Coverage Report

Created: 2024-11-21 07:03

/src/nss-nspr/nss/lib/softoken/fipsaudt.c
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * This file implements audit logging required by FIPS 140-2 Security
 * Level 2.
 */
#include "prprf.h"
#include "softoken.h"
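/*
 * Format the object handle returned by a PKCS #11 function for an audit
 * record.
 *
 * If the PKCS #11 function succeeded (rv == CKR_OK) and phObject is not
 * NULL, " *<argName>=0x<handle>" is written to the output buffer.  In
 * every other case -- the function failed, or the pointer to object handle
 * is NULL (which is the case for C_DeriveKey with
 * CKM_TLS_KEY_AND_MAC_DERIVE) -- an empty string is stored instead, and
 * nothing is read through phObject.
 *
 * out: the output buffer
 * outlen: the length of the output buffer; callers are expected to pass a
 *     non-zero length
 * argName: the name of the "pointer to object handle" argument
 * phObject: the pointer to object handle
 * rv: the return value of the PKCS #11 function
 */
static void
sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
                               const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
{
    if ((rv == CKR_OK) && phObject) {
        /*
         * The handle is narrowed to PRUint32 to match the %lX conversion,
         * so only its low 32 bits appear in the record.
         */
        PR_snprintf(out, outlen,
                    " *%s=0x%08lX", argName, (PRUint32)*phObject);
    } else {
        PORT_Assert(outlen != 0);
        /*
         * PORT_Assert is normally compiled out of optimized builds, so
         * the terminator is written only when the buffer has room for
         * it; a zero-length buffer is left untouched instead of being
         * written past its end.
         */
        if (outlen != 0) {
            out[0] = '\0';
        }
    }
}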
/*
 * Size of the scratch buffer that callers hand to sftk_PrintMechanism.
 * It must stay large enough for that function's output, which uses
 * <= 49 bytes.
 */
#define MECHANISM_BUFSIZE 64

/*
 * Render a mechanism argument for an audit record.
 *
 * A NULL pMechanism is printed as the bare pointer value.  Otherwise the
 * pointer value is followed by the mechanism type; the mechanism
 * parameter is not read here and is represented by the literal "...".
 *
 * out: the output buffer
 * outlen: the length of the output buffer
 * pMechanism: the mechanism argument of the PKCS #11 function
 */
static void
sftk_PrintMechanism(char *out, PRUint32 outlen,
                    CK_MECHANISM_PTR pMechanism)
{
    if (!pMechanism) {
        PR_snprintf(out, outlen, "%p", pMechanism);
        return;
    }

    /*
     * If this format string changes, MECHANISM_BUFSIZE must be
     * re-checked.  20 bytes are budgeted for %p on a 64-bit platform.
     */
    PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
                pMechanism, (PRUint32)pMechanism->mechanism);
}
/*
 * Build and submit the audit record for C_CreateObject.
 *
 * The record carries the session handle, the address and length of the
 * attribute template, the address of the handle out-parameter, the
 * return value and, on success, the new object handle.  Pointer
 * arguments are recorded as addresses only; the template contents are
 * not read.  Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR
 * otherwise; the event type is NSS_AUDIT_LOAD_KEY.
 */
void
sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
                       CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
                       CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
{
    NSSAuditSeverity level;
    char handleText[32];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    /* Empty unless the call succeeded and phObject is non-NULL. */
    sftk_PrintReturnedObjectHandle(handleText, sizeof handleText,
                                   "phObject", phObject, rv);

    PR_snprintf(record, sizeof record,
                "C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
                "phObject=%p)=0x%08lX%s",
                (PRUint32)hSession, pTemplate, (PRUint32)ulCount,
                phObject, (PRUint32)rv, handleText);

    sftk_LogAuditMessage(level, NSS_AUDIT_LOAD_KEY, record);
}
/*
 * Build and submit the audit record for C_CopyObject.
 *
 * Logged fields: session handle, source object handle, address and
 * length of the attribute template, address of the new-handle
 * out-parameter, return value and, on success, the handle of the copy.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_COPY_KEY.
 */
void
sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
                     CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
                     CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
{
    NSSAuditSeverity level = (rv != CKR_OK) ? NSS_AUDIT_ERROR : NSS_AUDIT_INFO;
    char copyHandleText[32];
    char record[256];

    /* Empty unless the call succeeded and phNewObject is non-NULL. */
    sftk_PrintReturnedObjectHandle(copyHandleText, sizeof copyHandleText,
                                   "phNewObject", phNewObject, rv);

    PR_snprintf(record, sizeof record,
                "C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
                "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
                (PRUint32)hSession, (PRUint32)hObject,
                pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv,
                copyHandleText);

    sftk_LogAuditMessage(level, NSS_AUDIT_COPY_KEY, record);
}
/*
 * Build and submit the audit record for C_DestroyObject.
 *
 * WARNING: hObject has been destroyed and can only be printed.  The
 * handle value is formatted into the record and is not used for any
 * lookup here.
 *
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_DESTROY_KEY.
 */
void
sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
                        CK_OBJECT_HANDLE hObject, CK_RV rv)
{
    NSSAuditSeverity level;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    PR_snprintf(record, sizeof record,
                "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
                (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_DESTROY_KEY, record);
}
/*
 * Build and submit the audit record for C_GetObjectSize.
 *
 * Logged fields: session handle, object handle, address of the size
 * out-parameter and the return value.  pulSize is printed as a pointer
 * and never dereferenced, so the size itself is not part of the record.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_ACCESS_KEY.
 */
void
sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
                        CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
{
    NSSAuditSeverity level = (rv != CKR_OK) ? NSS_AUDIT_ERROR : NSS_AUDIT_INFO;
    char record[256];

    PR_snprintf(record, sizeof record,
                "C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
                "pulSize=%p)=0x%08lX",
                (PRUint32)hSession, (PRUint32)hObject,
                pulSize, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_ACCESS_KEY, record);
}
/*
 * Build and submit the audit record for C_GetAttributeValue.
 *
 * Logged fields: session handle, object handle, address and length of
 * the attribute template and the return value.  The template is printed
 * as a pointer only; attribute types and values are not read here.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_ACCESS_KEY.
 */
void
sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
                            CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
                            CK_ULONG ulCount, CK_RV rv)
{
    NSSAuditSeverity level;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    PR_snprintf(record, sizeof record,
                "C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
                "pTemplate=%p, ulCount=%lu)=0x%08lX",
                (PRUint32)hSession, (PRUint32)hObject,
                pTemplate, (PRUint32)ulCount, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_ACCESS_KEY, record);
}
/*
 * Build and submit the audit record for C_SetAttributeValue.
 *
 * Logged fields: session handle, object handle, address and length of
 * the attribute template and the return value.  The record shows that
 * an attribute change was attempted and its outcome, but not which
 * attributes were involved, because the template is printed as a
 * pointer only.  Severity is NSS_AUDIT_INFO for CKR_OK and
 * NSS_AUDIT_ERROR otherwise; the event type is NSS_AUDIT_CHANGE_KEY.
 */
void
sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
                            CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
                            CK_ULONG ulCount, CK_RV rv)
{
    NSSAuditSeverity level = (rv != CKR_OK) ? NSS_AUDIT_ERROR : NSS_AUDIT_INFO;
    char record[256];

    PR_snprintf(record, sizeof record,
                "C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
                "pTemplate=%p, ulCount=%lu)=0x%08lX",
                (PRUint32)hSession, (PRUint32)hObject,
                pTemplate, (PRUint32)ulCount, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_CHANGE_KEY, record);
}
/*
 * Build and submit the audit record for a C_<opName>Init call.
 *
 * opName: the operation name spliced into the function name of the
 *     record ("C_%sInit").  It is passed as a %s argument, never as the
 *     format string itself.
 * hSession, pMechanism, hKey: the arguments of the PKCS #11 function
 * rv: the return value of the PKCS #11 function
 *
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_CRYPT.
 */
void
sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
                    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char mechText[MECHANISM_BUFSIZE];
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    PR_snprintf(record, sizeof record,
                "C_%sInit(hSession=0x%08lX, pMechanism=%s, "
                "hKey=0x%08lX)=0x%08lX",
                opName, (PRUint32)hSession, mechText,
                (PRUint32)hKey, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_CRYPT, record);
}
/*
 * Build and submit the audit record for C_GenerateKey.
 *
 * Logged fields: session handle, mechanism (pointer and type), address
 * and length of the attribute template, address of the key-handle
 * out-parameter, return value and, on success, the new key handle.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_GENERATE_KEY.
 */
void
sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
                      CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
                      CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    NSSAuditSeverity level = (rv != CKR_OK) ? NSS_AUDIT_ERROR : NSS_AUDIT_INFO;
    char keyHandleText[32];
    char mechText[MECHANISM_BUFSIZE];
    char record[256];

    /* The two fragments are independent of each other. */
    sftk_PrintReturnedObjectHandle(keyHandleText, sizeof keyHandleText,
                                   "phKey", phKey, rv);
    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    PR_snprintf(record, sizeof record,
                "C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
                "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
                (PRUint32)hSession, mechText,
                pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv,
                keyHandleText);

    sftk_LogAuditMessage(level, NSS_AUDIT_GENERATE_KEY, record);
}
/*
 * Build and submit the audit record for C_GenerateKeyPair.
 *
 * Logged fields: session handle, mechanism (pointer and type), address
 * and length of both attribute templates, addresses of both key-handle
 * out-parameters, return value and, on success, the public and private
 * key handles.  The record is assembled in a 512-byte buffer.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_GENERATE_KEY.
 */
void
sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
                          CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
                          CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
                          CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
                          CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char privHandleText[32];
    char pubHandleText[32];
    char mechText[MECHANISM_BUFSIZE];
    char record[512];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    /* Each fragment is empty unless rv is CKR_OK and the pointer is set. */
    sftk_PrintReturnedObjectHandle(pubHandleText, sizeof pubHandleText,
                                   "phPublicKey", phPublicKey, rv);
    sftk_PrintReturnedObjectHandle(privHandleText, sizeof privHandleText,
                                   "phPrivateKey", phPrivateKey, rv);

    PR_snprintf(record, sizeof record,
                "C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
                "pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
                "pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
                "phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
                (PRUint32)hSession, mechText,
                pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
                pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
                phPublicKey, phPrivateKey, (PRUint32)rv,
                pubHandleText, privHandleText);

    sftk_LogAuditMessage(level, NSS_AUDIT_GENERATE_KEY, record);
}
/*
 * Build and submit the audit record for C_WrapKey.
 *
 * Logged fields: session handle, mechanism (pointer and type), wrapping
 * key handle, handle of the key being wrapped, addresses of the output
 * buffer and of its length, and the return value.  pWrappedKey and
 * pulWrappedKeyLen are printed as pointers only, so neither the wrapped
 * key bytes nor their length enter the record.  Severity is
 * NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise; the event
 * type is NSS_AUDIT_WRAP_KEY.
 */
void
sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
                  CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
                  CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
                  CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
{
    NSSAuditSeverity level = (rv != CKR_OK) ? NSS_AUDIT_ERROR : NSS_AUDIT_INFO;
    char mechText[MECHANISM_BUFSIZE];
    char record[256];

    sftk_PrintMechanism(mechText, sizeof mechText, pMechanism);

    PR_snprintf(record, sizeof record,
                "C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
                "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
                (PRUint32)hSession, mechText, (PRUint32)hWrappingKey,
                (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_WRAP_KEY, record);
}
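/*
 * Build and submit the audit record for C_UnwrapKey.
 *
 * Logged fields: session handle, mechanism (pointer and type),
 * unwrapping key handle, address and length of the wrapped key, address
 * and length of the attribute template, address of the key-handle
 * out-parameter, return value and, on success, the new key handle.
 * The wrapped key is printed as a pointer only; its bytes are not read.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_UNWRAP_KEY.
 */
void
sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
                    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
                    CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
                    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
                    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    /*
     * This record has four %p fields (three here plus the one inside the
     * mechanism string).  At the 20 bytes this file budgets for %p on a
     * 64-bit platform, the formatted text can exceed 256 bytes, and
     * PR_snprintf would then cut off the end of the record -- the return
     * value and the returned key handle.  Use the 512-byte size that
     * C_GenerateKeyPair and C_DeriveKey use for their long records.
     * NOTE(review): any length limit inside sftk_LogAuditMessage is not
     * visible from this function -- confirm it accepts the longer text.
     */
    char msg[512];
    char mech[MECHANISM_BUFSIZE];
    char shKey[32];
    NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;

    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
    /* shKey is empty unless the call succeeded and phKey is non-NULL. */
    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
    PR_snprintf(msg, sizeof msg,
                "C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
                "hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
                "pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
                (PRUint32)hSession, mech,
                (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
                pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
    sftk_LogAuditMessage(severity, NSS_AUDIT_UNWRAP_KEY, msg);
}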
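/*
 * Build and submit the audit record for C_DeriveKey.
 *
 * Logged fields: session handle, mechanism (pointer and type), base key
 * handle, address and length of the attribute template, address of the
 * key-handle out-parameter, return value and, on success, the derived
 * key handle.  For a successful CKM_TLS_KEY_AND_MAC_DERIVE call the
 * four handles returned in the key material structure (client and
 * server MAC secrets, client and server keys) are appended as well;
 * only those four handle fields are read from the structure.
 *
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_DERIVE_KEY.
 */
void
sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
                    CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
                    CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
                    CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
{
    char msg[512];
    char mech[MECHANISM_BUFSIZE];
    char shKey[32];
    char sTlsKeys[128];
    NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;

    sftk_PrintMechanism(mech, sizeof mech, pMechanism);
    sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);

    /* Default: no TLS key material suffix. */
    sTlsKeys[0] = '\0';

    /*
     * A CKR_OK result presumably implies that the mechanism, its
     * parameter and the returned key material are all valid, but the
     * audit path should not be the place that crashes if that ever stops
     * being true.  Check each pointer before following it and fall back
     * to the empty suffix.
     */
    if ((rv == CKR_OK) && pMechanism &&
        (pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
        CK_SSL3_KEY_MAT_PARAMS *param =
            (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;

        if (param && param->pReturnedKeyMaterial) {
            CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;

            PR_snprintf(sTlsKeys, sizeof sTlsKeys,
                        " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
                        " hClientKey=0x%08lX hServerKey=0x%08lX",
                        (PRUint32)keymat->hClientMacSecret,
                        (PRUint32)keymat->hServerMacSecret,
                        (PRUint32)keymat->hClientKey,
                        (PRUint32)keymat->hServerKey);
        }
    }

    PR_snprintf(msg, sizeof msg,
                "C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
                "hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
                "phKey=%p)=0x%08lX%s%s",
                (PRUint32)hSession, mech,
                (PRUint32)hBaseKey, pTemplate, (PRUint32)ulAttributeCount,
                phKey, (PRUint32)rv, shKey, sTlsKeys);
    sftk_LogAuditMessage(severity, NSS_AUDIT_DERIVE_KEY, msg);
}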
/*
 * Build and submit the audit record for C_DigestKey.
 *
 * Logged fields: session handle, key handle and return value.
 * Severity is NSS_AUDIT_INFO for CKR_OK and NSS_AUDIT_ERROR otherwise;
 * the event type is NSS_AUDIT_DIGEST_KEY.
 */
void
sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
                    CK_OBJECT_HANDLE hKey, CK_RV rv)
{
    NSSAuditSeverity level;
    char record[256];

    if (rv == CKR_OK) {
        level = NSS_AUDIT_INFO;
    } else {
        level = NSS_AUDIT_ERROR;
    }

    PR_snprintf(record, sizeof record,
                "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
                (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);

    sftk_LogAuditMessage(level, NSS_AUDIT_DIGEST_KEY, record);
}