Chromium Code Reviews

Side by Side Diff: mozilla/security/nss/lib/pk11wrap/pk11slot.c

Issue 14249009: Change the NSS and NSPR source tree to the new directory structure to be (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/
Patch Set: Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View unified diff | | Annotate | Revision Log
« no previous file with comments | « mozilla/security/nss/lib/pk11wrap/pk11skey.c ('k') | mozilla/security/nss/lib/pk11wrap/pk11util.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /*
5 * Deal with PKCS #11 Slots.
6 */
7 #include "seccomon.h"
8 #include "secmod.h"
9 #include "nssilock.h"
10 #include "secmodi.h"
11 #include "secmodti.h"
12 #include "pkcs11t.h"
13 #include "pk11func.h"
14 #include "secitem.h"
15 #include "secerr.h"
16
17 #include "dev.h"
18 #include "dev3hack.h"
19 #include "pkim.h"
20 #include "utilpars.h"
21
22
23 /*************************************************************
24 * local static and global data
25 *************************************************************/
26
27 /*
28 * This array helps parsing between names, mechanisms, and flags.
29 * to make the config files understand more entries, add them
30 * to this table.
31 */
32 PK11DefaultArrayEntry PK11_DefaultArray[] = {
33 { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
34 { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
35 { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
36 { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
37 { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
38 { "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
39 { "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
40 { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
41 { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC },
42 { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
43 { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
44 /* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */
45 { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
46 /* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
47 { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
48 { "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
49 { "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
50 { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
51 { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
52 { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
53 { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
54 { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
55 };
56 const int num_pk11_default_mechanisms =
57 sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
58
59 PK11DefaultArrayEntry *
60 PK11_GetDefaultArray(int *size)
61 {
62 if (size) {
63 *size = num_pk11_default_mechanisms;
64 }
65 return PK11_DefaultArray;
66 }
67
68 /*
69 * These slotlists are lists of modules which provide default support for
70 * a given algorithm or mechanism.
71 */
72 static PK11SlotList
73 pk11_seedSlotList,
74 pk11_camelliaSlotList,
75 pk11_aesSlotList,
76 pk11_desSlotList,
77 pk11_rc4SlotList,
78 pk11_rc2SlotList,
79 pk11_rc5SlotList,
80 pk11_sha1SlotList,
81 pk11_md5SlotList,
82 pk11_md2SlotList,
83 pk11_rsaSlotList,
84 pk11_dsaSlotList,
85 pk11_dhSlotList,
86 pk11_ecSlotList,
87 pk11_ideaSlotList,
88 pk11_sslSlotList,
89 pk11_tlsSlotList,
90 pk11_randomSlotList,
91 pk11_sha256SlotList,
92 pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
93
94 /************************************************************
95 * Generic Slot List and Slot List element manipulations
96 ************************************************************/
97
98 /*
99 * allocate a new list
100 */
101 PK11SlotList *
102 PK11_NewSlotList(void)
103 {
104 PK11SlotList *list;
105
106 list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
107 if (list == NULL) return NULL;
108 list->head = NULL;
109 list->tail = NULL;
110 list->lock = PZ_NewLock(nssILockList);
111 if (list->lock == NULL) {
112 PORT_Free(list);
113 return NULL;
114 }
115
116 return list;
117 }
118
119 /*
120 * free a list element when all the references go away.
121 */
122 SECStatus
123 PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le)
124 {
125 PRBool freeit = PR_FALSE;
126
127 if (list == NULL || le == NULL) {
128 PORT_SetError(SEC_ERROR_INVALID_ARGS);
129 return SECFailure;
130 }
131
132 PZ_Lock(list->lock);
133 if (le->refCount-- == 1) {
134 freeit = PR_TRUE;
135 }
136 PZ_Unlock(list->lock);
137 if (freeit) {
138 PK11_FreeSlot(le->slot);
139 PORT_Free(le);
140 }
141 return SECSuccess;
142 }
143
144 static void
145 pk11_FreeSlotListStatic(PK11SlotList *list)
146 {
147 PK11SlotListElement *le, *next ;
148 if (list == NULL) return;
149
150 for (le = list->head ; le; le = next) {
151 next = le->next;
152 PK11_FreeSlotListElement(list,le);
153 }
154 if (list->lock) {
155 PZ_DestroyLock(list->lock);
156 }
157 list->lock = NULL;
158 list->head = NULL;
159 }
160
161 /*
162 * if we are freeing the list, we must be the only ones with a pointer
163 * to the list.
164 */
165 void
166 PK11_FreeSlotList(PK11SlotList *list)
167 {
168 pk11_FreeSlotListStatic(list);
169 PORT_Free(list);
170 }
171
172 /*
173 * add a slot to a list
174 * "slot" is the slot to be added. Ownership is not transferred.
175 * "sorted" indicates whether or not the slot should be inserted according to
176 * cipherOrder of the associated module. PR_FALSE indicates that the slot
177 * should be inserted to the head of the list.
178 */
179 SECStatus
180 PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted)
181 {
182 PK11SlotListElement *le;
183 PK11SlotListElement *element;
184
185 le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
186 if (le == NULL) return SECFailure;
187
188 le->slot = PK11_ReferenceSlot(slot);
189 le->prev = NULL;
190 le->refCount = 1;
191 PZ_Lock(list->lock);
192 element = list->head;
193 /* Insertion sort, with higher cipherOrders are sorted first in the list */
194 while (element && sorted && (element->slot->module->cipherOrder >
195 le->slot->module->cipherOrder)) {
196 element = element->next;
197 }
198 if (element) {
199 le->prev = element->prev;
200 element->prev = le;
201 le->next = element;
202 } else {
203 le->prev = list->tail;
204 le->next = NULL;
205 list->tail = le;
206 }
207 if (le->prev) le->prev->next = le;
208 if (list->head == element) list->head = le;
209 PZ_Unlock(list->lock);
210
211 return SECSuccess;
212 }
213
214 /*
215 * remove a slot entry from the list
216 */
217 SECStatus
218 PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
219 {
220 PZ_Lock(list->lock);
221 if (le->prev) le->prev->next = le->next; else list->head = le->next;
222 if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
223 le->next = le->prev = NULL;
224 PZ_Unlock(list->lock);
225 PK11_FreeSlotListElement(list,le);
226 return SECSuccess;
227 }
228
229 /*
230 * Move a list to the end of the target list.
231 * NOTE: There is no locking here... This assumes BOTH lists are private copy
232 * lists. It also does not re-sort the target list.
233 */
234 SECStatus
235 pk11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
236 {
237 if (src->head == NULL) return SECSuccess;
238
239 if (target->tail == NULL) {
240 target->head = src->head;
241 } else {
242 target->tail->next = src->head;
243 }
244 src->head->prev = target->tail;
245 target->tail = src->tail;
246 src->head = src->tail = NULL;
247 return SECSuccess;
248 }
249
250 /*
251 * get an element from the list with a reference. You must own the list.
252 */
253 PK11SlotListElement *
254 PK11_GetFirstRef(PK11SlotList *list)
255 {
256 PK11SlotListElement *le;
257
258 le = list->head;
259 if (le != NULL) (le)->refCount++;
260 return le;
261 }
262
263 /*
264 * get the next element from the list with a reference. You must own the list.
265 */
266 PK11SlotListElement *
267 PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
268 {
269 PK11SlotListElement *new_le;
270 new_le = le->next;
271 if (new_le) new_le->refCount++;
272 PK11_FreeSlotListElement(list,le);
273 return new_le;
274 }
275
276 /*
277 * get an element safely from the list. This just makes sure that if
278 * this element is not deleted while we deal with it.
279 */
280 PK11SlotListElement *
281 PK11_GetFirstSafe(PK11SlotList *list)
282 {
283 PK11SlotListElement *le;
284
285 PZ_Lock(list->lock);
286 le = list->head;
287 if (le != NULL) (le)->refCount++;
288 PZ_Unlock(list->lock);
289 return le;
290 }
291
292 /*
293 * NOTE: if this element gets deleted, we can no longer safely traverse using
294 * it's pointers. We can either terminate the loop, or restart from the
295 * beginning. This is controlled by the restart option.
296 */
297 PK11SlotListElement *
298 PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
299 {
300 PK11SlotListElement *new_le;
301 PZ_Lock(list->lock);
302 new_le = le->next;
303 if (le->next == NULL) {
304 /* if the prev and next fields are NULL then either this element
305 * has been removed and we need to walk the list again (if restart
306 * is true) or this was the only element on the list */
307 if ((le->prev == NULL) && restart && (list->head != le)) {
308 new_le = list->head;
309 }
310 }
311 if (new_le) new_le->refCount++;
312 PZ_Unlock(list->lock);
313 PK11_FreeSlotListElement(list,le);
314 return new_le;
315 }
316
317
318 /*
319 * Find the element that holds this slot
320 */
321 PK11SlotListElement *
322 PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
323 {
324 PK11SlotListElement *le;
325
326 for (le = PK11_GetFirstSafe(list); le;
327 le = PK11_GetNextSafe(list,le,PR_TRUE)) {
328 if (le->slot == slot) return le;
329 }
330 return NULL;
331 }
332
333 /************************************************************
334 * Generic Slot Utilities
335 ************************************************************/
336 /*
337 * Create a new slot structure
338 */
339 PK11SlotInfo *
340 PK11_NewSlotInfo(SECMODModule *mod)
341 {
342 PK11SlotInfo *slot;
343
344 slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
345 if (slot == NULL) return slot;
346
347 slot->sessionLock = mod->isThreadSafe ?
