andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: /* andre@0: * Deal with PKCS #11 Slots. andre@0: */ andre@0: #include "seccomon.h" andre@0: #include "secmod.h" andre@0: #include "nssilock.h" andre@0: #include "secmodi.h" andre@0: #include "secmodti.h" andre@0: #include "pkcs11t.h" andre@0: #include "pk11func.h" andre@0: #include "secitem.h" andre@0: #include "secerr.h" andre@0: andre@0: #include "dev.h" andre@0: #include "dev3hack.h" andre@0: #include "pkim.h" andre@0: #include "utilpars.h" andre@0: andre@0: andre@0: /************************************************************* andre@0: * local static and global data andre@0: *************************************************************/ andre@0: andre@0: /* andre@0: * This array helps parsing between names, mechanisms, and flags. andre@0: * to make the config files understand more entries, add them andre@0: * to this table. andre@0: */ andre@0: const PK11DefaultArrayEntry PK11_DefaultArray[] = { andre@0: { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, andre@0: { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, andre@0: { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, andre@0: { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, andre@0: { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, andre@0: { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, andre@0: { "DES", SECMOD_DES_FLAG, CKM_DES_CBC }, andre@0: { "AES", SECMOD_AES_FLAG, CKM_AES_CBC }, andre@0: { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC }, andre@0: { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC }, andre@0: { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC }, andre@0: { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 }, andre@0: /* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */ andre@0: { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 }, andre@0: /* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */ andre@0: { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 }, andre@0: { "MD5", SECMOD_MD5_FLAG, CKM_MD5 }, andre@0: { "MD2", SECMOD_MD2_FLAG, CKM_MD2 }, andre@0: { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN }, andre@0: { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE }, andre@0: { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 }, andre@0: { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM }, andre@0: { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM }, andre@0: }; andre@0: const int num_pk11_default_mechanisms = andre@0: sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]); andre@0: andre@0: const PK11DefaultArrayEntry * andre@0: PK11_GetDefaultArray(int *size) andre@0: { andre@0: if (size) { andre@0: *size = num_pk11_default_mechanisms; andre@0: } andre@0: return PK11_DefaultArray; andre@0: } andre@0: andre@0: /* andre@0: * These slotlists are lists of modules which provide default support for andre@0: * a given algorithm or mechanism. andre@0: */ andre@0: static PK11SlotList andre@0: pk11_seedSlotList, andre@0: pk11_camelliaSlotList, andre@0: pk11_aesSlotList, andre@0: pk11_desSlotList, andre@0: pk11_rc4SlotList, andre@0: pk11_rc2SlotList, andre@0: pk11_rc5SlotList, andre@0: pk11_sha1SlotList, andre@0: pk11_md5SlotList, andre@0: pk11_md2SlotList, andre@0: pk11_rsaSlotList, andre@0: pk11_dsaSlotList, andre@0: pk11_dhSlotList, andre@0: pk11_ecSlotList, andre@0: pk11_ideaSlotList, andre@0: pk11_sslSlotList, andre@0: pk11_tlsSlotList, andre@0: pk11_randomSlotList, andre@0: pk11_sha256SlotList, andre@0: pk11_sha512SlotList; /* slots do SHA512 and SHA384 */ andre@0: andre@0: /************************************************************ andre@0: * Generic Slot List and Slot List element manipulations andre@0: ************************************************************/ andre@0: andre@0: /* andre@0: * allocate a new list andre@0: */ andre@0: PK11SlotList * andre@0: PK11_NewSlotList(void) andre@0: { andre@0: PK11SlotList *list; andre@0: andre@0: list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList)); andre@0: if (list == NULL) return NULL; andre@0: list->head = NULL; andre@0: list->tail = NULL; andre@0: list->lock = PZ_NewLock(nssILockList); andre@0: if (list->lock == NULL) { andre@0: PORT_Free(list); andre@0: return NULL; andre@0: } andre@0: andre@0: return list; andre@0: } andre@0: andre@0: /* andre@0: * free a list element when all the references go away. andre@0: */ andre@0: SECStatus andre@0: PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le) andre@0: { andre@0: PRBool freeit = PR_FALSE; andre@0: andre@0: if (list == NULL || le == NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return SECFailure; andre@0: } andre@0: andre@0: PZ_Lock(list->lock); andre@0: if (le->refCount-- == 1) { andre@0: freeit = PR_TRUE; andre@0: } andre@0: PZ_Unlock(list->lock); andre@0: if (freeit) { andre@0: PK11_FreeSlot(le->slot); andre@0: PORT_Free(le); andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: static void andre@0: pk11_FreeSlotListStatic(PK11SlotList *list) andre@0: { andre@0: PK11SlotListElement *le, *next ; andre@0: if (list == NULL) return; andre@0: andre@0: for (le = list->head ; le; le = next) { andre@0: next = le->next; andre@0: PK11_FreeSlotListElement(list,le); andre@0: } andre@0: if (list->lock) { andre@0: PZ_DestroyLock(list->lock); andre@0: } andre@0: list->lock = NULL; andre@0: list->head = NULL; andre@0: } andre@0: andre@0: /* andre@0: * if we are freeing the list, we must be the only ones with a pointer andre@0: * to the list. andre@0: */ andre@0: void andre@0: PK11_FreeSlotList(PK11SlotList *list) andre@0: { andre@0: pk11_FreeSlotListStatic(list); andre@0: PORT_Free(list); andre@0: } andre@0: andre@0: /* andre@0: * add a slot to a list andre@0: * "slot" is the slot to be added. Ownership is not transferred. andre@0: * "sorted" indicates whether or not the slot should be inserted according to andre@0: * cipherOrder of the associated module. PR_FALSE indicates that the slot andre@0: * should be inserted to the head of the list. andre@0: */ andre@0: SECStatus andre@0: PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot, PRBool sorted) andre@0: { andre@0: PK11SlotListElement *le; andre@0: PK11SlotListElement *element; andre@0: andre@0: le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement)); andre@0: if (le == NULL) return SECFailure; andre@0: andre@0: le->slot = PK11_ReferenceSlot(slot); andre@0: le->prev = NULL; andre@0: le->refCount = 1; andre@0: PZ_Lock(list->lock); andre@0: element = list->head; andre@0: /* Insertion sort, with higher cipherOrders are sorted first in the list */ andre@0: while (element && sorted && (element->slot->module->cipherOrder > andre@0: le->slot->module->cipherOrder)) { andre@0: element = element->next; andre@0: } andre@0: if (element) { andre@0: le->prev = element->prev; andre@0: element->prev = le; andre@0: le->next = element; andre@0: } else { andre@0: le->prev = list->tail; andre@0: le->next = NULL; andre@0: list->tail = le; andre@0: } andre@0: if (le->prev) le->prev->next = le; andre@0: if (list->head == element) list->head = le; andre@0: PZ_Unlock(list->lock); andre@0: andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * remove a slot entry from the list andre@0: */ andre@0: SECStatus andre@0: PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le) andre@0: { andre@0: PZ_Lock(list->lock); andre@0: if (le->prev) le->prev->next = le->next; else list->head = le->next; andre@0: if (le->next) le->next->prev = le->prev; else list->tail = le->prev; andre@0: le->next = le->prev = NULL; andre@0: PZ_Unlock(list->lock); andre@0: PK11_FreeSlotListElement(list,le); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * Move a list to the end of the target list. andre@0: * NOTE: There is no locking here... This assumes BOTH lists are private copy andre@0: * lists. It also does not re-sort the target list. andre@0: */ andre@0: SECStatus andre@0: pk11_MoveListToList(PK11SlotList *target,PK11SlotList *src) andre@0: { andre@0: if (src->head == NULL) return SECSuccess; andre@0: andre@0: if (target->tail == NULL) { andre@0: target->head = src->head; andre@0: } else { andre@0: target->tail->next = src->head; andre@0: } andre@0: src->head->prev = target->tail; andre@0: target->tail = src->tail; andre@0: src->head = src->tail = NULL; andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * get an element from the list with a reference. You must own the list. andre@0: */ andre@0: PK11SlotListElement * andre@0: PK11_GetFirstRef(PK11SlotList *list) andre@0: { andre@0: PK11SlotListElement *le; andre@0: andre@0: le = list->head; andre@0: if (le != NULL) (le)->refCount++; andre@0: return le; andre@0: } andre@0: andre@0: /* andre@0: * get the next element from the list with a reference. You must own the list. andre@0: */ andre@0: PK11SlotListElement * andre@0: PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) andre@0: { andre@0: PK11SlotListElement *new_le; andre@0: new_le = le->next; andre@0: if (new_le) new_le->refCount++; andre@0: PK11_FreeSlotListElement(list,le); andre@0: return new_le; andre@0: } andre@0: andre@0: /* andre@0: * get an element safely from the list. This just makes sure that if andre@0: * this element is not deleted while we deal with it. andre@0: */ andre@0: PK11SlotListElement * andre@0: PK11_GetFirstSafe(PK11SlotList *list) andre@0: { andre@0: PK11SlotListElement *le; andre@0: andre@0: PZ_Lock(list->lock); andre@0: le = list->head; andre@0: if (le != NULL) (le)->refCount++; andre@0: PZ_Unlock(list->lock); andre@0: return le; andre@0: } andre@0: andre@0: /* andre@0: * NOTE: if this element gets deleted, we can no longer safely traverse using andre@0: * it's pointers. We can either terminate the loop, or restart from the andre@0: * beginning. This is controlled by the restart option. andre@0: */ andre@0: PK11SlotListElement * andre@0: PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) andre@0: { andre@0: PK11SlotListElement *new_le; andre@0: PZ_Lock(list->lock); andre@0: new_le = le->next; andre@0: if (le->next == NULL) { andre@0: /* if the prev and next fields are NULL then either this element andre@0: * has been removed and we need to walk the list again (if restart andre@0: * is true) or this was the only element on the list */ andre@0: if ((le->prev == NULL) && restart && (list->head != le)) { andre@0: new_le = list->head; andre@0: } andre@0: } andre@0: if (new_le) new_le->refCount++; andre@0: PZ_Unlock(list->lock); andre@0: PK11_FreeSlotListElement(list,le); andre@0: return new_le; andre@0: } andre@0: andre@0: andre@0: /* andre@0: * Find the element that holds this slot andre@0: */ andre@0: PK11SlotListElement * andre@0: PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot) andre@0: { andre@0: PK11SlotListElement *le; andre@0: andre@0: for (le = PK11_GetFirstSafe(list); le; andre@0: le = PK11_GetNextSafe(list,le,PR_TRUE)) { andre@0: if (le->slot == slot) return le; andre@0: } andre@0: return NULL; andre@0: } andre@0: andre@0: /************************************************************ andre@0: * Generic Slot Utilities andre@0: ************************************************************/ andre@0: /* andre@0: * Create a new slot structure andre@0: */ andre@0: PK11SlotInfo * andre@0: PK11_NewSlotInfo(SECMODModule *mod) andre@0: { andre@0: PK11SlotInfo *slot; andre@0: andre@0: slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo)); andre@0: if (slot == NULL) return slot; andre@0: andre@0: slot->sessionLock = mod->isThreadSafe ? andre@0: PZ_NewLock(nssILockSession) : mod->refLock; andre@0: if (slot->sessionLock == NULL) { andre@0: PORT_Free(slot); andre@0: return NULL; andre@0: } andre@0: slot->freeListLock = PZ_NewLock(nssILockFreelist); andre@0: if (slot->freeListLock == NULL) { andre@0: if (mod->isThreadSafe) { andre@0: PZ_DestroyLock(slot->sessionLock); andre@0: } andre@0: PORT_Free(slot); andre@0: return NULL; andre@0: } andre@0: slot->freeSymKeysWithSessionHead = NULL; andre@0: slot->freeSymKeysHead = NULL; andre@0: slot->keyCount = 0; andre@0: slot->maxKeyCount = 0; andre@0: slot->functionList = NULL; andre@0: slot->needTest = PR_TRUE; andre@0: slot->isPerm = PR_FALSE; andre@0: slot->isHW = PR_FALSE; andre@0: slot->isInternal = PR_FALSE; andre@0: slot->isThreadSafe = PR_FALSE; andre@0: slot->disabled = PR_FALSE; andre@0: slot->series = 1; andre@0: slot->wrapKey = 0; andre@0: slot->wrapMechanism = CKM_INVALID_MECHANISM; andre@0: slot->refKeys[0] = CK_INVALID_HANDLE; andre@0: slot->reason = PK11_DIS_NONE; andre@0: slot->readOnly = PR_TRUE; andre@0: slot->needLogin = PR_FALSE; andre@0: slot->hasRandom = PR_FALSE; andre@0: slot->defRWSession = PR_FALSE; andre@0: slot->protectedAuthPath = PR_FALSE; andre@0: slot->flags = 0; andre@0: slot->session = CK_INVALID_SESSION; andre@0: slot->slotID = 0; andre@0: slot->defaultFlags = 0; andre@0: slot->refCount = 1; andre@0: slot->askpw = 0; andre@0: slot->timeout = 0; andre@0: slot->mechanismList = NULL; andre@0: slot->mechanismCount = 0; andre@0: slot->cert_array = NULL; andre@0: slot->cert_count = 0; andre@0: slot->slot_name[0] = 0; andre@0: slot->token_name[0] = 0; andre@0: PORT_Memset(slot->serial,' ',sizeof(slot->serial)); andre@0: slot->module = NULL; andre@0: slot->authTransact = 0; andre@0: slot->authTime = LL_ZERO; andre@0: slot->minPassword = 0; andre@0: slot->maxPassword = 0; andre@0: slot->hasRootCerts = PR_FALSE; andre@0: slot->nssToken = NULL; andre@0: return slot; andre@0: } andre@0: andre@0: /* create a new reference to a slot so it doesn't go away */ andre@0: PK11SlotInfo * andre@0: PK11_ReferenceSlot(PK11SlotInfo *slot) andre@0: { andre@0: PR_ATOMIC_INCREMENT(&slot->refCount); andre@0: return slot; andre@0: } andre@0: andre@0: /* Destroy all info on a slot we have built up */ andre@0: void andre@0: PK11_DestroySlot(PK11SlotInfo *slot) andre@0: { andre@0: /* free up the cached keys and sessions */ andre@0: PK11_CleanKeyList(slot); andre@0: andre@0: /* free up all the sessions on this slot */ andre@0: if (slot->functionList) { andre@0: PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); andre@0: } andre@0: andre@0: if (slot->mechanismList) { andre@0: PORT_Free(slot->mechanismList); andre@0: } andre@0: if (slot->isThreadSafe && slot->sessionLock) { andre@0: PZ_DestroyLock(slot->sessionLock); andre@0: } andre@0: slot->sessionLock = NULL; andre@0: if (slot->freeListLock) { andre@0: PZ_DestroyLock(slot->freeListLock); andre@0: slot->freeListLock = NULL; andre@0: } andre@0: andre@0: /* finally Tell our parent module that we've gone away so it can unload */ andre@0: if (slot->module) { andre@0: SECMOD_SlotDestroyModule(slot->module,PR_TRUE); andre@0: } andre@0: andre@0: /* ok, well not quit finally... now we free the memory */ andre@0: PORT_Free(slot); andre@0: } andre@0: andre@0: andre@0: /* We're all done with the slot, free it */ andre@0: void andre@0: PK11_FreeSlot(PK11SlotInfo *slot) andre@0: { andre@0: if (PR_ATOMIC_DECREMENT(&slot->refCount) == 0) { andre@0: PK11_DestroySlot(slot); andre@0: } andre@0: } andre@0: andre@0: void andre@0: PK11_EnterSlotMonitor(PK11SlotInfo *slot) { andre@0: PZ_Lock(slot->sessionLock); andre@0: } andre@0: andre@0: void andre@0: PK11_ExitSlotMonitor(PK11SlotInfo *slot) { andre@0: PZ_Unlock(slot->sessionLock); andre@0: } andre@0: andre@0: /*********************************************************** andre@0: * Functions to find specific slots. andre@0: ***********************************************************/ andre@0: PRBool andre@0: SECMOD_HasRootCerts(void) andre@0: { andre@0: SECMODModuleList *mlp; andre@0: SECMODModuleList *modules; andre@0: SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: int i; andre@0: PRBool found = PR_FALSE; andre@0: andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return found; andre@0: } andre@0: andre@0: /* work through all the slots */ andre@0: SECMOD_GetReadLock(moduleLock); andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for(mlp = modules; mlp != NULL; mlp = mlp->next) { andre@0: for (i=0; i < mlp->module->slotCount; i++) { andre@0: PK11SlotInfo *tmpSlot = mlp->module->slots[i]; andre@0: if (PK11_IsPresent(tmpSlot)) { andre@0: if (tmpSlot->hasRootCerts) { andre@0: found = PR_TRUE; andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: if (found) break; andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: andre@0: return found; andre@0: } andre@0: andre@0: /*********************************************************** andre@0: * Functions to find specific slots. andre@0: ***********************************************************/ andre@0: PK11SlotList * andre@0: PK11_FindSlotsByNames(const char *dllName, const char* slotName, andre@0: const char* tokenName, PRBool presentOnly) andre@0: { andre@0: SECMODModuleList *mlp; andre@0: SECMODModuleList *modules; andre@0: SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: int i; andre@0: PK11SlotList* slotList = NULL; andre@0: PRUint32 slotcount = 0; andre@0: SECStatus rv = SECSuccess; andre@0: andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return slotList; andre@0: } andre@0: andre@0: slotList = PK11_NewSlotList(); andre@0: if (!slotList) { andre@0: PORT_SetError(SEC_ERROR_NO_MEMORY); andre@0: return slotList; andre@0: } andre@0: andre@0: if ( ((NULL == dllName) || (0 == *dllName)) && andre@0: ((NULL == slotName) || (0 == *slotName)) && andre@0: ((NULL == tokenName) || (0 == *tokenName)) ) { andre@0: /* default to softoken */ andre@0: PK11_AddSlotToList(slotList, PK11_GetInternalKeySlot(), PR_TRUE); andre@0: return slotList; andre@0: } andre@0: andre@0: /* work through all the slots */ andre@0: SECMOD_GetReadLock(moduleLock); andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for (mlp = modules; mlp != NULL; mlp = mlp->next) { andre@0: PORT_Assert(mlp->module); andre@0: if (!mlp->module) { andre@0: rv = SECFailure; andre@0: break; andre@0: } andre@0: if ((!dllName) || (mlp->module->dllName && andre@0: (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) { andre@0: for (i=0; i < mlp->module->slotCount; i++) { andre@0: PK11SlotInfo *tmpSlot = (mlp->module->slots?mlp->module->slots[i]:NULL); andre@0: PORT_Assert(tmpSlot); andre@0: if (!tmpSlot) { andre@0: rv = SECFailure; andre@0: break; andre@0: } andre@0: if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) && andre@0: ( (!tokenName) || (tmpSlot->token_name && andre@0: (0==PORT_Strcmp(tmpSlot->token_name, tokenName)))) && andre@0: ( (!slotName) || (tmpSlot->slot_name && andre@0: (0==PORT_Strcmp(tmpSlot->slot_name, slotName)))) ) { andre@0: if (tmpSlot) { andre@0: PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE); andre@0: slotcount++; andre@0: } andre@0: } andre@0: } andre@0: } andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: andre@0: if ( (0 == slotcount) || (SECFailure == rv) ) { andre@0: PORT_SetError(SEC_ERROR_NO_TOKEN); andre@0: PK11_FreeSlotList(slotList); andre@0: slotList = NULL; andre@0: } andre@0: andre@0: if (SECFailure == rv) { andre@0: PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); andre@0: } andre@0: andre@0: return slotList; andre@0: } andre@0: andre@0: PK11SlotInfo * andre@0: PK11_FindSlotByName(const char *name) andre@0: { andre@0: SECMODModuleList *mlp; andre@0: SECMODModuleList *modules; andre@0: SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: int i; andre@0: PK11SlotInfo *slot = NULL; andre@0: andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return slot; andre@0: } andre@0: if ((name == NULL) || (*name == 0)) { andre@0: return PK11_GetInternalKeySlot(); andre@0: } andre@0: andre@0: /* work through all the slots */ andre@0: SECMOD_GetReadLock(moduleLock); andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for(mlp = modules; mlp != NULL; mlp = mlp->next) { andre@0: for (i=0; i < mlp->module->slotCount; i++) { andre@0: PK11SlotInfo *tmpSlot = mlp->module->slots[i]; andre@0: if (PK11_IsPresent(tmpSlot)) { andre@0: if (PORT_Strcmp(tmpSlot->token_name,name) == 0) { andre@0: slot = PK11_ReferenceSlot(tmpSlot); andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: if (slot != NULL) break; andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: andre@0: if (slot == NULL) { andre@0: PORT_SetError(SEC_ERROR_NO_TOKEN); andre@0: } andre@0: andre@0: return slot; andre@0: } andre@0: andre@0: andre@0: PK11SlotInfo * andre@0: PK11_FindSlotBySerial(char *serial) andre@0: { andre@0: SECMODModuleList *mlp; andre@0: SECMODModuleList *modules; andre@0: SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: int i; andre@0: PK11SlotInfo *slot = NULL; andre@0: andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return slot; andre@0: } andre@0: /* work through all the slots */ andre@0: SECMOD_GetReadLock(moduleLock); andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for(mlp = modules; mlp != NULL; mlp = mlp->next) { andre@0: for (i=0; i < mlp->module->slotCount; i++) { andre@0: PK11SlotInfo *tmpSlot = mlp->module->slots[i]; andre@0: if (PK11_IsPresent(tmpSlot)) { andre@0: if (PORT_Memcmp(tmpSlot->serial,serial, andre@0: sizeof(tmpSlot->serial)) == 0) { andre@0: slot = PK11_ReferenceSlot(tmpSlot); andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: if (slot != NULL) break; andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: andre@0: if (slot == NULL) { andre@0: PORT_SetError(SEC_ERROR_NO_TOKEN); andre@0: } andre@0: andre@0: return slot; andre@0: } andre@0: andre@0: /* andre@0: * notification stub. If we ever get interested in any events that andre@0: * the pkcs11 functions may pass back to use, we can catch them here... andre@0: * currently pdata is a slotinfo structure. andre@0: */ andre@0: CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, andre@0: CK_VOID_PTR pdata) andre@0: { andre@0: return CKR_OK; andre@0: } andre@0: andre@0: /* andre@0: * grab a new RW session andre@0: * !!! has a side effect of grabbing the Monitor if either the slot's default andre@0: * session is RW or the slot is not thread safe. Monitor is release in function andre@0: * below andre@0: */ andre@0: CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot) andre@0: { andre@0: CK_SESSION_HANDLE rwsession; andre@0: CK_RV crv; andre@0: PRBool haveMonitor = PR_FALSE; andre@0: andre@0: if (!slot->isThreadSafe || slot->defRWSession) { andre@0: PK11_EnterSlotMonitor(slot); andre@0: haveMonitor = PR_TRUE; andre@0: } andre@0: if (slot->defRWSession) { andre@0: PORT_Assert(slot->session != CK_INVALID_SESSION); andre@0: if (slot->session != CK_INVALID_SESSION) andre@0: return slot->session; andre@0: } andre@0: andre@0: crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, andre@0: CKF_RW_SESSION|CKF_SERIAL_SESSION, andre@0: slot, pk11_notify,&rwsession); andre@0: PORT_Assert(rwsession != CK_INVALID_SESSION || crv != CKR_OK); andre@0: if (crv != CKR_OK || rwsession == CK_INVALID_SESSION) { andre@0: if (crv == CKR_OK) andre@0: crv = CKR_DEVICE_ERROR; andre@0: if (haveMonitor) andre@0: PK11_ExitSlotMonitor(slot); andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return CK_INVALID_SESSION; andre@0: } andre@0: if (slot->defRWSession) { /* we have the monitor */ andre@0: slot->session = rwsession; andre@0: } andre@0: return rwsession; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) andre@0: { andre@0: PRBool hasLock; andre@0: hasLock = (PRBool)(!slot->isThreadSafe || andre@0: (slot->defRWSession && slot->session != CK_INVALID_SESSION)); andre@0: return hasLock; andre@0: } andre@0: andre@0: static PRBool andre@0: pk11_RWSessionIsDefault(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) andre@0: { andre@0: PRBool isDefault; andre@0: isDefault = (PRBool)(slot->session == rwsession && andre@0: slot->defRWSession && andre@0: slot->session != CK_INVALID_SESSION); andre@0: return isDefault; andre@0: } andre@0: andre@0: /* andre@0: * close the rwsession and restore our readonly session andre@0: * !!! has a side effect of releasing the Monitor if either the slot's default andre@0: * session is RW or the slot is not thread safe. andre@0: */ andre@0: void andre@0: PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) andre@0: { andre@0: PORT_Assert(rwsession != CK_INVALID_SESSION); andre@0: if (rwsession != CK_INVALID_SESSION) { andre@0: PRBool doExit = PK11_RWSessionHasLock(slot, rwsession); andre@0: if (!pk11_RWSessionIsDefault(slot, rwsession)) andre@0: PK11_GETTAB(slot)->C_CloseSession(rwsession); andre@0: if (doExit) andre@0: PK11_ExitSlotMonitor(slot); andre@0: } andre@0: } andre@0: andre@0: /************************************************************ andre@0: * Manage the built-In Slot Lists andre@0: ************************************************************/ andre@0: andre@0: /* Init the static built int slot list (should actually integrate andre@0: * with PK11_NewSlotList */ andre@0: static void andre@0: pk11_InitSlotListStatic(PK11SlotList *list) andre@0: { andre@0: list->lock = PZ_NewLock(nssILockList); andre@0: list->head = NULL; andre@0: } andre@0: andre@0: andre@0: /* initialize the system slotlists */ andre@0: SECStatus andre@0: PK11_InitSlotLists(void) andre@0: { andre@0: pk11_InitSlotListStatic(&pk11_seedSlotList); andre@0: pk11_InitSlotListStatic(&pk11_camelliaSlotList); andre@0: pk11_InitSlotListStatic(&pk11_aesSlotList); andre@0: pk11_InitSlotListStatic(&pk11_desSlotList); andre@0: pk11_InitSlotListStatic(&pk11_rc4SlotList); andre@0: pk11_InitSlotListStatic(&pk11_rc2SlotList); andre@0: pk11_InitSlotListStatic(&pk11_rc5SlotList); andre@0: pk11_InitSlotListStatic(&pk11_md5SlotList); andre@0: pk11_InitSlotListStatic(&pk11_md2SlotList); andre@0: pk11_InitSlotListStatic(&pk11_sha1SlotList); andre@0: pk11_InitSlotListStatic(&pk11_rsaSlotList); andre@0: pk11_InitSlotListStatic(&pk11_dsaSlotList); andre@0: pk11_InitSlotListStatic(&pk11_dhSlotList); andre@0: pk11_InitSlotListStatic(&pk11_ecSlotList); andre@0: pk11_InitSlotListStatic(&pk11_ideaSlotList); andre@0: pk11_InitSlotListStatic(&pk11_sslSlotList); andre@0: pk11_InitSlotListStatic(&pk11_tlsSlotList); andre@0: pk11_InitSlotListStatic(&pk11_randomSlotList); andre@0: pk11_InitSlotListStatic(&pk11_sha256SlotList); andre@0: pk11_InitSlotListStatic(&pk11_sha512SlotList); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: void andre@0: PK11_DestroySlotLists(void) andre@0: { andre@0: pk11_FreeSlotListStatic(&pk11_seedSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_camelliaSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_aesSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_desSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_rc4SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_rc2SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_rc5SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_md5SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_md2SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_sha1SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_rsaSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_dsaSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_dhSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_ecSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_ideaSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_sslSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_tlsSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_randomSlotList); andre@0: pk11_FreeSlotListStatic(&pk11_sha256SlotList); andre@0: pk11_FreeSlotListStatic(&pk11_sha512SlotList); andre@0: return; andre@0: } andre@0: andre@0: /* return a system slot list based on mechanism */ andre@0: PK11SlotList * andre@0: PK11_GetSlotList(CK_MECHANISM_TYPE type) andre@0: { andre@0: /* XXX a workaround for Bugzilla bug #55267 */ andre@0: #if defined(HPUX) && defined(__LP64__) andre@0: if (CKM_INVALID_MECHANISM == type) andre@0: return NULL; andre@0: #endif andre@0: switch (type) { andre@0: case CKM_SEED_CBC: andre@0: case CKM_SEED_ECB: andre@0: return &pk11_seedSlotList; andre@0: case CKM_CAMELLIA_CBC: andre@0: case CKM_CAMELLIA_ECB: andre@0: return &pk11_camelliaSlotList; andre@0: case CKM_AES_CBC: andre@0: case CKM_AES_CCM: andre@0: case CKM_AES_CTR: andre@0: case CKM_AES_CTS: andre@0: case CKM_AES_GCM: andre@0: case CKM_AES_ECB: andre@0: return &pk11_aesSlotList; andre@0: case CKM_DES_CBC: andre@0: case CKM_DES_ECB: andre@0: case CKM_DES3_ECB: andre@0: case CKM_DES3_CBC: andre@0: return &pk11_desSlotList; andre@0: case CKM_RC4: andre@0: return &pk11_rc4SlotList; andre@0: case CKM_RC5_CBC: andre@0: return &pk11_rc5SlotList; andre@0: case CKM_SHA_1: andre@0: return &pk11_sha1SlotList; andre@0: case CKM_SHA224: andre@0: case CKM_SHA256: andre@0: return &pk11_sha256SlotList; andre@0: case CKM_SHA384: andre@0: case CKM_SHA512: andre@0: return &pk11_sha512SlotList; andre@0: case CKM_MD5: andre@0: return &pk11_md5SlotList; andre@0: case CKM_MD2: andre@0: return &pk11_md2SlotList; andre@0: case CKM_RC2_ECB: andre@0: case CKM_RC2_CBC: andre@0: return &pk11_rc2SlotList; andre@0: case CKM_RSA_PKCS: andre@0: case CKM_RSA_PKCS_KEY_PAIR_GEN: andre@0: case CKM_RSA_X_509: andre@0: return &pk11_rsaSlotList; andre@0: case CKM_DSA: andre@0: return &pk11_dsaSlotList; andre@0: case CKM_DH_PKCS_KEY_PAIR_GEN: andre@0: case CKM_DH_PKCS_DERIVE: andre@0: return &pk11_dhSlotList; andre@0: case CKM_ECDSA: andre@0: case CKM_ECDSA_SHA1: andre@0: case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ andre@0: case CKM_ECDH1_DERIVE: andre@0: return &pk11_ecSlotList; andre@0: case CKM_SSL3_PRE_MASTER_KEY_GEN: andre@0: case CKM_SSL3_MASTER_KEY_DERIVE: andre@0: case CKM_SSL3_SHA1_MAC: andre@0: case CKM_SSL3_MD5_MAC: andre@0: return &pk11_sslSlotList; andre@0: case CKM_TLS_MASTER_KEY_DERIVE: andre@0: case CKM_TLS_KEY_AND_MAC_DERIVE: andre@0: case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: andre@0: return &pk11_tlsSlotList; andre@0: case CKM_IDEA_CBC: andre@0: case CKM_IDEA_ECB: andre@0: return &pk11_ideaSlotList; andre@0: case CKM_FAKE_RANDOM: andre@0: return &pk11_randomSlotList; andre@0: } andre@0: return NULL; andre@0: } andre@0: andre@0: /* andre@0: * load the static SlotInfo structures used to select a PKCS11 slot. andre@0: * preSlotInfo has a list of all the default flags for the slots on this andre@0: * module. andre@0: */ andre@0: void andre@0: PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count) andre@0: { andre@0: int i; andre@0: andre@0: for (i=0; i < count; i++) { andre@0: if (psi[i].slotID == slot->slotID) andre@0: break; andre@0: } andre@0: andre@0: if (i == count) return; andre@0: andre@0: slot->defaultFlags = psi[i].defaultFlags; andre@0: slot->askpw = psi[i].askpw; andre@0: slot->timeout = psi[i].timeout; andre@0: slot->hasRootCerts = psi[i].hasRootCerts; andre@0: andre@0: /* if the slot is already disabled, don't load them into the andre@0: * default slot lists. We get here so we can save the default andre@0: * list value. */ andre@0: if (slot->disabled) return; andre@0: andre@0: /* if the user has disabled us, don't load us in */ andre@0: if (slot->defaultFlags & PK11_DISABLE_FLAG) { andre@0: slot->disabled = PR_TRUE; andre@0: slot->reason = PK11_DIS_USER_SELECTED; andre@0: /* free up sessions and things?? */ andre@0: return; andre@0: } andre@0: andre@0: for (i=0; i < num_pk11_default_mechanisms; i++) { andre@0: if (slot->defaultFlags & PK11_DefaultArray[i].flag) { andre@0: CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; andre@0: PK11SlotList *slotList = PK11_GetSlotList(mechanism); andre@0: andre@0: if (slotList) PK11_AddSlotToList(slotList,slot,PR_FALSE); andre@0: } andre@0: } andre@0: andre@0: return; andre@0: } andre@0: andre@0: andre@0: /* andre@0: * update a slot to its new attribute according to the slot list andre@0: * returns: SECSuccess if nothing to do or add/delete is successful andre@0: */ andre@0: SECStatus andre@0: PK11_UpdateSlotAttribute(PK11SlotInfo *slot, andre@0: const PK11DefaultArrayEntry *entry, andre@0: PRBool add) andre@0: /* add: PR_TRUE if want to turn on */ andre@0: { andre@0: SECStatus result = SECSuccess; andre@0: PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism); andre@0: andre@0: if (add) { /* trying to turn on a mechanism */ andre@0: andre@0: /* turn on the default flag in the slot */ andre@0: slot->defaultFlags |= entry->flag; andre@0: andre@0: /* add this slot to the list */ andre@0: if (slotList!=NULL) andre@0: result = PK11_AddSlotToList(slotList, slot, PR_FALSE); andre@0: andre@0: } else { /* trying to turn off */ andre@0: andre@0: /* turn OFF the flag in the slot */ andre@0: slot->defaultFlags &= ~entry->flag; andre@0: andre@0: if (slotList) { andre@0: /* find the element in the list & delete it */ andre@0: PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot); andre@0: andre@0: /* remove the slot from the list */ andre@0: if (le) andre@0: result = PK11_DeleteSlotFromList(slotList, le); andre@0: } andre@0: } andre@0: return result; andre@0: } andre@0: andre@0: /* andre@0: * clear a slot off of all of it's default list andre@0: */ andre@0: void andre@0: PK11_ClearSlotList(PK11SlotInfo *slot) andre@0: { andre@0: int i; andre@0: andre@0: if (slot->disabled) return; andre@0: if (slot->defaultFlags == 0) return; andre@0: andre@0: for (i=0; i < num_pk11_default_mechanisms; i++) { andre@0: if (slot->defaultFlags & PK11_DefaultArray[i].flag) { andre@0: CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; andre@0: PK11SlotList *slotList = PK11_GetSlotList(mechanism); andre@0: PK11SlotListElement *le = NULL; andre@0: andre@0: if (slotList) le = PK11_FindSlotElement(slotList,slot); andre@0: andre@0: if (le) { andre@0: PK11_DeleteSlotFromList(slotList,le); andre@0: PK11_FreeSlotListElement(slotList,le); andre@0: } andre@0: } andre@0: } andre@0: } andre@0: andre@0: andre@0: /****************************************************************** andre@0: * Slot initialization andre@0: ******************************************************************/ andre@0: /* andre@0: * turn a PKCS11 Static Label into a string andre@0: */ andre@0: char * andre@0: PK11_MakeString(PLArenaPool *arena,char *space, andre@0: char *staticString,int stringLen) andre@0: { andre@0: int i; andre@0: char *newString; andre@0: for(i=(stringLen-1); i >= 0; i--) { andre@0: if (staticString[i] != ' ') break; andre@0: } andre@0: /* move i to point to the last space */ andre@0: i++; andre@0: if (arena) { andre@0: newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */); andre@0: } else if (space) { andre@0: newString = space; andre@0: } else { andre@0: newString = (char*)PORT_Alloc(i+1 /* space for NULL */); andre@0: } andre@0: if (newString == NULL) return NULL; andre@0: andre@0: if (i) PORT_Memcpy(newString,staticString, i); andre@0: newString[i] = 0; andre@0: andre@0: return newString; andre@0: } andre@0: andre@0: /* andre@0: * Reads in the slots mechanism list for later use andre@0: */ andre@0: SECStatus andre@0: PK11_ReadMechanismList(PK11SlotInfo *slot) andre@0: { andre@0: CK_ULONG count; andre@0: CK_RV crv; andre@0: PRUint32 i; andre@0: andre@0: if (slot->mechanismList) { andre@0: PORT_Free(slot->mechanismList); andre@0: slot->mechanismList = NULL; andre@0: } andre@0: slot->mechanismCount = 0; andre@0: andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count); andre@0: if (crv != CKR_OK) { andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: andre@0: slot->mechanismList = (CK_MECHANISM_TYPE *) andre@0: PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE)); andre@0: if (slot->mechanismList == NULL) { andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: return SECFailure; andre@0: } andre@0: crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, andre@0: slot->mechanismList, &count); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_Free(slot->mechanismList); andre@0: slot->mechanismList = NULL; andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECSuccess; andre@0: } andre@0: slot->mechanismCount = count; andre@0: PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits)); andre@0: andre@0: for (i=0; i < count; i++) { andre@0: CK_MECHANISM_TYPE mech = slot->mechanismList[i]; andre@0: if (mech < 0x7ff) { andre@0: slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); andre@0: } andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * initialize a new token andre@0: * unlike initialize slot, this can be called multiple times in the lifetime andre@0: * of NSS. It reads the information associated with a card or token, andre@0: * that is not going to change unless the card or token changes. andre@0: */ andre@0: SECStatus andre@0: PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) andre@0: { andre@0: CK_TOKEN_INFO tokenInfo; andre@0: CK_RV crv; andre@0: char *tmp; andre@0: SECStatus rv; andre@0: PRStatus status; andre@0: andre@0: /* set the slot flags to the current token values */ andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: andre@0: /* set the slot flags to the current token values */ andre@0: slot->series++; /* allow other objects to detect that the andre@0: * slot is different */ andre@0: slot->flags = tokenInfo.flags; andre@0: slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? andre@0: PR_TRUE : PR_FALSE); andre@0: slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? andre@0: PR_TRUE : PR_FALSE); andre@0: andre@0: andre@0: slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); andre@0: slot->protectedAuthPath = andre@0: ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) andre@0: ? PR_TRUE : PR_FALSE); andre@0: slot->lastLoginCheck = 0; andre@0: slot->lastState = 0; andre@0: /* on some platforms Active Card incorrectly sets the andre@0: * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ andre@0: if (slot->isActiveCard) { andre@0: slot->protectedAuthPath = PR_FALSE; andre@0: } andre@0: tmp = PK11_MakeString(NULL,slot->token_name, andre@0: (char *)tokenInfo.label, sizeof(tokenInfo.label)); andre@0: slot->minPassword = tokenInfo.ulMinPinLen; andre@0: slot->maxPassword = tokenInfo.ulMaxPinLen; andre@0: PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial)); andre@0: andre@0: nssToken_UpdateName(slot->nssToken); andre@0: andre@0: slot->defRWSession = (PRBool)((!slot->readOnly) && andre@0: (tokenInfo.ulMaxSessionCount == 1)); andre@0: rv = PK11_ReadMechanismList(slot); andre@0: if (rv != SECSuccess) return rv; andre@0: andre@0: slot->hasRSAInfo = PR_FALSE; andre@0: slot->RSAInfoFlags = 0; andre@0: andre@0: /* initialize the maxKeyCount value */ andre@0: if (tokenInfo.ulMaxSessionCount == 0) { andre@0: slot->maxKeyCount = 800; /* should be #define or a config param */ andre@0: } else if (tokenInfo.ulMaxSessionCount < 20) { andre@0: /* don't have enough sessions to keep that many keys around */ andre@0: slot->maxKeyCount = 0; andre@0: } else { andre@0: slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2; andre@0: } andre@0: andre@0: /* Make sure our session handle is valid */ andre@0: if (slot->session == CK_INVALID_SESSION) { andre@0: /* we know we don't have a valid session, go get one */ andre@0: CK_SESSION_HANDLE session; andre@0: andre@0: /* session should be Readonly, serial */ andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, andre@0: (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, andre@0: slot,pk11_notify,&session); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: slot->session = session; andre@0: } else { andre@0: /* The session we have may be defunct (the token associated with it) andre@0: * has been removed */ andre@0: CK_SESSION_INFO sessionInfo; andre@0: andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); andre@0: if (crv == CKR_DEVICE_ERROR) { andre@0: PK11_GETTAB(slot)->C_CloseSession(slot->session); andre@0: crv = CKR_SESSION_CLOSED; andre@0: } andre@0: if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) { andre@0: crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, andre@0: (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, andre@0: slot,pk11_notify,&slot->session); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: slot->session = CK_INVALID_SESSION; andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: return SECFailure; andre@0: } andre@0: } andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: } andre@0: andre@0: status = nssToken_Refresh(slot->nssToken); andre@0: if (status != PR_SUCCESS) andre@0: return SECFailure; andre@0: andre@0: if (!