search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / cmd / cmd-crypto / cryptoadm / adm_uef.c
blobc37b32b0306ef32604a94fc68401f105159f9a7c
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24 /*
25 * Copyright 2010 Nexenta Systems, Inc. All rights resrved.
26 */
27
28 #include <cryptoutil.h>
29 #include <fcntl.h>
30 #include <libintl.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <strings.h>
34 #include <unistd.h>
35 #include <errno.h>
36 #include <dlfcn.h>
37 #include <link.h>
38 #include <sys/types.h>
39 #include <sys/stat.h>
40 #include <security/cryptoki.h>
41 #include "cryptoadm.h"
42
43 #define HDR1 " P\n"
44 #define HDR2 " S V K a U D\n"
45 #define HDR3 " i e e i n e\n"
46 #define HDR4 " S g V r y r W w r\n"
47 #define HDR5 " E D D i n e i G G r r i\n"
48 #define HDR6 " H n e i g + r + e e a a v E\n"
49 #define HDR7 "min max W c c g n R i R n n p p e C\n"
50
51
52 static int err; /* To store errno which may be overwritten by gettext() */
53 static boolean_t is_in_policylist(midstr_t, umechlist_t *);
54 static char *uent2str(uentry_t *);
55 static boolean_t check_random(CK_SLOT_ID, CK_FUNCTION_LIST_PTR);
56
57 static void display_slot_flags(CK_FLAGS flags)
58 {
59 (void) printf(gettext("Slot Flags: "));
60 if (flags & CKF_TOKEN_PRESENT)
61 (void) printf("CKF_TOKEN_PRESENT ");
62 if (flags & CKF_REMOVABLE_DEVICE)
63 (void) printf("CKF_REMOVABLE_DEVICE ");
64 if (flags & CKF_HW_SLOT)
65 (void) printf("CKF_HW_SLOT ");
66 (void) printf("\n");
67 }
68
69 void
70 display_token_flags(CK_FLAGS flags)
71 {
72 (void) printf(gettext("Flags: "));
73 if (flags & CKF_RNG)
74 (void) printf("CKF_RNG ");
75 if (flags & CKF_WRITE_PROTECTED)
76 (void) printf("CKF_WRITE_PROTECTED ");
77 if (flags & CKF_LOGIN_REQUIRED)
78 (void) printf("CKF_LOGIN_REQUIRED ");
79 if (flags & CKF_USER_PIN_INITIALIZED)
80 (void) printf("CKF_USER_PIN_INITIALIZED ");
81 if (flags & CKF_RESTORE_KEY_NOT_NEEDED)
82 (void) printf("CKF_RESTORE_KEY_NOT_NEEDED ");
83 if (flags & CKF_CLOCK_ON_TOKEN)
84 (void) printf("CKF_CLOCK_ON_TOKEN ");
85 if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
86 (void) printf("CKF_PROTECTED_AUTHENTICATION_PATH ");
87 if (flags & CKF_DUAL_CRYPTO_OPERATIONS)
88 (void) printf("CKF_DUAL_CRYPTO_OPERATIONS ");
89 if (flags & CKF_TOKEN_INITIALIZED)
90 (void) printf("CKF_TOKEN_INITIALIZED ");
91 if (flags & CKF_SECONDARY_AUTHENTICATION)
92 (void) printf("CKF_SECONDARY_AUTHENTICATION ");
93 if (flags & CKF_USER_PIN_COUNT_LOW)
94 (void) printf("CKF_USER_PIN_COUNT_LOW ");
95 if (flags & CKF_USER_PIN_FINAL_TRY)
96 (void) printf("CKF_USER_PIN_FINAL_TRY ");
97 if (flags & CKF_USER_PIN_LOCKED)
98 (void) printf("CKF_USER_PIN_LOCKED ");
99 if (flags & CKF_USER_PIN_TO_BE_CHANGED)
100 (void) printf("CKF_USER_PIN_TO_BE_CHANGED ");
101 if (flags & CKF_SO_PIN_COUNT_LOW)
102 (void) printf("CKF_SO_PIN_COUNT_LOW ");
103 if (flags & CKF_SO_PIN_FINAL_TRY)
104 (void) printf("CKF_SO_PIN_FINAL_TRY ");
105 if (flags & CKF_SO_PIN_LOCKED)
106 (void) printf("CKF_SO_PIN_LOCKED ");
107 if (flags & CKF_SO_PIN_TO_BE_CHANGED)
108 (void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
109 if (flags & CKF_SO_PIN_TO_BE_CHANGED)
110 (void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
111 (void) printf("\n");
112 }
113
114 void
115 display_mech_info(CK_MECHANISM_INFO *mechInfo)
116 {
117 CK_FLAGS ec_flags = CKF_EC_F_P | CKF_EC_F_2M | CKF_EC_ECPARAMETERS |
118 CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS;
119
120 (void) printf("%-4ld %-4ld ", mechInfo->ulMinKeySize,
121 mechInfo->ulMaxKeySize);
122 (void) printf("%s %s %s %s %s %s %s %s %s %s %s %s "
123 "%s %s",
124 (mechInfo->flags & CKF_HW) ? "X" : ".",
125 (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".",
126 (mechInfo->flags & CKF_DECRYPT) ? "X" : ".",
127 (mechInfo->flags & CKF_DIGEST) ? "X" : ".",
128 (mechInfo->flags & CKF_SIGN) ? "X" : ".",
129 (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".",
130 (mechInfo->flags & CKF_VERIFY) ? "X" : ".",
131 (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".",
132 (mechInfo->flags & CKF_GENERATE) ? "X" : ".",
133 (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".",
134 (mechInfo->flags & CKF_WRAP) ? "X" : ".",
135 (mechInfo->flags & CKF_UNWRAP) ? "X" : ".",
136 (mechInfo->flags & CKF_DERIVE) ? "X" : ".",
137 (mechInfo->flags & ec_flags) ? "X" : ".");
138 }
139
140 /*
141 * Converts the provided list of mechanism names in their string format to
142 * their corresponding PKCS#11 mechanism IDs.
143 *
144 * The list of mechanism names to be converted is provided in the
145 * "mlist" argument. The list of converted mechanism IDs is returned
146 * in the "pmech_list" argument.
147 *
148 * This function is called by list_metaslot_info() and
149 * list_mechlist_for_lib() functions.
