/*
* Create one item of type mechlist_t with the mechanism name. A null is
* returned to indicate that the storage space available is insufficient.
*/
mechlist_t *
create_mech(char *name)
{
mechlist_t *pres = NULL;
char *first, *last;
if (name == NULL) {
return (NULL);
}
pres = malloc(sizeof (mechlist_t));
if (pres == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
first = name;
while (isspace(*first)) /* nuke leading whitespace */
first++;
(void) strlcpy(pres->name, first, sizeof (pres->name));
last = strrchr(pres->name, '\0');
last--;
while (isspace(*last)) /* nuke trailing whitespace */
*last-- = '\0';
pres->next = NULL;
return (pres);
}
/*
* Prepare the calling argument for the GET_SOFT_INFO call for the provider
* with the number of mechanisms specified in the second argument.
*/
static crypto_get_soft_info_t *
setup_get_soft_info(char *provname, int count)
{
crypto_get_soft_info_t *psoft_info;
size_t extra_mech_size = 0;
if (provname == NULL) {
return (NULL);
}
if (count > 1) {
extra_mech_size = sizeof (crypto_mech_name_t) * (count - 1);
}
psoft_info = malloc(sizeof (crypto_get_soft_info_t) + extra_mech_size);
if (psoft_info == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
(void) strlcpy(psoft_info->si_name, provname, MAXNAMELEN);
psoft_info->si_count = count;
return (psoft_info);
}
int
stop_daemon(void)
{
int fd = -1;
int err = 0;
struct door_info dinfo;
/* read PID of kcfd process from kcfd lock file */
if ((fd = open(_PATH_KCFD_DOOR, O_RDONLY)) == -1) {
err = errno;
cryptodebug("Can not open %s: %s", _PATH_KCFD_DOOR,
strerror(err));
goto stop_fail;
}
if (door_info(fd, &dinfo) == -1 || dinfo.di_target == -1) {
err = ENOENT; /* no errno if di_target == -1 */
cryptodebug("no door server listening on %s", _PATH_KCFD_DOOR);
goto stop_fail;
}
cryptodebug("Sending SIGINT to %d", dinfo.di_target);
/* send a signal to kcfd process */
if ((kill(dinfo.di_target, SIGINT)) != 0) {
err = errno;
cryptodebug("failed to send a signal to kcfd: %s",
strerror(errno));
goto stop_fail;
}
stop_fail:
if (fd != -1)
(void) close(fd);
if (err != 0) {
cryptoerror(LOG_STDERR, gettext(
"no kcfd available to stop - %s."),
strerror(err));
/*
* We return with SMF_EXIT_OK because this was a request
* to stop something that wasn't running.
*/
return (SMF_EXIT_OK);
}
return (SMF_EXIT_OK);
}
/*
* Provide help, in the form of displaying the usage.
*/
static int
pk_help(int argc, char *argv[])
/* ARGSUSED */
{
cryptodebug("inside pk_help");
usage();
return (0);
}
/*
* pkcs11_str2mech - convert a string into a PKCS#11 mech number.
*
* Since there isn't reserved value for an invalid mech we return
* CKR_MECHANISM_INVALID for anything we don't recognise.
* The value in mech isn't meaningful in these cases.
*/
CK_RV
pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech)
{
int i;
char *tmech_str;
if (mech_str == NULL)
return (CKR_MECHANISM_INVALID);
if (strncasecmp(mech_str, "0x8", 3) == 0) {
cryptodebug("pkcs11_str2mech: hex string passed in: %s",
mech_str);
*mech = strtoll(mech_str, NULL, 16);
return (CKR_OK);
}
if (strncasecmp(mech_str, "CKM_", 4) != 0) {
size_t tmech_strlen = strlen(mech_str) + 4 + 1;
cryptodebug("pkcs11_str2mech: no CKM_ prefix: %s", mech_str);
tmech_str = malloc(tmech_strlen * sizeof (char));
(void) snprintf(tmech_str, tmech_strlen, "CKM_%s", mech_str);
cryptodebug("pkcs11_str2mech: with prefix: %s", tmech_str);
} else {
tmech_str = mech_str;
}
for (i = 0; mapping[i].str; i++) {
if (strcasecmp(mapping[i].str, tmech_str) == 0) {
*mech = mapping[i].mech;
if (tmech_str != mech_str)
free(tmech_str);
return (CKR_OK);
}
}
if (tmech_str != mech_str)
free(tmech_str);
return (CKR_MECHANISM_INVALID);
}
/*
* Prepare the argument for the LOAD_DEV_DISABLED ioctl call for the
* provider pointed by pent. Return NULL if out of memory.
*/
crypto_load_dev_disabled_t *
setup_dev_dis(entry_t *pent)
{
crypto_load_dev_disabled_t *pload_dev_dis;
mechlist_t *plist;
size_t extra_mech_size = 0;
uint_t dis_count;
int i;
char pname[MAXNAMELEN];
int inst_num;
if (pent == NULL) {
return (NULL);
}
/* get the device name and the instance number */
if (split_hw_provname(pent->name, pname, &inst_num) == FAILURE) {
return (NULL);
}
/* allocate space for pload_dev_des */
dis_count = pent->dis_count;
if (dis_count > 1) {
extra_mech_size = sizeof (crypto_mech_name_t) *
(dis_count - 1);
}
pload_dev_dis = malloc(sizeof (crypto_load_dev_disabled_t) +
extra_mech_size);
if (pload_dev_dis == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
/* set the values for pload_dev_dis */
(void) strlcpy(pload_dev_dis->dd_dev_name, pname, MAXNAMELEN);
pload_dev_dis->dd_dev_instance = inst_num;
pload_dev_dis->dd_count = dis_count;
i = 0;
plist = pent->dislist;
while (i < dis_count) {
(void) strlcpy(pload_dev_dis->dd_list[i++],
plist->name, CRYPTO_MAX_MECH_NAME);
plist = plist->next;
}
return (pload_dev_dis);
}
/*
* Prepare the calling argument of the UNLOAD_SOFT_MODULE ioctl call for the
* provider pointed by pent. Return NULL if out of memory.
*/
crypto_unload_soft_module_t *
setup_unload_soft(entry_t *pent)
{
crypto_unload_soft_module_t *punload_soft;
if (pent == NULL) {
return (NULL);
}
punload_soft = malloc(sizeof (crypto_unload_soft_module_t));
if (punload_soft == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
(void) strlcpy(punload_soft->sm_name, pent->name, MAXNAMELEN);
return (punload_soft);
}
/*
* Usage information. This function must be updated when new verbs or
* options are added.
*/
static void
usage(void)
{
int i;
cryptodebug("inside usage");
/* Display this block only in command-line mode. */
(void) fprintf(stdout, gettext("Usage:\n"));
(void) fprintf(stdout, gettext("\t%s -?\t(help and usage)\n"), prog);
(void) fprintf(stdout, gettext("\t%s subcommand [options...]\n"), prog);
(void) fprintf(stdout, gettext("where subcommands may be:\n"));
/* Display only those verbs that match the current tool mode. */
for (i = 0; i < num_cmds; i++) {
/* Do NOT i18n/l10n. */
(void) fprintf(stdout, "\t%s\n", cmds[i].synopsis);
}
}
/*
* Prepare the argument for the LOAD_SOFT_DISABLED ioctl call for the
* provider pointed by pent. Return NULL if out of memory.
*/
crypto_load_soft_disabled_t *
setup_soft_dis(entry_t *pent)
{
crypto_load_soft_disabled_t *pload_soft_dis;
mechlist_t *plist;
size_t extra_mech_size = 0;
uint_t dis_count;
int i;
if (pent == NULL) {
return (NULL);
}
dis_count = pent->dis_count;
if (dis_count > 1) {
extra_mech_size = sizeof (crypto_mech_name_t) *
(dis_count - 1);
}
pload_soft_dis = malloc(sizeof (crypto_load_soft_disabled_t) +
extra_mech_size);
if (pload_soft_dis == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
(void) strlcpy(pload_soft_dis->sd_name, pent->name, MAXNAMELEN);
pload_soft_dis->sd_count = dis_count;
i = 0;
plist = pent->dislist;
while (i < dis_count) {
(void) strlcpy(pload_soft_dis->sd_list[i++],
plist->name, CRYPTO_MAX_MECH_NAME);
plist = plist->next;
}
return (pload_soft_dis);
}
/*
* Prepare the argument for the LOAD_SOFT_CONFIG ioctl call for the
* provider pointed by pent. Return NULL if out of memory.
*/
crypto_load_soft_config_t *
setup_soft_conf(entry_t *pent)
{
crypto_load_soft_config_t *pload_soft_conf;
mechlist_t *plist;
uint_t sup_count;
size_t extra_mech_size = 0;
int i;
if (pent == NULL) {
return (NULL);
}
sup_count = pent->sup_count;
if (sup_count > 1) {
extra_mech_size = sizeof (crypto_mech_name_t) *
(sup_count - 1);
}
pload_soft_conf = malloc(sizeof (crypto_load_soft_config_t) +
extra_mech_size);
if (pload_soft_conf == NULL) {
cryptodebug("out of memory.");
return (NULL);
}
(void) strlcpy(pload_soft_conf->sc_name, pent->name, MAXNAMELEN);
pload_soft_conf->sc_count = sup_count;
i = 0;
plist = pent->suplist;
while (i < sup_count) {
(void) strlcpy(pload_soft_conf->sc_list[i++],
plist->name, CRYPTO_MAX_MECH_NAME);
plist = plist->next;
}
return (pload_soft_conf);
}
/*
* Get the supported mechanism list of the software provider from kernel.