348 PZ_NewLock(nssILockSession) : mod->refLock;
349 if (slot->sessionLock == NULL) {
350 PORT_Free(slot);
351 return NULL;
352 }
353 slot->freeListLock = PZ_NewLock(nssILockFreelist);
354 if (slot->freeListLock == NULL) {
355 if (mod->isThreadSafe) {
356 PZ_DestroyLock(slot->sessionLock);
357 }
358 PORT_Free(slot);
359 return NULL;
360 }
361 slot->freeSymKeysWithSessionHead = NULL;
362 slot->freeSymKeysHead = NULL;
363 slot->keyCount = 0;
364 slot->maxKeyCount = 0;
365 slot->functionList = NULL;
366 slot->needTest = PR_TRUE;
367 slot->isPerm = PR_FALSE;
368 slot->isHW = PR_FALSE;
369 slot->isInternal = PR_FALSE;
370 slot->isThreadSafe = PR_FALSE;
371 slot->disabled = PR_FALSE;
372 slot->series = 1;
373 slot->wrapKey = 0;
374 slot->wrapMechanism = CKM_INVALID_MECHANISM;
375 slot->refKeys[0] = CK_INVALID_HANDLE;
376 slot->reason = PK11_DIS_NONE;
377 slot->readOnly = PR_TRUE;
378 slot->needLogin = PR_FALSE;
379 slot->hasRandom = PR_FALSE;
380 slot->defRWSession = PR_FALSE;
381 slot->protectedAuthPath = PR_FALSE;
382 slot->flags = 0;
383 slot->session = CK_INVALID_SESSION;
384 slot->slotID = 0;
385 slot->defaultFlags = 0;
386 slot->refCount = 1;
387 slot->askpw = 0;
388 slot->timeout = 0;
389 slot->mechanismList = NULL;
390 slot->mechanismCount = 0;
391 slot->cert_array = NULL;
392 slot->cert_count = 0;
393 slot->slot_name[0] = 0;
394 slot->token_name[0] = 0;
395 PORT_Memset(slot->serial,' ',sizeof(slot->serial));
396 slot->module = NULL;
397 slot->authTransact = 0;
398 slot->authTime = LL_ZERO;
399 slot->minPassword = 0;
400 slot->maxPassword = 0;
401 slot->hasRootCerts = PR_FALSE;
402 slot->nssToken = NULL;
403 return slot;
404 }
405
406 /* create a new reference to a slot so it doesn't go away */
407 PK11SlotInfo *
408 PK11_ReferenceSlot(PK11SlotInfo *slot)
409 {
410 PR_ATOMIC_INCREMENT(&slot->refCount);
411 return slot;
412 }
413
414 /* Destroy all info on a slot we have built up */
415 void
416 PK11_DestroySlot(PK11SlotInfo *slot)
417 {
418 /* free up the cached keys and sessions */
419 PK11_CleanKeyList(slot);
420
421 /* free up all the sessions on this slot */
422 if (slot->functionList) {
423 PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
424 }
425
426 if (slot->mechanismList) {
427 PORT_Free(slot->mechanismList);
428 }
429 if (slot->isThreadSafe && slot->sessionLock) {
430 PZ_DestroyLock(slot->sessionLock);
431 }
432 slot->sessionLock = NULL;
433 if (slot->freeListLock) {
434 PZ_DestroyLock(slot->freeListLock);
435 slot->freeListLock = NULL;
436 }
437
438 /* finally Tell our parent module that we've gone away so it can unload */
439 if (slot->module) {
440 SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
441 }
442
443 /* ok, well not quit finally... now we free the memory */
444 PORT_Free(slot);
445 }
446
447
448 /* We're all done with the slot, free it */
449 void
450 PK11_FreeSlot(PK11SlotInfo *slot)
451 {
452 if (PR_ATOMIC_DECREMENT(&slot->refCount) == 0) {
453 PK11_DestroySlot(slot);
454 }
455 }
456
457 void
458 PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
459 PZ_Lock(slot->sessionLock);
460 }
461
462 void
463 PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
464 PZ_Unlock(slot->sessionLock);
465 }
466
467 /***********************************************************
468 * Functions to find specific slots.
469 ***********************************************************/
470 PRBool
471 SECMOD_HasRootCerts(void)
472 {
473 SECMODModuleList *mlp;
474 SECMODModuleList *modules;
475 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
476 int i;
477 PRBool found = PR_FALSE;
478
479 if (!moduleLock) {
480 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
481 return found;
482 }
483
484 /* work through all the slots */
485 SECMOD_GetReadLock(moduleLock);
486 modules = SECMOD_GetDefaultModuleList();
487 for(mlp = modules; mlp != NULL; mlp = mlp->next) {
488 for (i=0; i < mlp->module->slotCount; i++) {
489 PK11SlotInfo *tmpSlot = mlp->module->slots[i];
490 if (PK11_IsPresent(tmpSlot)) {
491 if (tmpSlot->hasRootCerts) {
492 found = PR_TRUE;
493 break;
494 }
495 }
496 }
497 if (found) break;
498 }
499 SECMOD_ReleaseReadLock(moduleLock);
500
501 return found;
502 }
503
504 /***********************************************************
505 * Functions to find specific slots.
506 ***********************************************************/
507 PK11SlotList *
508 PK11_FindSlotsByNames(const char *dllName, const char* slotName,
509 const char* tokenName, PRBool presentOnly)
510 {
511 SECMODModuleList *mlp;
512 SECMODModuleList *modules;
513 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
514 int i;
515 PK11SlotList* slotList = NULL;
516 PRUint32 slotcount = 0;
517 SECStatus rv = SECSuccess;
518
519 if (!moduleLock) {
520 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
521 return slotList;
522 }
523
524 slotList = PK11_NewSlotList();
525 if (!slotList) {
526 PORT_SetError(SEC_ERROR_NO_MEMORY);
527 return slotList;
528 }
529
530 if ( ((NULL == dllName) || (0 == *dllName)) &&
531 ((NULL == slotName) || (0 == *slotName)) &&
532 ((NULL == tokenName) || (0 == *tokenName)) ) {
533 /* default to softoken */
534 PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot(), PR_TRUE);
535 return slotList;
536 }
537
538 /* work through all the slots */
539 SECMOD_GetReadLock(moduleLock);
540 modules = SECMOD_GetDefaultModuleList();
541 for (mlp = modules; mlp != NULL; mlp = mlp->next) {
542 PORT_Assert(mlp->module);
543 if (!mlp->module) {
544 rv = SECFailure;
545 break;
546 }
547 if ((!dllName) || (mlp->module->dllName &&
548 (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) {
549 for (i=0; i < mlp->module->slotCount; i++) {
550 PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i ]:NULL);
551 PORT_Assert(tmpSlot);
552 if (!tmpSlot) {
553 rv = SECFailure;
554 break;
555 }
556 if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
557 ( (!tokenName) || (tmpSlot->token_name &&
558 (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) &&
559 ( (!slotName) || (tmpSlot->slot_name &&
560 (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) {
561 if (tmpSlot) {
562 PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE);
563 slotcount++;
564 }
565 }
566 }
567 }
568 }
569 SECMOD_ReleaseReadLock(moduleLock);
570
571 if ( (0 == slotcount) || (SECFailure == rv) ) {
572 PORT_SetError(SEC_ERROR_NO_TOKEN);
573 PK11_FreeSlotList(slotList);
574 slotList = NULL;
575 }
576
577 if (SECFailure == rv) {
578 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
579 }
580
581 return slotList;
582 }
583
584 PK11SlotInfo *
585 PK11_FindSlotByName(const char *name)
586 {
587 SECMODModuleList *mlp;
588 SECMODModuleList *modules;
589 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
590 int i;
591 PK11SlotInfo *slot = NULL;
592
593 if (!moduleLock) {
594 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
595 return slot;
596 }
597 if ((name == NULL) || (*name == 0)) {
598 return PK11_GetInternalKeySlot();
599 }
600
601 /* work through all the slots */
602 SECMOD_GetReadLock(moduleLock);
603 modules = SECMOD_GetDefaultModuleList();
604 for(mlp = modules; mlp != NULL; mlp = mlp->next) {
605 for (i=0; i < mlp->module->slotCount; i++) {
606 PK11SlotInfo *tmpSlot = mlp->module->slots[i];
607 if (PK11_IsPresent(tmpSlot)) {
608 if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
609 slot = PK11_ReferenceSlot(tmpSlot);
610 break;
611 }
612 }
613 }
614 if (slot != NULL) break;
615 }
616 SECMOD_ReleaseReadLock(moduleLock);
617
618 if (slot == NULL) {
619 PORT_SetError(SEC_ERROR_NO_TOKEN);
620 }
621
622 return slot;
623 }
624
625
626 PK11SlotInfo *
627 PK11_FindSlotBySerial(char *serial)
628 {
629 SECMODModuleList *mlp;
630 SECMODModuleList *modules;
631 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
632 int i;
633 PK11SlotInfo *slot = NULL;
634
635 if (!moduleLock) {
636 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
637 return slot;
638 }
639 /* work through all the slots */
640 SECMOD_GetReadLock(moduleLock);
641 modules = SECMOD_GetDefaultModuleList();
642 for(mlp = modules; mlp != NULL; mlp = mlp->next) {
643 for (i=0; i < mlp->module->slotCount; i++) {
644 PK11SlotInfo *tmpSlot = mlp->module->slots[i];
645 if (PK11_IsPresent(tmpSlot)) {
646 if (PORT_Memcmp(tmpSlot->serial,serial,
647 sizeof(tmpSlot->serial)) == 0) {
648 slot = PK11_ReferenceSlot(tmpSlot);
649 break;
650 }
651 }
652 }
653 if (slot != NULL) break;
654 }
655 SECMOD_ReleaseReadLock(moduleLock);
656
657 if (slot == NULL) {
658 PORT_SetError(SEC_ERROR_NO_TOKEN);
659 }
660
661 return slot;
662 }
663
664 /*
665 * notification stub. If we ever get interested in any events that
666 * the pkcs11 functions may pass back to use, we can catch them here...
