1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24 /*
25 * Copyright 2010 Nexenta Systems, Inc. All rights reserved.
26 */
27
28 #include <sys/types.h>
29 #include <sys/stat.h>
30 #include <dlfcn.h>
31 #include <fcntl.h>
32 #include <link.h>
33 #include <stdio.h>
34 #include <stdlib.h>
35 #include <strings.h>
36 #include <errno.h>
37 #include <pthread.h>
38 #include <sys/mman.h>
39
40 #include <sys/crypto/elfsign.h>
41 #include <cryptoutil.h>
42
43 #include <security/cryptoki.h>
44 #include "pkcs11Global.h"
45 #include "pkcs11Conf.h"
46 #include "pkcs11Slot.h"
47 #include "metaGlobal.h"
48
49 /*
50 * Fastpath is used when there is only one slot available from a single provider
51 * plugged into the framework this is the common case.
52 * These globals are used to track the function pointers and policy when
53 * the fast-path is activated.
54 * This will need to be revisted if per-slot policy is ever
55 * implemented.
56 */
57 boolean_t purefastpath = B_FALSE;
58 boolean_t policyfastpath = B_FALSE;
59 CK_FUNCTION_LIST_PTR fast_funcs = NULL;
60 CK_SLOT_ID fast_slot = 0;
61 boolean_t metaslot_enabled = B_FALSE;
62 boolean_t metaslot_auto_key_migrate = B_FALSE;
63 metaslot_config_t metaslot_config;
64 void (*Tmp_GetThreshold)(void *) = NULL;
65 cipher_mechs_threshold_t meta_mechs_threshold[MAX_NUM_THRESHOLD];
66
67 static const char *conf_err = "See cryptoadm(8). Skipping this plug-in.";
68
69 /*
70 * Set up metaslot for the framework using either user configuration
71 * or system wide configuration options
72 *
73 * Also sets up the global "slottable" to have the first slot be metaslot.
74 */
75 static CK_RV
setup_metaslot(uentry_t * metaslot_entry)76 setup_metaslot(uentry_t *metaslot_entry) {
77 CK_RV rv;
78 CK_MECHANISM_TYPE_PTR prov_pol_mechs = NULL;
79 pkcs11_slot_t *cur_slot;
80
81 /* process policies for mechanisms */
82 if ((metaslot_entry) && (metaslot_entry->count > 0)) {
83 rv = pkcs11_mech_parse(metaslot_entry->policylist,
84 &prov_pol_mechs, metaslot_entry->count);
85
86 if (rv == CKR_HOST_MEMORY) {
87 cryptoerror(LOG_ERR,
88 "libpkcs11: Could not parse configuration,"
89 "out of memory. Cannot continue parsing "
90 "%s.\n", _PATH_PKCS11_CONF);
91 return (rv);
92 } else if (rv == CKR_MECHANISM_INVALID) {
93 /*
94 * Configuration file is corrupted for metaslot
95 */
96 cryptoerror(LOG_ERR,
97 "libpkcs11: Policy invalid or corrupted "
98 "for metaslot. Use cryptoadm(8) to fix "
99 "this. Disabling metaslot functionality.\n");
100 metaslot_enabled = B_FALSE;
101 return (rv);
102 }
103 }
104
105 /*
106 * Check for metaslot policy. If all mechanisms are
107 * disabled, disable metaslot since there is nothing
108 * interesting for it to do
109 */
110 if ((metaslot_entry) && (metaslot_entry->flag_enabledlist) &&
111 (prov_pol_mechs == NULL)) {
112 metaslot_enabled = B_FALSE;
113 return (rv);
114 }
115
116 /*
117 * save system wide value for metaslot's keystore.
118 * If either slot description or token label is specified by
119 * the user, the system wide value for both is ignored.
