palemoon-dev/platform/security/nss/lib/ckfw/token.c

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * token.c
 *
 * This file implements the NSSCKFWToken type and methods.
 */

#ifndef CK_T
#include "ck.h"
#endif /* CK_T */

/*
 * NSSCKFWToken
 *
 *  -- create/destroy --
 *  nssCKFWToken_Create
 *  nssCKFWToken_Destroy
 *
 *  -- public accessors --
 *  NSSCKFWToken_GetMDToken
 *  NSSCKFWToken_GetFWSlot
 *  NSSCKFWToken_GetMDSlot
 *  NSSCKFWToken_GetSessionState
 *
 *  -- implement public accessors --
 *  nssCKFWToken_GetMDToken
 *  nssCKFWToken_GetFWSlot
 *  nssCKFWToken_GetMDSlot
 *  nssCKFWToken_GetSessionState
 *  nssCKFWToken_SetSessionState
 *
 *  -- private accessors --
 *  nssCKFWToken_SetSessionState
 *  nssCKFWToken_RemoveSession
 *  nssCKFWToken_CloseAllSessions
 *  nssCKFWToken_GetSessionCount
 *  nssCKFWToken_GetRwSessionCount
 *  nssCKFWToken_GetRoSessionCount
 *  nssCKFWToken_GetSessionObjectHash
 *  nssCKFWToken_GetMDObjectHash
 *  nssCKFWToken_GetObjectHandleHash
 *
 *  -- module fronts --
 *  nssCKFWToken_InitToken
 *  nssCKFWToken_GetLabel
 *  nssCKFWToken_GetManufacturerID
 *  nssCKFWToken_GetModel
 *  nssCKFWToken_GetSerialNumber
 *  nssCKFWToken_GetHasRNG
 *  nssCKFWToken_GetIsWriteProtected
 *  nssCKFWToken_GetLoginRequired
 *  nssCKFWToken_GetUserPinInitialized
 *  nssCKFWToken_GetRestoreKeyNotNeeded
 *  nssCKFWToken_GetHasClockOnToken
 *  nssCKFWToken_GetHasProtectedAuthenticationPath
 *  nssCKFWToken_GetSupportsDualCryptoOperations
 *  nssCKFWToken_GetMaxSessionCount
 *  nssCKFWToken_GetMaxRwSessionCount
 *  nssCKFWToken_GetMaxPinLen
 *  nssCKFWToken_GetMinPinLen
 *  nssCKFWToken_GetTotalPublicMemory
 *  nssCKFWToken_GetFreePublicMemory
 *  nssCKFWToken_GetTotalPrivateMemory
 *  nssCKFWToken_GetFreePrivateMemory
 *  nssCKFWToken_GetHardwareVersion
 *  nssCKFWToken_GetFirmwareVersion
 *  nssCKFWToken_GetUTCTime
 *  nssCKFWToken_OpenSession
 *  nssCKFWToken_GetMechanismCount
 *  nssCKFWToken_GetMechanismTypes
 *  nssCKFWToken_GetMechanism
 */

struct NSSCKFWTokenStr {
    NSSCKFWMutex *mutex;
    NSSArena *arena;
    NSSCKMDToken *mdToken;
    NSSCKFWSlot *fwSlot;
    NSSCKMDSlot *mdSlot;
    NSSCKFWInstance *fwInstance;
    NSSCKMDInstance *mdInstance;

    /*
     * Everything above is set at creation time, and then not modified.
     * The invariants the mutex protects are:
     *
     * 1) Each of the cached descriptions (versions, etc.) are in an
     *    internally consistant state.
     *
     * 2) The session counts and hashes are consistant.
     *
     * 3) The object hashes are consistant.
     *
     * Note that the calls accessing the cached descriptions will call
     * the NSSCKMDToken methods with the mutex locked.  Those methods
     * may then call the public NSSCKFWToken routines.  Those public
     * routines only access the constant data above and the atomic
     * CK_STATE session state variable below, so there's no problem.
     * But be careful if you add to this object; mutexes are in
     * general not reentrant, so don't create deadlock situations.
     */

    NSSUTF8 *label;
    NSSUTF8 *manufacturerID;
    NSSUTF8 *model;
    NSSUTF8 *serialNumber;
    CK_VERSION hardwareVersion;
    CK_VERSION firmwareVersion;

    CK_ULONG sessionCount;
    CK_ULONG rwSessionCount;
    nssCKFWHash *sessions;
    nssCKFWHash *sessionObjectHash;
    nssCKFWHash *mdObjectHash;
    nssCKFWHash *mdMechanismHash;

    CK_STATE state;
};

