1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 /* 5 * Internal data structures and functions used by pkcs11.c 6 */ 7 #ifndef _PKCS11I_H_ 8 #define _PKCS11I_H_ 1 9 10 #include "nssilock.h" 11 #include "seccomon.h" 12 #include "secoidt.h" 13 #include "lowkeyti.h" 14 #include "pkcs11t.h" 15 16 #include "sftkdbt.h" 17 #include "chacha20poly1305.h" 18 #include "hasht.h" 19 20 /* 21 * Configuration Defines 22 * 23 * The following defines affect the space verse speed trade offs of 24 * the PKCS #11 module. For the most part the current settings are optimized 25 * for web servers, where we want faster speed and lower lock contention at 26 * the expense of space. 27 */ 28 29 /* 30 * The attribute allocation strategy is static allocation: 31 * Attributes are pre-allocated as part of the session object and used from 32 * the object array. 33 */ 34 #define MAX_OBJS_ATTRS 45 /* number of attributes to preallocate in \ 35 * the object (must me the absolute max) */ 36 #define ATTR_SPACE 50 /* Maximum size of attribute data before extra \ 37 * data needs to be allocated. This is set to \ 38 * enough space to hold an SSL MASTER secret */ 39 40 #define NSC_STRICT PR_FALSE /* forces the code to do strict template \ 41 * matching when doing C_FindObject on token \ 42 * objects. This will slow down search in \ 43 * NSS. */ 44 /* default search block allocations and increments */ 45 #define NSC_CERT_BLOCK_SIZE 50 46 #define NSC_SEARCH_BLOCK_SIZE 5 47 #define NSC_SLOT_LIST_BLOCK_SIZE 10 48 49 #define NSC_FIPS_MODULE 1 50 #define NSC_NON_FIPS_MODULE 0 51 52 /* these are data base storage hashes, not cryptographic hashes.. The define 53 * the effective size of the various object hash tables */ 54 /* clients care more about memory usage than lookup performance on 55 * cyrptographic objects. Clients also have less objects around to play with 56 * 57 * we eventually should make this configurable at runtime! Especially now that 58 * NSS is a shared library. 59 */ 60 #define SPACE_ATTRIBUTE_HASH_SIZE 32 61 #define SPACE_SESSION_OBJECT_HASH_SIZE 32 62 #define SPACE_SESSION_HASH_SIZE 32 63 #define TIME_ATTRIBUTE_HASH_SIZE 32 64 #define TIME_SESSION_OBJECT_HASH_SIZE 1024 65 #define TIME_SESSION_HASH_SIZE 1024 66 #define MAX_OBJECT_LIST_SIZE 800 67 /* how many objects to keep on the free list 68 * before we start freeing them */ 69 #define MAX_KEY_LEN 256 /* maximum symmetric key length in bytes */ 70 71 /* 72 * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number. 73 * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0. 74 * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0. 75 * 76 * HASH_SIZE LOG2_BUCKETS_PER BUCKETS_PER_LOCK NUMBER_OF_BUCKETS 77 * 1024 9 512 2 78 * 1024 5 32 32 79 * 1024 1 2 512 80 * 1024 0 1 1024 81 * 4096 11 2048 2 82 * 4096 9 512 8 83 * 4096 5 32 128 84 * 4096 1 2 2048 85 * 4096 0 1 4096 86 */ 87 #define LOG2_BUCKETS_PER_SESSION_LOCK 1 88 #define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK)) 89 /* NOSPREAD sessionID to hash table index macro has been slower. */ 90 91 /* define typedefs, double as forward declarations as well */ 92 typedef struct SFTKAttributeStr SFTKAttribute; 93 typedef struct SFTKObjectListStr SFTKObjectList; 94 typedef struct SFTKObjectFreeListStr SFTKObjectFreeList; 95 typedef struct SFTKObjectListElementStr SFTKObjectListElement; 96 typedef struct SFTKObjectStr SFTKObject; 97 typedef struct SFTKSessionObjectStr SFTKSessionObject; 98 typedef struct SFTKTokenObjectStr SFTKTokenObject; 99 typedef struct SFTKSessionStr SFTKSession; 100 typedef struct SFTKSlotStr SFTKSlot; 101 typedef struct SFTKSessionContextStr SFTKSessionContext; 102 typedef struct SFTKSearchResultsStr SFTKSearchResults; 103 typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo; 104 typedef