NSS_IMPLEMENT PRStatus
STAN_LoadDefaultNSS3TrustDomain (
void
)
{
NSSTrustDomain *td;
SECMODModuleList *mlp;
SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
int i;
if (g_default_trust_domain || g_default_crypto_context) {
/* Stan is already initialized or a previous shutdown failed. */
nss_SetError(NSS_ERROR_ALREADY_INITIALIZED);
return PR_FAILURE;
}
td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL);
if (!td) {
return PR_FAILURE;
}
/*
* Deadlock warning: we should never acquire the moduleLock while
* we hold the tokensLock. We can use the NSSRWLock Rank feature to
* guarrentee this. tokensLock have a higher rank than module lock.
*/
td->tokenList = nssList_Create(td->arena, PR_TRUE);
if (!td->tokenList) {
goto loser;
}
SECMOD_GetReadLock(moduleLock);
NSSRWLock_LockWrite(td->tokensLock);
for (mlp = SECMOD_GetDefaultModuleList(); mlp != NULL; mlp=mlp->next) {
for (i=0; i < mlp->module->slotCount; i++) {
STAN_InitTokenForSlotInfo(td, mlp->module->slots[i]);
}
}
td->tokens = nssList_CreateIterator(td->tokenList);
NSSRWLock_UnlockWrite(td->tokensLock);
SECMOD_ReleaseReadLock(moduleLock);
if (!td->tokens) {
goto loser;
}
g_default_crypto_context = NSSTrustDomain_CreateCryptoContext(td, NULL);
if (!g_default_crypto_context) {
goto loser;
}
g_default_trust_domain = td;
return PR_SUCCESS;
loser:
NSSTrustDomain_Destroy(td);
return PR_FAILURE;
}
/*
* must be called holding the ModuleListLock (either read or write).
*/
NSS_IMPLEMENT SECStatus
STAN_AddModuleToDefaultTrustDomain(
SECMODModule *module)
{
NSSTrustDomain *td;
int i;
td = STAN_GetDefaultTrustDomain();
for (i = 0; i < module->slotCount; i++) {
STAN_InitTokenForSlotInfo(td, module->slots[i]);
}
STAN_ResetTokenInterator(td);
return SECSuccess;
}
/*
* check to see if the module has added new slots. PKCS 11 v2.20 allows for
* modules to add new slots, but never remove them. Slots cannot be added
* between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
* C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
* grow on the caller. It is permissible for the slots to increase between
* successive calls with NULL to get the size.
*/
SECStatus
SECMOD_UpdateSlotList(SECMODModule *mod)
{
CK_RV crv;
CK_ULONG count;
CK_ULONG i, oldCount;
PRBool freeRef = PR_FALSE;
void *mark = NULL;
CK_ULONG *slotIDs = NULL;
PK11SlotInfo **newSlots = NULL;
PK11SlotInfo **oldSlots = NULL;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return SECFailure;
}
/* C_GetSlotList is not a session function, make sure
* calls are serialized */
PZ_Lock(mod->refLock);
freeRef = PR_TRUE;
/* see if the number of slots have changed */
crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, NULL, &count);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
goto loser;
}
/* nothing new, blow out early, we want this function to be quick
* and cheap in the normal case */
if (count == mod->slotCount) {
PZ_Unlock(mod->refLock);
return SECSuccess;
}
if (count < (CK_ULONG)mod->slotCount) {
/* shouldn't happen with a properly functioning PKCS #11 module */
PORT_SetError( SEC_ERROR_INCOMPATIBLE_PKCS11 );
goto loser;
}
/* get the new slot list */
slotIDs = PORT_NewArray(CK_SLOT_ID, count);
if (slotIDs == NULL) {
goto loser;
}
crv = PK11_GETTAB(mod)->C_GetSlotList(PR_FALSE, slotIDs, &count);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
goto loser;
}
freeRef = PR_FALSE;
PZ_Unlock(mod->refLock);
mark = PORT_ArenaMark(mod->arena);
if (mark == NULL) {
goto loser;
}
newSlots = PORT_ArenaZNewArray(mod->arena,PK11SlotInfo *,count);
/* walk down the new slot ID list returned from the module. We keep
* the old slots which match a returned ID, and we initialize the new
* slots. */
for (i=0; i < count; i++) {
PK11SlotInfo *slot = SECMOD_FindSlotByID(mod,slotIDs[i]);
if (!slot) {
/* we have a new slot create a new slot data structure */
slot = PK11_NewSlotInfo(mod);
if (!slot) {
goto loser;
}
PK11_InitSlot(mod, slotIDs[i], slot);
STAN_InitTokenForSlotInfo(NULL, slot);
}
newSlots[i] = slot;
}
STAN_ResetTokenInterator(NULL);
PORT_Free(slotIDs);
slotIDs = NULL;
PORT_ArenaUnmark(mod->arena, mark);
/* until this point we're still using the old slot list. Now we update
* module slot list. We update the slots (array) first then the count,
* since we've already guarrenteed that count has increased (just in case
* someone is looking at the slots field of module without holding the
* moduleLock */
SECMOD_GetWriteLock(moduleLock);
oldCount =mod->slotCount;
oldSlots = mod->slots;
mod->slots = newSlots; /* typical arena 'leak'... old mod->slots is
* allocated out of the module arena and won't
* be freed until the module is freed */
mod->slotCount = count;
SECMOD_ReleaseWriteLock(moduleLock);
/* free our old references before forgetting about oldSlot*/
for (i=0; i < oldCount; i++) {
PK11_FreeSlot(oldSlots[i]);
}
return SECSuccess;
loser:
if (freeRef) {
PZ_Unlock(mod->refLock);
}
if (slotIDs) {
PORT_Free(slotIDs);
}
/* free all the slots we allocated. newSlots are part of the
* mod arena. NOTE: the newSlots array contain both new and old
* slots, but we kept a reference to the old slots when we built the new
* array, so we need to free all the slots in newSlots array. */
if (newSlots) {
for (i=0; i < count; i++) {
if (newSlots[i] == NULL) {
break; /* hit the last one */
}
PK11_FreeSlot(newSlots[i]);
}
}
/* must come after freeing newSlots */
if (mark) {
PORT_ArenaRelease(mod->arena, mark);
}
return SECFailure;
}
