summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/softoken/softoken.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/softoken/softoken.h')
-rw-r--r--security/nss/lib/softoken/softoken.h265
1 files changed, 265 insertions, 0 deletions
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
new file mode 100644
index 000000000..0e943d3cb
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.h
@@ -0,0 +1,265 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the
+ * encoded digest info is computed internally, rather than by the caller.
+ *
+ * The HashSign variants expect as input the value of H, the computed hash
+ * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
+ * DigestInfo structure internally prior to signing/verifying.
+ */
+extern SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+extern SECStatus
+RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+/*
+** Prepare a buffer for padded CBC encryption, growing to the appropriate
+** boundary, filling with the appropriate padding.
+**
+** blockSize must be a power of 2.
+**
+** We add from 1 to blockSize bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+*/
+extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
+ unsigned int inlen, unsigned int *outlen,
+ int blockSize);
+
+/****************************************/
+/*
+** Power-Up selftests are required for FIPS.
+*/
+/* make sure Power-up selftests have been run. */
+extern CK_RV sftk_FIPSEntryOK(void);
+
+/*
+** make known fixed PKCS #11 key types to their sizes in bytes
+*/
+unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+
+/*
+** FIPS 140-2 auditing
+*/
+extern PRBool sftk_audit_enabled;
+
+extern void sftk_LogAuditMessage(NSSAuditSeverity severity,
+ NSSAuditType, const char *msg);
+
+extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
+
+extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
+
+extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_RV rv);
+
+extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
+ CK_RV rv);
+
+extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditCryptInit(const char *opName,
+ CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
+
+extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+ CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
+
+extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
+/*
+** macros to check for forked child process after C_Initialize
+*/
+#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
+
+#ifdef DEBUG
+
+#define FORK_ASSERT() \
+ { \
+ char *forkAssert = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if ((!forkAssert) || (0 == strcmp(forkAssert, "1"))) { \
+ PORT_Assert(0); \
+ } \
+ }
+
+#else
+
+#define FORK_ASSERT()
+
+#endif
+
+/* we have 3 methods of implementing the fork checks :
+ * - Solaris "mixed" method
+ * - pthread_atfork method
+ * - getpid method
+ */
+
+#if !defined(CHECK_FORK_MIXED) && !defined(CHECK_FORK_PTHREAD) && \
+ !defined(CHECK_FORK_GETPID)
+
+/* Choose fork check method automatically unless specified
+ * This section should be updated as more platforms get pthread fixes
+ * to unregister fork handlers in dlclose.
+ */
+
+#ifdef SOLARIS
+
+/* Solaris 8, s9 use PID checks, s10 uses pthread_atfork */
+
+#define CHECK_FORK_MIXED
+
+#elif defined(LINUX)
+
+#define CHECK_FORK_PTHREAD
+
+#else
+
+/* Other Unix platforms use only PID checks. Even if pthread_atfork is
+ * available, the behavior of dlclose isn't guaranteed by POSIX to
+ * unregister the fork handler. */
+
+#define CHECK_FORK_GETPID
+
+#endif
+
+#endif
+
+#if defined(CHECK_FORK_MIXED)
+
+extern PRBool usePthread_atfork;
+#include <unistd.h>
+extern pid_t myPid;
+extern PRBool forked;
+
+#define PARENT_FORKED() (usePthread_atfork ? forked : (myPid && myPid != getpid()))
+
+#elif defined(CHECK_FORK_PTHREAD)
+
+extern PRBool forked;
+
+#define PARENT_FORKED() forked
+
+#elif defined(CHECK_FORK_GETPID)
+
+#include <unistd.h>
+extern pid_t myPid;
+
+#define PARENT_FORKED() (myPid && myPid != getpid())
+
+#endif
+
+extern PRBool parentForkedAfterC_Initialize;
+extern PRBool sftkForkCheckDisabled;
+
+#define CHECK_FORK() \
+ do { \
+ if (!sftkForkCheckDisabled && PARENT_FORKED()) { \
+ FORK_ASSERT(); \
+ return CKR_DEVICE_ERROR; \
+ } \
+ } while (0)
+
+#define SKIP_AFTER_FORK(x) \
+ if (!parentForkedAfterC_Initialize) \
+ x
+
+#define ENABLE_FORK_CHECK() \
+ { \
+ char *doForkCheck = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if (doForkCheck && !strcmp(doForkCheck, "DISABLED")) { \
+ sftkForkCheckDisabled = PR_TRUE; \
+ } \
+ }
+
+#else
+
+/* non-Unix platforms, or fork check disabled */
+
+#define CHECK_FORK()
+#define SKIP_AFTER_FORK(x) x
+#define ENABLE_FORK_CHECK()
+
+#ifndef NO_FORK_CHECK
+#define NO_FORK_CHECK
+#endif
+
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */