Source code

Revision control

Copy as Markdown

Other Tools

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* session.c
*
* This file implements the NSSCKFWSession type and methods.
*/
#ifndef CK_T
#include "ck.h"
#endif /* CK_T */
/*
* NSSCKFWSession
*
* -- create/destroy --
* nssCKFWSession_Create
* nssCKFWSession_Destroy
*
* -- public accessors --
* NSSCKFWSession_GetMDSession
* NSSCKFWSession_GetArena
* NSSCKFWSession_CallNotification
* NSSCKFWSession_IsRWSession
* NSSCKFWSession_IsSO
* NSSCKFWSession_GetFWSlot
*
* -- implement public accessors --
* nssCKFWSession_GetMDSession
* nssCKFWSession_GetArena
* nssCKFWSession_CallNotification
* nssCKFWSession_IsRWSession
* nssCKFWSession_IsSO
* nssCKFWSession_GetFWSlot
*
* -- private accessors --
* nssCKFWSession_GetSessionState
* nssCKFWSession_SetFWFindObjects
* nssCKFWSession_GetFWFindObjects
* nssCKFWSession_SetMDSession
* nssCKFWSession_SetHandle
* nssCKFWSession_GetHandle
* nssCKFWSession_RegisterSessionObject
* nssCKFWSession_DeegisterSessionObject
*
* -- module fronts --
* nssCKFWSession_GetDeviceError
* nssCKFWSession_Login
* nssCKFWSession_Logout
* nssCKFWSession_InitPIN
* nssCKFWSession_SetPIN
* nssCKFWSession_GetOperationStateLen
* nssCKFWSession_GetOperationState
* nssCKFWSession_SetOperationState
* nssCKFWSession_CreateObject
* nssCKFWSession_CopyObject
* nssCKFWSession_FindObjectsInit
* nssCKFWSession_SeedRandom
* nssCKFWSession_GetRandom
*/
struct NSSCKFWSessionStr {
NSSArena *arena;
NSSCKMDSession *mdSession;
NSSCKFWToken *fwToken;
NSSCKMDToken *mdToken;
NSSCKFWInstance *fwInstance;
NSSCKMDInstance *mdInstance;
CK_VOID_PTR pApplication;
CK_NOTIFY Notify;
/*
* Everything above is set at creation time, and then not modified.
* The items below are atomic. No locking required. If we fear
* about pointer-copies being nonatomic, we'll lock fwFindObjects.
*/
CK_BBOOL rw;
NSSCKFWFindObjects *fwFindObjects;
NSSCKFWCryptoOperation *fwOperationArray[NSSCKFWCryptoOperationState_Max];
nssCKFWHash *sessionObjectHash;
CK_SESSION_HANDLE hSession;
};
#ifdef DEBUG
/*
* But first, the pointer-tracking stuff.
*
* NOTE: the pointer-tracking support in NSS/base currently relies
* upon NSPR's CallOnce support. That, however, relies upon NSPR's
* locking, which is tied into the runtime. We need a pointer-tracker
* implementation that uses the locks supplied through C_Initialize.
* That support, however, can be filled in later. So for now, I'll
* just do this routines as no-ops.
*/
static CK_RV
session_add_pointer(
const NSSCKFWSession *fwSession)
{
return CKR_OK;
}
static CK_RV
session_remove_pointer(
const NSSCKFWSession *fwSession)
{
return CKR_OK;
}
NSS_IMPLEMENT CK_RV
nssCKFWSession_verifyPointer(
const NSSCKFWSession *fwSession)
{
return CKR_OK;
}
#endif /* DEBUG */
/*
* nssCKFWSession_Create
*
*/
NSS_IMPLEMENT NSSCKFWSession *
nssCKFWSession_Create(
NSSCKFWToken *fwToken,
CK_BBOOL rw,
CK_VOID_PTR pApplication,
CK_NOTIFY Notify,
CK_RV *pError)
{
NSSArena *arena = (NSSArena *)NULL;
NSSCKFWSession *fwSession;
NSSCKFWSlot *fwSlot;
#ifdef NSSDEBUG
if (!pError) {
return (NSSCKFWSession *)NULL;
}
*pError = nssCKFWToken_verifyPointer(fwToken);
if (CKR_OK != *pError) {
return (NSSCKFWSession *)NULL;
}
#endif /* NSSDEBUG */
arena = NSSArena_Create();
if (!arena) {
*pError = CKR_HOST_MEMORY;
return (NSSCKFWSession *)NULL;
}
fwSession = nss_ZNEW(arena, NSSCKFWSession);
if (!fwSession) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
fwSession->arena = arena;
fwSession->mdSession = (NSSCKMDSession *)NULL; /* set later */
fwSession->fwToken = fwToken;
fwSession->mdToken = nssCKFWToken_GetMDToken(fwToken);
fwSlot = nssCKFWToken_GetFWSlot(fwToken);
fwSession->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
fwSession->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
fwSession->rw = rw;
fwSession->pApplication = pApplication;
fwSession->Notify = Notify;
fwSession->fwFindObjects = (NSSCKFWFindObjects *)NULL;
fwSession->sessionObjectHash = nssCKFWHash_Create(fwSession->fwInstance, arena, pError);
if (!fwSession->sessionObjectHash) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
goto loser;
}
#ifdef DEBUG
*pError = session_add_pointer(fwSession);
if (CKR_OK != *pError) {
goto loser;
}
#endif /* DEBUG */
return fwSession;
loser:
if (arena) {
if (fwSession && fwSession->sessionObjectHash) {
(void)nssCKFWHash_Destroy(fwSession->sessionObjectHash);
}
NSSArena_Destroy(arena);
}
return (NSSCKFWSession *)NULL;
}
static void
nss_ckfw_session_object_destroy_iterator(
const void *key,
void *value,
void *closure)
{
NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
nssCKFWObject_Finalize(fwObject, PR_TRUE);
}
/*
* nssCKFWSession_Destroy
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_Destroy(
NSSCKFWSession *fwSession,
CK_BBOOL removeFromTokenHash)
{
CK_RV error = CKR_OK;
nssCKFWHash *sessionObjectHash;
NSSCKFWCryptoOperationState i;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
#endif /* NSSDEBUG */
if (removeFromTokenHash) {
error = nssCKFWToken_RemoveSession(fwSession->fwToken, fwSession);
}
/*
* Invalidate session objects
*/
sessionObjectHash = fwSession->sessionObjectHash;
fwSession->sessionObjectHash = (nssCKFWHash *)NULL;
nssCKFWHash_Iterate(sessionObjectHash,
nss_ckfw_session_object_destroy_iterator,
(void *)NULL);
for (i = 0; i < NSSCKFWCryptoOperationState_Max; i++) {
if (fwSession->fwOperationArray[i]) {
nssCKFWCryptoOperation_Destroy(fwSession->fwOperationArray[i]);
}
}
#ifdef DEBUG
(void)session_remove_pointer(fwSession);
#endif /* DEBUG */
(void)nssCKFWHash_Destroy(sessionObjectHash);
NSSArena_Destroy(fwSession->arena);
return error;
}
/*
* nssCKFWSession_GetMDSession
*
*/
NSS_IMPLEMENT NSSCKMDSession *
nssCKFWSession_GetMDSession(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return (NSSCKMDSession *)NULL;
}
#endif /* NSSDEBUG */
return fwSession->mdSession;