struct SFTKHashSignInfoStr SFTKHashSignInfo; 105 typedef struct SFTKOAEPEncryptInfoStr SFTKOAEPEncryptInfo; 106 typedef struct SFTKOAEPDecryptInfoStr SFTKOAEPDecryptInfo; 107 typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo; 108 typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info; 109 typedef struct SFTKItemTemplateStr SFTKItemTemplate; 110 111 /* define function pointer typdefs for pointer tables */ 112 typedef void (*SFTKDestroy)(void *, PRBool); 113 typedef void (*SFTKBegin)(void *); 114 typedef SECStatus (*SFTKCipher)(void *, void *, unsigned int *, unsigned int, 115 void *, unsigned int); 116 typedef SECStatus (*SFTKVerify)(void *, void *, unsigned int, void *, unsigned int); 117 typedef void (*SFTKHash)(void *, const void *, unsigned int); 118 typedef void (*SFTKEnd)(void *, void *, unsigned int *, unsigned int); 119 typedef void (*SFTKFree)(void *); 120 121 /* Value to tell if an attribute is modifiable or not. 122 * NEVER: attribute is only set on creation. 123 * ONCOPY: attribute is set on creation and can only be changed on copy. 124 * SENSITIVE: attribute can only be changed to TRUE. 125 * ALWAYS: attribute can always be changed. 126 */ 127 typedef enum { 128 SFTK_NEVER = 0, 129 SFTK_ONCOPY = 1, 130 SFTK_SENSITIVE = 2, 131 SFTK_ALWAYS = 3 132 } SFTKModifyType; 133 134 /* 135 * Free Status Enum... tell us more information when we think we're 136 * deleting an object. 137 */ 138 typedef enum { 139 SFTK_DestroyFailure, 140 SFTK_Destroyed, 141 SFTK_Busy 142 } SFTKFreeStatus; 143 144 /* 145 * attribute values of an object. 146 */ 147 struct SFTKAttributeStr { 148 SFTKAttribute *next; 149 SFTKAttribute *prev; 150 PRBool freeAttr; 151 PRBool freeData; 152 /*must be called handle to make sftkqueue_find work */ 153 CK_ATTRIBUTE_TYPE handle; 154 CK_ATTRIBUTE attrib; 155 unsigned char space[ATTR_SPACE]; 156 }; 157 158 /* 159 * doubly link list of objects 160 */ 161 struct SFTKObjectListStr { 162 SFTKObjectList *next; 163 SFTKObjectList *prev; 164 SFTKObject *parent; 165 }; 166 167 struct SFTKObjectFreeListStr { 168 SFTKObject *head; 169 PZLock *lock; 170 int count; 171 }; 172 173 /* 174 * PKCS 11 crypto object structure 175 */ 176 struct SFTKObjectStr { 177 SFTKObject *next; 178 SFTKObject *prev; 179 CK_OBJECT_CLASS objclass; 180 CK_OBJECT_HANDLE handle; 181 int refCount; 182 PZLock *refLock; 183 SFTKSlot *slot; 184 void *objectInfo; 185 SFTKFree infoFree; 186 }; 187 188 struct SFTKTokenObjectStr { 189 SFTKObject obj; 190 SECItem dbKey; 191 }; 192 193 struct SFTKSessionObjectStr { 194 SFTKObject obj; 195 SFTKObjectList sessionList; 196 PZLock *attributeLock; 197 SFTKSession *session; 198 PRBool wasDerived; 199 int nextAttr; 200 SFTKAttribute attrList[MAX_OBJS_ATTRS]; 201 PRBool optimizeSpace; 202 unsigned int hashSize; 203 SFTKAttribute *head[1]; 204 }; 205 206 /* 207 * struct to deal with a temparary list of objects 208 */ 209 struct SFTKObjectListElementStr { 210 SFTKObjectListElement *next; 211 SFTKObject *object; 212 }; 213 214 /* 215 * Area to hold Search results 216 */ 217 struct SFTKSearchResultsStr { 218 CK_OBJECT_HANDLE *handles; 219 int size; 220 int index; 221 int array_size; 222 }; 223 224 /* 225 * the universal crypto/hash/sign/verify context structure 226 */ 227 typedef enum { 228 SFTK_ENCRYPT, 229 SFTK_DECRYPT, 230 SFTK_HASH, 231 SFTK_SIGN, 232 SFTK_SIGN_RECOVER, 233 SFTK_VERIFY, 234 SFTK_VERIFY_RECOVER 235 } SFTKContextType; 236 237 /** max block size of supported block ciphers */ 238 #define SFTK_MAX_BLOCK_SIZE 16 239 /** currently SHA512 is the biggest hash length */ 240 #define SFTK_MAX_MAC_LENGTH 64 241 #define SFTK_INVALID_MAC_SIZE 0xffffffff 242 243 /** Particular ongoing operation in session (sign/verify/digest/encrypt/...) 