120 */
121 if ((metaslot_entry) &&
122 (!metaslot_config.keystore_token_specified) &&
123 (!metaslot_config.keystore_slot_specified)) {
124 /*
125 * blank_str is used for comparing with token label,
126 * and slot description, make sure it is better than
127 * the larger of both
128 */
129 char blank_str[TOKEN_LABEL_SIZE + SLOT_DESCRIPTION_SIZE];
130
131 bzero(blank_str, sizeof (blank_str));
132
133 if (memcmp(metaslot_entry->metaslot_ks_token,
134 blank_str, TOKEN_LABEL_SIZE) != 0) {
135 metaslot_config.keystore_token_specified = B_TRUE;
136 (void) strlcpy(
137 (char *)metaslot_config.keystore_token,
138 (const char *)metaslot_entry->metaslot_ks_token,
139 TOKEN_LABEL_SIZE);
140 }
141
142 if (memcmp(metaslot_entry->metaslot_ks_slot,
143 blank_str, SLOT_DESCRIPTION_SIZE) != 0) {
144 metaslot_config.keystore_slot_specified = B_TRUE;
145 (void) strlcpy(
146 (char *)metaslot_config.keystore_slot,
147 (const char *)metaslot_entry->metaslot_ks_slot,
148 SLOT_DESCRIPTION_SIZE);
149 }
150 }
151
152 /* check system-wide value for auto_key_migrate */
153 if (metaslot_config.auto_key_migrate_specified) {
154 /* take user's specified value */
155 metaslot_auto_key_migrate = metaslot_config.auto_key_migrate;
156 } else {
157 if (metaslot_entry) {
158 /* use system-wide default */
159 metaslot_auto_key_migrate =
160 metaslot_entry->flag_metaslot_auto_key_migrate;
161 } else {
162 /*
163 * there's no system wide metaslot entry,
164 * default auto_key_migrate to true
165 */
166 metaslot_auto_key_migrate = B_TRUE;
167 }
168 }
169
170
171 /* Make first slotID be 0, for metaslot. */
172 slottable->st_first = 0;
173
174 /* Set up the slottable entry for metaslot */
175 slottable->st_slots[0] = NULL;
176 cur_slot = calloc(1, sizeof (pkcs11_slot_t));
177 if (cur_slot == NULL) {
178 rv = CKR_HOST_MEMORY;
179 return (rv);
180 }
181 cur_slot->sl_wfse_state = WFSE_CLEAR;
182 cur_slot->sl_enabledpol = B_FALSE;
183 cur_slot->sl_no_wfse = B_FALSE;
184 (void) pthread_mutex_init(&cur_slot->sl_mutex, NULL);
185
186 /*
187 * The metaslot entry was prealloc'd by
188 * pkcs11_slottable_increase()
189 */
190 (void) pthread_mutex_lock(&slottable->st_mutex);
191 slottable->st_slots[0] = cur_slot;
192 (void) pthread_mutex_unlock(&slottable->st_mutex);
193
194 (void) pthread_mutex_lock(&cur_slot->sl_mutex);
195 cur_slot->sl_id = METASLOT_SLOTID;
196 cur_slot->sl_func_list = &metaslot_functionList;
197 if (metaslot_entry) {
198 cur_slot->sl_enabledpol = metaslot_entry->flag_enabledlist;
199 cur_slot->sl_pol_count = metaslot_entry->count;
200 } else {
201 /* if no metaslot entry, assume all mechs are enabled */
202 cur_slot->sl_enabledpol = B_FALSE;
203 cur_slot->sl_pol_count = 0;
204 }
205 cur_slot->sl_pol_mechs = prov_pol_mechs;
206 cur_slot->sl_dldesc = NULL; /* not applicable */
207 cur_slot->sl_prov_id = 0;
208 (void) pthread_mutex_unlock(&cur_slot->sl_mutex);
209
210 /* Call the meta_Initialize() to initialize metaslot */
211 rv = meta_Initialize(NULL);
212 if (rv != CKR_OK) {
213 cryptoerror(LOG_ERR,
214 "libpkcs11: Can't initialize metaslot (%s)",
215 pkcs11_strerror(rv));
216 goto cleanup;
217 }
218
219 return (CKR_OK);
220
221 cleanup:
222 metaslot_enabled = B_FALSE;
223 slottable->st_slots[0] = NULL;
224
225 if (cur_slot) {
226 (void) pthread_mutex_destroy(&cur_slot->sl_mutex);
227 free(cur_slot);
228 }
229 return (rv);
230 }
231
232 /*
233 * For each provider found in pkcs11.conf: expand $ISA if necessary,
234 * verify the module is signed, load the provider, find all of its
235 * slots, and store the function list and disabled policy.