667 * currently pdata is a slotinfo structure.
668 */
669 CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
670 CK_VOID_PTR pdata)
671 {
672 return CKR_OK;
673 }
674
675 /*
676 * grab a new RW session
677 * !!! has a side effect of grabbing the Monitor if either the slot's default
678 * session is RW or the slot is not thread safe. Monitor is release in function
679 * below
680 */
681 CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
682 {
683 CK_SESSION_HANDLE rwsession;
684 CK_RV crv;
685 PRBool haveMonitor = PR_FALSE;
686
687 if (!slot->isThreadSafe || slot->defRWSession) {
688 PK11_EnterSlotMonitor(slot);
689 haveMonitor = PR_TRUE;
690 }
691 if (slot->defRWSession) {
692 PORT_Assert(slot->session != CK_INVALID_SESSION);
693 if (slot->session != CK_INVALID_SESSION)
694 return slot->session;
695 }
696
697 crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
698 CKF_RW_SESSION|CKF_SERIAL_SESSION,
699 slot, pk11_notify,&rwsession);
700 PORT_Assert(rwsession != CK_INVALID_SESSION || crv != CKR_OK);
701 if (crv != CKR_OK || rwsession == CK_INVALID_SESSION) {
702 if (crv == CKR_OK)
703 crv = CKR_DEVICE_ERROR;
704 if (haveMonitor)
705 PK11_ExitSlotMonitor(slot);
706 PORT_SetError(PK11_MapError(crv));
707 return CK_INVALID_SESSION;
708 }
709 if (slot->defRWSession) { /* we have the monitor */
710 slot->session = rwsession;
711 }
712 return rwsession;
713 }
714
715 PRBool
716 PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle)
717 {
718 PRBool hasLock;
719 hasLock = (PRBool)(!slot->isThreadSafe ||
720 (slot->defRWSession && slot->session != CK_INVALID_SESSION));
721 return hasLock;
722 }
723
724 static PRBool
725 pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
726 {
727 PRBool isDefault;
728 isDefault = (PRBool)(slot->session == rwsession &&
729 slot->defRWSession &&
730 slot->session != CK_INVALID_SESSION);
731 return isDefault;
732 }
733
734 /*
735 * close the rwsession and restore our readonly session
736 * !!! has a side effect of releasing the Monitor if either the slot's default
737 * session is RW or the slot is not thread safe.
738 */
739 void
740 PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
741 {
742 PORT_Assert(rwsession != CK_INVALID_SESSION);
743 if (rwsession != CK_INVALID_SESSION) {
744 PRBool doExit = PK11_RWSessionHasLock(slot, rwsession);
745 if (!pk11_RWSessionIsDefault(slot, rwsession))
746 PK11_GETTAB(slot)->C_CloseSession(rwsession);
747 if (doExit)
748 PK11_ExitSlotMonitor(slot);
749 }
750 }
751
752 /************************************************************
753 * Manage the built-In Slot Lists
754 ************************************************************/
755
756 /* Init the static built int slot list (should actually integrate
757 * with PK11_NewSlotList */
758 static void
759 pk11_InitSlotListStatic(PK11SlotList *list)
760 {
761 list->lock = PZ_NewLock(nssILockList);
762 list->head = NULL;
763 }
764
765
766 /* initialize the system slotlists */
767 SECStatus
768 PK11_InitSlotLists(void)
769 {
770 pk11_InitSlotListStatic(&pk11_seedSlotList);
771 pk11_InitSlotListStatic(&pk11_camelliaSlotList);
772 pk11_InitSlotListStatic(&pk11_aesSlotList);
773 pk11_InitSlotListStatic(&pk11_desSlotList);
774 pk11_InitSlotListStatic(&pk11_rc4SlotList);
775 pk11_InitSlotListStatic(&pk11_rc2SlotList);
776 pk11_InitSlotListStatic(&pk11_rc5SlotList);
777 pk11_InitSlotListStatic(&pk11_md5SlotList);
778 pk11_InitSlotListStatic(&pk11_md2SlotList);
779 pk11_InitSlotListStatic(&pk11_sha1SlotList);
780 pk11_InitSlotListStatic(&pk11_rsaSlotList);
781 pk11_InitSlotListStatic(&pk11_dsaSlotList);
782 pk11_InitSlotListStatic(&pk11_dhSlotList);
783 pk11_InitSlotListStatic(&pk11_ecSlotList);
784 pk11_InitSlotListStatic(&pk11_ideaSlotList);
785 pk11_InitSlotListStatic(&pk11_sslSlotList);
786 pk11_InitSlotListStatic(&pk11_tlsSlotList);
787 pk11_InitSlotListStatic(&pk11_randomSlotList);
788 pk11_InitSlotListStatic(&pk11_sha256SlotList);
789 pk11_InitSlotListStatic(&pk11_sha512SlotList);
790 return SECSuccess;
791 }
792
793 void
794 PK11_DestroySlotLists(void)
795 {
796 pk11_FreeSlotListStatic(&pk11_seedSlotList);
797 pk11_FreeSlotListStatic(&pk11_camelliaSlotList);
798 pk11_FreeSlotListStatic(&pk11_aesSlotList);
799 pk11_FreeSlotListStatic(&pk11_desSlotList);
800 pk11_FreeSlotListStatic(&pk11_rc4SlotList);
801 pk11_FreeSlotListStatic(&pk11_rc2SlotList);
802 pk11_FreeSlotListStatic(&pk11_rc5SlotList);
803 pk11_FreeSlotListStatic(&pk11_md5SlotList);
804 pk11_FreeSlotListStatic(&pk11_md2SlotList);
805 pk11_FreeSlotListStatic(&pk11_sha1SlotList);
806 pk11_FreeSlotListStatic(&pk11_rsaSlotList);
807 pk11_FreeSlotListStatic(&pk11_dsaSlotList);
808 pk11_FreeSlotListStatic(&pk11_dhSlotList);
809 pk11_FreeSlotListStatic(&pk11_ecSlotList);
810 pk11_FreeSlotListStatic(&pk11_ideaSlotList);
811 pk11_FreeSlotListStatic(&pk11_sslSlotList);
812 pk11_FreeSlotListStatic(&pk11_tlsSlotList);
813 pk11_FreeSlotListStatic(&pk11_randomSlotList);
814 pk11_FreeSlotListStatic(&pk11_sha256SlotList);
815 pk11_FreeSlotListStatic(&pk11_sha512SlotList);
816 return;
817 }
818
819 /* return a system slot list based on mechanism */
820 PK11SlotList *
821 PK11_GetSlotList(CK_MECHANISM_TYPE type)
822 {
823 /* XXX a workaround for Bugzilla bug #55267 */
824 #if defined(HPUX) && defined(__LP64__)
825 if (CKM_INVALID_MECHANISM == type)
826 return NULL;
827 #endif
828 switch (type) {
829 case CKM_SEED_CBC:
830 case CKM_SEED_ECB:
831 return &pk11_seedSlotList;
832 case CKM_CAMELLIA_CBC:
833 case CKM_CAMELLIA_ECB:
834 return &pk11_camelliaSlotList;
835 case CKM_AES_CBC:
836 case CKM_AES_ECB:
837 return &pk11_aesSlotList;
838 case CKM_DES_CBC:
839 case CKM_DES_ECB:
840 case CKM_DES3_ECB:
841 case CKM_DES3_CBC:
842 return &pk11_desSlotList;
843 case CKM_RC4:
844 return &pk11_rc4SlotList;
845 case CKM_RC5_CBC:
846 return &pk11_rc5SlotList;
847 case CKM_SHA_1:
848 return &pk11_sha1SlotList;
849 case CKM_SHA224:
850 case CKM_SHA256:
851 return &pk11_sha256SlotList;
852 case CKM_SHA384:
853 case CKM_SHA512:
854 return &pk11_sha512SlotList;
855 case CKM_MD5:
856 return &pk11_md5SlotList;
857 case CKM_MD2:
858 return &pk11_md2SlotList;
859 case CKM_RC2_ECB:
860 case CKM_RC2_CBC:
861 return &pk11_rc2SlotList;
862 case CKM_RSA_PKCS:
863 case CKM_RSA_PKCS_KEY_PAIR_GEN:
864 case CKM_RSA_X_509:
865 return &pk11_rsaSlotList;
866 case CKM_DSA:
867 return &pk11_dsaSlotList;
868 case CKM_DH_PKCS_KEY_PAIR_GEN:
869 case CKM_DH_PKCS_DERIVE:
870 return &pk11_dhSlotList;
871 case CKM_ECDSA:
872 case CKM_ECDSA_SHA1:
873 case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
874 case CKM_ECDH1_DERIVE:
875 return &pk11_ecSlotList;
876 case CKM_SSL3_PRE_MASTER_KEY_GEN:
877 case CKM_SSL3_MASTER_KEY_DERIVE:
878 case CKM_SSL3_SHA1_MAC:
879 case CKM_SSL3_MD5_MAC:
880 return &pk11_sslSlotList;
881 case CKM_TLS_MASTER_KEY_DERIVE:
882 case CKM_TLS_KEY_AND_MAC_DERIVE:
883 return &pk11_tlsSlotList;
884 case CKM_IDEA_CBC:
885 case CKM_IDEA_ECB:
886 return &pk11_ideaSlotList;
887 case CKM_FAKE_RANDOM:
888 return &pk11_randomSlotList;
889 }
890 return NULL;
891 }
892
893 /*
894 * load the static SlotInfo structures used to select a PKCS11 slot.