150 */
151 int
152 convert_mechlist(CK_MECHANISM_TYPE **pmech_list, CK_ULONG *mech_count,
153 mechlist_t *mlist)
154 {
155 int i, n = 0;
156 mechlist_t *p = mlist;
157
158 while (p != NULL) {
159 p = p->next;
160 n++;
161 }
162
163 *pmech_list = malloc(n * sizeof (CK_MECHANISM_TYPE));
164 if (pmech_list == NULL) {
165 cryptodebug("out of memory");
166 return (FAILURE);
167 }
168 p = mlist;
169 for (i = 0; i < n; i++) {
170 if (pkcs11_str2mech(p->name, &(*pmech_list[i])) != CKR_OK) {
171 free(*pmech_list);
172 return (FAILURE);
173 }
174 p = p->next;
175 }
176 *mech_count = n;
177 return (SUCCESS);
178 }
179
180 /*
181 * Display the mechanism list for a user-level library
182 */
183 int
184 list_mechlist_for_lib(char *libname, mechlist_t *mlist,
185 flag_val_t *rng_flag, boolean_t no_warn,
186 boolean_t verbose, boolean_t show_mechs)
187 {
188 CK_RV rv = CKR_OK;
189 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
190 CK_FUNCTION_LIST_PTR prov_funcs; /* Provider's function list */
191 CK_SLOT_ID_PTR prov_slots = NULL; /* Provider's slot list */
192 CK_MECHANISM_TYPE_PTR pmech_list = NULL; /* mech list for a slot */
193 CK_SLOT_INFO slotinfo;
194 CK_ULONG slot_count;
195 CK_ULONG mech_count;
196 uentry_t *puent = NULL;
197 boolean_t lib_initialized = B_FALSE;
198 void *dldesc = NULL;
199 char *dl_error;
200 const char *mech_name;
201 char *isa;
202 char libpath[MAXPATHLEN];
203 char buf[MAXPATHLEN];
204 int i, j;
205 int rc = SUCCESS;
206
207 if (libname == NULL) {
208 /* should not happen */
209 cryptoerror(LOG_STDERR, gettext("internal error."));
210 cryptodebug("list_mechlist_for_lib() - libname is NULL.");
211 return (FAILURE);
212 }
213
214 /* Check if the library is in the pkcs11.conf file */
215 if ((puent = getent_uef(libname)) == NULL) {
216 cryptoerror(LOG_STDERR,
217 gettext("%s does not exist."), libname);
218 return (FAILURE);
219 }
220 free_uentry(puent);
221
222 /* Remove $ISA from the library name */
223 if (strlcpy(buf, libname, sizeof (buf)) >= sizeof (buf)) {
224 (void) printf(gettext("%s: the provider name is too long."),
225 libname);
226 return (FAILURE);
227 }
228
229 if ((isa = strstr(buf, PKCS11_ISA)) != NULL) {
230 *isa = '\000';
231 isa += strlen(PKCS11_ISA);
232 (void) snprintf(libpath, MAXPATHLEN, "%s%s%s", buf, "/", isa);
233 } else {
234 (void) strlcpy(libpath, libname, sizeof (libpath));
235 }
236
237 /*
238 * Open the provider. Use RTLD_NOW here, as a way to
239 * catch any providers with incomplete symbols that
240 * might otherwise cause problems during libpkcs11's
241 * execution.
242 */
243 dldesc = dlopen(libpath, RTLD_NOW);
244 if (dldesc == NULL) {
245 dl_error = dlerror();
246 cryptodebug("Cannot load PKCS#11 library %s. dlerror: %s",
247 libname, dl_error != NULL ? dl_error : "Unknown");
248 rc = FAILURE;
249 goto clean_exit;
250 }
251
252 /* Get the pointer to provider's C_GetFunctionList() */
253 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
254 if (Tmp_C_GetFunctionList == NULL) {
255 cryptodebug("Cannot get the address of the C_GetFunctionList "
256 "from %s", libname);
257 rc = FAILURE;
258 goto clean_exit;
259 }
260
261 /* Get the provider's function list */
262 rv = Tmp_C_GetFunctionList(&prov_funcs);
263 if (rv != CKR_OK) {
264 cryptodebug("failed to call C_GetFunctionList from %s",
265 libname);
266 rc = FAILURE;
267 goto clean_exit;
268 }
269
270 /* Initialize this provider */
271 rv = prov_funcs->C_Initialize(NULL_PTR);
272 if (rv != CKR_OK) {
273 cryptodebug("failed to call C_Initialize from %s, "
274 "return code = %d", libname, rv);
275 rc = FAILURE;
276 goto clean_exit;
277 } else {
278 lib_initialized = B_TRUE;
279 }
280
281 /*
282 * Find out how many slots this provider has, call with tokenPresent
283 * set to FALSE so all potential slots are returned.
284 */
285 rv = prov_funcs->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
286 if (rv != CKR_OK) {
287 cryptodebug("failed to get the slotlist from %s.", libname);
288 rc = FAILURE;
289 goto clean_exit;
290 } else if (slot_count == 0) {
291 if (!no_warn)
292 (void) printf(gettext("%s: no slots presented.\n"),
293 libname);
294 rc = SUCCESS;
295 goto clean_exit;
296 }
297
298 /* Allocate memory for the slot list */
299 prov_slots = malloc(slot_count * sizeof (CK_SLOT_ID));
300 if (prov_slots == NULL) {
301 cryptodebug("out of memory.");
302 rc = FAILURE;
303 goto clean_exit;
304 }
305
306 /* Get the slot list from provider */
307 rv = prov_funcs->C_GetSlotList(FALSE, prov_slots, &slot_count);
308 if (rv != CKR_OK) {
309 cryptodebug("failed to call C_GetSlotList() from %s.",
310 libname);
311 rc = FAILURE;
312 goto clean_exit;
313 }
314
315 if (verbose) {
316 (void) printf(gettext("Number of slots: %d\n"), slot_count);
317 }
318
319 /* Get the mechanism list for each slot */
320 for (i = 0; i < slot_count; i++) {
321 if (verbose)
322 /*
323 * TRANSLATION_NOTE
324 * In some languages, the # symbol should be
325 * converted to "no", an "n" followed by a
326 * superscript "o"..
327 */
328 (void) printf(gettext("\nSlot #%d\n"), i+1);
329
330 if ((rng_flag != NULL) && (*rng_flag == NO_RNG)) {
331 if (check_random(prov_slots[i], prov_funcs)) {
332 *rng_flag = HAS_RNG;
333 rc = SUCCESS;
334 goto clean_exit;
335 } else
336 continue;
337 }
338
339 rv = prov_funcs->C_GetSlotInfo(prov_slots[i], &slotinfo);
340 if (rv != CKR_OK) {
341 cryptodebug("failed to get slotinfo from %s", libname);
342 rc = FAILURE;
343 break;
344 }
345 if (verbose) {
346 CK_TOKEN_INFO tokeninfo;
347
348 (void) printf(gettext("Description: %.64s\n"
349 "Manufacturer: %.32s\n"
350 "PKCS#11 Version: %d.%d\n"),
351 slotinfo.slotDescription,
352 slotinfo.manufacturerID,
353 prov_funcs->version.major,
354 prov_funcs->version.minor);
355
356 (void) printf(gettext("Hardware Version: %d.%d\n"
357 "Firmware Version: %d.%d\n"),
358 slotinfo.hardwareVersion.major,
359 slotinfo.hardwareVersion.minor,
360 slotinfo.firmwareVersion.major,
361 slotinfo.firmwareVersion.minor);
362
363 (void) printf(gettext("Token Present: %s\n"),
364 (slotinfo.flags & CKF_TOKEN_PRESENT ?