236 *
237 * This function requires that the uentrylist_t and pkcs11_slottable_t
238 * already have memory allocated, and that the uentrylist_t is already
239 * populated with provider and policy information.
240 *
241 * pInitArgs can be set to NULL, but is normally the same value
242 * the framework's C_Initialize() was called with.
243 *
244 * Unless metaslot is explicitly disabled, it is setup when all other
245 * providers are loaded.
246 */
247 CK_RV
pkcs11_slot_mapping(uentrylist_t * pplist,CK_VOID_PTR pInitArgs)248 pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs)
249 {
250 CK_RV rv = CKR_OK;
251 CK_RV prov_rv; /* Provider's return code */
252 CK_INFO prov_info;
253 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
254 CK_FUNCTION_LIST_PTR prov_funcs = NULL; /* Provider's function list */
255 CK_ULONG prov_slot_count; /* Number of slots */
256 CK_SLOT_ID slot_id; /* slotID assigned for framework */
257 CK_SLOT_ID_PTR prov_slots = NULL; /* Provider's slot list */
258 /* Enabled or Disabled policy */
259 CK_MECHANISM_TYPE_PTR prov_pol_mechs = NULL;
260
261 void *dldesc = NULL;
262 char *isa, *fullpath = NULL, *dl_error;
263 uentrylist_t *phead;
264 uint_t prov_count = 0;
265 pkcs11_slot_t *cur_slot;
266 CK_ULONG i;
267 size_t len;
268 uentry_t *metaslot_entry = NULL;
269 /* number of slots in the framework, not including metaslot */
270 uint_t slot_count = 0;
271
272 phead = pplist;
273
274 /* Loop through all of the provider listed in pkcs11.conf */
275 while (phead != NULL) {
276 if (!strcasecmp(phead->puent->name, "metaslot")) {
277 /*
278 * Skip standard processing for metaslot
279 * entry since it is not an actual library
280 * that can be dlopened.
281 * It will be initialized later.
282 */
283 if (metaslot_entry != NULL) {
284 cryptoerror(LOG_ERR,
285 "libpkcs11: multiple entries for metaslot "
286 "detected. All but the first entry will "
287 "be ignored");
288 } else {
289 metaslot_entry = phead->puent;
290 }
291 goto contparse;
292 }
293
294 if (!strcasecmp(phead->puent->name, FIPS_KEYWORD)) {
295 /*
296 * Skip standard processing for fips-140
297 * entry since it is not an actual library
298 * that can be dlopened.
299 */
300 goto contparse;
301 }
302
303 /* Check for Instruction Set Architecture indicator */
304 if ((isa = strstr(phead->puent->name, PKCS11_ISA)) != NULL) {
305 /* Substitute the architecture dependent path */
306 len = strlen(phead->puent->name) -
307 strlen(PKCS11_ISA) +
308 strlen(PKCS11_ISA_DIR) + 1;
309 if ((fullpath = (char *)malloc(len)) == NULL) {
310 cryptoerror(LOG_ERR,
311 "libpksc11: parsing %s, out of memory. "
312 "Cannot continue parsing.",
313 _PATH_PKCS11_CONF);
314 rv = CKR_HOST_MEMORY;
315 goto conferror;
316 }
317 *isa = '\000';
318 isa += strlen(PKCS11_ISA);
319 (void) snprintf(fullpath, len, "%s%s%s",
320 phead->puent->name, PKCS11_ISA_DIR, isa);
321 } else if ((fullpath = strdup(phead->puent->name)) == 0) {
322 cryptoerror(LOG_ERR,
323 "libpkcs11: parsing %s, out of memory. "
324 "Cannot continue parsing.",
325 _PATH_PKCS11_CONF);
326 rv = CKR_HOST_MEMORY;
327 goto conferror;
328 }
329
330 /*
331 * Open the provider. We assume all of our plugins have
332 * their symbols properly defined, so the use of RTLD_NOW
333 * to flush out errors immediately is not necessary.
334 *
335 * Note that for proper operation, all plugins must be
336 * built with direct bindings enabled.
