0); + + return SECSuccess; +} + +static CK_RV +lg_OpenCertDB(const char *configdir, const char *prefix, PRBool readOnly, + NSSLOWCERTCertDBHandle **certdbPtr) +{ + NSSLOWCERTCertDBHandle *certdb = NULL; + CK_RV crv = CKR_NSS_CERTDB_FAILED; + SECStatus rv; + char *name = NULL; + char *appName = NULL; + + if (prefix == NULL) { + prefix = ""; + } + + configdir = lg_EvaluateConfigDir(configdir, &appName); + + name = PR_smprintf("%s" PATH_SEPARATOR "%s", configdir, prefix); + if (name == NULL) + goto loser; + + certdb = (NSSLOWCERTCertDBHandle *)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle)); + if (certdb == NULL) + goto loser; + + certdb->ref = 1; + /* fix when we get the DB in */ + rv = nsslowcert_OpenCertDB(certdb, readOnly, appName, prefix, + lg_certdb_name_cb, (void *)name, PR_FALSE); + if (rv == SECSuccess) { + crv = CKR_OK; + *certdbPtr = certdb; + certdb = NULL; + } +loser: + if (certdb) + PR_Free(certdb); + if (name) + PR_smprintf_free(name); + if (appName) + PORT_Free(appName); + return crv; +} + +static CK_RV +lg_OpenKeyDB(const char *configdir, const char *prefix, PRBool readOnly, + NSSLOWKEYDBHandle **keydbPtr) +{ + NSSLOWKEYDBHandle *keydb; + char *name = NULL; + char *appName = NULL; + + if (prefix == NULL) { + prefix = ""; + } + configdir = lg_EvaluateConfigDir(configdir, &appName); + + name = 
PR_smprintf("%s" PATH_SEPARATOR "%s", configdir, prefix); + if (name == NULL) + return CKR_HOST_MEMORY; + keydb = nsslowkey_OpenKeyDB(readOnly, appName, prefix, + lg_keydb_name_cb, (void *)name); + PR_smprintf_free(name); + if (appName) + PORT_Free(appName); + if (keydb == NULL) + return CKR_NSS_KEYDB_FAILED; + *keydbPtr = keydb; + + return CKR_OK; +} + +/* + * Accessors for the private parts of the sdb structure. + */ +void +lg_DBLock(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + SKIP_AFTER_FORK(PR_Lock(lgdb_p->dbLock)); +} + +void +lg_DBUnlock(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + SKIP_AFTER_FORK(PR_Unlock(lgdb_p->dbLock)); +} + +PLHashTable * +lg_GetHashTable(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + return lgdb_p->hashTable; +} + +NSSLOWCERTCertDBHandle * +lg_getCertDB(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + + return lgdb_p->certDB; +} + +NSSLOWKEYDBHandle * +lg_getKeyDB(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + + return lgdb_p->keyDB; +} + +PRBool lg_parentForkedAfterC_Initialize; + +void +lg_SetForkState(PRBool forked) +{ + lg_parentForkedAfterC_Initialize = forked; +} + +CK_RV +lg_Close(SDB *sdb) +{ + LGPrivate *lgdb_p = (LGPrivate *)sdb->private; + lg_ClearTokenKeyHashTable(sdb); + if (lgdb_p) { + if (lgdb_p->certDB) { + nsslowcert_ClosePermCertDB(lgdb_p->certDB); + } else if (lgdb_p->keyDB) { + nsslowkey_CloseKeyDB(lgdb_p->keyDB); + } + if (lgdb_p->dbLock) { + SKIP_AFTER_FORK(PR_DestroyLock(lgdb_p->dbLock)); + } + if (lgdb_p->hashTable) { + PL_HashTableDestroy(lgdb_p->hashTable); + } + PORT_Free(lgdb_p); + } + PORT_Free(sdb); + return CKR_OK; +} + +static PLHashNumber +lg_HashNumber(const void *key) +{ + return (PLHashNumber)((char *)key - (char *)NULL); +} + +/* + * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle + * with and sdb structure. 
+ */ +CK_RV +lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr, + NSSLOWKEYDBHandle *keydbPtr) +{ + SDB *sdb = NULL; + LGPrivate *lgdb_p = NULL; + CK_RV error = CKR_HOST_MEMORY; + + *pSdb = NULL; + sdb = (SDB *)PORT_Alloc(sizeof(SDB)); + if (sdb == NULL) { + goto loser; + } + lgdb_p = (LGPrivate *)PORT_Alloc(sizeof(LGPrivate)); + if (lgdb_p == NULL) { + goto loser; + } + /* invariant fields */ + lgdb_p->certDB = certdbPtr; + lgdb_p->keyDB = keydbPtr; + lgdb_p->dbLock = PR_NewLock(); + if (lgdb_p->dbLock == NULL) { + goto loser; + } + lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues, + SECITEM_HashCompare, NULL, 0); + if (lgdb_p->hashTable == NULL) { + PR_DestroyLock(lgdb_p->dbLock); + goto loser; + } + + sdb->private = lgdb_p; + sdb->version = 1; + sdb->sdb_flags = flags; + sdb->app_private = NULL; + sdb->sdb_FindObjectsInit = lg_FindObjectsInit; + sdb->sdb_FindObjects = lg_FindObjects; + sdb->sdb_FindObjectsFinal = lg_FindObjectsFinal; + sdb->sdb_GetAttributeValue = lg_GetAttributeValue; + sdb->sdb_SetAttributeValue = lg_SetAttributeValue; + sdb->sdb_CreateObject = lg_CreateObject; + sdb->sdb_DestroyObject = lg_DestroyObject; + sdb->sdb_GetMetaData = lg_GetMetaData; + sdb->sdb_PutMetaData = lg_PutMetaData; + sdb->sdb_DestroyMetaData = lg_DestroyMetaData; + sdb->sdb_Begin = lg_Begin; + sdb->sdb_Commit = lg_Commit; + sdb->sdb_Abort = lg_Abort; + sdb->sdb_Reset = lg_Reset; + sdb->sdb_Close = lg_Close; + sdb->sdb_SetForkState = lg_SetForkState; + sdb->sdb_GetNewObjectID = lg_GetNewObjectID; + + *pSdb = sdb; + return CKR_OK; + +loser: + if (sdb) { + PORT_Free(sdb); + } + if (lgdb_p) { + PORT_Free(lgdb_p); + } + return error; +} + +/* + * OK there are now lots of options here, lets go through them all: + * + * configdir - base directory where all the cert, key, and module datbases live. 
+ * certPrefix - prefix added to the beginning of the cert database example: " + * "https-server1-" + * keyPrefix - prefix added to the beginning of the key database example: " + * "https-server1-" + * secmodName - name of the security module database (usually "secmod.db"). + * readOnly - Boolean: true if the databases are to be openned read only. + * nocertdb - Don't open the cert DB and key DB's, just initialize the + * Volatile certdb. + * nomoddb - Don't open the security module DB, just initialize the + * PKCS #11 module. + * forceOpen - Continue to force initializations even if the databases cannot + * be opened. + */ +CK_RV +legacy_Open(const char *configdir, const char *certPrefix, + const char *keyPrefix, int certVersion, int keyVersion, + int flags, SDB **certDB, SDB **keyDB) +{ + CK_RV crv = CKR_OK; + SECStatus rv; + PRBool readOnly = ((flags & 0x7) == SDB_RDONLY) ? PR_TRUE : PR_FALSE; + +#define NSS_VERSION_VARIABLE __nss_dbm_version +#include "verref.h" + +#ifndef NSS_FIPS_DISABLED + if (flags & SDB_FIPS) { + /* We shouldn't get here when FIPS is not enabled on the database. But + * we also don't care when this NSS build doesn't support FIPS. 
*/ + if (!lg_FIPSEntryOK()) { + return CKR_DEVICE_ERROR; + } + } +#endif + + rv = SECOID_Init(); + if (SECSuccess != rv) { + return CKR_DEVICE_ERROR; + } + nsslowcert_InitLocks(); + + if (keyDB) + *keyDB = NULL; + if (certDB) + *certDB = NULL; + + if (certDB) { + NSSLOWCERTCertDBHandle *certdbPtr = NULL; + + crv = lg_OpenCertDB(configdir, certPrefix, readOnly, &certdbPtr); + if (crv != CKR_OK) { + goto loser; + } + crv = lg_init(certDB, flags, certdbPtr, NULL); + if (crv != CKR_OK) { + nsslowcert_ClosePermCertDB(certdbPtr); + goto loser; + } + } + if (keyDB) { + NSSLOWKEYDBHandle *keydbPtr; + + crv = lg_OpenKeyDB(configdir, keyPrefix, readOnly, &keydbPtr); + if (crv != CKR_OK) { + goto loser; + } + crv = lg_init(keyDB, flags, NULL, keydbPtr); + if (crv != CKR_OK) { + nsslowkey_CloseKeyDB(keydbPtr); + goto loser; + } + if (certDB && *certDB) { + LGPrivate *lgdb_p = (LGPrivate *)(*certDB)->private; + lgdb_p->keyDB = keydbPtr; + } + } + +loser: + if (crv != CKR_OK) { + if (keyDB && *keyDB) { + lg_Close(*keyDB); + *keyDB = NULL; + } + if (certDB && *certDB) { + lg_Close(*certDB); + *certDB = NULL; + } + } + return crv; +} + +CK_RV +legacy_Shutdown(PRBool forked) +{ + lg_SetForkState(forked); + nsslowcert_DestroyFreeLists(); + nsslowcert_DestroyGlobalLocks(); + SECOID_Shutdown(); + lg_SetForkState(PR_FALSE); + return CKR_OK; +} diff --git a/security/nss/lib/softoken/legacydb/lgutil.c b/security/nss/lib/softoken/legacydb/lgutil.c new file mode 100644 index 0000000000..d872bf4b39 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lgutil.c 
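Review bot: `lg_HashNumber` derives the hash from `(char *)key - (char *)NULL`, a pointer subtraction between unrelated objects that is undefined behaviour in C even though compilers lower it to a plain cast; `return (PLHashNumber)(PRUword)key;` expresses the intent without the UB. Similarly, `db_IsRDB` returns `(PRBool)db->type == DB_RDB`, where the cast binds to `db->type` rather than to the comparison and only reads correctly because `PRBool` is an int typedef; `return (PRBool)(db->type == DB_RDB);` makes that explicit. `db_Copy` discards the return value of every `dest->put` and still reports `SECSuccess`, so a partially failed copy is indistinguishable from a complete one to callers; if that is deliberate, a comment on the `(void)` cast stating that the copy is best-effort would help the next reader.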
@@ -0,0 +1,399 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "lgdb.h" +#include "secerr.h" +#include "lgglue.h" + +/* + * ******************** Attribute Utilities ******************************* + */ + +/* + * look up and attribute structure from a type and Object structure. + * The returned attribute is referenced and needs to be freed when + * it is no longer needed. + */ +const CK_ATTRIBUTE * +lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, + CK_ULONG count) +{ + unsigned int i; + + for (i = 0; i < count; i++) { + if (templ[i].type == type) { + return &templ[i]; + } + } + return NULL; +} + +/* + * return true if object has attribute + */ +PRBool +lg_hasAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, + CK_ULONG count) +{ + if (lg_FindAttribute(type, templ, count) == NULL) { + return PR_FALSE; + } + return PR_TRUE; +} + +/* + * copy an attribute into a SECItem. Secitem is allocated in the specified + * arena. + */ +CK_RV +lg_Attribute2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type, + const CK_ATTRIBUTE *templ, CK_ULONG count, + SECItem *item) +{ + int len; + const CK_ATTRIBUTE *attribute; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + len = attribute->ulValueLen; + + if (arena) { + item->data = (unsigned char *)PORT_ArenaAlloc(arena, len); + } else { + item->data = (unsigned char *)PORT_Alloc(len); + } + if (item->data == NULL) { + return CKR_HOST_MEMORY; + } + item->len = len; + if (item->len) { + PORT_Memcpy(item->data, attribute->pValue, len); + } + return CKR_OK; +} + +/* + * copy an unsigned attribute into a SECItem. Secitem is allocated in + * the specified arena. 
+ */ +CK_RV +lg_Attribute2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type, + const CK_ATTRIBUTE *templ, CK_ULONG count, + SECItem *item) +{ + const CK_ATTRIBUTE *attribute; + item->data = NULL; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + + (void)SECITEM_AllocItem(arena, item, attribute->ulValueLen); + if (item->data == NULL) { + return CKR_HOST_MEMORY; + } + PORT_Memcpy(item->data, attribute->pValue, item->len); + return CKR_OK; +} + +/* + * copy an unsigned attribute into a SECItem. Secitem is allocated in + * the specified arena. + */ +CK_RV +lg_PrivAttr2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type, + const CK_ATTRIBUTE *templ, CK_ULONG count, + SECItem *item, SDB *sdbpw) +{ + const CK_ATTRIBUTE *attribute; + SECItem epki, *dest = NULL; + SECStatus rv; + + item->data = NULL; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + + epki.data = attribute->pValue; + epki.len = attribute->ulValueLen; + + rv = lg_util_decrypt(sdbpw, &epki, &dest); + if (rv != SECSuccess) { + return CKR_USER_NOT_LOGGED_IN; + } + (void)SECITEM_AllocItem(arena, item, dest->len); + if (item->data == NULL) { + SECITEM_FreeItem(dest, PR_TRUE); + return CKR_HOST_MEMORY; + } + + PORT_Memcpy(item->data, dest->data, item->len); + SECITEM_FreeItem(dest, PR_TRUE); + return CKR_OK; +} + +CK_RV +lg_PrivAttr2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type, + const CK_ATTRIBUTE *templ, CK_ULONG count, + SECItem *item, SDB *sdbpw) +{ + return lg_PrivAttr2SSecItem(arena, type, templ, count, item, sdbpw); +} + +/* + * this is only valid for CK_BBOOL type attributes. Return the state + * of that attribute. 
+ */ +PRBool +lg_isTrue(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + const CK_ATTRIBUTE *attribute; + PRBool tok = PR_FALSE; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) { + return PR_FALSE; + } + tok = (PRBool)(*(CK_BBOOL *)attribute->pValue); + + return tok; +} + +/* + * return a null terminated string from attribute 'type'. This string + * is allocated and needs to be freed with PORT_Free() When complete. + */ +char * +lg_getString(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count) +{ + const CK_ATTRIBUTE *attribute; + char *label = NULL; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) + return NULL; + + if (attribute->pValue != NULL) { + label = (char *)PORT_Alloc(attribute->ulValueLen + 1); + if (label == NULL) { + return NULL; + } + + PORT_Memcpy(label, attribute->pValue, attribute->ulValueLen); + label[attribute->ulValueLen] = 0; + } + return label; +} + +CK_RV +lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, + CK_ULONG count, CK_ULONG *longData) +{ + const CK_ATTRIBUTE *attribute; + CK_ULONG value = 0; + const unsigned char *data; + int i; + + attribute = lg_FindAttribute(type, templ, count); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + + if (attribute->ulValueLen != 4) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + data = (const unsigned char *)attribute->pValue; + for (i = 0; i < 4; i++) { + value |= (CK_ULONG)(data[i]) << ((3 - i) * 8); + } + + *longData = value; + return CKR_OK; +} + +/* + * ******************** Object Utilities ******************************* + */ + +SECStatus +lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle) +{ + SECItem *item; + PRBool rem; + PLHashTable *hashTable = lg_GetHashTable(sdb); + + item = (SECItem *)PL_HashTableLookup(hashTable, (void *)handle); + rem = PL_HashTableRemove(hashTable, (void *)handle); + if (rem && item) { + SECITEM_FreeItem(item, PR_TRUE); + } + return 
rem ? SECSuccess : SECFailure; +} + +/* must be called holding lg_DBLock(sdb) */ +static SECStatus +lg_addTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle, SECItem *key) +{ + PLHashEntry *entry; + SECItem *item; + PLHashTable *hashTable = lg_GetHashTable(sdb); + + item = SECITEM_DupItem(key); + if (item == NULL) { + return SECFailure; + } + entry = PL_HashTableAdd(hashTable, (void *)handle, item); + if (entry == NULL) { + SECITEM_FreeItem(item, PR_TRUE); + return SECFailure; + } + return SECSuccess; +} + +/* must be called holding lg_DBLock(sdb) */ +const SECItem * +lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle) +{ + PLHashTable *hashTable = lg_GetHashTable(sdb); + return (const SECItem *)PL_HashTableLookup(hashTable, (void *)handle); +} + +static PRIntn +lg_freeHashItem(PLHashEntry *entry, PRIntn index, void *arg) +{ + SECItem *item = (SECItem *)entry->value; + + SECITEM_FreeItem(item, PR_TRUE); + return HT_ENUMERATE_NEXT; +} + +CK_RV +lg_ClearTokenKeyHashTable(SDB *sdb) +{ + PLHashTable *hashTable; + lg_DBLock(sdb); + hashTable = lg_GetHashTable(sdb); + PL_HashTableEnumerateEntries(hashTable, lg_freeHashItem, NULL); + lg_DBUnlock(sdb); + return CKR_OK; +} + +/* + * handle Token Object stuff + */ +static void +lg_XORHash(unsigned char *key, unsigned char *dbkey, int len) +{ + int i; + + PORT_Memset(key, 0, 4); + + for (i = 0; i < len - 4; i += 4) { + key[0] ^= dbkey[i]; + key[1] ^= dbkey[i + 1]; + key[2] ^= dbkey[i + 2]; + key[3] ^= dbkey[i + 3]; + } +} + +/* Make a token handle for an object and record it so we can find it again */ +CK_OBJECT_HANDLE +lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class) +{ + unsigned char hashBuf[4]; + CK_OBJECT_HANDLE handle; + const SECItem *key; + + handle = class; + /* there is only one KRL, use a fixed handle for it */ + if (handle != LG_TOKEN_KRL_HANDLE) { + lg_XORHash(hashBuf, dbKey->data, dbKey->len); + handle = ((CK_OBJECT_HANDLE)hashBuf[0] << 24) | + ((CK_OBJECT_HANDLE)hashBuf[1] << 16) | + 
((CK_OBJECT_HANDLE)hashBuf[2] << 8) | + (CK_OBJECT_HANDLE)hashBuf[3]; + handle = class | (handle & ~(LG_TOKEN_TYPE_MASK | LG_TOKEN_MASK)); + /* we have a CRL who's handle has randomly matched the reserved KRL + * handle, increment it */ + if (handle == LG_TOKEN_KRL_HANDLE) { + handle++; + } + } + + lg_DBLock(sdb); + while ((key = lg_lookupTokenKeyByHandle(sdb, handle)) != NULL) { + if (SECITEM_ItemsAreEqual(key, dbKey)) { + lg_DBUnlock(sdb); + return handle; + } + handle++; + } + lg_addTokenKeyByHandle(sdb, handle, dbKey); + lg_DBUnlock(sdb); + return handle; +} + +PRBool +lg_poisonHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class) +{ + unsigned char hashBuf[4]; + CK_OBJECT_HANDLE handle; + const SECItem *key; + + handle = class; + /* there is only one KRL, use a fixed handle for it */ + if (handle != LG_TOKEN_KRL_HANDLE) { + lg_XORHash(hashBuf, dbKey->data, dbKey->len); + handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | + (hashBuf[2] << 8) | hashBuf[3]; + handle = class | (handle & ~(LG_TOKEN_TYPE_MASK | LG_TOKEN_MASK)); + /* we have a CRL who's handle has randomly matched the reserved KRL + * handle, increment it */ + if (handle == LG_TOKEN_KRL_HANDLE) { + handle++; + } + } + lg_DBLock(sdb); + while ((key = lg_lookupTokenKeyByHandle(sdb, handle)) != NULL) { + if (SECITEM_ItemsAreEqual(key, dbKey)) { + key->data[0] ^= 0x80; + lg_DBUnlock(sdb); + return PR_TRUE; + } + handle++; + } + lg_DBUnlock(sdb); + return PR_FALSE; +} + +static LGEncryptFunc lg_encrypt_stub = NULL; +static LGDecryptFunc lg_decrypt_stub = NULL; + +void +legacy_SetCryptFunctions(LGEncryptFunc enc, LGDecryptFunc dec) +{ + lg_encrypt_stub = enc; + lg_decrypt_stub = dec; +} + +SECStatus +lg_util_encrypt(PLArenaPool *arena, SDB *sdb, + SECItem *plainText, SECItem **cipherText) +{ + if (lg_encrypt_stub == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + return (*lg_encrypt_stub)(arena, sdb, plainText, cipherText); +} + +SECStatus +lg_util_decrypt(SDB *sdb, 
SECItem *cipherText, SECItem **plainText)
+{
+ if (lg_decrypt_stub == NULL) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*lg_decrypt_stub)(sdb, cipherText, plainText);
+}
diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c
new file mode 100644
index 0000000000..5a349f0aad
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
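Review bot: In lg_poisonHandle the handle is assembled as `handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) | (hashBuf[2] << 8) | hashBuf[3];`, where the `unsigned char` operands promote to `int`, so a hashBuf[0] of 0x80 or more shifts into the sign bit (undefined behaviour in C) and, with a 64-bit CK_OBJECT_HANDLE, sign-extends into the upper half before the mask is applied; lg_mkHandle a few lines earlier casts each byte to CK_OBJECT_HANDLE first, so the two functions can compute different starting handles for the same dbKey and the poison lookup would then miss the entry. Use the same cast in lg_poisonHandle, `handle = ((CK_OBJECT_HANDLE)hashBuf[0] << 24) | ((CK_OBJECT_HANDLE)hashBuf[1] << 16) | ((CK_OBJECT_HANDLE)hashBuf[2] << 8) | (CK_OBJECT_HANDLE)hashBuf[3];`, or better, move the hash-to-handle computation both functions duplicate into one static helper. Whether the `~(LG_TOKEN_TYPE_MASK | LG_TOKEN_MASK)` mask happens to discard the sign-extended bits depends on the mask definitions, which are not visible here. Separately, lg_isTrue reads `*(CK_BBOOL *)attribute->pValue` without checking that pValue is non-NULL or that `ulValueLen` is at least `sizeof(CK_BBOOL)`; if templates can reach this layer without prior validation, `if (attribute == NULL || attribute->pValue == NULL || attribute->ulValueLen < sizeof(CK_BBOOL)) { return PR_FALSE; }` is the safe guard.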
@@ -0,0 +1,854 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Certificate handling code + */ + +#include "seccomon.h" +#include "secder.h" +#include "nssilock.h" +#include "lowkeyi.h" +#include "secasn1.h" +#include "secoid.h" +#include "secerr.h" +#include "pcert.h" + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(NSSLOWCERTSubjectPublicKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_BIT_STRING, + offsetof(NSSLOWCERTSubjectPublicKeyInfo, subjectPublicKey) }, + { 0 } +}; + +static const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.modulus) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.publicExponent) }, + { 0 } +}; +static const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = { + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.dsa.publicValue) }, + { 0 } +}; +static const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = { + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.dh.publicValue) }, + { 0 } +}; + +/* + * See bugzilla bug 125359 + * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints, + * all of the templates above that en/decode into integers must be converted + * from ASN.1's signed integer type. This is done by marking either the + * source or destination (encoding or decoding, respectively) type as + * siUnsignedInteger. 
+ */ + +static void +prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk) +{ + pubk->u.rsa.modulus.type = siUnsignedInteger; + pubk->u.rsa.publicExponent.type = siUnsignedInteger; +} + +static void +prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk) +{ + pubk->u.dsa.publicValue.type = siUnsignedInteger; + pubk->u.dsa.params.prime.type = siUnsignedInteger; + pubk->u.dsa.params.subPrime.type = siUnsignedInteger; + pubk->u.dsa.params.base.type = siUnsignedInteger; +} + +static void +prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk) +{ + pubk->u.dh.prime.type = siUnsignedInteger; + pubk->u.dh.base.type = siUnsignedInteger; + pubk->u.dh.publicValue.type = siUnsignedInteger; +} + +/* + * simple cert decoder to avoid the cost of asn1 engine + */ +static unsigned char * +nsslowcert_dataStart(unsigned char *buf, unsigned int length, + unsigned int *data_length, PRBool includeTag, + unsigned char *rettag) +{ + unsigned char tag; + unsigned int used_length = 0; + + /* need at least a tag and a 1 byte length */ + if (length < 2) { + return NULL; + } + + tag = buf[used_length++]; + + if (rettag) { + *rettag = tag; + } + + /* blow out when we come to the end */ + if (tag == 0) { + return NULL; + } + + *data_length = buf[used_length++]; + + if (*data_length & 0x80) { + int len_count = *data_length & 0x7f; + + if (len_count + used_length > length) { + return NULL; + } + + *data_length = 0; + + while (len_count-- > 0) { + *data_length = (*data_length << 8) | buf[used_length++]; + } + } + + if (*data_length > (length - used_length)) { + *data_length = length - used_length; + return NULL; + } + if (includeTag) + *data_length += used_length; + + return (buf + (includeTag ? 
0 : used_length)); +} + +static void +SetTimeType(SECItem *item, unsigned char tagtype) +{ + switch (tagtype) { + case SEC_ASN1_UTC_TIME: + item->type = siUTCTime; + break; + + case SEC_ASN1_GENERALIZED_TIME: + item->type = siGeneralizedTime; + break; + + default: + PORT_Assert(0); + break; + } +} + +static int +nsslowcert_GetValidityFields(unsigned char *buf, int buf_length, + SECItem *notBefore, SECItem *notAfter) +{ + unsigned char tagtype; + notBefore->data = nsslowcert_dataStart(buf, buf_length, + ¬Before->len, PR_FALSE, &tagtype); + if (notBefore->data == NULL) + return SECFailure; + SetTimeType(notBefore, tagtype); + buf_length -= (notBefore->data - buf) + notBefore->len; + buf = notBefore->data + notBefore->len; + notAfter->data = nsslowcert_dataStart(buf, buf_length, + ¬After->len, PR_FALSE, &tagtype); + if (notAfter->data == NULL) + return SECFailure; + SetTimeType(notAfter, tagtype); + return SECSuccess; +} + +static int +nsslowcert_GetCertFields(unsigned char *cert, int cert_length, + SECItem *issuer, SECItem *serial, SECItem *derSN, SECItem *subject, + SECItem *valid, SECItem *subjkey, SECItem *extensions) +{ + unsigned char *buf; + unsigned int buf_length; + unsigned char *dummy; + unsigned int dummylen; + + /* get past the signature wrap */ + buf = nsslowcert_dataStart(cert, cert_length, &buf_length, PR_FALSE, NULL); + if (buf == NULL) + return SECFailure; + /* get into the raw cert data */ + buf = nsslowcert_dataStart(buf, buf_length, &buf_length, PR_FALSE, NULL); + if (buf == NULL) + return SECFailure; + /* skip past any optional version number */ + if ((buf[0] & 0xa0) == 0xa0) { + dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL); + if (dummy == NULL) + return SECFailure; + buf_length -= (dummy - buf) + dummylen; + buf = dummy + dummylen; + } + /* serial number */ + if (derSN) { + derSN->data = nsslowcert_dataStart(buf, buf_length, &derSN->len, PR_TRUE, NULL); + /* derSN->data doesn't need to be checked because if it fails 
so will + * serial->data below. The only difference between the two calls is + * whether or not the tags are included in the returned buffer */ + } + serial->data = nsslowcert_dataStart(buf, buf_length, &serial->len, PR_FALSE, NULL); + if (serial->data == NULL) + return SECFailure; + buf_length -= (serial->data - buf) + serial->len; + buf = serial->data + serial->len; + /* skip the OID */ + dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL); + if (dummy == NULL) + return SECFailure; + buf_length -= (dummy - buf) + dummylen; + buf = dummy + dummylen; + /* issuer */ + issuer->data = nsslowcert_dataStart(buf, buf_length, &issuer->len, PR_TRUE, NULL); + if (issuer->data == NULL) + return SECFailure; + buf_length -= (issuer->data - buf) + issuer->len; + buf = issuer->data + issuer->len; + + /* only wanted issuer/SN */ + if (valid == NULL) { + return SECSuccess; + } + /* validity */ + valid->data = nsslowcert_dataStart(buf, buf_length, &valid->len, PR_FALSE, NULL); + if (valid->data == NULL) + return SECFailure; + buf_length -= (valid->data - buf) + valid->len; + buf = valid->data + valid->len; + /*subject */ + subject->data = nsslowcert_dataStart(buf, buf_length, &subject->len, PR_TRUE, NULL); + if (subject->data == NULL) + return SECFailure; + buf_length -= (subject->data - buf) + subject->len; + buf = subject->data + subject->len; + /* subject key info */ + subjkey->data = nsslowcert_dataStart(buf, buf_length, &subjkey->len, PR_TRUE, NULL); + if (subjkey->data == NULL) + return SECFailure; + buf_length -= (subjkey->data - buf) + subjkey->len; + buf = subjkey->data + subjkey->len; + + extensions->data = NULL; + extensions->len = 0; + while (buf_length > 0) { + /* EXTENSIONS */ + if (buf[0] == 0xa3) { + extensions->data = nsslowcert_dataStart(buf, buf_length, + &extensions->len, PR_FALSE, NULL); + /* if the DER is bad, we should fail. 
Previously we accepted + * bad DER here and treated the extension as missin */ + if (extensions->data == NULL || + (extensions->data - buf) + extensions->len != buf_length) + return SECFailure; + buf = extensions->data; + buf_length = extensions->len; + /* now parse the SEQUENCE holding the extensions. */ + dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL); + if (dummy == NULL || + (dummy - buf) + dummylen != buf_length) + return SECFailure; + buf_length -= (dummy - buf); + buf = dummy; + /* Now parse the extensions inside this sequence */ + } + dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL); + if (dummy == NULL) + return SECFailure; + buf_length -= (dummy - buf) + dummylen; + buf = dummy + dummylen; + } + return SECSuccess; +} + +static SECStatus +nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter) +{ + int rv; + NSSLOWCERTValidity validity; + + rv = nsslowcert_GetValidityFields(c->validity.data, c->validity.len, + &validity.notBefore, &validity.notAfter); + if (rv != SECSuccess) { + return rv; + } + + /* convert DER not-before time */ + rv = DER_DecodeTimeChoice(notBefore, &validity.notBefore); + if (rv) { + return (SECFailure); + } + + /* convert DER not-after time */ + rv = DER_DecodeTimeChoice(notAfter, &validity.notAfter); + if (rv) { + return (SECFailure); + } + + return (SECSuccess); +} + +/* + * is certa newer than certb? If one is expired, pick the other one. 
+ */ +PRBool +nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb) +{ + PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now; + SECStatus rv; + PRBool newerbefore, newerafter; + + rv = nsslowcert_GetCertTimes(certa, ¬BeforeA, ¬AfterA); + if (rv != SECSuccess) { + return (PR_FALSE); + } + + rv = nsslowcert_GetCertTimes(certb, ¬BeforeB, ¬AfterB); + if (rv != SECSuccess) { + return (PR_TRUE); + } + + newerbefore = PR_FALSE; + if (LL_CMP(notBeforeA, >, notBeforeB)) { + newerbefore = PR_TRUE; + } + + newerafter = PR_FALSE; + if (LL_CMP(notAfterA, >, notAfterB)) { + newerafter = PR_TRUE; + } + + if (newerbefore && newerafter) { + return (PR_TRUE); + } + + if ((!newerbefore) && (!newerafter)) { + return (PR_FALSE); + } + + /* get current time */ + now = PR_Now(); + + if (newerbefore) { + /* cert A was issued after cert B, but expires sooner */ + /* if A is expired, then pick B */ + if (LL_CMP(notAfterA, <, now)) { + return (PR_FALSE); + } + return (PR_TRUE); + } else { + /* cert B was issued after cert A, but expires sooner */ + /* if B is expired, then pick A */ + if (LL_CMP(notAfterB, <, now)) { + return (PR_TRUE); + } + return (PR_FALSE); + } +} + +#define SOFT_DEFAULT_CHUNKSIZE 2048 + +static SECStatus +nsslowcert_KeyFromIssuerAndSN(PLArenaPool *arena, + SECItem *issuer, SECItem *sn, SECItem *key) +{ + unsigned int len = sn->len + issuer->len; + + if (!arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; + } + if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + goto loser; + } + key->data = (unsigned char *)PORT_ArenaAlloc(arena, len); + if (!key->data) { + goto loser; + } + + key->len = len; + /* copy the serialNumber */ + PORT_Memcpy(key->data, sn->data, sn->len); + + /* copy the issuer */ + PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); + + return (SECSuccess); + +loser: + return (SECFailure); +} + +static SECStatus +nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space, + int 
spaceLen, SECItem *issuer, SECItem *sn, SECItem *key) +{ + unsigned int len = sn->len + issuer->len; + + key->data = pkcs11_allocStaticData(len, space, spaceLen); + if (!key->data) { + goto loser; + } + + key->len = len; + /* copy the serialNumber */ + PORT_Memcpy(key->data, sn->data, sn->len); + + /* copy the issuer */ + PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len); + + return (SECSuccess); + +loser: + return (SECFailure); +} + +static char * +nsslowcert_EmailName(SECItem *derDN, char *space, unsigned int len) +{ + unsigned char *buf; + unsigned int buf_length; + + /* unwrap outer sequence */ + buf = nsslowcert_dataStart(derDN->data, derDN->len, &buf_length, PR_FALSE, NULL); + if (buf == NULL) + return NULL; + + /* Walk each RDN */ + while (buf_length > 0) { + unsigned char *rdn; + unsigned int rdn_length; + + /* grab next rdn */ + rdn = nsslowcert_dataStart(buf, buf_length, &rdn_length, PR_FALSE, NULL); + if (rdn == NULL) { + return NULL; + } + buf_length -= (rdn - buf) + rdn_length; + buf = rdn + rdn_length; + + while (rdn_length > 0) { + unsigned char *ava; + unsigned int ava_length; + unsigned char *oid; + unsigned int oid_length; + unsigned char *name; + unsigned int name_length; + SECItem oidItem; + SECOidTag type; + + /* unwrap the ava */ + ava = nsslowcert_dataStart(rdn, rdn_length, &ava_length, PR_FALSE, + NULL); + if (ava == NULL) + return NULL; + rdn_length -= (ava - rdn) + ava_length; + rdn = ava + ava_length; + + oid = nsslowcert_dataStart(ava, ava_length, &oid_length, PR_FALSE, + NULL); + if (oid == NULL) { + return NULL; + } + ava_length -= (oid - ava) + oid_length; + ava = oid + oid_length; + + name = nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE, + NULL); + if (name == NULL) { + return NULL; + } + ava_length -= (name - ava) + name_length; + ava = name + name_length; + + oidItem.data = oid; + oidItem.len = oid_length; + type = SECOID_FindOIDTag(&oidItem); + if ((type == SEC_OID_PKCS9_EMAIL_ADDRESS) || + (type == 
SEC_OID_RFC1274_MAIL)) { + /* Email is supposed to be IA5String, so no + * translation necessary */ + char *emailAddr; + emailAddr = (char *)pkcs11_copyStaticData(name, name_length + 1, + (unsigned char *)space, len); + if (emailAddr) { + emailAddr[name_length] = 0; + } + return emailAddr; + } + } + } + return NULL; +} + +static char * +nsslowcert_EmailAltName(NSSLOWCERTCertificate *cert, char *space, + unsigned int len) +{ + unsigned char *exts; + unsigned int exts_length; + + /* unwrap the sequence */ + exts = nsslowcert_dataStart(cert->extensions.data, cert->extensions.len, + &exts_length, PR_FALSE, NULL); + /* loop through extension */ + while (exts && exts_length > 0) { + unsigned char *ext; + unsigned int ext_length; + unsigned char *oid; + unsigned int oid_length; + unsigned char *nameList; + unsigned int nameList_length; + SECItem oidItem; + SECOidTag type; + + ext = nsslowcert_dataStart(exts, exts_length, &ext_length, + PR_FALSE, NULL); + if (ext == NULL) { + break; + } + exts_length -= (ext - exts) + ext_length; + exts = ext + ext_length; + + oid = nsslowcert_dataStart(ext, ext_length, &oid_length, PR_FALSE, NULL); + if (oid == NULL) { + break; + } + ext_length -= (oid - ext) + oid_length; + ext = oid + oid_length; + oidItem.data = oid; + oidItem.len = oid_length; + type = SECOID_FindOIDTag(&oidItem); + + /* get Alt Extension */ + if (type != SEC_OID_X509_SUBJECT_ALT_NAME) { + continue; + } + + /* skip passed the critical flag */ + if (ext[0] == 0x01) { /* BOOLEAN */ + unsigned char *dummy; + unsigned int dummy_length; + dummy = nsslowcert_dataStart(ext, ext_length, &dummy_length, + PR_FALSE, NULL); + if (dummy == NULL) { + break; + } + ext_length -= (dummy - ext) + dummy_length; + ext = dummy + dummy_length; + } + + /* unwrap the name list */ + nameList = nsslowcert_dataStart(ext, ext_length, &nameList_length, + PR_FALSE, NULL); + if (nameList == NULL) { + break; + } + ext_length -= (nameList - ext) + nameList_length; + ext = nameList + nameList_length; 
+ nameList = nsslowcert_dataStart(nameList, nameList_length, + &nameList_length, PR_FALSE, NULL); + /* loop through the name list */ + while (nameList && nameList_length > 0) { + unsigned char *thisName; + unsigned int thisName_length; + + thisName = nsslowcert_dataStart(nameList, nameList_length, + &thisName_length, PR_FALSE, NULL); + if (thisName == NULL) { + break; + } + if (nameList[0] == 0xa2) { /* DNS Name */ + SECItem dn; + char *emailAddr; + + dn.data = thisName; + dn.len = thisName_length; + emailAddr = nsslowcert_EmailName(&dn, space, len); + if (emailAddr) { + return emailAddr; + } + } + if (nameList[0] == 0x81) { /* RFC 822name */ + char *emailAddr; + emailAddr = (char *)pkcs11_copyStaticData(thisName, + thisName_length + 1, (unsigned char *)space, len); + if (emailAddr) { + emailAddr[thisName_length] = 0; + } + return emailAddr; + } + nameList_length -= (thisName - nameList) + thisName_length; + nameList = thisName + thisName_length; + } + break; + } + return NULL; +} + +static char * +nsslowcert_GetCertificateEmailAddress(NSSLOWCERTCertificate *cert) +{ + char *emailAddr = NULL; + char *str; + + emailAddr = nsslowcert_EmailName(&cert->derSubject, cert->emailAddrSpace, + sizeof(cert->emailAddrSpace)); + /* couldn't find the email address in the DN, check the subject Alt name */ + if (!emailAddr && cert->extensions.data) { + emailAddr = nsslowcert_EmailAltName(cert, cert->emailAddrSpace, + sizeof(cert->emailAddrSpace)); + } + + /* make it lower case */ + str = emailAddr; + while (str && *str) { + *str = tolower(*str); + str++; + } + return emailAddr; +} + +/* + * take a DER certificate and decode it into a certificate structure + */ +NSSLOWCERTCertificate * +nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname) +{ + NSSLOWCERTCertificate *cert; + int rv; + + /* allocate the certificate structure */ + cert = nsslowcert_CreateCert(); + + if (!cert) { + goto loser; + } + + /* point to passed in DER data */ + cert->derCert = 
*derSignedCert; + cert->nickname = NULL; + cert->certKey.data = NULL; + cert->referenceCount = 1; + + /* decode the certificate info */ + rv = nsslowcert_GetCertFields(cert->derCert.data, cert->derCert.len, + &cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject, + &cert->validity, &cert->derSubjKeyInfo, &cert->extensions); + + if (rv != SECSuccess) { + goto loser; + } + + /* cert->subjectKeyID; x509v3 subject key identifier */ + cert->subjectKeyID.data = NULL; + cert->subjectKeyID.len = 0; + cert->dbEntry = NULL; + cert->trust = NULL; + cert->dbhandle = NULL; + + /* generate and save the database key for the cert */ + rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace, + sizeof(cert->certKeySpace), &cert->derIssuer, + &cert->serialNumber, &cert->certKey); + if (rv) { + goto loser; + } + + /* set the nickname */ + if (nickname == NULL) { + cert->nickname = NULL; + } else { + /* copy and install the nickname */ + cert->nickname = pkcs11_copyNickname(nickname, cert->nicknameSpace, + sizeof(cert->nicknameSpace)); + } + +#ifdef FIXME + /* initialize the subjectKeyID */ + rv = cert_GetKeyID(cert); + if (rv != SECSuccess) { + goto loser; + } +#endif + + /* set the email address */ + cert->emailAddr = nsslowcert_GetCertificateEmailAddress(cert); + + cert->referenceCount = 1; + + return (cert); + +loser: + if (cert) { + nsslowcert_DestroyCertificate(cert); + } + + return (0); +} + +char * +nsslowcert_FixupEmailAddr(char *emailAddr) +{ + char *retaddr; + char *str; + + if (emailAddr == NULL) { + return (NULL); + } + + /* copy the string */ + str = retaddr = PORT_Strdup(emailAddr); + if (str == NULL) { + return (NULL); + } + + /* make it lower case */ + while (*str) { + *str = tolower(*str); + str++; + } + + return (retaddr); +} + +/* + * Generate a database key, based on serial number and issuer, from a + * DER certificate. 
+ */ +SECStatus +nsslowcert_KeyFromDERCert(PLArenaPool *arena, SECItem *derCert, SECItem *key) +{ + int rv; + NSSLOWCERTCertKey certkey; + + PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey)); + + rv = nsslowcert_GetCertFields(derCert->data, derCert->len, + &certkey.derIssuer, &certkey.serialNumber, NULL, NULL, + NULL, NULL, NULL); + + if (rv) { + goto loser; + } + + return (nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer, + &certkey.serialNumber, key)); +loser: + return (SECFailure); +} + +NSSLOWKEYPublicKey * +nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert) +{ + NSSLOWCERTSubjectPublicKeyInfo spki; + NSSLOWKEYPublicKey *pubk; + SECItem os; + SECStatus rv; + PLArenaPool *arena; + SECOidTag tag; + SECItem newDerSubjKeyInfo; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; + + pubk = (NSSLOWKEYPublicKey *) + PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey)); + if (pubk == NULL) { + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + + pubk->arena = arena; + PORT_Memset(&spki, 0, sizeof(spki)); + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newDerSubjKeyInfo, &cert->derSubjKeyInfo); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + + /* we haven't bothered decoding the spki struct yet, do it now */ + rv = SEC_QuickDERDecodeItem(arena, &spki, + nsslowcert_SubjectPublicKeyInfoTemplate, &newDerSubjKeyInfo); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + + /* Convert bit string length from bits to bytes */ + os = spki.subjectPublicKey; + DER_ConvertBitString(&os); + + tag = SECOID_GetAlgorithmTag(&spki.algorithm); + switch (tag) { + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + pubk->keyType = NSSLOWKEYRSAKey; + prepare_low_rsa_pub_key_for_asn1(pubk); + rv = 
SEC_QuickDERDecodeItem(arena, pubk, + nsslowcert_RSAPublicKeyTemplate, &os); + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + pubk->keyType = NSSLOWKEYDSAKey; + prepare_low_dsa_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(arena, pubk, + nsslowcert_DSAPublicKeyTemplate, &os); + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + pubk->keyType = NSSLOWKEYDHKey; + prepare_low_dh_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(arena, pubk, + nsslowcert_DHPublicKeyTemplate, &os); + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + pubk->keyType = NSSLOWKEYECKey; + /* Since PKCS#11 directly takes the DER encoding of EC params + * and public value, we don't need any decoding here. + */ + rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding, + &spki.algorithm.parameters); + if (rv != SECSuccess) + break; + + /* Fill out the rest of the ecParams structure + * based on the encoded params + */ + if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding, + &pubk->u.ec.ecParams) != SECSuccess) + break; + + rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os); + if (rv == SECSuccess) + return pubk; + break; + default: + rv = SECFailure; + break; + } + + lg_nsslowkey_DestroyPublicKey(pubk); + return NULL; +} diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c new file mode 100644 index 0000000000..a9b7cce3d4 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lowkey.c 
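Review bot: nsslowcert_EmailName copies the e-mail AVA value with `pkcs11_copyStaticData(name, name_length + 1, (unsigned char *)space, len)` and only afterwards writes the terminator, so if that helper copies every byte it is asked for (its body is not in this hunk) the call reads one byte past the AVA value, which is an out-of-bounds read when the value ends exactly at the end of the certificate buffer; the `0x81` rfc822Name branch in nsslowcert_EmailAltName does the same with `thisName`. Allocating with the helper the file already uses for the cert key and copying only the value avoids the over-read: `emailAddr = (char *)pkcs11_allocStaticData(name_length + 1, (unsigned char *)space, len); if (emailAddr) { PORT_Memcpy(emailAddr, name, name_length); emailAddr[name_length] = 0; }`. nsslowcert_GetCertFields also inspects `buf[0]` for the optional version tag right after unwrapping the TBSCertificate without checking that `buf_length` is non-zero, so a cert whose inner SEQUENCE is empty reads past it; `if (buf_length > 0 && (buf[0] & 0xa0) == 0xa0)` closes that. Finally, the subjectAltName loop's `nameList[0] == 0xa2` branch is commented "DNS Name" but hands the value to nsslowcert_EmailName as a distinguished name, while a DER dNSName carries the primitive tag 0x82 and directoryName the constructed tag 0xa4, so this branch presumably never matches a well-formed GeneralName and its intended tag should be confirmed.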
@@ -0,0 +1,388 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "lowkeyi.h" +#include "secoid.h" +#include "secitem.h" +#include "secder.h" +#include "secasn1.h" +#include "secerr.h" + +SEC_ASN1_MKSUB(SEC_AnyTemplate) +SEC_ASN1_MKSUB(SEC_BitStringTemplate) +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate) +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +static const SEC_ASN1Template nsslowkey_AttributeTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(NSSLOWKEYAttribute) }, + { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) }, + { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue), + SEC_ASN1_SUB(SEC_AnyTemplate) }, + { 0 } +}; + +static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = { + { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate }, +}; +/* ASN1 Templates for new decoder/encoder */ +const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) }, + { SEC_ASN1_INTEGER, + offsetof(NSSLOWKEYPrivateKeyInfo, version) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(NSSLOWKEYPrivateKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, + offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(NSSLOWKEYPrivateKeyInfo, attributes), + nsslowkey_SetOfAttributeTemplate }, + { 0 } +}; + +const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) }, + { SEC_ASN1_INTEGER, offsetof(PQGParams, prime) }, + { SEC_ASN1_INTEGER, offsetof(PQGParams, subPrime) }, + { SEC_ASN1_INTEGER, offsetof(PQGParams, base) }, + { 0 } +}; + +const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, 
sizeof(NSSLOWKEYPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) }, + { 0 } +}; + +/* + * Allows u.rsa.modulus to be zero length for secret keys with an empty + * CKA_ID incorrectly generated in NSS 3.13.3 or earlier. Only used for + * decoding. See bug 715073. + */ +const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) }, + { SEC_ASN1_ANY, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) }, + { 0 } +}; + +const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.publicValue) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) }, + { 0 } +}; + +const SEC_ASN1Template 
lg_nsslowkey_DHPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) }, + { 0 } +}; + +/* NOTE: The SECG specification allows the private key structure + * to contain curve parameters but recommends that they be stored + * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo + * instead. + */ +const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) }, + { SEC_ASN1_OCTET_STRING, + offsetof(NSSLOWKEYPrivateKey, u.ec.privateValue) }, + /* We only support named curves for which the parameters are + * encoded as an object ID. + */ + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(NSSLOWKEYPrivateKey, u.ec.ecParams.curveOID), + SEC_ASN1_SUB(SEC_ObjectIDTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_XTRN | 1, + offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, + { 0 } +}; + +/* + * smaller version of EC_FillParams. In this code, we only need + * oid and DER data. 
+ */ +SECStatus +LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, + ECParams *params) +{ + SECOidTag tag; + SECItem oid = { siBuffer, NULL, 0 }; + +#if EC_DEBUG + int i; + + printf("Encoded params in EC_DecodeParams: "); + for (i = 0; i < encodedParams->len; i++) { + printf("%02x:", encodedParams->data[i]); + } + printf("\n"); +#endif + + oid.len = encodedParams->len - 2; + oid.data = encodedParams->data + 2; + if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) || + ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; + } + + params->arena = arena; + + /* For named curves, fill out curveOID */ + params->curveOID.len = oid.len; + params->curveOID.data = (unsigned char *)PORT_ArenaAlloc(arena, oid.len); + if (params->curveOID.data == NULL) { + return SECFailure; + } + memcpy(params->curveOID.data, oid.data, oid.len); + + return SECSuccess; +} + +/* Copy all of the fields from srcParams into dstParams + */ +SECStatus +LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams, + const ECParams *srcParams) +{ + SECStatus rv = SECFailure; + + dstParams->arena = arena; + rv = SECITEM_CopyItem(arena, &dstParams->DEREncoding, + &srcParams->DEREncoding); + if (rv != SECSuccess) { + goto loser; + } + rv = SECITEM_CopyItem(arena, &dstParams->curveOID, + &srcParams->curveOID); + if (rv != SECSuccess) { + goto loser; + } + + return SECSuccess; + +loser: + return SECFailure; +} +/* + * See bugzilla bug 125359 + * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints, + * all of the templates above that en/decode into integers must be converted + * from ASN.1's signed integer type. This is done by marking either the + * source or destination (encoding or decoding, respectively) type as + * siUnsignedInteger. 
+ */ + +void +lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +{ + key->u.rsa.modulus.type = siUnsignedInteger; + key->u.rsa.publicExponent.type = siUnsignedInteger; + key->u.rsa.privateExponent.type = siUnsignedInteger; + key->u.rsa.prime1.type = siUnsignedInteger; + key->u.rsa.prime2.type = siUnsignedInteger; + key->u.rsa.exponent1.type = siUnsignedInteger; + key->u.rsa.exponent2.type = siUnsignedInteger; + key->u.rsa.coefficient.type = siUnsignedInteger; +} + +void +lg_prepare_low_pqg_params_for_asn1(PQGParams *params) +{ + params->prime.type = siUnsignedInteger; + params->subPrime.type = siUnsignedInteger; + params->base.type = siUnsignedInteger; +} + +void +lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +{ + key->u.dsa.publicValue.type = siUnsignedInteger; + key->u.dsa.privateValue.type = siUnsignedInteger; + key->u.dsa.params.prime.type = siUnsignedInteger; + key->u.dsa.params.subPrime.type = siUnsignedInteger; + key->u.dsa.params.base.type = siUnsignedInteger; +} + +void +lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +{ + key->u.dh.prime.type = siUnsignedInteger; + key->u.dh.base.type = siUnsignedInteger; + key->u.dh.publicValue.type = siUnsignedInteger; + key->u.dh.privateValue.type = siUnsignedInteger; +} + +void +lg_prepare_low_ecparams_for_asn1(ECParams *params) +{ + params->DEREncoding.type = siUnsignedInteger; + params->curveOID.type = siUnsignedInteger; +} + +void +lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key) +{ + key->u.ec.version.type = siUnsignedInteger; + key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger; + key->u.ec.ecParams.curveOID.type = siUnsignedInteger; + key->u.ec.privateValue.type = siUnsignedInteger; + key->u.ec.publicValue.type = siUnsignedInteger; +} + +void +lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk) +{ + if (privk && privk->arena) { + PORT_FreeArena(privk->arena, PR_TRUE); + } +} + +void +lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk) +{ + 
if (pubk && pubk->arena) { + PORT_FreeArena(pubk->arena, PR_FALSE); + } +} + +NSSLOWKEYPublicKey * +lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk) +{ + NSSLOWKEYPublicKey *pubk; + PLArenaPool *arena; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + + switch (privk->keyType) { + case NSSLOWKEYRSAKey: + case NSSLOWKEYNullKey: + pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYPublicKey)); + if (pubk != NULL) { + SECStatus rv; + + pubk->arena = arena; + pubk->keyType = privk->keyType; + if (privk->keyType == NSSLOWKEYNullKey) + return pubk; + rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus, + &privk->u.rsa.modulus); + if (rv == SECSuccess) { + rv = SECITEM_CopyItem(arena, &pubk->u.rsa.publicExponent, + &privk->u.rsa.publicExponent); + if (rv == SECSuccess) + return pubk; + } + } else { + PORT_SetError(SEC_ERROR_NO_MEMORY); + } + break; + case NSSLOWKEYDSAKey: + pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYPublicKey)); + if (pubk != NULL) { + SECStatus rv; + + pubk->arena = arena; + pubk->keyType = privk->keyType; + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue, + &privk->u.dsa.publicValue); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, + &privk->u.dsa.params.prime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, + &privk->u.dsa.params.subPrime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, + &privk->u.dsa.params.base); + if (rv == SECSuccess) + return pubk; + } + break; + case NSSLOWKEYDHKey: + pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYPublicKey)); + if (pubk != NULL) { + SECStatus rv; + + pubk->arena = arena; + pubk->keyType = privk->keyType; + rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue, + &privk->u.dh.publicValue); + if (rv != SECSuccess) + 
break; + rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime, + &privk->u.dh.prime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, &pubk->u.dh.base, + &privk->u.dh.base); + if (rv == SECSuccess) + return pubk; + } + break; + case NSSLOWKEYECKey: + pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYPublicKey)); + if (pubk != NULL) { + SECStatus rv; + + pubk->arena = arena; + pubk->keyType = privk->keyType; + rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, + &privk->u.ec.publicValue); + if (rv != SECSuccess) + break; + pubk->u.ec.ecParams.arena = arena; + /* Copy the rest of the params */ + rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams), + &(privk->u.ec.ecParams)); + if (rv == SECSuccess) + return pubk; + } + break; + /* No Fortezza in Low Key implementations (Fortezza keys aren't + * stored in our data base */ + default: + break; + } + + PORT_FreeArena(arena, PR_FALSE); + return NULL; +} diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h new file mode 100644 index 0000000000..4a5bcfa914 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lowkeyi.h 
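Review bot: LGEC_FillParams reads `encodedParams->data[0]` and computes `encodedParams->len - 2` before checking that the item holds at least two bytes, so a zero- or one-byte parameters item (data possibly NULL when the SPKI's algorithm parameters are absent) dereferences out of bounds and, with len unsigned, leaves oid.len wrapped to a huge value that reaches PORT_ArenaAlloc. The visible caller in the previous hunk, nsslowcert_ExtractPublicKey, passes `spki.algorithm.parameters` decoded straight from certificate DER, so this should be validated as untrusted input; the DER length byte `data[1]` should also be required to match the remaining length (curve OIDs always use the short form). A guard of the following shape, placed where the current tag check is, rejects malformed input with the existing SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE error. Separately, the `#if EC_DEBUG` loop compares `int i` against the unsigned `encodedParams->len`; `unsigned int i` avoids the sign-compare warning.
```c
SECStatus
LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
                ECParams *params)
{
    /* … unchanged: locals, EC_DEBUG dump … */

    /* Require a complete short-form DER OBJECT IDENTIFIER: tag byte,
     * one length byte, then exactly len - 2 content bytes. */
    if (encodedParams->data == NULL || encodedParams->len < 2 ||
        encodedParams->data[0] != SEC_ASN1_OBJECT_ID ||
        encodedParams->data[1] != encodedParams->len - 2) {
        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
        return SECFailure;
    }
    oid.len = encodedParams->len - 2;
    oid.data = encodedParams->data + 2;
    if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN) {
        PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
        return SECFailure;
    }

    /* … unchanged: params->arena and curveOID copy into the arena … */
```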
@@ -0,0 +1,148 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _LOWKEYI_H_ +#define _LOWKEYI_H_ + +#include "prtypes.h" +#include "seccomon.h" +#include "secoidt.h" +#include "pcertt.h" +#include "lowkeyti.h" +#include "sdb.h" + +SEC_BEGIN_PROTOS + +/* + * See bugzilla bug 125359 + * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints, + * all of the templates above that en/decode into integers must be converted + * from ASN.1's signed integer type. This is done by marking either the + * source or destination (encoding or decoding, respectively) type as + * siUnsignedInteger. + */ +extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params); +extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key); +extern void lg_prepare_low_ecparams_for_asn1(ECParams *params); + +typedef char *(*NSSLOWKEYDBNameFunc)(void *arg, int dbVersion); + +/* +** Open a key database. +*/ +extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly, + const char *domain, + const char *prefix, + NSSLOWKEYDBNameFunc namecb, + void *cbarg); + +/* +** Close the specified key database. +*/ +extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle); + +/* + * Get the version number of the database + */ +extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle); + +/* +** Delete a key from the database +*/ +extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, + const SECItem *pubkey); + +/* +** Store a key in the database, indexed by its public key modulus. 
+** "pk" is the private key to store +** "f" is the callback function for getting the password +** "arg" is the argument for the callback +*/ +extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *pk, + SECItem *pubKeyData, + char *nickname, + SDB *sdb); + +/* does the key for this cert exist in the database filed by modulus */ +extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, + NSSLOWCERTCertificate *cert); +/* does a key with this ID already exist? */ +extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id); + +/* +** Destroy a private key object. +** "key" the object +** "freeit" if PR_TRUE then free the object as well as its sub-objects +*/ +extern void lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key); + +/* +** Destroy a public key object. +** "key" the object +** "freeit" if PR_TRUE then free the object as well as its sub-objects +*/ +extern void lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key); + +/* +** Convert a low private key "privateKey" into a public low key +*/ +extern NSSLOWKEYPublicKey + * + lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey); + +SECStatus +nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb); + +/* Store key by modulus and specify an encryption algorithm to use. + * handle is the pointer to the key database, + * privkey is the private key to be stored, + * f and arg are the function and arguments to the callback + * to get a password, + * algorithm is the algorithm which the privKey is to be stored. + * A return of anything but SECSuccess indicates failure. + */ +extern SECStatus +nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle, + NSSLOWKEYPrivateKey *privkey, + SECItem *pubKeyData, + char *nickname, + SDB *sdb, + PRBool update); + +/* Find key by modulus. This function is the inverse of store key + * by modulus. 
An attempt to locate the key with "modulus" is + * performed. If the key is found, the private key is returned, + * else NULL is returned. + * modulus is the modulus to locate + */ +extern NSSLOWKEYPrivateKey * +nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, + SDB *sdb); + +extern char * +nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle, + SECItem *modulus, SDB *sdb); + +/* + * smaller version of EC_FillParams. In this code, we only need + * oid and DER data. + */ +SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, + ECParams *params); + +/* Copy all of the fields from srcParams into dstParams */ +SECStatus LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams, + const ECParams *srcParams); + +SEC_END_PROTOS + +#endif /* _LOWKEYI_H_ */ diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h new file mode 100644 index 0000000000..2fd5d4e293 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/lowkeyti.h 
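Review bot: Several prototype comments in lowkeyi.h describe parameters that the declared signatures do not have, which misleads callers about ownership and callbacks. Both `lg_nsslowkey_DestroyPrivateKey` and `lg_nsslowkey_DestroyPublicKey` are documented with a `"freeit"` flag that does not exist; the functions take only the key, and the matching definitions in lowkey.c free the arena unconditionally (`PR_TRUE` for the private key, `PR_FALSE` for the public key), so the comment should say that instead, e.g. `** Destroy a private key object; its arena is freed and the key memory zeroed.` The comments on `nsslowkey_StoreKeyByPublicKey` and `nsslowkey_StoreKeyByPublicKeyAlg` still describe `"f"` and `"arg"` password-callback parameters, while the declarations take `pubKeyData`, `nickname`, `sdb` (and `update`); the text should be rewritten to name those parameters and to state, for the `update` flag, what a true value changes. The "See bugzilla bug 125359" comment refers to "all of the templates above", but in this header no templates precede it; pointing it at the templates in lowkeyti.h/lowkey.c would keep it accurate.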
@@ -0,0 +1,130 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _LOWKEYTI_H_ +#define _LOWKEYTI_H_ 1 + +#include "blapit.h" +#include "prtypes.h" +#include "plarena.h" +#include "secitem.h" +#include "secasn1t.h" +#include "secoidt.h" + +/* + * a key in/for the data base + */ +struct NSSLOWKEYDBKeyStr { + PLArenaPool *arena; + int version; + char *nickname; + SECItem salt; + SECItem derPK; +}; +typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey; + +typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle; + +#ifdef NSS_USE_KEY4_DB +#define NSSLOWKEY_DB_FILE_VERSION 4 +#else +#define NSSLOWKEY_DB_FILE_VERSION 3 +#endif + +#define NSSLOWKEY_VERSION 0 /* what we *create* */ + +/* +** Typedef for callback to get a password "key". +*/ +extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[]; +extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[]; +extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[]; +#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */ +extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[]; + +extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[]; +extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[]; + +/* + * PKCS #8 attributes + */ +struct NSSLOWKEYAttributeStr { + SECItem attrType; + SECItem *attrValue; +}; +typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute; + +/* +** A PKCS#8 private key info object +*/ +struct NSSLOWKEYPrivateKeyInfoStr { + PLArenaPool *arena; + SECItem version; + SECAlgorithmID algorithm; + SECItem privateKey; + NSSLOWKEYAttribute **attributes; +}; +typedef 
struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo; +#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */ + +/* +** A PKCS#8 private key info object +*/ +struct NSSLOWKEYEncryptedPrivateKeyInfoStr { + PLArenaPool *arena; + SECAlgorithmID algorithm; + SECItem encryptedData; +}; +typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo; + +typedef enum { + NSSLOWKEYNullKey = 0, + NSSLOWKEYRSAKey = 1, + NSSLOWKEYDSAKey = 2, + NSSLOWKEYDHKey = 4, + NSSLOWKEYECKey = 5 +} NSSLOWKEYType; + +/* +** An RSA public key object. +*/ +struct NSSLOWKEYPublicKeyStr { + PLArenaPool *arena; + NSSLOWKEYType keyType; + union { + RSAPublicKey rsa; + DSAPublicKey dsa; + DHPublicKey dh; + ECPublicKey ec; + } u; +}; +typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey; + +/* +** Low Level private key object +** This is only used by the raw Crypto engines (crypto), keydb (keydb), +** and PKCS #11. Everyone else uses the high level key structure. +*/ +struct NSSLOWKEYPrivateKeyStr { + PLArenaPool *arena; + NSSLOWKEYType keyType; + union { + RSAPrivateKey rsa; + DSAPrivateKey dsa; + DHPrivateKey dh; + ECPrivateKey ec; + } u; +}; +typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey; + +typedef struct NSSLOWKEYPasswordEntryStr NSSLOWKEYPasswordEntry; +struct NSSLOWKEYPasswordEntryStr { + SECItem salt; + SECItem value; + unsigned char data[128]; +}; + +#endif /* _LOWKEYTI_H_ */ diff --git a/security/nss/lib/softoken/legacydb/manifest.mn b/security/nss/lib/softoken/legacydb/manifest.mn new file mode 100644 index 0000000000..caac524be0 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/manifest.mn 
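Review bot: Three struct/declaration comments in lowkeyti.h are copy-paste leftovers that describe the wrong thing. The block comment `** Typedef for callback to get a password "key".` sits directly above the `extern const SEC_ASN1Template lg_nsslowkey_*Template[]` declarations and no such typedef follows it; it should be replaced with `** ASN.1 templates for the private key encodings stored in the legacy database.` `struct NSSLOWKEYEncryptedPrivateKeyInfoStr` carries the same "A PKCS#8 private key info object" comment as the unencrypted struct and should read `** A PKCS#8 EncryptedPrivateKeyInfo object (algorithm identifier plus the encrypted PrivateKeyInfo).` Likewise `struct NSSLOWKEYPublicKeyStr` is labelled "An RSA public key object" although its union holds RSA, DSA, DH and EC variants selected by `keyType`; `** Low level public key object; keyType selects the active member of u.` states the actual contract.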
@@ -0,0 +1,32 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +CORE_DEPTH = ../../.. + +MODULE = nss + +REQUIRES = dbm + +LIBRARY_NAME = nssdbm +LIBRARY_VERSION = 3 +MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def + +DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DLG_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" + +CSRCS = \ + dbmshim.c \ + keydb.c \ + lgattr.c \ + lgcreate.c \ + lgdestroy.c \ + lgfind.c \ + lgfips.c \ + lginit.c \ + lgutil.c \ + lowcert.c \ + lowkey.c \ + pcertdb.c \ + pk11db.c \ + $(NULL) + diff --git a/security/nss/lib/softoken/legacydb/nssdbm.def b/security/nss/lib/softoken/legacydb/nssdbm.def new file mode 100644 index 0000000000..dd6d5fa47b --- /dev/null +++ b/security/nss/lib/softoken/legacydb/nssdbm.def 
@@ -0,0 +1,31 @@ +;+# +;+# This Source Code Form is subject to the terms of the Mozilla Public +;+# License, v. 2.0. If a copy of the MPL was not distributed with this +;+# file, You can obtain one at http://mozilla.org/MPL/2.0/. +;+# +;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS +;+# 1. For all unix platforms, the string ";-" means "remove this line" +;+# 2. For all unix platforms, the string " DATA " will be removed from any +;+# line on which it occurs. +;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX. +;+# On AIX, lines containing ";+" will be removed. +;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed. +;+# 5. For all unix platforms, after the above processing has taken place, +;+# all characters after the first ";" on the line will be removed. +;+# And for AIX, the first ";" will also be removed. +;+# This file is passed directly to windows. Since ';' is a comment, all UNIX +;+# directives are hidden behind ";", ";+", and ";-" +;+NSSDBM_3.12 { # NSS 3.12 release +;+ global: +LIBRARY nssdbm3 ;- +EXPORTS ;- +legacy_Open; +legacy_Shutdown; +legacy_ReadSecmodDB; +legacy_ReleaseSecmodDBData; +legacy_AddSecmodDB; +legacy_DeleteSecmodDB; +legacy_SetCryptFunctions; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/softoken/legacydb/nssdbm.rc b/security/nss/lib/softoken/legacydb/nssdbm.rc new file mode 100644 index 0000000000..cff86168e9 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/nssdbm.rc 
@@ -0,0 +1,68 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "../softkver.h" +#include + +#define MY_LIBNAME "nssdbm" +#define MY_FILEDESCRIPTION "Legacy Database Driver" + +#define STRINGIZE(x) #x +#define STRINGIZE2(x) STRINGIZE(x) +#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR) + +#ifdef _DEBUG +#define MY_DEBUG_STR " (debug)" +#define MY_FILEFLAGS_1 VS_FF_DEBUG +#else +#define MY_DEBUG_STR "" +#define MY_FILEFLAGS_1 0x0L +#endif +#if SOFTOKEN_BETA +#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE +#else +#define MY_FILEFLAGS_2 MY_FILEFLAGS_1 +#endif + +#ifdef WINNT +#define MY_FILEOS VOS_NT_WINDOWS32 +#else +#define MY_FILEOS VOS__WINDOWS32 +#endif + +#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR + +///////////////////////////////////////////////////////////////////////////// +// +// Version-information resource +// + +VS_VERSION_INFO VERSIONINFO + FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD + PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD + FILEFLAGSMASK VS_FFI_FILEFLAGSMASK + FILEFLAGS MY_FILEFLAGS_2 + FILEOS MY_FILEOS + FILETYPE VFT_DLL + FILESUBTYPE 0x0L // not used + +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904B0" // Lang=US English, CharSet=Unicode + BEGIN + VALUE "CompanyName", "Mozilla Foundation\0" + VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0" + VALUE "FileVersion", SOFTOKEN_VERSION "\0" + VALUE "InternalName", MY_INTERNAL_NAME "\0" + VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0" + VALUE "ProductName", "Network Security Services\0" + VALUE "ProductVersion", SOFTOKEN_VERSION "\0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 1200 + END +END 
diff --git a/security/nss/lib/softoken/legacydb/pcert.h b/security/nss/lib/softoken/legacydb/pcert.h
new file mode 100644
index 0000000000..d4be3f93d3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcert.h
@@ -0,0 +1,228 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef _PCERTDB_H_ +#define _PCERTDB_H_ + +#include "plarena.h" +#include "prlong.h" +#include "pcertt.h" + +#include "lowkeyti.h" /* for struct NSSLOWKEYPublicKeyStr */ + +SEC_BEGIN_PROTOS + +/* + * initialize any global certificate locks + */ +SECStatus nsslowcert_InitLocks(void); + +/* +** Add a DER encoded certificate to the permanent database. +** "derCert" is the DER encoded certificate. +** "nickname" is the nickname to use for the cert +** "trust" is the trust parameters for the cert +*/ +SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle, + NSSLOWCERTCertificate *cert, + char *nickname, NSSLOWCERTCertTrust *trust); +SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle, + NSSLOWCERTCertificate *cert, char *nickname); + +SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert); + +typedef SECStatus(PR_CALLBACK *PermCertCallback)(NSSLOWCERTCertificate *cert, + SECItem *k, void *pdata); +/* +** Traverse the entire permanent database, and pass the certs off to a +** user supplied function. 
+** "certfunc" is the user function to call for each certificate +** "udata" is the user's data, which is passed through to "certfunc" +*/ +SECStatus +nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle, + PermCertCallback certfunc, + void *udata); + +PRBool +nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle); + +certDBEntryRevocation * +nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle, + SECItem *crlKey, PRBool isKRL); + +SECStatus +nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, const SECItem *derName, + PRBool isKRL); +SECStatus +nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl, + SECItem *derKey, char *url, PRBool isKRL); + +NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB(); +NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *); + +NSSLOWCERTCertificate * +nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert, + char *nickname, PRBool isperm, PRBool copyDER); +NSSLOWCERTCertificate * +nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert); +void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert); +void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust); + +/* + * Lookup a certificate in the databases without locking + * "certKey" is the database key to look for + * + * XXX - this should be internal, but pkcs 11 needs to call it during a + * traversal. + */ +NSSLOWCERTCertificate * +nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey); + +/* + * Lookup trust for a certificate in the databases without locking + * "certKey" is the database key to look for + * + * XXX - this should be internal, but pkcs 11 needs to call it during a + * traversal. + */ +NSSLOWCERTTrust * +nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey); + +/* +** Generate a certificate key from the issuer and serialnumber, then look it +** up in the database. Return the cert if found. 
+** "issuerAndSN" is the issuer and serial number to look for +*/ +extern NSSLOWCERTCertificate * +nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN); + +/* +** Generate a certificate key from the issuer and serialnumber, then look it +** up in the database. Return the cert if found. +** "issuerAndSN" is the issuer and serial number to look for +*/ +extern NSSLOWCERTTrust * +nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN); + +/* +** Find a certificate in the database by a DER encoded certificate +** "derCert" is the DER encoded certificate +*/ +extern NSSLOWCERTCertificate * +nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert); + +/* convert an email address to lower case */ +char *nsslowcert_FixupEmailAddr(char *emailAddr); + +/* +** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure +** "derSignedCert" is the DER encoded signed certificate +** "copyDER" is true if the DER should be copied, false if the +** existing copy should be referenced +** "nickname" is the nickname to use in the database. If it is NULL +** then a temporary nickname is generated. +*/ +extern NSSLOWCERTCertificate * +nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname); + +SECStatus +nsslowcert_KeyFromDERCert(PLArenaPool *arena, SECItem *derCert, SECItem *key); + +certDBEntrySMime * +nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle, + char *emailAddr); +void +nsslowcert_DestroyDBEntry(certDBEntry *entry); + +SECStatus +nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly, + const char *domain, const char *prefix, + NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile); + +void +nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle); + +/* + * is certa newer than certb? If one is expired, pick the other one. 
+ */ +PRBool +nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb); + +SECStatus +nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle, + certDBEntryType type, + SECStatus (*callback)(SECItem *data, SECItem *key, + certDBEntryType type, void *pdata), + void *udata); +SECStatus +nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle, + SECItem *derSubject, + NSSLOWCERTCertCallback cb, void *cbarg); +int +nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle, + SECItem *derSubject); +SECStatus +nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle, + char *nickname, NSSLOWCERTCertCallback cb, void *cbarg); + +int +nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, + char *nickname); +SECStatus +nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, + NSSLOWCERTCertTrust *trust); + +SECStatus +nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr, + SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime); + +/* + * Change the trust attributes of a certificate and make them permanent + * in the database. 
+ */ +SECStatus +nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle, + NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust); + +PRBool +nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle); + +void +nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value); + +PRBool +nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust); + +void +nsslowcert_DestroyFreeLists(void); + +void +nsslowcert_DestroyGlobalLocks(void); + +void +pkcs11_freeNickname(char *nickname, char *space); + +char * +pkcs11_copyNickname(char *nickname, char *space, int spaceLen); + +void +pkcs11_freeStaticData(unsigned char *data, unsigned char *space); + +unsigned char * +pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen); + +unsigned char * +pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space, + int spaceLen); +NSSLOWCERTCertificate * +nsslowcert_CreateCert(void); + +certDBEntry * +nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey, + certDBEntryType entryType, void *pdata); + +SEC_END_PROTOS + +#endif /* _PCERTDB_H_ */ diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c new file mode 100644 index 0000000000..488d0f06ca --- /dev/null +++ b/security/nss/lib/softoken/legacydb/pcertdb.c 
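Review bot: `NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();` is declared with empty parentheses, which in C (unlike C++) is not a prototype and disables argument checking at call sites; it should be `NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB(void);` to match the other declarations in this header such as `nsslowcert_InitLocks(void)`. Two comments are also stale: the one above `nsslowcert_FindTrustByIssuerAndSN` is a verbatim copy of the cert lookup's ("Return the cert if found") and should say `** up in the database. Return the cert's trust record if found.`, and the comment on `nsslowcert_DecodeDERCertificate` documents a `"copyDER"` argument that the declared signature `(SECItem *derSignedCert, char *nickname)` does not take, so that line should be dropped. The `copyDER` flag does exist on `nsslowcert_NewTempCertificate` a few lines above, which is presumably where the text was meant to live.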
@@ -0,0 +1,5350 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Permanent Certificate database handling code
+ */
+#include "lowkeyti.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "pcert.h"
+#include "secitem.h"
+#include "secder.h"
+
+#include "secerr.h"
+#include "lgdb.h"
+
+/* forward declaration */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCertNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle,
+ char *emailAddr, SECItem *derSubject, SECItem *emailProfile,
+ SECItem *profileTime);
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust);
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL);
+
+static NSSLOWCERTCertificate *certListHead = NULL;
+static NSSLOWCERTTrust *trustListHead = NULL;
+static certDBEntryCert *entryListHead = NULL;
+static int certListCount = 0;
+static int trustListCount = 0;
+static int entryListCount = 0;
+#define MAX_CERT_LIST_COUNT 10
+#define MAX_TRUST_LIST_COUNT 10
+#define MAX_ENTRY_LIST_COUNT 10
+
+/*
+ * the following functions are wrappers for the db library that implement
+ * a global lock to make the database thread safe.
+ */
+static PZLock *dbLock = NULL;
+static PZLock *certRefCountLock = NULL;
+static PZLock *certTrustLock = NULL;
+static PZLock *freeListLock = NULL;
+
+void
+certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
+{
+ if (dbLock == NULL) {
+ dbLock = PZ_NewLock(nssILockCertDB);
+ PORT_Assert(dbLock != NULL);
+ }
+}
+
+SECStatus
+nsslowcert_InitLocks(void)
+{
+ if (freeListLock == NULL) {
+ freeListLock = PZ_NewLock(nssILockRefLock);
+ if (freeListLock == NULL) {
+ return SECFailure;
+ }
+ }
+ if (certRefCountLock == NULL) {
+ certRefCountLock = PZ_NewLock(nssILockRefLock);
+ if (certRefCountLock == NULL) {
+ return SECFailure;
+ }
+ }
+ if (certTrustLock == NULL) {
+ certTrustLock = PZ_NewLock(nssILockCertDB);
+ if (certTrustLock == NULL) {
+ return SECFailure;
+ }
+ }
+
+ return SECSuccess;
+}
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ * adding or deleting a cert to either the temp or perm databases
+ * converting a temp to perm or perm to temp
+ * changing (maybe just adding!?) the trust of a cert
+ * chaning the DB status checking Configuration
+ */
+static void
+nsslowcert_LockDB(NSSLOWCERTCertDBHandle *handle)
+{
+ PZ_EnterMonitor(handle->dbMon);
+ return;
+}
+
+/*
+ * Free the global cert database lock.
+ */
+static void
+nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
+{
+#ifdef DEBUG
+ PRStatus prstat = PZ_ExitMonitor(handle->dbMon);
+ PORT_Assert(prstat == PR_SUCCESS);
+#else
+ PZ_ExitMonitor(handle->dbMon);
+#endif
+}
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certRefCountLock != NULL);
+
+ PZ_Lock(certRefCountLock);
+ return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certRefCountLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PZ_Unlock(certRefCountLock);
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ PZ_Unlock(certRefCountLock);
+#endif
+}
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertTrust(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certTrustLock != NULL);
+
+ PZ_Lock(certTrustLock);
+ return;
+}
+
+/*
+ * Free the cert trust lock
+ */
+static void
+nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certTrustLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PZ_Unlock(certTrustLock);
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ PZ_Unlock(certTrustLock);
+#endif
+}
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockFreeList(void)
+{
+ PORT_Assert(freeListLock != NULL);
+
+ SKIP_AFTER_FORK(PZ_Lock(freeListLock));
+ return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockFreeList(void)
+{
+ PORT_Assert(freeListLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PR_SUCCESS;
+ SKIP_AFTER_FORK(prstat = PZ_Unlock(freeListLock));
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ SKIP_AFTER_FORK(PZ_Unlock(freeListLock));
+#endif
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+ if (c) {
+ nsslowcert_LockCertRefCount(c);
+ ++c->referenceCount;
+ nsslowcert_UnlockCertRefCount(c);
+ }
+ return c;
+}
+
+static int
+certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->get)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static int
+certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret = 0;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->put)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static int
+certdb_Sync(DB *db, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->sync)(db, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+#define DB_NOT_FOUND -30991 /* from DBM 3.2 */
+static int
+certdb_Del(DB *db, DBT *key, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->del)(db, key, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ /* don't fail if the record is already deleted */
+ if (ret == DB_NOT_FOUND) {
+ ret = 0;
+ }
+
+ return (ret);
+}
+
+static int
+certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->seq)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static void 
+certdb_Close(DB *db)
+{
+ PORT_Assert(dbLock != NULL);
+ SKIP_AFTER_FORK(PZ_Lock(dbLock));
+
+ (*db->close)(db);
+
+ SKIP_AFTER_FORK(PZ_Unlock(dbLock));
+
+ return;
+}
+
+void
+pkcs11_freeNickname(char *nickname, char *space)
+{
+ if (nickname && nickname != space) {
+ PORT_Free(nickname);
+ }
+}
+
+char *
+pkcs11_copyNickname(char *nickname, char *space, int spaceLen)
+{
+ int len;
+ char *copy = NULL;
+
+ len = PORT_Strlen(nickname) + 1;
+ if (len <= spaceLen) {
+ copy = space;
+ PORT_Memcpy(copy, nickname, len);
+ } else {
+ copy = PORT_Strdup(nickname);
+ }
+
+ return copy;
+}
+
+void
+pkcs11_freeStaticData(unsigned char *data, unsigned char *space)
+{
+ if (data && data != space) {
+ PORT_Free(data);
+ }
+}
+
+unsigned char *
+pkcs11_allocStaticData(int len, unsigned char *space, int spaceLen)
+{
+ unsigned char *data = NULL;
+
+ if (len <= spaceLen) {
+ data = space;
+ } else {
+ data = (unsigned char *)PORT_Alloc(len);
+ }
+
+ return data;
+}
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int len,
+ unsigned char *space, int spaceLen)
+{
+ unsigned char *copy = pkcs11_allocStaticData(len, space, spaceLen);
+ if (copy) {
+ PORT_Memcpy(copy, data, len);
+ }
+
+ return copy;
+}
+
+/*
+ * destroy a database entry
+ */
+static void
+DestroyDBEntry(certDBEntry *entry)
+{
+ PLArenaPool *arena = entry->common.arena;
+
+ /* must be one of our certDBEntry from the free list */
+ if (arena == NULL) {
+ certDBEntryCert *certEntry;
+ if (entry->common.type != certDBEntryTypeCert) {
+ return;
+ }
+ certEntry = (certDBEntryCert *)entry;
+
+ pkcs11_freeStaticData(certEntry->derCert.data, certEntry->derCertSpace);
+ pkcs11_freeNickname(certEntry->nickname, certEntry->nicknameSpace);
+
+ nsslowcert_LockFreeList();
+ if (entryListCount > MAX_ENTRY_LIST_COUNT) {
+ PORT_Free(certEntry);
+ } else {
+ entryListCount++;
+ PORT_Memset(certEntry, 0, sizeof(*certEntry));
+ certEntry->next = entryListHead;
+ entryListHead = certEntry;
+ }
+ nsslowcert_UnlockFreeList();
+ return;
+ }
+
+ /* Zero out the entry struct, so that any further attempts to use it
+ * will cause an exception (e.g. null pointer reference). */
+ PORT_Memset(&entry->common, 0, sizeof entry->common);
+ PORT_FreeArena(arena, PR_FALSE);
+
+ return;
+}
+
+/* forward references */
+static void nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert);
+
+static SECStatus
+DeleteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
+{
+ DBT key;
+ int ret;
+
+ /* init the database key */
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)type;
+
+ /* delete entry from database */
+ ret = certdb_Del(handle->permCertDB, &key, 0);
+ if (ret != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+ if (ret) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+ReadDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+ SECItem *dbkey, SECItem *dbentry, PLArenaPool *arena)
+{
+ DBT data, key;
+ int ret;
+ unsigned char *buf;
+
+ /* init the database key */
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)entry->type;
+
+ /* read entry from database */
+ ret = certdb_Get(handle->permCertDB, &key, &data, 0);
+ if (ret != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* validate the entry */
+ if (data.size < SEC_DB_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ buf = (unsigned char *)data.data;
+ /* version 7 has the same schema, we may be using a v7 db if we openned
+ * the databases readonly.
 */
+ if (!((buf[0] == (unsigned char)CERT_DB_FILE_VERSION) ||
+ (buf[0] == (unsigned char)CERT_DB_V7_FILE_VERSION))) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ if (buf[1] != (unsigned char)entry->type) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* copy out header information */
+ entry->version = (unsigned int)buf[0];
+ entry->type = (certDBEntryType)buf[1];
+ entry->flags = (unsigned int)buf[2];
+
+ /* format body of entry for return to caller */
+ dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ if (dbentry->len) {
+ if (arena) {
+ dbentry->data = (unsigned char *)
+ PORT_ArenaAlloc(arena, dbentry->len);
+ if (dbentry->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
+ dbentry->len);
+ } else {
+ dbentry->data = &buf[SEC_DB_ENTRY_HEADER_LEN];
+ }
+ } else {
+ dbentry->data = NULL;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/**
+ ** Implement low level database access
+ **/
+static SECStatus
+WriteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+ SECItem *dbkey, SECItem *dbentry)
+{
+ int ret;
+ DBT data, key;
+ unsigned char *buf;
+
+ data.data = dbentry->data;
+ data.size = dbentry->len;
+
+ buf = (unsigned char *)data.data;
+
+ buf[0] = (unsigned char)entry->version;
+ buf[1] = (unsigned char)entry->type;
+ buf[2] = (unsigned char)entry->flags;
+
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)entry->type;
+
+ /* put the record into the database now */
+ ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+
+ if (ret != 0) {
+ goto loser;
+ }
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+
+ if (ret) {
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCertEntry(certDBEntryCert *entry, PLArenaPool *arena, SECItem *dbitem)
+{
+ unsigned int nnlen;
+ 
unsigned char *buf;
+ char *nn;
+ char zbuf = 0;
+
+ if (entry->nickname) {
+ nn = entry->nickname;
+ } else {
+ nn = &zbuf;
+ }
+ nnlen = PORT_Strlen(nn) + 1;
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
+ SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(entry->trust.sslFlags >> 8);
+ buf[1] = (PRUint8)(entry->trust.sslFlags);
+ buf[2] = (PRUint8)(entry->trust.emailFlags >> 8);
+ buf[3] = (PRUint8)(entry->trust.emailFlags);
+ buf[4] = (PRUint8)(entry->trust.objectSigningFlags >> 8);
+ buf[5] = (PRUint8)(entry->trust.objectSigningFlags);
+ buf[6] = (PRUint8)(entry->derCert.len >> 8);
+ buf[7] = (PRUint8)(entry->derCert.len);
+ buf[8] = (PRUint8)(nnlen >> 8);
+ buf[9] = (PRUint8)(nnlen);
+
+ PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
+ entry->derCert.len);
+
+ PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
+ nn, nnlen);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * encode a database key for a cert record
+ */
+static SECStatus
+EncodeDBCertKey(const SECItem *certKey, PLArenaPool *arena, SECItem *dbkey)
+{
+ unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+ if (len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ if (arena) {
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+ } else {
+ if (dbkey->len < len) {
+ dbkey->data = (unsigned char *)PORT_Alloc(len);
+ }
+ }
+ dbkey->len = len;
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+ certKey->data, certKey->len);
+ dbkey->data[0] = certDBEntryTypeCert;
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+static 
SECStatus
+EncodeDBGenericKey(const SECItem *certKey, PLArenaPool *arena, SECItem *dbkey,
+ certDBEntryType entryType)
+{
+ /*
+ * we only allow _one_ KRL key!
+ */
+ if (entryType == certDBEntryTypeKeyRevocation) {
+ dbkey->len = SEC_DB_KEY_HEADER_LEN;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ dbkey->data[0] = (unsigned char)entryType;
+ return (SECSuccess);
+ }
+
+ dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+ certKey->data, certKey->len);
+ dbkey->data[0] = (unsigned char)entryType;
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
+{
+ unsigned int nnlen;
+ unsigned int headerlen;
+ int lenoff;
+
+ /* allow updates of old versions of the database */
+ switch (entry->common.version) {
+ case 5:
+ headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ case 6:
+ /* should not get here */
+ PORT_Assert(0);
+ headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ case 7:
+ case 8:
+ headerlen = DB_CERT_ENTRY_HEADER_LEN;
+ lenoff = 6;
+ break;
+ default:
+ /* better not get here */
+ PORT_Assert(0);
+ headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ }
+
+ /* is record long enough for header? */
+ if (dbentry->len < headerlen) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? 
 */
+ entry->derCert.len = ((dbentry->data[lenoff] << 8) |
+ dbentry->data[lenoff + 1]);
+ nnlen = ((dbentry->data[lenoff + 2] << 8) | dbentry->data[lenoff + 3]);
+ lenoff = dbentry->len - (entry->derCert.len + nnlen + headerlen);
+ if (lenoff) {
+ if (lenoff < 0 || (lenoff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* The cert size exceeded 64KB. Reconstruct the correct length. */
+ entry->derCert.len += lenoff;
+ }
+
+ /* Is data long enough? */
+ if (dbentry->len < headerlen + entry->derCert.len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* copy the dercert */
+ entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
+ entry->derCert.len, entry->derCertSpace, sizeof(entry->derCertSpace));
+ if (entry->derCert.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* copy the nickname */
+ if (nnlen > 1) {
+ /* Is data long enough? */
+ if (dbentry->len < headerlen + entry->derCert.len + nnlen) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ entry->nickname = (char *)pkcs11_copyStaticData(
+ &dbentry->data[headerlen + entry->derCert.len], nnlen,
+ (unsigned char *)entry->nicknameSpace,
+ sizeof(entry->nicknameSpace));
+ if (entry->nickname == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ } else {
+ entry->nickname = NULL;
+ }
+
+ if (entry->common.version < 7) {
+ /* allow updates of v5 db */
+ entry->trust.sslFlags = dbentry->data[0];
+ entry->trust.emailFlags = dbentry->data[1];
+ entry->trust.objectSigningFlags = dbentry->data[2];
+ } else {
+ entry->trust.sslFlags = (dbentry->data[0] << 8) | dbentry->data[1];
+ entry->trust.emailFlags = (dbentry->data[2] << 8) | dbentry->data[3];
+ entry->trust.objectSigningFlags =
+ (dbentry->data[4] << 8) | dbentry->data[5];
+ }
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Create a new certDBEntryCert from existing data
+ */
+static certDBEntryCert *
+NewDBCertEntry(SECItem 
*derCert, char *nickname,
+ NSSLOWCERTCertTrust *trust, int flags)
+{
+ certDBEntryCert *entry;
+ PLArenaPool *arena = NULL;
+ int nnlen;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryCert);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* fill in the dbCert */
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeCert;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ if (trust) {
+ entry->trust = *trust;
+ }
+
+ entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
+ if (!entry->derCert.data) {
+ goto loser;
+ }
+ entry->derCert.len = derCert->len;
+ PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
+
+ nnlen = (nickname ? strlen(nickname) + 1 : 0);
+
+ if (nnlen) {
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (!entry->nickname) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->nickname, nickname, nnlen);
+
+ } else {
+ entry->nickname = 0;
+ }
+
+ return (entry);
+
+loser:
+
+ /* allocation error, free arena and return */
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+/*
+ * Decode a version 4 DBCert from the byte stream database format
+ * and construct a current database entry struct
+ */
+static certDBEntryCert *
+DecodeV4DBCertEntry(unsigned char *buf, int len)
+{
+ certDBEntryCert *entry;
+ int certlen;
+ int nnlen;
+ PLArenaPool *arena;
+
+ /* make sure length is at least long enough for the header */
+ if (len < DBCERT_V4_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (0);
+ }
+
+ /* get other lengths */
+ certlen = buf[3] << 8 | buf[4];
+ nnlen = buf[5] << 8 | buf[6];
+
+ /* make sure DB entry is the right size */
+ if ((certlen + nnlen + DBCERT_V4_HEADER_LEN) != len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (0);
+ }
+
+ /* allocate arena */
+ arena = 
PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+ }
+
+ /* allocate structure and members */
+ entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+
+ if (!entry) {
+ goto loser;
+ }
+
+ entry->common.arena = arena;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.type = certDBEntryTypeCert;
+ entry->common.flags = 0;
+ entry->trust.sslFlags = buf[0];
+ entry->trust.emailFlags = buf[1];
+ entry->trust.objectSigningFlags = buf[2];
+
+ entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
+ if (!entry->derCert.data) {
+ goto loser;
+ }
+ entry->derCert.len = certlen;
+ PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
+
+ if (nnlen) {
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (!entry->nickname) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
+
+ if (PORT_Strcmp(entry->nickname, "Server-Cert") == 0) {
+ entry->trust.sslFlags |= CERTDB_USER;
+ }
+ } else {
+ entry->nickname = 0;
+ }
+
+ return (entry);
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+/*
+ * Encode a Certificate database entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBCertEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECItem tmpitem;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* get the database key and format it */
+ rv = nsslowcert_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ 
rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * delete a certificate entry
+ */
+static SECStatus
+DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+ SECItem dbkey;
+ SECStatus rv;
+
+ dbkey.data = NULL;
+ dbkey.len = 0;
+
+ rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_Free(dbkey.data);
+
+ return (SECSuccess);
+
+loser:
+ if (dbkey.data) {
+ PORT_Free(dbkey.data);
+ }
+ return (SECFailure);
+}
+
+static certDBEntryCert *
+CreateCertEntry(void)
+{
+ certDBEntryCert *entry;
+
+ nsslowcert_LockFreeList();
+ entry = entryListHead;
+ if (entry) {
+ entryListCount--;
+ entryListHead = entry->next;
+ }
+ PORT_Assert(entryListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (entry) {
+ return entry;
+ }
+
+ return PORT_ZNew(certDBEntryCert);
+}
+
+static void
+DestroyCertEntryFreeList(void)
+{
+ certDBEntryCert *entry;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (entry = entryListHead)) {
+ entryListCount--;
+ entryListHead = entry->next;
+ PORT_Free(entry);
+ }
+ PORT_Assert(!entryListCount);
+ entryListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryCert *
+ReadDBCertEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ certDBEntryCert *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+ unsigned char buf[512];
+
+ dbkey.data = buf;
+ dbkey.len = sizeof(buf);
+
+ entry = CreateCertEntry();
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = NULL;
+ entry->common.type = certDBEntryTypeCert;
+
+ rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+ if 
(rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBCertEntry(entry, &dbentry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ pkcs11_freeStaticData(dbkey.data, buf);
+ dbkey.data = NULL;
+ return (entry);
+
+loser:
+ pkcs11_freeStaticData(dbkey.data, buf);
+ dbkey.data = NULL;
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+
+ return (NULL);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCrlEntry(certDBEntryRevocation *entry, PLArenaPool *arena, SECItem *dbitem)
+{
+ unsigned int nnlen = 0;
+ unsigned char *buf;
+
+ if (entry->url) {
+ nnlen = PORT_Strlen(entry->url) + 1;
+ }
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->derCrl.len + nnlen + SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(entry->derCrl.len >> 8);
+ buf[1] = (PRUint8)(entry->derCrl.len);
+ buf[2] = (PRUint8)(nnlen >> 8);
+ buf[3] = (PRUint8)(nnlen);
+
+ PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
+ entry->derCrl.len);
+
+ if (nnlen != 0) {
+ PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+ entry->url, nnlen);
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
+{
+ unsigned int urlLen;
+ int lenDiff;
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_CRL_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? 
 */
+ entry->derCrl.len = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ urlLen = ((dbentry->data[2] << 8) | dbentry->data[3]);
+ lenDiff = dbentry->len -
+ (entry->derCrl.len + urlLen + DB_CRL_ENTRY_HEADER_LEN);
+ if (lenDiff) {
+ if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* CRL entry is greater than 64 K. Hack to make this continue to work */
+ entry->derCrl.len += lenDiff;
+ }
+
+ /* copy the der CRL */
+ entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->derCrl.len);
+ if (entry->derCrl.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
+ entry->derCrl.len);
+
+ /* copy the url */
+ entry->url = NULL;
+ if (urlLen != 0) {
+ entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, urlLen);
+ if (entry->url == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->url,
+ &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+ urlLen);
+ }
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Create a new certDBEntryRevocation from existing data
+ */
+static certDBEntryRevocation *
+NewDBCrlEntry(SECItem *derCrl, char *url, certDBEntryType crlType, int flags)
+{
+ certDBEntryRevocation *entry;
+ PLArenaPool *arena = NULL;
+ int nnlen;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryRevocation);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* fill in the dbRevolcation */
+ entry->common.arena = arena;
+ entry->common.type = crlType;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
+ if (!entry->derCrl.data) {
+ goto loser;
+ }
+
+ if (url) {
+ nnlen = PORT_Strlen(url) + 1;
+ entry->url = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if 
(!entry->url) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->url, url, nnlen);
+ } else {
+ entry->url = NULL;
+ }
+
+ entry->derCrl.len = derCrl->len;
+ PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
+
+ return (entry);
+
+loser:
+
+ /* allocation error, free arena and return */
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+static SECStatus
+WriteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry,
+ SECItem *crlKey)
+{
+ SECItem dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECItem encodedEntry;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, tmparena, &dbkey, entry->common.type);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+/*
+ * delete a crl entry
+ */
+static SECStatus
+DeleteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *crlKey,
+ certDBEntryType crlType)
+{
+ SECItem dbkey;
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, crlType, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryRevocation * 
+ReadDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey,
+ certDBEntryType crlType)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryRevocation *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryRevocation *)
+ PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = crlType;
+
+ rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBCrlEntry(entry, &dbentry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry)
+{
+ DestroyDBEntry(entry);
+ return;
+}
+
+/*
+ * Encode a database nickname record
+ */
+static SECStatus
+EncodeDBNicknameEntry(certDBEntryNickname *entry, PLArenaPool *arena,
+ SECItem *dbitem)
+{
+ unsigned char *buf;
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
+ SEC_DB_ENTRY_HEADER_LEN;
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+ buf[0] = (PRUint8)(entry->subjectName.len >> 8);
+ buf[1] = 
(PRUint8)(entry->subjectName.len);
+ PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
+ entry->subjectName.len);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Encode a database key for a nickname record
+ */
+static SECStatus
+EncodeDBNicknameKey(char *nickname, PLArenaPool *arena,
+ SECItem *dbkey)
+{
+ unsigned int nnlen;
+
+ nnlen = PORT_Strlen(nickname) + 1; /* includes null */
+
+ /* now get the database key and format it */
+ dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
+ dbkey->data[0] = certDBEntryTypeNickname;
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
+ char *nickname)
+{
+ int lenDiff;
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? */
+ entry->subjectName.len = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ lenDiff = dbentry->len -
+ (entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN);
+ if (lenDiff) {
+ if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* The entry size exceeded 64KB. Reconstruct the correct length. 
*/ + entry->subjectName.len += lenDiff; + } + + /* copy the certkey */ + entry->subjectName.data = + (unsigned char *)PORT_ArenaAlloc(entry->common.arena, + entry->subjectName.len); + if (entry->subjectName.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->subjectName.data, + &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN], + entry->subjectName.len); + entry->subjectName.type = siBuffer; + + entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena, + PORT_Strlen(nickname) + 1); + if (entry->nickname) { + PORT_Strcpy(entry->nickname, nickname); + } + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * create a new nickname entry + */ +static certDBEntryNickname * +NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags) +{ + PLArenaPool *arena = NULL; + certDBEntryNickname *entry; + int nnlen; + SECStatus rv; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena, + sizeof(certDBEntryNickname)); + if (entry == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* init common fields */ + entry->common.arena = arena; + entry->common.type = certDBEntryTypeNickname; + entry->common.version = CERT_DB_FILE_VERSION; + entry->common.flags = flags; + + /* copy the nickname */ + nnlen = PORT_Strlen(nickname) + 1; + + entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen); + if (entry->nickname == NULL) { + goto loser; + } + + PORT_Memcpy(entry->nickname, nickname, nnlen); + + rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName); + if (rv != SECSuccess) { + goto loser; + } + + return (entry); +loser: + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (NULL); +} + +/* + * delete a nickname entry + */ +static SECStatus +DeleteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname) +{ + PLArenaPool *arena = NULL; + 
SECStatus rv;
+ SECItem dbkey;
+
+ if (nickname == NULL) {
+ return (SECSuccess);
+ }
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a nickname entry
+ */
+static certDBEntryNickname *
+ReadDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryNickname *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntryNickname));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeNickname;
+
+ rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* is record long enough for header?
*/ + if (dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + rv = DecodeDBNicknameEntry(entry, &dbentry, nickname); + if (rv != SECSuccess) { + goto loser; + } + + PORT_FreeArena(tmparena, PR_FALSE); + return (entry); + +loser: + if (tmparena) { + PORT_FreeArena(tmparena, PR_FALSE); + } + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (NULL); +} + +/* + * Encode a nickname entry into byte stream suitable for + * the database + */ +static SECStatus +WriteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryNickname *entry) +{ + SECItem dbitem, dbkey; + PLArenaPool *tmparena = NULL; + SECStatus rv; + + tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (tmparena == NULL) { + goto loser; + } + + rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem); + if (rv != SECSuccess) { + goto loser; + } + + rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey); + if (rv != SECSuccess) { + goto loser; + } + + /* now write it to the database */ + rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem); + if (rv != SECSuccess) { + goto loser; + } + + PORT_FreeArena(tmparena, PR_FALSE); + return (SECSuccess); + +loser: + if (tmparena) { + PORT_FreeArena(tmparena, PR_FALSE); + } + return (SECFailure); +} + +static SECStatus +EncodeDBSMimeEntry(certDBEntrySMime *entry, PLArenaPool *arena, + SECItem *dbitem) +{ + unsigned char *buf; + + /* allocate space for encoded database record, including space + * for low level header + */ + dbitem->len = entry->subjectName.len + entry->smimeOptions.len + + entry->optionsDate.len + + DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN; + + dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len); + if (dbitem->data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* fill in database record */ + buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; + + buf[0] = (PRUint8)(entry->subjectName.len >> 8); + buf[1] = 
(PRUint8)(entry->subjectName.len); + buf[2] = (PRUint8)(entry->smimeOptions.len >> 8); + buf[3] = (PRUint8)(entry->smimeOptions.len); + buf[4] = (PRUint8)(entry->optionsDate.len >> 8); + buf[5] = (PRUint8)(entry->optionsDate.len); + + /* if no smime options, then there should not be an options date either */ + PORT_Assert(!((entry->smimeOptions.len == 0) && + (entry->optionsDate.len != 0))); + + PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data, + entry->subjectName.len); + if (entry->smimeOptions.len) { + PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len], + entry->smimeOptions.data, + entry->smimeOptions.len); + PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len + + entry->smimeOptions.len], + entry->optionsDate.data, + entry->optionsDate.len); + } + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * Encode a database key for a SMIME record + */ +static SECStatus +EncodeDBSMimeKey(char *emailAddr, PLArenaPool *arena, + SECItem *dbkey) +{ + unsigned int addrlen; + + addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */ + + /* now get the database key and format it */ + dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; + dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); + if (dbkey->data == NULL) { + goto loser; + } + PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen); + dbkey->data[0] = certDBEntryTypeSMimeProfile; + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * Decode a database SMIME record + */ +static SECStatus +DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr) +{ + int lenDiff; + + /* is record long enough for header? */ + if (dbentry->len < DB_SMIME_ENTRY_HEADER_LEN) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + /* is database entry correct length? 
*/ + entry->subjectName.len = ((dbentry->data[0] << 8) | dbentry->data[1]); + entry->smimeOptions.len = ((dbentry->data[2] << 8) | dbentry->data[3]); + entry->optionsDate.len = ((dbentry->data[4] << 8) | dbentry->data[5]); + lenDiff = dbentry->len - (entry->subjectName.len + + entry->smimeOptions.len + + entry->optionsDate.len + + DB_SMIME_ENTRY_HEADER_LEN); + if (lenDiff) { + if (lenDiff < 0 || (lenDiff & 0xffff) != 0) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + /* The entry size exceeded 64KB. Reconstruct the correct length. */ + entry->subjectName.len += lenDiff; + } + + /* copy the subject name */ + entry->subjectName.data = + (unsigned char *)PORT_ArenaAlloc(entry->common.arena, + entry->subjectName.len); + if (entry->subjectName.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->subjectName.data, + &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN], + entry->subjectName.len); + + /* copy the smime options */ + if (entry->smimeOptions.len) { + entry->smimeOptions.data = + (unsigned char *)PORT_ArenaAlloc(entry->common.arena, + entry->smimeOptions.len); + if (entry->smimeOptions.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->smimeOptions.data, + &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN + + entry->subjectName.len], + entry->smimeOptions.len); + } else { + entry->smimeOptions.data = NULL; + } + if (entry->optionsDate.len) { + entry->optionsDate.data = + (unsigned char *)PORT_ArenaAlloc(entry->common.arena, + entry->optionsDate.len); + if (entry->optionsDate.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->optionsDate.data, + &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN + + entry->subjectName.len + + entry->smimeOptions.len], + entry->optionsDate.len); + } else { + entry->optionsDate.data = NULL; + } + + /* both options and options date must either exist or not exist */ + if (((entry->optionsDate.len == 0) || + 
(entry->smimeOptions.len == 0)) && + entry->smimeOptions.len != entry->optionsDate.len) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena, + PORT_Strlen(emailAddr) + 1); + if (entry->emailAddr) { + PORT_Strcpy(entry->emailAddr, emailAddr); + } + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * create a new SMIME entry + */ +static certDBEntrySMime * +NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions, + SECItem *optionsDate, unsigned int flags) +{ + PLArenaPool *arena = NULL; + certDBEntrySMime *entry; + int addrlen; + SECStatus rv; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena, + sizeof(certDBEntrySMime)); + if (entry == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* init common fields */ + entry->common.arena = arena; + entry->common.type = certDBEntryTypeSMimeProfile; + entry->common.version = CERT_DB_FILE_VERSION; + entry->common.flags = flags; + + /* copy the email addr */ + addrlen = PORT_Strlen(emailAddr) + 1; + + entry->emailAddr = (char *)PORT_ArenaAlloc(arena, addrlen); + if (entry->emailAddr == NULL) { + goto loser; + } + + PORT_Memcpy(entry->emailAddr, emailAddr, addrlen); + + /* copy the subject name */ + rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName); + if (rv != SECSuccess) { + goto loser; + } + + /* copy the smime options */ + if (smimeOptions) { + rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions); + if (rv != SECSuccess) { + goto loser; + } + } else { + PORT_Assert(optionsDate == NULL); + entry->smimeOptions.data = NULL; + entry->smimeOptions.len = 0; + } + + /* copy the options date */ + if (optionsDate) { + rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate); + if (rv != SECSuccess) { + goto loser; + } + } else { + 
PORT_Assert(smimeOptions == NULL);
+ entry->optionsDate.data = NULL;
+ entry->optionsDate.len = 0;
+ }
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * delete a SMIME entry
+ */
+static SECStatus
+DeleteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+ SECItem dbkey;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a SMIME entry
+ */
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntrySMime *entry = NULL;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySMime *)PORT_ArenaZAlloc(arena,
+ sizeof(certDBEntrySMime));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSMimeProfile;
+
+ rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* is record long enough for header?
*/
+ if (dbentry.len < DB_SMIME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a SMIME entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySMime *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * Encode a database subject record
+ */
+static SECStatus
+EncodeDBSubjectEntry(certDBEntrySubject *entry, PLArenaPool *arena,
+ SECItem *dbitem)
+{
+ unsigned char *buf;
+ int len;
+ unsigned int ncerts;
+ unsigned int i;
+ unsigned char *tmpbuf;
+ unsigned int nnlen = 0;
+ unsigned int eaddrslen = 0;
+ int keyidoff;
+ SECItem *certKeys = entry->certKeys;
+ SECItem *keyIDs = entry->keyIDs;
+ ;
+
+ if (entry->nickname) {
+ nnlen = PORT_Strlen(entry->nickname) + 1;
+ }
+ if (entry->emailAddrs) {
+ eaddrslen = 2;
+ for (i = 0; i < entry->nemailAddrs; i++) {
+ eaddrslen += PORT_Strlen(entry->emailAddrs[i]) + 1 + 2;
+ }
+ }
+
+ ncerts = entry->ncerts;
+
+ /* compute the length of the entry */
+ keyidoff =
DB_SUBJECT_ENTRY_HEADER_LEN + nnlen; + len = keyidoff + (4 * ncerts) + eaddrslen; + for (i = 0; i < ncerts; i++) { + if (keyIDs[i].len > 0xffff || + (certKeys[i].len > 0xffff)) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + goto loser; + } + len += certKeys[i].len; + len += keyIDs[i].len; + } + + /* allocate space for encoded database record, including space + * for low level header + */ + dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN; + + dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len); + if (dbitem->data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* fill in database record */ + buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; + + buf[0] = (PRUint8)(ncerts >> 8); + buf[1] = (PRUint8)(ncerts); + buf[2] = (PRUint8)(nnlen >> 8); + buf[3] = (PRUint8)(nnlen); + /* v7 email field is NULL in v8 */ + buf[4] = 0; + buf[5] = 0; + + PORT_Assert(DB_SUBJECT_ENTRY_HEADER_LEN == 6); + + if (entry->nickname) { + PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen); + } + tmpbuf = &buf[keyidoff]; + for (i = 0; i < ncerts; i++) { + tmpbuf[0] = (PRUint8)(certKeys[i].len >> 8); + tmpbuf[1] = (PRUint8)(certKeys[i].len); + tmpbuf += 2; + } + for (i = 0; i < ncerts; i++) { + tmpbuf[0] = (PRUint8)(keyIDs[i].len >> 8); + tmpbuf[1] = (PRUint8)(keyIDs[i].len); + tmpbuf += 2; + } + + for (i = 0; i < ncerts; i++) { + PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len); + tmpbuf += certKeys[i].len; + } + for (i = 0; i < ncerts; i++) { + if (keyIDs[i].len) { + PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len); + tmpbuf += keyIDs[i].len; + } + } + + if (entry->emailAddrs) { + tmpbuf[0] = (PRUint8)(entry->nemailAddrs >> 8); + tmpbuf[1] = (PRUint8)(entry->nemailAddrs); + tmpbuf += 2; + for (i = 0; i < entry->nemailAddrs; i++) { + int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1; + tmpbuf[0] = (PRUint8)(nameLen >> 8); + tmpbuf[1] = (PRUint8)(nameLen); + tmpbuf += 2; + PORT_Memcpy(tmpbuf, entry->emailAddrs[i], nameLen); + tmpbuf += 
nameLen; + } + } + + PORT_Assert(tmpbuf == &buf[len]); + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * Encode a database key for a subject record + */ +static SECStatus +EncodeDBSubjectKey(SECItem *derSubject, PLArenaPool *arena, + SECItem *dbkey) +{ + dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; + dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); + if (dbkey->data == NULL) { + goto loser; + } + PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data, + derSubject->len); + dbkey->data[0] = certDBEntryTypeSubject; + + return (SECSuccess); + +loser: + return (SECFailure); +} + +static SECStatus +DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry, + const SECItem *derSubject) +{ + PLArenaPool *arena = entry->common.arena; + unsigned char *tmpbuf; + unsigned char *end; + void *mark = PORT_ArenaMark(arena); + unsigned int eaddrlen; + unsigned int i; + unsigned int keyidoff; + unsigned int len; + unsigned int ncerts = 0; + unsigned int nnlen; + SECStatus rv; + + rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject); + if (rv != SECSuccess) { + goto loser; + } + + /* is record long enough for header? 
*/ + if (dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + entry->ncerts = ncerts = ((dbentry->data[0] << 8) | dbentry->data[1]); + nnlen = ((dbentry->data[2] << 8) | dbentry->data[3]); + eaddrlen = ((dbentry->data[4] << 8) | dbentry->data[5]); + keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen; + len = keyidoff + (4 * ncerts); + if (dbentry->len < len) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + entry->certKeys = PORT_ArenaNewArray(arena, SECItem, ncerts); + entry->keyIDs = PORT_ArenaNewArray(arena, SECItem, ncerts); + if ((entry->certKeys == NULL) || (entry->keyIDs == NULL)) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + if (nnlen > 1) { /* null terminator is stored */ + entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen); + if (entry->nickname == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->nickname, + &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN], + nnlen); + } else { + entry->nickname = NULL; + } + + /* if we have an old style email entry, there is only one */ + entry->nemailAddrs = 0; + if (eaddrlen > 1) { /* null terminator is stored */ + entry->emailAddrs = PORT_ArenaNewArray(arena, char *, 2); + if (entry->emailAddrs == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + entry->emailAddrs[0] = (char *)PORT_ArenaAlloc(arena, eaddrlen); + if (entry->emailAddrs[0] == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->emailAddrs[0], + &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN + nnlen], + eaddrlen); + entry->nemailAddrs = 1; + } else { + entry->emailAddrs = NULL; + } + + /* collect the lengths of the certKeys and keyIDs, and total the + * overall length. 
+ */ + tmpbuf = &dbentry->data[keyidoff]; + for (i = 0; i < ncerts; i++) { + unsigned int itemlen = (tmpbuf[0] << 8) | tmpbuf[1]; + entry->certKeys[i].len = itemlen; + len += itemlen; + tmpbuf += 2; + } + for (i = 0; i < ncerts; i++) { + unsigned int itemlen = (tmpbuf[0] << 8) | tmpbuf[1]; + entry->keyIDs[i].len = itemlen; + len += itemlen; + tmpbuf += 2; + } + + /* is encoded entry large enough ? */ + if (len > dbentry->len) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + goto loser; + } + + for (i = 0; i < ncerts; i++) { + unsigned int kLen = entry->certKeys[i].len; + entry->certKeys[i].data = (unsigned char *)PORT_ArenaAlloc(arena, kLen); + if (entry->certKeys[i].data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->certKeys[i].data, tmpbuf, kLen); + tmpbuf += kLen; + } + for (i = 0; i < ncerts; i++) { + unsigned int iLen = entry->keyIDs[i].len; + entry->keyIDs[i].data = (unsigned char *)PORT_ArenaAlloc(arena, iLen); + if (entry->keyIDs[i].data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, iLen); + tmpbuf += iLen; + } + + end = dbentry->data + dbentry->len; + if ((eaddrlen == 0) && (end - tmpbuf > 1)) { + /* read in the additional email addresses */ + entry->nemailAddrs = (((unsigned int)tmpbuf[0]) << 8) | tmpbuf[1]; + tmpbuf += 2; + if (end - tmpbuf < 2 * (int)entry->nemailAddrs) + goto loser; + entry->emailAddrs = PORT_ArenaNewArray(arena, char *, entry->nemailAddrs); + if (entry->emailAddrs == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + for (i = 0; i < entry->nemailAddrs; i++) { + int nameLen; + if (end - tmpbuf < 2) { + goto loser; + } + nameLen = (((int)tmpbuf[0]) << 8) | tmpbuf[1]; + tmpbuf += 2; + if (end - tmpbuf < nameLen) { + goto loser; + } + entry->emailAddrs[i] = PORT_ArenaAlloc(arena, nameLen); + if (entry->emailAddrs == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + PORT_Memcpy(entry->emailAddrs[i], tmpbuf, 
nameLen); + tmpbuf += nameLen; + } + if (tmpbuf != end) + goto loser; + } + PORT_ArenaUnmark(arena, mark); + return (SECSuccess); + +loser: + PORT_ArenaRelease(arena, mark); /* discard above allocations */ + return (SECFailure); +} + +/* + * create a new subject entry with a single cert + */ +static certDBEntrySubject * +NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey, + SECItem *keyID, char *nickname, char *emailAddr, + unsigned int flags) +{ + PLArenaPool *arena = NULL; + certDBEntrySubject *entry; + SECStatus rv; + unsigned int nnlen; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena, + sizeof(certDBEntrySubject)); + if (entry == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* init common fields */ + entry->common.arena = arena; + entry->common.type = certDBEntryTypeSubject; + entry->common.version = CERT_DB_FILE_VERSION; + entry->common.flags = flags; + + /* copy the subject */ + rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject); + if (rv != SECSuccess) { + goto loser; + } + + entry->ncerts = 1; + entry->nemailAddrs = 0; + /* copy nickname */ + if (nickname && (*nickname != '\0')) { + nnlen = PORT_Strlen(nickname) + 1; + entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen); + if (entry->nickname == NULL) { + goto loser; + } + + PORT_Memcpy(entry->nickname, nickname, nnlen); + } else { + entry->nickname = NULL; + } + + /* copy email addr */ + if (emailAddr && (*emailAddr != '\0')) { + emailAddr = nsslowcert_FixupEmailAddr(emailAddr); + if (emailAddr == NULL) { + entry->emailAddrs = NULL; + goto loser; + } + + entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *)); + if (entry->emailAddrs == NULL) { + PORT_Free(emailAddr); + goto loser; + } + entry->emailAddrs[0] = PORT_ArenaStrdup(arena, emailAddr); + if (entry->emailAddrs[0]) { + entry->nemailAddrs = 1; + } + + 
PORT_Free(emailAddr); + } else { + entry->emailAddrs = NULL; + } + + /* allocate space for certKeys and keyIDs */ + entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem)); + entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem)); + if ((entry->certKeys == NULL) || (entry->keyIDs == NULL)) { + goto loser; + } + + /* copy the certKey and keyID */ + rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey); + if (rv != SECSuccess) { + goto loser; + } + rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID); + if (rv != SECSuccess) { + goto loser; + } + + return (entry); +loser: + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (NULL); +} + +/* + * delete a subject entry + */ +static SECStatus +DeleteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject) +{ + SECItem dbkey; + PLArenaPool *arena = NULL; + SECStatus rv; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + goto loser; + } + + rv = EncodeDBSubjectKey(derSubject, arena, &dbkey); + if (rv != SECSuccess) { + goto loser; + } + + rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey); + if (rv == SECFailure) { + goto loser; + } + + PORT_FreeArena(arena, PR_FALSE); + return (SECSuccess); + +loser: + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (SECFailure); +} + +/* + * Read the subject entry + */ +static certDBEntrySubject * +ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject) +{ + /* |arena| isn't function-bounded, so cannot be a PORTCheapArenaPool. 
*/
+ PLArenaPool *arena = NULL;
+ PORTCheapArenaPool tmpArena;
+
+ certDBEntrySubject *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntrySubject));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSubject;
+
+ rv = EncodeDBSubjectKey(derSubject, &tmpArena.arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, &tmpArena.arena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_DestroyCheapArena(&tmpArena);
+ return (entry);
+
+loser:
+ PORT_DestroyCheapArena(&tmpArena);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a subject name entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySubject *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+typedef enum {
nsslowcert_remove, + nsslowcert_add } nsslowcertUpdateType; + +static SECStatus +nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle, + SECItem *derSubject, char *emailAddr, nsslowcertUpdateType updateType) +{ + certDBEntrySubject *entry = NULL; + int index = -1, i; + SECStatus rv; + + if (emailAddr) { + emailAddr = nsslowcert_FixupEmailAddr(emailAddr); + if (emailAddr == NULL) { + return SECFailure; + } + } else { + return SECSuccess; + } + + entry = ReadDBSubjectEntry(dbhandle, derSubject); + if (entry == NULL) { + rv = SECFailure; + goto done; + } + + for (i = 0; i < (int)(entry->nemailAddrs); i++) { + if (PORT_Strcmp(entry->emailAddrs[i], emailAddr) == 0) { + index = i; + } + } + + if (updateType == nsslowcert_remove) { + if (index == -1) { + rv = SECSuccess; + goto done; + } + entry->nemailAddrs--; + for (i = index; i < (int)(entry->nemailAddrs); i++) { + entry->emailAddrs[i] = entry->emailAddrs[i + 1]; + } + } else { + char **newAddrs = NULL; + + if (index != -1) { + rv = SECSuccess; + goto done; + } + newAddrs = (char **)PORT_ArenaAlloc(entry->common.arena, + (entry->nemailAddrs + 1) * sizeof(char *)); + if (!newAddrs) { + rv = SECFailure; + goto done; + } + for (i = 0; i < (int)(entry->nemailAddrs); i++) { + newAddrs[i] = entry->emailAddrs[i]; + } + newAddrs[entry->nemailAddrs] = + PORT_ArenaStrdup(entry->common.arena, emailAddr); + if (!newAddrs[entry->nemailAddrs]) { + rv = SECFailure; + goto done; + } + entry->emailAddrs = newAddrs; + entry->nemailAddrs++; + } + + /* delete the subject entry */ + DeleteDBSubjectEntry(dbhandle, derSubject); + + /* write the new one */ + rv = WriteDBSubjectEntry(dbhandle, entry); + +done: + if (entry) + DestroyDBEntry((certDBEntry *)entry); + if (emailAddr) + PORT_Free(emailAddr); + return rv; +} + +/* + * writes a nickname to an existing subject entry that does not currently + * have one + */ +static SECStatus +AddNicknameToSubject(NSSLOWCERTCertDBHandle *dbhandle, + NSSLOWCERTCertificate *cert, char 
*nickname)
+{
+ certDBEntrySubject *entry;
+ SECStatus rv;
+
+ if (nickname == NULL) {
+ return (SECFailure);
+ }
+
+ entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
+ PORT_Assert(entry != NULL);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ PORT_Assert(entry->nickname == NULL);
+ if (entry->nickname != NULL) {
+ goto loser;
+ }
+
+ entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+
+ if (entry->nickname == NULL) {
+ goto loser;
+ }
+
+ /* delete the subject entry */
+ DeleteDBSubjectEntry(dbhandle, &cert->derSubject);
+
+ /* write the new one */
+ rv = WriteDBSubjectEntry(dbhandle, entry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ DestroyDBEntry((certDBEntry *)entry);
+ return (SECSuccess);
+
+loser:
+ DestroyDBEntry((certDBEntry *)entry);
+ return (SECFailure);
+}
+
+/*
+ * create a new version entry
+ */
+static certDBEntryVersion *
+NewDBVersionEntry(unsigned int flags)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntryVersion *entry;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntryVersion));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeVersion;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Read the version entry
+ */
+static certDBEntryVersion *
+ReadDBVersionEntry(NSSLOWCERTCertDBHandle *handle)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryVersion *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena
== NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryVersion);
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeVersion;
+
+ /* now get the database key and format it */
+ dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+ dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+ if (dbkey.data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+ SEC_DB_VERSION_KEY_LEN);
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a version entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBVersionEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryVersion *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
+ if (dbitem.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* now get the database key and format it */
+ dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+ dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+ if (dbkey.data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+ SEC_DB_VERSION_KEY_LEN);
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey,
&dbitem); + if (rv != SECSuccess) { + goto loser; + } + + PORT_FreeArena(tmparena, PR_FALSE); + return (SECSuccess); + +loser: + if (tmparena) { + PORT_FreeArena(tmparena, PR_FALSE); + } + return (SECFailure); +} + +/* + * cert is no longer a perm cert, but will remain a temp cert + */ +static SECStatus +RemovePermSubjectNode(NSSLOWCERTCertificate *cert) +{ + certDBEntrySubject *entry; + unsigned int i; + SECStatus rv; + + entry = ReadDBSubjectEntry(cert->dbhandle, &cert->derSubject); + if (entry == NULL) { + return (SECFailure); + } + + PORT_Assert(entry->ncerts); + rv = SECFailure; + + if (entry->ncerts > 1) { + for (i = 0; i < entry->ncerts; i++) { + if (SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) == + SECEqual) { + /* copy rest of list forward one entry */ + for (i = i + 1; i < entry->ncerts; i++) { + entry->certKeys[i - 1] = entry->certKeys[i]; + entry->keyIDs[i - 1] = entry->keyIDs[i]; + } + entry->ncerts--; + DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject); + rv = WriteDBSubjectEntry(cert->dbhandle, entry); + break; + } + } + } else { + /* no entries left, delete the perm entry in the DB */ + if (entry->emailAddrs) { + /* if the subject had an email record, then delete it too */ + for (i = 0; i < entry->nemailAddrs; i++) { + DeleteDBSMimeEntry(cert->dbhandle, entry->emailAddrs[i]); + } + } + if (entry->nickname) { + DeleteDBNicknameEntry(cert->dbhandle, entry->nickname); + } + + DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject); + } + DestroyDBEntry((certDBEntry *)entry); + + return (rv); +} + +/* + * add a cert to the perm subject list + */ +static SECStatus +AddPermSubjectNode(certDBEntrySubject *entry, NSSLOWCERTCertificate *cert, + char *nickname) +{ + SECItem *newCertKeys, *newKeyIDs; + unsigned int i, new_i; + SECStatus rv; + unsigned int ncerts; + + PORT_Assert(entry); + ncerts = entry->ncerts; + + if (nickname && entry->nickname) { + /* nicknames must be the same */ + PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 
0); + } + + if ((entry->nickname == NULL) && (nickname != NULL)) { + /* copy nickname into the entry */ + entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname); + if (entry->nickname == NULL) { + return (SECFailure); + } + } + + /* a DB entry already exists, so add this cert */ + newCertKeys = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1); + newKeyIDs = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1); + + if ((newCertKeys == NULL) || (newKeyIDs == NULL)) { + return (SECFailure); + } + + /* Step 1: copy certs older than "cert" into new entry. */ + for (i = 0, new_i = 0; i < ncerts; i++) { + NSSLOWCERTCertificate *cmpcert; + PRBool isNewer; + cmpcert = nsslowcert_FindCertByKey(cert->dbhandle, + &entry->certKeys[i]); + /* The entry has been corrupted, remove it from the list */ + if (!cmpcert) { + continue; + } + + isNewer = nsslowcert_IsNewer(cert, cmpcert); + nsslowcert_DestroyCertificate(cmpcert); + if (isNewer) + break; + /* copy this cert entry */ + newCertKeys[new_i] = entry->certKeys[i]; + newKeyIDs[new_i] = entry->keyIDs[i]; + new_i++; + } + + /* Step 2: Add "cert" to the entry. */ + rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[new_i], + &cert->certKey); + if (rv != SECSuccess) { + return (SECFailure); + } + rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[new_i], + &cert->subjectKeyID); + if (rv != SECSuccess) { + return (SECFailure); + } + new_i++; + + /* Step 3: copy remaining certs (if any) from old entry to new. 
*/ + for (; i < ncerts; i++, new_i++) { + newCertKeys[new_i] = entry->certKeys[i]; + newKeyIDs[new_i] = entry->keyIDs[i]; + } + + /* update certKeys and keyIDs */ + entry->certKeys = newCertKeys; + entry->keyIDs = newKeyIDs; + + /* set new count value */ + entry->ncerts = new_i; + + DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject); + rv = WriteDBSubjectEntry(cert->dbhandle, entry); + return (rv); +} + +SECStatus +nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle, + SECItem *derSubject, + NSSLOWCERTCertCallback cb, void *cbarg) +{ + certDBEntrySubject *entry; + unsigned int i; + NSSLOWCERTCertificate *cert; + SECStatus rv = SECSuccess; + + entry = ReadDBSubjectEntry(handle, derSubject); + + if (entry == NULL) { + return (SECFailure); + } + + for (i = 0; i < entry->ncerts; i++) { + cert = nsslowcert_FindCertByKey(handle, &entry->certKeys[i]); + if (!cert) { + continue; + } + rv = (*cb)(cert, cbarg); + nsslowcert_DestroyCertificate(cert); + if (rv == SECFailure) { + break; + } + } + + DestroyDBEntry((certDBEntry *)entry); + + return (rv); +} + +int +nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle, + SECItem *derSubject) +{ + certDBEntrySubject *entry; + int ret; + + entry = ReadDBSubjectEntry(handle, derSubject); + + if (entry == NULL) { + return (SECFailure); + } + + ret = entry->ncerts; + + DestroyDBEntry((certDBEntry *)entry); + + return (ret); +} + +SECStatus +nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle, + char *nickname, NSSLOWCERTCertCallback cb, void *cbarg) +{ + certDBEntryNickname *nnentry = NULL; + certDBEntrySMime *smentry = NULL; + SECStatus rv; + SECItem *derSubject = NULL; + + nnentry = ReadDBNicknameEntry(handle, nickname); + if (nnentry) { + derSubject = &nnentry->subjectName; + } else { + smentry = nsslowcert_ReadDBSMimeEntry(handle, nickname); + if (smentry) { + derSubject = &smentry->subjectName; + } + } + + if (derSubject) { + rv = nsslowcert_TraversePermCertsForSubject(handle, 
derSubject, + cb, cbarg); + } else { + rv = SECFailure; + } + + if (nnentry) { + DestroyDBEntry((certDBEntry *)nnentry); + } + if (smentry) { + DestroyDBEntry((certDBEntry *)smentry); + } + + return (rv); +} + +int +nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle, + char *nickname) +{ + certDBEntryNickname *entry; + int ret; + + entry = ReadDBNicknameEntry(handle, nickname); + + if (entry) { + ret = nsslowcert_NumPermCertsForSubject(handle, &entry->subjectName); + DestroyDBEntry((certDBEntry *)entry); + } else { + ret = 0; + } + return (ret); +} + +/* + * add a nickname to a cert that doesn't have one + */ +static SECStatus +AddNicknameToPermCert(NSSLOWCERTCertDBHandle *dbhandle, + NSSLOWCERTCertificate *cert, char *nickname) +{ + certDBEntryCert *entry; + int rv; + + entry = cert->dbEntry; + PORT_Assert(entry != NULL); + if (entry == NULL) { + goto loser; + } + + pkcs11_freeNickname(entry->nickname, entry->nicknameSpace); + entry->nickname = NULL; + entry->nickname = pkcs11_copyNickname(nickname, entry->nicknameSpace, + sizeof(entry->nicknameSpace)); + + rv = WriteDBCertEntry(dbhandle, entry); + if (rv) { + goto loser; + } + + pkcs11_freeNickname(cert->nickname, cert->nicknameSpace); + cert->nickname = NULL; + cert->nickname = pkcs11_copyNickname(nickname, cert->nicknameSpace, + sizeof(cert->nicknameSpace)); + + return (SECSuccess); + +loser: + return (SECFailure); +} + +/* + * add a nickname to a cert that is already in the perm database, but doesn't + * have one yet (it is probably an e-mail cert). 
+ */ +SECStatus +nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle, + NSSLOWCERTCertificate *cert, char *nickname) +{ + SECStatus rv = SECFailure; + certDBEntrySubject *entry = NULL; + certDBEntryNickname *nicknameEntry = NULL; + + nsslowcert_LockDB(dbhandle); + + entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject); + if (entry == NULL) + goto loser; + + if (entry->nickname == NULL) { + + /* no nickname for subject */ + rv = AddNicknameToSubject(dbhandle, cert, nickname); + if (rv != SECSuccess) { + goto loser; + } + rv = AddNicknameToPermCert(dbhandle, cert, nickname); + if (rv != SECSuccess) { + goto loser; + } + nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0); + if (nicknameEntry == NULL) { + goto loser; + } + + rv = WriteDBNicknameEntry(dbhandle, nicknameEntry); + if (rv != SECSuccess) { + goto loser; + } + } else { + /* subject already has a nickname */ + rv = AddNicknameToPermCert(dbhandle, cert, entry->nickname); + if (rv != SECSuccess) { + goto loser; + } + /* make sure nickname entry exists. If the database was corrupted, + * we may have lost the nickname entry. 
Add it back now */ + nicknameEntry = ReadDBNicknameEntry(dbhandle, entry->nickname); + if (nicknameEntry == NULL) { + nicknameEntry = NewDBNicknameEntry(entry->nickname, + &cert->derSubject, 0); + if (nicknameEntry == NULL) { + goto loser; + } + + rv = WriteDBNicknameEntry(dbhandle, nicknameEntry); + if (rv != SECSuccess) { + goto loser; + } + } + } + rv = SECSuccess; + +loser: + if (entry) { + DestroyDBEntry((certDBEntry *)entry); + } + if (nicknameEntry) { + DestroyDBEntry((certDBEntry *)nicknameEntry); + } + nsslowcert_UnlockDB(dbhandle); + return (rv); +} + +static certDBEntryCert * +AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert, + char *nickname, NSSLOWCERTCertTrust *trust) +{ + certDBEntryCert *certEntry = NULL; + certDBEntryNickname *nicknameEntry = NULL; + certDBEntrySubject *subjectEntry = NULL; + int state = 0; + SECStatus rv; + PRBool donnentry = PR_FALSE; + + if (nickname) { + donnentry = PR_TRUE; + } + + subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject); + + if (subjectEntry && subjectEntry->nickname) { + donnentry = PR_FALSE; + nickname = subjectEntry->nickname; + } + + certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0); + if (certEntry == NULL) { + goto loser; + } + + if (donnentry) { + nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0); + if (nicknameEntry == NULL) { + goto loser; + } + } + + rv = WriteDBCertEntry(handle, certEntry); + if (rv != SECSuccess) { + goto loser; + } + state = 1; + + if (nicknameEntry) { + rv = WriteDBNicknameEntry(handle, nicknameEntry); + if (rv != SECSuccess) { + goto loser; + } + } + + state = 2; + + /* "Change" handles if necessary */ + cert->dbhandle = handle; + + /* add to or create new subject entry */ + if (subjectEntry) { + /* REWRITE BASED ON SUBJECT ENTRY */ + rv = AddPermSubjectNode(subjectEntry, cert, nickname); + if (rv != SECSuccess) { + goto loser; + } + } else { + /* make a new subject entry - this case is only used when updating + * an 
old version of the database. This is OK because the oldnickname + * db format didn't allow multiple certs with the same subject. + */ + /* where does subjectKeyID and certKey come from? */ + subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey, + &cert->subjectKeyID, nickname, + NULL, 0); + if (subjectEntry == NULL) { + goto loser; + } + rv = WriteDBSubjectEntry(handle, subjectEntry); + if (rv != SECSuccess) { + goto loser; + } + } + + state = 3; + + if (nicknameEntry) { + DestroyDBEntry((certDBEntry *)nicknameEntry); + } + + if (subjectEntry) { + DestroyDBEntry((certDBEntry *)subjectEntry); + } + + return (certEntry); + +loser: + /* don't leave partial entry in the database */ + if (state > 0) { + DeleteDBCertEntry(handle, &cert->certKey); + } + if ((state > 1) && donnentry) { + DeleteDBNicknameEntry(handle, nickname); + } + if (certEntry) { + DestroyDBEntry((certDBEntry *)certEntry); + } + if (nicknameEntry) { + DestroyDBEntry((certDBEntry *)nicknameEntry); + } + if (subjectEntry) { + DestroyDBEntry((certDBEntry *)subjectEntry); + } + + return (NULL); +} + +/* forward declaration */ +static SECStatus +UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb); + +/* + * version 8 uses the same schema as version 7. The only differences are + * 1) version 8 db uses the blob shim to store data entries > 32k. + * 2) version 8 db sets the db block size to 32k. + * both of these are dealt with by the handle. + */ + +static SECStatus +UpdateV8DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb) +{ + return UpdateV7DB(handle, updatedb); +} + +/* + * we could just blindly sequence through reading key data pairs and writing + * them back out, but some cert.db's have gotten quite large and may have some + * subtle corruption problems, so instead we cycle through the certs and + * CRL's and S/MIME profiles and rebuild our subject lists from those records. 
+ */ +static SECStatus +UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb) +{ + DBT key, data; + int ret; + NSSLOWCERTCertificate *cert; + PRBool isKRL = PR_FALSE; + certDBEntryType entryType; + SECItem dbEntry, dbKey; + certDBEntryRevocation crlEntry; + certDBEntryCert certEntry; + certDBEntrySMime smimeEntry; + SECStatus rv; + + ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST); + + if (ret) { + return (SECFailure); + } + + do { + unsigned char *dataBuf = (unsigned char *)data.data; + unsigned char *keyBuf = (unsigned char *)key.data; + dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN]; + dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN; + entryType = (certDBEntryType)keyBuf[0]; + dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN]; + dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN; + if ((dbEntry.len <= 0) || (dbKey.len <= 0)) { + continue; + } + + switch (entryType) { + /* these entries will get regenerated as we read the + * rest of the data from the database */ + case certDBEntryTypeVersion: + case certDBEntryTypeSubject: + case certDBEntryTypeContentVersion: + case certDBEntryTypeNickname: + /* smime profiles need entries created after the certs have + * been imported, loop over them in a second run */ + case certDBEntryTypeSMimeProfile: + break; + + case certDBEntryTypeCert: + /* decode Entry */ + certEntry.common.version = (unsigned int)dataBuf[0]; + certEntry.common.type = entryType; + certEntry.common.flags = (unsigned int)dataBuf[2]; + rv = DecodeDBCertEntry(&certEntry, &dbEntry); + if (rv != SECSuccess) { + break; + } + /* should we check for existing duplicates? */ + cert = nsslowcert_DecodeDERCertificate(&certEntry.derCert, + certEntry.nickname); + if (cert) { + nsslowcert_UpdatePermCert(handle, cert, certEntry.nickname, + &certEntry.trust); + nsslowcert_DestroyCertificate(cert); + } + /* free any data the decode may have allocated. 
*/ + pkcs11_freeStaticData(certEntry.derCert.data, + certEntry.derCertSpace); + pkcs11_freeNickname(certEntry.nickname, certEntry.nicknameSpace); + break; + + case certDBEntryTypeKeyRevocation: + isKRL = PR_TRUE; + /* fall through */ + case certDBEntryTypeRevocation: + crlEntry.common.version = (unsigned int)dataBuf[0]; + crlEntry.common.type = entryType; + crlEntry.common.flags = (unsigned int)dataBuf[2]; + crlEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (crlEntry.common.arena == NULL) { + break; + } + rv = DecodeDBCrlEntry(&crlEntry, &dbEntry); + if (rv != SECSuccess) { + break; + } + nsslowcert_UpdateCrl(handle, &crlEntry.derCrl, &dbKey, + crlEntry.url, isKRL); + /* free data allocated by the decode */ + PORT_FreeArena(crlEntry.common.arena, PR_FALSE); + crlEntry.common.arena = NULL; + break; + + default: + break; + } + } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0); + + /* now loop again updating just the SMimeProfile. */ + ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST); + + if (ret) { + return (SECFailure); + } + + do { + unsigned char *dataBuf = (unsigned char *)data.data; + unsigned char *keyBuf = (unsigned char *)key.data; + dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN]; + dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN; + entryType = (certDBEntryType)keyBuf[0]; + if (entryType != certDBEntryTypeSMimeProfile) { + continue; + } + dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN]; + dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN; + if ((dbEntry.len <= 0) || (dbKey.len <= 0)) { + continue; + } + smimeEntry.common.version = (unsigned int)dataBuf[0]; + smimeEntry.common.type = entryType; + smimeEntry.common.flags = (unsigned int)dataBuf[2]; + smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + /* decode entry */ + rv = DecodeDBSMimeEntry(&smimeEntry, &dbEntry, (char *)dbKey.data); + if (rv == SECSuccess) { + nsslowcert_UpdateSMimeProfile(handle, smimeEntry.emailAddr, + &smimeEntry.subjectName, 
&smimeEntry.smimeOptions, + &smimeEntry.optionsDate); + } + PORT_FreeArena(smimeEntry.common.arena, PR_FALSE); + smimeEntry.common.arena = NULL; + } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0); + + (*updatedb->close)(updatedb); + + /* a database update is a good time to go back and verify the integrity of + * the keys and certs */ + handle->dbVerify = PR_TRUE; + return (SECSuccess); +} + +/* + * NOTE - Version 6 DB did not go out to the real world in a release, + * so we can remove this function in a later release. + */ +static SECStatus +UpdateV6DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb) +{ + int ret; + DBT key, data; + unsigned char *buf, *tmpbuf = NULL; + certDBEntryType type; + certDBEntryNickname *nnEntry = NULL; + certDBEntrySubject *subjectEntry = NULL; + certDBEntrySMime *emailEntry = NULL; + char *nickname; + char *emailAddr; + + /* + * Sequence through the old database and copy all of the entries + * to the new database. Subject name entries will have the new + * fields inserted into them (with zero length). 
+ */ + ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST); + if (ret) { + return (SECFailure); + } + + do { + buf = (unsigned char *)data.data; + + if (data.size >= 3) { + if (buf[0] == 6) { /* version number */ + type = (certDBEntryType)buf[1]; + if (type == certDBEntryTypeSubject) { + /* expando subjecto entrieo */ + tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4); + if (tmpbuf) { + /* copy header stuff */ + PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2); + /* insert 4 more bytes of zero'd header */ + PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2], + 0, 4); + /* copy rest of the data */ + PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6], + &buf[SEC_DB_ENTRY_HEADER_LEN + 2], + data.size - (SEC_DB_ENTRY_HEADER_LEN + 2)); + + data.data = (void *)tmpbuf; + data.size += 4; + buf = tmpbuf; + } + } else if (type == certDBEntryTypeCert) { + /* expando certo entrieo */ + tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3); + if (tmpbuf) { + /* copy header stuff */ + PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN); + + /* copy trust flage, setting msb's to 0 */ + tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0; + tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 1] = + buf[SEC_DB_ENTRY_HEADER_LEN]; + tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2] = 0; + tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 3] = + buf[SEC_DB_ENTRY_HEADER_LEN + 1]; + tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 4] = 0; + tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 5] = + buf[SEC_DB_ENTRY_HEADER_LEN + 2]; + + /* copy rest of the data */ + PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6], + &buf[SEC_DB_ENTRY_HEADER_LEN + 3], + data.size - (SEC_DB_ENTRY_HEADER_LEN + 3)); + + data.data = (void *)tmpbuf; + data.size += 3; + buf = tmpbuf; + } + } + + /* update the record version number */ + buf[0] = CERT_DB_FILE_VERSION; + + /* copy to the new database */ + ret = certdb_Put(handle->permCertDB, &key, &data, 0); + if (tmpbuf) { + PORT_Free(tmpbuf); + tmpbuf = NULL; + } + if (ret) { + return SECFailure; + } + } + } + } while ((*updatedb->seq)(updatedb, &key, 
&data, R_NEXT) == 0); + + ret = certdb_Sync(handle->permCertDB, 0); + if (ret) { + return SECFailure; + } + + ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST); + if (ret) { + return (SECFailure); + } + + do { + buf = (unsigned char *)data.data; + + if (data.size >= 3) { + if (buf[0] == CERT_DB_FILE_VERSION) { /* version number */ + type = (certDBEntryType)buf[1]; + if (type == certDBEntryTypeNickname) { + nickname = &((char *)key.data)[1]; + + /* get the matching nickname entry in the new DB */ + nnEntry = ReadDBNicknameEntry(handle, nickname); + if (nnEntry == NULL) { + goto endloop; + } + + /* find the subject entry pointed to by nickname */ + subjectEntry = ReadDBSubjectEntry(handle, + &nnEntry->subjectName); + if (subjectEntry == NULL) { + goto endloop; + } + + subjectEntry->nickname = + (char *)PORT_ArenaAlloc(subjectEntry->common.arena, + key.size - 1); + if (subjectEntry->nickname) { + PORT_Memcpy(subjectEntry->nickname, nickname, + key.size - 1); + (void)WriteDBSubjectEntry(handle, subjectEntry); + } + } else if (type == certDBEntryTypeSMimeProfile) { + emailAddr = &((char *)key.data)[1]; + + /* get the matching smime entry in the new DB */ + emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr); + if (emailEntry == NULL) { + goto endloop; + } + + /* find the subject entry pointed to by nickname */ + subjectEntry = ReadDBSubjectEntry(handle, + &emailEntry->subjectName); + if (subjectEntry == NULL) { + goto endloop; + } + + subjectEntry->emailAddrs = (char **) + PORT_ArenaAlloc(subjectEntry->common.arena, + sizeof(char *)); + if (subjectEntry->emailAddrs) { + subjectEntry->emailAddrs[0] = + (char *)PORT_ArenaAlloc(subjectEntry->common.arena, + key.size - 1); + if (subjectEntry->emailAddrs[0]) { + PORT_Memcpy(subjectEntry->emailAddrs[0], emailAddr, + key.size - 1); + subjectEntry->nemailAddrs = 1; + (void)WriteDBSubjectEntry(handle, subjectEntry); + } + } + } + + endloop: + if (subjectEntry) { + DestroyDBEntry((certDBEntry *)subjectEntry); + 
subjectEntry = NULL; + } + if (nnEntry) { + DestroyDBEntry((certDBEntry *)nnEntry); + nnEntry = NULL; + } + if (emailEntry) { + DestroyDBEntry((certDBEntry *)emailEntry); + emailEntry = NULL; + } + } + } + } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0); + + ret = certdb_Sync(handle->permCertDB, 0); + if (ret) { + return SECFailure; + } + + (*updatedb->close)(updatedb); + return (SECSuccess); +} + +static SECStatus +updateV5Callback(NSSLOWCERTCertificate *cert, SECItem *k, void *pdata) +{ + NSSLOWCERTCertDBHandle *handle; + certDBEntryCert *entry; + NSSLOWCERTCertTrust *trust; + + handle = (NSSLOWCERTCertDBHandle *)pdata; + trust = &cert->dbEntry->trust; + + /* SSL user certs can be used for email if they have an email addr */ + if (cert->emailAddr && (trust->sslFlags & CERTDB_USER) && + (trust->emailFlags == 0)) { + trust->emailFlags = CERTDB_USER; + } + /* servers didn't set the user flags on the server cert.. */ + if (PORT_Strcmp(cert->dbEntry->nickname, "Server-Cert") == 0) { + trust->sslFlags |= CERTDB_USER; + } + + entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname, + &cert->dbEntry->trust); + if (entry) { + DestroyDBEntry((certDBEntry *)entry); + } + + return (SECSuccess); +} + +static SECStatus +UpdateV5DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb) +{ + NSSLOWCERTCertDBHandle updatehandle; + + updatehandle.permCertDB = updatedb; + updatehandle.dbMon = PZ_NewMonitor(nssILockCertDB); + updatehandle.dbVerify = 0; + updatehandle.ref = 1; /* prevent premature close */ + + (void)nsslowcert_TraversePermCerts(&updatehandle, updateV5Callback, + (void *)handle); + + PZ_DestroyMonitor(updatehandle.dbMon); + + (*updatedb->close)(updatedb); + return (SECSuccess); +} + +static PRBool +isV4DB(DB *db) +{ + DBT key, data; + int ret; + + key.data = "Version"; + key.size = 7; + + ret = (*db->get)(db, &key, &data, 0); + if (ret) { + return PR_FALSE; + } + + if ((data.size == 1) && (*(unsigned char *)data.data <= 4)) { + return PR_TRUE; + } + + 
return PR_FALSE; +} + +static SECStatus +UpdateV4DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb) +{ + DBT key, data; + certDBEntryCert *entry, *entry2; + int ret; + NSSLOWCERTCertificate *cert; + + ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST); + + if (ret) { + return (SECFailure); + } + + do { + if (data.size != 1) { /* skip version number */ + + /* decode the old DB entry */ + entry = (certDBEntryCert *) + DecodeV4DBCertEntry((unsigned char *)data.data, data.size); + + if (entry) { + cert = nsslowcert_DecodeDERCertificate(&entry->derCert, + entry->nickname); + + if (cert != NULL) { + /* add to new database */ + entry2 = AddCertToPermDB(handle, cert, entry->nickname, + &entry->trust); + + nsslowcert_DestroyCertificate(cert); + if (entry2) { + DestroyDBEntry((certDBEntry *)entry2); + } + } + DestroyDBEntry((certDBEntry *)entry); + } + } + } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0); + + (*updatedb->close)(updatedb); + return (SECSuccess); +} + +/* + * return true if a database key conflict exists + */ +PRBool +nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle) +{ + SECStatus rv; + DBT tmpdata; + DBT namekey; + int ret; + SECItem keyitem; + PLArenaPool *arena = NULL; + SECItem derKey; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + goto loser; + } + + /* get the db key of the cert */ + rv = nsslowcert_KeyFromDERCert(arena, derCert, &derKey); + if (rv != SECSuccess) { + goto loser; + } + + rv = EncodeDBCertKey(&derKey, arena, &keyitem); + if (rv != SECSuccess) { + goto loser; + } + + namekey.data = keyitem.data; + namekey.size = keyitem.len; + + ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0); + if (ret == 0) { + goto loser; + } + + PORT_FreeArena(arena, PR_FALSE); + + return (PR_FALSE); +loser: + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (PR_TRUE); +} + +/* + * return true if a nickname conflict exists + * NOTE: caller must have already made sure that 
this exact cert + * doesn't exist in the DB + */ +static PRBool +nsslowcert_CertNicknameConflict(char *nickname, SECItem *derSubject, + NSSLOWCERTCertDBHandle *handle) +{ + PRBool rv; + certDBEntryNickname *entry; + + if (nickname == NULL) { + return (PR_FALSE); + } + + entry = ReadDBNicknameEntry(handle, nickname); + + if (entry == NULL) { + /* no entry for this nickname, so no conflict */ + return (PR_FALSE); + } + + rv = PR_TRUE; + if (SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual) { + /* if subject names are the same, then no conflict */ + rv = PR_FALSE; + } + + DestroyDBEntry((certDBEntry *)entry); + return (rv); +} + +#ifdef DBM_USING_NSPR +#define NO_RDONLY PR_RDONLY +#define NO_RDWR PR_RDWR +#define NO_CREATE (PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE) +#else +#define NO_RDONLY O_RDONLY +#define NO_RDWR O_RDWR +#define NO_CREATE (O_RDWR | O_CREAT | O_TRUNC) +#endif + +/* + * open an old database that needs to be updated + */ +static DB * +nsslowcert_openolddb(NSSLOWCERTDBNameFunc namecb, void *cbarg, int version) +{ + char *tmpname; + DB *updatedb = NULL; + + tmpname = (*namecb)(cbarg, version); /* get v6 db name */ + if (tmpname) { + updatedb = dbopen(tmpname, NO_RDONLY, 0600, DB_HASH, 0); + PORT_Free(tmpname); + } + return updatedb; +} + +static SECStatus +openNewCertDB(const char *appName, const char *prefix, const char *certdbname, + NSSLOWCERTCertDBHandle *handle, NSSLOWCERTDBNameFunc namecb, void *cbarg) +{ + SECStatus rv; + certDBEntryVersion *versionEntry = NULL; + DB *updatedb = NULL; + int status = RDB_FAIL; + + if (appName) { + handle->permCertDB = rdbopen(appName, prefix, "cert", NO_CREATE, &status); + } else { + handle->permCertDB = dbsopen(certdbname, NO_CREATE, 0600, DB_HASH, 0); + } + + /* if create fails then we lose */ + if (handle->permCertDB == 0) { + return status == RDB_RETRY ? 
SECWouldBlock : SECFailure; + } + + /* Verify version number; */ + versionEntry = NewDBVersionEntry(0); + if (versionEntry == NULL) { + rv = SECFailure; + goto loser; + } + + rv = WriteDBVersionEntry(handle, versionEntry); + + DestroyDBEntry((certDBEntry *)versionEntry); + + if (rv != SECSuccess) { + goto loser; + } + + /* rv must already be Success here because of previous if statement */ + /* try to upgrade old db here */ + if (appName && + (updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0)) != NULL) { + rv = UpdateV8DB(handle, updatedb); + } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 7)) != NULL) { + rv = UpdateV7DB(handle, updatedb); + } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 6)) != NULL) { + rv = UpdateV6DB(handle, updatedb); + } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 5)) != NULL) { + rv = UpdateV5DB(handle, updatedb); + } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 4)) != NULL) { + /* NES has v5 format db's with v4 db names! */ + if (isV4DB(updatedb)) { + rv = UpdateV4DB(handle, updatedb); + } else { + rv = UpdateV5DB(handle, updatedb); + } + } + +loser: + db_InitComplete(handle->permCertDB); + return rv; +} + +static int +nsslowcert_GetVersionNumber(NSSLOWCERTCertDBHandle *handle) +{ + certDBEntryVersion *versionEntry = NULL; + int version = 0; + + versionEntry = ReadDBVersionEntry(handle); + if (versionEntry == NULL) { + return 0; + } + version = versionEntry->common.version; + DestroyDBEntry((certDBEntry *)versionEntry); + return version; +} + +/* + * Open the certificate database and index databases. Create them if + * they are not there or bad. 
+ */
+static SECStatus
+nsslowcert_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+ const char *appName, const char *prefix,
+ NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+ SECStatus rv;
+ int openflags;
+ char *certdbname;
+ int version = 0;
+
+ certdbname = (*namecb)(cbarg, CERT_DB_FILE_VERSION);
+ if (certdbname == NULL) {
+ return (SECFailure);
+ }
+
+ openflags = readOnly ? NO_RDONLY : NO_RDWR;
+
+ /*
+ * first open the permanent file based database.
+ */
+ if (appName) {
+ handle->permCertDB = rdbopen(appName, prefix, "cert", openflags, NULL);
+ } else {
+ handle->permCertDB = dbsopen(certdbname, openflags, 0600, DB_HASH, 0);
+ }
+
+ /* check for correct version number */
+ if (handle->permCertDB) {
+ version = nsslowcert_GetVersionNumber(handle);
+ if ((version != CERT_DB_FILE_VERSION) &&
+ !(appName && version == CERT_DB_V7_FILE_VERSION)) {
+ goto loser;
+ }
+ } else if (readOnly) {
+ /* don't create if readonly */
+ /* Try openning a version 7 database */
+ handle->permCertDB = nsslowcert_openolddb(namecb, cbarg, 7);
+ if (!handle->permCertDB) {
+ goto loser;
+ }
+ if (nsslowcert_GetVersionNumber(handle) != 7) {
+ goto loser;
+ }
+ } else {
+ /* if first open fails, try to create a new DB */
+ rv = openNewCertDB(appName, prefix, certdbname, handle, namecb, cbarg);
+ if (rv == SECWouldBlock) {
+ /* only the rdb version can fail with wouldblock */
+ handle->permCertDB =
+ rdbopen(appName, prefix, "cert", openflags, NULL);
+
+ /* check for correct version number */
+ if (!handle->permCertDB) {
+ goto loser;
+ }
+ version = nsslowcert_GetVersionNumber(handle);
+ if ((version != CERT_DB_FILE_VERSION) &&
+ !(appName && version == CERT_DB_V7_FILE_VERSION)) {
+ goto loser;
+ }
+ } else if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ PORT_Free(certdbname);
+
+ return (SECSuccess);
+
+loser:
+
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+
+ if (handle->permCertDB) {
+ certdb_Close(handle->permCertDB);
+ handle->permCertDB = 0;
+ }
+
+ PORT_Free(certdbname);
+
+ return (SECFailure);
+}
+
+/*
+ * delete all DB records associated with a particular certificate
+ */
+static SECStatus
+DeletePermCert(NSSLOWCERTCertificate *cert)
+{
+ SECStatus rv;
+ SECStatus ret;
+
+ ret = SECSuccess;
+
+ rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
+ if (rv != SECSuccess) {
+ ret = SECFailure;
+ }
+
+ rv = RemovePermSubjectNode(cert);
+
+ return (ret);
+}
+
+/*
+ * Delete a certificate from the permanent database.
+ */
+SECStatus
+nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
+{
+ SECStatus rv;
+
+ nsslowcert_LockDB(cert->dbhandle);
+
+ /* delete the records from the permanent database */
+ rv = DeletePermCert(cert);
+
+ /* get rid of dbcert and stuff pointing to it */
+ DestroyDBEntry((certDBEntry *)cert->dbEntry);
+ cert->dbEntry = NULL;
+ cert->trust = NULL;
+
+ nsslowcert_UnlockDB(cert->dbhandle);
+ return (rv);
+}
+
+/*
+ * Traverse all of the entries in the database of a particular type
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+ certDBEntryType type,
+ SECStatus (*callback)(SECItem *data, SECItem *key,
+ certDBEntryType type, void *pdata),
+ void *udata)
+{
+ DBT data;
+ DBT key;
+ SECStatus rv = SECSuccess;
+ int ret;
+ SECItem dataitem;
+ SECItem keyitem;
+ unsigned char *buf;
+ unsigned char *keybuf;
+
+ ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
+ if (ret) {
+ return (SECFailure);
+ }
+ /* here, ret is zero and rv is SECSuccess.
+ * Below here, ret is a count of successful calls to the callback function.
+ */
+ do {
+ buf = (unsigned char *)data.data;
+
+ if (buf[1] == (unsigned char)type) {
+ dataitem.len = data.size;
+ dataitem.data = buf;
+ dataitem.type = siBuffer;
+ keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
+ keybuf = (unsigned char *)key.data;
+ keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
+ keyitem.type = siBuffer;
+ /* type should equal keybuf[0]. */
+
+ rv = (*callback)(&dataitem, &keyitem, type, udata);
+ if (rv == SECSuccess) {
+ ++ret;
+ }
+ }
+ } while (certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0);
+ /* If any callbacks succeeded, or no calls to callbacks were made,
+ * then report success. Otherwise, report failure.
+ */
+ return (ret ? SECSuccess : rv);
+}
+/*
+ * Decode a certificate and enter it into the temporary certificate database.
+ * Deal with nicknames correctly
+ *
+ * This is the private entry point.
+ */
+static NSSLOWCERTCertificate *
+DecodeACert(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+ NSSLOWCERTCertificate *cert = NULL;
+
+ cert = nsslowcert_DecodeDERCertificate(&entry->derCert, entry->nickname);
+
+ if (cert == NULL) {
+ goto loser;
+ }
+
+ cert->dbhandle = handle;
+ cert->dbEntry = entry;
+ cert->trust = &entry->trust;
+
+ return (cert);
+
+loser:
+ return (0);
+}
+
+static NSSLOWCERTTrust *
+CreateTrust(void)
+{
+ NSSLOWCERTTrust *trust = NULL;
+
+ nsslowcert_LockFreeList();
+ trust = trustListHead;
+ if (trust) {
+ trustListCount--;
+ trustListHead = trust->next;
+ trust->next = NULL;
+ }
+ PORT_Assert(trustListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (trust) {
+ return trust;
+ }
+
+ return PORT_ZNew(NSSLOWCERTTrust);
+}
+
+static void
+DestroyTrustFreeList(void)
+{
+ NSSLOWCERTTrust *trust;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (trust = trustListHead)) {
+ trustListCount--;
+ trustListHead = trust->next;
+ PORT_Free(trust);
+ }
+ PORT_Assert(!trustListCount);
+ trustListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+static NSSLOWCERTTrust *
+DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry,
+ const SECItem *dbKey)
+{
+ NSSLOWCERTTrust *trust = CreateTrust();
+ if (trust == NULL) {
+ return trust;
+ }
+ trust->dbhandle = handle;
+ trust->dbEntry = entry;
+ trust->dbKey.data = pkcs11_copyStaticData(dbKey->data, dbKey->len,
+ trust->dbKeySpace, sizeof(trust->dbKeySpace));
+ if (!trust->dbKey.data) {
+ PORT_Free(trust);
+ return NULL;
+ }
+ trust->dbKey.len = dbKey->len;
+
+ trust->trust = &entry->trust;
+ trust->derCert = &entry->derCert;
+
+ return (trust);
+}
+
+typedef struct {
+ PermCertCallback certfunc;
+ NSSLOWCERTCertDBHandle *handle;
+ void *data;
+} PermCertCallbackState;
+
+/*
+ * traversal callback to decode certs and call callers callback
+ */
+static SECStatus
+certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
+{
+ PermCertCallbackState *mystate;
+ SECStatus rv;
+ certDBEntryCert *entry;
+ SECItem entryitem;
+ NSSLOWCERTCertificate *cert;
+ PLArenaPool *arena = NULL;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+ if (!entry) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ mystate = (PermCertCallbackState *)data;
+ entry->common.version = (unsigned int)dbdata->data[0];
+ entry->common.type = (certDBEntryType)dbdata->data[1];
+ entry->common.flags = (unsigned int)dbdata->data[2];
+ entry->common.arena = arena;
+
+ entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
+ entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ rv = DecodeDBCertEntry(entry, &entryitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ entry->derCert.type = siBuffer;
+
+ /* note: Entry is 'inheritted'. */
+ cert = DecodeACert(mystate->handle, entry);
+
+ rv = (*mystate->certfunc)(cert, dbkey, mystate->data);
+
+ /* arena stored in entry destroyed by nsslowcert_DestroyCertificate */
+ nsslowcert_DestroyCertificateNoLocking(cert);
+
+ return (rv);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one; expect the caller to have lock.
+ */
+static SECStatus
+TraversePermCertsNoLocking(NSSLOWCERTCertDBHandle *handle,
+ SECStatus (*certfunc)(NSSLOWCERTCertificate *cert,
+ SECItem *k,
+ void *pdata),
+ void *udata)
+{
+ SECStatus rv;
+ PermCertCallbackState mystate;
+
+ mystate.certfunc = certfunc;
+ mystate.handle = handle;
+ mystate.data = udata;
+ rv = nsslowcert_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
+ (void *)&mystate);
+
+ return (rv);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+ SECStatus (*certfunc)(NSSLOWCERTCertificate *cert, SECItem *k,
+ void *pdata),
+ void *udata)
+{
+ SECStatus rv;
+
+ nsslowcert_LockDB(handle);
+ rv = TraversePermCertsNoLocking(handle, certfunc, udata);
+ nsslowcert_UnlockDB(handle);
+
+ return (rv);
+}
+
+/*
+ * Close the database
+ */
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+ if (handle) {
+ if (handle->permCertDB) {
+ certdb_Close(handle->permCertDB);
+ handle->permCertDB = NULL;
+ }
+ if (handle->dbMon) {
+ PZ_DestroyMonitor(handle->dbMon);
+ handle->dbMon = NULL;
+ }
+ PORT_Free(handle);
+ }
+ return;
+}
+
+/*
+ * Get the trust attributes from a certificate
+ */
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+ SECStatus rv;
+
+ nsslowcert_LockCertTrust(cert);
+
+ if (cert->trust == NULL) {
+ rv = SECFailure;
+ } else {
+ *trust = *cert->trust;
+ rv = SECSuccess;
+ }
+
+ nsslowcert_UnlockCertTrust(cert);
+ return (rv);
+}
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+ certDBEntryCert *entry;
+ int rv;
+ SECStatus ret;
+
+ nsslowcert_LockDB(handle);
+ nsslowcert_LockCertTrust(cert);
+ /* only set the trust on permanent certs */
+ if (cert->trust == NULL) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ *cert->trust = *trust;
+ if (cert->dbEntry == NULL) {
+ ret = SECSuccess; /* not in permanent database */
+ goto done;
+ }
+
+ entry = cert->dbEntry;
+ entry->trust = *trust;
+
+ rv = WriteDBCertEntry(handle, entry);
+ if (rv) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ ret = SECSuccess;
+
+done:
+ nsslowcert_UnlockCertTrust(cert);
+ nsslowcert_UnlockDB(handle);
+ return (ret);
+}
+
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+ char *oldnn;
+ certDBEntryCert *entry;
+ PRBool conflict;
+ SECStatus ret;
+
+ PORT_Assert(!cert->dbEntry);
+
+ /* don't add a conflicting nickname */
+ conflict = nsslowcert_CertNicknameConflict(nickname, &cert->derSubject,
+ dbhandle);
+ if (conflict) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ /* save old nickname so that we can delete it */
+ oldnn = cert->nickname;
+
+ entry = AddCertToPermDB(dbhandle, cert, nickname, trust);
+
+ if (entry == NULL) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ pkcs11_freeNickname(oldnn, cert->nicknameSpace);
+
+ cert->nickname = (entry->nickname) ? pkcs11_copyNickname(entry->nickname,
+ cert->nicknameSpace, sizeof(cert->nicknameSpace))
+ : NULL;
+ cert->trust = &entry->trust;
+ cert->dbEntry = entry;
+
+ ret = SECSuccess;
+done:
+ return (ret);
+}
+
+SECStatus
+nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+ SECStatus ret;
+
+ nsslowcert_LockDB(dbhandle);
+
+ ret = nsslowcert_UpdatePermCert(dbhandle, cert, nickname, trust);
+
+ nsslowcert_UnlockDB(dbhandle);
+ return (ret);
+}
+
+/*
+ * Open the certificate database and index databases. Create them if
+ * they are not there or bad.
+ */
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+ const char *appName, const char *prefix,
+ NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile)
+{
+ int rv;
+
+ certdb_InitDBLock(handle);
+
+ handle->dbMon = PZ_NewMonitor(nssILockCertDB);
+ PORT_Assert(handle->dbMon != NULL);
+ handle->dbVerify = PR_FALSE;
+
+ rv = nsslowcert_OpenPermCertDB(handle, readOnly, appName, prefix,
+ namecb, cbarg);
+ if (rv) {
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ if (handle->dbMon) {
+ PZ_DestroyMonitor(handle->dbMon);
+ handle->dbMon = NULL;
+ }
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+}
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle)
+{
+ if (!handle)
+ return PR_FALSE;
+ return handle->dbVerify;
+}
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value)
+{
+ handle->dbVerify = value;
+}
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTCertificate *
+FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+ NSSLOWCERTCertificate *cert = NULL;
+ certDBEntryCert *entry;
+ PRBool locked = PR_FALSE;
+
+ if (lockdb) {
+ locked = PR_TRUE;
+ nsslowcert_LockDB(handle);
+ }
+
+ /* find in perm database */
+ entry = ReadDBCertEntry(handle, certKey);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* inherit entry */
+ cert = DecodeACert(handle, entry);
+
+loser:
+ if (cert == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
+ if (locked) {
+ nsslowcert_UnlockDB(handle);
+ }
+
+ return (cert);
+}
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTTrust *
+FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+ NSSLOWCERTTrust *trust = NULL;
+ certDBEntryCert *entry;
+ PRBool locked = PR_FALSE;
+
+ if (lockdb) {
+ locked = PR_TRUE;
+ nsslowcert_LockDB(handle);
+ }
+
+ /* find in perm database */
+ entry = ReadDBCertEntry(handle, certKey);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ if (!nsslowcert_hasTrust(&entry->trust)) {
+ goto loser;
+ }
+
+ /* inherit entry */
+ trust = DecodeTrustEntry(handle, entry, certKey);
+
+loser:
+ if (trust == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
+ if (locked) {
+ nsslowcert_UnlockDB(handle);
+ }
+
+ return (trust);
+}
+
+/*
+ * Lookup a certificate in the databases without locking
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ return (FindCertByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Lookup a trust object in the databases without locking
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ return (FindTrustByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+ SECItem certKey;
+ SECItem *sn = &issuerAndSN->serialNumber;
+ SECItem *issuer = &issuerAndSN->derIssuer;
+ NSSLOWCERTCertificate *cert;
+ int data_len = sn->len;
+ int index = 0;
+
+ /* automatically detect DER encoded serial numbers and remove the der
+ * encoding since the database expects unencoded data.
+ * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+ if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+ /* remove the der encoding of the serial number before generating the
+ * key.. */
+ int data_left = sn->len - 2;
+ data_len = sn->data[1];
+ index = 2;
+
+ /* extended length ? (not very likely for a serial number) */
+ if (data_len & 0x80) {
+ int len_count = data_len & 0x7f;
+
+ data_len = 0;
+ data_left -= len_count;
+ if (data_left > 0) {
+ while (len_count--) {
+ data_len = (data_len << 8) | sn->data[index++];
+ }
+ }
+ }
+ /* XXX leaving any leading zeros on the serial number for backwards
+ * compatibility
+ */
+ /* not a valid der, must be just an unlucky serial number value */
+ if (data_len != data_left) {
+ data_len = sn->len;
+ index = 0;
+ }
+ }
+
+ certKey.type = 0;
+ certKey.data = (unsigned char *)PORT_Alloc(sn->len + issuer->len);
+ certKey.len = data_len + issuer->len;
+
+ if (certKey.data == NULL) {
+ return (0);
+ }
+
+ /* first try the serial number as hand-decoded above*/
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[data_len], issuer->data, issuer->len);
+
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+ if (cert) {
+ PORT_Free(certKey.data);
+ return (cert);
+ }
+
+ /* didn't find it, try by der encoded serial number */
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[sn->len], issuer->data, issuer->len);
+ certKey.len = sn->len + issuer->len;
+
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+
+ PORT_Free(certKey.data);
+
+ return (cert);
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+ SECItem certKey;
+ SECItem *sn = &issuerAndSN->serialNumber;
+ SECItem *issuer = &issuerAndSN->derIssuer;
+ NSSLOWCERTTrust *trust;
+ unsigned char keyBuf[512];
+ int data_len = sn->len;
+ int index = 0;
+ int len;
+
+ /* automatically detect DER encoded serial numbers and remove the der
+ * encoding since the database expects unencoded data.
+ * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+ if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+ /* remove the der encoding of the serial number before generating the
+ * key.. */
+ int data_left = sn->len - 2;
+ data_len = sn->data[1];
+ index = 2;
+
+ /* extended length ? (not very likely for a serial number) */
+ if (data_len & 0x80) {
+ int len_count = data_len & 0x7f;
+
+ data_len = 0;
+ data_left -= len_count;
+ if (data_left > 0) {
+ while (len_count--) {
+ data_len = (data_len << 8) | sn->data[index++];
+ }
+ }
+ }
+ /* XXX leaving any leading zeros on the serial number for backwards
+ * compatibility
+ */
+ /* not a valid der, must be just an unlucky serial number value */
+ if (data_len != data_left) {
+ data_len = sn->len;
+ index = 0;
+ }
+ }
+
+ certKey.type = 0;
+ certKey.len = data_len + issuer->len;
+ len = sn->len + issuer->len;
+ if (len > sizeof(keyBuf)) {
+ certKey.data = (unsigned char *)PORT_Alloc(len);
+ } else {
+ certKey.data = keyBuf;
+ }
+
+ if (certKey.data == NULL) {
+ return (0);
+ }
+
+ /* first try the serial number as hand-decoded above*/
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[data_len], issuer->data, issuer->len);
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+ if (trust) {
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+ return (trust);
+ }
+
+ if (index == 0) {
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+ return NULL;
+ }
+
+ /* didn't find it, try by der encoded serial number */
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[sn->len], issuer->data, issuer->len);
+ certKey.len = sn->len + issuer->len;
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+
+ return (trust);
+}
+
+/*
+ * look for the given DER certificate in the database
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert)
+{
+ PLArenaPool *arena;
+ SECItem certKey;
+ SECStatus rv;
+ NSSLOWCERTCertificate *cert = NULL;
+
+ /* create a scratch arena */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return (NULL);
+ }
+
+ /* extract the database key from the cert */
+ rv = nsslowcert_KeyFromDERCert(arena, derCert, &certKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* find the certificate */
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ return (cert);
+}
+
+static void
+DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
+{
+ int refCount;
+ NSSLOWCERTCertDBHandle *handle;
+
+ if (cert) {
+
+ handle = cert->dbhandle;
+
+ /*
+ * handle may be NULL, for example if the cert was created with
+ * nsslowcert_DecodeDERCertificate.
+ */
+ if (lockdb && handle) {
+ nsslowcert_LockDB(handle);
+ }
+
+ nsslowcert_LockCertRefCount(cert);
+ PORT_Assert(cert->referenceCount > 0);
+ refCount = --cert->referenceCount;
+ nsslowcert_UnlockCertRefCount(cert);
+
+ if (refCount == 0) {
+ certDBEntryCert *entry = cert->dbEntry;
+
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+
+ pkcs11_freeNickname(cert->nickname, cert->nicknameSpace);
+ pkcs11_freeNickname(cert->emailAddr, cert->emailAddrSpace);
+ pkcs11_freeStaticData(cert->certKey.data, cert->certKeySpace);
+ cert->certKey.data = NULL;
+ cert->nickname = NULL;
+
+ /* zero cert before freeing. Any stale references to this cert
+ * after this point will probably cause an exception. */
+ PORT_Memset(cert, 0, sizeof *cert);
+
+ /* use reflock to protect the free list */
+ nsslowcert_LockFreeList();
+ if (certListCount > MAX_CERT_LIST_COUNT) {
+ PORT_Free(cert);
+ } else {
+ certListCount++;
+ cert->next = certListHead;
+ certListHead = cert;
+ }
+ nsslowcert_UnlockFreeList();
+ cert = NULL;
+ }
+ if (lockdb && handle) {
+ nsslowcert_UnlockDB(handle);
+ }
+ }
+
+ return;
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void)
+{
+ NSSLOWCERTCertificate *cert;
+ nsslowcert_LockFreeList();
+ cert = certListHead;
+ if (cert) {
+ certListHead = cert->next;
+ certListCount--;
+ }
+ PORT_Assert(certListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (cert) {
+ return cert;
+ }
+ return PORT_ZNew(NSSLOWCERTCertificate);
+}
+
+static void
+DestroyCertFreeList(void)
+{
+ NSSLOWCERTCertificate *cert;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (cert = certListHead)) {
+ certListCount--;
+ certListHead = cert->next;
+ PORT_Free(cert);
+ }
+ PORT_Assert(!certListCount);
+ certListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+void
+nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust)
+{
+ certDBEntryCert *entry = trust->dbEntry;
+
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ pkcs11_freeStaticData(trust->dbKey.data, trust->dbKeySpace);
+ PORT_Memset(trust, 0, sizeof(*trust));
+
+ nsslowcert_LockFreeList();
+ if (trustListCount > MAX_TRUST_LIST_COUNT) {
+ PORT_Free(trust);
+ } else {
+ trustListCount++;
+ trust->next = trustListHead;
+ trustListHead = trust;
+ }
+ nsslowcert_UnlockFreeList();
+
+ return;
+}
+
+void
+nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
+{
+ DestroyCertificate(cert, PR_TRUE);
+ return;
+}
+
+static void
+nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert)
+{
+ DestroyCertificate(cert, PR_FALSE);
+ return;
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ * caching stuff used by certificates....?
+ */
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
+ SECItem *crlKey, PRBool isKRL)
+{
+ SECItem keyitem;
+ SECStatus rv;
+ PLArenaPool *arena = NULL;
+ certDBEntryRevocation *entry = NULL;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* find in perm database */
+ entry = ReadDBCrlEntry(handle, crlKey, crlType);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return entry;
+}
+
+/*
+ * replace the existing URL in the data base with a new one
+ */
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL)
+{
+ SECStatus rv = SECFailure;
+ certDBEntryRevocation *entry = NULL;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+ DeleteDBCrlEntry(handle, crlKey, crlType);
+
+ /* Write the new entry into the data base */
+ entry = NewDBCrlEntry(derCrl, url, crlType, 0);
+ if (entry == NULL)
+ goto done;
+
+ rv = WriteDBCrlEntry(handle, entry, crlKey);
+ if (rv != SECSuccess)
+ goto done;
+
+done:
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ return rv;
+}
+
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL)
+{
+ SECStatus rv;
+
+ rv = nsslowcert_UpdateCrl(handle, derCrl, crlKey, url, isKRL);
+
+ return rv;
+}
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, const SECItem *derName,
+ PRBool isKRL)
+{
+ SECStatus rv;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+
+ rv = DeleteDBCrlEntry(handle, derName, crlType);
+ if (rv != SECSuccess)
+ goto done;
+
+done:
+ return rv;
+}
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
+{
+ if (trust == NULL) {
+ return PR_FALSE;
+ }
+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
+ * we don't have a trust record. */
+ return !(((trust->sslFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->emailFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->objectSigningFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0));
+}
+
+/*
+ * This function has the logic that decides if another person's cert and
+ * email profile from an S/MIME message should be saved. It can deal with
+ * the case when there is no profile.
+ */
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle,
+ char *emailAddr, SECItem *derSubject, SECItem *emailProfile,
+ SECItem *profileTime)
+{
+ certDBEntrySMime *entry = NULL;
+ SECStatus rv = SECFailure;
+ ;
+
+ /* find our existing entry */
+ entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
+
+ if (entry) {
+ /* keep our old db entry consistant for old applications. */
+ if (!SECITEM_ItemsAreEqual(derSubject, &entry->subjectName)) {
+ nsslowcert_UpdateSubjectEmailAddr(dbhandle, &entry->subjectName,
+ emailAddr, nsslowcert_remove);
+ }
+ DestroyDBEntry((certDBEntry *)entry);
+ entry = NULL;
+ }
+
+ /* now save the entry */
+ entry = NewDBSMimeEntry(emailAddr, derSubject, emailProfile,
+ profileTime, 0);
+ if (entry == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ nsslowcert_LockDB(dbhandle);
+
+ rv = DeleteDBSMimeEntry(dbhandle, emailAddr);
+ /* if delete fails, try to write new entry anyway... */
+
+ /* link subject entry back here */
+ rv = nsslowcert_UpdateSubjectEmailAddr(dbhandle, derSubject, emailAddr,
+ nsslowcert_add);
+ if (rv != SECSuccess) {
+ nsslowcert_UnlockDB(dbhandle);
+ goto loser;
+ }
+
+ rv = WriteDBSMimeEntry(dbhandle, entry);
+ if (rv != SECSuccess) {
+ nsslowcert_UnlockDB(dbhandle);
+ goto loser;
+ }
+
+ nsslowcert_UnlockDB(dbhandle);
+
+ rv = SECSuccess;
+
+loser:
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ return (rv);
+}
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
+ SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
+{
+ SECStatus rv = SECFailure;
+ ;
+
+ rv = nsslowcert_UpdateSMimeProfile(dbhandle, emailAddr,
+ derSubject, emailProfile, profileTime);
+
+ return (rv);
+}
+
+void
+nsslowcert_DestroyFreeLists(void)
+{
+ if (freeListLock == NULL) {
+ return;
+ }
+ DestroyCertEntryFreeList();
+ DestroyTrustFreeList();
+ DestroyCertFreeList();
+ SKIP_AFTER_FORK(PZ_DestroyLock(freeListLock));
+ freeListLock = NULL;
+}
+
+void
+nsslowcert_DestroyGlobalLocks(void)
+{
+ if (dbLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(dbLock));
+ dbLock = NULL;
+ }
+ if (certRefCountLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(certRefCountLock));
+ certRefCountLock = NULL;
+ }
+ if (certTrustLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(certTrustLock));
+ certTrustLock = NULL;
+ }
+}
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey,
+ certDBEntryType entryType, void *pdata)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntry *entry;
+ SECStatus rv;
+ SECItem dbEntry;
+
+ if ((dbData->len < SEC_DB_ENTRY_HEADER_LEN) || (dbKey->len == 0)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ dbEntry.data = &dbData->data[SEC_DB_ENTRY_HEADER_LEN];
+ dbEntry.len = dbData->len - SEC_DB_ENTRY_HEADER_LEN;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+ entry = PORT_ArenaZNew(arena, certDBEntry);
+ if (!entry)
+ goto loser;
+
+ entry->common.version = (unsigned int)dbData->data[0];
+ entry->common.flags = (unsigned int)dbData->data[2];
+ entry->common.type = entryType;
+ entry->common.arena = arena;
+
+ switch (entryType) {
+ case certDBEntryTypeContentVersion: /* This type appears to be unused */
+ case certDBEntryTypeVersion: /* This type has only the common hdr */
+ rv = SECSuccess;
+ break;
+
+ case certDBEntryTypeSubject:
+ rv = DecodeDBSubjectEntry(&entry->subject, &dbEntry, dbKey);
+ break;
+
+ case certDBEntryTypeNickname:
+ rv = DecodeDBNicknameEntry(&entry->nickname, &dbEntry,
+ (char *)dbKey->data);
+ break;
+
+ /* smime profiles need entries created after the certs have
+ * been imported, loop over them in a second run */
+ case certDBEntryTypeSMimeProfile:
+ rv = DecodeDBSMimeEntry(&entry->smime, &dbEntry, (char *)dbKey->data);
+ break;
+
+ case certDBEntryTypeCert:
+ rv = DecodeDBCertEntry(&entry->cert, &dbEntry);
+ break;
+
+ case certDBEntryTypeKeyRevocation:
+ case certDBEntryTypeRevocation:
+ rv = DecodeDBCrlEntry(&entry->revocation, &dbEntry);
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ }
+
+ if (rv == SECSuccess)
+ return entry;
+
+loser:
+ if (arena)
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+}
diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h
new file mode 100644
index 0000000000..7eaa82def8
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -0,0 +1,418 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * certt.h - public data structures for the certificate library
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust;
+typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+ PLArenaPool *arena;
+ SECItem notBefore;
+ SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+ SECItem serialNumber;
+ SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+ SECItem data;
+ SECAlgorithmID signatureAlgorithm;
+ SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+ unsigned int sslFlags;
+ unsigned int emailFlags;
+ unsigned int objectSigningFlags;
+};
+
+/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+ NSSLOWCERTTrust *next;
+ NSSLOWCERTCertDBHandle *dbhandle;
+ SECItem dbKey; /* database key for this cert */
+ certDBEntryCert *dbEntry; /* database entry struct */
+ NSSLOWCERTCertTrust *trust;
+ SECItem *derCert; /* original DER for the cert */
+ unsigned char dbKeySpace[512];
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+ /* the arena is used to allocate any data structures that have the same
+ * lifetime as the cert. This is all stuff that hangs off of the cert
+ * structure, and is all freed at the same time. I is used when the
+ * cert is decoded, destroyed, and at some times when it changes
+ * state
+ */
+ NSSLOWCERTCertificate *next;
+ NSSLOWCERTCertDBHandle *dbhandle;
+
+ SECItem derCert; /* original DER for the cert */
+ SECItem derIssuer; /* DER for issuer name */
+ SECItem derSN;
+ SECItem serialNumber;
+ SECItem derSubject; /* DER for subject name */
+ SECItem derSubjKeyInfo;
+ NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
+ SECItem certKey; /* database key for this cert */
+ SECItem validity;
+ certDBEntryCert *dbEntry; /* database entry struct */
+ SECItem subjectKeyID; /* x509v3 subject key identifier */
+ SECItem extensions;
+ char *nickname;
+ char *emailAddr;
+ NSSLOWCERTCertTrust *trust;
+
+ /* the reference count is modified whenever someone looks up, dups
+ * or destroys a certificate
+ */
+ int referenceCount;
+
+ char nicknameSpace[200];
+ char emailAddrSpace[200];
+ unsigned char certKeySpace[512];
+};
+
+#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
+#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
+#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
+
+#define SEC_CRL_VERSION_1 0 /* default */
+#define SEC_CRL_VERSION_2 1 /* v2 extensions */
+
+#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
+
+struct NSSLOWCERTIssuerAndSNStr {
+ SECItem derIssuer;
+ SECItem serialNumber;
+};
+
+typedef SECStatus (*NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char *(*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here?
*/
+
+#include "secasn1t.h" /* way down here because I expect template stuff to
+ * move out of here anyway */
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION 8
+#define CERT_DB_V7_FILE_VERSION 7
+#define CERT_DB_CONTENT_VERSION 2
+
+#define SEC_DB_ENTRY_HEADER_LEN 3
+#define SEC_DB_KEY_HEADER_LEN 1
+
+/* All database entries have this form:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 version
+ * 1 type
+ * 2 flags
+ */
+
+/* database entry types */
+typedef enum {
+ certDBEntryTypeVersion = 0,
+ certDBEntryTypeCert = 1,
+ certDBEntryTypeNickname = 2,
+ certDBEntryTypeSubject = 3,
+ certDBEntryTypeRevocation = 4,
+ certDBEntryTypeKeyRevocation = 5,
+ certDBEntryTypeSMimeProfile = 6,
+ certDBEntryTypeContentVersion = 7,
+ certDBEntryTypeBlob = 8
+} certDBEntryType;
+
+typedef struct {
+ certDBEntryType type;
+ unsigned int version;
+ unsigned int flags;
+ PLArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 sslFlags-msb
+ * 1 sslFlags-lsb
+ * 2 emailFlags-msb
+ * 3 emailFlags-lsb
+ * 4 objectSigningFlags-msb
+ * 5 objectSigningFlags-lsb
+ * 6 derCert-len-msb
+ * 7 derCert-len-lsb
+ * 8 nickname-len-msb
+ * 9 nickname-len-lsb
+ * ... derCert
+ * ... nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ * in other words, the last byte of the db entry is always 0
+ * if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ * nickname-len-lsb will both be zero.
+ */ +struct _certDBEntryCert { + certDBEntryCommon common; + certDBEntryCert *next; + NSSLOWCERTCertTrust trust; + SECItem derCert; + char *nickname; + char nicknameSpace[200]; + unsigned char derCertSpace[2048]; +}; + +/* + * Certificate Nickname entry: + * + * byte offset field + * ----------- ----- + * 0 subjectname-len-msb + * 1 subjectname-len-lsb + * 2... subjectname + * + * The database key for this type of entry is a nickname string + * The "subjectname" value is the DER encoded DN of the identity + * that matches this nickname. + */ +typedef struct { + certDBEntryCommon common; + char *nickname; + SECItem subjectName; +} certDBEntryNickname; + +#define DB_NICKNAME_ENTRY_HEADER_LEN 2 + +/* + * Certificate Subject entry: + * + * byte offset field + * ----------- ----- + * 0 ncerts-msb + * 1 ncerts-lsb + * 2 nickname-msb + * 3 nickname-lsb + * 4 emailAddr-msb + * 5 emailAddr-lsb + * ... nickname + * ... emailAddr + * ...+2*i certkey-len-msb + * ...+1+2*i certkey-len-lsb + * ...+2*ncerts+2*i keyid-len-msb + * ...+1+2*ncerts+2*i keyid-len-lsb + * ... certkeys + * ... keyids + * + * The database key for this type of entry is the DER encoded subject name + * The "certkey" value is an array of certificate database lookup keys that + * points to the database entries for the certificates that matche + * this subject. + * + */ +typedef struct _certDBEntrySubject { + certDBEntryCommon common; + SECItem derSubject; + unsigned int ncerts; + char *nickname; + SECItem *certKeys; + SECItem *keyIDs; + char **emailAddrs; + unsigned int nemailAddrs; +} certDBEntrySubject; + +#define DB_SUBJECT_ENTRY_HEADER_LEN 6 + +/* + * Certificate SMIME profile entry: + * + * byte offset field + * ----------- ----- + * 0 subjectname-len-msb + * 1 subjectname-len-lsb + * 2 smimeoptions-len-msb + * 3 smimeoptions-len-lsb + * 4 options-date-len-msb + * 5 options-date-len-lsb + * 6... subjectname + * ... smimeoptions + * ... 
options-date + * + * The database key for this type of entry is the email address string + * The "subjectname" value is the DER encoded DN of the identity + * that matches this nickname. + * The "smimeoptions" value is a string that represents the algorithm + * capabilities on the remote user. + * The "options-date" is the date that the smime options value was created. + * This is generally the signing time of the signed message that contained + * the options. It is a UTCTime value. + */ +typedef struct { + certDBEntryCommon common; + char *emailAddr; + SECItem subjectName; + SECItem smimeOptions; + SECItem optionsDate; +} certDBEntrySMime; + +#define DB_SMIME_ENTRY_HEADER_LEN 6 + +/* + * Crl/krl entry: + * + * byte offset field + * ----------- ----- + * 0 derCert-len-msb + * 1 derCert-len-lsb + * 2 url-len-msb + * 3 url-len-lsb + * ... derCert + * ... url + * + * NOTE: the url string as stored in the database is null terminated, + * in other words, the last byte of the db entry is always 0 + * if a nickname is present. + * NOTE: if url is not present, then url-len-msb and + * url-len-lsb will both be zero. + */ +#define DB_CRL_ENTRY_HEADER_LEN 4 +struct _certDBEntryRevocation { + certDBEntryCommon common; + SECItem derCrl; + char *url; /* where to load the crl from */ +}; + +/* + * Database Version Entry: + * + * byte offset field + * ----------- ----- + * only the low level header... 
+ * + * The database key for this type of entry is the string "Version" + */ +typedef struct { + certDBEntryCommon common; +} certDBEntryVersion; + +#define SEC_DB_VERSION_KEY "Version" +#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY) + +/* + * Database Content Version Entry: + * + * byte offset field + * ----------- ----- + * 0 contentVersion + * + * The database key for this type of entry is the string "ContentVersion" + */ +typedef struct { + certDBEntryCommon common; + char contentVersion; +} certDBEntryContentVersion; + +#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion" +#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY) + +typedef union { + certDBEntryCommon common; + certDBEntryCert cert; + certDBEntryContentVersion content; + certDBEntryNickname nickname; + certDBEntryRevocation revocation; + certDBEntrySMime smime; + certDBEntrySubject subject; + certDBEntryVersion version; +} certDBEntry; + +/* length of the fixed part of a database entry */ +#define DBCERT_V4_HEADER_LEN 7 +#define DB_CERT_V5_ENTRY_HEADER_LEN 7 +#define DB_CERT_V6_ENTRY_HEADER_LEN 7 +#define DB_CERT_ENTRY_HEADER_LEN 10 + +/* common flags for all types of certificates */ +#define CERTDB_TERMINAL_RECORD (1u << 0) +#define CERTDB_TRUSTED (1u << 1) +#define CERTDB_SEND_WARN (1u << 2) +#define CERTDB_VALID_CA (1u << 3) +#define CERTDB_TRUSTED_CA (1u << 4) /* trusted for issuing server certs */ +#define CERTDB_NS_TRUSTED_CA (1u << 5) +#define CERTDB_USER (1u << 6) +#define CERTDB_TRUSTED_CLIENT_CA (1u << 7) /* trusted for issuing client certs */ +#define CERTDB_INVISIBLE_CA (1u << 8) /* don't show in UI */ +#define CERTDB_GOVT_APPROVED_CA (1u << 9) /* can do strong crypto in export ver */ +#define CERTDB_MUST_VERIFY (1u << 10) /* explicitly don't trust this cert */ +#define CERTDB_TRUSTED_UNKNOWN (1u << 11) /* accept trust from another source */ + +/* bits not affected by the CKO_NETSCAPE_TRUST object */ +#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \ + 
CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \ + CERTDB_GOVT_APPROVED_CA) + +#endif /* _PCERTT_H_ */ diff --git a/security/nss/lib/softoken/legacydb/pk11db.c b/security/nss/lib/softoken/legacydb/pk11db.c new file mode 100644 index 0000000000..a7421c83d3 --- /dev/null +++ b/security/nss/lib/softoken/legacydb/pk11db.c 
@@ -0,0 +1,731 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * The following code handles the storage of PKCS 11 modules used by the + * NSS. This file is written to abstract away how the modules are + * stored so we can deside that later. + */ + +#include "lgdb.h" +#include "mcom_db.h" +#include "secerr.h" +#include "utilpars.h" + +#define FREE_CLEAR(p) \ + if (p) { \ + PORT_Free(p); \ + p = NULL; \ + } + +/* Construct a database key for a given module */ +static SECStatus +lgdb_MakeKey(DBT *key, char *module) +{ + int len = 0; + char *commonName; + + commonName = NSSUTIL_ArgGetParamValue("name", module); + if (commonName == NULL) { + commonName = NSSUTIL_ArgGetParamValue("library", module); + } + if (commonName == NULL) + return SECFailure; + len = PORT_Strlen(commonName); + key->data = commonName; + key->size = len; + return SECSuccess; +} + +/* free out constructed database key */ +static void +lgdb_FreeKey(DBT *key) +{ + if (key->data) { + PORT_Free(key->data); + } + key->data = NULL; + key->size = 0; +} + +typedef struct lgdbDataStr lgdbData; +typedef struct lgdbSlotDataStr lgdbSlotData; +struct lgdbDataStr { + unsigned char major; + unsigned char minor; + unsigned char nameStart[2]; + unsigned char slotOffset[2]; + unsigned char internal; + unsigned char fips; + unsigned char ssl[8]; + unsigned char trustOrder[4]; + unsigned char cipherOrder[4]; + unsigned char reserved1; + unsigned char isModuleDB; + unsigned char isModuleDBOnly; + unsigned char isCritical; + unsigned char reserved[4]; + unsigned char names[6]; /* enough space for the length fields */ +}; + +struct lgdbSlotDataStr { + unsigned char slotID[4]; + unsigned char defaultFlags[4]; + unsigned char timeout[4]; + unsigned char askpw; + unsigned char hasRootCerts; + unsigned char reserved[18]; /* this makes it a round 32 bytes */ 
+}; + +#define LGDB_DB_VERSION_MAJOR 0 +#define LGDB_DB_VERSION_MINOR 6 +#define LGDB_DB_EXT1_VERSION_MAJOR 0 +#define LGDB_DB_EXT1_VERSION_MINOR 6 +#define LGDB_DB_NOUI_VERSION_MAJOR 0 +#define LGDB_DB_NOUI_VERSION_MINOR 4 + +#define LGDB_PUTSHORT(dest, src) \ + (dest)[1] = (unsigned char)((src)&0xff); \ + (dest)[0] = (unsigned char)(((src) >> 8) & 0xff); +#define LGDB_PUTLONG(dest, src) \ + (dest)[3] = (unsigned char)((src)&0xff); \ + (dest)[2] = (unsigned char)(((src) >> 8) & 0xff); \ + (dest)[1] = (unsigned char)(((src) >> 16) & 0xff); \ + (dest)[0] = (unsigned char)(((src) >> 24) & 0xff); +#define LGDB_GETSHORT(src) \ + ((unsigned short)(((src)[0] << 8) | (src)[1])) +#define LGDB_GETLONG(src) \ + ((unsigned long)(((unsigned long)(src)[0] << 24) | \ + ((unsigned long)(src)[1] << 16) | \ + ((unsigned long)(src)[2] << 8) | \ + (unsigned long)(src)[3])) + +/* + * build a data base entry from a module + */ +static SECStatus +lgdb_EncodeData(DBT *data, char *module) +{ + lgdbData *encoded = NULL; + lgdbSlotData *slot; + unsigned char *dataPtr, *offsetPtr; + unsigned short len, len2 = 0, len3 = 0; + int count = 0; + unsigned short offset; + int dataLen, i; + unsigned long order; + unsigned long ssl[2]; + char *commonName = NULL, *dllName = NULL, *param = NULL, *nss = NULL; + char *slotParams, *ciphers; + struct NSSUTILPreSlotInfoStr *slotInfo = NULL; + SECStatus rv = SECFailure; + + rv = NSSUTIL_ArgParseModuleSpec(module, &dllName, &commonName, ¶m, &nss); + if (rv != SECSuccess) + return rv; + rv = SECFailure; + + if (commonName == NULL) { + /* set error */ + goto loser; + } + + len = PORT_Strlen(commonName); + if (dllName) { + len2 = PORT_Strlen(dllName); + } + if (param) { + len3 = PORT_Strlen(param); + } + + slotParams = NSSUTIL_ArgGetParamValue("slotParams", nss); + slotInfo = NSSUTIL_ArgParseSlotInfo(NULL, slotParams, &count); + if (slotParams) + PORT_Free(slotParams); + + if (count && slotInfo == NULL) { + /* set error */ + goto loser; + } + + dataLen = 
sizeof(lgdbData) + len + len2 + len3 + sizeof(unsigned short) + + count * sizeof(lgdbSlotData); + + data->data = (unsigned char *)PORT_ZAlloc(dataLen); + encoded = (lgdbData *)data->data; + dataPtr = (unsigned char *)data->data; + data->size = dataLen; + + if (encoded == NULL) { + /* set error */ + goto loser; + } + + encoded->major = LGDB_DB_VERSION_MAJOR; + encoded->minor = LGDB_DB_VERSION_MINOR; + encoded->internal = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "internal", nss) ? 1 : 0); + encoded->fips = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "FIPS", nss) ? 1 : 0); + encoded->isModuleDB = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "isModuleDB", nss) ? 1 : 0); + encoded->isModuleDBOnly = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "isModuleDBOnly", nss) ? 1 : 0); + encoded->isCritical = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "critical", nss) ? 1 : 0); + + order = NSSUTIL_ArgReadLong("trustOrder", nss, + NSSUTIL_DEFAULT_TRUST_ORDER, NULL); + LGDB_PUTLONG(encoded->trustOrder, order); + order = NSSUTIL_ArgReadLong("cipherOrder", nss, + NSSUTIL_DEFAULT_CIPHER_ORDER, NULL); + LGDB_PUTLONG(encoded->cipherOrder, order); + + ciphers = NSSUTIL_ArgGetParamValue("ciphers", nss); + NSSUTIL_ArgParseCipherFlags(&ssl[0], ciphers); + LGDB_PUTLONG(encoded->ssl, ssl[0]); + LGDB_PUTLONG(&encoded->ssl[4], ssl[1]); + if (ciphers) + PORT_Free(ciphers); + + offset = (unsigned short)offsetof(lgdbData, names); + LGDB_PUTSHORT(encoded->nameStart, offset); + offset = offset + len + len2 + len3 + 3 * sizeof(unsigned short); + LGDB_PUTSHORT(encoded->slotOffset, offset); + + LGDB_PUTSHORT(&dataPtr[offset], ((unsigned short)count)); + slot = (lgdbSlotData *)(dataPtr + offset + sizeof(unsigned short)); + + offsetPtr = encoded->names; + LGDB_PUTSHORT(encoded->names, len); + offsetPtr += sizeof(unsigned short); + PORT_Memcpy(offsetPtr, commonName, len); + offsetPtr += len; + + LGDB_PUTSHORT(offsetPtr, len2); + offsetPtr += sizeof(unsigned short); + if (len2) { + PORT_Memcpy(offsetPtr, 
dllName, len2); + } + offsetPtr += len2; + + LGDB_PUTSHORT(offsetPtr, len3); + offsetPtr += sizeof(unsigned short); + if (len3) { + PORT_Memcpy(offsetPtr, param, len3); + } + offsetPtr += len3; + + if (count) { + for (i = 0; i < count; i++) { + LGDB_PUTLONG(slot[i].slotID, slotInfo[i].slotID); + LGDB_PUTLONG(slot[i].defaultFlags, + slotInfo[i].defaultFlags); + LGDB_PUTLONG(slot[i].timeout, slotInfo[i].timeout); + slot[i].askpw = slotInfo[i].askpw; + slot[i].hasRootCerts = slotInfo[i].hasRootCerts; + PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved)); + } + } + rv = SECSuccess; + +loser: + if (commonName) + PORT_Free(commonName); + if (dllName) + PORT_Free(dllName); + if (param) + PORT_Free(param); + if (slotInfo) + PORT_Free(slotInfo); + if (nss) + PORT_Free(nss); + return rv; +} + +static void +lgdb_FreeData(DBT *data) +{ + if (data->data) { + PORT_Free(data->data); + } +} + +static void +lgdb_FreeSlotStrings(char **slotStrings, int count) +{ + int i; + + for (i = 0; i < count; i++) { + if (slotStrings[i]) { + PR_smprintf_free(slotStrings[i]); + slotStrings[i] = NULL; + } + } +} + +/* + * build a module from the data base entry. 
+ */ +static char * +lgdb_DecodeData(char *defParams, DBT *data, PRBool *retInternal) +{ + lgdbData *encoded; + lgdbSlotData *slots; + PLArenaPool *arena; + char *commonName = NULL; + char *dllName = NULL; + char *parameters = NULL; + char *nss; + char *moduleSpec; + char **slotStrings = NULL; + unsigned char *names; + unsigned long slotCount; + unsigned long ssl0 = 0; + unsigned long ssl1 = 0; + unsigned long slotID; + unsigned long defaultFlags; + unsigned long timeout; + unsigned long trustOrder = NSSUTIL_DEFAULT_TRUST_ORDER; + unsigned long cipherOrder = NSSUTIL_DEFAULT_CIPHER_ORDER; + unsigned short len; + unsigned short namesOffset = 0; /* start of the names block */ + unsigned long namesRunningOffset; /* offset to name we are + * currently processing */ + unsigned short slotOffset; + PRBool isOldVersion = PR_FALSE; + PRBool internal; + PRBool isFIPS; + PRBool isModuleDB = PR_FALSE; + PRBool isModuleDBOnly = PR_FALSE; + PRBool extended = PR_FALSE; + int i; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) + return NULL; + +#define CHECK_SIZE(x) \ + if ((unsigned int)data->size < (unsigned int)(x)) \ + goto db_loser + + /* ------------------------------------------------------------- + ** Process the buffer header, which is the lgdbData struct. + ** It may be an old or new version. Check the length for each. + */ + + CHECK_SIZE(offsetof(lgdbData, trustOrder[0])); + + encoded = (lgdbData *)data->data; + + internal = (encoded->internal != 0) ? PR_TRUE : PR_FALSE; + isFIPS = (encoded->fips != 0) ? 
PR_TRUE : PR_FALSE; + + if (retInternal) + *retInternal = internal; + if (internal) { + parameters = PORT_ArenaStrdup(arena, defParams); + if (parameters == NULL) + goto loser; + } + if (internal && (encoded->major == LGDB_DB_NOUI_VERSION_MAJOR) && + (encoded->minor <= LGDB_DB_NOUI_VERSION_MINOR)) { + isOldVersion = PR_TRUE; + } + if ((encoded->major == LGDB_DB_EXT1_VERSION_MAJOR) && + (encoded->minor >= LGDB_DB_EXT1_VERSION_MINOR)) { + CHECK_SIZE(sizeof(lgdbData)); + trustOrder = LGDB_GETLONG(encoded->trustOrder); + cipherOrder = LGDB_GETLONG(encoded->cipherOrder); + isModuleDB = (encoded->isModuleDB != 0) ? PR_TRUE : PR_FALSE; + isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE : PR_FALSE; + extended = PR_TRUE; + } + if (internal && !extended) { + trustOrder = 0; + cipherOrder = 100; + } + /* decode SSL cipher enable flags */ + ssl0 = LGDB_GETLONG(encoded->ssl); + ssl1 = LGDB_GETLONG(encoded->ssl + 4); + + slotOffset = LGDB_GETSHORT(encoded->slotOffset); + namesOffset = LGDB_GETSHORT(encoded->nameStart); + + /*-------------------------------------------------------------- + ** Now process the variable length set of names. + ** The names have this structure: + ** struct { + ** BYTE commonNameLen[ 2 ]; + ** BYTE commonName [ commonNameLen ]; + ** BTTE libNameLen [ 2 ]; + ** BYTE libName [ libNameLen ]; + ** If it is "extended" it also has these members: + ** BYTE initStringLen[ 2 ]; + ** BYTE initString [ initStringLen ]; + ** } + */ + + namesRunningOffset = namesOffset; + /* copy the module's common name */ + CHECK_SIZE(namesRunningOffset + 2); + names = (unsigned char *)data->data; + len = LGDB_GETSHORT(names + namesRunningOffset); + + CHECK_SIZE(namesRunningOffset + 2 + len); + commonName = (char *)PORT_ArenaAlloc(arena, len + 1); + if (commonName == NULL) + goto loser; + PORT_Memcpy(commonName, names + namesRunningOffset + 2, len); + commonName[len] = 0; + namesRunningOffset += len + 2; + + /* copy the module's shared library file name. 
*/ + CHECK_SIZE(namesRunningOffset + 2); + len = LGDB_GETSHORT(names + namesRunningOffset); + if (len) { + CHECK_SIZE(namesRunningOffset + 2 + len); + dllName = (char *)PORT_ArenaAlloc(arena, len + 1); + if (dllName == NULL) + goto loser; + PORT_Memcpy(dllName, names + namesRunningOffset + 2, len); + dllName[len] = 0; + } + namesRunningOffset += len + 2; + + /* copy the module's initialization string, if present. */ + if (!internal && extended) { + CHECK_SIZE(namesRunningOffset + 2); + len = LGDB_GETSHORT(names + namesRunningOffset); + if (len) { + CHECK_SIZE(namesRunningOffset + 2 + len); + parameters = (char *)PORT_ArenaAlloc(arena, len + 1); + if (parameters == NULL) + goto loser; + PORT_Memcpy(parameters, names + namesRunningOffset + 2, len); + parameters[len] = 0; + } + namesRunningOffset += len + 2; + } + + /* + * Consistency check: Make sure the slot and names blocks don't + * overlap. These blocks can occur in any order, so this check is made + * in 2 parts. First we check the case where the slot block starts + * after the name block. Later, when we have the slot block length, + * we check the case where slot block starts before the name block. + * NOTE: in most cases any overlap will likely be detected by invalid + * data read from the blocks, but it's better to find out sooner + * than later. + */ + if (slotOffset >= namesOffset) { /* slot block starts after name block */ + if (slotOffset < namesRunningOffset) { + goto db_loser; + } + } + + /* ------------------------------------------------------------------ + ** Part 3, process the slot table. + ** This part has this structure: + ** struct { + ** BYTE slotCount [ 2 ]; + ** lgdbSlotData [ slotCount ]; + ** { + */ + + CHECK_SIZE(slotOffset + 2); + slotCount = LGDB_GETSHORT((unsigned char *)data->data + slotOffset); + + /* + * Consistency check: Part 2. We now have the slot block length, we can + * check the case where the slotblock procedes the name block. 
+ */ + if (slotOffset < namesOffset) { /* slot block starts before name block */ + if (namesOffset < slotOffset + 2 + slotCount * sizeof(lgdbSlotData)) { + goto db_loser; + } + } + + CHECK_SIZE((slotOffset + 2 + slotCount * sizeof(lgdbSlotData))); + slots = (lgdbSlotData *)((unsigned char *)data->data + slotOffset + 2); + + /* slotCount; */ + slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *)); + if (slotStrings == NULL) + goto loser; + for (i = 0; i < (int)slotCount; i++, slots++) { + PRBool hasRootCerts = PR_FALSE; + PRBool hasRootTrust = PR_FALSE; + slotID = LGDB_GETLONG(slots->slotID); + defaultFlags = LGDB_GETLONG(slots->defaultFlags); + timeout = LGDB_GETLONG(slots->timeout); + hasRootCerts = slots->hasRootCerts; + if (isOldVersion && internal && (slotID != 2)) { + unsigned long internalFlags = + NSSUTIL_ArgParseSlotFlags("slotFlags", + NSSUTIL_DEFAULT_SFTKN_FLAGS); + defaultFlags |= internalFlags; + } + if (hasRootCerts && !extended) { + trustOrder = 100; + } + + slotStrings[i] = NSSUTIL_MkSlotString(slotID, defaultFlags, timeout, + (unsigned char)slots->askpw, + hasRootCerts, hasRootTrust); + if (slotStrings[i] == NULL) { + lgdb_FreeSlotStrings(slotStrings, i); + goto loser; + } + } + + nss = NSSUTIL_MkNSSString(slotStrings, slotCount, internal, isFIPS, + isModuleDB, isModuleDBOnly, internal, trustOrder, + cipherOrder, ssl0, ssl1); + lgdb_FreeSlotStrings(slotStrings, slotCount); + /* it's permissible (and normal) for nss to be NULL. 
it simply means + * there are no NSS specific parameters in the database */ + moduleSpec = NSSUTIL_MkModuleSpec(dllName, commonName, parameters, nss); + PR_smprintf_free(nss); + PORT_FreeArena(arena, PR_TRUE); + return moduleSpec; + +db_loser: + PORT_SetError(SEC_ERROR_BAD_DATABASE); +loser: + PORT_FreeArena(arena, PR_TRUE); + return NULL; +} + +static DB * +lgdb_OpenDB(const char *appName, const char *filename, const char *dbName, + PRBool readOnly, PRBool update) +{ + DB *pkcs11db = NULL; + + if (appName) { + char *secname = PORT_Strdup(filename); + int len = strlen(secname); + int status = RDB_FAIL; + + if (len >= 3 && PORT_Strcmp(&secname[len - 3], ".db") == 0) { + secname[len - 3] = 0; + } + pkcs11db = + rdbopen(appName, "", secname, readOnly ? NO_RDONLY : NO_RDWR, NULL); + if (update && !pkcs11db) { + DB *updatedb; + + pkcs11db = rdbopen(appName, "", secname, NO_CREATE, &status); + if (!pkcs11db) { + if (status == RDB_RETRY) { + pkcs11db = rdbopen(appName, "", secname, + readOnly ? NO_RDONLY : NO_RDWR, NULL); + } + PORT_Free(secname); + return pkcs11db; + } + updatedb = dbopen(dbName, NO_RDONLY, 0600, DB_HASH, 0); + if (updatedb) { + db_Copy(pkcs11db, updatedb); + (*updatedb->close)(updatedb); + } else { + (*pkcs11db->close)(pkcs11db); + PORT_Free(secname); + return NULL; + } + } + PORT_Free(secname); + return pkcs11db; + } + + /* I'm sure we should do more checks here sometime... */ + pkcs11db = dbopen(dbName, readOnly ? NO_RDONLY : NO_RDWR, 0600, DB_HASH, 0); + + /* didn't exist? 
create it */ + if (pkcs11db == NULL) { + if (readOnly) + return NULL; + + pkcs11db = dbopen(dbName, NO_CREATE, 0600, DB_HASH, 0); + if (pkcs11db) + (*pkcs11db->sync)(pkcs11db, 0); + } + return pkcs11db; +} + +static void +lgdb_CloseDB(DB *pkcs11db) +{ + (*pkcs11db->close)(pkcs11db); +} + +SECStatus legacy_AddSecmodDB(const char *appName, const char *filename, + const char *dbname, char *module, PRBool rw); + +#define LGDB_STEP 10 +/* + * Read all the existing modules in + */ +char ** +legacy_ReadSecmodDB(const char *appName, const char *filename, + const char *dbname, char *params, PRBool rw) +{ + DBT key, data; + int ret; + DB *pkcs11db = NULL; + char **moduleList = NULL, **newModuleList = NULL; + int moduleCount = 1; + int useCount = LGDB_STEP; + + moduleList = (char **)PORT_ZAlloc(useCount * sizeof(char **)); + if (moduleList == NULL) + return NULL; + + pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_TRUE, rw); + if (pkcs11db == NULL) + goto done; + + /* read and parse the file or data base */ + ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST); + if (ret) + goto done; + + do { + char *moduleString; + PRBool internal = PR_FALSE; + if ((moduleCount + 1) >= useCount) { + useCount += LGDB_STEP; + newModuleList = + (char **)PORT_Realloc(moduleList, useCount * sizeof(char *)); + if (newModuleList == NULL) + goto done; + moduleList = newModuleList; + PORT_Memset(&moduleList[moduleCount + 1], 0, + sizeof(char *) * LGDB_STEP); + } + moduleString = lgdb_DecodeData(params, &data, &internal); + if (internal) { + moduleList[0] = moduleString; + } else { + moduleList[moduleCount] = moduleString; + moduleCount++; + } + } while ((*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0); + +done: + if (!moduleList[0]) { + char *newparams = NSSUTIL_Quote(params, '"'); + if (newparams) { + moduleList[0] = PR_smprintf( + NSSUTIL_DEFAULT_INTERNAL_INIT1 "%s" NSSUTIL_DEFAULT_INTERNAL_INIT2 "%s" NSSUTIL_DEFAULT_INTERNAL_INIT3, + newparams, NSSUTIL_DEFAULT_SFTKN_FLAGS); + 
PORT_Free(newparams); + } + } + /* deal with trust cert db here */ + + if (pkcs11db) { + lgdb_CloseDB(pkcs11db); + } else if (moduleList[0] && rw) { + legacy_AddSecmodDB(appName, filename, dbname, moduleList[0], rw); + } + if (!moduleList[0]) { + PORT_Free(moduleList); + moduleList = NULL; + } + return moduleList; +} + +SECStatus +legacy_ReleaseSecmodDBData(const char *appName, const char *filename, + const char *dbname, char **moduleSpecList, PRBool rw) +{ + if (moduleSpecList) { + char **index; + for (index = moduleSpecList; *index; index++) { + PR_smprintf_free(*index); + } + PORT_Free(moduleSpecList); + } + return SECSuccess; +} + +/* + * Delete a module from the Data Base + */ +SECStatus +legacy_DeleteSecmodDB(const char *appName, const char *filename, + const char *dbname, char *args, PRBool rw) +{ + DBT key; + SECStatus rv = SECFailure; + DB *pkcs11db = NULL; + int ret; + + if (!rw) + return SECFailure; + + /* make sure we have a db handle */ + pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_FALSE, PR_FALSE); + if (pkcs11db == NULL) { + return SECFailure; + } + + rv = lgdb_MakeKey(&key, args); + if (rv != SECSuccess) + goto done; + rv = SECFailure; + ret = (*pkcs11db->del)(pkcs11db, &key, 0); + lgdb_FreeKey(&key); + if (ret != 0) + goto done; + + ret = (*pkcs11db->sync)(pkcs11db, 0); + if (ret == 0) + rv = SECSuccess; + +done: + lgdb_CloseDB(pkcs11db); + return rv; +} + +/* + * Add a module to the Data base + */ +SECStatus +legacy_AddSecmodDB(const char *appName, const char *filename, + const char *dbname, char *module, PRBool rw) +{ + DBT key, data; + SECStatus rv = SECFailure; + DB *pkcs11db = NULL; + int ret; + + if (!rw) + return SECFailure; + + /* make sure we have a db handle */ + pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_FALSE, PR_FALSE); + if (pkcs11db == NULL) { + return SECFailure; + } + + rv = lgdb_MakeKey(&key, module); + if (rv != SECSuccess) + goto done; + rv = lgdb_EncodeData(&data, module); + if (rv != SECSuccess) { + 
lgdb_FreeKey(&key); + goto done; + } + rv = SECFailure; + ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0); + lgdb_FreeKey(&key); + lgdb_FreeData(&data); + if (ret != 0) + goto done; + + ret = (*pkcs11db->sync)(pkcs11db, 0); + if (ret == 0) + rv = SECSuccess; + +done: + lgdb_CloseDB(pkcs11db); + return rv; +} diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c new file mode 100644 index 0000000000..461e9a3cd2 --- /dev/null +++ b/security/nss/lib/softoken/lgglue.c 
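Review bot: In legacy_ReadSecmodDB, a NULL return from lgdb_DecodeData (which is how it reports a truncated or inconsistent record, after setting SEC_ERROR_BAD_DATABASE) is stored into moduleList[moduleCount] and moduleCount is still advanced, so the NULL-terminated list handed back ends at the bad record: any consumer walking to the first NULL sees only the entries before it, and legacy_ReleaseSecmodDBData's `for (index = moduleSpecList; *index; index++)` stops there and leaks every string stored after it; skipping the entry instead, `} else if (moduleString) {`, keeps the list well-formed. In lgdb_OpenDB, `char *secname = PORT_Strdup(filename);` is passed straight to strlen with no NULL check, so an allocation failure dereferences NULL; `if (!secname) return NULL;` before the length computation closes that. The three `/* set error */` placeholders in lgdb_EncodeData leave the error code unset on failure, so a caller of legacy_AddSecmodDB sees whatever error an earlier call left behind; a `PORT_SetError(SEC_ERROR_NO_MEMORY)` on the PORT_ZAlloc failure and `PORT_SetError(SEC_ERROR_INVALID_ARGS)` on the missing-name and bad-slotParams paths would make those failures diagnosable.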
@@ -0,0 +1,422 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * The following code handles the storage of PKCS 11 modules used by the + * NSS. This file is written to abstract away how the modules are + * stored so we can deside that later. + */ +#include "sftkdb.h" +#include "sftkdbti.h" +#include "sdb.h" +#include "prsystem.h" +#include "prprf.h" +#include "prenv.h" +#include "lgglue.h" +#include "secerr.h" +#include "softoken.h" + +static LGOpenFunc legacy_glue_open = NULL; +static LGReadSecmodFunc legacy_glue_readSecmod = NULL; +static LGReleaseSecmodFunc legacy_glue_releaseSecmod = NULL; +static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL; +static LGAddSecmodFunc legacy_glue_addSecmod = NULL; +static LGShutdownFunc legacy_glue_shutdown = NULL; + +/* + * The following 3 functions duplicate the work done by bl_LoadLibrary. + * We should make bl_LoadLibrary a global and replace the call to + * sftkdb_LoadLibrary(const char *libname) with it. 
+ */ +#ifdef XP_UNIX +#include +#define LG_MAX_LINKS 20 +static char * +sftkdb_resolvePath(const char *orig) +{ + int count = 0; + int len = 0; + int ret = -1; + char *resolved = NULL; + char *source = NULL; + + len = 1025; /* MAX PATH +1*/ + if (strlen(orig) + 1 > len) { + /* PATH TOO LONG */ + return NULL; + } + resolved = PORT_Alloc(len); + if (!resolved) { + return NULL; + } + source = PORT_Alloc(len); + if (!source) { + goto loser; + } + PORT_Strcpy(source, orig); + /* Walk down all the links */ + while (count++ < LG_MAX_LINKS) { + char *tmp; + /* swap our previous sorce out with resolved */ + /* read it */ + ret = readlink(source, resolved, len - 1); + if (ret < 0) { + break; + } + resolved[ret] = 0; + tmp = source; + source = resolved; + resolved = tmp; + } + if (count > 1) { + ret = 0; + } +loser: + if (resolved) { + PORT_Free(resolved); + } + if (ret < 0) { + if (source) { + PORT_Free(source); + source = NULL; + } + } + return source; +} + +#endif + +static PRLibrary * +sftkdb_LoadFromPath(const char *path, const char *libname) +{ + char *c; + int pathLen, nameLen, fullPathLen; + char *fullPathName = NULL; + PRLibSpec libSpec; + PRLibrary *lib = NULL; + + /* strip of our parent's library name */ + c = strrchr(path, PR_GetDirectorySeparator()); + if (!c) { + return NULL; /* invalid path */ + } + pathLen = (c - path) + 1; + nameLen = strlen(libname); + fullPathLen = pathLen + nameLen + 1; + fullPathName = (char *)PORT_Alloc(fullPathLen); + if (fullPathName == NULL) { + return NULL; /* memory allocation error */ + } + PORT_Memcpy(fullPathName, path, pathLen); + PORT_Memcpy(fullPathName + pathLen, libname, nameLen); + fullPathName[fullPathLen - 1] = 0; + + libSpec.type = PR_LibSpec_Pathname; + libSpec.value.pathname = fullPathName; + lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); + PORT_Free(fullPathName); + return lib; +} + +static PRLibrary * +sftkdb_LoadLibrary(const char *libname) +{ + PRLibrary *lib = NULL; + PRFuncPtr fn_addr; + char 
*parentLibPath = NULL; + + fn_addr = (PRFuncPtr)&sftkdb_LoadLibrary; + parentLibPath = PR_GetLibraryFilePathname(SOFTOKEN_LIB_NAME, fn_addr); + + if (!parentLibPath) { + goto done; + } + + lib = sftkdb_LoadFromPath(parentLibPath, libname); +#ifdef XP_UNIX + /* handle symbolic link case */ + if (!lib) { + char *trueParentLibPath = sftkdb_resolvePath(parentLibPath); + if (!trueParentLibPath) { + goto done; + } + lib = sftkdb_LoadFromPath(trueParentLibPath, libname); + PORT_Free(trueParentLibPath); + } +#endif + +done: + if (parentLibPath) { + PORT_Free(parentLibPath); + } + + /* still couldn't load it, try the generic path */ + if (!lib) { + PRLibSpec libSpec; + libSpec.type = PR_LibSpec_Pathname; + libSpec.value.pathname = libname; + lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); + } + + return lib; +} + +/* + * stub files for legacy db's to be able to encrypt and decrypt + * various keys and attributes. + */ +static SECStatus +sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText, + SECItem **cipherText) +{ + SFTKDBHandle *handle = sdb->app_private; + SECStatus rv; + SECItem *key; + int iterationCount; + + if (handle == NULL) { + return SECFailure; + } + + /* if we aren't the key handle, try the other handle */ + if (handle->type != SFTK_KEYDB_TYPE) { + handle = handle->peerDB; + } + + /* not a key handle */ + if (handle == NULL || handle->passwordLock == NULL) { + return SECFailure; + } + + PZ_Lock(handle->passwordLock); + if (handle->passwordKey.data == NULL) { + PZ_Unlock(handle->passwordLock); + /* PORT_SetError */ + return SECFailure; + } + key = handle->newKey ? 
handle->newKey : &handle->passwordKey; + if (sftk_isLegacyIterationCountAllowed()) { + if (handle->newKey) { + iterationCount = handle->newDefaultIterationCount; + } else { + iterationCount = handle->defaultIterationCount; + } + } else { + iterationCount = 1; + } + + rv = sftkdb_EncryptAttribute(arena, handle, sdb, key, iterationCount, + CK_INVALID_HANDLE, CKT_INVALID_TYPE, + plainText, cipherText); + PZ_Unlock(handle->passwordLock); + + return rv; +} + +/* + * stub files for legacy db's to be able to encrypt and decrypt + * various keys and attributes. + */ +static SECStatus +sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText) +{ + SFTKDBHandle *handle = sdb->app_private; + SECStatus rv; + SECItem *oldKey = NULL; + + if (handle == NULL) { + return SECFailure; + } + + /* if we aren't the key handle, try the other handle */ + oldKey = handle->oldKey; + if (handle->type != SFTK_KEYDB_TYPE) { + handle = handle->peerDB; + } + + /* not a key handle */ + if (handle == NULL || handle->passwordLock == NULL) { + return SECFailure; + } + + PZ_Lock(handle->passwordLock); + if (handle->passwordKey.data == NULL) { + PZ_Unlock(handle->passwordLock); + /* PORT_SetError */ + return SECFailure; + } + rv = sftkdb_DecryptAttribute(NULL, oldKey ? oldKey : &handle->passwordKey, + CK_INVALID_HANDLE, + CKT_INVALID_TYPE, + cipherText, plainText); + PZ_Unlock(handle->passwordLock); + + return rv; +} + +static const char *LEGACY_LIB_NAME = + SHLIB_PREFIX "nssdbm" SHLIB_VERSION "." SHLIB_SUFFIX; +/* + * 2 bools to tell us if we've check the legacy library successfully or + * not. 
Initialize on startup to false by the C BSS segment;
+ */
+static PRLibrary *legacy_glue_lib = NULL;
+static SECStatus
+sftkdbLoad_Legacy()
+{
+ PRLibrary *lib = NULL;
+ LGSetCryptFunc setCryptFunction = NULL;
+
+ if (legacy_glue_lib) {
+ return SECSuccess;
+ }
+
+ lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
+ if (lib == NULL) {
+ return SECFailure;
+ }
+
+ legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
+ legacy_glue_readSecmod =
+ (LGReadSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_ReadSecmodDB");
+ legacy_glue_releaseSecmod =
+ (LGReleaseSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_ReleaseSecmodDBData");
+ legacy_glue_deleteSecmod =
+ (LGDeleteSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_DeleteSecmodDB");
+ legacy_glue_addSecmod =
+ (LGAddSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_AddSecmodDB");
+ legacy_glue_shutdown =
+ (LGShutdownFunc)PR_FindFunctionSymbol(lib, "legacy_Shutdown");
+ setCryptFunction =
+ (LGSetCryptFunc)PR_FindFunctionSymbol(lib, "legacy_SetCryptFunctions");
+
+ if (!legacy_glue_open || !legacy_glue_readSecmod ||
+ !legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod ||
+ !legacy_glue_addSecmod || !setCryptFunction) {
+ PR_UnloadLibrary(lib);
+ return SECFailure;
+ }
+
+ setCryptFunction(sftkdb_encrypt_stub, sftkdb_decrypt_stub);
+ legacy_glue_lib = lib;
+ return SECSuccess;
+}
+
+CK_RV
+sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (!legacy_glue_open) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_open)(dir, certPrefix, keyPrefix,
+ certVersion, keyVersion,
+ flags, certDB, keyDB);
+}
+
+char **
+sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *params, PRBool rw)
+{
+ SECStatus rv;
+
+ rv =
sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+ if (!legacy_glue_readSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return NULL;
+ }
+ return (*legacy_glue_readSecmod)(appName, filename, dbname, params, rw);
+}
+
+SECStatus
+sftkdbCall_ReleaseSecmodDBData(const char *appName,
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_releaseSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_releaseSecmod)(appName, filename, dbname,
+ moduleSpecList, rw);
+}
+
+SECStatus
+sftkdbCall_DeleteSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *args, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_deleteSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_deleteSecmod)(appName, filename, dbname, args, rw);
+}
+
+SECStatus
+sftkdbCall_AddSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *module, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_addSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_addSecmod)(appName, filename, dbname, module, rw);
+}
+
+CK_RV
+sftkdbCall_Shutdown(void)
+{
+ CK_RV crv = CKR_OK;
+ char *disableUnload = NULL;
+ if (!legacy_glue_lib) {
+ return CKR_OK;
+ }
+ if (legacy_glue_shutdown) {
+#ifdef NO_FORK_CHECK
+ PRBool parentForkedAfterC_Initialize = PR_FALSE;
+#endif
+ crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
+ }
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (!disableUnload) {
+ PR_UnloadLibrary(legacy_glue_lib);
+ }
+ legacy_glue_lib = NULL;
+ legacy_glue_open = NULL;
+ legacy_glue_readSecmod =
NULL;
+ legacy_glue_releaseSecmod = NULL;
+ legacy_glue_deleteSecmod = NULL;
+ legacy_glue_addSecmod = NULL;
+ return crv;
+}
diff --git a/security/nss/lib/softoken/lgglue.h b/security/nss/lib/softoken/lgglue.h
new file mode 100644
index 0000000000..61dbfecf62
--- /dev/null
+++ b/security/nss/lib/softoken/lgglue.h
@@ -0,0 +1,59 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This code defines the glue layer between softoken and the legacy DB library
+ */
+#include "sdb.h"
+
+/*
+ * function prototypes for the callbacks into softoken from the legacyDB
+ */
+
+typedef SECStatus (*LGEncryptFunc)(PLArenaPool *arena, SDB *sdb,
+ SECItem *plainText, SECItem **cipherText);
+typedef SECStatus (*LGDecryptFunc)(SDB *sdb, SECItem *cipherText,
+ SECItem **plainText);
+
+/*
+ * function prototypes for the exported functions.
+ */
+typedef CK_RV (*LGOpenFunc)(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+typedef char **(*LGReadSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGReleaseSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+typedef SECStatus (*LGDeleteSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGAddSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGShutdownFunc)(PRBool forked);
+typedef void (*LGSetForkStateFunc)(PRBool);
+typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+
+/*
+ * Softoken Glue Functions
+ */
+CK_RV sftkdbCall_open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+char **sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *params, PRBool rw);
+SECStatus sftkdbCall_ReleaseSecmodDBData(const char *appName,
+ const char *filename, const char *dbname,
+ char
**moduleSpecList, PRBool rw);
+SECStatus sftkdbCall_DeleteSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *args, PRBool rw);
+SECStatus sftkdbCall_AddSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *module, PRBool rw);
+CK_RV sftkdbCall_Shutdown(void);
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
new file mode 100644
index 0000000000..f47bda231d
--- /dev/null
+++ b/security/nss/lib/softoken/lowkey.c
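Review bot: lgglue.h has no include guard, unlike lowkeyi.h and lowkeyti.h in this same patch, so including it twice in one translation unit repeats every `LG*Func` typedef (identical typedef redefinition is only legal from C11 on, and any drift between the copies becomes a hard error). Wrap the file in `#ifndef _LGGLUE_H_` / `#define _LGGLUE_H_` after the license block and `#endif /* _LGGLUE_H_ */` after the `sftkdbCall_Shutdown` prototype, following the two sibling headers. `LGSetForkStateFunc` is also declared here but nothing in the lgglue.c hunk resolves a symbol of that type, so it may be dead; if it is kept, a one-line comment naming its user would help.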
@@ -0,0 +1,544 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "softoken.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYAttribute, attrValue),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+ { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSLOWKEYPrivateKeyInfo, version) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYPrivateKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+ nsslowkey_SetOfAttributeTemplate },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, subjectPublicKey) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.publicExponent) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, prime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, subPrime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, base) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.publicValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue)
},
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
+ { 0 }
+};
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.privateValue) },
+ /* We only support named curves for which the parameters are
+ * encoded as an object ID.
+ */
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 0,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.ecParams.curveOID),
+ SEC_ASN1_SUB(SEC_ObjectIDTemplate) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 1,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue),
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
+ { 0 }
+};
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+ key->u.rsa.privateExponent.type = siUnsignedInteger;
+ key->u.rsa.prime1.type = siUnsignedInteger;
+ key->u.rsa.prime2.type = siUnsignedInteger;
+ key->u.rsa.exponent1.type = siUnsignedInteger;
+ key->u.rsa.exponent2.type = siUnsignedInteger;
+ key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+ params->prime.type = siUnsignedInteger;
+ params->subPrime.type = siUnsignedInteger;
+ params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dsa.publicValue.type = siUnsignedInteger;
+ key->u.dsa.privateValue.type = siUnsignedInteger;
+ key->u.dsa.params.prime.type = siUnsignedInteger;
+ key->u.dsa.params.subPrime.type = siUnsignedInteger;
+ key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dh.prime.type = siUnsignedInteger;
+ key->u.dh.base.type = siUnsignedInteger;
+ key->u.dh.publicValue.type = siUnsignedInteger;
+ key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+ params->DEREncoding.type = siUnsignedInteger;
+ params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.ec.version.type = siUnsignedInteger;
+ key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+ key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+ key->u.ec.privateValue.type =
siUnsignedInteger;
+ key->u.ec.publicValue.type = siUnsignedInteger;
+}
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+ if (privk && privk->arena) {
+ PORT_FreeArena(privk->arena, PR_TRUE);
+ }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+ if (pubk && pubk->arena) {
+ PORT_FreeArena(pubk->arena, PR_TRUE);
+ }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+ /* interpret modulus length as key strength... in
+ * fortezza that's the public key length */
+
+ switch (pubk->keyType) {
+ case NSSLOWKEYRSAKey:
+ if (pubk->u.rsa.modulus.len == 0) {
+ return 0;
+ }
+ if (pubk->u.rsa.modulus.data[0] == 0) {
+ return pubk->u.rsa.modulus.len - 1;
+ }
+ return pubk->u.rsa.modulus.len;
+ default:
+ break;
+ }
+ return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+ switch (privk->keyType) {
+ case NSSLOWKEYRSAKey:
+ if (privk->u.rsa.modulus.len == 0) {
+ return 0;
+ }
+ if (privk->u.rsa.modulus.data[0] == 0) {
+ return privk->u.rsa.modulus.len - 1;
+ }
+ return privk->u.rsa.modulus.len;
+ default:
+ break;
+ }
+ return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+ NSSLOWKEYPublicKey *pubk;
+ SECItem publicValue;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ switch (privk->keyType) {
+ case NSSLOWKEYRSAKey:
+ case NSSLOWKEYNullKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ if (privk->keyType == NSSLOWKEYNullKey)
+ return pubk;
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+ &privk->u.rsa.modulus);
+ if (rv == SECSuccess) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.publicExponent,
+ &privk->u.rsa.publicExponent);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ } else {
PORT_SetError(SEC_ERROR_NO_MEMORY);
+ }
+ break;
+ case NSSLOWKEYDSAKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dsa.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
+ &privk->u.dsa.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
+ SECITEM_ZfreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+ &privk->u.dsa.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+ &privk->u.dsa.params.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+ &privk->u.dsa.params.subPrime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+ &privk->u.dsa.params.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYDHKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dh.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
+ &privk->u.dh.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
+ SECITEM_ZfreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+ &privk->u.dh.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+
&privk->u.dh.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+ &privk->u.dh.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYECKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+ &privk->u.ec.publicValue);
+ if (rv != SECSuccess)
+ break;
+ pubk->u.ec.ecParams.arena = arena;
+ /* Copy the rest of the params */
+ rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
+ &(privk->u.ec.ecParams));
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ /* No Fortezza in Low Key implementations (Fortezza keys aren't
+ * stored in our data base */
+ default:
+ break;
+ }
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return NULL;
+}
+
+NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
+{
+ NSSLOWKEYPrivateKey *returnKey = NULL;
+ SECStatus rv = SECFailure;
+ PLArenaPool *poolp;
+
+ if (!privKey) {
+ return NULL;
+ }
+
+ poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!poolp) {
+ return NULL;
+ }
+
+ returnKey = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
+ if (!returnKey) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ returnKey->keyType = privKey->keyType;
+ returnKey->arena = poolp;
+
+ switch (privKey->keyType) {
+ case NSSLOWKEYRSAKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus),
+ &(privKey->u.rsa.modulus));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version),
+ &(privKey->u.rsa.version));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent),
+ &(privKey->u.rsa.publicExponent));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent),
+ &(privKey->u.rsa.privateExponent));
+ if (rv != SECSuccess)
+ break;
+ rv =
SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1),
+ &(privKey->u.rsa.prime1));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2),
+ &(privKey->u.rsa.prime2));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1),
+ &(privKey->u.rsa.exponent1));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2),
+ &(privKey->u.rsa.exponent2));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient),
+ &(privKey->u.rsa.coefficient));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYDSAKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
+ &(privKey->u.dsa.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
+ &(privKey->u.dsa.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.dsa.params.arena = poolp;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
+ &(privKey->u.dsa.params.prime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
+ &(privKey->u.dsa.params.subPrime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
+ &(privKey->u.dsa.params.base));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYDHKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
+ &(privKey->u.dh.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
+ &(privKey->u.dh.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.dsa.params.arena = poolp;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
+ &(privKey->u.dh.prime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
+ &(privKey->u.dh.base));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYECKey:
+ rv = SECITEM_CopyItem(poolp,
&(returnKey->u.ec.version),
+ &(privKey->u.ec.version));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
+ &(privKey->u.ec.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
+ &(privKey->u.ec.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.ec.ecParams.arena = poolp;
+ /* Copy the rest of the params */
+ rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
+ &(privKey->u.ec.ecParams));
+ if (rv != SECSuccess)
+ break;
+ break;
+ default:
+ rv = SECFailure;
+ }
+
+loser:
+
+ if (rv != SECSuccess) {
+ PORT_FreeArena(poolp, PR_TRUE);
+ returnKey = NULL;
+ }
+
+ return returnKey;
+}
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
new file mode 100644
index 0000000000..e599f01fa0
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyi.h
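Review bot: In nsslowkey_CopyPrivateKey, the `case NSSLOWKEYDHKey:` branch stores the arena through the DSA union member, `returnKey->u.dsa.params.arena = poolp;`, while every other field in that branch is written via `u.dh`. It presumably only works because the arena pointer sits at the same offset in both members; the intended line looks like `returnKey->u.dh.arena = poolp;` — confirm against the DHPrivateKey layout in blapit.h before changing it. Separately, nsslowkey_ConvertToPublicKey's DSA and DH cases write the DH_Derive result back into the input key (`SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, ...)` and the DH twin), so the function mutates `privk`; a comment above its definition such as `/* May fill in privk->u.{dsa,dh}.publicValue (allocated in privk's own arena) when it is absent. */` would make that visible to callers.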
@@ -0,0 +1,70 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+extern void prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key);
+
+/*
+** Destroy a private key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+/* Make a copy of a low private key in it's own arena.
+ * a return of NULL indicates an error.
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
new file mode 100644
index 0000000000..7e77592c53
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyti.h
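Review bot: The stanzas above nsslowkey_DestroyPrivateKey and nsslowkey_DestroyPublicKey document a `"freeit"` argument that neither prototype takes; the lowkey.c definitions in this patch always free the key's arena, with `PORT_FreeArena(..., PR_TRUE)` zeroizing it first. Replace each with something like `/* Destroy a private key object: frees (and zeroizes) its arena, and with it the object itself. NULL or arena-less keys are ignored. */` and the public-key equivalent. The block comment before the `prepare_low_*` declarations also refers to "the templates above", which exist in lowkey.c but not in this header, so it reads as a stale copy-paste here.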
@@ -0,0 +1,100 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+ SECItem attrType;
+ SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
+
+struct NSSLOWKEYSubjectPublicKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+typedef struct NSSLOWKEYSubjectPublicKeyInfoStr
NSSLOWKEYSubjectPublicKeyInfo;
+
+typedef enum {
+ NSSLOWKEYNullKey = 0,
+ NSSLOWKEYRSAKey = 1,
+ NSSLOWKEYDSAKey = 2,
+ NSSLOWKEYDHKey = 4,
+ NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPublicKey rsa;
+ DSAPublicKey dsa;
+ DHPublicKey dh;
+ ECPublicKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPrivateKey rsa;
+ DSAPrivateKey dsa;
+ DHPrivateKey dh;
+ ECPrivateKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif /* _LOWKEYTI_H_ */
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
new file mode 100644
index 0000000000..ff80f573ff
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.c
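Review bot: The comment `** Typedef for callback to get a password "key".` introduces a run of `extern const SEC_ASN1Template` declarations and describes none of them; `/* ASN.1 templates for the low-level key encodings (defined in lowkey.c). */` would be accurate. Of those externs, `nsslowkey_DHPrivateKeyExportTemplate` and `nsslowkey_EncryptedPrivateKeyInfoTemplate` have no definition in the lowkey.c hunk of this patch, so unless another translation unit in the series defines them they are declarations that can only fail at link time. The `** An RSA public key object.` comment above `NSSLOWKEYPublicKeyStr` is likewise narrower than the union it sits on, which also carries DSA, DH and EC members.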
@@ -0,0 +1,1820 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "plarena.h" + +#include "seccomon.h" +#include "secitem.h" +#include "secport.h" +#include "hasht.h" +#include "pkcs11t.h" +#include "blapi.h" +#include "hasht.h" +#include "secasn1.h" +#include "secder.h" +#include "lowpbe.h" +#include "secoid.h" +#include "alghmac.h" +#include "softoken.h" +#include "secerr.h" +#include "pkcs11i.h" + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +/* how much a crypto encrypt/decryption may expand a buffer */ +#define MAX_CRYPTO_EXPANSION 64 + +/* template for PKCS 5 PBE Parameter. This template has been expanded + * based upon the additions in PKCS 12. This should eventually be moved + * if RSA updates PKCS 5. + */ +static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(NSSPKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, + offsetof(NSSPKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, + offsetof(NSSPKCS5PBEParameter, iteration) }, + { 0 } +}; + +static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) }, + { 0 } +}; + +/* PKCS5 v2 */ + +struct nsspkcs5V2PBEParameterStr { + SECAlgorithmID keyParams; /* parameters of the key generation */ + SECAlgorithmID algParams; /* parameters for the encryption or mac op */ +}; + +typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter; + +static const SEC_ASN1Template NSSPKCS5V2PBES2ParameterTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(nsspkcs5V2PBEParameter) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(nsspkcs5V2PBEParameter, keyParams), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) 
}, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(nsspkcs5V2PBEParameter, algParams), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +static const SEC_ASN1Template NSSPKCS5V2PBEParameterTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) }, + /* this is really a choice, but since we don't understand any other + * choice, just inline it. */ + { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) }, + { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, keyLength) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(NSSPKCS5PBEParameter, prfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +SECStatus +nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest, + unsigned char *src, int len) +{ + void *ctx; + unsigned int retLen; + + ctx = hashObj->create(); + if (ctx == NULL) { + return SECFailure; + } + hashObj->begin(ctx); + hashObj->update(ctx, src, len); + hashObj->end(ctx, dest, &retLen, hashObj->length); + hashObj->destroy(ctx, PR_TRUE); + return SECSuccess; +} + +/* generate bits using any hash + */ +static SECItem * +nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd, + int iter, PRBool faulty3DES) +{ + SECItem *hash = NULL, *pre_hash = NULL; + SECStatus rv = SECFailure; + + if ((salt == NULL) || (pwd == NULL) || (iter < 0)) { + return NULL; + } + + hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + + if ((hash != NULL) && (pre_hash != NULL)) { + int i, ph_len; + + ph_len = hashObj->length; + if ((salt->len + pwd->len) > hashObj->length) { + ph_len = salt->len + pwd->len; + } + + rv = SECFailure; + + /* allocate buffers */ + hash->len = hashObj->length; + hash->data = (unsigned char *)PORT_ZAlloc(hash->len); + pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len); + + /* in pbeSHA1TripleDESCBC there was an allocation error that made + * it into the 
caller. We do not want to propagate those errors + * further, so we are doing it correctly, but reading the old method. + */ + if (faulty3DES) { + pre_hash->len = ph_len; + } else { + pre_hash->len = salt->len + pwd->len; + } + + /* preform hash */ + if ((hash->data != NULL) && (pre_hash->data != NULL)) { + rv = SECSuccess; + /* check for 0 length password */ + if (pwd->len > 0) { + PORT_Memcpy(pre_hash->data, pwd->data, pwd->len); + } + if (salt->len > 0) { + PORT_Memcpy((pre_hash->data + pwd->len), salt->data, salt->len); + } + for (i = 0; ((i < iter) && (rv == SECSuccess)); i++) { + rv = nsspkcs5_HashBuf(hashObj, hash->data, + pre_hash->data, pre_hash->len); + if (rv != SECFailure) { + pre_hash->len = hashObj->length; + PORT_Memcpy(pre_hash->data, hash->data, hashObj->length); + } + } + } + } + + if (pre_hash != NULL) { + SECITEM_ZfreeItem(pre_hash, PR_TRUE); + } + + if ((rv != SECSuccess) && (hash != NULL)) { + SECITEM_ZfreeItem(hash, PR_TRUE); + hash = NULL; + } + + return hash; +} + +/* this bit generation routine is described in PKCS 12 and the proposed + * extensions to PKCS 5. an initial hash is generated following the + * instructions laid out in PKCS 5. If the number of bits generated is + * insufficient, then the method discussed in the proposed extensions to + * PKCS 5 in PKCS 12 are used. This extension makes use of the HMAC + * function. And the P_Hash function from the TLS standard. 
+ */ +static SECItem * +nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param, + SECItem *init_hash, unsigned int bytes_needed) +{ + SECItem *ret_bits = NULL; + int hash_size = 0; + unsigned int i; + unsigned int hash_iter; + unsigned int dig_len; + SECStatus rv = SECFailure; + unsigned char *state = NULL; + unsigned int state_len; + HMACContext *cx = NULL; + + hash_size = hashObj->length; + hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size; + + /* allocate return buffer */ + ret_bits = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (ret_bits == NULL) + return NULL; + ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1); + ret_bits->len = (hash_iter * hash_size); + if (ret_bits->data == NULL) { + PORT_Free(ret_bits); + return NULL; + } + + /* allocate intermediate hash buffer. 8 is for the 8 bytes of + * data which are added based on iteration number + */ + + if ((unsigned int)hash_size > pbe_param->salt.len) { + state_len = hash_size; + } else { + state_len = pbe_param->salt.len; + } + state = (unsigned char *)PORT_ZAlloc(state_len); + if (state == NULL) { + rv = SECFailure; + goto loser; + } + if (pbe_param->salt.len > 0) { + PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len); + } + + cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE); + if (cx == NULL) { + rv = SECFailure; + goto loser; + } + + for (i = 0; i < hash_iter; i++) { + + /* generate output bits */ + HMAC_Begin(cx); + HMAC_Update(cx, state, state_len); + HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len); + rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size), + &dig_len, hash_size); + if (rv != SECSuccess) + goto loser; + PORT_Assert((unsigned int)hash_size == dig_len); + + /* generate new state */ + HMAC_Begin(cx); + HMAC_Update(cx, state, state_len); + rv = HMAC_Finish(cx, state, &state_len, state_len); + if (rv != SECSuccess) + goto loser; + PORT_Assert(state_len == dig_len); + } + +loser: + if 
(state != NULL) + PORT_ZFree(state, state_len); + HMAC_Destroy(cx, PR_TRUE); + + if (rv != SECSuccess) { + SECITEM_ZfreeItem(ret_bits, PR_TRUE); + ret_bits = NULL; + } + + return ret_bits; +} + +/* generate bits for the key and iv determination. if enough bits + * are not generated using PKCS 5, then we need to generate more bits + * based on the extension proposed in PKCS 12 + */ +static SECItem * +nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj, + NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES) +{ + SECItem *hash = NULL; + SECItem *newHash = NULL; + int bytes_needed; + int bytes_available; + + bytes_needed = pbe_param->ivLen + pbe_param->keyLen; + bytes_available = hashObj->length; + + hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem, + pbe_param->iter, faulty3DES); + + if (hash == NULL) { + return NULL; + } + + if (bytes_needed <= bytes_available) { + return hash; + } + + newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed); + if (hash != newHash) + SECITEM_ZfreeItem(hash, PR_TRUE); + return newHash; +} + +/* + * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS + */ +static void +do_xor(unsigned char *dest, unsigned char *src, int len) +{ + /* use byt xor, not all platforms are happy about inaligned + * integer fetches */ + while (len--) { + *dest = *dest ^ *src; + dest++; + src++; + } +} + +static SECStatus +nsspkcs5_PBKDF2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt, + int iterations, unsigned int i, unsigned char *T) +{ + int j; + HMACContext *cx = NULL; + unsigned int hLen = hashobj->length; + SECStatus rv = SECFailure; + unsigned char *last = NULL; + unsigned int lastLength = salt->len + 4; + unsigned int lastBufLength; + + cx = HMAC_Create(hashobj, pwitem->data, pwitem->len, PR_FALSE); + if (cx == NULL) { + goto loser; + } + PORT_Memset(T, 0, hLen); + lastBufLength = PR_MAX(lastLength, hLen); + last = PORT_Alloc(lastBufLength); + if (last == NULL) { + goto loser; + } + 
PORT_Memcpy(last, salt->data, salt->len); + last[salt->len] = (i >> 24) & 0xff; + last[salt->len + 1] = (i >> 16) & 0xff; + last[salt->len + 2] = (i >> 8) & 0xff; + last[salt->len + 3] = i & 0xff; + + /* NOTE: we need at least one iteration to return success! */ + for (j = 0; j < iterations; j++) { + HMAC_Begin(cx); + HMAC_Update(cx, last, lastLength); + rv = HMAC_Finish(cx, last, &lastLength, hLen); + if (rv != SECSuccess) { + break; + } + do_xor(T, last, hLen); + } +loser: + if (cx) { + HMAC_Destroy(cx, PR_TRUE); + } + if (last) { + PORT_ZFree(last, lastBufLength); + } + return rv; +} + +static SECItem * +nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param, + SECItem *pwitem) +{ + int iterations = pbe_param->iter; + int bytesNeeded = pbe_param->keyLen; + unsigned int dkLen = bytesNeeded; + unsigned int hLen = hashobj->length; + unsigned int nblocks = (dkLen + hLen - 1) / hLen; + unsigned int i; + unsigned char *rp; + unsigned char *T = NULL; + SECItem *result = NULL; + SECItem *salt = &pbe_param->salt; + SECStatus rv = SECFailure; + + result = SECITEM_AllocItem(NULL, NULL, nblocks * hLen); + if (result == NULL) { + return NULL; + } + + T = PORT_Alloc(hLen); + if (T == NULL) { + goto loser; + } + + for (i = 1, rp = result->data; i <= nblocks; i++, rp += hLen) { + rv = nsspkcs5_PBKDF2_F(hashobj, pwitem, salt, iterations, i, T); + if (rv != SECSuccess) { + break; + } + PORT_Memcpy(rp, T, hLen); + } + +loser: + if (T) { + PORT_ZFree(T, hLen); + } + if (rv != SECSuccess) { + SECITEM_ZfreeItem(result, PR_TRUE); + result = NULL; + } else { + result->len = dkLen; + } + + return result; +} + +#define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y)) +#define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y)) +/* + * This is the extended PBE function defined by the final PKCS #12 spec. 
+ */ +static SECItem * +nsspkcs5_PKCS12PBE(const SECHashObject *hashObject, + NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, + PBEBitGenID bitGenPurpose, unsigned int bytesNeeded) +{ + PLArenaPool *arena = NULL; + unsigned int SLen, PLen; + unsigned int hashLength = hashObject->length; + unsigned char *S, *P; + SECItem *A = NULL, B, D, I; + SECItem *salt = &pbe_param->salt; + unsigned int c, i = 0; + unsigned int hashLen; + int iter; + unsigned char *iterBuf; + void *hash = NULL; + unsigned int bufferLength; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + return NULL; + } + + /* how many hash object lengths are needed */ + c = (bytesNeeded + (hashLength - 1)) / hashLength; + + /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */ + bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64); + + /* initialize our buffers */ + D.len = bufferLength; + /* B and D are the same length, use one alloc go get both */ + D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2); + B.len = D.len; + B.data = D.data + D.len; + + /* if all goes well, A will be returned, so don't use our temp arena */ + A = SECITEM_AllocItem(NULL, NULL, c * hashLength); + if (A == NULL) { + goto loser; + } + + SLen = NSSPBE_ROUNDUP(salt->len, bufferLength); + PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength); + I.len = SLen + PLen; + I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len); + if (I.data == NULL) { + goto loser; + } + + /* S & P are only used to initialize I */ + S = I.data; + P = S + SLen; + + PORT_Memset(D.data, (char)bitGenPurpose, D.len); + if (SLen) { + for (i = 0; i < SLen; i += salt->len) { + PORT_Memcpy(S + i, salt->data, NSSPBE_MIN(SLen - i, salt->len)); + } + } + if (PLen) { + for (i = 0; i < PLen; i += pwitem->len) { + PORT_Memcpy(P + i, pwitem->data, NSSPBE_MIN(PLen - i, pwitem->len)); + } + } + + iterBuf = (unsigned char *)PORT_ArenaZAlloc(arena, hashLength); + if (iterBuf == NULL) { + goto loser; + } + + hash = hashObject->create(); + if 
(!hash) { + goto loser; + } + /* calculate the PBE now */ + for (i = 0; i < c; i++) { + int Bidx; /* must be signed or the for loop won't terminate */ + unsigned int k, j; + unsigned char *Ai = A->data + i * hashLength; + + for (iter = 0; iter < pbe_param->iter; iter++) { + hashObject->begin(hash); + + if (iter) { + hashObject->update(hash, iterBuf, hashLen); + } else { + hashObject->update(hash, D.data, D.len); + hashObject->update(hash, I.data, I.len); + } + + hashObject->end(hash, iterBuf, &hashLen, hashObject->length); + if (hashLen != hashObject->length) { + break; + } + } + + PORT_Memcpy(Ai, iterBuf, hashLength); + for (Bidx = 0; Bidx < (int)B.len; Bidx += hashLength) { + PORT_Memcpy(B.data + Bidx, iterBuf, NSSPBE_MIN(B.len - Bidx, hashLength)); + } + + k = I.len / B.len; + for (j = 0; j < k; j++) { + unsigned int q, carryBit; + unsigned char *Ij = I.data + j * B.len; + + /* (Ij = Ij+B+1) */ + for (Bidx = (B.len - 1), q = 1, carryBit = 0; Bidx >= 0; Bidx--, q = 0) { + q += (unsigned int)Ij[Bidx]; + q += (unsigned int)B.data[Bidx]; + q += carryBit; + + carryBit = (q > 0xff); + Ij[Bidx] = (unsigned char)(q & 0xff); + } + } + } +loser: + if (hash) { + hashObject->destroy(hash, PR_TRUE); + } + if (arena) { + PORT_FreeArena(arena, PR_TRUE); + } + + if (A) { + /* if i != c, then we didn't complete the loop above and must of failed + * somwhere along the way */ + if (i != c) { + SECITEM_ZfreeItem(A, PR_TRUE); + A = NULL; + } else { + A->len = bytesNeeded; + } + } + + return A; +} + +struct KDFCacheItemStr { + SECItem *hash; + SECItem *salt; + SECItem *pwItem; + HASH_HashType hashType; + int iterations; + int keyLen; +}; +typedef struct KDFCacheItemStr KDFCacheItem; + +/* Bug 1606992 - Cache the hash result for the common case that we're + * asked to repeatedly compute the key for the same password item, + * hash, iterations and salt. 
*/ +#define KDF2_CACHE_COUNT 150 +static struct { + PZLock *lock; + struct { + KDFCacheItem common; + int ivLen; + PRBool faulty3DES; + } cacheKDF1; + struct { + KDFCacheItem common[KDF2_CACHE_COUNT]; + int next; + } cacheKDF2; +} PBECache; + +void +sftk_PBELockInit(void) +{ + if (!PBECache.lock) { + PBECache.lock = PZ_NewLock(nssIPBECacheLock); + } +} + +static void +sftk_clearPBECommonCacheItemsLocked(KDFCacheItem *item) +{ + if (item->hash) { + SECITEM_ZfreeItem(item->hash, PR_TRUE); + item->hash = NULL; + } + if (item->salt) { + SECITEM_ZfreeItem(item->salt, PR_TRUE); + item->salt = NULL; + } + if (item->pwItem) { + SECITEM_ZfreeItem(item->pwItem, PR_TRUE); + item->pwItem = NULL; + } +} + +static void +sftk_setPBECommonCacheItemsKDFLocked(KDFCacheItem *cacheItem, + const SECItem *hash, + const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem) +{ + cacheItem->hash = SECITEM_DupItem(hash); + cacheItem->hashType = pbe_param->hashType; + cacheItem->iterations = pbe_param->iter; + cacheItem->keyLen = pbe_param->keyLen; + cacheItem->salt = SECITEM_DupItem(&pbe_param->salt); + cacheItem->pwItem = SECITEM_DupItem(pwItem); +} + +static void +sftk_setPBECacheKDF2(const SECItem *hash, + const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem) +{ + PZ_Lock(PBECache.lock); + KDFCacheItem *next = &PBECache.cacheKDF2.common[PBECache.cacheKDF2.next]; + + sftk_clearPBECommonCacheItemsLocked(next); + + sftk_setPBECommonCacheItemsKDFLocked(next, hash, pbe_param, pwItem); + PBECache.cacheKDF2.next++; + if (PBECache.cacheKDF2.next >= KDF2_CACHE_COUNT) { + PBECache.cacheKDF2.next = 0; + } + + PZ_Unlock(PBECache.lock); +} + +static void +sftk_setPBECacheKDF1(const SECItem *hash, + const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem, + PRBool faulty3DES) +{ + PZ_Lock(PBECache.lock); + + sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common); + + sftk_setPBECommonCacheItemsKDFLocked(&PBECache.cacheKDF1.common, + hash, pbe_param, pwItem); + 
PBECache.cacheKDF1.faulty3DES = faulty3DES; + PBECache.cacheKDF1.ivLen = pbe_param->ivLen; + + PZ_Unlock(PBECache.lock); +} + +static PRBool +sftk_comparePBECommonCacheItemLocked(const KDFCacheItem *cacheItem, + const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem) +{ + return (cacheItem->hash && + cacheItem->salt && + cacheItem->pwItem && + pbe_param->hashType == cacheItem->hashType && + pbe_param->iter == cacheItem->iterations && + pbe_param->keyLen == cacheItem->keyLen && + SECITEM_ItemsAreEqual(&pbe_param->salt, cacheItem->salt) && + SECITEM_ItemsAreEqual(pwItem, cacheItem->pwItem)); +} + +static SECItem * +sftk_getPBECacheKDF2(const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem) +{ + SECItem *result = NULL; + int i; + + PZ_Lock(PBECache.lock); + for (i = 0; i < KDF2_CACHE_COUNT; i++) { + const KDFCacheItem *cacheItem = &PBECache.cacheKDF2.common[i]; + if (sftk_comparePBECommonCacheItemLocked(cacheItem, + pbe_param, pwItem)) { + result = SECITEM_DupItem(cacheItem->hash); + break; + } + } + PZ_Unlock(PBECache.lock); + + return result; +} + +static SECItem * +sftk_getPBECacheKDF1(const NSSPKCS5PBEParameter *pbe_param, + const SECItem *pwItem, + PRBool faulty3DES) +{ + SECItem *result = NULL; + const KDFCacheItem *cacheItem = &PBECache.cacheKDF1.common; + + PZ_Lock(PBECache.lock); + if (sftk_comparePBECommonCacheItemLocked(cacheItem, pbe_param, pwItem) && + PBECache.cacheKDF1.faulty3DES == faulty3DES && + PBECache.cacheKDF1.ivLen == pbe_param->ivLen) { + result = SECITEM_DupItem(cacheItem->hash); + } + PZ_Unlock(PBECache.lock); + + return result; +} + +void +sftk_PBELockShutdown(void) +{ + int i; + if (PBECache.lock) { + PZ_DestroyLock(PBECache.lock); + PBECache.lock = 0; + } + sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common); + for (i = 0; i < KDF2_CACHE_COUNT; i++) { + sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF2.common[i]); + } + PBECache.cacheKDF2.next = 0; +} + +/* + * generate key as per PKCS 5 + */ +SECItem * 
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, + SECItem *iv, PRBool faulty3DES) +{ + SECItem *hash = NULL, *key = NULL; + const SECHashObject *hashObj; + PRBool getIV = PR_FALSE; + + if ((pbe_param == NULL) || (pwitem == NULL)) { + return NULL; + } + + key = SECITEM_AllocItem(NULL, NULL, pbe_param->keyLen); + if (key == NULL) { + return NULL; + } + + if (iv && (pbe_param->ivLen) && (iv->data == NULL)) { + getIV = PR_TRUE; + iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen); + if (iv->data == NULL) { + goto loser; + } + iv->len = pbe_param->ivLen; + } + + hashObj = HASH_GetRawHashObject(pbe_param->hashType); + switch (pbe_param->pbeType) { + case NSSPKCS5_PBKDF1: + hash = sftk_getPBECacheKDF1(pbe_param, pwitem, faulty3DES); + if (!hash) { + hash = nsspkcs5_PBKDF1Extended(hashObj, pbe_param, pwitem, faulty3DES); + sftk_setPBECacheKDF1(hash, pbe_param, pwitem, faulty3DES); + } + if (hash == NULL) { + goto loser; + } + PORT_Assert(hash->len >= key->len + (getIV ? 
iv->len : 0)); + if (getIV) { + PORT_Memcpy(iv->data, hash->data + (hash->len - iv->len), iv->len); + } + + break; + case NSSPKCS5_PBKDF2: + hash = sftk_getPBECacheKDF2(pbe_param, pwitem); + if (!hash) { + hash = nsspkcs5_PBKDF2(hashObj, pbe_param, pwitem); + sftk_setPBECacheKDF2(hash, pbe_param, pwitem); + } + if (getIV) { + PORT_Memcpy(iv->data, pbe_param->ivData, iv->len); + } + break; + case NSSPKCS5_PKCS12_V2: + if (getIV) { + hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem, + pbeBitGenCipherIV, iv->len); + if (hash == NULL) { + goto loser; + } + PORT_Memcpy(iv->data, hash->data, iv->len); + SECITEM_ZfreeItem(hash, PR_TRUE); + hash = NULL; + } + hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem, + pbe_param->keyID, key->len); + default: + break; + } + + if (hash == NULL) { + goto loser; + } + + if (pbe_param->is2KeyDES) { + PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3); + PORT_Memcpy(&(key->data[(key->len * 2) / 3]), key->data, + key->len / 3); + } else { + PORT_Memcpy(key->data, hash->data, key->len); + } + + SECITEM_ZfreeItem(hash, PR_TRUE); + return key; + +loser: + if (getIV && iv->data) { + PORT_ZFree(iv->data, iv->len); + iv->data = NULL; + } + + SECITEM_ZfreeItem(key, PR_TRUE); + return NULL; +} + +#define MAX_IV_LENGTH 64 +/* get a random IV into the parameters */ +static SECStatus +nsspkcs5_SetIVParam(NSSPKCS5PBEParameter *pbe_param, int ivLen) +{ + SECStatus rv; + SECItem derIV; + SECItem iv; + SECItem *dummy = NULL; + unsigned char ivData[MAX_IV_LENGTH]; + + PORT_Assert(ivLen <= MAX_IV_LENGTH); + + /* Because of a bug in the decode section, the IV's not are expected + * to be der encoded, but still need to parse as if they were der data. + * because we want to be compatible with existing versions of nss that + * have that bug, create an IV that looks like der data. 
That still + * leaves 14 bytes of entropy in the IV */ + rv = RNG_GenerateGlobalRandomBytes(ivData, ivLen - 2); + if (rv != SECSuccess) { + return SECFailure; + } + derIV.data = NULL; + derIV.len = 0; + iv.data = ivData; + iv.len = ivLen - 2; + dummy = SEC_ASN1EncodeItem(pbe_param->poolp, &derIV, &iv, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (dummy == NULL) { + return SECFailure; + } + pbe_param->ivData = derIV.data; + pbe_param->ivLen = derIV.len; + PORT_Assert(pbe_param->ivLen == ivLen); + return SECSuccess; +} + +static SECStatus +nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType, + NSSPKCS5PBEParameter *pbe_param) +{ + PRBool skipType = PR_FALSE; + SECStatus rv; + + pbe_param->keyLen = 5; + pbe_param->ivLen = 8; + pbe_param->hashType = hashType; + pbe_param->pbeType = NSSPKCS5_PBKDF1; + pbe_param->encAlg = SEC_OID_RC2_CBC; + pbe_param->is2KeyDES = PR_FALSE; + switch (algorithm) { + /* DES3 Algorithms */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + pbe_param->is2KeyDES = PR_TRUE; + /* fall through */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + pbe_param->pbeType = NSSPKCS5_PKCS12_V2; + /* fall through */ + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + pbe_param->keyLen = 24; + pbe_param->encAlg = SEC_OID_DES_EDE3_CBC; + break; + + /* DES Algorithms */ + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + pbe_param->hashType = HASH_AlgMD2; + goto finish_des; + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + pbe_param->hashType = HASH_AlgMD5; + /* fall through */ + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + finish_des: + pbe_param->keyLen = 8; + pbe_param->encAlg = SEC_OID_DES_CBC; + break; + +#ifndef NSS_DISABLE_DEPRECATED_RC2 + /* RC2 Algorithms */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + pbe_param->keyLen = 16; + /* fall through */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + pbe_param->pbeType = NSSPKCS5_PKCS12_V2; + break; + case 
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + pbe_param->keyLen = 16; + /* fall through */ + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + break; +#endif + + /* RC4 algorithms */ + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + skipType = PR_TRUE; + /* fall through */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + pbe_param->keyLen = 16; + /* fall through */ + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + if (!skipType) { + pbe_param->pbeType = NSSPKCS5_PKCS12_V2; + } + /* fall through */ + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + pbe_param->ivLen = 0; + pbe_param->encAlg = SEC_OID_RC4; + break; + + case SEC_OID_PKCS5_PBKDF2: + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: + /* everything else will be filled in by the template */ + pbe_param->ivLen = 0; + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = SEC_OID_PKCS5_PBKDF2; + pbe_param->keyLen = 0; /* needs to be set by caller after return */ + break; + /* AES uses PBKDF2 */ + case SEC_OID_AES_128_CBC: + rv = nsspkcs5_SetIVParam(pbe_param, 16); + if (rv != SECSuccess) { + return rv; + } + pbe_param->ivLen = 16; + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = algorithm; + pbe_param->keyLen = 128 / 8; + break; + case SEC_OID_AES_192_CBC: + rv = nsspkcs5_SetIVParam(pbe_param, 16); + if (rv != SECSuccess) { + return rv; + } + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = algorithm; + pbe_param->keyLen = 192 / 8; + break; + case SEC_OID_AES_256_CBC: + rv = nsspkcs5_SetIVParam(pbe_param, 16); + if (rv != SECSuccess) { + return rv; + } + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = algorithm; + pbe_param->keyLen = 256 / 8; + break; + case SEC_OID_AES_128_KEY_WRAP: + pbe_param->ivLen = 0; + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = algorithm; + pbe_param->keyLen = 128 / 8; + break; + case SEC_OID_AES_192_KEY_WRAP: + pbe_param->ivLen = 0; + pbe_param->pbeType = NSSPKCS5_PBKDF2; + 
pbe_param->encAlg = algorithm; + pbe_param->keyLen = 192 / 8; + break; + case SEC_OID_AES_256_KEY_WRAP: + pbe_param->ivLen = 0; + pbe_param->pbeType = NSSPKCS5_PBKDF2; + pbe_param->encAlg = algorithm; + pbe_param->keyLen = 256 / 8; + break; + + default: + return SECFailure; + } + if (pbe_param->pbeType == NSSPKCS5_PBKDF2) { + SECOidTag prfAlg = HASH_HMACOidFromHash(pbe_param->hashType); + if (prfAlg == SEC_OID_UNKNOWN) { + return SECFailure; + } + rv = SECOID_SetAlgorithmID(pbe_param->poolp, &pbe_param->prfAlg, + prfAlg, NULL); + if (rv != SECSuccess) { + return rv; + } + } + return SECSuccess; +} + +/* decode the algid and generate a PKCS 5 parameter from it + */ +NSSPKCS5PBEParameter * +nsspkcs5_NewParam(SECOidTag alg, HASH_HashType hashType, SECItem *salt, + int iterationCount) +{ + PLArenaPool *arena = NULL; + NSSPKCS5PBEParameter *pbe_param = NULL; + SECStatus rv = SECFailure; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) + return NULL; + + /* allocate memory for the parameter */ + pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena, + sizeof(NSSPKCS5PBEParameter)); + + if (pbe_param == NULL) { + goto loser; + } + + pbe_param->poolp = arena; + + rv = nsspkcs5_FillInParam(alg, hashType, pbe_param); + if (rv != SECSuccess) { + goto loser; + } + + pbe_param->iter = iterationCount; + if (salt) { + rv = SECITEM_CopyItem(arena, &pbe_param->salt, salt); + } + + /* default key gen */ + pbe_param->keyID = pbeBitGenCipherKey; + +loser: + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_TRUE); + pbe_param = NULL; + } + + return pbe_param; +} + +/* + * find the hash type needed to implement a specific HMAC. 
+ * OID definitions are from pkcs 5 v2.0 and 2.1 + */ +HASH_HashType +HASH_FromHMACOid(SECOidTag hmac) +{ + switch (hmac) { + case SEC_OID_HMAC_SHA1: + return HASH_AlgSHA1; + case SEC_OID_HMAC_SHA256: + return HASH_AlgSHA256; + case SEC_OID_HMAC_SHA384: + return HASH_AlgSHA384; + case SEC_OID_HMAC_SHA512: + return HASH_AlgSHA512; + case SEC_OID_HMAC_SHA224: + default: + break; + } + return HASH_AlgNULL; +} + +SECOidTag +HASH_HMACOidFromHash(HASH_HashType hashType) +{ + switch (hashType) { + case HASH_AlgSHA1: + return SEC_OID_HMAC_SHA1; + case HASH_AlgSHA256: + return SEC_OID_HMAC_SHA256; + case HASH_AlgSHA384: + return SEC_OID_HMAC_SHA384; + case HASH_AlgSHA512: + return SEC_OID_HMAC_SHA512; + case HASH_AlgSHA224: + return SEC_OID_HMAC_SHA224; + case HASH_AlgMD2: + case HASH_AlgMD5: + case HASH_AlgTOTAL: + default: + break; + } + return SEC_OID_UNKNOWN; +} + +/* decode the algid and generate a PKCS 5 parameter from it + */ +NSSPKCS5PBEParameter * +nsspkcs5_AlgidToParam(SECAlgorithmID *algid) +{ + NSSPKCS5PBEParameter *pbe_param = NULL; + nsspkcs5V2PBEParameter pbev2_param; + SECOidTag algorithm; + SECStatus rv = SECFailure; + + if (algid == NULL) { + return NULL; + } + + algorithm = SECOID_GetAlgorithmTag(algid); + if (algorithm == SEC_OID_UNKNOWN) { + goto loser; + } + + pbe_param = nsspkcs5_NewParam(algorithm, HASH_AlgSHA1, NULL, 1); + if (pbe_param == NULL) { + goto loser; + } + + /* decode parameter */ + rv = SECFailure; + switch (pbe_param->pbeType) { + case NSSPKCS5_PBKDF1: + rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, + NSSPKCS5PBEParameterTemplate, &algid->parameters); + break; + case NSSPKCS5_PKCS12_V2: + rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, + NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters); + break; + case NSSPKCS5_PBKDF2: + PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param)); + /* just the PBE */ + if (algorithm == SEC_OID_PKCS5_PBKDF2) { + rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, + 
NSSPKCS5V2PBEParameterTemplate, &algid->parameters); + } else { + /* PBE data an others */ + rv = SEC_ASN1DecodeItem(pbe_param->poolp, &pbev2_param, + NSSPKCS5V2PBES2ParameterTemplate, &algid->parameters); + if (rv != SECSuccess) { + break; + } + pbe_param->encAlg = SECOID_GetAlgorithmTag(&pbev2_param.algParams); + rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param, + NSSPKCS5V2PBEParameterTemplate, + &pbev2_param.keyParams.parameters); + if (rv != SECSuccess) { + break; + } + pbe_param->keyLen = DER_GetInteger(&pbe_param->keyLength); + } + /* we we are encrypting, save any iv's */ + if (algorithm == SEC_OID_PKCS5_PBES2) { + pbe_param->ivLen = pbev2_param.algParams.parameters.len; + pbe_param->ivData = pbev2_param.algParams.parameters.data; + } + pbe_param->hashType = + HASH_FromHMACOid(SECOID_GetAlgorithmTag(&pbe_param->prfAlg)); + if (pbe_param->hashType == HASH_AlgNULL) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + rv = SECFailure; + } + break; + } + +loser: + PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param)); + if (rv == SECSuccess) { + pbe_param->iter = DER_GetInteger(&pbe_param->iteration); + } else { + nsspkcs5_DestroyPBEParameter(pbe_param); + pbe_param = NULL; + } + + return pbe_param; +} + +/* destroy a pbe parameter. it assumes that the parameter was + * generated using the appropriate create function and therefor + * contains an arena pool. + */ +void +nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param) +{ + if (pbe_param != NULL) { + PORT_FreeArena(pbe_param->poolp, PR_TRUE); + } +} + +/* crypto routines */ +/* perform DES encryption and decryption. these routines are called + * by nsspkcs5_CipherData. In the case of an error, NULL is returned. 
+ */ +static SECItem * +sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, + PRBool encrypt) +{ + SECItem *dest; + SECItem *dup_src; + CK_RV crv = CKR_DEVICE_ERROR; + int error; + SECStatus rv = SECFailure; + DESContext *ctxt; + unsigned int pad; + + if ((src == NULL) || (key == NULL) || (iv == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + dup_src = SECITEM_DupItem(src); + if (dup_src == NULL) { + return NULL; + } + + if (encrypt != PR_FALSE) { + void *dummy; + + dummy = CBC_PadBuffer(NULL, dup_src->data, + dup_src->len, &dup_src->len, DES_BLOCK_SIZE); + if (dummy == NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + return NULL; + } + dup_src->data = (unsigned char *)dummy; + } + + dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); + if (dest == NULL) { + goto loser; + } + ctxt = DES_CreateContext(key->data, iv->data, + (triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC), + encrypt); + if (ctxt == NULL) { + goto loser; + } + rv = (encrypt ? DES_Encrypt : DES_Decrypt)( + ctxt, dest->data, &dest->len, + dest->len, dup_src->data, dup_src->len); + + crv = (rv == SECSuccess) ? 
CKR_OK : CKR_DEVICE_ERROR; + error = PORT_GetError(); + + /* remove padding */ + if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { + crv = sftk_CheckCBCPadding(dest->data, dest->len, DES_BLOCK_SIZE, &pad); + dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); + PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); + } + DES_DestroyContext(ctxt, PR_TRUE); + +loser: + if (crv != CKR_OK) { + if (dest != NULL) { + SECITEM_ZfreeItem(dest, PR_TRUE); + } + dest = NULL; + } + + if (dup_src != NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + } + + return dest; +} + +/* perform aes encryption/decryption if an error occurs, NULL is returned + */ +static SECItem * +sec_pkcs5_aes(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, + PRBool encrypt) +{ + SECItem *dest; + SECItem *dup_src; + CK_RV crv = CKR_DEVICE_ERROR; + int error; + SECStatus rv = SECFailure; + AESContext *ctxt; + unsigned int pad; + + if ((src == NULL) || (key == NULL) || (iv == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + dup_src = SECITEM_DupItem(src); + if (dup_src == NULL) { + return NULL; + } + + if (encrypt != PR_FALSE) { + void *dummy; + + dummy = CBC_PadBuffer(NULL, dup_src->data, + dup_src->len, &dup_src->len, AES_BLOCK_SIZE); + if (dummy == NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + return NULL; + } + dup_src->data = (unsigned char *)dummy; + } + + dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); + if (dest == NULL) { + goto loser; + } + ctxt = AES_CreateContext(key->data, iv->data, NSS_AES_CBC, + encrypt, key->len, AES_BLOCK_SIZE); + if (ctxt == NULL) { + goto loser; + } + rv = (encrypt ? AES_Encrypt : AES_Decrypt)( + ctxt, dest->data, &dest->len, + dest->len, dup_src->data, dup_src->len); + + crv = (rv == SECSuccess) ? 
CKR_OK : CKR_DEVICE_ERROR; + error = PORT_GetError(); + + /* remove padding */ + if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { + crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad); + dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); + PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); + } + AES_DestroyContext(ctxt, PR_TRUE); + +loser: + if (crv != CKR_OK) { + if (dest != NULL) { + SECITEM_ZfreeItem(dest, PR_TRUE); + } + dest = NULL; + } + + if (dup_src != NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + } + + return dest; +} + +/* perform aes encryption/decryption if an error occurs, NULL is returned + */ +static SECItem * +sec_pkcs5_aes_key_wrap(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des, + PRBool encrypt) +{ + SECItem *dest; + SECItem *dup_src; + CK_RV crv = CKR_DEVICE_ERROR; + int error; + SECStatus rv = SECFailure; + AESKeyWrapContext *ctxt; + unsigned int pad; + + if ((src == NULL) || (key == NULL) || (iv == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + dup_src = SECITEM_DupItem(src); + if (dup_src == NULL) { + return NULL; + } + + if (encrypt != PR_FALSE) { + void *dummy; + + dummy = CBC_PadBuffer(NULL, dup_src->data, + dup_src->len, &dup_src->len, AES_BLOCK_SIZE); + if (dummy == NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + return NULL; + } + dup_src->data = (unsigned char *)dummy; + } + + dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION); + if (dest == NULL) { + goto loser; + } + ctxt = AESKeyWrap_CreateContext(key->data, iv->data, encrypt, + key->len); + + if (ctxt == NULL) { + goto loser; + } + rv = (encrypt ? AESKeyWrap_Encrypt : AESKeyWrap_Decrypt)( + ctxt, dest->data, &dest->len, + dest->len, dup_src->data, dup_src->len); + + crv = (rv == SECSuccess) ? 
CKR_OK : CKR_DEVICE_ERROR; + error = PORT_GetError(); + + /* remove padding */ + if ((encrypt == PR_FALSE) && (rv == SECSuccess)) { + crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad); + dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len); + PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD)); + } + AESKeyWrap_DestroyContext(ctxt, PR_TRUE); + +loser: + if (crv != CKR_OK) { + if (dest != NULL) { + SECITEM_ZfreeItem(dest, PR_TRUE); + } + dest = NULL; + } + + if (dup_src != NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + } + + return dest; +} + +#ifndef NSS_DISABLE_DEPRECATED_RC2 +/* perform rc2 encryption/decryption if an error occurs, NULL is returned + */ +static SECItem * +sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy, + PRBool encrypt) +{ + SECItem *dest; + SECItem *dup_src; + SECStatus rv = SECFailure; + int pad; + + if ((src == NULL) || (key == NULL) || (iv == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + dup_src = SECITEM_DupItem(src); + if (dup_src == NULL) { + return NULL; + } + + if (encrypt != PR_FALSE) { + void *v; + + v = CBC_PadBuffer(NULL, dup_src->data, + dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */); + if (v == NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + return NULL; + } + dup_src->data = (unsigned char *)v; + } + + dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (dest != NULL) { + dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64); + if (dest->data != NULL) { + RC2Context *ctxt; + + ctxt = RC2_CreateContext(key->data, key->len, iv->data, + NSS_RC2_CBC, key->len); + + if (ctxt != NULL) { + rv = (encrypt ? 
RC2_Encrypt : RC2_Decrypt)( + ctxt, dest->data, &dest->len, + dup_src->len + 64, dup_src->data, dup_src->len); + + /* assumes 8 byte blocks -- remove padding */ + if ((rv == SECSuccess) && (encrypt != PR_TRUE)) { + pad = dest->data[dest->len - 1]; + if ((pad > 0) && (pad <= 8)) { + if (dest->data[dest->len - pad] != pad) { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECFailure; + } else { + dest->len -= pad; + } + } else { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECFailure; + } + } + } + } + } + + if ((rv != SECSuccess) && (dest != NULL)) { + SECITEM_ZfreeItem(dest, PR_TRUE); + dest = NULL; + } + + if (dup_src != NULL) { + SECITEM_ZfreeItem(dup_src, PR_TRUE); + } + + return dest; +} +#endif /* NSS_DISABLE_DEPRECATED_RC2 */ + +/* perform rc4 encryption and decryption */ +static SECItem * +sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op, + PRBool encrypt) +{ + SECItem *dest; + SECStatus rv = SECFailure; + + if ((src == NULL) || (key == NULL) || (iv == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (dest != NULL) { + dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) * + (src->len + 64)); + if (dest->data != NULL) { + RC4Context *ctxt; + + ctxt = RC4_CreateContext(key->data, key->len); + if (ctxt) { + rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)( + ctxt, dest->data, &dest->len, + src->len + 64, src->data, src->len); + RC4_DestroyContext(ctxt, PR_TRUE); + } + } + } + + if ((rv != SECSuccess) && (dest)) { + SECITEM_ZfreeItem(dest, PR_TRUE); + dest = NULL; + } + + return dest; +} +/* function pointer template for crypto functions */ +typedef SECItem *(*pkcs5_crypto_func)(SECItem *key, SECItem *iv, + SECItem *src, PRBool op1, PRBool op2); + +/* performs the cipher operation on the src and returns the result. + * if an error occurs, NULL is returned. + * + * a null length password is allowed. 
this corresponds to encrypting + * the data with ust the salt. + */ +/* change this to use PKCS 11? */ +SECItem * +nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, + SECItem *src, PRBool encrypt, PRBool *update) +{ + SECItem *key = NULL, iv; + SECItem *dest = NULL; + PRBool tripleDES = PR_TRUE; + pkcs5_crypto_func cryptof; + + iv.data = NULL; + + if (update) { + *update = PR_FALSE; + } + + if ((pwitem == NULL) || (src == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + /* get key, and iv */ + key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE); + if (key == NULL) { + return NULL; + } + + switch (pbe_param->encAlg) { + /* PKCS 5 v2 only */ + case SEC_OID_AES_128_KEY_WRAP: + case SEC_OID_AES_192_KEY_WRAP: + case SEC_OID_AES_256_KEY_WRAP: + cryptof = sec_pkcs5_aes_key_wrap; + break; + case SEC_OID_AES_128_CBC: + case SEC_OID_AES_192_CBC: + case SEC_OID_AES_256_CBC: + cryptof = sec_pkcs5_aes; + break; + case SEC_OID_DES_EDE3_CBC: + cryptof = sec_pkcs5_des; + tripleDES = PR_TRUE; + break; + case SEC_OID_DES_CBC: + cryptof = sec_pkcs5_des; + tripleDES = PR_FALSE; + break; +#ifndef NSS_DISABLE_DEPRECATED_RC2 + case SEC_OID_RC2_CBC: + cryptof = sec_pkcs5_rc2; + break; +#endif + case SEC_OID_RC4: + cryptof = sec_pkcs5_rc4; + break; + default: + cryptof = NULL; + break; + } + + if (cryptof == NULL) { + goto loser; + } + + dest = (*cryptof)(key, &iv, src, tripleDES, encrypt); + /* + * it's possible for some keys and keydb's to claim to + * be triple des when they're really des. In this case + * we simply try des. If des works we set the update flag + * so the key db knows it needs to update all it's entries. + * The case can only happen on decrypted of a + * SEC_OID_DES_EDE3_CBD. 
+ */ + if ((pbe_param->encAlg == SEC_OID_DES_EDE3_CBC) && + (dest == NULL) && (encrypt == PR_FALSE)) { + dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt); + if (update && (dest != NULL)) + *update = PR_TRUE; + } + +loser: + if (key != NULL) { + SECITEM_ZfreeItem(key, PR_TRUE); + } + if (iv.data != NULL) { + SECITEM_ZfreeItem(&iv, PR_FALSE); + } + + return dest; +} + +/* creates a algorithm ID containing the PBE algorithm and appropriate + * parameters. the required parameter is the algorithm. if salt is + * not specified, it is generated randomly. if IV is specified, it overrides + * the PKCS 5 generation of the IV. + * + * the returned SECAlgorithmID should be destroyed using + * SECOID_DestroyAlgorithmID + */ +SECAlgorithmID * +nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm, + NSSPKCS5PBEParameter *pbe_param) +{ + SECAlgorithmID *algid, *ret_algid = NULL; + SECItem der_param; + nsspkcs5V2PBEParameter pkcs5v2_param; + + SECStatus rv = SECFailure; + void *dummy = NULL; + + if (arena == NULL) { + return NULL; + } + + der_param.data = NULL; + der_param.len = 0; + + /* generate the algorithm id */ + algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID)); + if (algid == NULL) { + goto loser; + } + + if (pbe_param->iteration.data == NULL) { + dummy = SEC_ASN1EncodeInteger(pbe_param->poolp, &pbe_param->iteration, + pbe_param->iter); + if (dummy == NULL) { + goto loser; + } + } + switch (pbe_param->pbeType) { + case NSSPKCS5_PBKDF1: + dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, + NSSPKCS5PBEParameterTemplate); + break; + case NSSPKCS5_PKCS12_V2: + dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, + NSSPKCS5PKCS12V2PBEParameterTemplate); + break; + case NSSPKCS5_PBKDF2: + if (pbe_param->keyLength.data == NULL) { + dummy = SEC_ASN1EncodeInteger(pbe_param->poolp, + &pbe_param->keyLength, pbe_param->keyLen); + if (dummy == NULL) { + goto loser; + } + } + PORT_Memset(&pkcs5v2_param, 0, sizeof(pkcs5v2_param)); + 
dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param, + NSSPKCS5V2PBEParameterTemplate); + if (dummy == NULL) { + break; + } + dummy = NULL; + rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.keyParams, + SEC_OID_PKCS5_PBKDF2, &der_param); + if (rv != SECSuccess) { + break; + } + der_param.data = pbe_param->ivData; + der_param.len = pbe_param->ivLen; + rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.algParams, + pbe_param->encAlg, pbe_param->ivLen ? &der_param : NULL); + if (rv != SECSuccess) { + dummy = NULL; + break; + } + der_param.data = NULL; + der_param.len = 0; + dummy = SEC_ASN1EncodeItem(arena, &der_param, &pkcs5v2_param, + NSSPKCS5V2PBES2ParameterTemplate); + /* If the algorithm was set to some encryption oid, set it + * to PBES2 */ + if ((algorithm != SEC_OID_PKCS5_PBKDF2) && + (algorithm != SEC_OID_PKCS5_PBMAC1)) { + algorithm = SEC_OID_PKCS5_PBES2; + } + break; + default: + break; + } + + if (dummy == NULL) { + goto loser; + } + + rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param); + if (rv != SECSuccess) { + goto loser; + } + + ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID)); + if (ret_algid == NULL) { + goto loser; + } + + rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid); + if (rv != SECSuccess) { + SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); + ret_algid = NULL; + } + +loser: + + return ret_algid; +} + +#define TEST_KEY "pbkdf test key" +SECStatus +sftk_fips_pbkdf_PowerUpSelfTests(void) +{ + SECItem *result; + SECItem inKey; + NSSPKCS5PBEParameter pbe_params; + unsigned char iteration_count = 5; + unsigned char keyLen = 64; + char *inKeyData = TEST_KEY; + static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + static const unsigned char pbkdf_known_answer[] = { + 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, + 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, + 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, + 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, + 0x2c, 0x8d, 
0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, + 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, + 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, + 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 + }; + + sftk_PBELockInit(); + + inKey.data = (unsigned char *)inKeyData; + inKey.len = sizeof(TEST_KEY) - 1; + + pbe_params.salt.data = (unsigned char *)saltData; + pbe_params.salt.len = sizeof(saltData); + /* the interation and keyLength are used as intermediate + * values when decoding the Algorithm ID, set them for completeness, + * but they are not used */ + pbe_params.iteration.data = &iteration_count; + pbe_params.iteration.len = 1; + pbe_params.keyLength.data = &keyLen; + pbe_params.keyLength.len = 1; + /* pkcs5v2 stores the key in the AlgorithmID, so we don't need to + * generate it here */ + pbe_params.ivLen = 0; + pbe_params.ivData = NULL; + /* keyID is only used by pkcs12 extensions to pkcs5v1 */ + pbe_params.keyID = pbeBitGenCipherKey; + /* Algorithm is used by the decryption code after get get our key */ + pbe_params.encAlg = SEC_OID_AES_256_CBC; + /* these are the fields actually used in nsspkcs5_ComputeKeyAndIV + * for NSSPKCS5_PBKDF2 */ + pbe_params.iter = iteration_count; + pbe_params.keyLen = keyLen; + pbe_params.hashType = HASH_AlgSHA256; + pbe_params.pbeType = NSSPKCS5_PBKDF2; + pbe_params.is2KeyDES = PR_FALSE; + + result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE); + if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) || + (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) { + SECITEM_FreeItem(result, PR_TRUE); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + SECITEM_FreeItem(result, PR_TRUE); + return SECSuccess; +} diff --git a/security/nss/lib/softoken/lowpbe.h b/security/nss/lib/softoken/lowpbe.h new file mode 100644 index 0000000000..b567c59681 --- /dev/null +++ b/security/nss/lib/softoken/lowpbe.h 
@@ -0,0 +1,112 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+
+#include "plarena.h"
+#include "secitem.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "hasht.h"
+
+typedef SECItem *(*SEC_PKCS5GetPBEPassword)(void *arg);
+
+/* used for V2 PKCS 12 Draft Spec */
+typedef enum {
+ pbeBitGenIDNull = 0,
+ pbeBitGenCipherKey = 0x01,
+ pbeBitGenCipherIV = 0x02,
+ pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef enum {
+ NSSPKCS5_PBKDF1 = 0,
+ NSSPKCS5_PBKDF2 = 1,
+ NSSPKCS5_PKCS12_V2 = 2
+} NSSPKCS5PBEType;
+
+typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
+
+struct NSSPKCS5PBEParameterStr {
+ PLArenaPool *poolp;
+ SECItem salt; /* octet string */
+ SECItem iteration; /* integer */
+ SECItem keyLength; /* integer */
+
+ /* used locally */
+ int iter;
+ int keyLen;
+ int ivLen;
+ unsigned char *ivData;
+ HASH_HashType hashType;
+ NSSPKCS5PBEType pbeType;
+ SECAlgorithmID prfAlg;
+ PBEBitGenID keyID;
+ SECOidTag encAlg;
+ PRBool is2KeyDES;
+};
+
+SEC_BEGIN_PROTOS
+/* Create a PKCS5 Algorithm ID
+ * The algorithm ID is set up using the PKCS #5 parameter structure
+ * algorithm is the PBE algorithm ID for the desired algorithm
+ * pbe is a pbe param block with all the info needed to create the
+ * algorithm id.
+ * If an error occurs or the algorithm specified is not supported
+ * or is not a password based encryption algorithm, NULL is returned.
+ * Otherwise, a pointer to the algorithm id is returned.
+ */
+extern SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm,
+ NSSPKCS5PBEParameter *pbe);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, HASH_HashType hashType, SECItem *salt,
+ int iterationCount);
+
+/* Encrypt/Decrypt data using password based encryption.
+ * algid is the PBE algorithm identifier,
+ * pwitem is the password,
+ * src is the source for encryption/decryption,
+ * encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
+ * The key and iv are generated based upon PKCS #5 then the src
+ * is either encrypted or decrypted. If an error occurs, NULL
+ * is returned, otherwise the ciphered contents is returned.
+ */
+extern SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
+ SECItem *src, PRBool encrypt, PRBool *update);
+
+extern SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
+ SECItem *iv, PRBool faulty3DES);
+
+/* Destroys PBE parameter */
+extern void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
+
+HASH_HashType HASH_FromHMACOid(SECOidTag oid);
+SECOidTag HASH_HMACOidFromHash(HASH_HashType);
+
+/* fips selftest */
+extern SECStatus
+sftk_fips_pbkdf_PowerUpSelfTests(void);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
new file mode 100644
index 0000000000..34daf1c4a0
--- /dev/null
+++ b/security/nss/lib/softoken/manifest.mn
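Review bot: The NOTE on `nsspkcs5_AlgidToParam` ("this does not suppport PKCS 5 v2 ...") is stale: the decoder in lowpbe.c earlier in this patch handles `SEC_OID_PKCS5_PBES2`, decoding `NSSPKCS5V2PBES2ParameterTemplate` and filling `encAlg`, `ivData`/`ivLen` and the PRF from it, and the identical NOTE is copy-pasted onto `nsspkcs5_NewParam`, which takes no AlgorithmID at all. I would replace the first with `/* Decode a PBE AlgorithmID (PKCS #5 v1, PKCS #12, or PKCS #5 v2 PBES2/PBKDF2) into a new arena-backed NSSPKCS5PBEParameter; returns NULL on decode error or an unsupported PRF. */` and give `nsspkcs5_NewParam` its own one-line description. `nsspkcs5_CipherData`'s `update` out-parameter is undocumented although lowpbe.c sets it to PR_TRUE only when a `SEC_OID_DES_EDE3_CBC` decrypt fails and a single-DES retry succeeds, a signal the key database uses to rewrite its entries, so a line such as `update (optional): set to PR_TRUE when a 3DES-labelled entry was really single-DES and the caller should re-encrypt it` belongs on the prototype. `nsspkcs5_ComputeKeyAndIV` has no comment, so the meaning of `faulty3DES` (always PR_FALSE from nsspkcs5_CipherData in this patch) should be spelled out by whoever knows it. Since `ivData` is assigned straight from the decoded v2 parameters rather than copied, the struct comment should say it is a non-owning pointer valid only while `poolp` lives.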
@@ -0,0 +1,70 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+
+MODULE = nss
+ifndef NSS_DISABLE_DBM
+DIRS = legacydb
+endif
+
+LIBRARY_NAME = softokn
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+
+ifdef SQLITE_INCLUDE_DIR
+INCLUDES += -I$(SQLITE_INCLUDE_DIR)
+endif
+
+EXPORTS = \
+ lowkeyi.h \
+ lowkeyti.h \
+ $(NULL)
+
+PRIVATE_EXPORTS = \
+ pkcs11ni.h \
+ softoken.h \
+ softoknt.h \
+ softkver.h \
+ sdb.h \
+ sftkdbt.h \
+ $(NULL)
+
+CSRCS = \
+ fipsaudt.c \
+ fipstest.c \
+ fipstokn.c \
+ kbkdf.c \
+ lowkey.c \
+ lowpbe.c \
+ padbuf.c \
+ pkcs11.c \
+ pkcs11c.c \
+ pkcs11u.c \
+ sdb.c \
+ sftkdb.c \
+ sftkdhverify.c \
+ sftkhmac.c \
+ sftkike.c \
+ sftkmessage.c \
+ sftkpars.c \
+ sftkpwd.c \
+ softkver.c \
+ tlsprf.c \
+ jpakesftk.c \
+ $(NULL)
+
+ifndef NSS_DISABLE_DBM
+PRIVATE_EXPORTS += lgglue.h
+CSRCS += lgglue.c
+endif
+
+ifdef SQLITE_UNSAFE_THREADS
+DEFINES += -DSQLITE_UNSAFE_THREADS
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
new file mode 100644
index 0000000000..6e897f2131
--- /dev/null
+++ b/security/nss/lib/softoken/padbuf.c
@@ -0,0 +1,49 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "blapit.h"
+#include "secport.h"
+#include "secerr.h"
+
+/*
+ * Prepare a buffer for any padded CBC encryption algorithm, growing to the
+ * appropriate boundary and filling with the appropriate padding.
+ * blockSize must be a power of 2.
+ *
+ * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+ * we assume (and use) XP memory (re)allocation.
+ */
+unsigned char *
+CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
+ unsigned int *outlen, int blockSize)
+{
+ unsigned char *outbuf;
+ unsigned int des_len;
+ unsigned int i;
+ unsigned char des_pad_len;
+
+ /*
+ * We need from 1 to blockSize bytes -- we *always* grow.
+ * The extra bytes contain the value of the length of the padding:
+ * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+ */
+ des_len = (inlen + blockSize) & ~(blockSize - 1);
+
+ if (arena != NULL) {
+ outbuf = (unsigned char *)PORT_ArenaGrow(arena, inbuf, inlen, des_len);
+ } else {
+ outbuf = (unsigned char *)PORT_Realloc(inbuf, des_len);
+ }
+
+ if (outbuf == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ des_pad_len = des_len - inlen;
+ for (i = inlen; i < des_len; i++)
+ outbuf[i] = des_pad_len;
+
+ *outlen = des_len;
+ return outbuf;
+}
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
new file mode 100644
index 0000000000..a730ba397e
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.c
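Review bot: `CBC_PadBuffer` enforces none of its preconditions: the header says blockSize must be a power of 2 but nothing checks it, so a non-power-of-2 value makes `& ~(blockSize - 1)` yield a `des_len` that is not a multiple of the block; a blockSize above 255 is silently truncated when the pad length is stored in the `unsigned char des_pad_len`; and for a very large `inlen` the `unsigned int` sum `inlen + blockSize` wraps, `des_len` ends up smaller than `inlen`, the padding loop runs zero times and the caller gets a shrunk buffer with `*outlen` below its own input length. One guard before the reallocation closes all three: `if (blockSize <= 0 || blockSize > 255 || (blockSize & (blockSize - 1)) != 0 || inlen > UINT_MAX - (unsigned int)blockSize) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }` (needs `<limits.h>`; the lowpbe.c callers already treat NULL as failure and free their copy). A caveat worth a comment on the non-arena path: `PORT_Realloc` may move the allocation, and then the old copy of the plaintext is released without being zeroized unless PORT_Realloc does that itself, which is not visible here; callers handling secrets (lowpbe.c passes a `SECITEM_DupItem` copy of the data to be encrypted) may prefer a fresh allocation, copy, and explicit zero of the original.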
@@ -0,0 +1,5416 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secport.h"
+#include "secrng.h"
+#include "prtypes.h"
+#include "nspr.h"
+#include "softkver.h"
+#include "secoid.h"
+#include "sftkdb.h"
+#include "utilpars.h"
+#include "ec.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "lgglue.h"
+
+PRBool parentForkedAfterC_Initialize;
+
+#ifndef NO_FORK_CHECK
+
+PRBool sftkForkCheckDisabled;
+
+#if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED)
+PRBool forked = PR_FALSE;
+#endif
+
+#if defined(CHECK_FORK_GETPID) || defined(CHECK_FORK_MIXED)
+#include
+pid_t myPid;
+#endif
+
+#ifdef CHECK_FORK_MIXED
+#include
+PRBool usePthread_atfork;
+#endif
+
+#endif
+
+/*
+ * ******************** Static data *******************************
+ */
+
+/* The next three strings must be exactly 32 characters long */
+static char *manufacturerID = "Mozilla Foundation ";
+static char manufacturerID_space[33];
+static char *libraryDescription = "NSS Internal Crypto Services ";
+static char libraryDescription_space[33];
+
+/*
+ * In FIPS mode, we disallow login attempts for 1 second after a login
+ * failure so that there are at most 60 login attempts per minute.
+ */
+static PRIntervalTime loginWaitTime;
+
+#define __PASTE(x, y) x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_3_0 1
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ CK_RV __PASTE(NS, func)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* build the crypto module table */
+static CK_FUNCTION_LIST_3_0 sftk_funcList = {
+ { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
+
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ __PASTE(NS, func) \
+ ,
+#include "pkcs11f.h"
+
+};
+
+/* need a special version of get info for version 2 which returns the version
+ * 2.4 version number */
+CK_RV NSC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+
+/* build the crypto module table */
+static CK_FUNCTION_LIST sftk_funcList_v2 = {
+ { 2, 40 },
+
+#undef CK_PKCS11_3_0
+#define CK_PKCS_11_2_0_ONLY 1
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+#define C_GetInfo C_GetInfoV2
+#define C_GetMechanismInfo C_GetMechanismInfoV2
+
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ __PASTE(NS, func) \
+ ,
+#include "pkcs11f.h"
+
+};
+
+#undef C_GetInfo
+#undef C_GetMechanismInfo
+#undef CK_PKCS_11_2_0_ONLY
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#undef __PASTE
+
+CK_NSS_MODULE_FUNCTIONS sftk_module_funcList = {
+ { 1, 0 },
+ NSC_ModuleDBFunc
+};
+
+static CK_RV
+nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ULONG ulOperationType,
+ CK_ULONG *pulFIPSStatus);
+CK_NSS_FIPS_FUNCTIONS sftk_fips_funcList = {
+ { 1, 0 },
+ nsc_NSSGetFIPSStatus
+};
+
+/*
+ * Array is orderd by default first
+ */
+static CK_INTERFACE nss_interfaces[] = {
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList_v2, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS Module Interface", &sftk_module_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR)
"Vendor NSS FIPS Interface", &sftk_fips_funcList, NSS_INTERFACE_FLAGS } +}; +/* must match the count of interfaces in nss_interfaces above */ +#define NSS_INTERFACE_COUNT 4 + +/* List of DES Weak Keys */ +typedef unsigned char desKey[8]; +static const desKey sftk_desWeakTable[] = { +#ifdef noParity + /* weak */ + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, + { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, + { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }, + /* semi-weak */ + { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, + { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe }, + + { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, + { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, + + { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f }, + { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, + + { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, + { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, + + { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, + { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, + + { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, + { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, +#else + /* weak */ + { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, + { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e }, + { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 }, + { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }, + + /* semi-weak */ + { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe }, + { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 }, + + { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 }, + { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e }, + + { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 }, + { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 }, + + { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, + { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e }, + + { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e }, + { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 
0x0e, 0x01 },
+
+ { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe },
+ { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
+#endif
+};
+
+static const int sftk_desWeakTableSize = sizeof(sftk_desWeakTable) /
+ sizeof(sftk_desWeakTable[0]);
+
+/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
+ * that byte with the proper parity bit set */
+static const unsigned char parityTable[256] = {
+ /* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
+ /* E */ 0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e,
+ /* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
+ /* O */ 0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f,
+ /* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
+ /* O */ 0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f,
+ /* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
+ /* E */ 0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e,
+ /* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
+ /* O */ 0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f,
+ /* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
+ /* E */ 0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e,
+ /* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
+ /* E */ 0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e,
+ /* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
+ /* O */ 0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f,
+ /* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
+ /* O */ 0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f,
+ /* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
+ /* E */ 0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e,
+ /* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
+ /* E */ 0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae,
+ /* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
+ /* O */ 0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf,
+ /* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
+ /* E */ 0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce,
+ /* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
+ /* O */ 0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf,
+
/* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
+ /* O */ 0xe0, 0xe3, 0xe5, 0xe6, 0xe9, 0xea, 0xec, 0xef,
+ /* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
+ /* E */ 0xf1, 0xf2, 0xf4, 0xf7, 0xf8, 0xfb, 0xfd, 0xfe
+};
+
+/* Mechanisms */
+struct mechanismList {
+ CK_MECHANISM_TYPE type;
+ CK_MECHANISM_INFO info;
+ PRBool privkey;
+};
+
+/*
+ * the following table includes a complete list of mechanism defined by
+ * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
+ * module are ifdef'ed out.
+ */
+#define CKF_EN_DE CKF_ENCRYPT | CKF_DECRYPT
+#define CKF_WR_UN CKF_WRAP | CKF_UNWRAP
+#define CKF_SN_VR CKF_SIGN | CKF_VERIFY
+#define CKF_SN_RE CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
+#define CKF_EN_DE_MSG CKF_ENCRYPT | CKF_DECRYPT | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT
+
+#define CKF_EN_DE_WR_UN CKF_EN_DE | CKF_WR_UN
+#define CKF_SN_VR_RE CKF_SN_VR | CKF_SN_RE
+#define CKF_DUZ_IT_ALL CKF_EN_DE_WR_UN | CKF_SN_VR_RE
+
+#define CKF_EC_PNU CKF_EC_F_P | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS
+
+#define CKF_EC_BPNU CKF_EC_F_2M | CKF_EC_PNU
+
+#define CK_MAX 0xffffffff
+
+static const struct mechanismList mechanisms[] = {
+
+ /*
+ * PKCS #11 Mechanism List.
+ *
+ * The first argument is the PKCS #11 Mechanism we support.
+ * The second argument is Mechanism info structure. It includes:
+ * The minimum key size,
+ * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+ * in bytes for RC5, AES, Camellia, and CAST*
+ * ignored for DES*, IDEA and FORTEZZA based
+ * The maximum key size,
+ * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+ * in bytes for RC5, AES, Camellia, and CAST*
+ * ignored for DES*, IDEA and FORTEZZA based
+ * Flags
+ * What operations are supported by this mechanism.
+ * The third argument is a bool which tells if this mechanism is
+ * supported in the database token.
+ *
+ */
+
+ /* ------------------------- RSA Operations ---------------------------*/
+ { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+ { CKM_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_RSA_PKCS_OAEP, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_EN_DE_WR_UN }, PR_TRUE },
+#ifdef SFTK_RSA9796_SUPPORTED
+ { CKM_RSA_9796, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+#endif
+ { CKM_RSA_X_509, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+ /* -------------- RSA Multipart Signing Operations -------------------- */
+ { CKM_MD2_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD5_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA1_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA1_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ /* ------------------------- DSA Operations --------------------------- */
+ { CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS,
CKF_GENERATE }, PR_TRUE },
+ { CKM_DSA_SHA1, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA224, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA256, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA384, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA512, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ /* -------------------- Diffie Hellman Operations --------------------- */
+ /* no diffie hellman yet */
+ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_DH_PKCS_DERIVE, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE }, PR_TRUE },
+ /* -------------------- Elliptic Curve Operations --------------------- */
+ { CKM_EC_KEY_PAIR_GEN, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDH1_DERIVE, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_DERIVE | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA1, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA224, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA256, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA384, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA512, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ /* ------------------------- RC2 Operations --------------------------- */
+ { CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC2_CBC, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC2_MAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC2_MAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC2_CBC_PAD, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /*
------------------------- RC4 Operations --------------------------- */
+ { CKM_RC4_KEY_GEN, { 1, 256, CKF_GENERATE }, PR_FALSE },
+ { CKM_RC4, { 1, 256, CKF_EN_DE_WR_UN }, PR_FALSE },
+ /* ------------------------- DES Operations --------------------------- */
+ { CKM_DES_KEY_GEN, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES_ECB, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES_CBC, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES_MAC, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES_MAC_GENERAL, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES_CBC_PAD, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES2_KEY_GEN, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES3_KEY_GEN, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES3_ECB, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES3_CBC, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES3_MAC, { 24, 24, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES3_MAC_GENERAL, { 24, 24, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES3_CBC_PAD, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* ------------------------- CDMF Operations --------------------------- */
+ { CKM_CDMF_KEY_GEN, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_CDMF_ECB, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CDMF_CBC, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CDMF_MAC, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CDMF_MAC_GENERAL, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CDMF_CBC_PAD, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* ------------------------- AES Operations --------------------------- */
+ { CKM_AES_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_AES_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CMAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CMAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_AES_GCM, { 16, 32, CKF_EN_DE_MSG }, PR_TRUE },
+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ /* ------------------------- Camellia Operations --------------------- */
+ { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAMELLIA_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAMELLIA_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAMELLIA_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAMELLIA_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAMELLIA_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+/* ------------------------- SEED Operations --------------------------- */
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ { CKM_SEED_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_SEED_ECB, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_SEED_CBC, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_SEED_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_SEED_MAC_GENERAL, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_SEED_CBC_PAD, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+/* ------------------------- ChaCha20 Operations ---------------------- */
+#ifndef NSS_DISABLE_CHACHAPOLY
+ { CKM_NSS_CHACHA20_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_CHACHA20_POLY1305, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_NSS_CHACHA20_CTR, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_CHACHA20_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CHACHA20, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_CHACHA20_POLY1305, { 32, 32, CKF_EN_DE_MSG }, PR_TRUE },
+#endif /* NSS_DISABLE_CHACHAPOLY */
+ /* ------------------------- Hashing Operations ----------------------- */
+ { CKM_MD2, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_MD2_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD2_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD5, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_MD5_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ {
CKM_MD5_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA_1, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA_1_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA_1_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA224_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA256_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA384_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA512_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_TLS_PRF_GENERAL, { 0, 512, CKF_SN_VR }, PR_FALSE },
+ { CKM_TLS_MAC, { 0, 512, CKF_SN_VR }, PR_FALSE },
+ { CKM_NSS_TLS_PRF_GENERAL_SHA256,
+ { 0, 512, CKF_SN_VR },
+ PR_FALSE },
+ /* ------------------------- HKDF Operations -------------------------- */
+ { CKM_HKDF_DERIVE, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_HKDF_DATA, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_HKDF_KEY_GEN, { 20, 64, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, PR_TRUE },
+/* ------------------------- CAST Operations --------------------------- */
+#ifdef NSS_SOFTOKEN_DOES_CAST
+ /* Cast operations are not supported ( yet?
) */
+ { CKM_CAST_KEY_GEN, { 1, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST_ECB, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST_CBC, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST_MAC, { 1, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST_MAC_GENERAL, { 1, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST_CBC_PAD, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_KEY_GEN, { 1, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST3_ECB, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_CBC, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_MAC, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST3_MAC_GENERAL, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST3_CBC_PAD, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_KEY_GEN, { 1, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST5_ECB, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_CBC, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_MAC, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST5_MAC_GENERAL, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST5_CBC_PAD, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+ /* ------------------------- RC5 Operations --------------------------- */
+ { CKM_RC5_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_RC5_ECB, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC5_CBC, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC5_MAC, { 1, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC5_MAC_GENERAL, { 1, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC5_CBC_PAD, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+#ifdef NSS_SOFTOKEN_DOES_IDEA
+ /* ------------------------- IDEA Operations -------------------------- */
+ { CKM_IDEA_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_IDEA_ECB, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_IDEA_CBC, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_IDEA_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_IDEA_MAC_GENERAL, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_IDEA_CBC_PAD, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+ /* --------------------- Secret Key
Operations ------------------------ */
+ { CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ { CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+#endif
+ /* ---------------------- SSL Key Derivations ------------------------- */
+ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE },
+ { CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_MD5_MAC, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_SHA1_MAC, { 0, 20, CKF_DERIVE }, PR_FALSE },
+ { CKM_MD5_KEY_DERIVATION, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_MD2_KEY_DERIVATION, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA1_KEY_DERIVATION, { 0, 20, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA224_KEY_DERIVATION, { 0, 28, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA256_KEY_DERIVATION, { 0, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA384_KEY_DERIVATION, { 0, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA512_KEY_DERIVATION, { 0, 64, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE
}, PR_FALSE },
+ { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,
+ { 48, 48, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256,
+ { 8, 128, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_TLS_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS12_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
+ { 48, 48, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+ { 48, 128, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+ { 48, 128, CKF_DERIVE },
+ PR_FALSE },
+ /* ---------------------- PBE Key Derivations ------------------------ */
+ { CKM_PBE_MD2_DES_CBC, { 8, 8, CKF_DERIVE }, PR_TRUE },
+ { CKM_PBE_MD5_DES_CBC, { 8, 8, CKF_DERIVE }, PR_TRUE },
+ /* ------------------ NSS PBE Key Derivations ------------------- */
+ { CKM_NSS_PBE_SHA1_DES_CBC, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_DES3_EDE_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_DES2_EDE_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC2_40_CBC, { 40, 40, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC2_128_CBC, { 128, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC4_40, { 40, 40, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC4_128, { 128, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBA_SHA1_WITH_SHA1_HMAC, { 20, 20, CKF_GENERATE }, PR_TRUE },
+ { CKM_PKCS5_PBKD2, { 1, 256, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, { 20, 20, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_MD5_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_MD2_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 28, 28, CKF_GENERATE },
PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 64, 64, CKF_GENERATE }, PR_TRUE },
+ /* ------------------ NIST 800-108 Key Derivations ------------------- */
+ { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ /* ------------------ AES Key Wrap (also encrypt) ------------------- */
+ { CKM_NSS_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_NSS_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP_KWP, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* --------------------------- J-PAKE -------------------------------- */
+ { CKM_NSS_JPAKE_ROUND1_SHA1, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA256, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA384, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA512, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA384, { 0, 0,
CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ /* -------------------- Constant Time TLS MACs ----------------------- */
+ { CKM_NSS_HMAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
+ { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
+ /* --------------------IPSEC ----------------------- */
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+};
+static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+
+/* sigh global so fipstokn can read it */
+PRBool nsc_init = PR_FALSE;
+
+#if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED)
+
+#include
+
+static void
+ForkedChild(void)
+{
+ if (nsc_init || nsf_init) {
+ forked = PR_TRUE;
+ }
+}
+
+#endif
+
+static char *
+sftk_setStringName(const char *inString, char *buffer, int buffer_length, PRBool nullTerminate)
+{
+ int full_length, string_length;
+
+ full_length = nullTerminate ? buffer_length - 1 : buffer_length;
+ string_length = PORT_Strlen(inString);
+ /*
+ * shorten the string, respecting utf8 encoding
+ * to do so, we work backward from the end
+ * bytes looking from the end are either:
+ * - ascii [0x00,0x7f]
+ * - the [2-n]th byte of a multibyte sequence
+ * [0x3F,0xBF], i.e, most significant 2 bits are '10'
+ * - the first byte of a multibyte sequence [0xC0,0xFD],
+ * i.e, most significant 2 bits are '11'
+ *
+ * When the string is too long, we lop off any trailing '10' bytes,
+ * if any. When these are all eliminated we lop off
+ * one additional byte. Thus if we lopped any '10'
+ * we'll be lopping a '11' byte (the first byte of the multibyte sequence),
+ * otherwise we're lopping off an ascii character.
+ *
+ * To test for '10' bytes, we first AND it with
+ * 11000000 (0xc0) so that we get 10000000 (0x80) if and only if
+ * the byte starts with 10. We test for equality.
+ */
+ while (string_length > full_length) {
+ /* need to shorten */
+ while (string_length > 0 &&
+ ((inString[string_length - 1] & (char)0xc0) == (char)0x80)) {
+ /* lop off '10' byte */
+ string_length--;
+ }
+ /*
+ * test string_length in case bad data is received
+ * and string consisted of all '10' bytes,
+ * avoiding any infinite loop
+ */
+ if (string_length) {
+ /* remove either '11' byte or an asci byte */
+ string_length--;
+ }
+ }
+ PORT_Memset(buffer, ' ', full_length);
+ if (nullTerminate) {
+ buffer[full_length] = 0;
+ }
+ PORT_Memcpy(buffer, inString, string_length);
+ return buffer;
+}
+/*
+ * Configuration utils
+ */
+static CK_RV
+sftk_configure(const char *man, const char *libdes)
+{
+
+ /* make sure the internationalization was done correctly... */
+ if (man) {
+ manufacturerID = sftk_setStringName(man, manufacturerID_space,
+ sizeof(manufacturerID_space), PR_TRUE);
+ }
+ if (libdes) {
+ libraryDescription = sftk_setStringName(libdes,
+ libraryDescription_space, sizeof(libraryDescription_space),
+ PR_TRUE);
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+
+/*
+ * see if the key DB password is enabled
+ */
+static PRBool
+sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb)
+{
+ PRBool pwenabled;
+
+ pwenabled = PR_FALSE;
+ if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+ PRBool tokenRemoved = PR_FALSE;
+ SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ return (rv == SECSuccess);
+ }
+
+ return pwenabled;
+}
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/* Make sure a given attribute exists.
If it doesn't, initialize it to
+ * value and len
+ */
+CK_RV
+sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ if (!sftk_hasAttribute(object, type)) {
+ return sftk_AddAttributeType(object, type, value, len);
+ }
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Data Object
+ */
+static CK_RV
+sftk_handleDataObject(SFTKSession *session, SFTKObject *object)
+{
+ CK_RV crv;
+
+ /* first reject private and token data objects */
+ if (sftk_isTrue(object, CKA_PRIVATE) || sftk_isTrue(object, CKA_TOKEN)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* now just verify the required date fields */
+ crv = sftk_defaultAttribute(object, CKA_APPLICATION, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VALUE, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Certificate Object
+ */
+static CK_RV
+sftk_handleCertObject(SFTKSession *session, SFTKObject *object)
+{
+ CK_CERTIFICATE_TYPE type;
+ SFTKAttribute *attribute;
+ CK_RV crv;
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_CERTIFICATE_TYPE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* We only support X.509 Certs for now */
+ attribute = sftk_FindAttribute(object, CKA_CERTIFICATE_TYPE);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ if (type != CKC_X_509) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* X.509 Certificate */
+
+ /* make sure we have a cert */
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Subject is a required field */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Issuer is a required field */
+ if (!sftk_hasAttribute(object, CKA_ISSUER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Serial is a required field */
+ if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* add it to the object */
+ object->objectInfo = NULL;
+ object->infoFree = (SFTKFree)NULL;
+
+ /* now just verify the required date fields */
+ crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleTrustObject(SFTKSession *session, SFTKObject *object)
+{
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_ISSUER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_CERT_SHA1_HASH)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_CERT_MD5_HASH)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+ CK_RV crv;
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleSMimeObject(SFTKSession *session,
SFTKObject *object)
+{
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_NSS_EMAIL)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle;
+ CK_RV crv;
+
+ PORT_Assert(slot);
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ certHandle = sftk_getCertDB(slot);
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleCrlObject(SFTKSession *session, SFTKObject *object)
+{
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+ CK_RV crv;
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object
+ */
+static CK_RV
+sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
+ CK_KEY_TYPE key_type)
+{
+ CK_BBOOL encrypt = CK_TRUE;
+ CK_BBOOL recover = CK_TRUE;
+ CK_BBOOL wrap = CK_TRUE;
+ CK_BBOOL derive = CK_FALSE;
+ CK_BBOOL verify = CK_TRUE;
+ CK_RV crv;
+
+ switch (key_type) {
+
case CKK_RSA:
+ crv = sftk_ConstrainAttribute(object, CKA_MODULUS,
+ RSA_MIN_MODULUS_BITS, 0, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ break;
+ case CKK_DSA:
+ crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME,
+ DSA_MIN_Q_BITS, DSA_MAX_Q_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_PRIME,
+ DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DSA_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DSA_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_DH:
+ crv = sftk_ConstrainAttribute(object, CKA_PRIME,
+ DH_MIN_P_BITS, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ verify = CK_FALSE;
+ derive = CK_TRUE;
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_EC:
+ if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_EC_POINT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ derive = CK_TRUE; /* for ECDH */
+ verify = CK_TRUE; /* for ECDSA */
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ default:
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* make sure the required fields exist */
+ crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_ENCRYPT, &encrypt, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv =
sftk_defaultAttribute(object, CKA_VERIFY, &verify, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VERIFY_RECOVER,
+ &recover, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_WRAP, &wrap, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_DERIVE, &derive, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ object->objectInfo = sftk_GetPubKey(object, key_type, &crv);
+ if (object->objectInfo == NULL) {
+ return crv;
+ }
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey;
+
+ /* Check that an imported EC key is valid */
+ if (key_type == CKK_EC) {
+ NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey *)object->objectInfo;
+ SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams,
+ &pubKey->u.ec.publicValue);
+
+ if (rv != SECSuccess) {
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+static NSSLOWKEYPrivateKey *
+sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key, CK_RV *rvp);
+
+static SECStatus
+sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded);
+
+/*
+ * check the consistancy and initialize a Private Key Object
+ */
+static CK_RV
+sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYPE key_type)
+{
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_BBOOL encrypt = CK_TRUE;
+ CK_BBOOL sign = CK_FALSE;
+ CK_BBOOL recover = CK_TRUE;
+ CK_BBOOL wrap = CK_TRUE;
+ CK_BBOOL derive = CK_TRUE;
+ CK_BBOOL ckfalse = CK_FALSE;
+ PRBool createObjectInfo = PR_TRUE;
+ PRBool fillPrivateKey = PR_FALSE;
+ int missing_rsa_mod_component = 0;
+ int missing_rsa_exp_component = 0;
+ int
missing_rsa_crt_component = 0;
+
+ SECItem mod;
+ CK_RV crv;
+ SECStatus rv;
+
+ switch (key_type) {
+ case CKK_RSA:
+ if (!sftk_hasAttribute(object, CKA_MODULUS)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
+ missing_rsa_exp_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
+ missing_rsa_exp_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIME_1)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIME_2)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_EXPONENT_1)) {
+ missing_rsa_crt_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_EXPONENT_2)) {
+ missing_rsa_crt_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_COEFFICIENT)) {
+ missing_rsa_crt_component++;
+ }
+ if (missing_rsa_mod_component || missing_rsa_exp_component ||
+ missing_rsa_crt_component) {
+ /* we are missing a component, see if we have enough to rebuild
+ * the rest */
+ int have_exp = 2 - missing_rsa_exp_component;
+ int have_component = 5 -
+ (missing_rsa_exp_component + missing_rsa_mod_component);
+
+ if ((have_exp == 0) || (have_component < 3)) {
+ /* nope, not enough to reconstruct the private key */
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ fillPrivateKey = PR_TRUE;
+ }
+ /*verify the parameters for consistency*/
+ rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey);
+ if (rv != SECSuccess) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* make sure Netscape DB attribute is set correctly */
+ crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_forceAttribute(object, CKA_NSS_DB,
+ sftk_item_expand(&mod));
+ if (mod.data)
+ SECITEM_ZfreeItem(&mod, PR_FALSE);
+ if (crv != CKR_OK)
+ return crv;
+
+ sign = CK_TRUE;
+ derive = CK_FALSE;
+ break;
+ case CKK_DSA:
+ if (!sftk_hasAttribute(object, CKA_SUBPRIME)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ sign = CK_TRUE;
+ derive = CK_FALSE;
+ /* fall
through */ + case CKK_DH: + if (!sftk_hasAttribute(object, CKA_PRIME)) { + return CKR_TEMPLATE_INCOMPLETE; + } + if (!sftk_hasAttribute(object, CKA_BASE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + if (!sftk_hasAttribute(object, CKA_VALUE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + /* allow subprime to be set after the fact */ + crv = sftk_defaultAttribute(object, CKA_SUBPRIME, NULL, 0); + if (crv != CKR_OK) { + return crv; + } + encrypt = CK_FALSE; + recover = CK_FALSE; + wrap = CK_FALSE; + break; + case CKK_EC: + if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) { + return CKR_TEMPLATE_INCOMPLETE; + } + if (!sftk_hasAttribute(object, CKA_VALUE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + encrypt = CK_FALSE; + sign = CK_TRUE; + recover = CK_FALSE; + wrap = CK_FALSE; + break; + case CKK_NSS_JPAKE_ROUND1: + if (!sftk_hasAttribute(object, CKA_PRIME) || + !sftk_hasAttribute(object, CKA_SUBPRIME) || + !sftk_hasAttribute(object, CKA_BASE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + /* fall through */ + case CKK_NSS_JPAKE_ROUND2: + /* CKA_NSS_JPAKE_SIGNERID and CKA_NSS_JPAKE_PEERID are checked in + the J-PAKE code. 
*/ + encrypt = sign = recover = wrap = CK_FALSE; + derive = CK_TRUE; + createObjectInfo = PR_FALSE; + break; + default: + return CKR_ATTRIBUTE_VALUE_INVALID; + } + crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_SENSITIVE, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_DECRYPT, &encrypt, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_SIGN, &sign, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_SIGN_RECOVER, &recover, + sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_UNWRAP, &wrap, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_DERIVE, &derive, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + /* the next two bits get modified only in the key gen and token cases */ + crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE, + &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE, + &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + /* should we check the non-token RSA private keys? 
*/ + + if (sftk_isTrue(object, CKA_TOKEN)) { + SFTKSlot *slot = session->slot; + SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); + + if (keyHandle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + crv = sftkdb_write(keyHandle, object, &object->handle); + sftk_freeDB(keyHandle); + return crv; + } else if (createObjectInfo) { + object->objectInfo = sftk_mkPrivKey(object, key_type, &crv); + if (object->objectInfo == NULL) + return crv; + object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey; + } + return CKR_OK; +} + +/* forward declare the DES formating function for handleSecretKey */ +void sftk_FormatDESKey(unsigned char *key, int length); + +/* Validate secret key data, and set defaults */ +static CK_RV +validateSecretKey(SFTKSession *session, SFTKObject *object, + CK_KEY_TYPE key_type, PRBool isFIPS) +{ + CK_RV crv; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + SFTKAttribute *attribute = NULL; + unsigned long requiredLen; + + crv = sftk_defaultAttribute(object, CKA_SENSITIVE, + isFIPS ? 
&cktrue : &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE, + &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_SIGN, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_VERIFY, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_WRAP, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_UNWRAP, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + if (!sftk_hasAttribute(object, CKA_VALUE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + /* the next two bits get modified only in the key gen and token cases */ + crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE, + &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE, + &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + /* some types of keys have a value length */ + crv = CKR_OK; + switch (key_type) { + /* force CKA_VALUE_LEN to be set */ + case CKK_GENERIC_SECRET: + case CKK_RC2: + case CKK_RC4: +#if NSS_SOFTOKEN_DOES_RC5 + case CKK_RC5: +#endif +#ifdef NSS_SOFTOKEN_DOES_CAST + case CKK_CAST: + case CKK_CAST3: + case CKK_CAST5: +#endif +#if NSS_SOFTOKEN_DOES_IDEA + case CKK_IDEA: +#endif + attribute = sftk_FindAttribute(object, CKA_VALUE); + /* shouldn't happen */ + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + crv = sftk_forceAttribute(object, CKA_VALUE_LEN, + &attribute->attrib.ulValueLen, sizeof(CK_ULONG)); + sftk_FreeAttribute(attribute); + break; + /* force the value to have the correct parity */ + 
case CKK_DES: + case CKK_DES2: + case CKK_DES3: + case CKK_CDMF: + attribute = sftk_FindAttribute(object, CKA_VALUE); + /* shouldn't happen */ + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + requiredLen = sftk_MapKeySize(key_type); + if (attribute->attrib.ulValueLen != requiredLen) { + sftk_FreeAttribute(attribute); + return CKR_KEY_SIZE_RANGE; + } + sftk_FormatDESKey((unsigned char *)attribute->attrib.pValue, + attribute->attrib.ulValueLen); + sftk_FreeAttribute(attribute); + break; + case CKK_AES: + attribute = sftk_FindAttribute(object, CKA_VALUE); + /* shouldn't happen */ + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + if (attribute->attrib.ulValueLen != 16 && + attribute->attrib.ulValueLen != 24 && + attribute->attrib.ulValueLen != 32) { + sftk_FreeAttribute(attribute); + return CKR_KEY_SIZE_RANGE; + } + crv = sftk_forceAttribute(object, CKA_VALUE_LEN, + &attribute->attrib.ulValueLen, sizeof(CK_ULONG)); + sftk_FreeAttribute(attribute); + break; + default: + break; + } + + return crv; +} + +/* + * check the consistancy and initialize a Secret Key Object + */ +static CK_RV +sftk_handleSecretKeyObject(SFTKSession *session, SFTKObject *object, + CK_KEY_TYPE key_type, PRBool isFIPS) +{ + CK_RV crv; + + /* First validate and set defaults */ + crv = validateSecretKey(session, object, key_type, isFIPS); + if (crv != CKR_OK) + goto loser; + + /* If the object is a TOKEN object, store in the database */ + if (sftk_isTrue(object, CKA_TOKEN)) { + SFTKSlot *slot = session->slot; + SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); + + if (keyHandle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + crv = sftkdb_write(keyHandle, object, &object->handle); + sftk_freeDB(keyHandle); + return crv; + } + +loser: + + return crv; +} + +/* + * check the consistancy and initialize a Key Object + */ +static CK_RV +sftk_handleKeyObject(SFTKSession *session, SFTKObject *object) +{ + SFTKAttribute *attribute; + CK_KEY_TYPE key_type; + CK_BBOOL ckfalse = 
CK_FALSE; + CK_RV crv; + + /* verify the required fields */ + if (!sftk_hasAttribute(object, CKA_KEY_TYPE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + + /* now verify the common fields */ + crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_START_DATE, NULL, 0); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_END_DATE, NULL, 0); + if (crv != CKR_OK) + return crv; + /* CKA_DERIVE is common to all keys, but it's default value is + * key dependent */ + crv = sftk_defaultAttribute(object, CKA_LOCAL, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + /* get the key type */ + attribute = sftk_FindAttribute(object, CKA_KEY_TYPE); + if (!attribute) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + + switch (object->objclass) { + case CKO_PUBLIC_KEY: + return sftk_handlePublicKeyObject(session, object, key_type); + case CKO_PRIVATE_KEY: + return sftk_handlePrivateKeyObject(session, object, key_type); + case CKO_SECRET_KEY: + /* make sure the required fields exist */ + return sftk_handleSecretKeyObject(session, object, key_type, + (PRBool)(sftk_isFIPS(session->slot->slotID))); + default: + break; + } + return CKR_ATTRIBUTE_VALUE_INVALID; +} + +/* + * check the consistancy and Verify a DSA Parameter Object + */ +static CK_RV +sftk_handleDSAParameterObject(SFTKSession *session, SFTKObject *object) +{ + SFTKAttribute *primeAttr = NULL; + SFTKAttribute *subPrimeAttr = NULL; + SFTKAttribute *baseAttr = NULL; + SFTKAttribute *seedAttr = NULL; + SFTKAttribute *hAttr = NULL; + SFTKAttribute *attribute; + CK_RV crv = CKR_TEMPLATE_INCOMPLETE; + PQGParams params; + PQGVerify vfy, *verify = NULL; + SECStatus result, rv; + /* This bool keeps track of whether or not we need verify parameters. + * If a P, Q and G or supplied, we dont' need verify parameters, as we + * have PQ and G. 
+ * - If G is not supplied, the presumption is that we want to + * verify P and Q only. + * - If counter is supplied, it is presumed we want to verify PQ because + * the counter is only used in verification. + * - If H is supplied, is is presumed we want to verify G because H is + * only used to verify G. + * - Any verification step must have the SEED (counter or H could be + * missing depending on exactly what we want to verify). If SEED is supplied, + * the code just goes ahead and runs verify (other errors are parameter + * errors are detected by the PQG_VerifyParams function). If SEED is not + * supplied, but we determined that we are trying to verify (because needVfy + * is set, go ahead and return CKR_TEMPLATE_INCOMPLETE. + */ + PRBool needVfy = PR_FALSE; + + primeAttr = sftk_FindAttribute(object, CKA_PRIME); + if (primeAttr == NULL) + goto loser; + params.prime.data = primeAttr->attrib.pValue; + params.prime.len = primeAttr->attrib.ulValueLen; + + subPrimeAttr = sftk_FindAttribute(object, CKA_SUBPRIME); + if (subPrimeAttr == NULL) + goto loser; + params.subPrime.data = subPrimeAttr->attrib.pValue; + params.subPrime.len = subPrimeAttr->attrib.ulValueLen; + + baseAttr = sftk_FindAttribute(object, CKA_BASE); + if (baseAttr != NULL) { + params.base.data = baseAttr->attrib.pValue; + params.base.len = baseAttr->attrib.ulValueLen; + } else { + params.base.data = NULL; + params.base.len = 0; + needVfy = PR_TRUE; /* presumably only including PQ so we can verify + * them. 
*/ + } + + attribute = sftk_FindAttribute(object, CKA_NSS_PQG_COUNTER); + if (attribute != NULL) { + vfy.counter = *(CK_ULONG *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + needVfy = PR_TRUE; /* included a count so we can verify PQ */ + } else { + vfy.counter = -1; + } + + hAttr = sftk_FindAttribute(object, CKA_NSS_PQG_H); + if (hAttr != NULL) { + vfy.h.data = hAttr->attrib.pValue; + vfy.h.len = hAttr->attrib.ulValueLen; + needVfy = PR_TRUE; /* included H so we can verify G */ + } else { + vfy.h.data = NULL; + vfy.h.len = 0; + } + seedAttr = sftk_FindAttribute(object, CKA_NSS_PQG_SEED); + if (seedAttr != NULL) { + vfy.seed.data = seedAttr->attrib.pValue; + vfy.seed.len = seedAttr->attrib.ulValueLen; + + verify = &vfy; + } else if (needVfy) { + goto loser; /* Verify always needs seed, if we need verify and not seed + * then fail */ + } + + crv = CKR_FUNCTION_FAILED; + rv = PQG_VerifyParams(¶ms, verify, &result); + if (rv == SECSuccess) { + crv = (result == SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID; + } + +loser: + if (hAttr) + sftk_FreeAttribute(hAttr); + if (seedAttr) + sftk_FreeAttribute(seedAttr); + if (baseAttr) + sftk_FreeAttribute(baseAttr); + if (subPrimeAttr) + sftk_FreeAttribute(subPrimeAttr); + if (primeAttr) + sftk_FreeAttribute(primeAttr); + + return crv; +} + +/* + * check the consistancy and initialize a Key Parameter Object + */ +static CK_RV +sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object) +{ + SFTKAttribute *attribute; + CK_KEY_TYPE key_type; + CK_BBOOL ckfalse = CK_FALSE; + CK_RV crv; + + /* verify the required fields */ + if (!sftk_hasAttribute(object, CKA_KEY_TYPE)) { + return CKR_TEMPLATE_INCOMPLETE; + } + + /* now verify the common fields */ + crv = sftk_defaultAttribute(object, CKA_LOCAL, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + /* get the key type */ + attribute = sftk_FindAttribute(object, CKA_KEY_TYPE); + if (!attribute) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + 
key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + + switch (key_type) { + case CKK_DSA: + return sftk_handleDSAParameterObject(session, object); + + default: + break; + } + return CKR_KEY_TYPE_INCONSISTENT; +} + +/* + * Handle Object does all the object consistancy checks, automatic attribute + * generation, attribute defaulting, etc. If handleObject succeeds, the object + * will be assigned an object handle, and the object installed in the session + * or stored in the DB. + */ +CK_RV +sftk_handleObject(SFTKObject *object, SFTKSession *session) +{ + SFTKSlot *slot = session->slot; + SFTKAttribute *attribute; + CK_BBOOL ckfalse = CK_FALSE; + CK_BBOOL cktrue = CK_TRUE; + PRBool isLoggedIn, needLogin; + CK_RV crv; + + /* make sure all the base object types are defined. If not set the + * defaults */ + crv = sftk_defaultAttribute(object, CKA_TOKEN, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_LABEL, NULL, 0); + if (crv != CKR_OK) + return crv; + crv = sftk_defaultAttribute(object, CKA_MODIFIABLE, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + return crv; + + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + + /* don't create a private object if we aren't logged in */ + if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) { + return CKR_USER_NOT_LOGGED_IN; + } + + if (((session->info.flags & CKF_RW_SESSION) == 0) && + (sftk_isTrue(object, CKA_TOKEN))) { + return CKR_SESSION_READ_ONLY; + } + + /* Assign a unique SESSION object handle to every new object, + * whether it is a session object or a token object. + * At this point, all new objects are structured as session objects. 
+ * Objects with the CKA_TOKEN attribute true will be turned into + * token objects and will have a token object handle assigned to + * them by a call to sftk_mkHandle in the handler for each object + * class, invoked below. + * + * It may be helpful to note/remember that + * sftk_narrowToXxxObject uses sftk_isToken, + * sftk_isToken examines the sign bit of the object's handle, but + * sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute. + */ + object->handle = sftk_getNextHandle(slot); + + /* get the object class */ + attribute = sftk_FindAttribute(object, CKA_CLASS); + if (attribute == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + + /* Now handle the specific object class. + * At this point, all objects are session objects, and the session + * number must be passed to the object class handlers. + */ + switch (object->objclass) { + case CKO_DATA: + crv = sftk_handleDataObject(session, object); + break; + case CKO_CERTIFICATE: + crv = sftk_handleCertObject(session, object); + break; + case CKO_NSS_TRUST: + crv = sftk_handleTrustObject(session, object); + break; + case CKO_NSS_CRL: + crv = sftk_handleCrlObject(session, object); + break; + case CKO_NSS_SMIME: + crv = sftk_handleSMimeObject(session, object); + break; + case CKO_PRIVATE_KEY: + case CKO_PUBLIC_KEY: + case CKO_SECRET_KEY: + crv = sftk_handleKeyObject(session, object); + break; + case CKO_DOMAIN_PARAMETERS: + crv = sftk_handleKeyParameterObject(session, object); + break; + default: + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + + /* can't fail from here on out unless the pk_handlXXX functions have + * failed the request */ + if (crv != CKR_OK) { + return crv; + } + + /* Now link the object into the slot and session structures. 
+ * If the object has a true CKA_TOKEN attribute, the above object + * class handlers will have set the sign bit in the object handle, + * causing the following test to be true. + */ + if (sftk_isToken(object->handle)) { + sftk_convertSessionToToken(object); + } else { + object->slot = slot; + sftk_AddObject(session, object); + } + + return CKR_OK; +} + +/* + * ******************** Public Key Utilities *************************** + */ +/* Generate a low public key structure from an object */ +NSSLOWKEYPublicKey * +sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type, + CK_RV *crvp) +{ + NSSLOWKEYPublicKey *pubKey; + PLArenaPool *arena; + CK_RV crv; + + if (object->objclass != CKO_PUBLIC_KEY) { + *crvp = CKR_KEY_TYPE_INCONSISTENT; + return NULL; + } + + if (sftk_isToken(object->handle)) { + /* ferret out the token object handle */ + } + + /* If we already have a key, use it */ + if (object->objectInfo) { + *crvp = CKR_OK; + return (NSSLOWKEYPublicKey *)object->objectInfo; + } + + /* allocate the structure */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + *crvp = CKR_HOST_MEMORY; + return NULL; + } + + pubKey = (NSSLOWKEYPublicKey *) + PORT_ArenaAlloc(arena, sizeof(NSSLOWKEYPublicKey)); + if (pubKey == NULL) { + PORT_FreeArena(arena, PR_FALSE); + *crvp = CKR_HOST_MEMORY; + return NULL; + } + + /* fill in the structure */ + pubKey->arena = arena; + switch (key_type) { + case CKK_RSA: + pubKey->keyType = NSSLOWKEYRSAKey; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.modulus, + object, CKA_MODULUS); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.publicExponent, + object, CKA_PUBLIC_EXPONENT); + break; + case CKK_DSA: + pubKey->keyType = NSSLOWKEYDSAKey; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.prime, + object, CKA_PRIME); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.subPrime, + object, CKA_SUBPRIME); + if (crv != CKR_OK) + break; + 
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.base, + object, CKA_BASE); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.publicValue, + object, CKA_VALUE); + break; + case CKK_DH: + pubKey->keyType = NSSLOWKEYDHKey; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.prime, + object, CKA_PRIME); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.base, + object, CKA_BASE); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue, + object, CKA_VALUE); + break; + case CKK_EC: + pubKey->keyType = NSSLOWKEYECKey; + crv = sftk_Attribute2SSecItem(arena, + &pubKey->u.ec.ecParams.DEREncoding, + object, CKA_EC_PARAMS); + if (crv != CKR_OK) + break; + + /* Fill out the rest of the ecParams structure + * based on the encoded params + */ + if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding, + &pubKey->u.ec.ecParams) != SECSuccess) { + crv = CKR_DOMAIN_PARAMS_INVALID; + break; + } + + crv = sftk_Attribute2SSecItem(arena, &pubKey->u.ec.publicValue, + object, CKA_EC_POINT); + if (crv == CKR_OK) { + unsigned int keyLen = EC_GetPointSize(&pubKey->u.ec.ecParams); + + /* special note: We can't just use the first byte to distinguish + * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. + * Both are 0x04. */ + + /* Handle the non-DER encoded case. + * Some curves are always pressumed to be non-DER. 
+ */ + if (pubKey->u.ec.publicValue.len == keyLen && + (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || + pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { + break; /* key was not DER encoded, no need to unwrap */ + } + + /* handle the encoded case */ + if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && + pubKey->u.ec.publicValue.len > keyLen) { + SECItem publicValue; + SECStatus rv; + + rv = SEC_QuickDERDecodeItem(arena, &publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate), + &pubKey->u.ec.publicValue); + /* nope, didn't decode correctly */ + if ((rv != SECSuccess) || (publicValue.len != keyLen)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* we don't handle compressed points except in the case of ECCurve25519 */ + if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && + (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* replace our previous with the decoded key */ + pubKey->u.ec.publicValue = publicValue; + break; + } + crv = CKR_ATTRIBUTE_VALUE_INVALID; + } + break; + default: + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + *crvp = crv; + if (crv != CKR_OK) { + PORT_FreeArena(arena, PR_TRUE); + return NULL; + } + + object->objectInfo = pubKey; + object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey; + return pubKey; +} + +/* make a private key from a verified object */ +static NSSLOWKEYPrivateKey * +sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) +{ + NSSLOWKEYPrivateKey *privKey; + SFTKItemTemplate itemTemplate[SFTK_MAX_ITEM_TEMPLATE]; + int itemTemplateCount = 0; + PLArenaPool *arena; + CK_RV crv = CKR_OK; + SECStatus rv; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + *crvp = CKR_HOST_MEMORY; + return NULL; + } + + privKey = (NSSLOWKEYPrivateKey *) + PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey)); + if (privKey == NULL) { + PORT_FreeArena(arena, PR_FALSE); + *crvp = CKR_HOST_MEMORY; + 
return NULL; + } + + /* in future this would be a switch on key_type */ + privKey->arena = arena; + switch (key_type) { + case CKK_RSA: + privKey->keyType = NSSLOWKEYRSAKey; + + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.modulus, CKA_MODULUS); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.publicExponent, CKA_PUBLIC_EXPONENT); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.privateExponent, CKA_PRIVATE_EXPONENT); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.prime1, CKA_PRIME_1); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.prime2, CKA_PRIME_2); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.exponent1, CKA_EXPONENT_1); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.exponent2, CKA_EXPONENT_2); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.rsa.coefficient, CKA_COEFFICIENT); + itemTemplateCount++; + rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version, + NSSLOWKEY_PRIVATE_KEY_INFO_VERSION); + if (rv != SECSuccess) + crv = CKR_HOST_MEMORY; + break; + + case CKK_DSA: + privKey->keyType = NSSLOWKEYDSAKey; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dsa.params.prime, CKA_PRIME); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dsa.params.subPrime, CKA_SUBPRIME); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dsa.params.base, CKA_BASE); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dsa.privateValue, CKA_VALUE); + itemTemplateCount++; + /* privKey was zero'd so public value is already set to NULL, 0 + * if we 
don't set it explicitly */ + break; + + case CKK_DH: + privKey->keyType = NSSLOWKEYDHKey; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dh.prime, CKA_PRIME); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dh.base, CKA_BASE); + itemTemplateCount++; + SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount, + &privKey->u.dh.privateValue, CKA_VALUE); + itemTemplateCount++; + /* privKey was zero'd so public value is already set to NULL, 0 + * if we don't set it explicitly */ + break; + + case CKK_EC: + privKey->keyType = NSSLOWKEYECKey; + crv = sftk_Attribute2SSecItem(arena, + &privKey->u.ec.ecParams.DEREncoding, + object, CKA_EC_PARAMS); + if (crv != CKR_OK) + break; + + /* Fill out the rest of the ecParams structure + * based on the encoded params + */ + if (EC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding, + &privKey->u.ec.ecParams) != SECSuccess) { + crv = CKR_DOMAIN_PARAMS_INVALID; + break; + } + crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.privateValue, + object, CKA_VALUE); + if (crv != CKR_OK) + break; + + if (sftk_hasAttribute(object, CKA_NSS_DB)) { + crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.publicValue, + object, CKA_NSS_DB); + if (crv != CKR_OK) + break; + /* privKey was zero'd so public value is already set to NULL, 0 + * if we don't set it explicitly */ + } + rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version, + NSSLOWKEY_EC_PRIVATE_KEY_VERSION); + if (rv != SECSuccess) { + crv = CKR_HOST_MEMORY; +/* The following ifdef is needed for Linux arm distros and + * Android as gcc 4.6 has a bug when targeting arm (but not + * thumb). The bug has been fixed in gcc 4.7. 
+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561 + */ +#if defined(__arm__) && !defined(__thumb__) && defined(__GNUC__) + *crvp = CKR_HOST_MEMORY; + break; +#endif + } + break; + + default: + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (crv == CKR_OK && itemTemplateCount != 0) { + PORT_Assert(itemTemplateCount > 0); + PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE); + crv = sftk_MultipleAttribute2SecItem(arena, object, itemTemplate, + itemTemplateCount); + } + *crvp = crv; + if (crv != CKR_OK) { + PORT_FreeArena(arena, PR_TRUE); + return NULL; + } + return privKey; +} + +/* + * If a partial RSA private key is present, fill in the rest if necessary, + * and then verify the parameters are well-formed + */ +static SECStatus +sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded) +{ + RSAPrivateKey tmpKey = { 0 }; + SFTKAttribute *modulus = NULL; + SFTKAttribute *prime1 = NULL; + SFTKAttribute *prime2 = NULL; + SFTKAttribute *privateExponent = NULL; + SFTKAttribute *publicExponent = NULL; + SFTKAttribute *exponent1 = NULL; + SFTKAttribute *exponent2 = NULL; + SFTKAttribute *coefficient = NULL; + SECStatus rv; + CK_RV crv; + + /* first fill in the components that we have. 
Populate only uses + * the non-crt components, so only fill those in */ + tmpKey.arena = NULL; + modulus = sftk_FindAttribute(object, CKA_MODULUS); + if (modulus) { + tmpKey.modulus.data = modulus->attrib.pValue; + tmpKey.modulus.len = modulus->attrib.ulValueLen; + } + prime1 = sftk_FindAttribute(object, CKA_PRIME_1); + if (prime1) { + tmpKey.prime1.data = prime1->attrib.pValue; + tmpKey.prime1.len = prime1->attrib.ulValueLen; + } + prime2 = sftk_FindAttribute(object, CKA_PRIME_2); + if (prime2) { + tmpKey.prime2.data = prime2->attrib.pValue; + tmpKey.prime2.len = prime2->attrib.ulValueLen; + } + privateExponent = sftk_FindAttribute(object, CKA_PRIVATE_EXPONENT); + if (privateExponent) { + tmpKey.privateExponent.data = privateExponent->attrib.pValue; + tmpKey.privateExponent.len = privateExponent->attrib.ulValueLen; + } + publicExponent = sftk_FindAttribute(object, CKA_PUBLIC_EXPONENT); + if (publicExponent) { + tmpKey.publicExponent.data = publicExponent->attrib.pValue; + tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen; + } + exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_1); + if (exponent1) { + tmpKey.exponent1.data = exponent1->attrib.pValue; + tmpKey.exponent1.len = exponent1->attrib.ulValueLen; + } + exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_2); + if (exponent2) { + tmpKey.exponent2.data = exponent2->attrib.pValue; + tmpKey.exponent2.len = exponent2->attrib.ulValueLen; + } + coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT); + if (coefficient) { + tmpKey.coefficient.data = coefficient->attrib.pValue; + tmpKey.coefficient.len = coefficient->attrib.ulValueLen; + } + + if (fillIfNeeded) { + /* + * populate requires one exponent plus 2 other components to work. + * we expected our caller to check that first. If that didn't happen, + * populate will simply return an error here. 
+ */
+ rv = RSA_PopulatePrivateKey(&tmpKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ rv = RSA_PrivateKeyCheck(&tmpKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ /* now that we have a fully populated key, set all our attribute values */
+ rv = SECFailure;
+ if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) {
+ crv = sftk_forceAttribute(object, CKA_MODULUS,
+ sftk_item_expand(&tmpKey.modulus));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!publicExponent ||
+ publicExponent->attrib.pValue != tmpKey.publicExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&tmpKey.publicExponent));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!privateExponent ||
+ privateExponent->attrib.pValue != tmpKey.privateExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT,
+ sftk_item_expand(&tmpKey.privateExponent));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_1,
+ sftk_item_expand(&tmpKey.prime1));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_2,
+ sftk_item_expand(&tmpKey.prime2));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_1,
+ sftk_item_expand(&tmpKey.exponent1));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_2,
+ sftk_item_expand(&tmpKey.exponent2));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) {
+ crv = sftk_forceAttribute(object, CKA_COEFFICIENT,
+ sftk_item_expand(&tmpKey.coefficient));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ rv = SECSuccess;
+
+/* we're done (one way or the other), clean up all our stuff */
+loser:
+ if (tmpKey.arena) {
+ PORT_FreeArena(tmpKey.arena, PR_TRUE);
+ }
+ if (modulus) {
+ sftk_FreeAttribute(modulus);
+ }
+ if (prime1) {
+ sftk_FreeAttribute(prime1);
+ }
+ if (prime2) {
+ sftk_FreeAttribute(prime2);
+ }
+ if (privateExponent) {
+ sftk_FreeAttribute(privateExponent);
+ }
+ if (publicExponent) {
+ sftk_FreeAttribute(publicExponent);
+ }
+ if (exponent1) {
+ sftk_FreeAttribute(exponent1);
+ }
+ if (exponent2) {
+ sftk_FreeAttribute(exponent2);
+ }
+ if (coefficient) {
+ sftk_FreeAttribute(coefficient);
+ }
+ return rv;
+}
+
+/* Generate a low private key structure from an object */
+NSSLOWKEYPrivateKey *
+sftk_GetPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *priv = NULL;
+
+ if (object->objclass != CKO_PRIVATE_KEY) {
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ return NULL;
+ }
+ if (object->objectInfo) {
+ *crvp = CKR_OK;
+ return (NSSLOWKEYPrivateKey *)object->objectInfo;
+ }
+
+ priv = sftk_mkPrivKey(object, key_type, crvp);
+ object->objectInfo = priv;
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey;
+ return priv;
+}
+
+/* populate a public key object from a lowpublic keys structure */
+CK_RV
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
+{
+ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+ switch (keyType) {
+ case CKK_RSA:
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
+ /* format the keys */
+ /* fill in the RSA dependent paramenters in the public key */
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+ sftk_item_expand(&pubKey->u.rsa.modulus));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&pubKey->u.rsa.publicExponent));
+ break;
+ case CKK_DSA:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.subPrime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dsa.params.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dsa.publicValue));
+ break;
+ case CKK_DH:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dh.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dh.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dh.publicValue));
+ break;
+ case CKK_EC:
+ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
+ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&pubKey->u.ec.publicValue));
+ break;
+ default:
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ /* now handle the operator attributes */
+ if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
+ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_DERIVE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ return crv;
+}
+
+/*
+ **************************** Symetric Key utils ************************
+ */
+/*
+ * set the DES key with parity bits correctly
+ */
+void
+sftk_FormatDESKey(unsigned char *key, int length)
+{
+ int i;
+
+ /* format the des key */
+ for (i = 0; i < length; i++) {
+ key[i] = parityTable[key[i] >> 1];
+ }
+}
+
+/*
+ * check a des key (des2 or des3 subkey) for weak keys.
+ */
+PRBool
+sftk_CheckDESKey(unsigned char *key)
+{
+ int i;
+
+ /* format the des key with parity */
+ sftk_FormatDESKey(key, 8);
+
+ for (i = 0; i < sftk_desWeakTableSize; i++) {
+ if (PORT_Memcmp(key, sftk_desWeakTable[i], 8) == 0) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+}
+
+/*
+ * check if a des or triple des key is weak.
+ */
+PRBool
+sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type)
+{
+
+ switch (key_type) {
+ case CKK_DES:
+ return sftk_CheckDESKey(key);
+ case CKM_DES2_KEY_GEN:
+ if (sftk_CheckDESKey(key))
+ return PR_TRUE;
+ return sftk_CheckDESKey(&key[8]);
+ case CKM_DES3_KEY_GEN:
+ if (sftk_CheckDESKey(key))
+ return PR_TRUE;
+ if (sftk_CheckDESKey(&key[8]))
+ return PR_TRUE;
+ return sftk_CheckDESKey(&key[16]);
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/**********************************************************************
+ *
+ * Start of PKCS 11 functions
+ *
+ **********************************************************************/
+
+/* return the function list */
+CK_RV
+NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+ *pFunctionList = (CK_FUNCTION_LIST_PTR)&sftk_funcList_v2;
+ return CKR_OK;
+}
+
+/* return the function list */
+CK_RV
+C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+ return NSC_GetFunctionList(pFunctionList);
+}
+
+CK_RV
+NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ CK_ULONG count = *pulCount;
+ *pulCount = NSS_INTERFACE_COUNT;
+ if (interfaces == NULL) {
+ return CKR_OK;
+ }
+ if (count < NSS_INTERFACE_COUNT) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ PORT_Memcpy(interfaces, nss_interfaces, sizeof(nss_interfaces));
+ return CKR_OK;
+}
+
+CK_RV
+C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ return NSC_GetInterfaceList(interfaces, pulCount);
+}
+
+/*
+ * Get the requested interface, use the nss_interfaces array so we can
+ * easily add new interfaces as they occur.
+ */
+CK_RV
+NSC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ int i;
+ for (i = 0; i < NSS_INTERFACE_COUNT; i++) {
+ CK_INTERFACE_PTR interface = &nss_interfaces[i];
+ if (pInterfaceName && PORT_Strcmp((char *)pInterfaceName, (char *)interface->pInterfaceName) != 0) {
+ continue;
+ }
+ if (pVersion && PORT_Memcmp(pVersion, (CK_VERSION *)interface->pFunctionList, sizeof(CK_VERSION)) != 0) {
+ continue;
+ }
+ if (flags & ((interface->flags & flags) != flags)) {
+ continue;
+ }
+ *ppInterface = interface;
+ return CKR_OK;
+ }
+ return CKR_ARGUMENTS_BAD;
+}
+
+CK_RV
+C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
+}
+
+static PLHashNumber
+sftk_HashNumber(const void *key)
+{
+ return (PLHashNumber)((char *)key - (char *)NULL);
+}
+
+/*
+ * eventually I'd like to expunge all occurances of XXX_SLOT_ID and
+ * just go with the info in the slot. This is one place, however,
+ * where it might be a little difficult.
+ */
+const char *
+sftk_getDefTokName(CK_SLOT_ID slotID)
+{
+ static char buf[33];
+
+ switch (slotID) {
+ case NETSCAPE_SLOT_ID:
+ return "NSS Generic Crypto Services ";
+ case PRIVATE_KEY_SLOT_ID:
+ return "NSS Certificate DB ";
+ case FIPS_SLOT_ID:
+ return "NSS FIPS 140-2 Certificate DB ";
+ default:
+ break;
+ }
+ snprintf(buf, sizeof(buf), "NSS Application Token %08x ", (unsigned int)slotID);
+ return buf;
+}
+
+const char *
+sftk_getDefSlotName(CK_SLOT_ID slotID)
+{
+ static char buf[65];
+
+ switch (slotID) {
+ case NETSCAPE_SLOT_ID:
+ return "NSS Internal Cryptographic Services ";
+ case PRIVATE_KEY_SLOT_ID:
+ return "NSS User Private Key and Certificate Services ";
+ case FIPS_SLOT_ID:
+ return "NSS FIPS 140-2 User Private Key Services ";
+ default:
+ break;
+ }
+ snprintf(buf, sizeof(buf),
+ "NSS Application Slot %08x ",
+ (unsigned int)slotID);
+ return buf;
+}
+
+static CK_ULONG nscSlotCount[2] = { 0, 0 };
+static CK_SLOT_ID_PTR nscSlotList[2] = { NULL, NULL };
+static CK_ULONG nscSlotListSize[2] = { 0, 0 };
+static PLHashTable *nscSlotHashTable[2] = { NULL, NULL };
+
+static unsigned int
+sftk_GetModuleIndex(CK_SLOT_ID slotID)
+{
+ if (sftk_isFIPS(slotID)) {
+ return NSC_FIPS_MODULE;
+ }
+ return NSC_NON_FIPS_MODULE;
+}
+
+/* look up a slot structure from the ID (used to be a macro when we only
+ * had two slots) */
+/* if all is true, return the slot even if it has been 'unloaded' */
+/* if all is false, only return the slots which are present */
+SFTKSlot *
+sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
+{
+ SFTKSlot *slot;
+ unsigned int index = sftk_GetModuleIndex(slotID);
+
+ if (nscSlotHashTable[index] == NULL)
+ return NULL;
+ slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index],
+ (void *)(uintptr_t)slotID);
+ /* cleared slots shouldn't 'show up' */
+ if (slot && !all && !slot->present)
+ slot = NULL;
+ return slot;
+}
+
+CK_SLOT_ID
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+ CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
+ CK_ULONG moduleIndex = (handle >> 31) & 1;
+
+ if (slotIDIndex >= nscSlotCount[moduleIndex]) {
+ return (CK_SLOT_ID)-1;
+ }
+ return nscSlotList[moduleIndex][slotIDIndex];
+}
+
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+ return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
+}
+
+static CK_RV
+sftk_RegisterSlot(SFTKSlot *slot, unsigned int moduleIndex)
+{
+ PLHashEntry *entry;
+ unsigned int index;
+
+ index = sftk_GetModuleIndex(slot->slotID);
+
+ /* make sure the slotID for this module is valid */
+ if (moduleIndex != index) {
+ return CKR_SLOT_ID_INVALID;
+ }
+
+ if (nscSlotList[index] == NULL) {
+ nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE;
+ nscSlotList[index] = (CK_SLOT_ID *)
+ PORT_ZAlloc(nscSlotListSize[index] * sizeof(CK_SLOT_ID));
+ if (nscSlotList[index] == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ }
+ if (nscSlotCount[index] >= nscSlotListSize[index]) {
+ CK_SLOT_ID *oldNscSlotList = nscSlotList[index];
+ CK_ULONG oldNscSlotListSize = nscSlotListSize[index];
+ nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE;
+ nscSlotList[index] = (CK_SLOT_ID *)PORT_Realloc(oldNscSlotList,
+ nscSlotListSize[index] * sizeof(CK_SLOT_ID));
+ if (nscSlotList[index] == NULL) {
+ /* evidently coverity doesn't know realloc does not
+ * free var if it fails ! */
+ /* coverity [use_after_free : FALSE] */
+ nscSlotList[index] = oldNscSlotList;
+ nscSlotListSize[index] = oldNscSlotListSize;
+ return CKR_HOST_MEMORY;
+ }
+ }
+
+ if (nscSlotHashTable[index] == NULL) {
+ nscSlotHashTable[index] = PL_NewHashTable(64, sftk_HashNumber,
+ PL_CompareValues, PL_CompareValues, NULL, 0);
+ if (nscSlotHashTable[index] == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ }
+
+ entry = PL_HashTableAdd(nscSlotHashTable[index], (void *)(uintptr_t)slot->slotID, slot);
+ if (entry == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80);
+ nscSlotList[index][nscSlotCount[index]++] = slot->slotID;
+
+ return CKR_OK;
+}
+
+/*
+ * ths function has all the common initialization that happens whenever we
+ * create a new slot or repurpose an old slot (only valid for slotID's 4
+ * and greater).
+ *
+ * things that are not reinitialized are:
+ * slotID (can't change)
+ * slotDescription (can't change once defined)
+ * the locks and hash tables (difficult to change in running code, and
+ * unnecessary. hash tables and list are cleared on shutdown, but they
+ * are cleared in a 'friendly' way).
+ * session and object ID counters -- so any old sessions and objects in the
+ * application will get properly notified that the world has changed.
+ *
+ * things that are reinitialized:
+ * database (otherwise what would the point be;).
+ * state variables related to databases.
+ * session count stat info.
+ * tokenDescription.
+ *
+ * NOTE: slotID's 4 and greater show up as removable devices.
+ *
+ */
+CK_RV
+SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir,
+ char *updateID, sftk_token_parameters *params,
+ unsigned int moduleIndex)
+{
+ PRBool needLogin = !params->noKeyDB;
+ CK_RV crv;
+
+ slot->hasTokens = PR_FALSE;
+ slot->sessionIDConflict = 0;
+ slot->sessionCount = 0;
+ slot->rwSessionCount = 0;
+ slot->needLogin = PR_FALSE;
+ slot->isLoggedIn = PR_FALSE;
+ slot->ssoLoggedIn = PR_FALSE;
+ slot->DB_loaded = PR_FALSE;
+ slot->certDB = NULL;
+ slot->keyDB = NULL;
+ slot->minimumPinLen = 0;
+ slot->readOnly = params->readOnly;
+ sftk_setStringName(params->tokdes ? params->tokdes : sftk_getDefTokName(slot->slotID), slot->tokDescription,
+ sizeof(slot->tokDescription), PR_TRUE);
+ sftk_setStringName(params->updtokdes ? params->updtokdes : " ",
+ slot->updateTokDescription,
+ sizeof(slot->updateTokDescription), PR_TRUE);
+
+ if ((!params->noCertDB) || (!params->noKeyDB)) {
+ SFTKDBHandle *certHandle = NULL;
+ SFTKDBHandle *keyHandle = NULL;
+ crv = sftk_DBInit(params->configdir ? params->configdir : configdir,
+ params->certPrefix, params->keyPrefix,
+ params->updatedir ? params->updatedir : updatedir,
+ params->updCertPrefix, params->updKeyPrefix,
+ params->updateID ? params->updateID : updateID,
+ params->readOnly, params->noCertDB, params->noKeyDB,
+ params->forceOpen,
+ moduleIndex == NSC_FIPS_MODULE,
+ &certHandle, &keyHandle);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ slot->certDB = certHandle;
+ slot->keyDB = keyHandle;
+ }
+ if (needLogin) {
+ /* if the data base is initialized with a null password,remember that */
+ slot->needLogin =
+ (PRBool)!sftk_hasNullPassword(slot, slot->keyDB);
+ if ((params->minPW >= 0) && (params->minPW <= SFTK_MAX_PIN)) {
+ slot->minimumPinLen = params->minPW;
+ }
+ if ((slot->minimumPinLen == 0) && (params->pwRequired)) {
+ slot->minimumPinLen = 1;
+ }
+ /* Make sure the pin len is set to the Minimum allowed value for fips
+ * when in FIPS mode. NOTE: we don't set it if the database has not
+ * been initialized yet so that we can init into level1 mode if needed
+ */
+ if ((sftkdb_HasPasswordSet(slot->keyDB) == SECSuccess) &&
+ (moduleIndex == NSC_FIPS_MODULE) &&
+ (slot->minimumPinLen < FIPS_MIN_PIN)) {
+ slot->minimumPinLen = FIPS_MIN_PIN;
+ }
+ }
+
+ slot->present = PR_TRUE;
+ return CKR_OK;
+
+loser:
+ SFTK_ShutdownSlot(slot);
+ return crv;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+ sftk_token_parameters *params, unsigned int moduleIndex)
+{
+ unsigned int i;
+ CK_SLOT_ID slotID = params->slotID;
+ SFTKSlot *slot;
+ CK_RV crv = CKR_HOST_MEMORY;
+
+ /*
+ * first we initialize everything that is 'permanent' with this slot.
+ * that is everything we aren't going to shutdown if we close this slot
+ * and open it up again with different databases */
+
+ slot = PORT_ZNew(SFTKSlot);
+
+ if (slot == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ slot->optimizeSpace = params->optimizeSpace;
+ if (slot->optimizeSpace) {
+ slot->sessObjHashSize = SPACE_SESSION_OBJECT_HASH_SIZE;
+ slot->sessHashSize = SPACE_SESSION_HASH_SIZE;
+ slot->numSessionLocks = 1;
+ } else {
+ slot->sessObjHashSize = TIME_SESSION_OBJECT_HASH_SIZE;
+ slot->sessHashSize = TIME_SESSION_HASH_SIZE;
+ slot->numSessionLocks = slot->sessHashSize / BUCKETS_PER_SESSION_LOCK;
+ }
+ slot->sessionLockMask = slot->numSessionLocks - 1;
+
+ slot->slotLock = PZ_NewLock(nssILockSession);
+ if (slot->slotLock == NULL)
+ goto mem_loser;
+ slot->sessionLock = PORT_ZNewArray(PZLock *, slot->numSessionLocks);
+ if (slot->sessionLock == NULL)
+ goto mem_loser;
+ for (i = 0; i < slot->numSessionLocks; i++) {
+ slot->sessionLock[i] = PZ_NewLock(nssILockSession);
+ if (slot->sessionLock[i] == NULL)
+ goto mem_loser;
+ }
+ slot->objectLock = PZ_NewLock(nssILockObject);
+ if (slot->objectLock == NULL)
+ goto mem_loser;
+ slot->pwCheckLock = PR_NewLock();
+ if (slot->pwCheckLock == NULL)
+ goto mem_loser;
+ slot->head = PORT_ZNewArray(SFTKSession *, slot->sessHashSize);
+ if (slot->head == NULL)
+ goto mem_loser;
+ slot->sessObjHashTable = PORT_ZNewArray(SFTKObject *, slot->sessObjHashSize);
+ if (slot->sessObjHashTable == NULL)
+ goto mem_loser;
+ slot->tokObjHashTable = PL_NewHashTable(64, sftk_HashNumber, PL_CompareValues,
+ SECITEM_HashCompare, NULL, 0);
+ if (slot->tokObjHashTable == NULL)
+ goto mem_loser;
+
+ slot->sessionIDCount = 0;
+ slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->slotID = slotID;
+ sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription,
+ sizeof(slot->slotDescription), PR_TRUE);
+ crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL, NULL,
+ CKF_SERIAL_SESSION);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* call the reinit code to set everything that changes between token
+ * init calls */
+ crv = SFTK_SlotReInit(slot, configdir, updatedir, updateID,
+ params, moduleIndex);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ if (sftk_isFIPS(slotID)) {
+ crv = sftk_CreateValidationObjects(slot);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+ crv = sftk_RegisterSlot(slot, moduleIndex);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ return CKR_OK;
+
+mem_loser:
+ crv = CKR_HOST_MEMORY;
+loser:
+ SFTK_DestroySlotData(slot);
+ return crv;
+}
+
+CK_RV
+sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout)
+{
+ SFTKSession *session;
+ unsigned int i;
+ SFTKDBHandle *handle;
+
+ /* first log out the card */
+ /* special case - if we are in a middle of upgrade, we want to close the
+ * sessions to fake a token removal to tell the upper level code we have
+ * switched from one database to another, but we don't want to
+ * explicity logout in case we can continue the upgrade with the
+ * existing password if possible.
+ */
+ if (logout) {
+ handle = sftk_getKeyDB(slot);
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ slot->isLoggedIn = PR_FALSE;
+ if (slot->needLogin && handle) {
+ sftkdb_ClearPassword(handle);
+ }
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ }
+
+ /* now close all the current sessions */
+ /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
+ * completes, some of those new sessions may or may not be closed by
+ * NSC_CloseAllSessions... but any session running when this code starts
+ * will guarrenteed be close, and no session will be partially closed */
+ for (i = 0; i < slot->sessHashSize; i++) {
+ PZLock *lock = SFTK_SESSION_LOCK(slot, i);
+ do {
+ SKIP_AFTER_FORK(PZ_Lock(lock));
+ session = slot->head[i];
+ /* hand deque */
+ /* this duplicates function of NSC_close session functions, but
+ * because we know that we are freeing all the sessions, we can
+ * do more efficient processing */
+ if (session) {
+ slot->head[i] = session->next;
+ if (session->next)
+ session->next->prev = NULL;
+ session->next = session->prev = NULL;
+ SKIP_AFTER_FORK(PZ_Unlock(lock));
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ --slot->sessionCount;
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (session->info.flags & CKF_RW_SESSION) {
+ (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount);
+ }
+ } else {
+ SKIP_AFTER_FORK(PZ_Unlock(lock));
+ }
+ if (session) {
+ sftk_DestroySession(session);
+ }
+ } while (session != NULL);
+ }
+ return CKR_OK;
+}
+
+/*
+ * shut down the databases.
+ * we get the slot lock (which also protects slot->certDB and slot->keyDB)
+ * and clear the values so the new users will not find the databases.
+ * once things are clear, we can release our references to the databases.
+ * The databases will close when the last reference is released.
+ *
+ * We use reference counts so that we don't crash if someone shuts down
+ * a token that another thread is actively using.
+ */
+static void
+sftk_DBShutdown(SFTKSlot *slot)
+{
+ SFTKDBHandle *certHandle;
+ SFTKDBHandle *keyHandle;
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ certHandle = slot->certDB;
+ slot->certDB = NULL;
+ keyHandle = slot->keyDB;
+ slot->keyDB = NULL;
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (certHandle) {
+ sftk_freeDB(certHandle);
+ }
+ if (keyHandle) {
+ sftk_freeDB(keyHandle);
+ }
+}
+
+CK_RV
+SFTK_ShutdownSlot(SFTKSlot *slot)
+{
+ /* make sure no new PK11 calls work except C_GetSlotInfo */
+ slot->present = PR_FALSE;
+
+ /* close all outstanding sessions
+ * the sessHashSize variable guarentees we have all the session
+ * mechanism set up */
+ if (slot->head) {
+ sftk_CloseAllSessions(slot, PR_TRUE);
+ }
+
+ /* clear all objects.. session objects are cleared as a result of
+ * closing all the sessions. We just need to clear the token object
+ * cache. slot->tokObjHashTable guarentees we have the token
+ * infrastructure set up. */
+ if (slot->tokObjHashTable) {
+ SFTK_ClearTokenKeyHashTable(slot);
+ }
+
+ /* clear the slot description for the next guy */
+ PORT_Memset(slot->tokDescription, 0, sizeof(slot->tokDescription));
+
+ /* now shut down the databases. */
+ sftk_DBShutdown(slot);
+ return CKR_OK;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_DestroySlotData(SFTKSlot *slot)
+{
+ unsigned int i;
+
+ SFTK_ShutdownSlot(slot);
+
+ sftk_ClearSession(&slot->moduleObjects);
+
+ if (slot->tokObjHashTable) {
+ PL_HashTableDestroy(slot->tokObjHashTable);
+ slot->tokObjHashTable = NULL;
+ }
+
+ if (slot->sessObjHashTable) {
+ PORT_Free(slot->sessObjHashTable);
+ slot->sessObjHashTable = NULL;
+ }
+ slot->sessObjHashSize = 0;
+
+ if (slot->head) {
+ PORT_Free(slot->head);
+ slot->head = NULL;
+ }
+ slot->sessHashSize = 0;
+
+ /* OK everything has been disassembled, now we can finally get rid
+ * of the locks */
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->slotLock));
+ slot->slotLock = NULL;
+ if (slot->sessionLock) {
+ for (i = 0; i < slot->numSessionLocks; i++) {
+ if (slot->sessionLock[i]) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->sessionLock[i]));
+ slot->sessionLock[i] = NULL;
+ }
+ }
+ PORT_Free(slot->sessionLock);
+ slot->sessionLock = NULL;
+ }
+ if (slot->objectLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->objectLock));
+ slot->objectLock = NULL;
+ }
+ if (slot->pwCheckLock) {
+ SKIP_AFTER_FORK(PR_DestroyLock(slot->pwCheckLock));
+ slot->pwCheckLock = NULL;
+ }
+ PORT_Free(slot);
+ return CKR_OK;
+}
+
+/*
+ * handle the SECMOD.db
+ */
+char **
+NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args)
+{
+#ifndef NSS_DISABLE_DBM
+ char *secmod = NULL;
+ char *appName = NULL;
+ char *filename = NULL;
+ NSSDBType dbType = NSS_DB_TYPE_NONE;
+ PRBool rw;
+ static char *success = "Success";
+#endif /* NSS_DISABLE_DBM */
+ char **rvstr = NULL;
+
+ rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args);
+ if (rvstr != NULL) {
+ return rvstr;
+ }
+
+ if (PORT_GetError() != SEC_ERROR_LEGACY_DATABASE) {
+ return NULL;
+ }
+
+#ifndef NSS_DISABLE_DBM
+ /* The legacy database uses the old dbm, which is only linked with the
+ * legacy DB handler, which is only callable from softoken */
+
+ secmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &appName,
+ &filename, &rw);
+
+ switch (function) {
+ case SECMOD_MODULE_DB_FUNCTION_FIND:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ if (rw && (dbType != NSS_DB_TYPE_LEGACY) &&
+ (dbType != NSS_DB_TYPE_MULTIACCESS)) {
+ /* if we get here, we are trying to update the local database */
+ /* force data from the legacy DB */
+ char *oldSecmod = NULL;
+ char *oldAppName = NULL;
+ char *oldFilename = NULL;
+ PRBool oldrw;
+ char **strings = NULL;
+ int i;
+
+ dbType = NSS_DB_TYPE_LEGACY;
+ oldSecmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &oldAppName,
+ &oldFilename, &oldrw);
+ strings = sftkdbCall_ReadSecmodDB(appName, oldFilename, oldSecmod,
+ (char *)parameters, oldrw);
+ if (strings) {
+ /* write out the strings */
+ for (i = 0; strings[i]; i++) {
+ NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD,
+ parameters, strings[i]);
+ }
+ sftkdbCall_ReleaseSecmodDBData(oldAppName, oldFilename, oldSecmod,
+ (char **)strings, oldrw);
+ } else {
+ /* write out a dummy record */
+ NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD,
+ parameters, " ");
+ }
+ if (oldSecmod) {
+ PR_smprintf_free(oldSecmod);
+ }
+ if (oldAppName) {
+ PORT_Free(oldAppName);
+ }
+ if (oldFilename) {
+ PORT_Free(oldFilename);
+ }
+ rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args);
+ break;
+ }
+ rvstr = sftkdbCall_ReadSecmodDB(appName, filename, secmod,
+ (char *)parameters, rw);
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_ADD:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ rvstr = (sftkdbCall_AddSecmodDB(appName, filename, secmod,
+ (char *)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_DEL:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ rvstr = (sftkdbCall_DeleteSecmodDB(appName, filename, secmod,
+ (char *)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_RELEASE:
+ rvstr = (sftkdbCall_ReleaseSecmodDBData(appName, filename, secmod,
+ (char **)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ }
+
+loser:
+ if (secmod)
+ PR_smprintf_free(secmod);
+ if (appName)
+ PORT_Free(appName);
+ if (filename)
+ PORT_Free(filename);
+#endif /* NSS_DISABLE_DBM */
+ return rvstr;
+}
+
+static void
+nscFreeAllSlots(unsigned int moduleIndex)
+{
+ /* free all the slots */
+ SFTKSlot *slot = NULL;
+ CK_SLOT_ID slotID;
+ int i;
+
+ if (nscSlotList[moduleIndex]) {
+ CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex];
+ CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex];
+ PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+ /* first close all the session */
+ for (i = 0; i < (int)tmpSlotCount; i++) {
+ slotID = tmpSlotList[i];
+ (void)NSC_CloseAllSessions(slotID);
+ }
+
+ /* now clear out the statics */
+ nscSlotList[moduleIndex] = NULL;
+ nscSlotCount[moduleIndex] = 0;
+ nscSlotHashTable[moduleIndex] = NULL;
+ nscSlotListSize[moduleIndex] = 0;
+
+ for (i = 0; i < (int)tmpSlotCount; i++) {
+ slotID = tmpSlotList[i];
+ slot = (SFTKSlot *)
+ PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ PORT_Assert(slot);
+ if (!slot)
+ continue;
+ SFTK_DestroySlotData(slot);
+ PL_HashTableRemove(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ }
+ PORT_Free(tmpSlotList);
+ PL_HashTableDestroy(tmpSlotHashTable);
+ }
+}
+
+static void
+sftk_closePeer(PRBool isFIPS)
+{
+ CK_SLOT_ID slotID = isFIPS ? PRIVATE_KEY_SLOT_ID : FIPS_SLOT_ID;
+ SFTKSlot *slot;
+ unsigned int moduleIndex = isFIPS ? NSC_NON_FIPS_MODULE : NSC_FIPS_MODULE;
+ PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+ slot = (SFTKSlot *)PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ if (slot == NULL) {
+ return;
+ }
+ sftk_DBShutdown(slot);
+ return;
+}
+
+extern void sftk_PBELockInit(void);
+extern void sftk_PBELockShutdown(void);
+
+/* NSC_Initialize initializes the Cryptoki library. */
+CK_RV
+nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+ PRBool destroy_freelist_on_error = PR_TRUE;
+ int i;
+ unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
+
+ if (isFIPS) {
+ loginWaitTime = PR_SecondsToInterval(1);
+ }
+
+ ENABLE_FORK_CHECK();
+
+ sftk_PBELockInit();
+
+ rv = SECOID_Init();
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+
+ rv = RNG_RNGInit(); /* initialize random number generator */
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+ rv = BL_Init(); /* initialize freebl engine */
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+
+ /* NOTE:
+ * we should be getting out mutexes from this list, not statically binding
+ * them from NSPR. This should happen before we allow the internal to split
+ * off from the rest on NSS.
+ */
+
+ /* initialize the key and cert db's */
+ if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK))) {
+ if (init_args->CreateMutex && init_args->DestroyMutex &&
+ init_args->LockMutex && init_args->UnlockMutex) {
+ /* softoken always uses NSPR (ie. OS locking), and doesn't know how
+ * to use the lock functions provided by the application.
+ */
+ crv = CKR_CANT_LOCK;
+ return crv;
+ }
+ if (init_args->CreateMutex || init_args->DestroyMutex ||
+ init_args->LockMutex || init_args->UnlockMutex) {
+ /* only some of the lock functions were provided by the
+ * application. This is invalid per PKCS#11 spec.
+ */
+ crv = CKR_ARGUMENTS_BAD;
+ return crv;
+ }
+ }
+ crv = CKR_ARGUMENTS_BAD;
+ if ((init_args && init_args->LibraryParameters)) {
+ sftk_parameters paramStrings;
+
+ crv = sftk_parseParameters((char *)init_args->LibraryParameters, ¶mStrings, isFIPS);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_configure(paramStrings.man, paramStrings.libdes);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* if we have a peer already open, have him close his DB's so we
+ * don't clobber each other. */
+ if ((isFIPS && nsc_init) || (!isFIPS && nsf_init)) {
+ sftk_closePeer(isFIPS);
+ if (sftk_audit_enabled) {
+ if (isFIPS && nsc_init) {
+ sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE,
+ "enabled FIPS mode");
+ } else {
+ sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE,
+ "disabled FIPS mode");
+ }
+ }
+ /* if we have a peer open, we don't want to destroy the freelist
+ * from under the peer if we fail, the free list will be
+ * destroyed in that case when the C_Finalize is called for
+ * the peer */
+ destroy_freelist_on_error = PR_FALSE;
+ }
+ /* allow us to create objects in SFTK_SlotInit */
+ sftk_InitFreeLists();
+
+ for (i = 0; i < paramStrings.token_count; i++) {
+ crv = SFTK_SlotInit(paramStrings.configdir,
+ paramStrings.updatedir, paramStrings.updateID,
+ ¶mStrings.tokens[i], moduleIndex);
+ if (crv != CKR_OK) {
+ nscFreeAllSlots(moduleIndex);
+ break;
+ }
+ }
+ loser:
+ sftk_freeParams(¶mStrings);
+ }
+ if (destroy_freelist_on_error && (CKR_OK != crv)) {
+ /* idempotent. If the list are already freed, this is a noop */
+ sftk_CleanupFreeLists();
+ }
+
+#ifndef NO_FORK_CHECK
+ if (CKR_OK == crv) {
+#if defined(CHECK_FORK_MIXED)
+ /* Before Solaris 10, fork handlers are not unregistered at dlclose()
+ * time. So, we only use pthread_atfork on Solaris 10 and later. For
+ * earlier versions, we use PID checks.
+ */
+ char buf[200];
+ int major = 0, minor = 0;
+
+ long rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+ if (rv > 0 && rv < sizeof(buf)) {
+ if (2 == sscanf(buf, "%d.%d", &major, &minor)) {
+ /* Are we on Solaris 10 or greater ? */
+ if (major > 5 || (5 == major && minor >= 10)) {
+ /* we are safe to use pthread_atfork */
+ usePthread_atfork = PR_TRUE;
+ }
+ }
+ }
+ if (usePthread_atfork) {
+ pthread_atfork(NULL, NULL, ForkedChild);
+ } else {
+ myPid = getpid();
+ }
+
+#elif defined(CHECK_FORK_PTHREAD)
+ pthread_atfork(NULL, NULL, ForkedChild);
+#elif defined(CHECK_FORK_GETPID)
+ myPid = getpid();
+#else
+#error Incorrect fork check method.
+#endif
+ }
+#endif
+ return crv;
+}
+
+CK_RV
+NSC_Initialize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ sftk_ForkReset(pReserved, &crv);
+
+ if (nsc_init) {
+ return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+ }
+ crv = nsc_CommonInitialize(pReserved, PR_FALSE);
+ nsc_init = (PRBool)(crv == CKR_OK);
+ return crv;
+}
+
+/* NSC_Finalize indicates that an application is done with the
+ * Cryptoki library.*/
+CK_RV
+nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+ /* propagate the fork status to freebl and util */
+ BL_SetForkState(parentForkedAfterC_Initialize);
+ UTIL_SetForkState(parentForkedAfterC_Initialize);
+
+ nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE);
+
+ /* don't muck with the globals if our peer is still initialized */
+ if (isFIPS && nsc_init) {
+ return CKR_OK;
+ }
+ if (!isFIPS && nsf_init) {
+ return CKR_OK;
+ }
+
+ sftk_CleanupFreeLists();
+ sftkdb_Shutdown();
+
+ /* This function does not discard all our previously aquired entropy. */
+ RNG_RNGShutdown();
+
+ /* tell freeBL to clean up after itself */
+ BL_Cleanup();
+
+ /* reset fork status in freebl. We must do this before BL_Unload so that
+ * this call doesn't force freebl to be reloaded. */
+ BL_SetForkState(PR_FALSE);
+
+#ifndef NSS_STATIC_SOFTOKEN
+ /* unload freeBL shared library from memory. This may only decrement the
+ * OS refcount if it's been loaded multiple times, eg. by libssl */
+ BL_Unload();
+#endif
+
+ /* clean up the default OID table */
+ SECOID_Shutdown();
+
+ sftk_PBELockShutdown();
+
+ /* reset fork status in util */
+ UTIL_SetForkState(PR_FALSE);
+
+ nsc_init = PR_FALSE;
+
+#ifndef NO_FORK_CHECK
+#ifdef CHECK_FORK_MIXED
+ if (!usePthread_atfork) {
+ myPid = 0; /* allow CHECK_FORK in the next softoken initialization to
+ * succeed */
+ } else {
+ forked = PR_FALSE; /* allow reinitialization */
+ }
+#elif defined(CHECK_FORK_GETPID)
+ myPid = 0; /* allow reinitialization */
+#elif defined(CHECK_FORK_PTHREAD)
+ forked = PR_FALSE; /* allow reinitialization */
+#endif
+#endif
+ return CKR_OK;
+}
+
+/* Hard-reset the entire softoken PKCS#11 module if the parent process forked
+ * while it was initialized. */
+PRBool
+sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv)
+{
+#ifndef NO_FORK_CHECK
+ if (PARENT_FORKED()) {
+ parentForkedAfterC_Initialize = PR_TRUE;
+ if (nsc_init) {
+ /* finalize non-FIPS token */
+ *crv = nsc_CommonFinalize(pReserved, PR_FALSE);
+ PORT_Assert(CKR_OK == *crv);
+ nsc_init = (PRBool) !(*crv == CKR_OK);
+ }
+ if (nsf_init) {
+ /* finalize FIPS token */
+ *crv = nsc_CommonFinalize(pReserved, PR_TRUE);
+ PORT_Assert(CKR_OK == *crv);
+ nsf_init = (PRBool) !(*crv == CKR_OK);
+ }
+ parentForkedAfterC_Initialize = PR_FALSE;
+ return PR_TRUE;
+ }
+#endif
+ return PR_FALSE;
+}
+
+/* NSC_Finalize indicates that an application is done with the
+ * Cryptoki library.*/
+CK_RV
+NSC_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ /* reset entire PKCS#11 module upon fork */
+ if (sftk_ForkReset(pReserved, &crv)) {
+ return crv;
+ }
+
+ if (!nsc_init) {
+ return CKR_OK;
+ }
+
+ crv = nsc_CommonFinalize(pReserved, PR_FALSE);
+
+ nsc_init = (PRBool) !(crv == CKR_OK);
+
+ return crv;
+}
+
+extern const char __nss_softokn_version[];
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV
+NSC_GetInfo(CK_INFO_PTR pInfo)
+{
+#define NSS_VERSION_VARIABLE __nss_softokn_version
+#include "verref.h"
+
+ CHECK_FORK();
+
+ pInfo->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR;
+ pInfo->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR;
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32);
+ pInfo->libraryVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->libraryVersion.minor = SOFTOKEN_VMINOR;
+ PORT_Memcpy(pInfo->libraryDescription, libraryDescription, 32);
+ pInfo->flags = 0;
+ return CKR_OK;
+}
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV
+NSC_GetInfoV2(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ pInfo->cryptokiVersion.major = 2;
+ pInfo->cryptokiVersion.minor = 40;
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32);
+ pInfo->libraryVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->libraryVersion.minor = SOFTOKEN_VMINOR;
+ PORT_Memcpy(pInfo->libraryDescription, libraryDescription, 32);
+ pInfo->flags = 0;
+ return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+nsc_CommonGetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount,
+ unsigned int moduleIndex)
+{
+ *pulCount = nscSlotCount[moduleIndex];
+ if (pSlotList != NULL) {
+ PORT_Memcpy(pSlotList, nscSlotList[moduleIndex],
+ nscSlotCount[moduleIndex] * sizeof(CK_SLOT_ID));
+ }
+ return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+NSC_GetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
+{
+ CHECK_FORK();
+ return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount,
+ NSC_NON_FIPS_MODULE);
+}
+
+/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV
+NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE);
+
+ CHECK_FORK();
+
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID,
+ sizeof(pInfo->manufacturerID));
+ PORT_Memcpy(pInfo->slotDescription, slot->slotDescription,
+ sizeof(pInfo->slotDescription));
+ pInfo->flags = (slot->present) ? CKF_TOKEN_PRESENT : 0;
+
+ /* all user defined slots are defined as removable */
+ if (slotID >= SFTK_MIN_USER_SLOT_ID) {
+ pInfo->flags |= CKF_REMOVABLE_DEVICE;
+ } else {
+ /* In the case where we are doing a merge update, we need
+ * the DB slot to be removable so the token name can change
+ * appropriately. */
+ SFTKDBHandle *handle = sftk_getKeyDB(slot);
+ if (handle) {
+ if (sftkdb_InUpdateMerge(handle)) {
+ pInfo->flags |= CKF_REMOVABLE_DEVICE;
+ }
+ sftk_freeDB(handle);
+ }
+ }
+
+ /* If there is no key database, this is for example the case when NSS was
+ * initialized with NSS_NoDbInit(), then there won't be any point in
+ * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that
+ * PK11_NeedUserInit() doesn't indicate that a PIN is needed.
+ */
+ if (slot->keyDB == NULL) {
+ pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+ }
+
+ /* ok we really should read it out of the keydb file. */
+ /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
+ pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR;
+ pInfo->firmwareVersion.major = SOFTOKEN_VPATCH;
+ pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD;
+ return CKR_OK;
+}
+
+/*
+ * check the current state of the 'needLogin' flag in case the database has
+ * been changed underneath us.
+ */ +static PRBool +sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle) +{ + PRBool needLogin; + if (sftkdb_PWCached(keyHandle) == SECSuccess) { + PZ_Lock(slot->slotLock); + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + } else { + needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle); + PZ_Lock(slot->slotLock); + slot->needLogin = needLogin; + PZ_Unlock(slot->slotLock); + } + return needLogin; +} + +static PRBool +sftk_isBlank(const char *s, int len) +{ + int i; + for (i = 0; i < len; i++) { + if (s[i] != ' ') { + return PR_FALSE; + } + } + return PR_TRUE; +} + +/* NSC_GetTokenInfo obtains information about a particular token in + * the system. */ +CK_RV +NSC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) +{ + SFTKSlot *slot; + SFTKDBHandle *handle; + + CHECK_FORK(); + + if (!nsc_init && !nsf_init) + return CKR_CRYPTOKI_NOT_INITIALIZED; + slot = sftk_SlotFromID(slotID, PR_FALSE); + if (slot == NULL) + return CKR_SLOT_ID_INVALID; + + PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32); + PORT_Memcpy(pInfo->model, "NSS 3 ", 16); + PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16); + PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16); + pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ + pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */ + PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */ + pInfo->ulSessionCount = slot->sessionCount; + pInfo->ulRwSessionCount = slot->rwSessionCount; + PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */ + pInfo->firmwareVersion.major = 0; + pInfo->firmwareVersion.minor = 0; + PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label)); + handle = sftk_getKeyDB(slot); + pInfo->flags = CKF_RNG | CKF_DUAL_CRYPTO_OPERATIONS; + if (handle == NULL) { + pInfo->flags |= CKF_WRITE_PROTECTED; + pInfo->ulMaxPinLen = 0; + pInfo->ulMinPinLen = 0; + pInfo->ulTotalPublicMemory = 0; + pInfo->ulFreePublicMemory = 0; + pInfo->ulTotalPrivateMemory = 0; + 
pInfo->ulFreePrivateMemory = 0; + pInfo->hardwareVersion.major = 4; + pInfo->hardwareVersion.minor = 0; + } else { + /* + * we have three possible states which we may be in: + * (1) No DB password has been initialized. This also means we + * have no keys in the key db. + * (2) Password initialized to NULL. This means we have keys, but + * the user has chosen not use a password. + * (3) Finally we have an initialized password whicn is not NULL, and + * we will need to prompt for it. + */ + if (sftkdb_HasPasswordSet(handle) == SECFailure) { + pInfo->flags |= CKF_LOGIN_REQUIRED; + } else if (!sftk_checkNeedLogin(slot, handle)) { + pInfo->flags |= CKF_USER_PIN_INITIALIZED; + } else { + pInfo->flags |= CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED; + /* + * if we are doing a merge style update, and we need to get the password + * of our source database (the database we are updating from), make sure we + * return a token name that will match the database we are prompting for. + */ + if (sftkdb_NeedUpdateDBPassword(handle)) { + /* if we have an update tok description, use it. 
otherwise + * use the updateID for this database */ + if (!sftk_isBlank(slot->updateTokDescription, + sizeof(pInfo->label))) { + PORT_Memcpy(pInfo->label, slot->updateTokDescription, + sizeof(pInfo->label)); + } else { + /* build from updateID */ + const char *updateID = sftkdb_GetUpdateID(handle); + if (updateID) { + sftk_setStringName(updateID, (char *)pInfo->label, + sizeof(pInfo->label), PR_FALSE); + } + } + } + } + pInfo->ulMaxPinLen = SFTK_MAX_PIN; + pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen; + pInfo->ulTotalPublicMemory = 1; + pInfo->ulFreePublicMemory = 1; + pInfo->ulTotalPrivateMemory = 1; + pInfo->ulFreePrivateMemory = 1; +#ifdef SHDB_FIXME + pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION; + pInfo->hardwareVersion.minor = handle->version; +#else + pInfo->hardwareVersion.major = 0; + pInfo->hardwareVersion.minor = 0; +#endif + sftk_freeDB(handle); + } + /* + * CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED how CKF_TOKEN_INITIALIZED + * should be set + * 0 0 1 + * 1 0 0 + * 0 1 1 + * 1 1 1 + */ + if (!(pInfo->flags & CKF_LOGIN_REQUIRED) || + (pInfo->flags & CKF_USER_PIN_INITIALIZED)) { + pInfo->flags |= CKF_TOKEN_INITIALIZED; + } + return CKR_OK; +} + +/* NSC_GetMechanismList obtains a list of mechanism types + * supported by a token. */ +CK_RV +NSC_GetMechanismList(CK_SLOT_ID slotID, + CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) +{ + CK_ULONG i; + + CHECK_FORK(); + + switch (slotID) { + /* default: */ + case NETSCAPE_SLOT_ID: + *pulCount = mechanismCount; + if (pMechanismList != NULL) { + for (i = 0; i < mechanismCount; i++) { + pMechanismList[i] = mechanisms[i].type; + } + } + break; + default: + *pulCount = 0; + for (i = 0; i < mechanismCount; i++) { + if (mechanisms[i].privkey) { + (*pulCount)++; + if (pMechanismList != NULL) { + *pMechanismList++ = mechanisms[i].type; + } + } + } + break; + } + return CKR_OK; +} + +/* NSC_GetMechanismInfo obtains information about a particular mechanism + * possibly supported by a token. 
*/ +CK_RV +NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, + CK_MECHANISM_INFO_PTR pInfo) +{ + PRBool isPrivateKey; + CK_ULONG i; + + CHECK_FORK(); + + switch (slotID) { + case NETSCAPE_SLOT_ID: + isPrivateKey = PR_FALSE; + break; + default: + isPrivateKey = PR_TRUE; + break; + } + for (i = 0; i < mechanismCount; i++) { + if (type == mechanisms[i].type) { + if (isPrivateKey && !mechanisms[i].privkey) { + return CKR_MECHANISM_INVALID; + } + PORT_Memcpy(pInfo, &mechanisms[i].info, sizeof(CK_MECHANISM_INFO)); + return CKR_OK; + } + } + return CKR_MECHANISM_INVALID; +} + +/* + * If we are using the V2 interface, strip out the message flags + */ +#define SFTK_MESSAGE_FLAGS (CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY) +CK_RV +NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, + CK_MECHANISM_INFO_PTR pInfo) +{ + CK_RV crv; + crv = NSC_GetMechanismInfo(slotID, type, pInfo); + if (crv == CKR_OK) { + pInfo->flags = pInfo->flags & ~SFTK_MESSAGE_FLAGS; + } + return crv; +} + +CK_RV +sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op) +{ + CK_ULONG i; + CK_FLAGS flags = sftk_AttributeToFlags(op); + + if (flags == 0) { + return CKR_ARGUMENTS_BAD; + } + for (i = 0; i < mechanismCount; i++) { + if (type == mechanisms[i].type) { + return (flags & mechanisms[i].info.flags) ? CKR_OK + : CKR_MECHANISM_INVALID; + } + } + return CKR_MECHANISM_INVALID; +} + +/* NSC_InitToken initializes a token. */ +CK_RV +NSC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin, + CK_ULONG ulPinLen, CK_CHAR_PTR pLabel) +{ + SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE); + SFTKDBHandle *handle; + SECStatus rv; + unsigned int i; + SFTKObject *object; + + CHECK_FORK(); + + if (slot == NULL) + return CKR_SLOT_ID_INVALID; + + /* don't initialize the database if we aren't talking to a token + * that uses the key database. 
+ */ + if (slotID == NETSCAPE_SLOT_ID) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + /* first, delete all our loaded key and cert objects from our + * internal list. */ + PZ_Lock(slot->objectLock); + for (i = 0; i < slot->sessObjHashSize; i++) { + do { + object = slot->sessObjHashTable[i]; + /* hand deque */ + /* this duplicates function of NSC_close session functions, but + * because we know that we are freeing all the sessions, we can + * do more efficient processing */ + if (object) { + slot->sessObjHashTable[i] = object->next; + + if (object->next) + object->next->prev = NULL; + object->next = object->prev = NULL; + } + if (object) + sftk_FreeObject(object); + } while (object != NULL); + } + slot->DB_loaded = PR_FALSE; + PZ_Unlock(slot->objectLock); + + /* then clear out the key database */ + handle = sftk_getKeyDB(slot); + if (handle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + rv = sftkdb_ResetKeyDB(handle); + /* clear the password */ + sftkdb_ClearPassword(handle); + /* update slot->needLogin (should be true now since no password is set) */ + sftk_checkNeedLogin(slot, handle); + sftk_freeDB(handle); + if (rv != SECSuccess) { + return CKR_DEVICE_ERROR; + } + + return CKR_OK; +} + +/* NSC_InitPIN initializes the normal user's PIN. 
*/ +CK_RV +NSC_InitPIN(CK_SESSION_HANDLE hSession, + CK_CHAR_PTR pPin, CK_ULONG ulPinLen) +{ + SFTKSession *sp = NULL; + SFTKSlot *slot; + SFTKDBHandle *handle = NULL; + char newPinStr[SFTK_MAX_PIN + 1]; + SECStatus rv; + CK_RV crv = CKR_SESSION_HANDLE_INVALID; + PRBool tokenRemoved = PR_FALSE; + + CHECK_FORK(); + + sp = sftk_SessionFromHandle(hSession); + if (sp == NULL) { + goto loser; + } + + slot = sftk_SlotFromSession(sp); + if (slot == NULL) { + goto loser; + } + + handle = sftk_getKeyDB(slot); + if (handle == NULL) { + crv = CKR_PIN_LEN_RANGE; + goto loser; + } + + if (sp->info.state != CKS_RW_SO_FUNCTIONS) { + crv = CKR_USER_NOT_LOGGED_IN; + goto loser; + } + + sftk_FreeSession(sp); + sp = NULL; + + /* make sure the pins aren't too long */ + if (ulPinLen > SFTK_MAX_PIN) { + crv = CKR_PIN_LEN_RANGE; + goto loser; + } + if (ulPinLen < (CK_ULONG)slot->minimumPinLen) { + crv = CKR_PIN_LEN_RANGE; + goto loser; + } + + if (sftkdb_HasPasswordSet(handle) != SECFailure) { + crv = CKR_DEVICE_ERROR; + goto loser; + } + + /* convert to null terminated string */ + PORT_Memcpy(newPinStr, pPin, ulPinLen); + newPinStr[ulPinLen] = 0; + + /* build the hashed pins which we pass around */ + + /* change the data base */ + rv = sftkdb_ChangePassword(handle, NULL, newPinStr, &tokenRemoved); + if (tokenRemoved) { + sftk_CloseAllSessions(slot, PR_FALSE); + } + PORT_Memset(newPinStr, 0, ulPinLen); + sftk_freeDB(handle); + handle = NULL; + + /* Now update our local copy of the pin */ + if (rv == SECSuccess) { + if (ulPinLen == 0) { + PZ_Lock(slot->slotLock); + slot->needLogin = PR_FALSE; + PZ_Unlock(slot->slotLock); + } + /* database has been initialized, now force min password in FIPS + * mode. NOTE: if we are in level1, we may not have a password, but + * forcing it now will prevent an insufficient password from being set. 
+ */ + if ((sftk_GetModuleIndex(slot->slotID) == NSC_FIPS_MODULE) && + (slot->minimumPinLen < FIPS_MIN_PIN)) { + slot->minimumPinLen = FIPS_MIN_PIN; + } + return CKR_OK; + } + crv = CKR_PIN_INCORRECT; + +loser: + if (sp) { + sftk_FreeSession(sp); + } + if (handle) { + sftk_freeDB(handle); + } + return crv; +} + +/* NSC_SetPIN modifies the PIN of user that is currently logged in. */ +/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */ +CK_RV +NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, + CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen) +{ + SFTKSession *sp = NULL; + SFTKSlot *slot; + SFTKDBHandle *handle = NULL; + char newPinStr[SFTK_MAX_PIN + 1], oldPinStr[SFTK_MAX_PIN + 1]; + SECStatus rv; + CK_RV crv = CKR_SESSION_HANDLE_INVALID; + PRBool needLogin; + PRBool tokenRemoved = PR_FALSE; + + CHECK_FORK(); + + sp = sftk_SessionFromHandle(hSession); + if (sp == NULL) { + goto loser; + } + + slot = sftk_SlotFromSession(sp); + if (!slot) { + goto loser; + } + + handle = sftk_getKeyDB(slot); + if (handle == NULL) { + sftk_FreeSession(sp); + return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */ + } + + PZ_Lock(slot->slotLock); + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) { + crv = CKR_USER_NOT_LOGGED_IN; + goto loser; + } + + sftk_FreeSession(sp); + sp = NULL; + + /* make sure the pins aren't too long */ + if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) { + crv = CKR_PIN_LEN_RANGE; + goto loser; + } + /* check the length of new pin, unless both old and new passwords + * are empty */ + if ((ulNewLen != 0 || ulOldLen != 0) && + ulNewLen < (CK_ULONG)slot->minimumPinLen) { + crv = CKR_PIN_LEN_RANGE; + goto loser; + } + + /* convert to null terminated string */ + PORT_Memcpy(newPinStr, pNewPin, ulNewLen); + newPinStr[ulNewLen] = 0; + PORT_Memcpy(oldPinStr, pOldPin, ulOldLen); + oldPinStr[ulOldLen] = 0; + + /* change the data base password */ + 
PR_Lock(slot->pwCheckLock); + rv = sftkdb_ChangePassword(handle, oldPinStr, newPinStr, &tokenRemoved); + PORT_Memset(newPinStr, 0, ulNewLen); + PORT_Memset(oldPinStr, 0, ulOldLen); + if (tokenRemoved) { + sftk_CloseAllSessions(slot, PR_FALSE); + } + if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID))) { + PR_Sleep(loginWaitTime); + } + PR_Unlock(slot->pwCheckLock); + + /* Now update our local copy of the pin */ + if (rv == SECSuccess) { + PZ_Lock(slot->slotLock); + slot->needLogin = (PRBool)(ulNewLen != 0); + slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess); + PZ_Unlock(slot->slotLock); + /* Reset login flags. */ + if (ulNewLen == 0) { + PZ_Lock(slot->slotLock); + slot->isLoggedIn = PR_FALSE; + slot->ssoLoggedIn = PR_FALSE; + PZ_Unlock(slot->slotLock); + + tokenRemoved = PR_FALSE; + rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved); + if (tokenRemoved) { + sftk_CloseAllSessions(slot, PR_FALSE); + } + } + sftk_update_all_states(slot); + sftk_freeDB(handle); + return CKR_OK; + } + crv = CKR_PIN_INCORRECT; +loser: + if (sp) { + sftk_FreeSession(sp); + } + if (handle) { + sftk_freeDB(handle); + } + return crv; +} + +/* NSC_OpenSession opens a session between an application and a token. 
*/ +CK_RV +NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, + CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession) +{ + SFTKSlot *slot; + CK_SESSION_HANDLE sessionID; + SFTKSession *session; + SFTKSession *sameID; + + CHECK_FORK(); + + slot = sftk_SlotFromID(slotID, PR_FALSE); + if (slot == NULL) + return CKR_SLOT_ID_INVALID; + + /* new session (we only have serial sessions) */ + session = sftk_NewSession(slotID, Notify, pApplication, + flags | CKF_SERIAL_SESSION); + if (session == NULL) + return CKR_HOST_MEMORY; + + if (slot->readOnly && (flags & CKF_RW_SESSION)) { + /* NETSCAPE_SLOT_ID is Read ONLY */ + session->info.flags &= ~CKF_RW_SESSION; + } + PZ_Lock(slot->slotLock); + ++slot->sessionCount; + PZ_Unlock(slot->slotLock); + if (session->info.flags & CKF_RW_SESSION) { + (void)PR_ATOMIC_INCREMENT(&slot->rwSessionCount); + } + + do { + PZLock *lock; + do { + sessionID = (PR_ATOMIC_INCREMENT(&slot->sessionIDCount) & 0xffffff) | (slot->index << 24); + } while (sessionID == CK_INVALID_HANDLE); + lock = SFTK_SESSION_LOCK(slot, sessionID); + PZ_Lock(lock); + sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize); + if (sameID == NULL) { + session->handle = sessionID; + sftk_update_state(slot, session); + sftkqueue_add(session, sessionID, slot->head, slot->sessHashSize); + } else { + slot->sessionIDConflict++; /* for debugging */ + } + PZ_Unlock(lock); + } while (sameID != NULL); + + *phSession = sessionID; + return CKR_OK; +} + +/* NSC_CloseSession closes a session between an application and a token. 
*/ +CK_RV +NSC_CloseSession(CK_SESSION_HANDLE hSession) +{ + SFTKSlot *slot; + SFTKSession *session; + PRBool sessionFound; + PZLock *lock; + + CHECK_FORK(); + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + slot = sftk_SlotFromSession(session); + sessionFound = PR_FALSE; + + /* lock */ + lock = SFTK_SESSION_LOCK(slot, hSession); + PZ_Lock(lock); + if (sftkqueue_is_queued(session, hSession, slot->head, slot->sessHashSize)) { + sessionFound = PR_TRUE; + sftkqueue_delete(session, hSession, slot->head, slot->sessHashSize); + } + PZ_Unlock(lock); + + if (sessionFound) { + SFTKDBHandle *handle; + handle = sftk_getKeyDB(slot); + PZ_Lock(slot->slotLock); + if (--slot->sessionCount == 0) { + slot->isLoggedIn = PR_FALSE; + if (slot->needLogin && handle) { + sftkdb_ClearPassword(handle); + } + } + PZ_Unlock(slot->slotLock); + if (handle) { + sftk_freeDB(handle); + } + if (session->info.flags & CKF_RW_SESSION) { + (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount); + } + sftk_DestroySession(session); + session = NULL; + } + + return CKR_OK; +} + +/* NSC_CloseAllSessions closes all sessions with a token. */ +CK_RV +NSC_CloseAllSessions(CK_SLOT_ID slotID) +{ + SFTKSlot *slot; + +#ifndef NO_FORK_CHECK + /* skip fork check if we are being called from C_Initialize or C_Finalize */ + if (!parentForkedAfterC_Initialize) { + CHECK_FORK(); + } +#endif + + slot = sftk_SlotFromID(slotID, PR_FALSE); + if (slot == NULL) + return CKR_SLOT_ID_INVALID; + + return sftk_CloseAllSessions(slot, PR_TRUE); +} + +/* NSC_GetSessionInfo obtains information about the session. 
*/ +CK_RV +NSC_GetSessionInfo(CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo) +{ + SFTKSession *session; + + CHECK_FORK(); + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + + PORT_Memcpy(pInfo, &session->info, sizeof(CK_SESSION_INFO)); + sftk_FreeSession(session); + return CKR_OK; +} + +/* NSC_Login logs a user into a token. */ +CK_RV +NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_CHAR_PTR pPin, CK_ULONG ulPinLen) +{ + SFTKSlot *slot; + SFTKSession *session; + SFTKDBHandle *handle; + CK_FLAGS sessionFlags; + SECStatus rv; + CK_RV crv; + char pinStr[SFTK_MAX_PIN + 1]; + PRBool tokenRemoved = PR_FALSE; + PRBool isLoggedIn; + PRBool needLogin; + + CHECK_FORK(); + + /* get the slot */ + slot = sftk_SlotFromSessionHandle(hSession); + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + + /* make sure the session is valid */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + sessionFlags = session->info.flags; + sftk_FreeSession(session); + session = NULL; + + /* can't log into the Netscape Slot */ + if (slot->slotID == NETSCAPE_SLOT_ID) { + return CKR_USER_TYPE_INVALID; + } + + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + + if (isLoggedIn) + return CKR_USER_ALREADY_LOGGED_IN; + if (!needLogin) { + return ulPinLen ? CKR_PIN_INCORRECT : CKR_OK; + } + slot->ssoLoggedIn = PR_FALSE; + + if (ulPinLen > SFTK_MAX_PIN) + return CKR_PIN_LEN_RANGE; + + /* convert to null terminated string */ + if (ulPinLen) { + PORT_Memcpy(pinStr, pPin, ulPinLen); + } + pinStr[ulPinLen] = 0; + + handle = sftk_getKeyDB(slot); + if (handle == NULL) { + PORT_Memset(pinStr, 0, ulPinLen); + return CKR_USER_TYPE_INVALID; + } + + /* + * Deal with bootstrap. We allow the SSO to login in with a NULL + * password if and only if we haven't initialized the KEY DB yet. 
+ * We only allow this on a RW session. + */ + rv = sftkdb_HasPasswordSet(handle); + if (rv == SECFailure) { + /* allow SSO's to log in only if there is not password on the + * key database */ + if (((userType == CKU_SO) && (sessionFlags & CKF_RW_SESSION)) + /* fips always needs to authenticate, even if there isn't a db */ + || (sftk_isFIPS(slot->slotID))) { + /* should this be a fixed password? */ + if (ulPinLen == 0) { + sftkdb_ClearPassword(handle); + PZ_Lock(slot->slotLock); + slot->isLoggedIn = PR_TRUE; + slot->ssoLoggedIn = (PRBool)(userType == CKU_SO); + PZ_Unlock(slot->slotLock); + sftk_update_all_states(slot); + crv = CKR_OK; + goto done; + } + crv = CKR_PIN_INCORRECT; + goto done; + } + crv = CKR_USER_TYPE_INVALID; + goto done; + } + + /* don't allow the SSO to log in if the user is already initialized */ + if (userType != CKU_USER) { + crv = CKR_USER_TYPE_INVALID; + goto done; + } + + /* build the hashed pins which we pass around */ + PR_Lock(slot->pwCheckLock); + rv = sftkdb_CheckPassword(handle, pinStr, &tokenRemoved); + if (tokenRemoved) { + sftk_CloseAllSessions(slot, PR_FALSE); + } + if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID))) { + PR_Sleep(loginWaitTime); + } + PR_Unlock(slot->pwCheckLock); + if (rv == SECSuccess) { + PZ_Lock(slot->slotLock); + /* make sure the login state matches the underlying + * database state */ + slot->isLoggedIn = sftkdb_PWCached(handle) == SECSuccess ? 
PR_TRUE : PR_FALSE; + PZ_Unlock(slot->slotLock); + + sftk_freeDB(handle); + handle = NULL; + + /* update all sessions */ + sftk_update_all_states(slot); + return CKR_OK; + } + + crv = CKR_PIN_INCORRECT; +done: + PORT_Memset(pinStr, 0, ulPinLen); + if (handle) { + sftk_freeDB(handle); + } + return crv; +} + +CK_RV +NSC_LoginUser(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, + CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pUsername, + CK_ULONG ulUsernameLen) +{ + /* softoken currently does not support additional users */ + return CKR_OPERATION_NOT_INITIALIZED; +} + +/* NSC_Logout logs a user out from a token. */ +CK_RV +NSC_Logout(CK_SESSION_HANDLE hSession) +{ + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + SFTKSession *session; + SFTKDBHandle *handle; + + CHECK_FORK(); + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + sftk_FreeSession(session); + session = NULL; + + if (!slot->isLoggedIn) + return CKR_USER_NOT_LOGGED_IN; + + handle = sftk_getKeyDB(slot); + PZ_Lock(slot->slotLock); + slot->isLoggedIn = PR_FALSE; + slot->ssoLoggedIn = PR_FALSE; + if (slot->needLogin && handle) { + sftkdb_ClearPassword(handle); + } + PZ_Unlock(slot->slotLock); + if (handle) { + sftk_freeDB(handle); + } + + sftk_update_all_states(slot); + return CKR_OK; +} + +/* + * Create or remove a new slot on the fly. + * When creating a slot, "slot" is the slot that the request came from. The + * resulting slot will live in the same module as "slot". + * When removing a slot, "slot" is the slot to be removed. + * "object" is the creation object that specifies the module spec for the slot + * to add or remove. 
+ */ +static CK_RV +sftk_CreateNewSlot(SFTKSlot *slot, CK_OBJECT_CLASS class, + SFTKObject *object) +{ + PRBool isValidUserSlot = PR_FALSE; + PRBool isValidFIPSUserSlot = PR_FALSE; + PRBool isValidSlot = PR_FALSE; + PRBool isFIPS = PR_FALSE; + unsigned int moduleIndex = NSC_NON_FIPS_MODULE; + SFTKAttribute *attribute; + sftk_parameters paramStrings; + char *paramString; + CK_SLOT_ID slotID = 0; + SFTKSlot *newSlot = NULL; + CK_RV crv = CKR_OK; + + if (class != CKO_NSS_DELSLOT && class != CKO_NSS_NEWSLOT) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + if (class == CKO_NSS_NEWSLOT && slot->slotID == FIPS_SLOT_ID) { + isFIPS = PR_TRUE; + } + attribute = sftk_FindAttribute(object, CKA_NSS_MODULE_SPEC); + if (attribute == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + paramString = (char *)attribute->attrib.pValue; + crv = sftk_parseParameters(paramString, ¶mStrings, isFIPS); + if (crv != CKR_OK) { + goto loser; + } + + /* enforce only one at a time */ + if (paramStrings.token_count != 1) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto loser; + } + + slotID = paramStrings.tokens[0].slotID; + + /* stay within the valid ID space */ + isValidUserSlot = (slotID >= SFTK_MIN_USER_SLOT_ID && + slotID <= SFTK_MAX_USER_SLOT_ID); + isValidFIPSUserSlot = (slotID >= SFTK_MIN_FIPS_USER_SLOT_ID && + slotID <= SFTK_MAX_FIPS_USER_SLOT_ID); + + if (class == CKO_NSS_DELSLOT) { + if (slot->slotID == slotID) { + isValidSlot = isValidUserSlot || isValidFIPSUserSlot; + } + } else { + /* only the crypto or FIPS slots can create new slot objects */ + if (slot->slotID == NETSCAPE_SLOT_ID) { + isValidSlot = isValidUserSlot; + moduleIndex = NSC_NON_FIPS_MODULE; + } else if (slot->slotID == FIPS_SLOT_ID) { + isValidSlot = isValidFIPSUserSlot; + moduleIndex = NSC_FIPS_MODULE; + } + } + + if (!isValidSlot) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto loser; + } + + /* unload any existing slot at this id */ + newSlot = sftk_SlotFromID(slotID, PR_TRUE); + if (newSlot && newSlot->present) { + crv = 
SFTK_ShutdownSlot(newSlot); + if (crv != CKR_OK) { + goto loser; + } + } + + /* if we were just planning on deleting the slot, then do so now */ + if (class == CKO_NSS_DELSLOT) { + /* sort of a unconventional use of this error code, be we are + * overusing CKR_ATTRIBUTE_VALUE_INVALID, and it does apply */ + crv = newSlot ? CKR_OK : CKR_SLOT_ID_INVALID; + goto loser; /* really exit */ + } + + if (newSlot) { + crv = SFTK_SlotReInit(newSlot, paramStrings.configdir, + paramStrings.updatedir, paramStrings.updateID, + ¶mStrings.tokens[0], moduleIndex); + } else { + crv = SFTK_SlotInit(paramStrings.configdir, + paramStrings.updatedir, paramStrings.updateID, + ¶mStrings.tokens[0], moduleIndex); + } + +loser: + sftk_freeParams(¶mStrings); + sftk_FreeAttribute(attribute); + + return crv; +} + +/* NSC_CreateObject creates a new object. */ +CK_RV +NSC_CreateObject(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phObject) +{ + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + SFTKSession *session; + SFTKObject *object; + /* make sure class isn't randomly CKO_NSS_NEWSLOT or + * CKO_NETSCPE_DELSLOT. 
*/ + CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED; + CK_RV crv; + int i; + + CHECK_FORK(); + + *phObject = CK_INVALID_HANDLE; + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + /* + * now lets create an object to hang the attributes off of + */ + object = sftk_NewObject(slot); /* fill in the handle later */ + if (object == NULL) { + return CKR_HOST_MEMORY; + } + object->isFIPS = PR_FALSE; /* if we created the object on the fly, + * it's not a FIPS object */ + + /* + * load the template values into the object + */ + for (i = 0; i < (int)ulCount; i++) { + crv = sftk_AddAttributeType(object, sftk_attr_expand(&pTemplate[i])); + if (crv != CKR_OK) { + sftk_FreeObject(object); + return crv; + } + if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) { + class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue; + } + } + + /* get the session */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + sftk_FreeObject(object); + return CKR_SESSION_HANDLE_INVALID; + } + + /* + * handle pseudo objects (CKO_NEWSLOT) + */ + if ((class == CKO_NSS_NEWSLOT) || (class == CKO_NSS_DELSLOT)) { + crv = sftk_CreateNewSlot(slot, class, object); + goto done; + } + + /* + * handle the base object stuff + */ + crv = sftk_handleObject(object, session); + *phObject = object->handle; +done: + sftk_FreeSession(session); + sftk_FreeObject(object); + + return crv; +} + +/* NSC_CopyObject copies an object, creating a new object for the copy. 
*/ +CK_RV +NSC_CopyObject(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phNewObject) +{ + SFTKObject *destObject, *srcObject; + SFTKSession *session; + CK_RV crv = CKR_OK; + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + int i; + + CHECK_FORK(); + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + /* Get srcObject so we can find the class */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + srcObject = sftk_ObjectFromHandle(hObject, session); + if (srcObject == NULL) { + sftk_FreeSession(session); + return CKR_OBJECT_HANDLE_INVALID; + } + /* + * create an object to hang the attributes off of + */ + destObject = sftk_NewObject(slot); /* fill in the handle later */ + if (destObject == NULL) { + sftk_FreeSession(session); + sftk_FreeObject(srcObject); + return CKR_HOST_MEMORY; + } + + /* + * load the template values into the object + */ + for (i = 0; i < (int)ulCount; i++) { + if (sftk_modifyType(pTemplate[i].type, srcObject->objclass) == SFTK_NEVER) { + crv = CKR_ATTRIBUTE_READ_ONLY; + break; + } + crv = sftk_AddAttributeType(destObject, sftk_attr_expand(&pTemplate[i])); + if (crv != CKR_OK) { + break; + } + } + if (crv != CKR_OK) { + sftk_FreeSession(session); + sftk_FreeObject(srcObject); + sftk_FreeObject(destObject); + return crv; + } + + /* sensitive can only be changed to CK_TRUE */ + if (sftk_hasAttribute(destObject, CKA_SENSITIVE)) { + if (!sftk_isTrue(destObject, CKA_SENSITIVE)) { + sftk_FreeSession(session); + sftk_FreeObject(srcObject); + sftk_FreeObject(destObject); + return CKR_ATTRIBUTE_READ_ONLY; + } + } + + /* + * now copy the old attributes from the new attributes + */ + /* don't create a token object if we aren't in a rw session */ + /* we need to hold the lock to copy a consistant version of + * the object. 
*/ + crv = sftk_CopyObject(destObject, srcObject); + + destObject->objclass = srcObject->objclass; + sftk_FreeObject(srcObject); + if (crv != CKR_OK) { + sftk_FreeObject(destObject); + sftk_FreeSession(session); + return crv; + } + + crv = sftk_handleObject(destObject, session); + *phNewObject = destObject->handle; + sftk_FreeSession(session); + sftk_FreeObject(destObject); + + return crv; +} + +/* NSC_GetObjectSize gets the size of an object in bytes. */ +CK_RV +NSC_GetObjectSize(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) +{ + CHECK_FORK(); + + *pulSize = 0; + return CKR_OK; +} + +static CK_RV +nsc_GetTokenAttributeValue(SFTKSession *session, CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) +{ + SFTKSlot *slot = sftk_SlotFromSession(session); + SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject); + SFTKDBHandle *keydb = NULL; + CK_RV crv; + + if (dbHandle == NULL) { + return CKR_OBJECT_HANDLE_INVALID; + } + + crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount); + + /* make sure we don't export any sensitive information */ + keydb = sftk_getKeyDB(slot); + if (dbHandle == keydb) { + CK_ULONG i; + for (i = 0; i < ulCount; i++) { + if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) { + crv = CKR_ATTRIBUTE_SENSITIVE; + if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) { + PORT_Memset(pTemplate[i].pValue, 0, + pTemplate[i].ulValueLen); + } + pTemplate[i].ulValueLen = -1; + } + } + } + + sftk_freeDB(dbHandle); + if (keydb) { + sftk_freeDB(keydb); + } + return crv; +} + +/* NSC_GetAttributeValue obtains the value of one or more object attributes. 
*/ +CK_RV +NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) +{ + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + SFTKSession *session; + SFTKObject *object; + SFTKAttribute *attribute; + PRBool sensitive, isLoggedIn, needLogin; + CK_RV crv; + int i; + + CHECK_FORK(); + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + /* + * make sure we're allowed + */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + + /* short circuit everything for token objects */ + if (sftk_isToken(hObject)) { + crv = nsc_GetTokenAttributeValue(session, hObject, pTemplate, ulCount); + sftk_FreeSession(session); + return crv; + } + + /* handle the session object */ + object = sftk_ObjectFromHandle(hObject, session); + sftk_FreeSession(session); + if (object == NULL) { + return CKR_OBJECT_HANDLE_INVALID; + } + + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + + /* don't read a private object if we aren't logged in */ + if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) { + sftk_FreeObject(object); + return CKR_USER_NOT_LOGGED_IN; + } + + crv = CKR_OK; + sensitive = sftk_isTrue(object, CKA_SENSITIVE); + for (i = 0; i < (int)ulCount; i++) { + /* Make sure that this attribute is retrievable */ + if (sensitive && sftk_isSensitive(pTemplate[i].type, object->objclass)) { + crv = CKR_ATTRIBUTE_SENSITIVE; + pTemplate[i].ulValueLen = -1; + continue; + } + attribute = sftk_FindAttribute(object, pTemplate[i].type); + if (attribute == NULL) { + crv = CKR_ATTRIBUTE_TYPE_INVALID; + pTemplate[i].ulValueLen = -1; + continue; + } + if (pTemplate[i].pValue != NULL) { + PORT_Memcpy(pTemplate[i].pValue, attribute->attrib.pValue, + attribute->attrib.ulValueLen); + } + pTemplate[i].ulValueLen = attribute->attrib.ulValueLen; + sftk_FreeAttribute(attribute); + } + + 
sftk_FreeObject(object); + return crv; +} + +/* NSC_SetAttributeValue modifies the value of one or more object attributes */ +CK_RV +NSC_SetAttributeValue(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) +{ + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + SFTKSession *session; + SFTKAttribute *attribute; + SFTKObject *object; + PRBool isToken, isLoggedIn, needLogin; + CK_RV crv = CKR_OK; + CK_BBOOL legal; + int i; + + CHECK_FORK(); + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + /* + * make sure we're allowed + */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + + object = sftk_ObjectFromHandle(hObject, session); + if (object == NULL) { + sftk_FreeSession(session); + return CKR_OBJECT_HANDLE_INVALID; + } + + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + + /* don't modify a private object if we aren't logged in */ + if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) { + sftk_FreeSession(session); + sftk_FreeObject(object); + return CKR_USER_NOT_LOGGED_IN; + } + + /* don't modify a token object if we aren't in a rw session */ + isToken = sftk_isTrue(object, CKA_TOKEN); + if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) { + sftk_FreeSession(session); + sftk_FreeObject(object); + return CKR_SESSION_READ_ONLY; + } + sftk_FreeSession(session); + + /* only change modifiable objects */ + if (!sftk_isTrue(object, CKA_MODIFIABLE)) { + sftk_FreeObject(object); + return CKR_ATTRIBUTE_READ_ONLY; + } + + for (i = 0; i < (int)ulCount; i++) { + /* Make sure that this attribute is changeable */ + switch (sftk_modifyType(pTemplate[i].type, object->objclass)) { + case SFTK_NEVER: + case SFTK_ONCOPY: + default: + crv = CKR_ATTRIBUTE_READ_ONLY; + break; + + case SFTK_SENSITIVE: + legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? 
CK_FALSE : CK_TRUE; + if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) { + crv = CKR_ATTRIBUTE_READ_ONLY; + } + break; + case SFTK_ALWAYS: + break; + } + if (crv != CKR_OK) + break; + + /* find the old attribute */ + attribute = sftk_FindAttribute(object, pTemplate[i].type); + if (attribute == NULL) { + crv = CKR_ATTRIBUTE_TYPE_INVALID; + break; + } + sftk_FreeAttribute(attribute); + crv = sftk_forceAttribute(object, sftk_attr_expand(&pTemplate[i])); + if (crv != CKR_OK) + break; + } + + sftk_FreeObject(object); + return crv; +} + +static CK_RV +sftk_expandSearchList(SFTKSearchResults *search, int count) +{ + search->array_size += count; + search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles, + sizeof(CK_OBJECT_HANDLE) * search->array_size); + return search->handles ? CKR_OK : CKR_HOST_MEMORY; +} + +static CK_RV +sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search, + const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) +{ + CK_RV crv; + int objectListSize = search->array_size - search->size; + CK_OBJECT_HANDLE *array = &search->handles[search->size]; + SDBFind *find; + CK_ULONG count; + + crv = sftkdb_FindObjectsInit(handle, pTemplate, ulCount, &find); + if (crv != CKR_OK) + return crv; + do { + crv = sftkdb_FindObjects(handle, find, array, objectListSize, &count); + if ((crv != CKR_OK) || (count == 0)) + break; + search->size += count; + objectListSize -= count; + if (objectListSize > 0) + break; + crv = sftk_expandSearchList(search, NSC_SEARCH_BLOCK_SIZE); + objectListSize = NSC_SEARCH_BLOCK_SIZE; + array = &search->handles[search->size]; + } while (crv == CKR_OK); + sftkdb_FindObjectsFinal(handle, find); + + return crv; +} + +/* softoken used to search the SMimeEntries automatically instead of + * doing this in pk11wrap. This code should really be up in + * pk11wrap so that it will work with other tokens other than softoken. 
+ */ +CK_RV +sftk_emailhack(SFTKSlot *slot, SFTKDBHandle *handle, + SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) +{ + PRBool isCert = PR_FALSE; + int emailIndex = -1; + unsigned int i; + SFTKSearchResults smime_search; + CK_ATTRIBUTE smime_template[2]; + CK_OBJECT_CLASS smime_class = CKO_NSS_SMIME; + SFTKAttribute *attribute = NULL; + SFTKObject *object = NULL; + CK_RV crv = CKR_OK; + + smime_search.handles = NULL; /* paranoia, some one is bound to add a goto + * loser before this gets initialized */ + + /* see if we are looking for email certs */ + for (i = 0; i < ulCount; i++) { + if (pTemplate[i].type == CKA_CLASS) { + if ((pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS) || + (*(CK_OBJECT_CLASS *)pTemplate[i].pValue) != CKO_CERTIFICATE)) { + /* not a cert, skip out */ + break; + } + isCert = PR_TRUE; + } else if (pTemplate[i].type == CKA_NSS_EMAIL) { + emailIndex = i; + } + if (isCert && (emailIndex != -1)) + break; + } + + if (!isCert || (emailIndex == -1)) { + return CKR_OK; + } + + /* we are doing a cert and email search, find the SMimeEntry */ + smime_template[0].type = CKA_CLASS; + smime_template[0].pValue = &smime_class; + smime_template[0].ulValueLen = sizeof(smime_class); + smime_template[1] = pTemplate[emailIndex]; + + smime_search.handles = (CK_OBJECT_HANDLE *) + PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE); + if (smime_search.handles == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + smime_search.index = 0; + smime_search.size = 0; + smime_search.array_size = NSC_SEARCH_BLOCK_SIZE; + + crv = sftk_searchDatabase(handle, &smime_search, smime_template, 2); + if (crv != CKR_OK || smime_search.size == 0) { + goto loser; + } + + /* get the SMime subject */ + object = sftk_NewTokenObject(slot, NULL, smime_search.handles[0]); + if (object == NULL) { + crv = CKR_HOST_MEMORY; /* is there any other reason for this failure? 
*/ + goto loser; + } + attribute = sftk_FindAttribute(object, CKA_SUBJECT); + if (attribute == NULL) { + crv = CKR_ATTRIBUTE_TYPE_INVALID; + goto loser; + } + + /* now find the certs with that subject */ + pTemplate[emailIndex] = attribute->attrib; + /* now add the appropriate certs to the search list */ + crv = sftk_searchDatabase(handle, search, pTemplate, ulCount); + pTemplate[emailIndex] = smime_template[1]; /* restore the user's template*/ + +loser: + if (attribute) { + sftk_FreeAttribute(attribute); + } + if (object) { + sftk_FreeObject(object); + } + if (smime_search.handles) { + PORT_Free(smime_search.handles); + } + + return crv; +} + +static void +sftk_pruneSearch(CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, + PRBool *searchCertDB, PRBool *searchKeyDB) +{ + CK_ULONG i; + + *searchCertDB = PR_TRUE; + *searchKeyDB = PR_TRUE; + for (i = 0; i < ulCount; i++) { + if (pTemplate[i].type == CKA_CLASS && pTemplate[i].pValue != NULL) { + CK_OBJECT_CLASS class = *((CK_OBJECT_CLASS *)pTemplate[i].pValue); + if (class == CKO_PRIVATE_KEY || class == CKO_SECRET_KEY) { + *searchCertDB = PR_FALSE; + } else { + *searchKeyDB = PR_FALSE; + } + break; + } + } +} + +static CK_RV +sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search, + CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, + PRBool isLoggedIn) +{ + CK_RV crv = CKR_OK; + CK_RV crv2; + PRBool searchCertDB; + PRBool searchKeyDB; + + sftk_pruneSearch(pTemplate, ulCount, &searchCertDB, &searchKeyDB); + + if (searchCertDB) { + SFTKDBHandle *certHandle = sftk_getCertDB(slot); + crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount); + crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount); + if (crv == CKR_OK) + crv = crv2; + sftk_freeDB(certHandle); + } + + if (crv == CKR_OK && isLoggedIn && searchKeyDB) { + SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); + crv = sftk_searchDatabase(keyHandle, search, pTemplate, ulCount); + sftk_freeDB(keyHandle); + } + return crv; +} + +/* NSC_FindObjectsInit 
initializes a search for token and session objects + * that match a template. */ +CK_RV +NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) +{ + SFTKSearchResults *search = NULL, *freeSearch = NULL; + SFTKSession *session = NULL; + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + CK_RV crv = CKR_OK; + PRBool isLoggedIn; + + CHECK_FORK(); + + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + crv = CKR_SESSION_HANDLE_INVALID; + goto loser; + } + + search = (SFTKSearchResults *)PORT_Alloc(sizeof(SFTKSearchResults)); + if (search == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + search->handles = (CK_OBJECT_HANDLE *) + PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE); + if (search->handles == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + search->index = 0; + search->size = 0; + search->array_size = NSC_SEARCH_BLOCK_SIZE; + + PZ_Lock(slot->slotLock); + isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn); + PZ_Unlock(slot->slotLock); + + crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn); + if (crv != CKR_OK) { + goto loser; + } + + /* build list of found objects in the session */ + crv = sftk_searchObjectList(search, slot->sessObjHashTable, + slot->sessObjHashSize, slot->objectLock, + pTemplate, ulCount, isLoggedIn); + if (crv != CKR_OK) { + goto loser; + } + + if ((freeSearch = session->search) != NULL) { + session->search = NULL; + sftk_FreeSearch(freeSearch); + } + session->search = search; + sftk_FreeSession(session); + return CKR_OK; + +loser: + if (search) { + sftk_FreeSearch(search); + } + if (session) { + sftk_FreeSession(session); + } + return crv; +} + +/* NSC_FindObjects continues a search for token and session objects + * that match a template, obtaining additional object handles. 
*/
+CK_RV
+NSC_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount,
+ CK_ULONG_PTR pulObjectCount)
+{
+ SFTKSession *session;
+ SFTKSearchResults *search;
+ int transfer;
+ int left;
+
+ CHECK_FORK();
+
+ *pulObjectCount = 0;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ if (session->search == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OK;
+ }
+ search = session->search;
+ left = session->search->size - session->search->index;
+ transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+ if (transfer > 0) {
+ PORT_Memcpy(phObject, &search->handles[search->index],
+ transfer * sizeof(CK_OBJECT_HANDLE));
+ } else {
+ *phObject = CK_INVALID_HANDLE;
+ }
+
+ search->index += transfer;
+ if (search->index == search->size) {
+ session->search = NULL;
+ sftk_FreeSearch(search);
+ }
+ *pulObjectCount = transfer;
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV
+NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTKSession *session;
+ SFTKSearchResults *search;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ search = session->search;
+ session->search = NULL;
+ sftk_FreeSession(session);
+ if (search != NULL) {
+ sftk_FreeSearch(search);
+ }
+ return CKR_OK;
+}
+
+CK_RV
+NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+ CK_VOID_PTR pReserved)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+static CK_RV
+nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ULONG ulOperationType,
+ CK_ULONG *pulFIPSStatus)
+{
+ CK_ULONG sessionState = CKS_NSS_UNINITIALIZED;
+ CK_ULONG objectState = CKS_NSS_UNINITIALIZED;
+ PRBool needSession = PR_FALSE;
+ PRBool needObject = PR_FALSE;
+ SFTKSession *session;
+ SFTKObject *object;
+
+ *pulFIPSStatus = CKS_NSS_FIPS_NOT_OK;
+
+ /* first determine what we need to look up */
+ switch (ulOperationType) {
+ case CKT_NSS_SESSION_CHECK:
+ case CKT_NSS_SESSION_LAST_CHECK:
+ needSession = PR_TRUE;
+ needObject = PR_FALSE;
+ break;
+ case CKT_NSS_OBJECT_CHECK:
+ needSession = PR_FALSE;
+ needObject = PR_TRUE;
+ break;
+ case CKT_NSS_BOTH_CHECK:
+ needSession = PR_TRUE;
+ needObject = PR_TRUE;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ /* we always need the session handle, the object handle is only
+ * meaningful if there is a session */
+ session = sftk_SessionFromHandle(hSession);
+ if (!session) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ if (needSession) {
+ if (CKT_NSS_SESSION_LAST_CHECK == ulOperationType) {
+ sessionState = session->lastOpWasFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ } else {
+ if (session->enc_context) {
+ sessionState = session->enc_context->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ }
+ if (sessionState != CKS_NSS_FIPS_NOT_OK && session->hash_context) {
+ sessionState = session->hash_context->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ }
+ /* sessionState is set to CKS_NSS_UNINITIALIZED if neither
+ * context exists */
+ }
+ }
+
+ if (needObject) {
+ object = sftk_ObjectFromHandle(hObject, session);
+ if (!object) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ objectState = object->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ sftk_FreeObject(object);
+ }
+
+ sftk_FreeSession(session);
+
+ /* If we didn't fetch the state, then it is uninitialized.
+ * The session state can also be uninitialized if there are no active
+ * crypto operations on the session. Turns out the rules for combining
+ * the states are the same whether or not the state was uninitialzed
+ * because we didn't fetch it or because there wasn't a state to fetch.
+ */
+
+ /* if the object State is uninitialized, return the state of the session. */
+ if (objectState == CKS_NSS_UNINITIALIZED) {
+ /* if they are both uninitalized, return CKS_FIPS_NOT_OK */
+ if (sessionState == CKS_NSS_UNINITIALIZED) {
+ /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */
+ return CKR_OK;
+ }
+ *pulFIPSStatus = sessionState;
+ return CKR_OK;
+ }
+ /* objectState is initialized, if sessionState is uninitialized, we can
+ * just return objectState */
+ if (sessionState == CKS_NSS_UNINITIALIZED) {
+ *pulFIPSStatus = objectState;
+ return CKR_OK;
+ }
+
+ /* they are are not equal, one must be CKS_FIPS_NOT_OK, so we return that
+ * value CKS_FIPS_NOT_OK */
+ if (objectState != sessionState) {
+ /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */
+ return CKR_OK;
+ }
+
+ /* objectState and sessionState or the same, so we can return either */
+ *pulFIPSStatus = sessionState;
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
new file mode 100644
index 0000000000..f2cc984a84
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -0,0 +1,8965 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "pkcs1sig.h"
+#include "lowkeyi.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h" /* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "cmac.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#include "prprf.h"
+#include "prenv.h"
+
+#define __PASTE(x, y) x##y
+#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_3_0 1
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ CK_RV __PASTE(NS, func)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* create a definition of SHA1 that's consistent
+ * with the rest of the CKM_SHAxxx hashes*/
+#define CKM_SHA1 CKM_SHA_1
+#define CKM_SHA1_HMAC CKM_SHA_1_HMAC
+#define CKM_SHA1_HMAC_GENERAL CKM_SHA_1_HMAC_GENERAL
+
+typedef struct {
+ PRUint8 client_version[2];
+ PRUint8 random[46];
+} SSL3RSAPreMasterSecret;
+
+static void
+sftk_Null(void *data, PRBool freeit)
+{
+ return;
+}
+
+#ifdef EC_DEBUG
+#define SEC_PRINT(str1, str2, num, sitem) \
+ printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
+ str1, str2, num, sitem->len); \
+ for (i = 0; i < sitem->len; i++) { \
+ printf("%02x:", sitem->data[i]); \
+ } \
+ printf("\n")
+#else
+#undef EC_DEBUG
+#define SEC_PRINT(a, b, c, d)
+#endif
+
+/*
+ * free routines.... Free local type allocated data, and convert
+ * other free routines to the destroy signature.
+ */
+static void
+sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
+{
+ nsslowkey_DestroyPrivateKey(key);
+}
+
+static void
+sftk_Space(void *data, PRBool freeit)
+{
+ PORT_Free(data);
+}
+
+static void
+sftk_ZSpace(void *data, PRBool freeit)
+{
+ size_t len = *(size_t *)data;
+ PORT_ZFree(data, len);
+}
+
+/*
+ * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
+ * Deprecating a full des key to 40 bit key strenth.
+ */
+static CK_RV
+sftk_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
+{
+ unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
+ unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
+ unsigned char enc_src[8];
+ unsigned char enc_dest[8];
+ unsigned int leng, i;
+ DESContext *descx;
+ SECStatus rv;
+ CK_RV crv = CKR_OK;
+
+ /* zero the parity bits */
+ for (i = 0; i < 8; i++) {
+ enc_src[i] = cdmfkey[i] & 0xfe;
+ }
+
+ /* encrypt with key 1 */
+ descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
+ if (descx == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
+ DES_DestroyContext(descx, PR_TRUE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ goto done;
+ }
+
+ /* xor source with des, zero the parity bits and deprecate the key*/
+ for (i = 0; i < 8; i++) {
+ if (i & 1) {
+ enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
+ } else {
+ enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
+ }
+ }
+
+ /* encrypt with key 2 */
+ descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
+ if (descx == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
+ DES_DestroyContext(descx, PR_TRUE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ goto done;
+ }
+
+ /* set the corret parity on our new des key */
+ sftk_FormatDESKey(deskey, 8);
+done:
+ PORT_Memset(enc_src, 0, sizeof enc_src);
+ PORT_Memset(enc_dest, 0, sizeof enc_dest);
+ return crv;
+}
+
+/* NSC_DestroyObject destroys an object. */
+CK_RV
+NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKObject *object;
+ SFTKFreeStatus status;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * This whole block just makes sure we really can destroy the
+ * requested object.
+ */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ object = sftk_ObjectFromHandle(hObject, session);
+ if (object == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ /* don't destroy a private object if we aren't logged in */
+ if ((!slot->isLoggedIn) && (slot->needLogin) &&
+ (sftk_isTrue(object, CKA_PRIVATE))) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ /* don't destroy a token object if we aren't in a rw session */
+
+ if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+ (sftk_isTrue(object, CKA_TOKEN))) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_SESSION_READ_ONLY;
+ }
+
+ sftk_DeleteObject(session, object);
+
+ sftk_FreeSession(session);
+
+ /*
+ * get some indication if the object is destroyed. Note: this is not
+ * 100%. Someone may have an object reference outstanding (though that
+ * should not be the case by here. Also note that the object is "half"
+ * destroyed. Our internal representation is destroyed, but it may still
+ * be in the data base.
+ */
+ status = sftk_FreeObject(object);
+
+ return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ * Returns true if "params" contains a valid set of PSS parameters
+ */
+static PRBool
+sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)
+{
+ if (!params) {
+ return PR_FALSE;
+ }
+ if (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
+ sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * Returns true if "params" contains a valid set of OAEP parameters
+ */
+static PRBool
+sftk_ValidateOaepParams(const CK_RSA_PKCS_OAEP_PARAMS *params)
+{
+ if (!params) {
+ return PR_FALSE;
+ }
+ /* The requirements of ulSourceLen/pSourceData come from PKCS #11, which
+ * state:
+ * If the parameter is empty, pSourceData must be NULL and
+ * ulSourceDataLen must be zero.
+ */
+ if (params->source != CKZ_DATA_SPECIFIED ||
+ (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
+ (sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
+ (params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||
+ (params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * return a context based on the SFTKContext type.
+ */
+SFTKSessionContext *
+sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)
+{
+ switch (type) {
+ case SFTK_ENCRYPT:
+ case SFTK_DECRYPT:
+ case SFTK_MESSAGE_ENCRYPT:
+ case SFTK_MESSAGE_DECRYPT:
+ return session->enc_context;
+ case SFTK_HASH:
+ return session->hash_context;
+ case SFTK_SIGN:
+ case SFTK_SIGN_RECOVER:
+ case SFTK_VERIFY:
+ case SFTK_VERIFY_RECOVER:
+ case SFTK_MESSAGE_SIGN:
+ case SFTK_MESSAGE_VERIFY:
+ return session->hash_context;
+ }
+ return NULL;
+}
+
+/*
+ * change a context based on the SFTKContext type.
+ */
+void
+sftk_SetContextByType(SFTKSession *session, SFTKContextType type,
+ SFTKSessionContext *context)
+{
+ switch (type) {
+ case SFTK_ENCRYPT:
+ case SFTK_DECRYPT:
+ case SFTK_MESSAGE_ENCRYPT:
+ case SFTK_MESSAGE_DECRYPT:
+ session->enc_context = context;
+ break;
+ case SFTK_HASH:
+ session->hash_context = context;
+ break;
+ case SFTK_SIGN:
+ case SFTK_SIGN_RECOVER:
+ case SFTK_VERIFY:
+ case SFTK_VERIFY_RECOVER:
+ case SFTK_MESSAGE_SIGN:
+ case SFTK_MESSAGE_VERIFY:
+ session->hash_context = context;
+ break;
+ }
+ return;
+}
+
+/*
+ * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
+ * and C_XXX function. The function takes a session handle, the context type,
+ * and wether or not the session needs to be multipart. It returns the context,
+ * and optionally returns the session pointer (if sessionPtr != NULL) if session
+ * pointer is returned, the caller is responsible for freeing it.
+ */
+CK_RV
+sftk_GetContext(CK_SESSION_HANDLE handle, SFTKSessionContext **contextPtr,
+ SFTKContextType type, PRBool needMulti, SFTKSession **sessionPtr)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+
+ session = sftk_SessionFromHandle(handle);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ context = sftk_ReturnContextByType(session, type);
+ /* make sure the context is valid */
+ if ((context == NULL) || (context->type != type) || (needMulti && !(context->multi))) {
+ sftk_FreeSession(session);
+ return CKR_OPERATION_NOT_INITIALIZED;
+ }
+ *contextPtr = context;
+ if (sessionPtr != NULL) {
+ *sessionPtr = session;
+ } else {
+ sftk_FreeSession(session);
+ }
+ return CKR_OK;
+}
+
+/** Terminate operation (in the PKCS#11 spec sense).
+ * Intuitive name for FreeContext/SetNullContext pair.
+ */ +void +sftk_TerminateOp(SFTKSession *session, SFTKContextType ctype, + SFTKSessionContext *context) +{ + session->lastOpWasFIPS = context->isFIPS; + sftk_FreeContext(context); + sftk_SetContextByType(session, ctype, NULL); +} + +/* + ************** Crypto Functions: Encrypt ************************ + */ + +/* + * All the NSC_InitXXX functions have a set of common checks and processing they + * all need to do at the beginning. This is done here. + */ +CK_RV +sftk_InitGeneric(SFTKSession *session, CK_MECHANISM *pMechanism, + SFTKSessionContext **contextPtr, + SFTKContextType ctype, SFTKObject **keyPtr, + CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr, + CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation) +{ + SFTKObject *key = NULL; + SFTKAttribute *att; + SFTKSessionContext *context; + + /* We can only init if there is not current context active */ + if (sftk_ReturnContextByType(session, ctype) != NULL) { + return CKR_OPERATION_ACTIVE; + } + + /* find the key */ + if (keyPtr) { + key = sftk_ObjectFromHandle(hKey, session); + if (key == NULL) { + return CKR_KEY_HANDLE_INVALID; + } + + /* make sure it's a valid key for this operation */ + if (((key->objclass != CKO_SECRET_KEY) && + (key->objclass != pubKeyType)) || + !sftk_isTrue(key, operation)) { + sftk_FreeObject(key); + return CKR_KEY_TYPE_INCONSISTENT; + } + /* get the key type */ + att = sftk_FindAttribute(key, CKA_KEY_TYPE); + if (att == NULL) { + sftk_FreeObject(key); + return CKR_KEY_TYPE_INCONSISTENT; + } + PORT_Assert(att->attrib.ulValueLen == sizeof(CK_KEY_TYPE)); + if (att->attrib.ulValueLen != sizeof(CK_KEY_TYPE)) { + sftk_FreeAttribute(att); + sftk_FreeObject(key); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE)); + sftk_FreeAttribute(att); + *keyPtr = key; + } + + /* allocate the context structure */ + context = (SFTKSessionContext *)PORT_Alloc(sizeof(SFTKSessionContext)); + if (context == NULL) { + if (key) + sftk_FreeObject(key); + 
return CKR_HOST_MEMORY; + } + context->type = ctype; + context->multi = PR_TRUE; + context->rsa = PR_FALSE; + context->cipherInfo = NULL; + context->hashInfo = NULL; + context->doPad = PR_FALSE; + context->padDataLength = 0; + context->key = key; + context->blockSize = 0; + context->maxLen = 0; + context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism, + operation, key); + *contextPtr = context; + return CKR_OK; +} + +static int +sftk_aes_mode(CK_MECHANISM_TYPE mechanism) +{ + switch (mechanism) { + case CKM_AES_CBC_PAD: + case CKM_AES_CBC: + return NSS_AES_CBC; + case CKM_AES_ECB: + return NSS_AES; + case CKM_AES_CTS: + return NSS_AES_CTS; + case CKM_AES_CTR: + return NSS_AES_CTR; + case CKM_AES_GCM: + return NSS_AES_GCM; + } + return -1; +} + +static SECStatus +sftk_RSAEncryptRaw(NSSLOWKEYPublicKey *key, unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_EncryptRaw(&key->u.rsa, output, outputLen, maxLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + + return rv; +} + +static SECStatus +sftk_RSADecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_DecryptRaw(&key->u.rsa, output, outputLen, maxLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + + return rv; +} + +static SECStatus +sftk_RSAEncrypt(NSSLOWKEYPublicKey *key, 
unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_EncryptBlock(&key->u.rsa, output, outputLen, maxLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + + return rv; +} + +static SECStatus +sftk_RSADecrypt(NSSLOWKEYPrivateKey *key, unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_DecryptBlock(&key->u.rsa, output, outputLen, maxLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + + return rv; +} + +static void +sftk_freeRSAOAEPInfo(SFTKOAEPInfo *info, PRBool freeit) +{ + PORT_ZFree(info->params.pSourceData, info->params.ulSourceDataLen); + PORT_ZFree(info, sizeof(SFTKOAEPInfo)); +} + +static SECStatus +sftk_RSAEncryptOAEP(SFTKOAEPInfo *info, unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + HASH_HashType hashAlg; + HASH_HashType maskHashAlg; + + PORT_Assert(info->key.pub->keyType == NSSLOWKEYRSAKey); + if (info->key.pub->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg); + maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf); + + return RSA_EncryptOAEP(&info->key.pub->u.rsa, hashAlg, maskHashAlg, + (const unsigned char *)info->params.pSourceData, + 
info->params.ulSourceDataLen, NULL, 0, + output, outputLen, maxLen, input, inputLen); +} + +static SECStatus +sftk_RSADecryptOAEP(SFTKOAEPInfo *info, unsigned char *output, + unsigned int *outputLen, unsigned int maxLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + HASH_HashType hashAlg; + HASH_HashType maskHashAlg; + + PORT_Assert(info->key.priv->keyType == NSSLOWKEYRSAKey); + if (info->key.priv->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg); + maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf); + + rv = RSA_DecryptOAEP(&info->key.priv->u.rsa, hashAlg, maskHashAlg, + (const unsigned char *)info->params.pSourceData, + info->params.ulSourceDataLen, + output, outputLen, maxLen, input, inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + return rv; +} + +static SFTKChaCha20Poly1305Info * +sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key, + unsigned int keyLen, + const CK_NSS_AEAD_PARAMS *params) +{ + SFTKChaCha20Poly1305Info *ctx; + + if (params->ulNonceLen != sizeof(ctx->nonce)) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return NULL; + } + + ctx = PORT_New(SFTKChaCha20Poly1305Info); + if (ctx == NULL) { + return NULL; + } + + if (ChaCha20Poly1305_InitContext(&ctx->freeblCtx, key, keyLen, + params->ulTagLen) != SECSuccess) { + PORT_Free(ctx); + return NULL; + } + + PORT_Memcpy(ctx->nonce, params->pNonce, sizeof(ctx->nonce)); + + /* AAD data and length must both be null, or both non-null. */ + PORT_Assert((params->pAAD == NULL) == (params->ulAADLen == 0)); + + if (params->ulAADLen > sizeof(ctx->ad)) { + /* Need to allocate an overflow buffer for the additional data. 
*/ + ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen); + if (!ctx->adOverflow) { + PORT_Free(ctx); + return NULL; + } + PORT_Memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen); + } else { + ctx->adOverflow = NULL; + if (params->pAAD) { + PORT_Memcpy(ctx->ad, params->pAAD, params->ulAADLen); + } + } + ctx->adLen = params->ulAADLen; + + return ctx; +} + +static void +sftk_ChaCha20Poly1305_DestroyContext(SFTKChaCha20Poly1305Info *ctx, + PRBool freeit) +{ + ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE); + if (ctx->adOverflow != NULL) { + PORT_ZFree(ctx->adOverflow, ctx->adLen); + ctx->adOverflow = NULL; + } else { + PORT_Memset(ctx->ad, 0, ctx->adLen); + } + ctx->adLen = 0; + if (freeit) { + PORT_Free(ctx); + } +} + +static SECStatus +sftk_ChaCha20Poly1305_Encrypt(const SFTKChaCha20Poly1305Info *ctx, + unsigned char *output, unsigned int *outputLen, + unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) +{ + const unsigned char *ad = ctx->adOverflow; + + if (ad == NULL) { + ad = ctx->ad; + } + + return ChaCha20Poly1305_Seal(&ctx->freeblCtx, output, outputLen, + maxOutputLen, input, inputLen, ctx->nonce, + sizeof(ctx->nonce), ad, ctx->adLen); +} + +static SECStatus +sftk_ChaCha20Poly1305_Decrypt(const SFTKChaCha20Poly1305Info *ctx, + unsigned char *output, unsigned int *outputLen, + unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) +{ + const unsigned char *ad = ctx->adOverflow; + + if (ad == NULL) { + ad = ctx->ad; + } + + return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen, + maxOutputLen, input, inputLen, ctx->nonce, + sizeof(ctx->nonce), ad, ctx->adLen); +} + +static SECStatus +sftk_ChaCha20Ctr(const SFTKChaCha20CtrInfo *ctx, + unsigned char *output, unsigned int *outputLen, + unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) +{ + if (maxOutputLen < inputLen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + 
ChaCha20_Xor(output, input, inputLen, ctx->key, + ctx->nonce, ctx->counter); + *outputLen = inputLen; + return SECSuccess; +} + +static void +sftk_ChaCha20Ctr_DestroyContext(SFTKChaCha20CtrInfo *ctx, + PRBool freeit) +{ + memset(ctx, 0, sizeof(*ctx)); + if (freeit) { + PORT_Free(ctx); + } +} + +/** NSC_CryptInit initializes an encryption/Decryption operation. + * + * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey. + * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block + * ciphers MAC'ing. + */ +CK_RV +sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey, + CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage, + SFTKContextType contextType, PRBool isEncrypt) +{ + SFTKSession *session; + SFTKObject *key; + SFTKSessionContext *context; + SFTKAttribute *att; +#ifndef NSS_DISABLE_DEPRECATED_RC2 + CK_RC2_CBC_PARAMS *rc2_param; + unsigned effectiveKeyLength; +#endif +#if NSS_SOFTOKEN_DOES_RC5 + CK_RC5_CBC_PARAMS *rc5_param; + SECItem rc5Key; +#endif + CK_NSS_GCM_PARAMS nss_gcm_param; + void *aes_param; + CK_NSS_AEAD_PARAMS nss_aead_params; + CK_NSS_AEAD_PARAMS *nss_aead_params_ptr = NULL; + CK_KEY_TYPE key_type; + CK_RV crv = CKR_OK; + unsigned char newdeskey[24]; + PRBool useNewKey = PR_FALSE; + int t; + + if (!pMechanism) { + return CKR_MECHANISM_PARAM_INVALID; + } + + crv = sftk_MechAllowsOperation(pMechanism->mechanism, mechUsage); + if (crv != CKR_OK) + return crv; + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + + crv = sftk_InitGeneric(session, pMechanism, &context, contextType, &key, + hKey, &key_type, + isEncrypt ? 
CKO_PUBLIC_KEY : CKO_PRIVATE_KEY, + keyUsage); + + if (crv != CKR_OK) { + sftk_FreeSession(session); + return crv; + } + + context->doPad = PR_FALSE; + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS: + case CKM_RSA_X_509: + if (key_type != CKK_RSA) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + context->multi = PR_FALSE; + context->rsa = PR_TRUE; + if (isEncrypt) { + NSSLOWKEYPublicKey *pubKey = sftk_GetPubKey(key, CKK_RSA, &crv); + if (pubKey == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->maxLen = nsslowkey_PublicModulusLen(pubKey); + context->cipherInfo = (void *)pubKey; + context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509 + ? sftk_RSAEncryptRaw + : sftk_RSAEncrypt); + } else { + NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key, CKK_RSA, &crv); + if (privKey == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->maxLen = nsslowkey_PrivateModulusLen(privKey); + context->cipherInfo = (void *)privKey; + context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509 + ? 
sftk_RSADecryptRaw + : sftk_RSADecrypt); + } + context->destroy = sftk_Null; + break; + case CKM_RSA_PKCS_OAEP: + if (key_type != CKK_RSA) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS) || + !sftk_ValidateOaepParams((CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + context->multi = PR_FALSE; + context->rsa = PR_TRUE; + { + SFTKOAEPInfo *info; + CK_RSA_PKCS_OAEP_PARAMS *params = + (CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter; + /* make a copy of the source data value for future + * use (once the user has reclaimed his data in pParameter)*/ + void *newSource = NULL; + if (params->pSourceData) { + newSource = PORT_Alloc(params->ulSourceDataLen); + if (newSource == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + PORT_Memcpy(newSource, params->pSourceData, params->ulSourceDataLen); + } + info = PORT_New(SFTKOAEPInfo); + if (info == NULL) { + PORT_ZFree(newSource, params->ulSourceDataLen); + crv = CKR_HOST_MEMORY; + break; + } + info->params = *params; + info->params.pSourceData = newSource; + info->isEncrypt = isEncrypt; + + /* now setup encryption and decryption contexts */ + if (isEncrypt) { + info->key.pub = sftk_GetPubKey(key, CKK_RSA, &crv); + if (info->key.pub == NULL) { + sftk_freeRSAOAEPInfo(info, PR_TRUE); + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->update = (SFTKCipher)sftk_RSAEncryptOAEP; + context->maxLen = nsslowkey_PublicModulusLen(info->key.pub); + } else { + info->key.priv = sftk_GetPrivKey(key, CKK_RSA, &crv); + if (info->key.priv == NULL) { + sftk_freeRSAOAEPInfo(info, PR_TRUE); + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->update = (SFTKCipher)sftk_RSADecryptOAEP; + context->maxLen = nsslowkey_PrivateModulusLen(info->key.priv); + } + context->cipherInfo = info; + } + context->destroy = (SFTKDestroy)sftk_freeRSAOAEPInfo; + break; +#ifndef NSS_DISABLE_DEPRECATED_RC2 + case CKM_RC2_CBC_PAD: + 
context->doPad = PR_TRUE; + /* fall thru */ + case CKM_RC2_ECB: + case CKM_RC2_CBC: + context->blockSize = 8; + if (key_type != CKK_RC2) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_CBC_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter; + effectiveKeyLength = (rc2_param->ulEffectiveBits + 7) / 8; + context->cipherInfo = + RC2_CreateContext((unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen, rc2_param->iv, + pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 : NSS_RC2_CBC, effectiveKeyLength); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? RC2_Encrypt : RC2_Decrypt); + context->destroy = (SFTKDestroy)RC2_DestroyContext; + break; +#endif /* NSS_DISABLE_DEPRECATED_RC2 */ + +#if NSS_SOFTOKEN_DOES_RC5 + case CKM_RC5_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_RC5_ECB: + case CKM_RC5_CBC: + if (key_type != CKK_RC5) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_CBC_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter; + context->blockSize = rc5_param->ulWordsize * 2; + rc5Key.data = (unsigned char *)att->attrib.pValue; + rc5Key.len = att->attrib.ulValueLen; + context->cipherInfo = RC5_CreateContext(&rc5Key, rc5_param->ulRounds, + rc5_param->ulWordsize, rc5_param->pIv, + pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? 
RC5_Encrypt : RC5_Decrypt); + context->destroy = (SFTKDestroy)RC5_DestroyContext; + break; +#endif + case CKM_RC4: + if (key_type != CKK_RC4) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = + RC4_CreateContext((unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; /* WRONG !!! */ + break; + } + context->update = (SFTKCipher)(isEncrypt ? RC4_Encrypt : RC4_Decrypt); + context->destroy = (SFTKDestroy)RC4_DestroyContext; + break; + case CKM_CDMF_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_CDMF_ECB: + case CKM_CDMF_CBC: + if (key_type != CKK_CDMF) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC; + goto finish_des; + case CKM_DES_ECB: + if (key_type != CKK_DES) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + t = NSS_DES; + goto finish_des; + case CKM_DES_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_DES_CBC: + if (key_type != CKK_DES) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + t = NSS_DES_CBC; + goto finish_des; + case CKM_DES3_ECB: + if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + t = NSS_DES_EDE3; + goto finish_des; + case CKM_DES3_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_DES3_CBC: + if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + t = NSS_DES_EDE3_CBC; + finish_des: + if ((t != NSS_DES && t != NSS_DES_EDE3) && (pMechanism->pParameter == NULL || + pMechanism->ulParameterLen < 8)) { + crv = CKR_DOMAIN_PARAMS_INVALID; + break; + } + context->blockSize = 8; + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + if (key_type 
== CKK_DES2 && + (t == NSS_DES_EDE3_CBC || t == NSS_DES_EDE3)) { + /* extend DES2 key to DES3 key. */ + memcpy(newdeskey, att->attrib.pValue, 16); + memcpy(newdeskey + 16, newdeskey, 8); + useNewKey = PR_TRUE; + } else if (key_type == CKK_CDMF) { + crv = sftk_cdmf2des((unsigned char *)att->attrib.pValue, newdeskey); + if (crv != CKR_OK) { + sftk_FreeAttribute(att); + break; + } + useNewKey = PR_TRUE; + } + context->cipherInfo = DES_CreateContext( + useNewKey ? newdeskey : (unsigned char *)att->attrib.pValue, + (unsigned char *)pMechanism->pParameter, t, isEncrypt); + if (useNewKey) + memset(newdeskey, 0, sizeof newdeskey); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? DES_Encrypt : DES_Decrypt); + context->destroy = (SFTKDestroy)DES_DestroyContext; + break; +#ifndef NSS_DISABLE_DEPRECATED_SEED + case CKM_SEED_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_SEED_CBC: + if (!pMechanism->pParameter || + pMechanism->ulParameterLen != 16) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + /* fall thru */ + case CKM_SEED_ECB: + context->blockSize = 16; + if (key_type != CKK_SEED) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = SEED_CreateContext( + (unsigned char *)att->attrib.pValue, + (unsigned char *)pMechanism->pParameter, + pMechanism->mechanism == CKM_SEED_ECB ? NSS_SEED : NSS_SEED_CBC, + isEncrypt); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? 
SEED_Encrypt : SEED_Decrypt); + context->destroy = (SFTKDestroy)SEED_DestroyContext; + break; +#endif /* NSS_DISABLE_DEPRECATED_SEED */ + case CKM_CAMELLIA_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_CAMELLIA_CBC: + if (!pMechanism->pParameter || + pMechanism->ulParameterLen != 16) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + /* fall thru */ + case CKM_CAMELLIA_ECB: + context->blockSize = 16; + if (key_type != CKK_CAMELLIA) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = Camellia_CreateContext( + (unsigned char *)att->attrib.pValue, + (unsigned char *)pMechanism->pParameter, + pMechanism->mechanism == + CKM_CAMELLIA_ECB + ? NSS_CAMELLIA + : NSS_CAMELLIA_CBC, + isEncrypt, att->attrib.ulValueLen); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? Camellia_Encrypt : Camellia_Decrypt); + context->destroy = (SFTKDestroy)Camellia_DestroyContext; + break; + + case CKM_AES_CBC_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_AES_ECB: + case CKM_AES_CBC: + context->blockSize = 16; + case CKM_AES_CTS: + case CKM_AES_CTR: + case CKM_AES_GCM: + aes_param = pMechanism->pParameter; + /* + * Due to a mismatch between the documentation and the header + * file, two different definitions for CK_GCM_PARAMS exist. + * The header file is normative according to Oasis, but NSS used + * the documentation. In PKCS #11 v3.0, this was reconciled in + * favor of the header file definition. To maintain binary + * compatibility, NSS now defines CK_GCM_PARAMS_V3 as the official + * version v3 (V2.4 header file) and CK_NSS_GCM_PARAMS as the + * legacy (V2.4 documentation, NSS version). CK_GCM_PARAMS + * is defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is not + * defined and CK_NSS_GCM_PARAMS if it is. 
Internally + * softoken continues to use the legacy version. The code below + * automatically detects which parameter was passed in and + * converts CK_GCM_PARAMS_V3 to the CK_NSS_GCM_PARAMS (legacy + * version) on the fly. NSS proper will eventually start + * using the CK_GCM_PARAMS_V3 version and fall back to the + * CK_NSS_GCM_PARAMS if the CK_GCM_PARAMS_V3 version fails with + * CKR_MECHANISM_PARAM_INVALID. + */ + if (pMechanism->mechanism == CKM_AES_GCM) { + if (!aes_param) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + if (pMechanism->ulParameterLen == sizeof(CK_GCM_PARAMS_V3)) { + /* convert the true V3 parameters into the old NSS parameters */ + CK_GCM_PARAMS_V3 *gcm_params = (CK_GCM_PARAMS_V3 *)aes_param; + if (gcm_params->ulIvLen * 8 != gcm_params->ulIvBits) { + /* only support byte aligned IV lengths */ + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + aes_param = (void *)&nss_gcm_param; + nss_gcm_param.pIv = gcm_params->pIv; + nss_gcm_param.ulIvLen = gcm_params->ulIvLen; + nss_gcm_param.pAAD = gcm_params->pAAD; + nss_gcm_param.ulAADLen = gcm_params->ulAADLen; + nss_gcm_param.ulTagBits = gcm_params->ulTagBits; + } else if (pMechanism->ulParameterLen != sizeof(CK_NSS_GCM_PARAMS)) { + /* neither old nor new style params, must be invalid */ + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } else if ((pMechanism->mechanism == CKM_AES_CTR && BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CTR_PARAMS))) || + ((pMechanism->mechanism == CKM_AES_CBC || pMechanism->mechanism == CKM_AES_CTS) && BAD_PARAM_CAST(pMechanism, AES_BLOCK_SIZE))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + + if (pMechanism->mechanism == CKM_AES_GCM) { + context->multi = PR_FALSE; + } + if (key_type != CKK_AES) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = AES_CreateContext( + (unsigned char *)att->attrib.pValue, + (unsigned char 
*)aes_param, + sftk_aes_mode(pMechanism->mechanism), + isEncrypt, att->attrib.ulValueLen, 16); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + context->update = (SFTKCipher)(isEncrypt ? AES_Encrypt : AES_Decrypt); + context->destroy = (SFTKDestroy)AES_DestroyContext; + break; + + case CKM_NSS_CHACHA20_POLY1305: + case CKM_CHACHA20_POLY1305: + if (pMechanism->mechanism == CKM_NSS_CHACHA20_POLY1305) { + if (key_type != CKK_NSS_CHACHA20) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if ((pMechanism->pParameter == NULL) || + (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + nss_aead_params_ptr = (CK_NSS_AEAD_PARAMS *)pMechanism->pParameter; + } else { + CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR chacha_poly_params; + if (key_type != CKK_CHACHA20) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if ((pMechanism->pParameter == NULL) || + (pMechanism->ulParameterLen != + sizeof(CK_SALSA20_CHACHA20_POLY1305_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + chacha_poly_params = (CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR) + pMechanism->pParameter; + nss_aead_params_ptr = &nss_aead_params; + nss_aead_params.pNonce = chacha_poly_params->pNonce; + nss_aead_params.ulNonceLen = chacha_poly_params->ulNonceLen; + nss_aead_params.pAAD = chacha_poly_params->pAAD; + nss_aead_params.ulAADLen = chacha_poly_params->ulAADLen; + nss_aead_params.ulTagLen = 16; /* Poly1305 is always 16 */ + } + + context->multi = PR_FALSE; + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = sftk_ChaCha20Poly1305_CreateContext( + (unsigned char *)att->attrib.pValue, att->attrib.ulValueLen, + nss_aead_params_ptr); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + context->update = (SFTKCipher)(isEncrypt ? 
sftk_ChaCha20Poly1305_Encrypt : sftk_ChaCha20Poly1305_Decrypt); + context->destroy = (SFTKDestroy)sftk_ChaCha20Poly1305_DestroyContext; + break; + + case CKM_NSS_CHACHA20_CTR: /* old NSS private version */ + case CKM_CHACHA20: /* PKCS #11 v3 version */ + { + unsigned char *counter; + unsigned char *nonce; + unsigned long counter_len; + unsigned long nonce_len; + context->multi = PR_FALSE; + if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) { + if (key_type != CKK_NSS_CHACHA20) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 16) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + counter_len = 4; + counter = pMechanism->pParameter; + nonce = counter + 4; + nonce_len = 12; + } else { + CK_CHACHA20_PARAMS_PTR chacha20_param_ptr; + if (key_type != CKK_CHACHA20) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != sizeof(CK_CHACHA20_PARAMS)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + chacha20_param_ptr = (CK_CHACHA20_PARAMS_PTR)pMechanism->pParameter; + if ((chacha20_param_ptr->blockCounterBits != 32) && + (chacha20_param_ptr->blockCounterBits != 64)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + counter_len = chacha20_param_ptr->blockCounterBits / PR_BITS_PER_BYTE; + counter = chacha20_param_ptr->pBlockCounter; + nonce = chacha20_param_ptr->pNonce; + nonce_len = chacha20_param_ptr->ulNonceBits / PR_BITS_PER_BYTE; + } + + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + SFTKChaCha20CtrInfo *ctx = PORT_ZNew(SFTKChaCha20CtrInfo); + if (!ctx) { + sftk_FreeAttribute(att); + crv = CKR_HOST_MEMORY; + break; + } + if (att->attrib.ulValueLen != sizeof(ctx->key)) { + sftk_FreeAttribute(att); + PORT_Free(ctx); + crv = CKR_KEY_HANDLE_INVALID; + break; + } + memcpy(ctx->key, att->attrib.pValue, att->attrib.ulValueLen); + sftk_FreeAttribute(att); + + /* make sure 
we don't overflow our parameters */ + if ((sizeof(ctx->counter) < counter_len) || + (sizeof(ctx->nonce) < nonce_len)) { + PORT_Free(ctx); + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + + /* The counter is little endian. */ + int i = 0; + for (; i < counter_len; ++i) { + ctx->counter |= (PRUint32)counter[i] << (i * 8); + } + memcpy(ctx->nonce, nonce, nonce_len); + context->cipherInfo = ctx; + context->update = (SFTKCipher)sftk_ChaCha20Ctr; + context->destroy = (SFTKDestroy)sftk_ChaCha20Ctr_DestroyContext; + break; + } + + case CKM_NSS_AES_KEY_WRAP_PAD: + case CKM_AES_KEY_WRAP_PAD: + context->doPad = PR_TRUE; + /* fall thru */ + case CKM_NSS_AES_KEY_WRAP: + case CKM_AES_KEY_WRAP: + context->blockSize = 8; + case CKM_AES_KEY_WRAP_KWP: + context->multi = PR_FALSE; + if (key_type != CKK_AES) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + context->cipherInfo = AESKeyWrap_CreateContext( + (unsigned char *)att->attrib.pValue, + (unsigned char *)pMechanism->pParameter, + isEncrypt, att->attrib.ulValueLen); + sftk_FreeAttribute(att); + if (context->cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + if (pMechanism->mechanism == CKM_AES_KEY_WRAP_KWP) { + context->update = (SFTKCipher)(isEncrypt ? AESKeyWrap_EncryptKWP + : AESKeyWrap_DecryptKWP); + } else { + context->update = (SFTKCipher)(isEncrypt ? AESKeyWrap_Encrypt + : AESKeyWrap_Decrypt); + } + context->destroy = (SFTKDestroy)AESKeyWrap_DestroyContext; + break; + + default: + crv = CKR_MECHANISM_INVALID; + break; + } + + if (crv != CKR_OK) { + sftk_FreeContext(context); + sftk_FreeSession(session); + return crv; + } + sftk_SetContextByType(session, contextType, context); + sftk_FreeSession(session); + return CKR_OK; +} + +/* NSC_EncryptInit initializes an encryption operation. 
*/ +CK_RV +NSC_EncryptInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + CHECK_FORK(); + return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, CKA_ENCRYPT, + SFTK_ENCRYPT, PR_TRUE); +} + +/* NSC_EncryptUpdate continues a multiple-part encryption operation. */ +CK_RV +NSC_EncryptUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) +{ + SFTKSessionContext *context; + unsigned int outlen, i; + unsigned int padoutlen = 0; + unsigned int maxout = *pulEncryptedPartLen; + CK_RV crv; + SECStatus rv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + + if (!pEncryptedPart) { + if (context->doPad) { + CK_ULONG totalDataAvailable = ulPartLen + context->padDataLength; + CK_ULONG blocksToSend = totalDataAvailable / context->blockSize; + + *pulEncryptedPartLen = blocksToSend * context->blockSize; + return CKR_OK; + } + *pulEncryptedPartLen = ulPartLen; + return CKR_OK; + } + + /* do padding */ + if (context->doPad) { + /* deal with previous buffered data */ + if (context->padDataLength != 0) { + /* fill in the padded to a full block size */ + for (i = context->padDataLength; + (ulPartLen != 0) && i < context->blockSize; i++) { + context->padBuf[i] = *pPart++; + ulPartLen--; + context->padDataLength++; + } + + /* not enough data to encrypt yet? 
then return */ + if (context->padDataLength != context->blockSize) { + *pulEncryptedPartLen = 0; + return CKR_OK; + } + /* encrypt the current padded data */ + rv = (*context->update)(context->cipherInfo, pEncryptedPart, + &padoutlen, maxout, context->padBuf, + context->blockSize); + if (rv != SECSuccess) { + return sftk_MapCryptError(PORT_GetError()); + } + pEncryptedPart += padoutlen; + maxout -= padoutlen; + } + /* save the residual */ + context->padDataLength = ulPartLen % context->blockSize; + if (context->padDataLength) { + PORT_Memcpy(context->padBuf, + &pPart[ulPartLen - context->padDataLength], + context->padDataLength); + ulPartLen -= context->padDataLength; + } + /* if we've exhausted our new buffer, we're done */ + if (ulPartLen == 0) { + *pulEncryptedPartLen = padoutlen; + return CKR_OK; + } + } + + /* do it: NOTE: this assumes buf size in is >= buf size out! */ + rv = (*context->update)(context->cipherInfo, pEncryptedPart, + &outlen, maxout, pPart, ulPartLen); + if (rv != SECSuccess) { + return sftk_MapCryptError(PORT_GetError()); + } + *pulEncryptedPartLen = (CK_ULONG)(outlen + padoutlen); + return CKR_OK; +} + +/* NSC_EncryptFinal finishes a multiple-part encryption operation. 
*/ +CK_RV +NSC_EncryptFinal(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int outlen, i; + unsigned int maxout = *pulLastEncryptedPartLen; + CK_RV crv; + SECStatus rv = SECSuccess; + PRBool contextFinished = PR_TRUE; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + *pulLastEncryptedPartLen = 0; + if (!pLastEncryptedPart) { + /* caller is checking the amount of remaining data */ + if (context->blockSize > 0 && context->doPad) { + *pulLastEncryptedPartLen = context->blockSize; + contextFinished = PR_FALSE; /* still have padding to go */ + } + goto finish; + } + + /* do padding */ + if (context->doPad) { + unsigned char padbyte = (unsigned char)(context->blockSize - context->padDataLength); + /* fill out rest of pad buffer with pad magic*/ + for (i = context->padDataLength; i < context->blockSize; i++) { + context->padBuf[i] = padbyte; + } + rv = (*context->update)(context->cipherInfo, pLastEncryptedPart, + &outlen, maxout, context->padBuf, context->blockSize); + if (rv == SECSuccess) + *pulLastEncryptedPartLen = (CK_ULONG)outlen; + } + +finish: + if (contextFinished) + sftk_TerminateOp(session, SFTK_ENCRYPT, context); + sftk_FreeSession(session); + return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError()); +} + +/* NSC_Encrypt encrypts single-part data. 
*/ +CK_RV +NSC_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData, + CK_ULONG_PTR pulEncryptedDataLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int outlen; + unsigned int maxoutlen = *pulEncryptedDataLen; + CK_RV crv; + CK_RV crv2; + SECStatus rv = SECSuccess; + SECItem pText; + + pText.type = siBuffer; + pText.data = pData; + pText.len = ulDataLen; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_FALSE, &session); + if (crv != CKR_OK) + return crv; + + if (!pEncryptedData) { + outlen = context->rsa ? context->maxLen : ulDataLen + 2 * context->blockSize; + goto done; + } + + if (context->doPad) { + if (context->multi) { + CK_ULONG updateLen = maxoutlen; + CK_ULONG finalLen; + /* padding is fairly complicated, have the update and final + * code deal with it */ + sftk_FreeSession(session); + crv = NSC_EncryptUpdate(hSession, pData, ulDataLen, pEncryptedData, + &updateLen); + if (crv != CKR_OK) { + updateLen = 0; + } + maxoutlen -= updateLen; + pEncryptedData += updateLen; + finalLen = maxoutlen; + crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen); + if (crv == CKR_OK && crv2 == CKR_OK) { + *pulEncryptedDataLen = updateLen + finalLen; + } + return crv == CKR_OK ? crv2 : crv; + } + /* doPad without multi means that padding must be done on the first + ** and only update. There will be no final. + */ + PORT_Assert(context->blockSize > 1); + if (context->blockSize > 1) { + CK_ULONG remainder = ulDataLen % context->blockSize; + CK_ULONG padding = context->blockSize - remainder; + pText.len += padding; + pText.data = PORT_ZAlloc(pText.len); + if (pText.data) { + memcpy(pText.data, pData, ulDataLen); + memset(pText.data + ulDataLen, padding, padding); + } else { + crv = CKR_HOST_MEMORY; + goto fail; + } + } + } + + /* do it: NOTE: this assumes buf size is big enough. 
*/ + rv = (*context->update)(context->cipherInfo, pEncryptedData, + &outlen, maxoutlen, pText.data, pText.len); + crv = (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError()); + if (pText.data != pData) + PORT_ZFree(pText.data, pText.len); +fail: + sftk_TerminateOp(session, SFTK_ENCRYPT, context); +done: + sftk_FreeSession(session); + if (crv == CKR_OK) { + *pulEncryptedDataLen = (CK_ULONG)outlen; + } + return crv; +} + +/* + ************** Crypto Functions: Decrypt ************************ + */ + +/* NSC_DecryptInit initializes a decryption operation. */ +CK_RV +NSC_DecryptInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +{ + CHECK_FORK(); + return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, CKA_DECRYPT, + SFTK_DECRYPT, PR_FALSE); +} + +/* NSC_DecryptUpdate continues a multiple-part decryption operation. */ +CK_RV +NSC_DecryptUpdate(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) +{ + SFTKSessionContext *context; + unsigned int padoutlen = 0; + unsigned int outlen; + unsigned int maxout = *pulPartLen; + CK_RV crv; + SECStatus rv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + + /* this can only happen on an NSS programming error */ + PORT_Assert((context->padDataLength == 0) || context->padDataLength == context->blockSize); + + if (context->doPad) { + /* Check the data length for block ciphers. If we are padding, + * then we must be using a block cipher. In the non-padding case + * the error will be returned by the underlying decryption + * function when we do the actual decrypt. We need to do the + * check here to avoid returning a negative length to the caller + * or reading before the beginning of the pEncryptedPart buffer. 
+ */ + if ((ulEncryptedPartLen == 0) || + (ulEncryptedPartLen % context->blockSize) != 0) { + return CKR_ENCRYPTED_DATA_LEN_RANGE; + } + } + + if (!pPart) { + if (context->doPad) { + *pulPartLen = + ulEncryptedPartLen + context->padDataLength - context->blockSize; + return CKR_OK; + } + /* for stream ciphers there is are no constraints on ulEncryptedPartLen. + * for block ciphers, it must be a multiple of blockSize. The error is + * detected when this function is called again do decrypt the output. + */ + *pulPartLen = ulEncryptedPartLen; + return CKR_OK; + } + + if (context->doPad) { + /* first decrypt our saved buffer */ + if (context->padDataLength != 0) { + rv = (*context->update)(context->cipherInfo, pPart, &padoutlen, + maxout, context->padBuf, context->blockSize); + if (rv != SECSuccess) + return sftk_MapDecryptError(PORT_GetError()); + pPart += padoutlen; + maxout -= padoutlen; + } + /* now save the final block for the next decrypt or the final */ + PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen - context->blockSize], + context->blockSize); + context->padDataLength = context->blockSize; + ulEncryptedPartLen -= context->padDataLength; + } + + /* do it: NOTE: this assumes buf size in is >= buf size out! */ + rv = (*context->update)(context->cipherInfo, pPart, &outlen, + maxout, pEncryptedPart, ulEncryptedPartLen); + if (rv != SECSuccess) { + return sftk_MapDecryptError(PORT_GetError()); + } + *pulPartLen = (CK_ULONG)(outlen + padoutlen); + return CKR_OK; +} + +/* NSC_DecryptFinal finishes a multiple-part decryption operation. 
*/ +CK_RV +NSC_DecryptFinal(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int outlen; + unsigned int maxout = *pulLastPartLen; + CK_RV crv; + SECStatus rv = SECSuccess; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + *pulLastPartLen = 0; + if (!pLastPart) { + /* caller is checking the amount of remaining data */ + if (context->padDataLength > 0) { + *pulLastPartLen = context->padDataLength; + } + goto finish; + } + + if (context->doPad) { + /* decrypt our saved buffer */ + if (context->padDataLength != 0) { + /* this assumes that pLastPart is big enough to hold the *whole* + * buffer!!! */ + rv = (*context->update)(context->cipherInfo, pLastPart, &outlen, + maxout, context->padBuf, context->blockSize); + if (rv != SECSuccess) { + crv = sftk_MapDecryptError(PORT_GetError()); + } else { + unsigned int padSize = 0; + crv = sftk_CheckCBCPadding(pLastPart, outlen, + context->blockSize, &padSize); + /* Update pulLastPartLen, in constant time, if crv is OK */ + *pulLastPartLen = PORT_CT_SEL(sftk_CKRVToMask(crv), outlen - padSize, *pulLastPartLen); + } + } + } + + sftk_TerminateOp(session, SFTK_DECRYPT, context); +finish: + sftk_FreeSession(session); + return crv; +} + +/* NSC_Decrypt decrypts encrypted data in a single part. 
*/ +CK_RV +NSC_Decrypt(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData, + CK_ULONG_PTR pulDataLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int outlen; + unsigned int maxoutlen = *pulDataLen; + CK_RV crv; + CK_RV crv2; + SECStatus rv = SECSuccess; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_FALSE, &session); + if (crv != CKR_OK) + return crv; + + if (!pData) { + *pulDataLen = (CK_ULONG)(ulEncryptedDataLen + context->blockSize); + goto done; + } + + if (context->doPad && context->multi) { + CK_ULONG updateLen = maxoutlen; + CK_ULONG finalLen; + /* padding is fairly complicated, have the update and final + * code deal with it */ + sftk_FreeSession(session); + crv = NSC_DecryptUpdate(hSession, pEncryptedData, ulEncryptedDataLen, + pData, &updateLen); + if (crv == CKR_OK) { + maxoutlen -= updateLen; + pData += updateLen; + } + finalLen = maxoutlen; + crv2 = NSC_DecryptFinal(hSession, pData, &finalLen); + if (crv == CKR_OK) { + *pulDataLen = PORT_CT_SEL(sftk_CKRVToMask(crv2), updateLen + finalLen, *pulDataLen); + return crv2; + } else { + return crv; + } + } + + rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen, + pEncryptedData, ulEncryptedDataLen); + /* XXX need to do MUCH better error mapping than this. */ + crv = (rv == SECSuccess) ? 
CKR_OK : sftk_MapDecryptError(PORT_GetError()); + if (rv == SECSuccess) { + if (context->doPad) { + unsigned int padSize = 0; + crv = sftk_CheckCBCPadding(pData, outlen, context->blockSize, + &padSize); + /* Update pulDataLen, in constant time, if crv is OK */ + *pulDataLen = PORT_CT_SEL(sftk_CKRVToMask(crv), outlen - padSize, *pulDataLen); + } else { + *pulDataLen = (CK_ULONG)outlen; + } + } + sftk_TerminateOp(session, SFTK_DECRYPT, context); +done: + sftk_FreeSession(session); + return crv; +} + +/* + ************** Crypto Functions: Digest (HASH) ************************ + */ + +/* NSC_DigestInit initializes a message-digesting operation. */ +CK_RV +NSC_DigestInit(CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism) +{ + SFTKSession *session; + SFTKSessionContext *context; + CK_RV crv = CKR_OK; + + CHECK_FORK(); + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_HASH, + NULL, 0, NULL, 0, CKA_DIGEST); + if (crv != CKR_OK) { + sftk_FreeSession(session); + return crv; + } + +#define INIT_MECH(mmm) \ + case CKM_##mmm: { \ + mmm##Context *mmm##_ctx = mmm##_NewContext(); \ + context->cipherInfo = (void *)mmm##_ctx; \ + context->cipherInfoLen = mmm##_FlattenSize(mmm##_ctx); \ + context->currentMech = CKM_##mmm; \ + context->hashUpdate = (SFTKHash)mmm##_Update; \ + context->end = (SFTKEnd)mmm##_End; \ + context->destroy = (SFTKDestroy)mmm##_DestroyContext; \ + context->maxLen = mmm##_LENGTH; \ + if (mmm##_ctx) \ + mmm##_Begin(mmm##_ctx); \ + else \ + crv = CKR_HOST_MEMORY; \ + break; \ + } + + switch (pMechanism->mechanism) { + INIT_MECH(MD2) + INIT_MECH(MD5) + INIT_MECH(SHA1) + INIT_MECH(SHA224) + INIT_MECH(SHA256) + INIT_MECH(SHA384) + INIT_MECH(SHA512) + + default: + crv = CKR_MECHANISM_INVALID; + break; + } + + if (crv != CKR_OK) { + sftk_FreeContext(context); + sftk_FreeSession(session); + return crv; + } + sftk_SetContextByType(session, 
SFTK_HASH, context); + sftk_FreeSession(session); + return CKR_OK; +} + +/* NSC_Digest digests data in a single part. */ +CK_RV +NSC_Digest(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int digestLen; + unsigned int maxout = *pulDigestLen; + CK_RV crv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_FALSE, &session); + if (crv != CKR_OK) + return crv; + + if (pDigest == NULL) { + *pulDigestLen = context->maxLen; + goto finish; + } + + /* do it: */ + (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen); + /* NOTE: this assumes buf size is bigenough for the algorithm */ + (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); + *pulDigestLen = digestLen; + + sftk_TerminateOp(session, SFTK_HASH, context); +finish: + sftk_FreeSession(session); + return CKR_OK; +} + +/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */ +CK_RV +NSC_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, + CK_ULONG ulPartLen) +{ + SFTKSessionContext *context; + CK_RV crv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + /* do it: */ + (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen); + return CKR_OK; +} + +/* NSC_DigestFinal finishes a multiple-part message-digesting operation. 
*/ +CK_RV +NSC_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + unsigned int maxout = *pulDigestLen; + unsigned int digestLen; + CK_RV crv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + if (pDigest != NULL) { + (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); + *pulDigestLen = digestLen; + sftk_TerminateOp(session, SFTK_HASH, context); + } else { + *pulDigestLen = context->maxLen; + } + + sftk_FreeSession(session); + return CKR_OK; +} + +/* + * these helper functions are used by Generic Macing and Signing functions + * that use hashes as part of their operations. + */ +#define DOSUB(mmm) \ + static CK_RV \ + sftk_doSub##mmm(SFTKSessionContext *context) \ + { \ + mmm##Context *mmm##_ctx = mmm##_NewContext(); \ + context->hashInfo = (void *)mmm##_ctx; \ + context->hashUpdate = (SFTKHash)mmm##_Update; \ + context->end = (SFTKEnd)mmm##_End; \ + context->hashdestroy = (SFTKDestroy)mmm##_DestroyContext; \ + if (!context->hashInfo) { \ + return CKR_HOST_MEMORY; \ + } \ + mmm##_Begin(mmm##_ctx); \ + return CKR_OK; \ + } + +DOSUB(MD2) +DOSUB(MD5) +DOSUB(SHA1) +DOSUB(SHA224) +DOSUB(SHA256) +DOSUB(SHA384) +DOSUB(SHA512) + +static SECStatus +sftk_SignCopy( + CK_ULONG *copyLen, + void *out, unsigned int *outLength, + unsigned int maxLength, + const unsigned char *hashResult, + unsigned int hashResultLength) +{ + unsigned int toCopy = *copyLen; + if (toCopy > maxLength) { + toCopy = maxLength; + } + if (toCopy > hashResultLength) { + toCopy = hashResultLength; + } + memcpy(out, hashResult, toCopy); + if (outLength) { + *outLength = toCopy; + } + return SECSuccess; +} + +/* Verify is just a compare for HMAC */ +static SECStatus +sftk_HMACCmp(CK_ULONG *copyLen, unsigned char *sig, unsigned int sigLen, + unsigned char *hash, unsigned int hashLen) +{ 
+ if (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) { + return SECSuccess; + } + + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; +} + +/* + * common HMAC + CMAC initialization routine + */ +static CK_RV +sftk_doMACInit(CK_MECHANISM_TYPE mech, SFTKSessionContext *session, + SFTKObject *key, CK_ULONG mac_size) +{ + CK_RV crv; + sftk_MACCtx *context; + CK_ULONG *intpointer; + PRBool isFIPS = sftk_isFIPS(key->slot->slotID); + + /* Set up the initial context. */ + crv = sftk_MAC_Create(mech, key, &context); + if (crv != CKR_OK) { + return crv; + } + + session->hashInfo = context; + session->multi = PR_TRUE; + + /* Required by FIPS 198 Section 4. Delay this check until after the MAC + * has been initialized to steal the output size of the MAC. */ + if (isFIPS && (mac_size < 4 || mac_size < context->mac_size / 2)) { + sftk_MAC_Destroy(context, PR_TRUE); + return CKR_BUFFER_TOO_SMALL; + } + + /* Configure our helper functions appropriately. Note that these casts + * ignore the return values. */ + session->hashUpdate = (SFTKHash)sftk_MAC_Update; + session->end = (SFTKEnd)sftk_MAC_Finish; + session->hashdestroy = (SFTKDestroy)sftk_MAC_Destroy; + + intpointer = PORT_New(CK_ULONG); + if (intpointer == NULL) { + sftk_MAC_Destroy(context, PR_TRUE); + return CKR_HOST_MEMORY; + } + *intpointer = mac_size; + session->cipherInfo = intpointer; + + /* Since we're only "hashing", copy the result from session->end to the + * caller using sftk_SignCopy. */ + session->update = (SFTKCipher)sftk_SignCopy; + session->verify = (SFTKVerify)sftk_HMACCmp; + session->destroy = (SFTKDestroy)sftk_Space; + + session->maxLen = context->mac_size; + + return CKR_OK; +} + +/* + * SSL Macing support. SSL Macs are inited, then update with the base + * hashing algorithm, then finalized in sign and verify + */ + +/* + * FROM SSL: + * 60 bytes is 3 times the maximum length MAC size that is supported. + * We probably should have one copy of this table. 
We still need this table + * in ssl to 'sign' the handshake hashes. + */ +static unsigned char ssl_pad_1[60] = { + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, + 0x36, 0x36, 0x36, 0x36 +}; +static unsigned char ssl_pad_2[60] = { + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, + 0x5c, 0x5c, 0x5c, 0x5c +}; + +static SECStatus +sftk_SSLMACSign(SFTKSSLMACInfo *info, unsigned char *sig, unsigned int *sigLen, + unsigned int maxLen, unsigned char *hash, unsigned int hashLen) +{ + unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH]; + unsigned int out; + + info->begin(info->hashContext); + info->update(info->hashContext, info->key, info->keySize); + info->update(info->hashContext, ssl_pad_2, info->padSize); + info->update(info->hashContext, hash, hashLen); + info->end(info->hashContext, tmpBuf, &out, SFTK_MAX_MAC_LENGTH); + PORT_Memcpy(sig, tmpBuf, info->macSize); + PORT_Memset(tmpBuf, 0, info->macSize); + *sigLen = info->macSize; + return SECSuccess; +} + +static SECStatus +sftk_SSLMACVerify(SFTKSSLMACInfo *info, unsigned char *sig, unsigned int sigLen, + unsigned char *hash, unsigned int hashLen) +{ + unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH]; + unsigned int out; + int cmp; + + info->begin(info->hashContext); + info->update(info->hashContext, info->key, info->keySize); + info->update(info->hashContext, ssl_pad_2, info->padSize); + info->update(info->hashContext, hash, hashLen); + 
info->end(info->hashContext, tmpBuf, &out, SFTK_MAX_MAC_LENGTH); + cmp = NSS_SecureMemcmp(sig, tmpBuf, info->macSize); + PORT_Memset(tmpBuf, 0, info->macSize); + return (cmp == 0) ? SECSuccess : SECFailure; +} + +/* + * common HMAC initalization routine + */ +static CK_RV +sftk_doSSLMACInit(SFTKSessionContext *context, SECOidTag oid, + SFTKObject *key, CK_ULONG mac_size) +{ + SFTKAttribute *keyval; + SFTKBegin begin; + int padSize; + SFTKSSLMACInfo *sslmacinfo; + CK_RV crv = CKR_MECHANISM_INVALID; + + if (oid == SEC_OID_SHA1) { + crv = sftk_doSubSHA1(context); + if (crv != CKR_OK) + return crv; + begin = (SFTKBegin)SHA1_Begin; + padSize = 40; + } else { + crv = sftk_doSubMD5(context); + if (crv != CKR_OK) + return crv; + begin = (SFTKBegin)MD5_Begin; + padSize = 48; + } + context->multi = PR_TRUE; + + keyval = sftk_FindAttribute(key, CKA_VALUE); + if (keyval == NULL) + return CKR_KEY_SIZE_RANGE; + + context->hashUpdate(context->hashInfo, keyval->attrib.pValue, + keyval->attrib.ulValueLen); + context->hashUpdate(context->hashInfo, ssl_pad_1, padSize); + sslmacinfo = (SFTKSSLMACInfo *)PORT_Alloc(sizeof(SFTKSSLMACInfo)); + if (sslmacinfo == NULL) { + sftk_FreeAttribute(keyval); + return CKR_HOST_MEMORY; + } + sslmacinfo->size = sizeof(SFTKSSLMACInfo); + sslmacinfo->macSize = mac_size; + sslmacinfo->hashContext = context->hashInfo; + PORT_Memcpy(sslmacinfo->key, keyval->attrib.pValue, + keyval->attrib.ulValueLen); + sslmacinfo->keySize = keyval->attrib.ulValueLen; + sslmacinfo->begin = begin; + sslmacinfo->end = context->end; + sslmacinfo->update = context->hashUpdate; + sslmacinfo->padSize = padSize; + sftk_FreeAttribute(keyval); + context->cipherInfo = (void *)sslmacinfo; + context->destroy = (SFTKDestroy)sftk_ZSpace; + context->update = (SFTKCipher)sftk_SSLMACSign; + context->verify = (SFTKVerify)sftk_SSLMACVerify; + context->maxLen = mac_size; + return CKR_OK; +} + +/* + ************** Crypto Functions: Sign ************************ + */ + +/** + * Check if We're 
using CBCMacing and initialize the session context if we are. + * @param contextType SFTK_SIGN or SFTK_VERIFY + * @param keyUsage check whether key allows this usage + */ +static CK_RV +sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage, + SFTKContextType contextType) + +{ + CK_MECHANISM cbc_mechanism; + CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE; +#ifndef NSS_DISABLE_DEPRECATED_RC2 + CK_RC2_CBC_PARAMS rc2_params; +#endif +#if NSS_SOFTOKEN_DOES_RC5 + CK_RC5_CBC_PARAMS rc5_params; + CK_RC5_MAC_GENERAL_PARAMS *rc5_mac; +#endif + unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE]; + unsigned char k2[SFTK_MAX_BLOCK_SIZE]; + unsigned char k3[SFTK_MAX_BLOCK_SIZE]; + SFTKSessionContext *context; + CK_RV crv; + unsigned int blockSize; + PRBool isXCBC = PR_FALSE; + + if (!pMechanism) { + return CKR_MECHANISM_PARAM_INVALID; + } + + switch (pMechanism->mechanism) { +#ifndef NSS_DISABLE_DEPRECATED_RC2 + case CKM_RC2_MAC_GENERAL: + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_MAC_GENERAL_PARAMS))) { + return CKR_MECHANISM_PARAM_INVALID; + } + mac_bytes = + ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength; + /* fall through */ + case CKM_RC2_MAC: + /* this works because ulEffectiveBits is in the same place in both the + * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */ + rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *) + pMechanism->pParameter) + ->ulEffectiveBits; + PORT_Memset(rc2_params.iv, 0, sizeof(rc2_params.iv)); + cbc_mechanism.mechanism = CKM_RC2_CBC; + cbc_mechanism.pParameter = &rc2_params; + cbc_mechanism.ulParameterLen = sizeof(rc2_params); + blockSize = 8; + break; +#endif /* NSS_DISABLE_DEPRECATED_RC2 */ + +#if NSS_SOFTOKEN_DOES_RC5 + case CKM_RC5_MAC_GENERAL: + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_MAC_GENERAL_PARAMS))) { + return CKR_MECHANISM_PARAM_INVALID; + } + mac_bytes = + ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength; + /* fall 
through */ + case CKM_RC5_MAC: + /* this works because ulEffectiveBits is in the same place in both the + * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */ + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_MAC_GENERAL_PARAMS))) { + return CKR_MECHANISM_PARAM_INVALID; + } + rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter; + rc5_params.ulWordsize = rc5_mac->ulWordsize; + rc5_params.ulRounds = rc5_mac->ulRounds; + rc5_params.pIv = ivBlock; + if ((blockSize = rc5_mac->ulWordsize * 2) > SFTK_MAX_BLOCK_SIZE) + return CKR_MECHANISM_PARAM_INVALID; + rc5_params.ulIvLen = blockSize; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_RC5_CBC; + cbc_mechanism.pParameter = &rc5_params; + cbc_mechanism.ulParameterLen = sizeof(rc5_params); + break; +#endif + /* add cast and idea later */ + case CKM_DES_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_DES_MAC: + blockSize = 8; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_DES_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; + case CKM_DES3_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_DES3_MAC: + blockSize = 8; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_DES3_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; + case CKM_CDMF_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_CDMF_MAC: + blockSize = 8; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_CDMF_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; +#ifndef NSS_DISABLE_DEPRECATED_SEED + case CKM_SEED_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_SEED_MAC: + blockSize = 16; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = 
CKM_SEED_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; +#endif /* NSS_DISABLE_DEPRECATED_SEED */ + case CKM_CAMELLIA_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_CAMELLIA_MAC: + blockSize = 16; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_CAMELLIA_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; + case CKM_AES_MAC_GENERAL: + mac_bytes = *(CK_ULONG *)pMechanism->pParameter; + /* fall through */ + case CKM_AES_MAC: + blockSize = 16; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_AES_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; + case CKM_AES_XCBC_MAC_96: + case CKM_AES_XCBC_MAC: + /* The only difference between CKM_AES_XCBC_MAC + * and CKM_AES_XCBC_MAC_96 is the size of the returned mac. */ + mac_bytes = pMechanism->mechanism == CKM_AES_XCBC_MAC_96 ? 12 : 16; + blockSize = 16; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_AES_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + /* is XCBC requires extra processing at the end of the operation */ + isXCBC = PR_TRUE; + /* The input key is used to generate k1, k2, and k3. k2 and k3 + * are used at the end in the pad step. k1 replaces the input + * key in the aes cbc mac */ + crv = sftk_aes_xcbc_new_keys(hSession, hKey, &hKey, k2, k3); + if (crv != CKR_OK) { + return crv; + } + break; + default: + return CKR_FUNCTION_NOT_SUPPORTED; + } + + /* if MAC size is externally supplied, it should be checked. 
+ */ + if (mac_bytes == SFTK_INVALID_MAC_SIZE) + mac_bytes = blockSize >> 1; + else { + if (mac_bytes > blockSize) { + crv = CKR_MECHANISM_PARAM_INVALID; + goto fail; + } + } + + crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, + CKA_ENCRYPT, /* CBC mech is able to ENCRYPT, not SIGN/VERIFY */ + keyUsage, contextType, PR_TRUE); + if (crv != CKR_OK) + goto fail; + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + + /* this shouldn't happen! */ + PORT_Assert(crv == CKR_OK); + if (crv != CKR_OK) + goto fail; + context->blockSize = blockSize; + context->macSize = mac_bytes; + context->isXCBC = isXCBC; + if (isXCBC) { + /* save the xcbc specific parameters */ + PORT_Memcpy(context->k2, k2, blockSize); + PORT_Memcpy(context->k3, k3, blockSize); + PORT_Memset(k2, 0, blockSize); + PORT_Memset(k3, 0, blockSize); + /* get rid of the temp key now that the context has been created */ + NSC_DestroyObject(hSession, hKey); + } + return CKR_OK; +fail: + if (isXCBC) { + PORT_Memset(k2, 0, blockSize); + PORT_Memset(k3, 0, blockSize); + NSC_DestroyObject(hSession, hKey); /* get rid of our temp key */ + } + return crv; +} + +/* + * encode RSA PKCS #1 Signature data before signing... + */ +static SECStatus +sftk_RSAHashSign(SFTKHashSignInfo *info, unsigned char *sig, + unsigned int *sigLen, unsigned int maxLen, + const unsigned char *hash, unsigned int hashLen) +{ + PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey); + if (info->key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + return RSA_HashSign(info->hashOid, info->key, sig, sigLen, maxLen, + hash, hashLen); +} + +/* XXX Old template; want to expunge it eventually. */ +static DERTemplate SECAlgorithmIDTemplate[] = { + { DER_SEQUENCE, + 0, NULL, sizeof(SECAlgorithmID) }, + { DER_OBJECT_ID, + offsetof(SECAlgorithmID, algorithm) }, + { DER_OPTIONAL | DER_ANY, + offsetof(SECAlgorithmID, parameters) }, + { 0 } +}; + +/* + * XXX OLD Template. 
Once all uses have been switched over to new one, + * remove this. + */ +static DERTemplate SGNDigestInfoTemplate[] = { + { DER_SEQUENCE, + 0, NULL, sizeof(SGNDigestInfo) }, + { DER_INLINE, + offsetof(SGNDigestInfo, digestAlgorithm), + SECAlgorithmIDTemplate }, + { DER_OCTET_STRING, + offsetof(SGNDigestInfo, digest) }, + { 0 } +}; + +/* + * encode RSA PKCS #1 Signature data before signing... + */ +SECStatus +RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, + unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, + const unsigned char *hash, unsigned int hashLen) +{ + SECStatus rv = SECFailure; + SECItem digder; + PLArenaPool *arena = NULL; + SGNDigestInfo *di = NULL; + + digder.data = NULL; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + goto loser; + } + + /* Construct digest info */ + di = SGN_CreateDigestInfo(hashOid, hash, hashLen); + if (!di) { + goto loser; + } + + /* Der encode the digest as a DigestInfo */ + rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di); + if (rv != SECSuccess) { + goto loser; + } + + /* + ** Encrypt signature after constructing appropriate PKCS#1 signature + ** block + */ + rv = RSA_Sign(&key->u.rsa, sig, sigLen, maxLen, digder.data, + digder.len); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + +loser: + SGN_DestroyDigestInfo(di); + if (arena != NULL) { + PORT_FreeArena(arena, PR_TRUE); + } + return rv; +} + +static SECStatus +sftk_RSASign(NSSLOWKEYPrivateKey *key, unsigned char *output, + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_Sign(&key->u.rsa, output, outputLen, maxOutputLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) 
{ + sftk_fatalError = PR_TRUE; + } + return rv; +} + +static SECStatus +sftk_RSASignRaw(NSSLOWKEYPrivateKey *key, unsigned char *output, + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) +{ + SECStatus rv = SECFailure; + + PORT_Assert(key->keyType == NSSLOWKEYRSAKey); + if (key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = RSA_SignRaw(&key->u.rsa, output, outputLen, maxOutputLen, input, + inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + return rv; +} + +static SECStatus +sftk_RSASignPSS(SFTKPSSSignInfo *info, unsigned char *sig, + unsigned int *sigLen, unsigned int maxLen, + const unsigned char *hash, unsigned int hashLen) +{ + SECStatus rv = SECFailure; + HASH_HashType hashAlg; + HASH_HashType maskHashAlg; + CK_RSA_PKCS_PSS_PARAMS *params = &info->params; + + PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey); + if (info->key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg); + maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf); + + rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL, + params->sLen, sig, sigLen, maxLen, hash, hashLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + return rv; +} + +static SECStatus +nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen, + void *dataBuf, unsigned int dataLen) +{ + SECItem signature, digest; + NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx; + + signature.data = (unsigned char *)sigBuf; + signature.len = sigLen; + digest.data = (unsigned char *)dataBuf; + digest.len = dataLen; + return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest); +} + +static SECStatus +nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, + unsigned int *sigLen, 
unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ SECStatus rv;
+ NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = maxSigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ *sigLen = signature.len;
+ return rv;
+}
+
+static SECStatus
+nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = sigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ return ECDSA_VerifyDigest(&(key->u.ec), &signature, &digest);
+}
+
+static SECStatus
+nsc_ECDSASignStub(void *ctx, void *sigBuf,
+ unsigned int *sigLen, unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ SECStatus rv;
+ NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = maxSigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ *sigLen = signature.len;
+ return rv;
+}
+
+/* NSC_SignInit setups up the signing operations. There are three basic
+ * types of signing:
+ * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
+ * to data in a single Sign operation (which often looks a lot like an
+ * encrypt, with data coming in and data going out).
+ * (2) Hash based signing, where we continually hash the data, then apply
+ * some sort of signature to the end.
+ * (3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
+ * and only the final block is part of the mac.
+ *
+ * For case number 3, we initialize a context much like the Encryption Context
+ * (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and
+ * C_Final by the following method... if it's not multi-part, and it's doesn't
+ * have a hash context, it must be a block Encryption CBC MAC.
+ *
+ * For case number 2, we initialize a hash structure, as well as make it
+ * multi-part. Updates are simple calls to the hash update function. Final
+ * calls the hashend, then passes the result to the 'update' function (which
+ * operates as a final signature function). In some hash based MAC'ing (as
+ * opposed to hash base signatures), the update function is can be simply a
+ * copy (as is the case with HMAC).
+ */
+CK_RV
+NSC_SignInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPrivateKey *privKey;
+ SFTKHashSignInfo *info = NULL;
+ SFTKPSSSignInfo *pinfo = NULL;
+
+ CHECK_FORK();
+
+ /* Block Cipher MACing Algorithms use a different Context init method..*/
+ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN);
+ if (crv != CKR_FUNCTION_NOT_SUPPORTED)
+ return crv;
+
+ /* we're not using a block cipher mac */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_SIGN, &key,
+ hKey, &key_type, CKO_PRIVATE_KEY, CKA_SIGN);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_FALSE;
+
+#define INIT_RSA_SIGN_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ context->update = (SFTKCipher)sftk_RSAHashSign; \
+
info = PORT_New(SFTKHashSignInfo); \
+ if (info == NULL) { \
+ crv = CKR_HOST_MEMORY; \
+ break; \
+ } \
+ info->hashOid = SEC_OID_##mmm; \
+ goto finish_rsa;
+
+ switch (pMechanism->mechanism) {
+ INIT_RSA_SIGN_MECH(MD5)
+ INIT_RSA_SIGN_MECH(MD2)
+ INIT_RSA_SIGN_MECH(SHA1)
+ INIT_RSA_SIGN_MECH(SHA224)
+ INIT_RSA_SIGN_MECH(SHA256)
+ INIT_RSA_SIGN_MECH(SHA384)
+ INIT_RSA_SIGN_MECH(SHA512)
+
+ case CKM_RSA_PKCS:
+ context->update = (SFTKCipher)sftk_RSASign;
+ goto finish_rsa;
+ case CKM_RSA_X_509:
+ context->update = (SFTKCipher)sftk_RSASignRaw;
+ finish_rsa:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ privKey = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (privKey == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ /* OK, info is allocated only if we're doing hash and sign mechanism.
+ * It's necessary to be able to set the correct OID in the final
+ * signature.
+ */
+ if (info) {
+ info->key = privKey;
+ context->cipherInfo = info;
+ context->destroy = (SFTKDestroy)sftk_Space;
+ } else {
+ context->cipherInfo = privKey;
+ context->destroy = (SFTKDestroy)sftk_Null;
+ }
+ context->maxLen = nsslowkey_PrivateModulusLen(privKey);
+ break;
+
+#define INIT_RSA_PSS_SIG_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS_PSS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ if (((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)->hashAlg != CKM_##mmm) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ goto finish_rsa_pss;
+ INIT_RSA_PSS_SIG_MECH(SHA1)
+ INIT_RSA_PSS_SIG_MECH(SHA224)
+ INIT_RSA_PSS_SIG_MECH(SHA256)
+ INIT_RSA_PSS_SIG_MECH(SHA384)
+ INIT_RSA_PSS_SIG_MECH(SHA512)
+ case CKM_RSA_PKCS_PSS:
+ finish_rsa_pss:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+
if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+ !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ pinfo = PORT_New(SFTKPSSSignInfo);
+ if (pinfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ pinfo->size = sizeof(SFTKPSSSignInfo);
+ pinfo->params = *(CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;
+ pinfo->key = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (pinfo->key == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->cipherInfo = pinfo;
+ context->destroy = (SFTKDestroy)sftk_ZSpace;
+ context->update = (SFTKCipher)sftk_RSASignPSS;
+ context->maxLen = nsslowkey_PrivateModulusLen(pinfo->key);
+ break;
+
+#define INIT_DSA_SIG_MECH(mmm) \
+ case CKM_DSA_##mmm: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ goto finish_dsa;
+ INIT_DSA_SIG_MECH(SHA1)
+ INIT_DSA_SIG_MECH(SHA224)
+ INIT_DSA_SIG_MECH(SHA256)
+ INIT_DSA_SIG_MECH(SHA384)
+ INIT_DSA_SIG_MECH(SHA512)
+ case CKM_DSA:
+ finish_dsa:
+ if (key_type != CKK_DSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ privKey = sftk_GetPrivKey(key, CKK_DSA, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ context->cipherInfo = privKey;
+ context->update = (SFTKCipher)nsc_DSA_Sign_Stub;
+ context->destroy = (privKey == key->objectInfo) ?
(SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
+ context->maxLen = DSA_MAX_SIGNATURE_LEN;
+
+ break;
+
+#define INIT_ECDSA_SIG_MECH(mmm) \
+ case CKM_ECDSA_##mmm: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ goto finish_ecdsa;
+ INIT_ECDSA_SIG_MECH(SHA1)
+ INIT_ECDSA_SIG_MECH(SHA224)
+ INIT_ECDSA_SIG_MECH(SHA256)
+ INIT_ECDSA_SIG_MECH(SHA384)
+ INIT_ECDSA_SIG_MECH(SHA512)
+ case CKM_ECDSA:
+ finish_ecdsa:
+ if (key_type != CKK_EC) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ privKey = sftk_GetPrivKey(key, CKK_EC, &crv);
+ if (privKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->cipherInfo = privKey;
+ context->update = (SFTKCipher)nsc_ECDSASignStub;
+ context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
+ context->maxLen = MAX_ECKEY_LEN * 2;
+
+ break;
+
+#define INIT_HMAC_MECH(mmm) \
+ case CKM_##mmm##_HMAC_GENERAL: \
+ PORT_Assert(pMechanism->pParameter); \
+ if (!pMechanism->pParameter) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, \
+ *(CK_ULONG *)pMechanism->pParameter); \
+ break; \
+ case CKM_##mmm##_HMAC: \
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, \
+ mmm##_LENGTH); \
+ break;
+
+ INIT_HMAC_MECH(MD2)
+ INIT_HMAC_MECH(MD5)
+ INIT_HMAC_MECH(SHA1)
+ INIT_HMAC_MECH(SHA224)
+ INIT_HMAC_MECH(SHA256)
+ INIT_HMAC_MECH(SHA384)
+ INIT_HMAC_MECH(SHA512)
+
+ case CKM_AES_CMAC_GENERAL:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter || pMechanism->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_AES_CMAC:
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, AES_BLOCK_SIZE);
+ break;
+ case CKM_SSL3_MD5_MAC:
+
PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_SSL3_SHA1_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_TLS_PRF_GENERAL:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
+ break;
+ case CKM_TLS_MAC: {
+ CK_TLS_MAC_PARAMS *tls12_mac_params;
+ HASH_HashType tlsPrfHash;
+ const char *label;
+
+ if (pMechanism->ulParameterLen != sizeof(CK_TLS_MAC_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ tls12_mac_params = (CK_TLS_MAC_PARAMS *)pMechanism->pParameter;
+ if (tls12_mac_params->prfHashMechanism == CKM_TLS_PRF) {
+ /* The TLS 1.0 and 1.1 PRF */
+ tlsPrfHash = HASH_AlgNULL;
+ if (tls12_mac_params->ulMacLength != 12) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else {
+ /* The hash function for the TLS 1.2 PRF */
+ tlsPrfHash =
+ sftk_GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL ||
+ tls12_mac_params->ulMacLength < 12) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ }
+ if (tls12_mac_params->ulServerOrClient == 1) {
+ label = "server finished";
+ } else if (tls12_mac_params->ulServerOrClient == 2) {
+ label = "client finished";
+ } else {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_TLSPRFInit(context, key, key_type, tlsPrfHash,
+ tls12_mac_params->ulMacLength);
+ if (crv == CKR_OK) {
+ context->hashUpdate(context->hashInfo, label, 15);
+ }
+ break;
+ }
+ case CKM_NSS_TLS_PRF_GENERAL_SHA256:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
+ break;
+
+ case CKM_NSS_HMAC_CONSTANT_TIME: {
+ sftk_MACConstantTimeCtx *ctx =
+ sftk_HMACConstantTime_New(pMechanism, key);
+ CK_ULONG *intpointer;
+
+ if (ctx == NULL) {
+ crv = CKR_ARGUMENTS_BAD;
+ break;
+ }
+ intpointer = PORT_New(CK_ULONG);
+ if (intpointer == NULL) {
+ PORT_Free(ctx);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ *intpointer = ctx->hash->length;
+
+ context->cipherInfo = intpointer;
+ context->hashInfo = ctx;
+ context->currentMech = pMechanism->mechanism;
+ context->hashUpdate = sftk_HMACConstantTime_Update;
+ context->hashdestroy = sftk_MACConstantTime_DestroyContext;
+ context->end = sftk_MACConstantTime_EndHash;
+ context->update = (SFTKCipher)sftk_SignCopy;
+ context->destroy = sftk_Space;
+ context->maxLen = 64;
+ context->multi = PR_TRUE;
+ break;
+ }
+
+ case CKM_NSS_SSL3_MAC_CONSTANT_TIME: {
+ sftk_MACConstantTimeCtx *ctx =
+ sftk_SSLv3MACConstantTime_New(pMechanism, key);
+ CK_ULONG *intpointer;
+
+ if (ctx == NULL) {
+ crv = CKR_ARGUMENTS_BAD;
+ break;
+ }
+ intpointer = PORT_New(CK_ULONG);
+ if (intpointer == NULL) {
+ PORT_Free(ctx);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ *intpointer = ctx->hash->length;
+
+ context->cipherInfo = intpointer;
+ context->hashInfo = ctx;
+ context->currentMech = pMechanism->mechanism;
+ context->hashUpdate = sftk_SSLv3MACConstantTime_Update;
+ context->hashdestroy = sftk_MACConstantTime_DestroyContext;
+ context->end = sftk_MACConstantTime_EndHash;
+ context->update = (SFTKCipher)sftk_SignCopy;
+ context->destroy = sftk_Space;
+ context->maxLen = 64;
+ context->multi = PR_TRUE;
+ break;
+ }
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ if (info)
+ PORT_Free(info);
+ if (pinfo)
+ PORT_ZFree(pinfo, pinfo->size);
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_SIGN, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/** MAC one block of data by block cipher
+ */
+static CK_RV
+sftk_MACBlock(SFTKSessionContext *ctx, void *blk)
+{
+ unsigned int outlen;
+ return (SECSuccess == (ctx->update)(ctx->cipherInfo,
ctx->macBuf, &outlen,
+ SFTK_MAX_BLOCK_SIZE, blk, ctx->blockSize))
+ ? CKR_OK
+ : sftk_MapCryptError(PORT_GetError());
+}
+
+/** MAC last (incomplete) block of data by block cipher
+ *
+ * Call once, then terminate MACing operation.
+ */
+static CK_RV
+sftk_MACFinal(SFTKSessionContext *ctx)
+{
+ unsigned int padLen = ctx->padDataLength;
+ /* pad and proceed the residual */
+ if (ctx->isXCBC) {
+ CK_RV crv = sftk_xcbc_mac_pad(ctx->padBuf, padLen, ctx->blockSize,
+ ctx->k2, ctx->k3);
+ if (crv != CKR_OK)
+ return crv;
+ return sftk_MACBlock(ctx, ctx->padBuf);
+ }
+ if (padLen) {
+ /* shd clr ctx->padLen to make sftk_MACFinal idempotent */
+ PORT_Memset(ctx->padBuf + padLen, 0, ctx->blockSize - padLen);
+ return sftk_MACBlock(ctx, ctx->padBuf);
+ } else
+ return CKR_OK;
+}
+
+/** The common implementation for {Sign,Verify}Update. (S/V only vary in their
+ * setup and final operations).
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+static CK_RV
+sftk_MACUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, SFTKContextType type)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
+ } else {
+ /* must be block cipher MACing */
+
+ unsigned int blkSize = context->blockSize;
+ unsigned char *residual = /* free room in context->padBuf */
+ context->padBuf + context->padDataLength;
+ unsigned int minInput = /* min input for MACing at least one block */
+ blkSize - context->padDataLength;
+
+ /* not enough data even for one block */
+ if (ulPartLen <= minInput) {
+ PORT_Memcpy(residual, pPart, ulPartLen);
+ context->padDataLength += ulPartLen;
+ goto cleanup;
+ }
+ /* MACing residual */
+ if (context->padDataLength) {
+ PORT_Memcpy(residual, pPart, minInput);
+
ulPartLen -= minInput;
+ pPart += minInput;
+ if (CKR_OK != (crv = sftk_MACBlock(context, context->padBuf)))
+ goto terminate;
+ }
+ /* MACing full blocks */
+ while (ulPartLen > blkSize) {
+ if (CKR_OK != (crv = sftk_MACBlock(context, pPart)))
+ goto terminate;
+ ulPartLen -= blkSize;
+ pPart += blkSize;
+ }
+ /* save the residual */
+ if ((context->padDataLength = ulPartLen))
+ PORT_Memcpy(context->padBuf, pPart, ulPartLen);
+ } /* blk cipher MACing */
+
+ goto cleanup;
+
+terminate:
+ sftk_TerminateOp(session, type, context);
+cleanup:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+CK_RV
+NSC_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ CHECK_FORK();
+ return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
+}
+
+struct SFTK_SESSION_FLAGS {
+ CK_FLAGS flag;
+ SFTKContextType type;
+};
+
+const static struct SFTK_SESSION_FLAGS sftk_session_flags[] = {
+ { CKF_ENCRYPT, SFTK_ENCRYPT },
+ { CKF_DECRYPT, SFTK_DECRYPT },
+ { CKF_DIGEST, SFTK_HASH },
+ { CKF_SIGN, SFTK_SIGN },
+ { CKF_SIGN_RECOVER, SFTK_SIGN_RECOVER },
+ { CKF_VERIFY, SFTK_VERIFY },
+ { CKF_VERIFY_RECOVER, SFTK_VERIFY_RECOVER },
+ { CKF_MESSAGE_ENCRYPT, SFTK_MESSAGE_ENCRYPT },
+ { CKF_MESSAGE_DECRYPT, SFTK_MESSAGE_DECRYPT },
+ { CKF_MESSAGE_SIGN, SFTK_MESSAGE_SIGN },
+ { CKF_MESSAGE_VERIFY, SFTK_MESSAGE_VERIFY },
+};
+const static int sftk_flag_count = PR_ARRAY_SIZE(sftk_session_flags);
+
+/*
+ * Cancel one or more operations running on the existing session.
+ */
+CK_RV
+NSC_SessionCancel(CK_SESSION_HANDLE hSession, CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV gcrv = CKR_OK;
+ CK_RV crv;
+ int i;
+
+ for (i = 0; i < sftk_flag_count; i++) {
+ if (flags & sftk_session_flags[i].flag) {
+ flags &= ~sftk_session_flags[i].flag;
+ crv = sftk_GetContext(hSession, &context, sftk_session_flags[i].type, PR_TRUE, &session);
+ if (crv != CKR_OK) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ continue;
+ }
+ sftk_TerminateOp(session, sftk_session_flags[i].type, context);
+ }
+ }
+ if (flags & CKF_FIND_OBJECTS) {
+ flags &= ~CKF_FIND_OBJECTS;
+ crv = NSC_FindObjectsFinal(hSession);
+ if (crv != CKR_OK) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ }
+ }
+ if (flags) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ }
+ return gcrv;
+}
+
+/* NSC_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_RV
+NSC_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulSignatureLen;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_SIGN, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ unsigned int digestLen;
+ unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+
+ if (!pSignature) {
+ outlen = context->maxLen;
+ goto finish;
+ }
+ (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+ if (SECSuccess != (context->update)(context->cipherInfo, pSignature,
+ &outlen, maxoutlen, tmpbuf, digestLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ /* CKR_BUFFER_TOO_SMALL here isn't continuable, let operation terminate.
+ * Keeping "too small" CK_RV intact is a standard violation, but allows + * application read EXACT signature length */ + PORT_Memset(tmpbuf, 0, sizeof tmpbuf); + } else { + /* must be block cipher MACing */ + outlen = context->macSize; + /* null or "too small" buf doesn't terminate operation [PKCS#11,v2.11]*/ + if (!pSignature || maxoutlen < outlen) { + if (pSignature) + crv = CKR_BUFFER_TOO_SMALL; + goto finish; + } + if (CKR_OK == (crv = sftk_MACFinal(context))) + PORT_Memcpy(pSignature, context->macBuf, outlen); + } + + sftk_TerminateOp(session, SFTK_SIGN, context); +finish: + *pulSignatureLen = outlen; + sftk_FreeSession(session); + return crv; +} + +/* NSC_Sign signs (encrypts with private key) data in a single part, + * where the signature is (will be) an appendix to the data, + * and plaintext cannot be recovered from the signature */ +CK_RV +NSC_Sign(CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) +{ + SFTKSession *session; + SFTKSessionContext *context; + CK_RV crv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_SIGN, PR_FALSE, &session); + if (crv != CKR_OK) + return crv; + + if (!pSignature) { + /* see also how C_SignUpdate implements this */ + *pulSignatureLen = (!context->multi || context->hashInfo) + ? context->maxLen + : context->macSize; /* must be block cipher MACing */ + goto finish; + } + + /* multi part Signing are completely implemented by SignUpdate and + * sign Final */ + if (context->multi) { + /* SignFinal can't follow failed SignUpdate */ + if (CKR_OK == (crv = NSC_SignUpdate(hSession, pData, ulDataLen))) + crv = NSC_SignFinal(hSession, pSignature, pulSignatureLen); + } else { + /* single-part PKC signature (e.g. 
CKM_ECDSA) */
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulSignatureLen;
+ if (SECSuccess != (*context->update)(context->cipherInfo, pSignature,
+ &outlen, maxoutlen, pData, ulDataLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ *pulSignatureLen = (CK_ULONG)outlen;
+ /* "too small" here is certainly continuable */
+ if (crv != CKR_BUFFER_TOO_SMALL)
+ sftk_TerminateOp(session, SFTK_SIGN, context);
+ } /* single-part */
+
+finish:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Sign Recover ************************
+ */
+/* NSC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature.
+ * E.g. encryption with the user's private key */
+CK_RV
+NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ CHECK_FORK();
+
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ return NSC_SignInit(hSession, pMechanism, hKey);
+ default:
+ break;
+ }
+ return CKR_MECHANISM_INVALID;
+}
+
+/* NSC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature.
+ * E.g.
encryption with the user's private key */
+CK_RV
+NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+ CHECK_FORK();
+
+ return NSC_Sign(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+/*
+ ************** Crypto Functions: verify ************************
+ */
+
+/* Handle RSA Signature formatting */
+static SECStatus
+sftk_hashCheckSign(SFTKHashVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest,
+ digestLen);
+}
+
+SECStatus
+RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *digestData, unsigned int digestLen)
+{
+ unsigned char *pkcs1DigestInfoData;
+ SECItem pkcs1DigestInfo;
+ SECItem digest;
+ unsigned int bufferSize;
+ SECStatus rv;
+
+ /* pkcs1DigestInfo.data must be less than key->u.rsa.modulus.len */
+ bufferSize = key->u.rsa.modulus.len;
+ pkcs1DigestInfoData = PORT_ZAlloc(bufferSize);
+ if (!pkcs1DigestInfoData) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ pkcs1DigestInfo.data = pkcs1DigestInfoData;
+ pkcs1DigestInfo.len = bufferSize;
+
+ /* decrypt the block */
+ rv = RSA_CheckSignRecover(&key->u.rsa, pkcs1DigestInfo.data,
+ &pkcs1DigestInfo.len, pkcs1DigestInfo.len,
+ sig, sigLen);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ } else {
+ digest.data = (PRUint8 *)digestData;
+ digest.len = digestLen;
+ rv = _SGN_VerifyPKCS1DigestInfo(
+ digestOid, &digest, &pkcs1DigestInfo,
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
+ PORT_ZFree(pkcs1DigestInfoData, bufferSize);
+ return rv;
+}
+
+static
SECStatus
+sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSign(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRaw(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRaw(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignPSS(SFTKPSSVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ CK_RSA_PKCS_PSS_PARAMS *params = &info->params;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf);
+
+ return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg,
+ params->sLen, sig, sigLen, digest, digestLen);
+}
+
+/* NSC_VerifyInit initializes a verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature (e.g.
DSA) */
+CK_RV
+NSC_VerifyInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPublicKey *pubKey;
+ SFTKHashVerifyInfo *info = NULL;
+ SFTKPSSVerifyInfo *pinfo = NULL;
+
+ CHECK_FORK();
+
+ /* Block Cipher MACing Algorithms use a different Context init method..*/
+ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY);
+ if (crv != CKR_FUNCTION_NOT_SUPPORTED)
+ return crv;
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_VERIFY, &key,
+ hKey, &key_type, CKO_PUBLIC_KEY, CKA_VERIFY);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_FALSE;
+
+#define INIT_RSA_VFY_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ context->verify = (SFTKVerify)sftk_hashCheckSign; \
+ info = PORT_New(SFTKHashVerifyInfo); \
+ if (info == NULL) { \
+ crv = CKR_HOST_MEMORY; \
+ break; \
+ } \
+ info->hashOid = SEC_OID_##mmm; \
+ goto finish_rsa;
+
+ switch (pMechanism->mechanism) {
+ INIT_RSA_VFY_MECH(MD5)
+ INIT_RSA_VFY_MECH(MD2)
+ INIT_RSA_VFY_MECH(SHA1)
+ INIT_RSA_VFY_MECH(SHA224)
+ INIT_RSA_VFY_MECH(SHA256)
+ INIT_RSA_VFY_MECH(SHA384)
+ INIT_RSA_VFY_MECH(SHA512)
+
+ case CKM_RSA_PKCS:
+ context->verify = (SFTKVerify)sftk_RSACheckSign;
+ goto finish_rsa;
+ case CKM_RSA_X_509:
+ context->verify = (SFTKVerify)sftk_RSACheckSignRaw;
+ finish_rsa:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (info) {
+ info->key = pubKey;
+ context->cipherInfo = info;
+ context->destroy =
sftk_Space;
+ } else {
+ context->cipherInfo = pubKey;
+ context->destroy = sftk_Null;
+ }
+ break;
+
+ INIT_RSA_PSS_SIG_MECH(SHA1)
+ INIT_RSA_PSS_SIG_MECH(SHA224)
+ INIT_RSA_PSS_SIG_MECH(SHA256)
+ INIT_RSA_PSS_SIG_MECH(SHA384)
+ INIT_RSA_PSS_SIG_MECH(SHA512)
+ case CKM_RSA_PKCS_PSS:
+ finish_rsa_pss:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+ !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ pinfo = PORT_New(SFTKPSSVerifyInfo);
+ if (pinfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ pinfo->size = sizeof(SFTKPSSVerifyInfo);
+ pinfo->params = *(CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;
+ pinfo->key = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pinfo->key == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->cipherInfo = pinfo;
+ context->destroy = (SFTKDestroy)sftk_ZSpace;
+ context->verify = (SFTKVerify)sftk_RSACheckSignPSS;
+ break;
+
+ INIT_DSA_SIG_MECH(SHA1)
+ INIT_DSA_SIG_MECH(SHA224)
+ INIT_DSA_SIG_MECH(SHA256)
+ INIT_DSA_SIG_MECH(SHA384)
+ INIT_DSA_SIG_MECH(SHA512)
+ case CKM_DSA:
+ finish_dsa:
+ if (key_type != CKK_DSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ pubKey = sftk_GetPubKey(key, CKK_DSA, &crv);
+ if (pubKey == NULL) {
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
+ context->destroy = sftk_Null;
+ break;
+
+ INIT_ECDSA_SIG_MECH(SHA1)
+ INIT_ECDSA_SIG_MECH(SHA224)
+ INIT_ECDSA_SIG_MECH(SHA256)
+ INIT_ECDSA_SIG_MECH(SHA384)
+ INIT_ECDSA_SIG_MECH(SHA512)
+ case CKM_ECDSA:
+ finish_ecdsa:
+ if (key_type != CKK_EC) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ pubKey = sftk_GetPubKey(key, CKK_EC, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->verify =
(SFTKVerify)nsc_ECDSAVerifyStub;
+ context->destroy = sftk_Null;
+ break;
+
+ INIT_HMAC_MECH(MD2)
+ INIT_HMAC_MECH(MD5)
+ INIT_HMAC_MECH(SHA1)
+ INIT_HMAC_MECH(SHA224)
+ INIT_HMAC_MECH(SHA256)
+ INIT_HMAC_MECH(SHA384)
+ INIT_HMAC_MECH(SHA512)
+
+ case CKM_SSL3_MD5_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_SSL3_SHA1_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_TLS_PRF_GENERAL:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
+ break;
+ case CKM_NSS_TLS_PRF_GENERAL_SHA256:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
+ break;
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ if (info)
+ PORT_Free(info);
+ if (pinfo)
+ PORT_ZFree(pinfo, pinfo->size);
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_VERIFY, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ /* multi part Verifying are completely implemented by VerifyUpdate and
+ * VerifyFinal */
+ if (context->multi) {
+ /* VerifyFinal can't
follow failed VerifyUpdate */
+ if (CKR_OK == (crv = NSC_VerifyUpdate(hSession, pData, ulDataLen)))
+ crv = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen);
+ } else {
+ if (SECSuccess != (*context->verify)(context->cipherInfo, pSignature,
+ ulSignatureLen, pData, ulDataLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+
+ sftk_TerminateOp(session, SFTK_VERIFY, context);
+ }
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_VerifyUpdate continues a multiple-part verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+CK_RV
+NSC_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ CHECK_FORK();
+ return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
+}
+
+/* NSC_VerifyFinal finishes a multiple-part verification operation,
+ * checking the signature. */
+CK_RV
+NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ if (!pSignature)
+ return CKR_ARGUMENTS_BAD;
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ unsigned int digestLen;
+ unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+
+ (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+ if (SECSuccess != (context->verify)(context->cipherInfo, pSignature,
+ ulSignatureLen, tmpbuf, digestLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ PORT_Memset(tmpbuf, 0, sizeof tmpbuf);
+ } else if (ulSignatureLen != context->macSize) {
+ /* must be block cipher MACing */
+ crv = CKR_SIGNATURE_LEN_RANGE;
+ } else if (CKR_OK == (crv = sftk_MACFinal(context))) {
+ if (NSS_SecureMemcmp(pSignature, context->macBuf, ulSignatureLen))
+ crv =
CKR_SIGNATURE_INVALID;
+ }
+
+ sftk_TerminateOp(session, SFTK_VERIFY, context);
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Verify Recover ************************
+ */
+static SECStatus
+sftk_RSACheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecover(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRecoverRaw(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecoverRaw(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+/* NSC_VerifyRecoverInit initializes a signature verification operation,
+ * where the data is recovered from the signature.
+ * E.g. 
Decryption with the user's public key */
+CK_RV
+NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPublicKey *pubKey;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_VERIFY_RECOVER,
+ &key, hKey, &key_type, CKO_PUBLIC_KEY, CKA_VERIFY_RECOVER);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_TRUE;
+
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->multi = PR_FALSE;
+ context->rsa = PR_TRUE;
+ pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pubKey == NULL) {
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509
+ ? sftk_RSACheckSignRecoverRaw
+ : sftk_RSACheckSignRecover);
+ context->destroy = sftk_Null;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ PORT_Free(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_VerifyRecover verifies a signature in a single-part operation,
+ * where the data is recovered from the signature.
+ * E.g. 
Decryption with the user's public key */
+CK_RV
+NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulDataLen;
+ CK_RV crv;
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY_RECOVER,
+ PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+ if (pData == NULL) {
+ /* to return the actual size, we need to do the decrypt, just return
+ * the max size, which is the size of the input signature. */
+ *pulDataLen = ulSignatureLen;
+ rv = SECSuccess;
+ goto finish;
+ }
+
+ rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
+ pSignature, ulSignatureLen);
+ *pulDataLen = (CK_ULONG)outlen;
+
+ sftk_TerminateOp(session, SFTK_VERIFY_RECOVER, context);
+finish:
+ sftk_FreeSession(session);
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError());
+}
+
+/*
+ **************************** Random Functions: ************************
+ */
+
+/* NSC_SeedRandom mixes additional seed material into the token's random number
+ * generator. */
+CK_RV
+NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+ CK_ULONG ulSeedLen)
+{
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ rv = RNG_RandomUpdate(pSeed, ulSeedLen);
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
+
+/* NSC_GenerateRandom generates random data. */
+CK_RV
+NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen)
+{
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
+ /*
+ * This may fail with SEC_ERROR_NEED_RANDOM, which means the RNG isn't
+ * seeded with enough entropy.
+ */
+ return (rv == SECSuccess) ? 
CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
+
+/*
+ **************************** Key Functions: ************************
+ */
+
+/*
+ * generate a password based encryption key. This code uses
+ * PKCS5 to do the work.
+ */
+static CK_RV
+nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
+ void *buf, CK_ULONG *key_length, PRBool faulty3DES)
+{
+ SECItem *pbe_key = NULL, iv, pwitem;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+
+ *key_length = 0;
+ iv.data = NULL;
+ iv.len = 0;
+
+ if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+ pwitem.data = (unsigned char *)pbkd2_params->pPassword;
+ /* was this a typo in the PKCS #11 spec? */
+ pwitem.len = *pbkd2_params->ulPasswordLen;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ pwitem.data = (unsigned char *)pbe_params->pPassword;
+ pwitem.len = pbe_params->ulPasswordLen;
+ }
+ pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
+ if (pbe_key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
+ *key_length = pbe_key->len;
+ SECITEM_ZfreeItem(pbe_key, PR_TRUE);
+ pbe_key = NULL;
+
+ if (iv.data) {
+ if (pbe_params && pbe_params->pInitVector != NULL) {
+ PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
+ }
+ PORT_Free(iv.data);
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * this is coded for "full" support. These selections will be limitted to
+ * the official subset by freebl. 
+ */
+static unsigned int
+sftk_GetSubPrimeFromPrime(unsigned int primeBits)
+{
+ if (primeBits <= 1024) {
+ return 160;
+ } else if (primeBits <= 2048) {
+ return 224;
+ } else if (primeBits <= 3072) {
+ return 256;
+ } else if (primeBits <= 7680) {
+ return 384;
+ } else {
+ return 512;
+ }
+}
+
+static CK_RV
+nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
+{
+ SFTKAttribute *attribute;
+ CK_ULONG counter;
+ unsigned int seedBits = 0;
+ unsigned int subprimeBits = 0;
+ unsigned int primeBits;
+ unsigned int j = 8; /* default to 1024 bits */
+ CK_RV crv = CKR_OK;
+ PQGParams *params = NULL;
+ PQGVerify *vfy = NULL;
+ SECStatus rv;
+
+ attribute = sftk_FindAttribute(key, CKA_PRIME_BITS);
+ if (attribute == NULL) {
+ attribute = sftk_FindAttribute(key, CKA_PRIME);
+ if (attribute == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ } else {
+ primeBits = attribute->attrib.ulValueLen;
+ sftk_FreeAttribute(attribute);
+ }
+ } else {
+ primeBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+ if (primeBits < 1024) {
+ j = PQG_PBITS_TO_INDEX(primeBits);
+ if (j == (unsigned int)-1) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+
+ attribute = sftk_FindAttribute(key, CKA_NSS_PQG_SEED_BITS);
+ if (attribute != NULL) {
+ seedBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+
+ attribute = sftk_FindAttribute(key, CKA_SUBPRIME_BITS);
+ if (attribute != NULL) {
+ subprimeBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+
+ /* if P and Q are supplied, we want to generate a new G */
+ attribute = sftk_FindAttribute(key, CKA_PRIME);
+ if (attribute != NULL) {
+ PLArenaPool *arena;
+
+ sftk_FreeAttribute(attribute);
+ arena = PORT_NewArena(1024);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ params = PORT_ArenaAlloc(arena, sizeof(*params));
+ if (params == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ 
params->arena = arena;
+ crv = sftk_Attribute2SSecItem(arena, ¶ms->prime, key, CKA_PRIME);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_Attribute2SSecItem(arena, ¶ms->subPrime,
+ key, CKA_SUBPRIME);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ arena = PORT_NewArena(1024);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ vfy = PORT_ArenaAlloc(arena, sizeof(*vfy));
+ if (vfy == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ vfy->arena = arena;
+ crv = sftk_Attribute2SSecItem(arena, &vfy->seed, key, CKA_NSS_PQG_SEED);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_Attribute2SSecItem(arena, &vfy->h, key, CKA_NSS_PQG_H);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ sftk_DeleteAttributeType(key, CKA_PRIME);
+ sftk_DeleteAttributeType(key, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_SEED);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_H);
+ }
+
+ sftk_DeleteAttributeType(key, CKA_PRIME_BITS);
+ sftk_DeleteAttributeType(key, CKA_SUBPRIME_BITS);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_SEED_BITS);
+
+ /* use the old PQG interface if we have old input data */
+ if ((primeBits < 1024) || ((primeBits == 1024) && (subprimeBits == 0))) {
+ if (seedBits == 0) {
+ rv = PQG_ParamGen(j, ¶ms, &vfy);
+ } else {
+ rv = PQG_ParamGenSeedLen(j, seedBits / 8, ¶ms, &vfy);
+ }
+ } else {
+ if (subprimeBits == 0) {
+ subprimeBits = sftk_GetSubPrimeFromPrime(primeBits);
+ }
+ if (seedBits == 0) {
+ seedBits = primeBits;
+ }
+ rv = PQG_ParamGenV2(primeBits, subprimeBits, seedBits / 8, ¶ms, &vfy);
+ }
+
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ crv = sftk_AddAttributeType(key, CKA_PRIME,
+ params->prime.data, params->prime.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
+ params->subPrime.data, params->subPrime.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = 
sftk_AddAttributeType(key, CKA_BASE,
+ params->base.data, params->base.len);
+ if (crv != CKR_OK)
+ goto loser;
+ counter = vfy->counter;
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_COUNTER,
+ &counter, sizeof(counter));
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_SEED,
+ vfy->seed.data, vfy->seed.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_H,
+ vfy->h.data, vfy->h.len);
+ if (crv != CKR_OK)
+ goto loser;
+
+loser:
+ if (params) {
+ PQG_DestroyParams(params);
+ }
+
+ if (vfy) {
+ PQG_DestroyVerify(vfy);
+ }
+ return crv;
+}
+
+static CK_RV
+nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
+ CK_ULONG *key_length)
+{
+ CK_RV crv = CKR_OK;
+
+ switch (mechanism) {
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_KEY_GEN:
+ *key_type = CKK_RC2;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_KEY_GEN:
+ *key_type = CKK_RC5;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+#endif
+ case CKM_RC4_KEY_GEN:
+ *key_type = CKK_RC4;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_GENERIC_SECRET_KEY_GEN:
+ *key_type = CKK_GENERIC_SECRET;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_CDMF_KEY_GEN:
+ *key_type = CKK_CDMF;
+ *key_length = 8;
+ break;
+ case CKM_DES_KEY_GEN:
+ *key_type = CKK_DES;
+ *key_length = 8;
+ break;
+ case CKM_DES2_KEY_GEN:
+ *key_type = CKK_DES2;
+ *key_length = 16;
+ break;
+ case CKM_DES3_KEY_GEN:
+ *key_type = CKK_DES3;
+ *key_length = 24;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_KEY_GEN:
+ *key_type = CKK_SEED;
+ *key_length = 16;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
+ case CKM_CAMELLIA_KEY_GEN:
+ *key_type = CKK_CAMELLIA;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_AES_KEY_GEN:
+ *key_type = CKK_AES;
+ if (*key_length == 0)
+ crv = 
CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_NSS_CHACHA20_KEY_GEN:
+ *key_type = CKK_NSS_CHACHA20;
+ *key_length = 32;
+ break;
+ case CKM_CHACHA20_KEY_GEN:
+ *key_type = CKK_CHACHA20;
+ *key_length = 32;
+ break;
+ case CKM_HKDF_KEY_GEN:
+ *key_type = CKK_HKDF;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ default:
+ PORT_Assert(0);
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ return crv;
+}
+
+CK_RV
+nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
+{
+ SECItem salt;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ NSSPKCS5PBEParameter *params;
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+
+ *pbe = NULL;
+
+ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (arena == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ params = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSPKCS5PBEParameter));
+ if (params == NULL) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ params->poolp = arena;
+ params->ivLen = 0;
+ params->pbeType = NSSPKCS5_PKCS12_V2;
+ params->hashType = HASH_AlgSHA1;
+ params->encAlg = SEC_OID_SHA1; /* any invalid value */
+ params->is2KeyDES = PR_FALSE;
+ params->keyID = pbeBitGenIntegrityKey;
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ params->iter = pbe_params->ulIteration;
+
+ salt.data = (unsigned char *)pbe_params->pSalt;
+ salt.len = (unsigned int)pbe_params->ulSaltLen;
+ salt.type = siBuffer;
+ rv = SECITEM_CopyItem(arena, ¶ms->salt, &salt);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+ switch (pMechanism->mechanism) {
+ case CKM_NSS_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ params->hashType = HASH_AlgSHA1;
+ params->keyLen = 20;
+ break;
+ case CKM_NSS_PBE_MD5_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgMD5;
+ params->keyLen = 16;
+ break;
+ case 
CKM_NSS_PBE_MD2_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgMD2;
+ params->keyLen = 16;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA224;
+ params->keyLen = 28;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA256;
+ params->keyLen = 32;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA384;
+ params->keyLen = 48;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA512;
+ params->keyLen = 64;
+ break;
+ default:
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_MECHANISM_INVALID;
+ }
+ *pbe = params;
+ return CKR_OK;
+}
+
+/* maybe this should be table driven? */
+static CK_RV
+nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
+ CK_KEY_TYPE *key_type, CK_ULONG *key_length)
+{
+ CK_RV crv = CKR_OK;
+ SECOidData *oid;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ NSSPKCS5PBEParameter *params = NULL;
+ HASH_HashType hashType = HASH_AlgSHA1;
+ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+ SECItem salt;
+ CK_ULONG iteration = 0;
+
+ *pbe = NULL;
+
+ oid = SECOID_FindOIDByMechanism(pMechanism->mechanism);
+ if (oid == NULL) {
+ return CKR_MECHANISM_INVALID;
+ }
+
+ if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+ switch (pbkd2_params->prf) {
+ case CKP_PKCS5_PBKD2_HMAC_SHA1:
+ hashType = HASH_AlgSHA1;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA224:
+ hashType = HASH_AlgSHA224;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA256:
+ hashType = HASH_AlgSHA256;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA384:
+ hashType = HASH_AlgSHA384;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA512:
+ hashType = HASH_AlgSHA512;
+ break;
+ default:
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (pbkd2_params->saltSource != CKZ_SALT_SPECIFIED) {
+ return 
CKR_MECHANISM_PARAM_INVALID;
+ }
+ salt.data = (unsigned char *)pbkd2_params->pSaltSourceData;
+ salt.len = (unsigned int)pbkd2_params->ulSaltSourceDataLen;
+ iteration = pbkd2_params->iterations;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ salt.data = (unsigned char *)pbe_params->pSalt;
+ salt.len = (unsigned int)pbe_params->ulSaltLen;
+ iteration = pbe_params->ulIteration;
+ }
+ params = nsspkcs5_NewParam(oid->offset, hashType, &salt, iteration);
+ if (params == NULL) {
+ return CKR_MECHANISM_INVALID;
+ }
+
+ switch (params->encAlg) {
+ case SEC_OID_DES_CBC:
+ *key_type = CKK_DES;
+ *key_length = params->keyLen;
+ break;
+ case SEC_OID_DES_EDE3_CBC:
+ *key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
+ *key_length = params->keyLen;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case SEC_OID_RC2_CBC:
+ *key_type = CKK_RC2;
+ *key_length = params->keyLen;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+ case SEC_OID_RC4:
+ *key_type = CKK_RC4;
+ *key_length = params->keyLen;
+ break;
+ case SEC_OID_PKCS5_PBKDF2:
+ /* key type must already be set */
+ if (*key_type == CKK_INVALID_KEY_TYPE) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ /* PBKDF2 needs to calculate the key length from the other parameters
+ */
+ if (*key_length == 0) {
+ *key_length = sftk_MapKeySize(*key_type);
+ }
+ if (*key_length == 0) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ params->keyLen = *key_length;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+ if (crv == CKR_OK) {
+ *pbe = params;
+ } else {
+ nsspkcs5_DestroyPBEParameter(params);
+ }
+ return crv;
+}
+
+/* NSC_GenerateKey generates a secret key, creating a new key object. 
*/
+CK_RV
+NSC_GenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKObject *key;
+ SFTKSession *session;
+ PRBool checkWeak = PR_FALSE;
+ CK_ULONG key_length = 0;
+ CK_KEY_TYPE key_type = CKK_INVALID_KEY_TYPE;
+ CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ NSSPKCS5PBEParameter *pbe_param = NULL;
+ int i;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ unsigned char buf[MAX_KEY_LEN];
+ enum { nsc_pbe,
+ nsc_ssl,
+ nsc_bulk,
+ nsc_param,
+ nsc_jpake } key_gen_type;
+ SSL3RSAPreMasterSecret *rsa_pms;
+ CK_VERSION *version;
+ /* in very old versions of NSS, there were implementation errors with key
+ * generation methods. We want to beable to read these, but not
+ * produce them any more. The affected algorithm was 3DES.
+ */
+ PRBool faultyPBE3DES = PR_FALSE;
+ HASH_HashType hashType = HASH_AlgNULL;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulCount; i++) {
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ key_length = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+ /* some algorithms need keytype specified */
+ if (pTemplate[i].type == CKA_KEY_TYPE) {
+ key_type = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+
+ crv = sftk_AddAttributeType(key, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK) {
+ break;
+ }
+ }
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* make sure we don't have any class, key_type, or value fields */
+ sftk_DeleteAttributeType(key, CKA_CLASS);
+ sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(key, CKA_VALUE);
+
+ /* Now Set up the parameters to generate the key 
(based on mechanism) */
+ key_gen_type = nsc_bulk; /* bulk key by default */
+ switch (pMechanism->mechanism) {
+ case CKM_CDMF_KEY_GEN:
+ case CKM_DES_KEY_GEN:
+ case CKM_DES2_KEY_GEN:
+ case CKM_DES3_KEY_GEN:
+ checkWeak = PR_TRUE;
+/* fall through */
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_KEY_GEN:
+#endif
+ case CKM_RC4_KEY_GEN:
+ case CKM_GENERIC_SECRET_KEY_GEN:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_KEY_GEN:
+#endif
+ case CKM_CAMELLIA_KEY_GEN:
+ case CKM_AES_KEY_GEN:
+ case CKM_NSS_CHACHA20_KEY_GEN:
+ case CKM_CHACHA20_KEY_GEN:
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_KEY_GEN:
+#endif
+ crv = nsc_SetupBulkKeyGen(pMechanism->mechanism, &key_type, &key_length);
+ break;
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ key_type = CKK_GENERIC_SECRET;
+ key_length = 48;
+ key_gen_type = nsc_ssl;
+ break;
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ case CKM_NSS_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_NSS_PBE_MD5_HMAC_KEY_GEN:
+ case CKM_NSS_PBE_MD2_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ key_gen_type = nsc_pbe;
+ key_type = CKK_GENERIC_SECRET;
+ crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
+ break;
+ case CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC:
+ faultyPBE3DES = PR_TRUE;
+ /* fall through */
+ case CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+#endif
+ case CKM_NSS_PBE_SHA1_DES_CBC:
+ case CKM_NSS_PBE_SHA1_40_BIT_RC4:
+ case CKM_NSS_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBE_SHA1_RC4_128:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PKCS5_PBKD2:
+ key_gen_type = nsc_pbe;
+ crv = nsc_SetupPBEKeyGen(pMechanism, &pbe_param, 
&key_type, &key_length);
+ break;
+ case CKM_DSA_PARAMETER_GEN:
+ key_gen_type = nsc_param;
+ key_type = CKK_DSA;
+ objclass = CKO_DOMAIN_PARAMETERS;
+ crv = CKR_OK;
+ break;
+ case CKM_NSS_JPAKE_ROUND1_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpake1;
+ jpake1:
+ key_gen_type = nsc_jpake;
+ key_type = CKK_NSS_JPAKE_ROUND1;
+ objclass = CKO_PRIVATE_KEY;
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound1Params)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ if (sftk_isTrue(key, CKA_TOKEN)) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ crv = CKR_OK;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ /* make sure we aren't going to overflow the buffer */
+ if (sizeof(buf) < key_length) {
+ /* someone is getting pretty optimistic about how big their key can
+ * be... */
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ }
+
+ if (crv != CKR_OK) {
+ if (pbe_param) {
+ nsspkcs5_DestroyPBEParameter(pbe_param);
+ }
+ goto loser;
+ }
+
+ /* if there was no error,
+ * key_type *MUST* be set in the switch statement above */
+ PORT_Assert(key_type != CKK_INVALID_KEY_TYPE);
+
+ /*
+ * now to the actual key gen. 
+ */
+ switch (key_gen_type) {
+ case nsc_pbe:
+ crv = nsc_pbe_key_gen(pbe_param, pMechanism, buf, &key_length,
+ faultyPBE3DES);
+ nsspkcs5_DestroyPBEParameter(pbe_param);
+ break;
+ case nsc_ssl:
+ rsa_pms = (SSL3RSAPreMasterSecret *)buf;
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_VERSION))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ goto loser;
+ }
+ version = (CK_VERSION *)pMechanism->pParameter;
+ rsa_pms->client_version[0] = version->major;
+ rsa_pms->client_version[1] = version->minor;
+ crv =
+ NSC_GenerateRandom(0, &rsa_pms->random[0], sizeof(rsa_pms->random));
+ break;
+ case nsc_bulk:
+ /* get the key, check for weak keys and repeat if found */
+ do {
+ crv = NSC_GenerateRandom(0, buf, key_length);
+ } while (crv == CKR_OK && checkWeak && sftk_IsWeakKey(buf, key_type));
+ break;
+ case nsc_param:
+ /* generate parameters */
+ *buf = 0;
+ crv = nsc_parameter_gen(key_type, key);
+ break;
+ case nsc_jpake:
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_NSS_JPAKERound1Params))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ goto loser;
+ }
+ crv = jpake_Round1(hashType,
+ (CK_NSS_JPAKERound1Params *)pMechanism->pParameter,
+ key);
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* Add the class, key_type, and value */
+ crv = sftk_AddAttributeType(key, CKA_CLASS, &objclass, sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ if (key_length != 0) {
+ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, key_length);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ crv = CKR_SESSION_HANDLE_INVALID;
+ goto loser;
+ }
+
+ /*
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(key, session);
+ sftk_FreeSession(session);
+ if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(key, 
CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
+ crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK) {
+ *phKey = key->handle;
+ }
+loser:
+ PORT_Memset(buf, 0, sizeof buf);
+ sftk_FreeObject(key);
+ return crv;
+}
+
+#define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */
+#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
+
+/*
+ * FIPS 140-2 pairwise consistency check utilized to validate key pair.
+ *
+ * This function returns
+ * CKR_OK if pairwise consistency check passed
+ * CKR_GENERAL_ERROR if pairwise consistency check failed
+ * other error codes if paiswise consistency check could not be
+ * performed, for example, CKR_HOST_MEMORY.
+ */
+static CK_RV
+sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot,
+ SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType)
+{
+ /*
+ * Key type Mechanism type
+ * --------------------------------
+ * For encrypt/decrypt: CKK_RSA => CKM_RSA_PKCS
+ * others => CKM_INVALID_MECHANISM
+ *
+ * For sign/verify: CKK_RSA => CKM_RSA_PKCS
+ * CKK_DSA => CKM_DSA
+ * CKK_EC => CKM_ECDSA
+ * others => CKM_INVALID_MECHANISM
+ *
+ * None of these mechanisms has a parameter.
+ *
+ * For derive CKK_DH => CKM_DH_PKCS_DERIVE
+ * CKK_EC => CKM_ECDH1_DERIVE
+ * others => CKM_INVALID_MECHANISM
+ *
+ * The parameters for these mechanisms is the public key.
+ */
+ CK_MECHANISM mech = { 0, NULL, 0 };
+
+ CK_ULONG modulusLen = 0;
+ CK_ULONG subPrimeLen = 0;
+ PRBool isEncryptable = PR_FALSE;
+ PRBool canSignVerify = PR_FALSE;
+ PRBool isDerivable = PR_FALSE;
+ CK_RV crv;
+
+ /* Variables used for Encrypt/Decrypt functions. 
*/
+ unsigned char *known_message = (unsigned char *)"Known Crypto Message";
+ unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
+ CK_ULONG bytes_decrypted;
+ unsigned char *ciphertext;
+ unsigned char *text_compared;
+ CK_ULONG bytes_encrypted;
+ CK_ULONG bytes_compared;
+ CK_ULONG pairwise_digest_length = PAIRWISE_DIGEST_LENGTH;
+
+ /* Variables used for Signature/Verification functions. */
+ /* Must be at least 256 bits for DSA2 digest */
+ unsigned char *known_digest = (unsigned char *)"Mozilla Rules the World through NSS!";
+ unsigned char *signature;
+ CK_ULONG signature_length;
+
+ if (keyType == CKK_RSA) {
+ SFTKAttribute *attribute;
+
+ /* Get modulus length of private key. */
+ attribute = sftk_FindAttribute(privateKey, CKA_MODULUS);
+ if (attribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ modulusLen = attribute->attrib.ulValueLen;
+ if (*(unsigned char *)attribute->attrib.pValue == 0) {
+ modulusLen--;
+ }
+ sftk_FreeAttribute(attribute);
+ } else if (keyType == CKK_DSA) {
+ SFTKAttribute *attribute;
+
+ /* Get subprime length of private key. */
+ attribute = sftk_FindAttribute(privateKey, CKA_SUBPRIME);
+ if (attribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ subPrimeLen = attribute->attrib.ulValueLen;
+ if (subPrimeLen > 1 && *(unsigned char *)attribute->attrib.pValue == 0) {
+ subPrimeLen--;
+ }
+ sftk_FreeAttribute(attribute);
+ }
+
+ /**************************************************/
+ /* Pairwise Consistency Check of Encrypt/Decrypt. */
+ /**************************************************/
+
+ isEncryptable = sftk_isTrue(privateKey, CKA_DECRYPT);
+
+ /*
+ * If the decryption attribute is set, attempt to encrypt
+ * with the public key and decrypt with the private key.
+ */
+ if (isEncryptable) {
+ if (keyType != CKK_RSA) {
+ return CKR_DEVICE_ERROR;
+ }
+ bytes_encrypted = modulusLen;
+ mech.mechanism = CKM_RSA_PKCS;
+
+ /* Allocate space for ciphertext. 
*/
+ ciphertext = (unsigned char *)PORT_ZAlloc(bytes_encrypted);
+ if (ciphertext == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Prepare for encryption using the public key. */
+ crv = NSC_EncryptInit(hSession, &mech, publicKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ /* Encrypt using the public key. */
+ crv = NSC_Encrypt(hSession,
+ known_message,
+ PAIRWISE_MESSAGE_LENGTH,
+ ciphertext,
+ &bytes_encrypted);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ /* Always use the smaller of these two values . . . */
+ bytes_compared = PR_MIN(bytes_encrypted, PAIRWISE_MESSAGE_LENGTH);
+
+ /*
+ * If there was a failure, the plaintext
+ * goes at the end, therefore . . .
+ */
+ text_compared = ciphertext + bytes_encrypted - bytes_compared;
+
+ /*
+ * Check to ensure that ciphertext does
+ * NOT EQUAL known input message text
+ * per FIPS PUB 140-2 directive.
+ */
+ if (PORT_Memcmp(text_compared, known_message,
+ bytes_compared) == 0) {
+ /* Set error to Invalid PRIVATE Key. */
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ PORT_Free(ciphertext);
+ return CKR_GENERAL_ERROR;
+ }
+
+ /* Prepare for decryption using the private key. */
+ crv = NSC_DecryptInit(hSession, &mech, privateKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ memset(plaintext, 0, PAIRWISE_MESSAGE_LENGTH);
+
+ /*
+ * Initialize bytes decrypted to be the
+ * expected PAIRWISE_MESSAGE_LENGTH.
+ */
+ bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
+
+ /*
+ * Decrypt using the private key.
+ * NOTE: No need to reset the
+ * value of bytes_encrypted.
+ */
+ crv = NSC_Decrypt(hSession,
+ ciphertext,
+ bytes_encrypted,
+ plaintext,
+ &bytes_decrypted);
+
+ /* Finished with ciphertext; free it. */
+ PORT_Free(ciphertext);
+
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /*
+ * Check to ensure that the output plaintext
+ * does EQUAL known input message text. 
+ */
+ if ((bytes_decrypted != PAIRWISE_MESSAGE_LENGTH) ||
+ (PORT_Memcmp(plaintext, known_message,
+ PAIRWISE_MESSAGE_LENGTH) != 0)) {
+ /* Set error to Bad PUBLIC Key. */
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ /**********************************************/
+ /* Pairwise Consistency Check of Sign/Verify. */
+ /**********************************************/
+
+ canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
+ /* Unfortunately CKA_SIGN is always true in lg dbs. We have to check the
+ * actual curve to determine if we can do sign/verify. */
+ if (canSignVerify && keyType == CKK_EC) {
+ NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(privateKey, CKK_EC, &crv);
+ if (privKey && privKey->u.ec.ecParams.name == ECCurve25519) {
+ canSignVerify = PR_FALSE;
+ }
+ }
+
+ if (canSignVerify) {
+ /* Determine length of signature. */
+ switch (keyType) {
+ case CKK_RSA:
+ signature_length = modulusLen;
+ mech.mechanism = CKM_RSA_PKCS;
+ break;
+ case CKK_DSA:
+ signature_length = DSA_MAX_SIGNATURE_LEN;
+ pairwise_digest_length = subPrimeLen;
+ mech.mechanism = CKM_DSA;
+ break;
+ case CKK_EC:
+ signature_length = MAX_ECKEY_LEN * 2;
+ mech.mechanism = CKM_ECDSA;
+ break;
+ default:
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* Allocate space for signature data. */
+ signature = (unsigned char *)PORT_ZAlloc(signature_length);
+ if (signature == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Sign the known hash using the private key. 
*/
+ crv = NSC_SignInit(hSession, &mech, privateKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ crv = NSC_Sign(hSession,
+ known_digest,
+ pairwise_digest_length,
+ signature,
+ &signature_length);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ /* detect trivial signing transforms */
+ if ((signature_length >= pairwise_digest_length) &&
+ (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
+ PORT_Free(signature);
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* Verify the known hash using the public key. */
+ crv = NSC_VerifyInit(hSession, &mech, publicKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ crv = NSC_Verify(hSession,
+ known_digest,
+ pairwise_digest_length,
+ signature,
+ signature_length);
+
+ /* Free signature data. */
+ PORT_Free(signature);
+
+ if ((crv == CKR_SIGNATURE_LEN_RANGE) ||
+ (crv == CKR_SIGNATURE_INVALID)) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+
+ /**********************************************/
+ /* Pairwise Consistency Check for Derivation */
+ /**********************************************/
+
+ isDerivable = sftk_isTrue(privateKey, CKA_DERIVE);
+
+ if (isDerivable) {
+ SFTKAttribute *pubAttribute = NULL;
+ CK_OBJECT_HANDLE newKey;
+ PRBool isFIPS = sftk_isFIPS(slot->slotID);
+ CK_RV crv2;
+ CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
+ CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
+ CK_ULONG keyLen = 128;
+ CK_BBOOL ckTrue = CK_TRUE;
+ CK_ATTRIBUTE template[] = {
+ { CKA_CLASS, &secret, sizeof(secret) },
+ { CKA_KEY_TYPE, &generic, sizeof(generic) },
+ { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
+ { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
+ };
+ CK_ULONG templateCount = PR_ARRAY_SIZE(template);
+ CK_ECDH1_DERIVE_PARAMS ecParams;
+
+ crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
+ /* FIPS 140-2 requires we verify that the resulting key
is a valid key.
+ * The easiest way to do this is to do a derive operation, which checks
+ * the validity of the key */
+
+ switch (keyType) {
+ case CKK_DH:
+ mech.mechanism = CKM_DH_PKCS_DERIVE;
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
+ if (pubAttribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ mech.pParameter = pubAttribute->attrib.pValue;
+ mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
+ break;
+ case CKK_EC:
+ mech.mechanism = CKM_ECDH1_DERIVE;
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
+ if (pubAttribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ ecParams.kdf = CKD_NULL;
+ ecParams.ulSharedDataLen = 0;
+ ecParams.pSharedData = NULL;
+ ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
+ ecParams.pPublicData = pubAttribute->attrib.pValue;
+ mech.pParameter = &ecParams;
+ mech.ulParameterLen = sizeof(ecParams);
+ break;
+ default:
+ return CKR_DEVICE_ERROR;
+ }
+
+ crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
+ if (crv != CKR_OK) {
+ sftk_FreeAttribute(pubAttribute);
+ return crv;
+ }
+ /* FIPS requires full validation, but in fipx mode NSC_Derive
+ * only does partial validation with approved primes, now handle
+ * full validation */
+ if (isFIPS && keyType == CKK_DH) {
+ SECItem pubKey;
+ SECItem prime;
+ SECItem subPrime;
+ const SECItem *subPrimePtr = &subPrime;
+
+ pubKey.data = pubAttribute->attrib.pValue;
+ pubKey.len = pubAttribute->attrib.ulValueLen;
+ prime.data = subPrime.data = NULL;
+ prime.len = subPrime.len = 0;
+ crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ /* we ignore the return code an only look at the length */
+ if (subPrime.len == 0) {
+ /* subprime not supplied, In this case look it up.
+ * This only works with approved primes, but in FIPS mode
+ * that's the only kine of prime that will get here */
+ subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
+ if (subPrimePtr == NULL) {
+ crv = CKR_GENERAL_ERROR;
+ goto done;
+ }
+ }
+ if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
+ crv = CKR_GENERAL_ERROR;
+ }
+ done:
+ SECITEM_ZfreeItem(&subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&prime, PR_FALSE);
+ }
+ /* clean up before we return */
+ sftk_FreeAttribute(pubAttribute);
+ crv2 = NSC_DestroyObject(hSession, newKey);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (crv2 != CKR_OK) {
+ return crv2;
+ }
+ }
+
+ return CKR_OK;
+}
+
+/* NSC_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_RV
+NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey)
+{
+ SFTKObject *publicKey, *privateKey;
+ SFTKSession *session;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ SECStatus rv;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+ int i;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ unsigned int bitSize;
+
+ /* RSA */
+ int public_modulus_bits = 0;
+ SECItem pubExp;
+ RSAPrivateKey *rsaPriv;
+
+ /* DSA */
+ PQGParams pqgParam;
+ DHParams dhParam;
+ DSAPrivateKey *dsaPriv;
+
+ /* Diffie Hellman */
+ DHPrivateKey *dhPriv;
+
+ /* Elliptic Curve Cryptography */
+ SECItem ecEncodedParams; /* DER Encoded parameters */
+ ECPrivateKey *ecPriv;
+ ECParams *ecParams;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ publicKey = sftk_NewObject(slot); /* fill in the handle later */
+ if (publicKey ==
NULL) { + return CKR_HOST_MEMORY; + } + + /* + * load the template values into the publicKey + */ + for (i = 0; i < (int)ulPublicKeyAttributeCount; i++) { + if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) { + public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue; + continue; + } + + crv = sftk_AddAttributeType(publicKey, + sftk_attr_expand(&pPublicKeyTemplate[i])); + if (crv != CKR_OK) + break; + } + + if (crv != CKR_OK) { + sftk_FreeObject(publicKey); + return CKR_HOST_MEMORY; + } + + privateKey = sftk_NewObject(slot); /* fill in the handle later */ + if (privateKey == NULL) { + sftk_FreeObject(publicKey); + return CKR_HOST_MEMORY; + } + /* + * now load the private key template + */ + for (i = 0; i < (int)ulPrivateKeyAttributeCount; i++) { + if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) { + continue; + } + + crv = sftk_AddAttributeType(privateKey, + sftk_attr_expand(&pPrivateKeyTemplate[i])); + if (crv != CKR_OK) + break; + } + + if (crv != CKR_OK) { + sftk_FreeObject(publicKey); + sftk_FreeObject(privateKey); + return CKR_HOST_MEMORY; + } + sftk_DeleteAttributeType(privateKey, CKA_CLASS); + sftk_DeleteAttributeType(privateKey, CKA_KEY_TYPE); + sftk_DeleteAttributeType(privateKey, CKA_VALUE); + sftk_DeleteAttributeType(publicKey, CKA_CLASS); + sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE); + sftk_DeleteAttributeType(publicKey, CKA_VALUE); + + /* Now Set up the parameters to generate the key (based on mechanism) */ + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS_KEY_PAIR_GEN: + /* format the keys */ + sftk_DeleteAttributeType(publicKey, CKA_MODULUS); + sftk_DeleteAttributeType(privateKey, CKA_NSS_DB); + sftk_DeleteAttributeType(privateKey, CKA_MODULUS); + sftk_DeleteAttributeType(privateKey, CKA_PRIVATE_EXPONENT); + sftk_DeleteAttributeType(privateKey, CKA_PUBLIC_EXPONENT); + sftk_DeleteAttributeType(privateKey, CKA_PRIME_1); + sftk_DeleteAttributeType(privateKey, CKA_PRIME_2); + sftk_DeleteAttributeType(privateKey, CKA_EXPONENT_1); + 
sftk_DeleteAttributeType(privateKey, CKA_EXPONENT_2); + sftk_DeleteAttributeType(privateKey, CKA_COEFFICIENT); + key_type = CKK_RSA; + if (public_modulus_bits == 0) { + crv = CKR_TEMPLATE_INCOMPLETE; + break; + } + if (public_modulus_bits < RSA_MIN_MODULUS_BITS) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + if (public_modulus_bits % 2 != 0) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + + /* extract the exponent */ + crv = sftk_Attribute2SSecItem(NULL, &pubExp, publicKey, CKA_PUBLIC_EXPONENT); + if (crv != CKR_OK) + break; + bitSize = sftk_GetLengthInBits(pubExp.data, pubExp.len); + if (bitSize < 2) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + SECITEM_ZfreeItem(&pubExp, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_PUBLIC_EXPONENT, + sftk_item_expand(&pubExp)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pubExp, PR_FALSE); + break; + } + + rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp); + SECITEM_ZfreeItem(&pubExp, PR_FALSE); + if (rsaPriv == NULL) { + if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + /* now fill in the RSA dependent paramenters in the public key */ + crv = sftk_AddAttributeType(publicKey, CKA_MODULUS, + sftk_item_expand(&rsaPriv->modulus)); + if (crv != CKR_OK) + goto kpg_done; + /* now fill in the RSA dependent paramenters in the private key */ + crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB, + sftk_item_expand(&rsaPriv->modulus)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_MODULUS, + sftk_item_expand(&rsaPriv->modulus)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_PRIVATE_EXPONENT, + sftk_item_expand(&rsaPriv->privateExponent)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_PRIME_1, + sftk_item_expand(&rsaPriv->prime1)); + if (crv != CKR_OK) + goto kpg_done; + crv = 
sftk_AddAttributeType(privateKey, CKA_PRIME_2, + sftk_item_expand(&rsaPriv->prime2)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_EXPONENT_1, + sftk_item_expand(&rsaPriv->exponent1)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_EXPONENT_2, + sftk_item_expand(&rsaPriv->exponent2)); + if (crv != CKR_OK) + goto kpg_done; + crv = sftk_AddAttributeType(privateKey, CKA_COEFFICIENT, + sftk_item_expand(&rsaPriv->coefficient)); + kpg_done: + /* Should zeroize the contents first, since this func doesn't. */ + PORT_FreeArena(rsaPriv->arena, PR_TRUE); + break; + case CKM_DSA_KEY_PAIR_GEN: + sftk_DeleteAttributeType(publicKey, CKA_VALUE); + sftk_DeleteAttributeType(privateKey, CKA_NSS_DB); + sftk_DeleteAttributeType(privateKey, CKA_PRIME); + sftk_DeleteAttributeType(privateKey, CKA_SUBPRIME); + sftk_DeleteAttributeType(privateKey, CKA_BASE); + key_type = CKK_DSA; + + /* extract the necessary parameters and copy them to the private key */ + crv = sftk_Attribute2SSecItem(NULL, &pqgParam.prime, publicKey, CKA_PRIME); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(NULL, &pqgParam.subPrime, publicKey, + CKA_SUBPRIME); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + break; + } + crv = sftk_Attribute2SSecItem(NULL, &pqgParam.base, publicKey, CKA_BASE); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_PRIME, + sftk_item_expand(&pqgParam.prime)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_SUBPRIME, + sftk_item_expand(&pqgParam.subPrime)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); 
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_BASE, + sftk_item_expand(&pqgParam.base)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + + /* + * these are checked by DSA_NewKey + */ + bitSize = sftk_GetLengthInBits(pqgParam.subPrime.data, + pqgParam.subPrime.len); + if ((bitSize < DSA_MIN_Q_BITS) || (bitSize > DSA_MAX_Q_BITS)) { + crv = CKR_TEMPLATE_INCOMPLETE; + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + bitSize = sftk_GetLengthInBits(pqgParam.prime.data, pqgParam.prime.len); + if ((bitSize < DSA_MIN_P_BITS) || (bitSize > DSA_MAX_P_BITS)) { + crv = CKR_TEMPLATE_INCOMPLETE; + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + bitSize = sftk_GetLengthInBits(pqgParam.base.data, pqgParam.base.len); + if ((bitSize < 2) || (bitSize > DSA_MAX_P_BITS)) { + crv = CKR_TEMPLATE_INCOMPLETE; + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + break; + } + + /* Generate the key */ + rv = DSA_NewKey(&pqgParam, &dsaPriv); + + SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE); + SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE); + + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + + /* store the generated key into the attributes */ + crv = sftk_AddAttributeType(publicKey, CKA_VALUE, + sftk_item_expand(&dsaPriv->publicValue)); + if (crv != CKR_OK) + goto dsagn_done; + + /* now fill in the RSA dependent paramenters 
in the private key */ + crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB, + sftk_item_expand(&dsaPriv->publicValue)); + if (crv != CKR_OK) + goto dsagn_done; + crv = sftk_AddAttributeType(privateKey, CKA_VALUE, + sftk_item_expand(&dsaPriv->privateValue)); + + dsagn_done: + /* should zeroize, since this function doesn't. */ + PORT_FreeArena(dsaPriv->params.arena, PR_TRUE); + break; + + case CKM_DH_PKCS_KEY_PAIR_GEN: + sftk_DeleteAttributeType(privateKey, CKA_PRIME); + sftk_DeleteAttributeType(privateKey, CKA_BASE); + sftk_DeleteAttributeType(privateKey, CKA_VALUE); + sftk_DeleteAttributeType(privateKey, CKA_NSS_DB); + key_type = CKK_DH; + + /* extract the necessary parameters and copy them to private keys */ + crv = sftk_Attribute2SSecItem(NULL, &dhParam.prime, publicKey, + CKA_PRIME); + if (crv != CKR_OK) + break; + crv = sftk_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_PRIME, + sftk_item_expand(&dhParam.prime)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&dhParam.base, PR_FALSE); + break; + } + crv = sftk_AddAttributeType(privateKey, CKA_BASE, + sftk_item_expand(&dhParam.base)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&dhParam.base, PR_FALSE); + break; + } + bitSize = sftk_GetLengthInBits(dhParam.prime.data, dhParam.prime.len); + if ((bitSize < DH_MIN_P_BITS) || (bitSize > DH_MAX_P_BITS)) { + crv = CKR_TEMPLATE_INCOMPLETE; + SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&dhParam.base, PR_FALSE); + break; + } + bitSize = sftk_GetLengthInBits(dhParam.base.data, dhParam.base.len); + if ((bitSize < 1) || (bitSize > DH_MAX_P_BITS)) { + crv = CKR_TEMPLATE_INCOMPLETE; + SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&dhParam.base, PR_FALSE); + break; + } + + rv = DH_NewKey(&dhParam, &dhPriv); 
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE); + SECITEM_ZfreeItem(&dhParam.base, PR_FALSE); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + + crv = sftk_AddAttributeType(publicKey, CKA_VALUE, + sftk_item_expand(&dhPriv->publicValue)); + if (crv != CKR_OK) + goto dhgn_done; + + crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB, + sftk_item_expand(&dhPriv->publicValue)); + if (crv != CKR_OK) + goto dhgn_done; + + crv = sftk_AddAttributeType(privateKey, CKA_VALUE, + sftk_item_expand(&dhPriv->privateValue)); + + dhgn_done: + /* should zeroize, since this function doesn't. */ + PORT_FreeArena(dhPriv->arena, PR_TRUE); + break; + + case CKM_EC_KEY_PAIR_GEN: + sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS); + sftk_DeleteAttributeType(privateKey, CKA_VALUE); + sftk_DeleteAttributeType(privateKey, CKA_NSS_DB); + key_type = CKK_EC; + + /* extract the necessary parameters and copy them to private keys */ + crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey, + CKA_EC_PARAMS); + if (crv != CKR_OK) + break; + + crv = sftk_AddAttributeType(privateKey, CKA_EC_PARAMS, + sftk_item_expand(&ecEncodedParams)); + if (crv != CKR_OK) { + SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE); + break; + } + + /* Decode ec params before calling EC_NewKey */ + rv = EC_DecodeParams(&ecEncodedParams, &ecParams); + SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE); + if (rv != SECSuccess) { + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + rv = EC_NewKey(ecParams, &ecPriv); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || + ecParams->fieldID.type == ec_field_plain) { + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = 
sftk_AddAttributeType(publicKey, CKA_EC_POINT, + sftk_item_expand(&ecPriv->publicValue)); + } else { + PORT_FreeArena(ecParams->arena, PR_TRUE); + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &ecPriv->publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (!pubValue) { + crv = CKR_ARGUMENTS_BAD; + goto ecgn_done; + } + crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, + sftk_item_expand(pubValue)); + SECITEM_ZfreeItem(pubValue, PR_TRUE); + } + if (crv != CKR_OK) + goto ecgn_done; + + crv = sftk_AddAttributeType(privateKey, CKA_VALUE, + sftk_item_expand(&ecPriv->privateValue)); + if (crv != CKR_OK) + goto ecgn_done; + + crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB, + sftk_item_expand(&ecPriv->publicValue)); + ecgn_done: + /* should zeroize, since this function doesn't. */ + PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE); + break; + + default: + crv = CKR_MECHANISM_INVALID; + } + + if (crv != CKR_OK) { + sftk_FreeObject(privateKey); + sftk_FreeObject(publicKey); + return crv; + } + + /* Add the class, key_type The loop lets us check errors blow out + * on errors and clean up at the bottom */ + session = NULL; /* make pedtantic happy... session cannot leave the*/ + /* loop below NULL unless an error is set... 
*/ + do { + crv = sftk_AddAttributeType(privateKey, CKA_CLASS, &privClass, + sizeof(CK_OBJECT_CLASS)); + if (crv != CKR_OK) + break; + crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &pubClass, + sizeof(CK_OBJECT_CLASS)); + if (crv != CKR_OK) + break; + crv = sftk_AddAttributeType(privateKey, CKA_KEY_TYPE, &key_type, + sizeof(CK_KEY_TYPE)); + if (crv != CKR_OK) + break; + crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &key_type, + sizeof(CK_KEY_TYPE)); + if (crv != CKR_OK) + break; + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + crv = CKR_SESSION_HANDLE_INVALID; + } while (0); + + if (crv != CKR_OK) { + sftk_FreeObject(privateKey); + sftk_FreeObject(publicKey); + return crv; + } + + /* + * handle the base object cleanup for the public Key + */ + crv = sftk_handleObject(privateKey, session); + if (crv != CKR_OK) { + sftk_FreeSession(session); + sftk_FreeObject(privateKey); + sftk_FreeObject(publicKey); + return crv; + } + + /* + * handle the base object cleanup for the private Key + * If we have any problems, we destroy the public Key we've + * created and linked. 
+ */ + crv = sftk_handleObject(publicKey, session); + sftk_FreeSession(session); + if (crv != CKR_OK) { + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); + return crv; + } + if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(privateKey, CKA_ALWAYS_SENSITIVE, + &cktrue, sizeof(CK_BBOOL)); + } + if (crv == CKR_OK && sftk_isTrue(publicKey, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(publicKey, CKA_ALWAYS_SENSITIVE, + &cktrue, sizeof(CK_BBOOL)); + } + if (crv == CKR_OK && !sftk_isTrue(privateKey, CKA_EXTRACTABLE)) { + crv = sftk_forceAttribute(privateKey, CKA_NEVER_EXTRACTABLE, + &cktrue, sizeof(CK_BBOOL)); + } + if (crv == CKR_OK && !sftk_isTrue(publicKey, CKA_EXTRACTABLE)) { + crv = sftk_forceAttribute(publicKey, CKA_NEVER_EXTRACTABLE, + &cktrue, sizeof(CK_BBOOL)); + } + + if (crv == CKR_OK) { + /* Perform FIPS 140-2 pairwise consistency check. */ + crv = sftk_PairwiseConsistencyCheck(hSession, slot, + publicKey, privateKey, key_type); + if (crv != CKR_OK) { + if (sftk_audit_enabled) { + char msg[128]; + PR_snprintf(msg, sizeof msg, + "C_GenerateKeyPair(hSession=0x%08lX, " + "pMechanism->mechanism=0x%08lX)=0x%08lX " + "self-test: pair-wise consistency test failed", + (PRUint32)hSession, (PRUint32)pMechanism->mechanism, + (PRUint32)crv); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); + } + } + } + + if (crv != CKR_OK) { + NSC_DestroyObject(hSession, publicKey->handle); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); + return crv; + } + + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; + sftk_FreeObject(publicKey); + sftk_FreeObject(privateKey); + + return CKR_OK; +} + +static SECItem * +sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp) +{ + NSSLOWKEYPrivateKey *lk = NULL; + NSSLOWKEYPrivateKeyInfo *pki = NULL; + SFTKAttribute *attribute = NULL; + PLArenaPool *arena = NULL; 
+ SECOidTag algorithm = SEC_OID_UNKNOWN; + void *dummy, *param = NULL; + SECStatus rv = SECSuccess; + SECItem *encodedKey = NULL; +#ifdef EC_DEBUG + SECItem *fordebug; +#endif + int savelen; + + if (!key) { + *crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */ + return NULL; + } + + attribute = sftk_FindAttribute(key, CKA_KEY_TYPE); + if (!attribute) { + *crvp = CKR_KEY_TYPE_INCONSISTENT; + return NULL; + } + + lk = sftk_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue, crvp); + sftk_FreeAttribute(attribute); + if (!lk) { + return NULL; + } + + arena = PORT_NewArena(2048); /* XXX different size? */ + if (!arena) { + *crvp = CKR_HOST_MEMORY; + rv = SECFailure; + goto loser; + } + + pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYPrivateKeyInfo)); + if (!pki) { + *crvp = CKR_HOST_MEMORY; + rv = SECFailure; + goto loser; + } + pki->arena = arena; + + param = NULL; + switch (lk->keyType) { + case NSSLOWKEYRSAKey: + prepare_low_rsa_priv_key_for_asn1(lk); + dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk, + nsslowkey_RSAPrivateKeyTemplate); + + /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */ + attribute = sftk_FindAttribute(key, CKA_PUBLIC_KEY_INFO); + if (attribute) { + NSSLOWKEYSubjectPublicKeyInfo *publicKeyInfo; + SECItem spki; + + spki.data = attribute->attrib.pValue; + spki.len = attribute->attrib.ulValueLen; + + publicKeyInfo = PORT_ArenaZAlloc(arena, + sizeof(NSSLOWKEYSubjectPublicKeyInfo)); + if (!publicKeyInfo) { + sftk_FreeAttribute(attribute); + *crvp = CKR_HOST_MEMORY; + rv = SECFailure; + goto loser; + } + rv = SEC_QuickDERDecodeItem(arena, publicKeyInfo, + nsslowkey_SubjectPublicKeyInfoTemplate, + &spki); + if (rv != SECSuccess) { + sftk_FreeAttribute(attribute); + *crvp = CKR_KEY_TYPE_INCONSISTENT; + goto loser; + } + algorithm = SECOID_GetAlgorithmTag(&publicKeyInfo->algorithm); + if (algorithm != SEC_OID_PKCS1_RSA_ENCRYPTION && + algorithm != SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + 
sftk_FreeAttribute(attribute); + rv = SECFailure; + *crvp = CKR_KEY_TYPE_INCONSISTENT; + goto loser; + } + param = SECITEM_DupItem(&publicKeyInfo->algorithm.parameters); + if (!param) { + sftk_FreeAttribute(attribute); + rv = SECFailure; + *crvp = CKR_HOST_MEMORY; + goto loser; + } + sftk_FreeAttribute(attribute); + } else { + /* default to PKCS #1 */ + algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION; + } + break; + case NSSLOWKEYDSAKey: + prepare_low_dsa_priv_key_export_for_asn1(lk); + dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk, + nsslowkey_DSAPrivateKeyExportTemplate); + prepare_low_pqg_params_for_asn1(&lk->u.dsa.params); + param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params), + nsslowkey_PQGParamsTemplate); + algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE; + break; + case NSSLOWKEYECKey: + prepare_low_ec_priv_key_for_asn1(lk); + /* Public value is encoded as a bit string so adjust length + * to be in bits before ASN encoding and readjust + * immediately after. + * + * Since the SECG specification recommends not including the + * parameters as part of ECPrivateKey, we zero out the curveOID + * length before encoding and restore it later. 
+ */ + lk->u.ec.publicValue.len <<= 3; + savelen = lk->u.ec.ecParams.curveOID.len; + lk->u.ec.ecParams.curveOID.len = 0; + dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk, + nsslowkey_ECPrivateKeyTemplate); + lk->u.ec.ecParams.curveOID.len = savelen; + lk->u.ec.publicValue.len >>= 3; + +#ifdef EC_DEBUG + fordebug = &pki->privateKey; + SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType, + fordebug); +#endif + + param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding); + + algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY; + break; + case NSSLOWKEYDHKey: + default: + dummy = NULL; + break; + } + + if (!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) { + *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */ + rv = SECFailure; + goto loser; + } + + rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, + (SECItem *)param); + if (rv != SECSuccess) { + *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */ + rv = SECFailure; + goto loser; + } + + dummy = SEC_ASN1EncodeInteger(arena, &pki->version, + NSSLOWKEY_PRIVATE_KEY_INFO_VERSION); + if (!dummy) { + *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */ + rv = SECFailure; + goto loser; + } + + encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, + nsslowkey_PrivateKeyInfoTemplate); + *crvp = encodedKey ? 
CKR_OK : CKR_DEVICE_ERROR;
+
+#ifdef EC_DEBUG
+ fordebug = encodedKey;
+ SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
+ fordebug);
+#endif
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+
+ if (lk && (lk != key->objectInfo)) {
+ nsslowkey_DestroyPrivateKey(lk);
+ }
+
+ if (param) {
+ SECITEM_ZfreeItem((SECItem *)param, PR_TRUE);
+ }
+
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+
+ return encodedKey;
+}
+
+/* it doesn't matter yet, since we colapse error conditions in the
+ * level above, but we really should map those few key error differences */
+static CK_RV
+sftk_mapWrap(CK_RV crv)
+{
+ switch (crv) {
+ case CKR_ENCRYPTED_DATA_INVALID:
+ crv = CKR_WRAPPED_KEY_INVALID;
+ break;
+ }
+ return crv;
+}
+
+/* NSC_WrapKey wraps (i.e., encrypts) a key. */
+CK_RV
+NSC_WrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+ CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen)
+{
+ SFTKSession *session;
+ SFTKAttribute *attribute;
+ SFTKObject *key;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ key = sftk_ObjectFromHandle(hKey, session);
+ if (key == NULL) {
+ sftk_FreeSession(session);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ switch (key->objclass) {
+ case CKO_SECRET_KEY: {
+ SFTKSessionContext *context = NULL;
+ SECItem pText;
+
+ attribute = sftk_FindAttribute(key, CKA_VALUE);
+
+ if (attribute == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
+ CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+ if (crv != CKR_OK) {
+ sftk_FreeAttribute(attribute);
+ break;
+ }
+
+ pText.type = siBuffer;
+ pText.data = (unsigned char *)attribute->attrib.pValue;
+ pText.len = attribute->attrib.ulValueLen;
+
+ /* Find out if this is a block cipher.
*/
+ crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_FALSE, NULL);
+ if (crv != CKR_OK || !context)
+ break;
+ if (context->blockSize > 1) {
+ unsigned int remainder = pText.len % context->blockSize;
+ if (!context->doPad && remainder) {
+ /* When wrapping secret keys with unpadded block ciphers,
+ ** the keys are zero padded, if necessary, to fill out
+ ** a full block.
+ */
+ pText.len += context->blockSize - remainder;
+ pText.data = PORT_ZAlloc(pText.len);
+ if (pText.data)
+ memcpy(pText.data, attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ else {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ }
+ }
+
+ crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)pText.data,
+ pText.len, pWrappedKey, pulWrappedKeyLen);
+ /* always force a finalize, both on errors and when
+ * we are just getting the size */
+ if (crv != CKR_OK || pWrappedKey == NULL) {
+ CK_RV lcrv;
+ lcrv = sftk_GetContext(hSession, &context,
+ SFTK_ENCRYPT, PR_FALSE, NULL);
+ sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+ if (lcrv == CKR_OK && context) {
+ sftk_FreeContext(context);
+ }
+ }
+
+ if (pText.data != (unsigned char *)attribute->attrib.pValue)
+ PORT_ZFree(pText.data, pText.len);
+ sftk_FreeAttribute(attribute);
+ break;
+ }
+
+ case CKO_PRIVATE_KEY: {
+ SECItem *bpki = sftk_PackagePrivateKey(key, &crv);
+ SFTKSessionContext *context = NULL;
+
+ if (!bpki) {
+ break;
+ }
+
+ crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
+ CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(bpki, PR_TRUE);
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+
+ crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
+ pWrappedKey, pulWrappedKeyLen);
+ /* always force a finalize */
+ if (crv != CKR_OK || pWrappedKey == NULL) {
+ CK_RV lcrv;
+ lcrv = sftk_GetContext(hSession, &context,
+ SFTK_ENCRYPT, PR_FALSE, NULL);
+ sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+ if (lcrv == CKR_OK && context) {
+ sftk_FreeContext(context);
+ }
+ }
+
+ SECITEM_ZfreeItem(bpki, PR_TRUE);
+ break;
+ }
+
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ sftk_FreeObject(key);
+ sftk_FreeSession(session);
+ return sftk_mapWrap(crv);
+}
+
+/*
+ * import a pprivate key info into the desired slot
+ */
+static SECStatus
+sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
+{
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ SECStatus rv = SECFailure;
+ const SEC_ASN1Template *keyTemplate, *paramTemplate;
+ void *paramDest = NULL;
+ PLArenaPool *arena;
+ NSSLOWKEYPrivateKey *lpk = NULL;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
+
+ arena = PORT_NewArena(2048);
+ if (!arena) {
+ return SECFailure;
+ }
+
+ pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ if (!pki) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return SECFailure;
+ }
+
+ if (SEC_ASN1DecodeItem(arena, pki, nsslowkey_PrivateKeyInfoTemplate, bpki) != SECSuccess) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return SECFailure;
+ }
+
+ lpk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKey));
+ if (lpk == NULL) {
+ goto loser;
+ }
+ lpk->arena = arena;
+
+ switch (SECOID_GetAlgorithmTag(&pki->algorithm)) {
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+ keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ lpk->keyType = NSSLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+ break;
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
+ keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
+ paramTemplate = nsslowkey_PQGParamsTemplate;
+ paramDest = &(lpk->u.dsa.params);
+ lpk->keyType = NSSLOWKEYDSAKey;
+ prepare_low_dsa_priv_key_export_for_asn1(lpk);
+ prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
+ break;
+ /* case NSSLOWKEYDHKey: */
+ case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ keyTemplate = nsslowkey_ECPrivateKeyTemplate;
+ paramTemplate = NULL;
+ paramDest =
&(lpk->u.ec.ecParams.DEREncoding);
+ lpk->keyType = NSSLOWKEYECKey;
+ prepare_low_ec_priv_key_for_asn1(lpk);
+ prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
+ break;
+ default:
+ keyTemplate = NULL;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ break;
+ }
+
+ if (!keyTemplate) {
+ goto loser;
+ }
+
+ /* decode the private key and any algorithm parameters */
+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+
+ if (lpk->keyType == NSSLOWKEYECKey) {
+ /* convert length in bits to length in bytes */
+ lpk->u.ec.publicValue.len >>= 3;
+ rv = SECITEM_CopyItem(arena,
+ &(lpk->u.ec.ecParams.DEREncoding),
+ &(pki->algorithm.parameters));
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (paramDest && paramTemplate) {
+ rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate,
+ &(pki->algorithm.parameters));
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ rv = SECFailure;
+
+ switch (lpk->keyType) {
+ case NSSLOWKEYRSAKey:
+ keyType = CKK_RSA;
+ if (sftk_hasAttribute(key, CKA_NSS_DB)) {
+ sftk_DeleteAttributeType(key, CKA_NSS_DB);
+ }
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_UNWRAP, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_DECRYPT, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_MODULUS,
+ sftk_item_expand(&lpk->u.rsa.modulus));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&lpk->u.rsa.publicExponent));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIVATE_EXPONENT,
+
sftk_item_expand(&lpk->u.rsa.privateExponent));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME_1,
+ sftk_item_expand(&lpk->u.rsa.prime1));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME_2,
+ sftk_item_expand(&lpk->u.rsa.prime2));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EXPONENT_1,
+ sftk_item_expand(&lpk->u.rsa.exponent1));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EXPONENT_2,
+ sftk_item_expand(&lpk->u.rsa.exponent2));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_COEFFICIENT,
+ sftk_item_expand(&lpk->u.rsa.coefficient));
+ break;
+ case NSSLOWKEYDSAKey:
+ keyType = CKK_DSA;
+ crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME,
+ sftk_item_expand(&lpk->u.dsa.params.prime));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
+ sftk_item_expand(&lpk->u.dsa.params.subPrime));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_BASE,
+ sftk_item_expand(&lpk->u.dsa.params.base));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_VALUE,
+ sftk_item_expand(&lpk->u.dsa.privateValue));
+ if (crv != CKR_OK)
+ break;
+ break;
+#ifdef notdef
+ case NSSLOWKEYDHKey:
+ template = dhTemplate;
+ templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
+ keyType = CKK_DH;
+ break;
+#endif
+ /* what about fortezza??? */
+ case NSSLOWKEYECKey:
+ keyType = CKK_EC;
+ crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ?
CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_DERIVE, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EC_PARAMS,
+ sftk_item_expand(&lpk->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_VALUE,
+ sftk_item_expand(&lpk->u.ec.privateValue));
+ if (crv != CKR_OK)
+ break;
+ /* XXX Do we need to decode the EC Params here ?? */
+ break;
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* For RSA-PSS, record the original algorithm parameters so
+ * they can be encrypted altoghether when wrapping */
+ if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ NSSLOWKEYSubjectPublicKeyInfo spki;
+ NSSLOWKEYPublicKey pubk;
+ SECItem *publicKeyInfo;
+
+ memset(&spki, 0, sizeof(NSSLOWKEYSubjectPublicKeyInfo));
+ rv = SECOID_CopyAlgorithmID(arena, &spki.algorithm, &pki->algorithm);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ prepare_low_rsa_pub_key_for_asn1(&pubk);
+
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.modulus, &lpk->u.rsa.modulus);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.publicExponent, &lpk->u.rsa.publicExponent);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ if (SEC_ASN1EncodeItem(arena, &spki.subjectPublicKey,
+ &pubk, nsslowkey_RSAPublicKeyTemplate) == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ publicKeyInfo = SEC_ASN1EncodeItem(arena, NULL,
+ &spki,
+
nsslowkey_SubjectPublicKeyInfoTemplate);
+ if (!publicKeyInfo) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(key, CKA_PUBLIC_KEY_INFO,
+ sftk_item_expand(publicKeyInfo));
+ }
+
+loser:
+ if (lpk) {
+ nsslowkey_DestroyPrivateKey(lpk);
+ }
+
+ if (crv != CKR_OK) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+CK_RV
+NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKObject *key = NULL;
+ SFTKSession *session;
+ CK_ULONG key_length = 0;
+ unsigned char *buf = NULL;
+ CK_RV crv = CKR_OK;
+ int i;
+ CK_ULONG bsize = ulWrappedKeyLen;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SECItem bpki;
+ CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulAttributeCount; i++) {
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ key_length = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+ if (pTemplate[i].type == CKA_CLASS) {
+ target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+ }
+ crv = sftk_AddAttributeType(key, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ crv = sftk_CryptInit(hSession, pMechanism, hUnwrappingKey, CKA_UNWRAP,
+ CKA_UNWRAP, SFTK_DECRYPT, PR_FALSE);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return sftk_mapWrap(crv);
+ }
+
+ /* allocate the buffer to decrypt into
+ * this assumes the unwrapped key is never
larger than the
+ * wrapped key. For all the mechanisms we support this is true */
+ buf = (unsigned char *)PORT_Alloc(ulWrappedKeyLen);
+ bsize = ulWrappedKeyLen;
+
+ crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ PORT_Free(buf);
+ return sftk_mapWrap(crv);
+ }
+
+ switch (target_type) {
+ case CKO_SECRET_KEY:
+ if (!sftk_hasAttribute(key, CKA_KEY_TYPE)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+
+ if (key_length == 0 || key_length > bsize) {
+ key_length = bsize;
+ }
+ if (key_length > MAX_KEY_LEN) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ /* add the value */
+ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, key_length);
+ break;
+ case CKO_PRIVATE_KEY:
+ bpki.data = (unsigned char *)buf;
+ bpki.len = bsize;
+ crv = CKR_OK;
+ if (sftk_unwrapPrivateKey(key, &bpki) != SECSuccess) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ }
+ break;
+ default:
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ PORT_ZFree(buf, bsize);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* mark the key as FIPS if the previous operation was all FIPS */
+ key->isFIPS = session->lastOpWasFIPS;
+
+ /*
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(key, session);
+ *phKey = key->handle;
+ sftk_FreeSession(session);
+ sftk_FreeObject(key);
+
+ return crv;
+}
+
+/*
+ * The SSL key gen mechanism create's lots of keys. This function handles the
+ * details of each of these key creation.
+ */
+static CK_RV
+sftk_buildSSLKey(CK_SESSION_HANDLE hSession, SFTKObject *baseKey,
+ PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
+ CK_OBJECT_HANDLE *keyHandle)
+{
+ SFTKObject *key;
+ SFTKSession *session;
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_RV crv = CKR_HOST_MEMORY;
+
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ *keyHandle = CK_INVALID_HANDLE;
+ key = sftk_NewObject(baseKey->slot);
+ if (key == NULL)
+ return CKR_HOST_MEMORY;
+ sftk_narrowToSessionObject(key)->wasDerived = PR_TRUE;
+
+ crv = sftk_CopyObject(key, baseKey);
+ if (crv != CKR_OK)
+ goto loser;
+ if (isMacKey) {
+ crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_ENCRYPT, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_DECRYPT, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_SIGN, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_WRAP, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_UNWRAP, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ crv = sftk_forceAttribute(key, CKA_VALUE, keyBlock, keySize);
+ if (crv != CKR_OK)
+ goto loser;
+
+ /* get the session */
+ crv = CKR_HOST_MEMORY;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ goto loser;
+ }
+
+ crv = sftk_handleObject(key, session);
+ sftk_FreeSession(session);
+ *keyHandle = key->handle;
+loser:
+ if (key)
+ sftk_FreeObject(key);
+ return crv;
+}
+
+/*
+ * if there is
an error, we need to free the keys we already created in SSL
+ * This is the routine that will do it..
+ */
+static void
+sftk_freeSSLKeys(CK_SESSION_HANDLE session,
+ CK_SSL3_KEY_MAT_OUT *returnedMaterial)
+{
+ if (returnedMaterial->hClientMacSecret != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hClientMacSecret);
+ }
+ if (returnedMaterial->hServerMacSecret != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
+ }
+ if (returnedMaterial->hClientKey != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hClientKey);
+ }
+ if (returnedMaterial->hServerKey != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hServerKey);
+ }
+}
+
+/*
+ * when deriving from sensitive and extractable keys, we need to preserve some
+ * of the semantics in the derived key. This helper routine maintains these
+ * semantics.
+ */
+static CK_RV
+sftk_DeriveSensitiveCheck(SFTKObject *baseKey, SFTKObject *destKey,
+ PRBool canBeData)
+{
+ PRBool hasSensitive;
+ PRBool sensitive = PR_FALSE;
+ CK_BBOOL bFalse = CK_FALSE;
+ PRBool hasExtractable;
+ PRBool extractable = PR_TRUE;
+ CK_BBOOL bTrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ SFTKAttribute *att;
+ PRBool isData = PR_TRUE;
+
+ if (canBeData) {
+ CK_OBJECT_CLASS objClass;
+
+ /* if the target key is actually data, don't set the unexpected
+ * attributes */
+ crv = sftk_GetULongAttribute(destKey, CKA_CLASS, &objClass);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (objClass == CKO_DATA) {
+ return CKR_OK;
+ }
+
+ /* if the base key is data, it doesn't have sensitive attributes,
+ * allow the destKey to get it's own */
+ crv = sftk_GetULongAttribute(baseKey, CKA_CLASS, &objClass);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (objClass == CKO_DATA) {
+ isData = PR_TRUE;
+ }
+ }
+
+ hasSensitive = PR_FALSE;
+ att = sftk_FindAttribute(destKey, CKA_SENSITIVE);
+ if (att) {
+ hasSensitive = PR_TRUE;
+ sensitive = (PRBool) * (CK_BBOOL *)att->attrib.pValue;
+
sftk_FreeAttribute(att);
+ }
+
+ hasExtractable = PR_FALSE;
+ att = sftk_FindAttribute(destKey, CKA_EXTRACTABLE);
+ if (att) {
+ hasExtractable = PR_TRUE;
+ extractable = (PRBool) * (CK_BBOOL *)att->attrib.pValue;
+ sftk_FreeAttribute(att);
+ }
+
+ /* don't make a key more accessible */
+ if (sftk_isTrue(baseKey, CKA_SENSITIVE) && hasSensitive &&
+ (sensitive == PR_FALSE)) {
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+ }
+ if (!sftk_isTrue(baseKey, CKA_EXTRACTABLE) && hasExtractable &&
+ (extractable == PR_TRUE)) {
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+ }
+
+ /* inherit parent's sensitivity */
+ if (!hasSensitive) {
+ att = sftk_FindAttribute(baseKey, CKA_SENSITIVE);
+ if (att != NULL) {
+ crv = sftk_defaultAttribute(destKey,
+ sftk_attr_expand(&att->attrib));
+ sftk_FreeAttribute(att);
+ } else if (isData) {
+ crv = sftk_defaultAttribute(destKey, CKA_SENSITIVE,
+ &bFalse, sizeof(bFalse));
+ } else {
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK)
+ return crv;
+ }
+ if (!hasExtractable) {
+ att = sftk_FindAttribute(baseKey, CKA_EXTRACTABLE);
+ if (att != NULL) {
+ crv = sftk_defaultAttribute(destKey,
+ sftk_attr_expand(&att->attrib));
+ sftk_FreeAttribute(att);
+ } else if (isData) {
+ crv = sftk_defaultAttribute(destKey, CKA_EXTRACTABLE,
+ &bTrue, sizeof(bTrue));
+ } else {
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK)
+ return crv;
+ }
+
+ /* we should inherit the parent's always extractable/ never sensitive info,
+ * but handleObject always forces this attributes, so we would need to do
+ * something special.
*/
+ return CKR_OK;
+}
+
+/*
+ * make known fixed PKCS #11 key types to their sizes in bytes
+ */
+unsigned long
+sftk_MapKeySize(CK_KEY_TYPE keyType)
+{
+ switch (keyType) {
+ case CKK_CDMF:
+ return 8;
+ case CKK_DES:
+ return 8;
+ case CKK_DES2:
+ return 16;
+ case CKK_DES3:
+ return 24;
+ /* IDEA and CAST need to be added */
+ default:
+ break;
+ }
+ return 0;
+}
+
+/* Inputs:
+ * key_len: Length of derived key to be generated.
+ * SharedSecret: a shared secret that is the output of a key agreement primitive.
+ * SharedInfo: (Optional) some data shared by the entities computing the secret key.
+ * SharedInfoLen: the length in octets of SharedInfo
+ * Hash: The hash function to be used in the KDF
+ * HashLen: the length in octets of the output of Hash
+ * Output:
+ * key: Pointer to a buffer containing derived key, if return value is SECSuccess.
+ */
+static CK_RV
+sftk_compute_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len, SECItem *SharedSecret,
+ CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+ SECStatus Hash(unsigned char *, const unsigned char *, PRUint32),
+ CK_ULONG HashLen)
+{
+ unsigned char *buffer = NULL, *output_buffer = NULL;
+ PRUint32 buffer_len, max_counter, i;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* Check that key_len isn't too long. The maximum key length could be
+ * greatly increased if the code below did not limit the 4-byte counter
+ * to a maximum value of 255.
*/
+ if (key_len > 254 * HashLen)
+ return CKR_ARGUMENTS_BAD;
+
+ if (SharedInfo == NULL)
+ SharedInfoLen = 0;
+
+ buffer_len = SharedSecret->len + 4 + SharedInfoLen;
+ buffer = (CK_BYTE *)PORT_Alloc(buffer_len);
+ if (buffer == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ max_counter = key_len / HashLen;
+ if (key_len > max_counter * HashLen)
+ max_counter++;
+
+ output_buffer = (CK_BYTE *)PORT_Alloc(max_counter * HashLen);
+ if (output_buffer == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ /* Populate buffer with SharedSecret || Counter || [SharedInfo]
+ * where Counter is 0x00000001 */
+ PORT_Memcpy(buffer, SharedSecret->data, SharedSecret->len);
+ buffer[SharedSecret->len] = 0;
+ buffer[SharedSecret->len + 1] = 0;
+ buffer[SharedSecret->len + 2] = 0;
+ buffer[SharedSecret->len + 3] = 1;
+ if (SharedInfo) {
+ PORT_Memcpy(&buffer[SharedSecret->len + 4], SharedInfo, SharedInfoLen);
+ }
+
+ for (i = 0; i < max_counter; i++) {
+ rv = Hash(&output_buffer[i * HashLen], buffer, buffer_len);
+ if (rv != SECSuccess) {
+ /* 'Hash' should not fail.
*/
+ crv = CKR_FUNCTION_FAILED;
+ goto loser;
+ }
+
+ /* Increment counter (assumes max_counter < 255) */
+ buffer[SharedSecret->len + 3]++;
+ }
+
+ PORT_ZFree(buffer, buffer_len);
+ if (key_len < max_counter * HashLen) {
+ PORT_Memset(output_buffer + key_len, 0, max_counter * HashLen - key_len);
+ }
+ *key = output_buffer;
+
+ return CKR_OK;
+
+loser:
+ if (buffer) {
+ PORT_ZFree(buffer, buffer_len);
+ }
+ if (output_buffer) {
+ PORT_ZFree(output_buffer, max_counter * HashLen);
+ }
+ return crv;
+}
+
+static CK_RV
+sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
+ SECItem *SharedSecret,
+ CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+ CK_EC_KDF_TYPE kdf)
+{
+ if (kdf == CKD_SHA1_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA1_HashBuf, SHA1_LENGTH);
+ else if (kdf == CKD_SHA224_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA224_HashBuf, SHA224_LENGTH);
+ else if (kdf == CKD_SHA256_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA256_HashBuf, SHA256_LENGTH);
+ else if (kdf == CKD_SHA384_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
+ else if (kdf == CKD_SHA512_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
+ else
+ return CKR_MECHANISM_INVALID;
+}
+
+/*
+ * Handle the derive from a block encryption cipher
+ */
+CK_RV
+sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo,
+ int blockSize, SFTKObject *key, CK_ULONG keySize,
+ unsigned char *data, CK_ULONG len)
+{
+ /* large enough for a 512-bit key */
+ unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE];
+ SECStatus rv;
+ unsigned int outLen;
+ CK_RV crv;
+
+ if ((len % blockSize) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (len > SFTK_MAX_DERIVE_KEY_SIZE) {
+ return
CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize && (len < keySize)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize == 0) {
+ keySize = len;
+ }
+
+ rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ return crv;
+ }
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);
+ PORT_Memset(tmpdata, 0, sizeof tmpdata);
+ return crv;
+}
+
+CK_RV
+sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_SESSION_HANDLE hSession,
+ SFTKObject *sourceKey, const unsigned char *sourceKeyBytes,
+ int sourceKeyLen, SFTKObject *key, unsigned char *outKeyBytes,
+ int keySize, PRBool canBeData, PRBool isFIPS)
+{
+ SFTKSession *session;
+ SFTKAttribute *saltKey_att = NULL;
+ const SECHashObject *rawHash;
+ unsigned hashLen;
+ unsigned genLen = 0;
+ unsigned char hashbuf[HASH_LENGTH_MAX];
+ unsigned char keyBlock[9 * SFTK_MAX_MAC_LENGTH];
+ unsigned char *keyBlockAlloc = NULL; /* allocated keyBlock */
+ unsigned char *keyBlockData = keyBlock; /* pointer to current keyBlock */
+ const unsigned char *prk; /* psuedo-random key */
+ CK_ULONG prkLen;
+ const unsigned char *okm; /* output keying material */
+ HASH_HashType hashType = sftk_GetHashTypeFromMechanism(params->prfHashMechanism);
+ SFTKObject *saltKey = NULL;
+ CK_RV crv = CKR_OK;
+
+ /* Spec says it should be the base hash, but also accept the HMAC */
+ if (hashType == HASH_AlgNULL) {
+ hashType = sftk_HMACMechanismToHash(params->prfHashMechanism);
+ }
+ rawHash = HASH_GetRawHashObject(hashType);
+ if (rawHash == NULL || rawHash->length > sizeof(hashbuf)) {
+ return CKR_MECHANISM_INVALID;
+ }
+ hashLen = rawHash->length;
+
+ if ((!params->bExpand && !params->bExtract) ||
+ (params->bExtract && params->ulSaltLen > 0 && !params->pSalt) ||
+ (params->bExpand && params->ulInfoLen > 0 && !params->pInfo)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if ((params->bExpand && keySize == 0) ||
+ (!params->bExpand && keySize > hashLen) ||
+
(params->bExpand && keySize > 255 * hashLen)) {
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
+
+ /* sourceKey is NULL if we are called from the POST, skip the
+ * sensitiveCheck */
+ if (sourceKey != NULL) {
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, canBeData);
+ if (crv != CKR_OK)
+ return crv;
+ }
+
+ /* HKDF-Extract(salt, base key value) */
+ if (params->bExtract) {
+ CK_BYTE *salt;
+ CK_ULONG saltLen;
+ HMACContext *hmac;
+ unsigned int bufLen;
+
+ switch (params->ulSaltType) {
+ case CKF_HKDF_SALT_NULL:
+ saltLen = hashLen;
+ salt = hashbuf;
+ memset(salt, 0, saltLen);
+ break;
+ case CKF_HKDF_SALT_DATA:
+ salt = params->pSalt;
+ saltLen = params->ulSaltLen;
+ if ((salt == NULL) || (params->ulSaltLen == 0)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ case CKF_HKDF_SALT_KEY:
+ /* lookup key */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ saltKey = sftk_ObjectFromHandle(params->hSaltKey, session);
+ sftk_FreeSession(session);
+ if (saltKey == NULL) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ /* if the base key is not fips, but the salt key is, the
+ * resulting key can be fips */
+ if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {
+ CK_MECHANISM mech;
+ mech.mechanism = CKM_HKDF_DERIVE;
+ mech.pParameter = params;
+ mech.ulParameterLen = sizeof(*params);
+ key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
+ CKA_DERIVE, saltKey);
+ }
+ saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
+ if (saltKey_att == NULL) {
+ sftk_FreeObject(saltKey);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ /* save the resulting salt */
+ salt = saltKey_att->attrib.pValue;
+ saltLen = saltKey_att->attrib.ulValueLen;
+ break;
+ default:
+ return CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
+ if (saltKey_att) {
+ sftk_FreeAttribute(saltKey_att);
+ }
+ if (saltKey) {
+ sftk_FreeObject(saltKey);
+ }
+ if (!hmac) {
+ return CKR_HOST_MEMORY;
+ }
+ HMAC_Begin(hmac);
+ HMAC_Update(hmac, sourceKeyBytes, sourceKeyLen);
+ HMAC_Finish(hmac, hashbuf, &bufLen, sizeof(hashbuf));
+ HMAC_Destroy(hmac, PR_TRUE);
+ PORT_Assert(bufLen == rawHash->length);
+ prk = hashbuf;
+ prkLen = bufLen;
+ } else {
+ /* PRK = base key value */
+ prk = sourceKeyBytes;
+ prkLen = sourceKeyLen;
+ }
+
+ /* HKDF-Expand */
+ if (!params->bExpand) {
+ okm = prk;
+ keySize = genLen = hashLen;
+ } else {
+ /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
+ * T(n) = HMAC-Hash(prk, T(n-1) | info | n
+ * key material = T(1) | ... | T(n)
+ */
+ HMACContext *hmac;
+ CK_BYTE bi;
+ unsigned iterations;
+
+ genLen = PR_ROUNDUP(keySize, hashLen);
+ iterations = genLen / hashLen;
+
+ if (genLen > sizeof(keyBlock)) {
+ keyBlockAlloc = PORT_Alloc(genLen);
+ if (keyBlockAlloc == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ keyBlockData = keyBlockAlloc;
+ }
+ hmac = HMAC_Create(rawHash, prk, prkLen, isFIPS);
+ if (hmac == NULL) {
+ PORT_Free(keyBlockAlloc);
+ return CKR_HOST_MEMORY;
+ }
+ for (bi = 1; bi <= iterations && bi > 0; ++bi) {
+ unsigned len;
+ HMAC_Begin(hmac);
+ if (bi > 1) {
+ HMAC_Update(hmac, &keyBlockData[(bi - 2) * hashLen], hashLen);
+ }
+ if (params->ulInfoLen != 0) {
+ HMAC_Update(hmac, params->pInfo, params->ulInfoLen);
+ }
+ HMAC_Update(hmac, &bi, 1);
+ HMAC_Finish(hmac, &keyBlockData[(bi - 1) * hashLen], &len,
+ hashLen);
+ PORT_Assert(len == hashLen);
+ }
+ HMAC_Destroy(hmac, PR_TRUE);
+ okm = &keyBlockData[0];
+ }
+ /* key material = okm */
+ crv = CKR_OK;
+ if (key) {
+ crv = sftk_forceAttribute(key, CKA_VALUE, okm, keySize);
+ } else {
+ PORT_Assert(outKeyBytes != NULL);
+ PORT_Memcpy(outKeyBytes, okm, keySize);
+ }
+ PORT_Memset(keyBlockData, 0, genLen);
+ PORT_Memset(hashbuf, 0, sizeof(hashbuf));
+ PORT_Free(keyBlockAlloc);
+ return crv;
+}
+
+/*
+ * SSL Key generation given pre master secret
+ */
+#define NUM_MIXERS 9
+static const char *const mixers[NUM_MIXERS] = {
+ "A",
+ "BB",
+ "CCC",
+ "DDDD",
+ "EEEEE",
+ "FFFFFF",
+
"GGGGGGG",
+ "HHHHHHHH",
+ "IIIIIIIII"
+};
+#define SSL3_PMS_LENGTH 48
+#define SSL3_MASTER_SECRET_LENGTH 48
+#define SSL3_RANDOM_LENGTH 32
+
+/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
+CK_RV
+NSC_DeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKObject *key;
+ SFTKObject *sourceKey;
+ SFTKAttribute *att = NULL;
+ SFTKAttribute *att2 = NULL;
+ unsigned char *buf;
+ SHA1Context *sha;
+ MD5Context *md5;
+ MD2Context *md2;
+ CK_ULONG macSize;
+ CK_ULONG tmpKeySize;
+ CK_ULONG IVSize;
+ CK_ULONG keySize = 0;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
+ CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+ PRBool isTLS = PR_FALSE;
+ PRBool isDH = PR_FALSE;
+ HASH_HashType tlsPrfHash = HASH_AlgNULL;
+ SECStatus rv;
+ int i;
+ unsigned int outLen;
+ unsigned char sha_out[SHA1_LENGTH];
+ unsigned char key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH];
+ PRBool isFIPS;
+ HASH_HashType hashType;
+ CK_MECHANISM_TYPE hashMech;
+ PRBool extractValue = PR_TRUE;
+ CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS ikeAppB;
+ CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *pIkeAppB;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ if (!pMechanism) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ CK_MECHANISM_TYPE mechanism = pMechanism->mechanism;
+
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ if (phKey)
+ *phKey = CK_INVALID_HANDLE;
+
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ isFIPS = sftk_isFIPS(slot->slotID);
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulAttributeCount; i++) {
+ crv = sftk_AddAttributeType(key,
sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+
+ if (pTemplate[i].type == CKA_KEY_TYPE) {
+ keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
+ }
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ keySize = *(CK_ULONG *)pTemplate[i].pValue;
+ }
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ if (keySize == 0) {
+ keySize = sftk_MapKeySize(keyType);
+ }
+
+ switch (mechanism) {
+ case CKM_NSS_JPAKE_ROUND2_SHA1: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA256: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA384: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA512:
+ extractValue = PR_FALSE;
+ classType = CKO_PRIVATE_KEY;
+ break;
+ case CKM_NSS_PUB_FROM_PRIV:
+ extractValue = PR_FALSE;
+ classType = CKO_PUBLIC_KEY;
+ break;
+ case CKM_HKDF_DATA: /* fall through */
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA:
+ classType = CKO_DATA;
+ break;
+ case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA512:
+ extractValue = PR_FALSE;
+ /* fall through */
+ default:
+ classType = CKO_SECRET_KEY;
+ }
+
+ crv = sftk_forceAttribute(key, CKA_CLASS, &classType, sizeof(classType));
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* look up the base key we're deriving with */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ sourceKey = sftk_ObjectFromHandle(hBaseKey, session);
+ sftk_FreeSession(session);
+ /* is this eventually succeeds, lastOpWasFIPS will be set the resulting key's
+ * FIPS state below.
*/
+ session->lastOpWasFIPS = PR_FALSE;
+ if (sourceKey == NULL) {
+ sftk_FreeObject(key);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ if (extractValue) {
+ /* get the value of the base key */
+ att = sftk_FindAttribute(sourceKey, CKA_VALUE);
+ if (att == NULL) {
+ sftk_FreeObject(key);
+ sftk_FreeObject(sourceKey);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ }
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
+
+ switch (mechanism) {
+ /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+ * will generate the public portion if it doesn't already exist. */
+ case CKM_NSS_PUB_FROM_PRIV: {
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYPublicKey *pubKey;
+ int error;
+
+ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ /* privKey is stored in sourceKey and will be destroyed when
+ * the sourceKey is freed. */
+ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ pubKey = nsslowkey_ConvertToPublicKey(privKey);
+ if (pubKey == NULL) {
+ error = PORT_GetError();
+ crv = sftk_MapCryptError(error);
+ break;
+ }
+ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey);
+ nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+ case CKM_NSS_IKE_PRF_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike_prf(hSession, att,
+ (CK_NSS_IKE_PRF_DERIVE_PARAMS *)pMechanism->pParameter, key);
+ break;
+ case CKM_NSS_IKE1_PRF_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE1_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike1_prf(hSession, att,
+ (CK_NSS_IKE1_PRF_DERIVE_PARAMS *)pMechanism->pParameter,
+ key, keySize);
+ break;
+ case CKM_NSS_IKE1_APP_B_PRF_DERIVE:
+ pIkeAppB = (CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *)pMechanism->pParameter;
+ if (pMechanism->ulParameterLen ==
+ sizeof(CK_MECHANISM_TYPE)) {
+
ikeAppB.prfMechanism = *(CK_MECHANISM_TYPE *)pMechanism->pParameter;
+ ikeAppB.bHasKeygxy = PR_FALSE;
+ ikeAppB.hKeygxy = CK_INVALID_HANDLE;
+ ikeAppB.pExtraData = NULL;
+ ikeAppB.ulExtraDataLen = 0;
+ pIkeAppB = &ikeAppB;
+ } else if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike1_appendix_b_prf(hSession, att, pIkeAppB, key,
+ keySize);
+ break;
+ case CKM_NSS_IKE_PRF_PLUS_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike_prf_plus(hSession, att,
+ (CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *)pMechanism->pParameter,
+ key, keySize);
+ break;
+ /*
+ * generate the master secret
+ */
+ case CKM_TLS12_MASTER_KEY_DERIVE:
+ case CKM_TLS12_MASTER_KEY_DERIVE_DH:
+ case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256:
+ case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256:
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_MASTER_KEY_DERIVE_DH:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_MASTER_KEY_DERIVE_DH: {
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
+ SSL3RSAPreMasterSecret *rsa_pms;
+ unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
+
+ if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) ||
+ (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master =
+ (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)pMechanism->pParameter;
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_master->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) ||
+ (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+ tlsPrfHash = HASH_AlgSHA256;
+ }
+
+ if ((mechanism != CKM_SSL3_MASTER_KEY_DERIVE) &&
+ (mechanism !=
CKM_SSL3_MASTER_KEY_DERIVE_DH)) { + isTLS = PR_TRUE; + } + if ((mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) || + (mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) || + (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) || + (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) { + isDH = PR_TRUE; + } + + /* first do the consistency checks */ + if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE); + if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue != + CKK_GENERIC_SECRET)) { + if (att2) + sftk_FreeAttribute(att2); + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + sftk_FreeAttribute(att2); + if (keyType != CKK_GENERIC_SECRET) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + + /* finally do the key gen */ + ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *) + pMechanism->pParameter; + + if (ssl3_master->pVersion) { + SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key); + rsa_pms = (SSL3RSAPreMasterSecret *)att->attrib.pValue; + /* don't leak more key material then necessary for SSL to work */ + if ((sessKey == NULL) || sessKey->wasDerived) { + ssl3_master->pVersion->major = 0xff; + ssl3_master->pVersion->minor = 0xff; + } else { + ssl3_master->pVersion->major = rsa_pms->client_version[0]; + ssl3_master->pVersion->minor = rsa_pms->client_version[1]; + } + } + if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + PORT_Memcpy(crsrdata, + ssl3_master->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH); + PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH, + ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH); + + if (isTLS) { + SECStatus status; 
+ SECItem crsr = { siBuffer, NULL, 0 }; + SECItem master = { siBuffer, NULL, 0 }; + SECItem pms = { siBuffer, NULL, 0 }; + + crsr.data = crsrdata; + crsr.len = sizeof crsrdata; + master.data = key_block; + master.len = SSL3_MASTER_SECRET_LENGTH; + pms.data = (unsigned char *)att->attrib.pValue; + pms.len = att->attrib.ulValueLen; + + if (tlsPrfHash != HASH_AlgNULL) { + status = TLS_P_hash(tlsPrfHash, &pms, "master secret", + &crsr, &master, isFIPS); + } else { + status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS); + } + if (status != SECSuccess) { + PORT_Memset(crsrdata, 0, sizeof crsrdata); + crv = CKR_FUNCTION_FAILED; + break; + } + } else { + /* now allocate the hash contexts */ + md5 = MD5_NewContext(); + if (md5 == NULL) { + PORT_Memset(crsrdata, 0, sizeof crsrdata); + crv = CKR_HOST_MEMORY; + break; + } + sha = SHA1_NewContext(); + if (sha == NULL) { + PORT_Memset(crsrdata, 0, sizeof crsrdata); + PORT_Free(md5); + crv = CKR_HOST_MEMORY; + break; + } + for (i = 0; i < 3; i++) { + SHA1_Begin(sha); + SHA1_Update(sha, (unsigned char *)mixers[i], strlen(mixers[i])); + SHA1_Update(sha, (const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + SHA1_Update(sha, crsrdata, sizeof crsrdata); + SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH); + PORT_Assert(outLen == SHA1_LENGTH); + + MD5_Begin(md5); + MD5_Update(md5, (const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + MD5_Update(md5, sha_out, outLen); + MD5_End(md5, &key_block[i * MD5_LENGTH], &outLen, MD5_LENGTH); + PORT_Assert(outLen == MD5_LENGTH); + } + PORT_Free(md5); + PORT_Free(sha); + PORT_Memset(crsrdata, 0, sizeof crsrdata); + PORT_Memset(sha_out, 0, sizeof sha_out); + } + + /* store the results */ + crv = sftk_forceAttribute(key, CKA_VALUE, key_block, SSL3_MASTER_SECRET_LENGTH); + PORT_Memset(key_block, 0, sizeof key_block); + if (crv != CKR_OK) + break; + keyType = CKK_GENERIC_SECRET; + crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + if 
(isTLS) { + /* TLS's master secret is used to "sign" finished msgs with PRF. */ + /* XXX This seems like a hack. But SFTK_Derive only accepts + * one "operation" argument. */ + crv = sftk_forceAttribute(key, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + break; + crv = sftk_forceAttribute(key, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + break; + /* While we're here, we might as well force this, too. */ + crv = sftk_forceAttribute(key, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + if (crv != CKR_OK) + break; + } + break; + } + + /* Extended master key derivation [draft-ietf-tls-session-hash] */ + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: { + CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *ems_params; + SSL3RSAPreMasterSecret *rsa_pms; + SECStatus status; + SECItem pms = { siBuffer, NULL, 0 }; + SECItem seed = { siBuffer, NULL, 0 }; + SECItem master = { siBuffer, NULL, 0 }; + + ems_params = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *) + pMechanism->pParameter; + + /* First do the consistency checks */ + if ((mechanism == CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE) && + (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE); + if ((att2 == NULL) || + (*(CK_KEY_TYPE *)att2->attrib.pValue != CKK_GENERIC_SECRET)) { + if (att2) + sftk_FreeAttribute(att2); + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + sftk_FreeAttribute(att2); + if (keyType != CKK_GENERIC_SECRET) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + + /* Do the key derivation */ + pms.data = (unsigned char *)att->attrib.pValue; + pms.len = att->attrib.ulValueLen; + seed.data = ems_params->pSessionHash; + seed.len = ems_params->ulSessionHashLen; + master.data = key_block; + master.len = 
SSL3_MASTER_SECRET_LENGTH; + if (ems_params->prfHashMechanism == CKM_TLS_PRF) { + /* + * In this case, the session hash is the concatenation of SHA-1 + * and MD5, so it should be 36 bytes long. + */ + if (seed.len != MD5_LENGTH + SHA1_LENGTH) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + + status = TLS_PRF(&pms, "extended master secret", + &seed, &master, isFIPS); + } else { + const SECHashObject *hashObj; + + tlsPrfHash = sftk_GetHashTypeFromMechanism(ems_params->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + + hashObj = HASH_GetRawHashObject(tlsPrfHash); + if (seed.len != hashObj->length) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + + status = TLS_P_hash(tlsPrfHash, &pms, "extended master secret", + &seed, &master, isFIPS); + } + if (status != SECSuccess) { + crv = CKR_FUNCTION_FAILED; + break; + } + + /* Reflect the version if required */ + if (ems_params->pVersion) { + SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key); + rsa_pms = (SSL3RSAPreMasterSecret *)att->attrib.pValue; + /* don't leak more key material than necessary for SSL to work */ + if ((sessKey == NULL) || sessKey->wasDerived) { + ems_params->pVersion->major = 0xff; + ems_params->pVersion->minor = 0xff; + } else { + ems_params->pVersion->major = rsa_pms->client_version[0]; + ems_params->pVersion->minor = rsa_pms->client_version[1]; + } + } + + /* Store the results */ + crv = sftk_forceAttribute(key, CKA_VALUE, key_block, + SSL3_MASTER_SECRET_LENGTH); + PORT_Memset(key_block, 0, sizeof key_block); + break; + } + + case CKM_TLS12_KEY_AND_MAC_DERIVE: + case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_SSL3_KEY_AND_MAC_DERIVE: { + CK_SSL3_KEY_MAT_PARAMS *ssl3_keys; + CK_SSL3_KEY_MAT_OUT *ssl3_keys_out; + CK_ULONG effKeySize; + unsigned int block_needed; + unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2]; + + if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) { + if 
(BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_KEY_MAT_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + CK_TLS12_KEY_MAT_PARAMS *tls12_keys = + (CK_TLS12_KEY_MAT_PARAMS *)pMechanism->pParameter; + tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_keys->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) { + tlsPrfHash = HASH_AlgSHA256; + } + + if (mechanism != CKM_SSL3_KEY_AND_MAC_DERIVE) { + isTLS = PR_TRUE; + } + + crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE); + if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue != + CKK_GENERIC_SECRET)) { + if (att2) + sftk_FreeAttribute(att2); + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + sftk_FreeAttribute(att2); + md5 = MD5_NewContext(); + if (md5 == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + sha = SHA1_NewContext(); + if (sha == NULL) { + MD5_DestroyContext(md5, PR_TRUE); + crv = CKR_HOST_MEMORY; + break; + } + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_SSL3_KEY_MAT_PARAMS))) { + MD5_DestroyContext(md5, PR_TRUE); + SHA1_DestroyContext(sha, PR_TRUE); + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter; + + PORT_Memcpy(srcrdata, + ssl3_keys->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH); + PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH, + ssl3_keys->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH); + + /* + * clear out our returned keys so we can recover on failure + */ + ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial; + ssl3_keys_out->hClientMacSecret = CK_INVALID_HANDLE; + ssl3_keys_out->hServerMacSecret = CK_INVALID_HANDLE; + ssl3_keys_out->hClientKey = CK_INVALID_HANDLE; + ssl3_keys_out->hServerKey = 
CK_INVALID_HANDLE; + + /* + * How much key material do we need? + */ + macSize = ssl3_keys->ulMacSizeInBits / 8; + effKeySize = ssl3_keys->ulKeySizeInBits / 8; + IVSize = ssl3_keys->ulIVSizeInBits / 8; + if (keySize == 0) { + effKeySize = keySize; + } + + /* bIsExport must be false. */ + if (ssl3_keys->bIsExport) { + MD5_DestroyContext(md5, PR_TRUE); + SHA1_DestroyContext(sha, PR_TRUE); + PORT_Memset(srcrdata, 0, sizeof srcrdata); + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + + block_needed = 2 * (macSize + effKeySize + IVSize); + PORT_Assert(block_needed <= sizeof key_block); + if (block_needed > sizeof key_block) + block_needed = sizeof key_block; + + /* + * generate the key material: This looks amazingly similar to the + * PMS code, and is clearly crying out for a function to provide it. + */ + if (isTLS) { + SECStatus status; + SECItem srcr = { siBuffer, NULL, 0 }; + SECItem keyblk = { siBuffer, NULL, 0 }; + SECItem master = { siBuffer, NULL, 0 }; + + srcr.data = srcrdata; + srcr.len = sizeof srcrdata; + keyblk.data = key_block; + keyblk.len = block_needed; + master.data = (unsigned char *)att->attrib.pValue; + master.len = att->attrib.ulValueLen; + + if (tlsPrfHash != HASH_AlgNULL) { + status = TLS_P_hash(tlsPrfHash, &master, "key expansion", + &srcr, &keyblk, isFIPS); + } else { + status = TLS_PRF(&master, "key expansion", &srcr, &keyblk, + isFIPS); + } + if (status != SECSuccess) { + goto key_and_mac_derive_fail; + } + } else { + unsigned int block_bytes = 0; + /* key_block = + * MD5(master_secret + SHA('A' + master_secret + + * ServerHello.random + ClientHello.random)) + + * MD5(master_secret + SHA('BB' + master_secret + + * ServerHello.random + ClientHello.random)) + + * MD5(master_secret + SHA('CCC' + master_secret + + * ServerHello.random + ClientHello.random)) + + * [...]; + */ + for (i = 0; i < NUM_MIXERS && block_bytes < block_needed; i++) { + SHA1_Begin(sha); + SHA1_Update(sha, (unsigned char *)mixers[i], strlen(mixers[i])); + SHA1_Update(sha, 
(const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + SHA1_Update(sha, srcrdata, sizeof srcrdata); + SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH); + PORT_Assert(outLen == SHA1_LENGTH); + MD5_Begin(md5); + MD5_Update(md5, (const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + MD5_Update(md5, sha_out, outLen); + MD5_End(md5, &key_block[i * MD5_LENGTH], &outLen, MD5_LENGTH); + PORT_Assert(outLen == MD5_LENGTH); + block_bytes += outLen; + } + PORT_Memset(sha_out, 0, sizeof sha_out); + } + + /* + * Put the key material where it goes. + */ + i = 0; /* now shows how much consumed */ + + /* + * The key_block is partitioned as follows: + * client_write_MAC_secret[CipherSpec.hash_size] + */ + crv = sftk_buildSSLKey(hSession, key, PR_TRUE, &key_block[i], macSize, + &ssl3_keys_out->hClientMacSecret); + if (crv != CKR_OK) + goto key_and_mac_derive_fail; + + i += macSize; + + /* + * server_write_MAC_secret[CipherSpec.hash_size] + */ + crv = sftk_buildSSLKey(hSession, key, PR_TRUE, &key_block[i], macSize, + &ssl3_keys_out->hServerMacSecret); + if (crv != CKR_OK) { + goto key_and_mac_derive_fail; + } + i += macSize; + + if (keySize) { + /* + ** Generate Domestic write keys and IVs. 
+ ** client_write_key[CipherSpec.key_material] + */ + crv = sftk_buildSSLKey(hSession, key, PR_FALSE, &key_block[i], + keySize, &ssl3_keys_out->hClientKey); + if (crv != CKR_OK) { + goto key_and_mac_derive_fail; + } + i += keySize; + + /* + ** server_write_key[CipherSpec.key_material] + */ + crv = sftk_buildSSLKey(hSession, key, PR_FALSE, &key_block[i], + keySize, &ssl3_keys_out->hServerKey); + if (crv != CKR_OK) { + goto key_and_mac_derive_fail; + } + i += keySize; + + /* + ** client_write_IV[CipherSpec.IV_size] + */ + if (IVSize > 0) { + PORT_Memcpy(ssl3_keys_out->pIVClient, + &key_block[i], IVSize); + i += IVSize; + } + + /* + ** server_write_IV[CipherSpec.IV_size] + */ + if (IVSize > 0) { + PORT_Memcpy(ssl3_keys_out->pIVServer, + &key_block[i], IVSize); + i += IVSize; + } + PORT_Assert(i <= sizeof key_block); + } + + crv = CKR_OK; + + if (0) { + key_and_mac_derive_fail: + if (crv == CKR_OK) + crv = CKR_FUNCTION_FAILED; + sftk_freeSSLKeys(hSession, ssl3_keys_out); + } + PORT_Memset(srcrdata, 0, sizeof srcrdata); + PORT_Memset(key_block, 0, sizeof key_block); + MD5_DestroyContext(md5, PR_TRUE); + SHA1_DestroyContext(sha, PR_TRUE); + sftk_FreeObject(key); + key = NULL; + break; + } + + case CKM_DES3_ECB_ENCRYPT_DATA: + case CKM_DES3_CBC_ENCRYPT_DATA: { + void *cipherInfo; + unsigned char des3key[MAX_DES3_KEY_SIZE]; + CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + mode = NSS_DES_EDE3; + iv = NULL; + data = stringPtr->pData; + len = stringPtr->ulLen; + } else { + mode = NSS_DES_EDE3_CBC; + desEncryptPtr = + (CK_DES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + iv = desEncryptPtr->iv; + data = desEncryptPtr->pData; + len = 
desEncryptPtr->length; + } + if (att->attrib.ulValueLen == 16) { + PORT_Memcpy(des3key, att->attrib.pValue, 16); + PORT_Memcpy(des3key + 16, des3key, 8); + } else if (att->attrib.ulValueLen == 24) { + PORT_Memcpy(des3key, att->attrib.pValue, 24); + } else { + crv = CKR_KEY_SIZE_RANGE; + break; + } + cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE); + PORT_Memset(des3key, 0, 24); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt, + cipherInfo, 8, key, keySize, + data, len); + DES_DestroyContext(cipherInfo, PR_TRUE); + break; + } + + case CKM_AES_ECB_ENCRYPT_DATA: + case CKM_AES_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) { + mode = NSS_AES; + iv = NULL; + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; + data = stringPtr->pData; + len = stringPtr->ulLen; + } else { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + aesEncryptPtr = + (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter; + mode = NSS_AES_CBC; + iv = aesEncryptPtr->iv; + data = aesEncryptPtr->pData; + len = aesEncryptPtr->length; + } + + cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE, + att->attrib.ulValueLen, 16); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + AES_DestroyContext(cipherInfo, PR_TRUE); + break; + } + + case CKM_CAMELLIA_ECB_ENCRYPT_DATA: + case CKM_CAMELLIA_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned 
char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + aesEncryptPtr = NULL; + mode = NSS_CAMELLIA; + data = stringPtr->pData; + len = stringPtr->ulLen; + iv = NULL; + } else { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = NULL; + aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + mode = NSS_CAMELLIA_CBC; + iv = aesEncryptPtr->iv; + data = aesEncryptPtr->pData; + len = aesEncryptPtr->length; + } + + cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE, + att->attrib.ulValueLen); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + Camellia_DestroyContext(cipherInfo, PR_TRUE); + break; + } + +#ifndef NSS_DISABLE_DEPRECATED_SEED + case CKM_SEED_ECB_ENCRYPT_DATA: + case CKM_SEED_CBC_ENCRYPT_DATA: { + void *cipherInfo; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + int mode; + unsigned char *iv; + unsigned char *data; + CK_ULONG len; + + if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + mode = NSS_SEED; + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) + pMechanism->pParameter; + aesEncryptPtr = NULL; + data = stringPtr->pData; + len = stringPtr->ulLen; + iv = NULL; + } else { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + mode = NSS_SEED_CBC; + aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) + pMechanism->pParameter; + iv = aesEncryptPtr->iv; + 
data = aesEncryptPtr->pData; + len = aesEncryptPtr->length; + } + + cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue, + iv, mode, PR_TRUE); + if (cipherInfo == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt, + cipherInfo, 16, key, keySize, + data, len); + SEED_DestroyContext(cipherInfo, PR_TRUE); + break; + } +#endif /* NSS_DISABLE_DEPRECATED_SEED */ + + case CKM_CONCATENATE_BASE_AND_KEY: { + SFTKObject *newKey; + + crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + crv = CKR_SESSION_HANDLE_INVALID; + break; + } + + newKey = sftk_ObjectFromHandle(*(CK_OBJECT_HANDLE *) + pMechanism->pParameter, + session); + sftk_FreeSession(session); + if (newKey == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + break; + } + + if (sftk_isTrue(newKey, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(newKey, CKA_SENSITIVE, &cktrue, + sizeof(CK_BBOOL)); + if (crv != CKR_OK) { + sftk_FreeObject(newKey); + break; + } + } + + att2 = sftk_FindAttribute(newKey, CKA_VALUE); + if (att2 == NULL) { + sftk_FreeObject(newKey); + crv = CKR_KEY_HANDLE_INVALID; + break; + } + tmpKeySize = att->attrib.ulValueLen + att2->attrib.ulValueLen; + if (keySize == 0) + keySize = tmpKeySize; + if (keySize > tmpKeySize) { + sftk_FreeObject(newKey); + sftk_FreeAttribute(att2); + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + buf = (unsigned char *)PORT_Alloc(tmpKeySize); + if (buf == NULL) { + sftk_FreeAttribute(att2); + sftk_FreeObject(newKey); + crv = CKR_HOST_MEMORY; + break; + } + + PORT_Memcpy(buf, att->attrib.pValue, att->attrib.ulValueLen); + PORT_Memcpy(buf + att->attrib.ulValueLen, + att2->attrib.pValue, att2->attrib.ulValueLen); + + crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize); + PORT_ZFree(buf, tmpKeySize); + sftk_FreeAttribute(att2); + sftk_FreeObject(newKey); + break; + } + + case CKM_CONCATENATE_BASE_AND_DATA: + 
crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; + tmpKeySize = att->attrib.ulValueLen + stringPtr->ulLen; + if (keySize == 0) + keySize = tmpKeySize; + if (keySize > tmpKeySize) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + buf = (unsigned char *)PORT_Alloc(tmpKeySize); + if (buf == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + + PORT_Memcpy(buf, att->attrib.pValue, att->attrib.ulValueLen); + PORT_Memcpy(buf + att->attrib.ulValueLen, stringPtr->pData, + stringPtr->ulLen); + + crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize); + PORT_ZFree(buf, tmpKeySize); + break; + case CKM_CONCATENATE_DATA_AND_BASE: + crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; + tmpKeySize = att->attrib.ulValueLen + stringPtr->ulLen; + if (keySize == 0) + keySize = tmpKeySize; + if (keySize > tmpKeySize) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + buf = (unsigned char *)PORT_Alloc(tmpKeySize); + if (buf == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + + PORT_Memcpy(buf, stringPtr->pData, stringPtr->ulLen); + PORT_Memcpy(buf + stringPtr->ulLen, att->attrib.pValue, + att->attrib.ulValueLen); + + crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize); + PORT_ZFree(buf, tmpKeySize); + break; + case CKM_XOR_BASE_AND_DATA: + crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + stringPtr = (CK_KEY_DERIVATION_STRING_DATA 
*)pMechanism->pParameter; + tmpKeySize = PR_MIN(att->attrib.ulValueLen, stringPtr->ulLen); + if (keySize == 0) + keySize = tmpKeySize; + if (keySize > tmpKeySize) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + buf = (unsigned char *)PORT_Alloc(keySize); + if (buf == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + + PORT_Memcpy(buf, att->attrib.pValue, keySize); + for (i = 0; i < (int)keySize; i++) { + buf[i] ^= stringPtr->pData[i]; + } + + crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize); + PORT_ZFree(buf, keySize); + break; + + case CKM_EXTRACT_KEY_FROM_KEY: { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_EXTRACT_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + /* the following assumes 8 bits per byte */ + CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter; + CK_ULONG shift = extract & 0x7; /* extract mod 8 the fast way */ + CK_ULONG offset = extract >> 3; /* extract div 8 the fast way */ + + crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE); + if (crv != CKR_OK) + break; + + if (keySize == 0) { + crv = CKR_TEMPLATE_INCOMPLETE; + break; + } + /* make sure we have enough bits in the original key */ + if (att->attrib.ulValueLen < + (offset + keySize + ((shift != 0) ? 
1 : 0))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + buf = (unsigned char *)PORT_Alloc(keySize); + if (buf == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + + /* copy the bits we need into the new key */ + for (i = 0; i < (int)keySize; i++) { + unsigned char *value = + ((unsigned char *)att->attrib.pValue) + offset + i; + if (shift) { + buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift)); + } else { + buf[i] = value[0]; + } + } + + crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize); + PORT_ZFree(buf, keySize); + break; + } + case CKM_MD2_KEY_DERIVATION: + if (keySize == 0) + keySize = MD2_LENGTH; + if (keySize > MD2_LENGTH) { + crv = CKR_TEMPLATE_INCONSISTENT; + break; + } + /* now allocate the hash contexts */ + md2 = MD2_NewContext(); + if (md2 == NULL) { + crv = CKR_HOST_MEMORY; + break; + } + MD2_Begin(md2); + MD2_Update(md2, (const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + MD2_End(md2, key_block, &outLen, MD2_LENGTH); + MD2_DestroyContext(md2, PR_TRUE); + + crv = sftk_forceAttribute(key, CKA_VALUE, key_block, keySize); + PORT_Memset(key_block, 0, MD2_LENGTH); + break; +#define DERIVE_KEY_HASH(hash) \ + case CKM_##hash##_KEY_DERIVATION: \ + if (keySize == 0) \ + keySize = hash##_LENGTH; \ + if (keySize > hash##_LENGTH) { \ + crv = CKR_TEMPLATE_INCONSISTENT; \ + break; \ + } \ + hash##_HashBuf(key_block, (const unsigned char *)att->attrib.pValue, \ + att->attrib.ulValueLen); \ + crv = sftk_forceAttribute(key, CKA_VALUE, key_block, keySize); \ + PORT_Memset(key_block, 0, hash##_LENGTH); \ + break; + DERIVE_KEY_HASH(MD5) + DERIVE_KEY_HASH(SHA1) + DERIVE_KEY_HASH(SHA224) + DERIVE_KEY_HASH(SHA256) + DERIVE_KEY_HASH(SHA384) + DERIVE_KEY_HASH(SHA512) + + case CKM_DH_PKCS_DERIVE: { + SECItem derived, dhPublic; + SECItem dhPrime, dhValue; + const SECItem *subPrime; + /* sourceKey - values for the local existing low key */ + /* get prime and value attributes */ + crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, 
CKA_PRIME); + if (crv != CKR_OK) + break; + + dhPublic.data = pMechanism->pParameter; + dhPublic.len = pMechanism->ulParameterLen; + + /* if the prime is an approved prime, we can skip all the other + * checks. */ + subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS); + if (subPrime == NULL) { + SECItem dhSubPrime; + /* If the caller set the subprime value, it means that + * either the caller knows the subprime value and wants us + * to validate the key against the subprime, or that the + * caller wants us to verify that the prime is a safe prime + * by passing in subprime = (prime-1)/2 */ + dhSubPrime.data = NULL; + dhSubPrime.len = 0; + crv = sftk_Attribute2SecItem(NULL, &dhSubPrime, + sourceKey, CKA_SUBPRIME); + /* we ignore the value of crv here, We treat a valid + * return of len = 0 and a failure to find a subrime the same + * NOTE: we free the subprime in both cases depending on + * PORT_Free of NULL to be a noop */ + if (dhSubPrime.len != 0) { + PRBool isSafe = PR_FALSE; + + /* Callers can set dhSubPrime to q=(p-1)/2 to force + * checks for safe primes. If so we only need to check + * q and p for primality and skip the group test. */ + rv = sftk_IsSafePrime(&dhPrime, &dhSubPrime, &isSafe); + if (rv != SECSuccess) { + /* either p or q was even and therefore not prime, + * we can stop processing here and fail now */ + crv = CKR_ARGUMENTS_BAD; + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); + SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE); + break; + } + + /* first make sure the primes are really prime */ + if (!KEA_PrimeCheck(&dhPrime)) { + crv = CKR_ARGUMENTS_BAD; + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); + SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE); + break; + } + if (!KEA_PrimeCheck(&dhSubPrime)) { + crv = CKR_ARGUMENTS_BAD; + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); + SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE); + break; + } + if (isFIPS || !isSafe) { + /* With safe primes, there is only one other small + * subgroup. As long as y isn't 0, 1, or -1 mod p, + * any other y is safe. 
Only do the full check for
+ * non-safe primes, except in FIPS mode we need
+ * to do this check on all primes in which
+ * we receive the subprime value */
+ if (!KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime)) {
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ break;
+ }
+ }
+ } else if (isFIPS) {
+ /* In FIPS mode we only accept approved primes, or
+ * primes with the full subprime value */
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ break;
+ }
+ /* checks are complete, no need for the subPrime any longer */
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ }
+
+ /* now that the prime is validated, get the private value */
+ crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ break;
+ }
+
+ /* calculate private value - oct */
+ rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
+
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhValue, PR_FALSE);
+
+ if (rv == SECSuccess) {
+ sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
+ SECITEM_ZfreeItem(&derived, PR_FALSE);
+ crv = CKR_OK;
+ } else
+ crv = CKR_HOST_MEMORY;
+
+ break;
+ }
+
+ case CKM_ECDH1_DERIVE:
+ case CKM_ECDH1_COFACTOR_DERIVE: {
+ SECItem ecScalar, ecPoint;
+ SECItem tmp;
+ PRBool withCofactor = PR_FALSE;
+ unsigned char *secret;
+ unsigned char *keyData = NULL;
+ unsigned int secretlen, pubKeyLen;
+ CK_ECDH1_DERIVE_PARAMS *mechParams;
+ NSSLOWKEYPrivateKey *privKey;
+ PLArenaPool *arena = NULL;
+
+ /* Check mechanism parameters */
+ mechParams = (CK_ECDH1_DERIVE_PARAMS *)pMechanism->pParameter;
+ if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
+ ((mechParams->kdf == CKD_NULL) &&
+ ((mechParams->ulSharedDataLen != 0) ||
+ (mechParams->pSharedData != NULL)))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ privKey = sftk_GetPrivKey(sourceKey, CKK_EC, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+
+ /* Now we are working with a non-NULL private key */
+ SECITEM_CopyItem(NULL, &ecScalar, &privKey->u.ec.privateValue);
+
+ ecPoint.data = mechParams->pPublicData;
+ ecPoint.len = mechParams->ulPublicDataLen;
+
+ pubKeyLen = EC_GetPointSize(&privKey->u.ec.ecParams);
+
+ /* if the len is too large, might be an encoded point */
+ if (ecPoint.len > pubKeyLen) {
+ SECItem newPoint;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto ec_loser;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &newPoint,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &ecPoint);
+ if (rv != SECSuccess) {
+ goto ec_loser;
+ }
+ ecPoint = newPoint;
+ }
+
+ if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
+ withCofactor = PR_TRUE;
+ }
+
+ rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
+ withCofactor, &tmp);
+ SECITEM_ZfreeItem(&ecScalar, PR_FALSE);
+ ecScalar.data = NULL;
+ if (privKey != sourceKey->objectInfo) {
+ nsslowkey_DestroyPrivateKey(privKey);
+ privKey = NULL;
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ arena = NULL;
+ }
+
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ /*
+ * apply the kdf function.
+ */
+ if (mechParams->kdf == CKD_NULL) {
+ /*
+ * tmp is the raw data created by ECDH_Derive,
+ * secret and secretlen are the values we will
+ * eventually pass as our generated key.
+ */
+ secret = tmp.data;
+ secretlen = tmp.len;
+ } else {
+ secretlen = keySize;
+ crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
+ &tmp, mechParams->pSharedData,
+ mechParams->ulSharedDataLen, mechParams->kdf);
+ PORT_ZFree(tmp.data, tmp.len);
+ if (crv != CKR_OK) {
+ break;
+ }
+ tmp.data = secret;
+ tmp.len = secretlen;
+ }
+
+ /*
+ * if keySize is supplied, then we are generating a key of a specific
+ * length. This is done by taking the least significant 'keySize'
+ * bytes from the unsigned value calculated by ECDH. Note: this may
+ * mean padding temp with extra leading zeros from what ECDH_Derive
+ * already returned (which itself may contain leading zeros).
+ */
+ if (keySize) {
+ if (secretlen < keySize) {
+ keyData = PORT_ZAlloc(keySize);
+ if (!keyData) {
+ PORT_ZFree(tmp.data, tmp.len);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);
+ secret = keyData;
+ } else {
+ secret += (secretlen - keySize);
+ }
+ secretlen = keySize;
+ }
+
+ sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
+ PORT_ZFree(tmp.data, tmp.len);
+ if (keyData) {
+ PORT_ZFree(keyData, keySize);
+ }
+ break;
+
+ ec_loser:
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&ecScalar, PR_FALSE);
+ if (privKey != sourceKey->objectInfo)
+ nsslowkey_DestroyPrivateKey(privKey);
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ break;
+ }
+ /* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
+ case CKM_NSS_HKDF_SHA1:
+ hashMech = CKM_SHA_1;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA256:
+ hashMech = CKM_SHA256;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA384:
+ hashMech = CKM_SHA384;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA512:
+ hashMech = CKM_SHA512;
+ goto hkdf;
+ hkdf : {
+ const CK_NSS_HKDFParams *params =
+ (const CK_NSS_HKDFParams *)pMechanism->pParameter;
+ CK_HKDF_PARAMS hkdfParams;
+
+ if (pMechanism->ulParameterLen != sizeof(CK_NSS_HKDFParams)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ hkdfParams.bExtract = params->bExtract;
+ hkdfParams.bExpand = params->bExpand;
+ if (params->pSalt) {
+ hkdfParams.ulSaltType = CKF_HKDF_SALT_DATA;
+ } else {
+ hkdfParams.ulSaltType = CKF_HKDF_SALT_NULL;
+ }
+ hkdfParams.pSalt = params->pSalt;
+ hkdfParams.ulSaltLen = params->ulSaltLen;
+ hkdfParams.hSaltKey = CK_INVALID_HANDLE;
+ hkdfParams.pInfo = params->pInfo;
+ hkdfParams.ulInfoLen = params->ulInfoLen;
+ hkdfParams.prfHashMechanism = hashMech;
+
+ crv = sftk_HKDF(&hkdfParams, hSession, sourceKey,
+ att->attrib.pValue, att->attrib.ulValueLen,
+ key, NULL, keySize, PR_FALSE, isFIPS);
+ } break;
+ case CKM_HKDF_DERIVE:
+ case CKM_HKDF_DATA: /* only difference is the class of key */
+ if ((pMechanism->pParameter == NULL) ||
+ (pMechanism->ulParameterLen != sizeof(CK_HKDF_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_HKDF((CK_HKDF_PARAMS_PTR)pMechanism->pParameter,
+ hSession, sourceKey, att->attrib.pValue,
+ att->attrib.ulValueLen, key, NULL, keySize, PR_TRUE,
+ isFIPS);
+ break;
+ case CKM_NSS_JPAKE_ROUND2_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpake2;
+ jpake2:
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound2Params))
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ if (crv == CKR_OK && sftk_isTrue(key, CKA_TOKEN))
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ if (crv == CKR_OK)
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv == CKR_OK)
+ crv = jpake_Round2(hashType,
+ (CK_NSS_JPAKERound2Params *)pMechanism->pParameter,
+ sourceKey, key);
+ break;
+
+ case CKM_NSS_JPAKE_FINAL_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpakeFinal;
+ jpakeFinal:
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKEFinalParams))
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ /* We purposely do not do the derive sensitivity check; we want to be
+ able to derive non-sensitive keys while allowing the ROUND1 and
+ ROUND2 keys to be sensitive (which they always are, since they are
+ in the CKO_PRIVATE_KEY class). The caller must include CKA_SENSITIVE
+ in the template in order for the resultant keyblock key to be
+ sensitive.
+ */
+ if (crv == CKR_OK)
+ crv = jpake_Final(hashType,
+ (CK_NSS_JPAKEFinalParams *)pMechanism->pParameter,
+ sourceKey, key);
+ break;
+
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_COUNTER_KDF: /* fall through */
+ case CKM_SP800_108_FEEDBACK_KDF: /* fall through */
+ case CKM_SP800_108_DOUBLE_PIPELINE_KDF:
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ crv = kbkdf_Dispatch(mechanism, hSession, pMechanism, sourceKey, key, keySize);
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ }
+ if (att) {
+ sftk_FreeAttribute(att);
+ }
+ sftk_FreeObject(sourceKey);
+ if (crv != CKR_OK) {
+ if (key)
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* link the key object into the list */
+ if (key) {
+ SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+ PORT_Assert(sessKey);
+ /* get the session */
+ sessKey->wasDerived = PR_TRUE;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_HOST_MEMORY;
+ }
+
+ crv = sftk_handleObject(key, session);
+ session->lastOpWasFIPS = key->isFIPS;
+ sftk_FreeSession(session);
+ *phKey = key->handle;
+ sftk_FreeObject(key);
+ }
+ return crv;
+}
+
+/* NSC_GetFunctionStatus obtains an updated status of a function running
+ * in parallel with an application. */
+CK_RV
+NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_CancelFunction cancels a function running in parallel */
+CK_RV
+NSC_CancelFunction(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_GetOperationState saves the state of the cryptographic
+ * operation in a session.
+ * NOTE: This code only works for digest functions for now. eventually need
+ * to add full flatten/resurect to our state stuff so that all types of state
+ * can be saved */
+CK_RV
+NSC_GetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen)
+{
+ SFTKSessionContext *context;
+ SFTKSession *session;
+ CK_RV crv;
+ CK_ULONG pOSLen = *pulOperationStateLen;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE) + sizeof(SFTKContextType);
+ if (pOperationState == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OK;
+ } else {
+ if (pOSLen < *pulOperationStateLen) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ }
+ PORT_Memcpy(pOperationState, &context->type, sizeof(SFTKContextType));
+ pOperationState += sizeof(SFTKContextType);
+ PORT_Memcpy(pOperationState, &context->currentMech,
+ sizeof(CK_MECHANISM_TYPE));
+ pOperationState += sizeof(CK_MECHANISM_TYPE);
+ PORT_Memcpy(pOperationState, context->cipherInfo, context->cipherInfoLen);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+#define sftk_Decrement(stateSize, len) \
+ stateSize = ((stateSize) > (CK_ULONG)(len)) ? ((stateSize) - (CK_ULONG)(len)) : 0;
+
+/* NSC_SetOperationState restores the state of the cryptographic
+ * operation in a session. This is coded like it can restore lots of
+ * states, but it only works for truly flat cipher structures. */
+CK_RV
+NSC_SetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
+ CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
+{
+ SFTKSessionContext *context;
+ SFTKSession *session;
+ SFTKContextType type;
+ CK_MECHANISM mech;
+ CK_RV crv = CKR_OK;
+
+ CHECK_FORK();
+
+ while (ulOperationStateLen != 0) {
+ /* get what type of state we're dealing with... */
+ PORT_Memcpy(&type, pOperationState, sizeof(SFTKContextType));
+
+ /* fix up session contexts based on type */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ context = sftk_ReturnContextByType(session, type);
+ sftk_SetContextByType(session, type, NULL);
+ if (context) {
+ sftk_FreeContext(context);
+ }
+ pOperationState += sizeof(SFTKContextType);
+ sftk_Decrement(ulOperationStateLen, sizeof(SFTKContextType));
+
+ /* get the mechanism structure */
+ PORT_Memcpy(&mech.mechanism, pOperationState, sizeof(CK_MECHANISM_TYPE));
+ pOperationState += sizeof(CK_MECHANISM_TYPE);
+ sftk_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
+ /* should be filled in... but not necessary for hash */
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+ switch (type) {
+ case SFTK_HASH:
+ crv = NSC_DigestInit(hSession, &mech);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE,
+ NULL);
+ if (crv != CKR_OK)
+ break;
+ PORT_Memcpy(context->cipherInfo, pOperationState,
+ context->cipherInfoLen);
+ pOperationState += context->cipherInfoLen;
+ sftk_Decrement(ulOperationStateLen, context->cipherInfoLen);
+ break;
+ default:
+ /* do sign/encrypt/decrypt later */
+ crv = CKR_SAVED_STATE_INVALID;
+ }
+ sftk_FreeSession(session);
+ if (crv != CKR_OK)
+ break;
+ }
+ return crv;
+}
+
+/* Dual-function cryptographic operations */
+
+/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption
+ * operation. */
+CK_RV
+NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_EncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_DigestUpdate(hSession, pPart, ulPartLen);
+
+ return crv;
+}
+
+/* NSC_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_RV
+NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+ CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_DecryptUpdate(hSession, pEncryptedPart, ulEncryptedPartLen,
+ pPart, pulPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_DigestUpdate(hSession, pPart, *pulPartLen);
+
+ return crv;
+}
+
+/* NSC_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_RV
+NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_EncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_SignUpdate(hSession, pPart, ulPartLen);
+
+ return crv;
+}
+
+/* NSC_DecryptVerifyUpdate continues a multiple-part decryption
+ * and verify operation. */
+CK_RV
+NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_DecryptUpdate(hSession, pEncryptedData, ulEncryptedDataLen,
+ pData, pulDataLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
+
+ return crv;
+}
+
+/* NSC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV
+NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session = NULL;
+ SFTKObject *key = NULL;
+ SFTKAttribute *att;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+
+ key = sftk_ObjectFromHandle(hKey, session);
+ sftk_FreeSession(session);
+ if (key == NULL)
+ return CKR_KEY_HANDLE_INVALID;
+
+ /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
+
+ /* make sure it's a valid key for this operation */
+ if (key->objclass != CKO_SECRET_KEY) {
+ sftk_FreeObject(key);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ /* get the key value */
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ sftk_FreeObject(key);
+ if (!att) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ crv = NSC_DigestUpdate(hSession, (CK_BYTE_PTR)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+ return crv;
+}
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
new file mode 100644
index 0000000000..b0408dc430
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -0,0 +1,977 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _PKCS11I_H_
+#define _PKCS11I_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+
+#include "sftkdbt.h"
+#include "chacha20poly1305.h"
+#include "hasht.h"
+
+#include "alghmac.h"
+#include "cmac.h"
+
+/*
+ * Configuration Defines
+ *
+ * The following defines affect the space verse speed trade offs of
+ * the PKCS #11 module. For the most part the current settings are optimized
+ * for web servers, where we want faster speed and lower lock contention at
+ * the expense of space.
+ */
+
+/*
+ * The attribute allocation strategy is static allocation:
+ * Attributes are pre-allocated as part of the session object and used from
+ * the object array.
+ */
+#define MAX_OBJS_ATTRS 45 /* number of attributes to preallocate in \
+ * the object (must me the absolute max) */
+#define ATTR_SPACE 50 /* Maximum size of attribute data before extra \
+ * data needs to be allocated. This is set to \
+ * enough space to hold an SSL MASTER secret */
+
+#define NSC_STRICT PR_FALSE /* forces the code to do strict template \
+ * matching when doing C_FindObject on token \
+ * objects. This will slow down search in \
+ * NSS. */
+/* default search block allocations and increments */
+#define NSC_CERT_BLOCK_SIZE 50
+#define NSC_SEARCH_BLOCK_SIZE 5
+#define NSC_SLOT_LIST_BLOCK_SIZE 10
+
+#define NSC_MIN_SESSION_OBJECT_HANDLE 1U
+
+#define NSC_FIPS_MODULE 1
+#define NSC_NON_FIPS_MODULE 0
+
+/* these are data base storage hashes, not cryptographic hashes.. The define
+ * the effective size of the various object hash tables */
+/* clients care more about memory usage than lookup performance on
+ * cyrptographic objects. Clients also have less objects around to play with
+
+ * we eventually should make this configurable at runtime! Especially now that
+ * NSS is a shared library.
+ */
+#define SPACE_ATTRIBUTE_HASH_SIZE 32
+#define SPACE_SESSION_OBJECT_HASH_SIZE 32
+#define SPACE_SESSION_HASH_SIZE 32
+#define TIME_ATTRIBUTE_HASH_SIZE 32
+#define TIME_SESSION_OBJECT_HASH_SIZE 1024
+#define TIME_SESSION_HASH_SIZE 1024
+#define MAX_OBJECT_LIST_SIZE 800
+/* how many objects to keep on the free list
+ * before we start freeing them */
+#define MAX_KEY_LEN 256 /* maximum symmetric key length in bytes */
+
+/*
+ * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
+ * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
+ * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
+ *
+ * HASH_SIZE LOG2_BUCKETS_PER BUCKETS_PER_LOCK NUMBER_OF_BUCKETS
+ * 1024 9 512 2
+ * 1024 5 32 32
+ * 1024 1 2 512
+ * 1024 0 1 1024
+ * 4096 11 2048 2
+ * 4096 9 512 8
+ * 4096 5 32 128
+ * 4096 1 2 2048
+ * 4096 0 1 4096
+ */
+#define LOG2_BUCKETS_PER_SESSION_LOCK 1
+#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
+/* NOSPREAD sessionID to hash table index macro has been slower. */
+
+/* define typedefs, double as forward declarations as well */
+typedef struct SFTKAttributeStr SFTKAttribute;
+typedef struct SFTKObjectListStr SFTKObjectList;
+typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
+typedef struct SFTKObjectListElementStr SFTKObjectListElement;
+typedef struct SFTKObjectStr SFTKObject;
+typedef struct SFTKSessionObjectStr SFTKSessionObject;
+typedef struct SFTKTokenObjectStr SFTKTokenObject;
+typedef struct SFTKSessionStr SFTKSession;
+typedef struct SFTKSlotStr SFTKSlot;
+typedef struct SFTKSessionContextStr SFTKSessionContext;
+typedef struct SFTKSearchResultsStr SFTKSearchResults;
+typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
+typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
+typedef struct SFTKOAEPInfoStr SFTKOAEPInfo;
+typedef struct SFTKPSSSignInfoStr SFTKPSSSignInfo;
+typedef struct SFTKPSSVerifyInfoStr SFTKPSSVerifyInfo;
+typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info;
+typedef struct SFTKChaCha20CtrInfoStr SFTKChaCha20CtrInfo;
+typedef struct SFTKItemTemplateStr SFTKItemTemplate;
+
+/* define function pointer typdefs for pointer tables */
+typedef void (*SFTKDestroy)(void *, PRBool);
+typedef void (*SFTKBegin)(void *);
+typedef SECStatus (*SFTKCipher)(void *, void *, unsigned int *, unsigned int,
+ void *, unsigned int);
+typedef SECStatus (*SFTKAEADCipher)(void *, void *, unsigned int *,
+ unsigned int, void *, unsigned int,
+ void *, unsigned int, void *, unsigned int);
+typedef SECStatus (*SFTKVerify)(void *, void *, unsigned int, void *, unsigned int);
+typedef void (*SFTKHash)(void *, const void *, unsigned int);
+typedef void (*SFTKEnd)(void *, void *, unsigned int *, unsigned int);
+typedef void (*SFTKFree)(void *);
+
+/* Value to tell if an attribute is modifiable or not.
+ * NEVER: attribute is only set on creation.
+ * ONCOPY: attribute is set on creation and can only be changed on copy.
+ * SENSITIVE: attribute can only be changed to TRUE.
+ * ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+ SFTK_NEVER = 0,
+ SFTK_ONCOPY = 1,
+ SFTK_SENSITIVE = 2,
+ SFTK_ALWAYS = 3
+} SFTKModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+ SFTK_DestroyFailure,
+ SFTK_Destroyed,
+ SFTK_Busy
+} SFTKFreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct SFTKAttributeStr {
+ SFTKAttribute *next;
+ SFTKAttribute *prev;
+ PRBool freeAttr;
+ PRBool freeData;
+ /*must be called handle to make sftkqueue_find work */
+ CK_ATTRIBUTE_TYPE handle;
+ CK_ATTRIBUTE attrib;
+ unsigned char space[ATTR_SPACE];
+};
+
+/*
+ * doubly link list of objects
+ */
+struct SFTKObjectListStr {
+ SFTKObjectList *next;
+ SFTKObjectList *prev;
+ SFTKObject *parent;
+};
+
+struct SFTKObjectFreeListStr {
+ SFTKObject *head;
+ PZLock *lock;
+ int count;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct SFTKObjectStr {
+ SFTKObject *next;
+ SFTKObject *prev;
+ CK_OBJECT_CLASS objclass;
+ CK_OBJECT_HANDLE handle;
+ int refCount;
+ PZLock *refLock;
+ SFTKSlot *slot;
+ void *objectInfo;
+ SFTKFree infoFree;
+ PRBool isFIPS;
+};
+
+struct SFTKTokenObjectStr {
+ SFTKObject obj;
+ SECItem dbKey;
+};
+
+struct SFTKSessionObjectStr {
+ SFTKObject obj;
+ SFTKObjectList sessionList;
+ PZLock *attributeLock;
+ SFTKSession *session;
+ PRBool wasDerived;
+ int nextAttr;
+ SFTKAttribute attrList[MAX_OBJS_ATTRS];
+ PRBool optimizeSpace;
+ unsigned int hashSize;
+ SFTKAttribute *head[1];
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct SFTKObjectListElementStr {
+ SFTKObjectListElement *next;
+ SFTKObject *object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct SFTKSearchResultsStr {
+ CK_OBJECT_HANDLE *handles;
+ int size;
+ int index;
+ int array_size;
+};
+
+/*
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+ SFTK_ENCRYPT,
+ SFTK_DECRYPT,
+ SFTK_HASH,
+ SFTK_SIGN,
+ SFTK_SIGN_RECOVER,
+ SFTK_VERIFY,
+ SFTK_VERIFY_RECOVER,
+ SFTK_MESSAGE_ENCRYPT,
+ SFTK_MESSAGE_DECRYPT,
+ SFTK_MESSAGE_SIGN,
+ SFTK_MESSAGE_VERIFY
+} SFTKContextType;
+
+/** max block size of supported block ciphers */
+#define SFTK_MAX_BLOCK_SIZE 16
+/** currently SHA512 is the biggest hash length */
+#define SFTK_MAX_MAC_LENGTH 64
+#define SFTK_INVALID_MAC_SIZE 0xffffffff
+
+/** Particular ongoing operation in session (sign/verify/digest/encrypt/...)
+ *
+ * Understanding sign/verify context:
+ * multi=1 hashInfo=0 block (symmetric) cipher MACing
+ * multi=1 hashInfo=X PKC S/V with prior hashing
+ * multi=0 hashInfo=0 PKC S/V one shot (w/o hashing)
+ * multi=0 hashInfo=X *** shouldn't happen ***
+ */
+struct SFTKSessionContextStr {
+ SFTKContextType type;
+ PRBool multi; /* is multipart */
+ PRBool rsa; /* is rsa */
+ PRBool doPad; /* use PKCS padding for block ciphers */
+ PRBool isXCBC; /* xcbc, use special handling in final */
+ PRBool isFIPS; /* current operation is in FIPS mode */
+ unsigned int blockSize; /* blocksize for padding */
+ unsigned int padDataLength; /* length of the valid data in padbuf */
+ /** latest incomplete block of data for block cipher */
+ unsigned char padBuf[SFTK_MAX_BLOCK_SIZE];
+ /** result of MAC'ing of latest full block of data with block cipher */
+ unsigned char macBuf[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k2[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k3[SFTK_MAX_BLOCK_SIZE];
+ CK_ULONG macSize; /* size of a general block cipher mac*/
+ void *cipherInfo;
+ void *hashInfo;
+ unsigned int cipherInfoLen;
+ CK_MECHANISM_TYPE currentMech;
+ SFTKCipher update;
+ SFTKAEADCipher aeadUpdate;
+ SFTKHash hashUpdate;
+ SFTKEnd end;
+ SFTKDestroy destroy;
+ SFTKDestroy hashdestroy;
+ SFTKVerify verify;
+ unsigned int maxLen;
+ SFTKObject *key;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct SFTKSessionStr {
+ SFTKSession *next;
+ SFTKSession *prev;
+ CK_SESSION_HANDLE handle;
+ PZLock *objectLock;
+ int objectIDCount;
+ CK_SESSION_INFO info;
+ CK_NOTIFY notify;
+ CK_VOID_PTR appData;
+ SFTKSlot *slot;
+ SFTKSearchResults *search;
+ SFTKSessionContext *enc_context;
+ SFTKSessionContext *hash_context;
+ SFTKSessionContext *sign_context;
+ PRBool lastOpWasFIPS;
+ SFTKObjectList *objects[1];
+};
+
+/*
+ * slots (have sessions and objects)
+ *
+ * The array of sessionLock's protect the session hash table (head[])
+ * as well as the reference count of session objects in that bucket
+ * (head[]->refCount), objectLock protects all elements of the slot's
+ * object hash tables (sessObjHashTable[] and tokObjHashTable), and
+ * sessionObjectHandleCount.
+ * slotLock protects the remaining protected elements:
+ * password, needLogin, isLoggedIn, ssoLoggedIn, and sessionCount,
+ * and pwCheckLock serializes the key database password checks in
+ * NSC_SetPIN and NSC_Login.
+ *
+ * Each of the fields below has the following lifetime as commented
+ * next to the fields:
+ * invariant - This value is set when the slot is first created and
+ * never changed until it is destroyed.
+ * per load - This value is set when the slot is first created, or
+ * when the slot is used to open another directory. Between open and close
+ * this field does not change.
+ * variable - This value changes through the normal process of slot operation.
+ * - reset. The value of this variable is cleared during an open/close
+ * cycles.
+ * - preserved. The value of this variable is preserved over open/close
+ * cycles.
+ */
+struct SFTKSlotStr {
+ CK_SLOT_ID slotID; /* invariant */
+ PZLock *slotLock; /* invariant */
+ PZLock **sessionLock; /* invariant */
+ unsigned int numSessionLocks; /* invariant */
+ unsigned long sessionLockMask; /* invariant */
+ PZLock *objectLock; /* invariant */
+ PRLock *pwCheckLock; /* invariant */
+ PRBool present; /* variable -set */
+ PRBool hasTokens; /* per load */
+ PRBool isLoggedIn; /* variable - reset */
+ PRBool ssoLoggedIn; /* variable - reset */
+ PRBool needLogin; /* per load */
+ PRBool DB_loaded; /* per load */
+ PRBool readOnly; /* per load */
+ PRBool optimizeSpace; /* invariant */
+ SFTKDBHandle *certDB; /* per load */
+ SFTKDBHandle *keyDB; /* per load */
+ int minimumPinLen; /* per load */
+ PRInt32 sessionIDCount; /* atomically incremented */
+ /* (preserved) */
+ int sessionIDConflict; /* not protected by a lock */
+ /* (preserved) */
+ int sessionCount; /* variable - reset */
+ PRInt32 rwSessionCount; /* set by atomic operations */
+ /* (reset) */
+ int sessionObjectHandleCount; /* variable - perserved */
+ CK_ULONG index; /* invariant */
+ PLHashTable *tokObjHashTable; /* invariant */
+ SFTKObject **sessObjHashTable; /* variable - reset */
+ unsigned int sessObjHashSize; /* invariant */
+ SFTKSession **head; /* variable -reset */
+ unsigned int sessHashSize; /* invariant */
+ char tokDescription[33]; /* per load */
+ char updateTokDescription[33]; /* per load */
+ char slotDescription[65]; /* invariant */
+ SFTKSession moduleObjects; /* global session to hang module specific
+ * objects like profile objects or
+ * validation objects */
+};
+
+/*
+ * special joint operations Contexts
+ */
+struct SFTKHashVerifyInfoStr {
+ SECOidTag hashOid;
+ void *params;
+ NSSLOWKEYPublicKey *key;
+};
+
+struct SFTKHashSignInfoStr {
+ SECOidTag hashOid;
+ void *params;
+ NSSLOWKEYPrivateKey *key;
+};
+
+struct SFTKPSSVerifyInfoStr {
+ size_t size; /* must be first */
+ CK_RSA_PKCS_PSS_PARAMS params;
+ NSSLOWKEYPublicKey *key;
+};
+
+struct SFTKPSSSignInfoStr {
+ size_t size; /* must be first */
+ CK_RSA_PKCS_PSS_PARAMS params;
+ NSSLOWKEYPrivateKey *key;
+};
+
+/**
+ * Contexts for RSA-OAEP
+ */
+struct SFTKOAEPInfoStr {
+ CK_RSA_PKCS_OAEP_PARAMS params;
+ PRBool isEncrypt;
+ union {
+ NSSLOWKEYPublicKey *pub;
+ NSSLOWKEYPrivateKey *priv;
+ } key;
+};
+
+/* context for the Final SSLMAC message */
+struct SFTKSSLMACInfoStr {
+ size_t size; /* must be first */
+ void *hashContext;
+ SFTKBegin begin;
+ SFTKHash update;
+ SFTKEnd end;
+ CK_ULONG macSize;
+ int padSize;
+ unsigned char key[MAX_KEY_LEN];
+ unsigned int keySize;
+};
+
+/* SFTKChaCha20Poly1305Info saves the key, tag length, nonce,
+ * and additional data for a ChaCha20+Poly1305 AEAD operation. */
+struct SFTKChaCha20Poly1305InfoStr {
+ ChaCha20Poly1305Context freeblCtx;
+ unsigned char nonce[12];
+ unsigned char ad[16];
+ unsigned char *adOverflow;
+ unsigned int adLen;
+};
+
+/* SFTKChaCha20BlockInfoStr the key, nonce and counter for a
+ * ChaCha20 block operation. */
+struct SFTKChaCha20CtrInfoStr {
+ PRUint8 key[32];
+ PRUint8 nonce[12];
+ PRUint32 counter;
+};
+
+/*
+ * Template based on SECItems, suitable for passing as arrays
+ */
+struct SFTKItemTemplateStr {
+ CK_ATTRIBUTE_TYPE type;
+ SECItem *item;
+};
+
+/* macro for setting SFTKTemplates. */
+#define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \
+ templ[count].type = attr; \
+ templ[count].item = itemPtr
+
+#define SFTK_MAX_ITEM_TEMPLATE 10
+
+/*
+ * session handle modifiers
+ */
+#define SFTK_SESSION_SLOT_MASK 0xff000000L
+
+/*
+ * object handle modifiers
+ */
+#define SFTK_TOKEN_MASK 0x80000000L
+#define SFTK_TOKEN_MAGIC 0x80000000L
+#define SFTK_TOKEN_TYPE_MASK 0x70000000L
+/* keydb (high bit == 0) */
+#define SFTK_TOKEN_TYPE_PRIV 0x10000000L
+#define SFTK_TOKEN_TYPE_PUB 0x20000000L
+#define SFTK_TOKEN_TYPE_KEY 0x30000000L
+/* certdb (high bit == 1) */
+#define SFTK_TOKEN_TYPE_TRUST 0x40000000L
+#define SFTK_TOKEN_TYPE_CRL 0x50000000L
+#define SFTK_TOKEN_TYPE_SMIME 0x60000000L
+#define SFTK_TOKEN_TYPE_CERT 0x70000000L
+
+#define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
+/* how big (in bytes) a password/pin we can deal with */
+#define SFTK_MAX_PIN 500
+/* minimum password/pin length (in Unicode characters) in FIPS mode */
+#define FIPS_MIN_PIN 7
+
+/* slot ID's */
+#define NETSCAPE_SLOT_ID 1
+#define PRIVATE_KEY_SLOT_ID 2
+#define FIPS_SLOT_ID 3
+
+/* slot helper macros */
+#define sftk_SlotFromSession(sp) ((sp)->slot)
+#define sftk_isToken(id) (((id)&SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
+#define sftk_isFIPS(id) \
+ (((id) == FIPS_SLOT_ID) || ((id) >= SFTK_MIN_FIPS_USER_SLOT_ID))
+
+/* the session hash multiplier (see bug 201081) */
+#define SHMULTIPLIER 1791398085
+
+/* queueing helper macros */
+#define sftk_hash(value, size) \
+ ((PRUint32)((value)*SHMULTIPLIER) & (size - 1))
+#define sftkqueue_add(element, id, head, hash_size) \
+ { \
+ int tmp = sftk_hash(id, hash_size); \
+ (element)->next = (head)[tmp]; \
+ (element)->prev = NULL; \
+ if ((head)[tmp]) \
+ (head)[tmp]->prev = (element); \
+ (head)[tmp] = (element); \
+ }
+#define sftkqueue_find(element, id, head, hash_size) \
+ for ((element) = (head)[sftk_hash(id, hash_size)]; (element) != NULL; \
+ (element) = (element)->next) { \
+ if ((element)->handle == (id)) { \
+ break; \
+ } \
+ }
+#define sftkqueue_is_queued(element, id, head, hash_size) \
+ (((element)->next) || ((element)->prev) || \
+ ((head)[sftk_hash(id, hash_size)] == (element)))
+#define sftkqueue_delete(element, id, head, hash_size) \
+ if ((element)->next) \
+ (element)->next->prev = (element)->prev; \
+ if ((element)->prev) \
+ (element)->prev->next = (element)->next; \
+ else \
+ (head)[sftk_hash(id, hash_size)] = ((element)->next); \
+ (element)->next = NULL; \
+ (element)->prev = NULL;
+
+#define sftkqueue_init_element(element) \
+ (element)->prev = NULL;
+
+#define sftkqueue_add2(element, id, index, head) \
+ { \
+ (element)->next = (head)[index]; \
+ if ((head)[index]) \
+ (head)[index]->prev = (element); \
+ (head)[index] = (element); \
+ }
+
+#define sftkqueue_find2(element, id, index, head) \
+ for ((element) = (head)[index]; \
+ (element) != NULL; \
+ (element) = (element)->next) { \
+ if ((element)->handle == (id)) { \
+ break; \
+ } \
+ }
+
+#define sftkqueue_delete2(element, id, index, head) \
+ if ((element)->next) \
+ (element)->next->prev = (element)->prev; \
+ if ((element)->prev) \
+ (element)->prev->next = (element)->next; \
+ else \
+ (head)[index] = ((element)->next);
+
+#define sftkqueue_clear_deleted_element(element) \
+ (element)->next = NULL; \
+ (element)->prev = NULL;
+
+/* sessionID (handle) is used to determine session lock bucket */
+#ifdef NOSPREAD
+/* NOSPREAD: (ID>>L2LPB) & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot, handle) \
+ ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) & (slot)->sessionLockMask])
+#else
+/* SPREAD: ID & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot, handle) \
+ ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
+#endif
+
+/* expand an attribute & secitem structures out */
+#define sftk_attr_expand(ap) (ap)->type, (ap)->pValue, (ap)->ulValueLen
+#define sftk_item_expand(ip) (ip)->data, (ip)->len
+
+typedef struct sftk_token_parametersStr {
+ CK_SLOT_ID slotID;
+ char *configdir;
+ char *certPrefix;
+ char *keyPrefix;
+ char *updatedir;
+ char *updCertPrefix;
+ char *updKeyPrefix;
+ char *updateID;
+ char *tokdes;
+ char *slotdes;
+ char *updtokdes;
+ int minPW;
+ PRBool readOnly;
+ PRBool noCertDB;
+ PRBool noKeyDB;
+ PRBool forceOpen;
+ PRBool pwRequired;
+ PRBool optimizeSpace;
+} sftk_token_parameters;
+
+typedef struct sftk_parametersStr {
+ char *configdir;
+ char *updatedir;
+ char *updateID;
+ char *secmodName;
+ char *man;
+ char *libdes;
+ PRBool readOnly;
+ PRBool noModDB;
+ PRBool noCertDB;
+ PRBool forceOpen;
+ PRBool pwRequired;
+ PRBool optimizeSpace;
+ sftk_token_parameters *tokens;
+ int token_count;
+} sftk_parameters;
+
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+
+struct sftk_MACConstantTimeCtxStr {
+ const SECHashObject *hash;
+ unsigned char mac[64];
+ unsigned char secret[64];
+ unsigned int headerLength;
+ unsigned int secretLength;
+ unsigned int totalLength;
+ unsigned char header[75];
+};
+typedef struct sftk_MACConstantTimeCtxStr sftk_MACConstantTimeCtx;
+
+struct sftk_MACCtxStr {
+ /* This is a common MAC context that supports both HMAC and CMAC
+ * operations. This also presents a unified set of semantics:
+ *
+ * - Everything except Destroy returns a CK_RV, indicating success
+ * or failure. (This handles the difference between HMAC's and CMAC's
+ * interfaces, since the underlying AES _might_ fail with CMAC).
+ *
+ * - The underlying MAC is started on Init(...), so Update(...) can
+ * called right away. (This handles the difference between HMAC and
+ * CMAC in their *_Init(...) functions).
+ *
+ * - Calling semantics:
+ *
+ * - One of sftk_MAC_{Create,Init,InitRaw}(...) to set up the MAC
+ * context, checking the return code.
+ * - sftk_MAC_Update(...) as many times as necessary to process
+ * input data, checking the return code.
+ * - sftk_MAC_Finish(...) to get the output of the MAC; result_len
+ * may be NULL if the caller knows the expected output length,
+ * checking the return code. If result_len is NULL, this will
+ * PR_ASSERT(...) that the actual returned length was equal to
+ * max_result_len.
+ *
+ * Note: unlike HMAC_Finish(...), this allows the caller to specify
+ * a return value less than return length, to align with
+ * CMAC_Finish(...)'s semantics. This will force an additional
+ * stack allocation of size SFTK_MAX_MAC_LENGTH.
+ * - sftk_MAC_Reset(...) if the caller wishes to compute a new MAC
+ * with the same key, checking the return code.
+ * - sftk_MAC_Destroy(...) when the caller frees its associated
+ * memory, passing PR_TRUE if sftk_MAC_Create(...) was called,
+ * and PR_FALSE otherwise.
+ */
+
+ CK_MECHANISM_TYPE mech;
+ unsigned int mac_size;
+
+ union {
+ HMACContext *hmac;
+ CMACContext *cmac;
+
+ /* Functions to update when adding a new MAC or a new hash:
+ *
+ * - sftk_MAC_Init
+ * - sftk_MAC_Update
+ * - sftk_MAC_Finish
+ * - sftk_MAC_Reset
+ */
+ void *raw;
+ } mac;
+
+ void (*destroy_func)(void *ctx, PRBool free_it);
+};
+typedef struct sftk_MACCtxStr sftk_MACCtx;
+
+extern CK_NSS_MODULE_FUNCTIONS sftk_module_funcList;
+extern CK_NSS_FIPS_FUNCTIONS sftk_fips_funcList;
+
+SEC_BEGIN_PROTOS
+
+/* shared functions between pkcs11.c and fipstokn.c */
+extern PRBool nsf_init;
+extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv);
+extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent,
+ CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount,
+ unsigned int moduleIndex);
+
+/* slot initialization, reinit, shutdown and destruction */
+extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+ sftk_token_parameters *params,
+ unsigned int moduleIndex);
+extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
+ char *updatedir, char *updateID,
+ sftk_token_parameters *params,
+ unsigned int moduleIndex);
+extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
+extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
+extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout);
+
+/* internal utility functions used by pkcs11.c */
+extern CK_RV sftk_MapCryptError(int error);
+extern CK_RV sftk_MapDecryptError(int error);
+extern CK_RV sftk_MapVerifyError(int error);
+extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern void sftk_FreeAttribute(SFTKAttribute *attribute);
+extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *valPtr, CK_ULONG length);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena,
+ SFTKObject *object,
+ SFTKItemTemplate *templ, int count);
+extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
+ unsigned int bufLen);
+extern CK_RV sftk_ConstrainAttribute(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type, int minLength,
+ int maxLength, int minMultiple);
+extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_DeleteAttributeType(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
+ CK_OBJECT_CLASS inClass);
+extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_nullAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV 
sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + CK_ULONG *longData); +extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *value, unsigned int len); +extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *value, unsigned int len); +extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth); + +extern SFTKObject *sftk_NewObject(SFTKSlot *slot); +extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject); +extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object); +extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object); +extern void sftk_ReferenceObject(SFTKObject *object); +extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, + SFTKSession *session); +extern CK_OBJECT_HANDLE sftk_getNextHandle(SFTKSlot *slot); +extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object); +extern void sftk_AddObject(SFTKSession *session, SFTKObject *object); +/* clear out all the existing object ID to database key mappings. 
+ * used to reinit a token */ +extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot); + +extern CK_RV sftk_searchObjectList(SFTKSearchResults *search, + SFTKObject **head, unsigned int size, + PZLock *lock, CK_ATTRIBUTE_PTR inTemplate, + int count, PRBool isLoggedIn); +extern SFTKObjectListElement *sftk_FreeObjectListElement( + SFTKObjectListElement *objectList); +extern void sftk_FreeObjectList(SFTKObjectListElement *objectList); +extern void sftk_FreeSearch(SFTKSearchResults *search); +extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session); + +extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all); +extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle); +extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle); +extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle); +extern void sftk_FreeSession(SFTKSession *session); +extern void sftk_ClearSession(SFTKSession *session); +extern void sftk_DestroySession(SFTKSession *session); +extern CK_RV sftk_InitSession(SFTKSession *session, SFTKSlot *slot, + CK_SLOT_ID slotID, CK_NOTIFY notify, + CK_VOID_PTR pApplication, CK_FLAGS flags); +extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, + CK_VOID_PTR pApplication, CK_FLAGS flags); +extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session); +extern void sftk_update_all_states(SFTKSlot *slot); +extern void sftk_InitFreeLists(void); +extern void sftk_CleanupFreeLists(void); + +/* + * Helper functions to handle the session crypto contexts + */ +extern CK_RV sftk_InitGeneric(SFTKSession *session, + CK_MECHANISM *pMechanism, + SFTKSessionContext **contextPtr, + SFTKContextType ctype, SFTKObject **keyPtr, + CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr, + CK_OBJECT_CLASS pubKeyType, + CK_ATTRIBUTE_TYPE operation); +void sftk_SetContextByType(SFTKSession *session, SFTKContextType type, + SFTKSessionContext *context); +extern CK_RV sftk_GetContext(CK_SESSION_HANDLE handle, 
+ SFTKSessionContext **contextPtr, + SFTKContextType type, PRBool needMulti, + SFTKSession **sessionPtr); +extern void sftk_TerminateOp(SFTKSession *session, SFTKContextType ctype, + SFTKSessionContext *context); +extern void sftk_FreeContext(SFTKSessionContext *context); + +extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object, + CK_KEY_TYPE key_type, CK_RV *crvp); +extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object, + CK_KEY_TYPE key_type, CK_RV *crvp); +extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey, CK_KEY_TYPE keyType, + NSSLOWKEYPublicKey *pubKey); +extern void sftk_FormatDESKey(unsigned char *key, int length); +extern PRBool sftk_CheckDESKey(unsigned char *key); +extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type); +extern void sftk_EncodeInteger(PRUint64 integer, CK_ULONG num_bits, CK_BBOOL littleEndian, + CK_BYTE_PTR output, CK_ULONG_PTR output_len); + +/* ike and xcbc helpers */ +extern CK_RV sftk_ike_prf(CK_SESSION_HANDLE hSession, + const SFTKAttribute *inKey, + const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey); +extern CK_RV sftk_ike1_prf(CK_SESSION_HANDLE hSession, + const SFTKAttribute *inKey, + const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey, + unsigned int keySize); +extern CK_RV sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession, + const SFTKAttribute *inKey, + const CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *params, + SFTKObject *outKey, + unsigned int keySize); +extern CK_RV sftk_ike_prf_plus(CK_SESSION_HANDLE hSession, + const SFTKAttribute *inKey, + const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey, + unsigned int keySize); +extern CK_RV sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey, + unsigned char *k2, unsigned char *k3); +extern CK_RV sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen, + unsigned int blockSize, const unsigned char *k2, + const unsigned char *k3); +extern 
SECStatus sftk_fips_IKE_PowerUpSelfTests(void); + +/* mechanism allows this operation */ +extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op); + +/* helper function which calls nsslowkey_FindKeyByPublicKey after safely + * acquiring a reference to the keydb from the slot */ +NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey); + +/* + * parameter parsing functions + */ +CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS); +void sftk_freeParams(sftk_parameters *params); +PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved); + +/* + * narrow objects + */ +SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *); +SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *); + +/* + * token object utilities + */ +void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle); +PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, + CK_OBJECT_HANDLE handle); +SFTKObject *sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, + CK_OBJECT_HANDLE handle); +SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so); + +/* J-PAKE (jpakesftk.c) */ +extern CK_RV jpake_Round1(HASH_HashType hashType, + CK_NSS_JPAKERound1Params *params, + SFTKObject *key); +extern CK_RV jpake_Round2(HASH_HashType hashType, + CK_NSS_JPAKERound2Params *params, + SFTKObject *sourceKey, SFTKObject *key); +extern CK_RV jpake_Final(HASH_HashType hashType, + const CK_NSS_JPAKEFinalParams *params, + SFTKObject *sourceKey, SFTKObject *key); + +/* Constant time MAC functions (hmacct.c) */ +sftk_MACConstantTimeCtx *sftk_HMACConstantTime_New( + CK_MECHANISM_PTR mech, SFTKObject *key); +sftk_MACConstantTimeCtx *sftk_SSLv3MACConstantTime_New( + CK_MECHANISM_PTR mech, SFTKObject *key); +void sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len); +void sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len); +void 
sftk_MACConstantTime_EndHash( + void *pctx, void *out, unsigned int *outLength, unsigned int maxLength); +void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool); + +/* Crypto Utilities */ +HASH_HashType sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech); + +/**************************************** + * implement TLS Pseudo Random Function (PRF) + */ + +extern CK_RV +sftk_TLSPRFInit(SFTKSessionContext *context, + SFTKObject *key, + CK_KEY_TYPE key_type, + HASH_HashType hash_alg, + unsigned int out_len); + +/* PKCS#11 MAC implementation. See sftk_MACCtxStr declaration above for + * calling semantics for these functions. */ +HASH_HashType sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech); +CK_RV sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx); +CK_RV sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key); +CK_RV sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS); +CK_RV sftk_MAC_Update(sftk_MACCtx *ctx, const CK_BYTE *data, unsigned int data_len); +CK_RV sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len); +CK_RV sftk_MAC_Reset(sftk_MACCtx *ctx); +void sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it); + +/* constant time helpers */ +unsigned int sftk_CKRVToMask(CK_RV rv); +CK_RV sftk_CheckCBCPadding(CK_BYTE_PTR pBuf, unsigned int bufLen, + unsigned int blockSize, unsigned int *outPadSize); + +/* NIST 800-108 (kbkdf.c) implementations */ +extern CK_RV kbkdf_Dispatch(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, SFTKObject *base_key, SFTKObject *ret_key, CK_ULONG keySize); +extern SECStatus sftk_fips_SP800_108_PowerUpSelfTests(void); + +/* export the HKDF function for use in PowerupSelfTests */ +CK_RV sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_SESSION_HANDLE hSession, + SFTKObject *sourceKey, const unsigned char *sourceKeyBytes, + int sourceKeyLen, 
SFTKObject *key,
+ unsigned char *outKeyBytes, int keySize,
+ PRBool canBeData, PRBool isFIPS);
+
+char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args);
+
+/* dh verify functions */
+/* verify that dhPrime matches one of our known primes, and if so return
+ * it's subprime value */
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
+/* check if dhSubPrime claims dhPrime is a safe prime. */
+SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
+/* map an operation Attribute to a Mechanism flag */
+CK_FLAGS sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE op);
+/* check the FIPS table to determine if this current operation is allowed by
+ * FIPS security policy */
+PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source);
+/* add validation objects to the slot */
+CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
+
+SEC_END_PROTOS
+
+#endif /* _PKCS11I_H_ */
diff --git a/security/nss/lib/softoken/pkcs11ni.h b/security/nss/lib/softoken/pkcs11ni.h
new file mode 100644
index 0000000000..612842c938
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11ni.h
@@ -0,0 +1,20 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _PKCS11NI_H_
+#define _PKCS11NI_H_
+
+/*
+ * pkcs11ni.h
+ *
+ * This file contains softoken private exports for NSS
+ */
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+#endif /* _PKCS11NI_H_ */
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
new file mode 100644
index 0000000000..f483060986
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.c
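Review bot: The four slot ID bounds in pkcs11ni.h are bare magic numbers with no comment on what the two ranges represent or why they split at 100/101, and the header gives no hint of what occupies the IDs below SFTK_MIN_USER_SLOT_ID. Anyone validating a configured slot ID against these bounds has to go find the callers to learn the contract. Consider a comment above the block, e.g. `/* user-configurable token slot IDs: non-FIPS tokens take 4..100, FIPS tokens 101..127; the two ranges must not overlap (lower IDs are presumably reserved for the built-in slots -- confirm) */`. If the header ever gains an NSPR include, a PR_STATIC_ASSERT that SFTK_MAX_USER_SLOT_ID is less than SFTK_MIN_FIPS_USER_SLOT_ID would make the disjointness self-checking rather than a convention.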
@@ -0,0 +1,2563 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "prnetdb.h" /* for PR_ntohl */
+#include "sftkdb.h"
+#include "softoken.h"
+#include "secoid.h"
+#include "softkver.h"
+
+#if !defined(NSS_FIPS_DISABLED) && defined(NSS_ENABLE_FIPS_INDICATORS)
+/* this file should be supplied by the vendor and include all the
+ * algorithms which have Algorithm certs and have been reviewed by
+ * the lab. A blank file is included for the base so that FIPS mode
+ * will still be compiled and run, but FIPS indicators will always
+ * return PR_FALSE
+ */
+#include "fips_algorithms.h"
+#define NSS_HAS_FIPS_INDICATORS 1
+#endif
+
+/*
+ * ******************** Error mapping *******************************
+ */
+/*
+ * map all the SEC_ERROR_xxx error codes that may be returned by freebl
+ * functions to CKR_xxx. return CKR_DEVICE_ERROR by default for backward
+ * compatibility.
+ */
+CK_RV
+sftk_MapCryptError(int error)
+{
+ switch (error) {
+ case SEC_ERROR_INVALID_ARGS:
+ case SEC_ERROR_BAD_DATA: /* MP_RANGE gets mapped to this */
+ return CKR_ARGUMENTS_BAD;
+ case SEC_ERROR_INPUT_LEN:
+ return CKR_DATA_LEN_RANGE;
+ case SEC_ERROR_OUTPUT_LEN:
+ return CKR_BUFFER_TOO_SMALL;
+ case SEC_ERROR_LIBRARY_FAILURE:
+ return CKR_GENERAL_ERROR;
+ case SEC_ERROR_NO_MEMORY:
+ return CKR_HOST_MEMORY;
+ case SEC_ERROR_BAD_SIGNATURE:
+ return CKR_SIGNATURE_INVALID;
+ case SEC_ERROR_INVALID_KEY:
+ return CKR_KEY_SIZE_RANGE;
+ case SEC_ERROR_BAD_KEY: /* an EC public key that fails validation */
+ return CKR_KEY_SIZE_RANGE; /* the closest error code */
+ case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
+ return CKR_TEMPLATE_INCONSISTENT;
+ case SEC_ERROR_UNSUPPORTED_KEYALG:
+ return CKR_MECHANISM_INVALID;
+ case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
+ return CKR_DOMAIN_PARAMS_INVALID;
+ /* key pair generation failed after max number of attempts */
+ case SEC_ERROR_NEED_RANDOM:
+ return CKR_FUNCTION_FAILED;
+ }
+ return CKR_DEVICE_ERROR;
+}
+
+/*
+ * functions which adjust the mapping based on different contexts
+ * (Decrypt or Verify).
+ */
+
+/* used by Decrypt and UnwrapKey (indirectly) and Decrypt message */
+CK_RV
+sftk_MapDecryptError(int error)
+{
+ switch (error) {
+ /* usually a padding error, or aead tag mismatch */
+ case SEC_ERROR_BAD_DATA:
+ return CKR_ENCRYPTED_DATA_INVALID;
+ default:
+ return sftk_MapCryptError(error);
+ }
+}
+
+/*
+ * return CKR_SIGNATURE_INVALID instead of CKR_DEVICE_ERROR by default for
+ * backward compatibilty.
+ */
+CK_RV
+sftk_MapVerifyError(int error)
+{
+ CK_RV crv = sftk_MapCryptError(error);
+ if (crv == CKR_DEVICE_ERROR)
+ crv = CKR_SIGNATURE_INVALID;
+ return crv;
+}
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * create a new attribute with type, value, and length. Space is allocated
+ * to hold value.
+ */ +static SFTKAttribute * +sftk_NewAttribute(SFTKObject *object, + CK_ATTRIBUTE_TYPE type, const void *value, CK_ULONG len) +{ + SFTKAttribute *attribute; + + SFTKSessionObject *so = sftk_narrowToSessionObject(object); + int index; + + if (so == NULL) { + /* allocate new attribute in a buffer */ + PORT_Assert(0); + return NULL; + } + /* + * We attempt to keep down contention on Malloc and Arena locks by + * limiting the number of these calls on high traversed paths. This + * is done for attributes by 'allocating' them from a pool already + * allocated by the parent object. + */ + PZ_Lock(so->attributeLock); + index = so->nextAttr++; + PZ_Unlock(so->attributeLock); + PORT_Assert(index < MAX_OBJS_ATTRS); + if (index >= MAX_OBJS_ATTRS) + return NULL; + + attribute = &so->attrList[index]; + attribute->attrib.type = type; + attribute->freeAttr = PR_FALSE; + attribute->freeData = PR_FALSE; + if (value) { + if (len <= ATTR_SPACE) { + attribute->attrib.pValue = attribute->space; + } else { + attribute->attrib.pValue = PORT_Alloc(len); + attribute->freeData = PR_TRUE; + } + if (attribute->attrib.pValue == NULL) { + return NULL; + } + PORT_Memcpy(attribute->attrib.pValue, value, len); + attribute->attrib.ulValueLen = len; + } else { + attribute->attrib.pValue = NULL; + attribute->attrib.ulValueLen = 0; + } + attribute->attrib.type = type; + attribute->handle = type; + attribute->next = attribute->prev = NULL; + return attribute; +} + +/* + * Free up all the memory associated with an attribute. Reference count + * must be zero to call this. + */ +static void +sftk_DestroyAttribute(SFTKAttribute *attribute) +{ + if (attribute->attrib.pValue) { + /* clear out the data in the attribute value... 
it may have been + * sensitive data */ + PORT_Memset(attribute->attrib.pValue, 0, attribute->attrib.ulValueLen); + if (attribute->freeData) { + PORT_Free(attribute->attrib.pValue); + attribute->attrib.pValue = NULL; + attribute->freeData = PR_FALSE; + } + } + if (attribute->freeAttr) { + PORT_Free(attribute); + } +} + +/* + * release a reference to an attribute structure + */ +void +sftk_FreeAttribute(SFTKAttribute *attribute) +{ + if (attribute && attribute->freeAttr) { + sftk_DestroyAttribute(attribute); + return; + } +} + +static SFTKAttribute * +sftk_FindTokenAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *myattribute = NULL; + SFTKDBHandle *dbHandle = NULL; + CK_RV crv = CKR_HOST_MEMORY; + + myattribute = (SFTKAttribute *)PORT_Alloc(sizeof(SFTKAttribute)); + if (myattribute == NULL) { + goto loser; + } + + dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle); + + myattribute->handle = type; + myattribute->attrib.type = type; + myattribute->attrib.pValue = myattribute->space; + myattribute->attrib.ulValueLen = ATTR_SPACE; + myattribute->next = myattribute->prev = NULL; + myattribute->freeAttr = PR_TRUE; + myattribute->freeData = PR_FALSE; + + crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, + &myattribute->attrib, 1); + + /* attribute is bigger than our attribute space buffer, malloc it */ + if (crv == CKR_BUFFER_TOO_SMALL) { + myattribute->attrib.pValue = NULL; + crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, + &myattribute->attrib, 1); + if (crv != CKR_OK) { + goto loser; + } + myattribute->attrib.pValue = PORT_Alloc(myattribute->attrib.ulValueLen); + if (myattribute->attrib.pValue == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + myattribute->freeData = PR_TRUE; + crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, + &myattribute->attrib, 1); + } +loser: + if (dbHandle) { + sftk_freeDB(dbHandle); + } + if (crv != CKR_OK) { + if (myattribute) { + 
myattribute->attrib.ulValueLen = 0; + sftk_FreeAttribute(myattribute); + myattribute = NULL; + } + } + return myattribute; +} + +/* + * look up and attribute structure from a type and Object structure. + * The returned attribute is referenced and needs to be freed when + * it is no longer needed. + */ +SFTKAttribute * +sftk_FindAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *attribute; + SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object); + + if (sessObject == NULL) { + return sftk_FindTokenAttribute(sftk_narrowToTokenObject(object), type); + } + + PZ_Lock(sessObject->attributeLock); + sftkqueue_find(attribute, type, sessObject->head, sessObject->hashSize); + PZ_Unlock(sessObject->attributeLock); + + return (attribute); +} + +/* + * Take a buffer and it's length and return it's true size in bits; + */ +unsigned int +sftk_GetLengthInBits(unsigned char *buf, unsigned int bufLen) +{ + unsigned int size = bufLen * 8; + unsigned int i; + + /* Get the real length in bytes */ + for (i = 0; i < bufLen; i++) { + unsigned char c = *buf++; + if (c != 0) { + unsigned char m; + for (m = 0x80; m > 0; m = m >> 1) { + if ((c & m) != 0) { + break; + } + size--; + } + break; + } + size -= 8; + } + return size; +} + +/* + * Constrain a big num attribute. to size and padding + * minLength means length of the object must be greater than equal to minLength + * maxLength means length of the object must be less than equal to maxLength + * minMultiple means that object length mod minMultiple must equal 0. + * all input sizes are in bits. + * if any constraint is '0' that constraint is not checked. 
+ */ +CK_RV +sftk_ConstrainAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + int minLength, int maxLength, int minMultiple) +{ + SFTKAttribute *attribute; + int size; + unsigned char *ptr; + + attribute = sftk_FindAttribute(object, type); + if (!attribute) { + return CKR_TEMPLATE_INCOMPLETE; + } + ptr = (unsigned char *)attribute->attrib.pValue; + if (ptr == NULL) { + sftk_FreeAttribute(attribute); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + size = sftk_GetLengthInBits(ptr, attribute->attrib.ulValueLen); + sftk_FreeAttribute(attribute); + + if ((minLength != 0) && (size < minLength)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + if ((maxLength != 0) && (size > maxLength)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + if ((minMultiple != 0) && ((size % minMultiple) != 0)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + return CKR_OK; +} + +PRBool +sftk_hasAttributeToken(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type) +{ + CK_ATTRIBUTE template; + CK_RV crv; + SFTKDBHandle *dbHandle; + + dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle); + template.type = type; + template.pValue = NULL; + template.ulValueLen = 0; + + crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, &template, 1); + sftk_freeDB(dbHandle); + + /* attribute is bigger than our attribute space buffer, malloc it */ + return (crv == CKR_OK) ? 
PR_TRUE : PR_FALSE; +} + +/* + * return true if object has attribute + */ +PRBool +sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *attribute; + SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object); + + if (sessObject == NULL) { + return sftk_hasAttributeToken(sftk_narrowToTokenObject(object), type); + } + + PZ_Lock(sessObject->attributeLock); + sftkqueue_find(attribute, type, sessObject->head, sessObject->hashSize); + PZ_Unlock(sessObject->attributeLock); + + return (PRBool)(attribute != NULL); +} + +/* + * add an attribute to an object + */ +static void +sftk_AddAttribute(SFTKObject *object, SFTKAttribute *attribute) +{ + SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object); + + if (sessObject == NULL) + return; + PZ_Lock(sessObject->attributeLock); + sftkqueue_add(attribute, attribute->handle, + sessObject->head, sessObject->hashSize); + PZ_Unlock(sessObject->attributeLock); +} + +/* + * copy an unsigned attribute into a SECItem. Secitem is allocated in + * the specified arena. + */ +CK_RV +sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item, SFTKObject *object, + CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *attribute; + + item->data = NULL; + + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + + (void)SECITEM_AllocItem(arena, item, attribute->attrib.ulValueLen); + if (item->data == NULL) { + sftk_FreeAttribute(attribute); + return CKR_HOST_MEMORY; + } + PORT_Memcpy(item->data, attribute->attrib.pValue, item->len); + sftk_FreeAttribute(attribute); + return CKR_OK; +} + +/* + * fetch multiple attributes into SECItems. Secitem data is allocated in + * the specified arena. 
+ */ +CK_RV +sftk_MultipleAttribute2SecItem(PLArenaPool *arena, SFTKObject *object, + SFTKItemTemplate *itemTemplate, int itemTemplateCount) +{ + + CK_RV crv = CKR_OK; + CK_ATTRIBUTE templateSpace[SFTK_MAX_ITEM_TEMPLATE]; + CK_ATTRIBUTE *template; + SFTKTokenObject *tokObject; + SFTKDBHandle *dbHandle = NULL; + int i; + + tokObject = sftk_narrowToTokenObject(object); + + /* session objects, just loop through the list */ + if (tokObject == NULL) { + for (i = 0; i < itemTemplateCount; i++) { + crv = sftk_Attribute2SecItem(arena, itemTemplate[i].item, object, + itemTemplate[i].type); + if (crv != CKR_OK) { + return crv; + } + } + return CKR_OK; + } + + /* don't do any work if none is required */ + if (itemTemplateCount == 0) { + return CKR_OK; + } + + /* don't allocate the template unless we need it */ + if (itemTemplateCount > SFTK_MAX_ITEM_TEMPLATE) { + template = PORT_NewArray(CK_ATTRIBUTE, itemTemplateCount); + } else { + template = templateSpace; + } + + if (template == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + + dbHandle = sftk_getDBForTokenObject(object->slot, object->handle); + if (dbHandle == NULL) { + crv = CKR_OBJECT_HANDLE_INVALID; + goto loser; + } + + /* set up the PKCS #11 template */ + for (i = 0; i < itemTemplateCount; i++) { + template[i].type = itemTemplate[i].type; + template[i].pValue = NULL; + template[i].ulValueLen = 0; + } + + /* fetch the attribute lengths */ + crv = sftkdb_GetAttributeValue(dbHandle, object->handle, + template, itemTemplateCount); + if (crv != CKR_OK) { + goto loser; + } + + /* allocate space for the attributes */ + for (i = 0; i < itemTemplateCount; i++) { + template[i].pValue = PORT_ArenaAlloc(arena, template[i].ulValueLen); + if (template[i].pValue == NULL) { + crv = CKR_HOST_MEMORY; + goto loser; + } + } + + /* fetch the attributes */ + crv = sftkdb_GetAttributeValue(dbHandle, object->handle, + template, itemTemplateCount); + if (crv != CKR_OK) { + goto loser; + } + + /* Fill in the items */ + for (i = 0; i < 
itemTemplateCount; i++) { + itemTemplate[i].item->data = template[i].pValue; + itemTemplate[i].item->len = template[i].ulValueLen; + } + +loser: + if (template != templateSpace) { + PORT_Free(template); + } + if (dbHandle) { + sftk_freeDB(dbHandle); + } + + return crv; +} + +/* + * delete an attribute from an object + */ +static void +sftk_DeleteAttribute(SFTKObject *object, SFTKAttribute *attribute) +{ + SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object); + + if (sessObject == NULL) { + return; + } + PZ_Lock(sessObject->attributeLock); + if (sftkqueue_is_queued(attribute, attribute->handle, + sessObject->head, sessObject->hashSize)) { + sftkqueue_delete(attribute, attribute->handle, + sessObject->head, sessObject->hashSize); + } + PZ_Unlock(sessObject->attributeLock); +} + +/* + * this is only valid for CK_BBOOL type attributes. Return the state + * of that attribute. + */ +PRBool +sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *attribute; + PRBool tok = PR_FALSE; + + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) { + return PR_FALSE; + } + tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue); + sftk_FreeAttribute(attribute); + + return tok; +} + +/* + * force an attribute to null. + * this is for sensitive keys which are stored in the database, we don't + * want to keep this info around in memory in the clear. 
+ */ +void +sftk_nullAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type) +{ + SFTKAttribute *attribute; + + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return; + + if (attribute->attrib.pValue != NULL) { + PORT_Memset(attribute->attrib.pValue, 0, attribute->attrib.ulValueLen); + if (attribute->freeData) { + PORT_Free(attribute->attrib.pValue); + } + attribute->freeData = PR_FALSE; + attribute->attrib.pValue = NULL; + attribute->attrib.ulValueLen = 0; + } + sftk_FreeAttribute(attribute); +} + +static CK_RV +sftk_forceTokenAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *value, unsigned int len) +{ + CK_ATTRIBUTE attribute; + SFTKDBHandle *dbHandle = NULL; + SFTKTokenObject *to = sftk_narrowToTokenObject(object); + CK_RV crv; + + PORT_Assert(to); + if (to == NULL) { + return CKR_DEVICE_ERROR; + } + + dbHandle = sftk_getDBForTokenObject(object->slot, object->handle); + + attribute.type = type; + attribute.pValue = (void *)value; + attribute.ulValueLen = len; + + crv = sftkdb_SetAttributeValue(dbHandle, object, &attribute, 1); + sftk_freeDB(dbHandle); + return crv; +} + +/* + * force an attribute to a specifc value. 
+ */ +CK_RV +sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *value, unsigned int len) +{ + SFTKAttribute *attribute; + void *att_val = NULL; + PRBool freeData = PR_FALSE; + + PORT_Assert(object); + PORT_Assert(object->refCount); + PORT_Assert(object->slot); + if (!object || + !object->refCount || + !object->slot) { + return CKR_DEVICE_ERROR; + } + if (sftk_isToken(object->handle)) { + return sftk_forceTokenAttribute(object, type, value, len); + } + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return sftk_AddAttributeType(object, type, value, len); + + if (value) { + if (len <= ATTR_SPACE) { + att_val = attribute->space; + } else { + att_val = PORT_Alloc(len); + freeData = PR_TRUE; + } + if (att_val == NULL) { + return CKR_HOST_MEMORY; + } + if (attribute->attrib.pValue == att_val) { + PORT_Memset(attribute->attrib.pValue, 0, + attribute->attrib.ulValueLen); + } + PORT_Memcpy(att_val, value, len); + } + if (attribute->attrib.pValue != NULL) { + if (attribute->attrib.pValue != att_val) { + PORT_Memset(attribute->attrib.pValue, 0, + attribute->attrib.ulValueLen); + } + if (attribute->freeData) { + PORT_Free(attribute->attrib.pValue); + } + attribute->freeData = PR_FALSE; + attribute->attrib.pValue = NULL; + attribute->attrib.ulValueLen = 0; + } + if (att_val) { + attribute->attrib.pValue = att_val; + attribute->attrib.ulValueLen = len; + attribute->freeData = freeData; + } + sftk_FreeAttribute(attribute); + return CKR_OK; +} + +/* + * return a null terminated string from attribute 'type'. This string + * is allocated and needs to be freed with PORT_Free() When complete. 
+ */
+char *
+sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ char *label = NULL;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return NULL;
+
+ if (attribute->attrib.pValue != NULL) {
+ label = (char *)PORT_Alloc(attribute->attrib.ulValueLen + 1);
+ if (label == NULL) {
+ sftk_FreeAttribute(attribute);
+ return NULL;
+ }
+
+ PORT_Memcpy(label, attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ label[attribute->attrib.ulValueLen] = 0;
+ }
+ sftk_FreeAttribute(attribute);
+ return label;
+}
+
+/*
+ * decode when a particular attribute may be modified
+ * SFTK_NEVER: This attribute must be set at object creation time and
+ * can never be modified.
+ * SFTK_ONCOPY: This attribute may be modified only when you copy the
+ * object.
+ * SFTK_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
+ * CK_FALSE to CK_TRUE.
+ * SFTK_ALWAYS: This attribute can always be modified.
+ * Some attributes vary their modification type based on the class of the
+ * object.
+ */ +SFTKModifyType +sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) +{ + /* if we don't know about it, user user defined, always allow modify */ + SFTKModifyType mtype = SFTK_ALWAYS; + + switch (type) { + /* NEVER */ + case CKA_CLASS: + case CKA_CERTIFICATE_TYPE: + case CKA_KEY_TYPE: + case CKA_MODULUS: + case CKA_MODULUS_BITS: + case CKA_PUBLIC_EXPONENT: + case CKA_PRIVATE_EXPONENT: + case CKA_PRIME: + case CKA_BASE: + case CKA_PRIME_1: + case CKA_PRIME_2: + case CKA_EXPONENT_1: + case CKA_EXPONENT_2: + case CKA_COEFFICIENT: + case CKA_VALUE_LEN: + case CKA_ALWAYS_SENSITIVE: + case CKA_NEVER_EXTRACTABLE: + case CKA_NSS_DB: + mtype = SFTK_NEVER; + break; + + /* ONCOPY */ + case CKA_TOKEN: + case CKA_PRIVATE: + case CKA_MODIFIABLE: + mtype = SFTK_ONCOPY; + break; + + /* SENSITIVE */ + case CKA_SENSITIVE: + case CKA_EXTRACTABLE: + mtype = SFTK_SENSITIVE; + break; + + /* ALWAYS */ + case CKA_LABEL: + case CKA_APPLICATION: + case CKA_ID: + case CKA_SERIAL_NUMBER: + case CKA_START_DATE: + case CKA_END_DATE: + case CKA_DERIVE: + case CKA_ENCRYPT: + case CKA_DECRYPT: + case CKA_SIGN: + case CKA_VERIFY: + case CKA_SIGN_RECOVER: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + case CKA_UNWRAP: + mtype = SFTK_ALWAYS; + break; + + /* DEPENDS ON CLASS */ + case CKA_VALUE: + mtype = (inClass == CKO_DATA) ? SFTK_ALWAYS : SFTK_NEVER; + break; + + case CKA_SUBPRIME: + /* allow the CKA_SUBPRIME to be added to dh private keys */ + mtype = (inClass == CKO_PRIVATE_KEY) ? SFTK_ALWAYS : SFTK_NEVER; + break; + + case CKA_SUBJECT: + mtype = (inClass == CKO_CERTIFICATE) ? 
SFTK_NEVER : SFTK_ALWAYS; + break; + default: + break; + } + return mtype; +} + +/* decode if a particular attribute is sensitive (cannot be read + * back to the user of if the object is set to SENSITIVE) */ +PRBool +sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass) +{ + switch (type) { + /* ALWAYS */ + case CKA_PRIVATE_EXPONENT: + case CKA_PRIME_1: + case CKA_PRIME_2: + case CKA_EXPONENT_1: + case CKA_EXPONENT_2: + case CKA_COEFFICIENT: + return PR_TRUE; + + /* DEPENDS ON CLASS */ + case CKA_VALUE: + /* PRIVATE and SECRET KEYS have SENSITIVE values */ + return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY)); + + default: + break; + } + return PR_FALSE; +} + +/* + * copy an attribute into a SECItem. Secitem is allocated in the specified + * arena. + */ +CK_RV +sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item, SFTKObject *object, + CK_ATTRIBUTE_TYPE type) +{ + int len; + SFTKAttribute *attribute; + + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + len = attribute->attrib.ulValueLen; + + if (arena) { + item->data = (unsigned char *)PORT_ArenaAlloc(arena, len); + } else { + item->data = (unsigned char *)PORT_Alloc(len); + } + if (item->data == NULL) { + sftk_FreeAttribute(attribute); + return CKR_HOST_MEMORY; + } + item->len = len; + PORT_Memcpy(item->data, attribute->attrib.pValue, len); + sftk_FreeAttribute(attribute); + return CKR_OK; +} + +CK_RV +sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + CK_ULONG *longData) +{ + SFTKAttribute *attribute; + + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return CKR_TEMPLATE_INCOMPLETE; + + if (attribute->attrib.ulValueLen != sizeof(CK_ULONG)) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + + *longData = *(CK_ULONG *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + return CKR_OK; +} + +void +sftk_DeleteAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type) +{ + 
SFTKAttribute *attribute; + attribute = sftk_FindAttribute(object, type); + if (attribute == NULL) + return; + sftk_DeleteAttribute(object, attribute); + sftk_DestroyAttribute(attribute); +} + +CK_RV +sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *valPtr, CK_ULONG length) +{ + SFTKAttribute *attribute; + attribute = sftk_NewAttribute(object, type, valPtr, length); + if (attribute == NULL) { + return CKR_HOST_MEMORY; + } + sftk_AddAttribute(object, attribute); + return CKR_OK; +} + +/* + * ******************** Object Utilities ******************************* + */ + +/* must be called holding sftk_tokenKeyLock(slot) */ +static SECItem * +sftk_lookupTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle) +{ + return (SECItem *)PL_HashTableLookup(slot->tokObjHashTable, (void *)(uintptr_t)handle); +} + +/* + * use the refLock. This operations should be very rare, so the added + * contention on the ref lock should be lower than the overhead of adding + * a new lock. We use separate functions for this just in case I'm wrong. 
+ */ +static void +sftk_tokenKeyLock(SFTKSlot *slot) +{ + SKIP_AFTER_FORK(PZ_Lock(slot->objectLock)); +} + +static void +sftk_tokenKeyUnlock(SFTKSlot *slot) +{ + SKIP_AFTER_FORK(PZ_Unlock(slot->objectLock)); +} + +static PRIntn +sftk_freeHashItem(PLHashEntry *entry, PRIntn index, void *arg) +{ + SECItem *item = (SECItem *)entry->value; + + SECITEM_FreeItem(item, PR_TRUE); + return HT_ENUMERATE_NEXT; +} + +CK_RV +SFTK_ClearTokenKeyHashTable(SFTKSlot *slot) +{ + sftk_tokenKeyLock(slot); + PORT_Assert(!slot->present); + PL_HashTableEnumerateEntries(slot->tokObjHashTable, sftk_freeHashItem, NULL); + sftk_tokenKeyUnlock(slot); + return CKR_OK; +} + +/* allocation hooks that allow us to recycle old object structures */ +static SFTKObjectFreeList sessionObjectList = { NULL, NULL, 0 }; +static SFTKObjectFreeList tokenObjectList = { NULL, NULL, 0 }; + +SFTKObject * +sftk_GetObjectFromList(PRBool *hasLocks, PRBool optimizeSpace, + SFTKObjectFreeList *list, unsigned int hashSize, PRBool isSessionObject) +{ + SFTKObject *object; + int size = 0; + + if (!optimizeSpace) { + PZ_Lock(list->lock); + object = list->head; + if (object) { + list->head = object->next; + list->count--; + } + PZ_Unlock(list->lock); + if (object) { + object->next = object->prev = NULL; + *hasLocks = PR_TRUE; + return object; + } + } + size = isSessionObject ? sizeof(SFTKSessionObject) + hashSize * sizeof(SFTKAttribute *) : sizeof(SFTKTokenObject); + + object = (SFTKObject *)PORT_ZAlloc(size); + if (isSessionObject && object) { + ((SFTKSessionObject *)object)->hashSize = hashSize; + } + *hasLocks = PR_FALSE; + return object; +} + +static void +sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list, + PRBool isSessionObject) +{ + + /* the code below is equivalent to : + * optimizeSpace = isSessionObject ? object->optimizeSpace : PR_FALSE; + * just faster. 
+ */ + PRBool optimizeSpace = isSessionObject && + ((SFTKSessionObject *)object)->optimizeSpace; + if (object->refLock && !optimizeSpace && (list->count < MAX_OBJECT_LIST_SIZE)) { + PZ_Lock(list->lock); + object->next = list->head; + list->head = object; + list->count++; + PZ_Unlock(list->lock); + return; + } + if (isSessionObject) { + SFTKSessionObject *so = (SFTKSessionObject *)object; + PZ_DestroyLock(so->attributeLock); + so->attributeLock = NULL; + } + if (object->refLock) { + PZ_DestroyLock(object->refLock); + object->refLock = NULL; + } + PORT_Free(object); +} + +static SFTKObject * +sftk_freeObjectData(SFTKObject *object) +{ + SFTKObject *next = object->next; + + PORT_Free(object); + return next; +} + +static void +sftk_InitFreeList(SFTKObjectFreeList *list) +{ + if (!list->lock) { + list->lock = PZ_NewLock(nssILockObject); + } +} + +void +sftk_InitFreeLists(void) +{ + sftk_InitFreeList(&sessionObjectList); + sftk_InitFreeList(&tokenObjectList); +} + +static void +sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList) +{ + SFTKObject *object; + + if (!list->lock) { + return; + } + SKIP_AFTER_FORK(PZ_Lock(list->lock)); + for (object = list->head; object != NULL; + object = sftk_freeObjectData(object)) { + PZ_DestroyLock(object->refLock); + if (isSessionList) { + PZ_DestroyLock(((SFTKSessionObject *)object)->attributeLock); + } + } + list->count = 0; + list->head = NULL; + SKIP_AFTER_FORK(PZ_Unlock(list->lock)); + SKIP_AFTER_FORK(PZ_DestroyLock(list->lock)); + list->lock = NULL; +} + +void +sftk_CleanupFreeLists(void) +{ + sftk_CleanupFreeList(&sessionObjectList, PR_TRUE); + sftk_CleanupFreeList(&tokenObjectList, PR_FALSE); +} + +/* + * Create a new object + */ +SFTKObject * +sftk_NewObject(SFTKSlot *slot) +{ + SFTKObject *object; + SFTKSessionObject *sessObject; + PRBool hasLocks = PR_FALSE; + unsigned int i; + unsigned int hashSize = 0; + + hashSize = (slot->optimizeSpace) ? 
SPACE_ATTRIBUTE_HASH_SIZE : TIME_ATTRIBUTE_HASH_SIZE; + + object = sftk_GetObjectFromList(&hasLocks, slot->optimizeSpace, + &sessionObjectList, hashSize, PR_TRUE); + if (object == NULL) { + return NULL; + } + sessObject = (SFTKSessionObject *)object; + sessObject->nextAttr = 0; + + for (i = 0; i < MAX_OBJS_ATTRS; i++) { + sessObject->attrList[i].attrib.pValue = NULL; + sessObject->attrList[i].freeData = PR_FALSE; + } + sessObject->optimizeSpace = slot->optimizeSpace; + + object->handle = 0; + object->next = object->prev = NULL; + object->slot = slot; + object->isFIPS = sftk_isFIPS(slot->slotID); + + object->refCount = 1; + sessObject->sessionList.next = NULL; + sessObject->sessionList.prev = NULL; + sessObject->sessionList.parent = object; + sessObject->session = NULL; + sessObject->wasDerived = PR_FALSE; + if (!hasLocks) + object->refLock = PZ_NewLock(nssILockRefLock); + if (object->refLock == NULL) { + PORT_Free(object); + return NULL; + } + if (!hasLocks) + sessObject->attributeLock = PZ_NewLock(nssILockAttribute); + if (sessObject->attributeLock == NULL) { + PZ_DestroyLock(object->refLock); + PORT_Free(object); + return NULL; + } + for (i = 0; i < sessObject->hashSize; i++) { + sessObject->head[i] = NULL; + } + object->objectInfo = NULL; + object->infoFree = NULL; + return object; +} + +static CK_RV +sftk_DestroySessionObjectData(SFTKSessionObject *so) +{ + int i; + + for (i = 0; i < MAX_OBJS_ATTRS; i++) { + unsigned char *value = so->attrList[i].attrib.pValue; + if (value) { + PORT_Memset(value, 0, so->attrList[i].attrib.ulValueLen); + if (so->attrList[i].freeData) { + PORT_Free(value); + } + so->attrList[i].attrib.pValue = NULL; + so->attrList[i].freeData = PR_FALSE; + } + } + /* PZ_DestroyLock(so->attributeLock);*/ + return CKR_OK; +} + +/* + * free all the data associated with an object. Object reference count must + * be 'zero'. 
+ */ +static CK_RV +sftk_DestroyObject(SFTKObject *object) +{ + CK_RV crv = CKR_OK; + SFTKSessionObject *so = sftk_narrowToSessionObject(object); + SFTKTokenObject *to = sftk_narrowToTokenObject(object); + + PORT_Assert(object->refCount == 0); + + /* delete the database value */ + if (to) { + if (to->dbKey.data) { + PORT_Free(to->dbKey.data); + to->dbKey.data = NULL; + } + } + if (so) { + sftk_DestroySessionObjectData(so); + } + if (object->objectInfo) { + (*object->infoFree)(object->objectInfo); + object->objectInfo = NULL; + object->infoFree = NULL; + } + if (so) { + sftk_PutObjectToList(object, &sessionObjectList, PR_TRUE); + } else { + sftk_PutObjectToList(object, &tokenObjectList, PR_FALSE); + } + return crv; +} + +void +sftk_ReferenceObject(SFTKObject *object) +{ + PZ_Lock(object->refLock); + object->refCount++; + PZ_Unlock(object->refLock); +} + +static SFTKObject * +sftk_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, SFTKSlot *slot) +{ + SFTKObject *object; + PRUint32 index = sftk_hash(handle, slot->sessObjHashSize); + + if (sftk_isToken(handle)) { + return sftk_NewTokenObject(slot, NULL, handle); + } + + PZ_Lock(slot->objectLock); + sftkqueue_find2(object, handle, index, slot->sessObjHashTable); + if (object) { + sftk_ReferenceObject(object); + } + PZ_Unlock(slot->objectLock); + + return (object); +} +/* + * look up and object structure from a handle. OBJECT_Handles only make + * sense in terms of a given session. make a reference to that object + * structure returned. 
+ */
+SFTKObject *
+sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, SFTKSession *session)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+
+ return sftk_ObjectFromHandleOnSlot(handle, slot);
+}
+
+/*
+ * release a reference to an object handle
+ */
+SFTKFreeStatus
+sftk_FreeObject(SFTKObject *object)
+{
+ PRBool destroy = PR_FALSE;
+ CK_RV crv;
+
+ PZ_Lock(object->refLock);
+ if (object->refCount == 1)
+ destroy = PR_TRUE;
+ object->refCount--;
+ PZ_Unlock(object->refLock);
+
+ if (destroy) {
+ crv = sftk_DestroyObject(object);
+ if (crv != CKR_OK) {
+ return SFTK_DestroyFailure;
+ }
+ return SFTK_Destroyed;
+ }
+ return SFTK_Busy;
+}
+
+/* find the next available object handle that isn't currently in use */
+/* NOTE: This function could loop forever if we've exhausted all
+ * 3^31-1 handles. This is highly unlikely (NSS has been running for
+ * decades with this code) uless we start increasing the size of the
+ * SFTK_TOKEN_MASK (which is just the high bit currently). */
+CK_OBJECT_HANDLE
+sftk_getNextHandle(SFTKSlot *slot)
+{
+ CK_OBJECT_HANDLE handle;
+ SFTKObject *duplicateObject = NULL;
+ do {
+ PRUint32 wrappedAround;
+
+ duplicateObject = NULL;
+ PZ_Lock(slot->objectLock);
+ wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
+ handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+ if (!handle) /* don't allow zero handle */
+ handle = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+ /* Is there already a session object with this handle? */
+ if (wrappedAround) {
+ sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
+ slot->sessObjHashSize);
+ }
+ PZ_Unlock(slot->objectLock);
+ } while (duplicateObject != NULL);
+ return handle;
+}
+
+/*
+ * add an object to a slot and session queue. These two functions
+ * adopt the object.
+ */
+void
+sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object)
+{
+ PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+ sftkqueue_init_element(object);
+ PZ_Lock(slot->objectLock);
+ sftkqueue_add2(object, object->handle, index, slot->sessObjHashTable);
+ PZ_Unlock(slot->objectLock);
+}
+
+void
+sftk_AddObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+
+ if (so) {
+ PZ_Lock(session->objectLock);
+ sftkqueue_add(&so->sessionList, 0, session->objects, 0);
+ so->session = session;
+ PZ_Unlock(session->objectLock);
+ }
+ sftk_AddSlotObject(slot, object);
+ sftk_ReferenceObject(object);
+}
+
+/*
+ * delete an object from a slot and session queue
+ */
+CK_RV
+sftk_DeleteObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+ CK_RV crv = CKR_OK;
+ PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+
+ /* Handle Token case */
+ if (so && so->session) {
+ session = so->session;
+ PZ_Lock(session->objectLock);
+ sftkqueue_delete(&so->sessionList, 0, session->objects, 0);
+ PZ_Unlock(session->objectLock);
+ PZ_Lock(slot->objectLock);
+ sftkqueue_delete2(object, object->handle, index, slot->sessObjHashTable);
+ PZ_Unlock(slot->objectLock);
+ sftkqueue_clear_deleted_element(object);
+ sftk_FreeObject(object); /* free the reference owned by the queue */
+ } else {
+ SFTKDBHandle *handle = sftk_getDBForTokenObject(slot, object->handle);
+#ifdef DEBUG
+ SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+ PORT_Assert(to);
+#endif
+ crv = sftkdb_DestroyObject(handle, object->handle, object->objclass);
+ sftk_freeDB(handle);
+ }
+ return crv;
+}
+
+/*
+ * Token objects don't explicitly store their attributes, so we need to know
+ * what attributes make up a particular token object before we can copy it.
+ * below are the tables by object type. + */ +static const CK_ATTRIBUTE_TYPE commonAttrs[] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_MODIFIABLE +}; +static const CK_ULONG commonAttrsCount = + sizeof(commonAttrs) / sizeof(commonAttrs[0]); + +static const CK_ATTRIBUTE_TYPE commonKeyAttrs[] = { + CKA_ID, CKA_START_DATE, CKA_END_DATE, CKA_DERIVE, CKA_LOCAL, CKA_KEY_TYPE +}; +static const CK_ULONG commonKeyAttrsCount = + sizeof(commonKeyAttrs) / sizeof(commonKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE secretKeyAttrs[] = { + CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, + CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_VALUE +}; +static const CK_ULONG secretKeyAttrsCount = + sizeof(secretKeyAttrs) / sizeof(secretKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE commonPubKeyAttrs[] = { + CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_WRAP, CKA_SUBJECT +}; +static const CK_ULONG commonPubKeyAttrsCount = + sizeof(commonPubKeyAttrs) / sizeof(commonPubKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE rsaPubKeyAttrs[] = { + CKA_MODULUS, CKA_PUBLIC_EXPONENT +}; +static const CK_ULONG rsaPubKeyAttrsCount = + sizeof(rsaPubKeyAttrs) / sizeof(rsaPubKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE dsaPubKeyAttrs[] = { + CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE +}; +static const CK_ULONG dsaPubKeyAttrsCount = + sizeof(dsaPubKeyAttrs) / sizeof(dsaPubKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = { + CKA_PRIME, CKA_BASE, CKA_VALUE +}; +static const CK_ULONG dhPubKeyAttrsCount = + sizeof(dhPubKeyAttrs) / sizeof(dhPubKeyAttrs[0]); +static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = { + CKA_EC_PARAMS, CKA_EC_POINT +}; +static const CK_ULONG ecPubKeyAttrsCount = + sizeof(ecPubKeyAttrs) / sizeof(ecPubKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = { + CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT, + CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NSS_DB, CKA_PUBLIC_KEY_INFO +}; +static const CK_ULONG 
commonPrivKeyAttrsCount = + sizeof(commonPrivKeyAttrs) / sizeof(commonPrivKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE rsaPrivKeyAttrs[] = { + CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, + CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT +}; +static const CK_ULONG rsaPrivKeyAttrsCount = + sizeof(rsaPrivKeyAttrs) / sizeof(rsaPrivKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE dsaPrivKeyAttrs[] = { + CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE +}; +static const CK_ULONG dsaPrivKeyAttrsCount = + sizeof(dsaPrivKeyAttrs) / sizeof(dsaPrivKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = { + CKA_PRIME, CKA_BASE, CKA_VALUE +}; +static const CK_ULONG dhPrivKeyAttrsCount = + sizeof(dhPrivKeyAttrs) / sizeof(dhPrivKeyAttrs[0]); +static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = { + CKA_EC_PARAMS, CKA_VALUE +}; +static const CK_ULONG ecPrivKeyAttrsCount = + sizeof(ecPrivKeyAttrs) / sizeof(ecPrivKeyAttrs[0]); + +static const CK_ATTRIBUTE_TYPE certAttrs[] = { + CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER +}; +static const CK_ULONG certAttrsCount = + sizeof(certAttrs) / sizeof(certAttrs[0]); + +static const CK_ATTRIBUTE_TYPE trustAttrs[] = { + CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, + CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_EMAIL_PROTECTION, + CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED +}; +static const CK_ULONG trustAttrsCount = + sizeof(trustAttrs) / sizeof(trustAttrs[0]); + +static const CK_ATTRIBUTE_TYPE smimeAttrs[] = { + CKA_SUBJECT, CKA_NSS_EMAIL, CKA_NSS_SMIME_TIMESTAMP, CKA_VALUE +}; +static const CK_ULONG smimeAttrsCount = + sizeof(smimeAttrs) / sizeof(smimeAttrs[0]); + +static const CK_ATTRIBUTE_TYPE crlAttrs[] = { + CKA_SUBJECT, CKA_VALUE, CKA_NSS_URL, CKA_NSS_KRL +}; +static const CK_ULONG crlAttrsCount = + sizeof(crlAttrs) / sizeof(crlAttrs[0]); + +/* copy an object based on it's table */ +CK_RV 
+stfk_CopyTokenAttributes(SFTKObject *destObject, SFTKTokenObject *src_to, + const CK_ATTRIBUTE_TYPE *attrArray, CK_ULONG attrCount) +{ + SFTKAttribute *attribute; + SFTKAttribute *newAttribute; + CK_RV crv = CKR_OK; + unsigned int i; + + for (i = 0; i < attrCount; i++) { + if (!sftk_hasAttribute(destObject, attrArray[i])) { + attribute = sftk_FindAttribute(&src_to->obj, attrArray[i]); + if (!attribute) { + continue; /* return CKR_ATTRIBUTE_VALUE_INVALID; */ + } + /* we need to copy the attribute since each attribute + * only has one set of link list pointers */ + newAttribute = sftk_NewAttribute(destObject, + sftk_attr_expand(&attribute->attrib)); + sftk_FreeAttribute(attribute); /* free the old attribute */ + if (!newAttribute) { + return CKR_HOST_MEMORY; + } + sftk_AddAttribute(destObject, newAttribute); + } + } + return crv; +} + +CK_RV +stfk_CopyTokenPrivateKey(SFTKObject *destObject, SFTKTokenObject *src_to) +{ + CK_RV crv; + CK_KEY_TYPE key_type; + SFTKAttribute *attribute; + + /* copy the common attributes for all keys first */ + crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs, + commonKeyAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + /* copy the common attributes for all private keys next */ + crv = stfk_CopyTokenAttributes(destObject, src_to, commonPrivKeyAttrs, + commonPrivKeyAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + attribute = sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE); + PORT_Assert(attribute); /* if it wasn't here, ww should have failed + * copying the common attributes */ + if (!attribute) { + /* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but + * the fact is, the only reason we couldn't get the attribute would + * be a memory error or database error (an error in the 'device'). 
+ * if we have a database error code, we could return it here */ + crv = CKR_DEVICE_ERROR; + goto fail; + } + key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + + /* finally copy the attributes for various private key types */ + switch (key_type) { + case CKK_RSA: + crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPrivKeyAttrs, + rsaPrivKeyAttrsCount); + break; + case CKK_DSA: + crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs, + dsaPrivKeyAttrsCount); + break; + case CKK_DH: + crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs, + dhPrivKeyAttrsCount); + break; + case CKK_EC: + crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs, + ecPrivKeyAttrsCount); + break; + default: + crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types + * of token keys into our database. */ + } +fail: + return crv; +} + +CK_RV +stfk_CopyTokenPublicKey(SFTKObject *destObject, SFTKTokenObject *src_to) +{ + CK_RV crv; + CK_KEY_TYPE key_type; + SFTKAttribute *attribute; + + /* copy the common attributes for all keys first */ + crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs, + commonKeyAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + + /* copy the common attributes for all public keys next */ + crv = stfk_CopyTokenAttributes(destObject, src_to, commonPubKeyAttrs, + commonPubKeyAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + attribute = sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE); + PORT_Assert(attribute); /* if it wasn't here, ww should have failed + * copying the common attributes */ + if (!attribute) { + /* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but + * the fact is, the only reason we couldn't get the attribute would + * be a memory error or database error (an error in the 'device'). 
+ * if we have a database error code, we could return it here */ + crv = CKR_DEVICE_ERROR; + goto fail; + } + key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; + sftk_FreeAttribute(attribute); + + /* finally copy the attributes for various public key types */ + switch (key_type) { + case CKK_RSA: + crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPubKeyAttrs, + rsaPubKeyAttrsCount); + break; + case CKK_DSA: + crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs, + dsaPubKeyAttrsCount); + break; + case CKK_DH: + crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs, + dhPubKeyAttrsCount); + break; + case CKK_EC: + crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs, + ecPubKeyAttrsCount); + break; + default: + crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types + * of token keys into our database. */ + } +fail: + return crv; +} +CK_RV +stfk_CopyTokenSecretKey(SFTKObject *destObject, SFTKTokenObject *src_to) +{ + CK_RV crv; + crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs, + commonKeyAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + crv = stfk_CopyTokenAttributes(destObject, src_to, secretKeyAttrs, + secretKeyAttrsCount); +fail: + return crv; +} + +/* + * Copy a token object. We need to explicitly copy the relevant + * attributes since token objects don't store those attributes in + * the token itself. 
+ */ +CK_RV +sftk_CopyTokenObject(SFTKObject *destObject, SFTKObject *srcObject) +{ + SFTKTokenObject *src_to = sftk_narrowToTokenObject(srcObject); + CK_RV crv; + + PORT_Assert(src_to); + if (src_to == NULL) { + return CKR_DEVICE_ERROR; /* internal state inconsistant */ + } + + crv = stfk_CopyTokenAttributes(destObject, src_to, commonAttrs, + commonAttrsCount); + if (crv != CKR_OK) { + goto fail; + } + switch (src_to->obj.objclass) { + case CKO_CERTIFICATE: + crv = stfk_CopyTokenAttributes(destObject, src_to, certAttrs, + certAttrsCount); + break; + case CKO_NSS_TRUST: + crv = stfk_CopyTokenAttributes(destObject, src_to, trustAttrs, + trustAttrsCount); + break; + case CKO_NSS_SMIME: + crv = stfk_CopyTokenAttributes(destObject, src_to, smimeAttrs, + smimeAttrsCount); + break; + case CKO_NSS_CRL: + crv = stfk_CopyTokenAttributes(destObject, src_to, crlAttrs, + crlAttrsCount); + break; + case CKO_PRIVATE_KEY: + crv = stfk_CopyTokenPrivateKey(destObject, src_to); + break; + case CKO_PUBLIC_KEY: + crv = stfk_CopyTokenPublicKey(destObject, src_to); + break; + case CKO_SECRET_KEY: + crv = stfk_CopyTokenSecretKey(destObject, src_to); + break; + default: + crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types + * of token keys into our database. */ + } +fail: + return crv; +} + +/* + * copy the attributes from one object to another. Don't overwrite existing + * attributes. NOTE: This is a pretty expensive operation since it + * grabs the attribute locks for the src object for a *long* time. 
+ */ +CK_RV +sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject) +{ + SFTKAttribute *attribute; + SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject); + unsigned int i; + + destObject->isFIPS = srcObject->isFIPS; + if (src_so == NULL) { + return sftk_CopyTokenObject(destObject, srcObject); + } + + PZ_Lock(src_so->attributeLock); + for (i = 0; i < src_so->hashSize; i++) { + attribute = src_so->head[i]; + do { + if (attribute) { + if (!sftk_hasAttribute(destObject, attribute->handle)) { + /* we need to copy the attribute since each attribute + * only has one set of link list pointers */ + SFTKAttribute *newAttribute = sftk_NewAttribute( + destObject, sftk_attr_expand(&attribute->attrib)); + if (newAttribute == NULL) { + PZ_Unlock(src_so->attributeLock); + return CKR_HOST_MEMORY; + } + sftk_AddAttribute(destObject, newAttribute); + } + attribute = attribute->next; + } + } while (attribute != NULL); + } + PZ_Unlock(src_so->attributeLock); + + return CKR_OK; +} + +/* + * ******************** Search Utilities ******************************* + */ + +/* add an object to a search list */ +CK_RV +AddToList(SFTKObjectListElement **list, SFTKObject *object) +{ + SFTKObjectListElement *newElem = + (SFTKObjectListElement *)PORT_Alloc(sizeof(SFTKObjectListElement)); + + if (newElem == NULL) + return CKR_HOST_MEMORY; + + newElem->next = *list; + newElem->object = object; + sftk_ReferenceObject(object); + + *list = newElem; + return CKR_OK; +} + +/* return true if the object matches the template */ +PRBool +sftk_objectMatch(SFTKObject *object, CK_ATTRIBUTE_PTR theTemplate, int count) +{ + int i; + + for (i = 0; i < count; i++) { + SFTKAttribute *attribute = sftk_FindAttribute(object, theTemplate[i].type); + if (attribute == NULL) { + return PR_FALSE; + } + if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) { + if (PORT_Memcmp(attribute->attrib.pValue, theTemplate[i].pValue, + theTemplate[i].ulValueLen) == 0) { + sftk_FreeAttribute(attribute); + 
continue; + } + } + sftk_FreeAttribute(attribute); + return PR_FALSE; + } + return PR_TRUE; +} + +/* search through all the objects in the queue and return the template matches + * in the object list. + */ +CK_RV +sftk_searchObjectList(SFTKSearchResults *search, SFTKObject **head, + unsigned int size, PZLock *lock, CK_ATTRIBUTE_PTR theTemplate, + int count, PRBool isLoggedIn) +{ + unsigned int i; + SFTKObject *object; + CK_RV crv = CKR_OK; + + PZ_Lock(lock); + for (i = 0; i < size; i++) { + for (object = head[i]; object != NULL; object = object->next) { + if (sftk_objectMatch(object, theTemplate, count)) { + /* don't return objects that aren't yet visible */ + if ((!isLoggedIn) && sftk_isTrue(object, CKA_PRIVATE)) + continue; + sftk_addHandle(search, object->handle); + } + } + } + PZ_Unlock(lock); + return crv; +} + +/* + * free a single list element. Return the Next object in the list. + */ +SFTKObjectListElement * +sftk_FreeObjectListElement(SFTKObjectListElement *objectList) +{ + SFTKObjectListElement *ol = objectList->next; + + sftk_FreeObject(objectList->object); + PORT_Free(objectList); + return ol; +} + +/* free an entire object list */ +void +sftk_FreeObjectList(SFTKObjectListElement *objectList) +{ + SFTKObjectListElement *ol; + + for (ol = objectList; ol != NULL; ol = sftk_FreeObjectListElement(ol)) { + } +} + +/* + * free a search structure + */ +void +sftk_FreeSearch(SFTKSearchResults *search) +{ + if (search->handles) { + PORT_Free(search->handles); + } + PORT_Free(search); +} + +/* + * ******************** Session Utilities ******************************* + */ + +/* update the sessions state based in it's flags and wether or not it's + * logged in */ +void +sftk_update_state(SFTKSlot *slot, SFTKSession *session) +{ + if (slot->isLoggedIn) { + if (slot->ssoLoggedIn) { + session->info.state = CKS_RW_SO_FUNCTIONS; + } else if (session->info.flags & CKF_RW_SESSION) { + session->info.state = CKS_RW_USER_FUNCTIONS; + } else { + session->info.state = 
CKS_RO_USER_FUNCTIONS; + } + } else { + if (session->info.flags & CKF_RW_SESSION) { + session->info.state = CKS_RW_PUBLIC_SESSION; + } else { + session->info.state = CKS_RO_PUBLIC_SESSION; + } + } +} + +/* update the state of all the sessions on a slot */ +void +sftk_update_all_states(SFTKSlot *slot) +{ + unsigned int i; + SFTKSession *session; + + for (i = 0; i < slot->sessHashSize; i++) { + PZLock *lock = SFTK_SESSION_LOCK(slot, i); + PZ_Lock(lock); + for (session = slot->head[i]; session; session = session->next) { + sftk_update_state(slot, session); + } + PZ_Unlock(lock); + } +} + +/* + * context are cipher and digest contexts that are associated with a session + */ +void +sftk_FreeContext(SFTKSessionContext *context) +{ + if (context->cipherInfo) { + (*context->destroy)(context->cipherInfo, PR_TRUE); + } + if (context->hashInfo) { + (*context->hashdestroy)(context->hashInfo, PR_TRUE); + } + if (context->key) { + sftk_FreeObject(context->key); + context->key = NULL; + } + PORT_Free(context); +} + +/* + * Init a new session. NOTE: The session handle is not set, and the + * session is not added to the slot's session queue. 
+ */
+CK_RV
+sftk_InitSession(SFTKSession *session, SFTKSlot *slot, CK_SLOT_ID slotID,
+ CK_NOTIFY notify, CK_VOID_PTR pApplication, CK_FLAGS flags)
+{
+ session->next = session->prev = NULL;
+ session->enc_context = NULL;
+ session->hash_context = NULL;
+ session->sign_context = NULL;
+ session->search = NULL;
+ session->objectIDCount = 1;
+ session->objectLock = PZ_NewLock(nssILockObject);
+ if (session->objectLock == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ session->objects[0] = NULL;
+
+ session->slot = slot;
+ session->notify = notify;
+ session->appData = pApplication;
+ session->info.flags = flags;
+ session->info.slotID = slotID;
+ session->info.ulDeviceError = 0;
+ sftk_update_state(slot, session);
+ /* no ops completed yet, so the last one couldn't be a FIPS op */
+ session->lastOpWasFIPS = PR_FALSE;
+ return CKR_OK;
+}
+
+/*
+ * Create a new session and init it.
+ */
+SFTKSession *
+sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+ CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+ CK_RV crv;
+
+ if (slot == NULL)
+ return NULL;
+
+ session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
+ if (session == NULL)
+ return NULL;
+
+ crv = sftk_InitSession(session, slot, slotID, notify, pApplication, flags);
+ if (crv != CKR_OK) {
+ PORT_Free(session);
+ return NULL;
+ }
+ return session;
+}
+
+/* free all the data associated with a session. */
+void
+sftk_ClearSession(SFTKSession *session)
+{
+ SFTKObjectList *op, *next;
+
+ /* clean out the attributes */
+ /* since no one is referencing us, it's safe to walk the chain
+ * without a lock */
+ for (op = session->objects[0]; op != NULL; op = next) {
+ next = op->next;
+ /* paranoia */
+ op->next = op->prev = NULL;
+ sftk_DeleteObject(session, op->parent);
+ }
+ PZ_DestroyLock(session->objectLock);
+ if (session->enc_context) {
+ sftk_FreeContext(session->enc_context);
+ }
+ if (session->hash_context) {
+ sftk_FreeContext(session->hash_context);
+ }
+ if (session->sign_context) {
+ sftk_FreeContext(session->sign_context);
+ }
+ if (session->search) {
+ sftk_FreeSearch(session->search);
+ }
+}
+
+/* free the data associated with the session, and the session */
+void
+sftk_DestroySession(SFTKSession *session)
+{
+ sftk_ClearSession(session);
+ PORT_Free(session);
+}
+
+/*
+ * look up a session structure from a session handle
+ * generate a reference to it.
+ */
+SFTKSession *
+sftk_SessionFromHandle(CK_SESSION_HANDLE handle)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(handle);
+ SFTKSession *session;
+ PZLock *lock;
+
+ if (!slot)
+ return NULL;
+ lock = SFTK_SESSION_LOCK(slot, handle);
+
+ PZ_Lock(lock);
+ sftkqueue_find(session, handle, slot->head, slot->sessHashSize);
+ PZ_Unlock(lock);
+
+ return (session);
+}
+
+/*
+ * release a reference to a session handle. This method of using SFTKSessions
+ * is deprecated, but the pattern should be retained until a future effort
+ * to refactor all SFTKSession users at once is completed.
+ */
+void
+sftk_FreeSession(SFTKSession *session)
+{
+ return;
+}
+
+void
+sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle)
+{
+ if (search->handles == NULL) {
+ return;
+ }
+ if (search->size >= search->array_size) {
+ search->array_size += NSC_SEARCH_BLOCK_SIZE;
+ search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles,
+ sizeof(CK_OBJECT_HANDLE) * search->array_size);
+ if (search->handles == NULL) {
+ return;
+ }
+ }
+ search->handles[search->size] = handle;
+ search->size++;
+}
+
+static CK_RV
+handleToClass(SFTKSlot *slot, CK_OBJECT_HANDLE handle,
+ CK_OBJECT_CLASS *objClass)
+{
+ SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, handle);
+ CK_ATTRIBUTE objClassTemplate;
+ CK_RV crv;
+
+ *objClass = CKO_DATA;
+ objClassTemplate.type = CKA_CLASS;
+ objClassTemplate.pValue = objClass;
+ objClassTemplate.ulValueLen = sizeof(*objClass);
+ crv = sftkdb_GetAttributeValue(dbHandle, handle, &objClassTemplate, 1);
+ sftk_freeDB(dbHandle);
+ return crv;
+}
+
+SFTKObject *
+sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+ SFTKObject *object = NULL;
+ PRBool hasLocks = PR_FALSE;
+ CK_RV crv;
+
+ object = sftk_GetObjectFromList(&hasLocks, PR_FALSE, &tokenObjectList, 0,
+ PR_FALSE);
+ if (object == NULL) {
+ return NULL;
+ }
+
+ object->handle = handle;
+ /* every object must have a class, if we can't get it, the object
+ * doesn't exist */
+ crv = handleToClass(slot, handle, &object->objclass);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ object->slot = slot;
+ object->isFIPS = sftk_isFIPS(slot->slotID);
+ object->objectInfo = NULL;
+ object->infoFree = NULL;
+ if (!hasLocks) {
+ object->refLock = PZ_NewLock(nssILockRefLock);
+ }
+ if (object->refLock == NULL) {
+ goto loser;
+ }
+ object->refCount = 1;
+
+ return object;
+loser:
+ (void)sftk_DestroyObject(object);
+ return NULL;
+}
+
+SFTKTokenObject *
+sftk_convertSessionToToken(SFTKObject *obj)
+{
+ SECItem *key;
+ SFTKSessionObject *so = (SFTKSessionObject *)obj;
+ SFTKTokenObject *to = sftk_narrowToTokenObject(obj);
+ SECStatus rv;
+
+ sftk_DestroySessionObjectData(so);
+ PZ_DestroyLock(so->attributeLock);
+ if (to == NULL) {
+ return NULL;
+ }
+ sftk_tokenKeyLock(so->obj.slot);
+ key = sftk_lookupTokenKeyByHandle(so->obj.slot, so->obj.handle);
+ if (key == NULL) {
+ sftk_tokenKeyUnlock(so->obj.slot);
+ return NULL;
+ }
+ rv = SECITEM_CopyItem(NULL, &to->dbKey, key);
+ sftk_tokenKeyUnlock(so->obj.slot);
+ if (rv == SECFailure) {
+ return NULL;
+ }
+
+ return to;
+}
+
+SFTKSessionObject *
+sftk_narrowToSessionObject(SFTKObject *obj)
+{
+ return !sftk_isToken(obj->handle) ? (SFTKSessionObject *)obj : NULL;
+}
+
+SFTKTokenObject *
+sftk_narrowToTokenObject(SFTKObject *obj)
+{
+ return sftk_isToken(obj->handle) ? (SFTKTokenObject *)obj : NULL;
+}
+
+/* Constant time helper functions */
+
+/* sftk_CKRVToMask returns, in constant time, a mask value of
+ * all ones if rv == CKR_OK. Otherwise it returns zero. */
+unsigned int
+sftk_CKRVToMask(CK_RV rv)
+{
+ PR_STATIC_ASSERT(CKR_OK == 0);
+ return ~PORT_CT_NOT_ZERO(rv);
+}
+
+/* sftk_CheckCBCPadding checks, in constant time, the padding validity and
+ * accordingly sets the pad length. */
+CK_RV
+sftk_CheckCBCPadding(CK_BYTE_PTR pBuf, unsigned int bufLen,
+ unsigned int blockSize, unsigned int *outPadSize)
+{
+ PORT_Assert(outPadSize);
+
+ unsigned int padSize = (unsigned int)pBuf[bufLen - 1];
+
+ /* If padSize <= blockSize, set goodPad to all-1s and all-0s otherwise.*/
+ unsigned int goodPad = PORT_CT_DUPLICATE_MSB_TO_ALL(~(blockSize - padSize));
+ /* padSize should not be 0 */
+ goodPad &= PORT_CT_NOT_ZERO(padSize);
+
+ unsigned int i;
+ for (i = 0; i < blockSize; i++) {
+ /* If i < padSize, set loopMask to all-1s and all-0s otherwise.*/
+ unsigned int loopMask = PORT_CT_DUPLICATE_MSB_TO_ALL(~(padSize - 1 - i));
+ /* Get the padding value (should be padSize) from buffer */
+ unsigned int padVal = pBuf[bufLen - 1 - i];
+ /* Update goodPad only if i < padSize */
+ goodPad &= PORT_CT_SEL(loopMask, ~(padVal ^ padSize), goodPad);
+ }
+
+ /* If any of the final padding bytes had the wrong value, one or more
+ * of the lower eight bits of |goodPad| will be cleared. We AND the
+ * bottom 8 bits together and duplicate the result to all the bits. */
+ goodPad &= goodPad >> 4;
+ goodPad &= goodPad >> 2;
+ goodPad &= goodPad >> 1;
+ goodPad <<= sizeof(goodPad) * 8 - 1;
+ goodPad = PORT_CT_DUPLICATE_MSB_TO_ALL(goodPad);
+
+ /* Set outPadSize to padSize or 0 */
+ *outPadSize = PORT_CT_SEL(goodPad, padSize, 0);
+ /* Return OK if the pad is valid */
+ return PORT_CT_SEL(goodPad, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
+}
+
+void
+sftk_EncodeInteger(PRUint64 integer, CK_ULONG num_bits, CK_BBOOL littleEndian,
+ CK_BYTE_PTR output, CK_ULONG_PTR output_len)
+{
+ if (output_len) {
+ *output_len = (num_bits / 8);
+ }
+
+ PR_ASSERT(num_bits > 0 && num_bits <= 64 && (num_bits % 8) == 0);
+
+ if (littleEndian == CK_TRUE) {
+ for (size_t offset = 0; offset < num_bits / 8; offset++) {
+ output[offset] = (unsigned char)((integer >> (offset * 8)) & 0xFF);
+ }
+ } else {
+ for (size_t offset = 0; offset < num_bits / 8; offset++) {
+ PRUint64 shift = num_bits - (offset + 1) * 8;
+ output[offset] = (unsigned char)((integer >> shift) & 0xFF);
+ }
+ }
+}
+
+CK_FLAGS
+sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE op)
+{
+ CK_FLAGS flags = 0;
+
+ switch (op) {
+ case CKA_ENCRYPT:
+ flags = CKF_ENCRYPT;
+ break;
+ case CKA_DECRYPT:
+ flags = CKF_DECRYPT;
+ break;
+ case CKA_WRAP:
+ flags = CKF_WRAP;
+ break;
+ case CKA_UNWRAP:
+ flags = CKF_UNWRAP;
+ break;
+ case CKA_SIGN:
+ flags = CKF_SIGN;
+ break;
+ case CKA_SIGN_RECOVER:
+ flags = CKF_SIGN_RECOVER;
+ break;
+ case CKA_VERIFY:
+ flags = CKF_VERIFY;
+ break;
+ case CKA_VERIFY_RECOVER:
+ flags = CKF_VERIFY_RECOVER;
+ break;
+ case CKA_DERIVE:
+ flags = CKF_DERIVE;
+ break;
+ /* fake attribute to select digesting */
+ case CKA_DIGEST:
+ flags = CKF_DIGEST;
+ break;
+ case CKA_NSS_MESSAGE | CKA_ENCRYPT:
+ flags = CKF_MESSAGE_ENCRYPT;
+ break;
+ case CKA_NSS_MESSAGE | CKA_DECRYPT:
+ flags = CKF_MESSAGE_DECRYPT;
+ break;
+ case CKA_NSS_MESSAGE | CKA_SIGN:
+ flags = CKF_MESSAGE_SIGN;
+ break;
+ case CKA_NSS_MESSAGE | CKA_VERIFY:
+ flags = CKF_MESSAGE_VERIFY;
+ break;
+ default:
+ break;
+ }
+ return flags;
+}
+
+/*
+ * ******************** Hash Utilities **************************
+ */
+/*
+ * Utility function for converting PSS/OAEP parameter types into
+ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
+ */
+HASH_HashType
+sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_SHA_1:
+ case CKG_MGF1_SHA1:
+ return HASH_AlgSHA1;
+ case CKM_SHA224:
+ case CKG_MGF1_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256:
+ case CKG_MGF1_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384:
+ case CKG_MGF1_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512:
+ case CKG_MGF1_SHA512:
+ return HASH_AlgSHA512;
+ default:
+ return HASH_AlgNULL;
+ }
+}
+
+#ifdef NSS_HAS_FIPS_INDICATORS
+/**************** FIPS Indicator Utilities *************************/
+/* sigh, we probably need a version of this in secutil so that both
+ * softoken and NSS can use it */
+static SECOidTag
+sftk_quickGetECCCurveOid(SFTKObject *source)
+{
+ SFTKAttribute *attribute = sftk_FindAttribute(source, CKA_EC_PARAMS);
+ unsigned char *encoded;
+ int len;
+ SECItem oid;
+ SECOidTag tag;
+
+ if (attribute == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+ encoded = attribute->attrib.pValue;
+ len = attribute->attrib.ulValueLen;
+ if ((len < 2) || (encoded[0] != SEC_ASN1_OBJECT_ID) ||
+ (len != encoded[1] + 2)) {
+ sftk_FreeAttribute(attribute);
+ return SEC_OID_UNKNOWN;
+ }
+ oid.data = encoded + 2;
+ oid.len = len - 2;
+ tag = SECOID_FindOIDTag(&oid);
+ sftk_FreeAttribute(attribute);
+ return tag;
+}
+
+/* This function currently only returns valid lengths for
+ * FIPS approved ECC curves. If we want to make this generic
+ * in the future, that Curve determination can be done in
+ * the sftk_handleSpecial. Since it's currently only used
+ * in FIPS indicators, it's currently only compiled with
+ * the FIPS indicator code */
+static int
+sftk_getKeyLength(SFTKObject *source)
+{
+ CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
+ CK_ATTRIBUTE_TYPE keyAttribute;
+ CK_ULONG keyLength = 0;
+ SFTKAttribute *attribute;
+ CK_RV crv;
+
+ /* If we don't have a key, then it doesn't have a length.
+ * this may be OK (say we are hashing). The mech info will
+ * sort this out because algorithms which expect no keys
+ * will accept zero length for the keys */
+ if (source == NULL) {
+ return 0;
+ }
+
+ crv = sftk_GetULongAttribute(source, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ /* sometimes we're passed a data object, in that case the
+ * key length is CKA_VALUE, which is the default */
+ keyType = CKK_INVALID_KEY_TYPE;
+ }
+ if (keyType == CKK_EC) {
+ SECOidTag curve = sftk_quickGetECCCurveOid(source);
+ switch (curve) {
+ case SEC_OID_CURVE25519:
+ /* change when we start algorithm testing on curve25519 */
+ return 0;
+ case SEC_OID_SECG_EC_SECP256R1:
+ return 256;
+ case SEC_OID_SECG_EC_SECP384R1:
+ return 384;
+ case SEC_OID_SECG_EC_SECP521R1:
+ /* this is a lie, but it makes the table easier. We don't
+ * have to have a double entry for every ECC mechanism */
+ return 512;
+ default:
+ break;
+ }
+ /* other curves aren't NIST approved, returning 0 will cause these
+ * curves to fail FIPS length criteria */
+ return 0;
+ }
+
+ switch (keyType) {
+ case CKK_RSA:
+ keyAttribute = CKA_MODULUS;
+ break;
+ case CKK_DSA:
+ case CKK_DH:
+ keyAttribute = CKA_PRIME;
+ break;
+ default:
+ keyAttribute = CKA_VALUE;
+ break;
+ }
+ attribute = sftk_FindAttribute(source, keyAttribute);
+ if (attribute) {
+ keyLength = attribute->attrib.ulValueLen * 8;
+ sftk_FreeAttribute(attribute);
+ }
+ return keyLength;
+}
+
+/*
+ * handle specialized FIPS semantics that are too complicated to
+ * handle with just a table. NOTE: this means any additional semantics
+ * would have to be coded here before they can be added to the table */
+static PRBool
+sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
+ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
+{
+ switch (mechInfo->special) {
+ case SFTKFIPSDH: {
+ SECItem dhPrime;
+ const SECItem *dhSubPrime;
+ CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
+ source, CKA_PRIME);
+ if (crv != CKR_OK) {
+ return PR_FALSE;
+ }
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ return (dhSubPrime) ? PR_TRUE : PR_FALSE;
+ }
+ case SFTKFIPSNone:
+ return PR_FALSE;
+ case SFTKFIPSECC:
+ /* we've already handled the curve selection in the 'getlength'
+ * function */
+ return PR_TRUE;
+ case SFTKFIPSAEAD: {
+ if (mech->ulParameterLen == 0) {
+ /* AEAD ciphers are only in FIPS mode if we are using the
+ * MESSAGE interface. This takes an empty parameter
+ * in the init function */
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+ }
+ case SFTKFIPSRSAPSS: {
+ /* PSS salt must not be longer than the underlying hash.
+ * We verify that the underlying hash of the
+ * parameters matches Hash of the combined hash mechanisms, so
+ * we don't need to look at the specific PSS mechanism */
+ CK_RSA_PKCS_PSS_PARAMS *pss = (CK_RSA_PKCS_PSS_PARAMS *)
+ mech->pParameter;
+ const SECHashObject *hashObj = NULL;
+ if (mech->ulParameterLen != sizeof(*pss)) {
+ return PR_FALSE;
+ }
+ /* we use the existing hash utilities to find the length of
+ * the hash */
+ hashObj = HASH_GetRawHashObject(sftk_GetHashTypeFromMechanism(
+ pss->hashAlg));
+ if (hashObj == NULL) {
+ return PR_FALSE;
+ }
+ if (pss->sLen > hashObj->length) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+ }
+ default:
+ break;
+ }
+ /* if we didn't understand the special processing, mark it non-fips */
+ return PR_FALSE;
+}
+#endif
+
+PRBool
+sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
+ SFTKObject *source)
+{
+#ifndef NSS_HAS_FIPS_INDICATORS
+ return PR_FALSE;
+#else
+ int i;
+ CK_FLAGS opFlags;
+ CK_ULONG keyLength;
+
+ /* handle all the quick stuff first */
+ if (!sftk_isFIPS(slot->slotID)) {
+ return PR_FALSE;
+ }
+ if (source && !source->isFIPS) {
+ return PR_FALSE;
+ }
+ if (mech == NULL) {
+ return PR_FALSE;
+ }
+
+ /* now get the calculated values */
+ opFlags = sftk_AttributeToFlags(op);
+ if (opFlags == 0) {
+ return PR_FALSE;
+ }
+ keyLength = sftk_getKeyLength(source);
+
+ /* check against our algorithm array */
+ for (i = 0; i < SFTK_NUMBER_FIPS_ALGORITHMS; i++) {
+ SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
+ /* if we match the number of records exactly, then we are an
+ * approved algorithm in the approved mode with an approved key */
+ if (((mech->mechanism == mechs->type) &&
+ (opFlags == (mechs->info.flags & opFlags)) &&
+ (keyLength <= mechs->info.ulMaxKeySize) &&
+ (keyLength >= mechs->info.ulMinKeySize) &&
+ ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+ ((mechs->special == SFTKFIPSNone) ||
+ sftk_handleSpecial(slot, mech, mechs, source))) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+#endif
+}
+
+/*
+ * create the FIPS Validation objects. If the vendor
+ * doesn't supply an NSS_FIPS_MODULE_ID, at compile time,
+ * then we assumethis is an unvalidated module.
+ */
+CK_RV
+sftk_CreateValidationObjects(SFTKSlot *slot)
+{
+ const char *module_id;
+ int module_id_len;
+ CK_RV crv = CKR_OK;
+ /* we currently use vendor specific values until the validation
+ * objects are approved for PKCS #11 v3.2. */
+ CK_OBJECT_CLASS cko_validation = CKO_NSS_VALIDATION;
+ CK_NSS_VALIDATION_TYPE ckv_fips = CKV_NSS_FIPS_140;
+ CK_VERSION fips_version = { 3, 0 }; /* FIPS-140-3 */
+ CK_ULONG fips_level = 1; /* or 2 if you validated at level 2 */
+
+#ifndef NSS_FIPS_MODULE_ID
+#define NSS_FIPS_MODULE_ID "Generic NSS " SOFTOKEN_VERSION " Unvalidated"
+#endif
+ module_id = NSS_FIPS_MODULE_ID;
+ module_id_len = sizeof(NSS_FIPS_MODULE_ID) - 1;
+ SFTKObject *object;
+
+ object = sftk_NewObject(slot); /* fill in the handle later */
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ object->isFIPS = PR_FALSE;
+
+ crv = sftk_AddAttributeType(object, CKA_CLASS,
+ &cko_validation, sizeof(cko_validation));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_TYPE,
+ &ckv_fips, sizeof(ckv_fips));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_VERSION,
+ &fips_version, sizeof(fips_version));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_LEVEL,
+ &fips_level, sizeof(fips_level));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_MODULE_ID,
+ module_id, module_id_len);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* future, fill in validation certificate information from a supplied
+ * pointer to a config file */
+ object->handle = sftk_getNextHandle(slot);
+ object->slot = slot;
+ sftk_AddObject(&slot->moduleObjects, object);
+loser:
+ sftk_FreeObject(object);
+ return crv;
+}
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
new file mode 100644
index 0000000000..548cf42537
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.c
@@ -0,0 +1,2469 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+
+#include "sdb.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include
+#include "prthread.h"
+#include "prio.h"
+#include
+#include "secport.h"
+#include "prmon.h"
+#include "prenv.h"
+#include "prprf.h"
+#include "prsystem.h" /* for PR_GetDirectorySeparator() */
+#include
+#if defined(_WIN32)
+#include
+#include
+#elif defined(XP_UNIX)
+#include
+#endif
+#if defined(LINUX) && !defined(ANDROID)
+#include
+#include
+#endif
+#include "utilpars.h"
+
+#ifdef SQLITE_UNSAFE_THREADS
+#include "prlock.h"
+/*
+ * SQLite can be compiled to be thread safe or not.
+ * turn on SQLITE_UNSAFE_THREADS if the OS does not support
+ * a thread safe version of sqlite.
+ */
+static PRLock *sqlite_lock = NULL;
+
+#define LOCK_SQLITE() PR_Lock(sqlite_lock);
+#define UNLOCK_SQLITE() PR_Unlock(sqlite_lock);
+#else
+#define LOCK_SQLITE()
+#define UNLOCK_SQLITE()
+#endif
+
+typedef enum {
+ SDB_CERT = 1,
+ SDB_KEY = 2
+} sdbDataType;
+
+/*
+ * defines controlling how long we wait to acquire locks.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT specifies how long (in milliseconds)
+ * sqlite will wait on lock. If that timeout expires, sqlite will
+ * return SQLITE_BUSY.
+ * SDB_BUSY_RETRY_TIME specifies how many seconds the sdb_ code waits
+ * after receiving a busy before retrying.
+ * SDB_MAX_BUSY_RETRIES specifies how many times the sdb_ will retry on
+ * a busy condition.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT affects all opertions, both manual
+ * (prepare/step/reset/finalize) and automatic (sqlite3_exec()).
+ * SDB_BUSY_RETRY_TIME and SDB_MAX_BUSY_RETRIES only affect manual operations
+ *
+ * total wait time for automatic operations:
+ * 1 second (SDB_SQLITE_BUSY_TIMEOUT/1000).
+ * total wait time for manual operations:
+ * (1 second + SDB_BUSY_RETRY_TIME) * 30 = 30 seconds.
+ * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES
+ */
+#define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */
+#define SDB_BUSY_RETRY_TIME 5 /* 'ticks', varies by platforms */
+#define SDB_MAX_BUSY_RETRIES 30
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+ CKA_PUBLIC_KEY_INFO, CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS,
+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_HW_FEATURE_TYPE,
+ CKA_RESET_ON_INIT, CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y,
+ CKA_RESOLUTION, CKA_CHAR_ROWS, CKA_CHAR_COLUMNS, CKA_COLOR,
+ CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, CKA_ENCODING_METHODS, CKA_MIME_TYPES,
+ CKA_MECHANISM_TYPE, CKA_REQUIRED_CMS_ATTRIBUTES,
+ CKA_DEFAULT_CMS_ATTRIBUTES, CKA_SUPPORTED_CMS_ATTRIBUTES,
+ CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_NSS_TRUST, CKA_NSS_URL,
+ CKA_NSS_EMAIL, CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP,
+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES,
+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED,
+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC,
+ CKA_NSS_OVERRIDE_EXTENSIONS, CKA_NSS_SERVER_DISTRUST_AFTER,
+ CKA_NSS_EMAIL_DISTRUST_AFTER, CKA_TRUST_DIGITAL_SIGNATURE,
+ CKA_TRUST_NON_REPUDIATION, CKA_TRUST_KEY_ENCIPHERMENT,
+ CKA_TRUST_DATA_ENCIPHERMENT, CKA_TRUST_KEY_AGREEMENT,
+ CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, CKA_TRUST_SERVER_AUTH,
+ CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_IPSEC_END_SYSTEM, CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER,
+ CKA_TRUST_TIME_STAMPING, CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH,
+ CKA_CERT_MD5_HASH, CKA_NSS_DB
+};
+
+static const int known_attributes_size = PR_ARRAY_SIZE(known_attributes);
+
+/*
+ * Note on use of sqlReadDB: Only one thread at a time may have an actual
+ * operation going on given sqlite3 * database. An operation is defined as
+ * the time from a sqlite3_prepare() until the sqlite3_finalize().
+ * Multiple sqlite3 * databases can be open and have simultaneous operations
+ * going. We use the sqlXactDB for all write operations. This database
+ * is only opened when we first create a transaction and closed when the
+ * transaction is complete. sqlReadDB is open when we first opened the database
+ * and is used for all read operation. It's use is protected by a monitor. This
+ * is because an operation can span the use of FindObjectsInit() through the
+ * call to FindObjectsFinal(). In the intermediate time it is possible to call
+ * other operations like NSC_GetAttributeValue */
+
+struct SDBPrivateStr {
+ char *sqlDBName; /* invariant, path to this database */
+ sqlite3 *sqlXactDB; /* access protected by dbMon, use protected
+ * by the transaction. Current transaction db*/
+ PRThread *sqlXactThread; /* protected by dbMon,
+ * current transaction thread */
+ sqlite3 *sqlReadDB; /* use protected by dbMon, value invariant */
+ PRIntervalTime lastUpdateTime; /* last time the cache was updated */
+ PRIntervalTime updateInterval; /* how long the cache can go before it
+ * must be updated again */
+ sdbDataType type; /* invariant, database type */
+ char *table; /* invariant, SQL table which contains the db */
+ char *cacheTable; /* invariant, SQL table cache of db */
+ PRMonitor *dbMon; /* invariant, monitor to protect
+ * sqlXact* fields, and use of the sqlReadDB */
+ CK_ATTRIBUTE_TYPE *schemaAttrs; /* Attribute columns that exist in the table. */
+ unsigned int numSchemaAttrs;
+};
+
+typedef struct SDBPrivateStr SDBPrivate;
+
+/* Magic for an explicit NULL. NOTE: ideally this should be
+ * out of band data. Since it's not completely out of band, pick
+ * a value that has no meaning to any existing PKCS #11 attributes.
+ * This value is 1) not a valid string (imbedded '\0'). 2) not a U_LONG
+ * or a normal key (too short). 3) not a bool (too long). 4) not an RSA
+ * public exponent (too many bits).
+ */
+const unsigned char SQLITE_EXPLICIT_NULL[] = { 0xa5, 0x0, 0x5a };
+#define SQLITE_EXPLICIT_NULL_LEN 3
+
+/*
+ * determine when we've completed our tasks
+ */
+static int
+sdb_done(int err, int *count)
+{
+ /* allow as many rows as the database wants to give */
+ if (err == SQLITE_ROW) {
+ *count = 0;
+ return 0;
+ }
+ if (err != SQLITE_BUSY) {
+ return 1;
+ }
+ /* err == SQLITE_BUSY, Dont' retry forever in this case */
+ if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
+ return 1;
+ }
+ return 0;
+}
+
+#if defined(_WIN32)
+/*
+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
+ * sqlite3 expects.
+ */
+
+static int
+sdb_chmod(const char *filename, int pmode)
+{
+ int result;
+
+ if (!filename) {
+ return -1;
+ }
+
+ wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+ if (!filenameWide) {
+ return -1;
+ }
+ result = _wchmod(filenameWide, pmode);
+ PORT_Free(filenameWide);
+
+ return result;
+}
+#else
+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
+#endif
+
+/*
+ * find out where sqlite stores the temp tables. We do this by replicating
+ * the logic from sqlite.
+ */
+#if defined(_WIN32)
+static char *
+sdb_getFallbackTempDir(void)
+{
+ /* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
+ * access to sqlite3_temp_directory because it is not exported from
+ * sqlite3.dll. Assume sqlite3_win32_set_directory isn't called and
+ * sqlite3_temp_directory is NULL.
+ */
+ char path[MAX_PATH];
+ DWORD rv;
+ size_t len;
+
+ rv = GetTempPathA(MAX_PATH, path);
+ if (rv > MAX_PATH || rv == 0)
+ return NULL;
+ len = strlen(path);
+ if (len == 0)
+ return NULL;
+ /* The returned string ends with a backslash, for example, "C:\TEMP\". */
+ if (path[len - 1] == '\\')
+ path[len - 1] = '\0';
+ return PORT_Strdup(path);
+}
+#elif defined(XP_UNIX)
+static char *
+sdb_getFallbackTempDir(void)
+{
+ const char *azDirs[] = {
+ NULL,
+ NULL,
+ "/var/tmp",
+ "/usr/tmp",
+ "/tmp",
+ NULL /* List terminator */
+ };
+ unsigned int i;
+ struct stat buf;
+ const char *zDir = NULL;
+
+ azDirs[0] = sqlite3_temp_directory;
+ azDirs[1] = PR_GetEnvSecure("TMPDIR");
+
+ for (i = 0; i < PR_ARRAY_SIZE(azDirs); i++) {
+ zDir = azDirs[i];
+ if (zDir == NULL)
+ continue;
+ if (stat(zDir, &buf))
+ continue;
+ if (!S_ISDIR(buf.st_mode))
+ continue;
+ if (access(zDir, 07))
+ continue;
+ break;
+ }
+
+ if (zDir == NULL)
+ return NULL;
+ return PORT_Strdup(zDir);
+}
+#else
+#error "sdb_getFallbackTempDir not implemented"
+#endif
+
+#ifndef SQLITE_FCNTL_TEMPFILENAME
+/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
+#define SQLITE_FCNTL_TEMPFILENAME 16
+#endif
+
+static char *
+sdb_getTempDir(sqlite3 *sqlDB)
+{
+ int sqlrv;
+ char *result = NULL;
+ char *tempName = NULL;
+ char *foundSeparator = NULL;
+
+ /* Obtain temporary filename in sqlite's directory for temporary tables */
+ sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
+ (void *)&tempName);
+ if (sqlrv == SQLITE_NOTFOUND) {
+ /* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
+ * an older SQLite. */
+ return sdb_getFallbackTempDir();
+ }
+ if (sqlrv != SQLITE_OK) {
+ return NULL;
+ }
+
+ /* We'll extract the temporary directory from tempName */
+ foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
+ if (foundSeparator) {
+ /* We shorten the temp filename string to contain only
+ * the directory name (including the trailing separator).
+ * We know the byte after the foundSeparator position is
+ * safe to use, in the shortest scenario it contains the
+ * end-of-string byte.
+ * By keeping the separator at the found position, it will
+ * even work if tempDir consists of the separator, only.
+ * (In this case the toplevel directory will be used for
+ * access speed testing). */
+ ++foundSeparator;
+ *foundSeparator = 0;
+
+ /* Now we copy the directory name for our caller */
+ result = PORT_Strdup(tempName);
+ }
+
+ sqlite3_free(tempName);
+ return result;
+}
+
+/*
+ * Map SQL_LITE errors to PKCS #11 errors as best we can.
+ */
+static CK_RV
+sdb_mapSQLError(sdbDataType type, int sqlerr)
+{
+ switch (sqlerr) {
+ /* good matches */
+ case SQLITE_OK:
+ case SQLITE_DONE:
+ return CKR_OK;
+ case SQLITE_NOMEM:
+ return CKR_HOST_MEMORY;
+ case SQLITE_READONLY:
+ return CKR_TOKEN_WRITE_PROTECTED;
+ /* close matches */
+ case SQLITE_AUTH:
+ case SQLITE_PERM:
+ /*return CKR_USER_NOT_LOGGED_IN; */
+ case SQLITE_CANTOPEN:
+ case SQLITE_NOTFOUND:
+ /* NSS distiguishes between failure to open the cert and the key db */
+ return type == SDB_CERT ? CKR_NSS_CERTDB_FAILED : CKR_NSS_KEYDB_FAILED;
+ case SQLITE_IOERR:
+ return CKR_DEVICE_ERROR;
+ default:
+ break;
+ }
+ return CKR_GENERAL_ERROR;
+}
+
+/*
+ * build up database name from a directory, prefix, name, version and flags.
+ */
+static char *
+sdb_BuildFileName(const char *directory,
+ const char *prefix, const char *type,
+ int version)
+{
+ char *dbname = NULL;
+ /* build the full dbname */
+ dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
+ (int)(unsigned char)PR_GetDirectorySeparator(),
+ prefix, type, version);
+ return dbname;
+}
+
+/*
+ * find out how expensive the access system call is for non-existant files
+ * in the given directory. Return the number of operations done in 33 ms.
+ */ +static PRUint32 +sdb_measureAccess(const char *directory) +{ + PRUint32 i; + PRIntervalTime time; + PRIntervalTime delta; + PRIntervalTime duration = PR_MillisecondsToInterval(33); + const char *doesntExistName = "_dOeSnotExist_.db"; + char *temp, *tempStartOfFilename; + size_t maxTempLen, maxFileNameLen, directoryLength, tmpdirLength = 0; +#ifdef SDB_MEASURE_USE_TEMP_DIR + /* + * on some OS's and Filesystems, creating a bunch of files and deleting + * them messes up the systems's caching, but if we create the files in + * a temp directory which we later delete, then the cache gets cleared + * up. This code uses several OS dependent calls, and it's not clear + * that temp directory use won't mess up other filesystems and OS caching, + * so if you need this for your OS, you can turn on the + * 'SDB_MEASURE_USE_TEMP_DIR' define in coreconf + */ + const char template[] = "dbTemp.XXXXXX"; + tmpdirLength = sizeof(template); +#endif + /* no directory, just return one */ + if (directory == NULL) { + return 1; + } + + /* our calculation assumes time is a 4 bytes == 32 bit integer */ + PORT_Assert(sizeof(time) == 4); + + directoryLength = strlen(directory); + + maxTempLen = directoryLength + 1 /* dirname + / */ + + tmpdirLength /* tmpdirname includes / */ + + strlen(doesntExistName) /* filename base */ + + 11 /* max chars for 32 bit int plus potential sign */ + + 1; /* zero terminator */ + + temp = PORT_ZAlloc(maxTempLen); + if (!temp) { + return 1; + } + + /* We'll copy directory into temp just once, then ensure it ends + * with the directory separator. 
*/ + + strcpy(temp, directory); + if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) { + temp[directoryLength++] = PR_GetDirectorySeparator(); + } + +#ifdef SDB_MEASURE_USE_TEMP_DIR + /* add the template for a temporary subdir, and create it */ + strcat(temp, template); + if (!mkdtemp(temp)) { + PORT_Free(temp); + return 1; + } + /* and terminate that tmp subdir with a / */ + strcat(temp, "/"); +#endif + + /* Remember the position after the last separator, and calculate the + * number of remaining bytes. */ + tempStartOfFilename = temp + directoryLength + tmpdirLength; + maxFileNameLen = maxTempLen - directoryLength; + + /* measure number of Access operations that can be done in 33 milliseconds + * (1/30'th of a second), or 10000 operations, which ever comes first. + */ + time = PR_IntervalNow(); + for (i = 0; i < 10000u; i++) { + PRIntervalTime next; + + /* We'll use the variable part first in the filename string, just in + * case it's longer than assumed, so if anything gets cut off, it + * will be cut off from the constant part. + * This code assumes the directory name at the beginning of + * temp remains unchanged during our loop. */ + PR_snprintf(tempStartOfFilename, maxFileNameLen, + ".%lu%s", (PRUint32)(time + i), doesntExistName); + PR_Access(temp, PR_ACCESS_EXISTS); + next = PR_IntervalNow(); + delta = next - time; + if (delta >= duration) + break; + } + +#ifdef SDB_MEASURE_USE_TEMP_DIR + /* turn temp back into our tmpdir path by removing doesntExistName, and + * remove the tmp dir */ + *tempStartOfFilename = '\0'; + (void)rmdir(temp); +#endif + PORT_Free(temp); + + /* always return 1 or greater */ + return i ? i : 1u; +} + +/* + * some file sytems are very slow to run sqlite3 on, particularly if the + * access count is pretty high. On these filesystems is faster to create + * a temporary database on the local filesystem and access that. This + * code uses a temporary table to create that cache. 
Temp tables are + * automatically cleared when the database handle it was created on + * Is freed. + */ +static const char DROP_CACHE_CMD[] = "DROP TABLE %s"; +static const char CREATE_CACHE_CMD[] = + "CREATE TEMPORARY TABLE %s AS SELECT * FROM %s"; +static const char CREATE_ISSUER_INDEX_CMD[] = + "CREATE INDEX issuer ON %s (a81)"; +static const char CREATE_SUBJECT_INDEX_CMD[] = + "CREATE INDEX subject ON %s (a101)"; +static const char CREATE_LABEL_INDEX_CMD[] = "CREATE INDEX label ON %s (a3)"; +static const char CREATE_ID_INDEX_CMD[] = "CREATE INDEX ckaid ON %s (a102)"; + +static CK_RV +sdb_buildCache(sqlite3 *sqlDB, sdbDataType type, + const char *cacheTable, const char *table) +{ + char *newStr; + int sqlerr = SQLITE_OK; + + newStr = sqlite3_mprintf(CREATE_CACHE_CMD, cacheTable, table); + if (newStr == NULL) { + return CKR_HOST_MEMORY; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + return sdb_mapSQLError(type, sqlerr); + } + /* failure to create the indexes is not an issue */ + newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, cacheTable); + if (newStr == NULL) { + return CKR_OK; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, cacheTable); + if (newStr == NULL) { + return CKR_OK; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, cacheTable); + if (newStr == NULL) { + return CKR_OK; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, cacheTable); + if (newStr == NULL) { + return CKR_OK; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + return CKR_OK; +} + +/* + * update the cache and the data records describing it. + * The cache is updated by dropping the temp database and recreating it. 
+ */ +static CK_RV +sdb_updateCache(SDBPrivate *sdb_p) +{ + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + char *newStr; + + /* drop the old table */ + newStr = sqlite3_mprintf(DROP_CACHE_CMD, sdb_p->cacheTable); + if (newStr == NULL) { + return CKR_HOST_MEMORY; + } + sqlerr = sqlite3_exec(sdb_p->sqlReadDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if ((sqlerr != SQLITE_OK) && (sqlerr != SQLITE_ERROR)) { + /* something went wrong with the drop, don't try to refresh... + * NOTE: SQLITE_ERROR is returned if the table doesn't exist. In + * that case, we just continue on and try to reload it */ + return sdb_mapSQLError(sdb_p->type, sqlerr); + } + + /* set up the new table */ + error = sdb_buildCache(sdb_p->sqlReadDB, sdb_p->type, + sdb_p->cacheTable, sdb_p->table); + if (error == CKR_OK) { + /* we have a new cache! */ + sdb_p->lastUpdateTime = PR_IntervalNow(); + } + return error; +} + +/* + * The sharing of sqlite3 handles across threads is tricky. Older versions + * couldn't at all, but newer ones can under strict conditions. Basically + * no 2 threads can use the same handle while another thread has an open + * stmt running. Once the sqlite3_stmt is finalized, another thread can then + * use the database handle. + * + * We use monitors to protect against trying to use a database before + * it's sqlite3_stmt is finalized. This is preferable to the opening and + * closing the database each operation because there is significant overhead + * in the open and close. Also continually opening and closing the database + * defeats the cache code as the cache table is lost on close (thus + * requiring us to have to reinitialize the cache every operation). + * + * An execption to the shared handle is transations. All writes happen + * through a transaction. When we are in a transaction, we must use the + * same database pointer for that entire transation. In this case we save + * the transaction database and use it for all accesses on the transaction + * thread. 
Other threads use the common database. + * + * There can only be once active transaction on the database at a time. + * + * sdb_openDBLocal() provides us with a valid database handle for whatever + * state we are in (reading or in a transaction), and acquires any locks + * appropriate to that state. It also decides when it's time to refresh + * the cache before we start an operation. Any database handle returned + * just eventually be closed with sdb_closeDBLocal(). + * + * The table returned either points to the database's physical table, or + * to the cached shadow. Tranactions always return the physical table + * and read operations return either the physical table or the cache + * depending on whether or not the cache exists. + */ +static CK_RV +sdb_openDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB, const char **table) +{ + *sqlDB = NULL; + + PR_EnterMonitor(sdb_p->dbMon); + + if (table) { + *table = sdb_p->table; + } + + /* We're in a transaction, use the transaction DB */ + if ((sdb_p->sqlXactDB) && (sdb_p->sqlXactThread == PR_GetCurrentThread())) { + *sqlDB = sdb_p->sqlXactDB; + /* only one thread can get here, safe to unlock */ + PR_ExitMonitor(sdb_p->dbMon); + return CKR_OK; + } + + /* + * if we are just reading from the table, we may have the table + * cached in a temporary table (especially if it's on a shared FS). + * In that case we want to see updates to the table, the the granularity + * is on order of human scale, not computer scale. + */ + if (table && sdb_p->cacheTable) { + PRIntervalTime now = PR_IntervalNow(); + if ((now - sdb_p->lastUpdateTime) > sdb_p->updateInterval) { + sdb_updateCache(sdb_p); + } + *table = sdb_p->cacheTable; + } + + *sqlDB = sdb_p->sqlReadDB; + + /* leave holding the lock. 
only one thread can actually use a given + * database connection at once */ + + return CKR_OK; +} + +/* closing the local database currenly means unlocking the monitor */ +static CK_RV +sdb_closeDBLocal(SDBPrivate *sdb_p, sqlite3 *sqlDB) +{ + if (sdb_p->sqlXactDB != sqlDB) { + /* if we weren't in a transaction, we got a lock */ + PR_ExitMonitor(sdb_p->dbMon); + } + return CKR_OK; +} + +/* + * wrapper to sqlite3_open which also sets the busy_timeout + */ +static int +sdb_openDB(const char *name, sqlite3 **sqlDB, int flags) +{ + int sqlerr; + int openFlags; + + *sqlDB = NULL; + + if (flags & SDB_RDONLY) { + openFlags = SQLITE_OPEN_READONLY; + } else { + openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE; + /* sqlite 3.34 seem to incorrectly open readwrite. + * when the file is readonly. Explicitly reject that issue here */ + if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) { + return SQLITE_READONLY; + } + } + + /* Requires SQLite 3.5.0 or newer. */ + sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL); + if (sqlerr != SQLITE_OK) { + return sqlerr; + } + + sqlerr = sqlite3_busy_timeout(*sqlDB, SDB_SQLITE_BUSY_TIMEOUT); + if (sqlerr != SQLITE_OK) { + sqlite3_close(*sqlDB); + *sqlDB = NULL; + return sqlerr; + } + return SQLITE_OK; +} + +/* Sigh, if we created a new table since we opened the database, + * the database handle will not see the new table, we need to close this + * database and reopen it. Caller must be in a transaction or holding + * the dbMon. sqlDB is changed on success. */ +static int +sdb_reopenDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB) +{ + sqlite3 *newDB; + int sqlerr; + + /* open a new database */ + sqlerr = sdb_openDB(sdb_p->sqlDBName, &newDB, SDB_RDONLY); + if (sqlerr != SQLITE_OK) { + return sqlerr; + } + + /* if we are in a transaction, we may not be holding the monitor. + * grab it before we update the transaction database. 
This is + * safe since are using monitors. */ + PR_EnterMonitor(sdb_p->dbMon); + /* update our view of the database */ + if (sdb_p->sqlReadDB == *sqlDB) { + sdb_p->sqlReadDB = newDB; + } else if (sdb_p->sqlXactDB == *sqlDB) { + sdb_p->sqlXactDB = newDB; + } + PR_ExitMonitor(sdb_p->dbMon); + + /* close the old one */ + sqlite3_close(*sqlDB); + + *sqlDB = newDB; + return SQLITE_OK; +} + +struct SDBFindStr { + sqlite3 *sqlDB; + sqlite3_stmt *findstmt; +}; + +static const char FIND_OBJECTS_CMD[] = "SELECT ALL id FROM %s WHERE %s;"; +static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL id FROM %s;"; +CK_RV +sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count, + SDBFind **find) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + const char *table; + char *newStr, *findStr = NULL; + sqlite3_stmt *findstmt = NULL; + char *join = ""; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + unsigned int i; + + LOCK_SQLITE() + *find = NULL; + error = sdb_openDBLocal(sdb_p, &sqlDB, &table); + if (error != CKR_OK) { + goto loser; + } + + findStr = sqlite3_mprintf(""); + for (i = 0; findStr && i < count; i++) { + newStr = sqlite3_mprintf("%s%sa%x=$DATA%d", findStr, join, + template[i].type, i); + join = " AND "; + sqlite3_free(findStr); + findStr = newStr; + } + + if (findStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + + if (count == 0) { + newStr = sqlite3_mprintf(FIND_OBJECTS_ALL_CMD, table); + } else { + newStr = sqlite3_mprintf(FIND_OBJECTS_CMD, table, findStr); + } + sqlite3_free(findStr); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &findstmt, NULL); + sqlite3_free(newStr); + for (i = 0; sqlerr == SQLITE_OK && i < count; i++) { + const void *blobData = template[i].pValue; + unsigned int blobSize = template[i].ulValueLen; + if (blobSize == 0) { + blobSize = SQLITE_EXPLICIT_NULL_LEN; + blobData = SQLITE_EXPLICIT_NULL; + } + sqlerr = 
sqlite3_bind_blob(findstmt, i + 1, blobData, blobSize, + SQLITE_TRANSIENT); + } + if (sqlerr == SQLITE_OK) { + *find = PORT_New(SDBFind); + if (*find == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + (*find)->findstmt = findstmt; + (*find)->sqlDB = sqlDB; + UNLOCK_SQLITE() + return CKR_OK; + } + error = sdb_mapSQLError(sdb_p->type, sqlerr); + +loser: + if (findstmt) { + sqlite3_reset(findstmt); + sqlite3_finalize(findstmt); + } + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + UNLOCK_SQLITE() + return error; +} + +CK_RV +sdb_FindObjects(SDB *sdb, SDBFind *sdbFind, CK_OBJECT_HANDLE *object, + CK_ULONG arraySize, CK_ULONG *count) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3_stmt *stmt = sdbFind->findstmt; + int sqlerr = SQLITE_OK; + int retry = 0; + + *count = 0; + + if (arraySize == 0) { + return CKR_OK; + } + LOCK_SQLITE() + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + if (sqlerr == SQLITE_ROW) { + /* only care about the id */ + *object++ = sqlite3_column_int(stmt, 0); + arraySize--; + (*count)++; + } + } while (!sdb_done(sqlerr, &retry) && (arraySize > 0)); + + /* we only have some of the objects, there is probably more, + * set the sqlerr to an OK value so we return CKR_OK */ + if (sqlerr == SQLITE_ROW && arraySize == 0) { + sqlerr = SQLITE_DONE; + } + UNLOCK_SQLITE() + + return sdb_mapSQLError(sdb_p->type, sqlerr); +} + +CK_RV +sdb_FindObjectsFinal(SDB *sdb, SDBFind *sdbFind) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3_stmt *stmt = sdbFind->findstmt; + sqlite3 *sqlDB = sdbFind->sqlDB; + int sqlerr = SQLITE_OK; + + LOCK_SQLITE() + if (stmt) { + sqlite3_reset(stmt); + sqlerr = sqlite3_finalize(stmt); + } + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + PORT_Free(sdbFind); + + UNLOCK_SQLITE() + return sdb_mapSQLError(sdb_p->type, sqlerr); +} + +static CK_RV +sdb_GetValidAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, + CK_ATTRIBUTE *template, CK_ULONG count) +{ + 
SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + const char *table = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int found = 0; + int retry = 0; + unsigned int i; + + if (count == 0) { + error = CKR_OBJECT_HANDLE_INVALID; + goto loser; + } + + /* open a new db if necessary */ + error = sdb_openDBLocal(sdb_p, &sqlDB, &table); + if (error != CKR_OK) { + goto loser; + } + + char *columns = NULL; + for (i = 0; i < count; i++) { + char *newColumns; + if (columns) { + newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type); + sqlite3_free(columns); + columns = NULL; + } else { + newColumns = sqlite3_mprintf("a%x", template[i].type); + } + if (!newColumns) { + error = CKR_HOST_MEMORY; + goto loser; + } + columns = newColumns; + } + + PORT_Assert(columns); + + char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;", + columns, table); + sqlite3_free(columns); + columns = NULL; + if (!statement) { + error = CKR_HOST_MEMORY; + goto loser; + } + + sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL); + sqlite3_free(statement); + statement = NULL; + if (sqlerr != SQLITE_OK) { + goto loser; + } + + // NB: indices in sqlite3_bind_int are 1-indexed + sqlerr = sqlite3_bind_int(stmt, 1, object_id); + if (sqlerr != SQLITE_OK) { + goto loser; + } + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + if (sqlerr == SQLITE_ROW) { + PORT_Assert(!found); + for (i = 0; i < count; i++) { + unsigned int blobSize; + const char *blobData; + + // NB: indices in sqlite_column_{bytes,blob} are 0-indexed + blobSize = sqlite3_column_bytes(stmt, i); + blobData = sqlite3_column_blob(stmt, i); + if (blobData == NULL) { + /* PKCS 11 requires that get attributes process all the + * attributes in the template, marking the attributes with + * issues with -1. 
Mark the error but continue */ + template[i].ulValueLen = -1; + error = CKR_ATTRIBUTE_TYPE_INVALID; + continue; + } + /* If the blob equals our explicit NULL value, then the + * attribute is a NULL. */ + if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) && + (PORT_Memcmp(blobData, SQLITE_EXPLICIT_NULL, + SQLITE_EXPLICIT_NULL_LEN) == 0)) { + blobSize = 0; + } + if (template[i].pValue) { + if (template[i].ulValueLen < blobSize) { + /* like CKR_ATTRIBUTE_TYPE_INVALID, continue processing */ + template[i].ulValueLen = -1; + error = CKR_BUFFER_TOO_SMALL; + continue; + } + PORT_Memcpy(template[i].pValue, blobData, blobSize); + } + template[i].ulValueLen = blobSize; + } + found = 1; + } + } while (!sdb_done(sqlerr, &retry)); + + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + stmt = NULL; + +loser: + /* fix up the error if necessary */ + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + if (!found && error == CKR_OK) { + error = CKR_OBJECT_HANDLE_INVALID; + } + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + /* if we had to open a new database, free it now */ + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + return error; +} + +/* NOTE: requires sdb_p->schemaAttrs to be sorted asc. 
*/ +inline static PRBool +sdb_attributeExists(SDB *sdb, CK_ATTRIBUTE_TYPE attr) +{ + SDBPrivate *sdb_p = sdb->private; + int first = 0; + int last = (int)sdb_p->numSchemaAttrs - 1; + while (last >= first) { + int mid = first + (last - first) / 2; + if (sdb_p->schemaAttrs[mid] == attr) { + return PR_TRUE; + } + if (attr > sdb_p->schemaAttrs[mid]) { + first = mid + 1; + } else { + last = mid - 1; + } + } + + return PR_FALSE; +} + +CK_RV +sdb_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, + CK_ATTRIBUTE *template, CK_ULONG count) +{ + CK_RV crv = CKR_OK; + unsigned int tmplIdx; + unsigned int resIdx = 0; + unsigned int validCount = 0; + unsigned int i; + + if (count == 0) { + return crv; + } + + CK_ATTRIBUTE *validTemplate; + PRBool invalidExists = PR_FALSE; + for (tmplIdx = 0; tmplIdx < count; tmplIdx++) { + if (!sdb_attributeExists(sdb, template[tmplIdx].type)) { + template[tmplIdx].ulValueLen = -1; + crv = CKR_ATTRIBUTE_TYPE_INVALID; + invalidExists = PR_TRUE; + break; + } + } + + if (!invalidExists) { + validTemplate = template; + validCount = count; + } else { + /* Create a new template containing only the valid subset of + * input |template|, and query with that. */ + validCount = tmplIdx; + validTemplate = malloc(sizeof(CK_ATTRIBUTE) * count); + if (!validTemplate) { + return CKR_HOST_MEMORY; + } + /* Copy in what we already know is valid. */ + for (i = 0; i < validCount; i++) { + validTemplate[i] = template[i]; + } + + /* tmplIdx was left at the index of the first invalid + * attribute, which has been handled. We only need to + * deal with the remainder. 
*/ + tmplIdx++; + for (; tmplIdx < count; tmplIdx++) { + if (sdb_attributeExists(sdb, template[tmplIdx].type)) { + validTemplate[validCount++] = template[tmplIdx]; + } else { + template[tmplIdx].ulValueLen = -1; + } + } + } + + if (validCount) { + LOCK_SQLITE() + CK_RV crv2 = sdb_GetValidAttributeValueNoLock(sdb, object_id, validTemplate, validCount); + UNLOCK_SQLITE() + + /* If an invalid attribute was removed above, let + * the caller know. Any other error from the actual + * query should propogate. */ + crv = (crv2 == CKR_OK) ? crv : crv2; + } + + if (invalidExists) { + /* Copy out valid lengths. */ + tmplIdx = 0; + for (resIdx = 0; resIdx < validCount; resIdx++) { + for (; tmplIdx < count; tmplIdx++) { + if (template[tmplIdx].type != validTemplate[resIdx].type) { + continue; + } + template[tmplIdx].ulValueLen = validTemplate[resIdx].ulValueLen; + tmplIdx++; + break; + } + } + free(validTemplate); + } + + return crv; +} + +static const char SET_ATTRIBUTE_CMD[] = "UPDATE %s SET %s WHERE id=$ID;"; +CK_RV +sdb_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id, + const CK_ATTRIBUTE *template, CK_ULONG count) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + char *setStr = NULL; + char *newStr = NULL; + int sqlerr = SQLITE_OK; + int retry = 0; + CK_RV error = CKR_OK; + unsigned int i; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + if (count == 0) { + return CKR_OK; + } + + LOCK_SQLITE() + setStr = sqlite3_mprintf(""); + for (i = 0; setStr && i < count; i++) { + if (i == 0) { + sqlite3_free(setStr); + setStr = sqlite3_mprintf("a%x=$VALUE%d", + template[i].type, i); + continue; + } + newStr = sqlite3_mprintf("%s,a%x=$VALUE%d", setStr, + template[i].type, i); + sqlite3_free(setStr); + setStr = newStr; + } + newStr = NULL; + + if (setStr == NULL) { + return CKR_HOST_MEMORY; + } + newStr = sqlite3_mprintf(SET_ATTRIBUTE_CMD, sdb_p->table, setStr); + sqlite3_free(setStr); + if 
(newStr == NULL) { + UNLOCK_SQLITE() + return CKR_HOST_MEMORY; + } + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); + if (sqlerr != SQLITE_OK) + goto loser; + for (i = 0; i < count; i++) { + if (template[i].ulValueLen != 0) { + sqlerr = sqlite3_bind_blob(stmt, i + 1, template[i].pValue, + template[i].ulValueLen, SQLITE_STATIC); + } else { + sqlerr = sqlite3_bind_blob(stmt, i + 1, SQLITE_EXPLICIT_NULL, + SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC); + } + if (sqlerr != SQLITE_OK) + goto loser; + } + sqlerr = sqlite3_bind_int(stmt, i + 1, object_id); + if (sqlerr != SQLITE_OK) + goto loser; + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + } while (!sdb_done(sqlerr, &retry)); + +loser: + if (newStr) { + sqlite3_free(newStr); + } + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + + UNLOCK_SQLITE() + return error; +} + +/* + * check to see if a candidate object handle already exists. 
+ */ +static PRBool +sdb_objectExists(SDB *sdb, CK_OBJECT_HANDLE candidate) +{ + CK_RV crv; + CK_ATTRIBUTE template = { CKA_LABEL, NULL, 0 }; + + crv = sdb_GetValidAttributeValueNoLock(sdb, candidate, &template, 1); + if (crv == CKR_OBJECT_HANDLE_INVALID) { + return PR_FALSE; + } + return PR_TRUE; +} + +/* + * if we're here, we are in a transaction, so it's safe + * to examine the current state of the database + */ +static CK_OBJECT_HANDLE +sdb_getObjectId(SDB *sdb) +{ + CK_OBJECT_HANDLE candidate; + static CK_OBJECT_HANDLE next_obj = CK_INVALID_HANDLE; + int count; + /* + * get an initial object handle to use + */ + if (next_obj == CK_INVALID_HANDLE) { + PRTime time; + time = PR_Now(); + + next_obj = (CK_OBJECT_HANDLE)(time & 0x3fffffffL); + } + candidate = next_obj++; + /* detect that we've looped through all the handles... */ + for (count = 0; count < 0x40000000; count++, candidate = next_obj++) { + /* mask off excess bits */ + candidate &= 0x3fffffff; + /* if we hit zero, go to the next entry */ + if (candidate == CK_INVALID_HANDLE) { + continue; + } + /* make sure we aren't already using */ + if (!sdb_objectExists(sdb, candidate)) { + /* this one is free */ + return candidate; + } + } + + /* no handle is free, fail */ + return CK_INVALID_HANDLE; +} + +CK_RV +sdb_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object) +{ + CK_OBJECT_HANDLE id; + + id = sdb_getObjectId(sdb); + if (id == CK_INVALID_HANDLE) { + return CKR_DEVICE_MEMORY; /* basically we ran out of resources */ + } + *object = id; + return CKR_OK; +} + +static const char CREATE_CMD[] = "INSERT INTO %s (id%s) VALUES($ID%s);"; +CK_RV +sdb_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *object_id, + const CK_ATTRIBUTE *template, CK_ULONG count) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + char *columnStr = NULL; + char *valueStr = NULL; + char *newStr = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + CK_OBJECT_HANDLE this_object = CK_INVALID_HANDLE; + int 
retry = 0; + unsigned int i; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + LOCK_SQLITE() + if ((*object_id != CK_INVALID_HANDLE) && + !sdb_objectExists(sdb, *object_id)) { + this_object = *object_id; + } else { + this_object = sdb_getObjectId(sdb); + } + if (this_object == CK_INVALID_HANDLE) { + UNLOCK_SQLITE(); + return CKR_HOST_MEMORY; + } + columnStr = sqlite3_mprintf(""); + valueStr = sqlite3_mprintf(""); + *object_id = this_object; + for (i = 0; columnStr && valueStr && i < count; i++) { + newStr = sqlite3_mprintf("%s,a%x", columnStr, template[i].type); + sqlite3_free(columnStr); + columnStr = newStr; + newStr = sqlite3_mprintf("%s,$VALUE%d", valueStr, i); + sqlite3_free(valueStr); + valueStr = newStr; + } + newStr = NULL; + if ((columnStr == NULL) || (valueStr == NULL)) { + if (columnStr) { + sqlite3_free(columnStr); + } + if (valueStr) { + sqlite3_free(valueStr); + } + UNLOCK_SQLITE() + return CKR_HOST_MEMORY; + } + newStr = sqlite3_mprintf(CREATE_CMD, sdb_p->table, columnStr, valueStr); + sqlite3_free(columnStr); + sqlite3_free(valueStr); + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); + if (sqlerr != SQLITE_OK) + goto loser; + sqlerr = sqlite3_bind_int(stmt, 1, *object_id); + if (sqlerr != SQLITE_OK) + goto loser; + for (i = 0; i < count; i++) { + if (template[i].ulValueLen) { + sqlerr = sqlite3_bind_blob(stmt, i + 2, template[i].pValue, + template[i].ulValueLen, SQLITE_STATIC); + } else { + sqlerr = sqlite3_bind_blob(stmt, i + 2, SQLITE_EXPLICIT_NULL, + SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC); + } + if (sqlerr != SQLITE_OK) + goto loser; + } + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + } while (!sdb_done(sqlerr, &retry)); + +loser: + if (newStr) { + sqlite3_free(newStr); + } + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, 
sqlerr); + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + UNLOCK_SQLITE() + + return error; +} + +/* + * Generic destroy that can destroy metadata or objects + */ +static const char DESTROY_CMD[] = "DELETE FROM %s WHERE (id=$ID);"; +CK_RV +sdb_destroyAnyObject(SDB *sdb, const char *table, + CK_OBJECT_HANDLE object_id, const char *string_id) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + char *newStr = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int retry = 0; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + LOCK_SQLITE() + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + newStr = sqlite3_mprintf(DESTROY_CMD, table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) + goto loser; + if (string_id == NULL) { + sqlerr = sqlite3_bind_int(stmt, 1, object_id); + } else { + sqlerr = sqlite3_bind_text(stmt, 1, string_id, + PORT_Strlen(string_id), SQLITE_STATIC); + } + if (sqlerr != SQLITE_OK) + goto loser; + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + } while (!sdb_done(sqlerr, &retry)); + +loser: + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + + UNLOCK_SQLITE() + return error; +} + +CK_RV +sdb_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id) +{ + SDBPrivate *sdb_p = sdb->private; + return sdb_destroyAnyObject(sdb, sdb_p->table, object_id, NULL); +} + +CK_RV +sdb_DestroyMetaData(SDB *sdb, const char *id) +{ + return sdb_destroyAnyObject(sdb, "metaData", 0, id); +} + +static const char BEGIN_CMD[] = 
"BEGIN IMMEDIATE TRANSACTION;"; + +/* + * start a transaction. + * + * We need to open a new database, then store that new database into + * the private data structure. We open the database first, then use locks + * to protect storing the data to prevent deadlocks. + */ +CK_RV +sdb_Begin(SDB *sdb) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int retry = 0; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + LOCK_SQLITE() + + /* get a new version that we will use for the entire transaction */ + sqlerr = sdb_openDB(sdb_p->sqlDBName, &sqlDB, SDB_RDWR); + if (sqlerr != SQLITE_OK) { + goto loser; + } + + sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL); + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + /* don't retry BEGIN transaction*/ + retry = 0; + } while (!sdb_done(sqlerr, &retry)); + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + +loser: + error = sdb_mapSQLError(sdb_p->type, sqlerr); + + /* we are starting a new transaction, + * and if we succeeded, then save this database for the rest of + * our transaction */ + if (error == CKR_OK) { + /* we hold a 'BEGIN TRANSACTION' and a sdb_p->lock. At this point + * sdb_p->sqlXactDB MUST be null */ + PR_EnterMonitor(sdb_p->dbMon); + PORT_Assert(sdb_p->sqlXactDB == NULL); + sdb_p->sqlXactDB = sqlDB; + sdb_p->sqlXactThread = PR_GetCurrentThread(); + PR_ExitMonitor(sdb_p->dbMon); + } else { + /* we failed to start our transaction, + * free any databases we opened. */ + if (sqlDB) { + sqlite3_close(sqlDB); + } + } + + UNLOCK_SQLITE() + return error; +} + +/* + * Complete a transaction. Basically undo everything we did in begin. + * There are 2 flavors Abort and Commit. Basically the only differerence between + * these 2 are what the database will show. 
(no change in to former, change in + * the latter). + */ +static CK_RV +sdb_complete(SDB *sdb, const char *cmd) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + sqlite3_stmt *stmt = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int retry = 0; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + /* We must have a transation database, or we shouldn't have arrived here */ + PR_EnterMonitor(sdb_p->dbMon); + PORT_Assert(sdb_p->sqlXactDB); + if (sdb_p->sqlXactDB == NULL) { + PR_ExitMonitor(sdb_p->dbMon); + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + PORT_Assert(sdb_p->sqlXactThread == PR_GetCurrentThread()); + if (sdb_p->sqlXactThread != PR_GetCurrentThread()) { + PR_ExitMonitor(sdb_p->dbMon); + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + sqlDB = sdb_p->sqlXactDB; + sdb_p->sqlXactDB = NULL; /* no one else can get to this DB, + * safe to unlock */ + sdb_p->sqlXactThread = NULL; + PR_ExitMonitor(sdb_p->dbMon); + + sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL); + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + } while (!sdb_done(sqlerr, &retry)); + + /* Pending BEGIN TRANSACTIONS Can move forward at this point. */ + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + /* we we have a cached DB image, update it as well */ + if (sdb_p->cacheTable) { + PR_EnterMonitor(sdb_p->dbMon); + sdb_updateCache(sdb_p); + PR_ExitMonitor(sdb_p->dbMon); + } + + error = sdb_mapSQLError(sdb_p->type, sqlerr); + + /* We just finished a transaction. 
+ * Free the database, and remove it from the list */ + sqlite3_close(sqlDB); + + return error; +} + +static const char COMMIT_CMD[] = "COMMIT TRANSACTION;"; +CK_RV +sdb_Commit(SDB *sdb) +{ + CK_RV crv; + LOCK_SQLITE() + crv = sdb_complete(sdb, COMMIT_CMD); + UNLOCK_SQLITE() + return crv; +} + +static const char ROLLBACK_CMD[] = "ROLLBACK TRANSACTION;"; +CK_RV +sdb_Abort(SDB *sdb) +{ + CK_RV crv; + LOCK_SQLITE() + crv = sdb_complete(sdb, ROLLBACK_CMD); + UNLOCK_SQLITE() + return crv; +} + +static int tableExists(sqlite3 *sqlDB, const char *tableName); + +static const char GET_PW_CMD[] = "SELECT ALL * FROM metaData WHERE id=$ID;"; +CK_RV +sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = sdb_p->sqlXactDB; + sqlite3_stmt *stmt = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int found = 0; + int retry = 0; + + LOCK_SQLITE() + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + + /* handle 'test' versions of the sqlite db */ + sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL); + /* Sigh, if we created a new table since we opened the database, + * the database handle will not see the new table, we need to close this + * database and reopen it. This is safe because we are holding the lock + * still. 
*/ + if (sqlerr == SQLITE_SCHEMA) { + sqlerr = sdb_reopenDBLocal(sdb_p, &sqlDB); + if (sqlerr != SQLITE_OK) { + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL); + } + if (sqlerr != SQLITE_OK) + goto loser; + sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC); + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + if (sqlerr == SQLITE_ROW) { + const char *blobData; + unsigned int len = item1->len; + item1->len = sqlite3_column_bytes(stmt, 1); + if (item1->len > len) { + error = CKR_BUFFER_TOO_SMALL; + continue; + } + blobData = sqlite3_column_blob(stmt, 1); + PORT_Memcpy(item1->data, blobData, item1->len); + if (item2) { + len = item2->len; + item2->len = sqlite3_column_bytes(stmt, 2); + if (item2->len > len) { + error = CKR_BUFFER_TOO_SMALL; + continue; + } + blobData = sqlite3_column_blob(stmt, 2); + PORT_Memcpy(item2->data, blobData, item2->len); + } + found = 1; + } + } while (!sdb_done(sqlerr, &retry)); + +loser: + /* fix up the error if necessary */ + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + if (!found && error == CKR_OK) { + error = CKR_OBJECT_HANDLE_INVALID; + } + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + UNLOCK_SQLITE() + + return error; +} + +static const char PW_CREATE_TABLE_CMD[] = + "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);"; +static const char PW_CREATE_CMD[] = + "INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);"; +static const char MD_CREATE_CMD[] = + "INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);"; + +CK_RV +sdb_PutMetaData(SDB *sdb, const char *id, const SECItem *item1, + const SECItem *item2) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = sdb_p->sqlXactDB; + sqlite3_stmt *stmt = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + int retry = 0; + 
const char *cmd = PW_CREATE_CMD; + + if ((sdb->sdb_flags & SDB_RDONLY) != 0) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + LOCK_SQLITE() + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + + if (!tableExists(sqlDB, "metaData")) { + sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL); + if (sqlerr != SQLITE_OK) + goto loser; + } + if (item2 == NULL) { + cmd = MD_CREATE_CMD; + } + sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL); + if (sqlerr != SQLITE_OK) + goto loser; + sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC); + if (sqlerr != SQLITE_OK) + goto loser; + sqlerr = sqlite3_bind_blob(stmt, 2, item1->data, item1->len, SQLITE_STATIC); + if (sqlerr != SQLITE_OK) + goto loser; + if (item2) { + sqlerr = sqlite3_bind_blob(stmt, 3, item2->data, + item2->len, SQLITE_STATIC); + if (sqlerr != SQLITE_OK) + goto loser; + } + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + } while (!sdb_done(sqlerr, &retry)); + +loser: + /* fix up the error if necessary */ + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + } + + if (stmt) { + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + UNLOCK_SQLITE() + + return error; +} + +static const char RESET_CMD[] = "DELETE FROM %s;"; +CK_RV +sdb_Reset(SDB *sdb) +{ + SDBPrivate *sdb_p = sdb->private; + sqlite3 *sqlDB = NULL; + char *newStr; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + + /* only Key databases can be reset */ + if (sdb_p->type != SDB_KEY) { + return CKR_OBJECT_HANDLE_INVALID; + } + + LOCK_SQLITE() + error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); + if (error != CKR_OK) { + goto loser; + } + + if (tableExists(sqlDB, sdb_p->table)) { + /* delete the contents of the key table */ + newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + 
sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + + if (sqlerr != SQLITE_OK) + goto loser; + } + + /* delete the password entry table */ + sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;", + NULL, 0, NULL); + +loser: + /* fix up the error if necessary */ + if (error == CKR_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + } + + if (sqlDB) { + sdb_closeDBLocal(sdb_p, sqlDB); + } + + UNLOCK_SQLITE() + return error; +} + +CK_RV +sdb_Close(SDB *sdb) +{ + SDBPrivate *sdb_p = sdb->private; + int sqlerr = SQLITE_OK; + sdbDataType type = sdb_p->type; + + sqlerr = sqlite3_close(sdb_p->sqlReadDB); + PORT_Free(sdb_p->sqlDBName); + if (sdb_p->cacheTable) { + sqlite3_free(sdb_p->cacheTable); + } + if (sdb_p->dbMon) { + PR_DestroyMonitor(sdb_p->dbMon); + } + free(sdb_p->schemaAttrs); + free(sdb_p); + free(sdb); + return sdb_mapSQLError(type, sqlerr); +} + +/* + * functions to support open + */ + +static const char CHECK_TABLE_CMD[] = "SELECT ALL * FROM %s LIMIT 0;"; + +/* return 1 if sqlDB contains table 'tableName */ +static int +tableExists(sqlite3 *sqlDB, const char *tableName) +{ + char *cmd = sqlite3_mprintf(CHECK_TABLE_CMD, tableName); + int sqlerr = SQLITE_OK; + + if (cmd == NULL) { + return 0; + } + + sqlerr = sqlite3_exec(sqlDB, cmd, NULL, 0, 0); + sqlite3_free(cmd); + + return (sqlerr == SQLITE_OK) ? 1 : 0; +} + +void +sdb_SetForkState(PRBool forked) +{ + /* XXXright now this is a no-op. The global fork state in the softokn3 + * shared library is already taken care of at the PKCS#11 level. 
+ * If and when we add fork state to the sqlite shared library and extern + * interface, we will need to set it and reset it from here */ +} + +static int +sdb_attributeComparator(const void *a, const void *b) +{ + if (*(CK_ATTRIBUTE_TYPE *)a < *(CK_ATTRIBUTE_TYPE *)b) { + return -1; + } + if (*(CK_ATTRIBUTE_TYPE *)a > *(CK_ATTRIBUTE_TYPE *)b) { + return 1; + } + return 0; +} + +/* + * initialize a single database + */ +static const char INIT_CMD[] = + "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)"; + +CK_RV +sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, + int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb) +{ + int i; + char *initStr = NULL; + char *newStr; + char *queryStr = NULL; + int inTransaction = 0; + SDB *sdb = NULL; + SDBPrivate *sdb_p = NULL; + sqlite3 *sqlDB = NULL; + int sqlerr = SQLITE_OK; + CK_RV error = CKR_OK; + char *cacheTable = NULL; + PRIntervalTime now = 0; + char *env; + PRBool enableCache = PR_FALSE; + PRBool checkFSType = PR_FALSE; + PRBool measureSpeed = PR_FALSE; + PRBool create; + int flags = inFlags & 0x7; + + *pSdb = NULL; + *inUpdate = 0; + + /* sqlite3 doesn't have a flag to specify that we want to + * open the database read only. If the db doesn't exist, + * sqlite3 will always create it. + */ + LOCK_SQLITE(); + create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS); + if ((flags == SDB_RDONLY) && create) { + error = sdb_mapSQLError(type, SQLITE_CANTOPEN); + goto loser; + } + sqlerr = sdb_openDB(dbname, &sqlDB, flags); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + + /* + * SQL created the file, but it doesn't set appropriate modes for + * a database. + * + * NO NSPR call for chmod? 
:( + */ + if (create && sdb_chmod(dbname, 0600) != 0) { + error = sdb_mapSQLError(type, SQLITE_CANTOPEN); + goto loser; + } + + if (flags != SDB_RDONLY) { + sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + inTransaction = 1; + } + if (!tableExists(sqlDB, table)) { + *newInit = 1; + if (flags != SDB_CREATE) { + error = sdb_mapSQLError(type, SQLITE_CANTOPEN); + goto loser; + } + initStr = sqlite3_mprintf(""); + for (i = 0; initStr && i < known_attributes_size; i++) { + newStr = sqlite3_mprintf("%s, a%x", initStr, known_attributes[i]); + sqlite3_free(initStr); + initStr = newStr; + } + if (initStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + + newStr = sqlite3_mprintf(INIT_CMD, table, initStr); + sqlite3_free(initStr); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + + newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + + newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + + newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + + newStr = 
sqlite3_mprintf(CREATE_ID_INDEX_CMD, table); + if (newStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); + sqlite3_free(newStr); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(type, sqlerr); + goto loser; + } + } + /* + * detect the case where we have created the database, but have + * not yet updated it. + * + * We only check the Key database because only the key database has + * a metaData table. The metaData table is created when a password + * is set, or in the case of update, when a password is supplied. + * If no key database exists, then the update would have happened immediately + * on noticing that the cert database didn't exist (see newInit set above). + */ + if (type == SDB_KEY && !tableExists(sqlDB, "metaData")) { + *newInit = 1; + } + + /* access to network filesystems are significantly slower than local ones + * for database operations. In those cases we need to create a cached copy + * of the database in a temporary location on the local disk. SQLITE + * already provides a way to create a temporary table and initialize it, + * so we use it for the cache (see sdb_buildCache for how it's done).*/ + + /* + * we decide whether or not to use the cache based on the following input. + * + * NSS_SDB_USE_CACHE environment variable is set to anything other than + * "yes" or "no" (for instance, "auto"): NSS will measure the performance + * of access to the temp database versus the access to the user's + * passed-in database location. If the temp database location is + * "significantly" faster we will use the cache. + * + * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no": + * cache will not be used. + * + * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will + * always be used. + * + * It is expected that most applications will not need this feature, and + * thus it is disabled by default. 
+ */ + + env = PR_GetEnvSecure("NSS_SDB_USE_CACHE"); + + /* Variables enableCache, checkFSType, measureSpeed are PR_FALSE by default, + * which is the expected behavior for NSS_SDB_USE_CACHE="no". + * We don't need to check for "no" here. */ + if (!env) { + /* By default, with no variable set, we avoid expensive measuring for + * most FS types. We start with inexpensive FS type checking, and + * might perform measuring for some types. */ + checkFSType = PR_TRUE; + } else if (PORT_Strcasecmp(env, "yes") == 0) { + enableCache = PR_TRUE; + } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */ + measureSpeed = PR_TRUE; + } + + if (checkFSType) { +#if defined(LINUX) && !defined(ANDROID) + struct statfs statfs_s; + if (statfs(dbname, &statfs_s) == 0) { + switch (statfs_s.f_type) { + case SMB_SUPER_MAGIC: + case 0xff534d42: /* CIFS_MAGIC_NUMBER */ + case NFS_SUPER_MAGIC: + /* We assume these are slow. */ + enableCache = PR_TRUE; + break; + case CODA_SUPER_MAGIC: + case 0x65735546: /* FUSE_SUPER_MAGIC */ + case NCP_SUPER_MAGIC: + /* It's uncertain if this FS is fast or slow. + * It seems reasonable to perform slow measuring for users + * with questionable FS speed. */ + measureSpeed = PR_TRUE; + break; + case AFS_SUPER_MAGIC: /* Already implements caching. */ + default: + break; + } + } +#endif + } + + if (measureSpeed) { + char *tempDir = NULL; + PRUint32 tempOps = 0; + /* + * Use PR_Access to determine how expensive it + * is to check for the existance of a local file compared to the same + * check in the temp directory. If the temp directory is faster, cache + * the database there. */ + tempDir = sdb_getTempDir(sqlDB); + if (tempDir) { + tempOps = sdb_measureAccess(tempDir); + PORT_Free(tempDir); + + /* There is a cost to continually copying the database. 
+ * Account for that cost with the arbitrary factor of 10 */ + enableCache = (PRBool)(tempOps > accessOps * 10); + } + } + + if (enableCache) { + /* try to set the temp store to memory.*/ + sqlite3_exec(sqlDB, "PRAGMA temp_store=MEMORY", NULL, 0, NULL); + /* Failure to set the temp store to memory is not fatal, + * ignore the error */ + + cacheTable = sqlite3_mprintf("%sCache", table); + if (cacheTable == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + /* build the cache table */ + error = sdb_buildCache(sqlDB, type, cacheTable, table); + if (error != CKR_OK) { + goto loser; + } + /* initialize the last cache build time */ + now = PR_IntervalNow(); + } + + sdb = (SDB *)malloc(sizeof(SDB)); + if (!sdb) { + error = CKR_HOST_MEMORY; + goto loser; + } + sdb_p = (SDBPrivate *)malloc(sizeof(SDBPrivate)); + if (!sdb_p) { + error = CKR_HOST_MEMORY; + goto loser; + } + + /* Cache the attributes that are held in the table, so we can later check + * that queried attributes actually exist. We don't assume the schema + * to be exactly |known_attributes|, as it may change over time. */ + sdb_p->schemaAttrs = NULL; + if (!PORT_Strcmp("nssPublic", table) || + !PORT_Strcmp("nssPrivate", table)) { + sqlite3_stmt *stmt = NULL; + int retry = 0; + unsigned int backedAttrs = 0; + + /* Can't bind parameters to a PRAGMA. 
*/ + queryStr = sqlite3_mprintf("PRAGMA table_info(%s);", table); + if (queryStr == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + sqlerr = sqlite3_prepare_v2(sqlDB, queryStr, -1, &stmt, NULL); + sqlite3_free(queryStr); + queryStr = NULL; + if (sqlerr != SQLITE_OK) { + goto loser; + } + unsigned int schemaAttrsCapacity = known_attributes_size; + sdb_p->schemaAttrs = malloc(schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE)); + if (!sdb_p->schemaAttrs) { + error = CKR_HOST_MEMORY; + goto loser; + } + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); + } + if (sqlerr == SQLITE_ROW) { + if (backedAttrs == schemaAttrsCapacity) { + schemaAttrsCapacity += known_attributes_size; + sdb_p->schemaAttrs = realloc(sdb_p->schemaAttrs, + schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE)); + if (!sdb_p->schemaAttrs) { + error = CKR_HOST_MEMORY; + goto loser; + } + } + /* Record the ULONG attribute value. */ + char *val = (char *)sqlite3_column_text(stmt, 1); + if (val && val[0] == 'a') { + CK_ATTRIBUTE_TYPE attr = strtoul(&val[1], NULL, 16); + sdb_p->schemaAttrs[backedAttrs++] = attr; + } + } + } while (!sdb_done(sqlerr, &retry)); + + if (sqlerr != SQLITE_DONE) { + goto loser; + } + sqlerr = sqlite3_reset(stmt); + if (sqlerr != SQLITE_OK) { + goto loser; + } + sqlerr = sqlite3_finalize(stmt); + if (sqlerr != SQLITE_OK) { + goto loser; + } + + sdb_p->numSchemaAttrs = backedAttrs; + + /* Sort these once so we can shortcut invalid attribute searches. */ + qsort(sdb_p->schemaAttrs, sdb_p->numSchemaAttrs, + sizeof(CK_ATTRIBUTE_TYPE), sdb_attributeComparator); + } + + /* invariant fields */ + sdb_p->sqlDBName = PORT_Strdup(dbname); + sdb_p->type = type; + sdb_p->table = table; + sdb_p->cacheTable = cacheTable; + sdb_p->lastUpdateTime = now; + /* set the cache delay time. This is how long we will wait before we + * decide the existing cache is stale. 
Currently set to 10 sec */ + sdb_p->updateInterval = PR_SecondsToInterval(10); + sdb_p->dbMon = PR_NewMonitor(); + /* these fields are protected by the lock */ + sdb_p->sqlXactDB = NULL; + sdb_p->sqlXactThread = NULL; + sdb->private = sdb_p; + sdb->version = 1; + sdb->sdb_flags = inFlags | SDB_HAS_META; + sdb->app_private = NULL; + sdb->sdb_FindObjectsInit = sdb_FindObjectsInit; + sdb->sdb_FindObjects = sdb_FindObjects; + sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal; + sdb->sdb_GetAttributeValue = sdb_GetAttributeValue; + sdb->sdb_SetAttributeValue = sdb_SetAttributeValue; + sdb->sdb_CreateObject = sdb_CreateObject; + sdb->sdb_DestroyObject = sdb_DestroyObject; + sdb->sdb_GetMetaData = sdb_GetMetaData; + sdb->sdb_PutMetaData = sdb_PutMetaData; + sdb->sdb_DestroyMetaData = sdb_DestroyMetaData; + sdb->sdb_Begin = sdb_Begin; + sdb->sdb_Commit = sdb_Commit; + sdb->sdb_Abort = sdb_Abort; + sdb->sdb_Reset = sdb_Reset; + sdb->sdb_Close = sdb_Close; + sdb->sdb_SetForkState = sdb_SetForkState; + sdb->sdb_GetNewObjectID = sdb_GetNewObjectID; + + if (inTransaction) { + sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL); + if (sqlerr != SQLITE_OK) { + error = sdb_mapSQLError(sdb_p->type, sqlerr); + goto loser; + } + inTransaction = 0; + } + + sdb_p->sqlReadDB = sqlDB; + + *pSdb = sdb; + UNLOCK_SQLITE(); + return CKR_OK; + +loser: + /* lots of stuff to do */ + if (inTransaction) { + sqlite3_exec(sqlDB, ROLLBACK_CMD, NULL, 0, NULL); + } + if (sdb) { + free(sdb); + } + if (sdb_p) { + if (sdb_p->schemaAttrs) { + free(sdb_p->schemaAttrs); + } + free(sdb_p); + } + if (sqlDB) { + sqlite3_close(sqlDB); + } + UNLOCK_SQLITE(); + return error; +} + +/* sdbopen */ +CK_RV +s_open(const char *directory, const char *certPrefix, const char *keyPrefix, + int cert_version, int key_version, int flags, + SDB **certdb, SDB **keydb, int *newInit) +{ + char *cert = sdb_BuildFileName(directory, certPrefix, + "cert", cert_version); + char *key = sdb_BuildFileName(directory, keyPrefix, + 
"key", key_version); + CK_RV error = CKR_OK; + int inUpdate; + PRUint32 accessOps; + + if (certdb) + *certdb = NULL; + if (keydb) + *keydb = NULL; + *newInit = 0; + +#ifdef SQLITE_UNSAFE_THREADS + if (sqlite_lock == NULL) { + sqlite_lock = PR_NewLock(); + if (sqlite_lock == NULL) { + error = CKR_HOST_MEMORY; + goto loser; + } + } +#endif + + /* how long does it take to test for a non-existant file in our working + * directory? Allows us to test if we may be on a network file system */ + accessOps = 1; + { + char *env; + env = PR_GetEnvSecure("NSS_SDB_USE_CACHE"); + /* If the environment variable is undefined or set to yes or no, + * sdb_init() will ignore the value of accessOps, and we can skip the + * measuring.*/ + if (env && PORT_Strcasecmp(env, "no") != 0 && + PORT_Strcasecmp(env, "yes") != 0) { + accessOps = sdb_measureAccess(directory); + } + } + + /* + * open the cert data base + */ + if (certdb) { + /* initialize Certificate database */ + error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate, + newInit, flags, accessOps, certdb); + if (error != CKR_OK) { + goto loser; + } + } + + /* + * open the key data base: + * NOTE:if we want to implement a single database, we open + * the same database file as the certificate here. + * + * cert an key db's have different tables, so they will not + * conflict. 
+ */
+ if (keydb) {
+ /* initialize the Key database */
+ error = sdb_init(key, "nssPrivate", SDB_KEY, &inUpdate,
+ newInit, flags, accessOps, keydb);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ }
+
+loser:
+ if (cert) {
+ sqlite3_free(cert);
+ }
+ if (key) {
+ sqlite3_free(key);
+ }
+
+ if (error != CKR_OK) {
+ /* currently redundant, but could be necessary if more code is added
+ * just before loser */
+ if (keydb && *keydb) {
+ sdb_Close(*keydb);
+ }
+ if (certdb && *certdb) {
+ sdb_Close(*certdb);
+ }
+ }
+
+ return error;
+}
+
+CK_RV
+s_shutdown()
+{
+#ifdef SQLITE_UNSAFE_THREADS
+ if (sqlite_lock) {
+ PR_DestroyLock(sqlite_lock);
+ sqlite_lock = NULL;
+ }
+#endif
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h
new file mode 100644
index 0000000000..931be826ce
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.h
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+
+/*
+ * the following data structures should be moved to a 'rdb.h'.
+ */
+
+#ifndef _SDB_H
+#define _SDB_H 1
+#include "pkcs11t.h"
+#include "secitem.h"
+#include "sftkdbt.h"
+
+#define STATIC_CMD_SIZE 2048
+
+typedef struct SDBFindStr SDBFind;
+typedef struct SDBStr SDB;
+
+struct SDBStr {
+ void *private;
+ int version;
+ int reserved;
+ int sdb_flags;
+ void *app_private;
+ CK_RV(*sdb_FindObjectsInit)
+ (SDB *sdb, const CK_ATTRIBUTE *template,
+ CK_ULONG count, SDBFind **find);
+ CK_RV(*sdb_FindObjects)
+ (SDB *sdb, SDBFind *find, CK_OBJECT_HANDLE *ids,
+ CK_ULONG arraySize, CK_ULONG *count);
+ CK_RV(*sdb_FindObjectsFinal)
+ (SDB *sdb, SDBFind *find);
+ CK_RV(*sdb_GetAttributeValue)
+ (SDB *sdb, CK_OBJECT_HANDLE object,
+ CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_SetAttributeValue)
+ (SDB *sdb, CK_OBJECT_HANDLE object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_CreateObject)
+ (SDB *sdb, CK_OBJECT_HANDLE *object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_DestroyObject)
+ (SDB *sdb, CK_OBJECT_HANDLE object);
+ CK_RV(*sdb_GetMetaData)
+ (SDB *sdb, const char *id,
+ SECItem *item1, SECItem *item2);
+ CK_RV(*sdb_PutMetaData)
+ (SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2);
+ CK_RV(*sdb_Begin)
+ (SDB *sdb);
+ CK_RV(*sdb_Commit)
+ (SDB *sdb);
+ CK_RV(*sdb_Abort)
+ (SDB *sdb);
+ CK_RV(*sdb_Reset)
+ (SDB *sdb);
+ CK_RV(*sdb_Close)
+ (SDB *sdb);
+ void (*sdb_SetForkState)(PRBool forked);
+ CK_RV(*sdb_GetNewObjectID)
+ (SDB *db, CK_OBJECT_HANDLE *object);
+ CK_RV(*sdb_DestroyMetaData)
+ (SDB *db, const char *id);
+};
+
+CK_RV s_open(const char *directory, const char *certPrefix,
+ const char *keyPrefix,
+ int cert_version, int key_version,
+ int flags, SDB **certdb, SDB **keydb, int *newInit);
+CK_RV s_shutdown();
+
+#if defined(_WIN32)
+wchar_t *sdb_UTF8ToWide(const char *buf);
+#endif
+
+/* flags */
+#define SDB_RDONLY 1
+#define SDB_RDWR 2
+#define SDB_CREATE 4
+#define SDB_HAS_META 8
+#define SDB_FIPS 0x10
+
+#endif
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
new file mode 100644
index 0000000000..8827902ca3
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -0,0 +1,3047 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ * SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "pkcs11t.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h"
+#include "pratom.h"
+#include "lgglue.h"
+#include "utilpars.h"
+#include "secerr.h"
+#include "softoken.h"
+#if defined(_WIN32)
+#include
+#endif
+
+/*
+ * We want all databases to have the same binary representation independent of
+ * endianness or length of the host architecture. In general PKCS #11 attributes
+ * are endian/length independent except those attributes that pass CK_ULONG.
+ *
+ * The following functions fixes up the CK_ULONG type attributes so that the data
+ * base sees a machine independent view. CK_ULONGs are stored as 4 byte network
+ * byte order values (big endian).
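Review bot: `CK_RV s_shutdown();` near the end of the hunk declares the function without a prototype, so under C11 a caller that passes arguments is not diagnosed; it should read `CK_RV s_shutdown(void);`, and the definition `s_shutdown()` in the sdb.c hunk above should be changed to match. The SDB function-pointer table carries no documentation, and the sdb_GetMetaData contract is the one callers most need: the sdb.c implementation sets item1->len (and item2->len) to the stored size and fails with CKR_BUFFER_TOO_SMALL when the caller's buffer is shorter, so a comment on that member such as `/* item1/item2 are caller-allocated; len is updated to the stored size, CKR_BUFFER_TOO_SMALL if the buffer is shorter */` would save readers a trip into sdb.c. For the same reason a one-line comment on sdb_Reset noting that only SDB_KEY databases can be reset (other types return CKR_OBJECT_HANDLE_INVALID) is worth adding here, since that restriction is only visible in the implementation.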
+ */ +#define BBP 8 + +PRBool +sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type) +{ + switch (type) { + case CKA_CERTIFICATE_CATEGORY: + case CKA_CERTIFICATE_TYPE: + case CKA_CLASS: + case CKA_JAVA_MIDP_SECURITY_DOMAIN: + case CKA_KEY_GEN_MECHANISM: + case CKA_KEY_TYPE: + case CKA_MECHANISM_TYPE: + case CKA_MODULUS_BITS: + case CKA_PRIME_BITS: + case CKA_SUBPRIME_BITS: + case CKA_VALUE_BITS: + case CKA_VALUE_LEN: + + case CKA_TRUST_DIGITAL_SIGNATURE: + case CKA_TRUST_NON_REPUDIATION: + case CKA_TRUST_KEY_ENCIPHERMENT: + case CKA_TRUST_DATA_ENCIPHERMENT: + case CKA_TRUST_KEY_AGREEMENT: + case CKA_TRUST_KEY_CERT_SIGN: + case CKA_TRUST_CRL_SIGN: + + case CKA_TRUST_SERVER_AUTH: + case CKA_TRUST_CLIENT_AUTH: + case CKA_TRUST_CODE_SIGNING: + case CKA_TRUST_EMAIL_PROTECTION: + case CKA_TRUST_IPSEC_END_SYSTEM: + case CKA_TRUST_IPSEC_TUNNEL: + case CKA_TRUST_IPSEC_USER: + case CKA_TRUST_TIME_STAMPING: + case CKA_TRUST_STEP_UP_APPROVED: + return PR_TRUE; + default: + break; + } + return PR_FALSE; +} + +/* are the attributes private? */ +static PRBool +sftkdb_isPrivateAttribute(CK_ATTRIBUTE_TYPE type) +{ + switch (type) { + case CKA_VALUE: + case CKA_PRIVATE_EXPONENT: + case CKA_PRIME_1: + case CKA_PRIME_2: + case CKA_EXPONENT_1: + case CKA_EXPONENT_2: + case CKA_COEFFICIENT: + return PR_TRUE; + default: + break; + } + return PR_FALSE; +} + +/* These attributes must be authenticated with an hmac. */ +static PRBool +sftkdb_isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type) +{ + switch (type) { + case CKA_MODULUS: + case CKA_PUBLIC_EXPONENT: + case CKA_CERT_SHA1_HASH: + case CKA_CERT_MD5_HASH: + case CKA_TRUST_SERVER_AUTH: + case CKA_TRUST_CLIENT_AUTH: + case CKA_TRUST_EMAIL_PROTECTION: + case CKA_TRUST_CODE_SIGNING: + case CKA_TRUST_STEP_UP_APPROVED: + case CKA_NSS_OVERRIDE_EXTENSIONS: + return PR_TRUE; + default: + break; + } + return PR_FALSE; +} +/* + * convert a native ULONG to a database ulong. Database ulong's + * are all 4 byte big endian values. 
+ */ +void +sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value) +{ + int i; + + for (i = 0; i < SDB_ULONG_SIZE; i++) { + data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff; + } +} + +/* + * convert a database ulong back to a native ULONG. (reverse of the above + * function). + */ +static CK_ULONG +sftk_SDBULong2ULong(unsigned char *data) +{ + int i; + CK_ULONG value = 0; + + for (i = 0; i < SDB_ULONG_SIZE; i++) { + value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP); + } + return value; +} + +/* certain trust records are default values, which are the values + * returned if the signature check fails anyway. + * In those cases, we can skip the signature check. */ +PRBool +sftkdb_isNullTrust(const CK_ATTRIBUTE *template) +{ + switch (template->type) { + case CKA_TRUST_SERVER_AUTH: + case CKA_TRUST_CLIENT_AUTH: + case CKA_TRUST_EMAIL_PROTECTION: + case CKA_TRUST_CODE_SIGNING: + if (template->ulValueLen != SDB_ULONG_SIZE) { + break; + } + if (sftk_SDBULong2ULong(template->pValue) == + CKT_NSS_TRUST_UNKNOWN) { + return PR_TRUE; + } + break; + case CKA_TRUST_STEP_UP_APPROVED: + if (template->ulValueLen != 1) { + break; + } + if (*((unsigned char *)(template->pValue)) == 0) { + return PR_TRUE; + } + break; + default: + break; + } + return PR_FALSE; +} + +/* + * fix up the input templates. Our fixed up ints are stored in data and must + * be freed by the caller. The new template must also be freed. If there are no + * CK_ULONG attributes, the orignal template is passed in as is. 
+ */ +static CK_ATTRIBUTE * +sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count, + unsigned char **dataOut, int *dataOutSize) +{ + int i; + int ulongCount = 0; + unsigned char *data; + CK_ATTRIBUTE *ntemplate; + + *dataOut = NULL; + *dataOutSize = 0; + + /* first count the number of CK_ULONG attributes */ + for (i = 0; i < count; i++) { + /* Don't 'fixup' NULL values */ + if (!template[i].pValue) { + continue; + } + if (template[i].ulValueLen == sizeof(CK_ULONG)) { + if (sftkdb_isULONGAttribute(template[i].type)) { + ulongCount++; + } + } + } + /* no attributes to fixup, just call on through */ + if (ulongCount == 0) { + return (CK_ATTRIBUTE *)template; + } + + /* allocate space for new ULONGS */ + data = (unsigned char *)PORT_Alloc(SDB_ULONG_SIZE * ulongCount); + if (!data) { + return NULL; + } + + /* allocate new template */ + ntemplate = PORT_NewArray(CK_ATTRIBUTE, count); + if (!ntemplate) { + PORT_Free(data); + return NULL; + } + *dataOut = data; + *dataOutSize = SDB_ULONG_SIZE * ulongCount; + /* copy the old template, fixup the actual ulongs */ + for (i = 0; i < count; i++) { + ntemplate[i] = template[i]; + /* Don't 'fixup' NULL values */ + if (!template[i].pValue) { + continue; + } + if (template[i].ulValueLen == sizeof(CK_ULONG)) { + if (sftkdb_isULONGAttribute(template[i].type)) { + CK_ULONG value = *(CK_ULONG *)template[i].pValue; + sftk_ULong2SDBULong(data, value); + ntemplate[i].pValue = data; + ntemplate[i].ulValueLen = SDB_ULONG_SIZE; + data += SDB_ULONG_SIZE; + } + } + } + return ntemplate; +} + +static const char SFTKDB_META_SIG_TEMPLATE[] = "sig_%s_%08x_%08x"; + +/* + * return a string describing the database type (key or cert) + */ +const char * +sftkdb_TypeString(SFTKDBHandle *handle) +{ + return (handle->type == SFTK_KEYDB_TYPE) ? "key" : "cert"; +} + +/* + * Some attributes are signed with an Hmac and a pbe key generated from + * the password. 
This signature is stored indexed by object handle and + * attribute type in the meta data table in the key database. + * + * Signature entries are indexed by the string + * sig_[cert/key]_{ObjectID}_{Attribute} + * + * This function fetches that pkcs5 signature. Caller supplies a SECItem + * pre-allocated to the appropriate size if the SECItem is too small the + * function will fail with CKR_BUFFER_TOO_SMALL. + */ +static CK_RV +sftkdb_getRawAttributeSignature(SFTKDBHandle *handle, SDB *db, + CK_OBJECT_HANDLE objectID, + CK_ATTRIBUTE_TYPE type, + SECItem *signText) +{ + char id[30]; + CK_RV crv; + + snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); + + crv = (*db->sdb_GetMetaData)(db, id, signText, NULL); + return crv; +} + +CK_RV +sftkdb_GetAttributeSignature(SFTKDBHandle *handle, SFTKDBHandle *keyHandle, + CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type, + SECItem *signText) +{ + SDB *db = SFTK_GET_SDB(keyHandle); + return sftkdb_getRawAttributeSignature(handle, db, objectID, type, signText); +} + +CK_RV +sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db, + CK_OBJECT_HANDLE objectID, + CK_ATTRIBUTE_TYPE type) +{ + char id[30]; + CK_RV crv; + + snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); + + crv = (*db->sdb_DestroyMetaData)(db, id); + return crv; +} + +/* + * Some attributes are signed with an Hmac and a pbe key generated from + * the password. This signature is stored indexed by object handle and + * attribute type in the meta data table in the key database. + * + * Signature entries are indexed by the string + * sig_[cert/key]_{ObjectID}_{Attribute} + * + * This function stores that pkcs5 signature. 
+ */ +CK_RV +sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget, + CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type, + SECItem *signText) +{ + char id[30]; + CK_RV crv; + + snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE, + sftkdb_TypeString(handle), + (unsigned int)objectID, (unsigned int)type); + + crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL); + return crv; +} + +/* + * fix up returned data. NOTE: sftkdb_fixupTemplateIn has already allocated + * separate data sections for the database ULONG values. + */ +static CK_RV +sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID, + CK_ATTRIBUTE *ntemplate, int count, SFTKDBHandle *handle) +{ + int i; + CK_RV crv = CKR_OK; + SFTKDBHandle *keyHandle; + PRBool checkSig = PR_TRUE; + PRBool checkEnc = PR_TRUE; + + PORT_Assert(handle); + + /* find the key handle */ + keyHandle = handle; + if (handle->type != SFTK_KEYDB_TYPE) { + checkEnc = PR_FALSE; + keyHandle = handle->peerDB; + } + + if ((keyHandle == NULL) || + ((SFTK_GET_SDB(keyHandle)->sdb_flags & SDB_HAS_META) == 0) || + (sftkdb_PWCached(keyHandle) != SECSuccess)) { + checkSig = PR_FALSE; + } + + for (i = 0; i < count; i++) { + CK_ULONG length = template[i].ulValueLen; + template[i].ulValueLen = ntemplate[i].ulValueLen; + /* fixup ulongs */ + if (ntemplate[i].ulValueLen == SDB_ULONG_SIZE) { + if (sftkdb_isULONGAttribute(template[i].type)) { + if (template[i].pValue) { + CK_ULONG value; + + value = sftk_SDBULong2ULong(ntemplate[i].pValue); + if (length < sizeof(CK_ULONG)) { + template[i].ulValueLen = -1; + crv = CKR_BUFFER_TOO_SMALL; + continue; + } + PORT_Memcpy(template[i].pValue, &value, sizeof(CK_ULONG)); + } + template[i].ulValueLen = sizeof(CK_ULONG); + } + } + + /* if no data was retrieved, no need to process encrypted or signed + * attributes */ + if ((template[i].pValue == NULL) || (template[i].ulValueLen == -1)) { + continue; + } + + /* fixup private attributes */ + if (checkEnc && 
sftkdb_isPrivateAttribute(ntemplate[i].type)) { + /* we have a private attribute */ + /* This code depends on the fact that the cipherText is bigger + * than the plain text */ + SECItem cipherText; + SECItem *plainText; + SECStatus rv; + + cipherText.data = ntemplate[i].pValue; + cipherText.len = ntemplate[i].ulValueLen; + PZ_Lock(handle->passwordLock); + if (handle->passwordKey.data == NULL) { + PZ_Unlock(handle->passwordLock); + template[i].ulValueLen = -1; + crv = CKR_USER_NOT_LOGGED_IN; + continue; + } + rv = sftkdb_DecryptAttribute(handle, + &handle->passwordKey, + objectID, + ntemplate[i].type, + &cipherText, &plainText); + PZ_Unlock(handle->passwordLock); + if (rv != SECSuccess) { + PORT_Memset(template[i].pValue, 0, template[i].ulValueLen); + template[i].ulValueLen = -1; + crv = CKR_GENERAL_ERROR; + continue; + } + PORT_Assert(template[i].ulValueLen >= plainText->len); + if (template[i].ulValueLen < plainText->len) { + SECITEM_ZfreeItem(plainText, PR_TRUE); + PORT_Memset(template[i].pValue, 0, template[i].ulValueLen); + template[i].ulValueLen = -1; + crv = CKR_GENERAL_ERROR; + continue; + } + + /* copy the plain text back into the template */ + PORT_Memcpy(template[i].pValue, plainText->data, plainText->len); + template[i].ulValueLen = plainText->len; + SECITEM_ZfreeItem(plainText, PR_TRUE); + } + /* make sure signed attributes are valid */ + if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type) && !sftkdb_isNullTrust(&ntemplate[i])) { + SECStatus rv; + CK_RV local_crv; + SECItem signText; + SECItem plainText; + unsigned char signData[SDB_MAX_META_DATA_LEN]; + + signText.data = signData; + signText.len = sizeof(signData); + + /* Use a local variable so that we don't clobber any already + * set error. 
This function returns either CKR_OK or the last + * found error in the template */ + local_crv = sftkdb_GetAttributeSignature(handle, keyHandle, + objectID, + ntemplate[i].type, + &signText); + if (local_crv != CKR_OK) { + PORT_Memset(template[i].pValue, 0, template[i].ulValueLen); + template[i].ulValueLen = -1; + crv = local_crv; + continue; + } + + plainText.data = ntemplate[i].pValue; + plainText.len = ntemplate[i].ulValueLen; + + /* + * we do a second check holding the lock just in case the user + * loggout while we were trying to get the signature. + */ + PZ_Lock(keyHandle->passwordLock); + if (keyHandle->passwordKey.data == NULL) { + /* if we are no longer logged in, no use checking the other + * Signatures either. */ + checkSig = PR_FALSE; + PZ_Unlock(keyHandle->passwordLock); + continue; + } + + rv = sftkdb_VerifyAttribute(keyHandle, + &keyHandle->passwordKey, + objectID, ntemplate[i].type, + &plainText, &signText); + PZ_Unlock(keyHandle->passwordLock); + if (rv != SECSuccess) { + PORT_Memset(template[i].pValue, 0, template[i].ulValueLen); + template[i].ulValueLen = -1; + crv = CKR_SIGNATURE_INVALID; /* better error code? */ + } + /* This Attribute is fine */ + } + } + return crv; +} + +/* + * Some attributes are signed with an HMAC and a pbe key generated from + * the password. This signature is stored indexed by object handle and + * + * Those attributes are: + * 1) Trust object hashes and trust values. + * 2) public key values. + * + * Certs themselves are considered properly authenticated by virtue of their + * signature, or their matching hash with the trust object. + * + * These signature is only checked for objects coming from shared databases. + * Older dbm style databases have such no signature checks. HMACs are also + * only checked when the token is logged in, as it requires a pbe generated + * from the password. + * + * Tokens which have no key database (and therefore no master password) do not + * have any stored signature values. 
Signature values are stored in the key + * database, since the signature data is tightly coupled to the key database + * password. + * + * This function takes a template of attributes that were either created or + * modified. These attributes are checked to see if the need to be signed. + * If they do, then this function signs the attributes and writes them + * to the meta data store. + * + * This function can fail if there are attributes that must be signed, but + * the token is not logged in. + * + * The caller is expected to abort any transaction he was in in the + * event of a failure of this function. + */ +static CK_RV +sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle, + PRBool mayBeUpdateDB, + CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template, + CK_ULONG count) +{ + unsigned int i; + CK_RV crv; + SFTKDBHandle *keyHandle = handle; + SDB *keyTarget = NULL; + PRBool usingPeerDB = PR_FALSE; + PRBool inPeerDBTransaction = PR_FALSE; + + PORT_Assert(handle); + + if (handle->type != SFTK_KEYDB_TYPE) { + keyHandle = handle->peerDB; + usingPeerDB = PR_TRUE; + } + + /* no key DB defined? then no need to sign anything */ + if (keyHandle == NULL) { + crv = CKR_OK; + goto loser; + } + + /* When we are in a middle of an update, we have an update database set, + * but we want to write to the real database. The bool mayBeUpdateDB is + * set to TRUE if it's possible that we want to write an update database + * rather than a primary */ + keyTarget = (mayBeUpdateDB && keyHandle->update) ? keyHandle->update : keyHandle->db; + + /* skip the the database does not support meta data */ + if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) { + crv = CKR_OK; + goto loser; + } + + /* If we had to switch databases, we need to initialize a transaction. 
*/ + if (usingPeerDB) { + crv = (*keyTarget->sdb_Begin)(keyTarget); + if (crv != CKR_OK) { + goto loser; + } + inPeerDBTransaction = PR_TRUE; + } + + for (i = 0; i < count; i++) { + if (sftkdb_isAuthenticatedAttribute(template[i].type)) { + SECStatus rv; + SECItem *signText; + SECItem plainText; + + plainText.data = template[i].pValue; + plainText.len = template[i].ulValueLen; + PZ_Lock(keyHandle->passwordLock); + if (keyHandle->passwordKey.data == NULL) { + PZ_Unlock(keyHandle->passwordLock); + crv = CKR_USER_NOT_LOGGED_IN; + goto loser; + } + rv = sftkdb_SignAttribute(arena, keyHandle, keyTarget, + &keyHandle->passwordKey, + keyHandle->defaultIterationCount, + objectID, template[i].type, + &plainText, &signText); + PZ_Unlock(keyHandle->passwordLock); + if (rv != SECSuccess) { + crv = CKR_GENERAL_ERROR; /* better error code here? */ + goto loser; + } + crv = sftkdb_PutAttributeSignature(handle, keyTarget, objectID, + template[i].type, signText); + if (crv != CKR_OK) { + goto loser; + } + } + } + crv = CKR_OK; + + /* If necessary, commit the transaction */ + if (inPeerDBTransaction) { + crv = (*keyTarget->sdb_Commit)(keyTarget); + if (crv != CKR_OK) { + goto loser; + } + inPeerDBTransaction = PR_FALSE; + } + +loser: + if (inPeerDBTransaction) { + /* The transaction must have failed. Abort. 
*/ + (*keyTarget->sdb_Abort)(keyTarget); + PORT_Assert(crv != CKR_OK); + if (crv == CKR_OK) + crv = CKR_GENERAL_ERROR; + } + return crv; +} + +static CK_RV +sftkdb_CreateObject(PLArenaPool *arena, SFTKDBHandle *handle, + SDB *db, CK_OBJECT_HANDLE *objectID, + CK_ATTRIBUTE *template, CK_ULONG count) +{ + CK_RV crv; + + crv = (*db->sdb_CreateObject)(db, objectID, template, count); + if (crv != CKR_OK) { + goto loser; + } + crv = sftk_signTemplate(arena, handle, (db == handle->update), + *objectID, template, count); +loser: + + return crv; +} + +static CK_RV +sftkdb_fixupSignatures(SFTKDBHandle *handle, + SDB *db, CK_OBJECT_HANDLE oldID, CK_OBJECT_HANDLE newID, + CK_ATTRIBUTE *ptemplate, CK_ULONG max_attributes) +{ + unsigned int i; + CK_RV crv = CKR_OK; + + /* if we don't have a meta table, we didn't write any signature objects */ + if ((db->sdb_flags & SDB_HAS_META) == 0) { + return CKR_OK; + } + for (i = 0; i < max_attributes; i++) { + CK_ATTRIBUTE *att = &ptemplate[i]; + CK_ATTRIBUTE_TYPE type = att->type; + if (sftkdb_isPrivateAttribute(type)) { + /* move the signature from one object handle to another and delete + * the old entry */ + SECItem signature; + unsigned char signData[SDB_MAX_META_DATA_LEN]; + + signature.data = signData; + signature.len = sizeof(signData); + crv = sftkdb_getRawAttributeSignature(handle, db, oldID, type, + &signature); + if (crv != CKR_OK) { + /* NOTE: if we ever change our default write from AES_CBC + * to AES_KW, We'll need to change this to a continue as + * we won't need the integrity record for AES_KW */ + break; + } + crv = sftkdb_PutAttributeSignature(handle, db, newID, type, + &signature); + if (crv != CKR_OK) { + break; + } + /* now get rid of the old one */ + crv = sftkdb_DestroyAttributeSignature(handle, db, oldID, type); + if (crv != CKR_OK) { + break; + } + } + } + return crv; +} + +CK_ATTRIBUTE * +sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object, + SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID, + SDB *db, 
CK_ULONG *pcount, CK_RV *crv) +{ + unsigned int count; + CK_ATTRIBUTE *template; + unsigned int i, templateIndex; + SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object); + PRBool doEnc = PR_TRUE; + + *crv = CKR_OK; + + if (sessObject == NULL) { + *crv = CKR_GENERAL_ERROR; /* internal programming error */ + return NULL; + } + + PORT_Assert(handle); + /* find the key handle */ + if (handle->type != SFTK_KEYDB_TYPE) { + doEnc = PR_FALSE; + } + + PZ_Lock(sessObject->attributeLock); + count = 0; + for (i = 0; i < sessObject->hashSize; i++) { + SFTKAttribute *attr; + for (attr = sessObject->head[i]; attr; attr = attr->next) { + count++; + } + } + template = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, count); + if (template == NULL) { + PZ_Unlock(sessObject->attributeLock); + *crv = CKR_HOST_MEMORY; + return NULL; + } + templateIndex = 0; + for (i = 0; i < sessObject->hashSize; i++) { + SFTKAttribute *attr; + for (attr = sessObject->head[i]; attr; attr = attr->next) { + CK_ATTRIBUTE *tp = &template[templateIndex++]; + /* copy the attribute */ + *tp = attr->attrib; + + /* fixup ULONG s */ + if ((tp->ulValueLen == sizeof(CK_ULONG)) && + (sftkdb_isULONGAttribute(tp->type))) { + CK_ULONG value = *(CK_ULONG *)tp->pValue; + unsigned char *data; + + tp->pValue = PORT_ArenaAlloc(arena, SDB_ULONG_SIZE); + data = (unsigned char *)tp->pValue; + if (data == NULL) { + *crv = CKR_HOST_MEMORY; + break; + } + sftk_ULong2SDBULong(data, value); + tp->ulValueLen = SDB_ULONG_SIZE; + } + + /* encrypt private attributes */ + if (doEnc && sftkdb_isPrivateAttribute(tp->type)) { + /* we have a private attribute */ + SECItem *cipherText; + SECItem plainText; + SECStatus rv; + + plainText.data = tp->pValue; + plainText.len = tp->ulValueLen; + PZ_Lock(handle->passwordLock); + if (handle->passwordKey.data == NULL) { + PZ_Unlock(handle->passwordLock); + *crv = CKR_USER_NOT_LOGGED_IN; + break; + } + rv = sftkdb_EncryptAttribute(arena, handle, db, + &handle->passwordKey, + 
handle->defaultIterationCount, + objectID, + tp->type, + &plainText, &cipherText); + PZ_Unlock(handle->passwordLock); + if (rv == SECSuccess) { + tp->pValue = cipherText->data; + tp->ulValueLen = cipherText->len; + } else { + *crv = CKR_GENERAL_ERROR; /* better error code here? */ + break; + } + PORT_Memset(plainText.data, 0, plainText.len); + } + } + } + PORT_Assert(templateIndex <= count); + PZ_Unlock(sessObject->attributeLock); + + if (*crv != CKR_OK) { + return NULL; + } + if (pcount) { + *pcount = count; + } + return template; +} + +/* + * return a pointer to the attribute in the give template. + * The return value is not const, as the caller may modify + * the given attribute value, but such modifications will + * modify the actual value in the template. + */ +static CK_ATTRIBUTE * +sftkdb_getAttributeFromTemplate(CK_ATTRIBUTE_TYPE attribute, + CK_ATTRIBUTE *ptemplate, CK_ULONG len) +{ + CK_ULONG i; + + for (i = 0; i < len; i++) { + if (attribute == ptemplate[i].type) { + return &ptemplate[i]; + } + } + return NULL; +} + +static const CK_ATTRIBUTE * +sftkdb_getAttributeFromConstTemplate(CK_ATTRIBUTE_TYPE attribute, + const CK_ATTRIBUTE *ptemplate, CK_ULONG len) +{ + CK_ULONG i; + + for (i = 0; i < len; i++) { + if (attribute == ptemplate[i].type) { + return &ptemplate[i]; + } + } + return NULL; +} + +/* + * fetch a template which identifies 'unique' entries based on object type + */ +static CK_RV +sftkdb_getFindTemplate(CK_OBJECT_CLASS objectType, unsigned char *objTypeData, + CK_ATTRIBUTE *findTemplate, CK_ULONG *findCount, + CK_ATTRIBUTE *ptemplate, int len) +{ + CK_ATTRIBUTE *attr; + CK_ULONG count = 1; + + sftk_ULong2SDBULong(objTypeData, objectType); + findTemplate[0].type = CKA_CLASS; + findTemplate[0].pValue = objTypeData; + findTemplate[0].ulValueLen = SDB_ULONG_SIZE; + + switch (objectType) { + case CKO_CERTIFICATE: + case CKO_NSS_TRUST: + attr = sftkdb_getAttributeFromTemplate(CKA_ISSUER, ptemplate, len); + if (attr == NULL) { + return 
CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[1] = *attr; + attr = sftkdb_getAttributeFromTemplate(CKA_SERIAL_NUMBER, + ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[2] = *attr; + count = 3; + break; + + case CKO_PRIVATE_KEY: + case CKO_PUBLIC_KEY: + case CKO_SECRET_KEY: + attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + if (attr->ulValueLen == 0) { + /* key is too generic to determine that it's unique, usually + * happens in the key gen case */ + return CKR_OBJECT_HANDLE_INVALID; + } + + findTemplate[1] = *attr; + count = 2; + break; + + case CKO_NSS_CRL: + attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[1] = *attr; + count = 2; + break; + + case CKO_NSS_SMIME: + attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[1] = *attr; + attr = sftkdb_getAttributeFromTemplate(CKA_NSS_EMAIL, ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[2] = *attr; + count = 3; + break; + default: + attr = sftkdb_getAttributeFromTemplate(CKA_VALUE, ptemplate, len); + if (attr == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + findTemplate[1] = *attr; + count = 2; + break; + } + *findCount = count; + + return CKR_OK; +} + +/* + * look to see if this object already exists and return its object ID if + * it does. 
+ */ +static CK_RV +sftkdb_lookupObject(SDB *db, CK_OBJECT_CLASS objectType, + CK_OBJECT_HANDLE *id, CK_ATTRIBUTE *ptemplate, CK_ULONG len) +{ + CK_ATTRIBUTE findTemplate[3]; + CK_ULONG count = 1; + CK_ULONG objCount = 0; + SDBFind *find = NULL; + unsigned char objTypeData[SDB_ULONG_SIZE]; + CK_RV crv; + + *id = CK_INVALID_HANDLE; + if (objectType == CKO_NSS_CRL) { + return CKR_OK; + } + crv = sftkdb_getFindTemplate(objectType, objTypeData, + findTemplate, &count, ptemplate, len); + + if (crv == CKR_OBJECT_HANDLE_INVALID) { + /* key is too generic to determine that it's unique, usually + * happens in the key gen case, tell the caller to go ahead + * and just create it */ + return CKR_OK; + } + if (crv != CKR_OK) { + return crv; + } + + /* use the raw find, so we get the correct database */ + crv = (*db->sdb_FindObjectsInit)(db, findTemplate, count, &find); + if (crv != CKR_OK) { + return crv; + } + (*db->sdb_FindObjects)(db, find, id, 1, &objCount); + (*db->sdb_FindObjectsFinal)(db, find); + + if (objCount == 0) { + *id = CK_INVALID_HANDLE; + } + return CKR_OK; +} + +/* + * check to see if this template conflicts with others in our current database. + */ +static CK_RV +sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType, + const CK_ATTRIBUTE *ptemplate, CK_ULONG len, + CK_OBJECT_HANDLE sourceID) +{ + CK_ATTRIBUTE findTemplate[2]; + unsigned char objTypeData[SDB_ULONG_SIZE]; + /* we may need to allocate some temporaries. Keep track of what was + * allocated so we can free it in the end */ + unsigned char *temp1 = NULL; + unsigned char *temp2 = NULL; + CK_ULONG objCount = 0; + SDBFind *find = NULL; + CK_OBJECT_HANDLE id; + const CK_ATTRIBUTE *attr, *attr2; + CK_RV crv; + CK_ATTRIBUTE subject; + + /* Currently the only conflict is with nicknames pointing to the same + * subject when creating or modifying a certificate. */ + /* If the object is not a cert, no problem. 
*/ + if (objectType != CKO_CERTIFICATE) { + return CKR_OK; + } + /* if not setting a nickname then there's still no problem */ + attr = sftkdb_getAttributeFromConstTemplate(CKA_LABEL, ptemplate, len); + if ((attr == NULL) || (attr->ulValueLen == 0)) { + return CKR_OK; + } + /* fetch the subject of the source. For creation and merge, this should + * be found in the template */ + attr2 = sftkdb_getAttributeFromConstTemplate(CKA_SUBJECT, ptemplate, len); + if (sourceID == CK_INVALID_HANDLE) { + if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen < 0)) { + crv = CKR_TEMPLATE_INCOMPLETE; + goto done; + } + } else if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen <= 0)) { + /* sourceID is set if we are trying to modify an existing entry instead + * of creating a new one. In this case the subject may not be (probably + * isn't) in the template, we have to read it from the database */ + subject.type = CKA_SUBJECT; + subject.pValue = NULL; + subject.ulValueLen = 0; + crv = (*db->sdb_GetAttributeValue)(db, sourceID, &subject, 1); + if (crv != CKR_OK) { + goto done; + } + if ((CK_LONG)subject.ulValueLen < 0) { + crv = CKR_DEVICE_ERROR; /* closest pkcs11 error to corrupted DB */ + goto done; + } + temp1 = subject.pValue = PORT_Alloc(++subject.ulValueLen); + if (temp1 == NULL) { + crv = CKR_HOST_MEMORY; + goto done; + } + crv = (*db->sdb_GetAttributeValue)(db, sourceID, &subject, 1); + if (crv != CKR_OK) { + goto done; + } + attr2 = &subject; + } + + /* check for another cert in the database with the same nickname */ + sftk_ULong2SDBULong(objTypeData, objectType); + findTemplate[0].type = CKA_CLASS; + findTemplate[0].pValue = objTypeData; + findTemplate[0].ulValueLen = SDB_ULONG_SIZE; + findTemplate[1] = *attr; + + crv = (*db->sdb_FindObjectsInit)(db, findTemplate, 2, &find); + if (crv != CKR_OK) { + goto done; + } + (*db->sdb_FindObjects)(db, find, &id, 1, &objCount); + (*db->sdb_FindObjectsFinal)(db, find); + + /* object count == 0 means no conflicting certs found, + * go on 
with the operation */ + if (objCount == 0) { + crv = CKR_OK; + goto done; + } + + /* There is a least one cert that shares the nickname, make sure it also + * matches the subject. */ + findTemplate[0] = *attr2; + /* we know how big the source subject was. Use that length to create the + * space for the target. If it's not enough space, then it means the + * source subject is too big, and therefore not a match. GetAttributeValue + * will return CKR_BUFFER_TOO_SMALL. Otherwise it should be exactly enough + * space (or enough space to be able to compare the result. */ + temp2 = findTemplate[0].pValue = PORT_Alloc(++findTemplate[0].ulValueLen); + if (temp2 == NULL) { + crv = CKR_HOST_MEMORY; + goto done; + } + crv = (*db->sdb_GetAttributeValue)(db, id, findTemplate, 1); + if (crv != CKR_OK) { + if (crv == CKR_BUFFER_TOO_SMALL) { + /* if our buffer is too small, then the Subjects clearly do + * not match */ + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto loser; + } + /* otherwise we couldn't get the value, just fail */ + goto done; + } + + /* Ok, we have both subjects, make sure they are the same. + * Compare the subjects */ + if ((findTemplate[0].ulValueLen != attr2->ulValueLen) || + (attr2->ulValueLen > 0 && + PORT_Memcmp(findTemplate[0].pValue, attr2->pValue, attr2->ulValueLen) != 0)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto loser; + } + crv = CKR_OK; + +done: + /* If we've failed for some other reason than a conflict, make sure we + * return an error code other than CKR_ATTRIBUTE_VALUE_INVALID. + * (NOTE: neither sdb_FindObjectsInit nor sdb_GetAttributeValue should + * return CKR_ATTRIBUTE_VALUE_INVALID, so the following is paranoia). + */ + if (crv == CKR_ATTRIBUTE_VALUE_INVALID) { + crv = CKR_GENERAL_ERROR; /* clearly a programming error */ + } + +/* exit point if we found a conflict */ +loser: + PORT_Free(temp1); + PORT_Free(temp2); + return crv; +} + +/* + * try to update the template to fix any errors. This is only done + * during update. 
+ * + * NOTE: we must update the template or return an error, or the update caller + * will loop forever! + * + * Two copies of the source code for this algorithm exist in NSS. + * Changes must be made in both copies. + * The other copy is in pk11_IncrementNickname() in pk11wrap/pk11merge.c. + * + */ +static CK_RV +sftkdb_resolveConflicts(PLArenaPool *arena, CK_OBJECT_CLASS objectType, + CK_ATTRIBUTE *ptemplate, CK_ULONG *plen) +{ + CK_ATTRIBUTE *attr; + char *nickname, *newNickname; + unsigned int end, digit; + + /* sanity checks. We should never get here with these errors */ + if (objectType != CKO_CERTIFICATE) { + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + attr = sftkdb_getAttributeFromTemplate(CKA_LABEL, ptemplate, *plen); + if ((attr == NULL) || (attr->ulValueLen == 0)) { + return CKR_GENERAL_ERROR; /* shouldn't happen */ + } + + /* update the nickname */ + /* is there a number at the end of the nickname already? + * if so just increment that number */ + nickname = (char *)attr->pValue; + + /* does nickname end with " #n*" ? */ + for (end = attr->ulValueLen - 1; + end >= 2 && (digit = nickname[end]) <= '9' && digit >= '0'; + end--) /* just scan */ + ; + if (attr->ulValueLen >= 3 && + end < (attr->ulValueLen - 1) /* at least one digit */ && + nickname[end] == '#' && + nickname[end - 1] == ' ') { + /* Already has a suitable suffix string */ + } else { + /* ... 
append " #2" to the name */ + static const char num2[] = " #2"; + newNickname = PORT_ArenaAlloc(arena, attr->ulValueLen + sizeof(num2)); + if (!newNickname) { + return CKR_HOST_MEMORY; + } + PORT_Memcpy(newNickname, nickname, attr->ulValueLen); + PORT_Memcpy(&newNickname[attr->ulValueLen], num2, sizeof(num2)); + attr->pValue = newNickname; /* modifies ptemplate */ + attr->ulValueLen += 3; /* 3 is strlen(num2) */ + return CKR_OK; + } + + for (end = attr->ulValueLen; end-- > 0;) { + digit = nickname[end]; + if (digit > '9' || digit < '0') { + break; + } + if (digit < '9') { + nickname[end]++; + return CKR_OK; + } + nickname[end] = '0'; + } + + /* we overflowed, insert a new '1' for a carry in front of the number */ + newNickname = PORT_ArenaAlloc(arena, attr->ulValueLen + 1); + if (!newNickname) { + return CKR_HOST_MEMORY; + } + /* PORT_Memcpy should handle len of '0' */ + PORT_Memcpy(newNickname, nickname, ++end); + newNickname[end] = '1'; + PORT_Memset(&newNickname[end + 1], '0', attr->ulValueLen - end); + attr->pValue = newNickname; + attr->ulValueLen++; + return CKR_OK; +} + +/* + * set an attribute and sign it if necessary + */ +static CK_RV +sftkdb_setAttributeValue(PLArenaPool *arena, SFTKDBHandle *handle, + SDB *db, CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template, + CK_ULONG count) +{ + CK_RV crv; + crv = (*db->sdb_SetAttributeValue)(db, objectID, template, count); + if (crv != CKR_OK) { + return crv; + } + crv = sftk_signTemplate(arena, handle, db == handle->update, + objectID, template, count); + return crv; +} + +/* + * write a softoken object out to the database. 
+ */ +CK_RV +sftkdb_write(SFTKDBHandle *handle, SFTKObject *object, + CK_OBJECT_HANDLE *objectID) +{ + CK_ATTRIBUTE *template; + PLArenaPool *arena; + CK_ULONG count; + CK_RV crv; + SDB *db; + PRBool inTransaction = PR_FALSE; + CK_OBJECT_HANDLE id, candidateID; + + *objectID = CK_INVALID_HANDLE; + + if (handle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + db = SFTK_GET_SDB(handle); + + /* + * we have opened a new database, but we have not yet updated it. We are + * still running pointing to the old database (so the application can + * still read). We don't want to write to the old database at this point, + * however, since it leads to user confusion. So at this point we simply + * require a user login. Let NSS know this so it can prompt the user. + */ + if (db == handle->update) { + return CKR_USER_NOT_LOGGED_IN; + } + + arena = PORT_NewArena(256); + if (arena == NULL) { + return CKR_HOST_MEMORY; + } + + crv = (*db->sdb_Begin)(db); + if (crv != CKR_OK) { + goto loser; + } + inTransaction = PR_TRUE; + + crv = (*db->sdb_GetNewObjectID)(db, &candidateID); + if (crv != CKR_OK) { + goto loser; + } + + template = sftk_ExtractTemplate(arena, object, handle, candidateID, db, &count, &crv); + if (!template) { + goto loser; + } + + /* + * We want to make the base database as free from object specific knowledge + * as possible. To maintain compatibility, keep some of the desirable + * object specific semantics of the old database. + * + * These were 2 fold: + * 1) there were certain conflicts (like trying to set the same nickname + * on two different subjects) that would return an error. + * 2) Importing the 'same' object would silently update that object. + * + * The following 2 functions mimic the desirable effects of these two + * semantics without pushing any object knowledge to the underlying database + * code. 
+ */ + + /* make sure we don't have attributes that conflict with the existing DB */ + crv = sftkdb_checkConflicts(db, object->objclass, template, count, + CK_INVALID_HANDLE); + if (crv != CKR_OK) { + goto loser; + } + /* Find any copies that match this particular object */ + crv = sftkdb_lookupObject(db, object->objclass, &id, template, count); + if (crv != CKR_OK) { + goto loser; + } + if (id == CK_INVALID_HANDLE) { + *objectID = candidateID; + crv = sftkdb_CreateObject(arena, handle, db, objectID, template, count); + } else { + /* object already exists, modify it's attributes */ + *objectID = id; + /* The object ID changed from our candidate, we need to move any + * signature attribute signatures to the new object ID. */ + crv = sftkdb_fixupSignatures(handle, db, candidateID, id, + template, count); + if (crv != CKR_OK) { + goto loser; + } + crv = sftkdb_setAttributeValue(arena, handle, db, id, template, count); + } + if (crv != CKR_OK) { + goto loser; + } + crv = (*db->sdb_Commit)(db); + inTransaction = PR_FALSE; + +loser: + if (inTransaction) { + (*db->sdb_Abort)(db); + /* It is trivial to show the following code cannot + * happen unless something is horribly wrong with our compilier or + * hardware */ + PORT_Assert(crv != CKR_OK); + if (crv == CKR_OK) + crv = CKR_GENERAL_ERROR; + } + + if (arena) { + PORT_FreeArena(arena, PR_TRUE); + } + if (crv == CKR_OK) { + *objectID |= (handle->type | SFTK_TOKEN_TYPE); + } + return crv; +} + +CK_RV +sftkdb_FindObjectsInit(SFTKDBHandle *handle, const CK_ATTRIBUTE *template, + CK_ULONG count, SDBFind **find) +{ + unsigned char *data = NULL; + CK_ATTRIBUTE *ntemplate = NULL; + CK_RV crv; + int dataSize; + SDB *db; + + if (handle == NULL) { + return CKR_OK; + } + db = SFTK_GET_SDB(handle); + + if (count != 0) { + ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize); + if (ntemplate == NULL) { + return CKR_HOST_MEMORY; + } + } + + crv = (*db->sdb_FindObjectsInit)(db, ntemplate, + count, find); + if (data) { + 
PORT_Free(ntemplate); + PORT_ZFree(data, dataSize); + } + return crv; +} + +CK_RV +sftkdb_FindObjects(SFTKDBHandle *handle, SDBFind *find, + CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count) +{ + CK_RV crv; + SDB *db; + + if (handle == NULL) { + *count = 0; + return CKR_OK; + } + db = SFTK_GET_SDB(handle); + + crv = (*db->sdb_FindObjects)(db, find, ids, + arraySize, count); + if (crv == CKR_OK) { + unsigned int i; + for (i = 0; i < *count; i++) { + ids[i] |= (handle->type | SFTK_TOKEN_TYPE); + } + } + return crv; +} + +CK_RV +sftkdb_FindObjectsFinal(SFTKDBHandle *handle, SDBFind *find) +{ + SDB *db; + if (handle == NULL) { + return CKR_OK; + } + db = SFTK_GET_SDB(handle); + return (*db->sdb_FindObjectsFinal)(db, find); +} + +CK_RV +sftkdb_GetAttributeValue(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID, + CK_ATTRIBUTE *template, CK_ULONG count) +{ + CK_RV crv, crv2; + CK_ATTRIBUTE *ntemplate; + unsigned char *data = NULL; + int dataSize = 0; + SDB *db; + + if (handle == NULL) { + return CKR_GENERAL_ERROR; + } + + /* short circuit common attributes */ + if (count == 1 && + (template[0].type == CKA_TOKEN || + template[0].type == CKA_PRIVATE || + template[0].type == CKA_SENSITIVE)) { + CK_BBOOL boolVal = CK_TRUE; + + if (template[0].pValue == NULL) { + template[0].ulValueLen = sizeof(CK_BBOOL); + return CKR_OK; + } + if (template[0].ulValueLen < sizeof(CK_BBOOL)) { + template[0].ulValueLen = -1; + return CKR_BUFFER_TOO_SMALL; + } + + if ((template[0].type == CKA_PRIVATE) && + (handle->type != SFTK_KEYDB_TYPE)) { + boolVal = CK_FALSE; + } + if ((template[0].type == CKA_SENSITIVE) && + (handle->type != SFTK_KEYDB_TYPE)) { + boolVal = CK_FALSE; + } + *(CK_BBOOL *)template[0].pValue = boolVal; + template[0].ulValueLen = sizeof(CK_BBOOL); + return CKR_OK; + } + + db = SFTK_GET_SDB(handle); + /* nothing to do */ + if (count == 0) { + return CKR_OK; + } + ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize); + if (ntemplate == NULL) { + return 
CKR_HOST_MEMORY; + } + objectID &= SFTK_OBJ_ID_MASK; + crv = (*db->sdb_GetAttributeValue)(db, objectID, + ntemplate, count); + crv2 = sftkdb_fixupTemplateOut(template, objectID, ntemplate, + count, handle); + if (crv == CKR_OK) + crv = crv2; + if (data) { + PORT_Free(ntemplate); + PORT_ZFree(data, dataSize); + } + return crv; +} + +CK_RV +sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object, + const CK_ATTRIBUTE *template, CK_ULONG count) +{ + CK_ATTRIBUTE *ntemplate; + unsigned char *data = NULL; + PLArenaPool *arena = NULL; + SDB *db; + CK_RV crv = CKR_OK; + CK_OBJECT_HANDLE objectID = (object->handle & SFTK_OBJ_ID_MASK); + PRBool inTransaction = PR_FALSE; + int dataSize; + + if (handle == NULL) { + return CKR_TOKEN_WRITE_PROTECTED; + } + + db = SFTK_GET_SDB(handle); + /* nothing to do */ + if (count == 0) { + return CKR_OK; + } + /* + * we have opened a new database, but we have not yet updated it. We are + * still running pointing to the old database (so the application can + * still read). We don't want to write to the old database at this point, + * however, since it leads to user confusion. So at this point we simply + * require a user login. Let NSS know this so it can prompt the user. 
+ */
+ if (db == handle->update) {
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize);
+ if (ntemplate == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* make sure we don't have attributes that conflict with the existing DB */
+ crv = sftkdb_checkConflicts(db, object->objclass, ntemplate, count,
+ objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ arena = PORT_NewArena(256);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ inTransaction = PR_TRUE;
+ crv = sftkdb_setAttributeValue(arena, handle, db, objectID, ntemplate,
+ count);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK && inTransaction) {
+ (*db->sdb_Abort)(db);
+ }
+ if (data) {
+ PORT_Free(ntemplate);
+ PORT_ZFree(data, dataSize);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+ CK_OBJECT_CLASS objclass)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ objectID &= SFTK_OBJ_ID_MASK;
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = (*db->sdb_DestroyObject)(db, objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ /* if the database supports meta data, delete any old signatures
+ * that we may have added */
+ if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
+ SDB *keydb = db;
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ /* delete any private attribute signatures that might exist */
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_VALUE);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIVATE_EXPONENT);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIME_1);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIME_2);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_EXPONENT_1);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_EXPONENT_2);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_COEFFICIENT);
+ } else {
+ keydb = SFTK_GET_SDB(handle->peerDB);
+ }
+ /* now destroy any authenticated attributes that may exist */
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_MODULUS);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PUBLIC_EXPONENT);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_CERT_SHA1_HASH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_CERT_MD5_HASH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_SERVER_AUTH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_CLIENT_AUTH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_EMAIL_PROTECTION);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_CODE_SIGNING);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_STEP_UP_APPROVED);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_NSS_OVERRIDE_EXTENSIONS);
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK) {
+ (*db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_CloseDB(SFTKDBHandle *handle)
+{
+#ifdef NO_FORK_CHECK
+ PRBool parentForkedAfterC_Initialize = PR_FALSE;
+#endif
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ if (handle->update) {
+ if (handle->db->sdb_SetForkState) {
+ (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize);
+ }
+ (*handle->update->sdb_Close)(handle->update);
+ }
+ if (handle->db) {
+ if (handle->db->sdb_SetForkState) {
+ (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize);
+ }
+ (*handle->db->sdb_Close)(handle->db);
+ }
+ if (handle->passwordLock) {
+ PZ_Lock(handle->passwordLock);
+ }
+ if (handle->passwordKey.data) {
+ SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
+ }
+ if (handle->passwordLock) {
+ PZ_Unlock(handle->passwordLock);
+ SKIP_AFTER_FORK(PZ_DestroyLock(handle->passwordLock));
+ }
+ if (handle->updatePasswordKey) {
+ SECITEM_ZfreeItem(handle->updatePasswordKey, PR_TRUE);
+ }
+ if (handle->updateID) {
+ PORT_Free(handle->updateID);
+ }
+ PORT_Free(handle);
+ return CKR_OK;
+}
+
+/*
+ * reset a database to it's uninitialized state.
+ */
+static CK_RV
+sftkdb_ResetDB(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Reset)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK) {
+ (*db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Begin(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ crv = (*db->sdb_Begin)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Commit(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ (*db->sdb_Commit)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Abort(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ crv = (db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+/*
+ * functions to update the database from an old database
+ */
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+ CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS,
+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE,
+ CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT,
+ CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS,
+ CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS,
+ CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE,
+ CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES,
+ CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NSS_URL, CKA_NSS_EMAIL,
+ CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP,
+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES,
+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED,
+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC,
+ CKA_TRUST_DIGITAL_SIGNATURE, CKA_TRUST_NON_REPUDIATION,
+ CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT,
+ CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN,
+ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING,
+ CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
+ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
+ CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+ CKA_NSS_DB, CKA_NSS_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
+ CKA_PUBLIC_KEY_INFO
+};
+
+static unsigned int known_attributes_size = sizeof(known_attributes) /
+ sizeof(known_attributes[0]);
+
+static CK_RV
+sftkdb_GetObjectTemplate(SDB *source, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *max)
+{
+ unsigned int i, j;
+ CK_RV crv;
+
+ if (*max < known_attributes_size) {
+ *max = known_attributes_size;
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ for (i = 0; i < known_attributes_size; i++) {
+ ptemplate[i].type = known_attributes[i];
+ ptemplate[i].pValue = NULL;
+ ptemplate[i].ulValueLen = 0;
+ }
+
+ crv = (*source->sdb_GetAttributeValue)(source, id,
+ ptemplate, known_attributes_size);
+
+ if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+ return crv;
+ }
+
+ for (i = 0, j = 0; i < known_attributes_size; i++, j++) {
+ while (i < known_attributes_size && (ptemplate[i].ulValueLen == -1)) {
+ i++;
+ }
+ if (i >= known_attributes_size) {
+ break;
+ }
+ /* cheap optimization */
+ if (i == j) {
+ continue;
+ }
+ ptemplate[j] = ptemplate[i];
+ }
+ *max = j;
+ return CKR_OK;
+}
+
+static const char SFTKDB_META_UPDATE_TEMPLATE[] = "upd_%s_%s";
+
+/*
+ * check to see if we have already updated this database.
+ * a NULL updateID means we are trying to do an in place
+ * single database update. In that case we have already
+ * determined that an update was necessary.
+ */
+static PRBool
+sftkdb_hasUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+ char *id;
+ CK_RV crv;
+ SECItem dummy = { 0, NULL, 0 };
+ unsigned char dummyData[SDB_MAX_META_DATA_LEN];
+
+ if (!updateID) {
+ return PR_FALSE;
+ }
+ id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+ if (id == NULL) {
+ return PR_FALSE;
+ }
+ dummy.data = dummyData;
+ dummy.len = sizeof(dummyData);
+
+ crv = (*db->sdb_GetMetaData)(db, id, &dummy, NULL);
+ PR_smprintf_free(id);
+ return crv == CKR_OK ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * we just completed an update, store the update id
+ * so we don't need to do it again. If non was given,
+ * there is nothing to do.
+ */
+static CK_RV
+sftkdb_putUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+ char *id;
+ CK_RV crv;
+ SECItem dummy = { 0, NULL, 0 };
+
+ /* if no id was given, nothing to do */
+ if (updateID == NULL) {
+ return CKR_OK;
+ }
+
+ dummy.data = (unsigned char *)updateID;
+ dummy.len = PORT_Strlen(updateID);
+
+ id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+ if (id == NULL) {
+ return PR_FALSE;
+ }
+
+ crv = (*db->sdb_PutMetaData)(db, id, &dummy, NULL);
+ PR_smprintf_free(id);
+ return crv;
+}
+
+/*
+ * get a ULong attribute from a template:
+ * NOTE: this is a raw templated stored in database order!
+ */
+static CK_ULONG
+sftkdb_getULongFromTemplate(CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+ CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(type,
+ ptemplate, len);
+
+ if (attr && attr->pValue && attr->ulValueLen == SDB_ULONG_SIZE) {
+ return sftk_SDBULong2ULong(attr->pValue);
+ }
+ return (CK_ULONG)-1;
+}
+
+/*
+ * we need to find a unique CKA_ID.
+ * The basic idea is to just increment the lowest byte.
+ * This code also handles the following corner cases:
+ * 1) the single byte overflows. On overflow we increment the next byte up
+ * and so forth until we have overflowed the entire CKA_ID.
+ * 2) If we overflow the entire CKA_ID we expand it by one byte.
+ * 3) the CKA_ID is non-existant, we create a new one with one byte.
+ * This means no matter what CKA_ID is passed, the result of this function
+ * is always a new CKA_ID, and this function will never return the same
+ * CKA_ID the it has returned in the passed.
+ */
+static CK_RV
+sftkdb_incrementCKAID(PLArenaPool *arena, CK_ATTRIBUTE *ptemplate)
+{
+ unsigned char *buf = ptemplate->pValue;
+ CK_ULONG len = ptemplate->ulValueLen;
+
+ if (buf == NULL || len == (CK_ULONG)-1) {
+ /* we have no valid CKAID, we'll create a basic one byte CKA_ID below */
+ len = 0;
+ } else {
+ CK_ULONG i;
+
+ /* walk from the back to front, incrementing
+ * the CKA_ID until we no longer have a carry,
+ * or have hit the front of the id. */
+ for (i = len; i != 0; i--) {
+ buf[i - 1]++;
+ if (buf[i - 1] != 0) {
+ /* no more carries, the increment is complete */
+ return CKR_OK;
+ }
+ }
+ /* we've now overflowed, fall through and expand the CKA_ID by
+ * one byte */
+ }
+ buf = PORT_ArenaAlloc(arena, len + 1);
+ if (!buf) {
+ return CKR_HOST_MEMORY;
+ }
+ if (len > 0) {
+ PORT_Memcpy(buf, ptemplate->pValue, len);
+ }
+ buf[len] = 0;
+ ptemplate->pValue = buf;
+ ptemplate->ulValueLen = len + 1;
+ return CKR_OK;
+}
+
+/*
+ * drop an attribute from a template.
+ */
+void
+sftkdb_dropAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE *ptemplate,
+ CK_ULONG *plen)
+{
+ CK_ULONG count = *plen;
+ CK_ULONG i;
+
+ for (i = 0; i < count; i++) {
+ if (attr->type == ptemplate[i].type) {
+ break;
+ }
+ }
+
+ if (i == count) {
+ /* attribute not found */
+ return;
+ }
+
+ /* copy the remaining attributes up */
+ for (i++; i < count; i++) {
+ ptemplate[i - 1] = ptemplate[i];
+ }
+
+ /* decrement the template size */
+ *plen = count - 1;
+}
+
+/*
+ * create some defines for the following functions to document the meaning
+ * of true/false. (make's it easier to remember what means what.
+ */
+typedef enum {
+ SFTKDB_DO_NOTHING = 0,
+ SFTKDB_ADD_OBJECT,
+ SFTKDB_MODIFY_OBJECT,
+ SFTKDB_DROP_ATTRIBUTE
+} sftkdbUpdateStatus;
+
+/*
+ * helper function to reconcile a single trust entry.
+ * Identify which trust entry we want to keep.
+ * If we don't need to do anything (the records are already equal).
+ * return SFTKDB_DO_NOTHING.
+ * If we want to use the source version,
+ * return SFTKDB_MODIFY_OBJECT
+ * If we want to use the target version,
+ * return SFTKDB_DROP_ATTRIBUTE
+ *
+ * In the end the caller will remove any attributes in the source
+ * template when SFTKDB_DROP_ATTRIBUTE is specified, then use do a
+ * set attributes with that template on the target if we received
+ * any SFTKDB_MODIFY_OBJECT returns.
+ */
+sftkdbUpdateStatus
+sftkdb_reconcileTrustEntry(PLArenaPool *arena, CK_ATTRIBUTE *target,
+ CK_ATTRIBUTE *source)
+{
+ CK_ULONG targetTrust = sftkdb_getULongFromTemplate(target->type,
+ target, 1);
+ CK_ULONG sourceTrust = sftkdb_getULongFromTemplate(target->type,
+ source, 1);
+
+ /*
+ * try to pick the best solution between the source and the
+ * target. Update the source template if we want the target value
+ * to win out. Prefer cases where we don't actually update the
+ * trust entry.
+ */
+
+ /* they are the same, everything is already kosher */
+ if (targetTrust == sourceTrust) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* handle the case where the source Trust attribute may be a bit
+ * flakey */
+ if (sourceTrust == (CK_ULONG)-1) {
+ /*
+ * The source Trust is invalid. We know that the target Trust
+ * must be valid here, otherwise the above
+ * targetTrust == sourceTrust check would have succeeded.
+ */
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+
+ /* target is invalid, use the source's idea of the trust value */
+ if (targetTrust == (CK_ULONG)-1) {
+ /* overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* at this point we know that both attributes exist and have the
+ * appropriate length (SDB_ULONG_SIZE). We no longer need to check
+ * ulValueLen for either attribute.
+ */
+ if (sourceTrust == CKT_NSS_TRUST_UNKNOWN) {
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+
+ /* target has no idea, use the source's idea of the trust value */
+ if (targetTrust == CKT_NSS_TRUST_UNKNOWN) {
+ /* overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* so both the target and the source have some idea of what this
+ * trust attribute should be, and neither agree exactly.
+ * At this point, we prefer 'hard' attributes over 'soft' ones.
+ * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and
+ * CKT_NSS_NOT_TRUTED. Soft ones are ones which don't change the
+ * actual trust of the cert (CKT_MUST_VERIFY_TRUST,
+ * CKT_NSS_VALID_DELEGATOR).
+ */
+ if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) || (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+ if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) || (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
+ /* again, overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* both have hard attributes, we have a conflict, let the target win. */
+ return SFTKDB_DROP_ATTRIBUTE;
+}
+
+const CK_ATTRIBUTE_TYPE sftkdb_trustList[] = { CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH,
+ CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER,
+ CKA_TRUST_TIME_STAMPING };
+
+#define SFTK_TRUST_TEMPLATE_COUNT \
+ (sizeof(sftkdb_trustList) / sizeof(sftkdb_trustList[0]))
+/*
+ * Run through the list of known trust types, and reconcile each trust
+ * entry one by one. Keep track of we really need to write out the source
+ * trust object (overwriting the existing one).
+ */
+static sftkdbUpdateStatus
+sftkdb_reconcileTrust(PLArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+ CK_ATTRIBUTE trustTemplate[SFTK_TRUST_TEMPLATE_COUNT];
+ unsigned char trustData[SFTK_TRUST_TEMPLATE_COUNT * SDB_ULONG_SIZE];
+ sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+ CK_ULONG i;
+ CK_RV crv;
+
+ for (i = 0; i < SFTK_TRUST_TEMPLATE_COUNT; i++) {
+ trustTemplate[i].type = sftkdb_trustList[i];
+ trustTemplate[i].pValue = &trustData[i * SDB_ULONG_SIZE];
+ trustTemplate[i].ulValueLen = SDB_ULONG_SIZE;
+ }
+ crv = (*db->sdb_GetAttributeValue)(db, id,
+ trustTemplate, SFTK_TRUST_TEMPLATE_COUNT);
+ if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+ /* target trust has some problems, update it */
+ update = SFTKDB_MODIFY_OBJECT;
+ goto done;
+ }
+
+ for (i = 0; i < SFTK_TRUST_TEMPLATE_COUNT; i++) {
+ CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(
+ trustTemplate[i].type, ptemplate, *plen);
+ sftkdbUpdateStatus status;
+
+ /* if target trust value doesn't exist, nothing to merge */
+ if (trustTemplate[i].ulValueLen == (CK_ULONG)-1) {
+ /* if the source exists, then we want the source entry,
+ * go ahead and update */
+ if (attr && attr->ulValueLen != (CK_ULONG)-1) {
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+ continue;
+ }
+
+ /*
+ * the source doesn't have the attribute, go to the next attribute
+ */
+ if (attr == NULL) {
+ continue;
+ }
+ status = sftkdb_reconcileTrustEntry(arena, &trustTemplate[i], attr);
+ if (status == SFTKDB_MODIFY_OBJECT) {
+ update = SFTKDB_MODIFY_OBJECT;
+ } else if (status == SFTKDB_DROP_ATTRIBUTE) {
+ /* drop the source copy of the attribute, we are going with
+ * the target's version */
+ sftkdb_dropAttribute(attr, ptemplate, plen);
+ }
+ }
+
+ /* finally manage stepup */
+ if (update == SFTKDB_MODIFY_OBJECT) {
+ CK_BBOOL stepUpBool = CK_FALSE;
+ /* if we are going to write from the source, make sure we don't
+ * overwrite the stepup bit if it's on*/
+ trustTemplate[0].type = CKA_TRUST_STEP_UP_APPROVED;
+ trustTemplate[0].pValue = &stepUpBool;
+ trustTemplate[0].ulValueLen = sizeof(stepUpBool);
+ crv = (*db->sdb_GetAttributeValue)(db, id, trustTemplate, 1);
+ if ((crv == CKR_OK) && (stepUpBool == CK_TRUE)) {
+ sftkdb_dropAttribute(trustTemplate, ptemplate, plen);
+ }
+ } else {
+ /* we currently aren't going to update. If the source stepup bit is
+ * on however, do an update so the target gets it as well */
+ CK_ATTRIBUTE *attr;
+
+ attr = sftkdb_getAttributeFromTemplate(CKA_TRUST_STEP_UP_APPROVED,
+ ptemplate, *plen);
+ if (attr && (attr->ulValueLen == sizeof(CK_BBOOL)) &&
+ (*(CK_BBOOL *)(attr->pValue) == CK_TRUE)) {
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+ }
+
+done:
+ return update;
+}
+
+static sftkdbUpdateStatus
+sftkdb_handleIDAndName(PLArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+ sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+ CK_ATTRIBUTE *attr1, *attr2;
+ CK_ATTRIBUTE ttemplate[2] = {
+ { CKA_ID, NULL, 0 },
+ { CKA_LABEL, NULL, 0 }
+ };
+
+ attr1 = sftkdb_getAttributeFromTemplate(CKA_LABEL, ptemplate, *plen);
+ attr2 = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, *plen);
+
+ /* if the source has neither an id nor label, don't bother updating */
+ if ((!attr1 || attr1->ulValueLen == 0) &&
+ (!attr2 || attr2->ulValueLen == 0)) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* the source has either an id or a label, see what the target has */
+ (void)(*db->sdb_GetAttributeValue)(db, id, ttemplate, 2);
+
+ /* if the target has neither, update from the source */
+ if (((ttemplate[0].ulValueLen == 0) ||
+ (ttemplate[0].ulValueLen == (CK_ULONG)-1)) &&
+ ((ttemplate[1].ulValueLen == 0) ||
+ (ttemplate[1].ulValueLen == (CK_ULONG)-1))) {
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* check the CKA_ID */
+ if ((ttemplate[0].ulValueLen != 0) &&
+ (ttemplate[0].ulValueLen != (CK_ULONG)-1)) {
+ /* we have a CKA_ID in the target, don't overwrite
+ * the target with an empty CKA_ID from the source*/
+ if (attr1 && attr1->ulValueLen == 0) {
+ sftkdb_dropAttribute(attr1, ptemplate, plen);
+ }
+ } else if (attr1 && attr1->ulValueLen != 0) {
+ /* source has a CKA_ID, but the target doesn't, update the target */
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* check the nickname */
+ if ((ttemplate[1].ulValueLen != 0) &&
+ (ttemplate[1].ulValueLen != (CK_ULONG)-1)) {
+
+ /* we have a nickname in the target, and we don't have to update
+ * the CKA_ID. We are done. NOTE: if we add addition attributes
+ * in this check, this shortcut can only go on the last of them. */
+ if (update == SFTKDB_DO_NOTHING) {
+ return update;
+ }
+ /* we have a nickname in the target, don't overwrite
+ * the target with an empty nickname from the source */
+ if (attr2 && attr2->ulValueLen == 0) {
+ sftkdb_dropAttribute(attr2, ptemplate, plen);
+ }
+ } else if (attr2 && attr2->ulValueLen != 0) {
+ /* source has a nickname, but the target doesn't, update the target */
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+
+ return update;
+}
+
+/*
+ * This function updates the template before we write the object out.
+ *
+ * If we are going to skip updating this object, return PR_FALSE.
+ * If it should be updated we return PR_TRUE.
+ * To help readability, these have been defined
+ * as SFTK_DONT_UPDATE and SFTK_UPDATE respectively.
+ */
+static PRBool
+sftkdb_updateObjectTemplate(PLArenaPool *arena, SDB *db,
+ CK_OBJECT_CLASS objectType,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen,
+ CK_OBJECT_HANDLE *targetID)
+{
+ PRBool done; /* should we repeat the loop? */
+ CK_OBJECT_HANDLE id;
+ CK_RV crv = CKR_OK;
+
+ do {
+ crv = sftkdb_checkConflicts(db, objectType, ptemplate,
+ *plen, CK_INVALID_HANDLE);
+ if (crv != CKR_ATTRIBUTE_VALUE_INVALID) {
+ break;
+ }
+ crv = sftkdb_resolveConflicts(arena, objectType, ptemplate, plen);
+ } while (crv == CKR_OK);
+
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ do {
+ done = PR_TRUE;
+ crv = sftkdb_lookupObject(db, objectType, &id, ptemplate, *plen);
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* This object already exists, merge it, don't update */
+ if (id != CK_INVALID_HANDLE) {
+ CK_ATTRIBUTE *attr = NULL;
+ /* special post processing for attributes */
+ switch (objectType) {
+ case CKO_CERTIFICATE:
+ case CKO_PUBLIC_KEY:
+ case CKO_PRIVATE_KEY:
+ /* update target's CKA_ID and labels if they don't already
+ * exist */
+ *targetID = id;
+ return sftkdb_handleIDAndName(arena, db, id, ptemplate, plen);
+ case CKO_NSS_TRUST:
+ /* if we have conflicting trust object types,
+ * we need to reconcile them */
+ *targetID = id;
+ return sftkdb_reconcileTrust(arena, db, id, ptemplate, plen);
+ case CKO_SECRET_KEY:
+ /* secret keys in the old database are all sdr keys,
+ * unfortunately they all appear to have the same CKA_ID,
+ * even though they are truly different keys, so we always
+ * want to update these keys, but we need to
+ * give them a new CKA_ID */
+ /* NOTE: this changes ptemplate */
+ attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, *plen);
+ crv = attr ? sftkdb_incrementCKAID(arena, attr)
+ : CKR_HOST_MEMORY;
+ /* in the extremely rare event that we needed memory and
+ * couldn't get it, just drop the key */
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+ done = PR_FALSE; /* repeat this find loop */
+ break;
+ default:
+ /* for all other objects, if we found the equivalent object,
+ * don't update it */
+ return SFTKDB_DO_NOTHING;
+ }
+ }
+ } while (!done);
+
+ /* this object doesn't exist, update it */
+ return SFTKDB_ADD_OBJECT;
+}
+
+static CK_RV
+sftkdb_updateIntegrity(PLArenaPool *arena, SFTKDBHandle *handle,
+ SDB *source, CK_OBJECT_HANDLE sourceID,
+ SDB *target, CK_OBJECT_HANDLE targetID,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG max_attributes)
+{
+ unsigned int i;
+ CK_RV global_crv = CKR_OK;
+
+ /* if the target doesn't have META data, don't need to do anything */
+ if ((target->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+ /* if the source doesn't have meta data, then the record won't require
+ * integrity */
+ if ((source->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+ for (i = 0; i < max_attributes; i++) {
+ CK_ATTRIBUTE *att = &ptemplate[i];
+ CK_ATTRIBUTE_TYPE type = att->type;
+ if (sftkdb_isPrivateAttribute(type)) {
+ /* copy integrity signatures associated with this record (if any) */
+ SECItem signature;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
+
+ signature.data = signData;
+ signature.len = sizeof(signData);
+ crv = sftkdb_getRawAttributeSignature(handle, source, sourceID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ /* old databases don't have signature IDs because they are
+ * 3DES encrypted. Since we know not to look for integrity
+ * for 3DES records it's OK not to find one here. A new record
+ * will be created when we reencrypt using AES CBC */
+ continue;
+ }
+ crv = sftkdb_PutAttributeSignature(handle, target, targetID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ /* we had a signature in the source db, but we couldn't store
+ * it in the target, remember the error so we can report it. */
+ global_crv = crv;
+ }
+ }
+ }
+ return global_crv;
+}
+
+#define MAX_ATTRIBUTES 500
+static CK_RV
+sftkdb_mergeObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
+ SECItem *key)
+{
+ CK_ATTRIBUTE template[MAX_ATTRIBUTES];
+ CK_ATTRIBUTE *ptemplate;
+ CK_ULONG max_attributes = MAX_ATTRIBUTES;
+ CK_OBJECT_CLASS objectType;
+ SDB *source = handle->update;
+ SDB *target = handle->db;
+ unsigned int i;
+ CK_OBJECT_HANDLE newID = CK_INVALID_HANDLE;
+ CK_RV crv;
+ PLArenaPool *arena = NULL;
+
+ arena = PORT_NewArena(256);
+ if (arena == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ ptemplate = &template[0];
+ id &= SFTK_OBJ_ID_MASK;
+ crv = sftkdb_GetObjectTemplate(source, id, ptemplate, &max_attributes);
+ if (crv == CKR_BUFFER_TOO_SMALL) {
+ ptemplate = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, max_attributes);
+ if (ptemplate == NULL) {
+ crv = CKR_HOST_MEMORY;
+ } else {
+ crv = sftkdb_GetObjectTemplate(source, id,
+ ptemplate, &max_attributes);
+ }
+ }
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ for (i = 0; i < max_attributes; i++) {
+ ptemplate[i].pValue = PORT_ArenaAlloc(arena, ptemplate[i].ulValueLen);
+ if (ptemplate[i].pValue == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ }
+ crv = (*source->sdb_GetAttributeValue)(source, id,
+ ptemplate, max_attributes);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
+ max_attributes);
+ /*
+ * Update Object updates the object template if necessary then returns
+ * whether or not we need to actually write the object out to our target
+ * database.
+ */
+ if (!handle->updateID) {
+ crv = sftkdb_CreateObject(arena, handle, target, &newID,
+ ptemplate, max_attributes);
+ } else {
+ sftkdbUpdateStatus update_status;
+ update_status = sftkdb_updateObjectTemplate(arena, target,
+ objectType, ptemplate, &max_attributes, &newID);
+ switch (update_status) {
+ case SFTKDB_ADD_OBJECT:
+ crv = sftkdb_CreateObject(arena, handle, target, &newID,
+ ptemplate, max_attributes);
+ break;
+ case SFTKDB_MODIFY_OBJECT:
+ crv = sftkdb_setAttributeValue(arena, handle, target,
+ newID, ptemplate, max_attributes);
+ break;
+ case SFTKDB_DO_NOTHING:
+ case SFTKDB_DROP_ATTRIBUTE:
+ break;
+ }
+ }
+
+ /* if keyDB copy any meta data hashes to target, Update for the new
+ * object ID */
+ if (crv == CKR_OK) {
+ crv = sftkdb_updateIntegrity(arena, handle, source, id, target, newID,
+ ptemplate, max_attributes);
+ }
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ return crv;
+}
+
+#define MAX_IDS 10
+/*
+ * update a new database from an old one, now that we have the key
+ */
+CK_RV
+sftkdb_Update(SFTKDBHandle *handle, SECItem *key)
+{
+ SDBFind *find = NULL;
+ CK_ULONG idCount = MAX_IDS;
+ CK_OBJECT_HANDLE ids[MAX_IDS];
+ SECItem *updatePasswordKey = NULL;
+ CK_RV crv, crv2;
+ PRBool inTransaction = PR_FALSE;
+ unsigned int i;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ if (handle->update == NULL) {
+ return CKR_OK;
+ }
+ /*
+ * put the whole update under a transaction. This allows us to handle
+ * any possible race conditions between with the updateID check.
+ */
+ crv = (*handle->db->sdb_Begin)(handle->db);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ inTransaction = PR_TRUE;
+
+ /* some one else has already updated this db */
+ if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID)) {
+ crv = CKR_OK;
+ goto done;
+ }
+
+ updatePasswordKey = sftkdb_GetUpdatePasswordKey(handle);
+ if (updatePasswordKey) {
+ /* pass the source DB key to the legacy code,
+ * so it can decrypt things */
+ handle->oldKey = updatePasswordKey;
+ }
+
+ /* find all the objects */
+ crv = sftkdb_FindObjectsInit(handle, NULL, 0, &find);
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ while ((crv == CKR_OK) && (idCount == MAX_IDS)) {
+ crv = sftkdb_FindObjects(handle, find, ids, MAX_IDS, &idCount);
+ for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
+ crv = sftkdb_mergeObject(handle, ids[i], key);
+ }
+ }
+ crv2 = sftkdb_FindObjectsFinal(handle, find);
+ if (crv == CKR_OK)
+ crv = crv2;
+
+loser:
+ /* no longer need the old key value */
+ handle->oldKey = NULL;
+
+ /* update the password - even if we didn't update objects */
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ SECItem item1, item2;
+ unsigned char data1[SDB_MAX_META_DATA_LEN];
+ unsigned char data2[SDB_MAX_META_DATA_LEN];
+
+ item1.data = data1;
+ item1.len = sizeof(data1);
+ item2.data = data2;
+ item2.len = sizeof(data2);
+
+ /* if the target db already has a password, skip this. */
+ crv = (*handle->db->sdb_GetMetaData)(handle->db, "password",
+ &item1, &item2);
+ if (crv == CKR_OK) {
+ goto done;
+ }
+
+ /* nope, update it from the source */
+ crv = (*handle->update->sdb_GetMetaData)(handle->update, "password",
+ &item1, &item2);
+ if (crv != CKR_OK) {
+ /* if we get here, neither the source, nor the target has been initialized
+ * with a password entry. Create a metadata table now so that we don't
+ * mistake this for a partially updated database */
+ item1.data[0] = 0;
+ item2.data[0] = 0;
+ item1.len = item2.len = 1;
+ crv = (*handle->db->sdb_PutMetaData)(handle->db, "empty", &item1, &item2);
+ goto done;
+ }
+ crv = (*handle->db->sdb_PutMetaData)(handle->db, "password", &item1,
+ &item2);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ }
+
+done:
+ /* finally mark this up to date db up to date */
+ /* some one else has already updated this db */
+ if (crv == CKR_OK) {
+ crv = sftkdb_putUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID);
+ }
+
+ if (inTransaction) {
+ if (crv == CKR_OK) {
+ crv = (*handle->db->sdb_Commit)(handle->db);
+ } else {
+ (*handle->db->sdb_Abort)(handle->db);
+ }
+ }
+ if (handle->update) {
+ (*handle->update->sdb_Close)(handle->update);
+ handle->update = NULL;
+ }
+ if (handle->updateID) {
+ PORT_Free(handle->updateID);
+ handle->updateID = NULL;
+ }
+ sftkdb_FreeUpdatePasswordKey(handle);
+ if (updatePasswordKey) {
+ SECITEM_ZfreeItem(updatePasswordKey, PR_TRUE);
+ }
+ handle->updateDBIsInit = PR_FALSE;
+ return crv;
+}
+
+/******************************************************************
+ * DB handle managing functions.
+ *
+ * These functions are called by softoken to initialize, acquire,
+ * and release database handles.
+ */
+
+const char *
+sftkdb_GetUpdateID(SFTKDBHandle *handle)
+{
+ return handle->updateID;
+}
+
+/* release a database handle */
+void
+sftk_freeDB(SFTKDBHandle *handle)
+{
+ PRInt32 ref;
+
+ if (!handle)
+ return;
+ ref = PR_ATOMIC_DECREMENT(&handle->ref);
+ if (ref == 0) {
+ sftkdb_CloseDB(handle);
+ }
+ return;
+}
+
+/*
+ * acquire a database handle for a certificate db
+ * (database for public objects)
+ */
+SFTKDBHandle *
+sftk_getCertDB(SFTKSlot *slot)
+{
+ SFTKDBHandle *dbHandle;
+
+ PZ_Lock(slot->slotLock);
+ dbHandle = slot->certDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ PZ_Unlock(slot->slotLock);
+ return dbHandle;
+}
+
+/*
+ * acquire a database handle for a key database
+ * (database for private objects)
+ */
+SFTKDBHandle *
+sftk_getKeyDB(SFTKSlot *slot)
+{
+ SFTKDBHandle *dbHandle;
+
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ dbHandle = slot->keyDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ return dbHandle;
+}
+
+/*
+ * acquire the database for a specific object. NOTE: objectID must point
+ * to a Token object!
+ */
+SFTKDBHandle *
+sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
+{
+ SFTKDBHandle *dbHandle;
+
+ PZ_Lock(slot->slotLock);
+ dbHandle = objectID & SFTK_KEYDB_TYPE ? slot->keyDB : slot->certDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ PZ_Unlock(slot->slotLock);
+ return dbHandle;
+}
+
+/*
+ * initialize a new database handle
+ */
+static SFTKDBHandle *
+sftk_NewDBHandle(SDB *sdb, int type, PRBool legacy)
+{
+ SFTKDBHandle *handle = PORT_New(SFTKDBHandle);
+ handle->ref = 1;
+ handle->db = sdb;
+ handle->update = NULL;
+ handle->peerDB = NULL;
+ handle->newKey = NULL;
+ handle->oldKey = NULL;
+ handle->updatePasswordKey = NULL;
+ handle->updateID = NULL;
+ handle->type = type;
+ handle->usesLegacyStorage = legacy;
+ handle->passwordKey.data = NULL;
+ handle->passwordKey.len = 0;
+ handle->passwordLock = NULL;
+ if (type == SFTK_KEYDB_TYPE) {
+ handle->passwordLock = PZ_NewLock(nssILockAttribute);
+ }
+ sdb->app_private = handle;
+ return handle;
+}
+
+/*
+ * reset the key database to it's uninitialized state. This call
+ * will clear all the key entried.
+ */
+SECStatus
+sftkdb_ResetKeyDB(SFTKDBHandle *handle)
+{
+ CK_RV crv;
+
+ /* only rest the key db */
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ return SECFailure;
+ }
+ crv = sftkdb_ResetDB(handle);
+ if (crv != CKR_OK) {
+ /* set error */
+ return SECFailure;
+ }
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data) {
+ SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
+ handle->passwordKey.data = NULL;
+ }
+ PZ_Unlock(handle->passwordLock);
+ return SECSuccess;
+}
+
+#ifndef NSS_DISABLE_DBM
+static PRBool
+sftk_oldVersionExists(const char *dir, int version)
+{
+ int i;
+ PRStatus exists = PR_FAILURE;
+ char *file = NULL;
+
+ for (i = version; i > 1; i--) {
+ file = PR_smprintf("%s%d.db", dir, i);
+ if (file == NULL) {
+ continue;
+ }
+ exists = PR_Access(file, PR_ACCESS_EXISTS);
+ PR_smprintf_free(file);
+ if (exists == PR_SUCCESS) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+}
+
+#if defined(_WIN32)
+/*
+ * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
+ * current system codepage). Fails if the path contains a character outside
+ * the current system codepage.
+ */
+static char *
+sftk_legacyPathFromSDBPath(const char *confdir)
+{
+ wchar_t *confdirWide;
+ DWORD size;
+ char *nconfdir;
+ BOOL unmappable;
+
+ if (!confdir) {
+ return NULL;
+ }
+ confdirWide = _NSSUTIL_UTF8ToWide(confdir);
+ if (!confdirWide) {
+ return NULL;
+ }
+
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ NULL, 0, NULL, &unmappable);
+ if (size == 0 || unmappable) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ nconfdir = PORT_Alloc(sizeof(char) * size);
+ if (!nconfdir) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ nconfdir, size, NULL, &unmappable);
+ PORT_Free(confdirWide);
+ if (size == 0 || unmappable) {
+ PORT_Free(nconfdir);
+ return NULL;
+ }
+
+ return nconfdir;
+}
+#else
+#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
+#endif
+
+static PRBool
+sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
+ const char *keyPrefix, int certVersion, int keyVersion)
+{
+ char *dir;
+ PRBool exists;
+
+ if (certPrefix == NULL) {
+ certPrefix = "";
+ }
+
+ if (keyPrefix == NULL) {
+ keyPrefix = "";
+ }
+
+ dir = PR_smprintf("%s/%scert", confdir, certPrefix);
+ if (dir == NULL) {
+ return PR_FALSE;
+ }
+
+ exists = sftk_oldVersionExists(dir, certVersion);
+ PR_smprintf_free(dir);
+ if (exists) {
+ return PR_TRUE;
+ }
+
+ dir = PR_smprintf("%s/%skey", confdir, keyPrefix);
+ if (dir == NULL) {
+ return PR_FALSE;
+ }
+
+ exists = sftk_oldVersionExists(dir, keyVersion);
+ PR_smprintf_free(dir);
+ return exists;
+}
+#endif /* NSS_DISABLE_DBM */
+
+/*
+ * initialize certificate and key database handles as a pair.
+ *
+ * This function figures out what type of database we are opening and
+ * calls the appropriate low level function to open the database.
+ * It also figures out whether or not to setup up automatic update.
+ */
+CK_RV
+sftk_DBInit(const char *configdir, const char *certPrefix,
+ const char *keyPrefix, const char *updatedir,
+ const char *updCertPrefix, const char *updKeyPrefix,
+ const char *updateID, PRBool readOnly, PRBool noCertDB,
+ PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
+ SFTKDBHandle **certDB, SFTKDBHandle **keyDB)
+{
+ const char *confdir;
+ NSSDBType dbType = NSS_DB_TYPE_NONE;
+ char *appName = NULL;
+ SDB *keySDB, *certSDB;
+ CK_RV crv = CKR_OK;
+ int flags = SDB_RDONLY;
+ PRBool newInit = PR_FALSE;
+#ifndef NSS_DISABLE_DBM
+ PRBool needUpdate = PR_FALSE;
+#endif /* NSS_DISABLE_DBM */
+ char *nconfdir = NULL;
+ PRBool legacy = PR_TRUE;
+
+ if (!readOnly) {
+ flags = SDB_CREATE;
+ }
+ if (isFIPS) {
+ flags |= SDB_FIPS;
+ }
+
+ *certDB = NULL;
+ *keyDB = NULL;
+
+ if (noKeyDB && noCertDB) {
+ return CKR_OK;
+ }
+ confdir = _NSSUTIL_EvaluateConfigDir(configdir, &dbType, &appName);
+
+ /*
+ * now initialize the appropriate database
+ */
+ switch (dbType) {
+#ifndef NSS_DISABLE_DBM
+ case NSS_DB_TYPE_LEGACY:
+ crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
+ break;
+ case NSS_DB_TYPE_MULTIACCESS:
+ crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
+ break;
+#endif /* NSS_DISABLE_DBM */
+ case NSS_DB_TYPE_SQL:
+ case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */
+ crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
+ legacy = PR_FALSE;
+
+#ifndef NSS_DISABLE_DBM
+ /*
+ * if we failed to open the DB's read only, use the old ones if
+ * the exists.
+ */ + if (crv != CKR_OK) { + legacy = PR_TRUE; + if ((flags & SDB_RDONLY) == SDB_RDONLY) { + nconfdir = sftk_legacyPathFromSDBPath(confdir); + } + if (nconfdir && + sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) { + /* we have legacy databases, if we failed to open the new format + * DB's read only, just use the legacy ones */ + crv = sftkdbCall_open(nconfdir, certPrefix, + keyPrefix, 8, 3, flags, + noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB); + } + /* Handle the database merge case. + * + * For the merge case, we need help from the application. Only + * the application knows where the old database is, and what unique + * identifier it has associated with it. + * + * If the client supplies these values, we use them to determine + * if we need to update. + */ + } else if ( + /* both update params have been supplied */ + updatedir && *updatedir && updateID && *updateID + /* old dbs exist? */ + && sftk_hasLegacyDB(updatedir, updCertPrefix, updKeyPrefix, 8, 3) + /* and they have not yet been updated? */ + && ((noKeyDB || !sftkdb_hasUpdate("key", keySDB, updateID)) || (noCertDB || !sftkdb_hasUpdate("cert", certSDB, updateID)))) { + /* we need to update */ + confdir = updatedir; + certPrefix = updCertPrefix; + keyPrefix = updKeyPrefix; + needUpdate = PR_TRUE; + } else if (newInit) { + /* if the new format DB was also a newly created DB, and we + * succeeded, then need to update that new database with data + * from the existing legacy DB */ + nconfdir = sftk_legacyPathFromSDBPath(confdir); + if (nconfdir && + sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) { + confdir = nconfdir; + needUpdate = PR_TRUE; + } + } +#endif /* NSS_DISABLE_DBM */ + break; + default: + crv = CKR_GENERAL_ERROR; /* can't happen, EvaluationConfigDir MUST + * return one of the types we already + * specified. 
*/ + } + if (crv != CKR_OK) { + goto done; + } + if (!noCertDB) { + *certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE, legacy); + } else { + *certDB = NULL; + } + if (!noKeyDB) { + *keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE, legacy); + } else { + *keyDB = NULL; + } + + /* link them together */ + if (*certDB) { + (*certDB)->peerDB = *keyDB; + } + if (*keyDB) { + (*keyDB)->peerDB = *certDB; + } + +#ifndef NSS_DISABLE_DBM + /* + * if we need to update, open the legacy database and + * mark the handle as needing update. + */ + if (needUpdate) { + SDB *updateCert = NULL; + SDB *updateKey = NULL; + CK_RV crv2; + + crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags, + noCertDB ? NULL : &updateCert, + noKeyDB ? NULL : &updateKey); + if (crv2 == CKR_OK) { + if (*certDB) { + (*certDB)->update = updateCert; + (*certDB)->updateID = updateID && *updateID + ? PORT_Strdup(updateID) + : NULL; + updateCert->app_private = (*certDB); + } + if (*keyDB) { + PRBool tokenRemoved = PR_FALSE; + (*keyDB)->update = updateKey; + (*keyDB)->updateID = updateID && *updateID ? PORT_Strdup(updateID) : NULL; + updateKey->app_private = (*keyDB); + (*keyDB)->updateDBIsInit = PR_TRUE; + (*keyDB)->updateDBIsInit = + (sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ? PR_TRUE : PR_FALSE; + /* if the password on the key db is NULL, kick off our update + * chain of events */ + sftkdb_CheckPasswordNull((*keyDB), &tokenRemoved); + } else { + /* we don't have a key DB, update the certificate DB now */ + sftkdb_Update(*certDB, NULL); + } + } + } +#endif /* NSS_DISABLE_DBM */ + +done: + if (appName) { + PORT_Free(appName); + } + if (nconfdir) { + PORT_Free(nconfdir); + } + return forceOpen ? CKR_OK : crv; +} + +CK_RV +sftkdb_Shutdown(void) +{ + s_shutdown(); +#ifndef NSS_DISABLE_DBM + sftkdbCall_Shutdown(); +#endif /* NSS_DISABLE_DBM */ + return CKR_OK; +} diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h new file mode 100644 index 0000000000..a8c289d4d7 
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.h
@@ -0,0 +1,75 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "sftkdbt.h"
+#include "sdb.h"
+#include "pkcs11i.h"
+#include "pkcs11t.h"
+
+/* raw database stuff */
+CK_RV sftkdb_write(SFTKDBHandle *handle, SFTKObject *, CK_OBJECT_HANDLE *);
+CK_RV sftkdb_FindObjectsInit(SFTKDBHandle *sdb, const CK_ATTRIBUTE *template,
+ CK_ULONG count, SDBFind **find);
+CK_RV sftkdb_FindObjects(SFTKDBHandle *sdb, SDBFind *find,
+ CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count);
+CK_RV sftkdb_FindObjectsFinal(SFTKDBHandle *sdb, SDBFind *find);
+CK_RV sftkdb_GetAttributeValue(SFTKDBHandle *handle,
+ CK_OBJECT_HANDLE object_id, CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE object_id,
+ CK_OBJECT_CLASS objclass);
+CK_RV sftkdb_closeDB(SFTKDBHandle *handle);
+
+/* keydb functions */
+
+SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb);
+SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw,
+ PRBool *tokenRemoved);
+SECStatus sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved);
+SECStatus sftkdb_PWCached(SFTKDBHandle *keydb);
+SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb);
+SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb);
+SECStatus sftkdb_ChangePassword(SFTKDBHandle *keydb,
+ char *oldPin, char *newPin,
+ PRBool *tokenRemoved);
+SECStatus sftkdb_ClearPassword(SFTKDBHandle *keydb);
+PRBool sftkdb_InUpdateMerge(SFTKDBHandle *keydb);
+PRBool sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb);
+const char *sftkdb_GetUpdateID(SFTKDBHandle *keydb);
+SECItem *sftkdb_GetUpdatePasswordKey(SFTKDBHandle *keydb);
+void sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *keydb);
+
+/* Utility functions */
+/* 
* OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: " + "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: " + "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ * Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ * PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * be opened.
+ */
+CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
+ const char *keyPrefix, const char *updatedir,
+ const char *updCertPrefix, const char *updKeyPrefix,
+ const char *updateID, PRBool readOnly, PRBool noCertDB,
+ PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
+ SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
+CK_RV sftkdb_Shutdown(void);
+
+SFTKDBHandle *sftk_getCertDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot,
+ CK_OBJECT_HANDLE objectID);
+void sftk_freeDB(SFTKDBHandle *certHandle);
+
+PRBool sftk_isLegacyIterationCountAllowed(void);
diff --git a/security/nss/lib/softoken/sftkdbt.h b/security/nss/lib/softoken/sftkdbt.h
new file mode 100644
index 0000000000..77beb845e5
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbt.h
@@ -0,0 +1,12 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SFTKDBT_H
+#define SFTKDBT_H 1
+typedef struct SFTKDBHandleStr SFTKDBHandle;
+
+#define SDB_MAX_META_DATA_LEN 256
+#define SDB_ULONG_SIZE 4
+
+#endif
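Review bot: The parameter comment above sftk_DBInit describes a different signature than the declaration that follows it: it documents `secmodName`, `nocertdb` and `nomoddb`, none of which are parameters, and says nothing about `updatedir`, `updCertPrefix`, `updKeyPrefix`, `updateID`, `noKeyDB` or `isFIPS`. It should be rewritten around the real parameter list, stating that the update* group names a legacy database to merge from, that `isFIPS` adds SDB_FIPS to the open flags, and that `forceOpen` makes the call return CKR_OK even when the open failed (all visible in the sftk_DBInit body in the preceding hunk), and the typos `datbases`/`openned` fixed. Unlike sftkdbt.h and sftkdbti.h in this same commit, this header has no include guard; wrapping it in `#ifndef SFTKDB_H` / `#define SFTKDB_H 1` ... `#endif` would match its siblings. The declaration `CK_RV sftkdb_closeDB(SFTKDBHandle *handle);` does not match the `sftkdb_CloseDB` that sftk_freeDB calls in the preceding hunk; if no definition with the lowercase spelling exists, the declaration is dead and should be dropped.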
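Review bot: `SDB_ULONG_SIZE 4` and `SDB_MAX_META_DATA_LEN 256` are undocumented, and the first is not `sizeof(CK_ULONG)` on LP64 platforms, where CK_ULONG is 8 bytes; presumably it is the fixed width that `sftk_ULong2SDBULong` (declared in sftkdbti.h in this commit) writes into the stored attribute, in which case a value above 2^32-1 cannot round-trip through the database. I would add `#define SDB_ULONG_SIZE 4 /* serialized width of a CK_ULONG attribute in the db; independent of sizeof(CK_ULONG) */` and a similar one-line comment on SDB_MAX_META_DATA_LEN stating what it bounds.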
diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h
new file mode 100644
index 0000000000..eea52c81d3
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbti.h
@@ -0,0 +1,82 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SFTKDBTI_H
+#define SFTKDBTI_H 1
+
+/*
+ * private defines
+ */
+struct SFTKDBHandleStr {
+ SDB *db;
+ PRInt32 ref;
+ CK_OBJECT_HANDLE type;
+ SECItem passwordKey;
+ int defaultIterationCount;
+ SECItem *newKey;
+ int newDefaultIterationCount;
+ SECItem *oldKey;
+ SECItem *updatePasswordKey;
+ PZLock *passwordLock;
+ SFTKDBHandle *peerDB;
+ SDB *update;
+ char *updateID;
+ PRBool updateDBIsInit;
+ PRBool usesLegacyStorage;
+};
+
+#define SFTK_KEYDB_TYPE 0x40000000
+#define SFTK_CERTDB_TYPE 0x00000000
+#define SFTK_OBJ_TYPE_MASK 0xc0000000
+#define SFTK_OBJ_ID_MASK (~SFTK_OBJ_TYPE_MASK)
+#define SFTK_TOKEN_TYPE 0x80000000
+
+/* the following is the number of id's to handle on the stack at a time,
+ * it's not an upper limit of IDS that can be stored in the database */
+#define SFTK_MAX_IDS 10
+
+#define SFTK_GET_SDB(handle) \
+ ((handle)->update ? 
(handle)->update : (handle)->db)
+
+SECStatus sftkdb_DecryptAttribute(SFTKDBHandle *handle,
+ SECItem *passKey,
+ CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *cipherText, SECItem **plainText);
+SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena,
+ SFTKDBHandle *handle, SDB *db,
+ SECItem *passKey,
+ int iterationCount,
+ CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **cipherText);
+SECStatus sftkdb_SignAttribute(PLArenaPool *arena,
+ SFTKDBHandle *handle, SDB *db,
+ SECItem *passKey,
+ int iterationCount, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **sigText);
+SECStatus sftkdb_VerifyAttribute(SFTKDBHandle *handle,
+ SECItem *passKey,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *sigText);
+
+PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type);
+void sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value);
+CK_RV sftkdb_Update(SFTKDBHandle *handle, SECItem *key);
+CK_RV sftkdb_PutAttributeSignature(SFTKDBHandle *handle,
+ SDB *keyTarget, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type, SECItem *signText);
+CK_RV sftkdb_GetAttributeSignature(SFTKDBHandle *handle,
+ SFTKDBHandle *keyHandle,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type,
+ SECItem *signText);
+CK_RV
+sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type);
+
+#endif
diff --git a/security/nss/lib/softoken/sftkdhverify.c b/security/nss/lib/softoken/sftkdhverify.c
new file mode 100644
index 0000000000..4310486116
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdhverify.c
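Review bot: SFTKDBHandleStr documents none of its fields, and two of them carry invariants that the sftkdb.c code earlier in this commit depends on: `passwordLock` is only created in sftk_NewDBHandle when `type == SFTK_KEYDB_TYPE`, so it is NULL on certificate handles and must never be locked through one, and `passwordKey` appears to hold secret key material, since sftkdb_ResetKeyDB clears it with SECITEM_ZfreeItem rather than a plain free. I would annotate them as `PZLock *passwordLock; /* NULL unless type == SFTK_KEYDB_TYPE; guards passwordKey */` and `SECItem passwordKey; /* secret; release only via SECITEM_ZfreeItem */`, and note on `ref` that it is adjusted with PR_ATOMIC_INCREMENT/DECREMENT by sftk_get*DB and sftk_freeDB. Separately, `SFTK_GET_SDB(handle)` evaluates its argument twice; a `static inline SDB *sftk_GetSDB(SFTKDBHandle *h) { return h->update ? h->update : h->db; }` with the macro forwarding to it removes the side-effect hazard without touching callers.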
@@ -0,0 +1,6845 @@ + +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file makes sure a prime given to us matches one of the known + * approved primes for diffie-helman. + * + * It also checks if a prime is a safe prime for the case + * where we don't match an approved prime. + */ +#include "seccomon.h" +#include "secitem.h" +#include "secerr.h" +#include "blapi.h" + +/* IKE 1536 prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } */ +static const unsigned char prime_ike_1536[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* IKE 2048 prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 */ +static const unsigned char prime_ike_2048[] = { + 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, + 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, + 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* TLS 2048 prime is: 2^2048 - 2^1984 + {[2^1918 * e] + 560316 } * 2^64 - 1 */ +static const unsigned char prime_tls_2048[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58, + 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, + 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 
0xF9, + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, + 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55, + 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, + 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82, + 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, + 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, + 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32, + 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, + 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* IKE 3072 prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } */ +static const unsigned char prime_ike_3072[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 
0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, + 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, + 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, + 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, + 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, + 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, + 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, + 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, + 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* TLS 3072 prime is: 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64 - 1 */ +static const unsigned char prime_tls_3072[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 
0x58, + 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, + 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, + 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55, + 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, + 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82, + 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, + 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, + 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32, + 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, + 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B, + 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26, + 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93, + 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB, + 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 
0x0D, + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42, + 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B, + 0x66, 0xC6, 0x2E, 0x37, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* IKE 4096 prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } */ +static const unsigned char prime_ike_4096[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, + 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, + 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, + 0x04, 
0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, + 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, + 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, + 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, + 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, + 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, + 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, + 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, + 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, + 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, + 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, + 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, + 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, + 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, + 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, + 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* TLS 4096 prime is: 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64 - 1 */ +static const unsigned char prime_tls_4096[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58, + 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, + 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 
0xCE, 0x24, 0x9B, 0x3E, 0xF9, + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, + 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55, + 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, + 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82, + 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, + 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, + 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32, + 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, + 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B, + 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26, + 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93, + 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB, + 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42, + 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 
0x7C, 0x25, 0xE4, 0x1D, 0x2B, + 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42, + 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86, + 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9, + 0x71, 0xAD, 0x00, 0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9, + 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51, + 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* IKE 6144 prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } */ +static const unsigned char prime_ike_6144[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 
0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, + 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, + 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, + 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, + 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, + 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, + 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, + 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, + 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, + 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, + 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, + 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, + 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, + 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, + 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, + 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, + 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, + 0x93, 
0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, + 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, + 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2, + 0x60, 0x26, 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, + 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F, + 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, + 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB, + 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, + 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, + 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, + 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15, + 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, + 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, + 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, + 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7, + 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, + 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2, + 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, + 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D, + 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, + 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7, + 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, + 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, + 0x6D, 0xCC, 0x40, 0x24, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* TLS 6144 prime is: 2^6144 - 2^6080 + {[2^6014 * e] + 15705020} * 2^64 - 1 */ +static const unsigned char prime_tls_6144[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58, + 0xA2, 0xBB, 0x4A, 
0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, + 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, + 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55, + 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, + 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82, + 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, + 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, + 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32, + 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, + 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B, + 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26, + 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93, + 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB, + 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, + 0xAB, 0xC5, 0x21, 
0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42, + 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B, + 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42, + 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86, + 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9, + 0x71, 0xAD, 0x00, 0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9, + 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51, + 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, 0x4E, 0x67, 0x7D, 0x2C, + 0x38, 0x53, 0x2A, 0x3A, 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, 0x91, 0x7B, 0xDD, 0x64, + 0xB1, 0xC0, 0xFD, 0x4C, 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, 0x9B, 0x1F, 0x5C, 0x3E, + 0x4E, 0x46, 0x04, 0x1F, 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, 0xB8, 0x55, 0x32, 0x2E, + 0xDB, 0x63, 0x40, 0xD8, 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, 0x7F, 0xB2, 0x9F, 0x8C, + 0x18, 0x30, 0x23, 0xC3, 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, 0x94, 0xC6, 0x65, 0x1E, + 0x77, 0xCA, 0xF9, 0x92, 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, 0x0A, 0xE8, 0xDB, 0x58, + 0x47, 0xA6, 0x7C, 
0xBE, 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, 0x62, 0x29, 0x2C, 0x31, + 0x15, 0x62, 0xA8, 0x46, 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, 0x8C, 0xCF, 0x2D, 0xD5, + 0xCA, 0xCE, 0xF4, 0x03, 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, 0x3F, 0xDD, 0x4A, 0x8E, + 0x9A, 0xDB, 0x1E, 0x69, 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, 0xA4, 0x0E, 0x32, 0x9C, + 0xD0, 0xE4, 0x0E, 0x65, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* IKE 8192 prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } */ +static const unsigned char prime_ike_8192[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, + 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, + 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, + 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, + 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, + 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, + 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, + 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, + 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 
0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, + 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, + 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, + 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57, + 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, + 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, + 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, + 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, + 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, + 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, + 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, + 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, + 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, + 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F, + 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, + 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, + 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, + 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, + 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, + 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2, + 0x60, 0x26, 0x46, 0xDE, 0xC9, 
0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, + 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F, + 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, + 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB, + 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, + 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, + 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, + 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15, + 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, + 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, + 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, + 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7, + 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, + 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2, + 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, + 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D, + 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, + 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7, + 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, + 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, + 0x6D, 0xBE, 0x11, 0x59, 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, + 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, 0xD8, 0xBE, 0xC4, 0xD0, + 0x73, 0xB9, 0x31, 0xBA, 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, + 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, 0x25, 0x76, 0xF6, 0x93, + 0x6B, 0xA4, 0x24, 0x66, 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, + 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, 0x23, 0x8F, 0x16, 0xCB, + 0xE3, 0x9D, 0x65, 0x2D, 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, + 0x22, 0x22, 0x2E, 0x04, 0xA4, 
0x03, 0x7C, 0x07, 0x13, 0xEB, 0x57, 0xA8, + 0x1A, 0x23, 0xF0, 0xC7, 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, + 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, 0xFA, 0x9D, 0x4B, 0x7F, + 0xA2, 0xC0, 0x87, 0xE8, 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, + 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, 0x6D, 0x2A, 0x13, 0xF8, + 0x3F, 0x44, 0xF8, 0x2D, 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, + 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, 0x64, 0xF3, 0x1C, 0xC5, + 0x08, 0x46, 0x85, 0x1D, 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, + 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, 0xFA, 0xF3, 0x6B, 0xC3, + 0x1E, 0xCF, 0xA2, 0x68, 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, + 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, 0x88, 0x9A, 0x00, 0x2E, + 0xD5, 0xEE, 0x38, 0x2B, 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, + 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, 0x9E, 0x30, 0x50, 0xE2, + 0x76, 0x56, 0x94, 0xDF, 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, + 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* TLS 8192 prime is: 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} * 2^64 - 1 */ +static const unsigned char prime_tls_8192[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58, + 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, + 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, + 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55, + 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, + 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, + 0x30, 0xAC, 0xCA, 
0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82, + 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, + 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, + 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32, + 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, + 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B, + 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26, + 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93, + 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB, + 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42, + 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B, + 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42, + 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86, + 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9, + 0x71, 0xAD, 0x00, 
0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9, + 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51, + 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, 0x4E, 0x67, 0x7D, 0x2C, + 0x38, 0x53, 0x2A, 0x3A, 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, 0x91, 0x7B, 0xDD, 0x64, + 0xB1, 0xC0, 0xFD, 0x4C, 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, 0x9B, 0x1F, 0x5C, 0x3E, + 0x4E, 0x46, 0x04, 0x1F, 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, 0xB8, 0x55, 0x32, 0x2E, + 0xDB, 0x63, 0x40, 0xD8, 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, 0x7F, 0xB2, 0x9F, 0x8C, + 0x18, 0x30, 0x23, 0xC3, 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, 0x94, 0xC6, 0x65, 0x1E, + 0x77, 0xCA, 0xF9, 0x92, 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, 0x0A, 0xE8, 0xDB, 0x58, + 0x47, 0xA6, 0x7C, 0xBE, 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, 0x62, 0x29, 0x2C, 0x31, + 0x15, 0x62, 0xA8, 0x46, 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, 0x8C, 0xCF, 0x2D, 0xD5, + 0xCA, 0xCE, 0xF4, 0x03, 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, 0x3F, 0xDD, 0x4A, 0x8E, + 0x9A, 0xDB, 0x1E, 0x69, 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, 0xA4, 0x0E, 0x32, 0x9C, + 0xCF, 0xF4, 0x6A, 0xAA, 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, + 0x1E, 0x42, 0x5A, 
0x31, 0xD9, 0x51, 0xAE, 0x64, 0xFD, 0xB2, 0x3F, 0xCE, + 0xC9, 0x50, 0x9D, 0x43, 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, + 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, 0x86, 0xB6, 0x31, 0x42, + 0xA3, 0xAB, 0x88, 0x29, 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, + 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, 0x29, 0x38, 0x88, 0x39, + 0xD2, 0xAF, 0x05, 0xE4, 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, + 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, 0x59, 0x16, 0x0C, 0xC0, + 0x46, 0xFD, 0x82, 0x51, 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, + 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, 0x51, 0xA8, 0xA9, 0x31, + 0x09, 0x70, 0x3F, 0xEE, 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, + 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, 0x99, 0xE9, 0xE3, 0x16, + 0x50, 0xC1, 0x21, 0x7B, 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, + 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, 0xA1, 0xFE, 0x30, 0x75, + 0xA5, 0x77, 0xE2, 0x31, 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, + 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, 0xB6, 0x85, 0x5D, 0xFE, + 0x72, 0xB0, 0xA6, 0x6E, 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, + 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, 0x2F, 0x74, 0x1E, 0xF8, + 0xC1, 0xFE, 0x86, 0xFE, 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, + 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, 0x08, 0x22, 0xE5, 0x06, + 0xA9, 0xF4, 0x61, 0x4E, 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, + 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF +}; + +/* q=(p-1)/2 for prime prime_ike_1536 */ +static const unsigned char subprime_ike_1536_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, 
+ 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x11, + 0xb9, + 0x93, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_ike_2048 */ +static const unsigned char subprime_ike_2048_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, + 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 
0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x0c, + 0x10, + 0xbe, + 0x19, + 0x48, + 0x2f, + 0x23, + 0x17, + 0x1b, + 0x67, + 0x1d, + 0xf1, + 0xcf, + 0x3b, + 0x96, + 0x0c, + 0x07, + 0x43, + 0x01, + 0xcd, + 0x93, + 0xc1, + 0xd1, + 0x76, + 0x03, + 0xd1, + 0x47, + 0xda, + 0xe2, + 0xae, + 0xf8, + 0x37, + 0xa6, + 0x29, + 0x64, + 0xef, + 0x15, + 0xe5, + 0xfb, + 0x4a, + 0xac, + 0x0b, + 0x8c, + 0x1c, + 0xca, + 0xa4, + 0xbe, + 0x75, + 0x4a, + 0xb5, + 0x72, + 0x8a, + 0xe9, + 0x13, + 0x0c, + 0x4c, + 0x7d, + 0x02, + 0x88, + 0x0a, + 0xb9, + 0x47, + 0x2d, + 0x45, + 0x56, + 0x55, + 0x34, + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_tls_2048 */ +static const unsigned char subprime_tls_2048_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xd6, + 0xfc, + 0x2a, + 0x2c, + 0x51, + 0x5d, + 0xa5, + 0x4d, + 0x57, + 0xee, + 0x2b, + 0x10, + 0x13, + 0x9e, + 0x9e, + 0x78, + 0xec, + 0x5c, + 0xe2, + 0xc1, + 0xe7, + 0x16, + 0x9b, + 0x4a, + 0xd4, + 0xf0, + 0x9b, + 0x20, + 0x8a, + 0x32, + 0x19, + 0xfd, + 0xe6, + 0x49, + 0xce, + 0xe7, + 0x12, + 0x4d, + 0x9f, + 0x7c, + 0xbe, + 0x97, + 0xf1, + 0xb1, + 0xb1, + 0x86, + 0x3a, + 0xec, + 0x7b, + 0x40, + 0xd9, + 0x01, + 0x57, + 0x62, + 0x30, + 0xbd, + 0x69, + 0xef, + 0x8f, 
+ 0x6a, + 0xea, + 0xfe, + 0xb2, + 0xb0, + 0x92, + 0x19, + 0xfa, + 0x8f, + 0xaf, + 0x83, + 0x37, + 0x68, + 0x42, + 0xb1, + 0xb2, + 0xaa, + 0x9e, + 0xf6, + 0x8d, + 0x79, + 0xda, + 0xab, + 0x89, + 0xaf, + 0x3f, + 0xab, + 0xe4, + 0x9a, + 0xcc, + 0x27, + 0x86, + 0x38, + 0x70, + 0x73, + 0x45, + 0xbb, + 0xf1, + 0x53, + 0x44, + 0xed, + 0x79, + 0xf7, + 0xf4, + 0x39, + 0x0e, + 0xf8, + 0xac, + 0x50, + 0x9b, + 0x56, + 0xf3, + 0x9a, + 0x98, + 0x56, + 0x65, + 0x27, + 0xa4, + 0x1d, + 0x3c, + 0xbd, + 0x5e, + 0x05, + 0x58, + 0xc1, + 0x59, + 0x92, + 0x7d, + 0xb0, + 0xe8, + 0x84, + 0x54, + 0xa5, + 0xd9, + 0x64, + 0x71, + 0xfd, + 0xdc, + 0xb5, + 0x6d, + 0x5b, + 0xb0, + 0x6b, + 0xfa, + 0x34, + 0x0e, + 0xa7, + 0xa1, + 0x51, + 0xef, + 0x1c, + 0xa6, + 0xfa, + 0x57, + 0x2b, + 0x76, + 0xf3, + 0xb1, + 0xb9, + 0x5d, + 0x8c, + 0x85, + 0x83, + 0xd3, + 0xe4, + 0x77, + 0x05, + 0x36, + 0xb8, + 0x4f, + 0x01, + 0x7e, + 0x70, + 0xe6, + 0xfb, + 0xf1, + 0x76, + 0x60, + 0x1a, + 0x02, + 0x66, + 0x94, + 0x1a, + 0x17, + 0xb0, + 0xc8, + 0xb9, + 0x7f, + 0x4e, + 0x74, + 0xc2, + 0xc1, + 0xff, + 0xc7, + 0x27, + 0x89, + 0x19, + 0x77, + 0x79, + 0x40, + 0xc1, + 0xe1, + 0xff, + 0x1d, + 0x8d, + 0xa6, + 0x37, + 0xd6, + 0xb9, + 0x9d, + 0xda, + 0xfe, + 0x5e, + 0x17, + 0x61, + 0x10, + 0x02, + 0xe2, + 0xc7, + 0x78, + 0xc1, + 0xbe, + 0x8b, + 0x41, + 0xd9, + 0x63, + 0x79, + 0xa5, + 0x13, + 0x60, + 0xd9, + 0x77, + 0xfd, + 0x44, + 0x35, + 0xa1, + 0x1c, + 0x30, + 0x94, + 0x2e, + 0x4b, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_ike_3072 */ +static const unsigned char subprime_ike_3072_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, + 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 
0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x0c, + 0x10, + 0xbe, + 0x19, + 0x48, + 0x2f, + 0x23, + 0x17, + 0x1b, + 0x67, + 0x1d, + 0xf1, + 0xcf, + 0x3b, + 0x96, + 0x0c, + 0x07, + 0x43, + 0x01, + 0xcd, + 0x93, + 0xc1, + 0xd1, + 0x76, + 0x03, + 0xd1, + 0x47, + 0xda, + 0xe2, + 0xae, + 0xf8, + 0x37, + 0xa6, + 0x29, + 0x64, + 0xef, + 0x15, + 0xe5, + 0xfb, + 0x4a, + 0xac, + 0x0b, + 0x8c, + 0x1c, + 0xca, + 0xa4, + 0xbe, + 0x75, + 0x4a, + 0xb5, + 0x72, + 0x8a, + 0xe9, + 0x13, + 0x0c, + 0x4c, + 0x7d, + 0x02, + 0x88, + 0x0a, + 0xb9, + 0x47, + 0x2d, + 0x45, + 0x55, + 0x62, + 0x16, + 0xd6, + 0x99, + 0x8b, + 0x86, + 0x82, + 0x28, + 0x3d, + 0x19, + 0xd4, + 0x2a, + 0x90, + 0xd5, + 0xef, + 0x8e, + 0x5d, + 0x32, + 0x76, + 0x7d, + 0xc2, + 0x82, + 0x2c, + 0x6d, + 0xf7, + 0x85, + 0x45, + 0x75, + 0x38, + 0xab, + 0xae, + 0x83, + 0x06, + 0x3e, + 0xd9, + 0xcb, + 0x87, + 0xc2, + 0xd3, + 0x70, + 0xf2, + 0x63, + 0xd5, + 0xfa, + 0xd7, + 0x46, + 0x6d, + 0x84, + 0x99, + 0xeb, + 0x8f, + 
0x46, + 0x4a, + 0x70, + 0x25, + 0x12, + 0xb0, + 0xce, + 0xe7, + 0x71, + 0xe9, + 0x13, + 0x0d, + 0x69, + 0x77, + 0x35, + 0xf8, + 0x97, + 0xfd, + 0x03, + 0x6c, + 0xc5, + 0x04, + 0x32, + 0x6c, + 0x3b, + 0x01, + 0x39, + 0x9f, + 0x64, + 0x35, + 0x32, + 0x29, + 0x0f, + 0x95, + 0x8c, + 0x0b, + 0xbd, + 0x90, + 0x06, + 0x5d, + 0xf0, + 0x8b, + 0xab, + 0xbd, + 0x30, + 0xae, + 0xb6, + 0x3b, + 0x84, + 0xc4, + 0x60, + 0x5d, + 0x6c, + 0xa3, + 0x71, + 0x04, + 0x71, + 0x27, + 0xd0, + 0x3a, + 0x72, + 0xd5, + 0x98, + 0xa1, + 0xed, + 0xad, + 0xfe, + 0x70, + 0x7e, + 0x88, + 0x47, + 0x25, + 0xc1, + 0x68, + 0x90, + 0x54, + 0x9d, + 0x69, + 0x65, + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_tls_3072 */ +static const unsigned char subprime_tls_3072_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xd6, + 0xfc, + 0x2a, + 0x2c, + 0x51, + 0x5d, + 0xa5, + 0x4d, + 0x57, + 0xee, + 0x2b, + 0x10, + 0x13, + 0x9e, + 0x9e, + 0x78, + 0xec, + 0x5c, + 0xe2, + 0xc1, + 0xe7, + 0x16, + 0x9b, + 0x4a, + 0xd4, + 0xf0, + 0x9b, + 0x20, + 0x8a, + 0x32, + 0x19, + 0xfd, + 0xe6, + 0x49, + 0xce, + 0xe7, + 0x12, + 0x4d, + 0x9f, + 0x7c, + 0xbe, + 0x97, + 0xf1, + 0xb1, + 0xb1, + 0x86, + 0x3a, + 0xec, + 0x7b, + 0x40, + 0xd9, + 0x01, + 0x57, + 0x62, + 0x30, + 0xbd, + 0x69, + 0xef, + 0x8f, + 0x6a, + 0xea, + 0xfe, + 0xb2, + 0xb0, + 0x92, + 0x19, + 0xfa, + 0x8f, + 0xaf, + 0x83, + 0x37, + 0x68, + 0x42, + 0xb1, + 0xb2, + 0xaa, + 0x9e, + 0xf6, + 0x8d, + 0x79, + 0xda, + 0xab, + 0x89, + 0xaf, + 0x3f, + 0xab, + 0xe4, + 0x9a, + 0xcc, + 0x27, + 0x86, + 0x38, + 0x70, + 0x73, + 0x45, + 0xbb, + 0xf1, + 0x53, + 0x44, + 0xed, + 0x79, + 0xf7, + 0xf4, + 0x39, + 0x0e, + 0xf8, + 0xac, + 0x50, + 0x9b, + 0x56, + 0xf3, + 0x9a, + 0x98, + 0x56, + 0x65, + 0x27, + 0xa4, + 0x1d, + 0x3c, + 0xbd, + 0x5e, + 0x05, + 0x58, + 0xc1, + 0x59, + 0x92, + 0x7d, + 0xb0, + 0xe8, + 0x84, + 0x54, + 0xa5, + 0xd9, + 0x64, + 0x71, + 0xfd, + 0xdc, + 0xb5, + 0x6d, + 0x5b, + 0xb0, + 0x6b, 
+ 0xfa, + 0x34, + 0x0e, + 0xa7, + 0xa1, + 0x51, + 0xef, + 0x1c, + 0xa6, + 0xfa, + 0x57, + 0x2b, + 0x76, + 0xf3, + 0xb1, + 0xb9, + 0x5d, + 0x8c, + 0x85, + 0x83, + 0xd3, + 0xe4, + 0x77, + 0x05, + 0x36, + 0xb8, + 0x4f, + 0x01, + 0x7e, + 0x70, + 0xe6, + 0xfb, + 0xf1, + 0x76, + 0x60, + 0x1a, + 0x02, + 0x66, + 0x94, + 0x1a, + 0x17, + 0xb0, + 0xc8, + 0xb9, + 0x7f, + 0x4e, + 0x74, + 0xc2, + 0xc1, + 0xff, + 0xc7, + 0x27, + 0x89, + 0x19, + 0x77, + 0x79, + 0x40, + 0xc1, + 0xe1, + 0xff, + 0x1d, + 0x8d, + 0xa6, + 0x37, + 0xd6, + 0xb9, + 0x9d, + 0xda, + 0xfe, + 0x5e, + 0x17, + 0x61, + 0x10, + 0x02, + 0xe2, + 0xc7, + 0x78, + 0xc1, + 0xbe, + 0x8b, + 0x41, + 0xd9, + 0x63, + 0x79, + 0xa5, + 0x13, + 0x60, + 0xd9, + 0x77, + 0xfd, + 0x44, + 0x35, + 0xa1, + 0x1c, + 0x30, + 0x8f, + 0xe7, + 0xee, + 0x6f, + 0x1a, + 0xad, + 0x9d, + 0xb2, + 0x8c, + 0x81, + 0xad, + 0xde, + 0x1a, + 0x7a, + 0x6f, + 0x7c, + 0xce, + 0x01, + 0x1c, + 0x30, + 0xda, + 0x37, + 0xe4, + 0xeb, + 0x73, + 0x64, + 0x83, + 0xbd, + 0x6c, + 0x8e, + 0x93, + 0x48, + 0xfb, + 0xfb, + 0xf7, + 0x2c, + 0xc6, + 0x58, + 0x7d, + 0x60, + 0xc3, + 0x6c, + 0x8e, + 0x57, + 0x7f, + 0x09, + 0x84, + 0xc2, + 0x89, + 0xc9, + 0x38, + 0x5a, + 0x09, + 0x86, + 0x49, + 0xde, + 0x21, + 0xbc, + 0xa2, + 0x7a, + 0x7e, + 0xa2, + 0x29, + 0x71, + 0x6b, + 0xa6, + 0xe9, + 0xb2, + 0x79, + 0x71, + 0x0f, + 0x38, + 0xfa, + 0xa5, + 0xff, + 0xae, + 0x57, + 0x41, + 0x55, + 0xce, + 0x4e, + 0xfb, + 0x4f, + 0x74, + 0x36, + 0x95, + 0xe2, + 0x91, + 0x1b, + 0x1d, + 0x06, + 0xd5, + 0xe2, + 0x90, + 0xcb, + 0xcd, + 0x86, + 0xf5, + 0x6d, + 0x0e, + 0xdf, + 0xcd, + 0x21, + 0x6a, + 0xe2, + 0x24, + 0x27, + 0x05, + 0x5e, + 0x68, + 0x35, + 0xfd, + 0x29, + 0xee, + 0xf7, + 0x9e, + 0x0d, + 0x90, + 0x77, + 0x1f, + 0xea, + 0xce, + 0xbe, + 0x12, + 0xf2, + 0x0e, + 0x95, + 0xb3, + 0x63, + 0x17, + 0x1b, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_ike_4096 */ +static const unsigned char subprime_ike_4096_data[] = { + 0x7f, + 0xff, + 
0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, + 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x0c, + 0x10, + 0xbe, + 0x19, + 0x48, + 0x2f, + 0x23, + 0x17, + 0x1b, + 0x67, + 0x1d, + 0xf1, + 0xcf, + 0x3b, + 0x96, + 0x0c, + 0x07, + 0x43, + 0x01, + 0xcd, + 0x93, + 0xc1, + 0xd1, + 0x76, + 0x03, + 0xd1, + 0x47, + 0xda, + 0xe2, + 0xae, + 0xf8, + 0x37, + 0xa6, + 0x29, + 0x64, + 0xef, + 0x15, + 0xe5, + 0xfb, + 0x4a, + 0xac, + 0x0b, + 0x8c, + 0x1c, + 0xca, + 0xa4, + 0xbe, + 0x75, + 0x4a, + 0xb5, + 0x72, + 0x8a, + 0xe9, + 0x13, + 0x0c, + 0x4c, + 0x7d, + 0x02, + 0x88, + 0x0a, + 0xb9, + 0x47, + 0x2d, + 0x45, + 0x55, + 0x62, + 0x16, + 0xd6, + 0x99, + 0x8b, + 0x86, + 
0x82, + 0x28, + 0x3d, + 0x19, + 0xd4, + 0x2a, + 0x90, + 0xd5, + 0xef, + 0x8e, + 0x5d, + 0x32, + 0x76, + 0x7d, + 0xc2, + 0x82, + 0x2c, + 0x6d, + 0xf7, + 0x85, + 0x45, + 0x75, + 0x38, + 0xab, + 0xae, + 0x83, + 0x06, + 0x3e, + 0xd9, + 0xcb, + 0x87, + 0xc2, + 0xd3, + 0x70, + 0xf2, + 0x63, + 0xd5, + 0xfa, + 0xd7, + 0x46, + 0x6d, + 0x84, + 0x99, + 0xeb, + 0x8f, + 0x46, + 0x4a, + 0x70, + 0x25, + 0x12, + 0xb0, + 0xce, + 0xe7, + 0x71, + 0xe9, + 0x13, + 0x0d, + 0x69, + 0x77, + 0x35, + 0xf8, + 0x97, + 0xfd, + 0x03, + 0x6c, + 0xc5, + 0x04, + 0x32, + 0x6c, + 0x3b, + 0x01, + 0x39, + 0x9f, + 0x64, + 0x35, + 0x32, + 0x29, + 0x0f, + 0x95, + 0x8c, + 0x0b, + 0xbd, + 0x90, + 0x06, + 0x5d, + 0xf0, + 0x8b, + 0xab, + 0xbd, + 0x30, + 0xae, + 0xb6, + 0x3b, + 0x84, + 0xc4, + 0x60, + 0x5d, + 0x6c, + 0xa3, + 0x71, + 0x04, + 0x71, + 0x27, + 0xd0, + 0x3a, + 0x72, + 0xd5, + 0x98, + 0xa1, + 0xed, + 0xad, + 0xfe, + 0x70, + 0x7e, + 0x88, + 0x47, + 0x25, + 0xc1, + 0x68, + 0x90, + 0x54, + 0x90, + 0x84, + 0x00, + 0x8d, + 0x39, + 0x1e, + 0x09, + 0x53, + 0xc3, + 0xf3, + 0x6b, + 0xc4, + 0x38, + 0xcd, + 0x08, + 0x5e, + 0xdd, + 0x2d, + 0x93, + 0x4c, + 0xe1, + 0x93, + 0x8c, + 0x35, + 0x7a, + 0x71, + 0x1e, + 0x0d, + 0x4a, + 0x34, + 0x1a, + 0x5b, + 0x0a, + 0x85, + 0xed, + 0x12, + 0xc1, + 0xf4, + 0xe5, + 0x15, + 0x6a, + 0x26, + 0x74, + 0x6d, + 0xdd, + 0xe1, + 0x6d, + 0x82, + 0x6f, + 0x47, + 0x7c, + 0x97, + 0x47, + 0x7e, + 0x0a, + 0x0f, + 0xdf, + 0x65, + 0x53, + 0x14, + 0x3e, + 0x2c, + 0xa3, + 0xa7, + 0x35, + 0xe0, + 0x2e, + 0xcc, + 0xd9, + 0x4b, + 0x27, + 0xd0, + 0x48, + 0x61, + 0xd1, + 0x11, + 0x9d, + 0xd0, + 0xc3, + 0x28, + 0xad, + 0xf3, + 0xf6, + 0x8f, + 0xb0, + 0x94, + 0xb8, + 0x67, + 0x71, + 0x6b, + 0xd7, + 0xdc, + 0x0d, + 0xee, + 0xbb, + 0x10, + 0xb8, + 0x24, + 0x0e, + 0x68, + 0x03, + 0x48, + 0x93, + 0xea, + 0xd8, + 0x2d, + 0x54, + 0xc9, + 0xda, + 0x75, + 0x4c, + 0x46, + 0xc7, + 0xee, + 0xe0, + 0xc3, + 0x7f, + 0xdb, + 0xee, + 0x48, + 0x53, + 0x60, + 0x47, + 0xa6, + 0xfa, + 0x1a, + 0xe4, + 0x9a, + 0x03, + 
0x18, + 0xcc, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_tls_4096 */ +static const unsigned char subprime_tls_4096_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xd6, + 0xfc, + 0x2a, + 0x2c, + 0x51, + 0x5d, + 0xa5, + 0x4d, + 0x57, + 0xee, + 0x2b, + 0x10, + 0x13, + 0x9e, + 0x9e, + 0x78, + 0xec, + 0x5c, + 0xe2, + 0xc1, + 0xe7, + 0x16, + 0x9b, + 0x4a, + 0xd4, + 0xf0, + 0x9b, + 0x20, + 0x8a, + 0x32, + 0x19, + 0xfd, + 0xe6, + 0x49, + 0xce, + 0xe7, + 0x12, + 0x4d, + 0x9f, + 0x7c, + 0xbe, + 0x97, + 0xf1, + 0xb1, + 0xb1, + 0x86, + 0x3a, + 0xec, + 0x7b, + 0x40, + 0xd9, + 0x01, + 0x57, + 0x62, + 0x30, + 0xbd, + 0x69, + 0xef, + 0x8f, + 0x6a, + 0xea, + 0xfe, + 0xb2, + 0xb0, + 0x92, + 0x19, + 0xfa, + 0x8f, + 0xaf, + 0x83, + 0x37, + 0x68, + 0x42, + 0xb1, + 0xb2, + 0xaa, + 0x9e, + 0xf6, + 0x8d, + 0x79, + 0xda, + 0xab, + 0x89, + 0xaf, + 0x3f, + 0xab, + 0xe4, + 0x9a, + 0xcc, + 0x27, + 0x86, + 0x38, + 0x70, + 0x73, + 0x45, + 0xbb, + 0xf1, + 0x53, + 0x44, + 0xed, + 0x79, + 0xf7, + 0xf4, + 0x39, + 0x0e, + 0xf8, + 0xac, + 0x50, + 0x9b, + 0x56, + 0xf3, + 0x9a, + 0x98, + 0x56, + 0x65, + 0x27, + 0xa4, + 0x1d, + 0x3c, + 0xbd, + 0x5e, + 0x05, + 0x58, + 0xc1, + 0x59, + 0x92, + 0x7d, + 0xb0, + 0xe8, + 0x84, + 0x54, + 0xa5, + 0xd9, + 0x64, + 0x71, + 0xfd, + 0xdc, + 0xb5, + 0x6d, + 0x5b, + 0xb0, + 0x6b, + 0xfa, + 0x34, + 0x0e, + 0xa7, + 0xa1, + 0x51, + 0xef, + 0x1c, + 0xa6, + 0xfa, + 0x57, + 0x2b, + 0x76, + 0xf3, + 0xb1, + 0xb9, + 0x5d, + 0x8c, + 0x85, + 0x83, + 0xd3, + 0xe4, + 0x77, + 0x05, + 0x36, + 0xb8, + 0x4f, + 0x01, + 0x7e, + 0x70, + 0xe6, + 0xfb, + 0xf1, + 0x76, + 0x60, + 0x1a, + 0x02, + 0x66, + 0x94, + 0x1a, + 0x17, + 0xb0, + 0xc8, + 0xb9, + 0x7f, + 0x4e, + 0x74, + 0xc2, + 0xc1, + 0xff, + 0xc7, + 0x27, + 0x89, + 0x19, + 0x77, + 0x79, + 0x40, + 0xc1, + 0xe1, + 0xff, + 0x1d, + 0x8d, + 0xa6, + 0x37, + 0xd6, + 0xb9, + 0x9d, + 0xda, + 0xfe, + 0x5e, + 0x17, + 0x61, + 0x10, + 0x02, + 0xe2, + 0xc7, + 0x78, 
+ 0xc1, + 0xbe, + 0x8b, + 0x41, + 0xd9, + 0x63, + 0x79, + 0xa5, + 0x13, + 0x60, + 0xd9, + 0x77, + 0xfd, + 0x44, + 0x35, + 0xa1, + 0x1c, + 0x30, + 0x8f, + 0xe7, + 0xee, + 0x6f, + 0x1a, + 0xad, + 0x9d, + 0xb2, + 0x8c, + 0x81, + 0xad, + 0xde, + 0x1a, + 0x7a, + 0x6f, + 0x7c, + 0xce, + 0x01, + 0x1c, + 0x30, + 0xda, + 0x37, + 0xe4, + 0xeb, + 0x73, + 0x64, + 0x83, + 0xbd, + 0x6c, + 0x8e, + 0x93, + 0x48, + 0xfb, + 0xfb, + 0xf7, + 0x2c, + 0xc6, + 0x58, + 0x7d, + 0x60, + 0xc3, + 0x6c, + 0x8e, + 0x57, + 0x7f, + 0x09, + 0x84, + 0xc2, + 0x89, + 0xc9, + 0x38, + 0x5a, + 0x09, + 0x86, + 0x49, + 0xde, + 0x21, + 0xbc, + 0xa2, + 0x7a, + 0x7e, + 0xa2, + 0x29, + 0x71, + 0x6b, + 0xa6, + 0xe9, + 0xb2, + 0x79, + 0x71, + 0x0f, + 0x38, + 0xfa, + 0xa5, + 0xff, + 0xae, + 0x57, + 0x41, + 0x55, + 0xce, + 0x4e, + 0xfb, + 0x4f, + 0x74, + 0x36, + 0x95, + 0xe2, + 0x91, + 0x1b, + 0x1d, + 0x06, + 0xd5, + 0xe2, + 0x90, + 0xcb, + 0xcd, + 0x86, + 0xf5, + 0x6d, + 0x0e, + 0xdf, + 0xcd, + 0x21, + 0x6a, + 0xe2, + 0x24, + 0x27, + 0x05, + 0x5e, + 0x68, + 0x35, + 0xfd, + 0x29, + 0xee, + 0xf7, + 0x9e, + 0x0d, + 0x90, + 0x77, + 0x1f, + 0xea, + 0xce, + 0xbe, + 0x12, + 0xf2, + 0x0e, + 0x95, + 0xb3, + 0x4f, + 0x0f, + 0x78, + 0xb7, + 0x37, + 0xa9, + 0x61, + 0x8b, + 0x26, + 0xfa, + 0x7d, + 0xbc, + 0x98, + 0x74, + 0xf2, + 0x72, + 0xc4, + 0x2b, + 0xdb, + 0x56, + 0x3e, + 0xaf, + 0xa1, + 0x6b, + 0x4f, + 0xb6, + 0x8c, + 0x3b, + 0xb1, + 0xe7, + 0x8e, + 0xaa, + 0x81, + 0xa0, + 0x02, + 0x43, + 0xfa, + 0xad, + 0xd2, + 0xbf, + 0x18, + 0xe6, + 0x3d, + 0x38, + 0x9a, + 0xe4, + 0x43, + 0x77, + 0xda, + 0x18, + 0xc5, + 0x76, + 0xb5, + 0x0f, + 0x00, + 0x96, + 0xcf, + 0x34, + 0x19, + 0x54, + 0x83, + 0xb0, + 0x05, + 0x48, + 0xc0, + 0x98, + 0x62, + 0x36, + 0xe3, + 0xbc, + 0x7c, + 0xb8, + 0xd6, + 0x80, + 0x1c, + 0x04, + 0x94, + 0xcc, + 0xd1, + 0x99, + 0xe5, + 0xc5, + 0xbd, + 0x0d, + 0x0e, + 0xdc, + 0x9e, + 0xb8, + 0xa0, + 0x00, + 0x1e, + 0x15, + 0x27, + 0x67, + 0x54, + 0xfc, + 0xc6, + 0x85, + 0x66, + 0x05, + 0x41, + 0x48, + 0xe6, + 0xe7, 
+ 0x64, + 0xbe, + 0xe7, + 0xc7, + 0x64, + 0xda, + 0xad, + 0x3f, + 0xc4, + 0x52, + 0x35, + 0xa6, + 0xda, + 0xd4, + 0x28, + 0xfa, + 0x20, + 0xc1, + 0x70, + 0xe3, + 0x45, + 0x00, + 0x3f, + 0x2f, + 0x32, + 0xaf, + 0xb5, + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_ike_6144 */ +static const unsigned char subprime_ike_6144_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, + 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x0c, + 0x10, + 0xbe, + 0x19, + 0x48, + 0x2f, + 0x23, + 0x17, + 0x1b, + 0x67, + 0x1d, + 0xf1, + 0xcf, + 0x3b, + 0x96, + 0x0c, + 0x07, + 0x43, + 0x01, + 0xcd, + 
0x93, + 0xc1, + 0xd1, + 0x76, + 0x03, + 0xd1, + 0x47, + 0xda, + 0xe2, + 0xae, + 0xf8, + 0x37, + 0xa6, + 0x29, + 0x64, + 0xef, + 0x15, + 0xe5, + 0xfb, + 0x4a, + 0xac, + 0x0b, + 0x8c, + 0x1c, + 0xca, + 0xa4, + 0xbe, + 0x75, + 0x4a, + 0xb5, + 0x72, + 0x8a, + 0xe9, + 0x13, + 0x0c, + 0x4c, + 0x7d, + 0x02, + 0x88, + 0x0a, + 0xb9, + 0x47, + 0x2d, + 0x45, + 0x55, + 0x62, + 0x16, + 0xd6, + 0x99, + 0x8b, + 0x86, + 0x82, + 0x28, + 0x3d, + 0x19, + 0xd4, + 0x2a, + 0x90, + 0xd5, + 0xef, + 0x8e, + 0x5d, + 0x32, + 0x76, + 0x7d, + 0xc2, + 0x82, + 0x2c, + 0x6d, + 0xf7, + 0x85, + 0x45, + 0x75, + 0x38, + 0xab, + 0xae, + 0x83, + 0x06, + 0x3e, + 0xd9, + 0xcb, + 0x87, + 0xc2, + 0xd3, + 0x70, + 0xf2, + 0x63, + 0xd5, + 0xfa, + 0xd7, + 0x46, + 0x6d, + 0x84, + 0x99, + 0xeb, + 0x8f, + 0x46, + 0x4a, + 0x70, + 0x25, + 0x12, + 0xb0, + 0xce, + 0xe7, + 0x71, + 0xe9, + 0x13, + 0x0d, + 0x69, + 0x77, + 0x35, + 0xf8, + 0x97, + 0xfd, + 0x03, + 0x6c, + 0xc5, + 0x04, + 0x32, + 0x6c, + 0x3b, + 0x01, + 0x39, + 0x9f, + 0x64, + 0x35, + 0x32, + 0x29, + 0x0f, + 0x95, + 0x8c, + 0x0b, + 0xbd, + 0x90, + 0x06, + 0x5d, + 0xf0, + 0x8b, + 0xab, + 0xbd, + 0x30, + 0xae, + 0xb6, + 0x3b, + 0x84, + 0xc4, + 0x60, + 0x5d, + 0x6c, + 0xa3, + 0x71, + 0x04, + 0x71, + 0x27, + 0xd0, + 0x3a, + 0x72, + 0xd5, + 0x98, + 0xa1, + 0xed, + 0xad, + 0xfe, + 0x70, + 0x7e, + 0x88, + 0x47, + 0x25, + 0xc1, + 0x68, + 0x90, + 0x54, + 0x90, + 0x84, + 0x00, + 0x8d, + 0x39, + 0x1e, + 0x09, + 0x53, + 0xc3, + 0xf3, + 0x6b, + 0xc4, + 0x38, + 0xcd, + 0x08, + 0x5e, + 0xdd, + 0x2d, + 0x93, + 0x4c, + 0xe1, + 0x93, + 0x8c, + 0x35, + 0x7a, + 0x71, + 0x1e, + 0x0d, + 0x4a, + 0x34, + 0x1a, + 0x5b, + 0x0a, + 0x85, + 0xed, + 0x12, + 0xc1, + 0xf4, + 0xe5, + 0x15, + 0x6a, + 0x26, + 0x74, + 0x6d, + 0xdd, + 0xe1, + 0x6d, + 0x82, + 0x6f, + 0x47, + 0x7c, + 0x97, + 0x47, + 0x7e, + 0x0a, + 0x0f, + 0xdf, + 0x65, + 0x53, + 0x14, + 0x3e, + 0x2c, + 0xa3, + 0xa7, + 0x35, + 0xe0, + 0x2e, + 0xcc, + 0xd9, + 0x4b, + 0x27, + 0xd0, + 0x48, + 0x61, + 0xd1, + 0x11, + 0x9d, + 0xd0, + 
0xc3, + 0x28, + 0xad, + 0xf3, + 0xf6, + 0x8f, + 0xb0, + 0x94, + 0xb8, + 0x67, + 0x71, + 0x6b, + 0xd7, + 0xdc, + 0x0d, + 0xee, + 0xbb, + 0x10, + 0xb8, + 0x24, + 0x0e, + 0x68, + 0x03, + 0x48, + 0x93, + 0xea, + 0xd8, + 0x2d, + 0x54, + 0xc9, + 0xda, + 0x75, + 0x4c, + 0x46, + 0xc7, + 0xee, + 0xe0, + 0xc3, + 0x7f, + 0xdb, + 0xee, + 0x48, + 0x53, + 0x60, + 0x47, + 0xa6, + 0xfa, + 0x1a, + 0xe4, + 0x9a, + 0x01, + 0x42, + 0x49, + 0x1b, + 0x61, + 0xfd, + 0x5a, + 0x69, + 0x3e, + 0x38, + 0x13, + 0x60, + 0xea, + 0x6e, + 0x59, + 0x30, + 0x13, + 0x23, + 0x6f, + 0x64, + 0xba, + 0x8f, + 0x3b, + 0x1e, + 0xdd, + 0x1b, + 0xde, + 0xfc, + 0x7f, + 0xca, + 0x03, + 0x56, + 0xcf, + 0x29, + 0x87, + 0x72, + 0xed, + 0x9c, + 0x17, + 0xa0, + 0x98, + 0x00, + 0xd7, + 0x58, + 0x35, + 0x29, + 0xf6, + 0xc8, + 0x13, + 0xec, + 0x18, + 0x8b, + 0xcb, + 0x93, + 0xd8, + 0x43, + 0x2d, + 0x44, + 0x8c, + 0x6d, + 0x1f, + 0x6d, + 0xf5, + 0xe7, + 0xcd, + 0x8a, + 0x76, + 0xa2, + 0x67, + 0x36, + 0x5d, + 0x67, + 0x6a, + 0x5d, + 0x8d, + 0xed, + 0xbf, + 0x8a, + 0x23, + 0xf3, + 0x66, + 0x12, + 0xa5, + 0x99, + 0x90, + 0x28, + 0xa8, + 0x95, + 0xeb, + 0xd7, + 0xa1, + 0x37, + 0xdc, + 0x7a, + 0x00, + 0x9b, + 0xc6, + 0x69, + 0x5f, + 0xac, + 0xc1, + 0xe5, + 0x00, + 0xe3, + 0x25, + 0xc9, + 0x76, + 0x78, + 0x19, + 0x75, + 0x0a, + 0xe8, + 0xb9, + 0x0e, + 0x81, + 0xfa, + 0x41, + 0x6b, + 0xe7, + 0x37, + 0x3a, + 0x7f, + 0x7b, + 0x6a, + 0xaf, + 0x38, + 0x17, + 0xa3, + 0x4c, + 0x06, + 0x41, + 0x5a, + 0xd4, + 0x20, + 0x18, + 0xc8, + 0x05, + 0x8e, + 0x4f, + 0x2c, + 0xf3, + 0xe4, + 0xbf, + 0xdf, + 0x63, + 0xf4, + 0x79, + 0x91, + 0xd4, + 0xbd, + 0x3f, + 0x1b, + 0x66, + 0x44, + 0x5f, + 0x07, + 0x8e, + 0xa2, + 0xdb, + 0xff, + 0xac, + 0x2d, + 0x62, + 0xa5, + 0xea, + 0x03, + 0xd9, + 0x15, + 0xa0, + 0xaa, + 0x55, + 0x66, + 0x47, + 0xb6, + 0xbf, + 0x5f, + 0xa4, + 0x70, + 0xec, + 0x0a, + 0x66, + 0x2f, + 0x69, + 0x07, + 0xc0, + 0x1b, + 0xf0, + 0x53, + 0xcb, + 0x8a, + 0xf7, + 0x79, + 0x4d, + 0xf1, + 0x94, + 0x03, + 0x50, + 0xea, + 0xc5, + 0xdb, + 
0xe2, + 0xed, + 0x3b, + 0x7a, + 0xa8, + 0x55, + 0x1e, + 0xc5, + 0x0f, + 0xdf, + 0xf8, + 0x75, + 0x8c, + 0xe6, + 0x58, + 0xd1, + 0x89, + 0xea, + 0xae, + 0x6d, + 0x2b, + 0x64, + 0xf6, + 0x17, + 0x79, + 0x4b, + 0x19, + 0x1c, + 0x3f, + 0xf4, + 0x6b, + 0xb7, + 0x1e, + 0x02, + 0x34, + 0x02, + 0x1f, + 0x47, + 0xb3, + 0x1f, + 0xa4, + 0x30, + 0x77, + 0x09, + 0x5f, + 0x96, + 0xad, + 0x85, + 0xba, + 0x3a, + 0x6b, + 0x73, + 0x4a, + 0x7c, + 0x8f, + 0x36, + 0xe6, + 0x20, + 0x12, + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_tls_6144 */ +static const unsigned char subprime_tls_6144_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xd6, + 0xfc, + 0x2a, + 0x2c, + 0x51, + 0x5d, + 0xa5, + 0x4d, + 0x57, + 0xee, + 0x2b, + 0x10, + 0x13, + 0x9e, + 0x9e, + 0x78, + 0xec, + 0x5c, + 0xe2, + 0xc1, + 0xe7, + 0x16, + 0x9b, + 0x4a, + 0xd4, + 0xf0, + 0x9b, + 0x20, + 0x8a, + 0x32, + 0x19, + 0xfd, + 0xe6, + 0x49, + 0xce, + 0xe7, + 0x12, + 0x4d, + 0x9f, + 0x7c, + 0xbe, + 0x97, + 0xf1, + 0xb1, + 0xb1, + 0x86, + 0x3a, + 0xec, + 0x7b, + 0x40, + 0xd9, + 0x01, + 0x57, + 0x62, + 0x30, + 0xbd, + 0x69, + 0xef, + 0x8f, + 0x6a, + 0xea, + 0xfe, + 0xb2, + 0xb0, + 0x92, + 0x19, + 0xfa, + 0x8f, + 0xaf, + 0x83, + 0x37, + 0x68, + 0x42, + 0xb1, + 0xb2, + 0xaa, + 0x9e, + 0xf6, + 0x8d, + 0x79, + 0xda, + 0xab, + 0x89, + 0xaf, + 0x3f, + 0xab, + 0xe4, + 0x9a, + 0xcc, + 0x27, + 0x86, + 0x38, + 0x70, + 0x73, + 0x45, + 0xbb, + 0xf1, + 0x53, + 0x44, + 0xed, + 0x79, + 0xf7, + 0xf4, + 0x39, + 0x0e, + 0xf8, + 0xac, + 0x50, + 0x9b, + 0x56, + 0xf3, + 0x9a, + 0x98, + 0x56, + 0x65, + 0x27, + 0xa4, + 0x1d, + 0x3c, + 0xbd, + 0x5e, + 0x05, + 0x58, + 0xc1, + 0x59, + 0x92, + 0x7d, + 0xb0, + 0xe8, + 0x84, + 0x54, + 0xa5, + 0xd9, + 0x64, + 0x71, + 0xfd, + 0xdc, + 0xb5, + 0x6d, + 0x5b, + 0xb0, + 0x6b, + 0xfa, + 0x34, + 0x0e, + 0xa7, + 0xa1, + 0x51, + 0xef, + 0x1c, + 0xa6, + 0xfa, + 0x57, + 0x2b, + 0x76, + 0xf3, + 0xb1, + 0xb9, + 0x5d, + 0x8c, + 0x85, + 0x83, 
+ 0xd3, + 0xe4, + 0x77, + 0x05, + 0x36, + 0xb8, + 0x4f, + 0x01, + 0x7e, + 0x70, + 0xe6, + 0xfb, + 0xf1, + 0x76, + 0x60, + 0x1a, + 0x02, + 0x66, + 0x94, + 0x1a, + 0x17, + 0xb0, + 0xc8, + 0xb9, + 0x7f, + 0x4e, + 0x74, + 0xc2, + 0xc1, + 0xff, + 0xc7, + 0x27, + 0x89, + 0x19, + 0x77, + 0x79, + 0x40, + 0xc1, + 0xe1, + 0xff, + 0x1d, + 0x8d, + 0xa6, + 0x37, + 0xd6, + 0xb9, + 0x9d, + 0xda, + 0xfe, + 0x5e, + 0x17, + 0x61, + 0x10, + 0x02, + 0xe2, + 0xc7, + 0x78, + 0xc1, + 0xbe, + 0x8b, + 0x41, + 0xd9, + 0x63, + 0x79, + 0xa5, + 0x13, + 0x60, + 0xd9, + 0x77, + 0xfd, + 0x44, + 0x35, + 0xa1, + 0x1c, + 0x30, + 0x8f, + 0xe7, + 0xee, + 0x6f, + 0x1a, + 0xad, + 0x9d, + 0xb2, + 0x8c, + 0x81, + 0xad, + 0xde, + 0x1a, + 0x7a, + 0x6f, + 0x7c, + 0xce, + 0x01, + 0x1c, + 0x30, + 0xda, + 0x37, + 0xe4, + 0xeb, + 0x73, + 0x64, + 0x83, + 0xbd, + 0x6c, + 0x8e, + 0x93, + 0x48, + 0xfb, + 0xfb, + 0xf7, + 0x2c, + 0xc6, + 0x58, + 0x7d, + 0x60, + 0xc3, + 0x6c, + 0x8e, + 0x57, + 0x7f, + 0x09, + 0x84, + 0xc2, + 0x89, + 0xc9, + 0x38, + 0x5a, + 0x09, + 0x86, + 0x49, + 0xde, + 0x21, + 0xbc, + 0xa2, + 0x7a, + 0x7e, + 0xa2, + 0x29, + 0x71, + 0x6b, + 0xa6, + 0xe9, + 0xb2, + 0x79, + 0x71, + 0x0f, + 0x38, + 0xfa, + 0xa5, + 0xff, + 0xae, + 0x57, + 0x41, + 0x55, + 0xce, + 0x4e, + 0xfb, + 0x4f, + 0x74, + 0x36, + 0x95, + 0xe2, + 0x91, + 0x1b, + 0x1d, + 0x06, + 0xd5, + 0xe2, + 0x90, + 0xcb, + 0xcd, + 0x86, + 0xf5, + 0x6d, + 0x0e, + 0xdf, + 0xcd, + 0x21, + 0x6a, + 0xe2, + 0x24, + 0x27, + 0x05, + 0x5e, + 0x68, + 0x35, + 0xfd, + 0x29, + 0xee, + 0xf7, + 0x9e, + 0x0d, + 0x90, + 0x77, + 0x1f, + 0xea, + 0xce, + 0xbe, + 0x12, + 0xf2, + 0x0e, + 0x95, + 0xb3, + 0x4f, + 0x0f, + 0x78, + 0xb7, + 0x37, + 0xa9, + 0x61, + 0x8b, + 0x26, + 0xfa, + 0x7d, + 0xbc, + 0x98, + 0x74, + 0xf2, + 0x72, + 0xc4, + 0x2b, + 0xdb, + 0x56, + 0x3e, + 0xaf, + 0xa1, + 0x6b, + 0x4f, + 0xb6, + 0x8c, + 0x3b, + 0xb1, + 0xe7, + 0x8e, + 0xaa, + 0x81, + 0xa0, + 0x02, + 0x43, + 0xfa, + 0xad, + 0xd2, + 0xbf, + 0x18, + 0xe6, + 0x3d, + 0x38, + 0x9a, + 0xe4, + 0x43, 
+ 0x77, + 0xda, + 0x18, + 0xc5, + 0x76, + 0xb5, + 0x0f, + 0x00, + 0x96, + 0xcf, + 0x34, + 0x19, + 0x54, + 0x83, + 0xb0, + 0x05, + 0x48, + 0xc0, + 0x98, + 0x62, + 0x36, + 0xe3, + 0xbc, + 0x7c, + 0xb8, + 0xd6, + 0x80, + 0x1c, + 0x04, + 0x94, + 0xcc, + 0xd1, + 0x99, + 0xe5, + 0xc5, + 0xbd, + 0x0d, + 0x0e, + 0xdc, + 0x9e, + 0xb8, + 0xa0, + 0x00, + 0x1e, + 0x15, + 0x27, + 0x67, + 0x54, + 0xfc, + 0xc6, + 0x85, + 0x66, + 0x05, + 0x41, + 0x48, + 0xe6, + 0xe7, + 0x64, + 0xbe, + 0xe7, + 0xc7, + 0x64, + 0xda, + 0xad, + 0x3f, + 0xc4, + 0x52, + 0x35, + 0xa6, + 0xda, + 0xd4, + 0x28, + 0xfa, + 0x20, + 0xc1, + 0x70, + 0xe3, + 0x45, + 0x00, + 0x3f, + 0x2f, + 0x06, + 0xec, + 0x81, + 0x05, + 0xfe, + 0xb2, + 0x5b, + 0x22, + 0x81, + 0xb6, + 0x3d, + 0x27, + 0x33, + 0xbe, + 0x96, + 0x1c, + 0x29, + 0x95, + 0x1d, + 0x11, + 0xdd, + 0x22, + 0x21, + 0x65, + 0x7a, + 0x9f, + 0x53, + 0x1d, + 0xda, + 0x2a, + 0x19, + 0x4d, + 0xbb, + 0x12, + 0x64, + 0x48, + 0xbd, + 0xee, + 0xb2, + 0x58, + 0xe0, + 0x7e, + 0xa6, + 0x59, + 0xc7, + 0x46, + 0x19, + 0xa6, + 0x38, + 0x0e, + 0x1d, + 0x66, + 0xd6, + 0x83, + 0x2b, + 0xfe, + 0x67, + 0xf6, + 0x38, + 0xcd, + 0x8f, + 0xae, + 0x1f, + 0x27, + 0x23, + 0x02, + 0x0f, + 0x9c, + 0x40, + 0xa3, + 0xfd, + 0xa6, + 0x7e, + 0xda, + 0x3b, + 0xd2, + 0x92, + 0x38, + 0xfb, + 0xd4, + 0xd4, + 0xb4, + 0x88, + 0x5c, + 0x2a, + 0x99, + 0x17, + 0x6d, + 0xb1, + 0xa0, + 0x6c, + 0x50, + 0x07, + 0x78, + 0x49, + 0x1a, + 0x82, + 0x88, + 0xf1, + 0x85, + 0x5f, + 0x60, + 0xff, + 0xfc, + 0xf1, + 0xd1, + 0x37, + 0x3f, + 0xd9, + 0x4f, + 0xc6, + 0x0c, + 0x18, + 0x11, + 0xe1, + 0xac, + 0x3f, + 0x1c, + 0x6d, + 0x00, + 0x3b, + 0xec, + 0xda, + 0x3b, + 0x1f, + 0x27, + 0x25, + 0xca, + 0x59, + 0x5d, + 0xe0, + 0xca, + 0x63, + 0x32, + 0x8f, + 0x3b, + 0xe5, + 0x7c, + 0xc9, + 0x77, + 0x55, + 0x60, + 0x11, + 0x95, + 0x14, + 0x0d, + 0xfb, + 0x59, + 0xd3, + 0x9c, + 0xe0, + 0x91, + 0x30, + 0x8b, + 0x41, + 0x05, + 0x74, + 0x6d, + 0xac, + 0x23, + 0xd3, + 0x3e, + 0x5f, + 0x7c, + 0xe4, + 0x84, + 0x8d, + 0xa3, + 0x16, 
+ 0xa9, + 0xc6, + 0x6b, + 0x95, + 0x81, + 0xba, + 0x35, + 0x73, + 0xbf, + 0xaf, + 0x31, + 0x14, + 0x96, + 0x18, + 0x8a, + 0xb1, + 0x54, + 0x23, + 0x28, + 0x2e, + 0xe4, + 0x16, + 0xdc, + 0x2a, + 0x19, + 0xc5, + 0x72, + 0x4f, + 0xa9, + 0x1a, + 0xe4, + 0xad, + 0xc8, + 0x8b, + 0xc6, + 0x67, + 0x96, + 0xea, + 0xe5, + 0x67, + 0x7a, + 0x01, + 0xf6, + 0x4e, + 0x8c, + 0x08, + 0x63, + 0x13, + 0x95, + 0x82, + 0x2d, + 0x9d, + 0xb8, + 0xfc, + 0xee, + 0x35, + 0xc0, + 0x6b, + 0x1f, + 0xee, + 0xa5, + 0x47, + 0x4d, + 0x6d, + 0x8f, + 0x34, + 0xb1, + 0x53, + 0x4a, + 0x93, + 0x6a, + 0x18, + 0xb0, + 0xe0, + 0xd2, + 0x0e, + 0xab, + 0x86, + 0xbc, + 0x9c, + 0x6d, + 0x6a, + 0x52, + 0x07, + 0x19, + 0x4e, + 0x68, + 0x72, + 0x07, + 0x32, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_ike_8192 */ +static const unsigned char subprime_ike_8192_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xe4, + 0x87, + 0xed, + 0x51, + 0x10, + 0xb4, + 0x61, + 0x1a, + 0x62, + 0x63, + 0x31, + 0x45, + 0xc0, + 0x6e, + 0x0e, + 0x68, + 0x94, + 0x81, + 0x27, + 0x04, + 0x45, + 0x33, + 0xe6, + 0x3a, + 0x01, + 0x05, + 0xdf, + 0x53, + 0x1d, + 0x89, + 0xcd, + 0x91, + 0x28, + 0xa5, + 0x04, + 0x3c, + 0xc7, + 0x1a, + 0x02, + 0x6e, + 0xf7, + 0xca, + 0x8c, + 0xd9, + 0xe6, + 0x9d, + 0x21, + 0x8d, + 0x98, + 0x15, + 0x85, + 0x36, + 0xf9, + 0x2f, + 0x8a, + 0x1b, + 0xa7, + 0xf0, + 0x9a, + 0xb6, + 0xb6, + 0xa8, + 0xe1, + 0x22, + 0xf2, + 0x42, + 0xda, + 0xbb, + 0x31, + 0x2f, + 0x3f, + 0x63, + 0x7a, + 0x26, + 0x21, + 0x74, + 0xd3, + 0x1b, + 0xf6, + 0xb5, + 0x85, + 0xff, + 0xae, + 0x5b, + 0x7a, + 0x03, + 0x5b, + 0xf6, + 0xf7, + 0x1c, + 0x35, + 0xfd, + 0xad, + 0x44, + 0xcf, + 0xd2, + 0xd7, + 0x4f, + 0x92, + 0x08, + 0xbe, + 0x25, + 0x8f, + 0xf3, + 0x24, + 0x94, + 0x33, + 0x28, + 0xf6, + 0x72, + 0x2d, + 0x9e, + 0xe1, + 0x00, + 0x3e, + 0x5c, + 0x50, + 0xb1, + 0xdf, + 0x82, + 0xcc, + 0x6d, + 0x24, + 0x1b, + 0x0e, + 0x2a, + 0xe9, + 0xcd, + 0x34, + 0x8b, + 
0x1f, + 0xd4, + 0x7e, + 0x92, + 0x67, + 0xaf, + 0xc1, + 0xb2, + 0xae, + 0x91, + 0xee, + 0x51, + 0xd6, + 0xcb, + 0x0e, + 0x31, + 0x79, + 0xab, + 0x10, + 0x42, + 0xa9, + 0x5d, + 0xcf, + 0x6a, + 0x94, + 0x83, + 0xb8, + 0x4b, + 0x4b, + 0x36, + 0xb3, + 0x86, + 0x1a, + 0xa7, + 0x25, + 0x5e, + 0x4c, + 0x02, + 0x78, + 0xba, + 0x36, + 0x04, + 0x65, + 0x0c, + 0x10, + 0xbe, + 0x19, + 0x48, + 0x2f, + 0x23, + 0x17, + 0x1b, + 0x67, + 0x1d, + 0xf1, + 0xcf, + 0x3b, + 0x96, + 0x0c, + 0x07, + 0x43, + 0x01, + 0xcd, + 0x93, + 0xc1, + 0xd1, + 0x76, + 0x03, + 0xd1, + 0x47, + 0xda, + 0xe2, + 0xae, + 0xf8, + 0x37, + 0xa6, + 0x29, + 0x64, + 0xef, + 0x15, + 0xe5, + 0xfb, + 0x4a, + 0xac, + 0x0b, + 0x8c, + 0x1c, + 0xca, + 0xa4, + 0xbe, + 0x75, + 0x4a, + 0xb5, + 0x72, + 0x8a, + 0xe9, + 0x13, + 0x0c, + 0x4c, + 0x7d, + 0x02, + 0x88, + 0x0a, + 0xb9, + 0x47, + 0x2d, + 0x45, + 0x55, + 0x62, + 0x16, + 0xd6, + 0x99, + 0x8b, + 0x86, + 0x82, + 0x28, + 0x3d, + 0x19, + 0xd4, + 0x2a, + 0x90, + 0xd5, + 0xef, + 0x8e, + 0x5d, + 0x32, + 0x76, + 0x7d, + 0xc2, + 0x82, + 0x2c, + 0x6d, + 0xf7, + 0x85, + 0x45, + 0x75, + 0x38, + 0xab, + 0xae, + 0x83, + 0x06, + 0x3e, + 0xd9, + 0xcb, + 0x87, + 0xc2, + 0xd3, + 0x70, + 0xf2, + 0x63, + 0xd5, + 0xfa, + 0xd7, + 0x46, + 0x6d, + 0x84, + 0x99, + 0xeb, + 0x8f, + 0x46, + 0x4a, + 0x70, + 0x25, + 0x12, + 0xb0, + 0xce, + 0xe7, + 0x71, + 0xe9, + 0x13, + 0x0d, + 0x69, + 0x77, + 0x35, + 0xf8, + 0x97, + 0xfd, + 0x03, + 0x6c, + 0xc5, + 0x04, + 0x32, + 0x6c, + 0x3b, + 0x01, + 0x39, + 0x9f, + 0x64, + 0x35, + 0x32, + 0x29, + 0x0f, + 0x95, + 0x8c, + 0x0b, + 0xbd, + 0x90, + 0x06, + 0x5d, + 0xf0, + 0x8b, + 0xab, + 0xbd, + 0x30, + 0xae, + 0xb6, + 0x3b, + 0x84, + 0xc4, + 0x60, + 0x5d, + 0x6c, + 0xa3, + 0x71, + 0x04, + 0x71, + 0x27, + 0xd0, + 0x3a, + 0x72, + 0xd5, + 0x98, + 0xa1, + 0xed, + 0xad, + 0xfe, + 0x70, + 0x7e, + 0x88, + 0x47, + 0x25, + 0xc1, + 0x68, + 0x90, + 0x54, + 0x90, + 0x84, + 0x00, + 0x8d, + 0x39, + 0x1e, + 0x09, + 0x53, + 0xc3, + 0xf3, + 0x6b, + 0xc4, + 0x38, + 0xcd, + 0x08, + 
0x5e, + 0xdd, + 0x2d, + 0x93, + 0x4c, + 0xe1, + 0x93, + 0x8c, + 0x35, + 0x7a, + 0x71, + 0x1e, + 0x0d, + 0x4a, + 0x34, + 0x1a, + 0x5b, + 0x0a, + 0x85, + 0xed, + 0x12, + 0xc1, + 0xf4, + 0xe5, + 0x15, + 0x6a, + 0x26, + 0x74, + 0x6d, + 0xdd, + 0xe1, + 0x6d, + 0x82, + 0x6f, + 0x47, + 0x7c, + 0x97, + 0x47, + 0x7e, + 0x0a, + 0x0f, + 0xdf, + 0x65, + 0x53, + 0x14, + 0x3e, + 0x2c, + 0xa3, + 0xa7, + 0x35, + 0xe0, + 0x2e, + 0xcc, + 0xd9, + 0x4b, + 0x27, + 0xd0, + 0x48, + 0x61, + 0xd1, + 0x11, + 0x9d, + 0xd0, + 0xc3, + 0x28, + 0xad, + 0xf3, + 0xf6, + 0x8f, + 0xb0, + 0x94, + 0xb8, + 0x67, + 0x71, + 0x6b, + 0xd7, + 0xdc, + 0x0d, + 0xee, + 0xbb, + 0x10, + 0xb8, + 0x24, + 0x0e, + 0x68, + 0x03, + 0x48, + 0x93, + 0xea, + 0xd8, + 0x2d, + 0x54, + 0xc9, + 0xda, + 0x75, + 0x4c, + 0x46, + 0xc7, + 0xee, + 0xe0, + 0xc3, + 0x7f, + 0xdb, + 0xee, + 0x48, + 0x53, + 0x60, + 0x47, + 0xa6, + 0xfa, + 0x1a, + 0xe4, + 0x9a, + 0x01, + 0x42, + 0x49, + 0x1b, + 0x61, + 0xfd, + 0x5a, + 0x69, + 0x3e, + 0x38, + 0x13, + 0x60, + 0xea, + 0x6e, + 0x59, + 0x30, + 0x13, + 0x23, + 0x6f, + 0x64, + 0xba, + 0x8f, + 0x3b, + 0x1e, + 0xdd, + 0x1b, + 0xde, + 0xfc, + 0x7f, + 0xca, + 0x03, + 0x56, + 0xcf, + 0x29, + 0x87, + 0x72, + 0xed, + 0x9c, + 0x17, + 0xa0, + 0x98, + 0x00, + 0xd7, + 0x58, + 0x35, + 0x29, + 0xf6, + 0xc8, + 0x13, + 0xec, + 0x18, + 0x8b, + 0xcb, + 0x93, + 0xd8, + 0x43, + 0x2d, + 0x44, + 0x8c, + 0x6d, + 0x1f, + 0x6d, + 0xf5, + 0xe7, + 0xcd, + 0x8a, + 0x76, + 0xa2, + 0x67, + 0x36, + 0x5d, + 0x67, + 0x6a, + 0x5d, + 0x8d, + 0xed, + 0xbf, + 0x8a, + 0x23, + 0xf3, + 0x66, + 0x12, + 0xa5, + 0x99, + 0x90, + 0x28, + 0xa8, + 0x95, + 0xeb, + 0xd7, + 0xa1, + 0x37, + 0xdc, + 0x7a, + 0x00, + 0x9b, + 0xc6, + 0x69, + 0x5f, + 0xac, + 0xc1, + 0xe5, + 0x00, + 0xe3, + 0x25, + 0xc9, + 0x76, + 0x78, + 0x19, + 0x75, + 0x0a, + 0xe8, + 0xb9, + 0x0e, + 0x81, + 0xfa, + 0x41, + 0x6b, + 0xe7, + 0x37, + 0x3a, + 0x7f, + 0x7b, + 0x6a, + 0xaf, + 0x38, + 0x17, + 0xa3, + 0x4c, + 0x06, + 0x41, + 0x5a, + 0xd4, + 0x20, + 0x18, + 0xc8, + 0x05, + 
0x8e, + 0x4f, + 0x2c, + 0xf3, + 0xe4, + 0xbf, + 0xdf, + 0x63, + 0xf4, + 0x79, + 0x91, + 0xd4, + 0xbd, + 0x3f, + 0x1b, + 0x66, + 0x44, + 0x5f, + 0x07, + 0x8e, + 0xa2, + 0xdb, + 0xff, + 0xac, + 0x2d, + 0x62, + 0xa5, + 0xea, + 0x03, + 0xd9, + 0x15, + 0xa0, + 0xaa, + 0x55, + 0x66, + 0x47, + 0xb6, + 0xbf, + 0x5f, + 0xa4, + 0x70, + 0xec, + 0x0a, + 0x66, + 0x2f, + 0x69, + 0x07, + 0xc0, + 0x1b, + 0xf0, + 0x53, + 0xcb, + 0x8a, + 0xf7, + 0x79, + 0x4d, + 0xf1, + 0x94, + 0x03, + 0x50, + 0xea, + 0xc5, + 0xdb, + 0xe2, + 0xed, + 0x3b, + 0x7a, + 0xa8, + 0x55, + 0x1e, + 0xc5, + 0x0f, + 0xdf, + 0xf8, + 0x75, + 0x8c, + 0xe6, + 0x58, + 0xd1, + 0x89, + 0xea, + 0xae, + 0x6d, + 0x2b, + 0x64, + 0xf6, + 0x17, + 0x79, + 0x4b, + 0x19, + 0x1c, + 0x3f, + 0xf4, + 0x6b, + 0xb7, + 0x1e, + 0x02, + 0x34, + 0x02, + 0x1f, + 0x47, + 0xb3, + 0x1f, + 0xa4, + 0x30, + 0x77, + 0x09, + 0x5f, + 0x96, + 0xad, + 0x85, + 0xba, + 0x3a, + 0x6b, + 0x73, + 0x4a, + 0x7c, + 0x8f, + 0x36, + 0xdf, + 0x08, + 0xac, + 0xba, + 0x51, + 0xc9, + 0x37, + 0x89, + 0x7f, + 0x72, + 0xf2, + 0x1c, + 0x3b, + 0xbe, + 0x5b, + 0x54, + 0x99, + 0x6f, + 0xc6, + 0x6c, + 0x5f, + 0x62, + 0x68, + 0x39, + 0xdc, + 0x98, + 0xdd, + 0x1d, + 0xe4, + 0x19, + 0x5b, + 0x46, + 0xce, + 0xe9, + 0x80, + 0x3a, + 0x0f, + 0xd3, + 0xdf, + 0xc5, + 0x7e, + 0x23, + 0xf6, + 0x92, + 0xbb, + 0x7b, + 0x49, + 0xb5, + 0xd2, + 0x12, + 0x33, + 0x1d, + 0x55, + 0xb1, + 0xce, + 0x2d, + 0x72, + 0x7a, + 0xb4, + 0x1a, + 0x11, + 0xda, + 0x3a, + 0x15, + 0xf8, + 0xe4, + 0xbc, + 0x11, + 0xc7, + 0x8b, + 0x65, + 0xf1, + 0xce, + 0xb2, + 0x96, + 0xf1, + 0xfe, + 0xdc, + 0x5f, + 0x7e, + 0x42, + 0x45, + 0x6c, + 0x91, + 0x11, + 0x17, + 0x02, + 0x52, + 0x01, + 0xbe, + 0x03, + 0x89, + 0xf5, + 0xab, + 0xd4, + 0x0d, + 0x11, + 0xf8, + 0x63, + 0x9a, + 0x39, + 0xfe, + 0x32, + 0x36, + 0x75, + 0x18, + 0x35, + 0xa5, + 0xe5, + 0xe4, + 0x43, + 0x17, + 0xc1, + 0xc2, + 0xee, + 0xfd, + 0x4e, + 0xa5, + 0xbf, + 0xd1, + 0x60, + 0x43, + 0xf4, + 0x3c, + 0xb4, + 0x19, + 0x81, + 0xf6, + 0xad, + 0xee, + 0x9d, + 
0x03, + 0x15, + 0x9e, + 0x7a, + 0xd9, + 0xd1, + 0x3c, + 0x53, + 0x36, + 0x95, + 0x09, + 0xfc, + 0x1f, + 0xa2, + 0x7c, + 0x16, + 0xef, + 0x98, + 0x87, + 0x70, + 0x3a, + 0x55, + 0xb5, + 0x1b, + 0x22, + 0xcb, + 0xf4, + 0x4c, + 0xd0, + 0x12, + 0xae, + 0xe0, + 0xb2, + 0x79, + 0x8e, + 0x62, + 0x84, + 0x23, + 0x42, + 0x8e, + 0xfc, + 0xd5, + 0xa4, + 0x0c, + 0xae, + 0xf6, + 0xbf, + 0x50, + 0xd8, + 0xea, + 0x88, + 0x5e, + 0xbf, + 0x73, + 0xa6, + 0xb9, + 0xfd, + 0x79, + 0xb5, + 0xe1, + 0x8f, + 0x67, + 0xd1, + 0x34, + 0x1a, + 0xc8, + 0x23, + 0x7a, + 0x75, + 0xc3, + 0xcf, + 0xc9, + 0x20, + 0x04, + 0xa1, + 0xc5, + 0xa4, + 0x0e, + 0x36, + 0x6b, + 0xc4, + 0x4d, + 0x00, + 0x17, + 0x6a, + 0xf7, + 0x1c, + 0x15, + 0xe4, + 0x8c, + 0x86, + 0xd3, + 0x7e, + 0x01, + 0x37, + 0x23, + 0xca, + 0xac, + 0x72, + 0x23, + 0xab, + 0x3b, + 0xf4, + 0xd5, + 0x4f, + 0x18, + 0x28, + 0x71, + 0x3b, + 0x2b, + 0x4a, + 0x6f, + 0xe4, + 0x0f, + 0xab, + 0x74, + 0x40, + 0x5c, + 0xb7, + 0x38, + 0xb0, + 0x64, + 0xc0, + 0x6e, + 0xcc, + 0x76, + 0xe9, + 0xef, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +/* q=(p-1)/2 for prime prime_tls_8192 */ +static const unsigned char subprime_tls_8192_data[] = { + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xd6, + 0xfc, + 0x2a, + 0x2c, + 0x51, + 0x5d, + 0xa5, + 0x4d, + 0x57, + 0xee, + 0x2b, + 0x10, + 0x13, + 0x9e, + 0x9e, + 0x78, + 0xec, + 0x5c, + 0xe2, + 0xc1, + 0xe7, + 0x16, + 0x9b, + 0x4a, + 0xd4, + 0xf0, + 0x9b, + 0x20, + 0x8a, + 0x32, + 0x19, + 0xfd, + 0xe6, + 0x49, + 0xce, + 0xe7, + 0x12, + 0x4d, + 0x9f, + 0x7c, + 0xbe, + 0x97, + 0xf1, + 0xb1, + 0xb1, + 0x86, + 0x3a, + 0xec, + 0x7b, + 0x40, + 0xd9, + 0x01, + 0x57, + 0x62, + 0x30, + 0xbd, + 0x69, + 0xef, + 0x8f, + 0x6a, + 0xea, + 0xfe, + 0xb2, + 0xb0, + 0x92, + 0x19, + 0xfa, + 0x8f, + 0xaf, + 0x83, + 0x37, + 0x68, + 0x42, + 0xb1, + 0xb2, + 0xaa, + 0x9e, + 0xf6, + 0x8d, + 0x79, + 0xda, + 0xab, + 0x89, + 0xaf, + 0x3f, + 0xab, + 0xe4, + 0x9a, + 0xcc, + 0x27, + 0x86, + 0x38, + 0x70, 
+ 0x73, + 0x45, + 0xbb, + 0xf1, + 0x53, + 0x44, + 0xed, + 0x79, + 0xf7, + 0xf4, + 0x39, + 0x0e, + 0xf8, + 0xac, + 0x50, + 0x9b, + 0x56, + 0xf3, + 0x9a, + 0x98, + 0x56, + 0x65, + 0x27, + 0xa4, + 0x1d, + 0x3c, + 0xbd, + 0x5e, + 0x05, + 0x58, + 0xc1, + 0x59, + 0x92, + 0x7d, + 0xb0, + 0xe8, + 0x84, + 0x54, + 0xa5, + 0xd9, + 0x64, + 0x71, + 0xfd, + 0xdc, + 0xb5, + 0x6d, + 0x5b, + 0xb0, + 0x6b, + 0xfa, + 0x34, + 0x0e, + 0xa7, + 0xa1, + 0x51, + 0xef, + 0x1c, + 0xa6, + 0xfa, + 0x57, + 0x2b, + 0x76, + 0xf3, + 0xb1, + 0xb9, + 0x5d, + 0x8c, + 0x85, + 0x83, + 0xd3, + 0xe4, + 0x77, + 0x05, + 0x36, + 0xb8, + 0x4f, + 0x01, + 0x7e, + 0x70, + 0xe6, + 0xfb, + 0xf1, + 0x76, + 0x60, + 0x1a, + 0x02, + 0x66, + 0x94, + 0x1a, + 0x17, + 0xb0, + 0xc8, + 0xb9, + 0x7f, + 0x4e, + 0x74, + 0xc2, + 0xc1, + 0xff, + 0xc7, + 0x27, + 0x89, + 0x19, + 0x77, + 0x79, + 0x40, + 0xc1, + 0xe1, + 0xff, + 0x1d, + 0x8d, + 0xa6, + 0x37, + 0xd6, + 0xb9, + 0x9d, + 0xda, + 0xfe, + 0x5e, + 0x17, + 0x61, + 0x10, + 0x02, + 0xe2, + 0xc7, + 0x78, + 0xc1, + 0xbe, + 0x8b, + 0x41, + 0xd9, + 0x63, + 0x79, + 0xa5, + 0x13, + 0x60, + 0xd9, + 0x77, + 0xfd, + 0x44, + 0x35, + 0xa1, + 0x1c, + 0x30, + 0x8f, + 0xe7, + 0xee, + 0x6f, + 0x1a, + 0xad, + 0x9d, + 0xb2, + 0x8c, + 0x81, + 0xad, + 0xde, + 0x1a, + 0x7a, + 0x6f, + 0x7c, + 0xce, + 0x01, + 0x1c, + 0x30, + 0xda, + 0x37, + 0xe4, + 0xeb, + 0x73, + 0x64, + 0x83, + 0xbd, + 0x6c, + 0x8e, + 0x93, + 0x48, + 0xfb, + 0xfb, + 0xf7, + 0x2c, + 0xc6, + 0x58, + 0x7d, + 0x60, + 0xc3, + 0x6c, + 0x8e, + 0x57, + 0x7f, + 0x09, + 0x84, + 0xc2, + 0x89, + 0xc9, + 0x38, + 0x5a, + 0x09, + 0x86, + 0x49, + 0xde, + 0x21, + 0xbc, + 0xa2, + 0x7a, + 0x7e, + 0xa2, + 0x29, + 0x71, + 0x6b, + 0xa6, + 0xe9, + 0xb2, + 0x79, + 0x71, + 0x0f, + 0x38, + 0xfa, + 0xa5, + 0xff, + 0xae, + 0x57, + 0x41, + 0x55, + 0xce, + 0x4e, + 0xfb, + 0x4f, + 0x74, + 0x36, + 0x95, + 0xe2, + 0x91, + 0x1b, + 0x1d, + 0x06, + 0xd5, + 0xe2, + 0x90, + 0xcb, + 0xcd, + 0x86, + 0xf5, + 0x6d, + 0x0e, + 0xdf, + 0xcd, + 0x21, + 0x6a, + 0xe2, + 0x24, 
+ 0x27, + 0x05, + 0x5e, + 0x68, + 0x35, + 0xfd, + 0x29, + 0xee, + 0xf7, + 0x9e, + 0x0d, + 0x90, + 0x77, + 0x1f, + 0xea, + 0xce, + 0xbe, + 0x12, + 0xf2, + 0x0e, + 0x95, + 0xb3, + 0x4f, + 0x0f, + 0x78, + 0xb7, + 0x37, + 0xa9, + 0x61, + 0x8b, + 0x26, + 0xfa, + 0x7d, + 0xbc, + 0x98, + 0x74, + 0xf2, + 0x72, + 0xc4, + 0x2b, + 0xdb, + 0x56, + 0x3e, + 0xaf, + 0xa1, + 0x6b, + 0x4f, + 0xb6, + 0x8c, + 0x3b, + 0xb1, + 0xe7, + 0x8e, + 0xaa, + 0x81, + 0xa0, + 0x02, + 0x43, + 0xfa, + 0xad, + 0xd2, + 0xbf, + 0x18, + 0xe6, + 0x3d, + 0x38, + 0x9a, + 0xe4, + 0x43, + 0x77, + 0xda, + 0x18, + 0xc5, + 0x76, + 0xb5, + 0x0f, + 0x00, + 0x96, + 0xcf, + 0x34, + 0x19, + 0x54, + 0x83, + 0xb0, + 0x05, + 0x48, + 0xc0, + 0x98, + 0x62, + 0x36, + 0xe3, + 0xbc, + 0x7c, + 0xb8, + 0xd6, + 0x80, + 0x1c, + 0x04, + 0x94, + 0xcc, + 0xd1, + 0x99, + 0xe5, + 0xc5, + 0xbd, + 0x0d, + 0x0e, + 0xdc, + 0x9e, + 0xb8, + 0xa0, + 0x00, + 0x1e, + 0x15, + 0x27, + 0x67, + 0x54, + 0xfc, + 0xc6, + 0x85, + 0x66, + 0x05, + 0x41, + 0x48, + 0xe6, + 0xe7, + 0x64, + 0xbe, + 0xe7, + 0xc7, + 0x64, + 0xda, + 0xad, + 0x3f, + 0xc4, + 0x52, + 0x35, + 0xa6, + 0xda, + 0xd4, + 0x28, + 0xfa, + 0x20, + 0xc1, + 0x70, + 0xe3, + 0x45, + 0x00, + 0x3f, + 0x2f, + 0x06, + 0xec, + 0x81, + 0x05, + 0xfe, + 0xb2, + 0x5b, + 0x22, + 0x81, + 0xb6, + 0x3d, + 0x27, + 0x33, + 0xbe, + 0x96, + 0x1c, + 0x29, + 0x95, + 0x1d, + 0x11, + 0xdd, + 0x22, + 0x21, + 0x65, + 0x7a, + 0x9f, + 0x53, + 0x1d, + 0xda, + 0x2a, + 0x19, + 0x4d, + 0xbb, + 0x12, + 0x64, + 0x48, + 0xbd, + 0xee, + 0xb2, + 0x58, + 0xe0, + 0x7e, + 0xa6, + 0x59, + 0xc7, + 0x46, + 0x19, + 0xa6, + 0x38, + 0x0e, + 0x1d, + 0x66, + 0xd6, + 0x83, + 0x2b, + 0xfe, + 0x67, + 0xf6, + 0x38, + 0xcd, + 0x8f, + 0xae, + 0x1f, + 0x27, + 0x23, + 0x02, + 0x0f, + 0x9c, + 0x40, + 0xa3, + 0xfd, + 0xa6, + 0x7e, + 0xda, + 0x3b, + 0xd2, + 0x92, + 0x38, + 0xfb, + 0xd4, + 0xd4, + 0xb4, + 0x88, + 0x5c, + 0x2a, + 0x99, + 0x17, + 0x6d, + 0xb1, + 0xa0, + 0x6c, + 0x50, + 0x07, + 0x78, + 0x49, + 0x1a, + 0x82, + 0x88, + 0xf1, + 0x85, 
+ 0x5f, + 0x60, + 0xff, + 0xfc, + 0xf1, + 0xd1, + 0x37, + 0x3f, + 0xd9, + 0x4f, + 0xc6, + 0x0c, + 0x18, + 0x11, + 0xe1, + 0xac, + 0x3f, + 0x1c, + 0x6d, + 0x00, + 0x3b, + 0xec, + 0xda, + 0x3b, + 0x1f, + 0x27, + 0x25, + 0xca, + 0x59, + 0x5d, + 0xe0, + 0xca, + 0x63, + 0x32, + 0x8f, + 0x3b, + 0xe5, + 0x7c, + 0xc9, + 0x77, + 0x55, + 0x60, + 0x11, + 0x95, + 0x14, + 0x0d, + 0xfb, + 0x59, + 0xd3, + 0x9c, + 0xe0, + 0x91, + 0x30, + 0x8b, + 0x41, + 0x05, + 0x74, + 0x6d, + 0xac, + 0x23, + 0xd3, + 0x3e, + 0x5f, + 0x7c, + 0xe4, + 0x84, + 0x8d, + 0xa3, + 0x16, + 0xa9, + 0xc6, + 0x6b, + 0x95, + 0x81, + 0xba, + 0x35, + 0x73, + 0xbf, + 0xaf, + 0x31, + 0x14, + 0x96, + 0x18, + 0x8a, + 0xb1, + 0x54, + 0x23, + 0x28, + 0x2e, + 0xe4, + 0x16, + 0xdc, + 0x2a, + 0x19, + 0xc5, + 0x72, + 0x4f, + 0xa9, + 0x1a, + 0xe4, + 0xad, + 0xc8, + 0x8b, + 0xc6, + 0x67, + 0x96, + 0xea, + 0xe5, + 0x67, + 0x7a, + 0x01, + 0xf6, + 0x4e, + 0x8c, + 0x08, + 0x63, + 0x13, + 0x95, + 0x82, + 0x2d, + 0x9d, + 0xb8, + 0xfc, + 0xee, + 0x35, + 0xc0, + 0x6b, + 0x1f, + 0xee, + 0xa5, + 0x47, + 0x4d, + 0x6d, + 0x8f, + 0x34, + 0xb1, + 0x53, + 0x4a, + 0x93, + 0x6a, + 0x18, + 0xb0, + 0xe0, + 0xd2, + 0x0e, + 0xab, + 0x86, + 0xbc, + 0x9c, + 0x6d, + 0x6a, + 0x52, + 0x07, + 0x19, + 0x4e, + 0x67, + 0xfa, + 0x35, + 0x55, + 0x1b, + 0x56, + 0x80, + 0x26, + 0x7b, + 0x00, + 0x64, + 0x1c, + 0x0f, + 0x21, + 0x2d, + 0x18, + 0xec, + 0xa8, + 0xd7, + 0x32, + 0x7e, + 0xd9, + 0x1f, + 0xe7, + 0x64, + 0xa8, + 0x4e, + 0xa1, + 0xb4, + 0x3f, + 0xf5, + 0xb4, + 0xf6, + 0xe8, + 0xe6, + 0x2f, + 0x05, + 0xc6, + 0x61, + 0xde, + 0xfb, + 0x25, + 0x88, + 0x77, + 0xc3, + 0x5b, + 0x18, + 0xa1, + 0x51, + 0xd5, + 0xc4, + 0x14, + 0xaa, + 0xad, + 0x97, + 0xba, + 0x3e, + 0x49, + 0x93, + 0x32, + 0xe5, + 0x96, + 0x07, + 0x8e, + 0x60, + 0x0d, + 0xeb, + 0x81, + 0x14, + 0x9c, + 0x44, + 0x1c, + 0xe9, + 0x57, + 0x82, + 0xf2, + 0x2a, + 0x28, + 0x25, + 0x63, + 0xc5, + 0xba, + 0xc1, + 0x41, + 0x14, + 0x23, + 0x60, + 0x5d, + 0x1a, + 0xe1, + 0xaf, + 0xae, + 0x2c, + 0x8b, + 0x06, 
+ 0x60, + 0x23, + 0x7e, + 0xc1, + 0x28, + 0xaa, + 0x0f, + 0xe3, + 0x46, + 0x4e, + 0x43, + 0x58, + 0x11, + 0x5d, + 0xb8, + 0x4c, + 0xc3, + 0xb5, + 0x23, + 0x07, + 0x3a, + 0x28, + 0xd4, + 0x54, + 0x98, + 0x84, + 0xb8, + 0x1f, + 0xf7, + 0x0e, + 0x10, + 0xbf, + 0x36, + 0x1c, + 0x13, + 0x72, + 0x96, + 0x28, + 0xd5, + 0x34, + 0x8f, + 0x07, + 0x21, + 0x1e, + 0x7e, + 0x4c, + 0xf4, + 0xf1, + 0x8b, + 0x28, + 0x60, + 0x90, + 0xbd, + 0xb1, + 0x24, + 0x0b, + 0x66, + 0xd6, + 0xcd, + 0x4a, + 0xfc, + 0xea, + 0xdc, + 0x00, + 0xca, + 0x44, + 0x6c, + 0xe0, + 0x50, + 0x50, + 0xff, + 0x18, + 0x3a, + 0xd2, + 0xbb, + 0xf1, + 0x18, + 0xc1, + 0xfc, + 0x0e, + 0xa5, + 0x1f, + 0x97, + 0xd2, + 0x2b, + 0x8f, + 0x7e, + 0x46, + 0x70, + 0x5d, + 0x45, + 0x27, + 0xf4, + 0x5b, + 0x42, + 0xae, + 0xff, + 0x39, + 0x58, + 0x53, + 0x37, + 0x6f, + 0x69, + 0x7d, + 0xd5, + 0xfd, + 0xf2, + 0xc5, + 0x18, + 0x7d, + 0x7d, + 0x5f, + 0x0e, + 0x2e, + 0xb8, + 0xd4, + 0x3f, + 0x17, + 0xba, + 0x0f, + 0x7c, + 0x60, + 0xff, + 0x43, + 0x7f, + 0x53, + 0x5d, + 0xfe, + 0xf2, + 0x98, + 0x33, + 0xbf, + 0x86, + 0xcb, + 0xe8, + 0x8e, + 0xa4, + 0xfb, + 0xd4, + 0x22, + 0x1e, + 0x84, + 0x11, + 0x72, + 0x83, + 0x54, + 0xfa, + 0x30, + 0xa7, + 0x00, + 0x8f, + 0x15, + 0x4a, + 0x41, + 0xc7, + 0xfc, + 0x46, + 0x6b, + 0x46, + 0x45, + 0xdb, + 0xe2, + 0xe3, + 0x21, + 0x26, + 0x7f, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, + 0xff, +}; + +static const SECItem subprime_ike_1536 = { siBuffer, + (unsigned char *)subprime_ike_1536_data, + sizeof(subprime_ike_1536_data) }; +static const SECItem subprime_ike_2048 = { siBuffer, + (unsigned char *)subprime_ike_2048_data, + sizeof(subprime_ike_2048_data) }; +static const SECItem subprime_ike_3072 = { siBuffer, + (unsigned char *)subprime_ike_3072_data, + sizeof(subprime_ike_3072_data) }; +static const SECItem subprime_ike_4096 = { siBuffer, + (unsigned char *)subprime_ike_4096_data, + sizeof(subprime_ike_4096_data) }; +static const SECItem subprime_ike_6144 = { siBuffer, + (unsigned char 
*)subprime_ike_6144_data,
+ sizeof(subprime_ike_6144_data) };
+static const SECItem subprime_ike_8192 = { siBuffer,
+ (unsigned char *)subprime_ike_8192_data,
+ sizeof(subprime_ike_8192_data) };
+static const SECItem subprime_tls_2048 = { siBuffer,
+ (unsigned char *)subprime_tls_2048_data,
+ sizeof(subprime_tls_2048_data) };
+static const SECItem subprime_tls_3072 = { siBuffer,
+ (unsigned char *)subprime_tls_3072_data,
+ sizeof(subprime_tls_3072_data) };
+static const SECItem subprime_tls_4096 = { siBuffer,
+ (unsigned char *)subprime_tls_4096_data,
+ sizeof(subprime_tls_4096_data) };
+static const SECItem subprime_tls_6144 = { siBuffer,
+ (unsigned char *)subprime_tls_6144_data,
+ sizeof(subprime_tls_6144_data) };
+static const SECItem subprime_tls_8192 = { siBuffer,
+ (unsigned char *)subprime_tls_8192_data,
+ sizeof(subprime_tls_8192_data) };
+
+/*
+ * verify that dhPrime matches one of our known primes
+ */
+const SECItem *
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
+{
+ /* use the length to decide which primes to check */
+ switch (dhPrime->len) {
+ case 1536 / PR_BITS_PER_BYTE:
+ /* don't accept 1536 bit primes in FIPS mode */
+ if (isFIPS) {
+ break;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
+ sizeof(prime_ike_1536)) == 0) {
+ return &subprime_ike_1536;
+ }
+ break;
+ case 2048 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
+ sizeof(prime_tls_2048)) == 0) {
+ return &subprime_tls_2048;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
+ sizeof(prime_ike_2048)) == 0) {
+ return &subprime_ike_2048;
+ }
+ break;
+ case 3072 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
+ sizeof(prime_tls_3072)) == 0) {
+ return &subprime_tls_3072;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
+ sizeof(prime_ike_3072)) == 0) {
+ return &subprime_ike_3072;
+ }
+ break;
+ case 4096 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
+ sizeof(prime_tls_4096)) == 0) {
+ return
&subprime_tls_4096;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
+ sizeof(prime_ike_4096)) == 0) {
+ return &subprime_ike_4096;
+ }
+ break;
+ case 6144 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
+ sizeof(prime_tls_6144)) == 0) {
+ return &subprime_tls_6144;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
+ sizeof(prime_ike_6144)) == 0) {
+ return &subprime_ike_6144;
+ }
+ break;
+ case 8192 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
+ sizeof(prime_tls_8192)) == 0) {
+ return &subprime_tls_8192;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
+ sizeof(prime_ike_8192)) == 0) {
+ return &subprime_ike_8192;
+ }
+ break;
+ }
+ /* no match found, return an error */
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+}
+
+/* Use the provided subPrime to see if dhPrime is a safe prime. We'll check
+ * primality of those values later. */
+SECStatus
+sftk_IsSafePrime(const SECItem *dhPrime, const SECItem *dhSubPrime, PRBool *isSafe)
+{
+ int i;
+ unsigned char carry = 0;
+ int offset = 0, subPrimeLen = dhPrime->len;
+ *isSafe = PR_FALSE;
+
+ /* Both dhPrime and dhSubPrime should be odd */
+ if (((dhPrime->data[dhPrime->len - 1] & 0x1) != 1) && ((dhSubPrime->data[dhSubPrime->len - 1] & 0x1) != 1)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ /* subPrime is p-1/2, which means subPrime is 1 bit shorter than p.
+ * It's length in bytes is the same unless the high byte of p == 1 or 0.
+ */
+ if (dhPrime->data[0] <= 1) {
+ subPrimeLen--;
+ offset++;
+ carry = (dhPrime->data[0]) << 7;
+ }
+
+ /* if subprime len is not long enough it is not a strong prime */
+ if (dhSubPrime->len != subPrimeLen) {
+ return SECSuccess;
+ }
+
+ /* does the subprime match q == (p-1)/2 */
+ for (i = 0; i < subPrimeLen; i++) {
+ if (dhSubPrime->data[i] !=
+ (carry | ((dhPrime->data[i + offset] >> 1) & 0x7f))) {
+ return SECSuccess;
+ }
+ carry = ((dhPrime->data[i + offset] & 1) << 7) & 0x80;
+ }
+ /* subPrime for p claims to be q=(p-1)/2. So the caller thinks p
+ * is a strong prime, just need to check primality of p and q to verify */
+ *isSafe = PR_TRUE;
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/sftkhmac.c b/security/nss/lib/softoken/sftkhmac.c
new file mode 100644
index 0000000000..bec2df79f1
--- /dev/null
+++ b/security/nss/lib/softoken/sftkhmac.c
@@ -0,0 +1,477 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "blapi.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "hmacct.h"
+
+/* sftk_HMACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
+ * type. */
+HASH_HashType
+sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_MD2_HMAC:
+ return HASH_AlgMD2;
+ case CKM_MD5_HMAC:
+ case CKM_SSL3_MD5_MAC:
+ return HASH_AlgMD5;
+ case CKM_SHA_1_HMAC:
+ case CKM_SSL3_SHA1_MAC:
+ return HASH_AlgSHA1;
+ case CKM_SHA224_HMAC:
+ return HASH_AlgSHA224;
+ case CKM_SHA256_HMAC:
+ return HASH_AlgSHA256;
+ case CKM_SHA384_HMAC:
+ return HASH_AlgSHA384;
+ case CKM_SHA512_HMAC:
+ return HASH_AlgSHA512;
+ }
+ return HASH_AlgNULL;
+}
+
+static sftk_MACConstantTimeCtx *
+SetupMAC(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ sftk_MACConstantTimeCtx *ctx;
+ HASH_HashType alg;
+ SFTKAttribute *keyval;
+ unsigned char secret[sizeof(ctx->secret)];
+ unsigned int secretLength;
+
+ if (mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)) {
+ return NULL;
+ }
+
+ alg = sftk_HMACMechanismToHash(params->macAlg);
+ if (alg == HASH_AlgNULL) {
+ return NULL;
+ }
+
+ keyval = sftk_FindAttribute(key, CKA_VALUE);
+ if (keyval == NULL) {
+ return NULL;
+ }
+ secretLength = keyval->attrib.ulValueLen;
+ if (secretLength > sizeof(secret)) {
+ sftk_FreeAttribute(keyval);
+ return NULL;
+ }
+ memcpy(secret, keyval->attrib.pValue, secretLength);
+ sftk_FreeAttribute(keyval);
+
+ ctx = PORT_Alloc(sizeof(sftk_MACConstantTimeCtx));
+ if (!ctx) {
+ PORT_Memset(secret, 0, secretLength);
+ return NULL;
+ }
+
+ memcpy(ctx->secret, secret, secretLength);
+ ctx->secretLength =
secretLength;
+ ctx->hash = HASH_GetRawHashObject(alg);
+ ctx->totalLength = params->ulBodyTotalLen;
+ PORT_Memset(secret, 0, secretLength);
+
+ return ctx;
+}
+
+sftk_MACConstantTimeCtx *
+sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ sftk_MACConstantTimeCtx *ctx;
+
+ if (params->ulHeaderLen > sizeof(ctx->header)) {
+ return NULL;
+ }
+ ctx = SetupMAC(mech, key);
+ if (!ctx) {
+ return NULL;
+ }
+
+ ctx->headerLength = params->ulHeaderLen;
+ memcpy(ctx->header, params->pHeader, params->ulHeaderLen);
+ return ctx;
+}
+
+sftk_MACConstantTimeCtx *
+sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ unsigned int padLength = 40, j;
+ sftk_MACConstantTimeCtx *ctx;
+
+ if (params->macAlg != CKM_SSL3_MD5_MAC &&
+ params->macAlg != CKM_SSL3_SHA1_MAC) {
+ return NULL;
+ }
+ ctx = SetupMAC(mech, key);
+ if (!ctx) {
+ return NULL;
+ }
+
+ if (params->macAlg == CKM_SSL3_MD5_MAC) {
+ padLength = 48;
+ }
+
+ ctx->headerLength =
+ ctx->secretLength +
+ padLength +
+ params->ulHeaderLen;
+
+ if (ctx->headerLength > sizeof(ctx->header)) {
+ goto loser;
+ }
+
+ j = 0;
+ memcpy(&ctx->header[j], ctx->secret, ctx->secretLength);
+ j += ctx->secretLength;
+ memset(&ctx->header[j], 0x36, padLength);
+ j += padLength;
+ memcpy(&ctx->header[j], params->pHeader, params->ulHeaderLen);
+
+ return ctx;
+
+loser:
+ PORT_Free(ctx);
+ return NULL;
+}
+
+void
+sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len)
+{
+ sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ PORT_CheckSuccess(HMAC_ConstantTime(
+ ctx->mac, NULL, sizeof(ctx->mac),
+ ctx->hash,
+ ctx->secret, ctx->secretLength,
+ ctx->header, ctx->headerLength,
+ data, len,
+ ctx->totalLength));
+}
+
+void
+sftk_SSLv3MACConstantTime_Update(void *pctx, const
void *data, unsigned int len)
+{
+ sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ PORT_CheckSuccess(SSLv3_MAC_ConstantTime(
+ ctx->mac, NULL, sizeof(ctx->mac),
+ ctx->hash,
+ ctx->secret, ctx->secretLength,
+ ctx->header, ctx->headerLength,
+ data, len,
+ ctx->totalLength));
+}
+
+void
+sftk_MACConstantTime_EndHash(void *pctx, void *out, unsigned int *outLength,
+ unsigned int maxLength)
+{
+ const sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ unsigned int toCopy = ctx->hash->length;
+ if (toCopy > maxLength) {
+ toCopy = maxLength;
+ }
+ memcpy(out, ctx->mac, toCopy);
+ if (outLength) {
+ *outLength = toCopy;
+ }
+}
+
+void
+sftk_MACConstantTime_DestroyContext(void *pctx, PRBool free)
+{
+ PORT_ZFree(pctx, sizeof(sftk_MACConstantTimeCtx));
+}
+
+CK_RV
+sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx)
+{
+ CK_RV ret;
+
+ if (ret_ctx == NULL || key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ *ret_ctx = PORT_New(sftk_MACCtx);
+ if (*ret_ctx == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ ret = sftk_MAC_Init(*ret_ctx, mech, key);
+ if (ret != CKR_OK) {
+ sftk_MAC_Destroy(*ret_ctx, PR_TRUE);
+ }
+
+ return ret;
+}
+
+CK_RV
+sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key)
+{
+ SFTKAttribute *keyval = NULL;
+ PRBool isFIPS = sftk_isFIPS(key->slot->slotID);
+ CK_RV ret = CKR_OK;
+
+ /* Find the actual value of the key.
*/
+ keyval = sftk_FindAttribute(key, CKA_VALUE);
+ if (keyval == NULL) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+
+ ret = sftk_MAC_InitRaw(ctx, mech,
+ (const unsigned char *)keyval->attrib.pValue,
+ keyval->attrib.ulValueLen, isFIPS);
+
+done:
+ if (keyval) {
+ sftk_FreeAttribute(keyval);
+ }
+ return ret;
+}
+
+CK_RV
+sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS)
+{
+ const SECHashObject *hashObj = NULL;
+ CK_RV ret = CKR_OK;
+
+ if (ctx == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Clear the context before use. */
+ PORT_Memset(ctx, 0, sizeof(*ctx));
+
+ /* Save the mech. */
+ ctx->mech = mech;
+
+ /* Initialize the correct MAC context. */
+ switch (mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ hashObj = HASH_GetRawHashObject(sftk_HMACMechanismToHash(mech));
+
+ /* Because we condition above only on hashes we know to be valid,
+ * hashObj should never be NULL. This assert is only useful when
+ * adding a new hash function (for which only partial support has
+ * been added); thus there is no need to turn it into an if and
+ * avoid the NULL dereference on the following line. */
+ PR_ASSERT(hashObj != NULL);
+ ctx->mac_size = hashObj->length;
+
+ goto hmac;
+ case CKM_AES_CMAC:
+ ctx->mac.cmac = CMAC_Create(CMAC_AES, key, key_len);
+ ctx->destroy_func = (void (*)(void *, PRBool))(&CMAC_Destroy);
+
+ /* Copy the behavior of sftk_doCMACInit here.
*/
+ if (ctx->mac.cmac == NULL) {
+ if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+
+ ret = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ ctx->mac_size = AES_BLOCK_SIZE;
+
+ goto done;
+ default:
+ ret = CKR_MECHANISM_PARAM_INVALID;
+ goto done;
+ }
+
+hmac:
+ ctx->mac.hmac = HMAC_Create(hashObj, key, key_len, isFIPS);
+ ctx->destroy_func = (void (*)(void *, PRBool))(&HMAC_Destroy);
+
+ /* Copy the behavior of sftk_doHMACInit here. */
+ if (ctx->mac.hmac == NULL) {
+ if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+ ret = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ /* Semantics: HMAC and CMAC should behave the same. Begin HMAC now. */
+ HMAC_Begin(ctx->mac.hmac);
+
+done:
+ /* Handle a failure: ctx->mac.raw should be NULL, but make sure
+ * destroy_func isn't set. */
+ if (ret != CKR_OK) {
+ ctx->destroy_func = NULL;
+ }
+
+ return ret;
+}
+
+CK_RV
+sftk_MAC_Reset(sftk_MACCtx *ctx)
+{
+ /* Useful for resetting the state of MAC prior to calling update again
+ *
+ * This lets the caller keep a single MAC instance and re-use it as long
+ * as the key stays the same. */
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ HMAC_Begin(ctx->mac.hmac);
+ break;
+ case CKM_AES_CMAC:
+ if (CMAC_Begin(ctx->mac.cmac) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type.
*/
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Update(sftk_MACCtx *ctx, const CK_BYTE *data, unsigned int data_len)
+{
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ /* HMAC doesn't indicate failure in the return code. */
+ HMAC_Update(ctx->mac.hmac, data, data_len);
+ break;
+ case CKM_AES_CMAC:
+ /* CMAC indicates failure in the return code, however this is
+ * unlikely to occur. */
+ if (CMAC_Update(ctx->mac.cmac, data, data_len) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type. */
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len)
+{
+ unsigned int actual_result_len;
+
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ /* HMAC doesn't indicate failure in the return code. Additionally,
+ * unlike CMAC, it doesn't support partial results. This means that we
+ * need to allocate a buffer if max_result_len < ctx->mac_size. */
+ if (max_result_len >= ctx->mac_size) {
+ /* Split this into two calls to avoid an unnecessary stack
+ * allocation and memcpy when possible. */
+ HMAC_Finish(ctx->mac.hmac, result, &actual_result_len, max_result_len);
+ } else {
+ uint8_t tmp_buffer[SFTK_MAX_MAC_LENGTH];
+
+ /* Assumption: buffer is large enough to hold this HMAC's
+ * output.
*/
+ PR_ASSERT(SFTK_MAX_MAC_LENGTH >= ctx->mac_size);
+
+ HMAC_Finish(ctx->mac.hmac, tmp_buffer, &actual_result_len, SFTK_MAX_MAC_LENGTH);
+
+ if (actual_result_len > max_result_len) {
+ /* This should always be true since:
+ *
+ * (SFTK_MAX_MAC_LENGTH >= ctx->mac_size =
+ * actual_result_len) > max_result_len,
+ *
+ * but guard this truncation just in case. */
+ actual_result_len = max_result_len;
+ }
+
+ PORT_Memcpy(result, tmp_buffer, actual_result_len);
+ }
+ break;
+ case CKM_AES_CMAC:
+ /* CMAC indicates failure in the return code, however this is
+ * unlikely to occur. */
+ if (CMAC_Finish(ctx->mac.cmac, result, &actual_result_len, max_result_len) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type. */
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ if (result_len) {
+ /* When result length is passed, inform the caller of its value. */
+ *result_len = actual_result_len;
+ } else if (max_result_len == ctx->mac_size) {
+ /* Validate that the amount requested was what was actually given; the
+ * caller assumes that what they passed was the output size of the
+ * underlying MAC and that they got all the bytes the asked for. */
+ PR_ASSERT(actual_result_len == max_result_len);
+ }
+
+ return CKR_OK;
+}
+
+void
+sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ if (ctx->mac.raw != NULL && ctx->destroy_func != NULL) {
+ ctx->destroy_func(ctx->mac.raw, PR_TRUE);
+ }
+
+ /* Clean up the struct so we don't double free accidentally. */
+ PORT_Memset(ctx, 0, sizeof(sftk_MACCtx));
+
+ if (free_it == PR_TRUE) {
+ PORT_Free(ctx);
+ }
+}
diff --git a/security/nss/lib/softoken/sftkike.c b/security/nss/lib/softoken/sftkike.c
new file mode 100644
index 0000000000..6756040b64
--- /dev/null
+++ b/security/nss/lib/softoken/sftkike.c
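Review bot: In sftk_HMACConstantTime_New, `params->ulHeaderLen` is read before SetupMAC performs the only `mech->ulParameterLen` size check, so a NULL or undersized pParameter may be dereferenced before it is rejected; sftk_SSLv3MACConstantTime_New has the same ordering with `params->macAlg`. Hoist the check ahead of the first `params->` read in both constructors: `if (mech->pParameter == NULL || mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)) { return NULL; }`. Separately, the `loser:` path in sftk_SSLv3MACConstantTime_New releases a context that already holds the copied key in ctx->secret with `PORT_Free(ctx)`, whereas the normal teardown in sftk_MACConstantTime_DestroyContext uses PORT_ZFree; use `PORT_ZFree(ctx, sizeof(*ctx));` there so the secret is also cleared on the oversized-header error path.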
@@ -0,0 +1,1419 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "pkcs1sig.h"
+#include "lowkeyi.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h" /* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#include "prprf.h"
+#include "prenv.h"
+
+/*
+ * A common prfContext to handle both hmac and aes xcbc
+ * hash contexts have non-null hashObj and hmac, aes
+ * contexts have non-null aes */
+typedef struct prfContextStr {
+ HASH_HashType hashType;
+ const SECHashObject *hashObj;
+ HMACContext *hmac;
+ AESContext *aes;
+ unsigned int nextChar;
+ unsigned char padBuf[AES_BLOCK_SIZE];
+ unsigned char macBuf[AES_BLOCK_SIZE];
+ unsigned char k1[AES_BLOCK_SIZE];
+ unsigned char k2[AES_BLOCK_SIZE];
+ unsigned char k3[AES_BLOCK_SIZE];
+} prfContext;
+
+/* iv full of zeros used in several places in aes xcbc */
+static const unsigned char iv_zero[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/*
+ * Generate AES XCBC keys from the AES MAC key.
+ * k1 is used in the actual mac.
+ * k2 and k3 are used in the final pad step.
+ */
+static CK_RV
+sftk_aes_xcbc_get_keys(const unsigned char *keyValue, unsigned int keyLen,
+ unsigned char *k1, unsigned char *k2, unsigned char *k3)
+{
+ SECStatus rv;
+ CK_RV crv;
+ unsigned int tmpLen;
+ AESContext *aes_context = NULL;
+ unsigned char newKey[AES_BLOCK_SIZE];
+
+ /* AES XCBC keys. k1, k2, and k3 are derived by encrypting
+ * k1data, k2data, and k3data with the mac key.
+ */
+ static const unsigned char k1data[] = {
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
+ };
+ static const unsigned char k2data[] = {
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02
+ };
+ static const unsigned char k3data[] = {
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03
+ };
+
+ /* k1_0 = aes_ecb(0, k1data) */
+ static const unsigned char k1_0[] = {
+ 0xe1, 0x4d, 0x5d, 0x0e, 0xe2, 0x77, 0x15, 0xdf,
+ 0x08, 0xb4, 0x15, 0x2b, 0xa2, 0x3d, 0xa8, 0xe0
+
+ };
+ /* k2_0 = aes_ecb(0, k2data) */
+ static const unsigned char k2_0[] = {
+ 0x5e, 0xba, 0x73, 0xf8, 0x91, 0x42, 0xc5, 0x48,
+ 0x80, 0xf6, 0x85, 0x94, 0x37, 0x3c, 0x5c, 0x37
+ };
+ /* k3_0 = aes_ecb(0, k3data) */
+ static const unsigned char k3_0[] = {
+ 0x8d, 0x34, 0xef, 0xcb, 0x3b, 0xd5, 0x45, 0xca,
+ 0x06, 0x2a, 0xec, 0xdf, 0xef, 0x7c, 0x0b, 0xfa
+ };
+
+ /* first make sure out input key is the correct length
+ * rfc 4434. If key is shorter, pad with zeros to the
+ * the right. If key is longer newKey = aes_xcbc(0, key, keyLen).
+ */
+ if (keyLen < AES_BLOCK_SIZE) {
+ PORT_Memcpy(newKey, keyValue, keyLen);
+ PORT_Memset(&newKey[keyLen], 0, AES_BLOCK_SIZE - keyLen);
+ keyValue = newKey;
+ } else if (keyLen > AES_BLOCK_SIZE) {
+ /* calculate our new key = aes_xcbc(0, key, keyLen). Because the
+ * key above is fixed (0), we can precalculate k1, k2, and k3.
+ * if this code ever needs to be more generic (support any xcbc
+ * function rather than just aes, we would probably want to just
+ * recurse here using our prf functions. This would be safe because
+ * the recurse case would have keyLen == blocksize and thus skip
+ * this conditional.
+ */
+ aes_context = AES_CreateContext(k1_0, iv_zero, NSS_AES_CBC,
+ PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+ /* we know the following loop will execute at least once */
+ while (keyLen > AES_BLOCK_SIZE) {
+ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE,
+ keyValue, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ keyValue += AES_BLOCK_SIZE;
+ keyLen -= AES_BLOCK_SIZE;
+ }
+ PORT_Memcpy(newKey, keyValue, keyLen);
+ sftk_xcbc_mac_pad(newKey, keyLen, AES_BLOCK_SIZE, k2_0, k3_0);
+ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE,
+ newKey, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ keyValue = newKey;
+ AES_DestroyContext(aes_context, PR_TRUE);
+ }
+ /* the length of the key in keyValue is known to be AES_BLOCK_SIZE,
+ * either because it was on input, or it was shorter and extended, or
+ * because it was mac'd down using aes_xcbc_prf.
+ */
+ aes_context = AES_CreateContext(keyValue, iv_zero,
+ NSS_AES, PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+ if (aes_context == NULL) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k1, &tmpLen, AES_BLOCK_SIZE,
+ k1data, sizeof(k1data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k2, &tmpLen, AES_BLOCK_SIZE,
+ k2data, sizeof(k2data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k3, &tmpLen, AES_BLOCK_SIZE,
+ k3data, sizeof(k3data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ AES_DestroyContext(aes_context, PR_TRUE);
+ PORT_Memset(newKey, 0, AES_BLOCK_SIZE);
+ return CKR_OK;
+fail:
+ crv = sftk_MapCryptError(PORT_GetError());
+ if (aes_context) {
+ AES_DestroyContext(aes_context, PR_TRUE);
+ }
+ PORT_Memset(k1, 0, AES_BLOCK_SIZE);
+ PORT_Memset(k2, 0, AES_BLOCK_SIZE);
+ PORT_Memset(k3, 0, AES_BLOCK_SIZE);
+ PORT_Memset(newKey, 0, AES_BLOCK_SIZE);
+ return crv;
+}
+
+/* encode the final pad block of aes xcbc, padBuf is modified */
+CK_RV
+sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen,
+ 
unsigned int blockSize, const unsigned char *k2,
+ const unsigned char *k3)
+{
+ unsigned int i;
+ if (bufLen == blockSize) {
+ for (i = 0; i < blockSize; i++) {
+ padBuf[i] ^= k2[i];
+ }
+ } else {
+ padBuf[bufLen++] = 0x80;
+ for (i = bufLen; i < blockSize; i++) {
+ padBuf[i] = 0x00;
+ }
+ for (i = 0; i < blockSize; i++) {
+ padBuf[i] ^= k3[i];
+ }
+ }
+ return CKR_OK;
+}
+
+/* Map the mechanism to the underlying hash. If the type is not a hash
+ * or HMAC, return HASH_AlgNULL. This can happen legitimately if
+ * we are doing AES XCBC */
+static HASH_HashType
+sftk_map_hmac_to_hash(CK_MECHANISM_TYPE type)
+{
+ switch (type) {
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA_1:
+ return HASH_AlgSHA1;
+ case CKM_MD5_HMAC:
+ case CKM_MD5:
+ return HASH_AlgMD5;
+ case CKM_MD2_HMAC:
+ case CKM_MD2:
+ return HASH_AlgMD2;
+ case CKM_SHA224_HMAC:
+ case CKM_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256_HMAC:
+ case CKM_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384_HMAC:
+ case CKM_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512_HMAC:
+ case CKM_SHA512:
+ return HASH_AlgSHA512;
+ }
+ return HASH_AlgNULL;
+}
+
+/*
+ * Generally setup the context based on the mechanism.
+ * If the mech is HMAC, context->hashObj should be set
+ * Otherwise it is assumed to be AES XCBC. prf_setup
+ * checks these assumptions and will return an error
+ * if they are not met. NOTE: this function does not allocate
+ * anything, so there is no requirement to free context after
+ * prf_setup like there is if you call prf_init.
+ */
+static CK_RV
+prf_setup(prfContext *context, CK_MECHANISM_TYPE mech)
+{
+ context->hashType = sftk_map_hmac_to_hash(mech);
+ context->hashObj = NULL;
+ context->hmac = NULL;
+ context->aes = NULL;
+ if (context->hashType != HASH_AlgNULL) {
+ context->hashObj = HASH_GetRawHashObject(context->hashType);
+ if (context->hashObj == NULL) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+ } else if (mech == CKM_AES_XCBC_MAC) {
+ return CKR_OK;
+ }
+ return CKR_MECHANISM_PARAM_INVALID;
+}
+
+/* return the underlying prf length for this context. This will
+ * function once the context is setup */
+static CK_RV
+prf_length(prfContext *context)
+{
+ if (context->hashObj) {
+ return context->hashObj->length;
+ }
+ return AES_BLOCK_SIZE; /* AES */
+}
+
+/* set up the key for the prf. prf_update or prf_final should not be called if
+ * prf_init has not been called first. Once prf_init returns hmac and
+ * aes contexts should set and valid.
+ */
+static CK_RV
+prf_init(prfContext *context, const unsigned char *keyValue,
+ unsigned int keyLen)
+{
+ CK_RV crv;
+
+ context->hmac = NULL;
+ if (context->hashObj) {
+ context->hmac = HMAC_Create(context->hashObj,
+ keyValue, keyLen, PR_FALSE);
+ if (context->hmac == NULL) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ HMAC_Begin(context->hmac);
+ } else {
+ crv = sftk_aes_xcbc_get_keys(keyValue, keyLen, context->k1,
+ context->k2, context->k3);
+ if (crv != CKR_OK)
+ return crv;
+ context->nextChar = 0;
+ context->aes = AES_CreateContext(context->k1, iv_zero, NSS_AES_CBC,
+ PR_TRUE, sizeof(context->k1), AES_BLOCK_SIZE);
+ if (context->aes == NULL) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ PORT_Memset(context->k1, 0, sizeof(context->k1));
+ PORT_Memset(context->k2, 0, sizeof(context->k2));
+ PORT_Memset(context->k3, 0, sizeof(context->k2));
+ return crv;
+ }
+ }
+ return CKR_OK;
+}
+
+/*
+ * process input to the prf
+ */
+static CK_RV
+prf_update(prfContext *context, const unsigned char *buf, unsigned int len)
+{
+ 
unsigned int tmpLen; + SECStatus rv; + + if (context->hmac) { + HMAC_Update(context->hmac, buf, len); + } else { + /* AES MAC XCBC*/ + /* We must keep the last block back so that it can be processed in + * final. This is why we only check that nextChar + len > blocksize, + * rather than checking that nextChar + len >= blocksize */ + while (context->nextChar + len > AES_BLOCK_SIZE) { + if (context->nextChar != 0) { + /* first handle fill in any partial blocks in the buffer */ + unsigned int left = AES_BLOCK_SIZE - context->nextChar; + /* note: left can be zero */ + PORT_Memcpy(context->padBuf + context->nextChar, buf, left); + /* NOTE: AES MAC XCBC xors the data with the previous block + * We don't do that step here because our AES_Encrypt mode + * is CBC, which does the xor automatically */ + rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, + sizeof(context->macBuf), context->padBuf, + sizeof(context->padBuf)); + if (rv != SECSuccess) { + return sftk_MapCryptError(PORT_GetError()); + } + context->nextChar = 0; + len -= left; + buf += left; + } else { + /* optimization. if we have complete blocks to write out + * (and will still have leftover blocks for padbuf in the end). + * we can mac directly out of our buffer without first copying + * them to padBuf */ + rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, + sizeof(context->macBuf), buf, AES_BLOCK_SIZE); + if (rv != SECSuccess) { + return sftk_MapCryptError(PORT_GetError()); + } + len -= AES_BLOCK_SIZE; + buf += AES_BLOCK_SIZE; + } + } + PORT_Memcpy(context->padBuf + context->nextChar, buf, len); + context->nextChar += len; + } + return CKR_OK; +} + +/* + * free the data associated with the prf. Clear any possible CSPs + * This can safely be called on any context after prf_setup. It can + * also be called an an already freed context. + * A free context can be reused by calling prf_init again without + * the need to call prf_setup. 
+ */ +static void +prf_free(prfContext *context) +{ + if (context->hmac) { + HMAC_Destroy(context->hmac, PR_TRUE); + context->hmac = NULL; + } + if (context->aes) { + PORT_Memset(context->k1, 0, sizeof(context->k1)); + PORT_Memset(context->k2, 0, sizeof(context->k2)); + PORT_Memset(context->k3, 0, sizeof(context->k2)); + PORT_Memset(context->padBuf, 0, sizeof(context->padBuf)); + PORT_Memset(context->macBuf, 0, sizeof(context->macBuf)); + AES_DestroyContext(context->aes, PR_TRUE); + context->aes = NULL; + } +} + +/* + * extract the final prf value. On success, this has the side effect of + * also freeing the context data and clearing the keys + */ +static CK_RV +prf_final(prfContext *context, unsigned char *buf, unsigned int len) +{ + unsigned int tmpLen; + SECStatus rv; + + if (context->hmac) { + unsigned int outLen; + HMAC_Finish(context->hmac, buf, &outLen, len); + if (outLen != len) { + return CKR_GENERAL_ERROR; + } + } else { + /* prf_update had guarrenteed that the last full block is still in + * the padBuf if the input data is a multiple of the blocksize. This + * allows sftk_xcbc_mac_pad to process that pad buf accordingly */ + CK_RV crv = sftk_xcbc_mac_pad(context->padBuf, context->nextChar, + AES_BLOCK_SIZE, context->k2, context->k3); + if (crv != CKR_OK) { + return crv; + } + rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, + sizeof(context->macBuf), context->padBuf, AES_BLOCK_SIZE); + if (rv != SECSuccess) { + return sftk_MapCryptError(PORT_GetError()); + } + PORT_Memcpy(buf, context->macBuf, len); + } + prf_free(context); + return CKR_OK; +} + +/* + * There are four flavors of ike prf functions here. + * ike_prf is used in both ikeV1 and ikeV2 to generate + * an initial key that all the other keys are generated with. + * + * These functions are called from NSC_DeriveKey with the inKey value + * already looked up, and it expects the CKA_VALUE for outKey to be set. + * + * Depending on usage it returns either: + * 1. 
prf(Ni|Nr, inKey); (bDataAsKey=TRUE, bRekey=FALSE) + * 2. prf(inKey, Ni|Nr); (bDataAsKkey=FALSE, bRekey=FALSE) + * 3. prf(inKey, newKey | Ni | Nr); (bDataAsKey=FALSE, bRekey=TRUE) + * The resulting output key is always the length of the underlying prf + * (as returned by prf_length()). + * The combination of bDataAsKey=TRUE and bRekey=TRUE is not allowed + * + * Case 1 is used in + * a. ikev2 (rfc5996) inKey is called g^ir, the output is called SKEYSEED + * b. ikev1 (rfc2409) inKey is called g^ir, the output is called SKEYID + * Case 2 is used in ikev1 (rfc2409) inkey is called pre-shared-key, output + * is called SKEYID + * Case 3 is used in ikev2 (rfc5996) rekey case, inKey is SK_d, newKey is + * g^ir (new), the output is called SKEYSEED + */ +CK_RV +sftk_ike_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, + const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey) +{ + SFTKAttribute *newKeyValue = NULL; + SFTKObject *newKeyObj = NULL; + unsigned char outKeyData[HASH_LENGTH_MAX]; + unsigned char *newInKey = NULL; + unsigned int newInKeySize = 0; + unsigned int macSize; + CK_RV crv = CKR_OK; + prfContext context; + + crv = prf_setup(&context, params->prfMechanism); + if (crv != CKR_OK) { + return crv; + } + macSize = prf_length(&context); + if ((params->bDataAsKey) && (params->bRekey)) { + return CKR_ARGUMENTS_BAD; + } + if (params->bRekey) { + /* lookup the value of new key from the session and key handle */ + SFTKSession *session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + newKeyObj = sftk_ObjectFromHandle(params->hNewKey, session); + sftk_FreeSession(session); + if (newKeyObj == NULL) { + return CKR_KEY_HANDLE_INVALID; + } + newKeyValue = sftk_FindAttribute(newKeyObj, CKA_VALUE); + if (newKeyValue == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + } + if (params->bDataAsKey) { + /* The key is Ni || Np, so we need to concatenate them together first */ + newInKeySize = 
params->ulNiLen + params->ulNrLen; + newInKey = PORT_Alloc(newInKeySize); + if (newInKey == NULL) { + crv = CKR_HOST_MEMORY; + goto fail; + } + PORT_Memcpy(newInKey, params->pNi, params->ulNiLen); + PORT_Memcpy(newInKey + params->ulNiLen, params->pNr, params->ulNrLen); + crv = prf_init(&context, newInKey, newInKeySize); + if (crv != CKR_OK) { + goto fail; + } + /* key as the data */ + crv = prf_update(&context, inKey->attrib.pValue, + inKey->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + } else { + crv = prf_init(&context, inKey->attrib.pValue, + inKey->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + if (newKeyValue) { + crv = prf_update(&context, newKeyValue->attrib.pValue, + newKeyValue->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + } + crv = prf_update(&context, params->pNi, params->ulNiLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, params->pNr, params->ulNrLen); + if (crv != CKR_OK) { + goto fail; + } + } + crv = prf_final(&context, outKeyData, macSize); + if (crv != CKR_OK) { + goto fail; + } + + crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, macSize); +fail: + if (newInKey) { + PORT_ZFree(newInKey, newInKeySize); + } + if (newKeyValue) { + sftk_FreeAttribute(newKeyValue); + } + if (newKeyObj) { + sftk_FreeObject(newKeyObj); + } + PORT_Memset(outKeyData, 0, macSize); + prf_free(&context); + return crv; +} + +/* + * The second flavor of ike prf is ike1_prf. + * + * It is used by ikeV1 to generate the various session keys used in the + * connection. It uses the initial key, an optional previous key, and a one byte + * key number to generate a unique key for each of the various session + * functions (encryption, decryption, mac). These keys expect a key size + * (as they may vary in length based on usage). If no length is provided, + * it will default to the length of the prf. 
+ * + * This function returns either: + * prf(inKey, gxyKey || CKYi || CKYr || key_number) + * or + * prf(inKey, prevkey || gxyKey || CKYi || CKYr || key_number) + * depending on the stats of bHasPrevKey + * + * This is defined in rfc2409. For each of the following keys. + * inKey is SKEYID, gxyKey is g^xy + * for outKey = SKEYID_d, bHasPrevKey = false, key_number = 0 + * for outKey = SKEYID_a, prevKey= SKEYID_d, key_number = 1 + * for outKey = SKEYID_e, prevKey= SKEYID_a, key_number = 2 + */ +CK_RV +sftk_ike1_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, + const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey, + unsigned int keySize) +{ + SFTKAttribute *gxyKeyValue = NULL; + SFTKObject *gxyKeyObj = NULL; + SFTKAttribute *prevKeyValue = NULL; + SFTKObject *prevKeyObj = NULL; + SFTKSession *session; + unsigned char outKeyData[HASH_LENGTH_MAX]; + unsigned int macSize; + CK_RV crv; + prfContext context; + + crv = prf_setup(&context, params->prfMechanism); + if (crv != CKR_OK) { + return crv; + } + macSize = prf_length(&context); + if (keySize > macSize) { + return CKR_KEY_SIZE_RANGE; + } + if (keySize == 0) { + keySize = macSize; + } + + /* lookup the two keys from their passed in handles */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + gxyKeyObj = sftk_ObjectFromHandle(params->hKeygxy, session); + if (params->bHasPrevKey) { + prevKeyObj = sftk_ObjectFromHandle(params->hPrevKey, session); + } + sftk_FreeSession(session); + if ((gxyKeyObj == NULL) || ((params->bHasPrevKey) && + (prevKeyObj == NULL))) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + gxyKeyValue = sftk_FindAttribute(gxyKeyObj, CKA_VALUE); + if (gxyKeyValue == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + if (prevKeyObj) { + prevKeyValue = sftk_FindAttribute(prevKeyObj, CKA_VALUE); + if (prevKeyValue == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + } + + /* outKey = prf(inKey, 
[prevKey|] gxyKey | CKYi | CKYr | keyNumber) */ + crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + if (prevKeyValue) { + crv = prf_update(&context, prevKeyValue->attrib.pValue, + prevKeyValue->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + } + crv = prf_update(&context, gxyKeyValue->attrib.pValue, + gxyKeyValue->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, params->pCKYi, params->ulCKYiLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, params->pCKYr, params->ulCKYrLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, ¶ms->keyNumber, 1); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_final(&context, outKeyData, macSize); + if (crv != CKR_OK) { + goto fail; + } + + crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); +fail: + if (gxyKeyValue) { + sftk_FreeAttribute(gxyKeyValue); + } + if (prevKeyValue) { + sftk_FreeAttribute(prevKeyValue); + } + if (gxyKeyObj) { + sftk_FreeObject(gxyKeyObj); + } + if (prevKeyObj) { + sftk_FreeObject(prevKeyObj); + } + PORT_Memset(outKeyData, 0, macSize); + prf_free(&context); + return crv; +} + +/* + * The third flavor of ike prf is ike1_appendix_b. + * + * It is used by ikeV1 to generate longer key material from skeyid_e. + * Unlike ike1_prf, if no length is provided, this function + * will generate a KEY_RANGE_ERROR. + * + * This function returns (from rfc2409 appendix b): + * Ka = K1 | K2 | K3 | K4 |... Kn + * where: + * K1 = prf(K, [gxyKey]|[extraData]) or prf(K, 0) if gxyKey and extraData + * ar not present. + * K2 = prf(K, K1|[gxyKey]|[extraData]) + * K3 = prf(K, K2|[gxyKey]|[extraData]) + * K4 = prf(K, K3|[gxyKey]|[extraData]) + * . 
+ * Kn = prf(K, K(n-1)|[gxyKey]|[extraData]) + * K = inKey + */ +CK_RV +sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, + const CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *params, + SFTKObject *outKey, unsigned int keySize) +{ + SFTKAttribute *gxyKeyValue = NULL; + SFTKObject *gxyKeyObj = NULL; + unsigned char *outKeyData = NULL; + unsigned char *thisKey = NULL; + unsigned char *lastKey = NULL; + unsigned int macSize; + unsigned int outKeySize; + unsigned int genKeySize; + PRBool quickMode = PR_FALSE; + CK_RV crv; + prfContext context; + + if ((params->ulExtraDataLen != 0) && (params->pExtraData == NULL)) { + return CKR_ARGUMENTS_BAD; + } + crv = prf_setup(&context, params->prfMechanism); + if (crv != CKR_OK) { + return crv; + } + + if (params->bHasKeygxy) { + SFTKSession *session; + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + gxyKeyObj = sftk_ObjectFromHandle(params->hKeygxy, session); + sftk_FreeSession(session); + if (gxyKeyObj == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + gxyKeyValue = sftk_FindAttribute(gxyKeyObj, CKA_VALUE); + if (gxyKeyValue == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + quickMode = PR_TRUE; + } + + if (params->ulExtraDataLen != 0) { + quickMode = PR_TRUE; + } + + macSize = prf_length(&context); + + if (keySize == 0) { + keySize = macSize; + } + + /* In appendix B, we are just expanding or contracting a single key. + * If the input key is less than or equal to the the key size we want, + * just subset the original key. 
In quick mode we are actually getting + * new keys (salted with our seed data and our gxy key), so we want to + * run through our algorithm */ + if ((!quickMode) && (keySize <= inKey->attrib.ulValueLen)) { + return sftk_forceAttribute(outKey, CKA_VALUE, + inKey->attrib.pValue, keySize); + } + + outKeySize = PR_ROUNDUP(keySize, macSize); + outKeyData = PORT_Alloc(outKeySize); + if (outKeyData == NULL) { + crv = CKR_HOST_MEMORY; + goto fail; + } + + /* + * this loop generates on block of the prf, basically + * kn = prf(key, Kn-1 | [Keygxy] | [ExtraData]) + * Kn is thisKey, Kn-1 is lastKey + * key is inKey + */ + thisKey = outKeyData; + for (genKeySize = 0; genKeySize < keySize; genKeySize += macSize) { + PRBool hashedData = PR_FALSE; + crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + if (lastKey != NULL) { + crv = prf_update(&context, lastKey, macSize); + if (crv != CKR_OK) { + goto fail; + } + hashedData = PR_TRUE; + } + if (gxyKeyValue != NULL) { + crv = prf_update(&context, gxyKeyValue->attrib.pValue, + gxyKeyValue->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + hashedData = PR_TRUE; + } + if (params->ulExtraDataLen != 0) { + crv = prf_update(&context, params->pExtraData, params->ulExtraDataLen); + if (crv != CKR_OK) { + goto fail; + } + hashedData = PR_TRUE; + } + /* if we haven't hashed anything yet, hash a zero */ + if (hashedData == PR_FALSE) { + const unsigned char zero = 0; + crv = prf_update(&context, &zero, 1); + if (crv != CKR_OK) { + goto fail; + } + } + crv = prf_final(&context, thisKey, macSize); + if (crv != CKR_OK) { + goto fail; + } + lastKey = thisKey; + thisKey += macSize; + } + crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); +fail: + if (gxyKeyValue) { + sftk_FreeAttribute(gxyKeyValue); + } + if (gxyKeyObj) { + sftk_FreeObject(gxyKeyObj); + } + if (outKeyData) { + PORT_ZFree(outKeyData, outKeySize); + } + prf_free(&context); + return crv; +} + +/* 
+ * The final flavor of ike prf is ike_prf_plus + * + * It is used by ikeV2 to generate the various session keys used in the + * connection. It uses the initial key and a feedback version of the prf + * to generate sufficient bytes to cover all the session keys. The application + * will then use CK_EXTRACT_KEY_FROM_KEY to pull out the various subkeys. + * This function expects a key size to be set by the application to cover + * all the keys. Unlike ike1_prf, if no length is provided, this function + * will generate a KEY_RANGE_ERROR + * + * This function returns (from rfc5996): + * prfplus = T1 | T2 | T3 | T4 |... Tn + * where: + * T1 = prf(K, S | 0x01) + * T2 = prf(K, T1 | S | 0x02) + * T3 = prf(K, T3 | S | 0x03) + * T4 = prf(K, T4 | S | 0x04) + * . + * Tn = prf(K, T(n-1) | n) + * K = inKey, S = seedKey | seedData + */ + +static CK_RV +sftk_ike_prf_plus_raw(CK_SESSION_HANDLE hSession, + const unsigned char *inKeyData, CK_ULONG inKeyLen, + const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, + unsigned char **outKeyDataPtr, unsigned int *outKeySizePtr, + unsigned int keySize) +{ + SFTKAttribute *seedValue = NULL; + SFTKObject *seedKeyObj = NULL; + unsigned char *outKeyData = NULL; + unsigned int outKeySize; + unsigned char *thisKey; + unsigned char *lastKey = NULL; + unsigned char currentByte = 0; + unsigned int getKeySize; + unsigned int macSize; + CK_RV crv; + prfContext context; + + if (keySize == 0) { + return CKR_KEY_SIZE_RANGE; + } + + crv = prf_setup(&context, params->prfMechanism); + if (crv != CKR_OK) { + return crv; + } + /* pull in optional seedKey */ + if (params->bHasSeedKey) { + SFTKSession *session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + seedKeyObj = sftk_ObjectFromHandle(params->hSeedKey, session); + sftk_FreeSession(session); + if (seedKeyObj == NULL) { + return CKR_KEY_HANDLE_INVALID; + } + seedValue = sftk_FindAttribute(seedKeyObj, CKA_VALUE); + if (seedValue == NULL) { + crv = 
CKR_KEY_HANDLE_INVALID; + goto fail; + } + } else if (params->ulSeedDataLen == 0) { + crv = CKR_ARGUMENTS_BAD; + goto fail; + } + macSize = prf_length(&context); + outKeySize = PR_ROUNDUP(keySize, macSize); + outKeyData = PORT_Alloc(outKeySize); + if (outKeyData == NULL) { + crv = CKR_HOST_MEMORY; + goto fail; + } + + /* + * this loop generates on block of the prf, basically + * Tn = prf(key, Tn-1 | S | n) + * Tn is thisKey, Tn-2 is lastKey, S is seedKey || seedData, + * key is inKey. currentByte = n-1 on entry. + */ + thisKey = outKeyData; + for (getKeySize = 0; getKeySize < keySize; getKeySize += macSize) { + /* if currentByte is 255, we'll overflow when we increment it below. + * This can only happen if keysize > 255*macSize. In that case + * the application has asked for too much key material, so return + * an error */ + if (currentByte == 255) { + crv = CKR_KEY_SIZE_RANGE; + goto fail; + } + crv = prf_init(&context, inKeyData, inKeyLen); + if (crv != CKR_OK) { + goto fail; + } + + if (lastKey) { + crv = prf_update(&context, lastKey, macSize); + if (crv != CKR_OK) { + goto fail; + } + } + /* prf the key first */ + if (seedValue) { + crv = prf_update(&context, seedValue->attrib.pValue, + seedValue->attrib.ulValueLen); + if (crv != CKR_OK) { + goto fail; + } + } + /* then prf the data */ + if (params->ulSeedDataLen != 0) { + crv = prf_update(&context, params->pSeedData, + params->ulSeedDataLen); + if (crv != CKR_OK) { + goto fail; + } + } + currentByte++; + crv = prf_update(&context, ¤tByte, 1); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_final(&context, thisKey, macSize); + if (crv != CKR_OK) { + goto fail; + } + lastKey = thisKey; + thisKey += macSize; + } + *outKeyDataPtr = outKeyData; + *outKeySizePtr = outKeySize; + outKeyData = NULL; /* don't free it here, our caller will free it */ +fail: + if (outKeyData) { + PORT_ZFree(outKeyData, outKeySize); + } + if (seedValue) { + sftk_FreeAttribute(seedValue); + } + if (seedKeyObj) { + 
sftk_FreeObject(seedKeyObj); + } + prf_free(&context); + return crv; +} + +/* + * ike prf + with code to deliever results tosoftoken objects. + */ +CK_RV +sftk_ike_prf_plus(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, + const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey, + unsigned int keySize) +{ + unsigned char *outKeyData = NULL; + unsigned int outKeySize; + CK_RV crv; + + crv = sftk_ike_prf_plus_raw(hSession, inKey->attrib.pValue, + inKey->attrib.ulValueLen, params, + &outKeyData, &outKeySize, keySize); + if (crv != CKR_OK) { + return crv; + } + + crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); + PORT_ZFree(outKeyData, outKeySize); + return crv; +} + +/* sftk_aes_xcbc_new_keys: + * + * aes xcbc creates 3 new keys from the input key. The first key will be the + * base key of the underlying cbc. The sign code hooks directly into encrypt + * so we'll have to create a full PKCS #11 key with handle for that key. The + * caller needs to delete the key when it's through setting up the context. + * + * The other two keys will be stored in the sign context until we need them + * at the end. 
+ */ +CK_RV +sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey, + unsigned char *k2, unsigned char *k3) +{ + SFTKObject *key = NULL; + SFTKSession *session = NULL; + SFTKObject *inKeyObj = NULL; + SFTKAttribute *inKeyValue = NULL; + CK_KEY_TYPE key_type = CKK_AES; + CK_OBJECT_CLASS objclass = CKO_SECRET_KEY; + CK_BBOOL ck_true = CK_TRUE; + CK_RV crv = CKR_OK; + SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); + unsigned char buf[AES_BLOCK_SIZE]; + + if (!slot) { + return CKR_SESSION_HANDLE_INVALID; + } + + /* get the session */ + session = sftk_SessionFromHandle(hSession); + if (session == NULL) { + crv = CKR_SESSION_HANDLE_INVALID; + goto fail; + } + + inKeyObj = sftk_ObjectFromHandle(hKey, session); + if (inKeyObj == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + + inKeyValue = sftk_FindAttribute(inKeyObj, CKA_VALUE); + if (inKeyValue == NULL) { + crv = CKR_KEY_HANDLE_INVALID; + goto fail; + } + + crv = sftk_aes_xcbc_get_keys(inKeyValue->attrib.pValue, + inKeyValue->attrib.ulValueLen, buf, k2, k3); + + if (crv != CKR_OK) { + goto fail; + } + + /* + * now lets create an object to hang the attributes off of + */ + key = sftk_NewObject(slot); /* fill in the handle later */ + if (key == NULL) { + crv = CKR_HOST_MEMORY; + goto fail; + } + + /* make sure we don't have any class, key_type, or value fields */ + sftk_DeleteAttributeType(key, CKA_CLASS); + sftk_DeleteAttributeType(key, CKA_KEY_TYPE); + sftk_DeleteAttributeType(key, CKA_VALUE); + sftk_DeleteAttributeType(key, CKA_SIGN); + + /* Add the class, key_type, and value */ + crv = sftk_AddAttributeType(key, CKA_CLASS, &objclass, sizeof(CK_OBJECT_CLASS)); + if (crv != CKR_OK) { + goto fail; + } + crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE)); + if (crv != CKR_OK) { + goto fail; + } + crv = sftk_AddAttributeType(key, CKA_SIGN, &ck_true, sizeof(CK_BBOOL)); + if (crv != CKR_OK) { + goto fail; + } + crv = 
sftk_AddAttributeType(key, CKA_VALUE, buf, AES_BLOCK_SIZE); + if (crv != CKR_OK) { + goto fail; + } + + /* + * finish filling in the key and link it with our global system. + */ + crv = sftk_handleObject(key, session); + if (crv != CKR_OK) { + goto fail; + } + *phKey = key->handle; +fail: + if (session) { + sftk_FreeSession(session); + } + + if (inKeyValue) { + sftk_FreeAttribute(inKeyValue); + } + if (inKeyObj) { + sftk_FreeObject(inKeyObj); + } + if (key) { + sftk_FreeObject(key); + } + /* clear our CSPs */ + PORT_Memset(buf, 0, sizeof(buf)); + if (crv != CKR_OK) { + PORT_Memset(k2, 0, AES_BLOCK_SIZE); + PORT_Memset(k3, 0, AES_BLOCK_SIZE); + } + return crv; +} + +/* + * Helper function that tests a single prf test vector + */ +static SECStatus +prf_test(CK_MECHANISM_TYPE mech, + const unsigned char *inKey, unsigned int inKeyLen, + const unsigned char *plainText, unsigned int plainTextLen, + const unsigned char *expectedResult, unsigned int expectedResultLen) +{ + PRUint8 ike_computed_mac[HASH_LENGTH_MAX]; + prfContext context; + unsigned int macSize; + CK_RV crv; + + crv = prf_setup(&context, mech); + if (crv != CKR_OK) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + macSize = prf_length(&context); + crv = prf_init(&context, inKey, inKeyLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, plainText, plainTextLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_final(&context, ike_computed_mac, macSize); + if (crv != CKR_OK) { + goto fail; + } + + if (macSize != expectedResultLen) { + goto fail; + } + if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) { + goto fail; + } + + /* only do the alignment if the plaintext is long enough */ + if (plainTextLen <= macSize) { + return SECSuccess; + } + prf_free(&context); + /* do it again, but this time tweak with the alignment */ + crv = prf_init(&context, inKey, inKeyLen); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, plainText, 1); + 
if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, &plainText[1], macSize); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_update(&context, &plainText[1 + macSize], plainTextLen - (macSize + 1)); + if (crv != CKR_OK) { + goto fail; + } + crv = prf_final(&context, ike_computed_mac, macSize); + if (crv != CKR_OK) { + goto fail; + } + if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) { + goto fail; + } + prf_free(&context); + return SECSuccess; +fail: + prf_free(&context); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; +} + +/* + * FIPS Power up Self Tests for IKE. This is in this function so it + * can access the private prf_ functions here. It's called out of fipstest.c + */ +SECStatus +sftk_fips_IKE_PowerUpSelfTests(void) +{ + /* PRF known test vectors */ + static const PRUint8 ike_xcbc_known_key[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f + }; + static const PRUint8 ike_xcbc_known_plain_text[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f + }; + static const PRUint8 ike_xcbc_known_mac[] = { + 0xd2, 0xa2, 0x46, 0xfa, 0x34, 0x9b, 0x68, 0xa7, + 0x99, 0x98, 0xa4, 0x39, 0x4f, 0xf7, 0xa2, 0x63 + }; + /* test 2 uses the same key as test 1 */ + static const PRUint8 ike_xcbc_known_plain_text_2[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13 + }; + static const PRUint8 ike_xcbc_known_mac_2[] = { + 0x47, 0xf5, 0x1b, 0x45, 0x64, 0x96, 0x62, 0x15, + 0xb8, 0x98, 0x5c, 0x63, 0x05, 0x5e, 0xd3, 0x08 + }; + static const PRUint8 ike_xcbc_known_key_3[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09 + }; + /* test 3 uses the same plaintest as test 2 */ + static const PRUint8 ike_xcbc_known_mac_3[] = { + 0x0f, 0xa0, 0x87, 0xaf, 0x7d, 0x86, 0x6e, 0x76, + 0x53, 0x43, 0x4e, 0x60, 0x2f, 0xdd, 0xe8, 0x35 + }; + static 
const PRUint8 ike_xcbc_known_key_4[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0xed, 0xcb + }; + /* test 4 uses the same plaintest as test 2 */ + static const PRUint8 ike_xcbc_known_mac_4[] = { + 0x8c, 0xd3, 0xc9, 0x3a, 0xe5, 0x98, 0xa9, 0x80, + 0x30, 0x06, 0xff, 0xb6, 0x7c, 0x40, 0xe9, 0xe4 + }; + static const PRUint8 ike_sha1_known_key[] = { + 0x59, 0x98, 0x2b, 0x5b, 0xa5, 0x7e, 0x62, 0xc0, + 0x46, 0x0d, 0xef, 0xc7, 0x1e, 0x18, 0x64, 0x63 + }; + static const PRUint8 ike_sha1_known_plain_text[] = { + 0x1c, 0x07, 0x32, 0x1a, 0x9a, 0x7e, 0x41, 0xcd, + 0x88, 0x0c, 0xa3, 0x7a, 0xdb, 0x10, 0xc7, 0x3b, + 0xf0, 0x0e, 0x7a, 0xe3, 0xcf, 0xc6, 0xfd, 0x8b, + 0x51, 0xbc, 0xe2, 0xb9, 0x90, 0xe6, 0xf2, 0x01 + }; + static const PRUint8 ike_sha1_known_mac[] = { + 0x0c, 0x2a, 0xf3, 0x42, 0x97, 0x15, 0x62, 0x1d, + 0x2a, 0xad, 0xc9, 0x94, 0x5a, 0x90, 0x26, 0xfa, + 0xc7, 0x91, 0xe2, 0x4b + }; + static const PRUint8 ike_sha256_known_key[] = { + 0x9d, 0xa2, 0xd5, 0x8f, 0x57, 0xf0, 0x39, 0xf9, + 0x20, 0x4e, 0x0d, 0xd0, 0xef, 0x04, 0xf3, 0x72 + }; + static const PRUint8 ike_sha256_known_plain_text[] = { + 0x33, 0xf1, 0x7a, 0xfc, 0xb6, 0x13, 0x4c, 0xbf, + 0x1c, 0xab, 0x59, 0x87, 0x7d, 0x42, 0xdb, 0x35, + 0x82, 0x22, 0x6e, 0xff, 0x74, 0xdd, 0x37, 0xeb, + 0x8b, 0x75, 0xe6, 0x75, 0x64, 0x5f, 0xc1, 0x69 + }; + static const PRUint8 ike_sha256_known_mac[] = { + 0x80, 0x4b, 0x4a, 0x1e, 0x0e, 0xc5, 0x93, 0xcf, + 0xb6, 0xe4, 0x54, 0x52, 0x41, 0x49, 0x39, 0x6d, + 0xe2, 0x34, 0xd0, 0xda, 0xe2, 0x9f, 0x34, 0xa8, + 0xfd, 0xb5, 0xf9, 0xaf, 0xe7, 0x6e, 0xa6, 0x52 + }; + static const PRUint8 ike_sha384_known_key[] = { + 0xce, 0xc8, 0x9d, 0x84, 0x5a, 0xdd, 0x83, 0xef, + 0xce, 0xbd, 0x43, 0xab, 0x71, 0xd1, 0x7d, 0xb9 + }; + static const PRUint8 ike_sha384_known_plain_text[] = { + 0x17, 0x24, 0xdb, 0xd8, 0x93, 0x52, 0x37, 0x64, + 0xbf, 0xef, 0x8c, 0x6f, 0xa9, 0x27, 0x85, 0x6f, + 0xcc, 0xfb, 0x77, 0xae, 0x25, 0x43, 0x58, 0xcc, + 0xe2, 0x9c, 
0x27, 0x69, 0xa3, 0x29, 0x15, 0xc1 + }; + static const PRUint8 ike_sha384_known_mac[] = { + 0x6e, 0x45, 0x14, 0x61, 0x0b, 0xf8, 0x2d, 0x0a, + 0xb7, 0xbf, 0x02, 0x60, 0x09, 0x6f, 0x61, 0x46, + 0xa1, 0x53, 0xc7, 0x12, 0x07, 0x1a, 0xbb, 0x63, + 0x3c, 0xed, 0x81, 0x3c, 0x57, 0x21, 0x56, 0xc7, + 0x83, 0xe3, 0x68, 0x74, 0xa6, 0x5a, 0x64, 0x69, + 0x0c, 0xa7, 0x01, 0xd4, 0x0d, 0x56, 0xea, 0x18 + }; + static const PRUint8 ike_sha512_known_key[] = { + 0xac, 0xad, 0xc6, 0x31, 0x4a, 0x69, 0xcf, 0xcd, + 0x4e, 0x4a, 0xd1, 0x77, 0x18, 0xfe, 0xa7, 0xce + }; + static const PRUint8 ike_sha512_known_plain_text[] = { + 0xb1, 0x5a, 0x9c, 0xfc, 0xe8, 0xc8, 0xd7, 0xea, + 0xb8, 0x79, 0xd6, 0x24, 0x30, 0x29, 0xd4, 0x01, + 0x88, 0xd3, 0xb7, 0x40, 0x87, 0x5a, 0x6a, 0xc6, + 0x2f, 0x56, 0xca, 0xc4, 0x37, 0x7e, 0x2e, 0xdd + }; + static const PRUint8 ike_sha512_known_mac[] = { + 0xf0, 0x5a, 0xa0, 0x36, 0xdf, 0xce, 0x45, 0xa5, + 0x58, 0xd4, 0x04, 0x18, 0xde, 0xa9, 0x80, 0x96, + 0xe5, 0x19, 0xbc, 0x78, 0x41, 0xe3, 0xdb, 0x3d, + 0xd9, 0x36, 0x58, 0xd1, 0x18, 0xc3, 0xe8, 0x3b, + 0x50, 0x2f, 0x39, 0x8e, 0xcb, 0x13, 0x61, 0xec, + 0x77, 0xd3, 0x8a, 0x88, 0x55, 0xef, 0xff, 0x40, + 0x7f, 0x6f, 0x77, 0x2e, 0x5d, 0x65, 0xb5, 0x8e, + 0xb1, 0x13, 0x40, 0x96, 0xe8, 0x47, 0x8d, 0x2b + }; + static const PRUint8 ike_known_sha256_prf_plus[] = { + 0xe6, 0xf1, 0x9b, 0x4a, 0x02, 0xe9, 0x73, 0x72, + 0x93, 0x9f, 0xdb, 0x46, 0x1d, 0xb1, 0x49, 0xcb, + 0x53, 0x08, 0x98, 0x3d, 0x41, 0x36, 0xfa, 0x8b, + 0x47, 0x04, 0x49, 0x11, 0x0d, 0x6e, 0x96, 0x1d, + 0xab, 0xbe, 0x94, 0x28, 0xa0, 0xb7, 0x9c, 0xa3, + 0x29, 0xe1, 0x40, 0xf8, 0xf8, 0x88, 0xb9, 0xb5, + 0x40, 0xd4, 0x54, 0x4d, 0x25, 0xab, 0x94, 0xd4, + 0x98, 0xd8, 0x00, 0xbf, 0x6f, 0xef, 0xe8, 0x39 + }; + SECStatus rv; + CK_RV crv; + unsigned char *outKeyData = NULL; + unsigned int outKeySize; + CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ike_params; + + rv = prf_test(CKM_AES_XCBC_MAC, + ike_xcbc_known_key, sizeof(ike_xcbc_known_key), + ike_xcbc_known_plain_text, 
sizeof(ike_xcbc_known_plain_text), + ike_xcbc_known_mac, sizeof(ike_xcbc_known_mac)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_AES_XCBC_MAC, + ike_xcbc_known_key, sizeof(ike_xcbc_known_key), + ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), + ike_xcbc_known_mac_2, sizeof(ike_xcbc_known_mac_2)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_AES_XCBC_MAC, + ike_xcbc_known_key_3, sizeof(ike_xcbc_known_key_3), + ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), + ike_xcbc_known_mac_3, sizeof(ike_xcbc_known_mac_3)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_AES_XCBC_MAC, + ike_xcbc_known_key_4, sizeof(ike_xcbc_known_key_4), + ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), + ike_xcbc_known_mac_4, sizeof(ike_xcbc_known_mac_4)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_SHA_1_HMAC, + ike_sha1_known_key, sizeof(ike_sha1_known_key), + ike_sha1_known_plain_text, sizeof(ike_sha1_known_plain_text), + ike_sha1_known_mac, sizeof(ike_sha1_known_mac)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_SHA256_HMAC, + ike_sha256_known_key, sizeof(ike_sha256_known_key), + ike_sha256_known_plain_text, + sizeof(ike_sha256_known_plain_text), + ike_sha256_known_mac, sizeof(ike_sha256_known_mac)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_SHA384_HMAC, + ike_sha384_known_key, sizeof(ike_sha384_known_key), + ike_sha384_known_plain_text, + sizeof(ike_sha384_known_plain_text), + ike_sha384_known_mac, sizeof(ike_sha384_known_mac)); + if (rv != SECSuccess) + return rv; + rv = prf_test(CKM_SHA512_HMAC, + ike_sha512_known_key, sizeof(ike_sha512_known_key), + ike_sha512_known_plain_text, + sizeof(ike_sha512_known_plain_text), + ike_sha512_known_mac, sizeof(ike_sha512_known_mac)); + + ike_params.prfMechanism = CKM_SHA256_HMAC; + ike_params.bHasSeedKey = PR_FALSE; + ike_params.hSeedKey = CK_INVALID_HANDLE; + ike_params.pSeedData = 
(CK_BYTE_PTR)ike_sha256_known_plain_text; + ike_params.ulSeedDataLen = sizeof(ike_sha256_known_plain_text); + crv = sftk_ike_prf_plus_raw(CK_INVALID_HANDLE, ike_sha256_known_key, + sizeof(ike_sha256_known_key), &ike_params, + &outKeyData, &outKeySize, 64); + if ((crv != CKR_OK) || + (outKeySize != sizeof(ike_known_sha256_prf_plus)) || + (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus, + sizeof(ike_known_sha256_prf_plus)) != 0)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + PORT_ZFree(outKeyData, outKeySize); + return rv; +} diff --git a/security/nss/lib/softoken/sftkmessage.c b/security/nss/lib/softoken/sftkmessage.c new file mode 100644 index 0000000000..3e45445e8e --- /dev/null +++ b/security/nss/lib/softoken/sftkmessage.c 
@@ -0,0 +1,377 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file implements PKCS 11 on top of our existing security modules + * + * Implement the PKCS #11 v3.0 Message interfaces + */ +#include "seccomon.h" +#include "pkcs11.h" +#include "pkcs11i.h" +#include "blapi.h" +#include "prenv.h" +#include "softoken.h" + +static SECStatus +sftk_ChaCha20_Poly1305_Message_Encrypt(ChaCha20Poly1305Context *ctx, + unsigned char *cipherText, unsigned int *cipherTextLen, + unsigned int maxOutLen, const unsigned char *plainText, + unsigned int plainTextLen, + CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *params, + unsigned int paramsLen, const unsigned char *aad, + unsigned int aadLen) +{ + return ChaCha20Poly1305_Encrypt(ctx, cipherText, cipherTextLen, maxOutLen, + plainText, plainTextLen, params->pNonce, params->ulNonceLen, + aad, aadLen, params->pTag); +} +static SECStatus +sftk_ChaCha20_Poly1305_Message_Decrypt(ChaCha20Poly1305Context *ctx, + unsigned char *plainText, unsigned int *plainTextLen, + unsigned int maxOutLen, const unsigned char *cipherText, + unsigned int cipherTextLen, + CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *params, + unsigned int paramsLen, const unsigned char *aad, + unsigned int aadLen) +{ + return ChaCha20Poly1305_Decrypt(ctx, plainText, plainTextLen, maxOutLen, + cipherText, cipherTextLen, params->pNonce, params->ulNonceLen, + aad, aadLen, params->pTag); +} + +/* + * Handle AEAD Encryption operation + * + * The setup is similiar to sftk_CryptInit except we set the aeadUpdate + * function instead of the normal update function. This function handles + * both the Encrypt case and the Decrypt case. 
+ */ +static CK_RV +sftk_MessageCryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey, SFTKContextType contextType, + CK_ATTRIBUTE_TYPE operation, PRBool encrypt) +{ + SFTKSession *session; + SFTKObject *key; + SFTKSessionContext *context; + SFTKAttribute *att; + CK_KEY_TYPE key_type; + CK_RV crv = CKR_OK; + + if (!pMechanism) { + return CKR_MECHANISM_PARAM_INVALID; + } + + crv = sftk_MechAllowsOperation(pMechanism->mechanism, + CKA_NSS_MESSAGE | operation); + if (crv != CKR_OK) + return crv; + + session = sftk_SessionFromHandle(hSession); + if (session == NULL) + return CKR_SESSION_HANDLE_INVALID; + + crv = sftk_InitGeneric(session, pMechanism, &context, contextType, &key, + hKey, &key_type, CKO_SECRET_KEY, operation); + if (crv != CKR_OK) { + sftk_FreeSession(session); + return crv; + } + + att = sftk_FindAttribute(key, CKA_VALUE); + if (att == NULL) { + sftk_FreeSession(session); + sftk_FreeContext(context); + return CKR_KEY_HANDLE_INVALID; + } + + context->doPad = PR_FALSE; + context->multi = PR_TRUE; /* All message are 'multi' operations */ + + switch (pMechanism->mechanism) { + case CKM_AES_GCM: + context->cipherInfo = AES_CreateContext( + (unsigned char *)att->attrib.pValue, + NULL, NSS_AES_GCM, encrypt, att->attrib.ulValueLen, + AES_BLOCK_SIZE); + context->aeadUpdate = (SFTKAEADCipher)AES_AEAD; + context->destroy = (SFTKDestroy)AES_DestroyContext; + break; + case CKM_CHACHA20_POLY1305: + context->cipherInfo = ChaCha20Poly1305_CreateContext( + (unsigned char *)att->attrib.pValue, att->attrib.ulValueLen, + 16); + context->aeadUpdate = (SFTKAEADCipher)(encrypt ? 
sftk_ChaCha20_Poly1305_Message_Encrypt : sftk_ChaCha20_Poly1305_Message_Decrypt); + context->destroy = (SFTKDestroy)ChaCha20Poly1305_DestroyContext; + break; + default: + crv = CKR_MECHANISM_INVALID; + break; + } + if (context->cipherInfo == NULL) { + crv = sftk_MapCryptError(PORT_GetError()); + if (crv == CKR_OK) { + crv = CKR_GENERAL_ERROR; + } + } + if (crv != CKR_OK) { + sftk_FreeContext(context); + sftk_FreeSession(session); + return crv; + } + sftk_SetContextByType(session, contextType, context); + sftk_FreeSession(session); + return CKR_OK; +} + +/* + * Generic handler for the actual encryption/decryption. Each call handles + * The authentication data for the entire block. Multiple calls using + * BeginMessage and NextMessage are not supported and CKF_MESSSAGE_MULTI is + * not set on the supported algorithms + */ +static CK_RV +sftk_CryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pIntext, + CK_ULONG ulIntextLen, CK_BYTE_PTR pOuttext, + CK_ULONG_PTR pulOuttextLen, SFTKContextType contextType) +{ + SFTKSessionContext *context; + unsigned int outlen; + unsigned int maxout = *pulOuttextLen; + CK_RV crv; + SECStatus rv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + + if (!pOuttext) { + *pulOuttextLen = ulIntextLen; + return CKR_OK; + } + rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen, + maxout, pIntext, ulIntextLen, + pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen); + + if (rv != SECSuccess) { + if (contextType == SFTK_MESSAGE_ENCRYPT) { + return sftk_MapCryptError(PORT_GetError()); + } else { + return sftk_MapDecryptError(PORT_GetError()); + } + } + *pulOuttextLen = (CK_ULONG)(outlen); + return CKR_OK; +} + +/* + * Common message cleanup rountine + */ +static CK_RV 
+sftk_MessageCryptFinal(CK_SESSION_HANDLE hSession, + SFTKContextType contextType) +{ + SFTKSession *session; + SFTKSessionContext *context; + CK_RV crv; + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + sftk_TerminateOp(session, contextType, context); + sftk_FreeSession(session); + return CKR_OK; +} + +/* MessageEncrypt and EncryptMessage functions just use the helper functions + * above */ +CK_RV +NSC_MessageEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + return sftk_MessageCryptInit(hSession, pMechanism, hKey, + SFTK_MESSAGE_ENCRYPT, CKA_ENCRYPT, PR_TRUE); +} + +CK_RV +NSC_EncryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext, + CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext, + CK_ULONG_PTR pulCiphertextLen) +{ + return sftk_CryptMessage(hSession, pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen, pPlaintext, + ulPlaintextLen, pCiphertext, pulCiphertextLen, + SFTK_MESSAGE_ENCRYPT); +} + +/* + * We only support the single shot function. The Begin/Next version can be + * dealt with if we need to support S/MIME or something. It would probably + * just buffer rather then returning intermediate results. 
+ */ +CK_RV +NSC_EncryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_EncryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_MessageEncryptFinal(CK_SESSION_HANDLE hSession) +{ + return sftk_MessageCryptFinal(hSession, SFTK_MESSAGE_ENCRYPT); +} + +/* MessageDecrypt and DecryptMessage functions just use the helper functions + * above */ +CK_RV +NSC_MessageDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + return sftk_MessageCryptInit(hSession, pMechanism, hKey, + SFTK_MESSAGE_DECRYPT, CKA_DECRYPT, PR_FALSE); +} + +CK_RV +NSC_DecryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext, + CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext, + CK_ULONG_PTR pulPlaintextLen) +{ + return sftk_CryptMessage(hSession, pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen, pCiphertext, + ulCiphertextLen, pPlaintext, pulPlaintextLen, + SFTK_MESSAGE_DECRYPT); +} + +/* + * We only support the single shot function. The Begin/Next version can be + * dealt with if we need to support S/MIME or something. It would probably + * just buffer rather then returning intermediate results. This is expecially + * true for decrypt, which isn't supposed to return any data unless it's been + * authenticated (which can't happen until the last block is processed). 
+ */ +CK_RV +NSC_DecryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData, + CK_ULONG ulAssociatedDataLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_DecryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart, + CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart, + CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_MessageDecryptFinal(CK_SESSION_HANDLE hSession) +{ + return sftk_MessageCryptFinal(hSession, SFTK_MESSAGE_DECRYPT); +} + +/* + * There are no mechanisms defined to use the MessageSign and MessageVerify + * interfaces yet, so we don't need to implement anything. + */ +CK_RV +NSC_MessageSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_SignMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, CK_ULONG ulDataLen, + CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_SignMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_SignMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_MessageSignFinal(CK_SESSION_HANDLE hSession) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_MessageVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_VerifyMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG 
ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_VerifyMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_VerifyMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter, + CK_ULONG ulParameterLen, CK_BYTE_PTR pData, + CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV +NSC_MessageVerifyFinal(CK_SESSION_HANDLE hSession) +{ + return CKR_FUNCTION_NOT_SUPPORTED; +} diff --git a/security/nss/lib/softoken/sftkpars.c b/security/nss/lib/softoken/sftkpars.c new file mode 100644 index 0000000000..fdd08648fc --- /dev/null +++ b/security/nss/lib/softoken/sftkpars.c 
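Review bot: sftk_ChaCha20_Poly1305_Message_Encrypt and sftk_ChaCha20_Poly1305_Message_Decrypt read `params->pNonce`, `params->ulNonceLen` and `params->pTag` without ever consulting `paramsLen`, and sftk_CryptMessage forwards the application's `pParameter`/`ulParameterLen` unchanged, so a NULL or undersized parameter block reaches the struct dereference. A guard at the top of both wrappers, `if (!params || paramsLen < sizeof(*params)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, closes that and maps cleanly through sftk_MapCryptError/sftk_MapDecryptError in the caller; whether AES_AEAD performs its own length check on the CKM_AES_GCM path is not visible here and is worth confirming. Separately, `unsigned int maxout = *pulOuttextLen;` in sftk_CryptMessage silently narrows a CK_ULONG, as does passing `ulIntextLen` to the `unsigned int` aeadUpdate parameter; either reject lengths above UINT_MAX up front or document the assumption with a comment.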
@@ -0,0 +1,268 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * The following code handles the storage of PKCS 11 modules used by the + * NSS. This file is written to abstract away how the modules are + * stored so we can deside that later. + */ +#include "pkcs11i.h" +#include "sdb.h" +#include "prprf.h" +#include "prenv.h" +#include "utilpars.h" + +#define FREE_CLEAR(p) \ + if (p) { \ + PORT_Free(p); \ + p = NULL; \ + } + +static void +sftk_parseTokenFlags(char *tmp, sftk_token_parameters *parsed) +{ + parsed->readOnly = NSSUTIL_ArgHasFlag("flags", "readOnly", tmp); + parsed->noCertDB = NSSUTIL_ArgHasFlag("flags", "noCertDB", tmp); + parsed->noKeyDB = NSSUTIL_ArgHasFlag("flags", "noKeyDB", tmp); + parsed->forceOpen = NSSUTIL_ArgHasFlag("flags", "forceOpen", tmp); + parsed->pwRequired = NSSUTIL_ArgHasFlag("flags", "passwordRequired", tmp); + parsed->optimizeSpace = NSSUTIL_ArgHasFlag("flags", "optimizeSpace", tmp); + return; +} + +static void +sftk_parseFlags(char *tmp, sftk_parameters *parsed) +{ + parsed->noModDB = NSSUTIL_ArgHasFlag("flags", "noModDB", tmp); + parsed->readOnly = NSSUTIL_ArgHasFlag("flags", "readOnly", tmp); + /* keep legacy interface working */ + parsed->noCertDB = NSSUTIL_ArgHasFlag("flags", "noCertDB", tmp); + parsed->forceOpen = NSSUTIL_ArgHasFlag("flags", "forceOpen", tmp); + parsed->pwRequired = NSSUTIL_ArgHasFlag("flags", "passwordRequired", tmp); + parsed->optimizeSpace = NSSUTIL_ArgHasFlag("flags", "optimizeSpace", tmp); + return; +} + +static CK_RV +sftk_parseTokenParameters(char *param, sftk_token_parameters *parsed) +{ + int next; + char *tmp = NULL; + const char *index; + index = NSSUTIL_ArgStrip(param); + + while (*index) { + NSSUTIL_HANDLE_STRING_ARG(index, parsed->configdir, "configDir=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updatedir, "updateDir=", ;) + 
NSSUTIL_HANDLE_STRING_ARG(index, parsed->updCertPrefix, "updateCertPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updKeyPrefix, "updateKeyPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updateID, "updateID=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->certPrefix, "certPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->keyPrefix, "keyPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->tokdes, "tokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updtokdes, "updateTokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->slotdes, "slotDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG( + index, tmp, "minPWLen=", + if (tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); tmp = NULL; }) + NSSUTIL_HANDLE_STRING_ARG( + index, tmp, "flags=", + if (tmp) { sftk_parseTokenFlags(param,parsed); PORT_Free(tmp); tmp = NULL; }) + NSSUTIL_HANDLE_FINAL_ARG(index) + } + return CKR_OK; +} + +static void +sftk_parseTokens(char *tokenParams, sftk_parameters *parsed) +{ + const char *tokenIndex; + sftk_token_parameters *tokens = NULL; + int i = 0, count = 0, next; + + if ((tokenParams == NULL) || (*tokenParams == 0)) + return; + + /* first count the number of slots */ + for (tokenIndex = NSSUTIL_ArgStrip(tokenParams); *tokenIndex; + tokenIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(tokenIndex))) { + count++; + } + + /* get the data structures */ + tokens = (sftk_token_parameters *) + PORT_ZAlloc(count * sizeof(sftk_token_parameters)); + if (tokens == NULL) + return; + + for (tokenIndex = NSSUTIL_ArgStrip(tokenParams), i = 0; + *tokenIndex && i < count; i++) { + char *name; + name = NSSUTIL_ArgGetLabel(tokenIndex, &next); + tokenIndex += next; + + tokens[i].slotID = NSSUTIL_ArgDecodeNumber(name); + tokens[i].readOnly = PR_FALSE; + tokens[i].noCertDB = PR_FALSE; + tokens[i].noKeyDB = PR_FALSE; + if (!NSSUTIL_ArgIsBlank(*tokenIndex)) { + char *args = NSSUTIL_ArgFetchValue(tokenIndex, &next); + tokenIndex += next; + if (args) { + 
sftk_parseTokenParameters(args, &tokens[i]); + PORT_Free(args); + } + } + if (name) + PORT_Free(name); + tokenIndex = NSSUTIL_ArgStrip(tokenIndex); + } + parsed->token_count = i; + parsed->tokens = tokens; + return; +} + +CK_RV +sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS) +{ + int next; + char *tmp = NULL; + const char *index; + char *certPrefix = NULL, *keyPrefix = NULL; + char *tokdes = NULL, *ptokdes = NULL, *pupdtokdes = NULL; + char *slotdes = NULL, *pslotdes = NULL; + char *fslotdes = NULL, *ftokdes = NULL; + char *minPW = NULL; + index = NSSUTIL_ArgStrip(param); + + PORT_Memset(parsed, 0, sizeof(sftk_parameters)); + + while (*index) { + NSSUTIL_HANDLE_STRING_ARG(index, parsed->configdir, "configDir=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updatedir, "updateDir=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->updateID, "updateID=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->secmodName, "secmod=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->man, "manufacturerID=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, parsed->libdes, "libraryDescription=", ;) + /* constructed values, used so legacy interfaces still work */ + NSSUTIL_HANDLE_STRING_ARG(index, certPrefix, "certPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, keyPrefix, "keyPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, tokdes, "cryptoTokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, ptokdes, "dbTokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, slotdes, "cryptoSlotDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, pslotdes, "dbSlotDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, fslotdes, "FIPSSlotDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, ftokdes, "FIPSTokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, pupdtokdes, "updateTokenDescription=", ;) + NSSUTIL_HANDLE_STRING_ARG(index, minPW, "minPWLen=", ;) + + NSSUTIL_HANDLE_STRING_ARG( + index, tmp, "flags=", + if (tmp) { sftk_parseFlags(param,parsed); PORT_Free(tmp); tmp = NULL; }) + 
NSSUTIL_HANDLE_STRING_ARG( + index, tmp, "tokens=", + if (tmp) { sftk_parseTokens(tmp,parsed); PORT_Free(tmp); tmp = NULL; }) + NSSUTIL_HANDLE_FINAL_ARG(index) + } + if (parsed->tokens == NULL) { + int count = isFIPS ? 1 : 2; + int i = count - 1; + sftk_token_parameters *tokens = NULL; + + tokens = (sftk_token_parameters *) + PORT_ZAlloc(count * sizeof(sftk_token_parameters)); + if (tokens == NULL) { + goto loser; + } + parsed->tokens = tokens; + parsed->token_count = count; + tokens[i].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID; + tokens[i].certPrefix = certPrefix; + tokens[i].keyPrefix = keyPrefix; + tokens[i].minPW = minPW ? atoi(minPW) : 0; + tokens[i].readOnly = parsed->readOnly; + tokens[i].noCertDB = parsed->noCertDB; + tokens[i].noKeyDB = parsed->noCertDB; + tokens[i].forceOpen = parsed->forceOpen; + tokens[i].pwRequired = parsed->pwRequired; + tokens[i].optimizeSpace = parsed->optimizeSpace; + tokens[0].optimizeSpace = parsed->optimizeSpace; + certPrefix = NULL; + keyPrefix = NULL; + if (isFIPS) { + tokens[i].tokdes = ftokdes; + tokens[i].updtokdes = pupdtokdes; + tokens[i].slotdes = fslotdes; + fslotdes = NULL; + ftokdes = NULL; + pupdtokdes = NULL; + } else { + tokens[i].tokdes = ptokdes; + tokens[i].updtokdes = pupdtokdes; + tokens[i].slotdes = pslotdes; + tokens[0].slotID = NETSCAPE_SLOT_ID; + tokens[0].tokdes = tokdes; + tokens[0].slotdes = slotdes; + tokens[0].noCertDB = PR_TRUE; + tokens[0].noKeyDB = PR_TRUE; + pupdtokdes = NULL; + ptokdes = NULL; + pslotdes = NULL; + tokdes = NULL; + slotdes = NULL; + } + } + +loser: + FREE_CLEAR(certPrefix); + FREE_CLEAR(keyPrefix); + FREE_CLEAR(tokdes); + FREE_CLEAR(ptokdes); + FREE_CLEAR(pupdtokdes); + FREE_CLEAR(slotdes); + FREE_CLEAR(pslotdes); + FREE_CLEAR(fslotdes); + FREE_CLEAR(ftokdes); + FREE_CLEAR(minPW); + return CKR_OK; +} + +void +sftk_freeParams(sftk_parameters *params) +{ + int i; + + for (i = 0; i < params->token_count; i++) { + FREE_CLEAR(params->tokens[i].configdir); + 
FREE_CLEAR(params->tokens[i].certPrefix); + FREE_CLEAR(params->tokens[i].keyPrefix); + FREE_CLEAR(params->tokens[i].tokdes); + FREE_CLEAR(params->tokens[i].slotdes); + FREE_CLEAR(params->tokens[i].updatedir); + FREE_CLEAR(params->tokens[i].updCertPrefix); + FREE_CLEAR(params->tokens[i].updKeyPrefix); + FREE_CLEAR(params->tokens[i].updateID); + FREE_CLEAR(params->tokens[i].updtokdes); + } + + FREE_CLEAR(params->configdir); + FREE_CLEAR(params->secmodName); + FREE_CLEAR(params->man); + FREE_CLEAR(params->libdes); + FREE_CLEAR(params->tokens); + FREE_CLEAR(params->updatedir); + FREE_CLEAR(params->updateID); +} + +PRBool +sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved) +{ + CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved; + + /* if we don't have any params, the flag isn't set */ + if ((!init_args || !init_args->LibraryParameters)) { + return PR_FALSE; + } + + return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters); +} diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c new file mode 100644 index 0000000000..d885954085 --- /dev/null +++ b/security/nss/lib/softoken/sftkpwd.c 
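Review bot: sftk_parseParameters returns CKR_OK even when the `PORT_ZAlloc` for the default token table fails: that path does `goto loser` and then falls into the only `return CKR_OK;`, so the caller sees a successful parse with `parsed->tokens == NULL` and `token_count == 0`. Track the status instead, `CK_RV crv = CKR_OK;` at the top, `crv = CKR_HOST_MEMORY; goto loser;` on the NULL check, and `return crv;` at the end. The sibling sftk_parseTokens likewise returns silently on allocation failure, though being void it cannot report without a signature change. While here, `tokens[i].noKeyDB = parsed->noCertDB;` reads like a copy-paste slip; if the module-level noCertDB flag is meant to disable both databases (sftk_parseFlags parses no noKeyDB flag, so that may be the intent), a comment such as `/* legacy: the module-level noCertDB flag disables the key DB too */` would stop the next reader from "fixing" it. `FREE_CLEAR` should also be wrapped in `do { ... } while (0)` so it stays safe after an unbraced `if`.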
@@ -0,0 +1,1485 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * The following code handles the storage of PKCS 11 modules used by the + * NSS. For the rest of NSS, only one kind of database handle exists: + * + * SFTKDBHandle + * + * There is one SFTKDBHandle for the each key database and one for each cert + * database. These databases are opened as associated pairs, one pair per + * slot. SFTKDBHandles are reference counted objects. + * + * Each SFTKDBHandle points to a low level database handle (SDB). This handle + * represents the underlying physical database. These objects are not + * reference counted, an are 'owned' by their respective SFTKDBHandles. + * + * + */ +#include "sftkdb.h" +#include "sftkdbti.h" +#include "pkcs11t.h" +#include "pkcs11i.h" +#include "sdb.h" +#include "prprf.h" +#include "secasn1.h" +#include "pratom.h" +#include "blapi.h" +#include "secoid.h" +#include "lowpbe.h" +#include "secdert.h" +#include "prsystem.h" +#include "lgglue.h" +#include "secerr.h" +#include "softoken.h" + +static const int NSS_MP_PBE_ITERATION_COUNT = 10000; + +static int +getPBEIterationCount(void) +{ + int c = NSS_MP_PBE_ITERATION_COUNT; + + char *val = getenv("NSS_MIN_MP_PBE_ITERATION_COUNT"); + if (val) { + int minimum = atoi(val); + if (c < minimum) { + c = minimum; + } + } + + val = getenv("NSS_MAX_MP_PBE_ITERATION_COUNT"); + if (val) { + int maximum = atoi(val); + if (c > maximum) { + c = maximum; + } + } + + return c; +} + +PRBool +sftk_isLegacyIterationCountAllowed(void) +{ + static const char *legacyCountEnvVar = + "NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT"; + char *iterEnv = getenv(legacyCountEnvVar); + return (iterEnv && strcmp("0", iterEnv) != 0); +} + +/****************************************************************** + * + * Key DB password handling functions + * + * These functions 
manage the key db password (set, reset, initialize, use). + * + * The key is managed on 'this side' of the database. All private data is + * encrypted before it is sent to the database itself. Besides PBE's, the + * database management code can also mix in various fixed keys so the data + * in the database is no longer considered 'plain text'. + */ + +/* take string password and turn it into a key. The key is dependent + * on a global salt entry acquired from the database. This salted + * value will be based to a pkcs5 pbe function before it is used + * in an actual encryption */ +static SECStatus +sftkdb_passwordToKey(SFTKDBHandle *keydb, SECItem *salt, + const char *pw, SECItem *key) +{ + SHA1Context *cx = NULL; + SECStatus rv = SECFailure; + + if (!pw) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + key->data = PORT_Alloc(SHA1_LENGTH); + if (key->data == NULL) { + goto loser; + } + key->len = SHA1_LENGTH; + + cx = SHA1_NewContext(); + if (cx == NULL) { + goto loser; + } + SHA1_Begin(cx); + if (salt && salt->data) { + SHA1_Update(cx, salt->data, salt->len); + } + SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw)); + SHA1_End(cx, key->data, &key->len, key->len); + rv = SECSuccess; + +loser: + if (cx) { + SHA1_DestroyContext(cx, PR_TRUE); + } + if (rv != SECSuccess) { + if (key->data != NULL) { + PORT_ZFree(key->data, key->len); + } + key->data = NULL; + } + return rv; +} + +/* + * Cipher text stored in the database contains 3 elements: + * 1) an identifier describing the encryption algorithm. + * 2) an entry specific salt value. + * 3) the encrypted value. + * + * The following data structure represents the encrypted data in a decoded + * (but still encrypted) form. 
+ */ +typedef struct sftkCipherValueStr sftkCipherValue; +struct sftkCipherValueStr { + PLArenaPool *arena; + SECOidTag alg; + NSSPKCS5PBEParameter *param; + SECItem salt; + SECItem value; +}; + +#define SFTK_CIPHERTEXT_VERSION 3 + +struct SFTKDBEncryptedDataInfoStr { + SECAlgorithmID algorithm; + SECItem encryptedData; +}; +typedef struct SFTKDBEncryptedDataInfoStr SFTKDBEncryptedDataInfo; + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SFTKDBEncryptedDataInfo) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(SFTKDBEncryptedDataInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, + offsetof(SFTKDBEncryptedDataInfo, encryptedData) }, + { 0 } +}; + +/* + * This parses the cipherText into cipher value. NOTE: cipherValue will point + * to data in cipherText, if cipherText is freed, cipherValue will be invalid. + */ +static SECStatus +sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue) +{ + PLArenaPool *arena = NULL; + SFTKDBEncryptedDataInfo edi; + SECStatus rv; + + PORT_Assert(cipherValue); + cipherValue->arena = NULL; + cipherValue->param = NULL; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return SECFailure; + } + + rv = SEC_QuickDERDecodeItem(arena, &edi, sftkdb_EncryptedDataInfoTemplate, + cipherText); + if (rv != SECSuccess) { + goto loser; + } + cipherValue->alg = SECOID_GetAlgorithmTag(&edi.algorithm); + cipherValue->param = nsspkcs5_AlgidToParam(&edi.algorithm); + if (cipherValue->param == NULL) { + goto loser; + } + cipherValue->value = edi.encryptedData; + cipherValue->arena = arena; + + return SECSuccess; +loser: + if (cipherValue->param) { + nsspkcs5_DestroyPBEParameter(cipherValue->param); + cipherValue->param = NULL; + } + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } + return SECFailure; +} + +/* + * unlike decode, Encode actually allocates a 
SECItem the caller must free + * The caller can pass an optional arena to to indicate where to place + * the resultant cipherText. + */ +static SECStatus +sftkdb_encodeCipherText(PLArenaPool *arena, sftkCipherValue *cipherValue, + SECItem **cipherText) +{ + SFTKDBEncryptedDataInfo edi; + SECAlgorithmID *algid; + SECStatus rv; + PLArenaPool *localArena = NULL; + + localArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (localArena == NULL) { + return SECFailure; + } + + algid = nsspkcs5_CreateAlgorithmID(localArena, cipherValue->alg, + cipherValue->param); + if (algid == NULL) { + rv = SECFailure; + goto loser; + } + rv = SECOID_CopyAlgorithmID(localArena, &edi.algorithm, algid); + SECOID_DestroyAlgorithmID(algid, PR_TRUE); + if (rv != SECSuccess) { + goto loser; + } + edi.encryptedData = cipherValue->value; + + *cipherText = SEC_ASN1EncodeItem(arena, NULL, &edi, + sftkdb_EncryptedDataInfoTemplate); + if (*cipherText == NULL) { + rv = SECFailure; + } + +loser: + if (localArena) { + PORT_FreeArena(localArena, PR_TRUE); + } + + return rv; +} + +/* + * Use our key to decode a cipherText block from the database. + * + * plain text is allocated by nsspkcs5_CipherData and must be freed + * with SECITEM_FreeItem by the caller. 
+ */ +SECStatus +sftkdb_DecryptAttribute(SFTKDBHandle *handle, SECItem *passKey, + CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type, + SECItem *cipherText, SECItem **plain) +{ + SECStatus rv; + sftkCipherValue cipherValue; + + /* First get the cipher type */ + *plain = NULL; + rv = sftkdb_decodeCipherText(cipherText, &cipherValue); + if (rv != SECSuccess) { + goto loser; + } + + *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value, + PR_FALSE, NULL); + if (*plain == NULL) { + rv = SECFailure; + goto loser; + } + + /* If we are using aes 256, we need to check authentication as well.*/ + if ((type != CKT_INVALID_TYPE) && + (cipherValue.alg == SEC_OID_PKCS5_PBES2) && + (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) { + SECItem signature; + unsigned char signData[SDB_MAX_META_DATA_LEN]; + CK_RV crv; + + /* if we get here from the old legacy db, there is clearly an + * error, don't return the plaintext */ + if (handle == NULL) { + rv = SECFailure; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + goto loser; + } + + signature.data = signData; + signature.len = sizeof(signData); + rv = SECFailure; + /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */ + crv = sftkdb_GetAttributeSignature(handle, handle, id, type, + &signature); + if (crv == CKR_OK) { + rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, + type, *plain, &signature); + } + if (rv != SECSuccess) { + /* handle bug 1720226 where old versions of NSS misfiled the signature + * attribute on password update */ + id |= SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE; + signature.len = sizeof(signData); + crv = sftkdb_GetAttributeSignature(handle, handle, id, type, + &signature); + if (crv != CKR_OK) { + rv = SECFailure; + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + goto loser; + } + rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, + type, *plain, &signature); + } + } + +loser: + if (cipherValue.param) { + nsspkcs5_DestroyPBEParameter(cipherValue.param); + } + if 
(cipherValue.arena) { + PORT_FreeArena(cipherValue.arena, PR_FALSE); + } + /* Item decrypted, but failed integrity, clear it out */ + if (*plain && rv != SECSuccess) { + SECITEM_ZfreeItem(*plain, PR_TRUE); + *plain = NULL; + } + return rv; +} + +/* If the database can't store the integrity check, it's a non-FIPS database + * and we use the old encryption scheme for it */ +static PRBool +sftkdb_useLegacyEncryption(SFTKDBHandle *handle, SDB *db) +{ + if ((handle == NULL) || (db == NULL)) { + /* this is the case where the legacy db is calling back to us to + * encrypt or decrypt attributes inside the lower level db code. + * This is because the legacy db stored keys as pkcs #8 encrypted + * blobs rather than individual encrypted attributes */ + return PR_TRUE; + } + /* currently, only the legacy db can't store meta data, but if we + * add a new db that also can't store meta data, then it to wouldn't + * be able to do the integrity checks. In both cases use the old encryption + * algorithms. */ + if ((db->sdb_flags & SDB_HAS_META) == 0) { + return PR_TRUE; + } + return PR_FALSE; +} + +/* + * encrypt a block. This function returned the encrypted ciphertext which + * the caller must free. If the caller provides an arena, cipherText will + * be allocated out of that arena. This also generated the per entry + * salt automatically. 
+ */ +SECStatus +sftkdb_EncryptAttribute(PLArenaPool *arena, SFTKDBHandle *handle, SDB *db, + SECItem *passKey, int iterationCount, + CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type, + SECItem *plainText, SECItem **cipherText) +{ + SECStatus rv; + sftkCipherValue cipherValue; + SECItem *cipher = NULL; + NSSPKCS5PBEParameter *param = NULL; + unsigned char saltData[HASH_LENGTH_MAX]; + SECItem *signature = NULL; + HASH_HashType hashType = HASH_AlgNULL; + + if (sftkdb_useLegacyEncryption(handle, db)) { + cipherValue.alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC; + cipherValue.salt.len = SHA1_LENGTH; + hashType = HASH_AlgSHA1; + } else { + cipherValue.alg = SEC_OID_AES_256_CBC; + cipherValue.salt.len = SHA256_LENGTH; + hashType = HASH_AlgSHA256; + } + cipherValue.salt.data = saltData; + RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len); + + param = nsspkcs5_NewParam(cipherValue.alg, hashType, &cipherValue.salt, + iterationCount); + if (param == NULL) { + rv = SECFailure; + goto loser; + } + cipher = nsspkcs5_CipherData(param, passKey, plainText, PR_TRUE, NULL); + if (cipher == NULL) { + rv = SECFailure; + goto loser; + } + cipherValue.value = *cipher; + cipherValue.param = param; + + rv = sftkdb_encodeCipherText(arena, &cipherValue, cipherText); + if (rv != SECSuccess) { + goto loser; + } + + /* If we are using aes 256, we need to add authentication as well */ + if ((type != CKT_INVALID_TYPE) && + (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) { + rv = sftkdb_SignAttribute(arena, handle, db, passKey, iterationCount, + CK_INVALID_HANDLE, type, plainText, + &signature); + if (rv != SECSuccess) { + goto loser; + } + rv = sftkdb_PutAttributeSignature(handle, db, id, type, + signature); + if (rv != SECSuccess) { + goto loser; + } + } + +loser: + if ((arena == NULL) && signature) { + SECITEM_ZfreeItem(signature, PR_TRUE); + } + if (cipher) { + SECITEM_FreeItem(cipher, PR_TRUE); + } + if (param) { + nsspkcs5_DestroyPBEParameter(param); + } + return rv; +} 
+
+/*
+ * use the password and the pbe parameters to generate an HMAC for the
+ * given plain text data. This is used by sftkdb_VerifyAttribute and
+ * sftkdb_SignAttribute. Signature is returned in signData. The caller
+ * must preallocate the space in the secitem.
+ */
+static SECStatus
+sftkdb_pbehash(SECOidTag sigOid, SECItem *passKey,
+ NSSPKCS5PBEParameter *param,
+ CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *signData)
+{
+ SECStatus rv = SECFailure;
+ SECItem *key = NULL;
+ HMACContext *hashCx = NULL;
+ HASH_HashType hashType = HASH_AlgNULL;
+ const SECHashObject *hashObj;
+ unsigned char addressData[SDB_ULONG_SIZE];
+
+ hashType = HASH_FromHMACOid(param->encAlg);
+ if (hashType == HASH_AlgNULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ hashObj = HASH_GetRawHashObject(hashType);
+ if (hashObj == NULL) {
+ goto loser;
+ }
+
+ key = nsspkcs5_ComputeKeyAndIV(param, passKey, NULL, PR_FALSE);
+ if (!key) {
+ goto loser;
+ }
+
+ hashCx = HMAC_Create(hashObj, key->data, key->len, PR_TRUE);
+ if (!hashCx) {
+ goto loser;
+ }
+ HMAC_Begin(hashCx);
+ /* Tie this value to a particular object. This is most important for
+ * the trust attributes, where and attacker could copy a value for
+ * 'validCA' from another cert in the database */
+ sftk_ULong2SDBULong(addressData, objectID);
+ HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+ sftk_ULong2SDBULong(addressData, attrType);
+ HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+
+ HMAC_Update(hashCx, plainText->data, plainText->len);
+ rv = HMAC_Finish(hashCx, signData->data, &signData->len, signData->len);
+
+loser:
+ if (hashCx) {
+ HMAC_Destroy(hashCx, PR_TRUE);
+ }
+ if (key) {
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * Use our key to verify a signText block from the database matches
+ * the plainText from the database. The signText is a PKCS 5 v2 pbe.
+ * plainText is the plainText of the attribute.
+ */
+SECStatus
+sftkdb_VerifyAttribute(SFTKDBHandle *handle,
+ SECItem *passKey, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *signText)
+{
+ SECStatus rv;
+ sftkCipherValue signValue;
+ SECItem signature;
+ unsigned char signData[HASH_LENGTH_MAX];
+
+ /* First get the cipher type */
+ rv = sftkdb_decodeCipherText(signText, &signValue);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ signature.data = signData;
+ signature.len = sizeof(signData);
+
+ rv = sftkdb_pbehash(signValue.alg, passKey, signValue.param,
+ objectID, attrType, plainText, &signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (SECITEM_CompareItem(&signValue.value, &signature) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ }
+
+loser:
+ PORT_Memset(signData, 0, sizeof signData);
+ if (signValue.param) {
+ nsspkcs5_DestroyPBEParameter(signValue.param);
+ }
+ if (signValue.arena) {
+ PORT_FreeArena(signValue.arena, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * Use our key to create a signText block the plain text of an
+ * attribute. The signText is a PKCS 5 v2 pbe.
+ */
+SECStatus
+sftkdb_SignAttribute(PLArenaPool *arena, SFTKDBHandle *keyDB, SDB *db,
+ SECItem *passKey, int iterationCount,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **signature)
+{
+ SECStatus rv;
+ sftkCipherValue signValue;
+ NSSPKCS5PBEParameter *param = NULL;
+ unsigned char saltData[HASH_LENGTH_MAX];
+ unsigned char signData[HASH_LENGTH_MAX];
+ SECOidTag hmacAlg = SEC_OID_HMAC_SHA256; /* hash for authentication */
+ SECOidTag prfAlg = SEC_OID_HMAC_SHA256; /* hash for pb key generation */
+ HASH_HashType prfType;
+ unsigned int hmacLength;
+ unsigned int prfLength;
+
+ /* this code allows us to fetch the lengths and hashes on the fly
+ * by simply changing the OID above */
+ prfType = HASH_FromHMACOid(prfAlg);
+ PORT_Assert(prfType != HASH_AlgNULL);
+ prfLength = HASH_GetRawHashObject(prfType)->length;
+ PORT_Assert(prfLength <= HASH_LENGTH_MAX);
+
+ hmacLength = HASH_GetRawHashObject(HASH_FromHMACOid(hmacAlg))->length;
+ PORT_Assert(hmacLength <= HASH_LENGTH_MAX);
+
+ /* initialize our CipherValue structure */
+ signValue.alg = SEC_OID_PKCS5_PBMAC1;
+ signValue.salt.len = prfLength;
+ signValue.salt.data = saltData;
+ signValue.value.data = signData;
+ signValue.value.len = hmacLength;
+ RNG_GenerateGlobalRandomBytes(saltData, prfLength);
+
+ /* initialize our pkcs5 parameter */
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt,
+ iterationCount);
+ if (param == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ param->keyID = pbeBitGenIntegrityKey;
+ /* set the PKCS 5 v2 parameters, not extractable from the
+ * data passed into nsspkcs5_NewParam */
+ param->encAlg = hmacAlg;
+ param->hashType = prfType;
+ param->keyLen = hmacLength;
+ rv = SECOID_SetAlgorithmID(param->poolp, ¶m->prfAlg, prfAlg, NULL);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* calculate the mac */
+ rv = sftkdb_pbehash(signValue.alg, passKey, param, objectID, attrType,
+ plainText, &signValue.value);
+ if (rv !=
SECSuccess) {
+ goto loser;
+ }
+ signValue.param = param;
+
+ /* write it out */
+ rv = sftkdb_encodeCipherText(arena, &signValue, signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+loser:
+ PORT_Memset(signData, 0, sizeof signData);
+ if (param) {
+ nsspkcs5_DestroyPBEParameter(param);
+ }
+ return rv;
+}
+
+/*
+ * safely swith the passed in key for the one caches in the keydb handle
+ *
+ * A key attached to the handle tells us the the token is logged in.
+ * We can used the key attached to the handle in sftkdb_EncryptAttribute
+ * and sftkdb_DecryptAttribute calls.
+ */
+static void
+sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
+{
+ unsigned char *data;
+ int len;
+
+ if (keydb->passwordLock == NULL) {
+ PORT_Assert(keydb->type != SFTK_KEYDB_TYPE);
+ return;
+ }
+
+ /* an atomic pointer set would be nice */
+ SKIP_AFTER_FORK(PZ_Lock(keydb->passwordLock));
+ data = keydb->passwordKey.data;
+ len = keydb->passwordKey.len;
+ keydb->passwordKey.data = passKey->data;
+ keydb->passwordKey.len = passKey->len;
+ keydb->defaultIterationCount = iterationCount;
+ passKey->data = data;
+ passKey->len = len;
+ SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock));
+}
+
+/*
+ * returns true if we are in a middle of a merge style update.
+ */
+PRBool
+sftkdb_InUpdateMerge(SFTKDBHandle *keydb)
+{
+ return keydb->updateID ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * returns true if we are looking for the password for the user's old source
+ * database as part of a merge style update.
+ */
+PRBool
+sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb)
+{
+ if (!sftkdb_InUpdateMerge(keydb)) {
+ return PR_FALSE;
+ }
+ if (keydb->updateDBIsInit && !keydb->updatePasswordKey) {
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * fetch an update password key from a handle.
+ */
+SECItem *
+sftkdb_GetUpdatePasswordKey(SFTKDBHandle *handle)
+{
+ SECItem *key = NULL;
+
+ /* if we're a cert db, fetch it from our peer key db */
+ if (handle->type == SFTK_CERTDB_TYPE) {
+ handle = handle->peerDB;
+ }
+
+ /* don't have one */
+ if (!handle) {
+ return NULL;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->updatePasswordKey) {
+ key = SECITEM_DupItem(handle->updatePasswordKey);
+ }
+ PZ_Unlock(handle->passwordLock);
+
+ return key;
+}
+
+/*
+ * free the update password key from a handle.
+ */
+void
+sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *handle)
+{
+ SECItem *key = NULL;
+
+ /* don't have one */
+ if (!handle) {
+ return;
+ }
+
+ /* if we're a cert db, we don't have one */
+ if (handle->type == SFTK_CERTDB_TYPE) {
+ return;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->updatePasswordKey) {
+ key = handle->updatePasswordKey;
+ handle->updatePasswordKey = NULL;
+ }
+ PZ_Unlock(handle->passwordLock);
+
+ if (key) {
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ }
+
+ return;
+}
+
+/*
+ * what password db we use depends heavily on the update state machine
+ *
+ * 1) no update db, return the normal database.
+ * 2) update db and no merge return the update db.
+ * 3) update db and in merge:
+ * return the update db if we need the update db's password,
+ * otherwise return our normal datbase.
+ */
+static SDB *
+sftk_getPWSDB(SFTKDBHandle *keydb)
+{
+ if (!keydb->update) {
+ return keydb->db;
+ }
+ if (!sftkdb_InUpdateMerge(keydb)) {
+ return keydb->update;
+ }
+ if (sftkdb_NeedUpdateDBPassword(keydb)) {
+ return keydb->update;
+ }
+ return keydb->db;
+}
+
+/*
+ * return success if we have a valid password entry.
+ * This is will show up outside of PKCS #11 as CKF_USER_PIN_INIT
+ * in the token flags.
+ */
+SECStatus
+sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
+{
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
+ SDB *db;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+
+ /* If no password is set, we can update right away */
+ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update && crv != CKR_OK) {
+ /* update the peer certdb if it exists */
+ if (keydb->peerDB) {
+ sftkdb_Update(keydb->peerDB, NULL);
+ }
+ sftkdb_Update(keydb, NULL);
+ }
+ return (crv == CKR_OK) ? SECSuccess : SECFailure;
+}
+
+/* pull out the common final part of checking a password */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key,
+ const char *pw, SECItem *value,
+ PRBool *tokenRemoved);
+
+/*
+ * check to see if we have the NULL password set.
+ * We special case the NULL password so that if you have no password set, you
+ * don't do thousands of hash rounds. This allows us to startup and get
+ * webpages without slowdown in normal mode.
+ */
+SECStatus
+sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved)
+{
+ /* just like sftkdb_CheckPassowd, we get the salt and value, and
+ * create a dbkey */
+ SECStatus rv;
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ SECItem key;
+ SDB *db;
+ CK_RV crv;
+ sftkCipherValue cipherValue;
+
+ cipherValue.param = NULL;
+ cipherValue.arena = NULL;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ key.data = NULL;
+ key.len = 0;
+
+ /* get the entry from the database */
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* get our intermediate key based on the entry salt value */
+ rv = sftkdb_passwordToKey(keydb, &salt, "", &key);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* First get the cipher type */
+ rv = sftkdb_decodeCipherText(&value, &cipherValue);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ if (cipherValue.param->iter != 1) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ if (cipherValue.param) {
+ nsspkcs5_DestroyPBEParameter(cipherValue.param);
+ }
+ if (cipherValue.arena) {
+ PORT_FreeArena(cipherValue.arena, PR_FALSE);
+ }
+ return rv;
+}
+
+#define SFTK_PW_CHECK_STRING "password-check"
+#define SFTK_PW_CHECK_LEN 14
+
+/*
+ * check if the supplied password is valid
+ */
+SECStatus
+sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
+{
+ SECStatus rv;
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ SECItem key;
+ SDB *db;
+ CK_RV crv;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ key.data = NULL;
+ key.len = 0;
+
+ if (pw == NULL)
+ pw = "";
+
+ /* get the entry from the database */
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* get our intermediate key based on the entry salt value */
+ rv = sftkdb_passwordToKey(keydb, &salt, pw, &key);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ return rv;
+}
+
+/* we need to pass iterationCount in case we are updating a new database
+ * and from an old one. */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
+ SECItem *value, PRBool *tokenRemoved)
+{
+ SECItem *result = NULL;
+ SECStatus rv;
+ int iterationCount = getPBEIterationCount();
+
+ if (*pw == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
+ /* decrypt the entry value */
+ rv = sftkdb_DecryptAttribute(keydb, key, CK_INVALID_HANDLE,
+ CKT_INVALID_TYPE, value, &result);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* if it's what we expect, update our key in the database handle and
+ * return Success */
+ if ((result->len == SFTK_PW_CHECK_LEN) &&
+ PORT_Memcmp(result->data, SFTK_PW_CHECK_STRING, SFTK_PW_CHECK_LEN) == 0) {
+ /*
+ * We have a password, now lets handle any potential update cases..
+ *
+ * First, the normal case: no update. In this case we only need the
+ * the password for our only DB, which we now have, we switch
+ * the keys and fall through.
+ * Second regular (non-merge) update: The target DB does not yet have
+ * a password initialized, we now have the password for the source DB,
+ * so we can switch the keys and simply update the target database.
+ * Merge update case: This one is trickier.
+ * 1) If we need the source DB password, then we just got it here.
+ * We need to save that password,
+ * then we need to check to see if we need or have the target
+ * database password.
+ * If we have it (it's the same as the source), or don't need
+ * it (it's not set or is ""), we can start the update now.
+ * If we don't have it, we need the application to get it from
+ * the user. Clear our sessions out to simulate a token
+ * removal. C_GetTokenInfo will change the token description
+ * and the token will still appear to be logged out.
+ * 2) If we already have the source DB password, this password is
+ * for the target database. We can now move forward with the
+ * update, as we now have both required passwords.
+ *
+ */
+ PZ_Lock(keydb->passwordLock);
+ if (sftkdb_NeedUpdateDBPassword(keydb)) {
+ /* Squirrel this special key away.
+ * This has the side effect of turning sftkdb_NeedLegacyPW off,
+ * as well as changing which database is returned from
+ * SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
+ * and sftkdb_HasPasswordSet()) */
+ keydb->updatePasswordKey = SECITEM_DupItem(key);
+ PZ_Unlock(keydb->passwordLock);
+ if (keydb->updatePasswordKey == NULL) {
+ /* PORT_Error set by SECITEM_DupItem */
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* Simulate a token removal -- we need to do this any
+ * any case at this point so the token name is correct. */
+ *tokenRemoved = PR_TRUE;
+
+ /*
+ * OK, we got the update DB password, see if we need a password
+ * for the target...
+ */
+ if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+ /* We have a password, do we know what the password is?
+ * check 1) for the password the user supplied for the
+ * update DB,
+ * and 2) for the null password.
+ *
+ * RECURSION NOTE: we are calling ourselves here. This means
+ * any updates, switchKeys, etc will have been completed
+ * if these functions return successfully, in those cases
+ * just exit returning Success. We don't recurse infinitely
+ * because we are making this call from a NeedUpdateDBPassword
+ * block and we've already set that update password at this
+ * point. */
+ rv = sftkdb_CheckPassword(keydb, pw, tokenRemoved);
+ if (rv == SECSuccess) {
+ /* source and target databases have the same password, we
+ * are good to go */
+ goto done;
+ }
+ sftkdb_CheckPasswordNull(keydb, tokenRemoved);
+
+ /*
+ * Important 'NULL' code here. At this point either we
+ * succeeded in logging in with "" or we didn't.
+ *
+ * If we did succeed at login, our machine state will be set
+ * to logged in appropriately. The application will find that
+ * it's logged in as soon as it opens a new session. We have
+ * also completed the update. Life is good.
+ *
+ * If we did not succeed, well the user still successfully
+ * logged into the update database, since we faked the token
+ * removal it's just like the user logged into his smart card
+ * then removed it. the actual login work, so we report that
+ * success back to the user, but we won't actually be
+ * logged in. The application will find this out when it
+ * checks it's login state, thus triggering another password
+ * prompt so we can get the real target DB password.
+ *
+ * summary, we exit from here with SECSuccess no matter what.
+ */
+ rv = SECSuccess;
+ goto done;
+ } else {
+ /* there is no password, just fall through to update.
+ * update will write the source DB's password record
+ * into the target DB just like it would in a non-merge
+ * update case.
*/
+ }
+ } else {
+ PZ_Unlock(keydb->passwordLock);
+ }
+ /* load the keys, so the keydb can parse it's key set */
+ sftkdb_switchKeys(keydb, key, iterationCount);
+
+ /* we need to update, do it now */
+ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) {
+ /* update the peer certdb if it exists */
+ if (keydb->peerDB) {
+ sftkdb_Update(keydb->peerDB, key);
+ }
+ sftkdb_Update(keydb, key);
+ }
+ } else {
+ rv = SECFailure;
+ /*PORT_SetError( bad password); */
+ }
+
+done:
+ if (result) {
+ SECITEM_ZfreeItem(result, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * return Success if the there is a cached password key.
+ */
+SECStatus
+sftkdb_PWCached(SFTKDBHandle *keydb)
+{
+ SECStatus rv;
+ PZ_Lock(keydb->passwordLock);
+ rv = keydb->passwordKey.data ? SECSuccess : SECFailure;
+ PZ_Unlock(keydb->passwordLock);
+ return rv;
+}
+
+static CK_RV
+sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
+ CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+{
+ SFTKDBHandle *keyHandle = handle;
+ SDB *keyTarget = NULL;
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ keyHandle = handle->peerDB;
+ }
+ if (keyHandle == NULL) {
+ return CKR_OK;
+ }
+ // Old DBs don't have metadata, so we can return early here.
+ keyTarget = SFTK_GET_SDB(keyHandle);
+ if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+
+ id &= SFTK_OBJ_ID_MASK;
+
+ CK_ATTRIBUTE_TYPE authAttrTypes[] = {
+ CKA_MODULUS,
+ CKA_PUBLIC_EXPONENT,
+ CKA_CERT_SHA1_HASH,
+ CKA_CERT_MD5_HASH,
+ CKA_TRUST_SERVER_AUTH,
+ CKA_TRUST_CLIENT_AUTH,
+ CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_CODE_SIGNING,
+ CKA_TRUST_STEP_UP_APPROVED,
+ CKA_NSS_OVERRIDE_EXTENSIONS,
+ };
+ const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]);
+
+ // We don't know what attributes this object has, so we update them one at a
+ // time.
+ unsigned int i;
+ for (i = 0; i < authAttrTypeCount; i++) {
+ CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
+ CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+ if (rv != CKR_OK) {
+ continue;
+ }
+ if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+ continue;
+ }
+ authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
+ if (authAttr.pValue == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+ return CKR_GENERAL_ERROR;
+ }
+ // GetAttributeValue just verified the old macs, so it is safe to write
+ // them out now.
+ if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
+ sftkdb_isULONGAttribute(authAttr.type)) {
+ CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
+ sftk_ULong2SDBULong(authAttr.pValue, value);
+ authAttr.ulValueLen = SDB_ULONG_SIZE;
+ }
+ SECItem *signText;
+ SECItem plainText;
+ plainText.data = authAttr.pValue;
+ plainText.len = authAttr.ulValueLen;
+ if (sftkdb_SignAttribute(arena, handle, keyTarget, newKey,
+ iterationCount, id, authAttr.type,
+ &plainText, &signText) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type,
+ signText) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
+ CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+{
+ CK_ATTRIBUTE_TYPE privAttrTypes[] = {
+ CKA_VALUE,
+ CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1,
+ CKA_PRIME_2,
+ CKA_EXPONENT_1,
+ CKA_EXPONENT_2,
+ CKA_COEFFICIENT,
+ };
+ const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
+
+ // We don't know what attributes this object has, so we update them one at a
+ // time.
+ unsigned int i;
+ for (i = 0; i < privAttrCount; i++) {
+ // Read the old attribute in the clear.
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
+ CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+ CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+ if (crv != CKR_OK) {
+ continue;
+ }
+ if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+ continue;
+ }
+ privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
+ if (privAttr.pValue == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+ return CKR_GENERAL_ERROR;
+ }
+ SECItem plainText;
+ SECItem *result;
+ plainText.data = privAttr.pValue;
+ plainText.len = privAttr.ulValueLen;
+ if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
+ iterationCount, sdbId, privAttr.type,
+ &plainText, &result) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ privAttr.pValue = result->data;
+ privAttr.ulValueLen = result->len;
+ // Clear sensitive data.
+ PORT_Memset(plainText.data, 0, plainText.len);
+
+ // Write the newly encrypted attributes out directly.
+ keydb->newKey = newKey;
+ keydb->newDefaultIterationCount = iterationCount;
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
+ keydb->newKey = NULL;
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
+ SECItem *newKey, int iterationCount)
+{
+ CK_RV crv = CKR_OK;
+ PLArenaPool *arena = NULL;
+
+ /* get a new arena to simplify cleanup */
+ arena = PORT_NewArena(1024);
+ if (!arena) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * first handle the MACS
+ */
+ crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ crv = sftk_updateEncrypted(arena, handle, id, newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /* free up our mess */
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_OK;
+
+loser:
+ /* there may be unencrypted data, clear it out down */
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+/*
+ * must be called with the old key active.
+ */
+CK_RV
+sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
+ CK_ULONG count, SECItem *newKey, int iterationCount)
+{
+ SDBFind *find = NULL;
+ CK_ULONG idCount = SFTK_MAX_IDS;
+ CK_OBJECT_HANDLE ids[SFTK_MAX_IDS];
+ CK_RV crv, crv2;
+ unsigned int i;
+
+ crv = sftkdb_FindObjectsInit(handle, template, count, &find);
+
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
+ crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
+ for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
+ crv = sftk_convertAttributes(handle, ids[i], newKey,
+ iterationCount);
+ }
+ }
+ crv2 = sftkdb_FindObjectsFinal(handle, find);
+ if (crv == CKR_OK)
+ crv = crv2;
+
+ return crv;
+}
+
+/*
+ * change the database password.
+ */
+SECStatus
+sftkdb_ChangePassword(SFTKDBHandle *keydb,
+ char *oldPin, char *newPin, PRBool *tokenRemoved)
+{
+ SECStatus rv = SECSuccess;
+ SECItem plainText;
+ SECItem newKey;
+ SECItem *result = NULL;
+ SECItem salt, value;
+ SFTKDBHandle *certdb;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ int iterationCount = getPBEIterationCount();
+ CK_RV crv;
+ SDB *db;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = SFTK_GET_SDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ newKey.data = NULL;
+
+ /* make sure we have a valid old pin */
+ crv = (*keydb->db->sdb_Begin)(keydb->db);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv == CKR_OK) {
+ rv = sftkdb_CheckPassword(keydb, oldPin, tokenRemoved);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+ } else {
+ salt.len = SHA1_LENGTH;
+ RNG_GenerateGlobalRandomBytes(salt.data, salt.len);
+ }
+
+ if (newPin && *newPin == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
+ rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /*
+ * convert encrypted entries here.
+ */
+ crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ /* fix up certdb macs */
+ certdb = keydb->peerDB;
+ if (certdb) {
+ CK_ATTRIBUTE objectType = { CKA_CLASS, 0, sizeof(CK_OBJECT_CLASS) };
+ CK_OBJECT_CLASS myClass = CKO_NSS_TRUST;
+
+ objectType.pValue = &myClass;
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ myClass = CKO_PUBLIC_KEY;
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ }
+
+ plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
+ plainText.len = SFTK_PW_CHECK_LEN;
+
+ rv = sftkdb_EncryptAttribute(NULL, keydb, keydb->db, &newKey,
+ iterationCount, CK_INVALID_HANDLE,
+ CKT_INVALID_TYPE, &plainText, &result);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ value.data = result->data;
+ value.len = result->len;
+ crv = (*keydb->db->sdb_PutMetaData)(keydb->db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ crv = (*keydb->db->sdb_Commit)(keydb->db);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ keydb->newKey = NULL;
+
+ sftkdb_switchKeys(keydb, &newKey, iterationCount);
+
+loser:
+ if (newKey.data) {
+ PORT_ZFree(newKey.data, newKey.len);
+ }
+ if (result) {
+ SECITEM_FreeItem(result, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ (*keydb->db->sdb_Abort)(keydb->db);
+ }
+
+ return rv;
+}
+
+/*
+ * lose our cached password
+ */
+SECStatus
+sftkdb_ClearPassword(SFTKDBHandle *keydb)
+{
+ SECItem oldKey;
+ oldKey.data = NULL;
+ oldKey.len = 0;
+ sftkdb_switchKeys(keydb, &oldKey, 1);
+ if (oldKey.data) {
+ PORT_ZFree(oldKey.data, oldKey.len);
+ }
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/softkver.c b/security/nss/lib/softoken/softkver.c
new file mode 100644
index 0000000000..3f20fad274
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.c
@@ -0,0 +1,18 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Library identity and versioning */
+
+#include "softkver.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information
+ */
+const char __nss_softokn_version[] = "Version: NSS " SOFTOKEN_VERSION _DEBUG_STRING;
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
new file mode 100644
index 0000000000..b90bf9d251
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.h
@@ -0,0 +1,27 @@
+/*
+ * Softoken version numbers
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTKVER_H_
+#define _SOFTKVER_H_
+
+#define SOFTOKEN_ECC_STRING " Basic ECC"
+
+/*
+ * Softoken's major version, minor version, patch level, build number,
+ * and whether this is a beta release.
+ *
+ * The format of the version string should be
+ * ".[.[.]][ ][ ]"
+ */
+#define SOFTOKEN_VERSION "3.90.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VMAJOR 3
+#define SOFTOKEN_VMINOR 90
+#define SOFTOKEN_VPATCH 1
+#define SOFTOKEN_VBUILD 0
+#define SOFTOKEN_BETA PR_FALSE
+
+#endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/softoken/softoken.gyp b/security/nss/lib/softoken/softoken.gyp
new file mode 100644
index 0000000000..1ff5286d79
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.gyp
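Review bot: `_DEBUG_STRING` in the `#if defined(DEBUG)` block is a reserved identifier — a leading underscore followed by an uppercase letter belongs to the implementation (C11 7.1.3), and the include guard `_SOFTKVER_H_` in the softkver.h hunk that follows has the same shape. A project-prefixed spelling sidesteps any collision with system headers, e.g. `#define SOFTOKEN_DEBUG_STRING " (debug)"` in both branches and `SOFTOKEN_DEBUG_STRING` on the `__nss_softokn_version` line; the double-underscore array name itself is presumably kept for compatibility with tooling that looks for that symbol, so the macro and guard are the cheap fix. Separately, softkver.h expands `SOFTOKEN_BETA` to `PR_FALSE` without including any NSPR header, so a translation unit that uses that macro must have pulled in `prtypes.h` first; a one-line comment next to the define, `/* PR_FALSE: includer must provide prtypes.h */`, would make that dependency visible.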
@@ -0,0 +1,111 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'softokn_static',
+ 'type': 'static_library',
+ 'defines': [
+ 'NSS_STATIC_SOFTOKEN',
+ ],
+ 'dependencies': [
+ 'softokn_base',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl_static',
+ ],
+ 'conditions': [
+ [ 'use_system_sqlite==1', {
+ 'dependencies': [
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ ],
+ }, {
+ 'dependencies': [
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite',
+ ],
+ }],
+ ],
+ },
+ {
+ 'target_name': 'softokn',
+ 'type': 'static_library',
+ 'dependencies': [
+ 'softokn_base',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+ ]
+ },
+ {
+ 'target_name': 'softokn_base',
+ 'type': 'none',
+ 'direct_dependent_settings': {
+ 'sources': [
+ 'fipsaudt.c',
+ 'fipstest.c',
+ 'fipstokn.c',
+ 'jpakesftk.c',
+ 'kbkdf.c',
+ 'lowkey.c',
+ 'lowpbe.c',
+ 'padbuf.c',
+ 'pkcs11.c',
+ 'pkcs11c.c',
+ 'pkcs11u.c',
+ 'sdb.c',
+ 'sftkdhverify.c',
+ 'sftkdb.c',
+ 'sftkhmac.c',
+ 'sftkike.c',
+ 'sftkmessage.c',
+ 'sftkpars.c',
+ 'sftkpwd.c',
+ 'softkver.c',
+ 'tlsprf.c'
+ ],
+ 'conditions': [
+ [ 'disable_dbm==0', {
+ 'sources': [
+ 'lgglue.c',
+ ]
+ }]
+ ]
+ },
+ },
+ {
+ 'target_name': 'softokn3',
+ 'type': 'shared_library',
+ 'dependencies': [
+ 'softokn',
+ ],
+ 'conditions': [
+ [ 'moz_fold_libs==0', {
+ 'dependencies': [
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ ],
+ }, {
+ 'libraries': [
+ '<(moz_folded_library_name)',
+ ],
+ }],
+ ],
+ 'variables': {
+ 'mapfile': 'softokn.def'
+ }
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'SHLIB_SUFFIX=\"<(dll_suffix)\"',
+ 'SHLIB_PREFIX=\"<(dll_prefix)\"',
+
'SOFTOKEN_LIB_NAME=\"<(dll_prefix)softokn3.<(dll_suffix)\"',
+ 'SHLIB_VERSION=\"3\"'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
new file mode 100644
index 0000000000..dfb42b4e03
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.h
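Review bot: The `softokn` target's `dependencies` list names `'<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3'` unconditionally, while `softokn_static` a few lines above picks `sqlite3` or `sqlite` through a `use_system_sqlite==1` condition. If that switch matters for the static build it presumably matters for the non-static one too, so either the same `'conditions'` block belongs on `softokn` or a one-line comment above its `dependencies` should say why the shared build always takes `sqlite3`. As written, a reader cannot tell whether the asymmetry is deliberate.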
@@ -0,0 +1,280 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the
+ * encoded digest info is computed internally, rather than by the caller.
+ *
+ * The HashSign variants expect as input the value of H, the computed hash
+ * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
+ * DigestInfo structure internally prior to signing/verifying.
+ */
+extern SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+extern SECStatus
+RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+/*
+** Prepare a buffer for padded CBC encryption, growing to the appropriate
+** boundary, filling with the appropriate padding.
+**
+** blockSize must be a power of 2.
+**
+** We add from 1 to blockSize bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+*/
+extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
+ unsigned int inlen, unsigned int *outlen,
+ int blockSize);
+
+/****************************************/
+/*
+** Power-Up selftests are required for FIPS.
+*/
+/* make sure Power-up selftests have been run. */
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
+
+/*
+** make known fixed PKCS #11 key types to their sizes in bytes
+*/
+unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+
+/*
+** FIPS 140-2 auditing
+*/
+extern PRBool sftk_audit_enabled;
+
+extern void sftk_LogAuditMessage(NSSAuditSeverity severity,
+ NSSAuditType, const char *msg);
+
+extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
+
+extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
+
+extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_RV rv);
+
+extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
+ CK_RV rv);
+
+extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditCryptInit(const char *opName,
+ CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
+
+extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+ CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
+
+extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
+/*
+** macros to check for forked child process after C_Initialize
+*/
+/* for PKCS #11 3.0, default is NO_FORK_CHECK, if you want it, now you
+ * need to define DO_FORK_CHECK */
+#if defined(XP_UNIX) && defined(DO_FORK_CHECK)
+
+#ifdef DEBUG
+
+#define FORK_ASSERT() \
+ { \
+ char *forkAssert = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if ((!forkAssert) || (0 == strcmp(forkAssert, "1"))) { \
+ PORT_Assert(0); \
+ } \
+ }
+
+#else
+
+#define FORK_ASSERT()
+
+#endif
+
+/* we have 3 methods of implementing the fork checks :
+ * - Solaris "mixed" method
+ * - pthread_atfork method
+ * - getpid method
+ */
+
+#if !defined(CHECK_FORK_MIXED) && !defined(CHECK_FORK_PTHREAD) && \
+ !defined(CHECK_FORK_GETPID)
+
+/* Choose fork check method automatically unless specified
+ * This section should be updated as more platforms get pthread fixes
+ * to unregister fork handlers in dlclose.
+ */
+
+#ifdef SOLARIS
+
+/* Solaris 8, s9 use PID checks, s10 uses pthread_atfork */
+
+#define CHECK_FORK_MIXED
+
+#elif defined(LINUX) || defined(__GLIBC__) || defined(FREEBSD) || defined(OPENBSD)
+
+#define CHECK_FORK_PTHREAD
+
+#else
+
+/* Other Unix platforms use only PID checks. Even if pthread_atfork is
+ * available, the behavior of dlclose isn't guaranteed by POSIX to
+ * unregister the fork handler. */
+
+#define CHECK_FORK_GETPID
+
+#endif
+
+#endif
+
+#if defined(CHECK_FORK_MIXED)
+
+extern PRBool usePthread_atfork;
+#include
+extern pid_t myPid;
+extern PRBool forked;
+
+#define PARENT_FORKED() (usePthread_atfork ? forked : (myPid && myPid != getpid()))
+
+#elif defined(CHECK_FORK_PTHREAD)
+
+extern PRBool forked;
+
+#define PARENT_FORKED() forked
+
+#elif defined(CHECK_FORK_GETPID)
+
+#include
+extern pid_t myPid;
+
+#define PARENT_FORKED() (myPid && myPid != getpid())
+
+#endif
+
+extern PRBool parentForkedAfterC_Initialize;
+extern PRBool sftkForkCheckDisabled;
+
+#define CHECK_FORK() \
+ do { \
+ if (!sftkForkCheckDisabled && PARENT_FORKED()) { \
+ FORK_ASSERT(); \
+ return CKR_DEVICE_ERROR; \
+ } \
+ } while (0)
+
+#define SKIP_AFTER_FORK(x) \
+ if (!parentForkedAfterC_Initialize) \
+ x
+
+#define ENABLE_FORK_CHECK() \
+ { \
+ char *doForkCheck = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if (doForkCheck && !strcmp(doForkCheck, "DISABLED")) { \
+ sftkForkCheckDisabled = PR_TRUE; \
+ } \
+ }
+
+#else
+
+/* non-Unix platforms, or fork check disabled */
+
+#define CHECK_FORK()
+#define SKIP_AFTER_FORK(x) x
+#define ENABLE_FORK_CHECK()
+
+#ifndef NO_FORK_CHECK
+#define NO_FORK_CHECK
+#endif
+
+#endif
+
+/*
+ * If we were trying to be complete, we would have both FORK_SAFE
+ * and non-Fork safe interfaces here. That would require doubling
+ * the functions in our function list for both this and the FIPS
+ * interface. Since NSS now always asks for a FORK_SAFE interface,
+ * and can fall back to a non-FORK_SAFE interface, we set only
+ * export one set of interfaces here */
+#ifdef NO_FORK_CHECK
+#define NSS_INTERFACE_FLAGS CKF_INTERFACE_FORK_SAFE
+#else
+#define NSS_INTERFACE_FLAGS 0
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */
diff --git a/security/nss/lib/softoken/softokn.def b/security/nss/lib/softoken/softokn.def
new file mode 100644
index 0000000000..135755be6c
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.def
@@ -0,0 +1,39 @@
+;+#
+;+# This Source Code Form is subject to the terms of the Mozilla Public
+;+# License, v. 2.0. If a copy of the MPL was not distributed with this
+;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+# 1. For all unix platforms, the string ";-" means "remove this line"
+;+# 2. For all unix platforms, the string " DATA " will be removed from any
+;+# line on which it occurs.
+;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+# On AIX, lines containing ";+" will be removed.
+;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+# 5. For all unix platforms, after the above processing has taken place,
+;+# all characters after the first ";" on the line will be removed.
+;+# And for AIX, the first ";" will also be removed.
+;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+# directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.4 { # NSS 3.4 release
+;+ global:
+LIBRARY softokn3 ;-
+EXPORTS ;-
+C_GetFunctionList; Make this function like a real PKCS #11 module as well
+FC_GetFunctionList;
+NSC_GetFunctionList;
+NSC_ModuleDBFunc;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.52 { # NSS 3.52 release adds pkcs #11 v3.0
+;+ global:
+C_GetInterfaceList;
+FC_GetInterfaceList;
+NSC_GetInterfaceList;
+C_GetInterface;
+FC_GetInterface;
+NSC_GetInterface;
+;+ local:
+;+ *;
+;+};
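Review bot: `FORK_ASSERT()` and `ENABLE_FORK_CHECK()` expand to a bare `{ ... }` block while `CHECK_FORK()` a few lines below uses `do { ... } while (0)`; with the bare form, `FORK_ASSERT();` is a block followed by an empty statement, so `if (c) FORK_ASSERT(); else ...` does not compile, and `SKIP_AFTER_FORK(x)` expands to an unbraced `if` whose else-binding depends on the caller's text. I would wrap both bodies as `do { ... } while (0)` to match `CHECK_FORK()`, and give `SKIP_AFTER_FORK` the same shape (`do { if (!parentForkedAfterC_Initialize) { x; } } while (0)`) if its call sites allow it. The comment above sftk_MapKeySize, `** make known fixed PKCS #11 key types to their sizes in bytes`, presumably means `** map known fixed PKCS #11 key types to their sizes in bytes`. The two `#include` lines under CHECK_FORK_MIXED and CHECK_FORK_GETPID show no header name in this rendering (presumably `<unistd.h>` for getpid()); that looks like an artefact of the page rather than of the patch.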
diff --git a/security/nss/lib/softoken/softokn.rc b/security/nss/lib/softoken/softokn.rc
new file mode 100644
index 0000000000..f3dbb5c42e
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.rc
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "softkver.h"
+#include
+
+#define MY_LIBNAME "softokn"
+#define MY_FILEDESCRIPTION "NSS PKCS #11 Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+ BEGIN
+ VALUE "CompanyName", "Mozilla Foundation\0"
+ VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+ VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+ VALUE "InternalName", MY_INTERNAL_NAME "\0"
+ VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+ VALUE "ProductName", "Network Security Services\0"
+ VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 1200
+ END
+END
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
new file mode 100644
index 0000000000..03c92361c0
--- /dev/null
+++ b/security/nss/lib/softoken/softoknt.h
@@ -0,0 +1,46 @@
+/*
+ * softoknt.h - public data structures for the software token library
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTOKNT_H_
+#define _SOFTOKNT_H_
+
+#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
+#define DES_BLOCK_SIZE 8 /* bytes */
+#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */
+#define SFTK_MAX_DERIVE_KEY_SIZE 64
+
+/*
+ * FIPS 140-2 auditing
+ */
+typedef enum {
+ NSS_AUDIT_ERROR = 3, /* errors */
+ NSS_AUDIT_WARNING = 2, /* warning messages */
+ NSS_AUDIT_INFO = 1 /* informational messages */
+} NSSAuditSeverity;
+
+typedef enum {
+ NSS_AUDIT_ACCESS_KEY = 0,
+ NSS_AUDIT_CHANGE_KEY,
+ NSS_AUDIT_COPY_KEY,
+ NSS_AUDIT_CRYPT,
+ NSS_AUDIT_DERIVE_KEY,
+ NSS_AUDIT_DESTROY_KEY,
+ NSS_AUDIT_DIGEST_KEY,
+ NSS_AUDIT_FIPS_STATE,
+ NSS_AUDIT_GENERATE_KEY,
+ NSS_AUDIT_INIT_PIN,
+ NSS_AUDIT_INIT_TOKEN,
+ NSS_AUDIT_LOAD_KEY,
+ NSS_AUDIT_LOGIN,
+ NSS_AUDIT_LOGOUT,
+ NSS_AUDIT_SELF_TEST,
+ NSS_AUDIT_SET_PIN,
+ NSS_AUDIT_UNWRAP_KEY,
+ NSS_AUDIT_WRAP_KEY
+} NSSAuditType;
+
+#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/softoken/tlsprf.c b/security/nss/lib/softoken/tlsprf.c
new file mode 100644
index 0000000000..042cf194f7
--- /dev/null
+++ b/security/nss/lib/softoken/tlsprf.c
@@ -0,0 +1,198 @@
+/* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11i.h"
+#include "blapi.h"
+#include "secerr.h"
+
+static void
+sftk_TLSPRFNull(void *data, PRBool freeit)
+{
+ return;
+}
+
+typedef struct {
+ PRUint32 cxSize; /* size of allocated block, in bytes. */
+ PRUint32 cxBufSize; /* sizeof buffer at cxBufPtr. */
+ unsigned char *cxBufPtr; /* points to real buffer, may be cxBuf. */
+ PRUint32 cxKeyLen; /* bytes of cxBufPtr containing key. */
+ PRUint32 cxDataLen; /* bytes of cxBufPtr containing data. */
+ SECStatus cxRv; /* records failure of void functions. */
+ PRBool cxIsFIPS; /* true if conforming to FIPS 198. */
+ HASH_HashType cxHashAlg; /* hash algorithm to use for TLS 1.2+ */
+ unsigned int cxOutLen; /* bytes of output if nonzero */
+ unsigned char cxBuf[512]; /* actual size may be larger than 512. */
+} TLSPRFContext;
+
+static void
+sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data,
+ unsigned int data_len)
+{
+ PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
+
+ if (cx->cxRv != SECSuccess) /* function has previously failed. */
+ return;
+ if (bytesUsed + data_len > cx->cxBufSize) {
+ /* We don't use realloc here because
+ ** (a) realloc doesn't zero out the old block, and
+ ** (b) if realloc fails, we lose the old block.
+ */
+ PRUint32 newBufSize = bytesUsed + data_len + 512;
+ unsigned char *newBuf = (unsigned char *)PORT_Alloc(newBufSize);
+ if (!newBuf) {
+ cx->cxRv = SECFailure;
+ return;
+ }
+ PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
+ if (cx->cxBufPtr != cx->cxBuf) {
+ PORT_ZFree(cx->cxBufPtr, bytesUsed);
+ }
+ cx->cxBufPtr = newBuf;
+ cx->cxBufSize = newBufSize;
+ }
+ PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
+ cx->cxDataLen += data_len;
+}
+
+static void
+sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
+ unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+ *pDigestLen = 0; /* tells Verify that no data has been input yet. */
+}
+
+/* Compute the PRF values from the data previously input. */
+static SECStatus
+sftk_TLSPRFUpdate(TLSPRFContext *cx,
+ unsigned char *sig, /* output goes here. */
+ unsigned int *sigLen, /* how much output. */
+ unsigned int maxLen, /* output buffer size */
+ unsigned char *hash, /* unused. */
+ unsigned int hashLen) /* unused. */
+{
+ SECStatus rv;
+ SECItem sigItem;
+ SECItem seedItem;
+ SECItem secretItem;
+
+ if (cx->cxRv != SECSuccess)
+ return cx->cxRv;
+
+ secretItem.data = cx->cxBufPtr;
+ secretItem.len = cx->cxKeyLen;
+
+ seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
+ seedItem.len = cx->cxDataLen;
+
+ sigItem.data = sig;
+ if (cx->cxOutLen == 0) {
+ sigItem.len = maxLen;
+ } else if (cx->cxOutLen <= maxLen) {
+ sigItem.len = cx->cxOutLen;
+ } else {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ if (cx->cxHashAlg != HASH_AlgNULL) {
+ rv = TLS_P_hash(cx->cxHashAlg, &secretItem, NULL, &seedItem, &sigItem,
+ cx->cxIsFIPS);
+ } else {
+ rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
+ }
+ if (rv == SECSuccess && sigLen != NULL)
+ *sigLen = sigItem.len;
+ return rv;
+}
+
+static SECStatus
+sftk_TLSPRFVerify(TLSPRFContext *cx,
+ unsigned char *sig, /* input, for comparison. */
+ unsigned int sigLen, /* length of sig. */
+ unsigned char *hash, /* data to be verified. */
+ unsigned int hashLen) /* size of hash data. */
+{
+ unsigned char *tmp = (unsigned char *)PORT_Alloc(sigLen);
+ unsigned int tmpLen = sigLen;
+ SECStatus rv;
+
+ if (!tmp)
+ return SECFailure;
+ if (hashLen) {
+ /* hashLen is non-zero when the user does a one-step verify.
+ ** In this case, none of the data has been input yet.
+ */
+ sftk_TLSPRFHashUpdate(cx, hash, hashLen);
+ }
+ rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
+ if (rv == SECSuccess) {
+ rv = (SECStatus)(1 - !NSS_SecureMemcmp(tmp, sig, sigLen));
+ }
+ PORT_ZFree(tmp, sigLen);
+ return rv;
+}
+
+static void
+sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
+{
+ if (freeit) {
+ if (cx->cxBufPtr != cx->cxBuf)
+ PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
+ PORT_ZFree(cx, cx->cxSize);
+ }
+}
+
+CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context,
+ SFTKObject *key,
+ CK_KEY_TYPE key_type,
+ HASH_HashType hash_alg,
+ unsigned int out_len)
+{
+ SFTKAttribute *keyVal;
+ TLSPRFContext *prf_cx;
+ CK_RV crv = CKR_HOST_MEMORY;
+ PRUint32 keySize;
+ PRUint32 blockSize;
+
+ if (key_type != CKK_GENERIC_SECRET)
+ return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
+
+ context->multi = PR_TRUE;
+
+ keyVal = sftk_FindAttribute(key, CKA_VALUE);
+ keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
+ blockSize = keySize + sizeof(TLSPRFContext);
+ prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+ if (!prf_cx)
+ goto done;
+ prf_cx->cxSize = blockSize;
+ prf_cx->cxKeyLen = keySize;
+ prf_cx->cxDataLen = 0;
+ prf_cx->cxBufSize = blockSize - offsetof(TLSPRFContext, cxBuf);
+ prf_cx->cxRv = SECSuccess;
+ prf_cx->cxIsFIPS = sftk_isFIPS(key->slot->slotID);
+ prf_cx->cxBufPtr = prf_cx->cxBuf;
+ prf_cx->cxHashAlg = hash_alg;
+ prf_cx->cxOutLen = out_len;
+ if (keySize)
+ PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
+
+ context->hashInfo = (void *)prf_cx;
+ context->cipherInfo = (void *)prf_cx;
+ context->hashUpdate = (SFTKHash)sftk_TLSPRFHashUpdate;
+ context->end = (SFTKEnd)sftk_TLSPRFEnd;
+ context->update = (SFTKCipher)sftk_TLSPRFUpdate;
+ context->verify = (SFTKVerify)sftk_TLSPRFVerify;
+ context->destroy = (SFTKDestroy)sftk_TLSPRFNull;
+ context->hashdestroy = (SFTKDestroy)sftk_TLSPRFHashDestroy;
+ crv = CKR_OK;
+
+done:
+ if (keyVal)
+ sftk_FreeAttribute(keyVal);
+ return crv;
+}
-- cgit v1.2.3
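Review bot: `rv = (SECStatus)(1 - !NSS_SecureMemcmp(tmp, sig, sigLen));` in sftk_TLSPRFVerify evaluates to 1 on a mismatch, which is not a SECStatus enumerator (SECFailure is -1 in seccomon.h, if I recall correctly), so a caller that tests `rv == SECFailure` instead of `rv != SECSuccess` would take a bad PRF output as a pass, and no error code is set for the mismatch. The comparison also ignores tmpLen: when cxOutLen is set and smaller than sigLen, sftk_TLSPRFUpdate writes only cxOutLen bytes into tmp and the memcmp then reads the unwritten tail (PORT_Alloc does not appear to zero it), so the verdict depends on heap contents. I would replace the assignment with `rv = (tmpLen == sigLen && NSS_SecureMemcmp(tmp, sig, sigLen) == 0) ? SECSuccess : SECFailure;` followed by `if (rv != SECSuccess) PORT_SetError(SEC_ERROR_BAD_SIGNATURE);`. Separately, `bytesUsed + data_len` and `bytesUsed + data_len + 512` in sftk_TLSPRFHashUpdate are unchecked 32-bit sums; a wrap skips the grow path and lets the following PORT_Memcpy run past cxBufPtr, which a guard such as `if (data_len > PR_UINT32_MAX - 512 - bytesUsed) { cx->cxRv = SECFailure; return; }` would close, though it takes a multi-gigabyte update to reach.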