security/nss/lib/softoken/pkcs11i.h

changeset 0
6474c204b198
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/security/nss/lib/softoken/pkcs11i.h	Wed Dec 31 06:09:35 2014 +0100
     1.3 @@ -0,0 +1,745 @@
     1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
     1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
     1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     1.7 +/*
     1.8 + * Internal data structures and functions used by pkcs11.c
     1.9 + */
    1.10 +#ifndef _PKCS11I_H_
    1.11 +#define _PKCS11I_H_ 1
    1.12 +
    1.13 +#include "nssilock.h"
    1.14 +#include "seccomon.h"
    1.15 +#include "secoidt.h"
    1.16 +#include "lowkeyti.h" 
    1.17 +#include "pkcs11t.h"
    1.18 +
    1.19 +#include "sftkdbt.h" 
    1.20 +#include "hasht.h"
    1.21 +
    1.22 +/* 
    1.23 + * Configuration Defines 
    1.24 + *
    1.25 + * The following defines affect the space verse speed trade offs of
    1.26 + * the PKCS #11 module. For the most part the current settings are optimized
    1.27 + * for web servers, where we want faster speed and lower lock contention at
    1.28 + * the expense of space.
    1.29 + */
    1.30 +
    1.31 +/* 
    1.32 + * The attribute allocation strategy is static allocation:
    1.33 + *   Attributes are pre-allocated as part of the session object and used from
    1.34 + *   the object array.
    1.35 + */
    1.36 +#define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
    1.37 +				 * the object (must me the absolute max) */
    1.38 +#define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
    1.39 +				 * data needs to be allocated. This is set to
    1.40 +				 * enough space to hold an SSL MASTER secret */
    1.41 +
    1.42 +#define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
    1.43 +				   * matching when doing C_FindObject on token
    1.44 +				   * objects. This will slow down search in
    1.45 +				   * NSS. */
    1.46 +/* default search block allocations and increments */
    1.47 +#define NSC_CERT_BLOCK_SIZE     50
    1.48 +#define NSC_SEARCH_BLOCK_SIZE   5 
    1.49 +#define NSC_SLOT_LIST_BLOCK_SIZE 10
    1.50 +
    1.51 +#define NSC_FIPS_MODULE 1
    1.52 +#define NSC_NON_FIPS_MODULE 0
    1.53 +
    1.54 +/* these are data base storage hashes, not cryptographic hashes.. The define
    1.55 + * the effective size of the various object hash tables */
    1.56 +/* clients care more about memory usage than lookup performance on
    1.57 + * cyrptographic objects. Clients also have less objects around to play with 
    1.58 + *
    1.59 + * we eventually should make this configurable at runtime! Especially now that
    1.60 + * NSS is a shared library.
    1.61 + */
    1.62 +#define SPACE_ATTRIBUTE_HASH_SIZE 32 
    1.63 +#define SPACE_SESSION_OBJECT_HASH_SIZE 32
    1.64 +#define SPACE_SESSION_HASH_SIZE 32
    1.65 +#define TIME_ATTRIBUTE_HASH_SIZE 32
    1.66 +#define TIME_SESSION_OBJECT_HASH_SIZE 1024
    1.67 +#define TIME_SESSION_HASH_SIZE 1024
    1.68 +#define MAX_OBJECT_LIST_SIZE 800  
    1.69 +				  /* how many objects to keep on the free list
    1.70 +				   * before we start freeing them */
    1.71 +#define MAX_KEY_LEN 256 	  /* maximum symmetric key length in bytes */
    1.72 +
    1.73 +/*
    1.74 + * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
    1.75 + * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
    1.76 + * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
    1.77 + *
    1.78 + * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
    1.79 + * 1024        9                  512               2
    1.80 + * 1024        5                  32                32
    1.81 + * 1024        1                  2                 512
    1.82 + * 1024        0                  1                 1024
    1.83 + * 4096        11                 2048              2
    1.84 + * 4096        9                  512               8
    1.85 + * 4096        5                  32                128
    1.86 + * 4096        1                  2                 2048
    1.87 + * 4096        0                  1                 4096
    1.88 + */
    1.89 +#define LOG2_BUCKETS_PER_SESSION_LOCK 1
    1.90 +#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
    1.91 +/* NOSPREAD sessionID to hash table index macro has been slower. */
    1.92 +
    1.93 +/* define typedefs, double as forward declarations as well */
    1.94 +typedef struct SFTKAttributeStr SFTKAttribute;
    1.95 +typedef struct SFTKObjectListStr SFTKObjectList;
    1.96 +typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
    1.97 +typedef struct SFTKObjectListElementStr SFTKObjectListElement;
    1.98 +typedef struct SFTKObjectStr SFTKObject;
    1.99 +typedef struct SFTKSessionObjectStr SFTKSessionObject;
   1.100 +typedef struct SFTKTokenObjectStr SFTKTokenObject;
   1.101 +typedef struct SFTKSessionStr SFTKSession;
   1.102 +typedef struct SFTKSlotStr SFTKSlot;
   1.103 +typedef struct SFTKSessionContextStr SFTKSessionContext;
   1.104 +typedef struct SFTKSearchResultsStr SFTKSearchResults;
   1.105 +typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
   1.106 +typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
   1.107 +typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
   1.108 +typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo;
   1.109 +typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
   1.110 +typedef struct SFTKItemTemplateStr SFTKItemTemplate;
   1.111 +
   1.112 +/* define function pointer typdefs for pointer tables */
   1.113 +typedef void (*SFTKDestroy)(void *, PRBool);
   1.114 +typedef void (*SFTKBegin)(void *);
   1.115 +typedef SECStatus (*SFTKCipher)(void *,void *,unsigned int *,unsigned int,
   1.116 +					void *, unsigned int);
   1.117 +typedef SECStatus (*SFTKVerify)(void *,void *,unsigned int,void *,unsigned int);
   1.118 +typedef void (*SFTKHash)(void *,void *,unsigned int);
   1.119 +typedef void (*SFTKEnd)(void *,void *,unsigned int *,unsigned int);
   1.120 +typedef void (*SFTKFree)(void *);
   1.121 +
   1.122 +/* Value to tell if an attribute is modifiable or not.
   1.123 + *    NEVER: attribute is only set on creation.
   1.124 + *    ONCOPY: attribute is set on creation and can only be changed on copy.
   1.125 + *    SENSITIVE: attribute can only be changed to TRUE.
   1.126 + *    ALWAYS: attribute can always be changed.
   1.127 + */
   1.128 +typedef enum {
   1.129 +	SFTK_NEVER = 0,
   1.130 +	SFTK_ONCOPY = 1,
   1.131 +	SFTK_SENSITIVE = 2,
   1.132 +	SFTK_ALWAYS = 3
   1.133 +} SFTKModifyType;
   1.134 +
   1.135 +/*
   1.136 + * Free Status Enum... tell us more information when we think we're
   1.137 + * deleting an object.
   1.138 + */
   1.139 +typedef enum {
   1.140 +	SFTK_DestroyFailure,
   1.141 +	SFTK_Destroyed,
   1.142 +	SFTK_Busy
   1.143 +} SFTKFreeStatus;
   1.144 +
   1.145 +/*
   1.146 + * attribute values of an object.
   1.147 + */
   1.148 +struct SFTKAttributeStr {
   1.149 +    SFTKAttribute  	*next;
   1.150 +    SFTKAttribute  	*prev;
   1.151 +    PRBool		freeAttr;
   1.152 +    PRBool		freeData;
   1.153 +    /*must be called handle to make sftkqueue_find work */
   1.154 +    CK_ATTRIBUTE_TYPE	handle;
   1.155 +    CK_ATTRIBUTE 	attrib;
   1.156 +    unsigned char space[ATTR_SPACE];
   1.157 +};
   1.158 +
   1.159 +
   1.160 +/*
   1.161 + * doubly link list of objects
   1.162 + */
   1.163 +struct SFTKObjectListStr {
   1.164 +    SFTKObjectList *next;
   1.165 +    SFTKObjectList *prev;
   1.166 +    SFTKObject	   *parent;
   1.167 +};
   1.168 +
   1.169 +struct SFTKObjectFreeListStr {
   1.170 +    SFTKObject	*head;
   1.171 +    PZLock	*lock;
   1.172 +    int		count;
   1.173 +};
   1.174 +
   1.175 +/*
   1.176 + * PKCS 11 crypto object structure
   1.177 + */
   1.178 +struct SFTKObjectStr {
   1.179 +    SFTKObject *next;
   1.180 +    SFTKObject	*prev;
   1.181 +    CK_OBJECT_CLASS 	objclass;
   1.182 +    CK_OBJECT_HANDLE	handle;
   1.183 +    int 		refCount;
   1.184 +    PZLock 		*refLock;
   1.185 +    SFTKSlot	   	*slot;
   1.186 +    void 		*objectInfo;
   1.187 +    SFTKFree 		infoFree;
   1.188 +};
   1.189 +
   1.190 +struct SFTKTokenObjectStr {
   1.191 +    SFTKObject  obj;
   1.192 +    SECItem	dbKey;
   1.193 +};
   1.194 +
   1.195 +struct SFTKSessionObjectStr {
   1.196 +    SFTKObject	   obj;
   1.197 +    SFTKObjectList sessionList;
   1.198 +    PZLock		*attributeLock;
   1.199 +    SFTKSession   	*session;
   1.200 +    PRBool		wasDerived;
   1.201 +    int nextAttr;
   1.202 +    SFTKAttribute	attrList[MAX_OBJS_ATTRS];
   1.203 +    PRBool		optimizeSpace;
   1.204 +    unsigned int	hashSize;
   1.205 +    SFTKAttribute 	*head[1];
   1.206 +};
   1.207 +
   1.208 +/*
   1.209 + * struct to deal with a temparary list of objects
   1.210 + */
   1.211 +struct SFTKObjectListElementStr {
   1.212 +    SFTKObjectListElement	*next;
   1.213 +    SFTKObject 			*object;
   1.214 +};
   1.215 +
   1.216 +/*
   1.217 + * Area to hold Search results
   1.218 + */
   1.219 +struct SFTKSearchResultsStr {
   1.220 +    CK_OBJECT_HANDLE	*handles;
   1.221 +    int			size;
   1.222 +    int			index;
   1.223 +    int			array_size;
   1.224 +};
   1.225 +
   1.226 +
   1.227 +/* 
   1.228 + * the universal crypto/hash/sign/verify context structure
   1.229 + */
   1.230 +typedef enum {
   1.231 +    SFTK_ENCRYPT,
   1.232 +    SFTK_DECRYPT,
   1.233 +    SFTK_HASH,
   1.234 +    SFTK_SIGN,
   1.235 +    SFTK_SIGN_RECOVER,
   1.236 +    SFTK_VERIFY,
   1.237 +    SFTK_VERIFY_RECOVER
   1.238 +} SFTKContextType;
   1.239 +
   1.240 +/** max block size of supported block ciphers */
   1.241 +#define SFTK_MAX_BLOCK_SIZE 16
   1.242 +/** currently SHA512 is the biggest hash length */
   1.243 +#define SFTK_MAX_MAC_LENGTH 64
   1.244 +#define SFTK_INVALID_MAC_SIZE 0xffffffff
   1.245 +
   1.246 +/** Particular ongoing operation in session (sign/verify/digest/encrypt/...)
   1.247 + *
   1.248 + *  Understanding sign/verify context:
   1.249 + *      multi=1 hashInfo=0   block (symmetric) cipher MACing
   1.250 + *      multi=1 hashInfo=X   PKC S/V with prior hashing
   1.251 + *      multi=0 hashInfo=0   PKC S/V one shot (w/o hashing)
   1.252 + *      multi=0 hashInfo=X   *** shouldn't happen ***
   1.253 + */
   1.254 +struct SFTKSessionContextStr {
   1.255 +    SFTKContextType	type;
   1.256 +    PRBool		multi; 		/* is multipart */
   1.257 +    PRBool		rsa; 		/* is rsa */
   1.258 +    PRBool		doPad; 		/* use PKCS padding for block ciphers */
   1.259 +    unsigned int	blockSize; 	/* blocksize for padding */
   1.260 +    unsigned int	padDataLength; 	/* length of the valid data in padbuf */
   1.261 +    /** latest incomplete block of data for block cipher */
   1.262 +    unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
   1.263 +    /** result of MAC'ing of latest full block of data with block cipher */
   1.264 +    unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
   1.265 +    CK_ULONG		macSize;	/* size of a general block cipher mac*/
   1.266 +    void		*cipherInfo;
   1.267 +    void		*hashInfo;
   1.268 +    unsigned int	cipherInfoLen;
   1.269 +    CK_MECHANISM_TYPE	currentMech;
   1.270 +    SFTKCipher		update;
   1.271 +    SFTKHash		hashUpdate;
   1.272 +    SFTKEnd		end;
   1.273 +    SFTKDestroy		destroy;
   1.274 +    SFTKDestroy		hashdestroy;
   1.275 +    SFTKVerify		verify;
   1.276 +    unsigned int	maxLen;
   1.277 +    SFTKObject		*key;
   1.278 +};
   1.279 +
   1.280 +/*
   1.281 + * Sessions (have objects)
   1.282 + */
   1.283 +struct SFTKSessionStr {
   1.284 +    SFTKSession        *next;
   1.285 +    SFTKSession        *prev;
   1.286 +    CK_SESSION_HANDLE	handle;
   1.287 +    int			refCount;
   1.288 +    PZLock		*objectLock;
   1.289 +    int			objectIDCount;
   1.290 +    CK_SESSION_INFO	info;
   1.291 +    CK_NOTIFY		notify;
   1.292 +    CK_VOID_PTR		appData;
   1.293 +    SFTKSlot		*slot;
   1.294 +    SFTKSearchResults	*search;
   1.295 +    SFTKSessionContext	*enc_context;
   1.296 +    SFTKSessionContext	*hash_context;
   1.297 +    SFTKSessionContext	*sign_context;
   1.298 +    SFTKObjectList	*objects[1];
   1.299 +};
   1.300 +
   1.301 +/*
   1.302 + * slots (have sessions and objects)
   1.303 + *
   1.304 + * The array of sessionLock's protect the session hash table (head[])
   1.305 + * as well as the reference count of session objects in that bucket
   1.306 + * (head[]->refCount),  objectLock protects all elements of the slot's
   1.307 + * object hash tables (sessObjHashTable[] and tokObjHashTable), and
   1.308 + * sessionObjectHandleCount.
   1.309 + * slotLock protects the remaining protected elements:
   1.310 + * password, isLoggedIn, ssoLoggedIn, and sessionCount,
   1.311 + * and pwCheckLock serializes the key database password checks in
   1.312 + * NSC_SetPIN and NSC_Login.
   1.313 + *
   1.314 + * Each of the fields below has the following lifetime as commented
   1.315 + * next to the fields:
   1.316 + *   invariant  - This value is set when the slot is first created and
   1.317 + * never changed until it is destroyed.
   1.318 + *   per load   - This value is set when the slot is first created, or 
   1.319 + * when the slot is used to open another directory. Between open and close
   1.320 + * this field does not change.
   1.321 + *   variable - This value changes through the normal process of slot operation.
   1.322 + *      - reset. The value of this variable is cleared during an open/close 
   1.323 + *   cycles.
   1.324 + *      - preserved. The value of this variable is preserved over open/close
   1.325 + *   cycles.
   1.326 + */
   1.327 +struct SFTKSlotStr {
   1.328 +    CK_SLOT_ID		slotID;			/* invariant */
   1.329 +    PZLock		*slotLock;		/* invariant */
   1.330 +    PZLock		**sessionLock;		/* invariant */
   1.331 +    unsigned int	numSessionLocks;	/* invariant */
   1.332 +    unsigned long	sessionLockMask;	/* invariant */
   1.333 +    PZLock		*objectLock;		/* invariant */
   1.334 +    PRLock		*pwCheckLock;		/* invariant */
   1.335 +    PRBool		present;		/* variable -set */
   1.336 +    PRBool		hasTokens;		/* per load */
   1.337 +    PRBool		isLoggedIn;		/* variable - reset */
   1.338 +    PRBool		ssoLoggedIn;		/* variable - reset */
   1.339 +    PRBool		needLogin;		/* per load */
   1.340 +    PRBool		DB_loaded;		/* per load */
   1.341 +    PRBool		readOnly;		/* per load */
   1.342 +    PRBool		optimizeSpace;		/* invariant */
   1.343 +    SFTKDBHandle	*certDB;		/* per load */
   1.344 +    SFTKDBHandle	*keyDB;			/* per load */
   1.345 +    int			minimumPinLen;		/* per load */
   1.346 +    PRInt32		sessionIDCount;		/* atomically incremented */
   1.347 +                                        	/* (preserved) */
   1.348 +    int			sessionIDConflict; 	/* not protected by a lock */
   1.349 +                                            	/* (preserved) */
   1.350 +    int			sessionCount;           /* variable - reset */
   1.351 +    PRInt32             rwSessionCount;    	/* set by atomic operations */
   1.352 +                                          	/* (reset) */
   1.353 +    int			sessionObjectHandleCount;/* variable - perserved */
   1.354 +    int			index;			/* invariant */
   1.355 +    PLHashTable		*tokObjHashTable;	/* invariant */
   1.356 +    SFTKObject		**sessObjHashTable;	/* variable - reset */
   1.357 +    unsigned int	sessObjHashSize;	/* invariant */
   1.358 +    SFTKSession		**head;			/* variable -reset */
   1.359 +    unsigned int	sessHashSize;		/* invariant */
   1.360 +    char		tokDescription[33];	/* per load */
   1.361 +    char		updateTokDescription[33]; /* per load */
   1.362 +    char		slotDescription[65];	/* invariant */
   1.363 +};
   1.364 +
   1.365 +/*
   1.366 + * special joint operations Contexts
   1.367 + */
   1.368 +struct SFTKHashVerifyInfoStr {
   1.369 +    SECOidTag   	hashOid;
   1.370 +    void		*params;
   1.371 +    NSSLOWKEYPublicKey	*key;
   1.372 +};
   1.373 +
   1.374 +struct SFTKHashSignInfoStr {
   1.375 +    SECOidTag   	hashOid;
   1.376 +    void		*params;
   1.377 +    NSSLOWKEYPrivateKey	*key;
   1.378 +};
   1.379 +
   1.380 +/**
   1.381 + * Contexts for RSA-OAEP
   1.382 + */
   1.383 +struct SFTKOAEPEncryptInfoStr {
   1.384 +    CK_RSA_PKCS_OAEP_PARAMS *params;
   1.385 +    NSSLOWKEYPublicKey *key;
   1.386 +};
   1.387 +
   1.388 +struct SFTKOAEPDecryptInfoStr {
   1.389 +    CK_RSA_PKCS_OAEP_PARAMS *params;
   1.390 +    NSSLOWKEYPrivateKey *key;
   1.391 +};
   1.392 +
   1.393 +/* context for the Final SSLMAC message */
   1.394 +struct SFTKSSLMACInfoStr {
   1.395 +    void 		*hashContext;
   1.396 +    SFTKBegin		begin;
   1.397 +    SFTKHash		update;
   1.398 +    SFTKEnd		end;
   1.399 +    CK_ULONG		macSize;
   1.400 +    int			padSize;
   1.401 +    unsigned char	key[MAX_KEY_LEN];
   1.402 +    unsigned int	keySize;
   1.403 +};
   1.404 +
   1.405 +/*
   1.406 + * Template based on SECItems, suitable for passing as arrays
   1.407 + */
   1.408 +struct SFTKItemTemplateStr {
   1.409 +    CK_ATTRIBUTE_TYPE	type;
   1.410 +    SECItem		*item;
   1.411 +};
   1.412 +
   1.413 +/* macro for setting SFTKTemplates. */
   1.414 +#define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \
   1.415 +   templ[count].type = attr; \
   1.416 +   templ[count].item = itemPtr
   1.417 +
   1.418 +#define SFTK_MAX_ITEM_TEMPLATE 10
   1.419 +
   1.420 +/*
   1.421 + * session handle modifiers
   1.422 + */
   1.423 +#define SFTK_SESSION_SLOT_MASK	0xff000000L
   1.424 +
   1.425 +/*
   1.426 + * object handle modifiers
   1.427 + */
   1.428 +#define SFTK_TOKEN_MASK		0x80000000L
   1.429 +#define SFTK_TOKEN_MAGIC	0x80000000L
   1.430 +#define SFTK_TOKEN_TYPE_MASK	0x70000000L
   1.431 +/* keydb (high bit == 0) */
   1.432 +#define SFTK_TOKEN_TYPE_PRIV	0x10000000L
   1.433 +#define SFTK_TOKEN_TYPE_PUB	0x20000000L
   1.434 +#define SFTK_TOKEN_TYPE_KEY	0x30000000L
   1.435 +/* certdb (high bit == 1) */
   1.436 +#define SFTK_TOKEN_TYPE_TRUST	0x40000000L
   1.437 +#define SFTK_TOKEN_TYPE_CRL	0x50000000L
   1.438 +#define SFTK_TOKEN_TYPE_SMIME	0x60000000L
   1.439 +#define SFTK_TOKEN_TYPE_CERT	0x70000000L
   1.440 +
   1.441 +#define SFTK_TOKEN_KRL_HANDLE	(SFTK_TOKEN_MAGIC|SFTK_TOKEN_TYPE_CRL|1)
   1.442 +/* how big (in bytes) a password/pin we can deal with */
   1.443 +#define SFTK_MAX_PIN	255
   1.444 +/* minimum password/pin length (in Unicode characters) in FIPS mode */
   1.445 +#define FIPS_MIN_PIN	7
   1.446 +
   1.447 +/* slot ID's */
   1.448 +#define NETSCAPE_SLOT_ID 1
   1.449 +#define PRIVATE_KEY_SLOT_ID 2
   1.450 +#define FIPS_SLOT_ID 3
   1.451 +
   1.452 +/* slot helper macros */
   1.453 +#define sftk_SlotFromSession(sp) ((sp)->slot)
   1.454 +#define sftk_isToken(id) (((id) & SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
   1.455 +
   1.456 +/* the session hash multiplier (see bug 201081) */
   1.457 +#define SHMULTIPLIER 1791398085
   1.458 +
   1.459 +/* queueing helper macros */
   1.460 +#define sftk_hash(value,size) \
   1.461 +	((PRUint32)((value) * SHMULTIPLIER) & (size-1))
   1.462 +#define sftkqueue_add(element,id,head,hash_size) \
   1.463 +	{ int tmp = sftk_hash(id,hash_size); \
   1.464 +	(element)->next = (head)[tmp]; \
   1.465 +	(element)->prev = NULL; \
   1.466 +	if ((head)[tmp]) (head)[tmp]->prev = (element); \
   1.467 +	(head)[tmp] = (element); }
   1.468 +#define sftkqueue_find(element,id,head,hash_size) \
   1.469 +	for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
   1.470 +					 (element) = (element)->next) { \
   1.471 +	    if ((element)->handle == (id)) { break; } }
   1.472 +#define sftkqueue_is_queued(element,id,head,hash_size) \
   1.473 +	( ((element)->next) || ((element)->prev) || \
   1.474 +	 ((head)[sftk_hash(id,hash_size)] == (element)) )
   1.475 +#define sftkqueue_delete(element,id,head,hash_size) \
   1.476 +	if ((element)->next) (element)->next->prev = (element)->prev; \
   1.477 +	if ((element)->prev) (element)->prev->next = (element)->next; \
   1.478 +	   else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
   1.479 +	(element)->next = NULL; \
   1.480 +	(element)->prev = NULL; \
   1.481 +
   1.482 +#define sftkqueue_init_element(element) \
   1.483 +    (element)->prev = NULL;
   1.484 +
   1.485 +#define sftkqueue_add2(element, id, index, head) \
   1.486 +    {                                            \
   1.487 +	(element)->next = (head)[index];         \
   1.488 +	if ((head)[index])                       \
   1.489 +	    (head)[index]->prev = (element);     \
   1.490 +	(head)[index] = (element);               \
   1.491 +    }
   1.492 +
   1.493 +#define sftkqueue_find2(element, id, index, head) \
   1.494 +    for ( (element) = (head)[index];              \
   1.495 +          (element) != NULL;                      \
   1.496 +          (element) = (element)->next) {          \
   1.497 +	if ((element)->handle == (id)) { break; } \
   1.498 +    }
   1.499 +
   1.500 +#define sftkqueue_delete2(element, id, index, head) \
   1.501 +	if ((element)->next) (element)->next->prev = (element)->prev; \
   1.502 +	if ((element)->prev) (element)->prev->next = (element)->next; \
   1.503 +	   else (head)[index] = ((element)->next);
   1.504 +
   1.505 +#define sftkqueue_clear_deleted_element(element) \
   1.506 +	(element)->next = NULL; \
   1.507 +	(element)->prev = NULL; \
   1.508 +
   1.509 +
   1.510 +/* sessionID (handle) is used to determine session lock bucket */
   1.511 +#ifdef NOSPREAD
   1.512 +/* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
   1.513 +#define SFTK_SESSION_LOCK(slot,handle) \
   1.514 +    ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
   1.515 +        & (slot)->sessionLockMask])
   1.516 +#else
   1.517 +/* SPREAD:	ID & (perbucket-1) */
   1.518 +#define SFTK_SESSION_LOCK(slot,handle) \
   1.519 +    ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
   1.520 +#endif
   1.521 +
   1.522 +/* expand an attribute & secitem structures out */
   1.523 +#define sftk_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
   1.524 +#define sftk_item_expand(ip) (ip)->data,(ip)->len
   1.525 +
   1.526 +typedef struct sftk_token_parametersStr {
   1.527 +    CK_SLOT_ID slotID;
   1.528 +    char *configdir;
   1.529 +    char *certPrefix;
   1.530 +    char *keyPrefix;
   1.531 +    char *updatedir;
   1.532 +    char *updCertPrefix;
   1.533 +    char *updKeyPrefix;
   1.534 +    char *updateID;
   1.535 +    char *tokdes;
   1.536 +    char *slotdes;
   1.537 +    char *updtokdes;
   1.538 +    int minPW; 
   1.539 +    PRBool readOnly;
   1.540 +    PRBool noCertDB;
   1.541 +    PRBool noKeyDB;
   1.542 +    PRBool forceOpen;
   1.543 +    PRBool pwRequired;
   1.544 +    PRBool optimizeSpace;
   1.545 +} sftk_token_parameters;
   1.546 +
   1.547 +typedef struct sftk_parametersStr {
   1.548 +    char *configdir;
   1.549 +    char *updatedir;
   1.550 +    char *updateID;
   1.551 +    char *secmodName;
   1.552 +    char *man;
   1.553 +    char *libdes; 
   1.554 +    PRBool readOnly;
   1.555 +    PRBool noModDB;
   1.556 +    PRBool noCertDB;
   1.557 +    PRBool forceOpen;
   1.558 +    PRBool pwRequired;
   1.559 +    PRBool optimizeSpace;
   1.560 +    sftk_token_parameters *tokens;
   1.561 +    int token_count;
   1.562 +} sftk_parameters;
   1.563 +
   1.564 +
   1.565 +/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
   1.566 +#define CERT_DB_FMT "%scert%s.db"
   1.567 +#define KEY_DB_FMT "%skey%s.db"
   1.568 +
   1.569 +SEC_BEGIN_PROTOS
   1.570 +
   1.571 +/* shared functions between pkcs11.c and fipstokn.c */
   1.572 +extern PRBool nsf_init;
   1.573 +extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
   1.574 +extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
   1.575 +extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV* crv);
   1.576 +extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
   1.577 +	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
   1.578 +
   1.579 +/* slot initialization, reinit, shutdown and destruction */
   1.580 +extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
   1.581 +			sftk_token_parameters *params, int moduleIndex);
   1.582 +extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
   1.583 +			char *updatedir, char *updateID,
   1.584 +			sftk_token_parameters *params, int moduleIndex);
   1.585 +extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
   1.586 +extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
   1.587 +extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout);
   1.588 +
   1.589 +
   1.590 +/* internal utility functions used by pkcs11.c */
   1.591 +extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
   1.592 +					 CK_ATTRIBUTE_TYPE type);
   1.593 +extern void sftk_FreeAttribute(SFTKAttribute *attribute);
   1.594 +extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   1.595 +				   const void *valPtr, CK_ULONG length);
   1.596 +extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
   1.597 +				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   1.598 +extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena, 
   1.599 +		SFTKObject *object, SFTKItemTemplate *templ, int count);
   1.600 +extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
   1.601 +							 unsigned int bufLen);
   1.602 +extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 
   1.603 +	CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
   1.604 +extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   1.605 +extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   1.606 +extern void sftk_DeleteAttributeType(SFTKObject *object,
   1.607 +				     CK_ATTRIBUTE_TYPE type);
   1.608 +extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
   1.609 +				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   1.610 +extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
   1.611 +				     SFTKObject *object,
   1.612 +				     CK_ATTRIBUTE_TYPE type);
   1.613 +extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
   1.614 +				      CK_OBJECT_CLASS inClass);
   1.615 +extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
   1.616 +extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   1.617 +extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type);
   1.618 +extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   1.619 +                                                         CK_ULONG *longData);
   1.620 +extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   1.621 +				 const void *value, unsigned int len);
   1.622 +extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   1.623 +				   const void *value, unsigned int len);
   1.624 +extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
   1.625 +
   1.626 +extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
   1.627 +extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
   1.628 +extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
   1.629 +extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
   1.630 +extern void sftk_ReferenceObject(SFTKObject *object);
   1.631 +extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
   1.632 +					 SFTKSession *session);
   1.633 +extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
   1.634 +extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
   1.635 +/* clear out all the existing object ID to database key mappings.
   1.636 + * used to reinit a token */
   1.637 +extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
   1.638 +
   1.639 +extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
   1.640 +				   SFTKObject **head, unsigned int size,
   1.641 +				   PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
   1.642 +				   int count, PRBool isLoggedIn);
   1.643 +extern SFTKObjectListElement *sftk_FreeObjectListElement(
   1.644 +					     SFTKObjectListElement *objectList);
   1.645 +extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
   1.646 +extern void sftk_FreeSearch(SFTKSearchResults *search);
   1.647 +extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
   1.648 +
   1.649 +extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
   1.650 +extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
   1.651 +extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
   1.652 +extern void sftk_FreeSession(SFTKSession *session);
   1.653 +extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
   1.654 +				    CK_VOID_PTR pApplication, CK_FLAGS flags);
   1.655 +extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
   1.656 +extern void sftk_update_all_states(SFTKSlot *slot);
   1.657 +extern void sftk_FreeContext(SFTKSessionContext *context);
   1.658 +extern void sftk_InitFreeLists(void);
   1.659 +extern void sftk_CleanupFreeLists(void);
   1.660 +
   1.661 +extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
   1.662 +					  CK_KEY_TYPE key_type, CK_RV *crvp);
   1.663 +extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
   1.664 +					    CK_KEY_TYPE key_type, CK_RV *crvp);
   1.665 +extern void sftk_FormatDESKey(unsigned char *key, int length);
   1.666 +extern PRBool sftk_CheckDESKey(unsigned char *key);
   1.667 +extern PRBool sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
   1.668 +
   1.669 +/* mechanism allows this operation */
   1.670 +extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
   1.671 +
   1.672 +/* helper function which calls nsslowkey_FindKeyByPublicKey after safely
   1.673 + * acquiring a reference to the keydb from the slot */
   1.674 +NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
   1.675 +
   1.676 +/*
   1.677 + * parameter parsing functions
   1.678 + */
   1.679 +CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
   1.680 +void sftk_freeParams(sftk_parameters *params);
   1.681 +
   1.682 +
   1.683 +/*
   1.684 + * narrow objects
   1.685 + */
   1.686 +SFTKSessionObject * sftk_narrowToSessionObject(SFTKObject *);
   1.687 +SFTKTokenObject * sftk_narrowToTokenObject(SFTKObject *);
   1.688 +
   1.689 +/*
   1.690 + * token object utilities
   1.691 + */
   1.692 +void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
   1.693 +PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 
   1.694 +						CK_OBJECT_HANDLE handle);
   1.695 +SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 
   1.696 +						CK_OBJECT_HANDLE handle);
   1.697 +SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
   1.698 +
   1.699 +
   1.700 +/* J-PAKE (jpakesftk.c) */
   1.701 +extern
   1.702 +CK_RV jpake_Round1(HASH_HashType hashType,
   1.703 +                   CK_NSS_JPAKERound1Params * params,
   1.704 +                   SFTKObject * key);
   1.705 +extern
   1.706 +CK_RV jpake_Round2(HASH_HashType hashType,
   1.707 +                   CK_NSS_JPAKERound2Params * params,
   1.708 +                   SFTKObject * sourceKey, SFTKObject * key);
   1.709 +extern
   1.710 +CK_RV jpake_Final(HASH_HashType hashType,
   1.711 +                  const CK_NSS_JPAKEFinalParams * params,
   1.712 +                  SFTKObject * sourceKey, SFTKObject * key);
   1.713 +
   1.714 +/* Constant time MAC functions (hmacct.c) */
   1.715 +
   1.716 +struct sftk_MACConstantTimeCtxStr {
   1.717 +    const SECHashObject *hash;
   1.718 +    unsigned char mac[64];
   1.719 +    unsigned char secret[64];
   1.720 +    unsigned int headerLength;
   1.721 +    unsigned int secretLength;
   1.722 +    unsigned int totalLength;
   1.723 +    unsigned char header[75];
   1.724 +};
   1.725 +typedef struct sftk_MACConstantTimeCtxStr sftk_MACConstantTimeCtx;
   1.726 +sftk_MACConstantTimeCtx* sftk_HMACConstantTime_New(
   1.727 +	CK_MECHANISM_PTR mech, SFTKObject *key);
   1.728 +sftk_MACConstantTimeCtx* sftk_SSLv3MACConstantTime_New(
   1.729 +	CK_MECHANISM_PTR mech, SFTKObject *key);
   1.730 +void sftk_HMACConstantTime_Update(void *pctx, void *data, unsigned int len);
   1.731 +void sftk_SSLv3MACConstantTime_Update(void *pctx, void *data, unsigned int len);
   1.732 +void sftk_MACConstantTime_EndHash(
   1.733 +	void *pctx, void *out, unsigned int *outLength, unsigned int maxLength);
   1.734 +void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool);
   1.735 +
   1.736 +/****************************************
   1.737 + * implement TLS Pseudo Random Function (PRF)
   1.738 + */
   1.739 +
   1.740 +extern CK_RV
   1.741 +sftk_TLSPRFInit(SFTKSessionContext *context, 
   1.742 +		  SFTKObject *        key, 
   1.743 +		  CK_KEY_TYPE         key_type,
   1.744 +		  HASH_HashType       hash_alg);
   1.745 +
   1.746 +SEC_END_PROTOS
   1.747 +
   1.748 +#endif /* _PKCS11I_H_ */
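Review bot: The unlink macros `sftkqueue_delete` (1.475-1.480), `sftkqueue_delete2` (1.500-1.503) and `sftkqueue_clear_deleted_element` (1.505-1.507), and the two-statement `SFTK_SET_ITEM_TEMPLATE` (1.414-1.416), expand to bare statement sequences. Under an unbraced `if`, `else` or loop only the first statement would be governed by the condition, and the embedded `if … else` can pair with a caller's `else`, which would leave an element half-unlinked from its hash chain with stale `next`/`prev` pointers. `sftkqueue_delete` and `sftkqueue_clear_deleted_element` also end in a trailing backslash, so whatever line follows the definition is spliced into the macro; that is harmless only while the following line stays blank. Wrapping each body in `do { … } while (0)` and dropping the trailing backslash closes both gaps, and `sftk_hash` should parenthesize its second argument as `((size)-1)` so an expression argument masks correctly. The call sites are outside this hunk, so confirm that every use already ends in a semicolon before switching forms.

```c
#define sftk_hash(value,size) \
	((PRUint32)((value) * SHMULTIPLIER) & ((size)-1))
/* … unchanged: sftkqueue_add, sftkqueue_find, sftkqueue_is_queued … */
#define sftkqueue_delete(element,id,head,hash_size) \
	do { \
	    if ((element)->next) (element)->next->prev = (element)->prev; \
	    if ((element)->prev) (element)->prev->next = (element)->next; \
	       else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
	    (element)->next = NULL; \
	    (element)->prev = NULL; \
	} while (0)
/* … unchanged: sftkqueue_init_element, sftkqueue_add2, sftkqueue_find2 … */
#define sftkqueue_delete2(element, id, index, head) \
	do { \
	    if ((element)->next) (element)->next->prev = (element)->prev; \
	    if ((element)->prev) (element)->prev->next = (element)->next; \
	       else (head)[index] = ((element)->next); \
	} while (0)

#define sftkqueue_clear_deleted_element(element) \
	do { \
	    (element)->next = NULL; \
	    (element)->prev = NULL; \
	} while (0)
```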