337 */
338 dldesc = dlopen(fullpath, RTLD_LAZY);
339
340 /*
341 * If we failed to load it, we will just skip this
342 * provider and move on to the next one.
343 */
344 if (dldesc == NULL) {
345 dl_error = dlerror();
346 cryptoerror(LOG_ERR,
347 "libpkcs11: Cannot load PKCS#11 library %s. "
348 "dlerror: %s. %s",
349 fullpath, dl_error != NULL ? dl_error : "Unknown",
350 conf_err);
351 goto contparse;
352 }
353
354 /* Get the pointer to provider's C_GetFunctionList() */
355 Tmp_C_GetFunctionList =
356 (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
357
358 /*
359 * If we failed to get the pointer to C_GetFunctionList(),
360 * skip this provider and continue to the next one.
361 */
362 if (Tmp_C_GetFunctionList == NULL) {
363 cryptoerror(LOG_ERR,
364 "libpkcs11: Could not dlsym() C_GetFunctionList() "
365 "for %s. May not be a PKCS#11 library. %s",
366 fullpath, conf_err);
367 (void) dlclose(dldesc);
368 goto contparse;
369 }
370
371
372 /* Get the provider's function list */
373 prov_rv = Tmp_C_GetFunctionList(&prov_funcs);
374
375 /*
376 * If we failed to get the provider's function list,
377 * skip this provider and continue to the next one.
378 */
379 if (prov_rv != CKR_OK) {
380 cryptoerror(LOG_ERR,
381 "libpkcs11: Could not get function list for %s. "
382 "%s Error: %s.",
383 fullpath, conf_err, pkcs11_strerror(prov_rv));
384 (void) dlclose(dldesc);
385 goto contparse;
386 }
387
388 /* Initialize this provider */
389 prov_rv = prov_funcs->C_Initialize(pInitArgs);
390
391 /*
392 * If we failed to initialize this provider,
393 * skip this provider and continue to the next one.
394 */
395 if ((prov_rv != CKR_OK) &&
396 (prov_rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
397 cryptoerror(LOG_ERR,
398 "libpkcs11: Could not initialize %s. "
399 "%s Error: %s.",
400 fullpath, conf_err, pkcs11_strerror(prov_rv));
401 (void) dlclose(dldesc);
402 goto contparse;
403 }
404
405 /*
406 * Make sure this provider is implementing the same
407 * major version, and at least the same minor version
408 * that we are.
409 */
410 prov_rv = prov_funcs->C_GetInfo(&prov_info);
411
412 /*
413 * If we can't verify that we are implementing the
414 * same major version, or if it is definitely not the same
415 * version, we need to skip this provider.
416 */
417 if ((prov_rv != CKR_OK) ||
418 (prov_info.cryptokiVersion.major !=
419 CRYPTOKI_VERSION_MAJOR)) {
420 if (prov_rv != CKR_OK) {
421 cryptoerror(LOG_ERR,
422 "libpkcs11: Could not verify version of "
423 "%s. %s Error: %s.", fullpath,
424 conf_err, pkcs11_strerror(prov_rv));
425 } else {
426 cryptoerror(LOG_ERR,
427 "libpkcs11: Only CRYPTOKI major version "
428 "%d is supported. %s is major "
429 "version %d. %s",
430 CRYPTOKI_VERSION_MAJOR, fullpath,
431 prov_info.cryptokiVersion.major, conf_err);
432 }
433 (void) prov_funcs->C_Finalize(NULL);
434 (void) dlclose(dldesc);
435 goto contparse;
436 }
437
438 /*
439 * Warn the administrator (at debug) that a provider with
440 * a significantly older or newer version of
441 * CRYPTOKI is being used. It should not cause
442 * problems, but logging a warning makes it easier
443 * to debug later.
444 */
445 if ((prov_info.cryptokiVersion.minor <
446 CRYPTOKI_VERSION_WARN_MINOR) ||
447 (prov_info.cryptokiVersion.minor >
448 CRYPTOKI_VERSION_MINOR)) {
449 cryptoerror(LOG_DEBUG,
450 "libpkcs11: %s CRYPTOKI minor version, %d, may "
451 "not be compatible with minor version %d.",
452 fullpath, prov_info.cryptokiVersion.minor,
453 CRYPTOKI_VERSION_MINOR);
454 }
455
456 /*
457 * Find out how many slots this provider has,
458 * call with tokenPresent set to FALSE so all
459 * potential slots are returned.
