| Index: nss/lib/pk11wrap/pk11pars.c
|
| diff --git a/nss/lib/pk11wrap/pk11pars.c b/nss/lib/pk11wrap/pk11pars.c
|
| deleted file mode 100644
|
| index 8dd07e7e5e41785a9281d302b2981ec240729f5b..0000000000000000000000000000000000000000
|
| --- a/nss/lib/pk11wrap/pk11pars.c
|
| +++ /dev/null
|
| @@ -1,1661 +0,0 @@
|
| -/* This Source Code Form is subject to the terms of the Mozilla Public
|
| - * License, v. 2.0. If a copy of the MPL was not distributed with this
|
| - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
| -/*
|
| - * The following handles the loading, unloading and management of
|
| - * various PCKS #11 modules
|
| - */
|
| -
|
| -#include <ctype.h>
|
| -#include <assert.h>
|
| -#include "pkcs11.h"
|
| -#include "seccomon.h"
|
| -#include "secmod.h"
|
| -#include "secmodi.h"
|
| -#include "secmodti.h"
|
| -#include "pki3hack.h"
|
| -#include "secerr.h"
|
| -#include "nss.h"
|
| -#include "utilpars.h"
|
| -
|
| -/* create a new module */
|
| -static SECMODModule *
|
| -secmod_NewModule(void)
|
| -{
|
| - SECMODModule *newMod;
|
| - PLArenaPool *arena;
|
| -
|
| -
|
| - /* create an arena in which dllName and commonName can be
|
| - * allocated.
|
| - */
|
| - arena = PORT_NewArena(512);
|
| - if (arena == NULL) {
|
| - return NULL;
|
| - }
|
| -
|
| - newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
|
| - if (newMod == NULL) {
|
| - PORT_FreeArena(arena,PR_FALSE);
|
| - return NULL;
|
| - }
|
| -
|
| - /*
|
| - * initialize of the fields of the module
|
| - */
|
| - newMod->arena = arena;
|
| - newMod->internal = PR_FALSE;
|
| - newMod->loaded = PR_FALSE;
|
| - newMod->isFIPS = PR_FALSE;
|
| - newMod->dllName = NULL;
|
| - newMod->commonName = NULL;
|
| - newMod->library = NULL;
|
| - newMod->functionList = NULL;
|
| - newMod->slotCount = 0;
|
| - newMod->slots = NULL;
|
| - newMod->slotInfo = NULL;
|
| - newMod->slotInfoCount = 0;
|
| - newMod->refCount = 1;
|
| - newMod->ssl[0] = 0;
|
| - newMod->ssl[1] = 0;
|
| - newMod->libraryParams = NULL;
|
| - newMod->moduleDBFunc = NULL;
|
| - newMod->parent = NULL;
|
| - newMod->isCritical = PR_FALSE;
|
| - newMod->isModuleDB = PR_FALSE;
|
| - newMod->moduleDBOnly = PR_FALSE;
|
| - newMod->trustOrder = 0;
|
| - newMod->cipherOrder = 0;
|
| - newMod->evControlMask = 0;
|
| - newMod->refLock = PZ_NewLock(nssILockRefLock);
|
| - if (newMod->refLock == NULL) {
|
| - PORT_FreeArena(arena,PR_FALSE);
|
| - return NULL;
|
| - }
|
| - return newMod;
|
| -
|
| -}
|
| -
|
| -/* private flags for isModuleDB (field in SECMODModule). */
|
| -/* The meaing of these flags is as follows:
|
| - *
|
| - * SECMOD_FLAG_MODULE_DB_IS_MODULE_DB - This is a module that accesses the
|
| - * database of other modules to load. Module DBs are loadable modules that
|
| - * tells NSS which PKCS #11 modules to load and when. These module DBs are
|
| - * chainable. That is, one module DB can load another one. NSS system init
|
| - * design takes advantage of this feature. In system NSS, a fixed system
|
| - * module DB loads the system defined libraries, then chains out to the
|
| - * traditional module DBs to load any system or user configured modules
|
| - * (like smart cards). This bit is the same as the already existing meaning
|
| - * of isModuleDB = PR_TRUE. None of the other module db flags should be set
|
| - * if this flag isn't on.
|
| - *
|
| - * SECMOD_FLAG_MODULE_DB_SKIP_FIRST - This flag tells NSS to skip the first
|
| - * PKCS #11 module presented by a module DB. This allows the OS to load a
|
| - * softoken from the system module, then ask the existing module DB code to
|
| - * load the other PKCS #11 modules in that module DB (skipping it's request
|
| - * to load softoken). This gives the system init finer control over the
|
| - * configuration of that softoken module.
|
| - *
|
| - * SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB - This flag allows system init to mark a
|
| - * different module DB as the 'default' module DB (the one in which
|
| - * 'Add module' changes will go). Without this flag NSS takes the first
|
| - * module as the default Module DB, but in system NSS, that first module
|
| - * is the system module, which is likely read only (at least to the user).
|
| - * This allows system NSS to delegate those changes to the user's module DB,
|
| - * preserving the user's ability to load new PKCS #11 modules (which only
|
| - * affect him), from existing applications like Firefox.
|
| - */
|
| -#define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the
|
| - *other flags are set */
|
| -#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
| -#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
| -
|
| -
|
| -/* private flags for internal (field in SECMODModule). */
|
| -/* The meaing of these flags is as follows:
|
| - *
|
| - * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
|
| - * the internal module (that is, softoken). This bit is the same as the
|
| - * already existing meaning of internal = PR_TRUE. None of the other
|
| - * internal flags should be set if this flag isn't on.
|
| - *
|
| - * SECMOD_FLAG_MODULE_INTERNAL_KEY_SLOT - This flag allows system init to mark
|
| - * a different slot returned byt PK11_GetInternalKeySlot(). The 'primary'
|
| - * slot defined by this module will be the new internal key slot.
|
| - */
|
| -#define SECMOD_FLAG_INTERNAL_IS_INTERNAL 0x01 /* must be set if any of
|
| - *the other flags are set */
|
| -#define SECMOD_FLAG_INTERNAL_KEY_SLOT 0x02
|
| -
|
| -/*
|
| - * for 3.4 we continue to use the old SECMODModule structure
|
| - */
|
| -SECMODModule *
|
| -SECMOD_CreateModule(const char *library, const char *moduleName,
|
| - const char *parameters, const char *nss)
|
| -{
|
| - return SECMOD_CreateModuleEx(library, moduleName, parameters, nss, NULL);
|
| -}
|
| -
|
| -/*
|
| - * NSS config options format:
|
| - *
|
| - * The specified ciphers will be allowed by policy, but an application
|
| - * may allow more by policy explicitly:
|
| - * config="allow=curve1:curve2:hash1:hash2:rsa-1024..."
|
| - *
|
| - * Only the specified hashes and curves will be allowed:
|
| - * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"
|
| - *
|
| - * Only the specified hashes and curves will be allowed, and
|
| - * RSA keys of 2048 or more will be accepted, and DH key exchange
|
| - * with 1024-bit primes or more:
|
| - * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-dh=1024"
|
| - *
|
| - * A policy that enables the AES ciphersuites and the SECP256/384 curves:
|
| - * config="allow=aes128-cbc:aes128-gcm:TLS1.0:TLS1.2:TLS1.1:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1"
|
| - *
|
| - * Disallow values are parsed first, then allow values, independent of the
|
| - * order they appear.
|
| - *
|
| - * Future key words (not yet implemented):
|
| - * enable: turn on ciphersuites by default.
|
| - * disable: turn off ciphersuites by default without disallowing them by policy.
|
| - * flags: turn on the following flags:
|
| - * ssl-lock: turn off the ability for applications to change policy with
|
| - * the SSL_SetCipherPolicy (or SSL_SetPolicy).