365 gettext("True") : gettext("False")));
366
367 display_slot_flags(slotinfo.flags);
368
369 rv = prov_funcs->C_GetTokenInfo(prov_slots[i],
370 &tokeninfo);
371 if (rv != CKR_OK) {
372 cryptodebug("Failed to get "
373 "token info from %s", libname);
374 rc = FAILURE;
375 break;
376 }
377
378 (void) printf(gettext("Token Label: %.32s\n"
379 "Manufacturer ID: %.32s\n"
380 "Model: %.16s\n"
381 "Serial Number: %.16s\n"
382 "Hardware Version: %d.%d\n"
383 "Firmware Version: %d.%d\n"
384 "UTC Time: %.16s\n"
385 "PIN Min Length: %d\n"
386 "PIN Max Length: %d\n"),
387 tokeninfo.label,
388 tokeninfo.manufacturerID,
389 tokeninfo.model,
390 tokeninfo.serialNumber,
391 tokeninfo.hardwareVersion.major,
392 tokeninfo.hardwareVersion.minor,
393 tokeninfo.firmwareVersion.major,
394 tokeninfo.firmwareVersion.minor,
395 tokeninfo.utcTime,
396 tokeninfo.ulMinPinLen,
397 tokeninfo.ulMaxPinLen);
398
399 display_token_flags(tokeninfo.flags);
400 }
401
402 if (mlist == NULL) {
403 rv = prov_funcs->C_GetMechanismList(prov_slots[i],
404 NULL_PTR, &mech_count);
405 if (rv != CKR_OK) {
406 cryptodebug(
407 "failed to call C_GetMechanismList() "
408 "from %s.", libname);
409 rc = FAILURE;
410 break;
411 }
412
413 if (mech_count == 0) {
414 /* no mechanisms in this slot */
415 continue;
416 }
417
418 pmech_list = malloc(mech_count *
419 sizeof (CK_MECHANISM_TYPE));
420 if (pmech_list == NULL) {
421 cryptodebug("out of memory");
422 rc = FAILURE;
423 break;
424 }
425
426 /* Get the actual mechanism list */
427 rv = prov_funcs->C_GetMechanismList(prov_slots[i],
428 pmech_list, &mech_count);
429 if (rv != CKR_OK) {
430 cryptodebug(
431 "failed to call C_GetMechanismList() "
432 "from %s.", libname);
433 free(pmech_list);
434 rc = FAILURE;
435 break;
436 }
437 } else {
438 /* use the mechanism list passed in */
439 rc = convert_mechlist(&pmech_list, &mech_count, mlist);
440 if (rc != SUCCESS) {
441 goto clean_exit;
442 }
443 }
444 if (show_mechs)
445 (void) printf(gettext("Mechanisms:\n"));
446
447 if (verbose && show_mechs) {
448 display_verbose_mech_header();
449 }
450 /*
451 * Merge the current mechanism list into the returning
452 * mechanism list.
453 */
454 for (j = 0; show_mechs && j < mech_count; j++) {
455 CK_MECHANISM_TYPE mech = pmech_list[j];
456 CK_MECHANISM_INFO mech_info;
457
458 rv = prov_funcs->C_GetMechanismInfo(
459 prov_slots[i], mech, &mech_info);
460 if (rv != CKR_OK) {
461 cryptodebug(
462 "failed to call "
463 "C_GetMechanismInfo() from %s.",
464 libname);
465 free(pmech_list);
466 pmech_list = NULL;
467 rc = FAILURE;
468 break;
469 }
470 if (mech >= CKM_VENDOR_DEFINED) {
471 (void) printf("%#lx", mech);
472 } else {
473 mech_name = pkcs11_mech2str(mech);
474 (void) printf("%-29s", mech_name);
475 }
476
477 if (verbose) {
478 display_mech_info(&mech_info);
479 }
480 (void) printf("\n");
481 }
482 free(pmech_list);
483 if (rc == FAILURE) {
484 break;
485 }
486 }
487
488 if (rng_flag != NULL || rc == FAILURE) {
489 goto clean_exit;
490 }
491
492 clean_exit:
493
494 if (rc == FAILURE) {
495 (void) printf(gettext(
496 "%s: failed to retrieve the mechanism list.\n"), libname);
497 }
498
499 if (lib_initialized) {
500 (void) prov_funcs->C_Finalize(NULL_PTR);
501 }
502
503 if (dldesc != NULL) {
504 (void) dlclose(dldesc);
505 }
506
507 if (prov_slots != NULL) {
508 free(prov_slots);
509 }
510
511 return (rc);
512 }
513
514
515 /*
516 * Display the mechanism policy for a user-level library
517 */
518 int
519 list_policy_for_lib(char *libname)
520 {
521 uentry_t *puent = NULL;
522 int rc;
523
524 if (libname == NULL) {
525 /* should not happen */
526 cryptoerror(LOG_STDERR, gettext("internal error."));
527 cryptodebug("list_policy_for_lib() - libname is NULL.");
528 return (FAILURE);
529 }
530
531 /* Get the library entry from the pkcs11.conf file */
532 if ((puent = getent_uef(libname)) == NULL) {
533 cryptoerror(LOG_STDERR,
534 gettext("%s does not exist."), libname);
535 return (FAILURE);
536 }
537
538 /* Print the policy for this library */
539 rc = print_uef_policy(puent);
540 free_uentry(puent);
541
542 return (rc);
543 }
544
545
546 /*
547 * Disable mechanisms for a user-level library
548 */
549 int
550 disable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
551 mechlist_t *marglist)
552 {
553 uentry_t *puent;
554 int rc;
555
556 if (libname == NULL) {
557 /* should not happen */
558 cryptoerror(LOG_STDERR, gettext("internal error."));
559 cryptodebug("disable_uef_lib() - libname is NULL.");
560 return (FAILURE);
561 }
562
563 /* Get the provider entry from the pkcs11.conf file */
564 if ((puent = getent_uef(libname)) == NULL) {
565 cryptoerror(LOG_STDERR,
566 gettext("%s does not exist."), libname);
567 return (FAILURE);
568 }
569
570 /*
571 * Update the mechanism policy of this library entry, based on
572 * the current policy mode of the library and the mechanisms specified
573 * in CLI.
574 */
575 if (allflag) {
576 /*
577 * If disabling all, just need to clean up the policylist and
578 * set the flag_enabledlist flag to be B_TRUE.