460 */
461 prov_rv = prov_funcs->C_GetSlotList(FALSE,
462 NULL, &prov_slot_count);
463
464 /*
465 * If the call failed, or if no slots are returned,
466 * then skip this provider and continue to next one.
467 */
468 if (prov_rv != CKR_OK) {
469 cryptoerror(LOG_ERR,
470 "libpksc11: Could not get slot list from %s. "
471 "%s Error: %s.",
472 fullpath, conf_err, pkcs11_strerror(prov_rv));
473 (void) prov_funcs->C_Finalize(NULL);
474 (void) dlclose(dldesc);
475 goto contparse;
476 }
477
478 if (prov_slot_count == 0) {
479 cryptodebug("libpkcs11: No slots presented from %s. "
480 "Skipping this plug-in at this time.\n",
481 fullpath);
482 (void) prov_funcs->C_Finalize(NULL);
483 (void) dlclose(dldesc);
484 goto contparse;
485 }
486
487 /* Allocate memory for the slot list */
488 prov_slots = calloc(prov_slot_count, sizeof (CK_SLOT_ID));
489
490 if (prov_slots == NULL) {
491 cryptoerror(LOG_ERR,
492 "libpkcs11: Could not allocate memory for "
493 "plug-in slots. Cannot continue parsing %s\n",
494 _PATH_PKCS11_CONF);
495 rv = CKR_HOST_MEMORY;
496 goto conferror;
497 }
498
499 /* Get slot list from provider */
500 prov_rv = prov_funcs->C_GetSlotList(FALSE,
501 prov_slots, &prov_slot_count);
502
503 /* if second call fails, drop this provider */
504 if (prov_rv != CKR_OK) {
505 cryptoerror(LOG_ERR,
506 "libpkcs11: Second call to C_GetSlotList() for %s "
507 "failed. %s Error: %s.",
508 fullpath, conf_err, pkcs11_strerror(prov_rv));
509 (void) prov_funcs->C_Finalize(NULL);
510 (void) dlclose(dldesc);
511 goto contparse;
512 }
513
514 /*
515 * Parse the list of disabled or enabled mechanisms, will
516 * apply to each of the provider's slots.
517 */
518 if (phead->puent->count > 0) {
519 rv = pkcs11_mech_parse(phead->puent->policylist,
520 &prov_pol_mechs, phead->puent->count);
521
522 if (rv == CKR_HOST_MEMORY) {
523 cryptoerror(LOG_ERR,
524 "libpkcs11: Could not parse configuration,"
525 "out of memory. Cannot continue parsing "
526 "%s.", _PATH_PKCS11_CONF);
527 goto conferror;
528 } else if (rv == CKR_MECHANISM_INVALID) {
529 /*
530 * Configuration file is corrupted for this
531 * provider.
532 */
533 cryptoerror(LOG_ERR,
534 "libpkcs11: Policy invalid or corrupted "
535 "for %s. Use cryptoadm(8) to fix "
536 "this. Skipping this plug-in.",
537 fullpath);
538 (void) prov_funcs->C_Finalize(NULL);
539 (void) dlclose(dldesc);
540 goto contparse;
541 }
542 }
543
544 /* Allocate memory in our slottable for these slots */
545 rv = pkcs11_slottable_increase(prov_slot_count);
546
547 /*
548 * If any error is returned, it will be memory related,
549 * so we need to abort the attempt at filling the
550 * slottable.