#ifdef DEBUG
/*
 * But first, the pointer-tracking stuff.
 *
 * NOTE: the pointer-tracking support in NSS/base currently relies
 * upon NSPR's CallOnce support.  That, however, relies upon NSPR's
 * locking, which is tied into the runtime.  We need a pointer-tracker
 * implementation that uses the locks supplied through C_Initialize.
 * That support, however, can be filled in later.  So for now, I'll
 * just do this routines as no-ops.
 */

static CK_RV
token_add_pointer(
    const NSSCKFWToken *fwToken)
{
    return CKR_OK;
}

static CK_RV
token_remove_pointer(
    const NSSCKFWToken *fwToken)
{
    return CKR_OK;
}

NSS_IMPLEMENT CK_RV
nssCKFWToken_verifyPointer(
    const NSSCKFWToken *fwToken)
{
    return CKR_OK;
}

#endif /* DEBUG */

/*
 * nssCKFWToken_Create
 *
 */
NSS_IMPLEMENT NSSCKFWToken *
nssCKFWToken_Create(
    NSSCKFWSlot *fwSlot,
    NSSCKMDToken *mdToken,
    CK_RV *pError)
{
    NSSArena *arena = (NSSArena *)NULL;
    NSSCKFWToken *fwToken = (NSSCKFWToken *)NULL;
    CK_BBOOL called_setup = CK_FALSE;

    /*
     * We have already verified the arguments in nssCKFWSlot_GetToken.
     */

    arena = NSSArena_Create();
    if (!arena) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
    }

    fwToken = nss_ZNEW(arena, NSSCKFWToken);
    if (!fwToken) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
    }

    fwToken->arena = arena;
    fwToken->mdToken = mdToken;
    fwToken->fwSlot = fwSlot;
    fwToken->fwInstance = nssCKFWSlot_GetFWInstance(fwSlot);
    fwToken->mdInstance = nssCKFWSlot_GetMDInstance(fwSlot);
    fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
    fwToken->sessionCount = 0;
    fwToken->rwSessionCount = 0;

    fwToken->mutex = nssCKFWInstance_CreateMutex(fwToken->fwInstance, arena, pError);
    if (!fwToken->mutex) {
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto loser;
    }

    fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, arena, pError);
    if (!fwToken->sessions) {
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto loser;
    }

    if (CK_TRUE != nssCKFWInstance_GetModuleHandlesSessionObjects(
                       fwToken->fwInstance)) {
        fwToken->sessionObjectHash = nssCKFWHash_Create(fwToken->fwInstance,
                                                        arena, pError);
        if (!fwToken->sessionObjectHash) {
            if (CKR_OK == *pError) {
                *pError = CKR_GENERAL_ERROR;
            }
            goto loser;
        }
    }

    fwToken->mdObjectHash = nssCKFWHash_Create(fwToken->fwInstance,
                                               arena, pError);
    if (!fwToken->mdObjectHash) {
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto loser;
    }

    fwToken->mdMechanismHash = nssCKFWHash_Create(fwToken->fwInstance,
                                                  arena, pError);
    if (!fwToken->mdMechanismHash) {
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto loser;
    }

    /* More here */

    if (mdToken->Setup) {
        *pError = mdToken->Setup(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
        if (CKR_OK != *pError) {
            goto loser;
        }
    }

    called_setup = CK_TRUE;

#ifdef DEBUG
    *pError = token_add_pointer(fwToken);
    if (CKR_OK != *pError) {
        goto loser;
    }
#endif /* DEBUG */

    *pError = CKR_OK;
    return fwToken;

loser:

    if (CK_TRUE == called_setup) {
        if (mdToken->Invalidate) {
            mdToken->Invalidate(mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
        }
    }

    if (arena) {
        (void)NSSArena_Destroy(arena);
    }

    return (NSSCKFWToken *)NULL;
}

static void
nss_ckfwtoken_session_iterator(
    const void *key,
    void *value,
    void *closure)
{
    /*
     * Remember that the fwToken->mutex is locked
     */
    NSSCKFWSession *fwSession = (NSSCKFWSession *)value;
    (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
    return;
}

static void
nss_ckfwtoken_object_iterator(
    const void *key,
    void *value,
    void *closure)
{
    /*
     * Remember that the fwToken->mutex is locked
     */
    NSSCKFWObject *fwObject = (NSSCKFWObject *)value;
    (void)nssCKFWObject_Finalize(fwObject, CK_FALSE);
    return;
}

