
lightning-sunbird  0.9+nobinonly
fipsaudt.c
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is Network Security Services (NSS).
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Red Hat, Inc.
00018  * Portions created by the Initial Developer are Copyright (C) 2006
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 
00037 /*
00038  * This file implements audit logging required by FIPS 140-2 Security
00039  * Level 2.
00040  */
00041 
00042 #include "prprf.h"
00043 #include "softoken.h"
00044 
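/*
 * Format the object handle returned by a PKCS #11 function so it can be
 * appended to an audit record.
 *
 * When the PKCS #11 function succeeded (rv == CKR_OK) and phObject is
 * non-NULL, " *<argName>=0x<handle>" is written to the output buffer.
 * If the function failed or the pointer to object handle is NULL (which
 * is the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
 * string is stored instead, so callers can always append the buffer
 * with %s.
 *
 * out: the output buffer
 * outlen: the length of the output buffer
 * argName: the name of the "pointer to object handle" argument
 * phObject: the pointer to object handle
 * rv: the return value of the PKCS #11 function
 */
static void sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
    const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
{
    if ((rv == CKR_OK) && phObject) {
        /*
         * In PR_snprintf the 'l' length modifier selects a 32-bit
         * integer, so the handle is narrowed to PRUint32 to match.
         * NOTE(review): a handle wider than 32 bits would be logged
         * truncated -- presumably softoken handles fit; confirm.
         */
        PR_snprintf(out, outlen,
            " *%s=0x%08lX", argName, (PRUint32)*phObject);
    } else {
        PORT_Assert(outlen != 0);
        /*
         * PORT_Assert is only active in debug builds, so keep a real
         * bounds check: never store the terminator into a zero-length
         * buffer.
         */
        if (outlen != 0) {
            out[0] = '\0';
        }
    }
}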
00069 
/*
 * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
 * which uses <= 49 bytes.  PR_snprintf never writes past the length it
 * is given, so an undersized buffer would clip the mechanism text in
 * the audit record rather than overrun the buffer.
 */
#define MECHANISM_BUFSIZE 64
00075 
/*
 * Render a CK_MECHANISM_PTR for an audit record.
 *
 * A NULL pointer is printed with %p alone.  Otherwise the pointer value
 * and the mechanism type are printed; the mechanism parameter is not
 * read here and appears only as "..." in the output.
 *
 * NOTE(review): %p puts a raw process address into the audit text;
 * readers of the audit log should be trusted accordingly.
 *
 * out: the output buffer (callers size it with MECHANISM_BUFSIZE)
 * outlen: the length of the output buffer
 * pMechanism: the mechanism to describe, may be NULL
 */
static void sftk_PrintMechanism(char *out, PRUint32 outlen,
    CK_MECHANISM_PTR pMechanism)
{
    if (!pMechanism) {
        PR_snprintf(out, outlen, "%p", pMechanism);
        return;
    }

    /*
     * If we change the format string, we need to make sure
     * MECHANISM_BUFSIZE is still large enough.  We allow
     * 20 bytes for %p on a 64-bit platform.
     */
    PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
        pMechanism, (PRUint32)pMechanism->mechanism);
}
00091 
/*
 * Write the audit record for a C_CreateObject call.
 *
 * The record holds the session handle, the template's address and
 * attribute count, the address of the output handle, the return value
 * and, on success, the new object handle.  Attribute contents are never
 * formatted.  Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR
 * for any other return value.
 */
void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
    CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
{
    NSSAuditSeverity level;
    char newHandle[32];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    /* Empty unless the call succeeded and phObject is non-NULL. */
    sftk_PrintReturnedObjectHandle(newHandle, sizeof newHandle,
        "phObject", phObject, rv);

    PR_snprintf(record, sizeof record,
        "C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
        "phObject=%p)=0x%08lX%s",
        (PRUint32)hSession, pTemplate, (PRUint32)ulCount,
        phObject, (PRUint32)rv, newHandle);
    sftk_LogAuditMessage(level, record);
}
00110 
/*
 * Write the audit record for a C_CopyObject call.
 *
 * Logs the session and source object handles, the template's address
 * and attribute count, the address of the output handle, the return
 * value and, on success, the handle of the copy.  Severity is
 * NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
    CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char copyHandle[32];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    /* Empty unless the call succeeded and phNewObject is non-NULL. */
    sftk_PrintReturnedObjectHandle(copyHandle, sizeof copyHandle,
        "phNewObject", phNewObject, rv);

    PR_snprintf(record, sizeof record,
        "C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
        "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
        (PRUint32)hSession, (PRUint32)hObject,
        pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv,
        copyHandle);
    sftk_LogAuditMessage(level, record);
}
00129 
/*
 * Write the audit record for a C_DestroyObject call.
 *
 * WARNING: hObject has been destroyed and can only be printed.  It must
 * not be used to look the object up again.
 *
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject, CK_RV rv)
{
    NSSAuditSeverity level;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    PR_snprintf(record, sizeof record,
        "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
        (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00143 
/*
 * Write the audit record for a C_GetObjectSize call.
 *
 * Logs the session and object handles, the address of the size output
 * (pulSize is printed with %p and never dereferenced) and the return
 * value.  Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR
 * otherwise.
 */
void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    PR_snprintf(record, sizeof record,
        "C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
        "pulSize=%p)=0x%08lX",
        (PRUint32)hSession, (PRUint32)hObject,
        pulSize, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00158 
/*
 * Write the audit record for a C_GetAttributeValue call.
 *
 * Logs the session and object handles, the template's address and
 * attribute count, and the return value.  The attribute values are not
 * formatted.  Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR
 * otherwise.
 */
void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount, CK_RV rv)
{
    NSSAuditSeverity level;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    PR_snprintf(record, sizeof record,
        "C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
        "pTemplate=%p, ulCount=%lu)=0x%08lX",
        (PRUint32)hSession, (PRUint32)hObject,
        pTemplate, (PRUint32)ulCount, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00174 
/*
 * Write the audit record for a C_SetAttributeValue call.
 *
 * Logs the session and object handles, the template's address and
 * attribute count, and the return value.  The new attribute values are
 * not formatted.  Severity is NSS_AUDIT_INFO for CKR_OK and
 * NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    PR_snprintf(record, sizeof record,
        "C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
        "pTemplate=%p, ulCount=%lu)=0x%08lX",
        (PRUint32)hSession, (PRUint32)hObject,
        pTemplate, (PRUint32)ulCount, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00190 
/*
 * Write the audit record for a C_<opName>Init call.
 *
 * opName is spliced into the function name in the record ("C_%sInit").
 * It is printed with %s into a 256-byte buffer, so a long opName would
 * be clipped by PR_snprintf rather than overflow.
 * NOTE(review): callers presumably pass short fixed strings; confirm.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the key handle and the return value.  Severity
 * is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char mechText[MECHANISM_BUFSIZE];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    PR_snprintf(record, sizeof record,
        "C_%sInit(hSession=0x%08lX, pMechanism=%s, "
        "hKey=0x%08lX)=0x%08lX",
        opName, (PRUint32)hSession, mechText,
        (PRUint32)hKey, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00207 
/*
 * Write the audit record for a C_GenerateKey call.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the template's address and attribute count, the
 * address of the output handle, the return value and, on success, the
 * new key handle.  No key or attribute contents are formatted.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char mechText[MECHANISM_BUFSIZE];
    char keyHandle[32];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);
    /* Empty unless the call succeeded and phKey is non-NULL. */
    sftk_PrintReturnedObjectHandle(keyHandle, sizeof keyHandle,
        "phKey", phKey, rv);

    PR_snprintf(record, sizeof record,
        "C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
        "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
        (PRUint32)hSession, mechText,
        pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, keyHandle);
    sftk_LogAuditMessage(level, record);
}
00227 
/*
 * Write the audit record for a C_GenerateKeyPair call.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the address and attribute count of both
 * templates, the addresses of both output handles, the return value
 * and, on success, the two new key handles.  The record buffer is 512
 * bytes because of the number of arguments.  Severity is NSS_AUDIT_INFO
 * for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
    CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
    CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
    CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char mechText[MECHANISM_BUFSIZE];
    char pubHandle[32];
    char privHandle[32];
    char record[512];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);
    /* Each handle string is empty unless rv is CKR_OK and the pointer is set. */
    sftk_PrintReturnedObjectHandle(pubHandle, sizeof pubHandle,
        "phPublicKey", phPublicKey, rv);
    sftk_PrintReturnedObjectHandle(privHandle, sizeof privHandle,
        "phPrivateKey", phPrivateKey, rv);

    PR_snprintf(record, sizeof record,
        "C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
        "pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
        "pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
        "phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
        (PRUint32)hSession, mechText,
        pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
        pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
        phPublicKey, phPrivateKey, (PRUint32)rv, pubHandle, privHandle);
    sftk_LogAuditMessage(level, record);
}
00257 
/*
 * Write the audit record for a C_WrapKey call.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the wrapping-key and wrapped-key handles, the
 * address of the output buffer, the address of its length variable and
 * the return value.  pWrappedKey and pulWrappedKeyLen are printed with
 * %p only, so no wrapped key bytes reach the audit log.  Severity is
 * NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
    CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
    CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char mechText[MECHANISM_BUFSIZE];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    PR_snprintf(record, sizeof record,
        "C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
        "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
        (PRUint32)hSession, mechText, (PRUint32)hWrappingKey,
        (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}
00276 
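/*
 * Write the audit record for a C_UnwrapKey call.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the unwrapping-key handle, the address and
 * length of the wrapped key, the template's address and attribute
 * count, the address of the output handle, the return value and, on
 * success, the new key handle.  The wrapped key bytes are not
 * formatted.  Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR
 * otherwise.
 */
void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    /*
     * With this file's allowance of 20 bytes per %p, two 10-digit %lu
     * counts and a full mechanism string, this format can reach about
     * 300 bytes.  A 256-byte buffer would make PR_snprintf clip the end
     * of the record, which is where the return value and the new key
     * handle are.  Use 512 bytes, as sftk_AuditGenerateKeyPair and
     * sftk_AuditDeriveKey do.
     */
    char msg[512];
    char mech[MECHANISM_BUFSIZE];
    char shKey[32];
    NSSAuditSeverity severity = (rv == CKR_OK) ?
        NSS_AUDIT_INFO : NSS_AUDIT_ERROR;

    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
    /* Empty unless the call succeeded and phKey is non-NULL. */
    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
    PR_snprintf(msg, sizeof msg,
        "C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
        "hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
        "pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
        (PRUint32)hSession, mech,
        (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
        pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
    sftk_LogAuditMessage(severity, msg);
}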
00300 
/*
 * Write the audit record for a C_DeriveKey call.
 *
 * Logs the session handle, the mechanism as rendered by
 * sftk_PrintMechanism, the base key handle, the template's address and
 * attribute count, the address of the output handle, the return value
 * and, on success, the derived key handle.
 *
 * For a successful CKM_TLS_KEY_AND_MAC_DERIVE the four handles in the
 * returned key material (client/server MAC secrets and client/server
 * keys) are appended as well.  Only handles are printed; no other field
 * of the key material is read.
 *
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char mechText[MECHANISM_BUFSIZE];
    char keyHandle[32];
    char tlsHandles[128];
    char record[512];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);
    sftk_PrintReturnedObjectHandle(keyHandle, sizeof keyHandle,
        "phKey", phKey, rv);

    /* Default to no TLS suffix; it is filled in only for the TLS case. */
    tlsHandles[0] = '\0';

    /*
     * NOTE(review): pMechanism, its pParameter and pReturnedKeyMaterial
     * are dereferenced without NULL checks.  This relies on a CKR_OK
     * return meaning C_DeriveKey already validated them -- confirm at
     * the call site.
     */
    if ((rv == CKR_OK) &&
        (pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
        CK_SSL3_KEY_MAT_PARAMS *tlsParams =
            (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
        CK_SSL3_KEY_MAT_OUT *material = tlsParams->pReturnedKeyMaterial;

        PR_snprintf(tlsHandles, sizeof tlsHandles,
            " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
            " hClientKey=0x%08lX hServerKey=0x%08lX",
            (PRUint32)material->hClientMacSecret,
            (PRUint32)material->hServerMacSecret,
            (PRUint32)material->hClientKey,
            (PRUint32)material->hServerKey);
    }

    PR_snprintf(record, sizeof record,
        "C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
        "hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
        "phKey=%p)=0x%08lX%s%s",
        (PRUint32)hSession, mechText,
        (PRUint32)hBaseKey, pTemplate, (PRUint32)ulAttributeCount,
        phKey, (PRUint32)rv, keyHandle, tlsHandles);
    sftk_LogAuditMessage(level, record);
}
00339 
/*
 * Write the audit record for a C_DigestKey call.
 *
 * Logs the session handle, the key handle and the return value.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise.
 */
void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
    CK_OBJECT_HANDLE hKey, CK_RV rv)
{
    NSSAuditSeverity level = NSS_AUDIT_ERROR;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    }

    PR_snprintf(record, sizeof record,
        "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
        (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
    sftk_LogAuditMessage(level, record);
}