10124 smatch fixes for cryptoadm

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24 
  25 /*
  26  * Copyright (c) 2018, Joyent, Inc.
  27  */
  28 
  29 #include <fcntl.h>
  30 #include <stdio.h>
  31 #include <stdlib.h>
  32 #include <strings.h>
  33 #include <unistd.h>
  34 #include <locale.h>
  35 #include <libgen.h>
  36 #include <sys/types.h>
  37 #include <zone.h>
  38 #include <sys/crypto/ioctladmin.h>
  39 #include <cryptoutil.h>
  40 #include "cryptoadm.h"
  41 
  42 #define REQ_ARG_CNT     2
  43 
  44 /* subcommand index */
  45 enum subcommand_index {
  46         CRYPTO_LIST,
  47         CRYPTO_DISABLE,
  48         CRYPTO_ENABLE,
  49         CRYPTO_INSTALL,
  50         CRYPTO_UNINSTALL,
  51         CRYPTO_UNLOAD,
  52         CRYPTO_REFRESH,
  53         CRYPTO_START,
  54         CRYPTO_STOP,
  55         CRYPTO_HELP };
  56 
  57 /*
  58  * TRANSLATION_NOTE
  59  * Command keywords are not to be translated.
  60  */
  61 static char *cmd_table[] = {
  62         "list",
  63         "disable",
  64         "enable",
  65         "install",
  66         "uninstall",
  67         "unload",
  68         "refresh",
  69         "start",
  70         "stop",
  71         "--help" };
  72 
  73 /* provider type */
  74 enum provider_type_index {
  75         PROV_UEF_LIB,
  76         PROV_KEF_SOFT,
  77         PROV_KEF_HARD,
  78         METASLOT,
  79         PROV_BADNAME };
  80 
  81 typedef struct {
  82         char cp_name[MAXPATHLEN];
  83         enum provider_type_index cp_type;
  84 } cryptoadm_provider_t;
  85 
  86 /*
  87  * TRANSLATION_NOTE
  88  * Operand keywords are not to be translated.
  89  */
  90 static const char *KN_PROVIDER = "provider=";
  91 static const char *KN_MECH = "mechanism=";
  92 static const char *KN_ALL = "all";
  93 static const char *KN_TOKEN = "token=";
  94 static const char *KN_SLOT = "slot=";
  95 static const char *KN_DEFAULT_KS = "default-keystore";
  96 static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";
  97 
  98 /* static variables */
  99 static boolean_t        allflag = B_FALSE;
 100 static boolean_t        rndflag = B_FALSE;
 101 static mechlist_t       *mecharglist = NULL;
 102 
 103 /* static functions */
 104 static void usage(void);
 105 static int get_provider_type(char *);
 106 static int process_mech_operands(int, char **, boolean_t);
 107 static int do_list(int, char **);
 108 static int do_disable(int, char **);
 109 static int do_enable(int, char **);
 110 static int do_install(int, char **);
 111 static int do_uninstall(int, char **);
 112 static int do_unload(int, char **);
 113 static int do_refresh(int);
 114 static int do_start(int);
 115 static int do_stop(int);
 116 static int list_simple_for_all(boolean_t);
 117 static int list_mechlist_for_all(boolean_t);
 118 static int list_policy_for_all(void);
 119 
 120 int
 121 main(int argc, char *argv[])
 122 {
 123         char    *subcmd;
 124         int     cmdnum;
 125         int     cmd_index = 0;
 126         int     rc = SUCCESS;
 127 
 128         (void) setlocale(LC_ALL, "");
 129 
 130 #if !defined(TEXT_DOMAIN)       /* Should be defined by cc -D */
 131 #define TEXT_DOMAIN "SYS_TEST"  /* Use this only if it weren't */
 132 #endif
 133         (void) textdomain(TEXT_DOMAIN);
 134 
 135         cryptodebug_init(basename(argv[0]));
 136 
 137         if (argc < REQ_ARG_CNT) {
 138                 usage();
 139                 return (ERROR_USAGE);
 140         }
 141 
 142         /* get the subcommand index */
 143         cmd_index = 0;
 144         subcmd = argv[1];
 145         cmdnum = sizeof (cmd_table)/sizeof (cmd_table[0]);
 146 
 147         while ((cmd_index < cmdnum) &&
 148             (strcmp(subcmd, cmd_table[cmd_index]) != 0)) {
 149                 cmd_index++;
 150         }
 151         if (cmd_index >= cmdnum) {
 152                 usage();
 153                 return (ERROR_USAGE);
 154         }
 155 
 156         /* do the subcommand */
 157         switch (cmd_index) {
 158         case CRYPTO_LIST:
 159                 rc = do_list(argc, argv);
 160                 break;
 161         case CRYPTO_DISABLE:
 162                 rc = do_disable(argc, argv);
 163                 break;
 164         case CRYPTO_ENABLE:
 165                 rc = do_enable(argc, argv);
 166                 break;
 167         case CRYPTO_INSTALL:
 168                 rc = do_install(argc, argv);
 169                 break;
 170         case CRYPTO_UNINSTALL:
 171                 rc = do_uninstall(argc, argv);
 172                 break;
 173         case CRYPTO_UNLOAD:
 174                 rc = do_unload(argc, argv);
 175                 break;
 176         case CRYPTO_REFRESH:
 177                 rc = do_refresh(argc);
 178                 break;
 179         case CRYPTO_START:
 180                 rc = do_start(argc);
 181                 break;
 182         case CRYPTO_STOP:
 183                 rc = do_stop(argc);
 184                 break;
 185         case CRYPTO_HELP:
 186                 usage();
 187                 rc = SUCCESS;
 188                 break;
 189         default: /* should not come here */
 190                 usage();
 191                 rc = ERROR_USAGE;
 192                 break;
 193         }
 194         return (rc);
 195 }
 196 
 197 
 198 static void
 199 usage(void)
 200 {
 201         /*
 202          * TRANSLATION_NOTE
 203          * Command usage is not to be translated.  Only the word "Usage:"
 204          * along with localized expressions indicating what kind of value
 205          * is expected for arguments.
 206          */
 207         (void) fprintf(stderr, gettext("Usage:\n"));
 208         (void) fprintf(stderr,
 209             "  cryptoadm list [-mpv] [provider=<%s> | metaslot]"
 210             " [mechanism=<%s>]\n",
 211             gettext("provider-name"), gettext("mechanism-list"));
 212         (void) fprintf(stderr,
 213             "  cryptoadm disable provider=<%s>"
 214             " mechanism=<%s> | random | all\n",
 215             gettext("provider-name"), gettext("mechanism-list"));
 216         (void) fprintf(stderr,
 217             "  cryptoadm disable metaslot"
 218             " [auto-key-migrate] [mechanism=<%s>]\n",
 219             gettext("mechanism-list"));
 220         (void) fprintf(stderr,
 221             "  cryptoadm enable provider=<%s>"
 222             " mechanism=<%s> | random | all\n",
 223             gettext("provider-name"), gettext("mechanism-list"));
 224         (void) fprintf(stderr,
 225             "  cryptoadm enable metaslot [mechanism=<%s>]"
 226             " [[token=<%s>] [slot=<%s>]"
 227             " | [default-keystore]] | [auto-key-migrate]\n",
 228             gettext("mechanism-list"), gettext("token-label"),
 229             gettext("slot-description"));
 230         (void) fprintf(stderr,
 231             "  cryptoadm install provider=<%s>\n",
 232             gettext("provider-name"));
 233         (void) fprintf(stderr,
 234             "  cryptoadm install provider=<%s> [mechanism=<%s>]\n",
 235             gettext("provider-name"), gettext("mechanism-list"));
 236         (void) fprintf(stderr,
 237             "  cryptoadm uninstall provider=<%s>\n",
 238             gettext("provider-name"));
 239         (void) fprintf(stderr,
 240             "  cryptoadm unload provider=<%s>\n",
 241             gettext("provider-name"));
 242         (void) fprintf(stderr,
 243             "  cryptoadm refresh\n"
 244             "  cryptoadm start\n"
 245             "  cryptoadm stop\n"
 246             "  cryptoadm --help\n");
 247 }
 248 
 249 
 250 /*
 251  * Get the provider type.  This function returns
 252  * - PROV_UEF_LIB if provname contains an absolute path name
 253  * - PROV_KEF_SOFT if provname is a base name only (e.g., "aes").
