diff options
Diffstat (limited to 'nss/lib/pk11wrap')
33 files changed, 15292 insertions, 13965 deletions
diff --git a/nss/lib/pk11wrap/debug_module.c b/nss/lib/pk11wrap/debug_module.c index 89ebacc..9230c01 100644 --- a/nss/lib/pk11wrap/debug_module.c +++ b/nss/lib/pk11wrap/debug_module.c @@ -3,7 +3,7 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "prlog.h" #include <stdio.h> -#include "cert.h" /* for CERT_DerNameToAscii & CERT_Hexify */ +#include "cert.h" /* for CERT_DerNameToAscii & CERT_Hexify */ static PRLogModuleInfo *modlog = NULL; @@ -13,575 +13,593 @@ static CK_FUNCTION_LIST debug_functions; static void print_final_statistics(void); -#define STRING static const char - -STRING fmt_flags[] = " flags = 0x%x"; -STRING fmt_hKey[] = " hKey = 0x%x"; -STRING fmt_hObject[] = " hObject = 0x%x"; -STRING fmt_hSession[] = " hSession = 0x%x"; -STRING fmt_manufacturerID[] = " manufacturerID = \"%.32s\""; -STRING fmt_pData[] = " pData = 0x%p"; -STRING fmt_pDigest[] = " pDigest = 0x%p"; -STRING fmt_pEncryptedData[] = " pEncryptedData = 0x%p"; -STRING fmt_pEncryptedPart[] = " pEncryptedPart = 0x%p"; -STRING fmt_pInfo[] = " pInfo = 0x%p"; -STRING fmt_pMechanism[] = " pMechanism = 0x%p"; -STRING fmt_pOperationState[] = " pOperationState = 0x%p"; -STRING fmt_pPart[] = " pPart = 0x%p"; -STRING fmt_pPin[] = " pPin = 0x%p"; -STRING fmt_pSignature[] = " pSignature = 0x%p"; -STRING fmt_pTemplate[] = " pTemplate = 0x%p"; -STRING fmt_pWrappedKey[] = " pWrappedKey = 0x%p"; -STRING fmt_phKey[] = " phKey = 0x%p"; -STRING fmt_phObject[] = " phObject = 0x%p"; -STRING fmt_pulCount[] = " pulCount = 0x%p"; -STRING fmt_pulDataLen[] = " pulDataLen = 0x%p"; -STRING fmt_pulDigestLen[] = " pulDigestLen = 0x%p"; -STRING fmt_pulEncryptedPartLen[] = " pulEncryptedPartLen = 0x%p"; -STRING fmt_pulPartLen[] = " pulPartLen = 0x%p"; -STRING fmt_pulSignatureLen[] = " pulSignatureLen = 0x%p"; -STRING fmt_slotID[] = " slotID = 0x%x"; -STRING fmt_sphKey[] = " *phKey = 0x%x"; -STRING fmt_spulCount[] = " *pulCount = 0x%x"; -STRING fmt_spulDataLen[] = " *pulDataLen = 0x%x"; -STRING fmt_spulDigestLen[] = " *pulDigestLen = 0x%x"; +#define STRING static const char + +STRING fmt_flags[] = " flags = 0x%x"; +STRING fmt_hKey[] = " hKey = 0x%x"; +STRING fmt_hObject[] = " hObject = 0x%x"; +STRING fmt_hSession[] = " hSession = 0x%x"; +STRING fmt_manufacturerID[] = " manufacturerID = \"%.32s\""; +STRING fmt_pData[] = " pData = 0x%p"; +STRING fmt_pDigest[] = " pDigest = 0x%p"; +STRING fmt_pEncryptedData[] = " pEncryptedData = 0x%p"; +STRING fmt_pEncryptedPart[] = " pEncryptedPart = 0x%p"; +STRING fmt_pInfo[] = " pInfo = 0x%p"; +STRING fmt_pMechanism[] = " pMechanism = 0x%p"; +STRING fmt_pOperationState[] = " pOperationState = 0x%p"; +STRING fmt_pPart[] = " pPart = 0x%p"; +STRING fmt_pPin[] = " pPin = 0x%p"; +STRING fmt_pSignature[] = " pSignature = 0x%p"; +STRING fmt_pTemplate[] = " pTemplate = 0x%p"; +STRING fmt_pWrappedKey[] = " pWrappedKey = 0x%p"; +STRING fmt_phKey[] = " phKey = 0x%p"; +STRING fmt_phObject[] = " phObject = 0x%p"; +STRING fmt_pulCount[] = " pulCount = 0x%p"; +STRING fmt_pulDataLen[] = " pulDataLen = 0x%p"; +STRING fmt_pulDigestLen[] = " pulDigestLen = 0x%p"; +STRING fmt_pulEncryptedPartLen[] = " pulEncryptedPartLen = 0x%p"; +STRING fmt_pulPartLen[] = " pulPartLen = 0x%p"; +STRING fmt_pulSignatureLen[] = " pulSignatureLen = 0x%p"; +STRING fmt_slotID[] = " slotID = 0x%x"; +STRING fmt_sphKey[] = " *phKey = 0x%x"; +STRING fmt_spulCount[] = " *pulCount = 0x%x"; +STRING fmt_spulDataLen[] = " *pulDataLen = 0x%x"; +STRING fmt_spulDigestLen[] = " *pulDigestLen = 0x%x"; STRING fmt_spulEncryptedPartLen[] = " *pulEncryptedPartLen = 0x%x"; -STRING fmt_spulPartLen[] = " *pulPartLen = 0x%x"; -STRING fmt_spulSignatureLen[] = " *pulSignatureLen = 0x%x"; -STRING fmt_ulAttributeCount[] = " ulAttributeCount = %d"; -STRING fmt_ulCount[] = " ulCount = %d"; -STRING fmt_ulDataLen[] = " ulDataLen = %d"; -STRING fmt_ulEncryptedPartLen[] = " ulEncryptedPartLen = %d"; -STRING fmt_ulPartLen[] = " ulPartLen = %d"; -STRING fmt_ulPinLen[] = " ulPinLen = %d"; -STRING fmt_ulSignatureLen[] = " ulSignatureLen = %d"; - -STRING fmt_fwVersion[] = " firmware version: %d.%d"; -STRING fmt_hwVersion[] = " hardware version: %d.%d"; -STRING fmt_s_qsq_d[] = " %s = \"%s\" [%d]"; -STRING fmt_s_s_d[] = " %s = %s [%d]"; -STRING fmt_s_lu[] = " %s = %lu"; -STRING fmt_invalid_handle[] = " (CK_INVALID_HANDLE)"; - - -static void get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len) -{ -#define CASE(attr) case attr: a = #attr ; break - - const char * a = NULL; +STRING fmt_spulPartLen[] = " *pulPartLen = 0x%x"; +STRING fmt_spulSignatureLen[] = " *pulSignatureLen = 0x%x"; +STRING fmt_ulAttributeCount[] = " ulAttributeCount = %d"; +STRING fmt_ulCount[] = " ulCount = %d"; +STRING fmt_ulDataLen[] = " ulDataLen = %d"; +STRING fmt_ulEncryptedPartLen[] = " ulEncryptedPartLen = %d"; +STRING fmt_ulPartLen[] = " ulPartLen = %d"; +STRING fmt_ulPinLen[] = " ulPinLen = %d"; +STRING fmt_ulSignatureLen[] = " ulSignatureLen = %d"; + +STRING fmt_fwVersion[] = " firmware version: %d.%d"; +STRING fmt_hwVersion[] = " hardware version: %d.%d"; +STRING fmt_s_qsq_d[] = " %s = \"%s\" [%d]"; +STRING fmt_s_s_d[] = " %s = %s [%d]"; +STRING fmt_s_lu[] = " %s = %lu"; +STRING fmt_invalid_handle[] = " (CK_INVALID_HANDLE)"; + +static void +get_attr_type_str(CK_ATTRIBUTE_TYPE atype, char *str, int len) +{ +#define CASE(attr) \ + case attr: \ + a = #attr; \ + break + + const char *a = NULL; switch (atype) { - CASE(CKA_CLASS); - CASE(CKA_TOKEN); - CASE(CKA_PRIVATE); - CASE(CKA_LABEL); - CASE(CKA_APPLICATION); - CASE(CKA_VALUE); - CASE(CKA_OBJECT_ID); - CASE(CKA_CERTIFICATE_TYPE); - CASE(CKA_CERTIFICATE_CATEGORY); - CASE(CKA_ISSUER); - CASE(CKA_SERIAL_NUMBER); - CASE(CKA_AC_ISSUER); - CASE(CKA_OWNER); - CASE(CKA_ATTR_TYPES); - CASE(CKA_TRUSTED); - CASE(CKA_KEY_TYPE); - CASE(CKA_SUBJECT); - CASE(CKA_ID); - CASE(CKA_SENSITIVE); - CASE(CKA_ENCRYPT); - CASE(CKA_DECRYPT); - CASE(CKA_WRAP); - CASE(CKA_UNWRAP); - CASE(CKA_SIGN); - CASE(CKA_SIGN_RECOVER); - CASE(CKA_VERIFY); - CASE(CKA_VERIFY_RECOVER); - CASE(CKA_DERIVE); - CASE(CKA_START_DATE); - CASE(CKA_END_DATE); - CASE(CKA_MODULUS); - CASE(CKA_MODULUS_BITS); - CASE(CKA_PUBLIC_EXPONENT); - CASE(CKA_PRIVATE_EXPONENT); - CASE(CKA_PRIME_1); - CASE(CKA_PRIME_2); - CASE(CKA_EXPONENT_1); - CASE(CKA_EXPONENT_2); - CASE(CKA_COEFFICIENT); - CASE(CKA_PRIME); - CASE(CKA_SUBPRIME); - CASE(CKA_BASE); - CASE(CKA_PRIME_BITS); - CASE(CKA_SUBPRIME_BITS); - CASE(CKA_VALUE_BITS); - CASE(CKA_VALUE_LEN); - CASE(CKA_EXTRACTABLE); - CASE(CKA_LOCAL); - CASE(CKA_NEVER_EXTRACTABLE); - CASE(CKA_ALWAYS_SENSITIVE); - CASE(CKA_KEY_GEN_MECHANISM); - CASE(CKA_MODIFIABLE); - CASE(CKA_ECDSA_PARAMS); - CASE(CKA_EC_POINT); - CASE(CKA_SECONDARY_AUTH); - CASE(CKA_AUTH_PIN_FLAGS); - CASE(CKA_HW_FEATURE_TYPE); - CASE(CKA_RESET_ON_INIT); - CASE(CKA_HAS_RESET); - CASE(CKA_VENDOR_DEFINED); - CASE(CKA_NSS_URL); - CASE(CKA_NSS_EMAIL); - CASE(CKA_NSS_SMIME_INFO); - CASE(CKA_NSS_SMIME_TIMESTAMP); - CASE(CKA_NSS_PKCS8_SALT); - CASE(CKA_NSS_PASSWORD_CHECK); - CASE(CKA_NSS_EXPIRES); - CASE(CKA_NSS_KRL); - CASE(CKA_NSS_PQG_COUNTER); - CASE(CKA_NSS_PQG_SEED); - CASE(CKA_NSS_PQG_H); - CASE(CKA_NSS_PQG_SEED_BITS); - CASE(CKA_TRUST); - CASE(CKA_TRUST_DIGITAL_SIGNATURE); - CASE(CKA_TRUST_NON_REPUDIATION); - CASE(CKA_TRUST_KEY_ENCIPHERMENT); - CASE(CKA_TRUST_DATA_ENCIPHERMENT); - CASE(CKA_TRUST_KEY_AGREEMENT); - CASE(CKA_TRUST_KEY_CERT_SIGN); - CASE(CKA_TRUST_CRL_SIGN); - CASE(CKA_TRUST_SERVER_AUTH); - CASE(CKA_TRUST_CLIENT_AUTH); - CASE(CKA_TRUST_CODE_SIGNING); - CASE(CKA_TRUST_EMAIL_PROTECTION); - CASE(CKA_TRUST_IPSEC_END_SYSTEM); - CASE(CKA_TRUST_IPSEC_TUNNEL); - CASE(CKA_TRUST_IPSEC_USER); - CASE(CKA_TRUST_TIME_STAMPING); - CASE(CKA_CERT_SHA1_HASH); - CASE(CKA_CERT_MD5_HASH); - CASE(CKA_NETSCAPE_DB); - CASE(CKA_NETSCAPE_TRUST); - default: break; + CASE(CKA_CLASS); + CASE(CKA_TOKEN); + CASE(CKA_PRIVATE); + CASE(CKA_LABEL); + CASE(CKA_APPLICATION); + CASE(CKA_VALUE); + CASE(CKA_OBJECT_ID); + CASE(CKA_CERTIFICATE_TYPE); + CASE(CKA_CERTIFICATE_CATEGORY); + CASE(CKA_ISSUER); + CASE(CKA_SERIAL_NUMBER); + CASE(CKA_AC_ISSUER); + CASE(CKA_OWNER); + CASE(CKA_ATTR_TYPES); + CASE(CKA_TRUSTED); + CASE(CKA_KEY_TYPE); + CASE(CKA_SUBJECT); + CASE(CKA_ID); + CASE(CKA_SENSITIVE); + CASE(CKA_ENCRYPT); + CASE(CKA_DECRYPT); + CASE(CKA_WRAP); + CASE(CKA_UNWRAP); + CASE(CKA_SIGN); + CASE(CKA_SIGN_RECOVER); + CASE(CKA_VERIFY); + CASE(CKA_VERIFY_RECOVER); + CASE(CKA_DERIVE); + CASE(CKA_START_DATE); + CASE(CKA_END_DATE); + CASE(CKA_MODULUS); + CASE(CKA_MODULUS_BITS); + CASE(CKA_PUBLIC_EXPONENT); + CASE(CKA_PRIVATE_EXPONENT); + CASE(CKA_PRIME_1); + CASE(CKA_PRIME_2); + CASE(CKA_EXPONENT_1); + CASE(CKA_EXPONENT_2); + CASE(CKA_COEFFICIENT); + CASE(CKA_PRIME); + CASE(CKA_SUBPRIME); + CASE(CKA_BASE); + CASE(CKA_PRIME_BITS); + CASE(CKA_SUBPRIME_BITS); + CASE(CKA_VALUE_BITS); + CASE(CKA_VALUE_LEN); + CASE(CKA_EXTRACTABLE); + CASE(CKA_LOCAL); + CASE(CKA_NEVER_EXTRACTABLE); + CASE(CKA_ALWAYS_SENSITIVE); + CASE(CKA_KEY_GEN_MECHANISM); + CASE(CKA_MODIFIABLE); + CASE(CKA_ECDSA_PARAMS); + CASE(CKA_EC_POINT); + CASE(CKA_SECONDARY_AUTH); + CASE(CKA_AUTH_PIN_FLAGS); + CASE(CKA_HW_FEATURE_TYPE); + CASE(CKA_RESET_ON_INIT); + CASE(CKA_HAS_RESET); + CASE(CKA_VENDOR_DEFINED); + CASE(CKA_NSS_URL); + CASE(CKA_NSS_EMAIL); + CASE(CKA_NSS_SMIME_INFO); + CASE(CKA_NSS_SMIME_TIMESTAMP); + CASE(CKA_NSS_PKCS8_SALT); + CASE(CKA_NSS_PASSWORD_CHECK); + CASE(CKA_NSS_EXPIRES); + CASE(CKA_NSS_KRL); + CASE(CKA_NSS_PQG_COUNTER); + CASE(CKA_NSS_PQG_SEED); + CASE(CKA_NSS_PQG_H); + CASE(CKA_NSS_PQG_SEED_BITS); + CASE(CKA_TRUST); + CASE(CKA_TRUST_DIGITAL_SIGNATURE); + CASE(CKA_TRUST_NON_REPUDIATION); + CASE(CKA_TRUST_KEY_ENCIPHERMENT); + CASE(CKA_TRUST_DATA_ENCIPHERMENT); + CASE(CKA_TRUST_KEY_AGREEMENT); + CASE(CKA_TRUST_KEY_CERT_SIGN); + CASE(CKA_TRUST_CRL_SIGN); + CASE(CKA_TRUST_SERVER_AUTH); + CASE(CKA_TRUST_CLIENT_AUTH); + CASE(CKA_TRUST_CODE_SIGNING); + CASE(CKA_TRUST_EMAIL_PROTECTION); + CASE(CKA_TRUST_IPSEC_END_SYSTEM); + CASE(CKA_TRUST_IPSEC_TUNNEL); + CASE(CKA_TRUST_IPSEC_USER); + CASE(CKA_TRUST_TIME_STAMPING); + CASE(CKA_CERT_SHA1_HASH); + CASE(CKA_CERT_MD5_HASH); + CASE(CKA_NETSCAPE_DB); + CASE(CKA_NETSCAPE_TRUST); + default: + break; } if (a) - PR_snprintf(str, len, "%s", a); + PR_snprintf(str, len, "%s", a); else - PR_snprintf(str, len, "0x%p", atype); + PR_snprintf(str, len, "0x%p", atype); } -static void get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len) +static void +get_obj_class(CK_OBJECT_CLASS objClass, char *str, int len) { - const char * a = NULL; + const char *a = NULL; switch (objClass) { - CASE(CKO_DATA); - CASE(CKO_CERTIFICATE); - CASE(CKO_PUBLIC_KEY); - CASE(CKO_PRIVATE_KEY); - CASE(CKO_SECRET_KEY); - CASE(CKO_HW_FEATURE); - CASE(CKO_DOMAIN_PARAMETERS); - CASE(CKO_NSS_CRL); - CASE(CKO_NSS_SMIME); - CASE(CKO_NSS_TRUST); - CASE(CKO_NSS_BUILTIN_ROOT_LIST); - default: break; + CASE(CKO_DATA); + CASE(CKO_CERTIFICATE); + CASE(CKO_PUBLIC_KEY); + CASE(CKO_PRIVATE_KEY); + CASE(CKO_SECRET_KEY); + CASE(CKO_HW_FEATURE); + CASE(CKO_DOMAIN_PARAMETERS); + CASE(CKO_NSS_CRL); + CASE(CKO_NSS_SMIME); + CASE(CKO_NSS_TRUST); + CASE(CKO_NSS_BUILTIN_ROOT_LIST); + default: + break; } if (a) - PR_snprintf(str, len, "%s", a); + PR_snprintf(str, len, "%s", a); else - PR_snprintf(str, len, "0x%p", objClass); + PR_snprintf(str, len, "0x%p", objClass); } -static void get_trust_val(CK_TRUST trust, char *str, int len) +static void +get_trust_val(CK_TRUST trust, char *str, int len) { - const char * a = NULL; + const char *a = NULL; switch (trust) { - CASE(CKT_NSS_TRUSTED); - CASE(CKT_NSS_TRUSTED_DELEGATOR); - CASE(CKT_NSS_NOT_TRUSTED); - CASE(CKT_NSS_MUST_VERIFY_TRUST); - CASE(CKT_NSS_TRUST_UNKNOWN); - CASE(CKT_NSS_VALID_DELEGATOR); - default: break; + CASE(CKT_NSS_TRUSTED); + CASE(CKT_NSS_TRUSTED_DELEGATOR); + CASE(CKT_NSS_NOT_TRUSTED); + CASE(CKT_NSS_MUST_VERIFY_TRUST); + CASE(CKT_NSS_TRUST_UNKNOWN); + CASE(CKT_NSS_VALID_DELEGATOR); + default: + break; } if (a) - PR_snprintf(str, len, "%s", a); + PR_snprintf(str, len, "%s", a); else - PR_snprintf(str, len, "0x%p", trust); + PR_snprintf(str, len, "0x%p", trust); } -static void log_rv(CK_RV rv) +static void +log_rv(CK_RV rv) { - const char * a = NULL; + const char *a = NULL; switch (rv) { - CASE(CKR_OK); - CASE(CKR_CANCEL); - CASE(CKR_HOST_MEMORY); - CASE(CKR_SLOT_ID_INVALID); - CASE(CKR_GENERAL_ERROR); - CASE(CKR_FUNCTION_FAILED); - CASE(CKR_ARGUMENTS_BAD); - CASE(CKR_NO_EVENT); - CASE(CKR_NEED_TO_CREATE_THREADS); - CASE(CKR_CANT_LOCK); - CASE(CKR_ATTRIBUTE_READ_ONLY); - CASE(CKR_ATTRIBUTE_SENSITIVE); - CASE(CKR_ATTRIBUTE_TYPE_INVALID); - CASE(CKR_ATTRIBUTE_VALUE_INVALID); - CASE(CKR_DATA_INVALID); - CASE(CKR_DATA_LEN_RANGE); - CASE(CKR_DEVICE_ERROR); - CASE(CKR_DEVICE_MEMORY); - CASE(CKR_DEVICE_REMOVED); - CASE(CKR_ENCRYPTED_DATA_INVALID); - CASE(CKR_ENCRYPTED_DATA_LEN_RANGE); - CASE(CKR_FUNCTION_CANCELED); - CASE(CKR_FUNCTION_NOT_PARALLEL); - CASE(CKR_FUNCTION_NOT_SUPPORTED); - CASE(CKR_KEY_HANDLE_INVALID); - CASE(CKR_KEY_SIZE_RANGE); - CASE(CKR_KEY_TYPE_INCONSISTENT); - CASE(CKR_KEY_NOT_NEEDED); - CASE(CKR_KEY_CHANGED); - CASE(CKR_KEY_NEEDED); - CASE(CKR_KEY_INDIGESTIBLE); - CASE(CKR_KEY_FUNCTION_NOT_PERMITTED); - CASE(CKR_KEY_NOT_WRAPPABLE); - CASE(CKR_KEY_UNEXTRACTABLE); - CASE(CKR_MECHANISM_INVALID); - CASE(CKR_MECHANISM_PARAM_INVALID); - CASE(CKR_OBJECT_HANDLE_INVALID); - CASE(CKR_OPERATION_ACTIVE); - CASE(CKR_OPERATION_NOT_INITIALIZED); - CASE(CKR_PIN_INCORRECT); - CASE(CKR_PIN_INVALID); - CASE(CKR_PIN_LEN_RANGE); - CASE(CKR_PIN_EXPIRED); - CASE(CKR_PIN_LOCKED); - CASE(CKR_SESSION_CLOSED); - CASE(CKR_SESSION_COUNT); - CASE(CKR_SESSION_HANDLE_INVALID); - CASE(CKR_SESSION_PARALLEL_NOT_SUPPORTED); - CASE(CKR_SESSION_READ_ONLY); - CASE(CKR_SESSION_EXISTS); - CASE(CKR_SESSION_READ_ONLY_EXISTS); - CASE(CKR_SESSION_READ_WRITE_SO_EXISTS); - CASE(CKR_SIGNATURE_INVALID); - CASE(CKR_SIGNATURE_LEN_RANGE); - CASE(CKR_TEMPLATE_INCOMPLETE); - CASE(CKR_TEMPLATE_INCONSISTENT); - CASE(CKR_TOKEN_NOT_PRESENT); - CASE(CKR_TOKEN_NOT_RECOGNIZED); - CASE(CKR_TOKEN_WRITE_PROTECTED); - CASE(CKR_UNWRAPPING_KEY_HANDLE_INVALID); - CASE(CKR_UNWRAPPING_KEY_SIZE_RANGE); - CASE(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT); - CASE(CKR_USER_ALREADY_LOGGED_IN); - CASE(CKR_USER_NOT_LOGGED_IN); - CASE(CKR_USER_PIN_NOT_INITIALIZED); - CASE(CKR_USER_TYPE_INVALID); - CASE(CKR_USER_ANOTHER_ALREADY_LOGGED_IN); - CASE(CKR_USER_TOO_MANY_TYPES); - CASE(CKR_WRAPPED_KEY_INVALID); - CASE(CKR_WRAPPED_KEY_LEN_RANGE); - CASE(CKR_WRAPPING_KEY_HANDLE_INVALID); - CASE(CKR_WRAPPING_KEY_SIZE_RANGE); - CASE(CKR_WRAPPING_KEY_TYPE_INCONSISTENT); - CASE(CKR_RANDOM_SEED_NOT_SUPPORTED); - CASE(CKR_RANDOM_NO_RNG); - CASE(CKR_DOMAIN_PARAMS_INVALID); - CASE(CKR_BUFFER_TOO_SMALL); - CASE(CKR_SAVED_STATE_INVALID); - CASE(CKR_INFORMATION_SENSITIVE); - CASE(CKR_STATE_UNSAVEABLE); - CASE(CKR_CRYPTOKI_NOT_INITIALIZED); - CASE(CKR_CRYPTOKI_ALREADY_INITIALIZED); - CASE(CKR_MUTEX_BAD); - CASE(CKR_MUTEX_NOT_LOCKED); - CASE(CKR_FUNCTION_REJECTED); - CASE(CKR_KEY_PARAMS_INVALID); - default: break; + CASE(CKR_OK); + CASE(CKR_CANCEL); + CASE(CKR_HOST_MEMORY); + CASE(CKR_SLOT_ID_INVALID); + CASE(CKR_GENERAL_ERROR); + CASE(CKR_FUNCTION_FAILED); + CASE(CKR_ARGUMENTS_BAD); + CASE(CKR_NO_EVENT); + CASE(CKR_NEED_TO_CREATE_THREADS); + CASE(CKR_CANT_LOCK); + CASE(CKR_ATTRIBUTE_READ_ONLY); + CASE(CKR_ATTRIBUTE_SENSITIVE); + CASE(CKR_ATTRIBUTE_TYPE_INVALID); + CASE(CKR_ATTRIBUTE_VALUE_INVALID); + CASE(CKR_DATA_INVALID); + CASE(CKR_DATA_LEN_RANGE); + CASE(CKR_DEVICE_ERROR); + CASE(CKR_DEVICE_MEMORY); + CASE(CKR_DEVICE_REMOVED); + CASE(CKR_ENCRYPTED_DATA_INVALID); + CASE(CKR_ENCRYPTED_DATA_LEN_RANGE); + CASE(CKR_FUNCTION_CANCELED); + CASE(CKR_FUNCTION_NOT_PARALLEL); + CASE(CKR_FUNCTION_NOT_SUPPORTED); + CASE(CKR_KEY_HANDLE_INVALID); + CASE(CKR_KEY_SIZE_RANGE); + CASE(CKR_KEY_TYPE_INCONSISTENT); + CASE(CKR_KEY_NOT_NEEDED); + CASE(CKR_KEY_CHANGED); + CASE(CKR_KEY_NEEDED); + CASE(CKR_KEY_INDIGESTIBLE); + CASE(CKR_KEY_FUNCTION_NOT_PERMITTED); + CASE(CKR_KEY_NOT_WRAPPABLE); + CASE(CKR_KEY_UNEXTRACTABLE); + CASE(CKR_MECHANISM_INVALID); + CASE(CKR_MECHANISM_PARAM_INVALID); + CASE(CKR_OBJECT_HANDLE_INVALID); + CASE(CKR_OPERATION_ACTIVE); + CASE(CKR_OPERATION_NOT_INITIALIZED); + CASE(CKR_PIN_INCORRECT); + CASE(CKR_PIN_INVALID); + CASE(CKR_PIN_LEN_RANGE); + CASE(CKR_PIN_EXPIRED); + CASE(CKR_PIN_LOCKED); + CASE(CKR_SESSION_CLOSED); + CASE(CKR_SESSION_COUNT); + CASE(CKR_SESSION_HANDLE_INVALID); + CASE(CKR_SESSION_PARALLEL_NOT_SUPPORTED); + CASE(CKR_SESSION_READ_ONLY); + CASE(CKR_SESSION_EXISTS); + CASE(CKR_SESSION_READ_ONLY_EXISTS); + CASE(CKR_SESSION_READ_WRITE_SO_EXISTS); + CASE(CKR_SIGNATURE_INVALID); + CASE(CKR_SIGNATURE_LEN_RANGE); + CASE(CKR_TEMPLATE_INCOMPLETE); + CASE(CKR_TEMPLATE_INCONSISTENT); + CASE(CKR_TOKEN_NOT_PRESENT); + CASE(CKR_TOKEN_NOT_RECOGNIZED); + CASE(CKR_TOKEN_WRITE_PROTECTED); + CASE(CKR_UNWRAPPING_KEY_HANDLE_INVALID); + CASE(CKR_UNWRAPPING_KEY_SIZE_RANGE); + CASE(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT); + CASE(CKR_USER_ALREADY_LOGGED_IN); + CASE(CKR_USER_NOT_LOGGED_IN); + CASE(CKR_USER_PIN_NOT_INITIALIZED); + CASE(CKR_USER_TYPE_INVALID); + CASE(CKR_USER_ANOTHER_ALREADY_LOGGED_IN); + CASE(CKR_USER_TOO_MANY_TYPES); + CASE(CKR_WRAPPED_KEY_INVALID); + CASE(CKR_WRAPPED_KEY_LEN_RANGE); + CASE(CKR_WRAPPING_KEY_HANDLE_INVALID); + CASE(CKR_WRAPPING_KEY_SIZE_RANGE); + CASE(CKR_WRAPPING_KEY_TYPE_INCONSISTENT); + CASE(CKR_RANDOM_SEED_NOT_SUPPORTED); + CASE(CKR_RANDOM_NO_RNG); + CASE(CKR_DOMAIN_PARAMS_INVALID); + CASE(CKR_BUFFER_TOO_SMALL); + CASE(CKR_SAVED_STATE_INVALID); + CASE(CKR_INFORMATION_SENSITIVE); + CASE(CKR_STATE_UNSAVEABLE); + CASE(CKR_CRYPTOKI_NOT_INITIALIZED); + CASE(CKR_CRYPTOKI_ALREADY_INITIALIZED); + CASE(CKR_MUTEX_BAD); + CASE(CKR_MUTEX_NOT_LOCKED); + CASE(CKR_FUNCTION_REJECTED); + CASE(CKR_KEY_PARAMS_INVALID); + default: + break; } if (a) - PR_LOG(modlog, 1, (" rv = %s\n", a)); + PR_LOG(modlog, 1, (" rv = %s\n", a)); else - PR_LOG(modlog, 1, (" rv = 0x%x\n", rv)); + PR_LOG(modlog, 1, (" rv = 0x%x\n", rv)); } -static void log_state(CK_STATE state) +static void +log_state(CK_STATE state) { - const char * a = NULL; + const char *a = NULL; switch (state) { - CASE(CKS_RO_PUBLIC_SESSION); - CASE(CKS_RO_USER_FUNCTIONS); - CASE(CKS_RW_PUBLIC_SESSION); - CASE(CKS_RW_USER_FUNCTIONS); - CASE(CKS_RW_SO_FUNCTIONS); - default: break; + CASE(CKS_RO_PUBLIC_SESSION); + CASE(CKS_RO_USER_FUNCTIONS); + CASE(CKS_RW_PUBLIC_SESSION); + CASE(CKS_RW_USER_FUNCTIONS); + CASE(CKS_RW_SO_FUNCTIONS); + default: + break; } if (a) - PR_LOG(modlog, 1, (" state = %s\n", a)); + PR_LOG(modlog, 1, (" state = %s\n", a)); else - PR_LOG(modlog, 1, (" state = 0x%x\n", state)); + PR_LOG(modlog, 1, (" state = 0x%x\n", state)); } -static void log_handle(int level, const char * format, CK_ULONG handle) +static void +log_handle(int level, const char *format, CK_ULONG handle) { char fmtBuf[80]; if (handle) - PR_LOG(modlog, level, (format, handle)); + PR_LOG(modlog, level, (format, handle)); else { - PL_strncpyz(fmtBuf, format, sizeof fmtBuf); - PL_strcatn(fmtBuf, sizeof fmtBuf, fmt_invalid_handle); - PR_LOG(modlog, level, (fmtBuf, handle)); + PL_strncpyz(fmtBuf, format, sizeof fmtBuf); + PL_strcatn(fmtBuf, sizeof fmtBuf, fmt_invalid_handle); + PR_LOG(modlog, level, (fmtBuf, handle)); } } -static void print_mechanism(CK_MECHANISM_PTR m) +static void +print_mechanism(CK_MECHANISM_PTR m) { - const char * a = NULL; + const char *a = NULL; switch (m->mechanism) { - CASE(CKM_AES_CBC); - CASE(CKM_AES_CBC_ENCRYPT_DATA); - CASE(CKM_AES_CBC_PAD); - CASE(CKM_AES_CCM); - CASE(CKM_AES_CTR); - CASE(CKM_AES_CTS); - CASE(CKM_AES_GCM); - CASE(CKM_AES_ECB); - CASE(CKM_AES_ECB_ENCRYPT_DATA); - CASE(CKM_AES_KEY_GEN); - CASE(CKM_AES_MAC); - CASE(CKM_AES_MAC_GENERAL); - CASE(CKM_CAMELLIA_CBC); - CASE(CKM_CAMELLIA_CBC_ENCRYPT_DATA); - CASE(CKM_CAMELLIA_CBC_PAD); - CASE(CKM_CAMELLIA_ECB); - CASE(CKM_CAMELLIA_ECB_ENCRYPT_DATA); - CASE(CKM_CAMELLIA_KEY_GEN); - CASE(CKM_CAMELLIA_MAC); - CASE(CKM_CAMELLIA_MAC_GENERAL); - CASE(CKM_CDMF_CBC); - CASE(CKM_CDMF_CBC_PAD); - CASE(CKM_CDMF_ECB); - CASE(CKM_CDMF_KEY_GEN); - CASE(CKM_CDMF_MAC); - CASE(CKM_CDMF_MAC_GENERAL); - CASE(CKM_CMS_SIG); - CASE(CKM_CONCATENATE_BASE_AND_DATA); - CASE(CKM_CONCATENATE_BASE_AND_KEY); - CASE(CKM_CONCATENATE_DATA_AND_BASE); - CASE(CKM_DES2_KEY_GEN); - CASE(CKM_DES3_CBC); - CASE(CKM_DES3_CBC_ENCRYPT_DATA); - CASE(CKM_DES3_CBC_PAD); - CASE(CKM_DES3_ECB); - CASE(CKM_DES3_ECB_ENCRYPT_DATA); - CASE(CKM_DES3_KEY_GEN); - CASE(CKM_DES3_MAC); - CASE(CKM_DES3_MAC_GENERAL); - CASE(CKM_DES_CBC); - CASE(CKM_DES_CBC_ENCRYPT_DATA); - CASE(CKM_DES_CBC_PAD); - CASE(CKM_DES_CFB64); - CASE(CKM_DES_CFB8); - CASE(CKM_DES_ECB); - CASE(CKM_DES_ECB_ENCRYPT_DATA); - CASE(CKM_DES_KEY_GEN); - CASE(CKM_DES_MAC); - CASE(CKM_DES_MAC_GENERAL); - CASE(CKM_DES_OFB64); - CASE(CKM_DES_OFB8); - CASE(CKM_DH_PKCS_DERIVE); - CASE(CKM_DH_PKCS_KEY_PAIR_GEN); - CASE(CKM_DH_PKCS_PARAMETER_GEN); - CASE(CKM_DSA); - CASE(CKM_DSA_KEY_PAIR_GEN); - CASE(CKM_DSA_PARAMETER_GEN); - CASE(CKM_DSA_SHA1); - CASE(CKM_ECDH1_COFACTOR_DERIVE); - CASE(CKM_ECDH1_DERIVE); - CASE(CKM_ECDSA); - CASE(CKM_ECDSA_SHA1); - CASE(CKM_ECMQV_DERIVE); - CASE(CKM_EC_KEY_PAIR_GEN); /* also CASE(CKM_ECDSA_KEY_PAIR_GEN); */ - CASE(CKM_EXTRACT_KEY_FROM_KEY); - CASE(CKM_FASTHASH); - CASE(CKM_FORTEZZA_TIMESTAMP); - CASE(CKM_GENERIC_SECRET_KEY_GEN); - CASE(CKM_IDEA_CBC); - CASE(CKM_IDEA_CBC_PAD); - CASE(CKM_IDEA_ECB); - CASE(CKM_IDEA_KEY_GEN); - CASE(CKM_IDEA_MAC); - CASE(CKM_IDEA_MAC_GENERAL); - CASE(CKM_KEA_KEY_DERIVE); - CASE(CKM_KEA_KEY_PAIR_GEN); - CASE(CKM_KEY_WRAP_LYNKS); - CASE(CKM_KEY_WRAP_SET_OAEP); - CASE(CKM_MD2); - CASE(CKM_MD2_HMAC); - CASE(CKM_MD2_HMAC_GENERAL); - CASE(CKM_MD2_KEY_DERIVATION); - CASE(CKM_MD2_RSA_PKCS); - CASE(CKM_MD5); - CASE(CKM_MD5_HMAC); - CASE(CKM_MD5_HMAC_GENERAL); - CASE(CKM_MD5_KEY_DERIVATION); - CASE(CKM_MD5_RSA_PKCS); - CASE(CKM_PBA_SHA1_WITH_SHA1_HMAC); - CASE(CKM_PBE_MD2_DES_CBC); - CASE(CKM_PBE_MD5_DES_CBC); - CASE(CKM_PBE_SHA1_DES2_EDE_CBC); - CASE(CKM_PBE_SHA1_DES3_EDE_CBC); - CASE(CKM_PBE_SHA1_RC2_128_CBC); - CASE(CKM_PBE_SHA1_RC2_40_CBC); - CASE(CKM_PBE_SHA1_RC4_128); - CASE(CKM_PBE_SHA1_RC4_40); - CASE(CKM_PKCS5_PBKD2); - CASE(CKM_RC2_CBC); - CASE(CKM_RC2_CBC_PAD); - CASE(CKM_RC2_ECB); - CASE(CKM_RC2_KEY_GEN); - CASE(CKM_RC2_MAC); - CASE(CKM_RC2_MAC_GENERAL); - CASE(CKM_RC4); - CASE(CKM_RC4_KEY_GEN); - CASE(CKM_RC5_CBC); - CASE(CKM_RC5_CBC_PAD); - CASE(CKM_RC5_ECB); - CASE(CKM_RC5_KEY_GEN); - CASE(CKM_RC5_MAC); - CASE(CKM_RC5_MAC_GENERAL); - CASE(CKM_RIPEMD128); - CASE(CKM_RIPEMD128_HMAC); - CASE(CKM_RIPEMD128_HMAC_GENERAL); - CASE(CKM_RIPEMD128_RSA_PKCS); - CASE(CKM_RIPEMD160); - CASE(CKM_RIPEMD160_HMAC); - CASE(CKM_RIPEMD160_HMAC_GENERAL); - CASE(CKM_RIPEMD160_RSA_PKCS); - CASE(CKM_RSA_9796); - CASE(CKM_RSA_PKCS); - CASE(CKM_RSA_PKCS_KEY_PAIR_GEN); - CASE(CKM_RSA_PKCS_OAEP); - CASE(CKM_RSA_PKCS_PSS); - CASE(CKM_RSA_X9_31); - CASE(CKM_RSA_X9_31_KEY_PAIR_GEN); - CASE(CKM_RSA_X_509); - CASE(CKM_SHA1_KEY_DERIVATION); - CASE(CKM_SHA1_RSA_PKCS); - CASE(CKM_SHA1_RSA_PKCS_PSS); - CASE(CKM_SHA1_RSA_X9_31); - CASE(CKM_SHA224); - CASE(CKM_SHA224_HMAC); - CASE(CKM_SHA224_HMAC_GENERAL); - CASE(CKM_SHA224_KEY_DERIVATION); - CASE(CKM_SHA224_RSA_PKCS); - CASE(CKM_SHA224_RSA_PKCS_PSS); - CASE(CKM_SHA256); - CASE(CKM_SHA256_HMAC); - CASE(CKM_SHA256_HMAC_GENERAL); - CASE(CKM_SHA256_KEY_DERIVATION); - CASE(CKM_SHA256_RSA_PKCS); - CASE(CKM_SHA256_RSA_PKCS_PSS); - CASE(CKM_SHA384); - CASE(CKM_SHA384_HMAC); - CASE(CKM_SHA384_HMAC_GENERAL); - CASE(CKM_SHA384_KEY_DERIVATION); - CASE(CKM_SHA384_RSA_PKCS); - CASE(CKM_SHA384_RSA_PKCS_PSS); - CASE(CKM_SHA512); - CASE(CKM_SHA512_HMAC); - CASE(CKM_SHA512_HMAC_GENERAL); - CASE(CKM_SHA512_KEY_DERIVATION); - CASE(CKM_SHA512_RSA_PKCS); - CASE(CKM_SHA512_RSA_PKCS_PSS); - CASE(CKM_SHA_1); - CASE(CKM_SHA_1_HMAC); - CASE(CKM_SHA_1_HMAC_GENERAL); - CASE(CKM_SKIPJACK_CBC64); - CASE(CKM_SKIPJACK_CFB16); - CASE(CKM_SKIPJACK_CFB32); - CASE(CKM_SKIPJACK_CFB64); - CASE(CKM_SKIPJACK_CFB8); - CASE(CKM_SKIPJACK_ECB64); - CASE(CKM_SKIPJACK_KEY_GEN); - CASE(CKM_SKIPJACK_OFB64); - CASE(CKM_SKIPJACK_PRIVATE_WRAP); - CASE(CKM_SKIPJACK_RELAYX); - CASE(CKM_SKIPJACK_WRAP); - CASE(CKM_SSL3_KEY_AND_MAC_DERIVE); - CASE(CKM_SSL3_MASTER_KEY_DERIVE); - CASE(CKM_SSL3_MASTER_KEY_DERIVE_DH); - CASE(CKM_SSL3_MD5_MAC); - CASE(CKM_SSL3_PRE_MASTER_KEY_GEN); - CASE(CKM_SSL3_SHA1_MAC); - CASE(CKM_TLS_KEY_AND_MAC_DERIVE); - CASE(CKM_TLS_MASTER_KEY_DERIVE); - CASE(CKM_TLS_MASTER_KEY_DERIVE_DH); - CASE(CKM_TLS_PRE_MASTER_KEY_GEN); - CASE(CKM_TLS_PRF); - CASE(CKM_TWOFISH_CBC); - CASE(CKM_TWOFISH_KEY_GEN); - CASE(CKM_X9_42_DH_DERIVE); - CASE(CKM_X9_42_DH_HYBRID_DERIVE); - CASE(CKM_X9_42_DH_KEY_PAIR_GEN); - CASE(CKM_X9_42_DH_PARAMETER_GEN); - CASE(CKM_X9_42_MQV_DERIVE); - CASE(CKM_XOR_BASE_AND_DATA); - default: break; + CASE(CKM_AES_CBC); + CASE(CKM_AES_CBC_ENCRYPT_DATA); + CASE(CKM_AES_CBC_PAD); + CASE(CKM_AES_CCM); + CASE(CKM_AES_CTR); + CASE(CKM_AES_CTS); + CASE(CKM_AES_GCM); + CASE(CKM_AES_ECB); + CASE(CKM_AES_ECB_ENCRYPT_DATA); + CASE(CKM_AES_KEY_GEN); + CASE(CKM_AES_MAC); + CASE(CKM_AES_MAC_GENERAL); + CASE(CKM_CAMELLIA_CBC); + CASE(CKM_CAMELLIA_CBC_ENCRYPT_DATA); + CASE(CKM_CAMELLIA_CBC_PAD); + CASE(CKM_CAMELLIA_ECB); + CASE(CKM_CAMELLIA_ECB_ENCRYPT_DATA); + CASE(CKM_CAMELLIA_KEY_GEN); + CASE(CKM_CAMELLIA_MAC); + CASE(CKM_CAMELLIA_MAC_GENERAL); + CASE(CKM_CDMF_CBC); + CASE(CKM_CDMF_CBC_PAD); + CASE(CKM_CDMF_ECB); + CASE(CKM_CDMF_KEY_GEN); + CASE(CKM_CDMF_MAC); + CASE(CKM_CDMF_MAC_GENERAL); + CASE(CKM_CMS_SIG); + CASE(CKM_CONCATENATE_BASE_AND_DATA); + CASE(CKM_CONCATENATE_BASE_AND_KEY); + CASE(CKM_CONCATENATE_DATA_AND_BASE); + CASE(CKM_DES2_KEY_GEN); + CASE(CKM_DES3_CBC); + CASE(CKM_DES3_CBC_ENCRYPT_DATA); + CASE(CKM_DES3_CBC_PAD); + CASE(CKM_DES3_ECB); + CASE(CKM_DES3_ECB_ENCRYPT_DATA); + CASE(CKM_DES3_KEY_GEN); + CASE(CKM_DES3_MAC); + CASE(CKM_DES3_MAC_GENERAL); + CASE(CKM_DES_CBC); + CASE(CKM_DES_CBC_ENCRYPT_DATA); + CASE(CKM_DES_CBC_PAD); + CASE(CKM_DES_CFB64); + CASE(CKM_DES_CFB8); + CASE(CKM_DES_ECB); + CASE(CKM_DES_ECB_ENCRYPT_DATA); + CASE(CKM_DES_KEY_GEN); + CASE(CKM_DES_MAC); + CASE(CKM_DES_MAC_GENERAL); + CASE(CKM_DES_OFB64); + CASE(CKM_DES_OFB8); + CASE(CKM_DH_PKCS_DERIVE); + CASE(CKM_DH_PKCS_KEY_PAIR_GEN); + CASE(CKM_DH_PKCS_PARAMETER_GEN); + CASE(CKM_DSA); + CASE(CKM_DSA_KEY_PAIR_GEN); + CASE(CKM_DSA_PARAMETER_GEN); + CASE(CKM_DSA_SHA1); + CASE(CKM_ECDH1_COFACTOR_DERIVE); + CASE(CKM_ECDH1_DERIVE); + CASE(CKM_ECDSA); + CASE(CKM_ECDSA_SHA1); + CASE(CKM_ECMQV_DERIVE); + CASE(CKM_EC_KEY_PAIR_GEN); /* also CASE(CKM_ECDSA_KEY_PAIR_GEN); */ + CASE(CKM_EXTRACT_KEY_FROM_KEY); + CASE(CKM_FASTHASH); + CASE(CKM_FORTEZZA_TIMESTAMP); + CASE(CKM_GENERIC_SECRET_KEY_GEN); + CASE(CKM_IDEA_CBC); + CASE(CKM_IDEA_CBC_PAD); + CASE(CKM_IDEA_ECB); + CASE(CKM_IDEA_KEY_GEN); + CASE(CKM_IDEA_MAC); + CASE(CKM_IDEA_MAC_GENERAL); + CASE(CKM_KEA_KEY_DERIVE); + CASE(CKM_KEA_KEY_PAIR_GEN); + CASE(CKM_KEY_WRAP_LYNKS); + CASE(CKM_KEY_WRAP_SET_OAEP); + CASE(CKM_MD2); + CASE(CKM_MD2_HMAC); + CASE(CKM_MD2_HMAC_GENERAL); + CASE(CKM_MD2_KEY_DERIVATION); + CASE(CKM_MD2_RSA_PKCS); + CASE(CKM_MD5); + CASE(CKM_MD5_HMAC); + CASE(CKM_MD5_HMAC_GENERAL); + CASE(CKM_MD5_KEY_DERIVATION); + CASE(CKM_MD5_RSA_PKCS); + CASE(CKM_PBA_SHA1_WITH_SHA1_HMAC); + CASE(CKM_PBE_MD2_DES_CBC); + CASE(CKM_PBE_MD5_DES_CBC); + CASE(CKM_PBE_SHA1_DES2_EDE_CBC); + CASE(CKM_PBE_SHA1_DES3_EDE_CBC); + CASE(CKM_PBE_SHA1_RC2_128_CBC); + CASE(CKM_PBE_SHA1_RC2_40_CBC); + CASE(CKM_PBE_SHA1_RC4_128); + CASE(CKM_PBE_SHA1_RC4_40); + CASE(CKM_PKCS5_PBKD2); + CASE(CKM_RC2_CBC); + CASE(CKM_RC2_CBC_PAD); + CASE(CKM_RC2_ECB); + CASE(CKM_RC2_KEY_GEN); + CASE(CKM_RC2_MAC); + CASE(CKM_RC2_MAC_GENERAL); + CASE(CKM_RC4); + CASE(CKM_RC4_KEY_GEN); + CASE(CKM_RC5_CBC); + CASE(CKM_RC5_CBC_PAD); + CASE(CKM_RC5_ECB); + CASE(CKM_RC5_KEY_GEN); + CASE(CKM_RC5_MAC); + CASE(CKM_RC5_MAC_GENERAL); + CASE(CKM_RIPEMD128); + CASE(CKM_RIPEMD128_HMAC); + CASE(CKM_RIPEMD128_HMAC_GENERAL); + CASE(CKM_RIPEMD128_RSA_PKCS); + CASE(CKM_RIPEMD160); + CASE(CKM_RIPEMD160_HMAC); + CASE(CKM_RIPEMD160_HMAC_GENERAL); + CASE(CKM_RIPEMD160_RSA_PKCS); + CASE(CKM_RSA_9796); + CASE(CKM_RSA_PKCS); + CASE(CKM_RSA_PKCS_KEY_PAIR_GEN); + CASE(CKM_RSA_PKCS_OAEP); + CASE(CKM_RSA_PKCS_PSS); + CASE(CKM_RSA_X9_31); + CASE(CKM_RSA_X9_31_KEY_PAIR_GEN); + CASE(CKM_RSA_X_509); + CASE(CKM_SHA1_KEY_DERIVATION); + CASE(CKM_SHA1_RSA_PKCS); + CASE(CKM_SHA1_RSA_PKCS_PSS); + CASE(CKM_SHA1_RSA_X9_31); + CASE(CKM_SHA224); + CASE(CKM_SHA224_HMAC); + CASE(CKM_SHA224_HMAC_GENERAL); + CASE(CKM_SHA224_KEY_DERIVATION); + CASE(CKM_SHA224_RSA_PKCS); + CASE(CKM_SHA224_RSA_PKCS_PSS); + CASE(CKM_SHA256); + CASE(CKM_SHA256_HMAC); + CASE(CKM_SHA256_HMAC_GENERAL); + CASE(CKM_SHA256_KEY_DERIVATION); + CASE(CKM_SHA256_RSA_PKCS); + CASE(CKM_SHA256_RSA_PKCS_PSS); + CASE(CKM_SHA384); + CASE(CKM_SHA384_HMAC); + CASE(CKM_SHA384_HMAC_GENERAL); + CASE(CKM_SHA384_KEY_DERIVATION); + CASE(CKM_SHA384_RSA_PKCS); + CASE(CKM_SHA384_RSA_PKCS_PSS); + CASE(CKM_SHA512); + CASE(CKM_SHA512_HMAC); + CASE(CKM_SHA512_HMAC_GENERAL); + CASE(CKM_SHA512_KEY_DERIVATION); + CASE(CKM_SHA512_RSA_PKCS); + CASE(CKM_SHA512_RSA_PKCS_PSS); + CASE(CKM_SHA_1); + CASE(CKM_SHA_1_HMAC); + CASE(CKM_SHA_1_HMAC_GENERAL); + CASE(CKM_SKIPJACK_CBC64); + CASE(CKM_SKIPJACK_CFB16); + CASE(CKM_SKIPJACK_CFB32); + CASE(CKM_SKIPJACK_CFB64); + CASE(CKM_SKIPJACK_CFB8); + CASE(CKM_SKIPJACK_ECB64); + CASE(CKM_SKIPJACK_KEY_GEN); + CASE(CKM_SKIPJACK_OFB64); + CASE(CKM_SKIPJACK_PRIVATE_WRAP); + CASE(CKM_SKIPJACK_RELAYX); + CASE(CKM_SKIPJACK_WRAP); + CASE(CKM_SSL3_KEY_AND_MAC_DERIVE); + CASE(CKM_SSL3_MASTER_KEY_DERIVE); + CASE(CKM_SSL3_MASTER_KEY_DERIVE_DH); + CASE(CKM_SSL3_MD5_MAC); + CASE(CKM_SSL3_PRE_MASTER_KEY_GEN); + CASE(CKM_SSL3_SHA1_MAC); + CASE(CKM_TLS_KEY_AND_MAC_DERIVE); + CASE(CKM_TLS_MASTER_KEY_DERIVE); + CASE(CKM_TLS_MASTER_KEY_DERIVE_DH); + CASE(CKM_TLS_PRE_MASTER_KEY_GEN); + CASE(CKM_TLS_PRF); + CASE(CKM_TWOFISH_CBC); + CASE(CKM_TWOFISH_KEY_GEN); + CASE(CKM_X9_42_DH_DERIVE); + CASE(CKM_X9_42_DH_HYBRID_DERIVE); + CASE(CKM_X9_42_DH_KEY_PAIR_GEN); + CASE(CKM_X9_42_DH_PARAMETER_GEN); + CASE(CKM_X9_42_MQV_DERIVE); + CASE(CKM_XOR_BASE_AND_DATA); + default: + break; } if (a) - PR_LOG(modlog, 4, (" mechanism = %s", a)); + PR_LOG(modlog, 4, (" mechanism = %s", a)); else - PR_LOG(modlog, 4, (" mechanism = 0x%p", m->mechanism)); + PR_LOG(modlog, 4, (" mechanism = 0x%p", m->mechanism)); } -static void get_key_type(CK_KEY_TYPE keyType, char *str, int len) +static void +get_key_type(CK_KEY_TYPE keyType, char *str, int len) { - const char * a = NULL; + const char *a = NULL; switch (keyType) { - CASE(CKK_AES); - CASE(CKK_CAMELLIA); - CASE(CKK_CDMF); - CASE(CKK_DES); - CASE(CKK_DES2); - CASE(CKK_DES3); - CASE(CKK_DH); - CASE(CKK_DSA); - CASE(CKK_EC); /* also CASE(CKK_ECDSA); */ - CASE(CKK_GENERIC_SECRET); - CASE(CKK_IDEA); - CASE(CKK_INVALID_KEY_TYPE); - CASE(CKK_KEA); - CASE(CKK_RC2); - CASE(CKK_RC4); - CASE(CKK_RC5); - CASE(CKK_RSA); - CASE(CKK_SKIPJACK); - CASE(CKK_TWOFISH); - CASE(CKK_X9_42_DH); - default: break; + CASE(CKK_AES); + CASE(CKK_CAMELLIA); + CASE(CKK_CDMF); + CASE(CKK_DES); + CASE(CKK_DES2); + CASE(CKK_DES3); + CASE(CKK_DH); + CASE(CKK_DSA); + CASE(CKK_EC); /* also CASE(CKK_ECDSA); */ + CASE(CKK_GENERIC_SECRET); + CASE(CKK_IDEA); + CASE(CKK_INVALID_KEY_TYPE); + CASE(CKK_KEA); + CASE(CKK_RC2); + CASE(CKK_RC4); + CASE(CKK_RC5); + CASE(CKK_RSA); + CASE(CKK_SKIPJACK); + CASE(CKK_TWOFISH); + CASE(CKK_X9_42_DH); + default: + break; } if (a) - PR_snprintf(str, len, "%s", a); + PR_snprintf(str, len, "%s", a); else - PR_snprintf(str, len, "0x%p", keyType); + PR_snprintf(str, len, "0x%p", keyType); } -static void print_attr_value(CK_ATTRIBUTE_PTR attr) +static void +print_attr_value(CK_ATTRIBUTE_PTR attr) { char atype[48]; char valstr[49]; @@ -589,153 +607,154 @@ static void print_attr_value(CK_ATTRIBUTE_PTR attr) get_attr_type_str(attr->type, atype, sizeof atype); switch (attr->type) { - case CKA_ALWAYS_SENSITIVE: - case CKA_DECRYPT: - case CKA_DERIVE: - case CKA_ENCRYPT: - case CKA_EXTRACTABLE: - case CKA_LOCAL: - case CKA_MODIFIABLE: - case CKA_NEVER_EXTRACTABLE: - case CKA_PRIVATE: - case CKA_SENSITIVE: - case CKA_SIGN: - case CKA_SIGN_RECOVER: - case CKA_TOKEN: - case CKA_UNWRAP: - case CKA_VERIFY: - case CKA_VERIFY_RECOVER: - case CKA_WRAP: - if (attr->ulValueLen > 0 && attr->pValue) { - CK_BBOOL tf = *((CK_BBOOL *)attr->pValue); - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, tf ? "CK_TRUE" : "CK_FALSE", attr->ulValueLen)); - break; - } - case CKA_CLASS: - if (attr->ulValueLen > 0 && attr->pValue) { - CK_OBJECT_CLASS objClass = *((CK_OBJECT_CLASS *)attr->pValue); - get_obj_class(objClass, valstr, sizeof valstr); - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, valstr, attr->ulValueLen)); - break; - } - case CKA_TRUST_CLIENT_AUTH: - case CKA_TRUST_CODE_SIGNING: - case CKA_TRUST_EMAIL_PROTECTION: - case CKA_TRUST_SERVER_AUTH: - if (attr->ulValueLen > 0 && attr->pValue) { - CK_TRUST trust = *((CK_TRUST *)attr->pValue); - get_trust_val(trust, valstr, sizeof valstr); - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, valstr, attr->ulValueLen)); - break; - } - case CKA_KEY_TYPE: - if (attr->ulValueLen > 0 && attr->pValue) { - CK_KEY_TYPE keyType = *((CK_KEY_TYPE *)attr->pValue); - get_key_type(keyType, valstr, sizeof valstr); - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, valstr, attr->ulValueLen)); - break; - } - case CKA_PIXEL_X: - case CKA_PIXEL_Y: - case CKA_RESOLUTION: - case CKA_CHAR_ROWS: - case CKA_CHAR_COLUMNS: - case CKA_BITS_PER_PIXEL: - case CKA_CERTIFICATE_CATEGORY: /* should print as enum/string */ - case CKA_JAVA_MIDP_SECURITY_DOMAIN: /* should print as enum/string */ - case CKA_MODULUS_BITS: - case CKA_PRIME_BITS: - case CKA_SUBPRIME_BITS: - case CKA_VALUE_BITS: - case CKA_VALUE_LEN: - if (attr->ulValueLen > 0 && attr->pValue) { - CK_ULONG valueLen = *((CK_ULONG *)attr->pValue); - /* XXX check for the special value CK_UNAVAILABLE_INFORMATION */ - PR_LOG(modlog, 4, (fmt_s_lu, atype, (PRUint32)valueLen)); - break; - } - case CKA_LABEL: - case CKA_NSS_EMAIL: - case CKA_NSS_URL: - if (attr->ulValueLen > 0 && attr->pValue) { - len = PR_MIN(attr->ulValueLen + 1, sizeof valstr); - PR_snprintf(valstr, len, "%s", attr->pValue); - PR_LOG(modlog, 4, (fmt_s_qsq_d, - atype, valstr, attr->ulValueLen)); - break; - } - case CKA_ISSUER: - case CKA_SUBJECT: - if (attr->ulValueLen > 0 && attr->pValue) { - char * asciiName; - SECItem derName; - derName.type = siDERNameBuffer; - derName.data = attr->pValue; - derName.len = attr->ulValueLen; - asciiName = CERT_DerNameToAscii(&derName); - if (asciiName) { - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, asciiName, attr->ulValueLen)); - PORT_Free(asciiName); - break; - } - /* else treat like a binary buffer */ - goto binary_buffer; - } - case CKA_ID: - if (attr->ulValueLen > 0 && attr->pValue) { - unsigned char * pV = attr->pValue; - for (len = (int)attr->ulValueLen; len > 0; --len) { - unsigned int ch = *pV++; - if (ch >= 0x20 && ch < 0x7f) - continue; - if (!ch && len == 1) /* will ignore NUL if last character */ - continue; - break; - } - if (!len) { /* entire string is printable */ - len = PR_MIN(attr->ulValueLen + 1, sizeof valstr); - PR_snprintf(valstr, len, "%s", attr->pValue); - PR_LOG(modlog, 4, (fmt_s_qsq_d, - atype, valstr, attr->ulValueLen)); - break; - } - /* else fall through and treat like a binary buffer */ - } -binary_buffer: - case CKA_SERIAL_NUMBER: - default: - if (attr->ulValueLen > 0 && attr->pValue) { - char * hexBuf; - SECItem attrBuf; - attrBuf.type = siDERNameBuffer; - attrBuf.data = attr->pValue; - attrBuf.len = PR_MIN(attr->ulValueLen, (sizeof valstr)/2); - - hexBuf = CERT_Hexify(&attrBuf, PR_FALSE); - if (hexBuf) { - PR_LOG(modlog, 4, (fmt_s_s_d, - atype, hexBuf, attr->ulValueLen)); - PORT_Free(hexBuf); - break; - } - /* else fall through and show only the address. :( */ - } - PR_LOG(modlog, 4, (" %s = [0x%p] [%d]", - atype, attr->pValue, attr->ulValueLen)); - break; + case CKA_ALWAYS_SENSITIVE: + case CKA_DECRYPT: + case CKA_DERIVE: + case CKA_ENCRYPT: + case CKA_EXTRACTABLE: + case CKA_LOCAL: + case CKA_MODIFIABLE: + case CKA_NEVER_EXTRACTABLE: + case CKA_PRIVATE: + case CKA_SENSITIVE: + case CKA_SIGN: + case CKA_SIGN_RECOVER: + case CKA_TOKEN: + case CKA_UNWRAP: + case CKA_VERIFY: + case CKA_VERIFY_RECOVER: + case CKA_WRAP: + if (attr->ulValueLen > 0 && attr->pValue) { + CK_BBOOL tf = *((CK_BBOOL *)attr->pValue); + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, tf ? "CK_TRUE" : "CK_FALSE", attr->ulValueLen)); + break; + } + case CKA_CLASS: + if (attr->ulValueLen > 0 && attr->pValue) { + CK_OBJECT_CLASS objClass = *((CK_OBJECT_CLASS *)attr->pValue); + get_obj_class(objClass, valstr, sizeof valstr); + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, valstr, attr->ulValueLen)); + break; + } + case CKA_TRUST_CLIENT_AUTH: + case CKA_TRUST_CODE_SIGNING: + case CKA_TRUST_EMAIL_PROTECTION: + case CKA_TRUST_SERVER_AUTH: + if (attr->ulValueLen > 0 && attr->pValue) { + CK_TRUST trust = *((CK_TRUST *)attr->pValue); + get_trust_val(trust, valstr, sizeof valstr); + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, valstr, attr->ulValueLen)); + break; + } + case CKA_KEY_TYPE: + if (attr->ulValueLen > 0 && attr->pValue) { + CK_KEY_TYPE keyType = *((CK_KEY_TYPE *)attr->pValue); + get_key_type(keyType, valstr, sizeof valstr); + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, valstr, attr->ulValueLen)); + break; + } + case CKA_PIXEL_X: + case CKA_PIXEL_Y: + case CKA_RESOLUTION: + case CKA_CHAR_ROWS: + case CKA_CHAR_COLUMNS: + case CKA_BITS_PER_PIXEL: + case CKA_CERTIFICATE_CATEGORY: /* should print as enum/string */ + case CKA_JAVA_MIDP_SECURITY_DOMAIN: /* should print as enum/string */ + case CKA_MODULUS_BITS: + case CKA_PRIME_BITS: + case CKA_SUBPRIME_BITS: + case CKA_VALUE_BITS: + case CKA_VALUE_LEN: + if (attr->ulValueLen > 0 && attr->pValue) { + CK_ULONG valueLen = *((CK_ULONG *)attr->pValue); + /* XXX check for the special value CK_UNAVAILABLE_INFORMATION */ + PR_LOG(modlog, 4, (fmt_s_lu, atype, (PRUint32)valueLen)); + break; + } + case CKA_LABEL: + case CKA_NSS_EMAIL: + case CKA_NSS_URL: + if (attr->ulValueLen > 0 && attr->pValue) { + len = PR_MIN(attr->ulValueLen + 1, sizeof valstr); + PR_snprintf(valstr, len, "%s", attr->pValue); + PR_LOG(modlog, 4, (fmt_s_qsq_d, + atype, valstr, attr->ulValueLen)); + break; + } + case CKA_ISSUER: + case CKA_SUBJECT: + if (attr->ulValueLen > 0 && attr->pValue) { + char *asciiName; + SECItem derName; + derName.type = siDERNameBuffer; + derName.data = attr->pValue; + derName.len = attr->ulValueLen; + asciiName = CERT_DerNameToAscii(&derName); + if (asciiName) { + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, asciiName, attr->ulValueLen)); + PORT_Free(asciiName); + break; + } + /* else treat like a binary buffer */ + goto binary_buffer; + } + case CKA_ID: + if (attr->ulValueLen > 0 && attr->pValue) { + unsigned char *pV = attr->pValue; + for (len = (int)attr->ulValueLen; len > 0; --len) { + unsigned int ch = *pV++; + if (ch >= 0x20 && ch < 0x7f) + continue; + if (!ch && len == 1) /* will ignore NUL if last character */ + continue; + break; + } + if (!len) { /* entire string is printable */ + len = PR_MIN(attr->ulValueLen + 1, sizeof valstr); + PR_snprintf(valstr, len, "%s", attr->pValue); + PR_LOG(modlog, 4, (fmt_s_qsq_d, + atype, valstr, attr->ulValueLen)); + break; + } + /* else fall through and treat like a binary buffer */ + } + binary_buffer: + case CKA_SERIAL_NUMBER: + default: + if (attr->ulValueLen > 0 && attr->pValue) { + char *hexBuf; + SECItem attrBuf; + attrBuf.type = siDERNameBuffer; + attrBuf.data = attr->pValue; + attrBuf.len = PR_MIN(attr->ulValueLen, (sizeof valstr) / 2); + + hexBuf = CERT_Hexify(&attrBuf, PR_FALSE); + if (hexBuf) { + PR_LOG(modlog, 4, (fmt_s_s_d, + atype, hexBuf, attr->ulValueLen)); + PORT_Free(hexBuf); + break; + } + /* else fall through and show only the address. :( */ + } + PR_LOG(modlog, 4, (" %s = [0x%p] [%d]", + atype, attr->pValue, attr->ulValueLen)); + break; } } -static void print_template(CK_ATTRIBUTE_PTR templ, CK_ULONG tlen) +static void +print_template(CK_ATTRIBUTE_PTR templ, CK_ULONG tlen) { CK_ULONG i; - for (i=0; i<tlen; i++) { - print_attr_value(&templ[i]); + for (i = 0; i < tlen; i++) { + print_attr_value(&templ[i]); } } @@ -745,7 +764,10 @@ struct nssdbg_prof_str { char *function; }; -#define NSSDBG_DEFINE(func) { 0, 0, #func } +#define NSSDBG_DEFINE(func) \ + { \ + 0, 0, #func \ + } struct nssdbg_prof_str nssdbg_prof_data[] = { #define FUNC_C_INITIALIZE 0 @@ -794,7 +816,7 @@ struct nssdbg_prof_str nssdbg_prof_data[] = { NSSDBG_DEFINE(C_CopyObject), #define FUNC_C_DESTROYOBJECT 22 NSSDBG_DEFINE(C_DestroyObject), -#define FUNC_C_GETOBJECTSIZE 23 +#define FUNC_C_GETOBJECTSIZE 23 NSSDBG_DEFINE(C_GetObjectSize), #define FUNC_C_GETATTRIBUTEVALUE 24 NSSDBG_DEFINE(C_GetAttributeValue), @@ -872,7 +894,7 @@ struct nssdbg_prof_str nssdbg_prof_data[] = { NSSDBG_DEFINE(C_WrapKey), #define FUNC_C_UNWRAPKEY 61 NSSDBG_DEFINE(C_UnWrapKey), -#define FUNC_C_DERIVEKEY 62 +#define FUNC_C_DERIVEKEY 62 NSSDBG_DEFINE(C_DeriveKey), #define FUNC_C_SEEDRANDOM 63 NSSDBG_DEFINE(C_SeedRandom), @@ -886,105 +908,106 @@ struct nssdbg_prof_str nssdbg_prof_data[] = { NSSDBG_DEFINE(C_WaitForSlotEvent) }; -int nssdbg_prof_size = sizeof(nssdbg_prof_data)/sizeof(nssdbg_prof_data[0]); - +int nssdbg_prof_size = sizeof(nssdbg_prof_data) / sizeof(nssdbg_prof_data[0]); -static void nssdbg_finish_time(PRInt32 fun_number, PRIntervalTime start) +static void +nssdbg_finish_time(PRInt32 fun_number, PRIntervalTime start) { PRIntervalTime ival; PRIntervalTime end = PR_IntervalNow(); - ival = end-start; + ival = end - start; /* sigh, lie to PRAtomic add and say we are using signed values */ PR_ATOMIC_ADD((PRInt32 *)&nssdbg_prof_data[fun_number].time, (PRInt32)ival); } -static void nssdbg_start_time(PRInt32 fun_number, PRIntervalTime *start) +static void +nssdbg_start_time(PRInt32 fun_number, PRIntervalTime *start) { PR_ATOMIC_INCREMENT((PRInt32 *)&nssdbg_prof_data[fun_number].calls); *start = PR_IntervalNow(); } #define COMMON_DEFINITIONS \ - CK_RV rv; \ + CK_RV rv; \ PRIntervalTime start -CK_RV NSSDBGC_Initialize( - CK_VOID_PTR pInitArgs -) +CK_RV +NSSDBGC_Initialize( + CK_VOID_PTR pInitArgs) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_Initialize")); PR_LOG(modlog, 3, (" pInitArgs = 0x%p", pInitArgs)); - nssdbg_start_time(FUNC_C_INITIALIZE,&start); + nssdbg_start_time(FUNC_C_INITIALIZE, &start); rv = module_functions->C_Initialize(pInitArgs); - nssdbg_finish_time(FUNC_C_INITIALIZE,start); + nssdbg_finish_time(FUNC_C_INITIALIZE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Finalize( - CK_VOID_PTR pReserved -) +CK_RV +NSSDBGC_Finalize( + CK_VOID_PTR pReserved) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_Finalize")); PR_LOG(modlog, 3, (" pReserved = 0x%p", pReserved)); - nssdbg_start_time(FUNC_C_FINALIZE,&start); + nssdbg_start_time(FUNC_C_FINALIZE, &start); rv = module_functions->C_Finalize(pReserved); - nssdbg_finish_time(FUNC_C_FINALIZE,start); + nssdbg_finish_time(FUNC_C_FINALIZE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetInfo( - CK_INFO_PTR pInfo -) +CK_RV +NSSDBGC_GetInfo( + CK_INFO_PTR pInfo) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetInfo")); PR_LOG(modlog, 3, (fmt_pInfo, pInfo)); - nssdbg_start_time(FUNC_C_GETINFO,&start); + nssdbg_start_time(FUNC_C_GETINFO, &start); rv = module_functions->C_GetInfo(pInfo); - nssdbg_finish_time(FUNC_C_GETINFO,start); + nssdbg_finish_time(FUNC_C_GETINFO, start); if (rv == CKR_OK) { - PR_LOG(modlog, 4, (" cryptoki version: %d.%d", - pInfo->cryptokiVersion.major, - pInfo->cryptokiVersion.minor)); - PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); - PR_LOG(modlog, 4, (" library description = \"%.32s\"", - pInfo->libraryDescription)); - PR_LOG(modlog, 4, (" library version: %d.%d", - pInfo->libraryVersion.major, - pInfo->libraryVersion.minor)); + PR_LOG(modlog, 4, (" cryptoki version: %d.%d", + pInfo->cryptokiVersion.major, + pInfo->cryptokiVersion.minor)); + PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); + PR_LOG(modlog, 4, (" library description = \"%.32s\"", + pInfo->libraryDescription)); + PR_LOG(modlog, 4, (" library version: %d.%d", + pInfo->libraryVersion.major, + pInfo->libraryVersion.minor)); } log_rv(rv); return rv; } -CK_RV NSSDBGC_GetFunctionList( - CK_FUNCTION_LIST_PTR_PTR ppFunctionList -) +CK_RV +NSSDBGC_GetFunctionList( + CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetFunctionList")); PR_LOG(modlog, 3, (" ppFunctionList = 0x%p", ppFunctionList)); - nssdbg_start_time(FUNC_C_GETFUNCITONLIST,&start); + nssdbg_start_time(FUNC_C_GETFUNCITONLIST, &start); rv = module_functions->C_GetFunctionList(ppFunctionList); - nssdbg_finish_time(FUNC_C_GETFUNCITONLIST,start); + nssdbg_finish_time(FUNC_C_GETFUNCITONLIST, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetSlotList( - CK_BBOOL tokenPresent, - CK_SLOT_ID_PTR pSlotList, - CK_ULONG_PTR pulCount -) +CK_RV +NSSDBGC_GetSlotList( + CK_BBOOL tokenPresent, + CK_SLOT_ID_PTR pSlotList, + CK_ULONG_PTR pulCount) { COMMON_DEFINITIONS; @@ -993,96 +1016,96 @@ CK_RV NSSDBGC_GetSlotList( PR_LOG(modlog, 3, (" tokenPresent = 0x%x", tokenPresent)); PR_LOG(modlog, 3, (" pSlotList = 0x%p", pSlotList)); PR_LOG(modlog, 3, (fmt_pulCount, pulCount)); - nssdbg_start_time(FUNC_C_GETSLOTLIST,&start); + nssdbg_start_time(FUNC_C_GETSLOTLIST, &start); rv = module_functions->C_GetSlotList(tokenPresent, pSlotList, pulCount); - nssdbg_finish_time(FUNC_C_GETSLOTLIST,start); + nssdbg_finish_time(FUNC_C_GETSLOTLIST, start); PR_LOG(modlog, 4, (fmt_spulCount, *pulCount)); if (pSlotList) { - for (i=0; i<*pulCount; i++) { - PR_LOG(modlog, 4, (" slotID[%d] = %x", i, pSlotList[i])); - } + for (i = 0; i < *pulCount; i++) { + PR_LOG(modlog, 4, (" slotID[%d] = %x", i, pSlotList[i])); + } } log_rv(rv); return rv; } -CK_RV NSSDBGC_GetSlotInfo( - CK_SLOT_ID slotID, - CK_SLOT_INFO_PTR pInfo -) +CK_RV +NSSDBGC_GetSlotInfo( + CK_SLOT_ID slotID, + CK_SLOT_INFO_PTR pInfo) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetSlotInfo")); PR_LOG(modlog, 3, (fmt_slotID, slotID)); PR_LOG(modlog, 3, (fmt_pInfo, pInfo)); - nssdbg_start_time(FUNC_C_GETSLOTINFO,&start); + nssdbg_start_time(FUNC_C_GETSLOTINFO, &start); rv = module_functions->C_GetSlotInfo(slotID, pInfo); - nssdbg_finish_time(FUNC_C_GETSLOTINFO,start); + nssdbg_finish_time(FUNC_C_GETSLOTINFO, start); if (rv == CKR_OK) { - PR_LOG(modlog, 4, (" slotDescription = \"%.64s\"", - pInfo->slotDescription)); - PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); - PR_LOG(modlog, 4, (" flags = %s %s %s", - pInfo->flags & CKF_HW_SLOT ? "CKF_HW_SLOT" : "", - pInfo->flags & CKF_REMOVABLE_DEVICE ? "CKF_REMOVABLE_DEVICE" : "", - pInfo->flags & CKF_TOKEN_PRESENT ? "CKF_TOKEN_PRESENT" : "")); - PR_LOG(modlog, 4, (fmt_hwVersion, - pInfo->hardwareVersion.major, - pInfo->hardwareVersion.minor)); - PR_LOG(modlog, 4, (fmt_fwVersion, - pInfo->firmwareVersion.major, - pInfo->firmwareVersion.minor)); + PR_LOG(modlog, 4, (" slotDescription = \"%.64s\"", + pInfo->slotDescription)); + PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); + PR_LOG(modlog, 4, (" flags = %s %s %s", + pInfo->flags & CKF_HW_SLOT ? "CKF_HW_SLOT" : "", + pInfo->flags & CKF_REMOVABLE_DEVICE ? "CKF_REMOVABLE_DEVICE" : "", + pInfo->flags & CKF_TOKEN_PRESENT ? "CKF_TOKEN_PRESENT" : "")); + PR_LOG(modlog, 4, (fmt_hwVersion, + pInfo->hardwareVersion.major, + pInfo->hardwareVersion.minor)); + PR_LOG(modlog, 4, (fmt_fwVersion, + pInfo->firmwareVersion.major, + pInfo->firmwareVersion.minor)); } log_rv(rv); return rv; } -CK_RV NSSDBGC_GetTokenInfo( - CK_SLOT_ID slotID, - CK_TOKEN_INFO_PTR pInfo -) +CK_RV +NSSDBGC_GetTokenInfo( + CK_SLOT_ID slotID, + CK_TOKEN_INFO_PTR pInfo) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetTokenInfo")); PR_LOG(modlog, 3, (fmt_slotID, slotID)); PR_LOG(modlog, 3, (fmt_pInfo, pInfo)); - nssdbg_start_time(FUNC_C_GETTOKENINFO,&start); + nssdbg_start_time(FUNC_C_GETTOKENINFO, &start); rv = module_functions->C_GetTokenInfo(slotID, pInfo); - nssdbg_finish_time(FUNC_C_GETTOKENINFO,start); + nssdbg_finish_time(FUNC_C_GETTOKENINFO, start); if (rv == CKR_OK) { - PR_LOG(modlog, 4, (" label = \"%.32s\"", pInfo->label)); - PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); - PR_LOG(modlog, 4, (" model = \"%.16s\"", pInfo->model)); - PR_LOG(modlog, 4, (" serial = \"%.16s\"", pInfo->serialNumber)); - PR_LOG(modlog, 4, (" flags = %s %s %s %s", - pInfo->flags & CKF_RNG ? "CKF_RNG" : "", - pInfo->flags & CKF_WRITE_PROTECTED ? "CKF_WRITE_PROTECTED" : "", - pInfo->flags & CKF_LOGIN_REQUIRED ? "CKF_LOGIN_REQUIRED" : "", - pInfo->flags & CKF_USER_PIN_INITIALIZED ? "CKF_USER_PIN_INIT" : "")); - PR_LOG(modlog, 4, (" maxSessions = %u, Sessions = %u", - pInfo->ulMaxSessionCount, pInfo->ulSessionCount)); - PR_LOG(modlog, 4, (" maxRwSessions = %u, RwSessions = %u", - pInfo->ulMaxRwSessionCount, - pInfo->ulRwSessionCount)); - /* ignore Max & Min Pin Len, Public and Private Memory */ - PR_LOG(modlog, 4, (fmt_hwVersion, - pInfo->hardwareVersion.major, - pInfo->hardwareVersion.minor)); - PR_LOG(modlog, 4, (fmt_fwVersion, - pInfo->firmwareVersion.major, - pInfo->firmwareVersion.minor)); + PR_LOG(modlog, 4, (" label = \"%.32s\"", pInfo->label)); + PR_LOG(modlog, 4, (fmt_manufacturerID, pInfo->manufacturerID)); + PR_LOG(modlog, 4, (" model = \"%.16s\"", pInfo->model)); + PR_LOG(modlog, 4, (" serial = \"%.16s\"", pInfo->serialNumber)); + PR_LOG(modlog, 4, (" flags = %s %s %s %s", + pInfo->flags & CKF_RNG ? "CKF_RNG" : "", + pInfo->flags & CKF_WRITE_PROTECTED ? "CKF_WRITE_PROTECTED" : "", + pInfo->flags & CKF_LOGIN_REQUIRED ? "CKF_LOGIN_REQUIRED" : "", + pInfo->flags & CKF_USER_PIN_INITIALIZED ? "CKF_USER_PIN_INIT" : "")); + PR_LOG(modlog, 4, (" maxSessions = %u, Sessions = %u", + pInfo->ulMaxSessionCount, pInfo->ulSessionCount)); + PR_LOG(modlog, 4, (" maxRwSessions = %u, RwSessions = %u", + pInfo->ulMaxRwSessionCount, + pInfo->ulRwSessionCount)); + /* ignore Max & Min Pin Len, Public and Private Memory */ + PR_LOG(modlog, 4, (fmt_hwVersion, + pInfo->hardwareVersion.major, + pInfo->hardwareVersion.minor)); + PR_LOG(modlog, 4, (fmt_fwVersion, + pInfo->firmwareVersion.major, + pInfo->firmwareVersion.minor)); } log_rv(rv); return rv; } -CK_RV NSSDBGC_GetMechanismList( - CK_SLOT_ID slotID, - CK_MECHANISM_TYPE_PTR pMechanismList, - CK_ULONG_PTR pulCount -) +CK_RV +NSSDBGC_GetMechanismList( + CK_SLOT_ID slotID, + CK_MECHANISM_TYPE_PTR pMechanismList, + CK_ULONG_PTR pulCount) { COMMON_DEFINITIONS; @@ -1090,21 +1113,21 @@ CK_RV NSSDBGC_GetMechanismList( PR_LOG(modlog, 3, (fmt_slotID, slotID)); PR_LOG(modlog, 3, (" pMechanismList = 0x%p", pMechanismList)); PR_LOG(modlog, 3, (fmt_pulCount, pulCount)); - nssdbg_start_time(FUNC_C_GETMECHANISMLIST,&start); + nssdbg_start_time(FUNC_C_GETMECHANISMLIST, &start); rv = module_functions->C_GetMechanismList(slotID, - pMechanismList, - pulCount); - nssdbg_finish_time(FUNC_C_GETMECHANISMLIST,start); + pMechanismList, + pulCount); + nssdbg_finish_time(FUNC_C_GETMECHANISMLIST, start); PR_LOG(modlog, 4, (fmt_spulCount, *pulCount)); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetMechanismInfo( - CK_SLOT_ID slotID, - CK_MECHANISM_TYPE type, - CK_MECHANISM_INFO_PTR pInfo -) +CK_RV +NSSDBGC_GetMechanismInfo( + CK_SLOT_ID slotID, + CK_MECHANISM_TYPE type, + CK_MECHANISM_INFO_PTR pInfo) { COMMON_DEFINITIONS; @@ -1112,21 +1135,21 @@ CK_RV NSSDBGC_GetMechanismInfo( PR_LOG(modlog, 3, (fmt_slotID, slotID)); PR_LOG(modlog, 3, (" type = 0x%x", type)); PR_LOG(modlog, 3, (fmt_pInfo, pInfo)); - nssdbg_start_time(FUNC_C_GETMECHANISMINFO,&start); + nssdbg_start_time(FUNC_C_GETMECHANISMINFO, &start); rv = module_functions->C_GetMechanismInfo(slotID, - type, - pInfo); - nssdbg_finish_time(FUNC_C_GETMECHANISMINFO,start); + type, + pInfo); + nssdbg_finish_time(FUNC_C_GETMECHANISMINFO, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_InitToken( - CK_SLOT_ID slotID, - CK_CHAR_PTR pPin, - CK_ULONG ulPinLen, - CK_CHAR_PTR pLabel -) +CK_RV +NSSDBGC_InitToken( + CK_SLOT_ID slotID, + CK_CHAR_PTR pPin, + CK_ULONG ulPinLen, + CK_CHAR_PTR pLabel) { COMMON_DEFINITIONS; @@ -1135,21 +1158,21 @@ CK_RV NSSDBGC_InitToken( PR_LOG(modlog, 3, (fmt_pPin, pPin)); PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen)); PR_LOG(modlog, 3, (" pLabel = 0x%p", pLabel)); - nssdbg_start_time(FUNC_C_INITTOKEN,&start); + nssdbg_start_time(FUNC_C_INITTOKEN, &start); rv = module_functions->C_InitToken(slotID, - pPin, - ulPinLen, - pLabel); - nssdbg_finish_time(FUNC_C_INITTOKEN,start); + pPin, + ulPinLen, + pLabel); + nssdbg_finish_time(FUNC_C_INITTOKEN, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_InitPIN( - CK_SESSION_HANDLE hSession, - CK_CHAR_PTR pPin, - CK_ULONG ulPinLen -) +CK_RV +NSSDBGC_InitPIN( + CK_SESSION_HANDLE hSession, + CK_CHAR_PTR pPin, + CK_ULONG ulPinLen) { COMMON_DEFINITIONS; @@ -1157,22 +1180,22 @@ CK_RV NSSDBGC_InitPIN( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pPin, pPin)); PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen)); - nssdbg_start_time(FUNC_C_INITPIN,&start); + nssdbg_start_time(FUNC_C_INITPIN, &start); rv = module_functions->C_InitPIN(hSession, - pPin, - ulPinLen); - nssdbg_finish_time(FUNC_C_INITPIN,start); + pPin, + ulPinLen); + nssdbg_finish_time(FUNC_C_INITPIN, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_SetPIN( - CK_SESSION_HANDLE hSession, - CK_CHAR_PTR pOldPin, - CK_ULONG ulOldLen, - CK_CHAR_PTR pNewPin, - CK_ULONG ulNewLen -) +CK_RV +NSSDBGC_SetPIN( + CK_SESSION_HANDLE hSession, + CK_CHAR_PTR pOldPin, + CK_ULONG ulOldLen, + CK_CHAR_PTR pNewPin, + CK_ULONG ulNewLen) { COMMON_DEFINITIONS; @@ -1182,13 +1205,13 @@ CK_RV NSSDBGC_SetPIN( PR_LOG(modlog, 3, (" ulOldLen = %d", ulOldLen)); PR_LOG(modlog, 3, (" pNewPin = 0x%p", pNewPin)); PR_LOG(modlog, 3, (" ulNewLen = %d", ulNewLen)); - nssdbg_start_time(FUNC_C_SETPIN,&start); + nssdbg_start_time(FUNC_C_SETPIN, &start); rv = module_functions->C_SetPIN(hSession, - pOldPin, - ulOldLen, - pNewPin, - ulNewLen); - nssdbg_finish_time(FUNC_C_SETPIN,start); + pOldPin, + ulOldLen, + pNewPin, + ulNewLen); + nssdbg_finish_time(FUNC_C_SETPIN, start); log_rv(rv); return rv; } @@ -1196,13 +1219,13 @@ CK_RV NSSDBGC_SetPIN( static PRUint32 numOpenSessions = 0; static PRUint32 maxOpenSessions = 0; -CK_RV NSSDBGC_OpenSession( - CK_SLOT_ID slotID, - CK_FLAGS flags, - CK_VOID_PTR pApplication, - CK_NOTIFY Notify, - CK_SESSION_HANDLE_PTR phSession -) +CK_RV +NSSDBGC_OpenSession( + CK_SLOT_ID slotID, + CK_FLAGS flags, + CK_VOID_PTR pApplication, + CK_NOTIFY Notify, + CK_SESSION_HANDLE_PTR phSession) { COMMON_DEFINITIONS; @@ -1214,80 +1237,80 @@ CK_RV NSSDBGC_OpenSession( PR_LOG(modlog, 3, (" pApplication = 0x%p", pApplication)); PR_LOG(modlog, 3, (" Notify = 0x%x", Notify)); PR_LOG(modlog, 3, (" phSession = 0x%p", phSession)); - nssdbg_start_time(FUNC_C_OPENSESSION,&start); + nssdbg_start_time(FUNC_C_OPENSESSION, &start); rv = module_functions->C_OpenSession(slotID, - flags, - pApplication, - Notify, - phSession); - nssdbg_finish_time(FUNC_C_OPENSESSION,start); + flags, + pApplication, + Notify, + phSession); + nssdbg_finish_time(FUNC_C_OPENSESSION, start); log_handle(4, " *phSession = 0x%x", *phSession); log_rv(rv); return rv; } -CK_RV NSSDBGC_CloseSession( - CK_SESSION_HANDLE hSession -) +CK_RV +NSSDBGC_CloseSession( + CK_SESSION_HANDLE hSession) { COMMON_DEFINITIONS; PR_ATOMIC_DECREMENT((PRInt32 *)&numOpenSessions); PR_LOG(modlog, 1, ("C_CloseSession")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_CLOSESESSION,&start); + nssdbg_start_time(FUNC_C_CLOSESESSION, &start); rv = module_functions->C_CloseSession(hSession); - nssdbg_finish_time(FUNC_C_CLOSESESSION,start); + nssdbg_finish_time(FUNC_C_CLOSESESSION, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_CloseAllSessions( - CK_SLOT_ID slotID -) +CK_RV +NSSDBGC_CloseAllSessions( + CK_SLOT_ID slotID) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_CloseAllSessions")); PR_LOG(modlog, 3, (fmt_slotID, slotID)); - nssdbg_start_time(FUNC_C_CLOSEALLSESSIONS,&start); + nssdbg_start_time(FUNC_C_CLOSEALLSESSIONS, &start); rv = module_functions->C_CloseAllSessions(slotID); - nssdbg_finish_time(FUNC_C_CLOSEALLSESSIONS,start); + nssdbg_finish_time(FUNC_C_CLOSEALLSESSIONS, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetSessionInfo( - CK_SESSION_HANDLE hSession, - CK_SESSION_INFO_PTR pInfo -) +CK_RV +NSSDBGC_GetSessionInfo( + CK_SESSION_HANDLE hSession, + CK_SESSION_INFO_PTR pInfo) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetSessionInfo")); log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pInfo, pInfo)); - nssdbg_start_time(FUNC_C_GETSESSIONINFO,&start); + nssdbg_start_time(FUNC_C_GETSESSIONINFO, &start); rv = module_functions->C_GetSessionInfo(hSession, - pInfo); - nssdbg_finish_time(FUNC_C_GETSESSIONINFO,start); + pInfo); + nssdbg_finish_time(FUNC_C_GETSESSIONINFO, start); if (rv == CKR_OK) { - PR_LOG(modlog, 4, (fmt_slotID, pInfo->slotID)); - log_state(pInfo->state); - PR_LOG(modlog, 4, (" flags = %s %s", - pInfo->flags & CKF_RW_SESSION ? "CKF_RW_SESSION" : "", - pInfo->flags & CKF_SERIAL_SESSION ? "CKF_SERIAL_SESSION" : "")); - PR_LOG(modlog, 4, (" deviceError = 0x%x", pInfo->ulDeviceError)); + PR_LOG(modlog, 4, (fmt_slotID, pInfo->slotID)); + log_state(pInfo->state); + PR_LOG(modlog, 4, (" flags = %s %s", + pInfo->flags & CKF_RW_SESSION ? "CKF_RW_SESSION" : "", + pInfo->flags & CKF_SERIAL_SESSION ? "CKF_SERIAL_SESSION" : "")); + PR_LOG(modlog, 4, (" deviceError = 0x%x", pInfo->ulDeviceError)); } log_rv(rv); return rv; } -CK_RV NSSDBGC_GetOperationState( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pOperationState, - CK_ULONG_PTR pulOperationStateLen -) +CK_RV +NSSDBGC_GetOperationState( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG_PTR pulOperationStateLen) { COMMON_DEFINITIONS; @@ -1295,23 +1318,23 @@ CK_RV NSSDBGC_GetOperationState( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pOperationState, pOperationState)); PR_LOG(modlog, 3, (" pulOperationStateLen = 0x%p", pulOperationStateLen)); - nssdbg_start_time(FUNC_C_GETOPERATIONSTATE,&start); + nssdbg_start_time(FUNC_C_GETOPERATIONSTATE, &start); rv = module_functions->C_GetOperationState(hSession, - pOperationState, - pulOperationStateLen); - nssdbg_finish_time(FUNC_C_GETOPERATIONSTATE,start); + pOperationState, + pulOperationStateLen); + nssdbg_finish_time(FUNC_C_GETOPERATIONSTATE, start); PR_LOG(modlog, 4, (" *pulOperationStateLen = 0x%x", *pulOperationStateLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_SetOperationState( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pOperationState, - CK_ULONG ulOperationStateLen, - CK_OBJECT_HANDLE hEncryptionKey, - CK_OBJECT_HANDLE hAuthenticationKey -) +CK_RV +NSSDBGC_SetOperationState( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pOperationState, + CK_ULONG ulOperationStateLen, + CK_OBJECT_HANDLE hEncryptionKey, + CK_OBJECT_HANDLE hAuthenticationKey) { COMMON_DEFINITIONS; @@ -1321,23 +1344,23 @@ CK_RV NSSDBGC_SetOperationState( PR_LOG(modlog, 3, (" ulOperationStateLen = %d", ulOperationStateLen)); log_handle(3, " hEncryptionKey = 0x%x", hEncryptionKey); log_handle(3, " hAuthenticationKey = 0x%x", hAuthenticationKey); - nssdbg_start_time(FUNC_C_SETOPERATIONSTATE,&start); + nssdbg_start_time(FUNC_C_SETOPERATIONSTATE, &start); rv = module_functions->C_SetOperationState(hSession, - pOperationState, - ulOperationStateLen, - hEncryptionKey, - hAuthenticationKey); - nssdbg_finish_time(FUNC_C_SETOPERATIONSTATE,start); + pOperationState, + ulOperationStateLen, + hEncryptionKey, + hAuthenticationKey); + nssdbg_finish_time(FUNC_C_SETOPERATIONSTATE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Login( - CK_SESSION_HANDLE hSession, - CK_USER_TYPE userType, - CK_CHAR_PTR pPin, - CK_ULONG ulPinLen -) +CK_RV +NSSDBGC_Login( + CK_SESSION_HANDLE hSession, + CK_USER_TYPE userType, + CK_CHAR_PTR pPin, + CK_ULONG ulPinLen) { COMMON_DEFINITIONS; @@ -1346,37 +1369,37 @@ CK_RV NSSDBGC_Login( PR_LOG(modlog, 3, (" userType = 0x%x", userType)); PR_LOG(modlog, 3, (fmt_pPin, pPin)); PR_LOG(modlog, 3, (fmt_ulPinLen, ulPinLen)); - nssdbg_start_time(FUNC_C_LOGIN,&start); + nssdbg_start_time(FUNC_C_LOGIN, &start); rv = module_functions->C_Login(hSession, - userType, - pPin, - ulPinLen); - nssdbg_finish_time(FUNC_C_LOGIN,start); + userType, + pPin, + ulPinLen); + nssdbg_finish_time(FUNC_C_LOGIN, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Logout( - CK_SESSION_HANDLE hSession -) +CK_RV +NSSDBGC_Logout( + CK_SESSION_HANDLE hSession) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_Logout")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_LOGOUT,&start); + nssdbg_start_time(FUNC_C_LOGOUT, &start); rv = module_functions->C_Logout(hSession); - nssdbg_finish_time(FUNC_C_LOGOUT,start); + nssdbg_finish_time(FUNC_C_LOGOUT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_CreateObject( - CK_SESSION_HANDLE hSession, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phObject -) +CK_RV +NSSDBGC_CreateObject( + CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phObject) { COMMON_DEFINITIONS; @@ -1386,24 +1409,24 @@ CK_RV NSSDBGC_CreateObject( PR_LOG(modlog, 3, (fmt_ulCount, ulCount)); PR_LOG(modlog, 3, (fmt_phObject, phObject)); print_template(pTemplate, ulCount); - nssdbg_start_time(FUNC_C_CREATEOBJECT,&start); + nssdbg_start_time(FUNC_C_CREATEOBJECT, &start); rv = module_functions->C_CreateObject(hSession, - pTemplate, - ulCount, - phObject); - nssdbg_finish_time(FUNC_C_CREATEOBJECT,start); + pTemplate, + ulCount, + phObject); + nssdbg_finish_time(FUNC_C_CREATEOBJECT, start); log_handle(4, " *phObject = 0x%x", *phObject); log_rv(rv); return rv; } -CK_RV NSSDBGC_CopyObject( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phNewObject -) +CK_RV +NSSDBGC_CopyObject( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phNewObject) { COMMON_DEFINITIONS; @@ -1414,41 +1437,41 @@ CK_RV NSSDBGC_CopyObject( PR_LOG(modlog, 3, (fmt_ulCount, ulCount)); PR_LOG(modlog, 3, (" phNewObject = 0x%p", phNewObject)); print_template(pTemplate, ulCount); - nssdbg_start_time(FUNC_C_COPYOBJECT,&start); + nssdbg_start_time(FUNC_C_COPYOBJECT, &start); rv = module_functions->C_CopyObject(hSession, - hObject, - pTemplate, - ulCount, - phNewObject); - nssdbg_finish_time(FUNC_C_COPYOBJECT,start); + hObject, + pTemplate, + ulCount, + phNewObject); + nssdbg_finish_time(FUNC_C_COPYOBJECT, start); log_handle(4, " *phNewObject = 0x%x", *phNewObject); log_rv(rv); return rv; } -CK_RV NSSDBGC_DestroyObject( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject -) +CK_RV +NSSDBGC_DestroyObject( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_DestroyObject")); log_handle(3, fmt_hSession, hSession); log_handle(3, fmt_hObject, hObject); - nssdbg_start_time(FUNC_C_DESTROYOBJECT,&start); + nssdbg_start_time(FUNC_C_DESTROYOBJECT, &start); rv = module_functions->C_DestroyObject(hSession, - hObject); - nssdbg_finish_time(FUNC_C_DESTROYOBJECT,start); + hObject); + nssdbg_finish_time(FUNC_C_DESTROYOBJECT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetObjectSize( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ULONG_PTR pulSize -) +CK_RV +NSSDBGC_GetObjectSize( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ULONG_PTR pulSize) { COMMON_DEFINITIONS; @@ -1456,22 +1479,22 @@ CK_RV NSSDBGC_GetObjectSize( log_handle(3, fmt_hSession, hSession); log_handle(3, fmt_hObject, hObject); PR_LOG(modlog, 3, (" pulSize = 0x%p", pulSize)); - nssdbg_start_time(FUNC_C_GETOBJECTSIZE,&start); + nssdbg_start_time(FUNC_C_GETOBJECTSIZE, &start); rv = module_functions->C_GetObjectSize(hSession, - hObject, - pulSize); - nssdbg_finish_time(FUNC_C_GETOBJECTSIZE,start); + hObject, + pulSize); + nssdbg_finish_time(FUNC_C_GETOBJECTSIZE, start); PR_LOG(modlog, 4, (" *pulSize = 0x%x", *pulSize)); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetAttributeValue( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) +CK_RV +NSSDBGC_GetAttributeValue( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount) { COMMON_DEFINITIONS; @@ -1480,23 +1503,23 @@ CK_RV NSSDBGC_GetAttributeValue( log_handle(3, fmt_hObject, hObject); PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate)); PR_LOG(modlog, 3, (fmt_ulCount, ulCount)); - nssdbg_start_time(FUNC_C_GETATTRIBUTEVALUE,&start); + nssdbg_start_time(FUNC_C_GETATTRIBUTEVALUE, &start); rv = module_functions->C_GetAttributeValue(hSession, - hObject, - pTemplate, - ulCount); - nssdbg_finish_time(FUNC_C_GETATTRIBUTEVALUE,start); + hObject, + pTemplate, + ulCount); + nssdbg_finish_time(FUNC_C_GETATTRIBUTEVALUE, start); print_template(pTemplate, ulCount); log_rv(rv); return rv; } -CK_RV NSSDBGC_SetAttributeValue( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hObject, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) +CK_RV +NSSDBGC_SetAttributeValue( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hObject, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount) { COMMON_DEFINITIONS; @@ -1506,21 +1529,21 @@ CK_RV NSSDBGC_SetAttributeValue( PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate)); PR_LOG(modlog, 3, (fmt_ulCount, ulCount)); print_template(pTemplate, ulCount); - nssdbg_start_time(FUNC_C_SETATTRIBUTEVALUE,&start); + nssdbg_start_time(FUNC_C_SETATTRIBUTEVALUE, &start); rv = module_functions->C_SetAttributeValue(hSession, - hObject, - pTemplate, - ulCount); - nssdbg_finish_time(FUNC_C_SETATTRIBUTEVALUE,start); + hObject, + pTemplate, + ulCount); + nssdbg_finish_time(FUNC_C_SETATTRIBUTEVALUE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_FindObjectsInit( - CK_SESSION_HANDLE hSession, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount -) +CK_RV +NSSDBGC_FindObjectsInit( + CK_SESSION_HANDLE hSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount) { COMMON_DEFINITIONS; @@ -1529,21 +1552,21 @@ CK_RV NSSDBGC_FindObjectsInit( PR_LOG(modlog, 3, (fmt_pTemplate, pTemplate)); PR_LOG(modlog, 3, (fmt_ulCount, ulCount)); print_template(pTemplate, ulCount); - nssdbg_start_time(FUNC_C_FINDOBJECTSINIT,&start); + nssdbg_start_time(FUNC_C_FINDOBJECTSINIT, &start); rv = module_functions->C_FindObjectsInit(hSession, - pTemplate, - ulCount); - nssdbg_finish_time(FUNC_C_FINDOBJECTSINIT,start); + pTemplate, + ulCount); + nssdbg_finish_time(FUNC_C_FINDOBJECTSINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_FindObjects( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE_PTR phObject, - CK_ULONG ulMaxObjectCount, - CK_ULONG_PTR pulObjectCount -) +CK_RV +NSSDBGC_FindObjects( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE_PTR phObject, + CK_ULONG ulMaxObjectCount, + CK_ULONG_PTR pulObjectCount) { COMMON_DEFINITIONS; CK_ULONG i; @@ -1553,41 +1576,41 @@ CK_RV NSSDBGC_FindObjects( PR_LOG(modlog, 3, (fmt_phObject, phObject)); PR_LOG(modlog, 3, (" ulMaxObjectCount = %d", ulMaxObjectCount)); PR_LOG(modlog, 3, (" pulObjectCount = 0x%p", pulObjectCount)); - nssdbg_start_time(FUNC_C_FINDOBJECTS,&start); + nssdbg_start_time(FUNC_C_FINDOBJECTS, &start); rv = module_functions->C_FindObjects(hSession, - phObject, - ulMaxObjectCount, - pulObjectCount); - nssdbg_finish_time(FUNC_C_FINDOBJECTS,start); + phObject, + ulMaxObjectCount, + pulObjectCount); + nssdbg_finish_time(FUNC_C_FINDOBJECTS, start); PR_LOG(modlog, 4, (" *pulObjectCount = 0x%x", *pulObjectCount)); - for (i=0; i<*pulObjectCount; i++) { - PR_LOG(modlog, 4, (" phObject[%d] = 0x%x%s", i, phObject[i], - phObject[i] ? "" : fmt_invalid_handle)); + for (i = 0; i < *pulObjectCount; i++) { + PR_LOG(modlog, 4, (" phObject[%d] = 0x%x%s", i, phObject[i], + phObject[i] ? "" : fmt_invalid_handle)); } log_rv(rv); return rv; } -CK_RV NSSDBGC_FindObjectsFinal( - CK_SESSION_HANDLE hSession -) +CK_RV +NSSDBGC_FindObjectsFinal( + CK_SESSION_HANDLE hSession) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_FindObjectsFinal")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_FINDOBJECTSFINAL,&start); + nssdbg_start_time(FUNC_C_FINDOBJECTSFINAL, &start); rv = module_functions->C_FindObjectsFinal(hSession); - nssdbg_finish_time(FUNC_C_FINDOBJECTSFINAL,start); + nssdbg_finish_time(FUNC_C_FINDOBJECTSFINAL, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_EncryptInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_EncryptInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -1596,22 +1619,22 @@ CK_RV NSSDBGC_EncryptInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_ENCRYPTINIT,&start); + nssdbg_start_time(FUNC_C_ENCRYPTINIT, &start); rv = module_functions->C_EncryptInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_ENCRYPTINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_ENCRYPTINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Encrypt( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pEncryptedData, - CK_ULONG_PTR pulEncryptedDataLen -) +CK_RV +NSSDBGC_Encrypt( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, + CK_ULONG ulDataLen, + CK_BYTE_PTR pEncryptedData, + CK_ULONG_PTR pulEncryptedDataLen) { COMMON_DEFINITIONS; @@ -1621,25 +1644,25 @@ CK_RV NSSDBGC_Encrypt( PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen)); PR_LOG(modlog, 3, (fmt_pEncryptedData, pEncryptedData)); PR_LOG(modlog, 3, (" pulEncryptedDataLen = 0x%p", pulEncryptedDataLen)); - nssdbg_start_time(FUNC_C_ENCRYPT,&start); + nssdbg_start_time(FUNC_C_ENCRYPT, &start); rv = module_functions->C_Encrypt(hSession, - pData, - ulDataLen, - pEncryptedData, - pulEncryptedDataLen); - nssdbg_finish_time(FUNC_C_ENCRYPT,start); + pData, + ulDataLen, + pEncryptedData, + pulEncryptedDataLen); + nssdbg_finish_time(FUNC_C_ENCRYPT, start); PR_LOG(modlog, 4, (" *pulEncryptedDataLen = 0x%x", *pulEncryptedDataLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_EncryptUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) +CK_RV +NSSDBGC_EncryptUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) { COMMON_DEFINITIONS; @@ -1649,23 +1672,23 @@ CK_RV NSSDBGC_EncryptUpdate( PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart)); PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen)); - nssdbg_start_time(FUNC_C_ENCRYPTUPDATE,&start); + nssdbg_start_time(FUNC_C_ENCRYPTUPDATE, &start); rv = module_functions->C_EncryptUpdate(hSession, - pPart, - ulPartLen, - pEncryptedPart, - pulEncryptedPartLen); - nssdbg_finish_time(FUNC_C_ENCRYPTUPDATE,start); + pPart, + ulPartLen, + pEncryptedPart, + pulEncryptedPartLen); + nssdbg_finish_time(FUNC_C_ENCRYPTUPDATE, start); PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_EncryptFinal( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pLastEncryptedPart, - CK_ULONG_PTR pulLastEncryptedPartLen -) +CK_RV +NSSDBGC_EncryptFinal( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastEncryptedPart, + CK_ULONG_PTR pulLastEncryptedPartLen) { COMMON_DEFINITIONS; @@ -1673,21 +1696,21 @@ CK_RV NSSDBGC_EncryptFinal( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (" pLastEncryptedPart = 0x%p", pLastEncryptedPart)); PR_LOG(modlog, 3, (" pulLastEncryptedPartLen = 0x%p", pulLastEncryptedPartLen)); - nssdbg_start_time(FUNC_C_ENCRYPTFINAL,&start); + nssdbg_start_time(FUNC_C_ENCRYPTFINAL, &start); rv = module_functions->C_EncryptFinal(hSession, - pLastEncryptedPart, - pulLastEncryptedPartLen); - nssdbg_finish_time(FUNC_C_ENCRYPTFINAL,start); + pLastEncryptedPart, + pulLastEncryptedPartLen); + nssdbg_finish_time(FUNC_C_ENCRYPTFINAL, start); PR_LOG(modlog, 4, (" *pulLastEncryptedPartLen = 0x%x", *pulLastEncryptedPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DecryptInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_DecryptInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -1696,22 +1719,22 @@ CK_RV NSSDBGC_DecryptInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_DECRYPTINIT,&start); + nssdbg_start_time(FUNC_C_DECRYPTINIT, &start); rv = module_functions->C_DecryptInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_DECRYPTINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_DECRYPTINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Decrypt( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedData, - CK_ULONG ulEncryptedDataLen, - CK_BYTE_PTR pData, - CK_ULONG_PTR pulDataLen -) +CK_RV +NSSDBGC_Decrypt( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedData, + CK_ULONG ulEncryptedDataLen, + CK_BYTE_PTR pData, + CK_ULONG_PTR pulDataLen) { COMMON_DEFINITIONS; @@ -1721,25 +1744,25 @@ CK_RV NSSDBGC_Decrypt( PR_LOG(modlog, 3, (" ulEncryptedDataLen = %d", ulEncryptedDataLen)); PR_LOG(modlog, 3, (fmt_pData, pData)); PR_LOG(modlog, 3, (fmt_pulDataLen, pulDataLen)); - nssdbg_start_time(FUNC_C_DECRYPT,&start); + nssdbg_start_time(FUNC_C_DECRYPT, &start); rv = module_functions->C_Decrypt(hSession, - pEncryptedData, - ulEncryptedDataLen, - pData, - pulDataLen); - nssdbg_finish_time(FUNC_C_DECRYPT,start); + pEncryptedData, + ulEncryptedDataLen, + pData, + pulDataLen); + nssdbg_finish_time(FUNC_C_DECRYPT, start); PR_LOG(modlog, 4, (fmt_spulDataLen, *pulDataLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DecryptUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) +CK_RV +NSSDBGC_DecryptUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, + CK_ULONG_PTR pulPartLen) { COMMON_DEFINITIONS; @@ -1749,23 +1772,23 @@ CK_RV NSSDBGC_DecryptUpdate( PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen)); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen)); - nssdbg_start_time(FUNC_C_DECRYPTUPDATE,&start); + nssdbg_start_time(FUNC_C_DECRYPTUPDATE, &start); rv = module_functions->C_DecryptUpdate(hSession, - pEncryptedPart, - ulEncryptedPartLen, - pPart, - pulPartLen); - nssdbg_finish_time(FUNC_C_DECRYPTUPDATE,start); + pEncryptedPart, + ulEncryptedPartLen, + pPart, + pulPartLen); + nssdbg_finish_time(FUNC_C_DECRYPTUPDATE, start); PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DecryptFinal( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pLastPart, - CK_ULONG_PTR pulLastPartLen -) +CK_RV +NSSDBGC_DecryptFinal( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pLastPart, + CK_ULONG_PTR pulLastPartLen) { COMMON_DEFINITIONS; @@ -1773,20 +1796,20 @@ CK_RV NSSDBGC_DecryptFinal( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (" pLastPart = 0x%p", pLastPart)); PR_LOG(modlog, 3, (" pulLastPartLen = 0x%p", pulLastPartLen)); - nssdbg_start_time(FUNC_C_DECRYPTFINAL,&start); + nssdbg_start_time(FUNC_C_DECRYPTFINAL, &start); rv = module_functions->C_DecryptFinal(hSession, - pLastPart, - pulLastPartLen); - nssdbg_finish_time(FUNC_C_DECRYPTFINAL,start); + pLastPart, + pulLastPartLen); + nssdbg_finish_time(FUNC_C_DECRYPTFINAL, start); PR_LOG(modlog, 4, (" *pulLastPartLen = 0x%x", *pulLastPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DigestInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism -) +CK_RV +NSSDBGC_DigestInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism) { COMMON_DEFINITIONS; @@ -1794,21 +1817,21 @@ CK_RV NSSDBGC_DigestInit( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_DIGESTINIT,&start); + nssdbg_start_time(FUNC_C_DIGESTINIT, &start); rv = module_functions->C_DigestInit(hSession, - pMechanism); - nssdbg_finish_time(FUNC_C_DIGESTINIT,start); + pMechanism); + nssdbg_finish_time(FUNC_C_DIGESTINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Digest( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen -) +CK_RV +NSSDBGC_Digest( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, + CK_ULONG ulDataLen, + CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen) { COMMON_DEFINITIONS; @@ -1818,23 +1841,23 @@ CK_RV NSSDBGC_Digest( PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen)); PR_LOG(modlog, 3, (fmt_pDigest, pDigest)); PR_LOG(modlog, 3, (fmt_pulDigestLen, pulDigestLen)); - nssdbg_start_time(FUNC_C_DIGEST,&start); + nssdbg_start_time(FUNC_C_DIGEST, &start); rv = module_functions->C_Digest(hSession, - pData, - ulDataLen, - pDigest, - pulDigestLen); - nssdbg_finish_time(FUNC_C_DIGEST,start); + pData, + ulDataLen, + pDigest, + pulDigestLen); + nssdbg_finish_time(FUNC_C_DIGEST, start); PR_LOG(modlog, 4, (fmt_spulDigestLen, *pulDigestLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DigestUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) +CK_RV +NSSDBGC_DigestUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen) { COMMON_DEFINITIONS; @@ -1842,37 +1865,37 @@ CK_RV NSSDBGC_DigestUpdate( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); - nssdbg_start_time(FUNC_C_DIGESTUPDATE,&start); + nssdbg_start_time(FUNC_C_DIGESTUPDATE, &start); rv = module_functions->C_DigestUpdate(hSession, - pPart, - ulPartLen); - nssdbg_finish_time(FUNC_C_DIGESTUPDATE,start); + pPart, + ulPartLen); + nssdbg_finish_time(FUNC_C_DIGESTUPDATE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_DigestKey( - CK_SESSION_HANDLE hSession, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_DigestKey( + CK_SESSION_HANDLE hSession, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_DigestKey")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_DIGESTKEY,&start); + nssdbg_start_time(FUNC_C_DIGESTKEY, &start); rv = module_functions->C_DigestKey(hSession, - hKey); - nssdbg_finish_time(FUNC_C_DIGESTKEY,start); + hKey); + nssdbg_finish_time(FUNC_C_DIGESTKEY, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_DigestFinal( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pDigest, - CK_ULONG_PTR pulDigestLen -) +CK_RV +NSSDBGC_DigestFinal( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pDigest, + CK_ULONG_PTR pulDigestLen) { COMMON_DEFINITIONS; @@ -1880,21 +1903,21 @@ CK_RV NSSDBGC_DigestFinal( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pDigest, pDigest)); PR_LOG(modlog, 3, (fmt_pulDigestLen, pulDigestLen)); - nssdbg_start_time(FUNC_C_DIGESTFINAL,&start); + nssdbg_start_time(FUNC_C_DIGESTFINAL, &start); rv = module_functions->C_DigestFinal(hSession, - pDigest, - pulDigestLen); - nssdbg_finish_time(FUNC_C_DIGESTFINAL,start); + pDigest, + pulDigestLen); + nssdbg_finish_time(FUNC_C_DIGESTFINAL, start); PR_LOG(modlog, 4, (fmt_spulDigestLen, *pulDigestLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_SignInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -1903,22 +1926,22 @@ CK_RV NSSDBGC_SignInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_SIGNINIT,&start); + nssdbg_start_time(FUNC_C_SIGNINIT, &start); rv = module_functions->C_SignInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_SIGNINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_SIGNINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Sign( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) +CK_RV +NSSDBGC_Sign( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, + CK_ULONG ulDataLen, + CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) { COMMON_DEFINITIONS; @@ -1928,23 +1951,23 @@ CK_RV NSSDBGC_Sign( PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen)); PR_LOG(modlog, 3, (fmt_pSignature, pSignature)); PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen)); - nssdbg_start_time(FUNC_C_SIGN,&start); + nssdbg_start_time(FUNC_C_SIGN, &start); rv = module_functions->C_Sign(hSession, - pData, - ulDataLen, - pSignature, - pulSignatureLen); - nssdbg_finish_time(FUNC_C_SIGN,start); + pData, + ulDataLen, + pSignature, + pulSignatureLen); + nssdbg_finish_time(FUNC_C_SIGN, start); PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) +CK_RV +NSSDBGC_SignUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen) { COMMON_DEFINITIONS; @@ -1952,20 +1975,20 @@ CK_RV NSSDBGC_SignUpdate( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); - nssdbg_start_time(FUNC_C_SIGNUPDATE,&start); + nssdbg_start_time(FUNC_C_SIGNUPDATE, &start); rv = module_functions->C_SignUpdate(hSession, - pPart, - ulPartLen); - nssdbg_finish_time(FUNC_C_SIGNUPDATE,start); + pPart, + ulPartLen); + nssdbg_finish_time(FUNC_C_SIGNUPDATE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignFinal( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) +CK_RV +NSSDBGC_SignFinal( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) { COMMON_DEFINITIONS; @@ -1973,21 +1996,21 @@ CK_RV NSSDBGC_SignFinal( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pSignature, pSignature)); PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen)); - nssdbg_start_time(FUNC_C_SIGNFINAL,&start); + nssdbg_start_time(FUNC_C_SIGNFINAL, &start); rv = module_functions->C_SignFinal(hSession, - pSignature, - pulSignatureLen); - nssdbg_finish_time(FUNC_C_SIGNFINAL,start); + pSignature, + pulSignatureLen); + nssdbg_finish_time(FUNC_C_SIGNFINAL, start); PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignRecoverInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_SignRecoverInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -1996,22 +2019,22 @@ CK_RV NSSDBGC_SignRecoverInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_SIGNRECOVERINIT,&start); + nssdbg_start_time(FUNC_C_SIGNRECOVERINIT, &start); rv = module_functions->C_SignRecoverInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_SIGNRECOVERINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_SIGNRECOVERINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignRecover( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG_PTR pulSignatureLen -) +CK_RV +NSSDBGC_SignRecover( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, + CK_ULONG ulDataLen, + CK_BYTE_PTR pSignature, + CK_ULONG_PTR pulSignatureLen) { COMMON_DEFINITIONS; @@ -2021,23 +2044,23 @@ CK_RV NSSDBGC_SignRecover( PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen)); PR_LOG(modlog, 3, (fmt_pSignature, pSignature)); PR_LOG(modlog, 3, (fmt_pulSignatureLen, pulSignatureLen)); - nssdbg_start_time(FUNC_C_SIGNRECOVER,&start); + nssdbg_start_time(FUNC_C_SIGNRECOVER, &start); rv = module_functions->C_SignRecover(hSession, - pData, - ulDataLen, - pSignature, - pulSignatureLen); - nssdbg_finish_time(FUNC_C_SIGNRECOVER,start); + pData, + ulDataLen, + pSignature, + pulSignatureLen); + nssdbg_finish_time(FUNC_C_SIGNRECOVER, start); PR_LOG(modlog, 4, (fmt_spulSignatureLen, *pulSignatureLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_VerifyInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_VerifyInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -2046,22 +2069,22 @@ CK_RV NSSDBGC_VerifyInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_VERIFYINIT,&start); + nssdbg_start_time(FUNC_C_VERIFYINIT, &start); rv = module_functions->C_VerifyInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_VERIFYINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_VERIFYINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_Verify( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pData, - CK_ULONG ulDataLen, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen -) +CK_RV +NSSDBGC_Verify( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pData, + CK_ULONG ulDataLen, + CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) { COMMON_DEFINITIONS; @@ -2071,22 +2094,22 @@ CK_RV NSSDBGC_Verify( PR_LOG(modlog, 3, (fmt_ulDataLen, ulDataLen)); PR_LOG(modlog, 3, (fmt_pSignature, pSignature)); PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen)); - nssdbg_start_time(FUNC_C_VERIFY,&start); + nssdbg_start_time(FUNC_C_VERIFY, &start); rv = module_functions->C_Verify(hSession, - pData, - ulDataLen, - pSignature, - ulSignatureLen); - nssdbg_finish_time(FUNC_C_VERIFY,start); + pData, + ulDataLen, + pSignature, + ulSignatureLen); + nssdbg_finish_time(FUNC_C_VERIFY, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_VerifyUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen -) +CK_RV +NSSDBGC_VerifyUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen) { COMMON_DEFINITIONS; @@ -2094,20 +2117,20 @@ CK_RV NSSDBGC_VerifyUpdate( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); - nssdbg_start_time(FUNC_C_VERIFYUPDATE,&start); + nssdbg_start_time(FUNC_C_VERIFYUPDATE, &start); rv = module_functions->C_VerifyUpdate(hSession, - pPart, - ulPartLen); - nssdbg_finish_time(FUNC_C_VERIFYUPDATE,start); + pPart, + ulPartLen); + nssdbg_finish_time(FUNC_C_VERIFYUPDATE, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_VerifyFinal( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen -) +CK_RV +NSSDBGC_VerifyFinal( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen) { COMMON_DEFINITIONS; @@ -2115,20 +2138,20 @@ CK_RV NSSDBGC_VerifyFinal( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (fmt_pSignature, pSignature)); PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen)); - nssdbg_start_time(FUNC_C_VERIFYFINAL,&start); + nssdbg_start_time(FUNC_C_VERIFYFINAL, &start); rv = module_functions->C_VerifyFinal(hSession, - pSignature, - ulSignatureLen); - nssdbg_finish_time(FUNC_C_VERIFYFINAL,start); + pSignature, + ulSignatureLen); + nssdbg_finish_time(FUNC_C_VERIFYFINAL, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_VerifyRecoverInit( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hKey -) +CK_RV +NSSDBGC_VerifyRecoverInit( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hKey) { COMMON_DEFINITIONS; @@ -2137,22 +2160,22 @@ CK_RV NSSDBGC_VerifyRecoverInit( PR_LOG(modlog, 3, (fmt_pMechanism, pMechanism)); log_handle(3, fmt_hKey, hKey); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_VERIFYRECOVERINIT,&start); + nssdbg_start_time(FUNC_C_VERIFYRECOVERINIT, &start); rv = module_functions->C_VerifyRecoverInit(hSession, - pMechanism, - hKey); - nssdbg_finish_time(FUNC_C_VERIFYRECOVERINIT,start); + pMechanism, + hKey); + nssdbg_finish_time(FUNC_C_VERIFYRECOVERINIT, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_VerifyRecover( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSignature, - CK_ULONG ulSignatureLen, - CK_BYTE_PTR pData, - CK_ULONG_PTR pulDataLen -) +CK_RV +NSSDBGC_VerifyRecover( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSignature, + CK_ULONG ulSignatureLen, + CK_BYTE_PTR pData, + CK_ULONG_PTR pulDataLen) { COMMON_DEFINITIONS; @@ -2162,25 +2185,25 @@ CK_RV NSSDBGC_VerifyRecover( PR_LOG(modlog, 3, (fmt_ulSignatureLen, ulSignatureLen)); PR_LOG(modlog, 3, (fmt_pData, pData)); PR_LOG(modlog, 3, (fmt_pulDataLen, pulDataLen)); - nssdbg_start_time(FUNC_C_VERIFYRECOVER,&start); + nssdbg_start_time(FUNC_C_VERIFYRECOVER, &start); rv = module_functions->C_VerifyRecover(hSession, - pSignature, - ulSignatureLen, - pData, - pulDataLen); - nssdbg_finish_time(FUNC_C_VERIFYRECOVER,start); + pSignature, + ulSignatureLen, + pData, + pulDataLen); + nssdbg_finish_time(FUNC_C_VERIFYRECOVER, start); PR_LOG(modlog, 4, (fmt_spulDataLen, *pulDataLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DigestEncryptUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) +CK_RV +NSSDBGC_DigestEncryptUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) { COMMON_DEFINITIONS; @@ -2190,25 +2213,25 @@ CK_RV NSSDBGC_DigestEncryptUpdate( PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart)); PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen)); - nssdbg_start_time(FUNC_C_DIGESTENCRYPTUPDATE,&start); + nssdbg_start_time(FUNC_C_DIGESTENCRYPTUPDATE, &start); rv = module_functions->C_DigestEncryptUpdate(hSession, - pPart, - ulPartLen, - pEncryptedPart, - pulEncryptedPartLen); - nssdbg_finish_time(FUNC_C_DIGESTENCRYPTUPDATE,start); + pPart, + ulPartLen, + pEncryptedPart, + pulEncryptedPartLen); + nssdbg_finish_time(FUNC_C_DIGESTENCRYPTUPDATE, start); PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DecryptDigestUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) +CK_RV +NSSDBGC_DecryptDigestUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, + CK_ULONG_PTR pulPartLen) { COMMON_DEFINITIONS; @@ -2218,25 +2241,25 @@ CK_RV NSSDBGC_DecryptDigestUpdate( PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen)); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen)); - nssdbg_start_time(FUNC_C_DECRYPTDIGESTUPDATE,&start); + nssdbg_start_time(FUNC_C_DECRYPTDIGESTUPDATE, &start); rv = module_functions->C_DecryptDigestUpdate(hSession, - pEncryptedPart, - ulEncryptedPartLen, - pPart, - pulPartLen); - nssdbg_finish_time(FUNC_C_DECRYPTDIGESTUPDATE,start); + pEncryptedPart, + ulEncryptedPartLen, + pPart, + pulPartLen); + nssdbg_finish_time(FUNC_C_DECRYPTDIGESTUPDATE, start); PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_SignEncryptUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pPart, - CK_ULONG ulPartLen, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG_PTR pulEncryptedPartLen -) +CK_RV +NSSDBGC_SignEncryptUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pPart, + CK_ULONG ulPartLen, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG_PTR pulEncryptedPartLen) { COMMON_DEFINITIONS; @@ -2246,25 +2269,25 @@ CK_RV NSSDBGC_SignEncryptUpdate( PR_LOG(modlog, 3, (fmt_ulPartLen, ulPartLen)); PR_LOG(modlog, 3, (fmt_pEncryptedPart, pEncryptedPart)); PR_LOG(modlog, 3, (fmt_pulEncryptedPartLen, pulEncryptedPartLen)); - nssdbg_start_time(FUNC_C_SIGNENCRYPTUPDATE,&start); + nssdbg_start_time(FUNC_C_SIGNENCRYPTUPDATE, &start); rv = module_functions->C_SignEncryptUpdate(hSession, - pPart, - ulPartLen, - pEncryptedPart, - pulEncryptedPartLen); - nssdbg_finish_time(FUNC_C_SIGNENCRYPTUPDATE,start); + pPart, + ulPartLen, + pEncryptedPart, + pulEncryptedPartLen); + nssdbg_finish_time(FUNC_C_SIGNENCRYPTUPDATE, start); PR_LOG(modlog, 4, (fmt_spulEncryptedPartLen, *pulEncryptedPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_DecryptVerifyUpdate( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pEncryptedPart, - CK_ULONG ulEncryptedPartLen, - CK_BYTE_PTR pPart, - CK_ULONG_PTR pulPartLen -) +CK_RV +NSSDBGC_DecryptVerifyUpdate( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pEncryptedPart, + CK_ULONG ulEncryptedPartLen, + CK_BYTE_PTR pPart, + CK_ULONG_PTR pulPartLen) { COMMON_DEFINITIONS; @@ -2274,25 +2297,25 @@ CK_RV NSSDBGC_DecryptVerifyUpdate( PR_LOG(modlog, 3, (fmt_ulEncryptedPartLen, ulEncryptedPartLen)); PR_LOG(modlog, 3, (fmt_pPart, pPart)); PR_LOG(modlog, 3, (fmt_pulPartLen, pulPartLen)); - nssdbg_start_time(FUNC_C_DECRYPTVERIFYUPDATE,&start); + nssdbg_start_time(FUNC_C_DECRYPTVERIFYUPDATE, &start); rv = module_functions->C_DecryptVerifyUpdate(hSession, - pEncryptedPart, - ulEncryptedPartLen, - pPart, - pulPartLen); - nssdbg_finish_time(FUNC_C_DECRYPTVERIFYUPDATE,start); + pEncryptedPart, + ulEncryptedPartLen, + pPart, + pulPartLen); + nssdbg_finish_time(FUNC_C_DECRYPTVERIFYUPDATE, start); PR_LOG(modlog, 4, (fmt_spulPartLen, *pulPartLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_GenerateKey( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulCount, - CK_OBJECT_HANDLE_PTR phKey -) +CK_RV +NSSDBGC_GenerateKey( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulCount, + CK_OBJECT_HANDLE_PTR phKey) { COMMON_DEFINITIONS; @@ -2304,28 +2327,28 @@ CK_RV NSSDBGC_GenerateKey( PR_LOG(modlog, 3, (fmt_phKey, phKey)); print_template(pTemplate, ulCount); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_GENERATEKEY,&start); + nssdbg_start_time(FUNC_C_GENERATEKEY, &start); rv = module_functions->C_GenerateKey(hSession, - pMechanism, - pTemplate, - ulCount, - phKey); - nssdbg_finish_time(FUNC_C_GENERATEKEY,start); + pMechanism, + pTemplate, + ulCount, + phKey); + nssdbg_finish_time(FUNC_C_GENERATEKEY, start); log_handle(4, fmt_sphKey, *phKey); log_rv(rv); return rv; } -CK_RV NSSDBGC_GenerateKeyPair( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_ATTRIBUTE_PTR pPublicKeyTemplate, - CK_ULONG ulPublicKeyAttributeCount, - CK_ATTRIBUTE_PTR pPrivateKeyTemplate, - CK_ULONG ulPrivateKeyAttributeCount, - CK_OBJECT_HANDLE_PTR phPublicKey, - CK_OBJECT_HANDLE_PTR phPrivateKey -) +CK_RV +NSSDBGC_GenerateKeyPair( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_ATTRIBUTE_PTR pPublicKeyTemplate, + CK_ULONG ulPublicKeyAttributeCount, + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, + CK_ULONG ulPrivateKeyAttributeCount, + CK_OBJECT_HANDLE_PTR phPublicKey, + CK_OBJECT_HANDLE_PTR phPrivateKey) { COMMON_DEFINITIONS; @@ -2341,30 +2364,30 @@ CK_RV NSSDBGC_GenerateKeyPair( PR_LOG(modlog, 3, (" phPrivateKey = 0x%p", phPrivateKey)); print_template(pPrivateKeyTemplate, ulPrivateKeyAttributeCount); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_GENERATEKEYPAIR,&start); + nssdbg_start_time(FUNC_C_GENERATEKEYPAIR, &start); rv = module_functions->C_GenerateKeyPair(hSession, - pMechanism, - pPublicKeyTemplate, - ulPublicKeyAttributeCount, - pPrivateKeyTemplate, - ulPrivateKeyAttributeCount, - phPublicKey, - phPrivateKey); - nssdbg_finish_time(FUNC_C_GENERATEKEYPAIR,start); + pMechanism, + pPublicKeyTemplate, + ulPublicKeyAttributeCount, + pPrivateKeyTemplate, + ulPrivateKeyAttributeCount, + phPublicKey, + phPrivateKey); + nssdbg_finish_time(FUNC_C_GENERATEKEYPAIR, start); log_handle(4, " *phPublicKey = 0x%x", *phPublicKey); log_handle(4, " *phPrivateKey = 0x%x", *phPrivateKey); log_rv(rv); return rv; } -CK_RV NSSDBGC_WrapKey( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hWrappingKey, - CK_OBJECT_HANDLE hKey, - CK_BYTE_PTR pWrappedKey, - CK_ULONG_PTR pulWrappedKeyLen -) +CK_RV +NSSDBGC_WrapKey( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hWrappingKey, + CK_OBJECT_HANDLE hKey, + CK_BYTE_PTR pWrappedKey, + CK_ULONG_PTR pulWrappedKeyLen) { COMMON_DEFINITIONS; @@ -2376,29 +2399,29 @@ CK_RV NSSDBGC_WrapKey( PR_LOG(modlog, 3, (fmt_pWrappedKey, pWrappedKey)); PR_LOG(modlog, 3, (" pulWrappedKeyLen = 0x%p", pulWrappedKeyLen)); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_WRAPKEY,&start); + nssdbg_start_time(FUNC_C_WRAPKEY, &start); rv = module_functions->C_WrapKey(hSession, - pMechanism, - hWrappingKey, - hKey, - pWrappedKey, - pulWrappedKeyLen); - nssdbg_finish_time(FUNC_C_WRAPKEY,start); + pMechanism, + hWrappingKey, + hKey, + pWrappedKey, + pulWrappedKeyLen); + nssdbg_finish_time(FUNC_C_WRAPKEY, start); PR_LOG(modlog, 4, (" *pulWrappedKeyLen = 0x%x", *pulWrappedKeyLen)); log_rv(rv); return rv; } -CK_RV NSSDBGC_UnwrapKey( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hUnwrappingKey, - CK_BYTE_PTR pWrappedKey, - CK_ULONG ulWrappedKeyLen, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, - CK_OBJECT_HANDLE_PTR phKey -) +CK_RV +NSSDBGC_UnwrapKey( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hUnwrappingKey, + CK_BYTE_PTR pWrappedKey, + CK_ULONG ulWrappedKeyLen, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey) { COMMON_DEFINITIONS; @@ -2413,29 +2436,29 @@ CK_RV NSSDBGC_UnwrapKey( PR_LOG(modlog, 3, (fmt_phKey, phKey)); print_template(pTemplate, ulAttributeCount); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_UNWRAPKEY,&start); + nssdbg_start_time(FUNC_C_UNWRAPKEY, &start); rv = module_functions->C_UnwrapKey(hSession, - pMechanism, - hUnwrappingKey, - pWrappedKey, - ulWrappedKeyLen, - pTemplate, - ulAttributeCount, - phKey); - nssdbg_finish_time(FUNC_C_UNWRAPKEY,start); + pMechanism, + hUnwrappingKey, + pWrappedKey, + ulWrappedKeyLen, + pTemplate, + ulAttributeCount, + phKey); + nssdbg_finish_time(FUNC_C_UNWRAPKEY, start); log_handle(4, fmt_sphKey, *phKey); log_rv(rv); return rv; } -CK_RV NSSDBGC_DeriveKey( - CK_SESSION_HANDLE hSession, - CK_MECHANISM_PTR pMechanism, - CK_OBJECT_HANDLE hBaseKey, - CK_ATTRIBUTE_PTR pTemplate, - CK_ULONG ulAttributeCount, - CK_OBJECT_HANDLE_PTR phKey -) +CK_RV +NSSDBGC_DeriveKey( + CK_SESSION_HANDLE hSession, + CK_MECHANISM_PTR pMechanism, + CK_OBJECT_HANDLE hBaseKey, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_OBJECT_HANDLE_PTR phKey) { COMMON_DEFINITIONS; @@ -2448,24 +2471,24 @@ CK_RV NSSDBGC_DeriveKey( PR_LOG(modlog, 3, (fmt_phKey, phKey)); print_template(pTemplate, ulAttributeCount); print_mechanism(pMechanism); - nssdbg_start_time(FUNC_C_DERIVEKEY,&start); + nssdbg_start_time(FUNC_C_DERIVEKEY, &start); rv = module_functions->C_DeriveKey(hSession, - pMechanism, - hBaseKey, - pTemplate, - ulAttributeCount, - phKey); - nssdbg_finish_time(FUNC_C_DERIVEKEY,start); + pMechanism, + hBaseKey, + pTemplate, + ulAttributeCount, + phKey); + nssdbg_finish_time(FUNC_C_DERIVEKEY, start); log_handle(4, fmt_sphKey, *phKey); log_rv(rv); return rv; } -CK_RV NSSDBGC_SeedRandom( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR pSeed, - CK_ULONG ulSeedLen -) +CK_RV +NSSDBGC_SeedRandom( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR pSeed, + CK_ULONG ulSeedLen) { COMMON_DEFINITIONS; @@ -2473,20 +2496,20 @@ CK_RV NSSDBGC_SeedRandom( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (" pSeed = 0x%p", pSeed)); PR_LOG(modlog, 3, (" ulSeedLen = %d", ulSeedLen)); - nssdbg_start_time(FUNC_C_SEEDRANDOM,&start); + nssdbg_start_time(FUNC_C_SEEDRANDOM, &start); rv = module_functions->C_SeedRandom(hSession, - pSeed, - ulSeedLen); - nssdbg_finish_time(FUNC_C_SEEDRANDOM,start); + pSeed, + ulSeedLen); + nssdbg_finish_time(FUNC_C_SEEDRANDOM, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GenerateRandom( - CK_SESSION_HANDLE hSession, - CK_BYTE_PTR RandomData, - CK_ULONG ulRandomLen -) +CK_RV +NSSDBGC_GenerateRandom( + CK_SESSION_HANDLE hSession, + CK_BYTE_PTR RandomData, + CK_ULONG ulRandomLen) { COMMON_DEFINITIONS; @@ -2494,50 +2517,50 @@ CK_RV NSSDBGC_GenerateRandom( log_handle(3, fmt_hSession, hSession); PR_LOG(modlog, 3, (" RandomData = 0x%p", RandomData)); PR_LOG(modlog, 3, (" ulRandomLen = %d", ulRandomLen)); - nssdbg_start_time(FUNC_C_GENERATERANDOM,&start); + nssdbg_start_time(FUNC_C_GENERATERANDOM, &start); rv = module_functions->C_GenerateRandom(hSession, - RandomData, - ulRandomLen); - nssdbg_finish_time(FUNC_C_GENERATERANDOM,start); + RandomData, + ulRandomLen); + nssdbg_finish_time(FUNC_C_GENERATERANDOM, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_GetFunctionStatus( - CK_SESSION_HANDLE hSession -) +CK_RV +NSSDBGC_GetFunctionStatus( + CK_SESSION_HANDLE hSession) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_GetFunctionStatus")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_GETFUNCTIONSTATUS,&start); + nssdbg_start_time(FUNC_C_GETFUNCTIONSTATUS, &start); rv = module_functions->C_GetFunctionStatus(hSession); - nssdbg_finish_time(FUNC_C_GETFUNCTIONSTATUS,start); + nssdbg_finish_time(FUNC_C_GETFUNCTIONSTATUS, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_CancelFunction( - CK_SESSION_HANDLE hSession -) +CK_RV +NSSDBGC_CancelFunction( + CK_SESSION_HANDLE hSession) { COMMON_DEFINITIONS; PR_LOG(modlog, 1, ("C_CancelFunction")); log_handle(3, fmt_hSession, hSession); - nssdbg_start_time(FUNC_C_CANCELFUNCTION,&start); + nssdbg_start_time(FUNC_C_CANCELFUNCTION, &start); rv = module_functions->C_CancelFunction(hSession); - nssdbg_finish_time(FUNC_C_CANCELFUNCTION,start); + nssdbg_finish_time(FUNC_C_CANCELFUNCTION, start); log_rv(rv); return rv; } -CK_RV NSSDBGC_WaitForSlotEvent( - CK_FLAGS flags, - CK_SLOT_ID_PTR pSlot, - CK_VOID_PTR pRserved -) +CK_RV +NSSDBGC_WaitForSlotEvent( + CK_FLAGS flags, + CK_SLOT_ID_PTR pSlot, + CK_VOID_PTR pRserved) { COMMON_DEFINITIONS; @@ -2545,18 +2568,18 @@ CK_RV NSSDBGC_WaitForSlotEvent( PR_LOG(modlog, 3, (fmt_flags, flags)); PR_LOG(modlog, 3, (" pSlot = 0x%p", pSlot)); PR_LOG(modlog, 3, (" pRserved = 0x%p", pRserved)); - nssdbg_start_time(FUNC_C_WAITFORSLOTEVENT,&start); + nssdbg_start_time(FUNC_C_WAITFORSLOTEVENT, &start); rv = module_functions->C_WaitForSlotEvent(flags, - pSlot, - pRserved); - nssdbg_finish_time(FUNC_C_WAITFORSLOTEVENT,start); + pSlot, + pRserved); + nssdbg_finish_time(FUNC_C_WAITFORSLOTEVENT, start); log_rv(rv); return rv; } -CK_FUNCTION_LIST_PTR nss_InsertDeviceLog( - CK_FUNCTION_LIST_PTR devEPV -) +CK_FUNCTION_LIST_PTR +nss_InsertDeviceLog( + CK_FUNCTION_LIST_PTR devEPV) { module_functions = devEPV; modlog = PR_NewLogModule("nss_mod_log"); @@ -2644,38 +2667,40 @@ CK_FUNCTION_LIST_PTR nss_InsertDeviceLog( * the time in microsecond. * */ -static PRUint32 getPrintTime(PRIntervalTime time ,char **type) -{ - PRUint32 prTime; - - /* detect a programming error by outputting 'bu' to the output stream - * rather than crashing */ - *type = "bug"; - if (time == 0) { - *type = "z"; - return 0; - } - - prTime = PR_IntervalToSeconds(time); - - if (prTime >= 600) { - *type="m"; - return prTime/60; - } - if (prTime >= 10) { - *type="s"; - return prTime; - } - prTime = PR_IntervalToMilliseconds(time); - if (prTime >= 10) { - *type="ms"; - return prTime; - } - *type = "us"; - return PR_IntervalToMicroseconds(time); -} - -static void print_final_statistics(void) +static PRUint32 +getPrintTime(PRIntervalTime time, char **type) +{ + PRUint32 prTime; + + /* detect a programming error by outputting 'bu' to the output stream + * rather than crashing */ + *type = "bug"; + if (time == 0) { + *type = "z"; + return 0; + } + + prTime = PR_IntervalToSeconds(time); + + if (prTime >= 600) { + *type = "m"; + return prTime / 60; + } + if (prTime >= 10) { + *type = "s"; + return prTime; + } + prTime = PR_IntervalToMilliseconds(time); + if (prTime >= 10) { + *type = "ms"; + return prTime; + } + *type = "us"; + return PR_IntervalToMicroseconds(time); +} + +static void +print_final_statistics(void) { int total_calls = 0; PRIntervalTime total_time = 0; @@ -2685,53 +2710,51 @@ static void print_final_statistics(void) FILE *outfile = NULL; int i; - fname = PR_GetEnv("NSS_OUTPUT_FILE"); + fname = PR_GetEnvSecure("NSS_OUTPUT_FILE"); if (fname) { - /* need to add an optional process id to the filename */ - outfile = fopen(fname,"w+"); + /* need to add an optional process id to the filename */ + outfile = fopen(fname, "w+"); } if (!outfile) { - outfile = stdout; + outfile = stdout; } - - - fprintf(outfile,"%-25s %10s %12s %12s %10s\n", "Function", "# Calls", - "Time", "Avg.", "% Time"); - fprintf(outfile,"\n"); - for (i=0; i < nssdbg_prof_size; i++) { - total_calls += nssdbg_prof_data[i].calls; - total_time += nssdbg_prof_data[i].time; + + fprintf(outfile, "%-25s %10s %12s %12s %10s\n", "Function", "# Calls", + "Time", "Avg.", "% Time"); + fprintf(outfile, "\n"); + for (i = 0; i < nssdbg_prof_size; i++) { + total_calls += nssdbg_prof_data[i].calls; + total_time += nssdbg_prof_data[i].time; } - for (i=0; i < nssdbg_prof_size; i++) { - PRIntervalTime time = nssdbg_prof_data[i].time; - PRUint32 usTime = PR_IntervalToMicroseconds(time); - PRUint32 prTime = 0; - PRUint32 calls = nssdbg_prof_data[i].calls; - /* don't print out functions that weren't even called */ - if (calls == 0) { - continue; - } - - prTime = getPrintTime(time,&type); - - fprintf(outfile,"%-25s %10d %10d%2s ", nssdbg_prof_data[i].function, - calls, prTime, type); - /* for now always output the average in microseconds */ - fprintf(outfile,"%10.2f%2s", (float)usTime / (float)calls, "us" ); - fprintf(outfile,"%10.2f%%", ((float)time / (float)total_time) * 100); - fprintf(outfile,"\n"); + for (i = 0; i < nssdbg_prof_size; i++) { + PRIntervalTime time = nssdbg_prof_data[i].time; + PRUint32 usTime = PR_IntervalToMicroseconds(time); + PRUint32 prTime = 0; + PRUint32 calls = nssdbg_prof_data[i].calls; + /* don't print out functions that weren't even called */ + if (calls == 0) { + continue; + } + + prTime = getPrintTime(time, &type); + + fprintf(outfile, "%-25s %10d %10d%2s ", nssdbg_prof_data[i].function, + calls, prTime, type); + /* for now always output the average in microseconds */ + fprintf(outfile, "%10.2f%2s", (float)usTime / (float)calls, "us"); + fprintf(outfile, "%10.2f%%", ((float)time / (float)total_time) * 100); + fprintf(outfile, "\n"); } - fprintf(outfile,"\n"); + fprintf(outfile, "\n"); - pr_total_time = getPrintTime(total_time,&type); + pr_total_time = getPrintTime(total_time, &type); - fprintf(outfile,"%25s %10d %10d%2s\n", "Totals", total_calls, - pr_total_time, type); - fprintf(outfile,"\n\nMaximum number of concurrent open sessions: %d\n\n", - maxOpenSessions); - fflush (outfile); + fprintf(outfile, "%25s %10d %10d%2s\n", "Totals", total_calls, + pr_total_time, type); + fprintf(outfile, "\n\nMaximum number of concurrent open sessions: %d\n\n", + maxOpenSessions); + fflush(outfile); if (outfile != stdout) { - fclose(outfile); + fclose(outfile); } } - diff --git a/nss/lib/pk11wrap/dev3hack.c b/nss/lib/pk11wrap/dev3hack.c index c1fe55c..27325a5 100644 --- a/nss/lib/pk11wrap/dev3hack.c +++ b/nss/lib/pk11wrap/dev3hack.c @@ -24,45 +24,43 @@ NSS_IMPLEMENT nssSession * nssSession_ImportNSS3Session(NSSArena *arenaOpt, - CK_SESSION_HANDLE session, + CK_SESSION_HANDLE session, PZLock *lock, PRBool rw) { nssSession *rvSession = NULL; if (session != CK_INVALID_SESSION) { - rvSession = nss_ZNEW(arenaOpt, nssSession); - if (rvSession) { - rvSession->handle = session; - rvSession->lock = lock; - rvSession->ownLock = PR_FALSE; - rvSession->isRW = rw; - } + rvSession = nss_ZNEW(arenaOpt, nssSession); + if (rvSession) { + rvSession->handle = session; + rvSession->lock = lock; + rvSession->ownLock = PR_FALSE; + rvSession->isRW = rw; + } } return rvSession; } NSS_IMPLEMENT nssSession * -nssSlot_CreateSession -( - NSSSlot *slot, - NSSArena *arenaOpt, - PRBool readWrite -) +nssSlot_CreateSession( + NSSSlot *slot, + NSSArena *arenaOpt, + PRBool readWrite) { nssSession *rvSession; if (!readWrite) { - /* nss3hack version only returns rw swssions */ - return NULL; + /* nss3hack version only returns rw swssions */ + return NULL; } rvSession = nss_ZNEW(arenaOpt, nssSession); if (!rvSession) { - return (nssSession *)NULL; + return (nssSession *)NULL; } rvSession->handle = PK11_GetRWSession(slot->pk11slot); if (rvSession->handle == CK_INVALID_HANDLE) { - nss_ZFreeIf(rvSession); - return NULL; + nss_ZFreeIf(rvSession); + return NULL; } rvSession->isRW = PR_TRUE; rvSession->slot = slot; @@ -87,17 +85,14 @@ nssSlot_CreateSession } NSS_IMPLEMENT PRStatus -nssSession_Destroy -( - nssSession *s -) +nssSession_Destroy(nssSession *s) { PRStatus rv = PR_SUCCESS; if (s) { - if (s->isRW) { - PK11_RestoreROSession(s->slot->pk11slot, s->handle); - } - rv = nss_ZFreeIf(s); + if (s->isRW) { + PK11_RestoreROSession(s->slot->pk11slot, s->handle); + } + rv = nss_ZFreeIf(s); } return rv; } @@ -109,12 +104,12 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) NSSArena *arena; arena = nssArena_Create(); if (!arena) { - return NULL; + return NULL; } rvSlot = nss_ZNEW(arena, NSSSlot); if (!rvSlot) { - nssArena_Destroy(arena); - return NULL; + nssArena_Destroy(arena); + return NULL; } rvSlot->base.refCount = 1; rvSlot->base.lock = PZ_NewLock(nssILockOther); @@ -123,7 +118,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) rvSlot->epv = nss3slot->functionList; rvSlot->slotID = nss3slot->slotID; /* Grab the slot name from the PKCS#11 fixed-length buffer */ - rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name,td->arena); + rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena); rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; return rvSlot; } @@ -136,53 +131,53 @@ nssToken_CreateFromPK11SlotInfo(NSSTrustDomain *td, PK11SlotInfo *nss3slot) /* Don't create a token object for a disabled slot */ if (nss3slot->disabled) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - return NULL; + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; } arena = nssArena_Create(); if (!arena) { - return NULL; + return NULL; } rvToken = nss_ZNEW(arena, NSSToken); if (!rvToken) { - nssArena_Destroy(arena); - return NULL; + nssArena_Destroy(arena); + return NULL; } rvToken->base.refCount = 1; rvToken->base.lock = PZ_NewLock(nssILockOther); if (!rvToken->base.lock) { - nssArena_Destroy(arena); - return NULL; + nssArena_Destroy(arena); + return NULL; } rvToken->base.arena = arena; rvToken->pk11slot = nss3slot; rvToken->epv = nss3slot->functionList; rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena, - nss3slot->session, - nss3slot->sessionLock, - nss3slot->defRWSession); + nss3slot->session, + nss3slot->sessionLock, + nss3slot->defRWSession); #if 0 /* we should do this instead of blindly continuing. */ if (!rvToken->defaultSession) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - goto loser; + PORT_SetError(SEC_ERROR_NO_TOKEN); + goto loser; } #endif if (!PK11_IsInternal(nss3slot) && PK11_IsHW(nss3slot)) { - rvToken->cache = nssTokenObjectCache_Create(rvToken, - PR_TRUE, PR_TRUE, PR_TRUE); - if (!rvToken->cache) - goto loser; + rvToken->cache = nssTokenObjectCache_Create(rvToken, + PR_TRUE, PR_TRUE, PR_TRUE); + if (!rvToken->cache) + goto loser; } rvToken->trustDomain = td; /* Grab the token name from the PKCS#11 fixed-length buffer */ - rvToken->base.name = nssUTF8_Duplicate(nss3slot->token_name,td->arena); + rvToken->base.name = nssUTF8_Duplicate(nss3slot->token_name, td->arena); rvToken->slot = nssSlot_CreateFromPK11SlotInfo(td, nss3slot); if (!rvToken->slot) { goto loser; } rvToken->slot->token = rvToken; if (rvToken->defaultSession) - rvToken->defaultSession->slot = rvToken->slot; + rvToken->defaultSession->slot = rvToken->slot; return rvToken; loser: PZ_DestroyLock(rvToken->base.lock); @@ -194,25 +189,19 @@ NSS_IMPLEMENT void nssToken_UpdateName(NSSToken *token) { if (!token) { - return; + return; } - token->base.name = nssUTF8_Duplicate(token->pk11slot->token_name,token->base.arena); + token->base.name = nssUTF8_Duplicate(token->pk11slot->token_name, token->base.arena); } NSS_IMPLEMENT PRBool -nssSlot_IsPermanent -( - NSSSlot *slot -) +nssSlot_IsPermanent(NSSSlot *slot) { return slot->pk11slot->isPerm; } NSS_IMPLEMENT PRBool -nssSlot_IsFriendly -( - NSSSlot *slot -) +nssSlot_IsFriendly(NSSSlot *slot) { return PK11_IsFriendly(slot->pk11slot); } @@ -223,43 +212,37 @@ nssToken_Refresh(NSSToken *token) PK11SlotInfo *nss3slot; if (!token) { - return PR_SUCCESS; + return PR_SUCCESS; } nss3slot = token->pk11slot; - token->defaultSession = - nssSession_ImportNSS3Session(token->slot->base.arena, - nss3slot->session, - nss3slot->sessionLock, - nss3slot->defRWSession); + token->defaultSession = + nssSession_ImportNSS3Session(token->slot->base.arena, + nss3slot->session, + nss3slot->sessionLock, + nss3slot->defRWSession); return token->defaultSession ? PR_SUCCESS : PR_FAILURE; } NSS_IMPLEMENT PRStatus -nssSlot_Refresh -( - NSSSlot *slot -) +nssSlot_Refresh(NSSSlot *slot) { PK11SlotInfo *nss3slot = slot->pk11slot; PRBool doit = PR_FALSE; if (slot->token && slot->token->base.name[0] == 0) { - doit = PR_TRUE; + doit = PR_TRUE; } if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) { - return PR_FAILURE; + return PR_FAILURE; } if (doit) { - nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, - slot->token); + nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, + slot->token); } return nssToken_Refresh(slot->token); } NSS_IMPLEMENT PRStatus -nssToken_GetTrustOrder -( - NSSToken *tok -) +nssToken_GetTrustOrder(NSSToken *tok) { PK11SlotInfo *slot; SECMODModule *module; @@ -269,18 +252,14 @@ nssToken_GetTrustOrder } NSS_IMPLEMENT PRBool -nssSlot_IsLoggedIn -( - NSSSlot *slot -) +nssSlot_IsLoggedIn(NSSSlot *slot) { if (!slot->pk11slot->needLogin) { - return PR_TRUE; + return PR_TRUE; } return PK11_IsLoggedIn(slot->pk11slot, NULL); } - NSSTrustDomain * nssToken_GetTrustDomain(NSSToken *token) { @@ -288,18 +267,13 @@ nssToken_GetTrustDomain(NSSToken *token) } NSS_EXTERN PRStatus -nssTrustDomain_RemoveTokenCertsFromCache -( - NSSTrustDomain *td, - NSSToken *token -); +nssTrustDomain_RemoveTokenCertsFromCache( + NSSTrustDomain *td, + NSSToken *token); NSS_IMPLEMENT PRStatus -nssToken_NotifyCertsNotVisible -( - NSSToken *tok -) +nssToken_NotifyCertsNotVisible( + NSSToken *tok) { return nssTrustDomain_RemoveTokenCertsFromCache(tok->trustDomain, tok); } - diff --git a/nss/lib/pk11wrap/dev3hack.h b/nss/lib/pk11wrap/dev3hack.h index 6b4f8de..6105259 100644 --- a/nss/lib/pk11wrap/dev3hack.h +++ b/nss/lib/pk11wrap/dev3hack.h @@ -23,7 +23,7 @@ nssToken_GetTrustDomain(NSSToken *token); void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst); -NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl); +NSSToken *PK11Slot_GetNSSToken(PK11SlotInfo *sl); PR_END_EXTERN_C diff --git a/nss/lib/pk11wrap/exports.gyp b/nss/lib/pk11wrap/exports.gyp new file mode 100644 index 0000000..b3d4bf4 --- /dev/null +++ b/nss/lib/pk11wrap/exports.gyp @@ -0,0 +1,39 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'lib_pk11wrap_exports', + 'type': 'none', + 'copies': [ + { + 'files': [ + 'pk11func.h', + 'pk11pqg.h', + 'pk11priv.h', + 'pk11pub.h', + 'pk11sdr.h', + 'secmod.h', + 'secmodt.h', + 'secpkcs5.h' + ], + 'destination': '<(nss_public_dist_dir)/<(module)' + }, + { + 'files': [ + 'dev3hack.h', + 'secmodi.h' + ], + 'destination': '<(nss_private_dist_dir)/<(module)' + } + ] + } + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/nss/lib/pk11wrap/pk11akey.c b/nss/lib/pk11wrap/pk11akey.c index b0604de..d086ed4 100644 --- a/nss/lib/pk11wrap/pk11akey.c +++ b/nss/lib/pk11wrap/pk11akey.c @@ -14,53 +14,54 @@ #include "pk11func.h" #include "cert.h" #include "key.h" +#include "keyi.h" #include "secitem.h" -#include "secasn1.h" -#include "secoid.h" +#include "secasn1.h" +#include "secoid.h" #include "secerr.h" #include "sechash.h" -#include "secpkcs5.h" +#include "secpkcs5.h" #include "blapit.h" static SECItem * pk11_MakeIDFromPublicKey(SECKEYPublicKey *pubKey) { /* set the ID to the public key so we can find it again */ - SECItem *pubKeyIndex = NULL; + SECItem *pubKeyIndex = NULL; switch (pubKey->keyType) { - case rsaKey: - pubKeyIndex = &pubKey->u.rsa.modulus; - break; - case dsaKey: - pubKeyIndex = &pubKey->u.dsa.publicValue; - break; - case dhKey: - pubKeyIndex = &pubKey->u.dh.publicValue; - break; - case ecKey: - pubKeyIndex = &pubKey->u.ec.publicValue; - break; - default: - return NULL; + case rsaKey: + pubKeyIndex = &pubKey->u.rsa.modulus; + break; + case dsaKey: + pubKeyIndex = &pubKey->u.dsa.publicValue; + break; + case dhKey: + pubKeyIndex = &pubKey->u.dh.publicValue; + break; + case ecKey: + pubKeyIndex = &pubKey->u.ec.publicValue; + break; + default: + return NULL; } PORT_Assert(pubKeyIndex != NULL); return PK11_MakeIDFromPubKey(pubKeyIndex); -} +} /* * import a public key into the desired slot * - * This function takes a public key structure and creates a public key in a + * This function takes a public key structure and creates a public key in a * given slot. If isToken is set, then a persistant public key is created. * * Note: it is possible for this function to return a handle for a key which * is persistant, even if isToken is not set. */ CK_OBJECT_HANDLE -PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, - PRBool isToken) +PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, + PRBool isToken) { CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; @@ -78,139 +79,167 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, /* if we already have an object in the desired slot, use it */ if (!isToken && pubKey->pkcs11Slot == slot) { - return pubKey->pkcs11ID; + return pubKey->pkcs11ID; } /* free the existing key */ if (pubKey->pkcs11Slot != NULL) { - PK11SlotInfo *oSlot = pubKey->pkcs11Slot; - if (!PK11_IsPermObject(pubKey->pkcs11Slot,pubKey->pkcs11ID)) { - PK11_EnterSlotMonitor(oSlot); - (void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session, - pubKey->pkcs11ID); - PK11_ExitSlotMonitor(oSlot); - } - PK11_FreeSlot(oSlot); - pubKey->pkcs11Slot = NULL; - } - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++; + PK11SlotInfo *oSlot = pubKey->pkcs11Slot; + if (!PK11_IsPermObject(pubKey->pkcs11Slot, pubKey->pkcs11ID)) { + PK11_EnterSlotMonitor(oSlot); + (void)PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session, + pubKey->pkcs11ID); + PK11_ExitSlotMonitor(oSlot); + } + PK11_FreeSlot(oSlot); + pubKey->pkcs11Slot = NULL; + } + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse, - sizeof(CK_BBOOL) ); attrs++; + sizeof(CK_BBOOL)); + attrs++; if (isToken) { - ckaId = pk11_MakeIDFromPublicKey(pubKey); - if (ckaId == NULL) { - PORT_SetError( SEC_ERROR_BAD_KEY ); - return CK_INVALID_HANDLE; - } - PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len); attrs++; + ckaId = pk11_MakeIDFromPublicKey(pubKey); + if (ckaId == NULL) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return CK_INVALID_HANDLE; + } + PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len); + attrs++; } /* now import the key */ { switch (pubKey->keyType) { - case rsaKey: - keyType = CKK_RSA; - PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, - sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data, - pubKey->u.rsa.modulus.len); attrs++; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, - pubKey->u.rsa.publicExponent.data, - pubKey->u.rsa.publicExponent.len); attrs++; - break; - case dsaKey: - keyType = CKK_DSA; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data, - pubKey->u.dsa.params.prime.len); attrs++; - PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data, - pubKey->u.dsa.params.subPrime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data, - pubKey->u.dsa.params.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data, - pubKey->u.dsa.publicValue.len); attrs++; - break; - case fortezzaKey: - keyType = CKK_DSA; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data, - pubKey->u.fortezza.params.prime.len); attrs++; - PK11_SETATTRS(attrs,CKA_SUBPRIME, - pubKey->u.fortezza.params.subPrime.data, - pubKey->u.fortezza.params.subPrime.len);attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data, - pubKey->u.fortezza.params.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, - pubKey->u.fortezza.DSSKey.len); attrs++; - break; - case dhKey: - keyType = CKK_DH; - PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data, - pubKey->u.dh.prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data, - pubKey->u.dh.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data, - pubKey->u.dh.publicValue.len); attrs++; - break; - case ecKey: - keyType = CKK_EC; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, - pubKey->u.ec.DEREncodedParams.data, - pubKey->u.ec.DEREncodedParams.len); attrs++; - if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) { - PK11_SETATTRS(attrs, CKA_EC_POINT, - pubKey->u.ec.publicValue.data, - pubKey->u.ec.publicValue.len); attrs++; - } else { - pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - return CK_INVALID_HANDLE; - } - PK11_SETATTRS(attrs, CKA_EC_POINT, - pubValue->data, pubValue->len); attrs++; - } - break; - default: - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - PORT_SetError( SEC_ERROR_BAD_KEY ); - return CK_INVALID_HANDLE; - } - - templateCount = attrs - theTemplate; - signedcount = attrs - signedattr; - PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE))); - for (attrs=signedattr; signedcount; attrs++, signedcount--) { - pk11_SignedToUnsigned(attrs); - } + case rsaKey: + keyType = CKK_RSA; + PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data, + pubKey->u.rsa.modulus.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, + pubKey->u.rsa.publicExponent.data, + pubKey->u.rsa.publicExponent.len); + attrs++; + break; + case dsaKey: + keyType = CKK_DSA; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data, + pubKey->u.dsa.params.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, pubKey->u.dsa.params.subPrime.data, + pubKey->u.dsa.params.subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data, + pubKey->u.dsa.params.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data, + pubKey->u.dsa.publicValue.len); + attrs++; + break; + case fortezzaKey: + keyType = CKK_DSA; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.fortezza.params.prime.data, + pubKey->u.fortezza.params.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, + pubKey->u.fortezza.params.subPrime.data, + pubKey->u.fortezza.params.subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data, + pubKey->u.fortezza.params.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, + pubKey->u.fortezza.DSSKey.len); + attrs++; + break; + case dhKey: + keyType = CKK_DH; + PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data, + pubKey->u.dh.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data, + pubKey->u.dh.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data, + pubKey->u.dh.publicValue.len); + attrs++; + break; + case ecKey: + keyType = CKK_EC; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, + pubKey->u.ec.DEREncodedParams.data, + pubKey->u.ec.DEREncodedParams.len); + attrs++; + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) { + PK11_SETATTRS(attrs, CKA_EC_POINT, + pubKey->u.ec.publicValue.data, + pubKey->u.ec.publicValue.len); + attrs++; + } else { + pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + return CK_INVALID_HANDLE; + } + PK11_SETATTRS(attrs, CKA_EC_POINT, + pubValue->data, pubValue->len); + attrs++; + } + break; + default: + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + PORT_SetError(SEC_ERROR_BAD_KEY); + return CK_INVALID_HANDLE; + } + + templateCount = attrs - theTemplate; + signedcount = attrs - signedattr; + PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE))); + for (attrs = signedattr; signedcount; attrs++, signedcount--) { + pk11_SignedToUnsigned(attrs); + } rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate, - templateCount, isToken, &objectID); - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - if (pubValue) { - SECITEM_FreeItem(pubValue,PR_TRUE); - } - if ( rv != SECSuccess) { - return CK_INVALID_HANDLE; - } + templateCount, isToken, &objectID); + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + if (pubValue) { + SECITEM_FreeItem(pubValue, PR_TRUE); + } + if (rv != SECSuccess) { + return CK_INVALID_HANDLE; + } } pubKey->pkcs11ID = objectID; @@ -229,22 +258,21 @@ pk11_Attr2SecItem(PLArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item) (void)SECITEM_AllocItem(arena, item, attr->ulValueLen); if (item->data == NULL) { - return CKR_HOST_MEMORY; - } + return CKR_HOST_MEMORY; + } PORT_Memcpy(item->data, attr->pValue, item->len); return CKR_OK; } - /* * get a curve length from a set of ecParams. - * + * * We need this so we can reliably determine if the ecPoint passed to us * was encoded or not. With out this, for many curves, we would incorrectly * identify an unencoded curve as an encoded curve 1 in 65536 times, and for - * a few we would make that same mistake 1 in 32768 times. These are bad + * a few we would make that same mistake 1 in 32768 times. These are bad * numbers since they are rare enough to pass tests, but common enough to - * be tripped over in the field. + * be tripped over in the field. * * This function will only work for curves we recognized as of March 2009. * The assumption is curves in use after March of 2009 would be supplied by @@ -253,127 +281,133 @@ pk11_Attr2SecItem(PLArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item) * Point length = (Roundup(curveLenInBits/8)*2+1) */ static int -pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams) +pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams, + PRBool *plain) { - SECItem oid; - SECOidTag tag; - SECStatus rv; - - /* decode the OID tag */ - rv = SEC_QuickDERDecodeItem(arena, &oid, - SEC_ASN1_GET(SEC_ObjectIDTemplate), ecParams); - if (rv != SECSuccess) { - /* could be explict curves, allow them to work if the - * PKCS #11 module support them. If we try to parse the - * explicit curve value in the future, we may return -1 here - * to indicate an invalid parameter if the explicit curve - * decode fails. */ - return 0; - } - - tag = SECOID_FindOIDTag(&oid); - switch (tag) { - case SEC_OID_SECG_EC_SECP112R1: - case SEC_OID_SECG_EC_SECP112R2: - return 29; /* curve len in bytes = 14 bytes */ - case SEC_OID_SECG_EC_SECT113R1: - case SEC_OID_SECG_EC_SECT113R2: - return 31; /* curve len in bytes = 15 bytes */ - case SEC_OID_SECG_EC_SECP128R1: - case SEC_OID_SECG_EC_SECP128R2: - return 33; /* curve len in bytes = 16 bytes */ - case SEC_OID_SECG_EC_SECT131R1: - case SEC_OID_SECG_EC_SECT131R2: - return 35; /* curve len in bytes = 17 bytes */ - case SEC_OID_SECG_EC_SECP160K1: - case SEC_OID_SECG_EC_SECP160R1: - case SEC_OID_SECG_EC_SECP160R2: - return 41; /* curve len in bytes = 20 bytes */ - case SEC_OID_SECG_EC_SECT163K1: - case SEC_OID_SECG_EC_SECT163R1: - case SEC_OID_SECG_EC_SECT163R2: - case SEC_OID_ANSIX962_EC_C2PNB163V1: - case SEC_OID_ANSIX962_EC_C2PNB163V2: - case SEC_OID_ANSIX962_EC_C2PNB163V3: - return 43; /* curve len in bytes = 21 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB176V1: - return 45; /* curve len in bytes = 22 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB191V1: - case SEC_OID_ANSIX962_EC_C2TNB191V2: - case SEC_OID_ANSIX962_EC_C2TNB191V3: - case SEC_OID_SECG_EC_SECP192K1: - case SEC_OID_ANSIX962_EC_PRIME192V1: - case SEC_OID_ANSIX962_EC_PRIME192V2: - case SEC_OID_ANSIX962_EC_PRIME192V3: - return 49; /*curve len in bytes = 24 bytes */ - case SEC_OID_SECG_EC_SECT193R1: - case SEC_OID_SECG_EC_SECT193R2: - return 51; /*curve len in bytes = 25 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB208W1: - return 53; /*curve len in bytes = 26 bytes */ - case SEC_OID_SECG_EC_SECP224K1: - case SEC_OID_SECG_EC_SECP224R1: - return 57; /*curve len in bytes = 28 bytes */ - case SEC_OID_SECG_EC_SECT233K1: - case SEC_OID_SECG_EC_SECT233R1: - case SEC_OID_SECG_EC_SECT239K1: - case SEC_OID_ANSIX962_EC_PRIME239V1: - case SEC_OID_ANSIX962_EC_PRIME239V2: - case SEC_OID_ANSIX962_EC_PRIME239V3: - case SEC_OID_ANSIX962_EC_C2TNB239V1: - case SEC_OID_ANSIX962_EC_C2TNB239V2: - case SEC_OID_ANSIX962_EC_C2TNB239V3: - return 61; /*curve len in bytes = 30 bytes */ - case SEC_OID_ANSIX962_EC_PRIME256V1: - case SEC_OID_SECG_EC_SECP256K1: - return 65; /*curve len in bytes = 32 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB272W1: - return 69; /*curve len in bytes = 34 bytes */ - case SEC_OID_SECG_EC_SECT283K1: - case SEC_OID_SECG_EC_SECT283R1: - return 73; /*curve len in bytes = 36 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB304W1: - return 77; /*curve len in bytes = 38 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB359V1: - return 91; /*curve len in bytes = 45 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB368W1: - return 93; /*curve len in bytes = 46 bytes */ - case SEC_OID_SECG_EC_SECP384R1: - return 97; /*curve len in bytes = 48 bytes */ - case SEC_OID_SECG_EC_SECT409K1: - case SEC_OID_SECG_EC_SECT409R1: - return 105; /*curve len in bytes = 52 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB431R1: - return 109; /*curve len in bytes = 54 bytes */ - case SEC_OID_SECG_EC_SECP521R1: - return 133; /*curve len in bytes = 66 bytes */ - case SEC_OID_SECG_EC_SECT571K1: - case SEC_OID_SECG_EC_SECT571R1: - return 145; /*curve len in bytes = 72 bytes */ - /* unknown or unrecognized OIDs. return unknown length */ - default: - break; - } - return 0; + SECItem oid; + SECOidTag tag; + SECStatus rv; + + /* decode the OID tag */ + rv = SEC_QuickDERDecodeItem(arena, &oid, + SEC_ASN1_GET(SEC_ObjectIDTemplate), ecParams); + if (rv != SECSuccess) { + /* could be explict curves, allow them to work if the + * PKCS #11 module support them. If we try to parse the + * explicit curve value in the future, we may return -1 here + * to indicate an invalid parameter if the explicit curve + * decode fails. */ + return 0; + } + + *plain = PR_FALSE; + tag = SECOID_FindOIDTag(&oid); + switch (tag) { + case SEC_OID_SECG_EC_SECP112R1: + case SEC_OID_SECG_EC_SECP112R2: + return 29; /* curve len in bytes = 14 bytes */ + case SEC_OID_SECG_EC_SECT113R1: + case SEC_OID_SECG_EC_SECT113R2: + return 31; /* curve len in bytes = 15 bytes */ + case SEC_OID_SECG_EC_SECP128R1: + case SEC_OID_SECG_EC_SECP128R2: + return 33; /* curve len in bytes = 16 bytes */ + case SEC_OID_SECG_EC_SECT131R1: + case SEC_OID_SECG_EC_SECT131R2: + return 35; /* curve len in bytes = 17 bytes */ + case SEC_OID_SECG_EC_SECP160K1: + case SEC_OID_SECG_EC_SECP160R1: + case SEC_OID_SECG_EC_SECP160R2: + return 41; /* curve len in bytes = 20 bytes */ + case SEC_OID_SECG_EC_SECT163K1: + case SEC_OID_SECG_EC_SECT163R1: + case SEC_OID_SECG_EC_SECT163R2: + case SEC_OID_ANSIX962_EC_C2PNB163V1: + case SEC_OID_ANSIX962_EC_C2PNB163V2: + case SEC_OID_ANSIX962_EC_C2PNB163V3: + return 43; /* curve len in bytes = 21 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB176V1: + return 45; /* curve len in bytes = 22 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB191V1: + case SEC_OID_ANSIX962_EC_C2TNB191V2: + case SEC_OID_ANSIX962_EC_C2TNB191V3: + case SEC_OID_SECG_EC_SECP192K1: + case SEC_OID_ANSIX962_EC_PRIME192V1: + case SEC_OID_ANSIX962_EC_PRIME192V2: + case SEC_OID_ANSIX962_EC_PRIME192V3: + return 49; /*curve len in bytes = 24 bytes */ + case SEC_OID_SECG_EC_SECT193R1: + case SEC_OID_SECG_EC_SECT193R2: + return 51; /*curve len in bytes = 25 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB208W1: + return 53; /*curve len in bytes = 26 bytes */ + case SEC_OID_SECG_EC_SECP224K1: + case SEC_OID_SECG_EC_SECP224R1: + return 57; /*curve len in bytes = 28 bytes */ + case SEC_OID_SECG_EC_SECT233K1: + case SEC_OID_SECG_EC_SECT233R1: + case SEC_OID_SECG_EC_SECT239K1: + case SEC_OID_ANSIX962_EC_PRIME239V1: + case SEC_OID_ANSIX962_EC_PRIME239V2: + case SEC_OID_ANSIX962_EC_PRIME239V3: + case SEC_OID_ANSIX962_EC_C2TNB239V1: + case SEC_OID_ANSIX962_EC_C2TNB239V2: + case SEC_OID_ANSIX962_EC_C2TNB239V3: + return 61; /*curve len in bytes = 30 bytes */ + case SEC_OID_ANSIX962_EC_PRIME256V1: + case SEC_OID_SECG_EC_SECP256K1: + return 65; /*curve len in bytes = 32 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB272W1: + return 69; /*curve len in bytes = 34 bytes */ + case SEC_OID_SECG_EC_SECT283K1: + case SEC_OID_SECG_EC_SECT283R1: + return 73; /*curve len in bytes = 36 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB304W1: + return 77; /*curve len in bytes = 38 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB359V1: + return 91; /*curve len in bytes = 45 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB368W1: + return 93; /*curve len in bytes = 46 bytes */ + case SEC_OID_SECG_EC_SECP384R1: + return 97; /*curve len in bytes = 48 bytes */ + case SEC_OID_SECG_EC_SECT409K1: + case SEC_OID_SECG_EC_SECT409R1: + return 105; /*curve len in bytes = 52 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB431R1: + return 109; /*curve len in bytes = 54 bytes */ + case SEC_OID_SECG_EC_SECP521R1: + return 133; /*curve len in bytes = 66 bytes */ + case SEC_OID_SECG_EC_SECT571K1: + case SEC_OID_SECG_EC_SECT571R1: + return 145; /*curve len in bytes = 72 bytes */ + case SEC_OID_CURVE25519: + *plain = PR_TRUE; + return 32; /* curve len in bytes = 32 bytes (only X) */ + /* unknown or unrecognized OIDs. return unknown length */ + default: + break; + } + return 0; } /* * returns the decoded point. In some cases the point may already be decoded. - * this function tries to detect those cases and return the point in + * this function tries to detect those cases and return the point in * publicKeyValue. In other cases it's DER encoded. In those cases the point - * is first decoded and returned. Space for the point is allocated out of + * is first decoded and returned. Space for the point is allocated out of * the passed in arena. */ static CK_RV pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, - const CK_ATTRIBUTE *ecPoint, SECItem *publicKeyValue) + const CK_ATTRIBUTE *ecPoint, SECItem *publicKeyValue) { SECItem encodedPublicValue; SECStatus rv; int keyLen; + PRBool plain = PR_FALSE; if (ecPoint->ulValueLen == 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; + return CKR_ATTRIBUTE_VALUE_INVALID; } /* @@ -381,7 +415,7 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * NSS has mistakenly passed unencoded values, and some PKCS #11 vendors * followed that mistake. Now we need to detect which encoding we were * passed in. The task is made more complicated by the fact the the - * DER encoding byte (SEC_ASN_OCTET_STRING) is the same as the + * DER encoding byte (SEC_ASN_OCTET_STRING) is the same as the * EC_POINT_FORM_UNCOMPRESSED byte (0x04), so we can't use that to * determine which curve we are using. */ @@ -393,134 +427,140 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * encoded or not heuristically. If the ecParams are invalid, it * will return -1 for the keyLen. */ - keyLen = pk11_get_EC_PointLenInBytes(arena, ecParams); + keyLen = pk11_get_EC_PointLenInBytes(arena, ecParams, &plain); if (keyLen < 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; + return CKR_ATTRIBUTE_VALUE_INVALID; } + /* + * Some curves are not encoded but we don't have the name here. + * Instead, pk11_get_EC_PointLenInBytes returns true plain if this is the + * case. + */ + if (plain && ecPoint->ulValueLen == (unsigned int)keyLen) { + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + } /* If the point is uncompressed and the lengths match, it * must be an unencoded point */ - if ((*((char *)ecPoint->pValue) == EC_POINT_FORM_UNCOMPRESSED) - && (ecPoint->ulValueLen == (unsigned int)keyLen)) { - return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + if ((*((char *)ecPoint->pValue) == EC_POINT_FORM_UNCOMPRESSED) && + (ecPoint->ulValueLen == (unsigned int)keyLen)) { + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); } /* now assume the key passed to us was encoded and decode it */ if (*((char *)ecPoint->pValue) == SEC_ASN1_OCTET_STRING) { - /* OK, now let's try to decode it and see if it's valid */ - encodedPublicValue.data = ecPoint->pValue; - encodedPublicValue.len = ecPoint->ulValueLen; - rv = SEC_QuickDERDecodeItem(arena, publicKeyValue, - SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedPublicValue); - - /* it coded correctly & we know the key length (and they match) - * then we are done, return the results. */ + /* OK, now let's try to decode it and see if it's valid */ + encodedPublicValue.data = ecPoint->pValue; + encodedPublicValue.len = ecPoint->ulValueLen; + rv = SEC_QuickDERDecodeItem(arena, publicKeyValue, + SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedPublicValue); + + /* it coded correctly & we know the key length (and they match) + * then we are done, return the results. */ if (keyLen && rv == SECSuccess && publicKeyValue->len == (unsigned int)keyLen) { - return CKR_OK; - } - - /* if we know the key length, one of the above tests should have - * succeded. If it doesn't the module gave us bad data */ - if (keyLen) { - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - - /* We don't know the key length, so we don't know deterministically - * which encoding was used. We now will try to pick the most likely - * form that's correct, with a preference for the encoded form if we - * can't determine for sure. We do this by checking the key we got - * back from SEC_QuickDERDecodeItem for defects. If no defects are - * found, we assume the encoded parameter was was passed to us. - * our defect tests include: - * 1) it didn't decode. - * 2) The decode key had an invalid length (must be odd). - * 3) The decoded key wasn't an UNCOMPRESSED key. - * 4) The decoded key didn't include the entire encoded block - * except the DER encoding values. (fixing DER length to one - * particular value). - */ - if ((rv != SECSuccess) - || ((publicKeyValue->len & 1) != 1) - || (publicKeyValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) - || (PORT_Memcmp(&encodedPublicValue.data[encodedPublicValue.len - - publicKeyValue->len], publicKeyValue->data, - publicKeyValue->len) != 0)) { - /* The decoded public key was flawed, the original key must have - * already been in decoded form. Do a quick sanity check then - * return the original key value. - */ - if ((encodedPublicValue.len & 1) == 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; - } - return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); - } - - /* as best we can figure, the passed in key was encoded, and we've - * now decoded it. Note: there is a chance this could be wrong if the - * following conditions hold: - * 1) The first byte or bytes of the X point looks like a valid length - * of precisely the right size (2*curveSize -1). this means for curves - * less than 512 bits (64 bytes), this will happen 1 in 256 times*. - * for curves between 512 and 1024, this will happen 1 in 65,536 times* - * for curves between 1024 and 256K this will happen 1 in 16 million* - * 2) The length of the 'DER length field' is odd - * (making both the encoded and decode - * values an odd length. this is true of all curves less than 512, - * as well as curves between 1024 and 256K). - * 3) The X[length of the 'DER length field'] == 0x04, 1 in 256. - * - * (* assuming all values are equally likely in the first byte, - * This isn't true if the curve length is not a multiple of 8. In these - * cases, if the DER length is possible, it's more likely, - * if it's not possible, then we have no false decodes). - * - * For reference here are the odds for the various curves we currently - * have support for (and the only curves SSL will negotiate at this - * time). NOTE: None of the supported curves will show up here - * because we return a valid length for all of these curves. - * The only way to get here is to have some application (not SSL) - * which supports some unknown curve and have some vendor supplied - * PKCS #11 module support that curve. NOTE: in this case, one - * presumes that that pkcs #11 module is likely to be using the - * correct encodings. - * - * Prime Curves (GFp): - * Bit False Odds of - * Size DER Len False Decode Positive - * 112 27 1 in 65536 - * 128 31 1 in 65536 - * 160 39 1 in 65536 - * 192 47 1 in 65536 - * 224 55 1 in 65536 - * 239 59 1 in 32768 (top byte can only be 0-127) - * 256 63 1 in 65536 - * 521 129,131 0 (decoded value would be even) - * - * Binary curves (GF2m). - * Bit False Odds of - * Size DER Len False Decode Positive - * 131 33 0 (top byte can only be 0-7) - * 163 41 0 (top byte can only be 0-7) - * 176 43 1 in 65536 - * 191 47 1 in 32768 (top byte can only be 0-127) - * 193 49 0 (top byte can only be 0-1) - * 208 51 1 in 65536 - * 233 59 0 (top byte can only be 0-1) - * 239 59 1 in 32768 (top byte can only be 0-127) - * 272 67 1 in 65536 - * 283 71 0 (top byte can only be 0-7) - * 304 75 1 in 65536 - * 359 89 1 in 32768 (top byte can only be 0-127) - * 368 91 1 in 65536 - * 409 103 0 (top byte can only be 0-1) - * 431 107 1 in 32768 (top byte can only be 0-127) - * 571 129,143 0 (decoded value would be even) - * - */ - - return CKR_OK; + return CKR_OK; + } + + /* if we know the key length, one of the above tests should have + * succeded. If it doesn't the module gave us bad data */ + if (keyLen) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + + /* We don't know the key length, so we don't know deterministically + * which encoding was used. We now will try to pick the most likely + * form that's correct, with a preference for the encoded form if we + * can't determine for sure. We do this by checking the key we got + * back from SEC_QuickDERDecodeItem for defects. If no defects are + * found, we assume the encoded parameter was was passed to us. + * our defect tests include: + * 1) it didn't decode. + * 2) The decode key had an invalid length (must be odd). + * 3) The decoded key wasn't an UNCOMPRESSED key. + * 4) The decoded key didn't include the entire encoded block + * except the DER encoding values. (fixing DER length to one + * particular value). + */ + if ((rv != SECSuccess) || ((publicKeyValue->len & 1) != 1) || + (publicKeyValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) || + (PORT_Memcmp(&encodedPublicValue.data[encodedPublicValue.len - publicKeyValue->len], + publicKeyValue->data, + publicKeyValue->len) != 0)) { + /* The decoded public key was flawed, the original key must have + * already been in decoded form. Do a quick sanity check then + * return the original key value. + */ + if ((encodedPublicValue.len & 1) == 0) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + } + + /* as best we can figure, the passed in key was encoded, and we've + * now decoded it. Note: there is a chance this could be wrong if the + * following conditions hold: + * 1) The first byte or bytes of the X point looks like a valid length + * of precisely the right size (2*curveSize -1). this means for curves + * less than 512 bits (64 bytes), this will happen 1 in 256 times*. + * for curves between 512 and 1024, this will happen 1 in 65,536 times* + * for curves between 1024 and 256K this will happen 1 in 16 million* + * 2) The length of the 'DER length field' is odd + * (making both the encoded and decode + * values an odd length. this is true of all curves less than 512, + * as well as curves between 1024 and 256K). + * 3) The X[length of the 'DER length field'] == 0x04, 1 in 256. + * + * (* assuming all values are equally likely in the first byte, + * This isn't true if the curve length is not a multiple of 8. In these + * cases, if the DER length is possible, it's more likely, + * if it's not possible, then we have no false decodes). + * + * For reference here are the odds for the various curves we currently + * have support for (and the only curves SSL will negotiate at this + * time). NOTE: None of the supported curves will show up here + * because we return a valid length for all of these curves. + * The only way to get here is to have some application (not SSL) + * which supports some unknown curve and have some vendor supplied + * PKCS #11 module support that curve. NOTE: in this case, one + * presumes that that pkcs #11 module is likely to be using the + * correct encodings. + * + * Prime Curves (GFp): + * Bit False Odds of + * Size DER Len False Decode Positive + * 112 27 1 in 65536 + * 128 31 1 in 65536 + * 160 39 1 in 65536 + * 192 47 1 in 65536 + * 224 55 1 in 65536 + * 239 59 1 in 32768 (top byte can only be 0-127) + * 256 63 1 in 65536 + * 521 129,131 0 (decoded value would be even) + * + * Binary curves (GF2m). + * Bit False Odds of + * Size DER Len False Decode Positive + * 131 33 0 (top byte can only be 0-7) + * 163 41 0 (top byte can only be 0-7) + * 176 43 1 in 65536 + * 191 47 1 in 32768 (top byte can only be 0-127) + * 193 49 0 (top byte can only be 0-1) + * 208 51 1 in 65536 + * 233 59 0 (top byte can only be 0-1) + * 239 59 1 in 32768 (top byte can only be 0-127) + * 272 67 1 in 65536 + * 283 71 0 (top byte can only be 0-7) + * 304 75 1 in 65536 + * 359 89 1 in 32768 (top byte can only be 0-127) + * 368 91 1 in 65536 + * 409 103 0 (top byte can only be 0-1) + * 431 107 1 in 32768 (top byte can only be 0-127) + * 571 129,143 0 (decoded value would be even) + * + */ + + return CKR_OK; } /* In theory, we should handle the case where the curve == 0 and @@ -528,13 +568,13 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * handled by doing a santity check on the key length and returning * pk11_Attr2SecItem() to copy the ecPoint to the publicKeyValue). * - * This test is unnecessary, however, due to the fact that + * This test is unnecessary, however, due to the fact that * EC_POINT_FORM_UNCOMPRESSED == SEC_ASIN1_OCTET_STRING, that case is * handled in the above if. That means if we get here, the initial * byte of our ecPoint value was invalid, so we can safely return. * invalid attribute. */ - + return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -542,7 +582,7 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * extract a public key from a slot and id */ SECKEYPublicKey * -PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) +PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id) { CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; PLArenaPool *arena; @@ -552,171 +592,200 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) CK_KEY_TYPE pk11KeyType; CK_RV crv; CK_ATTRIBUTE template[8]; - CK_ATTRIBUTE *attrs= template; - CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value; + CK_ATTRIBUTE *attrs = template; + CK_ATTRIBUTE *modulus, *exponent, *base, *prime, *subprime, *value; CK_ATTRIBUTE *ecparams; /* if we didn't know the key type, get it */ - if (keyType== nullKey) { - - pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE); - if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) { - return NULL; - } - switch (pk11KeyType) { - case CKK_RSA: - keyType = rsaKey; - break; - case CKK_DSA: - keyType = dsaKey; - break; - case CKK_DH: - keyType = dhKey; - break; - case CKK_EC: - keyType = ecKey; - break; - default: - PORT_SetError( SEC_ERROR_BAD_KEY ); - return NULL; - } - } + if (keyType == nullKey) { + pk11KeyType = PK11_ReadULongAttribute(slot, id, CKA_KEY_TYPE); + if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) { + return NULL; + } + switch (pk11KeyType) { + case CKK_RSA: + keyType = rsaKey; + break; + case CKK_DSA: + keyType = dsaKey; + break; + case CKK_DH: + keyType = dhKey; + break; + case CKK_EC: + keyType = ecKey; + break; + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; + } + } /* now