These changes were part of a different patch, reviews are not yet complete.

Backing out to previous versions.
2024-12-02 01:48:05 +00:00 · 2005-08-01 18:31:12 +00:00 · 2005-08-01 18:31:12 +00:00 · 775b5372bc
commit 775b5372bc
parent 7af3f28d88
5 changed files with 312 additions and 515 deletions
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@ -2346,7 +2346,7 @@ static PLHashTable *nscSlotHashTable[2] = {NULL, NULL};
 static int
 sftk_GetModuleIndex(CK_SLOT_ID slotID)
 {
-    if ((slotID == FIPS_SLOT_ID) || (slotID > 100)) {
+    if ((slotID == FIPS_SLOT_ID) || (slotID >= MIN_FIPS_USER_SLOT_ID)) {
 	return NSC_FIPS_MODULE;
    }
    return NSC_NON_FIPS_MODULE;
@ -2357,9 +2357,13 @@ sftk_GetModuleIndex(CK_SLOT_ID slotID)
 SFTKSlot *
 sftk_SlotFromID(CK_SLOT_ID slotID)
 {
+    SFTKSlot *slot;
    int index = sftk_GetModuleIndex(slotID);
-    return (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], 
+    slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], 
 							(void *)slotID);
+    /* cleared slots shouldn't 'show up' */
+    if (slot && slot->slotID == 0) slot = NULL;
+    return slot;
 }

 SFTKSlot *
@ -2462,21 +2466,30 @@ sftk_DBVerify(SFTKSlot *slot)
    return;
 }

-/* forward static declaration. */
-static CK_RV sftk_DestroySlotData(SFTKSlot *slot);
-
 /*
 * initialize one of the slot structures. figure out which by the ID
 */
 CK_RV
-SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex)
+SFTK_SlotInit(SFTKSlot *slot,
+	char *configdir,sftk_token_parameters *params, int moduleIndex)
 {
    unsigned int i;
    CK_SLOT_ID slotID = params->slotID;
-    SFTKSlot *slot = PORT_ZNew(SFTKSlot);
    PRBool needLogin = !params->noKeyDB;
+    PRBool reinit = PR_TRUE;
    CK_RV crv;

+    /* if slot as been supplied, we are reinitializing and existing slot.
+     * this means that we preserve some fields and don't try to register
+     * the slot again. To applications it looks like a token removal and
+     * insertion event . If we don't supply a slot (the normal case), we
+     * are creating a new slot, and thus need to fully initialize everything
+     * as well as registering the slot. */
+    if (slot == NULL) {
+	slot = PORT_ZNew(SFTKSlot);
+	reinit = PR_FALSE;
+    }
+
    if (slot == NULL) {
 	return CKR_HOST_MEMORY;
    }
@ -2520,11 +2533,17 @@ SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex)

    slot->password = NULL;
    slot->hasTokens = PR_FALSE;
-    slot->sessionIDCount = 0;
+    /* if we are reinitalizing, don't clear the sessionIDCount 
+     * and tokenIDCount. We don't want the application to think that old
+     * sessions and tokens from the previous instance are still valid.
+     */
+    if (!reinit) {
+	slot->sessionIDCount = 0;
+	slot->tokenIDCount = 1;
+    }
    slot->sessionIDConflict = 0;
    slot->sessionCount = 0;
    slot->rwSessionCount = 0;
-    slot->tokenIDCount = 1;
    slot->needLogin = PR_FALSE;
    slot->isLoggedIn = PR_FALSE;
    slot->ssoLoggedIn = PR_FALSE;
@ -2565,16 +2584,20 @@ SFTK_SlotInit(char *configdir,sftk_token_parameters *params, int moduleIndex)
 	    slot->minimumPinLen = 1;
 	}
    }
-    crv = sftk_RegisterSlot(slot, moduleIndex);
-    if (crv != CKR_OK) {
-	goto loser;
+    if (!reinit) {
+	crv = sftk_RegisterSlot(slot, moduleIndex);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
    }
    return CKR_OK;

 mem_loser:
    crv = CKR_HOST_MEMORY;
 loser:
-    sftk_DestroySlotData(slot);
+    /* if we are reinitting the slot, don't free it, it's still on the slot
+     * list. */
+    SFTK_DestroySlotData(slot, !reinit);
    return crv;
 }

@ -2590,8 +2613,8 @@ sftk_freeHashItem(PLHashEntry* entry, PRIntn index, void *arg)
 /*
 * initialize one of the slot structures. figure out which by the ID
 */
-static CK_RV
-sftk_DestroySlotData(SFTKSlot *slot)
+CK_RV
+SFTK_DestroySlotData(SFTKSlot *slot, PRBool freeit)
 {
    unsigned int i;

@ -2645,7 +2668,17 @@ sftk_DestroySlotData(SFTKSlot *slot)
    slot->sessHashSize = 0;
    sftk_DBShutdown(slot->certDB,slot->keyDB);

-    PORT_Free(slot);
+    if (freeit) {
+	PORT_Free(slot);
+    } else {
+	/* paranoia, init should reinitialize everything. Note: we need to
+	 * preserve the sessionID and tokenID counts */
+	unsigned long sessionIDCount = slot->sessionIDCount;
+	unsigned long tokenIDCount = slot->tokenIDCount;
+	PORT_Memset(slot,0,sizeof(*slot));
+	slot->sessionIDCount = sessionIDCount;
+	slot->tokenIDCount = tokenIDCount;
+    }
    return CKR_OK;
 }