/*
 * nssCKFWToken_Destroy
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_Destroy(
    NSSCKFWToken *fwToken)
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    (void)nssCKFWMutex_Destroy(fwToken->mutex);

    if (fwToken->mdToken->Invalidate) {
        fwToken->mdToken->Invalidate(fwToken->mdToken, fwToken,
                                     fwToken->mdInstance, fwToken->fwInstance);
    }
    /* we can destroy the list without locking now because no one else is
     * referencing us (or _Destroy was invalidly called!)
     */
    nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator,
                        (void *)NULL);
    nssCKFWHash_Destroy(fwToken->sessions);

    /* session objects go away when their sessions are removed */
    if (fwToken->sessionObjectHash) {
        nssCKFWHash_Destroy(fwToken->sessionObjectHash);
    }

    /* free up the token objects */
    if (fwToken->mdObjectHash) {
        nssCKFWHash_Iterate(fwToken->mdObjectHash, nss_ckfwtoken_object_iterator,
                            (void *)NULL);
        nssCKFWHash_Destroy(fwToken->mdObjectHash);
    }
    if (fwToken->mdMechanismHash) {
        nssCKFWHash_Destroy(fwToken->mdMechanismHash);
    }

    nssCKFWSlot_ClearToken(fwToken->fwSlot);

#ifdef DEBUG
    error = token_remove_pointer(fwToken);
#endif /* DEBUG */

    (void)NSSArena_Destroy(fwToken->arena);
    return error;
}

/*
 * nssCKFWToken_GetMDToken
 *
 */
NSS_IMPLEMENT NSSCKMDToken *
nssCKFWToken_GetMDToken(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKMDToken *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->mdToken;
}

/*
 * nssCKFWToken_GetArena
 *
 */
NSS_IMPLEMENT NSSArena *
nssCKFWToken_GetArena(
    NSSCKFWToken *fwToken,
    CK_RV *pError)
{
#ifdef NSSDEBUG
    if (!pError) {
        return (NSSArena *)NULL;
    }

    *pError = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != *pError) {
        return (NSSArena *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->arena;
}

/*
 * nssCKFWToken_GetFWSlot
 *
 */
NSS_IMPLEMENT NSSCKFWSlot *
nssCKFWToken_GetFWSlot(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKFWSlot *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->fwSlot;
}

/*
 * nssCKFWToken_GetMDSlot
 *
 */
NSS_IMPLEMENT NSSCKMDSlot *
nssCKFWToken_GetMDSlot(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKMDSlot *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->mdSlot;
}

/*
 * nssCKFWToken_GetSessionState
 *
 */
NSS_IMPLEMENT CK_STATE
nssCKFWToken_GetSessionState(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CKS_RO_PUBLIC_SESSION; /* whatever */
    }
#endif /* NSSDEBUG */

    /*
     * BTW, do not lock the token in this method.
     */

    /*
     * Theoretically, there is no state if there aren't any
     * sessions open.  But then we'd need to worry about
     * reporting an error, etc.  What the heck-- let's just
     * revert to CKR_RO_PUBLIC_SESSION as the "default."
     */

    return fwToken->state;
}

/*
 * nssCKFWToken_InitToken
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_InitToken(
    NSSCKFWToken *fwToken,
    NSSItem *pin,
    NSSUTF8 *label)
{
    CK_RV error;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return CKR_ARGUMENTS_BAD;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (fwToken->sessionCount > 0) {
        error = CKR_SESSION_EXISTS;
        goto done;
    }

    if (!fwToken->mdToken->InitToken) {
        error = CKR_DEVICE_ERROR;
        goto done;
    }

    if (!pin) {
        if (nssCKFWToken_GetHasProtectedAuthenticationPath(fwToken)) {
            ; /* okay */
        } else {
            error = CKR_PIN_INCORRECT;
            goto done;
        }
    }

    if (!label) {
        label = (NSSUTF8 *)"";
    }

    error = fwToken->mdToken->InitToken(fwToken->mdToken, fwToken,
                                        fwToken->mdInstance, fwToken->fwInstance, pin, label);

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetLabel
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetLabel(
    NSSCKFWToken *fwToken,
    CK_CHAR label[32])
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    if ((CK_CHAR_PTR)NULL == label) {
        return CKR_ARGUMENTS_BAD;
    }

    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (!fwToken->label) {
        if (fwToken->mdToken->GetLabel) {
            fwToken->label = fwToken->mdToken->GetLabel(fwToken->mdToken, fwToken,
                                                        fwToken->mdInstance, fwToken->fwInstance, &error);
            if ((!fwToken->label) && (CKR_OK != error)) {
                goto done;
            }
        } else {
            fwToken->label = (NSSUTF8 *)"";
        }
    }

    (void)nssUTF8_CopyIntoFixedBuffer(fwToken->label, (char *)label, 32, ' ');
    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetManufacturerID
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetManufacturerID(
    NSSCKFWToken *fwToken,
    CK_CHAR manufacturerID[32])
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    if ((CK_CHAR_PTR)NULL == manufacturerID) {
        return CKR_ARGUMENTS_BAD;
    }