*/
int
get_soft_info(char *provname, mechlist_t **ppmechlist)
{
crypto_get_soft_info_t *psoft_info;
mechlist_t *phead;
mechlist_t *pmech;
mechlist_t *pcur;
entry_t *pent;
int count;
int fd;
int rc;
int i;
if (provname == NULL) {
return (FAILURE);
}
if (getzoneid() == GLOBAL_ZONEID) {
/* use kcf.conf for kernel software providers in global zone */
if ((pent = getent_kef(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("%s does not exist."),
provname);
return (FAILURE);
}
count = pent->sup_count;
free_entry(pent);
} else {
/*
* kcf.conf not there in non-global zone, set mech count to 1;
* it will be reset to the correct value later if the setup
* buffer is too small
*/
count = 1;
}
if ((psoft_info = setup_get_soft_info(provname, count)) == NULL) {
return (FAILURE);
}
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
free(psoft_info);
return (FAILURE);
}
/* make GET_SOFT_INFO ioctl call */
if ((rc = ioctl(fd, CRYPTO_GET_SOFT_INFO, psoft_info)) == -1) {
cryptodebug("CRYPTO_GET_SOFT_INFO ioctl failed: %s",
strerror(errno));
(void) close(fd);
free(psoft_info);
return (FAILURE);
}
/* BUFFER is too small, get the number of mechanisms and retry it. */
if (psoft_info->si_return_value == CRYPTO_BUFFER_TOO_SMALL) {
count = psoft_info->si_count;
free(psoft_info);
if ((psoft_info = setup_get_soft_info(provname, count))
== NULL) {
(void) close(fd);
return (FAILURE);
} else {
rc = ioctl(fd, CRYPTO_GET_SOFT_INFO, psoft_info);
if (rc == -1) {
cryptodebug("CRYPTO_GET_SOFT_INFO ioctl "
"failed: %s", strerror(errno));
(void) close(fd);
free(psoft_info);
return (FAILURE);
}
}
}
(void) close(fd);
if (psoft_info->si_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_GET_SOFT_INFO ioctl failed, "
"return_value = %d", psoft_info->si_return_value);
free(psoft_info);
return (FAILURE);
}
/* Get the mechanism list and return it */
rc = SUCCESS;
phead = pcur = NULL;
for (i = 0; i < psoft_info->si_count; i++) {
pmech = create_mech(&psoft_info->si_list[i][0]);
if (pmech == NULL) {
rc = FAILURE;
break;
} else {
if (phead == NULL) {
phead = pcur = pmech;
} else {
pcur->next = pmech;
pcur = pmech;
}
}
}
if (rc == FAILURE) {
free_mechlist(phead);
} else {
*ppmechlist = phead;
}
free(psoft_info);
return (rc);
}
/*
* Get the device list from kernel.
*/
int
get_dev_list(crypto_get_dev_list_t **ppdevlist)
{
crypto_get_dev_list_t *pdevlist;
int fd;
int count = DEFAULT_DEV_NUM;
pdevlist = malloc(sizeof (crypto_get_dev_list_t) +
sizeof (crypto_dev_list_entry_t) * (count - 1));
if (pdevlist == NULL) {
cryptodebug("out of memory.");
return (FAILURE);
}
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
return (FAILURE);
}
pdevlist->dl_dev_count = count;
if (ioctl(fd, CRYPTO_GET_DEV_LIST, pdevlist) == -1) {
cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed: %s",
strerror(errno));
free(pdevlist);
(void) close(fd);
return (FAILURE);
}
/* BUFFER is too small, get the number of devices and retry it. */
if (pdevlist->dl_return_value == CRYPTO_BUFFER_TOO_SMALL) {
count = pdevlist->dl_dev_count;
free(pdevlist);
pdevlist = malloc(sizeof (crypto_get_dev_list_t) +
sizeof (crypto_dev_list_entry_t) * (count - 1));
if (pdevlist == NULL) {
cryptodebug("out of memory.");
(void) close(fd);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_GET_DEV_LIST, pdevlist) == -1) {
cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed: %s",
strerror(errno));
free(pdevlist);
(void) close(fd);
return (FAILURE);
}
}
if (pdevlist->dl_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed, "
"return_value = %d", pdevlist->dl_return_value);
free(pdevlist);
(void) close(fd);
return (FAILURE);
}
*ppdevlist = pdevlist;
(void) close(fd);
return (SUCCESS);
}
/*
* Get all the mechanisms supported by the hardware provider.
* The result will be stored in the second argument.
*/
int
get_dev_info(char *devname, int inst_num, int count, mechlist_t **ppmechlist)
{
crypto_get_dev_info_t *dev_info;
mechlist_t *phead;
mechlist_t *pcur;
mechlist_t *pmech;
int fd;
int i;
int rc;
if (devname == NULL || count < 1) {
cryptodebug("get_dev_info(): devname is NULL or bogus count");
return (FAILURE);
}
/* Set up the argument for the CRYPTO_GET_DEV_INFO ioctl call */
dev_info = malloc(sizeof (crypto_get_dev_info_t) +
sizeof (crypto_mech_name_t) * (count - 1));
if (dev_info == NULL) {
cryptodebug("out of memory.");
return (FAILURE);
}
(void) strlcpy(dev_info->di_dev_name, devname, MAXNAMELEN);
dev_info->di_dev_instance = inst_num;
dev_info->di_count = count;
/* Open the ioctl device */
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
free(dev_info);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_GET_DEV_INFO, dev_info) == -1) {
cryptodebug("CRYPTO_GET_DEV_INFO ioctl failed: %s",
strerror(errno));
free(dev_info);
(void) close(fd);
return (FAILURE);
}
if (dev_info->di_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_GET_DEV_INFO ioctl failed, "
"return_value = %d", dev_info->di_return_value);
free(dev_info);
(void) close(fd);
return (FAILURE);
}
phead = pcur = NULL;
rc = SUCCESS;
for (i = 0; i < dev_info->di_count; i++) {
pmech = create_mech(&dev_info->di_list[i][0]);
if (pmech == NULL) {
rc = FAILURE;
break;
} else {
if (phead == NULL) {
phead = pcur = pmech;
} else {
pcur->next = pmech;
pcur = pmech;
}
}
}
if (rc == SUCCESS) {
*ppmechlist = phead;
} else {
free_mechlist(phead);
}
free(dev_info);
(void) close(fd);
return (rc);
}
/*
* Implement the "cryptoadm refresh" command for global zones.
* That is, send the current contents of kcf.conf to the kernel via ioctl().
*/
int
refresh(void)
{
crypto_load_soft_config_t *pload_soft_conf = NULL;
crypto_load_soft_disabled_t *pload_soft_dis = NULL;
crypto_load_dev_disabled_t *pload_dev_dis = NULL;
entrylist_t *pdevlist = NULL;
entrylist_t *psoftlist = NULL;
entrylist_t *ptr;
int fd = -1;
int rc = SUCCESS;
int err;
if (get_kcfconf_info(&pdevlist, &psoftlist) == FAILURE) {
cryptoerror(LOG_ERR, "failed to retrieve the providers' "
"information from the configuration file - %s.",
_PATH_KCF_CONF);
return (FAILURE);
}
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
err = errno;
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(err));
free(psoftlist);
free(pdevlist);
return (FAILURE);
}
/*
* For each software provider module, pass two sets of information to
* the kernel: the supported list and the disabled list.
*/
for (ptr = psoftlist; ptr != NULL; ptr = ptr->next) {
entry_t *pent = ptr->pent;
/* load the supported list */
if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) {
cryptodebug("setup_soft_conf() failed");
rc = FAILURE;
break;
}
if (!pent->load) { /* unloaded--mark as loaded */
pent->load = B_TRUE;
rc = update_kcfconf(pent, MODIFY_MODE);
if (rc != SUCCESS) {
free(pload_soft_conf);
break;
}
}
if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf)
== -1) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
strerror(errno));
free(pload_soft_conf);
rc = FAILURE;
break;
}
if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl "
"return_value = %d",
pload_soft_conf->sc_return_value);
free(pload_soft_conf);
rc = FAILURE;
break;
}
free(pload_soft_conf);
/* load the disabled list */
if (ptr->pent->dis_count != 0) {
pload_soft_dis = setup_soft_dis(ptr->pent);
if (pload_soft_dis == NULL) {
cryptodebug("setup_soft_dis() failed");
free(pload_soft_dis);
rc = FAILURE;
break;
}
if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED,
pload_soft_dis) == -1) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
"failed: %s", strerror(errno));
free(pload_soft_dis);
rc = FAILURE;
break;
}
if (pload_soft_dis->sd_return_value !=
CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
"return_value = %d",
pload_soft_dis->sd_return_value);
free(pload_soft_dis);
rc = FAILURE;
break;
}
free(pload_soft_dis);
}
}
if (rc != SUCCESS) {
(void) close(fd);
return (rc);
}
/*
* For each hardware provider module, pass the disabled list
* information to the kernel.
