From 4ecbd3a80f907f8109e9b0d89ea30a306a6a7cef Mon Sep 17 00:00:00 2001 From: "relyea%netscape.com" Date: Fri, 10 May 2002 18:11:37 +0000 Subject: Allow both FIPS and non-FIPS tokens to be initialized and active at the same time. --- security/nss/lib/softoken/fipstokn.c | 20 +++- security/nss/lib/softoken/pkcs11.c | 172 +++++++++++++++++++++++------------ security/nss/lib/softoken/pkcs11i.h | 10 +- 3 files changed, 140 insertions(+), 62 deletions(-) diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c index e3abfaf88..c33670451 100644 --- a/security/nss/lib/softoken/fipstokn.c +++ b/security/nss/lib/softoken/fipstokn.c @@ -164,11 +164,17 @@ CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) { return CKR_OK; } +/* sigh global so pkcs11 can read it */ +PRBool nsf_init = PR_FALSE; /* FC_Initialize initializes the PKCS #11 library. */ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { CK_RV crv; + if (nsf_init) { + return CKR_CRYPTOKI_ALREADY_INITIALIZED; + } + crv = nsc_CommonInitialize(pReserved, PR_TRUE); /* not an 'else' rv can be set by either PK11_LowInit or PK11_SlotInit*/ @@ -181,17 +187,24 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) { crv = pk11_fipsPowerUpSelfTest(); if (crv != CKR_OK) { + nsc_CommonFinalize(NULL, PR_TRUE); fatalError = PR_TRUE; return crv; } + nsf_init = PR_TRUE; return CKR_OK; } /*FC_Finalize indicates that an application is done with the PKCS #11 library.*/ CK_RV FC_Finalize (CK_VOID_PTR pReserved) { - /* this should free up FIPS Slot */ - return NSC_Finalize (pReserved); + CK_RV crv; + if (!nsf_init) { + return CKR_OK; + } + crv = nsc_CommonFinalize (pReserved, PR_TRUE); + nsf_init = (PRBool) !(crv == CKR_OK); + return crv; } @@ -203,7 +216,8 @@ CK_RV FC_GetInfo(CK_INFO_PTR pInfo) { /* FC_GetSlotList obtains a list of slots in the system. */ CK_RV FC_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { - return NSC_GetSlotList(tokenPresent,pSlotList,pulCount); + return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount, + NSC_FIPS_MODULE); } /* FC_GetSlotInfo obtains information about a particular slot in the system. */ diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 86b7520f4..639b651ae 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -2056,61 +2056,81 @@ pk11_getDefSlotName(CK_SLOT_ID slotID) return buf; } -static CK_ULONG nscSlotCount = 0; -static CK_SLOT_ID_PTR nscSlotList = NULL; -static CK_ULONG nscSlotListSize = 0; -static PLHashTable *nscSlotHashTable = NULL; +static CK_ULONG nscSlotCount[2] = {0 , 0}; +static CK_SLOT_ID_PTR nscSlotList[2] = {NULL, NULL}; +static CK_ULONG nscSlotListSize[2] = {0, 0}; +static PLHashTable *nscSlotHashTable[2] = {NULL, NULL}; + +static int +pk11_GetModuleIndex(CK_SLOT_ID slotID) +{ + if ((slotID == FIPS_SLOT_ID) || (slotID > 100)) { + return NSC_FIPS_MODULE; + } + return NSC_NON_FIPS_MODULE; +} /* look up a slot structure from the ID (used to be a macro when we only * had two slots) */ PK11Slot * pk11_SlotFromID(CK_SLOT_ID slotID) { - return (PK11Slot *)PL_HashTableLookupConst(nscSlotHashTable, (void *)slotID); + int index = pk11_GetModuleIndex(slotID); + return (PK11Slot *)PL_HashTableLookupConst(nscSlotHashTable[index], + (void *)slotID); } PK11Slot * pk11_SlotFromSessionHandle(CK_SESSION_HANDLE handle) { - CK_ULONG slotIDIndex = (handle >> 24) & 0xff; + CK_ULONG slotIDIndex = (handle >> 24) & 0x7f; + CK_ULONG moduleIndex = (handle >> 31) & 1; - if (slotIDIndex >= nscSlotCount) { + if (slotIDIndex >= nscSlotCount[moduleIndex]) { return NULL; } - return pk11_SlotFromID(nscSlotList[slotIDIndex]); + return pk11_SlotFromID(nscSlotList[moduleIndex][slotIDIndex]); } -PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID slotID) +PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID slotID, int moduleIndex) { PK11Slot *slot = NULL; PLHashEntry *entry; + int index; + + index = pk11_GetModuleIndex(slotID); + + /* make sure the slotID for this module is valid */ + if (moduleIndex != index) { + return NULL; + } - if (nscSlotList == NULL) { - nscSlotListSize = NSC_SLOT_LIST_BLOCK_SIZE; - nscSlotList = (CK_SLOT_ID *) - PORT_ZAlloc(nscSlotListSize*sizeof(CK_SLOT_ID)); - if (nscSlotList == NULL) { + if (nscSlotList[index] == NULL) { + nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE; + nscSlotList[index] = (CK_SLOT_ID *) + PORT_ZAlloc(nscSlotListSize[index]*sizeof(CK_SLOT_ID)); + if (nscSlotList[index] == NULL) { return NULL; } } - if (nscSlotCount >= nscSlotListSize) { - CK_SLOT_ID* oldNscSlotList = nscSlotList; - CK_ULONG oldNscSlotListSize = nscSlotListSize; - nscSlotListSize += NSC_SLOT_LIST_BLOCK_SIZE; - nscSlotList = (CK_SLOT_ID *) PORT_Realloc(oldNscSlotList, - nscSlotListSize*sizeof(CK_SLOT_ID)); - if (nscSlotList == NULL) { - nscSlotList = oldNscSlotList; - nscSlotListSize = oldNscSlotListSize; + if (nscSlotCount[index] >= nscSlotListSize[index]) { + CK_SLOT_ID* oldNscSlotList = nscSlotList[index]; + CK_ULONG oldNscSlotListSize = nscSlotListSize[index]; + nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE; + nscSlotList[index] = (CK_SLOT_ID *) PORT_Realloc(oldNscSlotList, + nscSlotListSize[index]*sizeof(CK_SLOT_ID)); + if (nscSlotList[index] == NULL) { + nscSlotList[index] = oldNscSlotList; + nscSlotListSize[index] = oldNscSlotListSize; return NULL; } } - if (nscSlotHashTable == NULL) { - nscSlotHashTable = PL_NewHashTable(64,pk11_HashNumber,PL_CompareValues, - PL_CompareValues, NULL, 0); - if (nscSlotHashTable == NULL) { + if (nscSlotHashTable[index] == NULL) { + nscSlotHashTable[index] = PL_NewHashTable(64,pk11_HashNumber, + PL_CompareValues, PL_CompareValues, NULL, 0); + if (nscSlotHashTable[index] == NULL) { return NULL; } } @@ -2120,13 +2140,13 @@ PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID slotID) return NULL; } - entry = PL_HashTableAdd(nscSlotHashTable,(void *)slotID,slot); + entry = PL_HashTableAdd(nscSlotHashTable[index],(void *)slotID,slot); if (entry == NULL) { PORT_Free(slot); return NULL; } - slot->index = nscSlotCount; - nscSlotList[nscSlotCount++] = slotID; + slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80); + nscSlotList[index][nscSlotCount[index]++] = slotID; return slot; } @@ -2135,11 +2155,11 @@ PK11Slot * pk11_NewSlotFromID(CK_SLOT_ID slotID) * initialize one of the slot structures. figure out which by the ID */ CK_RV -PK11_SlotInit(char *configdir,pk11_token_parameters *params) +PK11_SlotInit(char *configdir,pk11_token_parameters *params, int moduleIndex) { int i; CK_SLOT_ID slotID = params->slotID; - PK11Slot *slot = pk11_NewSlotFromID(slotID); + PK11Slot *slot = pk11_NewSlotFromID(slotID, moduleIndex); PRBool needLogin = !params->noKeyDB; CK_RV crv; @@ -2314,23 +2334,23 @@ NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args) return rvstr; } -static void nscFreeAllSlots() +static void nscFreeAllSlots(int moduleIndex) { /* free all the slots */ PK11Slot *slot = NULL; CK_SLOT_ID slotID; int i; - if (nscSlotList) { - CK_ULONG tmpSlotCount = nscSlotCount; - CK_SLOT_ID_PTR tmpSlotList = nscSlotList; - PLHashTable *tmpSlotHashTable = nscSlotHashTable; + if (nscSlotList[moduleIndex]) { + CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex]; + CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex]; + PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex]; /* now clear out the statics */ - nscSlotList = NULL; - nscSlotCount = 0; - nscSlotHashTable = NULL; - nscSlotListSize = 0; + nscSlotList[moduleIndex] = NULL; + nscSlotCount[moduleIndex] = 0; + nscSlotHashTable[moduleIndex] = NULL; + nscSlotListSize[moduleIndex] = 0; for (i=0; i < (int) tmpSlotCount; i++) { slotID = tmpSlotList[i]; @@ -2346,7 +2366,7 @@ static void nscFreeAllSlots() } } -static PRBool nsc_init = PR_FALSE; + /* NSC_Initialize initializes the Cryptoki library. */ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) { @@ -2354,10 +2374,7 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) SECStatus rv; CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *) pReserved; int i; - - if (nsc_init) { - return