    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (!fwToken->manufacturerID) {
        if (fwToken->mdToken->GetManufacturerID) {
            fwToken->manufacturerID = fwToken->mdToken->GetManufacturerID(fwToken->mdToken,
                                                                          fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
            if ((!fwToken->manufacturerID) && (CKR_OK != error)) {
                goto done;
            }
        } else {
            fwToken->manufacturerID = (NSSUTF8 *)"";
        }
    }

    (void)nssUTF8_CopyIntoFixedBuffer(fwToken->manufacturerID, (char *)manufacturerID, 32, ' ');
    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetModel
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetModel(
    NSSCKFWToken *fwToken,
    CK_CHAR model[16])
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    if ((CK_CHAR_PTR)NULL == model) {
        return CKR_ARGUMENTS_BAD;
    }

    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (!fwToken->model) {
        if (fwToken->mdToken->GetModel) {
            fwToken->model = fwToken->mdToken->GetModel(fwToken->mdToken, fwToken,
                                                        fwToken->mdInstance, fwToken->fwInstance, &error);
            if ((!fwToken->model) && (CKR_OK != error)) {
                goto done;
            }
        } else {
            fwToken->model = (NSSUTF8 *)"";
        }
    }

    (void)nssUTF8_CopyIntoFixedBuffer(fwToken->model, (char *)model, 16, ' ');
    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetSerialNumber
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetSerialNumber(
    NSSCKFWToken *fwToken,
    CK_CHAR serialNumber[16])
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    if ((CK_CHAR_PTR)NULL == serialNumber) {
        return CKR_ARGUMENTS_BAD;
    }

    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (!fwToken->serialNumber) {
        if (fwToken->mdToken->GetSerialNumber) {
            fwToken->serialNumber = fwToken->mdToken->GetSerialNumber(fwToken->mdToken,
                                                                      fwToken, fwToken->mdInstance, fwToken->fwInstance, &error);
            if ((!fwToken->serialNumber) && (CKR_OK != error)) {
                goto done;
            }
        } else {
            fwToken->serialNumber = (NSSUTF8 *)"";
        }
    }

    (void)nssUTF8_CopyIntoFixedBuffer(fwToken->serialNumber, (char *)serialNumber, 16, ' ');
    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetHasRNG
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetHasRNG(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetHasRNG) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetHasRNG(fwToken->mdToken, fwToken,
                                       fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetIsWriteProtected
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetIsWriteProtected(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetIsWriteProtected) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetIsWriteProtected(fwToken->mdToken, fwToken,
                                                 fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetLoginRequired
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetLoginRequired(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetLoginRequired) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetLoginRequired(fwToken->mdToken, fwToken,
                                              fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetUserPinInitialized
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetUserPinInitialized(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetUserPinInitialized) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetUserPinInitialized(fwToken->mdToken, fwToken,
                                                   fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetRestoreKeyNotNeeded
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetRestoreKeyNotNeeded(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetRestoreKeyNotNeeded) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetRestoreKeyNotNeeded(fwToken->mdToken, fwToken,
                                                    fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetHasClockOnToken
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetHasClockOnToken(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetHasClockOnToken) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetHasClockOnToken(fwToken->mdToken, fwToken,
                                                fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetHasProtectedAuthenticationPath
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetHasProtectedAuthenticationPath(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetHasProtectedAuthenticationPath) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetHasProtectedAuthenticationPath(fwToken->mdToken,
                                                               fwToken, fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetSupportsDualCryptoOperations
 *
 */
NSS_IMPLEMENT CK_BBOOL
nssCKFWToken_GetSupportsDualCryptoOperations(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_FALSE;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetSupportsDualCryptoOperations) {
        return CK_FALSE;
    }

    return fwToken->mdToken->GetSupportsDualCryptoOperations(fwToken->mdToken,
                                                             fwToken, fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetMaxSessionCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetMaxSessionCount(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMaxSessionCount) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetMaxSessionCount(fwToken->mdToken, fwToken,
                                                fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetMaxRwSessionCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetMaxRwSessionCount(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMaxRwSessionCount) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetMaxRwSessionCount(fwToken->mdToken, fwToken,
                                                  fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetMaxPinLen
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetMaxPinLen(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMaxPinLen) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetMaxPinLen(fwToken->mdToken, fwToken,
                                          fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetMinPinLen
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetMinPinLen(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMinPinLen) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetMinPinLen(fwToken->mdToken, fwToken,
                                          fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetTotalPublicMemory
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetTotalPublicMemory(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetTotalPublicMemory) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetTotalPublicMemory(fwToken->mdToken, fwToken,
                                                  fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetFreePublicMemory
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetFreePublicMemory(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetFreePublicMemory) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetFreePublicMemory(fwToken->mdToken, fwToken,
                                                 fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetTotalPrivateMemory
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetTotalPrivateMemory(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetTotalPrivateMemory) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetTotalPrivateMemory(fwToken->mdToken, fwToken,
                                                   fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetFreePrivateMemory
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetFreePrivateMemory(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CK_UNAVAILABLE_INFORMATION;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetFreePrivateMemory) {
        return CK_UNAVAILABLE_INFORMATION;
    }

    return fwToken->mdToken->GetFreePrivateMemory(fwToken->mdToken, fwToken,
                                                  fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetHardwareVersion
 *
 */
NSS_IMPLEMENT CK_VERSION
nssCKFWToken_GetHardwareVersion(
    NSSCKFWToken *fwToken)
{
    CK_VERSION rv;

#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        rv.major = rv.minor = 0;
        return rv;
    }
#endif /* NSSDEBUG */

    if (CKR_OK != nssCKFWMutex_Lock(fwToken->mutex)) {
        rv.major = rv.minor = 0;
        return rv;
    }

    if ((0 != fwToken->hardwareVersion.major) ||
        (0 != fwToken->hardwareVersion.minor)) {
        rv = fwToken->hardwareVersion;
        goto done;
    }

    if (fwToken->mdToken->GetHardwareVersion) {
        fwToken->hardwareVersion = fwToken->mdToken->GetHardwareVersion(
            fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
    } else {
        fwToken->hardwareVersion.major = 0;
        fwToken->hardwareVersion.minor = 1;
    }

    rv = fwToken->hardwareVersion;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return rv;
}

/*
 * nssCKFWToken_GetFirmwareVersion
 *
 */
NSS_IMPLEMENT CK_VERSION
nssCKFWToken_GetFirmwareVersion(
    NSSCKFWToken *fwToken)
{
    CK_VERSION rv;

#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        rv.major = rv.minor = 0;
        return rv;
    }
#endif /* NSSDEBUG */

    if (CKR_OK != nssCKFWMutex_Lock(fwToken->mutex)) {
        rv.major = rv.minor = 0;
        return rv;
    }

    if ((0 != fwToken->firmwareVersion.major) ||
        (0 != fwToken->firmwareVersion.minor)) {
        rv = fwToken->firmwareVersion;
        goto done;
    }

    if (fwToken->mdToken->GetFirmwareVersion) {
        fwToken->firmwareVersion = fwToken->mdToken->GetFirmwareVersion(
            fwToken->mdToken, fwToken, fwToken->mdInstance, fwToken->fwInstance);
    } else {
        fwToken->firmwareVersion.major = 0;
        fwToken->firmwareVersion.minor = 1;
    }

    rv = fwToken->firmwareVersion;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return rv;
}

/*
 * nssCKFWToken_GetUTCTime
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetUTCTime(
    NSSCKFWToken *fwToken,
    CK_CHAR utcTime[16])
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }

    if ((CK_CHAR_PTR)NULL == utcTime) {
        return CKR_ARGUMENTS_BAD;
    }
#endif /* DEBUG */

    if (CK_TRUE != nssCKFWToken_GetHasClockOnToken(fwToken)) {
        /* return CKR_DEVICE_ERROR; */
        (void)nssUTF8_CopyIntoFixedBuffer((NSSUTF8 *)NULL, (char *)utcTime, 16, ' ');
        return CKR_OK;
    }

    if (!fwToken->mdToken->GetUTCTime) {
        /* It said it had one! */
        return CKR_GENERAL_ERROR;
    }

    error = fwToken->mdToken->GetUTCTime(fwToken->mdToken, fwToken,
                                         fwToken->mdInstance, fwToken->fwInstance, utcTime);
    if (CKR_OK != error) {
        return error;
    }

    /* Sanity-check the data */
    {
        /* Format is YYYYMMDDhhmmss00 */
        int i;
        int Y, M, D, h, m, s;
        static int dims[] = { 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

        for (i = 0; i < 16; i++) {
            if ((utcTime[i] < '0') || (utcTime[i] > '9')) {
                goto badtime;
            }
        }