@ -2717,7 +2750,7 @@ static void nscFreeAllSlots(int moduleIndex)
 			PL_HashTableLookup(tmpSlotHashTable, (void *)slotID);
 	    PORT_Assert(slot);
 	    if (!slot) continue;
-	    sftk_DestroySlotData(slot);
+	    SFTK_DestroySlotData(slot, PR_TRUE);
 	    PL_HashTableRemove(tmpSlotHashTable, (void *)slotID);
 	}
 	PORT_Free(tmpSlotList);
@ -2827,8 +2860,8 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
 	}

 	for (i=0; i < paramStrings.token_count; i++) {
-	    crv = 
-		SFTK_SlotInit(paramStrings.configdir, &paramStrings.tokens[i],
+	    crv = SFTK_SlotInit(NULL, paramStrings.configdir, 
+			&paramStrings.tokens[i],
 			moduleIndex);
 	    if (crv != CKR_OK) {
                nscFreeAllSlots(moduleIndex);
@ -2927,7 +2960,7 @@ CK_RV  NSC_GetInfo(CK_INFO_PTR pInfo)

    c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0]; 
    pInfo->cryptokiVersion.major = 2;
-    pInfo->cryptokiVersion.minor = 11;
+    pInfo->cryptokiVersion.minor = 20;
    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
    pInfo->libraryVersion.major = NSS_VMAJOR;
    pInfo->libraryVersion.minor = NSS_VMINOR;
@ -2969,6 +3002,10 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
    PORT_Memcpy(pInfo->manufacturerID,manufacturerID,32);
    PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,64);
    pInfo->flags = CKF_TOKEN_PRESENT;
+    /* all user defined slots are defined as removable */
+    if (slotID > MIN_USER_SLOT_ID) {
+	pInfo->flags |= CKF_REMOVABLE_DEVICE;
+    }
    /* ok we really should read it out of the keydb file. */
    /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
    pInfo->hardwareVersion.major = NSS_VMAJOR;
@ -3661,6 +3698,81 @@ CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
    return CKR_OK;
 }

+/*
+ * Create a new slot on the fly. The slot that is passed in is the
+ * slot the request came from. Only the crypto or FIPS slots can
+ * be used. The resulting slot will live in the same module as
+ * the slot the request was passed to. object is the creation object
+ * that specifies the module spec for the new slot.
+ */
+static CK_RV sftk_CreateNewSlot(SFTKSlot *slot, SFTKObject *object)
+{
+    CK_SLOT_ID idMin, idMax;
+    PRBool isFIPS = PR_FALSE;
+    unsigned long moduleIndex;
+    SFTKAttribute *attribute;
+    sftk_parameters paramStrings;
+    char *paramString;
+    CK_RV crv = CKR_OK;
+    int i;
+
+    /* only the crypto or FIPS slots can create new slot objects */
+    if (slot->slotID == NETSCAPE_SLOT_ID) {
+	idMin = MIN_USER_SLOT_ID;
+	idMax = MAX_USER_SLOT_ID;
+	moduleIndex = NSC_NON_FIPS_MODULE;
+	isFIPS = PR_FALSE;
+    } else if (slot->slotID == FIPS_SLOT_ID) {
+	idMin = MIN_FIPS_USER_SLOT_ID;
+	idMax = MAX_FIPS_USER_SLOT_ID;
+	moduleIndex = NSC_FIPS_MODULE;
+	isFIPS = PR_TRUE;
+    } else {
+	return CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+    attribute = sftk_FindAttribute(object,CKA_NETSCAPE_MODULE_SPEC);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    paramString = (unsigned char *)attribute->attrib.pValue;
+    crv = secmod_parseParameters(paramString, &paramStrings, isFIPS);
+    if (crv != CKR_OK) {
+	goto loser;
+    }
+
+    /* The API allows initialization of several tokens at once,
+     * but there is no way to back out reinitialization should one
+     * of these functions fail. In general it's probably best to
+     * only initialize one slot at a time here */
+    for (i=0; i < paramStrings.token_count; i++) {
+	CK_SLOT_ID slotID = paramStrings.tokens[i].slotID;
+	SFTKSlot *newSlot;
+
+	if ((slotID < idMin) || (slotID > idMax)) {
+	    crv = CKR_ATTRIBUTE_VALUE_INVALID;
+	    goto loser;
+	}
+
+        newSlot = sftk_SlotFromID(slotID);
+	if (newSlot) {
+	    crv = SFTK_DestroySlotData(newSlot, PR_FALSE);
+	    if (crv != CKR_OK) {
+		goto loser;
+	    }
+	}
+	crv = SFTK_SlotInit(newSlot, paramStrings.configdir, 
+			&paramStrings.tokens[i], moduleIndex);
+	if (crv != CKR_OK) {
+	    goto loser;
+	}
+    }
+loser:
+    secmod_freeParams(&paramStrings);
+    sftk_FreeAttribute(attribute);
+
+    return crv;
+}
+

 /* NSC_CreateObject creates a new object. */
 CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
@ -3670,6 +3782,7 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
    SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
    SFTKSession *session;
    SFTKObject *object;
+    CK_OBJECT_CLASS class;
    CK_RV crv;
    int i;

@ -3691,6 +3804,9 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
 	    sftk_FreeObject(object);
 	    return crv;
 	}
+	if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) {
+	    class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+	}
    }

    /* get the session */
@ -3700,11 +3816,20 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
        return CKR_SESSION_HANDLE_INVALID;
    }

+    /*
+     * handle pseudo objects (CKO_NEWSLOT)
+     */
+    if (class == CKO_NETSCAPE_NEWSLOT) {
+	crv = sftk_CreateNewSlot(slot, object);
+	goto done;
+    } 
+
    /*
     * handle the base object stuff
     */
    crv = sftk_handleObject(object,session);
    *phObject = object->handle;
+done:
    sftk_FreeSession(session);
    sftk_FreeObject(object);