*/
for (ptr = pdevlist; ptr != NULL; ptr = ptr->next) {
/* load the disabled list */
if (ptr->pent->dis_count != 0) {
pload_dev_dis = setup_dev_dis(ptr->pent);
if (pload_dev_dis == NULL) {
rc = FAILURE;
break;
}
if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis)
== -1) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
"failed: %s", strerror(errno));
free(pload_dev_dis);
rc = FAILURE;
break;
}
if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
"return_value = %d",
pload_dev_dis->dd_return_value);
free(pload_dev_dis);
rc = FAILURE;
break;
}
free(pload_dev_dis);
}
}
/*
* handle fips_status=enabled|disabled
*/
{
int pkcs11_fips_mode = 0;
/* Get FIPS-140 status from pkcs11.conf */
fips_status_pkcs11conf(&pkcs11_fips_mode);
if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED) {
rc = do_fips_actions(FIPS140_ENABLE, REFRESH);
} else {
rc = do_fips_actions(FIPS140_DISABLE, REFRESH);
}
}
(void) close(fd);
return (rc);
}
/*
* Lists all slots with tokens in them.
*/
int
pk_tokens(int argc, char *argv[])
{
CK_SLOT_ID_PTR slots = NULL;
CK_ULONG slot_count = 0;
CK_TOKEN_INFO token_info;
const char *fmt = NULL;
CK_RV rv = CKR_OK;
int i;
cryptodebug("inside pk_tokens");
/* Get rid of subcommand word "tokens". */
argc--;
argv++;
/* No additional args allowed. */
if (argc != 0)
return (PK_ERR_USAGE);
/* Done parsing command line options. */
/* Get the list of slots with tokens in them. */
if ((rv = get_token_slots(&slots, &slot_count)) != CKR_OK) {
cryptoerror(LOG_STDERR,
gettext("Unable to get token slot list (%s)."),
pkcs11_strerror(rv));
return (PK_ERR_PK11);
}
/* Make sure we have something to display. */
if (slot_count == 0) {
cryptoerror(LOG_STDERR, gettext("No slots with tokens found."));
return (0);
}
/* Display the list. */
fmt = "%-30.30s %-15.15s %-15.15s %-10.10s\n"; /* No I18N/L10N. */
(void) fprintf(stdout, fmt, gettext("Token Label"), gettext("Manuf ID"),
gettext("Serial No"), gettext("PIN State"));
for (i = 0; i < slot_count; i++) {
cryptodebug("calling C_GetTokenInfo");
if ((rv = C_GetTokenInfo(slots[i], &token_info)) != CKR_OK) {
cryptoerror(LOG_STDERR,
gettext("Unable to get slot %d token info (%s)."),
i, pkcs11_strerror(rv));
cryptodebug("token info error, slot %d (%s)", i,
pkcs11_strerror(rv));
continue;
}
(void) fprintf(stdout, fmt, token_info.label,
token_info.manufacturerID, token_info.serialNumber,
(token_info.flags & CKF_USER_PIN_TO_BE_CHANGED) ?
gettext("default") : gettext("user set"));
}
/* Clean up. */
free(slots);
quick_finish(NULL);
return (0);
}
/*
* Disable a kernel hardware provider.
* This implements the "cryptoadm disable" command for
* kernel hardware providers.
*/
int
disable_kef_hardware(char *provname, boolean_t rndflag, boolean_t allflag,
mechlist_t *dislist)
{
crypto_load_dev_disabled_t *pload_dev_dis = NULL;
mechlist_t *infolist = NULL;
entry_t *pent = NULL;
boolean_t new_dev_entry = B_FALSE;
char devname[MAXNAMELEN];
int inst_num;
int count;
int fd = -1;
int rc = SUCCESS;
if (provname == NULL) {
return (FAILURE);
}
/*
* Check if the provider is valid. If it is valid, get the number of
* mechanisms also.
*/
if (check_hardware_provider(provname, devname, &inst_num, &count)
== FAILURE) {
return (FAILURE);
}
/* Get the mechanism list for the kernel hardware provider */
if (get_dev_info(devname, inst_num, count, &infolist) == FAILURE) {
return (FAILURE);
}
/*
* Get the entry of this hardware provider from the config file.
* If there is no entry yet, create one for it.
*/
if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
free_mechlist(infolist);
return (FAILURE);
}
new_dev_entry = B_TRUE;
}
/*
* kCF treats random as an internal mechanism. So, we need to
* filter it from the mechanism list here, if we are NOT disabling
* or enabling the random feature. Note that we map random feature at
* cryptoadm(1M) level to the "random" mechanism in kCF.
*/
if (!rndflag) {
(void) filter_mechlist(&dislist, RANDOM);
}
/* Calculate the new disabled list */
if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) {
free_mechlist(infolist);
free_entry(pent);
return (FAILURE);
}
free_mechlist(infolist);
/* If no mechanisms are to be disabled, return */
if (pent->dis_count == 0) {
free_entry(pent);
return (SUCCESS);
}
/* Update the config file with the new entry or the updated entry */
if (new_dev_entry) {
rc = update_kcfconf(pent, ADD_MODE);
} else {
rc = update_kcfconf(pent, MODIFY_MODE);
}
if (rc == FAILURE) {
free_entry(pent);
return (FAILURE);
}
/* Inform kernel about the new disabled mechanism list */
if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
free_entry(pent);
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
free(pload_dev_dis);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: %s",
strerror(errno));
free(pload_dev_dis);
(void) close(fd);
return (FAILURE);
}
if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl return_value = "
"%d", pload_dev_dis->dd_return_value);
free(pload_dev_dis);
(void) close(fd);
return (FAILURE);
}
free(pload_dev_dis);
(void) close(fd);
return (SUCCESS);
}
/*
* Install a software module with the specified mechanism list into the system.
* This routine adds an entry into the config file for this software module
* first, then makes a CRYPTO_LOAD_SOFT_CONFIG ioctl call to inform kernel
* about the new addition.
*/
int
install_kef(char *provname, mechlist_t *mlist)
{
crypto_load_soft_config_t *pload_soft_conf = NULL;
boolean_t found;
entry_t *pent = NULL;
FILE *pfile = NULL;
FILE *pfile_tmp = NULL;
char tmpfile_name[MAXPATHLEN];
char *ptr;
char *str;
char *name;
char buffer[BUFSIZ];
char buffer2[BUFSIZ];
int found_count;
int fd = -1;
int rc = SUCCESS;
int err;
if ((provname == NULL) || (mlist == NULL)) {
return (FAILURE);
}
/* Check if the provider already exists */
if ((pent = getent_kef(provname, NULL, NULL)) != NULL) {
cryptoerror(LOG_STDERR, gettext("%s exists already."),
provname);
free_entry(pent);
return (FAILURE);
}
/* Create an entry with provname and mlist. */
if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
return (FAILURE);
}
pent->sup_count = get_mech_count(mlist);
pent->suplist = mlist;
/* Append an entry for this software module to the kcf.conf file. */
if ((str = ent2str(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
if ((pfile = fopen(_PATH_KCF_CONF, "r+")) == NULL) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to update the configuration - %s"),
strerror(err));
cryptodebug("failed to open %s for write.", _PATH_KCF_CONF);
free_entry(pent);
return (FAILURE);
}
if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to lock the configuration - %s"),
strerror(err));
free_entry(pent);
(void) fclose(pfile);
return (FAILURE);
}
/*
* Create a temporary file in the /etc/crypto directory.
*/
(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
if (mkstemp(tmpfile_name) == -1) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to create a temporary file - %s"),
strerror(err));
free_entry(pent);
(void) fclose(pfile);
return (FAILURE);
}
if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
err = errno;
cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
tmpfile_name, strerror(err));
free_entry(pent);
(void) fclose(pfile);
return (FAILURE);
}
/*
* Loop thru the config file. If the provider was reserved within a
* package bracket, just uncomment it. Otherwise, append it at
* the end. The resulting file will be saved in the temp file first.
*/
found_count = 0;
rc = SUCCESS;
while (fgets(buffer, BUFSIZ, pfile) != NULL) {
found = B_FALSE;
if (buffer[0] == '#') {
(void) strlcpy(buffer2, buffer, BUFSIZ);
ptr = buffer2;
ptr++;
if ((name = strtok(ptr, SEP_COLON)) == NULL) {
rc = FAILURE;
break;
} else if (strcmp(provname, name) == 0) {
found = B_TRUE;
found_count++;
}
}
if (found == B_FALSE) {
if (fputs(buffer, pfile_tmp) == EOF) {
rc = FAILURE;
}
} else {
if (found_count == 1) {
if (fputs(str, pfile_tmp) == EOF) {
rc = FAILURE;
}
} else {
/*
* Found a second entry with #libname.
* Should not happen. The kcf.conf file
* is corrupted. Give a warning and skip
* this entry.
*/
cryptoerror(LOG_STDERR, gettext(
"(Warning) Found an additional reserved "
"entry for %s."), provname);
}
}
if (rc == FAILURE) {
break;
}
}
(void) fclose(pfile);
if (rc == FAILURE) {
cryptoerror(LOG_STDERR, gettext("write error."));
(void) fclose(pfile_tmp);
if (unlink(tmpfile_name) != 0) {
err = errno;
cryptoerror(LOG_STDERR, gettext(
"(Warning) failed to remove %s: %s"), tmpfile_name,
strerror(err));
}
free_entry(pent);
return (FAILURE);
}
if (found_count == 0) {
/*
* This libname was not in package before, append it to the
* end of the temp file.
*/
if (fputs(str, pfile_tmp) == EOF) {
cryptoerror(LOG_STDERR, gettext(
"failed to write to %s: %s"), tmpfile_name,
strerror(errno));
(void) fclose(pfile_tmp);
if (unlink(tmpfile_name) != 0) {
err = errno;
cryptoerror(LOG_STDERR, gettext(
"(Warning) failed to remove %s: %s"),
tmpfile_name, strerror(err));
}
free_entry(pent);
return (FAILURE);
}
}
if (fclose(pfile_tmp) != 0) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to close %s: %s"), tmpfile_name,
strerror(err));
free_entry(pent);
return (FAILURE);
}
if (rename(tmpfile_name, _PATH_KCF_CONF) == -1) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to update the configuration - %s"),
strerror(err));
cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
_PATH_KCF_CONF, strerror(err));
rc = FAILURE;
} else if (chmod(_PATH_KCF_CONF,
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
err = errno;
cryptoerror(LOG_STDERR,
gettext("failed to update the configuration - %s"),
strerror(err));
cryptodebug("failed to chmod to %s: %s", _PATH_KCF_CONF,
strerror(err));
rc = FAILURE;
} else {
rc = SUCCESS;
}
if (rc == FAILURE) {
if (unlink(tmpfile_name) != 0) {
err = errno;
cryptoerror(LOG_STDERR, gettext(
"(Warning) failed to remove %s: %s"),
tmpfile_name, strerror(err));
}
free_entry(pent);
return (FAILURE);
}
/* Inform kernel of this new software module. */
if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
free_entry(pent);
free(pload_soft_conf);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf) == -1) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
strerror(errno));
free_entry(pent);
free(pload_soft_conf);
(void) close(fd);
return (FAILURE);
}
if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed, "
"return_value = %d", pload_soft_conf->sc_return_value);
free_entry(pent);
free(pload_soft_conf);
(void) close(fd);
return (FAILURE);
}
free_entry(pent);
free(pload_soft_conf);
(void) close(fd);
return (SUCCESS);
}
/*
* For each provider found in pkcs11.conf: expand $ISA if necessary,
* verify the module is signed, load the provider, find all of its
* slots, and store the function list and disabled policy.
*
* This function requires that the uentrylist_t and pkcs11_slottable_t
* already have memory allocated, and that the uentrylist_t is already
* populated with provider and policy information.
*
* pInitArgs can be set to NULL, but is normally the same value
* the framework's C_Initialize() was called with.
*
* Unless metaslot is explicitly disabled, it is setup when all other
* providers are loaded.
*/
CK_RV
pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs)
{
CK_RV rv = CKR_OK;
CK_RV prov_rv; /* Provider's return code */
CK_INFO prov_info;
CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
CK_FUNCTION_LIST_PTR prov_funcs = NULL; /* Provider's function list */
CK_ULONG prov_slot_count; /* Number of slots */
CK_SLOT_ID slot_id; /* slotID assigned for framework */
CK_SLOT_ID_PTR prov_slots = NULL; /* Provider's slot list */
/* Enabled or Disabled policy */
CK_MECHANISM_TYPE_PTR prov_pol_mechs = NULL;
void *dldesc = NULL;
char *isa, *fullpath = NULL, *dl_error;
uentrylist_t *phead;
uint_t prov_count = 0;
pkcs11_slot_t *cur_slot;
CK_ULONG i;
size_t len;
uentry_t *metaslot_entry = NULL;
/* number of slots in the framework, not including metaslot */
uint_t slot_count = 0;
ELFsign_status_t estatus = ELFSIGN_UNKNOWN;
char *estatus_str = NULL;
int kcfdfd = -1;
door_arg_t darg;
kcf_door_arg_t *kda = NULL;
kcf_door_arg_t *rkda = NULL;
int r;
phead = pplist;
/* Loop through all of the provider listed in pkcs11.conf */
while (phead != NULL) {
if (!strcasecmp(phead->puent->name, "metaslot")) {
/*
* Skip standard processing for metaslot
* entry since it is not an actual library
* that can be dlopened.
* It will be initialized later.
*/
if (metaslot_entry != NULL) {
cryptoerror(LOG_ERR,
"libpkcs11: multiple entries for metaslot "
"detected. All but the first entry will "
"be ignored");
} else {
metaslot_entry = phead->puent;
}
goto contparse;
}
/* Check for Instruction Set Architecture indicator */
if ((isa = strstr(phead->puent->name, PKCS11_ISA)) != NULL) {
/* Substitute the architecture dependent path */
len = strlen(phead->puent->name) -
strlen(PKCS11_ISA) +
strlen(PKCS11_ISA_DIR) + 1;
if ((fullpath = (char *)malloc(len)) == NULL) {
cryptoerror(LOG_ERR,
"libpksc11: parsing %s, out of memory. "
"Cannot continue parsing.",
_PATH_PKCS11_CONF);
rv = CKR_HOST_MEMORY;
goto conferror;
}
*isa = '\000';
isa += strlen(PKCS11_ISA);
(void) snprintf(fullpath, len, "%s%s%s",
phead->puent->name, PKCS11_ISA_DIR, isa);
} else if ((fullpath = strdup(phead->puent->name)) == 0) {
cryptoerror(LOG_ERR,
"libpkcs11: parsing %s, out of memory. "
"Cannot continue parsing.",
_PATH_PKCS11_CONF);
rv = CKR_HOST_MEMORY;
goto conferror;
}
/*
* Open the provider. Use RTLD_NOW to make sure we
* will not encounter symbol referencing errors later.
* Use RTLD_GROUP to limit the provider to it's own
* symbols, which prevents it from mistakenly accessing
* the framework's C_* functions.
*/
dldesc = dlopen(fullpath, RTLD_NOW|RTLD_GROUP);
/*
* If we failed to load it, we will just skip this
* provider and move on to the next one.
*/
if (dldesc == NULL) {
dl_error = dlerror();
cryptoerror(LOG_ERR,
"libpkcs11: Cannot load PKCS#11 library %s. "
"dlerror: %s. %s",
fullpath, dl_error != NULL ? dl_error : "Unknown",
conf_err);
goto contparse;
}
/* Get the pointer to provider's C_GetFunctionList() */
Tmp_C_GetFunctionList =
(CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
/*
* If we failed to get the pointer to C_GetFunctionList(),
* skip this provider and continue to the next one.
*/
if (Tmp_C_GetFunctionList == NULL) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not dlsym() C_GetFunctionList() "
"for %s. May not be a PKCS#11 library. %s",
fullpath, conf_err);
(void) dlclose(dldesc);
goto contparse;
}
/* Get the provider's function list */
prov_rv = Tmp_C_GetFunctionList(&prov_funcs);
/*
* If we failed to get the provider's function list,
* skip this provider and continue to the next one.
*/
if (prov_rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not get function list for %s. "
"%s Error: %s.",
fullpath, conf_err, pkcs11_strerror(prov_rv));
(void) dlclose(dldesc);
goto contparse;
}
/* Initialize this provider */
prov_rv = prov_funcs->C_Initialize(pInitArgs);
/*
* If we failed to initialize this provider,
* skip this provider and continue to the next one.
*/
if ((prov_rv != CKR_OK) &&
(prov_rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not initialize %s. "
"%s Error: %s.",
fullpath, conf_err, pkcs11_strerror(prov_rv));
(void) dlclose(dldesc);
goto contparse;
}
/*
* Make sure this provider is implementing the same
* major version, and at least the same minor version
* that we are.
*/
prov_rv = prov_funcs->C_GetInfo(&prov_info);
/*
* If we can't verify that we are implementing the
* same major version, or if it is definitely not the same
* version, we need to skip this provider.
*/
if ((prov_rv != CKR_OK) ||
(prov_info.cryptokiVersion.major !=
CRYPTOKI_VERSION_MAJOR)) {
if (prov_rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not verify version of "
"%s. %s Error: %s.", fullpath,
conf_err, pkcs11_strerror(prov_rv));
} else {
cryptoerror(LOG_ERR,
"libpkcs11: Only CRYPTOKI major version "
"%d is supported. %s is major "
"version %d. %s",
CRYPTOKI_VERSION_MAJOR, fullpath,
prov_info.cryptokiVersion.major, conf_err);
}
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
goto contparse;
}
/*
* Warn the administrator (at debug) that a provider with
* a significantly older or newer version of
* CRYPTOKI is being used. It should not cause
* problems, but logging a warning makes it easier
* to debug later.
*/
if ((prov_info.cryptokiVersion.minor <
CRYPTOKI_VERSION_WARN_MINOR) ||
(prov_info.cryptokiVersion.minor >
CRYPTOKI_VERSION_MINOR)) {
cryptoerror(LOG_DEBUG,
"libpkcs11: %s CRYPTOKI minor version, %d, may "
"not be compatible with minor version %d.",
fullpath, prov_info.cryptokiVersion.minor,
CRYPTOKI_VERSION_MINOR);
}
/*
* Find out how many slots this provider has,
* call with tokenPresent set to FALSE so all
* potential slots are returned.
*/
prov_rv = prov_funcs->C_GetSlotList(FALSE,
NULL, &prov_slot_count);
/*
* If the call failed, or if no slots are returned,
* then skip this provider and continue to next one.
*/
if (prov_rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpksc11: Could not get slot list from %s. "
"%s Error: %s.",
fullpath, conf_err, pkcs11_strerror(prov_rv));
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
goto contparse;
}
if (prov_slot_count == 0) {
cryptodebug("libpkcs11: No slots presented from %s. "
"Skipping this plug-in at this time.\n",
fullpath);
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
goto contparse;
}
/*
* Verify that the module is signed correctly.
*
* NOTE: there is a potential race condition here,
* since the module is verified well after we have
* opened the provider via dlopen(). This could be
* resolved by a variant of dlopen() that would take a
* file descriptor as an argument and by changing the
* kcfd libelfsign door protocol to use and fd instead
* of a path - but that wouldn't work in the kernel case.
*/
while ((kcfdfd = open(_PATH_KCFD_DOOR, O_RDONLY)) == -1) {
if (!(errno == EINTR || errno == EAGAIN))
break;
}
if (kcfdfd == -1) {
cryptoerror(LOG_ERR, "libpkcs11: open %s: %s",
_PATH_KCFD_DOOR,
strerror(errno));
goto verifycleanup;
}
/* Mark the door "close on exec" */
(void) fcntl(kcfdfd, F_SETFD, FD_CLOEXEC);
if ((kda = malloc(sizeof (kcf_door_arg_t))) == NULL) {
cryptoerror(LOG_ERR, "libpkcs11: malloc of kda "
"failed: %s", strerror(errno));
goto verifycleanup;
}
kda->da_version = KCF_KCFD_VERSION1;
kda->da_iskernel = B_FALSE;
(void) strlcpy(kda->da_u.filename, fullpath,
strlen(fullpath) + 1);
darg.data_ptr = (char *)kda;
darg.data_size = sizeof (kcf_door_arg_t);
darg.desc_ptr = NULL;
darg.desc_num = 0;
darg.rbuf = (char *)kda;
darg.rsize = sizeof (kcf_door_arg_t);
while ((r = door_call(kcfdfd, &darg)) != 0) {
if (!(errno == EINTR || errno == EAGAIN))
break;
}
if (r != 0) {
cryptoerror(LOG_ERR,
"libpkcs11: Unable to contact kcfd: %s",
strerror(errno));
goto verifycleanup;
}
/*LINTED*/
rkda = (kcf_door_arg_t *)darg.rbuf;
if (rkda->da_version != KCF_KCFD_VERSION1) {
cryptoerror(LOG_ERR,
"libpkcs11: kcfd and libelfsign versions "
"don't match: got %d expected %d",
rkda->da_version, KCF_KCFD_VERSION1);
goto verifycleanup;
}
estatus = rkda->da_u.result.status;
verifycleanup:
if (kcfdfd != -1) {
(void) close(kcfdfd);
}
if (rkda != NULL && rkda != kda)
(void) munmap((char *)rkda, darg.rsize);
if (kda != NULL) {
bzero(kda, sizeof (kda));
free(kda);
kda = NULL;
rkda = NULL; /* rkda is an alias of kda */
}
switch (estatus) {
case ELFSIGN_SUCCESS:
case ELFSIGN_RESTRICTED:
break;
case ELFSIGN_NOTSIGNED:
estatus_str = strdup("not a signed provider.");
break;
case ELFSIGN_FAILED:
estatus_str = strdup("signature verification failed.");
break;
default:
estatus_str = strdup("unexpected failure in ELF "
"signature verification. "
"System may have been tampered with.");
}
if (estatus_str != NULL) {
cryptoerror(LOG_ERR, "libpkcs11: %s %s %s",
fullpath, estatus_str ? estatus_str : "",
estatus == ELFSIGN_UNKNOWN ?
"Cannot continue parsing " _PATH_PKCS11_CONF:
conf_err);
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
free(estatus_str);
estatus_str = NULL;
if (estatus == ELFSIGN_UNKNOWN) {
prov_funcs = NULL;
dldesc = NULL;
rv = CKR_GENERAL_ERROR;
goto conferror;
}
goto contparse;
}
/* Allocate memory for the slot list */
prov_slots = calloc(prov_slot_count, sizeof (CK_SLOT_ID));
if (prov_slots == NULL) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not allocate memory for "
"plug-in slots. Cannot continue parsing %s\n",
_PATH_PKCS11_CONF);
rv = CKR_HOST_MEMORY;
goto conferror;
}
/* Get slot list from provider */
prov_rv = prov_funcs->C_GetSlotList(FALSE,
prov_slots, &prov_slot_count);
/* if second call fails, drop this provider */
if (prov_rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpkcs11: Second call to C_GetSlotList() for %s "
"failed. %s Error: %s.",
fullpath, conf_err, pkcs11_strerror(prov_rv));
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
goto contparse;
}
/*
* Parse the list of disabled or enabled mechanisms, will
* apply to each of the provider's slots.
*/
if (phead->puent->count > 0) {
rv = pkcs11_mech_parse(phead->puent->policylist,
&prov_pol_mechs, phead->puent->count);
if (rv == CKR_HOST_MEMORY) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not parse configuration,"
"out of memory. Cannot continue parsing "
"%s.", _PATH_PKCS11_CONF);
goto conferror;
} else if (rv == CKR_MECHANISM_INVALID) {
/*
* Configuration file is corrupted for this
* provider.
*/
cryptoerror(LOG_ERR,
"libpkcs11: Policy invalid or corrupted "
"for %s. Use cryptoadm(1M) to fix "
"this. Skipping this plug-in.",
fullpath);
(void) prov_funcs->C_Finalize(NULL);
(void) dlclose(dldesc);
goto contparse;
}
}
/* Allocate memory in our slottable for these slots */
rv = pkcs11_slottable_increase(prov_slot_count);
/*
* If any error is returned, it will be memory related,
* so we need to abort the attempt at filling the
* slottable.
*/
if (rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpkcs11: slottable could not increase. "
"Cannot continue parsing %s.",
_PATH_PKCS11_CONF);
goto conferror;
}
/* Configure information for each new slot */
for (i = 0; i < prov_slot_count; i++) {
/* allocate slot in framework */
rv = pkcs11_slot_allocate(&slot_id);
if (rv != CKR_OK) {
cryptoerror(LOG_ERR,
"libpkcs11: Could not allocate "
"new slot. Cannot continue parsing %s.",
_PATH_PKCS11_CONF);
goto conferror;
}
slot_count++;
cur_slot = slottable->st_slots[slot_id];
(void) pthread_mutex_lock(&cur_slot->sl_mutex);
cur_slot->sl_id = prov_slots[i];
cur_slot->sl_func_list = prov_funcs;
cur_slot->sl_enabledpol =
phead->puent->flag_enabledlist;
cur_slot->sl_pol_mechs = prov_pol_mechs;
cur_slot->sl_pol_count = phead->puent->count;
cur_slot->sl_norandom = phead->puent->flag_norandom;
cur_slot->sl_dldesc = dldesc;
cur_slot->sl_prov_id = prov_count + 1;
(void) pthread_mutex_unlock(&cur_slot->sl_mutex);
}
/* Set and reset values to process next provider */
prov_count++;
contparse:
prov_slot_count = 0;
Tmp_C_GetFunctionList = NULL;
prov_funcs = NULL;
dldesc = NULL;
if (fullpath != NULL) {
free(fullpath);
fullpath = NULL;
}
if (prov_slots != NULL) {
free(prov_slots);
prov_slots = NULL;
}
phead = phead->next;
}
if (slot_count == 0) {
/*
* there's no other slot in the framework,
* there is nothing to do
*/
goto config_complete;
}
/* determine if metaslot should be enabled */
/*
* Check to see if any environment variable is defined
* by the user for configuring metaslot. Users'
* setting always take precedence over the system wide
* setting. So, we will first check for any user's
* defined env variables before looking at the system-wide
* configuration.
*/
get_user_metaslot_config();
/* no metaslot entry in /etc/crypto/pkcs11.conf */
if (!metaslot_entry) {
/*
* If user env variable indicates metaslot should be enabled,
* but there's no entry in /etc/crypto/pkcs11.conf for
* metaslot at all, will respect the user's defined value
*/
if ((metaslot_config.enabled_specified) &&
(metaslot_config.enabled)) {
metaslot_enabled = B_TRUE;
}
} else {
if (!metaslot_config.enabled_specified) {
/*
* take system wide value if
* it is not specified by user
*/
metaslot_enabled
= metaslot_entry->flag_metaslot_enabled;
} else {
metaslot_enabled = metaslot_config.enabled;
}
}
/*
*
* As long as the user or system configuration file does not
* disable metaslot, it will be enabled regardless of the
* number of slots plugged into the framework. Therefore,
* metaslot is enabled even when there's only one slot
* plugged into the framework. This is necessary for
* presenting a consistent token label view to applications.
*
* However, for the case where there is only 1 slot plugged into
* the framework, we can use "fastpath".
*
* "fastpath" will pass all of the application's requests
* directly to the underlying provider. Only when policy is in
* effect will we need to keep slotID around.
*
* When metaslot is enabled, and fastpath is enabled,
* all the metaslot processing will be skipped.
* When there is only 1 slot, there's
* really not much metaslot can do in terms of combining functionality
* of different slots, and object migration.
*
*/
/* check to see if fastpath can be used */
if (slottable->st_last == slottable->st_first) {
cur_slot = slottable->st_slots[slottable->st_first];
(void) pthread_mutex_lock(&cur_slot->sl_mutex);
if ((cur_slot->sl_pol_count == 0) &&
(!cur_slot->sl_enabledpol) && (!cur_slot->sl_norandom)) {
/* No policy is in effect, don't need slotid */
fast_funcs = cur_slot->sl_func_list;
purefastpath = B_TRUE;
} else {
fast_funcs = cur_slot->sl_func_list;
fast_slot = slottable->st_first;
policyfastpath = B_TRUE;
}
(void) pthread_mutex_unlock(&cur_slot->sl_mutex);
}
if ((purefastpath || policyfastpath) && (!metaslot_enabled)) {
goto config_complete;
}
/*
* If we get here, there are more than 2 slots in the framework,
* we need to set up metaslot if it is enabled
*/
if (metaslot_enabled) {
rv = setup_metaslot(metaslot_entry);
if (rv != CKR_OK) {
goto conferror;
}
}
config_complete:
return (CKR_OK);
conferror:
/*
* This cleanup code is only exercised when a major,
* unrecoverable error like "out of memory" occurs.
*/
if (prov_funcs != NULL) {
(void) prov_funcs->C_Finalize(NULL);
}
if (dldesc != NULL) {
(void) dlclose(dldesc);
}
if (fullpath != NULL) {
free(fullpath);
fullpath = NULL;
}
if (prov_slots != NULL) {
free(prov_slots);
prov_slots = NULL;
}
return (rv);
}
/*
* The top level function for the "cryptoadm unload" subcommand.
*/
static int
do_unload(int argc, char **argv)
{
cryptoadm_provider_t *prov = NULL;
entry_t *pent = NULL;
boolean_t in_kernel = B_FALSE;
int rc = SUCCESS;
char *provname = NULL;
if (argc != 3) {
usage();
return (ERROR_USAGE);
}
/* check if it is a kernel software provider */
prov = get_provider(argc, argv);
if (prov == NULL) {
cryptoerror(LOG_STDERR,
gettext("unable to determine provider name."));
goto out;
}
provname = prov->cp_name;
if (prov->cp_type != PROV_KEF_SOFT) {
cryptoerror(LOG_STDERR,
gettext("%s is not a valid kernel software provider."),
provname);
rc = FAILURE;
goto out;
}
if (getzoneid() != GLOBAL_ZONEID) {
/*
* TRANSLATION_NOTE
* "unload" could be either a literal keyword and hence
* not to be translated, or a verb and translatable.
* A choice was made to view it as a literal keyword.
* "global" is keyword and not to be translated.
*/
cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
"is supported in the %2$s zone only"), "unload", "global");
rc = FAILURE;
goto out;
}
if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
cryptodebug("internal error");
rc = FAILURE;
goto out;
} else if (in_kernel == B_FALSE) {
cryptoerror(LOG_STDERR,
gettext("provider %s is not loaded or does not exist."),
provname);
rc = FAILURE;
goto out;
}
/* Get kcf.conf entry. If none, build a new entry */
if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
rc = FAILURE;
goto out;
}
}
/* If it is unloaded already, return */
if (!pent->load) { /* unloaded already */
cryptoerror(LOG_STDERR,
gettext("failed to unload %s."), provname);
rc = FAILURE;
goto out;
} else if (unload_kef_soft(provname) != FAILURE) {
/* Mark as unloaded in kcf.conf */
pent->load = B_FALSE;
rc = update_kcfconf(pent, MODIFY_MODE);
} else {
cryptoerror(LOG_STDERR,
gettext("failed to unload %s."), provname);
rc = FAILURE;
}
out:
free(prov);
free_entry(pent);
return (rc);
}
/*
* MAIN() -- where all the action is
*/
int
main(int argc, char *argv[], char *envp[])
/* ARGSUSED2 */
{
int i, found = -1;
int rv;
int pk_argc = 0;
char **pk_argv = NULL;
int save_errno = 0;
/* Set up for i18n/l10n. */
(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN) /* Should be defined by cc -D. */
#define TEXT_DOMAIN "SYS_TEST" /* Use this only if it isn't. */
#endif
(void) textdomain(TEXT_DOMAIN);
/* Get program base name and move pointer over 0th arg. */
prog = basename(argv[0]);
argv++, argc--;
/* Set up for debug and error output. */
cryptodebug_init(prog);
if (argc == 0) {
usage();
return (1);
}
/* Check for help options. For CLIP-compliance. */
if (argc == 1 && argv[0][0] == '-') {
switch (argv[0][1]) {
case '?':
return (pk_help(argc, argv));
default:
usage();
return (1);
}
}
/* Always turns off Metaslot so that we can see softtoken. */
cryptodebug("disabling Metaslot");
if (setenv("METASLOT_ENABLED", "false", 1) < 0) {
save_errno = errno;
cryptoerror(LOG_STDERR,
gettext("Disabling Metaslot failed (%s)."),
strerror(save_errno));
return (1);
}
/* Begin parsing command line. */
cryptodebug("begin parsing command line");
pk_argc = argc;
pk_argv = argv;
/* Check for valid verb (or an abbreviation of it). */
found = -1;
for (i = 0; i < num_cmds; i++) {
if (strcmp(cmds[i].verb, pk_argv[0]) == 0) {
if (found < 0) {
cryptodebug("found cmd %s", cmds[i].verb);
found = i;
break;
} else {
cryptodebug("also found cmd %s, skipping",
cmds[i].verb);
}
}
}
/* Stop here if no valid verb found. */
if (found < 0) {
cryptoerror(LOG_STDERR, gettext("Invalid verb: %s"),
pk_argv[0]);
return (1);
}
/* Get to work! */
cryptodebug("begin executing cmd action");
rv = (*cmds[found].action)(pk_argc, pk_argv);
cryptodebug("end executing cmd action");
switch (rv) {
case PK_ERR_NONE:
cryptodebug("subcommand succeeded");
break; /* Command succeeded, do nothing. */
case PK_ERR_USAGE:
cryptodebug("usage error detected");
usage();
break;
case PK_ERR_QUIT:
cryptodebug("quit command received");
exit(0);
/* NOTREACHED */
case PK_ERR_PK11:
cryptoerror(LOG_STDERR, "%s",
gettext("Command failed due to PKCS#11 error."));
break;
case PK_ERR_SYSTEM:
cryptoerror(LOG_STDERR, "%s",
gettext("Command failed due to system error."));
break;
case PK_ERR_OPENSSL:
cryptoerror(LOG_STDERR, "%s",
gettext("Command failed due to OpenSSL error."));
break;
default:
cryptoerror(LOG_STDERR, "%s (%d).",
gettext("Unknown error value"), rv);
break;
}
return (rv);
}
/*
* Disable a kernel software provider.
* This implements the "cryptoadm disable" command for
* kernel software providers.
*/
int
disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
mechlist_t *dislist)
{
crypto_load_soft_disabled_t *pload_soft_dis = NULL;
mechlist_t *infolist = NULL;
entry_t *pent = NULL;
entrylist_t *phardlist = NULL;
entrylist_t *psoftlist = NULL;
boolean_t in_kernel = B_FALSE;
int fd = -1;
int rc = SUCCESS;
if (provname == NULL) {
return (FAILURE);
}
/*
* Check if the kernel software provider is currently unloaded.
* If it is unloaded, return FAILURE, because the disable subcommand
* can not perform on inactive (unloaded) providers.
*/
if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
return (FAILURE);
} else if (in_kernel == B_FALSE) {
cryptoerror(LOG_STDERR,
gettext("%s is not loaded or does not exist."),
provname);
return (FAILURE);
}
if (get_kcfconf_info(&phardlist, &psoftlist) == FAILURE) {
cryptoerror(LOG_ERR,
"failed to retrieve the providers' "
"information from the configuration file - %s.",
_PATH_KCF_CONF);
return (FAILURE);
}
/*
* Get the entry of this provider from the kcf.conf file, if any.
* Otherwise, create a new kcf.conf entry for writing back to the file.
*/
pent = getent_kef(provname, phardlist, psoftlist);
if (pent == NULL) { /* create a new entry */
pent = create_entry(provname);
if (pent == NULL) {
cryptodebug("out of memory.");
rc = FAILURE;
goto out;
}
}
/* Get the mechanism list for the software provider from the kernel */
if (get_soft_info(provname, &infolist, phardlist, psoftlist) ==
FAILURE) {
rc = FAILURE;
goto out;
}
if ((infolist != NULL) && (infolist->name[0] != '\0')) {
/*
* Replace the supportedlist from kcf.conf with possibly
* more-up-to-date list from the kernel. This is the case
* for default software providers that had more mechanisms
* added in the current version of the kernel.
*/
free_mechlist(pent->suplist);
pent->suplist = infolist;
}
/*
* kCF treats random as an internal mechanism. So, we need to
* filter it from the mechanism list here, if we are NOT disabling
* or enabling the random feature. Note that we map random feature at
* cryptoadm(1M) level to the "random" mechanism in kCF.
*/
if (!rndflag) {
(void) filter_mechlist(&infolist, RANDOM);
}
/* Calculate the new disabled list */
if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) {
rc = FAILURE;
goto out;
}
/* Update the kcf.conf file with the updated entry */
if (update_kcfconf(pent, MODIFY_MODE) == FAILURE) {
rc = FAILURE;
goto out;
}
/* Setup argument to inform kernel about the new disabled list. */
if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
rc = FAILURE;
goto out;
}
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
cryptoerror(LOG_STDERR,
gettext("failed to open %s for RW: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
rc = FAILURE;
goto out;
}
/* Inform kernel about the new disabled list. */
if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s",
strerror(errno));
rc = FAILURE;
goto out;
}
if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = "
"%d", pload_soft_dis->sd_return_value);
rc = FAILURE;
goto out;
}
out:
free_entrylist(phardlist);
free_entrylist(psoftlist);
free_mechlist(infolist);
free_entry(pent);
free(pload_soft_dis);
if (fd != -1)
(void) close(fd);
return (rc);
}
/*
* Uninstall the software module. This routine first unloads the software
* module with 3 ioctl calls, then deletes its entry from the config file.