}
/*
* nssCKFWSession_GetArena
*
*/
NSS_IMPLEMENT NSSArena *
nssCKFWSession_GetArena(
NSSCKFWSession *fwSession,
CK_RV *pError)
{
#ifdef NSSDEBUG
if (!pError) {
return (NSSArena *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (NSSArena *)NULL;
}
#endif /* NSSDEBUG */
return fwSession->arena;
}
/*
* nssCKFWSession_CallNotification
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_CallNotification(
NSSCKFWSession *fwSession,
CK_NOTIFICATION event)
{
CK_RV error = CKR_OK;
CK_SESSION_HANDLE handle;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
#endif /* NSSDEBUG */
if ((CK_NOTIFY)NULL == fwSession->Notify) {
return CKR_OK;
}
handle = nssCKFWInstance_FindSessionHandle(fwSession->fwInstance, fwSession);
if ((CK_SESSION_HANDLE)0 == handle) {
return CKR_GENERAL_ERROR;
}
error = fwSession->Notify(handle, event, fwSession->pApplication);
return error;
}
/*
* nssCKFWSession_IsRWSession
*
*/
NSS_IMPLEMENT CK_BBOOL
nssCKFWSession_IsRWSession(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CK_FALSE;
}
#endif /* NSSDEBUG */
return fwSession->rw;
}
/*
* nssCKFWSession_IsSO
*
*/
NSS_IMPLEMENT CK_BBOOL
nssCKFWSession_IsSO(
NSSCKFWSession *fwSession)
{
CK_STATE state;
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CK_FALSE;
}
#endif /* NSSDEBUG */
state = nssCKFWToken_GetSessionState(fwSession->fwToken);
switch (state) {
case CKS_RO_PUBLIC_SESSION:
case CKS_RO_USER_FUNCTIONS:
case CKS_RW_PUBLIC_SESSION:
case CKS_RW_USER_FUNCTIONS:
return CK_FALSE;
case CKS_RW_SO_FUNCTIONS:
return CK_TRUE;
default:
return CK_FALSE;
}
}
/*
* nssCKFWSession_GetFWSlot
*
*/
NSS_IMPLEMENT NSSCKFWSlot *
nssCKFWSession_GetFWSlot(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return (NSSCKFWSlot *)NULL;
}
#endif /* NSSDEBUG */
return nssCKFWToken_GetFWSlot(fwSession->fwToken);
}
/*
* nssCFKWSession_GetSessionState
*
*/
NSS_IMPLEMENT CK_STATE
nssCKFWSession_GetSessionState(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CKS_RO_PUBLIC_SESSION; /* whatever */
}
#endif /* NSSDEBUG */
return nssCKFWToken_GetSessionState(fwSession->fwToken);
}
/*
* nssCKFWSession_SetFWFindObjects
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SetFWFindObjects(
NSSCKFWSession *fwSession,
NSSCKFWFindObjects *fwFindObjects)
{
#ifdef NSSDEBUG
CK_RV error = CKR_OK;
#endif /* NSSDEBUG */
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
/* fwFindObjects may be null */
#endif /* NSSDEBUG */
if ((fwSession->fwFindObjects) &&
(fwFindObjects)) {
return CKR_OPERATION_ACTIVE;
}
fwSession->fwFindObjects = fwFindObjects;
return CKR_OK;
}
/*
* nssCKFWSession_GetFWFindObjects
*
*/
NSS_IMPLEMENT NSSCKFWFindObjects *
nssCKFWSession_GetFWFindObjects(
NSSCKFWSession *fwSession,
CK_RV *pError)
{
#ifdef NSSDEBUG
if (!pError) {
return (NSSCKFWFindObjects *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (NSSCKFWFindObjects *)NULL;
}
#endif /* NSSDEBUG */
if (!fwSession->fwFindObjects) {
*pError = CKR_OPERATION_NOT_INITIALIZED;
return (NSSCKFWFindObjects *)NULL;
}
return fwSession->fwFindObjects;
}
/*
* nssCKFWSession_SetMDSession
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SetMDSession(
NSSCKFWSession *fwSession,
NSSCKMDSession *mdSession)
{
#ifdef NSSDEBUG
CK_RV error = CKR_OK;
#endif /* NSSDEBUG */
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!mdSession) {
return CKR_ARGUMENTS_BAD;
}
#endif /* NSSDEBUG */
if (fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
fwSession->mdSession = mdSession;
return CKR_OK;
}
/*
* nssCKFWSession_SetHandle
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SetHandle(
NSSCKFWSession *fwSession,
CK_SESSION_HANDLE hSession)
{
#ifdef NSSDEBUG
CK_RV error = CKR_OK;
#endif /* NSSDEBUG */
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
#endif /* NSSDEBUG */
if ((CK_SESSION_HANDLE)0 != fwSession->hSession) {
return CKR_GENERAL_ERROR;
}
fwSession->hSession = hSession;
return CKR_OK;
}
/*
* nssCKFWSession_GetHandle
*
*/
NSS_IMPLEMENT CK_SESSION_HANDLE
nssCKFWSession_GetHandle(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return NULL;
}
#endif /* NSSDEBUG */
return fwSession->hSession;
}
/*
* nssCKFWSession_RegisterSessionObject
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_RegisterSessionObject(
NSSCKFWSession *fwSession,
NSSCKFWObject *fwObject)
{
CK_RV rv = CKR_OK;
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (fwSession->sessionObjectHash) {
rv = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
}
return rv;
}
/*
* nssCKFWSession_DeregisterSessionObject
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_DeregisterSessionObject(
NSSCKFWSession *fwSession,
NSSCKFWObject *fwObject)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (fwSession->sessionObjectHash) {
nssCKFWHash_Remove(fwSession->sessionObjectHash, fwObject);
}
return CKR_OK;
}
/*
* nssCKFWSession_GetDeviceError
*
*/
NSS_IMPLEMENT CK_ULONG
nssCKFWSession_GetDeviceError(
NSSCKFWSession *fwSession)
{
#ifdef NSSDEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return (CK_ULONG)0;
}
if (!fwSession->mdSession) {
return (CK_ULONG)0;
}
#endif /* NSSDEBUG */
if (!fwSession->mdSession->GetDeviceError) {
return (CK_ULONG)0;
}
return fwSession->mdSession->GetDeviceError(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance);
}
/*
* nssCKFWSession_Login
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_Login(
NSSCKFWSession *fwSession,
CK_USER_TYPE userType,
NSSItem *pin)
{
CK_RV error = CKR_OK;
CK_STATE oldState;
CK_STATE newState;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
switch (userType) {
case CKU_SO:
case CKU_USER:
break;
default:
return CKR_USER_TYPE_INVALID;
}
if (!pin) {
if (CK_TRUE != nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken)) {
return CKR_ARGUMENTS_BAD;
}
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
/*
* It's not clear what happens when you're already logged in.