|
| - * policy-lock: turn off the ability for applications to change policy with
|
| - * the call NSS_SetAlgorithmPolicy.
|
| - * ssl-default-lock: turn off the ability for applications to change cipher
|
| - * suite states with SSL_EnableCipher, SSL_DisableCipher.
|
| - *
|
| - */
|
| -
|
| -typedef struct {
|
| - const char *name;
|
| - unsigned name_size;
|
| - SECOidTag oid;
|
| - PRUint32 val;
|
| -} oidValDef;
|
| -
|
| -typedef struct {
|
| - const char *name;
|
| - unsigned name_size;
|
| - PRInt32 option;
|
| -} optionFreeDef;
|
| -
|
| -typedef struct {
|
| - const char *name;
|
| - unsigned name_size;
|
| - PRUint32 flag;
|
| -} policyFlagDef;
|
| -
|
| -/*
|
| - * This table should be merged with the SECOID table.
|
| - */
|
| -#define CIPHER_NAME(x) x,(sizeof(x)-1)
|
| -static const oidValDef algOptList[] = {
|
| - /* Curves */
|
| - {CIPHER_NAME("PRIME192V1"),SEC_OID_ANSIX962_EC_PRIME192V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME192V2"), SEC_OID_ANSIX962_EC_PRIME192V2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME192V3"), SEC_OID_ANSIX962_EC_PRIME192V3,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME239V1"), SEC_OID_ANSIX962_EC_PRIME239V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME239V2"), SEC_OID_ANSIX962_EC_PRIME239V2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME239V3"), SEC_OID_ANSIX962_EC_PRIME239V3,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("PRIME256V1"), SEC_OID_ANSIX962_EC_PRIME256V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP112R1"), SEC_OID_SECG_EC_SECP112R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP112R2"), SEC_OID_SECG_EC_SECP112R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP128R1"), SEC_OID_SECG_EC_SECP128R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP128R2"), SEC_OID_SECG_EC_SECP128R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP160K1"), SEC_OID_SECG_EC_SECP160K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP160R1"), SEC_OID_SECG_EC_SECP160R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP160R2"), SEC_OID_SECG_EC_SECP160R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP192K1"), SEC_OID_SECG_EC_SECP192K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP192R1"), SEC_OID_ANSIX962_EC_PRIME192V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP224K1"), SEC_OID_SECG_EC_SECP224K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP256K1"), SEC_OID_SECG_EC_SECP256K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP256R1"), SEC_OID_ANSIX962_EC_PRIME256V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP384R1"), SEC_OID_SECG_EC_SECP384R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECP521R1"), SEC_OID_SECG_EC_SECP521R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - /* ANSI X9.62 named elliptic curves (characteristic two field) */
|
| - {CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB163V2"), SEC_OID_ANSIX962_EC_C2PNB163V2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB163V3"), SEC_OID_ANSIX962_EC_C2PNB163V3,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB176V1"), SEC_OID_ANSIX962_EC_C2PNB176V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB191V1"), SEC_OID_ANSIX962_EC_C2TNB191V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB191V2"), SEC_OID_ANSIX962_EC_C2TNB191V2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB191V3"), SEC_OID_ANSIX962_EC_C2TNB191V3,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2ONB191V4"), SEC_OID_ANSIX962_EC_C2ONB191V4,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2ONB191V5"), SEC_OID_ANSIX962_EC_C2ONB191V5,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB208W1"), SEC_OID_ANSIX962_EC_C2PNB208W1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB239V1"), SEC_OID_ANSIX962_EC_C2TNB239V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB239V2"), SEC_OID_ANSIX962_EC_C2TNB239V2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB239V3"), SEC_OID_ANSIX962_EC_C2TNB239V3,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2ONB239V4"), SEC_OID_ANSIX962_EC_C2ONB239V4,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2ONB239V5"), SEC_OID_ANSIX962_EC_C2ONB239V5,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB272W1"), SEC_OID_ANSIX962_EC_C2PNB272W1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB304W1"), SEC_OID_ANSIX962_EC_C2PNB304W1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB359V1"), SEC_OID_ANSIX962_EC_C2TNB359V1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2PNB368W1"), SEC_OID_ANSIX962_EC_C2PNB368W1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("C2TNB431R1"), SEC_OID_ANSIX962_EC_C2TNB431R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - /* SECG named elliptic curves (characteristic two field) */
|
| - {CIPHER_NAME("SECT113R1"), SEC_OID_SECG_EC_SECT113R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT113R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT131R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT131R2"), SEC_OID_SECG_EC_SECT131R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT163K1"), SEC_OID_SECG_EC_SECT163K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT163R1"), SEC_OID_SECG_EC_SECT163R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT163R2"), SEC_OID_SECG_EC_SECT163R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT193R1"), SEC_OID_SECG_EC_SECT193R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT193R2"), SEC_OID_SECG_EC_SECT193R2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT233K1"), SEC_OID_SECG_EC_SECT233K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT233R1"), SEC_OID_SECG_EC_SECT233R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT239K1"), SEC_OID_SECG_EC_SECT239K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT283K1"), SEC_OID_SECG_EC_SECT283K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT283R1"), SEC_OID_SECG_EC_SECT283R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT409K1"), SEC_OID_SECG_EC_SECT409K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT409R1"), SEC_OID_SECG_EC_SECT409R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT571K1"), SEC_OID_SECG_EC_SECT571K1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| -
|
| - /* Hashes */
|
| - {CIPHER_NAME("MD2"), SEC_OID_MD2,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("MD4"), SEC_OID_MD4,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("MD5"), SEC_OID_MD5,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SHA224"), SEC_OID_SHA224,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SHA256"), SEC_OID_SHA256,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SHA384"), SEC_OID_SHA384,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("SHA512"), SEC_OID_SHA512,
|
| - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| -
|
| - /* MACs */
|
| - {CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("HMAC-SHA256"), SEC_OID_HMAC_SHA256, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL},
|
| -
|
| - /* Ciphers */
|
| - {CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("AES256-CBC"), SEC_OID_AES_256_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("AES128-GCM"), SEC_OID_AES_128_GCM, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("AES192-GCM"), SEC_OID_AES_192_GCM, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("AES256-GCM"), SEC_OID_AES_256_GCM, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("DES-CBC"), SEC_OID_DES_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("NULL-CIPHER"), SEC_OID_NULL_CIPHER, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL},
|
| -
|
| - /* Key exchange */
|
| - {CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("DHE-RSA"), SEC_OID_TLS_DHE_RSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("DHE-DSS"), SEC_OID_TLS_DHE_DSS, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("DH-RSA"), SEC_OID_TLS_DH_RSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("DH-DSS"), SEC_OID_TLS_DH_DSS, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("ECDHE-ECDSA"), SEC_OID_TLS_ECDHE_ECDSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX},
|
| -};
|
| -
|
| -static const optionFreeDef sslOptList[] = {
|
| - /* Versions */
|
| - {CIPHER_NAME("SSL2.0"), 0x002},
|
| - {CIPHER_NAME("SSL3.0"), 0x300},
|
| - {CIPHER_NAME("SSL3.1"), 0x301},
|
| - {CIPHER_NAME("TLS1.0"), 0x301},
|
| - {CIPHER_NAME("TLS1.1"), 0x302},
|
| - {CIPHER_NAME("TLS1.2"), 0x303},
|
| - {CIPHER_NAME("TLS1.3"), 0x304},
|
| - {CIPHER_NAME("DTLS1.0"),0x302},
|
| - {CIPHER_NAME("DTLS1.1"),0x302},
|
| - {CIPHER_NAME("DTLS1.2"),0x303},
|
| - {CIPHER_NAME("DTLS1.3"),0x304},
|
| -};
|
| -
|
| -static const optionFreeDef freeOptList[] = {
|
| -
|
| - /* Restrictions for asymetric keys */
|
| - {CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE},
|
| - {CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE},
|
| - {CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE},
|
| - /* constraints on SSL Protocols */
|
| - {CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY},
|
| - {CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY},
|
| - /* constraints on DTLS Protocols */
|
| - {CIPHER_NAME("DTLS-VERSION-MIN"), NSS_DTLS_VERSION_MIN_POLICY},
|
| - {CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY}
|
| -};
|
| -
|
| -static const policyFlagDef policyFlagList[] = {
|
| - {CIPHER_NAME("SSL"), NSS_USE_ALG_IN_SSL},
|
| - {CIPHER_NAME("SSL-KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX},
|
| - /* add other key exhanges in the future */
|
| - {CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX},
|
| - {CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - /* add other signatures in the future */
|
| - {CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - /* enable everything */
|
| - {CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL|NSS_USE_ALG_IN_SSL_KX|
|
| - NSS_USE_ALG_IN_CERT_SIGNATURE},
|
| - {CIPHER_NAME("NONE"), 0}
|
| -};
|
| -
|
| -/*
|
| - * Get the next cipher on the list. point to the next one in 'next'.