@ -3712,6 +3837,7 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
 }


+
 /* NSC_CopyObject copies an object, creating a new object for the copy. */
 CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
--- a/security/nss/lib/softoken/pkcs11f.h
+++ b/security/nss/lib/softoken/pkcs11f.h
@ -14,7 +14,7 @@
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is
- * RSA Security INC.
+ * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 * the Initial Developer. All Rights Reserved.
 *
@ -152,10 +152,10 @@ CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
 /* C_InitToken initializes a token. */
 CK_PKCS11_FUNCTION_INFO(C_InitToken)
 #ifdef CK_NEED_ARG_LIST
-/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
 (
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
  CK_SLOT_ID         slotID,    /* ID of the token's slot */
-  CK_UTF8CHAR_PTR    pPin,      /* the SO's initial PIN */
+  CK_CHAR_PTR        pPin,      /* the SO's initial PIN */
  CK_ULONG           ulPinLen,  /* length in bytes of the PIN */
  CK_UTF8CHAR_PTR    pLabel     /* 32-byte token label (blank padded) */
 );
@ -167,7 +167,7 @@ CK_PKCS11_FUNCTION_INFO(C_InitPIN)
 #ifdef CK_NEED_ARG_LIST
 (
  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_CHAR_PTR       pPin,      /* the normal user's PIN */
  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
 );
 #endif
@ -178,9 +178,9 @@ CK_PKCS11_FUNCTION_INFO(C_SetPIN)
 #ifdef CK_NEED_ARG_LIST
 (
  CK_SESSION_HANDLE hSession,  /* the session's handle */
-  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_CHAR_PTR       pOldPin,   /* the old PIN */
  CK_ULONG          ulOldLen,  /* length of the old PIN */
-  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_CHAR_PTR       pNewPin,   /* the new PIN */
  CK_ULONG          ulNewLen   /* length of the new PIN */
 );
 #endif
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@ -411,10 +411,6 @@ struct SFTKSSLMACInfoStr {
 #define NETSCAPE_SLOT_ID 1
 #define PRIVATE_KEY_SLOT_ID 2
 #define FIPS_SLOT_ID 3
-#define MIN_USER_SLOT_ID 4
-#define MAX_USER_SLOT_ID 100
-#define MIN_FIPS_USER_SLOT_ID 101
-#define MAX_FIPS_USER_SLOT_ID 127

 /* slot helper macros */
 #define sftk_SlotFromSession(sp) ((sp)->slot)
@ -543,10 +539,8 @@ extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
 extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent, 
 	CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, int moduleIndex);
 /* shared functions between PKCS11.c and SFTKFIPS.c */
-extern CK_RV SFTK_SlotInit(SFTKSlot *slot, char *configdir,
-			sftk_token_parameters *params, int moduleIndex);
-extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot, PRBool freeit);
-
+extern CK_RV SFTK_SlotInit(char *configdir,sftk_token_parameters *params, 
+							int moduleIndex);

 /* internal utility functions used by pkcs11.c */
 extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
--- a/security/nss/lib/softoken/pkcs11n.h
+++ b/security/nss/lib/softoken/pkcs11n.h
@ -39,7 +39,7 @@
 #define _PKCS11N_H_

 #ifdef DEBUG
-static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.13 $ $Date: 2005/08/01 18:23:56 $";
+static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.14 $ $Date: 2005/08/01 18:31:12 $";
 #endif /* DEBUG */

 /*
@ -73,7 +73,6 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.13 $
 #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
 #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
 #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
-#define CKO_NETSCAPE_NEWSLOT            (CKO_NETSCAPE + 5)

 /*
 * Netscape-defined key types
@ -107,7 +106,6 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.13 $
 #define CKA_NETSCAPE_PQG_SEED           (CKA_NETSCAPE +  21)
 #define CKA_NETSCAPE_PQG_H              (CKA_NETSCAPE +  22)
 #define CKA_NETSCAPE_PQG_SEED_BITS      (CKA_NETSCAPE +  23)
-#define CKA_NETSCAPE_MODULE_SPEC        (CKA_NETSCAPE +  24)

 /*
 * Trust attributes:
--- a/security/nss/lib/softoken/pkcs11t.h
+++ b/security/nss/lib/softoken/pkcs11t.h
@ -14,7 +14,7 @@
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is
- * RSA Security, Inc.
+ * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 * the Initial Developer. All Rights Reserved.
 *
@ -34,27 +34,27 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* License to copy and use this software is granted provided that it is
- * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
- * (Cryptoki)" in all material mentioning or referencing this software.
-
- * License is also granted to make and use derivative works provided that
- * such works are identified as "derived from the RSA Security Inc. PKCS #11
- * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
- * referencing the derived work.
-
- * RSA Security Inc. makes no representations concerning either the
- * merchantability of this software or the suitability of this software for
- * any particular purpose. It is provided "as is" without express or implied
- * warranty of any kind.
+/*
+ * Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
+ * is granted provided that it is identified as "RSA Security In.c Public-Key
+ * Cryptography Standards (PKCS)" in all material mentioning or referencing
+ * this document.
+ */
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file.
 */
-

 #ifndef _PKCS11T_H_
 #define _PKCS11T_H_ 1

-#define CK_TRUE 1
-#define CK_FALSE 0
+#ifndef CK_FALSE
+#define CK_FALSE             0
+#endif
+
+#ifndef CK_TRUE
+#define CK_TRUE              (!CK_FALSE)
+#endif

 #include "prtypes.h"

@ -64,7 +64,7 @@
 #define CK_DECLARE_FUNCTION(rv,func) PR_EXTERN(rv) func
 #define CK_DECLARE_FUNCTION_POINTER(rv,func) rv (PR_CALLBACK * func)

-#define CK_INVALID_SESSION    0
+#define CK_INVALID_SESSION	0

 /* an unsigned 8-bit value */
 typedef unsigned char     CK_BYTE;
@ -72,7 +72,7 @@ typedef unsigned char     CK_BYTE;
 /* an unsigned 8-bit character */
 typedef CK_BYTE           CK_CHAR;

-/* an 8-bit UTF-8 character */
+/* an unsigned 8-bit character */
 typedef CK_BYTE           CK_UTF8CHAR;

 /* a BYTE-sized Boolean flag */
@ -121,8 +121,8 @@ typedef CK_VERSION CK_PTR CK_VERSION_PTR;


 typedef struct CK_INFO {
-  /* manufacturerID and libraryDecription have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ /* manufacturerID and libraryDecription have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
  CK_VERSION    cryptokiVersion;     /* PKCS #11 interface ver */
  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
  CK_FLAGS      flags;               /* must be zero */
@ -150,8 +150,8 @@ typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;

 /* CK_SLOT_INFO provides information about a slot */
 typedef struct CK_SLOT_INFO {
-  /* slotDescription and manufacturerID have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ /* slotDescription and manufacturerID have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
  CK_FLAGS      flags;
@ -173,8 +173,8 @@ typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;

 /* CK_TOKEN_INFO provides information about a token */
 typedef struct CK_TOKEN_INFO {
-  /* label, manufacturerID, and model have been changed from
-   * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ /* label, manufacturerID, and model have been changed from
+  * CK_CHAR to CK_UTF8CHAR for v2.10 */
  CK_UTF8CHAR   label[32];           /* blank padded */
  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
  CK_UTF8CHAR   model[16];           /* blank padded */
@ -247,8 +247,8 @@ typedef struct CK_TOKEN_INFO {