(slot->isInternal) && (slot->hasRandom)) { andre@0: /* if this slot has a random number generater, use it to add entropy andre@0: * to the internal slot. */ andre@0: PK11SlotInfo *int_slot = PK11_GetInternalSlot(); andre@0: andre@0: if (int_slot) { andre@0: unsigned char random_bytes[32]; andre@0: andre@0: /* if this slot can issue random numbers, get some entropy from andre@0: * that random number generater and give it to our internal token. andre@0: */ andre@0: PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GenerateRandom andre@0: (slot->session,random_bytes, sizeof(random_bytes)); andre@0: PK11_ExitSlotMonitor(slot); andre@0: if (crv == CKR_OK) { andre@0: PK11_EnterSlotMonitor(int_slot); andre@0: PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session, andre@0: random_bytes, sizeof(random_bytes)); andre@0: PK11_ExitSlotMonitor(int_slot); andre@0: } andre@0: andre@0: /* Now return the favor and send entropy to the token's random andre@0: * number generater */ andre@0: PK11_EnterSlotMonitor(int_slot); andre@0: crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, andre@0: random_bytes, sizeof(random_bytes)); andre@0: PK11_ExitSlotMonitor(int_slot); andre@0: if (crv == CKR_OK) { andre@0: PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, andre@0: random_bytes, sizeof(random_bytes)); andre@0: PK11_ExitSlotMonitor(slot); andre@0: } andre@0: PK11_FreeSlot(int_slot); andre@0: } andre@0: } andre@0: /* work around a problem in softoken where it incorrectly andre@0: * reports databases opened read only as read/write. */ andre@0: if (slot->isInternal && !slot->readOnly) { andre@0: CK_SESSION_HANDLE session = CK_INVALID_SESSION; andre@0: andre@0: /* try to open a R/W session */ andre@0: crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, andre@0: CKF_RW_SESSION|CKF_SERIAL_SESSION, slot, pk11_notify ,&session); andre@0: /* what a well behaved token should return if you open andre@0: * a RW session on a read only token */ andre@0: if (crv == CKR_TOKEN_WRITE_PROTECTED) { andre@0: slot->readOnly = PR_TRUE; andre@0: } else if (crv == CKR_OK) { andre@0: CK_SESSION_INFO sessionInfo; andre@0: andre@0: /* Because of a second bug in softoken, which silently returns andre@0: * a RO session, we need to check what type of session we got. */ andre@0: crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo); andre@0: if (crv == CKR_OK) { andre@0: if ((sessionInfo.flags & CKF_RW_SESSION) == 0) { andre@0: /* session was readonly, so this softoken slot must be * readonly */ andre@0: slot->readOnly = PR_TRUE; andre@0: } andre@0: } andre@0: PK11_GETTAB(slot)->C_CloseSession(session); andre@0: } andre@0: } andre@0: andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * initialize a new token andre@0: * unlike initialize slot, this can be called multiple times in the lifetime andre@0: * of NSS. It reads the information associated with a card or token, andre@0: * that is not going to change unless the card or token changes. andre@0: */ andre@0: SECStatus andre@0: PK11_TokenRefresh(PK11SlotInfo *slot) andre@0: { andre@0: CK_TOKEN_INFO tokenInfo; andre@0: CK_RV crv; andre@0: andre@0: /* set the slot flags to the current token values */ andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: andre@0: slot->flags = tokenInfo.flags; andre@0: slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? andre@0: PR_TRUE : PR_FALSE); andre@0: slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? andre@0: PR_TRUE : PR_FALSE); andre@0: slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); andre@0: slot->protectedAuthPath = andre@0: ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) andre@0: ? PR_TRUE : PR_FALSE); andre@0: /* on some platforms Active Card incorrectly sets the andre@0: * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ andre@0: if (slot->isActiveCard) { andre@0: slot->protectedAuthPath = PR_FALSE; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: static PRBool andre@0: pk11_isRootSlot(PK11SlotInfo *slot) andre@0: { andre@0: CK_ATTRIBUTE findTemp[1]; andre@0: CK_ATTRIBUTE *attrs; andre@0: CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST; andre@0: int tsize; andre@0: CK_OBJECT_HANDLE handle; andre@0: andre@0: attrs = findTemp; andre@0: PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++; andre@0: tsize = attrs - findTemp; andre@0: PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); andre@0: andre@0: handle = pk11_FindObjectByTemplate(slot,findTemp,tsize); andre@0: if (handle == CK_INVALID_HANDLE) { andre@0: return PR_FALSE; andre@0: } andre@0: return PR_TRUE; andre@0: } andre@0: andre@0: /* andre@0: * Initialize the slot : andre@0: * This initialization code is called on each slot a module supports when andre@0: * it is loaded. It does the bringup initialization. The difference between andre@0: * this and InitToken is Init slot does those one time initialization stuff, andre@0: * usually associated with the reader, while InitToken may get called multiple andre@0: * times as tokens are removed and re-inserted. andre@0: */ andre@0: void andre@0: PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) andre@0: { andre@0: SECStatus rv; andre@0: char *tmp; andre@0: CK_SLOT_INFO slotInfo; andre@0: andre@0: slot->functionList = mod->functionList; andre@0: slot->isInternal = mod->internal; andre@0: slot->slotID = slotID; andre@0: slot->isThreadSafe = mod->isThreadSafe; andre@0: slot->hasRSAInfo = PR_FALSE; andre@0: andre@0: if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) { andre@0: slot->disabled = PR_TRUE; andre@0: slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; andre@0: return; andre@0: } andre@0: andre@0: /* test to make sure claimed mechanism work */ andre@0: slot->needTest = mod->internal ? PR_FALSE : PR_TRUE; andre@0: slot->module = mod; /* NOTE: we don't make a reference here because andre@0: * modules have references to their slots. This andre@0: * works because modules keep implicit references andre@0: * from their slots, and won't unload and disappear andre@0: * until all their slots have been freed */ andre@0: tmp = PK11_MakeString(NULL,slot->slot_name, andre@0: (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); andre@0: slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT); andre@0: #define ACTIVE_CARD "ActivCard SA" andre@0: slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID, andre@0: ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0); andre@0: if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) { andre@0: slot->isPerm = PR_TRUE; andre@0: /* permanment slots must have the token present always */ andre@0: if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { andre@0: slot->disabled = PR_TRUE; andre@0: slot->reason = PK11_DIS_TOKEN_NOT_PRESENT; andre@0: return; /* nothing else to do */ andre@0: } andre@0: } andre@0: /* if the token is present, initialize it */ andre@0: if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { andre@0: rv = PK11_InitToken(slot,PR_TRUE); andre@0: /* the only hard failures are on permanent devices, or function andre@0: * verify failures... function verify failures are already handled andre@0: * by tokenInit */ andre@0: if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) { andre@0: slot->disabled = PR_TRUE; andre@0: slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; andre@0: } andre@0: if (rv == SECSuccess && pk11_isRootSlot(slot)) { andre@0: if (!slot->hasRootCerts) { andre@0: slot->module->trustOrder = 100; andre@0: } andre@0: slot->hasRootCerts= PR_TRUE; andre@0: } andre@0: } andre@0: } andre@0: andre@0: andre@0: andre@0: /********************************************************************* andre@0: * Slot mapping utility functions. andre@0: *********************************************************************/ andre@0: andre@0: /* andre@0: * determine if the token is present. If the token is present, make sure andre@0: * we have a valid session handle. Also set the value of needLogin andre@0: * appropriately. andre@0: */ andre@0: static PRBool andre@0: pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) andre@0: { andre@0: CK_SLOT_INFO slotInfo; andre@0: CK_SESSION_INFO sessionInfo; andre@0: CK_RV crv; andre@0: andre@0: /* disabled slots are never present */ andre@0: if (slot->disabled) { andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: /* permanent slots are always present */ andre@0: if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) { andre@0: return PR_TRUE; andre@0: } andre@0: andre@0: if (slot->nssToken) { andre@0: return nssToken_IsPresent(slot->nssToken); andre@0: } andre@0: andre@0: /* removable slots have a flag that says they are present */ andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) { andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: return PR_FALSE; andre@0: } andre@0: if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { andre@0: /* if the slot is no longer present, close the session */ andre@0: if (slot->session != CK_INVALID_SESSION) { andre@0: PK11_GETTAB(slot)->C_CloseSession(slot->session); andre@0: slot->session = CK_INVALID_SESSION; andre@0: } andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: /* use the session Info to determine if the card has been removed and then andre@0: * re-inserted */ andre@0: if (slot->session != CK_INVALID_SESSION) { andre@0: if (slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); andre@0: if (crv != CKR_OK) { andre@0: PK11_GETTAB(slot)->C_CloseSession(slot->session); andre@0: slot->session = CK_INVALID_SESSION; andre@0: } andre@0: if (slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: } andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: andre@0: /* card has not been removed, current token info is correct */ andre@0: if (slot->session != CK_INVALID_SESSION) return PR_TRUE; andre@0: andre@0: /* initialize the token info state */ andre@0: if (PK11_InitToken(slot,loadCerts) != SECSuccess) { andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: return PR_TRUE; andre@0: } andre@0: andre@0: /* andre@0: * old version of the routine andre@0: */ andre@0: PRBool andre@0: PK11_IsPresent(PK11SlotInfo *slot) { andre@0: return pk11_IsPresentCertLoad(slot,PR_TRUE); andre@0: } andre@0: andre@0: /* is the slot disabled? */ andre@0: PRBool andre@0: PK11_IsDisabled(PK11SlotInfo *slot) andre@0: { andre@0: return slot->disabled; andre@0: } andre@0: andre@0: /* and why? */ andre@0: PK11DisableReasons andre@0: PK11_GetDisabledReason(PK11SlotInfo *slot) andre@0: { andre@0: return slot->reason; andre@0: } andre@0: andre@0: /* returns PR_TRUE if successfully disable the slot */ andre@0: /* returns PR_FALSE otherwise */ andre@0: PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) { andre@0: andre@0: /* Prevent users from disabling the internal module. */ andre@0: if (slot->isInternal) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: slot->defaultFlags |= PK11_DISABLE_FLAG; andre@0: slot->disabled = PR_TRUE; andre@0: slot->reason = PK11_DIS_USER_SELECTED; andre@0: andre@0: return PR_TRUE; andre@0: } andre@0: andre@0: PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) { andre@0: andre@0: slot->defaultFlags &= ~PK11_DISABLE_FLAG; andre@0: slot->disabled = PR_FALSE; andre@0: slot->reason = PK11_DIS_NONE; andre@0: return PR_TRUE; andre@0: } andre@0: andre@0: PRBool PK11_HasRootCerts(PK11SlotInfo *slot) { andre@0: return slot->hasRootCerts; andre@0: } andre@0: andre@0: /* Get the module this slot is attached to */ andre@0: SECMODModule * andre@0: PK11_GetModule(PK11SlotInfo *slot) andre@0: { andre@0: return slot->module; andre@0: } andre@0: andre@0: /* return the default flags of a slot */ andre@0: unsigned long andre@0: PK11_GetDefaultFlags(PK11SlotInfo *slot) andre@0: { andre@0: return slot->defaultFlags; andre@0: } andre@0: andre@0: /* andre@0: * The following wrapper functions allow us to export an opaque slot andre@0: * function to the rest of libsec and the world... */ andre@0: PRBool andre@0: PK11_IsReadOnly(PK11SlotInfo *slot) andre@0: { andre@0: return slot->readOnly; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_IsHW(PK11SlotInfo *slot) andre@0: { andre@0: return slot->isHW; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_IsRemovable(PK11SlotInfo *slot) andre@0: { andre@0: return !slot->isPerm; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_IsInternal(PK11SlotInfo *slot) andre@0: { andre@0: return slot->isInternal; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_IsInternalKeySlot(PK11SlotInfo *slot) andre@0: { andre@0: PK11SlotInfo *int_slot; andre@0: PRBool result; andre@0: andre@0: if (!slot->isInternal) { andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: int_slot = PK11_GetInternalKeySlot(); andre@0: result = (int_slot == slot) ? PR_TRUE : PR_FALSE; andre@0: PK11_FreeSlot(int_slot); andre@0: return result; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_NeedLogin(PK11SlotInfo *slot) andre@0: { andre@0: return slot->needLogin; andre@0: } andre@0: andre@0: PRBool andre@0: PK11_IsFriendly(PK11SlotInfo *slot) andre@0: { andre@0: /* internal slot always has public readable certs */ andre@0: return (PRBool)(slot->isInternal || andre@0: ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == andre@0: SECMOD_FRIENDLY_FLAG)); andre@0: } andre@0: andre@0: char * andre@0: PK11_GetTokenName(PK11SlotInfo *slot) andre@0: { andre@0: return slot->token_name; andre@0: } andre@0: andre@0: char * andre@0: PK11_GetSlotName(PK11SlotInfo *slot) andre@0: { andre@0: return slot->slot_name; andre@0: } andre@0: andre@0: int andre@0: PK11_GetSlotSeries(PK11SlotInfo *slot) andre@0: { andre@0: return slot->series; andre@0: } andre@0: andre@0: int andre@0: PK11_GetCurrentWrapIndex(PK11SlotInfo *slot) andre@0: { andre@0: return slot->wrapKey; andre@0: } andre@0: andre@0: CK_SLOT_ID andre@0: PK11_GetSlotID(PK11SlotInfo *slot) andre@0: { andre@0: return slot->slotID; andre@0: } andre@0: andre@0: SECMODModuleID andre@0: PK11_GetModuleID(PK11SlotInfo *slot) andre@0: { andre@0: return slot->module->moduleID; andre@0: } andre@0: andre@0: static void andre@0: pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size) andre@0: { andre@0: CK_CHAR *walk = buffer; andre@0: CK_CHAR *end = buffer + buffer_size; andre@0: andre@0: /* find the NULL */ andre@0: while (walk < end && *walk != '\0') { andre@0: walk++; andre@0: } andre@0: andre@0: /* clear out the buffer */ andre@0: while (walk < end) { andre@0: *walk++ = ' '; andre@0: } andre@0: } andre@0: andre@0: /* return the slot info structure */ andre@0: SECStatus andre@0: PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info) andre@0: { andre@0: CK_RV crv; andre@0: andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: /* andre@0: * some buggy drivers do not fill the buffer completely, andre@0: * erase the buffer first andre@0: */ andre@0: PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription)); andre@0: PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); andre@0: crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info); andre@0: pk11_zeroTerminatedToBlankPadded(info->slotDescription, andre@0: sizeof(info->slotDescription)); andre@0: pk11_zeroTerminatedToBlankPadded(info->manufacturerID, andre@0: sizeof(info->manufacturerID)); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* return the token info structure */ andre@0: SECStatus andre@0: PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) andre@0: { andre@0: CK_RV crv; andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: /* andre@0: * some buggy drivers do not fill the buffer completely, andre@0: * erase the buffer first andre@0: */ andre@0: PORT_Memset(info->label,' ',sizeof(info->label)); andre@0: PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); andre@0: PORT_Memset(info->model,' ',sizeof(info->model)); andre@0: PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber)); andre@0: crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info); andre@0: pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label)); andre@0: pk11_zeroTerminatedToBlankPadded(info->manufacturerID, andre@0: sizeof(info->manufacturerID)); andre@0: pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model)); andre@0: pk11_zeroTerminatedToBlankPadded(info->serialNumber, andre@0: sizeof(info->serialNumber)); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* Find out if we need to initialize the user's pin */ andre@0: PRBool andre@0: PK11_NeedUserInit(PK11SlotInfo *slot) andre@0: { andre@0: PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED) andre@0: == 0); andre@0: andre@0: if (needUserInit) { andre@0: CK_TOKEN_INFO info; andre@0: SECStatus rv; andre@0: andre@0: /* see if token has been initialized off line */ andre@0: rv = PK11_GetTokenInfo(slot, &info); andre@0: if (rv == SECSuccess) { andre@0: slot->flags = info.flags; andre@0: } andre@0: } andre@0: return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); andre@0: } andre@0: andre@0: static PK11SlotInfo *pk11InternalKeySlot = NULL; andre@0: andre@0: /* andre@0: * Set a new default internal keyslot. If one has already been set, clear it. andre@0: * Passing NULL falls back to the NSS normally selected default internal key andre@0: * slot. andre@0: */ andre@0: void andre@0: pk11_SetInternalKeySlot(PK11SlotInfo *slot) andre@0: { andre@0: if (pk11InternalKeySlot) { andre@0: PK11_FreeSlot(pk11InternalKeySlot); andre@0: } andre@0: pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; andre@0: } andre@0: andre@0: /* andre@0: * Set a new default internal keyslot if the normal key slot has not already andre@0: * been overridden. Subsequent calls to this function will be ignored unless andre@0: * pk11_SetInternalKeySlot is used to clear the current default. andre@0: */ andre@0: void andre@0: pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) andre@0: { andre@0: if (pk11InternalKeySlot) { andre@0: return; andre@0: } andre@0: pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; andre@0: } andre@0: andre@0: /* andre@0: * Swap out a default internal keyslot. Caller owns the Slot Reference andre@0: */ andre@0: PK11SlotInfo * andre@0: pk11_SwapInternalKeySlot(PK11SlotInfo *slot) andre@0: { andre@0: PK11SlotInfo *swap = pk11InternalKeySlot; andre@0: andre@0: pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; andre@0: return swap; andre@0: } andre@0: andre@0: andre@0: /* get the internal key slot. FIPS has only one slot for both key slots and andre@0: * default slots */ andre@0: PK11SlotInfo * andre@0: PK11_GetInternalKeySlot(void) andre@0: { andre@0: SECMODModule *mod; andre@0: andre@0: if (pk11InternalKeySlot) { andre@0: return PK11_ReferenceSlot(pk11InternalKeySlot); andre@0: } andre@0: andre@0: mod = SECMOD_GetInternalModule(); andre@0: PORT_Assert(mod != NULL); andre@0: if (!mod) { andre@0: PORT_SetError( SEC_ERROR_NO_MODULE ); andre@0: return NULL; andre@0: } andre@0: return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]); andre@0: } andre@0: andre@0: /* get the internal default slot */ andre@0: PK11SlotInfo * andre@0: PK11_GetInternalSlot(void) andre@0: { andre@0: SECMODModule * mod = SECMOD_GetInternalModule(); andre@0: PORT_Assert(mod != NULL); andre@0: if (!mod) { andre@0: PORT_SetError( SEC_ERROR_NO_MODULE ); andre@0: return NULL; andre@0: } andre@0: if (mod->isFIPS) { andre@0: return PK11_GetInternalKeySlot(); andre@0: } andre@0: return PK11_ReferenceSlot(mod->slots[0]); andre@0: } andre@0: andre@0: /* andre@0: * check if a given slot supports the requested mechanism andre@0: */ andre@0: PRBool andre@0: PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type) andre@0: { andre@0: int i; andre@0: andre@0: /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to andre@0: * tell us we're looking form someone that has implemented get andre@0: * random bits */ andre@0: if (type == CKM_FAKE_RANDOM) { andre@0: return slot->hasRandom; andre@0: } andre@0: andre@0: /* for most mechanism, bypass the linear lookup */ andre@0: if (type < 0x7ff) { andre@0: return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? andre@0: PR_TRUE : PR_FALSE; andre@0: } andre@0: andre@0: for (i=0; i < (int) slot->mechanismCount; i++) { andre@0: if (slot->mechanismList[i] == type) return PR_TRUE; andre@0: } andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: /* andre@0: * Return true if a token that can do the desired mechanism exists. andre@0: * This allows us to have hardware tokens that can do function XYZ magically andre@0: * allow SSL Ciphers to appear if they are plugged in. andre@0: */ andre@0: PRBool andre@0: PK11_TokenExists(CK_MECHANISM_TYPE type) andre@0: { andre@0: SECMODModuleList *mlp; andre@0: SECMODModuleList *modules; andre@0: SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: PK11SlotInfo *slot; andre@0: PRBool found = PR_FALSE; andre@0: int i; andre@0: andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return found; andre@0: } andre@0: /* we only need to know if there is a token that does this mechanism. andre@0: * check the internal module first because it's fast, and supports andre@0: * almost everything. */ andre@0: slot = PK11_GetInternalSlot(); andre@0: if (slot) { andre@0: found = PK11_DoesMechanism(slot,type); andre@0: PK11_FreeSlot(slot); andre@0: } andre@0: if (found) return PR_TRUE; /* bypass getting module locks */ andre@0: andre@0: SECMOD_GetReadLock(moduleLock); andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { andre@0: for (i=0; i < mlp->module->slotCount; i++) { andre@0: slot = mlp->module->slots[i]; andre@0: if (PK11_IsPresent(slot)) { andre@0: if (PK11_DoesMechanism(slot,type)) { andre@0: found = PR_TRUE; andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: return found; andre@0: } andre@0: andre@0: /* andre@0: * get all the currently available tokens in a list. andre@0: * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM, andre@0: * get all the tokens. Make sure tokens that need authentication are put at andre@0: * the end of this list. andre@0: */ andre@0: PK11SlotList * andre@0: PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, andre@0: void *wincx) andre@0: { andre@0: PK11SlotList * list; andre@0: PK11SlotList * loginList; andre@0: PK11SlotList * friendlyList; andre@0: SECMODModuleList * mlp; andre@0: SECMODModuleList * modules; andre@0: SECMODListLock * moduleLock; andre@0: int i; andre@0: #if defined( XP_WIN32 ) andre@0: int j = 0; andre@0: PRInt32 waste[16]; andre@0: #endif andre@0: andre@0: moduleLock = SECMOD_GetDefaultModuleListLock(); andre@0: if (!moduleLock) { andre@0: PORT_SetError(SEC_ERROR_NOT_INITIALIZED); andre@0: return NULL; andre@0: } andre@0: andre@0: list = PK11_NewSlotList(); andre@0: loginList = PK11_NewSlotList(); andre@0: friendlyList = PK11_NewSlotList(); andre@0: if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { andre@0: if (list) PK11_FreeSlotList(list); andre@0: if (loginList) PK11_FreeSlotList(loginList); andre@0: if (friendlyList) PK11_FreeSlotList(friendlyList); andre@0: return NULL; andre@0: } andre@0: andre@0: SECMOD_GetReadLock(moduleLock); andre@0: andre@0: modules = SECMOD_GetDefaultModuleList(); andre@0: for(mlp = modules; mlp != NULL; mlp = mlp->next) { andre@0: andre@0: #if defined( XP_WIN32 ) andre@0: /* This is works around some horrible cache/page thrashing problems andre@0: ** on Win32. Without this, this loop can take up to 6 seconds at andre@0: ** 100% CPU on a Pentium-Pro 200. The thing this changes is to andre@0: ** increase the size of the stack frame and modify it. andre@0: ** Moving the loop code itself seems to have no effect. andre@0: ** Dunno why this combination makes a difference, but it does. andre@0: */ andre@0: waste[ j & 0xf] = j++; andre@0: #endif andre@0: andre@0: for (i = 0; i < mlp->module->slotCount; i++) { andre@0: PK11SlotInfo *slot = mlp->module->slots[i]; andre@0: andre@0: if (pk11_IsPresentCertLoad(slot, loadCerts)) { andre@0: if (needRW && slot->readOnly) continue; andre@0: if ((type == CKM_INVALID_MECHANISM) andre@0: || PK11_DoesMechanism(slot, type)) { andre@0: if (pk11_LoginStillRequired(slot,wincx)) { andre@0: if (PK11_IsFriendly(slot)) { andre@0: PK11_AddSlotToList(friendlyList, slot, PR_TRUE); andre@0: } else { andre@0: PK11_AddSlotToList(loginList, slot, PR_TRUE); andre@0: } andre@0: } else { andre@0: PK11_AddSlotToList(list, slot, PR_TRUE); andre@0: } andre@0: } andre@0: } andre@0: } andre@0: } andre@0: SECMOD_ReleaseReadLock(moduleLock); andre@0: andre@0: pk11_MoveListToList(list,friendlyList); andre@0: PK11_FreeSlotList(friendlyList); andre@0: pk11_MoveListToList(list,loginList); andre@0: PK11_FreeSlotList(loginList); andre@0: andre@0: return list; andre@0: } andre@0: andre@0: /* andre@0: * NOTE: This routine is working from a private List generated by andre@0: * PK11_GetAllTokens. That is why it does not need to lock. andre@0: */ andre@0: PK11SlotList * andre@0: PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx) andre@0: { andre@0: PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx); andre@0: PK11SlotListElement *le, *next ; andre@0: SECStatus rv; andre@0: andre@0: if (list == NULL) return list; andre@0: andre@0: for (le = list->head ; le; le = next) { andre@0: next = le->next; /* save the pointer here in case we have to andre@0: * free the element later */ andre@0: rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); andre@0: if (rv != SECSuccess) { andre@0: PK11_DeleteSlotFromList(list,le); andre@0: continue; andre@0: } andre@0: } andre@0: return list; andre@0: } andre@0: andre@0: /* andre@0: * returns true if the slot doesn't conform to the requested attributes andre@0: */ andre@0: PRBool andre@0: pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, andre@0: CK_FLAGS mechanismInfoFlags, unsigned int keySize) andre@0: { andre@0: CK_MECHANISM_INFO mechanism_info; andre@0: CK_RV crv = CKR_OK; andre@0: andre@0: /* handle the only case where we don't actually fetch the mechanisms andre@0: * on the fly */ andre@0: if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) { andre@0: mechanism_info.flags = slot->RSAInfoFlags; andre@0: } else { andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, andre@0: &mechanism_info); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: /* if we were getting the RSA flags, save them */ andre@0: if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS) andre@0: && (!slot->hasRSAInfo)) { andre@0: slot->RSAInfoFlags = mechanism_info.flags; andre@0: slot->hasRSAInfo = PR_TRUE; andre@0: } andre@0: } andre@0: /* couldn't get the mechanism info */ andre@0: if (crv != CKR_OK ) { andre@0: return PR_TRUE; andre@0: } andre@0: if (keySize && ((mechanism_info.ulMinKeySize > keySize) andre@0: || (mechanism_info.ulMaxKeySize < keySize)) ) { andre@0: /* Token can do mechanism, but not at the key size we andre@0: * want */ andre@0: return PR_TRUE; andre@0: } andre@0: if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) != andre@0: mechanismInfoFlags) ) { andre@0: return PR_TRUE; andre@0: } andre@0: return PR_FALSE; andre@0: } andre@0: andre@0: andre@0: /* andre@0: * Find the best slot which supports the given set of mechanisms and key sizes. andre@0: * In normal cases this should grab the first slot on the list with no fuss. andre@0: * The size array is presumed to match one for one with the mechanism type andre@0: * array, which allows you to specify the required key size for each andre@0: * mechanism in the list. Whether key size is in bits or bytes is mechanism andre@0: * dependent. Typically asymetric keys are in bits and symetric keys are in andre@0: * bytes. andre@0: */ andre@0: PK11SlotInfo * andre@0: PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, andre@0: CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, andre@0: unsigned int mech_count, void *wincx) andre@0: { andre@0: PK11SlotList *list = NULL; andre@0: PK11SlotListElement *le ; andre@0: PK11SlotInfo *slot = NULL; andre@0: PRBool freeit = PR_FALSE; andre@0: PRBool listNeedLogin = PR_FALSE; andre@0: int i; andre@0: SECStatus rv; andre@0: andre@0: list = PK11_GetSlotList(type[0]); andre@0: andre@0: if ((list == NULL) || (list->head == NULL)) { andre@0: /* We need to look up all the tokens for the mechanism */ andre@0: list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx); andre@0: freeit = PR_TRUE; andre@0: } andre@0: andre@0: /* no one can do it! */ andre@0: if (list == NULL) { andre@0: PORT_SetError(SEC_ERROR_NO_TOKEN); andre@0: return NULL; andre@0: } andre@0: andre@0: PORT_SetError(0); andre@0: andre@0: andre@0: listNeedLogin = PR_FALSE; andre@0: for (i=0; i < mech_count; i++) { andre@0: if ((type[i] != CKM_FAKE_RANDOM) && andre@0: (type[i] != CKM_SHA_1) && andre@0: (type[i] != CKM_SHA224) && andre@0: (type[i] != CKM_SHA256) && andre@0: (type[i] != CKM_SHA384) && andre@0: (type[i] != CKM_SHA512) && andre@0: (type[i] != CKM_MD5) && andre@0: (type[i] != CKM_MD2)) { andre@0: listNeedLogin = PR_TRUE; andre@0: break; andre@0: } andre@0: } andre@0: andre@0: for (le = PK11_GetFirstSafe(list); le; andre@0: le = PK11_GetNextSafe(list,le,PR_TRUE)) { andre@0: if (PK11_IsPresent(le->slot)) { andre@0: PRBool doExit = PR_FALSE; andre@0: for (i=0; i < mech_count; i++) { andre@0: if (!PK11_DoesMechanism(le->slot,type[i])) { andre@0: doExit = PR_TRUE; andre@0: break; andre@0: } andre@0: if ((mechanismInfoFlags && mechanismInfoFlags[i]) || andre@0: (keySize && keySize[i])) { andre@0: if (pk11_filterSlot(le->slot, type[i], andre@0: mechanismInfoFlags ? mechanismInfoFlags[i] : 0, andre@0: keySize ? keySize[i] : 0)) { andre@0: doExit = PR_TRUE; andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: andre@0: if (doExit) continue; andre@0: andre@0: if (listNeedLogin && le->slot->needLogin) { andre@0: rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); andre@0: if (rv != SECSuccess) continue; andre@0: } andre@0: slot = le->slot; andre@0: PK11_ReferenceSlot(slot); andre@0: PK11_FreeSlotListElement(list,le); andre@0: if (freeit) { PK11_FreeSlotList(list); } andre@0: return slot; andre@0: } andre@0: } andre@0: if (freeit) { PK11_FreeSlotList(list); } andre@0: if (PORT_GetError() == 0) { andre@0: PORT_SetError(SEC_ERROR_NO_TOKEN); andre@0: } andre@0: return NULL; andre@0: } andre@0: andre@0: PK11SlotInfo * andre@0: PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, andre@0: unsigned int mech_count, void *wincx) andre@0: { andre@0: return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL, andre@0: mech_count, wincx); andre@0: } andre@0: andre@0: /* original get best slot now calls the multiple version with only one type */ andre@0: PK11SlotInfo * andre@0: PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx) andre@0: { andre@0: return PK11_GetBestSlotMultipleWithAttributes(&type, NULL, NULL, 1, wincx); andre@0: } andre@0: andre@0: PK11SlotInfo * andre@0: PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags, andre@0: unsigned int keySize, void *wincx) andre@0: { andre@0: return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags, andre@0: &keySize, 1, wincx); andre@0: } andre@0: andre@0: int andre@0: PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism) andre@0: { andre@0: CK_MECHANISM_INFO mechanism_info; andre@0: CK_RV crv; andre@0: andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, andre@0: mechanism,&mechanism_info); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) return 0; andre@0: andre@0: if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) andre@0: return 0; andre@0: return mechanism_info.ulMaxKeySize; andre@0: } andre@0: andre@0: andre@0: /* andre@0: * This function uses the existing PKCS #11 module to find the andre@0: * longest supported key length in the preferred token for a mechanism. andre@0: * This varies from the above function in that 1) it returns the key length andre@0: * even for fixed key algorithms, and 2) it looks through the tokens andre@0: * generally rather than for a specific token. This is used in liu of andre@0: * a PK11_GetKeyLength function in pk11mech.c since we can actually read andre@0: * supported key lengths from PKCS #11. andre@0: * andre@0: * For symmetric key operations the length is returned in bytes. andre@0: */ andre@0: int andre@0: PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism) andre@0: { andre@0: CK_MECHANISM_INFO mechanism_info; andre@0: PK11SlotList *list = NULL; andre@0: PK11SlotListElement *le ; andre@0: PRBool freeit = PR_FALSE; andre@0: int keyLength = 0; andre@0: andre@0: list = PK11_GetSlotList(mechanism); andre@0: andre@0: if ((list == NULL) || (list->head == NULL)) { andre@0: /* We need to look up all the tokens for the mechanism */ andre@0: list = PK11_GetAllTokens(mechanism,PR_FALSE,PR_FALSE,NULL); andre@0: freeit = PR_TRUE; andre@0: } andre@0: andre@0: /* no tokens recognize this mechanism */ andre@0: if (list == NULL) { andre@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); andre@0: return 0; andre@0: } andre@0: andre@0: for (le = PK11_GetFirstSafe(list); le; andre@0: le = PK11_GetNextSafe(list,le,PR_TRUE)) { andre@0: PK11SlotInfo *slot = le->slot; andre@0: CK_RV crv; andre@0: if (PK11_IsPresent(slot)) { andre@0: if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, andre@0: mechanism,&mechanism_info); andre@0: if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); andre@0: if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0) andre@0: && (mechanism_info.ulMaxKeySize != 0xffffffff)) { andre@0: keyLength = mechanism_info.ulMaxKeySize; andre@0: break; andre@0: } andre@0: } andre@0: } andre@0: if (le) andre@0: PK11_FreeSlotListElement(list, le); andre@0: if (freeit) andre@0: PK11_FreeSlotList(list); andre@0: return keyLength; andre@0: } andre@0: andre@0: SECStatus andre@0: PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) { andre@0: CK_RV crv; andre@0: andre@0: PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len); andre@0: PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: andre@0: SECStatus andre@0: PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) { andre@0: CK_RV crv; andre@0: andre@0: if (!slot->isInternal) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, andre@0: (CK_ULONG)len); andre@0: if (!slot->isInternal) PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* Attempts to update the Best Slot for "FAKE RANDOM" generation. andre@0: ** If that's not the internal slot, then it also attempts to update the andre@0: ** internal slot. andre@0: ** The return value indicates if the INTERNAL slot was updated OK. andre@0: */ andre@0: SECStatus andre@0: PK11_RandomUpdate(void *data, size_t bytes) andre@0: { andre@0: PK11SlotInfo *slot; andre@0: PRBool bestIsInternal; andre@0: SECStatus status; andre@0: andre@0: slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); andre@0: if (slot == NULL) { andre@0: slot = PK11_GetInternalSlot(); andre@0: if (!slot) andre@0: return SECFailure; andre@0: } andre@0: andre@0: bestIsInternal = PK11_IsInternal(slot); andre@0: status = PK11_SeedRandom(slot, data, bytes); andre@0: PK11_FreeSlot(slot); andre@0: andre@0: if (!bestIsInternal) { andre@0: /* do internal slot, too. */ andre@0: slot = PK11_GetInternalSlot(); /* can't fail */ andre@0: status = PK11_SeedRandom(slot, data, bytes); andre@0: PK11_FreeSlot(slot); andre@0: } andre@0: return status; andre@0: } andre@0: andre@0: andre@0: SECStatus andre@0: PK11_GenerateRandom(unsigned char *data,int len) { andre@0: PK11SlotInfo *slot; andre@0: SECStatus rv; andre@0: andre@0: slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL); andre@0: if (slot == NULL) return SECFailure; andre@0: andre@0: rv = PK11_GenerateRandomOnSlot(slot, data, len); andre@0: PK11_FreeSlot(slot); andre@0: return rv; andre@0: } andre@0: andre@0: /* andre@0: * Reset the token to it's initial state. For the internal module, this will andre@0: * Purge your keydb, and reset your cert db certs to USER_INIT. andre@0: */ andre@0: SECStatus andre@0: PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) andre@0: { andre@0: unsigned char tokenName[32]; andre@0: int tokenNameLen; andre@0: CK_RV crv; andre@0: andre@0: /* reconstruct the token name */ andre@0: tokenNameLen = PORT_Strlen(slot->token_name); andre@0: if (tokenNameLen > sizeof(tokenName)) { andre@0: tokenNameLen = sizeof(tokenName); andre@0: } andre@0: andre@0: PORT_Memcpy(tokenName,slot->token_name,tokenNameLen); andre@0: if (tokenNameLen < sizeof(tokenName)) { andre@0: PORT_Memset(&tokenName[tokenNameLen],' ', andre@0: sizeof(tokenName)-tokenNameLen); andre@0: } andre@0: andre@0: /* initialize the token */ andre@0: PK11_EnterSlotMonitor(slot); andre@0: andre@0: /* first shutdown the token. Existing sessions will get closed here */ andre@0: PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); andre@0: slot->session = CK_INVALID_SESSION; andre@0: andre@0: /* now re-init the token */ andre@0: crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID, andre@0: (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName); andre@0: andre@0: /* finally bring the token back up */ andre@0: PK11_InitToken(slot,PR_TRUE); andre@0: PK11_ExitSlotMonitor(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError(PK11_MapError(crv)); andre@0: return SECFailure; andre@0: } andre@0: nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, andre@0: slot->nssToken); andre@0: return SECSuccess; andre@0: } andre@0: void andre@0: PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) andre@0: { andre@0: sl->nssToken = nsst; andre@0: } andre@0: andre@0: NSSToken * andre@0: PK11Slot_GetNSSToken(PK11SlotInfo *sl) andre@0: { andre@0: return sl->nssToken; andre@0: } andre@0: andre@0: /* andre@0: * wait for a token to change it's state. The application passes in the expected andre@0: * new state in event. andre@0: */ andre@0: PK11TokenStatus andre@0: PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, andre@0: PRIntervalTime timeout, PRIntervalTime latency, int series) andre@0: { andre@0: PRIntervalTime first_time = 0; andre@0: PRBool first_time_set = PR_FALSE; andre@0: PRBool waitForRemoval; andre@0: andre@0: if (slot->isPerm) { andre@0: return PK11TokenNotRemovable; andre@0: } andre@0: if (latency == 0) { andre@0: latency = PR_SecondsToInterval(5); andre@0: } andre@0: waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent); andre@0: andre@0: if (series == 0) { andre@0: series = PK11_GetSlotSeries(slot); andre@0: } andre@0: while (PK11_IsPresent(slot) == waitForRemoval ) { andre@0: PRIntervalTime interval; andre@0: andre@0: if (waitForRemoval && series != PK11_GetSlotSeries(slot)) { andre@0: return PK11TokenChanged; andre@0: } andre@0: if (timeout == PR_INTERVAL_NO_WAIT) { andre@0: return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; andre@0: } andre@0: if (timeout != PR_INTERVAL_NO_TIMEOUT ) { andre@0: interval = PR_IntervalNow(); andre@0: if (!first_time_set) { andre@0: first_time = interval; andre@0: first_time_set = PR_TRUE; andre@0: } andre@0: if ((interval-first_time) > timeout) { andre@0: return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; andre@0: } andre@0: } andre@0: PR_Sleep(latency); andre@0: } andre@0: return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent; andre@0: }