1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 26 #include <fcntl.h> 27 #include <stdio.h> 28 #include <stdlib.h> 29 #include <strings.h> 30 #include <unistd.h> 31 #include <locale.h> 32 #include <libgen.h> 33 #include <sys/types.h> 34 #include <zone.h> 35 #include <sys/crypto/ioctladmin.h> 36 #include <cryptoutil.h> 37 #include "cryptoadm.h" 38 39 #define REQ_ARG_CNT 2 40 41 /* subcommand index */ 42 enum subcommand_index { 43 CRYPTO_LIST, 44 CRYPTO_DISABLE, 45 CRYPTO_ENABLE, 46 CRYPTO_INSTALL, 47 CRYPTO_UNINSTALL, 48 CRYPTO_UNLOAD, 49 CRYPTO_REFRESH, 50 CRYPTO_START, 51 CRYPTO_STOP, 52 CRYPTO_HELP }; 53 54 /* 55 * TRANSLATION_NOTE 56 * Command keywords are not to be translated. 57 */ 58 static char *cmd_table[] = { 59 "list", 60 "disable", 61 "enable", 62 "install", 63 "uninstall", 64 "unload", 65 "refresh", 66 "start", 67 "stop", 68 "--help" }; 69 70 /* provider type */ 71 enum provider_type_index { 72 PROV_UEF_LIB, 73 PROV_KEF_SOFT, 74 PROV_KEF_HARD, 75 METASLOT, 76 PROV_BADNAME }; 77 78 typedef struct { 79 char cp_name[MAXPATHLEN]; 80 enum provider_type_index cp_type; 81 } cryptoadm_provider_t; 82 83 /* 84 * TRANSLATION_NOTE 85 * Operand keywords are not to be translated. 86 */ 87 static const char *KN_PROVIDER = "provider="; 88 static const char *KN_MECH = "mechanism="; 89 static const char *KN_ALL = "all"; 90 static const char *KN_TOKEN = "token="; 91 static const char *KN_SLOT = "slot="; 92 static const char *KN_DEFAULT_KS = "default-keystore"; 93 static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate"; 94 95 /* static variables */ 96 static boolean_t allflag = B_FALSE; 97 static boolean_t rndflag = B_FALSE; 98 static mechlist_t *mecharglist = NULL; 99 100 /* static functions */ 101 static void usage(void); 102 static int get_provider_type(char *); 103 static int process_mech_operands(int, char **, boolean_t); 104 static int do_list(int, char **); 105 static int do_disable(int, char **); 106 static int do_enable(int, char **); 107 static int do_install(int, char **); 108 static int do_uninstall(int, char **); 109 static int do_unload(int, char **); 110 static int do_refresh(int); 111 static int do_start(int); 112 static int do_stop(int); 113 static int list_simple_for_all(boolean_t); 114 static int list_mechlist_for_all(boolean_t); 115 static int list_policy_for_all(void); 116 117 int 118 main(int argc, char *argv[]) 119 { 120 char *subcmd; 121 int cmdnum; 122 int cmd_index = 0; 123 int rc = SUCCESS; 124 125 (void) setlocale(LC_ALL, ""); 126 127 #if !defined(TEXT_DOMAIN) /* Should be defined by cc -D */ 128 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it weren't */ 129 #endif 130 (void) textdomain(TEXT_DOMAIN); 131 132 cryptodebug_init(basename(argv[0])); 133 134 if (argc < REQ_ARG_CNT) { 135 usage(); 136 return (ERROR_USAGE); 137 } 138 139 /* get the subcommand index */ 140 cmd_index = 0; 141 subcmd = argv[1]; 142 cmdnum = sizeof (cmd_table)/sizeof (cmd_table[0]); 143 144 while ((cmd_index < cmdnum) && 145 (strcmp(subcmd, cmd_table[cmd_index]) != 0)) { 146 cmd_index++; 147 } 148 if (cmd_index >= cmdnum) { 149 usage(); 150 return (ERROR_USAGE); 151 } 152 153 /* do the subcommand */ 154 switch (cmd_index) { 155 case CRYPTO_LIST: 156 rc = do_list(argc, argv); 157 break; 158 case CRYPTO_DISABLE: 159 rc = do_disable(argc, argv); 160 break; 161 case CRYPTO_ENABLE: 162 rc = do_enable(argc, argv); 163 break; 164 case CRYPTO_INSTALL: 165 rc = do_install(argc, argv); 166 break; 167 case CRYPTO_UNINSTALL: 168 rc = do_uninstall(argc, argv); 169 break; 170 case CRYPTO_UNLOAD: 171 rc = do_unload(argc, argv); 172 break; 173 case CRYPTO_REFRESH: 174 rc = do_refresh(argc); 175 break; 176 case CRYPTO_START: 177 rc = do_start(argc); 178 break; 179 case CRYPTO_STOP: 180 rc = do_stop(argc); 181 break; 182 case CRYPTO_HELP: 183 usage(); 184 rc = SUCCESS; 185 break; 186 default: /* should not come here */ 187 usage(); 188 rc = ERROR_USAGE; 189 break; 190 } 191 return (rc); 192 } 193 194 195 static void 196 usage(void) 197 { 198 /* 199 * TRANSLATION_NOTE 200 * Command usage is not to be translated. Only the word "Usage:" 201 * along with localized expressions indicating what kind of value 202 * is expected for arguments. 203 */ 204 (void) fprintf(stderr, gettext("Usage:\n")); 205 (void) fprintf(stderr, 206 " cryptoadm list [-mpv] [provider=<%s> | metaslot]" 207 " [mechanism=<%s>]\n", 208 gettext("provider-name"), gettext("mechanism-list")); 209 (void) fprintf(stderr, 210 " cryptoadm disable provider=<%s>" 211 " mechanism=<%s> | random | all\n", 212 gettext("provider-name"), gettext("mechanism-list")); 213 (void) fprintf(stderr, 214 " cryptoadm disable metaslot" 215 " [auto-key-migrate] [mechanism=<%s>]\n", 216 gettext("mechanism-list")); 217 (void) fprintf(stderr, 218 " cryptoadm enable provider=<%s>" 219 " mechanism=<%s> | random | all\n", 220 gettext("provider-name"), gettext("mechanism-list")); 221 (void) fprintf(stderr, 222 " cryptoadm enable metaslot [mechanism=<%s>]" 223 " [[token=<%s>] [slot=<%s>]" 224 " | [default-keystore]] | [auto-key-migrate]\n", 225 gettext("mechanism-list"), gettext("token-label"), 226 gettext("slot-description")); 227 (void) fprintf(stderr, 228 " cryptoadm install provider=<%s>\n", 229 gettext("provider-name")); 230 (void) fprintf(stderr, 231 " cryptoadm install provider=<%s> [mechanism=<%s>]\n", 232 gettext("provider-name"), gettext("mechanism-list")); 233 (void) fprintf(stderr, 234 " cryptoadm uninstall provider=<%s>\n", 235 gettext("provider-name")); 236 (void) fprintf(stderr, 237 " cryptoadm unload provider=<%s>\n", 238 gettext("provider-name")); 239 (void) fprintf(stderr, 240 " cryptoadm refresh\n" 241 " cryptoadm start\n" 242 " cryptoadm stop\n" 243 " cryptoadm --help\n"); 244 } 245 246 247 /* 248 * Get the provider type. This function returns 249 * - PROV_UEF_LIB if provname contains an absolute path name 250 * - PROV_KEF_SOFT if provname is a base name only (e.g., "aes"). 