* I'll just fail; but if we decide to change, the logic is
* all right here.
*/
if (CKU_SO == userType) {
switch (oldState) {
case CKS_RO_PUBLIC_SESSION:
/*
* There's no such thing as a read-only security officer
* session, so fail. The error should be CKR_SESSION_READ_ONLY,
* except that C_Login isn't defined to return that. So we'll
* do CKR_SESSION_READ_ONLY_EXISTS, which is what is documented.
*/
return CKR_SESSION_READ_ONLY_EXISTS;
case CKS_RO_USER_FUNCTIONS:
return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
case CKS_RW_PUBLIC_SESSION:
newState =
CKS_RW_SO_FUNCTIONS;
break;
case CKS_RW_USER_FUNCTIONS:
return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
case CKS_RW_SO_FUNCTIONS:
return CKR_USER_ALREADY_LOGGED_IN;
default:
return CKR_GENERAL_ERROR;
}
} else /* CKU_USER == userType */ {
switch (oldState) {
case CKS_RO_PUBLIC_SESSION:
newState =
CKS_RO_USER_FUNCTIONS;
break;
case CKS_RO_USER_FUNCTIONS:
return CKR_USER_ALREADY_LOGGED_IN;
case CKS_RW_PUBLIC_SESSION:
newState =
CKS_RW_USER_FUNCTIONS;
break;
case CKS_RW_USER_FUNCTIONS:
return CKR_USER_ALREADY_LOGGED_IN;
case CKS_RW_SO_FUNCTIONS:
return CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
default:
return CKR_GENERAL_ERROR;
}
}
/*
* So now we're in one of three cases:
*
* Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_SO_FUNCTIONS;
* Old == CKS_RW_PUBLIC_SESSION, New == CKS_RW_USER_FUNCTIONS;
* Old == CKS_RO_PUBLIC_SESSION, New == CKS_RO_USER_FUNCTIONS;
*/
if (!fwSession->mdSession->Login) {
/*
* The Module doesn't want to be informed (or check the pin)
* it'll just rely on the Framework as needed.
*/
;
} else {
error = fwSession->mdSession->Login(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, userType, pin, oldState, newState);
if (CKR_OK != error) {
return error;
}
}
(void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
return CKR_OK;
}
/*
* nssCKFWSession_Logout
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_Logout(
NSSCKFWSession *fwSession)
{
CK_RV error = CKR_OK;
CK_STATE oldState;
CK_STATE newState;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
oldState = nssCKFWToken_GetSessionState(fwSession->fwToken);
switch (oldState) {
case CKS_RO_PUBLIC_SESSION:
return CKR_USER_NOT_LOGGED_IN;
case CKS_RO_USER_FUNCTIONS:
newState = CKS_RO_PUBLIC_SESSION;
break;
case CKS_RW_PUBLIC_SESSION:
return CKR_USER_NOT_LOGGED_IN;
case CKS_RW_USER_FUNCTIONS:
newState = CKS_RW_PUBLIC_SESSION;
break;
case CKS_RW_SO_FUNCTIONS:
newState = CKS_RW_PUBLIC_SESSION;
break;
default:
return CKR_GENERAL_ERROR;
}
/*
* So now we're in one of three cases:
*
* Old == CKS_RW_SO_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
* Old == CKS_RW_USER_FUNCTIONS, New == CKS_RW_PUBLIC_SESSION;
* Old == CKS_RO_USER_FUNCTIONS, New == CKS_RO_PUBLIC_SESSION;
*/
if (!fwSession->mdSession->Logout) {
/*
* The Module doesn't want to be informed. Okay.
*/
;
} else {
error = fwSession->mdSession->Logout(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, oldState, newState);
if (CKR_OK != error) {
/*
* Now what?! A failure really should end up with the Framework
* considering it logged out, right?
*/
;
}
}
(void)nssCKFWToken_SetSessionState(fwSession->fwToken, newState);
return error;
}
/*
* nssCKFWSession_InitPIN
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_InitPIN(
NSSCKFWSession *fwSession,
NSSItem *pin)
{
CK_RV error = CKR_OK;
CK_STATE state;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
state = nssCKFWToken_GetSessionState(fwSession->fwToken);
if (CKS_RW_SO_FUNCTIONS != state) {
return CKR_USER_NOT_LOGGED_IN;
}
if (!pin) {
CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
if (CK_TRUE != has) {
return CKR_ARGUMENTS_BAD;
}
}
if (!fwSession->mdSession->InitPIN) {
return CKR_TOKEN_WRITE_PROTECTED;
}
error = fwSession->mdSession->InitPIN(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, pin);
return error;
}
/*
* nssCKFWSession_SetPIN
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SetPIN(
NSSCKFWSession *fwSession,
const NSSItem *oldPin,
NSSItem *newPin)
{
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (!newPin) {
CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
if (CK_TRUE != has) {
return CKR_ARGUMENTS_BAD;
}
}
if (!oldPin) {
CK_BBOOL has = nssCKFWToken_GetHasProtectedAuthenticationPath(fwSession->fwToken);
if (CK_TRUE != has) {
return CKR_ARGUMENTS_BAD;
}
}
if (!fwSession->mdSession->SetPIN) {
return CKR_TOKEN_WRITE_PROTECTED;
}
error = fwSession->mdSession->SetPIN(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, (NSSItem *)oldPin, newPin);
return error;
}
/*
* nssCKFWSession_GetOperationStateLen
*
*/
NSS_IMPLEMENT CK_ULONG
nssCKFWSession_GetOperationStateLen(
NSSCKFWSession *fwSession,
CK_RV *pError)
{
CK_ULONG mdAmt;
CK_ULONG fwAmt;
#ifdef NSSDEBUG
if (!pError) {
return (CK_ULONG)0;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (CK_ULONG)0;
}
if (!fwSession->mdSession) {
*pError = CKR_GENERAL_ERROR;
return (CK_ULONG)0;
}
#endif /* NSSDEBUG */
if (!fwSession->mdSession->GetOperationStateLen) {
*pError = CKR_STATE_UNSAVEABLE;
return (CK_ULONG)0;
}
/*
* We could check that the session is actually in some state..