895 * preSlotInfo has a list of all the default flags for the slots on this
896 * module.
897 */
898 void
899 PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
900 {
901 int i;
902
903 for (i=0; i < count; i++) {
904 if (psi[i].slotID == slot->slotID)
905 break;
906 }
907
908 if (i == count) return;
909
910 slot->defaultFlags = psi[i].defaultFlags;
911 slot->askpw = psi[i].askpw;
912 slot->timeout = psi[i].timeout;
913 slot->hasRootCerts = psi[i].hasRootCerts;
914
915 /* if the slot is already disabled, don't load them into the
916 * default slot lists. We get here so we can save the default
917 * list value. */
918 if (slot->disabled) return;
919
920 /* if the user has disabled us, don't load us in */
921 if (slot->defaultFlags & PK11_DISABLE_FLAG) {
922 slot->disabled = PR_TRUE;
923 slot->reason = PK11_DIS_USER_SELECTED;
924 /* free up sessions and things?? */
925 return;
926 }
927
928 for (i=0; i < num_pk11_default_mechanisms; i++) {
929 if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
930 CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
931 PK11SlotList *slotList = PK11_GetSlotList(mechanism);
932
933 if (slotList) PK11_AddSlotToList(slotList,slot,PR_FALSE);
934 }
935 }
936
937 return;
938 }
939
940
941 /*
942 * update a slot to its new attribute according to the slot list
943 * returns: SECSuccess if nothing to do or add/delete is successful
944 */
945 SECStatus
946 PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
947 PRBool add)
948 /* add: PR_TRUE if want to turn on */
949 {
950 SECStatus result = SECSuccess;
951 PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
952
953 if (add) { /* trying to turn on a mechanism */
954
955 /* turn on the default flag in the slot */
956 slot->defaultFlags |= entry->flag;
957
958 /* add this slot to the list */
959 if (slotList!=NULL)
960 result = PK11_AddSlotToList(slotList, slot, PR_FALSE);
961
962 } else { /* trying to turn off */
963
964 /* turn OFF the flag in the slot */
965 slot->defaultFlags &= ~entry->flag;
966
967 if (slotList) {
968 /* find the element in the list & delete it */
969 PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
970
971 /* remove the slot from the list */
972 if (le)
973 result = PK11_DeleteSlotFromList(slotList, le);
974 }
975 }
976 return result;
977 }
978
979 /*
980 * clear a slot off of all of it's default list
981 */
982 void
983 PK11_ClearSlotList(PK11SlotInfo *slot)
984 {
985 int i;
986
987 if (slot->disabled) return;
988 if (slot->defaultFlags == 0) return;
989
990 for (i=0; i < num_pk11_default_mechanisms; i++) {
991 if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
992 CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
993 PK11SlotList *slotList = PK11_GetSlotList(mechanism);
994 PK11SlotListElement *le = NULL;
995
996 if (slotList) le = PK11_FindSlotElement(slotList,slot);
997
998 if (le) {
999 PK11_DeleteSlotFromList(slotList,le);
1000 PK11_FreeSlotListElement(slotList,le);
1001 }
1002 }
1003 }
1004 }
1005
1006
1007 /******************************************************************
1008 * Slot initialization
1009 ******************************************************************/
1010 /*
1011 * turn a PKCS11 Static Label into a string
1012 */
1013 char *
1014 PK11_MakeString(PRArenaPool *arena,char *space,
1015 char *staticString,int stringLen)
1016 {
1017 int i;
1018 char *newString;
1019 for(i=(stringLen-1); i >= 0; i--) {
1020 if (staticString[i] != ' ') break;
1021 }
1022 /* move i to point to the last space */
1023 i++;
1024 if (arena) {
1025 newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
1026 } else if (space) {
1027 newString = space;
1028 } else {
1029 newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
1030 }
1031 if (newString == NULL) return NULL;
1032
1033 if (i) PORT_Memcpy(newString,staticString, i);
1034 newString[i] = 0;
1035
1036 return newString;
1037 }
1038
1039 /*
1040 * Reads in the slots mechanism list for later use
1041 */
1042 SECStatus
1043 PK11_ReadMechanismList(PK11SlotInfo *slot)
1044 {
1045 CK_ULONG count;
1046 CK_RV crv;
1047 PRUint32 i;
1048
1049 if (slot->mechanismList) {
1050 PORT_Free(slot->mechanismList);
1051 slot->mechanismList = NULL;
1052 }
1053 slot->mechanismCount = 0;
1054
1055 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1056 crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
1057 if (crv != CKR_OK) {
1058 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1059 PORT_SetError(PK11_MapError(crv));
1060 return SECFailure;
1061 }
1062
1063 slot->mechanismList = (CK_MECHANISM_TYPE *)
1064 PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
1065 if (slot->mechanismList == NULL) {
1066 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1067 return SECFailure;
1068 }
1069 crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
1070 slot->mechanismList, &count);
1071 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1072 if (crv != CKR_OK) {
1073 PORT_Free(slot->mechanismList);
1074 slot->mechanismList = NULL;
1075 PORT_SetError(PK11_MapError(crv));
1076 return SECSuccess;
1077 }
1078 slot->mechanismCount = count;
1079 PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
1080
1081 for (i=0; i < count; i++) {
1082 CK_MECHANISM_TYPE mech = slot->mechanismList[i];
1083 if (mech < 0x7ff) {
1084 slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
1085 }
1086 }
1087 return SECSuccess;
1088 }
1089
1090 /*
1091 * initialize a new token
1092 * unlike initialize slot, this can be called multiple times in the lifetime
1093 * of NSS. It reads the information associated with a card or token,
1094 * that is not going to change unless the card or token changes.
1095 */
1096 SECStatus
1097 PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
1098 {
1099 CK_TOKEN_INFO tokenInfo;
1100 CK_RV crv;
1101 char *tmp;
1102 SECStatus rv;
1103 PRStatus status;
1104
1105 /* set the slot flags to the current token values */
1106 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1107 crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
1108 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1109 if (crv != CKR_OK) {
1110 PORT_SetError(PK11_MapError(crv));
1111 return SECFailure;
1112 }
1113
1114 /* set the slot flags to the current token values */
1115 slot->series++; /* allow other objects to detect that the
1116 * slot is different */
1117 slot->flags = tokenInfo.flags;
1118 slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ?
1119 PR_TRUE : PR_FALSE);
1120 slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ?
1121 PR_TRUE : PR_FALSE);
1122
1123
1124 slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
1125 slot->protectedAuthPath =
1126 ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
1127 ? PR_TRUE : PR_FALSE);
1128 slot->lastLoginCheck = 0;
1129 slot->lastState = 0;
1130 /* on some platforms Active Card incorrectly sets the
1131 * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
1132 if (slot->isActiveCard) {
1133 slot->protectedAuthPath = PR_FALSE;
1134 }
1135 tmp = PK11_MakeString(NULL,slot->token_name,
1136 (char *)tokenInfo.label, sizeof(tokenInfo.label));
1137 slot->minPassword = tokenInfo.ulMinPinLen;
1138 slot->maxPassword = tokenInfo.ulMaxPinLen;
1139 PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
1140
1141 nssToken_UpdateName(slot->nssToken);
1142
1143 slot->defRWSession = (PRBool)((!slot->readOnly) &&
1144 (tokenInfo.ulMaxSessionCount == 1));
1145 rv = PK11_ReadMechanismList(slot);
1146 if (rv != SECSuccess) return rv;
1147
1148 slot->hasRSAInfo = PR_FALSE;
1149 slot->RSAInfoFlags = 0;
1150
1151 /* initialize the maxKeyCount value */
1152 if (tokenInfo.ulMaxSessionCount == 0) {
1153 slot->maxKeyCount = 800; /* should be #define or a config param */
1154 } else if (tokenInfo.ulMaxSessionCount < 20) {
1155 /* don't have enough sessions to keep that many keys around */
1156 slot->maxKeyCount = 0;
1157 } else {
1158 slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
1159 }
1160
1161 /* Make sure our session handle is valid */
1162 if (slot->session == CK_INVALID_SESSION) {
1163 /* we know we don't have a valid session, go get one */
1164 CK_SESSION_HANDLE session;
1165
1166 /* session should be Readonly, serial */
1167 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1168 crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
1169 (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
1170 slot,pk11_notify,&session);
1171 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1172 if (crv != CKR_OK) {
1173 PORT_SetError(PK11_MapError(crv));
1174 return SECFailure;
1175 }
1176 slot->session = session;
1177 } else {
1178 /* The session we have may be defunct (the token associated with it)
1179 * has been removed */
1180 CK_SESSION_INFO sessionInfo;
1181
1182 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1183 crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
1184 if (crv == CKR_DEVICE_ERROR) {
1185 PK11_GETTAB(slot)->C_CloseSession(slot->session);
1186 crv = CKR_SESSION_CLOSED;
1187 }
1188 if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
1189 crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
1190 (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
1191 slot,pk11_notify,&slot->session);
1192 if (crv != CKR_OK) {
1193 PORT_SetError(PK11_MapError(crv));
1194 slot->session = CK_INVALID_SESSION;
1195 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1196 return SECFailure;
1197 }
1198 }
1199 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1200 }
1201
1202 status = nssToken_Refresh(slot->nssToken);
1203 if (status != PR_SUCCESS)
1204 return SECFailure;
1205
1206 if (!(slot->isInternal) && (slot->hasRandom)) {
1207 /* if this slot has a random number generater, use it to add entropy
1208 * to the internal slot. */
1209 PK11SlotInfo *int_slot = PK11_GetInternalSlot();
1210
1211 if (int_slot) {
1212 unsigned char random_bytes[32];
1213
1214 /* if this slot can issue random numbers, get some entropy from
1215 * that random number generater and give it to our internal token.