|
| - * return the length;
|
| - */
|
| -static const char *
|
| -secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
|
| - int *len, const char **next)
|
| -{
|
| - const char *start = cipher;
|
| -
|
| - if (start == NULL) {
|
| - *len = 0;
|
| - *next = NULL;
|
| - return start;
|
| - }
|
| -
|
| - for (; *cipher && *cipher != sep2; cipher++) {
|
| - if (*cipher == sep1) {
|
| - *next = cipher+1;
|
| - *len = cipher - start;
|
| - return start;
|
| - }
|
| - }
|
| - *next = NULL;
|
| - *len = cipher-start;
|
| - return start;
|
| -}
|
| -
|
| -static PRUint32
|
| -secmod_parsePolicyValue(const char *policyFlags, int policyLength)
|
| -{
|
| - const char *flag, *currentString;
|
| - PRUint32 flags = 0;
|
| - int i;
|
| -
|
| - for (currentString = policyFlags; currentString
|
| - && currentString < policyFlags + policyLength; ) {
|
| - int length;
|
| - flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
|
| - ¤tString);
|
| - if (length == 0) {
|
| - continue;
|
| - }
|
| - for (i = 0; i < PR_ARRAY_SIZE(policyFlagList); i++) {
|
| - const policyFlagDef *policy = &policyFlagList[i];
|
| - unsigned name_size = policy->name_size;
|
| - if ((policy->name_size == length) &&
|
| - PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
|
| - flags |= policy->flag;
|
| - break;
|
| - }
|
| - }
|
| - }
|
| - return flags;
|
| -}
|
| -
|
| -
|
| -/* allow symbolic names for values. The only ones currently defines or
|
| - * SSL protocol versions. */
|
| -static PRInt32
|
| -secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
|
| -{
|
| - PRInt32 val = atoi(policyValue);
|
| - int i;
|
| -
|
| -
|
| - if ((val != 0) || (*policyValue == '0')) {
|
| - return val;
|
| - }
|
| - for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
|
| - if (policyValueLength == sslOptList[i].name_size &&
|
| - PORT_Strncasecmp(sslOptList[i].name, policyValue,
|
| - sslOptList[i].name_size) == 0 ) {
|
| - val = sslOptList[i].option;
|
| - break;
|
| - }
|
| - }
|
| - return val;
|
| -}
|
| -
|
| -static SECStatus secmod_applyCryptoPolicy(const char *policyString,
|
| - PRBool allow)
|
| -{
|
| - const char *cipher, *currentString;
|
| - unsigned i;
|
| - SECStatus rv = SECSuccess;
|
| - PRBool unknown;
|
| -
|
| -
|
| - if (policyString == NULL || policyString[0] == 0) {
|
| - return SECSuccess; /* do nothing */
|
| - }
|
| -
|
| - /* if we change any of these, make sure it gets applied in ssl as well */
|
| - NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
|
| -
|
| - for (currentString = policyString; currentString; ) {
|
| - int length;
|
| - PRBool newValue = PR_FALSE;
|
| -
|
| - cipher = secmod_ArgGetSubValue(currentString, ':', 0, &length,
|
| - ¤tString);
|
| - unknown = PR_TRUE;
|
| - if (length >= 3 && cipher[3] == '/') {
|
| - newValue = PR_TRUE;
|
| - }
|
| - if ((newValue || (length == 3))
|
| - && PORT_Strncasecmp(cipher, "all", 3) == 0) {
|
| - /* disable or enable all options by default */
|
| - PRUint32 value = 0;
|
| - if (newValue) {
|
| - value = secmod_parsePolicyValue(&cipher[3]+1, length-3-1);
|
| - }
|
| - for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
|
| - PRUint32 enable, disable;
|
| - if (!newValue) {
|
| - value = algOptList[i].val;
|
| - }
|
| - if (allow) {
|
| - enable = value;
|
| - disable = 0;
|
| - } else {
|
| - enable = 0;
|
| - disable = value;
|
| - }
|
| - NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
|
| - }
|
| - continue;
|
| - }
|
| -
|
| - for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
|
| - const oidValDef *algOpt = &algOptList[i];
|
| - unsigned name_size = algOpt->name_size;
|
| - PRBool newValue = PR_FALSE;
|
| -
|
| - if ((length >= name_size) && (cipher[name_size] == '/')) {
|
| - newValue = PR_TRUE;
|
| - }
|
| - if ( (newValue || algOpt->name_size == length) &&
|
| - PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
|
| - PRUint32 value = algOpt->val;
|
| - PRUint32 enable, disable;
|
| - if (newValue) {
|
| - value = secmod_parsePolicyValue(&cipher[name_size]+1,
|
| - length-name_size-1);
|
| - }
|
| - if (allow) {
|
| - enable = value;
|
| - disable = 0;
|
| - } else {
|
| - enable = 0;
|
| - disable = value;
|
| - }
|
| - rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
|
| - if (rv != SECSuccess) {
|
| - /* could not enable option */
|
| - /* NSS_SetAlgorithPolicy should have set the error code */
|
| - return SECFailure;
|
| - }
|
| - unknown = PR_FALSE;
|
| - break;
|
| - }
|
| - }
|
| - if (!unknown) {
|
| - continue;
|
| - }
|
| -
|
| - for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) {
|
| - const optionFreeDef *freeOpt = &freeOptList[i];
|
| - unsigned name_size = freeOpt->name_size;
|
| -
|
| - if ((length > name_size) && cipher[name_size] == '=' &&
|
| - PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0 ) {
|
| - PRInt32 val = secmod_getPolicyOptValue( &cipher[name_size+1],
|
| - length-name_size-1);
|
| -
|
| - rv = NSS_OptionSet(freeOpt->option, val);
|
| - if (rv != SECSuccess) {
|
| - /* could not enable option */
|
| - /* NSS_OptionSet should have set the error code */
|
| - return SECFailure;
|
| - }
|
| - /* to allow the policy to expand in the future. ignore ciphers
|
| - * we don't understand */
|
| - unknown = PR_FALSE;
|
| - break;
|
| - }
|
| - }
|
| - }
|
| - return rv;
|
| -}
|
| -
|
| -static SECStatus
|
| -secmod_parseCryptoPolicy(const char *policyConfig)
|
| -{
|
| - char *disallow, *allow;
|
| - SECStatus rv;
|
| -
|
| - if (policyConfig == NULL) {
|
| - return SECSuccess; /* no policy given */
|
| - }
|
| - /* make sure we initialize the oid table and set all the default policy
|
| - * values first so we can override them here */
|
| - rv = SECOID_Init();
|
| - if (rv != SECSuccess) {
|
| - return rv;
|
| - }
|
| - disallow = NSSUTIL_ArgGetParamValue("disallow",policyConfig);
|
| - rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
|
| - if (disallow) PORT_Free(disallow);
|
| - if (rv != SECSuccess) {
|
| - return rv;
|
| - }
|
| - allow = NSSUTIL_ArgGetParamValue("allow",policyConfig);
|
| - rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
|
| - if (allow) PORT_Free(allow);
|
| - return rv;
|
| -}
|
| -
|
| -/*
|
| - * for 3.4 we continue to use the old SECMODModule structure
|
| - */
|
| -SECMODModule *
|