251 * - PROV_KEF_HARD if provname contains one slash only and the slash is not 252 * the 1st character (e.g., "mca/0"). 253 * - PROV_BADNAME otherwise. 254 */ 255 static int 256 get_provider_type(char *provname) 257 { 258 char *pslash1; 259 char *pslash2; 260 261 if (provname == NULL) { 262 return (FAILURE); 263 } 264 265 if (provname[0] == '/') { 266 return (PROV_UEF_LIB); 267 } else if ((pslash1 = strchr(provname, SEP_SLASH)) == NULL) { 268 /* no slash */ 269 return (PROV_KEF_SOFT); 270 } else { 271 pslash2 = strrchr(provname, SEP_SLASH); 272 if (pslash1 == pslash2) { 273 return (PROV_KEF_HARD); 274 } else { 275 return (PROV_BADNAME); 276 } 277 } 278 } 279 280 /* 281 * Get the provider structure. This function returns NULL if no valid 282 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned. 283 * If provider= is found but has no argument, then a cryptoadm_provider_t 284 * with cp_type = PROV_BADNAME is returned. 285 */ 286 static cryptoadm_provider_t * 287 get_provider(int argc, char **argv) 288 { 289 int c = 0; 290 boolean_t found = B_FALSE; 291 cryptoadm_provider_t *provider = NULL; 292 char *provstr = NULL, *savstr; 293 boolean_t is_metaslot = B_FALSE; 294 295 while (!found && ++c < argc) { 296 if (strncmp(argv[c], METASLOT_KEYWORD, 297 strlen(METASLOT_KEYWORD)) == 0) { 298 is_metaslot = B_TRUE; 299 found = B_TRUE; 300 } else if (strncmp(argv[c], KN_PROVIDER, 301 strlen(KN_PROVIDER)) == 0 && 302 strlen(argv[c]) > strlen(KN_PROVIDER)) { 303 if ((provstr = strdup(argv[c])) == NULL) { 304 int err = errno; 305 /* 306 * TRANSLATION_NOTE 307 * "get_provider" is a function name and should 308 * not be translated. 309 */ 310 cryptoerror(LOG_STDERR, "get_provider: %s.", 311 strerror(err)); 312 return (NULL); 313 } 314 found = B_TRUE; 315 } 316 } 317 if (!found) 318 return (NULL); 319 320 provider = malloc(sizeof (cryptoadm_provider_t)); 321 if (provider == NULL) { 322 cryptoerror(LOG_STDERR, gettext("out of memory.")); 323 if (provstr) { 324 free(provstr); 325 } 326 return (NULL); 327 } 328 329 if (is_metaslot) { 330 (void) strlcpy(provider->cp_name, METASLOT_KEYWORD, 331 strlen(METASLOT_KEYWORD)); 332 provider->cp_type = METASLOT; 333 } else { 334 335 savstr = provstr; 336 (void) strtok(provstr, "="); 337 provstr = strtok(NULL, "="); 338 if (provstr == NULL) { 339 cryptoerror(LOG_STDERR, gettext("bad provider name.")); 340 provider->cp_type = PROV_BADNAME; 341 free(savstr); 342 return (provider); 343 } 344 345 (void) strlcpy(provider->cp_name, provstr, 346 sizeof (provider->cp_name)); 347 provider->cp_type = get_provider_type(provider->cp_name); 348 349 free(savstr); 350 } 351 return (provider); 352 } 353 354 /* 355 * Process the "feature" operands. 356 * 357 * "argc" and "argv" contain values specified on the command line. 358 * All other arguments are used for returning parsing results. 359 * If any of these arguments are NULL, that keyword is not expected, 360 * and FAILURE will be returned. 361 */ 362 static int 363 process_metaslot_operands(int argc, char **argv, char **meta_ks_token, 364 char **meta_ks_slot, boolean_t *use_default, 365 boolean_t *auto_key_migrate_flag) 366 { 367 int c = 2; 368 int rc = SUCCESS; 369 370 while (++c < argc) { 371 if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) && 372 strlen(argv[c]) > strlen(KN_MECH)) { 373 374 /* process mechanism operands */ 375 if ((rc = process_mech_operands(argc, argv, B_TRUE)) 376 != SUCCESS) { 377 goto finish; 378 } 379 380 } else if ((strncmp(argv[c], KN_TOKEN, 381 strlen(KN_TOKEN)) == 0) && 382 strlen(argv[c]) > strlen(KN_TOKEN)) { 383 if ((meta_ks_token) && (strtok(argv[c], "=") != NULL)) { 384 char *tmp; 385 if ((tmp = strtok(NULL, "=")) != NULL) { 386 *meta_ks_token = strdup(tmp); 387 } else { 388 return (FAILURE); 389 } 390 } else { 391 return (FAILURE); 392 } 393 394 } else if ((strncmp(argv[c], KN_SLOT, 395 strlen(KN_SLOT)) == 0) && 396 strlen(argv[c]) > strlen(KN_SLOT)) { 397 398 if ((meta_ks_slot) && (strtok(argv[c], "=") != NULL)) { 399 char *tmp; 400 if ((tmp = strtok(NULL, "=")) != NULL) { 401 *meta_ks_slot = strdup(tmp); 402 } else { 403 return (FAILURE); 404 } 405 } else { 406 return (FAILURE); 407 } 408 409 } else if (strncmp(argv[c], KN_DEFAULT_KS, 410 strlen(KN_DEFAULT_KS)) == 0) { 411 412 if (use_default) { 413 *use_default = B_TRUE; 414 } else { 415 return (FAILURE); 416 } 417 } else if (strncmp(argv[c], KN_AUTO_KEY_MIGRATE, 418 strlen(KN_AUTO_KEY_MIGRATE)) == 0) { 419 420 if (auto_key_migrate_flag) { 421 *auto_key_migrate_flag = B_TRUE; 422 } else { 423 return (FAILURE); 424 } 425 } else { 426 return (FAILURE); 427 } 428 } 429 finish: 430 return (rc); 431 } 432 433 /* 434 * Process the "feature" operands. 435 */ 436 static int 437 process_feature_operands(int argc, char **argv) 438 { 439 int c = 2; 440 441 while (++c < argc) { 442 if (strcmp(argv[c], KN_ALL) == 0) { 443 allflag = B_TRUE; 444 rndflag = B_TRUE; /* all includes random also. */ 445 } else if (strcmp(argv[c], RANDOM) == 0) { 446 rndflag = B_TRUE; 447 } 448 } 449 return (SUCCESS); 450 } 451 452 /* 453 * Process the mechanism operands for the disable, enable and install 454 * subcommands. This function sets the static variable allflag to be B_TRUE 455 * if the keyword "all" is specified, otherwise builds a link list of the 456 * mechanism operands and save it in the static variable mecharglist. 457 * 458 * This function returns 459 * ERROR_USAGE: mechanism operand is missing. 