 254  * - PROV_KEF_HARD if provname contains one slash only and the slash is not
 255  *      the 1st character (e.g., "mca/0").
 256  * - PROV_BADNAME otherwise.
 257  */
 258 static int
 259 get_provider_type(char *provname)
 260 {
 261         char *pslash1;
 262         char *pslash2;
 263 
 264         if (provname == NULL) {
 265                 return (FAILURE);
 266         }
 267 
 268         if (provname[0] == '/') {
 269                 return (PROV_UEF_LIB);
 270         } else if ((pslash1 = strchr(provname, SEP_SLASH)) == NULL) {
 271                 /* no slash */
 272                 return (PROV_KEF_SOFT);
 273         } else {
 274                 pslash2 = strrchr(provname, SEP_SLASH);
 275                 if (pslash1 == pslash2) {
 276                         return (PROV_KEF_HARD);
 277                 } else {
 278                         return (PROV_BADNAME);
 279                 }
 280         }
 281 }
 282 
 283 /*
 284  * Get the provider structure.  This function returns NULL if no valid
 285  * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 286  * If provider= is found but has no argument, then a cryptoadm_provider_t
 287  * with cp_type = PROV_BADNAME is returned.
 288  */
 289 static cryptoadm_provider_t *
 290 get_provider(int argc, char **argv)
 291 {
 292         int                     c = 0;
 293         boolean_t               found = B_FALSE;
 294         cryptoadm_provider_t    *provider = NULL;
 295         char                    *provstr = NULL, *savstr;
 296         boolean_t               is_metaslot = B_FALSE;
 297 
 298         while (!found && ++c < argc) {
 299                 if (strncmp(argv[c], METASLOT_KEYWORD,
 300                     strlen(METASLOT_KEYWORD)) == 0) {
 301                         is_metaslot = B_TRUE;
 302                         found = B_TRUE;
 303                 } else if (strncmp(argv[c], KN_PROVIDER,
 304                     strlen(KN_PROVIDER)) == 0 &&
 305                     strlen(argv[c]) > strlen(KN_PROVIDER)) {
 306                         if ((provstr = strdup(argv[c])) == NULL) {
 307                                 int err = errno;
 308                                 /*
 309                                  * TRANSLATION_NOTE
 310                                  * "get_provider" is a function name and should
 311                                  * not be translated.
 312                                  */
 313                                 cryptoerror(LOG_STDERR, "get_provider: %s.",
 314                                     strerror(err));
 315                                 return (NULL);
 316                         }
 317                         found = B_TRUE;
 318                 }
 319         }
 320         if (!found)
 321                 return (NULL);
 322 
 323         provider = malloc(sizeof (cryptoadm_provider_t));
 324         if (provider == NULL) {
 325                 cryptoerror(LOG_STDERR, gettext("out of memory."));
 326                 if (provstr) {
 327                         free(provstr);
 328                 }
 329                 return (NULL);
 330         }
 331 
 332         if (is_metaslot) {
 333                 (void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
 334                     strlen(METASLOT_KEYWORD));
 335                 provider->cp_type = METASLOT;
 336         } else {
 337 
 338                 savstr = provstr;
 339                 (void) strtok(provstr, "=");
 340                 provstr = strtok(NULL, "=");
 341                 if (provstr == NULL) {
 342                         cryptoerror(LOG_STDERR, gettext("bad provider name."));
 343                         provider->cp_type = PROV_BADNAME;
 344                         free(savstr);
 345                         return (provider);
 346                 }
 347 
 348                 (void) strlcpy(provider->cp_name, provstr,
 349                     sizeof (provider->cp_name));
 350                 provider->cp_type = get_provider_type(provider->cp_name);
 351 
 352                 free(savstr);
 353         }
 354         return (provider);
 355 }
 356 
 357 /*
 358  * Process the "feature" operands.
 359  *
 360  * "argc" and "argv" contain values specified on the command line.
 361  * All other arguments are used for returning parsing results.
 362  * If any of these arguments are NULL, that keyword is not expected,
 363  * and FAILURE will be returned.
 364  */
 365 static int
 366 process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
 367     char **meta_ks_slot, boolean_t *use_default,
 368     boolean_t *auto_key_migrate_flag)
 369 {
 370         int c = 2;
 371         int rc = SUCCESS;
 372 
 373         while (++c < argc) {
 374                 if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
 375                     strlen(argv[c]) > strlen(KN_MECH)) {
 376 
 377                         /* process mechanism operands */
 378                         if ((rc = process_mech_operands(argc, argv, B_TRUE))
 379                             != SUCCESS) {
 380                                 goto finish;
 381                         }
 382 
 383                 } else if ((strncmp(argv[c], KN_TOKEN,
 384                     strlen(KN_TOKEN)) == 0) &&
 385                     strlen(argv[c]) > strlen(KN_TOKEN)) {
 386                         if ((meta_ks_token) && (strtok(argv[c], "=") != NULL)) {
 387                                 char *tmp;
 388                                 if ((tmp = strtok(NULL, "=")) != NULL) {
 389                                         *meta_ks_token = strdup(tmp);
 390                                 } else {
 391                                         return (FAILURE);
 392                                 }
 393                         } else {
 394                                 return (FAILURE);
 395                         }
 396 
 397                 } else if ((strncmp(argv[c], KN_SLOT,
 398                     strlen(KN_SLOT)) == 0) &&
 399                     strlen(argv[c]) > strlen(KN_SLOT)) {
 400 
 401                         if ((meta_ks_slot) && (strtok(argv[c], "=") != NULL)) {
 402                                 char *tmp;
 403                                 if ((tmp = strtok(NULL, "=")) != NULL) {
 404                                         *meta_ks_slot = strdup(tmp);
 405                                 } else {
 406                                         return (FAILURE);
 407                                 }
 408                         } else {
 409                                 return (FAILURE);
 410                         }
 411 
 412                 } else if (strncmp(argv[c], KN_DEFAULT_KS,
 413                     strlen(KN_DEFAULT_KS)) == 0) {
 414 
 415                         if (use_default) {
 416                                 *use_default = B_TRUE;
 417                         } else {
 418                                 return (FAILURE);
 419                         }
 420                 } else if (strncmp(argv[c], KN_AUTO_KEY_MIGRATE,
 421                     strlen(KN_AUTO_KEY_MIGRATE)) == 0) {
 422 
 423                         if (auto_key_migrate_flag) {
 424                                 *auto_key_migrate_flag = B_TRUE;
 425                         } else {
 426                                 return (FAILURE);
 427                         }
 428                 } else {
 429                         return (FAILURE);
 430                 }
 431         }
 432 finish:
 433         return (rc);
 434 }
 435 
 436 /*
 437  * Process the "feature" operands.