*/
mdAmt = fwSession->mdSession->GetOperationStateLen(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, pError);
if (((CK_ULONG)0 == mdAmt) && (CKR_OK != *pError)) {
return (CK_ULONG)0;
}
/*
* Add a bit of sanity-checking
*/
fwAmt = mdAmt + 2 * sizeof(CK_ULONG);
return fwAmt;
}
/*
* nssCKFWSession_GetOperationState
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_GetOperationState(
NSSCKFWSession *fwSession,
NSSItem *buffer)
{
CK_RV error = CKR_OK;
CK_ULONG fwAmt;
CK_ULONG *ulBuffer;
NSSItem i2;
CK_ULONG n, i;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!buffer) {
return CKR_ARGUMENTS_BAD;
}
if (!buffer->data) {
return CKR_ARGUMENTS_BAD;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (!fwSession->mdSession->GetOperationState) {
return CKR_STATE_UNSAVEABLE;
}
/*
* Sanity-check the caller's buffer.
*/
error = CKR_OK;
fwAmt = nssCKFWSession_GetOperationStateLen(fwSession, &error);
if (((CK_ULONG)0 == fwAmt) && (CKR_OK != error)) {
return error;
}
if (buffer->size < fwAmt) {
return CKR_BUFFER_TOO_SMALL;
}
ulBuffer = (CK_ULONG *)buffer->data;
i2.size = buffer->size - 2 * sizeof(CK_ULONG);
i2.data = (void *)&ulBuffer[2];
error = fwSession->mdSession->GetOperationState(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance, &i2);
if (CKR_OK != error) {
return error;
}
/*
* Add a little integrety/identity check.
* NOTE: right now, it's pretty stupid.
* A CRC or something would be better.
*/
ulBuffer[0] = 0x434b4657; /* CKFW */
ulBuffer[1] = 0;
n = i2.size / sizeof(CK_ULONG);
for (i = 0; i < n; i++) {
ulBuffer[1] ^= ulBuffer[2 + i];
}
return CKR_OK;
}
/*
* nssCKFWSession_SetOperationState
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SetOperationState(
NSSCKFWSession *fwSession,
NSSItem *state,
NSSCKFWObject *encryptionKey,
NSSCKFWObject *authenticationKey)
{
CK_RV error = CKR_OK;
CK_ULONG *ulBuffer;
CK_ULONG n, i;
CK_ULONG x;
NSSItem s;
NSSCKMDObject *mdek;
NSSCKMDObject *mdak;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!state) {
return CKR_ARGUMENTS_BAD;
}
if (!state->data) {
return CKR_ARGUMENTS_BAD;
}
if (encryptionKey) {
error = nssCKFWObject_verifyPointer(encryptionKey);
if (CKR_OK != error) {
return error;
}
}
if (authenticationKey) {
error = nssCKFWObject_verifyPointer(authenticationKey);
if (CKR_OK != error) {
return error;
}
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
ulBuffer = (CK_ULONG *)state->data;
if (0x43b4657 != ulBuffer[0]) {
return CKR_SAVED_STATE_INVALID;
}
n = (state->size / sizeof(CK_ULONG)) - 2;
x = (CK_ULONG)0;
for (i = 0; i < n; i++) {
x ^= ulBuffer[2 + i];
}
if (x != ulBuffer[1]) {
return CKR_SAVED_STATE_INVALID;
}
if (!fwSession->mdSession->SetOperationState) {
return CKR_GENERAL_ERROR;
}
s.size = state->size - 2 * sizeof(CK_ULONG);
s.data = (void *)&ulBuffer[2];
if (encryptionKey) {
mdek = nssCKFWObject_GetMDObject(encryptionKey);
} else {
mdek = (NSSCKMDObject *)NULL;
}
if (authenticationKey) {
mdak = nssCKFWObject_GetMDObject(authenticationKey);
} else {
mdak = (NSSCKMDObject *)NULL;
}
error = fwSession->mdSession->SetOperationState(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, &s, mdek, encryptionKey, mdak, authenticationKey);
if (CKR_OK != error) {
return error;
}
/*
* Here'd we restore any session data
*/
return CKR_OK;
}
static CK_BBOOL
nss_attributes_form_token_object(
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount)
{
CK_ULONG i;
CK_BBOOL rv;
for (i = 0; i < ulAttributeCount; i++) {
if (CKA_TOKEN == pTemplate[i].type) {
/* If we sanity-check, we can remove this sizeof check */
if (sizeof(CK_BBOOL) == pTemplate[i].ulValueLen) {
(void)nsslibc_memcpy(&rv, pTemplate[i].pValue, sizeof(CK_BBOOL));
return rv;
} else {
return CK_FALSE;
}
}
}
return CK_FALSE;
}
/*
* nssCKFWSession_CreateObject
*
*/
NSS_IMPLEMENT NSSCKFWObject *
nssCKFWSession_CreateObject(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
NSSArena *arena;
NSSCKMDObject *mdObject;
NSSCKFWObject *fwObject;
CK_BBOOL isTokenObject;
#ifdef NSSDEBUG
if (!pError) {
return (NSSCKFWObject *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != pError) {
return (NSSCKFWObject *)NULL;
}
if ((CK_ATTRIBUTE_PTR)NULL == pTemplate) {
*pError = CKR_ARGUMENTS_BAD;
return (NSSCKFWObject *)NULL;
}
if (!fwSession->mdSession) {
*pError = CKR_GENERAL_ERROR;
return (NSSCKFWObject *)NULL;
}
#endif /* NSSDEBUG */
/*
* Here would be an excellent place to sanity-check the object.