we need to create space for the public key */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; - tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; + tmp_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (tmp_arena == NULL) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } - - pubKey = (SECKEYPublicKey *) - PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); + pubKey = (SECKEYPublicKey *) + PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (pubKey == NULL) { - PORT_FreeArena (arena, PR_FALSE); - PORT_FreeArena (tmp_arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(tmp_arena, PR_FALSE); + return NULL; } pubKey->arena = arena; pubKey->keyType = keyType; pubKey->pkcs11Slot = PK11_ReferenceSlot(slot); pubKey->pkcs11ID = id; - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, - sizeof(keyClass)); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, - sizeof(pk11KeyType) ); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, + sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, + sizeof(pk11KeyType)); + attrs++; switch (pubKey->keyType) { - case rsaKey: - modulus = attrs; - PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; - exponent = attrs; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; - - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent); - if (crv != CKR_OK) break; - break; - case dsaKey: - prime = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; - subprime = attrs; - PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; - base = attrs; - PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; - value = attrs; - PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue); - if (crv != CKR_OK) break; - break; - case dhKey: - prime = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; - base = attrs; - PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; - value =attrs; - PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue); - if (crv != CKR_OK) break; - break; - case ecKey: - pubKey->u.ec.size = 0; - ecparams = attrs; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); attrs++; - value =attrs; - PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - - crv = pk11_Attr2SecItem(arena,ecparams, - &pubKey->u.ec.DEREncodedParams); - if (crv != CKR_OK) break; - crv = pk11_get_Decoded_ECPoint(arena, - &pubKey->u.ec.DEREncodedParams, value, - &pubKey->u.ec.publicValue); - break; - case fortezzaKey: - case nullKey: - default: - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - - PORT_FreeArena(tmp_arena,PR_FALSE); + case rsaKey: + modulus = attrs; + PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); + attrs++; + exponent = attrs; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); + attrs++; + + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, modulus, &pubKey->u.rsa.modulus); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, exponent, &pubKey->u.rsa.publicExponent); + if (crv != CKR_OK) + break; + break; + case dsaKey: + prime = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); + attrs++; + subprime = attrs; + PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); + attrs++; + base = attrs; + PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dsa.params.prime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, subprime, &pubKey->u.dsa.params.subPrime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dsa.params.base); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dsa.publicValue); + if (crv != CKR_OK) + break; + break; + case dhKey: + prime = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); + attrs++; + base = attrs; + PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dh.prime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dh.base); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dh.publicValue); + if (crv != CKR_OK) + break; + break; + case ecKey: + pubKey->u.ec.size = 0; + ecparams = attrs; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + + crv = pk11_Attr2SecItem(arena, ecparams, + &pubKey->u.ec.DEREncodedParams); + if (crv != CKR_OK) + break; + crv = pk11_get_Decoded_ECPoint(arena, + &pubKey->u.ec.DEREncodedParams, value, + &pubKey->u.ec.publicValue); + if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) { + crv |= CKR_GENERAL_ERROR; + } + break; + case fortezzaKey: + case nullKey: + default: + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + + PORT_FreeArena(tmp_arena, PR_FALSE); if (crv != CKR_OK) { - PORT_FreeArena(arena,PR_FALSE); - PK11_FreeSlot(slot); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + PK11_FreeSlot(slot); + PORT_SetError(PK11_MapError(crv)); + return NULL; } return pubKey; @@ -726,8 +795,8 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) * Build a Private Key structure from raw PKCS #11 information. */ SECKEYPrivateKey * -PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, - PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx) +PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, + PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx) { PLArenaPool *arena; SECKEYPrivateKey *privKey; @@ -736,40 +805,51 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, /* don't know? look it up */ if (keyType == nullKey) { - CK_KEY_TYPE pk11Type = CKK_RSA; - - pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE); - isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN,PR_FALSE); - switch (pk11Type) { - case CKK_RSA: keyType = rsaKey; break; - case CKK_DSA: keyType = dsaKey; break; - case CKK_DH: keyType = dhKey; break; - case CKK_KEA: keyType = fortezzaKey; break; - case CKK_EC: keyType = ecKey; break; - default: - break; - } + CK_KEY_TYPE pk11Type = CKK_RSA; + + pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE); + isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE); + switch (pk11Type) { + case CKK_RSA: + keyType = rsaKey; + break; + case CKK_DSA: + keyType = dsaKey; + break; + case CKK_DH: + keyType = dhKey; + break; + case CKK_KEA: + keyType = fortezzaKey; + break; + case CKK_EC: + keyType = ecKey; + break; + default: + break; + } } /* if the key is private, make sure we are authenticated to the * token before we try to use it */ - isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE,PR_FALSE); + isPrivate = (PRBool)PK11_HasAttributeSet(slot, privID, CKA_PRIVATE, PR_FALSE); if (isPrivate) { - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } + rv = PK11_Authenticate(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + return NULL; + } } /* now we need to create space for the private key */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; - privKey = (SECKEYPrivateKey *) - PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey)); + privKey = (SECKEYPrivateKey *) + PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey)); if (privKey == NULL) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } privKey->arena = arena; @@ -782,7 +862,6 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, return privKey; } - PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key) { @@ -803,34 +882,31 @@ PK11_GetPrivateModulusLen(SECKEYPrivateKey *key) int length; switch (key->keyType) { - case rsaKey: - crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return -1; - } - length = theTemplate.ulValueLen; - if ( *(unsigned char *)theTemplate.pValue == 0) { - length--; - } - if (theTemplate.pValue != NULL) - PORT_Free(theTemplate.pValue); - return (int) length; - - case fortezzaKey: - case dsaKey: - case dhKey: - default: - break; + case rsaKey: + crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return -1; + } + length = theTemplate.ulValueLen; + if (*(unsigned char *)theTemplate.pValue == 0) { + length--; + } + PORT_Free(theTemplate.pValue); + return (int)length; + + case fortezzaKey: + case dsaKey: + case dhKey: + default: + break; } if (theTemplate.pValue != NULL) - PORT_Free(theTemplate.pValue); - PORT_SetError( SEC_ERROR_INVALID_KEY ); + PORT_Free(theTemplate.pValue); + PORT_SetError(SEC_ERROR_INVALID_KEY); return -1; } - - /* * take a private key in one pkcs11 module and load it into another: * NOTE: the source private key is a rare animal... it can't be sensitive. @@ -838,43 +914,43 @@ PK11_GetPrivateModulusLen(SECKEYPrivateKey *key) * result into another. */ static SECKEYPrivateKey * -pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) +pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) { CK_ATTRIBUTE privTemplate[] = { /* class must be first */ - { CKA_CLASS, NULL, 0 }, - { CKA_KEY_TYPE, NULL, 0 }, - { CKA_ID, NULL, 0 }, - /* RSA - the attributes below will be replaced for other - * key types. - */ - { CKA_MODULUS, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 }, - { CKA_DECRYPT, NULL, 0 }, - { CKA_DERIVE, NULL, 0 }, - { CKA_SIGN, NULL, 0 }, - { CKA_SIGN_RECOVER, NULL, 0 }, - { CKA_UNWRAP, NULL, 0 }, - /* reserve space for the attributes that may be - * specified in attrFlags */ - { CKA_TOKEN, NULL, 0 }, - { CKA_PRIVATE, NULL, 0 }, - { CKA_MODIFIABLE, NULL, 0 }, - { CKA_SENSITIVE, NULL, 0 }, - { CKA_EXTRACTABLE, NULL, 0 }, -#define NUM_RESERVED_ATTRS 5 /* number of reserved attributes above */ + { CKA_CLASS, NULL, 0 }, + { CKA_KEY_TYPE, NULL, 0 }, + { CKA_ID, NULL, 0 }, + /* RSA - the attributes below will be replaced for other + * key types. + */ + { CKA_MODULUS, NULL, 0 }, + { CKA_PRIVATE_EXPONENT, NULL, 0 }, + { CKA_PUBLIC_EXPONENT, NULL, 0 }, + { CKA_PRIME_1, NULL, 0 }, + { CKA_PRIME_2, NULL, 0 }, + { CKA_EXPONENT_1, NULL, 0 }, + { CKA_EXPONENT_2, NULL, 0 }, + { CKA_COEFFICIENT, NULL, 0 }, + { CKA_DECRYPT, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_SIGN, NULL, 0 }, + { CKA_SIGN_RECOVER, NULL, 0 }, + { CKA_UNWRAP, NULL, 0 }, + /* reserve space for the attributes that may be + * specified in attrFlags */ + { CKA_TOKEN, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, + { CKA_SENSITIVE, NULL, 0 }, + { CKA_EXTRACTABLE, NULL, 0 }, +#define NUM_RESERVED_ATTRS 5 /* number of reserved attributes above */ }; CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; CK_ATTRIBUTE *attrs = NULL, *ap; - const int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]); + const int templateSize = sizeof(privTemplate) / sizeof(privTemplate[0]); PLArenaPool *arena; CK_OBJECT_HANDLE objectID; int i, count = 0; @@ -884,120 +960,160 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0); if (pk11_BadAttrFlags(attrFlags)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - for (i=0; i < templateSize; i++) { - if (privTemplate[i].type == CKA_MODULUS) { - attrs= &privTemplate[i]; - count = i; - break; - } + for (i = 0; i < templateSize; i++) { + if (privTemplate[i].type == CKA_MODULUS) { + attrs = &privTemplate[i]; + count = i; + break; + } } PORT_Assert(attrs != NULL); if (attrs == NULL) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; } ap = attrs; switch (privKey->keyType) { - case rsaKey: - count = templateSize - NUM_RESERVED_ATTRS; - extra_count = count - (attrs - privTemplate); - break; - case dsaKey: - ap->type = CKA_PRIME; ap++; count++; extra_count++; - ap->type = CKA_SUBPRIME; ap++; count++; extra_count++; - ap->type = CKA_BASE; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_SIGN; ap++; count++; extra_count++; - break; - case dhKey: - ap->type = CKA_PRIME; ap++; count++; extra_count++; - ap->type = CKA_BASE; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_DERIVE; ap++; count++; extra_count++; - break; - case ecKey: - ap->type = CKA_EC_PARAMS; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_DERIVE; ap++; count++; extra_count++; - ap->type = CKA_SIGN; ap++; count++; extra_count++; - break; - default: - count = 0; - extra_count = 0; - break; - } - - if (count == 0) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } - - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; - /* + case rsaKey: + count = templateSize - NUM_RESERVED_ATTRS; + extra_count = count - (attrs - privTemplate); + break; + case dsaKey: + ap->type = CKA_PRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_SUBPRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_BASE; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_SIGN; + ap++; + count++; + extra_count++; + break; + case dhKey: + ap->type = CKA_PRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_BASE; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_DERIVE; + ap++; + count++; + extra_count++; + break; + case ecKey: + ap->type = CKA_EC_PARAMS; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_DERIVE; + ap++; + count++; + extra_count++; + ap->type = CKA_SIGN; + ap++; + count++; + extra_count++; + break; + default: + count = 0; + extra_count = 0; + break; + } + + if (count == 0) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; + /* * read out the old attributes. */ - crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, - privTemplate,count); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - PORT_FreeArena(arena, PR_TRUE); - return NULL; - } - - /* Set token, private, modifiable, sensitive, and extractable */ - count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count], - &cktrue, &ckfalse); - - /* Not everyone can handle zero padded key values, give + crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, + privTemplate, count); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + PORT_FreeArena(arena, PR_TRUE); + return NULL; + } + + /* Set token, private, modifiable, sensitive, and extractable */ + count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count], + &cktrue, &ckfalse); + + /* Not everyone can handle zero padded key values, give * them the raw data as unsigned */ - for (ap=attrs; extra_count; ap++, extra_count--) { - pk11_SignedToUnsigned(ap); - } - - /* now Store the puppies */ - rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, - count, token, &objectID); - PORT_FreeArena(arena, PR_TRUE); - if (rv != SECSuccess) { - return NULL; - } - - /* try loading the public key */ - if (pubKey) { - PK11_ImportPublicKey(slot, pubKey, token); - if (pubKey->pkcs11Slot) { - PK11_FreeSlot(pubKey->pkcs11Slot); - pubKey->pkcs11Slot = NULL; - pubKey->pkcs11ID = CK_INVALID_HANDLE; - } - } - - /* build new key structure */ - return PK11_MakePrivKey(slot, privKey->keyType, !token, - objectID, privKey->wincx); + for (ap = attrs; extra_count; ap++, extra_count--) { + pk11_SignedToUnsigned(ap); + } + + /* now Store the puppies */ + rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, + count, token, &objectID); + PORT_FreeArena(arena, PR_TRUE); + if (rv != SECSuccess) { + return NULL; + } + + /* try loading the public key */ + if (pubKey) { + PK11_ImportPublicKey(slot, pubKey, token); + if (pubKey->pkcs11Slot) { + PK11_FreeSlot(pubKey->pkcs11Slot); + pubKey->pkcs11Slot = NULL; + pubKey->pkcs11ID = CK_INVALID_HANDLE; + } + } + + /* build new key structure */ + return PK11_MakePrivKey(slot, privKey->keyType, !token, + objectID, privKey->wincx); } static SECKEYPrivateKey * -pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) +pk11_loadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) { PK11AttrFlags attrFlags = 0; if (token) { - attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); + attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); } else { - attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC); + attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC); } if (sensitive) { - attrFlags |= PK11_ATTR_SENSITIVE; + attrFlags |= PK11_ATTR_SENSITIVE; } else { - attrFlags |= PK11_ATTR_INSENSITIVE; + attrFlags |= PK11_ATTR_INSENSITIVE; } return pk11_loadPrivKeyWithFlags(slot, privKey, pubKey, attrFlags); } @@ -1006,20 +1122,19 @@ pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, * export this for PSM */ SECKEYPrivateKey * -PK11_LoadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) +PK11_LoadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) { - return pk11_loadPrivKey(slot,privKey,pubKey,token,sensitive); + return pk11_loadPrivKey(slot, privKey, pubKey, token, sensitive); } - /* * Use the token to generate a key pair. */ SECKEYPrivateKey * -PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, - CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx) +PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, + CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx) { /* we have to use these native types because when we call PKCS 11 modules * we have to make sure that we are using the correct sizes for all the @@ -1029,61 +1144,61 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, CK_ULONG modulusBits; CK_BYTE publicExponent[4]; CK_ATTRIBUTE privTemplate[] = { - { CKA_SENSITIVE, NULL, 0}, - { CKA_TOKEN, NULL, 0}, - { CKA_PRIVATE, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_UNWRAP, NULL, 0}, - { CKA_SIGN, NULL, 0}, - { CKA_DECRYPT, NULL, 0}, - { CKA_EXTRACTABLE, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_SENSITIVE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_UNWRAP, NULL, 0 }, + { CKA_SIGN, NULL, 0 }, + { CKA_DECRYPT, NULL, 0 }, + { CKA_EXTRACTABLE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE rsaPubTemplate[] = { - { CKA_MODULUS_BITS, NULL, 0}, - { CKA_PUBLIC_EXPONENT, NULL, 0}, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_MODULUS_BITS, NULL, 0 }, + { CKA_PUBLIC_EXPONENT, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE dsaPubTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE dhPubTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_PRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE ecPubTemplate[] = { - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_EC_PARAMS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; - SECKEYECParams * ecParams; + SECKEYECParams *ecParams; /*CK_ULONG key_size = 0;*/ CK_ATTRIBUTE *pubTemplate; @@ -1091,17 +1206,17 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, int pubCount = 0; PK11RSAGenParams *rsaParams; SECKEYPQGParams *dsaParams; - SECKEYDHParams * dhParams; + SECKEYDHParams *dhParams; CK_MECHANISM mechanism; CK_MECHANISM test_mech; CK_MECHANISM test_mech2; CK_SESSION_HANDLE session_handle; CK_RV crv; - CK_OBJECT_HANDLE privID,pubID; + CK_OBJECT_HANDLE privID, pubID; SECKEYPrivateKey *privKey; KeyType keyType; PRBool restore; - int peCount,i; + int peCount, i; CK_ATTRIBUTE *attrs; CK_ATTRIBUTE *privattrs; CK_ATTRIBUTE setTemplate; @@ -1113,76 +1228,74 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0); /* subset of attrFlags applicable to the public key */ PK11AttrFlags pubKeyAttrFlags = attrFlags & - (PK11_ATTR_TOKEN | PK11_ATTR_SESSION - | PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE); + (PK11_ATTR_TOKEN | PK11_ATTR_SESSION | PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE); if (pk11_BadAttrFlags(attrFlags)) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } if (!param) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); + PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } /* * The opFlags and opFlagMask parameters allow us to control the * settings of the key usage attributes (CKA_ENCRYPT and friends). - * opFlagMask is set to one if the flag is specified in opFlags and - * zero if it is to take on a default value calculated by + * opFlagMask is set to one if the flag is specified in opFlags and + * zero if it is to take on a default value calculated by * PK11_GenerateKeyPairWithOpFlags. - * opFlags specifies the actual value of the flag 1 or 0. + * opFlags specifies the actual value of the flag 1 or 0. * Bits not corresponding to one bits in opFlagMask should be zero. */ /* if we are trying to turn on a flag, it better be in the mask */ - PORT_Assert ((opFlags & ~opFlagsMask) == 0); + PORT_Assert((opFlags & ~opFlagsMask) == 0); opFlags &= opFlagsMask; PORT_Assert(slot != NULL); if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE); - return NULL; + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; } /* if our slot really doesn't do this mechanism, Generate the key * in our internal token and write it out */ - if (!PK11_DoesMechanism(slot,type)) { - PK11SlotInfo *int_slot = PK11_GetInternalSlot(); - - /* don't loop forever looking for a slot */ - if (slot == int_slot) { - PK11_FreeSlot(int_slot); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } - - /* if there isn't a suitable slot, then we can't do the keygen */ - if (int_slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; - } - - /* generate the temporary key to load */ - privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, - PR_FALSE, wincx); - PK11_FreeSlot(int_slot); - - /* if successful, load the temp key into the new token */ - if (privKey != NULL) { - SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot, - privKey,*pubKey,attrFlags); - SECKEY_DestroyPrivateKey(privKey); - if (newPrivKey == NULL) { - SECKEY_DestroyPublicKey(*pubKey); - *pubKey = NULL; - } - return newPrivKey; - } - return NULL; - } - + if (!PK11_DoesMechanism(slot, type)) { + PK11SlotInfo *int_slot = PK11_GetInternalSlot(); + + /* don't loop forever looking for a slot */ + if (slot == int_slot) { + PK11_FreeSlot(int_slot); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + /* if there isn't a suitable slot, then we can't do the keygen */ + if (int_slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + + /* generate the temporary key to load */ + privKey = PK11_GenerateKeyPair(int_slot, type, param, pubKey, PR_FALSE, + PR_FALSE, wincx); + PK11_FreeSlot(int_slot); + + /* if successful, load the temp key into the new token */ + if (privKey != NULL) { + SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot, + privKey, *pubKey, attrFlags); + SECKEY_DestroyPrivateKey(privKey); + if (newPrivKey == NULL) { + SECKEY_DestroyPublicKey(*pubKey); + *pubKey = NULL; + } + return newPrivKey; + } + return NULL; + } mechanism.mechanism = type; mechanism.pParameter = NULL; @@ -1196,317 +1309,340 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, /* set up the private key template */ privattrs = privTemplate; privattrs += pk11_AttrFlagsToAttributes(attrFlags, privattrs, - &cktrue, &ckfalse); + &cktrue, &ckfalse); /* set up the mechanism specific info */ switch (type) { - case CKM_RSA_PKCS_KEY_PAIR_GEN: - case CKM_RSA_X9_31_KEY_PAIR_GEN: - rsaParams = (PK11RSAGenParams *)param; - if (rsaParams->pe == 0) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - modulusBits = rsaParams->keySizeInBits; - peCount = 0; - - /* convert pe to a PKCS #11 string */ - for (i=0; i < 4; i++) { - if (peCount || (rsaParams->pe & - ((unsigned long)0xff000000L >> (i*8)))) { - publicExponent[peCount] = - (CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff); - peCount++; - } - } - PORT_Assert(peCount != 0); - attrs = rsaPubTemplate; - PK11_SETATTRS(attrs, CKA_MODULUS_BITS, - &modulusBits, sizeof(modulusBits)); attrs++; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, - publicExponent, peCount);attrs++; - pubTemplate = rsaPubTemplate; - keyType = rsaKey; - test_mech.mechanism = CKM_RSA_PKCS; - break; - case CKM_DSA_KEY_PAIR_GEN: - dsaParams = (SECKEYPQGParams *)param; - attrs = dsaPubTemplate; - PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data, - dsaParams->prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data, - dsaParams->subPrime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data, - dsaParams->base.len); attrs++; - pubTemplate = dsaPubTemplate; - keyType = dsaKey; - test_mech.mechanism = CKM_DSA; - break; - case CKM_DH_PKCS_KEY_PAIR_GEN: - dhParams = (SECKEYDHParams *)param; - attrs = dhPubTemplate; - PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data, - dhParams->prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data, - dhParams->base.len); attrs++; - pubTemplate = dhPubTemplate; - keyType = dhKey; - test_mech.mechanism = CKM_DH_PKCS_DERIVE; - break; - case CKM_EC_KEY_PAIR_GEN: - ecParams = (SECKEYECParams *)param; - attrs = ecPubTemplate; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, - ecParams->len); attrs++; - pubTemplate = ecPubTemplate; - keyType = ecKey; - /* - * ECC supports 2 different mechanism types (unlike RSA, which - * supports different usages with the same mechanism). - * We may need to query both mechanism types and or the results - * together -- but we only do that if either the user has - * requested both usages, or not specified any usages. - */ - if ((opFlags & (CKF_SIGN|CKF_DERIVE)) == (CKF_SIGN|CKF_DERIVE)) { - /* We've explicitly turned on both flags, use both mechanism */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - test_mech2.mechanism = CKM_ECDSA; - } else if (opFlags & CKF_SIGN) { - /* just do signing */ - test_mech.mechanism = CKM_ECDSA; - } else if (opFlags & CKF_DERIVE) { - /* just do ECDH */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - } else { - /* neither was specified default to both */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - test_mech2.mechanism = CKM_ECDSA; - } - break; - default: - PORT_SetError( SEC_ERROR_BAD_KEY ); - return NULL; + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_X9_31_KEY_PAIR_GEN: + rsaParams = (PK11RSAGenParams *)param; + if (rsaParams->pe == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + modulusBits = rsaParams->keySizeInBits; + peCount = 0; + + /* convert pe to a PKCS #11 string */ + for (i = 0; i < 4; i++) { + if (peCount || (rsaParams->pe & + ((unsigned long)0xff000000L >> (i * 8)))) { + publicExponent[peCount] = + (CK_BYTE)((rsaParams->pe >> (3 - i) * 8) & 0xff); + peCount++; + } + } + PORT_Assert(peCount != 0); + attrs = rsaPubTemplate; + PK11_SETATTRS(attrs, CKA_MODULUS_BITS, + &modulusBits, sizeof(modulusBits)); + attrs++; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, + publicExponent, peCount); + attrs++; + pubTemplate = rsaPubTemplate; + keyType = rsaKey; + test_mech.mechanism = CKM_RSA_PKCS; + break; + case CKM_DSA_KEY_PAIR_GEN: + dsaParams = (SECKEYPQGParams *)param; + attrs = dsaPubTemplate; + PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data, + dsaParams->prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data, + dsaParams->subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data, + dsaParams->base.len); + attrs++; + pubTemplate = dsaPubTemplate; + keyType = dsaKey; + test_mech.mechanism = CKM_DSA; + break; + case CKM_DH_PKCS_KEY_PAIR_GEN: + dhParams = (SECKEYDHParams *)param; + attrs = dhPubTemplate; + PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data, + dhParams->prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data, + dhParams->base.len); + attrs++; + pubTemplate = dhPubTemplate; + keyType = dhKey; + test_mech.mechanism = CKM_DH_PKCS_DERIVE; + break; + case CKM_EC_KEY_PAIR_GEN: + ecParams = (SECKEYECParams *)param; + attrs = ecPubTemplate; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, + ecParams->len); + attrs++; + pubTemplate = ecPubTemplate; + keyType = ecKey; + /* + * ECC supports 2 different mechanism types (unlike RSA, which + * supports different usages with the same mechanism). + * We may need to query both mechanism types and or the results + * together -- but we only do that if either the user has + * requested both usages, or not specified any usages. + */ + if ((opFlags & (CKF_SIGN | CKF_DERIVE)) == (CKF_SIGN | CKF_DERIVE)) { + /* We've explicitly turned on both flags, use both mechanism */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + test_mech2.mechanism = CKM_ECDSA; + } else if (opFlags & CKF_SIGN) { + /* just do signing */ + test_mech.mechanism = CKM_ECDSA; + } else if (opFlags & CKF_DERIVE) { + /* just do ECDH */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + } else { + /* neither was specified default to both */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + test_mech2.mechanism = CKM_ECDSA; + } + break; + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; } /* now query the slot to find out how "good" a key we can generate */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - test_mech.mechanism,&mechanism_info); + test_mech.mechanism, &mechanism_info); /* * EC keys are used in multiple different types of mechanism, if we * are using dual use keys, we need to query the second mechanism * as well. */ if (test_mech2.mechanism != CKM_INVALID_MECHANISM) { - CK_MECHANISM_INFO mechanism_info2; - CK_RV crv2; - - if (crv != CKR_OK) { - /* the first failed, make sure there is no trash in the - * mechanism flags when we or it below */ - mechanism_info.flags = 0; - } - crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - test_mech2.mechanism, &mechanism_info2); - if (crv2 == CKR_OK) { - crv = CKR_OK; /* succeed if either mechnaism info succeeds */ - /* combine the 2 sets of mechnanism flags */ - mechanism_info.flags |= mechanism_info2.flags; - } - } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + CK_MECHANISM_INFO mechanism_info2; + CK_RV crv2; + + if (crv != CKR_OK) { + /* the first failed, make sure there is no trash in the + * mechanism flags when we or it below */ + mechanism_info.flags = 0; + } + crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, + test_mech2.mechanism, &mechanism_info2); + if (crv2 == CKR_OK) { + crv = CKR_OK; /* succeed if either mechnaism info succeeds */ + /* combine the 2 sets of mechnanism flags */ + mechanism_info.flags |= mechanism_info2.flags; + } + } + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if ((crv != CKR_OK) || (mechanism_info.flags == 0)) { - /* must be old module... guess what it should be... */ - switch (test_mech.mechanism) { - case CKM_RSA_PKCS: - mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | - CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP); - break; - case CKM_DSA: - mechanism_info.flags = CKF_SIGN | CKF_VERIFY; - break; - case CKM_DH_PKCS_DERIVE: - mechanism_info.flags = CKF_DERIVE; - break; - case CKM_ECDH1_DERIVE: - mechanism_info.flags = CKF_DERIVE; - if (test_mech2.mechanism == CKM_ECDSA) { - mechanism_info.flags |= CKF_SIGN | CKF_VERIFY; - } - break; - case CKM_ECDSA: - mechanism_info.flags = CKF_SIGN | CKF_VERIFY; - break; - default: - break; - } + /* must be old module... guess what it should be... */ + switch (test_mech.mechanism) { + case CKM_RSA_PKCS: + mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | + CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP); + break; + case CKM_DSA: + mechanism_info.flags = CKF_SIGN | CKF_VERIFY; + break; + case CKM_DH_PKCS_DERIVE: + mechanism_info.flags = CKF_DERIVE; + break; + case CKM_ECDH1_DERIVE: + mechanism_info.flags = CKF_DERIVE; + if (test_mech2.mechanism == CKM_ECDSA) { + mechanism_info.flags |= CKF_SIGN | CKF_VERIFY; + } + break; + case CKM_ECDSA: + mechanism_info.flags = CKF_SIGN | CKF_VERIFY; + break; + default: + break; + } } /* now adjust our flags according to the user's key usage passed to us */ mechanism_info.flags = (mechanism_info.flags & (~opFlagsMask)) | opFlags; /* set the public key attributes */ attrs += pk11_AttrFlagsToAttributes(pubKeyAttrFlags, attrs, - &cktrue, &ckfalse); - PK11_SETATTRS(attrs, CKA_DERIVE, - mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_WRAP, - mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY, - mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, - mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_ENCRYPT, - mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; + &cktrue, &ckfalse); + PK11_SETATTRS(attrs, CKA_DERIVE, + mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_WRAP, + mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY, + mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, + mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_ENCRYPT, + mechanism_info.flags & CKF_ENCRYPT ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; /* set the private key attributes */ - PK11_SETATTRS(privattrs, CKA_DERIVE, - mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_UNWRAP, - mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_SIGN, - mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_DECRYPT, - mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; + PK11_SETATTRS(privattrs, CKA_DERIVE, + mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_UNWRAP, + mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_SIGN, + mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_DECRYPT, + mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; if (token) { - session_handle = PK11_GetRWSession(slot); - haslock = PK11_RWSessionHasLock(slot,session_handle); - restore = PR_TRUE; + session_handle = PK11_GetRWSession(slot); + haslock = PK11_RWSessionHasLock(slot, session_handle); + restore = PR_TRUE; } else { - session_handle = slot->session; - if (session_handle != CK_INVALID_SESSION) - PK11_EnterSlotMonitor(slot); - restore = PR_FALSE; - haslock = PR_TRUE; + session_handle = slot->session; + if (session_handle != CK_INVALID_SESSION) + PK11_EnterSlotMonitor(slot); + restore = PR_FALSE; + haslock = PR_TRUE; } if (session_handle == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; } privCount = privattrs - privTemplate; pubCount = attrs - pubTemplate; crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism, - pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID); + pubTemplate, pubCount, privTemplate, privCount, &pubID, &privID); if (crv != CKR_OK) { - if (restore) { - PK11_RestoreROSession(slot,session_handle); - } else PK11_ExitSlotMonitor(slot); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + if (restore) { + PK11_RestoreROSession(slot, session_handle); + } else + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return NULL; } /* This locking code is dangerous and needs to be more thought * out... the real problem is that we're holding the mutex open this long */ - if (haslock) { PK11_ExitSlotMonitor(slot); } + if (haslock) { + PK11_ExitSlotMonitor(slot); + } /* swap around the ID's for older PKCS #11 modules */ - keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS); + keyClass = PK11_ReadULongAttribute(slot, pubID, CKA_CLASS); if (keyClass != CKO_PUBLIC_KEY) { - CK_OBJECT_HANDLE tmp = pubID; - pubID = privID; - privID = tmp; + CK_OBJECT_HANDLE tmp = pubID; + pubID = privID; + privID = tmp; } *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID); if (*pubKey == NULL) { - if (restore) { - /* we may have to restore the mutex so it get's exited properly - * in RestoreROSession */ - if (haslock) PK11_EnterSlotMonitor(slot); - PK11_RestoreROSession(slot,session_handle); - } - PK11_DestroyObject(slot,pubID); - PK11_DestroyObject(slot,privID); - return NULL; + if (restore) { + /* we may have to restore the mutex so it get's exited properly + * in RestoreROSession */ + if (haslock) + PK11_EnterSlotMonitor(slot); + PK11_RestoreROSession(slot, session_handle); + } + PK11_DestroyObject(slot, pubID); + PK11_DestroyObject(slot, privID); + return NULL; } /* set the ID to the public key so we can find it again */ cka_id = pk11_MakeIDFromPublicKey(*pubKey); - pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN,PR_FALSE); + pubIsToken = (PRBool)PK11_HasAttributeSet(slot, pubID, CKA_TOKEN, PR_FALSE); PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len); - if (haslock) { PK11_EnterSlotMonitor(slot); } + if (haslock) { + PK11_EnterSlotMonitor(slot); + } crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID, - &setTemplate, 1); - + &setTemplate, 1); + if (crv == CKR_OK && pubIsToken) { - crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID, - &setTemplate, 1); + crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID, + &setTemplate, 1); } - if (restore) { - PK11_RestoreROSession(slot,session_handle); + PK11_RestoreROSession(slot, session_handle); } else { - PK11_ExitSlotMonitor(slot); + PK11_ExitSlotMonitor(slot); } - SECITEM_FreeItem(cka_id,PR_TRUE); - + SECITEM_FreeItem(cka_id, PR_TRUE); if (crv != CKR_OK) { - PK11_DestroyObject(slot,pubID); - PK11_DestroyObject(slot,privID); - PORT_SetError( PK11_MapError(crv) ); - *pubKey = NULL; - return NULL; + PK11_DestroyObject(slot, pubID); + PK11_DestroyObject(slot, privID); + PORT_SetError(PK11_MapError(crv)); + *pubKey = NULL; + return NULL; } - privKey = PK11_MakePrivKey(slot,keyType,!token,privID,wincx); + privKey = PK11_MakePrivKey(slot, keyType, !token, privID, wincx); if (privKey == NULL) { - SECKEY_DestroyPublicKey(*pubKey); - PK11_DestroyObject(slot,privID); - *pubKey = NULL; - return NULL; + SECKEY_DestroyPublicKey(*pubKey); + PK11_DestroyObject(slot, privID); + *pubKey = NULL; + return NULL; } return privKey; } SECKEYPrivateKey * -PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx) +PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx) { - return PK11_GenerateKeyPairWithOpFlags(slot,type,param,pubKey,attrFlags, - 0, 0, wincx); + return PK11_GenerateKeyPairWithOpFlags(slot, type, param, pubKey, attrFlags, + 0, 0, wincx); } /* * Use the token to generate a key pair. */ SECKEYPrivateKey * -PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PRBool token, - PRBool sensitive, void *wincx) +PK11_GenerateKeyPair(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PRBool token, + PRBool sensitive, void *wincx) { PK11AttrFlags attrFlags = 0; if (token) { - attrFlags |= PK11_ATTR_TOKEN; + attrFlags |= PK11_ATTR_TOKEN; } else { - attrFlags |= PK11_ATTR_SESSION; + attrFlags |= PK11_ATTR_SESSION; } if (sensitive) { - attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE); + attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE); } else { - attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); + attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); } return PK11_GenerateKeyPairWithFlags(slot, type, param, pubKey, - attrFlags, wincx); + attrFlags, wincx); } /* build a public KEA key from the public value */ SECKEYPublicKey * -PK11_MakeKEAPubKey(unsigned char *keyData,int length) +PK11_MakeKEAPubKey(unsigned char *keyData, int length) { SECKEYPublicKey *pubk; SECItem pkData; @@ -1517,14 +1653,14 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) pkData.len = length; pkData.type = siBuffer; - arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) - return NULL; + return NULL; - pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); + pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (pubk == NULL) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } pubk->arena = arena; @@ -1533,8 +1669,8 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) pubk->keyType = fortezzaKey; rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData); if (rv != SECSuccess) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } return pubk; } @@ -1545,29 +1681,29 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) * could later be looked up by its nickname, it would leak a SECKEYPrivateKey. * So isPerm must be true. */ -SECStatus +SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType keyType, - unsigned int keyUsage, void *wincx) + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType keyType, + unsigned int keyUsage, void *wincx) { if (!isPerm) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } return PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki, - pwitem, nickname, publicValue, isPerm, isPrivate, keyType, - keyUsage, NULL, wincx); + pwitem, nickname, publicValue, isPerm, isPrivate, keyType, + keyUsage, NULL, wincx); } SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType keyType, - unsigned int keyUsage, SECKEYPrivateKey **privk, - void *wincx) + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType keyType, + unsigned int keyUsage, SECKEYPrivateKey **privk, + void *wincx) { CK_MECHANISM_TYPE pbeMechType; SECItem *crypto_param = NULL; @@ -1580,131 +1716,131 @@ PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, CK_KEY_TYPE key_type; CK_ATTRIBUTE_TYPE *usage = NULL; CK_ATTRIBUTE_TYPE rsaUsage[] = { - CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER }; + CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER + }; CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN }; CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE }; CK_ATTRIBUTE_TYPE ecUsage[] = { CKA_SIGN, CKA_DERIVE }; - if((epki == NULL) || (pwitem == NULL)) - return SECFailure; + if ((epki == NULL) || (pwitem == NULL)) + return SECFailure; pbeMechType = PK11_AlgtagToMechanism(SECOID_FindOIDTag( - &epki->algorithm.algorithm)); + &epki->algorithm.algorithm)); switch (keyType) { - default: - case rsaKey: - key_type = CKK_RSA; - switch (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) { - case KU_KEY_ENCIPHERMENT: - usage = rsaUsage; - usageCount = 2; - break; - case KU_DIGITAL_SIGNATURE: - usage = &rsaUsage[2]; - usageCount = 2; - break; - case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE: - case 0: /* default to everything */ - usage = rsaUsage; - usageCount = 4; - break; - } - break; - case dhKey: - key_type = CKK_DH; - usage = dhUsage; - usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]); - break; - case dsaKey: - key_type = CKK_DSA; - usage = dsaUsage; - usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]); - break; - case ecKey: - key_type = CKK_EC; - switch (keyUsage & (KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) { - case KU_DIGITAL_SIGNATURE: - usage = ecUsage; - usageCount = 1; - break; - case KU_KEY_AGREEMENT: - usage = &ecUsage[1]; - usageCount = 1; - break; - case KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT: - default: /* default to everything */ - usage = ecUsage; - usageCount = 2; - break; - } - break; + default: + case rsaKey: + key_type = CKK_RSA; + switch (keyUsage & (KU_KEY_ENCIPHERMENT | KU_DIGITAL_SIGNATURE)) { + case KU_KEY_ENCIPHERMENT: + usage = rsaUsage; + usageCount = 2; + break; + case KU_DIGITAL_SIGNATURE: + usage = &rsaUsage[2]; + usageCount = 2; + break; + case KU_KEY_ENCIPHERMENT | KU_DIGITAL_SIGNATURE: + case 0: /* default to everything */ + usage = rsaUsage; + usageCount = 4; + break; + } + break; + case dhKey: + key_type = CKK_DH; + usage = dhUsage; + usageCount = sizeof(dhUsage) / sizeof(dhUsage[0]); + break; + case dsaKey: + key_type = CKK_DSA; + usage = dsaUsage; + usageCount = sizeof(dsaUsage) / sizeof(dsaUsage[0]); + break; + case ecKey: + key_type = CKK_EC; + switch (keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) { + case KU_DIGITAL_SIGNATURE: + usage = ecUsage; + usageCount = 1; + break; + case KU_KEY_AGREEMENT: + usage = &ecUsage[1]; + usageCount = 1; + break; + case KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT: + default: /* default to everything */ + usage = ecUsage; + usageCount = 2; + break; + } + break; } try_faulty_3des: key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx); if (key == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } cryptoMechType = pk11_GetPBECryptoMechanism(&epki->algorithm, - &crypto_param, pwitem, faulty3DES); + &crypto_param, pwitem, faulty3DES); if (cryptoMechType == CKM_INVALID_MECHANISM) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } - cryptoMechType = PK11_GetPadMechanism(cryptoMechType); PORT_Assert(usage != NULL); PORT_Assert(usageCount != 0); - privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, - crypto_param, &epki->encryptedData, - nickname, publicValue, isPerm, isPrivate, - key_type, usage, usageCount, wincx); - if(privKey) { - if (privk) { - *privk = privKey; - } else { - SECKEY_DestroyPrivateKey(privKey); - } - privKey = NULL; - rv = SECSuccess; - goto done; - } - - /* if we are unable to import the key and the pbeMechType is + privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, + crypto_param, &epki->encryptedData, + nickname, publicValue, isPerm, isPrivate, + key_type, usage, usageCount, wincx); + if (privKey) { + if (privk) { + *privk = privKey; + } else { + SECKEY_DestroyPrivateKey(privKey); + } + privKey = NULL; + rv = SECSuccess; + goto done; + } + + /* if we are unable to import the key and the pbeMechType is * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that * the encrypted blob was created with a buggy key generation method * which is described in the PKCS 12 implementation notes. So we * need to try importing via that method. - */ - if((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) { - /* clean up after ourselves before redoing the key generation. */ + */ + if ((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) { + /* clean up after ourselves before redoing the key generation. */ - PK11_FreeSymKey(key); - key = NULL; + PK11_FreeSymKey(key); + key = NULL; - if(crypto_param) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); - crypto_param = NULL; - } + if (crypto_param) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); + crypto_param = NULL; + } - faulty3DES = PR_TRUE; - goto try_faulty_3des; + faulty3DES = PR_TRUE; + goto try_faulty_3des; } /* key import really did fail */ rv = SECFailure; done: - if(crypto_param != NULL) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); + if (crypto_param != NULL) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); } - if(key != NULL) { - PK11_FreeSymKey(key); + if (key != NULL) { + PK11_FreeSymKey(key); } return rv; @@ -1714,82 +1850,81 @@ SECKEYPrivateKeyInfo * PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx) { SECKEYPrivateKeyInfo *pki = NULL; - SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); + SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); if (pk != NULL) { - pki = PK11_ExportPrivKeyInfo(pk, wincx); - SECKEY_DestroyPrivateKey(pk); + pki = PK11_ExportPrivKeyInfo(pk, wincx); + SECKEY_DestroyPrivateKey(pk); } return pki; } -SECKEYEncryptedPrivateKeyInfo * +SECKEYEncryptedPrivateKeyInfo * PK11_ExportEncryptedPrivKeyInfo( - PK11SlotInfo *slot, /* optional, encrypt key in this slot */ - SECOidTag algTag, /* encrypt key with this algorithm */ - SECItem *pwitem, /* password for PBE encryption */ - SECKEYPrivateKey *pk, /* encrypt this private key */ - int iteration, /* interations for PBE alg */ - void *wincx) /* context for password callback ? */ + PK11SlotInfo *slot, /* optional, encrypt key in this slot */ + SECOidTag algTag, /* encrypt key with this algorithm */ + SECItem *pwitem, /* password for PBE encryption */ + SECKEYPrivateKey *pk, /* encrypt this private key */ + int iteration, /* interations for PBE alg */ + void *wincx) /* context for password callback ? */ { - SECKEYEncryptedPrivateKeyInfo *epki = NULL; - PLArenaPool *arena = NULL; - SECAlgorithmID *algid; - SECOidTag pbeAlgTag = SEC_OID_UNKNOWN; - SECItem *crypto_param = NULL; - PK11SymKey *key = NULL; - SECKEYPrivateKey *tmpPK = NULL; - SECStatus rv = SECSuccess; - CK_RV crv; - CK_ULONG encBufLen; - CK_MECHANISM_TYPE pbeMechType; - CK_MECHANISM_TYPE cryptoMechType; - CK_MECHANISM cryptoMech; + SECKEYEncryptedPrivateKeyInfo *epki = NULL; + PLArenaPool *arena = NULL; + SECAlgorithmID *algid; + SECOidTag pbeAlgTag = SEC_OID_UNKNOWN; + SECItem *crypto_param = NULL; + PK11SymKey *key = NULL; + SECKEYPrivateKey *tmpPK = NULL; + SECStatus rv = SECSuccess; + CK_RV crv; + CK_ULONG encBufLen; + CK_MECHANISM_TYPE pbeMechType; + CK_MECHANISM_TYPE cryptoMechType; + CK_MECHANISM cryptoMech; if (!pwitem || !pk) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } algid = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, - &pbeAlgTag, 0, NULL, iteration); + &pbeAlgTag, 0, NULL, iteration); if (algid == NULL) { - return NULL; + return NULL; } arena = PORT_NewArena(2048); if (arena) - epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo); - if(epki == NULL) { - rv = SECFailure; - goto loser; + epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo); + if (epki == NULL) { + rv = SECFailure; + goto loser; } epki->arena = arena; - /* if we didn't specify a slot, use the slot the private key was in */ if (!slot) { - slot = pk->pkcs11Slot; + slot = pk->pkcs11Slot; } /* if we specified a different slot, and the private key slot can do the - * pbe key gen, generate the key in the private key slot so we don't have + * pbe key gen, generate the key in the private key slot so we don't have * to move it later */ pbeMechType = PK11_AlgtagToMechanism(pbeAlgTag); if (slot != pk->pkcs11Slot) { - if (PK11_DoesMechanism(pk->pkcs11Slot,pbeMechType)) { - slot = pk->pkcs11Slot; - } + if (PK11_DoesMechanism(pk->pkcs11Slot, pbeMechType)) { + slot = pk->pkcs11Slot; + } } key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx); if (key == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } cryptoMechType = PK11_GetPBECryptoMechanism(algid, &crypto_param, pwitem); if (cryptoMechType == CKM_INVALID_MECHANISM) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMechType); @@ -1798,24 +1933,24 @@ PK11_ExportEncryptedPrivKeyInfo( /* If the key isn't in the private key slot, move it */ if (key->slot != pk->pkcs11Slot) { - PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot, - key->type, CKA_WRAP, key); - if (newkey == NULL) { + PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot, + key->type, CKA_WRAP, key); + if (newkey == NULL) { /* couldn't import the wrapping key, try exporting the * private key */ - tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE); - if (tmpPK == NULL) { - rv = SECFailure; - goto loser; - } - pk = tmpPK; - } else { - /* free the old key and use the new key */ - PK11_FreeSymKey(key); - key = newkey; - } - } - + tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE); + if (tmpPK == NULL) { + rv = SECFailure; + goto loser; + } + pk = tmpPK; + } else { + /* free the old key and use the new key */ + PK11_FreeSymKey(key); + key = newkey; + } + } + /* we are extracting an encrypted privateKey structure. * which needs to be freed along with the buffer into which it is * returned. eventually, we should retrieve an encrypted key using @@ -1823,81 +1958,77 @@ PK11_ExportEncryptedPrivKeyInfo( */ encBufLen = 0; PK11_EnterSlotMonitor(pk->pkcs11Slot); - crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, - &cryptoMech, key->objectID, pk->pkcs11ID, NULL, - &encBufLen); + crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, &cryptoMech, key->objectID, pk->pkcs11ID, NULL, &encBufLen); PK11_ExitSlotMonitor(pk->pkcs11Slot); if (crv != CKR_OK) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } epki->encryptedData.data = PORT_ArenaAlloc(arena, encBufLen); if (!epki->encryptedData.data) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } PK11_EnterSlotMonitor(pk->pkcs11Slot); - crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, - &cryptoMech, key->objectID, pk->pkcs11ID, - epki->encryptedData.data, &encBufLen); + crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, &cryptoMech, key->objectID, pk->pkcs11ID, epki->encryptedData.data, &encBufLen); PK11_ExitSlotMonitor(pk->pkcs11Slot); - epki->encryptedData.len = (unsigned int) encBufLen; - if(crv != CKR_OK) { - rv = SECFailure; - goto loser; + epki->encryptedData.len = (unsigned int)encBufLen; + if (crv != CKR_OK) { + rv = SECFailure; + goto loser; } - if(!epki->encryptedData.len) { - rv = SECFailure; - goto loser; + if (!epki->encryptedData.len) { + rv = SECFailure; + goto loser; } rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid); loser: - if(crypto_param != NULL) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); - crypto_param = NULL; + if (crypto_param != NULL) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); + crypto_param = NULL; } - if(key != NULL) { - PK11_FreeSymKey(key); + if (key != NULL) { + PK11_FreeSymKey(key); } if (tmpPK != NULL) { - SECKEY_DestroyPrivateKey(tmpPK); + SECKEY_DestroyPrivateKey(tmpPK); } SECOID_DestroyAlgorithmID(algid, PR_TRUE); - if(rv == SECFailure) { - if(arena != NULL) { - PORT_FreeArena(arena, PR_TRUE); - } - epki = NULL; + if (rv == SECFailure) { + if (arena != NULL) { + PORT_FreeArena(arena, PR_TRUE); + } + epki = NULL; } return epki; } -SECKEYEncryptedPrivateKeyInfo * +SECKEYEncryptedPrivateKeyInfo * PK11_ExportEncryptedPrivateKeyInfo( - PK11SlotInfo *slot, /* optional, encrypt key in this slot */ - SECOidTag algTag, /* encrypt key with this algorithm */ - SECItem *pwitem, /* password for PBE encryption */ - CERTCertificate *cert, /* wrap priv key for this user cert */ - int iteration, /* interations for PBE alg */ - void *wincx) /* context for password callback ? */ + PK11SlotInfo *slot, /* optional, encrypt key in this slot */ + SECOidTag algTag, /* encrypt key with this algorithm */ + SECItem *pwitem, /* password for PBE encryption */ + CERTCertificate *cert, /* wrap priv key for this user cert */ + int iteration, /* interations for PBE alg */ + void *wincx) /* context for password callback ? */ { SECKEYEncryptedPrivateKeyInfo *epki = NULL; - SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); + SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); if (pk != NULL) { - epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, - iteration, wincx); - SECKEY_DestroyPrivateKey(pk); + epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, + iteration, wincx); + SECKEY_DestroyPrivateKey(pk); } return epki; } -SECItem* +SECItem * PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk) { return SECKEY_EncodeDERSubjectPublicKeyInfo(pubk); @@ -1906,57 +2037,56 @@ PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk) char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey) { - return PK11_GetObjectNickname(privKey->pkcs11Slot,privKey->pkcs11ID); + return PK11_GetObjectNickname(privKey->pkcs11Slot, privKey->pkcs11ID); } char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey) { - return PK11_GetObjectNickname(pubKey->pkcs11Slot,pubKey->pkcs11ID); + return PK11_GetObjectNickname(pubKey->pkcs11Slot, pubKey->pkcs11ID); } SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname) { return PK11_SetObjectNickname(privKey->pkcs11Slot, - privKey->pkcs11ID,nickname); + privKey->pkcs11ID, nickname); } SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname) { return PK11_SetObjectNickname(pubKey->pkcs11Slot, - pubKey->pkcs11ID,nickname); + pubKey->pkcs11ID, nickname); } SECKEYPQGParams * PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey) { CK_ATTRIBUTE pTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, }; - int pTemplateLen = sizeof(pTemplate)/sizeof(pTemplate[0]); + int pTemplateLen = sizeof(pTemplate) / sizeof(pTemplate[0]); PLArenaPool *arena = NULL; SECKEYPQGParams *params; CK_RV crv; - arena = PORT_NewArena(2048); if (arena == NULL) { - goto loser; + goto loser; } - params=(SECKEYPQGParams *)PORT_ArenaZAlloc(arena,sizeof(SECKEYPQGParams)); + params = (SECKEYPQGParams *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams)); if (params == NULL) { - goto loser; + goto loser; } - crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, - pTemplate, pTemplateLen); + crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, + pTemplate, pTemplateLen); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } params->arena = arena; @@ -1971,55 +2101,55 @@ PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey) loser: if (arena != NULL) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } -SECKEYPrivateKey* +SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot, - SECKEYPrivateKey *privKey) + SECKEYPrivateKey *privKey) { - CK_RV crv; - CK_OBJECT_HANDLE newKeyID; + CK_RV crv; + CK_OBJECT_HANDLE newKeyID; - static const CK_BBOOL ckfalse = CK_FALSE; - static const CK_ATTRIBUTE template[1] = { - { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse } + static const CK_BBOOL ckfalse = CK_FALSE; + static const CK_ATTRIBUTE template[1] = { + { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse } }; if (destSlot && destSlot != privKey->pkcs11Slot) { - SECKEYPrivateKey *newKey = - pk11_loadPrivKey(destSlot, - privKey, - NULL, /* pubKey */ - PR_FALSE, /* token */ - PR_FALSE);/* sensitive */ - if (newKey) - return newKey; + SECKEYPrivateKey *newKey = + pk11_loadPrivKey(destSlot, + privKey, + NULL, /* pubKey */ + PR_FALSE, /* token */ + PR_FALSE); /* sensitive */ + if (newKey) + return newKey; } destSlot = privKey->pkcs11Slot; PK11_Authenticate(destSlot, PR_TRUE, privKey->wincx); PK11_EnterSlotMonitor(destSlot); - crv = PK11_GETTAB(destSlot)->C_CopyObject( destSlot->session, - privKey->pkcs11ID, - (CK_ATTRIBUTE *)template, - 1, &newKeyID); + crv = PK11_GETTAB(destSlot)->C_CopyObject(destSlot->session, + privKey->pkcs11ID, + (CK_ATTRIBUTE *)template, + 1, &newKeyID); PK11_ExitSlotMonitor(destSlot); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return NULL; + PORT_SetError(PK11_MapError(crv)); + return NULL; } - return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, - newKeyID, privKey->wincx); + return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, + newKeyID, privKey->wincx); } -SECKEYPrivateKey* -PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) +SECKEYPrivateKey * +PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void *wincx) { - PK11SlotInfo* slot = privk->pkcs11Slot; + PK11SlotInfo *slot = privk->pkcs11Slot; CK_ATTRIBUTE template[1]; CK_ATTRIBUTE *attrs = template; CK_BBOOL cktrue = CK_TRUE; @@ -2027,25 +2157,26 @@ PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) CK_OBJECT_HANDLE newKeyID; CK_SESSION_HANDLE rwsession; - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; PK11_Authenticate(slot, PR_TRUE, wincx); rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; } crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, privk->pkcs11ID, - template, 1, &newKeyID); + template, 1, &newKeyID); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); return NULL; } return PK11_MakePrivKey(slot, nullKey /*KeyType*/, PR_FALSE /*isTemp*/, - newKeyID, NULL /*wincx*/); + newKeyID, NULL /*wincx*/); } /* @@ -2055,15 +2186,15 @@ PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force) { - CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey); + CERTCertificate *cert = PK11_GetCertFromPrivateKey(privKey); SECStatus rv = SECWouldBlock; if (!cert || force) { - /* now, then it's safe for the key to go away */ - rv = PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID); + /* now, then it's safe for the key to go away */ + rv = PK11_DestroyTokenObject(privKey->pkcs11Slot, privKey->pkcs11ID); } if (cert) { - CERT_DestroyCertificate(cert); + CERT_DestroyCertificate(cert); } SECKEY_DestroyPrivateKey(privKey); return rv; @@ -2078,9 +2209,9 @@ PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey) { /* now, then it's safe for the key to go away */ if (pubKey->pkcs11Slot == NULL) { - return SECFailure; + return SECFailure; } - PK11_DestroyTokenObject(pubKey->pkcs11Slot,pubKey->pkcs11ID); + PK11_DestroyTokenObject(pubKey->pkcs11Slot, pubKey->pkcs11ID); SECKEY_DestroyPublicKey(pubKey); return SECSuccess; } @@ -2089,9 +2220,9 @@ PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey) * key call back structure. */ typedef struct pk11KeyCallbackStr { - SECStatus (* callback)(SECKEYPrivateKey *,void *); - void *callbackArg; - void *wincx; + SECStatus (*callback)(SECKEYPrivateKey *, void *); + void *callbackArg; + void *wincx; } pk11KeyCallback; /* @@ -2102,22 +2233,22 @@ pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg) { SECStatus rv = SECSuccess; SECKEYPrivateKey *privKey; - pk11KeyCallback *keycb = (pk11KeyCallback *) arg; + pk11KeyCallback *keycb = (pk11KeyCallback *)arg; if (!arg) { return SECFailure; } - privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx); + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, keycb->wincx); if (privKey == NULL) { - return SECFailure; + return SECFailure; } if (keycb->callback) { - rv = (*keycb->callback)(privKey,keycb->callbackArg); + rv = (*keycb->callback)(privKey, keycb->callbackArg); } - SECKEY_DestroyPrivateKey(privKey); + SECKEY_DestroyPrivateKey(privKey); return rv; } @@ -2135,8 +2266,8 @@ pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg) * An argument that will be passed to the callback function. */ SECStatus -PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, - SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg) +PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot, + SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg) { pk11KeyCallback perKeyCB; pk11TraverseSlot perObjectCB; @@ -2152,7 +2283,7 @@ PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, theTemplate[1].pValue = &ckTrue; theTemplate[1].ulValueLen = sizeof(ckTrue); - if(slot==NULL) { + if (slot == NULL) { return SECSuccess; } @@ -2175,19 +2306,19 @@ pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID) { CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY; CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_ATTRIBUTE *attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++; + PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); + attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey)); - return pk11_FindObjectByTemplate(slot,theTemplate,tsize); -} - + return pk11_FindObjectByTemplate(slot, theTemplate, tsize); +} SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) @@ -2196,10 +2327,10 @@ PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) SECKEYPrivateKey *privKey; keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID); - if (keyHandle == CK_INVALID_HANDLE) { - return NULL; + if (keyHandle == CK_INVALID_HANDLE) { + return NULL; } - privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); return privKey; } @@ -2209,55 +2340,55 @@ PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) * smart cards happy. */ SECItem * -PK11_MakeIDFromPubKey(SECItem *pubKeyData) +PK11_MakeIDFromPubKey(SECItem *pubKeyData) { PK11Context *context; SECItem *certCKA_ID; SECStatus rv; if (pubKeyData->len <= SHA1_LENGTH) { - /* probably an already hashed value. The strongest known public - * key values <= 160 bits would be less than 40 bit symetric in - * strength. Don't hash them, just return the value. There are - * none at the time of this writing supported by previous versions - * of NSS, so change is binary compatible safe */ - return SECITEM_DupItem(pubKeyData); + /* probably an already hashed value. The strongest known public + * key values <= 160 bits would be less than 40 bit symetric in + * strength. Don't hash them, just return the value. There are + * none at the time of this writing supported by previous versions + * of NSS, so change is binary compatible safe */ + return SECITEM_DupItem(pubKeyData); } context = PK11_CreateDigestContext(SEC_OID_SHA1); if (context == NULL) { - return NULL; + return NULL; } rv = PK11_DigestBegin(context); if (rv == SECSuccess) { - rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len); + rv = PK11_DigestOp(context, pubKeyData->data, pubKeyData->len); } if (rv != SECSuccess) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem)); if (certCKA_ID == NULL) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } certCKA_ID->len = SHA1_LENGTH; - certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len); + certCKA_ID->data = (unsigned char *)PORT_Alloc(certCKA_ID->len); if (certCKA_ID->data == NULL) { - PORT_Free(certCKA_ID); - PK11_DestroyContext(context,PR_TRUE); + PORT_Free(certCKA_ID); + PK11_DestroyContext(context, PR_TRUE); return NULL; } - rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len, - SHA1_LENGTH); - PK11_DestroyContext(context,PR_TRUE); + rv = PK11_DigestFinal(context, certCKA_ID->data, &certCKA_ID->len, + SHA1_LENGTH); + PK11_DestroyContext(context, PR_TRUE); if (rv != SECSuccess) { - SECITEM_FreeItem(certCKA_ID,PR_TRUE); - return NULL; + SECITEM_FreeItem(certCKA_ID, PR_TRUE); + return NULL; } return certCKA_ID; @@ -2267,41 +2398,41 @@ PK11_MakeIDFromPubKey(SECItem *pubKeyData) * Call PK11_GetLowLevelKeyIDForPrivateKey instead. */ - SECItem * PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey) { - return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot,privKey->pkcs11ID); + return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot, privKey->pkcs11ID); } static SECStatus privateKeyListCallback(SECKEYPrivateKey *key, void *arg) { - SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList*)arg; + SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList *)arg; return SECKEY_AddPrivateKeyToListTail(list, SECKEY_CopyPrivateKey(key)); } -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot) { SECStatus status; SECKEYPrivateKeyList *keys; keys = SECKEY_NewPrivateKeyList(); - if(keys == NULL) return NULL; + if (keys == NULL) + return NULL; status = PK11_TraversePrivateKeysInSlot(slot, privateKeyListCallback, - (void*)keys); + (void *)keys); - if( status != SECSuccess ) { - SECKEY_DestroyPrivateKeyList(keys); - keys = NULL; + if (status != SECSuccess) { + SECKEY_DestroyPrivateKeyList(keys); + keys = NULL; } return keys; } -SECKEYPublicKeyList* +SECKEYPublicKeyList * PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname) { CK_ATTRIBUTE findTemp[4]; @@ -2312,42 +2443,44 @@ PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname) int objCount = 0; CK_OBJECT_HANDLE *key_ids; SECKEYPublicKeyList *keys; - int i,len; - + int i, len; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (nickname) { - len = PORT_Strlen(nickname); - PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++; + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount); + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (key_ids == NULL) { - return NULL; + return NULL; } keys = SECKEY_NewPublicKeyList(); if (keys == NULL) { - PORT_Free(key_ids); - return NULL; + PORT_Free(key_ids); + return NULL; } - for (i=0; i < objCount ; i++) { - SECKEYPublicKey *pubKey = - PK11_ExtractPublicKey(slot,nullKey,key_ids[i]); - if (pubKey) { - SECKEY_AddPublicKeyToListTail(keys, pubKey); - } - } + for (i = 0; i < objCount; i++) { + SECKEYPublicKey *pubKey = + PK11_ExtractPublicKey(slot, nullKey, key_ids[i]); + if (pubKey) { + SECKEY_AddPublicKeyToListTail(keys, pubKey); + } + } - PORT_Free(key_ids); - return keys; + PORT_Free(key_ids); + return keys; } -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) { CK_ATTRIBUTE findTemp[4]; @@ -2358,36 +2491,37 @@ PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) int objCount = 0; CK_OBJECT_HANDLE *key_ids; SECKEYPrivateKeyList *keys; - int i,len; - + int i, len; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (nickname) { - len = PORT_Strlen(nickname); - PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++; + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount); + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (key_ids == NULL) { - return NULL; + return NULL; } keys = SECKEY_NewPrivateKeyList(); if (keys == NULL) { - PORT_Free(key_ids); - return NULL; + PORT_Free(key_ids); + return NULL; } - for (i=0; i < objCount ; i++) { - SECKEYPrivateKey *privKey = - PK11_MakePrivKey(slot,nullKey,PR_TRUE,key_ids[i],wincx); - SECKEY_AddPrivateKeyToListTail(keys, privKey); - } + for (i = 0; i < objCount; i++) { + SECKEYPrivateKey *privKey = + PK11_MakePrivKey(slot, nullKey, PR_TRUE, key_ids[i], wincx); + SECKEY_AddPrivateKeyToListTail(keys, privKey); + } - PORT_Free(key_ids); - return keys; + PORT_Free(key_ids); + return keys; } - diff --git a/nss/lib/pk11wrap/pk11auth.c b/nss/lib/pk11wrap/pk11auth.c index 14aeffa..4ccfad6 100644 --- a/nss/lib/pk11wrap/pk11auth.c +++ b/nss/lib/pk11wrap/pk11auth.c @@ -13,8 +13,7 @@ #include "secitem.h" #include "secerr.h" -#include "pkim.h" - +#include "pkim.h" /************************************************************* * local static and global data @@ -22,22 +21,22 @@ /* * This structure keeps track of status that spans all the Slots. * NOTE: This is a global data structure. It semantics expect thread crosstalk - * be very careful when you see it used. - * It's major purpose in life is to allow the user to log in one PER + * be very careful when you see it used. + * It's major purpose in life is to allow the user to log in one PER * Tranaction, even if a transaction spans threads. The problem is the user - * may have to enter a password one just to be able to look at the + * may have to enter a password one just to be able to look at the * personalities/certificates (s)he can use. Then if Auth every is one, they * may have to enter the password again to use the card. See PK11_StartTransac * and PK11_EndTransaction. */ static struct PK11GlobalStruct { - int transaction; - PRBool inTransaction; - char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *); - PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *); - PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *); + int transaction; + PRBool inTransaction; + char *(PR_CALLBACK *getPass)(PK11SlotInfo *, PRBool, void *); + PRBool(PR_CALLBACK *verifyPass)(PK11SlotInfo *, void *); + PRBool(PR_CALLBACK *isLoggedIn)(PK11SlotInfo *, void *); } PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL }; - + /*********************************************************** * Password Utilities ***********************************************************/ @@ -47,7 +46,7 @@ static struct PK11GlobalStruct { */ static SECStatus pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, - char *pw, PRBool alreadyLocked, PRBool contextSpecific) + char *pw, PRBool alreadyLocked, PRBool contextSpecific) { int len = 0; CK_RV crv; @@ -57,67 +56,69 @@ pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, int retry = 0; if (slot->protectedAuthPath) { - len = 0; - pw = NULL; + len = 0; + pw = NULL; } else if (pw == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } else { - len = PORT_Strlen(pw); + len = PORT_Strlen(pw); } do { - if (!alreadyLocked) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_Login(session, - contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER, - (unsigned char *)pw,len); - slot->lastLoginCheck = 0; - mustRetry = PR_FALSE; - if (!alreadyLocked) PK11_ExitSlotMonitor(slot); - switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: - /* TODO If it was for CKU_CONTEXT_SPECIFIC should we do this */ - slot->authTransact = PK11_Global.transaction; - /* Fall through */ - case CKR_USER_ALREADY_LOGGED_IN: - slot->authTime = currtime; - rv = SECSuccess; - break; - case CKR_PIN_INCORRECT: - PORT_SetError(SEC_ERROR_BAD_PASSWORD); - rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ - break; - /* someone called reset while we fetched the password, try again once - * if the token is still there. */ - case CKR_SESSION_HANDLE_INVALID: - case CKR_SESSION_CLOSED: - if (session != slot->session) { - /* don't bother retrying, we were in a middle of an operation, - * which is now lost. Just fail. */ - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; - break; - } - if (retry++ == 0) { - rv = PK11_InitToken(slot,PR_FALSE); - if (rv == SECSuccess) { - if (slot->session != CK_INVALID_SESSION) { - session = slot->session; /* we should have - * a new session now */ - mustRetry = PR_TRUE; - } else { - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; - } - } - break; - } - /* Fall through */ - default: - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; /* some failure we can't fix by retrying */ - } + if (!alreadyLocked) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_Login(session, + contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER, + (unsigned char *)pw, len); + slot->lastLoginCheck = 0; + mustRetry = PR_FALSE; + if (!alreadyLocked) + PK11_ExitSlotMonitor(slot); + switch (crv) { + /* if we're already logged in, we're good to go */ + case CKR_OK: + /* TODO If it was for CKU_CONTEXT_SPECIFIC should we do this */ + slot->authTransact = PK11_Global.transaction; + /* Fall through */ + case CKR_USER_ALREADY_LOGGED_IN: + slot->authTime = currtime; + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + /* someone called reset while we fetched the password, try again once + * if the token is still there. */ + case CKR_SESSION_HANDLE_INVALID: + case CKR_SESSION_CLOSED: + if (session != slot->session) { + /* don't bother retrying, we were in a middle of an operation, + * which is now lost. Just fail. */ + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; + break; + } + if (retry++ == 0) { + rv = PK11_InitToken(slot, PR_FALSE); + if (rv == SECSuccess) { + if (slot->session != CK_INVALID_SESSION) { + session = slot->session; /* we should have + * a new session now */ + mustRetry = PR_TRUE; + } else { + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; + } + } + break; + } + /* Fall through */ + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ + } } while (mustRetry); return rv; } @@ -135,13 +136,13 @@ PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw) PRTime currtime = PR_Now(); if (slot->protectedAuthPath) { - len = 0; - pw = NULL; + len = 0; + pw = NULL; } else if (pw == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } else { - len = PORT_Strlen(pw); + len = PORT_Strlen(pw); } /* @@ -163,24 +164,24 @@ PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw) PK11_EnterSlotMonitor(slot); PK11_GETTAB(slot)->C_Logout(slot->session); - crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, - (unsigned char *)pw,len); + crv = PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER, + (unsigned char *)pw, len); slot->lastLoginCheck = 0; PK11_ExitSlotMonitor(slot); switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: - slot->authTransact = PK11_Global.transaction; - slot->authTime = currtime; - rv = SECSuccess; - break; - case CKR_PIN_INCORRECT: - PORT_SetError(SEC_ERROR_BAD_PASSWORD); - rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ - break; - default: - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; /* some failure we can't fix by retrying */ + /* if we're already logged in, we're good to go */ + case CKR_OK: + slot->authTransact = PK11_Global.transaction; + slot->authTime = currtime; + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ } return rv; } @@ -196,26 +197,28 @@ PK11_Logout(PK11SlotInfo *slot) slot->lastLoginCheck = 0; PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } - return SECSuccess; + return SECSuccess; } /* * transaction stuff is for when we test for the need to do every * time auth to see if we already did it for this slot/transaction */ -void PK11_StartAuthTransaction(void) +void +PK11_StartAuthTransaction(void) { -PK11_Global.transaction++; -PK11_Global.inTransaction = PR_TRUE; + PK11_Global.transaction++; + PK11_Global.inTransaction = PR_TRUE; } -void PK11_EndAuthTransaction(void) +void +PK11_EndAuthTransaction(void) { -PK11_Global.transaction++; -PK11_Global.inTransaction = PR_FALSE; + PK11_Global.transaction++; + PK11_Global.inTransaction = PR_FALSE; } /* @@ -223,37 +226,39 @@ PK11_Global.inTransaction = PR_FALSE; * need to reauthenticate. */ void -PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx) +PK11_HandlePasswordCheck(PK11SlotInfo *slot, void *wincx) { int askpw = slot->askpw; PRBool NeedAuth = PR_FALSE; - if (!slot->needLogin) return; + if (!slot->needLogin) + return; if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { - PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); - if (def_slot) { - askpw = def_slot->askpw; - PK11_FreeSlot(def_slot); - } + if (def_slot) { + askpw = def_slot->askpw; + PK11_FreeSlot(def_slot); + } } /* timeouts are handled by isLoggedIn */ - if (!PK11_IsLoggedIn(slot,wincx)) { - NeedAuth = PR_TRUE; + if (!PK11_IsLoggedIn(slot, wincx)) { + NeedAuth = PR_TRUE; } else if (askpw == -1) { - if (!PK11_Global.inTransaction || - (PK11_Global.transaction != slot->authTransact)) { - PK11_EnterSlotMonitor(slot); - PK11_GETTAB(slot)->C_Logout(slot->session); - slot->lastLoginCheck = 0; - PK11_ExitSlotMonitor(slot); - NeedAuth = PR_TRUE; - } - } - if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE, - wincx, PR_FALSE, PR_FALSE); + if (!PK11_Global.inTransaction || + (PK11_Global.transaction != slot->authTransact)) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Logout(slot->session); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + NeedAuth = PR_TRUE; + } + } + if (NeedAuth) + PK11_DoPassword(slot, slot->session, PR_TRUE, + wincx, PR_FALSE, PR_FALSE); } void @@ -266,31 +271,31 @@ PK11_SlotDBUpdate(PK11SlotInfo *slot) * set new askpw and timeout values */ void -PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout) +PK11_SetSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout) { - slot->askpw = askpw; - slot->timeout = timeout; - slot->defaultFlags |= PK11_OWN_PW_DEFAULTS; - PK11_SlotDBUpdate(slot); + slot->askpw = askpw; + slot->timeout = timeout; + slot->defaultFlags |= PK11_OWN_PW_DEFAULTS; + PK11_SlotDBUpdate(slot); } /* * Get the askpw and timeout values for this slot */ void -PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout) +PK11_GetSlotPWValues(PK11SlotInfo *slot, int *askpw, int *timeout) { *askpw = slot->askpw; *timeout = slot->timeout; if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { - PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); - if (def_slot) { - *askpw = def_slot->askpw; - *timeout = def_slot->timeout; - PK11_FreeSlot(def_slot); - } + if (def_slot) { + *askpw = def_slot->askpw; + *timeout = def_slot->timeout; + PK11_FreeSlot(def_slot); + } } } @@ -302,7 +307,7 @@ PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout) PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx) { - return slot->needLogin && !PK11_IsLoggedIn(slot,wincx); + return slot->needLogin && !PK11_IsLoggedIn(slot, wincx); } /* @@ -310,10 +315,14 @@ pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx) * This function only does the authentication if it is needed. */ SECStatus -PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) { - if (pk11_LoginStillRequired(slot,wincx)) { - return PK11_DoPassword(slot, slot->session, loadCerts, wincx, - PR_FALSE, PR_FALSE); +PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) +{ + if (!slot) { + return SECFailure; + } + if (pk11_LoginStillRequired(slot, wincx)) { + return PK11_DoPassword(slot, slot->session, loadCerts, wincx, + PR_FALSE, PR_FALSE); } return SECSuccess; } @@ -327,12 +336,11 @@ pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) { SECStatus rv = SECSuccess; if (!PK11_IsFriendly(slot)) { - rv = PK11_Authenticate(slot, loadCerts, wincx); + rv = PK11_Authenticate(slot, loadCerts, wincx); } return rv; } - /* * NOTE: this assumes that we are logged out of the card before hand */ @@ -347,42 +355,42 @@ PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw) /* get a rwsession */ rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return rv; + PORT_SetError(SEC_ERROR_BAD_DATA); + return rv; } if (slot->protectedAuthPath) { - len = 0; - ssopw = NULL; + len = 0; + ssopw = NULL; } else if (ssopw == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } else { - len = PORT_Strlen(ssopw); + len = PORT_Strlen(ssopw); } /* check the password */ - crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, - (unsigned char *)ssopw,len); + crv = PK11_GETTAB(slot)->C_Login(rwsession, CKU_SO, + (unsigned char *)ssopw, len); slot->lastLoginCheck = 0; switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: - rv = SECSuccess; - break; - case CKR_PIN_INCORRECT: - PORT_SetError(SEC_ERROR_BAD_PASSWORD); - rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ - break; - default: - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; /* some failure we can't fix by retrying */ + /* if we're already logged in, we're good to go */ + case CKR_OK: + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ } PK11_GETTAB(slot)->C_Logout(rwsession); slot->lastLoginCheck = 0; /* release rwsession */ - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); return rv; } @@ -390,13 +398,13 @@ PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw) * make sure the password conforms to your token's requirements. */ SECStatus -PK11_VerifyPW(PK11SlotInfo *slot,char *pw) +PK11_VerifyPW(PK11SlotInfo *slot, char *pw) { int len = PORT_Strlen(pw); if ((slot->minPassword > len) || (slot->maxPassword < len)) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; } return SECSuccess; } @@ -413,8 +421,10 @@ PK11_InitPin(PK11SlotInfo *slot, const char *ssopw, const char *userpw) int len; int ssolen; - if (userpw == NULL) userpw = ""; - if (ssopw == NULL) ssopw = ""; + if (userpw == NULL) + userpw = ""; + if (ssopw == NULL) + ssopw = ""; len = PORT_Strlen(userpw); ssolen = PORT_Strlen(ssopw); @@ -422,48 +432,48 @@ PK11_InitPin(PK11SlotInfo *slot, const char *ssopw, const char *userpw) /* get a rwsession */ rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - slot->lastLoginCheck = 0; - return rv; + PORT_SetError(SEC_ERROR_BAD_DATA); + slot->lastLoginCheck = 0; + return rv; } if (slot->protectedAuthPath) { - len = 0; - ssolen = 0; - ssopw = NULL; - userpw = NULL; + len = 0; + ssolen = 0; + ssopw = NULL; + userpw = NULL; } /* check the password */ - crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, - (unsigned char *)ssopw,ssolen); + crv = PK11_GETTAB(slot)->C_Login(rwsession, CKU_SO, + (unsigned char *)ssopw, ssolen); slot->lastLoginCheck = 0; if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - goto done; + PORT_SetError(PK11_MapError(crv)); + goto done; } - crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len); + crv = PK11_GETTAB(slot)->C_InitPIN(rwsession, (unsigned char *)userpw, len); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); + PORT_SetError(PK11_MapError(crv)); } else { - rv = SECSuccess; + rv = SECSuccess; } done: PK11_GETTAB(slot)->C_Logout(rwsession); slot->lastLoginCheck = 0; - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); if (rv == SECSuccess) { /* update our view of the world */ - PK11_InitToken(slot,PR_TRUE); - if (slot->needLogin) { - PK11_EnterSlotMonitor(slot); - PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, - (unsigned char *)userpw,len); - slot->lastLoginCheck = 0; - PK11_ExitSlotMonitor(slot); - } + PK11_InitToken(slot, PR_TRUE); + if (slot->needLogin) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Login(slot->session, CKU_USER, + (unsigned char *)userpw, len); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + } } return rv; } @@ -482,38 +492,43 @@ PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw) /* use NULL values to trigger the protected authentication path */ if (!slot->protectedAuthPath) { - if (newpw == NULL) newpw = ""; - if (oldpw == NULL) oldpw = ""; + if (newpw == NULL) + newpw = ""; + if (oldpw == NULL) + oldpw = ""; } - if (newpw) newLen = PORT_Strlen(newpw); - if (oldpw) oldLen = PORT_Strlen(oldpw); + if (newpw) + newLen = PORT_Strlen(newpw); + if (oldpw) + oldLen = PORT_Strlen(oldpw); /* get a rwsession */ rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return rv; + PORT_SetError(SEC_ERROR_BAD_DATA); + return rv; } crv = PK11_GETTAB(slot)->C_SetPIN(rwsession, - (unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen); + (unsigned char *)oldpw, oldLen, (unsigned char *)newpw, newLen); if (crv == CKR_OK) { - rv = SECSuccess; + rv = SECSuccess; } else { - PORT_SetError(PK11_MapError(crv)); + PORT_SetError(PK11_MapError(crv)); } - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); /* update our view of the world */ - PK11_InitToken(slot,PR_TRUE); + PK11_InitToken(slot, PR_TRUE); return rv; } static char * -pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx) +pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void *wincx) { - if (PK11_Global.getPass == NULL) return NULL; + if (PK11_Global.getPass == NULL) + return NULL; return (*PK11_Global.getPass)(slot, retry, wincx); } @@ -535,7 +550,6 @@ PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func) PK11_Global.isLoggedIn = func; } - /* * authenticate to a slot. This loops until we can't recover, the user * gives up, or we succeed. If we're already logged in and this function @@ -545,19 +559,18 @@ PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func) */ SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, - PRBool loadCerts, void *wincx, PRBool alreadyLocked, - PRBool contextSpecific) + PRBool loadCerts, void *wincx, PRBool alreadyLocked, + PRBool contextSpecific) { SECStatus rv = SECFailure; - char * password; + char *password; PRBool attempt = PR_FALSE; if (PK11_NeedUserInit(slot)) { - PORT_SetError(SEC_ERROR_IO); - return SECFailure; + PORT_SetError(SEC_ERROR_IO); + return SECFailure; } - /* * Central server type applications which control access to multiple * slave applications to single crypto devices need to virtuallize the @@ -568,69 +581,72 @@ PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, * server code that it should now verify the clients password and tell us * the results. */ - if (PK11_IsLoggedIn(slot,NULL) && - (PK11_Global.verifyPass != NULL)) { - if (!PK11_Global.verifyPass(slot,wincx)) { - PORT_SetError(SEC_ERROR_BAD_PASSWORD); - return SECFailure; - } - return SECSuccess; + if (PK11_IsLoggedIn(slot, NULL) && + (PK11_Global.verifyPass != NULL)) { + if (!PK11_Global.verifyPass(slot, wincx)) { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + return SECFailure; + } + return SECSuccess; } /* get the password. This can drop out of the while loop * for the following reasons: - * (1) the user refused to enter a password. - * (return error to caller) - * (2) the token user password is disabled [usually due to - * too many failed authentication attempts]. - * (return error to caller) - * (3) the password was successful. + * (1) the user refused to enter a password. + * (return error to caller) + * (2) the token user password is disabled [usually due to + * too many failed authentication attempts]. + * (return error to caller) + * (3) the password was successful. */ while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) { - /* if the token has a protectedAuthPath, the application may have + /* if the token has a protectedAuthPath, the application may have * already issued the C_Login as part of it's pk11_GetPassword call. - * In this case the application will tell us what the results were in + * In this case the application will tell us what the results were in * the password value (retry or the authentication was successful) so - * we can skip our own C_Login call (which would force the token to - * try to login again). - * - * Applications that don't know about protectedAuthPath will return a - * password, which we will ignore and trigger the token to - * 'authenticate' itself anyway. Hopefully the blinking display on - * the reader, or the flashing light under the thumbprint reader will - * attract the user's attention */ - attempt = PR_TRUE; - if (slot->protectedAuthPath) { - /* application tried to authenticate and failed. it wants to try - * again, continue looping */ - if (strcmp(password, PK11_PW_RETRY) == 0) { - rv = SECWouldBlock; - PORT_Free(password); - continue; - } - /* applicaton tried to authenticate and succeeded we're done */ - if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) { - rv = SECSuccess; - PORT_Free(password); - break; - } - } - rv = pk11_CheckPassword(slot, session, password, - alreadyLocked, contextSpecific); - PORT_Memset(password, 0, PORT_Strlen(password)); - PORT_Free(password); - if (rv != SECWouldBlock) break; + * we can skip our own C_Login call (which would force the token to + * try to login again). + * + * Applications that don't know about protectedAuthPath will return a + * password, which we will ignore and trigger the token to + * 'authenticate' itself anyway. Hopefully the blinking display on + * the reader, or the flashing light under the thumbprint reader will + * attract the user's attention */ + attempt = PR_TRUE; + if (slot->protectedAuthPath) { + /* application tried to authenticate and failed. it wants to try + * again, continue looping */ + if (strcmp(password, PK11_PW_RETRY) == 0) { + rv = SECWouldBlock; + PORT_Free(password); + continue; + } + /* applicaton tried to authenticate and succeeded we're done */ + if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) { + rv = SECSuccess; + PORT_Free(password); + break; + } + } + rv = pk11_CheckPassword(slot, session, password, + alreadyLocked, contextSpecific); + PORT_Memset(password, 0, PORT_Strlen(password)); + PORT_Free(password); + if (rv != SECWouldBlock) + break; } if (rv == SECSuccess) { - if (!PK11_IsFriendly(slot)) { - nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, - slot->nssToken); - } - } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD); + if (!PK11_IsFriendly(slot)) { + nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, + slot->nssToken); + } + } else if (!attempt) + PORT_SetError(SEC_ERROR_BAD_PASSWORD); return rv; } -void PK11_LogoutAll(void) +void +PK11_LogoutAll(void) { SECMODListLock *lock = SECMOD_GetDefaultModuleListLock(); SECMODModuleList *modList; @@ -639,16 +655,16 @@ void PK11_LogoutAll(void) /* NSS is not initialized, there are not tokens to log out */ if (lock == NULL) { - return; + return; } SECMOD_GetReadLock(lock); modList = SECMOD_GetDefaultModuleList(); /* find the number of entries */ for (mlp = modList; mlp != NULL; mlp = mlp->next) { - for (i=0; i < mlp->module->slotCount; i++) { - PK11_Logout(mlp->module->slots[i]); - } + for (i = 0; i < mlp->module->slotCount; i++) { + PK11_Logout(mlp->module->slots[i]); + } } SECMOD_ReleaseReadLock(lock); @@ -664,26 +680,28 @@ PK11_GetMinimumPwdLength(PK11SlotInfo *slot) PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot) { - return slot->protectedAuthPath; + return slot->protectedAuthPath; } /* - * we can initialize the password if 1) The toke is not inited + * we can initialize the password if 1) The toke is not inited * (need login == true and see need UserInit) or 2) the token has * a NULL password. (slot->needLogin = false & need user Init = false). */ -PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot) +PRBool +PK11_NeedPWInitForSlot(PK11SlotInfo *slot) { if (slot->needLogin && PK11_NeedUserInit(slot)) { - return PR_TRUE; + return PR_TRUE; } if (!slot->needLogin && !PK11_NeedUserInit(slot)) { - return PR_TRUE; + return PR_TRUE; } return PR_FALSE; } -PRBool PK11_NeedPWInit() +PRBool +PK11_NeedPWInit() { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); PRBool ret = PK11_NeedPWInitForSlot(slot); @@ -692,14 +710,14 @@ PRBool PK11_NeedPWInit() return ret; } -PRBool -pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, - PRIntervalTime *retTime) +PRBool +pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, + PRIntervalTime *retTime) { PRIntervalTime time; *retTime = time = PR_IntervalNow(); - return (PRBool) (lastTime) && ((time-lastTime) < delayTime); + return (PRBool)(lastTime) && ((time - lastTime) < delayTime); } /* @@ -707,7 +725,7 @@ pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, * because it's state can change without intervention from us. */ PRBool -PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx) +PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx) { CK_SESSION_INFO sessionInfo; int askpw = slot->askpw; @@ -717,72 +735,73 @@ PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx) static PRIntervalTime login_delay_time = 0; if (login_delay_time == 0) { - login_delay_time = PR_SecondsToInterval(1); + login_delay_time = PR_SecondsToInterval(1); } /* If we don't have our own password default values, use the system * ones */ if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { - PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); - if (def_slot) { - askpw = def_slot->askpw; - timeout = def_slot->timeout; - PK11_FreeSlot(def_slot); - } + if (def_slot) { + askpw = def_slot->askpw; + timeout = def_slot->timeout; + PK11_FreeSlot(def_slot); + } } if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) && - (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; } - + (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { + return PR_FALSE; + } /* forget the password if we've been inactive too long */ if (askpw == 1) { - PRTime currtime = PR_Now(); - PRTime result; - PRTime mult; - - LL_I2L(result, timeout); - LL_I2L(mult, 60*1000*1000); - LL_MUL(result,result,mult); - LL_ADD(result, result, slot->authTime); - if (LL_CMP(result, <, currtime) ) { - PK11_EnterSlotMonitor(slot); - PK11_GETTAB(slot)->C_Logout(slot->session); - slot->lastLoginCheck = 0; - PK11_ExitSlotMonitor(slot); - } else { - slot->authTime = currtime; - } + PRTime currtime = PR_Now(); + PRTime result; + PRTime mult; + + LL_I2L(result, timeout); + LL_I2L(mult, 60 * 1000 * 1000); + LL_MUL(result, result, mult); + LL_ADD(result, result, slot->authTime); + if (LL_CMP(result, <, currtime)) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Logout(slot->session); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + } else { + slot->authTime = currtime; + } } PK11_EnterSlotMonitor(slot); - if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) { - sessionInfo.state = slot->lastState; - crv = CKR_OK; + if (pk11_InDelayPeriod(slot->lastLoginCheck, login_delay_time, &curTime)) { + sessionInfo.state = slot->lastState; + crv = CKR_OK; } else { - crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); - if (crv == CKR_OK) { - slot->lastState = sessionInfo.state; - slot->lastLoginCheck = curTime; - } + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); + if (crv == CKR_OK) { + slot->lastState = sessionInfo.state; + slot->lastLoginCheck = curTime; + } } PK11_ExitSlotMonitor(slot); /* if we can't get session info, something is really wrong */ if (crv != CKR_OK) { - slot->session = CK_INVALID_SESSION; - return PR_FALSE; + slot->session = CK_INVALID_SESSION; + return PR_FALSE; } switch (sessionInfo.state) { - case CKS_RW_PUBLIC_SESSION: - case CKS_RO_PUBLIC_SESSION: - default: - break; /* fail */ - case CKS_RW_USER_FUNCTIONS: - case CKS_RW_SO_FUNCTIONS: - case CKS_RO_USER_FUNCTIONS: - return PR_TRUE; - } - return PR_FALSE; + case CKS_RW_PUBLIC_SESSION: + case CKS_RO_PUBLIC_SESSION: + default: + break; /* fail */ + case CKS_RW_USER_FUNCTIONS: + case CKS_RW_SO_FUNCTIONS: + case CKS_RO_USER_FUNCTIONS: + return PR_TRUE; + } + return PR_FALSE; } diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c index e29b4e2..6968ae7 100644 --- a/nss/lib/pk11wrap/pk11cert.c +++ b/nss/lib/pk11wrap/pk11cert.c @@ -15,7 +15,7 @@ #include "cert.h" #include "certi.h" #include "secitem.h" -#include "key.h" +#include "key.h" #include "secoid.h" #include "pkcs7t.h" #include "cmsreclist.h" @@ -27,7 +27,7 @@ #include "pki3hack.h" #include "dev3hack.h" -#include "devm.h" +#include "devm.h" #include "nsspki.h" #include "pki.h" #include "pkim.h" @@ -39,7 +39,7 @@ extern const NSSError NSS_ERROR_NOT_FOUND; extern const NSSError NSS_ERROR_INVALID_CERTIFICATE; struct nss3_cert_cbstr { - SECStatus(* callback)(CERTCertificate*, void *); + SECStatus (*callback)(CERTCertificate *, void *); nssList *cached; void *arg; }; @@ -47,69 +47,77 @@ struct nss3_cert_cbstr { /* Translate from NSSCertificate to CERTCertificate, then pass the latter * to a callback. */ -static PRStatus convert_cert(NSSCertificate *c, void *arg) +static PRStatus +convert_cert(NSSCertificate *c, void *arg) { CERTCertificate *nss3cert; SECStatus secrv; struct nss3_cert_cbstr *nss3cb = (struct nss3_cert_cbstr *)arg; /* 'c' is not adopted. caller will free it */ nss3cert = STAN_GetCERTCertificate(c); - if (!nss3cert) return PR_FAILURE; + if (!nss3cert) + return PR_FAILURE; secrv = (*nss3cb->callback)(nss3cert, nss3cb->arg); return (secrv) ? PR_FAILURE : PR_SUCCESS; } /* - * build a cert nickname based on the token name and the label of the + * build a cert nickname based on the token name and the label of the * certificate If the label in NULL, build a label based on the ID. */ -static int toHex(int x) { return (x < 10) ? (x+'0') : (x+'a'-10); } +static int +toHex(int x) +{ + return (x < 10) ? (x + '0') : (x + 'a' - 10); +} #define MAX_CERT_ID 4 #define DEFAULT_STRING "Cert ID " static char * -pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label, - CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id) +pk11_buildNickname(PK11SlotInfo *slot, CK_ATTRIBUTE *cert_label, + CK_ATTRIBUTE *key_label, CK_ATTRIBUTE *cert_id) { int prefixLen = PORT_Strlen(slot->token_name); int suffixLen = 0; char *suffix = NULL; - char buildNew[sizeof(DEFAULT_STRING)+MAX_CERT_ID*2]; - char *next,*nickname; + char buildNew[sizeof(DEFAULT_STRING) + MAX_CERT_ID * 2]; + char *next, *nickname; if (cert_label && (cert_label->ulValueLen)) { - suffixLen = cert_label->ulValueLen; - suffix = (char*)cert_label->pValue; + suffixLen = cert_label->ulValueLen; + suffix = (char *)cert_label->pValue; } else if (key_label && (key_label->ulValueLen)) { - suffixLen = key_label->ulValueLen; - suffix = (char*)key_label->pValue; + suffixLen = key_label->ulValueLen; + suffix = (char *)key_label->pValue; } else if (cert_id && cert_id->ulValueLen > 0) { - int i,first = cert_id->ulValueLen - MAX_CERT_ID; - int offset = sizeof(DEFAULT_STRING); - char *idValue = (char *)cert_id->pValue; - - PORT_Memcpy(buildNew,DEFAULT_STRING,sizeof(DEFAULT_STRING)-1); - next = buildNew + offset; - if (first < 0) first = 0; - for (i=first; i < (int) cert_id->ulValueLen; i++) { - *next++ = toHex((idValue[i] >> 4) & 0xf); - *next++ = toHex(idValue[i] & 0xf); - } - *next++ = 0; - suffix = buildNew; - suffixLen = PORT_Strlen(buildNew); + int i, first = cert_id->ulValueLen - MAX_CERT_ID; + int offset = sizeof(DEFAULT_STRING); + char *idValue = (char *)cert_id->pValue; + + PORT_Memcpy(buildNew, DEFAULT_STRING, sizeof(DEFAULT_STRING) - 1); + next = buildNew + offset; + if (first < 0) + first = 0; + for (i = first; i < (int)cert_id->ulValueLen; i++) { + *next++ = toHex((idValue[i] >> 4) & 0xf); + *next++ = toHex(idValue[i] & 0xf); + } + *next++ = 0; + suffix = buildNew; + suffixLen = PORT_Strlen(buildNew); } else { - PORT_SetError( SEC_ERROR_LIBRARY_FAILURE ); - return NULL; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; } /* if is internal key slot, add code to skip the prefix!! */ - next = nickname = (char *)PORT_Alloc(prefixLen+1+suffixLen+1); - if (nickname == NULL) return NULL; + next = nickname = (char *)PORT_Alloc(prefixLen + 1 + suffixLen + 1); + if (nickname == NULL) + return NULL; - PORT_Memcpy(next,slot->token_name,prefixLen); + PORT_Memcpy(next, slot->token_name, prefixLen); next += prefixLen; *next++ = ':'; - PORT_Memcpy(next,suffix,suffixLen); + PORT_Memcpy(next, suffix, suffixLen); next += suffixLen; *next++ = 0; return nickname; @@ -117,67 +125,69 @@ pk11_buildNickname(PK11SlotInfo *slot,CK_ATTRIBUTE *cert_label, PRBool PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert, - CK_OBJECT_HANDLE certID) + CK_OBJECT_HANDLE certID) { CK_OBJECT_CLASS theClass; - if (slot == NULL) return PR_FALSE; - if (cert == NULL) return PR_FALSE; + if (slot == NULL) + return PR_FALSE; + if (cert == NULL) + return PR_FALSE; theClass = CKO_PRIVATE_KEY; - if (pk11_LoginStillRequired(slot,NULL)) { - theClass = CKO_PUBLIC_KEY; - } - if (PK11_MatchItem(slot, certID , theClass) != CK_INVALID_HANDLE) { - return PR_TRUE; - } - - if (theClass == CKO_PUBLIC_KEY) { - SECKEYPublicKey *pubKey= CERT_ExtractPublicKey(cert); - CK_ATTRIBUTE theTemplate; - - if (pubKey == NULL) { - return PR_FALSE; - } - - PK11_SETATTRS(&theTemplate,0,NULL,0); - switch (pubKey->keyType) { - case rsaKey: - case rsaPssKey: - case rsaOaepKey: - PK11_SETATTRS(&theTemplate,CKA_MODULUS, pubKey->u.rsa.modulus.data, - pubKey->u.rsa.modulus.len); - break; - case dsaKey: - PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dsa.publicValue.data, - pubKey->u.dsa.publicValue.len); - break; - case dhKey: - PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data, - pubKey->u.dh.publicValue.len); - break; - case ecKey: - PK11_SETATTRS(&theTemplate,CKA_EC_POINT, - pubKey->u.ec.publicValue.data, - pubKey->u.ec.publicValue.len); - break; - case keaKey: - case fortezzaKey: - case nullKey: - /* fall through and return false */ - break; - } - - if (theTemplate.ulValueLen == 0) { - SECKEY_DestroyPublicKey(pubKey); - return PR_FALSE; - } - pk11_SignedToUnsigned(&theTemplate); - if (pk11_FindObjectByTemplate(slot,&theTemplate,1) != CK_INVALID_HANDLE) { - SECKEY_DestroyPublicKey(pubKey); - return PR_TRUE; - } - SECKEY_DestroyPublicKey(pubKey); + if (pk11_LoginStillRequired(slot, NULL)) { + theClass = CKO_PUBLIC_KEY; + } + if (PK11_MatchItem(slot, certID, theClass) != CK_INVALID_HANDLE) { + return PR_TRUE; + } + + if (theClass == CKO_PUBLIC_KEY) { + SECKEYPublicKey *pubKey = CERT_ExtractPublicKey(cert); + CK_ATTRIBUTE theTemplate; + + if (pubKey == NULL) { + return PR_FALSE; + } + + PK11_SETATTRS(&theTemplate, 0, NULL, 0); + switch (pubKey->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + PK11_SETATTRS(&theTemplate, CKA_MODULUS, pubKey->u.rsa.modulus.data, + pubKey->u.rsa.modulus.len); + break; + case dsaKey: + PK11_SETATTRS(&theTemplate, CKA_VALUE, pubKey->u.dsa.publicValue.data, + pubKey->u.dsa.publicValue.len); + break; + case dhKey: + PK11_SETATTRS(&theTemplate, CKA_VALUE, pubKey->u.dh.publicValue.data, + pubKey->u.dh.publicValue.len); + break; + case ecKey: + PK11_SETATTRS(&theTemplate, CKA_EC_POINT, + pubKey->u.ec.publicValue.data, + pubKey->u.ec.publicValue.len); + break; + case keaKey: + case fortezzaKey: + case nullKey: + /* fall through and return false */ + break; + } + + if (theTemplate.ulValueLen == 0) { + SECKEY_DestroyPublicKey(pubKey); + return PR_FALSE; + } + pk11_SignedToUnsigned(&theTemplate); + if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) { + SECKEY_DestroyPublicKey(pubKey); + return PR_TRUE; + } + SECKEY_DestroyPublicKey(pubKey); } return PR_FALSE; } @@ -186,35 +196,33 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert, * Check out if a cert has ID of zero. This is a magic ID that tells * NSS that this cert may be an automagically trusted cert. * The Cert has to be self signed as well. That check is done elsewhere. - * + * */ PRBool pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID) { - CK_ATTRIBUTE keyID = {CKA_ID, NULL, 0}; + CK_ATTRIBUTE keyID = { CKA_ID, NULL, 0 }; PRBool isZero = PR_FALSE; int i; CK_RV crv; - - crv = PK11_GetAttributes(NULL,slot,certID,&keyID,1); + crv = PK11_GetAttributes(NULL, slot, certID, &keyID, 1); if (crv != CKR_OK) { - return isZero; + return isZero; } if (keyID.ulValueLen != 0) { - char *value = (char *)keyID.pValue; - isZero = PR_TRUE; /* ID exists, may be zero */ - for (i=0; i < (int) keyID.ulValueLen; i++) { - if (value[i] != 0) { - isZero = PR_FALSE; /* nope */ - break; - } - } + char *value = (char *)keyID.pValue; + isZero = PR_TRUE; /* ID exists, may be zero */ + for (i = 0; i < (int)keyID.ulValueLen; i++) { + if (value[i] != 0) { + isZero = PR_FALSE; /* nope */ + break; + } + } } PORT_Free(keyID.pValue); return isZero; - } /* @@ -222,8 +230,8 @@ pk11_isID0(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID) * CERTCertificate. Optionally, output the nickname string. */ static CERTCertificate * -pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, - CK_ATTRIBUTE *privateLabel, char **nickptr) +pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, + CK_ATTRIBUTE *privateLabel, char **nickptr) { NSSCertificate *c; nssCryptokiObject *co = NULL; @@ -234,48 +242,48 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, /* Get the cryptoki object from the handle */ token = PK11Slot_GetNSSToken(slot); if (token->defaultSession) { - co = nssCryptokiObject_Create(token, token->defaultSession, certID); + co = nssCryptokiObject_Create(token, token->defaultSession, certID); } else { - PORT_SetError(SEC_ERROR_NO_TOKEN); + PORT_SetError(SEC_ERROR_NO_TOKEN); } if (!co) { - return NULL; + return NULL; } /* Create a PKI object from the cryptoki instance */ pkio = nssPKIObject_Create(NULL, co, td, NULL, nssPKIMonitor); if (!pkio) { - nssCryptokiObject_Destroy(co); - return NULL; + nssCryptokiObject_Destroy(co); + return NULL; } /* Create a certificate */ c = nssCertificate_Create(pkio); if (!c) { - nssPKIObject_Destroy(pkio); - return NULL; + nssPKIObject_Destroy(pkio); + return NULL; } - /* Build and output a nickname, if desired. + /* Build and output a nickname, if desired. * This must be done before calling nssTrustDomain_AddCertsToCache * because that function may destroy c, pkio and co! */ if ((nickptr) && (co->label)) { - CK_ATTRIBUTE label, id; + CK_ATTRIBUTE label, id; - label.type = CKA_LABEL; - label.pValue = co->label; - label.ulValueLen = PORT_Strlen(co->label); + label.type = CKA_LABEL; + label.pValue = co->label; + label.ulValueLen = PORT_Strlen(co->label); - id.type = CKA_ID; - id.pValue = c->id.data; - id.ulValueLen = c->id.size; + id.type = CKA_ID; + id.pValue = c->id.data; + id.ulValueLen = c->id.size; - *nickptr = pk11_buildNickname(slot, &label, privateLabel, &id); + *nickptr = pk11_buildNickname(slot, &label, privateLabel, &id); } /* This function may destroy the cert in "c" and all its subordinate - * structures, and replace the value in "c" with the address of a + * structures, and replace the value in "c" with the address of a * different NSSCertificate that it found in the cache. * Presumably, the nickname which we just output above remains valid. :) */ @@ -288,78 +296,77 @@ pk11_fastCert(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, * Must be a CertObject. This code does not explicitly checks that. */ CERTCertificate * -PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID, - CK_ATTRIBUTE *privateLabel) +PK11_MakeCertFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE certID, + CK_ATTRIBUTE *privateLabel) { - char * nickname = NULL; + char *nickname = NULL; CERTCertificate *cert = NULL; CERTCertTrust *trust; - cert = pk11_fastCert(slot,certID,privateLabel, &nickname); - if (cert == NULL) - goto loser; + cert = pk11_fastCert(slot, certID, privateLabel, &nickname); + if (cert == NULL) + goto loser; if (nickname) { - if (cert->nickname != NULL) { - cert->dbnickname = cert->nickname; - } - cert->nickname = PORT_ArenaStrdup(cert->arena,nickname); - PORT_Free(nickname); - nickname = NULL; + if (cert->nickname != NULL) { + cert->dbnickname = cert->nickname; + } + cert->nickname = PORT_ArenaStrdup(cert->arena, nickname); + PORT_Free(nickname); + nickname = NULL; } /* remember where this cert came from.... If we have just looked * it up from the database and it already has a slot, don't add a new * one. */ if (cert->slot == NULL) { - cert->slot = PK11_ReferenceSlot(slot); - cert->pkcs11ID = certID; - cert->ownSlot = PR_TRUE; - cert->series = slot->series; - } - - trust = (CERTCertTrust*)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust)); - if (trust == NULL) - goto loser; - PORT_Memset(trust,0, sizeof(CERTCertTrust)); - - if(! pk11_HandleTrustObject(slot, cert, trust) ) { - unsigned int type; - - /* build some cert trust flags */ - if (CERT_IsCACert(cert, &type)) { - unsigned int trustflags = CERTDB_VALID_CA; - - /* Allow PKCS #11 modules to give us trusted CA's. We only accept - * valid CA's which are self-signed here. They must have an object - * ID of '0'. */ - if (pk11_isID0(slot,certID) && - cert->isRoot) { - trustflags |= CERTDB_TRUSTED_CA; - /* is the slot a fortezza card? allow the user or - * admin to turn on objectSigning, but don't turn - * full trust on explicitly */ - if (PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) { - trust->objectSigningFlags |= CERTDB_VALID_CA; - } - } - if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) { - trust->sslFlags |= trustflags; - } - if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) { - trust->emailFlags |= trustflags; - } - if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) - == NS_CERT_TYPE_OBJECT_SIGNING_CA) { - trust->objectSigningFlags |= trustflags; - } - } - } - - if (PK11_IsUserCert(slot,cert,certID)) { - trust->sslFlags |= CERTDB_USER; - trust->emailFlags |= CERTDB_USER; - /* trust->objectSigningFlags |= CERTDB_USER; */ + cert->slot = PK11_ReferenceSlot(slot); + cert->pkcs11ID = certID; + cert->ownSlot = PR_TRUE; + cert->series = slot->series; + } + + trust = (CERTCertTrust *)PORT_ArenaAlloc(cert->arena, sizeof(CERTCertTrust)); + if (trust == NULL) + goto loser; + PORT_Memset(trust, 0, sizeof(CERTCertTrust)); + + if (!pk11_HandleTrustObject(slot, cert, trust)) { + unsigned int type; + + /* build some cert trust flags */ + if (CERT_IsCACert(cert, &type)) { + unsigned int trustflags = CERTDB_VALID_CA; + + /* Allow PKCS #11 modules to give us trusted CA's. We only accept + * valid CA's which are self-signed here. They must have an object + * ID of '0'. */ + if (pk11_isID0(slot, certID) && + cert->isRoot) { + trustflags |= CERTDB_TRUSTED_CA; + /* is the slot a fortezza card? allow the user or + * admin to turn on objectSigning, but don't turn + * full trust on explicitly */ + if (PK11_DoesMechanism(slot, CKM_KEA_KEY_DERIVE)) { + trust->objectSigningFlags |= CERTDB_VALID_CA; + } + } + if ((type & NS_CERT_TYPE_SSL_CA) == NS_CERT_TYPE_SSL_CA) { + trust->sslFlags |= trustflags; + } + if ((type & NS_CERT_TYPE_EMAIL_CA) == NS_CERT_TYPE_EMAIL_CA) { + trust->emailFlags |= trustflags; + } + if ((type & NS_CERT_TYPE_OBJECT_SIGNING_CA) == NS_CERT_TYPE_OBJECT_SIGNING_CA) { + trust->objectSigningFlags |= trustflags; + } + } + } + + if (PK11_IsUserCert(slot, cert, certID)) { + trust->sslFlags |= CERTDB_USER; + trust->emailFlags |= CERTDB_USER; + /* trust->objectSigningFlags |= CERTDB_USER; */ } CERT_LockCertTrust(cert); cert->trust = trust; @@ -368,14 +375,13 @@ PK11_MakeCertFromHandle(PK11SlotInfo *slot,CK_OBJECT_HANDLE certID, return cert; loser: - if (nickname) - PORT_Free(nickname); - if (cert) - CERT_DestroyCertificate(cert); + if (nickname) + PORT_Free(nickname); + if (cert) + CERT_DestroyCertificate(cert); return NULL; } - /* * Build get a certificate from a private key */ @@ -384,17 +390,16 @@ PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey) { PK11SlotInfo *slot = privKey->pkcs11Slot; CK_OBJECT_HANDLE handle = privKey->pkcs11ID; - CK_OBJECT_HANDLE certID = - PK11_MatchItem(slot,handle,CKO_CERTIFICATE); + CK_OBJECT_HANDLE certID = + PK11_MatchItem(slot, handle, CKO_CERTIFICATE); CERTCertificate *cert; if (certID == CK_INVALID_HANDLE) { - PORT_SetError(SSL_ERROR_NO_CERTIFICATE); - return NULL; + PORT_SetError(SSL_ERROR_NO_CERTIFICATE); + return NULL; } - cert = PK11_MakeCertFromHandle(slot,certID,NULL); + cert = PK11_MakeCertFromHandle(slot, certID, NULL); return (cert); - } /* @@ -402,20 +407,20 @@ PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey) * private key. */ SECStatus -PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx) +PK11_DeleteTokenCertAndKey(CERTCertificate *cert, void *wincx) { - SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert,wincx); + SECKEYPrivateKey *privKey = PK11_FindKeyByAnyCert(cert, wincx); CK_OBJECT_HANDLE pubKey; PK11SlotInfo *slot = NULL; pubKey = pk11_FindPubKeyByAnyCert(cert, &slot, wincx); if (privKey) { - /* For 3.4, utilize the generic cert delete function */ - SEC_DeletePermCertificate(cert); - PK11_DeleteTokenPrivateKey(privKey, PR_FALSE); + /* For 3.4, utilize the generic cert delete function */ + SEC_DeletePermCertificate(cert); + PK11_DeleteTokenPrivateKey(privKey, PR_FALSE); } - if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { - PK11_DestroyTokenObject(slot,pubKey); + if ((pubKey != CK_INVALID_HANDLE) && (slot != NULL)) { + PK11_DestroyTokenObject(slot, pubKey); PK11_FreeSlot(slot); } return SECSuccess; @@ -425,25 +430,24 @@ PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx) * cert callback structure */ typedef struct pk11DoCertCallbackStr { - SECStatus(* callback)(PK11SlotInfo *slot, CERTCertificate*, void *); - SECStatus(* noslotcallback)(CERTCertificate*, void *); - SECStatus(* itemcallback)(CERTCertificate*, SECItem *, void *); - void *callbackArg; + SECStatus (*callback)(PK11SlotInfo *slot, CERTCertificate *, void *); + SECStatus (*noslotcallback)(CERTCertificate *, void *); + SECStatus (*itemcallback)(CERTCertificate *, SECItem *, void *); + void *callbackArg; } pk11DoCertCallback; - typedef struct pk11CertCallbackStr { - SECStatus(* callback)(CERTCertificate*,SECItem *,void *); - void *callbackArg; + SECStatus (*callback)(CERTCertificate *, SECItem *, void *); + void *callbackArg; } pk11CertCallback; -struct fake_der_cb_argstr -{ - SECStatus(* callback)(CERTCertificate*, SECItem *, void *); +struct fake_der_cb_argstr { + SECStatus (*callback)(CERTCertificate *, SECItem *, void *); void *arg; }; -static SECStatus fake_der_cb(CERTCertificate *c, void *a) +static SECStatus +fake_der_cb(CERTCertificate *c, void *a) { struct fake_der_cb_argstr *fda = (struct fake_der_cb_argstr *)a; return (*fda->callback)(c, &c->derCert, fda->arg); @@ -453,15 +457,15 @@ static SECStatus fake_der_cb(CERTCertificate *c, void *a) * Extract all the certs on a card from a slot. */ SECStatus -PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *), - void *arg, void *wincx) +PK11_TraverseSlotCerts(SECStatus (*callback)(CERTCertificate *, SECItem *, void *), + void *arg, void *wincx) { NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain(); struct fake_der_cb_argstr fda; struct nss3_cert_cbstr pk11cb; /* authenticate to the tokens first */ - (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, wincx); + (void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, wincx); fda.callback = callback; fda.arg = arg; @@ -472,7 +476,7 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *), } static void -transfer_token_certs_to_collection(nssList *certList, NSSToken *token, +transfer_token_certs_to_collection(nssList *certList, NSSToken *token, nssPKIObjectCollection *collection) { NSSCertificate **certs; @@ -480,37 +484,37 @@ transfer_token_certs_to_collection(nssList *certList, NSSToken *token, NSSToken **tokens, **tp; count = nssList_Count(certList); if (count == 0) { - return; + return; } certs = nss_ZNEWARRAY(NULL, NSSCertificate *, count); if (!certs) { - return; + return; } nssList_GetArray(certList, (void **)certs, count); - for (i=0; i<count; i++) { - tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL); - if (tokens) { - for (tp = tokens; *tp; tp++) { - if (*tp == token) { - nssPKIObjectCollection_AddObject(collection, - (nssPKIObject *)certs[i]); - } - } - nssTokenArray_Destroy(tokens); - } - CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i])); + for (i = 0; i < count; i++) { + tokens = nssPKIObject_GetTokens(&certs[i]->object, NULL); + if (tokens) { + for (tp = tokens; *tp; tp++) { + if (*tp == token) { + nssPKIObjectCollection_AddObject(collection, + (nssPKIObject *)certs[i]); + } + } + nssTokenArray_Destroy(tokens); + } + CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(certs[i])); } nss_ZFreeIf(certs); } CERTCertificate * -PK11_FindCertFromNickname(const char *nickname, void *wincx) +PK11_FindCertFromNickname(const char *nickname, void *wincx) { PRStatus status; CERTCertificate *rvCert = NULL; NSSCertificate *cert = NULL; NSSCertificate **certs = NULL; - static const NSSUsage usage = {PR_TRUE /* ... */ }; + static const NSSUsage usage = { PR_TRUE /* ... */ }; NSSToken *token; NSSTrustDomain *defaultTD = STAN_GetDefaultTrustDomain(); PK11SlotInfo *slot = NULL; @@ -524,180 +528,180 @@ PK11_FindCertFromNickname(const char *nickname, void *wincx) /* error code is set */ return NULL; } - if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { - tokenName = nickCopy; - nickname = delimit + 1; - *delimit = '\0'; - /* find token by name */ - token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName); - if (token) { - slot = PK11_ReferenceSlot(token->pk11slot); - } else { - PORT_SetError(SEC_ERROR_NO_TOKEN); - } - *delimit = ':'; + if ((delimit = PORT_Strchr(nickCopy, ':')) != NULL) { + tokenName = nickCopy; + nickname = delimit + 1; + *delimit = '\0'; + /* find token by name */ + token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName); + if (token) { + slot = PK11_ReferenceSlot(token->pk11slot); + } else { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } + *delimit = ':'; } else { - slot = PK11_GetInternalKeySlot(); - token = PK11Slot_GetNSSToken(slot); + slot = PK11_GetInternalKeySlot(); + token = PK11Slot_GetNSSToken(slot); } if (token) { - nssList *certList; - nssCryptokiObject **instances; - nssPKIObjectCollection *collection; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - if (!PK11_IsPresent(slot)) { - goto loser; - } - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - goto loser; - } - collection = nssCertificateCollection_Create(defaultTD, NULL); - if (!collection) { - goto loser; - } - certList = nssList_Create(NULL, PR_FALSE); - if (!certList) { - nssPKIObjectCollection_Destroy(collection); - goto loser; - } - (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, - nickname, - certList); - transfer_token_certs_to_collection(certList, token, collection); - instances = nssToken_FindCertificatesByNickname(token, - NULL, - nickname, - tokenOnly, - 0, - &status); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); - /* if it wasn't found, repeat the process for email address */ - if (nssPKIObjectCollection_Count(collection) == 0 && - PORT_Strchr(nickname, '@') != NULL) - { - char* lowercaseName = CERT_FixupEmailAddr(nickname); - if (lowercaseName) { - (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, - lowercaseName, - certList); - transfer_token_certs_to_collection(certList, token, collection); - instances = nssToken_FindCertificatesByEmail(token, - NULL, - lowercaseName, - tokenOnly, - 0, - &status); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); - PORT_Free(lowercaseName); - } - } - certs = nssPKIObjectCollection_GetCertificates(collection, - NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); - if (certs) { - cert = nssCertificateArray_FindBestCertificate(certs, NULL, - &usage, NULL); - if (cert) { - rvCert = STAN_GetCERTCertificateOrRelease(cert); - } - nssCertificateArray_Destroy(certs); - } - nssList_Destroy(certList); + nssList *certList; + nssCryptokiObject **instances; + nssPKIObjectCollection *collection; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + if (!PK11_IsPresent(slot)) { + goto loser; + } + rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + goto loser; + } + collection = nssCertificateCollection_Create(defaultTD, NULL); + if (!collection) { + goto loser; + } + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) { + nssPKIObjectCollection_Destroy(collection); + goto loser; + } + (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, + nickname, + certList); + transfer_token_certs_to_collection(certList, token, collection); + instances = nssToken_FindCertificatesByNickname(token, + NULL, + nickname, + tokenOnly, + 0, + &status); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); + /* if it wasn't found, repeat the process for email address */ + if (nssPKIObjectCollection_Count(collection) == 0 && + PORT_Strchr(nickname, '@') != NULL) { + char *lowercaseName = CERT_FixupEmailAddr(nickname); + if (lowercaseName) { + (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, + lowercaseName, + certList); + transfer_token_certs_to_collection(certList, token, collection); + instances = nssToken_FindCertificatesByEmail(token, + NULL, + lowercaseName, + tokenOnly, + 0, + &status); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); + PORT_Free(lowercaseName); + } + } + certs = nssPKIObjectCollection_GetCertificates(collection, + NULL, 0, NULL); + nssPKIObjectCollection_Destroy(collection); + if (certs) { + cert = nssCertificateArray_FindBestCertificate(certs, NULL, + &usage, NULL); + if (cert) { + rvCert = STAN_GetCERTCertificateOrRelease(cert); + } + nssCertificateArray_Destroy(certs); + } + nssList_Destroy(certList); } if (slot) { - PK11_FreeSlot(slot); + PK11_FreeSlot(slot); } - if (nickCopy) PORT_Free(nickCopy); + if (nickCopy) + PORT_Free(nickCopy); return rvCert; loser: if (slot) { - PK11_FreeSlot(slot); + PK11_FreeSlot(slot); } - if (nickCopy) PORT_Free(nickCopy); + if (nickCopy) + PORT_Free(nickCopy); return NULL; } /* Traverse slots callback */ typedef struct FindCertsEmailArgStr { - char *email; + char *email; CERTCertList *certList; } FindCertsEmailArg; -SECStatus +SECStatus FindCertsEmailCallback(CERTCertificate *cert, SECItem *item, void *arg) { - FindCertsEmailArg *cbparam = (FindCertsEmailArg *) arg; + FindCertsEmailArg *cbparam = (FindCertsEmailArg *)arg; const char *cert_email = CERT_GetFirstEmailAddress(cert); PRBool found = PR_FALSE; /* Email address present in certificate? */ - if (cert_email == NULL){ - return SECSuccess; + if (cert_email == NULL) { + return SECSuccess; } - + /* Parameter correctly set? */ if (cbparam->email == NULL) { - return SECFailure; + return SECFailure; } /* Loop over all email addresses */ do { - if (!strcmp(cert_email, cbparam->email)) { - /* found one matching email address */ - PRTime now = PR_Now(); - found = PR_TRUE; - CERT_AddCertToListSorted(cbparam->certList, - CERT_DupCertificate(cert), - CERT_SortCBValidity, &now); - } - cert_email = CERT_GetNextEmailAddress(cert, cert_email); - } while (cert_email && !found); + if (!strcmp(cert_email, cbparam->email)) { + /* found one matching email address */ + PRTime now = PR_Now(); + found = PR_TRUE; + CERT_AddCertToListSorted(cbparam->certList, + CERT_DupCertificate(cert), + CERT_SortCBValidity, &now); + } + cert_email = CERT_GetNextEmailAddress(cert, cert_email); + } while (cert_email && !found); return SECSuccess; } /* Find all certificates with matching email address */ CERTCertList * -PK11_FindCertsFromEmailAddress(const char *email, void *wincx) +PK11_FindCertsFromEmailAddress(const char *email, void *wincx) { FindCertsEmailArg cbparam; SECStatus rv; cbparam.certList = CERT_NewCertList(); if (cbparam.certList == NULL) { - return NULL; + return NULL; } cbparam.email = CERT_FixupEmailAddr(email); if (cbparam.email == NULL) { - CERT_DestroyCertList(cbparam.certList); - return NULL; + CERT_DestroyCertList(cbparam.certList); + return NULL; } - rv = PK11_TraverseSlotCerts(FindCertsEmailCallback, &cbparam, NULL); + rv = PK11_TraverseSlotCerts(FindCertsEmailCallback, &cbparam, NULL); if (rv != SECSuccess) { - CERT_DestroyCertList(cbparam.certList); - PORT_Free(cbparam.email); - return NULL; + CERT_DestroyCertList(cbparam.certList); + PORT_Free(cbparam.email); + return NULL; } /* empty list? */ - if (CERT_LIST_HEAD(cbparam.certList) == NULL || + if (CERT_LIST_HEAD(cbparam.certList) == NULL || CERT_LIST_END(CERT_LIST_HEAD(cbparam.certList), cbparam.certList)) { - CERT_DestroyCertList(cbparam.certList); - cbparam.certList = NULL; + CERT_DestroyCertList(cbparam.certList); + cbparam.certList = NULL; } PORT_Free(cbparam.email); return cbparam.certList; } - CERTCertList * -PK11_FindCertsFromNickname(const char *nickname, void *wincx) +PK11_FindCertsFromNickname(const char *nickname, void *wincx) { char *nickCopy; char *delimit = NULL; @@ -717,67 +721,69 @@ PK11_FindCertsFromNickname(const char *nickname, void *wincx) /* error code is set */ return NULL; } - if ((delimit = PORT_Strchr(nickCopy,':')) != NULL) { - tokenName = nickCopy; - nickname = delimit + 1; - *delimit = '\0'; - /* find token by name */ - token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName); - if (token) { - slot = PK11_ReferenceSlot(token->pk11slot); - } else { - PORT_SetError(SEC_ERROR_NO_TOKEN); - slot = NULL; - } - *delimit = ':'; + if ((delimit = PORT_Strchr(nickCopy, ':')) != NULL) { + tokenName = nickCopy; + nickname = delimit + 1; + *delimit = '\0'; + /* find token by name */ + token = NSSTrustDomain_FindTokenByName(defaultTD, (NSSUTF8 *)tokenName); + if (token) { + slot = PK11_ReferenceSlot(token->pk11slot); + } else { + PORT_SetError(SEC_ERROR_NO_TOKEN); + slot = NULL; + } + *delimit = ':'; } else { - slot = PK11_GetInternalKeySlot(); - token = PK11Slot_GetNSSToken(slot); + slot = PK11_GetInternalKeySlot(); + token = PK11Slot_GetNSSToken(slot); } if (token) { - PRStatus status; - nssList *nameList; - nssCryptokiObject **instances; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - PK11_FreeSlot(slot); - if (nickCopy) PORT_Free(nickCopy); - return NULL; - } - collection = nssCertificateCollection_Create(defaultTD, NULL); - if (!collection) { - PK11_FreeSlot(slot); - if (nickCopy) PORT_Free(nickCopy); - return NULL; - } - nameList = nssList_Create(NULL, PR_FALSE); - if (!nameList) { - PK11_FreeSlot(slot); - if (nickCopy) PORT_Free(nickCopy); - return NULL; - } - (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, - nickname, - nameList); - transfer_token_certs_to_collection(nameList, token, collection); - instances = nssToken_FindCertificatesByNickname(token, - NULL, - nickname, - tokenOnly, - 0, - &status); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); + PRStatus status; + nssList *nameList; + nssCryptokiObject **instances; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + PK11_FreeSlot(slot); + if (nickCopy) + PORT_Free(nickCopy); + return NULL; + } + collection = nssCertificateCollection_Create(defaultTD, NULL); + if (!collection) { + PK11_FreeSlot(slot); + if (nickCopy) + PORT_Free(nickCopy); + return NULL; + } + nameList = nssList_Create(NULL, PR_FALSE); + if (!nameList) { + PK11_FreeSlot(slot); + if (nickCopy) + PORT_Free(nickCopy); + return NULL; + } + (void)nssTrustDomain_GetCertsForNicknameFromCache(defaultTD, + nickname, + nameList); + transfer_token_certs_to_collection(nameList, token, collection); + instances = nssToken_FindCertificatesByNickname(token, + NULL, + nickname, + tokenOnly, + 0, + &status); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); /* if it wasn't found, repeat the process for email address */ if (nssPKIObjectCollection_Count(collection) == 0 && - PORT_Strchr(nickname, '@') != NULL) - { - char* lowercaseName = CERT_FixupEmailAddr(nickname); + PORT_Strchr(nickname, '@') != NULL) { + char *lowercaseName = CERT_FixupEmailAddr(nickname); if (lowercaseName) { - (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, - lowercaseName, + (void)nssTrustDomain_GetCertsForEmailAddressFromCache(defaultTD, + lowercaseName, nameList); transfer_token_certs_to_collection(nameList, token, collection); instances = nssToken_FindCertificatesByEmail(token, @@ -793,36 +799,37 @@ PK11_FindCertsFromNickname(const char *nickname, void *wincx) } nssList_Destroy(nameList); - foundCerts = nssPKIObjectCollection_GetCertificates(collection, - NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); + foundCerts = nssPKIObjectCollection_GetCertificates(collection, + NULL, 0, NULL); + nssPKIObjectCollection_Destroy(collection); } if (slot) { - PK11_FreeSlot(slot); + PK11_FreeSlot(slot); } - if (nickCopy) PORT_Free(nickCopy); + if (nickCopy) + PORT_Free(nickCopy); if (foundCerts) { - PRTime now = PR_Now(); - certList = CERT_NewCertList(); - for (i=0, c = *foundCerts; c; c = foundCerts[++i]) { - if (certList) { - CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); - /* c may be invalid after this, don't reference it */ - if (certCert) { - /* CERT_AddCertToListSorted adopts certCert */ - CERT_AddCertToListSorted(certList, certCert, - CERT_SortCBValidity, &now); - } - } else { - nssCertificate_Destroy(c); - } - } - if (certList && CERT_LIST_HEAD(certList) == NULL) { - CERT_DestroyCertList(certList); - certList = NULL; - } - /* all the certs have been adopted or freed, free the raw array */ - nss_ZFreeIf(foundCerts); + PRTime now = PR_Now(); + certList = CERT_NewCertList(); + for (i = 0, c = *foundCerts; c; c = foundCerts[++i]) { + if (certList) { + CERTCertificate *certCert = STAN_GetCERTCertificateOrRelease(c); + /* c may be invalid after this, don't reference it */ + if (certCert) { + /* CERT_AddCertToListSorted adopts certCert */ + CERT_AddCertToListSorted(certList, certCert, + CERT_SortCBValidity, &now); + } + } else { + nssCertificate_Destroy(c); + } + } + if (certList && CERT_LIST_HEAD(certList) == NULL) { + CERT_DestroyCertList(certList); + certList = NULL; + } + /* all the certs have been adopted or freed, free the raw array */ + nss_ZFreeIf(foundCerts); } return certList; } @@ -833,30 +840,31 @@ PK11_FindCertsFromNickname(const char *nickname, void *wincx) * pkcs11 to extract the public key (we currently do not), this will break. */ SECItem * -PK11_GetPubIndexKeyID(CERTCertificate *cert) +PK11_GetPubIndexKeyID(CERTCertificate *cert) { SECKEYPublicKey *pubk; SECItem *newItem = NULL; pubk = CERT_ExtractPublicKey(cert); - if (pubk == NULL) return NULL; + if (pubk == NULL) + return NULL; switch (pubk->keyType) { - case rsaKey: - newItem = SECITEM_DupItem(&pubk->u.rsa.modulus); - break; - case dsaKey: - newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue); - break; - case dhKey: - newItem = SECITEM_DupItem(&pubk->u.dh.publicValue); - break; - case ecKey: - newItem = SECITEM_DupItem(&pubk->u.ec.publicValue); - break; - case fortezzaKey: - default: - newItem = NULL; /* Fortezza Fix later... */ + case rsaKey: + newItem = SECITEM_DupItem(&pubk->u.rsa.modulus); + break; + case dsaKey: + newItem = SECITEM_DupItem(&pubk->u.dsa.publicValue); + break; + case dhKey: + newItem = SECITEM_DupItem(&pubk->u.dh.publicValue); + break; + case ecKey: + newItem = SECITEM_DupItem(&pubk->u.ec.publicValue); + break; + case fortezzaKey: + default: + newItem = NULL; /* Fortezza Fix later... */ } SECKEY_DestroyPublicKey(pubk); /* make hash of it */ @@ -867,15 +875,16 @@ PK11_GetPubIndexKeyID(CERTCertificate *cert) * generate a CKA_ID from a certificate. */ SECItem * -pk11_mkcertKeyID(CERTCertificate *cert) +pk11_mkcertKeyID(CERTCertificate *cert) { - SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert) ; + SECItem *pubKeyData = PK11_GetPubIndexKeyID(cert); SECItem *certCKA_ID; - if (pubKeyData == NULL) return NULL; - + if (pubKeyData == NULL) + return NULL; + certCKA_ID = PK11_MakeIDFromPubKey(pubKeyData); - SECITEM_FreeItem(pubKeyData,PR_TRUE); + SECITEM_FreeItem(pubKeyData, PR_TRUE); return certCKA_ID; } @@ -883,9 +892,9 @@ pk11_mkcertKeyID(CERTCertificate *cert) * Write the cert into the token. */ SECStatus -PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, - CK_OBJECT_HANDLE key, const char *nickname, - PRBool includeTrust) +PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, + CK_OBJECT_HANDLE key, const char *nickname, + PRBool includeTrust) { PRStatus status; NSSCertificate *c; @@ -893,54 +902,54 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, NSSToken *token = PK11Slot_GetNSSToken(slot); SECItem *keyID = pk11_mkcertKeyID(cert); char *emailAddr = NULL; - nssCertificateStoreTrace lockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; - nssCertificateStoreTrace unlockTrace = {NULL, NULL, PR_FALSE, PR_FALSE}; + nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; + nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; if (keyID == NULL) { - goto loser; /* error code should be set already */ + goto loser; /* error code should be set already */ } if (!token) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - goto loser; + PORT_SetError(SEC_ERROR_NO_TOKEN); + goto loser; } if (PK11_IsInternal(slot) && cert->emailAddr && cert->emailAddr[0]) { - emailAddr = cert->emailAddr; + emailAddr = cert->emailAddr; } /* need to get the cert as a stan cert */ if (cert->nssCertificate) { - c = cert->nssCertificate; + c = cert->nssCertificate; } else { - c = STAN_GetNSSCertificate(cert); - if (c == NULL) { - goto loser; - } + c = STAN_GetNSSCertificate(cert); + if (c == NULL) { + goto loser; + } } /* set the id for the cert */ nssItem_Create(c->object.arena, &c->id, keyID->len, keyID->data); if (!c->id.data) { - goto loser; + goto loser; } if (key != CK_INVALID_HANDLE) { - /* create an object for the key, ... */ - keyobj = nss_ZNEW(NULL, nssCryptokiObject); - if (!keyobj) { - goto loser; - } - keyobj->token = nssToken_AddRef(token); - keyobj->handle = key; - keyobj->isTokenObject = PR_TRUE; - - /* ... in order to set matching attributes for the key */ - status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname, - &c->id, &c->subject); - nssCryptokiObject_Destroy(keyobj); - if (status != PR_SUCCESS) { - goto loser; - } + /* create an object for the key, ... */ + keyobj = nss_ZNEW(NULL, nssCryptokiObject); + if (!keyobj) { + goto loser; + } + keyobj->token = nssToken_AddRef(token); + keyobj->handle = key; + keyobj->isTokenObject = PR_TRUE; + + /* ... in order to set matching attributes for the key */ + status = nssCryptokiPrivateKey_SetCertificate(keyobj, NULL, nickname, + &c->id, &c->subject); + nssCryptokiObject_Destroy(keyobj); + if (status != PR_SUCCESS) { + goto loser; + } } /* do the token import */ @@ -952,26 +961,26 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, &c->issuer, &c->subject, &c->serial, - emailAddr, + emailAddr, PR_TRUE); if (!certobj) { - if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) { - PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); - SECITEM_FreeItem(keyID,PR_TRUE); - return SECFailure; - } - goto loser; + if (NSS_GetError() == NSS_ERROR_INVALID_CERTIFICATE) { + PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); + SECITEM_FreeItem(keyID, PR_TRUE); + return SECFailure; + } + goto loser; } if (c->object.cryptoContext) { - /* Delete the temp instance */ - NSSCryptoContext *cc = c->object.cryptoContext; - nssCertificateStore_Lock(cc->certStore, &lockTrace); - nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); - nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace); - c->object.cryptoContext = NULL; - cert->istemp = PR_FALSE; - cert->isperm = PR_TRUE; + /* Delete the temp instance */ + NSSCryptoContext *cc = c->object.cryptoContext; + nssCertificateStore_Lock(cc->certStore, &lockTrace); + nssCertificateStore_RemoveCertLOCKED(cc->certStore, c); + nssCertificateStore_Unlock(cc->certStore, &lockTrace, &unlockTrace); + c->object.cryptoContext = NULL; + cert->istemp = PR_FALSE; + cert->isperm = PR_TRUE; } /* add the new instance to the cert, force an update of the @@ -985,30 +994,31 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1); (void)STAN_ForceCERTCertificateUpdate(c); nssCertificate_Destroy(c); - SECITEM_FreeItem(keyID,PR_TRUE); + SECITEM_FreeItem(keyID, PR_TRUE); return SECSuccess; loser: CERT_MapStanError(); - SECITEM_FreeItem(keyID,PR_TRUE); + SECITEM_FreeItem(keyID, PR_TRUE); if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) { - PORT_SetError(SEC_ERROR_ADDING_CERT); + PORT_SetError(SEC_ERROR_ADDING_CERT); } return SECFailure; } SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, - CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust) { CERTCertificate *cert; SECStatus rv; cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), derCert, NULL, PR_FALSE, PR_TRUE); - if (cert == NULL) return SECFailure; + if (cert == NULL) + return SECFailure; rv = PK11_ImportCert(slot, cert, key, nickname, includeTrust); - CERT_DestroyCertificate (cert); + CERT_DestroyCertificate(cert); return rv; } @@ -1016,21 +1026,21 @@ PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, * get a certificate handle, look at the cached handle first.. */ CK_OBJECT_HANDLE -pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, - CK_ATTRIBUTE *theTemplate,int tsize) +pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, + CK_ATTRIBUTE *theTemplate, int tsize) { CK_OBJECT_HANDLE certh; if (cert->slot == slot) { - certh = cert->pkcs11ID; - if ((certh == CK_INVALID_HANDLE) || - (cert->series != slot->series)) { - certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize); - cert->pkcs11ID = certh; - cert->series = slot->series; - } + certh = cert->pkcs11ID; + if ((certh == CK_INVALID_HANDLE) || + (cert->series != slot->series)) { + certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize); + cert->pkcs11ID = certh; + cert->series = slot->series; + } } else { - certh = pk11_FindObjectByTemplate(slot,theTemplate,tsize); + certh = pk11_FindObjectByTemplate(slot, theTemplate, tsize); } return certh; } @@ -1040,24 +1050,25 @@ pk11_getcerthandle(PK11SlotInfo *slot, CERTCertificate *cert, */ SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx) + void *wincx) { int err; CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_VALUE, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE certh; CK_OBJECT_HANDLE keyh; CK_ATTRIBUTE *attrs = theTemplate; PRBool needLogin; SECStatus rv; - PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, + cert->derCert.len); + attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); /* @@ -1065,45 +1076,45 @@ PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, CERTCertificate *cert, */ rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { - return NULL; + return NULL; } - certh = pk11_getcerthandle(slot,cert,theTemplate,tsize); + certh = pk11_getcerthandle(slot, cert, theTemplate, tsize); if (certh == CK_INVALID_HANDLE) { - return NULL; + return NULL; } /* * prevent a login race condition. If slot is logged in between - * our call to pk11_LoginStillRequired and the + * our call to pk11_LoginStillRequired and the * PK11_MatchItem. The matchItem call will either succeed, or - * we will call it one more time after calling PK11_Authenticate + * we will call it one more time after calling PK11_Authenticate * (which is a noop on an authenticated token). */ - needLogin = pk11_LoginStillRequired(slot,wincx); - keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY); + needLogin = pk11_LoginStillRequired(slot, wincx); + keyh = PK11_MatchItem(slot, certh, CKO_PRIVATE_KEY); if ((keyh == CK_INVALID_HANDLE) && needLogin && - (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || - SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) { - /* try it again authenticated */ - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } - keyh = PK11_MatchItem(slot,certh,CKO_PRIVATE_KEY); - } - if (keyh == CK_INVALID_HANDLE) { - return NULL; + (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || + SEC_ERROR_TOKEN_NOT_LOGGED_IN == err)) { + /* try it again authenticated */ + rv = PK11_Authenticate(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + return NULL; + } + keyh = PK11_MatchItem(slot, certh, CKO_PRIVATE_KEY); + } + if (keyh == CK_INVALID_HANDLE) { + return NULL; } return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyh, wincx); -} +} /* * import a cert for a private key we have already generated. Set the label * on both to be the nickname. This is for the Key Gen, orphaned key case. */ PK11SlotInfo * -PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, - void *wincx) +PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, + void *wincx) { PK11SlotList *list; PK11SlotListElement *le; @@ -1115,51 +1126,54 @@ PK11_KeyForCertExists(CERTCertificate *cert, CK_OBJECT_HANDLE *keyPtr, keyID = pk11_mkcertKeyID(cert); /* get them all! */ - list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx); + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, wincx); if ((keyID == NULL) || (list == NULL)) { - if (keyID) SECITEM_FreeItem(keyID,PR_TRUE); - if (list) PK11_FreeSlotList(list); - return NULL; + if (keyID) + SECITEM_FreeItem(keyID, PR_TRUE); + if (list) + PK11_FreeSlotList(list); + return NULL; } /* Look for the slot that holds the Key */ - for (le = list->head ; le; le = le->next) { - /* - * prevent a login race condition. If le->slot is logged in between - * our call to pk11_LoginStillRequired and the - * pk11_FindPrivateKeyFromCertID, the find will either succeed, or - * we will call it one more time after calling PK11_Authenticate - * (which is a noop on an authenticated token). - */ - PRBool needLogin = pk11_LoginStillRequired(le->slot,wincx); - key = pk11_FindPrivateKeyFromCertID(le->slot,keyID); - if ((key == CK_INVALID_HANDLE) && needLogin && - (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || - SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) { - /* authenticate and try again */ - rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); - if (rv != SECSuccess) continue; - key = pk11_FindPrivateKeyFromCertID(le->slot,keyID); - } - if (key != CK_INVALID_HANDLE) { - slot = PK11_ReferenceSlot(le->slot); - if (keyPtr) *keyPtr = key; - break; - } - } - - SECITEM_FreeItem(keyID,PR_TRUE); + for (le = list->head; le; le = le->next) { + /* + * prevent a login race condition. If le->slot is logged in between + * our call to pk11_LoginStillRequired and the + * pk11_FindPrivateKeyFromCertID, the find will either succeed, or + * we will call it one more time after calling PK11_Authenticate + * (which is a noop on an authenticated token). + */ + PRBool needLogin = pk11_LoginStillRequired(le->slot, wincx); + key = pk11_FindPrivateKeyFromCertID(le->slot, keyID); + if ((key == CK_INVALID_HANDLE) && needLogin && + (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || + SEC_ERROR_TOKEN_NOT_LOGGED_IN == err)) { + /* authenticate and try again */ + rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) + continue; + key = pk11_FindPrivateKeyFromCertID(le->slot, keyID); + } + if (key != CK_INVALID_HANDLE) { + slot = PK11_ReferenceSlot(le->slot); + if (keyPtr) + *keyPtr = key; + break; + } + } + + SECITEM_FreeItem(keyID, PR_TRUE); PK11_FreeSlotList(list); return slot; - } /* * import a cert for a private key we have already generated. Set the label * on both to be the nickname. This is for the Key Gen, orphaned key case. */ PK11SlotInfo * -PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, - void *wincx) +PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, + void *wincx) { CERTCertificate *cert; PK11SlotInfo *slot = NULL; @@ -1168,52 +1182,54 @@ PK11_KeyForDERCertExists(SECItem *derCert, CK_OBJECT_HANDLE *keyPtr, * to get the ID attribute. */ cert = CERT_DecodeDERCertificate(derCert, PR_FALSE, NULL); - if (cert == NULL) return NULL; + if (cert == NULL) + return NULL; slot = PK11_KeyForCertExists(cert, keyPtr, wincx); - CERT_DestroyCertificate (cert); + CERT_DestroyCertificate(cert); return slot; } PK11SlotInfo * PK11_ImportCertForKey(CERTCertificate *cert, const char *nickname, - void *wincx) + void *wincx) { PK11SlotInfo *slot = NULL; CK_OBJECT_HANDLE key; - slot = PK11_KeyForCertExists(cert,&key,wincx); + slot = PK11_KeyForCertExists(cert, &key, wincx); if (slot) { - if (PK11_ImportCert(slot,cert,key,nickname,PR_FALSE) != SECSuccess) { - PK11_FreeSlot(slot); - slot = NULL; - } + if (PK11_ImportCert(slot, cert, key, nickname, PR_FALSE) != SECSuccess) { + PK11_FreeSlot(slot); + slot = NULL; + } } else { - PORT_SetError(SEC_ERROR_ADDING_CERT); + PORT_SetError(SEC_ERROR_ADDING_CERT); } return slot; } PK11SlotInfo * -PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,void *wincx) +PK11_ImportDERCertForKey(SECItem *derCert, char *nickname, void *wincx) { CERTCertificate *cert; PK11SlotInfo *slot = NULL; cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), derCert, NULL, PR_FALSE, PR_TRUE); - if (cert == NULL) return NULL; + if (cert == NULL) + return NULL; slot = PK11_ImportCertForKey(cert, nickname, wincx); - CERT_DestroyCertificate (cert); + CERT_DestroyCertificate(cert); return slot; } static CK_OBJECT_HANDLE -pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, - CK_ATTRIBUTE *searchTemplate, int count, void *wincx) +pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, + CK_ATTRIBUTE *searchTemplate, int count, void *wincx) { PK11SlotList *list; PK11SlotListElement *le; @@ -1224,36 +1240,36 @@ pk11_FindCertObjectByTemplate(PK11SlotInfo **slotPtr, *slotPtr = NULL; /* get them all! */ - list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx); + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, wincx); if (list == NULL) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } - /* Look for the slot that holds the Key */ - for (le = list->head ; le; le = le->next) { - rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); - if (rv != SECSuccess) continue; - - certHandle = pk11_FindObjectByTemplate(le->slot,searchTemplate,count); - if (certHandle != CK_INVALID_HANDLE) { - slot = PK11_ReferenceSlot(le->slot); - break; - } + for (le = list->head; le; le = le->next) { + rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) + continue; + + certHandle = pk11_FindObjectByTemplate(le->slot, searchTemplate, count); + if (certHandle != CK_INVALID_HANDLE) { + slot = PK11_ReferenceSlot(le->slot); + break; + } } PK11_FreeSlotList(list); if (slot == NULL) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } *slotPtr = slot; return certHandle; } CERTCertificate * -PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, - CERTIssuerAndSN *issuerSN, void *wincx) +PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, + CERTIssuerAndSN *issuerSN, void *wincx) { CERTCertificate *rvCert = NULL; NSSCertificate *cert = NULL; @@ -1267,20 +1283,19 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, PRStatus status; if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len || - !