1216 */
1217 PK11_EnterSlotMonitor(slot);
1218 crv = PK11_GETTAB(slot)->C_GenerateRandom
1219 (slot->session,random_bytes, sizeof(random_bytes));
1220 PK11_ExitSlotMonitor(slot);
1221 if (crv == CKR_OK) {
1222 PK11_EnterSlotMonitor(int_slot);
1223 PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
1224 random_bytes, sizeof(random_bytes));
1225 PK11_ExitSlotMonitor(int_slot);
1226 }
1227
1228 /* Now return the favor and send entropy to the token's random
1229 * number generater */
1230 PK11_EnterSlotMonitor(int_slot);
1231 crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
1232 random_bytes, sizeof(random_bytes));
1233 PK11_ExitSlotMonitor(int_slot);
1234 if (crv == CKR_OK) {
1235 PK11_EnterSlotMonitor(slot);
1236 crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,
1237 random_bytes, sizeof(random_bytes));
1238 PK11_ExitSlotMonitor(slot);
1239 }
1240 PK11_FreeSlot(int_slot);
1241 }
1242 }
1243 /* work around a problem in softoken where it incorrectly
1244 * reports databases opened read only as read/write. */
1245 if (slot->isInternal && !slot->readOnly) {
1246 CK_SESSION_HANDLE session = CK_INVALID_SESSION;
1247
1248 /* try to open a R/W session */
1249 crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
1250 CKF_RW_SESSION|CKF_SERIAL_SESSION, slot, pk11_notify ,&session);
1251 /* what a well behaved token should return if you open
1252 * a RW session on a read only token */
1253 if (crv == CKR_TOKEN_WRITE_PROTECTED) {
1254 slot->readOnly = PR_TRUE;
1255 } else if (crv == CKR_OK) {
1256 CK_SESSION_INFO sessionInfo;
1257
1258 /* Because of a second bug in softoken, which silently returns
1259 * a RO session, we need to check what type of session we got. */
1260 crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo);
1261 if (crv == CKR_OK) {
1262 if ((sessionInfo.flags & CKF_RW_SESSION) == 0) {
1263 /* session was readonly, so this softoken slot must be * readonly */
1264 slot->readOnly = PR_TRUE;
1265 }
1266 }
1267 PK11_GETTAB(slot)->C_CloseSession(session);
1268 }
1269 }
1270
1271 return SECSuccess;
1272 }
1273
1274 /*
1275 * initialize a new token
1276 * unlike initialize slot, this can be called multiple times in the lifetime
1277 * of NSS. It reads the information associated with a card or token,
1278 * that is not going to change unless the card or token changes.
1279 */
1280 SECStatus
1281 PK11_TokenRefresh(PK11SlotInfo *slot)
1282 {
1283 CK_TOKEN_INFO tokenInfo;
1284 CK_RV crv;
1285
1286 /* set the slot flags to the current token values */
1287 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1288 crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
1289 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1290 if (crv != CKR_OK) {
1291 PORT_SetError(PK11_MapError(crv));
1292 return SECFailure;
1293 }
1294
1295 slot->flags = tokenInfo.flags;
1296 slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ?
1297 PR_TRUE : PR_FALSE);
1298 slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ?
1299 PR_TRUE : PR_FALSE);
1300 slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
1301 slot->protectedAuthPath =
1302 ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
1303 ? PR_TRUE : PR_FALSE);
1304 /* on some platforms Active Card incorrectly sets the
1305 * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
1306 if (slot->isActiveCard) {
1307 slot->protectedAuthPath = PR_FALSE;
1308 }
1309 return SECSuccess;
1310 }
1311
1312 static PRBool
1313 pk11_isRootSlot(PK11SlotInfo *slot)
1314 {
1315 CK_ATTRIBUTE findTemp[1];
1316 CK_ATTRIBUTE *attrs;
1317 CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
1318 int tsize;
1319 CK_OBJECT_HANDLE handle;
1320
1321 attrs = findTemp;
1322 PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++;
1323 tsize = attrs - findTemp;
1324 PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
1325
1326 handle = pk11_FindObjectByTemplate(slot,findTemp,tsize);
1327 if (handle == CK_INVALID_HANDLE) {
1328 return PR_FALSE;
1329 }
1330 return PR_TRUE;
1331 }
1332
1333 /*
1334 * Initialize the slot :
1335 * This initialization code is called on each slot a module supports when
1336 * it is loaded. It does the bringup initialization. The difference between
1337 * this and InitToken is Init slot does those one time initialization stuff,
1338 * usually associated with the reader, while InitToken may get called multiple
1339 * times as tokens are removed and re-inserted.
1340 */
1341 void
1342 PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
1343 {
1344 SECStatus rv;
1345 char *tmp;
1346 CK_SLOT_INFO slotInfo;
1347
1348 slot->functionList = mod->functionList;
1349 slot->isInternal = mod->internal;
1350 slot->slotID = slotID;
1351 slot->isThreadSafe = mod->isThreadSafe;
1352 slot->hasRSAInfo = PR_FALSE;
1353
1354 if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
1355 slot->disabled = PR_TRUE;
1356 slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
1357 return;
1358 }
1359
1360 /* test to make sure claimed mechanism work */
1361 slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
1362 slot->module = mod; /* NOTE: we don't make a reference here because
1363 * modules have references to their slots. This
1364 * works because modules keep implicit references
1365 * from their slots, and won't unload and disappear
1366 * until all their slots have been freed */
1367 tmp = PK11_MakeString(NULL,slot->slot_name,
1368 (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
1369 slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
1370 #define ACTIVE_CARD "ActivCard SA"
1371 slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
1372 ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0);
1373 if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
1374 slot->isPerm = PR_TRUE;
1375 /* permanment slots must have the token present always */
1376 if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
1377 slot->disabled = PR_TRUE;
1378 slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
1379 return; /* nothing else to do */
1380 }
1381 }
1382 /* if the token is present, initialize it */
1383 if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
1384 rv = PK11_InitToken(slot,PR_TRUE);
1385 /* the only hard failures are on permanent devices, or function
1386 * verify failures... function verify failures are already handled
1387 * by tokenInit */
1388 if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
1389 slot->disabled = PR_TRUE;
1390 slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
1391 }
1392 if (rv == SECSuccess && pk11_isRootSlot(slot)) {
1393 if (!slot->hasRootCerts) {
1394 slot->module->trustOrder = 100;
1395 }
1396 slot->hasRootCerts= PR_TRUE;
1397 }
1398 }
1399 }
1400
1401
1402
1403 /*********************************************************************
1404 * Slot mapping utility functions.
1405 *********************************************************************/
1406
1407 /*
1408 * determine if the token is present. If the token is present, make sure
1409 * we have a valid session handle. Also set the value of needLogin
1410 * appropriately.
