search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import from 1.9a8 tarball
[mozilla-nss.git] / security / nss / lib / softoken / fipsaudt.c
blobd17496deb21bcc641207875aec46d559f5629f4c
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is Network Security Services (NSS).
15 *
16 * The Initial Developer of the Original Code is
17 * Red Hat, Inc.
18 * Portions created by the Initial Developer are Copyright (C) 2006
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
36
37 /*
38 * This file implements audit logging required by FIPS 140-2 Security
39 * Level 2.
40 */
41
42 #include "prprf.h"
43 #include "softoken.h"
44
45 /*
46 * Print the value of the returned object handle in the output buffer
47 * on a successful return of the PKCS #11 function. If the PKCS #11
48 * function failed or the pointer to object handle is NULL (which is
49 * the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
50 * string is stored in the output buffer.
51 *
52 * out: the output buffer
53 * outlen: the length of the output buffer
54 * argName: the name of the "pointer to object handle" argument
55 * phObject: the pointer to object handle
56 * rv: the return value of the PKCS #11 function
57 */
58 static void sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
59 const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
60 {
61 if ((rv == CKR_OK) && phObject) {
62 PR_snprintf(out, outlen,
63 " *%s=0x%08lX", argName, (PRUint32)*phObject);
64 } else {
65 PORT_Assert(outlen != 0);
66 out[0] = '\0';
67 }
68 }
69
70 /*
71 * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
72 * which uses <= 49 bytes.
73 */
74 #define MECHANISM_BUFSIZE 64
75
76 static void sftk_PrintMechanism(char *out, PRUint32 outlen,
77 CK_MECHANISM_PTR pMechanism)
78 {
79 if (pMechanism) {
80 /*
81 * If we change the format string, we need to make sure
82 * MECHANISM_BUFSIZE is still large enough. We allow
83 * 20 bytes for %p on a 64-bit platform.
84 */
85 PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
86 pMechanism, (PRUint32)pMechanism->mechanism);
87 } else {
88 PR_snprintf(out, outlen, "%p", pMechanism);
89 }
90 }
91
92 void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
93 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
94 CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
95 {
96 char msg[256];
97 char shObject[32];
98 NSSAuditSeverity severity = (rv == CKR_OK) ?
99 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
100
101 sftk_PrintReturnedObjectHandle(shObject, sizeof shObject,
102 "phObject", phObject, rv);
103 PR_snprintf(msg, sizeof msg,
104 "C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
105 "phObject=%p)=0x%08lX%s",
106 (PRUint32)hSession, pTemplate, (PRUint32)ulCount,
107 phObject, (PRUint32)rv, shObject);
108 sftk_LogAuditMessage(severity, msg);
109 }
110
111 void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
112 CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
113 CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
114 {
115 char msg[256];
116 char shNewObject[32];
117 NSSAuditSeverity severity = (rv == CKR_OK) ?
118 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
119
120 sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject,
121 "phNewObject", phNewObject, rv);
122 PR_snprintf(msg, sizeof msg,
123 "C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
124 "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
125 (PRUint32)hSession, (PRUint32)hObject,
126 pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject);
127 sftk_LogAuditMessage(severity, msg);
128 }
129
130 /* WARNING: hObject has been destroyed and can only be printed. */
131 void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
132 CK_OBJECT_HANDLE hObject, CK_RV rv)
133 {
134 char msg[256];
135 NSSAuditSeverity severity = (rv == CKR_OK) ?
136 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
137
138 PR_snprintf(msg, sizeof msg,
139 "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
140 (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
141 sftk_LogAuditMessage(severity, msg);
142 }
143
144 void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
145 CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
146 {
147 char msg[256];
148 NSSAuditSeverity severity = (rv == CKR_OK) ?
149 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
150
151 PR_snprintf(msg, sizeof msg,
152 "C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
153 "pulSize=%p)=0x%08lX",
154 (PRUint32)hSession, (PRUint32)hObject,
155 pulSize, (PRUint32)rv);
156 sftk_LogAuditMessage(severity, msg);
157 }
158
159 void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
160 CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
161 CK_ULONG ulCount, CK_RV rv)
162 {
163 char msg[256];
164 NSSAuditSeverity severity = (rv == CKR_OK) ?
165 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
166
167 PR_snprintf(msg, sizeof msg,
168 "C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
169 "pTemplate=%p, ulCount=%lu)=0x%08lX",
170 (PRUint32)hSession, (PRUint32)hObject,
171 pTemplate, (PRUint32)ulCount, (PRUint32)rv);
172 sftk_LogAuditMessage(severity, msg);
173 }
174
175 void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
176 CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
177 CK_ULONG ulCount, CK_RV rv)
178 {
179 char msg[256];