 438  */
 439 static int
 440 process_feature_operands(int argc, char **argv)
 441 {
 442         int c = 2;
 443 
 444         while (++c < argc) {
 445                 if (strcmp(argv[c], KN_ALL) == 0) {
 446                         allflag = B_TRUE;
 447                         rndflag = B_TRUE; /* all includes random also. */
 448                 } else if (strcmp(argv[c], RANDOM) == 0) {
 449                         rndflag = B_TRUE;
 450                 }
 451         }
 452         return (SUCCESS);
 453 }
 454 
 455 /*
 456  * Process the mechanism operands for the disable, enable and install
 457  * subcommands.  This function sets the static variable allflag to be B_TRUE
 458  * if the keyword "all" is specified, otherwise builds a link list of the
 459  * mechanism operands and save it in the static variable mecharglist.
 460  *
 461  * This function returns
 462  *      ERROR_USAGE: mechanism operand is missing.
 463  *      FAILURE: out of memory.
 464  *      SUCCESS: otherwise.
 465  */
 466 static int
 467 process_mech_operands(int argc, char **argv, boolean_t quiet)
 468 {
 469         mechlist_t      *pmech;
 470         mechlist_t      *pcur = NULL;
 471         mechlist_t      *phead = NULL;
 472         boolean_t       found = B_FALSE;
 473         char            *mechliststr = NULL;
 474         char            *curmech = NULL;
 475         int             c = -1;
 476         int             rc = SUCCESS;
 477 
 478         while (!found && ++c < argc) {
 479                 if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
 480                     strlen(argv[c]) > strlen(KN_MECH)) {
 481                         found = B_TRUE;
 482                 }
 483         }
 484         if (!found) {
 485                 if (!quiet)
 486                         /*
 487                          * TRANSLATION_NOTE
 488                          * "mechanism" could be either a literal keyword
 489                          * and hence not to be translated, or a descriptive
 490                          * word and translatable.  A choice was made to
 491                          * view it as a literal keyword.
 492                          */
 493                         cryptoerror(LOG_STDERR,
 494                             gettext("the %s operand is missing.\n"),
 495                             "mechanism");
 496                 return (ERROR_USAGE);
 497         }
 498         (void) strtok(argv[c], "=");
 499         mechliststr = strtok(NULL, "=");
 500 
 501         if (strcmp(mechliststr, "all") == 0) {
 502                 allflag = B_TRUE;
 503                 mecharglist = NULL;
 504                 return (SUCCESS);
 505         }
 506 
 507         curmech = strtok(mechliststr, ",");
 508         do {
 509                 if ((pmech = create_mech(curmech)) == NULL) {
 510                         rc = FAILURE;
 511                         break;
 512                 } else {
 513                         if (phead == NULL) {
 514                                 phead = pcur = pmech;
 515                         } else {
 516                                 pcur->next = pmech;
 517                                 pcur = pmech;
 518                         }
 519                 }
 520         } while ((curmech = strtok(NULL, ",")) != NULL);
 521 
 522         if (rc == FAILURE) {
 523                 cryptoerror(LOG_STDERR, gettext("out of memory."));
 524                 free_mechlist(phead);
 525         } else {
 526                 mecharglist = phead;
 527                 rc = SUCCESS;
 528         }
 529         return (rc);
 530 }
 531 
 532 
 533 
 534 /*
 535  * The top level function for the "cryptoadm list" subcommand and options.
 536  */
 537 static int
 538 do_list(int argc, char **argv)
 539 {
 540         boolean_t               mflag = B_FALSE;
 541         boolean_t               pflag = B_FALSE;
 542         boolean_t               vflag = B_FALSE;
 543         char                    ch;
 544         cryptoadm_provider_t    *prov = NULL;
 545         int                     rc = SUCCESS;
 546 
 547         argc -= 1;
 548         argv += 1;
 549 
 550         if (argc == 1) {
 551                 rc = list_simple_for_all(B_FALSE);
 552                 goto out;
 553         }
 554 
 555         /*
 556          * cryptoadm list [-v] [-m] [-p] [provider=<>] [mechanism=<>]
 557          */
 558         if (argc > 5) {
 559                 usage();
 560                 return (rc);
 561         }
 562 
 563         while ((ch = getopt(argc, argv, "mpv")) != EOF) {
 564                 switch (ch) {
 565                 case 'm':
 566                         mflag = B_TRUE;
 567                         if (pflag) {
 568                                 rc = ERROR_USAGE;
 569                         }
 570                         break;
 571                 case 'p':
 572                         pflag = B_TRUE;
 573                         if (mflag || vflag) {
 574                                 rc = ERROR_USAGE;
 575                         }
 576                         break;
 577                 case 'v':
 578                         vflag = B_TRUE;
 579                         if (pflag)
 580                                 rc = ERROR_USAGE;
 581                         break;
 582                 default:
 583                         rc = ERROR_USAGE;
 584                         break;
 585                 }
 586         }
 587 
 588         if (rc == ERROR_USAGE) {
 589                 usage();
 590                 return (rc);
 591         }
 592 
 593         if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
 594                 goto out;
 595         }
 596 
 597         prov = get_provider(argc, argv);
 598 
 599         if (mflag || vflag) {
 600                 if (argc > 0) {
 601                         rc = process_mech_operands(argc, argv, B_TRUE);
 602                         if (rc == FAILURE)
 603                                 goto out;
 604                         /* "-m" is implied when a mechanism list is given */
 605                         if (mecharglist != NULL || allflag)
 606                                 mflag = B_TRUE;
 607                 }
 608         }
 609 
 610         if (prov == NULL) {
 611                 if (mflag) {
 612                         rc = list_mechlist_for_all(vflag);
 613                 } else if (pflag) {
 614                         rc = list_policy_for_all();
 615                 } else if (vflag) {
 616                         rc = list_simple_for_all(vflag);
 617                 }
 618         } else if (prov->cp_type == METASLOT) {
 619                 if ((!mflag) && (!vflag) && (!pflag)) {
 620                         /* no flag is specified, just list metaslot status */
 621                         rc = list_metaslot_info(mflag, vflag, mecharglist);
 622                 } else if (mflag || vflag) {
 623                         rc = list_metaslot_info(mflag, vflag, mecharglist);
 624                 } else if (pflag) {
 625                         rc = list_metaslot_policy();
 626                 } else {
 627                         /* error message */
 628                         usage();
 629                         rc = ERROR_USAGE;
 630                 }
 631         } else if (prov->cp_type == PROV_BADNAME) {
 632                 usage();
 633                 rc = ERROR_USAGE;
 634                 goto out;
 635         } else { /* do the listing for a provider only */
 636                 char    *provname = prov->cp_name;
 637 
 638                 if (mflag || vflag) {
 639                         if (vflag)
 640                                 (void) printf(gettext("Provider: %s\n"),
 641                                     provname);
 642                         switch (prov->cp_type) {
 643                         case PROV_UEF_LIB:
 644                                 rc = list_mechlist_for_lib(provname,
 645                                     mecharglist, NULL, B_FALSE, vflag, mflag);
 646                                 break;
 647                         case PROV_KEF_SOFT:
 648                                 rc = list_mechlist_for_soft(provname,
 649                                     NULL, NULL);
 650                                 break;
 651                         case PROV_KEF_HARD:
 652                                 rc = list_mechlist_for_hard(provname);
 653                                 break;
 654                         default: /* should not come here */
 655                                 rc = FAILURE;
 656                                 break;
 657                         }
 658                 } else if (pflag) {
 659                         switch (prov->cp_type) {
 660                         case PROV_UEF_LIB:
 661                                 rc = list_policy_for_lib(provname);
 662                                 break;
 663                         case PROV_KEF_SOFT:
 664                                 if (getzoneid() == GLOBAL_ZONEID) {
 665                                         rc = list_policy_for_soft(provname,
 666                                             NULL, NULL);
 667                                 } else {
 668                                         /*
 669                                          * TRANSLATION_NOTE
 670                                          * "global" is keyword and not to
 671                                          * be translated.