1411 */
1412 static PRBool
1413 pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
1414 {
1415 CK_SLOT_INFO slotInfo;
1416 CK_SESSION_INFO sessionInfo;
1417 CK_RV crv;
1418
1419 /* disabled slots are never present */
1420 if (slot->disabled) {
1421 return PR_FALSE;
1422 }
1423
1424 /* permanent slots are always present */
1425 if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
1426 return PR_TRUE;
1427 }
1428
1429 if (slot->nssToken) {
1430 return nssToken_IsPresent(slot->nssToken);
1431 }
1432
1433 /* removable slots have a flag that says they are present */
1434 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1435 if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
1436 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1437 return PR_FALSE;
1438 }
1439 if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
1440 /* if the slot is no longer present, close the session */
1441 if (slot->session != CK_INVALID_SESSION) {
1442 PK11_GETTAB(slot)->C_CloseSession(slot->session);
1443 slot->session = CK_INVALID_SESSION;
1444 }
1445 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1446 return PR_FALSE;
1447 }
1448
1449 /* use the session Info to determine if the card has been removed and then
1450 * re-inserted */
1451 if (slot->session != CK_INVALID_SESSION) {
1452 if (slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1453 crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
1454 if (crv != CKR_OK) {
1455 PK11_GETTAB(slot)->C_CloseSession(slot->session);
1456 slot->session = CK_INVALID_SESSION;
1457 }
1458 if (slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1459 }
1460 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1461
1462 /* card has not been removed, current token info is correct */
1463 if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
1464
1465 /* initialize the token info state */
1466 if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
1467 return PR_FALSE;
1468 }
1469
1470 return PR_TRUE;
1471 }
1472
1473 /*
1474 * old version of the routine
1475 */
1476 PRBool
1477 PK11_IsPresent(PK11SlotInfo *slot) {
1478 return pk11_IsPresentCertLoad(slot,PR_TRUE);
1479 }
1480
1481 /* is the slot disabled? */
1482 PRBool
1483 PK11_IsDisabled(PK11SlotInfo *slot)
1484 {
1485 return slot->disabled;
1486 }
1487
1488 /* and why? */
1489 PK11DisableReasons
1490 PK11_GetDisabledReason(PK11SlotInfo *slot)
1491 {
1492 return slot->reason;
1493 }
1494
1495 /* returns PR_TRUE if successfully disable the slot */
1496 /* returns PR_FALSE otherwise */
1497 PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
1498
1499 slot->defaultFlags |= PK11_DISABLE_FLAG;
1500 slot->disabled = PR_TRUE;
1501 slot->reason = PK11_DIS_USER_SELECTED;
1502
1503 return PR_TRUE;
1504 }
1505
1506 PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
1507
1508 slot->defaultFlags &= ~PK11_DISABLE_FLAG;
1509 slot->disabled = PR_FALSE;
1510 slot->reason = PK11_DIS_NONE;
1511 return PR_TRUE;
1512 }
1513
1514 PRBool PK11_HasRootCerts(PK11SlotInfo *slot) {
1515 return slot->hasRootCerts;
1516 }
1517
1518 /* Get the module this slot is attached to */
1519 SECMODModule *
1520 PK11_GetModule(PK11SlotInfo *slot)
1521 {
1522 return slot->module;
1523 }
1524
1525 /* return the default flags of a slot */
1526 unsigned long
1527 PK11_GetDefaultFlags(PK11SlotInfo *slot)
1528 {
1529 return slot->defaultFlags;
1530 }
1531
1532 /*
1533 * The following wrapper functions allow us to export an opaque slot
1534 * function to the rest of libsec and the world... */
1535 PRBool
1536 PK11_IsReadOnly(PK11SlotInfo *slot)
1537 {
1538 return slot->readOnly;
1539 }
1540
1541 PRBool
1542 PK11_IsHW(PK11SlotInfo *slot)
1543 {
1544 return slot->isHW;
1545 }
1546
1547 PRBool
1548 PK11_IsRemovable(PK11SlotInfo *slot)
1549 {
1550 return !slot->isPerm;
1551 }
1552
1553 PRBool
1554 PK11_IsInternal(PK11SlotInfo *slot)
1555 {
1556 return slot->isInternal;
1557 }
1558
1559 PRBool
1560 PK11_IsInternalKeySlot(PK11SlotInfo *slot)
1561 {
1562 PK11SlotInfo *int_slot;
1563 PRBool result;
1564
1565 if (!slot->isInternal) {
1566 return PR_FALSE;
1567 }
1568
1569 int_slot = PK11_GetInternalKeySlot();
1570 result = (int_slot == slot) ? PR_TRUE : PR_FALSE;
1571 PK11_FreeSlot(int_slot);
1572 return result;
1573 }
1574
1575 PRBool
1576 PK11_NeedLogin(PK11SlotInfo *slot)
1577 {
1578 return slot->needLogin;
1579 }
1580
1581 PRBool
1582 PK11_IsFriendly(PK11SlotInfo *slot)
1583 {
1584 /* internal slot always has public readable certs */
1585 return (PRBool)(slot->isInternal ||
1586 ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) ==
1587 SECMOD_FRIENDLY_FLAG));
1588 }
1589
1590 char *
1591 PK11_GetTokenName(PK11SlotInfo *slot)
1592 {
1593 return slot->token_name;
1594 }
1595
1596 char *
1597 PK11_GetSlotName(PK11SlotInfo *slot)
1598 {
1599 return slot->slot_name;
1600 }
1601
1602 int
1603 PK11_GetSlotSeries(PK11SlotInfo *slot)
1604 {
1605 return slot->series;
1606 }
1607
1608 int
1609 PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
1610 {
1611 return slot->wrapKey;
1612 }
1613
1614 CK_SLOT_ID
1615 PK11_GetSlotID(PK11SlotInfo *slot)
1616 {
1617 return slot->slotID;
1618 }
1619
1620 SECMODModuleID
1621 PK11_GetModuleID(PK11SlotInfo *slot)
1622 {
1623 return slot->module->moduleID;
1624 }
1625
1626 static void
1627 pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
1628 {
1629 CK_CHAR *walk = buffer;
1630 CK_CHAR *end = buffer + buffer_size;
1631
1632 /* find the NULL */
1633 while (walk < end && *walk != '\0') {
1634 walk++;
1635 }
1636
1637 /* clear out the buffer */
1638 while (walk < end) {
1639 *walk++ = ' ';
1640 }
1641 }
1642
1643 /* return the slot info structure */
1644 SECStatus
1645 PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
1646 {
1647 CK_RV crv;
1648
1649 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1650 /*
1651 * some buggy drivers do not fill the buffer completely,
1652 * erase the buffer first
1653 */
1654 PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription));
1655 PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
1656 crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
1657 pk11_zeroTerminatedToBlankPadded(info->slotDescription,
1658 sizeof(info->slotDescription));
1659 pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
1660 sizeof(info->manufacturerID));
1661 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1662 if (crv != CKR_OK) {
1663 PORT_SetError(PK11_MapError(crv));
1664 return SECFailure;
1665 }
1666 return SECSuccess;
1667 }
1668
1669 /* return the token info structure */
1670 SECStatus
1671 PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
1672 {
1673 CK_RV crv;
1674 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1675 /*
1676 * some buggy drivers do not fill the buffer completely,
1677 * erase the buffer first
1678 */
1679 PORT_Memset(info->label,' ',sizeof(info->label));
1680 PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
1681 PORT_Memset(info->model,' ',sizeof(info->model));
1682 PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber));
1683 crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
1684 pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label));
1685 pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
1686 sizeof(info->manufacturerID));
1687 pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model));
1688 pk11_zeroTerminatedToBlankPadded(info->serialNumber,
1689 sizeof(info->serialNumber));
1690 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1691 if (crv != CKR_OK) {
1692 PORT_SetError(PK11_MapError(crv));
1693 return SECFailure;
1694 }
1695 return SECSuccess;
1696 }
1697
1698 /* Find out if we need to initialize the user's pin */
1699 PRBool
1700 PK11_NeedUserInit(PK11SlotInfo *slot)
1701 {
1702 PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED)
1703 == 0);
1704
1705 if (needUserInit) {
1706 CK_TOKEN_INFO info;
1707 SECStatus rv;
1708
1709 /* see if token has been initialized off line */
1710 rv = PK11_GetTokenInfo(slot, &info);
1711 if (rv == SECSuccess) {
1712 slot->flags = info.flags;
1713 }
1714 }
1715 return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
1716 }
1717
1718 static PK11SlotInfo *pk11InternalKeySlot = NULL;
1719
1720 /*
1721 * Set a new default internal keyslot. If one has already been set, clear it.
1722 * Passing NULL falls back to the NSS normally selected default internal key
1723 * slot.
1724 */
1725 void
1726 pk11_SetInternalKeySlot(PK11SlotInfo *slot)
1727 {
1728 if (pk11InternalKeySlot) {
1729 PK11_FreeSlot(pk11InternalKeySlot);
1730 }
1731 pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
1732 }
1733
1734 /*
1735 * Set a new default internal keyslot if the normal key slot has not already
1736 * been overridden. Subsequent calls to this function will be ignored unless
1737 * pk11_SetInternalKeySlot is used to clear the current default.
1738 */
1739 void
1740 pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
1741 {
1742 if (pk11InternalKeySlot) {
1743 return;
1744 }
1745 pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
1746 }
1747
1748 /*
1749 * Swap out a default internal keyslot. Caller owns the Slot Reference
1750 */
1751 PK11SlotInfo *
1752 pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
1753 {
1754 PK11SlotInfo *swap = pk11InternalKeySlot;
1755
1756 pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
1757 return swap;
1758 }
1759
1760
1761 /* get the internal key slot. FIPS has only one slot for both key slots and
1762 * default slots */
1763 PK11SlotInfo *
1764 PK11_GetInternalKeySlot(void)
1765 {
1766 SECMODModule *mod;
1767
1768 if (pk11InternalKeySlot) {
1769 return PK11_ReferenceSlot(pk11InternalKeySlot);
1770 }
1771
1772 mod = SECMOD_GetInternalModule();
1773 PORT_Assert(mod != NULL);
1774 if (!mod) {
1775 PORT_SetError( SEC_ERROR_NO_MODULE );
1776 return NULL;
1777 }
1778 return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
1779 }
1780
1781 /* get the internal default slot */
1782 PK11SlotInfo *
1783 PK11_GetInternalSlot(void)
1784 {
1785 SECMODModule * mod = SECMOD_GetInternalModule();
1786 PORT_Assert(mod != NULL);
1787 if (!mod) {
1788 PORT_SetError( SEC_ERROR_NO_MODULE );
1789 return NULL;
1790 }
1791 if (mod->isFIPS) {
1792 return PK11_GetInternalKeySlot();
1793 }
1794 return PK11_ReferenceSlot(mod->slots[0]);
1795 }
1796
1797 /*
1798 * check if a given slot supports the requested mechanism
1799 */
1800 PRBool
1801 PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
1802 {
1803 int i;
1804
1805 /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
1806 * tell us we're looking form someone that has implemented get
1807 * random bits */
1808 if (type == CKM_FAKE_RANDOM) {
1809 return slot->hasRandom;
1810 }
1811
1812 /* for most mechanism, bypass the linear lookup */
1813 if (type < 0x7ff) {
1814 return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ?
1815 PR_TRUE : PR_FALSE;
1816 }
1817
1818 for (i=0; i < (int) slot->mechanismCount; i++) {
1819 if (slot->mechanismList[i] == type) return PR_TRUE;
1820 }
1821 return PR_FALSE;
1822 }
1823
1824 /*
1825 * Return true if a token that can do the desired mechanism exists.