244 * 245 * Understanding sign/verify context: 246 * multi=1 hashInfo=0 block (symmetric) cipher MACing 247 * multi=1 hashInfo=X PKC S/V with prior hashing 248 * multi=0 hashInfo=0 PKC S/V one shot (w/o hashing) 249 * multi=0 hashInfo=X *** shouldn't happen *** 250 */ 251 struct SFTKSessionContextStr { 252 SFTKContextType type; 253 PRBool multi; /* is multipart */ 254 PRBool rsa; /* is rsa */ 255 PRBool doPad; /* use PKCS padding for block ciphers */ 256 unsigned int blockSize; /* blocksize for padding */ 257 unsigned int padDataLength; /* length of the valid data in padbuf */ 258 /** latest incomplete block of data for block cipher */ 259 unsigned char padBuf[SFTK_MAX_BLOCK_SIZE]; 260 /** result of MAC'ing of latest full block of data with block cipher */ 261 unsigned char macBuf[SFTK_MAX_BLOCK_SIZE]; 262 CK_ULONG macSize; /* size of a general block cipher mac*/ 263 void *cipherInfo; 264 void *hashInfo; 265 unsigned int cipherInfoLen; 266 CK_MECHANISM_TYPE currentMech; 267 SFTKCipher update; 268 SFTKHash hashUpdate; 269 SFTKEnd end; 270 SFTKDestroy destroy; 271 SFTKDestroy hashdestroy; 272 SFTKVerify verify; 273 unsigned int maxLen; 274 SFTKObject *key; 275 }; 276 277 /* 278 * Sessions (have objects) 279 */ 280 struct SFTKSessionStr { 281 SFTKSession *next; 282 SFTKSession *prev; 283 CK_SESSION_HANDLE handle; 284 int refCount; 285 PZLock *objectLock; 286 int objectIDCount; 287 CK_SESSION_INFO info; 288 CK_NOTIFY notify; 289 CK_VOID_PTR appData; 290 SFTKSlot *slot; 291 SFTKSearchResults *search; 292 SFTKSessionContext *enc_context; 293 SFTKSessionContext *hash_context; 294 SFTKSessionContext *sign_context; 295 SFTKObjectList *objects[1]; 296 }; 297 298 /* 299 * slots (have sessions and objects) 300 * 301 * The array of sessionLock's protect the session hash table (head[]) 302 * as well as the reference count of session objects in that bucket 303 * (head[]->refCount), objectLock protects all elements of the slot's 304 * object hash tables (sessObjHashTable[] and tokObjHashTable), and 305 * sessionObjectHandleCount. 306 * slotLock protects the remaining protected elements: 307 * password, isLoggedIn, ssoLoggedIn, and sessionCount, 308 * and pwCheckLock serializes the key database password checks in 309 * NSC_SetPIN and NSC_Login. 310 * 311 * Each of the fields below has the following lifetime as commented 312 * next to the fields: 313 * invariant - This value is set when the slot is first created and 314 * never changed until it is destroyed. 315 * per load - This value is set when the slot is first created, or 316 * when the slot is used to open another directory. Between open and close 317 * this field does not change. 318 * variable - This value changes through the normal process of slot operation. 319 * - reset. The value of this variable is cleared during an open/close 320 * cycles. 321 * - preserved. The value of this variable is preserved over open/close 322 * cycles. 323 */ 324 struct SFTKSlotStr { 325 CK_SLOT_ID slotID; /* invariant */ 326 PZLock *slotLock; /* invariant */ 327 PZLock **sessionLock; /* invariant */ 328 unsigned int numSessionLocks; /* invariant */ 329 unsigned long sessionLockMask; /* invariant */ 330 PZLock *objectLock; /* invariant */ 331 PRLock *pwCheckLock; /* invariant */ 332 PRBool present; /* variable -set */ 333 PRBool hasTokens; /* per load */ 334 PRBool isLoggedIn; /* variable - reset */ 335 PRBool ssoLoggedIn; /* variable - reset */ 336 PRBool needLogin; /* per load */ 337 PRBool DB_loaded; /* per load */ 338 PRBool readOnly; /* per load */ 339 PRBool optimizeSpace; /* invariant */ 340 SFTKDBHandle *certDB; /* per load */ 341 SFTKDBHandle *keyDB; /* per load */ 342 int minimumPinLen; /* per load */ 343 PRInt32 sessionIDCount; /* atomically incremented */ 344 /* (preserved) */ 345 int sessionIDConflict; /* not