 672                                          */
 673                                         cryptoerror(LOG_STDERR, gettext(
 674                                             "policy information for kernel "
 675                                             "providers is available "
 676                                             "in the %s zone only"), "global");
 677                                         rc = FAILURE;
 678                                 }
 679                                 break;
 680                         case PROV_KEF_HARD:
 681                                 if (getzoneid() == GLOBAL_ZONEID) {
 682                                         rc = list_policy_for_hard(
 683                                             provname, NULL, NULL, NULL);
 684                                 } else {
 685                                         /*
 686                                          * TRANSLATION_NOTE
 687                                          * "global" is keyword and not to
 688                                          * be translated.
 689                                          */
 690                                         cryptoerror(LOG_STDERR, gettext(
 691                                             "policy information for kernel "
 692                                             "providers is available "
 693                                             "in the %s zone only"), "global");
 694                                         rc = FAILURE;
 695                                 }
 696 
 697                                 break;
 698                         default: /* should not come here */
 699                                 rc = FAILURE;
 700                                 break;
 701                         }
 702                 } else {
 703                         /* error message */
 704                         usage();
 705                         rc = ERROR_USAGE;
 706                 }
 707         }
 708 
 709 out:
 710         if (prov != NULL)
 711                 free(prov);
 712 
 713         if (mecharglist != NULL)
 714                 free_mechlist(mecharglist);
 715         return (rc);
 716 }
 717 
 718 
 719 /*
 720  * The top level function for the "cryptoadm disable" subcommand.
 721  */
 722 static int
 723 do_disable(int argc, char **argv)
 724 {
 725         cryptoadm_provider_t    *prov = NULL;
 726         int                     rc = SUCCESS;
 727         boolean_t               auto_key_migrate_flag = B_FALSE;
 728 
 729         if ((argc < 3) || (argc > 5)) {
 730                 usage();
 731                 return (ERROR_USAGE);
 732         }
 733 
 734         prov = get_provider(argc, argv);
 735         if (prov == NULL) {
 736                 usage();
 737                 return (ERROR_USAGE);
 738         }
 739         if (prov->cp_type == PROV_BADNAME) {
 740                 return (FAILURE);
 741         }
 742 
 743         if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
 744                 goto out;
 745         }
 746 
 747         /*
 748          * If allflag or rndflag has already been set there is no reason to
 749          * process mech=
 750          */
 751         if (prov->cp_type == METASLOT) {
 752                 if ((argc > 3) &&
 753                     (rc = process_metaslot_operands(argc, argv,
 754                     NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
 755                         usage();
 756                         return (rc);
 757                 }
 758         } else if (!allflag && !rndflag &&
 759             (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
 760                         return (rc);
 761         }
 762 
 763         switch (prov->cp_type) {
 764         case METASLOT:
 765                 rc = disable_metaslot(mecharglist, allflag,
 766                     auto_key_migrate_flag);
 767                 break;
 768         case PROV_UEF_LIB:
 769                 rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
 770                     mecharglist);
 771                 break;
 772         case PROV_KEF_SOFT:
 773                 if (rndflag && !allflag) {
 774                         if ((mecharglist = create_mech(RANDOM)) == NULL) {
 775                                 rc = FAILURE;
 776                                 break;
 777                         }
 778                 }
 779                 if (getzoneid() == GLOBAL_ZONEID) {
 780                         rc = disable_kef_software(prov->cp_name, rndflag,
 781                             allflag, mecharglist);
 782                 } else {
 783                         /*
 784                          * TRANSLATION_NOTE
 785                          * "disable" could be either a literal keyword
 786                          * and hence not to be translated, or a verb and
 787                          * translatable.  A choice was made to view it as
 788                          * a literal keyword.  "global" is keyword and not
 789                          * to be translated.
 790                          */
 791                         cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
 792                             "providers is supported in the %2$s zone only"),
 793                             "disable", "global");
 794                         rc = FAILURE;
 795                 }
 796                 break;
 797         case PROV_KEF_HARD:
 798                 if (rndflag && !allflag) {
 799                         if ((mecharglist = create_mech(RANDOM)) == NULL) {
 800                                 rc = FAILURE;
 801                                 break;
 802                         }
 803                 }
 804                 if (getzoneid() == GLOBAL_ZONEID) {
 805                         rc = disable_kef_hardware(prov->cp_name, rndflag,
 806                             allflag, mecharglist);
 807                 } else {
 808                         /*
 809                          * TRANSLATION_NOTE
 810                          * "disable" could be either a literal keyword
 811                          * and hence not to be translated, or a verb and
 812                          * translatable.  A choice was made to view it as
 813                          * a literal keyword.  "global" is keyword and not
 814                          * to be translated.
 815                          */
 816                         cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
 817                             "providers is supported in the %2$s zone only"),
 818                             "disable", "global");
 819                         rc = FAILURE;
 820                 }
 821                 break;
 822         default: /* should not come here */
 823                 rc = FAILURE;
 824                 break;
 825         }
 826 
 827 out:
 828         free(prov);
 829         if (mecharglist != NULL) {
 830                 free_mechlist(mecharglist);
 831         }
 832         return (rc);
 833 }
 834 
 835 
 836 /*
 837  * The top level function for the "cryptoadm enable" subcommand.
 838  */
 839 static int
 840 do_enable(int argc, char **argv)
 841 {
 842         cryptoadm_provider_t    *prov = NULL;
 843         int                     rc = SUCCESS;
 844         char                    *alt_token = NULL, *alt_slot = NULL;
 845         boolean_t               use_default = B_FALSE;
 846         boolean_t               auto_key_migrate_flag = B_FALSE;
 847 
 848         if ((argc < 3) || (argc > 6)) {
 849                 usage();
 850                 return (ERROR_USAGE);
 851         }
 852 
 853         prov = get_provider(argc, argv);
 854         if (prov == NULL) {
 855                 usage();
 856                 return (ERROR_USAGE);
 857         }
 858         if ((prov->cp_type != METASLOT) && (argc != 4)) {
 859                 usage();
 860                 return (ERROR_USAGE);
 861         }
 862         if (prov->cp_type == PROV_BADNAME) {
 863                 rc = FAILURE;
 864                 goto out;
 865         }
 866 
 867 
 868         if (prov->cp_type == METASLOT) {
 869                 if ((rc = process_metaslot_operands(argc, argv, &alt_token,
 870                     &alt_slot, &use_default, &auto_key_migrate_flag))
 871                     != SUCCESS) {
 872                         usage();
 873                         goto out;
 874                 }
 875                 if ((alt_slot || alt_token) && use_default) {
 876                         usage();
 877                         rc = FAILURE;
 878                         goto out;
 879                 }
 880         } else {
 881                 if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
 882                         goto out;
 883                 }
 884 
 885                 /*
 886                  * If allflag or rndflag has already been set there is
 887                  * no reason to process mech=
 888                  */
 889                 if (!allflag && !rndflag &&
 890                     (rc = process_mech_operands(argc, argv, B_FALSE))
 891                     != SUCCESS) {
 892                         goto out;
 893                 }
 894         }
 895 
 896         switch (prov->cp_type) {
 897         case METASLOT:
 898                 rc = enable_metaslot(alt_token, alt_slot, use_default,
 899                     mecharglist, allflag, auto_key_migrate_flag);
 900                 break;
 901         case PROV_UEF_LIB:
 902                 rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
 903                     mecharglist);
 904                 break;
 905         case PROV_KEF_SOFT:
 906         case PROV_KEF_HARD:
 907                 if (rndflag && !allflag) {
 908                         if ((mecharglist = create_mech(RANDOM)) == NULL) {
 909                                 rc = FAILURE;
 910                                 break;
 911                         }
 912                 }
 913                 if (getzoneid() == GLOBAL_ZONEID) {
 914                         rc = enable_kef(prov->cp_name, rndflag, allflag,
 915                             mecharglist);
 916                 } else {
 917                         /*
 918                          * TRANSLATION_NOTE
 919                          * "enable" could be either a literal keyword
 920                          * and hence not to be translated, or a verb and
 921                          * translatable.  A choice was made to view it as
 922                          * a literal keyword.  "global" is keyword and not
 923                          * to be translated.
