Update NSS to NSS 3.14 Beta 1.

mozilla/security/nss/lib/pk11wrap/pk11slot.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * Deal with PKCS #11 Slots.
  */
 #include "seccomon.h"
 #include "secmod.h"
 #include "nssilock.h"
 #include "secmodi.h"
 #include "secmodti.h"
 #include "pkcs11t.h"
 #include "pk11func.h"
 #include "secitem.h"
 #include "secerr.h"
 
 #include "dev.h" 
 #include "dev3hack.h" 
 #include "pkim.h"
+#include "utilpars.h"
 
 
 /*************************************************************
  * local static and global data
  *************************************************************/
 
 /*
  * This array helps parsing between names, mechanisms, and flags.
  * to make the config files understand more entries, add them
- * to this table. (NOTE: we need function to export this table and its size)
+ * to this table.
  */
 PK11DefaultArrayEntry PK11_DefaultArray[] = {
         { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
         { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
         { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
         { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
         { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
         { "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
         { "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
         { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
@@ skipping 1908 matching lines @@
                           * free the element later */
         rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
         if (rv != SECSuccess) {
             PK11_DeleteSlotFromList(list,le);
             continue;
         }
     }
     return list;
 }
 
+/*
+ * returns true if the slot doesn't conform to the requested attributes
+ */
+PRBool
+pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, 
+        CK_FLAGS mechanismInfoFlags, unsigned int keySize) 
+{
+    CK_MECHANISM_INFO mechanism_info;
+    CK_RV crv = CKR_OK;
+
+    /* handle the only case where we don't actually fetch the mechanisms
+     * on the fly */
+    if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
+        mechanism_info.flags = slot->RSAInfoFlags;
+    } else {
+        if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+        crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, 
+                                                        &mechanism_info);
+        if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+        /* if we were getting the RSA flags, save them */
+        if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS) 
+                                                && (!slot->hasRSAInfo)) {
+            slot->RSAInfoFlags = mechanism_info.flags;
+            slot->hasRSAInfo = PR_TRUE;
+        }
+    }
+    /* couldn't get the mechanism info */
+    if (crv != CKR_OK ) {
+        return PR_TRUE;
+    }
+    if (keySize && ((mechanism_info.ulMinKeySize > keySize)
+                        || (mechanism_info.ulMaxKeySize < keySize)) ) {
+        /* Token can do mechanism, but not at the key size we
+         * want */
+        return PR_TRUE;
+    }
+    if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) !=
+                                mechanismInfoFlags) ) {
+        return PR_TRUE;
+    }
+    return PR_FALSE;
+}
+
 
 /*
- * find the best slot which supports the given
- * Mechanism. In normal cases this should grab the first slot on the list
- * with no fuss.
+ * Find the best slot which supports the given set of mechanisms and key sizes.
+ * In normal cases this should grab the first slot on the list with no fuss.
+ * The size array is presumed to match one for one with the mechanism type 
+ * array, which allows you to specify the required key size for each
+ * mechanism in the list. Whether key size is in bits or bytes is mechanism
+ * dependent. Typically asymetric keys are in bits and symetric keys are in 
+ * bytes.
  */
 PK11SlotInfo *
-PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
+PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, 
+                CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, 
+                unsigned int mech_count, void *wincx)
 {
     PK11SlotList *list = NULL;
     PK11SlotListElement *le ;
     PK11SlotInfo *slot = NULL;
     PRBool freeit = PR_FALSE;
     PRBool listNeedLogin = PR_FALSE;
     int i;
     SECStatus rv;
 
     list = PK11_GetSlotList(type[0]);
@@ skipping 30 matching lines @@
 
     for (le = PK11_GetFirstSafe(list); le;
                                 le = PK11_GetNextSafe(list,le,PR_TRUE)) {
         if (PK11_IsPresent(le->slot)) {
             PRBool doExit = PR_FALSE;
             for (i=0; i < mech_count; i++) {
                 if (!PK11_DoesMechanism(le->slot,type[i])) {
                     doExit = PR_TRUE;
                     break;
                 }
+                if ((mechanismInfoFlags && mechanismInfoFlags[i]) ||
+                        (keySize && keySize[i])) {
+                    if (pk11_filterSlot(le->slot, type[i], 
+                            mechanismInfoFlags ?  mechanismInfoFlags[i] : 0,
+                            keySize ? keySize[i] : 0)) {
+                        doExit = PR_TRUE;
+                        break;
+                    }
+                }
             }
+    
             if (doExit) continue;
               
             if (listNeedLogin && le->slot->needLogin) {
                 rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
                 if (rv != SECSuccess) continue;
             }
             slot = le->slot;
             PK11_ReferenceSlot(slot);
             PK11_FreeSlotListElement(list,le);
             if (freeit) { PK11_FreeSlotList(list); }
             return slot;
         }
     }
     if (freeit) { PK11_FreeSlotList(list); }
     if (PORT_GetError() == 0) {
         PORT_SetError(SEC_ERROR_NO_TOKEN);
     }
     return NULL;
 }
 
+PK11SlotInfo *
+PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, 
+                         unsigned int mech_count, void *wincx)
+{
+    return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL, 
+                                                mech_count, wincx);
+}
+
 /* original get best slot now calls the multiple version with only one type */
 PK11SlotInfo *
 PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
 {
-    return PK11_GetBestSlotMultiple(&type, 1, wincx);
+    return PK11_GetBestSlotMultipleWithAttributes(&type, NULL, NULL, 1, wincx);
+}
+
+PK11SlotInfo *
+PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags,
+                unsigned int keySize, void *wincx)
+{
+    return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags,
+                                                 &keySize, 1, wincx);
 }
 
 int
 PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
 {
     CK_MECHANISM_INFO mechanism_info;
     CK_RV crv;
 
     if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
@@ skipping 236 matching lines @@
                 first_time_set = PR_TRUE;
             }
             if ((interval-first_time) > timeout) {
                 return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
             }
         }
         PR_Sleep(latency);
    }
    return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
 }