 /* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is 
 * true, the token supports secondary authentication for 
- * private key objects. This flag is deprecated in v2.11 and
-   onwards. */
+ * private key objects. */
+/* DEPRICATED in v2.11 */
 #define CKF_SECONDARY_AUTHENTICATION  0x00000800

 /* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an 
@ -267,8 +267,7 @@ typedef struct CK_TOKEN_INFO {

 /* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true, 
 * the user PIN value is the default value set by token 
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
+ * initialization or manufacturing. */
 #define CKF_USER_PIN_TO_BE_CHANGED   0x00080000

 /* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an 
@ -287,8 +286,7 @@ typedef struct CK_TOKEN_INFO {

 /* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true, 
 * the SO PIN value is the default value set by token 
- * initialization or manufacturing, or the PIN has been
- * expired by the card. */
+ * initialization or manufacturing. */
 #define CKF_SO_PIN_TO_BE_CHANGED     0x00800000

 typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
@ -309,8 +307,7 @@ typedef CK_ULONG          CK_USER_TYPE;
 #define CKU_SO    0
 /* Normal user */
 #define CKU_USER  1
-/* Context specific (added in v2.20) */
-#define CKU_CONTEXT_SPECIFIC   2
+

 /* CK_STATE enumerates the session states */
 /* CK_STATE has been changed from an enum to a CK_ULONG for
@ -360,7 +357,6 @@ typedef CK_ULONG          CK_OBJECT_CLASS;
 /* The following classes of objects are defined: */
 /* CKO_HW_FEATURE is new for v2.10 */
 /* CKO_DOMAIN_PARAMETERS is new for v2.11 */
-/* CKO_MECHANISM is new for v2.20 */
 #define CKO_DATA              0x00000000
 #define CKO_CERTIFICATE       0x00000001
 #define CKO_PUBLIC_KEY        0x00000002
@ -369,7 +365,6 @@ typedef CK_ULONG          CK_OBJECT_CLASS;
 #define CKO_HW_FEATURE        0x00000005
 #define CKO_DOMAIN_PARAMETERS 0x00000006
 #define CKO_KG_PARAMETERS     0x00000006
-#define CKO_MECHANISM         0x00000007
 #define CKO_VENDOR_DEFINED    0x80000000

 typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
@ -380,10 +375,8 @@ typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
 typedef CK_ULONG          CK_HW_FEATURE_TYPE;
 
 /* The following hardware feature types are defined */
-/* CKH_USER_INTERFACE is new for v2.20 */
 #define CKH_MONOTONIC_COUNTER  0x00000001
 #define CKH_CLOCK           0x00000002
-#define CKH_USER_INTERFACE  0x00000003
 #define CKH_VENDOR_DEFINED  0x80000000

 /* CK_KEY_TYPE is a value that identifies a key type */
@ -396,10 +389,10 @@ typedef CK_ULONG          CK_KEY_TYPE;
 #define CKK_DH              0x00000002

 /* CKK_ECDSA and CKK_KEA are new for v2.0 */
-/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
-#define CKK_ECDSA           0x00000003
+/* CKK_X9_42_DH is new for v2.11 */
+#define CKK_ECDSA           0x00000003 /* deprecated in v2.11 */
 #define CKK_EC              0x00000003
-#define CKK_X9_42_DH        0x00000004
+#define CKK_X9_42_DH	    0x00000004
 #define CKK_KEA             0x00000005

 #define CKK_GENERIC_SECRET  0x00000010
@ -412,8 +405,7 @@ typedef CK_ULONG          CK_KEY_TYPE;
 /* all these key types are new for v2.0 */
 #define CKK_CAST            0x00000016
 #define CKK_CAST3           0x00000017
-/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
-#define CKK_CAST5           0x00000018
+#define CKK_CAST5           0x00000018 /* deprecated in v2.11 */
 #define CKK_CAST128         0x00000018
 #define CKK_RC5             0x00000019
 #define CKK_IDEA            0x0000001A
@ -421,11 +413,9 @@ typedef CK_ULONG          CK_KEY_TYPE;
 #define CKK_BATON           0x0000001C
 #define CKK_JUNIPER         0x0000001D
 #define CKK_CDMF            0x0000001E
-#define CKK_AES             0x0000001F

-/* BlowFish and TwoFish are new for v2.20 */
-#define CKK_BLOWFISH        0x00000020
-#define CKK_TWOFISH         0x00000021
+/* all these key types are new for v2.11 */
+#define CKK_AES             0x0000001F

 #define CKK_VENDOR_DEFINED  0x80000000
 #define CKK_INVALID_KEY_TYPE 0xffffffff
@ -439,10 +429,8 @@ typedef CK_ULONG          CK_CERTIFICATE_TYPE;

 /* The following certificate types are defined: */
 /* CKC_X_509_ATTR_CERT is new for v2.10 */
-/* CKC_WTLS is new for v2.20 */
 #define CKC_X_509           0x00000000
 #define CKC_X_509_ATTR_CERT 0x00000001
-#define CKC_WTLS            0x00000002
 #define CKC_VENDOR_DEFINED  0x80000000


@ -452,10 +440,6 @@ typedef CK_ULONG          CK_CERTIFICATE_TYPE;
 * v2.0 */
 typedef CK_ULONG          CK_ATTRIBUTE_TYPE;

-/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
-   consists of an array of values. */
-#define CKF_ARRAY_ATTRIBUTE    0x40000000
-
 /* The following attribute types are defined: */
 #define CKA_CLASS              0x00000000
 #define CKA_TOKEN              0x00000001
@ -476,19 +460,9 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_AC_ISSUER          0x00000083
 #define CKA_OWNER              0x00000084
 #define CKA_ATTR_TYPES         0x00000085
-
 /* CKA_TRUSTED is new for v2.11 */
 #define CKA_TRUSTED            0x00000086