 924                          */
 925                         cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
 926                             "providers is supported in the %2$s zone only"),
 927                             "enable", "global");
 928                         rc = FAILURE;
 929                 }
 930                 break;
 931         default: /* should not come here */
 932                 rc = FAILURE;
 933                 break;
 934         }
 935 out:
 936         free(prov);
 937         if (mecharglist != NULL) {
 938                 free_mechlist(mecharglist);
 939         }
 940         if (alt_token != NULL) {
 941                 free(alt_token);
 942         }
 943         if (alt_slot != NULL) {
 944                 free(alt_slot);
 945         }
 946         return (rc);
 947 }
 948 
 949 
 950 
 951 /*
 952  * The top level function for the "cryptoadm install" subcommand.
 953  */
 954 static int
 955 do_install(int argc, char **argv)
 956 {
 957         cryptoadm_provider_t    *prov = NULL;
 958         int     rc;
 959 
 960         if (argc < 3) {
 961                 usage();
 962                 return (ERROR_USAGE);
 963         }
 964 
 965         prov = get_provider(argc, argv);
 966         if (prov == NULL ||
 967             prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
 968                 /*
 969                  * TRANSLATION_NOTE
 970                  * "install" could be either a literal keyword and hence
 971                  * not to be translated, or a verb and translatable.  A
 972                  * choice was made to view it as a literal keyword.
 973                  */
 974                 cryptoerror(LOG_STDERR,
 975                     gettext("bad provider name for %s."), "install");
 976                 rc = FAILURE;
 977                 goto out;
 978         }
 979 
 980         if (prov->cp_type == PROV_UEF_LIB) {
 981                 rc = install_uef_lib(prov->cp_name);
 982                 goto out;
 983         }
 984 
 985         /* It is the PROV_KEF_SOFT type now  */
 986 
 987         /* check if there are mechanism operands */
 988         if (argc < 4) {
 989                 /*
 990                  * TRANSLATION_NOTE
 991                  * "mechanism" could be either a literal keyword and hence
 992                  * not to be translated, or a descriptive word and
 993                  * translatable.  A choice was made to view it as a literal
 994                  * keyword.
 995                  */
 996                 cryptoerror(LOG_STDERR,
 997                     gettext("need %s operands for installing a"
 998                     " kernel software provider."), "mechanism");
 999                 rc = ERROR_USAGE;
1000                 goto out;
1001         }
1002 
1003         if ((rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
1004                 goto out;
1005         }
1006 
1007         if (allflag == B_TRUE) {
1008                 /*
1009                  * TRANSLATION_NOTE
1010                  * "all", "mechanism", and "install" are all keywords and
1011                  * not to be translated.
1012                  */
1013                 cryptoerror(LOG_STDERR,
1014                     gettext("can not use the %1$s keyword for %2$s "
1015                     "in the %3$s subcommand."), "all", "mechanism", "install");
1016                 rc = ERROR_USAGE;
1017                 goto out;
1018         }
1019 
1020         if (getzoneid() == GLOBAL_ZONEID) {
1021                 rc = install_kef(prov->cp_name, mecharglist);
1022         } else {
1023                 /*
1024                  * TRANSLATION_NOTE
1025                  * "install" could be either a literal keyword and hence
1026                  * not to be translated, or a verb and translatable.  A
1027                  * choice was made to view it as a literal keyword.
1028                  * "global" is keyword and not to be translated.
1029                  */
1030                 cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
1031                     "is supported in the %2$s zone only"), "install", "global");
1032                 rc = FAILURE;
1033         }
1034 out:
1035         free(prov);
1036         return (rc);
1037 }
1038 
1039 
1040 
1041 /*
1042  * The top level function for the "cryptoadm uninstall" subcommand.
1043  */
1044 static int
1045 do_uninstall(int argc, char **argv)
1046 {
1047         cryptoadm_provider_t    *prov = NULL;
1048         int     rc = SUCCESS;
1049 
1050         if (argc != 3) {
1051                 usage();
1052                 return (ERROR_USAGE);
1053         }
1054 
1055         prov = get_provider(argc, argv);
1056         if (prov == NULL ||
1057             prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
1058                 /*
1059                  * TRANSLATION_NOTE
1060                  * "uninstall" could be either a literal keyword and hence
1061                  * not to be translated, or a verb and translatable.  A
1062                  * choice was made to view it as a literal keyword.
1063                  */
1064                 cryptoerror(LOG_STDERR,
1065                     gettext("bad provider name for %s."), "uninstall");
1066                 free(prov);
1067                 return (FAILURE);
1068         }
1069 
1070         if (prov->cp_type == PROV_UEF_LIB) {
1071                 rc = uninstall_uef_lib(prov->cp_name);
1072 
1073         } else if (prov->cp_type == PROV_KEF_SOFT) {
1074                 if (getzoneid() == GLOBAL_ZONEID) {
1075                         /* unload and remove from kcf.conf */
1076                         rc = uninstall_kef(prov->cp_name);
1077                 } else {
1078                         /*
1079                          * TRANSLATION_NOTE
1080                          * "uninstall" could be either a literal keyword and
1081                          * hence not to be translated, or a verb and
1082                          * translatable.  A choice was made to view it as a
1083                          * literal keyword.  "global" is keyword and not to
1084                          * be translated.
1085                          */
1086                         cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
1087                             "providers is supported in the %2$s zone only"),
1088                             "uninstall", "global");
1089                         rc = FAILURE;
1090                 }
1091         }
1092 
1093         free(prov);
1094         return (rc);
1095 }
1096 
1097 
1098 /*
1099  * The top level function for the "cryptoadm unload" subcommand.
1100  */
1101 static int
1102 do_unload(int argc, char **argv)
1103 {
1104         cryptoadm_provider_t    *prov = NULL;
1105         entry_t                 *pent = NULL;
1106         boolean_t               in_kernel = B_FALSE;
1107         int                     rc = SUCCESS;
1108         char                    *provname = NULL;
1109 
1110         if (argc != 3) {
1111                 usage();
1112                 return (ERROR_USAGE);
1113         }
1114 
1115         /* check if it is a kernel software provider */
1116         prov = get_provider(argc, argv);
1117         if (prov == NULL) {
1118                 cryptoerror(LOG_STDERR,
1119                     gettext("unable to determine provider name."));
1120                 goto out;
1121         }
1122         provname = prov->cp_name;
1123         if (prov->cp_type != PROV_KEF_SOFT) {
1124                 cryptoerror(LOG_STDERR,
1125                     gettext("%s is not a valid kernel software provider."),
1126                     provname);
1127                 rc = FAILURE;
1128                 goto out;
1129         }
1130 
1131         if (getzoneid() != GLOBAL_ZONEID) {
1132                 /*
1133                  * TRANSLATION_NOTE
1134                  * "unload" could be either a literal keyword and hence
1135                  * not to be translated, or a verb and translatable.
1136                  * A choice was made to view it as a literal keyword.
1137                  * "global" is keyword and not to be translated.
1138                  */
1139                 cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
1140                     "is supported in the %2$s zone only"), "unload", "global");
1141                 rc = FAILURE;
1142                 goto out;
1143         }
1144 
1145         if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
1146                 cryptodebug("internal error");
1147                 rc = FAILURE;
1148                 goto out;
1149         } else if (in_kernel == B_FALSE) {
1150                 cryptoerror(LOG_STDERR,
1151                     gettext("provider %s is not loaded or does not exist."),
1152                     provname);
1153                 rc = FAILURE;
1154                 goto out;
1155         }
1156 
1157         /* Get kcf.conf entry.  If none, build a new entry */
1158         if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
1159                 if ((pent = create_entry(provname)) == NULL) {
1160                         cryptoerror(LOG_STDERR, gettext("out of memory."));
1161                         rc = FAILURE;
1162                         goto out;
1163                 }
1164         }
1165 
1166         /* If it is unloaded already, return  */
1167         if (!pent->load) { /* unloaded already */
1168                 cryptoerror(LOG_STDERR,
1169                     gettext("failed to unload %s."), provname);
1170                 rc = FAILURE;
1171                 goto out;
1172         } else if (unload_kef_soft(provname) != FAILURE) {
1173                 /* Mark as unloaded in kcf.conf */
1174                 pent->load = B_FALSE;
1175                 rc = update_kcfconf(pent, MODIFY_MODE);
1176         } else {
1177                 cryptoerror(LOG_STDERR,
1178                     gettext("failed to unload %s."), provname);
1179                 rc = FAILURE;
1180         }
1181 out:
1182         free(prov);
1183         free_entry(pent);
1184         return (rc);
1185 }
1186 
1187 
1188 
1189 /*
1190  * The top level function for the "cryptoadm refresh" subcommand.
1191  */
1192 static int
1193 do_refresh(int argc)
1194 {
1195         if (argc != 2) {
1196                 usage();
1197                 return (ERROR_USAGE);
1198         }
1199 
1200         if (getzoneid() == GLOBAL_ZONEID) {
1201                 return (refresh());
1202         } else { /* non-global zone */
1203                 /*
1204                  * Note:  in non-global zone, this must silently return SUCCESS
1205                  * due to integration with SMF, for "svcadm refresh cryptosvc"
1206                  */
1207                 return (SUCCESS);
1208         }
1209 }
1210 
1211 
1212 /*
1213  * The top level function for the "cryptoadm start" subcommand.
1214  * This used to start up kcfd, but now all it does is load up the
1215  * initial providers.
1216  */
1217 static int
1218 do_start(int argc)
1219 {
1220         if (argc != 2) {
1221                 usage();
1222                 return (ERROR_USAGE);
1223         }
1224 
1225         return (do_refresh(argc));
1226 }
1227 
1228 /*
1229  * The top level function for the "cryptoadm stop" subcommand.
1230  * This no longer does anything useful, but we leave it here
1231  * for compatibility.
1232  */
1233 static int
1234 do_stop(int argc)
1235 {
1236         if (argc != 2) {
1237                 usage();
1238                 return (ERROR_USAGE);
1239         }
1240 
1241         return (SUCCESS);
1242 }
1243 
1244 
1245 
1246 /*
1247  * Print a list all the the providers.
1248  * Called for "cryptoadm list" or "cryptoadm list -v" (no -m or -p).
1249  */
1250 static int
1251 list_simple_for_all(boolean_t verbose)
1252 {
1253         uentrylist_t            *pliblist = NULL;
1254         uentrylist_t            *plibptr = NULL;
1255         entry_t                 *pent = NULL;
1256         crypto_get_dev_list_t   *pdevlist_kernel = NULL;
1257         int                     rc = SUCCESS;
1258         int                     i;
1259 
1260         /* get user-level providers */
1261         (void) printf(gettext("\nUser-level providers:\n"));
1262         if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
1263                 cryptoerror(LOG_STDERR, gettext(
1264                     "failed to retrieve the list of user-level providers."));
1265                 rc = FAILURE;
1266         }
1267 
1268         for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
1269                 /* skip metaslot and fips-140 entry */
1270                 if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) &&
1271                     (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) {
1272                         (void) printf(gettext("Provider: %s\n"),
1273                             plibptr->puent->name);
1274                         if (verbose) {
1275                                 (void) list_mechlist_for_lib(
1276                                     plibptr->puent->name, mecharglist, NULL,
1277                                     B_FALSE, verbose, B_FALSE);
1278                                 (void) printf("\n");
1279                         }
1280                 }
1281         }
1282         free_uentrylist(pliblist);
1283 
1284         /* get kernel software providers */
1285         (void) printf(gettext("\nKernel software providers:\n"));
1286 
1287         if (getzoneid() == GLOBAL_ZONEID) {
1288                 /* get kernel software providers from kernel ioctl */
1289                 crypto_get_soft_list_t          *psoftlist_kernel = NULL;
1290                 uint_t                          sl_soft_count;
1291                 char                            *psoftname;
1292                 entrylist_t                     *pdevlist_conf = NULL;
1293                 entrylist_t                     *psoftlist_conf = NULL;
1294 
1295                 if (get_soft_list(&psoftlist_kernel) == FAILURE) {
1296                         cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
1297                             "software provider list from kernel."));
1298                         rc = FAILURE;
1299                 } else {
1300                         sl_soft_count = psoftlist_kernel->sl_soft_count;
1301 
1302                         if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
1303                             == FAILURE) {
1304                                 cryptoerror(LOG_ERR,
1305                                     "failed to retrieve the providers' "
1306                                     "information from file kcf.conf - %s.",
1307                                     _PATH_KCF_CONF);

1308                                 rc = FAILURE;
1309                         } else {
1310 
1311                                 for (i = 0,
1312                                     psoftname = psoftlist_kernel->sl_soft_names;
1313                                     i < sl_soft_count;
1314                                     ++i, psoftname += strlen(psoftname) + 1) {
1315                                         pent = getent_kef(psoftname,
1316                                             pdevlist_conf, psoftlist_conf);
1317                                         (void) printf("\t%s%s\n", psoftname,
1318                                             (pent == NULL) || (pent->load) ?