* Removing an entry from the config file needs to be done last to ensure
* that there is still an entry if the earlier unload failed for any reason.
*/
int
uninstall_kef(char *provname)
{
entry_t *pent = NULL;
int rc = SUCCESS;
boolean_t in_kernel = B_FALSE;
boolean_t in_kcfconf = B_FALSE;
int fd = -1;
crypto_load_soft_config_t *pload_soft_conf = NULL;
/* Check to see if the provider exists first. */
if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
return (FAILURE);
} else if (in_kernel == B_FALSE) {
cryptoerror(LOG_STDERR, gettext("%s does not exist."),
provname);
return (FAILURE);
}
/*
* If it is loaded, unload it first. This does 2 ioctl calls:
* CRYPTO_UNLOAD_SOFT_MODULE and CRYPTO_LOAD_SOFT_DISABLED.
*/
if (unload_kef_soft(provname) == FAILURE) {
cryptoerror(LOG_STDERR,
gettext("failed to unload %s during uninstall.\n"),
provname);
return (FAILURE);
}
/*
* Inform kernel to remove the configuration of this software module.
*/
/* Setup ioctl() parameter */
pent = getent_kef(provname, NULL, NULL);
if (pent != NULL) { /* in kcf.conf */
in_kcfconf = B_TRUE;
free_mechlist(pent->suplist);
pent->suplist = NULL;
pent->sup_count = 0;
} else if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
return (FAILURE);
}
if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
/* Open the /dev/cryptoadm device */
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
int err = errno;
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(err));
free_entry(pent);
free(pload_soft_conf);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG,
pload_soft_conf) == -1) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
strerror(errno));
free_entry(pent);
free(pload_soft_conf);
(void) close(fd);
return (FAILURE);
}
if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl = return_value = %d",
pload_soft_conf->sc_return_value);
free_entry(pent);
free(pload_soft_conf);
(void) close(fd);
return (FAILURE);
}
/* ioctl cleanup */
free(pload_soft_conf);
(void) close(fd);
/* Finally, remove entry from kcf.conf, if present */
if (in_kcfconf && (pent != NULL)) {
rc = update_kcfconf(pent, DELETE_MODE);
}
free_entry(pent);
return (rc);
}
/*
* Get the kernel software provider list from kernel.
*/
int
get_soft_list(crypto_get_soft_list_t **ppsoftlist)
{
crypto_get_soft_list_t *psoftlist = NULL;
int count = DEFAULT_SOFT_NUM;
int len;
int fd;
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
return (FAILURE);
}
len = MAXNAMELEN * count;
psoftlist = malloc(sizeof (crypto_get_soft_list_t) + len);
if (psoftlist == NULL) {
cryptodebug("out of memory.");
(void) close(fd);
return (FAILURE);
}
psoftlist->sl_soft_names = (caddr_t)(psoftlist + 1);
psoftlist->sl_soft_count = count;
psoftlist->sl_soft_len = len;
if (ioctl(fd, CRYPTO_GET_SOFT_LIST, psoftlist) == -1) {
cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed: %s",
strerror(errno));
free(psoftlist);
(void) close(fd);
return (FAILURE);
}
/*
* if BUFFER is too small, get the number of software providers and
* the minimum length needed for names and length and retry it.
*/
if (psoftlist->sl_return_value == CRYPTO_BUFFER_TOO_SMALL) {
count = psoftlist->sl_soft_count;
len = psoftlist->sl_soft_len;
free(psoftlist);
psoftlist = malloc(sizeof (crypto_get_soft_list_t) + len);
if (psoftlist == NULL) {
cryptodebug("out of memory.");
(void) close(fd);
return (FAILURE);
}
psoftlist->sl_soft_names = (caddr_t)(psoftlist + 1);
psoftlist->sl_soft_count = count;
psoftlist->sl_soft_len = len;
if (ioctl(fd, CRYPTO_GET_SOFT_LIST, psoftlist) == -1) {
cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed:"
"%s", strerror(errno));
free(psoftlist);
(void) close(fd);
return (FAILURE);
}
}
if (psoftlist->sl_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed, "
"return_value = %d", psoftlist->sl_return_value);
free(psoftlist);
(void) close(fd);
return (FAILURE);
}
*ppsoftlist = psoftlist;
(void) close(fd);
return (SUCCESS);
}
/*
* Unload the kernel software provider. Before calling this function, the
* caller should check to see if the provider is in the kernel.
*
* This routine makes 2 ioctl calls to remove it completely from the kernel:
* CRYPTO_UNLOAD_SOFT_MODULE - does a modunload of the KCF module
* CRYPTO_LOAD_SOFT_DISABLED - updates kernel disabled mechanism list
*
* This implements part of "cryptoadm unload" and "cryptoadm uninstall".
*/
int
unload_kef_soft(char *provname)
{
crypto_unload_soft_module_t *punload_soft = NULL;
crypto_load_soft_disabled_t *pload_soft_dis = NULL;
entry_t *pent = NULL;
int fd = -1;
int err;
if (provname == NULL) {
cryptoerror(LOG_STDERR, gettext("internal error."));
return (FAILURE);
}
pent = getent_kef(provname, NULL, NULL);
if (pent == NULL) { /* not in kcf.conf */
/* Construct an entry using the provname */
pent = create_entry(provname);
if (pent == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
return (FAILURE);
}
}
/* Open the admin_ioctl_device */
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
err = errno;
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(err));
free_entry(pent);
return (FAILURE);
}
/* Inform kernel to unload this software module */
if ((punload_soft = setup_unload_soft(pent)) == NULL) {
free_entry(pent);
(void) close(fd);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_UNLOAD_SOFT_MODULE, punload_soft) == -1) {
cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl failed: %s",
strerror(errno));
free_entry(pent);
free(punload_soft);
(void) close(fd);
return (FAILURE);
}
if (punload_soft->sm_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl return_value = "
"%d", punload_soft->sm_return_value);
/*
* If the return value is CRYPTO_UNKNOWN_PROVIDER, it means
* that the provider is not registered yet. Should just
* continue.
*/
if (punload_soft->sm_return_value != CRYPTO_UNKNOWN_PROVIDER) {
free_entry(pent);
free(punload_soft);
(void) close(fd);
return (FAILURE);
}
}
free(punload_soft);
/* Inform kernel to remove the disabled entries if any */
if (pent->dis_count == 0) {
free_entry(pent);
(void) close(fd);
return (SUCCESS);
} else {
free_mechlist(pent->dislist);
pent->dislist = NULL;
pent->dis_count = 0;
}
if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
free_entry(pent);
(void) close(fd);
return (FAILURE);
}
/* pent is no longer needed; free it */
free_entry(pent);
if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s",
strerror(errno));
free(pload_soft_dis);
(void) close(fd);
return (FAILURE);
}
if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = "
"%d", pload_soft_dis->sd_return_value);
free(pload_soft_dis);
(void) close(fd);
return (FAILURE);
}
free(pload_soft_dis);
(void) close(fd);
return (SUCCESS);
}
int
list_metaslot_info(boolean_t show_mechs, boolean_t verbose,
mechlist_t *mechlist)
{
int rc = SUCCESS;
CK_RV rv;
CK_SLOT_INFO slot_info;
CK_TOKEN_INFO token_info;
CK_MECHANISM_TYPE_PTR pmech_list = NULL;
CK_ULONG mech_count;
int i;
CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
CK_FUNCTION_LIST_PTR funcs;
void *dldesc = NULL;
boolean_t lib_initialized = B_FALSE;
uentry_t *puent;
char buf[128];
/*
* Display the system-wide metaslot settings as specified
* in pkcs11.conf file.
*/
if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
cryptoerror(LOG_STDERR,
gettext("metaslot entry doesn't exist."));
return (FAILURE);
}
(void) printf(gettext("System-wide Meta Slot Configuration:\n"));
/*
* TRANSLATION_NOTE
* Strictly for appearance's sake, this line should be as long as
* the length of the translated text above.
*/
(void) printf(gettext("------------------------------------\n"));
(void) printf(gettext("Status: %s\n"), puent->flag_metaslot_enabled ?
gettext("enabled") : gettext("disabled"));
(void) printf(gettext("Sensitive Token Object Automatic Migrate: %s\n"),
puent->flag_metaslot_auto_key_migrate ? gettext("enabled") :
gettext("disabled"));
bzero(buf, sizeof (buf));
if (memcmp(puent->metaslot_ks_slot, buf, SLOT_DESCRIPTION_SIZE) != 0) {
(void) printf(gettext("Persistent object store slot: %s\n"),
puent->metaslot_ks_slot);
}
if (memcmp(puent->metaslot_ks_token, buf, TOKEN_LABEL_SIZE) != 0) {
(void) printf(gettext("Persistent object store token: %s\n"),
puent->metaslot_ks_token);
}
if ((!verbose) && (!show_mechs)) {
return (SUCCESS);
}
if (verbose) {
(void) printf(gettext("\nDetailed Meta Slot Information:\n"));
/*
* TRANSLATION_NOTE
* Strictly for appearance's sake, this line should be as
* long as the length of the translated text above.
*/
(void) printf(gettext("-------------------------------\n"));
}
/*
* Need to actually make calls to libpkcs11.so to get
* information about metaslot.