-/* CKA_CERTIFICATE_CATEGORY ...
- * CKA_CHECK_VALUE are new for v2.20 */
-#define CKA_CERTIFICATE_CATEGORY        0x00000087
-#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
-#define CKA_URL                         0x00000089
-#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
-#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
-#define CKA_CHECK_VALUE                 0x00000090
-
 #define CKA_KEY_TYPE           0x00000100
 #define CKA_SUBJECT            0x00000101
 #define CKA_ID                 0x00000102
@ -516,13 +490,9 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_PRIME              0x00000130
 #define CKA_SUBPRIME           0x00000131
 #define CKA_BASE               0x00000132
-
 /* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
 #define CKA_PRIME_BITS         0x00000133
-#define CKA_SUBPRIME_BITS      0x00000134
-#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
-/* (To retain backwards-compatibility) */
-
+#define CKA_SUB_PRIME_BITS     0x00000134
 #define CKA_VALUE_BITS         0x00000160
 #define CKA_VALUE_LEN          0x00000161

@ -533,55 +503,22 @@ typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 #define CKA_LOCAL              0x00000163
 #define CKA_NEVER_EXTRACTABLE  0x00000164
 #define CKA_ALWAYS_SENSITIVE   0x00000165
-
 /* CKA_KEY_GEN_MECHANISM is new for v2.11 */
 #define CKA_KEY_GEN_MECHANISM  0x00000166
-
 #define CKA_MODIFIABLE         0x00000170
-
-/* CKA_ECDSA_PARAMS is deprecated in v2.11,
- * CKA_EC_PARAMS is preferred. */
-#define CKA_ECDSA_PARAMS       0x00000180
+#define CKA_ECDSA_PARAMS       0x00000180 /* depricated v2.11 */
 #define CKA_EC_PARAMS          0x00000180
-
 #define CKA_EC_POINT           0x00000181

 /* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, 
- * are new for v2.10. Deprecated in v2.11 and onwards. */
-#define CKA_SECONDARY_AUTH     0x00000200
-#define CKA_AUTH_PIN_FLAGS     0x00000201
-
-/* CKA_ALWAYS_AUTHENTICATE ...
- * CKA_UNWRAP_TEMPLATE are new for v2.20 */
-#define CKA_ALWAYS_AUTHENTICATE  0x00000202
-
-#define CKA_WRAP_WITH_TRUSTED    0x00000210
-#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
-#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
-
-/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
 * are new for v2.10 */
+#define CKA_SECONDARY_AUTH     0x00000200 /* depricated v2.11 */
+#define CKA_AUTH_PIN_FLAGS     0x00000201 /* depricated v2.11 */
 #define CKA_HW_FEATURE_TYPE    0x00000300
 #define CKA_RESET_ON_INIT      0x00000301
 #define CKA_HAS_RESET          0x00000302

-/* The following attributes are new for v2.20 */
-#define CKA_PIXEL_X                     0x00000400
-#define CKA_PIXEL_Y                     0x00000401
-#define CKA_RESOLUTION                  0x00000402
-#define CKA_CHAR_ROWS                   0x00000403
-#define CKA_CHAR_COLUMNS                0x00000404
-#define CKA_COLOR                       0x00000405
-#define CKA_BITS_PER_PIXEL              0x00000406
-#define CKA_CHAR_SETS                   0x00000480
-#define CKA_ENCODING_METHODS            0x00000481
-#define CKA_MIME_TYPES                  0x00000482
-#define CKA_MECHANISM_TYPE              0x00000500
-#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
-#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
-#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
-#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
-
 #define CKA_VENDOR_DEFINED     0x80000000


@ -624,19 +561,17 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_MD5_RSA_PKCS               0x00000005
 #define CKM_SHA1_RSA_PKCS              0x00000006

-/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
- * CKM_RSA_PKCS_OAEP are new for v2.10 */
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS & CKM_RSA_OAEP
+ * are new for 2.10 */
 #define CKM_RIPEMD128_RSA_PKCS         0x00000007
 #define CKM_RIPEMD160_RSA_PKCS         0x00000008
 #define CKM_RSA_PKCS_OAEP              0x00000009

-/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
- * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+/* CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31 & CKM_RSA_X9_31_KEY_PAIR_GEN
+ * are new for 2.11 */
 #define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
 #define CKM_RSA_X9_31                  0x0000000B
 #define CKM_SHA1_RSA_X9_31             0x0000000C
-#define CKM_RSA_PKCS_PSS               0x0000000D
-#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E

 #define CKM_DSA_KEY_PAIR_GEN           0x00000010
 #define CKM_DSA                        0x00000011
@ -644,21 +579,17 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
 #define CKM_DH_PKCS_DERIVE             0x00000021

-/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
- * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
- * v2.11 */
-#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
+/* CKM_X9_42_DH_PKCS_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, & CKM_X9_42_MQV_DERIVE
+ * are new for v2.11 */
+#define CKM_X9_42_DH_PKCS_KEY_PAIR_GEN 0x00000030
 #define CKM_X9_42_DH_DERIVE            0x00000031
 #define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
 #define CKM_X9_42_MQV_DERIVE           0x00000033

-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_RSA_PKCS            0x00000040
-#define CKM_SHA384_RSA_PKCS            0x00000041
-#define CKM_SHA512_RSA_PKCS            0x00000042
-#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
-#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
-#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
+#define CKM_SHA256_RSA_PKCS            0x00000040	/* v2.20 */
+#define CKM_SHA384_RSA_PKCS            0x00000041	/* v2.20 */
+#define CKM_SHA512_RSA_PKCS            0x00000042	/* v2.20 */

 #define CKM_RC2_KEY_GEN                0x00000100
 #define CKM_RC2_ECB                    0x00000101
@ -698,12 +629,6 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_CDMF_MAC_GENERAL           0x00000144
 #define CKM_CDMF_CBC_PAD               0x00000145

-/* the following four DES mechanisms are new for v2.20 */
-#define CKM_DES_OFB64                  0x00000150
-#define CKM_DES_OFB8                   0x00000151
-#define CKM_DES_CFB64                  0x00000152
-#define CKM_DES_CFB8                   0x00000153
-
 #define CKM_MD2                        0x00000200

 /* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
@ -732,16 +657,17 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_RIPEMD160_HMAC             0x00000241
 #define CKM_RIPEMD160_HMAC_GENERAL     0x00000242

-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256                     0x00000250
-#define CKM_SHA256_HMAC                0x00000251
-#define CKM_SHA256_HMAC_GENERAL        0x00000252
-#define CKM_SHA384                     0x00000260
-#define CKM_SHA384_HMAC                0x00000261
-#define CKM_SHA384_HMAC_GENERAL        0x00000262
-#define CKM_SHA512                     0x00000270
-#define CKM_SHA512_HMAC                0x00000271
-#define CKM_SHA512_HMAC_GENERAL        0x00000272
+#define CKM_SHA256                     0x00000250	/* v2.20 */
+#define CKM_SHA256_HMAC                0x00000251	/* v2.20 */
+#define CKM_SHA256_HMAC_GENERAL        0x00000252	/* v2.20 */
+
+#define CKM_SHA384                     0x00000260	/* v2.20 */
+#define CKM_SHA384_HMAC                0x00000261	/* v2.20 */
+#define CKM_SHA384_HMAC_GENERAL        0x00000262	/* v2.20 */
+
+#define CKM_SHA512                     0x00000270	/* v2.20 */
+#define CKM_SHA512_HMAC                0x00000271	/* v2.20 */
+#define CKM_SHA512_HMAC_GENERAL        0x00000272	/* v2.20 */

 /* All of the following mechanisms are new for v2.0 */
 /* Note that CAST128 and CAST5 are the same algorithm */
@ -792,27 +718,23 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372

 /* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
- * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
- * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE,
+ * CKM_TLS_MASTER_KEY_DERIVE_DH, & CKM_SSL3_MASTER_KEY_DERIVE_DH
+ * are new for v2.11. */
 #define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
 #define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
 #define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
 #define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
 #define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377

-/* CKM_TLS_PRF is new for v2.20 */
-#define CKM_TLS_PRF                    0x00000378
-
 #define CKM_SSL3_MD5_MAC               0x00000380
 #define CKM_SSL3_SHA1_MAC              0x00000381
 #define CKM_MD5_KEY_DERIVATION         0x00000390
 #define CKM_MD2_KEY_DERIVATION         0x00000391
 #define CKM_SHA1_KEY_DERIVATION        0x00000392
-
-/* CKM_SHA256/384/512 are new for v2.20 */
-#define CKM_SHA256_KEY_DERIVATION      0x00000393
-#define CKM_SHA384_KEY_DERIVATION      0x00000394
-#define CKM_SHA512_KEY_DERIVATION      0x00000395
+#define CKM_SHA256_KEY_DERIVATION      0x00000393	/* v2.20 */
+#define CKM_SHA384_KEY_DERIVATION      0x00000394	/* v2.20 */
+#define CKM_SHA512_KEY_DERIVATION      0x00000395	/* v2.20 */

 #define CKM_PBE_MD2_DES_CBC            0x000003A0
 #define CKM_PBE_MD5_DES_CBC            0x000003A1
@ -833,21 +755,9 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_PKCS5_PBKD2                0x000003B0

 #define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
-
-/* WTLS mechanisms are new for v2.20 */
-#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
-#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
-#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
-#define CKM_WTLS_PRF                        0x000003D3
-#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
-#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
-
 #define CKM_KEY_WRAP_LYNKS             0x00000400
 #define CKM_KEY_WRAP_SET_OAEP          0x00000401

-/* CKM_CMS_SIG is new for v2.20 */
-#define CKM_CMS_SIG                    0x00000500
-
 /* Fortezza mechanisms */
 #define CKM_SKIPJACK_KEY_GEN           0x00001000
 #define CKM_SKIPJACK_ECB64             0x00001001
@ -870,17 +780,12 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_BATON_COUNTER              0x00001034
 #define CKM_BATON_SHUFFLE              0x00001035
 #define CKM_BATON_WRAP                 0x00001036
-
-/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
- * CKM_EC_KEY_PAIR_GEN is preferred */
-#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040 /* depricated in v2.11 */
 #define CKM_EC_KEY_PAIR_GEN            0x00001040
-
 #define CKM_ECDSA                      0x00001041
 #define CKM_ECDSA_SHA1                 0x00001042

-/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
- * are new for v2.11 */
+/* ECDH1 is new for 2.11 */
 #define CKM_ECDH1_DERIVE               0x00001050
 #define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
 #define CKM_ECMQV_DERIVE               0x00001052
@ -893,10 +798,7 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_JUNIPER_WRAP               0x00001065
 #define CKM_FASTHASH                   0x00001070

-/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
- * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
- * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
- * new for v2.11 */
+/* AES is new for 2.11 */
 #define CKM_AES_KEY_GEN                0x00001080
 #define CKM_AES_ECB                    0x00001081
 #define CKM_AES_CBC                    0x00001082
@ -904,24 +806,11 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_AES_MAC_GENERAL            0x00001084
 #define CKM_AES_CBC_PAD                0x00001085

-/* BlowFish and TwoFish are new for v2.20 */
-#define CKM_BLOWFISH_KEY_GEN           0x00001090
-#define CKM_BLOWFISH_CBC               0x00001091
-#define CKM_TWOFISH_KEY_GEN            0x00001092
-#define CKM_TWOFISH_CBC                0x00001093
-
-
-/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
-#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
-#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
-#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
-#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
-#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
-#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
-
+/* CKM_DSA_PARAMETER_GEN, CKM_DH_PKCS_PARAMETER_GEN,
+ * and CKM_DH_X9_42_PARAMETER_GEN are new for 2.11 */
 #define CKM_DSA_PARAMETER_GEN          0x00002000
 #define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
-#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
+#define CKM_DH_X9_42_PARAMETER_GEN     0x00002002

 #define CKM_VENDOR_DEFINED             0x80000000

@ -959,6 +848,8 @@ typedef struct CK_MECHANISM_INFO {
 * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
 * and CKF_DERIVE are new for v2.0.  They specify whether or not
 * a mechanism can be used for a particular task */
+/* The flags CKF_EC_FP, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and  CKF_EC_COMPRESS are new for v2.11 */
 #define CKF_ENCRYPT            0x00000100
 #define CKF_DECRYPT            0x00000200
 #define CKF_DIGEST             0x00000400
@ -971,20 +862,14 @@ typedef struct CK_MECHANISM_INFO {
 #define CKF_WRAP               0x00020000
 #define CKF_UNWRAP             0x00040000
 #define CKF_DERIVE             0x00080000
-
-/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
- * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
- * describe a token's EC capabilities not available in mechanism
- * information. */
 #define CKF_EC_FP              0x00100000
-#define CKF_EC_F_P             0x00100000
 #define CKF_EC_F_2M            0x00200000
 #define CKF_EC_ECPARAMETERS    0x00400000
 #define CKF_EC_NAMEDCURVE      0x00800000
 #define CKF_EC_UNCOMPRESS      0x01000000
 #define CKF_EC_COMPRESS        0x02000000

-#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
+#define CKF_EXTENSION          0x80000000  /* FALSE for 2.01 */

 typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;

@ -1047,7 +932,8 @@ typedef CK_ULONG          CK_RV;
 #define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
 #define CKR_KEY_NOT_WRAPPABLE                 0x00000069
 #define CKR_KEY_UNEXTRACTABLE                 0x0000006A
-/* new in v2.11 depricated by 2.20 */
+
+/* CKR_KEY_PARAMS_INVALID is new for v2.11 */
 #define CKR_KEY_PARAMS_INVALID                0x0000006B

 #define CKR_MECHANISM_INVALID                 0x00000070
@ -1105,10 +991,10 @@ typedef CK_ULONG          CK_RV;
 #define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
 #define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120

-/* These are new to v2.0 */
+/* New for v2.0 */
 #define CKR_RANDOM_NO_RNG                     0x00000121

-/* These are new to v2.11 */
+/* New for v2.11 */
 #define CKR_DOMAIN_PARAMS_INVALID             0x00000130

 /* These are new to v2.0 */
@ -1123,9 +1009,6 @@ typedef CK_ULONG          CK_RV;
 #define CKR_MUTEX_BAD                         0x000001A0
 #define CKR_MUTEX_NOT_LOCKED                  0x000001A1

-/* This is new to v2.20 */
-#define CKR_FUNCTION_REJECTED                 0x00000200
-
 #define CKR_VENDOR_DEFINED                    0x80000000


@ -1206,17 +1089,12 @@ typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
 * Generation Function (MGF) applied to a message block when 
 * formatting a message block for the PKCS #1 OAEP encryption 
 * scheme. */
-typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+typedef CK_ULONG CK_RSA_PKCS_OAEP_MGF_TYPE;

-typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+typedef CK_RSA_PKCS_OAEP_MGF_TYPE CK_PTR CK_RSA_PKCS_OAEP_MGF_TYPE_PTR;

 /* The following MGFs are defined */
-/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
- * are new for v2.20 */
 #define CKG_MGF1_SHA1         0x00000001
-#define CKG_MGF1_SHA256       0x00000002
-#define CKG_MGF1_SHA384       0x00000003
-#define CKG_MGF1_SHA512       0x00000004

 /* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10. 
 * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
@ -1233,138 +1111,15 @@ typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
 * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the 
 * CKM_RSA_PKCS_OAEP mechanism. */
 typedef struct CK_RSA_PKCS_OAEP_PARAMS {
-        CK_MECHANISM_TYPE hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
-        CK_VOID_PTR pSourceData;
-        CK_ULONG ulSourceDataLen;
+       CK_MECHANISM_TYPE hashAlg;
+       CK_RSA_PKCS_OAEP_MGF_TYPE mgf;
+       CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+       CK_VOID_PTR pSourceData;
+       CK_ULONG ulSourceDataLen;
 } CK_RSA_PKCS_OAEP_PARAMS;

 typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;

-/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
- * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
- * CKM_RSA_PKCS_PSS mechanism(s). */
-typedef struct CK_RSA_PKCS_PSS_PARAMS {
-        CK_MECHANISM_TYPE    hashAlg;
-        CK_RSA_PKCS_MGF_TYPE mgf;
-        CK_ULONG             sLen;
-} CK_RSA_PKCS_PSS_PARAMS;
-
-typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
-
-/* CK_EC_KDF_TYPE is new for v2.11. */
-typedef CK_ULONG CK_EC_KDF_TYPE;
-
-/* The following EC Key Derivation Functions are defined */
-#define CKD_NULL                 0x00000001
-#define CKD_SHA1_KDF             0x00000002
-
-/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
- * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
- * where each party contributes one key pair.
- */
-typedef struct CK_ECDH1_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_ECDH1_DERIVE_PARAMS;
-
-typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
-
-
-/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
- * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
- * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
-typedef struct CK_ECDH2_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_ECDH2_DERIVE_PARAMS;
-
-typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_ECMQV_DERIVE_PARAMS {
-  CK_EC_KDF_TYPE kdf;
-  CK_ULONG ulSharedDataLen;
-  CK_BYTE_PTR pSharedData;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_ECMQV_DERIVE_PARAMS;
-
-typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
-
-/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
- * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
-typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
-typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
-
-/* The following X9.42 DH key derivation functions are defined
-   (besides CKD_NULL already defined : */
-#define CKD_SHA1_KDF_ASN1        0x00000003
-#define CKD_SHA1_KDF_CONCATENATE 0x00000004
-
-/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
- * contributes one key pair */
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-} CK_X9_42_DH1_DERIVE_PARAMS;
-
-typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
-
-/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
- * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
- * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
- * mechanisms, where each party contributes two key pairs */
-typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-} CK_X9_42_DH2_DERIVE_PARAMS;
-
-typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
-
-typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
-  CK_X9_42_DH_KDF_TYPE kdf;
-  CK_ULONG ulOtherInfoLen;
-  CK_BYTE_PTR pOtherInfo;
-  CK_ULONG ulPublicDataLen;
-  CK_BYTE_PTR pPublicData;
-  CK_ULONG ulPrivateDataLen;
-  CK_OBJECT_HANDLE hPrivateData;
-  CK_ULONG ulPublicDataLen2;
-  CK_BYTE_PTR pPublicData2;
-  CK_OBJECT_HANDLE publicKey;
-} CK_X9_42_MQV_DERIVE_PARAMS;
-
-typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
-
 /* CK_KEA_DERIVE_PARAMS provides the parameters to the
 * CKM_KEA_DERIVE mechanism */
 /* CK_KEA_DERIVE_PARAMS is new for v2.0 */
@ -1458,22 +1213,6 @@ typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;

 typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;

-/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
-typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[8];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
-
-typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
-  CK_BYTE      iv[16];
-  CK_BYTE_PTR  pData;
-  CK_ULONG     length;
-} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
-
-typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;

 /* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
 * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
@ -1521,12 +1260,12 @@ typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \


 typedef struct CK_PBE_PARAMS {
-  CK_BYTE_PTR      pInitVector;
-  CK_UTF8CHAR_PTR  pPassword;
-  CK_ULONG         ulPasswordLen;
-  CK_BYTE_PTR      pSalt;
-  CK_ULONG         ulSaltLen;
-  CK_ULONG         ulIteration;
+  CK_CHAR_PTR  pInitVector;
+  CK_CHAR_PTR  pPassword;
+  CK_ULONG     ulPasswordLen;
+  CK_CHAR_PTR  pSalt;
+  CK_ULONG     ulSaltLen;
+  CK_ULONG     ulIteration;
 } CK_PBE_PARAMS;

 typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
@ -1585,83 +1324,6 @@ typedef struct CK_SSL3_KEY_MAT_PARAMS {

 typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;

-/* CK_TLS_PRF_PARAMS is new for version 2.20 */
-typedef struct CK_TLS_PRF_PARAMS {
-  CK_BYTE_PTR  pSeed;
-  CK_ULONG     ulSeedLen;
-  CK_BYTE_PTR  pLabel;
-  CK_ULONG     ulLabelLen;
-  CK_BYTE_PTR  pOutput;
-  CK_ULONG_PTR pulOutputLen;
-} CK_TLS_PRF_PARAMS;
-
-typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
-
-/* WTLS is new for version 2.20 */
-typedef struct CK_WTLS_RANDOM_DATA {
-  CK_BYTE_PTR pClientRandom;
-  CK_ULONG    ulClientRandomLen;
-  CK_BYTE_PTR pServerRandom;
-  CK_ULONG    ulServerRandomLen;
-} CK_WTLS_RANDOM_DATA;
-
-typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
-
-typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
-  CK_MECHANISM_TYPE   DigestMechanism;
-  CK_WTLS_RANDOM_DATA RandomInfo;
-  CK_BYTE_PTR         pVersion;
-} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
-
-typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
-  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
-
-typedef struct CK_WTLS_PRF_PARAMS {
-  CK_MECHANISM_TYPE DigestMechanism;
-  CK_BYTE_PTR       pSeed;
-  CK_ULONG          ulSeedLen;
-  CK_BYTE_PTR       pLabel;
-  CK_ULONG          ulLabelLen;
-  CK_BYTE_PTR       pOutput;
-  CK_ULONG_PTR      pulOutputLen;
-} CK_WTLS_PRF_PARAMS;
-
-typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_OUT {
-  CK_OBJECT_HANDLE hMacSecret;
-  CK_OBJECT_HANDLE hKey;
-  CK_BYTE_PTR      pIV;
-} CK_WTLS_KEY_MAT_OUT;
-
-typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
-
-typedef struct CK_WTLS_KEY_MAT_PARAMS {
-  CK_MECHANISM_TYPE       DigestMechanism;
-  CK_ULONG                ulMacSizeInBits;
-  CK_ULONG                ulKeySizeInBits;
-  CK_ULONG                ulIVSizeInBits;
-  CK_ULONG                ulSequenceNumber;
-  CK_BBOOL                bIsExport;
-  CK_WTLS_RANDOM_DATA     RandomInfo;
-  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
-} CK_WTLS_KEY_MAT_PARAMS;
-
-typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
-
-/* CMS is new for version 2.20 */
-typedef struct CK_CMS_SIG_PARAMS {
-  CK_OBJECT_HANDLE      certificateHandle;
-  CK_MECHANISM_PTR      pSigningMechanism;
-  CK_MECHANISM_PTR      pDigestMechanism;
-  CK_UTF8CHAR_PTR       pContentType;
-  CK_BYTE_PTR           pRequestedAttributes;
-  CK_ULONG              ulRequestedAttributesLen;
-  CK_BYTE_PTR           pRequiredAttributes;
-  CK_ULONG              ulRequiredAttributesLen;
-} CK_CMS_SIG_PARAMS;
-
-typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;

 typedef struct CK_KEY_DERIVATION_STRING_DATA {
  CK_BYTE_PTR pData;
@ -1693,8 +1355,8 @@ typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_
 #define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001


-/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
- * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+/* CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_SALT_SOURCE_TYPE is used to indicate the 
 * source of the salt value when deriving a key using PKCS #5 
 * PBKDF2. */
 typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
@ -1708,20 +1370,37 @@ typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE
 * CK_PKCS5_PBKD2_PARAMS is a structure that provides the 
 * parameters to the CKM_PKCS5_PBKD2 mechanism. */
 typedef struct CK_PKCS5_PBKD2_PARAMS {
-        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
-        CK_VOID_PTR                                pSaltSourceData;
-        CK_ULONG                                   ulSaltSourceDataLen;
-        CK_ULONG                                   iterations;
-        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
-        CK_VOID_PTR                                pPrfData;
-        CK_ULONG                                   ulPrfDataLen;
-        CK_UTF8CHAR_PTR                            pPassword;
-        CK_ULONG_PTR                               ulPasswordLen;
+       CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+       CK_VOID_PTR pSaltSourceData;
+       CK_ULONG ulSaltSourceDataLen;
+       CK_ULONG iterations;
+       CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+       CK_VOID_PTR pPrfData;
+       CK_ULONG ulPrfDataLen;
 } CK_PKCS5_PBKD2_PARAMS;
 
 typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;

-/* NSS Specific defines */
+/* CK_ECDH1_DERIVE_PARAMS is defined in Section 12.4.4 of 
+ * PKCS#11v2.11. This structure provides parameters for
+ * the CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE key
+ * derivation mechanisms.
+ */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+#define CKD_NULL                 0x00000001
+#define CKD_SHA1_KDF             0x00000002
+ 
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+/* Netscape Specific defines */
 #include "pkcs11n.h"

 /* undo packing */