579 */
580 free_umechlist(puent->policylist);
581 puent->policylist = NULL;
582 puent->count = 0;
583 puent->flag_enabledlist = B_TRUE;
584 rc = SUCCESS;
585 } else if (marglist != NULL) {
586 if (puent->flag_enabledlist == B_TRUE) {
587 /*
588 * The current default policy mode of this library
589 * is "all are disabled, except ...", so if a
590 * specified mechanism is in the exception list
591 * (the policylist), delete it from the policylist.
592 */
593 rc = update_policylist(puent, marglist, DELETE_MODE);
594 } else {
595 /*
596 * The current default policy mode of this library
597 * is "all are enabled", so if a specified mechanism
598 * is not in the exception list (policylist), add
599 * it into the policylist.
600 */
601 rc = update_policylist(puent, marglist, ADD_MODE);
602 }
603 } else if (!rndflag) {
604 /* should not happen */
605 cryptoerror(LOG_STDERR, gettext("internal error."));
606 cryptodebug("disable_uef_lib() - wrong arguments.");
607 return (FAILURE);
608 }
609
610 if (rndflag)
611 puent->flag_norandom = B_TRUE;
612
613 if (rc == FAILURE) {
614 free_uentry(puent);
615 return (FAILURE);
616 }
617
618 /* Update the pkcs11.conf file with the updated entry */
619 rc = update_pkcs11conf(puent);
620 free_uentry(puent);
621 return (rc);
622 }
623
624
625 /*
626 * Enable disabled mechanisms for a user-level library.
627 */
628 int
629 enable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
630 mechlist_t *marglist)
631 {
632 uentry_t *puent;
633 int rc = SUCCESS;
634
635 if (libname == NULL) {
636 /* should not happen */
637 cryptoerror(LOG_STDERR, gettext("internal error."));
638 cryptodebug("enable_uef_lib() - libname is NULL.");
639 return (FAILURE);
640 }
641
642 /* Get the provider entry from the pkcs11.conf file */
643 if ((puent = getent_uef(libname)) == NULL) {
644 cryptoerror(LOG_STDERR,
645 gettext("%s does not exist."), libname);
646 return (FAILURE);
647 }
648
649 /*
650 * Update the mechanism policy of this library entry, based on
651 * the current policy mode of the library and the mechanisms
652 * specified in CLI.
653 */
654 if (allflag) {
655 /*
656 * If enabling all, what needs to be done are cleaning up the
657 * policylist and setting the "flag_enabledlist" flag to
658 * B_FALSE.
659 */
660 free_umechlist(puent->policylist);
661 puent->policylist = NULL;
662 puent->count = 0;
663 puent->flag_enabledlist = B_FALSE;
664 rc = SUCCESS;
665 } else if (marglist != NULL) {
666 if (puent->flag_enabledlist == B_TRUE) {
667 /*
668 * The current default policy mode of this library
669 * is "all are disabled, except ...", so if a
670 * specified mechanism is not in the exception list
671 * (policylist), add it.
672 */
673 rc = update_policylist(puent, marglist, ADD_MODE);
674 } else {
675 /*
676 * The current default policy mode of this library
677 * is "all are enabled, except", so if a specified
678 * mechanism is in the exception list (policylist),
679 * delete it.
680 */
681 rc = update_policylist(puent, marglist, DELETE_MODE);
682 }
683 } else if (!rndflag) {
684 /* should not come here */
685 cryptoerror(LOG_STDERR, gettext("internal error."));
686 cryptodebug("enable_uef_lib() - wrong arguments.");
687 return (FAILURE);
688 }
689
690 if (rndflag)
691 puent->flag_norandom = B_FALSE;
692
693 if (rc == FAILURE) {
694 free_uentry(puent);
695 return (FAILURE);
696 }
697
698 /* Update the pkcs11.conf file with the updated entry */
699 rc = update_pkcs11conf(puent);
700 free_uentry(puent);
701 return (rc);
702 }
703
704
705 /*
706 * Install a user-level library.
707 */
708 int
709 install_uef_lib(char *libname)
710 {
711 uentry_t *puent;
712 struct stat statbuf;
713 char libpath[MAXPATHLEN];
714 char libbuf[MAXPATHLEN];
715 char *isa;
716
717 if (libname == NULL) {
718 /* should not happen */
719 cryptoerror(LOG_STDERR, gettext("internal error."));
720 cryptodebug("install_uef_lib() - libname is NULL.");
721 return (FAILURE);
722 }
723
724 /* Check if the provider already exists in the framework */
725 if ((puent = getent_uef(libname)) != NULL) {
726 cryptoerror(LOG_STDERR, gettext("%s exists already."),
727 libname);
728 free_uentry(puent);
729 return (FAILURE);
730 }
731
732 /*
733 * Check if the library exists in the system. if $ISA is in the
734 * path, only check the 32bit version.
735 */
736 if (strlcpy(libbuf, libname, MAXPATHLEN) >= MAXPATHLEN) {
737 cryptoerror(LOG_STDERR,
738 gettext("the provider name is too long - %s"), libname);
739 return (FAILURE);
740 }
741
742 if ((isa = strstr(libbuf, PKCS11_ISA)) != NULL) {
743 *isa = '\000';
744 isa += strlen(PKCS11_ISA);
745 (void) snprintf(libpath, sizeof (libpath), "%s%s%s", libbuf,
746 "/", isa);
747 } else {
748 (void) strlcpy(libpath, libname, sizeof (libpath));
749 }
750
751 /* Check if it is same as the framework library */
752 if (strcmp(libpath, UEF_FRAME_LIB) == 0) {
753 cryptoerror(LOG_STDERR, gettext(
754 "The framework library %s can not be installed."),
755 libname);
756 return (FAILURE);
757 }
758
759 if (stat(libpath, &statbuf) != 0) {
760 cryptoerror(LOG_STDERR, gettext("%s not found"), libname);
761 return (FAILURE);
762 }
763
764 /* Need to add "\n" to libname for adding into the config file */
765 if (strlcat(libname, "\n", MAXPATHLEN) >= MAXPATHLEN) {
766 cryptoerror(LOG_STDERR, gettext(
767 "can not install %s; the name is too long."), libname);
768 return (FAILURE);
769 }
770
771 return (update_conf(_PATH_PKCS11_CONF, libname));
772
773 }
774
775
776 /*
777 * Uninstall a user-level library.
778 */
779 int
780 uninstall_uef_lib(char *libname)
781 {
782 uentry_t *puent;
783 FILE *pfile;
784 FILE *pfile_tmp;
785 char buffer[BUFSIZ];
786 char buffer2[BUFSIZ];
787 char tmpfile_name[MAXPATHLEN];
788 char *name;
789 boolean_t found;
790 boolean_t in_package;
791 int len;
792 int rc = SUCCESS;
793
794 if (libname == NULL) {
795 /* should not happen */
796 cryptoerror(LOG_STDERR, gettext("internal error."));
797 cryptodebug("uninstall_uef_lib() - libname is NULL.");
798 return (FAILURE);
799 }
800
801 /* Check if the provider exists */
802 if ((puent = getent_uef(libname)) == NULL) {
803 cryptoerror(LOG_STDERR,
804 gettext("%s does not exist."), libname);
805 return (FAILURE);
806 }
807 free_uentry(puent);
808
809 /* Open the pkcs11.conf file and lock it */
810 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
811 err = errno;
812 cryptoerror(LOG_STDERR,
813 gettext("failed to update the configuration - %s"),
814 strerror(err));
815 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
816 return (FAILURE);
817 }
818
819 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
820 err = errno;
821 cryptoerror(LOG_STDERR,
822 gettext("failed to lock the configuration - %s"),
823 strerror(err));
824 (void) fclose(pfile);
825 return (FAILURE);
826 }
827
828 /*
829 * Create a temporary file in the /etc/crypto directory to save
830 * the new configuration file first.
831 */
832 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
833 if (mkstemp(tmpfile_name) == -1) {
834 err = errno;
835 cryptoerror(LOG_STDERR,
836 gettext("failed to create a temporary file - %s"),
837 strerror(err));
838 (void) fclose(pfile);
839 return (FAILURE);
840 }
841
842 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
843 err = errno;
844 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
845 tmpfile_name, strerror(err));
846 if (unlink(tmpfile_name) != 0) {
847 err = errno;
848 cryptoerror(LOG_STDERR, gettext(
849 "(Warning) failed to remove %s: %s"),
850 tmpfile_name, strerror(err));
851 }
852 (void) fclose(pfile);
853 return (FAILURE);
854 }
855
856
857 /*
858 * Loop thru the config file. If the library to be uninstalled
859 * is in a package, just comment it off.
860 */
861 in_package = B_FALSE;
862 while (fgets(buffer, BUFSIZ, pfile) != NULL) {
863 found = B_FALSE;
864 if (!(buffer[0] == ' ' || buffer[0] == '\n' ||
865 buffer[0] == '\t')) {
866 if (strstr(buffer, " Start ") != NULL) {
867 in_package = B_TRUE;
868 } else if (strstr(buffer, " End ") != NULL) {
869 in_package = B_FALSE;
870 } else if (buffer[0] != '#') {
871 (void) strlcpy(buffer2, buffer, BUFSIZ);
872
873 /* get rid of trailing '\n' */
874 len = strlen(buffer2);
875 if (buffer2[len-1] == '\n') {
876 len--;
877 }
878 buffer2[len] = '\0';
879
880 if ((name = strtok(buffer2, SEP_COLON))
881 == NULL) {
882 rc = FAILURE;
883 break;
884 } else if (strcmp(libname, name) == 0) {
885 found = B_TRUE;
886 }
887 }
888 }
889
890 if (found) {
891 if (in_package) {
892 (void) snprintf(buffer2, sizeof (buffer2),
893 "%s%s%s", "#", libname, "\n");
894 if (fputs(buffer2, pfile_tmp) == EOF) {
895 rc = FAILURE;
896 }
897 }
898 } else {
899 if (fputs(buffer, pfile_tmp) == EOF) {
900 rc = FAILURE;
901 }
902 }
903
904 if (rc == FAILURE) {
905 break;
906 }
907 }
908
909 if (rc == FAILURE) {
910 cryptoerror(LOG_STDERR, gettext("write error."));
911 (void) fclose(pfile);
912 (void) fclose(pfile_tmp);
913 if (unlink(tmpfile_name) != 0) {
914 err = errno;
915 cryptoerror(LOG_STDERR, gettext(
916 "(Warning) failed to remove %s: %s"),
917 tmpfile_name, strerror(err));
918 }
919 return (FAILURE);
920 }
921
922 (void) fclose(pfile);
923 if (fclose(pfile_tmp) != 0) {
924 err = errno;
925 cryptoerror(LOG_STDERR,
926 gettext("failed to close a temporary file - %s"),
927 strerror(err));
928 return (FAILURE);
929 }
930
931 /* Now update the real config file */
932 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
933 err = errno;
934 cryptoerror(LOG_STDERR,
935 gettext("failed to update the configuration - %s"),
936 strerror(err));
937 cryptodebug("failed to rename %s to %s: %s", tmpfile,
938 _PATH_PKCS11_CONF, strerror(err));
939 rc = FAILURE;
940 } else if (chmod(_PATH_PKCS11_CONF,
941 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
942 err = errno;
943 cryptoerror(LOG_STDERR,
944 gettext("failed to update the configuration - %s"),
945 strerror(err));
946 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
947 strerror(err));
948 rc = FAILURE;
949 } else {
950 rc = SUCCESS;
951 }
952
953 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
954 err = errno;
955 cryptoerror(LOG_STDERR, gettext(
956 "(Warning) failed to remove %s: %s"),
957 tmpfile_name, strerror(err));
958 }
959
960 return (rc);
961 }
962
963
964 int
965 display_policy(uentry_t *puent)
966 {
967 CK_MECHANISM_TYPE mech_id;
968 const char *mech_name;
969 umechlist_t *ptr;
970
971 if (puent == NULL) {
972 return (SUCCESS);
973 }
974
975 if (puent->flag_enabledlist == B_FALSE) {
976 (void) printf(gettext("%s: all mechanisms are enabled"),
977 puent->name);
978 ptr = puent->policylist;
979 if (ptr == NULL) {
980 (void) printf(".");
981 } else {
982 (void) printf(gettext(", except "));
983 while (ptr != NULL) {
984 mech_id = strtoul(ptr->name, NULL, 0);
985 if (mech_id & CKO_VENDOR_DEFINED) {
986 /* vendor defined mechanism */
987 (void) printf("%s", ptr->name);
988 } else {
989 if (mech_id >= CKM_VENDOR_DEFINED) {
990 (void) printf("%#lx", mech_id);
991 } else {
992 mech_name = pkcs11_mech2str(
993 mech_id);
994 if (mech_name == NULL) {
995 return (FAILURE);
996 }
997 (void) printf("%s", mech_name);
998 }
999 }
1000
1001 ptr = ptr->next;
1002 if (ptr == NULL) {
1003 (void) printf(".");
1004 } else {
1005 (void) printf(",");
1006 }
1007 }
1008 }
1009 } else { /* puent->flag_enabledlist == B_TRUE */
1010 (void) printf(gettext("%s: all mechanisms are disabled"),
1011 puent->name);
1012 ptr = puent->policylist;
1013 if (ptr == NULL) {
1014 (void) printf(".");
1015 } else {
1016 (void) printf(gettext(", except "));
1017 while (ptr != NULL) {
1018 mech_id = strtoul(ptr->name, NULL, 0);
1019 if (mech_id & CKO_VENDOR_DEFINED) {
1020 /* vendor defined mechanism */
1021 (void) printf("%s", ptr->name);
1022 } else {
1023 mech_name = pkcs11_mech2str(mech_id);
1024 if (mech_name == NULL) {
1025 return (FAILURE);
1026 }
1027 (void) printf("%s", mech_name);
1028 }
1029 ptr = ptr->next;
1030 if (ptr == NULL) {
1031 (void) printf(".");
1032 } else {
1033 (void) printf(",");
1034 }
1035 }
1036 }
1037 }
1038 return (SUCCESS);
1039 }
1040
1041
1042
1043 /*
1044 * Print out the mechanism policy for a user-level provider pointed by puent.
1045 */
1046 int
1047 print_uef_policy(uentry_t *puent)
1048 {
1049 flag_val_t rng_flag;
1050
1051 if (puent == NULL) {
1052 return (FAILURE);
1053 }
1054
1055 rng_flag = NO_RNG;
1056 if (list_mechlist_for_lib(puent->name, NULL, &rng_flag, B_TRUE,
1057 B_FALSE, B_FALSE) != SUCCESS) {
1058 cryptoerror(LOG_STDERR,
1059 gettext("%s internal error."), puent->name);
1060 return (FAILURE);
1061 }
1062
1063 if (display_policy(puent) != SUCCESS) {
1064 goto failed_exit;
1065 }
1066
1067
1068 if (puent->flag_norandom == B_TRUE)
1069 /*
1070 * TRANSLATION_NOTE
1071 * "random" is a keyword and not to be translated.
1072 */
1073 (void) printf(gettext(" %s is disabled."), "random");
1074 else {
1075 if (rng_flag == HAS_RNG)
1076 /*
1077 * TRANSLATION_NOTE
1078 * "random" is a keyword and not to be translated.
1079 */
1080 (void) printf(gettext(" %s is enabled."), "random");
1081 }
1082 (void) printf("\n");
1083
1084 return (SUCCESS);
1085
1086 failed_exit:
1087
1088 (void) printf(gettext("\nout of memory.\n"));
1089 return (FAILURE);
1090 }
1091
1092
1093 /*
1094 * Check if the mechanism is in the mechanism list.
1095 */
1096 static boolean_t
1097 is_in_policylist(midstr_t mechname, umechlist_t *plist)
1098 {
1099 boolean_t found = B_FALSE;
1100
1101 if (mechname == NULL) {
1102 return (B_FALSE);
1103 }
1104
1105 while (plist != NULL) {
1106 if (strcmp(plist->name, mechname) == 0) {
1107 found = B_TRUE;
1108 break;
1109 }
1110 plist = plist->next;
1111 }
1112
1113 return (found);
1114 }
1115
1116
1117 /*
1118 * Update the pkcs11.conf file with the updated entry.
1119 */
1120 int
1121 update_pkcs11conf(uentry_t *puent)
1122 {
1123 FILE *pfile;
1124 FILE *pfile_tmp;
1125 char buffer[BUFSIZ];
1126 char buffer2[BUFSIZ];
1127 char tmpfile_name[MAXPATHLEN];
1128 char *name;
1129 char *str;
1130 int len;
1131 int rc = SUCCESS;
1132 boolean_t found;
1133
1134 if (puent == NULL) {
1135 cryptoerror(LOG_STDERR, gettext("internal error."));
1136 return (FAILURE);
1137 }
1138
1139 /* Open the pkcs11.conf file */
1140 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
1141 err = errno;
1142 cryptoerror(LOG_STDERR,
1143 gettext("failed to update the configuration - %s"),
1144 strerror(err));
1145 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
1146 return (FAILURE);
1147 }
1148
1149 /* Lock the pkcs11.conf file */
1150 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
1151 err = errno;
1152 cryptoerror(LOG_STDERR,
1153 gettext("failed to update the configuration - %s"),
1154 strerror(err));
1155 (void) fclose(pfile);
1156 return (FAILURE);
1157 }
1158
1159 /*
1160 * Create a temporary file in the /etc/crypto directory to save
1161 * updated configuration file first.
1162 */
1163 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
1164 if (mkstemp(tmpfile_name) == -1) {
1165 err = errno;
1166 cryptoerror(LOG_STDERR,
1167 gettext("failed to create a temporary file - %s"),
1168 strerror(err));
1169 (void) fclose(pfile);
1170 return (FAILURE);
1171 }
1172
1173 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
1174 err = errno;
1175 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1176 tmpfile_name, strerror(err));
1177 if (unlink(tmpfile_name) != 0) {
1178 err = errno;
1179 cryptoerror(LOG_STDERR, gettext(
1180 "(Warning) failed to remove %s: %s"),
1181 tmpfile_name, strerror(err));
1182 }
1183 (void) fclose(pfile);
1184 return (FAILURE);
1185 }
1186
1187
1188 /*
1189 * Loop thru entire pkcs11.conf file, update the entry to be
1190 * updated and save the updated file to the temporary file first.
1191 */
1192 while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1193 found = B_FALSE;
1194 if (!(buffer[0] == '#' || buffer[0] == ' ' ||
1195 buffer[0] == '\n'|| buffer[0] == '\t')) {
1196 /*
1197 * Get the provider name from this line and check if
1198 * this is the entry to be updated. Note: can not use
1199 * "buffer" directly because strtok will change its
1200 * value.
1201 */
1202 (void) strlcpy(buffer2, buffer, BUFSIZ);
1203
1204 /* get rid of trailing '\n' */
1205 len = strlen(buffer2);
1206 if (buffer2[len-1] == '\n') {
1207 len--;
1208 }
1209 buffer2[len] = '\0';
1210
1211 if ((name = strtok(buffer2, SEP_COLON)) == NULL) {
1212 rc = FAILURE;
1213 break;
1214 } else if (strcmp(puent->name, name) == 0) {
1215 found = B_TRUE;
1216 }
1217 }
1218
1219 if (found) {
1220 /*
1221 * This is the entry to be modified, get the updated
1222 * string.