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || - issuerSN->derIssuer.len > CERT_MAX_DN_BYTES || - issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || + issuerSN->derIssuer.len > CERT_MAX_DN_BYTES || + issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } /* Paranoia */ if (token == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - return NULL; + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; } - /* PKCS#11 needs to use DER-encoded serial numbers. Create a * CERTIssuerAndSN that actually has the encoded value and pass that * to PKCS#11 (and the crypto context). @@ -1289,7 +1304,7 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, &issuerSN->serialNumber, SEC_ASN1_GET(SEC_IntegerTemplate)); if (!derSerial) { - return NULL; + return NULL; } NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer); @@ -1297,44 +1312,44 @@ PK11_FindCertByIssuerAndSNOnToken(PK11SlotInfo *slot, session = nssToken_GetDefaultSession(token); if (!session) { - goto loser; + goto loser; } - instance = nssToken_FindCertificateByIssuerAndSerialNumber(token,session, - &issuer, &serial, nssTokenSearchType_TokenForced, &status); + instance = nssToken_FindCertificateByIssuerAndSerialNumber(token, session, + &issuer, &serial, nssTokenSearchType_TokenForced, &status); SECITEM_FreeItem(derSerial, PR_TRUE); if (!instance) { - goto loser; + goto loser; } object = nssPKIObject_Create(NULL, instance, td, NULL, nssPKIMonitor); if (!object) { - goto loser; + goto loser; } instance = NULL; /* adopted by the previous call */ cert = nssCertificate_Create(object); if (!cert) { - goto loser; + goto loser; } object = NULL; /* adopted by the previous call */ - nssTrustDomain_AddCertsToCache(td, &cert,1); + nssTrustDomain_AddCertsToCache(td, &cert, 1); /* on failure, cert is freed below */ rvCert = STAN_GetCERTCertificate(cert); if (!rvCert) { - goto loser; + goto loser; } return rvCert; loser: if (instance) { - nssCryptokiObject_Destroy(instance); + nssCryptokiObject_Destroy(instance); } if (object) { - nssPKIObject_Destroy(object); + nssPKIObject_Destroy(object); } if (cert) { - nssCertificate_Destroy(cert); + nssCertificate_Destroy(cert); } return NULL; } @@ -1344,28 +1359,28 @@ static PRCallOnceType keyIDHashCallOnce; static PRStatus PR_CALLBACK pk11_keyIDHash_populate(void *wincx) { - CERTCertList *certList; + CERTCertList *certList; CERTCertListNode *node = NULL; - SECItem subjKeyID = {siBuffer, NULL, 0}; - SECItem *slotid = NULL; + SECItem subjKeyID = { siBuffer, NULL, 0 }; + SECItem *slotid = NULL; SECMODModuleList *modules, *mlp; - SECMODListLock *moduleLock; - int i; + SECMODListLock *moduleLock; + int i; certList = PK11_ListCerts(PK11CertListUser, wincx); if (!certList) { - return PR_FAILURE; + return PR_FAILURE; } for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); node = CERT_LIST_NEXT(node)) { - if (CERT_FindSubjectKeyIDExtension(node->cert, - &subjKeyID) == SECSuccess && - subjKeyID.data != NULL) { - cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert); - SECITEM_FreeItem(&subjKeyID, PR_FALSE); - } + if (CERT_FindSubjectKeyIDExtension(node->cert, + &subjKeyID) == SECSuccess && + subjKeyID.data != NULL) { + cert_AddSubjectKeyIDMapping(&subjKeyID, node->cert); + SECITEM_FreeItem(&subjKeyID, PR_FALSE); + } } CERT_DestroyCertList(certList); @@ -1376,26 +1391,26 @@ pk11_keyIDHash_populate(void *wincx) slotid = SECITEM_AllocItem(NULL, NULL, sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID)); if (!slotid) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return PR_FAILURE; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return PR_FAILURE; } moduleLock = SECMOD_GetDefaultModuleListLock(); if (!moduleLock) { - SECITEM_FreeItem(slotid, PR_TRUE); - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return PR_FAILURE; + SECITEM_FreeItem(slotid, PR_TRUE); + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return PR_FAILURE; } SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp; mlp = mlp->next) { - for (i = 0; i < mlp->module->slotCount; i++) { - memcpy(slotid->data, &mlp->module->slots[i]->slotID, - sizeof(CK_SLOT_ID)); - memcpy(&slotid->data[sizeof(CK_SLOT_ID)], &mlp->module->moduleID, - sizeof(SECMODModuleID)); - cert_UpdateSubjectKeyIDSlotCheck(slotid, - mlp->module->slots[i]->series); - } + for (i = 0; i < mlp->module->slotCount; i++) { + memcpy(slotid->data, &mlp->module->slots[i]->slotID, + sizeof(CK_SLOT_ID)); + memcpy(&slotid->data[sizeof(CK_SLOT_ID)], &mlp->module->moduleID, + sizeof(SECMODModuleID)); + cert_UpdateSubjectKeyIDSlotCheck(slotid, + mlp->module->slots[i]->series); + } } SECMOD_ReleaseReadLock(moduleLock); SECITEM_FreeItem(slotid, PR_TRUE); @@ -1411,102 +1426,102 @@ pk11_keyIDHash_populate(void *wincx) * (they should be!) */ static CERTCertificate * -pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, int *rlIndex, void *pwarg) +pk11_FindCertObjectByRecipientNew(PK11SlotInfo *slot, NSSCMSRecipient **recipientlist, + int *rlIndex, void *pwarg) { NSSCMSRecipient *ri = NULL; int i; PRBool tokenRescanDone = PR_FALSE; CERTCertTrust trust; - for (i=0; (ri = recipientlist[i]) != NULL; i++) { - CERTCertificate *cert = NULL; - if (ri->kind == RLSubjKeyID) { - SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); - if (!derCert && !tokenRescanDone) { - /* - * We didn't find the cert by its key ID. If we have slots - * with removable tokens, a failure from - * cert_FindDERCertBySubjectKeyID doesn't necessarily imply - * that the cert is unavailable - the token might simply - * have been inserted after the initial run of - * pk11_keyIDHash_populate (wrapped by PR_CallOnceWithArg), - * or a different token might have been present in that - * slot, initially. Let's check for new tokens... - */ - PK11SlotList *sl = PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE, PR_FALSE, pwarg); - if (sl) { - PK11SlotListElement *le; - SECItem *slotid = SECITEM_AllocItem(NULL, NULL, - sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID)); - if (!slotid) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - PK11_FreeSlotList(sl); - return NULL; - } - for (le = sl->head; le; le = le->next) { - memcpy(slotid->data, &le->slot->slotID, - sizeof(CK_SLOT_ID)); - memcpy(&slotid->data[sizeof(CK_SLOT_ID)], - &le->slot->module->moduleID, - sizeof(SECMODModuleID)); - /* - * Any changes with the slot since our last check? - * If so, re-read the certs in that specific slot. - */ - if (cert_SubjectKeyIDSlotCheckSeries(slotid) - != PK11_GetSlotSeries(le->slot)) { - CERTCertListNode *node = NULL; - SECItem subjKeyID = {siBuffer, NULL, 0}; - CERTCertList *cl = PK11_ListCertsInSlot(le->slot); - if (!cl) { - continue; - } - for (node = CERT_LIST_HEAD(cl); - !CERT_LIST_END(node, cl); - node = CERT_LIST_NEXT(node)) { - if (CERT_IsUserCert(node->cert) && - CERT_FindSubjectKeyIDExtension(node->cert, - &subjKeyID) == SECSuccess) { - if (subjKeyID.data) { - cert_AddSubjectKeyIDMapping(&subjKeyID, - node->cert); - cert_UpdateSubjectKeyIDSlotCheck(slotid, - PK11_GetSlotSeries(le->slot)); - } - SECITEM_FreeItem(&subjKeyID, PR_FALSE); - } - } - CERT_DestroyCertList(cl); - } - } - PK11_FreeSlotList(sl); - SECITEM_FreeItem(slotid, PR_TRUE); - } - /* only check once per message/recipientlist */ - tokenRescanDone = PR_TRUE; - /* do another lookup (hopefully we found that cert...) */ - derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); - } - if (derCert) { - cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg); - SECITEM_FreeItem(derCert, PR_TRUE); - } - } else { - cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, - pwarg); - } - if (cert) { - /* this isn't our cert */ - if (CERT_GetCertTrust(cert, &trust) != SECSuccess || - ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) { - CERT_DestroyCertificate(cert); - continue; - } - ri->slot = PK11_ReferenceSlot(slot); - *rlIndex = i; - return cert; - } + for (i = 0; (ri = recipientlist[i]) != NULL; i++) { + CERTCertificate *cert = NULL; + if (ri->kind == RLSubjKeyID) { + SECItem *derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); + if (!derCert && !tokenRescanDone) { + /* + * We didn't find the cert by its key ID. If we have slots + * with removable tokens, a failure from + * cert_FindDERCertBySubjectKeyID doesn't necessarily imply + * that the cert is unavailable - the token might simply + * have been inserted after the initial run of + * pk11_keyIDHash_populate (wrapped by PR_CallOnceWithArg), + * or a different token might have been present in that + * slot, initially. Let's check for new tokens... + */ + PK11SlotList *sl = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_FALSE, pwarg); + if (sl) { + PK11SlotListElement *le; + SECItem *slotid = SECITEM_AllocItem(NULL, NULL, + sizeof(CK_SLOT_ID) + sizeof(SECMODModuleID)); + if (!slotid) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + PK11_FreeSlotList(sl); + return NULL; + } + for (le = sl->head; le; le = le->next) { + memcpy(slotid->data, &le->slot->slotID, + sizeof(CK_SLOT_ID)); + memcpy(&slotid->data[sizeof(CK_SLOT_ID)], + &le->slot->module->moduleID, + sizeof(SECMODModuleID)); + /* + * Any changes with the slot since our last check? + * If so, re-read the certs in that specific slot. + */ + if (cert_SubjectKeyIDSlotCheckSeries(slotid) != PK11_GetSlotSeries(le->slot)) { + CERTCertListNode *node = NULL; + SECItem subjKeyID = { siBuffer, NULL, 0 }; + CERTCertList *cl = PK11_ListCertsInSlot(le->slot); + if (!cl) { + continue; + } + for (node = CERT_LIST_HEAD(cl); + !CERT_LIST_END(node, cl); + node = CERT_LIST_NEXT(node)) { + if (CERT_IsUserCert(node->cert) && + CERT_FindSubjectKeyIDExtension(node->cert, + &subjKeyID) == SECSuccess) { + if (subjKeyID.data) { + cert_AddSubjectKeyIDMapping(&subjKeyID, + node->cert); + cert_UpdateSubjectKeyIDSlotCheck(slotid, + PK11_GetSlotSeries(le->slot)); + } + SECITEM_FreeItem(&subjKeyID, PR_FALSE); + } + } + CERT_DestroyCertList(cl); + } + } + PK11_FreeSlotList(sl); + SECITEM_FreeItem(slotid, PR_TRUE); + } + /* only check once per message/recipientlist */ + tokenRescanDone = PR_TRUE; + /* do another lookup (hopefully we found that cert...) */ + derCert = cert_FindDERCertBySubjectKeyID(ri->id.subjectKeyID); + } + if (derCert) { + cert = PK11_FindCertFromDERCertItem(slot, derCert, pwarg); + SECITEM_FreeItem(derCert, PR_TRUE); + } + } else { + cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->id.issuerAndSN, + pwarg); + } + if (cert) { + /* this isn't our cert */ + if (CERT_GetCertTrust(cert, &trust) != SECSuccess || + ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) { + CERT_DestroyCertificate(cert); + continue; + } + ri->slot = PK11_ReferenceSlot(slot); + *rlIndex = i; + return cert; + } } *rlIndex = -1; return NULL; @@ -1527,20 +1542,21 @@ pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *winc SECStatus rv; /* get them all! */ - list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx); + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, wincx); if (list == NULL) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } /* Look for the slot that holds the Key */ - for (le = list->head ; le; le = le->next) { - rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); - if (rv != SECSuccess) continue; + for (le = list->head; le; le = le->next) { + rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) + continue; - cert = pk11_FindCertObjectByRecipientNew(le->slot, - recipientlist, rlIndex, wincx); - if (cert) - break; + cert = pk11_FindCertObjectByRecipientNew(le->slot, + recipientlist, rlIndex, wincx); + if (cert) + break; } PK11_FreeSlotList(list); @@ -1553,30 +1569,29 @@ pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *winc * list of recipients. This searches one slot. */ static CERTCertificate * -pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, - SEC_PKCS7RecipientInfo **recipientArray, - SEC_PKCS7RecipientInfo **rip, void *pwarg) +pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, + SEC_PKCS7RecipientInfo **recipientArray, + SEC_PKCS7RecipientInfo **rip, void *pwarg) { SEC_PKCS7RecipientInfo *ri = NULL; CERTCertTrust trust; int i; - for (i=0; (ri = recipientArray[i]) != NULL; i++) { - CERTCertificate *cert; + for (i = 0; (ri = recipientArray[i]) != NULL; i++) { + CERTCertificate *cert; - cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, - pwarg); + cert = PK11_FindCertByIssuerAndSNOnToken(slot, ri->issuerAndSN, + pwarg); if (cert) { - /* this isn't our cert */ - if (CERT_GetCertTrust(cert, &trust) != SECSuccess || - ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) { - CERT_DestroyCertificate(cert); - continue; - } - *rip = ri; - return cert; - } - + /* this isn't our cert */ + if (CERT_GetCertTrust(cert, &trust) != SECSuccess || + ((trust.emailFlags & CERTDB_USER) != CERTDB_USER)) { + CERT_DestroyCertificate(cert); + continue; + } + *rip = ri; + return cert; + } } *rip = NULL; return NULL; @@ -1586,43 +1601,45 @@ pk11_FindCertObjectByRecipient(PK11SlotInfo *slot, * This function is the same as above, but it searches all the slots. */ static CERTCertificate * -pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, - SEC_PKCS7RecipientInfo **recipientArray,SEC_PKCS7RecipientInfo **rip, - void *wincx) +pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, + SEC_PKCS7RecipientInfo **recipientArray, + SEC_PKCS7RecipientInfo **rip, + void *wincx) { PK11SlotList *list; PK11SlotListElement *le; - CERTCertificate * cert = NULL; + CERTCertificate *cert = NULL; PK11SlotInfo *slot = NULL; SECStatus rv; *slotPtr = NULL; /* get them all! */ - list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_TRUE,wincx); + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, wincx); if (list == NULL) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } *rip = NULL; /* Look for the slot that holds the Key */ - for (le = list->head ; le; le = le->next) { - rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); - if (rv != SECSuccess) continue; + for (le = list->head; le; le = le->next) { + rv = pk11_AuthenticateUnfriendly(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) + continue; - cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray, - rip, wincx); - if (cert) { - slot = PK11_ReferenceSlot(le->slot); - break; - } + cert = pk11_FindCertObjectByRecipient(le->slot, recipientArray, + rip, wincx); + if (cert) { + slot = PK11_ReferenceSlot(le->slot); + break; + } } PK11_FreeSlotList(list); if (slot == NULL) { - return NULL; + return NULL; } *slotPtr = slot; PORT_Assert(cert != NULL); @@ -1637,28 +1654,31 @@ pk11_AllFindCertObjectByRecipient(PK11SlotInfo **slotPtr, * the key... */ CERTCertificate * -PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr, - SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip, - SECKEYPrivateKey**privKey, void *wincx) +PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr, + SEC_PKCS7RecipientInfo **array, + SEC_PKCS7RecipientInfo **rip, + SECKEYPrivateKey **privKey, void *wincx) { CERTCertificate *cert = NULL; *privKey = NULL; *slotPtr = NULL; - cert = pk11_AllFindCertObjectByRecipient(slotPtr,array,rip,wincx); + cert = pk11_AllFindCertObjectByRecipient(slotPtr, array, rip, wincx); if (!cert) { - return NULL; + return NULL; } *privKey = PK11_FindKeyByAnyCert(cert, wincx); if (*privKey == NULL) { - goto loser; + goto loser; } return cert; loser: - if (cert) CERT_DestroyCertificate(cert); - if (*slotPtr) PK11_FreeSlot(*slotPtr); + if (cert) + CERT_DestroyCertificate(cert); + if (*slotPtr) + PK11_FreeSlot(*slotPtr); *slotPtr = NULL; return NULL; } @@ -1678,11 +1698,11 @@ PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *win rv = PR_CallOnceWithArg(&keyIDHashCallOnce, pk11_keyIDHash_populate, wincx); if (rv != PR_SUCCESS) - return -1; + return -1; cert = pk11_AllFindCertObjectByRecipientNew(recipientlist, wincx, &rlIndex); if (!cert) { - return -1; + return -1; } rl = recipientlist[rlIndex]; @@ -1691,7 +1711,7 @@ PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *win rl->privkey = PK11_FindKeyByAnyCert(cert, wincx); if (rl->privkey == NULL) { - goto loser; + goto loser; } /* make a cert from the cert handle */ @@ -1699,15 +1719,17 @@ PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *win return rlIndex; loser: - if (cert) CERT_DestroyCertificate(cert); - if (rl->slot) PK11_FreeSlot(rl->slot); + if (cert) + CERT_DestroyCertificate(cert); + if (rl->slot) + PK11_FreeSlot(rl->slot); rl->slot = NULL; return -1; } CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN, - void *wincx) + void *wincx) { CERTCertificate *rvCert = NULL; NSSCertificate *cert; @@ -1716,14 +1738,15 @@ PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN, SECItem *derSerial; if (!issuerSN || !issuerSN->derIssuer.data || !issuerSN->derIssuer.len || - !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || - issuerSN->derIssuer.len > CERT_MAX_DN_BYTES || - issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES ) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + !issuerSN->serialNumber.data || !issuerSN->serialNumber.len || + issuerSN->derIssuer.len > CERT_MAX_DN_BYTES || + issuerSN->serialNumber.len > CERT_MAX_SERIAL_NUMBER_BYTES) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - if (slotPtr) *slotPtr = NULL; + if (slotPtr) + *slotPtr = NULL; /* PKCS#11 needs to use DER-encoded serial numbers. Create a * CERTIssuerAndSN that actually has the encoded value and pass that @@ -1733,45 +1756,46 @@ PK11_FindCertByIssuerAndSN(PK11SlotInfo **slotPtr, CERTIssuerAndSN *issuerSN, &issuerSN->serialNumber, SEC_ASN1_GET(SEC_IntegerTemplate)); if (!derSerial) { - return NULL; + return NULL; } NSSITEM_FROM_SECITEM(&issuer, &issuerSN->derIssuer); NSSITEM_FROM_SECITEM(&serial, derSerial); cc = STAN_GetDefaultCryptoContext(); - cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, - &issuer, - &serial); + cert = NSSCryptoContext_FindCertificateByIssuerAndSerialNumber(cc, + &issuer, + &serial); if (cert) { - SECITEM_FreeItem(derSerial, PR_TRUE); - return STAN_GetCERTCertificateOrRelease(cert); + SECITEM_FreeItem(derSerial, PR_TRUE); + return STAN_GetCERTCertificateOrRelease(cert); } do { - /* free the old cert on retry. Associated slot was not present */ - if (rvCert) { - CERT_DestroyCertificate(rvCert); - rvCert = NULL; - } - - cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber( - STAN_GetDefaultTrustDomain(), - &issuer, - &serial); - if (!cert) { - break; - } - - rvCert = STAN_GetCERTCertificateOrRelease(cert); - if (rvCert == NULL) { - break; - } - - /* Check to see if the cert's token is still there */ + /* free the old cert on retry. Associated slot was not present */ + if (rvCert) { + CERT_DestroyCertificate(rvCert); + rvCert = NULL; + } + + cert = NSSTrustDomain_FindCertificateByIssuerAndSerialNumber( + STAN_GetDefaultTrustDomain(), + &issuer, + &serial); + if (!cert) { + break; + } + + rvCert = STAN_GetCERTCertificateOrRelease(cert); + if (rvCert == NULL) { + break; + } + + /* Check to see if the cert's token is still there */ } while (!PK11_IsPresent(rvCert->slot)); - if (rvCert && slotPtr) *slotPtr = PK11_ReferenceSlot(rvCert->slot); + if (rvCert && slotPtr) + *slotPtr = PK11_ReferenceSlot(rvCert->slot); SECITEM_FreeItem(derSerial, PR_TRUE); return rvCert; @@ -1783,37 +1807,38 @@ PK11_FindObjectForCert(CERTCertificate *cert, void *wincx, PK11SlotInfo **pSlot) CK_OBJECT_HANDLE certHandle; CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE *attr; - CK_ATTRIBUTE searchTemplate[]= { - { CKA_CLASS, NULL, 0 }, - { CKA_VALUE, NULL, 0 }, + CK_ATTRIBUTE searchTemplate[] = { + { CKA_CLASS, NULL, 0 }, + { CKA_VALUE, NULL, 0 }, }; - int templateSize = sizeof(searchTemplate)/sizeof(searchTemplate[0]); + int templateSize = sizeof(searchTemplate) / sizeof(searchTemplate[0]); attr = searchTemplate; - PK11_SETATTRS(attr, CKA_CLASS, &certClass, sizeof(certClass)); attr++; + PK11_SETATTRS(attr, CKA_CLASS, &certClass, sizeof(certClass)); + attr++; PK11_SETATTRS(attr, CKA_VALUE, cert->derCert.data, cert->derCert.len); if (cert->slot) { - certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate, - templateSize); - if (certHandle != CK_INVALID_HANDLE) { - *pSlot = PK11_ReferenceSlot(cert->slot); - return certHandle; - } + certHandle = pk11_getcerthandle(cert->slot, cert, searchTemplate, + templateSize); + if (certHandle != CK_INVALID_HANDLE) { + *pSlot = PK11_ReferenceSlot(cert->slot); + return certHandle; + } } certHandle = pk11_FindCertObjectByTemplate(pSlot, searchTemplate, templateSize, wincx); if (certHandle != CK_INVALID_HANDLE) { - if (cert->slot == NULL) { - cert->slot = PK11_ReferenceSlot(*pSlot); - cert->pkcs11ID = certHandle; - cert->ownSlot = PR_TRUE; - cert->series = cert->slot->series; - } + if (cert->slot == NULL) { + cert->slot = PK11_ReferenceSlot(*pSlot); + cert->pkcs11ID = certHandle; + cert->ownSlot = PR_TRUE; + cert->series = cert->slot->series; + } } - return(certHandle); + return (certHandle); } SECKEYPrivateKey * @@ -1829,31 +1854,31 @@ PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx) certHandle = PK11_FindObjectForCert(cert, wincx, &slot); if (certHandle == CK_INVALID_HANDLE) { - return NULL; + return NULL; } /* * prevent a login race condition. If slot is logged in between - * our call to pk11_LoginStillRequired and the + * our call to pk11_LoginStillRequired and the * PK11_MatchItem. The matchItem call will either succeed, or - * we will call it one more time after calling PK11_Authenticate + * we will call it one more time after calling PK11_Authenticate * (which is a noop on an authenticated token). */ - needLogin = pk11_LoginStillRequired(slot,wincx); - keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY); - if ((keyHandle == CK_INVALID_HANDLE) && needLogin && - (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || - SEC_ERROR_TOKEN_NOT_LOGGED_IN == err ) ) { - /* authenticate and try again */ - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv == SECSuccess) { - keyHandle = PK11_MatchItem(slot,certHandle,CKO_PRIVATE_KEY); - } - } - if (keyHandle != CK_INVALID_HANDLE) { - privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); + needLogin = pk11_LoginStillRequired(slot, wincx); + keyHandle = PK11_MatchItem(slot, certHandle, CKO_PRIVATE_KEY); + if ((keyHandle == CK_INVALID_HANDLE) && needLogin && + (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || + SEC_ERROR_TOKEN_NOT_LOGGED_IN == err)) { + /* authenticate and try again */ + rv = PK11_Authenticate(slot, PR_TRUE, wincx); + if (rv == SECSuccess) { + keyHandle = PK11_MatchItem(slot, certHandle, CKO_PRIVATE_KEY); + } + } + if (keyHandle != CK_INVALID_HANDLE) { + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); } if (slot) { - PK11_FreeSlot(slot); + PK11_FreeSlot(slot); } return privKey; } @@ -1866,12 +1891,12 @@ pk11_FindPubKeyByAnyCert(CERTCertificate *cert, PK11SlotInfo **slot, void *wincx certHandle = PK11_FindObjectForCert(cert, wincx, slot); if (certHandle == CK_INVALID_HANDLE) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } - keyHandle = PK11_MatchItem(*slot,certHandle,CKO_PUBLIC_KEY); - if (keyHandle == CK_INVALID_HANDLE) { - PK11_FreeSlot(*slot); - return CK_INVALID_HANDLE; + keyHandle = PK11_MatchItem(*slot, certHandle, CKO_PUBLIC_KEY); + if (keyHandle == CK_INVALID_HANDLE) { + PK11_FreeSlot(*slot); + return CK_INVALID_HANDLE; } return keyHandle; } @@ -1884,35 +1909,36 @@ PK11_NumberCertsForCertSubject(CERTCertificate *cert) { CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, }; CK_ATTRIBUTE *attr = theTemplate; - int templateSize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int templateSize = sizeof(theTemplate) / sizeof(theTemplate[0]); - PK11_SETATTRS(attr,CKA_CLASS, &certClass, sizeof(certClass)); attr++; - PK11_SETATTRS(attr,CKA_SUBJECT,cert->derSubject.data,cert->derSubject.len); + PK11_SETATTRS(attr, CKA_CLASS, &certClass, sizeof(certClass)); + attr++; + PK11_SETATTRS(attr, CKA_SUBJECT, cert->derSubject.data, cert->derSubject.len); if (cert->slot == NULL) { - PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE,PR_TRUE,NULL); - PK11SlotListElement *le; - int count = 0; + PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_TRUE, NULL); + PK11SlotListElement *le; + int count = 0; - if (!list) { + if (!list) { /* error code is set */ return 0; - } + } - /* loop through all the fortezza tokens */ - for (le = list->head; le; le = le->next) { - count += PK11_NumberObjectsFor(le->slot,theTemplate,templateSize); - } - PK11_FreeSlotList(list); - return count; + /* loop through all the fortezza tokens */ + for (le = list->head; le; le = le->next) { + count += PK11_NumberObjectsFor(le->slot, theTemplate, templateSize); + } + PK11_FreeSlotList(list); + return count; } - return PK11_NumberObjectsFor(cert->slot,theTemplate,templateSize); + return PK11_NumberObjectsFor(cert->slot, theTemplate, templateSize); } /* @@ -1920,27 +1946,26 @@ PK11_NumberCertsForCertSubject(CERTCertificate *cert) */ SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, - SECStatus(* callback)(CERTCertificate*, void *), void *arg) + SECStatus (*callback)(CERTCertificate *, void *), void *arg) { - if(!cert) { - return SECFailure; + if (!cert) { + return SECFailure; } if (cert->slot == NULL) { - PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE,PR_TRUE,NULL); - PK11SlotListElement *le; + PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_TRUE, NULL); + PK11SlotListElement *le; - if (!list) { + if (!list) { /* error code is set */ return SECFailure; - } - /* loop through all the tokens */ - for (le = list->head; le; le = le->next) { - PK11_TraverseCertsForSubjectInSlot(cert,le->slot,callback,arg); - } - PK11_FreeSlotList(list); - return SECSuccess; - + } + /* loop through all the tokens */ + for (le = list->head; le; le = le->next) { + PK11_TraverseCertsForSubjectInSlot(cert, le->slot, callback, arg); + } + PK11_FreeSlotList(list); + return SECSuccess; } return PK11_TraverseCertsForSubjectInSlot(cert, cert->slot, callback, arg); @@ -1948,7 +1973,7 @@ PK11_TraverseCertsForSubject(CERTCertificate *cert, SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, - SECStatus(* callback)(CERTCertificate*, void *), void *arg) + SECStatus (*callback)(CERTCertificate *, void *), void *arg) { PRStatus nssrv = PR_SUCCESS; NSSToken *token; @@ -1963,23 +1988,23 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, NSSITEM_FROM_SECITEM(&subject, &cert->derSubject); token = PK11Slot_GetNSSToken(slot); if (!nssToken_IsPresent(token)) { - return SECSuccess; + return SECSuccess; } collection = nssCertificateCollection_Create(td, NULL); if (!collection) { - return SECFailure; + return SECFailure; } subjectList = nssList_Create(NULL, PR_FALSE); if (!subjectList) { - nssPKIObjectCollection_Destroy(collection); - return SECFailure; + nssPKIObjectCollection_Destroy(collection); + return SECFailure; } - (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, + (void)nssTrustDomain_GetCertsForSubjectFromCache(td, &subject, subjectList); transfer_token_certs_to_collection(subjectList, token, collection); instances = nssToken_FindCertificatesBySubject(token, NULL, - &subject, - tokenOnly, 0, &nssrv); + &subject, + tokenOnly, 0, &nssrv); nssPKIObjectCollection_AddInstances(collection, instances, 0); nss_ZFreeIf(instances); nssList_Destroy(subjectList); @@ -1987,26 +2012,26 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); if (certs) { - CERTCertificate *oldie; - NSSCertificate **cp; - for (cp = certs; *cp; cp++) { - oldie = STAN_GetCERTCertificate(*cp); - if (!oldie) { - continue; - } - if ((*callback)(oldie, arg) != SECSuccess) { - nssrv = PR_FAILURE; - break; - } - } - nssCertificateArray_Destroy(certs); + CERTCertificate *oldie; + NSSCertificate **cp; + for (cp = certs; *cp; cp++) { + oldie = STAN_GetCERTCertificate(*cp); + if (!oldie) { + continue; + } + if ((*callback)(oldie, arg) != SECSuccess) { + nssrv = PR_FAILURE; + break; + } + } + nssCertificateArray_Destroy(certs); } return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; } SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, - SECStatus(* callback)(CERTCertificate*, void *), void *arg) + SECStatus (*callback)(CERTCertificate *, void *), void *arg) { PRStatus nssrv = PR_SUCCESS; NSSToken *token; @@ -2020,29 +2045,29 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; token = PK11Slot_GetNSSToken(slot); if (!nssToken_IsPresent(token)) { - return SECSuccess; + return SECSuccess; } - if (nickname->data[nickname->len-1] != '\0') { - nick = nssUTF8_Create(NULL, nssStringType_UTF8String, - nickname->data, nickname->len); - created = PR_TRUE; + if (nickname->data[nickname->len - 1] != '\0') { + nick = nssUTF8_Create(NULL, nssStringType_UTF8String, + nickname->data, nickname->len); + created = PR_TRUE; } else { - nick = (NSSUTF8 *)nickname->data; + nick = (NSSUTF8 *)nickname->data; } td = STAN_GetDefaultTrustDomain(); collection = nssCertificateCollection_Create(td, NULL); if (!collection) { - goto loser; + goto loser; } nameList = nssList_Create(NULL, PR_FALSE); if (!nameList) { - goto loser; + goto loser; } (void)nssTrustDomain_GetCertsForNicknameFromCache(td, nick, nameList); transfer_token_certs_to_collection(nameList, token, collection); instances = nssToken_FindCertificatesByNickname(token, NULL, - nick, - tokenOnly, 0, &nssrv); + nick, + tokenOnly, 0, &nssrv); nssPKIObjectCollection_AddInstances(collection, instances, 0); nss_ZFreeIf(instances); nssList_Destroy(nameList); @@ -2050,38 +2075,39 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); if (certs) { - CERTCertificate *oldie; - NSSCertificate **cp; - for (cp = certs; *cp; cp++) { - oldie = STAN_GetCERTCertificate(*cp); - if (!oldie) { - continue; - } - if ((*callback)(oldie, arg) != SECSuccess) { - nssrv = PR_FAILURE; - break; - } - } - nssCertificateArray_Destroy(certs); - } - if (created) nss_ZFreeIf(nick); + CERTCertificate *oldie; + NSSCertificate **cp; + for (cp = certs; *cp; cp++) { + oldie = STAN_GetCERTCertificate(*cp); + if (!oldie) { + continue; + } + if ((*callback)(oldie, arg) != SECSuccess) { + nssrv = PR_FAILURE; + break; + } + } + nssCertificateArray_Destroy(certs); + } + if (created) + nss_ZFreeIf(nick); return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; loser: if (created) { - nss_ZFreeIf(nick); + nss_ZFreeIf(nick); } if (collection) { - nssPKIObjectCollection_Destroy(collection); + nssPKIObjectCollection_Destroy(collection); } if (nameList) { - nssList_Destroy(nameList); + nssList_Destroy(nameList); } return SECFailure; } SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, - SECStatus(* callback)(CERTCertificate*, void *), void *arg) + SECStatus (*callback)(CERTCertificate *, void *), void *arg) { PRStatus nssrv; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); @@ -2093,16 +2119,16 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; tok = PK11Slot_GetNSSToken(slot); if (!nssToken_IsPresent(tok)) { - return SECSuccess; + return SECSuccess; } collection = nssCertificateCollection_Create(td, NULL); if (!collection) { - return SECFailure; + return SECFailure; } certList = nssList_Create(NULL, PR_FALSE); if (!certList) { - nssPKIObjectCollection_Destroy(collection); - return SECFailure; + nssPKIObjectCollection_Destroy(collection); + return SECFailure; } (void)nssTrustDomain_GetCertsFromCache(td, certList); transfer_token_certs_to_collection(certList, tok, collection); @@ -2115,65 +2141,70 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot, NULL, 0, NULL); nssPKIObjectCollection_Destroy(collection); if (certs) { - CERTCertificate *oldie; - NSSCertificate **cp; - for (cp = certs; *cp; cp++) { - oldie = STAN_GetCERTCertificate(*cp); - if (!oldie) { - continue; - } - if ((*callback)(oldie, arg) != SECSuccess) { - nssrv = PR_FAILURE; - break; - } - } - nssCertificateArray_Destroy(certs); + CERTCertificate *oldie; + NSSCertificate **cp; + for (cp = certs; *cp; cp++) { + oldie = STAN_GetCERTCertificate(*cp); + if (!oldie) { + continue; + } + if ((*callback)(oldie, arg) != SECSuccess) { + nssrv = PR_FAILURE; + break; + } + } + nssCertificateArray_Destroy(certs); } return (nssrv == PR_SUCCESS) ? SECSuccess : SECFailure; } /* - * return the certificate associated with a derCert + * return the certificate associated with a derCert */ CERTCertificate * PK11_FindCertFromDERCert(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx) + void *wincx) { return PK11_FindCertFromDERCertItem(slot, &cert->derCert, wincx); } CERTCertificate * PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert, - void *wincx) + void *wincx) { NSSDER derCert; NSSToken *tok; nssCryptokiObject *co = NULL; SECStatus rv; + CERTCertificate *cert = NULL; tok = PK11Slot_GetNSSToken(slot); NSSITEM_FROM_SECITEM(&derCert, inDerCert); rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { - PK11_FreeSlot(slot); - return NULL; + PK11_FreeSlot(slot); + return NULL; } co = nssToken_FindCertificateByEncodedCertificate(tok, NULL, &derCert, - nssTokenSearchType_TokenOnly, NULL); + nssTokenSearchType_TokenOnly, NULL); - return co ? PK11_MakeCertFromHandle(slot, co->handle, NULL) : NULL; + if (co) { + cert = PK11_MakeCertFromHandle(slot, co->handle, NULL); + nssCryptokiObject_Destroy(co); + } -} + return cert; +} /* * import a cert for a private key we have already generated. Set the label * on both to be the nickname. */ -static CK_OBJECT_HANDLE -pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx) +static CK_OBJECT_HANDLE +pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, + void *wincx) { SECItem *keyID; CK_OBJECT_HANDLE key; @@ -2181,32 +2212,33 @@ pk11_findKeyObjectByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, PRBool needLogin; int err; - if((slot == NULL) || (cert == NULL)) { - return CK_INVALID_HANDLE; + if ((slot == NULL) || (cert == NULL)) { + return CK_INVALID_HANDLE; } keyID = pk11_mkcertKeyID(cert); - if(keyID == NULL) { - return CK_INVALID_HANDLE; + if (keyID == NULL) { + return CK_INVALID_HANDLE; } /* * prevent a login race condition. If slot is logged in between - * our call to pk11_LoginStillRequired and the + * our call to pk11_LoginStillRequired and the * pk11_FindPrivateKeyFromCerID. The matchItem call will either succeed, or - * we will call it one more time after calling PK11_Authenticate + * we will call it one more time after calling PK11_Authenticate * (which is a noop on an authenticated token). */ - needLogin = pk11_LoginStillRequired(slot,wincx); + needLogin = pk11_LoginStillRequired(slot, wincx); key = pk11_FindPrivateKeyFromCertID(slot, keyID); if ((key == CK_INVALID_HANDLE) && needLogin && - (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || - SEC_ERROR_TOKEN_NOT_LOGGED_IN == err )) { - /* authenticate and try again */ - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv != SECSuccess) goto loser; - key = pk11_FindPrivateKeyFromCertID(slot, keyID); - } + (SSL_ERROR_NO_CERTIFICATE == (err = PORT_GetError()) || + SEC_ERROR_TOKEN_NOT_LOGGED_IN == err)) { + /* authenticate and try again */ + rv = PK11_Authenticate(slot, PR_TRUE, wincx); + if (rv != SECSuccess) + goto loser; + key = pk11_FindPrivateKeyFromCertID(slot, keyID); + } loser: SECITEM_ZfreeItem(keyID, PR_TRUE); @@ -2214,90 +2246,91 @@ loser: } SECKEYPrivateKey * -PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx) +PK11_FindKeyByDERCert(PK11SlotInfo *slot, CERTCertificate *cert, + void *wincx) { CK_OBJECT_HANDLE keyHandle; - if((slot == NULL) || (cert == NULL)) { - return NULL; + if ((slot == NULL) || (cert == NULL)) { + return NULL; } keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx); if (keyHandle == CK_INVALID_HANDLE) { - return NULL; + return NULL; } - return PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,wincx); + return PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); } SECStatus -PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, - char *nickname, - PRBool addCertUsage,void *wincx) +PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, + char *nickname, + PRBool addCertUsage, void *wincx) { CK_OBJECT_HANDLE keyHandle; - if((slot == NULL) || (cert == NULL) || (nickname == NULL)) { - return SECFailure; + if ((slot == NULL) || (cert == NULL) || (nickname == NULL)) { + return SECFailure; } keyHandle = pk11_findKeyObjectByDERCert(slot, cert, wincx); if (keyHandle == CK_INVALID_HANDLE) { - return SECFailure; + return SECFailure; } return PK11_ImportCert(slot, cert, keyHandle, nickname, addCertUsage); -} - +} /* remove when the real version comes out */ -#define SEC_OID_MISSI_KEA 300 /* until we have v3 stuff merged */ +#define SEC_OID_MISSI_KEA 300 /* until we have v3 stuff merged */ PRBool -KEAPQGCompare(CERTCertificate *server,CERTCertificate *cert) { +KEAPQGCompare(CERTCertificate *server, CERTCertificate *cert) +{ /* not implemented */ return PR_FALSE; } PRBool -PK11_FortezzaHasKEA(CERTCertificate *cert) +PK11_FortezzaHasKEA(CERTCertificate *cert) { - /* look at the subject and see if it is a KEA for MISSI key */ - SECOidData *oid; - CERTCertTrust trust; - - if (CERT_GetCertTrust(cert, &trust) != SECSuccess || - ((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) { - return PR_FALSE; - } - - oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm); - if (!oid) { - return PR_FALSE; - } - - return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || - (oid->offset == SEC_OID_MISSI_KEA_DSS) || - (oid->offset == SEC_OID_MISSI_KEA)) ; + /* look at the subject and see if it is a KEA for MISSI key */ + SECOidData *oid; + CERTCertTrust trust; + + if (CERT_GetCertTrust(cert, &trust) != SECSuccess || + ((trust.sslFlags & CERTDB_USER) != CERTDB_USER)) { + return PR_FALSE; + } + + oid = SECOID_FindOID(&cert->subjectPublicKeyInfo.algorithm.algorithm); + if (!oid) { + return PR_FALSE; + } + + return (PRBool)((oid->offset == SEC_OID_MISSI_KEA_DSS_OLD) || + (oid->offset == SEC_OID_MISSI_KEA_DSS) || + (oid->offset == SEC_OID_MISSI_KEA)); } /* * Find a kea cert on this slot that matches the domain of it's peer */ static CERTCertificate -*pk11_GetKEAMate(PK11SlotInfo *slot,CERTCertificate *peer) + * + pk11_GetKEAMate(PK11SlotInfo *slot, CERTCertificate *peer) { int i; CERTCertificate *returnedCert = NULL; - for (i=0; i < slot->cert_count; i++) { - CERTCertificate *cert = slot->cert_array[i]; + for (i = 0; i < slot->cert_count; i++) { + CERTCertificate *cert = slot->cert_array[i]; - if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer,cert)) { - returnedCert = CERT_DupCertificate(cert); - break; - } + if (PK11_FortezzaHasKEA(cert) && KEAPQGCompare(peer, cert)) { + returnedCert = CERT_DupCertificate(cert); + break; + } } return returnedCert; } @@ -2312,7 +2345,7 @@ CERTCertificate * PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx) { PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE, - PR_FALSE,PR_TRUE,wincx); + PR_FALSE, PR_TRUE, wincx); PK11SlotListElement *le; CERTCertificate *returnedCert = NULL; SECStatus rv; @@ -2325,12 +2358,14 @@ PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx) /* loop through all the fortezza tokens */ for (le = keaList->head; le; le = le->next) { rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); - if (rv != SECSuccess) continue; - if (le->slot->session == CK_INVALID_SESSION) { - continue; - } - returnedCert = pk11_GetKEAMate(le->slot,server); - if (returnedCert) break; + if (rv != SECSuccess) + continue; + if (le->slot->session == CK_INVALID_SESSION) { + continue; + } + returnedCert = pk11_GetKEAMate(le->slot, server); + if (returnedCert) + break; } PK11_FreeSlotList(keaList); @@ -2338,27 +2373,27 @@ PK11_FindBestKEAMatch(CERTCertificate *server, void *wincx) } /* - * find a matched pair of kea certs to key exchange parameters from one + * find a matched pair of kea certs to key exchange parameters from one * fortezza card to another as necessary. */ SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2, - CERTCertificate **cert1, CERTCertificate **cert2) + CERTCertificate **cert1, CERTCertificate **cert2) { CERTCertificate *returnedCert = NULL; int i; - for (i=0; i < slot1->cert_count; i++) { - CERTCertificate *cert = slot1->cert_array[i]; + for (i = 0; i < slot1->cert_count; i++) { + CERTCertificate *cert = slot1->cert_array[i]; - if (PK11_FortezzaHasKEA(cert)) { - returnedCert = pk11_GetKEAMate(slot2,cert); - if (returnedCert != NULL) { - *cert2 = returnedCert; - *cert1 = CERT_DupCertificate(cert); - return SECSuccess; - } - } + if (PK11_FortezzaHasKEA(cert)) { + returnedCert = pk11_GetKEAMate(slot2, cert); + if (returnedCert != NULL) { + *cert2 = returnedCert; + *cert1 = CERT_DupCertificate(cert); + return SECSuccess; + } + } } return SECFailure; } @@ -2371,16 +2406,17 @@ PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) { CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_VALUE, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_ATTRIBUTE *attrs = theTemplate; SECStatus rv; PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); attrs++; + cert->derCert.len); + attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); /* @@ -2388,17 +2424,16 @@ PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, void *wincx) */ rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { - return CK_INVALID_HANDLE; + return CK_INVALID_HANDLE; } - return pk11_getcerthandle(slot,cert,theTemplate,tsize); + return pk11_getcerthandle(slot, cert, theTemplate, tsize); } -/* Looking for PK11_GetKeyIDFromCert? +/* Looking for PK11_GetKeyIDFromCert? * Use PK11_GetLowLevelKeyIDForCert instead. */ - struct listCertsStr { PK11CertListType type; CERTCertList *certList; @@ -2418,88 +2453,87 @@ pk11ListCertCallback(NSSCertificate *c, void *arg) SECStatus rv; if ((type == PK11CertListUnique) || (type == PK11CertListRootUnique) || - (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique) ) { + (type == PK11CertListCAUnique) || (type == PK11CertListUserUnique)) { /* only list one instance of each certificate, even if several exist */ - isUnique = PR_TRUE; + isUnique = PR_TRUE; } if ((type == PK11CertListCA) || (type == PK11CertListRootUnique) || (type == PK11CertListCAUnique)) { - isCA = PR_TRUE; + isCA = PR_TRUE; } /* if we want user certs and we don't have one skip this cert */ - if ( ( (type == PK11CertListUser) || (type == PK11CertListUserUnique) ) && - !NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) { - return PR_SUCCESS; + if (((type == PK11CertListUser) || (type == PK11CertListUserUnique)) && + !NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) { + return PR_SUCCESS; } /* PK11CertListRootUnique means we want CA certs without a private key. * This is for legacy app support . PK11CertListCAUnique should be used * instead to get all CA certs, regardless of private key */ - if ((type == PK11CertListRootUnique) && - NSSCertificate_IsPrivateKeyAvailable(c, NULL,NULL)) { - return PR_SUCCESS; + if ((type == PK11CertListRootUnique) && + NSSCertificate_IsPrivateKeyAvailable(c, NULL, NULL)) { + return PR_SUCCESS; } /* caller still owns the reference to 'c' */ newCert = STAN_GetCERTCertificate(c); if (!newCert) { - return PR_SUCCESS; + return PR_SUCCESS; } /* if we want CA certs and it ain't one, skip it */ - if( isCA && (!CERT_IsCACert(newCert, &certType)) ) { - return PR_SUCCESS; + if (isCA && (!CERT_IsCACert(newCert, &certType))) { + return PR_SUCCESS; } if (isUnique) { - CERT_DupCertificate(newCert); - - nickname = STAN_GetCERTCertificateName(certList->arena, c); - - /* put slot certs at the end */ - if (newCert->slot && !PK11_IsInternal(newCert->slot)) { - rv = CERT_AddCertToListTailWithData(certList,newCert,nickname); - } else { - rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname); - } - /* if we didn't add the cert to the list, don't leak it */ - if (rv != SECSuccess) { - CERT_DestroyCertificate(newCert); - } + CERT_DupCertificate(newCert); + + nickname = STAN_GetCERTCertificateName(certList->arena, c); + + /* put slot certs at the end */ + if (newCert->slot && !PK11_IsInternal(newCert->slot)) { + rv = CERT_AddCertToListTailWithData(certList, newCert, nickname); + } else { + rv = CERT_AddCertToListHeadWithData(certList, newCert, nickname); + } + /* if we didn't add the cert to the list, don't leak it */ + if (rv != SECSuccess) { + CERT_DestroyCertificate(newCert); + } } else { - /* add multiple instances to the cert list */ - nssCryptokiObject **ip; - nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object); - if (!instances) { - return PR_SUCCESS; - } - for (ip = instances; *ip; ip++) { - nssCryptokiObject *instance = *ip; - PK11SlotInfo *slot = instance->token->pk11slot; - - /* put the same CERTCertificate in the list for all instances */ - CERT_DupCertificate(newCert); - - nickname = STAN_GetCERTCertificateNameForInstance( - certList->arena, c, instance); - - /* put slot certs at the end */ - if (slot && !PK11_IsInternal(slot)) { - rv = CERT_AddCertToListTailWithData(certList,newCert,nickname); - } else { - rv = CERT_AddCertToListHeadWithData(certList,newCert,nickname); - } - /* if we didn't add the cert to the list, don't leak it */ - if (rv != SECSuccess) { - CERT_DestroyCertificate(newCert); - } - } - nssCryptokiObjectArray_Destroy(instances); + /* add multiple instances to the cert list */ + nssCryptokiObject **ip; + nssCryptokiObject **instances = nssPKIObject_GetInstances(&c->object); + if (!instances) { + return PR_SUCCESS; + } + for (ip = instances; *ip; ip++) { + nssCryptokiObject *instance = *ip; + PK11SlotInfo *slot = instance->token->pk11slot; + + /* put the same CERTCertificate in the list for all instances */ + CERT_DupCertificate(newCert); + + nickname = STAN_GetCERTCertificateNameForInstance( + certList->arena, c, instance); + + /* put slot certs at the end */ + if (slot && !PK11_IsInternal(slot)) { + rv = CERT_AddCertToListTailWithData(certList, newCert, nickname); + } else { + rv = CERT_AddCertToListHeadWithData(certList, newCert, nickname); + } + /* if we didn't add the cert to the list, don't leak it */ + if (rv != SECSuccess) { + CERT_DestroyCertificate(newCert); + } + } + nssCryptokiObjectArray_Destroy(instances); } return PR_SUCCESS; } - CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg) { @@ -2511,23 +2545,23 @@ PK11_ListCerts(PK11CertListType type, void *pwarg) listCerts.certList = certList; /* authenticate to the slots */ - (void) pk11_TraverseAllSlots( NULL, NULL, PR_TRUE, pwarg); + (void)pk11_TraverseAllSlots(NULL, NULL, PR_TRUE, pwarg); NSSTrustDomain_TraverseCertificates(defaultTD, pk11ListCertCallback, - &listCerts); + &listCerts); return certList; } - + SECItem * PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, - CERTCertificate *cert, void *wincx) + CERTCertificate *cert, void *wincx) { CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; CK_ATTRIBUTE theTemplate[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_VALUE, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE certHandle; CK_ATTRIBUTE *attrs = theTemplate; PK11SlotInfo *slotRef = NULL; @@ -2535,29 +2569,31 @@ PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, SECStatus rv; if (slot) { - PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, - cert->derCert.len); attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); - - rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } - certHandle = pk11_getcerthandle(slot,cert,theTemplate,tsize); + PK11_SETATTRS(attrs, CKA_VALUE, cert->derCert.data, + cert->derCert.len); + attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); + + rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + return NULL; + } + certHandle = pk11_getcerthandle(slot, cert, theTemplate, tsize); } else { - certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef); - if (certHandle == CK_INVALID_HANDLE) { - return pk11_mkcertKeyID(cert); - } - slot = slotRef; + certHandle = PK11_FindObjectForCert(cert, wincx, &slotRef); + if (certHandle == CK_INVALID_HANDLE) { + return pk11_mkcertKeyID(cert); + } + slot = slotRef; } if (certHandle == CK_INVALID_HANDLE) { - return NULL; + return NULL; } - item = pk11_GetLowLevelKeyFromHandle(slot,certHandle); - if (slotRef) PK11_FreeSlot(slotRef); + item = pk11_GetLowLevelKeyFromHandle(slot, certHandle); + if (slotRef) + PK11_FreeSlot(slotRef); return item; } @@ -2568,9 +2604,9 @@ typedef struct { } ListCertsArg; static SECStatus -listCertsCallback(CERTCertificate* cert, void*arg) +listCertsCallback(CERTCertificate *cert, void *arg) { - ListCertsArg *cdata = (ListCertsArg*)arg; + ListCertsArg *cdata = (ListCertsArg *)arg; char *nickname = NULL; nssCryptokiObject *instance, **ci; nssCryptokiObject **instances; @@ -2586,25 +2622,25 @@ listCertsCallback(CERTCertificate* cert, void*arg) } instance = NULL; for (ci = instances; *ci; ci++) { - if ((*ci)->token->pk11slot == cdata->slot) { - instance = *ci; - break; - } + if ((*ci)->token->pk11slot == cdata->slot) { + instance = *ci; + break; + } } PORT_Assert(instance != NULL); if (!instance) { - nssCryptokiObjectArray_Destroy(instances); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + nssCryptokiObjectArray_Destroy(instances); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } nickname = STAN_GetCERTCertificateNameForInstance(cdata->list->arena, - c, instance); + c, instance); nssCryptokiObjectArray_Destroy(instances); CERT_DupCertificate(cert); rv = CERT_AddCertToListTailWithData(cdata->list, cert, nickname); if (rv != SECSuccess) { - CERT_DestroyCertificate(cert); + CERT_DestroyCertificate(cert); } return rv; } @@ -2617,16 +2653,17 @@ PK11_ListCertsInSlot(PK11SlotInfo *slot) ListCertsArg cdata; certs = CERT_NewCertList(); - if(certs == NULL) return NULL; + if (certs == NULL) + return NULL; cdata.list = certs; cdata.slot = slot; status = PK11_TraverseCertsInSlot(slot, listCertsCallback, - &cdata); + &cdata); - if( status != SECSuccess ) { - CERT_DestroyCertList(certs); - certs = NULL; + if (status != SECSuccess) { + CERT_DestroyCertList(certs); + certs = NULL; } return certs; @@ -2642,41 +2679,41 @@ PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg) PRBool found = PR_FALSE; if (!cert) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } c = STAN_GetNSSCertificate(cert); if (!c) { - CERT_MapStanError(); - return NULL; + CERT_MapStanError(); + return NULL; } /* add multiple instances to the cert list */ instances = nssPKIObject_GetInstances(&c->object); if (!instances) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - return NULL; + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; } slotList = PK11_NewSlotList(); if (!slotList) { - nssCryptokiObjectArray_Destroy(instances); - return NULL; + nssCryptokiObjectArray_Destroy(instances); + return NULL; } for (ip = instances; *ip; ip++) { - nssCryptokiObject *instance = *ip; - PK11SlotInfo *slot = instance->token->pk11slot; - if (slot) { - PK11_AddSlotToList(slotList, slot, PR_TRUE); - found = PR_TRUE; - } + nssCryptokiObject *instance = *ip; + PK11SlotInfo *slot = instance->token->pk11slot; + if (slot) { + PK11_AddSlotToList(slotList, slot, PR_TRUE); + found = PR_TRUE; + } } if (!found) { - PK11_FreeSlotList(slotList); - PORT_SetError(SEC_ERROR_NO_TOKEN); - slotList = NULL; + PK11_FreeSlotList(slotList); + PORT_SetError(SEC_ERROR_NO_TOKEN); + slotList = NULL; } nssCryptokiObjectArray_Destroy(instances); diff --git a/nss/lib/pk11wrap/pk11cxt.c b/nss/lib/pk11wrap/pk11cxt.c index d626ba7..e9726d0 100644 --- a/nss/lib/pk11wrap/pk11cxt.c +++ b/nss/lib/pk11wrap/pk11cxt.c @@ -2,7 +2,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* - * This file PK11Contexts which are used in multipart hashing, + * This file PK11Contexts which are used in multipart hashing, * encryption/decryption, and signing/verication operations. */ @@ -14,7 +14,7 @@ #include "pkcs11.h" #include "pk11func.h" #include "secitem.h" -#include "secoid.h" +#include "secoid.h" #include "sechash.h" #include "secerr.h" @@ -30,26 +30,28 @@ static const SECItem pk11_null_params = { 0 }; * the monitors... */ void -PK11_EnterContextMonitor(PK11Context *cx) { +PK11_EnterContextMonitor(PK11Context *cx) +{ /* if we own the session and our slot is ThreadSafe, only monitor * the Context */ if ((cx->ownSession) && (cx->slot->isThreadSafe)) { - /* Should this use monitors instead? */ - PZ_Lock(cx->sessionLock); + /* Should this use monitors instead? */ + PZ_Lock(cx->sessionLock); } else { - PK11_EnterSlotMonitor(cx->slot); + PK11_EnterSlotMonitor(cx->slot); } } void -PK11_ExitContextMonitor(PK11Context *cx) { +PK11_ExitContextMonitor(PK11Context *cx) +{ /* if we own the session and our slot is ThreadSafe, only monitor * the Context */ if ((cx->ownSession) && (cx->slot->isThreadSafe)) { - /* Should this use monitors instead? */ - PZ_Unlock(cx->sessionLock); + /* Should this use monitors instead? */ + PZ_Unlock(cx->sessionLock); } else { - PK11_ExitSlotMonitor(cx->slot); + PK11_ExitSlotMonitor(cx->slot); } } @@ -59,51 +61,50 @@ PK11_ExitContextMonitor(PK11Context *cx) { void PK11_DestroyContext(PK11Context *context, PRBool freeit) { - pk11_CloseSession(context->slot,context->session,context->ownSession); + pk11_CloseSession(context->slot, context->session, context->ownSession); /* initialize the critical fields of the context */ - if (context->savedData != NULL ) PORT_Free(context->savedData); - if (context->key) PK11_FreeSymKey(context->key); + if (context->savedData != NULL) + PORT_Free(context->savedData); + if (context->key) + PK11_FreeSymKey(context->key); if (context->param && context->param != &pk11_null_params) - SECITEM_FreeItem(context->param, PR_TRUE); - if (context->sessionLock) PZ_DestroyLock(context->sessionLock); + SECITEM_FreeItem(context->param, PR_TRUE); + if (context->sessionLock) + PZ_DestroyLock(context->sessionLock); PK11_FreeSlot(context->slot); - if (freeit) PORT_Free(context); + if (freeit) + PORT_Free(context); } /* * save the current context. Allocate Space if necessary. */ static unsigned char * -pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, +pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, unsigned long *savedLength) { CK_RV crv; /* If buffer is NULL, this will get the length */ - crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, - (CK_BYTE_PTR)buffer, - savedLength); + crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, (CK_BYTE_PTR)buffer, savedLength); if (!buffer || (crv == CKR_BUFFER_TOO_SMALL)) { - /* the given buffer wasn't big enough (or was NULL), but we - * have the length, so try again with a new buffer and the - * correct length - */ - unsigned long bufLen = *savedLength; - buffer = PORT_Alloc(bufLen); - if (buffer == NULL) { - return (unsigned char *)NULL; - } - crv = PK11_GETTAB(context->slot)->C_GetOperationState( - context->session, - (CK_BYTE_PTR)buffer, - savedLength); - if (crv != CKR_OK) { - PORT_ZFree(buffer, bufLen); - } + /* the given buffer wasn't big enough (or was NULL), but we + * have the length, so try again with a new buffer and the + * correct length + */ + unsigned long bufLen = *savedLength; + buffer = PORT_Alloc(bufLen); + if (buffer == NULL) { + return (unsigned char *)NULL; + } + crv = PK11_GETTAB(context->slot)->C_GetOperationState(context->session, (CK_BYTE_PTR)buffer, savedLength); + if (crv != CKR_OK) { + PORT_ZFree(buffer, bufLen); + } } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return (unsigned char *)NULL; + PORT_SetError(PK11_MapError(crv)); + return (unsigned char *)NULL; } return buffer; } @@ -111,7 +112,7 @@ pk11_saveContextHelper(PK11Context *context, unsigned char *buffer, void * pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength) { - return pk11_saveContextHelper(context, + return pk11_saveContextHelper(context, (unsigned char *)space, savedLength); } @@ -119,24 +120,22 @@ pk11_saveContext(PK11Context *context, void *space, unsigned long *savedLength) * restore the current context */ SECStatus -pk11_restoreContext(PK11Context *context,void *space, unsigned long savedLength) +pk11_restoreContext(PK11Context *context, void *space, unsigned long savedLength) { CK_RV crv; - CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID: - CK_INVALID_HANDLE; + CK_OBJECT_HANDLE objectID = (context->key) ? context->key->objectID : CK_INVALID_HANDLE; PORT_Assert(space != NULL); if (space == NULL) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } - crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session, - (CK_BYTE_PTR)space, savedLength, objectID, 0); + crv = PK11_GETTAB(context->slot)->C_SetOperationState(context->session, (CK_BYTE_PTR)space, savedLength, objectID, 0); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv)); - return SECFailure; - } - return SECSuccess; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; } SECStatus pk11_Finalize(PK11Context *context); @@ -144,7 +143,7 @@ SECStatus pk11_Finalize(PK11Context *context); /* * Context initialization. Used by all flavors of CreateContext */ -static SECStatus +static SECStatus pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info) { CK_RV crv; @@ -152,42 +151,38 @@ pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info) SECStatus rv = SECSuccess; switch (context->operation) { - case CKA_ENCRYPT: - crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session, - mech_info, symKey->objectID); - break; - case CKA_DECRYPT: - if (context->fortezzaHack) { - CK_ULONG count = 0;; - /* generate the IV for fortezza */ - crv=PK11_GETTAB(context->slot)->C_EncryptInit(context->session, - mech_info, symKey->objectID); - if (crv != CKR_OK) break; - PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, - NULL, &count); - } - crv=PK11_GETTAB(context->slot)->C_DecryptInit(context->session, - mech_info, symKey->objectID); - break; - case CKA_SIGN: - crv=PK11_GETTAB(context->slot)->C_SignInit(context->session, - mech_info, symKey->objectID); - break; - case CKA_VERIFY: - crv=PK11_GETTAB(context->slot)->C_SignInit(context->session, - mech_info, symKey->objectID); - break; - case CKA_DIGEST: - crv=PK11_GETTAB(context->slot)->C_DigestInit(context->session, - mech_info); - break; - default: - crv = CKR_OPERATION_NOT_INITIALIZED; - break; + case CKA_ENCRYPT: + crv = PK11_GETTAB(context->slot)->C_EncryptInit(context->session, mech_info, symKey->objectID); + break; + case CKA_DECRYPT: + if (context->fortezzaHack) { + CK_ULONG count = 0; + /* generate the IV for fortezza */ + crv = PK11_GETTAB(context->slot)->C_EncryptInit(context->session, mech_info, symKey->objectID); + if (crv != CKR_OK) + break; + PK11_GETTAB(context->slot) + ->C_EncryptFinal(context->session, + NULL, &count); + } + crv = PK11_GETTAB(context->slot)->C_DecryptInit(context->session, mech_info, symKey->objectID); + break; + case CKA_SIGN: + crv = PK11_GETTAB(context->slot)->C_SignInit(context->session, mech_info, symKey->objectID); + break; + case CKA_VERIFY: + crv = PK11_GETTAB(context->slot)->C_SignInit(context->session, mech_info, symKey->objectID); + break; + case CKA_DIGEST: + crv = PK11_GETTAB(context->slot)->C_DigestInit(context->session, mech_info); + break; + default: + crv = CKR_OPERATION_NOT_INITIALIZED; + break; } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); return SECFailure; } @@ -195,36 +190,37 @@ pk11_context_init(PK11Context *context, CK_MECHANISM *mech_info) * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { - context->savedData = pk11_saveContext(context,context->savedData, - &context->savedLength); - if (context->savedData == NULL) rv = SECFailure; - /* clear out out session for others to use */ - pk11_Finalize(context); + context->savedData = pk11_saveContext(context, context->savedData, + &context->savedLength); + if (context->savedData == NULL) + rv = SECFailure; + /* clear out out session for others to use */ + pk11_Finalize(context); } return rv; } - /* * Common Helper Function do come up with a new context. */ -static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, - PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, - SECItem *param) +static PK11Context * +pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, + PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, + SECItem *param) { CK_MECHANISM mech_info; PK11Context *context; SECStatus rv; - + PORT_Assert(slot != NULL); - if (!slot || (!symKey && ((operation != CKA_DIGEST) || - (type == CKM_SKIPJACK_CBC64)))) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + if (!slot || (!symKey && ((operation != CKA_DIGEST) || + (type == CKM_SKIPJACK_CBC64)))) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - context = (PK11Context *) PORT_Alloc(sizeof(PK11Context)); + context = (PK11Context *)PORT_Alloc(sizeof(PK11Context)); if (context == NULL) { - return NULL; + return NULL; } /* now deal with the fortezza hack... the fortezza hack is an attempt @@ -236,16 +232,16 @@ static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, * of the connection.*/ context->fortezzaHack = PR_FALSE; if (type == CKM_SKIPJACK_CBC64) { - if (symKey->origin == PK11_OriginFortezzaHack) { - context->fortezzaHack = PR_TRUE; - } + if (symKey->origin == PK11_OriginFortezzaHack) { + context->fortezzaHack = PR_TRUE; + } } /* initialize the critical fields of the context */ context->operation = operation; context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; context->slot = PK11_ReferenceSlot(slot); - context->session = pk11_GetNewSession(slot,&context->ownSession); + context->session = pk11_GetNewSession(slot, &context->ownSession); context->cx = symKey ? symKey->cx : NULL; /* get our session */ context->savedData = NULL; @@ -254,64 +250,64 @@ static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, * begins on a single context */ context->type = type; if (param) { - if (param->len > 0) { - context->param = SECITEM_DupItem(param); - } else { - context->param = (SECItem *)&pk11_null_params; - } + if (param->len > 0) { + context->param = SECITEM_DupItem(param); + } else { + context->param = (SECItem *)&pk11_null_params; + } } else { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - context->param = NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + context->param = NULL; } context->init = PR_FALSE; context->sessionLock = PZ_NewLock(nssILockPK11cxt); if ((context->param == NULL) || (context->sessionLock == NULL)) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } mech_info.mechanism = type; mech_info.pParameter = param->data; mech_info.ulParameterLen = param->len; PK11_EnterContextMonitor(context); - rv = pk11_context_init(context,&mech_info); + rv = pk11_context_init(context, &mech_info); PK11_ExitContextMonitor(context); if (rv != SECSuccess) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } context->init = PR_TRUE; return context; } - /* * put together the various PK11_Create_Context calls used by different * parts of libsec. */ PK11Context * __PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, - SECItem *param, void *wincx) + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, + SECItem *param, void *wincx) { PK11SymKey *symKey = NULL; PK11Context *context = NULL; /* first get a slot */ if (slot == NULL) { - slot = PK11_GetBestSlot(type,wincx); - if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - goto loser; - } + slot = PK11_GetBestSlot(type, wincx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + goto loser; + } } else { - PK11_ReferenceSlot(slot); + PK11_ReferenceSlot(slot); } /* now import the key */ - symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx); - if (symKey == NULL) goto loser; + symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx); + if (symKey == NULL) + goto loser; context = PK11_CreateContextBySymKey(type, operation, symKey, param); @@ -328,37 +324,35 @@ loser: PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, - SECItem *param, void *wincx) + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, + SECItem *param, void *wincx) { return __PK11_CreateContextByRawKey(slot, type, origin, operation, key, param, wincx); } - /* * Create a context from a key. We really should make sure we aren't using * the same key in multiple session! */ PK11Context * -PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,CK_ATTRIBUTE_TYPE operation, - PK11SymKey *symKey, SECItem *param) +PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation, + PK11SymKey *symKey, SECItem *param) { PK11SymKey *newKey; PK11Context *context; /* if this slot doesn't support the mechanism, go to a slot that does */ - newKey = pk11_ForceSlot(symKey,type,operation); + newKey = pk11_ForceSlot(symKey, type, operation); if (newKey == NULL) { - PK11_ReferenceSymKey(symKey); + PK11_ReferenceSymKey(symKey); } else { - symKey = newKey; + symKey = newKey; } - /* Context Adopts the symKey.... */ context = pk11_CreateNewContextInSlot(type, symKey->slot, operation, symKey, - param); + param); PK11_FreeSymKey(symKey); return context; } @@ -379,8 +373,8 @@ PK11_CreateDigestContext(SECOidTag hashAlg) type = PK11_AlgtagToMechanism(hashAlg); slot = PK11_GetBestSlot(type, NULL); if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; } /* maybe should really be PK11_GenerateNewParam?? */ @@ -396,60 +390,63 @@ PK11_CreateDigestContext(SECOidTag hashAlg) /* * create a new context which is the clone of the state of old context. */ -PK11Context * PK11_CloneContext(PK11Context *old) +PK11Context * +PK11_CloneContext(PK11Context *old) { - PK11Context *newcx; - PRBool needFree = PR_FALSE; - SECStatus rv = SECSuccess; - void *data; - unsigned long len; + PK11Context *newcx; + PRBool needFree = PR_FALSE; + SECStatus rv = SECSuccess; + void *data; + unsigned long len; - newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation, - old->key, old->param); - if (newcx == NULL) return NULL; + newcx = pk11_CreateNewContextInSlot(old->type, old->slot, old->operation, + old->key, old->param); + if (newcx == NULL) + return NULL; - /* now clone the save state. First we need to find the save state + /* now clone the save state. First we need to find the save state * of the old session. If the old context owns it's session, * the state needs to be saved, otherwise the state is in saveData. */ - if (old->ownSession) { + if (old->ownSession) { PK11_EnterContextMonitor(old); - data=pk11_saveContext(old,NULL,&len); + data = pk11_saveContext(old, NULL, &len); PK11_ExitContextMonitor(old); - needFree = PR_TRUE; - } else { - data = old->savedData; - len = old->savedLength; - } - - if (data == NULL) { - PK11_DestroyContext(newcx,PR_TRUE); - return NULL; - } - - /* now copy that state into our new context. Again we have different + needFree = PR_TRUE; + } else { + data = old->savedData; + len = old->savedLength; + } + + if (data == NULL) { + PK11_DestroyContext(newcx, PR_TRUE); + return NULL; + } + + /* now copy that state into our new context. Again we have different * work if the new context owns it's own session. If it does, we * restore the state gathered above. If it doesn't, we copy the * saveData pointer... */ - if (newcx->ownSession) { + if (newcx->ownSession) { PK11_EnterContextMonitor(newcx); - rv = pk11_restoreContext(newcx,data,len); + rv = pk11_restoreContext(newcx, data, len); PK11_ExitContextMonitor(newcx); - } else { - PORT_Assert(newcx->savedData != NULL); - if ((newcx->savedData == NULL) || (newcx->savedLength < len)) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - rv = SECFailure; - } else { - PORT_Memcpy(newcx->savedData,data,len); - newcx->savedLength = len; - } + } else { + PORT_Assert(newcx->savedData != NULL); + if ((newcx->savedData == NULL) || (newcx->savedLength < len)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + rv = SECFailure; + } else { + PORT_Memcpy(newcx->savedData, data, len); + newcx->savedLength = len; + } } - if (needFree) PORT_Free(data); + if (needFree) + PORT_Free(data); if (rv != SECSuccess) { - PK11_DestroyContext(newcx,PR_TRUE); - return NULL; + PK11_DestroyContext(newcx, PR_TRUE); + return NULL; } return newcx; } @@ -459,30 +456,31 @@ PK11Context * PK11_CloneContext(PK11Context *old) * work. */ SECStatus -PK11_SaveContext(PK11Context *cx,unsigned char *save,int *len, int saveLength) +PK11_SaveContext(PK11Context *cx, unsigned char *save, int *len, int saveLength) { - unsigned char * data = NULL; + unsigned char *data = NULL; CK_ULONG length = saveLength; if (cx->ownSession) { PK11_EnterContextMonitor(cx); - data = pk11_saveContextHelper(cx, save, &length); + data = pk11_saveContextHelper(cx, save, &length); PK11_ExitContextMonitor(cx); - if (data) *len = length; - } else if ((unsigned) saveLength >= cx->savedLength) { - data = (unsigned char*)cx->savedData; - if (cx->savedData) { - PORT_Memcpy(save,cx->savedData,cx->savedLength); - } - *len = cx->savedLength; + if (data) + *len = length; + } else if ((unsigned)saveLength >= cx->savedLength) { + data = (unsigned char *)cx->savedData; + if (cx->savedData) { + PORT_Memcpy(save, cx->savedData, cx->savedLength); + } + *len = cx->savedLength; } if (data != NULL) { - if (cx->ownSession) { - PORT_ZFree(data, length); - } - return SECSuccess; + if (cx->ownSession) { + PORT_ZFree(data, length); + } + return SECSuccess; } else { - return SECFailure; + return SECFailure; } } @@ -497,22 +495,22 @@ PK11_SaveContextAlloc(PK11Context *cx, if (cx->ownSession) { PK11_EnterContextMonitor(cx); - stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length); + stateBuf = pk11_saveContextHelper(cx, preAllocBuf, &length); PK11_ExitContextMonitor(cx); - *stateLen = (stateBuf != NULL) ? length : 0; + *stateLen = (stateBuf != NULL) ? length : 0; } else { - if (pabLen < cx->savedLength) { - stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength); - if (!stateBuf) { - return (unsigned char *)NULL; - } - } else { - stateBuf = preAllocBuf; - } - if (cx->savedData) { - PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength); - } - *stateLen = cx->savedLength; + if (pabLen < cx->savedLength) { + stateBuf = (unsigned char *)PORT_Alloc(cx->savedLength); + if (!stateBuf) { + return (unsigned char *)NULL; + } + } else { + stateBuf = preAllocBuf; + } + if (cx->savedData) { + PORT_Memcpy(stateBuf, cx->savedData, cx->savedLength); + } + *stateLen = cx->savedLength; } return stateBuf; } @@ -522,23 +520,23 @@ PK11_SaveContextAlloc(PK11Context *cx, * FORTEZZA . */ SECStatus -PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len) +PK11_RestoreContext(PK11Context *cx, unsigned char *save, int len) { SECStatus rv = SECSuccess; if (cx->ownSession) { PK11_EnterContextMonitor(cx); - pk11_Finalize(cx); - rv = pk11_restoreContext(cx,save,len); + pk11_Finalize(cx); + rv = pk11_restoreContext(cx, save, len); PK11_ExitContextMonitor(cx); } else { - PORT_Assert(cx->savedData != NULL); - if ((cx->savedData == NULL) || (cx->savedLength < (unsigned) len)) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - rv = SECFailure; - } else { - PORT_Memcpy(cx->savedData,save,len); - cx->savedLength = len; - } + PORT_Assert(cx->savedData != NULL); + if ((cx->savedData == NULL) || (cx->savedLength < (unsigned)len)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + rv = SECFailure; + } else { + PORT_Memcpy(cx->savedData, save, len); + cx->savedLength = len; + } } return rv; } @@ -549,27 +547,28 @@ PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len) * if we can't get a PK11 Context. */ PRBool -PK11_HashOK(SECOidTag algID) { +PK11_HashOK(SECOidTag algID) +{ PK11Context *cx; cx = PK11_CreateDigestContext(algID); - if (cx == NULL) return PR_FALSE; + if (cx == NULL) + return PR_FALSE; PK11_DestroyContext(cx, PR_TRUE); return PR_TRUE; } - - /* * start a new digesting or Mac'ing operation on this context */ -SECStatus PK11_DigestBegin(PK11Context *cx) +SECStatus +PK11_DigestBegin(PK11Context *cx) { CK_MECHANISM mech_info; SECStatus rv; if (cx->init == PR_TRUE) { - return SECSuccess; + return SECSuccess; } /* @@ -581,11 +580,11 @@ SECStatus PK11_DigestBegin(PK11Context *cx) mech_info.mechanism = cx->type; mech_info.pParameter = cx->param->data; mech_info.ulParameterLen = cx->param->len; - rv = pk11_context_init(cx,&mech_info); + rv = pk11_context_init(cx, &mech_info); PK11_ExitContextMonitor(cx); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } cx->init = PR_TRUE; return SECSuccess; @@ -593,7 +592,8 @@ SECStatus PK11_DigestBegin(PK11Context *cx) SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, const unsigned char *in, - PRInt32 len) { + PRInt32 len) +{ PK11Context *context; unsigned int max_length; unsigned int out_length; @@ -606,42 +606,42 @@ PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, const unsigned char *in, } context = PK11_CreateDigestContext(hashAlg); - if (context == NULL) return SECFailure; + if (context == NULL) + return SECFailure; rv = PK11_DigestBegin(context); if (rv != SECSuccess) { - PK11_DestroyContext(context, PR_TRUE); - return rv; + PK11_DestroyContext(context, PR_TRUE); + return rv; } rv = PK11_DigestOp(context, in, len); if (rv != SECSuccess) { - PK11_DestroyContext(context, PR_TRUE); - return rv; + PK11_DestroyContext(context, PR_TRUE); + return rv; } /* XXX This really should have been an argument to this function! */ max_length = HASH_ResultLenByOidTag(hashAlg); PORT_Assert(max_length); if (!max_length) - max_length = HASH_LENGTH_MAX; + max_length = HASH_LENGTH_MAX; - rv = PK11_DigestFinal(context,out,&out_length,max_length); + rv = PK11_DigestFinal(context, out, &out_length, max_length); PK11_DestroyContext(context, PR_TRUE); return rv; } - /* * execute a bulk encryption operation */ SECStatus -PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, - int maxout, const unsigned char *in, int inlen) +PK11_CipherOp(PK11Context *context, unsigned char *out, int *outlen, + int maxout, const unsigned char *in, int inlen) { CK_RV crv = CKR_OK; CK_ULONG length = maxout; - CK_ULONG offset =0; + CK_ULONG offset = 0; SECStatus rv = SECSuccess; unsigned char *saveOut = out; unsigned char *allocOut = NULL; @@ -651,12 +651,12 @@ PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, */ PK11_EnterContextMonitor(context); if (!context->ownSession) { - rv = pk11_restoreContext(context,context->savedData, - context->savedLength); - if (rv != SECSuccess) { - PK11_ExitContextMonitor(context); - return rv; - } + rv = pk11_restoreContext(context, context->savedData, + context->savedLength); + if (rv != SECSuccess) { + PK11_ExitContextMonitor(context); + return rv; + } } /* @@ -664,82 +664,77 @@ PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, * lose them on the first decrypt. */ if (context->fortezzaHack) { - unsigned char random[8]; - if (context->operation == CKA_ENCRYPT) { - PK11_ExitContextMonitor(context); - rv = PK11_GenerateRandom(random,sizeof(random)); - PK11_EnterContextMonitor(context); - - /* since we are offseting the output, we can't encrypt back into - * the same buffer... allocate a temporary buffer just for this - * call. */ - allocOut = out = (unsigned char*)PORT_Alloc(maxout); - if (out == NULL) { - PK11_ExitContextMonitor(context); - return SECFailure; - } - crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, - random,sizeof(random),out,&length); - - out += length; - maxout -= length; - offset = length; - } else if (context->operation == CKA_DECRYPT) { - length = sizeof(random); - crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, - (CK_BYTE_PTR)in,sizeof(random),random,&length); - inlen -= length; - in += length; - context->fortezzaHack = PR_FALSE; - } + unsigned char random[8]; + if (context->operation == CKA_ENCRYPT) { + PK11_ExitContextMonitor(context); + rv = PK11_GenerateRandom(random, sizeof(random)); + PK11_EnterContextMonitor(context); + + /* since we are offseting the output, we can't encrypt back into + * the same buffer... allocate a temporary buffer just for this + * call. */ + allocOut = out = (unsigned char *)PORT_Alloc(maxout); + if (out == NULL) { + PK11_ExitContextMonitor(context); + return SECFailure; + } + crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, random, sizeof(random), out, &length); + + out += length; + maxout -= length; + offset = length; + } else if (context->operation == CKA_DECRYPT) { + length = sizeof(random); + crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, (CK_BYTE_PTR)in, sizeof(random), random, &length); + inlen -= length; + in += length; + context->fortezzaHack = PR_FALSE; + } } switch (context->operation) { - case CKA_ENCRYPT: - length = maxout; - crv=PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, - (CK_BYTE_PTR)in, inlen, - out, &length); - length += offset; - break; - case CKA_DECRYPT: - length = maxout; - crv=PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, - (CK_BYTE_PTR)in, inlen, - out, &length); - break; - default: - crv = CKR_OPERATION_NOT_INITIALIZED; - break; + case CKA_ENCRYPT: + length = maxout; + crv = PK11_GETTAB(context->slot)->C_EncryptUpdate(context->session, (CK_BYTE_PTR)in, inlen, out, &length); + length += offset; + break; + case CKA_DECRYPT: + length = maxout; + crv = PK11_GETTAB(context->slot)->C_DecryptUpdate(context->session, (CK_BYTE_PTR)in, inlen, out, &length); + break; + default: + crv = CKR_OPERATION_NOT_INITIALIZED; + break; } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - *outlen = 0; + PORT_SetError(PK11_MapError(crv)); + *outlen = 0; rv = SECFailure; } else { - *outlen = length; + *outlen = length; } if (context->fortezzaHack) { - if (context->operation == CKA_ENCRYPT) { - PORT_Assert(allocOut); - PORT_Memcpy(saveOut, allocOut, length); - PORT_Free(allocOut); - } - context->fortezzaHack = PR_FALSE; + if (context->operation == CKA_ENCRYPT) { + PORT_Assert(allocOut); + PORT_Memcpy(saveOut, allocOut, length); + PORT_Free(allocOut); + } + context->fortezzaHack = PR_FALSE; } /* * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { - context->savedData = pk11_saveContext(context,context->savedData, - &context->savedLength); - if (context->savedData == NULL) rv = SECFailure; - - /* clear out out session for others to use */ - pk11_Finalize(context); + context->savedData = pk11_saveContext(context, context->savedData, + &context->savedLength); + if (context->savedData == NULL) + rv = SECFailure; + + /* clear out out session for others to use */ + pk11_Finalize(context); } PK11_ExitContextMonitor(context); return rv; @@ -749,7 +744,7 @@ PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, * execute a digest/signature operation */ SECStatus -PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) +PK11_DigestOp(PK11Context *context, const unsigned char *in, unsigned inLen) { CK_RV crv = CKR_OK; SECStatus rv = SECSuccess; @@ -768,38 +763,32 @@ PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) context->init = PR_FALSE; PK11_EnterContextMonitor(context); if (!context->ownSession) { - rv = pk11_restoreContext(context,context->savedData, - context->savedLength); - if (rv != SECSuccess) { - PK11_ExitContextMonitor(context); - return rv; - } + rv = pk11_restoreContext(context, context->savedData, + context->savedLength); + if (rv != SECSuccess) { + PK11_ExitContextMonitor(context); + return rv; + } } switch (context->operation) { - /* also for MAC'ing */ - case CKA_SIGN: - crv=PK11_GETTAB(context->slot)->C_SignUpdate(context->session, - (unsigned char *)in, - inLen); - break; - case CKA_VERIFY: - crv=PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session, - (unsigned char *)in, - inLen); - break; - case CKA_DIGEST: - crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, - (unsigned char *)in, - inLen); - break; - default: - crv = CKR_OPERATION_NOT_INITIALIZED; - break; + /* also for MAC'ing */ + case CKA_SIGN: + crv = PK11_GETTAB(context->slot)->C_SignUpdate(context->session, (unsigned char *)in, inLen); + break; + case CKA_VERIFY: + crv = PK11_GETTAB(context->slot)->C_VerifyUpdate(context->session, (unsigned char *)in, inLen); + break; + case CKA_DIGEST: + crv = PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, (unsigned char *)in, inLen); + break; + default: + crv = CKR_OPERATION_NOT_INITIALIZED; + break; } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); rv = SECFailure; } @@ -807,12 +796,13 @@ PK11_DigestOp(PK11Context *context, const unsigned char * in, unsigned inLen) * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { - context->savedData = pk11_saveContext(context,context->savedData, - &context->savedLength); - if (context->savedData == NULL) rv = SECFailure; - - /* clear out out session for others to use */ - pk11_Finalize(context); + context->savedData = pk11_saveContext(context, context->savedData, + &context->savedLength); + if (context->savedData == NULL) + rv = SECFailure; + + /* clear out out session for others to use */ + pk11_Finalize(context); } PK11_ExitContextMonitor(context); return rv; @@ -837,37 +827,34 @@ PK11_DigestKey(PK11Context *context, PK11SymKey *key) * state. */ if (context->slot != key->slot) { - newKey = pk11_CopyToSlot(context->slot,CKM_SSL3_SHA1_MAC,CKA_SIGN,key); + newKey = pk11_CopyToSlot(context->slot, CKM_SSL3_SHA1_MAC, CKA_SIGN, key); } else { - newKey = PK11_ReferenceSymKey(key); + newKey = PK11_ReferenceSymKey(key); } context->init = PR_FALSE; PK11_EnterContextMonitor(context); if (!context->ownSession) { - rv = pk11_restoreContext(context,context->savedData, - context->savedLength); - if (rv != SECSuccess) { - PK11_ExitContextMonitor(context); + rv = pk11_restoreContext(context, context->savedData, + context->savedLength); + if (rv != SECSuccess) { + PK11_ExitContextMonitor(context); PK11_FreeSymKey(newKey); - return rv; - } + return rv; + } } - if (newKey == NULL) { - crv = CKR_KEY_TYPE_INCONSISTENT; - if (key->data.data) { - crv=PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, - key->data.data,key->data.len); - } + crv = CKR_KEY_TYPE_INCONSISTENT; + if (key->data.data) { + crv = PK11_GETTAB(context->slot)->C_DigestUpdate(context->session, key->data.data, key->data.len); + } } else { - crv=PK11_GETTAB(context->slot)->C_DigestKey(context->session, - newKey->objectID); + crv = PK11_GETTAB(context->slot)->C_DigestKey(context->session, newKey->objectID); } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); rv = SECFailure; } @@ -875,15 +862,17 @@ PK11_DigestKey(PK11Context *context, PK11SymKey *key) * handle session starvation case.. use our last session to multiplex */ if (!context->ownSession) { - context->savedData = pk11_saveContext(context,context->savedData, - &context->savedLength); - if (context->savedData == NULL) rv = SECFailure; - - /* clear out out session for others to use */ - pk11_Finalize(context); + context->savedData = pk11_saveContext(context, context->savedData, + &context->savedLength); + if (context->savedData == NULL) + rv = SECFailure; + + /* clear out out session for others to use */ + pk11_Finalize(context); } PK11_ExitContextMonitor(context); - if (newKey) PK11_FreeSymKey(newKey); + if (newKey) + PK11_FreeSymKey(newKey); return rv; } @@ -891,7 +880,8 @@ PK11_DigestKey(PK11Context *context, PK11SymKey *key) * externally callable version of the lowercase pk11_finalize(). */ SECStatus -PK11_Finalize(PK11Context *context) { +PK11_Finalize(PK11Context *context) +{ SECStatus rv; PK11_EnterContextMonitor(context); @@ -913,63 +903,58 @@ pk11_Finalize(PK11Context *context) unsigned char *buffer = NULL; if (!context->ownSession) { - return SECSuccess; + return SECSuccess; } finalize: switch (context->operation) { - case CKA_ENCRYPT: - crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, - buffer, &count); - break; - case CKA_DECRYPT: - crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, - buffer, &count); - break; - case CKA_SIGN: - crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session, - buffer, &count); - break; - case CKA_VERIFY: - crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, - buffer, count); - break; - case CKA_DIGEST: - crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session, - buffer, &count); - break; - default: - crv = CKR_OPERATION_NOT_INITIALIZED; - break; + case CKA_ENCRYPT: + crv = PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, buffer, &count); + break; + case CKA_DECRYPT: + crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, buffer, &count); + break; + case CKA_SIGN: + crv = PK11_GETTAB(context->slot)->C_SignFinal(context->session, buffer, &count); + break; + case CKA_VERIFY: + crv = PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, buffer, count); + break; + case CKA_DIGEST: + crv = PK11_GETTAB(context->slot)->C_DigestFinal(context->session, buffer, &count); + break; + default: + crv = CKR_OPERATION_NOT_INITIALIZED; + break; } if (crv != CKR_OK) { - if (buffer != stackBuf) { - PORT_Free(buffer); - } - if (crv == CKR_OPERATION_NOT_INITIALIZED) { - /* if there's no operation, it is finalized */ - return SECSuccess; - } - PORT_SetError( PK11_MapError(crv) ); + if (buffer != stackBuf) { + PORT_Free(buffer); + } + if (crv == CKR_OPERATION_NOT_INITIALIZED) { + /* if there's no operation, it is finalized */ + return SECSuccess; + } + PORT_SetError(PK11_MapError(crv)); return SECFailure; } /* try to finalize the session with a buffer */ - if (buffer == NULL) { - if (count <= sizeof stackBuf) { - buffer = stackBuf; - } else { - buffer = PORT_Alloc(count); - if (buffer == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } - } - goto finalize; + if (buffer == NULL) { + if (count <= sizeof stackBuf) { + buffer = stackBuf; + } else { + buffer = PORT_Alloc(count); + if (buffer == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + } + goto finalize; } if (buffer != stackBuf) { - PORT_Free(buffer); + PORT_Free(buffer); } return SECSuccess; } @@ -980,63 +965,55 @@ finalize: * either out of an arena or out of the standard heap. */ SECStatus -PK11_DigestFinal(PK11Context *context,unsigned char *data, - unsigned int *outLen, unsigned int length) +PK11_DigestFinal(PK11Context *context, unsigned char *data, + unsigned int *outLen, unsigned int length) { CK_ULONG len; CK_RV crv; SECStatus rv; - /* if we ran out of session, we need to restore our previously stored * state. */ PK11_EnterContextMonitor(context); if (!context->ownSession) { - rv = pk11_restoreContext(context,context->savedData, - context->savedLength); - if (rv != SECSuccess) { - PK11_ExitContextMonitor(context); - return rv; - } + rv = pk11_restoreContext(context, context->savedData, + context->savedLength); + if (rv != SECSuccess) { + PK11_ExitContextMonitor(context); + return rv; + } } len = length; switch (context->operation) { - case CKA_SIGN: - crv=PK11_GETTAB(context->slot)->C_SignFinal(context->session, - data,&len); - break; - case CKA_VERIFY: - crv=PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, - data,len); - break; - case CKA_DIGEST: - crv=PK11_GETTAB(context->slot)->C_DigestFinal(context->session, - data,&len); - break; - case CKA_ENCRYPT: - crv=PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, - data, &len); - break; - case CKA_DECRYPT: - crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, - data, &len); - break; - default: - crv = CKR_OPERATION_NOT_INITIALIZED; - break; + case CKA_SIGN: + crv = PK11_GETTAB(context->slot)->C_SignFinal(context->session, data, &len); + break; + case CKA_VERIFY: + crv = PK11_GETTAB(context->slot)->C_VerifyFinal(context->session, data, len); + break; + case CKA_DIGEST: + crv = PK11_GETTAB(context->slot)->C_DigestFinal(context->session, data, &len); + break; + case CKA_ENCRYPT: + crv = PK11_GETTAB(context->slot)->C_EncryptFinal(context->session, data, &len); + break; + case CKA_DECRYPT: + crv = PK11_GETTAB(context->slot)->C_DecryptFinal(context->session, data, &len); + break; + default: + crv = CKR_OPERATION_NOT_INITIALIZED; + break; } PK11_ExitContextMonitor(context); - *outLen = (unsigned int) len; + *outLen = (unsigned int)len; context->init = PR_FALSE; /* allow Begin to start up again */ - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } - diff --git a/nss/lib/pk11wrap/pk11err.c b/nss/lib/pk11wrap/pk11err.c index 7d9ab92..db6d244 100644 --- a/nss/lib/pk11wrap/pk11err.c +++ b/nss/lib/pk11wrap/pk11err.c @@ -1,7 +1,7 @@ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* +/* * this file maps PKCS11 Errors into SECErrors * This is an information reducing process, since most errors are reflected * back to the user (the user doesn't care about invalid flags, or active @@ -18,118 +18,124 @@ #include "secerr.h" #include "prerror.h" -#ifdef PK11_ERROR_USE_ARRAY +#ifdef PK11_ERROR_USE_ARRAY /* * build a static array of entries... */ static struct { - CK_RV pk11_error; - int sec_error; + CK_RV pk11_error; + int sec_error; } pk11_error_map = { -#define MAPERROR(x,y) {x, y}, +#define MAPERROR(x, y) { x, y }, #else /* the default is to use a big switch statement */ int -PK11_MapError(CK_RV rv) { +PK11_MapError(CK_RV rv) +{ - switch (rv) { -#define MAPERROR(x,y) case x: return y; + switch (rv) { +#define MAPERROR(x, y) \ + case x: \ + return y; #endif -/* the guts mapping */ - MAPERROR(CKR_OK, 0) - MAPERROR(CKR_CANCEL, SEC_ERROR_IO) - MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY) - MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_ARGUMENTS_BAD, SEC_ERROR_INVALID_ARGS) - MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY) - MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */ - MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_BUFFER_TOO_SMALL, SEC_ERROR_OUTPUT_LEN) - MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_INPUT_LEN) - MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_PKCS11_DEVICE_ERROR) - MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY) - MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN) - MAPERROR(CKR_DOMAIN_PARAMS_INVALID, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_FUNCTION_FAILED, SEC_ERROR_PKCS11_FUNCTION_FAILED) - MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_FUNCTION_NOT_SUPPORTED, PR_NOT_IMPLEMENTED_ERROR) - MAPERROR(CKR_GENERAL_ERROR, SEC_ERROR_PKCS11_GENERAL_ERROR) - MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_INVALID_ALGORITHM) - MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_NO_EVENT, SEC_ERROR_NO_EVENT) - MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_OPERATION_NOT_INITIALIZED,SEC_ERROR_LIBRARY_FAILURE ) - MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD) - MAPERROR(CKR_PIN_INVALID, SEC_ERROR_INVALID_PASSWORD) - MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_INVALID_PASSWORD) - MAPERROR(CKR_PIN_EXPIRED, SEC_ERROR_EXPIRED_PASSWORD) - MAPERROR(CKR_PIN_LOCKED, SEC_ERROR_LOCKED_PASSWORD) - MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */ - MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_READ_ONLY) - MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE) - MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE) - MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA) - MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN) - MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO) - MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY) - MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0) - MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_TOKEN_NOT_LOGGED_IN) - MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN) - MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) - MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE) - MAPERROR(CKR_NETSCAPE_CERTDB_FAILED, SEC_ERROR_BAD_DATABASE) - MAPERROR(CKR_NETSCAPE_KEYDB_FAILED, SEC_ERROR_BAD_DATABASE) - MAPERROR(CKR_CANT_LOCK, SEC_ERROR_INCOMPATIBLE_PKCS11) + /* the guts mapping */ + /* clang-format off */ + MAPERROR(CKR_OK, 0) + MAPERROR(CKR_CANCEL, SEC_ERROR_IO) + MAPERROR(CKR_HOST_MEMORY, SEC_ERROR_NO_MEMORY) + MAPERROR(CKR_SLOT_ID_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_ARGUMENTS_BAD, SEC_ERROR_INVALID_ARGS) + MAPERROR(CKR_ATTRIBUTE_READ_ONLY, SEC_ERROR_READ_ONLY) + MAPERROR(CKR_ATTRIBUTE_SENSITIVE, SEC_ERROR_IO) /* XX SENSITIVE */ + MAPERROR(CKR_ATTRIBUTE_TYPE_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_ATTRIBUTE_VALUE_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_BUFFER_TOO_SMALL, SEC_ERROR_OUTPUT_LEN) + MAPERROR(CKR_DATA_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_DATA_LEN_RANGE, SEC_ERROR_INPUT_LEN) + MAPERROR(CKR_DEVICE_ERROR, SEC_ERROR_PKCS11_DEVICE_ERROR) + MAPERROR(CKR_DEVICE_MEMORY, SEC_ERROR_NO_MEMORY) + MAPERROR(CKR_DEVICE_REMOVED, SEC_ERROR_NO_TOKEN) + MAPERROR(CKR_DOMAIN_PARAMS_INVALID, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_ENCRYPTED_DATA_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_ENCRYPTED_DATA_LEN_RANGE, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_FUNCTION_CANCELED, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_FUNCTION_FAILED, SEC_ERROR_PKCS11_FUNCTION_FAILED) + MAPERROR(CKR_FUNCTION_NOT_PARALLEL, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_FUNCTION_NOT_SUPPORTED, PR_NOT_IMPLEMENTED_ERROR) + MAPERROR(CKR_GENERAL_ERROR, SEC_ERROR_PKCS11_GENERAL_ERROR) + MAPERROR(CKR_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_MECHANISM_INVALID, SEC_ERROR_INVALID_ALGORITHM) + MAPERROR(CKR_MECHANISM_PARAM_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_NO_EVENT, SEC_ERROR_NO_EVENT) + MAPERROR(CKR_OBJECT_HANDLE_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_OPERATION_ACTIVE, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_OPERATION_NOT_INITIALIZED, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_PIN_INCORRECT, SEC_ERROR_BAD_PASSWORD) + MAPERROR(CKR_PIN_INVALID, SEC_ERROR_INVALID_PASSWORD) + MAPERROR(CKR_PIN_LEN_RANGE, SEC_ERROR_INVALID_PASSWORD) + MAPERROR(CKR_PIN_EXPIRED, SEC_ERROR_EXPIRED_PASSWORD) + MAPERROR(CKR_PIN_LOCKED, SEC_ERROR_LOCKED_PASSWORD) + MAPERROR(CKR_SESSION_CLOSED, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_SESSION_COUNT, SEC_ERROR_NO_MEMORY) /* XXXX? */ + MAPERROR(CKR_SESSION_HANDLE_INVALID, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_SESSION_PARALLEL_NOT_SUPPORTED, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_SESSION_READ_ONLY, SEC_ERROR_READ_ONLY) + MAPERROR(CKR_SIGNATURE_INVALID, SEC_ERROR_BAD_SIGNATURE) + MAPERROR(CKR_SIGNATURE_LEN_RANGE, SEC_ERROR_BAD_SIGNATURE) + MAPERROR(CKR_TEMPLATE_INCOMPLETE, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_TEMPLATE_INCONSISTENT, SEC_ERROR_BAD_DATA) + MAPERROR(CKR_TOKEN_NOT_PRESENT, SEC_ERROR_NO_TOKEN) + MAPERROR(CKR_TOKEN_NOT_RECOGNIZED, SEC_ERROR_IO) + MAPERROR(CKR_TOKEN_WRITE_PROTECTED, SEC_ERROR_READ_ONLY) + MAPERROR(CKR_UNWRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_UNWRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_USER_ALREADY_LOGGED_IN, 0) + MAPERROR(CKR_USER_NOT_LOGGED_IN, SEC_ERROR_TOKEN_NOT_LOGGED_IN) + MAPERROR(CKR_USER_PIN_NOT_INITIALIZED, SEC_ERROR_NO_TOKEN) + MAPERROR(CKR_USER_TYPE_INVALID, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_WRAPPED_KEY_INVALID, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_WRAPPED_KEY_LEN_RANGE, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_WRAPPING_KEY_HANDLE_INVALID, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_WRAPPING_KEY_SIZE_RANGE, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, SEC_ERROR_INVALID_KEY) + MAPERROR(CKR_VENDOR_DEFINED, SEC_ERROR_LIBRARY_FAILURE) + MAPERROR(CKR_NETSCAPE_CERTDB_FAILED, SEC_ERROR_BAD_DATABASE) + MAPERROR(CKR_NETSCAPE_KEYDB_FAILED, SEC_ERROR_BAD_DATABASE) + MAPERROR(CKR_CANT_LOCK, SEC_ERROR_INCOMPATIBLE_PKCS11) +/* clang-format on */ -#ifdef PK11_ERROR_USE_ARRAY +#ifdef PK11_ERROR_USE_ARRAY }; int -PK11_MapError(CK_RV rv) { - int size = sizeof(pk11_error_map)/sizeof(pk11_error_map[0]); +PK11_MapError(CK_RV rv) +{ + int size = sizeof(pk11_error_map) / sizeof(pk11_error_map[0]); - for (i=0; i < size; i++) { - if (pk11_error_map[i].pk11_error == rv) { - return pk11_error_map[i].sec_error; - } + for (i = 0; i < size; i++) { + if (pk11_error_map[i].pk11_error == rv) { + return pk11_error_map[i].sec_error; + } } return SEC_ERROR_UNKNOWN_PKCS11_ERROR; - } - +} #else - default: - break; - } - return SEC_ERROR_UNKNOWN_PKCS11_ERROR; + /* clang-format off */ + default : + break; +/* clang-format on */ +} +return SEC_ERROR_UNKNOWN_PKCS11_ERROR; } - #endif diff --git a/nss/lib/pk11wrap/pk11kea.c b/nss/lib/pk11wrap/pk11kea.c index a7dd4fb..331a19c 100644 --- a/nss/lib/pk11wrap/pk11kea.c +++ b/nss/lib/pk11wrap/pk11kea.c @@ -29,103 +29,112 @@ pk11_FindRSAPubKey(PK11SlotInfo *slot) CK_KEY_TYPE key_type = CKK_RSA; CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY; CK_ATTRIBUTE theTemplate[2]; - int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]); + int template_count = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_ATTRIBUTE *attrs = theTemplate; - PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++; - PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type)); + attrs++; template_count = attrs - theTemplate; - PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)); - return pk11_FindObjectByTemplate(slot,theTemplate,template_count); + return pk11_FindObjectByTemplate(slot, theTemplate, template_count); } PK11SymKey * -pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, - PRBool isPerm, PK11SymKey *symKey) +pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, + PRBool isPerm, PK11SymKey *symKey) { PK11SymKey *newSymKey = NULL; SECStatus rv; /* performance improvement can go here --- use a generated key at startup - * to generate a per token wrapping key. If it exists, use it, otherwise + * to generate a per token wrapping key. If it exists, use it, otherwise * do a full key exchange. */ /* find a common Key Exchange algorithm */ /* RSA */ - if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && - PK11_DoesMechanism(slot,CKM_RSA_PKCS)) { - CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE; - SECKEYPublicKey *pubKey = NULL; - SECKEYPrivateKey *privKey = NULL; - SECItem wrapData; - unsigned int symKeyLength = PK11_GetKeyLength(symKey); + if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && + PK11_DoesMechanism(slot, CKM_RSA_PKCS)) { + CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE; + CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE; + SECKEYPublicKey *pubKey = NULL; + SECKEYPrivateKey *privKey = NULL; + SECItem wrapData; + unsigned int symKeyLength = PK11_GetKeyLength(symKey); - wrapData.data = NULL; + wrapData.data = NULL; - /* find RSA Public Key on target */ - pubKeyHandle = pk11_FindRSAPubKey(slot); - if (pubKeyHandle != CK_INVALID_HANDLE) { - privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY); - } + /* find RSA Public Key on target */ + pubKeyHandle = pk11_FindRSAPubKey(slot); + if (pubKeyHandle != CK_INVALID_HANDLE) { + privKeyHandle = PK11_MatchItem(slot, pubKeyHandle, CKO_PRIVATE_KEY); + } - /* if no key exists, generate a key pair */ - if (privKeyHandle == CK_INVALID_HANDLE) { - PK11RSAGenParams rsaParams; + /* if no key exists, generate a key pair */ + if (privKeyHandle == CK_INVALID_HANDLE) { + PK11RSAGenParams rsaParams; - if (symKeyLength > 53) /* bytes */ { - /* we'd have to generate an RSA key pair > 512 bits long, - ** and that's too costly. Don't even try. - */ - PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY ); - goto rsa_failed; - } - rsaParams.keySizeInBits = - (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; - rsaParams.pe = 0x10001; - privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, - &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx); - } else { - /* if keys exist, build SECKEY data structures for them */ - privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle, - symKey->cx); - if (privKey != NULL) { - pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); - if (pubKey && pubKey->pkcs11Slot) { - PK11_FreeSlot(pubKey->pkcs11Slot); - pubKey->pkcs11Slot = NULL; - pubKey->pkcs11ID = CK_INVALID_HANDLE; - } - } - } - if (privKey == NULL) goto rsa_failed; - if (pubKey == NULL) goto rsa_failed; + if (symKeyLength > 53) /* bytes */ { + /* we'd have to generate an RSA key pair > 512 bits long, + ** and that's too costly. Don't even try. + */ + PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); + goto rsa_failed; + } + rsaParams.keySizeInBits = + (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; + rsaParams.pe = 0x10001; + privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, + &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); + } else { + /* if keys exist, build SECKEY data structures for them */ + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, privKeyHandle, + symKey->cx); + if (privKey != NULL) { + pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); + if (pubKey && pubKey->pkcs11Slot) { + PK11_FreeSlot(pubKey->pkcs11Slot); + pubKey->pkcs11Slot = NULL; + pubKey->pkcs11ID = CK_INVALID_HANDLE; + } + } + } + if (privKey == NULL) + goto rsa_failed; + if (pubKey == NULL) + goto rsa_failed; - wrapData.len = SECKEY_PublicKeyStrength(pubKey); - if (!wrapData.len) goto rsa_failed; + wrapData.len = SECKEY_PublicKeyStrength(pubKey); + if (!wrapData.len) + goto rsa_failed; wrapData.data = PORT_Alloc(wrapData.len); - if (wrapData.data == NULL) goto rsa_failed; + if (wrapData.data == NULL) + goto rsa_failed; - /* now wrap the keys in and out */ - rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); - if (rv == SECSuccess) { - newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey, - &wrapData,type,operation,symKeyLength,flags,isPerm); - /* make sure we wound up where we wanted to be! */ - if (newSymKey && newSymKey->slot != slot) { - PK11_FreeSymKey(newSymKey); - newSymKey = NULL; - } - } -rsa_failed: - if (wrapData.data != NULL) PORT_Free(wrapData.data); - if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey); - if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey); + /* now wrap the keys in and out */ + rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); + if (rv == SECSuccess) { + newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey, + &wrapData, type, operation, + symKeyLength, flags, isPerm); + /* make sure we wound up where we wanted to be! */ + if (newSymKey && newSymKey->slot != slot) { + PK11_FreeSymKey(newSymKey); + newSymKey = NULL; + } + } + rsa_failed: + if (wrapData.data != NULL) + PORT_Free(wrapData.data); + if (privKey != NULL) + SECKEY_DestroyPrivateKey(privKey); + if (pubKey != NULL) + SECKEY_DestroyPublicKey(pubKey); - return newSymKey; + return newSymKey; } - PORT_SetError( SEC_ERROR_NO_MODULE ); + PORT_SetError(SEC_ERROR_NO_MODULE); return NULL; } - diff --git a/nss/lib/pk11wrap/pk11list.c b/nss/lib/pk11wrap/pk11list.c index 9e32482..aaf29f6 100644 --- a/nss/lib/pk11wrap/pk11list.c +++ b/nss/lib/pk11wrap/pk11list.c @@ -16,25 +16,27 @@ /* * create a new lock for a Module List */ -SECMODListLock *SECMOD_NewListLock() +SECMODListLock * +SECMOD_NewListLock() { - return NSSRWLock_New( 10, "moduleListLock"); + return NSSRWLock_New(10, "moduleListLock"); } /* * destroy the lock */ -void SECMOD_DestroyListLock(SECMODListLock *lock) +void +SECMOD_DestroyListLock(SECMODListLock *lock) { NSSRWLock_Destroy(lock); } - /* * Lock the List for Read: NOTE: this assumes the reading isn't so common * the writing will be starved. */ -void SECMOD_GetReadLock(SECMODListLock *modLock) +void +SECMOD_GetReadLock(SECMODListLock *modLock) { NSSRWLock_LockRead(modLock); } @@ -42,36 +44,36 @@ void SECMOD_GetReadLock(SECMODListLock *modLock) /* * Release the Read lock */ -void SECMOD_ReleaseReadLock(SECMODListLock *modLock) +void +SECMOD_ReleaseReadLock(SECMODListLock *modLock) { NSSRWLock_UnlockRead(modLock); } - /* * lock the list for Write */ -void SECMOD_GetWriteLock(SECMODListLock *modLock) +void +SECMOD_GetWriteLock(SECMODListLock *modLock) { NSSRWLock_LockWrite(modLock); } - /* * Release the Write Lock: NOTE, this code is pretty inefficient if you have * lots of write collisions. */ -void SECMOD_ReleaseWriteLock(SECMODListLock *modLock) +void +SECMOD_ReleaseWriteLock(SECMODListLock *modLock) { NSSRWLock_UnlockWrite(modLock); } - /* * must Hold the Write lock */ void -SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) +SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) { *parent = child->next; child->next = NULL; @@ -81,15 +83,17 @@ SECMOD_RemoveList(SECMODModuleList **parent, SECMODModuleList *child) * if lock is not specified, it must already be held */ void -SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child, - SECMODListLock *lock) +SECMOD_AddList(SECMODModuleList *parent, SECMODModuleList *child, + SECMODListLock *lock) { - if (lock) { SECMOD_GetWriteLock(lock); } + if (lock) { + SECMOD_GetWriteLock(lock); + } child->next = parent->next; parent->next = child; - if (lock) { SECMOD_ReleaseWriteLock(lock); } + if (lock) { + SECMOD_ReleaseWriteLock(lock); + } } - - diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c index e3ba122..f12d0fd 100644 --- a/nss/lib/pk11wrap/pk11load.c +++ b/nss/lib/pk11wrap/pk11load.c @@ -27,38 +27,46 @@ static char *modToDBG = NULL; #endif /* build the PKCS #11 2.01 lock files */ -CK_RV PR_CALLBACK secmodCreateMutext(CK_VOID_PTR_PTR pmutex) { - *pmutex = (CK_VOID_PTR) PZ_NewLock(nssILockOther); - if ( *pmutex ) return CKR_OK; +CK_RV PR_CALLBACK +secmodCreateMutext(CK_VOID_PTR_PTR pmutex) +{ + *pmutex = (CK_VOID_PTR)PZ_NewLock(nssILockOther); + if (*pmutex) + return CKR_OK; return CKR_HOST_MEMORY; } -CK_RV PR_CALLBACK secmodDestroyMutext(CK_VOID_PTR mutext) { +CK_RV PR_CALLBACK +secmodDestroyMutext(CK_VOID_PTR mutext) +{ PZ_DestroyLock((PZLock *)mutext); return CKR_OK; } -CK_RV PR_CALLBACK secmodLockMutext(CK_VOID_PTR mutext) { +CK_RV PR_CALLBACK +secmodLockMutext(CK_VOID_PTR mutext) +{ PZ_Lock((PZLock *)mutext); return CKR_OK; } -CK_RV PR_CALLBACK secmodUnlockMutext(CK_VOID_PTR mutext) { +CK_RV PR_CALLBACK +secmodUnlockMutext(CK_VOID_PTR mutext) +{ PZ_Unlock((PZLock *)mutext); return CKR_OK; } -static SECMODModuleID nextModuleID = 1; +static SECMODModuleID nextModuleID = 1; static const CK_C_INITIALIZE_ARGS secmodLockFunctions = { - secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, - secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS| - CKF_OS_LOCKING_OK - ,NULL + secmodCreateMutext, secmodDestroyMutext, secmodLockMutext, + secmodUnlockMutext, CKF_LIBRARY_CANT_CREATE_OS_THREADS | + CKF_OS_LOCKING_OK, + NULL }; static const CK_C_INITIALIZE_ARGS secmodNoLockArgs = { NULL, NULL, NULL, NULL, - CKF_LIBRARY_CANT_CREATE_OS_THREADS - ,NULL + CKF_LIBRARY_CANT_CREATE_OS_THREADS, NULL }; static PRBool loadSingleThreadedModules = PR_TRUE; @@ -66,9 +74,10 @@ static PRBool enforceAlreadyInitializedError = PR_TRUE; static PRBool finalizeModules = PR_TRUE; /* set global options for NSS PKCS#11 module loader */ -SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules, - PRBool allowAlreadyInitializedModules, - PRBool dontFinalizeModules) +SECStatus +pk11_setGlobalOptions(PRBool noSingleThreadedModules, + PRBool allowAlreadyInitializedModules, + PRBool dontFinalizeModules) { if (noSingleThreadedModules) { loadSingleThreadedModules = PR_FALSE; @@ -88,7 +97,8 @@ SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules, return SECSuccess; } -PRBool pk11_getFinalizeModulesOption(void) +PRBool +pk11_getFinalizeModulesOption(void) { return finalizeModules; } @@ -114,82 +124,81 @@ secmod_handleReload(SECMODModule *oldModule, SECMODModule *newModule) char **children; CK_SLOT_ID *ids; SECMODConfigList *conflist = NULL; - SECStatus rv = SECFailure; - int count = 0; + SECStatus rv = SECFailure; + int count = 0; /* first look for tokens= key words from the module spec */ modulespec = newModule->libraryParams; newModuleSpec = secmod_ParseModuleSpecForTokens(PR_TRUE, - newModule->isFIPS, modulespec, &children, &ids); + newModule->isFIPS, modulespec, &children, &ids); if (!newModuleSpec) { - return SECFailure; + return SECFailure; } - /* + /* * We are now trying to open a new slot on an already loaded module. * If that slot represents a cert/key database, we don't want to open * multiple copies of that same database. Unfortunately we understand * the softoken flags well enough to be able to do this, so we can only get * the list of already loaded databases if we are trying to open another - * internal module. + * internal module. */ if (oldModule->internal) { - conflist = secmod_GetConfigList(oldModule->isFIPS, - oldModule->libraryParams, &count); + conflist = secmod_GetConfigList(oldModule->isFIPS, + oldModule->libraryParams, &count); } - /* don't open multiple of the same db */ - if (conflist && secmod_MatchConfigList(newModuleSpec, conflist, count)) { - rv = SECSuccess; - goto loser; + if (conflist && secmod_MatchConfigList(newModuleSpec, conflist, count)) { + rv = SECSuccess; + goto loser; } slot = SECMOD_OpenNewSlot(oldModule, newModuleSpec); if (slot) { - int newID; - char **thisChild; - CK_SLOT_ID *thisID; - char *oldModuleSpec; - - if (secmod_IsInternalKeySlot(newModule)) { - pk11_SetInternalKeySlotIfFirst(slot); - } - newID = slot->slotID; - PK11_FreeSlot(slot); - for (thisChild=children, thisID=ids; thisChild && *thisChild; - thisChild++,thisID++) { - if (conflist && - secmod_MatchConfigList(*thisChild, conflist, count)) { - *thisID = (CK_SLOT_ID) -1; - continue; - } - slot = SECMOD_OpenNewSlot(oldModule, *thisChild); - if (slot) { - *thisID = slot->slotID; - PK11_FreeSlot(slot); - } else { - *thisID = (CK_SLOT_ID) -1; - } - } - - /* update the old module initialization string in case we need to - * shutdown and reinit the whole mess (this is rare, but can happen - * when trying to stop smart card insertion/removal threads)... */ - oldModuleSpec = secmod_MkAppendTokensList(oldModule->arena, - oldModule->libraryParams, newModuleSpec, newID, - children, ids); - if (oldModuleSpec) { - oldModule->libraryParams = oldModuleSpec; - } - - rv = SECSuccess; + int newID; + char **thisChild; + CK_SLOT_ID *thisID; + char *oldModuleSpec; + + if (secmod_IsInternalKeySlot(newModule)) { + pk11_SetInternalKeySlotIfFirst(slot); + } + newID = slot->slotID; + PK11_FreeSlot(slot); + for (thisChild = children, thisID = ids; thisChild && *thisChild; + thisChild++, thisID++) { + if (conflist && + secmod_MatchConfigList(*thisChild, conflist, count)) { + *thisID = (CK_SLOT_ID)-1; + continue; + } + slot = SECMOD_OpenNewSlot(oldModule, *thisChild); + if (slot) { + *thisID = slot->slotID; + PK11_FreeSlot(slot); + } else { + *thisID = (CK_SLOT_ID)-1; + } + } + + /* update the old module initialization string in case we need to + * shutdown and reinit the whole mess (this is rare, but can happen + * when trying to stop smart card insertion/removal threads)... */ + oldModuleSpec = secmod_MkAppendTokensList(oldModule->arena, + oldModule->libraryParams, newModuleSpec, newID, + children, ids); + if (oldModuleSpec) { + oldModule->libraryParams = oldModuleSpec; + } + + rv = SECSuccess; } loser: secmod_FreeChildren(children, ids); PORT_Free(newModuleSpec); if (conflist) { - secmod_FreeConfigList(conflist, count); + secmod_FreeConfigList(conflist, count); } return rv; } @@ -198,15 +207,15 @@ loser: * collect the steps we need to initialize a module in a single function */ SECStatus -secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload, - PRBool* alreadyLoaded) +secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload, + PRBool *alreadyLoaded) { CK_C_INITIALIZE_ARGS moduleArgs; CK_VOID_PTR pInitArgs; CK_RV crv; if (reload) { - *reload = NULL; + *reload = NULL; } if (!mod || !alreadyLoaded) { @@ -215,86 +224,86 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload, } if (mod->libraryParams == NULL) { - if (mod->isThreadSafe) { - pInitArgs = (void *) &secmodLockFunctions; - } else { - pInitArgs = NULL; - } + if (mod->isThreadSafe) { + pInitArgs = (void *)&secmodLockFunctions; + } else { + pInitArgs = NULL; + } } else { - if (mod->isThreadSafe) { - moduleArgs = secmodLockFunctions; - } else { - moduleArgs = secmodNoLockArgs; - } - moduleArgs.LibraryParameters = (void *) mod->libraryParams; - pInitArgs = &moduleArgs; + if (mod->isThreadSafe) { + moduleArgs = secmodLockFunctions; + } else { + moduleArgs = secmodNoLockArgs; + } + moduleArgs.LibraryParameters = (void *)mod->libraryParams; + pInitArgs = &moduleArgs; } crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs); if (CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) { - SECMODModule *oldModule = NULL; - - /* Library has already been loaded once, if caller expects it, and it - * has additional configuration, try reloading it as well. */ - if (reload != NULL && mod->libraryParams) { - oldModule = secmod_FindModuleByFuncPtr(mod->functionList); - } - /* Library has been loaded by NSS. It means it may be capable of - * reloading */ - if (oldModule) { - SECStatus rv; - rv = secmod_handleReload(oldModule, mod); - if (rv == SECSuccess) { - /* This module should go away soon, since we've - * simply expanded the slots on the old module. - * When it goes away, it should not Finalize since - * that will close our old module as well. Setting - * the function list to NULL will prevent that close */ - mod->functionList = NULL; - *reload = oldModule; - return SECSuccess; - } - SECMOD_DestroyModule(oldModule); - } - /* reload not possible, fall back to old semantics */ - if (!enforceAlreadyInitializedError) { - *alreadyLoaded = PR_TRUE; + SECMODModule *oldModule = NULL; + + /* Library has already been loaded once, if caller expects it, and it + * has additional configuration, try reloading it as well. */ + if (reload != NULL && mod->libraryParams) { + oldModule = secmod_FindModuleByFuncPtr(mod->functionList); + } + /* Library has been loaded by NSS. It means it may be capable of + * reloading */ + if (oldModule) { + SECStatus rv; + rv = secmod_handleReload(oldModule, mod); + if (rv == SECSuccess) { + /* This module should go away soon, since we've + * simply expanded the slots on the old module. + * When it goes away, it should not Finalize since + * that will close our old module as well. Setting + * the function list to NULL will prevent that close */ + mod->functionList = NULL; + *reload = oldModule; + return SECSuccess; + } + SECMOD_DestroyModule(oldModule); + } + /* reload not possible, fall back to old semantics */ + if (!enforceAlreadyInitializedError) { + *alreadyLoaded = PR_TRUE; return SECSuccess; - } + } } if (crv != CKR_OK) { - if (!mod->isThreadSafe || - crv == CKR_NETSCAPE_CERTDB_FAILED || - crv == CKR_NETSCAPE_KEYDB_FAILED) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } - /* If we had attempted to init a single threaded module "with" - * parameters and it failed, should we retry "without" parameters? - * (currently we don't retry in this scenario) */ - - if (!loadSingleThreadedModules) { - PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11); - return SECFailure; - } - /* If we arrive here, the module failed a ThreadSafe init. */ - mod->isThreadSafe = PR_FALSE; - if (!mod->libraryParams) { - pInitArgs = NULL; - } else { - moduleArgs = secmodNoLockArgs; - moduleArgs.LibraryParameters = (void *) mod->libraryParams; - pInitArgs = &moduleArgs; - } - crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs); - if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) && - (!enforceAlreadyInitializedError)) { - *alreadyLoaded = PR_TRUE; - return SECSuccess; - } - if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } + if (!mod->isThreadSafe || + crv == CKR_NETSCAPE_CERTDB_FAILED || + crv == CKR_NETSCAPE_KEYDB_FAILED) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + /* If we had attempted to init a single threaded module "with" + * parameters and it failed, should we retry "without" parameters? + * (currently we don't retry in this scenario) */ + + if (!loadSingleThreadedModules) { + PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11); + return SECFailure; + } + /* If we arrive here, the module failed a ThreadSafe init. */ + mod->isThreadSafe = PR_FALSE; + if (!mod->libraryParams) { + pInitArgs = NULL; + } else { + moduleArgs = secmodNoLockArgs; + moduleArgs.LibraryParameters = (void *)mod->libraryParams; + pInitArgs = &moduleArgs; + } + crv = PK11_GETTAB(mod)->C_Initialize(pInitArgs); + if ((CKR_CRYPTOKI_ALREADY_INITIALIZED == crv) && + (!enforceAlreadyInitializedError)) { + *alreadyLoaded = PR_TRUE; + return SECSuccess; + } + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } } return SECSuccess; } @@ -304,50 +313,50 @@ secmod_ModuleInit(SECMODModule *mod, SECMODModule **reload, * into the database. */ void -SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) { +SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) +{ PK11PreSlotInfo *psi = NULL; int i; if (slot->hasRootCerts) { - for (i=0; i < mod->slotInfoCount; i++) { - if (slot->slotID == mod->slotInfo[i].slotID) { - psi = &mod->slotInfo[i]; - break; - } - } - if (psi == NULL) { - /* allocate more slots */ - PK11PreSlotInfo *psi_list = (PK11PreSlotInfo *) - PORT_ArenaAlloc(mod->arena, - (mod->slotInfoCount+1)* sizeof(PK11PreSlotInfo)); - /* copy the old ones */ - if (mod->slotInfoCount > 0) { - PORT_Memcpy(psi_list,mod->slotInfo, - (mod->slotInfoCount)*sizeof(PK11PreSlotInfo)); - } - /* assign psi to the last new slot */ - psi = &psi_list[mod->slotInfoCount]; - psi->slotID = slot->slotID; - psi->askpw = 0; - psi->timeout = 0; - psi ->defaultFlags = 0; - - /* increment module count & store new list */ - mod->slotInfo = psi_list; - mod->slotInfoCount++; - - } - psi->hasRootCerts = 1; + for (i = 0; i < mod->slotInfoCount; i++) { + if (slot->slotID == mod->slotInfo[i].slotID) { + psi = &mod->slotInfo[i]; + break; + } + } + if (psi == NULL) { + /* allocate more slots */ + PK11PreSlotInfo *psi_list = (PK11PreSlotInfo *) + PORT_ArenaAlloc(mod->arena, + (mod->slotInfoCount + 1) * sizeof(PK11PreSlotInfo)); + /* copy the old ones */ + if (mod->slotInfoCount > 0) { + PORT_Memcpy(psi_list, mod->slotInfo, + (mod->slotInfoCount) * sizeof(PK11PreSlotInfo)); + } + /* assign psi to the last new slot */ + psi = &psi_list[mod->slotInfoCount]; + psi->slotID = slot->slotID; + psi->askpw = 0; + psi->timeout = 0; + psi->defaultFlags = 0; + + /* increment module count & store new list */ + mod->slotInfo = psi_list; + mod->slotInfoCount++; + } + psi->hasRootCerts = 1; } } -static const char* my_shlib_name = - SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; -static const char* softoken_shlib_name = - SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX; +static const char *my_shlib_name = + SHLIB_PREFIX "nss" SHLIB_VERSION "." SHLIB_SUFFIX; +static const char *softoken_shlib_name = + SHLIB_PREFIX "softokn" SOFTOKEN_SHLIB_VERSION "." SHLIB_SUFFIX; static const PRCallOnceType pristineCallOnce; static PRCallOnceType loadSoftokenOnce; -static PRLibrary* softokenLib; +static PRLibrary *softokenLib; static PRInt32 softokenLoadCount; #include "prio.h" @@ -358,25 +367,26 @@ static PRInt32 softokenLoadCount; /* This function must be run only once. */ /* determine if hybrid platform, then actually load the DSO. */ static PRStatus -softoken_LoadDSO( void ) +softoken_LoadDSO(void) { - PRLibrary * handle; - - handle = PORT_LoadLibraryFromOrigin(my_shlib_name, - (PRFuncPtr) &softoken_LoadDSO, - softoken_shlib_name); - if (handle) { - softokenLib = handle; - return PR_SUCCESS; - } - return PR_FAILURE; + PRLibrary *handle; + + handle = PORT_LoadLibraryFromOrigin(my_shlib_name, + (PRFuncPtr)&softoken_LoadDSO, + softoken_shlib_name); + if (handle) { + softokenLib = handle; + return PR_SUCCESS; + } + return PR_FAILURE; } /* * load a new module into our address space and initialize it. */ SECStatus -secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { +secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) +{ PRLibrary *library = NULL; CK_C_GetFunctionList entry = NULL; CK_INFO info; @@ -385,92 +395,94 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { PRBool alreadyLoaded = PR_FALSE; char *disableUnload = NULL; - if (mod->loaded) return SECSuccess; + if (mod->loaded) + return SECSuccess; /* intenal modules get loaded from their internal list */ if (mod->internal && (mod->dllName == NULL)) { - /* - * Loads softoken as a dynamic library, - * even though the rest of NSS assumes this as the "internal" module. - */ - if (!softokenLib && - PR_SUCCESS != PR_CallOnce(&loadSoftokenOnce, &softoken_LoadDSO)) - return SECFailure; + /* + * Loads softoken as a dynamic library, + * even though the rest of NSS assumes this as the "internal" module. + */ + if (!softokenLib && + PR_SUCCESS != PR_CallOnce(&loadSoftokenOnce, &softoken_LoadDSO)) + return SECFailure; + + PR_ATOMIC_INCREMENT(&softokenLoadCount); + + if (mod->isFIPS) { + entry = (CK_C_GetFunctionList) + PR_FindSymbol(softokenLib, "FC_GetFunctionList"); + } else { + entry = (CK_C_GetFunctionList) + PR_FindSymbol(softokenLib, "NSC_GetFunctionList"); + } - PR_ATOMIC_INCREMENT(&softokenLoadCount); + if (!entry) + return SECFailure; - if (mod->isFIPS) { - entry = (CK_C_GetFunctionList) - PR_FindSymbol(softokenLib, "FC_GetFunctionList"); + if (mod->isModuleDB) { + mod->moduleDBFunc = (CK_C_GetFunctionList) + PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); + } + + if (mod->moduleDBOnly) { + mod->loaded = PR_TRUE; + return SECSuccess; + } } else { - entry = (CK_C_GetFunctionList) - PR_FindSymbol(softokenLib, "NSC_GetFunctionList"); - } + /* Not internal, load the DLL and look up C_GetFunctionList */ + if (mod->dllName == NULL) { + return SECFailure; + } - if (!entry) - return SECFailure; + /* load the library. If this succeeds, then we have to remember to + * unload the library if anything goes wrong from here on out... + */ + library = PR_LoadLibrary(mod->dllName); + mod->library = (void *)library; - if (mod->isModuleDB) { - mod->moduleDBFunc = (CK_C_GetFunctionList) - PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); - } + if (library == NULL) { + return SECFailure; + } - if (mod->moduleDBOnly) { - mod->loaded = PR_TRUE; - return SECSuccess; - } - } else { - /* Not internal, load the DLL and look up C_GetFunctionList */ - if (mod->dllName == NULL) { - return SECFailure; - } - - /* load the library. If this succeeds, then we have to remember to - * unload the library if anything goes wrong from here on out... - */ - library = PR_LoadLibrary(mod->dllName); - mod->library = (void *)library; - - if (library == NULL) { - return SECFailure; - } - - /* - * now we need to get the entry point to find the function pointers - */ - if (!mod->moduleDBOnly) { - entry = (CK_C_GetFunctionList) - PR_FindSymbol(library, "C_GetFunctionList"); - } - if (mod->isModuleDB) { - mod->moduleDBFunc = (void *) - PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); - } - if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; - if (entry == NULL) { - if (mod->isModuleDB) { - mod->loaded = PR_TRUE; - mod->moduleDBOnly = PR_TRUE; - return SECSuccess; - } - PR_UnloadLibrary(library); - return SECFailure; - } + /* + * now we need to get the entry point to find the function pointers + */ + if (!mod->moduleDBOnly) { + entry = (CK_C_GetFunctionList) + PR_FindSymbol(library, "C_GetFunctionList"); + } + if (mod->isModuleDB) { + mod->moduleDBFunc = (void *) + PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); + } + if (mod->moduleDBFunc == NULL) + mod->isModuleDB = PR_FALSE; + if (entry == NULL) { + if (mod->isModuleDB) { + mod->loaded = PR_TRUE; + mod->moduleDBOnly = PR_TRUE; + return SECSuccess; + } + PR_UnloadLibrary(library); + return SECFailure; + } } /* * We need to get the function list */ - if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) - goto fail; + if ((*entry)((CK_FUNCTION_LIST_PTR *)&mod->functionList) != CKR_OK) + goto fail; #ifdef DEBUG_MODULE if (PR_TRUE) { - modToDBG = PR_GetEnv("NSS_DEBUG_PKCS11_MODULE"); - if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) { - mod->functionList = (void *)nss_InsertDeviceLog( - (CK_FUNCTION_LIST_PTR)mod->functionList); - } + modToDBG = PR_GetEnvSecure("NSS_DEBUG_PKCS11_MODULE"); + if (modToDBG && strcmp(mod->commonName, modToDBG) == 0) { + mod->functionList = (void *)nss_InsertDeviceLog( + (CK_FUNCTION_LIST_PTR)mod->functionList); + } } #endif @@ -479,19 +491,21 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { /* Now we initialize the module */ rv = secmod_ModuleInit(mod, oldModule, &alreadyLoaded); if (rv != SECSuccess) { - goto fail; + goto fail; } - /* module has been reloaded, this module itself is done, + /* module has been reloaded, this module itself is done, * return to the caller */ if (mod->functionList == NULL) { - mod->loaded = PR_TRUE; /* technically the module is loaded.. */ - return SECSuccess; + mod->loaded = PR_TRUE; /* technically the module is loaded.. */ + return SECSuccess; } /* check the version number */ - if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) goto fail2; - if (info.cryptokiVersion.major != 2) goto fail2; + if (PK11_GETTAB(mod)->C_GetInfo(&info) != CKR_OK) + goto fail2; + if (info.cryptokiVersion.major != 2) + goto fail2; /* all 2.0 are a priori *not* thread safe */ if (info.cryptokiVersion.minor < 1) { if (!loadSingleThreadedModules) { @@ -505,50 +519,51 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { /* If we don't have a common name, get it from the PKCS 11 module */ if ((mod->commonName == NULL) || (mod->commonName[0] == 0)) { - mod->commonName = PK11_MakeString(mod->arena,NULL, - (char *)info.libraryDescription, sizeof(info.libraryDescription)); - if (mod->commonName == NULL) goto fail2; + mod->commonName = PK11_MakeString(mod->arena, NULL, + (char *)info.libraryDescription, sizeof(info.libraryDescription)); + if (mod->commonName == NULL) + goto fail2; } - /* initialize the Slots */ if (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &slotCount) == CKR_OK) { - CK_SLOT_ID *slotIDs; - int i; - CK_RV crv; - - mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena, - sizeof(PK11SlotInfo *) * slotCount); - if (mod->slots == NULL) goto fail2; - - slotIDs = (CK_SLOT_ID *) PORT_Alloc(sizeof(CK_SLOT_ID)*slotCount); - if (slotIDs == NULL) { - goto fail2; - } - crv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount); - if (crv != CKR_OK) { - PORT_Free(slotIDs); - goto fail2; - } - - /* Initialize each slot */ - for (i=0; i < (int)slotCount; i++) { - mod->slots[i] = PK11_NewSlotInfo(mod); - PK11_InitSlot(mod,slotIDs[i],mod->slots[i]); - /* look down the slot info table */ - PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount); - SECMOD_SetRootCerts(mod->slots[i],mod); - /* explicitly mark the internal slot as such if IsInternalKeySlot() - * is set */ - if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) { - pk11_SetInternalKeySlotIfFirst(mod->slots[i]); - } - } - mod->slotCount = slotCount; - mod->slotInfoCount = 0; - PORT_Free(slotIDs); + CK_SLOT_ID *slotIDs; + int i; + CK_RV crv; + + mod->slots = (PK11SlotInfo **)PORT_ArenaAlloc(mod->arena, + sizeof(PK11SlotInfo *) * slotCount); + if (mod->slots == NULL) + goto fail2; + + slotIDs = (CK_SLOT_ID *)PORT_Alloc(sizeof(CK_SLOT_ID) * slotCount); + if (slotIDs == NULL) { + goto fail2; + } + crv = PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, slotIDs, &slotCount); + if (crv != CKR_OK) { + PORT_Free(slotIDs); + goto fail2; + } + + /* Initialize each slot */ + for (i = 0; i < (int)slotCount; i++) { + mod->slots[i] = PK11_NewSlotInfo(mod); + PK11_InitSlot(mod, slotIDs[i], mod->slots[i]); + /* look down the slot info table */ + PK11_LoadSlotList(mod->slots[i], mod->slotInfo, mod->slotInfoCount); + SECMOD_SetRootCerts(mod->slots[i], mod); + /* explicitly mark the internal slot as such if IsInternalKeySlot() + * is set */ + if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) { + pk11_SetInternalKeySlotIfFirst(mod->slots[i]); + } + } + mod->slotCount = slotCount; + mod->slotInfoCount = 0; + PORT_Free(slotIDs); } - + mod->loaded = PR_TRUE; mod->moduleID = nextModuleID++; return SECSuccess; @@ -558,7 +573,7 @@ fail2: } fail: mod->functionList = NULL; - disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); + disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); if (library && !disableUnload) { PR_UnloadLibrary(library); } @@ -566,50 +581,51 @@ fail: } SECStatus -SECMOD_UnloadModule(SECMODModule *mod) { +SECMOD_UnloadModule(SECMODModule *mod) +{ PRLibrary *library; char *disableUnload = NULL; if (!mod->loaded) { - return SECFailure; + return SECFailure; } if (finalizeModules) { - if (mod->functionList &&!mod->moduleDBOnly) { - PK11_GETTAB(mod)->C_Finalize(NULL); - } + if (mod->functionList && !mod->moduleDBOnly) { + PK11_GETTAB(mod)->C_Finalize(NULL); + } } mod->moduleID = 0; mod->loaded = PR_FALSE; - + /* do we want the semantics to allow unloading the internal library? * if not, we should change this to SECFailure and move it above the * mod->loaded = PR_FALSE; */ if (mod->internal && (mod->dllName == NULL)) { if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { - if (softokenLib) { - disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); - if (!disableUnload) { + if (softokenLib) { + disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); + if (!disableUnload) { #ifdef DEBUG - PRStatus status = PR_UnloadLibrary(softokenLib); - PORT_Assert(PR_SUCCESS == status); + PRStatus status = PR_UnloadLibrary(softokenLib); + PORT_Assert(PR_SUCCESS == status); #else - PR_UnloadLibrary(softokenLib); + PR_UnloadLibrary(softokenLib); #endif - } - softokenLib = NULL; - } - loadSoftokenOnce = pristineCallOnce; + } + softokenLib = NULL; + } + loadSoftokenOnce = pristineCallOnce; } - return SECSuccess; + return SECSuccess; } library = (PRLibrary *)mod->library; /* paranoia */ if (library == NULL) { - return SECFailure; + return SECFailure; } - disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); + disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); if (!disableUnload) { PR_UnloadLibrary(library); } @@ -621,7 +637,7 @@ nss_DumpModuleLog(void) { #ifdef DEBUG_MODULE if (modToDBG) { - print_final_statistics(); + print_final_statistics(); } #endif } diff --git a/nss/lib/pk11wrap/pk11mech.c b/nss/lib/pk11wrap/pk11mech.c index 29e86e6..4db05ff 100644 --- a/nss/lib/pk11wrap/pk11mech.c +++ b/nss/lib/pk11wrap/pk11mech.c @@ -12,7 +12,7 @@ #include "pk11func.h" #include "secitem.h" #include "secder.h" -#include "secasn1.h" +#include "secasn1.h" #include "secoid.h" #include "secerr.h" @@ -24,17 +24,17 @@ * Tables used for Extended mechanism mapping (currently not used) */ typedef struct { - CK_MECHANISM_TYPE keyGen; - CK_KEY_TYPE keyType; - CK_MECHANISM_TYPE type; - CK_MECHANISM_TYPE padType; - int blockSize; - int iv; + CK_MECHANISM_TYPE keyGen; + CK_KEY_TYPE keyType; + CK_MECHANISM_TYPE type; + CK_MECHANISM_TYPE padType; + int blockSize; + int iv; } pk11MechanismData; - -static pk11MechanismData pk11_default = - { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, - CKM_FAKE_RANDOM, CKM_FAKE_RANDOM, 8, 8 }; + +static pk11MechanismData pk11_default = + { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, + CKM_FAKE_RANDOM, CKM_FAKE_RANDOM, 8, 8 }; static pk11MechanismData *pk11_MechanismTable = NULL; static int pk11_MechTableSize = 0; static int pk11_MechEntrySize = 0; @@ -61,7 +61,7 @@ CK_MECHANISM_TYPE wrapMechanismList[] = { CKM_SKIPJACK_WRAP, }; -int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]); +int wrapMechanismCount = sizeof(wrapMechanismList) / sizeof(wrapMechanismList[0]); /********************************************************************* * Mechanism Mapping functions @@ -75,10 +75,10 @@ static pk11MechanismData * pk11_lookup(CK_MECHANISM_TYPE type) { int i; - for (i=0; i < pk11_MechEntrySize; i++) { - if (pk11_MechanismTable[i].type == type) { - return (&pk11_MechanismTable[i]); - } + for (i = 0; i < pk11_MechEntrySize; i++) { + if (pk11_MechanismTable[i].type == type) { + return (&pk11_MechanismTable[i]); + } } return &pk11_default; } @@ -90,10 +90,10 @@ CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot) { int i; - for (i=0; i < wrapMechanismCount; i++) { - if (PK11_DoesMechanism(slot,wrapMechanismList[i])) { - return wrapMechanismList[i]; - } + for (i = 0; i < wrapMechanismCount; i++) { + if (PK11_DoesMechanism(slot, wrapMechanismList[i])) { + return wrapMechanismList[i]; + } } return CKM_INVALID_MECHANISM; } @@ -108,9 +108,9 @@ PK11_GetBestWrapMechanism(PK11SlotInfo *slot) */ void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, - CK_MECHANISM_TYPE keyGen, - CK_MECHANISM_TYPE padType, - int ivLen, int blockSize) + CK_MECHANISM_TYPE keyGen, + CK_MECHANISM_TYPE padType, + int ivLen, int blockSize) { int tableSize = pk11_MechTableSize; int size = pk11_MechEntrySize; @@ -118,15 +118,17 @@ PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, pk11MechanismData *old = pk11_MechanismTable; pk11MechanismData *newt = pk11_MechanismTable; - if (size > tableSize) { - int oldTableSize = tableSize; - tableSize += 10; - newt = PORT_NewArray(pk11MechanismData, tableSize); - if (newt == NULL) return; + int oldTableSize = tableSize; + tableSize += 10; + newt = PORT_NewArray(pk11MechanismData, tableSize); + if (newt == NULL) + return; - if (old) PORT_Memcpy(newt, old, oldTableSize*sizeof(*newt)); - } else old = NULL; + if (old) + PORT_Memcpy(newt, old, oldTableSize * sizeof(*newt)); + } else + old = NULL; newt[entry].type = type; newt[entry].keyType = key; @@ -138,7 +140,8 @@ PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, pk11_MechanismTable = newt; pk11_MechTableSize = tableSize; pk11_MechEntrySize = size; - if (old) PORT_Free(old); + if (old) + PORT_Free(old); } /* @@ -148,53 +151,55 @@ CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type) { switch (type) { - case CKK_SEED: - return CKM_SEED_CBC; - case CKK_CAMELLIA: - return CKM_CAMELLIA_CBC; - case CKK_AES: - return CKM_AES_CBC; - case CKK_DES: - return CKM_DES_CBC; - case CKK_DES3: - return CKM_DES3_KEY_GEN; - case CKK_DES2: - return CKM_DES2_KEY_GEN; - case CKK_CDMF: - return CKM_CDMF_CBC; - case CKK_RC2: - return CKM_RC2_CBC; - case CKK_RC4: - return CKM_RC4; - case CKK_RC5: - return CKM_RC5_CBC; - case CKK_SKIPJACK: - return CKM_SKIPJACK_CBC64; - case CKK_BATON: - return CKM_BATON_CBC128; - case CKK_JUNIPER: - return CKM_JUNIPER_CBC128; - case CKK_IDEA: - return CKM_IDEA_CBC; - case CKK_CAST: - return CKM_CAST_CBC; - case CKK_CAST3: - return CKM_CAST3_CBC; - case CKK_CAST5: - return CKM_CAST5_CBC; - case CKK_RSA: - return CKM_RSA_PKCS; - case CKK_DSA: - return CKM_DSA; - case CKK_DH: - return CKM_DH_PKCS_DERIVE; - case CKK_KEA: - return CKM_KEA_KEY_DERIVE; - case CKK_EC: /* CKK_ECDSA is deprecated */ - return CKM_ECDSA; - case CKK_GENERIC_SECRET: - default: - return CKM_SHA_1_HMAC; + case CKK_SEED: + return CKM_SEED_CBC; + case CKK_CAMELLIA: + return CKM_CAMELLIA_CBC; + case CKK_NSS_CHACHA20: + return CKM_NSS_CHACHA20_POLY1305; + case CKK_AES: + return CKM_AES_CBC; + case CKK_DES: + return CKM_DES_CBC; + case CKK_DES3: + return CKM_DES3_KEY_GEN; + case CKK_DES2: + return CKM_DES2_KEY_GEN; + case CKK_CDMF: + return CKM_CDMF_CBC; + case CKK_RC2: + return CKM_RC2_CBC; + case CKK_RC4: + return CKM_RC4; + case CKK_RC5: + return CKM_RC5_CBC; + case CKK_SKIPJACK: + return CKM_SKIPJACK_CBC64; + case CKK_BATON: + return CKM_BATON_CBC128; + case CKK_JUNIPER: + return CKM_JUNIPER_CBC128; + case CKK_IDEA: + return CKM_IDEA_CBC; + case CKK_CAST: + return CKM_CAST_CBC; + case CKK_CAST3: + return CKM_CAST3_CBC; + case CKK_CAST5: + return CKM_CAST5_CBC; + case CKK_RSA: + return CKM_RSA_PKCS; + case CKK_DSA: + return CKM_DSA; + case CKK_DH: + return CKM_DH_PKCS_DERIVE; + case CKK_KEA: + return CKM_KEA_KEY_DERIVE; + case CKK_EC: /* CKK_ECDSA is deprecated */ + return CKM_ECDSA; + case CKK_GENERIC_SECRET: + default: + return CKM_SHA_1_HMAC; } } @@ -202,209 +207,212 @@ PK11_GetKeyMechanism(CK_KEY_TYPE type) * Get the key type needed for the given mechanism */ CK_KEY_TYPE -PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len) +PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len) { switch (type) { - case CKM_SEED_ECB: - case CKM_SEED_CBC: - case CKM_SEED_MAC: - case CKM_SEED_MAC_GENERAL: - case CKM_SEED_CBC_PAD: - case CKM_SEED_KEY_GEN: - return CKK_SEED; - case CKM_CAMELLIA_ECB: - case CKM_CAMELLIA_CBC: - case CKM_CAMELLIA_MAC: - case CKM_CAMELLIA_MAC_GENERAL: - case CKM_CAMELLIA_CBC_PAD: - case CKM_CAMELLIA_KEY_GEN: - return CKK_CAMELLIA; - case CKM_AES_ECB: - case CKM_AES_CBC: - case CKM_AES_CCM: - case CKM_AES_CTR: - case CKM_AES_CTS: - case CKM_AES_GCM: - case CKM_AES_MAC: - case CKM_AES_MAC_GENERAL: - case CKM_AES_CBC_PAD: - case CKM_AES_KEY_GEN: - case CKM_NETSCAPE_AES_KEY_WRAP: - case CKM_NETSCAPE_AES_KEY_WRAP_PAD: - return CKK_AES; - case CKM_DES_ECB: - case CKM_DES_CBC: - case CKM_DES_MAC: - case CKM_DES_MAC_GENERAL: - case CKM_DES_CBC_PAD: - case CKM_DES_KEY_GEN: - case CKM_KEY_WRAP_LYNKS: - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - return CKK_DES; - case CKM_DES3_ECB: - case CKM_DES3_CBC: - case CKM_DES3_MAC: - case CKM_DES3_MAC_GENERAL: - case CKM_DES3_CBC_PAD: - return (len == 16) ? CKK_DES2 : CKK_DES3; - case CKM_DES2_KEY_GEN: - case CKM_PBE_SHA1_DES2_EDE_CBC: - return CKK_DES2; - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_DES3_KEY_GEN: - return CKK_DES3; - case CKM_CDMF_ECB: - case CKM_CDMF_CBC: - case CKM_CDMF_MAC: - case CKM_CDMF_MAC_GENERAL: - case CKM_CDMF_CBC_PAD: - case CKM_CDMF_KEY_GEN: - return CKK_CDMF; - case CKM_RC2_ECB: - case CKM_RC2_CBC: - case CKM_RC2_MAC: - case CKM_RC2_MAC_GENERAL: - case CKM_RC2_CBC_PAD: - case CKM_RC2_KEY_GEN: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - return CKK_RC2; - case CKM_RC4: - case CKM_RC4_KEY_GEN: - return CKK_RC4; - case CKM_RC5_ECB: - case CKM_RC5_CBC: - case CKM_RC5_MAC: - case CKM_RC5_MAC_GENERAL: - case CKM_RC5_CBC_PAD: - case CKM_RC5_KEY_GEN: - return CKK_RC5; - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_SKIPJACK_KEY_GEN: - case CKM_SKIPJACK_WRAP: - case CKM_SKIPJACK_PRIVATE_WRAP: - return CKK_SKIPJACK; - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_BATON_WRAP: - case CKM_BATON_KEY_GEN: - return CKK_BATON; - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - case CKM_JUNIPER_WRAP: - case CKM_JUNIPER_KEY_GEN: - return CKK_JUNIPER; - case CKM_IDEA_CBC: - case CKM_IDEA_ECB: - case CKM_IDEA_MAC: - case CKM_IDEA_MAC_GENERAL: - case CKM_IDEA_CBC_PAD: - case CKM_IDEA_KEY_GEN: - return CKK_IDEA; - case CKM_CAST_ECB: - case CKM_CAST_CBC: - case CKM_CAST_MAC: - case CKM_CAST_MAC_GENERAL: - case CKM_CAST_CBC_PAD: - case CKM_CAST_KEY_GEN: - case CKM_PBE_MD5_CAST_CBC: - return CKK_CAST; - case CKM_CAST3_ECB: - case CKM_CAST3_CBC: - case CKM_CAST3_MAC: - case CKM_CAST3_MAC_GENERAL: - case CKM_CAST3_CBC_PAD: - case CKM_CAST3_KEY_GEN: - case CKM_PBE_MD5_CAST3_CBC: - return CKK_CAST3; - case CKM_CAST5_ECB: - case CKM_CAST5_CBC: - case CKM_CAST5_MAC: - case CKM_CAST5_MAC_GENERAL: - case CKM_CAST5_CBC_PAD: - case CKM_CAST5_KEY_GEN: - case CKM_PBE_MD5_CAST5_CBC: - return CKK_CAST5; - case CKM_RSA_PKCS: - case CKM_RSA_9796: - case CKM_RSA_X_509: - case CKM_MD2_RSA_PKCS: - case CKM_MD5_RSA_PKCS: - case CKM_SHA1_RSA_PKCS: - case CKM_SHA224_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: - case CKM_KEY_WRAP_SET_OAEP: - case CKM_RSA_PKCS_KEY_PAIR_GEN: - case CKM_RSA_X9_31_KEY_PAIR_GEN: - return CKK_RSA; - case CKM_DSA: - case CKM_DSA_SHA1: - case CKM_DSA_KEY_PAIR_GEN: - return CKK_DSA; - case CKM_DH_PKCS_DERIVE: - case CKM_DH_PKCS_KEY_PAIR_GEN: - return CKK_DH; - case CKM_KEA_KEY_DERIVE: - case CKM_KEA_KEY_PAIR_GEN: - return CKK_KEA; - case CKM_ECDSA: - case CKM_ECDSA_SHA1: - case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ - case CKM_ECDH1_DERIVE: - return CKK_EC; /* CKK_ECDSA is deprecated */ - case CKM_SSL3_PRE_MASTER_KEY_GEN: - case CKM_GENERIC_SECRET_KEY_GEN: - case CKM_SSL3_MASTER_KEY_DERIVE: - case CKM_SSL3_MASTER_KEY_DERIVE_DH: - case CKM_SSL3_KEY_AND_MAC_DERIVE: - case CKM_SSL3_SHA1_MAC: - case CKM_SSL3_MD5_MAC: - case CKM_TLS_MASTER_KEY_DERIVE: - case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256: - case CKM_TLS_MASTER_KEY_DERIVE_DH: - case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: - case CKM_TLS_KEY_AND_MAC_DERIVE: - case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: - case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: - case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: - case CKM_SHA_1_HMAC: - case CKM_SHA_1_HMAC_GENERAL: - case CKM_SHA224_HMAC: - case CKM_SHA224_HMAC_GENERAL: - case CKM_SHA256_HMAC: - case CKM_SHA256_HMAC_GENERAL: - case CKM_SHA384_HMAC: - case CKM_SHA384_HMAC_GENERAL: - case CKM_SHA512_HMAC: - case CKM_SHA512_HMAC_GENERAL: - case CKM_MD2_HMAC: - case CKM_MD2_HMAC_GENERAL: - case CKM_MD5_HMAC: - case CKM_MD5_HMAC_GENERAL: - case CKM_TLS_PRF_GENERAL: - case CKM_NSS_TLS_PRF_GENERAL_SHA256: - return CKK_GENERIC_SECRET; - default: - return pk11_lookup(type)->keyType; + case CKM_SEED_ECB: + case CKM_SEED_CBC: + case CKM_SEED_MAC: + case CKM_SEED_MAC_GENERAL: + case CKM_SEED_CBC_PAD: + case CKM_SEED_KEY_GEN: + return CKK_SEED; + case CKM_CAMELLIA_ECB: + case CKM_CAMELLIA_CBC: + case CKM_CAMELLIA_MAC: + case CKM_CAMELLIA_MAC_GENERAL: + case CKM_CAMELLIA_CBC_PAD: + case CKM_CAMELLIA_KEY_GEN: + return CKK_CAMELLIA; + case CKM_NSS_CHACHA20_POLY1305: + case CKM_NSS_CHACHA20_KEY_GEN: + return CKK_NSS_CHACHA20; + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_CCM: + case CKM_AES_CTR: + case CKM_AES_CTS: + case CKM_AES_GCM: + case CKM_AES_MAC: + case CKM_AES_MAC_GENERAL: + case CKM_AES_CBC_PAD: + case CKM_AES_KEY_GEN: + case CKM_NETSCAPE_AES_KEY_WRAP: + case CKM_NETSCAPE_AES_KEY_WRAP_PAD: + return CKK_AES; + case CKM_DES_ECB: + case CKM_DES_CBC: + case CKM_DES_MAC: + case CKM_DES_MAC_GENERAL: + case CKM_DES_CBC_PAD: + case CKM_DES_KEY_GEN: + case CKM_KEY_WRAP_LYNKS: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + return CKK_DES; + case CKM_DES3_ECB: + case CKM_DES3_CBC: + case CKM_DES3_MAC: + case CKM_DES3_MAC_GENERAL: + case CKM_DES3_CBC_PAD: + return (len == 16) ? CKK_DES2 : CKK_DES3; + case CKM_DES2_KEY_GEN: + case CKM_PBE_SHA1_DES2_EDE_CBC: + return CKK_DES2; + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_DES3_KEY_GEN: + return CKK_DES3; + case CKM_CDMF_ECB: + case CKM_CDMF_CBC: + case CKM_CDMF_MAC: + case CKM_CDMF_MAC_GENERAL: + case CKM_CDMF_CBC_PAD: + case CKM_CDMF_KEY_GEN: + return CKK_CDMF; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + case CKM_RC2_MAC: + case CKM_RC2_MAC_GENERAL: + case CKM_RC2_CBC_PAD: + case CKM_RC2_KEY_GEN: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + return CKK_RC2; + case CKM_RC4: + case CKM_RC4_KEY_GEN: + return CKK_RC4; + case CKM_RC5_ECB: + case CKM_RC5_CBC: + case CKM_RC5_MAC: + case CKM_RC5_MAC_GENERAL: + case CKM_RC5_CBC_PAD: + case CKM_RC5_KEY_GEN: + return CKK_RC5; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_SKIPJACK_KEY_GEN: + case CKM_SKIPJACK_WRAP: + case CKM_SKIPJACK_PRIVATE_WRAP: + return CKK_SKIPJACK; + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_BATON_WRAP: + case CKM_BATON_KEY_GEN: + return CKK_BATON; + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + case CKM_JUNIPER_WRAP: + case CKM_JUNIPER_KEY_GEN: + return CKK_JUNIPER; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + case CKM_IDEA_MAC: + case CKM_IDEA_MAC_GENERAL: + case CKM_IDEA_CBC_PAD: + case CKM_IDEA_KEY_GEN: + return CKK_IDEA; + case CKM_CAST_ECB: + case CKM_CAST_CBC: + case CKM_CAST_MAC: + case CKM_CAST_MAC_GENERAL: + case CKM_CAST_CBC_PAD: + case CKM_CAST_KEY_GEN: + case CKM_PBE_MD5_CAST_CBC: + return CKK_CAST; + case CKM_CAST3_ECB: + case CKM_CAST3_CBC: + case CKM_CAST3_MAC: + case CKM_CAST3_MAC_GENERAL: + case CKM_CAST3_CBC_PAD: + case CKM_CAST3_KEY_GEN: + case CKM_PBE_MD5_CAST3_CBC: + return CKK_CAST3; + case CKM_CAST5_ECB: + case CKM_CAST5_CBC: + case CKM_CAST5_MAC: + case CKM_CAST5_MAC_GENERAL: + case CKM_CAST5_CBC_PAD: + case CKM_CAST5_KEY_GEN: + case CKM_PBE_MD5_CAST5_CBC: + return CKK_CAST5; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: + case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: + case CKM_KEY_WRAP_SET_OAEP: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_X9_31_KEY_PAIR_GEN: + return CKK_RSA; + case CKM_DSA: + case CKM_DSA_SHA1: + case CKM_DSA_KEY_PAIR_GEN: + return CKK_DSA; + case CKM_DH_PKCS_DERIVE: + case CKM_DH_PKCS_KEY_PAIR_GEN: + return CKK_DH; + case CKM_KEA_KEY_DERIVE: + case CKM_KEA_KEY_PAIR_GEN: + return CKK_KEA; + case CKM_ECDSA: + case CKM_ECDSA_SHA1: + case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ + case CKM_ECDH1_DERIVE: + return CKK_EC; /* CKK_ECDSA is deprecated */ + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_GENERIC_SECRET_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_MASTER_KEY_DERIVE_DH: + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256: + case CKM_TLS_MASTER_KEY_DERIVE_DH: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: + case CKM_SHA_1_HMAC: + case CKM_SHA_1_HMAC_GENERAL: + case CKM_SHA224_HMAC: + case CKM_SHA224_HMAC_GENERAL: + case CKM_SHA256_HMAC: + case CKM_SHA256_HMAC_GENERAL: + case CKM_SHA384_HMAC: + case CKM_SHA384_HMAC_GENERAL: + case CKM_SHA512_HMAC: + case CKM_SHA512_HMAC_GENERAL: + case CKM_MD2_HMAC: + case CKM_MD2_HMAC_GENERAL: + case CKM_MD5_HMAC: + case CKM_MD5_HMAC_GENERAL: + case CKM_TLS_PRF_GENERAL: + case CKM_NSS_TLS_PRF_GENERAL_SHA256: + return CKK_GENERIC_SECRET; + default: + return pk11_lookup(type)->keyType; } } /* - * Get the Key Gen Mechanism needed for the given + * Get the Key Gen Mechanism needed for the given * crypto mechanism */ CK_MECHANISM_TYPE @@ -417,208 +425,210 @@ CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size) { switch (type) { - case CKM_SEED_ECB: - case CKM_SEED_CBC: - case CKM_SEED_MAC: - case CKM_SEED_MAC_GENERAL: - case CKM_SEED_CBC_PAD: - case CKM_SEED_KEY_GEN: - return CKM_SEED_KEY_GEN; - case CKM_CAMELLIA_ECB: - case CKM_CAMELLIA_CBC: - case CKM_CAMELLIA_MAC: - case CKM_CAMELLIA_MAC_GENERAL: - case CKM_CAMELLIA_CBC_PAD: - case CKM_CAMELLIA_KEY_GEN: - return CKM_CAMELLIA_KEY_GEN; - case CKM_AES_ECB: - case CKM_AES_CBC: - case CKM_AES_CCM: - case CKM_AES_CTR: - case CKM_AES_CTS: - case CKM_AES_GCM: - case CKM_AES_MAC: - case CKM_AES_MAC_GENERAL: - case CKM_AES_CBC_PAD: - case CKM_AES_KEY_GEN: - return CKM_AES_KEY_GEN; - case CKM_DES_ECB: - case CKM_DES_CBC: - case CKM_DES_MAC: - case CKM_DES_MAC_GENERAL: - case CKM_KEY_WRAP_LYNKS: - case CKM_DES_CBC_PAD: - case CKM_DES_KEY_GEN: - return CKM_DES_KEY_GEN; - case CKM_DES3_ECB: - case CKM_DES3_CBC: - case CKM_DES3_MAC: - case CKM_DES3_MAC_GENERAL: - case CKM_DES3_CBC_PAD: - return (size == 16) ? CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN; - case CKM_DES3_KEY_GEN: - return CKM_DES3_KEY_GEN; - case CKM_DES2_KEY_GEN: - return CKM_DES2_KEY_GEN; - case CKM_CDMF_ECB: - case CKM_CDMF_CBC: - case CKM_CDMF_MAC: - case CKM_CDMF_MAC_GENERAL: - case CKM_CDMF_CBC_PAD: - case CKM_CDMF_KEY_GEN: - return CKM_CDMF_KEY_GEN; - case CKM_RC2_ECB: - case CKM_RC2_CBC: - case CKM_RC2_MAC: - case CKM_RC2_MAC_GENERAL: - case CKM_RC2_CBC_PAD: - case CKM_RC2_KEY_GEN: - return CKM_RC2_KEY_GEN; - case CKM_RC4: - case CKM_RC4_KEY_GEN: - return CKM_RC4_KEY_GEN; - case CKM_RC5_ECB: - case CKM_RC5_CBC: - case CKM_RC5_MAC: - case CKM_RC5_MAC_GENERAL: - case CKM_RC5_CBC_PAD: - case CKM_RC5_KEY_GEN: - return CKM_RC5_KEY_GEN; - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_SKIPJACK_WRAP: - case CKM_SKIPJACK_KEY_GEN: - return CKM_SKIPJACK_KEY_GEN; - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_BATON_WRAP: - case CKM_BATON_KEY_GEN: - return CKM_BATON_KEY_GEN; - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - case CKM_JUNIPER_WRAP: - case CKM_JUNIPER_KEY_GEN: - return CKM_JUNIPER_KEY_GEN; - case CKM_IDEA_CBC: - case CKM_IDEA_ECB: - case CKM_IDEA_MAC: - case CKM_IDEA_MAC_GENERAL: - case CKM_IDEA_CBC_PAD: - case CKM_IDEA_KEY_GEN: - return CKM_IDEA_KEY_GEN; - case CKM_CAST_ECB: - case CKM_CAST_CBC: - case CKM_CAST_MAC: - case CKM_CAST_MAC_GENERAL: - case CKM_CAST_CBC_PAD: - case CKM_CAST_KEY_GEN: - return CKM_CAST_KEY_GEN; - case CKM_CAST3_ECB: - case CKM_CAST3_CBC: - case CKM_CAST3_MAC: - case CKM_CAST3_MAC_GENERAL: - case CKM_CAST3_CBC_PAD: - case CKM_CAST3_KEY_GEN: - return CKM_CAST3_KEY_GEN; - case CKM_CAST5_ECB: - case CKM_CAST5_CBC: - case CKM_CAST5_MAC: - case CKM_CAST5_MAC_GENERAL: - case CKM_CAST5_CBC_PAD: - case CKM_CAST5_KEY_GEN: - return CKM_CAST5_KEY_GEN; - case CKM_RSA_PKCS: - case CKM_RSA_9796: - case CKM_RSA_X_509: - case CKM_MD2_RSA_PKCS: - case CKM_MD5_RSA_PKCS: - case CKM_SHA1_RSA_PKCS: - case CKM_SHA224_RSA_PKCS: - case CKM_SHA256_RSA_PKCS: - case CKM_SHA384_RSA_PKCS: - case CKM_SHA512_RSA_PKCS: - case CKM_KEY_WRAP_SET_OAEP: - case CKM_RSA_PKCS_KEY_PAIR_GEN: - return CKM_RSA_PKCS_KEY_PAIR_GEN; - case CKM_RSA_X9_31_KEY_PAIR_GEN: - return CKM_RSA_X9_31_KEY_PAIR_GEN; - case CKM_DSA: - case CKM_DSA_SHA1: - case CKM_DSA_KEY_PAIR_GEN: - return CKM_DSA_KEY_PAIR_GEN; - case CKM_DH_PKCS_DERIVE: - case CKM_DH_PKCS_KEY_PAIR_GEN: - return CKM_DH_PKCS_KEY_PAIR_GEN; - case CKM_KEA_KEY_DERIVE: - case CKM_KEA_KEY_PAIR_GEN: - return CKM_KEA_KEY_PAIR_GEN; - case CKM_ECDSA: - case CKM_ECDSA_SHA1: - case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ - case CKM_ECDH1_DERIVE: - return CKM_EC_KEY_PAIR_GEN; - case CKM_SSL3_PRE_MASTER_KEY_GEN: - case CKM_SSL3_MASTER_KEY_DERIVE: - case CKM_SSL3_KEY_AND_MAC_DERIVE: - case CKM_SSL3_SHA1_MAC: - case CKM_SSL3_MD5_MAC: - case CKM_TLS_MASTER_KEY_DERIVE: - case CKM_TLS_KEY_AND_MAC_DERIVE: - case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: - case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: - case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: - return CKM_SSL3_PRE_MASTER_KEY_GEN; - case CKM_SHA_1_HMAC: - case CKM_SHA_1_HMAC_GENERAL: - case CKM_SHA224_HMAC: - case CKM_SHA224_HMAC_GENERAL: - case CKM_SHA256_HMAC: - case CKM_SHA256_HMAC_GENERAL: - case CKM_SHA384_HMAC: - case CKM_SHA384_HMAC_GENERAL: - case CKM_SHA512_HMAC: - case CKM_SHA512_HMAC_GENERAL: - case CKM_MD2_HMAC: - case CKM_MD2_HMAC_GENERAL: - case CKM_MD5_HMAC: - case CKM_MD5_HMAC_GENERAL: - case CKM_TLS_PRF_GENERAL: - case CKM_NSS_TLS_PRF_GENERAL_SHA256: - case CKM_GENERIC_SECRET_KEY_GEN: - return CKM_GENERIC_SECRET_KEY_GEN; - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_PBA_SHA1_WITH_SHA1_HMAC: - case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - case CKM_PKCS5_PBKD2: - return type; - default: - return pk11_lookup(type)->keyGen; + case CKM_SEED_ECB: + case CKM_SEED_CBC: + case CKM_SEED_MAC: + case CKM_SEED_MAC_GENERAL: + case CKM_SEED_CBC_PAD: + case CKM_SEED_KEY_GEN: + return CKM_SEED_KEY_GEN; + case CKM_CAMELLIA_ECB: + case CKM_CAMELLIA_CBC: + case CKM_CAMELLIA_MAC: + case CKM_CAMELLIA_MAC_GENERAL: + case CKM_CAMELLIA_CBC_PAD: + case CKM_CAMELLIA_KEY_GEN: + return CKM_CAMELLIA_KEY_GEN; + case CKM_NSS_CHACHA20_POLY1305: + return CKM_NSS_CHACHA20_KEY_GEN; + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_CCM: + case CKM_AES_CTR: + case CKM_AES_CTS: + case CKM_AES_GCM: + case CKM_AES_MAC: + case CKM_AES_MAC_GENERAL: + case CKM_AES_CBC_PAD: + case CKM_AES_KEY_GEN: + return CKM_AES_KEY_GEN; + case CKM_DES_ECB: + case CKM_DES_CBC: + case CKM_DES_MAC: + case CKM_DES_MAC_GENERAL: + case CKM_KEY_WRAP_LYNKS: + case CKM_DES_CBC_PAD: + case CKM_DES_KEY_GEN: + return CKM_DES_KEY_GEN; + case CKM_DES3_ECB: + case CKM_DES3_CBC: + case CKM_DES3_MAC: + case CKM_DES3_MAC_GENERAL: + case CKM_DES3_CBC_PAD: + return (size == 16) ? CKM_DES2_KEY_GEN : CKM_DES3_KEY_GEN; + case CKM_DES3_KEY_GEN: + return CKM_DES3_KEY_GEN; + case CKM_DES2_KEY_GEN: + return CKM_DES2_KEY_GEN; + case CKM_CDMF_ECB: + case CKM_CDMF_CBC: + case CKM_CDMF_MAC: + case CKM_CDMF_MAC_GENERAL: + case CKM_CDMF_CBC_PAD: + case CKM_CDMF_KEY_GEN: + return CKM_CDMF_KEY_GEN; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + case CKM_RC2_MAC: + case CKM_RC2_MAC_GENERAL: + case CKM_RC2_CBC_PAD: + case CKM_RC2_KEY_GEN: + return CKM_RC2_KEY_GEN; + case CKM_RC4: + case CKM_RC4_KEY_GEN: + return CKM_RC4_KEY_GEN; + case CKM_RC5_ECB: + case CKM_RC5_CBC: + case CKM_RC5_MAC: + case CKM_RC5_MAC_GENERAL: + case CKM_RC5_CBC_PAD: + case CKM_RC5_KEY_GEN: + return CKM_RC5_KEY_GEN; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_SKIPJACK_WRAP: + case CKM_SKIPJACK_KEY_GEN: + return CKM_SKIPJACK_KEY_GEN; + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_BATON_WRAP: + case CKM_BATON_KEY_GEN: + return CKM_BATON_KEY_GEN; + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + case CKM_JUNIPER_WRAP: + case CKM_JUNIPER_KEY_GEN: + return CKM_JUNIPER_KEY_GEN; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + case CKM_IDEA_MAC: + case CKM_IDEA_MAC_GENERAL: + case CKM_IDEA_CBC_PAD: + case CKM_IDEA_KEY_GEN: + return CKM_IDEA_KEY_GEN; + case CKM_CAST_ECB: + case CKM_CAST_CBC: + case CKM_CAST_MAC: + case CKM_CAST_MAC_GENERAL: + case CKM_CAST_CBC_PAD: + case CKM_CAST_KEY_GEN: + return CKM_CAST_KEY_GEN; + case CKM_CAST3_ECB: + case CKM_CAST3_CBC: + case CKM_CAST3_MAC: + case CKM_CAST3_MAC_GENERAL: + case CKM_CAST3_CBC_PAD: + case CKM_CAST3_KEY_GEN: + return CKM_CAST3_KEY_GEN; + case CKM_CAST5_ECB: + case CKM_CAST5_CBC: + case CKM_CAST5_MAC: + case CKM_CAST5_MAC_GENERAL: + case CKM_CAST5_CBC_PAD: + case CKM_CAST5_KEY_GEN: + return CKM_CAST5_KEY_GEN; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: + case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: + case CKM_KEY_WRAP_SET_OAEP: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + return CKM_RSA_PKCS_KEY_PAIR_GEN; + case CKM_RSA_X9_31_KEY_PAIR_GEN: + return CKM_RSA_X9_31_KEY_PAIR_GEN; + case CKM_DSA: + case CKM_DSA_SHA1: + case CKM_DSA_KEY_PAIR_GEN: + return CKM_DSA_KEY_PAIR_GEN; + case CKM_DH_PKCS_DERIVE: + case CKM_DH_PKCS_KEY_PAIR_GEN: + return CKM_DH_PKCS_KEY_PAIR_GEN; + case CKM_KEA_KEY_DERIVE: + case CKM_KEA_KEY_PAIR_GEN: + return CKM_KEA_KEY_PAIR_GEN; + case CKM_ECDSA: + case CKM_ECDSA_SHA1: + case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ + case CKM_ECDH1_DERIVE: + return CKM_EC_KEY_PAIR_GEN; + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE: + case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: + return CKM_SSL3_PRE_MASTER_KEY_GEN; + case CKM_SHA_1_HMAC: + case CKM_SHA_1_HMAC_GENERAL: + case CKM_SHA224_HMAC: + case CKM_SHA224_HMAC_GENERAL: + case CKM_SHA256_HMAC: + case CKM_SHA256_HMAC_GENERAL: + case CKM_SHA384_HMAC: + case CKM_SHA384_HMAC_GENERAL: + case CKM_SHA512_HMAC: + case CKM_SHA512_HMAC_GENERAL: + case CKM_MD2_HMAC: + case CKM_MD2_HMAC_GENERAL: + case CKM_MD5_HMAC: + case CKM_MD5_HMAC_GENERAL: + case CKM_TLS_PRF_GENERAL: + case CKM_NSS_TLS_PRF_GENERAL_SHA256: + case CKM_GENERIC_SECRET_KEY_GEN: + return CKM_GENERIC_SECRET_KEY_GEN; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_PBA_SHA1_WITH_SHA1_HMAC: + case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PKCS5_PBKD2: + return type; + default: + return pk11_lookup(type)->keyGen; } } @@ -626,98 +636,98 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size) * get the mechanism block size */ int -PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params) +PK11_GetBlockSize(CK_MECHANISM_TYPE type, SECItem *params) { CK_RC5_PARAMS *rc5_params; CK_RC5_CBC_PARAMS *rc5_cbc_params; switch (type) { - case CKM_RC5_ECB: - if ((params) && (params->data)) { - rc5_params = (CK_RC5_PARAMS *) params->data; - return (rc5_params->ulWordsize)*2; - } - return 8; - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - if ((params) && (params->data)) { - rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data; - return (rc5_cbc_params->ulWordsize)*2; - } - return 8; - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_RC2_ECB: - case CKM_IDEA_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - case CKM_RC2_CBC: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_RC2_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - return 8; - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - return 4; - case CKM_SEED_ECB: - case CKM_SEED_CBC: - case CKM_SEED_CBC_PAD: - case CKM_CAMELLIA_ECB: - case CKM_CAMELLIA_CBC: - case CKM_CAMELLIA_CBC_PAD: - case CKM_AES_ECB: - case CKM_AES_CBC: - case CKM_AES_CBC_PAD: - case CKM_BATON_ECB128: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - return 16; - case CKM_BATON_ECB96: - return 12; - case CKM_RC4: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - return 0; - case CKM_RSA_PKCS: - case CKM_RSA_9796: - case CKM_RSA_X_509: - /*actually it's the modulus length of the key!