180 NSSAuditSeverity severity = (rv == CKR_OK) ?
181 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
182
183 PR_snprintf(msg, sizeof msg,
184 "C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
185 "pTemplate=%p, ulCount=%lu)=0x%08lX",
186 (PRUint32)hSession, (PRUint32)hObject,
187 pTemplate, (PRUint32)ulCount, (PRUint32)rv);
188 sftk_LogAuditMessage(severity, msg);
189 }
190
191 void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
192 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
193 {
194 char msg[256];
195 char mech[MECHANISM_BUFSIZE];
196 NSSAuditSeverity severity = (rv == CKR_OK) ?
197 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
198
199 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
200 PR_snprintf(msg, sizeof msg,
201 "C_%sInit(hSession=0x%08lX, pMechanism=%s, "
202 "hKey=0x%08lX)=0x%08lX",
203 opName, (PRUint32)hSession, mech,
204 (PRUint32)hKey, (PRUint32)rv);
205 sftk_LogAuditMessage(severity, msg);
206 }
207
208 void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
209 CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
210 CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
211 {
212 char msg[256];
213 char mech[MECHANISM_BUFSIZE];
214 char shKey[32];
215 NSSAuditSeverity severity = (rv == CKR_OK) ?
216 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
217
218 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
219 sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
220 PR_snprintf(msg, sizeof msg,
221 "C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
222 "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
223 (PRUint32)hSession, mech,
224 pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey);
225 sftk_LogAuditMessage(severity, msg);
226 }
227
228 void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
229 CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
230 CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
231 CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
232 CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
233 {
234 char msg[512];
235 char mech[MECHANISM_BUFSIZE];
236 char shPublicKey[32];
237 char shPrivateKey[32];
238 NSSAuditSeverity severity = (rv == CKR_OK) ?
239 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
240
241 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
242 sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey,
243 "phPublicKey", phPublicKey, rv);
244 sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey,
245 "phPrivateKey", phPrivateKey, rv);
246 PR_snprintf(msg, sizeof msg,
247 "C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
248 "pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
249 "pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
250 "phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
251 (PRUint32)hSession, mech,
252 pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
253 pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
254 phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey);
255 sftk_LogAuditMessage(severity, msg);
256 }
257
258 void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
259 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
260 CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
261 CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
262 {
263 char msg[256];
264 char mech[MECHANISM_BUFSIZE];
265 NSSAuditSeverity severity = (rv == CKR_OK) ?
266 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
267
268 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
269 PR_snprintf(msg, sizeof msg,
270 "C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
271 "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
272 (PRUint32)hSession, mech, (PRUint32)hWrappingKey,
273 (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
274 sftk_LogAuditMessage(severity, msg);
275 }
276
277 void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
278 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
279 CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
280 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
281 CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
282 {
283 char msg[256];
284 char mech[MECHANISM_BUFSIZE];
285 char shKey[32];
286 NSSAuditSeverity severity = (rv == CKR_OK) ?
287 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
288
289 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
290 sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
291 PR_snprintf(msg, sizeof msg,
292 "C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
293 "hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
294 "pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
295 (PRUint32)hSession, mech,
296 (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
297 pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
298 sftk_LogAuditMessage(severity, msg);
299 }
300
301 void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
302 CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
303 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
304 CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
305 {
306 char msg[512];
307 char mech[MECHANISM_BUFSIZE];
308 char shKey[32];
309 char sTlsKeys[128];
310 NSSAuditSeverity severity = (rv == CKR_OK) ?
311 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
312
313 sftk_PrintMechanism(mech, sizeof mech, pMechanism);
314 sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
315 if ((rv == CKR_OK) &&
316 (pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
317 CK_SSL3_KEY_MAT_PARAMS *param =
318 (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
319 CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
320 PR_snprintf(sTlsKeys, sizeof sTlsKeys,
321 " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
322 " hClientKey=0x%08lX hServerKey=0x%08lX",
323 (PRUint32)keymat->hClientMacSecret,
324 (PRUint32)keymat->hServerMacSecret,
325 (PRUint32)keymat->hClientKey,
326 (PRUint32)keymat->hServerKey);
327 } else {
328 sTlsKeys[0] = '\0';
329 }
330 PR_snprintf(msg, sizeof msg,
331 "C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
332 "hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
333 "phKey=%p)=0x%08lX%s%s",
334 (PRUint32)hSession, mech,
335 (PRUint32)hBaseKey, pTemplate,(PRUint32)ulAttributeCount,
336 phKey, (PRUint32)rv, shKey, sTlsKeys);
337 sftk_LogAuditMessage(severity, msg);
338 }
339
340 void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
341 CK_OBJECT_HANDLE hKey, CK_RV rv)
342 {
343 char msg[256];
344 NSSAuditSeverity severity = (rv == CKR_OK) ?
345 NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
346
347 PR_snprintf(msg, sizeof msg,
348 "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
349 (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
350 sftk_LogAuditMessage(severity, msg);
351 }
Mozilla NSS module