protected by a lock */ 346 /* (preserved) */ 347 int sessionCount; /* variable - reset */ 348 PRInt32 rwSessionCount; /* set by atomic operations */ 349 /* (reset) */ 350 int sessionObjectHandleCount; /* variable - perserved */ 351 CK_ULONG index; /* invariant */ 352 PLHashTable *tokObjHashTable; /* invariant */ 353 SFTKObject **sessObjHashTable; /* variable - reset */ 354 unsigned int sessObjHashSize; /* invariant */ 355 SFTKSession **head; /* variable -reset */ 356 unsigned int sessHashSize; /* invariant */ 357 char tokDescription[33]; /* per load */ 358 char updateTokDescription[33]; /* per load */ 359 char slotDescription[65]; /* invariant */ 360 }; 361 362 /* 363 * special joint operations Contexts 364 */ 365 struct SFTKHashVerifyInfoStr { 366 SECOidTag hashOid; 367 void *params; 368 NSSLOWKEYPublicKey *key; 369 }; 370 371 struct SFTKHashSignInfoStr { 372 SECOidTag hashOid; 373 void *params; 374 NSSLOWKEYPrivateKey *key; 375 }; 376 377 /** 378 * Contexts for RSA-OAEP 379 */ 380 struct SFTKOAEPEncryptInfoStr { 381 CK_RSA_PKCS_OAEP_PARAMS *params; 382 NSSLOWKEYPublicKey *key; 383 }; 384 385 struct SFTKOAEPDecryptInfoStr { 386 CK_RSA_PKCS_OAEP_PARAMS *params; 387 NSSLOWKEYPrivateKey *key; 388 }; 389 390 /* context for the Final SSLMAC message */ 391 struct SFTKSSLMACInfoStr { 392 void *hashContext; 393 SFTKBegin begin; 394 SFTKHash update; 395 SFTKEnd end; 396 CK_ULONG macSize; 397 int padSize; 398 unsigned char key[MAX_KEY_LEN]; 399 unsigned int keySize; 400 }; 401 402 /* SFTKChaCha20Poly1305Info saves the key, tag length, nonce, 403 * and additional data for a ChaCha20+Poly1305 AEAD operation. */ 404 struct SFTKChaCha20Poly1305InfoStr { 405 ChaCha20Poly1305Context freeblCtx; 406 unsigned char nonce[12]; 407 unsigned char ad[16]; 408 unsigned char *adOverflow; 409 unsigned int adLen; 410 }; 411 412 /* 413 * Template based on SECItems, suitable for passing as arrays 414 */ 415 struct SFTKItemTemplateStr { 416 CK_ATTRIBUTE_TYPE type; 417 SECItem *item; 418 }; 419 420 /* macro for setting SFTKTemplates. */ 421 #define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \ 422 templ[count].type = attr; \ 423 templ[count].item = itemPtr 424 425 #define SFTK_MAX_ITEM_TEMPLATE 10 426 427 /* 428 * session handle modifiers 429 */ 430 #define SFTK_SESSION_SLOT_MASK 0xff000000L 431 432 /* 433 * object handle modifiers 434 */ 435 #define SFTK_TOKEN_MASK 0x80000000L 436 #define SFTK_TOKEN_MAGIC 0x80000000L 437 #define SFTK_TOKEN_TYPE_MASK 0x70000000L 438 /* keydb (high bit == 0) */ 439 #define SFTK_TOKEN_TYPE_PRIV 0x10000000L 440 #define SFTK_TOKEN_TYPE_PUB 0x20000000L 441 #define SFTK_TOKEN_TYPE_KEY 0x30000000L 442 /* certdb (high bit == 1) */ 443 #define SFTK_TOKEN_TYPE_TRUST 0x40000000L 444 #define SFTK_TOKEN_TYPE_CRL 0x50000000L 445 #define SFTK_TOKEN_TYPE_SMIME 0x60000000L 446 #define SFTK_TOKEN_TYPE_CERT 0x70000000L 447 448 #define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1) 449 /* how big (in bytes) a password/pin we can deal with */ 450 #define SFTK_MAX_PIN 255 451 /* minimum password/pin length (in Unicode characters) in FIPS mode */ 452 #define FIPS_MIN_PIN 7 453 454 /* slot ID's */ 455 #define NETSCAPE_SLOT_ID 1 456 #define PRIVATE_KEY_SLOT_ID 2 457 #define FIPS_SLOT_ID 3 458 459 /* slot helper macros */ 460 #define sftk_SlotFromSession(sp) ((sp)->slot) 461 #define sftk_isToken(id) (((id)&SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC) 462 463 /* the session hash multiplier (see bug 201081) */ 464 #define SHMULTIPLIER 1791398085 465 466 /* queueing helper macros */ 467 #define sftk_hash(value, size) \ 468 ((PRUint32)((value)*SHMULTIPLIER) & (size - 1)) 469 #define sftkqueue_add(element, id, head, hash_size) \ 470 { \ 471 int tmp = sftk_hash(id, hash_size); \ 472 (element)->next = (head)[tmp]; \ 473 (element)->prev = NULL; \ 474 if ((head)[tmp]) \ 475 (head)[tmp]->prev = (element); \ 476 (head)[tmp] = (element); \ 477 } 478 #define sftkqueue_find(element, id, head, hash_size) \ 479 for ((element) = (head)[sftk_hash(id, hash_size)]; (element) != NULL; \ 480 (element) = (element)->next) { \ 481 if ((element)->handle == (id)) { \ 482 break; \ 483 } \ 484 } 485 #define sftkqueue_is_queued(element, id, head, hash_size) \ 486 (((element)->next) || ((element)->prev) || \ 487 ((head)[sftk_hash(id, hash_size)] == (element))) 488 #define sftkqueue_delete(element, id, head, hash_size) \ 489 if ((element)->next) \ 490 (element)->next->prev = (element)->prev; \ 491 if ((element)->prev) \ 492 (element)->prev->next = (element)->next; \ 493 else \ 494 (head)[sftk_hash(id, hash_size)] = ((element)->next); \ 495 (element)->next = NULL; \ 496 (element)->prev = NULL; 497 498 #define sftkqueue_init_element(element) \ 499 (element)->prev = NULL; 500 501 #define sftkqueue_add2(element, id, index, head) \ 502 { \ 503 (element)->next = (head)[index]; \ 504 if ((head)[index]) \ 505 (head)[index]->prev = (element); \ 506 (head)[index] = (element); \ 507 } 508 509 #define sftkqueue_find2(element, id, index, head) \ 510 for ((element) = (head)[index]; \ 511 (element) != NULL; \ 512 (element) = (element)->next) { \ 513 if ((element)->handle == (id)) { \ 514 break; \ 515 } \ 516 } 517 518 #define sftkqueue_delete2(element, id, index, head) \ 519 if ((element)->next) \ 520 (element)->next->prev = (element)->prev; \ 521 if ((element)->prev) \ 522 (element)->prev->next = (element)->next; \ 523 else \ 524 (head)[index] = ((element)->next); 525 526 #define sftkqueue_clear_deleted_element(element) \ 527 (element)->next = NULL; \ 528 (element)->prev = NULL; 529 530 /* sessionID (handle) is used to determine session lock bucket */ 531 #ifdef NOSPREAD 532 /* NOSPREAD: (ID>>L2LPB) & (perbucket-1) */ 533 #define SFTK_SESSION_LOCK(slot, handle) \ 534 ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) & (slot)->sessionLockMask]) 535 #else 536 /* SPREAD: ID & (perbucket-1) */ 537 #define SFTK_SESSION_LOCK(slot, handle) \ 538 ((slot)->sessionLock[(handle) & (slot)->sessionLockMask]) 539 #endif 540 541 /* expand an attribute & secitem structures out */ 542 #define sftk_attr_expand(ap) (ap)->type, (ap)->pValue, (ap)->ulValueLen 543 #define sftk_item_expand(ip) (ip)->data, (ip)->len 544 545 typedef struct sftk_token_parametersStr { 546 CK_SLOT_ID slotID; 547 char *configdir; 548 char *certPrefix; 549 char *keyPrefix; 550 char *updatedir; 551 char *updCertPrefix; 552 char *updKeyPrefix; 553 char *updateID; 554 char *tokdes; 555 char *slotdes; 556 char *updtokdes; 557 int minPW; 558 PRBool readOnly; 559 PRBool noCertDB; 560 PRBool noKeyDB; 561 PRBool forceOpen; 562 PRBool pwRequired; 563 PRBool optimizeSpace; 564 } sftk_token_parameters; 565 566 typedef struct sftk_parametersStr { 567 char *configdir; 568 char *updatedir; 569 char *updateID; 570 char *secmodName; 571 char *man; 572 char *libdes; 573 PRBool readOnly; 574 PRBool noModDB; 575 PRBool noCertDB; 576 PRBool forceOpen; 577 PRBool pwRequired; 578 PRBool optimizeSpace; 579 sftk_token_parameters *tokens; 580 int token_count; 581 } sftk_parameters; 582 583 /* path stuff (was machine dependent) used by dbinit.c and pk11db.c */ 584 #define CERT_DB_FMT "%scert%s.db" 585 #define KEY_DB_FMT "%skey%s.db" 586 587 SEC_BEGIN_PROTOS 588 589 /* shared functions between pkcs11.c and fipstokn.c */ 590 extern PRBool nsf_init; 591 extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS); 592 extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS); 593 extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv); 594 extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 