460 * FAILURE: out of memory. 461 * SUCCESS: otherwise. 462 */ 463 static int 464 process_mech_operands(int argc, char **argv, boolean_t quiet) 465 { 466 mechlist_t *pmech; 467 mechlist_t *pcur = NULL; 468 mechlist_t *phead = NULL; 469 boolean_t found = B_FALSE; 470 char *mechliststr = NULL; 471 char *curmech = NULL; 472 int c = -1; 473 int rc = SUCCESS; 474 475 while (!found && ++c < argc) { 476 if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) && 477 strlen(argv[c]) > strlen(KN_MECH)) { 478 found = B_TRUE; 479 } 480 } 481 if (!found) { 482 if (!quiet) 483 /* 484 * TRANSLATION_NOTE 485 * "mechanism" could be either a literal keyword 486 * and hence not to be translated, or a descriptive 487 * word and translatable. A choice was made to 488 * view it as a literal keyword. 489 */ 490 cryptoerror(LOG_STDERR, 491 gettext("the %s operand is missing.\n"), 492 "mechanism"); 493 return (ERROR_USAGE); 494 } 495 (void) strtok(argv[c], "="); 496 mechliststr = strtok(NULL, "="); 497 498 if (strcmp(mechliststr, "all") == 0) { 499 allflag = B_TRUE; 500 mecharglist = NULL; 501 return (SUCCESS); 502 } 503 504 curmech = strtok(mechliststr, ","); 505 do { 506 if ((pmech = create_mech(curmech)) == NULL) { 507 rc = FAILURE; 508 break; 509 } else { 510 if (phead == NULL) { 511 phead = pcur = pmech; 512 } else { 513 pcur->next = pmech; 514 pcur = pmech; 515 } 516 } 517 } while ((curmech = strtok(NULL, ",")) != NULL); 518 519 if (rc == FAILURE) { 520 cryptoerror(LOG_STDERR, gettext("out of memory.")); 521 free_mechlist(phead); 522 } else { 523 mecharglist = phead; 524 rc = SUCCESS; 525 } 526 return (rc); 527 } 528 529 530 531 /* 532 * The top level function for the "cryptoadm list" subcommand and options. 533 */ 534 static int 535 do_list(int argc, char **argv) 536 { 537 boolean_t mflag = B_FALSE; 538 boolean_t pflag = B_FALSE; 539 boolean_t vflag = B_FALSE; 540 char ch; 541 cryptoadm_provider_t *prov = NULL; 542 int rc = SUCCESS; 543 544 argc -= 1; 545 argv += 1; 546 547 if (argc == 1) { 548 rc = list_simple_for_all(B_FALSE); 549 goto out; 550 } 551 552 /* 553 * cryptoadm list [-v] [-m] [-p] [provider=<>] [mechanism=<>] 554 */ 555 if (argc > 5) { 556 usage(); 557 return (rc); 558 } 559 560 while ((ch = getopt(argc, argv, "mpv")) != EOF) { 561 switch (ch) { 562 case 'm': 563 mflag = B_TRUE; 564 if (pflag) { 565 rc = ERROR_USAGE; 566 } 567 break; 568 case 'p': 569 pflag = B_TRUE; 570 if (mflag || vflag) { 571 rc = ERROR_USAGE; 572 } 573 break; 574 case 'v': 575 vflag = B_TRUE; 576 if (pflag) 577 rc = ERROR_USAGE; 578 break; 579 default: 580 rc = ERROR_USAGE; 581 break; 582 } 583 } 584 585 if (rc == ERROR_USAGE) { 586 usage(); 587 return (rc); 588 } 589 590 if ((rc = process_feature_operands(argc, argv)) != SUCCESS) { 591 goto out; 592 } 593 594 prov = get_provider(argc, argv); 595 596 if (mflag || vflag) { 597 if (argc > 0) { 598 rc = process_mech_operands(argc, argv, B_TRUE); 599 if (rc == FAILURE) 600 goto out; 601 /* "-m" is implied when a mechanism list is given */ 602 if (mecharglist != NULL || allflag) 603 mflag = B_TRUE; 604 } 605 } 606 607 if (prov == NULL) { 608 if (mflag) { 609 rc = list_mechlist_for_all(vflag); 610 } else if (pflag) { 611 rc = list_policy_for_all(); 612 } else if (vflag) { 613 rc = list_simple_for_all(vflag); 614 } 615 } else if (prov->cp_type == METASLOT) { 616 if ((!mflag) && (!vflag) && (!pflag)) { 617 /* no flag is specified, just list metaslot status */ 618 rc = list_metaslot_info(mflag, vflag, mecharglist); 619 } else if (mflag || vflag) { 620 rc = list_metaslot_info(mflag, vflag, mecharglist); 621 } else if (pflag) { 622 rc = list_metaslot_policy(); 623 } else { 624 /* error message */ 625 usage(); 626 rc = ERROR_USAGE; 627 } 628 } else if (prov->cp_type == PROV_BADNAME) { 629 usage(); 630 rc = ERROR_USAGE; 631 goto out; 632 } else { /* do the listing for a provider only */ 633 char *provname = prov->cp_name; 634 635 if (mflag || vflag) { 636 if (vflag) 637 (void) printf(gettext("Provider: %s\n"), 638 provname); 639 switch (prov->cp_type) { 640 case PROV_UEF_LIB: 641 rc = list_mechlist_for_lib(provname, 642 mecharglist, NULL, B_FALSE, vflag, mflag); 643 break; 644 case PROV_KEF_SOFT: 645 rc = list_mechlist_for_soft(provname, 646 NULL, NULL); 647 break; 648 case PROV_KEF_HARD: 649 rc = list_mechlist_for_hard(provname); 650 break; 651 default: /* should not come here */ 652 rc = FAILURE; 653 break; 654 } 655 } else if (pflag) { 656 switch (prov->cp_type) { 657 case PROV_UEF_LIB: 658 rc = list_policy_for_lib(provname); 659 break; 660 case PROV_KEF_SOFT: 661 if (getzoneid() == GLOBAL_ZONEID) { 662 rc = list_policy_for_soft(provname, 663 NULL, NULL); 664 } else { 665 /* 666 * TRANSLATION_NOTE 667 * "global" is keyword and not to 668 * be translated. 669 */ 670 cryptoerror(LOG_STDERR, gettext( 671 "policy information for kernel " 672 "providers is available " 673 "in the %s zone only"), "global"); 674 rc = FAILURE; 675 } 676 break; 677 case PROV_KEF_HARD: 678 if (getzoneid() == GLOBAL_ZONEID) { 679 rc = list_policy_for_hard( 680 provname, NULL, NULL, NULL); 681 } else { 682 /* 683 * TRANSLATION_NOTE 684 * "global" is keyword and not to 685 * be translated. 686 */ 687 cryptoerror(LOG_STDERR, gettext( 688 "policy information for kernel " 689 "providers is available " 690 "in the %s zone only"), "global"); 691 rc = FAILURE; 692 } 693 694 break; 695 default: /* should not come here */ 696 rc = FAILURE; 697 break; 698 } 699 } else { 700 /* error message */ 701 usage(); 702 rc = ERROR_USAGE; 703 } 704 } 705 706 out: 707 if (prov != NULL) 708 free(prov); 709 710 if (mecharglist != NULL) 711 free_mechlist(mecharglist); 712 return (rc); 713 } 714 715 716 /* 717 * The top level function for the "cryptoadm disable" subcommand. 