*/
isTokenObject = nss_attributes_form_token_object(pTemplate, ulAttributeCount);
if (CK_TRUE == isTokenObject) {
/* === TOKEN OBJECT === */
if (!fwSession->mdSession->CreateObject) {
*pError = CKR_TOKEN_WRITE_PROTECTED;
return (NSSCKFWObject *)NULL;
}
arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
if (!arena) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWObject *)NULL;
}
goto callmdcreateobject;
} else {
/* === SESSION OBJECT === */
arena = nssCKFWSession_GetArena(fwSession, pError);
if (!arena) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWObject *)NULL;
}
if (CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
fwSession->fwInstance)) {
/* --- module handles the session object -- */
if (!fwSession->mdSession->CreateObject) {
*pError = CKR_GENERAL_ERROR;
return (NSSCKFWObject *)NULL;
}
goto callmdcreateobject;
} else {
/* --- framework handles the session object -- */
mdObject = nssCKMDSessionObject_Create(fwSession->fwToken,
arena, pTemplate, ulAttributeCount, pError);
goto gotmdobject;
}
}
callmdcreateobject:
mdObject = fwSession->mdSession->CreateObject(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance, arena, pTemplate,
ulAttributeCount, pError);
gotmdobject:
if (!mdObject) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWObject *)NULL;
}
fwObject = nssCKFWObject_Create(isTokenObject ? arena : NULL, mdObject,
isTokenObject ? NULL
: fwSession,
fwSession->fwToken, fwSession->fwInstance, pError);
if (!fwObject) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
if (mdObject->Destroy) {
(void)mdObject->Destroy(mdObject, (NSSCKFWObject *)NULL,
fwSession->mdSession, fwSession, fwSession->mdToken,
fwSession->fwToken, fwSession->mdInstance, fwSession->fwInstance);
}
return (NSSCKFWObject *)NULL;
}
if (CK_FALSE == isTokenObject) {
if (CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, fwObject)) {
*pError = nssCKFWHash_Add(fwSession->sessionObjectHash, fwObject, fwObject);
if (CKR_OK != *pError) {
nssCKFWObject_Finalize(fwObject, PR_TRUE);
return (NSSCKFWObject *)NULL;
}
}
}
return fwObject;
}
/*
* nssCKFWSession_CopyObject
*
*/
NSS_IMPLEMENT NSSCKFWObject *
nssCKFWSession_CopyObject(
NSSCKFWSession *fwSession,
NSSCKFWObject *fwObject,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
CK_BBOOL oldIsToken;
CK_BBOOL newIsToken;
CK_ULONG i;
NSSCKFWObject *rv;
#ifdef NSSDEBUG
if (!pError) {
return (NSSCKFWObject *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (NSSCKFWObject *)NULL;
}
*pError = nssCKFWObject_verifyPointer(fwObject);
if (CKR_OK != *pError) {
return (NSSCKFWObject *)NULL;
}
if (!fwSession->mdSession) {
*pError = CKR_GENERAL_ERROR;
return (NSSCKFWObject *)NULL;
}
#endif /* NSSDEBUG */
/*
* Sanity-check object
*/
if (!fwObject) {
*pError = CKR_ARGUMENTS_BAD;
return (NSSCKFWObject *)NULL;
}
oldIsToken = nssCKFWObject_IsTokenObject(fwObject);
newIsToken = oldIsToken;
for (i = 0; i < ulAttributeCount; i++) {
if (CKA_TOKEN == pTemplate[i].type) {
/* Since we sanity-checked the object, we know this is the right size. */
(void)nsslibc_memcpy(&newIsToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
break;
}
}
/*
* If the Module handles its session objects, or if both the new
* and old object are token objects, use CopyObject if it exists.
*/
if ((fwSession->mdSession->CopyObject) &&
(((CK_TRUE == oldIsToken) && (CK_TRUE == newIsToken)) ||
(CK_TRUE == nssCKFWInstance_GetModuleHandlesSessionObjects(
fwSession->fwInstance)))) {
/* use copy object */
NSSArena *arena;
NSSCKMDObject *mdOldObject;
NSSCKMDObject *mdObject;
mdOldObject = nssCKFWObject_GetMDObject(fwObject);
if (CK_TRUE == newIsToken) {
arena = nssCKFWToken_GetArena(fwSession->fwToken, pError);
} else {
arena = nssCKFWSession_GetArena(fwSession, pError);
}
if (!arena) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWObject *)NULL;
}
mdObject = fwSession->mdSession->CopyObject(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance, mdOldObject,
fwObject, arena, pTemplate, ulAttributeCount, pError);
if (!mdObject) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWObject *)NULL;
}
rv = nssCKFWObject_Create(newIsToken ? arena : NULL, mdObject,
newIsToken ? NULL
: fwSession,
fwSession->fwToken, fwSession->fwInstance, pError);
if (CK_FALSE == newIsToken) {
if (CK_FALSE == nssCKFWHash_Exists(fwSession->sessionObjectHash, rv)) {
*pError = nssCKFWHash_Add(fwSession->sessionObjectHash, rv, rv);
if (CKR_OK != *pError) {
nssCKFWObject_Finalize(rv, PR_TRUE);
return (NSSCKFWObject *)NULL;
}
}
}
return rv;
} else {
/* use create object */
NSSArena *tmpArena;
CK_ATTRIBUTE_PTR newTemplate;
CK_ULONG j, n, newLength, k;
CK_ATTRIBUTE_TYPE_PTR oldTypes;
n = nssCKFWObject_GetAttributeCount(fwObject, pError);
if ((0 == n) && (CKR_OK != *pError)) {
return (NSSCKFWObject *)NULL;
}
tmpArena = NSSArena_Create();
if (!tmpArena) {
*pError = CKR_HOST_MEMORY;
return (NSSCKFWObject *)NULL;
}
oldTypes = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE_TYPE, n);
if ((CK_ATTRIBUTE_TYPE_PTR)NULL == oldTypes) {
NSSArena_Destroy(tmpArena);
*pError = CKR_HOST_MEMORY;
return (NSSCKFWObject *)NULL;
}
*pError = nssCKFWObject_GetAttributeTypes(fwObject, oldTypes, n);
if (CKR_OK != *pError) {
NSSArena_Destroy(tmpArena);
return (NSSCKFWObject *)NULL;
}
newLength = n;
for (i = 0; i < ulAttributeCount; i++) {
for (j = 0; j < n; j++) {
if (oldTypes[j] == pTemplate[i].type) {
if ((CK_VOID_PTR)NULL ==
pTemplate[i].pValue) {
/* Removing the attribute */
newLength--;
}
break;
}
}
if (j == n) {
/* Not found */
newLength++;
}
}
newTemplate = nss_ZNEWARRAY(tmpArena, CK_ATTRIBUTE, newLength);
if ((CK_ATTRIBUTE_PTR)NULL == newTemplate) {
NSSArena_Destroy(tmpArena);
*pError = CKR_HOST_MEMORY;
return (NSSCKFWObject *)NULL;
}
k = 0;
for (j = 0; j < n; j++) {
for (i = 0; i < ulAttributeCount; i++) {
if (oldTypes[j] == pTemplate[i].type) {