CKR_CRYPTOKI_ALREADY_INITIALIZED; - } + int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE; rv = RNG_RNGInit(); /* initialize random number generator */ if (rv != SECSuccess) { @@ -2392,34 +2409,47 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) for (i=0; i < paramStrings.token_count; i++) { crv = - PK11_SlotInit(paramStrings.configdir, ¶mStrings.tokens[i]); + PK11_SlotInit(paramStrings.configdir, ¶mStrings.tokens[i], + moduleIndex); if (crv != CKR_OK) { - nscFreeAllSlots(); + nscFreeAllSlots(moduleIndex); break; } } loser: secmod_freeParams(¶mStrings); } - nsc_init = (PRBool) (crv == CKR_OK); return crv; } +static PRBool nsc_init = PR_FALSE; CK_RV NSC_Initialize(CK_VOID_PTR pReserved) { - return nsc_CommonInitialize(pReserved,PR_FALSE); + CK_RV crv; + if (nsc_init) { + return CKR_CRYPTOKI_ALREADY_INITIALIZED; + } + crv = nsc_CommonInitialize(pReserved,PR_FALSE); + nsc_init = (PRBool) (crv == CKR_OK); + return crv; } /* NSC_Finalize indicates that an application is done with the * Cryptoki library.*/ -CK_RV NSC_Finalize (CK_VOID_PTR pReserved) +CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS) { - if (!nsc_init) { + + + nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE); + + /* don't muck with the globals is our peer is still initialized */ + if (isFIPS && nsc_init) { + return CKR_OK; + } + if (!isFIPS && nsf_init) { return CKR_OK; } - - nscFreeAllSlots(); nsslowcert_DestroyGlobalLocks(); @@ -2444,6 +2474,23 @@ CK_RV NSC_Finalize (CK_VOID_PTR pReserved) return CKR_OK; } +/* NSC_Finalize indicates that an application is done with the + * Cryptoki library.*/ +CK_RV NSC_Finalize (CK_VOID_PTR pReserved) +{ + CK_RV crv; + + if (!nsc_init) { + return CKR_OK; + } + + crv = nsc_CommonFinalize (pReserved, PR_FALSE); + + nsc_init = (PRBool) !(crv == CKR_OK); + + return crv; +} + extern const char __nss_softokn_rcsid[]; extern const char __nss_softokn_sccsid[]; @@ -2465,15 +2512,24 @@ CK_RV NSC_GetInfo(CK_INFO_PTR pInfo) /* NSC_GetSlotList obtains a list of slots in the system. */ -CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent, - CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) +CK_RV nsc_CommonGetSlotList(CK_BBOOL tokenPresent, + CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex) { - *pulCount = nscSlotCount; + *pulCount = nscSlotCount[moduleIndex]; if (pSlotList != NULL) { - PORT_Memcpy(pSlotList,nscSlotList,nscSlotCount*sizeof(CK_SLOT_ID)); + PORT_Memcpy(pSlotList,nscSlotList[moduleIndex], + nscSlotCount[moduleIndex]*sizeof(CK_SLOT_ID)); } return CKR_OK; } + +/* NSC_GetSlotList obtains a list of slots in the system. */ +CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent, + CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) +{ + return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount, + NSC_NON_FIPS_MODULE); +} /* NSC_GetSlotInfo obtains information about a particular slot in the system. */ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index d909eaae7..af3350cd0 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -90,6 +90,9 @@ #define NSC_SEARCH_BLOCK_SIZE 5 #define NSC_SLOT_LIST_BLOCK_SIZE 10 +#define NSC_FIPS_MODULE 1 +#define NSC_NON_FIPS_MODULE 0 + /* these are data base storage hashes, not cryptographic hashes.. The define * the effective size of the various object hash tables */ #ifdef MOZ_CLIENT @@ -521,9 +524,14 @@ typedef struct pk11_parametersStr { SEC_BEGIN_PROTOS +extern int nsf_init; extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS); +extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS); +extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, + CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex); /* shared functions between PKCS11.c and PK11FIPS.c */ -extern CK_RV PK11_SlotInit(char *configdir,pk11_token_parameters *params); +extern CK_RV PK11_SlotInit(char *configdir,pk11_token_parameters *params, + int moduleIndex); /* internal utility functions used by pkcs11.c */ extern PK11Attribute *pk11_FindAttribute(PK11Object *object, -- cgit v1.2.1