718 */ 719 static int 720 do_disable(int argc, char **argv) 721 { 722 cryptoadm_provider_t *prov = NULL; 723 int rc = SUCCESS; 724 boolean_t auto_key_migrate_flag = B_FALSE; 725 726 if ((argc < 3) || (argc > 5)) { 727 usage(); 728 return (ERROR_USAGE); 729 } 730 731 prov = get_provider(argc, argv); 732 if (prov == NULL) { 733 usage(); 734 return (ERROR_USAGE); 735 } 736 if (prov->cp_type == PROV_BADNAME) { 737 return (FAILURE); 738 } 739 740 if ((rc = process_feature_operands(argc, argv)) != SUCCESS) { 741 goto out; 742 } 743 744 /* 745 * If allflag or rndflag has already been set there is no reason to 746 * process mech= 747 */ 748 if (prov->cp_type == METASLOT) { 749 if ((argc > 3) && 750 (rc = process_metaslot_operands(argc, argv, 751 NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) { 752 usage(); 753 return (rc); 754 } 755 } else if (!allflag && !rndflag && 756 (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) { 757 return (rc); 758 } 759 760 switch (prov->cp_type) { 761 case METASLOT: 762 rc = disable_metaslot(mecharglist, allflag, 763 auto_key_migrate_flag); 764 break; 765 case PROV_UEF_LIB: 766 rc = disable_uef_lib(prov->cp_name, rndflag, allflag, 767 mecharglist); 768 break; 769 case PROV_KEF_SOFT: 770 if (rndflag && !allflag) { 771 if ((mecharglist = create_mech(RANDOM)) == NULL) { 772 rc = FAILURE; 773 break; 774 } 775 } 776 if (getzoneid() == GLOBAL_ZONEID) { 777 rc = disable_kef_software(prov->cp_name, rndflag, 778 allflag, mecharglist); 779 } else { 780 /* 781 * TRANSLATION_NOTE 782 * "disable" could be either a literal keyword 783 * and hence not to be translated, or a verb and 784 * translatable. A choice was made to view it as 785 * a literal keyword. "global" is keyword and not 786 * to be translated. 787 */ 788 cryptoerror(LOG_STDERR, gettext("%1$s for kernel " 789 "providers is supported in the %2$s zone only"), 790 "disable", "global"); 791 rc = FAILURE; 792 } 793 break; 794 case PROV_KEF_HARD: 795 if (rndflag && !allflag) { 796 if ((mecharglist = create_mech(RANDOM)) == NULL) { 797 rc = FAILURE; 798 break; 799 } 800 } 801 if (getzoneid() == GLOBAL_ZONEID) { 802 rc = disable_kef_hardware(prov->cp_name, rndflag, 803 allflag, mecharglist); 804 } else { 805 /* 806 * TRANSLATION_NOTE 807 * "disable" could be either a literal keyword 808 * and hence not to be translated, or a verb and 809 * translatable. A choice was made to view it as 810 * a literal keyword. "global" is keyword and not 811 * to be translated. 812 */ 813 cryptoerror(LOG_STDERR, gettext("%1$s for kernel " 814 "providers is supported in the %2$s zone only"), 815 "disable", "global"); 816 rc = FAILURE; 817 } 818 break; 819 default: /* should not come here */ 820 rc = FAILURE; 821 break; 822 } 823 824 out: 825 free(prov); 826 if (mecharglist != NULL) { 827 free_mechlist(mecharglist); 828 } 829 return (rc); 830 } 831 832 833 /* 834 * The top level function for the "cryptoadm enable" subcommand. 835 */ 836 static int 837 do_enable(int argc, char **argv) 838 { 839 cryptoadm_provider_t *prov = NULL; 840 int rc = SUCCESS; 841 char *alt_token = NULL, *alt_slot = NULL; 842 boolean_t use_default = B_FALSE; 843 boolean_t auto_key_migrate_flag = B_FALSE; 844 845 if ((argc < 3) || (argc > 6)) { 846 usage(); 847 return (ERROR_USAGE); 848 } 849 850 prov = get_provider(argc, argv); 851 if (prov == NULL) { 852 usage(); 853 return (ERROR_USAGE); 854 } 855 if ((prov->cp_type != METASLOT) && (argc != 4)) { 856 usage(); 857 return (ERROR_USAGE); 858 } 859 if (prov->cp_type == PROV_BADNAME) { 860 rc = FAILURE; 861 goto out; 862 } 863 864 865 if (prov->cp_type == METASLOT) { 866 if ((rc = process_metaslot_operands(argc, argv, &alt_token, 867 &alt_slot, &use_default, &auto_key_migrate_flag)) 868 != SUCCESS) { 869 usage(); 870 goto out; 871 } 872 if ((alt_slot || alt_token) && use_default) { 873 usage(); 874 rc = FAILURE; 875 goto out; 876 } 877 } else { 878 if ((rc = process_feature_operands(argc, argv)) != SUCCESS) { 879 goto out; 880 } 881 882 /* 883 * If allflag or rndflag has already been set there is 884 * no reason to process mech= 885 */ 886 if (!allflag && !rndflag && 887 (rc = process_mech_operands(argc, argv, B_FALSE)) 888 != SUCCESS) { 889 goto out; 890 } 891 } 892 893 switch (prov->cp_type) { 894 case METASLOT: 895 rc = enable_metaslot(alt_token, alt_slot, use_default, 896 mecharglist, allflag, auto_key_migrate_flag); 897 break; 898 case PROV_UEF_LIB: 899 rc = enable_uef_lib(prov->cp_name, rndflag, allflag, 900 mecharglist); 901 break; 902 case PROV_KEF_SOFT: 903 case PROV_KEF_HARD: 904 if (rndflag && !allflag) { 905 if ((mecharglist = create_mech(RANDOM)) == NULL) { 906 rc = FAILURE; 907 break; 908 } 909 } 910 if (getzoneid() == GLOBAL_ZONEID) { 911 rc = enable_kef(prov->cp_name, rndflag, allflag, 912 mecharglist); 913 } else { 914 /* 915 * TRANSLATION_NOTE 916 * "enable" could be either a literal keyword 917 * and hence not to be translated, or a verb and 918 * translatable. A choice was made to view it as 919 * a literal keyword. "global" is keyword and not 920 * to be translated. 921 */ 922 cryptoerror(LOG_STDERR, gettext("%1$s for kernel " 923 "providers is supported in the %2$s zone only"), 924 "enable", "global"); 925 rc = FAILURE; 926 } 927 break; 928 default: /* should not come here */ 929 rc = FAILURE; 930 break; 931 } 932 out: 933 free(prov); 934 if (mecharglist != NULL) { 935 free_mechlist(mecharglist); 936 } 937 if (alt_token != NULL) { 938 free(alt_token); 939 } 940 if (alt_slot != NULL) { 941 free(alt_slot); 942 } 943 return (rc); 944 } 945 946 947 948 /* 949 * The top level function for the "cryptoadm install" subcommand. 950 */ 951 static int 952 do_install(int argc, char **argv) 953 { 954 cryptoadm_provider_t *prov = NULL; 955 int rc; 956 957 if (argc < 3) { 958 usage(); 959 return (ERROR_USAGE); 960 } 961 962 prov = get_provider(argc, argv); 963 if (prov == NULL || 964 prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) { 965 /* 966 * TRANSLATION_NOTE 967 * "install" could be either a literal keyword and hence 968 * not to be translated, or a verb and translatable. A 969 * choice was made to view it as a literal keyword. 970 */ 971 cryptoerror(LOG_STDERR, 972 gettext("bad provider name for %s."), "install"); 973 rc = FAILURE; 974 goto out; 975 } 976 977 if (prov->cp_type == PROV_UEF_LIB) { 978 rc = install_uef_lib(prov->cp_name); 979 goto out; 980 } 981 982 /* It is the PROV_KEF_SOFT type now */ 983 984 /* check if there are mechanism operands */ 985 if (argc < 4) { 986 /* 987 * TRANSLATION_NOTE 988 * "mechanism" could be either a literal keyword and hence 989 * not to be translated, or a descriptive word and 990 * translatable. A choice was made to view it as a literal 991 * keyword. 992 */ 993 cryptoerror(LOG_STDERR, 994 gettext("need %s operands for installing a" 995 " kernel software provider."), "mechanism"); 996 rc = ERROR_USAGE; 997 goto out; 998 } 999 1000 if ((rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) { 1001 goto out; 1002 } 1003 1004 if (allflag == B_TRUE) { 1005 /* 1006 * TRANSLATION_NOTE 1007 * "all", "mechanism", and "install" are all keywords and 1008 * not to be translated. 1009 */ 1010 cryptoerror(LOG_STDERR, 1011 gettext("can not use the %1$s keyword for %2$s " 1012 "in the %3$s subcommand."), "all", "mechanism", "install"); 1013 rc = ERROR_USAGE; 1014 goto out; 1015 } 1016 1017 if (getzoneid() == GLOBAL_ZONEID) { 1018 rc = install_kef(prov->cp_name, mecharglist); 1019 } else { 1020 /* 1021 * TRANSLATION_NOTE 1022 * "install" could be either a literal keyword and hence 1023 * not to be translated, or a verb and translatable. A 1024 * choice was made to view it as a literal keyword. 1025 * "global" is keyword and not to be translated. 1026 */ 1027 cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers " 1028 "is supported in the %2$s zone only"), "install", "global"); 1029 rc = FAILURE; 1030 } 1031 out: 1032 free(prov); 1033 return (rc); 1034 } 1035 1036 1037 1038 /* 1039 * The top level function for the "cryptoadm uninstall" subcommand. 1040 */ 1041 static int 1042 do_uninstall(int argc, char **argv) 1043 { 1044 cryptoadm_provider_t *prov = NULL; 1045 int rc = SUCCESS; 1046 1047 if (argc != 3) { 1048 usage(); 1049 return (ERROR_USAGE); 1050 } 1051 1052 prov = get_provider(argc, argv); 1053 if (prov == NULL || 1054 prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) { 1055 /* 1056 * TRANSLATION_NOTE 1057 * "uninstall" could be either a literal keyword and hence 1058 * not to be translated, or a verb and translatable. A 1059 * choice was made to view it as a literal keyword. 1060 */ 1061 cryptoerror(LOG_STDERR, 1062 gettext("bad provider name for %s."), "uninstall"); 1063 free(prov); 1064 return (FAILURE); 1065 } 1066 1067 if (prov->cp_type == PROV_UEF_LIB) { 1068 rc = uninstall_uef_lib(prov->cp_name); 1069 1070 } else if (prov->cp_type == PROV_KEF_SOFT) { 1071 if (getzoneid() == GLOBAL_ZONEID) { 1072 /* unload and remove from kcf.conf */ 1073 rc = uninstall_kef(prov->cp_name); 1074 } else { 1075 /* 1076 * TRANSLATION_NOTE 1077 * "uninstall" could be either a literal keyword and 1078 * hence not to be translated, or a verb and 1079 * translatable. A choice was made to view it as a 1080 * literal keyword. "global" is keyword and not to 1081 * be translated. 1082 */ 1083 cryptoerror(LOG_STDERR, gettext("%1$s for kernel " 1084 "providers is supported in the %2$s zone only"), 1085 "uninstall", "global"); 1086 rc = FAILURE; 1087 } 1088 } 1089 1090 free(prov); 1091 return (rc); 1092 } 1093 1094 1095 /* 1096 * The top level function for the "cryptoadm unload" subcommand. 1097 */ 1098 static int 1099 do_unload(int argc, char **argv) 1100 { 1101 cryptoadm_provider_t *prov = NULL; 1102 entry_t *pent = NULL; 1103 boolean_t in_kernel = B_FALSE; 1104 int rc = SUCCESS; 1105 char *provname = NULL; 1106 1107 if (argc != 3) { 1108 usage(); 1109 return (ERROR_USAGE); 1110 } 1111 1112 /* check if it is a kernel software provider */ 1113 prov = get_provider(argc, argv); 1114 if (prov == NULL) { 1115 cryptoerror(LOG_STDERR, 1116 gettext("unable to determine provider name.")); 1117 goto out; 1118 } 1119 provname = prov->cp_name; 1120 if (prov->cp_type != PROV_KEF_SOFT) { 1121 cryptoerror(LOG_STDERR, 1122 gettext("%s is not a valid kernel software provider."), 1123 provname); 1124 rc = FAILURE; 1125 goto out; 1126 } 1127 1128 if (getzoneid() != GLOBAL_ZONEID) { 1129 /* 1130 * TRANSLATION_NOTE 1131 * "unload" could be either a literal keyword and hence 1132 * not to be translated, or a verb and translatable. 1133 * A choice was made to view it as a literal keyword. 1134 * "global" is keyword and not to be translated. 