1319                                             "" : gettext(" (inactive)"));
1320                                 }
1321                                 free_entrylist(pdevlist_conf);
1322                                 free_entrylist(psoftlist_conf);
1323                         }
1324                         free(psoftlist_kernel);
1325                 }
1326 
1327         } else {
1328                 /* kcf.conf not there in non-global zone, use /dev/cryptoadm */
1329                 entrylist_t     *pdevlist_zone = NULL;
1330                 entrylist_t     *psoftlist_zone = NULL;
1331                 entrylist_t     *ptr;
1332 
1333                 if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
1334                     SUCCESS) {
1335                         cryptoerror(LOG_STDERR,
1336                             gettext("failed to retrieve the "
1337                             "list of kernel software providers.\n"));
1338                         rc = FAILURE;
1339                 }
1340 
1341                 ptr = psoftlist_zone;
1342                 while (ptr != NULL) {
1343                         (void) printf("\t%s\n", ptr->pent->name);
1344                         ptr = ptr->next;
1345                 }
1346 
1347                 free_entrylist(pdevlist_zone);
1348                 free_entrylist(psoftlist_zone);
1349         }
1350 
1351         /* get kernel hardware providers */
1352         (void) printf(gettext("\nKernel hardware providers:\n"));
1353         if (get_dev_list(&pdevlist_kernel) == FAILURE) {
1354                 cryptoerror(LOG_STDERR, gettext("failed to retrieve "
1355                     "the list of kernel hardware providers.\n"));
1356                 rc = FAILURE;
1357         } else {
1358                 for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
1359                         (void) printf("\t%s/%d\n",
1360                             pdevlist_kernel->dl_devs[i].le_dev_name,
1361                             pdevlist_kernel->dl_devs[i].le_dev_instance);
1362                 }
1363         }
1364         free(pdevlist_kernel);
1365 
1366         return (rc);
1367 }
1368 
1369 
1370 
1371 /*
1372  * List all the providers. And for each provider, list the mechanism list.
1373  * Called for "cryptoadm list -m" or "cryptoadm list -mv" .
1374  */
1375 static int
1376 list_mechlist_for_all(boolean_t verbose)
1377 {
1378         crypto_get_dev_list_t   *pdevlist_kernel = NULL;
1379         uentrylist_t            *pliblist = NULL;
1380         uentrylist_t            *plibptr = NULL;
1381         entry_t                 *pent = NULL;
1382         mechlist_t              *pmechlist = NULL;
1383         char                    provname[MAXNAMELEN];
1384         char                    devname[MAXNAMELEN];
1385         int                     inst_num;
1386         int                     count;
1387         int                     i;
1388         int                     rv;
1389         int                     rc = SUCCESS;
1390 
1391         /* get user-level providers */
1392         (void) printf(gettext("\nUser-level providers:\n"));
1393         /*
1394          * TRANSLATION_NOTE
1395          * Strictly for appearance's sake, this line should be as long as
1396          * the length of the translated text above.
1397          */
1398         (void) printf(gettext("=====================\n"));
1399         if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
1400                 cryptoerror(LOG_STDERR, gettext("failed to retrieve "
1401                     "the list of user-level providers.\n"));
1402                 rc = FAILURE;
1403         }
1404 
1405         plibptr = pliblist;
1406         while (plibptr != NULL) {
1407                 /* skip metaslot and fips-140 entry */
1408                 if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) &&
1409                     (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) {
1410                         (void) printf(gettext("\nProvider: %s\n"),
1411                             plibptr->puent->name);
1412                         rv = list_mechlist_for_lib(plibptr->puent->name,
1413                             mecharglist, NULL, B_FALSE, verbose, B_TRUE);
1414                         if (rv == FAILURE) {
1415                                 rc = FAILURE;
1416                         }
1417                 }
1418                 plibptr = plibptr->next;
1419         }
1420         free_uentrylist(pliblist);
1421 
1422         /* get kernel software providers */
1423         (void) printf(gettext("\nKernel software providers:\n"));
1424 
1425         /*
1426          * TRANSLATION_NOTE
1427          * Strictly for appearance's sake, this line should be as long as
1428          * the length of the translated text above.
1429          */
1430         (void) printf(gettext("==========================\n"));
1431         if (getzoneid() == GLOBAL_ZONEID) {
1432                 /* get kernel software providers from kernel ioctl */
1433                 crypto_get_soft_list_t          *psoftlist_kernel = NULL;
1434                 uint_t                          sl_soft_count;
1435                 char                            *psoftname;
1436                 int                             i;
1437                 entrylist_t                     *pdevlist_conf = NULL;
1438                 entrylist_t                     *psoftlist_conf = NULL;
1439 
1440                 if (get_soft_list(&psoftlist_kernel) == FAILURE) {
1441                         cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
1442                             "software provider list from kernel."));
1443                         return (FAILURE);
1444                 }
1445                 sl_soft_count = psoftlist_kernel->sl_soft_count;
1446 
1447                 if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
1448                     == FAILURE) {
1449                         cryptoerror(LOG_ERR,
1450                             "failed to retrieve the providers' "
1451                             "information from file kcf.conf - %s.",
1452                             _PATH_KCF_CONF);
1453                         free(psoftlist_kernel);
1454                         return (FAILURE);
1455                 }
1456 
1457                 for (i = 0, psoftname = psoftlist_kernel->sl_soft_names;
1458                     i < sl_soft_count;
1459                     ++i, psoftname += strlen(psoftname) + 1) {
1460                         pent = getent_kef(psoftname, pdevlist_conf,
1461                             psoftlist_conf);
1462                         if ((pent == NULL) || (pent->load)) {
1463                                 rv = list_mechlist_for_soft(psoftname,
1464                                     NULL, NULL);
1465                                 if (rv == FAILURE) {
1466                                         rc = FAILURE;
1467                                 }
1468                         } else {
1469                                 (void) printf(gettext("%s: (inactive)\n"),
1470                                     psoftname);
1471                         }
1472                 }
1473 
1474                 free(psoftlist_kernel);
1475                 free_entrylist(pdevlist_conf);
1476                 free_entrylist(psoftlist_conf);
1477 
1478         } else {
1479                 /* kcf.conf not there in non-global zone, use /dev/cryptoadm */
1480                 entrylist_t     *pdevlist_zone = NULL;
1481                 entrylist_t     *psoftlist_zone = NULL;
1482                 entrylist_t     *ptr;
1483 
1484                 if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
1485                     SUCCESS) {
1486                         cryptoerror(LOG_STDERR, gettext("failed to retrieve "
1487                             "the list of kernel software providers.\n"));
1488                         rc = FAILURE;
1489                 }
1490 
1491                 for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) {
1492                         rv = list_mechlist_for_soft(ptr->pent->name,
1493                             pdevlist_zone, psoftlist_zone);
1494                         if (rv == FAILURE) {
1495                                 (void) printf(gettext(
1496                                     "%s: failed to get the mechanism list.\n"),
1497                                     ptr->pent->name);
1498                                 rc = FAILURE;
1499                         }
1500                 }
1501 
1502                 free_entrylist(pdevlist_zone);
1503                 free_entrylist(psoftlist_zone);
1504         }
1505 
1506         /* Get kernel hardware providers and their mechanism lists */
1507         (void) printf(gettext("\nKernel hardware providers:\n"));
1508         /*
1509          * TRANSLATION_NOTE
1510          * Strictly for appearance's sake, this line should be as long as
1511          * the length of the translated text above.
1512          */
1513         (void) printf(gettext("==========================\n"));
1514         if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
1515                 cryptoerror(LOG_STDERR, gettext("failed to retrieve "
1516                     "the list of hardware providers.\n"));
1517                 return (FAILURE);
1518         }
1519 
1520         for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
1521                 (void) strlcpy(devname,
1522                     pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN);
1523                 inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance;
1524                 count = pdevlist_kernel->dl_devs[i].le_mechanism_count;
1525                 (void) snprintf(provname, sizeof (provname), "%s/%d", devname,
1526                     inst_num);
1527                 if (get_dev_info(devname, inst_num, count, &pmechlist) ==
1528                     SUCCESS) {
1529                         (void) filter_mechlist(&pmechlist, RANDOM);
1530                         print_mechlist(provname, pmechlist);
1531                         free_mechlist(pmechlist);
1532                 } else {
1533                         (void) printf(gettext("%s: failed to get the mechanism"
1534                             " list.\n"), provname);
1535                         rc = FAILURE;
1536                 }
1537         }
1538         free(pdevlist_kernel);
1539         return (rc);
1540 }
1541 
1542 
1543 /*
1544  * List all the providers. And for each provider, list the policy information.