| -SECMOD_CreateModuleEx(const char *library, const char *moduleName,
|
| - const char *parameters, const char *nss,
|
| - const char *config)
|
| -{
|
| - SECMODModule *mod;
|
| - SECStatus rv;
|
| - char *slotParams,*ciphers;
|
| - /* pk11pars.h still does not have const char * interfaces */
|
| - char *nssc = (char *)nss;
|
| -
|
| - rv = secmod_parseCryptoPolicy(config);
|
| -
|
| - /* do not load the module if policy parsing fails */
|
| - if (rv != SECSuccess) {
|
| - return NULL;
|
| - }
|
| -
|
| - mod = secmod_NewModule();
|
| - if (mod == NULL) return NULL;
|
| -
|
| - mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
|
| - if (library) {
|
| - mod->dllName = PORT_ArenaStrdup(mod->arena,library);
|
| - }
|
| - /* new field */
|
| - if (parameters) {
|
| - mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
|
| - }
|
| -
|
| - mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
|
| - mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
|
| - mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
|
| - slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc);
|
| - mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
|
| - &mod->slotInfoCount);
|
| - if (slotParams) PORT_Free(slotParams);
|
| - /* new field */
|
| - mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder",nssc,
|
| - NSSUTIL_DEFAULT_TRUST_ORDER,NULL);
|
| - /* new field */
|
| - mod->cipherOrder = NSSUTIL_ArgReadLong("cipherOrder",nssc,
|
| - NSSUTIL_DEFAULT_CIPHER_ORDER,NULL);
|
| - /* new field */
|
| - mod->isModuleDB = NSSUTIL_ArgHasFlag("flags","moduleDB",nssc);
|
| - mod->moduleDBOnly = NSSUTIL_ArgHasFlag("flags","moduleDBOnly",nssc);
|
| - if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
|
| -
|
| - /* we need more bits, but we also want to preserve binary compatibility
|
| - * so we overload the isModuleDB PRBool with additional flags.
|
| - * These flags are only valid if mod->isModuleDB is already set.
|
| - * NOTE: this depends on the fact that PRBool is at least a char on
|
| - * all platforms. These flags are only valid if moduleDB is set, so
|
| - * code checking if (mod->isModuleDB) will continue to work correctly. */
|
| - if (mod->isModuleDB) {
|
| - char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
|
| - if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
|
| - flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
|
| - }
|
| - if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
|
| - flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
| - }
|
| - /* additional moduleDB flags could be added here in the future */
|
| - mod->isModuleDB = (PRBool) flags;
|
| - }
|
| -
|
| - if (mod->internal) {
|
| - char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
|
| -
|
| - if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
|
| - flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
| - }
|
| - mod->internal = (PRBool) flags;
|
| - }
|
| -
|
| - ciphers = NSSUTIL_ArgGetParamValue("ciphers",nssc);
|
| - NSSUTIL_ArgParseCipherFlags(&mod->ssl[0],ciphers);
|
| - if (ciphers) PORT_Free(ciphers);
|
| -
|
| - secmod_PrivateModuleCount++;
|
| -
|
| - return mod;
|
| -}
|
| -
|
| -PRBool
|
| -SECMOD_GetSkipFirstFlag(SECMODModule *mod)
|
| -{
|
| - char flags = (char) mod->isModuleDB;
|
| -
|
| - return (flags & SECMOD_FLAG_MODULE_DB_SKIP_FIRST) ? PR_TRUE : PR_FALSE;
|
| -}
|
| -
|
| -PRBool
|
| -SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
|
| -{
|
| - char flags = (char) mod->isModuleDB;
|
| -
|
| - return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
|
| -}
|
| -
|
| -PRBool
|
| -secmod_IsInternalKeySlot(SECMODModule *mod)
|
| -{
|
| - char flags = (char) mod->internal;
|
| -
|
| - return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
|
| -}
|
| -
|
| -void
|
| -secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
|
| -{
|
| - char flags = (char) mod->internal;
|
| -
|
| - if (val) {
|
| - flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
| - } else {
|
| - flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
|
| - }
|
| - mod->internal = flags;
|
| -}
|
| -
|
| -/*
|
| - * copy desc and value into target. Target is known to be big enough to
|
| - * hold desc +2 +value, which is good because the result of this will be
|
| - * *desc"*value". We may, however, have to add some escapes for special
|
| - * characters imbedded into value (rare). This string potentially comes from
|
| - * a user, so we don't want the user overflowing the target buffer by using
|
| - * excessive escapes. To prevent this we count the escapes we need to add and
|
| - * try to expand the buffer with Realloc.
|
| - */
|
| -static char *
|
| -secmod_doDescCopy(char *target, int *targetLen, const char *desc,
|
| - int descLen, char *value)
|
| -{
|
| - int diff, esc_len;
|
| -
|
| - esc_len = NSSUTIL_EscapeSize(value, '\"') - 1;
|
| - diff = esc_len - strlen(value);
|
| - if (diff > 0) {
|
| - /* we need to escape... expand newSpecPtr as well to make sure
|
| - * we don't overflow it */
|
| - char *newPtr = PORT_Realloc(target, *targetLen * diff);
|
| - if (!newPtr) {
|
| - return target; /* not enough space, just drop the whole copy */
|
| - }
|
| - *targetLen += diff;
|
| - target = newPtr;
|
| - value = NSSUTIL_Escape(value, '\"');
|
| - if (value == NULL) {
|
| - return target; /* couldn't escape value, just drop the copy */
|
| - }
|
| - }
|
| - PORT_Memcpy(target, desc, descLen);
|
| - target += descLen;
|
| - *target++='\"';
|
| - PORT_Memcpy(target, value, esc_len);
|
| - target += esc_len;
|
| - *target++='\"';
|
| - if (diff > 0) {
|
| - PORT_Free(value);
|
| - }
|
| - return target;
|
| -}
|
| -
|
| -#define SECMOD_SPEC_COPY(new, start, end) \
|
| - if (end > start) { \
|
| - int _cnt = end - start; \
|
| - PORT_Memcpy(new, start, _cnt); \
|
| - new += _cnt; \
|
| - }
|
| -#define SECMOD_TOKEN_DESCRIPTION "tokenDescription="
|
| -#define SECMOD_SLOT_DESCRIPTION "slotDescription="
|
| -
|
| -
|
| -/*
|
| - * Find any tokens= values in the module spec.
|
| - * Always return a new spec which does not have any tokens= arguments.
|
| - * If tokens= arguments are found, Split the the various tokens defined into
|
| - * an array of child specs to return.
|
| - *
|
| - * Caller is responsible for freeing the child spec and the new token
|
| - * spec.