1135 */ 1136 cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers " 1137 "is supported in the %2$s zone only"), "unload", "global"); 1138 rc = FAILURE; 1139 goto out; 1140 } 1141 1142 if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) { 1143 cryptodebug("internal error"); 1144 rc = FAILURE; 1145 goto out; 1146 } else if (in_kernel == B_FALSE) { 1147 cryptoerror(LOG_STDERR, 1148 gettext("provider %s is not loaded or does not exist."), 1149 provname); 1150 rc = FAILURE; 1151 goto out; 1152 } 1153 1154 /* Get kcf.conf entry. If none, build a new entry */ 1155 if ((pent = getent_kef(provname, NULL, NULL)) == NULL) { 1156 if ((pent = create_entry(provname)) == NULL) { 1157 cryptoerror(LOG_STDERR, gettext("out of memory.")); 1158 rc = FAILURE; 1159 goto out; 1160 } 1161 } 1162 1163 /* If it is unloaded already, return */ 1164 if (!pent->load) { /* unloaded already */ 1165 cryptoerror(LOG_STDERR, 1166 gettext("failed to unload %s."), provname); 1167 rc = FAILURE; 1168 goto out; 1169 } else if (unload_kef_soft(provname) != FAILURE) { 1170 /* Mark as unloaded in kcf.conf */ 1171 pent->load = B_FALSE; 1172 rc = update_kcfconf(pent, MODIFY_MODE); 1173 } else { 1174 cryptoerror(LOG_STDERR, 1175 gettext("failed to unload %s."), provname); 1176 rc = FAILURE; 1177 } 1178 out: 1179 free(prov); 1180 free_entry(pent); 1181 return (rc); 1182 } 1183 1184 1185 1186 /* 1187 * The top level function for the "cryptoadm refresh" subcommand. 1188 */ 1189 static int 1190 do_refresh(int argc) 1191 { 1192 if (argc != 2) { 1193 usage(); 1194 return (ERROR_USAGE); 1195 } 1196 1197 if (getzoneid() == GLOBAL_ZONEID) { 1198 return (refresh()); 1199 } else { /* non-global zone */ 1200 /* 1201 * Note: in non-global zone, this must silently return SUCCESS 1202 * due to integration with SMF, for "svcadm refresh cryptosvc" 1203 */ 1204 return (SUCCESS); 1205 } 1206 } 1207 1208 1209 /* 1210 * The top level function for the "cryptoadm start" subcommand. 1211 * This used to start up kcfd, but now all it does is load up the 1212 * initial providers. 1213 */ 1214 static int 1215 do_start(int argc) 1216 { 1217 if (argc != 2) { 1218 usage(); 1219 return (ERROR_USAGE); 1220 } 1221 1222 return (do_refresh(argc)); 1223 } 1224 1225 /* 1226 * The top level function for the "cryptoadm stop" subcommand. 1227 * This no longer does anything useful, but we leave it here 1228 * for compatibility. 1229 */ 1230 static int 1231 do_stop(int argc) 1232 { 1233 if (argc != 2) { 1234 usage(); 1235 return (ERROR_USAGE); 1236 } 1237 1238 return (SUCCESS); 1239 } 1240 1241 1242 1243 /* 1244 * Print a list all the the providers. 1245 * Called for "cryptoadm list" or "cryptoadm list -v" (no -m or -p). 1246 */ 1247 static int 1248 list_simple_for_all(boolean_t verbose) 1249 { 1250 uentrylist_t *pliblist = NULL; 1251 uentrylist_t *plibptr = NULL; 1252 entry_t *pent = NULL; 1253 crypto_get_dev_list_t *pdevlist_kernel = NULL; 1254 int rc = SUCCESS; 1255 int i; 1256 1257 /* get user-level providers */ 1258 (void) printf(gettext("\nUser-level providers:\n")); 1259 if (get_pkcs11conf_info(&pliblist) != SUCCESS) { 1260 cryptoerror(LOG_STDERR, gettext( 1261 "failed to retrieve the list of user-level providers.")); 1262 rc = FAILURE; 1263 } 1264 1265 for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) { 1266 /* skip metaslot and fips-140 entry */ 1267 if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) && 1268 (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) { 1269 (void) printf(gettext("Provider: %s\n"), 1270 plibptr->puent->name); 1271 if (verbose) { 1272 (void) list_mechlist_for_lib( 1273 plibptr->puent->name, mecharglist, NULL, 1274 B_FALSE, verbose, B_FALSE); 1275 (void) printf("\n"); 1276 } 1277 } 1278 } 1279 free_uentrylist(pliblist); 1280 1281 /* get kernel software providers */ 1282 (void) printf(gettext("\nKernel software providers:\n")); 1283 1284 if (getzoneid() == GLOBAL_ZONEID) { 1285 /* get kernel software providers from kernel ioctl */ 1286 crypto_get_soft_list_t *psoftlist_kernel = NULL; 1287 uint_t sl_soft_count; 1288 char *psoftname; 1289 entrylist_t *pdevlist_conf = NULL; 1290 entrylist_t *psoftlist_conf = NULL; 1291 1292 if (get_soft_list(&psoftlist_kernel) == FAILURE) { 1293 cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 1294 "software provider list from kernel.")); 1295 rc = FAILURE; 1296 } else { 1297 sl_soft_count = psoftlist_kernel->sl_soft_count; 1298 1299 if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) 1300 == FAILURE) { 1301 cryptoerror(LOG_ERR, 1302 "failed to retrieve the providers' " 1303 "information from file kcf.conf - %s.", 1304 _PATH_KCF_CONF); 1305 free(psoftlist_kernel); 1306 rc = FAILURE; 1307 } else { 1308 1309 for (i = 0, 1310 psoftname = psoftlist_kernel->sl_soft_names; 1311 i < sl_soft_count; 1312 ++i, psoftname += strlen(psoftname) + 1) { 1313 pent = getent_kef(psoftname, 1314 pdevlist_conf, psoftlist_conf); 1315 (void) printf("\t%s%s\n", psoftname, 1316 (pent == NULL) || (pent->load) ? 1317 "" : gettext(" (inactive)")); 1318 } 1319 free_entrylist(pdevlist_conf); 1320 free_entrylist(psoftlist_conf); 1321 } 1322 free(psoftlist_kernel); 1323 } 1324 1325 } else { 1326 /* kcf.conf not there in non-global zone, use /dev/cryptoadm */ 1327 entrylist_t *pdevlist_zone = NULL; 1328 entrylist_t *psoftlist_zone = NULL; 1329 entrylist_t *ptr; 1330 1331 if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) != 1332 SUCCESS) { 1333 cryptoerror(LOG_STDERR, 1334 gettext("failed to retrieve the " 1335 "list of kernel software providers.\n")); 1336 rc = FAILURE; 1337 } 1338 1339 ptr = psoftlist_zone; 1340 while (ptr != NULL) { 1341 (void) printf("\t%s\n", ptr->pent->name); 1342 ptr = ptr->next; 1343 } 1344 1345 free_entrylist(pdevlist_zone); 1346 free_entrylist(psoftlist_zone); 1347 } 1348 1349 /* get kernel hardware providers */ 1350 (void) printf(gettext("\nKernel hardware providers:\n")); 1351 if (get_dev_list(&pdevlist_kernel) == FAILURE) { 1352 cryptoerror(LOG_STDERR, gettext("failed to retrieve " 1353 "the list of kernel hardware providers.\n")); 1354 rc = FAILURE; 1355 } else { 1356 for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 1357 (void) printf("\t%s/%d\n", 1358 pdevlist_kernel->dl_devs[i].le_dev_name, 1359 pdevlist_kernel->dl_devs[i].le_dev_instance); 1360 } 1361 } 1362 free(pdevlist_kernel); 1363 1364 return (rc); 1365 } 1366 1367 1368 1369 /* 1370 * List all the providers. And for each provider, list the mechanism list. 1371 * Called for "cryptoadm list -m" or "cryptoadm list -mv" . 