michael@0: /* michael@0: * softoken.h - private data structures and prototypes for the softoken lib michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifndef _SOFTOKEN_H_ michael@0: #define _SOFTOKEN_H_ michael@0: michael@0: #include "blapi.h" michael@0: #include "lowkeyti.h" michael@0: #include "softoknt.h" michael@0: #include "secoidt.h" michael@0: michael@0: #include "pkcs11t.h" michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /* michael@0: * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the michael@0: * encoded digest info is computed internally, rather than by the caller. michael@0: * michael@0: * The HashSign variants expect as input the value of H, the computed hash michael@0: * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded michael@0: * DigestInfo structure internally prior to signing/verifying. michael@0: */ michael@0: extern SECStatus michael@0: RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, michael@0: unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, michael@0: const unsigned char *hash, unsigned int hashLen); michael@0: michael@0: extern SECStatus michael@0: RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key, michael@0: const unsigned char *sig, unsigned int sigLen, michael@0: const unsigned char *hash, unsigned int hashLen); michael@0: michael@0: /* michael@0: ** Prepare a buffer for padded CBC encryption, growing to the appropriate michael@0: ** boundary, filling with the appropriate padding. michael@0: ** michael@0: ** blockSize must be a power of 2. michael@0: ** michael@0: ** We add from 1 to blockSize bytes -- we *always* grow. michael@0: ** The extra bytes contain the value of the length of the padding: michael@0: ** if we have 2 bytes of padding, then the padding is "0x02, 0x02". michael@0: ** michael@0: ** NOTE: If arena is non-NULL, we re-allocate from there, otherwise michael@0: ** we assume (and use) PR memory (re)allocation. michael@0: */ michael@0: extern unsigned char * CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf, michael@0: unsigned int inlen, unsigned int *outlen, michael@0: int blockSize); michael@0: michael@0: michael@0: /****************************************/ michael@0: /* michael@0: ** Power-Up selftests required for FIPS and invoked only michael@0: ** under PKCS #11 FIPS mode. michael@0: */ michael@0: extern CK_RV sftk_fipsPowerUpSelfTest( void ); michael@0: michael@0: /* michael@0: ** make known fixed PKCS #11 key types to their sizes in bytes michael@0: */ michael@0: unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType); michael@0: michael@0: /* michael@0: ** FIPS 140-2 auditing michael@0: */ michael@0: extern PRBool sftk_audit_enabled; michael@0: michael@0: extern void sftk_LogAuditMessage(NSSAuditSeverity severity, michael@0: NSSAuditType, const char *msg); michael@0: michael@0: extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession, michael@0: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, michael@0: CK_OBJECT_HANDLE_PTR phObject, CK_RV rv); michael@0: michael@0: extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hObject, michael@0: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, michael@0: CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv); michael@0: michael@0: extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hObject, CK_RV rv); michael@0: michael@0: extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, michael@0: CK_RV rv); michael@0: michael@0: extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, michael@0: CK_ULONG ulCount, CK_RV rv); michael@0: michael@0: extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, michael@0: CK_ULONG ulCount, CK_RV rv); michael@0: michael@0: extern void sftk_AuditCryptInit(const char *opName, michael@0: CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_OBJECT_HANDLE hKey, CK_RV rv); michael@0: michael@0: extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, michael@0: CK_OBJECT_HANDLE_PTR phKey, CK_RV rv); michael@0: michael@0: extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_ATTRIBUTE_PTR pPublicKeyTemplate, michael@0: CK_ULONG ulPublicKeyAttributeCount, michael@0: CK_ATTRIBUTE_PTR pPrivateKeyTemplate, michael@0: CK_ULONG ulPrivateKeyAttributeCount, michael@0: CK_OBJECT_HANDLE_PTR phPublicKey, michael@0: CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv); michael@0: michael@0: extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey, michael@0: CK_BYTE_PTR pWrappedKey, michael@0: CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv); michael@0: michael@0: extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_OBJECT_HANDLE hUnwrappingKey, michael@0: CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen, michael@0: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, michael@0: CK_OBJECT_HANDLE_PTR phKey, CK_RV rv); michael@0: michael@0: extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession, michael@0: CK_MECHANISM_PTR pMechanism, michael@0: CK_OBJECT_HANDLE hBaseKey, michael@0: CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, michael@0: CK_OBJECT_HANDLE_PTR phKey, CK_RV rv); michael@0: michael@0: extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession, michael@0: CK_OBJECT_HANDLE hKey, CK_RV rv); michael@0: michael@0: /* michael@0: ** FIPS 140-2 Error state michael@0: */ michael@0: extern PRBool sftk_fatalError; michael@0: michael@0: /* michael@0: ** macros to check for forked child process after C_Initialize michael@0: */ michael@0: #if defined(XP_UNIX) && !defined(NO_FORK_CHECK) michael@0: michael@0: #ifdef DEBUG michael@0: michael@0: #define FORK_ASSERT() \ michael@0: { \ michael@0: char* forkAssert = getenv("NSS_STRICT_NOFORK"); \ michael@0: if ( (!forkAssert) || (0 == strcmp(forkAssert, "1")) ) { \ michael@0: PORT_Assert(0); \ michael@0: } \ michael@0: } michael@0: michael@0: #else michael@0: michael@0: #define FORK_ASSERT() michael@0: michael@0: #endif michael@0: michael@0: /* we have 3 methods of implementing the fork checks : michael@0: * - Solaris "mixed" method michael@0: * - pthread_atfork method michael@0: * - getpid method michael@0: */ michael@0: michael@0: #if !defined (CHECK_FORK_MIXED) && !defined(CHECK_FORK_PTHREAD) && \ michael@0: !defined (CHECK_FORK_GETPID) michael@0: michael@0: /* Choose fork check method automatically unless specified michael@0: * This section should be updated as more platforms get pthread fixes michael@0: * to unregister fork handlers in dlclose. michael@0: */ michael@0: michael@0: #ifdef SOLARIS michael@0: michael@0: /* Solaris 8, s9 use PID checks, s10 uses pthread_atfork */ michael@0: michael@0: #define CHECK_FORK_MIXED michael@0: michael@0: #elif defined(LINUX) michael@0: michael@0: #define CHECK_FORK_PTHREAD michael@0: michael@0: #else michael@0: michael@0: /* Other Unix platforms use only PID checks. Even if pthread_atfork is michael@0: * available, the behavior of dlclose isn't guaranteed by POSIX to michael@0: * unregister the fork handler. */ michael@0: michael@0: #define CHECK_FORK_GETPID michael@0: michael@0: #endif michael@0: michael@0: #endif michael@0: michael@0: #if defined(CHECK_FORK_MIXED) michael@0: michael@0: extern PRBool usePthread_atfork; michael@0: #include michael@0: extern pid_t myPid; michael@0: extern PRBool forked; michael@0: michael@0: #define PARENT_FORKED() (usePthread_atfork ? forked : (myPid && myPid != getpid())) michael@0: michael@0: #elif defined(CHECK_FORK_PTHREAD) michael@0: michael@0: extern PRBool forked; michael@0: michael@0: #define PARENT_FORKED() forked michael@0: michael@0: #elif defined(CHECK_FORK_GETPID) michael@0: michael@0: #include michael@0: extern pid_t myPid; michael@0: michael@0: #define PARENT_FORKED() (myPid && myPid != getpid()) michael@0: michael@0: #endif michael@0: michael@0: extern PRBool parentForkedAfterC_Initialize; michael@0: extern PRBool sftkForkCheckDisabled; michael@0: michael@0: #define CHECK_FORK() \ michael@0: do { \ michael@0: if (!sftkForkCheckDisabled && PARENT_FORKED()) { \ michael@0: FORK_ASSERT(); \ michael@0: return CKR_DEVICE_ERROR; \ michael@0: } \ michael@0: } while (0) michael@0: michael@0: #define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x michael@0: michael@0: #define ENABLE_FORK_CHECK() \ michael@0: { \ michael@0: char* doForkCheck = getenv("NSS_STRICT_NOFORK"); \ michael@0: if ( doForkCheck && !strcmp(doForkCheck, "DISABLED") ) { \ michael@0: sftkForkCheckDisabled = PR_TRUE; \ michael@0: } \ michael@0: } michael@0: michael@0: michael@0: #else michael@0: michael@0: /* non-Unix platforms, or fork check disabled */ michael@0: michael@0: #define CHECK_FORK() michael@0: #define SKIP_AFTER_FORK(x) x michael@0: #define ENABLE_FORK_CHECK() michael@0: michael@0: #ifndef NO_FORK_CHECK michael@0: #define NO_FORK_CHECK michael@0: #endif michael@0: michael@0: #endif michael@0: michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* _SOFTOKEN_H_ */