if ((CK_VOID_PTR)NULL ==
pTemplate[i].pValue) {
/* This attribute is being deleted */
;
} else {
/* This attribute is being replaced */
newTemplate[k].type =
pTemplate[i].type;
newTemplate[k].pValue =
pTemplate[i].pValue;
newTemplate[k].ulValueLen =
pTemplate[i].ulValueLen;
k++;
}
break;
}
}
if (i == ulAttributeCount) {
/* This attribute is being copied over from the old object */
NSSItem item, *it;
item.size = 0;
item.data = (void *)NULL;
it = nssCKFWObject_GetAttribute(fwObject, oldTypes[j],
&item, tmpArena, pError);
if (!it) {
if (CKR_OK ==
*pError) {
*pError =
CKR_GENERAL_ERROR;
}
NSSArena_Destroy(tmpArena);
return (NSSCKFWObject *)NULL;
}
newTemplate[k].type = oldTypes[j];
newTemplate[k].pValue = it->data;
newTemplate[k].ulValueLen = it->size;
k++;
}
}
/* assert that k == newLength */
rv = nssCKFWSession_CreateObject(fwSession, newTemplate, newLength, pError);
if (!rv) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
NSSArena_Destroy(tmpArena);
return (NSSCKFWObject *)NULL;
}
NSSArena_Destroy(tmpArena);
return rv;
}
}
/*
* nssCKFWSession_FindObjectsInit
*
*/
NSS_IMPLEMENT NSSCKFWFindObjects *
nssCKFWSession_FindObjectsInit(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
NSSCKMDFindObjects *mdfo1 = (NSSCKMDFindObjects *)NULL;
NSSCKMDFindObjects *mdfo2 = (NSSCKMDFindObjects *)NULL;
#ifdef NSSDEBUG
if (!pError) {
return (NSSCKFWFindObjects *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (NSSCKFWFindObjects *)NULL;
}
if (((CK_ATTRIBUTE_PTR)NULL == pTemplate) && (ulAttributeCount != 0)) {
*pError = CKR_ARGUMENTS_BAD;
return (NSSCKFWFindObjects *)NULL;
}
if (!fwSession->mdSession) {
*pError = CKR_GENERAL_ERROR;
return (NSSCKFWFindObjects *)NULL;
}
#endif /* NSSDEBUG */
if (CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
fwSession->fwInstance)) {
CK_ULONG i;
/*
* Does the search criteria restrict us to token or session
* objects?
*/
for (i = 0; i < ulAttributeCount; i++) {
if (CKA_TOKEN == pTemplate[i].type) {
/* Yes, it does. */
CK_BBOOL isToken;
if (sizeof(CK_BBOOL) != pTemplate[i].ulValueLen) {
*pError =
CKR_ATTRIBUTE_VALUE_INVALID;
return (NSSCKFWFindObjects *)NULL;
}
(void)nsslibc_memcpy(&isToken, pTemplate[i].pValue, sizeof(CK_BBOOL));
if (CK_TRUE == isToken) {
/* Pass it on to the module's search routine */
if (!fwSession->mdSession->FindObjectsInit) {
goto wrap;
}
mdfo1 =
fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance,
pTemplate, ulAttributeCount, pError);
} else {
/* Do the search ourselves */
mdfo1 =
nssCKMDFindSessionObjects_Create(fwSession->fwToken,
pTemplate, ulAttributeCount, pError);
}
if (!mdfo1) {
if (CKR_OK ==
*pError) {
*pError =
CKR_GENERAL_ERROR;
}
return (NSSCKFWFindObjects *)NULL;
}
goto wrap;
}
}
if (i == ulAttributeCount) {
/* No, it doesn't. Do a hybrid search. */
mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance,
pTemplate, ulAttributeCount, pError);
if (!mdfo1) {
if (CKR_OK == *pError) {
*pError =
CKR_GENERAL_ERROR;
}
return (NSSCKFWFindObjects *)NULL;
}
mdfo2 = nssCKMDFindSessionObjects_Create(fwSession->fwToken,
pTemplate, ulAttributeCount, pError);
if (!mdfo2) {
if (CKR_OK == *pError) {
*pError =
CKR_GENERAL_ERROR;
}
if (mdfo1->Final) {
mdfo1->Final(mdfo1, (NSSCKFWFindObjects *)NULL, fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance);
}
return (NSSCKFWFindObjects *)NULL;
}
goto wrap;
}
/*NOTREACHED*/
} else {
/* Module handles all its own objects. Pass on to module's search */
mdfo1 = fwSession->mdSession->FindObjectsInit(fwSession->mdSession,
fwSession, fwSession->mdToken, fwSession->fwToken,
fwSession->mdInstance, fwSession->fwInstance,
pTemplate, ulAttributeCount, pError);
if (!mdfo1) {
if (CKR_OK == *pError) {
*pError = CKR_GENERAL_ERROR;
}
return (NSSCKFWFindObjects *)NULL;
}
goto wrap;
}
wrap:
return nssCKFWFindObjects_Create(fwSession, fwSession->fwToken,
fwSession->fwInstance, mdfo1, mdfo2, pError);
}
/*
* nssCKFWSession_SeedRandom
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_SeedRandom(
NSSCKFWSession *fwSession,
NSSItem *seed)
{
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!seed) {
return CKR_ARGUMENTS_BAD;
}
if (!seed->data) {
return CKR_ARGUMENTS_BAD;
}
if (0 == seed->size) {
return CKR_ARGUMENTS_BAD;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (!fwSession->mdSession->SeedRandom) {
return CKR_RANDOM_SEED_NOT_SUPPORTED;
}
error = fwSession->mdSession->SeedRandom(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, seed);
return error;
}
/*
* nssCKFWSession_GetRandom
*
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_GetRandom(
NSSCKFWSession *fwSession,
NSSItem *buffer)
{
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!buffer) {
return CKR_ARGUMENTS_BAD;
}
if (!buffer->data) {
return CKR_ARGUMENTS_BAD;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
if (!fwSession->mdSession->GetRandom) {
if (CK_TRUE == nssCKFWToken_GetHasRNG(fwSession->fwToken)) {
return CKR_GENERAL_ERROR;
} else {
return CKR_RANDOM_NO_RNG;
}
}
if (0 == buffer->size) {
return CKR_OK;
}
error = fwSession->mdSession->GetRandom(fwSession->mdSession, fwSession,
fwSession->mdToken, fwSession->fwToken, fwSession->mdInstance,
fwSession->fwInstance, buffer);
return error;
}
/*
* nssCKFWSession_SetCurrentCryptoOperation
*/
NSS_IMPLEMENT void
nssCKFWSession_SetCurrentCryptoOperation(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperation *fwOperation,
NSSCKFWCryptoOperationState state)
{
#ifdef NSSDEBUG
CK_RV error = CKR_OK;
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return;
}
if (state >= NSSCKFWCryptoOperationState_Max) {
return;
}
if (!fwSession->mdSession) {
return;
}
#endif /* NSSDEBUG */
fwSession->fwOperationArray[state] = fwOperation;
return;
}
/*
* nssCKFWSession_GetCurrentCryptoOperation
*/
NSS_IMPLEMENT NSSCKFWCryptoOperation *