1372 */ 1373 static int 1374 list_mechlist_for_all(boolean_t verbose) 1375 { 1376 crypto_get_dev_list_t *pdevlist_kernel = NULL; 1377 uentrylist_t *pliblist = NULL; 1378 uentrylist_t *plibptr = NULL; 1379 entry_t *pent = NULL; 1380 mechlist_t *pmechlist = NULL; 1381 char provname[MAXNAMELEN]; 1382 char devname[MAXNAMELEN]; 1383 int inst_num; 1384 int count; 1385 int i; 1386 int rv; 1387 int rc = SUCCESS; 1388 1389 /* get user-level providers */ 1390 (void) printf(gettext("\nUser-level providers:\n")); 1391 /* 1392 * TRANSLATION_NOTE 1393 * Strictly for appearance's sake, this line should be as long as 1394 * the length of the translated text above. 1395 */ 1396 (void) printf(gettext("=====================\n")); 1397 if (get_pkcs11conf_info(&pliblist) != SUCCESS) { 1398 cryptoerror(LOG_STDERR, gettext("failed to retrieve " 1399 "the list of user-level providers.\n")); 1400 rc = FAILURE; 1401 } 1402 1403 plibptr = pliblist; 1404 while (plibptr != NULL) { 1405 /* skip metaslot and fips-140 entry */ 1406 if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) && 1407 (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) { 1408 (void) printf(gettext("\nProvider: %s\n"), 1409 plibptr->puent->name); 1410 rv = list_mechlist_for_lib(plibptr->puent->name, 1411 mecharglist, NULL, B_FALSE, verbose, B_TRUE); 1412 if (rv == FAILURE) { 1413 rc = FAILURE; 1414 } 1415 } 1416 plibptr = plibptr->next; 1417 } 1418 free_uentrylist(pliblist); 1419 1420 /* get kernel software providers */ 1421 (void) printf(gettext("\nKernel software providers:\n")); 1422 1423 /* 1424 * TRANSLATION_NOTE 1425 * Strictly for appearance's sake, this line should be as long as 1426 * the length of the translated text above. 1427 */ 1428 (void) printf(gettext("==========================\n")); 1429 if (getzoneid() == GLOBAL_ZONEID) { 1430 /* get kernel software providers from kernel ioctl */ 1431 crypto_get_soft_list_t *psoftlist_kernel = NULL; 1432 uint_t sl_soft_count; 1433 char *psoftname; 1434 int i; 1435 entrylist_t *pdevlist_conf = NULL; 1436 entrylist_t *psoftlist_conf = NULL; 1437 1438 if (get_soft_list(&psoftlist_kernel) == FAILURE) { 1439 cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 1440 "software provider list from kernel.")); 1441 return (FAILURE); 1442 } 1443 sl_soft_count = psoftlist_kernel->sl_soft_count; 1444 1445 if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) 1446 == FAILURE) { 1447 cryptoerror(LOG_ERR, 1448 "failed to retrieve the providers' " 1449 "information from file kcf.conf - %s.", 1450 _PATH_KCF_CONF); 1451 free(psoftlist_kernel); 1452 return (FAILURE); 1453 } 1454 1455 for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 1456 i < sl_soft_count; 1457 ++i, psoftname += strlen(psoftname) + 1) { 1458 pent = getent_kef(psoftname, pdevlist_conf, 1459 psoftlist_conf); 1460 if ((pent == NULL) || (pent->load)) { 1461 rv = list_mechlist_for_soft(psoftname, 1462 NULL, NULL); 1463 if (rv == FAILURE) { 1464 rc = FAILURE; 1465 } 1466 } else { 1467 (void) printf(gettext("%s: (inactive)\n"), 1468 psoftname); 1469 } 1470 } 1471 1472 free(psoftlist_kernel); 1473 free_entrylist(pdevlist_conf); 1474 free_entrylist(psoftlist_conf); 1475 1476 } else { 1477 /* kcf.conf not there in non-global zone, use /dev/cryptoadm */ 1478 entrylist_t *pdevlist_zone = NULL; 1479 entrylist_t *psoftlist_zone = NULL; 1480 entrylist_t *ptr; 1481 1482 if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) != 1483 SUCCESS) { 1484 cryptoerror(LOG_STDERR, gettext("failed to retrieve " 1485 "the list of kernel software providers.\n")); 1486 rc = FAILURE; 1487 } 1488 1489 for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) { 1490 rv = list_mechlist_for_soft(ptr->pent->name, 1491 pdevlist_zone, psoftlist_zone); 1492 if (rv == FAILURE) { 1493 (void) printf(gettext( 1494 "%s: failed to get the mechanism list.\n"), 1495 ptr->pent->name); 1496 rc = FAILURE; 1497 } 1498 } 1499 1500 free_entrylist(pdevlist_zone); 1501 free_entrylist(psoftlist_zone); 1502 } 1503 1504 /* Get kernel hardware providers and their mechanism lists */ 1505 (void) printf(gettext("\nKernel hardware providers:\n")); 1506 /* 1507 * TRANSLATION_NOTE 1508 * Strictly for appearance's sake, this line should be as long as 1509 * the length of the translated text above. 1510 */ 1511 (void) printf(gettext("==========================\n")); 1512 if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 1513 cryptoerror(LOG_STDERR, gettext("failed to retrieve " 1514 "the list of hardware providers.\n")); 1515 return (FAILURE); 1516 } 1517 1518 for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 1519 (void) strlcpy(devname, 1520 pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN); 1521 inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance; 1522 count = pdevlist_kernel->dl_devs[i].le_mechanism_count; 1523 (void) snprintf(provname, sizeof (provname), "%s/%d", devname, 1524 inst_num); 1525 if (get_dev_info(devname, inst_num, count, &pmechlist) == 1526 SUCCESS) { 1527 (void) filter_mechlist(&pmechlist, RANDOM); 1528 print_mechlist(provname, pmechlist); 1529 free_mechlist(pmechlist); 1530 } else { 1531 (void) printf(gettext("%s: failed to get the mechanism" 1532 " list.\n"), provname); 1533 rc = FAILURE; 1534 } 1535 } 1536 free(pdevlist_kernel); 1537 return (rc); 1538 } 1539 1540 1541 /* 1542 * List all the providers. And for each provider, list the policy information. 1543 * Called for "cryptoadm list -p". 