595 CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex); 596 597 /* slot initialization, reinit, shutdown and destruction */ 598 extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID, 599 sftk_token_parameters *params, int moduleIndex); 600 extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir, 601 char *updatedir, char *updateID, 602 sftk_token_parameters *params, int moduleIndex); 603 extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot); 604 extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot); 605 extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout); 606 607 /* internal utility functions used by pkcs11.c */ 608 extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object, 609 CK_ATTRIBUTE_TYPE type); 610 extern void sftk_FreeAttribute(SFTKAttribute *attribute); 611 extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 612 const void *valPtr, CK_ULONG length); 613 extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item, 614 SFTKObject *object, CK_ATTRIBUTE_TYPE type); 615 extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena, 616 SFTKObject *object, 617 SFTKItemTemplate *templ, int count); 618 extern unsigned int sftk_GetLengthInBits(unsigned char *buf, 619 unsigned int bufLen); 620 extern CK_RV sftk_ConstrainAttribute(SFTKObject *object, 621 CK_ATTRIBUTE_TYPE type, int minLength, 622 int maxLength, int minMultiple); 623 extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type); 624 extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type); 625 extern void sftk_DeleteAttributeType(SFTKObject *object, 626 CK_ATTRIBUTE_TYPE type); 627 extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item, 628 SFTKObject *object, CK_ATTRIBUTE_TYPE type); 629 extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item, 630 SFTKObject *object, 631 CK_ATTRIBUTE_TYPE type); 632 extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type, 633 CK_OBJECT_CLASS inClass); 634 extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass); 635 extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type); 636 extern void sftk_nullAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type); 637 extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 638 CK_ULONG *longData); 639 extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 640 const void *value, unsigned int len); 641 extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, 642 const void *value, unsigned int len); 643 extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth); 644 645 extern SFTKObject *sftk_NewObject(SFTKSlot *slot); 646 extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject); 647 extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object); 648 extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object); 649 extern void sftk_ReferenceObject(SFTKObject *object); 650 extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, 651 SFTKSession *session); 652 extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object); 653 extern void sftk_AddObject(SFTKSession *session, SFTKObject *object); 654 /* clear out all the existing object ID to database key mappings. 655 * used to reinit a token */ 656 extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot); 657 658 extern CK_RV sftk_searchObjectList(SFTKSearchResults *search, 659 SFTKObject **head, unsigned int size, 660 PZLock *lock, CK_ATTRIBUTE_PTR inTemplate, 661 int count, PRBool isLoggedIn); 662 extern SFTKObjectListElement *sftk_FreeObjectListElement( 663 SFTKObjectListElement *objectList); 664 extern void sftk_FreeObjectList(SFTKObjectListElement *objectList); 665 extern void sftk_FreeSearch(SFTKSearchResults *search); 666 extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session); 667 668 