*/ - return -1; /* failure */ - default: - return pk11_lookup(type)->blockSize; + case CKM_RC5_ECB: + if ((params) && (params->data)) { + rc5_params = (CK_RC5_PARAMS *)params->data; + return (rc5_params->ulWordsize) * 2; + } + return 8; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + if ((params) && (params->data)) { + rc5_cbc_params = (CK_RC5_CBC_PARAMS *)params->data; + return (rc5_cbc_params->ulWordsize) * 2; + } + return 8; + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RC2_ECB: + case CKM_IDEA_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC2_CBC: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_RC2_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + return 8; + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + return 4; + case CKM_SEED_ECB: + case CKM_SEED_CBC: + case CKM_SEED_CBC_PAD: + case CKM_CAMELLIA_ECB: + case CKM_CAMELLIA_CBC: + case CKM_CAMELLIA_CBC_PAD: + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_CBC_PAD: + case CKM_BATON_ECB128: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + return 16; + case CKM_BATON_ECB96: + return 12; + case CKM_RC4: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return 0; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + /*actually it's the modulus length of the key!*/ + return -1; /* failure */ + default: + return pk11_lookup(type)->blockSize; } } @@ -728,87 +738,86 @@ int PK11_GetIVLength(CK_MECHANISM_TYPE type) { switch (type) { - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_RC2_ECB: - case CKM_IDEA_ECB: - case CKM_SKIPJACK_WRAP: - case CKM_BATON_WRAP: - case CKM_RC5_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - return 0; - case CKM_RC2_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - case CKM_RC5_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_RC2_CBC_PAD: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_RC5_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - return 8; - case CKM_SEED_CBC: - case CKM_SEED_CBC_PAD: - case CKM_CAMELLIA_CBC: - case CKM_CAMELLIA_CBC_PAD: - case CKM_AES_CBC: - case CKM_AES_CBC_PAD: - return 16; - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - return 24; - case CKM_RC4: - case CKM_RSA_PKCS: - case CKM_RSA_9796: - case CKM_RSA_X_509: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - return 0; - default: - return pk11_lookup(type)->iv; + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RC2_ECB: + case CKM_IDEA_ECB: + case CKM_SKIPJACK_WRAP: + case CKM_BATON_WRAP: + case CKM_RC5_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + return 0; + case CKM_RC2_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_RC5_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_RC2_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_RC5_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + return 8; + case CKM_SEED_CBC: + case CKM_SEED_CBC_PAD: + case CKM_CAMELLIA_CBC: + case CKM_CAMELLIA_CBC_PAD: + case CKM_AES_CBC: + case CKM_AES_CBC_PAD: + return 16; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + return 24; + case CKM_RC4: + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return 0; + default: + return pk11_lookup(type)->iv; } } - /* These next two utilities are here to help facilitate future * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions * like SSL and S-MIME to automatically add them. @@ -823,136 +832,141 @@ pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, SECItem *iv, int keyLen) SECItem *param; param = (SECItem *)PORT_Alloc(sizeof(SECItem)); - if (param == NULL) return NULL; + if (param == NULL) + return NULL; param->data = NULL; param->len = 0; param->type = 0; switch (type) { - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_RSA_PKCS: - case CKM_RSA_X_509: - case CKM_RSA_9796: - case CKM_IDEA_ECB: - case CKM_CDMF_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - case CKM_RC4: - break; - case CKM_RC2_ECB: - rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); - if (rc2_ecb_params == NULL) break; - /* Maybe we should pass the key size in too to get this value? */ - *rc2_ecb_params = keyLen ? keyLen*8 : 128; - param->data = (unsigned char *) rc2_ecb_params; - param->len = sizeof(CK_RC2_PARAMS); - break; - case CKM_RC2_CBC: - case CKM_RC2_CBC_PAD: - rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); - if (rc2_params == NULL) break; - /* Maybe we should pass the key size in too to get this value? */ - rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128; - if (iv && iv->data) - PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv)); - param->data = (unsigned char *) rc2_params; - param->len = sizeof(CK_RC2_CBC_PARAMS); - break; - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - rc5_cbc_params = (CK_RC5_CBC_PARAMS *) - PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0)); - if (rc5_cbc_params == NULL) break; - if (iv && iv->data && iv->len) { - rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params) - + sizeof(CK_RC5_CBC_PARAMS); - PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len); - rc5_cbc_params->ulIvLen = iv->len; - rc5_cbc_params->ulWordsize = iv->len/2; - } else { - rc5_cbc_params->ulWordsize = 4; - rc5_cbc_params->pIv = NULL; - rc5_cbc_params->ulIvLen = 0; - } - rc5_cbc_params->ulRounds = 16; - param->data = (unsigned char *) rc5_cbc_params; - param->len = sizeof(CK_RC5_CBC_PARAMS); - break; - case CKM_RC5_ECB: - rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS)); - if (rc5_params == NULL) break; - if (iv && iv->data && iv->len) { - rc5_params->ulWordsize = iv->len/2; - } else { - rc5_params->ulWordsize = 4; - } - rc5_params->ulRounds = 16; - param->data = (unsigned char *) rc5_params; - param->len = sizeof(CK_RC5_PARAMS); - break; - - case CKM_SEED_CBC: - case CKM_CAMELLIA_CBC: - case CKM_AES_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CDMF_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_CAMELLIA_CBC_PAD: - case CKM_AES_CBC_PAD: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CDMF_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - if ((iv == NULL) || (iv->data == NULL)) break; - param->data = (unsigned char*)PORT_Alloc(iv->len); - if (param->data != NULL) { - PORT_Memcpy(param->data,iv->data,iv->len); - param->len = iv->len; - } - break; - /* unknown mechanism, pass IV in if it's there */ - default: - if (pk11_lookup(type)->iv == 0) { - break; - } - if ((iv == NULL) || (iv->data == NULL)) { - break; - } - param->data = (unsigned char*)PORT_Alloc(iv->len); - if (param->data != NULL) { - PORT_Memcpy(param->data,iv->data,iv->len); - param->len = iv->len; - } - break; - } - return param; + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RSA_PKCS: + case CKM_RSA_X_509: + case CKM_RSA_9796: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC4: + break; + case CKM_RC2_ECB: + rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); + if (rc2_ecb_params == NULL) + break; + /* Maybe we should pass the key size in too to get this value? */ + *rc2_ecb_params = keyLen ? keyLen * 8 : 128; + param->data = (unsigned char *)rc2_ecb_params; + param->len = sizeof(CK_RC2_PARAMS); + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); + if (rc2_params == NULL) + break; + /* Maybe we should pass the key size in too to get this value? */ + rc2_params->ulEffectiveBits = keyLen ? keyLen * 8 : 128; + if (iv && iv->data) + PORT_Memcpy(rc2_params->iv, iv->data, sizeof(rc2_params->iv)); + param->data = (unsigned char *)rc2_params; + param->len = sizeof(CK_RC2_CBC_PARAMS); + break; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_cbc_params = (CK_RC5_CBC_PARAMS *) + PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0)); + if (rc5_cbc_params == NULL) + break; + if (iv && iv->data && iv->len) { + rc5_cbc_params->pIv = ((CK_BYTE_PTR)rc5_cbc_params) + sizeof(CK_RC5_CBC_PARAMS); + PORT_Memcpy(rc5_cbc_params->pIv, iv->data, iv->len); + rc5_cbc_params->ulIvLen = iv->len; + rc5_cbc_params->ulWordsize = iv->len / 2; + } else { + rc5_cbc_params->ulWordsize = 4; + rc5_cbc_params->pIv = NULL; + rc5_cbc_params->ulIvLen = 0; + } + rc5_cbc_params->ulRounds = 16; + param->data = (unsigned char *)rc5_cbc_params; + param->len = sizeof(CK_RC5_CBC_PARAMS); + break; + case CKM_RC5_ECB: + rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS)); + if (rc5_params == NULL) + break; + if (iv && iv->data && iv->len) { + rc5_params->ulWordsize = iv->len / 2; + } else { + rc5_params->ulWordsize = 4; + } + rc5_params->ulRounds = 16; + param->data = (unsigned char *)rc5_params; + param->len = sizeof(CK_RC5_PARAMS); + break; + + case CKM_SEED_CBC: + case CKM_CAMELLIA_CBC: + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_CAMELLIA_CBC_PAD: + case CKM_AES_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + if ((iv == NULL) || (iv->data == NULL)) + break; + param->data = (unsigned char *)PORT_Alloc(iv->len); + if (param->data != NULL) { + PORT_Memcpy(param->data, iv->data, iv->len); + param->len = iv->len; + } + break; + /* unknown mechanism, pass IV in if it's there */ + default: + if (pk11_lookup(type)->iv == 0) { + break; + } + if ((iv == NULL) || (iv->data == NULL)) { + break; + } + param->data = (unsigned char *)PORT_Alloc(iv->len); + if (param->data != NULL) { + PORT_Memcpy(param->data, iv->data, iv->len); + param->len = iv->len; + } + break; + } + return param; } /* These next two utilities are here to help facilitate future @@ -960,90 +974,90 @@ pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, SECItem *iv, int keyLen) * like SSL and S-MIME to automatically add them. */ SECItem * -PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) +PK11_ParamFromIV(CK_MECHANISM_TYPE type, SECItem *iv) { return pk11_ParamFromIVWithLen(type, iv, 0); } unsigned char * -PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len) +PK11_IVFromParam(CK_MECHANISM_TYPE type, SECItem *param, int *len) { CK_RC2_CBC_PARAMS *rc2_params; CK_RC5_CBC_PARAMS *rc5_cbc_params; *len = 0; switch (type) { - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_RSA_PKCS: - case CKM_RSA_X_509: - case CKM_RSA_9796: - case CKM_IDEA_ECB: - case CKM_CDMF_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - case CKM_RC4: - return NULL; - case CKM_RC2_ECB: - return NULL; - case CKM_RC2_CBC: - case CKM_RC2_CBC_PAD: - rc2_params = (CK_RC2_CBC_PARAMS *)param->data; - *len = sizeof(rc2_params->iv); - return &rc2_params->iv[0]; - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data; - *len = rc5_cbc_params->ulIvLen; - return rc5_cbc_params->pIv; - case CKM_SEED_CBC: - case CKM_CAMELLIA_CBC: - case CKM_AES_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CDMF_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_CAMELLIA_CBC_PAD: - case CKM_AES_CBC_PAD: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CDMF_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - break; - /* unknown mechanism, pass IV in if it's there */ - default: - break; - } - if (param->data) { - *len = param->len; - } - return param->data; + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RSA_PKCS: + case CKM_RSA_X_509: + case CKM_RSA_9796: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC4: + return NULL; + case CKM_RC2_ECB: + return NULL; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + *len = sizeof(rc2_params->iv); + return &rc2_params->iv[0]; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_cbc_params = (CK_RC5_CBC_PARAMS *)param->data; + *len = rc5_cbc_params->ulIvLen; + return rc5_cbc_params->pIv; + case CKM_SEED_CBC: + case CKM_CAMELLIA_CBC: + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_CAMELLIA_CBC_PAD: + case CKM_AES_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + break; + /* unknown mechanism, pass IV in if it's there */ + default: + break; + } + if (param->data) { + *len = param->len; + } + return param->data; } typedef struct sec_rc5cbcParameterStr { @@ -1055,27 +1069,27 @@ typedef struct sec_rc5cbcParameterStr { static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(sec_rc5cbcParameter) }, + 0, NULL, sizeof(sec_rc5cbcParameter) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,version) }, + offsetof(sec_rc5cbcParameter, version) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,rounds) }, + offsetof(sec_rc5cbcParameter, rounds) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,blockSizeInBits) }, + offsetof(sec_rc5cbcParameter, blockSizeInBits) }, { 0 } }; static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(sec_rc5cbcParameter) }, + 0, NULL, sizeof(sec_rc5cbcParameter) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,version) }, + offsetof(sec_rc5cbcParameter, version) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,rounds) }, + offsetof(sec_rc5cbcParameter, rounds) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc5cbcParameter,blockSizeInBits) }, + offsetof(sec_rc5cbcParameter, blockSizeInBits) }, { SEC_ASN1_OCTET_STRING, - offsetof(sec_rc5cbcParameter,iv) }, + offsetof(sec_rc5cbcParameter, iv) }, { 0 } }; @@ -1086,430 +1100,435 @@ typedef struct sec_rc2cbcParameterStr { static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(sec_rc2cbcParameter) }, + 0, NULL, sizeof(sec_rc2cbcParameter) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc2cbcParameter,rc2ParameterVersion) }, + offsetof(sec_rc2cbcParameter, rc2ParameterVersion) }, { SEC_ASN1_OCTET_STRING, - offsetof(sec_rc2cbcParameter,iv) }, + offsetof(sec_rc2cbcParameter, iv) }, { 0 } }; static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(sec_rc2cbcParameter) }, + 0, NULL, sizeof(sec_rc2cbcParameter) }, { SEC_ASN1_INTEGER, - offsetof(sec_rc2cbcParameter,rc2ParameterVersion) }, + offsetof(sec_rc2cbcParameter, rc2ParameterVersion) }, { 0 } }; /* S/MIME picked id values to represent differnt keysizes */ /* I do have a formula, but it ain't pretty, and it only works because you * can always match three points to a parabola:) */ -static unsigned char rc2_map(SECItem *version) +static unsigned char +rc2_map(SECItem *version) { long x; x = DER_GetInteger(version); - + switch (x) { - case 58: return 128; - case 120: return 64; - case 160: return 40; + case 58: + return 128; + case 120: + return 64; + case 160: + return 40; } - return 128; + return 128; } -static unsigned long rc2_unmap(unsigned long x) +static unsigned long +rc2_unmap(unsigned long x) { switch (x) { - case 128: return 58; - case 64: return 120; - case 40: return 160; + case 128: + return 58; + case 64: + return 120; + case 40: + return 160; } - return 58; + return 58; } - - /* Generate a mechaism param from a type, and iv. */ SECItem * PK11_ParamFromAlgid(SECAlgorithmID *algid) { - CK_RC2_CBC_PARAMS * rc2_cbc_params = NULL; - CK_RC2_PARAMS * rc2_ecb_params = NULL; - CK_RC5_CBC_PARAMS * rc5_cbc_params = NULL; - CK_RC5_PARAMS * rc5_ecb_params = NULL; - PLArenaPool * arena = NULL; - SECItem * mech = NULL; - SECOidTag algtag; - SECStatus rv; - CK_MECHANISM_TYPE type; + CK_RC2_CBC_PARAMS *rc2_cbc_params = NULL; + CK_RC2_PARAMS *rc2_ecb_params = NULL; + CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL; + CK_RC5_PARAMS *rc5_ecb_params = NULL; + PLArenaPool *arena = NULL; + SECItem *mech = NULL; + SECOidTag algtag; + SECStatus rv; + CK_MECHANISM_TYPE type; /* initialize these to prevent UMRs in the ASN1 decoder. */ - SECItem iv = {siBuffer, NULL, 0}; - sec_rc2cbcParameter rc2 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0} }; - sec_rc5cbcParameter rc5 = { {siBuffer, NULL, 0}, {siBuffer, NULL, 0}, - {siBuffer, NULL, 0}, {siBuffer, NULL, 0} }; + SECItem iv = { siBuffer, NULL, 0 }; + sec_rc2cbcParameter rc2 = { { siBuffer, NULL, 0 }, { siBuffer, NULL, 0 } }; + sec_rc5cbcParameter rc5 = { { siBuffer, NULL, 0 }, { siBuffer, NULL, 0 }, { siBuffer, NULL, 0 }, { siBuffer, NULL, 0 } }; algtag = SECOID_GetAlgorithmTag(algid); type = PK11_AlgtagToMechanism(algtag); mech = PORT_New(SECItem); if (mech == NULL) { - return NULL; + return NULL; } mech->type = siBuffer; mech->data = NULL; - mech->len = 0; + mech->len = 0; arena = PORT_NewArena(1024); if (!arena) { - goto loser; + goto loser; } /* handle the complicated cases */ switch (type) { - case CKM_RC2_ECB: - rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2ecb_parameter_template, - &(algid->parameters)); - if (rv != SECSuccess) { - goto loser; - } - rc2_ecb_params = PORT_New(CK_RC2_PARAMS); - if (rc2_ecb_params == NULL) { - goto loser; - } - *rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion); - mech->data = (unsigned char *) rc2_ecb_params; - mech->len = sizeof *rc2_ecb_params; - break; - case CKM_RC2_CBC: - case CKM_RC2_CBC_PAD: - rv = SEC_ASN1DecodeItem(arena, &rc2 ,sec_rc2cbc_parameter_template, - &(algid->parameters)); - if (rv != SECSuccess) { - goto loser; - } - rc2_cbc_params = PORT_New(CK_RC2_CBC_PARAMS); - if (rc2_cbc_params == NULL) { - goto loser; - } - mech->data = (unsigned char *) rc2_cbc_params; - mech->len = sizeof *rc2_cbc_params; - rc2_cbc_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion); - if (rc2.iv.len != sizeof rc2_cbc_params->iv) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - goto loser; - } - PORT_Memcpy(rc2_cbc_params->iv, rc2.iv.data, rc2.iv.len); - break; - case CKM_RC5_ECB: - rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5ecb_parameter_template, - &(algid->parameters)); - if (rv != SECSuccess) { - goto loser; - } - rc5_ecb_params = PORT_New(CK_RC5_PARAMS); - if (rc5_ecb_params == NULL) { - goto loser; - } - rc5_ecb_params->ulRounds = DER_GetInteger(&rc5.rounds); - rc5_ecb_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8; - mech->data = (unsigned char *) rc5_ecb_params; - mech->len = sizeof *rc5_ecb_params; - break; - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - rv = SEC_ASN1DecodeItem(arena, &rc5 ,sec_rc5cbc_parameter_template, - &(algid->parameters)); - if (rv != SECSuccess) { - goto loser; - } - rc5_cbc_params = (CK_RC5_CBC_PARAMS *) - PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len); - if (rc5_cbc_params == NULL) { - goto loser; - } - mech->data = (unsigned char *) rc5_cbc_params; - mech->len = sizeof *rc5_cbc_params; - rc5_cbc_params->ulRounds = DER_GetInteger(&rc5.rounds); - rc5_cbc_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8; - rc5_cbc_params->pIv = ((CK_BYTE_PTR)rc5_cbc_params) - + sizeof(CK_RC5_CBC_PARAMS); - rc5_cbc_params->ulIvLen = rc5.iv.len; - PORT_Memcpy(rc5_cbc_params->pIv, rc5.iv.data, rc5.iv.len); - break; - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_PBE_SHA1_DES2_EDE_CBC: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - case CKM_PKCS5_PBKD2: - rv = pbe_PK11AlgidToParam(algid,mech); - if (rv != SECSuccess) { - goto loser; - } - break; - case CKM_RC4: - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_IDEA_ECB: - case CKM_CDMF_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - break; - - default: - if (pk11_lookup(type)->iv == 0) { - break; - } - /* FALL THROUGH */ - case CKM_SEED_CBC: - case CKM_CAMELLIA_CBC: - case CKM_AES_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CDMF_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_SEED_CBC_PAD: - case CKM_CAMELLIA_CBC_PAD: - case CKM_AES_CBC_PAD: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CDMF_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - /* simple cases are simply octet string encoded IVs */ - rv = SEC_ASN1DecodeItem(arena, &iv, - SEC_ASN1_GET(SEC_OctetStringTemplate), - &(algid->parameters)); - if (rv != SECSuccess || iv.data == NULL) { - goto loser; - } - /* XXX Should be some IV length sanity check here. */ - mech->data = (unsigned char*)PORT_Alloc(iv.len); - if (mech->data == NULL) { - goto loser; - } - PORT_Memcpy(mech->data, iv.data, iv.len); - mech->len = iv.len; - break; + case CKM_RC2_ECB: + rv = SEC_ASN1DecodeItem(arena, &rc2, sec_rc2ecb_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + goto loser; + } + rc2_ecb_params = PORT_New(CK_RC2_PARAMS); + if (rc2_ecb_params == NULL) { + goto loser; + } + *rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion); + mech->data = (unsigned char *)rc2_ecb_params; + mech->len = sizeof *rc2_ecb_params; + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rv = SEC_ASN1DecodeItem(arena, &rc2, sec_rc2cbc_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + goto loser; + } + rc2_cbc_params = PORT_New(CK_RC2_CBC_PARAMS); + if (rc2_cbc_params == NULL) { + goto loser; + } + mech->data = (unsigned char *)rc2_cbc_params; + mech->len = sizeof *rc2_cbc_params; + rc2_cbc_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion); + if (rc2.iv.len != sizeof rc2_cbc_params->iv) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + goto loser; + } + PORT_Memcpy(rc2_cbc_params->iv, rc2.iv.data, rc2.iv.len); + break; + case CKM_RC5_ECB: + rv = SEC_ASN1DecodeItem(arena, &rc5, sec_rc5ecb_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + goto loser; + } + rc5_ecb_params = PORT_New(CK_RC5_PARAMS); + if (rc5_ecb_params == NULL) { + goto loser; + } + rc5_ecb_params->ulRounds = DER_GetInteger(&rc5.rounds); + rc5_ecb_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits) / 8; + mech->data = (unsigned char *)rc5_ecb_params; + mech->len = sizeof *rc5_ecb_params; + break; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rv = SEC_ASN1DecodeItem(arena, &rc5, sec_rc5cbc_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + goto loser; + } + rc5_cbc_params = (CK_RC5_CBC_PARAMS *) + PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len); + if (rc5_cbc_params == NULL) { + goto loser; + } + mech->data = (unsigned char *)rc5_cbc_params; + mech->len = sizeof *rc5_cbc_params; + rc5_cbc_params->ulRounds = DER_GetInteger(&rc5.rounds); + rc5_cbc_params->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits) / 8; + rc5_cbc_params->pIv = ((CK_BYTE_PTR)rc5_cbc_params) + sizeof(CK_RC5_CBC_PARAMS); + rc5_cbc_params->ulIvLen = rc5.iv.len; + PORT_Memcpy(rc5_cbc_params->pIv, rc5.iv.data, rc5.iv.len); + break; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + case CKM_PKCS5_PBKD2: + rv = pbe_PK11AlgidToParam(algid, mech); + if (rv != SECSuccess) { + goto loser; + } + break; + case CKM_RC4: + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + break; + + default: + if (pk11_lookup(type)->iv == 0) { + break; + } + /* FALL THROUGH */ + case CKM_SEED_CBC: + case CKM_CAMELLIA_CBC: + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_SEED_CBC_PAD: + case CKM_CAMELLIA_CBC_PAD: + case CKM_AES_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + /* simple cases are simply octet string encoded IVs */ + rv = SEC_ASN1DecodeItem(arena, &iv, + SEC_ASN1_GET(SEC_OctetStringTemplate), + &(algid->parameters)); + if (rv != SECSuccess || iv.data == NULL) { + goto loser; + } + /* XXX Should be some IV length sanity check here. */ + mech->data = (unsigned char *)PORT_Alloc(iv.len); + if (mech->data == NULL) { + goto loser; + } + PORT_Memcpy(mech->data, iv.data, iv.len); + mech->len = iv.len; + break; } PORT_FreeArena(arena, PR_FALSE); return mech; loser: if (arena) - PORT_FreeArena(arena, PR_FALSE); - SECITEM_FreeItem(mech,PR_TRUE); + PORT_FreeArena(arena, PR_FALSE); + SECITEM_FreeItem(mech, PR_TRUE); return NULL; } /* - * Generate an IV for the given mechanism + * Generate an IV for the given mechanism */ static SECStatus -pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) { +pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) +{ int iv_size = PK11_GetIVLength(type); SECStatus rv; iv->len = iv_size; - if (iv_size == 0) { - iv->data = NULL; - return SECSuccess; + if (iv_size == 0) { + iv->data = NULL; + return SECSuccess; } - iv->data = (unsigned char *) PORT_Alloc(iv_size); + iv->data = (unsigned char *)PORT_Alloc(iv_size); if (iv->data == NULL) { - iv->len = 0; - return SECFailure; + iv->len = 0; + return SECFailure; } - rv = PK11_GenerateRandom(iv->data,iv->len); + rv = PK11_GenerateRandom(iv->data, iv->len); if (rv != SECSuccess) { - PORT_Free(iv->data); - iv->data = NULL; iv->len = 0; - return SECFailure; + PORT_Free(iv->data); + iv->data = NULL; + iv->len = 0; + return SECFailure; } return SECSuccess; } - /* * create a new parameter block from the passed in MECHANISM and the * key. Use Netscape's S/MIME Rules for the New param block. */ SECItem * -pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) -{ +pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen) +{ CK_RC2_CBC_PARAMS *rc2_params; CK_RC2_PARAMS *rc2_ecb_params; SECItem *mech; SECItem iv; SECStatus rv; - mech = (SECItem *) PORT_Alloc(sizeof(SECItem)); - if (mech == NULL) return NULL; + mech = (SECItem *)PORT_Alloc(sizeof(SECItem)); + if (mech == NULL) + return NULL; rv = SECSuccess; mech->type = siBuffer; mech->data = NULL; mech->len = 0; switch (type) { - case CKM_RC4: - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_IDEA_ECB: - case CKM_CDMF_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - break; - case CKM_RC2_ECB: - rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); - if (rc2_ecb_params == NULL) { - rv = SECFailure; - break; - } - /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, - * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ - *rc2_ecb_params = keyLen ? keyLen*8 : 128; - mech->data = (unsigned char *) rc2_ecb_params; - mech->len = sizeof(CK_RC2_PARAMS); - break; - case CKM_RC2_CBC: - case CKM_RC2_CBC_PAD: - rv = pk11_GenIV(type,&iv); - if (rv != SECSuccess) { - break; - } - rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); - if (rc2_params == NULL) { - PORT_Free(iv.data); - rv = SECFailure; - break; - } - /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, - * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ - rc2_params->ulEffectiveBits = keyLen ? keyLen*8 : 128; - if (iv.data) - PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv)); - mech->data = (unsigned char *) rc2_params; - mech->len = sizeof(CK_RC2_CBC_PARAMS); - PORT_Free(iv.data); - break; - case CKM_RC5_ECB: - PORT_Free(mech); - return PK11_ParamFromIV(type,NULL); - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - rv = pk11_GenIV(type,&iv); - if (rv != SECSuccess) { - break; - } - PORT_Free(mech); - return PK11_ParamFromIV(type,&iv); - default: - if (pk11_lookup(type)->iv == 0) { - break; - } - case CKM_SEED_CBC: - case CKM_CAMELLIA_CBC: - case CKM_AES_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CDMF_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CDMF_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - rv = pk11_GenIV(type,&iv); - if (rv != SECSuccess) { - break; - } - mech->data = (unsigned char*)PORT_Alloc(iv.len); - if (mech->data == NULL) { - PORT_Free(iv.data); - rv = SECFailure; - break; - } - PORT_Memcpy(mech->data,iv.data,iv.len); - mech->len = iv.len; - PORT_Free(iv.data); - break; + case CKM_RC4: + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + break; + case CKM_RC2_ECB: + rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); + if (rc2_ecb_params == NULL) { + rv = SECFailure; + break; + } + /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, + * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ + *rc2_ecb_params = keyLen ? keyLen * 8 : 128; + mech->data = (unsigned char *)rc2_ecb_params; + mech->len = sizeof(CK_RC2_PARAMS); + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rv = pk11_GenIV(type, &iv); + if (rv != SECSuccess) { + break; + } + rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); + if (rc2_params == NULL) { + PORT_Free(iv.data); + rv = SECFailure; + break; + } + /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, + * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ + rc2_params->ulEffectiveBits = keyLen ? keyLen * 8 : 128; + if (iv.data) + PORT_Memcpy(rc2_params->iv, iv.data, sizeof(rc2_params->iv)); + mech->data = (unsigned char *)rc2_params; + mech->len = sizeof(CK_RC2_CBC_PARAMS); + PORT_Free(iv.data); + break; + case CKM_RC5_ECB: + PORT_Free(mech); + return PK11_ParamFromIV(type, NULL); + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rv = pk11_GenIV(type, &iv); + if (rv != SECSuccess) { + break; + } + PORT_Free(mech); + return PK11_ParamFromIV(type, &iv); + default: + if (pk11_lookup(type)->iv == 0) { + break; + } + case CKM_SEED_CBC: + case CKM_CAMELLIA_CBC: + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + rv = pk11_GenIV(type, &iv); + if (rv != SECSuccess) { + break; + } + mech->data = (unsigned char *)PORT_Alloc(iv.len); + if (mech->data == NULL) { + PORT_Free(iv.data); + rv = SECFailure; + break; + } + PORT_Memcpy(mech->data, iv.data, iv.len); + mech->len = iv.len; + PORT_Free(iv.data); + break; } - if (rv != SECSuccess) { - SECITEM_FreeItem(mech,PR_TRUE); - return NULL; + if (rv != SECSuccess) { + SECITEM_FreeItem(mech, PR_TRUE); + return NULL; } return mech; - } SECItem * -PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) -{ - int keyLen = key ? PK11_GetKeyLength(key) : 0; +PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) +{ + int keyLen = key ? PK11_GetKeyLength(key) : 0; return pk11_GenerateNewParamWithKeyLen(type, keyLen); } @@ -1518,8 +1537,9 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) /* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */ SECStatus -PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, - PLArenaPool *arena, SECAlgorithmID *algid) { +PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, + PLArenaPool *arena, SECAlgorithmID *algid) +{ CK_RC2_CBC_PARAMS *rc2_params; sec_rc2cbcParameter rc2; CK_RC5_CBC_PARAMS *rc5_params; @@ -1530,138 +1550,139 @@ PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, unsigned long rc2version; switch (type) { - case CKM_RC4: - case CKM_SEED_ECB: - case CKM_CAMELLIA_ECB: - case CKM_AES_ECB: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_IDEA_ECB: - case CKM_CDMF_ECB: - case CKM_CAST_ECB: - case CKM_CAST3_ECB: - case CKM_CAST5_ECB: - newParams = NULL; - rv = SECSuccess; - break; - case CKM_RC2_ECB: - break; - case CKM_RC2_CBC: - case CKM_RC2_CBC_PAD: - rc2_params = (CK_RC2_CBC_PARAMS *)param->data; - rc2version = rc2_unmap(rc2_params->ulEffectiveBits); - if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion), - rc2version) == NULL) - break; - rc2.iv.data = rc2_params->iv; - rc2.iv.len = sizeof(rc2_params->iv); - newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2, - sec_rc2cbc_parameter_template); - PORT_Free(rc2.rc2ParameterVersion.data); - if (newParams == NULL) - break; - rv = SECSuccess; - break; - - case CKM_RC5_ECB: /* well not really... */ - break; - case CKM_RC5_CBC: - case CKM_RC5_CBC_PAD: - rc5_params = (CK_RC5_CBC_PARAMS *)param->data; - if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL) - break; - if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits, - rc5_params->ulWordsize*8) == NULL) { + case CKM_RC4: + case CKM_SEED_ECB: + case CKM_CAMELLIA_ECB: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + newParams = NULL; + rv = SECSuccess; + break; + case CKM_RC2_ECB: + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + rc2version = rc2_unmap(rc2_params->ulEffectiveBits); + if (SEC_ASN1EncodeUnsignedInteger(NULL, &(rc2.rc2ParameterVersion), + rc2version) == NULL) + break; + rc2.iv.data = rc2_params->iv; + rc2.iv.len = sizeof(rc2_params->iv); + newParams = SEC_ASN1EncodeItem(NULL, NULL, &rc2, + sec_rc2cbc_parameter_template); + PORT_Free(rc2.rc2ParameterVersion.data); + if (newParams == NULL) + break; + rv = SECSuccess; + break; + + case CKM_RC5_ECB: /* well not really... */ + break; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_params = (CK_RC5_CBC_PARAMS *)param->data; + if (SEC_ASN1EncodeUnsignedInteger(NULL, &rc5.version, RC5_V10) == NULL) + break; + if (SEC_ASN1EncodeUnsignedInteger(NULL, &rc5.blockSizeInBits, + rc5_params->ulWordsize * 8) == NULL) { + PORT_Free(rc5.version.data); + break; + } + if (SEC_ASN1EncodeUnsignedInteger(NULL, &rc5.rounds, + rc5_params->ulWordsize * 8) == NULL) { + PORT_Free(rc5.blockSizeInBits.data); + PORT_Free(rc5.version.data); + break; + } + rc5.iv.data = rc5_params->pIv; + rc5.iv.len = rc5_params->ulIvLen; + newParams = SEC_ASN1EncodeItem(NULL, NULL, &rc5, + sec_rc5cbc_parameter_template); PORT_Free(rc5.version.data); - break; - } - if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds, - rc5_params->ulWordsize*8) == NULL) { PORT_Free(rc5.blockSizeInBits.data); - PORT_Free(rc5.version.data); - break; - } - rc5.iv.data = rc5_params->pIv; - rc5.iv.len = rc5_params->ulIvLen; - newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5, - sec_rc5cbc_parameter_template); - PORT_Free(rc5.version.data); - PORT_Free(rc5.blockSizeInBits.data); - PORT_Free(rc5.rounds.data); - if (newParams == NULL) - break; - rv = SECSuccess; - break; - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - case CKM_PBE_SHA1_RC2_128_CBC: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - return PBE_PK11ParamToAlgid(algTag, param, arena, algid); - default: - if (pk11_lookup(type)->iv == 0) { - rv = SECSuccess; - newParams = NULL; - break; - } - case CKM_SEED_CBC: - case CKM_CAMELLIA_CBC: - case CKM_AES_CBC: - case CKM_DES_CBC: - case CKM_DES3_CBC: - case CKM_IDEA_CBC: - case CKM_CDMF_CBC: - case CKM_CAST_CBC: - case CKM_CAST3_CBC: - case CKM_CAST5_CBC: - case CKM_DES_CBC_PAD: - case CKM_DES3_CBC_PAD: - case CKM_IDEA_CBC_PAD: - case CKM_CDMF_CBC_PAD: - case CKM_CAST_CBC_PAD: - case CKM_CAST3_CBC_PAD: - case CKM_CAST5_CBC_PAD: - case CKM_SKIPJACK_CBC64: - case CKM_SKIPJACK_ECB64: - case CKM_SKIPJACK_OFB64: - case CKM_SKIPJACK_CFB64: - case CKM_SKIPJACK_CFB32: - case CKM_SKIPJACK_CFB16: - case CKM_SKIPJACK_CFB8: - case CKM_BATON_ECB128: - case CKM_BATON_ECB96: - case CKM_BATON_CBC128: - case CKM_BATON_COUNTER: - case CKM_BATON_SHUFFLE: - case CKM_JUNIPER_ECB128: - case CKM_JUNIPER_CBC128: - case CKM_JUNIPER_COUNTER: - case CKM_JUNIPER_SHUFFLE: - newParams = SEC_ASN1EncodeItem(NULL,NULL,param, - SEC_ASN1_GET(SEC_OctetStringTemplate) ); - if (newParams == NULL) - break; - rv = SECSuccess; - break; + PORT_Free(rc5.rounds.data); + if (newParams == NULL) + break; + rv = SECSuccess; + break; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return PBE_PK11ParamToAlgid(algTag, param, arena, algid); + default: + if (pk11_lookup(type)->iv == 0) { + rv = SECSuccess; + newParams = NULL; + break; + } + case CKM_SEED_CBC: + case CKM_CAMELLIA_CBC: + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + newParams = SEC_ASN1EncodeItem(NULL, NULL, param, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (newParams == NULL) + break; + rv = SECSuccess; + break; } - if (rv != SECSuccess) { - if (newParams) SECITEM_FreeItem(newParams,PR_TRUE); - return rv; + if (rv != SECSuccess) { + if (newParams) + SECITEM_FreeItem(newParams, PR_TRUE); + return rv; } rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams); - SECITEM_FreeItem(newParams,PR_TRUE); + SECITEM_FreeItem(newParams, PR_TRUE); return rv; } @@ -1669,19 +1690,23 @@ PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, * map OID's directly into the PKCS #11 mechanism we want to call. We find * this mapping in our standard OID table */ CK_MECHANISM_TYPE -PK11_AlgtagToMechanism(SECOidTag algTag) { +PK11_AlgtagToMechanism(SECOidTag algTag) +{ SECOidData *oid = SECOID_FindOIDByTag(algTag); - if (oid) return (CK_MECHANISM_TYPE) oid->mechanism; + if (oid) + return (CK_MECHANISM_TYPE)oid->mechanism; return CKM_INVALID_MECHANISM; } /* turn a mechanism into an oid. */ SECOidTag -PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) { +PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) +{ SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type); - if (oid) return oid->offset; + if (oid) + return oid->offset; return SEC_OID_UNKNOWN; } @@ -1690,149 +1715,150 @@ PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) { * mechanism, we simply return the mechanism. */ CK_MECHANISM_TYPE -PK11_GetPadMechanism(CK_MECHANISM_TYPE type) { - switch(type) { - case CKM_SEED_CBC: - return CKM_SEED_CBC_PAD; - case CKM_CAMELLIA_CBC: - return CKM_CAMELLIA_CBC_PAD; - case CKM_AES_CBC: - return CKM_AES_CBC_PAD; - case CKM_DES_CBC: - return CKM_DES_CBC_PAD; - case CKM_DES3_CBC: - return CKM_DES3_CBC_PAD; - case CKM_RC2_CBC: - return CKM_RC2_CBC_PAD; - case CKM_CDMF_CBC: - return CKM_CDMF_CBC_PAD; - case CKM_CAST_CBC: - return CKM_CAST_CBC_PAD; - case CKM_CAST3_CBC: - return CKM_CAST3_CBC_PAD; - case CKM_CAST5_CBC: - return CKM_CAST5_CBC_PAD; - case CKM_RC5_CBC: - return CKM_RC5_CBC_PAD; - case CKM_IDEA_CBC: - return CKM_IDEA_CBC_PAD; - default: - break; +PK11_GetPadMechanism(CK_MECHANISM_TYPE type) +{ + switch (type) { + case CKM_SEED_CBC: + return CKM_SEED_CBC_PAD; + case CKM_CAMELLIA_CBC: + return CKM_CAMELLIA_CBC_PAD; + case CKM_AES_CBC: + return CKM_AES_CBC_PAD; + case CKM_DES_CBC: + return CKM_DES_CBC_PAD; + case CKM_DES3_CBC: + return CKM_DES3_CBC_PAD; + case CKM_RC2_CBC: + return CKM_RC2_CBC_PAD; + case CKM_CDMF_CBC: + return CKM_CDMF_CBC_PAD; + case CKM_CAST_CBC: + return CKM_CAST_CBC_PAD; + case CKM_CAST3_CBC: + return CKM_CAST3_CBC_PAD; + case CKM_CAST5_CBC: + return CKM_CAST5_CBC_PAD; + case CKM_RC5_CBC: + return CKM_RC5_CBC_PAD; + case CKM_IDEA_CBC: + return CKM_IDEA_CBC_PAD; + default: + break; } return type; } - + static PRBool -pk11_isAllZero(unsigned char *data,int len) { +pk11_isAllZero(unsigned char *data, int len) +{ while (len--) { - if (*data++) { - return PR_FALSE; - } + if (*data++) { + return PR_FALSE; + } } return PR_TRUE; } CK_RV -PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, - CK_MECHANISM_PTR pCryptoMechanism, - SECItem *pbe_pwd, PRBool faulty3DES) +PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, + CK_MECHANISM_PTR pCryptoMechanism, + SECItem *pbe_pwd, PRBool faulty3DES) { int iv_len = 0; CK_PBE_PARAMS_PTR pPBEparams; CK_RC2_CBC_PARAMS_PTR rc2_params; CK_ULONG rc2_key_len; - if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) { - return CKR_HOST_MEMORY; + if ((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) { + return CKR_HOST_MEMORY; } /* pkcs5 v2 cannot be supported by this interface. * use PK11_GetPBECryptoMechanism instead. */ - if ((pPBEMechanism->mechanism == CKM_INVALID_MECHANISM) || - (pPBEMechanism->mechanism == CKM_PKCS5_PBKD2)) { - return CKR_MECHANISM_INVALID; + if ((pPBEMechanism->mechanism == CKM_INVALID_MECHANISM) || + (pPBEMechanism->mechanism == CKM_PKCS5_PBKD2)) { + return CKR_MECHANISM_INVALID; } pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter; iv_len = PK11_GetIVLength(pPBEMechanism->mechanism); if (iv_len) { - if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) { - SECItem param; - PK11SymKey *symKey; - PK11SlotInfo *intSlot = PK11_GetInternalSlot(); - - if (intSlot == NULL) { - return CKR_DEVICE_ERROR; - } - - param.data = pPBEMechanism->pParameter; - param.len = pPBEMechanism->ulParameterLen; - - symKey = PK11_RawPBEKeyGen(intSlot, - pPBEMechanism->mechanism, ¶m, pbe_pwd, faulty3DES, NULL); - PK11_FreeSlot(intSlot); - if (symKey== NULL) { - return CKR_DEVICE_ERROR; /* sigh */ - } - PK11_FreeSymKey(symKey); - } + if (pk11_isAllZero(pPBEparams->pInitVector, iv_len)) { + SECItem param; + PK11SymKey *symKey; + PK11SlotInfo *intSlot = PK11_GetInternalSlot(); + + if (intSlot == NULL) { + return CKR_DEVICE_ERROR; + } + + param.data = pPBEMechanism->pParameter; + param.len = pPBEMechanism->ulParameterLen; + + symKey = PK11_RawPBEKeyGen(intSlot, + pPBEMechanism->mechanism, ¶m, pbe_pwd, faulty3DES, NULL); + PK11_FreeSlot(intSlot); + if (symKey == NULL) { + return CKR_DEVICE_ERROR; /* sigh */ + } + PK11_FreeSymKey(symKey); + } } - switch(pPBEMechanism->mechanism) { - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_DES_CBC: - pCryptoMechanism->mechanism = CKM_DES_CBC; - goto have_crypto_mechanism; - case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: - case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: - case CKM_PBE_SHA1_DES3_EDE_CBC: - case CKM_PBE_SHA1_DES2_EDE_CBC: - pCryptoMechanism->mechanism = CKM_DES3_CBC; -have_crypto_mechanism: - pCryptoMechanism->pParameter = PORT_Alloc(iv_len); - pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len; - if(pCryptoMechanism->pParameter == NULL) { - return CKR_HOST_MEMORY; - } - PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter), - (unsigned char *)(pPBEparams->pInitVector), - iv_len); - break; - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: - case CKM_PBE_SHA1_RC4_40: - case CKM_PBE_SHA1_RC4_128: - pCryptoMechanism->mechanism = CKM_RC4; - pCryptoMechanism->ulParameterLen = 0; - pCryptoMechanism->pParameter = CK_NULL_PTR; - break; - case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: - case CKM_PBE_SHA1_RC2_40_CBC: - rc2_key_len = 40; - goto have_key_len; - case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: - rc2_key_len = 128; -have_key_len: - pCryptoMechanism->mechanism = CKM_RC2_CBC; - pCryptoMechanism->ulParameterLen = (CK_ULONG) - sizeof(CK_RC2_CBC_PARAMS); - pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR) - PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS)); - if(pCryptoMechanism->pParameter == NULL) { - return CKR_HOST_MEMORY; - } - rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter; - PORT_Memcpy((unsigned char *)rc2_params->iv, - (unsigned char *)pPBEparams->pInitVector, - iv_len); - rc2_params->ulEffectiveBits = rc2_key_len; - break; - default: - return CKR_MECHANISM_INVALID; + switch (pPBEMechanism->mechanism) { + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + pCryptoMechanism->mechanism = CKM_DES_CBC; + goto have_crypto_mechanism; + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + pCryptoMechanism->mechanism = CKM_DES3_CBC; + have_crypto_mechanism: + pCryptoMechanism->pParameter = PORT_Alloc(iv_len); + pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len; + if (pCryptoMechanism->pParameter == NULL) { + return CKR_HOST_MEMORY; + } + PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter), + (unsigned char *)(pPBEparams->pInitVector), + iv_len); + break; + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + pCryptoMechanism->mechanism = CKM_RC4; + pCryptoMechanism->ulParameterLen = 0; + pCryptoMechanism->pParameter = CK_NULL_PTR; + break; + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + rc2_key_len = 40; + goto have_key_len; + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + rc2_key_len = 128; + have_key_len: + pCryptoMechanism->mechanism = CKM_RC2_CBC; + pCryptoMechanism->ulParameterLen = (CK_ULONG)sizeof(CK_RC2_CBC_PARAMS); + pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR) + PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS)); + if (pCryptoMechanism->pParameter == NULL) { + return CKR_HOST_MEMORY; + } + rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter; + PORT_Memcpy((unsigned char *)rc2_params->iv, + (unsigned char *)pPBEparams->pInitVector, + iv_len); + rc2_params->ulEffectiveBits = rc2_key_len; + break; + default: + return CKR_MECHANISM_INVALID; } return CKR_OK; @@ -1843,16 +1869,16 @@ CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType) { switch (keyType) { - case rsaKey: - return CKM_RSA_PKCS; - case fortezzaKey: - case dsaKey: - return CKM_DSA; - case ecKey: - return CKM_ECDSA; - case dhKey: - default: - break; + case rsaKey: + return CKM_RSA_PKCS; + case fortezzaKey: + case dsaKey: + return CKM_DSA; + case ecKey: + return CKM_ECDSA; + case dhKey: + default: + break; } return CKM_INVALID_MECHANISM; } @@ -1861,27 +1887,27 @@ CK_MECHANISM_TYPE pk11_mapWrapKeyType(KeyType keyType) { switch (keyType) { - case rsaKey: - return CKM_RSA_PKCS; - /* Add fortezza?? */ - default: - break; + case rsaKey: + return CKM_RSA_PKCS; + /* Add fortezza?? */ + default: + break; } return CKM_INVALID_MECHANISM; } -SECOidTag +SECOidTag PK11_FortezzaMapSig(SECOidTag algTag) { switch (algTag) { - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: - return SEC_OID_ANSIX9_DSA_SIGNATURE; - default: - break; + case SEC_OID_MISSI_KEA_DSS: + case SEC_OID_MISSI_DSS: + case SEC_OID_MISSI_DSS_OLD: + case SEC_OID_MISSI_KEA_DSS_OLD: + case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: + return SEC_OID_ANSIX9_DSA_SIGNATURE; + default: + break; } return algTag; } diff --git a/nss/lib/pk11wrap/pk11merge.c b/nss/lib/pk11wrap/pk11merge.c index 8fadc7c..8c4c512 100644 --- a/nss/lib/pk11wrap/pk11merge.c +++ b/nss/lib/pk11wrap/pk11merge.c @@ -30,50 +30,74 @@ */ static SECStatus pk11_setAttributes(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE *setTemplate, CK_ULONG setTemplCount) + CK_ATTRIBUTE *setTemplate, CK_ULONG setTemplCount) { CK_RV crv; CK_SESSION_HANDLE rwsession; rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; } crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id, - setTemplate, setTemplCount); + setTemplate, setTemplCount); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } - /* * copy a template of attributes from a source object to a target object. * if target object is not given, create it. */ static SECStatus pk11_copyAttributes(PLArenaPool *arena, - PK11SlotInfo *targetSlot, CK_OBJECT_HANDLE targetID, - PK11SlotInfo *sourceSlot, CK_OBJECT_HANDLE sourceID, - CK_ATTRIBUTE *copyTemplate, CK_ULONG copyTemplateCount) + PK11SlotInfo *targetSlot, CK_OBJECT_HANDLE targetID, + PK11SlotInfo *sourceSlot, CK_OBJECT_HANDLE sourceID, + CK_ATTRIBUTE *copyTemplate, CK_ULONG copyTemplateCount) { - SECStatus rv = PK11_GetAttributes(arena, sourceSlot, sourceID, - copyTemplate, copyTemplateCount); - if (rv != SECSuccess) { - return rv; + SECStatus rv; + CK_ATTRIBUTE *newTemplate = NULL; + CK_RV crv; + + crv = PK11_GetAttributes(arena, sourceSlot, sourceID, + copyTemplate, copyTemplateCount); + /* if we have missing attributes, just skip them and create the object */ + if (crv == CKR_ATTRIBUTE_TYPE_INVALID) { + int i, j; + newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount); + /* remove the unknown attributes. If we don't have enough attributes + * PK11_CreateNewObject() will fail */ + for (i = 0, j = 0; i < copyTemplateCount; i++) { + if (copyTemplate[i].ulValueLen != -1) { + newTemplate[j] = copyTemplate[i]; + j++; + } + } + copyTemplate = newTemplate; + copyTemplateCount = j; + crv = PK11_GetAttributes(arena, sourceSlot, sourceID, + copyTemplate, copyTemplateCount); + } + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } if (targetID == CK_INVALID_HANDLE) { - /* we need to create the object */ - rv = PK11_CreateNewObject(targetSlot, CK_INVALID_SESSION, - copyTemplate, copyTemplateCount, PR_TRUE, &targetID); + /* we need to create the object */ + rv = PK11_CreateNewObject(targetSlot, CK_INVALID_SESSION, + copyTemplate, copyTemplateCount, PR_TRUE, &targetID); } else { - /* update the existing object with the new attributes */ - rv = pk11_setAttributes(targetSlot, targetID, - copyTemplate, copyTemplateCount); + /* update the existing object with the new attributes */ + rv = pk11_setAttributes(targetSlot, targetID, + copyTemplate, copyTemplateCount); + } + if (newTemplate) { + free(newTemplate); } return rv; } @@ -83,9 +107,9 @@ pk11_copyAttributes(PLArenaPool *arena, */ static SECStatus pk11_matchAcrossTokens(PLArenaPool *arena, PK11SlotInfo *targetSlot, - PK11SlotInfo *sourceSlot, - CK_ATTRIBUTE *template, CK_ULONG tsize, - CK_OBJECT_HANDLE id, CK_OBJECT_HANDLE *peer) + PK11SlotInfo *sourceSlot, + CK_ATTRIBUTE *template, CK_ULONG tsize, + CK_OBJECT_HANDLE id, CK_OBJECT_HANDLE *peer) { CK_RV crv; @@ -93,14 +117,14 @@ pk11_matchAcrossTokens(PLArenaPool *arena, PK11SlotInfo *targetSlot, crv = PK11_GetAttributes(arena, sourceSlot, id, template, tsize); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (template[0].ulValueLen == -1) { - crv = CKR_ATTRIBUTE_TYPE_INVALID; - PORT_SetError( PK11_MapError(crv) ); - goto loser; + crv = CKR_ATTRIBUTE_TYPE_INVALID; + PORT_SetError(PK11_MapError(crv)); + goto loser; } *peer = pk11_FindObjectByTemplate(targetSlot, template, tsize); @@ -115,46 +139,44 @@ loser: */ SECStatus pk11_encrypt(PK11SymKey *symKey, CK_MECHANISM_TYPE mechType, SECItem *param, - SECItem *input, SECItem **output) + SECItem *input, SECItem **output) { PK11Context *ctxt = NULL; SECStatus rv = SECSuccess; if (*output) { - SECITEM_FreeItem(*output,PR_TRUE); + SECITEM_FreeItem(*output, PR_TRUE); } - *output = SECITEM_AllocItem(NULL, NULL, input->len+20 /*slop*/); + *output = SECITEM_AllocItem(NULL, NULL, input->len + 20 /*slop*/); if (!*output) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } ctxt = PK11_CreateContextBySymKey(mechType, CKA_ENCRYPT, symKey, param); if (ctxt == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } - rv = PK11_CipherOp(ctxt, (*output)->data, - (int *)&((*output)->len), - (*output)->len, input->data, input->len); + rv = PK11_CipherOp(ctxt, (*output)->data, + (int *)&((*output)->len), + (*output)->len, input->data, input->len); done: if (ctxt) { - PK11_Finalize(ctxt); - PK11_DestroyContext(ctxt,PR_TRUE); + PK11_Finalize(ctxt); + PK11_DestroyContext(ctxt, PR_TRUE); } if (rv != SECSuccess) { - if (*output) { - SECITEM_FreeItem(*output, PR_TRUE); - *output = NULL; - } + if (*output) { + SECITEM_FreeItem(*output, PR_TRUE); + *output = NULL; + } } return rv; } - - /************************************************************************* * * Private Keys @@ -169,23 +191,22 @@ pk11_getPrivateKeyUsage(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) { unsigned int usage = 0; - if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP,PR_FALSE) || - PK11_HasAttributeSet(slot,id, CKA_DECRYPT,PR_FALSE))) { - usage |= KU_KEY_ENCIPHERMENT; + if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP, PR_FALSE) || + PK11_HasAttributeSet(slot, id, CKA_DECRYPT, PR_FALSE))) { + usage |= KU_KEY_ENCIPHERMENT; } if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) { - usage |= KU_KEY_AGREEMENT; + usage |= KU_KEY_AGREEMENT; } - if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE) || - PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE))) { - usage |= KU_DIGITAL_SIGNATURE; + if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE) || + PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE))) { + usage |= KU_DIGITAL_SIGNATURE; } return usage; } - - + /* - * merge a private key, + * merge a private key, * * Private keys are merged using PBE wrapped keys with a random * value as the 'password'. Once the base key is moved, The remaining @@ -193,7 +214,7 @@ pk11_getPrivateKeyUsage(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) */ static SECStatus pk11_mergePrivateKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { SECKEYPrivateKey *sourceKey = NULL; CK_OBJECT_HANDLE targetKeyID; @@ -208,110 +229,109 @@ pk11_mergePrivateKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, unsigned char randomData[SHA1_LENGTH]; SECOidTag algTag = SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; CK_ATTRIBUTE privTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; - CK_ULONG privTemplateCount = sizeof(privTemplate)/sizeof(privTemplate[0]); + CK_ULONG privTemplateCount = sizeof(privTemplate) / sizeof(privTemplate[0]); CK_ATTRIBUTE privCopyTemplate[] = { - { CKA_SUBJECT, NULL, 0 } + { CKA_SUBJECT, NULL, 0 } }; - CK_ULONG privCopyTemplateCount = - sizeof(privCopyTemplate)/sizeof(privCopyTemplate[0]); + CK_ULONG privCopyTemplateCount = + sizeof(privCopyTemplate) / sizeof(privCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* check to see if the key is already in the target slot */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, - privTemplateCount, id, &targetKeyID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, + privTemplateCount, id, &targetKeyID); if (rv != SECSuccess) { - goto done; + goto done; } if (targetKeyID != CK_INVALID_HANDLE) { - /* match found, not an error ... */ - goto done; + /* match found, not an error ... */ + goto done; } /* get an NSS representation of our source key */ - sourceKey = PK11_MakePrivKey(sourceSlot, nullKey, PR_FALSE, - id, sourcePwArg); + sourceKey = PK11_MakePrivKey(sourceSlot, nullKey, PR_FALSE, + id, sourcePwArg); if (sourceKey == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* Load the private key */ /* generate a random pwitem */ rv = PK11_GenerateRandom(randomData, sizeof(randomData)); if (rv != SECSuccess) { - goto done; + goto done; } pwitem.data = randomData; pwitem.len = sizeof(randomData); /* fetch the private key encrypted */ - epki = PK11_ExportEncryptedPrivKeyInfo(sourceSlot, algTag, &pwitem, - sourceKey, 1, sourcePwArg); + epki = PK11_ExportEncryptedPrivKeyInfo(sourceSlot, algTag, &pwitem, + sourceKey, 1, sourcePwArg); if (epki == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } nickname = PK11_GetObjectNickname(sourceSlot, id); /* NULL nickanme is fine (in fact is often normal) */ - if (nickname) { - nickItem.data = (unsigned char *)nickname; - nickItem.len = PORT_Strlen(nickname); + if (nickname) { + nickItem.data = (unsigned char *)nickname; + nickItem.len = PORT_Strlen(nickname); } keyUsage = pk11_getPrivateKeyUsage(sourceSlot, id); /* pass in the CKA_ID */ publicValue.data = privTemplate[0].pValue; publicValue.len = privTemplate[0].ulValueLen; rv = PK11_ImportEncryptedPrivateKeyInfo(targetSlot, epki, &pwitem, - nickname? &nickItem : NULL , &publicValue, - PR_TRUE, PR_TRUE, sourceKey->keyType, keyUsage, - targetPwArg); + nickname ? &nickItem : NULL, &publicValue, + PR_TRUE, PR_TRUE, sourceKey->keyType, keyUsage, + targetPwArg); if (rv != SECSuccess) { - goto done; + goto done; } /* make sure it made it */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, - privTemplateCount, id, &targetKeyID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, privTemplate, + privTemplateCount, id, &targetKeyID); if (rv != SECSuccess) { - goto done; + goto done; } if (targetKeyID == CK_INVALID_HANDLE) { - /* this time the key should exist */ - rv = SECFailure; - goto done; + /* this time the key should exist */ + rv = SECFailure; + goto done; } /* fill in remaining attributes */ rv = pk11_copyAttributes(arena, targetSlot, targetKeyID, sourceSlot, id, - privCopyTemplate, privCopyTemplateCount); + privCopyTemplate, privCopyTemplateCount); done: /* make sure the 'key' is cleared */ PORT_Memset(randomData, 0, sizeof(randomData)); if (nickname) { - PORT_Free(nickname); + PORT_Free(nickname); } if (sourceKey) { - SECKEY_DestroyPrivateKey(sourceKey); + SECKEY_DestroyPrivateKey(sourceKey); } if (epki) { - SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE); + SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE); } if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } - /************************************************************************* * * Secret Keys @@ -322,12 +342,12 @@ done: * we need to find a unique CKA_ID. * The basic idea is to just increment the lowest byte. * This code also handles the following corner cases: - * 1) the single byte overflows. On overflow we increment the next byte up + * 1) the single byte overflows. On overflow we increment the next byte up * and so forth until we have overflowed the entire CKA_ID. * 2) If we overflow the entire CKA_ID we expand it by one byte. * 3) the CKA_ID is non-existent, we create a new one with one byte. - * This means no matter what CKA_ID is passed, the result of this function - * is always a new CKA_ID, and this function will never return the same + * This means no matter what CKA_ID is passed, the result of this function + * is always a new CKA_ID, and this function will never return the same * CKA_ID the it has returned in the passed. */ static SECStatus @@ -337,76 +357,75 @@ pk11_incrementID(PLArenaPool *arena, CK_ATTRIBUTE *ptemplate) CK_ULONG len = ptemplate->ulValueLen; if (buf == NULL || len == (CK_ULONG)-1) { - /* we have no valid CKAID, we'll create a basic one byte CKA_ID below */ - len = 0; + /* we have no valid CKAID, we'll create a basic one byte CKA_ID below */ + len = 0; } else { - CK_ULONG i; - - /* walk from the back to front, incrementing - * the CKA_ID until we no longer have a carry, - * or have hit the front of the id. */ - for (i=len; i != 0; i--) { - buf[i-1]++; - if (buf[i-1] != 0) { - /* no more carries, the increment is complete */ - return SECSuccess; - } - } - /* we've now overflowed, fall through and expand the CKA_ID by - * one byte */ - } + CK_ULONG i; + + /* walk from the back to front, incrementing + * the CKA_ID until we no longer have a carry, + * or have hit the front of the id. */ + for (i = len; i != 0; i--) { + buf[i - 1]++; + if (buf[i - 1] != 0) { + /* no more carries, the increment is complete */ + return SECSuccess; + } + } + /* we've now overflowed, fall through and expand the CKA_ID by + * one byte */ + } /* if we are here we've run the counter to zero (indicating an overflow). * create an CKA_ID that is all zeros, but has one more zero than * the previous CKA_ID */ - buf = PORT_ArenaZAlloc(arena, len+1); + buf = PORT_ArenaZAlloc(arena, len + 1); if (buf == NULL) { - return SECFailure; + return SECFailure; } ptemplate->pValue = buf; - ptemplate->ulValueLen = len+1; + ptemplate->ulValueLen = len + 1; return SECSuccess; } - static CK_FLAGS pk11_getSecretKeyFlags(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) { CK_FLAGS flags = 0; if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP, PR_FALSE)) { - flags |= CKF_UNWRAP; + flags |= CKF_UNWRAP; } if (PK11_HasAttributeSet(slot, id, CKA_WRAP, PR_FALSE)) { - flags |= CKF_WRAP; + flags |= CKF_WRAP; } if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT, PR_FALSE)) { - flags |= CKF_ENCRYPT; + flags |= CKF_ENCRYPT; } if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT, PR_FALSE)) { - flags |= CKF_DECRYPT; + flags |= CKF_DECRYPT; } if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) { - flags |= CKF_DERIVE; + flags |= CKF_DERIVE; } if (PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE)) { - flags |= CKF_SIGN; + flags |= CKF_SIGN; } if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE)) { - flags |= CKF_SIGN_RECOVER; + flags |= CKF_SIGN_RECOVER; } if (PK11_HasAttributeSet(slot, id, CKA_VERIFY, PR_FALSE)) { - flags |= CKF_VERIFY; + flags |= CKF_VERIFY; } if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER, PR_FALSE)) { - flags |= CKF_VERIFY_RECOVER; + flags |= CKF_VERIFY_RECOVER; } return flags; } -static const char testString[] = - "My Encrytion Test Data (should be at least 32 bytes long)"; +static const char testString[] = + "My Encrytion Test Data (should be at least 32 bytes long)"; /* - * merge a secret key, + * merge a secret key, * * Secret keys may collide by CKA_ID as we merge 2 token. If we collide * on the CKA_ID, we need to make sure we are dealing with different keys. @@ -414,7 +433,7 @@ static const char testString[] = * before, and this key could have been merged already. If the keys are * the same, we are done. If they are not, we need to update the CKA_ID of * the source key and try again. - * + * * Once we know we have a unique key to merge in, we use NSS's underlying * key Move function which will do a key exchange if necessary to move * the key from one token to another. Then we set the CKA_ID and additional @@ -422,7 +441,7 @@ static const char testString[] = */ static SECStatus pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { PK11SymKey *sourceKey = NULL; PK11SymKey *targetKey = NULL; @@ -438,26 +457,26 @@ pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, CK_MECHANISM_TYPE keyMechType, cryptoMechType; CK_KEY_TYPE sourceKeyType, targetKeyType; CK_ATTRIBUTE symTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; - CK_ULONG symTemplateCount = sizeof(symTemplate)/sizeof(symTemplate[0]); + CK_ULONG symTemplateCount = sizeof(symTemplate) / sizeof(symTemplate[0]); CK_ATTRIBUTE symCopyTemplate[] = { - { CKA_LABEL, NULL, 0 } + { CKA_LABEL, NULL, 0 } }; - CK_ULONG symCopyTemplateCount = - sizeof(symCopyTemplate)/sizeof(symCopyTemplate[0]); + CK_ULONG symCopyTemplateCount = + sizeof(symCopyTemplate) / sizeof(symCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } sourceKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE); - if (sourceKeyType == (CK_ULONG) -1) { - rv = SECFailure; - goto done; + if (sourceKeyType == (CK_ULONG)-1) { + rv = SECFailure; + goto done; } /* get the key mechanism */ @@ -467,124 +486,124 @@ pk11_mergeSecretKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, * type. It tries to return encryption/decryption mechanisms, however * CKM_DES3_CBC uses and abmiguous keyType, so keyMechType is returned as * 'keygen' mechanism. Detect that case here */ - cryptoMechType = keyMechType; - if ((keyMechType == CKM_DES3_KEY_GEN) || - (keyMechType == CKM_DES2_KEY_GEN)) { - cryptoMechType = CKM_DES3_CBC; + cryptoMechType = keyMechType; + if ((keyMechType == CKM_DES3_KEY_GEN) || + (keyMechType == CKM_DES2_KEY_GEN)) { + cryptoMechType = CKM_DES3_CBC; } sourceKey = PK11_SymKeyFromHandle(sourceSlot, NULL, PK11_OriginDerive, - keyMechType , id, PR_FALSE, sourcePwArg); + keyMechType, id, PR_FALSE, sourcePwArg); if (sourceKey == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } - /* check to see a key with the same CKA_ID already exists in + /* check to see a key with the same CKA_ID already exists in * the target slot. If it does, then we need to verify if the keys * really matches. If they don't import the key with a new CKA_ID * value. */ rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, - symTemplate, symTemplateCount, id, &targetKeyID); + symTemplate, symTemplateCount, id, &targetKeyID); if (rv != SECSuccess) { - goto done; + goto done; } /* set up the input test */ input.data = (unsigned char *)testString; blockSize = PK11_GetBlockSize(cryptoMechType, NULL); if (blockSize < 0) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } input.len = blockSize; if (input.len == 0) { - input.len = sizeof (testString); + input.len = sizeof(testString); } while (targetKeyID != CK_INVALID_HANDLE) { - /* test to see if the keys are identical */ - targetKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE); - if (targetKeyType == sourceKeyType) { - /* same keyType - see if it's the same key */ - targetKey = PK11_SymKeyFromHandle(targetSlot, NULL, - PK11_OriginDerive, keyMechType, targetKeyID, PR_FALSE, - targetPwArg); - /* get a parameter if we don't already have one */ - if (!param) { - param = PK11_GenerateNewParam(cryptoMechType, sourceKey); - if (param == NULL) { - rv = SECFailure; - goto done; - } - } - /* use the source key to encrypt a reference */ - if (!sourceOutput) { - rv = pk11_encrypt(sourceKey, cryptoMechType, param, &input, - &sourceOutput); - if (rv != SECSuccess) { - goto done; - } - } - /* encrypt the reference with the target key */ - rv = pk11_encrypt(targetKey, cryptoMechType, param, &input, - &targetOutput); - if (rv == SECSuccess) { - if (SECITEM_ItemsAreEqual(sourceOutput, targetOutput)) { - /* they produce the same output, they must be the - * same key */ - goto done; - } - SECITEM_FreeItem(targetOutput, PR_TRUE); - targetOutput = NULL; - } - PK11_FreeSymKey(targetKey); - targetKey = NULL; - } - /* keys aren't equal, update the KEY_ID and look again */ - rv = pk11_incrementID(arena, &symTemplate[0]); - if (rv != SECSuccess) { - goto done; - } - targetKeyID = pk11_FindObjectByTemplate(targetSlot, - symTemplate, symTemplateCount); + /* test to see if the keys are identical */ + targetKeyType = PK11_ReadULongAttribute(sourceSlot, id, CKA_KEY_TYPE); + if (targetKeyType == sourceKeyType) { + /* same keyType - see if it's the same key */ + targetKey = PK11_SymKeyFromHandle(targetSlot, NULL, + PK11_OriginDerive, keyMechType, targetKeyID, PR_FALSE, + targetPwArg); + /* get a parameter if we don't already have one */ + if (!param) { + param = PK11_GenerateNewParam(cryptoMechType, sourceKey); + if (param == NULL) { + rv = SECFailure; + goto done; + } + } + /* use the source key to encrypt a reference */ + if (!sourceOutput) { + rv = pk11_encrypt(sourceKey, cryptoMechType, param, &input, + &sourceOutput); + if (rv != SECSuccess) { + goto done; + } + } + /* encrypt the reference with the target key */ + rv = pk11_encrypt(targetKey, cryptoMechType, param, &input, + &targetOutput); + if (rv == SECSuccess) { + if (SECITEM_ItemsAreEqual(sourceOutput, targetOutput)) { + /* they produce the same output, they must be the + * same key */ + goto done; + } + SECITEM_FreeItem(targetOutput, PR_TRUE); + targetOutput = NULL; + } + PK11_FreeSymKey(targetKey); + targetKey = NULL; + } + /* keys aren't equal, update the KEY_ID and look again */ + rv = pk11_incrementID(arena, &symTemplate[0]); + if (rv != SECSuccess) { + goto done; + } + targetKeyID = pk11_FindObjectByTemplate(targetSlot, + symTemplate, symTemplateCount); } /* we didn't find a matching key, import this one with the new * CKAID */ flags = pk11_getSecretKeyFlags(sourceSlot, id); targetKey = PK11_MoveSymKey(targetSlot, PK11_OriginDerive, flags, PR_TRUE, - sourceKey); + sourceKey); if (targetKey == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* set the key new CKAID */ rv = pk11_setAttributes(targetSlot, targetKey->objectID, symTemplate, 1); if (rv != SECSuccess) { - goto done; + goto done; } /* fill in remaining attributes */ - rv = pk11_copyAttributes(arena, targetSlot, targetKey->objectID, - sourceSlot, id, symCopyTemplate, symCopyTemplateCount); + rv = pk11_copyAttributes(arena, targetSlot, targetKey->objectID, + sourceSlot, id, symCopyTemplate, symCopyTemplateCount); done: if (sourceKey) { - PK11_FreeSymKey(sourceKey); + PK11_FreeSymKey(sourceKey); } if (targetKey) { - PK11_FreeSymKey(targetKey); + PK11_FreeSymKey(targetKey); } if (sourceOutput) { - SECITEM_FreeItem(sourceOutput, PR_TRUE); + SECITEM_FreeItem(sourceOutput, PR_TRUE); } if (targetOutput) { - SECITEM_FreeItem(targetOutput, PR_TRUE); + SECITEM_FreeItem(targetOutput, PR_TRUE); } if (param) { - SECITEM_FreeItem(param, PR_TRUE); + SECITEM_FreeItem(param, PR_TRUE); } if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } @@ -603,70 +622,68 @@ done: */ static SECStatus pk11_mergePublicKey(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { SECKEYPublicKey *sourceKey = NULL; CK_OBJECT_HANDLE targetKeyID; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; CK_ATTRIBUTE pubTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; - CK_ULONG pubTemplateCount = sizeof(pubTemplate)/sizeof(pubTemplate[0]); + CK_ULONG pubTemplateCount = sizeof(pubTemplate) / sizeof(pubTemplate[0]); CK_ATTRIBUTE pubCopyTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_LABEL, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 } + { CKA_ID, NULL, 0 }, + { CKA_LABEL, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 } }; - CK_ULONG pubCopyTemplateCount = - sizeof(pubCopyTemplate)/sizeof(pubCopyTemplate[0]); + CK_ULONG pubCopyTemplateCount = + sizeof(pubCopyTemplate) / sizeof(pubCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } - /* check to see if the key is already in the target slot */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, pubTemplate, - pubTemplateCount, id, &targetKeyID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, pubTemplate, + pubTemplateCount, id, &targetKeyID); if (rv != SECSuccess) { - goto done; + goto done; } /* Key is already in the target slot */ if (targetKeyID != CK_INVALID_HANDLE) { - /* not an error ... */ - goto done; + /* not an error ... */ + goto done; } /* fetch an NSS representation of the public key */ sourceKey = PK11_ExtractPublicKey(sourceSlot, nullKey, id); - if (sourceKey== NULL) { - rv = SECFailure; - goto done; + if (sourceKey == NULL) { + rv = SECFailure; + goto done; } /* load the public key into the target token. */ targetKeyID = PK11_ImportPublicKey(targetSlot, sourceKey, PR_TRUE); if (targetKeyID == CK_INVALID_HANDLE) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* fill in remaining attributes */ rv = pk11_copyAttributes(arena, targetSlot, targetKeyID, sourceSlot, id, - pubCopyTemplate, pubCopyTemplateCount); - + pubCopyTemplate, pubCopyTemplateCount); done: if (sourceKey) { - SECKEY_DestroyPublicKey(sourceKey); + SECKEY_DestroyPublicKey(sourceKey); } if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } @@ -678,7 +695,7 @@ done: *************************************************************************/ /* - * Two copies of the source code for this algorithm exist in NSS. + * Two copies of the source code for this algorithm exist in NSS. * Changes must be made in both copies. * The other copy is in sftkdb_resolveConflicts() in softoken/sftkdb.c. */ @@ -691,44 +708,45 @@ pk11_IncrementNickname(char *nickname) int len = strlen(nickname); /* does nickname end with " #n*" ? */ - for (end = len - 1; - end >= 2 && (digit = nickname[end]) <= '9' && digit >= '0'; - end--) /* just scan */ ; + for (end = len - 1; + end >= 2 && (digit = nickname[end]) <= '9' && digit >= '0'; + end--) /* just scan */ + ; if (len >= 3 && end < (len - 1) /* at least one digit */ && - nickname[end] == '#' && - nickname[end - 1] == ' ') { - /* Already has a suitable suffix string */ + nickname[end] == '#' && + nickname[end - 1] == ' ') { + /* Already has a suitable suffix string */ } else { - /* ... append " #2" to the name */ - static const char num2[] = " #2"; - newNickname = PORT_Realloc(nickname, len + sizeof(num2)); - if (newNickname) { - PORT_Strcat(newNickname, num2); - } else { - PORT_Free(nickname); - } - return newNickname; - } - - for (end = len - 1; - end >= 0 && (digit = nickname[end]) <= '9' && digit >= '0'; - end--) { - if (digit < '9') { - nickname[end]++; - return nickname; - } - nickname[end] = '0'; + /* ... append " #2" to the name */ + static const char num2[] = " #2"; + newNickname = PORT_Realloc(nickname, len + sizeof(num2)); + if (newNickname) { + PORT_Strcat(newNickname, num2); + } else { + PORT_Free(nickname); + } + return newNickname; + } + + for (end = len - 1; + end >= 0 && (digit = nickname[end]) <= '9' && digit >= '0'; + end--) { + if (digit < '9') { + nickname[end]++; + return nickname; + } + nickname[end] = '0'; } /* we overflowed, insert a new '1' for a carry in front of the number */ newNickname = PORT_Realloc(nickname, len + 2); if (newNickname) { - newNickname[++end] = '1'; - PORT_Memset(&newNickname[end + 1], '0', len - end); - newNickname[len + 1] = 0; + newNickname[++end] = '1'; + PORT_Memset(&newNickname[end + 1], '0', len - end); + newNickname[len + 1] = 0; } else { - PORT_Free(nickname); + PORT_Free(nickname); } return newNickname; } @@ -740,22 +758,22 @@ pk11_IncrementNickname(char *nickname) */ static SECStatus pk11_mergeCert(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { CERTCertificate *sourceCert = NULL; CK_OBJECT_HANDLE targetCertID = CK_INVALID_HANDLE; char *nickname = NULL; SECStatus rv = SECSuccess; PLArenaPool *arena = NULL; - CK_ATTRIBUTE sourceCKAID = {CKA_ID, NULL, 0}; - CK_ATTRIBUTE targetCKAID = {CKA_ID, NULL, 0}; + CK_ATTRIBUTE sourceCKAID = { CKA_ID, NULL, 0 }; + CK_ATTRIBUTE targetCKAID = { CKA_ID, NULL, 0 }; SECStatus lrv = SECSuccess; int error = SEC_ERROR_LIBRARY_FAILURE; sourceCert = PK11_MakeCertFromHandle(sourceSlot, id, NULL); if (sourceCert == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } nickname = PK11_GetObjectNickname(sourceSlot, id); @@ -764,107 +782,104 @@ pk11_mergeCert(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, * different subjects. This code will prevent us from getting * actual import errors */ if (nickname) { - const char *tokenName = PK11_GetTokenName(targetSlot); - char *tokenNickname = NULL; - - do { - tokenNickname = PR_smprintf("%s:%s",tokenName, nickname); - if (!tokenNickname) { - break; - } - if (!SEC_CertNicknameConflict(tokenNickname, - &sourceCert->derSubject, CERT_GetDefaultCertDB())) { - break; - } - nickname = pk11_IncrementNickname(nickname); - if (!nickname) { - break; - } - PR_smprintf_free(tokenNickname); - } while (1); - if (tokenNickname) { - PR_smprintf_free(tokenNickname); - } - } - - + const char *tokenName = PK11_GetTokenName(targetSlot); + char *tokenNickname = NULL; + + do { + tokenNickname = PR_smprintf("%s:%s", tokenName, nickname); + if (!tokenNickname) { + break; + } + if (!SEC_CertNicknameConflict(tokenNickname, + &sourceCert->derSubject, CERT_GetDefaultCertDB())) { + break; + } + nickname = pk11_IncrementNickname(nickname); + if (!nickname) { + break; + } + PR_smprintf_free(tokenNickname); + } while (1); + if (tokenNickname) { + PR_smprintf_free(tokenNickname); + } + } /* see if the cert is already there */ targetCertID = PK11_FindCertInSlot(targetSlot, sourceCert, targetPwArg); if (targetCertID == CK_INVALID_HANDLE) { - /* cert doesn't exist load the cert in. */ - /* OK for the nickname to be NULL, not all certs have nicknames */ - rv = PK11_ImportCert(targetSlot, sourceCert, CK_INVALID_HANDLE, - nickname, PR_FALSE); - goto done; + /* cert doesn't exist load the cert in. */ + /* OK for the nickname to be NULL, not all certs have nicknames */ + rv = PK11_ImportCert(targetSlot, sourceCert, CK_INVALID_HANDLE, + nickname, PR_FALSE); + goto done; } /* the cert already exists, see if the nickname and/or CKA_ID need * to be updated */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* does our source have a CKA_ID ? */ - rv = PK11_GetAttributes(arena, sourceSlot, id, &sourceCKAID, 1); + rv = PK11_GetAttributes(arena, sourceSlot, id, &sourceCKAID, 1); if (rv != SECSuccess) { - sourceCKAID.ulValueLen = 0; + sourceCKAID.ulValueLen = 0; } /* if we have a source CKA_ID, see of we need to update the * target's CKA_ID */ if (sourceCKAID.ulValueLen != 0) { - rv = PK11_GetAttributes(arena, targetSlot, targetCertID, - &targetCKAID, 1); - if (rv != SECSuccess) { - targetCKAID.ulValueLen = 0; - } - /* if the target has no CKA_ID, update it from the source */ - if (targetCKAID.ulValueLen == 0) { - lrv=pk11_setAttributes(targetSlot, targetCertID, &sourceCKAID, 1); - if (lrv != SECSuccess) { - error = PORT_GetError(); - } - } + rv = PK11_GetAttributes(arena, targetSlot, targetCertID, + &targetCKAID, 1); + if (rv != SECSuccess) { + targetCKAID.ulValueLen = 0; + } + /* if the target has no CKA_ID, update it from the source */ + if (targetCKAID.ulValueLen == 0) { + lrv = pk11_setAttributes(targetSlot, targetCertID, &sourceCKAID, 1); + if (lrv != SECSuccess) { + error = PORT_GetError(); + } + } } rv = SECSuccess; /* now check if we need to update the nickname */ if (nickname && *nickname) { - char *targetname; - targetname = PK11_GetObjectNickname(targetSlot, targetCertID); - if (!targetname || !*targetname) { - /* target has no nickname, or it's empty, update it */ - rv = PK11_SetObjectNickname(targetSlot, targetCertID, nickname); - } - if (targetname) { - PORT_Free(targetname); - } + char *targetname; + targetname = PK11_GetObjectNickname(targetSlot, targetCertID); + if (!targetname || !*targetname) { + /* target has no nickname, or it's empty, update it */ + rv = PK11_SetObjectNickname(targetSlot, targetCertID, nickname); + } + if (targetname) { + PORT_Free(targetname); + } } /* restore the error code if CKA_ID failed, but nickname didn't */ if ((rv == SECSuccess) && (lrv != SECSuccess)) { - rv = lrv; - PORT_SetError(error); + rv = lrv; + PORT_SetError(error); } done: if (nickname) { - PORT_Free(nickname); + PORT_Free(nickname); } if (sourceCert) { - CERT_DestroyCertificate(sourceCert); + CERT_DestroyCertificate(sourceCert); } if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } - /************************************************************************* * * Crls @@ -878,53 +893,53 @@ done: */ static SECStatus pk11_mergeCrl(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { CK_OBJECT_HANDLE targetCrlID; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; CK_ATTRIBUTE crlTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, - { CKA_NSS_KRL, NULL, 0 } + { CKA_SUBJECT, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, + { CKA_NSS_KRL, NULL, 0 } }; - CK_ULONG crlTemplateCount = sizeof(crlTemplate)/sizeof(crlTemplate[0]); + CK_ULONG crlTemplateCount = sizeof(crlTemplate) / sizeof(crlTemplate[0]); CK_ATTRIBUTE crlCopyTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_LABEL, NULL, 0 }, - { CKA_PRIVATE, NULL, 0 }, - { CKA_MODIFIABLE, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 }, - { CKA_NSS_KRL, NULL, 0 }, - { CKA_NSS_URL, NULL, 0 }, - { CKA_VALUE, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_LABEL, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_NSS_KRL, NULL, 0 }, + { CKA_NSS_URL, NULL, 0 }, + { CKA_VALUE, NULL, 0 } }; - CK_ULONG crlCopyTemplateCount = - sizeof(crlCopyTemplate)/sizeof(crlCopyTemplate[0]); + CK_ULONG crlCopyTemplateCount = + sizeof(crlCopyTemplate) / sizeof(crlCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* check to see if the crl is already in the target slot */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, crlTemplate, - crlTemplateCount, id, &targetCrlID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, crlTemplate, + crlTemplateCount, id, &targetCrlID); if (rv != SECSuccess) { - goto done; + goto done; } if (targetCrlID != CK_INVALID_HANDLE) { - /* we already have a CRL, check to see which is more up-to-date. */ - goto done; + /* we already have a CRL, check to see which is more up-to-date. */ + goto done; } /* load the CRL into the target token. */ rv = pk11_copyAttributes(arena, targetSlot, targetCrlID, sourceSlot, id, - crlCopyTemplate, crlCopyTemplateCount); + crlCopyTemplate, crlCopyTemplateCount); done: if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } @@ -940,54 +955,54 @@ done: */ static SECStatus pk11_mergeSmime(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { CK_OBJECT_HANDLE targetSmimeID; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; CK_ATTRIBUTE smimeTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_NSS_EMAIL, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_NSS_EMAIL, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, }; - CK_ULONG smimeTemplateCount = - sizeof(smimeTemplate)/sizeof(smimeTemplate[0]); + CK_ULONG smimeTemplateCount = + sizeof(smimeTemplate) / sizeof(smimeTemplate[0]); CK_ATTRIBUTE smimeCopyTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_LABEL, NULL, 0 }, - { CKA_PRIVATE, NULL, 0 }, - { CKA_MODIFIABLE, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 }, - { CKA_NSS_EMAIL, NULL, 0 }, - { CKA_NSS_SMIME_TIMESTAMP, NULL, 0 }, - { CKA_VALUE, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_LABEL, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_NSS_EMAIL, NULL, 0 }, + { CKA_NSS_SMIME_TIMESTAMP, NULL, 0 }, + { CKA_VALUE, NULL, 0 } }; - CK_ULONG smimeCopyTemplateCount = - sizeof(smimeCopyTemplate)/sizeof(smimeCopyTemplate[0]); + CK_ULONG smimeCopyTemplateCount = + sizeof(smimeCopyTemplate) / sizeof(smimeCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* check to see if the crl is already in the target slot */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, smimeTemplate, - smimeTemplateCount, id, &targetSmimeID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, smimeTemplate, + smimeTemplateCount, id, &targetSmimeID); if (rv != SECSuccess) { - goto done; + goto done; } if (targetSmimeID != CK_INVALID_HANDLE) { - /* we already have a SMIME record */ - goto done; + /* we already have a SMIME record */ + goto done; } /* load the SMime Record into the target token. */ rv = pk11_copyAttributes(arena, targetSlot, targetSmimeID, sourceSlot, id, - smimeCopyTemplate, smimeCopyTemplateCount); + smimeCopyTemplate, smimeCopyTemplateCount); done: if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } @@ -998,7 +1013,6 @@ done: * *************************************************************************/ - /* * decide which trust record entry wins. PR_TRUE (source) or PR_FALSE (target) */ @@ -1007,10 +1021,10 @@ done: PRBool pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source) { - CK_ULONG targetTrust = (target->ulValueLen == sizeof (CK_LONG)) ? - *(CK_ULONG *)target->pValue : CKT_NSS_TRUST_UNKNOWN; - CK_ULONG sourceTrust = (source->ulValueLen == sizeof (CK_LONG)) ? - *(CK_ULONG *)source->pValue : CKT_NSS_TRUST_UNKNOWN; + CK_ULONG targetTrust = (target->ulValueLen == sizeof(CK_LONG)) ? *(CK_ULONG *)target->pValue + : CKT_NSS_TRUST_UNKNOWN; + CK_ULONG sourceTrust = (source->ulValueLen == sizeof(CK_LONG)) ? *(CK_ULONG *)source->pValue + : CKT_NSS_TRUST_UNKNOWN; /* * Examine a single entry and deside if the source or target version @@ -1018,38 +1032,38 @@ pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source) * any case we need to update, we will write the whole source record * to the target database. That means for each individual record, if the * target wins, we need to update the source (in case later we have a - * case where the source wins). If the source wins, it already + * case where the source wins). If the source wins, it already */ if (sourceTrust == targetTrust) { - return USE_TARGET; /* which equates to 'do nothing' */ + return USE_TARGET; /* which equates to 'do nothing' */ } if (sourceTrust == CKT_NSS_TRUST_UNKNOWN) { - return USE_TARGET; + return USE_TARGET; } /* target has no idea, use the source's idea of the trust value */ if (targetTrust == CKT_NSS_TRUST_UNKNOWN) { - /* source overwrites the target */ - return USE_SOURCE; + /* source overwrites the target */ + return USE_SOURCE; } - /* so both the target and the source have some idea of what this - * trust attribute should be, and neither agree exactly. - * At this point, we prefer 'hard' attributes over 'soft' ones. + /* so both the target and the source have some idea of what this + * trust attribute should be, and neither agree exactly. + * At this point, we prefer 'hard' attributes over 'soft' ones. * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and * CKT_NSS_UNTRUTED. Soft ones are ones which don't change the * actual trust of the cert (CKT_MUST_VERIFY, CKT_NSS_VALID, * CKT_NSS_VALID_DELEGATOR). */ - if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) - || (sourceTrust == CKT_NSS_VALID_DELEGATOR)) { - return USE_TARGET; + if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) || + (sourceTrust == CKT_NSS_VALID_DELEGATOR)) { + return USE_TARGET; } - if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) - || (targetTrust == CKT_NSS_VALID_DELEGATOR)) { - /* source overrites the target */ - return USE_SOURCE; + if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) || + (targetTrust == CKT_NSS_VALID_DELEGATOR)) { + /* source overrites the target */ + return USE_SOURCE; } /* both have hard attributes, we have a conflict, let the target win. */ @@ -1060,117 +1074,116 @@ pk11_mergeTrustEntry(CK_ATTRIBUTE *target, CK_ATTRIBUTE *source) */ static SECStatus pk11_mergeTrust(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { CK_OBJECT_HANDLE targetTrustID; PLArenaPool *arena = NULL; SECStatus rv = SECSuccess; int error = 0; CK_ATTRIBUTE trustTemplate[] = { - { CKA_ISSUER, NULL, 0 }, - { CKA_SERIAL_NUMBER, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, + { CKA_ISSUER, NULL, 0 }, + { CKA_SERIAL_NUMBER, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, }; - CK_ULONG trustTemplateCount = - sizeof(trustTemplate)/sizeof(trustTemplate[0]); + CK_ULONG trustTemplateCount = + sizeof(trustTemplate) / sizeof(trustTemplate[0]); CK_ATTRIBUTE trustCopyTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_LABEL, NULL, 0 }, - { CKA_PRIVATE, NULL, 0 }, - { CKA_MODIFIABLE, NULL, 0 }, - { CKA_ISSUER, NULL, 0}, - { CKA_SERIAL_NUMBER, NULL, 0}, - { CKA_CERT_SHA1_HASH, NULL, 0 }, - { CKA_CERT_MD5_HASH, NULL, 0 }, - { CKA_TRUST_SERVER_AUTH, NULL, 0 }, - { CKA_TRUST_CLIENT_AUTH, NULL, 0 }, - { CKA_TRUST_CODE_SIGNING, NULL, 0 }, - { CKA_TRUST_EMAIL_PROTECTION, NULL, 0 }, - { CKA_TRUST_STEP_UP_APPROVED, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_LABEL, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, + { CKA_ISSUER, NULL, 0 }, + { CKA_SERIAL_NUMBER, NULL, 0 }, + { CKA_CERT_SHA1_HASH, NULL, 0 }, + { CKA_CERT_MD5_HASH, NULL, 0 }, + { CKA_TRUST_SERVER_AUTH, NULL, 0 }, + { CKA_TRUST_CLIENT_AUTH, NULL, 0 }, + { CKA_TRUST_CODE_SIGNING, NULL, 0 }, + { CKA_TRUST_EMAIL_PROTECTION, NULL, 0 }, + { CKA_TRUST_STEP_UP_APPROVED, NULL, 0 } }; - CK_ULONG trustCopyTemplateCount = - sizeof(trustCopyTemplate)/sizeof(trustCopyTemplate[0]); + CK_ULONG trustCopyTemplateCount = + sizeof(trustCopyTemplate) / sizeof(trustCopyTemplate[0]); - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } /* check to see if the crl is already in the target slot */ - rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, trustTemplate, - trustTemplateCount, id, &targetTrustID); + rv = pk11_matchAcrossTokens(arena, targetSlot, sourceSlot, trustTemplate, + trustTemplateCount, id, &targetTrustID); if (rv != SECSuccess) { - goto done; + goto done; } if (targetTrustID != CK_INVALID_HANDLE) { - /* a matching trust record already exists, merge it in */ - CK_ATTRIBUTE_TYPE trustAttrs[] = { - CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, - CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION, - CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, - CKA_TRUST_TIME_STAMPING - }; - CK_ULONG trustAttrsCount = - sizeof(trustAttrs)/sizeof(trustAttrs[0]); - - CK_ULONG i; - CK_ATTRIBUTE targetTemplate, sourceTemplate; - - /* existing trust record, merge the two together */ - for (i=0; i < trustAttrsCount; i++) { - targetTemplate.type = sourceTemplate.type = trustAttrs[i]; - targetTemplate.pValue = sourceTemplate.pValue = NULL; - targetTemplate.ulValueLen = sourceTemplate.ulValueLen = 0; - PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1); - PK11_GetAttributes(arena, targetSlot, targetTrustID, - &targetTemplate, 1); - if (pk11_mergeTrustEntry(&targetTemplate, &sourceTemplate)) { - /* source wins, write out the source attribute to the target */ - SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, - &sourceTemplate, 1); - if (lrv != SECSuccess) { - rv = SECFailure; - error = PORT_GetError(); - } - } - } - - /* handle step */ - sourceTemplate.type = CKA_TRUST_STEP_UP_APPROVED; - sourceTemplate.pValue = NULL; - sourceTemplate.ulValueLen = 0; - - /* if the source has steup set, then set it in the target */ - PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1); - if ((sourceTemplate.ulValueLen == sizeof(CK_BBOOL)) && - (sourceTemplate.pValue) && - (*(CK_BBOOL *)sourceTemplate.pValue == CK_TRUE)) { - SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, - &sourceTemplate, 1); - if (lrv != SECSuccess) { - rv = SECFailure; - error = PORT_GetError(); - } - } - - goto done; - + /* a matching trust record already exists, merge it in */ + CK_ATTRIBUTE_TYPE trustAttrs[] = { + CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, + CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION, + CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, + CKA_TRUST_TIME_STAMPING + }; + CK_ULONG trustAttrsCount = + sizeof(trustAttrs) / sizeof(trustAttrs[0]); + + CK_ULONG i; + CK_ATTRIBUTE targetTemplate, sourceTemplate; + + /* existing trust record, merge the two together */ + for (i = 0; i < trustAttrsCount; i++) { + targetTemplate.type = sourceTemplate.type = trustAttrs[i]; + targetTemplate.pValue = sourceTemplate.pValue = NULL; + targetTemplate.ulValueLen = sourceTemplate.ulValueLen = 0; + PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1); + PK11_GetAttributes(arena, targetSlot, targetTrustID, + &targetTemplate, 1); + if (pk11_mergeTrustEntry(&targetTemplate, &sourceTemplate)) { + /* source wins, write out the source attribute to the target */ + SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, + &sourceTemplate, 1); + if (lrv != SECSuccess) { + rv = SECFailure; + error = PORT_GetError(); + } + } + } + + /* handle step */ + sourceTemplate.type = CKA_TRUST_STEP_UP_APPROVED; + sourceTemplate.pValue = NULL; + sourceTemplate.ulValueLen = 0; + + /* if the source has steup set, then set it in the target */ + PK11_GetAttributes(arena, sourceSlot, id, &sourceTemplate, 1); + if ((sourceTemplate.ulValueLen == sizeof(CK_BBOOL)) && + (sourceTemplate.pValue) && + (*(CK_BBOOL *)sourceTemplate.pValue == CK_TRUE)) { + SECStatus lrv = pk11_setAttributes(targetSlot, targetTrustID, + &sourceTemplate, 1); + if (lrv != SECSuccess) { + rv = SECFailure; + error = PORT_GetError(); + } + } + + goto done; } /* load the new trust Record into the target token. */ rv = pk11_copyAttributes(arena, targetSlot, targetTrustID, sourceSlot, id, - trustCopyTemplate, trustCopyTemplateCount); + trustCopyTemplate, trustCopyTemplateCount); done: if (arena) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } /* restore the error code */ if (rv == SECFailure && error) { - PORT_SetError(error); + PORT_SetError(error); } - + return rv; } @@ -1184,70 +1197,69 @@ done: */ static SECStatus pk11_mergeObject(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE id, void *targetPwArg, void *sourcePwArg) { CK_OBJECT_CLASS objClass; - objClass = PK11_ReadULongAttribute(sourceSlot, id, CKA_CLASS); - if (objClass == (CK_ULONG) -1) { - PORT_SetError( SEC_ERROR_UNKNOWN_OBJECT_TYPE ); - return SECFailure; + if (objClass == (CK_ULONG)-1) { + PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); + return SECFailure; } switch (objClass) { - case CKO_CERTIFICATE: - return pk11_mergeCert(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_NSS_TRUST: - return pk11_mergeTrust(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_PUBLIC_KEY: - return pk11_mergePublicKey(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_PRIVATE_KEY: - return pk11_mergePrivateKey(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_SECRET_KEY: - return pk11_mergeSecretKey(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_NSS_CRL: - return pk11_mergeCrl(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - case CKO_NSS_SMIME: - return pk11_mergeSmime(targetSlot, sourceSlot, id, - targetPwArg, sourcePwArg); - default: - break; - } - - PORT_SetError( SEC_ERROR_UNKNOWN_OBJECT_TYPE ); + case CKO_CERTIFICATE: + return pk11_mergeCert(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_NSS_TRUST: + return pk11_mergeTrust(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_PUBLIC_KEY: + return pk11_mergePublicKey(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_PRIVATE_KEY: + return pk11_mergePrivateKey(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_SECRET_KEY: + return pk11_mergeSecretKey(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_NSS_CRL: + return pk11_mergeCrl(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + case CKO_NSS_SMIME: + return pk11_mergeSmime(targetSlot, sourceSlot, id, + targetPwArg, sourcePwArg); + default: + break; + } + + PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); return SECFailure; } PK11MergeLogNode * pk11_newMergeLogNode(PLArenaPool *arena, - PK11SlotInfo *slot, CK_OBJECT_HANDLE id, int error) + PK11SlotInfo *slot, CK_OBJECT_HANDLE id, int error) { PK11MergeLogNode *newLog; PK11GenericObject *obj; newLog = PORT_ArenaZNew(arena, PK11MergeLogNode); if (newLog == NULL) { - return NULL; + return NULL; } obj = PORT_ArenaZNew(arena, PK11GenericObject); - if ( !obj ) { - return NULL; + if (!obj) { + return NULL; } /* initialize it */ obj->slot = slot; obj->objectID = id; - newLog->object= obj; + newLog->object = obj; newLog->error = error; return newLog; } @@ -1257,63 +1269,63 @@ pk11_newMergeLogNode(PLArenaPool *arena, */ static SECStatus pk11_mergeByObjectIDs(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - CK_OBJECT_HANDLE *objectIDs, int count, - PK11MergeLog *log, void *targetPwArg, void *sourcePwArg) + CK_OBJECT_HANDLE *objectIDs, int count, + PK11MergeLog *log, void *targetPwArg, void *sourcePwArg) { SECStatus rv = SECSuccess; int error = SEC_ERROR_LIBRARY_FAILURE; int i; - - for (i=0; i < count; i++) { - /* try to update the entire database. On failure, keep going, - * but remember the error to report back to the caller */ - SECStatus lrv; - PK11MergeLogNode *newLog; - - lrv= pk11_mergeObject(targetSlot, sourceSlot, objectIDs[i], - targetPwArg, sourcePwArg); - if (lrv == SECSuccess) { - /* merged with no problem, go to next object */ - continue; - } - - /* remember that we failed and why */ - rv = SECFailure; - error = PORT_GetError(); - - /* log the errors */ - if (!log) { - /* not logging, go to next entry */ - continue; - } - newLog = pk11_newMergeLogNode(log->arena, sourceSlot, - objectIDs[i], error); - if (!newLog) { - /* failed to allocate entry, just keep going */ - continue; - } - - /* link in the errorlog entry */ - newLog->next = NULL; - if (log->tail) { - log->tail->next = newLog; - } else { - log->head = newLog; - } - newLog->prev = log->tail; - log->tail = newLog; + + for (i = 0; i < count; i++) { + /* try to update the entire database. On failure, keep going, + * but remember the error to report back to the caller */ + SECStatus lrv; + PK11MergeLogNode *newLog; + + lrv = pk11_mergeObject(targetSlot, sourceSlot, objectIDs[i], + targetPwArg, sourcePwArg); + if (lrv == SECSuccess) { + /* merged with no problem, go to next object */ + continue; + } + + /* remember that we failed and why */ + rv = SECFailure; + error = PORT_GetError(); + + /* log the errors */ + if (!log) { + /* not logging, go to next entry */ + continue; + } + newLog = pk11_newMergeLogNode(log->arena, sourceSlot, + objectIDs[i], error); + if (!newLog) { + /* failed to allocate entry, just keep going */ + continue; + } + + /* link in the errorlog entry */ + newLog->next = NULL; + if (log->tail) { + log->tail->next = newLog; + } else { + log->head = newLog; + } + newLog->prev = log->tail; + log->tail = newLog; } /* restore the last error code */ if (rv != SECSuccess) { - PORT_SetError(error); + PORT_SetError(error); } return rv; } /* * Merge all the records in sourceSlot that aren't in targetSlot - * + * * This function will return failure if not all the objects * successfully merged. * @@ -1323,7 +1335,7 @@ pk11_mergeByObjectIDs(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, */ SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - PK11MergeLog *log, void *targetPwArg, void *sourcePwArg) + PK11MergeLog *log, void *targetPwArg, void *sourcePwArg) { SECStatus rv = SECSuccess, lrv = SECSuccess; int error = SEC_ERROR_LIBRARY_FAILURE; @@ -1340,25 +1352,25 @@ PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, */ rv = PK11_Authenticate(targetSlot, PR_TRUE, targetPwArg); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = PK11_Authenticate(sourceSlot, PR_TRUE, sourcePwArg); if (rv != SECSuccess) { - goto loser; + goto loser; } /* turns out the old DB's are rather fragile if the private keys aren't * merged in first, so do the private keys explicity. */ objectIDs = pk11_FindObjectsByTemplate(sourceSlot, search, 2, &count); if (objectIDs) { - lrv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, - objectIDs, count, log, - targetPwArg, sourcePwArg); - if (lrv != SECSuccess) { - error = PORT_GetError(); - } - PORT_Free(objectIDs); - count = 0; + lrv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, + objectIDs, count, log, + targetPwArg, sourcePwArg); + if (lrv != SECSuccess) { + error = PORT_GetError(); + } + PORT_Free(objectIDs); + count = 0; } /* now do the rest (NOTE: this will repeat the private keys, but @@ -1366,26 +1378,26 @@ PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, * merged in */ objectIDs = pk11_FindObjectsByTemplate(sourceSlot, search, 1, &count); if (!objectIDs) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } - rv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, objectIDs, count, log, - targetPwArg, sourcePwArg); + rv = pk11_mergeByObjectIDs(targetSlot, sourceSlot, objectIDs, count, log, + targetPwArg, sourcePwArg); if (rv == SECSuccess) { - /* if private keys failed, but the rest succeeded, be sure to let - * the caller know that private keys failed and why. - * NOTE: this is highly unlikely since the same keys that failed - * in the previous merge call will most likely fail in this one */ - if (lrv != SECSuccess) { - rv = lrv; - PORT_SetError(error); - } + /* if private keys failed, but the rest succeeded, be sure to let + * the caller know that private keys failed and why. + * NOTE: this is highly unlikely since the same keys that failed + * in the previous merge call will most likely fail in this one */ + if (lrv != SECSuccess) { + rv = lrv; + PORT_SetError(error); + } } loser: if (objectIDs) { - PORT_Free(objectIDs); + PORT_Free(objectIDs); } return rv; } @@ -1396,15 +1408,15 @@ PK11_CreateMergeLog(void) PLArenaPool *arena; PK11MergeLog *log; - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - return NULL; + return NULL; } log = PORT_ArenaZNew(arena, PK11MergeLog); if (log == NULL) { - PORT_FreeArena(arena,PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } log->arena = arena; log->version = 1; @@ -1414,7 +1426,7 @@ PK11_CreateMergeLog(void) void PK11_DestroyMergeLog(PK11MergeLog *log) { - if (log && log->arena) { - PORT_FreeArena(log->arena, PR_FALSE); + if (log && log->arena) { + PORT_FreeArena(log->arena, PR_FALSE); } } diff --git a/nss/lib/pk11wrap/pk11nobj.c b/nss/lib/pk11wrap/pk11nobj.c index dcca434..41d1d96 100644 --- a/nss/lib/pk11wrap/pk11nobj.c +++ b/nss/lib/pk11wrap/pk11nobj.c @@ -14,20 +14,20 @@ #include "pkcs11.h" #include "pk11func.h" #include "cert.h" -#include "certi.h" +#include "certi.h" #include "secitem.h" -#include "sechash.h" +#include "sechash.h" #include "secoid.h" -#include "certdb.h" +#include "certdb.h" #include "secerr.h" #include "pki3hack.h" -#include "dev3hack.h" +#include "dev3hack.h" -#include "devm.h" +#include "devm.h" #include "pki.h" -#include "pkim.h" +#include "pkim.h" extern const NSSError NSS_ERROR_NOT_FOUND; @@ -35,135 +35,135 @@ CK_TRUST pk11_GetTrustField(PK11SlotInfo *slot, PLArenaPool *arena, CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type) { - CK_TRUST rv = 0; - SECItem item; + CK_TRUST rv = 0; + SECItem item; - item.data = NULL; - item.len = 0; + item.data = NULL; + item.len = 0; - if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) { - PORT_Assert(item.len == sizeof(CK_TRUST)); - PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST)); - /* Damn, is there an endian problem here? */ - return rv; - } + if (SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item)) { + PORT_Assert(item.len == sizeof(CK_TRUST)); + PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST)); + /* Damn, is there an endian problem here? */ + return rv; + } - return 0; + return 0; } PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust) { - PLArenaPool *arena; - - CK_ATTRIBUTE tobjTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_CERT_SHA1_HASH, NULL, 0 }, - }; + PLArenaPool *arena; - CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; - CK_OBJECT_HANDLE tobjID; - unsigned char sha1_hash[SHA1_LENGTH]; + CK_ATTRIBUTE tobjTemplate[] = { + { CKA_CLASS, NULL, 0 }, + { CKA_CERT_SHA1_HASH, NULL, 0 }, + }; - CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth; + CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST; + CK_OBJECT_HANDLE tobjID; + unsigned char sha1_hash[SHA1_LENGTH]; - PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len); + CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth; - PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc)); - PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, - SHA1_LENGTH); + PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len); - tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, - sizeof(tobjTemplate)/sizeof(tobjTemplate[0])); - if( CK_INVALID_HANDLE == tobjID ) { - return PR_FALSE; - } + PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc)); + PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash, + SHA1_LENGTH); - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if( NULL == arena ) return PR_FALSE; + tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate, + sizeof(tobjTemplate) / sizeof(tobjTemplate[0])); + if (CK_INVALID_HANDLE == tobjID) { + return PR_FALSE; + } - /* Unfortunately, it seems that PK11_GetAttributes doesn't deal - * well with nonexistent attributes. I guess we have to check - * the trust info fields one at a time. - */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (NULL == arena) + return PR_FALSE; - /* We could verify CKA_CERT_HASH here */ + /* Unfortunately, it seems that PK11_GetAttributes doesn't deal + * well with nonexistent attributes. I guess we have to check + * the trust info fields one at a time. + */ - /* We could verify CKA_EXPIRES here */ + /* We could verify CKA_CERT_HASH here */ + /* We could verify CKA_EXPIRES here */ - /* "Purpose" trust information */ - serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH); - clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH); - codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING); - emailProtection = pk11_GetTrustField(slot, arena, tobjID, - CKA_TRUST_EMAIL_PROTECTION); - /* Here's where the fun logic happens. We have to map back from the - * key usage, extended key usage, purpose, and possibly other trust values - * into the old trust-flags bits. */ + /* "Purpose" trust information */ + serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH); + clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH); + codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING); + emailProtection = pk11_GetTrustField(slot, arena, tobjID, + CKA_TRUST_EMAIL_PROTECTION); + /* Here's where the fun logic happens. We have to map back from the + * key usage, extended key usage, purpose, and possibly other trust values + * into the old trust-flags bits. */ - /* First implementation: keep it simple for testing. We can study what other - * mappings would be appropriate and add them later.. fgmr 20000724 */ + /* First implementation: keep it simple for testing. We can study what other + * mappings would be appropriate and add them later.. fgmr 20000724 */ - if ( serverAuth == CKT_NSS_TRUSTED ) { - trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (serverAuth == CKT_NSS_TRUSTED) { + trust->sslFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if ( serverAuth == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | - CERTDB_NS_TRUSTED_CA; - } - if ( clientAuth == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA ; - } + if (serverAuth == CKT_NSS_TRUSTED_DELEGATOR) { + trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | + CERTDB_NS_TRUSTED_CA; + } + if (clientAuth == CKT_NSS_TRUSTED_DELEGATOR) { + trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA; + } - if ( emailProtection == CKT_NSS_TRUSTED ) { - trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (emailProtection == CKT_NSS_TRUSTED) { + trust->emailFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if ( emailProtection == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; - } + if (emailProtection == CKT_NSS_TRUSTED_DELEGATOR) { + trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; + } - if( codeSigning == CKT_NSS_TRUSTED ) { - trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; - } + if (codeSigning == CKT_NSS_TRUSTED) { + trust->objectSigningFlags |= CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED; + } - if( codeSigning == CKT_NSS_TRUSTED_DELEGATOR ) { - trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; - } + if (codeSigning == CKT_NSS_TRUSTED_DELEGATOR) { + trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA; + } - /* There's certainly a lot more logic that can go here.. */ + /* There's certainly a lot more logic that can go here.. */ - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); - return PR_TRUE; + return PR_TRUE; } static SECStatus pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) { SECItem derCrl; - CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg; + CERTCrlHeadNode *head = (CERTCrlHeadNode *)arg; CERTCrlNode *new_node = NULL; CK_ATTRIBUTE fetchCrl[3] = { - { CKA_VALUE, NULL, 0}, - { CKA_NETSCAPE_KRL, NULL, 0}, - { CKA_NETSCAPE_URL, NULL, 0}, + { CKA_VALUE, NULL, 0 }, + { CKA_NETSCAPE_KRL, NULL, 0 }, + { CKA_NETSCAPE_URL, NULL, 0 }, }; - const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]); + const int fetchCrlSize = sizeof(fetchCrl) / sizeof(fetchCrl[2]); CK_RV crv; SECStatus rv = SECFailure; - crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize); + crv = PK11_GetAttributes(head->arena, slot, crlID, fetchCrl, fetchCrlSize); if (CKR_OK != crv) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!fetchCrl[1].pValue) { - PORT_SetError(SEC_ERROR_CRL_INVALID); - goto loser; + PORT_SetError(SEC_ERROR_CRL_INVALID); + goto loser; } new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode)); @@ -179,15 +179,15 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) derCrl.type = siBuffer; derCrl.data = (unsigned char *)fetchCrl[0].pValue; derCrl.len = fetchCrl[0].ulValueLen; - new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type); + new_node->crl = CERT_DecodeDERCrl(head->arena, &derCrl, new_node->type); if (new_node->crl == NULL) { - goto loser; + goto loser; } if (fetchCrl[2].pValue) { int nnlen = fetchCrl[2].ulValueLen; - new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen+1); - if ( !new_node->crl->url ) { + new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen + 1); + if (!new_node->crl->url) { goto loser; } PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen); @@ -196,7 +196,6 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) new_node->crl->url = NULL; } - new_node->next = NULL; if (head->last) { head->last->next = new_node; @@ -207,7 +206,7 @@ pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) rv = SECSuccess; loser: - return(rv); + return (rv); } /* @@ -215,7 +214,8 @@ loser: * CRLs are allocated in the list's arena. */ SECStatus -PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { +PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) +{ pk11TraverseSlot creater; CK_ATTRIBUTE theTemplate[2]; CK_ATTRIBUTE *attrs; @@ -223,14 +223,16 @@ PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { CK_BBOOL isKrl = CK_FALSE; attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); + attrs++; if (type != -1) { - isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE); - PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++; + isKrl = (CK_BBOOL)(type == SEC_KRL_TYPE); + PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); + attrs++; } creater.callback = pk11_CollectCrls; - creater.callbackArg = (void *) nodes; + creater.callbackArg = (void *)nodes; creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); @@ -238,7 +240,7 @@ PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) { } struct crlOptionsStr { - CERTCrlHeadNode* head; + CERTCrlHeadNode *head; PRInt32 decodeOptions; }; @@ -248,32 +250,32 @@ static SECStatus pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg) { - SECItem* derCrl = NULL; - crlOptions* options = (crlOptions*) arg; + SECItem *derCrl = NULL; + crlOptions *options = (crlOptions *)arg; CERTCrlHeadNode *head = options->head; CERTCrlNode *new_node = NULL; CK_ATTRIBUTE fetchCrl[3] = { - { CKA_VALUE, NULL, 0}, - { CKA_NETSCAPE_KRL, NULL, 0}, - { CKA_NETSCAPE_URL, NULL, 0}, + { CKA_VALUE, NULL, 0 }, + { CKA_NETSCAPE_KRL, NULL, 0 }, + { CKA_NETSCAPE_URL, NULL, 0 }, }; - const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]); + const int fetchCrlSize = sizeof(fetchCrl) / sizeof(fetchCrl[2]); CK_RV crv; SECStatus rv = SECFailure; PRBool adopted = PR_FALSE; /* whether the CRL adopted the DER memory successfully */ int i; - crv = PK11_GetAttributes(NULL,slot,crlID,fetchCrl,fetchCrlSize); + crv = PK11_GetAttributes(NULL, slot, crlID, fetchCrl, fetchCrlSize); if (CKR_OK != crv) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!fetchCrl[1].pValue) { /* reject KRLs */ - PORT_SetError(SEC_ERROR_CRL_INVALID); - goto loser; + PORT_SetError(SEC_ERROR_CRL_INVALID); + goto loser; } new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, @@ -291,20 +293,20 @@ pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, derCrl->type = siBuffer; derCrl->data = (unsigned char *)fetchCrl[0].pValue; derCrl->len = fetchCrl[0].ulValueLen; - new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl,new_node->type, + new_node->crl = CERT_DecodeDERCrlWithFlags(NULL, derCrl, new_node->type, options->decodeOptions); if (new_node->crl == NULL) { - goto loser; - } + goto loser; + } adopted = PR_TRUE; /* now that the CRL has adopted the DER memory, we won't need to free it upon exit */ if (fetchCrl[2].pValue && fetchCrl[2].ulValueLen) { /* copy the URL if there is one */ int nnlen = fetchCrl[2].ulValueLen; - new_node->crl->url = (char *)PORT_ArenaAlloc(new_node->crl->arena, - nnlen+1); - if ( !new_node->crl->url ) { + new_node->crl->url = (char *)PORT_ArenaAlloc(new_node->crl->arena, + nnlen + 1); + if (!new_node->crl->url) { goto loser; } PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen); @@ -326,7 +328,7 @@ pk11_RetrieveCrlsCallback(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, loser: /* free attributes that weren't adopted by the CRL */ - for (i=1;i<fetchCrlSize;i++) { + for (i = 1; i < fetchCrlSize; i++) { if (fetchCrl[i].pValue) { PORT_Free(fetchCrl[i].pValue); } @@ -342,7 +344,7 @@ loser: /* free the memory for the SECItem structure itself */ SECITEM_FreeItem(derCrl, PR_TRUE); } - return(rv); + return (rv); } /* @@ -351,8 +353,9 @@ loser: * arena, so that they can be used individually in the CRL cache . * CRLs are always partially decoded for efficiency. */ -SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, - void *wincx) +SECStatus +pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem *issuer, + void *wincx) { pk11TraverseSlot creater; CK_ATTRIBUTE theTemplate[2]; @@ -361,27 +364,27 @@ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, crlOptions options; attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); + attrs++; options.head = nodes; - /* - do a partial decoding - we don't need to decode the entries while - fetching + /* - do a partial decoding - we don't need to decode the entries while fetching - don't copy the DER for optimal performance - CRL can be very large - have the CRL objects adopt the DER, so SEC_DestroyCrl will free it - keep bad CRL objects. The CRL cache is interested in them, for security purposes. Bad CRL objects are a sign of something amiss. - */ + */ options.decodeOptions = CRL_DECODE_SKIP_ENTRIES | CRL_DECODE_DONT_COPY_DER | CRL_DECODE_ADOPT_HEAP_DER | CRL_DECODE_KEEP_BAD_CRL; - if (issuer) - { - PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); attrs++; + if (issuer) { + PK11_SETATTRS(attrs, CKA_SUBJECT, issuer->data, issuer->len); + attrs++; } creater.callback = pk11_RetrieveCrlsCallback; - creater.callbackArg = (void *) &options; + creater.callbackArg = (void *)&options; creater.findTemplate = theTemplate; creater.templateCount = (attrs - theTemplate); @@ -389,71 +392,70 @@ SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, } /* - * return the crl associated with a derSubjectName + * return the crl associated with a derSubjectName */ SECItem * PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, - SECItem *name, int type, char **pUrl) + SECItem *name, int type, char **pUrl) { NSSCRL **crls, **crlp, *crl = NULL; NSSDER subject; SECItem *rvItem; NSSTrustDomain *td = STAN_GetDefaultTrustDomain(); - char * url = NULL; + char *url = NULL; PORT_SetError(0); NSSITEM_FROM_SECITEM(&subject, name); if (*slot) { - nssCryptokiObject **instances; - nssPKIObjectCollection *collection; - nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; - NSSToken *token = PK11Slot_GetNSSToken(*slot); - collection = nssCRLCollection_Create(td, NULL); - if (!collection) { - goto loser; - } - instances = nssToken_FindCRLsBySubject(token, NULL, &subject, - tokenOnly, 0, NULL); - nssPKIObjectCollection_AddInstances(collection, instances, 0); - nss_ZFreeIf(instances); - crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); - nssPKIObjectCollection_Destroy(collection); + nssCryptokiObject **instances; + nssPKIObjectCollection *collection; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + NSSToken *token = PK11Slot_GetNSSToken(*slot); + collection = nssCRLCollection_Create(td, NULL); + if (!collection) { + goto loser; + } + instances = nssToken_FindCRLsBySubject(token, NULL, &subject, + tokenOnly, 0, NULL); + nssPKIObjectCollection_AddInstances(collection, instances, 0); + nss_ZFreeIf(instances); + crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL); + nssPKIObjectCollection_Destroy(collection); } else { - crls = nssTrustDomain_FindCRLsBySubject(td, &subject); + crls = nssTrustDomain_FindCRLsBySubject(td, &subject); } if ((!crls) || (*crls == NULL)) { - if (crls) { - nssCRLArray_Destroy(crls); - } - if (NSS_GetError() == NSS_ERROR_NOT_FOUND) { - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); - } - goto loser; + if (crls) { + nssCRLArray_Destroy(crls); + } + if (NSS_GetError() == NSS_ERROR_NOT_FOUND) { + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + } + goto loser; } for (crlp = crls; *crlp; crlp++) { - if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) || - ((*crlp)->isKRL && type != SEC_CRL_TYPE)) - { - crl = nssCRL_AddRef(*crlp); - break; - } + if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) || + ((*crlp)->isKRL && type != SEC_CRL_TYPE)) { + crl = nssCRL_AddRef(*crlp); + break; + } } nssCRLArray_Destroy(crls); - if (!crl) { - /* CRL collection was found, but no interesting CRL's were on it. - * Not an error */ - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); - goto loser; + if (!crl) { + /* CRL collection was found, but no interesting CRL's were on it. + * Not an error */ + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + goto loser; } if (crl->url) { - url = PORT_Strdup(crl->url); - if (!url) { - goto loser; - } + url = PORT_Strdup(crl->url); + if (!url) { + goto loser; + } } rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size); if (!rvItem) { - goto loser; + goto loser; } memcpy(rvItem->data, crl->encoding.data, crl->encoding.size); *slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot); @@ -464,18 +466,18 @@ PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle, loser: if (url) - PORT_Free(url); + PORT_Free(url); if (crl) - nssCRL_Destroy(crl); + nssCRL_Destroy(crl); if (PORT_GetError() == 0) { - PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); + PORT_SetError(SEC_ERROR_CRL_NOT_FOUND); } return NULL; } CK_OBJECT_HANDLE -PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, - char *url, int type) +PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, + char *url, int type) { NSSItem derCRL, derSubject; NSSToken *token = PK11Slot_GetNSSToken(slot); @@ -486,20 +488,19 @@ PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name, NSSITEM_FROM_SECITEM(&derSubject, name); NSSITEM_FROM_SECITEM(&derCRL, crl); - object = nssToken_ImportCRL(token, NULL, + object = nssToken_ImportCRL(token, NULL, &derSubject, &derCRL, isKRL, url, PR_TRUE); if (object) { - rvH = object->handle; - nssCryptokiObject_Destroy(object); + rvH = object->handle; + nssCryptokiObject_Destroy(object); } else { - rvH = CK_INVALID_HANDLE; + rvH = CK_INVALID_HANDLE; PORT_SetError(SEC_ERROR_CRL_IMPORT_FAILED); } return rvH; } - /* * delete a crl. */ @@ -513,9 +514,9 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) if (slot == NULL) { PORT_Assert(slot); - /* shouldn't happen */ - PORT_SetError( SEC_ERROR_CRL_INVALID); - return SECFailure; + /* shouldn't happen */ + PORT_SetError(SEC_ERROR_CRL_INVALID); + return SECFailure; } token = PK11Slot_GetNSSToken(slot); @@ -534,129 +535,130 @@ SEC_DeletePermCRL(CERTSignedCrl *crl) } /* - * return the certificate associated with a derCert + * return the certificate associated with a derCert */ SECItem * PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr, - SECItem *name, SECItem **profileTime) + SECItem *name, SECItem **profileTime) { CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME; CK_ATTRIBUTE theTemplate[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, - { CKA_NETSCAPE_EMAIL, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, + { CKA_NETSCAPE_EMAIL, NULL, 0 }, }; - CK_ATTRIBUTE smimeData[] = { - { CKA_SUBJECT, NULL, 0 }, - { CKA_VALUE, NULL, 0 }, + CK_ATTRIBUTE smimeData[] = { + { CKA_SUBJECT, NULL, 0 }, + { CKA_VALUE, NULL, 0 }, }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE; CK_ATTRIBUTE *attrs = theTemplate; CK_RV crv; SECItem *emailProfile = NULL; if (!emailAddr || !emailAddr[0]) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); - attrs++; + PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); + attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr)); + attrs++; if (*slot) { - smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize); + smimeh = pk11_FindObjectByTemplate(*slot, theTemplate, tsize); } else { - PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE,PR_TRUE,NULL); - PK11SlotListElement *le; - - if (!list) { - return NULL; - } - /* loop through all the slots */ - for (le = list->head; le; le = le->next) { - smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize); - if (smimeh != CK_INVALID_HANDLE) { - *slot = PK11_ReferenceSlot(le->slot); - break; - } - } - PK11_FreeSlotList(list); - } - + PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, + PR_FALSE, PR_TRUE, NULL); + PK11SlotListElement *le; + + if (!list) { + return NULL; + } + /* loop through all the slots */ + for (le = list->head; le; le = le->next) { + smimeh = pk11_FindObjectByTemplate(le->slot, theTemplate, tsize); + if (smimeh != CK_INVALID_HANDLE) { + *slot = PK11_ReferenceSlot(le->slot); + break; + } + } + PK11_FreeSlotList(list); + } + if (smimeh == CK_INVALID_HANDLE) { - PORT_SetError(SEC_ERROR_NO_KRL); - return NULL; + PORT_SetError(SEC_ERROR_NO_KRL); + return NULL; } if (profileTime) { - PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0); - } - - crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2); + PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0); + } + + crv = PK11_GetAttributes(NULL, *slot, smimeh, smimeData, 2); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError (crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } if (!profileTime) { - SECItem profileSubject; + SECItem profileSubject; - profileSubject.data = (unsigned char*) smimeData[0].pValue; - profileSubject.len = smimeData[0].ulValueLen; - if (!SECITEM_ItemsAreEqual(&profileSubject,name)) { - goto loser; - } + profileSubject.data = (unsigned char *)smimeData[0].pValue; + profileSubject.len = smimeData[0].ulValueLen; + if (!SECITEM_ItemsAreEqual(&profileSubject, name)) { + goto loser; + } } - emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); if (emailProfile == NULL) { - goto loser; + goto loser; } - emailProfile->data = (unsigned char*) smimeData[1].pValue; + emailProfile->data = (unsigned char *)smimeData[1].pValue; emailProfile->len = smimeData[1].ulValueLen; if (profileTime) { - *profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); - if (*profileTime) { - (*profileTime)->data = (unsigned char*) smimeData[0].pValue; - (*profileTime)->len = smimeData[0].ulValueLen; - } + *profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem)); + if (*profileTime) { + (*profileTime)->data = (unsigned char *)smimeData[0].pValue; + (*profileTime)->len = smimeData[0].ulValueLen; + } } loser: if (emailProfile == NULL) { - if (smimeData[1].pValue) { - PORT_Free(smimeData[1].pValue); - } + if (smimeData[1].pValue) { + PORT_Free(smimeData[1].pValue); + } } if (profileTime == NULL || *profileTime == NULL) { - if (smimeData[0].pValue) { - PORT_Free(smimeData[0].pValue); - } + if (smimeData[0].pValue) { + PORT_Free(smimeData[0].pValue); + } } return emailProfile; } - SECStatus PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, - SECItem *emailProfile, SECItem *profileTime) + SECItem *emailProfile, SECItem *profileTime) { CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME; CK_BBOOL ck_true = CK_TRUE; CK_ATTRIBUTE theTemplate[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_SUBJECT, NULL, 0 }, - { CKA_NETSCAPE_EMAIL, NULL, 0 }, - { CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 }, - { CKA_VALUE, NULL, 0 } + { CKA_CLASS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_SUBJECT, NULL, 0 }, + { CKA_NETSCAPE_EMAIL, NULL, 0 }, + { CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 }, + { CKA_VALUE, NULL, 0 } }; /* if you change the array, change the variable below as well */ int realSize = 0; @@ -666,60 +668,65 @@ PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, PK11SlotInfo *free_slot = NULL; CK_RV crv; #ifdef DEBUG - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); #endif - PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++; - PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, - emailAddr, PORT_Strlen(emailAddr)+1); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); + attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, + emailAddr, PORT_Strlen(emailAddr) + 1); + attrs++; if (profileTime) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data, - profileTime->len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data, - emailProfile->len); attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data, + profileTime->len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, emailProfile->data, + emailProfile->len); + attrs++; } realSize = attrs - theTemplate; - PORT_Assert (realSize <= tsize); + PORT_Assert(realSize <= tsize); if (slot == NULL) { - free_slot = slot = PK11_GetInternalKeySlot(); - /* we need to free the key slot in the end!!! */ + free_slot = slot = PK11_GetInternalKeySlot(); + /* we need to free the key slot in the end!!! */ } rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_READ_ONLY); - if (free_slot) { - PK11_FreeSlot(free_slot); - } - return SECFailure; + PORT_SetError(SEC_ERROR_READ_ONLY); + if (free_slot) { + PK11_FreeSlot(free_slot); + } + return SECFailure; } - crv = PK11_GETTAB(slot)-> - C_CreateObject(rwsession,theTemplate,realSize,&smimeh); + crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, theTemplate, realSize, &smimeh); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); } - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); if (free_slot) { - PK11_FreeSlot(free_slot); + PK11_FreeSlot(free_slot); } return SECSuccess; } - -CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url, - CERTSignedCrl *newCrl, SECItem *derCrl, int type); +CERTSignedCrl *crl_storeCRL(PK11SlotInfo *slot, char *url, + CERTSignedCrl *newCrl, SECItem *derCrl, int type); /* import the CRL into the token */ -CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, - int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena, - PRInt32 decodeoptions) +CERTSignedCrl * +PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, + int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, + PRInt32 decodeoptions) { CERTSignedCrl *newCrl, *crl; SECStatus rv; @@ -733,27 +740,27 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, if (newCrl == NULL) { if (type == SEC_CRL_TYPE) { /* only promote error when the error code is too generic */ - if (PORT_GetError () == SEC_ERROR_BAD_DER) + if (PORT_GetError() == SEC_ERROR_BAD_DER) PORT_SetError(SEC_ERROR_CRL_INVALID); - } else { + } else { PORT_SetError(SEC_ERROR_KRL_INVALID); } - break; + break; } - if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){ - CERTCertDBHandle* handle = CERT_GetDefaultCertDB(); + if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)) { + CERTCertDBHandle *handle = CERT_GetDefaultCertDB(); PR_ASSERT(handle != NULL); - caCert = CERT_FindCertByName (handle, - &newCrl->crl.derName); + caCert = CERT_FindCertByName(handle, + &newCrl->crl.derName); if (caCert == NULL) { - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); + PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); break; } /* If caCert is a v3 certificate, make sure that it can be used for crl signing purpose */ - rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN); + rv = CERT_CheckCertUsage(caCert, KU_CRL_SIGN); if (rv != SECSuccess) { break; } @@ -770,12 +777,12 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, } } - crl = crl_storeCRL(slot, url, newCrl, derCRL, type); + crl = crl_storeCRL(slot, url, newCrl, derCRL, type); } while (0); if (crl == NULL) { - SEC_DestroyCrl (newCrl); + SEC_DestroyCrl(newCrl); } if (caCert) { CERT_DestroyCertificate(caCert); diff --git a/nss/lib/pk11wrap/pk11obj.c b/nss/lib/pk11wrap/pk11obj.c index 848b45a..18850b2 100644 --- a/nss/lib/pk11wrap/pk11obj.c +++ b/nss/lib/pk11wrap/pk11obj.c @@ -11,7 +11,7 @@ #include "pkcs11.h" #include "pkcs11t.h" #include "pk11func.h" -#include "key.h" +#include "key.h" #include "secitem.h" #include "secerr.h" #include "sslerr.h" @@ -22,63 +22,68 @@ * Build a block big enough to hold the data */ SECItem * -PK11_BlockData(SECItem *data,unsigned long size) { +PK11_BlockData(SECItem *data, unsigned long size) +{ SECItem *newData; + if (size == 0u) + return NULL; + newData = (SECItem *)PORT_Alloc(sizeof(SECItem)); - if (newData == NULL) return NULL; + if (newData == NULL) + return NULL; - newData->len = (data->len + (size-1))/size; + newData->len = (data->len + (size - 1)) / size; newData->len *= size; - newData->data = (unsigned char *) PORT_ZAlloc(newData->len); + newData->data = (unsigned char *)PORT_ZAlloc(newData->len); if (newData->data == NULL) { - PORT_Free(newData); - return NULL; + PORT_Free(newData); + return NULL; } - PORT_Memset(newData->data,newData->len-data->len,newData->len); - PORT_Memcpy(newData->data,data->data,data->len); + PORT_Memset(newData->data, newData->len - data->len, newData->len); + PORT_Memcpy(newData->data, data->data, data->len); return newData; } - SECStatus -PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) { +PK11_DestroyObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object) +{ CK_RV crv; PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object); + crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session, object); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - return SECFailure; + return SECFailure; } return SECSuccess; } SECStatus -PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) { +PK11_DestroyTokenObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object) +{ CK_RV crv; SECStatus rv = SECSuccess; CK_SESSION_HANDLE rwsession; - rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; } - crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object); + crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession, object); if (crv != CKR_OK) { - rv = SECFailure; - PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; + PORT_SetError(PK11_MapError(crv)); } - PK11_RestoreROSession(slot,rwsession); + PK11_RestoreROSession(slot, rwsession); return rv; } /* - * Read in a single attribute into a SECItem. Allocate space for it with + * Read in a single attribute into a SECItem. Allocate space for it with * PORT_Alloc unless an arena is supplied. In the latter case use the arena * to allocate the space. * @@ -87,59 +92,62 @@ PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) { */ SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result) { + CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result) +{ CK_ATTRIBUTE attr = { 0, NULL, 0 }; CK_RV crv; attr.type = type; PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1); if (crv != CKR_OK) { - PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } if (arena) { - attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen); + attr.pValue = PORT_ArenaAlloc(arena, attr.ulValueLen); } else { - attr.pValue = PORT_Alloc(attr.ulValueLen); + attr.pValue = PORT_Alloc(attr.ulValueLen); } if (attr.pValue == NULL) { - PK11_ExitSlotMonitor(slot); - return SECFailure; + PK11_ExitSlotMonitor(slot); + return SECFailure; } - crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - if (!arena) PORT_Free(attr.pValue); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + if (!arena) + PORT_Free(attr.pValue); + return SECFailure; } - result->data = (unsigned char*)attr.pValue; + result->data = (unsigned char *)attr.pValue; result->len = attr.ulValueLen; return SECSuccess; } /* - * Read in a single attribute into As a Ulong. + * Read in a single attribute into As a Ulong. */ CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type) { + CK_ATTRIBUTE_TYPE type) +{ CK_ATTRIBUTE attr; CK_ULONG value = CK_UNAVAILABLE_INFORMATION; CK_RV crv; - PK11_SETATTRS(&attr,type,&value,sizeof(value)); + PK11_SETATTRS(&attr, type, &value, sizeof(value)); PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); + PORT_SetError(PK11_MapError(crv)); } return value; } @@ -148,23 +156,25 @@ PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, * check to see if a bool has been set. */ CK_BBOOL -PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, PRBool haslock ) +PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, PRBool haslock) { CK_BBOOL ckvalue = CK_FALSE; CK_ATTRIBUTE theTemplate; CK_RV crv; /* Prepare to retrieve the attribute. */ - PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) ); + PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL)); /* Retrieve attribute value. */ - if (!haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id, - &theTemplate, 1 ); - if (!haslock) PK11_ExitSlotMonitor(slot); - if( crv != CKR_OK ) { - PORT_SetError( PK11_MapError( crv ) ); + if (!haslock) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, + &theTemplate, 1); + if (!haslock) + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); return CK_FALSE; } @@ -176,80 +186,81 @@ PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id, * provided, allocate space out of the arena. */ CK_RV -PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot, - CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count) +PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count) { int i; - /* make pedantic happy... note that it's only used arena != NULL */ - void *mark = NULL; + /* make pedantic happy... note that it's only used arena != NULL */ + void *mark = NULL; CK_RV crv; PORT_Assert(slot->session != CK_INVALID_SESSION); if (slot->session == CK_INVALID_SESSION) - return CKR_SESSION_HANDLE_INVALID; + return CKR_SESSION_HANDLE_INVALID; /* * first get all the lengths of the parameters. */ PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, obj, attr, count); if (crv != CKR_OK) { - PK11_ExitSlotMonitor(slot); - return crv; + PK11_ExitSlotMonitor(slot); + return crv; } if (arena) { - mark = PORT_ArenaMark(arena); - if (mark == NULL) return CKR_HOST_MEMORY; + mark = PORT_ArenaMark(arena); + if (mark == NULL) + return CKR_HOST_MEMORY; } /* * now allocate space to store the results. */ - for (i=0; i < count; i++) { - if (attr[i].ulValueLen == 0) - continue; - if (arena) { - attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen); - if (attr[i].pValue == NULL) { - /* arena failures, just release the mark */ - PORT_ArenaRelease(arena,mark); - PK11_ExitSlotMonitor(slot); - return CKR_HOST_MEMORY; - } - } else { - attr[i].pValue = PORT_Alloc(attr[i].ulValueLen); - if (attr[i].pValue == NULL) { - /* Separate malloc failures, loop to release what we have - * so far */ - int j; - for (j= 0; j < i; j++) { - PORT_Free(attr[j].pValue); - /* don't give the caller pointers to freed memory */ - attr[j].pValue = NULL; - } - PK11_ExitSlotMonitor(slot); - return CKR_HOST_MEMORY; - } - } + for (i = 0; i < count; i++) { + if (attr[i].ulValueLen == 0) + continue; + if (arena) { + attr[i].pValue = PORT_ArenaAlloc(arena, attr[i].ulValueLen); + if (attr[i].pValue == NULL) { + /* arena failures, just release the mark */ + PORT_ArenaRelease(arena, mark); + PK11_ExitSlotMonitor(slot); + return CKR_HOST_MEMORY; + } + } else { + attr[i].pValue = PORT_Alloc(attr[i].ulValueLen); + if (attr[i].pValue == NULL) { + /* Separate malloc failures, loop to release what we have + * so far */ + int j; + for (j = 0; j < i; j++) { + PORT_Free(attr[j].pValue); + /* don't give the caller pointers to freed memory */ + attr[j].pValue = NULL; + } + PK11_ExitSlotMonitor(slot); + return CKR_HOST_MEMORY; + } + } } /* * finally get the results. */ - crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, obj, attr, count); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - if (arena) { - PORT_ArenaRelease(arena,mark); - } else { - for (i= 0; i < count; i++) { - PORT_Free(attr[i].pValue); - /* don't give the caller pointers to freed memory */ - attr[i].pValue = NULL; - } - } + if (arena) { + PORT_ArenaRelease(arena, mark); + } else { + for (i = 0; i < count; i++) { + PORT_Free(attr[i].pValue); + /* don't give the caller pointers to freed memory */ + attr[i].pValue = NULL; + } + } } else if (arena && mark) { - PORT_ArenaUnmark(arena,mark); + PORT_ArenaUnmark(arena, mark); } return crv; } @@ -257,25 +268,25 @@ PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot, PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) { - return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE); + return (PRBool)PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE); } char * -PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) +PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) { char *nickname = NULL; SECItem result; SECStatus rv; - rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result); + rv = PK11_ReadAttribute(slot, id, CKA_LABEL, NULL, &result); if (rv != SECSuccess) { - return NULL; + return NULL; } - nickname = PORT_ZAlloc(result.len+1); + nickname = PORT_ZAlloc(result.len + 1); if (nickname == NULL) { - PORT_Free(result.data); - return NULL; + PORT_Free(result.data); + return NULL; } PORT_Memcpy(nickname, result.data, result.len); PORT_Free(result.data); @@ -283,8 +294,8 @@ PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) } SECStatus -PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - const char *nickname) +PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + const char *nickname) { int len = PORT_Strlen(nickname); CK_ATTRIBUTE setTemplate; @@ -292,21 +303,21 @@ PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, CK_SESSION_HANDLE rwsession; if (len < 0) { - return SECFailure; + return SECFailure; } - PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len); + PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *)nickname, len); rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; } crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id, - &setTemplate, 1); + &setTemplate, 1); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -315,13 +326,14 @@ PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, * strip leading zero's from key material */ void -pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) { +pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) +{ char *ptr = (char *)attrib->pValue; unsigned long len = attrib->ulValueLen; while ((len > 1) && (*ptr == 0)) { - len--; - ptr++; + len--; + ptr++; } attrib->pValue = ptr; attrib->ulValueLen = len; @@ -332,68 +344,71 @@ pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib) { * 'exclusive' session. In this case owner becomes false. */ CK_SESSION_HANDLE -pk11_GetNewSession(PK11SlotInfo *slot,PRBool *owner) +pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner) { CK_SESSION_HANDLE session; - *owner = PR_TRUE; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - if ( PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, - slot,pk11_notify,&session) != CKR_OK) { - *owner = PR_FALSE; - session = slot->session; - } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + *owner = PR_TRUE; + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + if (PK11_GETTAB(slot)->C_OpenSession(slot->slotID, CKF_SERIAL_SESSION, + slot, pk11_notify, &session) != CKR_OK) { + *owner = PR_FALSE; + session = slot->session; + } + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); return session; } void -pk11_CloseSession(PK11SlotInfo *slot,CK_SESSION_HANDLE session,PRBool owner) +pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE session, PRBool owner) { - if (!owner) return; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - (void) PK11_GETTAB(slot)->C_CloseSession(session); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (!owner) + return; + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + (void)PK11_GETTAB(slot)->C_CloseSession(session); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); } - SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session, - const CK_ATTRIBUTE *theTemplate, int count, - PRBool token, CK_OBJECT_HANDLE *objectID) + const CK_ATTRIBUTE *theTemplate, int count, + PRBool token, CK_OBJECT_HANDLE *objectID) { - CK_SESSION_HANDLE rwsession; - CK_RV crv; - SECStatus rv = SECSuccess; - - rwsession = session; - if (token) { - rwsession = PK11_GetRWSession(slot); - } else if (rwsession == CK_INVALID_SESSION) { - rwsession = slot->session; - if (rwsession != CK_INVALID_SESSION) - PK11_EnterSlotMonitor(slot); - } - if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; - } - crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, - /* cast away const :-( */ (CK_ATTRIBUTE_PTR)theTemplate, - count, objectID); - if(crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - rv = SECFailure; - } - if (token) { - PK11_RestoreROSession(slot, rwsession); - } else if (session == CK_INVALID_SESSION) { - PK11_ExitSlotMonitor(slot); - } + CK_SESSION_HANDLE rwsession; + CK_RV crv; + SECStatus rv = SECSuccess; - return rv; -} + rwsession = session; + if (token) { + rwsession = PK11_GetRWSession(slot); + } else if (rwsession == CK_INVALID_SESSION) { + rwsession = slot->session; + if (rwsession != CK_INVALID_SESSION) + PK11_EnterSlotMonitor(slot); + } + if (rwsession == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + crv = PK11_GETTAB(slot)->C_CreateObject(rwsession, + /* cast away const :-( */ (CK_ATTRIBUTE_PTR)theTemplate, + count, objectID); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; + } + if (token) { + PK11_RestoreROSession(slot, rwsession); + } else if (session == CK_INVALID_SESSION) { + PK11_ExitSlotMonitor(slot); + } + return rv; +} /* This function may add a maximum of 9 attributes. */ unsigned int @@ -401,26 +416,25 @@ pk11_OpFlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue) { const static CK_ATTRIBUTE_TYPE attrTypes[12] = { - CKA_ENCRYPT, CKA_DECRYPT, 0 /* DIGEST */, CKA_SIGN, - CKA_SIGN_RECOVER, CKA_VERIFY, CKA_VERIFY_RECOVER, 0 /* GEN */, - 0 /* GEN PAIR */, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE + CKA_ENCRYPT, CKA_DECRYPT, 0 /* DIGEST */, CKA_SIGN, + CKA_SIGN_RECOVER, CKA_VERIFY, CKA_VERIFY_RECOVER, 0 /* GEN */, + 0 /* GEN PAIR */, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE }; - const CK_ATTRIBUTE_TYPE *pType = attrTypes; - CK_ATTRIBUTE *attr = attrs; - CK_FLAGS test = CKF_ENCRYPT; - + const CK_ATTRIBUTE_TYPE *pType = attrTypes; + CK_ATTRIBUTE *attr = attrs; + CK_FLAGS test = CKF_ENCRYPT; PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS)); flags &= CKF_KEY_OPERATION_FLAGS; for (; flags && test <= CKF_DERIVE; test <<= 1, ++pType) { - if (test & flags) { - flags ^= test; - PR_ASSERT(*pType); - PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); - ++attr; - } + if (test & flags) { + flags ^= test; + PR_ASSERT(*pType); + PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); + ++attr; + } } return (attr - attrs); } @@ -443,30 +457,30 @@ pk11_BadAttrFlags(PK11AttrFlags attrFlags) */ unsigned int pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags, CK_ATTRIBUTE *attrs, - CK_BBOOL *ckTrue, CK_BBOOL *ckFalse) + CK_BBOOL *ckTrue, CK_BBOOL *ckFalse) { const static CK_ATTRIBUTE_TYPE attrTypes[5] = { - CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_SENSITIVE, - CKA_EXTRACTABLE + CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_SENSITIVE, + CKA_EXTRACTABLE }; - const CK_ATTRIBUTE_TYPE *pType = attrTypes; - CK_ATTRIBUTE *attr = attrs; - PK11AttrFlags test = PK11_ATTR_TOKEN; + const CK_ATTRIBUTE_TYPE *pType = attrTypes; + CK_ATTRIBUTE *attr = attrs; + PK11AttrFlags test = PK11_ATTR_TOKEN; PR_ASSERT(!pk11_BadAttrFlags(attrFlags)); /* we test two related bitflags in each iteration */ for (; attrFlags && test <= PK11_ATTR_EXTRACTABLE; test <<= 2, ++pType) { - if (test & attrFlags) { - attrFlags ^= test; - PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); - ++attr; - } else if ((test << 1) & attrFlags) { - attrFlags ^= (test << 1); - PK11_SETATTRS(attr, *pType, ckFalse, sizeof *ckFalse); - ++attr; - } + if (test & attrFlags) { + attrFlags ^= test; + PK11_SETATTRS(attr, *pType, ckTrue, sizeof *ckTrue); + ++attr; + } else if ((test << 1) & attrFlags) { + attrFlags ^= (test << 1); + PK11_SETATTRS(attr, *pType, ckFalse, sizeof *ckFalse); + ++attr; + } } return (attr - attrs); } @@ -479,38 +493,40 @@ static int pk11_backupGetSignLength(SECKEYPrivateKey *key) { PK11SlotInfo *slot = key->pkcs11Slot; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; CK_ULONG len; CK_RV crv; - unsigned char h_data[20] = { 0 }; + unsigned char h_data[20] = { 0 }; unsigned char buf[20]; /* obviously to small */ CK_ULONG smallLen = sizeof(buf); mech.mechanism = PK11_MapSignKeyType(key->keyType); - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SignInit(session, &mech, key->pkcs11ID); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return -1; + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return -1; } len = 0; - crv = PK11_GETTAB(slot)->C_Sign(session,h_data,sizeof(h_data), - NULL, &len); + crv = PK11_GETTAB(slot)->C_Sign(session, h_data, sizeof(h_data), + NULL, &len); /* now call C_Sign with too small a buffer to clear the session state */ - (void) PK11_GETTAB(slot)-> - C_Sign(session,h_data,sizeof(h_data),buf,&smallLen); - - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + (void)PK11_GETTAB(slot)->C_Sign(session, h_data, sizeof(h_data), buf, &smallLen); + + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return -1; + PORT_SetError(PK11_MapError(crv)); + return -1; } return len; } @@ -522,50 +538,50 @@ int PK11_SignatureLen(SECKEYPrivateKey *key) { int val; - SECItem attributeItem = {siBuffer, NULL, 0}; + SECItem attributeItem = { siBuffer, NULL, 0 }; SECStatus rv; - int length; + int length; switch (key->keyType) { - case rsaKey: - val = PK11_GetPrivateModulusLen(key); - if (val == -1) { - return pk11_backupGetSignLength(key); - } - return (unsigned long) val; - - case fortezzaKey: - return 40; - - case dsaKey: - rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_SUBPRIME, - NULL, &attributeItem); - if (rv == SECSuccess) { - length = attributeItem.len; - if ((length > 0) && attributeItem.data[0] == 0) { - length--; - } - PORT_Free(attributeItem.data); - return length*2; - } - return pk11_backupGetSignLength(key); - - case ecKey: - rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_EC_PARAMS, - NULL, &attributeItem); - if (rv == SECSuccess) { - length = SECKEY_ECParamsToBasePointOrderLen(&attributeItem); - PORT_Free(attributeItem.data); - if (length != 0) { - length = ((length + 7)/8) * 2; - return length; - } - } - return pk11_backupGetSignLength(key); - default: - break; - } - PORT_SetError( SEC_ERROR_INVALID_KEY ); + case rsaKey: + val = PK11_GetPrivateModulusLen(key); + if (val == -1) { + return pk11_backupGetSignLength(key); + } + return (unsigned long)val; + + case fortezzaKey: + return 40; + + case dsaKey: + rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_SUBPRIME, + NULL, &attributeItem); + if (rv == SECSuccess) { + length = attributeItem.len; + if ((length > 0) && attributeItem.data[0] == 0) { + length--; + } + PORT_Free(attributeItem.data); + return length * 2; + } + return pk11_backupGetSignLength(key); + + case ecKey: + rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_EC_PARAMS, + NULL, &attributeItem); + if (rv == SECSuccess) { + length = SECKEY_ECParamsToBasePointOrderLen(&attributeItem); + PORT_Free(attributeItem.data); + if (length != 0) { + length = ((length + 7) / 8) * 2; + return length; + } + } + return pk11_backupGetSignLength(key); + default: + break; + } + PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; } @@ -579,36 +595,37 @@ PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject) CK_RV crv; PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_CopyObject(slot->session,srcObject,NULL,0, - &destObject); + crv = PK11_GETTAB(slot)->C_CopyObject(slot->session, srcObject, NULL, 0, + &destObject); PK11_ExitSlotMonitor(slot); - if (crv == CKR_OK) return destObject; - PORT_SetError( PK11_MapError(crv) ); + if (crv == CKR_OK) + return destObject; + PORT_SetError(PK11_MapError(crv)); return CK_INVALID_HANDLE; } PRBool pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs, - CK_ATTRIBUTE_TYPE target) + CK_ATTRIBUTE_TYPE target) { for (; numAttrs > 0; ++attr, --numAttrs) { - if (attr->type == target) - return PR_TRUE; + if (attr->type == target) + return PR_TRUE; } return PR_FALSE; } - + /* * Recover the Signed data. We need this because our old verify can't * figure out which hash algorithm to use until we decryptted this. */ SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig, - SECItem *dsig, void *wincx) + SECItem *dsig, void *wincx) { PK11SlotInfo *slot = key->pkcs11Slot; CK_OBJECT_HANDLE id = key->pkcs11ID; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; CK_ULONG len; @@ -617,43 +634,46 @@ PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig, mech.mechanism = PK11_MapSignKeyType(key->keyType); if (slot == NULL) { - slot = PK11_GetBestSlotWithAttributes(mech.mechanism, - CKF_VERIFY_RECOVER,0,wincx); - if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return SECFailure; - } - id = PK11_ImportPublicKey(slot,key,PR_FALSE); + slot = PK11_GetBestSlotWithAttributes(mech.mechanism, + CKF_VERIFY_RECOVER, 0, wincx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; + } + id = PK11_ImportPublicKey(slot, key, PR_FALSE); } else { - PK11_ReferenceSlot(slot); + PK11_ReferenceSlot(slot); } if (id == CK_INVALID_HANDLE) { - PK11_FreeSlot(slot); - PORT_SetError( SEC_ERROR_BAD_KEY ); - return SECFailure; + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; } - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session, &mech, id); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - PK11_FreeSlot(slot); - return SECFailure; + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + PK11_FreeSlot(slot); + return SECFailure; } len = dsig->len; - crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data, - sig->len, dsig->data, &len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + crv = PK11_GETTAB(slot)->C_VerifyRecover(session, sig->data, + sig->len, dsig->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); dsig->len = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - PK11_FreeSlot(slot); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + PK11_FreeSlot(slot); + return SECFailure; } PK11_FreeSlot(slot); return SECSuccess; @@ -664,69 +684,88 @@ PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig, */ SECStatus PK11_Verify(SECKEYPublicKey *key, const SECItem *sig, const SECItem *hash, - void *wincx) + void *wincx) +{ + CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType); + return PK11_VerifyWithMechanism(key, mech, NULL, sig, hash, wincx); +} + +/* + * Verify a signature from its hash using the given algorithm. + */ +SECStatus +PK11_VerifyWithMechanism(SECKEYPublicKey *key, CK_MECHANISM_TYPE mechanism, + const SECItem *param, const SECItem *sig, + const SECItem *hash, void *wincx) { PK11SlotInfo *slot = key->pkcs11Slot; CK_OBJECT_HANDLE id = key->pkcs11ID; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; CK_RV crv; - mech.mechanism = PK11_MapSignKeyType(key->keyType); + mech.mechanism = mechanism; + if (param) { + mech.pParameter = param->data; + mech.ulParameterLen = param->len; + } if (slot == NULL) { - unsigned int length = 0; - if ((mech.mechanism == CKM_DSA) && - /* 129 is 1024 bits translated to bytes and - * padded with an optional '0' to maintain a - * positive sign */ - (key->u.dsa.params.prime.len > 129)) { - /* we need to get a slot that not only can do DSA, but can do DSA2 - * key lengths */ - length = key->u.dsa.params.prime.len; - if (key->u.dsa.params.prime.data[0] == 0) { - length --; - } - /* convert keysize to bits for slot lookup */ - length *= 8; - } - slot = PK11_GetBestSlotWithAttributes(mech.mechanism, - CKF_VERIFY,length,wincx); - if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return SECFailure; - } - id = PK11_ImportPublicKey(slot,key,PR_FALSE); - + unsigned int length = 0; + if ((mech.mechanism == CKM_DSA) && + /* 129 is 1024 bits translated to bytes and + * padded with an optional '0' to maintain a + * positive sign */ + (key->u.dsa.params.prime.len > 129)) { + /* we need to get a slot that not only can do DSA, but can do DSA2 + * key lengths */ + length = key->u.dsa.params.prime.len; + if (key->u.dsa.params.prime.data[0] == 0) { + length--; + } + /* convert keysize to bits for slot lookup */ + length *= 8; + } + slot = PK11_GetBestSlotWithAttributes(mech.mechanism, + CKF_VERIFY, length, wincx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; + } + id = PK11_ImportPublicKey(slot, key, PR_FALSE); + } else { - PK11_ReferenceSlot(slot); + PK11_ReferenceSlot(slot); } if (id == CK_INVALID_HANDLE) { - PK11_FreeSlot(slot); - PORT_SetError( SEC_ERROR_BAD_KEY ); - return SECFailure; + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; } - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_VerifyInit(session, &mech, id); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PK11_FreeSlot(slot); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; - } - crv = PK11_GETTAB(slot)->C_Verify(session,hash->data, - hash->len, sig->data, sig->len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PK11_FreeSlot(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + crv = PK11_GETTAB(slot)->C_Verify(session, hash->data, + hash->len, sig->data, sig->len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); PK11_FreeSlot(slot); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -737,47 +776,65 @@ PK11_Verify(SECKEYPublicKey *key, const SECItem *sig, const SECItem *hash, SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, const SECItem *hash) { + CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType); + return PK11_SignWithMechanism(key, mech, NULL, sig, hash); +} + +/* + * Sign a hash using the given algorithm. + */ +SECStatus +PK11_SignWithMechanism(SECKEYPrivateKey *key, CK_MECHANISM_TYPE mechanism, + const SECItem *param, SECItem *sig, const SECItem *hash) +{ PK11SlotInfo *slot = key->pkcs11Slot; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; PRBool haslock = PR_FALSE; CK_ULONG len; CK_RV crv; - mech.mechanism = PK11_MapSignKeyType(key->keyType); + mech.mechanism = mechanism; + if (param) { + mech.pParameter = param->data; + mech.ulParameterLen = param->len; + } - if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) { - PK11_HandlePasswordCheck(slot, key->wincx); + if (SECKEY_HAS_ATTRIBUTE_SET(key, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, key->wincx); } - session = pk11_GetNewSession(slot,&owner); + session = pk11_GetNewSession(slot, &owner); haslock = (!owner || !