
📄 new_host.c

📁 IBM的Linux上的PKCS#11实现
💻 C
📖 第 1 页 / 共 5 页
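   // NOTE(review): the statements down to the first closing brace are the tail
   // of a function that starts before this listing (its log line names
   // C_GetTokenInfo); they are reproduced unchanged.
   strftime( (char *)pInfo->utcTime, 16, "%X", localtime(&now) );

done:
   LLOCK;
   if (debugfile) {
      stlogit2(debugfile, "%-25s:  rc = 0x%08x\n", "C_GetTokenInfo", rc );
   }
   UNLOCKIT;
   return rc;
}

//
// SC_WaitForSlotEvent: slot events are not implemented by this token.
//
// Returns CKR_CRYPTOKI_NOT_INITIALIZED when st_Initialized() reports FALSE,
// otherwise logs error 142 and returns CKR_FUNCTION_NOT_SUPPORTED.  None of
// the three arguments is read.
//
CK_RV SC_WaitForSlotEvent( CK_FLAGS        flags,
                          CK_SLOT_ID_PTR  pSlot,
                          CK_VOID_PTR     pReserved )
{
   if (st_Initialized() == FALSE){
      st_err_log(72, __FILE__, __LINE__);
      return CKR_CRYPTOKI_NOT_INITIALIZED;
   }

   st_err_log(142, __FILE__, __LINE__, __FUNCTION__);
   return CKR_FUNCTION_NOT_SUPPORTED;
}

//
// SC_GetMechanismList: report the mechanism types held in mech_list.
//
//   sid        caller's slot id; SLT_CHECK is a macro defined outside this
//              listing and presumably derives slot_id from it -- confirm.
//   pMechList  output array, or NULL to query only the required length.
//   count      in: capacity of pMechList; out: mech_list_len.
//
// Returns CKR_OK on success, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_FUNCTION_FAILED
// (count is NULL), CKR_SLOT_ID_INVALID, or CKR_BUFFER_TOO_SMALL (*count is
// then set to the required length).
//
CK_RV SC_GetMechanismList( CK_SLOT_ID             sid,
                          CK_MECHANISM_TYPE_PTR  pMechList,
                          CK_ULONG_PTR           count )
{
   CK_ULONG   i;
   CK_RV      rc = CKR_OK;
   char        *envrn;
   SLT_CHECK

   LOCKIT;
   if (st_Initialized() == FALSE) {
      st_err_log(72, __FILE__, __LINE__);
      rc = CKR_CRYPTOKI_NOT_INITIALIZED;
      goto done;
   }
   if (count == NULL) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }
   if (slot_id > MAX_SLOT_ID) {
      st_err_log(2, __FILE__, __LINE__);
      rc = CKR_SLOT_ID_INVALID;
      goto done;
   }

   // Length query: no output buffer supplied.
   if (pMechList == NULL) {
      *count = mech_list_len;
      rc = CKR_OK;
      goto done;
   }
   if (*count < mech_list_len) {
      *count = mech_list_len;
      st_err_log(111, __FILE__, __LINE__);
      rc = CKR_BUFFER_TOO_SMALL;
      goto done;
   }

   for (i=0; i < mech_list_len; i++)
      pMechList[i] = mech_list[i].mech_type;

#if 1
   //  For Netscape  we want to not support the
   //  SSL3 mechs since the native ones perform much better
   //  Force those slots to be RSA... it's ugly but it works
   //
   //  NOTE(review): the advertised mechanism list therefore depends on the
   //  process environment: whenever NS_SERVER_HOME is set, every SSL3 entry
   //  is reported as CKM_RSA_PKCS (so that value appears more than once).
   if ( (envrn = getenv("NS_SERVER_HOME"))!= NULL) {
      for (i=0; i<mech_list_len; i++){
           switch (pMechList[i]) {
           case CKM_SSL3_PRE_MASTER_KEY_GEN:
           case CKM_SSL3_MASTER_KEY_DERIVE:
           case CKM_SSL3_KEY_AND_MAC_DERIVE:
           case CKM_SSL3_MD5_MAC:
           case CKM_SSL3_SHA1_MAC:
                   pMechList[i]=CKM_RSA_PKCS;
                   break;
           }
      }
   }
#endif

   *count = mech_list_len;
   rc = CKR_OK;

done:
   LLOCK;
   if (debugfile) {
      // count is NULL on the CKR_FUNCTION_FAILED path above, so it must not
      // be dereferenced unconditionally when building the log line.
      // NOTE(review): rc and the count are passed to %x / %d conversions; if
      // CK_RV / CK_ULONG are wider than int that is a mismatch -- confirm
      // against stlogit2.
      stlogit2(debugfile, "%-25s:  rc = 0x%08x, # mechanisms:  %d\n", "C_GetMechanismList", rc, (count != NULL) ? *count : 0 );
   }
   UNLOCKIT;
   return rc;
}

//
// SC_GetMechanismInfo: copy the CK_MECHANISM_INFO of mechanism `type` from
// mech_list into *pInfo.
//
// Returns CKR_OK when the type is found, CKR_CRYPTOKI_NOT_INITIALIZED,
// CKR_FUNCTION_FAILED (pInfo is NULL), CKR_SLOT_ID_INVALID, or
// CKR_MECHANISM_INVALID when no entry of mech_list has that type.
//
CK_RV SC_GetMechanismInfo( CK_SLOT_ID             sid,
                          CK_MECHANISM_TYPE      type,
                          CK_MECHANISM_INFO_PTR  pInfo )
{
   CK_ULONG  i;
   CK_RV     rc = CKR_OK;
   SLT_CHECK

   LOCKIT;
   if (st_Initialized() == FALSE) {
      st_err_log(72, __FILE__, __LINE__);
      rc = CKR_CRYPTOKI_NOT_INITIALIZED;
      goto done;
   }
   if (pInfo == NULL) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }
   if (slot_id > MAX_SLOT_ID) {
      st_err_log(2, __FILE__, __LINE__);
      rc = CKR_SLOT_ID_INVALID;
      goto done;
   }

   // Linear search; the first matching entry wins.
   for (i=0; i < mech_list_len; i++) {
      if (mech_list[i].mech_type == type) {
         memcpy( pInfo, &mech_list[i].mech_info, sizeof(CK_MECHANISM_INFO) );
         rc = CKR_OK;
         goto done;
      }
   }

   st_err_log(28, __FILE__, __LINE__);
   rc = CKR_MECHANISM_INVALID;

done:
   LLOCK;
   if (debugfile) {
      stlogit2(debugfile, "%-25s:  rc = 0x%08x, mech type = 0x%08x\n", "C_GetMechanismInfo", rc, type );
   }
   UNLOCKIT;
   return rc;
}

// this routine should only be called if no other processes are attached to
//         the token.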
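// we need to somehow check that this is the only process
// Meta API should prevent this since it knows session states in the shared
// memory.
//
// SC_InitToken: re-initialise the token after checking the SO PIN.
//
//   sid       caller's slot id; SLT_CHECK is a macro defined outside this
//             listing and presumably derives slot_id from it -- confirm.
//   pPin      SO PIN, ulPinLen bytes.
//   pLabel    new token label; exactly 32 bytes are copied from it.
//
// Returns CKR_OK, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_ARGUMENTS_BAD,
// CKR_PIN_LOCKED, CKR_PIN_INCORRECT, CKR_FUNCTION_FAILED, or whatever
// compute_sha / save_token_data / save_masterkey_so return on failure.
//
// NOTE(review): the SO PIN verifier is a bare digest (compute_sha, presumably
// SHA-1 given SHA1_HASH_SIZE) compared with memcmp; no salt or iteration is
// visible here, and memcmp is not a constant-time comparison.  Anyone who can
// read the stored token data can test PIN guesses offline -- confirm how that
// file is protected.
//
CK_RV SC_InitToken( CK_SLOT_ID   sid,
                    CK_CHAR_PTR  pPin,
                    CK_ULONG     ulPinLen,
                    CK_CHAR_PTR  pLabel )
{
   CK_RV      rc = CKR_OK;
   CK_BYTE    hash_sha[SHA1_HASH_SIZE];
   CK_SLOT_ID slotID;
   char       s[2048];
   int        cmd_len;

   SLT_CHECK;
   slotID = slot_id;

   LOCKIT;
   if (st_Initialized() == FALSE) {
      st_err_log(72, __FILE__, __LINE__);
      rc = CKR_CRYPTOKI_NOT_INITIALIZED;
      goto done;
   }
   if (!pPin || !pLabel) {
      st_err_log(5, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_ARGUMENTS_BAD;
      goto done;
   }
   if (nv_token_data->token_info.flags & CKF_SO_PIN_LOCKED) {
      st_err_log(37, __FILE__, __LINE__);
      rc = CKR_PIN_LOCKED;
      goto done;
   }

   // The digest must have been produced before it is compared: if the hash
   // call fails, hash_sha is not known to hold a valid value.
   rc = compute_sha( pPin, ulPinLen, hash_sha );
   if (rc != CKR_OK){
      st_err_log(148, __FILE__, __LINE__);
      goto done;
   }
   if (memcmp(nv_token_data->so_pin_sha, hash_sha, SHA1_HASH_SIZE) != 0) {
      st_err_log(33, __FILE__, __LINE__);
      rc = CKR_PIN_INCORRECT;
      goto done;
   }

   // Construct the string that deletes the token objects before any state is
   // changed, and refuse to continue if it does not fit in s: a truncated
   // command line must never be handed to the shell.
   cmd_len = snprintf(s, sizeof(s), "%s %s/%s/* > /dev/null 2>&1", DEL_CMD, pk_dir, PK_LITE_OBJ_DIR);
   if (cmd_len < 0 || (size_t)cmd_len >= sizeof(s)) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   rc  = rng_generate( master_key, 3 * DES_KEY_SIZE );
   if (rc != CKR_OK) {
      st_err_log(4, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_FUNCTION_FAILED;
      goto done;
   }

   // Before we reconstruct all the data, we should delete the
   // token objects from the filesystem.
   //
   object_mgr_destroy_token_objects();

   // NOTE(review): pk_dir is placed unquoted into a shell command line.  If
   // its value can come from configuration or the environment, whitespace or
   // shell metacharacters in it change what the shell runs; removing the
   // directory entries directly (readdir + unlink) avoids the shell entirely.
   // The exit status is ignored, as in the original best-effort cleanup.
   system(s);

   //
   //META This should be fine since the open session checking should occur at
   //the API not the STDLL
   init_token_data();
   init_slotInfo();

   memcpy( nv_token_data->token_info.label, pLabel, 32 );
   memcpy( nv_token_data->so_pin_sha, hash_sha, SHA1_HASH_SIZE);

   // XXX New for v2.11 - KEY
   nv_token_data->token_info.flags |= CKF_TOKEN_INITIALIZED;

   rc = save_token_data();
   if (rc != CKR_OK){
      st_err_log(104, __FILE__, __LINE__, __FUNCTION__);
      goto done;
   }
   rc = save_masterkey_so();
   if (rc != CKR_OK){
      st_err_log(149, __FILE__, __LINE__, __FUNCTION__);
      goto done;
   }

done:
   LLOCK;
   if (debugfile) {
      stlogit2(debugfile, "%-25s:  rc = 0x%08x\n", "C_InitToken", rc );
   }
   UNLOCKIT;
   return rc;
}

//
// SC_InitPIN: set the user PIN from a session in state CKS_RW_SO_FUNCTIONS.
//
//   sSession  session handle; SESS_SET is a macro defined outside this
//             listing and presumably derives hSession from it -- confirm.
//   pPin      new user PIN, ulPinLen bytes (MIN_PIN_LEN..MAX_PIN_LEN).
//
// Returns CKR_OK, CKR_CRYPTOKI_NOT_INITIALIZED, CKR_ARGUMENTS_BAD,
// CKR_SESSION_HANDLE_INVALID, CKR_PIN_LOCKED, CKR_USER_NOT_LOGGED_IN,
// CKR_PIN_LEN_RANGE, or the code of the hashing, locking or save call that
// failed.
//
CK_RV SC_InitPIN( ST_SESSION_HANDLE  sSession,
                  CK_CHAR_PTR        pPin,
                  CK_ULONG           ulPinLen )
{
   SESSION         * sess = NULL;
   CK_BYTE           hash_sha[SHA1_HASH_SIZE];
   CK_BYTE           hash_md5[MD5_HASH_SIZE];
   CK_RV             rc = CKR_OK;
   SESS_SET

   LOCKIT;
   if (st_Initialized() == FALSE) {
      st_err_log(72, __FILE__, __LINE__);
      rc = CKR_CRYPTOKI_NOT_INITIALIZED;
      goto done;
   }
   if (!pPin) {
      st_err_log(5, __FILE__, __LINE__, __FUNCTION__);
      rc = CKR_ARGUMENTS_BAD;
      goto done;
   }

   sess = SESSION_MGR_FIND( hSession );
   if (!sess) {
      st_err_log(40, __FILE__, __LINE__);
      rc = CKR_SESSION_HANDLE_INVALID;
      goto done;
   }
   if (pin_locked(&sess->session_info) == TRUE) {
      st_err_log(37, __FILE__, __LINE__);
      rc = CKR_PIN_LOCKED;
      goto done;
   }

   // Only a read/write SO session may initialise the user PIN.
   if (sess->session_info.state != CKS_RW_SO_FUNCTIONS) {
      st_err_log(57, __FILE__, __LINE__);
      rc = CKR_USER_NOT_LOGGED_IN;
      goto done;
   }
   if ((ulPinLen < MIN_PIN_LEN) || (ulPinLen > MAX_PIN_LEN)) {
      st_err_log(35, __FILE__, __LINE__);
      rc = CKR_PIN_LEN_RANGE;
      goto done;
   }

   // compute the SHA and MD5 hashes of the user pin
   //
   // Each result is checked on its own: OR-ing two CK_RV values together
   // yields a code that matches neither failure.
   rc = compute_sha( pPin, ulPinLen, hash_sha );
   if (rc != CKR_OK){
      st_err_log(148, __FILE__, __LINE__);
      goto done;
   }
   rc = compute_md5( pPin, ulPinLen, hash_md5 );
   if (rc != CKR_OK){
      st_err_log(148, __FILE__, __LINE__);
      goto done;
   }

   rc = XProcLock( xproclock );
   if (rc != CKR_OK){
      st_err_log(150, __FILE__, __LINE__);
      goto done;
   }
      memcpy( nv_token_data->user_pin_sha, hash_sha, SHA1_HASH_SIZE );
      nv_token_data->token_info.flags |= CKF_USER_PIN_INITIALIZED;
   XProcUnLock( xproclock );

   // user_pin_md5 is defined outside this listing; it is updated after the
   // cross-process lock has been released, as in the original.
   memcpy( user_pin_md5, hash_md5, MD5_HASH_SIZE  );

   rc = save_token_data();
   if (rc != CKR_OK){
      st_err_log(104, __FILE__, __LINE__);
      goto done;
   }
   rc = save_masterkey_user();
   if (rc != CKR_OK){
      st_err_log(149, __FILE__, __LINE__);
   }

done:
   LLOCK;
   if (debugfile) {
      // The original format had one conversion for two values, so rc was
      // printed under the "session" label and hSession was dropped.
      stlogit2(debugfile, "%-25s:  rc = 0x%08x, session = %08x\n", "C_InitPin", rc, hSession );
   }
   UNLOCKIT;
   return rc;
}

//
// NOTE(review): this listing ends inside SC_SetPIN (page 1 of 5); the
// fragment below is reproduced unchanged, including its unterminated final
// comment.
//
CK_RV SC_SetPIN( ST_SESSION_HANDLE  sSession,
                 CK_CHAR_PTR        pOldPin,
                 CK_ULONG           ulOldLen,
                 CK_CHAR_PTR        pNewPin,
                 CK_ULONG           ulNewLen )
{
   SESSION         * sess = NULL;
   CK_BYTE           old_hash_sha[SHA1_HASH_SIZE];
   CK_BYTE           new_hash_sha[SHA1_HASH_SIZE];
   CK_BYTE           hash_md5[MD5_HASH_SIZE];
   CK_MECHANISM      mech;
   DIGEST_CONTEXT    digest_ctx;
   CK_ULONG          hash_len;
   CK_RV             rc = CKR_OK;
   SESS_SET

   LOCKIT;
   if (st_Initialized() == FALSE) {
      st_err_log(72, __FILE__, __LINE__);
      rc = CKR_CRYPTOKI_NOT_INITIALIZED;
      goto done;
   }
   sess = SESSION_MGR_FIND( hSession );
   if (!sess) {
      st_err_log(40, __FILE__, __LINE__);
      rc = CKR_SESSION_HANDLE_INVALID;
      goto done;
   }
   if (pin_locked(&sess->session_info) == TRUE) {
      st_err_log(37, __FILE__, __LINE__);
      rc = CKR_PIN_LOCKED;
      goto done;
   }
   if ((ulNewLen < MIN_PIN_LEN) || (ulNewLen > MAX_PIN_LEN)) {
      st_err_log(35, __FILE__, __LINE__);
      rc = CKR_PIN_LEN_RANGE;
      goto done;
   }
   rc = compute_sha( pOldPin, ulOldLen, old_hash_sha );
   if (rc != CKR_OK){
      st_err_log(148, __FILE__, __LINE__);
      goto done;
   }
   if (sess->session_info.state == CKS_RW_USER_FUNCTIONS) {
      if (memcmp(nv_token_data->user_pin_sha, old_hash_sha, SHA1_HASH_SIZE) != 0) {
         st_err_log(33, __FILE__, __LINE__);
         rc = CKR_PIN_INCORRECT;
         goto done;
      }
      rc  = compute_sha( pNewPin, ulNewLen, new_hash_sha );
      rc |= compute_md5( pNewPin, ulNewLen, hash_md5 );
      if (rc != CKR_OK){
         st_err_log(148, __FILE__, __LINE__);
         goto done;
      }
      /* The old PIN matches, now make sure its different than the new.
       * If so, reset the CKF_USER_PIN_TO_BE_CHANGED flag. -KEY
       */
      if (memcmp(old_hash_sha, new_hash_sha, SHA1_HASH_SIZE) == 0) {
         st_err_log(34, __FILE__, __LINE__);
         rc = CKR_PIN_INVALID;
         goto done;
      }

      rc = XProcLock( xproclock );
      if (rc != CKR_OK){
         st_err_log(150, __FILE__, __LINE__);
         goto done;
      }
         memcpy( nv_token_data->user_pin_sha, new_hash_sha, SHA1_HASH_SIZE );
         memcpy( user_pin_md5, hash_md5, MD5_HASH_SIZE );
         // New in v2.11 - XXX KEY
         sess->session_info.flags &= ~(CKF_USER_PIN_TO_BE_CHANGED);

      XProcUnLock( xproclock );

      rc = save_token_data();
      if (rc != CKR_OK){
          st_err_log(104, __FILE__, __LINE__);
          goto done;
      }
      rc = save_masterkey_user();
   }
   else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
      if (memcmp(nv_token_data->so_pin_sha, old_hash_sha, SHA1_HASH_SIZE) != 0) {
         rc = CKR_PIN_INCORRECT;
         st_err_log(33, __FILE__, __LINE__);
         goto done;
      }
      rc  = compute_sha( pNewPin, ulNewLen, new_hash_sha );
      rc |= compute_md5( pNewPin, ulNewLen, hash_md5 );
      if (rc != CKR_OK){
         st_err_log(148, __FILE__, __LINE__);
         goto done;
      }
      /* The old PIN matches, now make sure its different than the new.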