        Y = ((utcTime[0] - '0') * 1000) + ((utcTime[1] - '0') * 100) +
            ((utcTime[2] - '0') * 10) + (utcTime[3] - '0');
        M = ((utcTime[4] - '0') * 10) + (utcTime[5] - '0');
        D = ((utcTime[6] - '0') * 10) + (utcTime[7] - '0');
        h = ((utcTime[8] - '0') * 10) + (utcTime[9] - '0');
        m = ((utcTime[10] - '0') * 10) + (utcTime[11] - '0');
        s = ((utcTime[12] - '0') * 10) + (utcTime[13] - '0');

        if ((Y < 1990) || (Y > 3000))
            goto badtime; /* Y3K problem.  heh heh heh */
        if ((M < 1) || (M > 12))
            goto badtime;
        if ((D < 1) || (D > 31))
            goto badtime;

        if (D > dims[M - 1])
            goto badtime; /* per-month check */
        if ((2 == M) && (((Y % 4) || !(Y % 100)) &&
                         (Y % 400)) &&
            (D > 28))
            goto badtime; /* leap years */

        if ((h < 0) || (h > 23))
            goto badtime;
        if ((m < 0) || (m > 60))
            goto badtime;
        if ((s < 0) || (s > 61))
            goto badtime;

        /* 60m and 60 or 61s is only allowed for leap seconds. */
        if ((60 == m) || (s >= 60)) {
            if ((23 != h) || (60 != m) || (s < 60))
                goto badtime;
            /* leap seconds can only happen on June 30 or Dec 31.. I think */
            /* if( ((6 != M) || (30 != D)) && ((12 != M) || (31 != D)) ) goto badtime; */
        }
    }

    return CKR_OK;

badtime:
    return CKR_GENERAL_ERROR;
}

/*
 * nssCKFWToken_OpenSession
 *
 */
NSS_IMPLEMENT NSSCKFWSession *
nssCKFWToken_OpenSession(
    NSSCKFWToken *fwToken,
    CK_BBOOL rw,
    CK_VOID_PTR pApplication,
    CK_NOTIFY Notify,
    CK_RV *pError)
{
    NSSCKFWSession *fwSession = (NSSCKFWSession *)NULL;
    NSSCKMDSession *mdSession;

#ifdef NSSDEBUG
    if (!pError) {
        return (NSSCKFWSession *)NULL;
    }

    *pError = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != *pError) {
        return (NSSCKFWSession *)NULL;
    }

    switch (rw) {
        case CK_TRUE:
        case CK_FALSE:
            break;
        default:
            *pError = CKR_ARGUMENTS_BAD;
            return (NSSCKFWSession *)NULL;
    }
#endif /* NSSDEBUG */

    *pError = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != *pError) {
        return (NSSCKFWSession *)NULL;
    }

    if (CK_TRUE == rw) {
        /* Read-write session desired */
        if (CK_TRUE == nssCKFWToken_GetIsWriteProtected(fwToken)) {
            *pError = CKR_TOKEN_WRITE_PROTECTED;
            goto done;
        }
    } else {
        /* Read-only session desired */
        if (CKS_RW_SO_FUNCTIONS == nssCKFWToken_GetSessionState(fwToken)) {
            *pError = CKR_SESSION_READ_WRITE_SO_EXISTS;
            goto done;
        }
    }

    /* We could compare sesion counts to any limits we know of, I guess.. */

    if (!fwToken->mdToken->OpenSession) {
        /*
         * I'm not sure that the Module actually needs to implement
         * mdSessions -- the Framework can keep track of everything
         * needed, really.  But I'll sort out that detail later..
         */
        *pError = CKR_GENERAL_ERROR;
        goto done;
    }

    fwSession = nssCKFWSession_Create(fwToken, rw, pApplication, Notify, pError);
    if (!fwSession) {
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto done;
    }

    mdSession = fwToken->mdToken->OpenSession(fwToken->mdToken, fwToken,
                                              fwToken->mdInstance, fwToken->fwInstance, fwSession,
                                              rw, pError);
    if (!mdSession) {
        (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
        if (CKR_OK == *pError) {
            *pError = CKR_GENERAL_ERROR;
        }
        goto done;
    }

    *pError = nssCKFWSession_SetMDSession(fwSession, mdSession);
    if (CKR_OK != *pError) {
        if (mdSession->Close) {
            mdSession->Close(mdSession, fwSession, fwToken->mdToken, fwToken,
                             fwToken->mdInstance, fwToken->fwInstance);
        }
        (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
        goto done;
    }

    *pError = nssCKFWHash_Add(fwToken->sessions, fwSession, fwSession);
    if (CKR_OK != *pError) {
        (void)nssCKFWSession_Destroy(fwSession, CK_FALSE);
        fwSession = (NSSCKFWSession *)NULL;
        goto done;
    }

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return fwSession;
}

/*
 * nssCKFWToken_GetMechanismCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetMechanismCount(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return 0;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMechanismCount) {
        return 0;
    }

    return fwToken->mdToken->GetMechanismCount(fwToken->mdToken, fwToken,
                                               fwToken->mdInstance, fwToken->fwInstance);
}