|
| - */
|
| -char *
|
| -secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS,
|
| - const char *moduleSpec, char ***children,
|
| - CK_SLOT_ID **ids)
|
| -{
|
| - int newSpecLen = PORT_Strlen(moduleSpec)+2;
|
| - char *newSpec = PORT_Alloc(newSpecLen);
|
| - char *newSpecPtr = newSpec;
|
| - const char *modulePrev = moduleSpec;
|
| - char *target = NULL;
|
| - char *tmp = NULL;
|
| - char **childArray = NULL;
|
| - const char *tokenIndex;
|
| - CK_SLOT_ID *idArray = NULL;
|
| - int tokenCount = 0;
|
| - int i;
|
| -
|
| - if (newSpec == NULL) {
|
| - return NULL;
|
| - }
|
| -
|
| - *children = NULL;
|
| - if (ids) {
|
| - *ids = NULL;
|
| - }
|
| - moduleSpec = NSSUTIL_ArgStrip(moduleSpec);
|
| - SECMOD_SPEC_COPY(newSpecPtr, modulePrev, moduleSpec);
|
| -
|
| - /* Notes on 'convert' and 'isFIPS' flags: The base parameters for opening
|
| - * a new softoken module takes the following parameters to name the
|
| - * various tokens:
|
| - *
|
| - * cryptoTokenDescription: name of the non-fips crypto token.
|
| - * cryptoSlotDescription: name of the non-fips crypto slot.
|
| - * dbTokenDescription: name of the non-fips db token.
|
| - * dbSlotDescription: name of the non-fips db slot.
|
| - * FIPSTokenDescription: name of the fips db/crypto token.
|
| - * FIPSSlotDescription: name of the fips db/crypto slot.
|
| - *
|
| - * if we are opening a new slot, we need to have the following
|
| - * parameters:
|
| - * tokenDescription: name of the token.
|
| - * slotDescription: name of the slot.
|
| - *
|
| - *
|
| - * The convert flag tells us to drop the unnecessary *TokenDescription
|
| - * and *SlotDescription arguments and convert the appropriate pair
|
| - * (either db or FIPS based on the isFIPS flag) to tokenDescription and
|
| - * slotDescription).
|
| - */
|
| - /*
|
| - * walk down the list. if we find a tokens= argument, save it,
|
| - * otherise copy the argument.
|
| - */
|
| - while (*moduleSpec) {
|
| - int next;
|
| - modulePrev = moduleSpec;
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, target, "tokens=",
|
| - modulePrev = moduleSpec; /* skip copying */ )
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoTokenDescription=",
|
| - if (convert) { modulePrev = moduleSpec; } );
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoSlotDescription=",
|
| - if (convert) { modulePrev = moduleSpec; } );
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbTokenDescription=",
|
| - if (convert) {
|
| - modulePrev = moduleSpec;
|
| - if (!isFIPS) {
|
| - newSpecPtr = secmod_doDescCopy(newSpecPtr,
|
| - &newSpecLen, SECMOD_TOKEN_DESCRIPTION,
|
| - sizeof(SECMOD_TOKEN_DESCRIPTION)-1, tmp);
|
| - }
|
| - });
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbSlotDescription=",
|
| - if (convert) {
|
| - modulePrev = moduleSpec; /* skip copying */
|
| - if (!isFIPS) {
|
| - newSpecPtr = secmod_doDescCopy(newSpecPtr,
|
| - &newSpecLen, SECMOD_SLOT_DESCRIPTION,
|
| - sizeof(SECMOD_SLOT_DESCRIPTION)-1, tmp);
|
| - }
|
| - } );
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSTokenDescription=",
|
| - if (convert) {
|
| - modulePrev = moduleSpec; /* skip copying */
|
| - if (isFIPS) {
|
| - newSpecPtr = secmod_doDescCopy(newSpecPtr,
|
| - &newSpecLen, SECMOD_TOKEN_DESCRIPTION,
|
| - sizeof(SECMOD_TOKEN_DESCRIPTION)-1, tmp);
|
| - }
|
| - } );
|
| - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSSlotDescription=",
|
| - if (convert) {
|
| - modulePrev = moduleSpec; /* skip copying */
|
| - if (isFIPS) {
|
| - newSpecPtr = secmod_doDescCopy(newSpecPtr,
|
| - &newSpecLen, SECMOD_SLOT_DESCRIPTION,
|
| - sizeof(SECMOD_SLOT_DESCRIPTION)-1, tmp);
|
| - }
|
| - } );
|
| - NSSUTIL_HANDLE_FINAL_ARG(moduleSpec)
|
| - SECMOD_SPEC_COPY(newSpecPtr, modulePrev, moduleSpec);
|
| - }
|
| - if (tmp) {
|
| - PORT_Free(tmp);
|
| - tmp = NULL;
|
| - }
|
| - *newSpecPtr = 0;
|
| -
|
| - /* no target found, return the newSpec */
|
| - if (target == NULL) {
|
| - return newSpec;
|
| - }
|
| -
|
| - /* now build the child array from target */
|
| - /*first count them */
|
| - for (tokenIndex = NSSUTIL_ArgStrip(target); *tokenIndex;
|
| - tokenIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(tokenIndex))) {
|
| - tokenCount++;
|
| - }
|
| -
|
| - childArray = PORT_NewArray(char *, tokenCount+1);
|
| - if (childArray == NULL) {
|
| - /* just return the spec as is then */
|
| - PORT_Free(target);
|
| - return newSpec;
|
| - }
|
| - if (ids) {
|
| - idArray = PORT_NewArray(CK_SLOT_ID, tokenCount+1);
|
| - if (idArray == NULL) {
|
| - PORT_Free(childArray);
|
| - PORT_Free(target);
|
| - return newSpec;
|
| - }
|
| - }
|
| -
|
| - /* now fill them in */
|
| - for (tokenIndex = NSSUTIL_ArgStrip(target), i=0 ;
|
| - *tokenIndex && (i < tokenCount);
|
| - tokenIndex=NSSUTIL_ArgStrip(tokenIndex)) {
|
| - int next;
|
| - char *name = NSSUTIL_ArgGetLabel(tokenIndex, &next);
|
| - tokenIndex += next;
|
| -
|
| - if (idArray) {
|
| - idArray[i] = NSSUTIL_ArgDecodeNumber(name);
|
| - }
|
| -
|
| - PORT_Free(name); /* drop the explicit number */
|
| -
|
| - /* if anything is left, copy the args to the child array */
|
| - if (!NSSUTIL_ArgIsBlank(*tokenIndex)) {
|
| - childArray[i++] = NSSUTIL_ArgFetchValue(tokenIndex, &next);
|
| - tokenIndex += next;
|
| - }
|
| - }
|
| -
|
| - PORT_Free(target);
|
| - childArray[i] = 0;
|
| - if (idArray) {
|
| - idArray[i] = 0;
|
| - }
|
| -
|
| - /* return it */
|
| - *children = childArray;
|
| - if (ids) {
|
| - *ids = idArray;
|
| - }
|
| - return newSpec;
|
| -}
|
| -
|
| -/* get the database and flags from the spec */
|
| -static char *
|
| -secmod_getConfigDir(const char *spec, char **certPrefix, char **keyPrefix,
|
| - PRBool *readOnly)
|
| -{
|
| - char * config = NULL;
|
| -
|
| - *certPrefix = NULL;
|
| - *keyPrefix = NULL;
|
| - *readOnly = NSSUTIL_ArgHasFlag("flags","readOnly",spec);
|
| -
|
| - spec = NSSUTIL_ArgStrip(spec);
|
| - while (*spec) {
|
| - int next;
|
| - NSSUTIL_HANDLE_STRING_ARG(spec, config, "configdir=", ;)
|
| - NSSUTIL_HANDLE_STRING_ARG(spec, *certPrefix, "certPrefix=", ;)
|
| - NSSUTIL_HANDLE_STRING_ARG(spec, *keyPrefix, "keyPrefix=", ;)
|
| - NSSUTIL_HANDLE_FINAL_ARG(spec)
|
| - }
|
| - return config;
|
| -}
|
| -
|
| -struct SECMODConfigListStr {
|
| - char *config;
|
| - char *certPrefix;
|
| - char *keyPrefix;
|
| - PRBool isReadOnly;
|
| -};
|
| -
|
| -/*
|
| - * return an array of already openned databases from a spec list.