1544 */ 1545 static int 1546 list_policy_for_all(void) 1547 { 1548 crypto_get_dev_list_t *pdevlist_kernel = NULL; 1549 uentrylist_t *pliblist = NULL; 1550 entrylist_t *pdevlist_conf = NULL; 1551 entrylist_t *psoftlist_conf = NULL; 1552 entrylist_t *ptr = NULL; 1553 entrylist_t *phead = NULL; 1554 boolean_t found = B_FALSE; 1555 char provname[MAXNAMELEN]; 1556 int i; 1557 int rc = SUCCESS; 1558 1559 /* Get user-level providers */ 1560 (void) printf(gettext("\nUser-level providers:\n")); 1561 /* 1562 * TRANSLATION_NOTE 1563 * Strictly for appearance's sake, this line should be as long as 1564 * the length of the translated text above. 1565 */ 1566 (void) printf(gettext("=====================\n")); 1567 if (get_pkcs11conf_info(&pliblist) == FAILURE) { 1568 cryptoerror(LOG_STDERR, gettext("failed to retrieve " 1569 "the list of user-level providers.\n")); 1570 rc = FAILURE; 1571 } else { 1572 uentrylist_t *plibptr = pliblist; 1573 1574 while (plibptr != NULL) { 1575 /* skip metaslot and fips-140 entry */ 1576 if ((strcmp(plibptr->puent->name, 1577 METASLOT_KEYWORD) != 0) && 1578 (strcmp(plibptr->puent->name, 1579 FIPS_KEYWORD) != 0)) { 1580 if (print_uef_policy(plibptr->puent) 1581 == FAILURE) { 1582 rc = FAILURE; 1583 } 1584 } 1585 plibptr = plibptr->next; 1586 } 1587 free_uentrylist(pliblist); 1588 } 1589 1590 /* kernel software providers */ 1591 (void) printf(gettext("\nKernel software providers:\n")); 1592 /* 1593 * TRANSLATION_NOTE 1594 * Strictly for appearance's sake, this line should be as long as 1595 * the length of the translated text above. 1596 */ 1597 (void) printf(gettext("==========================\n")); 1598 1599 /* Get all entries from the kernel */ 1600 if (getzoneid() == GLOBAL_ZONEID) { 1601 /* get kernel software providers from kernel ioctl */ 1602 crypto_get_soft_list_t *psoftlist_kernel = NULL; 1603 uint_t sl_soft_count; 1604 char *psoftname; 1605 int i; 1606 1607 if (get_soft_list(&psoftlist_kernel) == FAILURE) { 1608 cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 1609 "software provider list from kernel.")); 1610 rc = FAILURE; 1611 } else { 1612 sl_soft_count = psoftlist_kernel->sl_soft_count; 1613 1614 for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 1615 i < sl_soft_count; 1616 ++i, psoftname += strlen(psoftname) + 1) { 1617 (void) list_policy_for_soft(psoftname, 1618 pdevlist_conf, psoftlist_conf); 1619 } 1620 free(psoftlist_kernel); 1621 } 1622 1623 } else { 1624 /* kcf.conf not there in non-global zone, no policy info */ 1625 1626 /* 1627 * TRANSLATION_NOTE 1628 * "global" is keyword and not to be translated. 1629 */ 1630 cryptoerror(LOG_STDERR, gettext( 1631 "policy information for kernel software providers is " 1632 "available in the %s zone only"), "global"); 1633 } 1634 1635 /* Kernel hardware providers */ 1636 (void) printf(gettext("\nKernel hardware providers:\n")); 1637 /* 1638 * TRANSLATION_NOTE 1639 * Strictly for appearance's sake, this line should be as long as 1640 * the length of the translated text above. 1641 */ 1642 (void) printf(gettext("==========================\n")); 1643 1644 if (getzoneid() != GLOBAL_ZONEID) { 1645 /* 1646 * TRANSLATION_NOTE 1647 * "global" is keyword and not to be translated. 1648 */ 1649 cryptoerror(LOG_STDERR, gettext( 1650 "policy information for kernel hardware providers is " 1651 "available in the %s zone only"), "global"); 1652 return (FAILURE); 1653 } 1654 1655 /* Get the hardware provider list from kernel */ 1656 if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 1657 cryptoerror(LOG_STDERR, gettext( 1658 "failed to retrieve the list of hardware providers.\n")); 1659 return (FAILURE); 1660 } 1661 1662 if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) == FAILURE) { 1663 cryptoerror(LOG_ERR, "failed to retrieve the providers' " 1664 "information from file kcf.conf - %s.", 1665 _PATH_KCF_CONF); 1666 return (FAILURE); 1667 } 1668 1669 1670 /* 1671 * For each hardware provider from kernel, check if it has an entry 1672 * in the config file. If it has an entry, print out the policy from 1673 * config file and remove the entry from the hardware provider list 1674 * of the config file. If it does not have an entry in the config 1675 * file, no mechanisms of it have been disabled. But, we still call 1676 * list_policy_for_hard() to account for the "random" feature. 1677 */ 1678 for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 1679 (void) snprintf(provname, sizeof (provname), "%s/%d", 1680 pdevlist_kernel->dl_devs[i].le_dev_name, 1681 pdevlist_kernel->dl_devs[i].le_dev_instance); 1682 1683 found = B_FALSE; 1684 phead = ptr = pdevlist_conf; 1685 while (!found && ptr) { 1686 if (strcmp(ptr->pent->name, provname) == 0) { 1687 found = B_TRUE; 1688 } else { 1689 phead = ptr; 1690 ptr = ptr->next; 1691 } 1692 } 1693 1694 if (found) { 1695 (void) list_policy_for_hard(ptr->pent->name, 1696 pdevlist_conf, psoftlist_conf, pdevlist_kernel); 1697 if (phead == ptr) { 1698 pdevlist_conf = pdevlist_conf->next; 1699 } else { 1700 phead->next = ptr->next; 1701 } 1702 free_entry(ptr->pent); 1703 free(ptr); 1704 } else { 1705 (void) list_policy_for_hard(provname, pdevlist_conf, 1706 psoftlist_conf, pdevlist_kernel); 1707 } 1708 } 1709 1710 /* 1711 * If there are still entries left in the pdevlist_conf list from 1712 * the config file, these providers must have been detached. 1713 * Should print out their policy information also. 1714 */ 1715 for (ptr = pdevlist_conf; ptr != NULL; ptr = ptr->next) { 1716 print_kef_policy(ptr->pent->name, ptr->pent, B_FALSE, B_TRUE); 1717 } 1718 1719 free_entrylist(pdevlist_conf); 1720 free_entrylist(psoftlist_conf); 1721 free(pdevlist_kernel); 1722 1723 return (rc); 1724 }