nssCKFWSession_GetCurrentCryptoOperation(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationState state)
{
#ifdef NSSDEBUG
CK_RV error = CKR_OK;
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return (NSSCKFWCryptoOperation *)NULL;
}
if (state >= NSSCKFWCryptoOperationState_Max) {
return (NSSCKFWCryptoOperation *)NULL;
}
if (!fwSession->mdSession) {
return (NSSCKFWCryptoOperation *)NULL;
}
#endif /* NSSDEBUG */
return fwSession->fwOperationArray[state];
}
/*
* nssCKFWSession_Final
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_Final(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationType type,
NSSCKFWCryptoOperationState state,
CK_BYTE_PTR outBuf,
CK_ULONG_PTR outBufLen)
{
NSSCKFWCryptoOperation *fwOperation;
NSSItem outputBuffer;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* handle buffer issues, note for Verify, the type is an input buffer. */
if (NSSCKFWCryptoOperationType_Verify == type) {
if ((CK_BYTE_PTR)NULL == outBuf) {
error = CKR_ARGUMENTS_BAD;
goto done;
}
} else {
CK_ULONG len = nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
CK_ULONG maxBufLen = *outBufLen;
if (CKR_OK != error) {
goto done;
}
*outBufLen = len;
if ((CK_BYTE_PTR)NULL == outBuf) {
return CKR_OK;
}
if (len > maxBufLen) {
return CKR_BUFFER_TOO_SMALL;
}
}
outputBuffer.data = outBuf;
outputBuffer.size = *outBufLen;
error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
done:
if (CKR_BUFFER_TOO_SMALL == error) {
return error;
}
/* clean up our state */
nssCKFWCryptoOperation_Destroy(fwOperation);
nssCKFWSession_SetCurrentCryptoOperation(fwSession, NULL, state);
return error;
}
/*
* nssCKFWSession_Update
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_Update(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationType type,
NSSCKFWCryptoOperationState state,
CK_BYTE_PTR inBuf,
CK_ULONG inBufLen,
CK_BYTE_PTR outBuf,
CK_ULONG_PTR outBufLen)
{
NSSCKFWCryptoOperation *fwOperation;
NSSItem inputBuffer;
NSSItem outputBuffer;
CK_ULONG len;
CK_ULONG maxBufLen;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
inputBuffer.data = inBuf;
inputBuffer.size = inBufLen;
/* handle buffer issues, note for Verify, the type is an input buffer. */
len = nssCKFWCryptoOperation_GetOperationLength(fwOperation, &inputBuffer,
&error);
if (CKR_OK != error) {
return error;
}
maxBufLen = *outBufLen;
*outBufLen = len;
if ((CK_BYTE_PTR)NULL == outBuf) {
return CKR_OK;
}
if (len > maxBufLen) {
return CKR_BUFFER_TOO_SMALL;
}
outputBuffer.data = outBuf;
outputBuffer.size = *outBufLen;
return nssCKFWCryptoOperation_Update(fwOperation,
&inputBuffer, &outputBuffer);
}
/*
* nssCKFWSession_DigestUpdate
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_DigestUpdate(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationType type,
NSSCKFWCryptoOperationState state,
CK_BYTE_PTR inBuf,
CK_ULONG inBufLen)
{
NSSCKFWCryptoOperation *fwOperation;
NSSItem inputBuffer;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
inputBuffer.data = inBuf;
inputBuffer.size = inBufLen;
error = nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
return error;
}
/*
* nssCKFWSession_DigestUpdate
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_DigestKey(
NSSCKFWSession *fwSession,
NSSCKFWObject *fwKey)
{
NSSCKFWCryptoOperation *fwOperation;
NSSItem *inputBuffer;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession,
NSSCKFWCryptoOperationState_Digest);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (NSSCKFWCryptoOperationType_Digest !=
nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
error = nssCKFWCryptoOperation_DigestKey(fwOperation, fwKey);
if (CKR_FUNCTION_FAILED != error) {
return error;
}
/* no machine depended way for this to happen, do it by hand */
inputBuffer = nssCKFWObject_GetAttribute(fwKey, CKA_VALUE, NULL, NULL, &error);
if (!inputBuffer) {
/* couldn't get the value, just fail then */
return error;
}
error = nssCKFWCryptoOperation_DigestUpdate(fwOperation, inputBuffer);
nssItem_Destroy(inputBuffer);
return error;
}
/*
* nssCKFWSession_UpdateFinal
*/
NSS_IMPLEMENT CK_RV
nssCKFWSession_UpdateFinal(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationType type,
NSSCKFWCryptoOperationState state,
CK_BYTE_PTR inBuf,
CK_ULONG inBufLen,
CK_BYTE_PTR outBuf,
CK_ULONG_PTR outBufLen)
{
NSSCKFWCryptoOperation *fwOperation;
NSSItem inputBuffer;
NSSItem outputBuffer;
PRBool isEncryptDecrypt;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (type != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
inputBuffer.data = inBuf;
inputBuffer.size = inBufLen;
isEncryptDecrypt = (PRBool)((NSSCKFWCryptoOperationType_Encrypt == type) ||
(NSSCKFWCryptoOperationType_Decrypt == type));
/* handle buffer issues, note for Verify, the type is an input buffer. */
if (NSSCKFWCryptoOperationType_Verify == type) {
if ((CK_BYTE_PTR)NULL == outBuf) {
error = CKR_ARGUMENTS_BAD;
goto done;
}
} else {
CK_ULONG maxBufLen = *outBufLen;
CK_ULONG len;
len = (isEncryptDecrypt) ? nssCKFWCryptoOperation_GetOperationLength(fwOperation,
&inputBuffer, &error)
: nssCKFWCryptoOperation_GetFinalLength(fwOperation, &error);
if (CKR_OK != error) {
goto done;
}
*outBufLen = len;
if ((CK_BYTE_PTR)NULL == outBuf) {
return CKR_OK;
}
if (len > maxBufLen) {
return CKR_BUFFER_TOO_SMALL;
}
}
outputBuffer.data = outBuf;
outputBuffer.size = *outBufLen;
error = nssCKFWCryptoOperation_UpdateFinal(fwOperation,
&inputBuffer, &outputBuffer);
/* UpdateFinal isn't support, manually use Update and Final */
if (CKR_FUNCTION_FAILED == error) {
error = isEncryptDecrypt ? nssCKFWCryptoOperation_Update(fwOperation, &inputBuffer, &outputBuffer)
: nssCKFWCryptoOperation_DigestUpdate(fwOperation, &inputBuffer);
if (CKR_OK == error) {
error = nssCKFWCryptoOperation_Final(fwOperation, &outputBuffer);
}
}
done:
if (CKR_BUFFER_TOO_SMALL == error) {
/* if we return CKR_BUFFER_TOO_SMALL, we the caller is not expecting.