|
| - */
|
| -SECMODConfigList *
|
| -secmod_GetConfigList(PRBool isFIPS, char *spec, int *count)
|
| -{
|
| - char **children;
|
| - CK_SLOT_ID *ids;
|
| - char *strippedSpec;
|
| - int childCount;
|
| - SECMODConfigList *conflist = NULL;
|
| - int i;
|
| -
|
| - strippedSpec = secmod_ParseModuleSpecForTokens(PR_TRUE, isFIPS,
|
| - spec,&children,&ids);
|
| - if (strippedSpec == NULL) {
|
| - return NULL;
|
| - }
|
| -
|
| - for (childCount=0; children && children[childCount]; childCount++) ;
|
| - *count = childCount+1; /* include strippedSpec */
|
| - conflist = PORT_NewArray(SECMODConfigList,*count);
|
| - if (conflist == NULL) {
|
| - *count = 0;
|
| - goto loser;
|
| - }
|
| -
|
| - conflist[0].config = secmod_getConfigDir(strippedSpec,
|
| - &conflist[0].certPrefix,
|
| - &conflist[0].keyPrefix,
|
| - &conflist[0].isReadOnly);
|
| - for (i=0; i < childCount; i++) {
|
| - conflist[i+1].config = secmod_getConfigDir(children[i],
|
| - &conflist[i+1].certPrefix,
|
| - &conflist[i+1].keyPrefix,
|
| - &conflist[i+1].isReadOnly);
|
| - }
|
| -
|
| -loser:
|
| - secmod_FreeChildren(children, ids);
|
| - PORT_Free(strippedSpec);
|
| - return conflist;
|
| -}
|
| -
|
| -/*
|
| - * determine if we are trying to open an old dbm database. For this test
|
| - * RDB databases should return PR_FALSE.
|
| - */
|
| -static PRBool
|
| -secmod_configIsDBM(char *configDir)
|
| -{
|
| - char *env;
|
| -
|
| - /* explicit dbm open */
|
| - if (strncmp(configDir, "dbm:", 4) == 0) {
|
| - return PR_TRUE;
|
| - }
|
| - /* explicit open of a non-dbm database */
|
| - if ((strncmp(configDir, "sql:",4) == 0)
|
| - || (strncmp(configDir, "rdb:", 4) == 0)
|
| - || (strncmp(configDir, "extern:", 7) == 0)) {
|
| - return PR_FALSE;
|
| - }
|
| - env = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE");
|
| - /* implicit dbm open */
|
| - if ((env == NULL) || (strcmp(env,"dbm") == 0)) {
|
| - return PR_TRUE;
|
| - }
|
| - /* implicit non-dbm open */
|
| - return PR_FALSE;
|
| -}
|
| -
|
| -/*
|
| - * match two prefixes. prefix may be NULL. NULL patches '\0'
|
| - */
|
| -static PRBool
|
| -secmod_matchPrefix(char *prefix1, char *prefix2)
|
| -{
|
| - if ((prefix1 == NULL) || (*prefix1 == 0)) {
|
| - if ((prefix2 == NULL) || (*prefix2 == 0)) {
|
| - return PR_TRUE;
|
| - }
|
| - return PR_FALSE;
|
| - }
|
| - if (strcmp(prefix1, prefix2) == 0) {
|
| - return PR_TRUE;
|
| - }
|
| - return PR_FALSE;
|
| -}
|
| -
|
| -/*
|
| - * return true if we are requesting a database that is already openned.
|
| - */
|
| -PRBool
|
| -secmod_MatchConfigList(char *spec, SECMODConfigList *conflist, int count)
|
| -{
|
| - char *config;
|
| - char *certPrefix;
|
| - char *keyPrefix;
|
| - PRBool isReadOnly;
|
| - PRBool ret=PR_FALSE;
|
| - int i;
|
| -
|
| - config = secmod_getConfigDir(spec, &certPrefix, &keyPrefix, &isReadOnly);
|
| - if (!config) {
|
| - ret=PR_TRUE;
|
| - goto done;
|
| - }
|
| -
|
| - /* NOTE: we dbm isn't multiple open safe. If we open the same database
|
| - * twice from two different locations, then we can corrupt our database
|
| - * (the cache will be inconsistent). Protect against this by claiming
|
| - * for comparison only that we are always openning dbm databases read only.
|
| - */
|
| - if (secmod_configIsDBM(config)) {
|
| - isReadOnly = 1;
|
| - }
|
| - for (i=0; i < count; i++) {
|
| - if ((strcmp(config,conflist[i].config) == 0) &&
|
| - secmod_matchPrefix(certPrefix, conflist[i].certPrefix) &&
|
| - secmod_matchPrefix(keyPrefix, conflist[i].keyPrefix) &&
|
| - /* this last test -- if we just need the DB open read only,
|
| - * than any open will suffice, but if we requested it read/write
|
| - * and it's only open read only, we need to open it again */
|
| - (isReadOnly || !conflist[i].isReadOnly)) {
|
| - ret = PR_TRUE;
|
| - goto done;
|
| - }
|
| - }
|
| -
|
| - ret = PR_FALSE;
|
| -done:
|
| - PORT_Free(config);
|
| - PORT_Free(certPrefix);
|
| - PORT_Free(keyPrefix);
|
| - return ret;
|
| -}
|
| -
|
| -void
|
| -secmod_FreeConfigList(SECMODConfigList *conflist, int count)
|
| -{
|
| - int i;
|
| - for (i=0; i < count; i++) {
|
| - PORT_Free(conflist[i].config);
|
| - PORT_Free(conflist[i].certPrefix);
|
| - PORT_Free(conflist[i].keyPrefix);
|
| - }
|
| - PORT_Free(conflist);
|
| -}
|
| -
|
| -void
|
| -secmod_FreeChildren(char **children, CK_SLOT_ID *ids)
|
| -{
|
| - char **thisChild;
|
| -
|
| - if (!children) {
|
| - return;
|
| - }
|
| -
|
| - for (thisChild = children; thisChild && *thisChild; thisChild++ ) {
|
| - PORT_Free(*thisChild);
|
| - }
|
| - PORT_Free(children);
|
| - if (ids) {
|
| - PORT_Free(ids);
|
| - }
|
| - return;
|
| -}
|
| -
|
| -/*
|
| - * caclulate the length of each child record:
|
| - * " 0x{id}=<{escaped_child}>"
|
| - */
|
| -static int
|
| -secmod_getChildLength(char *child, CK_SLOT_ID id)
|
| -{
|
| - int length = NSSUTIL_DoubleEscapeSize(child, '>', ']');
|
| - if (id == 0) {
|
| - length++;
|
| - }
|
| - while (id) {
|
| - length++;
|
| - id = id >> 4;
|
| - }
|
| - length += 6; /* {sp}0x[id]=<{child}> */
|
| - return length;
|
| -}
|
| -
|
| -/*
|
| - * Build a child record:
|
| - * " 0x{id}=<{escaped_child}>"
|
| - */
|
| -static SECStatus
|
| -secmod_mkTokenChild(char **next, int *length, char *child, CK_SLOT_ID id)
|
| -{
|
| - int len;
|
| - char *escSpec;
|
| -
|
| - len = PR_snprintf(*next, *length, " 0x%x=<",id);
|
| - if (len < 0) {
|
| - return SECFailure;
|
| - }
|
| - *next += len;
|
| - *length -= len;
|
| - escSpec = NSSUTIL_DoubleEscape(child, '>', ']');
|
| - if (escSpec == NULL) {
|
| - return SECFailure;
|
| - }
|
| - if (*child && (*escSpec == 0)) {
|
| - PORT_Free(escSpec);
|
| - return SECFailure;
|
| - }
|
| - len = strlen(escSpec);
|
| - if (len+1 > *length) {
|
| - PORT_Free(escSpec);
|
| - return SECFailure;
|
| - }
|
| - PORT_Memcpy(*next,escSpec, len);
|
| - *next += len;
|
| - *length -= len;
|
| - PORT_Free(escSpec);
|
| - **next = '>';
|
| - (*next)++;
|
| - (*length)--;
|
| - return SECSuccess;
|
| -}
|
| -
|