1545  * Called for "cryptoadm list -p".
1546  */
1547 static int
1548 list_policy_for_all(void)
1549 {
1550         crypto_get_dev_list_t   *pdevlist_kernel = NULL;
1551         uentrylist_t            *pliblist = NULL;
1552         entrylist_t             *pdevlist_conf = NULL;
1553         entrylist_t             *psoftlist_conf = NULL;
1554         entrylist_t             *ptr = NULL;
1555         entrylist_t             *phead = NULL;
1556         boolean_t               found = B_FALSE;
1557         char                    provname[MAXNAMELEN];
1558         int                     i;
1559         int                     rc = SUCCESS;
1560 
1561         /* Get user-level providers */
1562         (void) printf(gettext("\nUser-level providers:\n"));
1563         /*
1564          * TRANSLATION_NOTE
1565          * Strictly for appearance's sake, this line should be as long as
1566          * the length of the translated text above.
1567          */
1568         (void) printf(gettext("=====================\n"));
1569         if (get_pkcs11conf_info(&pliblist) == FAILURE) {
1570                 cryptoerror(LOG_STDERR, gettext("failed to retrieve "
1571                     "the list of user-level providers.\n"));
1572                 rc = FAILURE;
1573         } else {
1574                 uentrylist_t    *plibptr = pliblist;
1575 
1576                 while (plibptr != NULL) {
1577                         /* skip metaslot and fips-140 entry */
1578                         if ((strcmp(plibptr->puent->name,
1579                             METASLOT_KEYWORD) != 0) &&
1580                             (strcmp(plibptr->puent->name,
1581                             FIPS_KEYWORD) != 0)) {
1582                                 if (print_uef_policy(plibptr->puent)
1583                                     == FAILURE) {
1584                                         rc = FAILURE;
1585                                 }
1586                         }
1587                         plibptr = plibptr->next;
1588                 }
1589                 free_uentrylist(pliblist);
1590         }
1591 
1592         /* kernel software providers */
1593         (void) printf(gettext("\nKernel software providers:\n"));
1594         /*
1595          * TRANSLATION_NOTE
1596          * Strictly for appearance's sake, this line should be as long as
1597          * the length of the translated text above.
1598          */
1599         (void) printf(gettext("==========================\n"));
1600 
1601         /* Get all entries from the kernel */
1602         if (getzoneid() == GLOBAL_ZONEID) {
1603                 /* get kernel software providers from kernel ioctl */
1604                 crypto_get_soft_list_t          *psoftlist_kernel = NULL;
1605                 uint_t                          sl_soft_count;
1606                 char                            *psoftname;
1607                 int                             i;
1608 
1609                 if (get_soft_list(&psoftlist_kernel) == FAILURE) {
1610                         cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
1611                             "software provider list from kernel."));
1612                         rc = FAILURE;
1613                 } else {
1614                         sl_soft_count = psoftlist_kernel->sl_soft_count;
1615 
1616                         for (i = 0, psoftname = psoftlist_kernel->sl_soft_names;
1617                             i < sl_soft_count;
1618                             ++i, psoftname += strlen(psoftname) + 1) {
1619                                 (void) list_policy_for_soft(psoftname,
1620                                     pdevlist_conf, psoftlist_conf);
1621                         }
1622                         free(psoftlist_kernel);
1623                 }
1624 
1625         } else {
1626                 /* kcf.conf not there in non-global zone, no policy info */
1627 
1628                 /*
1629                  * TRANSLATION_NOTE
1630                  * "global" is keyword and not to be translated.
1631                  */
1632                 cryptoerror(LOG_STDERR, gettext(
1633                     "policy information for kernel software providers is "
1634                     "available in the %s zone only"), "global");
1635         }
1636 
1637         /* Kernel hardware providers */
1638         (void) printf(gettext("\nKernel hardware providers:\n"));
1639         /*
1640          * TRANSLATION_NOTE
1641          * Strictly for appearance's sake, this line should be as long as
1642          * the length of the translated text above.
1643          */
1644         (void) printf(gettext("==========================\n"));
1645 
1646         if (getzoneid() != GLOBAL_ZONEID) {
1647                 /*
1648                  * TRANSLATION_NOTE
1649                  * "global" is keyword and not to be translated.
1650                  */
1651                 cryptoerror(LOG_STDERR, gettext(
1652                     "policy information for kernel hardware providers is "
1653                     "available in the %s zone only"), "global");
1654                 return (FAILURE);
1655         }
1656 
1657         /* Get the hardware provider list from kernel */
1658         if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
1659                 cryptoerror(LOG_STDERR, gettext(
1660                     "failed to retrieve the list of hardware providers.\n"));
1661                 return (FAILURE);
1662         }
1663 
1664         if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) == FAILURE) {
1665                 cryptoerror(LOG_ERR, "failed to retrieve the providers' "
1666                     "information from file kcf.conf - %s.",
1667                     _PATH_KCF_CONF);
1668                 return (FAILURE);
1669         }
1670 
1671 
1672         /*
1673          * For each hardware provider from kernel, check if it has an entry
1674          * in the config file.  If it has an entry, print out the policy from
1675          * config file and remove the entry from the hardware provider list
1676          * of the config file.  If it does not have an entry in the config
1677          * file, no mechanisms of it have been disabled. But, we still call
1678          * list_policy_for_hard() to account for the "random" feature.
1679          */
1680         for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
1681                 (void) snprintf(provname, sizeof (provname), "%s/%d",
1682                     pdevlist_kernel->dl_devs[i].le_dev_name,
1683                     pdevlist_kernel->dl_devs[i].le_dev_instance);
1684 
1685                 found = B_FALSE;
1686                 phead = ptr = pdevlist_conf;
1687                 while (!found && ptr) {
1688                         if (strcmp(ptr->pent->name, provname) == 0) {
1689                                 found = B_TRUE;
1690                         } else {
1691                                 phead = ptr;
1692                                 ptr = ptr->next;
1693                         }
1694                 }
1695 
1696                 if (found) {
1697                         (void) list_policy_for_hard(ptr->pent->name,
1698                             pdevlist_conf, psoftlist_conf, pdevlist_kernel);
1699                         if (phead == ptr) {
1700                                 pdevlist_conf = pdevlist_conf->next;
1701                         } else {
1702                                 phead->next = ptr->next;
1703                         }
1704                         free_entry(ptr->pent);
1705                         free(ptr);
1706                 } else {
1707                         (void) list_policy_for_hard(provname, pdevlist_conf,
1708                             psoftlist_conf, pdevlist_kernel);
1709                 }
1710         }
1711 
1712         /*
1713          * If there are still entries left in the pdevlist_conf list from
1714          * the config file, these providers must have been detached.
1715          * Should print out their policy information also.
1716          */
1717         for (ptr = pdevlist_conf; ptr != NULL; ptr = ptr->next) {
1718                 print_kef_policy(ptr->pent->name, ptr->pent, B_FALSE, B_TRUE);
1719         }
1720 
1721         free_entrylist(pdevlist_conf);
1722         free_entrylist(psoftlist_conf);
1723         free(pdevlist_kernel);
1724 
1725         return (rc);
1726 }
--- EOF ---