security/nss/lib/softoken/pkcs11i.h

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     4 /*
     5  * Internal data structures and functions used by pkcs11.c
     6  */
     7 #ifndef _PKCS11I_H_
     8 #define _PKCS11I_H_ 1
    10 #include "nssilock.h"
    11 #include "seccomon.h"
    12 #include "secoidt.h"
    13 #include "lowkeyti.h" 
    14 #include "pkcs11t.h"
    16 #include "sftkdbt.h" 
    17 #include "hasht.h"
    19 /* 
    20  * Configuration Defines 
    21  *
    22  * The following defines affect the space versus speed trade-offs of
    23  * the PKCS #11 module. For the most part the current settings are optimized
    24  * for web servers, where we want faster speed and lower lock contention at
    25  * the expense of space.
    26  */
    28 /* 
    29  * The attribute allocation strategy is static allocation:
    30  *   Attributes are pre-allocated as part of the session object and used from
    31  *   the object array.
        *
        * MAX_OBJS_ATTRS sizes SFTKSessionObjectStr.attrList[] and ATTR_SPACE sizes
        * SFTKAttributeStr.space[] (both declared further down in this header).
        * NOTE(review): both are hard bounds on fixed-size arrays. Confirm that the
        * code handing out attrList slots checks nextAttr against MAX_OBJS_ATTRS
        * and that values longer than ATTR_SPACE always take the separately
        * allocated path instead of being copied into space[].
    32  */
    33 #define MAX_OBJS_ATTRS 45	/* number of attributes to preallocate in
    34 				 * the object (must be the absolute max) */
    35 #define ATTR_SPACE 50  		/* Maximum size of attribute data before extra
    36 				 * data needs to be allocated. This is set to
    37 				 * enough space to hold an SSL MASTER secret */
    39 #define NSC_STRICT      PR_FALSE  /* forces the code to do strict template
    40 				   * matching when doing C_FindObject on token
    41 				   * objects. This will slow down search in
    42 				   * NSS. */
       /* As defined here (PR_FALSE), strict template matching is switched off. */
    43 /* default search block allocations and increments */
    44 #define NSC_CERT_BLOCK_SIZE     50
    45 #define NSC_SEARCH_BLOCK_SIZE   5 
    46 #define NSC_SLOT_LIST_BLOCK_SIZE 10
       /* Module selectors.
        * NOTE(review): presumably the values passed as the moduleIndex argument of
        * nsc_CommonGetSlotList() and SFTK_SlotInit() declared below -- confirm. */
    48 #define NSC_FIPS_MODULE 1
    49 #define NSC_NON_FIPS_MODULE 0
    51 /* These are database storage hashes, not cryptographic hashes. They define
    52  * the effective size of the various object hash tables */
    53 /* clients care more about memory usage than lookup performance on
    54  * cryptographic objects. Clients also have fewer objects around to play with 
    55  *
    56  * we eventually should make this configurable at runtime! Especially now that
    57  * NSS is a shared library.
        *
        * Every value below is a power of two. sftk_hash() (defined later in this
        * header) reduces its result with a mask of (size - 1), so a table size
        * that is not a power of two would leave some buckets unreachable.
        * NOTE(review): that these constants are the sizes handed to sftk_hash()
        * is inferred from the names -- confirm against the callers.
    58  */
    59 #define SPACE_ATTRIBUTE_HASH_SIZE 32 
    60 #define SPACE_SESSION_OBJECT_HASH_SIZE 32
    61 #define SPACE_SESSION_HASH_SIZE 32
    62 #define TIME_ATTRIBUTE_HASH_SIZE 32
    63 #define TIME_SESSION_OBJECT_HASH_SIZE 1024
    64 #define TIME_SESSION_HASH_SIZE 1024
    65 #define MAX_OBJECT_LIST_SIZE 800  
    66 				  /* how many objects to keep on the free list
    67 				   * before we start freeing them */
       /* MAX_KEY_LEN also sizes the inline key[] buffer of SFTKSSLMACInfoStr below,
        * so any key copied there has to be length-checked against it first. */
    68 #define MAX_KEY_LEN 256 	  /* maximum symmetric key length in bytes */
    70 /*
    71  * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
    72  * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
    73  * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
    74  *
    75  * HASH_SIZE   LOG2_BUCKETS_PER   BUCKETS_PER_LOCK  NUMBER_OF_BUCKETS
    76  * 1024        9                  512               2
    77  * 1024        5                  32                32
    78  * 1024        1                  2                 512
    79  * 1024        0                  1                 1024
    80  * 4096        11                 2048              2
    81  * 4096        9                  512               8
    82  * 4096        5                  32                128
    83  * 4096        1                  2                 2048
    84  * 4096        0                  1                 4096
        *
        * NOTE(review): several of the permitted values listed above (9, 1, 0) are
        * not prime, so the "must be a prime number" wording looks inaccurate --
        * confirm the real constraint before changing the value.
        * NOTE(review): in the table the last column equals
        * HASH_SIZE / BUCKETS_PER_LOCK, which reads as the number of locks rather
        * than the number of buckets -- confirm.
        *
        * With the value chosen below, BUCKETS_PER_SESSION_LOCK evaluates to 2.
    85  */
    86 #define LOG2_BUCKETS_PER_SESSION_LOCK 1
    87 #define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
    88 /* NOSPREAD sessionID to hash table index macro has been slower. */
    90 /* Typedefs for the structures defined below; they double as forward
        * declarations, so the structures can point at each other before their
        * bodies appear. */
    91 typedef struct SFTKAttributeStr SFTKAttribute;
    92 typedef struct SFTKObjectListStr SFTKObjectList;
    93 typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
    94 typedef struct SFTKObjectListElementStr SFTKObjectListElement;
    95 typedef struct SFTKObjectStr SFTKObject;
    96 typedef struct SFTKSessionObjectStr SFTKSessionObject;
    97 typedef struct SFTKTokenObjectStr SFTKTokenObject;
    98 typedef struct SFTKSessionStr SFTKSession;
    99 typedef struct SFTKSlotStr SFTKSlot;
   100 typedef struct SFTKSessionContextStr SFTKSessionContext;
   101 typedef struct SFTKSearchResultsStr SFTKSearchResults;
   102 typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
   103 typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
   104 typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo;
   105 typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo;
   106 typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
   107 typedef struct SFTKItemTemplateStr SFTKItemTemplate;
   109 /* define function pointer typedefs for pointer tables
        *
        * SFTKSessionContextStr and SFTKSSLMACInfoStr (below) store these next to
        * an untyped context pointer. Every context and buffer argument is a
        * void *, so the compiler cannot check that a stored context matches the
        * function it is paired with; the code installing the pointers has to
        * keep the pair consistent.
        * NOTE(review): the meaning of the individual parameters (which void * is
        * the context, which unsigned int is a maximum length) is not visible in
        * this header -- take it from the implementations. */
   110 typedef void (*SFTKDestroy)(void *, PRBool);
   111 typedef void (*SFTKBegin)(void *);
   112 typedef SECStatus (*SFTKCipher)(void *,void *,unsigned int *,unsigned int,
   113 					void *, unsigned int);
   114 typedef SECStatus (*SFTKVerify)(void *,void *,unsigned int,void *,unsigned int);
   115 typedef void (*SFTKHash)(void *,void *,unsigned int);
   116 typedef void (*SFTKEnd)(void *,void *,unsigned int *,unsigned int);
   117 typedef void (*SFTKFree)(void *);
   119 /* Value to tell if an attribute is modifiable or not.
   120  *    NEVER: attribute is only set on creation.
   121  *    ONCOPY: attribute is set on creation and can only be changed on copy.
   122  *    SENSITIVE: attribute can only be changed to TRUE.
   123  *    ALWAYS: attribute can always be changed.
        *
        * This is the return type of sftk_modifyType() declared below.
        * SENSITIVE describes a one-way change: once TRUE the attribute cannot be
        * set back, so code acting on this value must reject a change to FALSE.
   124  */
   125 typedef enum {
   126 	SFTK_NEVER = 0,
   127 	SFTK_ONCOPY = 1,
   128 	SFTK_SENSITIVE = 2,
   129 	SFTK_ALWAYS = 3
   130 } SFTKModifyType;
   132 /*
   133  * Free Status Enum... tell us more information when we think we're
   134  * deleting an object.
        *
        * Return type of sftk_FreeObject() declared below. No explicit values are
        * assigned, so SFTK_DestroyFailure is 0.
        * NOTE(review): SFTK_Busy presumably means other references still exist
        * and the object was not actually released -- confirm in sftk_FreeObject.
   135  */
   136 typedef enum {
   137 	SFTK_DestroyFailure,
   138 	SFTK_Destroyed,
   139 	SFTK_Busy
   140 } SFTKFreeStatus;
   142 /*
   143  * attribute values of an object.
        *
        * space[] is an inline buffer of ATTR_SPACE bytes; the ATTR_SPACE comment
        * above says larger values need extra allocated data.
        * NOTE(review): freeAttr / freeData presumably record whether the
        * structure itself and the value buffer were heap-allocated and must be
        * freed -- confirm in sftk_FreeAttribute().
        * NOTE(review): attribute values can be key material (ATTR_SPACE is sized
        * for an SSL master secret), so confirm the release path clears space[]
        * and any separately allocated value before the memory is reused.
   144  */
   145 struct SFTKAttributeStr {
   146     SFTKAttribute  	*next;
   147     SFTKAttribute  	*prev;
   148     PRBool		freeAttr;
   149     PRBool		freeData;
   150     /*must be called handle to make sftkqueue_find work */
   151     CK_ATTRIBUTE_TYPE	handle;
   152     CK_ATTRIBUTE 	attrib;
   153     unsigned char space[ATTR_SPACE];
   154 };
   157 /*
   158  * doubly linked list of objects
        *
        * Embedded in SFTKSessionObjectStr as sessionList; parent points back at
        * an SFTKObject.
        * NOTE(review): presumably parent is the object that embeds this node --
        * confirm where it is set.
   159  */
   160 struct SFTKObjectListStr {
   161     SFTKObjectList *next;
   162     SFTKObjectList *prev;
   163     SFTKObject	   *parent;
   164 };
   166 struct SFTKObjectFreeListStr {
       /* A list of SFTKObject entries with its own lock and an element count.
        * NOTE(review): presumably the free list that MAX_OBJECT_LIST_SIZE caps;
        * recycled objects should carry no attribute data from their previous
        * use -- confirm that they are cleared before being put on the list. */
   167     SFTKObject	*head;
   168     PZLock	*lock;
   169     int		count;
   170 };
   172 /*
   173  * PKCS 11 crypto object structure
        *
        * Common header of SFTKTokenObjectStr and SFTKSessionObjectStr, which both
        * embed it as their first member (obj).
        * NOTE(review): refCount is a plain int, presumably only touched while
        * refLock is held -- confirm in sftk_ReferenceObject()/sftk_FreeObject().
        * NOTE(review): infoFree is presumably the destructor for objectInfo.
   174  */
   175 struct SFTKObjectStr {
   176     SFTKObject *next;
   177     SFTKObject	*prev;
   178     CK_OBJECT_CLASS 	objclass;
   179     CK_OBJECT_HANDLE	handle;
   180     int 		refCount;
   181     PZLock 		*refLock;
   182     SFTKSlot	   	*slot;
   183     void 		*objectInfo;
   184     SFTKFree 		infoFree;
   185 };
   187 struct SFTKTokenObjectStr {
       /* Object header followed by a SECItem database key. obj is the first
        * member, so a pointer to this structure also addresses its SFTKObject.
        * Use sftk_narrowToTokenObject() (declared below) for the reverse
        * conversion rather than a bare cast. */
   188     SFTKObject  obj;
   189     SECItem	dbKey;
   190 };
   192 struct SFTKSessionObjectStr {
       /* Object header plus the statically allocated attribute pool.
        * attrList[] has MAX_OBJS_ATTRS entries and nextAttr is an int stored
        * next to it.
        * NOTE(review): presumably nextAttr is the next unused attrList index; it
        * has to be checked against MAX_OBJS_ATTRS before every use.
        * NOTE(review): head[] is declared with one element but hashSize is kept
        * beside it, which looks like a trailing array over-allocated to hashSize
        * buckets -- confirm at the allocation site. Only index it with
        * sftk_hash(..., hashSize). */
   193     SFTKObject	   obj;
   194     SFTKObjectList sessionList;
   195     PZLock		*attributeLock;
   196     SFTKSession   	*session;
   197     PRBool		wasDerived;
   198     int nextAttr;
   199     SFTKAttribute	attrList[MAX_OBJS_ATTRS];
   200     PRBool		optimizeSpace;
   201     unsigned int	hashSize;
   202     SFTKAttribute 	*head[1];
   203 };
   205 /*
   206  * struct to deal with a temporary list of objects
        *
        * Singly linked: there is only a next pointer. sftk_FreeObjectListElement()
        * and sftk_FreeObjectList() (declared below) take this type.
   207  */
   208 struct SFTKObjectListElementStr {
   209     SFTKObjectListElement	*next;
   210     SFTKObject 			*object;
   211 };
   213 /*
   214  * Area to hold Search results
        *
        * NOTE(review): presumably size is the number of handles stored, index the
        * read position and array_size the allocated capacity of handles[]. All
        * three are signed ints, so code growing or indexing the array should
        * check for negative values and overflow -- confirm in sftk_addHandle().
   215  */
   216 struct SFTKSearchResultsStr {
   217     CK_OBJECT_HANDLE	*handles;
   218     int			size;
   219     int			index;
   220     int			array_size;
   221 };
   224 /* 
   225  * the universal crypto/hash/sign/verify context structure
        *
        * SFTKContextType is stored in SFTKSessionContextStr.type and names the
        * kind of operation a context was set up for. No explicit values are
        * assigned, so SFTK_ENCRYPT is 0.
   226  */
   227 typedef enum {
   228     SFTK_ENCRYPT,
   229     SFTK_DECRYPT,
   230     SFTK_HASH,
   231     SFTK_SIGN,
   232     SFTK_SIGN_RECOVER,
   233     SFTK_VERIFY,
   234     SFTK_VERIFY_RECOVER
   235 } SFTKContextType;
   237 /** max block size of supported block ciphers; also the size in bytes of
        *  padBuf[] and macBuf[] in SFTKSessionContextStr */
   238 #define SFTK_MAX_BLOCK_SIZE 16
   239 /** currently SHA512 is the biggest hash length */
   240 #define SFTK_MAX_MAC_LENGTH 64
       /** sentinel; NOTE(review): presumably returned when a requested MAC size is
        *  rejected -- callers must test for it before using the value as a length */
   241 #define SFTK_INVALID_MAC_SIZE 0xffffffff
   243 /** Particular ongoing operation in session (sign/verify/digest/encrypt/...)
   244  *
   245  *  Understanding sign/verify context:
   246  *      multi=1 hashInfo=0   block (symmetric) cipher MACing
   247  *      multi=1 hashInfo=X   PKC S/V with prior hashing
   248  *      multi=0 hashInfo=0   PKC S/V one shot (w/o hashing)
   249  *      multi=0 hashInfo=X   *** shouldn't happen ***
        *
        *  padBuf[] and macBuf[] are SFTK_MAX_BLOCK_SIZE bytes each, while
        *  blockSize, padDataLength and macSize are stored as separate integers.
        *  Nothing in this declaration ties those lengths to the buffer size, so
        *  the code that sets them has to enforce
        *  blockSize, padDataLength, macSize <= SFTK_MAX_BLOCK_SIZE before any
        *  copy into or out of the buffers.
        *
        *  cipherInfo and hashInfo are untyped; they are only meaningful together
        *  with the function pointers stored below.
        *  NOTE(review): cipherInfoLen is presumably the size of *cipherInfo, kept
        *  so that the context can be cleared when it is destroyed -- confirm in
        *  sftk_FreeContext().
   250  */
   251 struct SFTKSessionContextStr {
   252     SFTKContextType	type;
   253     PRBool		multi; 		/* is multipart */
   254     PRBool		rsa; 		/* is rsa */
   255     PRBool		doPad; 		/* use PKCS padding for block ciphers */
   256     unsigned int	blockSize; 	/* blocksize for padding */
   257     unsigned int	padDataLength; 	/* length of the valid data in padbuf */
   258     /** latest incomplete block of data for block cipher */
   259     unsigned char	padBuf[SFTK_MAX_BLOCK_SIZE];
   260     /** result of MAC'ing of latest full block of data with block cipher */
   261     unsigned char	macBuf[SFTK_MAX_BLOCK_SIZE];
   262     CK_ULONG		macSize;	/* size of a general block cipher mac*/
   263     void		*cipherInfo;
   264     void		*hashInfo;
   265     unsigned int	cipherInfoLen;
   266     CK_MECHANISM_TYPE	currentMech;
   267     SFTKCipher		update;
   268     SFTKHash		hashUpdate;
   269     SFTKEnd		end;
   270     SFTKDestroy		destroy;
   271     SFTKDestroy		hashdestroy;
   272     SFTKVerify		verify;
   273     unsigned int	maxLen;
   274     SFTKObject		*key;
   275 };
   277 /*
   278  * Sessions (have objects)
        *
        * One session holds up to three operation contexts at a time (enc_context,
        * hash_context, sign_context) and one pending search.
        * The comment on SFTKSlotStr below states that the slot's sessionLock
        * array protects refCount of the sessions in a bucket.
        * notify and appData come from the application.
        * NOTE(review): presumably they are the values passed to
        * sftk_NewSession() -- they are caller-controlled and must not be trusted
        * as anything but opaque values.
        * NOTE(review): objects[] is declared with one element, which looks like
        * a trailing array sized at allocation time -- confirm the real length
        * in sftk_NewSession().
   279  */
   280 struct SFTKSessionStr {
   281     SFTKSession        *next;
   282     SFTKSession        *prev;
   283     CK_SESSION_HANDLE	handle;
   284     int			refCount;
   285     PZLock		*objectLock;
   286     int			objectIDCount;
   287     CK_SESSION_INFO	info;
   288     CK_NOTIFY		notify;
   289     CK_VOID_PTR		appData;
   290     SFTKSlot		*slot;
   291     SFTKSearchResults	*search;
   292     SFTKSessionContext	*enc_context;
   293     SFTKSessionContext	*hash_context;
   294     SFTKSessionContext	*sign_context;
   295     SFTKObjectList	*objects[1];
   296 };
   298 /*
   299  * slots (have sessions and objects)
   300  *
   301  * The array of sessionLock's protect the session hash table (head[])
   302  * as well as the reference count of session objects in that bucket
   303  * (head[]->refCount),  objectLock protects all elements of the slot's
   304  * object hash tables (sessObjHashTable[] and tokObjHashTable), and
   305  * sessionObjectHandleCount.
   306  * slotLock protects the remaining protected elements:
   307  * password, isLoggedIn, ssoLoggedIn, and sessionCount,
   308  * and pwCheckLock serializes the key database password checks in
   309  * NSC_SetPIN and NSC_Login.
   310  *
   311  * Each of the fields below has the following lifetime as commented
   312  * next to the fields:
   313  *   invariant  - This value is set when the slot is first created and
   314  * never changed until it is destroyed.
   315  *   per load   - This value is set when the slot is first created, or 
   316  * when the slot is used to open another directory. Between open and close
   317  * this field does not change.
   318  *   variable - This value changes through the normal process of slot operation.
   319  *      - reset. The value of this variable is cleared during open/close
   320  *   cycles.
   321  *      - preserved. The value of this variable is preserved over open/close
   322  *   cycles.
        *
        * NOTE(review): the lock list above names a "password" element, but this
        * structure declares no field of that name -- the comment may predate a
        * change; confirm what slotLock is still expected to cover.
        * isLoggedIn and ssoLoggedIn are the login state: read and write them
        * only with slotLock held, as stated above.
        * sessionIDConflict is documented below as not protected by any lock.
        * NOTE(review): tokDescription[33] and slotDescription[65] look like the
        * 32- and 64-character PKCS #11 description fields plus one terminator
        * byte -- confirm that every copy into them is bounded accordingly.
   323  */
   324 struct SFTKSlotStr {
   325     CK_SLOT_ID		slotID;			/* invariant */
   326     PZLock		*slotLock;		/* invariant */
   327     PZLock		**sessionLock;		/* invariant */
   328     unsigned int	numSessionLocks;	/* invariant */
   329     unsigned long	sessionLockMask;	/* invariant */
   330     PZLock		*objectLock;		/* invariant */
   331     PRLock		*pwCheckLock;		/* invariant */
   332     PRBool		present;		/* variable -set */
   333     PRBool		hasTokens;		/* per load */
   334     PRBool		isLoggedIn;		/* variable - reset */
   335     PRBool		ssoLoggedIn;		/* variable - reset */
   336     PRBool		needLogin;		/* per load */
   337     PRBool		DB_loaded;		/* per load */
   338     PRBool		readOnly;		/* per load */
   339     PRBool		optimizeSpace;		/* invariant */
   340     SFTKDBHandle	*certDB;		/* per load */
   341     SFTKDBHandle	*keyDB;			/* per load */
   342     int			minimumPinLen;		/* per load */
   343     PRInt32		sessionIDCount;		/* atomically incremented */
   344                                         	/* (preserved) */
   345     int			sessionIDConflict; 	/* not protected by a lock */
   346                                             	/* (preserved) */
   347     int			sessionCount;           /* variable - reset */
   348     PRInt32             rwSessionCount;    	/* set by atomic operations */
   349                                           	/* (reset) */
   350     int			sessionObjectHandleCount;/* variable - preserved */
   351     int			index;			/* invariant */
   352     PLHashTable		*tokObjHashTable;	/* invariant */
   353     SFTKObject		**sessObjHashTable;	/* variable - reset */
   354     unsigned int	sessObjHashSize;	/* invariant */
   355     SFTKSession		**head;			/* variable -reset */
   356     unsigned int	sessHashSize;		/* invariant */
   357     char		tokDescription[33];	/* per load */
   358     char		updateTokDescription[33]; /* per load */
   359     char		slotDescription[65];	/* invariant */
   360 };
   362 /*
   363  * special joint operations Contexts
        *
        * Hash-then-verify context: a hash algorithm tag, untyped parameters and
        * the public key.
        * NOTE(review): ownership of params and key (who frees them) is not
        * visible in this header -- check the destroy function paired with the
        * context.
   364  */
   365 struct SFTKHashVerifyInfoStr {
   366     SECOidTag   	hashOid;
   367     void		*params;
   368     NSSLOWKEYPublicKey	*key;
   369 };
   371 struct SFTKHashSignInfoStr {
       /* Hash-then-sign counterpart of SFTKHashVerifyInfoStr; key points at a
        * private key.
        * NOTE(review): if this context owns the key, its destroy function has to
        * release it through the private-key destructor so the key material is
        * cleared -- confirm. */
   372     SECOidTag   	hashOid;
   373     void		*params;
   374     NSSLOWKEYPrivateKey	*key;
   375 };
   377 /**
   378  * Contexts for RSA-OAEP
        *
        * params points at the CK_RSA_PKCS_OAEP_PARAMS of the operation.
        * NOTE(review): those parameters originate with the caller of the
        * mechanism; whether this pointer refers to a validated private copy or
        * to the caller's buffer is not visible here -- confirm.
   379  */
   380 struct SFTKOAEPEncryptInfoStr {
   381     CK_RSA_PKCS_OAEP_PARAMS *params;
   382     NSSLOWKEYPublicKey *key;
   383 };
   385 struct SFTKOAEPDecryptInfoStr {
       /* Decrypt-side counterpart of SFTKOAEPEncryptInfoStr; key points at a
        * private key. */
   386     CK_RSA_PKCS_OAEP_PARAMS *params;
   387     NSSLOWKEYPrivateKey *key;
   388 };
   390 /* context for the Final SSLMAC message
        *
        * The MAC key is stored inline: key[] holds up to MAX_KEY_LEN bytes and
        * keySize records how many are in use. Code filling this structure has to
        * reject keySize > MAX_KEY_LEN before copying.
        * NOTE(review): because the raw key lives in this structure, confirm that
        * the path freeing it zeroizes the memory first. */
   391 struct SFTKSSLMACInfoStr {
   392     void 		*hashContext;
   393     SFTKBegin		begin;
   394     SFTKHash		update;
   395     SFTKEnd		end;
   396     CK_ULONG		macSize;
   397     int			padSize;
   398     unsigned char	key[MAX_KEY_LEN];
   399     unsigned int	keySize;
   400 };
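   402 /*
   403  * Template based on SECItems, suitable for passing as arrays
        *
        * Pairs an attribute type with the SECItem that receives or supplies its
        * value; sftk_MultipleAttribute2SecItem() (declared below) takes an array
        * of these together with a count.
   404  */
   405 struct SFTKItemTemplateStr {
   406     CK_ATTRIBUTE_TYPE	type;
   407     SECItem		*item;
   408 };
   410 /* macro for setting SFTKTemplates.
        *
        * Expands to one parenthesized comma expression, so both assignments stay
        * together even when the macro is the unbraced body of an if/else, and
        * templ may be any pointer expression. count is still evaluated twice:
        * do not pass an expression with side effects (no count++).
        * The macro does no bounds check; the caller must keep
        * count < SFTK_MAX_ITEM_TEMPLATE (or the real size of its array). */
   411 #define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \
   412    ((templ)[(count)].type = (attr), \
   413     (templ)[(count)].item = (itemPtr))
   415 #define SFTK_MAX_ITEM_TEMPLATE 10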
   417 /*
   418  * session handle modifiers
        *
        * The mask selects the top 8 bits of a 32-bit session handle.
        * NOTE(review): presumably those bits encode the slot, which is what
        * sftk_SlotFromSessionHandle() (declared below) would decode. Session
        * handles arrive from the application, so the decoded slot must be
        * validated before it is used -- confirm.
   419  */
   420 #define SFTK_SESSION_SLOT_MASK	0xff000000L
   422 /*
   423  * object handle modifiers
        *
        * Bit 31 (SFTK_TOKEN_MASK / SFTK_TOKEN_MAGIC) marks a token object handle;
        * sftk_isToken() below tests exactly that bit. Bits 28-30
        * (SFTK_TOKEN_TYPE_MASK) carry the object type.
   424  */
   425 #define SFTK_TOKEN_MASK		0x80000000L
   426 #define SFTK_TOKEN_MAGIC	0x80000000L
   427 #define SFTK_TOKEN_TYPE_MASK	0x70000000L
   428 /* keydb (high bit of the three type bits == 0) */
   429 #define SFTK_TOKEN_TYPE_PRIV	0x10000000L
   430 #define SFTK_TOKEN_TYPE_PUB	0x20000000L
   431 #define SFTK_TOKEN_TYPE_KEY	0x30000000L
   432 /* certdb (high bit of the three type bits == 1) */
   433 #define SFTK_TOKEN_TYPE_TRUST	0x40000000L
   434 #define SFTK_TOKEN_TYPE_CRL	0x50000000L
   435 #define SFTK_TOKEN_TYPE_SMIME	0x60000000L
   436 #define SFTK_TOKEN_TYPE_CERT	0x70000000L
       /* fixed handle: token bit, CRL type, low bits == 1 */
   438 #define SFTK_TOKEN_KRL_HANDLE	(SFTK_TOKEN_MAGIC|SFTK_TOKEN_TYPE_CRL|1)
   439 /* how big (in bytes) a password/pin we can deal with */
   440 #define SFTK_MAX_PIN	255
   441 /* minimum password/pin length (in Unicode characters) in FIPS mode.
        * Note the different units: SFTK_MAX_PIN counts bytes, this counts
        * characters, so a length check has to convert before comparing the two. */
   442 #define FIPS_MIN_PIN	7
   444 /* slot IDs; FIPS_SLOT_ID is distinct from the two non-FIPS slot IDs */
   445 #define NETSCAPE_SLOT_ID 1
   446 #define PRIVATE_KEY_SLOT_ID 2
   447 #define FIPS_SLOT_ID 3
   449 /* slot helper macros
        *
        * sftk_SlotFromSession(sp) dereferences sp without a NULL check.
        * sftk_isToken(id) is true when the token bit of an object handle is set;
        * it says nothing about whether the handle refers to an existing object. */
   450 #define sftk_SlotFromSession(sp) ((sp)->slot)
   451 #define sftk_isToken(id) (((id) & SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
   453 /* the session hash multiplier (see bug 201081); consumed by sftk_hash().
        * It only spreads handles over hash buckets and has no cryptographic
        * role. */
   454 #define SHMULTIPLIER 1791398085
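   456 /* queueing helper macros
        *
        * Hash-bucket lists, doubly linked through the element's next/prev
        * members; sftkqueue_find and sftkqueue_find2 also need a member named
        * handle.
        *
        * Constraints on use (none of them is enforced by the macros):
        *  - hash_size must be a power of two: sftk_hash() reduces the product
        *    with a mask of (size - 1), not with a modulo.
        *  - NOTE(review): the multiplication in sftk_hash() is done in the type
        *    of `value`; a signed argument could overflow, so pass the unsigned
        *    handle types.
        *  - sftkqueue_add, _add2, _find, _find2, _delete, _delete2,
        *    _init_element and _clear_deleted_element expand to bare statements
        *    or a bare block, not to one expression. Use each as a statement of
        *    its own inside braces, never as the unbraced body of an
        *    if/else/for/while.
        *  - arguments are evaluated more than once; pass expressions without
        *    side effects.
        *  - the macros take no lock. NOTE(review): callers presumably hold the
        *    lock that guards `head` -- confirm at each call site.
        *  - sftkqueue_find and _find2 leave element == NULL when nothing
        *    matches; test for that before dereferencing.
        *  - sftkqueue_delete and _delete2 do not check that element is on the
        *    list; sftkqueue_is_queued() is the test for that.
        */
   457 #define sftk_hash(value,size) \
   458 	((PRUint32)((value) * SHMULTIPLIER) & ((size) - 1))
       /* push element on the front of its bucket; the local index has a name
        * that is unlikely to collide with an identifier in the arguments */
   459 #define sftkqueue_add(element,id,head,hash_size) \
   460 	{ int sftkq_bucket_ = sftk_hash(id,hash_size); \
   461 	(element)->next = (head)[sftkq_bucket_]; \
   462 	(element)->prev = NULL; \
   463 	if ((head)[sftkq_bucket_]) (head)[sftkq_bucket_]->prev = (element); \
   464 	(head)[sftkq_bucket_] = (element); }
   465 #define sftkqueue_find(element,id,head,hash_size) \
   466 	for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
   467 					 (element) = (element)->next) { \
   468 	    if ((element)->handle == (id)) { break; } }
   469 #define sftkqueue_is_queued(element,id,head,hash_size) \
   470 	( ((element)->next) || ((element)->prev) || \
   471 	 ((head)[sftk_hash(id,hash_size)] == (element)) )
       /* unlink element and clear its links; the last line deliberately has no
        * line continuation, so the definition ends here on its own */
   472 #define sftkqueue_delete(element,id,head,hash_size) \
   473 	if ((element)->next) (element)->next->prev = (element)->prev; \
   474 	if ((element)->prev) (element)->prev->next = (element)->next; \
   475 	   else (head)[sftk_hash(id,hash_size)] = ((element)->next); \
   476 	(element)->next = NULL; \
   477 	(element)->prev = NULL;
       /* clears prev only; sftkqueue_add2 below sets next but never writes the
        * new element's prev, so it relies on prev having been cleared first */
   479 #define sftkqueue_init_element(element) \
   480     (element)->prev = NULL;
       /* the *2 variants take a bucket index computed by the caller instead of
        * hashing id themselves; the index is not range-checked */
   482 #define sftkqueue_add2(element, id, index, head) \
   483     {                                            \
   484 	(element)->next = (head)[index];         \
   485 	if ((head)[index])                       \
   486 	    (head)[index]->prev = (element);     \
   487 	(head)[index] = (element);               \
   488     }
   490 #define sftkqueue_find2(element, id, index, head) \
   491     for ( (element) = (head)[index];              \
   492           (element) != NULL;                      \
   493           (element) = (element)->next) {          \
   494 	if ((element)->handle == (id)) { break; } \
   495     }
       /* unlinks element but leaves its own next/prev untouched; follow with
        * sftkqueue_clear_deleted_element() once they are no longer needed */
   497 #define sftkqueue_delete2(element, id, index, head) \
   498 	if ((element)->next) (element)->next->prev = (element)->prev; \
   499 	if ((element)->prev) (element)->prev->next = (element)->next; \
   500 	   else (head)[index] = ((element)->next);
   502 #define sftkqueue_clear_deleted_element(element) \
   503 	(element)->next = NULL; \
   504 	(element)->prev = NULL;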
   507 /* sessionID (handle) is used to determine session lock bucket.
        *
        * Both variants mask the index with slot->sessionLockMask before indexing
        * slot->sessionLock[].
        * NOTE(review): this stays in bounds only if sessionLockMask is
        * numSessionLocks - 1 with numSessionLocks a power of two -- confirm
        * where the slot is initialised. */
   508 #ifdef NOSPREAD
   509 /* NOSPREAD:	(ID>>L2LPB) & (perbucket-1) */
   510 #define SFTK_SESSION_LOCK(slot,handle) \
   511     ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) \
   512         & (slot)->sessionLockMask])
   513 #else
   514 /* SPREAD:	ID & (perbucket-1) */
   515 #define SFTK_SESSION_LOCK(slot,handle) \
   516     ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
   517 #endif
   519 /* expand an attribute & secitem structures out
        *
        * Each macro expands to a comma-separated argument list (three arguments
        * for an attribute, two for an item), so it is only usable inside a call's
        * argument list. The pointer argument is evaluated once per field and is
        * not checked for NULL. */
   520 #define sftk_attr_expand(ap) (ap)->type,(ap)->pValue,(ap)->ulValueLen
   521 #define sftk_item_expand(ip) (ip)->data,(ip)->len
   523 typedef struct sftk_token_parametersStr {
       /* Per-token settings: database locations and prefixes, descriptions,
        * minimum password length and open flags.
        * NOTE(review): presumably filled in by sftk_parseParameters() from the
        * module parameter string and released by sftk_freeParams() (both
        * declared below); the char * members would then be heap strings owned by
        * this structure -- confirm.
        * NOTE(review): the directory and prefix strings end up in database file
        * names (see CERT_DB_FMT / KEY_DB_FMT), so they should be treated as
        * configuration input and length-checked where the names are built. */
   524     CK_SLOT_ID slotID;
   525     char *configdir;
   526     char *certPrefix;
   527     char *keyPrefix;
   528     char *updatedir;
   529     char *updCertPrefix;
   530     char *updKeyPrefix;
   531     char *updateID;
   532     char *tokdes;
   533     char *slotdes;
   534     char *updtokdes;
   535     int minPW; 
   536     PRBool readOnly;
   537     PRBool noCertDB;
   538     PRBool noKeyDB;
   539     PRBool forceOpen;
   540     PRBool pwRequired;
   541     PRBool optimizeSpace;
   542 } sftk_token_parameters;
   544 typedef struct sftk_parametersStr {
       /* Module-wide settings plus an array of per-token settings.
        * tokens points at token_count entries; token_count is a signed int, so
        * code walking the array should reject negative values.
        * sftk_parseParameters() and sftk_freeParams() (declared below) take a
        * pointer to this structure. */
   545     char *configdir;
   546     char *updatedir;
   547     char *updateID;
   548     char *secmodName;
   549     char *man;
   550     char *libdes; 
   551     PRBool readOnly;
   552     PRBool noModDB;
   553     PRBool noCertDB;
   554     PRBool forceOpen;
   555     PRBool pwRequired;
   556     PRBool optimizeSpace;
   557     sftk_token_parameters *tokens;
   558     int token_count;
   559 } sftk_parameters;
   562 /* path stuff (was machine dependent) used by dbinit.c and pk11db.c
        *
        * printf-style formats with two %s conversions each.
        * NOTE(review): the arguments are presumably a directory/prefix string and
        * a version suffix taken from configuration. Build the name with a
        * size-checked formatter and never pass caller-supplied text as the
        * format itself. */
   563 #define CERT_DB_FMT "%scert%s.db"
   564 #define KEY_DB_FMT "%skey%s.db"
   566 SEC_BEGIN_PROTOS
   568 /* shared functions between pkcs11.c and fipstokn.c
        *
        * The isFIPS / moduleIndex arguments select which module instance a call
        * applies to (see NSC_FIPS_MODULE / NSC_NON_FIPS_MODULE above).
        * NOTE(review): nsf_init is a global flag, presumably "FIPS module
        * initialised"; how access to it is synchronised is not visible here. */
   569 extern PRBool nsf_init;
   570 extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
   571 extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
   572 extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV* crv);
   573 extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
   574 	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
   576 /* slot initialization, reinit, shutdown and destruction.
        * NOTE(review): sftk_CloseAllSessions() takes a logout flag; presumably it
        * also resets the slot's login state when set -- confirm. */
   577 extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
   578 			sftk_token_parameters *params, int moduleIndex);
   579 extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
   580 			char *updatedir, char *updateID,
   581 			sftk_token_parameters *params, int moduleIndex);
   582 extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
   583 extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
   584 extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout);
   587 /* internal utility functions used by pkcs11.c
        *
        * Attribute access helpers. Functions returning CK_RV report failure
        * through the return value, which has to be checked before any output
        * argument is used.
        * NOTE(review): sftk_FindAttribute() returns a pointer that is later
        * handed to sftk_FreeAttribute(); presumably the find takes a reference
        * that the free releases -- confirm, since a missing release would pin
        * the attribute and an extra one would free it early.
        * NOTE(review): sftk_Attribute2SSecItem() differs from
        * sftk_Attribute2SecItem() only by name here; presumably the extra S
        * marks the variant for sensitive values -- confirm before choosing
        * between them for key material. */
   588 extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
   589 					 CK_ATTRIBUTE_TYPE type);
   590 extern void sftk_FreeAttribute(SFTKAttribute *attribute);
   591 extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   592 				   const void *valPtr, CK_ULONG length);
   593 extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
   594 				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   595 extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena, 
   596 		SFTKObject *object, SFTKItemTemplate *templ, int count);
   597 extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
   598 							 unsigned int bufLen);
   599 extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 
   600 	CK_ATTRIBUTE_TYPE type, int minLength, int maxLength, int minMultiple);
   601 extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   602 extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   603 extern void sftk_DeleteAttributeType(SFTKObject *object,
   604 				     CK_ATTRIBUTE_TYPE type);
       /* identical to the sftk_Attribute2SecItem declaration a few lines above;
        * the repetition is redundant but harmless */
   605 extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
   606 				    SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   607 extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
   608 				     SFTKObject *object,
   609 				     CK_ATTRIBUTE_TYPE type);
   610 extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
   611 				      CK_OBJECT_CLASS inClass);
   612 extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
   613 extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
   614 extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type);
   615 extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   616                                                          CK_ULONG *longData);
   617 extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   618 				 const void *value, unsigned int len);
   619 extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
   620 				   const void *value, unsigned int len);
   621 extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
   623 extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
       /* Object lifetime: sftk_FreeObject() reports through SFTKFreeStatus
        * whether the object was really destroyed.
        * NOTE(review): sftk_ObjectFromHandle() and sftk_SessionFromHandle() turn
        * application-supplied handles into pointers; presumably they return NULL
        * for unknown handles and take a reference on success -- confirm, and
        * check for NULL at every call site. */
   624 extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
   625 extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
   626 extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
   627 extern void sftk_ReferenceObject(SFTKObject *object);
   628 extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
   629 					 SFTKSession *session);
   630 extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
   631 extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
   632 /* clear out all the existing object ID to database key mappings.
   633  * used to reinit a token */
   634 extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
       /* NOTE(review): sftk_searchObjectList() takes an isLoggedIn flag;
        * presumably it keeps private objects out of the results for sessions
        * that are not logged in -- confirm, since callers rely on it for access
        * control. */
   636 extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
   637 				   SFTKObject **head, unsigned int size,
   638 				   PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
   639 				   int count, PRBool isLoggedIn);
   640 extern SFTKObjectListElement *sftk_FreeObjectListElement(
   641 					     SFTKObjectListElement *objectList);
   642 extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
   643 extern void sftk_FreeSearch(SFTKSearchResults *search);
   644 extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
   646 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
   647 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
   648 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
   649 extern void sftk_FreeSession(SFTKSession *session);
   650 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
   651 				    CK_VOID_PTR pApplication, CK_FLAGS flags);
   652 extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
   653 extern void sftk_update_all_states(SFTKSlot *slot);
   654 extern void sftk_FreeContext(SFTKSessionContext *context);
   655 extern void sftk_InitFreeLists(void);
   656 extern void sftk_CleanupFreeLists(void);
       /* Key extraction and DES key checks. The two getters report status
        * through *crvp in addition to the returned pointer.
        * NOTE(review): the DES helpers take a bare pointer without a length (or
        * with a signed int length); the caller has to guarantee the buffer holds
        * a complete key of the stated type. */
   658 extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
   659 					  CK_KEY_TYPE key_type, CK_RV *crvp);
   660 extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
   661 					    CK_KEY_TYPE key_type, CK_RV *crvp);
   662 extern void sftk_FormatDESKey(unsigned char *key, int length);
   663 extern PRBool sftk_CheckDESKey(unsigned char *key);
   664 extern PRBool sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type);
   666 /* mechanism allows this operation.
        * Returns a CK_RV, not a boolean: compare the result against the success
        * code rather than testing it for truth. */
   667 extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
   669 /* helper function which calls nsslowkey_FindKeyByPublicKey after safely
   670  * acquiring a reference to the keydb from the slot */
   671 NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
   673 /*
   674  * parameter parsing functions
        *
        * sftk_parseParameters() fills *parsed from the parameter string;
        * sftk_freeParams() is its counterpart for releasing the result.
        * NOTE(review): whether *parsed must be freed after a failed parse is not
        * visible here -- confirm before adding an early return in a caller.
   675  */
   676 CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
   677 void sftk_freeParams(sftk_parameters *params);
   680 /*
   681  * narrow objects
        *
        * Convert a generic SFTKObject pointer to the specific object type.
        * NOTE(review): presumably these return NULL when the object is not of
        * the requested kind; check the result instead of casting.
   682  */
   683 SFTKSessionObject * sftk_narrowToSessionObject(SFTKObject *);
   684 SFTKTokenObject * sftk_narrowToTokenObject(SFTKObject *);
   686 /*
   687  * token object utilities
   688  */
   689 void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
   690 PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 
   691 						CK_OBJECT_HANDLE handle);
   692 SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 
   693 						CK_OBJECT_HANDLE handle);
   694 SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
   697 /* J-PAKE (jpakesftk.c)
        *
        * One entry point per protocol step. Each takes the hash type, the
        * mechanism parameters for that step and the key object(s) involved, and
        * returns a CK_RV.
        * NOTE(review): the parameter structures carry values received from the
        * peer; validating them is the job of the implementation in jpakesftk.c
        * and cannot be judged from these declarations. */
   698 extern
   699 CK_RV jpake_Round1(HASH_HashType hashType,
   700                    CK_NSS_JPAKERound1Params * params,
   701                    SFTKObject * key);
   702 extern
   703 CK_RV jpake_Round2(HASH_HashType hashType,
   704                    CK_NSS_JPAKERound2Params * params,
   705                    SFTKObject * sourceKey, SFTKObject * key);
   706 extern
   707 CK_RV jpake_Final(HASH_HashType hashType,
   708                   const CK_NSS_JPAKEFinalParams * params,
   709                   SFTKObject * sourceKey, SFTKObject * key);
   711 /* Constant time MAC functions (hmacct.c)
        *
        * The context stores the MAC secret, the record header and the resulting
        * MAC inline in fixed buffers (64, 75 and 64 bytes), with secretLength and
        * headerLength kept as separate integers. Code filling the context has to
        * reject lengths above the buffer sizes before copying.
        * NOTE(review): the 64-byte buffers match the value of
        * SFTK_MAX_MAC_LENGTH; using the named constant would keep them in step.
        * NOTE(review): the context contains the raw secret, so confirm that
        * sftk_MACConstantTime_DestroyContext() zeroizes it before freeing.
        * The Update/EndHash/DestroyContext functions take void * so that they
        * fit the SFTKHash / SFTKEnd / SFTKDestroy pointer types above; pctx must
        * really point at an sftk_MACConstantTimeCtx. */
   713 struct sftk_MACConstantTimeCtxStr {
   714     const SECHashObject *hash;
   715     unsigned char mac[64];
   716     unsigned char secret[64];
   717     unsigned int headerLength;
   718     unsigned int secretLength;
   719     unsigned int totalLength;
   720     unsigned char header[75];
   721 };
   722 typedef struct sftk_MACConstantTimeCtxStr sftk_MACConstantTimeCtx;
   723 sftk_MACConstantTimeCtx* sftk_HMACConstantTime_New(
   724 	CK_MECHANISM_PTR mech, SFTKObject *key);
   725 sftk_MACConstantTimeCtx* sftk_SSLv3MACConstantTime_New(
   726 	CK_MECHANISM_PTR mech, SFTKObject *key);
   727 void sftk_HMACConstantTime_Update(void *pctx, void *data, unsigned int len);
   728 void sftk_SSLv3MACConstantTime_Update(void *pctx, void *data, unsigned int len);
   729 void sftk_MACConstantTime_EndHash(
   730 	void *pctx, void *out, unsigned int *outLength, unsigned int maxLength);
   731 void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool);
   733 /****************************************
   734  * implement TLS Pseudo Random Function (PRF)
        *
        * sftk_TLSPRFInit() sets up `context` for a PRF operation with the given
        * key object, key type and hash algorithm, and returns a CK_RV.
        * NOTE(review): presumably it installs the update/end/destroy function
        * pointers of SFTKSessionContextStr -- confirm in the implementation.
   735  */
   737 extern CK_RV
   738 sftk_TLSPRFInit(SFTKSessionContext *context, 
   739 		  SFTKObject *        key, 
   740 		  CK_KEY_TYPE         key_type,
   741 		  HASH_HashType       hash_alg);
   743 SEC_END_PROTOS
   745 #endif /* _PKCS11I_H_ */