| -#define TOKEN_STRING " tokens=["
|
| -
|
| -char *
|
| -secmod_MkAppendTokensList(PLArenaPool *arena, char *oldParam, char *newToken,
|
| - CK_SLOT_ID newID, char **children, CK_SLOT_ID *ids)
|
| -{
|
| - char *rawParam = NULL; /* oldParam with tokens stripped off */
|
| - char *newParam = NULL; /* space for the return parameter */
|
| - char *nextParam = NULL; /* current end of the new parameter */
|
| - char **oldChildren = NULL;
|
| - CK_SLOT_ID *oldIds = NULL;
|
| - void *mark = NULL; /* mark the arena pool in case we need
|
| - * to release it */
|
| - int length, i, tmpLen;
|
| - SECStatus rv;
|
| -
|
| - /* first strip out and save the old tokenlist */
|
| - rawParam = secmod_ParseModuleSpecForTokens(PR_FALSE,PR_FALSE,
|
| - oldParam,&oldChildren,&oldIds);
|
| - if (!rawParam) {
|
| - goto loser;
|
| - }
|
| -
|
| - /* now calculate the total length of the new buffer */
|
| - /* First the 'fixed stuff', length of rawparam (does not include a NULL),
|
| - * length of the token string (does include the NULL), closing bracket */
|
| - length = strlen(rawParam) + sizeof(TOKEN_STRING) + 1;
|
| - /* now add then length of all the old children */
|
| - for (i=0; oldChildren && oldChildren[i]; i++) {
|
| - length += secmod_getChildLength(oldChildren[i], oldIds[i]);
|
| - }
|
| -
|
| - /* add the new token */
|
| - length += secmod_getChildLength(newToken, newID);
|
| -
|
| - /* and it's new children */
|
| - for (i=0; children && children[i]; i++) {
|
| - if (ids[i] == -1) {
|
| - continue;
|
| - }
|
| - length += secmod_getChildLength(children[i], ids[i]);
|
| - }
|
| -
|
| - /* now allocate and build the string */
|
| - mark = PORT_ArenaMark(arena);
|
| - if (!mark) {
|
| - goto loser;
|
| - }
|
| - newParam = PORT_ArenaAlloc(arena,length);
|
| - if (!newParam) {
|
| - goto loser;
|
| - }
|
| -
|
| - PORT_Strcpy(newParam, oldParam);
|
| - tmpLen = strlen(oldParam);
|
| - nextParam = newParam + tmpLen;
|
| - length -= tmpLen;
|
| - PORT_Memcpy(nextParam, TOKEN_STRING, sizeof(TOKEN_STRING)-1);
|
| - nextParam += sizeof(TOKEN_STRING)-1;
|
| - length -= sizeof(TOKEN_STRING)-1;
|
| -
|
| - for (i=0; oldChildren && oldChildren[i]; i++) {
|
| - rv = secmod_mkTokenChild(&nextParam,&length,oldChildren[i],oldIds[i]);
|
| - if (rv != SECSuccess) {
|
| - goto loser;
|
| - }
|
| - }
|
| -
|
| - rv = secmod_mkTokenChild(&nextParam, &length, newToken, newID);
|
| - if (rv != SECSuccess) {
|
| - goto loser;
|
| - }
|
| -
|
| - for (i=0; children && children[i]; i++) {
|
| - if (ids[i] == -1) {
|
| - continue;
|
| - }
|
| - rv = secmod_mkTokenChild(&nextParam, &length, children[i], ids[i]);
|
| - if (rv != SECSuccess) {
|
| - goto loser;
|
| - }
|
| - }
|
| -
|
| - if (length < 2) {
|
| - goto loser;
|
| - }
|
| -
|
| - *nextParam++ = ']';
|
| - *nextParam++ = 0;
|
| -
|
| - /* we are going to return newParam now, don't release the mark */
|
| - PORT_ArenaUnmark(arena, mark);
|
| - mark = NULL;
|
| -
|
| -loser:
|
| - if (mark) {
|
| - PORT_ArenaRelease(arena, mark);
|
| - newParam = NULL; /* if the mark is still active,
|
| - * don't return the param */
|
| - }
|
| - if (rawParam) {
|
| - PORT_Free(rawParam);
|
| - }
|
| - if (oldChildren) {
|
| - secmod_FreeChildren(oldChildren, oldIds);
|
| - }
|
| - return newParam;
|
| -}
|
| -
|
| -static char *
|
| -secmod_mkModuleSpec(SECMODModule * module)
|
| -{
|
| - char *nss = NULL, *modSpec = NULL, **slotStrings = NULL;
|
| - int slotCount, i, si;
|
| - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
| -
|
| - /* allocate target slot info strings */
|
| - slotCount = 0;
|
| -
|
| - SECMOD_GetReadLock(moduleLock);
|
| - if (module->slotCount) {
|
| - for (i=0; i < module->slotCount; i++) {
|
| - if (module->slots[i]->defaultFlags !=0) {
|
| - slotCount++;
|
| - }
|
| - }
|
| - } else {
|
| - slotCount = module->slotInfoCount;
|
| - }
|
| -
|
| - slotStrings = (char **)PORT_ZAlloc(slotCount*sizeof(char *));
|
| - if (slotStrings == NULL) {
|
| - SECMOD_ReleaseReadLock(moduleLock);
|
| - goto loser;
|
| - }
|
| -
|
| -
|
| - /* build the slot info strings */
|
| - if (module->slotCount) {
|
| - for (i=0, si= 0; i < module->slotCount; i++) {
|
| - if (module->slots[i]->defaultFlags) {
|
| - PORT_Assert(si < slotCount);
|
| - if (si >= slotCount) break;
|
| - slotStrings[si] = NSSUTIL_MkSlotString(module->slots[i]->slotID,
|
| - module->slots[i]->defaultFlags,
|
| - module->slots[i]->timeout,
|
| - module->slots[i]->askpw,
|
| - module->slots[i]->hasRootCerts,
|
| - module->slots[i]->hasRootTrust);
|
| - si++;
|
| - }
|
| - }
|
| - } else {
|
| - for (i=0; i < slotCount; i++) {
|
| - slotStrings[i] = NSSUTIL_MkSlotString(
|
| - module->slotInfo[i].slotID,
|
| - module->slotInfo[i].defaultFlags,
|
| - module->slotInfo[i].timeout,
|
| - module->slotInfo[i].askpw,
|
| - module->slotInfo[i].hasRootCerts,
|
| - module->slotInfo[i].hasRootTrust);
|
| - }
|
| - }
|
| -
|
| - SECMOD_ReleaseReadLock(moduleLock);
|
| - nss = NSSUTIL_MkNSSString(slotStrings,slotCount,module->internal,
|
| - module->isFIPS, module->isModuleDB,
|
| - module->moduleDBOnly, module->isCritical,
|
| - module->trustOrder, module->cipherOrder,
|
| - module->ssl[0],module->ssl[1]);
|
| - modSpec= NSSUTIL_MkModuleSpec(module->dllName,module->commonName,
|
| - module->libraryParams,nss);
|
| - PORT_Free(slotStrings);
|
| - PR_smprintf_free(nss);
|
| -loser:
|
| - return (modSpec);
|
| -}
|
| -
|
| -
|
| -char **
|
| -SECMOD_GetModuleSpecList(SECMODModule *module)
|
| -{
|
| - SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
|
| - if (func) {
|
| - return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND,
|
| - module->libraryParams,NULL);
|
| - }
|
| - return NULL;
|
| -}
|
| -
|
| -SECStatus
|
| -SECMOD_AddPermDB(SECMODModule *module)
|
| -{
|
| - SECMODModuleDBFunc func;
|
| - char *moduleSpec;
|
| - char **retString;
|
| -
|
| - if (module->parent == NULL) return SECFailure;
|
| -
|
| - func = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
|
| - if (func) {