(slot->isThreadSafe)); - if (haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID); + if (haslock) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SignInit(session, &mech, key->pkcs11ID); if (crv != CKR_OK) { - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } - /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then - * do C_Login with CKU_CONTEXT_SPECIFIC + /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then + * do C_Login with CKU_CONTEXT_SPECIFIC * between C_SignInit and C_Sign */ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { - PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); + PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); } len = sig->len; - crv = PK11_GETTAB(slot)->C_Sign(session,hash->data, - hash->len, sig->data, &len); - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + crv = PK11_GETTAB(slot)->C_Sign(session, hash->data, + hash->len, sig->data, &len); + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); sig->len = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -787,10 +844,10 @@ PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, const SECItem *hash) */ SECStatus PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, - SECItem *param, SECItem *sig, const SECItem *data) + SECItem *param, SECItem *sig, const SECItem *data) { PK11SlotInfo *slot = symKey->slot; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; PRBool haslock = PR_FALSE; @@ -799,30 +856,33 @@ PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, mech.mechanism = mechanism; if (param) { - mech.pParameter = param->data; - mech.ulParameterLen = param->len; + mech.pParameter = param->data; + mech.ulParameterLen = param->len; } - session = pk11_GetNewSession(slot,&owner); + session = pk11_GetNewSession(slot, &owner); haslock = (!owner || !(slot->isThreadSafe)); - if (haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,symKey->objectID); + if (haslock) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SignInit(session, &mech, symKey->objectID); if (crv != CKR_OK) { - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } len = sig->len; - crv = PK11_GETTAB(slot)->C_Sign(session,data->data, - data->len, sig->data, &len); - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + crv = PK11_GETTAB(slot)->C_Sign(session, data->data, + data->len, sig->data, &len); + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); sig->len = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -835,7 +895,7 @@ PK11_Decrypt(PK11SymKey *symKey, const unsigned char *enc, unsigned encLen) { PK11SlotInfo *slot = symKey->slot; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; CK_ULONG len = maxLen; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; @@ -844,29 +904,32 @@ PK11_Decrypt(PK11SymKey *symKey, mech.mechanism = mechanism; if (param) { - mech.pParameter = param->data; - mech.ulParameterLen = param->len; + mech.pParameter = param->data; + mech.ulParameterLen = param->len; } session = pk11_GetNewSession(slot, &owner); haslock = (!owner || !slot->isThreadSafe); - if (haslock) PK11_EnterSlotMonitor(slot); + if (haslock) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_DecryptInit(session, &mech, symKey->objectID); if (crv != CKR_OK) { - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot, session, owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen, out, &len); - if (haslock) PK11_ExitSlotMonitor(slot); + if (haslock) + PK11_ExitSlotMonitor(slot); pk11_CloseSession(slot, session, owner); *outLen = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -879,7 +942,7 @@ PK11_Encrypt(PK11SymKey *symKey, const unsigned char *data, unsigned int dataLen) { PK11SlotInfo *slot = symKey->slot; - CK_MECHANISM mech = {0, NULL, 0 }; + CK_MECHANISM mech = { 0, NULL, 0 }; CK_ULONG len = maxLen; PRBool owner = PR_TRUE; CK_SESSION_HANDLE session; @@ -888,35 +951,38 @@ PK11_Encrypt(PK11SymKey *symKey, mech.mechanism = mechanism; if (param) { - mech.pParameter = param->data; - mech.ulParameterLen = param->len; + mech.pParameter = param->data; + mech.ulParameterLen = param->len; } session = pk11_GetNewSession(slot, &owner); haslock = (!owner || !slot->isThreadSafe); - if (haslock) PK11_EnterSlotMonitor(slot); + if (haslock) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech, symKey->objectID); if (crv != CKR_OK) { - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } crv = PK11_GETTAB(slot)->C_Encrypt(session, (unsigned char *)data, dataLen, out, &len); - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); *outLen = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } static SECStatus pk11_PrivDecryptRaw(SECKEYPrivateKey *key, - unsigned char *data, unsigned *outLen, unsigned int maxLen, + unsigned char *data, unsigned *outLen, unsigned int maxLen, const unsigned char *enc, unsigned encLen, CK_MECHANISM_PTR mech) { @@ -928,44 +994,47 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *key, CK_RV crv; if (key->keyType != rsaKey) { - PORT_SetError( SEC_ERROR_INVALID_KEY ); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; } /* Why do we do a PK11_handle check here? for simple * decryption? .. because the user may have asked for 'ask always' * and this is a private key operation. In practice, thought, it's mute * since only servers wind up using this function */ - if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) { - PK11_HandlePasswordCheck(slot, key->wincx); + if (SECKEY_HAS_ATTRIBUTE_SET(key, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, key->wincx); } - session = pk11_GetNewSession(slot,&owner); + session = pk11_GetNewSession(slot, &owner); haslock = (!owner || !(slot->isThreadSafe)); - if (haslock) PK11_EnterSlotMonitor(slot); + if (haslock) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID); if (crv != CKR_OK) { - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } - /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then - * do C_Login with CKU_CONTEXT_SPECIFIC + /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then + * do C_Login with CKU_CONTEXT_SPECIFIC * between C_DecryptInit and C_Decrypt * ... But see note above about servers */ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { - PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); + PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); } crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen, - data, &out); - if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + data, &out); + if (haslock) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); *outLen = out; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -975,7 +1044,7 @@ PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, unsigned *outLen, unsigned int maxLen, const unsigned char *enc, unsigned encLen) { - CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; + CK_MECHANISM mech = { CKM_RSA_X_509, NULL, 0 }; return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); } @@ -984,7 +1053,7 @@ PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, unsigned *outLen, unsigned int maxLen, const unsigned char *enc, unsigned encLen) { - CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; + CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); } @@ -1002,39 +1071,42 @@ pk11_PubEncryptRaw(SECKEYPublicKey *key, CK_SESSION_HANDLE session; CK_RV crv; - slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx); + slot = PK11_GetBestSlotWithAttributes(mech->mechanism, CKF_ENCRYPT, 0, wincx); if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return SECFailure; + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; } - id = PK11_ImportPublicKey(slot,key,PR_FALSE); + id = PK11_ImportPublicKey(slot, key, PR_FALSE); if (id == CK_INVALID_HANDLE) { - PK11_FreeSlot(slot); - PORT_SetError( SEC_ERROR_BAD_KEY ); - return SECFailure; + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; } - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PK11_FreeSlot(slot); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; - } - crv = PK11_GETTAB(slot)->C_Encrypt(session,(unsigned char *)data,dataLen, - out,&len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PK11_FreeSlot(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + crv = PK11_GETTAB(slot)->C_Encrypt(session, (unsigned char *)data, dataLen, + out, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); PK11_FreeSlot(slot); *outLen = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -1045,11 +1117,11 @@ PK11_PubEncryptRaw(SECKEYPublicKey *key, const unsigned char *data, unsigned dataLen, void *wincx) { - CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; + CK_MECHANISM mech = { CKM_RSA_X_509, NULL, 0 }; unsigned int outLen; if (!key || key->keyType != rsaKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; } outLen = SECKEY_PublicKeyStrength(key); return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech, @@ -1062,11 +1134,11 @@ PK11_PubEncryptPKCS1(SECKEYPublicKey *key, const unsigned char *data, unsigned dataLen, void *wincx) { - CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; + CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 }; unsigned int outLen; if (!key || key->keyType != rsaKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; } outLen = SECKEY_PublicKeyStrength(key); return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech, @@ -1107,16 +1179,16 @@ PK11_PubEncrypt(SECKEYPublicKey *key, SECKEYPrivateKey * PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, - CK_MECHANISM_TYPE wrapType, SECItem *param, - SECItem *wrappedKey, SECItem *label, - SECItem *idValue, PRBool perm, PRBool sensitive, - CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, - int usageCount, void *wincx) + CK_MECHANISM_TYPE wrapType, SECItem *param, + SECItem *wrappedKey, SECItem *label, + SECItem *idValue, PRBool perm, PRBool sensitive, + CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, + int usageCount, void *wincx) { CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY; - CK_ATTRIBUTE keyTemplate[15] ; + CK_ATTRIBUTE keyTemplate[15]; int templateCount = 0; CK_OBJECT_HANDLE privKeyID; CK_MECHANISM mechanism; @@ -1127,125 +1199,134 @@ PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, PK11SymKey *newKey = NULL; int i; - if(!slot || !wrappedKey || !idValue) { - /* SET AN ERROR!!! */ - return NULL; + if (!slot || !wrappedKey || !idValue) { + /* SET AN ERROR!!! */ + return NULL; } ck_id = PK11_MakeIDFromPubKey(idValue); - if(!ck_id) { - return NULL; + if (!ck_id) { + return NULL; } PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse, - sizeof(cktrue)); attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++; + sizeof(cktrue)); + attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse, - sizeof(cktrue)); attrs++; + sizeof(cktrue)); + attrs++; PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse, - sizeof(cktrue)); attrs++; + sizeof(cktrue)); + attrs++; if (label && label->data) { - PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++; + PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); + attrs++; } - PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++; - for (i=0; i < usageCount; i++) { - PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++; + PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); + attrs++; + for (i = 0; i < usageCount; i++) { + PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); + attrs++; } if (PK11_IsInternal(slot)) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, - idValue->len); attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data, + idValue->len); + attrs++; } templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) ); + PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE))); mechanism.mechanism = wrapType; - if(!param) param = param_free= PK11_ParamFromIV(wrapType, NULL); - if(param) { - mechanism.pParameter = param->data; - mechanism.ulParameterLen = param->len; + if (!param) + param = param_free = PK11_ParamFromIV(wrapType, NULL); + if (param) { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; } else { - mechanism.pParameter = NULL; - mechanism.ulParameterLen = 0; + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; } if (wrappingKey->slot != slot) { - newKey = pk11_CopyToSlot(slot,wrapType,CKA_UNWRAP,wrappingKey); + newKey = pk11_CopyToSlot(slot, wrapType, CKA_UNWRAP, wrappingKey); } else { - newKey = PK11_ReferenceSymKey(wrappingKey); + newKey = PK11_ReferenceSymKey(wrappingKey); } if (newKey) { - if (perm) { - /* Get RW Session will either lock the monitor if necessary, - * or return a thread safe session handle, or fail. */ - rwsession = PK11_GetRWSession(slot); - } else { - rwsession = slot->session; - if (rwsession != CK_INVALID_SESSION) - PK11_EnterSlotMonitor(slot); - } + if (perm) { + /* Get RW Session will either lock the monitor if necessary, + * or return a thread safe session handle, or fail. */ + rwsession = PK11_GetRWSession(slot); + } else { + rwsession = slot->session; + if (rwsession != CK_INVALID_SESSION) + PK11_EnterSlotMonitor(slot); + } /* This is a lot a work to deal with fussy PKCS #11 modules * that can't bother to return BAD_DATA when presented with an * invalid session! */ - if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - goto loser; - } - crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, - newKey->objectID, - wrappedKey->data, - wrappedKey->len, keyTemplate, - templateCount, &privKeyID); - - if (perm) { - PK11_RestoreROSession(slot, rwsession); - } else { - PK11_ExitSlotMonitor(slot); - } - PK11_FreeSymKey(newKey); - newKey = NULL; + if (rwsession == CK_INVALID_SESSION) { + PORT_SetError(SEC_ERROR_BAD_DATA); + goto loser; + } + crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, + newKey->objectID, + wrappedKey->data, + wrappedKey->len, keyTemplate, + templateCount, &privKeyID); + + if (perm) { + PK11_RestoreROSession(slot, rwsession); + } else { + PK11_ExitSlotMonitor(slot); + } + PK11_FreeSymKey(newKey); + newKey = NULL; } else { - crv = CKR_FUNCTION_NOT_SUPPORTED; + crv = CKR_FUNCTION_NOT_SUPPORTED; } - if (ck_id) { - SECITEM_FreeItem(ck_id, PR_TRUE); - ck_id = NULL; - } + SECITEM_FreeItem(ck_id, PR_TRUE); + ck_id = NULL; if (crv != CKR_OK) { - /* we couldn't unwrap the key, use the internal module to do the - * unwrap, then load the new key into the token */ - PK11SlotInfo *int_slot = PK11_GetInternalSlot(); - - if (int_slot && (slot != int_slot)) { - SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot, - wrappingKey, wrapType, param, wrappedKey, label, - idValue, PR_FALSE, PR_FALSE, - keyType, usage, usageCount, wincx); - if (privKey) { - SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot,privKey, - NULL,perm,sensitive); - SECKEY_DestroyPrivateKey(privKey); - PK11_FreeSlot(int_slot); - return newPrivKey; - } - } - if (int_slot) PK11_FreeSlot(int_slot); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + /* we couldn't unwrap the key, use the internal module to do the + * unwrap, then load the new key into the token */ + PK11SlotInfo *int_slot = PK11_GetInternalSlot(); + + if (int_slot && (slot != int_slot)) { + SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot, + wrappingKey, wrapType, param, wrappedKey, label, + idValue, PR_FALSE, PR_FALSE, + keyType, usage, usageCount, wincx); + if (privKey) { + SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot, privKey, + NULL, perm, sensitive); + SECKEY_DestroyPrivateKey(privKey); + PK11_FreeSlot(int_slot); + return newPrivKey; + } + } + if (int_slot) + PK11_FreeSlot(int_slot); + PORT_SetError(PK11_MapError(crv)); + return NULL; } return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx); loser: if (newKey) { - PK11_FreeSymKey(newKey); + PK11_FreeSymKey(newKey); } if (ck_id) { - SECITEM_FreeItem(ck_id, PR_TRUE); + SECITEM_FreeItem(ck_id, PR_TRUE); } return NULL; } @@ -1257,69 +1338,69 @@ loser: * call C_WrapKey after all the setup has taken place. */ SECStatus -PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, - SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, void *wincx) +PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, + SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, void *wincx) { - PK11SlotInfo *privSlot = privKey->pkcs11Slot; /* The slot where - * the private key - * we are going to - * wrap lives. - */ - PK11SymKey *newSymKey = NULL; + PK11SlotInfo *privSlot = privKey->pkcs11Slot; /* The slot where + * the private key + * we are going to + * wrap lives. + */ + PK11SymKey *newSymKey = NULL; SECKEYPrivateKey *newPrivKey = NULL; - SECItem *param_free = NULL; - CK_ULONG len = wrappedKey->len; - CK_MECHANISM mech; - CK_RV crv; + SECItem *param_free = NULL; + CK_ULONG len = wrappedKey->len; + CK_MECHANISM mech; + CK_RV crv; if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) { /* Figure out a slot that does the mechanism and try to import - * the private key onto that slot. - */ + * the private key onto that slot. + */ PK11SlotInfo *int_slot = PK11_GetInternalSlot(); - privSlot = int_slot; /* The private key has a new home */ - newPrivKey = PK11_LoadPrivKey(privSlot,privKey,NULL,PR_FALSE,PR_FALSE); - /* newPrivKey has allocated its own reference to the slot, so it's - * safe until we destroy newPrivkey. - */ - PK11_FreeSlot(int_slot); - if (newPrivKey == NULL) { - return SECFailure; - } - privKey = newPrivKey; + privSlot = int_slot; /* The private key has a new home */ + newPrivKey = PK11_LoadPrivKey(privSlot, privKey, NULL, PR_FALSE, PR_FALSE); + /* newPrivKey has allocated its own reference to the slot, so it's + * safe until we destroy newPrivkey. + */ + PK11_FreeSlot(int_slot); + if (newPrivKey == NULL) { + return SECFailure; + } + privKey = newPrivKey; } if (privSlot != wrappingKey->slot) { - newSymKey = pk11_CopyToSlot (privSlot, wrapType, CKA_WRAP, - wrappingKey); - wrappingKey = newSymKey; + newSymKey = pk11_CopyToSlot(privSlot, wrapType, CKA_WRAP, + wrappingKey); + wrappingKey = newSymKey; } if (wrappingKey == NULL) { if (newPrivKey) { - SECKEY_DestroyPrivateKey(newPrivKey); - } - return SECFailure; + SECKEY_DestroyPrivateKey(newPrivKey); + } + return SECFailure; } mech.mechanism = wrapType; if (!param) { param = param_free = PK11_ParamFromIV(wrapType, NULL); } if (param) { - mech.pParameter = param->data; - mech.ulParameterLen = param->len; + mech.pParameter = param->data; + mech.ulParameterLen = param->len; } else { - mech.pParameter = NULL; - mech.ulParameterLen = 0; + mech.pParameter = NULL; + mech.ulParameterLen = 0; } PK11_EnterSlotMonitor(privSlot); - crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, - wrappingKey->objectID, - privKey->pkcs11ID, - wrappedKey->data, &len); + crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech, + wrappingKey->objectID, + privKey->pkcs11ID, + wrappedKey->data, &len); PK11_ExitSlotMonitor(privSlot); if (newSymKey) { @@ -1329,12 +1410,12 @@ PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, SECKEY_DestroyPrivateKey(newPrivKey); } if (param_free) { - SECITEM_FreeItem(param_free,PR_TRUE); + SECITEM_FreeItem(param_free, PR_TRUE); } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } wrappedKey->len = len; @@ -1351,7 +1432,7 @@ PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, */ firstObj = PK11_FindGenericObjects(slot, objClass); for (thisObj=firstObj; - thisObj; + thisObj; thisObj=PK11_GetNextGenericObject(thisObj)) { /* operate on thisObj */ } @@ -1360,14 +1441,14 @@ PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, */ firstObj = PK11_FindGenericObjects(slot, objClass); for (thisObj=firstObj; - thisObj; + thisObj; thisObj=PK11_GetNextGenericObject(thisObj)) { - if (isMyObj(thisObj)) { - if ( thisObj == firstObj) { + if (isMyObj(thisObj)) { + if ( thisObj == firstObj) { /* NOTE: firstObj could be NULL at this point */ - firstObj = PK11_GetNextGenericObject(thsObj); - } - PK11_UnlinkGenericObject(thisObj); + firstObj = PK11_GetNextGenericObject(thsObj); + } + PK11_UnlinkGenericObject(thisObj); myObj = thisObj; break; } @@ -1396,37 +1477,37 @@ PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass) PK11GenericObject *firstObj = NULL; int i, count = 0; + PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); + attrs++; - PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++; - - objectIDs = pk11_FindObjectsByTemplate(slot,template,1,&count); + objectIDs = pk11_FindObjectsByTemplate(slot, template, 1, &count); if (objectIDs == NULL) { - return NULL; + return NULL; } /* where we connect our object once we've created it.. */ - for (i=0; i < count; i++) { - obj = PORT_New(PK11GenericObject); - if ( !obj ) { - if (firstObj) { - PK11_DestroyGenericObjects(firstObj); - } - PORT_Free(objectIDs); - return NULL; - } - /* initialize it */ - obj->slot = PK11_ReferenceSlot(slot); - obj->objectID = objectIDs[i]; - obj->next = NULL; - obj->prev = NULL; - - /* link it in */ - if (firstObj == NULL) { - firstObj = obj; - } else { - PK11_LinkGenericObject(lastObj, obj); - } - lastObj = obj; + for (i = 0; i < count; i++) { + obj = PORT_New(PK11GenericObject); + if (!obj) { + if (firstObj) { + PK11_DestroyGenericObjects(firstObj); + } + PORT_Free(objectIDs); + return NULL; + } + /* initialize it */ + obj->slot = PK11_ReferenceSlot(slot); + obj->objectID = objectIDs[i]; + obj->next = NULL; + obj->prev = NULL; + + /* link it in */ + if (firstObj == NULL) { + firstObj = obj; + } else { + PK11_LinkGenericObject(lastObj, obj); + } + lastObj = obj; } PORT_Free(objectIDs); return firstObj; @@ -1459,9 +1540,9 @@ PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object) object->next = list->next; list->next = object; if (object->next != NULL) { - object->next->prev = object; + object->next->prev = object; } - return SECSuccess; + return SECSuccess; } /* @@ -1472,10 +1553,10 @@ SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object) { if (object->prev != NULL) { - object->prev->next = object->next; + object->prev->next = object->next; } if (object->next != NULL) { - object->next->prev = object->prev; + object->next->prev = object->prev; } object->next = NULL; @@ -1488,16 +1569,16 @@ PK11_UnlinkGenericObject(PK11GenericObject *object) * For an already unlinked object there is no difference between * PK11_DestroyGenericObject and PK11_DestroyGenericObjects */ -SECStatus +SECStatus PK11_DestroyGenericObject(PK11GenericObject *object) { if (object == NULL) { - return SECSuccess; + return SECSuccess; } PK11_UnlinkGenericObject(object); if (object->slot) { - PK11_FreeSlot(object->slot); + PK11_FreeSlot(object->slot); } PORT_Free(object); return SECSuccess; @@ -1508,60 +1589,59 @@ PK11_DestroyGenericObject(PK11GenericObject *object) * This will destroy all objects in a list that the object is linked into. * (the list is traversed in both directions). */ -SECStatus +SECStatus PK11_DestroyGenericObjects(PK11GenericObject *objects) { PK11GenericObject *nextObject; PK11GenericObject *prevObject; - + if (objects == NULL) { - return SECSuccess; + return SECSuccess; } nextObject = objects->next; prevObject = objects->prev; /* delete all the objects after it in the list */ - for (; objects; objects = nextObject) { - nextObject = objects->next; - PK11_DestroyGenericObject(objects); + for (; objects; objects = nextObject) { + nextObject = objects->next; + PK11_DestroyGenericObject(objects); } /* delete all the objects before it in the list */ - for (objects = prevObject; objects; objects = prevObject) { - prevObject = objects->prev; - PK11_DestroyGenericObject(objects); + for (objects = prevObject; objects; objects = prevObject) { + prevObject = objects->prev; + PK11_DestroyGenericObject(objects); } return SECSuccess; } - /* * Hand Create a new object and return the Generic object for our new object. */ PK11GenericObject * PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, - int count, PRBool token) + int count, PRBool token) { CK_OBJECT_HANDLE objectID; PK11GenericObject *obj; CK_RV crv; PK11_EnterSlotMonitor(slot); - crv = PK11_CreateNewObject(slot, slot->session, pTemplate, count, - token, &objectID); + crv = PK11_CreateNewObject(slot, slot->session, pTemplate, count, + token, &objectID); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return NULL; + PORT_SetError(PK11_MapError(crv)); + return NULL; } obj = PORT_New(PK11GenericObject); - if ( !obj ) { - /* error set by PORT_New */ - return NULL; + if (!obj) { + /* error set by PORT_New */ + return NULL; } - /* initialize it */ + /* initialize it */ obj->slot = PK11_ReferenceSlot(slot); obj->objectID = objectID; obj->next = NULL; @@ -1573,8 +1653,8 @@ PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate, * Change an attribute on a raw object */ SECStatus -PK11_WriteRawAttribute(PK11ObjectType objType, void *objSpec, - CK_ATTRIBUTE_TYPE attrType, SECItem *item) +PK11_WriteRawAttribute(PK11ObjectType objType, void *objSpec, + CK_ATTRIBUTE_TYPE attrType, SECItem *item) { PK11SlotInfo *slot = NULL; CK_OBJECT_HANDLE handle = 0; @@ -1583,90 +1663,88 @@ PK11_WriteRawAttribute(PK11ObjectType objType, void *objSpec, CK_SESSION_HANDLE rwsession; switch (objType) { - case PK11_TypeGeneric: - slot = ((PK11GenericObject *)objSpec)->slot; - handle = ((PK11GenericObject *)objSpec)->objectID; - break; - case PK11_TypePrivKey: - slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot; - handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID; - break; - case PK11_TypePubKey: - slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot; - handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID; - break; - case PK11_TypeSymKey: - slot = ((PK11SymKey *)objSpec)->slot; - handle = ((PK11SymKey *)objSpec)->objectID; - break; - case PK11_TypeCert: /* don't handle cert case for now */ - default: - break; + case PK11_TypeGeneric: + slot = ((PK11GenericObject *)objSpec)->slot; + handle = ((PK11GenericObject *)objSpec)->objectID; + break; + case PK11_TypePrivKey: + slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot; + handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID; + break; + case PK11_TypePubKey: + slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot; + handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID; + break; + case PK11_TypeSymKey: + slot = ((PK11SymKey *)objSpec)->slot; + handle = ((PK11SymKey *)objSpec)->objectID; + break; + case PK11_TypeCert: /* don't handle cert case for now */ + default: + break; } if (slot == NULL) { - PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); - return SECFailure; + PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); + return SECFailure; } - PK11_SETATTRS(&setTemplate, attrType, (CK_CHAR *) item->data, item->len); + PK11_SETATTRS(&setTemplate, attrType, (CK_CHAR *)item->data, item->len); rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; } crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, handle, - &setTemplate, 1); + &setTemplate, 1); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } - SECStatus -PK11_ReadRawAttribute(PK11ObjectType objType, void *objSpec, - CK_ATTRIBUTE_TYPE attrType, SECItem *item) +PK11_ReadRawAttribute(PK11ObjectType objType, void *objSpec, + CK_ATTRIBUTE_TYPE attrType, SECItem *item) { PK11SlotInfo *slot = NULL; CK_OBJECT_HANDLE handle = 0; switch (objType) { - case PK11_TypeGeneric: - slot = ((PK11GenericObject *)objSpec)->slot; - handle = ((PK11GenericObject *)objSpec)->objectID; - break; - case PK11_TypePrivKey: - slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot; - handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID; - break; - case PK11_TypePubKey: - slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot; - handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID; - break; - case PK11_TypeSymKey: - slot = ((PK11SymKey *)objSpec)->slot; - handle = ((PK11SymKey *)objSpec)->objectID; - break; - case PK11_TypeCert: /* don't handle cert case for now */ - default: - break; + case PK11_TypeGeneric: + slot = ((PK11GenericObject *)objSpec)->slot; + handle = ((PK11GenericObject *)objSpec)->objectID; + break; + case PK11_TypePrivKey: + slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot; + handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID; + break; + case PK11_TypePubKey: + slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot; + handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID; + break; + case PK11_TypeSymKey: + slot = ((PK11SymKey *)objSpec)->slot; + handle = ((PK11SymKey *)objSpec)->objectID; + break; + case PK11_TypeCert: /* don't handle cert case for now */ + default: + break; } if (slot == NULL) { - PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); - return SECFailure; + PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE); + return SECFailure; } return PK11_ReadAttribute(slot, handle, attrType, NULL, item); } - /* * return the object handle that matches the template */ CK_OBJECT_HANDLE -pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize) +pk11_FindObjectByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *theTemplate, int tsize) { CK_OBJECT_HANDLE object; CK_RV crv = CKR_SESSION_HANDLE_INVALID; @@ -1677,36 +1755,35 @@ pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize */ PK11_EnterSlotMonitor(slot); if (slot->session != CK_INVALID_SESSION) { - crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, - theTemplate, tsize); + crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, + theTemplate, tsize); } if (crv != CKR_OK) { PK11_ExitSlotMonitor(slot); - PORT_SetError( PK11_MapError(crv) ); - return CK_INVALID_HANDLE; + PORT_SetError(PK11_MapError(crv)); + return CK_INVALID_HANDLE; } - crv=PK11_GETTAB(slot)->C_FindObjects(slot->session,&object,1,&objectCount); + crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, &object, 1, &objectCount); PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session); PK11_ExitSlotMonitor(slot); if ((crv != CKR_OK) || (objectCount < 1)) { - /* shouldn't use SSL_ERROR... here */ - PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) : - SSL_ERROR_NO_CERTIFICATE); - return CK_INVALID_HANDLE; + /* shouldn't use SSL_ERROR... here */ + PORT_SetError(crv != CKR_OK ? PK11_MapError(crv) : SSL_ERROR_NO_CERTIFICATE); + return CK_INVALID_HANDLE; } /* blow up if the PKCS #11 module returns us and invalid object handle */ PORT_Assert(object != CK_INVALID_HANDLE); return object; -} +} /* * return all the object handles that matches the template */ CK_OBJECT_HANDLE * pk11_FindObjectsByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, - int templCount, int *object_count) + int templCount, int *object_count) { CK_OBJECT_HANDLE *objID = NULL; CK_ULONG returned_count = 0; @@ -1714,54 +1791,55 @@ pk11_FindObjectsByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, PK11_EnterSlotMonitor(slot); if (slot->session != CK_INVALID_SESSION) { - crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, - findTemplate, templCount); + crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, + findTemplate, templCount); } if (crv != CKR_OK) { - PK11_ExitSlotMonitor(slot); - PORT_SetError( PK11_MapError(crv) ); - *object_count = -1; - return NULL; + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + *object_count = -1; + return NULL; } - /* * collect all the Matching Objects */ do { - CK_OBJECT_HANDLE *oldObjID = objID; - - if (objID == NULL) { - objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)* - (*object_count+ PK11_SEARCH_CHUNKSIZE)); - } else { - objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID, - sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE)); - } - - if (objID == NULL) { - if (oldObjID) PORT_Free(oldObjID); - break; - } - crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, - &objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - PORT_Free(objID); - objID = NULL; - break; - } - *object_count += returned_count; + CK_OBJECT_HANDLE *oldObjID = objID; + + if (objID == NULL) { + objID = (CK_OBJECT_HANDLE *)PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * + (*object_count + PK11_SEARCH_CHUNKSIZE)); + } else { + objID = (CK_OBJECT_HANDLE *)PORT_Realloc(objID, + sizeof(CK_OBJECT_HANDLE) * (*object_count + PK11_SEARCH_CHUNKSIZE)); + } + + if (objID == NULL) { + if (oldObjID) + PORT_Free(oldObjID); + break; + } + crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, + &objID[*object_count], PK11_SEARCH_CHUNKSIZE, &returned_count); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + PORT_Free(objID); + objID = NULL; + break; + } + *object_count += returned_count; } while (returned_count == PK11_SEARCH_CHUNKSIZE); PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session); PK11_ExitSlotMonitor(slot); if (objID && (*object_count == 0)) { - PORT_Free(objID); - return NULL; + PORT_Free(objID); + return NULL; } - if (objID == NULL) *object_count = -1; + if (objID == NULL) + *object_count = -1; return objID; } /* @@ -1770,49 +1848,46 @@ pk11_FindObjectsByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, */ CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID, - CK_OBJECT_CLASS matchclass) + CK_OBJECT_CLASS matchclass) { CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 } + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 } }; /* if you change the array, change the variable below as well */ CK_ATTRIBUTE *keyclass = &theTemplate[1]; - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); /* if you change the array, change the variable below as well */ CK_OBJECT_HANDLE peerID; - PLArenaPool *arena; + PORTCheapArenaPool tmpArena; CK_RV crv; /* now we need to create space for the public key */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return CK_INVALID_HANDLE; + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); - crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize); + crv = PK11_GetAttributes(&tmpArena.arena, slot, searchID, theTemplate, tsize); if (crv != CKR_OK) { - PORT_FreeArena(arena,PR_FALSE); - PORT_SetError( PK11_MapError(crv) ); - return CK_INVALID_HANDLE; + PORT_DestroyCheapArena(&tmpArena); + PORT_SetError(PK11_MapError(crv)); + return CK_INVALID_HANDLE; } if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) { - PORT_FreeArena(arena,PR_FALSE); - if (matchclass == CKO_CERTIFICATE) - PORT_SetError(SEC_ERROR_BAD_KEY); - else - PORT_SetError(SEC_ERROR_NO_KEY); - return CK_INVALID_HANDLE; - } - - + PORT_DestroyCheapArena(&tmpArena); + if (matchclass == CKO_CERTIFICATE) + PORT_SetError(SEC_ERROR_BAD_KEY); + else + PORT_SetError(SEC_ERROR_NO_KEY); + return CK_INVALID_HANDLE; + } /* * issue the find */ *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass; - peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize); - PORT_FreeArena(arena,PR_FALSE); + peerID = pk11_FindObjectByTemplate(slot, theTemplate, tsize); + PORT_DestroyCheapArena(&tmpArena); return peerID; } @@ -1821,8 +1896,8 @@ PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID, * count the number of objects that match the template. */ int -PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, - int templCount) +PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, + int templCount) { CK_OBJECT_HANDLE objID[PK11_SEARCH_CHUNKSIZE]; int object_count = 0; @@ -1831,27 +1906,27 @@ PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, PK11_EnterSlotMonitor(slot); if (slot->session != CK_INVALID_SESSION) { - crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, - findTemplate, templCount); + crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session, + findTemplate, templCount); } if (crv != CKR_OK) { PK11_ExitSlotMonitor(slot); - PORT_SetError( PK11_MapError(crv) ); - return object_count; + PORT_SetError(PK11_MapError(crv)); + return object_count; } /* * collect all the Matching Objects */ do { - crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, objID, - PK11_SEARCH_CHUNKSIZE, - &returned_count); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - break; - } - object_count += returned_count; + crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, objID, + PK11_SEARCH_CHUNKSIZE, + &returned_count); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + break; + } + object_count += returned_count; } while (returned_count == PK11_SEARCH_CHUNKSIZE); PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session); @@ -1868,22 +1943,22 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg) int i; CK_OBJECT_HANDLE *objID = NULL; int object_count = 0; - pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg; + pk11TraverseSlot *slotcb = (pk11TraverseSlot *)arg; - objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate, - slotcb->templateCount,&object_count); + objID = pk11_FindObjectsByTemplate(slot, slotcb->findTemplate, + slotcb->templateCount, &object_count); /*Actually this isn't a failure... there just were no objs to be found*/ if (object_count == 0) { - return SECSuccess; + return SECSuccess; } if (objID == NULL) { - return SECFailure; + return SECFailure; } - for (i=0; i < object_count; i++) { - (*slotcb->callback)(slot,objID[i],slotcb->callbackArg); + for (i = 0; i < object_count; i++) { + (*slotcb->callback)(slot, objID[i], slotcb->callbackArg); } PORT_Free(objID); return SECSuccess; @@ -1893,27 +1968,29 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg) * Traverse all the objects in all slots. */ SECStatus -pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), - void *arg, PRBool forceLogin, void *wincx) { +pk11_TraverseAllSlots(SECStatus (*callback)(PK11SlotInfo *, void *), + void *arg, PRBool forceLogin, void *wincx) +{ PK11SlotList *list; PK11SlotListElement *le; SECStatus rv; /* get them all! */ - list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,wincx); - if (list == NULL) return SECFailure; + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, wincx); + if (list == NULL) + return SECFailure; /* look at each slot and authenticate as necessary */ - for (le = list->head ; le; le = le->next) { - if (forceLogin) { - rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx); - if (rv != SECSuccess) { - continue; - } - } - if (callback) { - (*callback)(le->slot,arg); - } + for (le = list->head; le; le = le->next) { + if (forceLogin) { + rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx); + if (rv != SECSuccess) { + continue; + } + } + if (callback) { + (*callback)(le->slot, arg); + } } PK11_FreeSlotList(list); @@ -1922,41 +1999,41 @@ pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), } CK_OBJECT_HANDLE * -PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr, - CK_OBJECT_CLASS objclass, int *returnCount, void *wincx) +PK11_FindObjectsFromNickname(char *nickname, PK11SlotInfo **slotptr, + CK_OBJECT_CLASS objclass, int *returnCount, void *wincx) { char *tokenName; char *delimit; PK11SlotInfo *slot; CK_OBJECT_HANDLE *objID; CK_ATTRIBUTE findTemplate[] = { - { CKA_LABEL, NULL, 0}, - { CKA_CLASS, NULL, 0}, + { CKA_LABEL, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, }; - int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]); + int findCount = sizeof(findTemplate) / sizeof(findTemplate[0]); SECStatus rv; PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass)); *slotptr = slot = NULL; *returnCount = 0; /* first find the slot associated with this nickname */ - if ((delimit = PORT_Strchr(nickname,':')) != NULL) { - int len = delimit - nickname; - tokenName = (char*)PORT_Alloc(len+1); - PORT_Memcpy(tokenName,nickname,len); - tokenName[len] = 0; + if ((delimit = PORT_Strchr(nickname, ':')) != NULL) { + int len = delimit - nickname; + tokenName = (char *)PORT_Alloc(len + 1); + PORT_Memcpy(tokenName, nickname, len); + tokenName[len] = 0; slot = *slotptr = PK11_FindSlotByName(tokenName); PORT_Free(tokenName); - /* if we couldn't find a slot, assume the nickname is an internal cert - * with no proceding slot name */ - if (slot == NULL) { - slot = *slotptr = PK11_GetInternalKeySlot(); - } else { - nickname = delimit+1; - } + /* if we couldn't find a slot, assume the nickname is an internal cert + * with no proceding slot name */ + if (slot == NULL) { + slot = *slotptr = PK11_GetInternalKeySlot(); + } else { + nickname = delimit + 1; + } } else { - *slotptr = slot = PK11_GetInternalKeySlot(); + *slotptr = slot = PK11_GetInternalKeySlot(); } if (slot == NULL) { return CK_INVALID_HANDLE; @@ -1964,59 +2041,58 @@ PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr, rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx); if (rv != SECSuccess) { - PK11_FreeSlot(slot); - *slotptr = NULL; - return CK_INVALID_HANDLE; + PK11_FreeSlot(slot); + *slotptr = NULL; + return CK_INVALID_HANDLE; } findTemplate[0].pValue = nickname; findTemplate[0].ulValueLen = PORT_Strlen(nickname); - objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount); + objID = pk11_FindObjectsByTemplate(slot, findTemplate, findCount, returnCount); if (objID == NULL) { - /* PKCS #11 isn't clear on whether or not the NULL is - * stored in the template.... try the find again with the - * full null terminated string. */ - findTemplate[0].ulValueLen += 1; - objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount, - returnCount); - if (objID == NULL) { - /* Well that's the best we can do. It's just not here */ - /* what about faked nicknames? */ - PK11_FreeSlot(slot); - *slotptr = NULL; - *returnCount = 0; - } + /* PKCS #11 isn't clear on whether or not the NULL is + * stored in the template.... try the find again with the + * full null terminated string. */ + findTemplate[0].ulValueLen += 1; + objID = pk11_FindObjectsByTemplate(slot, findTemplate, findCount, + returnCount); + if (objID == NULL) { + /* Well that's the best we can do. It's just not here */ + /* what about faked nicknames? */ + PK11_FreeSlot(slot); + *slotptr = NULL; + *returnCount = 0; + } } return objID; } SECItem * -pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) +pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) { CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, + { CKA_ID, NULL, 0 }, }; - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_RV crv; SECItem *item; item = SECITEM_AllocItem(NULL, NULL, 0); if (item == NULL) { - return NULL; + return NULL; } - crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize); + crv = PK11_GetAttributes(NULL, slot, handle, theTemplate, tsize); if (crv != CKR_OK) { - SECITEM_FreeItem(item,PR_TRUE); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + SECITEM_FreeItem(item, PR_TRUE); + PORT_SetError(PK11_MapError(crv)); + return NULL; } - item->data = (unsigned char*) theTemplate[0].pValue; - item->len =theTemplate[0].ulValueLen; + item->data = (unsigned char *)theTemplate[0].pValue; + item->len = theTemplate[0].ulValueLen; return item; } - diff --git a/nss/lib/pk11wrap/pk11pars.c b/nss/lib/pk11wrap/pk11pars.c index 40ac790..ee20789 100644 --- a/nss/lib/pk11wrap/pk11pars.c +++ b/nss/lib/pk11wrap/pk11pars.c @@ -7,6 +7,7 @@ */ #include <ctype.h> +#include <assert.h> #include "pkcs11.h" #include "seccomon.h" #include "secmod.h" @@ -14,29 +15,29 @@ #include "secmodti.h" #include "pki3hack.h" #include "secerr.h" - -#include "utilpars.h" +#include "nss.h" +#include "utilpars.h" +#include "pk11pub.h" /* create a new module */ -static SECMODModule * +static SECMODModule * secmod_NewModule(void) { SECMODModule *newMod; PLArenaPool *arena; - /* create an arena in which dllName and commonName can be * allocated. */ arena = PORT_NewArena(512); if (arena == NULL) { - return NULL; + return NULL; } - newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule)); + newMod = (SECMODModule *)PORT_ArenaAlloc(arena, sizeof(SECMODModule)); if (newMod == NULL) { - PORT_FreeArena(arena,PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } /* @@ -68,148 +69,658 @@ secmod_NewModule(void) newMod->evControlMask = 0; newMod->refLock = PZ_NewLock(nssILockRefLock); if (newMod->refLock == NULL) { - PORT_FreeArena(arena,PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } return newMod; - } /* private flags for isModuleDB (field in SECMODModule). */ /* The meaing of these flags is as follows: * - * SECMOD_FLAG_MODULE_DB_IS_MODULE_DB - This is a module that accesses the + * SECMOD_FLAG_MODULE_DB_IS_MODULE_DB - This is a module that accesses the * database of other modules to load. Module DBs are loadable modules that - * tells NSS which PKCS #11 modules to load and when. These module DBs are - * chainable. That is, one module DB can load another one. NSS system init - * design takes advantage of this feature. In system NSS, a fixed system - * module DB loads the system defined libraries, then chains out to the - * traditional module DBs to load any system or user configured modules - * (like smart cards). This bit is the same as the already existing meaning - * of isModuleDB = PR_TRUE. None of the other module db flags should be set + * tells NSS which PKCS #11 modules to load and when. These module DBs are + * chainable. That is, one module DB can load another one. NSS system init + * design takes advantage of this feature. In system NSS, a fixed system + * module DB loads the system defined libraries, then chains out to the + * traditional module DBs to load any system or user configured modules + * (like smart cards). This bit is the same as the already existing meaning + * of isModuleDB = PR_TRUE. None of the other module db flags should be set * if this flag isn't on. * - * SECMOD_FLAG_MODULE_DB_SKIP_FIRST - This flag tells NSS to skip the first - * PKCS #11 module presented by a module DB. This allows the OS to load a - * softoken from the system module, then ask the existing module DB code to - * load the other PKCS #11 modules in that module DB (skipping it's request - * to load softoken). This gives the system init finer control over the + * SECMOD_FLAG_MODULE_DB_SKIP_FIRST - This flag tells NSS to skip the first + * PKCS #11 module presented by a module DB. This allows the OS to load a + * softoken from the system module, then ask the existing module DB code to + * load the other PKCS #11 modules in that module DB (skipping it's request + * to load softoken). This gives the system init finer control over the * configuration of that softoken module. * - * SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB - This flag allows system init to mark a - * different module DB as the 'default' module DB (the one in which - * 'Add module' changes will go). Without this flag NSS takes the first - * module as the default Module DB, but in system NSS, that first module + * SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB - This flag allows system init to mark a + * different module DB as the 'default' module DB (the one in which + * 'Add module' changes will go). Without this flag NSS takes the first + * module as the default Module DB, but in system NSS, that first module * is the system module, which is likely read only (at least to the user). - * This allows system NSS to delegate those changes to the user's module DB, - * preserving the user's ability to load new PKCS #11 modules (which only + * This allows system NSS to delegate those changes to the user's module DB, + * preserving the user's ability to load new PKCS #11 modules (which only * affect him), from existing applications like Firefox. */ -#define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the - *other flags are set */ -#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 +#define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB 0x01 /* must be set if any of the \ + *other flags are set */ +#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04 - /* private flags for internal (field in SECMODModule). */ /* The meaing of these flags is as follows: * * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is - * the internal module (that is, softoken). This bit is the same as the - * already existing meaning of internal = PR_TRUE. None of the other + * the internal module (that is, softoken). This bit is the same as the + * already existing meaning of internal = PR_TRUE. None of the other * internal flags should be set if this flag isn't on. * - * SECMOD_FLAG_MODULE_INTERNAL_KEY_SLOT - This flag allows system init to mark + * SECMOD_FLAG_MODULE_INTERNAL_KEY_SLOT - This flag allows system init to mark * a different slot returned byt PK11_GetInternalKeySlot(). The 'primary' * slot defined by this module will be the new internal key slot. */ -#define SECMOD_FLAG_INTERNAL_IS_INTERNAL 0x01 /* must be set if any of - *the other flags are set */ -#define SECMOD_FLAG_INTERNAL_KEY_SLOT 0x02 +#define SECMOD_FLAG_INTERNAL_IS_INTERNAL 0x01 /* must be set if any of \ + *the other flags are set */ +#define SECMOD_FLAG_INTERNAL_KEY_SLOT 0x02 /* * for 3.4 we continue to use the old SECMODModule structure */ SECMODModule * -SECMOD_CreateModule(const char *library, const char *moduleName, - const char *parameters, const char *nss) +SECMOD_CreateModule(const char *library, const char *moduleName, + const char *parameters, const char *nss) { return SECMOD_CreateModuleEx(library, moduleName, parameters, nss, NULL); } /* + * NSS config options format: + * + * The specified ciphers will be allowed by policy, but an application + * may allow more by policy explicitly: + * config="allow=curve1:curve2:hash1:hash2:rsa-1024..." + * + * Only the specified hashes and curves will be allowed: + * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1" + * + * Only the specified hashes and curves will be allowed, and + * RSA keys of 2048 or more will be accepted, and DH key exchange + * with 1024-bit primes or more: + * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-dh=1024" + * + * A policy that enables the AES ciphersuites and the SECP256/384 curves: + * config="allow=aes128-cbc:aes128-gcm:TLS1.0:TLS1.2:TLS1.1:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1" + * + * Disallow values are parsed first, then allow values, independent of the + * order they appear. + * + * Future key words (not yet implemented): + * enable: turn on ciphersuites by default. + * disable: turn off ciphersuites by default without disallowing them by policy. + * flags: turn on the following flags: + * ssl-lock: turn off the ability for applications to change policy with + * the SSL_SetCipherPolicy (or SSL_SetPolicy). + * policy-lock: turn off the ability for applications to change policy with + * the call NSS_SetAlgorithmPolicy. + * ssl-default-lock: turn off the ability for applications to change cipher + * suite states with SSL_EnableCipher, SSL_DisableCipher. + * + */ + +typedef struct { + const char *name; + unsigned name_size; + SECOidTag oid; + PRUint32 val; +} oidValDef; + +typedef struct { + const char *name; + unsigned name_size; + PRInt32 option; +} optionFreeDef; + +typedef struct { + const char *name; + unsigned name_size; + PRUint32 flag; +} policyFlagDef; + +/* + * This table should be merged with the SECOID table. + */ +#define CIPHER_NAME(x) x, (sizeof(x) - 1) +static const oidValDef algOptList[] = { + /* Curves */ + { CIPHER_NAME("PRIME192V1"), SEC_OID_ANSIX962_EC_PRIME192V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME192V2"), SEC_OID_ANSIX962_EC_PRIME192V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME192V3"), SEC_OID_ANSIX962_EC_PRIME192V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME239V1"), SEC_OID_ANSIX962_EC_PRIME239V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME239V2"), SEC_OID_ANSIX962_EC_PRIME239V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME239V3"), SEC_OID_ANSIX962_EC_PRIME239V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("PRIME256V1"), SEC_OID_ANSIX962_EC_PRIME256V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP112R1"), SEC_OID_SECG_EC_SECP112R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP112R2"), SEC_OID_SECG_EC_SECP112R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP128R1"), SEC_OID_SECG_EC_SECP128R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP128R2"), SEC_OID_SECG_EC_SECP128R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP160K1"), SEC_OID_SECG_EC_SECP160K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP160R1"), SEC_OID_SECG_EC_SECP160R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP160R2"), SEC_OID_SECG_EC_SECP160R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP192K1"), SEC_OID_SECG_EC_SECP192K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP192R1"), SEC_OID_ANSIX962_EC_PRIME192V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP224K1"), SEC_OID_SECG_EC_SECP224K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP256K1"), SEC_OID_SECG_EC_SECP256K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP256R1"), SEC_OID_ANSIX962_EC_PRIME256V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP384R1"), SEC_OID_SECG_EC_SECP384R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECP521R1"), SEC_OID_SECG_EC_SECP521R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + /* ANSI X9.62 named elliptic curves (characteristic two field) */ + { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB163V2"), SEC_OID_ANSIX962_EC_C2PNB163V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB163V3"), SEC_OID_ANSIX962_EC_C2PNB163V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB176V1"), SEC_OID_ANSIX962_EC_C2PNB176V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB191V1"), SEC_OID_ANSIX962_EC_C2TNB191V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB191V2"), SEC_OID_ANSIX962_EC_C2TNB191V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB191V3"), SEC_OID_ANSIX962_EC_C2TNB191V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2ONB191V4"), SEC_OID_ANSIX962_EC_C2ONB191V4, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2ONB191V5"), SEC_OID_ANSIX962_EC_C2ONB191V5, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB208W1"), SEC_OID_ANSIX962_EC_C2PNB208W1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB239V1"), SEC_OID_ANSIX962_EC_C2TNB239V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB239V2"), SEC_OID_ANSIX962_EC_C2TNB239V2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB239V3"), SEC_OID_ANSIX962_EC_C2TNB239V3, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2ONB239V4"), SEC_OID_ANSIX962_EC_C2ONB239V4, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2ONB239V5"), SEC_OID_ANSIX962_EC_C2ONB239V5, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB272W1"), SEC_OID_ANSIX962_EC_C2PNB272W1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB304W1"), SEC_OID_ANSIX962_EC_C2PNB304W1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB359V1"), SEC_OID_ANSIX962_EC_C2TNB359V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2PNB368W1"), SEC_OID_ANSIX962_EC_C2PNB368W1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("C2TNB431R1"), SEC_OID_ANSIX962_EC_C2TNB431R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + /* SECG named elliptic curves (characteristic two field) */ + { CIPHER_NAME("SECT113R1"), SEC_OID_SECG_EC_SECT113R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT113R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT131R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT131R2"), SEC_OID_SECG_EC_SECT131R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT163K1"), SEC_OID_SECG_EC_SECT163K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT163R1"), SEC_OID_SECG_EC_SECT163R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT163R2"), SEC_OID_SECG_EC_SECT163R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT193R1"), SEC_OID_SECG_EC_SECT193R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT193R2"), SEC_OID_SECG_EC_SECT193R2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT233K1"), SEC_OID_SECG_EC_SECT233K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT233R1"), SEC_OID_SECG_EC_SECT233R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT239K1"), SEC_OID_SECG_EC_SECT239K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT283K1"), SEC_OID_SECG_EC_SECT283K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT283R1"), SEC_OID_SECG_EC_SECT283R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT409K1"), SEC_OID_SECG_EC_SECT409K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT409R1"), SEC_OID_SECG_EC_SECT409R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT571K1"), SEC_OID_SECG_EC_SECT571K1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + + /* Hashes */ + { CIPHER_NAME("MD2"), SEC_OID_MD2, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("MD4"), SEC_OID_MD4, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("MD5"), SEC_OID_MD5, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SHA1"), SEC_OID_SHA1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SHA224"), SEC_OID_SHA224, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SHA256"), SEC_OID_SHA256, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SHA384"), SEC_OID_SHA384, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("SHA512"), SEC_OID_SHA512, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + + /* MACs */ + { CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-SHA256"), SEC_OID_HMAC_SHA256, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL }, + + /* Ciphers */ + { CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES256-CBC"), SEC_OID_AES_256_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES128-GCM"), SEC_OID_AES_128_GCM, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES192-GCM"), SEC_OID_AES_192_GCM, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("AES256-GCM"), SEC_OID_AES_256_GCM, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("DES-CBC"), SEC_OID_DES_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("NULL-CIPHER"), SEC_OID_NULL_CIPHER, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL }, + + /* Key exchange */ + { CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("DHE-RSA"), SEC_OID_TLS_DHE_RSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("DHE-DSS"), SEC_OID_TLS_DHE_DSS, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("DH-RSA"), SEC_OID_TLS_DH_RSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("DH-DSS"), SEC_OID_TLS_DH_DSS, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("ECDHE-ECDSA"), SEC_OID_TLS_ECDHE_ECDSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, +}; + +static const optionFreeDef sslOptList[] = { + /* Versions */ + { CIPHER_NAME("SSL2.0"), 0x002 }, + { CIPHER_NAME("SSL3.0"), 0x300 }, + { CIPHER_NAME("SSL3.1"), 0x301 }, + { CIPHER_NAME("TLS1.0"), 0x301 }, + { CIPHER_NAME("TLS1.1"), 0x302 }, + { CIPHER_NAME("TLS1.2"), 0x303 }, + { CIPHER_NAME("TLS1.3"), 0x304 }, + { CIPHER_NAME("DTLS1.0"), 0x302 }, + { CIPHER_NAME("DTLS1.1"), 0x302 }, + { CIPHER_NAME("DTLS1.2"), 0x303 }, + { CIPHER_NAME("DTLS1.3"), 0x304 }, +}; + +static const optionFreeDef freeOptList[] = { + + /* Restrictions for asymetric keys */ + { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE }, + { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE }, + { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE }, + /* constraints on SSL Protocols */ + { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY }, + { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY }, + /* constraints on DTLS Protocols */ + { CIPHER_NAME("DTLS-VERSION-MIN"), NSS_DTLS_VERSION_MIN_POLICY }, + { CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY } +}; + +static const policyFlagDef policyFlagList[] = { + { CIPHER_NAME("SSL"), NSS_USE_ALG_IN_SSL }, + { CIPHER_NAME("SSL-KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX }, + /* add other key exhanges in the future */ + { CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE }, + /* add other signatures in the future */ + { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE }, + /* enable everything */ + { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | + NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("NONE"), 0 } +}; + +/* + * Get the next cipher on the list. point to the next one in 'next'. + * return the length; + */ +static const char * +secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2, + int *len, const char **next) +{ + const char *start = cipher; + + if (start == NULL) { + *len = 0; + *next = NULL; + return start; + } + + for (; *cipher && *cipher != sep2; cipher++) { + if (*cipher == sep1) { + *next = cipher + 1; + *len = cipher - start; + return start; + } + } + *next = NULL; + *len = cipher - start; + return start; +} + +static PRUint32 +secmod_parsePolicyValue(const char *policyFlags, int policyLength) +{ + const char *flag, *currentString; + PRUint32 flags = 0; + int i; + + for (currentString = policyFlags; currentString && + currentString < policyFlags + policyLength;) { + int length; + flag = secmod_ArgGetSubValue(currentString, ',', ':', &length, + ¤tString); + if (length == 0) { + continue; + } + for (i = 0; i < PR_ARRAY_SIZE(policyFlagList); i++) { + const policyFlagDef *policy = &policyFlagList[i]; + unsigned name_size = policy->name_size; + if ((policy->name_size == length) && + PORT_Strncasecmp(policy->name, flag, name_size) == 0) { + flags |= policy->flag; + break; + } + } + } + return flags; +} + +/* allow symbolic names for values. The only ones currently defines or + * SSL protocol versions. */ +static PRInt32 +secmod_getPolicyOptValue(const char *policyValue, int policyValueLength) +{ + PRInt32 val = atoi(policyValue); + int i; + + if ((val != 0) || (*policyValue == '0')) { + return val; + } + for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { + if (policyValueLength == sslOptList[i].name_size && + PORT_Strncasecmp(sslOptList[i].name, policyValue, + sslOptList[i].name_size) == 0) { + val = sslOptList[i].option; + break; + } + } + return val; +} + +static SECStatus +secmod_applyCryptoPolicy(const char *policyString, + PRBool allow) +{ + const char *cipher, *currentString; + unsigned i; + SECStatus rv = SECSuccess; + PRBool unknown; + + if (policyString == NULL || policyString[0] == 0) { + return SECSuccess; /* do nothing */ + } + + /* if we change any of these, make sure it gets applied in ssl as well */ + NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0); + + for (currentString = policyString; currentString;) { + int length; + PRBool newValue = PR_FALSE; + + cipher = secmod_ArgGetSubValue(currentString, ':', 0, &length, + ¤tString); + unknown = PR_TRUE; + if (length >= 3 && cipher[3] == '/') { + newValue = PR_TRUE; + } + if ((newValue || (length == 3)) && PORT_Strncasecmp(cipher, "all", 3) == 0) { + /* disable or enable all options by default */ + PRUint32 value = 0; + if (newValue) { + value = secmod_parsePolicyValue(&cipher[3] + 1, length - 3 - 1); + } + for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) { + PRUint32 enable, disable; + if (!newValue) { + value = algOptList[i].val; + } + if (allow) { + enable = value; + disable = 0; + } else { + enable = 0; + disable = value; + } + NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable); + } + continue; + } + + for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) { + const oidValDef *algOpt = &algOptList[i]; + unsigned name_size = algOpt->name_size; + PRBool newValue = PR_FALSE; + + if ((length >= name_size) && (cipher[name_size] == '/')) { + newValue = PR_TRUE; + } + if ((newValue || algOpt->name_size == length) && + PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) { + PRUint32 value = algOpt->val; + PRUint32 enable, disable; + if (newValue) { + value = secmod_parsePolicyValue(&cipher[name_size] + 1, + length - name_size - 1); + } + if (allow) { + enable = value; + disable = 0; + } else { + enable = 0; + disable = value; + } + rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable); + if (rv != SECSuccess) { + /* could not enable option */ + /* NSS_SetAlgorithPolicy should have set the error code */ + return SECFailure; + } + unknown = PR_FALSE; + break; + } + } + if (!unknown) { + continue; + } + + for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) { + const optionFreeDef *freeOpt = &freeOptList[i]; + unsigned name_size = freeOpt->name_size; + + if ((length > name_size) && cipher[name_size] == '=' && + PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0) { + PRInt32 val = secmod_getPolicyOptValue(&cipher[name_size + 1], + length - name_size - 1); + + rv = NSS_OptionSet(freeOpt->option, val); + if (rv != SECSuccess) { + /* could not enable option */ + /* NSS_OptionSet should have set the error code */ + return SECFailure; + } + /* to allow the policy to expand in the future. ignore ciphers + * we don't understand */ + unknown = PR_FALSE; + break; + } + } + } + return rv; +} + +static SECStatus +secmod_parseCryptoPolicy(const char *policyConfig) +{ + char *disallow, *allow; + SECStatus rv; + + if (policyConfig == NULL) { + return SECSuccess; /* no policy given */ + } + /* make sure we initialize the oid table and set all the default policy + * values first so we can override them here */ + rv = SECOID_Init(); + if (rv != SECSuccess) { + return rv; + } + disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig); + rv = secmod_applyCryptoPolicy(disallow, PR_FALSE); + if (disallow) + PORT_Free(disallow); + if (rv != SECSuccess) { + return rv; + } + allow = NSSUTIL_ArgGetParamValue("allow", policyConfig); + rv = secmod_applyCryptoPolicy(allow, PR_TRUE); + if (allow) + PORT_Free(allow); + return rv; +} + +/* * for 3.4 we continue to use the old SECMODModule structure */ SECMODModule * -SECMOD_CreateModuleEx(const char *library, const char *moduleName, - const char *parameters, const char *nss, - const char *config) +SECMOD_CreateModuleEx(const char *library, const char *moduleName, + const char *parameters, const char *nss, + const char *config) { - SECMODModule *mod = secmod_NewModule(); - char *slotParams,*ciphers; + SECMODModule *mod; + SECStatus rv; + char *slotParams, *ciphers; /* pk11pars.h still does not have const char * interfaces */ char *nssc = (char *)nss; - if (mod == NULL) return NULL; - mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : ""); + rv = secmod_parseCryptoPolicy(config); + + /* do not load the module if policy parsing fails */ + if (rv != SECSuccess) { + return NULL; + } + + mod = secmod_NewModule(); + if (mod == NULL) + return NULL; + + mod->commonName = PORT_ArenaStrdup(mod->arena, moduleName ? moduleName : ""); if (library) { - mod->dllName = PORT_ArenaStrdup(mod->arena,library); + mod->dllName = PORT_ArenaStrdup(mod->arena, library); } /* new field */ if (parameters) { - mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters); - } - if (config) { - /* XXX: Apply configuration */ - } - mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc); - mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc); - mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc); - slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc); - mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams, - &mod->slotInfoCount); - if (slotParams) PORT_Free(slotParams); + mod->libraryParams = PORT_ArenaStrdup(mod->arena, parameters); + } + + mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); + mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); + mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc); + slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); + mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, + &mod->slotInfoCount); + if (slotParams) + PORT_Free(slotParams); /* new field */ - mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder",nssc, - NSSUTIL_DEFAULT_TRUST_ORDER,NULL); + mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder", nssc, + NSSUTIL_DEFAULT_TRUST_ORDER, NULL); /* new field */ - mod->cipherOrder = NSSUTIL_ArgReadLong("cipherOrder",nssc, - NSSUTIL_DEFAULT_CIPHER_ORDER,NULL); + mod->cipherOrder = NSSUTIL_ArgReadLong("cipherOrder", nssc, + NSSUTIL_DEFAULT_CIPHER_ORDER, NULL); /* new field */ - mod->isModuleDB = NSSUTIL_ArgHasFlag("flags","moduleDB",nssc); - mod->moduleDBOnly = NSSUTIL_ArgHasFlag("flags","moduleDBOnly",nssc); - if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE; + mod->isModuleDB = NSSUTIL_ArgHasFlag("flags", "moduleDB", nssc); + mod->moduleDBOnly = NSSUTIL_ArgHasFlag("flags", "moduleDBOnly", nssc); + if (mod->moduleDBOnly) + mod->isModuleDB = PR_TRUE; - /* we need more bits, but we also want to preserve binary compatibility - * so we overload the isModuleDB PRBool with additional flags. + /* we need more bits, but we also want to preserve binary compatibility + * so we overload the isModuleDB PRBool with additional flags. * These flags are only valid if mod->isModuleDB is already set. - * NOTE: this depends on the fact that PRBool is at least a char on - * all platforms. These flags are only valid if moduleDB is set, so + * NOTE: this depends on the fact that PRBool is at least a char on + * all platforms. These flags are only valid if moduleDB is set, so * code checking if (mod->isModuleDB) will continue to work correctly. */ if (mod->isModuleDB) { - char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB; - if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) { - flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST; - } - if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) { - flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; - } - /* additional moduleDB flags could be added here in the future */ - mod->isModuleDB = (PRBool) flags; + char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB; + if (NSSUTIL_ArgHasFlag("flags", "skipFirst", nssc)) { + flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST; + } + if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) { + flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; + } + /* additional moduleDB flags could be added here in the future */ + mod->isModuleDB = (PRBool)flags; } if (mod->internal) { - char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL; + char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL; - if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) { - flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT; - } - mod->internal = (PRBool) flags; + if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) { + flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT; + } + mod->internal = (PRBool)flags; } - ciphers = NSSUTIL_ArgGetParamValue("ciphers",nssc); - NSSUTIL_ArgParseCipherFlags(&mod->ssl[0],ciphers); - if (ciphers) PORT_Free(ciphers); + ciphers = NSSUTIL_ArgGetParamValue("ciphers", nssc); + NSSUTIL_ArgParseCipherFlags(&mod->ssl[0], ciphers); + if (ciphers) + PORT_Free(ciphers); secmod_PrivateModuleCount++; @@ -219,38 +730,38 @@ SECMOD_CreateModuleEx(const char *library, const char *moduleName, PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod) { - char flags = (char) mod->isModuleDB; + char flags = (char)mod->isModuleDB; - return (flags & SECMOD_FLAG_MODULE_DB_SKIP_FIRST) ? PR_TRUE : PR_FALSE; + return (flags & SECMOD_FLAG_MODULE_DB_SKIP_FIRST) ? PR_TRUE : PR_FALSE; } PRBool SECMOD_GetDefaultModDBFlag(SECMODModule *mod) { - char flags = (char) mod->isModuleDB; + char flags = (char)mod->isModuleDB; - return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE; + return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE; } PRBool secmod_IsInternalKeySlot(SECMODModule *mod) { - char flags = (char) mod->internal; + char flags = (char)mod->internal; - return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE; + return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE; } void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val) { - char flags = (char) mod->internal; - - if (val) { - flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT; - } else { - flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT; - } - mod->internal = flags; + char flags = (char)mod->internal; + + if (val) { + flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT; + } else { + flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT; + } + mod->internal = flags; } /* @@ -264,50 +775,49 @@ secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val) */ static char * secmod_doDescCopy(char *target, int *targetLen, const char *desc, - int descLen, char *value) + int descLen, char *value) { int diff, esc_len; esc_len = NSSUTIL_EscapeSize(value, '\"') - 1; diff = esc_len - strlen(value); if (diff > 0) { - /* we need to escape... expand newSpecPtr as well to make sure - * we don't overflow it */ - char *newPtr = PORT_Realloc(target, *targetLen * diff); - if (!newPtr) { - return target; /* not enough space, just drop the whole copy */ - } - *targetLen += diff; - target = newPtr; - value = NSSUTIL_Escape(value, '\"'); - if (value == NULL) { - return target; /* couldn't escape value, just drop the copy */ - } + /* we need to escape... expand newSpecPtr as well to make sure + * we don't overflow it */ + char *newPtr = PORT_Realloc(target, *targetLen * diff); + if (!newPtr) { + return target; /* not enough space, just drop the whole copy */ + } + *targetLen += diff; + target = newPtr; + value = NSSUTIL_Escape(value, '\"'); + if (value == NULL) { + return target; /* couldn't escape value, just drop the copy */ + } } PORT_Memcpy(target, desc, descLen); target += descLen; - *target++='\"'; + *target++ = '\"'; PORT_Memcpy(target, value, esc_len); target += esc_len; - *target++='\"'; + *target++ = '\"'; if (diff > 0) { - PORT_Free(value); + PORT_Free(value); } return target; } -#define SECMOD_SPEC_COPY(new, start, end) \ - if (end > start) { \ - int _cnt = end - start; \ - PORT_Memcpy(new, start, _cnt); \ - new += _cnt; \ - } +#define SECMOD_SPEC_COPY(new, start, end) \ + if (end > start) { \ + int _cnt = end - start; \ + PORT_Memcpy(new, start, _cnt); \ + new += _cnt; \ + } #define SECMOD_TOKEN_DESCRIPTION "tokenDescription=" -#define SECMOD_SLOT_DESCRIPTION "slotDescription=" - +#define SECMOD_SLOT_DESCRIPTION "slotDescription=" /* - * Find any tokens= values in the module spec. + * Find any tokens= values in the module spec. * Always return a new spec which does not have any tokens= arguments. * If tokens= arguments are found, Split the the various tokens defined into * an array of child specs to return. @@ -316,37 +826,37 @@ secmod_doDescCopy(char *target, int *targetLen, const char *desc, * spec. */ char * -secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS, - char *moduleSpec, char ***children, - CK_SLOT_ID **ids) +secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS, + const char *moduleSpec, char ***children, + CK_SLOT_ID **ids) { - int newSpecLen = PORT_Strlen(moduleSpec)+2; - char *newSpec = PORT_Alloc(newSpecLen); - char *newSpecPtr = newSpec; - char *modulePrev = moduleSpec; - char *target = NULL; + int newSpecLen = PORT_Strlen(moduleSpec) + 2; + char *newSpec = PORT_Alloc(newSpecLen); + char *newSpecPtr = newSpec; + const char *modulePrev = moduleSpec; + char *target = NULL; char *tmp = NULL; - char **childArray = NULL; - char *tokenIndex; - CK_SLOT_ID *idArray = NULL; - int tokenCount = 0; - int i; + char **childArray = NULL; + const char *tokenIndex; + CK_SLOT_ID *idArray = NULL; + int tokenCount = 0; + int i; if (newSpec == NULL) { - return NULL; + return NULL; } *children = NULL; if (ids) { - *ids = NULL; + *ids = NULL; } moduleSpec = NSSUTIL_ArgStrip(moduleSpec); SECMOD_SPEC_COPY(newSpecPtr, modulePrev, moduleSpec); - /* Notes on 'convert' and 'isFIPS' flags: The base parameters for opening - * a new softoken module takes the following parameters to name the + /* Notes on 'convert' and 'isFIPS' flags: The base parameters for opening + * a new softoken module takes the following parameters to name the * various tokens: - * + * * cryptoTokenDescription: name of the non-fips crypto token. * cryptoSlotDescription: name of the non-fips crypto slot. * dbTokenDescription: name of the non-fips db token. @@ -360,9 +870,9 @@ secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS, * slotDescription: name of the slot. * * - * The convert flag tells us to drop the unnecessary *TokenDescription - * and *SlotDescription arguments and convert the appropriate pair - * (either db or FIPS based on the isFIPS flag) to tokenDescription and + * The convert flag tells us to drop the unnecessary *TokenDescription + * and *SlotDescription arguments and convert the appropriate pair + * (either db or FIPS based on the isFIPS flag) to tokenDescription and * slotDescription). */ /* @@ -370,139 +880,152 @@ secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS, * otherise copy the argument. */ while (*moduleSpec) { - int next; - modulePrev = moduleSpec; - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, target, "tokens=", - modulePrev = moduleSpec; /* skip copying */ ) - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoTokenDescription=", - if (convert) { modulePrev = moduleSpec; } ); - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoSlotDescription=", - if (convert) { modulePrev = moduleSpec; } ); - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbTokenDescription=", - if (convert) { - modulePrev = moduleSpec; - if (!isFIPS) { - newSpecPtr = secmod_doDescCopy(newSpecPtr, - &newSpecLen, SECMOD_TOKEN_DESCRIPTION, - sizeof(SECMOD_TOKEN_DESCRIPTION)-1, tmp); - } - }); - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbSlotDescription=", - if (convert) { - modulePrev = moduleSpec; /* skip copying */ - if (!isFIPS) { - newSpecPtr = secmod_doDescCopy(newSpecPtr, - &newSpecLen, SECMOD_SLOT_DESCRIPTION, - sizeof(SECMOD_SLOT_DESCRIPTION)-1, tmp); - } - } ); - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSTokenDescription=", - if (convert) { - modulePrev = moduleSpec; /* skip copying */ - if (isFIPS) { - newSpecPtr = secmod_doDescCopy(newSpecPtr, - &newSpecLen, SECMOD_TOKEN_DESCRIPTION, - sizeof(SECMOD_TOKEN_DESCRIPTION)-1, tmp); - } - } ); - NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSSlotDescription=", - if (convert) { - modulePrev = moduleSpec; /* skip copying */ - if (isFIPS) { - newSpecPtr = secmod_doDescCopy(newSpecPtr, - &newSpecLen, SECMOD_SLOT_DESCRIPTION, - sizeof(SECMOD_SLOT_DESCRIPTION)-1, tmp); - } - } ); - NSSUTIL_HANDLE_FINAL_ARG(moduleSpec) - SECMOD_SPEC_COPY(newSpecPtr, modulePrev, moduleSpec); + int next; + modulePrev = moduleSpec; + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, target, "tokens=", + modulePrev = moduleSpec; + /* skip copying */) + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoTokenDescription=", + if (convert) { modulePrev = moduleSpec; }); + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "cryptoSlotDescription=", + if (convert) { modulePrev = moduleSpec; }); + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbTokenDescription=", + if (convert) { + modulePrev = moduleSpec; + if (!isFIPS) { + newSpecPtr = secmod_doDescCopy(newSpecPtr, + &newSpecLen, + SECMOD_TOKEN_DESCRIPTION, + sizeof(SECMOD_TOKEN_DESCRIPTION) - 1, + tmp); + } + }); + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "dbSlotDescription=", + if (convert) { + modulePrev = moduleSpec; /* skip copying */ + if (!isFIPS) { + newSpecPtr = secmod_doDescCopy(newSpecPtr, + &newSpecLen, + SECMOD_SLOT_DESCRIPTION, + sizeof(SECMOD_SLOT_DESCRIPTION) - 1, + tmp); + } + }); + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSTokenDescription=", + if (convert) { + modulePrev = moduleSpec; /* skip copying */ + if (isFIPS) { + newSpecPtr = secmod_doDescCopy(newSpecPtr, + &newSpecLen, + SECMOD_TOKEN_DESCRIPTION, + sizeof(SECMOD_TOKEN_DESCRIPTION) - 1, + tmp); + } + }); + NSSUTIL_HANDLE_STRING_ARG(moduleSpec, tmp, "FIPSSlotDescription=", + if (convert) { + modulePrev = moduleSpec; /* skip copying */ + if (isFIPS) { + newSpecPtr = secmod_doDescCopy(newSpecPtr, + &newSpecLen, + SECMOD_SLOT_DESCRIPTION, + sizeof(SECMOD_SLOT_DESCRIPTION) - 1, + tmp); + } + }); + NSSUTIL_HANDLE_FINAL_ARG(moduleSpec) + SECMOD_SPEC_COPY(newSpecPtr, modulePrev, moduleSpec); } if (tmp) { - PORT_Free(tmp); - tmp = NULL; + PORT_Free(tmp); + tmp = NULL; } *newSpecPtr = 0; /* no target found, return the newSpec */ if (target == NULL) { - return newSpec; + return newSpec; } /* now build the child array from target */ /*first count them */ for (tokenIndex = NSSUTIL_ArgStrip(target); *tokenIndex; - tokenIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(tokenIndex))) { - tokenCount++; + tokenIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(tokenIndex))) { + tokenCount++; } - childArray = PORT_NewArray(char *, tokenCount+1); + childArray = PORT_NewArray(char *, tokenCount + 1); if (childArray == NULL) { - /* just return the spec as is then */ - PORT_Free(target); - return newSpec; + /* just return the spec as is then */ + PORT_Free(target); + return newSpec; } if (ids) { - idArray = PORT_NewArray(CK_SLOT_ID, tokenCount+1); - if (idArray == NULL) { - PORT_Free(childArray); - PORT_Free(target); - return newSpec; - } + idArray = PORT_NewArray(CK_SLOT_ID, tokenCount + 1); + if (idArray == NULL) { + PORT_Free(childArray); + PORT_Free(target); + return newSpec; + } } /* now fill them in */ - for (tokenIndex = NSSUTIL_ArgStrip(target), i=0 ; - *tokenIndex && (i < tokenCount); - tokenIndex=NSSUTIL_ArgStrip(tokenIndex)) { - int next; - char *name = NSSUTIL_ArgGetLabel(tokenIndex, &next); - tokenIndex += next; - - if (idArray) { - idArray[i] = NSSUTIL_ArgDecodeNumber(name); - } + for (tokenIndex = NSSUTIL_ArgStrip(target), i = 0; + *tokenIndex && (i < tokenCount); + tokenIndex = NSSUTIL_ArgStrip(tokenIndex)) { + int next; + char *name = NSSUTIL_ArgGetLabel(tokenIndex, &next); + tokenIndex += next; + + if (idArray) { + idArray[i] = NSSUTIL_ArgDecodeNumber(name); + } - PORT_Free(name); /* drop the explicit number */ + PORT_Free(name); /* drop the explicit number */ - /* if anything is left, copy the args to the child array */ - if (!NSSUTIL_ArgIsBlank(*tokenIndex)) { - childArray[i++] = NSSUTIL_ArgFetchValue(tokenIndex, &next); - tokenIndex += next; - } + /* if anything is left, copy the args to the child array */ + if (!NSSUTIL_ArgIsBlank(*tokenIndex)) { + childArray[i++] = NSSUTIL_ArgFetchValue(tokenIndex, &next); + tokenIndex += next; + } } PORT_Free(target); childArray[i] = 0; if (idArray) { - idArray[i] = 0; + idArray[i] = 0; } /* return it */ *children = childArray; if (ids) { - *ids = idArray; + *ids = idArray; } return newSpec; } /* get the database and flags from the spec */ static char * -secmod_getConfigDir(char *spec, char **certPrefix, char **keyPrefix, - PRBool *readOnly) +secmod_getConfigDir(const char *spec, char **certPrefix, char **keyPrefix, + PRBool *readOnly) { - char * config = NULL; + char *config = NULL; *certPrefix = NULL; *keyPrefix = NULL; - *readOnly = NSSUTIL_ArgHasFlag("flags","readOnly",spec); + *readOnly = NSSUTIL_ArgHasFlag("flags", "readOnly", spec); + if (NSSUTIL_ArgHasFlag("flags", "nocertdb", spec) || + NSSUTIL_ArgHasFlag("flags", "nokeydb", spec)) { + return NULL; + } spec = NSSUTIL_ArgStrip(spec); while (*spec) { - int next; - NSSUTIL_HANDLE_STRING_ARG(spec, config, "configdir=", ;) - NSSUTIL_HANDLE_STRING_ARG(spec, *certPrefix, "certPrefix=", ;) - NSSUTIL_HANDLE_STRING_ARG(spec, *keyPrefix, "keyPrefix=", ;) - NSSUTIL_HANDLE_FINAL_ARG(spec) + int next; + NSSUTIL_HANDLE_STRING_ARG(spec, config, "configdir=", ;) + NSSUTIL_HANDLE_STRING_ARG(spec, *certPrefix, "certPrefix=", ;) + NSSUTIL_HANDLE_STRING_ARG(spec, *keyPrefix, "keyPrefix=", ;) + NSSUTIL_HANDLE_FINAL_ARG(spec) } return config; } @@ -527,29 +1050,30 @@ secmod_GetConfigList(PRBool isFIPS, char *spec, int *count) SECMODConfigList *conflist = NULL; int i; - strippedSpec = secmod_ParseModuleSpecForTokens(PR_TRUE, isFIPS, - spec,&children,&ids); + strippedSpec = secmod_ParseModuleSpecForTokens(PR_TRUE, isFIPS, + spec, &children, &ids); if (strippedSpec == NULL) { - return NULL; + return NULL; } - for (childCount=0; children && children[childCount]; childCount++) ; - *count = childCount+1; /* include strippedSpec */ - conflist = PORT_NewArray(SECMODConfigList,*count); + for (childCount = 0; children && children[childCount]; childCount++) + ; + *count = childCount + 1; /* include strippedSpec */ + conflist = PORT_NewArray(SECMODConfigList, *count); if (conflist == NULL) { - *count = 0; - goto loser; + *count = 0; + goto loser; } - conflist[0].config = secmod_getConfigDir(strippedSpec, - &conflist[0].certPrefix, - &conflist[0].keyPrefix, - &conflist[0].isReadOnly); - for (i=0; i < childCount; i++) { - conflist[i+1].config = secmod_getConfigDir(children[i], - &conflist[i+1].certPrefix, - &conflist[i+1].keyPrefix, - &conflist[i+1].isReadOnly); + conflist[0].config = secmod_getConfigDir(strippedSpec, + &conflist[0].certPrefix, + &conflist[0].keyPrefix, + &conflist[0].isReadOnly); + for (i = 0; i < childCount; i++) { + conflist[i + 1].config = secmod_getConfigDir(children[i], + &conflist[i + 1].certPrefix, + &conflist[i + 1].keyPrefix, + &conflist[i + 1].isReadOnly); } loser: @@ -569,18 +1093,18 @@ secmod_configIsDBM(char *configDir) /* explicit dbm open */ if (strncmp(configDir, "dbm:", 4) == 0) { - return PR_TRUE; + return PR_TRUE; } /* explicit open of a non-dbm database */ - if ((strncmp(configDir, "sql:",4) == 0) - || (strncmp(configDir, "rdb:", 4) == 0) - || (strncmp(configDir, "extern:", 7) == 0)) { - return PR_FALSE; + if ((strncmp(configDir, "sql:", 4) == 0) || + (strncmp(configDir, "rdb:", 4) == 0) || + (strncmp(configDir, "extern:", 7) == 0)) { + return PR_FALSE; } - env = PR_GetEnv("NSS_DEFAULT_DB_TYPE"); + env = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE"); /* implicit dbm open */ - if ((env == NULL) || (strcmp(env,"dbm") == 0)) { - return PR_TRUE; + if ((env == NULL) || (strcmp(env, "dbm") == 0)) { + return PR_TRUE; } /* implicit non-dbm open */ return PR_FALSE; @@ -593,55 +1117,88 @@ static PRBool secmod_matchPrefix(char *prefix1, char *prefix2) { if ((prefix1 == NULL) || (*prefix1 == 0)) { - if ((prefix2 == NULL) || (*prefix2 == 0)) { - return PR_TRUE; - } - return PR_FALSE; + if ((prefix2 == NULL) || (*prefix2 == 0)) { + return PR_TRUE; + } + return PR_FALSE; } if (strcmp(prefix1, prefix2) == 0) { - return PR_TRUE; + return PR_TRUE; } return PR_FALSE; } +/* do two config paramters match? Not all callers are compariing + * SECMODConfigLists directly, so this function breaks them out to their + * components. */ +static PRBool +secmod_matchConfig(char *configDir1, char *configDir2, + char *certPrefix1, char *certPrefix2, + char *keyPrefix1, char *keyPrefix2, + PRBool isReadOnly1, PRBool isReadOnly2) +{ + /* TODO: Document the answer to the question: + * "Why not allow them to match if they are both NULL?" + * See: https://bugzilla.mozilla.org/show_bug.cgi?id=1318633#c1 + */ + if ((configDir1 == NULL) || (configDir2 == NULL)) { + return PR_FALSE; + } + if (strcmp(configDir1, configDir2) != 0) { + return PR_FALSE; + } + if (!secmod_matchPrefix(certPrefix1, certPrefix2)) { + return PR_FALSE; + } + if (!secmod_matchPrefix(keyPrefix1, keyPrefix2)) { + return PR_FALSE; + } + /* these last test -- if we just need the DB open read only, + * than any open will suffice, but if we requested it read/write + * and it's only open read only, we need to open it again */ + if (isReadOnly1) { + return PR_TRUE; + } + if (isReadOnly2) { /* isReadonly1 == PR_FALSE */ + return PR_FALSE; + } + return PR_TRUE; +} + /* * return true if we are requesting a database that is already openned. */ PRBool -secmod_MatchConfigList(char *spec, SECMODConfigList *conflist, int count) +secmod_MatchConfigList(const char *spec, SECMODConfigList *conflist, int count) { char *config; char *certPrefix; char *keyPrefix; PRBool isReadOnly; - PRBool ret=PR_FALSE; + PRBool ret = PR_FALSE; int i; config = secmod_getConfigDir(spec, &certPrefix, &keyPrefix, &isReadOnly); if (!config) { - ret=PR_TRUE; - goto done; + goto done; } - /* NOTE: we dbm isn't multiple open safe. If we open the same database + /* NOTE: we dbm isn't multiple open safe. If we open the same database * twice from two different locations, then we can corrupt our database * (the cache will be inconsistent). Protect against this by claiming * for comparison only that we are always openning dbm databases read only. */ if (secmod_configIsDBM(config)) { - isReadOnly = 1; - } - for (i=0; i < count; i++) { - if ((strcmp(config,conflist[i].config) == 0) && - secmod_matchPrefix(certPrefix, conflist[i].certPrefix) && - secmod_matchPrefix(keyPrefix, conflist[i].keyPrefix) && - /* this last test -- if we just need the DB open read only, - * than any open will suffice, but if we requested it read/write - * and it's only open read only, we need to open it again */ - (isReadOnly || !conflist[i].isReadOnly)) { - ret = PR_TRUE; - goto done; - } + isReadOnly = 1; + } + for (i = 0; i < count; i++) { + if (secmod_matchConfig(config, conflist[i].config, certPrefix, + conflist[i].certPrefix, keyPrefix, + conflist[i].keyPrefix, isReadOnly, + conflist[i].isReadOnly)) { + ret = PR_TRUE; + goto done; + } } ret = PR_FALSE; @@ -652,14 +1209,93 @@ done: return ret; } +/* + * Find the slot id from the module spec. If the slot is the database slot, we + * can get the slot id from the default database slot. + */ +CK_SLOT_ID +secmod_GetSlotIDFromModuleSpec(const char *moduleSpec, SECMODModule *module) +{ + char *tmp_spec = NULL; + char **children, **thisChild; + CK_SLOT_ID *ids, *thisID, slotID = -1; + char *inConfig = NULL, *thisConfig = NULL; + char *inCertPrefix = NULL, *thisCertPrefix = NULL; + char *inKeyPrefix = NULL, *thisKeyPrefix = NULL; + PRBool inReadOnly, thisReadOnly; + + inConfig = secmod_getConfigDir(moduleSpec, &inCertPrefix, &inKeyPrefix, + &inReadOnly); + if (!inConfig) { + goto done; + } + + if (secmod_configIsDBM(inConfig)) { + inReadOnly = 1; + } + + tmp_spec = secmod_ParseModuleSpecForTokens(PR_TRUE, module->isFIPS, + module->libraryParams, &children, &ids); + if (tmp_spec == NULL) { + goto done; + } + + /* first check to see if the parent is the database */ + thisConfig = secmod_getConfigDir(tmp_spec, &thisCertPrefix, &thisKeyPrefix, + &thisReadOnly); + if (!thisConfig) { + goto done; + } + if (secmod_matchConfig(inConfig, thisConfig, inCertPrefix, thisCertPrefix, + inKeyPrefix, thisKeyPrefix, inReadOnly, thisReadOnly)) { + /* yup it's the default key slot, get the id for it */ + PK11SlotInfo *slot = PK11_GetInternalKeySlot(); + if (slot) { + slotID = slot->slotID; + PK11_FreeSlot(slot); + } + goto done; + } + + /* find id of the token */ + for (thisChild = children, thisID = ids; thisChild && *thisChild; thisChild++, thisID++) { + PORT_Free(thisConfig); + PORT_Free(thisCertPrefix); + PORT_Free(thisKeyPrefix); + thisConfig = secmod_getConfigDir(*thisChild, &thisCertPrefix, + &thisKeyPrefix, &thisReadOnly); + if (thisConfig == NULL) { + continue; + } + if (secmod_matchConfig(inConfig, thisConfig, inCertPrefix, thisCertPrefix, + inKeyPrefix, thisKeyPrefix, inReadOnly, thisReadOnly)) { + slotID = *thisID; + break; + } + } + +done: + PORT_Free(inConfig); + PORT_Free(inCertPrefix); + PORT_Free(inKeyPrefix); + PORT_Free(thisConfig); + PORT_Free(thisCertPrefix); + PORT_Free(thisKeyPrefix); + if (tmp_spec) { + secmod_FreeChildren(children, ids); + PORT_Free(tmp_spec); + } + return slotID; +} + void secmod_FreeConfigList(SECMODConfigList *conflist, int count) { int i; - for (i=0; i < count; i++) { - PORT_Free(conflist[i].config); - PORT_Free(conflist[i].certPrefix); - PORT_Free(conflist[i].keyPrefix); + for (i = 0; i < count; i++) { + PORT_Free(conflist[i].config); + PORT_Free(conflist[i].certPrefix); + PORT_Free(conflist[i].keyPrefix); } PORT_Free(conflist); } @@ -670,15 +1306,15 @@ secmod_FreeChildren(char **children, CK_SLOT_ID *ids) char **thisChild; if (!children) { - return; + return; } - for (thisChild = children; thisChild && *thisChild; thisChild++ ) { - PORT_Free(*thisChild); + for (thisChild = children; thisChild && *thisChild; thisChild++) { + PORT_Free(*thisChild); } PORT_Free(children); if (ids) { - PORT_Free(ids); + PORT_Free(ids); } return; } @@ -692,11 +1328,11 @@ secmod_getChildLength(char *child, CK_SLOT_ID id) { int length = NSSUTIL_DoubleEscapeSize(child, '>', ']'); if (id == 0) { - length++; + length++; } while (id) { - length++; - id = id >> 4; + length++; + id = id >> 4; } length += 6; /* {sp}0x[id]=<{child}> */ return length; @@ -712,26 +1348,26 @@ secmod_mkTokenChild(char **next, int *length, char *child, CK_SLOT_ID id) int len; char *escSpec; - len = PR_snprintf(*next, *length, " 0x%x=<",id); + len = PR_snprintf(*next, *length, " 0x%x=<", id); if (len < 0) { - return SECFailure; + return SECFailure; } *next += len; *length -= len; escSpec = NSSUTIL_DoubleEscape(child, '>', ']'); if (escSpec == NULL) { - return SECFailure; + return SECFailure; } if (*child && (*escSpec == 0)) { - PORT_Free(escSpec); - return SECFailure; + PORT_Free(escSpec); + return SECFailure; } len = strlen(escSpec); - if (len+1 > *length) { - PORT_Free(escSpec); - return SECFailure; + if (len + 1 > *length) { + PORT_Free(escSpec); + return SECFailure; } - PORT_Memcpy(*next,escSpec, len); + PORT_Memcpy(*next, escSpec, len); *next += len; *length -= len; PORT_Free(escSpec); @@ -745,23 +1381,23 @@ secmod_mkTokenChild(char **next, int *length, char *child, CK_SLOT_ID id) char * secmod_MkAppendTokensList(PLArenaPool *arena, char *oldParam, char *newToken, - CK_SLOT_ID newID, char **children, CK_SLOT_ID *ids) + CK_SLOT_ID newID, char **children, CK_SLOT_ID *ids) { - char *rawParam = NULL; /* oldParam with tokens stripped off */ - char *newParam = NULL; /* space for the return parameter */ - char *nextParam = NULL; /* current end of the new parameter */ + char *rawParam = NULL; /* oldParam with tokens stripped off */ + char *newParam = NULL; /* space for the return parameter */ + char *nextParam = NULL; /* current end of the new parameter */ char **oldChildren = NULL; CK_SLOT_ID *oldIds = NULL; - void *mark = NULL; /* mark the arena pool in case we need - * to release it */ + void *mark = NULL; /* mark the arena pool in case we need + * to release it */ int length, i, tmpLen; SECStatus rv; /* first strip out and save the old tokenlist */ - rawParam = secmod_ParseModuleSpecForTokens(PR_FALSE,PR_FALSE, - oldParam,&oldChildren,&oldIds); + rawParam = secmod_ParseModuleSpecForTokens(PR_FALSE, PR_FALSE, + oldParam, &oldChildren, &oldIds); if (!rawParam) { - goto loser; + goto loser; } /* now calculate the total length of the new buffer */ @@ -769,63 +1405,63 @@ secmod_MkAppendTokensList(PLArenaPool *arena, char *oldParam, char *newToken, * length of the token string (does include the NULL), closing bracket */ length = strlen(rawParam) + sizeof(TOKEN_STRING) + 1; /* now add then length of all the old children */ - for (i=0; oldChildren && oldChildren[i]; i++) { - length += secmod_getChildLength(oldChildren[i], oldIds[i]); + for (i = 0; oldChildren && oldChildren[i]; i++) { + length += secmod_getChildLength(oldChildren[i], oldIds[i]); } /* add the new token */ length += secmod_getChildLength(newToken, newID); /* and it's new children */ - for (i=0; children && children[i]; i++) { - if (ids[i] == -1) { - continue; - } - length += secmod_getChildLength(children[i], ids[i]); + for (i = 0; children && children[i]; i++) { + if (ids[i] == -1) { + continue; + } + length += secmod_getChildLength(children[i], ids[i]); } /* now allocate and build the string */ mark = PORT_ArenaMark(arena); if (!mark) { - goto loser; + goto loser; } - newParam = PORT_ArenaAlloc(arena,length); + newParam = PORT_ArenaAlloc(arena, length); if (!newParam) { - goto loser; + goto loser; } PORT_Strcpy(newParam, oldParam); tmpLen = strlen(oldParam); nextParam = newParam + tmpLen; length -= tmpLen; - PORT_Memcpy(nextParam, TOKEN_STRING, sizeof(TOKEN_STRING)-1); - nextParam += sizeof(TOKEN_STRING)-1; - length -= sizeof(TOKEN_STRING)-1; - - for (i=0; oldChildren && oldChildren[i]; i++) { - rv = secmod_mkTokenChild(&nextParam,&length,oldChildren[i],oldIds[i]); - if (rv != SECSuccess) { - goto loser; - } + PORT_Memcpy(nextParam, TOKEN_STRING, sizeof(TOKEN_STRING) - 1); + nextParam += sizeof(TOKEN_STRING) - 1; + length -= sizeof(TOKEN_STRING) - 1; + + for (i = 0; oldChildren && oldChildren[i]; i++) { + rv = secmod_mkTokenChild(&nextParam, &length, oldChildren[i], oldIds[i]); + if (rv != SECSuccess) { + goto loser; + } } rv = secmod_mkTokenChild(&nextParam, &length, newToken, newID); if (rv != SECSuccess) { - goto loser; + goto loser; } - for (i=0; children && children[i]; i++) { - if (ids[i] == -1) { - continue; - } - rv = secmod_mkTokenChild(&nextParam, &length, children[i], ids[i]); - if (rv != SECSuccess) { - goto loser; - } + for (i = 0; children && children[i]; i++) { + if (ids[i] == -1) { + continue; + } + rv = secmod_mkTokenChild(&nextParam, &length, children[i], ids[i]); + if (rv != SECSuccess) { + goto loser; + } } if (length < 2) { - goto loser; + goto loser; } *nextParam++ = ']'; @@ -837,21 +1473,21 @@ secmod_MkAppendTokensList(PLArenaPool *arena, char *oldParam, char *newToken, loser: if (mark) { - PORT_ArenaRelease(arena, mark); - newParam = NULL; /* if the mark is still active, - * don't return the param */ + PORT_ArenaRelease(arena, mark); + newParam = NULL; /* if the mark is still active, + * don't return the param */ } if (rawParam) { - PORT_Free(rawParam); + PORT_Free(rawParam); } if (oldChildren) { - secmod_FreeChildren(oldChildren, oldIds); + secmod_FreeChildren(oldChildren, oldIds); } return newParam; } - + static char * -secmod_mkModuleSpec(SECMODModule * module) +secmod_mkModuleSpec(SECMODModule *module) { char *nss = NULL, *modSpec = NULL, **slotStrings = NULL; int slotCount, i, si; @@ -862,71 +1498,70 @@ secmod_mkModuleSpec(SECMODModule * module) SECMOD_GetReadLock(moduleLock); if (module->slotCount) { - for (i=0; i < module->slotCount; i++) { - if (module->slots[i]->defaultFlags !=0) { - slotCount++; - } - } + for (i = 0; i < module->slotCount; i++) { + if (module->slots[i]->defaultFlags != 0) { + slotCount++; + } + } } else { - slotCount = module->slotInfoCount; + slotCount = module->slotInfoCount; } - slotStrings = (char **)PORT_ZAlloc(slotCount*sizeof(char *)); + slotStrings = (char **)PORT_ZAlloc(slotCount * sizeof(char *)); if (slotStrings == NULL) { SECMOD_ReleaseReadLock(moduleLock); - goto loser; + goto loser; } - /* build the slot info strings */ if (module->slotCount) { - for (i=0, si= 0; i < module->slotCount; i++) { - if (module->slots[i]->defaultFlags) { - PORT_Assert(si < slotCount); - if (si >= slotCount) break; - slotStrings[si] = NSSUTIL_MkSlotString(module->slots[i]->slotID, - module->slots[i]->defaultFlags, - module->slots[i]->timeout, - module->slots[i]->askpw, - module->slots[i]->hasRootCerts, - module->slots[i]->hasRootTrust); - si++; - } - } - } else { - for (i=0; i < slotCount; i++) { - slotStrings[i] = NSSUTIL_MkSlotString( - module->slotInfo[i].slotID, - module->slotInfo[i].defaultFlags, - module->slotInfo[i].timeout, - module->slotInfo[i].askpw, - module->slotInfo[i].hasRootCerts, - module->slotInfo[i].hasRootTrust); - } + for (i = 0, si = 0; i < module->slotCount; i++) { + if (module->slots[i]->defaultFlags) { + PORT_Assert(si < slotCount); + if (si >= slotCount) + break; + slotStrings[si] = NSSUTIL_MkSlotString(module->slots[i]->slotID, + module->slots[i]->defaultFlags, + module->slots[i]->timeout, + module->slots[i]->askpw, + module->slots[i]->hasRootCerts, + module->slots[i]->hasRootTrust); + si++; + } + } + } else { + for (i = 0; i < slotCount; i++) { + slotStrings[i] = NSSUTIL_MkSlotString( + module->slotInfo[i].slotID, + module->slotInfo[i].defaultFlags, + module->slotInfo[i].timeout, + module->slotInfo[i].askpw, + module->slotInfo[i].hasRootCerts, + module->slotInfo[i].hasRootTrust); + } } SECMOD_ReleaseReadLock(moduleLock); - nss = NSSUTIL_MkNSSString(slotStrings,slotCount,module->internal, - module->isFIPS, module->isModuleDB, - module->moduleDBOnly, module->isCritical, - module->trustOrder, module->cipherOrder, - module->ssl[0],module->ssl[1]); - modSpec= NSSUTIL_MkModuleSpec(module->dllName,module->commonName, - module->libraryParams,nss); + nss = NSSUTIL_MkNSSString(slotStrings, slotCount, module->internal, + module->isFIPS, module->isModuleDB, + module->moduleDBOnly, module->isCritical, + module->trustOrder, module->cipherOrder, + module->ssl[0], module->ssl[1]); + modSpec = NSSUTIL_MkModuleSpec(module->dllName, module->commonName, + module->libraryParams, nss); PORT_Free(slotStrings); PR_smprintf_free(nss); loser: return (modSpec); } - char ** SECMOD_GetModuleSpecList(SECMODModule *module) { - SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc; + SECMODModuleDBFunc func = (SECMODModuleDBFunc)module->moduleDBFunc; if (func) { - return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND, - module->libraryParams,NULL); + return (*func)(SECMOD_MODULE_DB_FUNCTION_FIND, + module->libraryParams, NULL); } return NULL; } @@ -938,15 +1573,17 @@ SECMOD_AddPermDB(SECMODModule *module) char *moduleSpec; char **retString; - if (module->parent == NULL) return SECFailure; + if (module->parent == NULL) + return SECFailure; - func = (SECMODModuleDBFunc) module->parent->moduleDBFunc; + func = (SECMODModuleDBFunc)module->parent->moduleDBFunc; if (func) { - moduleSpec = secmod_mkModuleSpec(module); - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD, - module->parent->libraryParams,moduleSpec); - PORT_Free(moduleSpec); - if (retString != NULL) return SECSuccess; + moduleSpec = secmod_mkModuleSpec(module); + retString = (*func)(SECMOD_MODULE_DB_FUNCTION_ADD, + module->parent->libraryParams, moduleSpec); + PORT_Free(moduleSpec); + if (retString != NULL) + return SECSuccess; } return SECFailure; } @@ -958,15 +1595,17 @@ SECMOD_DeletePermDB(SECMODModule *module) char *moduleSpec; char **retString; - if (module->parent == NULL) return SECFailure; + if (module->parent == NULL) + return SECFailure; - func = (SECMODModuleDBFunc) module->parent->moduleDBFunc; + func = (SECMODModuleDBFunc)module->parent->moduleDBFunc; if (func) { - moduleSpec = secmod_mkModuleSpec(module); - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL, - module->parent->libraryParams,moduleSpec); - PORT_Free(moduleSpec); - if (retString != NULL) return SECSuccess; + moduleSpec = secmod_mkModuleSpec(module); + retString = (*func)(SECMOD_MODULE_DB_FUNCTION_DEL, + module->parent->libraryParams, moduleSpec); + PORT_Free(moduleSpec); + if (retString != NULL) + return SECSuccess; } return SECFailure; } @@ -974,12 +1613,13 @@ SECMOD_DeletePermDB(SECMODModule *module) SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList) { - SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc; + SECMODModuleDBFunc func = (SECMODModuleDBFunc)module->moduleDBFunc; char **retString; if (func) { - retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE, - module->libraryParams,moduleSpecList); - if (retString != NULL) return SECSuccess; + retString = (*func)(SECMOD_MODULE_DB_FUNCTION_RELEASE, + module->libraryParams, moduleSpecList); + if (retString != NULL) + return SECSuccess; } return SECFailure; } @@ -988,9 +1628,9 @@ SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList) * load a PKCS#11 module but do not add it to the default NSS trust domain */ SECMODModule * -SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse) +SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse) { - char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL; + char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss = NULL; char *config = NULL; SECStatus status; SECMODModule *module = NULL; @@ -1000,107 +1640,112 @@ SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse) /* initialize the underlying module structures */ SECMOD_Init(); - status = NSSUTIL_ArgParseModuleSpecEx(modulespec, &library, &moduleName, - ¶meters, &nss, - &config); + status = NSSUTIL_ArgParseModuleSpecEx(modulespec, &library, &moduleName, + ¶meters, &nss, + &config); if (status != SECSuccess) { - goto loser; + goto loser; } module = SECMOD_CreateModuleEx(library, moduleName, parameters, nss, config); - if (library) PORT_Free(library); - if (moduleName) PORT_Free(moduleName); - if (parameters) PORT_Free(parameters); - if (nss) PORT_Free(nss); - if (config) PORT_Free(config); + if (library) + PORT_Free(library); + if (moduleName) + PORT_Free(moduleName); + if (parameters) + PORT_Free(parameters); + if (nss) + PORT_Free(nss); + if (config) + PORT_Free(config); if (!module) { - goto loser; + goto loser; } if (parent) { - module->parent = SECMOD_ReferenceModule(parent); - if (module->internal && secmod_IsInternalKeySlot(parent)) { - module->internal = parent->internal; - } + module->parent = SECMOD_ReferenceModule(parent); + if (module->internal && secmod_IsInternalKeySlot(parent)) { + module->internal = parent->internal; + } } /* load it */ rv = secmod_LoadPKCS11Module(module, &oldModule); if (rv != SECSuccess) { - goto loser; + goto loser; } /* if we just reload an old module, no need to add it to any lists. * we simple release all our references */ if (oldModule) { - /* This module already exists, don't link it anywhere. This - * will probably destroy this module */ - SECMOD_DestroyModule(module); - return oldModule; + /* This module already exists, don't link it anywhere. This + * will probably destroy this module */ + SECMOD_DestroyModule(module); + return oldModule; } if (recurse && module->isModuleDB) { - char ** moduleSpecList; - PORT_SetError(0); - - moduleSpecList = SECMOD_GetModuleSpecList(module); - if (moduleSpecList) { - char **index; - - index = moduleSpecList; - if (*index && SECMOD_GetSkipFirstFlag(module)) { - index++; - } - - for (; *index; index++) { - SECMODModule *child; - if (0 == PORT_Strcmp(*index, modulespec)) { - /* avoid trivial infinite recursion */ - PORT_SetError(SEC_ERROR_NO_MODULE); - rv = SECFailure; - break; - } - child = SECMOD_LoadModule(*index,module,PR_TRUE); - if (!child) break; - if (child->isCritical && !child->loaded) { - int err = PORT_GetError(); - if (!err) - err = SEC_ERROR_NO_MODULE; - SECMOD_DestroyModule(child); - PORT_SetError(err); - rv = SECFailure; - break; - } - SECMOD_DestroyModule(child); - } - SECMOD_FreeModuleSpecList(module,moduleSpecList); - } else { - if (!PORT_GetError()) - PORT_SetError(SEC_ERROR_NO_MODULE); - rv = SECFailure; - } + char **moduleSpecList; + PORT_SetError(0); + + moduleSpecList = SECMOD_GetModuleSpecList(module); + if (moduleSpecList) { + char **index; + + index = moduleSpecList; + if (*index && SECMOD_GetSkipFirstFlag(module)) { + index++; + } + + for (; *index; index++) { + SECMODModule *child; + if (0 == PORT_Strcmp(*index, modulespec)) { + /* avoid trivial infinite recursion */ + PORT_SetError(SEC_ERROR_NO_MODULE); + rv = SECFailure; + break; + } + child = SECMOD_LoadModule(*index, module, PR_TRUE); + if (!child) + break; + if (child->isCritical && !child->loaded) { + int err = PORT_GetError(); + if (!err) + err = SEC_ERROR_NO_MODULE; + SECMOD_DestroyModule(child); + PORT_SetError(err); + rv = SECFailure; + break; + } + SECMOD_DestroyModule(child); + } + SECMOD_FreeModuleSpecList(module, moduleSpecList); + } else { + if (!PORT_GetError()) + PORT_SetError(SEC_ERROR_NO_MODULE); + rv = SECFailure; + } } if (rv != SECSuccess) { - goto loser; + goto loser; } - /* inherit the reference */ if (!module->moduleDBOnly) { - SECMOD_AddModuleToList(module); + SECMOD_AddModuleToList(module); } else { - SECMOD_AddModuleToDBOnlyList(module); + SECMOD_AddModuleToDBOnlyList(module); } - + /* handle any additional work here */ return module; loser: if (module) { - if (module->loaded) { - SECMOD_UnloadModule(module); - } - SECMOD_AddModuleToUnloadList(module); + if (module->loaded) { + SECMOD_UnloadModule(module); + } + SECMOD_AddModuleToUnloadList(module); } return module; } @@ -1109,16 +1754,16 @@ loser: * load a PKCS#11 module and add it to the default NSS trust domain */ SECMODModule * -SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse) +SECMOD_LoadUserModule(char *modulespec, SECMODModule *parent, PRBool recurse) { SECStatus rv = SECSuccess; - SECMODModule * newmod = SECMOD_LoadModule(modulespec, parent, recurse); + SECMODModule *newmod = SECMOD_LoadModule(modulespec, parent, recurse); SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); if (newmod) { - SECMOD_GetReadLock(moduleLock); + SECMOD_GetReadLock(moduleLock); rv = STAN_AddModuleToDefaultTrustDomain(newmod); - SECMOD_ReleaseReadLock(moduleLock); + SECMOD_ReleaseReadLock(moduleLock); if (SECSuccess != rv) { SECMOD_DestroyModule(newmod); return NULL; @@ -1131,7 +1776,8 @@ SECMOD_LoadUserModule(char *modulespec,SECMODModule *parent, PRBool recurse) * remove the PKCS#11 module from the default NSS trust domain, call * C_Finalize, and destroy the module structure */ -SECStatus SECMOD_UnloadUserModule(SECMODModule *mod) +SECStatus +SECMOD_UnloadUserModule(SECMODModule *mod) { SECStatus rv = SECSuccess; int atype = 0; @@ -1148,4 +1794,3 @@ SECStatus SECMOD_UnloadUserModule(SECMODModule *mod) } return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE); } - diff --git a/nss/lib/pk11wrap/pk11pbe.c b/nss/lib/pk11wrap/pk11pbe.c index cc72faf..7837bfe 100644 --- a/nss/lib/pk11wrap/pk11pbe.c +++ b/nss/lib/pk11wrap/pk11pbe.c @@ -26,80 +26,78 @@ typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter; struct SEC_PKCS5PBEParameterStr { - PLArenaPool *poolp; - SECItem salt; /* octet string */ - SECItem iteration; /* integer */ - SECItem keyLength; /* PKCS5v2 only */ - SECAlgorithmID *pPrfAlgId; /* PKCS5v2 only */ - SECAlgorithmID prfAlgId; /* PKCS5v2 only */ + PLArenaPool *poolp; + SECItem salt; /* octet string */ + SECItem iteration; /* integer */ + SECItem keyLength; /* PKCS5v2 only */ + SECAlgorithmID *pPrfAlgId; /* PKCS5v2 only */ + SECAlgorithmID prfAlgId; /* PKCS5v2 only */ }; -/* PKCS5 V2 has an algorithm ID for the encryption and for - * the key generation. This is valid for SEC_OID_PKCS5_PBES2 +/* PKCS5 V2 has an algorithm ID for the encryption and for + * the key generation. This is valid for SEC_OID_PKCS5_PBES2 * and SEC_OID_PKCS5_PBMAC1 */ struct sec_pkcs5V2ParameterStr { - PLArenaPool *poolp; - SECAlgorithmID pbeAlgId; /* real pbe algorithms */ + PLArenaPool *poolp; + SECAlgorithmID pbeAlgId; /* real pbe algorithms */ SECAlgorithmID cipherAlgId; /* encryption/mac */ }; typedef struct sec_pkcs5V2ParameterStr sec_pkcs5V2Parameter; - /* template for PKCS 5 PBE Parameter. This template has been expanded * based upon the additions in PKCS 12. This should eventually be moved * if RSA updates PKCS 5. */ const SEC_ASN1Template SEC_PKCS5PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_OCTET_STRING, - offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, - offsetof(SEC_PKCS5PBEParameter, iteration) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, + offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, + offsetof(SEC_PKCS5PBEParameter, iteration) }, + { 0 } + }; const SEC_ASN1Template SEC_V2PKCS12PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, + { 0 } + }; SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) /* SECOID_PKCS5_PBKDF2 */ const SEC_ASN1Template SEC_PKCS5V2PBEParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - /* This is really a choice, but since we only understand this + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + /* This is really a choice, but since we only understand this * choice, just inline it */ - { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, - { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, - { SEC_ASN1_INTEGER|SEC_ASN1_OPTIONAL, - offsetof(SEC_PKCS5PBEParameter, keyLength) }, - { SEC_ASN1_POINTER | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, - offsetof(SEC_PKCS5PBEParameter, pPrfAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } -}; + { SEC_ASN1_OCTET_STRING, offsetof(SEC_PKCS5PBEParameter, salt) }, + { SEC_ASN1_INTEGER, offsetof(SEC_PKCS5PBEParameter, iteration) }, + { SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, + offsetof(SEC_PKCS5PBEParameter, keyLength) }, + { SEC_ASN1_POINTER | SEC_ASN1_XTRN | SEC_ASN1_OPTIONAL, + offsetof(SEC_PKCS5PBEParameter, pPrfAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } + }; /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */ const SEC_ASN1Template SEC_PKCS5V2ParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(sec_pkcs5V2Parameter, pbeAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(sec_pkcs5V2Parameter, cipherAlgId), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { 0 } -}; - + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS5PBEParameter) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(sec_pkcs5V2Parameter, pbeAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(sec_pkcs5V2Parameter, cipherAlgId), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } + }; /* * maps a PBE algorithm to a crypto algorithm. for PKCS12 and PKCS5v1 @@ -108,32 +106,31 @@ const SEC_ASN1Template SEC_PKCS5V2ParameterTemplate[] = SECOidTag sec_pkcs5GetCryptoFromAlgTag(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: - return SEC_OID_DES_EDE3_CBC; - case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: - return SEC_OID_DES_CBC; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return SEC_OID_RC2_CBC; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - return SEC_OID_RC4; - case SEC_OID_PKCS5_PBKDF2: - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - return SEC_OID_PKCS5_PBKDF2; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + return SEC_OID_DES_EDE3_CBC; + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + return SEC_OID_DES_CBC; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return SEC_OID_RC2_CBC; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + return SEC_OID_RC4; + case SEC_OID_PKCS5_PBKDF2: + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: + return SEC_OID_PKCS5_PBKDF2; + default: + break; } return SEC_OID_UNKNOWN; @@ -151,27 +148,27 @@ sec_pkcs5_v2_get_v2_param(PLArenaPool *arena, SECAlgorithmID *algid) SECStatus rv; if (arena == NULL) { - localArena = arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if (arena == NULL) { - return NULL; - } + localArena = arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (arena == NULL) { + return NULL; + } } pbeV2_param = PORT_ArenaZNew(arena, sec_pkcs5V2Parameter); if (pbeV2_param == NULL) { - goto loser; + goto loser; } - + rv = SEC_ASN1DecodeItem(arena, pbeV2_param, - SEC_PKCS5V2ParameterTemplate, &algid->parameters); + SEC_PKCS5V2ParameterTemplate, &algid->parameters); if (rv == SECFailure) { - goto loser; + goto loser; } pbeV2_param->poolp = arena; return pbeV2_param; loser: if (localArena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } @@ -179,50 +176,49 @@ loser: void sec_pkcs5_v2_destroy_v2_param(sec_pkcs5V2Parameter *param) { - if (param && param->poolp) { - PORT_FreeArena(param->poolp, PR_TRUE); - } + if (param && param->poolp) { + PORT_FreeArena(param->poolp, PR_TRUE); + } } - /* maps crypto algorithm from PBE algorithm. */ -SECOidTag +SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid) { SECOidTag pbeAlg; SECOidTag cipherAlg; - if(algid == NULL) - return SEC_OID_UNKNOWN; + if (algid == NULL) + return SEC_OID_UNKNOWN; pbeAlg = SECOID_GetAlgorithmTag(algid); cipherAlg = sec_pkcs5GetCryptoFromAlgTag(pbeAlg); - if ((cipherAlg == SEC_OID_PKCS5_PBKDF2) && - (pbeAlg != SEC_OID_PKCS5_PBKDF2)) { - sec_pkcs5V2Parameter *pbeV2_param; - cipherAlg = SEC_OID_UNKNOWN; + if ((cipherAlg == SEC_OID_PKCS5_PBKDF2) && + (pbeAlg != SEC_OID_PKCS5_PBKDF2)) { + sec_pkcs5V2Parameter *pbeV2_param; + cipherAlg = SEC_OID_UNKNOWN; - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param != NULL) { - cipherAlg = SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - } + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param != NULL) { + cipherAlg = SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + } } return cipherAlg; } /* check to see if an oid is a pbe algorithm - */ -PRBool + */ +PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid) { return (PRBool)(SEC_PKCS5GetCryptoAlgorithm(algid) != SEC_OID_UNKNOWN); } -PRBool +PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algtag) { return (PRBool)(sec_pkcs5GetCryptoFromAlgTag(algtag) != SEC_OID_UNKNOWN); @@ -237,70 +233,69 @@ sec_pkcs5v2_get_pbe(SECOidTag algTag) { /* if it's a valid hash oid... */ if (HASH_GetHashOidTagByHMACOidTag(algTag) != SEC_OID_UNKNOWN) { - /* use the MAC tag */ - return SEC_OID_PKCS5_PBMAC1; + /* use the MAC tag */ + return SEC_OID_PKCS5_PBMAC1; } if (HASH_GetHashTypeByOidTag(algTag) != HASH_AlgNULL) { - /* eliminate Hash algorithms */ - return SEC_OID_UNKNOWN; + /* eliminate Hash algorithms */ + return SEC_OID_UNKNOWN; } if (PK11_AlgtagToMechanism(algTag) != CKM_INVALID_MECHANISM) { - /* it's not a hash, if it has a PKCS #11 mechanism associated - * with it, assume it's a cipher. (NOTE this will generate - * some false positives). */ - return SEC_OID_PKCS5_PBES2; + /* it's not a hash, if it has a PKCS #11 mechanism associated + * with it, assume it's a cipher. (NOTE this will generate + * some false positives). */ + return SEC_OID_PKCS5_PBES2; } return SEC_OID_UNKNOWN; } -/* +/* * maps PBE algorithm from crypto algorithm, assumes SHA1 hashing. * input keyLen in bits. */ -SECOidTag +SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen) { - switch(algTag) - { - case SEC_OID_DES_EDE3_CBC: - switch(keyLen) { - case 168: - case 192: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; - case 128: - case 92: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC; - default: - break; - } - break; - case SEC_OID_DES_CBC: - return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC; - case SEC_OID_RC2_CBC: - switch(keyLen) { - case 40: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; - case 128: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC; - default: - break; - } - break; - case SEC_OID_RC4: - switch(keyLen) { - case 40: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4; - case 128: - case 0: - return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4; - default: - break; - } - break; - default: - return sec_pkcs5v2_get_pbe(algTag); + switch (algTag) { + case SEC_OID_DES_EDE3_CBC: + switch (keyLen) { + case 168: + case 192: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; + case 128: + case 92: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC; + default: + break; + } + break; + case SEC_OID_DES_CBC: + return SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC; + case SEC_OID_RC2_CBC: + switch (keyLen) { + case 40: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; + case 128: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC; + default: + break; + } + break; + case SEC_OID_RC4: + switch (keyLen) { + case 40: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4; + case 128: + case 0: + return SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4; + default: + break; + } + break; + default: + return sec_pkcs5v2_get_pbe(algTag); } return SEC_OID_UNKNOWN; @@ -321,18 +316,18 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid) algorithm = SECOID_GetAlgorithmTag(algid); /* sanity check, they should all be PBKDF2 here */ if (algorithm != SEC_OID_PKCS5_PBKDF2) { - return -1; + return -1; } arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) { - goto loser; + goto loser; } PORT_Memset(&p5_param, 0, sizeof(p5_param)); - rv = SEC_ASN1DecodeItem(arena,&p5_param, - SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); + rv = SEC_ASN1DecodeItem(arena, &p5_param, + SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); if (rv != SECSuccess) { - goto loser; + goto loser; } if (p5_param.keyLength.data != NULL) { @@ -341,7 +336,7 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid) loser: if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return length; } @@ -349,76 +344,72 @@ loser: /* * get the key length in bytes needed for the PBE algorithm */ -int +int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid) { SECOidTag algorithm; - if(algid == NULL) - return SEC_OID_UNKNOWN; + if (algid == NULL) + return SEC_OID_UNKNOWN; algorithm = SECOID_GetAlgorithmTag(algid); - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - return 24; - case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: - case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: - return 8; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return 5; - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - return 16; - case SEC_OID_PKCS5_PBKDF2: - return sec_pkcs5v2_key_length(algid); - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - { - sec_pkcs5V2Parameter *pbeV2_param; - int length = -1; - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param != NULL) { - length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - } - return length; - } - - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + return 24; + case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC: + case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: + return 8; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return 5; + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + return 16; + case SEC_OID_PKCS5_PBKDF2: + return sec_pkcs5v2_key_length(algid); + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: { + sec_pkcs5V2Parameter *pbeV2_param; + int length = -1; + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param != NULL) { + length = sec_pkcs5v2_key_length(&pbeV2_param->pbeAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + } + return length; + } + + default: + break; } return -1; } - /* the PKCS12 V2 algorithms only encode the salt, there is no iteration * count so we need a check for V2 algorithm parameters. */ static PRBool sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: - case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: - return PR_TRUE; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: + case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: + return PR_TRUE; + default: + break; } return PR_FALSE; @@ -427,28 +418,27 @@ sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(SECOidTag algorithm) static PRBool sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(SECOidTag algorithm) { - switch(algorithm) - { - case SEC_OID_PKCS5_PBES2: - case SEC_OID_PKCS5_PBMAC1: - case SEC_OID_PKCS5_PBKDF2: - return PR_TRUE; - default: - break; + switch (algorithm) { + case SEC_OID_PKCS5_PBES2: + case SEC_OID_PKCS5_PBMAC1: + case SEC_OID_PKCS5_PBKDF2: + return PR_TRUE; + default: + break; } return PR_FALSE; } -/* destroy a pbe parameter. it assumes that the parameter was +/* destroy a pbe parameter. it assumes that the parameter was * generated using the appropriate create function and therefor * contains an arena pool. */ -static void +static void sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param) { - if(pbe_param != NULL) - PORT_FreeArena(pbe_param->poolp, PR_TRUE); + if (pbe_param != NULL) + PORT_FreeArena(pbe_param->poolp, PR_TRUE); } /* creates a PBE parameter based on the PBE algorithm. the only required @@ -460,84 +450,84 @@ sec_pkcs5_destroy_pbe_param(SEC_PKCS5PBEParameter *pbe_param) * iteration - number of iterations to perform hashing. * keyLength - only used in variable key length algorithms. if specified, * should be in bytes. - * once a parameter is allocated, it should be destroyed calling + * once a parameter is allocated, it should be destroyed calling * sec_pkcs5_destroy_pbe_parameter or SEC_PKCS5DestroyPBEParameter. */ #define DEFAULT_SALT_LENGTH 16 static SEC_PKCS5PBEParameter * -sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, - SECItem *salt, - int iteration, - int keyLength, - SECOidTag prfAlg) +sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, + SECItem *salt, + int iteration, + int keyLength, + SECOidTag prfAlg) { PLArenaPool *poolp = NULL; SEC_PKCS5PBEParameter *pbe_param = NULL; - SECStatus rv= SECSuccess; + SECStatus rv = SECSuccess; void *dummy = NULL; - if(iteration < 0) { - return NULL; + if (iteration < 0) { + return NULL; } poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(poolp == NULL) - return NULL; + if (poolp == NULL) + return NULL; pbe_param = (SEC_PKCS5PBEParameter *)PORT_ArenaZAlloc(poolp, - sizeof(SEC_PKCS5PBEParameter)); - if(!pbe_param) { - PORT_FreeArena(poolp, PR_TRUE); - return NULL; + sizeof(SEC_PKCS5PBEParameter)); + if (!pbe_param) { + PORT_FreeArena(poolp, PR_TRUE); + return NULL; } pbe_param->poolp = poolp; rv = SECFailure; if (salt && salt->data) { - rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt); + rv = SECITEM_CopyItem(poolp, &pbe_param->salt, salt); } else { - /* sigh, the old interface generated salt on the fly, so we have to - * preserve the semantics */ - pbe_param->salt.len = DEFAULT_SALT_LENGTH; - pbe_param->salt.data = PORT_ArenaZAlloc(poolp,DEFAULT_SALT_LENGTH); - if (pbe_param->salt.data) { - rv = PK11_GenerateRandom(pbe_param->salt.data,DEFAULT_SALT_LENGTH); - } + /* sigh, the old interface generated salt on the fly, so we have to + * preserve the semantics */ + pbe_param->salt.len = DEFAULT_SALT_LENGTH; + pbe_param->salt.data = PORT_ArenaZAlloc(poolp, DEFAULT_SALT_LENGTH); + if (pbe_param->salt.data) { + rv = PK11_GenerateRandom(pbe_param->salt.data, DEFAULT_SALT_LENGTH); + } } - if(rv != SECSuccess) { - PORT_FreeArena(poolp, PR_TRUE); - return NULL; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_TRUE); + return NULL; } /* encode the integer */ - dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, - iteration); + dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->iteration, + iteration); rv = (dummy) ? SECSuccess : SECFailure; - if(rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; } /* * for PKCS5 v2 Add the keylength and the prf */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { - dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->keyLength, - keyLength); - rv = (dummy) ? SECSuccess : SECFailure; - if (rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; - } - rv = SECOID_SetAlgorithmID(poolp, &pbe_param->prfAlgId, prfAlg, NULL); - if (rv != SECSuccess) { - PORT_FreeArena(poolp, PR_FALSE); - return NULL; - } - pbe_param->pPrfAlgId = &pbe_param->prfAlgId; + dummy = SEC_ASN1EncodeInteger(poolp, &pbe_param->keyLength, + keyLength); + rv = (dummy) ? SECSuccess : SECFailure; + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; + } + rv = SECOID_SetAlgorithmID(poolp, &pbe_param->prfAlgId, prfAlg, NULL); + if (rv != SECSuccess) { + PORT_FreeArena(poolp, PR_FALSE); + return NULL; + } + pbe_param->pPrfAlgId = &pbe_param->prfAlgId; } return pbe_param; @@ -545,19 +535,19 @@ sec_pkcs5_create_pbe_parameter(SECOidTag algorithm, /* creates a algorithm ID containing the PBE algorithm and appropriate * parameters. the required parameter is the algorithm. if salt is - * not specified, it is generated randomly. + * not specified, it is generated randomly. * - * the returned SECAlgorithmID should be destroyed using + * the returned SECAlgorithmID should be destroyed using * SECOID_DestroyAlgorithmID */ SECAlgorithmID * -sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, - SECOidTag cipherAlgorithm, - SECOidTag prfAlg, - SECOidTag *pPbeAlgorithm, - int keyLength, - SECItem *salt, - int iteration) +sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, + SECOidTag cipherAlgorithm, + SECOidTag prfAlg, + SECOidTag *pPbeAlgorithm, + int keyLength, + SECItem *salt, + int iteration) { PLArenaPool *poolp = NULL; SECAlgorithmID *algid, *ret_algid = NULL; @@ -568,174 +558,173 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SEC_PKCS5PBEParameter *pbe_param = NULL; sec_pkcs5V2Parameter pbeV2_param; - if(iteration <= 0) { - return NULL; + if (iteration <= 0) { + return NULL; } poolp = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if(!poolp) { - goto loser; + if (!poolp) { + goto loser; } if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm) || - sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - /* use PKCS 5 v2 */ - SECItem *cipherParams; - - /* - * if we ask for pkcs5 Algorithms directly, then the - * application needs to supply the cipher algorithm, - * otherwise we are implicitly using pkcs5 v2 and the - * passed in algorithm is the encryption algorithm. - */ - if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - if (cipherAlgorithm == SEC_OID_UNKNOWN) { - goto loser; - } - } else { - cipherAlgorithm = algorithm; - /* force algorithm to be chosen below */ - algorithm = SEC_OID_PKCS5_PBKDF2; - } - - pbeAlgorithm = SEC_OID_PKCS5_PBKDF2; - /* - * 'algorithm' is the overall algorithm oid tag used to wrap the - * entire algoithm ID block. For PKCS5v1 and PKCS12, this - * algorithm OID has encoded in it both the PBE KDF function - * and the encryption algorithm. For PKCS 5v2, PBE KDF and - * encryption/macing oids are encoded as parameters in - * the algorithm ID block. - * - * Thus in PKCS5 v1 and PKCS12, this algorithm maps to a pkcs #11 - * mechanism, where as in PKCS 5v2, this alogithm tag does not map - * directly to a PKCS #11 mechanim, instead the 2 oids in the - * algorithm ID block map the the actual PKCS #11 mechanism. - * gorithm is). We use choose this algorithm oid based on the - * cipherAlgorithm to determine what this should be (MAC1 or PBES2). - */ - if (algorithm == SEC_OID_PKCS5_PBKDF2) { - /* choose mac or pbes */ - algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); - } - - /* set the PKCS5v2 specific parameters */ - if (keyLength == 0) { - SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); - if (hashAlg != SEC_OID_UNKNOWN) { - keyLength = HASH_ResultLenByOidTag(hashAlg); - } else { - CK_MECHANISM_TYPE cryptoMech; - cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); - if (cryptoMech == CKM_INVALID_MECHANISM) { - goto loser; - } - keyLength = PK11_GetMaxKeyLength(cryptoMech); - } - if (keyLength == 0) { - goto loser; - } - } - /* currently only SEC_OID_HMAC_SHA1 is defined */ - if (prfAlg == SEC_OID_UNKNOWN) { - prfAlg = SEC_OID_HMAC_SHA1; - } - - /* build the PKCS5v2 cipher algorithm id */ - cipherParams = pk11_GenerateNewParamWithKeyLen( - PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); - if (!cipherParams) { - goto loser; - } - - PORT_Memset(&pbeV2_param, 0, sizeof (pbeV2_param)); - - rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, - poolp, &pbeV2_param.cipherAlgId); - SECITEM_FreeItem(cipherParams, PR_TRUE); - if (rv != SECSuccess) { - goto loser; - } - } - + sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { + /* use PKCS 5 v2 */ + SECItem *cipherParams; + + /* + * if we ask for pkcs5 Algorithms directly, then the + * application needs to supply the cipher algorithm, + * otherwise we are implicitly using pkcs5 v2 and the + * passed in algorithm is the encryption algorithm. + */ + if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { + if (cipherAlgorithm == SEC_OID_UNKNOWN) { + goto loser; + } + } else { + cipherAlgorithm = algorithm; + /* force algorithm to be chosen below */ + algorithm = SEC_OID_PKCS5_PBKDF2; + } + + pbeAlgorithm = SEC_OID_PKCS5_PBKDF2; + /* + * 'algorithm' is the overall algorithm oid tag used to wrap the + * entire algoithm ID block. For PKCS5v1 and PKCS12, this + * algorithm OID has encoded in it both the PBE KDF function + * and the encryption algorithm. For PKCS 5v2, PBE KDF and + * encryption/macing oids are encoded as parameters in + * the algorithm ID block. + * + * Thus in PKCS5 v1 and PKCS12, this algorithm maps to a pkcs #11 + * mechanism, where as in PKCS 5v2, this alogithm tag does not map + * directly to a PKCS #11 mechanim, instead the 2 oids in the + * algorithm ID block map the the actual PKCS #11 mechanism. + * gorithm is). We use choose this algorithm oid based on the + * cipherAlgorithm to determine what this should be (MAC1 or PBES2). + */ + if (algorithm == SEC_OID_PKCS5_PBKDF2) { + /* choose mac or pbes */ + algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); + } + + /* set the PKCS5v2 specific parameters */ + if (keyLength == 0) { + SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + if (hashAlg != SEC_OID_UNKNOWN) { + keyLength = HASH_ResultLenByOidTag(hashAlg); + } else { + CK_MECHANISM_TYPE cryptoMech; + cryptoMech = PK11_AlgtagToMechanism(cipherAlgorithm); + if (cryptoMech == CKM_INVALID_MECHANISM) { + goto loser; + } + keyLength = PK11_GetMaxKeyLength(cryptoMech); + } + if (keyLength == 0) { + goto loser; + } + } + /* currently SEC_OID_HMAC_SHA1 is the default */ + if (prfAlg == SEC_OID_UNKNOWN) { + prfAlg = SEC_OID_HMAC_SHA1; + } + + /* build the PKCS5v2 cipher algorithm id */ + cipherParams = pk11_GenerateNewParamWithKeyLen( + PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); + if (!cipherParams) { + goto loser; + } + + PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param)); + + rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, + poolp, &pbeV2_param.cipherAlgId); + SECITEM_FreeItem(cipherParams, PR_TRUE); + if (rv != SECSuccess) { + goto loser; + } + } /* generate the parameter */ pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration, - keyLength, prfAlg); - if(!pbe_param) { - goto loser; + keyLength, prfAlg); + if (!pbe_param) { + goto loser; } /* generate the algorithm id */ algid = (SECAlgorithmID *)PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID)); - if(algid == NULL) { - goto loser; + if (algid == NULL) { + goto loser; } der_param.data = NULL; der_param.len = 0; if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(algorithm)) { - /* first encode the PBE algorithm ID */ - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_PKCS5V2PBEParameterTemplate); - if (dummy == NULL) { - goto loser; - } - rv = SECOID_SetAlgorithmID(poolp, &pbeV2_param.pbeAlgId, - pbeAlgorithm, &der_param); - if (rv != SECSuccess) { - goto loser; - } - - /* now encode the Full PKCS 5 parameter */ - der_param.data = NULL; - der_param.len = 0; - dummy = SEC_ASN1EncodeItem(poolp, &der_param, &pbeV2_param, - SEC_PKCS5V2ParameterTemplate); - } else if(!