1223 */
1224 if ((str = uent2str(puent)) == NULL) {
1225 rc = FAILURE;
1226 break;
1227 } else {
1228 (void) strlcpy(buffer, str, BUFSIZ);
1229 free(str);
1230 }
1231 }
1232
1233 if (fputs(buffer, pfile_tmp) == EOF) {
1234 err = errno;
1235 cryptoerror(LOG_STDERR, gettext(
1236 "failed to write to a temp file: %s."),
1237 strerror(err));
1238 rc = FAILURE;
1239 break;
1240 }
1241 }
1242
1243 if (rc == FAILURE) {
1244 (void) fclose(pfile);
1245 (void) fclose(pfile_tmp);
1246 if (unlink(tmpfile_name) != 0) {
1247 err = errno;
1248 cryptoerror(LOG_STDERR, gettext(
1249 "(Warning) failed to remove %s: %s"),
1250 tmpfile_name, strerror(err));
1251 }
1252 return (FAILURE);
1253 }
1254
1255 (void) fclose(pfile);
1256 if (fclose(pfile_tmp) != 0) {
1257 err = errno;
1258 cryptoerror(LOG_STDERR,
1259 gettext("failed to close %s: %s"), tmpfile_name,
1260 strerror(err));
1261 return (FAILURE);
1262 }
1263
1264 /* Copy the temporary file to the pkcs11.conf file */
1265 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1266 err = errno;
1267 cryptoerror(LOG_STDERR,
1268 gettext("failed to update the configuration - %s"),
1269 strerror(err));
1270 cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
1271 _PATH_PKCS11_CONF, strerror(err));
1272 rc = FAILURE;
1273 } else if (chmod(_PATH_PKCS11_CONF,
1274 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1275 err = errno;
1276 cryptoerror(LOG_STDERR,
1277 gettext("failed to update the configuration - %s"),
1278 strerror(err));
1279 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1280 strerror(err));
1281 rc = FAILURE;
1282 } else {
1283 rc = SUCCESS;
1284 }
1285
1286 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1287 err = errno;
1288 cryptoerror(LOG_STDERR, gettext(
1289 "(Warning) failed to remove %s: %s"),
1290 tmpfile_name, strerror(err));
1291 }
1292
1293 return (rc);
1294 }
1295
1296
1297 /*
1298 * Convert an uentry to a character string
1299 */
1300 static char *
1301 uent2str(uentry_t *puent)
1302 {
1303 umechlist_t *phead;
1304 boolean_t tok1_present = B_FALSE;
1305 char *buf;
1306 char blank_buf[128];
1307
1308 if (puent == NULL) {
1309 cryptoerror(LOG_STDERR, gettext("internal error."));
1310 return (NULL);
1311 }
1312
1313 buf = malloc(BUFSIZ);
1314 if (buf == NULL) {
1315 cryptoerror(LOG_STDERR, gettext("out of memory."));
1316 return (NULL);
1317 }
1318
1319 /* convert the library name */
1320 if (strlcpy(buf, puent->name, BUFSIZ) >= BUFSIZ) {
1321 free(buf);
1322 return (NULL);
1323 }
1324
1325
1326 /* convert the enabledlist or the disabledlist */
1327 if (puent->flag_enabledlist == B_TRUE) {
1328 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1329 free(buf);
1330 return (NULL);
1331 }
1332
1333 if (strlcat(buf, EF_ENABLED, BUFSIZ) >= BUFSIZ) {
1334 free(buf);
1335 return (NULL);
1336 }
1337
1338 phead = puent->policylist;
1339 while (phead != NULL) {
1340 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1341 free(buf);
1342 return (NULL);
1343 }
1344
1345 phead = phead->next;
1346 if (phead != NULL) {
1347 if (strlcat(buf, SEP_COMMA, BUFSIZ)
1348 >= BUFSIZ) {
1349 free(buf);
1350 return (NULL);
1351 }
1352 }
1353 }
1354 tok1_present = B_TRUE;
1355 } else if (puent->policylist != NULL) {
1356 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1357 free(buf);
1358 return (NULL);
1359 }
1360
1361 if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) {
1362 free(buf);
1363 return (NULL);
1364 }
1365 phead = puent->policylist;
1366 while (phead != NULL) {
1367 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1368 free(buf);
1369 return (NULL);
1370 }
1371
1372 phead = phead->next;
1373 if (phead != NULL) {
1374 if (strlcat(buf, SEP_COMMA, BUFSIZ)
1375 >= BUFSIZ) {
1376 free(buf);
1377 return (NULL);
1378 }
1379 }
1380 }
1381 tok1_present = B_TRUE;
1382 }
1383
1384 if (puent->flag_norandom == B_TRUE) {
1385 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1386 BUFSIZ) >= BUFSIZ) {
1387 free(buf);
1388 return (NULL);
1389 }
1390
1391 if (strlcat(buf, EF_NORANDOM, BUFSIZ) >= BUFSIZ) {
1392 free(buf);
1393 return (NULL);
1394 }
1395 }
1396
1397 if (strcmp(puent->name, METASLOT_KEYWORD) == 0) {
1398
1399 /* write the metaslot_status= value */
1400 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1401 BUFSIZ) >= BUFSIZ) {
1402 free(buf);
1403 return (NULL);
1404 }
1405
1406 if (strlcat(buf, METASLOT_STATUS, BUFSIZ) >= BUFSIZ) {
1407 free(buf);
1408 return (NULL);
1409 }
1410
1411 if (puent->flag_metaslot_enabled) {
1412 if (strlcat(buf, ENABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1413 free(buf);
1414 return (NULL);
1415 }
1416 } else {
1417 if (strlcat(buf, DISABLED_KEYWORD, BUFSIZ)
1418 >= BUFSIZ) {
1419 free(buf);
1420 return (NULL);
1421 }
1422 }
1423
1424 if (!tok1_present) {
1425 tok1_present = B_TRUE;
1426 }
1427
1428 if (strlcat(buf, SEP_SEMICOLON, BUFSIZ) >= BUFSIZ) {
1429 free(buf);
1430 return (NULL);
1431 }
1432
1433 if (strlcat(buf, METASLOT_AUTO_KEY_MIGRATE, BUFSIZ) >= BUFSIZ) {
1434 free(buf);
1435 return (NULL);
1436 }
1437
1438 if (puent->flag_metaslot_auto_key_migrate) {
1439 if (strlcat(buf, ENABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1440 free(buf);
1441 return (NULL);
1442 }
1443 } else {
1444 if (strlcat(buf, DISABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1445 free(buf);
1446 return (NULL);
1447 }
1448 }
1449
1450 bzero(blank_buf, sizeof (blank_buf));
1451
1452 /* write metaslot_token= if specified */
1453 if (memcmp(puent->metaslot_ks_token, blank_buf,
1454 TOKEN_LABEL_SIZE) != 0) {
1455 /* write the metaslot_status= value */
1456 if (strlcat(buf, (tok1_present ?
1457 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1458 free(buf);
1459 return (NULL);
1460 }
1461
1462 if (strlcat(buf, METASLOT_TOKEN, BUFSIZ) >= BUFSIZ) {
1463 free(buf);
1464 return (NULL);
1465 }
1466
1467 if (strlcat(buf,
1468 (const char *)puent->metaslot_ks_token, BUFSIZ)
1469 >= BUFSIZ) {
1470 free(buf);
1471 return (NULL);
1472 }
1473 }
1474
1475 /* write metaslot_slot= if specified */
1476 if (memcmp(puent->metaslot_ks_slot, blank_buf,
1477 SLOT_DESCRIPTION_SIZE) != 0) {
1478 /* write the metaslot_status= value */
1479 if (strlcat(buf, (tok1_present ?