|
| - moduleSpec = secmod_mkModuleSpec(module);
|
| - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD,
|
| - module->parent->libraryParams,moduleSpec);
|
| - PORT_Free(moduleSpec);
|
| - if (retString != NULL) return SECSuccess;
|
| - }
|
| - return SECFailure;
|
| -}
|
| -
|
| -SECStatus
|
| -SECMOD_DeletePermDB(SECMODModule *module)
|
| -{
|
| - SECMODModuleDBFunc func;
|
| - char *moduleSpec;
|
| - char **retString;
|
| -
|
| - if (module->parent == NULL) return SECFailure;
|
| -
|
| - func = (SECMODModuleDBFunc) module->parent->moduleDBFunc;
|
| - if (func) {
|
| - moduleSpec = secmod_mkModuleSpec(module);
|
| - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL,
|
| - module->parent->libraryParams,moduleSpec);
|
| - PORT_Free(moduleSpec);
|
| - if (retString != NULL) return SECSuccess;
|
| - }
|
| - return SECFailure;
|
| -}
|
| -
|
| -SECStatus
|
| -SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList)
|
| -{
|
| - SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
|
| - char **retString;
|
| - if (func) {
|
| - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE,
|
| - module->libraryParams,moduleSpecList);
|
| - if (retString != NULL) return SECSuccess;
|
| - }
|
| - return SECFailure;
|
| -}
|
| -
|
| -/*
|
| - * load a PKCS#11 module but do not add it to the default NSS trust domain
|
| - */
|
| -SECMODModule *
|
| -SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
|
| -{
|
| - char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL;
|
| - char *config = NULL;
|
| - SECStatus status;
|
| - SECMODModule *module = NULL;
|
| - SECMODModule *oldModule = NULL;
|
| - SECStatus rv;
|
| -
|
| - /* initialize the underlying module structures */
|
| - SECMOD_Init();
|
| -
|
| - status = NSSUTIL_ArgParseModuleSpecEx(modulespec, &library, &moduleName,
|
| - ¶meters, &nss,
|
| - &config);
|
| - if (status != SECSuccess) {
|
| - goto loser;
|
| - }
|
| -
|
| - module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config);
|
| - if (library) PORT_Free(library);
|
| - if (moduleName) PORT_Free(moduleName);
|
| - if (parameters) PORT_Free(parameters);
|
| - if (nss) PORT_Free(nss);
|
| - if (config) PORT_Free(config);
|
| - if (!module) {
|
| - goto loser;
|
| - }
|
| - if (parent) {
|
| - module->parent = SECMOD_ReferenceModule(parent);
|
| - if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
| - module->internal = parent->internal;
|
| - }
|
| - }
|
| -
|
| - /* load it */
|
| - rv = secmod_LoadPKCS11Module(module, &oldModule);
|
| - if (rv != SECSuccess) {
|
| - goto loser;
|
| - }
|
| -
|
| - /* if we just reload an old module, no need to add it to any lists.
|
| - * we simple release all our references */
|
| - if (oldModule) {
|
| - /* This module already exists, don't link it anywhere. This
|
| - * will probably destroy this module */
|
| - SECMOD_DestroyModule(module);
|
| - return oldModule;
|
| - }
|
| -
|
| - if (recurse && module->isModuleDB) {
|
| - char ** moduleSpecList;
|
| - PORT_SetError(0);
|
| -
|
| - moduleSpecList = SECMOD_GetModuleSpecList(module);
|
| - if (moduleSpecList) {
|
| - char **index;
|
| -
|
| - index = moduleSpecList;
|
| - if (*index && SECMOD_GetSkipFirstFlag(module)) {
|
| - index++;
|
| - }
|
| -
|
| - for (; *index; index++) {
|
| - SECMODModule *child;
|
| - if (0 == PORT_Strcmp(*index, modulespec)) {
|
| - /* avoid trivial infinite recursion */
|
| - PORT_SetError(SEC_ERROR_NO_MODULE);
|
| - rv = SECFailure;
|
| - break;
|
| - }
|
| - child = SECMOD_LoadModule(*index,module,PR_TRUE);
|
| - if (!child) break;
|
| - if (child->isCritical && !child->loaded) {
|
| - int err = PORT_GetError();
|
| - if (!err)
|
| - err = SEC_ERROR_NO_MODULE;
|
| - SECMOD_DestroyModule(child);
|
| - PORT_SetError(err);
|
| - rv = SECFailure;
|
| - break;
|
| - }
|
| - SECMOD_DestroyModule(child);
|
| - }
|
| - SECMOD_FreeModuleSpecList(module,moduleSpecList);
|
| - } else {
|
| - if (!PORT_GetError())
|
| - PORT_SetError(SEC_ERROR_NO_MODULE);
|
| - rv = SECFailure;
|
| - }
|
| - }
|
| -
|
| - if (rv != SECSuccess) {
|
| - goto loser;
|
| - }
|
| -
|
| -
|
| - /* inherit the reference */
|
| - if (!module->moduleDBOnly) {
|
| - SECMOD_AddModuleToList(module);
|
| - } else {
|
| - SECMOD_AddModuleToDBOnlyList(module);
|
| - }
|
| -
|
| - /* handle any additional work here */
|
| - return module;
|
| -
|
| -loser:
|
| - if (module) {
|
| - if (module->loaded) {
|
| - SECMOD_UnloadModule(module);
|
| - }
|
| - SECMOD_AddModuleToUnloadList(module);
|
| - }
|
| - return module;
|
| -}
|
| -
|
| -/*
|
| - * load a PKCS#11 module and add it to the default NSS trust domain
|
| - */
|
| -SECMODModule *
|
| -SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse)
|
| -{
|
| - SECStatus rv = SECSuccess;
|
| - SECMODModule * newmod = SECMOD_LoadModule(modulespec, parent, recurse);
|
| - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
| -
|
| - if (newmod) {
|
| - SECMOD_GetReadLock(moduleLock);
|
| - rv = STAN_AddModuleToDefaultTrustDomain(newmod);
|
| - SECMOD_ReleaseReadLock(moduleLock);
|
| - if (SECSuccess != rv) {
|
| - SECMOD_DestroyModule(newmod);
|
| - return NULL;
|
| - }
|
| - }
|
| - return newmod;
|
| -}
|
| -
|
| -/*
|
| - * remove the PKCS#11 module from the default NSS trust domain, call
|
| - * C_Finalize, and destroy the module structure
|
| - */
|
| -SECStatus SECMOD_UnloadUserModule(SECMODModule *mod)
|
| -{
|
| - SECStatus rv = SECSuccess;
|
| - int atype = 0;
|
| - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
|
| - if (!mod) {
|
| - return SECFailure;
|
| - }
|
| -
|
| - SECMOD_GetReadLock(moduleLock);
|
| - rv = STAN_RemoveModuleFromDefaultTrustDomain(mod);
|
| - SECMOD_ReleaseReadLock(moduleLock);
|
| - if (SECSuccess != rv) {
|
| - return SECFailure;
|
| - }
|
| - return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE);
|
| -}
|
| -
|
|
|
Chromium Code Reviews
Issue 2078763002:
Delete bundled copy of NSS and replace with README. (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss@master