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_PKCS5PBEParameterTemplate); + /* first encode the PBE algorithm ID */ + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_PKCS5V2PBEParameterTemplate); + if (dummy == NULL) { + goto loser; + } + rv = SECOID_SetAlgorithmID(poolp, &pbeV2_param.pbeAlgId, + pbeAlgorithm, &der_param); + if (rv != SECSuccess) { + goto loser; + } + + /* now encode the Full PKCS 5 parameter */ + der_param.data = NULL; + der_param.len = 0; + dummy = SEC_ASN1EncodeItem(poolp, &der_param, &pbeV2_param, + SEC_PKCS5V2ParameterTemplate); + } else if (!sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_PKCS5PBEParameterTemplate); } else { - dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, - SEC_V2PKCS12PBEParameterTemplate); + dummy = SEC_ASN1EncodeItem(poolp, &der_param, pbe_param, + SEC_V2PKCS12PBEParameterTemplate); } if (dummy == NULL) { - goto loser; + goto loser; } rv = SECOID_SetAlgorithmID(poolp, algid, algorithm, &der_param); if (rv != SECSuccess) { - goto loser; + goto loser; } ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID)); if (ret_algid == NULL) { - goto loser; + goto loser; } rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid); if (rv != SECSuccess) { - SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); - ret_algid = NULL; + SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE); + ret_algid = NULL; } else if (pPbeAlgorithm) { - *pPbeAlgorithm = pbeAlgorithm; + *pPbeAlgorithm = pbeAlgorithm; } loser: if (poolp != NULL) { - PORT_FreeArena(poolp, PR_TRUE); - algid = NULL; + PORT_FreeArena(poolp, PR_TRUE); + algid = NULL; } if (pbe_param) { - sec_pkcs5_destroy_pbe_param(pbe_param); + sec_pkcs5_destroy_pbe_param(pbe_param); } return ret_algid; } SECStatus -pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) +pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech) { SEC_PKCS5PBEParameter p5_param; SECItem *salt = NULL; @@ -747,14 +736,12 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) CK_ULONG iterations; int paramLen = 0; int iv_len; - arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); if (arena == NULL) { - goto loser; + goto loser; } - /* * decode the algid based on the pbe type */ @@ -762,131 +749,145 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm)); rv = SEC_ASN1DecodeItem(arena, &p5_param, - SEC_V2PKCS12PBEParameterTemplate, &algid->parameters); + SEC_V2PKCS12PBEParameterTemplate, &algid->parameters); } else if (algorithm == SEC_OID_PKCS5_PBKDF2) { - iv_len = 0; - rv = SEC_ASN1DecodeItem(arena,&p5_param, - SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); + iv_len = 0; + rv = SEC_ASN1DecodeItem(arena, &p5_param, + SEC_PKCS5V2PBEParameterTemplate, &algid->parameters); } else { iv_len = PK11_GetIVLength(PK11_AlgtagToMechanism(algorithm)); - rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, - &algid->parameters); + rv = SEC_ASN1DecodeItem(arena, &p5_param, SEC_PKCS5PBEParameterTemplate, + &algid->parameters); } if (iv_len < 0) { - goto loser; + goto loser; } if (rv != SECSuccess) { - goto loser; + goto loser; } - + /* get salt */ salt = &p5_param.salt; - iterations = (CK_ULONG) DER_GetInteger(&p5_param.iteration); + iterations = (CK_ULONG)DER_GetInteger(&p5_param.iteration); /* allocate and fill in the PKCS #11 parameters * based on the algorithm. */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { - SECOidTag prfAlgTag; - CK_PKCS5_PBKD2_PARAMS *pbeV2_params = - (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc( - sizeof(CK_PKCS5_PBKD2_PARAMS)+ salt->len); - - if (pbeV2_params == NULL) { - goto loser; - } - paramData = (unsigned char *)pbeV2_params; - paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS); - - /* set the prf */ - prfAlgTag = SEC_OID_HMAC_SHA1; - if (p5_param.pPrfAlgId && - p5_param.pPrfAlgId->algorithm.data != 0) { - prfAlgTag = SECOID_GetAlgorithmTag(p5_param.pPrfAlgId); - } - if (prfAlgTag == SEC_OID_HMAC_SHA1) { - pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA1; - } else { - /* only SHA1_HMAC is currently supported by PKCS #11 */ - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; - } - - /* probably should fetch these from the prfAlgid */ - pbeV2_params->pPrfData = NULL; - pbeV2_params->ulPrfDataLen = 0; - pbeV2_params->saltSource = CKZ_SALT_SPECIFIED; - pSalt = ((CK_CHAR_PTR) pbeV2_params)+sizeof(CK_PKCS5_PBKD2_PARAMS); + SECOidTag prfAlgTag; + CK_PKCS5_PBKD2_PARAMS *pbeV2_params = + (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc( + sizeof(CK_PKCS5_PBKD2_PARAMS) + salt->len); + + if (pbeV2_params == NULL) { + goto loser; + } + paramData = (unsigned char *)pbeV2_params; + paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS); + + /* set the prf */ + prfAlgTag = SEC_OID_HMAC_SHA1; + if (p5_param.pPrfAlgId && + p5_param.pPrfAlgId->algorithm.data != 0) { + prfAlgTag = SECOID_GetAlgorithmTag(p5_param.pPrfAlgId); + } + switch (prfAlgTag) { + case SEC_OID_HMAC_SHA1: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA1; + break; + case SEC_OID_HMAC_SHA224: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA224; + break; + case SEC_OID_HMAC_SHA256: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA256; + break; + case SEC_OID_HMAC_SHA384: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA384; + break; + case SEC_OID_HMAC_SHA512: + pbeV2_params->prf = CKP_PKCS5_PBKD2_HMAC_SHA512; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + + /* probably should fetch these from the prfAlgid */ + pbeV2_params->pPrfData = NULL; + pbeV2_params->ulPrfDataLen = 0; + pbeV2_params->saltSource = CKZ_SALT_SPECIFIED; + pSalt = ((CK_CHAR_PTR)pbeV2_params) + sizeof(CK_PKCS5_PBKD2_PARAMS); PORT_Memcpy(pSalt, salt->data, salt->len); - pbeV2_params->pSaltSourceData = pSalt; - pbeV2_params->ulSaltSourceDataLen = salt->len; - pbeV2_params->iterations = iterations; + pbeV2_params->pSaltSourceData = pSalt; + pbeV2_params->ulSaltSourceDataLen = salt->len; + pbeV2_params->iterations = iterations; } else { - CK_PBE_PARAMS *pbe_params = NULL; - pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS)+ - salt->len+iv_len); - if (pbe_params == NULL) { - goto loser; - } - paramData = (unsigned char *)pbe_params; - paramLen = sizeof(CK_PBE_PARAMS); - - pSalt = ((CK_CHAR_PTR) pbe_params)+sizeof(CK_PBE_PARAMS); - pbe_params->pSalt = pSalt; + CK_PBE_PARAMS *pbe_params = NULL; + pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS) + + salt->len + iv_len); + if (pbe_params == NULL) { + goto loser; + } + paramData = (unsigned char *)pbe_params; + paramLen = sizeof(CK_PBE_PARAMS); + + pSalt = ((CK_CHAR_PTR)pbe_params) + sizeof(CK_PBE_PARAMS); + pbe_params->pSalt = pSalt; PORT_Memcpy(pSalt, salt->data, salt->len); - pbe_params->ulSaltLen = salt->len; - if (iv_len) { - pbe_params->pInitVector = - ((CK_CHAR_PTR) pbe_params)+ sizeof(CK_PBE_PARAMS)+salt->len; - } - pbe_params->ulIteration = iterations; + pbe_params->ulSaltLen = salt->len; + if (iv_len) { + pbe_params->pInitVector = + ((CK_CHAR_PTR)pbe_params) + sizeof(CK_PBE_PARAMS) + salt->len; + } + pbe_params->ulIteration = iterations; } /* copy into the mechanism sec item */ mech->data = paramData; mech->len = paramLen; if (arena) { - PORT_FreeArena(arena,PR_TRUE); + PORT_FreeArena(arena, PR_TRUE); } return SECSuccess; loser: if (paramData) { - PORT_Free(paramData); + PORT_Free(paramData); } if (arena) { - PORT_FreeArena(arena,PR_TRUE); + PORT_FreeArena(arena, PR_TRUE); } return SECFailure; } /* - * public, deprecated, not valid for pkcs5 v2 - * + * public, deprecated, not valid for pkcs5 v2 + * * use PK11_CreatePBEV2AlgorithmID or PK11_CreatePBEAlgorithmID to create * PBE algorithmID's directly. */ SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, - SECAlgorithmID *algId) + SECAlgorithmID *algId) { CK_PBE_PARAMS *pbe_param; SECItem pbeSalt; SECAlgorithmID *pbeAlgID = NULL; SECStatus rv; - if(!param || !algId) { - return SECFailure; + if (!param || !algId) { + return SECFailure; } pbe_param = (CK_PBE_PARAMS *)param->data; pbeSalt.data = (unsigned char *)pbe_param->pSalt; pbeSalt.len = pbe_param->ulSaltLen; - pbeAlgID = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, - SEC_OID_UNKNOWN, NULL, 0, &pbeSalt, (int)pbe_param->ulIteration); - if(!pbeAlgID) { - return SECFailure; + pbeAlgID = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, + SEC_OID_UNKNOWN, NULL, 0, + &pbeSalt, (int)pbe_param->ulIteration); + if (!pbeAlgID) { + return SECFailure; } rv = SECOID_CopyAlgorithmID(arena, algId, pbeAlgID); @@ -895,7 +896,7 @@ PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for @@ -903,8 +904,8 @@ PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, PLArenaPool *arena, */ PBEBitGenContext * PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, - SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, - unsigned int iterations) + SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, + unsigned int iterations) { SECItem *context = NULL; SECItem mechItem; @@ -913,57 +914,56 @@ PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, PK11SlotInfo *slot; PK11SymKey *symKey = NULL; unsigned char ivData[8]; - /* use the purpose to select the low level keygen algorithm */ switch (bitGenPurpose) { - case pbeBitGenIntegrityKey: - switch (hashAlgorithm) { - case SEC_OID_SHA1: - mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC; - break; - case SEC_OID_MD2: - mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; - break; - case SEC_OID_MD5: - mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; - break; - default: - break; - } - break; - case pbeBitGenCipherIV: - if (bitsNeeded > 64) { - break; - } - if (hashAlgorithm != SEC_OID_SHA1) { - break; - } - mechanism = CKM_PBE_SHA1_DES3_EDE_CBC; - break; - case pbeBitGenCipherKey: - if (hashAlgorithm != SEC_OID_SHA1) { - break; - } - switch (bitsNeeded) { - case 40: - mechanism = CKM_PBE_SHA1_RC4_40; - break; - case 128: - mechanism = CKM_PBE_SHA1_RC4_128; - break; - default: - break; - } - case pbeBitGenIDNull: - break; + case pbeBitGenIntegrityKey: + switch (hashAlgorithm) { + case SEC_OID_SHA1: + mechanism = CKM_PBA_SHA1_WITH_SHA1_HMAC; + break; + case SEC_OID_MD2: + mechanism = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN; + break; + case SEC_OID_MD5: + mechanism = CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN; + break; + default: + break; + } + break; + case pbeBitGenCipherIV: + if (bitsNeeded > 64) { + break; + } + if (hashAlgorithm != SEC_OID_SHA1) { + break; + } + mechanism = CKM_PBE_SHA1_DES3_EDE_CBC; + break; + case pbeBitGenCipherKey: + if (hashAlgorithm != SEC_OID_SHA1) { + break; + } + switch (bitsNeeded) { + case 40: + mechanism = CKM_PBE_SHA1_RC4_40; + break; + case 128: + mechanism = CKM_PBE_SHA1_RC4_128; + break; + default: + break; + } + case pbeBitGenIDNull: + break; } if (mechanism == CKM_INVALID_MECHANISM) { - /* we should set an error, but this is a deprecated function, and - * we are keeping bug for bug compatibility;)... */ - return NULL; - } + /* we should set an error, but this is a deprecated function, and + * we are keeping bug for bug compatibility;)... */ + return NULL; + } pbe_params.pInitVector = ivData; pbe_params.pPassword = pwitem->data; @@ -971,42 +971,41 @@ PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, pbe_params.pSalt = salt->data; pbe_params.ulSaltLen = salt->len; pbe_params.ulIteration = iterations; - mechItem.data = (unsigned char *) &pbe_params; + mechItem.data = (unsigned char *)&pbe_params; mechItem.len = sizeof(pbe_params); - slot = PK11_GetInternalSlot(); - symKey = PK11_RawPBEKeyGen(slot,mechanism, - &mechItem, pwitem, PR_FALSE, NULL); + symKey = PK11_RawPBEKeyGen(slot, mechanism, + &mechItem, pwitem, PR_FALSE, NULL); PK11_FreeSlot(slot); if (symKey != NULL) { - if (bitGenPurpose == pbeBitGenCipherIV) { - /* NOTE: this assumes that bitsNeeded is a multiple of 8! */ - SECItem ivItem; - - ivItem.data = ivData; - ivItem.len = bitsNeeded/8; - context = SECITEM_DupItem(&ivItem); - } else { - SECItem *keyData; - PK11_ExtractKeyValue(symKey); - keyData = PK11_GetKeyData(symKey); - - /* assert bitsNeeded with length? */ - if (keyData) { - context = SECITEM_DupItem(keyData); - } - } - PK11_FreeSymKey(symKey); + if (bitGenPurpose == pbeBitGenCipherIV) { + /* NOTE: this assumes that bitsNeeded is a multiple of 8! */ + SECItem ivItem; + + ivItem.data = ivData; + ivItem.len = bitsNeeded / 8; + context = SECITEM_DupItem(&ivItem); + } else { + SECItem *keyData; + PK11_ExtractKeyValue(symKey); + keyData = PK11_GetKeyData(symKey); + + /* assert bitsNeeded with length? */ + if (keyData) { + context = SECITEM_DupItem(keyData); + } + } + PK11_FreeSymKey(symKey); } return (PBEBitGenContext *)context; } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. - * + * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetIV() for * iv values rather than generating PBE bits directly. */ @@ -1017,16 +1016,16 @@ PBE_GenerateBits(PBEBitGenContext *context) } /* - * public, Deprecated, This function is only for binary compatibility with + * public, Deprecated, This function is only for binary compatibility with * older applications. Does not support PKCS5v2. - * + * * Applications should use PK11_PBEKeyGen() for keys and PK11_GetPBEIV() for * iv values rather than generating PBE bits directly. */ void PBE_DestroyContext(PBEBitGenContext *context) { - SECITEM_FreeItem((SECItem *)context,PR_TRUE); + SECITEM_FreeItem((SECItem *)context, PR_TRUE); } /* @@ -1044,48 +1043,48 @@ SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES) PK11SymKey *symKey; PK11SlotInfo *slot; CK_PBE_PARAMS_PTR pPBEparams; - SECOidTag pbeAlg; + SECOidTag pbeAlg; pbeAlg = SECOID_GetAlgorithmTag(algid); if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) { - unsigned char *ivData; - sec_pkcs5V2Parameter *pbeV2_param = NULL; - - /* can only return the IV if the crypto Algorithm exists */ - if (pbeAlg == SEC_OID_PKCS5_PBKDF2) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; - } - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param == NULL) { - goto loser; - } - /* extract the IV from the cipher algid portion of our pkcs 5 v2 - * algorithm id */ - type = PK11_AlgtagToMechanism( - SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); - param = PK11_ParamFromAlgid(&pbeV2_param->cipherAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - if (!param) { - goto loser; - } - /* NOTE: NULL is a permissible return here */ - ivData = PK11_IVFromParam(type, param, &iv_len); - src.data = ivData; - src.len = iv_len; - goto done; + unsigned char *ivData; + sec_pkcs5V2Parameter *pbeV2_param = NULL; + + /* can only return the IV if the crypto Algorithm exists */ + if (pbeAlg == SEC_OID_PKCS5_PBKDF2) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param == NULL) { + goto loser; + } + /* extract the IV from the cipher algid portion of our pkcs 5 v2 + * algorithm id */ + type = PK11_AlgtagToMechanism( + SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); + param = PK11_ParamFromAlgid(&pbeV2_param->cipherAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + if (!param) { + goto loser; + } + /* NOTE: NULL is a permissible return here */ + ivData = PK11_IVFromParam(type, param, &iv_len); + src.data = ivData; + src.len = iv_len; + goto done; } type = PK11_AlgtagToMechanism(pbeAlg); param = PK11_ParamFromAlgid(algid); if (param == NULL) { - goto done; + goto done; } slot = PK11_GetInternalSlot(); symKey = PK11_RawPBEKeyGen(slot, type, param, pwitem, faulty3DES, NULL); PK11_FreeSlot(slot); if (symKey == NULL) { - goto loser; + goto loser; } PK11_FreeSymKey(symKey); pPBEparams = (CK_PBE_PARAMS_PTR)param->data; @@ -1099,7 +1098,7 @@ done: loser: if (param) { - SECITEM_ZfreeItem(param, PR_TRUE); + SECITEM_ZfreeItem(param, PR_TRUE); } return iv; } @@ -1109,8 +1108,8 @@ loser: */ PBEBitGenContext * __PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, - SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, - unsigned int iterations) + SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, + unsigned int iterations) { PORT_Assert("__PBE_CreateContext is Deprecated" == NULL); return NULL; @@ -1147,29 +1146,29 @@ static void pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params) { if (pbe_params) { - if (pbe_params->pPassword) - PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen); - if (pbe_params->pSalt) - PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen); - PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS)); + if (pbe_params->pPassword) + PORT_ZFree(pbe_params->pPassword, pbe_params->ulPasswordLen); + if (pbe_params->pSalt) + PORT_ZFree(pbe_params->pSalt, pbe_params->ulSaltLen); + PORT_ZFree(pbe_params, sizeof(CK_PBE_PARAMS)); } } /* - * public, deprecated. use PK11_CreatePBEAlgorithmID or - * PK11_CreatePBEV2AlgorithmID instead. If you needthe pkcs #11 parameters, - * use PK11_ParamFromAlgid from the algorithm id you created using + * public, deprecated. use PK11_CreatePBEAlgorithmID or + * PK11_CreatePBEV2AlgorithmID instead. If you needthe pkcs #11 parameters, + * use PK11_ParamFromAlgid from the algorithm id you created using * PK11_CreatePBEAlgorithmID or PK11_CreatePBEV2AlgorithmID. */ -SECItem * +SECItem * PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) { CK_PBE_PARAMS *pbe_params = NULL; SECItem *paramRV = NULL; paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS)); - if (!paramRV ) { - goto loser; + if (!paramRV) { + goto loser; } /* init paramRV->data with zeros. SECITEM_AllocItem does not do it */ PORT_Memset(paramRV->data, 0, sizeof(CK_PBE_PARAMS)); @@ -1184,7 +1183,7 @@ PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len); if (!pbe_params->pSalt) { - goto loser; + goto loser; } PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len); pbe_params->ulSaltLen = salt->len; @@ -1195,8 +1194,8 @@ PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations) loser: if (pbe_params) pk11_destroy_ck_pbe_params(pbe_params); - if (paramRV) - PORT_ZFree(paramRV, sizeof(SECItem)); + if (paramRV) + PORT_ZFree(paramRV, sizeof(SECItem)); return NULL; } @@ -1207,10 +1206,10 @@ void PK11_DestroyPBEParams(SECItem *pItem) { if (pItem) { - CK_PBE_PARAMS * params = (CK_PBE_PARAMS *)(pItem->data); - if (params) - pk11_destroy_ck_pbe_params(params); - PORT_ZFree(pItem, sizeof(SECItem)); + CK_PBE_PARAMS *params = (CK_PBE_PARAMS *)(pItem->data); + if (params) + pk11_destroy_ck_pbe_params(params); + PORT_ZFree(pItem, sizeof(SECItem)); } } @@ -1224,7 +1223,8 @@ PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt) { SECAlgorithmID *algid = NULL; algid = sec_pkcs5CreateAlgorithmID(algorithm, - SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, NULL, 0, salt, iteration); + SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, NULL, + 0, salt, iteration); return algid; } @@ -1233,12 +1233,12 @@ PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt) */ SECAlgorithmID * PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag, - SECOidTag prfAlgTag, int keyLength, int iteration, - SECItem *salt) + SECOidTag prfAlgTag, int keyLength, int iteration, + SECItem *salt) { SECAlgorithmID *algid = NULL; algid = sec_pkcs5CreateAlgorithmID(pbeAlgTag, cipherAlgTag, prfAlgTag, - NULL, keyLength, salt, iteration); + NULL, keyLength, salt, iteration); return algid; } @@ -1246,48 +1246,49 @@ PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag, * private. */ PK11SymKey * -pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *params, CK_KEY_TYPE keyType, int keyLen, - SECItem *pwitem, void *wincx) +pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *params, CK_KEY_TYPE keyType, int keyLen, + SECItem *pwitem, void *wincx) { CK_ULONG pwLen; /* do some sanity checks */ if ((params == NULL) || (params->data == NULL)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } if (type == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; } /* set the password pointer in the parameters... */ if (type == CKM_PKCS5_PBKD2) { - CK_PKCS5_PBKD2_PARAMS *pbev2_params; - if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data; - pbev2_params->pPassword = pwitem->data; - pwLen = pwitem->len; - pbev2_params->ulPasswordLen = &pwLen; + CK_PKCS5_PBKD2_PARAMS *pbev2_params; + if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data; + pbev2_params->pPassword = pwitem->data; + pwLen = pwitem->len; + pbev2_params->ulPasswordLen = &pwLen; } else { - CK_PBE_PARAMS *pbe_params; - if (params->len < sizeof(CK_PBE_PARAMS)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - pbe_params = (CK_PBE_PARAMS *)params->data; - pbe_params->pPassword = pwitem->data; - pbe_params->ulPasswordLen = pwitem->len; + CK_PBE_PARAMS *pbe_params; + if (params->len < sizeof(CK_PBE_PARAMS)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + pbe_params = (CK_PBE_PARAMS *)params->data; + pbe_params->pPassword = pwitem->data; + pbe_params->ulPasswordLen = pwitem->len; } /* generate the key (and sometimes the IV as a side effect...) */ - return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, - keyLen, NULL, CKF_SIGN|CKF_ENCRYPT|CKF_DECRYPT|CKF_UNWRAP|CKF_WRAP, - 0, wincx); + return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, + keyLen, NULL, + CKF_SIGN | CKF_ENCRYPT | CKF_DECRYPT | CKF_UNWRAP | CKF_WRAP, + 0, wincx); } /* @@ -1295,10 +1296,10 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, */ PK11SymKey * PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech, - SECItem *pwitem, PRBool faulty3DES, void *wincx) + SECItem *pwitem, PRBool faulty3DES, void *wincx) { - if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { - type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; + if (faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { + type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; } return pk11_RawPBEKeyGenWithKeyType(slot, type, mech, -1, 0, pwitem, wincx); } @@ -1312,12 +1313,12 @@ PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech, */ PK11SymKey * PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, - PRBool faulty3DES, void *wincx) + PRBool faulty3DES, void *wincx) { CK_MECHANISM_TYPE type; SECItem *param = NULL; PK11SymKey *symKey = NULL; - SECOidTag pbeAlg; + SECOidTag pbeAlg; CK_KEY_TYPE keyType = -1; int keyLen = 0; @@ -1325,45 +1326,45 @@ PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, /* if we're using PKCS5v2, extract the additional information we need * (key length, key type, and pbeAlg). */ if (sec_pkcs5_is_algorithm_v2_pkcs5_algorithm(pbeAlg)) { - CK_MECHANISM_TYPE cipherMech; - sec_pkcs5V2Parameter *pbeV2_param; - - pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); - if (pbeV2_param == NULL) { - return NULL; - } - cipherMech = PK11_AlgtagToMechanism( - SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); - pbeAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId); - param = PK11_ParamFromAlgid(&pbeV2_param->pbeAlgId); - sec_pkcs5_v2_destroy_v2_param(pbeV2_param); - keyLen = SEC_PKCS5GetKeyLength(algid); - if (keyLen == -1) { - keyLen = 0; - } - keyType = PK11_GetKeyType(cipherMech, keyLen); + CK_MECHANISM_TYPE cipherMech; + sec_pkcs5V2Parameter *pbeV2_param; + + pbeV2_param = sec_pkcs5_v2_get_v2_param(NULL, algid); + if (pbeV2_param == NULL) { + return NULL; + } + cipherMech = PK11_AlgtagToMechanism( + SECOID_GetAlgorithmTag(&pbeV2_param->cipherAlgId)); + pbeAlg = SECOID_GetAlgorithmTag(&pbeV2_param->pbeAlgId); + param = PK11_ParamFromAlgid(&pbeV2_param->pbeAlgId); + sec_pkcs5_v2_destroy_v2_param(pbeV2_param); + keyLen = SEC_PKCS5GetKeyLength(algid); + if (keyLen == -1) { + keyLen = 0; + } + keyType = PK11_GetKeyType(cipherMech, keyLen); } else { - param = PK11_ParamFromAlgid(algid); + param = PK11_ParamFromAlgid(algid); } - if(param == NULL) { - goto loser; + if (param == NULL) { + goto loser; } - type = PK11_AlgtagToMechanism(pbeAlg); + type = PK11_AlgtagToMechanism(pbeAlg); if (type == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; } - if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { - type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; + if (faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) { + type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC; } - symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, - pwitem, wincx); + symKey = pk11_RawPBEKeyGenWithKeyType(slot, type, param, keyType, keyLen, + pwitem, wincx); loser: if (param) { - SECITEM_ZfreeItem(param, PR_TRUE); + SECITEM_ZfreeItem(param, PR_TRUE); } return symKey; } @@ -1378,8 +1379,8 @@ PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem) } CK_MECHANISM_TYPE -pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, - SECItem *pbe_pwd, PRBool faulty3DES) +pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, + SECItem *pbe_pwd, PRBool faulty3DES) { int keyLen = 0; SECOidTag algTag = SEC_PKCS5GetCryptoAlgorithm(algid); @@ -1388,27 +1389,27 @@ pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, SECItem *iv = NULL; if (mech == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; } if (PK11_GetIVLength(mech)) { - iv = SEC_PKCS5GetIV(algid, pbe_pwd, faulty3DES); - if (iv == NULL) { - goto loser; - } + iv = SEC_PKCS5GetIV(algid, pbe_pwd, faulty3DES); + if (iv == NULL) { + goto loser; + } } keyLen = SEC_PKCS5GetKeyLength(algid); *param = pk11_ParamFromIVWithLen(mech, iv, keyLen); if (*param == NULL) { - goto loser; + goto loser; } returnedMechanism = mech; loser: if (iv) { - SECITEM_FreeItem(iv,PR_TRUE); + SECITEM_FreeItem(iv, PR_TRUE); } return returnedMechanism; } @@ -1425,8 +1426,8 @@ loser: * The caller is responsible for freeing the parameter. */ CK_MECHANISM_TYPE -PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, - SECItem *pbe_pwd) +PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, + SECItem *pbe_pwd) { return pk11_GetPBECryptoMechanism(algid, param, pbe_pwd, PR_FALSE); } diff --git a/nss/lib/pk11wrap/pk11pk12.c b/nss/lib/pk11wrap/pk11pk12.c index e5a0a21..1683cc5 100644 --- a/nss/lib/pk11wrap/pk11pk12.c +++ b/nss/lib/pk11wrap/pk11pk12.c @@ -20,8 +20,6 @@ #include "secerr.h" #include "prerror.h" - - /* These data structures should move to a common .h file shared between the * wrappers and the pkcs 12 code. */ @@ -31,7 +29,7 @@ /* member names from PKCS#1, section 7.2 */ struct SECKEYRSAPrivateKeyStr { - PLArenaPool * arena; + PLArenaPool *arena; SECItem version; SECItem modulus; SECItem publicExponent; @@ -44,7 +42,6 @@ struct SECKEYRSAPrivateKeyStr { }; typedef struct SECKEYRSAPrivateKeyStr SECKEYRSAPrivateKey; - /* ** DSA Raw Private Key structures */ @@ -60,7 +57,7 @@ typedef struct SECKEYDSAPrivateKeyStr SECKEYDSAPrivateKey; ** Structure member names suggested by PKCS#3. */ struct SECKEYDHPrivateKeyStr { - PLArenaPool * arena; + PLArenaPool *arena; SECItem prime; SECItem base; SECItem privateValue; @@ -76,7 +73,7 @@ struct SECKEYRawPrivateKeyStr { union { SECKEYRSAPrivateKey rsa; SECKEYDSAPrivateKey dsa; - SECKEYDHPrivateKey dh; + SECKEYDHPrivateKey dh; } u; }; typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey; @@ -90,10 +87,10 @@ SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) */ const SEC_ASN1Template SECKEY_AttributeTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECKEYAttribute) }, + 0, NULL, sizeof(SECKEYAttribute) }, { SEC_ASN1_OBJECT_ID, offsetof(SECKEYAttribute, attrType) }, { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(SECKEYAttribute, attrValue), - SEC_ASN1_SUB(SEC_AnyTemplate) }, + SEC_ASN1_SUB(SEC_AnyTemplate) }, { 0 } }; @@ -103,14 +100,14 @@ const SEC_ASN1Template SECKEY_SetOfAttributeTemplate[] = { const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPrivateKeyInfo) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPrivateKeyInfo,version) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPrivateKeyInfo, version) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(SECKEYPrivateKeyInfo,algorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPrivateKeyInfo,privateKey) }, + offsetof(SECKEYPrivateKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPrivateKeyInfo, privateKey) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(SECKEYPrivateKeyInfo,attributes), - SECKEY_SetOfAttributeTemplate }, + offsetof(SECKEYPrivateKeyInfo, attributes), + SECKEY_SetOfAttributeTemplate }, { 0 } }; @@ -120,41 +117,41 @@ const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[] = { const SEC_ASN1Template SECKEY_RSAPrivateKeyExportTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.version) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.modulus) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.publicExponent) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.privateExponent) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime1) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime2) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent1) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent2) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.coefficient) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.version) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.modulus) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.publicExponent) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.privateExponent) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.prime1) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.prime2) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.exponent1) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.exponent2) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.rsa.coefficient) }, { 0 } }; const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = { - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dsa.privateValue) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dsa.privateValue) }, }; const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = { - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.privateValue) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.base) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.prime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.privateValue) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.base) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) }, }; const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) }, + 0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(SECKEYEncryptedPrivateKeyInfo,algorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(SECKEYEncryptedPrivateKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(SECKEYEncryptedPrivateKeyInfo,encryptedData) }, + offsetof(SECKEYEncryptedPrivateKeyInfo, encryptedData) }, { 0 } }; const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[] = { - { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate } + { SEC_ASN1_POINTER, 0, SECKEY_EncryptedPrivateKeyInfoTemplate } }; SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_EncryptedPrivateKeyInfoTemplate) @@ -201,21 +198,22 @@ prepare_dh_priv_key_export_for_asn1(SECKEYRawPrivateKey *key) key->u.dh.base.type = siUnsignedInteger; } - SECStatus -PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, unsigned int keyUsage, void *wincx) +PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, unsigned int keyUsage, void *wincx) { return PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, derPKI, - nickname, publicValue, isPerm, isPrivate, keyUsage, NULL, wincx); + nickname, publicValue, + isPerm, isPrivate, keyUsage, + NULL, wincx); } SECStatus -PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey** privk, - void *wincx) +PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, + SECItem *nickname, SECItem *publicValue, + PRBool isPerm, PRBool isPrivate, unsigned int keyUsage, + SECKEYPrivateKey **privk, void *wincx) { SECKEYPrivateKeyInfo *pki = NULL; PLArenaPool *temparena = NULL; @@ -232,29 +230,38 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, pki->arena = temparena; rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate, - derPKI); - if( rv != SECSuccess ) { + derPKI); + if (rv != SECSuccess) { /* If SEC_ASN1DecodeItem fails, we cannot assume anything about the * validity of the data in pki. The best we can do is free the arena - * and return. - */ + * and return. */ PORT_FreeArena(temparena, PR_TRUE); return rv; } + if (pki->privateKey.data == NULL) { + /* If SEC_ASN1DecodeItems succeeds but SECKEYPrivateKeyInfo.privateKey + * is a zero-length octet string, free the arena and return a failure + * to avoid trying to zero the corresponding SECItem in + * SECKEY_DestroyPrivateKeyInfo(). */ + PORT_FreeArena(temparena, PR_TRUE); + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } rv = PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname, - publicValue, isPerm, isPrivate, keyUsage, privk, wincx); + publicValue, isPerm, isPrivate, + keyUsage, privk, wincx); /* this zeroes the key and frees the arena */ SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/); return rv; } - + SECStatus -PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk, - void *wincx) +PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, unsigned int keyUsage, SECKEYPrivateKey **privk, + void *wincx) { CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; @@ -272,159 +279,195 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk, attrs = theTemplate; - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, - sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, - sizeof(CK_BBOOL) ); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse, - sizeof(CK_BBOOL) ); attrs++; + sizeof(CK_BBOOL)); + attrs++; switch (lpk->keyType) { - case rsaKey: - keyType = CKK_RSA; - PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? - &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? - &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? - &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, - (keyUsage & KU_DIGITAL_SIGNATURE) ? - &cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++; - ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus); - if (ck_id == NULL) { - goto loser; - } - PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++; - if (nickname) { - PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++; - } - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data, - lpk->u.rsa.modulus.len); attrs++; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, - lpk->u.rsa.publicExponent.data, - lpk->u.rsa.publicExponent.len); attrs++; - PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, - lpk->u.rsa.privateExponent.data, - lpk->u.rsa.privateExponent.len); attrs++; - PK11_SETATTRS(attrs, CKA_PRIME_1, - lpk->u.rsa.prime1.data, - lpk->u.rsa.prime1.len); attrs++; - PK11_SETATTRS(attrs, CKA_PRIME_2, - lpk->u.rsa.prime2.data, - lpk->u.rsa.prime2.len); attrs++; - PK11_SETATTRS(attrs, CKA_EXPONENT_1, - lpk->u.rsa.exponent1.data, - lpk->u.rsa.exponent1.len); attrs++; - PK11_SETATTRS(attrs, CKA_EXPONENT_2, - lpk->u.rsa.exponent2.data, - lpk->u.rsa.exponent2.len); attrs++; - PK11_SETATTRS(attrs, CKA_COEFFICIENT, - lpk->u.rsa.coefficient.data, - lpk->u.rsa.coefficient.len); attrs++; - break; - case dsaKey: - keyType = CKK_DSA; - /* To make our intenal PKCS #11 module work correctly with - * our database, we need to pass in the public key value for - * this dsa key. We have a netscape only CKA_ value to do this. - * Only send it to internal slots */ - if( publicValue == NULL ) { - goto loser; - } - if (PK11_IsInternal(slot)) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, - publicValue->data, publicValue->len); attrs++; - } - PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++; - if(nickname) { - PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); - attrs++; - } - ck_id = PK11_MakeIDFromPubKey(publicValue); - if (ck_id == NULL) { - goto loser; - } - PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dsa.params.prime.data, - lpk->u.dsa.params.prime.len); attrs++; - PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data, - lpk->u.dsa.params.subPrime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dsa.params.base.data, - lpk->u.dsa.params.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dsa.privateValue.data, - lpk->u.dsa.privateValue.len); attrs++; - break; - case dhKey: - keyType = CKK_DH; - /* To make our intenal PKCS #11 module work correctly with - * our database, we need to pass in the public key value for - * this dh key. We have a netscape only CKA_ value to do this. - * Only send it to internal slots */ - if (PK11_IsInternal(slot)) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, - publicValue->data, publicValue->len); attrs++; - } - PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++; - if(nickname) { - PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); - attrs++; - } - ck_id = PK11_MakeIDFromPubKey(publicValue); - if (ck_id == NULL) { - goto loser; - } - PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dh.prime.data, - lpk->u.dh.prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data, - lpk->u.dh.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data, - lpk->u.dh.privateValue.len); attrs++; - break; - /* what about fortezza??? */ - default: - PORT_SetError(SEC_ERROR_BAD_KEY); - goto loser; + case rsaKey: + keyType = CKK_RSA; + PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, + (keyUsage & KU_DIGITAL_SIGNATURE) ? &cktrue + : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus); + if (ck_id == NULL) { + goto loser; + } + PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); + attrs++; + if (nickname) { + PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); + attrs++; + } + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data, + lpk->u.rsa.modulus.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, + lpk->u.rsa.publicExponent.data, + lpk->u.rsa.publicExponent.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT, + lpk->u.rsa.privateExponent.data, + lpk->u.rsa.privateExponent.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PRIME_1, + lpk->u.rsa.prime1.data, + lpk->u.rsa.prime1.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PRIME_2, + lpk->u.rsa.prime2.data, + lpk->u.rsa.prime2.len); + attrs++; + PK11_SETATTRS(attrs, CKA_EXPONENT_1, + lpk->u.rsa.exponent1.data, + lpk->u.rsa.exponent1.len); + attrs++; + PK11_SETATTRS(attrs, CKA_EXPONENT_2, + lpk->u.rsa.exponent2.data, + lpk->u.rsa.exponent2.len); + attrs++; + PK11_SETATTRS(attrs, CKA_COEFFICIENT, + lpk->u.rsa.coefficient.data, + lpk->u.rsa.coefficient.len); + attrs++; + break; + case dsaKey: + keyType = CKK_DSA; + /* To make our intenal PKCS #11 module work correctly with + * our database, we need to pass in the public key value for + * this dsa key. We have a netscape only CKA_ value to do this. + * Only send it to internal slots */ + if (publicValue == NULL) { + goto loser; + } + if (PK11_IsInternal(slot)) { + PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, + publicValue->data, publicValue->len); + attrs++; + } + PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); + attrs++; + if (nickname) { + PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); + attrs++; + } + ck_id = PK11_MakeIDFromPubKey(publicValue); + if (ck_id == NULL) { + goto loser; + } + PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dsa.params.prime.data, + lpk->u.dsa.params.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, lpk->u.dsa.params.subPrime.data, + lpk->u.dsa.params.subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dsa.params.base.data, + lpk->u.dsa.params.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dsa.privateValue.data, + lpk->u.dsa.privateValue.len); + attrs++; + break; + case dhKey: + keyType = CKK_DH; + /* To make our intenal PKCS #11 module work correctly with + * our database, we need to pass in the public key value for + * this dh key. We have a netscape only CKA_ value to do this. + * Only send it to internal slots */ + if (PK11_IsInternal(slot)) { + PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, + publicValue->data, publicValue->len); + attrs++; + } + PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + attrs++; + if (nickname) { + PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); + attrs++; + } + ck_id = PK11_MakeIDFromPubKey(publicValue); + if (ck_id == NULL) { + goto loser; + } + PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dh.prime.data, + lpk->u.dh.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data, + lpk->u.dh.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data, + lpk->u.dh.privateValue.len); + attrs++; + break; + /* what about fortezza??? */ + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + goto loser; } templateCount = attrs - theTemplate; - PORT_Assert(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)); PORT_Assert(signedattr != NULL); signedcount = attrs - signedattr; - for (ap=signedattr; signedcount; ap++, signedcount--) { - pk11_SignedToUnsigned(ap); + for (ap = signedattr; signedcount; ap++, signedcount--) { + pk11_SignedToUnsigned(ap); } rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, - theTemplate, templateCount, isPerm, &objectID); + theTemplate, templateCount, isPerm, &objectID); /* create and return a SECKEYPrivateKey */ - if( rv == SECSuccess && privk != NULL) { - *privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx); - if( *privk == NULL ) { - rv = SECFailure; - } + if (rv == SECSuccess && privk != NULL) { + *privk = PK11_MakePrivKey(slot, lpk->keyType, !isPerm, objectID, wincx); + if (*privk == NULL) { + rv = SECFailure; + } } loser: if (ck_id) { - SECITEM_ZfreeItem(ck_id, PR_TRUE); + SECITEM_ZfreeItem(ck_id, PR_TRUE); } return rv; } SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue, - PRBool isPerm, PRBool isPrivate, unsigned int keyUsage, - SECKEYPrivateKey **privk, void *wincx) + SECKEYPrivateKeyInfo *pki, SECItem *nickname, SECItem *publicValue, + PRBool isPerm, PRBool isPrivate, unsigned int keyUsage, + SECKEYPrivateKey **privk, void *wincx) { SECStatus rv = SECFailure; SECKEYRawPrivateKey *lpk = NULL; @@ -433,88 +476,86 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, PLArenaPool *arena = NULL; arena = PORT_NewArena(2048); - if(!arena) { - return SECFailure; + if (!arena) { + return SECFailure; } /* need to change this to use RSA/DSA keys */ lpk = (SECKEYRawPrivateKey *)PORT_ArenaZAlloc(arena, - sizeof(SECKEYRawPrivateKey)); - if(lpk == NULL) { - goto loser; + sizeof(SECKEYRawPrivateKey)); + if (lpk == NULL) { + goto loser; } lpk->arena = arena; - switch(SECOID_GetAlgorithmTag(&pki->algorithm)) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - prepare_rsa_priv_key_export_for_asn1(lpk); - keyTemplate = SECKEY_RSAPrivateKeyExportTemplate; - paramTemplate = NULL; - paramDest = NULL; - lpk->keyType = rsaKey; - break; - case SEC_OID_ANSIX9_DSA_SIGNATURE: - prepare_dsa_priv_key_export_for_asn1(lpk); - keyTemplate = SECKEY_DSAPrivateKeyExportTemplate; - paramTemplate = SECKEY_PQGParamsTemplate; - paramDest = &(lpk->u.dsa.params); - lpk->keyType = dsaKey; - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - if(!publicValue) { - goto loser; - } - prepare_dh_priv_key_export_for_asn1(lpk); - keyTemplate = SECKEY_DHPrivateKeyExportTemplate; - paramTemplate = NULL; - paramDest = NULL; - lpk->keyType = dhKey; - break; - - default: - keyTemplate = NULL; - paramTemplate = NULL; - paramDest = NULL; - break; + switch (SECOID_GetAlgorithmTag(&pki->algorithm)) { + case SEC_OID_PKCS1_RSA_ENCRYPTION: + prepare_rsa_priv_key_export_for_asn1(lpk); + keyTemplate = SECKEY_RSAPrivateKeyExportTemplate; + paramTemplate = NULL; + paramDest = NULL; + lpk->keyType = rsaKey; + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + prepare_dsa_priv_key_export_for_asn1(lpk); + keyTemplate = SECKEY_DSAPrivateKeyExportTemplate; + paramTemplate = SECKEY_PQGParamsTemplate; + paramDest = &(lpk->u.dsa.params); + lpk->keyType = dsaKey; + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + if (!publicValue) { + goto loser; + } + prepare_dh_priv_key_export_for_asn1(lpk); + keyTemplate = SECKEY_DHPrivateKeyExportTemplate; + paramTemplate = NULL; + paramDest = NULL; + lpk->keyType = dhKey; + break; + + default: + keyTemplate = NULL; + paramTemplate = NULL; + paramDest = NULL; + break; } - if(!keyTemplate) { - goto loser; + if (!keyTemplate) { + goto loser; } /* decode the private key and any algorithm parameters */ rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey); - if(rv != SECSuccess) { - goto loser; + if (rv != SECSuccess) { + goto loser; } - if(paramDest && paramTemplate) { - rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, - &(pki->algorithm.parameters)); - if(rv != SECSuccess) { - goto loser; - } + if (paramDest && paramTemplate) { + rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, + &(pki->algorithm.parameters)); + if (rv != SECSuccess) { + goto loser; + } } - rv = PK11_ImportAndReturnPrivateKey(slot,lpk,nickname,publicValue, isPerm, - isPrivate, keyUsage, privk, wincx); - + rv = PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue, isPerm, + isPrivate, keyUsage, privk, wincx); loser: if (arena != NULL) { - PORT_FreeArena(arena, PR_TRUE); + PORT_FreeArena(arena, PR_TRUE); } return rv; } SECStatus -PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, unsigned int keyUsage, void *wincx) +PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, unsigned int keyUsage, void *wincx) { return PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname, - publicValue, isPerm, isPrivate, keyUsage, NULL, wincx); - + publicValue, isPerm, isPrivate, keyUsage, NULL, wincx); } SECItem * diff --git a/nss/lib/pk11wrap/pk11pqg.c b/nss/lib/pk11wrap/pk11pqg.c index be8adec..d7c5f36 100644 --- a/nss/lib/pk11wrap/pk11pqg.c +++ b/nss/lib/pk11wrap/pk11pqg.c @@ -13,20 +13,19 @@ #include "pk11pqg.h" #include "secerr.h" - /* Generate PQGParams and PQGVerify structs. * Length of P specified by L. * if L is greater than 1024 then the resulting verify parameters will be * DSA2. * Length of Q specified by N. If zero, The PKCS #11 module will * pick an appropriately sized Q for P. If N is specified and L = 1024, then - * the resulting verify parameters will be DSA2, Otherwise DSA1 parameters + * the resulting verify parameters will be DSA2, Otherwise DSA1 parameters * will be returned. * Length of SEED in bytes specified in seedBytes. * - * The underlying PKCS #11 module will check the values for L, N, + * The underlying PKCS #11 module will check the values for L, N, * and seedBytes. The rules for softoken are: - * + * * If L <= 1024, then L must be between 512 and 1024 in increments of 64 bits. * If L <= 1024, then N must be 0 or 160. * If L >= 1024, then L and N must match the following table: @@ -41,86 +40,92 @@ */ extern SECStatus PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, - unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy) + unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy) { PK11SlotInfo *slot = NULL; CK_ATTRIBUTE genTemplate[5]; CK_ATTRIBUTE *attrs = genTemplate; - int count = sizeof(genTemplate)/sizeof(genTemplate[0]); + int count = sizeof(genTemplate) / sizeof(genTemplate[0]); CK_MECHANISM mechanism; CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE; CK_RV crv; CK_ATTRIBUTE pTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, }; CK_ATTRIBUTE vTemplate[] = { - { CKA_NETSCAPE_PQG_COUNTER, NULL, 0 }, - { CKA_NETSCAPE_PQG_SEED, NULL, 0 }, - { CKA_NETSCAPE_PQG_H, NULL, 0 }, + { CKA_NETSCAPE_PQG_COUNTER, NULL, 0 }, + { CKA_NETSCAPE_PQG_SEED, NULL, 0 }, + { CKA_NETSCAPE_PQG_H, NULL, 0 }, }; CK_ULONG primeBits = L; CK_ULONG subPrimeBits = N; - int pTemplateCount = sizeof(pTemplate)/sizeof(pTemplate[0]); - int vTemplateCount = sizeof(vTemplate)/sizeof(vTemplate[0]); + int pTemplateCount = sizeof(pTemplate) / sizeof(pTemplate[0]); + int vTemplateCount = sizeof(vTemplate) / sizeof(vTemplate[0]); PLArenaPool *parena = NULL; PLArenaPool *varena = NULL; PQGParams *params = NULL; PQGVerify *verify = NULL; - CK_ULONG seedBits = seedBytes*8; + CK_ULONG seedBits = seedBytes * 8; *pParams = NULL; - *pVfy = NULL; + *pVfy = NULL; if (primeBits == (CK_ULONG)-1) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; } - PK11_SETATTRS(attrs, CKA_PRIME_BITS,&primeBits,sizeof(primeBits)); attrs++; + PK11_SETATTRS(attrs, CKA_PRIME_BITS, &primeBits, sizeof(primeBits)); + attrs++; if (subPrimeBits != 0) { - PK11_SETATTRS(attrs, CKA_SUB_PRIME_BITS, - &subPrimeBits, sizeof(subPrimeBits)); attrs++; + PK11_SETATTRS(attrs, CKA_SUB_PRIME_BITS, + &subPrimeBits, sizeof(subPrimeBits)); + attrs++; } if (seedBits != 0) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS, - &seedBits, sizeof(seedBits)); attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED_BITS, + &seedBits, sizeof(seedBits)); + attrs++; } count = attrs - genTemplate; - PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE)); slot = PK11_GetInternalSlot(); if (slot == NULL) { - /* set error */ - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);/* shouldn't happen */ - goto loser; + /* set error */ + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); /* shouldn't happen */ + goto loser; } /* make sure the internal slot can handle DSA2 type parameters. */ if (primeBits > 1024) { - CK_MECHANISM_INFO mechanism_info; - - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - CKM_DSA_PARAMETER_GEN, &mechanism_info); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - /* a bug in the old softoken left CKM_DSA_PARAMETER_GEN off of the - * mechanism List. If we get a failure asking for this value, we know - * it can't handle DSA2 */ - if ((crv != CKR_OK) || (mechanism_info.ulMaxKeySize < primeBits)) { - PK11_FreeSlot(slot); - slot = PK11_GetBestSlotWithAttributes(CKM_DSA_PARAMETER_GEN, 0, - primeBits, NULL); - if (slot == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); /* can happen */ - goto loser; - } - /* ditch seedBits in this case, they are NSS specific and at - * this point we have a token that claims to handle DSA2 */ - if (seedBits) { - attrs--; - } - } + CK_MECHANISM_INFO mechanism_info; + + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, + CKM_DSA_PARAMETER_GEN, + &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + /* a bug in the old softoken left CKM_DSA_PARAMETER_GEN off of the + * mechanism List. If we get a failure asking for this value, we know + * it can't handle DSA2 */ + if ((crv != CKR_OK) || (mechanism_info.ulMaxKeySize < primeBits)) { + PK11_FreeSlot(slot); + slot = PK11_GetBestSlotWithAttributes(CKM_DSA_PARAMETER_GEN, 0, + primeBits, NULL); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_TOKEN); /* can happen */ + goto loser; + } + /* ditch seedBits in this case, they are NSS specific and at + * this point we have a token that claims to handle DSA2 */ + if (seedBits) { + attrs--; + } + } } /* Initialize the Key Gen Mechanism */ @@ -130,29 +135,28 @@ PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GenerateKey(slot->session, - &mechanism, genTemplate, count, &objectID); + &mechanism, genTemplate, count, &objectID); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } parena = PORT_NewArena(60); if (!parena) { - goto loser; - } + goto loser; + } crv = PK11_GetAttributes(parena, slot, objectID, pTemplate, pTemplateCount); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } - - params = (PQGParams *)PORT_ArenaAlloc(parena,sizeof(PQGParams)); + params = (PQGParams *)PORT_ArenaAlloc(parena, sizeof(PQGParams)); if (params == NULL) { - goto loser; + goto loser; } /* fill in Params */ @@ -167,26 +171,24 @@ PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, params->base.data = pTemplate[2].pValue; params->base.len = pTemplate[2].ulValueLen; - varena = PORT_NewArena(60); if (!varena) { - goto loser; - } + goto loser; + } crv = PK11_GetAttributes(varena, slot, objectID, vTemplate, vTemplateCount); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } - - verify = (PQGVerify *)PORT_ArenaAlloc(varena,sizeof(PQGVerify)); + verify = (PQGVerify *)PORT_ArenaAlloc(varena, sizeof(PQGVerify)); if (verify == NULL) { - goto loser; + goto loser; } /* fill in Params */ verify->arena = varena; - verify->counter = (unsigned int)(*(CK_ULONG*)vTemplate[0].pValue); + verify->counter = (unsigned int)(*(CK_ULONG *)vTemplate[0].pValue); verify->seed.type = siUnsignedInteger; verify->seed.data = vTemplate[1].pValue; verify->seed.len = vTemplate[1].ulValueLen; @@ -194,26 +196,26 @@ PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, verify->h.data = vTemplate[2].pValue; verify->h.len = vTemplate[2].ulValueLen; - PK11_DestroyObject(slot,objectID); + PK11_DestroyObject(slot, objectID); PK11_FreeSlot(slot); *pParams = params; - *pVfy = verify; + *pVfy = verify; return SECSuccess; loser: if (objectID != CK_INVALID_HANDLE) { - PK11_DestroyObject(slot,objectID); + PK11_DestroyObject(slot, objectID); } if (parena != NULL) { - PORT_FreeArena(parena,PR_FALSE); + PORT_FreeArena(parena, PR_FALSE); } if (varena != NULL) { - PORT_FreeArena(varena,PR_FALSE); + PORT_FreeArena(varena, PR_FALSE); } if (slot) { - PK11_FreeSlot(slot); + PK11_FreeSlot(slot); } return SECFailure; } @@ -224,15 +226,15 @@ loser: * seedBbytes must be in the range [20..255] or an error will result. */ extern SECStatus -PK11_PQG_ParamGenSeedLen( unsigned int j, unsigned int seedBytes, - PQGParams **pParams, PQGVerify **pVfy) +PK11_PQG_ParamGenSeedLen(unsigned int j, unsigned int seedBytes, + PQGParams **pParams, PQGVerify **pVfy) { unsigned int primeBits = PQG_INDEX_TO_PBITS(j); return PK11_PQG_ParamGenV2(primeBits, 0, seedBytes, pParams, pVfy); } /* Generate PQGParams and PQGVerify structs. - * Length of seed and length of h both equal length of P. + * Length of seed and length of h both equal length of P. * All lengths are specified by "j", according to the table above. */ extern SECStatus @@ -254,19 +256,19 @@ PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, PQGVerify **pVfy) */ extern SECStatus -PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, - SECStatus *result) +PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, + SECStatus *result) { CK_ATTRIBUTE keyTempl[] = { - { CKA_CLASS, NULL, 0 }, - { CKA_KEY_TYPE, NULL, 0 }, - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_TOKEN, NULL, 0 }, - { CKA_NETSCAPE_PQG_COUNTER, NULL, 0 }, - { CKA_NETSCAPE_PQG_SEED, NULL, 0 }, - { CKA_NETSCAPE_PQG_H, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, + { CKA_KEY_TYPE, NULL, 0 }, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_NETSCAPE_PQG_COUNTER, NULL, 0 }, + { CKA_NETSCAPE_PQG_SEED, NULL, 0 }, + { CKA_NETSCAPE_PQG_H, NULL, 0 }, }; CK_ATTRIBUTE *attrs; CK_BBOOL ckfalse = CK_FALSE; @@ -280,76 +282,81 @@ PK11_PQG_VerifyParams(const PQGParams *params, const PQGVerify *vfy, CK_RV crv; attrs = keyTempl; - PK11_SETATTRS(attrs, CKA_CLASS, &class, sizeof(class)); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++; - PK11_SETATTRS(attrs, CKA_PRIME, params->prime.data, - params->prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_SUBPRIME, params->subPrime.data, - params->subPrime.len); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &class, sizeof(class)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, CKA_PRIME, params->prime.data, + params->prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, params->subPrime.data, + params->subPrime.len); + attrs++; if (params->base.len) { - PK11_SETATTRS(attrs, CKA_BASE,params->base.data,params->base.len); - attrs++; + PK11_SETATTRS(attrs, CKA_BASE, params->base.data, params->base.len); + attrs++; } - PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckfalse, sizeof(ckfalse)); + attrs++; if (vfy) { - if (vfy->counter != -1) { - counter = vfy->counter; - PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER, - &counter, sizeof(counter)); attrs++; - } - PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED, - vfy->seed.data, vfy->seed.len); attrs++; - if (vfy->h.len) { - PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H, - vfy->h.data, vfy->h.len); attrs++; - } + if (vfy->counter != -1) { + counter = vfy->counter; + PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_COUNTER, + &counter, sizeof(counter)); + attrs++; + } + PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_SEED, + vfy->seed.data, vfy->seed.len); + attrs++; + if (vfy->h.len) { + PK11_SETATTRS(attrs, CKA_NETSCAPE_PQG_H, + vfy->h.data, vfy->h.len); + attrs++; + } } keyCount = attrs - keyTempl; - PORT_Assert(keyCount <= sizeof(keyTempl)/sizeof(keyTempl[0])); - + PORT_Assert(keyCount <= sizeof(keyTempl) / sizeof(keyTempl[0])); slot = PK11_GetInternalSlot(); if (slot == NULL) { - return SECFailure; + return SECFailure; } PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount, - &objectID); + crv = PK11_GETTAB(slot)->C_CreateObject(slot->session, keyTempl, keyCount, + &objectID); PK11_ExitSlotMonitor(slot); /* throw away the keys, we only wanted the return code */ - PK11_DestroyObject(slot,objectID); + PK11_DestroyObject(slot, objectID); PK11_FreeSlot(slot); *result = SECSuccess; if (crv == CKR_ATTRIBUTE_VALUE_INVALID) { - *result = SECFailure; + *result = SECFailure; } else if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - rv = SECFailure; + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; } return rv; - } - - /************************************************************************** * Free the PQGParams struct and the things it points to. * **************************************************************************/ -extern void -PK11_PQG_DestroyParams(PQGParams *params) { - if (params == NULL) - return; +extern void +PK11_PQG_DestroyParams(PQGParams *params) +{ + if (params == NULL) + return; if (params->arena != NULL) { - PORT_FreeArena(params->arena, PR_FALSE); /* don't zero it */ + PORT_FreeArena(params->arena, PR_FALSE); /* don't zero it */ } else { - SECITEM_FreeItem(¶ms->prime, PR_FALSE); /* don't free prime */ - SECITEM_FreeItem(¶ms->subPrime, PR_FALSE); /* don't free subPrime */ - SECITEM_FreeItem(¶ms->base, PR_FALSE); /* don't free base */ - PORT_Free(params); + SECITEM_FreeItem(¶ms->prime, PR_FALSE); /* don't free prime */ + SECITEM_FreeItem(¶ms->subPrime, PR_FALSE); /* don't free subPrime */ + SECITEM_FreeItem(¶ms->base, PR_FALSE); /* don't free base */ + PORT_Free(params); } } @@ -357,19 +364,20 @@ PK11_PQG_DestroyParams(PQGParams *params) { * Free the PQGVerify struct and the things it points to. * **************************************************************************/ extern void -PK11_PQG_DestroyVerify(PQGVerify *vfy) { - if (vfy == NULL) - return; +PK11_PQG_DestroyVerify(PQGVerify *vfy) +{ + if (vfy == NULL) + return; if (vfy->arena != NULL) { - PORT_FreeArena(vfy->arena, PR_FALSE); /* don't zero it */ + PORT_FreeArena(vfy->arena, PR_FALSE); /* don't zero it */ } else { - SECITEM_FreeItem(&vfy->seed, PR_FALSE); /* don't free seed */ - SECITEM_FreeItem(&vfy->h, PR_FALSE); /* don't free h */ - PORT_Free(vfy); + SECITEM_FreeItem(&vfy->seed, PR_FALSE); /* don't free seed */ + SECITEM_FreeItem(&vfy->h, PR_FALSE); /* don't free h */ + PORT_Free(vfy); } } -#define PQG_DEFAULT_CHUNKSIZE 2048 /* bytes */ +#define PQG_DEFAULT_CHUNKSIZE 2048 /* bytes */ /************************************************************************** * Return a pointer to a new PQGParams struct that is constructed from * @@ -377,136 +385,138 @@ PK11_PQG_DestroyVerify(PQGVerify *vfy) { * Return NULL on failure. * **************************************************************************/ extern PQGParams * -PK11_PQG_NewParams(const SECItem * prime, const SECItem * subPrime, - const SECItem * base) { +PK11_PQG_NewParams(const SECItem *prime, const SECItem *subPrime, + const SECItem *base) +{ PLArenaPool *arena; PQGParams *dest; SECStatus status; arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE); if (arena == NULL) - goto loser; + goto loser; - dest = (PQGParams*)PORT_ArenaZAlloc(arena, sizeof(PQGParams)); + dest = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams)); if (dest == NULL) - goto loser; + goto loser; dest->arena = arena; status = SECITEM_CopyItem(arena, &dest->prime, prime); if (status != SECSuccess) - goto loser; + goto loser; status = SECITEM_CopyItem(arena, &dest->subPrime, subPrime); if (status != SECSuccess) - goto loser; + goto loser; status = SECITEM_CopyItem(arena, &dest->base, base); if (status != SECSuccess) - goto loser; + goto loser; return dest; loser: if (arena != NULL) - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); return NULL; } - /************************************************************************** * Fills in caller's "prime" SECItem with the prime value in params. - * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE); **************************************************************************/ -extern SECStatus -PK11_PQG_GetPrimeFromParams(const PQGParams *params, SECItem * prime) { +extern SECStatus +PK11_PQG_GetPrimeFromParams(const PQGParams *params, SECItem *prime) +{ return SECITEM_CopyItem(NULL, prime, ¶ms->prime); } - /************************************************************************** * Fills in caller's "subPrime" SECItem with the prime value in params. - * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE); **************************************************************************/ extern SECStatus -PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem * subPrime) { +PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, SECItem *subPrime) +{ return SECITEM_CopyItem(NULL, subPrime, ¶ms->subPrime); } - /************************************************************************** * Fills in caller's "base" SECItem with the base value in params. - * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE); **************************************************************************/ -extern SECStatus -PK11_PQG_GetBaseFromParams(const PQGParams *params, SECItem *base) { +extern SECStatus +PK11_PQG_GetBaseFromParams(const PQGParams *params, SECItem *base) +{ return SECITEM_CopyItem(NULL, base, ¶ms->base); } - /************************************************************************** * Return a pointer to a new PQGVerify struct that is constructed from * * copies of the arguments passed in. * * Return NULL on failure. * **************************************************************************/ extern PQGVerify * -PK11_PQG_NewVerify(unsigned int counter, const SECItem * seed, - const SECItem * h) { +PK11_PQG_NewVerify(unsigned int counter, const SECItem *seed, + const SECItem *h) +{ PLArenaPool *arena; - PQGVerify * dest; - SECStatus status; + PQGVerify *dest; + SECStatus status; arena = PORT_NewArena(PQG_DEFAULT_CHUNKSIZE); if (arena == NULL) - goto loser; + goto loser; - dest = (PQGVerify*)PORT_ArenaZAlloc(arena, sizeof(PQGVerify)); + dest = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify)); if (dest == NULL) - goto loser; + goto loser; - dest->arena = arena; + dest->arena = arena; dest->counter = counter; status = SECITEM_CopyItem(arena, &dest->seed, seed); if (status != SECSuccess) - goto loser; + goto loser; status = SECITEM_CopyItem(arena, &dest->h, h); if (status != SECSuccess) - goto loser; + goto loser; return dest; loser: if (arena != NULL) - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); return NULL; } - /************************************************************************** * Returns "counter" value from the PQGVerify. **************************************************************************/ -extern unsigned int -PK11_PQG_GetCounterFromVerify(const PQGVerify *verify) { +extern unsigned int +PK11_PQG_GetCounterFromVerify(const PQGVerify *verify) +{ return verify->counter; } /************************************************************************** * Fills in caller's "seed" SECItem with the seed value in verify. - * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE); **************************************************************************/ -extern SECStatus -PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed) { +extern SECStatus +PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, SECItem *seed) +{ return SECITEM_CopyItem(NULL, seed, &verify->seed); } - /************************************************************************** * Fills in caller's "h" SECItem with the h value in verify. - * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE); **************************************************************************/ -extern SECStatus -PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h) { +extern SECStatus +PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem *h) +{ return SECITEM_CopyItem(NULL, h, &verify->h); } diff --git a/nss/lib/pk11wrap/pk11pqg.h b/nss/lib/pk11wrap/pk11pqg.h index 02f9394..36596dd 100644 --- a/nss/lib/pk11wrap/pk11pqg.h +++ b/nss/lib/pk11wrap/pk11pqg.h @@ -6,27 +6,26 @@ */ #ifndef _PK11PQG_H_ -#define _PK11PQG_H_ 1 +#define _PK11PQG_H_ 1 #include "blapit.h" SEC_BEGIN_PROTOS /* Generate PQGParams and PQGVerify structs. - * Length of seed and length of h both equal length of P. + * Length of seed and length of h both equal length of P. * All lengths are specified by "j", according to the table above. */ -extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, - PQGVerify **pVfy); +extern SECStatus PK11_PQG_ParamGen(unsigned int j, PQGParams **pParams, + PQGVerify **pVfy); /* Generate PQGParams and PQGVerify structs. * Length of P specified by j. Length of h will match length of P. * Length of SEED in bytes specified in seedBytes. * seedBbytes must be in the range [20..255] or an error will result. */ -extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, - unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy); - +extern SECStatus PK11_PQG_ParamGenSeedLen(unsigned int j, + unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy); /* Generate PQGParams and PQGVerify structs. * Length of P specified by L. @@ -34,13 +33,13 @@ extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, * DSA2. * Length of Q specified by N. If zero, The PKCS #11 module will * pick an appropriately sized Q for L. If N is specified and L = 1024, then - * the resulting verify parameters will be DSA2, Otherwise DSA1 parameters + * the resulting verify parameters will be DSA2, Otherwise DSA1 parameters * will be returned. * Length of SEED in bytes specified in seedBytes. * - * The underlying PKCS #11 module will check the values for L, N, + * The underlying PKCS #11 module will check the values for L, N, * and seedBytes. The rules for softoken are: - * + * * If L <= 1024, then L must be between 512 and 1024 in increments of 64 bits. * If L <= 1024, then N must be 0 or 160. * If L >= 1024, then L and N must match the following table: @@ -55,7 +54,7 @@ extern SECStatus PK11_PQG_ParamGenSeedLen( unsigned int j, */ extern SECStatus PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, unsigned int seedBytes, - PQGParams **pParams, PQGVerify **pVfy); + PQGParams **pParams, PQGVerify **pVfy); /* Test PQGParams for validity as DSS PQG values. * If vfy is non-NULL, test PQGParams to make sure they were generated @@ -69,11 +68,11 @@ PK11_PQG_ParamGenV2(unsigned int L, unsigned int N, unsigned int seedBytes, * * Verify the following 12 facts about PQG counter SEED g and h * These tests are specified in FIPS 186-3 Appendix A.1.1.1, A.1.1.3, and A.2.2 - * PQG_VerifyParams in softoken/freebl will automatically choose the + * PQG_VerifyParams in softoken/freebl will automatically choose the * appropriate test. */ -extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params, - const PQGVerify *vfy, SECStatus *result); +extern SECStatus PK11_PQG_VerifyParams(const PQGParams *params, + const PQGVerify *vfy, SECStatus *result); extern void PK11_PQG_DestroyParams(PQGParams *params); extern void PK11_PQG_DestroyVerify(PQGVerify *vfy); @@ -82,42 +81,36 @@ extern void PK11_PQG_DestroyVerify(PQGVerify *vfy); * copies of the arguments passed in. * * Return NULL on failure. * **************************************************************************/ -extern PQGParams * PK11_PQG_NewParams(const SECItem * prime, const - SECItem * subPrime, const SECItem * base); - +extern PQGParams *PK11_PQG_NewParams(const SECItem *prime, const SECItem *subPrime, const SECItem *base); /************************************************************************** * Fills in caller's "prime" SECItem with the prime value in params. - * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(prime, PR_FALSE); **************************************************************************/ -extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params, - SECItem * prime); - +extern SECStatus PK11_PQG_GetPrimeFromParams(const PQGParams *params, + SECItem *prime); /************************************************************************** * Fills in caller's "subPrime" SECItem with the prime value in params. - * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(subPrime, PR_FALSE); **************************************************************************/ -extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, - SECItem * subPrime); - +extern SECStatus PK11_PQG_GetSubPrimeFromParams(const PQGParams *params, + SECItem *subPrime); /************************************************************************** * Fills in caller's "base" SECItem with the base value in params. - * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(base, PR_FALSE); **************************************************************************/ -extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params, - SECItem *base); - +extern SECStatus PK11_PQG_GetBaseFromParams(const PQGParams *params, + SECItem *base); /************************************************************************** * Return a pointer to a new PQGVerify struct that is constructed from * * copies of the arguments passed in. * * Return NULL on failure. * **************************************************************************/ -extern PQGVerify * PK11_PQG_NewVerify(unsigned int counter, - const SECItem * seed, const SECItem * h); - +extern PQGVerify *PK11_PQG_NewVerify(unsigned int counter, + const SECItem *seed, const SECItem *h); /************************************************************************** * Returns "counter" value from the PQGVerify. @@ -126,16 +119,16 @@ extern unsigned int PK11_PQG_GetCounterFromVerify(const PQGVerify *verify); /************************************************************************** * Fills in caller's "seed" SECItem with the seed value in verify. - * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(seed, PR_FALSE); **************************************************************************/ -extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, - SECItem *seed); +extern SECStatus PK11_PQG_GetSeedFromVerify(const PQGVerify *verify, + SECItem *seed); /************************************************************************** * Fills in caller's "h" SECItem with the h value in verify. - * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE); + * Contents can be freed by calling SECITEM_FreeItem(h, PR_FALSE); **************************************************************************/ -extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem * h); +extern SECStatus PK11_PQG_GetHFromVerify(const PQGVerify *verify, SECItem *h); SEC_END_PROTOS diff --git a/nss/lib/pk11wrap/pk11priv.h b/nss/lib/pk11wrap/pk11priv.h index c68293b..45a60b4 100644 --- a/nss/lib/pk11wrap/pk11priv.h +++ b/nss/lib/pk11wrap/pk11priv.h @@ -17,7 +17,7 @@ /* * These are the private NSS functions. They are not exported by nss.def, and - * are not callable outside nss3.dll. + * are not callable outside nss3.dll. */ SEC_BEGIN_PROTOS @@ -25,13 +25,13 @@ SEC_BEGIN_PROTOS /************************************************************ * Generic Slot Lists Management ************************************************************/ -PK11SlotList * PK11_NewSlotList(void); -PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, - PRBool needRW,void *wincx); -SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted); -SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le); +PK11SlotList *PK11_NewSlotList(void); +PK11SlotList *PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, + PRBool needRW, void *wincx); +SECStatus PK11_AddSlotToList(PK11SlotList *list, PK11SlotInfo *slot, PRBool sorted); +SECStatus PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le); PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list, - PK11SlotInfo *slot); + PK11SlotInfo *slot); PK11SlotInfo *PK11_FindSlotBySerial(char *serial); int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type); @@ -40,30 +40,29 @@ int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type); ************************************************************/ CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject); SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result); + CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result); CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type); -char * PK11_MakeString(PLArenaPool *arena,char *space,char *staticSring, - int stringLen); + CK_ATTRIBUTE_TYPE type); +char *PK11_MakeString(PLArenaPool *arena, char *space, char *staticSring, + int stringLen); int PK11_MapError(CK_RV error); CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot); -void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession); +void PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession); PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot, - CK_SESSION_HANDLE session_handle); + CK_SESSION_HANDLE session_handle); PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod); void PK11_EnterSlotMonitor(PK11SlotInfo *); void PK11_ExitSlotMonitor(PK11SlotInfo *); void PK11_CleanKeyList(PK11SlotInfo *slot); - /************************************************************ * Slot Password Management ************************************************************/ SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, - PRBool loadCerts, void *wincx, PRBool alreadyLocked, - PRBool contextSpecific); -SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw); -void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx); + PRBool loadCerts, void *wincx, PRBool alreadyLocked, + PRBool contextSpecific); +SECStatus PK11_VerifyPW(PK11SlotInfo *slot, char *pw); +void PK11_HandlePasswordCheck(PK11SlotInfo *slot, void *wincx); void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func); void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func); @@ -76,12 +75,11 @@ PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type); void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count); void PK11_ClearSlotList(PK11SlotInfo *slot); - /****************************************************************** * Slot initialization ******************************************************************/ SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts); -void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot); +void PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot); PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); void pk11_SetInternalKeySlot(PK11SlotInfo *slot); @@ -92,92 +90,89 @@ void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot); * Mechanism Mapping functions *********************************************************************/ void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, - CK_MECHANISM_TYPE keygen, CK_MECHANISM_TYPE pad, - int ivLen, int blocksize); + CK_MECHANISM_TYPE keygen, CK_MECHANISM_TYPE pad, + int ivLen, int blocksize); CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type); CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size); /********************************************************************** - * Symetric, Public, and Private Keys + * Symetric, Public, and Private Keys **********************************************************************/ /* Key Generation specialized for SDR (fixed DES3 key) */ PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx); SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, - CK_OBJECT_HANDLE id); + CK_OBJECT_HANDLE id); CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert, - void *wincx, PK11SlotInfo **pSlot); -PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); + void *wincx, PK11SlotInfo **pSlot); +PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); /********************************************************************** * Certs **********************************************************************/ -SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, - SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg); -SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx); -CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname, - PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, - void *wincx); -CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer, - CK_OBJECT_CLASS o_class); -CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot, - CK_OBJECT_HANDLE id, - CK_ATTRIBUTE_TYPE type, - PRBool haslock ); -CK_RV PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot, - CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count); +SECStatus PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot, + SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg); +SECKEYPrivateKey *PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx); +CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname, + PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, + void *wincx); +CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer, + CK_OBJECT_CLASS o_class); +CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot, + CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, + PRBool haslock); +CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count); int PK11_NumberCertsForCertSubject(CERTCertificate *cert); -SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, - SECStatus(*callback)(CERTCertificate *, void *), void *arg); +SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, + SECStatus (*callback)(CERTCertificate *, void *), void *arg); SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, - PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); + PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, - SECStatus(* callback)(CERTCertificate*, void *), void *arg); + SECStatus (*callback)(CERTCertificate *, void *), void *arg); SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx); - /********************************************************************** * Crypto Contexts **********************************************************************/ -PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, - SECItem *key, SECItem *param, void *wincx); +PK11Context *PK11_CreateContextByRawKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, + SECItem *key, SECItem *param, void *wincx); PRBool PK11_HashOK(SECOidTag hashAlg); - /********************************************************************** * Functions which are deprecated.... **********************************************************************/ SECItem * PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle, - SECItem *derName, int type, char **url); + SECItem *derName, int type, char **url); CK_OBJECT_HANDLE -PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, - SECItem *name, char *url, int type); +PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, + SECItem *name, char *url, int type); SECItem * PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj, - SECItem **profileTime); + SECItem **profileTime); SECStatus PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, - SECItem *emailProfile, SECItem *profileTime); + SECItem *emailProfile, SECItem *profileTime); PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle); -char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ; -SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, - const char *nickname) ; - +char *PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id); +SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + const char *nickname); /* private */ -SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), - void *cbArg, PRBool forceLogin, void *pwArg); +SECStatus pk11_TraverseAllSlots(SECStatus (*callback)(PK11SlotInfo *, void *), + void *cbArg, PRBool forceLogin, void *pwArg); /* fetch multiple CRLs for a specific issuer */ -SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem* issuer, - void *wincx); +SECStatus pk11_RetrieveCrls(CERTCrlHeadNode *nodes, SECItem *issuer, + void *wincx); /* set global options for NSS PKCS#11 module loader */ SECStatus pk11_setGlobalOptions(PRBool noSingleThreadedModules, diff --git a/nss/lib/pk11wrap/pk11pub.h b/nss/lib/pk11wrap/pk11pub.h index d4565eb..e11af86 100644 --- a/nss/lib/pk11wrap/pk11pub.h +++ b/nss/lib/pk11wrap/pk11pub.h @@ -26,32 +26,31 @@ SEC_BEGIN_PROTOS ************************************************************/ void PK11_FreeSlotList(PK11SlotList *list); SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le); -PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list); -PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, - PK11SlotListElement *le, PRBool restart); +PK11SlotListElement *PK11_GetFirstSafe(PK11SlotList *list); +PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, + PK11SlotListElement *le, PRBool restart); /************************************************************ * Generic Slot Management ************************************************************/ PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot); void PK11_FreeSlot(PK11SlotInfo *slot); -SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object); -SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object); +SECStatus PK11_DestroyObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object); +SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object); PK11SlotInfo *PK11_GetInternalKeySlot(void); PK11SlotInfo *PK11_GetInternalSlot(void); SECStatus PK11_Logout(PK11SlotInfo *slot); void PK11_LogoutAll(void); - /************************************************************ * Slot Password Management ************************************************************/ -void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout); -void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout); +void PK11_SetSlotPWValues(PK11SlotInfo *slot, int askpw, int timeout); +void PK11_GetSlotPWValues(PK11SlotInfo *slot, int *askpw, int *timeout); SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw); SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw); PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx); -SECStatus PK11_InitPin(PK11SlotInfo *slot,const char *ssopw, +SECStatus PK11_InitPin(PK11SlotInfo *slot, const char *ssopw, const char *pk11_userpwd); SECStatus PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw); @@ -61,7 +60,6 @@ SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd); SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx); SECStatus PK11_TokenRefresh(PK11SlotInfo *slot); - /****************************************************************** * Slot info functions ******************************************************************/ @@ -73,12 +71,12 @@ PK11SlotInfo *PK11_FindSlotByName(const char *name); * returned. ******************************************************************/ PK11SlotList *PK11_FindSlotsByNames(const char *dllName, - const char* slotName, const char* tokenName, PRBool presentOnly); + const char *slotName, const char *tokenName, PRBool presentOnly); PRBool PK11_IsReadOnly(PK11SlotInfo *slot); PRBool PK11_IsInternal(PK11SlotInfo *slot); PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot); -char * PK11_GetTokenName(PK11SlotInfo *slot); -char * PK11_GetSlotName(PK11SlotInfo *slot); +char *PK11_GetTokenName(PK11SlotInfo *slot); +char *PK11_GetSlotName(PK11SlotInfo *slot); PRBool PK11_NeedLogin(PK11SlotInfo *slot); PRBool PK11_IsFriendly(PK11SlotInfo *slot); PRBool PK11_IsHW(PK11SlotInfo *slot); @@ -105,34 +103,34 @@ PRBool PK11_UserDisableSlot(PK11SlotInfo *slot); PRBool PK11_UserEnableSlot(PK11SlotInfo *slot); /* * wait for a specific slot event. - * event is a specific event to wait for. Currently only + * event is a specific event to wait for. Currently only * PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined. * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change). - * pollInterval is a suggested pulling interval value. '0' means use the + * pollInterval is a suggested pulling interval value. '0' means use the * default. Future implementations that don't poll may ignore this value. - * series is the current series for the last slot. This should be the series + * series is the current series for the last slot. This should be the series * value for the slot the last time you read persistant information from the * slot. For instance, if you publish a cert from the slot, you should obtain - * the slot series at that time. Then PK11_WaitForTokenEvent can detect a - * a change in the slot between the time you publish and the time + * the slot series at that time. Then PK11_WaitForTokenEvent can detect a + * a change in the slot between the time you publish and the time * PK11_WaitForTokenEvent is called, elliminating potential race conditions. * * The current status that is returned is: * PK11TokenNotRemovable - always returned for any non-removable token. * PK11TokenPresent - returned when the token is present and we are waiting - * on a PK11TokenPresentEvent. Then next event to look for is a + * on a PK11TokenPresentEvent. Then next event to look for is a * PK11TokenChangeOrRemovalEvent. * PK11TokenChanged - returned when the old token has been removed and a new - * token ad been inserted, and we are waiting for a + * token ad been inserted, and we are waiting for a * PK11TokenChangeOrRemovalEvent. The next event to look for is another * PK11TokenChangeOrRemovalEvent. - * PK11TokenRemoved - returned when the token is not present and we are - * waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for + * PK11TokenRemoved - returned when the token is not present and we are + * waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for * is a PK11TokenPresentEvent. */ PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, - PRIntervalTime timeout, PRIntervalTime pollInterval, int series); + PRIntervalTime timeout, PRIntervalTime pollInterval, int series); PRBool PK11_NeedPWInit(void); PRBool PK11_TokenExists(CK_MECHANISM_TYPE); @@ -145,16 +143,16 @@ SECMODModule *PK11_GetModule(PK11SlotInfo *slot); *********************************************************************/ PRBool PK11_IsPresent(PK11SlotInfo *slot); PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type); -PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW, - PRBool loadCerts, void *wincx); -PK11SlotInfo *PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, - CK_FLAGS *mechFlag, unsigned int *keySize, - unsigned int count, void *wincx); -PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, - unsigned int count, void *wincx); +PK11SlotList *PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, + PRBool loadCerts, void *wincx); +PK11SlotInfo *PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, + CK_FLAGS *mechFlag, unsigned int *keySize, + unsigned int count, void *wincx); +PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, + unsigned int count, void *wincx); PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx); -PK11SlotInfo *PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, - CK_FLAGS mechFlag, unsigned int keySize, void *wincx); +PK11SlotInfo *PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, + CK_FLAGS mechFlag, unsigned int keySize, void *wincx); CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot); int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type); @@ -218,31 +216,28 @@ SECStatus SECMOD_CloseUserDB(PK11SlotInfo *slot); */ PK11SlotInfo *SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec); - /* - * merge the permanent objects from on token to another + * merge the permanent objects from on token to another */ SECStatus PK11_MergeTokens(PK11SlotInfo *targetSlot, PK11SlotInfo *sourceSlot, - PK11MergeLog *log, void *targetPwArg, void *sourcePwArg); + PK11MergeLog *log, void *targetPwArg, void *sourcePwArg); /* * create and destroy merge logs needed by PK11_MergeTokens */ -PK11MergeLog * PK11_CreateMergeLog(void); +PK11MergeLog *PK11_CreateMergeLog(void); void PK11_DestroyMergeLog(PK11MergeLog *log); - - /********************************************************************* * Mechanism Mapping functions *********************************************************************/ -CK_KEY_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len); +CK_KEY_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len); CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type); -int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params); +int PK11_GetBlockSize(CK_MECHANISM_TYPE type, SECItem *params); int PK11_GetIVLength(CK_MECHANISM_TYPE type); -SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv); -unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len); -SECItem * PK11_BlockData(SECItem *data,unsigned long size); +SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type, SECItem *iv); +unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type, SECItem *param, int *len); +SECItem *PK11_BlockData(SECItem *data, unsigned long size); /* PKCS #11 to DER mapping functions */ SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid); @@ -251,35 +246,35 @@ CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag); SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type); SECOidTag PK11_FortezzaMapSig(SECOidTag algTag); SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param, - PLArenaPool *arena, SECAlgorithmID *algid); -SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len); -SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len); + PLArenaPool *arena, SECAlgorithmID *algid); +SECStatus PK11_SeedRandom(PK11SlotInfo *, unsigned char *data, int len); +SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *, unsigned char *data, int len); SECStatus PK11_RandomUpdate(void *data, size_t bytes); -SECStatus PK11_GenerateRandom(unsigned char *data,int len); +SECStatus PK11_GenerateRandom(unsigned char *data, int len); /* warning: cannot work with pkcs 5 v2 * use algorithm ID s instead of pkcs #11 mechanism pointers */ CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, - CK_MECHANISM_PTR pCryptoMechanism, - SECItem *pbe_pwd, PRBool bad3DES); + CK_MECHANISM_PTR pCryptoMechanism, + SECItem *pbe_pwd, PRBool bad3DES); CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE); CK_MECHANISM_TYPE PK11_MapSignKeyType(KeyType keyType); /********************************************************************** - * Symmetric, Public, and Private Keys + * Symmetric, Public, and Private Keys **********************************************************************/ void PK11_FreeSymKey(PK11SymKey *key); PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey); PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx); -PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, - SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx); + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx); +PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, + SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx); PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, - PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, - PRBool owner, void *wincx); + PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, + PRBool owner, void *wincx); PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, - CK_MECHANISM_TYPE type,int series, void *wincx); + CK_MECHANISM_TYPE type, int series, void *wincx); /* * This function is not thread-safe. It can only be called when only * one thread has a reference to wrapKey. @@ -288,44 +283,43 @@ void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey); CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey); /* * import a public key into the desired slot - * - * This function takes a public key structure and creates a public key in a + * + * This function takes a public key structure and creates a public key in a * given slot. If isToken is set, then a persistant public key is created. * * Note: it is possible for this function to return a handle for a key which * is persistant, even if isToken is not set. */ -CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, - SECKEYPublicKey *pubKey, PRBool isToken); -PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - SECItem *param, int keySize,void *wincx); +CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, + SECKEYPublicKey *pubKey, PRBool isToken); +PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *param, int keySize, void *wincx); PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *param, int keySize, SECItem *keyid, - PRBool isToken, void *wincx); + SECItem *param, int keySize, SECItem *keyid, + PRBool isToken, void *wincx); PK11SymKey *PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, SECItem *param, - int keySize, SECItem *keyid, CK_FLAGS opFlags, - PK11AttrFlags attrFlags, void *wincx); + CK_MECHANISM_TYPE type, SECItem *param, + int keySize, SECItem *keyid, CK_FLAGS opFlags, + PK11AttrFlags attrFlags, void *wincx); /* Generates a key using the exact template supplied by the caller. The other * PK11_[Token]KeyGen mechanisms should be used instead of this one whenever * they work because they include/exclude the CKA_VALUE_LEN template value * based on the mechanism type as required by many tokens. - * + * * keyGenType should be PK11_GetKeyGenWithSize(type, <key size>) or it should * be equal to type if PK11_GetKeyGenWithSize cannot be used (e.g. because * pk11wrap does not know about the mechanisms). */ PK11SymKey *PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, CK_MECHANISM_TYPE keyGenType, - SECItem *param, CK_ATTRIBUTE * attrs, + SECItem *param, CK_ATTRIBUTE *attrs, unsigned int attrsCount, void *wincx); -PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, - void *wincx); +PK11SymKey *PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, + void *wincx); PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey); CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key); CK_OBJECT_HANDLE PK11_GetSymKeyHandle(PK11SymKey *symKey); - /* * PK11_SetSymKeyUserData * sets generic user data on keys (usually a pointer to a data structure) @@ -333,22 +327,22 @@ CK_OBJECT_HANDLE PK11_GetSymKeyHandle(PK11SymKey *symKey); * symKey - key where data will be set. * data - data to be set. * freefunc - function used to free the data. - * Setting user data on symKeys with existing user data already set will cause + * Setting user data on symKeys with existing user data already set will cause * the existing user data to be freed before the new user data is set. - * Freeing user data is done by calling the user specified freefunc. - * If freefunc is NULL, the user data is assumed to be global or static an - * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the - * effect of freeing any existing user data, and clearing the user data - * pointer. If user data exists when the symKey is finally freed, that + * Freeing user data is done by calling the user specified freefunc. + * If freefunc is NULL, the user data is assumed to be global or static an + * not freed. Passing NULL for user data to PK11_SetSymKeyUserData has the + * effect of freeing any existing user data, and clearing the user data + * pointer. If user data exists when the symKey is finally freed, that * data will be freed with freefunc. * * Applications should only use this function on keys which the application * has created directly, as there is only one user data value per key. */ -void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, - PK11FreeDataFunc freefunc); -/* PK11_GetSymKeyUserData - * retrieves generic user data which was set on a key by +void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, + PK11FreeDataFunc freefunc); +/* PK11_GetSymKeyUserData + * retrieves generic user data which was set on a key by * PK11_SetSymKeyUserData. * symKey - key with data to be fetched * @@ -360,15 +354,15 @@ void PK11_SetSymKeyUserData(PK11SymKey *symKey, void *data, void *PK11_GetSymKeyUserData(PK11SymKey *symKey); SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, - PK11SymKey *symKey, SECItem *wrappedKey); + PK11SymKey *symKey, SECItem *wrappedKey); SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params, - PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey); + PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey); /* move a key to 'slot' optionally set the key attributes according to either * operation or the flags and making the key permanent at the same time. - * If the key is moved to the same slot, operation and flags values are + * If the key is moved to the same slot, operation and flags values are * currently ignored */ -PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, - CK_FLAGS flags, PRBool perm, PK11SymKey *symKey); +PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, + CK_FLAGS flags, PRBool perm, PK11SymKey *symKey); /* * derive a new key from the base key. * PK11_Derive returns a key which can do exactly one operation, and is @@ -379,31 +373,30 @@ PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, * (optionally) make the key permanent (token key). */ PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism, - SECItem *param, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize); -PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, - CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags); -PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, - CK_MECHANISM_TYPE derive, - SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags, PRBool isPerm); + SECItem *param, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_DeriveWithFlags(PK11SymKey *baseKey, + CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags); +PK11SymKey *PK11_DeriveWithFlagsPerm(PK11SymKey *baseKey, + CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm); PK11SymKey * -PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, - SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, - PRBool isPerm); - - -PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ; -PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_ULONG kdf, SECItem *sharedData, void *wincx); +PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, + PRBool isPerm); + +PK11SymKey *PK11_PubDerive(SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx); +PK11SymKey *PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx); /* * unwrap a new key with a symetric key. @@ -414,50 +407,50 @@ PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey, * PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can * (optionally) make the key permanent (token key). */ -PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, - CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); -PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, - CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, - CK_FLAGS flags); -PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, - CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags, PRBool isPerm); +PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, + CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, + CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, + CK_FLAGS flags); +PK11SymKey *PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, + CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm); /* * unwrap a new key with a private key. * PK11_PubUnwrap returns a key which can do exactly one operation, and is * ephemeral (session key). - * PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can - * use * CKF_ flags to enable more than one operation, and optionally make + * PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can + * use * CKF_ flags to enable more than one operation, and optionally make * the key permanent (token key). */ PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); -PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, - SECItem *wrappedKey, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_FLAGS flags, PRBool isPerm); -PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *keyID, void *wincx); -SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force); + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_FLAGS flags, PRBool isPerm); +PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *keyID, void *wincx); +SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force); SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey); SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey); -SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx); -SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot, - SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, - PRBool token, PRBool sensitive); -char * PK11_GetSymKeyNickname(PK11SymKey *symKey); -char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey); -char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey); +SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert, void *wincx); +SECKEYPrivateKey *PK11_LoadPrivKey(PK11SlotInfo *slot, + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool token, PRBool sensitive); +char *PK11_GetSymKeyNickname(PK11SymKey *symKey); +char *PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey); +char *PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey); SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname); -SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, - const char *nickname); -SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, - const char *nickname); +SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, + const char *nickname); +SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, + const char *nickname); /* * Using __PK11_SetCertificateNickname is *DANGEROUS*. @@ -472,17 +465,17 @@ SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, * If you ignore this warning, your process is TAINTED and will most likely misbehave. */ SECStatus __PK11_SetCertificateNickname(CERTCertificate *cert, - const char *nickname); + const char *nickname); /* size to hold key in bytes */ unsigned int PK11_GetKeyLength(PK11SymKey *key); /* size of actual secret parts of key in bits */ /* algid is because RC4 strength is determined by the effective bits as well * as the key bits */ -unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid); +unsigned int PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid); SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey); -SECItem * PK11_GetKeyData(PK11SymKey *symKey); -PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey); +SECItem *PK11_GetKeyData(PK11SymKey *symKey); +PK11SlotInfo *PK11_GetSlotFromKey(PK11SymKey *symKey); void *PK11_GetWindow(PK11SymKey *symKey); /* @@ -493,17 +486,17 @@ void *PK11_GetWindow(PK11SymKey *symKey); * * The underlying key usage is set using opFlags. opFlagsMask specifies * which operations are specified by opFlags. For instance to turn encrypt - * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and + * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You - * need to specify both the public and private key flags, - * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the - * correct key type. Flags not specified in opFlagMask will be defaulted + * need to specify both the public and private key flags, + * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the + * correct key type. Flags not specified in opFlagMask will be defaulted * according to mechanism type and token capabilities. */ SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, - PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask, - void *wincx); + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, + PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask, + void *wincx); /* * The attrFlags is the logical OR of the PK11_ATTR_XXX bitflags. * These flags apply to the private key. The PK11_ATTR_TOKEN, @@ -511,28 +504,28 @@ SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, * flags also apply to the public key. */ SECKEYPrivateKey *PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, - PK11AttrFlags attrFlags, void *wincx); + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, + PK11AttrFlags attrFlags, void *wincx); SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, - PRBool isPerm, PRBool isSensitive, void *wincx); -SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, - CERTCertificate *cert, void *wincx); -SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx); -SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, - void *wincx); -int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, + PRBool isPerm, PRBool isSensitive, void *wincx); +SECKEYPrivateKey *PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); +SECKEYPrivateKey *PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx); +SECKEYPrivateKey *PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, + void *wincx); +int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); SECStatus PK11_Decrypt(PK11SymKey *symkey, - CK_MECHANISM_TYPE mechanism, SECItem *param, - unsigned char *out, unsigned int *outLen, - unsigned int maxLen, - const unsigned char *enc, unsigned int encLen); + CK_MECHANISM_TYPE mechanism, SECItem *param, + unsigned char *out, unsigned int *outLen, + unsigned int maxLen, + const unsigned char *enc, unsigned int encLen); SECStatus PK11_Encrypt(PK11SymKey *symKey, - CK_MECHANISM_TYPE mechanism, SECItem *param, - unsigned char *out, unsigned int *outLen, - unsigned int maxLen, - const unsigned char *data, unsigned int dataLen); + CK_MECHANISM_TYPE mechanism, SECItem *param, + unsigned char *out, unsigned int *outLen, + unsigned int maxLen, + const unsigned char *data, unsigned int dataLen); /* note: despite the name, this function takes a private key. */ SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, @@ -568,134 +561,134 @@ SECStatus PK11_PubEncrypt(SECKEYPublicKey *key, const unsigned char *data, unsigned int dataLen, void *wincx); -SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, - SECKEYPrivateKeyInfo *pki, SECItem *nickname, - SECItem *publicValue, PRBool isPerm, PRBool isPrivate, - unsigned int usage, void *wincx); -SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECKEYPrivateKeyInfo *pki, SECItem *nickname, - SECItem *publicValue, PRBool isPerm, PRBool isPrivate, - unsigned int usage, SECKEYPrivateKey** privk, void *wincx); -SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, - SECItem *derPKI, SECItem *nickname, - SECItem *publicValue, PRBool isPerm, PRBool isPrivate, - unsigned int usage, void *wincx); -SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECItem *derPKI, SECItem *nickname, - SECItem *publicValue, PRBool isPerm, PRBool isPrivate, - unsigned int usage, SECKEYPrivateKey** privk, void *wincx); -SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType type, - unsigned int usage, void *wincx); -SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType type, - unsigned int usage, SECKEYPrivateKey** privk, void *wincx); +SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, + SECKEYPrivateKeyInfo *pki, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, void *wincx); +SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, + SECKEYPrivateKeyInfo *pki, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, SECKEYPrivateKey **privk, void *wincx); +SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, + SECItem *derPKI, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, void *wincx); +SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, + SECItem *derPKI, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, SECKEYPrivateKey **privk, void *wincx); +SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType type, + unsigned int usage, void *wincx); +SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType type, + unsigned int usage, SECKEYPrivateKey **privk, void *wincx); SECItem *PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx); SECKEYPrivateKeyInfo *PK11_ExportPrivKeyInfo( - SECKEYPrivateKey *pk, void *wincx); + SECKEYPrivateKey *pk, void *wincx); SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo( - CERTCertificate *cert, void *wincx); + CERTCertificate *cert, void *wincx); SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo( - PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, - SECKEYPrivateKey *pk, int iteration, void *wincx); + PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, + SECKEYPrivateKey *pk, int iteration, void *wincx); SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo( - PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, - CERTCertificate *cert, int iteration, void *wincx); -SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, - CERTCertificate *cert, void *wincx); + PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, + CERTCertificate *cert, int iteration, void *wincx); +SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length); SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key); PRBool PK11_VerifyKeyOK(PK11SymKey *key); -SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, - PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, SECItem *label, - SECItem *publicValue, PRBool token, PRBool sensitive, - CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount, - void *wincx); +SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, + PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, SECItem *label, + SECItem *publicValue, PRBool token, PRBool sensitive, + CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount, + void *wincx); SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, - SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, void *wincx); + SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, void *wincx); /* * The caller of PK11_DEREncodePublicKey should free the returned SECItem with * a SECITEM_FreeItem(..., PR_TRUE) call. */ -SECItem* PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk); -PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey, - CK_MECHANISM_TYPE mech); -SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, - char *nickname, void *wincx); -SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, - char *nickname); +SECItem *PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk); +PK11SymKey *PK11_CopySymKeyForSigning(PK11SymKey *originalKey, + CK_MECHANISM_TYPE mech); +SECKEYPrivateKeyList *PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, + char *nickname, void *wincx); +SECKEYPublicKeyList *PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, + char *nickname); SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey); /* deprecated */ -SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot); +SECKEYPrivateKeyList *PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot); PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, - void *wincx); + void *wincx); SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey( - SECKEYPrivateKey *privk, void* wincx); -SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot, - SECKEYPrivateKey *privKey); + SECKEYPrivateKey *privk, void *wincx); +SECKEYPrivateKey *PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot, + SECKEYPrivateKey *privKey); /********************************************************************** * Certs **********************************************************************/ SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData); SECStatus PK11_TraverseSlotCerts( - SECStatus(* callback)(CERTCertificate*,SECItem *,void *), - void *arg, void *wincx); -CERTCertificate * PK11_FindCertFromNickname(const char *nickname, void *wincx); -CERTCertList * PK11_FindCertsFromEmailAddress(const char *email, void *wincx); -CERTCertList * PK11_FindCertsFromNickname(const char *nickname, void *wincx); + SECStatus (*callback)(CERTCertificate *, SECItem *, void *), + void *arg, void *wincx); +CERTCertificate *PK11_FindCertFromNickname(const char *nickname, void *wincx); +CERTCertList *PK11_FindCertsFromEmailAddress(const char *email, void *wincx); +CERTCertList *PK11_FindCertsFromNickname(const char *nickname, void *wincx); CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey); SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, - CK_OBJECT_HANDLE key, const char *nickname, - PRBool includeTrust); + CK_OBJECT_HANDLE key, const char *nickname, + PRBool includeTrust); SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, - CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust); -PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust); +PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, const char *nickname, void *wincx); PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname, - void *wincx); + void *wincx); PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert, - CK_OBJECT_HANDLE *keyPtr, void *wincx); + CK_OBJECT_HANDLE *keyPtr, void *wincx); PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert, - CK_OBJECT_HANDLE *keyPtr, void *wincx); -CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot, - CERTIssuerAndSN *sn, void *wincx); -CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot, - SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip, - SECKEYPrivateKey**privKey, void *wincx); + CK_OBJECT_HANDLE *keyPtr, void *wincx); +CERTCertificate *PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot, + CERTIssuerAndSN *sn, void *wincx); +CERTCertificate *PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot, + SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip, + SECKEYPrivateKey **privKey, void *wincx); int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, - void *wincx); + void *wincx); SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, - PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), - void *arg); -CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, - CERTCertificate *cert, void *wincx); + PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *), + void *arg); +CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, - const SECItem *derCert, void *wincx); + const SECItem *derCert, void *wincx); SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, - char *nickname, PRBool addUsage, - void *wincx); -CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx); + char *nickname, PRBool addUsage, + void *wincx); +CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert, void *wincx); PRBool PK11_FortezzaHasKEA(CERTCertificate *cert); CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, - void *wincx); + void *wincx); SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, - PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), - void *arg); -CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg); -CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot); -CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, - int type, void *wincx, PRInt32 importOptions, PLArenaPool* arena, PRInt32 decodeOptions); + PK11SlotInfo *slot, SECStatus (*callback)(CERTCertificate *, void *), + void *arg); +CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg); +CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot); +CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url, + int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions); /********************************************************************** - * Sign/Verify + * Sign/Verify **********************************************************************/ /* @@ -706,24 +699,30 @@ CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, * -1 on failure?) */ int PK11_SignatureLen(SECKEYPrivateKey *key); -PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key); +PK11SlotInfo *PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key); SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, - const SECItem *hash); + const SECItem *hash); +SECStatus PK11_SignWithMechanism(SECKEYPrivateKey *key, + CK_MECHANISM_TYPE mechanism, + const SECItem *param, SECItem *sig, + const SECItem *hash); SECStatus PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, - SECItem *param, SECItem *sig, const SECItem *data); + SECItem *param, SECItem *sig, const SECItem *data); SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig, - SECItem *dsig, void * wincx); + SECItem *dsig, void *wincx); SECStatus PK11_Verify(SECKEYPublicKey *key, const SECItem *sig, - const SECItem *hash, void *wincx); - - + const SECItem *hash, void *wincx); +SECStatus PK11_VerifyWithMechanism(SECKEYPublicKey *key, + CK_MECHANISM_TYPE mechanism, + const SECItem *param, const SECItem *sig, + const SECItem *hash, void *wincx); /********************************************************************** * Crypto Contexts **********************************************************************/ void PK11_DestroyContext(PK11Context *context, PRBool freeit); PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param); + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param); PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg); PK11Context *PK11_CloneContext(PK11Context *old); SECStatus PK11_DigestBegin(PK11Context *cx); @@ -732,17 +731,17 @@ SECStatus PK11_DigestBegin(PK11Context *cx); * the hash algorithm 'hashAlg'. */ SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, - const unsigned char *in, PRInt32 len); -SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, + const unsigned char *in, PRInt32 len); +SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, unsigned len); -SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, - int maxout, const unsigned char *in, int inlen); +SECStatus PK11_CipherOp(PK11Context *context, unsigned char *out, int *outlen, + int maxout, const unsigned char *in, int inlen); SECStatus PK11_Finalize(PK11Context *context); -SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, - unsigned int *outLen, unsigned int length); +SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, + unsigned int *outLen, unsigned int length); #define PK11_CipherFinal PK11_DigestFinal -SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save, - int *len, int saveLength); +SECStatus PK11_SaveContext(PK11Context *cx, unsigned char *save, + int *len, int saveLength); /* Save the context's state, with possible allocation. * The caller may supply an already allocated buffer in preAllocBuf, @@ -758,20 +757,19 @@ PK11_SaveContextAlloc(PK11Context *cx, unsigned char *preAllocBuf, unsigned int pabLen, unsigned int *stateLen); -SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len); -SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len); -void PK11_SetFortezzaHack(PK11SymKey *symKey) ; - +SECStatus PK11_RestoreContext(PK11Context *cx, unsigned char *save, int len); +SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey, unsigned char *iv, int len); +void PK11_SetFortezzaHack(PK11SymKey *symKey); /********************************************************************** - * PBE functions + * PBE functions **********************************************************************/ /* This function creates PBE parameters from the given inputs. The result * can be used to create a password integrity key for PKCS#12, by sending * the return value to PK11_KeyGen along with the appropriate mechanism. */ -SECItem * +SECItem * PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations); /* free params created above (can be called after keygen is done */ @@ -787,13 +785,13 @@ PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag, SECOidTag prfAlgTag, int keyLength, int iteration, SECItem *salt); PK11SymKey * -PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, - PRBool faulty3DES, void *wincx); +PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, + PRBool faulty3DES, void *wincx); /* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */ PK11SymKey * PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params, - SECItem *pwitem, PRBool faulty3DES, void *wincx); + SECItem *pwitem, PRBool faulty3DES, void *wincx); SECItem * PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem); /* @@ -802,38 +800,38 @@ PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem); * Caller is responsible for freeing the return parameter (param). */ CK_MECHANISM_TYPE -PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, - SECItem **param, SECItem *pwd); +PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, + SECItem **param, SECItem *pwd); /********************************************************************** * Functions to manage secmod flags **********************************************************************/ const PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size); SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot, - const PK11DefaultArrayEntry *entry, - PRBool add); + const PK11DefaultArrayEntry *entry, + PRBool add); /********************************************************************** * Functions to look at PKCS #11 dependent data **********************************************************************/ -PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, - CK_OBJECT_CLASS objClass); +PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, + CK_OBJECT_CLASS objClass); PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object); PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object); SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object); SECStatus PK11_LinkGenericObject(PK11GenericObject *list, - PK11GenericObject *object); + PK11GenericObject *object); SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object); SECStatus PK11_DestroyGenericObject(PK11GenericObject *object); -PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, - const CK_ATTRIBUTE *pTemplate, - int count, PRBool token); +PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, + const CK_ATTRIBUTE *pTemplate, + int count, PRBool token); /* * PK11_ReadRawAttribute and PK11_WriteRawAttribute are generic * functions to read and modify the actual PKCS #11 attributes of * the underlying pkcs #11 object. - * + * * object is a pointer to an NSS object that represents the underlying * PKCS #11 object. It's type must match the type of PK11ObjectType * as follows: @@ -852,10 +850,10 @@ PK11GenericObject *PK11_CreateGenericObject(PK11SlotInfo *slot, * pointed to by item using a SECITEM_FreeItem(item, PR_FALSE) or * PORT_Free(item->data) call. */ -SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object, - CK_ATTRIBUTE_TYPE attr, SECItem *item); -SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object, - CK_ATTRIBUTE_TYPE attr, SECItem *item); +SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object, + CK_ATTRIBUTE_TYPE attr, SECItem *item); +SECStatus PK11_WriteRawAttribute(PK11ObjectType type, void *object, + CK_ATTRIBUTE_TYPE attr, SECItem *item); /* * PK11_GetAllSlotsForCert returns all the slots that a given certificate @@ -870,7 +868,7 @@ PK11_GetAllSlotsForCert(CERTCertificate *cert, void *arg); **********************************************************************/ SECItem * PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, - CERTCertificate *cert, void *pwarg); + CERTCertificate *cert, void *pwarg); SECItem * PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key); diff --git a/nss/lib/pk11wrap/pk11sdr.c b/nss/lib/pk11wrap/pk11sdr.c index 43030b6..eb67bfb 100644 --- a/nss/lib/pk11wrap/pk11sdr.c +++ b/nss/lib/pk11wrap/pk11sdr.c @@ -13,34 +13,33 @@ * Data structure and template for encoding the result of an SDR operation * This is temporary. It should include the algorithm ID of the encryption mechanism */ -struct SDRResult -{ - SECItem keyid; - SECAlgorithmID alg; - SECItem data; +struct SDRResult { + SECItem keyid; + SECAlgorithmID alg; + SECItem data; }; typedef struct SDRResult SDRResult; SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) static SEC_ASN1Template template[] = { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof (SDRResult) }, - { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(SDRResult, alg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) }, - { 0 } + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SDRResult) }, + { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, keyid) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(SDRResult, alg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OCTET_STRING, offsetof(SDRResult, data) }, + { 0 } }; static unsigned char keyID[] = { - 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 + 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }; static SECItem keyIDItem = { - 0, - keyID, - sizeof keyID + 0, + keyID, + sizeof keyID }; /* local utility function for padding an incoming data block @@ -49,82 +48,91 @@ static SECItem keyIDItem = { static SECStatus padBlock(SECItem *data, int blockSize, SECItem *result) { - SECStatus rv = SECSuccess; - int padLength; - unsigned int i; + SECStatus rv = SECSuccess; + int padLength; + unsigned int i; - result->data = 0; - result->len = 0; + result->data = 0; + result->len = 0; - /* This algorithm always adds to the block (to indicate the number + /* This algorithm always adds to the block (to indicate the number * of pad bytes). So allocate a block large enough. */ - padLength = blockSize - (data->len % blockSize); - result->len = data->len + padLength; - result->data = (unsigned char *)PORT_Alloc(result->len); + padLength = blockSize - (data->len % blockSize); + result->len = data->len + padLength; + result->data = (unsigned char *)PORT_Alloc(result->len); - /* Copy the data */ - PORT_Memcpy(result->data, data->data, data->len); + /* Copy the data */ + PORT_Memcpy(result->data, data->data, data->len); - /* Add the pad values */ - for(i = data->len; i < result->len; i++) - result->data[i] = (unsigned char)padLength; + /* Add the pad values */ + for (i = data->len; i < result->len; i++) + result->data[i] = (unsigned char)padLength; - return rv; + return rv; } static SECStatus unpadBlock(SECItem *data, int blockSize, SECItem *result) { - SECStatus rv = SECSuccess; - int padLength; - unsigned int i; + SECStatus rv = SECSuccess; + int padLength; + unsigned int i; - result->data = 0; - result->len = 0; + result->data = 0; + result->len = 0; - /* Remove the padding from the end if the input data */ - if (data->len == 0 || data->len % blockSize != 0) { rv = SECFailure; goto loser; } + /* Remove the padding from the end if the input data */ + if (data->len == 0 || data->len % blockSize != 0) { + rv = SECFailure; + goto loser; + } - padLength = data->data[data->len-1]; - if (padLength > blockSize) { rv = SECFailure; goto loser; } + padLength = data->data[data->len - 1]; + if (padLength > blockSize) { + rv = SECFailure; + goto loser; + } - /* verify padding */ - for (i=data->len - padLength; i < data->len; i++) { - if (data->data[i] != padLength) { - rv = SECFailure; - goto loser; + /* verify padding */ + for (i = data->len - padLength; i < data->len; i++) { + if (data->data[i] != padLength) { + rv = SECFailure; + goto loser; + } } - } - result->len = data->len - padLength; - result->data = (unsigned char *)PORT_Alloc(result->len); - if (!result->data) { rv = SECFailure; goto loser; } + result->len = data->len - padLength; + result->data = (unsigned char *)PORT_Alloc(result->len); + if (!result->data) { + rv = SECFailure; + goto loser; + } - PORT_Memcpy(result->data, data->data, result->len); + PORT_Memcpy(result->data, data->data, result->len); - if (padLength < 2) { - return SECWouldBlock; - } + if (padLength < 2) { + return SECWouldBlock; + } loser: - return rv; + return rv; } static PRLock *pk11sdrLock = NULL; void -pk11sdr_Init (void) +pk11sdr_Init(void) { - pk11sdrLock = PR_NewLock(); + pk11sdrLock = PR_NewLock(); } void pk11sdr_Shutdown(void) { if (pk11sdrLock) { - PR_DestroyLock(pk11sdrLock); - pk11sdrLock = NULL; + PR_DestroyLock(pk11sdrLock); + pk11sdrLock = NULL; } } @@ -136,135 +144,171 @@ pk11sdr_Shutdown(void) SECStatus PK11SDR_Encrypt(SECItem *keyid, SECItem *data, SECItem *result, void *cx) { - SECStatus rv = SECSuccess; - PK11SlotInfo *slot = 0; - PK11SymKey *key = 0; - SECItem *params = 0; - PK11Context *ctx = 0; - CK_MECHANISM_TYPE type; - SDRResult sdrResult; - SECItem paddedData; - SECItem *pKeyID; - PLArenaPool *arena = 0; - - /* Initialize */ - paddedData.len = 0; - paddedData.data = 0; - - arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if (!arena) { rv = SECFailure; goto loser; } - - /* 1. Locate the requested keyid, or the default key (which has a keyid) - * 2. Create an encryption context - * 3. Encrypt - * 4. Encode the results (using ASN.1) - */ - - slot = PK11_GetInternalKeySlot(); - if (!slot) { rv = SECFailure; goto loser; } - - /* Use triple-DES */ - type = CKM_DES3_CBC; - - /* - * Login to the internal token before we look for the key, otherwise we - * won't find it. - */ - rv = PK11_Authenticate(slot, PR_TRUE, cx); - if (rv != SECSuccess) goto loser; - - /* Find the key to use */ - pKeyID = keyid; - if (pKeyID->len == 0) { - pKeyID = &keyIDItem; /* Use default value */ + SECStatus rv = SECSuccess; + PK11SlotInfo *slot = 0; + PK11SymKey *key = 0; + SECItem *params = 0; + PK11Context *ctx = 0; + CK_MECHANISM_TYPE type; + SDRResult sdrResult; + SECItem paddedData; + SECItem *pKeyID; + PLArenaPool *arena = 0; + + /* Initialize */ + paddedData.len = 0; + paddedData.data = 0; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (!arena) { + rv = SECFailure; + goto loser; + } - /* put in a course lock to prevent a race between not finding the - * key and creating one. - */ + /* 1. Locate the requested keyid, or the default key (which has a keyid) + * 2. Create an encryption context + * 3. Encrypt + * 4. Encode the results (using ASN.1) + */ - if (pk11sdrLock) PR_Lock(pk11sdrLock); + slot = PK11_GetInternalKeySlot(); + if (!slot) { + rv = SECFailure; + goto loser; + } - /* Try to find the key */ - key = PK11_FindFixedKey(slot, type, pKeyID, cx); - - /* If the default key doesn't exist yet, try to create it */ - if (!key) key = PK11_GenDES3TokenKey(slot, pKeyID, cx); - if (pk11sdrLock) PR_Unlock(pk11sdrLock); - } else { - key = PK11_FindFixedKey(slot, type, pKeyID, cx); - } + /* Use triple-DES */ + type = CKM_DES3_CBC; + + /* + * Login to the internal token before we look for the key, otherwise we + * won't find it. + */ + rv = PK11_Authenticate(slot, PR_TRUE, cx); + if (rv != SECSuccess) + goto loser; + + /* Find the key to use */ + pKeyID = keyid; + if (pKeyID->len == 0) { + pKeyID = &keyIDItem; /* Use default value */ + + /* put in a course lock to prevent a race between not finding the + * key and creating one. + */ + + if (pk11sdrLock) + PR_Lock(pk11sdrLock); + + /* Try to find the key */ + key = PK11_FindFixedKey(slot, type, pKeyID, cx); + + /* If the default key doesn't exist yet, try to create it */ + if (!key) + key = PK11_GenDES3TokenKey(slot, pKeyID, cx); + if (pk11sdrLock) + PR_Unlock(pk11sdrLock); + } else { + key = PK11_FindFixedKey(slot, type, pKeyID, cx); + } - if (!key) { rv = SECFailure; goto loser; } + if (!key) { + rv = SECFailure; + goto loser; + } - params = PK11_GenerateNewParam(type, key); - if (!params) { rv = SECFailure; goto loser; } + params = PK11_GenerateNewParam(type, key); + if (!params) { + rv = SECFailure; + goto loser; + } - ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params); - if (!ctx) { rv = SECFailure; goto loser; } + ctx = PK11_CreateContextBySymKey(type, CKA_ENCRYPT, key, params); + if (!ctx) { + rv = SECFailure; + goto loser; + } - rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData); - if (rv != SECSuccess) goto loser; + rv = padBlock(data, PK11_GetBlockSize(type, 0), &paddedData); + if (rv != SECSuccess) + goto loser; - sdrResult.data.len = paddedData.len; - sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len); + sdrResult.data.len = paddedData.len; + sdrResult.data.data = (unsigned char *)PORT_ArenaAlloc(arena, sdrResult.data.len); - rv = PK11_CipherOp(ctx, sdrResult.data.data, (int*)&sdrResult.data.len, sdrResult.data.len, - paddedData.data, paddedData.len); - if (rv != SECSuccess) goto loser; + rv = PK11_CipherOp(ctx, sdrResult.data.data, (int *)&sdrResult.data.len, sdrResult.data.len, + paddedData.data, paddedData.len); + if (rv != SECSuccess) + goto loser; - PK11_Finalize(ctx); + PK11_Finalize(ctx); - sdrResult.keyid = *pKeyID; + sdrResult.keyid = *pKeyID; - rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg); - if (rv != SECSuccess) goto loser; + rv = PK11_ParamToAlgid(SEC_OID_DES_EDE3_CBC, params, arena, &sdrResult.alg); + if (rv != SECSuccess) + goto loser; - if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { rv = SECFailure; goto loser; } + if (!SEC_ASN1EncodeItem(0, result, &sdrResult, template)) { + rv = SECFailure; + goto loser; + } loser: - SECITEM_ZfreeItem(&paddedData, PR_FALSE); - if (arena) PORT_FreeArena(arena, PR_TRUE); - if (ctx) PK11_DestroyContext(ctx, PR_TRUE); - if (params) SECITEM_ZfreeItem(params, PR_TRUE); - if (key) PK11_FreeSymKey(key); - if (slot) PK11_FreeSlot(slot); - - return rv; + SECITEM_ZfreeItem(&paddedData, PR_FALSE); + if (arena) + PORT_FreeArena(arena, PR_TRUE); + if (ctx) + PK11_DestroyContext(ctx, PR_TRUE); + if (params) + SECITEM_ZfreeItem(params, PR_TRUE); + if (key) + PK11_FreeSymKey(key); + if (slot) + PK11_FreeSlot(slot); + + return rv; } /* decrypt a block */ static SECStatus -pk11Decrypt(PK11SlotInfo *slot, PLArenaPool *arena, - CK_MECHANISM_TYPE type, PK11SymKey *key, - SECItem *params, SECItem *in, SECItem *result) +pk11Decrypt(PK11SlotInfo *slot, PLArenaPool *arena, + CK_MECHANISM_TYPE type, PK11SymKey *key, + SECItem *params, SECItem *in, SECItem *result) { - PK11Context *ctx = 0; - SECItem paddedResult; - SECStatus rv; + PK11Context *ctx = 0; + SECItem paddedResult; + SECStatus rv; - paddedResult.len = 0; - paddedResult.data = 0; + paddedResult.len = 0; + paddedResult.data = 0; - ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params); - if (!ctx) { rv = SECFailure; goto loser; } + ctx = PK11_CreateContextBySymKey(type, CKA_DECRYPT, key, params); + if (!ctx) { + rv = SECFailure; + goto loser; + } - paddedResult.len = in->len; - paddedResult.data = PORT_ArenaAlloc(arena, paddedResult.len); + paddedResult.len = in->len; + paddedResult.data = PORT_ArenaAlloc(arena, paddedResult.len); - rv = PK11_CipherOp(ctx, paddedResult.data, - (int*)&paddedResult.len, paddedResult.len, - in->data, in->len); - if (rv != SECSuccess) goto loser; + rv = PK11_CipherOp(ctx, paddedResult.data, + (int *)&paddedResult.len, paddedResult.len, + in->data, in->len); + if (rv != SECSuccess) + goto loser; - PK11_Finalize(ctx); + PK11_Finalize(ctx); - /* Remove the padding */ - rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result); - if (rv) goto loser; + /* Remove the padding */ + rv = unpadBlock(&paddedResult, PK11_GetBlockSize(type, 0), result); + if (rv) + goto loser; loser: - if (ctx) PK11_DestroyContext(ctx, PR_TRUE); - return rv; + if (ctx) + PK11_DestroyContext(ctx, PR_TRUE); + return rv; } /* @@ -275,103 +319,119 @@ loser: SECStatus PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx) { - SECStatus rv = SECSuccess; - PK11SlotInfo *slot = 0; - PK11SymKey *key = 0; - CK_MECHANISM_TYPE type; - SDRResult sdrResult; - SECItem *params = 0; - SECItem possibleResult = { 0, NULL, 0 }; - PLArenaPool *arena = 0; - - arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); - if (!arena) { rv = SECFailure; goto loser; } - - /* Decode the incoming data */ - memset(&sdrResult, 0, sizeof sdrResult); - rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data); - if (rv != SECSuccess) goto loser; /* Invalid format */ - - /* Find the slot and key for the given keyid */ - slot = PK11_GetInternalKeySlot(); - if (!slot) { rv = SECFailure; goto loser; } - - rv = PK11_Authenticate(slot, PR_TRUE, cx); - if (rv != SECSuccess) goto loser; - - /* Get the parameter values from the data */ - params = PK11_ParamFromAlgid(&sdrResult.alg); - if (!params) { rv = SECFailure; goto loser; } - - /* Use triple-DES (Should look up the algorithm) */ - type = CKM_DES3_CBC; - key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx); - if (!key) { - rv = SECFailure; - } else { - rv = pk11Decrypt(slot, arena, type, key, params, - &sdrResult.data, result); - } - - /* - * if the pad value was too small (1 or 2), then it's statistically - * 'likely' that (1 in 256) that we may not have the correct key. - * Check the other keys for a better match. If we find none, use - * this result. - */ - if (rv == SECWouldBlock) { - possibleResult = *result; - } + SECStatus rv = SECSuccess; + PK11SlotInfo *slot = 0; + PK11SymKey *key = 0; + CK_MECHANISM_TYPE type; + SDRResult sdrResult; + SECItem *params = 0; + SECItem possibleResult = { 0, NULL, 0 }; + PLArenaPool *arena = 0; + + arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE); + if (!arena) { + rv = SECFailure; + goto loser; + } - /* - * handle the case where your key indicies may have been broken - */ - if (rv != SECSuccess) { - PK11SymKey *keyList = PK11_ListFixedKeysInSlot(slot, NULL, cx); - PK11SymKey *testKey = NULL; - PK11SymKey *nextKey = NULL; - - for (testKey = keyList; testKey; - testKey = PK11_GetNextSymKey(testKey)) { - rv = pk11Decrypt(slot, arena, type, testKey, params, - &sdrResult.data, result); - if (rv == SECSuccess) { - break; - } - /* found a close match. If it's our first remember it */ - if (rv == SECWouldBlock) { - if (possibleResult.data) { - /* this is unlikely but possible. If we hit this condition, - * we have no way of knowing which possibility to prefer. - * in this case we just match the key the application - * thought was the right one */ - SECITEM_ZfreeItem(result, PR_FALSE); - } else { - possibleResult = *result; - } - } - } - - /* free the list */ - for (testKey = keyList; testKey; testKey = nextKey) { - nextKey = PK11_GetNextSymKey(testKey); - PK11_FreeSymKey(testKey); - } - } - - /* we didn't find a better key, use the one with a small pad value */ - if ((rv != SECSuccess) && (possibleResult.data)) { - *result = possibleResult; - possibleResult.data = NULL; - rv = SECSuccess; - } + /* Decode the incoming data */ + memset(&sdrResult, 0, sizeof sdrResult); + rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data); + if (rv != SECSuccess) + goto loser; /* Invalid format */ + + /* Find the slot and key for the given keyid */ + slot = PK11_GetInternalKeySlot(); + if (!slot) { + rv = SECFailure; + goto loser; + } -loser: - if (arena) PORT_FreeArena(arena, PR_TRUE); - if (key) PK11_FreeSymKey(key); - if (params) SECITEM_ZfreeItem(params, PR_TRUE); - if (slot) PK11_FreeSlot(slot); - if (possibleResult.data) SECITEM_ZfreeItem(&possibleResult, PR_FALSE); + rv = PK11_Authenticate(slot, PR_TRUE, cx); + if (rv != SECSuccess) + goto loser; + + /* Get the parameter values from the data */ + params = PK11_ParamFromAlgid(&sdrResult.alg); + if (!params) { + rv = SECFailure; + goto loser; + } - return rv; + /* Use triple-DES (Should look up the algorithm) */ + type = CKM_DES3_CBC; + key = PK11_FindFixedKey(slot, type, &sdrResult.keyid, cx); + if (!key) { + rv = SECFailure; + } else { + rv = pk11Decrypt(slot, arena, type, key, params, + &sdrResult.data, result); + } + + /* + * if the pad value was too small (1 or 2), then it's statistically + * 'likely' that (1 in 256) that we may not have the correct key. + * Check the other keys for a better match. If we find none, use + * this result. + */ + if (rv == SECWouldBlock) { + possibleResult = *result; + } + + /* + * handle the case where your key indicies may have been broken + */ + if (rv != SECSuccess) { + PK11SymKey *keyList = PK11_ListFixedKeysInSlot(slot, NULL, cx); + PK11SymKey *testKey = NULL; + PK11SymKey *nextKey = NULL; + + for (testKey = keyList; testKey; + testKey = PK11_GetNextSymKey(testKey)) { + rv = pk11Decrypt(slot, arena, type, testKey, params, + &sdrResult.data, result); + if (rv == SECSuccess) { + break; + } + /* found a close match. If it's our first remember it */ + if (rv == SECWouldBlock) { + if (possibleResult.data) { + /* this is unlikely but possible. If we hit this condition, + * we have no way of knowing which possibility to prefer. + * in this case we just match the key the application + * thought was the right one */ + SECITEM_ZfreeItem(result, PR_FALSE); + } else { + possibleResult = *result; + } + } + } + + /* free the list */ + for (testKey = keyList; testKey; testKey = nextKey) { + nextKey = PK11_GetNextSymKey(testKey); + PK11_FreeSymKey(testKey); + } + } + + /* we didn't find a better key, use the one with a small pad value */ + if ((rv != SECSuccess) && (possibleResult.data)) { + *result = possibleResult; + possibleResult.data = NULL; + rv = SECSuccess; + } + +loser: + if (arena) + PORT_FreeArena(arena, PR_TRUE); + if (key) + PK11_FreeSymKey(key); + if (params) + SECITEM_ZfreeItem(params, PR_TRUE); + if (slot) + PK11_FreeSlot(slot); + if (possibleResult.data) + SECITEM_ZfreeItem(&possibleResult, PR_FALSE); + + return rv; } diff --git a/nss/lib/pk11wrap/pk11skey.c b/nss/lib/pk11wrap/pk11skey.c index 20d9eaa..850ec02 100644 --- a/nss/lib/pk11wrap/pk11skey.c +++ b/nss/lib/pk11wrap/pk11skey.c @@ -19,15 +19,17 @@ #include "hasht.h" static void -pk11_EnterKeyMonitor(PK11SymKey *symKey) { - if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) - PK11_EnterSlotMonitor(symKey->slot); +pk11_EnterKeyMonitor(PK11SymKey *symKey) +{ + if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) + PK11_EnterSlotMonitor(symKey->slot); } static void -pk11_ExitKeyMonitor(PK11SymKey *symKey) { - if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) - PK11_ExitSlotMonitor(symKey->slot); +pk11_ExitKeyMonitor(PK11SymKey *symKey) +{ + if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) + PK11_ExitSlotMonitor(symKey->slot); } /* @@ -36,66 +38,67 @@ pk11_ExitKeyMonitor(PK11SymKey *symKey) { * was not specified). */ static PK11SymKey * -pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession) { +pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession) +{ PK11SymKey *symKey = NULL; PZ_Lock(slot->freeListLock); /* own session list are symkeys with sessions that the symkey owns. * 'most' symkeys will own their own session. */ if (needSession) { - if (slot->freeSymKeysWithSessionHead) { - symKey = slot->freeSymKeysWithSessionHead; - slot->freeSymKeysWithSessionHead = symKey->next; - slot->keyCount--; - } + if (slot->freeSymKeysWithSessionHead) { + symKey = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey->next; + slot->keyCount--; + } } /* if we don't need a symkey with its own session, or we couldn't find * one on the owner list, get one from the non-owner free list. */ if (!symKey) { - if (slot->freeSymKeysHead) { - symKey = slot->freeSymKeysHead; - slot->freeSymKeysHead = symKey->next; - slot->keyCount--; - } + if (slot->freeSymKeysHead) { + symKey = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey->next; + slot->keyCount--; + } } PZ_Unlock(slot->freeListLock); if (symKey) { - symKey->next = NULL; - if (!needSession) { - return symKey; - } - /* if we are getting an owner key, make sure we have a valid session. + symKey->next = NULL; + if (!needSession) { + return symKey; + } + /* if we are getting an owner key, make sure we have a valid session. * session could be invalid if the token has been removed or because * we got it from the non-owner free list */ - if ((symKey->series != slot->series) || - (symKey->session == CK_INVALID_SESSION)) { - symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner); - } - PORT_Assert(symKey->session != CK_INVALID_SESSION); - if (symKey->session != CK_INVALID_SESSION) - return symKey; - PK11_FreeSymKey(symKey); - /* if we are here, we need a session, but couldn't get one, it's - * unlikely we pk11_GetNewSession will succeed if we call it a second - * time. */ - return NULL; + if ((symKey->series != slot->series) || + (symKey->session == CK_INVALID_SESSION)) { + symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner); + } + PORT_Assert(symKey->session != CK_INVALID_SESSION); + if (symKey->session != CK_INVALID_SESSION) + return symKey; + PK11_FreeSymKey(symKey); + /* if we are here, we need a session, but couldn't get one, it's + * unlikely we pk11_GetNewSession will succeed if we call it a second + * time. */ + return NULL; } symKey = PORT_New(PK11SymKey); if (symKey == NULL) { - return NULL; + return NULL; } symKey->next = NULL; if (needSession) { - symKey->session = pk11_GetNewSession(slot,&symKey->sessionOwner); - PORT_Assert(symKey->session != CK_INVALID_SESSION); + symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner); + PORT_Assert(symKey->session != CK_INVALID_SESSION); if (symKey->session == CK_INVALID_SESSION) { - PK11_FreeSymKey(symKey); - symKey = NULL; - } + PK11_FreeSymKey(symKey); + symKey = NULL; + } } else { - symKey->session = CK_INVALID_SESSION; + symKey->session = CK_INVALID_SESSION; } return symKey; } @@ -107,16 +110,16 @@ PK11_CleanKeyList(PK11SlotInfo *slot) PK11SymKey *symKey = NULL; while (slot->freeSymKeysWithSessionHead) { - symKey = slot->freeSymKeysWithSessionHead; - slot->freeSymKeysWithSessionHead = symKey->next; - pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); - PORT_Free(symKey); + symKey = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey->next; + pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); + PORT_Free(symKey); } while (slot->freeSymKeysHead) { - symKey = slot->freeSymKeysHead; - slot->freeSymKeysHead = symKey->next; - pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); - PORT_Free(symKey); + symKey = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey->next; + pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); + PORT_Free(symKey); } return; } @@ -124,29 +127,29 @@ PK11_CleanKeyList(PK11SlotInfo *slot) /* * create a symetric key: * Slot is the slot to create the key in. - * type is the mechanism type + * type is the mechanism type * owner is does this symKey structure own it's object handle (rare * that this is false). * needSession means the returned symKey will return with a valid session * allocated already. */ static PK11SymKey * -pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PRBool owner, PRBool needSession, void *wincx) +pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PRBool owner, PRBool needSession, void *wincx) { PK11SymKey *symKey = pk11_getKeyFromList(slot, needSession); if (symKey == NULL) { - return NULL; + return NULL; } /* if needSession was specified, make sure we have a valid session. * callers which specify needSession as false should do their own * check of the session before returning the symKey */ if (needSession && symKey->session == CK_INVALID_SESSION) { - PK11_FreeSymKey(symKey); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; + PK11_FreeSymKey(symKey); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; } symKey->type = type; @@ -178,61 +181,60 @@ PK11_FreeSymKey(PK11SymKey *symKey) PRBool freeit = PR_TRUE; if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) { - PK11SymKey *parent = symKey->parent; - - symKey->parent = NULL; - if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) { - pk11_EnterKeyMonitor(symKey); - (void) PK11_GETTAB(symKey->slot)-> - C_DestroyObject(symKey->session, symKey->objectID); - pk11_ExitKeyMonitor(symKey); - } - if (symKey->data.data) { - PORT_Memset(symKey->data.data, 0, symKey->data.len); - PORT_Free(symKey->data.data); - } - /* free any existing data */ - if (symKey->userData && symKey->freeFunc) { - (*symKey->freeFunc)(symKey->userData); - } + PK11SymKey *parent = symKey->parent; + + symKey->parent = NULL; + if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) { + pk11_EnterKeyMonitor(symKey); + (void)PK11_GETTAB(symKey->slot)->C_DestroyObject(symKey->session, symKey->objectID); + pk11_ExitKeyMonitor(symKey); + } + if (symKey->data.data) { + PORT_Memset(symKey->data.data, 0, symKey->data.len); + PORT_Free(symKey->data.data); + } + /* free any existing data */ + if (symKey->userData && symKey->freeFunc) { + (*symKey->freeFunc)(symKey->userData); + } slot = symKey->slot; PZ_Lock(slot->freeListLock); - if (slot->keyCount < slot->maxKeyCount) { - /* + if (slot->keyCount < slot->maxKeyCount) { + /* * freeSymkeysWithSessionHead contain a list of reusable - * SymKey structures with valid sessions. - * sessionOwner must be true. + * SymKey structures with valid sessions. + * sessionOwner must be true. * session must be valid. * freeSymKeysHead contain a list of SymKey structures without * valid session. * session must be CK_INVALID_SESSION. - * though sessionOwner is false, callers should not depend on - * this fact. - */ - if (symKey->sessionOwner) { - PORT_Assert (symKey->session != CK_INVALID_SESSION); - symKey->next = slot->freeSymKeysWithSessionHead; - slot->freeSymKeysWithSessionHead = symKey; - } else { - symKey->session = CK_INVALID_SESSION; - symKey->next = slot->freeSymKeysHead; - slot->freeSymKeysHead = symKey; - } - slot->keyCount++; - symKey->slot = NULL; - freeit = PR_FALSE; + * though sessionOwner is false, callers should not depend on + * this fact. + */ + if (symKey->sessionOwner) { + PORT_Assert(symKey->session != CK_INVALID_SESSION); + symKey->next = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey; + } else { + symKey->session = CK_INVALID_SESSION; + symKey->next = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey; + } + slot->keyCount++; + symKey->slot = NULL; + freeit = PR_FALSE; } - PZ_Unlock(slot->freeListLock); + PZ_Unlock(slot->freeListLock); if (freeit) { - pk11_CloseSession(symKey->slot, symKey->session, - symKey->sessionOwner); - PORT_Free(symKey); - } - PK11_FreeSlot(slot); + pk11_CloseSession(symKey->slot, symKey->session, + symKey->sessionOwner); + PORT_Free(symKey); + } + PK11_FreeSlot(slot); - if (parent) { - PK11_FreeSymKey(parent); - } + if (parent) { + PK11_FreeSymKey(parent); + } } } @@ -261,9 +263,10 @@ PK11_GetSlotFromKey(PK11SymKey *symKey) return PK11_ReferenceSlot(symKey->slot); } -CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *symKey) +CK_KEY_TYPE +PK11_GetSymKeyType(PK11SymKey *symKey) { - return PK11_GetKeyType(symKey->type,symKey->size); + return PK11_GetKeyType(symKey->type, symKey->size); } PK11SymKey * @@ -275,13 +278,13 @@ PK11_GetNextSymKey(PK11SymKey *symKey) char * PK11_GetSymKeyNickname(PK11SymKey *symKey) { - return PK11_GetObjectNickname(symKey->slot,symKey->objectID); + return PK11_GetObjectNickname(symKey->slot, symKey->objectID); } SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname) { - return PK11_SetObjectNickname(symKey->slot,symKey->objectID,nickname); + return PK11_SetObjectNickname(symKey->slot, symKey->objectID, nickname); } void * @@ -291,12 +294,12 @@ PK11_GetSymKeyUserData(PK11SymKey *symKey) } void -PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, - PK11FreeDataFunc freeFunc) +PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, + PK11FreeDataFunc freeFunc) { /* free any existing data */ if (symKey->userData && symKey->freeFunc) { - (*symKey->freeFunc)(symKey->userData); + (*symKey->freeFunc)(symKey->userData); } symKey->userData = userData; symKey->freeFunc = freeFunc; @@ -308,18 +311,18 @@ PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, */ PK11SymKey * PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin, - CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx) + CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx) { PK11SymKey *symKey; PRBool needSession = !