*/
dldesc = dlopen(UEF_FRAME_LIB, RTLD_NOW);
if (dldesc == NULL) {
char *dl_error;
dl_error = dlerror();
cryptodebug("Cannot load PKCS#11 framework library. "
"dlerror:%s", dl_error);
return (FAILURE);
}
/* Get the pointer to library's C_GetFunctionList() */
Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
if (Tmp_C_GetFunctionList == NULL) {
cryptodebug("Cannot get the address of the C_GetFunctionList "
"from framework");
rc = FAILURE;
goto finish;
}
/* Get the provider's function list */
rv = Tmp_C_GetFunctionList(&funcs);
if (rv != CKR_OK) {
cryptodebug("failed to call C_GetFunctionList in "
"framework library");
rc = FAILURE;
goto finish;
}
/* Initialize this provider */
rv = funcs->C_Initialize(NULL_PTR);
if (rv != CKR_OK) {
cryptodebug("C_Initialize failed with error code 0x%x\n", rv);
rc = FAILURE;
goto finish;
} else {
lib_initialized = B_TRUE;
}
/*
* We know for sure that metaslot is slot 0 in the framework,
* so, we will do a C_GetSlotInfo() trying to see if it works.
* If it fails with CKR_SLOT_ID_INVALID, we know that metaslot
* is not really enabled.
*/
rv = funcs->C_GetSlotInfo(METASLOT_ID, &slot_info);
if (rv == CKR_SLOT_ID_INVALID) {
(void) printf(gettext("actual status: disabled.\n"));
/*
* Even if the -m and -v flag is supplied, there's nothing
* interesting to display about metaslot since it is disabled,
* so, just stop right here.
*/
goto finish;
}
if (rv != CKR_OK) {
cryptodebug("C_GetSlotInfo failed with error "
"code 0x%x\n", rv);
rc = FAILURE;
goto finish;
}
if (!verbose) {
goto display_mechs;
}
(void) printf(gettext("actual status: enabled.\n"));
(void) printf(gettext("Description: %.64s\n"),
slot_info.slotDescription);
(void) printf(gettext("Token Present: %s\n"),
(slot_info.flags & CKF_TOKEN_PRESENT ?
gettext("True") : gettext("False")));
rv = funcs->C_GetTokenInfo(METASLOT_ID, &token_info);
if (rv != CKR_OK) {
cryptodebug("C_GetTokenInfo failed with error "
"code 0x%x\n", rv);
rc = FAILURE;
goto finish;
}
(void) printf(gettext("Token Label: %.32s\n"
"Manufacturer ID: %.32s\n"
"Model: %.16s\n"
"Serial Number: %.16s\n"
"Hardware Version: %d.%d\n"
"Firmware Version: %d.%d\n"
"UTC Time: %.16s\n"
"PIN Min Length: %d\n"
"PIN Max Length: %d\n"),
token_info.label,
token_info.manufacturerID,
token_info.model,
token_info.serialNumber,
token_info.hardwareVersion.major,
token_info.hardwareVersion.minor,
token_info.firmwareVersion.major,
token_info.firmwareVersion.minor,
token_info.utcTime,
token_info.ulMinPinLen,
token_info.ulMaxPinLen);
display_token_flags(token_info.flags);
if (!show_mechs) {
goto finish;
}
display_mechs:
if (mechlist == NULL) {
rv = funcs->C_GetMechanismList(METASLOT_ID, NULL_PTR,
&mech_count);
if (rv != CKR_OK) {
cryptodebug("C_GetMechanismList failed with error "
"code 0x%x\n", rv);
rc = FAILURE;
goto finish;
}
if (mech_count > 0) {
pmech_list = malloc(mech_count *
sizeof (CK_MECHANISM_TYPE));
if (pmech_list == NULL) {
cryptodebug("out of memory");
rc = FAILURE;
goto finish;
}
rv = funcs->C_GetMechanismList(METASLOT_ID, pmech_list,
&mech_count);
if (rv != CKR_OK) {
cryptodebug("C_GetMechanismList failed with "
"error code 0x%x\n", rv);
rc = FAILURE;
goto finish;
}
}
} else {
rc = convert_mechlist(&pmech_list, &mech_count, mechlist);
if (rc != SUCCESS) {
goto finish;
}
}
(void) printf(gettext("Mechanisms:\n"));
if (mech_count == 0) {
/* should never be this case */
(void) printf(gettext("No mechanisms\n"));
goto finish;
}
if (verbose) {
display_verbose_mech_header();
}
for (i = 0; i < mech_count; i++) {
CK_MECHANISM_TYPE mech = pmech_list[i];
if (mech >= CKM_VENDOR_DEFINED) {
(void) printf("%#lx", mech);
} else {
(void) printf("%-29s", pkcs11_mech2str(mech));
}
if (verbose) {
CK_MECHANISM_INFO mech_info;
rv = funcs->C_GetMechanismInfo(METASLOT_ID,
mech, &mech_info);
if (rv != CKR_OK) {
cryptodebug("C_GetMechanismInfo failed with "
"error code 0x%x\n", rv);
rc = FAILURE;
goto finish;
}
display_mech_info(&mech_info);
}
(void) printf("\n");
}
finish:
if ((rc == FAILURE) && (show_mechs)) {
(void) printf(gettext(
"metaslot: failed to retrieve the mechanism list.\n"));
}
if (lib_initialized) {
(void) funcs->C_Finalize(NULL_PTR);
}
if (dldesc != NULL) {
(void) dlclose(dldesc);
}
if (pmech_list != NULL) {
(void) free(pmech_list);
}
return (rc);
}
/*
* Enable a kernel software or hardware provider.
* This implements the "cryptoadm enable" command for kernel providers.
*/
int
enable_kef(char *provname, boolean_t rndflag, boolean_t allflag,
mechlist_t *mlist)
{
crypto_load_soft_disabled_t *pload_soft_dis = NULL;
crypto_load_dev_disabled_t *pload_dev_dis = NULL;
entry_t *pent = NULL;
boolean_t redo_flag = B_FALSE;
boolean_t in_kernel = B_FALSE;
int fd = -1;
int rc = SUCCESS;
/* Get the entry of this provider from the kcf.conf file, if any. */
pent = getent_kef(provname, NULL, NULL);
if (is_device(provname)) {
if (pent == NULL) {
/*
* This device doesn't have an entry in the config
* file, therefore nothing is disabled.
*/
cryptoerror(LOG_STDERR, gettext(
"all mechanisms are enabled already for %s."),
provname);
free_entry(pent);
return (SUCCESS);
}
} else { /* a software module */
if (check_kernel_for_soft(provname, NULL, &in_kernel) ==
FAILURE) {
free_entry(pent);
return (FAILURE);
} else if (in_kernel == B_FALSE) {
cryptoerror(LOG_STDERR, gettext("%s does not exist."),
provname);
free_entry(pent);
return (FAILURE);
} else if ((pent == NULL) || (pent->dis_count == 0)) {
/* nothing to be enabled. */
cryptoerror(LOG_STDERR, gettext(
"all mechanisms are enabled already for %s."),
provname);
free_entry(pent);
return (SUCCESS);
}
}
/*
* kCF treats random as an internal mechanism. So, we need to
* filter it from the mechanism list here, if we are NOT disabling
* or enabling the random feature. Note that we map random feature at
* cryptoadm(1M) level to the "random" mechanism in kCF.
*/
if (!rndflag) {
redo_flag = filter_mechlist(&pent->dislist, RANDOM);
if (redo_flag)
pent->dis_count--;
}
/* Update the entry by enabling mechanisms for this provider */
if ((rc = enable_mechs(&pent, allflag, mlist)) != SUCCESS) {
free_entry(pent);
return (rc);
}
if (redo_flag) {
mechlist_t *tmp;
if ((tmp = create_mech(RANDOM)) == NULL) {
free_entry(pent);
return (FAILURE);
}
tmp->next = pent->dislist;
pent->dislist = tmp;
pent->dis_count++;
}
/*
* Update the kcf.conf file with the updated entry.
* For a hardware provider, if there is no more disabled mechanism,
* remove the entire kcf.conf entry.
*/
if (is_device(pent->name) && (pent->dis_count == 0)) {
rc = update_kcfconf(pent, DELETE_MODE);
} else {
rc = update_kcfconf(pent, MODIFY_MODE);
}
if (rc == FAILURE) {
free_entry(pent);
return (FAILURE);
}
/* Inform Kernel about the policy change */
if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
ADMIN_IOCTL_DEVICE, strerror(errno));
free_entry(pent);
return (FAILURE);
}
if (is_device(provname)) {
/* LOAD_DEV_DISABLED */
if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: "
"%s", strerror(errno));
free_entry(pent);
free(pload_dev_dis);
(void) close(fd);
return (FAILURE);
}
if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
"return_value = %d",
pload_dev_dis->dd_return_value);
free_entry(pent);
free(pload_dev_dis);
(void) close(fd);
return (FAILURE);
}
} else { /* a software module */
/* LOAD_SOFT_DISABLED */
if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
free_entry(pent);
return (FAILURE);
}
if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis)
== -1) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: "
"%s", strerror(errno));
free_entry(pent);
free(pload_soft_dis);
(void) close(fd);
return (FAILURE);
}
if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
"return_value = %d",
pload_soft_dis->sd_return_value);
free_entry(pent);
free(pload_soft_dis);
(void) close(fd);
return (FAILURE);
}
}
free_entry(pent);
free(pload_soft_dis);
(void) close(fd);
return (SUCCESS);
}