/*
 * nssCKFWToken_GetMechanismTypes
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_GetMechanismTypes(
    NSSCKFWToken *fwToken,
    CK_MECHANISM_TYPE types[])
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CKR_ARGUMENTS_BAD;
    }

    if (!types) {
        return CKR_ARGUMENTS_BAD;
    }
#endif /* NSSDEBUG */

    if (!fwToken->mdToken->GetMechanismTypes) {
        /*
         * This should only be called with a sufficiently-large
         * "types" array, which can only be done if GetMechanismCount
         * is implemented.  If that's implemented (and returns nonzero),
         * then this should be too.  So return an error.
         */
        return CKR_GENERAL_ERROR;
    }

    return fwToken->mdToken->GetMechanismTypes(fwToken->mdToken, fwToken,
                                               fwToken->mdInstance, fwToken->fwInstance, types);
}

/*
 * nssCKFWToken_GetMechanism
 *
 */
NSS_IMPLEMENT NSSCKFWMechanism *
nssCKFWToken_GetMechanism(
    NSSCKFWToken *fwToken,
    CK_MECHANISM_TYPE which,
    CK_RV *pError)
{
    NSSCKMDMechanism *mdMechanism;
    if (!fwToken->mdMechanismHash) {
        *pError = CKR_GENERAL_ERROR;
        return (NSSCKFWMechanism *)NULL;
    }

    if (!fwToken->mdToken->GetMechanism) {
        /*
         * If we don't implement any GetMechanism function, then we must
         * not support any.
         */
        *pError = CKR_MECHANISM_INVALID;
        return (NSSCKFWMechanism *)NULL;
    }

    /* lookup in hash table */
    mdMechanism = fwToken->mdToken->GetMechanism(fwToken->mdToken, fwToken,
                                                 fwToken->mdInstance, fwToken->fwInstance, which, pError);
    if (!mdMechanism) {
        return (NSSCKFWMechanism *)NULL;
    }
    /* store in hash table */
    return nssCKFWMechanism_Create(mdMechanism, fwToken->mdToken, fwToken,
                                   fwToken->mdInstance, fwToken->fwInstance);
}

NSS_IMPLEMENT CK_RV
nssCKFWToken_SetSessionState(
    NSSCKFWToken *fwToken,
    CK_STATE newState)
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }

    switch (newState) {
        case CKS_RO_PUBLIC_SESSION:
        case CKS_RO_USER_FUNCTIONS:
        case CKS_RW_PUBLIC_SESSION:
        case CKS_RW_USER_FUNCTIONS:
        case CKS_RW_SO_FUNCTIONS:
            break;
        default:
            return CKR_ARGUMENTS_BAD;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    fwToken->state = newState;
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return CKR_OK;
}

/*
 * nssCKFWToken_RemoveSession
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_RemoveSession(
    NSSCKFWToken *fwToken,
    NSSCKFWSession *fwSession)
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }

    error = nssCKFWSession_verifyPointer(fwSession);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    if (CK_TRUE != nssCKFWHash_Exists(fwToken->sessions, fwSession)) {
        error = CKR_SESSION_HANDLE_INVALID;
        goto done;
    }

    nssCKFWHash_Remove(fwToken->sessions, fwSession);
    fwToken->sessionCount--;

    if (nssCKFWSession_IsRWSession(fwSession)) {
        fwToken->rwSessionCount--;
    }

    if (0 == fwToken->sessionCount) {
        fwToken->rwSessionCount = 0;            /* sanity */
        fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
    }

    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_CloseAllSessions
 *
 */
NSS_IMPLEMENT CK_RV
nssCKFWToken_CloseAllSessions(
    NSSCKFWToken *fwToken)
{
    CK_RV error = CKR_OK;

#ifdef NSSDEBUG
    error = nssCKFWToken_verifyPointer(fwToken);
    if (CKR_OK != error) {
        return error;
    }
#endif /* NSSDEBUG */

    error = nssCKFWMutex_Lock(fwToken->mutex);
    if (CKR_OK != error) {
        return error;
    }

    nssCKFWHash_Iterate(fwToken->sessions, nss_ckfwtoken_session_iterator, (void *)NULL);

    nssCKFWHash_Destroy(fwToken->sessions);

    fwToken->sessions = nssCKFWHash_Create(fwToken->fwInstance, fwToken->arena, &error);
    if (!fwToken->sessions) {
        if (CKR_OK == error) {
            error = CKR_GENERAL_ERROR;
        }
        goto done;
    }

    fwToken->state = CKS_RO_PUBLIC_SESSION; /* some default */
    fwToken->sessionCount = 0;
    fwToken->rwSessionCount = 0;

    error = CKR_OK;

done:
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return error;
}

/*
 * nssCKFWToken_GetSessionCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetSessionCount(
    NSSCKFWToken *fwToken)
{
    CK_ULONG rv;

#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (CK_ULONG)0;
    }
#endif /* NSSDEBUG */

    if (CKR_OK != nssCKFWMutex_Lock(fwToken->mutex)) {
        return (CK_ULONG)0;
    }

    rv = fwToken->sessionCount;
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return rv;
}

/*
 * nssCKFWToken_GetRwSessionCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetRwSessionCount(
    NSSCKFWToken *fwToken)
{
    CK_ULONG rv;

#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (CK_ULONG)0;
    }
#endif /* NSSDEBUG */

    if (CKR_OK != nssCKFWMutex_Lock(fwToken->mutex)) {
        return (CK_ULONG)0;
    }

    rv = fwToken->rwSessionCount;
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return rv;
}

/*
 * nssCKFWToken_GetRoSessionCount
 *
 */
NSS_IMPLEMENT CK_ULONG
nssCKFWToken_GetRoSessionCount(
    NSSCKFWToken *fwToken)
{
    CK_ULONG rv;

#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (CK_ULONG)0;
    }
#endif /* NSSDEBUG */

    if (CKR_OK != nssCKFWMutex_Lock(fwToken->mutex)) {
        return (CK_ULONG)0;
    }

    rv = fwToken->sessionCount - fwToken->rwSessionCount;
    (void)nssCKFWMutex_Unlock(fwToken->mutex);
    return rv;
}

/*
 * nssCKFWToken_GetSessionObjectHash
 *
 */
NSS_IMPLEMENT nssCKFWHash *
nssCKFWToken_GetSessionObjectHash(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (nssCKFWHash *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->sessionObjectHash;
}

/*
 * nssCKFWToken_GetMDObjectHash
 *
 */
NSS_IMPLEMENT nssCKFWHash *
nssCKFWToken_GetMDObjectHash(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (nssCKFWHash *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->mdObjectHash;
}

/*
 * nssCKFWToken_GetObjectHandleHash
 *
 */
NSS_IMPLEMENT nssCKFWHash *
nssCKFWToken_GetObjectHandleHash(
    NSSCKFWToken *fwToken)
{
#ifdef NSSDEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (nssCKFWHash *)NULL;
    }
#endif /* NSSDEBUG */

    return fwToken->mdObjectHash;
}

/*
 * NSSCKFWToken_GetMDToken
 *
 */

NSS_IMPLEMENT NSSCKMDToken *
NSSCKFWToken_GetMDToken(
    NSSCKFWToken *fwToken)
{
#ifdef DEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKMDToken *)NULL;
    }
#endif /* DEBUG */

    return nssCKFWToken_GetMDToken(fwToken);
}

/*
 * NSSCKFWToken_GetArena
 *
 */

NSS_IMPLEMENT NSSArena *
NSSCKFWToken_GetArena(
    NSSCKFWToken *fwToken,
    CK_RV *pError)
{
#ifdef DEBUG
    if (!pError) {
        return (NSSArena *)NULL;
    }

    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        *pError = CKR_ARGUMENTS_BAD;
        return (NSSArena *)NULL;
    }
#endif /* DEBUG */

    return nssCKFWToken_GetArena(fwToken, pError);
}

/*
 * NSSCKFWToken_GetFWSlot
 *
 */

NSS_IMPLEMENT NSSCKFWSlot *
NSSCKFWToken_GetFWSlot(
    NSSCKFWToken *fwToken)
{
#ifdef DEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKFWSlot *)NULL;
    }
#endif /* DEBUG */

    return nssCKFWToken_GetFWSlot(fwToken);
}

/*
 * NSSCKFWToken_GetMDSlot
 *
 */

NSS_IMPLEMENT NSSCKMDSlot *
NSSCKFWToken_GetMDSlot(
    NSSCKFWToken *fwToken)
{
#ifdef DEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return (NSSCKMDSlot *)NULL;
    }
#endif /* DEBUG */

    return nssCKFWToken_GetMDSlot(fwToken);
}

/*
 * NSSCKFWToken_GetSessionState
 *
 */

NSS_IMPLEMENT CK_STATE
NSSCKFWSession_GetSessionState(
    NSSCKFWToken *fwToken)
{
#ifdef DEBUG
    if (CKR_OK != nssCKFWToken_verifyPointer(fwToken)) {
        return CKS_RO_PUBLIC_SESSION;
    }
#endif /* DEBUG */

    return nssCKFWToken_GetSessionState(fwToken);
}