* the crypto state to be freed */
return error;
}
/* clean up our state */
nssCKFWCryptoOperation_Destroy(fwOperation);
nssCKFWSession_SetCurrentCryptoOperation(fwSession, NULL, state);
return error;
}
NSS_IMPLEMENT CK_RV
nssCKFWSession_UpdateCombo(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationType encryptType,
NSSCKFWCryptoOperationType digestType,
NSSCKFWCryptoOperationState digestState,
CK_BYTE_PTR inBuf,
CK_ULONG inBufLen,
CK_BYTE_PTR outBuf,
CK_ULONG_PTR outBufLen)
{
NSSCKFWCryptoOperation *fwOperation;
NSSCKFWCryptoOperation *fwPeerOperation;
NSSItem inputBuffer;
NSSItem outputBuffer;
CK_ULONG maxBufLen = *outBufLen;
CK_ULONG len;
CK_RV error = CKR_OK;
#ifdef NSSDEBUG
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
if (!fwSession->mdSession) {
return CKR_GENERAL_ERROR;
}
#endif /* NSSDEBUG */
/* make sure we have a valid operation initialized */
fwOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession,
NSSCKFWCryptoOperationState_EncryptDecrypt);
if (!fwOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (encryptType != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure we have a valid operation initialized */
fwPeerOperation = nssCKFWSession_GetCurrentCryptoOperation(fwSession,
digestState);
if (!fwPeerOperation) {
return CKR_OPERATION_NOT_INITIALIZED;
}
/* make sure it's the correct type */
if (digestType != nssCKFWCryptoOperation_GetType(fwOperation)) {
return CKR_OPERATION_NOT_INITIALIZED;
}
inputBuffer.data = inBuf;
inputBuffer.size = inBufLen;
len = nssCKFWCryptoOperation_GetOperationLength(fwOperation,
&inputBuffer, &error);
if (CKR_OK != error) {
return error;
}
*outBufLen = len;
if ((CK_BYTE_PTR)NULL == outBuf) {
return CKR_OK;
}
if (len > maxBufLen) {
return CKR_BUFFER_TOO_SMALL;
}
outputBuffer.data = outBuf;
outputBuffer.size = *outBufLen;
error = nssCKFWCryptoOperation_UpdateCombo(fwOperation, fwPeerOperation,
&inputBuffer, &outputBuffer);
if (CKR_FUNCTION_FAILED == error) {
PRBool isEncrypt =
(PRBool)(NSSCKFWCryptoOperationType_Encrypt == encryptType);
if (isEncrypt) {
error = nssCKFWCryptoOperation_DigestUpdate(fwPeerOperation,
&inputBuffer);
if (CKR_OK != error) {
return error;
}
}
error = nssCKFWCryptoOperation_Update(fwOperation,
&inputBuffer, &outputBuffer);
if (CKR_OK != error) {
return error;
}
if (!isEncrypt) {
error = nssCKFWCryptoOperation_DigestUpdate(fwPeerOperation,
&outputBuffer);
}
}
return error;
}
/*
* NSSCKFWSession_GetMDSession
*
*/
NSS_IMPLEMENT NSSCKMDSession *
NSSCKFWSession_GetMDSession(
NSSCKFWSession *fwSession)
{
#ifdef DEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return (NSSCKMDSession *)NULL;
}
#endif /* DEBUG */
return nssCKFWSession_GetMDSession(fwSession);
}
/*
* NSSCKFWSession_GetArena
*
*/
NSS_IMPLEMENT NSSArena *
NSSCKFWSession_GetArena(
NSSCKFWSession *fwSession,
CK_RV *pError)
{
#ifdef DEBUG
if (!pError) {
return (NSSArena *)NULL;
}
*pError = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != *pError) {
return (NSSArena *)NULL;
}
#endif /* DEBUG */
return nssCKFWSession_GetArena(fwSession, pError);
}
/*
* NSSCKFWSession_CallNotification
*
*/
NSS_IMPLEMENT CK_RV
NSSCKFWSession_CallNotification(
NSSCKFWSession *fwSession,
CK_NOTIFICATION event)
{
#ifdef DEBUG
CK_RV error = CKR_OK;
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return error;
}
#endif /* DEBUG */
return nssCKFWSession_CallNotification(fwSession, event);
}
/*
* NSSCKFWSession_IsRWSession
*
*/
NSS_IMPLEMENT CK_BBOOL
NSSCKFWSession_IsRWSession(
NSSCKFWSession *fwSession)
{
#ifdef DEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CK_FALSE;
}
#endif /* DEBUG */
return nssCKFWSession_IsRWSession(fwSession);
}
/*
* NSSCKFWSession_IsSO
*
*/
NSS_IMPLEMENT CK_BBOOL
NSSCKFWSession_IsSO(
NSSCKFWSession *fwSession)
{
#ifdef DEBUG
if (CKR_OK != nssCKFWSession_verifyPointer(fwSession)) {
return CK_FALSE;
}
#endif /* DEBUG */
return nssCKFWSession_IsSO(fwSession);
}
NSS_IMPLEMENT NSSCKFWCryptoOperation *
NSSCKFWSession_GetCurrentCryptoOperation(
NSSCKFWSession *fwSession,
NSSCKFWCryptoOperationState state)
{
#ifdef DEBUG
CK_RV error = CKR_OK;
error = nssCKFWSession_verifyPointer(fwSession);
if (CKR_OK != error) {
return (NSSCKFWCryptoOperation *)NULL;
}
if (state >= NSSCKFWCryptoOperationState_Max) {
return (NSSCKFWCryptoOperation *)NULL;
}
#endif /* DEBUG */
return nssCKFWSession_GetCurrentCryptoOperation(fwSession, state);
}
/*
* NSSCKFWSession_GetFWSlot
*
*/
NSS_IMPLEMENT NSSCKFWSlot *
NSSCKFWSession_GetFWSlot(
NSSCKFWSession *fwSession)
{
return nssCKFWSession_GetFWSlot(fwSession);
}