(owner && parent); if (keyID == CK_INVALID_HANDLE) { - return NULL; + return NULL; } symKey = pk11_CreateSymKey(slot, type, owner, needSession, wincx); if (symKey == NULL) { - return NULL; + return NULL; } symKey->objectID = keyID; @@ -330,18 +333,18 @@ PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin, * structure with a ref count so the session goes away only after all the * keys do. */ if (!needSession) { - symKey->sessionOwner = PR_FALSE; - symKey->session = parent->session; - symKey->parent = PK11_ReferenceSymKey(parent); + symKey->sessionOwner = PR_FALSE; + symKey->session = parent->session; + symKey->parent = PK11_ReferenceSymKey(parent); /* This is the only case where pk11_CreateSymKey does not explicitly - * check symKey->session. We need to assert here to make sure. - * the session isn't invalid. */ - PORT_Assert(parent->session != CK_INVALID_SESSION); - if (parent->session == CK_INVALID_SESSION) { - PK11_FreeSymKey(symKey); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } + * check symKey->session. We need to assert here to make sure. + * the session isn't invalid. */ + PORT_Assert(parent->session != CK_INVALID_SESSION); + if (parent->session == CK_INVALID_SESSION) { + PK11_FreeSymKey(symKey); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } } return symKey; @@ -352,16 +355,19 @@ PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin, */ PK11SymKey * PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type, - int series, void *wincx) + int series, void *wincx) { PK11SymKey *symKey = NULL; - if (slot->series != series) return NULL; - if (slot->refKeys[wrap] == CK_INVALID_HANDLE) return NULL; - if (type == CKM_INVALID_MECHANISM) type = slot->wrapMechanism; + if (slot->series != series) + return NULL; + if (slot->refKeys[wrap] == CK_INVALID_HANDLE) + return NULL; + if (type == CKM_INVALID_MECHANISM) + type = slot->wrapMechanism; symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, - slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx); + slot->wrapMechanism, slot->refKeys[wrap], PR_FALSE, wincx); return symKey; } @@ -382,29 +388,29 @@ PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey) slot->wrapMechanism = wrapKey->type; } - /* * figure out if a key is still valid or if it is stale. */ PRBool -PK11_VerifyKeyOK(PK11SymKey *key) { +PK11_VerifyKeyOK(PK11SymKey *key) +{ if (!PK11_IsPresent(key->slot)) { - return PR_FALSE; + return PR_FALSE; } return (PRBool)(key->series == key->slot->series); } static PK11SymKey * pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate, - unsigned int templateCount, SECItem *key, void *wincx) + PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate, + unsigned int templateCount, SECItem *key, void *wincx) { - PK11SymKey * symKey; - SECStatus rv; + PK11SymKey *symKey; + SECStatus rv; symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx); if (symKey == NULL) { - return NULL; + return NULL; } symKey->size = key->len; @@ -412,19 +418,19 @@ pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len); templateCount++; - if (SECITEM_CopyItem(NULL,&symKey->data,key) != SECSuccess) { - PK11_FreeSymKey(symKey); - return NULL; + if (SECITEM_CopyItem(NULL, &symKey->data, key) != SECSuccess) { + PK11_FreeSymKey(symKey); + return NULL; } symKey->origin = origin; /* import the keys */ rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate, - templateCount, isToken, &symKey->objectID); - if ( rv != SECSuccess) { - PK11_FreeSymKey(symKey); - return NULL; + templateCount, isToken, &symKey->objectID); + if (rv != SECSuccess) { + PK11_FreeSymKey(symKey); + return NULL; } return symKey; @@ -435,74 +441,80 @@ pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, */ PK11SymKey * PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,void *wincx) -{ - PK11SymKey * symKey; - unsigned int templateCount = 0; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_BBOOL cktrue = CK_TRUE; /* sigh */ - CK_ATTRIBUTE keyTemplate[5]; - CK_ATTRIBUTE * attrs = keyTemplate; - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++; - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx) +{ + PK11SymKey *symKey; + unsigned int templateCount = 0; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_BBOOL cktrue = CK_TRUE; /* sigh */ + CK_ATTRIBUTE keyTemplate[5]; + CK_ATTRIBUTE *attrs = keyTemplate; + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); - keyType = PK11_GetKeyType(type,key->len); - symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE, - keyTemplate, templateCount, key, wincx); + keyType = PK11_GetKeyType(type, key->len); + symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE, + keyTemplate, templateCount, key, wincx); return symKey; } - /* * turn key bits into an appropriate key object */ PK11SymKey * PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, - CK_FLAGS flags, PRBool isPerm, void *wincx) -{ - PK11SymKey * symKey; - unsigned int templateCount = 0; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_BBOOL cktrue = CK_TRUE; /* sigh */ - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - CK_ATTRIBUTE * attrs = keyTemplate; - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++; + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, + CK_FLAGS flags, PRBool isPerm, void *wincx) +{ + PK11SymKey *symKey; + unsigned int templateCount = 0; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_BBOOL cktrue = CK_TRUE; /* sigh */ + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs = keyTemplate; + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; if (isPerm) { - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue) ); attrs++; - /* sigh some tokens think CKA_PRIVATE = false is a reasonable - * default for secret keys */ - PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue) ); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; + /* sigh some tokens think CKA_PRIVATE = false is a reasonable + * default for secret keys */ + PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue)); + attrs++; } attrs += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); if ((operation != CKA_FLAGS_ONLY) && - !pk11_FindAttrInTemplate(keyTemplate, attrs-keyTemplate, operation)) { - PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue)); attrs++; + !pk11_FindAttrInTemplate(keyTemplate, attrs - keyTemplate, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue)); + attrs++; } templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount+1 <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); - keyType = PK11_GetKeyType(type,key->len); + keyType = PK11_GetKeyType(type, key->len); symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, isPerm, - keyTemplate, templateCount, key, wincx); + keyTemplate, templateCount, key, wincx); if (symKey && isPerm) { - symKey->owner = PR_FALSE; + symKey->owner = PR_FALSE; } return symKey; } - PK11SymKey * PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID, - void *wincx) + void *wincx) { CK_ATTRIBUTE findTemp[4]; CK_ATTRIBUTE *attrs; @@ -512,20 +524,23 @@ PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID, CK_OBJECT_HANDLE key_id; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (keyID) { - PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); attrs++; + PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_id = pk11_FindObjectByTemplate(slot,findTemp,tsize); + key_id = pk11_FindObjectByTemplate(slot, findTemp, tsize); if (key_id == CK_INVALID_HANDLE) { - return NULL; + return NULL; } return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id, - PR_FALSE, wincx); + PR_FALSE, wincx); } PK11SymKey * @@ -540,51 +555,53 @@ PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) CK_OBJECT_HANDLE *key_ids; PK11SymKey *nextKey = NULL; PK11SymKey *topKey = NULL; - int i,len; + int i, len; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (nickname) { - len = PORT_Strlen(nickname); - PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++; + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount); + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (key_ids == NULL) { - return NULL; - } - - for (i=0; i < objCount ; i++) { - SECItem typeData; - CK_KEY_TYPE type = CKK_GENERIC_SECRET; - SECStatus rv = PK11_ReadAttribute(slot, key_ids[i], - CKA_KEY_TYPE, NULL, &typeData); - if (rv == SECSuccess) { - if (typeData.len == sizeof(CK_KEY_TYPE)) { - type = *(CK_KEY_TYPE *)typeData.data; - } - PORT_Free(typeData.data); - } - nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, - PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx); - if (nextKey) { - nextKey->next = topKey; - topKey = nextKey; - } - } - PORT_Free(key_ids); - return topKey; + return NULL; + } + + for (i = 0; i < objCount; i++) { + SECItem typeData; + CK_KEY_TYPE type = CKK_GENERIC_SECRET; + SECStatus rv = PK11_ReadAttribute(slot, key_ids[i], + CKA_KEY_TYPE, NULL, &typeData); + if (rv == SECSuccess) { + if (typeData.len == sizeof(CK_KEY_TYPE)) { + type = *(CK_KEY_TYPE *)typeData.data; + } + PORT_Free(typeData.data); + } + nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, + PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx); + if (nextKey) { + nextKey->next = topKey; + topKey = nextKey; + } + } + PORT_Free(key_ids); + return topKey; } void * PK11_GetWindow(PK11SymKey *key) { - return key->cx; + return key->cx; } - /* * extract a symetric key value. NOTE: if the key is sensitive, we will @@ -596,21 +613,21 @@ PK11_ExtractKeyValue(PK11SymKey *symKey) SECStatus rv; if (symKey->data.data != NULL) { - if (symKey->size == 0) { - symKey->size = symKey->data.len; - } - return SECSuccess; + if (symKey->size == 0) { + symKey->size = symKey->data.len; + } + return SECSuccess; } if (symKey->slot == NULL) { - PORT_SetError( SEC_ERROR_INVALID_KEY ); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; } - rv = PK11_ReadAttribute(symKey->slot,symKey->objectID,CKA_VALUE,NULL, - &symKey->data); + rv = PK11_ReadAttribute(symKey->slot, symKey->objectID, CKA_VALUE, NULL, + &symKey->data); if (rv == SECSuccess) { - symKey->size = symKey->data.len; + symKey->size = symKey->data.len; } return rv; } @@ -619,9 +636,9 @@ SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey) { if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) { - return SECFailure; + return SECFailure; } - PK11_DestroyTokenObject(symKey->slot,symKey->objectID); + PK11_DestroyTokenObject(symKey->slot, symKey->objectID); symKey->objectID = CK_INVALID_HANDLE; return SECSuccess; } @@ -639,7 +656,6 @@ __PK11_GetKeyData(PK11SymKey *symKey) return PK11_GetKeyData(symKey); } - /* * PKCS #11 key Types with predefined length */ @@ -648,13 +664,26 @@ pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType) { int length = 0; switch (keyType) { - case CKK_DES: length = 8; break; - case CKK_DES2: length = 16; break; - case CKK_DES3: length = 24; break; - case CKK_SKIPJACK: length = 10; break; - case CKK_BATON: length = 20; break; - case CKK_JUNIPER: length = 20; break; - default: break; + case CKK_DES: + length = 8; + break; + case CKK_DES2: + length = 16; + break; + case CKK_DES3: + length = 24; + break; + case CKK_SKIPJACK: + length = 10; + break; + case CKK_BATON: + length = 20; + break; + case CKK_JUNIPER: + length = 20; + break; + default: + break; } return length; } @@ -665,33 +694,35 @@ PK11_GetKeyLength(PK11SymKey *key) { CK_KEY_TYPE keyType; - if (key->size != 0) return key->size; + if (key->size != 0) + return key->size; /* First try to figure out the key length from its type */ - keyType = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_KEY_TYPE); + keyType = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_KEY_TYPE); key->size = pk11_GetPredefinedKeyLength(keyType); if ((keyType == CKK_GENERIC_SECRET) && - (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)) { - key->size=48; + (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)) { + key->size = 48; } - if( key->size != 0 ) return key->size; + if (key->size != 0) + return key->size; - if (key->data.data == NULL) { - PK11_ExtractKeyValue(key); - } - /* key is probably secret. Look up its length */ - /* this is new PKCS #11 version 2.0 functionality. */ - if (key->size == 0) { - CK_ULONG keyLength; + if (key->data.data == NULL) { + PK11_ExtractKeyValue(key); + } + /* key is probably secret. Look up its length */ + /* this is new PKCS #11 version 2.0 functionality. */ + if (key->size == 0) { + CK_ULONG keyLength; - keyLength = PK11_ReadULongAttribute(key->slot,key->objectID,CKA_VALUE_LEN); - if (keyLength != CK_UNAVAILABLE_INFORMATION) { - key->size = (unsigned int)keyLength; - } + keyLength = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_VALUE_LEN); + if (keyLength != CK_UNAVAILABLE_INFORMATION) { + key->size = (unsigned int)keyLength; + } } - return key->size; + return key->size; } /* return the strength of a key. This is different from length in that @@ -699,77 +730,78 @@ PK11_GetKeyLength(PK11SymKey *key) * of the key minus any checksums or parity. */ unsigned int -PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) -{ - int size=0; - CK_MECHANISM_TYPE mechanism= CKM_INVALID_MECHANISM; /* RC2 only */ - SECItem *param = NULL; /* RC2 only */ - CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */ - unsigned int effectiveBits = 0; /* RC2 ONLY */ - - switch (PK11_GetKeyType(key->type,0)) { - case CKK_CDMF: - return 40; - case CKK_DES: - return 56; - case CKK_DES3: - case CKK_DES2: - size = PK11_GetKeyLength(key); - if (size == 16) { - /* double des */ - return 112; /* 16*7 */ - } - return 168; - /* - * RC2 has is different than other ciphers in that it allows the user - * to deprecating keysize while still requiring all the bits for the - * original key. The info - * on what the effective key strength is in the parameter for the key. - * In S/MIME this parameter is stored in the DER encoded algid. In Our - * other uses of RC2, effectiveBits == keyBits, so this code functions - * correctly without an algid. - */ - case CKK_RC2: - /* if no algid was provided, fall through to default */ - if (!algid) { - break; - } - /* verify that the algid is for RC2 */ - mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid)); - if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) { - break; - } - - /* now get effective bits from the algorithm ID. */ - param = PK11_ParamFromAlgid(algid); - /* if we couldn't get memory just use key length */ - if (param == NULL) { - break; - } - - rc2_params = (CK_RC2_CBC_PARAMS *) param->data; - /* paranoia... shouldn't happen */ - PORT_Assert(param->data != NULL); - if (param->data == NULL) { - SECITEM_FreeItem(param,PR_TRUE); - break; - } - effectiveBits = (unsigned int)rc2_params->ulEffectiveBits; - SECITEM_FreeItem(param,PR_TRUE); - param = NULL; rc2_params=NULL; /* paranoia */ - - /* we have effective bits, is and allocated memory is free, now - * we need to return the smaller of effective bits and keysize */ - size = PK11_GetKeyLength(key); - if ((unsigned int)size*8 > effectiveBits) { - return effectiveBits; - } - - return size*8; /* the actual key is smaller, the strength can't be - * greater than the actual key size */ - - default: - break; +PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) +{ + int size = 0; + CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; /* RC2 only */ + SECItem *param = NULL; /* RC2 only */ + CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */ + unsigned int effectiveBits = 0; /* RC2 ONLY */ + + switch (PK11_GetKeyType(key->type, 0)) { + case CKK_CDMF: + return 40; + case CKK_DES: + return 56; + case CKK_DES3: + case CKK_DES2: + size = PK11_GetKeyLength(key); + if (size == 16) { + /* double des */ + return 112; /* 16*7 */ + } + return 168; + /* + * RC2 has is different than other ciphers in that it allows the user + * to deprecating keysize while still requiring all the bits for the + * original key. The info + * on what the effective key strength is in the parameter for the key. + * In S/MIME this parameter is stored in the DER encoded algid. In Our + * other uses of RC2, effectiveBits == keyBits, so this code functions + * correctly without an algid. + */ + case CKK_RC2: + /* if no algid was provided, fall through to default */ + if (!algid) { + break; + } + /* verify that the algid is for RC2 */ + mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid)); + if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) { + break; + } + + /* now get effective bits from the algorithm ID. */ + param = PK11_ParamFromAlgid(algid); + /* if we couldn't get memory just use key length */ + if (param == NULL) { + break; + } + + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + /* paranoia... shouldn't happen */ + PORT_Assert(param->data != NULL); + if (param->data == NULL) { + SECITEM_FreeItem(param, PR_TRUE); + break; + } + effectiveBits = (unsigned int)rc2_params->ulEffectiveBits; + SECITEM_FreeItem(param, PR_TRUE); + param = NULL; + rc2_params = NULL; /* paranoia */ + + /* we have effective bits, is and allocated memory is free, now + * we need to return the smaller of effective bits and keysize */ + size = PK11_GetKeyLength(key); + if ((unsigned int)size * 8 > effectiveBits) { + return effectiveBits; + } + + return size * 8; /* the actual key is smaller, the strength can't be + * greater than the actual key size */ + + default: + break; } return PK11_GetKeyLength(key) * 8; } @@ -780,36 +812,36 @@ PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) * into the new slot. */ PK11SymKey * -pk11_CopyToSlotPerm(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, - PRBool isPerm, PK11SymKey *symKey) +pk11_CopyToSlotPerm(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, + PRBool isPerm, PK11SymKey *symKey) { SECStatus rv; PK11SymKey *newKey = NULL; /* Extract the raw key data if possible */ if (symKey->data.data == NULL) { - rv = PK11_ExtractKeyValue(symKey); - /* KEY is sensitive, we're try key exchanging it. */ - if (rv != SECSuccess) { - return pk11_KeyExchange(slot, type, operation, - flags, isPerm, symKey); - } + rv = PK11_ExtractKeyValue(symKey); + /* KEY is sensitive, we're try key exchanging it. */ + if (rv != SECSuccess) { + return pk11_KeyExchange(slot, type, operation, + flags, isPerm, symKey); + } } - newKey = PK11_ImportSymKeyWithFlags(slot, type, symKey->origin, - operation, &symKey->data, flags, isPerm, symKey->cx); + newKey = PK11_ImportSymKeyWithFlags(slot, type, symKey->origin, + operation, &symKey->data, flags, isPerm, symKey->cx); if (newKey == NULL) { - newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey); + newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey); } return newKey; } PK11SymKey * -pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey) +pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey) { - return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey); + return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey); } /* @@ -818,7 +850,7 @@ pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, */ PK11SymKey * pk11_ForceSlotMultiple(PK11SymKey *symKey, CK_MECHANISM_TYPE *type, - int mechCount, CK_ATTRIBUTE_TYPE operation) + int mechCount, CK_ATTRIBUTE_TYPE operation) { PK11SlotInfo *slot = symKey->slot; PK11SymKey *newKey = NULL; @@ -826,25 +858,25 @@ pk11_ForceSlotMultiple(PK11SymKey *symKey, CK_MECHANISM_TYPE *type, int i; if (slot == NULL) { - needToCopy = PR_TRUE; + needToCopy = PR_TRUE; } else { - i = 0; - while ((i < mechCount) && (needToCopy == PR_FALSE)) { - if (!PK11_DoesMechanism(slot,type[i])) { - needToCopy = PR_TRUE; - } - i++; - } + i = 0; + while ((i < mechCount) && (needToCopy == PR_FALSE)) { + if (!PK11_DoesMechanism(slot, type[i])) { + needToCopy = PR_TRUE; + } + i++; + } } if (needToCopy == PR_TRUE) { - slot = PK11_GetBestSlotMultiple(type,mechCount,symKey->cx); - if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; - } - newKey = pk11_CopyToSlot(slot, type[0], operation, symKey); - PK11_FreeSlot(slot); + slot = PK11_GetBestSlotMultiple(type, mechCount, symKey->cx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + newKey = pk11_CopyToSlot(slot, type[0], operation, symKey); + PK11_FreeSlot(slot); } return newKey; } @@ -853,40 +885,40 @@ pk11_ForceSlotMultiple(PK11SymKey *symKey, CK_MECHANISM_TYPE *type, * Make sure the slot we are in is the correct slot for the operation */ PK11SymKey * -pk11_ForceSlot(PK11SymKey *symKey,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation) +pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation) { return pk11_ForceSlotMultiple(symKey, &type, 1, operation); } PK11SymKey * -PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, - CK_FLAGS flags, PRBool perm, PK11SymKey *symKey) +PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, + CK_FLAGS flags, PRBool perm, PK11SymKey *symKey) { if (symKey->slot == slot) { - if (perm) { - return PK11_ConvertSessionSymKeyToTokenSymKey(symKey,symKey->cx); - } else { - return PK11_ReferenceSymKey(symKey); - } + if (perm) { + return PK11_ConvertSessionSymKeyToTokenSymKey(symKey, symKey->cx); + } else { + return PK11_ReferenceSymKey(symKey); + } } - - return pk11_CopyToSlotPerm(slot, symKey->type, - operation, flags, perm, symKey); + + return pk11_CopyToSlotPerm(slot, symKey->type, + operation, flags, perm, symKey); } /* - * Use the token to generate a key. - * - * keySize must be 'zero' for fixed key length algorithms. A nonzero - * keySize causes the CKA_VALUE_LEN attribute to be added to the template - * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN + * Use the token to generate a key. + * + * keySize must be 'zero' for fixed key length algorithms. A nonzero + * keySize causes the CKA_VALUE_LEN attribute to be added to the template + * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN * attribute for keys with fixed length. The exception is DES2. If you * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN * parameter and use the key size to determine which underlying DES keygen * function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN). * - * keyType must be -1 for most algorithms. Some PBE algorthims cannot + * keyType must be -1 for most algorithms. Some PBE algorthims cannot * determine the correct key type from the mechanism or the parameters, * so key type must be specified. Other PKCS #11 mechanisms may do so in * the future. Currently there is no need to export this publically. @@ -898,50 +930,51 @@ PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, */ PK11SymKey * pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid, - CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx) + SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid, + CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx) { PK11SymKey *symKey; CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS]; CK_ATTRIBUTE *attrs = genTemplate; - int count = sizeof(genTemplate)/sizeof(genTemplate[0]); + int count = sizeof(genTemplate) / sizeof(genTemplate[0]); CK_MECHANISM_TYPE keyGenType; CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; - CK_ULONG ck_key_size; /* only used for variable-length keys */ + CK_ULONG ck_key_size; /* only used for variable-length keys */ if (pk11_BadAttrFlags(attrFlags)) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - if ((keySize != 0) && (type != CKM_DES3_CBC) && - (type !=CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) { + if ((keySize != 0) && (type != CKM_DES3_CBC) && + (type != CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) { ck_key_size = keySize; /* Convert to PK11 type */ - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); - attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); + attrs++; } if (keyType != -1) { - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE)); - attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE)); + attrs++; } /* Include key id value if provided */ if (keyid) { - PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++; + PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); + attrs++; } attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse); attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue); count = attrs - genTemplate; - PR_ASSERT(count <= sizeof(genTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE)); keyGenType = PK11_GetKeyGenWithSize(type, keySize); if (keyGenType == CKM_FAKE_RANDOM) { - PORT_SetError( SEC_ERROR_NO_MODULE ); + PORT_SetError(SEC_ERROR_NO_MODULE); return NULL; } symKey = PK11_KeyGenWithTemplate(slot, type, keyGenType, @@ -954,10 +987,10 @@ pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, /* * Use the token to generate a key. - Public - * - * keySize must be 'zero' for fixed key length algorithms. A nonzero - * keySize causes the CKA_VALUE_LEN attribute to be added to the template - * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN + * + * keySize must be 'zero' for fixed key length algorithms. A nonzero + * keySize causes the CKA_VALUE_LEN attribute to be added to the template + * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN * attribute for keys with fixed length. The exception is DES2. If you * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN * parameter and use the key size to determine which underlying DES keygen @@ -968,11 +1001,11 @@ pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, */ PK11SymKey * PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, - PK11AttrFlags attrFlags, void *wincx) + SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, + PK11AttrFlags attrFlags, void *wincx) { - return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize, - keyid, opFlags, attrFlags, wincx); + return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize, + keyid, opFlags, attrFlags, wincx); } /* @@ -986,28 +1019,28 @@ PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, */ PK11SymKey * PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, - int keySize, SECItem *keyid, PRBool isToken, void *wincx) + int keySize, SECItem *keyid, PRBool isToken, void *wincx) { PK11SymKey *symKey; - PRBool weird = PR_FALSE; /* hack for fortezza */ + PRBool weird = PR_FALSE; /* hack for fortezza */ CK_FLAGS opFlags = CKF_SIGN; PK11AttrFlags attrFlags = 0; if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) { - weird = PR_TRUE; - keySize = 0; + weird = PR_TRUE; + keySize = 0; } opFlags |= weird ? CKF_DECRYPT : CKF_ENCRYPT; if (isToken) { - attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); + attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); } - symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, - -1, keySize, keyid, opFlags, attrFlags, wincx); + symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, + -1, keySize, keyid, opFlags, attrFlags, wincx); if (symKey && weird) { - PK11_SetFortezzaHack(symKey); + PK11_SetFortezzaHack(symKey); } return symKey; @@ -1015,7 +1048,7 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, PK11SymKey * PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, - int keySize, void *wincx) + int keySize, void *wincx) { return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx); } @@ -1023,7 +1056,7 @@ PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, PK11SymKey * PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, CK_MECHANISM_TYPE keyGenType, - SECItem *param, CK_ATTRIBUTE * attrs, + SECItem *param, CK_ATTRIBUTE *attrs, unsigned int attrsCount, void *wincx) { PK11SymKey *symKey; @@ -1044,25 +1077,25 @@ PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT)); return NULL; } - keySize = * (CK_ULONG *) attrs[i].pValue; + keySize = *(CK_ULONG *)attrs[i].pValue; break; case CKA_TOKEN: - if (attrs[i].pValue == NULL || + if (attrs[i].pValue == NULL || attrs[i].ulValueLen != sizeof(CK_BBOOL)) { PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT)); return NULL; } - isToken = (*(CK_BBOOL*)attrs[i].pValue) ? PR_TRUE : PR_FALSE; + isToken = (*(CK_BBOOL *)attrs[i].pValue) ? PR_TRUE : PR_FALSE; break; } } /* find a slot to generate the key into */ /* Only do slot management if this is not a token key */ - if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot,type))) { - PK11SlotInfo *bestSlot = PK11_GetBestSlot(type,wincx); + if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot, type))) { + PK11SlotInfo *bestSlot = PK11_GetBestSlot(type, wincx); if (bestSlot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); + PORT_SetError(SEC_ERROR_NO_MODULE); return NULL; } symKey = pk11_CreateSymKey(bestSlot, type, !isToken, PR_TRUE, wincx); @@ -1070,7 +1103,8 @@ PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, } else { symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx); } - if (symKey == NULL) return NULL; + if (symKey == NULL) + return NULL; symKey->size = keySize; symKey->origin = PK11_OriginGenerated; @@ -1086,13 +1120,13 @@ PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, /* Get session and perform locking */ if (isToken) { - PK11_Authenticate(symKey->slot,PR_TRUE,wincx); + PK11_Authenticate(symKey->slot, PR_TRUE, wincx); /* Should always be original slot */ - session = PK11_GetRWSession(symKey->slot); + session = PK11_GetRWSession(symKey->slot); symKey->owner = PR_FALSE; } else { session = symKey->session; - if (session != CK_INVALID_SESSION) + if (session != CK_INVALID_SESSION) pk11_EnterKeyMonitor(symKey); } if (session == CK_INVALID_SESSION) { @@ -1101,8 +1135,7 @@ PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, return NULL; } - crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session, - &mechanism, attrs, attrsCount, &symKey->objectID); + crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session, &mechanism, attrs, attrsCount, &symKey->objectID); /* Release lock and session */ if (isToken) { @@ -1113,25 +1146,24 @@ PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, if (crv != CKR_OK) { PK11_FreeSymKey(symKey); - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); return NULL; } return symKey; } - /* --- */ PK11SymKey * PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx) { - return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx); + return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx); } -PK11SymKey* +PK11SymKey * PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx) { - PK11SlotInfo* slot = symk->slot; + PK11SlotInfo *slot = symk->slot; CK_ATTRIBUTE template[1]; CK_ATTRIBUTE *attrs = template; CK_BBOOL cktrue = CK_TRUE; @@ -1139,25 +1171,26 @@ PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx) CK_OBJECT_HANDLE newKeyID; CK_SESSION_HANDLE rwsession; - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; PK11_Authenticate(slot, PR_TRUE, wincx); rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; } crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, symk->objectID, - template, 1, &newKeyID); + template, 1, &newKeyID); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); return NULL; } return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin, - symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/); + symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/); } /* @@ -1166,10 +1199,10 @@ PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx) * Diffie-Hellman Ciphers. */ SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, - PK11SymKey *symKey, SECItem *wrappedKey) + PK11SymKey *symKey, SECItem *wrappedKey) { PK11SlotInfo *slot; - CK_ULONG len = wrappedKey->len; + CK_ULONG len = wrappedKey->len; PK11SymKey *newKey = NULL; CK_OBJECT_HANDLE id; CK_MECHANISM mechanism; @@ -1178,19 +1211,19 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, CK_RV crv; if (symKey == NULL) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } /* if this slot doesn't support the mechanism, go to a slot that does */ - newKey = pk11_ForceSlot(symKey,type,CKA_ENCRYPT); + newKey = pk11_ForceSlot(symKey, type, CKA_ENCRYPT); if (newKey != NULL) { - symKey = newKey; + symKey = newKey; } if (symKey->slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return SECFailure; + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; } slot = symKey->slot; @@ -1198,31 +1231,33 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, mechanism.pParameter = NULL; mechanism.ulParameterLen = 0; - id = PK11_ImportPublicKey(slot,pubKey,PR_FALSE); + id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE); if (id == CK_INVALID_HANDLE) { - if (newKey) { - PK11_FreeSymKey(newKey); - } - return SECFailure; /* Error code has been set. */ - } - - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_WrapKey(session,&mechanism, - id,symKey->objectID,wrappedKey->data,&len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + if (newKey) { + PK11_FreeSymKey(newKey); + } + return SECFailure; /* Error code has been set. */ + } + + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism, + id, symKey->objectID, wrappedKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); if (newKey) { - PK11_FreeSymKey(newKey); + PK11_FreeSymKey(newKey); } if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } wrappedKey->len = len; return SECSuccess; -} +} /* * this little function uses the Encrypt function to wrap a key, just in @@ -1230,7 +1265,7 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, */ static SECStatus pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type, - SECItem *inKey, SECItem *outKey) + SECItem *inKey, SECItem *outKey) { PK11SlotInfo *slot; CK_ULONG len; @@ -1244,42 +1279,46 @@ pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type, /* use NULL IV's for wrapping */ mech.mechanism = type; if (param) { - mech.pParameter = param->data; - mech.ulParameterLen = param->len; + mech.pParameter = param->data; + mech.ulParameterLen = param->len; } else { - mech.pParameter = NULL; - mech.ulParameterLen = 0; - } - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_EncryptInit(session,&mech, - wrappingKey->objectID); + mech.pParameter = NULL; + mech.ulParameterLen = 0; + } + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech, + wrappingKey->objectID); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } /* keys are almost always aligned, but if we get this far, * we've gone above and beyond anyway... */ - data = PK11_BlockData(inKey,PK11_GetBlockSize(type,param)); + data = PK11_BlockData(inKey, PK11_GetBlockSize(type, param)); if (data == NULL) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } len = outKey->len; - crv = PK11_GETTAB(slot)->C_Encrypt(session,data->data,data->len, - outKey->data, &len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - SECITEM_FreeItem(data,PR_TRUE); + crv = PK11_GETTAB(slot)->C_Encrypt(session, data->data, data->len, + outKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + SECITEM_FreeItem(data, PR_TRUE); outKey->len = len; if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -1288,8 +1327,8 @@ pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type, * This function does a symetric based wrap. */ SECStatus -PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, - PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey) +PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, + PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey) { PK11SlotInfo *slot; CK_ULONG len = wrappedKey->len; @@ -1304,40 +1343,41 @@ PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, /* if this slot doesn't support the mechanism, go to a slot that does */ /* Force symKey and wrappingKey into the same slot */ if ((wrappingKey->slot == NULL) || (symKey->slot != wrappingKey->slot)) { - /* first try copying the wrapping Key to the symKey slot */ - if (symKey->slot && PK11_DoesMechanism(symKey->slot,type)) { - newKey = pk11_CopyToSlot(symKey->slot,type,CKA_WRAP,wrappingKey); - } - /* Nope, try it the other way */ - if (newKey == NULL) { - if (wrappingKey->slot) { - newKey = pk11_CopyToSlot(wrappingKey->slot, - symKey->type, CKA_ENCRYPT, symKey); - } - /* just not playing... one last thing, can we get symKey's data? - * If it's possible, we it should already be in the - * symKey->data.data pointer because pk11_CopyToSlot would have - * tried to put it there. */ - if (newKey == NULL) { - /* Can't get symKey's data: Game Over */ - if (symKey->data.data == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return SECFailure; - } - if (param == NULL) { - param_save = param = PK11_ParamFromIV(type,NULL); - } - rv = pk11_HandWrap(wrappingKey, param, type, - &symKey->data,wrappedKey); - if (param_save) SECITEM_FreeItem(param_save,PR_TRUE); - return rv; - } - /* we successfully moved the sym Key */ - symKey = newKey; - } else { - /* we successfully moved the wrapping Key */ - wrappingKey = newKey; - } + /* first try copying the wrapping Key to the symKey slot */ + if (symKey->slot && PK11_DoesMechanism(symKey->slot, type)) { + newKey = pk11_CopyToSlot(symKey->slot, type, CKA_WRAP, wrappingKey); + } + /* Nope, try it the other way */ + if (newKey == NULL) { + if (wrappingKey->slot) { + newKey = pk11_CopyToSlot(wrappingKey->slot, + symKey->type, CKA_ENCRYPT, symKey); + } + /* just not playing... one last thing, can we get symKey's data? + * If it's possible, we it should already be in the + * symKey->data.data pointer because pk11_CopyToSlot would have + * tried to put it there. */ + if (newKey == NULL) { + /* Can't get symKey's data: Game Over */ + if (symKey->data.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; + } + if (param == NULL) { + param_save = param = PK11_ParamFromIV(type, NULL); + } + rv = pk11_HandWrap(wrappingKey, param, type, + &symKey->data, wrappedKey); + if (param_save) + SECITEM_FreeItem(param_save, PR_TRUE); + return rv; + } + /* we successfully moved the sym Key */ + symKey = newKey; + } else { + /* we successfully moved the wrapping Key */ + wrappingKey = newKey; + } } /* at this point both keys are in the same token */ @@ -1345,224 +1385,231 @@ PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, mechanism.mechanism = type; /* use NULL IV's for wrapping */ if (param == NULL) { - param_save = param = PK11_ParamFromIV(type,NULL); + param_save = param = PK11_ParamFromIV(type, NULL); } if (param) { - mechanism.pParameter = param->data; - mechanism.ulParameterLen = param->len; + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; } else { - mechanism.pParameter = NULL; - mechanism.ulParameterLen = 0; + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; } len = wrappedKey->len; - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism, - wrappingKey->objectID, symKey->objectID, - wrappedKey->data, &len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + wrappingKey->objectID, symKey->objectID, + wrappedKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); rv = SECSuccess; if (crv != CKR_OK) { - /* can't wrap it? try hand wrapping it... */ - do { - if (symKey->data.data == NULL) { - rv = PK11_ExtractKeyValue(symKey); - if (rv != SECSuccess) break; - } - rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data, - wrappedKey); - } while (PR_FALSE); + /* can't wrap it? try hand wrapping it... */ + do { + if (symKey->data.data == NULL) { + rv = PK11_ExtractKeyValue(symKey); + if (rv != SECSuccess) + break; + } + rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data, + wrappedKey); + } while (PR_FALSE); } else { wrappedKey->len = len; } - if (newKey) PK11_FreeSymKey(newKey); - if (param_save) SECITEM_FreeItem(param_save,PR_TRUE); + if (newKey) + PK11_FreeSymKey(newKey); + if (param_save) + SECITEM_FreeItem(param_save, PR_TRUE); return rv; -} +} /* * This Generates a new key based on a symetricKey */ PK11SymKey * -PK11_Derive( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize) +PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize) { - return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, - keySize, NULL, 0, PR_FALSE); + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, NULL, 0, PR_FALSE); } - PK11SymKey * -PK11_DeriveWithFlags( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, - SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags) +PK11_DeriveWithFlags(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags) { - CK_BBOOL ckTrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - unsigned int templateCount; + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); - return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, - keySize, keyTemplate, templateCount, PR_FALSE); + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, keyTemplate, templateCount, PR_FALSE); } PK11SymKey * -PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, - SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags, PRBool isPerm) +PK11_DeriveWithFlagsPerm(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm) { - CK_BBOOL cktrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - CK_ATTRIBUTE *attrs; - unsigned int templateCount = 0; + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount = 0; attrs = keyTemplate; if (isPerm) { - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; } templateCount = attrs - keyTemplate; templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); - return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, - keySize, keyTemplate, templateCount, isPerm); + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, keyTemplate, templateCount, isPerm); } PK11SymKey * -PK11_DeriveWithTemplate( PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, - SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, - PRBool isPerm) -{ - PK11SlotInfo * slot = baseKey->slot; - PK11SymKey * symKey; - PK11SymKey * newBaseKey = NULL; - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG valueLen = 0; - CK_MECHANISM mechanism; - CK_RV crv; +PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, + PRBool isPerm) +{ + PK11SlotInfo *slot = baseKey->slot; + PK11SymKey *symKey; + PK11SymKey *newBaseKey = NULL; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG valueLen = 0; + CK_MECHANISM mechanism; + CK_RV crv; #define MAX_ADD_ATTRS 4 - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; #undef MAX_ADD_ATTRS - CK_ATTRIBUTE * attrs = keyTemplate; + CK_ATTRIBUTE *attrs = keyTemplate; CK_SESSION_HANDLE session; - unsigned int templateCount; + unsigned int templateCount; if (numAttrs > MAX_TEMPL_ATTRS) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } /* first copy caller attributes in. */ for (templateCount = 0; templateCount < numAttrs; ++templateCount) { - *attrs++ = *userAttr++; + *attrs++ = *userAttr++; } /* We only add the following attributes to the template if the caller ** didn't already supply them. */ if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) { - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); - attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); + attrs++; } if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) { - keyType = PK11_GetKeyType(target, keySize); - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType ); - attrs++; + keyType = PK11_GetKeyType(target, keySize); + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType); + attrs++; } if (keySize > 0 && - !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { - valueLen = (CK_ULONG)keySize; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); - attrs++; + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { + valueLen = (CK_ULONG)keySize; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); + attrs++; } if ((operation != CKA_FLAGS_ONLY) && - !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { - PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); attrs++; + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); + attrs++; } templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); /* move the key to a slot that can do the function */ - if (!PK11_DoesMechanism(slot,derive)) { - /* get a new base key & slot */ - PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx); + if (!PK11_DoesMechanism(slot, derive)) { + /* get a new base key & slot */ + PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx); - if (newSlot == NULL) return NULL; + if (newSlot == NULL) + return NULL; - newBaseKey = pk11_CopyToSlot (newSlot, derive, CKA_DERIVE, - baseKey); - PK11_FreeSlot(newSlot); - if (newBaseKey == NULL) - return NULL; - baseKey = newBaseKey; - slot = baseKey->slot; + newBaseKey = pk11_CopyToSlot(newSlot, derive, CKA_DERIVE, + baseKey); + PK11_FreeSlot(newSlot); + if (newBaseKey == NULL) + return NULL; + baseKey = newBaseKey; + slot = baseKey->slot; } - /* get our key Structure */ symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, baseKey->cx); if (symKey == NULL) { - return NULL; + return NULL; } symKey->size = keySize; mechanism.mechanism = derive; if (param) { - mechanism.pParameter = param->data; - mechanism.ulParameterLen = param->len; + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; } else { - mechanism.pParameter = NULL; - mechanism.ulParameterLen = 0; + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; } - symKey->origin=PK11_OriginDerive; + symKey->origin = PK11_OriginDerive; if (isPerm) { - session = PK11_GetRWSession(slot); + session = PK11_GetRWSession(slot); } else { pk11_EnterKeyMonitor(symKey); - session = symKey->session; + session = symKey->session; } if (session == CK_INVALID_SESSION) { - if (!isPerm) - pk11_ExitKeyMonitor(symKey); - crv = CKR_SESSION_HANDLE_INVALID; + if (!isPerm) + pk11_ExitKeyMonitor(symKey); + crv = CKR_SESSION_HANDLE_INVALID; } else { - crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism, - baseKey->objectID, keyTemplate, templateCount, &symKey->objectID); - if (isPerm) { - PK11_RestoreROSession(slot, session); - } else { - pk11_ExitKeyMonitor(symKey); - } - } - if (newBaseKey) - PK11_FreeSymKey(newBaseKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism, + baseKey->objectID, keyTemplate, templateCount, &symKey->objectID); + if (isPerm) { + PK11_RestoreROSession(slot, session); + } else { + pk11_ExitKeyMonitor(symKey); + } + } + if (newBaseKey) + PK11_FreeSymKey(newBaseKey); if (crv != CKR_OK) { - PK11_FreeSymKey(symKey); - return NULL; + PK11_FreeSymKey(symKey); + return NULL; } return symKey; } /* Create a new key by concatenating base and data */ -static PK11SymKey *pk11_ConcatenateBaseAndData(PK11SymKey *base, - CK_BYTE *data, CK_ULONG dataLen, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation) +static PK11SymKey * +pk11_ConcatenateBaseAndData(PK11SymKey *base, + CK_BYTE *data, CK_ULONG dataLen, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation) { CK_KEY_DERIVATION_STRING_DATA mechParams; SECItem param; if (base == NULL) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } mechParams.pData = data; @@ -1571,45 +1618,48 @@ static PK11SymKey *pk11_ConcatenateBaseAndData(PK11SymKey *base, param.len = sizeof(CK_KEY_DERIVATION_STRING_DATA); return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_DATA, - ¶m, target, operation, 0); + ¶m, target, operation, 0); } /* Create a new key by concatenating base and key */ -static PK11SymKey *pk11_ConcatenateBaseAndKey(PK11SymKey *base, - PK11SymKey *key, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) +static PK11SymKey * +pk11_ConcatenateBaseAndKey(PK11SymKey *base, + PK11SymKey *key, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) { SECItem param; if ((base == NULL) || (key == NULL)) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } param.data = (unsigned char *)&(key->objectID); param.len = sizeof(CK_OBJECT_HANDLE); return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_KEY, - ¶m, target, operation, keySize); + ¶m, target, operation, keySize); } /* Create a new key whose value is the hash of tobehashed. * type is the mechanism for the derived key. */ -static PK11SymKey *pk11_HashKeyDerivation(PK11SymKey *toBeHashed, - CK_MECHANISM_TYPE hashMechanism, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) +static PK11SymKey * +pk11_HashKeyDerivation(PK11SymKey *toBeHashed, + CK_MECHANISM_TYPE hashMechanism, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) { return PK11_Derive(toBeHashed, hashMechanism, NULL, target, operation, keySize); } /* This function implements the ANSI X9.63 key derivation function */ -static PK11SymKey *pk11_ANSIX963Derive(PK11SymKey *sharedSecret, - CK_EC_KDF_TYPE kdf, SECItem *sharedData, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - CK_ULONG keySize) +static PK11SymKey * +pk11_ANSIX963Derive(PK11SymKey *sharedSecret, + CK_EC_KDF_TYPE kdf, SECItem *sharedData, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + CK_ULONG keySize) { CK_KEY_TYPE keyType; CK_MECHANISM_TYPE hashMechanism, mechanismArray[4]; @@ -1621,70 +1671,70 @@ static PK11SymKey *pk11_ANSIX963Derive(PK11SymKey *sharedSecret, PK11SymKey *oldIntermediateResult, *intermediateResult = NULL; if (sharedSecret == NULL) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } switch (kdf) { - case CKD_SHA1_KDF: - HashLen = SHA1_LENGTH; - hashMechanism = CKM_SHA1_KEY_DERIVATION; - break; - case CKD_SHA224_KDF: - HashLen = SHA224_LENGTH; - hashMechanism = CKM_SHA224_KEY_DERIVATION; - break; - case CKD_SHA256_KDF: - HashLen = SHA256_LENGTH; - hashMechanism = CKM_SHA256_KEY_DERIVATION; - break; - case CKD_SHA384_KDF: - HashLen = SHA384_LENGTH; - hashMechanism = CKM_SHA384_KEY_DERIVATION; - break; - case CKD_SHA512_KDF: - HashLen = SHA512_LENGTH; - hashMechanism = CKM_SHA512_KEY_DERIVATION; - break; - default: - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + case CKD_SHA1_KDF: + HashLen = SHA1_LENGTH; + hashMechanism = CKM_SHA1_KEY_DERIVATION; + break; + case CKD_SHA224_KDF: + HashLen = SHA224_LENGTH; + hashMechanism = CKM_SHA224_KEY_DERIVATION; + break; + case CKD_SHA256_KDF: + HashLen = SHA256_LENGTH; + hashMechanism = CKM_SHA256_KEY_DERIVATION; + break; + case CKD_SHA384_KDF: + HashLen = SHA384_LENGTH; + hashMechanism = CKM_SHA384_KEY_DERIVATION; + break; + case CKD_SHA512_KDF: + HashLen = SHA512_LENGTH; + hashMechanism = CKM_SHA512_KEY_DERIVATION; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } derivedKeySize = keySize; if (derivedKeySize == 0) { - keyType = PK11_GetKeyType(target,keySize); - derivedKeySize = pk11_GetPredefinedKeyLength(keyType); - if (derivedKeySize == 0) { - derivedKeySize = HashLen; - } + keyType = PK11_GetKeyType(target, keySize); + derivedKeySize = pk11_GetPredefinedKeyLength(keyType); + if (derivedKeySize == 0) { + derivedKeySize = HashLen; + } } /* Check that key_len isn't too long. The maximum key length could be * greatly increased if the code below did not limit the 4-byte counter * to a maximum value of 255. */ if (derivedKeySize > 254 * HashLen) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } maxCounter = derivedKeySize / HashLen; if (derivedKeySize > maxCounter * HashLen) - maxCounter++; + maxCounter++; if ((sharedData == NULL) || (sharedData->data == NULL)) - SharedInfoLen = 0; + SharedInfoLen = 0; else - SharedInfoLen = sharedData->len; + SharedInfoLen = sharedData->len; bufferLen = SharedInfoLen + 4; - + /* Populate buffer with Counter || sharedData * where Counter is 0x00000001. */ buffer = (unsigned char *)PORT_Alloc(bufferLen); if (buffer == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } buffer[0] = 0; @@ -1692,7 +1742,7 @@ static PK11SymKey *pk11_ANSIX963Derive(PK11SymKey *sharedSecret, buffer[2] = 0; buffer[3] = 1; if (SharedInfoLen > 0) { - PORT_Memcpy(&buffer[4], sharedData->data, SharedInfoLen); + PORT_Memcpy(&buffer[4], sharedData->data, SharedInfoLen); } /* Look for a slot that supports the mechanisms needed @@ -1705,82 +1755,81 @@ static PK11SymKey *pk11_ANSIX963Derive(PK11SymKey *sharedSecret, mechanismArray[3] = target; newSharedSecret = pk11_ForceSlotMultiple(sharedSecret, - mechanismArray, 4, operation); + mechanismArray, 4, operation); if (newSharedSecret != NULL) { - sharedSecret = newSharedSecret; - } - - for(counter=1; counter <= maxCounter; counter++) { - /* Concatenate shared_secret and buffer */ - toBeHashed = pk11_ConcatenateBaseAndData(sharedSecret, buffer, - bufferLen, hashMechanism, operation); - if (toBeHashed == NULL) { - goto loser; - } - - /* Hash value */ - if (maxCounter == 1) { - /* In this case the length of the key to be derived is - * less than or equal to the length of the hash output. - * So, the output of the hash operation will be the - * dervied key. */ - hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, - target, operation, keySize); - } else { - /* In this case, the output of the hash operation will be - * concatenated with other data to create the derived key. */ - hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, - CKM_CONCATENATE_BASE_AND_KEY, operation, 0); - } - PK11_FreeSymKey(toBeHashed); - if (hashOutput == NULL) { - goto loser; - } - - /* Append result to intermediate result, if necessary */ - oldIntermediateResult = intermediateResult; - - if (oldIntermediateResult == NULL) { - intermediateResult = hashOutput; - } else { - if (counter == maxCounter) { - /* This is the final concatenation, and so the output - * will be the derived key. */ - intermediateResult = - pk11_ConcatenateBaseAndKey(oldIntermediateResult, - hashOutput, target, operation, keySize); - } else { - /* The output of this concatenation will be concatenated - * with other data to create the derived key. */ - intermediateResult = - pk11_ConcatenateBaseAndKey(oldIntermediateResult, - hashOutput, CKM_CONCATENATE_BASE_AND_KEY, - operation, 0); - } - - PK11_FreeSymKey(hashOutput); - PK11_FreeSymKey(oldIntermediateResult); - if (intermediateResult == NULL) { - goto loser; - } - } - - /* Increment counter (assumes maxCounter < 255) */ - buffer[3]++; + sharedSecret = newSharedSecret; + } + + for (counter = 1; counter <= maxCounter; counter++) { + /* Concatenate shared_secret and buffer */ + toBeHashed = pk11_ConcatenateBaseAndData(sharedSecret, buffer, + bufferLen, hashMechanism, operation); + if (toBeHashed == NULL) { + goto loser; + } + + /* Hash value */ + if (maxCounter == 1) { + /* In this case the length of the key to be derived is + * less than or equal to the length of the hash output. + * So, the output of the hash operation will be the + * dervied key. */ + hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, + target, operation, keySize); + } else { + /* In this case, the output of the hash operation will be + * concatenated with other data to create the derived key. */ + hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, + CKM_CONCATENATE_BASE_AND_KEY, operation, 0); + } + PK11_FreeSymKey(toBeHashed); + if (hashOutput == NULL) { + goto loser; + } + + /* Append result to intermediate result, if necessary */ + oldIntermediateResult = intermediateResult; + + if (oldIntermediateResult == NULL) { + intermediateResult = hashOutput; + } else { + if (counter == maxCounter) { + /* This is the final concatenation, and so the output + * will be the derived key. */ + intermediateResult = + pk11_ConcatenateBaseAndKey(oldIntermediateResult, + hashOutput, target, operation, keySize); + } else { + /* The output of this concatenation will be concatenated + * with other data to create the derived key. */ + intermediateResult = + pk11_ConcatenateBaseAndKey(oldIntermediateResult, + hashOutput, CKM_CONCATENATE_BASE_AND_KEY, + operation, 0); + } + + PK11_FreeSymKey(hashOutput); + PK11_FreeSymKey(oldIntermediateResult); + if (intermediateResult == NULL) { + goto loser; + } + } + + /* Increment counter (assumes maxCounter < 255) */ + buffer[3]++; } PORT_ZFree(buffer, bufferLen); if (newSharedSecret != NULL) - PK11_FreeSymKey(newSharedSecret); + PK11_FreeSymKey(newSharedSecret); return intermediateResult; loser: - if (buffer != NULL) - PORT_ZFree(buffer, bufferLen); + PORT_ZFree(buffer, bufferLen); if (newSharedSecret != NULL) - PK11_FreeSymKey(newSharedSecret); + PK11_FreeSymKey(newSharedSecret); if (intermediateResult != NULL) - PK11_FreeSymKey(intermediateResult); + PK11_FreeSymKey(intermediateResult); return NULL; } @@ -1789,451 +1838,452 @@ loser: * random numbers. For Mail usage RandomB should be NULL. In the Sender's * case RandomA is generate, outherwize it is passed. */ -static unsigned char *rb_email = NULL; - PK11SymKey * -PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, - PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) +PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx) { PK11SlotInfo *slot = privKey->pkcs11Slot; CK_MECHANISM mechanism; PK11SymKey *symKey; CK_RV crv; - - if (rb_email == NULL) { - rb_email = PORT_ZAlloc(128); - if (rb_email == NULL) { - return NULL; - } - rb_email[127] = 1; - } - /* get our key Structure */ symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx); if (symKey == NULL) { - return NULL; + return NULL; } symKey->origin = PK11_OriginDerive; switch (privKey->keyType) { - case rsaKey: - case rsaPssKey: - case rsaOaepKey: - case nullKey: - PORT_SetError(SEC_ERROR_BAD_KEY); - break; - case dsaKey: - case keaKey: - case fortezzaKey: - { - CK_KEA_DERIVE_PARAMS param; - param.isSender = (CK_BBOOL) isSender; - param.ulRandomLen = randomA->len; - param.pRandomA = randomA->data; - param.pRandomB = rb_email; - if (randomB) - param.pRandomB = randomB->data; - if (pubKey->keyType == fortezzaKey) { - param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; - param.pPublicData = pubKey->u.fortezza.KEAKey.data; - } else { - /* assert type == keaKey */ - /* XXX change to match key key types */ - param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; - param.pPublicData = pubKey->u.fortezza.KEAKey.data; - } - - mechanism.mechanism = derive; - mechanism.pParameter = ¶m; - mechanism.ulParameterLen = sizeof(param); - - /* get a new symKey structure */ - pk11_EnterKeyMonitor(symKey); - crv=PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, - privKey->pkcs11ID, NULL, 0, &symKey->objectID); - pk11_ExitKeyMonitor(symKey); - if (crv == CKR_OK) return symKey; - PORT_SetError( PK11_MapError(crv) ); - } - break; - case dhKey: - { - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG key_size = 0; - CK_ATTRIBUTE keyTemplate[4]; - int templateCount; - CK_ATTRIBUTE *attrs = keyTemplate; - - if (pubKey->keyType != dhKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - break; - } - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); - attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); - attrs++; - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); - attrs++; - templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); - - keyType = PK11_GetKeyType(target,keySize); - key_size = keySize; - symKey->size = keySize; - if (key_size == 0) templateCount--; - - mechanism.mechanism = derive; - - /* we can undefine these when we define diffie-helman keys */ - - mechanism.pParameter = pubKey->u.dh.publicValue.data; - mechanism.ulParameterLen = pubKey->u.dh.publicValue.len; - - pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, - privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID); - pk11_ExitKeyMonitor(symKey); - if (crv == CKR_OK) return symKey; - PORT_SetError( PK11_MapError(crv) ); - } - break; - case ecKey: - { - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG key_size = 0; - CK_ATTRIBUTE keyTemplate[4]; - int templateCount; - CK_ATTRIBUTE *attrs = keyTemplate; - CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; - - if (pubKey->keyType != ecKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - break; - } - - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); - attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); - attrs++; - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); - attrs++; - templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); - - keyType = PK11_GetKeyType(target,keySize); - key_size = keySize; - if (key_size == 0) { - if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { - templateCount --; - } else { - /* sigh, some tokens can't figure this out and require - * CKA_VALUE_LEN to be set */ - key_size = SHA1_LENGTH; - } - } - symKey->size = key_size; - - mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); - mechParams->kdf = CKD_SHA1_KDF; - mechParams->ulSharedDataLen = 0; - mechParams->pSharedData = NULL; - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; - - mechanism.mechanism = derive; - mechanism.pParameter = mechParams; - mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); - - pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, &symKey->objectID); - pk11_ExitKeyMonitor(symKey); - - /* old PKCS #11 spec was ambiguous on what needed to be passed, - * try this again with and encoded public key */ - if (crv != CKR_OK) { - SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - break; - } - mechParams->ulPublicDataLen = pubValue->len; - mechParams->pPublicData = pubValue->data; - - pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, &symKey->objectID); - pk11_ExitKeyMonitor(symKey); - - SECITEM_FreeItem(pubValue,PR_TRUE); - } - - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - - if (crv == CKR_OK) return symKey; - PORT_SetError( PK11_MapError(crv) ); - } - } - - PK11_FreeSymKey(symKey); - return NULL; + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + case nullKey: + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + case dsaKey: + case keaKey: + case fortezzaKey: { + static unsigned char rb_email[128] = { 0 }; + CK_KEA_DERIVE_PARAMS param; + param.isSender = (CK_BBOOL)isSender; + param.ulRandomLen = randomA->len; + param.pRandomA = randomA->data; + param.pRandomB = rb_email; + param.pRandomB[127] = 1; + if (randomB) + param.pRandomB = randomB->data; + if (pubKey->keyType == fortezzaKey) { + param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; + param.pPublicData = pubKey->u.fortezza.KEAKey.data; + } else { + /* assert type == keaKey */ + /* XXX change to match key key types */ + param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; + param.pPublicData = pubKey->u.fortezza.KEAKey.data; + } + + mechanism.mechanism = derive; + mechanism.pParameter = ¶m; + mechanism.ulParameterLen = sizeof(param); + + /* get a new symKey structure */ + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, NULL, 0, + &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } break; + case dhKey: { + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + + if (pubKey->keyType != dhKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target, keySize); + key_size = keySize; + symKey->size = keySize; + if (key_size == 0) + templateCount--; + + mechanism.mechanism = derive; + + /* we can undefine these when we define diffie-helman keys */ + + mechanism.pParameter = pubKey->u.dh.publicValue.data; + mechanism.ulParameterLen = pubKey->u.dh.publicValue.len; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } break; + case ecKey: { + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; + + if (pubKey->keyType != ecKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target, keySize); + key_size = keySize; + if (key_size == 0) { + if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { + templateCount--; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + key_size = SHA1_LENGTH; + } + } + symKey->size = key_size; + + mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); + mechParams->kdf = CKD_SHA1_KDF; + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + mechanism.mechanism = derive; + mechanism.pParameter = mechParams; + mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this again with and encoded public key */ + if (crv != CKR_OK) { + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + break; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + SECITEM_FreeItem(pubValue, PR_TRUE); + } + + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } + } + + PK11_FreeSymKey(symKey); + return NULL; } /* Returns the size of the public key, or 0 if there * is an error. */ static CK_ULONG -pk11_ECPubKeySize(SECItem *publicValue) +pk11_ECPubKeySize(SECKEYPublicKey *pubKey) { + SECItem *publicValue = &pubKey->u.ec.publicValue; + + if (pubKey->u.ec.encoding == ECPoint_XOnly) { + return publicValue->len; + } if (publicValue->data[0] == 0x04) { - /* key encoded in uncompressed form */ - return((publicValue->len - 1)/2); - } else if ( (publicValue->data[0] == 0x02) || - (publicValue->data[0] == 0x03)) { - /* key encoded in compressed form */ - return(publicValue->len - 1); + /* key encoded in uncompressed form */ + return ((publicValue->len - 1) / 2); } /* key encoding not recognized */ - return(0); + return 0; } static PK11SymKey * pk11_PubDeriveECKeyWithKDF( - SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, - PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_ULONG kdf, SECItem *sharedData, void *wincx) -{ - PK11SlotInfo *slot = privKey->pkcs11Slot; - PK11SymKey *symKey; - PK11SymKey *SharedSecret; - CK_MECHANISM mechanism; - CK_RV crv; - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG key_size = 0; - CK_ATTRIBUTE keyTemplate[4]; - int templateCount; - CK_ATTRIBUTE *attrs = keyTemplate; - CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) +{ + PK11SlotInfo *slot = privKey->pkcs11Slot; + PK11SymKey *symKey; + PK11SymKey *SharedSecret; + CK_MECHANISM mechanism; + CK_RV crv; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; if (pubKey->keyType != ecKey) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return NULL; + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; } if ((kdf != CKD_NULL) && (kdf != CKD_SHA1_KDF) && - (kdf != CKD_SHA224_KDF) && (kdf != CKD_SHA256_KDF) && - (kdf != CKD_SHA384_KDF) && (kdf != CKD_SHA512_KDF)) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + (kdf != CKD_SHA224_KDF) && (kdf != CKD_SHA256_KDF) && + (kdf != CKD_SHA384_KDF) && (kdf != CKD_SHA512_KDF)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; } /* get our key Structure */ symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx); if (symKey == NULL) { - return NULL; + return NULL; } symKey->origin = PK11_OriginDerive; - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++; - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); attrs++; - templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); - keyType = PK11_GetKeyType(target,keySize); + keyType = PK11_GetKeyType(target, keySize); key_size = keySize; if (key_size == 0) { - if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { - templateCount --; - } else { - /* sigh, some tokens can't figure this out and require - * CKA_VALUE_LEN to be set */ - switch (kdf) { - case CKD_NULL: - key_size = pk11_ECPubKeySize(&pubKey->u.ec.publicValue); - if (key_size == 0) { - PK11_FreeSymKey(symKey); - return NULL; - } - break; - case CKD_SHA1_KDF: - key_size = SHA1_LENGTH; - break; - case CKD_SHA224_KDF: - key_size = SHA224_LENGTH; - break; - case CKD_SHA256_KDF: - key_size = SHA256_LENGTH; - break; - case CKD_SHA384_KDF: - key_size = SHA384_LENGTH; - break; - case CKD_SHA512_KDF: - key_size = SHA512_LENGTH; - break; - default: - PORT_Assert(!"Invalid CKD"); - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; - } - } + if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { + templateCount--; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + switch (kdf) { + case CKD_NULL: + key_size = pk11_ECPubKeySize(pubKey); + if (key_size == 0) { + PK11_FreeSymKey(symKey); + return NULL; + } + break; + case CKD_SHA1_KDF: + key_size = SHA1_LENGTH; + break; + case CKD_SHA224_KDF: + key_size = SHA224_LENGTH; + break; + case CKD_SHA256_KDF: + key_size = SHA256_LENGTH; + break; + case CKD_SHA384_KDF: + key_size = SHA384_LENGTH; + break; + case CKD_SHA512_KDF: + key_size = SHA512_LENGTH; + break; + default: + PORT_Assert(!"Invalid CKD"); + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + } } symKey->size = key_size; mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); if (!mechParams) { - PK11_FreeSymKey(symKey); - return NULL; + PK11_FreeSymKey(symKey); + return NULL; } mechParams->kdf = kdf; if (sharedData == NULL) { - mechParams->ulSharedDataLen = 0; - mechParams->pSharedData = NULL; + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; } else { - mechParams->ulSharedDataLen = sharedData->len; - mechParams->pSharedData = sharedData->data; + mechParams->ulSharedDataLen = sharedData->len; + mechParams->pSharedData = sharedData->data; } - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; - mechanism.mechanism = derive; - mechanism.pParameter = mechParams; + mechanism.mechanism = derive; + mechanism.pParameter = mechParams; mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, - privKey->pkcs11ID, keyTemplate, templateCount, &symKey->objectID); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); pk11_ExitKeyMonitor(symKey); /* old PKCS #11 spec was ambiguous on what needed to be passed, * try this again with an encoded public key */ if (crv != CKR_OK) { - SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - goto loser; - } - mechParams->ulPublicDataLen = pubValue->len; - mechParams->pPublicData = pubValue->data; - - pk11_EnterKeyMonitor(symKey); - crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, &symKey->objectID); - pk11_ExitKeyMonitor(symKey); - - if ((crv != CKR_OK) && (kdf != CKD_NULL)) { - /* Some PKCS #11 libraries cannot perform the key derivation - * function. So, try calling C_DeriveKey with CKD_NULL and then - * performing the KDF separately. - */ - CK_ULONG derivedKeySize = key_size; - - keyType = CKK_GENERIC_SECRET; - key_size = pk11_ECPubKeySize(&pubKey->u.ec.publicValue); - if (key_size == 0) { - SECITEM_FreeItem(pubValue,PR_TRUE); - goto loser; - } - SharedSecret = symKey; - SharedSecret->size = key_size; - - mechParams->kdf = CKD_NULL; - mechParams->ulSharedDataLen = 0; - mechParams->pSharedData = NULL; - mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; - mechParams->pPublicData = pubKey->u.ec.publicValue.data; - - pk11_EnterKeyMonitor(SharedSecret); - crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, &SharedSecret->objectID); - pk11_ExitKeyMonitor(SharedSecret); - - if (crv != CKR_OK) { - /* old PKCS #11 spec was ambiguous on what needed to be passed, - * try this one final time with an encoded public key */ - mechParams->ulPublicDataLen = pubValue->len; - mechParams->pPublicData = pubValue->data; - - pk11_EnterKeyMonitor(SharedSecret); - crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, - &mechanism, privKey->pkcs11ID, keyTemplate, - templateCount, &SharedSecret->objectID); - pk11_ExitKeyMonitor(SharedSecret); - } - - /* Perform KDF. */ - if (crv == CKR_OK) { - symKey = pk11_ANSIX963Derive(SharedSecret, kdf, - sharedData, target, operation, - derivedKeySize); - PK11_FreeSymKey(SharedSecret); - if (symKey == NULL) { - SECITEM_FreeItem(pubValue,PR_TRUE); - PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); - return NULL; - } - } - } - SECITEM_FreeItem(pubValue,PR_TRUE); + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + goto loser; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + if ((crv != CKR_OK) && (kdf != CKD_NULL)) { + /* Some PKCS #11 libraries cannot perform the key derivation + * function. So, try calling C_DeriveKey with CKD_NULL and then + * performing the KDF separately. + */ + CK_ULONG derivedKeySize = key_size; + + keyType = CKK_GENERIC_SECRET; + key_size = pk11_ECPubKeySize(pubKey); + if (key_size == 0) { + SECITEM_FreeItem(pubValue, PR_TRUE); + goto loser; + } + SharedSecret = symKey; + SharedSecret->size = key_size; + + mechParams->kdf = CKD_NULL; + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + pk11_EnterKeyMonitor(SharedSecret); + crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &SharedSecret->objectID); + pk11_ExitKeyMonitor(SharedSecret); + + if (crv != CKR_OK) { + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this one final time with an encoded public key */ + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(SharedSecret); + crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &SharedSecret->objectID); + pk11_ExitKeyMonitor(SharedSecret); + } + + /* Perform KDF. */ + if (crv == CKR_OK) { + symKey = pk11_ANSIX963Derive(SharedSecret, kdf, + sharedData, target, operation, + derivedKeySize); + PK11_FreeSymKey(SharedSecret); + if (symKey == NULL) { + SECITEM_FreeItem(pubValue, PR_TRUE); + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + return NULL; + } + } + } + SECITEM_FreeItem(pubValue, PR_TRUE); } loser: PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); if (crv != CKR_OK) { - PK11_FreeSymKey(symKey); - symKey = NULL; - PORT_SetError( PK11_MapError(crv) ); + PK11_FreeSymKey(symKey); + symKey = NULL; + PORT_SetError(PK11_MapError(crv)); } return symKey; } PK11SymKey * -PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, - PRBool isSender, SECItem *randomA, SECItem *randomB, - CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_ULONG kdf, SECItem *sharedData, void *wincx) +PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) { switch (privKey->keyType) { - case rsaKey: - case nullKey: - case dsaKey: - case keaKey: - case fortezzaKey: - case dhKey: - return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB, - derive, target, operation, keySize, wincx); - case ecKey: - return pk11_PubDeriveECKeyWithKDF( privKey, pubKey, isSender, - randomA, randomB, derive, target, operation, keySize, - kdf, sharedData, wincx); - default: - PORT_SetError(SEC_ERROR_BAD_KEY); - break; + case rsaKey: + case nullKey: + case dsaKey: + case keaKey: + case fortezzaKey: + case dhKey: + return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB, + derive, target, operation, keySize, wincx); + case ecKey: + return pk11_PubDeriveECKeyWithKDF(privKey, pubKey, isSender, + randomA, randomB, derive, target, + operation, keySize, + kdf, sharedData, wincx); + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + break; } return NULL; @@ -2246,9 +2296,9 @@ PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, */ static PK11SymKey * pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, - CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, - int key_size, void * wincx, CK_RV *crvp, PRBool isPerm) + CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, + int key_size, void *wincx, CK_RV *crvp, PRBool isPerm) { CK_ULONG len; SECItem outKey; @@ -2258,66 +2308,74 @@ pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, CK_SESSION_HANDLE session; /* remove any VALUE_LEN parameters */ - if (keyTemplate[templateCount-1].type == CKA_VALUE_LEN) { + if (keyTemplate[templateCount - 1].type == CKA_VALUE_LEN) { templateCount--; } /* keys are almost always aligned, but if we get this far, * we've gone above and beyond anyway... */ - outKey.data = (unsigned char*)PORT_Alloc(inKey->len); + outKey.data = (unsigned char *)PORT_Alloc(inKey->len); if (outKey.data == NULL) { - PORT_SetError( SEC_ERROR_NO_MEMORY ); - if (crvp) *crvp = CKR_HOST_MEMORY; - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + if (crvp) + *crvp = CKR_HOST_MEMORY; + return NULL; } len = inKey->len; /* use NULL IV's for wrapping */ - session = pk11_GetNewSession(slot,&owner); - if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_DecryptInit(session,mech,wrappingKey); + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, wrappingKey); if (crv != CKR_OK) { - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_Free(outKey.data); - PORT_SetError( PK11_MapError(crv) ); - if (crvp) *crvp =crv; - return NULL; - } - crv = PK11_GETTAB(slot)->C_Decrypt(session,inKey->data,inKey->len, - outKey.data, &len); - if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_Free(outKey.data); + PORT_SetError(PK11_MapError(crv)); + if (crvp) + *crvp = crv; + return NULL; + } + crv = PK11_GETTAB(slot)->C_Decrypt(session, inKey->data, inKey->len, + outKey.data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); if (crv != CKR_OK) { - PORT_Free(outKey.data); - PORT_SetError( PK11_MapError(crv) ); - if (crvp) *crvp =crv; - return NULL; + PORT_Free(outKey.data); + PORT_SetError(PK11_MapError(crv)); + if (crvp) + *crvp = crv; + return NULL; } outKey.len = (key_size == 0) ? len : key_size; outKey.type = siBuffer; - if (PK11_DoesMechanism(slot,target)) { - symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, - isPerm, keyTemplate, - templateCount, &outKey, wincx); + if (PK11_DoesMechanism(slot, target)) { + symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, + isPerm, keyTemplate, + templateCount, &outKey, wincx); } else { - slot = PK11_GetBestSlot(target,wincx); - if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - PORT_Free(outKey.data); - if (crvp) *crvp = CKR_DEVICE_ERROR; - return NULL; - } - symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, - isPerm, keyTemplate, - templateCount, &outKey, wincx); - PK11_FreeSlot(slot); + slot = PK11_GetBestSlot(target, wincx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + PORT_Free(outKey.data); + if (crvp) + *crvp = CKR_DEVICE_ERROR; + return NULL; + } + symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, + isPerm, keyTemplate, + templateCount, &outKey, wincx); + PK11_FreeSlot(slot); } PORT_Free(outKey.data); - if (crvp) *crvp = symKey? CKR_OK : CKR_DEVICE_ERROR; + if (crvp) + *crvp = symKey ? CKR_OK : CKR_DEVICE_ERROR; return symKey; } @@ -2328,311 +2386,319 @@ pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, */ static PK11SymKey * pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, - CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, - void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm) -{ - PK11SymKey * symKey; - SECItem * param_free = NULL; - CK_BBOOL cktrue = CK_TRUE; - CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; - CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; - CK_ULONG valueLen = 0; - CK_MECHANISM mechanism; + CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, + void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm) +{ + PK11SymKey *symKey; + SECItem *param_free = NULL; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG valueLen = 0; + CK_MECHANISM mechanism; CK_SESSION_HANDLE rwsession; - CK_RV crv; + CK_RV crv; CK_MECHANISM_INFO mechanism_info; #define MAX_ADD_ATTRS 4 - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; #undef MAX_ADD_ATTRS - CK_ATTRIBUTE * attrs = keyTemplate; - unsigned int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + unsigned int templateCount; if (numAttrs > MAX_TEMPL_ATTRS) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } /* first copy caller attributes in. */ for (templateCount = 0; templateCount < numAttrs; ++templateCount) { - *attrs++ = *userAttr++; + *attrs++ = *userAttr++; } /* We only add the following attributes to the template if the caller ** didn't already supply them. */ if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) { - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); - attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); + attrs++; } if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) { - keyType = PK11_GetKeyType(target, keySize); - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType ); - attrs++; + keyType = PK11_GetKeyType(target, keySize); + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType); + attrs++; } if ((operation != CKA_FLAGS_ONLY) && - !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { - PK11_SETATTRS(attrs, operation, &cktrue, 1); attrs++; + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; } /* * must be last in case we need to use this template to import the key */ if (keySize > 0 && - !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { - valueLen = (CK_ULONG)keySize; - PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); - attrs++; + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { + valueLen = (CK_ULONG)keySize; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); + attrs++; } templateCount = attrs - keyTemplate; - PR_ASSERT(templateCount <= sizeof(keyTemplate)/sizeof(CK_ATTRIBUTE)); - + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); /* find out if we can do wrap directly. Because the RSA case if *very* * common, cache the results for it. */ if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) { - mechanism_info.flags = slot->RSAInfoFlags; + mechanism_info.flags = slot->RSAInfoFlags; } else { - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,wrapType, - &mechanism_info); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - if (crv != CKR_OK) { - mechanism_info.flags = 0; - } + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, wrapType, + &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + mechanism_info.flags = 0; + } if (wrapType == CKM_RSA_PKCS) { - slot->RSAInfoFlags = mechanism_info.flags; - slot->hasRSAInfo = PR_TRUE; - } + slot->RSAInfoFlags = mechanism_info.flags; + slot->hasRSAInfo = PR_TRUE; + } } /* initialize the mechanism structure */ mechanism.mechanism = wrapType; /* use NULL IV's for wrapping */ - if (param == NULL) - param = param_free = PK11_ParamFromIV(wrapType,NULL); + if (param == NULL) + param = param_free = PK11_ParamFromIV(wrapType, NULL); if (param) { - mechanism.pParameter = param->data; - mechanism.ulParameterLen = param->len; + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; } else { - mechanism.pParameter = NULL; - mechanism.ulParameterLen = 0; - } - - if ((mechanism_info.flags & CKF_DECRYPT) - && !PK11_DoesMechanism(slot,target)) { - symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, - target, keyTemplate, templateCount, keySize, - wincx, &crv, isPerm); - if (symKey) { - if (param_free) SECITEM_FreeItem(param_free,PR_TRUE); - return symKey; - } - /* - * if the RSA OP simply failed, don't try to unwrap again - * with this module. - */ - if (crv == CKR_DEVICE_ERROR){ - if (param_free) SECITEM_FreeItem(param_free,PR_TRUE); - return NULL; - } - /* fall through, maybe they incorrectly set CKF_DECRYPT */ + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + } + + if ((mechanism_info.flags & CKF_DECRYPT) && !PK11_DoesMechanism(slot, target)) { + symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, + target, keyTemplate, templateCount, keySize, + wincx, &crv, isPerm); + if (symKey) { + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return symKey; + } + /* + * if the RSA OP simply failed, don't try to unwrap again + * with this module. + */ + if (crv == CKR_DEVICE_ERROR) { + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return NULL; + } + /* fall through, maybe they incorrectly set CKF_DECRYPT */ } /* get our key Structure */ symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, wincx); if (symKey == NULL) { - if (param_free) SECITEM_FreeItem(param_free,PR_TRUE); - return NULL; + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return NULL; } symKey->size = keySize; symKey->origin = PK11_OriginUnwrap; if (isPerm) { - rwsession = PK11_GetRWSession(slot); + rwsession = PK11_GetRWSession(slot); } else { pk11_EnterKeyMonitor(symKey); - rwsession = symKey->session; + rwsession = symKey->session; } PORT_Assert(rwsession != CK_INVALID_SESSION); - if (rwsession == CK_INVALID_SESSION) - crv = CKR_SESSION_HANDLE_INVALID; + if (rwsession == CK_INVALID_SESSION) + crv = CKR_SESSION_HANDLE_INVALID; else - crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession,&mechanism,wrappingKey, - wrappedKey->data, wrappedKey->len, keyTemplate, templateCount, - &symKey->objectID); + crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, wrappingKey, + wrappedKey->data, wrappedKey->len, + keyTemplate, templateCount, + &symKey->objectID); if (isPerm) { - if (rwsession != CK_INVALID_SESSION) - PK11_RestoreROSession(slot, rwsession); + if (rwsession != CK_INVALID_SESSION) + PK11_RestoreROSession(slot, rwsession); } else { pk11_ExitKeyMonitor(symKey); } - if (param_free) SECITEM_FreeItem(param_free,PR_TRUE); + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); if (crv != CKR_OK) { - PK11_FreeSymKey(symKey); - symKey = NULL; - if (crv != CKR_DEVICE_ERROR) { - /* try hand Unwrapping */ - symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, - target, keyTemplate, templateCount, - keySize, wincx, NULL, isPerm); - } - } + PK11_FreeSymKey(symKey); + symKey = NULL; + if (crv != CKR_DEVICE_ERROR) { + /* try hand Unwrapping */ + symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, + target, keyTemplate, templateCount, + keySize, wincx, NULL, isPerm); + } + } - return symKey; + return symKey; } /* use a symetric key to unwrap another symetric key */ PK11SymKey * -PK11_UnwrapSymKey( PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize) +PK11_UnwrapSymKey(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize) { return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, - wrapType, param, wrappedKey, target, operation, keySize, - wrappingKey->cx, NULL, 0, PR_FALSE); + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, NULL, 0, PR_FALSE); } /* use a symetric key to unwrap another symetric key */ PK11SymKey * PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags) + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags) { - CK_BBOOL ckTrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - unsigned int templateCount; + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, - wrapType, param, wrappedKey, target, operation, keySize, - wrappingKey->cx, keyTemplate, templateCount, PR_FALSE); + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, keyTemplate, templateCount, PR_FALSE); } PK11SymKey * -PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, - CK_MECHANISM_TYPE wrapType, - SECItem *param, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, - int keySize, CK_FLAGS flags, PRBool isPerm) +PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, + CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm) { - CK_BBOOL cktrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - CK_ATTRIBUTE *attrs; - unsigned int templateCount; + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount; attrs = keyTemplate; if (isPerm) { - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; } - templateCount = attrs-keyTemplate; + templateCount = attrs - keyTemplate; templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, - wrapType, param, wrappedKey, target, operation, keySize, - wrappingKey->cx, keyTemplate, templateCount, isPerm); + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, keyTemplate, templateCount, isPerm); } - /* unwrap a symetric key with a private key. */ PK11SymKey * PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, - CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize) + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize) { CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); - PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; - if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) { - PK11_HandlePasswordCheck(slot,wrappingKey->wincx); + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); } - + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, - wrapType, NULL, wrappedKey, target, operation, keySize, - wrappingKey->wincx, NULL, 0, PR_FALSE); + wrapType, NULL, wrappedKey, target, operation, keySize, + wrappingKey->wincx, NULL, 0, PR_FALSE); } /* unwrap a symetric key with a private key. */ PK11SymKey * -PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey, - SECItem *wrappedKey, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags) +PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags) { CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); - CK_BBOOL ckTrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - unsigned int templateCount; - PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); - if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) { - PK11_HandlePasswordCheck(slot,wrappingKey->wincx); + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); } - + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, - wrapType, NULL, wrappedKey, target, operation, keySize, - wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE); + wrapType, NULL, wrappedKey, target, operation, keySize, + wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE); } PK11SymKey * -PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, - SECItem *wrappedKey, CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, int keySize, - CK_FLAGS flags, PRBool isPerm) +PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_FLAGS flags, PRBool isPerm) { CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); - CK_BBOOL cktrue = CK_TRUE; - CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; - CK_ATTRIBUTE *attrs; - unsigned int templateCount; - PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount; + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; attrs = keyTemplate; if (isPerm) { - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; } - templateCount = attrs-keyTemplate; + templateCount = attrs - keyTemplate; templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); - if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey,CKA_PRIVATE)) { - PK11_HandlePasswordCheck(slot,wrappingKey->wincx); + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); } - + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, - wrapType, NULL, wrappedKey, target, operation, keySize, - wrappingKey->wincx, keyTemplate, templateCount, isPerm); + wrapType, NULL, wrappedKey, target, operation, keySize, + wrappingKey->wincx, keyTemplate, templateCount, isPerm); } -PK11SymKey* +PK11SymKey * PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech) { CK_RV crv; CK_ATTRIBUTE setTemplate; - CK_BBOOL ckTrue = CK_TRUE; + CK_BBOOL ckTrue = CK_TRUE; PK11SlotInfo *slot = originalKey->slot; /* first just try to set this key up for signing */ PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue)); pk11_EnterKeyMonitor(originalKey); - crv = PK11_GETTAB(slot)-> C_SetAttributeValue(originalKey->session, - originalKey->objectID, &setTemplate, 1); + crv = PK11_GETTAB(slot)->C_SetAttributeValue(originalKey->session, + originalKey->objectID, &setTemplate, 1); pk11_ExitKeyMonitor(originalKey); if (crv == CKR_OK) { - return PK11_ReferenceSymKey(originalKey); + return PK11_ReferenceSymKey(originalKey); } /* nope, doesn't like it, use the pk11 copy object command */ return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey); } - -void -PK11_SetFortezzaHack(PK11SymKey *symKey) { - symKey->origin = PK11_OriginFortezzaHack; + +void +PK11_SetFortezzaHack(PK11SymKey *symKey) +{ + symKey->origin = PK11_OriginFortezzaHack; } /* @@ -2640,7 +2706,7 @@ PK11_SetFortezzaHack(PK11SymKey *symKey) { * working. This function simply gets a valid IV for the keys. */ SECStatus -PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len) +PK11_GenerateFortezzaIV(PK11SymKey *symKey, unsigned char *iv, int len) { CK_MECHANISM mech_info; CK_ULONG count = 0; @@ -2653,12 +2719,10 @@ PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len) /* generate the IV for fortezza */ PK11_EnterSlotMonitor(symKey->slot); - crv=PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session, - &mech_info, symKey->objectID); + crv = PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session, &mech_info, symKey->objectID); if (crv == CKR_OK) { - PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, - NULL, &count); - rv = SECSuccess; + PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, NULL, &count); + rv = SECSuccess; } PK11_ExitSlotMonitor(symKey->slot); return rv; @@ -2669,4 +2733,3 @@ PK11_GetSymKeyHandle(PK11SymKey *symKey) { return symKey->objectID; } - diff --git a/nss/lib/pk11wrap/pk11slot.c b/nss/lib/pk11wrap/pk11slot.c index d52c020..c66ae27 100644 --- a/nss/lib/pk11wrap/pk11slot.c +++ b/nss/lib/pk11wrap/pk11slot.c @@ -14,12 +14,11 @@ #include "secitem.h" #include "secerr.h" -#include "dev.h" -#include "dev3hack.h" +#include "dev.h" +#include "dev3hack.h" #include "pkim.h" #include "utilpars.h" - /************************************************************* * local static and global data *************************************************************/ @@ -30,38 +29,38 @@ * to this table. */ const PK11DefaultArrayEntry PK11_DefaultArray[] = { - { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, - { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, - { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, - { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, - { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, - { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, - { "DES", SECMOD_DES_FLAG, CKM_DES_CBC }, - { "AES", SECMOD_AES_FLAG, CKM_AES_CBC }, - { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC }, - { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC }, - { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC }, - { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 }, -/* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */ - { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 }, -/* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */ - { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 }, - { "MD5", SECMOD_MD5_FLAG, CKM_MD5 }, - { "MD2", SECMOD_MD2_FLAG, CKM_MD2 }, - { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN }, - { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE }, - { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 }, - { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM }, - { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM }, + { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, + { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, + { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, + { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, + { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, + { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, + { "DES", SECMOD_DES_FLAG, CKM_DES_CBC }, + { "AES", SECMOD_AES_FLAG, CKM_AES_CBC }, + { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC }, + { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC }, + { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC }, + { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 }, + /* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */ + { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 }, + /* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */ + { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 }, + { "MD5", SECMOD_MD5_FLAG, CKM_MD5 }, + { "MD2", SECMOD_MD2_FLAG, CKM_MD2 }, + { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN }, + { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE }, + { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 }, + { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM }, + { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM }, }; -const int num_pk11_default_mechanisms = - sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]); +const int num_pk11_default_mechanisms = + sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]); const PK11DefaultArrayEntry * PK11_GetDefaultArray(int *size) { if (size) { - *size = num_pk11_default_mechanisms; + *size = num_pk11_default_mechanisms; } return PK11_DefaultArray; } @@ -70,7 +69,7 @@ PK11_GetDefaultArray(int *size) * These slotlists are lists of modules which provide default support for * a given algorithm or mechanism. */ -static PK11SlotList +static PK11SlotList pk11_seedSlotList, pk11_camelliaSlotList, pk11_aesSlotList, @@ -90,28 +89,29 @@ static PK11SlotList pk11_tlsSlotList, pk11_randomSlotList, pk11_sha256SlotList, - pk11_sha512SlotList; /* slots do SHA512 and SHA384 */ + pk11_sha512SlotList; /* slots do SHA512 and SHA384 */ /************************************************************ * Generic Slot List and Slot List element manipulations ************************************************************/ /* - * allocate a new list + * allocate a new list */ PK11SlotList * PK11_NewSlotList(void) { PK11SlotList *list; - + list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList)); - if (list == NULL) return NULL; + if (list == NULL) + return NULL; list->head = NULL; list->tail = NULL; list->lock = PZ_NewLock(nssILockList); if (list->lock == NULL) { - PORT_Free(list); - return NULL; + PORT_Free(list); + return NULL; } return list; @@ -126,18 +126,18 @@ PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le) PRBool freeit = PR_FALSE; if (list == NULL || le == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } PZ_Lock(list->lock); if (le->refCount-- == 1) { - freeit = PR_TRUE; + freeit = PR_TRUE; } PZ_Unlock(list->lock); if (freeit) { - PK11_FreeSlot(le->slot); - PORT_Free(le); + PK11_FreeSlot(le->slot); + PORT_Free(le); } return SECSuccess; } @@ -145,15 +145,16 @@ PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le) static void pk11_FreeSlotListStatic(PK11SlotList *list) { - PK11SlotListElement *le, *next ; - if (list == NULL) return; + PK11SlotListElement *le, *next; + if (list == NULL) + return; - for (le = list->head ; le; le = next) { - next = le->next; - PK11_FreeSlotListElement(list,le); + for (le = list->head; le; le = next) { + next = le->next; + PK11_FreeSlotListElement(list, le); } if (list->lock) { - PZ_DestroyLock(list->lock); + PZ_DestroyLock(list->lock); } list->lock = NULL; list->head = NULL; @@ -178,13 +179,14 @@ PK11_FreeSlotList(PK11SlotList *list) * should be inserted to the head of the list. */ SECStatus -PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted) +PK11_AddSlotToList(PK11SlotList *list, PK11SlotInfo *slot, PRBool sorted) { PK11SlotListElement *le; PK11SlotListElement *element; - le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement)); - if (le == NULL) return SECFailure; + le = (PK11SlotListElement *)PORT_Alloc(sizeof(PK11SlotListElement)); + if (le == NULL) + return SECFailure; le->slot = PK11_ReferenceSlot(slot); le->prev = NULL; @@ -205,8 +207,10 @@ PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted) le->next = NULL; list->tail = le; } - if (le->prev) le->prev->next = le; - if (list->head == element) list->head = le; + if (le->prev) + le->prev->next = le; + if (list->head == element) + list->head = le; PZ_Unlock(list->lock); return SECSuccess; @@ -216,14 +220,20 @@ PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted) * remove a slot entry from the list */ SECStatus -PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le) +PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le) { PZ_Lock(list->lock); - if (le->prev) le->prev->next = le->next; else list->head = le->next; - if (le->next) le->next->prev = le->prev; else list->tail = le->prev; + if (le->prev) + le->prev->next = le->next; + else + list->head = le->next; + if (le->next) + le->next->prev = le->prev; + else + list->tail = le->prev; le->next = le->prev = NULL; PZ_Unlock(list->lock); - PK11_FreeSlotListElement(list,le); + PK11_FreeSlotListElement(list, le); return SECSuccess; } @@ -233,14 +243,15 @@ PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le) * lists. It also does not re-sort the target list. */ SECStatus -pk11_MoveListToList(PK11SlotList *target,PK11SlotList *src) +pk11_MoveListToList(PK11SlotList *target, PK11SlotList *src) { - if (src->head == NULL) return SECSuccess; + if (src->head == NULL) + return SECSuccess; if (target->tail == NULL) { - target->head = src->head; + target->head = src->head; } else { - target->tail->next = src->head; + target->tail->next = src->head; } src->head->prev = target->tail; target->tail = src->tail; @@ -257,7 +268,8 @@ PK11_GetFirstRef(PK11SlotList *list) PK11SlotListElement *le; le = list->head; - if (le != NULL) (le)->refCount++; + if (le != NULL) + (le)->refCount++; return le; } @@ -269,8 +281,9 @@ PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) { PK11SlotListElement *new_le; new_le = le->next; - if (new_le) new_le->refCount++; - PK11_FreeSlotListElement(list,le); + if (new_le) + new_le->refCount++; + PK11_FreeSlotListElement(list, le); return new_le; } @@ -285,7 +298,8 @@ PK11_GetFirstSafe(PK11SlotList *list) PZ_Lock(list->lock); le = list->head; - if (le != NULL) (le)->refCount++; + if (le != NULL) + (le)->refCount++; PZ_Unlock(list->lock); return le; } @@ -302,31 +316,32 @@ PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) PZ_Lock(list->lock); new_le = le->next; if (le->next == NULL) { - /* if the prev and next fields are NULL then either this element - * has been removed and we need to walk the list again (if restart - * is true) or this was the only element on the list */ - if ((le->prev == NULL) && restart && (list->head != le)) { - new_le = list->head; - } - } - if (new_le) new_le->refCount++; + /* if the prev and next fields are NULL then either this element + * has been removed and we need to walk the list again (if restart + * is true) or this was the only element on the list */ + if ((le->prev == NULL) && restart && (list->head != le)) { + new_le = list->head; + } + } + if (new_le) + new_le->refCount++; PZ_Unlock(list->lock); - PK11_FreeSlotListElement(list,le); + PK11_FreeSlotListElement(list, le); return new_le; } - /* * Find the element that holds this slot */ PK11SlotListElement * -PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot) +PK11_FindSlotElement(PK11SlotList *list, PK11SlotInfo *slot) { PK11SlotListElement *le; for (le = PK11_GetFirstSafe(list); le; - le = PK11_GetNextSafe(list,le,PR_TRUE)) { - if (le->slot == slot) return le; + le = PK11_GetNextSafe(list, le, PR_TRUE)) { + if (le->slot == slot) + return le; } return NULL; } @@ -343,21 +358,21 @@ PK11_NewSlotInfo(SECMODModule *mod) PK11SlotInfo *slot; slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo)); - if (slot == NULL) return slot; + if (slot == NULL) + return slot; - slot->sessionLock = mod->isThreadSafe ? - PZ_NewLock(nssILockSession) : mod->refLock; + slot->sessionLock = mod->isThreadSafe ? PZ_NewLock(nssILockSession) : mod->refLock; if (slot->sessionLock == NULL) { - PORT_Free(slot); - return NULL; + PORT_Free(slot); + return NULL; } slot->freeListLock = PZ_NewLock(nssILockFreelist); if (slot->freeListLock == NULL) { - if (mod->isThreadSafe) { - PZ_DestroyLock(slot->sessionLock); - } - PORT_Free(slot); - return NULL; + if (mod->isThreadSafe) { + PZ_DestroyLock(slot->sessionLock); + } + PORT_Free(slot); + return NULL; } slot->freeSymKeysWithSessionHead = NULL; slot->freeSymKeysHead = NULL; @@ -393,7 +408,7 @@ PK11_NewSlotInfo(SECMODModule *mod) slot->cert_count = 0; slot->slot_name[0] = 0; slot->token_name[0] = 0; - PORT_Memset(slot->serial,' ',sizeof(slot->serial)); + PORT_Memset(slot->serial, ' ', sizeof(slot->serial)); slot->module = NULL; slot->authTransact = 0; slot->authTime = LL_ZERO; @@ -404,7 +419,7 @@ PK11_NewSlotInfo(SECMODModule *mod) slot->nssToken = NULL; return slot; } - + /* create a new reference to a slot so it doesn't go away */ PK11SlotInfo * PK11_ReferenceSlot(PK11SlotInfo *slot) @@ -417,52 +432,54 @@ PK11_ReferenceSlot(PK11SlotInfo *slot) void PK11_DestroySlot(PK11SlotInfo *slot) { - /* free up the cached keys and sessions */ - PK11_CleanKeyList(slot); - - /* free up all the sessions on this slot */ - if (slot->functionList) { - PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); - } + /* free up the cached keys and sessions */ + PK11_CleanKeyList(slot); + + /* free up all the sessions on this slot */ + if (slot->functionList) { + PK11_GETTAB(slot) + ->C_CloseAllSessions(slot->slotID); + } - if (slot->mechanismList) { - PORT_Free(slot->mechanismList); - } - if (slot->isThreadSafe && slot->sessionLock) { - PZ_DestroyLock(slot->sessionLock); - } - slot->sessionLock = NULL; - if (slot->freeListLock) { - PZ_DestroyLock(slot->freeListLock); - slot->freeListLock = NULL; - } + if (slot->mechanismList) { + PORT_Free(slot->mechanismList); + } + if (slot->isThreadSafe && slot->sessionLock) { + PZ_DestroyLock(slot->sessionLock); + } + slot->sessionLock = NULL; + if (slot->freeListLock) { + PZ_DestroyLock(slot->freeListLock); + slot->freeListLock = NULL; + } - /* finally Tell our parent module that we've gone away so it can unload */ - if (slot->module) { - SECMOD_SlotDestroyModule(slot->module,PR_TRUE); - } + /* finally Tell our parent module that we've gone away so it can unload */ + if (slot->module) { + SECMOD_SlotDestroyModule(slot->module, PR_TRUE); + } - /* ok, well not quit finally... now we free the memory */ - PORT_Free(slot); + /* ok, well not quit finally... now we free the memory */ + PORT_Free(slot); } - /* We're all done with the slot, free it */ void PK11_FreeSlot(PK11SlotInfo *slot) { if (PR_ATOMIC_DECREMENT(&slot->refCount) == 0) { - PK11_DestroySlot(slot); + PK11_DestroySlot(slot); } } void -PK11_EnterSlotMonitor(PK11SlotInfo *slot) { +PK11_EnterSlotMonitor(PK11SlotInfo *slot) +{ PZ_Lock(slot->sessionLock); } void -PK11_ExitSlotMonitor(PK11SlotInfo *slot) { +PK11_ExitSlotMonitor(PK11SlotInfo *slot) +{ PZ_Unlock(slot->sessionLock); } @@ -472,31 +489,32 @@ PK11_ExitSlotMonitor(PK11SlotInfo *slot) { PRBool SECMOD_HasRootCerts(void) { - SECMODModuleList *mlp; - SECMODModuleList *modules; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); - int i; - PRBool found = PR_FALSE; + SECMODModuleList *mlp; + SECMODModuleList *modules; + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PRBool found = PR_FALSE; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return found; - } - - /* work through all the slots */ - SECMOD_GetReadLock(moduleLock); - modules = SECMOD_GetDefaultModuleList(); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - for (i=0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *tmpSlot = mlp->module->slots[i]; - if (PK11_IsPresent(tmpSlot)) { - if (tmpSlot->hasRootCerts) { - found = PR_TRUE; - break; - } - } - } - if (found) break; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return found; + } + + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (tmpSlot->hasRootCerts) { + found = PR_TRUE; + break; + } + } + } + if (found) + break; } SECMOD_ReleaseReadLock(moduleLock); @@ -507,20 +525,20 @@ SECMOD_HasRootCerts(void) * Functions to find specific slots. ***********************************************************/ PK11SlotList * -PK11_FindSlotsByNames(const char *dllName, const char* slotName, - const char* tokenName, PRBool presentOnly) +PK11_FindSlotsByNames(const char *dllName, const char *slotName, + const char *tokenName, PRBool presentOnly) { SECMODModuleList *mlp; SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; - PK11SlotList* slotList = NULL; + PK11SlotList *slotList = NULL; PRUint32 slotcount = 0; SECStatus rv = SECSuccess; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return slotList; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slotList; } slotList = PK11_NewSlotList(); @@ -529,11 +547,17 @@ PK11_FindSlotsByNames(const char *dllName, const char* slotName, return slotList; } - if ( ((NULL == dllName) || (0 == *dllName)) && + if (((NULL == dllName) || (0 == *dllName)) && ((NULL == slotName) || (0 == *slotName)) && - ((NULL == tokenName) || (0 == *tokenName)) ) { + ((NULL == tokenName) || (0 == *tokenName))) { /* default to softoken */ - PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot(), PR_TRUE); + /* PK11_GetInternalKeySlot increments the refcount on the internal slot, + * but so does PK11_AddSlotToList. To avoid erroneously increasing the + * refcount twice, we get our own reference to the internal slot and + * decrement its refcount when we're done with it. */ + PK11SlotInfo *internalKeySlot = PK11_GetInternalKeySlot(); + PK11_AddSlotToList(slotList, internalKeySlot, PR_TRUE); + PK11_FreeSlot(internalKeySlot); return slotList; } @@ -547,30 +571,28 @@ PK11_FindSlotsByNames(const char *dllName, const char* slotName, break; } if ((!dllName) || (mlp->module->dllName && - (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) { - for (i=0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i]:NULL); + (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) { + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = (mlp->module->slots ? mlp->module->slots[i] : NULL); PORT_Assert(tmpSlot); if (!tmpSlot) { rv = SECFailure; break; } if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) && - ( (!tokenName) || - (0==PORT_Strcmp(tmpSlot->token_name, tokenName)) ) && - ( (!slotName) || - (0==PORT_Strcmp(tmpSlot->slot_name, slotName)) ) ) { - if (tmpSlot) { - PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE); - slotcount++; - } + ((!tokenName) || + (0 == PORT_Strcmp(tmpSlot->token_name, tokenName))) && + ((!slotName) || + (0 == PORT_Strcmp(tmpSlot->slot_name, slotName)))) { + PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE); + slotcount++; } } } } SECMOD_ReleaseReadLock(moduleLock); - if ( (0 == slotcount) || (SECFailure == rv) ) { + if ((0 == slotcount) || (SECFailure == rv)) { PORT_SetError(SEC_ERROR_NO_TOKEN); PK11_FreeSlotList(slotList); slotList = NULL; @@ -586,78 +608,79 @@ PK11_FindSlotsByNames(const char *dllName, const char* slotName, PK11SlotInfo * PK11_FindSlotByName(const char *name) { - SECMODModuleList *mlp; - SECMODModuleList *modules; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); - int i; - PK11SlotInfo *slot = NULL; + SECMODModuleList *mlp; + SECMODModuleList *modules; + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PK11SlotInfo *slot = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return slot; - } - if ((name == NULL) || (*name == 0)) { - return PK11_GetInternalKeySlot(); - } - - /* work through all the slots */ - SECMOD_GetReadLock(moduleLock); - modules = SECMOD_GetDefaultModuleList(); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - for (i=0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *tmpSlot = mlp->module->slots[i]; - if (PK11_IsPresent(tmpSlot)) { - if (PORT_Strcmp(tmpSlot->token_name,name) == 0) { - slot = PK11_ReferenceSlot(tmpSlot); - break; - } - } - } - if (slot != NULL) break; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; + } + if ((name == NULL) || (*name == 0)) { + return PK11_GetInternalKeySlot(); + } + + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (PORT_Strcmp(tmpSlot->token_name, name) == 0) { + slot = PK11_ReferenceSlot(tmpSlot); + break; + } + } + } + if (slot != NULL) + break; } SECMOD_ReleaseReadLock(moduleLock); if (slot == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); + PORT_SetError(SEC_ERROR_NO_TOKEN); } return slot; } - PK11SlotInfo * PK11_FindSlotBySerial(char *serial) { - SECMODModuleList *mlp; - SECMODModuleList *modules; - SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); - int i; - PK11SlotInfo *slot = NULL; + SECMODModuleList *mlp; + SECMODModuleList *modules; + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PK11SlotInfo *slot = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return slot; - } - /* work through all the slots */ - SECMOD_GetReadLock(moduleLock); - modules = SECMOD_GetDefaultModuleList(); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - for (i=0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *tmpSlot = mlp->module->slots[i]; - if (PK11_IsPresent(tmpSlot)) { - if (PORT_Memcmp(tmpSlot->serial,serial, - sizeof(tmpSlot->serial)) == 0) { - slot = PK11_ReferenceSlot(tmpSlot); - break; - } - } - } - if (slot != NULL) break; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; + } + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + modules = SECMOD_GetDefaultModuleList(); + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (PORT_Memcmp(tmpSlot->serial, serial, + sizeof(tmpSlot->serial)) == 0) { + slot = PK11_ReferenceSlot(tmpSlot); + break; + } + } + } + if (slot != NULL) + break; } SECMOD_ReleaseReadLock(moduleLock); if (slot == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); + PORT_SetError(SEC_ERROR_NO_TOKEN); } return slot; @@ -668,8 +691,9 @@ PK11_FindSlotBySerial(char *serial) * the pkcs11 functions may pass back to use, we can catch them here... * currently pdata is a slotinfo structure. */ -CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, - CK_VOID_PTR pdata) +CK_RV +pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, + CK_VOID_PTR pdata) { return CKR_OK; } @@ -680,56 +704,57 @@ CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, * session is RW or the slot is not thread safe. Monitor is release in function * below */ -CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot) +CK_SESSION_HANDLE +PK11_GetRWSession(PK11SlotInfo *slot) { CK_SESSION_HANDLE rwsession; CK_RV crv; PRBool haveMonitor = PR_FALSE; if (!slot->isThreadSafe || slot->defRWSession) { - PK11_EnterSlotMonitor(slot); - haveMonitor = PR_TRUE; + PK11_EnterSlotMonitor(slot); + haveMonitor = PR_TRUE; } if (slot->defRWSession) { - PORT_Assert(slot->session != CK_INVALID_SESSION); - if (slot->session != CK_INVALID_SESSION) - return slot->session; + PORT_Assert(slot->session != CK_INVALID_SESSION); + if (slot->session != CK_INVALID_SESSION) + return slot->session; } crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - CKF_RW_SESSION|CKF_SERIAL_SESSION, - slot, pk11_notify,&rwsession); + CKF_RW_SESSION | CKF_SERIAL_SESSION, + slot, pk11_notify, &rwsession); PORT_Assert(rwsession != CK_INVALID_SESSION || crv != CKR_OK); if (crv != CKR_OK || rwsession == CK_INVALID_SESSION) { - if (crv == CKR_OK) - crv = CKR_DEVICE_ERROR; - if (haveMonitor) - PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return CK_INVALID_SESSION; + if (crv == CKR_OK) + crv = CKR_DEVICE_ERROR; + if (haveMonitor) + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return CK_INVALID_SESSION; } if (slot->defRWSession) { /* we have the monitor */ - slot->session = rwsession; + slot->session = rwsession; } return rwsession; } PRBool -PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) +PK11_RWSessionHasLock(PK11SlotInfo *slot, CK_SESSION_HANDLE session_handle) { PRBool hasLock; - hasLock = (PRBool)(!slot->isThreadSafe || - (slot->defRWSession && slot->session != CK_INVALID_SESSION)); + hasLock = (PRBool)(!slot->isThreadSafe || + (slot->defRWSession && slot->session != CK_INVALID_SESSION)); return hasLock; } static PRBool -pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) +pk11_RWSessionIsDefault(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession) { PRBool isDefault; isDefault = (PRBool)(slot->session == rwsession && - slot->defRWSession && - slot->session != CK_INVALID_SESSION); + slot->defRWSession && + slot->session != CK_INVALID_SESSION); return isDefault; } @@ -739,15 +764,16 @@ pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) * session is RW or the slot is not thread safe. */ void -PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) +PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession) { PORT_Assert(rwsession != CK_INVALID_SESSION); if (rwsession != CK_INVALID_SESSION) { - PRBool doExit = PK11_RWSessionHasLock(slot, rwsession); - if (!pk11_RWSessionIsDefault(slot, rwsession)) - PK11_GETTAB(slot)->C_CloseSession(rwsession); - if (doExit) - PK11_ExitSlotMonitor(slot); + PRBool doExit = PK11_RWSessionHasLock(slot, rwsession); + if (!pk11_RWSessionIsDefault(slot, rwsession)) + PK11_GETTAB(slot) + ->C_CloseSession(rwsession); + if (doExit) + PK11_ExitSlotMonitor(slot); } } @@ -764,7 +790,6 @@ pk11_InitSlotListStatic(PK11SlotList *list) list->head = NULL; } - /* initialize the system slotlists */ SECStatus PK11_InitSlotLists(void) @@ -828,71 +853,71 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type) return NULL; #endif switch (type) { - case CKM_SEED_CBC: - case CKM_SEED_ECB: - return &pk11_seedSlotList; - case CKM_CAMELLIA_CBC: - case CKM_CAMELLIA_ECB: - return &pk11_camelliaSlotList; - case CKM_AES_CBC: - case CKM_AES_CCM: - case CKM_AES_CTR: - case CKM_AES_CTS: - case CKM_AES_GCM: - case CKM_AES_ECB: - return &pk11_aesSlotList; - case CKM_DES_CBC: - case CKM_DES_ECB: - case CKM_DES3_ECB: - case CKM_DES3_CBC: - return &pk11_desSlotList; - case CKM_RC4: - return &pk11_rc4SlotList; - case CKM_RC5_CBC: - return &pk11_rc5SlotList; - case CKM_SHA_1: - return &pk11_sha1SlotList; - case CKM_SHA224: - case CKM_SHA256: - return &pk11_sha256SlotList; - case CKM_SHA384: - case CKM_SHA512: - return &pk11_sha512SlotList; - case CKM_MD5: - return &pk11_md5SlotList; - case CKM_MD2: - return &pk11_md2SlotList; - case CKM_RC2_ECB: - case CKM_RC2_CBC: - return &pk11_rc2SlotList; - case CKM_RSA_PKCS: - case CKM_RSA_PKCS_KEY_PAIR_GEN: - case CKM_RSA_X_509: - return &pk11_rsaSlotList; - case CKM_DSA: - return &pk11_dsaSlotList; - case CKM_DH_PKCS_KEY_PAIR_GEN: - case CKM_DH_PKCS_DERIVE: - return &pk11_dhSlotList; - case CKM_ECDSA: - case CKM_ECDSA_SHA1: - case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ - case CKM_ECDH1_DERIVE: - return &pk11_ecSlotList; - case CKM_SSL3_PRE_MASTER_KEY_GEN: - case CKM_SSL3_MASTER_KEY_DERIVE: - case CKM_SSL3_SHA1_MAC: - case CKM_SSL3_MD5_MAC: - return &pk11_sslSlotList; - case CKM_TLS_MASTER_KEY_DERIVE: - case CKM_TLS_KEY_AND_MAC_DERIVE: - case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: - return &pk11_tlsSlotList; - case CKM_IDEA_CBC: - case CKM_IDEA_ECB: - return &pk11_ideaSlotList; - case CKM_FAKE_RANDOM: - return &pk11_randomSlotList; + case CKM_SEED_CBC: + case CKM_SEED_ECB: + return &pk11_seedSlotList; + case CKM_CAMELLIA_CBC: + case CKM_CAMELLIA_ECB: + return &pk11_camelliaSlotList; + case CKM_AES_CBC: + case CKM_AES_CCM: + case CKM_AES_CTR: + case CKM_AES_CTS: + case CKM_AES_GCM: + case CKM_AES_ECB: + return &pk11_aesSlotList; + case CKM_DES_CBC: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_DES3_CBC: + return &pk11_desSlotList; + case CKM_RC4: + return &pk11_rc4SlotList; + case CKM_RC5_CBC: + return &pk11_rc5SlotList; + case CKM_SHA_1: + return &pk11_sha1SlotList; + case CKM_SHA224: + case CKM_SHA256: + return &pk11_sha256SlotList; + case CKM_SHA384: + case CKM_SHA512: + return &pk11_sha512SlotList; + case CKM_MD5: + return &pk11_md5SlotList; + case CKM_MD2: + return &pk11_md2SlotList; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + return &pk11_rc2SlotList; + case CKM_RSA_PKCS: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_X_509: + return &pk11_rsaSlotList; + case CKM_DSA: + return &pk11_dsaSlotList; + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_DERIVE: + return &pk11_dhSlotList; + case CKM_ECDSA: + case CKM_ECDSA_SHA1: + case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ + case CKM_ECDH1_DERIVE: + return &pk11_ecSlotList; + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + return &pk11_sslSlotList; + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: + return &pk11_tlsSlotList; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + return &pk11_ideaSlotList; + case CKM_FAKE_RANDOM: + return &pk11_randomSlotList; } return NULL; } @@ -907,12 +932,13 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count) { int i; - for (i=0; i < count; i++) { - if (psi[i].slotID == slot->slotID) - break; + for (i = 0; i < count; i++) { + if (psi[i].slotID == slot->slotID) + break; } - if (i == count) return; + if (i == count) + return; slot->defaultFlags = psi[i].defaultFlags; slot->askpw = psi[i].askpw; @@ -922,29 +948,30 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count) /* if the slot is already disabled, don't load them into the * default slot lists. We get here so we can save the default * list value. */ - if (slot->disabled) return; + if (slot->disabled) + return; /* if the user has disabled us, don't load us in */ if (slot->defaultFlags & PK11_DISABLE_FLAG) { - slot->disabled = PR_TRUE; - slot->reason = PK11_DIS_USER_SELECTED; - /* free up sessions and things?? */ - return; + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_USER_SELECTED; + /* free up sessions and things?? */ + return; } - for (i=0; i < num_pk11_default_mechanisms; i++) { - if (slot->defaultFlags & PK11_DefaultArray[i].flag) { - CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; - PK11SlotList *slotList = PK11_GetSlotList(mechanism); + for (i = 0; i < num_pk11_default_mechanisms; i++) { + if (slot->defaultFlags & PK11_DefaultArray[i].flag) { + CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; + PK11SlotList *slotList = PK11_GetSlotList(mechanism); - if (slotList) PK11_AddSlotToList(slotList,slot,PR_FALSE); - } + if (slotList) + PK11_AddSlotToList(slotList, slot, PR_FALSE); + } } return; } - /* * update a slot to its new attribute according to the slot list * returns: SECSuccess if nothing to do or add/delete is successful @@ -953,25 +980,25 @@ SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot, const PK11DefaultArrayEntry *entry, PRBool add) - /* add: PR_TRUE if want to turn on */ +/* add: PR_TRUE if want to turn on */ { SECStatus result = SECSuccess; PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism); if (add) { /* trying to turn on a mechanism */ - + /* turn on the default flag in the slot */ slot->defaultFlags |= entry->flag; - + /* add this slot to the list */ - if (slotList!=NULL) + if (slotList != NULL) result = PK11_AddSlotToList(slotList, slot, PR_FALSE); - + } else { /* trying to turn off */ - - /* turn OFF the flag in the slot */ + + /* turn OFF the flag in the slot */ slot->defaultFlags &= ~entry->flag; - + if (slotList) { /* find the element in the list & delete it */ PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot); @@ -992,26 +1019,28 @@ PK11_ClearSlotList(PK11SlotInfo *slot) { int i; - if (slot->disabled) return; - if (slot->defaultFlags == 0) return; + if (slot->disabled) + return; + if (slot->defaultFlags == 0) + return; - for (i=0; i < num_pk11_default_mechanisms; i++) { - if (slot->defaultFlags & PK11_DefaultArray[i].flag) { - CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; - PK11SlotList *slotList = PK11_GetSlotList(mechanism); - PK11SlotListElement *le = NULL; + for (i = 0; i < num_pk11_default_mechanisms; i++) { + if (slot->defaultFlags & PK11_DefaultArray[i].flag) { + CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; + PK11SlotList *slotList = PK11_GetSlotList(mechanism); + PK11SlotListElement *le = NULL; - if (slotList) le = PK11_FindSlotElement(slotList,slot); + if (slotList) + le = PK11_FindSlotElement(slotList, slot); - if (le) { - PK11_DeleteSlotFromList(slotList,le); - PK11_FreeSlotListElement(slotList,le); - } - } + if (le) { + PK11_DeleteSlotFromList(slotList, le); + PK11_FreeSlotListElement(slotList, le); + } + } } } - /****************************************************************** * Slot initialization ******************************************************************/ @@ -1019,29 +1048,32 @@ PK11_ClearSlotList(PK11SlotInfo *slot) * turn a PKCS11 Static Label into a string */ char * -PK11_MakeString(PLArenaPool *arena,char *space, - char *staticString,int stringLen) -{ - int i; - char *newString; - for(i=(stringLen-1); i >= 0; i--) { - if (staticString[i] != ' ') break; - } - /* move i to point to the last space */ - i++; - if (arena) { - newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */); - } else if (space) { - newString = space; - } else { - newString = (char*)PORT_Alloc(i+1 /* space for NULL */); - } - if (newString == NULL) return NULL; - - if (i) PORT_Memcpy(newString,staticString, i); - newString[i] = 0; - - return newString; +PK11_MakeString(PLArenaPool *arena, char *space, + char *staticString, int stringLen) +{ + int i; + char *newString; + for (i = (stringLen - 1); i >= 0; i--) { + if (staticString[i] != ' ') + break; + } + /* move i to point to the last space */ + i++; + if (arena) { + newString = (char *)PORT_ArenaAlloc(arena, i + 1 /* space for NULL */); + } else if (space) { + newString = space; + } else { + newString = (char *)PORT_Alloc(i + 1 /* space for NULL */); + } + if (newString == NULL) + return NULL; + + if (i) + PORT_Memcpy(newString, staticString, i); + newString[i] = 0; + + return newString; } /* @@ -1055,42 +1087,46 @@ PK11_ReadMechanismList(PK11SlotInfo *slot) PRUint32 i; if (slot->mechanismList) { - PORT_Free(slot->mechanismList); - slot->mechanismList = NULL; + PORT_Free(slot->mechanismList); + slot->mechanismList = NULL; } slot->mechanismCount = 0; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count); if (crv != CKR_OK) { - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } slot->mechanismList = (CK_MECHANISM_TYPE *) - PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE)); + PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE)); if (slot->mechanismList == NULL) { - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - return SECFailure; + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + return SECFailure; } crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, - slot->mechanismList, &count); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + slot->mechanismList, &count); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_Free(slot->mechanismList); - slot->mechanismList = NULL; - PORT_SetError(PK11_MapError(crv)); - return SECSuccess; + PORT_Free(slot->mechanismList); + slot->mechanismList = NULL; + PORT_SetError(PK11_MapError(crv)); + return SECSuccess; } slot->mechanismCount = count; PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits)); - for (i=0; i < count; i++) { - CK_MECHANISM_TYPE mech = slot->mechanismList[i]; - if (mech < 0x7ff) { - slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); - } + for (i = 0; i < count; i++) { + CK_MECHANISM_TYPE mech = slot->mechanismList[i]; + if (mech < 0x7ff) { + slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); + } } return SECSuccess; } @@ -1110,171 +1146,179 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) PRStatus status; /* set the slot flags to the current token values */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } /* set the slot flags to the current token values */ - slot->series++; /* allow other objects to detect that the - * slot is different */ + slot->series++; /* allow other objects to detect that the + * slot is different */ slot->flags = tokenInfo.flags; - slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? - PR_TRUE : PR_FALSE); - slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? - PR_TRUE : PR_FALSE); - - + slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); + slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); + slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = - ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) - ? PR_TRUE : PR_FALSE); + ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? PR_TRUE + : PR_FALSE); slot->lastLoginCheck = 0; slot->lastState = 0; - /* on some platforms Active Card incorrectly sets the + /* on some platforms Active Card incorrectly sets the * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ if (slot->isActiveCard) { - slot->protectedAuthPath = PR_FALSE; + slot->protectedAuthPath = PR_FALSE; } - (void)PK11_MakeString(NULL,slot->token_name, - (char *)tokenInfo.label, sizeof(tokenInfo.label)); + (void)PK11_MakeString(NULL, slot->token_name, + (char *)tokenInfo.label, sizeof(tokenInfo.label)); slot->minPassword = tokenInfo.ulMinPinLen; slot->maxPassword = tokenInfo.ulMaxPinLen; - PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial)); + PORT_Memcpy(slot->serial, tokenInfo.serialNumber, sizeof(slot->serial)); nssToken_UpdateName(slot->nssToken); - slot->defRWSession = (PRBool)((!slot->readOnly) && - (tokenInfo.ulMaxSessionCount == 1)); + slot->defRWSession = (PRBool)((!slot->readOnly) && + (tokenInfo.ulMaxSessionCount == 1)); rv = PK11_ReadMechanismList(slot); - if (rv != SECSuccess) return rv; + if (rv != SECSuccess) + return rv; slot->hasRSAInfo = PR_FALSE; slot->RSAInfoFlags = 0; /* initialize the maxKeyCount value */ if (tokenInfo.ulMaxSessionCount == 0) { - slot->maxKeyCount = 800; /* should be #define or a config param */ + slot->maxKeyCount = 800; /* should be #define or a config param */ } else if (tokenInfo.ulMaxSessionCount < 20) { - /* don't have enough sessions to keep that many keys around */ - slot->maxKeyCount = 0; + /* don't have enough sessions to keep that many keys around */ + slot->maxKeyCount = 0; } else { - slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2; + slot->maxKeyCount = tokenInfo.ulMaxSessionCount / 2; } /* Make sure our session handle is valid */ if (slot->session == CK_INVALID_SESSION) { - /* we know we don't have a valid session, go get one */ - CK_SESSION_HANDLE session; - - /* session should be Readonly, serial */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, - slot,pk11_notify,&session); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; - } - slot->session = session; + /* we know we don't have a valid session, go get one */ + CK_SESSION_HANDLE session; + + /* session should be Readonly, serial */ + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, + slot, pk11_notify, &session); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + slot->session = session; } else { - /* The session we have may be defunct (the token associated with it) - * has been removed */ - CK_SESSION_INFO sessionInfo; + /* The session we have may be defunct (the token associated with it) + * has been removed */ + CK_SESSION_INFO sessionInfo; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); if (crv == CKR_DEVICE_ERROR) { - PK11_GETTAB(slot)->C_CloseSession(slot->session); - crv = CKR_SESSION_CLOSED; - } - if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) { - crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, - slot,pk11_notify,&slot->session); - if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - slot->session = CK_INVALID_SESSION; - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - return SECFailure; - } - } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + PK11_GETTAB(slot) + ->C_CloseSession(slot->session); + crv = CKR_SESSION_CLOSED; + } + if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) { + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, + slot, pk11_notify, &slot->session); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + slot->session = CK_INVALID_SESSION; + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + return SECFailure; + } + } + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); } status = nssToken_Refresh(slot->nssToken); if (status != PR_SUCCESS) - return SECFailure; + return SECFailure; if (!