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all); 669 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle); 670 extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle); 671 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle); 672 extern void sftk_FreeSession(SFTKSession *session); 673 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, 674 CK_VOID_PTR pApplication, CK_FLAGS flags); 675 extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session); 676 extern void sftk_update_all_states(SFTKSlot *slot); 677 extern void sftk_FreeContext(SFTKSessionContext *context); 678 extern void sftk_InitFreeLists(void); 679 extern void sftk_CleanupFreeLists(void); 680 681 extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object, 682 CK_KEY_TYPE key_type, CK_RV *crvp); 683 extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object, 684 CK_KEY_TYPE key_type, CK_RV *crvp); 685 extern void sftk_FormatDESKey(unsigned char *key, int length); 686 extern PRBool sftk_CheckDESKey(unsigned char *key); 687 extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type); 688 689 /* mechanism allows this operation */ 690 extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op); 691 692 /* helper function which calls nsslowkey_FindKeyByPublicKey after safely 693 * acquiring a reference to the keydb from the slot */ 694 NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey); 695 696 /* 697 * parameter parsing functions 698 */ 699 CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS); 700 void sftk_freeParams(sftk_parameters *params); 701 702 /* 703 * narrow objects 704 */ 705 SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *); 706 SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *); 707 708 /* 709 * token object utilities 710 */ 711 void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle); 712 PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey, 713 CK_OBJECT_HANDLE handle); 714 SFTKObject *sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, 715 CK_OBJECT_HANDLE handle); 716 SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so); 717 718 /* J-PAKE (jpakesftk.c) */ 719 extern CK_RV jpake_Round1(HASH_HashType hashType, 720 CK_NSS_JPAKERound1Params *params, 721 SFTKObject *key); 722 extern CK_RV jpake_Round2(HASH_HashType hashType, 723 CK_NSS_JPAKERound2Params *params, 724 SFTKObject *sourceKey, SFTKObject *key); 725 extern CK_RV jpake_Final(HASH_HashType hashType, 726 const CK_NSS_JPAKEFinalParams *params, 727 SFTKObject *sourceKey, SFTKObject *key); 728 729 /* Constant time MAC functions (hmacct.c) */ 730 731 struct sftk_MACConstantTimeCtxStr { 732 const SECHashObject *hash; 733 unsigned char mac[64]; 734 unsigned char secret[64]; 735 unsigned int headerLength; 736 unsigned int secretLength; 737 unsigned int totalLength; 738 unsigned char header[75]; 739 }; 740 typedef struct sftk_MACConstantTimeCtxStr sftk_MACConstantTimeCtx; 741 sftk_MACConstantTimeCtx *sftk_HMACConstantTime_New( 742 CK_MECHANISM_PTR mech, SFTKObject *key); 743 sftk_MACConstantTimeCtx *sftk_SSLv3MACConstantTime_New( 744 CK_MECHANISM_PTR mech, SFTKObject *key); 745 void sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len); 746 void sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len); 747 void sftk_MACConstantTime_EndHash( 748 void *pctx, void *out, unsigned int *outLength, unsigned int maxLength); 749 void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool); 750 751 /**************************************** 752 * implement TLS Pseudo Random Function (PRF) 753 */ 754 755 extern CK_RV 756 sftk_TLSPRFInit(SFTKSessionContext *context, 757 SFTKObject *key, 758 CK_KEY_TYPE key_type, 759 HASH_HashType hash_alg, 760 unsigned int out_len); 761 762 SEC_END_PROTOS 763 764 #endif /* _PKCS11I_H_ */ 765