1826 * This allows us to have hardware tokens that can do function XYZ magically
1827 * allow SSL Ciphers to appear if they are plugged in.
1828 */
1829 PRBool
1830 PK11_TokenExists(CK_MECHANISM_TYPE type)
1831 {
1832 SECMODModuleList *mlp;
1833 SECMODModuleList *modules;
1834 SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
1835 PK11SlotInfo *slot;
1836 PRBool found = PR_FALSE;
1837 int i;
1838
1839 if (!moduleLock) {
1840 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1841 return found;
1842 }
1843 /* we only need to know if there is a token that does this mechanism.
1844 * check the internal module first because it's fast, and supports
1845 * almost everything. */
1846 slot = PK11_GetInternalSlot();
1847 if (slot) {
1848 found = PK11_DoesMechanism(slot,type);
1849 PK11_FreeSlot(slot);
1850 }
1851 if (found) return PR_TRUE; /* bypass getting module locks */
1852
1853 SECMOD_GetReadLock(moduleLock);
1854 modules = SECMOD_GetDefaultModuleList();
1855 for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
1856 for (i=0; i < mlp->module->slotCount; i++) {
1857 slot = mlp->module->slots[i];
1858 if (PK11_IsPresent(slot)) {
1859 if (PK11_DoesMechanism(slot,type)) {
1860 found = PR_TRUE;
1861 break;
1862 }
1863 }
1864 }
1865 }
1866 SECMOD_ReleaseReadLock(moduleLock);
1867 return found;
1868 }
1869
1870 /*
1871 * get all the currently available tokens in a list.
1872 * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
1873 * get all the tokens. Make sure tokens that need authentication are put at
1874 * the end of this list.
1875 */
1876 PK11SlotList *
1877 PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts,
1878 void *wincx)
1879 {
1880 PK11SlotList * list;
1881 PK11SlotList * loginList;
1882 PK11SlotList * friendlyList;
1883 SECMODModuleList * mlp;
1884 SECMODModuleList * modules;
1885 SECMODListLock * moduleLock;
1886 int i;
1887 #if defined( XP_WIN32 )
1888 int j = 0;
1889 PRInt32 waste[16];
1890 #endif
1891
1892 moduleLock = SECMOD_GetDefaultModuleListLock();
1893 if (!moduleLock) {
1894 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1895 return NULL;
1896 }
1897
1898 list = PK11_NewSlotList();
1899 loginList = PK11_NewSlotList();
1900 friendlyList = PK11_NewSlotList();
1901 if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) {
1902 if (list) PK11_FreeSlotList(list);
1903 if (loginList) PK11_FreeSlotList(loginList);
1904 if (friendlyList) PK11_FreeSlotList(friendlyList);
1905 return NULL;
1906 }
1907
1908 SECMOD_GetReadLock(moduleLock);
1909
1910 modules = SECMOD_GetDefaultModuleList();
1911 for(mlp = modules; mlp != NULL; mlp = mlp->next) {
1912
1913 #if defined( XP_WIN32 )
1914 /* This is works around some horrible cache/page thrashing problems
1915 ** on Win32. Without this, this loop can take up to 6 seconds at
1916 ** 100% CPU on a Pentium-Pro 200. The thing this changes is to
1917 ** increase the size of the stack frame and modify it.
1918 ** Moving the loop code itself seems to have no effect.
1919 ** Dunno why this combination makes a difference, but it does.
1920 */
1921 waste[ j & 0xf] = j++;
1922 #endif
1923
1924 for (i = 0; i < mlp->module->slotCount; i++) {
1925 PK11SlotInfo *slot = mlp->module->slots[i];
1926
1927 if (pk11_IsPresentCertLoad(slot, loadCerts)) {
1928 if (needRW && slot->readOnly) continue;
1929 if ((type == CKM_INVALID_MECHANISM)
1930 || PK11_DoesMechanism(slot, type)) {
1931 if (pk11_LoginStillRequired(slot,wincx)) {
1932 if (PK11_IsFriendly(slot)) {
1933 PK11_AddSlotToList(friendlyList, slot, PR_TRUE);
1934 } else {
1935 PK11_AddSlotToList(loginList, slot, PR_TRUE);
1936 }
1937 } else {
1938 PK11_AddSlotToList(list, slot, PR_TRUE);
1939 }
1940 }
1941 }
1942 }
1943 }
1944 SECMOD_ReleaseReadLock(moduleLock);
1945
1946 pk11_MoveListToList(list,friendlyList);
1947 PK11_FreeSlotList(friendlyList);
1948 pk11_MoveListToList(list,loginList);
1949 PK11_FreeSlotList(loginList);
1950
1951 return list;
1952 }
1953
1954 /*
1955 * NOTE: This routine is working from a private List generated by
1956 * PK11_GetAllTokens. That is why it does not need to lock.
1957 */
1958 PK11SlotList *
1959 PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
1960 {
1961 PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
1962 PK11SlotListElement *le, *next ;
1963 SECStatus rv;
1964
1965 if (list == NULL) return list;
1966
1967 for (le = list->head ; le; le = next) {
1968 next = le->next; /* save the pointer here in case we have to
1969 * free the element later */
1970 rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
1971 if (rv != SECSuccess) {
1972 PK11_DeleteSlotFromList(list,le);
1973 continue;
1974 }
1975 }
1976 return list;
1977 }
1978
1979 /*
1980 * returns true if the slot doesn't conform to the requested attributes
1981 */
1982 PRBool
1983 pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism,
1984 CK_FLAGS mechanismInfoFlags, unsigned int keySize)
1985 {
1986 CK_MECHANISM_INFO mechanism_info;
1987 CK_RV crv = CKR_OK;
1988
1989 /* handle the only case where we don't actually fetch the mechanisms
1990 * on the fly */
1991 if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
1992 mechanism_info.flags = slot->RSAInfoFlags;
1993 } else {
1994 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
1995 crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism,
1996 &mechanism_info);
1997 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
1998 /* if we were getting the RSA flags, save them */
1999 if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS)
2000 && (!slot->hasRSAInfo)) {
2001 slot->RSAInfoFlags = mechanism_info.flags;
2002 slot->hasRSAInfo = PR_TRUE;
2003 }
2004 }
2005 /* couldn't get the mechanism info */
2006 if (crv != CKR_OK ) {
2007 return PR_TRUE;
2008 }
2009 if (keySize && ((mechanism_info.ulMinKeySize > keySize)
2010 || (mechanism_info.ulMaxKeySize < keySize)) ) {
2011 /* Token can do mechanism, but not at the key size we
2012 * want */
2013 return PR_TRUE;
2014 }
2015 if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) !=
2016 mechanismInfoFlags) ) {
2017 return PR_TRUE;
2018 }
2019 return PR_FALSE;
2020 }
2021
2022
2023 /*
2024 * Find the best slot which supports the given set of mechanisms and key sizes.
2025 * In normal cases this should grab the first slot on the list with no fuss.
2026 * The size array is presumed to match one for one with the mechanism type
2027 * array, which allows you to specify the required key size for each
2028 * mechanism in the list. Whether key size is in bits or bytes is mechanism
2029 * dependent. Typically asymetric keys are in bits and symetric keys are in
2030 * bytes.
2031 */
2032 PK11SlotInfo *
2033 PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
2034 CK_FLAGS *mechanismInfoFlags, unsigned int *keySize,
2035 unsigned int mech_count, void *wincx)
2036 {
2037 PK11SlotList *list = NULL;
2038 PK11SlotListElement *le ;
2039 PK11SlotInfo *slot = NULL;
2040 PRBool freeit = PR_FALSE;
2041 PRBool listNeedLogin = PR_FALSE;
2042 int i;
2043 SECStatus rv;
2044
2045 list = PK11_GetSlotList(type[0]);
2046
2047 if ((list == NULL) || (list->head == NULL)) {
2048 /* We need to look up all the tokens for the mechanism */
2049 list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
2050 freeit = PR_TRUE;
2051 }
2052
2053 /* no one can do it! */
2054 if (list == NULL) {
2055 PORT_SetError(SEC_ERROR_NO_TOKEN);
2056 return NULL;
2057 }
2058
2059 PORT_SetError(0);
2060
2061
2062 listNeedLogin = PR_FALSE;
2063 for (i=0; i < mech_count; i++) {
2064 if ((type[i] != CKM_FAKE_RANDOM) &&
2065 (type[i] != CKM_SHA_1) &&
2066 (type[i] != CKM_SHA224) &&
2067 (type[i] != CKM_SHA256) &&
2068 (type[i] != CKM_SHA384) &&
2069 (type[i] != CKM_SHA512) &&
2070 (type[i] != CKM_MD5) &&
2071 (type[i] != CKM_MD2)) {
2072 listNeedLogin = PR_TRUE;
2073 break;
2074 }
2075 }
2076
2077 for (le = PK11_GetFirstSafe(list); le;
2078 le = PK11_GetNextSafe(list,le,PR_TRUE)) {
2079 if (PK11_IsPresent(le->slot)) {
2080 PRBool doExit = PR_FALSE;
2081 for (i=0; i < mech_count; i++) {
2082 if (!PK11_DoesMechanism(le->slot,type[i])) {
2083 doExit = PR_TRUE;
2084 break;
2085 }
2086 if ((mechanismInfoFlags && mechanismInfoFlags[i]) ||
2087 (keySize && keySize[i])) {
2088 if (pk11_filterSlot(le->slot, type[i],
2089 mechanismInfoFlags ? mechanismInfoFlags[i] : 0,
2090 keySize ? keySize[i] : 0)) {
2091 doExit = PR_TRUE;
2092 break;
2093 }
2094 }
2095 }
2096
2097 if (doExit) continue;
2098
2099 if (listNeedLogin && le->slot->needLogin) {
2100 rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
2101 if (rv != SECSuccess) continue;
2102 }
2103 slot = le->slot;
2104 PK11_ReferenceSlot(slot);
2105 PK11_FreeSlotListElement(list,le);
2106 if (freeit) { PK11_FreeSlotList(list); }
2107 return slot;
2108 }
2109 }
2110 if (freeit) { PK11_FreeSlotList(list); }
2111 if (PORT_GetError() == 0) {
2112 PORT_SetError(SEC_ERROR_NO_TOKEN);
2113 }
2114 return NULL;
2115 }
2116
2117 PK11SlotInfo *
2118 PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type,
2119 unsigned int mech_count, void *wincx)
2120 {
2121 return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL,
2122 mech_count, wincx);
2123 }
2124
2125 /* original get best slot now calls the multiple version with only one type */
2126 PK11SlotInfo *
2127 PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
2128 {
2129 return PK11_GetBestSlotMultipleWithAttributes(&type, NULL, NULL, 1, wincx);
2130 }
2131
2132 PK11SlotInfo *
2133 PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags,
2134 unsigned int keySize, void *wincx)
2135 {
2136 return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags,
2137 &keySize, 1, wincx);
2138 }
2139
2140 int
2141 PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
2142 {
2143 CK_MECHANISM_INFO mechanism_info;
2144 CK_RV crv;
2145
2146 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
2147 crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
2148 mechanism,&mechanism_info);
2149 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
2150 if (crv != CKR_OK) return 0;
2151
2152 if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize)
2153 return 0;
2154 return mechanism_info.ulMaxKeySize;
2155 }
2156
2157
2158 /*
2159 * This function uses the existing PKCS #11 module to find the
2160 * longest supported key length in the preferred token for a mechanism.