(slot->isInternal) && (slot->hasRandom)) { - /* if this slot has a random number generater, use it to add entropy - * to the internal slot. */ - PK11SlotInfo *int_slot = PK11_GetInternalSlot(); - - if (int_slot) { - unsigned char random_bytes[32]; - - /* if this slot can issue random numbers, get some entropy from - * that random number generater and give it to our internal token. - */ - PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GenerateRandom - (slot->session,random_bytes, sizeof(random_bytes)); - PK11_ExitSlotMonitor(slot); - if (crv == CKR_OK) { - PK11_EnterSlotMonitor(int_slot); - PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); - PK11_ExitSlotMonitor(int_slot); - } - - /* Now return the favor and send entropy to the token's random - * number generater */ - PK11_EnterSlotMonitor(int_slot); - crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, - random_bytes, sizeof(random_bytes)); - PK11_ExitSlotMonitor(int_slot); - if (crv == CKR_OK) { - PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, - random_bytes, sizeof(random_bytes)); - PK11_ExitSlotMonitor(slot); - } - PK11_FreeSlot(int_slot); - } + /* if this slot has a random number generater, use it to add entropy + * to the internal slot. */ + PK11SlotInfo *int_slot = PK11_GetInternalSlot(); + + if (int_slot) { + unsigned char random_bytes[32]; + + /* if this slot can issue random numbers, get some entropy from + * that random number generater and give it to our internal token. + */ + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(slot); + if (crv == CKR_OK) { + PK11_EnterSlotMonitor(int_slot); + PK11_GETTAB(int_slot) + ->C_SeedRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(int_slot); + } + + /* Now return the favor and send entropy to the token's random + * number generater */ + PK11_EnterSlotMonitor(int_slot); + crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(int_slot); + if (crv == CKR_OK) { + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(slot); + } + PK11_FreeSlot(int_slot); + } } /* work around a problem in softoken where it incorrectly * reports databases opened read only as read/write. */ if (slot->isInternal && !slot->readOnly) { - CK_SESSION_HANDLE session = CK_INVALID_SESSION; - - /* try to open a R/W session */ - crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, - CKF_RW_SESSION|CKF_SERIAL_SESSION, slot, pk11_notify ,&session); - /* what a well behaved token should return if you open - * a RW session on a read only token */ - if (crv == CKR_TOKEN_WRITE_PROTECTED) { - slot->readOnly = PR_TRUE; - } else if (crv == CKR_OK) { - CK_SESSION_INFO sessionInfo; - - /* Because of a second bug in softoken, which silently returns - * a RO session, we need to check what type of session we got. */ - crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo); - if (crv == CKR_OK) { - if ((sessionInfo.flags & CKF_RW_SESSION) == 0) { - /* session was readonly, so this softoken slot must be * readonly */ - slot->readOnly = PR_TRUE; - } - } - PK11_GETTAB(slot)->C_CloseSession(session); - } - } - + CK_SESSION_HANDLE session = CK_INVALID_SESSION; + + /* try to open a R/W session */ + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + CKF_RW_SESSION | CKF_SERIAL_SESSION, slot, pk11_notify, &session); + /* what a well behaved token should return if you open + * a RW session on a read only token */ + if (crv == CKR_TOKEN_WRITE_PROTECTED) { + slot->readOnly = PR_TRUE; + } else if (crv == CKR_OK) { + CK_SESSION_INFO sessionInfo; + + /* Because of a second bug in softoken, which silently returns + * a RO session, we need to check what type of session we got. */ + crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo); + if (crv == CKR_OK) { + if ((sessionInfo.flags & CKF_RW_SESSION) == 0) { + /* session was readonly, so this softoken slot must be readonly */ + slot->readOnly = PR_TRUE; + } + } + PK11_GETTAB(slot) + ->C_CloseSession(session); + } + } + return SECSuccess; } @@ -1291,33 +1335,34 @@ PK11_TokenRefresh(PK11SlotInfo *slot) CK_RV crv; /* set the slot flags to the current token values */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &tokenInfo); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } slot->flags = tokenInfo.flags; - slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? - PR_TRUE : PR_FALSE); - slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? - PR_TRUE : PR_FALSE); + slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); + slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = - ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) - ? PR_TRUE : PR_FALSE); - /* on some platforms Active Card incorrectly sets the + ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? PR_TRUE + : PR_FALSE); + /* on some platforms Active Card incorrectly sets the * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ if (slot->isActiveCard) { - slot->protectedAuthPath = PR_FALSE; + slot->protectedAuthPath = PR_FALSE; } return SECSuccess; } static PRBool -pk11_isRootSlot(PK11SlotInfo *slot) +pk11_isRootSlot(PK11SlotInfo *slot) { CK_ATTRIBUTE findTemp[1]; CK_ATTRIBUTE *attrs; @@ -1326,13 +1371,14 @@ pk11_isRootSlot(PK11SlotInfo *slot) CK_OBJECT_HANDLE handle; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); + attrs++; tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - handle = pk11_FindObjectByTemplate(slot,findTemp,tsize); + handle = pk11_FindObjectByTemplate(slot, findTemp, tsize); if (handle == CK_INVALID_HANDLE) { - return PR_FALSE; + return PR_FALSE; } return PR_TRUE; } @@ -1356,63 +1402,61 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) slot->slotID = slotID; slot->isThreadSafe = mod->isThreadSafe; slot->hasRSAInfo = PR_FALSE; - - if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) { - slot->disabled = PR_TRUE; - slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - return; + + if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + return; } /* test to make sure claimed mechanism work */ slot->needTest = mod->internal ? PR_FALSE : PR_TRUE; slot->module = mod; /* NOTE: we don't make a reference here because - * modules have references to their slots. This - * works because modules keep implicit references - * from their slots, and won't unload and disappear - * until all their slots have been freed */ - (void)PK11_MakeString(NULL,slot->slot_name, - (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); + * modules have references to their slots. This + * works because modules keep implicit references + * from their slots, and won't unload and disappear + * until all their slots have been freed */ + (void)PK11_MakeString(NULL, slot->slot_name, + (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT); #define ACTIVE_CARD "ActivCard SA" slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID, - ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0); + ACTIVE_CARD, sizeof(ACTIVE_CARD) - 1) == 0); if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) { - slot->isPerm = PR_TRUE; - /* permanment slots must have the token present always */ - if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { - slot->disabled = PR_TRUE; - slot->reason = PK11_DIS_TOKEN_NOT_PRESENT; - return; /* nothing else to do */ - } + slot->isPerm = PR_TRUE; + /* permanment slots must have the token present always */ + if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_TOKEN_NOT_PRESENT; + return; /* nothing else to do */ + } } /* if the token is present, initialize it */ if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { - rv = PK11_InitToken(slot,PR_TRUE); - /* the only hard failures are on permanent devices, or function - * verify failures... function verify failures are already handled - * by tokenInit */ - if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) { - slot->disabled = PR_TRUE; - slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - } - if (rv == SECSuccess && pk11_isRootSlot(slot)) { - if (!slot->hasRootCerts) { - slot->module->trustOrder = 100; - } - slot->hasRootCerts= PR_TRUE; - } + rv = PK11_InitToken(slot, PR_TRUE); + /* the only hard failures are on permanent devices, or function + * verify failures... function verify failures are already handled + * by tokenInit */ + if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + } + if (rv == SECSuccess && pk11_isRootSlot(slot)) { + if (!slot->hasRootCerts) { + slot->module->trustOrder = 100; + } + slot->hasRootCerts = PR_TRUE; + } } } - - /********************************************************************* * Slot mapping utility functions. *********************************************************************/ /* * determine if the token is present. If the token is present, make sure - * we have a valid session handle. Also set the value of needLogin + * we have a valid session handle. Also set the value of needLogin * appropriately. */ static PRBool @@ -1424,53 +1468,62 @@ pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) /* disabled slots are never present */ if (slot->disabled) { - return PR_FALSE; + return PR_FALSE; } /* permanent slots are always present */ if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) { - return PR_TRUE; + return PR_TRUE; } if (slot->nssToken) { - return nssToken_IsPresent(slot->nssToken); + return nssToken_IsPresent(slot->nssToken); } /* removable slots have a flag that says they are present */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) { - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - return PR_FALSE; + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID, &slotInfo) != CKR_OK) { + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + return PR_FALSE; } if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { - /* if the slot is no longer present, close the session */ - if (slot->session != CK_INVALID_SESSION) { - PK11_GETTAB(slot)->C_CloseSession(slot->session); - slot->session = CK_INVALID_SESSION; - } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - return PR_FALSE; + /* if the slot is no longer present, close the session */ + if (slot->session != CK_INVALID_SESSION) { + PK11_GETTAB(slot) + ->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + } + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + return PR_FALSE; } /* use the session Info to determine if the card has been removed and then * re-inserted */ if (slot->session != CK_INVALID_SESSION) { - if (slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); - if (crv != CKR_OK) { - PK11_GETTAB(slot)->C_CloseSession(slot->session); - slot->session = CK_INVALID_SESSION; - } - if (slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); + if (crv != CKR_OK) { + PK11_GETTAB(slot) + ->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + } + if (slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); /* card has not been removed, current token info is correct */ - if (slot->session != CK_INVALID_SESSION) return PR_TRUE; + if (slot->session != CK_INVALID_SESSION) + return PR_TRUE; /* initialize the token info state */ - if (PK11_InitToken(slot,loadCerts) != SECSuccess) { - return PR_FALSE; + if (PK11_InitToken(slot, loadCerts) != SECSuccess) { + return PR_FALSE; } return PR_TRUE; @@ -1480,8 +1533,9 @@ pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) * old version of the routine */ PRBool -PK11_IsPresent(PK11SlotInfo *slot) { - return pk11_IsPresentCertLoad(slot,PR_TRUE); +PK11_IsPresent(PK11SlotInfo *slot) +{ + return pk11_IsPresentCertLoad(slot, PR_TRUE); } /* is the slot disabled? */ @@ -1500,22 +1554,26 @@ PK11_GetDisabledReason(PK11SlotInfo *slot) /* returns PR_TRUE if successfully disable the slot */ /* returns PR_FALSE otherwise */ -PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) { +PRBool +PK11_UserDisableSlot(PK11SlotInfo *slot) +{ /* Prevent users from disabling the internal module. */ if (slot->isInternal) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return PR_FALSE; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return PR_FALSE; } slot->defaultFlags |= PK11_DISABLE_FLAG; slot->disabled = PR_TRUE; slot->reason = PK11_DIS_USER_SELECTED; - + return PR_TRUE; } -PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) { +PRBool +PK11_UserEnableSlot(PK11SlotInfo *slot) +{ slot->defaultFlags &= ~PK11_DISABLE_FLAG; slot->disabled = PR_FALSE; @@ -1523,7 +1581,9 @@ PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) { return PR_TRUE; } -PRBool PK11_HasRootCerts(PK11SlotInfo *slot) { +PRBool +PK11_HasRootCerts(PK11SlotInfo *slot) +{ return slot->hasRootCerts; } @@ -1531,14 +1591,14 @@ PRBool PK11_HasRootCerts(PK11SlotInfo *slot) { SECMODModule * PK11_GetModule(PK11SlotInfo *slot) { - return slot->module; + return slot->module; } /* return the default flags of a slot */ unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot) { - return slot->defaultFlags; + return slot->defaultFlags; } /* @@ -1575,7 +1635,7 @@ PK11_IsInternalKeySlot(PK11SlotInfo *slot) PRBool result; if (!slot->isInternal) { - return PR_FALSE; + return PR_FALSE; } int_slot = PK11_GetInternalKeySlot(); @@ -1594,21 +1654,21 @@ PRBool PK11_IsFriendly(PK11SlotInfo *slot) { /* internal slot always has public readable certs */ - return (PRBool)(slot->isInternal || - ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == - SECMOD_FRIENDLY_FLAG)); + return (PRBool)(slot->isInternal || + ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == + SECMOD_FRIENDLY_FLAG)); } char * PK11_GetTokenName(PK11SlotInfo *slot) { - return slot->token_name; + return slot->token_name; } char * PK11_GetSlotName(PK11SlotInfo *slot) { - return slot->slot_name; + return slot->slot_name; } int @@ -1643,12 +1703,12 @@ pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size) /* find the NULL */ while (walk < end && *walk != '\0') { - walk++; + walk++; } /* clear out the buffer */ while (walk < end) { - *walk++ = ' '; + *walk++ = ' '; } } @@ -1658,22 +1718,24 @@ PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info) { CK_RV crv; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); /* - * some buggy drivers do not fill the buffer completely, + * some buggy drivers do not fill the buffer completely, * erase the buffer first */ - PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription)); - PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); - crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info); + PORT_Memset(info->slotDescription, ' ', sizeof(info->slotDescription)); + PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID)); + crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID, info); pk11_zeroTerminatedToBlankPadded(info->slotDescription, - sizeof(info->slotDescription)); + sizeof(info->slotDescription)); pk11_zeroTerminatedToBlankPadded(info->manufacturerID, - sizeof(info->manufacturerID)); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + sizeof(info->manufacturerID)); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -1683,26 +1745,28 @@ SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) { CK_RV crv; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); /* - * some buggy drivers do not fill the buffer completely, + * some buggy drivers do not fill the buffer completely, * erase the buffer first */ - PORT_Memset(info->label,' ',sizeof(info->label)); - PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); - PORT_Memset(info->model,' ',sizeof(info->model)); - PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber)); - crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info); - pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label)); + PORT_Memset(info->label, ' ', sizeof(info->label)); + PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID)); + PORT_Memset(info->model, ' ', sizeof(info->model)); + PORT_Memset(info->serialNumber, ' ', sizeof(info->serialNumber)); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, info); + pk11_zeroTerminatedToBlankPadded(info->label, sizeof(info->label)); pk11_zeroTerminatedToBlankPadded(info->manufacturerID, - sizeof(info->manufacturerID)); - pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model)); + sizeof(info->manufacturerID)); + pk11_zeroTerminatedToBlankPadded(info->model, sizeof(info->model)); pk11_zeroTerminatedToBlankPadded(info->serialNumber, - sizeof(info->serialNumber)); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + sizeof(info->serialNumber)); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -1711,18 +1775,17 @@ PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) PRBool PK11_NeedUserInit(PK11SlotInfo *slot) { - PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED) - == 0); + PRBool needUserInit = (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); if (needUserInit) { - CK_TOKEN_INFO info; - SECStatus rv; + CK_TOKEN_INFO info; + SECStatus rv; - /* see if token has been initialized off line */ - rv = PK11_GetTokenInfo(slot, &info); - if (rv == SECSuccess) { - slot->flags = info.flags; - } + /* see if token has been initialized off line */ + rv = PK11_GetTokenInfo(slot, &info); + if (rv == SECSuccess) { + slot->flags = info.flags; + } } return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); } @@ -1737,10 +1800,10 @@ static PK11SlotInfo *pk11InternalKeySlot = NULL; void pk11_SetInternalKeySlot(PK11SlotInfo *slot) { - if (pk11InternalKeySlot) { - PK11_FreeSlot(pk11InternalKeySlot); - } - pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; + if (pk11InternalKeySlot) { + PK11_FreeSlot(pk11InternalKeySlot); + } + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } /* @@ -1751,10 +1814,10 @@ pk11_SetInternalKeySlot(PK11SlotInfo *slot) void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) { - if (pk11InternalKeySlot) { - return; - } - pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; + if (pk11InternalKeySlot) { + return; + } + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } /* @@ -1763,13 +1826,12 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) PK11SlotInfo * pk11_SwapInternalKeySlot(PK11SlotInfo *slot) { - PK11SlotInfo *swap = pk11InternalKeySlot; + PK11SlotInfo *swap = pk11InternalKeySlot; - pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; - return swap; + pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; + return swap; } - /* get the internal key slot. FIPS has only one slot for both key slots and * default slots */ PK11SlotInfo * @@ -1778,30 +1840,30 @@ PK11_GetInternalKeySlot(void) SECMODModule *mod; if (pk11InternalKeySlot) { - return PK11_ReferenceSlot(pk11InternalKeySlot); + return PK11_ReferenceSlot(pk11InternalKeySlot); } mod = SECMOD_GetInternalModule(); PORT_Assert(mod != NULL); if (!mod) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; } return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]); } /* get the internal default slot */ PK11SlotInfo * -PK11_GetInternalSlot(void) +PK11_GetInternalSlot(void) { - SECMODModule * mod = SECMOD_GetInternalModule(); + SECMODModule *mod = SECMOD_GetInternalModule(); PORT_Assert(mod != NULL); if (!mod) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; } if (mod->isFIPS) { - return PK11_GetInternalKeySlot(); + return PK11_GetInternalKeySlot(); } return PK11_ReferenceSlot(mod->slots[0]); } @@ -1818,17 +1880,17 @@ PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type) * tell us we're looking form someone that has implemented get * random bits */ if (type == CKM_FAKE_RANDOM) { - return slot->hasRandom; + return slot->hasRandom; } /* for most mechanism, bypass the linear lookup */ if (type < 0x7ff) { - return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? - PR_TRUE : PR_FALSE; + return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE; } - - for (i=0; i < (int) slot->mechanismCount; i++) { - if (slot->mechanismList[i] == type) return PR_TRUE; + + for (i = 0; i < (int)slot->mechanismCount; i++) { + if (slot->mechanismList[i] == type) + return PR_TRUE; } return PR_FALSE; } @@ -1849,31 +1911,32 @@ PK11_TokenExists(CK_MECHANISM_TYPE type) int i; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return found; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return found; } /* we only need to know if there is a token that does this mechanism. - * check the internal module first because it's fast, and supports + * check the internal module first because it's fast, and supports * almost everything. */ slot = PK11_GetInternalSlot(); if (slot) { - found = PK11_DoesMechanism(slot,type); - PK11_FreeSlot(slot); + found = PK11_DoesMechanism(slot, type); + PK11_FreeSlot(slot); } - if (found) return PR_TRUE; /* bypass getting module locks */ + if (found) + return PR_TRUE; /* bypass getting module locks */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); - for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { - for (i=0; i < mlp->module->slotCount; i++) { - slot = mlp->module->slots[i]; - if (PK11_IsPresent(slot)) { - if (PK11_DoesMechanism(slot,type)) { - found = PR_TRUE; - break; - } - } - } + for (mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { + for (i = 0; i < mlp->module->slotCount; i++) { + slot = mlp->module->slots[i]; + if (PK11_IsPresent(slot)) { + if (PK11_DoesMechanism(slot, type)) { + found = PR_TRUE; + break; + } + } + } } SECMOD_ReleaseReadLock(moduleLock); return found; @@ -1886,104 +1949,108 @@ PK11_TokenExists(CK_MECHANISM_TYPE type) * the end of this list. */ PK11SlotList * -PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, +PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, void *wincx) { - PK11SlotList * list; - PK11SlotList * loginList; - PK11SlotList * friendlyList; - SECMODModuleList * mlp; - SECMODModuleList * modules; - SECMODListLock * moduleLock; - int i; -#if defined( XP_WIN32 ) - int j = 0; - PRInt32 waste[16]; + PK11SlotList *list; + PK11SlotList *loginList; + PK11SlotList *friendlyList; + SECMODModuleList *mlp; + SECMODModuleList *modules; + SECMODListLock *moduleLock; + int i; +#if defined(XP_WIN32) + int j = 0; + PRInt32 waste[16]; #endif - moduleLock = SECMOD_GetDefaultModuleListLock(); + moduleLock = SECMOD_GetDefaultModuleListLock(); if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return NULL; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; } - list = PK11_NewSlotList(); - loginList = PK11_NewSlotList(); + list = PK11_NewSlotList(); + loginList = PK11_NewSlotList(); friendlyList = PK11_NewSlotList(); - if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { - if (list) PK11_FreeSlotList(list); - if (loginList) PK11_FreeSlotList(loginList); - if (friendlyList) PK11_FreeSlotList(friendlyList); - return NULL; + if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { + if (list) + PK11_FreeSlotList(list); + if (loginList) + PK11_FreeSlotList(loginList); + if (friendlyList) + PK11_FreeSlotList(friendlyList); + return NULL; } SECMOD_GetReadLock(moduleLock); - modules = SECMOD_GetDefaultModuleList(); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - -#if defined( XP_WIN32 ) - /* This is works around some horrible cache/page thrashing problems - ** on Win32. Without this, this loop can take up to 6 seconds at - ** 100% CPU on a Pentium-Pro 200. The thing this changes is to - ** increase the size of the stack frame and modify it. - ** Moving the loop code itself seems to have no effect. - ** Dunno why this combination makes a difference, but it does. - */ - waste[ j & 0xf] = j++; + modules = SECMOD_GetDefaultModuleList(); + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + +#if defined(XP_WIN32) + /* This is works around some horrible cache/page thrashing problems + ** on Win32. Without this, this loop can take up to 6 seconds at + ** 100% CPU on a Pentium-Pro 200. The thing this changes is to + ** increase the size of the stack frame and modify it. + ** Moving the loop code itself seems to have no effect. + ** Dunno why this combination makes a difference, but it does. + */ + waste[j & 0xf] = j++; #endif - for (i = 0; i < mlp->module->slotCount; i++) { - PK11SlotInfo *slot = mlp->module->slots[i]; - - if (pk11_IsPresentCertLoad(slot, loadCerts)) { - if (needRW && slot->readOnly) continue; - if ((type == CKM_INVALID_MECHANISM) - || PK11_DoesMechanism(slot, type)) { - if (pk11_LoginStillRequired(slot,wincx)) { - if (PK11_IsFriendly(slot)) { - PK11_AddSlotToList(friendlyList, slot, PR_TRUE); - } else { - PK11_AddSlotToList(loginList, slot, PR_TRUE); - } - } else { - PK11_AddSlotToList(list, slot, PR_TRUE); - } - } - } - } + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *slot = mlp->module->slots[i]; + + if (pk11_IsPresentCertLoad(slot, loadCerts)) { + if (needRW && slot->readOnly) + continue; + if ((type == CKM_INVALID_MECHANISM) || PK11_DoesMechanism(slot, type)) { + if (pk11_LoginStillRequired(slot, wincx)) { + if (PK11_IsFriendly(slot)) { + PK11_AddSlotToList(friendlyList, slot, PR_TRUE); + } else { + PK11_AddSlotToList(loginList, slot, PR_TRUE); + } + } else { + PK11_AddSlotToList(list, slot, PR_TRUE); + } + } + } + } } SECMOD_ReleaseReadLock(moduleLock); - pk11_MoveListToList(list,friendlyList); + pk11_MoveListToList(list, friendlyList); PK11_FreeSlotList(friendlyList); - pk11_MoveListToList(list,loginList); + pk11_MoveListToList(list, loginList); PK11_FreeSlotList(loginList); return list; } /* - * NOTE: This routine is working from a private List generated by + * NOTE: This routine is working from a private List generated by * PK11_GetAllTokens. That is why it does not need to lock. */ PK11SlotList * -PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx) +PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, PRBool needRW, void *wincx) { - PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx); - PK11SlotListElement *le, *next ; + PK11SlotList *list = PK11_GetAllTokens(type, needRW, PR_TRUE, wincx); + PK11SlotListElement *le, *next; SECStatus rv; - if (list == NULL) return list; + if (list == NULL) + return list; - for (le = list->head ; le; le = next) { - next = le->next; /* save the pointer here in case we have to - * free the element later */ - rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); - if (rv != SECSuccess) { - PK11_DeleteSlotFromList(list,le); - continue; - } + for (le = list->head; le; le = next) { + next = le->next; /* save the pointer here in case we have to + * free the element later */ + rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + PK11_DeleteSlotFromList(list, le); + continue; + } } return list; } @@ -1992,8 +2059,8 @@ PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx) * returns true if the slot doesn't conform to the requested attributes */ PRBool -pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, - CK_FLAGS mechanismInfoFlags, unsigned int keySize) +pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + CK_FLAGS mechanismInfoFlags, unsigned int keySize) { CK_MECHANISM_INFO mechanism_info; CK_RV crv = CKR_OK; @@ -2001,53 +2068,52 @@ pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, /* handle the only case where we don't actually fetch the mechanisms * on the fly */ if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) { - mechanism_info.flags = slot->RSAInfoFlags; + mechanism_info.flags = slot->RSAInfoFlags; } else { - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, - &mechanism_info); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - /* if we were getting the RSA flags, save them */ - if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS) - && (!slot->hasRSAInfo)) { - slot->RSAInfoFlags = mechanism_info.flags; - slot->hasRSAInfo = PR_TRUE; - } + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, + &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + /* if we were getting the RSA flags, save them */ + if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS) && (!slot->hasRSAInfo)) { + slot->RSAInfoFlags = mechanism_info.flags; + slot->hasRSAInfo = PR_TRUE; + } } /* couldn't get the mechanism info */ - if (crv != CKR_OK ) { - return PR_TRUE; + if (crv != CKR_OK) { + return PR_TRUE; } - if (keySize && ((mechanism_info.ulMinKeySize > keySize) - || (mechanism_info.ulMaxKeySize < keySize)) ) { - /* Token can do mechanism, but not at the key size we - * want */ - return PR_TRUE; + if (keySize && ((mechanism_info.ulMinKeySize > keySize) || (mechanism_info.ulMaxKeySize < keySize))) { + /* Token can do mechanism, but not at the key size we + * want */ + return PR_TRUE; } if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) != - mechanismInfoFlags) ) { - return PR_TRUE; + mechanismInfoFlags)) { + return PR_TRUE; } return PR_FALSE; } - /* * Find the best slot which supports the given set of mechanisms and key sizes. * In normal cases this should grab the first slot on the list with no fuss. - * The size array is presumed to match one for one with the mechanism type + * The size array is presumed to match one for one with the mechanism type * array, which allows you to specify the required key size for each * mechanism in the list. Whether key size is in bits or bytes is mechanism - * dependent. Typically asymetric keys are in bits and symetric keys are in + * dependent. Typically asymetric keys are in bits and symetric keys are in * bytes. */ PK11SlotInfo * -PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, - CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, - unsigned int mech_count, void *wincx) +PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, + CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, + unsigned int mech_count, void *wincx) { PK11SlotList *list = NULL; - PK11SlotListElement *le ; + PK11SlotListElement *le; PK11SlotInfo *slot = NULL; PRBool freeit = PR_FALSE; PRBool listNeedLogin = PR_FALSE; @@ -2057,81 +2123,86 @@ PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, list = PK11_GetSlotList(type[0]); if ((list == NULL) || (list->head == NULL)) { - /* We need to look up all the tokens for the mechanism */ - list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx); - freeit = PR_TRUE; + /* We need to look up all the tokens for the mechanism */ + list = PK11_GetAllTokens(type[0], PR_FALSE, PR_TRUE, wincx); + freeit = PR_TRUE; } /* no one can do it! */ if (list == NULL) { - PORT_SetError(SEC_ERROR_NO_TOKEN); - return NULL; + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; } PORT_SetError(0); - listNeedLogin = PR_FALSE; - for (i=0; i < mech_count; i++) { - if ((type[i] != CKM_FAKE_RANDOM) && - (type[i] != CKM_SHA_1) && - (type[i] != CKM_SHA224) && - (type[i] != CKM_SHA256) && - (type[i] != CKM_SHA384) && - (type[i] != CKM_SHA512) && - (type[i] != CKM_MD5) && - (type[i] != CKM_MD2)) { - listNeedLogin = PR_TRUE; - break; - } + for (i = 0; i < mech_count; i++) { + if ((type[i] != CKM_FAKE_RANDOM) && + (type[i] != CKM_SHA_1) && + (type[i] != CKM_SHA224) && + (type[i] != CKM_SHA256) && + (type[i] != CKM_SHA384) && + (type[i] != CKM_SHA512) && + (type[i] != CKM_MD5) && + (type[i] != CKM_MD2)) { + listNeedLogin = PR_TRUE; + break; + } } for (le = PK11_GetFirstSafe(list); le; - le = PK11_GetNextSafe(list,le,PR_TRUE)) { - if (PK11_IsPresent(le->slot)) { - PRBool doExit = PR_FALSE; - for (i=0; i < mech_count; i++) { - if (!PK11_DoesMechanism(le->slot,type[i])) { - doExit = PR_TRUE; - break; - } - if ((mechanismInfoFlags && mechanismInfoFlags[i]) || - (keySize && keySize[i])) { - if (pk11_filterSlot(le->slot, type[i], - mechanismInfoFlags ? mechanismInfoFlags[i] : 0, - keySize ? keySize[i] : 0)) { - doExit = PR_TRUE; - break; - } - } - } - - if (doExit) continue; - - if (listNeedLogin && le->slot->needLogin) { - rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); - if (rv != SECSuccess) continue; - } - slot = le->slot; - PK11_ReferenceSlot(slot); - PK11_FreeSlotListElement(list,le); - if (freeit) { PK11_FreeSlotList(list); } - return slot; - } - } - if (freeit) { PK11_FreeSlotList(list); } + le = PK11_GetNextSafe(list, le, PR_TRUE)) { + if (PK11_IsPresent(le->slot)) { + PRBool doExit = PR_FALSE; + for (i = 0; i < mech_count; i++) { + if (!PK11_DoesMechanism(le->slot, type[i])) { + doExit = PR_TRUE; + break; + } + if ((mechanismInfoFlags && mechanismInfoFlags[i]) || + (keySize && keySize[i])) { + if (pk11_filterSlot(le->slot, type[i], + mechanismInfoFlags ? mechanismInfoFlags[i] : 0, + keySize ? keySize[i] : 0)) { + doExit = PR_TRUE; + break; + } + } + } + + if (doExit) + continue; + + if (listNeedLogin && le->slot->needLogin) { + rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); + if (rv != SECSuccess) + continue; + } + slot = le->slot; + PK11_ReferenceSlot(slot); + PK11_FreeSlotListElement(list, le); + if (freeit) { + PK11_FreeSlotList(list); + } + return slot; + } + } + if (freeit) { + PK11_FreeSlotList(list); + } if (PORT_GetError() == 0) { - PORT_SetError(SEC_ERROR_NO_TOKEN); + PORT_SetError(SEC_ERROR_NO_TOKEN); } return NULL; } PK11SlotInfo * -PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, - unsigned int mech_count, void *wincx) +PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, + unsigned int mech_count, void *wincx) { - return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL, - mech_count, wincx); + return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL, + mech_count, wincx); } /* original get best slot now calls the multiple version with only one type */ @@ -2143,30 +2214,32 @@ PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx) PK11SlotInfo * PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags, - unsigned int keySize, void *wincx) + unsigned int keySize, void *wincx) { return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags, - &keySize, 1, wincx); + &keySize, 1, wincx); } int -PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism) +PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism) { CK_MECHANISM_INFO mechanism_info; CK_RV crv; - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - mechanism,&mechanism_info); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - if (crv != CKR_OK) return 0; - - if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) - return 0; + mechanism, &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) + return 0; + + if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) + return 0; return mechanism_info.ulMaxKeySize; } - /* * This function uses the existing PKCS #11 module to find the * longest supported key length in the preferred token for a mechanism. @@ -2183,73 +2256,77 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism) { CK_MECHANISM_INFO mechanism_info; PK11SlotList *list = NULL; - PK11SlotListElement *le ; + PK11SlotListElement *le; PRBool freeit = PR_FALSE; int keyLength = 0; list = PK11_GetSlotList(mechanism); if ((list == NULL) || (list->head == NULL)) { - /* We need to look up all the tokens for the mechanism */ - list = PK11_GetAllTokens(mechanism,PR_FALSE,PR_FALSE,NULL); - freeit = PR_TRUE; + /* We need to look up all the tokens for the mechanism */ + list = PK11_GetAllTokens(mechanism, PR_FALSE, PR_FALSE, NULL); + freeit = PR_TRUE; } /* no tokens recognize this mechanism */ if (list == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return 0; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return 0; } for (le = PK11_GetFirstSafe(list); le; - le = PK11_GetNextSafe(list,le,PR_TRUE)) { - PK11SlotInfo *slot = le->slot; - CK_RV crv; - if (PK11_IsPresent(slot)) { - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - mechanism,&mechanism_info); - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); - if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0) - && (mechanism_info.ulMaxKeySize != 0xffffffff)) { - keyLength = mechanism_info.ulMaxKeySize; - break; - } - } - } - if (le) - PK11_FreeSlotListElement(list, le); - if (freeit) - PK11_FreeSlotList(list); + le = PK11_GetNextSafe(list, le, PR_TRUE)) { + PK11SlotInfo *slot = le->slot; + CK_RV crv; + if (PK11_IsPresent(slot)) { + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, + mechanism, &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0) && (mechanism_info.ulMaxKeySize != 0xffffffff)) { + keyLength = mechanism_info.ulMaxKeySize; + break; + } + } + } + if (le) + PK11_FreeSlotListElement(list, le); + if (freeit) + PK11_FreeSlotList(list); return keyLength; } SECStatus -PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) { +PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) +{ CK_RV crv; PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } - SECStatus -PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) { +PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) +{ CK_RV crv; - if (!slot->isInternal) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, - (CK_ULONG)len); - if (!slot->isInternal) PK11_ExitSlotMonitor(slot); + if (!slot->isInternal) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, data, + (CK_ULONG)len); + if (!slot->isInternal) + PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECSuccess; } @@ -2263,14 +2340,14 @@ SECStatus PK11_RandomUpdate(void *data, size_t bytes) { PK11SlotInfo *slot; - PRBool bestIsInternal; - SECStatus status; + PRBool bestIsInternal; + SECStatus status; slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); if (slot == NULL) { - slot = PK11_GetInternalSlot(); - if (!slot) - return SECFailure; + slot = PK11_GetInternalSlot(); + if (!slot) + return SECFailure; } bestIsInternal = PK11_IsInternal(slot); @@ -2278,22 +2355,23 @@ PK11_RandomUpdate(void *data, size_t bytes) PK11_FreeSlot(slot); if (!bestIsInternal) { - /* do internal slot, too. */ - slot = PK11_GetInternalSlot(); /* can't fail */ - status = PK11_SeedRandom(slot, data, bytes); - PK11_FreeSlot(slot); + /* do internal slot, too. */ + slot = PK11_GetInternalSlot(); /* can't fail */ + status = PK11_SeedRandom(slot, data, bytes); + PK11_FreeSlot(slot); } return status; } - SECStatus -PK11_GenerateRandom(unsigned char *data,int len) { +PK11_GenerateRandom(unsigned char *data, int len) +{ PK11SlotInfo *slot; SECStatus rv; - slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL); - if (slot == NULL) return SECFailure; + slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); + if (slot == NULL) + return SECFailure; rv = PK11_GenerateRandomOnSlot(slot, data, len); PK11_FreeSlot(slot); @@ -2304,7 +2382,7 @@ PK11_GenerateRandom(unsigned char *data,int len) { * Reset the token to it's initial state. For the internal module, this will * Purge your keydb, and reset your cert db certs to USER_INIT. */ -SECStatus +SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) { unsigned char tokenName[32]; @@ -2314,92 +2392,93 @@ PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) /* reconstruct the token name */ tokenNameLen = PORT_Strlen(slot->token_name); if (tokenNameLen > sizeof(tokenName)) { - tokenNameLen = sizeof(tokenName); + tokenNameLen = sizeof(tokenName); } - PORT_Memcpy(tokenName,slot->token_name,tokenNameLen); + PORT_Memcpy(tokenName, slot->token_name, tokenNameLen); if (tokenNameLen < sizeof(tokenName)) { - PORT_Memset(&tokenName[tokenNameLen],' ', - sizeof(tokenName)-tokenNameLen); + PORT_Memset(&tokenName[tokenNameLen], ' ', + sizeof(tokenName) - tokenNameLen); } - /* initialize the token */ + /* initialize the token */ PK11_EnterSlotMonitor(slot); /* first shutdown the token. Existing sessions will get closed here */ - PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); + PK11_GETTAB(slot) + ->C_CloseAllSessions(slot->slotID); slot->session = CK_INVALID_SESSION; - /* now re-init the token */ + /* now re-init the token */ crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID, - (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName); + (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd) : 0, tokenName); /* finally bring the token back up */ - PK11_InitToken(slot,PR_TRUE); + PK11_InitToken(slot, PR_TRUE); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, - slot->nssToken); + slot->nssToken); return SECSuccess; } void -PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) +PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) { sl->nssToken = nsst; } NSSToken * -PK11Slot_GetNSSToken(PK11SlotInfo *sl) +PK11Slot_GetNSSToken(PK11SlotInfo *sl) { return sl->nssToken; } /* * wait for a token to change it's state. The application passes in the expected - * new state in event. + * new state in event. */ PK11TokenStatus -PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, - PRIntervalTime timeout, PRIntervalTime latency, int series) -{ - PRIntervalTime first_time = 0; - PRBool first_time_set = PR_FALSE; - PRBool waitForRemoval; - - if (slot->isPerm) { - return PK11TokenNotRemovable; - } - if (latency == 0) { - latency = PR_SecondsToInterval(5); - } - waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent); - - if (series == 0) { - series = PK11_GetSlotSeries(slot); - } - while (PK11_IsPresent(slot) == waitForRemoval ) { - PRIntervalTime interval; - - if (waitForRemoval && series != PK11_GetSlotSeries(slot)) { - return PK11TokenChanged; - } - if (timeout == PR_INTERVAL_NO_WAIT) { - return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; - } - if (timeout != PR_INTERVAL_NO_TIMEOUT ) { - interval = PR_IntervalNow(); - if (!first_time_set) { - first_time = interval; - first_time_set = PR_TRUE; - } - if ((interval-first_time) > timeout) { - return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; - } - } - PR_Sleep(latency); - } - return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent; +PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, + PRIntervalTime timeout, PRIntervalTime latency, int series) +{ + PRIntervalTime first_time = 0; + PRBool first_time_set = PR_FALSE; + PRBool waitForRemoval; + + if (slot->isPerm) { + return PK11TokenNotRemovable; + } + if (latency == 0) { + latency = PR_SecondsToInterval(5); + } + waitForRemoval = (PRBool)(event == PK11TokenRemovedOrChangedEvent); + + if (series == 0) { + series = PK11_GetSlotSeries(slot); + } + while (PK11_IsPresent(slot) == waitForRemoval) { + PRIntervalTime interval; + + if (waitForRemoval && series != PK11_GetSlotSeries(slot)) { + return PK11TokenChanged; + } + if (timeout == PR_INTERVAL_NO_WAIT) { + return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; + } + if (timeout != PR_INTERVAL_NO_TIMEOUT) { + interval = PR_IntervalNow(); + if (!first_time_set) { + first_time = interval; + first_time_set = PR_TRUE; + } + if ((interval - first_time) > timeout) { + return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; + } + } + PR_Sleep(latency); + } + return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent; } diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c index 4a384ad..9636b07 100644 --- a/nss/lib/pk11wrap/pk11util.c +++ b/nss/lib/pk11wrap/pk11util.c @@ -17,12 +17,12 @@ /* these are for displaying error messages */ -static SECMODModuleList *modules = NULL; -static SECMODModuleList *modulesDB = NULL; -static SECMODModuleList *modulesUnload = NULL; -static SECMODModule *internalModule = NULL; -static SECMODModule *defaultDBModule = NULL; -static SECMODModule *pendingModule = NULL; +static SECMODModuleList *modules = NULL; +static SECMODModuleList *modulesDB = NULL; +static SECMODModuleList *modulesUnload = NULL; +static SECMODModule *internalModule = NULL; +static SECMODModule *defaultDBModule = NULL; +static SECMODModule *pendingModule = NULL; static SECMODListLock *moduleLock = NULL; int secmod_PrivateModuleCount = 0; @@ -30,52 +30,51 @@ int secmod_PrivateModuleCount = 0; extern const PK11DefaultArrayEntry PK11_DefaultArray[]; extern const int num_pk11_default_mechanisms; - void -SECMOD_Init() +SECMOD_Init() { /* don't initialize twice */ - if (moduleLock) return; + if (moduleLock) + return; moduleLock = SECMOD_NewListLock(); PK11_InitSlotLists(); } - SECStatus -SECMOD_Shutdown() +SECMOD_Shutdown() { /* destroy the lock */ if (moduleLock) { - SECMOD_DestroyListLock(moduleLock); - moduleLock = NULL; + SECMOD_DestroyListLock(moduleLock); + moduleLock = NULL; } /* free the internal module */ if (internalModule) { - SECMOD_DestroyModule(internalModule); - internalModule = NULL; + SECMOD_DestroyModule(internalModule); + internalModule = NULL; } /* free the default database module */ if (defaultDBModule) { - SECMOD_DestroyModule(defaultDBModule); - defaultDBModule = NULL; + SECMOD_DestroyModule(defaultDBModule); + defaultDBModule = NULL; } - + /* destroy the list */ if (modules) { - SECMOD_DestroyModuleList(modules); - modules = NULL; + SECMOD_DestroyModuleList(modules); + modules = NULL; } - + if (modulesDB) { - SECMOD_DestroyModuleList(modulesDB); - modulesDB = NULL; + SECMOD_DestroyModuleList(modulesDB); + modulesDB = NULL; } if (modulesUnload) { - SECMOD_DestroyModuleList(modulesUnload); - modulesUnload = NULL; + SECMOD_DestroyModuleList(modulesUnload); + modulesUnload = NULL; } /* make all the slots and the lists go away */ @@ -84,36 +83,34 @@ SECMOD_Shutdown() nss_DumpModuleLog(); #ifdef DEBUG - if (PR_GetEnv("NSS_STRICT_SHUTDOWN")) { - PORT_Assert(secmod_PrivateModuleCount == 0); + if (PR_GetEnvSecure("NSS_STRICT_SHUTDOWN")) { + PORT_Assert(secmod_PrivateModuleCount == 0); } #endif if (secmod_PrivateModuleCount) { - PORT_SetError(SEC_ERROR_BUSY); - return SECFailure; + PORT_SetError(SEC_ERROR_BUSY); + return SECFailure; } return SECSuccess; } - /* * retrieve the internal module */ SECMODModule * SECMOD_GetInternalModule(void) { - return internalModule; + return internalModule; } - SECStatus -secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) +secmod_AddModuleToList(SECMODModuleList **moduleList, SECMODModule *newModule) { SECMODModuleList *mlp, *newListElement, *last = NULL; newListElement = SECMOD_NewModuleListElement(); if (newListElement == NULL) { - return SECFailure; + return SECFailure; } newListElement->module = SECMOD_ReferenceModule(newModule); @@ -122,14 +119,14 @@ secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) /* Added it to the end (This is very inefficient, but Adding a module * on the fly should happen maybe 2-3 times through the life this program * on a given computer, and this list should be *SHORT*. */ - for(mlp = *moduleList; mlp != NULL; mlp = mlp->next) { - last = mlp; + for (mlp = *moduleList; mlp != NULL; mlp = mlp->next) { + last = mlp; } if (last == NULL) { - *moduleList = newListElement; + *moduleList = newListElement; } else { - SECMOD_AddList(last,newListElement,NULL); + SECMOD_AddList(last, newListElement, NULL); } SECMOD_ReleaseWriteLock(moduleLock); return SECSuccess; @@ -139,50 +136,64 @@ SECStatus SECMOD_AddModuleToList(SECMODModule *newModule) { if (newModule->internal && !internalModule) { - internalModule = SECMOD_ReferenceModule(newModule); + internalModule = SECMOD_ReferenceModule(newModule); } - return secmod_AddModuleToList(&modules,newModule); + return secmod_AddModuleToList(&modules, newModule); } SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule) { if (defaultDBModule && SECMOD_GetDefaultModDBFlag(newModule)) { - SECMOD_DestroyModule(defaultDBModule); - defaultDBModule = SECMOD_ReferenceModule(newModule); + SECMOD_DestroyModule(defaultDBModule); + defaultDBModule = SECMOD_ReferenceModule(newModule); } else if (defaultDBModule == NULL) { - defaultDBModule = SECMOD_ReferenceModule(newModule); + defaultDBModule = SECMOD_ReferenceModule(newModule); } - return secmod_AddModuleToList(&modulesDB,newModule); + return secmod_AddModuleToList(&modulesDB, newModule); } SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule) { - return secmod_AddModuleToList(&modulesUnload,newModule); + return secmod_AddModuleToList(&modulesUnload, newModule); } /* * get the list of PKCS11 modules that are available. */ -SECMODModuleList * SECMOD_GetDefaultModuleList() { return modules; } -SECMODModuleList *SECMOD_GetDeadModuleList() { return modulesUnload; } -SECMODModuleList *SECMOD_GetDBModuleList() { return modulesDB; } +SECMODModuleList * +SECMOD_GetDefaultModuleList() +{ + return modules; +} +SECMODModuleList * +SECMOD_GetDeadModuleList() +{ + return modulesUnload; +} +SECMODModuleList * +SECMOD_GetDBModuleList() +{ + return modulesDB; +} /* * This lock protects the global module lists. - * it also protects changes to the slot array (module->slots[]) and slot count - * (module->slotCount) in each module. It is a read/write lock with multiple - * readers or one writer. Writes are uncommon. - * Because of legacy considerations protection of the slot array and count is - * only necessary in applications if the application calls + * it also protects changes to the slot array (module->slots[]) and slot count + * (module->slotCount) in each module. It is a read/write lock with multiple + * readers or one writer. Writes are uncommon. + * Because of legacy considerations protection of the slot array and count is + * only necessary in applications if the application calls * SECMOD_UpdateSlotList() or SECMOD_WaitForAnyTokenEvent(), though all new * applications are encouraged to acquire this lock when reading the * slot array information directly. */ -SECMODListLock *SECMOD_GetDefaultModuleListLock() { return moduleLock; } - - +SECMODListLock * +SECMOD_GetDefaultModuleListLock() +{ + return moduleLock; +} /* * find a module by name, and add a reference to it. @@ -195,26 +206,26 @@ SECMOD_FindModule(const char *name) SECMODModule *module = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return module; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return module; } SECMOD_GetReadLock(moduleLock); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - if (PORT_Strcmp(name,mlp->module->commonName) == 0) { - module = mlp->module; - SECMOD_ReferenceModule(module); - break; - } + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + if (PORT_Strcmp(name, mlp->module->commonName) == 0) { + module = mlp->module; + SECMOD_ReferenceModule(module); + break; + } } if (module) { - goto found; + goto found; } - for(mlp = modulesUnload; mlp != NULL; mlp = mlp->next) { - if (PORT_Strcmp(name,mlp->module->commonName) == 0) { - module = mlp->module; - SECMOD_ReferenceModule(module); - break; - } + for (mlp = modulesUnload; mlp != NULL; mlp = mlp->next) { + if (PORT_Strcmp(name, mlp->module->commonName) == 0) { + module = mlp->module; + SECMOD_ReferenceModule(module); + break; + } } found: @@ -228,26 +239,26 @@ found: * return that module. */ SECMODModule * -SECMOD_FindModuleByID(SECMODModuleID id) +SECMOD_FindModuleByID(SECMODModuleID id) { SECMODModuleList *mlp; SECMODModule *module = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return module; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return module; } SECMOD_GetReadLock(moduleLock); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - if (id == mlp->module->moduleID) { - module = mlp->module; - SECMOD_ReferenceModule(module); - break; - } + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + if (id == mlp->module->moduleID) { + module = mlp->module; + SECMOD_ReferenceModule(module); + break; + } } SECMOD_ReleaseReadLock(moduleLock); if (module == NULL) { - PORT_SetError(SEC_ERROR_NO_MODULE); + PORT_SetError(SEC_ERROR_NO_MODULE); } return module; } @@ -256,26 +267,26 @@ SECMOD_FindModuleByID(SECMODModuleID id) * find the function pointer. */ SECMODModule * -secmod_FindModuleByFuncPtr(void *funcPtr) +secmod_FindModuleByFuncPtr(void *funcPtr) { SECMODModuleList *mlp; SECMODModule *module = NULL; SECMOD_GetReadLock(moduleLock); - for(mlp = modules; mlp != NULL; mlp = mlp->next) { - /* paranoia, shouldn't ever happen */ - if (!mlp->module) { - continue; - } - if (funcPtr == mlp->module->functionList) { - module = mlp->module; - SECMOD_ReferenceModule(module); - break; - } + for (mlp = modules; mlp != NULL; mlp = mlp->next) { + /* paranoia, shouldn't ever happen */ + if (!mlp->module) { + continue; + } + if (funcPtr == mlp->module->functionList) { + module = mlp->module; + SECMOD_ReferenceModule(module); + break; + } } SECMOD_ReleaseReadLock(moduleLock); if (module == NULL) { - PORT_SetError(SEC_ERROR_NO_MODULE); + PORT_SetError(SEC_ERROR_NO_MODULE); } return module; } @@ -290,22 +301,22 @@ SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID) PK11SlotInfo *slot = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return slot; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return slot; } SECMOD_GetReadLock(moduleLock); - for (i=0; i < module->slotCount; i++) { - PK11SlotInfo *cSlot = module->slots[i]; + for (i = 0; i < module->slotCount; i++) { + PK11SlotInfo *cSlot = module->slots[i]; - if (cSlot->slotID == slotID) { - slot = PK11_ReferenceSlot(cSlot); - break; - } + if (cSlot->slotID == slotID) { + slot = PK11_ReferenceSlot(cSlot); + break; + } } SECMOD_ReleaseReadLock(moduleLock); if (slot == NULL) { - PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); + PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); } return slot; } @@ -314,86 +325,85 @@ SECMOD_FindSlotByID(SECMODModule *module, CK_SLOT_ID slotID) * lookup the Slot module based on it's module ID and slot ID. */ PK11SlotInfo * -SECMOD_LookupSlot(SECMODModuleID moduleID,CK_SLOT_ID slotID) +SECMOD_LookupSlot(SECMODModuleID moduleID, CK_SLOT_ID slotID) { SECMODModule *module; PK11SlotInfo *slot; module = SECMOD_FindModuleByID(moduleID); - if (module == NULL) return NULL; + if (module == NULL) + return NULL; slot = SECMOD_FindSlotByID(module, slotID); SECMOD_DestroyModule(module); return slot; } - /* * find a module by name or module pointer and delete it off the module list. * optionally remove it from secmod.db. */ SECStatus -SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, - int *type, PRBool permdb) +SECMOD_DeleteModuleEx(const char *name, SECMODModule *mod, + int *type, PRBool permdb) { SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return rv; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return rv; } *type = SECMOD_EXTERNAL; SECMOD_GetWriteLock(moduleLock); - for (mlpp = &modules,mlp = modules; - mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { - if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) || - mod == mlp->module) { - /* don't delete the internal module */ - if (!mlp->module->internal) { - SECMOD_RemoveList(mlpp,mlp); - /* delete it after we release the lock */ - rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); - } else if (mlp->module->isFIPS) { - *type = SECMOD_FIPS; - } else { - *type = SECMOD_INTERNAL; - } - break; - } + for (mlpp = &modules, mlp = modules; + mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { + if ((name && (PORT_Strcmp(name, mlp->module->commonName) == 0)) || + mod == mlp->module) { + /* don't delete the internal module */ + if (!mlp->module->internal) { + SECMOD_RemoveList(mlpp, mlp); + /* delete it after we release the lock */ + rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); + } else if (mlp->module->isFIPS) { + *type = SECMOD_FIPS; + } else { + *type = SECMOD_INTERNAL; + } + break; + } } if (mlp) { - goto found; + goto found; } /* not on the internal list, check the unload list */ - for (mlpp = &modulesUnload,mlp = modulesUnload; - mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { - if ((name && (PORT_Strcmp(name,mlp->module->commonName) == 0)) || - mod == mlp->module) { - /* don't delete the internal module */ - if (!mlp->module->internal) { - SECMOD_RemoveList(mlpp,mlp); - rv = SECSuccess; - } else if (mlp->module->isFIPS) { - *type = SECMOD_FIPS; - } else { - *type = SECMOD_INTERNAL; - } - break; - } + for (mlpp = &modulesUnload, mlp = modulesUnload; + mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { + if ((name && (PORT_Strcmp(name, mlp->module->commonName) == 0)) || + mod == mlp->module) { + /* don't delete the internal module */ + if (!mlp->module->internal) { + SECMOD_RemoveList(mlpp, mlp); + rv = SECSuccess; + } else if (mlp->module->isFIPS) { + *type = SECMOD_FIPS; + } else { + *type = SECMOD_INTERNAL; + } + break; + } } found: SECMOD_ReleaseWriteLock(moduleLock); - if (rv == SECSuccess) { - if (permdb) { - SECMOD_DeletePermDB(mlp->module); - } - SECMOD_DestroyModuleListElement(mlp); + if (permdb) { + SECMOD_DeletePermDB(mlp->module); + } + SECMOD_DestroyModuleListElement(mlp); } return rv; } @@ -402,7 +412,7 @@ found: * find a module by name and delete it off the module list */ SECStatus -SECMOD_DeleteModule(const char *name, int *type) +SECMOD_DeleteModule(const char *name, int *type) { return SECMOD_DeleteModuleEx(name, NULL, type, PR_TRUE); } @@ -411,96 +421,96 @@ SECMOD_DeleteModule(const char *name, int *type) * find a module by name and delete it off the module list */ SECStatus -SECMOD_DeleteInternalModule(const char *name) +SECMOD_DeleteInternalModule(const char *name) { SECMODModuleList *mlp; SECMODModuleList **mlpp; SECStatus rv = SECFailure; if (pendingModule) { - PORT_SetError(SEC_ERROR_MODULE_STUCK); - return rv; + PORT_SetError(SEC_ERROR_MODULE_STUCK); + return rv; } if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return rv; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return rv; } SECMOD_GetWriteLock(moduleLock); - for(mlpp = &modules,mlp = modules; - mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { - if (PORT_Strcmp(name,mlp->module->commonName) == 0) { - /* don't delete the internal module */ - if (mlp->module->internal) { - SECMOD_RemoveList(mlpp,mlp); - rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); - } - break; - } + for (mlpp = &modules, mlp = modules; + mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) { + if (PORT_Strcmp(name, mlp->module->commonName) == 0) { + /* don't delete the internal module */ + if (mlp->module->internal) { + SECMOD_RemoveList(mlpp, mlp); + rv = STAN_RemoveModuleFromDefaultTrustDomain(mlp->module); + } + break; + } } SECMOD_ReleaseWriteLock(moduleLock); if (rv == SECSuccess) { - SECMODModule *newModule,*oldModule; - - if (mlp->module->isFIPS) { - newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME, - NULL, SECMOD_INT_FLAGS); - } else { - newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME, - NULL, SECMOD_FIPS_FLAGS); - } - if (newModule) { - PK11SlotInfo *slot; - newModule->libraryParams = - PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams); - /* if an explicit internal key slot has been set, reset it */ - slot = pk11_SwapInternalKeySlot(NULL); - if (slot) { - secmod_SetInternalKeySlotFlag(newModule, PR_TRUE); - } - rv = SECMOD_AddModule(newModule); - if (rv != SECSuccess) { - /* load failed, restore the internal key slot */ - pk11_SetInternalKeySlot(slot); - SECMOD_DestroyModule(newModule); - newModule = NULL; - } - /* free the old explicit internal key slot, we now have a new one */ - if (slot) { - PK11_FreeSlot(slot); - } - } - if (newModule == NULL) { - SECMODModuleList *last = NULL,*mlp2; - /* we're in pretty deep trouble if this happens...Security - * not going to work well... try to put the old module back on - * the list */ - SECMOD_GetWriteLock(moduleLock); - for(mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) { - last = mlp2; - } - - if (last == NULL) { - modules = mlp; - } else { - SECMOD_AddList(last,mlp,NULL); - } - SECMOD_ReleaseWriteLock(moduleLock); - return SECFailure; - } - pendingModule = oldModule = internalModule; - internalModule = NULL; - SECMOD_DestroyModule(oldModule); - SECMOD_DeletePermDB(mlp->module); - SECMOD_DestroyModuleListElement(mlp); - internalModule = newModule; /* adopt the module */ + SECMODModule *newModule, *oldModule; + + if (mlp->module->isFIPS) { + newModule = SECMOD_CreateModule(NULL, SECMOD_INT_NAME, + NULL, SECMOD_INT_FLAGS); + } else { + newModule = SECMOD_CreateModule(NULL, SECMOD_FIPS_NAME, + NULL, SECMOD_FIPS_FLAGS); + } + if (newModule) { + PK11SlotInfo *slot; + newModule->libraryParams = + PORT_ArenaStrdup(newModule->arena, mlp->module->libraryParams); + /* if an explicit internal key slot has been set, reset it */ + slot = pk11_SwapInternalKeySlot(NULL); + if (slot) { + secmod_SetInternalKeySlotFlag(newModule, PR_TRUE); + } + rv = SECMOD_AddModule(newModule); + if (rv != SECSuccess) { + /* load failed, restore the internal key slot */ + pk11_SetInternalKeySlot(slot); + SECMOD_DestroyModule(newModule); + newModule = NULL; + } + /* free the old explicit internal key slot, we now have a new one */ + if (slot) { + PK11_FreeSlot(slot); + } + } + if (newModule == NULL) { + SECMODModuleList *last = NULL, *mlp2; + /* we're in pretty deep trouble if this happens...Security + * not going to work well... try to put the old module back on + * the list */ + SECMOD_GetWriteLock(moduleLock); + for (mlp2 = modules; mlp2 != NULL; mlp2 = mlp->next) { + last = mlp2; + } + + if (last == NULL) { + modules = mlp; + } else { + SECMOD_AddList(last, mlp, NULL); + } + SECMOD_ReleaseWriteLock(moduleLock); + return SECFailure; + } + pendingModule = oldModule = internalModule; + internalModule = NULL; + SECMOD_DestroyModule(oldModule); + SECMOD_DeletePermDB(mlp->module); + SECMOD_DestroyModuleListElement(mlp); + internalModule = newModule; /* adopt the module */ } return rv; } SECStatus -SECMOD_AddModule(SECMODModule *newModule) +SECMOD_AddModule(SECMODModule *newModule) { SECStatus rv; SECMODModule *oldModule; @@ -511,18 +521,18 @@ SECMOD_AddModule(SECMODModule *newModule) /* SECDublicateModule, but to minimize ripples, I'll */ /* give SECWouldBlock a new meaning */ if ((oldModule = SECMOD_FindModule(newModule->commonName)) != NULL) { - SECMOD_DestroyModule(oldModule); + SECMOD_DestroyModule(oldModule); return SECWouldBlock; /* module already exists. */ } rv = secmod_LoadPKCS11Module(newModule, NULL); if (rv != SECSuccess) { - return rv; + return rv; } if (newModule->parent == NULL) { - newModule->parent = SECMOD_ReferenceModule(defaultDBModule); + newModule->parent = SECMOD_ReferenceModule(defaultDBModule); } SECMOD_AddPermDB(newModule); @@ -534,48 +544,49 @@ SECMOD_AddModule(SECMODModule *newModule) } PK11SlotInfo * -SECMOD_FindSlot(SECMODModule *module,const char *name) +SECMOD_FindSlot(SECMODModule *module, const char *name) { int i; char *string; PK11SlotInfo *retSlot = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return retSlot; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return retSlot; } SECMOD_GetReadLock(moduleLock); - for (i=0; i < module->slotCount; i++) { - PK11SlotInfo *slot = module->slots[i]; - - if (PK11_IsPresent(slot)) { - string = PK11_GetTokenName(slot); - } else { - string = PK11_GetSlotName(slot); - } - if (PORT_Strcmp(name,string) == 0) { - retSlot = PK11_ReferenceSlot(slot); - break; - } + for (i = 0; i < module->slotCount; i++) { + PK11SlotInfo *slot = module->slots[i]; + + if (PK11_IsPresent(slot)) { + string = PK11_GetTokenName(slot); + } else { + string = PK11_GetSlotName(slot); + } + if (PORT_Strcmp(name, string) == 0) { + retSlot = PK11_ReferenceSlot(slot); + break; + } } SECMOD_ReleaseReadLock(moduleLock); if (retSlot == NULL) { - PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); + PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); } return retSlot; } SECStatus -PK11_GetModInfo(SECMODModule *mod,CK_INFO *info) +PK11_GetModInfo(SECMODModule *mod, CK_INFO *info) { CK_RV crv; - if (mod->functionList == NULL) return SECFailure; + if (mod->functionList == NULL) + return SECFailure; crv = PK11_GETTAB(mod)->C_GetInfo(info); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - } + PORT_SetError(PK11_MapError(crv)); + } return (crv == CKR_OK) ? SECSuccess : SECFailure; } @@ -589,7 +600,7 @@ PK11_IsFIPS(void) SECMODModule *mod = SECMOD_GetInternalModule(); if (mod && mod->internal) { - return mod->isFIPS; + return mod->isFIPS; } return PR_FALSE; @@ -598,27 +609,27 @@ PK11_IsFIPS(void) /* combines NewModule() & AddModule */ /* give a string for the module name & the full-path for the dll, */ /* installs the PKCS11 module & update registry */ -SECStatus -SECMOD_AddNewModuleEx(const char* moduleName, const char* dllPath, - unsigned long defaultMechanismFlags, - unsigned long cipherEnableFlags, - char* modparms, char* nssparms) +SECStatus +SECMOD_AddNewModuleEx(const char *moduleName, const char *dllPath, + unsigned long defaultMechanismFlags, + unsigned long cipherEnableFlags, + char *modparms, char *nssparms) { SECMODModule *module; SECStatus result = SECFailure; - int s,i; - PK11SlotInfo* slot; + int s, i; + PK11SlotInfo *slot; PR_SetErrorText(0, NULL); if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return result; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return result; } module = SECMOD_CreateModule(dllPath, moduleName, modparms, nssparms); if (module == NULL) { - return result; + return result; } if (module->dllName != NULL) { @@ -628,29 +639,33 @@ SECMOD_AddNewModuleEx(const char* moduleName, const char* dllPath, /* turn on SSL cipher enable flags */ module->ssl[0] = cipherEnableFlags; - SECMOD_GetReadLock(moduleLock); + SECMOD_GetReadLock(moduleLock); /* check each slot to turn on appropriate mechanisms */ for (s = 0; s < module->slotCount; s++) { slot = (module->slots)[s]; /* for each possible mechanism */ - for (i=0; i < num_pk11_default_mechanisms; i++) { + for (i = 0; i < num_pk11_default_mechanisms; i++) { /* we are told to turn it on by default ? */ - PRBool add = - (PK11_DefaultArray[i].flag & defaultMechanismFlags) ? - PR_TRUE: PR_FALSE; - result = PK11_UpdateSlotAttribute(slot, - &(PK11_DefaultArray[i]), add); + PRBool add = + (PK11_DefaultArray[i].flag & defaultMechanismFlags) ? PR_TRUE : PR_FALSE; + result = PK11_UpdateSlotAttribute(slot, + &(PK11_DefaultArray[i]), add); + if (result != SECSuccess) { + SECMOD_ReleaseReadLock(moduleLock); + SECMOD_DestroyModule(module); + return result; + } } /* for each mechanism */ /* disable each slot if the defaultFlags say so */ if (defaultMechanismFlags & PK11_DISABLE_FLAG) { PK11_UserDisableSlot(slot); } } /* for each slot of this module */ - SECMOD_ReleaseReadLock(moduleLock); + SECMOD_ReleaseReadLock(moduleLock); - /* delete and re-add module in order to save changes - * to the module */ - result = SECMOD_UpdateModule(module); + /* delete and re-add module in order to save changes + * to the module */ + result = SECMOD_UpdateModule(module); } } } @@ -658,25 +673,25 @@ SECMOD_AddNewModuleEx(const char* moduleName, const char* dllPath, return result; } -SECStatus -SECMOD_AddNewModule(const char* moduleName, const char* dllPath, - unsigned long defaultMechanismFlags, - unsigned long cipherEnableFlags) +SECStatus +SECMOD_AddNewModule(const char *moduleName, const char *dllPath, + unsigned long defaultMechanismFlags, + unsigned long cipherEnableFlags) { return SECMOD_AddNewModuleEx(moduleName, dllPath, defaultMechanismFlags, - cipherEnableFlags, - NULL, NULL); /* don't pass module or nss params */ + cipherEnableFlags, + NULL, NULL); /* don't pass module or nss params */ } -SECStatus +SECStatus SECMOD_UpdateModule(SECMODModule *module) { SECStatus result; result = SECMOD_DeletePermDB(module); - - if (result == SECSuccess) { - result = SECMOD_AddPermDB(module); + + if (result == SECSuccess) { + result = SECMOD_AddPermDB(module); } return result; } @@ -684,11 +699,11 @@ SECMOD_UpdateModule(SECMODModule *module) /* Public & Internal(Security Library) representation of * encryption mechanism flags conversion */ -/* Currently, the only difference is that internal representation +/* Currently, the only difference is that internal representation * puts RANDOM_FLAG at bit 31 (Most-significant bit), but * public representation puts this bit at bit 28 */ -unsigned long +unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags) { unsigned long internalFlags = publicFlags; @@ -700,8 +715,8 @@ SECMOD_PubMechFlagstoInternal(unsigned long publicFlags) return internalFlags; } -unsigned long -SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) +unsigned long +SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) { unsigned long publicFlags = internalFlags; @@ -712,38 +727,37 @@ SECMOD_InternaltoPubMechFlags(unsigned long internalFlags) return publicFlags; } - /* Public & Internal(Security Library) representation of */ /* cipher flags conversion */ /* Note: currently they are just stubs */ -unsigned long -SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) +unsigned long +SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags) { return publicFlags; } -unsigned long -SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) +unsigned long +SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags) { return internalFlags; } /* Funtion reports true if module of modType is installed/configured */ -PRBool -SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags ) +PRBool +SECMOD_IsModulePresent(unsigned long int pubCipherEnableFlags) { PRBool result = PR_FALSE; SECMODModuleList *mods; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return result; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return result; } SECMOD_GetReadLock(moduleLock); mods = SECMOD_GetDefaultModuleList(); - for ( ; mods != NULL; mods = mods->next) { - if (mods->module->ssl[0] & - SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) { + for (; mods != NULL; mods = mods->next) { + if (mods->module->ssl[0] & + SECMOD_PubCipherFlagstoInternal(pubCipherEnableFlags)) { result = PR_TRUE; } } @@ -753,14 +767,15 @@ SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags ) } /* create a new ModuleListElement */ -SECMODModuleList *SECMOD_NewModuleListElement(void) +SECMODModuleList * +SECMOD_NewModuleListElement(void) { SECMODModuleList *newModList; - newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList)); + newModList = (SECMODModuleList *)PORT_Alloc(sizeof(SECMODModuleList)); if (newModList) { - newModList->next = NULL; - newModList->module = NULL; + newModList->next = NULL; + newModList->module = NULL; } return newModList; } @@ -769,7 +784,7 @@ SECMODModuleList *SECMOD_NewModuleListElement(void) * make a new reference to a module so It doesn't go away on us */ SECMODModule * -SECMOD_ReferenceModule(SECMODModule *module) +SECMOD_ReferenceModule(SECMODModule *module) { PZ_Lock(module->refLock); PORT_Assert(module->refCount > 0); @@ -779,10 +794,9 @@ SECMOD_ReferenceModule(SECMODModule *module) return module; } - /* destroy an existing module */ void -SECMOD_DestroyModule(SECMODModule *module) +SECMOD_DestroyModule(SECMODModule *module) { PRBool willfree = PR_FALSE; int slotCount; @@ -790,69 +804,69 @@ SECMOD_DestroyModule(SECMODModule *module) PZ_Lock(module->refLock); if (module->refCount-- == 1) { - willfree = PR_TRUE; + willfree = PR_TRUE; } PORT_Assert(willfree || (module->refCount > 0)); PZ_Unlock(module->refLock); if (!willfree) { - return; + return; } - + if (module->parent != NULL) { - SECMODModule *parent = module->parent; - /* paranoia, don't loop forever if the modules are looped */ - module->parent = NULL; - SECMOD_DestroyModule(parent); + SECMODModule *parent = module->parent; + /* paranoia, don't loop forever if the modules are looped */ + module->parent = NULL; + SECMOD_DestroyModule(parent); } /* slots can't really disappear until our module starts freeing them, * so this check is safe */ slotCount = module->slotCount; if (slotCount == 0) { - SECMOD_SlotDestroyModule(module,PR_FALSE); - return; + SECMOD_SlotDestroyModule(module, PR_FALSE); + return; } /* now free all out slots, when they are done, they will cause the * module to disappear altogether */ - for (i=0 ; i < slotCount; i++) { - if (!module->slots[i]->disabled) { - PK11_ClearSlotList(module->slots[i]); - } - PK11_FreeSlot(module->slots[i]); + for (i = 0; i < slotCount; i++) { + if (!module->slots[i]->disabled) { + PK11_ClearSlotList(module->slots[i]); + } + PK11_FreeSlot(module->slots[i]); } /* WARNING: once the last slot has been freed is it possible (even likely) * that module is no more... touching it now is a good way to go south */ } - /* we can only get here if we've destroyed the module, or some one has * erroneously freed a slot that wasn't referenced. */ void -SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) +SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) { PRBool willfree = PR_FALSE; if (fromSlot) { PORT_Assert(module->refCount == 0); - PZ_Lock(module->refLock); - if (module->slotCount-- == 1) { - willfree = PR_TRUE; - } - PORT_Assert(willfree || (module->slotCount > 0)); - PZ_Unlock(module->refLock); - if (!willfree) return; + PZ_Lock(module->refLock); + if (module->slotCount-- == 1) { + willfree = PR_TRUE; + } + PORT_Assert(willfree || (module->slotCount > 0)); + PZ_Unlock(module->refLock); + if (!willfree) + return; } if (module == pendingModule) { - pendingModule = NULL; + pendingModule = NULL; } if (module->loaded) { - SECMOD_UnloadModule(module); + SECMOD_UnloadModule(module); } PZ_DestroyLock(module->refLock); - PORT_FreeArena(module->arena,PR_FALSE); + PORT_FreeArena(module->arena, PR_FALSE); secmod_PrivateModuleCount--; } @@ -861,39 +875,39 @@ SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) * on the chain. It makes it easy to implement for loops to delete * the chain. It also make deleting a single element easy */ SECMODModuleList * -SECMOD_DestroyModuleListElement(SECMODModuleList *element) +SECMOD_DestroyModuleListElement(SECMODModuleList *element) { SECMODModuleList *next = element->next; if (element->module) { - SECMOD_DestroyModule(element->module); - element->module = NULL; + SECMOD_DestroyModule(element->module); + element->module = NULL; } PORT_Free(element); return next; } - /* * Destroy an entire module list */ void -SECMOD_DestroyModuleList(SECMODModuleList *list) +SECMOD_DestroyModuleList(SECMODModuleList *list) { SECMODModuleList *lp; - for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ; + for (lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) + ; } PRBool SECMOD_CanDeleteInternalModule(void) { - return (PRBool) (pendingModule == NULL); + return (PRBool)(pendingModule == NULL); } /* * check to see if the module has added new slots. PKCS 11 v2.20 allows for - * modules to add new slots, but never remove them. Slots cannot be added + * modules to add new slots, but never remove them. Slots cannot be added * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently * grow on the caller. It is permissible for the slots to increase between @@ -912,67 +926,67 @@ SECMOD_UpdateSlotList(SECMODModule *mod) PK11SlotInfo **oldSlots = NULL; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } - /* C_GetSlotList is not a session function, make sure + /* C_GetSlotList is not a session function, make sure * calls are serialized */ PZ_Lock(mod->refLock); freeRef = PR_TRUE; /* see if the number of slots have changed */ crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } /* nothing new, blow out early, we want this function to be quick * and cheap in the normal case */ if (count == mod->slotCount) { - PZ_Unlock(mod->refLock); - return SECSuccess; + PZ_Unlock(mod->refLock); + return SECSuccess; } if (count < (CK_ULONG)mod->slotCount) { - /* shouldn't happen with a properly functioning PKCS #11 module */ - PORT_SetError( SEC_ERROR_INCOMPATIBLE_PKCS11 ); - goto loser; + /* shouldn't happen with a properly functioning PKCS #11 module */ + PORT_SetError(SEC_ERROR_INCOMPATIBLE_PKCS11); + goto loser; } /* get the new slot list */ slotIDs = PORT_NewArray(CK_SLOT_ID, count); if (slotIDs == NULL) { - goto loser; + goto loser; } crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, slotIDs, &count); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } freeRef = PR_FALSE; PZ_Unlock(mod->refLock); mark = PORT_ArenaMark(mod->arena); if (mark == NULL) { - goto loser; + goto loser; } - newSlots = PORT_ArenaZNewArray(mod->arena,PK11SlotInfo *,count); + newSlots = PORT_ArenaZNewArray(mod->arena, PK11SlotInfo *, count); /* walk down the new slot ID list returned from the module. We keep - * the old slots which match a returned ID, and we initialize the new + * the old slots which match a returned ID, and we initialize the new * slots. */ - for (i=0; i < count; i++) { - PK11SlotInfo *slot = SECMOD_FindSlotByID(mod,slotIDs[i]); - - if (!slot) { - /* we have a new slot create a new slot data structure */ - slot = PK11_NewSlotInfo(mod); - if (!slot) { - goto loser; - } - PK11_InitSlot(mod, slotIDs[i], slot); - STAN_InitTokenForSlotInfo(NULL, slot); - } - newSlots[i] = slot; + for (i = 0; i < count; i++) { + PK11SlotInfo *slot = SECMOD_FindSlotByID(mod, slotIDs[i]); + + if (!slot) { + /* we have a new slot create a new slot data structure */ + slot = PK11_NewSlotInfo(mod); + if (!slot) { + goto loser; + } + PK11_InitSlot(mod, slotIDs[i], slot); + STAN_InitTokenForSlotInfo(NULL, slot); + } + newSlots[i] = slot; } STAN_ResetTokenInterator(NULL); PORT_Free(slotIDs); @@ -980,46 +994,46 @@ SECMOD_UpdateSlotList(SECMODModule *mod) PORT_ArenaUnmark(mod->arena, mark); /* until this point we're still using the old slot list. Now we update - * module slot list. We update the slots (array) first then the count, - * since we've already guarrenteed that count has increased (just in case - * someone is looking at the slots field of module without holding the + * module slot list. We update the slots (array) first then the count, + * since we've already guarrenteed that count has increased (just in case + * someone is looking at the slots field of module without holding the * moduleLock */ SECMOD_GetWriteLock(moduleLock); - oldCount =mod->slotCount; + oldCount = mod->slotCount; oldSlots = mod->slots; mod->slots = newSlots; /* typical arena 'leak'... old mod->slots is - * allocated out of the module arena and won't - * be freed until the module is freed */ + * allocated out of the module arena and won't + * be freed until the module is freed */ mod->slotCount = count; SECMOD_ReleaseWriteLock(moduleLock); /* free our old references before forgetting about oldSlot*/ - for (i=0; i < oldCount; i++) { - PK11_FreeSlot(oldSlots[i]); + for (i = 0; i < oldCount; i++) { + PK11_FreeSlot(oldSlots[i]); } return SECSuccess; loser: if (freeRef) { - PZ_Unlock(mod->refLock); + PZ_Unlock(mod->refLock); } if (slotIDs) { - PORT_Free(slotIDs); + PORT_Free(slotIDs); } /* free all the slots we allocated. newSlots are part of the * mod arena. NOTE: the newSlots array contain both new and old * slots, but we kept a reference to the old slots when we built the new * array, so we need to free all the slots in newSlots array. */ if (newSlots) { - for (i=0; i < count; i++) { - if (newSlots[i] == NULL) { - break; /* hit the last one */ - } - PK11_FreeSlot(newSlots[i]); - } + for (i = 0; i < count; i++) { + if (newSlots[i] == NULL) { + break; /* hit the last one */ + } + PK11_FreeSlot(newSlots[i]); + } } /* must come after freeing newSlots */ if (mark) { - PORT_ArenaRelease(mod->arena, mark); + PORT_ArenaRelease(mod->arena, mark); } return SECFailure; } @@ -1030,69 +1044,69 @@ loser: * have a timeout, so we don't have one for handleWaitForSlotEvent() either. */ PK11SlotInfo * -secmod_HandleWaitForSlotEvent(SECMODModule *mod, unsigned long flags, - PRIntervalTime latency) +secmod_HandleWaitForSlotEvent(SECMODModule *mod, unsigned long flags, + PRIntervalTime latency) { PRBool removableSlotsFound = PR_FALSE; int i; int error = SEC_ERROR_NO_EVENT; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return NULL; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return NULL; } PZ_Lock(mod->refLock); if (mod->evControlMask & SECMOD_END_WAIT) { - mod->evControlMask &= ~SECMOD_END_WAIT; - PZ_Unlock(mod->refLock); - PORT_SetError(SEC_ERROR_NO_EVENT); - return NULL; + mod->evControlMask &= ~SECMOD_END_WAIT; + PZ_Unlock(mod->refLock); + PORT_SetError(SEC_ERROR_NO_EVENT); + return NULL; } mod->evControlMask |= SECMOD_WAIT_SIMULATED_EVENT; while (mod->evControlMask & SECMOD_WAIT_SIMULATED_EVENT) { - PZ_Unlock(mod->refLock); - /* now is a good time to see if new slots have been added */ - SECMOD_UpdateSlotList(mod); - - /* loop through all the slots on a module */ - SECMOD_GetReadLock(moduleLock); - for (i=0; i < mod->slotCount; i++) { - PK11SlotInfo *slot = mod->slots[i]; - PRUint16 series; - PRBool present; - - /* perm modules do not change */ - if (slot->isPerm) { - continue; - } - removableSlotsFound = PR_TRUE; - /* simulate the PKCS #11 module flags. are the flags different - * from the last time we called? */ - series = slot->series; - present = PK11_IsPresent(slot); - if ((slot->flagSeries != series) || (slot->flagState != present)) { - slot->flagState = present; - slot->flagSeries = series; - SECMOD_ReleaseReadLock(moduleLock); - PZ_Lock(mod->refLock); - mod->evControlMask &= ~SECMOD_END_WAIT; - PZ_Unlock(mod->refLock); - return PK11_ReferenceSlot(slot); - } - } - SECMOD_ReleaseReadLock(moduleLock); - /* if everything was perm modules, don't lock up forever */ - if ((mod->slotCount !=0) && !removableSlotsFound) { - error =SEC_ERROR_NO_SLOT_SELECTED; - PZ_Lock(mod->refLock); - break; - } - if (flags & CKF_DONT_BLOCK) { - PZ_Lock(mod->refLock); - break; - } - PR_Sleep(latency); - PZ_Lock(mod->refLock); + PZ_Unlock(mod->refLock); + /* now is a good time to see if new slots have been added */ + SECMOD_UpdateSlotList(mod); + + /* loop through all the slots on a module */ + SECMOD_GetReadLock(moduleLock); + for (i = 0; i < mod->slotCount; i++) { + PK11SlotInfo *slot = mod->slots[i]; + PRUint16 series; + PRBool present; + + /* perm modules do not change */ + if (slot->isPerm) { + continue; + } + removableSlotsFound = PR_TRUE; + /* simulate the PKCS #11 module flags. are the flags different + * from the last time we called? */ + series = slot->series; + present = PK11_IsPresent(slot); + if ((slot->flagSeries != series) || (slot->flagState != present)) { + slot->flagState = present; + slot->flagSeries = series; + SECMOD_ReleaseReadLock(moduleLock); + PZ_Lock(mod->refLock); + mod->evControlMask &= ~SECMOD_END_WAIT; + PZ_Unlock(mod->refLock); + return PK11_ReferenceSlot(slot); + } + } + SECMOD_ReleaseReadLock(moduleLock); + /* if everything was perm modules, don't lock up forever */ + if ((mod->slotCount != 0) && !removableSlotsFound) { + error = SEC_ERROR_NO_SLOT_SELECTED; + PZ_Lock(mod->refLock); + break; + } + if (flags & CKF_DONT_BLOCK) { + PZ_Lock(mod->refLock); + break; + } + PR_Sleep(latency); + PZ_Lock(mod->refLock); } mod->evControlMask &= ~SECMOD_END_WAIT; PZ_Unlock(mod->refLock); @@ -1108,7 +1122,7 @@ secmod_HandleWaitForSlotEvent(SECMODModule *mod, unsigned long flags, */ PK11SlotInfo * SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags, - PRIntervalTime latency) + PRIntervalTime latency) { CK_SLOT_ID id; CK_RV crv; @@ -1116,17 +1130,17 @@ SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags, if (!pk11_getFinalizeModulesOption() || ((mod->cryptokiVersion.major == 2) && - (mod->cryptokiVersion.minor < 1))) { + (mod->cryptokiVersion.minor < 1))) { /* if we are sharing the module with other software in our * address space, we can't reliably use C_WaitForSlotEvent(), * and if the module is version 2.0, C_WaitForSlotEvent() doesn't * exist */ - return secmod_HandleWaitForSlotEvent(mod, flags, latency); + return secmod_HandleWaitForSlotEvent(mod, flags, latency); } /* first the the PKCS #11 call */ PZ_Lock(mod->refLock); if (mod->evControlMask & SECMOD_END_WAIT) { - goto end_wait; + goto end_wait; } mod->evControlMask |= SECMOD_WAIT_PKCS11_EVENT; PZ_Unlock(mod->refLock); @@ -1136,39 +1150,39 @@ SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, unsigned long flags, /* if we are in end wait, short circuit now, don't even risk * going into secmod_HandleWaitForSlotEvent */ if (mod->evControlMask & SECMOD_END_WAIT) { - goto end_wait; + goto end_wait; } PZ_Unlock(mod->refLock); if (crv == CKR_FUNCTION_NOT_SUPPORTED) { - /* module doesn't support that call, simulate it */ - return secmod_HandleWaitForSlotEvent(mod, flags, latency); + /* module doesn't support that call, simulate it */ + return secmod_HandleWaitForSlotEvent(mod, flags, latency); } if (crv != CKR_OK) { - /* we can get this error if finalize was called while we were - * still running. This is the only way to force a C_WaitForSlotEvent() - * to return in PKCS #11. In this case, just return that there - * was no event. */ - if (crv == CKR_CRYPTOKI_NOT_INITIALIZED) { - PORT_SetError(SEC_ERROR_NO_EVENT); - } else { - PORT_SetError(PK11_MapError(crv)); - } - return NULL; + /* we can get this error if finalize was called while we were + * still running. This is the only way to force a C_WaitForSlotEvent() + * to return in PKCS #11. In this case, just return that there + * was no event. */ + if (crv == CKR_CRYPTOKI_NOT_INITIALIZED) { + PORT_SetError(SEC_ERROR_NO_EVENT); + } else { + PORT_SetError(PK11_MapError(crv)); + } + return NULL; } slot = SECMOD_FindSlotByID(mod, id); if (slot == NULL) { - /* possibly a new slot that was added? */ - SECMOD_UpdateSlotList(mod); - slot = SECMOD_FindSlotByID(mod, id); + /* possibly a new slot that was added? */ + SECMOD_UpdateSlotList(mod); + slot = SECMOD_FindSlotByID(mod, id); } /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ if (slot && slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); + nssSlot_ResetDelay(slot->nssToken->slot); } return slot; - /* must be called with the lock on. */ +/* must be called with the lock on. */ end_wait: mod->evControlMask &= ~SECMOD_END_WAIT; PZ_Unlock(mod->refLock); @@ -1200,27 +1214,27 @@ SECMOD_CancelWait(SECMODModule *mod) rv = SECFailure; goto loser; } - /* NOTE: this call will drop all transient keys, in progress - * operations, and any authentication. This is the only documented - * way to get WaitForSlotEvent to return. Also note: for non-thread - * safe tokens, we need to hold the module lock, this is not yet at - * system shutdown/startup time, so we need to protect these calls */ - crv = PK11_GETTAB(mod)->C_Finalize(NULL); - /* ok, we slammed the module down, now we need to reinit it in case - * we intend to use it again */ - if (CKR_OK == crv) { + /* NOTE: this call will drop all transient keys, in progress + * operations, and any authentication. This is the only documented + * way to get WaitForSlotEvent to return. Also note: for non-thread + * safe tokens, we need to hold the module lock, this is not yet at + * system shutdown/startup time, so we need to protect these calls */ + crv = PK11_GETTAB(mod)->C_Finalize(NULL); + /* ok, we slammed the module down, now we need to reinit it in case + * we intend to use it again */ + if (CKR_OK == crv) { PRBool alreadyLoaded; - secmod_ModuleInit(mod, NULL, &alreadyLoaded); - } else { - /* Finalized failed for some reason, notify the application - * so maybe it has a prayer of recovering... */ - PORT_SetError(PK11_MapError(crv)); - rv = SECFailure; - } + secmod_ModuleInit(mod, NULL, &alreadyLoaded); + } else { + /* Finalized failed for some reason, notify the application + * so maybe it has a prayer of recovering... */ + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; + } } else if (controlMask & SECMOD_WAIT_SIMULATED_EVENT) { - mod->evControlMask &= ~SECMOD_WAIT_SIMULATED_EVENT; - /* Simulated events will eventually timeout - * and wake up in the loop */ + mod->evControlMask &= ~SECMOD_WAIT_SIMULATED_EVENT; + /* Simulated events will eventually timeout + * and wake up in the loop */ } loser: PZ_Unlock(mod->refLock); @@ -1238,21 +1252,21 @@ SECMOD_HasRemovableSlots(SECMODModule *mod) PRBool ret = PR_FALSE; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return ret; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return ret; } SECMOD_GetReadLock(moduleLock); - for (i=0; i < mod->slotCount; i++) { - PK11SlotInfo *slot = mod->slots[i]; - /* perm modules are not inserted or removed */ - if (slot->isPerm) { - continue; - } - ret = PR_TRUE; - break; - } - if (mod->slotCount == 0 ) { - ret = PR_TRUE; + for (i = 0; i < mod->slotCount; i++) { + PK11SlotInfo *slot = mod->slots[i]; + /* perm modules are not inserted or removed */ + if (slot->isPerm) { + continue; + } + ret = PR_TRUE; + break; + } + if (mod->slotCount == 0) { + ret = PR_TRUE; } SECMOD_ReleaseReadLock(moduleLock); return ret; @@ -1262,29 +1276,30 @@ SECMOD_HasRemovableSlots(SECMODModule *mod) * helper function to actually create and destroy user defined slots */ static SECStatus -secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, - const char *sendSpec) +secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, + const char *sendSpec) { CK_OBJECT_HANDLE dummy; - CK_ATTRIBUTE template[2] ; + CK_ATTRIBUTE template[2]; CK_ATTRIBUTE *attrs = template; CK_RV crv; - PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); attrs++; - PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC , (unsigned char *)sendSpec, - strlen(sendSpec)+1); attrs++; - - PORT_Assert(attrs-template <= 2); + PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_NETSCAPE_MODULE_SPEC, (unsigned char *)sendSpec, + strlen(sendSpec) + 1); + attrs++; + PORT_Assert(attrs - template <= 2); PK11_EnterSlotMonitor(slot); crv = PK11_CreateNewObject(slot, slot->session, - template, attrs-template, PR_FALSE, &dummy); + template, attrs - template, PR_FALSE, &dummy); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { - PORT_SetError(PK11_MapError(crv)); - return SECFailure; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; } return SECMOD_UpdateSlotList(slot->module); } @@ -1293,15 +1308,15 @@ secmod_UserDBOp(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass, * return true if the selected slot ID is not present or doesn't exist */ static PRBool -secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID) +secmod_SlotIsEmpty(SECMODModule *mod, CK_SLOT_ID slotID) { PK11SlotInfo *slot = SECMOD_LookupSlot(mod->moduleID, slotID); if (slot) { - PRBool present = PK11_IsPresent(slot); - PK11_FreeSlot(slot); - if (present) { - return PR_FALSE; - } + PRBool present = PK11_IsPresent(slot); + PK11_FreeSlot(slot); + if (present) { + return PR_FALSE; + } } /* it doesn't exist or isn't present, it's available */ return PR_TRUE; @@ -1317,19 +1332,19 @@ secmod_FindFreeSlot(SECMODModule *mod) /* look for a free slot id on the internal module */ if (mod->internal && mod->isFIPS) { - minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID; - maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID; + minSlotID = SFTK_MIN_FIPS_USER_SLOT_ID; + maxSlotID = SFTK_MAX_FIPS_USER_SLOT_ID; } else { - minSlotID = SFTK_MIN_USER_SLOT_ID; - maxSlotID = SFTK_MAX_USER_SLOT_ID; + minSlotID = SFTK_MIN_USER_SLOT_ID; + maxSlotID = SFTK_MAX_USER_SLOT_ID; } - for (i=minSlotID; i < maxSlotID; i++) { - if (secmod_SlotIsEmpty(mod,i)) { - return i; - } + for (i = minSlotID; i < maxSlotID; i++) { + if (secmod_SlotIsEmpty(mod, i)) { + return i; + } } PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); - return (CK_SLOT_ID) -1; + return (CK_SLOT_ID)-1; } /* @@ -1338,10 +1353,10 @@ secmod_FindFreeSlot(SECMODModule *mod) * This works the same os OpenUserDB except it can be called against * any module that understands the softoken protocol for opening new * slots, not just the softoken itself. If the selected module does not - * understand the protocol, C_CreateObject will fail with + * understand the protocol, C_CreateObject will fail with * CKR_INVALID_ATTRIBUTE, and SECMOD_OpenNewSlot will return NULL and set * SEC_ERROR_BAD_DATA. - * + * * NewSlots can be closed with SECMOD_CloseUserDB(); * * Modulespec is module dependent. @@ -1356,66 +1371,80 @@ SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec) SECStatus rv; slotID = secmod_FindFreeSlot(mod); - if (slotID == (CK_SLOT_ID) -1) { - return NULL; + if (slotID == (CK_SLOT_ID)-1) { + return NULL; } if (mod->slotCount == 0) { - return NULL; + return NULL; } /* just grab the first slot in the module, any present slot should work */ slot = PK11_ReferenceSlot(mod->slots[0]); if (slot == NULL) { - return NULL; + return NULL; } /* we've found the slot, now build the moduleSpec */ escSpec = NSSUTIL_DoubleEscape(moduleSpec, '>', ']'); if (escSpec == NULL) { - PK11_FreeSlot(slot); - return NULL; + PK11_FreeSlot(slot); + return NULL; } sendSpec = PR_smprintf("tokens=[0x%x=<%s>]", slotID, escSpec); PORT_Free(escSpec); if (sendSpec == NULL) { - /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */ - PK11_FreeSlot(slot); - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + /* PR_smprintf does not set SEC_ERROR_NO_MEMORY on failure. */ + PK11_FreeSlot(slot); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } rv = secmod_UserDBOp(slot, CKO_NETSCAPE_NEWSLOT, sendSpec); PR_smprintf_free(sendSpec); PK11_FreeSlot(slot); if (rv != SECSuccess) { - return NULL; + return NULL; } slot = SECMOD_FindSlotByID(mod, slotID); if (slot) { - /* if we are in the delay period for the "isPresent" call, reset - * the delay since we know things have probably changed... */ - if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); - } - /* force the slot info structures to properly reset */ - (void)PK11_IsPresent(slot); + /* if we are in the delay period for the "isPresent" call, reset + * the delay since we know things have probably changed... */ + if (slot->nssToken && slot->nssToken->slot) { + nssSlot_ResetDelay(slot->nssToken->slot); + } + /* force the slot info structures to properly reset */ + (void)PK11_IsPresent(slot); } return slot; } /* + * given a module spec, find the slot in the module for it. + */ +PK11SlotInfo * +secmod_FindSlotFromModuleSpec(const char *moduleSpec, SECMODModule *module) +{ + CK_SLOT_ID slot_id = secmod_GetSlotIDFromModuleSpec(moduleSpec, module); + if (slot_id == -1) { + return NULL; + } + + return SECMOD_FindSlotByID(module, slot_id); +} + +/* * Open a new database using the softoken. The caller is responsible for making * sure the module spec is correct and usable. The caller should ask for one - * new database per call if the caller wants to get meaningful information + * new database per call if the caller wants to get meaningful information * about the new database. * - * moduleSpec is the same data that you would pass to softoken at + * moduleSpec is the same data that you would pass to softoken at * initialization time under the 'tokens' options. For example, if you were * to specify tokens=<0x4=[configdir='./mybackup' tokenDescription='Backup']> * You would specify "configdir='./mybackup' tokenDescription='Backup'" as your - * module spec here. The slot ID will be calculated for you by + * module spec here. The slot ID will be calculated for you by * SECMOD_OpenUserDB(). * * Typical parameters here are configdir, tokenDescription and flags. @@ -1423,22 +1452,22 @@ SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec) * a Full list is below: * * - * configDir - The location of the databases for this token. If configDir is + * configDir - The location of the databases for this token. If configDir is * not specified, and noCertDB and noKeyDB is not specified, the load * will fail. * certPrefix - Cert prefix for this token. * keyPrefix - Prefix for the key database for this token. (if not specified, * certPrefix will be used). - * tokenDescription - The label value for this token returned in the - * CK_TOKEN_INFO structure with an internationalize string (UTF8). - * This value will be truncated at 32 bytes (no NULL, partial UTF8 + * tokenDescription - The label value for this token returned in the + * CK_TOKEN_INFO structure with an internationalize string (UTF8). + * This value will be truncated at 32 bytes (no NULL, partial UTF8 * characters dropped). You should specify a user friendly name here - * as this is the value the token will be referred to in most + * as this is the value the token will be referred to in most * application UI's. You should make sure tokenDescription is unique. - * slotDescription - The slotDescription value for this token returned - * in the CK_SLOT_INFO structure with an internationalize string - * (UTF8). This value will be truncated at 64 bytes (no NULL, partial - * UTF8 characters dropped). This name will not change after the + * slotDescription - The slotDescription value for this token returned + * in the CK_SLOT_INFO structure with an internationalize string + * (UTF8). This value will be truncated at 64 bytes (no NULL, partial + * UTF8 characters dropped). This name will not change after the * database is closed. It should have some number to make this unique. * minPWLen - minimum password length for this token. * flags - comma separated list of flag values, parsed case-insensitive. @@ -1446,35 +1475,51 @@ SECMOD_OpenNewSlot(SECMODModule *mod, const char *moduleSpec) * readOnly - Databases should be opened read only. * noCertDB - Don't try to open a certificate database. * noKeyDB - Don't try to open a key database. - * forceOpen - Don't fail to initialize the token if the + * forceOpen - Don't fail to initialize the token if the * databases could not be opened. - * passwordRequired - zero length passwords are not acceptable + * passwordRequired - zero length passwords are not acceptable * (valid only if there is a keyDB). * optimizeSpace - allocate smaller hash tables and lock tables. - * When this flag is not specified, Softoken will allocate - * large tables to prevent lock contention. + * When this flag is not specified, Softoken will allocate + * large tables to prevent lock contention. */ PK11SlotInfo * SECMOD_OpenUserDB(const char *moduleSpec) { SECMODModule *mod; + SECMODConfigList *conflist = NULL; + int count = 0; if (moduleSpec == NULL) { - return NULL; + return NULL; } /* NOTE: unlike most PK11 function, this does not return a reference * to the module */ mod = SECMOD_GetInternalModule(); if (!mod) { - /* shouldn't happen */ - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; + /* shouldn't happen */ + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + /* make sure we don't open the same database twice. We only understand + * the moduleSpec for internal databases well enough to do this, so only + * do this in OpenUserDB */ + conflist = secmod_GetConfigList(mod->isFIPS, mod->libraryParams, &count); + if (conflist) { + PK11SlotInfo *slot = NULL; + if (secmod_MatchConfigList(moduleSpec, conflist, count)) { + slot = secmod_FindSlotFromModuleSpec(moduleSpec, mod); + } + secmod_FreeConfigList(conflist, count); + if (slot) { + return slot; + } } return SECMOD_OpenNewSlot(mod, moduleSpec); } - /* * close an already opened user database. NOTE: the database must be * in the internal token, and must be one created with SECMOD_OpenUserDB(). @@ -1486,21 +1531,21 @@ SECMOD_CloseUserDB(PK11SlotInfo *slot) { SECStatus rv; char *sendSpec; - + sendSpec = PR_smprintf("tokens=[0x%x=<>]", slot->slotID); if (sendSpec == NULL) { - /* PR_smprintf does not set no memory error */ - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + /* PR_smprintf does not set no memory error */ + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } rv = secmod_UserDBOp(slot, CKO_NETSCAPE_DELSLOT, sendSpec); PR_smprintf_free(sendSpec); /* if we are in the delay period for the "isPresent" call, reset * the delay since we know things have probably changed... */ if (slot->nssToken && slot->nssToken->slot) { - nssSlot_ResetDelay(slot->nssToken->slot); - /* force the slot info structures to properly reset */ - (void)PK11_IsPresent(slot); + nssSlot_ResetDelay(slot->nssToken->slot); + /* force the slot info structures to properly reset */ + (void)PK11_IsPresent(slot); } return rv; } @@ -1516,59 +1561,58 @@ SECMOD_RestartModules(PRBool force) int lastError = 0; if (!moduleLock) { - PORT_SetError(SEC_ERROR_NOT_INITIALIZED); - return SECFailure; + PORT_SetError(SEC_ERROR_NOT_INITIALIZED); + return SECFailure; } /* Only need to restart the PKCS #11 modules that were initialized */ SECMOD_GetReadLock(moduleLock); for (mlp = modules; mlp != NULL; mlp = mlp->next) { - SECMODModule *mod = mlp->module; - CK_ULONG count; - SECStatus rv; - int i; - - /* If the module needs to be reset, do so */ - if (force || (PK11_GETTAB(mod)-> - C_GetSlotList(CK_FALSE, NULL, &count) != CKR_OK)) { + SECMODModule *mod = mlp->module; + CK_ULONG count; + SECStatus rv; + int i; + + /* If the module needs to be reset, do so */ + if (force || (PK11_GETTAB(mod)->C_GetSlotList(CK_FALSE, NULL, &count) != CKR_OK)) { PRBool alreadyLoaded; - /* first call Finalize. This is not required by PKCS #11, but some + /* first call Finalize. This is not required by PKCS #11, but some * older modules require it, and it doesn't hurt (compliant modules * will return CKR_NOT_INITIALIZED */ - (void) PK11_GETTAB(mod)->C_Finalize(NULL); - /* now initialize the module, this function reinitializes - * a module in place, preserving existing slots (even if they - * no longer exist) */ - rv = secmod_ModuleInit(mod, NULL, &alreadyLoaded); - if (rv != SECSuccess) { - /* save the last error code */ - lastError = PORT_GetError(); - rrv = rv; - /* couldn't reinit the module, disable all its slots */ - for (i=0; i < mod->slotCount; i++) { - mod->slots[i]->disabled = PR_TRUE; - mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - } - continue; - } - for (i=0; i < mod->slotCount; i++) { - /* get new token sessions, bump the series up so that - * we refresh other old sessions. This will tell much of - * NSS to flush cached handles it may hold as well */ - rv = PK11_InitToken(mod->slots[i],PR_TRUE); - /* PK11_InitToken could fail if the slot isn't present. - * If it is present, though, something is wrong and we should - * disable the slot and let the caller know. */ - if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) { - /* save the last error code */ - lastError = PORT_GetError(); - rrv = rv; - /* disable the token */ - mod->slots[i]->disabled = PR_TRUE; - mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; - } - } - } + (void)PK11_GETTAB(mod)->C_Finalize(NULL); + /* now initialize the module, this function reinitializes + * a module in place, preserving existing slots (even if they + * no longer exist) */ + rv = secmod_ModuleInit(mod, NULL, &alreadyLoaded); + if (rv != SECSuccess) { + /* save the last error code */ + lastError = PORT_GetError(); + rrv = rv; + /* couldn't reinit the module, disable all its slots */ + for (i = 0; i < mod->slotCount; i++) { + mod->slots[i]->disabled = PR_TRUE; + mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + } + continue; + } + for (i = 0; i < mod->slotCount; i++) { + /* get new token sessions, bump the series up so that + * we refresh other old sessions. This will tell much of + * NSS to flush cached handles it may hold as well */ + rv = PK11_InitToken(mod->slots[i], PR_TRUE); + /* PK11_InitToken could fail if the slot isn't present. + * If it is present, though, something is wrong and we should + * disable the slot and let the caller know. */ + if (rv != SECSuccess && PK11_IsPresent(mod->slots[i])) { + /* save the last error code */ + lastError = PORT_GetError(); + rrv = rv; + /* disable the token */ + mod->slots[i]->disabled = PR_TRUE; + mod->slots[i]->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + } + } + } } SECMOD_ReleaseReadLock(moduleLock); @@ -1577,8 +1621,8 @@ SECMOD_RestartModules(PRBool force) * can determine which slots are bad by calling PK11_IsDisabled(). */ if (rrv != SECSuccess) { - /* restore the last error code */ - PORT_SetError(lastError); + /* restore the last error code */ + PORT_SetError(lastError); } return rrv; diff --git a/nss/lib/pk11wrap/pk11wrap.gyp b/nss/lib/pk11wrap/pk11wrap.gyp new file mode 100644 index 0000000..2af27a0 --- /dev/null +++ b/nss/lib/pk11wrap/pk11wrap.gyp @@ -0,0 +1,51 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'pk11wrap', + 'type': 'static_library', + 'sources': [ + 'dev3hack.c', + 'pk11akey.c', + 'pk11auth.c', + 'pk11cert.c', + 'pk11cxt.c', + 'pk11err.c', + 'pk11kea.c', + 'pk11list.c', + 'pk11load.c', + 'pk11mech.c', + 'pk11merge.c', + 'pk11nobj.c', + 'pk11obj.c', + 'pk11pars.c', + 'pk11pbe.c', + 'pk11pk12.c', + 'pk11pqg.c', + 'pk11sdr.c', + 'pk11skey.c', + 'pk11slot.c', + 'pk11util.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'target_defaults': { + 'defines': [ + 'SHLIB_SUFFIX=\"<(dll_suffix)\"', + 'SHLIB_PREFIX=\"<(dll_prefix)\"', + 'SHLIB_VERSION=\"3\"', + 'SOFTOKEN_SHLIB_VERSION=\"3\"' + ] + }, + 'variables': { + 'module': 'nss' + } +}
\ No newline at end of file diff --git a/nss/lib/pk11wrap/secmod.h b/nss/lib/pk11wrap/secmod.h index c194d9a..fcc7707 100644 --- a/nss/lib/pk11wrap/secmod.h +++ b/nss/lib/pk11wrap/secmod.h @@ -10,38 +10,38 @@ /* These mechanisms flags are visible to all other libraries. */ /* They must be converted to internal SECMOD_*_FLAG */ /* if used inside the functions of the security library */ -#define PUBLIC_MECH_RSA_FLAG 0x00000001ul -#define PUBLIC_MECH_DSA_FLAG 0x00000002ul -#define PUBLIC_MECH_RC2_FLAG 0x00000004ul -#define PUBLIC_MECH_RC4_FLAG 0x00000008ul -#define PUBLIC_MECH_DES_FLAG 0x00000010ul -#define PUBLIC_MECH_DH_FLAG 0x00000020ul -#define PUBLIC_MECH_FORTEZZA_FLAG 0x00000040ul -#define PUBLIC_MECH_RC5_FLAG 0x00000080ul -#define PUBLIC_MECH_SHA1_FLAG 0x00000100ul -#define PUBLIC_MECH_MD5_FLAG 0x00000200ul -#define PUBLIC_MECH_MD2_FLAG 0x00000400ul -#define PUBLIC_MECH_SSL_FLAG 0x00000800ul -#define PUBLIC_MECH_TLS_FLAG 0x00001000ul -#define PUBLIC_MECH_AES_FLAG 0x00002000ul -#define PUBLIC_MECH_SHA256_FLAG 0x00004000ul -#define PUBLIC_MECH_SHA512_FLAG 0x00008000ul -#define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul -#define PUBLIC_MECH_SEED_FLAG 0x00020000ul -#define PUBLIC_MECH_ECC_FLAG 0x00040000ul - -#define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul -#define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul -#define PUBLIC_OWN_PW_DEFAULTS 0X20000000ul -#define PUBLIC_DISABLE_FLAG 0x40000000ul +#define PUBLIC_MECH_RSA_FLAG 0x00000001ul +#define PUBLIC_MECH_DSA_FLAG 0x00000002ul +#define PUBLIC_MECH_RC2_FLAG 0x00000004ul +#define PUBLIC_MECH_RC4_FLAG 0x00000008ul +#define PUBLIC_MECH_DES_FLAG 0x00000010ul +#define PUBLIC_MECH_DH_FLAG 0x00000020ul +#define PUBLIC_MECH_FORTEZZA_FLAG 0x00000040ul +#define PUBLIC_MECH_RC5_FLAG 0x00000080ul +#define PUBLIC_MECH_SHA1_FLAG 0x00000100ul +#define PUBLIC_MECH_MD5_FLAG 0x00000200ul +#define PUBLIC_MECH_MD2_FLAG 0x00000400ul +#define PUBLIC_MECH_SSL_FLAG 0x00000800ul +#define PUBLIC_MECH_TLS_FLAG 0x00001000ul +#define PUBLIC_MECH_AES_FLAG 0x00002000ul +#define PUBLIC_MECH_SHA256_FLAG 0x00004000ul +#define PUBLIC_MECH_SHA512_FLAG 0x00008000ul +#define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul +#define PUBLIC_MECH_SEED_FLAG 0x00020000ul +#define PUBLIC_MECH_ECC_FLAG 0x00040000ul + +#define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul +#define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul +#define PUBLIC_OWN_PW_DEFAULTS 0X20000000ul +#define PUBLIC_DISABLE_FLAG 0x40000000ul /* warning: reserved means reserved */ -#define PUBLIC_MECH_RESERVED_FLAGS 0x87FF0000ul +#define PUBLIC_MECH_RESERVED_FLAGS 0x87FF0000ul /* These cipher flags are visible to all other libraries, */ /* But they must be converted before used in functions */ /* withing the security module */ -#define PUBLIC_CIPHER_FORTEZZA_FLAG 0x00000001ul +#define PUBLIC_CIPHER_FORTEZZA_FLAG 0x00000001ul /* warning: reserved means reserved */ #define PUBLIC_CIPHER_RESERVED_FLAGS 0xFFFFFFFEul @@ -54,41 +54,39 @@ SEC_BEGIN_PROTOS */ /* Initialization */ -extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, - PRBool recurse); +extern SECMODModule *SECMOD_LoadModule(char *moduleSpec, SECMODModule *parent, + PRBool recurse); -extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec,SECMODModule *parent, - PRBool recurse); +extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec, SECMODModule *parent, + PRBool recurse); SECStatus SECMOD_UnloadUserModule(SECMODModule *mod); -SECMODModule * SECMOD_CreateModule(const char *lib, const char *name, - const char *param, const char *nss); -SECMODModule * SECMOD_CreateModuleEx(const char *lib, const char *name, - const char *param, const char *nss, - const char *config); +SECMODModule *SECMOD_CreateModule(const char *lib, const char *name, + const char *param, const char *nss); +SECMODModule *SECMOD_CreateModuleEx(const char *lib, const char *name, + const char *param, const char *nss, + const char *config); /* * After a fork(), PKCS #11 says we need to call C_Initialize again in - * the child before we can use the module. This function causes this + * the child before we can use the module. This function causes this * reinitialization. * NOTE: Any outstanding handles will become invalid, which means your * keys and contexts will fail, but new ones can be created. * - * Setting 'force' to true means to do the reinitialization even if the - * PKCS #11 module does not seem to need it. This allows software modules + * Setting 'force' to true means to do the reinitialization even if the + * PKCS #11 module does not seem to need it. This allows software modules * which ignore fork to preserve their keys across the fork(). */ SECStatus SECMOD_RestartModules(PRBool force); - /* Module Management */ char **SECMOD_GetModuleSpecList(SECMODModule *module); -SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module,char **moduleSpecList); +SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module, char **moduleSpecList); - /* protoypes */ /* Get a list of active PKCS #11 modules */ -extern SECMODModuleList *SECMOD_GetDefaultModuleList(void); +extern SECMODModuleList *SECMOD_GetDefaultModuleList(void); /* Get a list of defined but not loaded PKCS #11 modules */ extern SECMODModuleList *SECMOD_GetDeadModuleList(void); /* Get a list of Modules which define PKCS #11 modules to load */ @@ -106,34 +104,34 @@ extern void SECMOD_ReleaseReadLock(SECMODListLock *); /* Operate on modules by name */ extern SECMODModule *SECMOD_FindModule(const char *name); extern SECStatus SECMOD_DeleteModule(const char *name, int *type); -extern SECStatus SECMOD_DeleteModuleEx(const char * name, - SECMODModule *mod, - int *type, +extern SECStatus SECMOD_DeleteModuleEx(const char *name, + SECMODModule *mod, + int *type, PRBool permdb); extern SECStatus SECMOD_DeleteInternalModule(const char *name); extern PRBool SECMOD_CanDeleteInternalModule(void); -extern SECStatus SECMOD_AddNewModule(const char* moduleName, - const char* dllPath, - unsigned long defaultMechanismFlags, - unsigned long cipherEnableFlags); -extern SECStatus SECMOD_AddNewModuleEx(const char* moduleName, - const char* dllPath, - unsigned long defaultMechanismFlags, - unsigned long cipherEnableFlags, - char* modparms, - char* nssparms); +extern SECStatus SECMOD_AddNewModule(const char *moduleName, + const char *dllPath, + unsigned long defaultMechanismFlags, + unsigned long cipherEnableFlags); +extern SECStatus SECMOD_AddNewModuleEx(const char *moduleName, + const char *dllPath, + unsigned long defaultMechanismFlags, + unsigned long cipherEnableFlags, + char *modparms, + char *nssparms); /* database/memory management */ extern SECMODModule *SECMOD_GetInternalModule(void); extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module); extern void SECMOD_DestroyModule(SECMODModule *module); extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module, - unsigned long slotID); -extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,const char *name); + unsigned long slotID); +extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module, const char *name); /* Funtion reports true if at least one of the modules */ /* of modType has been installed */ -PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags ); +PRBool SECMOD_IsModulePresent(unsigned long int pubCipherEnableFlags); /* accessors */ PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod); @@ -146,18 +144,18 @@ extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags); extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags); PRBool SECMOD_HasRemovableSlots(SECMODModule *mod); -PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, - unsigned long flags, PRIntervalTime latency); +PK11SlotInfo *SECMOD_WaitForAnyTokenEvent(SECMODModule *mod, + unsigned long flags, PRIntervalTime latency); /* - * Warning: the SECMOD_CancelWait function is highly destructive, potentially - * finalizing the module 'mod' (causing inprogress operations to fail, - * and session key material to disappear). It should only be called when - * shutting down the module. + * Warning: the SECMOD_CancelWait function is highly destructive, potentially + * finalizing the module 'mod' (causing inprogress operations to fail, + * and session key material to disappear). It should only be called when + * shutting down the module. */ SECStatus SECMOD_CancelWait(SECMODModule *mod); /* * check to see if the module has added new slots. PKCS 11 v2.20 allows for - * modules to add new slots, but never remove them. Slots not be added between + * modules to add new slots, but never remove them. Slots not be added between * a call to C_GetSlotLlist(Flag, NULL, &count) and the corresponding * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently * grow on the caller. It is permissible for the slots to increase between diff --git a/nss/lib/pk11wrap/secmodi.h b/nss/lib/pk11wrap/secmodi.h index 830fb67..1225661 100644 --- a/nss/lib/pk11wrap/secmodi.h +++ b/nss/lib/pk11wrap/secmodi.h @@ -27,14 +27,14 @@ extern int secmod_PrivateModuleCount; extern void SECMOD_Init(void); SECStatus secmod_ModuleInit(SECMODModule *mod, SECMODModule **oldModule, - PRBool* alreadyLoaded); + PRBool *alreadyLoaded); /* list managment */ extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule); extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule); extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule); -extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *); -extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *); +extern void SECMOD_RemoveList(SECMODModuleList **, SECMODModuleList *); +extern void SECMOD_AddList(SECMODModuleList *, SECMODModuleList *, SECMODListLock *); extern SECMODListLock *SECMOD_NewListLock(void); extern void SECMOD_DestroyListLock(SECMODListLock *); extern void SECMOD_GetWriteLock(SECMODListLock *); @@ -59,14 +59,15 @@ void SECMOD_SetInternalModule(SECMODModule *); PRBool secmod_IsInternalKeySlot(SECMODModule *); void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val); - /* tools for checking if we are loading the same database twice */ typedef struct SECMODConfigListStr SECMODConfigList; /* collect all the databases in a given spec */ SECMODConfigList *secmod_GetConfigList(PRBool isFIPS, char *spec, int *count); /* see is a spec matches a database on the list */ -PRBool secmod_MatchConfigList(char *spec, - SECMODConfigList *conflist, int count); +PRBool secmod_MatchConfigList(const char *spec, + SECMODConfigList *conflist, int count); +/* returns the slot id from a module and modulespec */ +CK_SLOT_ID secmod_GetSlotIDFromModuleSpec(const char *moduleSpec, SECMODModule *module); /* free our list of databases */ void secmod_FreeConfigList(SECMODConfigList *conflist, int count); @@ -75,45 +76,44 @@ void secmod_FreeConfigList(SECMODConfigList *conflist, int count); /* children and ids are null terminated arrays which must be freed with * secmod_FreeChildren */ char *secmod_ParseModuleSpecForTokens(PRBool convert, - PRBool isFIPS, - char *moduleSpec, - char ***children, - CK_SLOT_ID **ids); + PRBool isFIPS, + const char *moduleSpec, + char ***children, + CK_SLOT_ID **ids); void secmod_FreeChildren(char **children, CK_SLOT_ID *ids); char *secmod_MkAppendTokensList(PLArenaPool *arena, char *origModuleSpec, - char *newModuleSpec, CK_SLOT_ID newID, - char **children, CK_SLOT_ID *ids); - + char *newModuleSpec, CK_SLOT_ID newID, + char **children, CK_SLOT_ID *ids); void SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot); CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, - CK_VOID_PTR pdata); + CK_VOID_PTR pdata); void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib); CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot, - CK_ATTRIBUTE *inTemplate,int tsize); + CK_ATTRIBUTE *inTemplate, int tsize); CK_OBJECT_HANDLE *pk11_FindObjectsByTemplate(PK11SlotInfo *slot, - CK_ATTRIBUTE *inTemplate,int tsize, int *objCount); + CK_ATTRIBUTE *inTemplate, int tsize, int *objCount); #define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList)) -#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ - (x)->pValue=(v); (x)->ulValueLen = (l); +#define PK11_SETATTRS(x, id, v, l) \ + (x)->type = (id); \ + (x)->pValue = (v); \ + (x)->ulValueLen = (l); SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session, const CK_ATTRIBUTE *theTemplate, int count, - PRBool token, CK_OBJECT_HANDLE *objectID); + PRBool token, CK_OBJECT_HANDLE *objectID); -SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech); -SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, - PLArenaPool *arena, SECAlgorithmID *algId); +SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech); +SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param, + PLArenaPool *arena, SECAlgorithmID *algId); PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, - CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType, - int keySize, SECItem *keyId, CK_FLAGS opFlags, - PK11AttrFlags attrFlags, void *wincx); + CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType, + int keySize, SECItem *keyId, CK_FLAGS opFlags, + PK11AttrFlags attrFlags, void *wincx); CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, - SECItem **param, SECItem *pwd, PRBool faulty3DES); - - + SECItem **param, SECItem *pwd, PRBool faulty3DES); extern void pk11sdr_Init(void); extern void pk11sdr_Shutdown(void); @@ -126,46 +126,45 @@ PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx); CK_SESSION_HANDLE pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner); void pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE sess, PRBool own); PK11SymKey *pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation); + CK_ATTRIBUTE_TYPE operation); /* Convert key operation flags to PKCS #11 attributes. */ -unsigned int pk11_OpFlagsToAttributes(CK_FLAGS flags, - CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue); +unsigned int pk11_OpFlagsToAttributes(CK_FLAGS flags, + CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue); /* Check for bad (conflicting) attribute flags */ PRBool pk11_BadAttrFlags(PK11AttrFlags attrFlags); /* Convert key attribute flags to PKCS #11 attributes. */ unsigned int pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags, - CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue, CK_BBOOL *ckFalse); + CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue, CK_BBOOL *ckFalse); PRBool pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs, - CK_ATTRIBUTE_TYPE target); + CK_ATTRIBUTE_TYPE target); CK_MECHANISM_TYPE pk11_mapWrapKeyType(KeyType keyType); PK11SymKey *pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, PRBool isPerm, - PK11SymKey *symKey); + CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, PRBool isPerm, + PK11SymKey *symKey); PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, - CERTCertTrust *trust); + CERTCertTrust *trust); CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert(CERTCertificate *cert, - PK11SlotInfo **slot, void *wincx); + PK11SlotInfo **slot, void *wincx); SECStatus pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, - void *wincx); + void *wincx); int PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate, - int templateCount); -SECItem *pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, - CK_OBJECT_HANDLE handle); + int templateCount); +SECItem *pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, + CK_OBJECT_HANDLE handle); SECStatus PK11_TraverseSlot(PK11SlotInfo *slot, void *arg); -CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, - SECItem *keyID); -SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, - PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx); +CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, + SECItem *keyID); +SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, + PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx); CERTCertificate *PK11_MakeCertFromHandle(PK11SlotInfo *slot, - CK_OBJECT_HANDLE certID, CK_ATTRIBUTE *privateLabel); + CK_OBJECT_HANDLE certID, CK_ATTRIBUTE *privateLabel); SECItem *pk11_GenerateNewParamWithKeyLen(CK_MECHANISM_TYPE type, int keyLen); -SECItem *pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, - SECItem *iv, int keyLen); +SECItem *pk11_ParamFromIVWithLen(CK_MECHANISM_TYPE type, + SECItem *iv, int keyLen); SEC_END_PROTOS #endif - diff --git a/nss/lib/pk11wrap/secmodt.h b/nss/lib/pk11wrap/secmodt.h index 33e7f1b..23abe30 100644 --- a/nss/lib/pk11wrap/secmodt.h +++ b/nss/lib/pk11wrap/secmodt.h @@ -29,10 +29,10 @@ SEC_END_PROTOS typedef struct SECMODModuleStr SECMODModule; typedef struct SECMODModuleListStr SECMODModuleList; typedef NSSRWLock SECMODListLock; -typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ +typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ typedef struct NSSUTILPreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ -typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ -typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ +typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ +typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ typedef struct PK11SlotListStr PK11SlotList; typedef struct PK11SlotListElementStr PK11SlotListElement; typedef struct PK11RSAGenParamsStr PK11RSAGenParams; @@ -42,37 +42,37 @@ typedef struct PK11GenericObjectStr PK11GenericObject; typedef void (*PK11FreeDataFunc)(void *); struct SECMODModuleStr { - PLArenaPool *arena; - PRBool internal; /* true of internally linked modules, false - * for the loaded modules */ - PRBool loaded; /* Set to true if module has been loaded */ - PRBool isFIPS; /* Set to true if module is finst internal */ - char *dllName; /* name of the shared library which implements - * this module */ - char *commonName; /* name of the module to display to the user */ - void *library; /* pointer to the library. opaque. used only by - * pk11load.c */ - void *functionList; /* The PKCS #11 function table */ - PZLock *refLock; /* only used pk11db.c */ - int refCount; /* Module reference count */ - PK11SlotInfo **slots; /* array of slot points attached to this mod*/ - int slotCount; /* count of slot in above array */ - PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ - int slotInfoCount; /* count */ - SECMODModuleID moduleID; /* ID so we can find this module again */ - PRBool isThreadSafe; - unsigned long ssl[2]; /* SSL cipher enable flags */ - char *libraryParams; /* Module specific parameters */ - void *moduleDBFunc; /* function to return module configuration data*/ - SECMODModule *parent; /* module that loaded us */ - PRBool isCritical; /* This module must load successfully */ - PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ - PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ - int trustOrder; /* order for this module's certificate trust rollup */ - int cipherOrder; /* order for cipher operations */ + PLArenaPool *arena; + PRBool internal; /* true of internally linked modules, false + * for the loaded modules */ + PRBool loaded; /* Set to true if module has been loaded */ + PRBool isFIPS; /* Set to true if module is finst internal */ + char *dllName; /* name of the shared library which implements + * this module */ + char *commonName; /* name of the module to display to the user */ + void *library; /* pointer to the library. opaque. used only by + * pk11load.c */ + void *functionList; /* The PKCS #11 function table */ + PZLock *refLock; /* only used pk11db.c */ + int refCount; /* Module reference count */ + PK11SlotInfo **slots; /* array of slot points attached to this mod*/ + int slotCount; /* count of slot in above array */ + PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ + int slotInfoCount; /* count */ + SECMODModuleID moduleID; /* ID so we can find this module again */ + PRBool isThreadSafe; + unsigned long ssl[2]; /* SSL cipher enable flags */ + char *libraryParams; /* Module specific parameters */ + void *moduleDBFunc; /* function to return module configuration data*/ + SECMODModule *parent; /* module that loaded us */ + PRBool isCritical; /* This module must load successfully */ + PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ + PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ + int trustOrder; /* order for this module's certificate trust rollup */ + int cipherOrder; /* order for cipher operations */ unsigned long evControlMask; /* control the running and shutdown of slot - * events (SECMOD_WaitForAnyTokenEvent) */ - CK_VERSION cryptokiVersion; /* version of this library */ + * events (SECMOD_WaitForAnyTokenEvent) */ + CK_VERSION cryptokiVersion; /* version of this library */ }; /* evControlMask flags */ @@ -86,14 +86,14 @@ struct SECMODModuleStr { * SECMOD_END_WAIT - SECMOD_CancelWait has been called while the module is * waiting in SECMOD_WaitForAnyTokenEvent. SECMOD_WaitForAnyTokenEvent * should return immediately to it's caller. - */ -#define SECMOD_END_WAIT 0x01 -#define SECMOD_WAIT_SIMULATED_EVENT 0x02 -#define SECMOD_WAIT_PKCS11_EVENT 0x04 + */ +#define SECMOD_END_WAIT 0x01 +#define SECMOD_WAIT_SIMULATED_EVENT 0x02 +#define SECMOD_WAIT_PKCS11_EVENT 0x04 struct SECMODModuleListStr { - SECMODModuleList *next; - SECMODModule *module; + SECMODModuleList *next; + SECMODModule *module; }; struct PK11SlotListStr { @@ -115,27 +115,27 @@ struct PK11RSAGenParamsStr { }; typedef enum { - PK11CertListUnique = 0, /* get one instance of all certs */ - PK11CertListUser = 1, /* get all instances of user certs */ - PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. - * deprecated. Use PK11CertListCAUnique - */ - PK11CertListCA = 3, /* get all instances of CA certs */ - PK11CertListCAUnique = 4, /* get one instance of CA certs */ - PK11CertListUserUnique = 5, /* get one instance of user certs */ - PK11CertListAll = 6 /* get all instances of all certs */ + PK11CertListUnique = 0, /* get one instance of all certs */ + PK11CertListUser = 1, /* get all instances of user certs */ + PK11CertListRootUnique = 2, /* get one instance of CA certs without a private key. + * deprecated. Use PK11CertListCAUnique + */ + PK11CertListCA = 3, /* get all instances of CA certs */ + PK11CertListCAUnique = 4, /* get one instance of CA certs */ + PK11CertListUserUnique = 5, /* get one instance of user certs */ + PK11CertListAll = 6 /* get all instances of all certs */ } PK11CertListType; /* * Entry into the array which lists all the legal bits for the default flags * in the slot, their definition, and the PKCS #11 mechanism they represent. - * Always statically allocated. + * Always statically allocated. */ struct PK11DefaultArrayEntryStr { const char *name; unsigned long flag; - unsigned long mechanism; /* this is a long so we don't include the - * whole pkcs 11 world to use this header */ + unsigned long mechanism; /* this is a long so we don't include the + * whole pkcs 11 world to use this header */ }; /* @@ -187,8 +187,8 @@ typedef PRUint32 PK11AttrFlags; * These two flags specify the value of the PKCS #11 CKA_TOKEN * attribute. */ -#define PK11_ATTR_TOKEN 0x00000001L -#define PK11_ATTR_SESSION 0x00000002L +#define PK11_ATTR_TOKEN 0x00000001L +#define PK11_ATTR_SESSION 0x00000002L /* * PK11_ATTR_PRIVATE @@ -209,8 +209,8 @@ typedef PRUint32 PK11AttrFlags; * keys, so public keys created by NSS get the token-specific * default value of the CKA_PRIVATE attribute. */ -#define PK11_ATTR_PRIVATE 0x00000004L -#define PK11_ATTR_PUBLIC 0x00000008L +#define PK11_ATTR_PRIVATE 0x00000004L +#define PK11_ATTR_PUBLIC 0x00000008L /* * PK11_ATTR_MODIFIABLE @@ -228,8 +228,8 @@ typedef PRUint32 PK11AttrFlags; * These two flags specify the value of the PKCS #11 CKA_MODIFIABLE * attribute. */ -#define PK11_ATTR_MODIFIABLE 0x00000010L -#define PK11_ATTR_UNMODIFIABLE 0x00000020L +#define PK11_ATTR_MODIFIABLE 0x00000010L +#define PK11_ATTR_UNMODIFIABLE 0x00000020L /* Attributes for PKCS #11 key objects. */ @@ -253,8 +253,8 @@ typedef PRUint32 PK11AttrFlags; * is allowed. So in practice the default value of this attribute * is token-specific, hence the need for two bitflags. */ -#define PK11_ATTR_SENSITIVE 0x00000040L -#define PK11_ATTR_INSENSITIVE 0x00000080L +#define PK11_ATTR_SENSITIVE 0x00000040L +#define PK11_ATTR_INSENSITIVE 0x00000080L /* * PK11_ATTR_EXTRACTABLE @@ -271,24 +271,24 @@ typedef PRUint32 PK11AttrFlags; * These two flags specify the value of the PKCS #11 CKA_EXTRACTABLE * attribute. */ -#define PK11_ATTR_EXTRACTABLE 0x00000100L +#define PK11_ATTR_EXTRACTABLE 0x00000100L #define PK11_ATTR_UNEXTRACTABLE 0x00000200L /* Cryptographic module types */ -#define SECMOD_EXTERNAL 0 /* external module */ -#define SECMOD_INTERNAL 1 /* internal default module */ -#define SECMOD_FIPS 2 /* internal fips module */ +#define SECMOD_EXTERNAL 0 /* external module */ +#define SECMOD_INTERNAL 1 /* internal default module */ +#define SECMOD_FIPS 2 /* internal fips module */ /* default module configuration strings */ #define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" -#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \ -"Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" +#define SECMOD_MAKE_NSS_FLAGS(fips, slot) \ + "Flags=internal,critical" fips " slotparams=(" #slot "={" SECMOD_SLOT_FLAGS "})" #define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" -#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1) +#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("", 1) #define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" -#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3) +#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips", 3) /* * What is the origin of a given Key. Normally this doesn't matter, but @@ -296,11 +296,11 @@ typedef PRUint32 PK11AttrFlags; * hack. */ typedef enum { - PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ - PK11_OriginDerive = 1, /* Key was derived from some other key */ - PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ - PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */ - PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ + PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ + PK11_OriginDerive = 1, /* Key was derived from some other key */ + PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ + PK11_OriginFortezzaHack = 3, /* Key was marked for fortezza hack */ + PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ } PK11Origin; /* PKCS #11 disable reasons */ @@ -312,8 +312,8 @@ typedef enum { PK11_DIS_TOKEN_NOT_PRESENT = 4 } PK11DisableReasons; -/* types of PKCS #11 objects - * used to identify which NSS data structure is +/* types of PKCS #11 objects + * used to identify which NSS data structure is * passed to the PK11_Raw* functions. Types map as follows: * PK11_TypeGeneric PK11GenericObject * * PK11_TypePrivKey SECKEYPrivateKey * @@ -322,38 +322,36 @@ typedef enum { * PK11_TypeCert CERTCertificate * (currently not used). */ typedef enum { - PK11_TypeGeneric = 0, - PK11_TypePrivKey = 1, - PK11_TypePubKey = 2, - PK11_TypeCert = 3, - PK11_TypeSymKey = 4 + PK11_TypeGeneric = 0, + PK11_TypePrivKey = 1, + PK11_TypePubKey = 2, + PK11_TypeCert = 3, + PK11_TypeSymKey = 4 } PK11ObjectType; - - /* function pointer type for password callback function. - * This type is passed in to PK11_SetPasswordFunc() + * This type is passed in to PK11_SetPasswordFunc() */ typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); -typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); -typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); +typedef PRBool(PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); +typedef PRBool(PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); /* * Special strings the password callback function can return only if * the slot is an protected auth path slot. - */ -#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate - * has already been made, just retry - * the operation */ -#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate - * has completed. Continue without - * another call to C_Login */ + */ +#define PK11_PW_RETRY "RETRY" /* an failed attempt to authenticate \ + * has already been made, just retry \ + * the operation */ +#define PK11_PW_AUTHENTICATED "AUTH" /* a successful attempt to authenticate \ + * has completed. Continue without \ + * another call to C_Login */ /* All other non-null values mean that that NSS could call C_Login to force - * the authentication. The following define is to aid applications in + * the authentication. The following define is to aid applications in * documenting that is what it's trying to do */ -#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented - * to the user, initiate a C_Login - * to authenticate the token */ +#define PK11_PW_TRY "TRY" /* Default: a prompt has been presented \ + * to the user, initiate a C_Login \ + * to authenticate the token */ /* * PKCS #11 key structures @@ -394,23 +392,22 @@ typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; * token removal detection */ typedef enum { - PK11TokenNotRemovable = 0, - PK11TokenPresent = 1, - PK11TokenChanged = 2, - PK11TokenRemoved = 3 + PK11TokenNotRemovable = 0, + PK11TokenPresent = 1, + PK11TokenChanged = 2, + PK11TokenRemoved = 3 } PK11TokenStatus; typedef enum { - PK11TokenRemovedOrChangedEvent = 0, - PK11TokenPresentEvent = 1 + PK11TokenRemovedOrChangedEvent = 0, + PK11TokenPresentEvent = 1 } PK11TokenEvent; /* * CRL Import Flags */ #define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 -#define CRL_IMPORT_BYPASS_CHECKS 0x00000001 - +#define CRL_IMPORT_BYPASS_CHECKS 0x00000001 /* * Merge Error Log @@ -421,15 +418,15 @@ typedef struct PK11MergeLogNodeStr PK11MergeLogNode; /* These need to be global, leave some open fields so we can 'expand' * these without breaking binary compatibility */ struct PK11MergeLogNodeStr { - PK11MergeLogNode *next; /* next entry in the list */ - PK11MergeLogNode *prev; /* last entry in the list */ + PK11MergeLogNode *next; /* next entry in the list */ + PK11MergeLogNode *prev; /* last entry in the list */ PK11GenericObject *object; /* object that failed */ - int error; /* what the error was */ + int error; /* what the error was */ CK_RV reserved1; unsigned long reserved2; /* future flags */ unsigned long reserved3; /* future scalar */ - void *reserved4; /* future pointer */ - void *reserved5; /* future expansion pointer */ + void *reserved4; /* future pointer */ + void *reserved5; /* future expansion pointer */ }; struct PK11MergeLogStr { @@ -443,6 +440,5 @@ struct PK11MergeLogStr { void *reserverd4; void *reserverd5; }; - #endif /*_SECMODT_H_ */ diff --git a/nss/lib/pk11wrap/secmodti.h b/nss/lib/pk11wrap/secmodti.h index 2b63130..5201655 100644 --- a/nss/lib/pk11wrap/secmodti.h +++ b/nss/lib/pk11wrap/secmodti.h @@ -6,8 +6,8 @@ * pkcs11 specific client and server files. */ -#ifndef _SECMODTI_H_ -#define _SECMODTI_H_ 1 +#ifndef _SECMODTI_H_ +#define _SECMODTI_H_ 1 #include "prmon.h" #include "prtypes.h" #include "nssilckt.h" @@ -20,38 +20,37 @@ /* Traverse slots callback */ typedef struct pk11TraverseSlotStr { - SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *); + SECStatus (*callback)(PK11SlotInfo *, CK_OBJECT_HANDLE, void *); void *callbackArg; CK_ATTRIBUTE *findTemplate; int templateCount; } pk11TraverseSlot; - /* represent a pkcs#11 slot reference counted. */ struct PK11SlotInfoStr { /* the PKCS11 function list for this slot */ void *functionList; SECMODModule *module; /* our parent module */ /* Boolean to indicate the current state of this slot */ - PRBool needTest; /* Has this slot been tested for Export complience */ - PRBool isPerm; /* is this slot a permanment device */ - PRBool isHW; /* is this slot a hardware device */ - PRBool isInternal; /* is this slot one of our internal PKCS #11 devices */ - PRBool disabled; /* is this slot disabled... */ - PK11DisableReasons reason; /* Why this slot is disabled */ - PRBool readOnly; /* is the token in this slot read-only */ - PRBool needLogin; /* does the token of the type that needs - * authentication (still true even if token is logged - * in) */ - PRBool hasRandom; /* can this token generated random numbers */ - PRBool defRWSession; /* is the default session RW (we open our default - * session rw if the token can only handle one session - * at a time. */ - PRBool isThreadSafe; /* copied from the module */ + PRBool needTest; /* Has this slot been tested for Export complience */ + PRBool isPerm; /* is this slot a permanment device */ + PRBool isHW; /* is this slot a hardware device */ + PRBool isInternal; /* is this slot one of our internal PKCS #11 devices */ + PRBool disabled; /* is this slot disabled... */ + PK11DisableReasons reason; /* Why this slot is disabled */ + PRBool readOnly; /* is the token in this slot read-only */ + PRBool needLogin; /* does the token of the type that needs + * authentication (still true even if token is logged + * in) */ + PRBool hasRandom; /* can this token generated random numbers */ + PRBool defRWSession; /* is the default session RW (we open our default + * session rw if the token can only handle one session + * at a time. */ + PRBool isThreadSafe; /* copied from the module */ /* The actual flags (many of which are distilled into the above PRBools) */ - CK_FLAGS flags; /* flags from PKCS #11 token Info */ + CK_FLAGS flags; /* flags from PKCS #11 token Info */ /* a default session handle to do quick and dirty functions */ - CK_SESSION_HANDLE session; + CK_SESSION_HANDLE session; PZLock *sessionLock; /* lock for this session */ /* our ID */ CK_SLOT_ID slotID; @@ -59,7 +58,7 @@ struct PK11SlotInfoStr { unsigned long defaultFlags; /* keep track of who is using us so we don't accidently get freed while * still in use */ - PRInt32 refCount; /* to be in/decremented by atomic calls ONLY! */ + PRInt32 refCount; /* to be in/decremented by atomic calls ONLY! */ PZLock *freeListLock; PK11SymKey *freeSymKeysWithSessionHead; PK11SymKey *freeSymKeysHead; @@ -67,34 +66,34 @@ struct PK11SlotInfoStr { int maxKeyCount; /* Password control functions for this slot. many of these are only * active if the appropriate flag is on in defaultFlags */ - int askpw; /* what our password options are */ - int timeout; /* If we're ask_timeout, what is our timeout time is - * seconds */ - int authTransact; /* allow multiple authentications off one password if - * they are all part of the same transaction */ - PRTime authTime; /* when were we last authenticated */ - int minPassword; /* smallest legal password */ - int maxPassword; /* largest legal password */ - PRUint16 series; /* break up the slot info into various groups of - * inserted tokens so that keys and certs can be - * invalidated */ - PRUint16 flagSeries;/* record the last series for the last event - * returned for this slot */ - PRBool flagState; /* record the state of the last event returned for this - * slot. */ - PRUint16 wrapKey; /* current wrapping key for SSL master secrets */ + int askpw; /* what our password options are */ + int timeout; /* If we're ask_timeout, what is our timeout time is + * seconds */ + int authTransact; /* allow multiple authentications off one password if + * they are all part of the same transaction */ + PRTime authTime; /* when were we last authenticated */ + int minPassword; /* smallest legal password */ + int maxPassword; /* largest legal password */ + PRUint16 series; /* break up the slot info into various groups of + * inserted tokens so that keys and certs can be + * invalidated */ + PRUint16 flagSeries; /* record the last series for the last event + * returned for this slot */ + PRBool flagState; /* record the state of the last event returned for this + * slot. */ + PRUint16 wrapKey; /* current wrapping key for SSL master secrets */ CK_MECHANISM_TYPE wrapMechanism; - /* current wrapping mechanism for current wrapKey */ - CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */ + /* current wrapping mechanism for current wrapKey */ + CK_OBJECT_HANDLE refKeys[1]; /* array of existing wrapping keys for */ CK_MECHANISM_TYPE *mechanismList; /* list of mechanism supported by this - * token */ + * token */ int mechanismCount; /* cache the certificates stored on the token of this slot */ CERTCertificate **cert_array; int array_size; int cert_count; char serial[16]; - /* since these are odd sizes, keep them last. They are odd sizes to + /* since these are odd sizes, keep them last. They are odd sizes to * allow them to become null terminated strings */ char slot_name[65]; char token_name[33]; @@ -114,60 +113,59 @@ struct PK11SlotInfoStr { /* Symetric Key structure. Reference Counted */ struct PK11SymKeyStr { - CK_MECHANISM_TYPE type; /* type of operation this key was created for*/ - CK_OBJECT_HANDLE objectID; /* object id of this key in the slot */ - PK11SlotInfo *slot; /* Slot this key is loaded into */ - void *cx; /* window context in case we need to loggin */ - PK11SymKey *next; - PRBool owner; - SECItem data; /* raw key data if available */ + CK_MECHANISM_TYPE type; /* type of operation this key was created for*/ + CK_OBJECT_HANDLE objectID; /* object id of this key in the slot */ + PK11SlotInfo *slot; /* Slot this key is loaded into */ + void *cx; /* window context in case we need to loggin */ + PK11SymKey *next; + PRBool owner; + SECItem data; /* raw key data if available */ CK_SESSION_HANDLE session; - PRBool sessionOwner; - PRInt32 refCount; /* number of references to this key */ - int size; /* key size in bytes */ - PK11Origin origin; /* where this key came from - * (see def in secmodt.h) */ - PK11SymKey *parent; /* potential owner key of the session */ - PRUint16 series; /* break up the slot info into various groups - * of inserted tokens so that keys and certs - * can be invalidated */ - void *userData; /* random data the application can attach to - * this key */ - PK11FreeDataFunc freeFunc; /* function to free the user data */ + PRBool sessionOwner; + PRInt32 refCount; /* number of references to this key */ + int size; /* key size in bytes */ + PK11Origin origin; /* where this key came from + * (see def in secmodt.h) */ + PK11SymKey *parent; /* potential owner key of the session */ + PRUint16 series; /* break up the slot info into various groups + * of inserted tokens so that keys and certs + * can be invalidated */ + void *userData; /* random data the application can attach to + * this key */ + PK11FreeDataFunc freeFunc; /* function to free the user data */ }; - /* * hold a hash, encryption or signing context for multi-part operations. * hold enough information so that multiple contexts can be interleaved * if necessary. ... Not RefCounted. */ struct PK11ContextStr { - CK_ATTRIBUTE_TYPE operation; /* type of operation this context is doing - * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */ - PK11SymKey *key; /* symetric key used in this context */ - PK11SlotInfo *slot; /* slot this context is operationing on */ - CK_SESSION_HANDLE session; /* session this context is using */ - PZLock *sessionLock; /* lock before accessing a PKCS #11 - * session */ - PRBool ownSession;/* do we own the session? */ - void *cx; /* window context in case we need to loggin*/ - void *savedData;/* save data when we are multiplexing on a - * single context */ - unsigned long savedLength; /* length of the saved context */ - SECItem *param; /* mechanism parameters used to build this - context */ - PRBool init; /* has this contexted been initialized */ - CK_MECHANISM_TYPE type; /* what is the PKCS #11 this context is - * representing (usually what algorithm is - * being used (CKM_RSA_PKCS, CKM_DES, - * CKM_SHA, etc.*/ - PRBool fortezzaHack; /*Fortezza SSL has some special - * non-standard semantics*/ + CK_ATTRIBUTE_TYPE operation; /* type of operation this context is doing + * (CKA_ENCRYPT, CKA_SIGN, CKA_HASH, etc. */ + PK11SymKey *key; /* symetric key used in this context */ + PK11SlotInfo *slot; /* slot this context is operationing on */ + CK_SESSION_HANDLE session; /* session this context is using */ + PZLock *sessionLock; /* lock before accessing a PKCS #11 + * session */ + PRBool ownSession; /* do we own the session? */ + void *cx; /* window context in case we need to loggin*/ + void *savedData; /* save data when we are multiplexing on a + * single context */ + unsigned long savedLength; /* length of the saved context */ + SECItem *param; /* mechanism parameters used to build this + context */ + PRBool init; /* has this contexted been initialized */ + CK_MECHANISM_TYPE type; /* what is the PKCS #11 this context is + * representing (usually what algorithm is + * being used (CKM_RSA_PKCS, CKM_DES, + * CKM_SHA, etc.*/ + PRBool fortezzaHack; /* Fortezza SSL has some special + * non-standard semantics*/ }; /* - * structure to hold a pointer to a unique PKCS #11 object + * structure to hold a pointer to a unique PKCS #11 object * (pointer to the slot and the object id). */ struct PK11GenericObjectStr { @@ -177,11 +175,9 @@ struct PK11GenericObjectStr { CK_OBJECT_HANDLE objectID; }; - #define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */ /* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */ #define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL - #endif /* _SECMODTI_H_ */ diff --git a/nss/lib/pk11wrap/secpkcs5.h b/nss/lib/pk11wrap/secpkcs5.h index ac863b1..5785676 100644 --- a/nss/lib/pk11wrap/secpkcs5.h +++ b/nss/lib/pk11wrap/secpkcs5.h @@ -21,8 +21,8 @@ SEC_BEGIN_PROTOS /* private */ SECAlgorithmID * sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SECOidTag cipherAlgorithm, - SECOidTag prfAlg, SECOidTag *pPbeAlgorithm, - int keyLengh, SECItem *salt, int iteration); + SECOidTag prfAlg, SECOidTag *pPbeAlgorithm, + int keyLengh, SECItem *salt, int iteration); /* Get the initialization vector. The password is passed in, hashing * is performed, and the initialization vector is returned. @@ -47,13 +47,12 @@ int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid); PBEBitGenContext * PBE_CreateContext(SECOidTag hashAlgorithm, PBEBitGenID bitGenPurpose, - SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, - unsigned int iterations); + SECItem *pwitem, SECItem *salt, unsigned int bitsNeeded, + unsigned int iterations); void PBE_DestroyContext(PBEBitGenContext *context); - SECItem * PBE_GenerateBits(PBEBitGenContext *context); |