1480 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1481 free(buf);
1482 return (NULL);
1483 }
1484
1485 if (strlcat(buf, METASLOT_SLOT, BUFSIZ) >= BUFSIZ) {
1486 free(buf);
1487 return (NULL);
1488 }
1489
1490 if (strlcat(buf,
1491 (const char *)puent->metaslot_ks_slot, BUFSIZ)
1492 >= BUFSIZ) {
1493 free(buf);
1494 return (NULL);
1495 }
1496 }
1497 }
1498
1499 if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) {
1500 free(buf);
1501 return (NULL);
1502 }
1503
1504 return (buf);
1505 }
1506
1507
1508 /*
1509 * This function updates the default policy mode and the policy exception list
1510 * for a user-level provider based on the mechanism specified in the disable
1511 * or enable subcommand and the update mode. This function is called by the
1512 * enable_uef_lib() or disable_uef_lib().
1513 */
1514 int
1515 update_policylist(uentry_t *puent, mechlist_t *marglist, int update_mode)
1516 {
1517 CK_MECHANISM_TYPE mech_type;
1518 midstr_t midname;
1519 umechlist_t *phead;
1520 umechlist_t *pcur;
1521 umechlist_t *pumech;
1522 boolean_t found;
1523 int rc = SUCCESS;
1524
1525 if ((puent == NULL) || (marglist == NULL)) {
1526 /* should not happen */
1527 cryptoerror(LOG_STDERR, gettext("internal error."));
1528 cryptodebug("update_policylist()- puent or marglist is NULL.");
1529 return (FAILURE);
1530 }
1531
1532 if ((update_mode != ADD_MODE) && (update_mode != DELETE_MODE)) {
1533 /* should not happen */
1534 cryptoerror(LOG_STDERR, gettext("internal error."));
1535 cryptodebug("update_policylist() - update_mode is incorrect.");
1536 return (FAILURE);
1537 }
1538
1539 /*
1540 * For each mechanism operand, get its mechanism type first.
1541 * If fails to get the mechanism type, the mechanism operand must be
1542 * invalid, gives an warning and ignore it. Otherwise,
1543 * - convert the mechanism type to the internal representation (hex)
1544 * in the pkcs11.conf file
1545 * - If update_mode == DELETE_MODE,
1546 * If the mechanism is in the policy list, delete it.
1547 * If the mechanism is not in the policy list, do nothing.
1548 * - If update_mode == ADD_MODE,
1549 * If the mechanism is not in the policy list, add it.
1550 * If the mechanism is in the policy list already, do nothing.
1551 */
1552 while (marglist) {
1553 if (pkcs11_str2mech(marglist->name, &mech_type) != CKR_OK) {
1554 /*
1555 * This mechanism is not a valid PKCS11 mechanism,
1556 * give warning and ignore it.
1557 */
1558 cryptoerror(LOG_STDERR, gettext(
1559 "(Warning) %s is not a valid PKCS#11 mechanism."),
1560 marglist->name);
1561 rc = FAILURE;
1562 } else {
1563 (void) snprintf(midname, sizeof (midname), "%#010x",
1564 (int)mech_type);
1565 if (update_mode == DELETE_MODE) {
1566 found = B_FALSE;
1567 phead = pcur = puent->policylist;
1568 while (!found && pcur) {
1569 if (strcmp(pcur->name, midname) == 0) {
1570 found = B_TRUE;
1571 } else {
1572 phead = pcur;
1573 pcur = pcur->next;
1574 }
1575 }
1576
1577 if (found) {
1578 if (phead == pcur) {
1579 puent->policylist =
1580 puent->policylist->next;
1581 free(pcur);
1582 } else {
1583 phead->next = pcur->next;
1584 free(pcur);
1585 }
1586 puent->count--;
1587 if (puent->count == 0) {
1588 puent->policylist = NULL;
1589 }
1590 }
1591 } else if (update_mode == ADD_MODE) {
1592 if (!is_in_policylist(midname,
1593 puent->policylist)) {
1594 pumech = create_umech(midname);
1595 if (pumech == NULL) {
1596 rc = FAILURE;
1597 break;
1598 }
1599 phead = puent->policylist;
1600 puent->policylist = pumech;
1601 pumech->next = phead;
1602 puent->count++;
1603 }
1604 }
1605 }
1606 marglist = marglist->next;
1607 }
1608
1609 return (rc);
1610 }
1611
1612 /*
1613 * Open a session to the given slot and check if we can do
1614 * random numbers by asking for one byte.
1615 */
1616 static boolean_t
1617 check_random(CK_SLOT_ID slot_id, CK_FUNCTION_LIST_PTR prov_funcs)
1618 {
1619 CK_RV rv;
1620 CK_SESSION_HANDLE hSession;
1621 CK_BYTE test_byte;
1622 CK_BYTE_PTR test_byte_ptr = &test_byte;
1623
1624 rv = prov_funcs->C_OpenSession(slot_id, CKF_SERIAL_SESSION,
1625 NULL_PTR, NULL, &hSession);
1626 if (rv != CKR_OK)
1627 return (B_FALSE);
1628
1629 /* We care only about the return value */
1630 rv = prov_funcs->C_GenerateRandom(hSession, test_byte_ptr,
1631 sizeof (test_byte));
1632 (void) prov_funcs->C_CloseSession(hSession);
1633
1634 /*
1635 * These checks are purely to determine whether the slot can do
1636 * random numbers. So, we don't check whether the routine
1637 * succeeds. The reason we check for CKR_RANDOM_NO_RNG also is that
1638 * this error effectively means CKR_FUNCTION_NOT_SUPPORTED.
1639 */
1640 if (rv != CKR_FUNCTION_NOT_SUPPORTED && rv != CKR_RANDOM_NO_RNG)
1641 return (B_TRUE);
1642 else
1643 return (B_FALSE);
1644 }
1645
1646 void
1647 display_verbose_mech_header()
1648 {
1649 (void) printf("%28s %s", " ", HDR1);
1650 (void) printf("%28s %s", " ", HDR2);
1651 (void) printf("%28s %s", " ", HDR3);
1652 (void) printf("%28s %s", " ", HDR4);
1653 (void) printf("%28s %s", " ", HDR5);
1654 (void) printf("%28s %s", " ", HDR6);
1655 (void) printf("%-28.28s %s", gettext("mechanism name"), HDR7);
1656 /*
1657 * TRANSLATION_NOTE
1658 * Strictly for appearance's sake, the first header line should be
1659 * as long as the length of the translated text above. The format
1660 * lengths should all match too.
1661 */
1662 (void) printf("%28s ---- ---- "
1663 "- - - - - - - - - - - - - -\n",
1664 gettext("----------------------------"));
1665 }
unleashed repo fork