2161 * This varies from the above function in that 1) it returns the key length
2162 * even for fixed key algorithms, and 2) it looks through the tokens
2163 * generally rather than for a specific token. This is used in liu of
2164 * a PK11_GetKeyLength function in pk11mech.c since we can actually read
2165 * supported key lengths from PKCS #11.
2166 *
2167 * For symmetric key operations the length is returned in bytes.
2168 */
2169 int
2170 PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
2171 {
2172 CK_MECHANISM_INFO mechanism_info;
2173 PK11SlotList *list = NULL;
2174 PK11SlotListElement *le ;
2175 PRBool freeit = PR_FALSE;
2176 int keyLength = 0;
2177
2178 list = PK11_GetSlotList(mechanism);
2179
2180 if ((list == NULL) || (list->head == NULL)) {
2181 /* We need to look up all the tokens for the mechanism */
2182 list = PK11_GetAllTokens(mechanism,PR_FALSE,PR_FALSE,NULL);
2183 freeit = PR_TRUE;
2184 }
2185
2186 /* no tokens recognize this mechanism */
2187 if (list == NULL) {
2188 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
2189 return 0;
2190 }
2191
2192 for (le = PK11_GetFirstSafe(list); le;
2193 le = PK11_GetNextSafe(list,le,PR_TRUE)) {
2194 PK11SlotInfo *slot = le->slot;
2195 CK_RV crv;
2196 if (PK11_IsPresent(slot)) {
2197 if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
2198 crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
2199 mechanism,&mechanism_info);
2200 if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
2201 if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0)
2202 && (mechanism_info.ulMaxKeySize != 0xffffffff)) {
2203 keyLength = mechanism_info.ulMaxKeySize;
2204 break;
2205 }
2206 }
2207 }
2208 if (le)
2209 PK11_FreeSlotListElement(list, le);
2210 if (freeit)
2211 PK11_FreeSlotList(list);
2212 return keyLength;
2213 }
2214
2215 SECStatus
2216 PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
2217 CK_RV crv;
2218
2219 PK11_EnterSlotMonitor(slot);
2220 crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len);
2221 PK11_ExitSlotMonitor(slot);
2222 if (crv != CKR_OK) {
2223 PORT_SetError(PK11_MapError(crv));
2224 return SECFailure;
2225 }
2226 return SECSuccess;
2227 }
2228
2229
2230 SECStatus
2231 PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) {
2232 CK_RV crv;
2233
2234 if (!slot->isInternal) PK11_EnterSlotMonitor(slot);
2235 crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data,
2236 (CK_ULONG)len);
2237 if (!slot->isInternal) PK11_ExitSlotMonitor(slot);
2238 if (crv != CKR_OK) {
2239 PORT_SetError(PK11_MapError(crv));
2240 return SECFailure;
2241 }
2242 return SECSuccess;
2243 }
2244
2245 /* Attempts to update the Best Slot for "FAKE RANDOM" generation.
2246 ** If that's not the internal slot, then it also attempts to update the
2247 ** internal slot.
2248 ** The return value indicates if the INTERNAL slot was updated OK.
2249 */
2250 SECStatus
2251 PK11_RandomUpdate(void *data, size_t bytes)
2252 {
2253 PK11SlotInfo *slot;
2254 PRBool bestIsInternal;
2255 SECStatus status;
2256
2257 slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
2258 if (slot == NULL) {
2259 slot = PK11_GetInternalSlot();
2260 if (!slot)
2261 return SECFailure;
2262 }
2263
2264 bestIsInternal = PK11_IsInternal(slot);
2265 status = PK11_SeedRandom(slot, data, bytes);
2266 PK11_FreeSlot(slot);
2267
2268 if (!bestIsInternal) {
2269 /* do internal slot, too. */
2270 slot = PK11_GetInternalSlot(); /* can't fail */
2271 status = PK11_SeedRandom(slot, data, bytes);
2272 PK11_FreeSlot(slot);
2273 }
2274 return status;
2275 }
2276
2277
2278 SECStatus
2279 PK11_GenerateRandom(unsigned char *data,int len) {
2280 PK11SlotInfo *slot;
2281 SECStatus rv;
2282
2283 slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
2284 if (slot == NULL) return SECFailure;
2285
2286 rv = PK11_GenerateRandomOnSlot(slot, data, len);
2287 PK11_FreeSlot(slot);
2288 return rv;
2289 }
2290
2291 /*
2292 * Reset the token to it's initial state. For the internal module, this will
2293 * Purge your keydb, and reset your cert db certs to USER_INIT.
2294 */
2295 SECStatus
2296 PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
2297 {
2298 unsigned char tokenName[32];
2299 int tokenNameLen;
2300 CK_RV crv;
2301
2302 /* reconstruct the token name */
2303 tokenNameLen = PORT_Strlen(slot->token_name);
2304 if (tokenNameLen > sizeof(tokenName)) {
2305 tokenNameLen = sizeof(tokenName);
2306 }
2307
2308 PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
2309 if (tokenNameLen < sizeof(tokenName)) {
2310 PORT_Memset(&tokenName[tokenNameLen],' ',
2311 sizeof(tokenName)-tokenNameLen);
2312 }
2313
2314 /* initialize the token */
2315 PK11_EnterSlotMonitor(slot);
2316
2317 /* first shutdown the token. Existing sessions will get closed here */
2318 PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
2319 slot->session = CK_INVALID_SESSION;
2320
2321 /* now re-init the token */
2322 crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
2323 (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
2324
2325 /* finally bring the token back up */
2326 PK11_InitToken(slot,PR_TRUE);
2327 PK11_ExitSlotMonitor(slot);
2328 if (crv != CKR_OK) {
2329 PORT_SetError(PK11_MapError(crv));
2330 return SECFailure;
2331 }
2332 nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
2333 slot->nssToken);
2334 return SECSuccess;
2335 }
2336 void
2337 PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst)
2338 {
2339 sl->nssToken = nsst;
2340 }
2341
2342 NSSToken *
2343 PK11Slot_GetNSSToken(PK11SlotInfo *sl)
2344 {
2345 return sl->nssToken;
2346 }
2347
2348 /*
2349 * wait for a token to change it's state. The application passes in the expected
2350 * new state in event.
2351 */
2352 PK11TokenStatus
2353 PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
2354 PRIntervalTime timeout, PRIntervalTime latency, int series)
2355 {
2356 PRIntervalTime first_time = 0;
2357 PRBool first_time_set = PR_FALSE;
2358 PRBool waitForRemoval;
2359
2360 if (slot->isPerm) {
2361 return PK11TokenNotRemovable;
2362 }
2363 if (latency == 0) {
2364 latency = PR_SecondsToInterval(5);
2365 }
2366 waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent);
2367
2368 if (series == 0) {
2369 series = PK11_GetSlotSeries(slot);
2370 }
2371 while (PK11_IsPresent(slot) == waitForRemoval ) {
2372 PRIntervalTime interval;
2373
2374 if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
2375 return PK11TokenChanged;
2376 }
2377 if (timeout == PR_INTERVAL_NO_WAIT) {
2378 return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
2379 }
2380 if (timeout != PR_INTERVAL_NO_TIMEOUT ) {
2381 interval = PR_IntervalNow();
2382 if (!first_time_set) {
2383 first_time = interval;
2384 first_time_set = PR_TRUE;
2385 }
2386 if ((interval-first_time) > timeout) {
2387 return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
2388 }
2389 }
2390 PR_Sleep(latency);
2391 }
2392 return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
2393 }
OLDNEW
« no previous file with comments | « mozilla/security/nss/lib/pk11wrap/pk11skey.c ('k') | mozilla/security/nss/lib/pk11wrap/pk11util.c » ('j') | no next file with comments »

Powered by Google App Engine