551 */
552 if (rv != CKR_OK) {
553 cryptoerror(LOG_ERR,
554 "libpkcs11: slottable could not increase. "
555 "Cannot continue parsing %s.",
556 _PATH_PKCS11_CONF);
557 goto conferror;
558 }
559
560 /* Configure information for each new slot */
561 for (i = 0; i < prov_slot_count; i++) {
562 /* allocate slot in framework */
563 rv = pkcs11_slot_allocate(&slot_id);
564 if (rv != CKR_OK) {
565 cryptoerror(LOG_ERR,
566 "libpkcs11: Could not allocate "
567 "new slot. Cannot continue parsing %s.",
568 _PATH_PKCS11_CONF);
569 goto conferror;
570 }
571 slot_count++;
572 cur_slot = slottable->st_slots[slot_id];
573 (void) pthread_mutex_lock(&cur_slot->sl_mutex);
574 cur_slot->sl_id = prov_slots[i];
575 cur_slot->sl_func_list = prov_funcs;
576 cur_slot->sl_enabledpol =
577 phead->puent->flag_enabledlist;
578 cur_slot->sl_pol_mechs = prov_pol_mechs;
579 cur_slot->sl_pol_count = phead->puent->count;
580 cur_slot->sl_norandom = phead->puent->flag_norandom;
581 cur_slot->sl_dldesc = dldesc;
582 cur_slot->sl_prov_id = prov_count + 1;
583 (void) pthread_mutex_unlock(&cur_slot->sl_mutex);
584 }
585
586 /*
587 * Get the pointer to private interface _SUNW_GetThreshold()
588 * in pkcs11_kernel.
589 */
590
591 if (Tmp_GetThreshold == NULL) {
592 Tmp_GetThreshold =
593 (void(*)())dlsym(dldesc, "_SUNW_GetThreshold");
594
595 /* Get the threshold values for the supported mechs */
596 if (Tmp_GetThreshold != NULL) {
597 (void) memset(meta_mechs_threshold, 0,
598 sizeof (meta_mechs_threshold));
599 Tmp_GetThreshold(meta_mechs_threshold);
600 }
601 }
602
603 /* Set and reset values to process next provider */
604 prov_count++;
605 contparse:
606 prov_slot_count = 0;
607 Tmp_C_GetFunctionList = NULL;
608 prov_funcs = NULL;
609 dldesc = NULL;
610 if (fullpath != NULL) {
611 free(fullpath);
612 fullpath = NULL;
613 }
614 if (prov_slots != NULL) {
615 free(prov_slots);
616 prov_slots = NULL;
617 }
618 phead = phead->next;
619 }
620
621 if (slot_count == 0) {
622 /*
623 * there's no other slot in the framework,
624 * there is nothing to do
625 */
626 goto config_complete;
627 }
628
629 /* determine if metaslot should be enabled */
630
631 /*
632 * Check to see if any environment variable is defined
633 * by the user for configuring metaslot. Users'
634 * setting always take precedence over the system wide
635 * setting. So, we will first check for any user's
636 * defined env variables before looking at the system-wide
637 * configuration.
638 */
639 get_user_metaslot_config();
640
641 /* no metaslot entry in /etc/crypto/pkcs11.conf */
642 if (!metaslot_entry) {
643 /*
644 * If user env variable indicates metaslot should be enabled,
645 * but there's no entry in /etc/crypto/pkcs11.conf for
646 * metaslot at all, will respect the user's defined value
647 */
648 if ((metaslot_config.enabled_specified) &&
649 (metaslot_config.enabled)) {
650 metaslot_enabled = B_TRUE;
651 }
652 } else {
653 if (!metaslot_config.enabled_specified) {
654 /*
655 * take system wide value if
656 * it is not specified by user
657 */
658 metaslot_enabled
659 = metaslot_entry->flag_metaslot_enabled;
660 } else {
661 metaslot_enabled = metaslot_config.enabled;
662 }
663 }
664
665 /*
666 *
667 * As long as the user or system configuration file does not
668 * disable metaslot, it will be enabled regardless of the
669 * number of slots plugged into the framework. Therefore,
670 * metaslot is enabled even when there's only one slot
671 * plugged into the framework. This is necessary for
672 * presenting a consistent token label view to applications.
673 *
674 * However, for the case where there is only 1 slot plugged into
675 * the framework, we can use "fastpath".
676 *
677 * "fastpath" will pass all of the application's requests
678 * directly to the underlying provider. Only when policy is in
679 * effect will we need to keep slotID around.
680 *
681 * When metaslot is enabled, and fastpath is enabled,
682 * all the metaslot processing will be skipped.
683 * When there is only 1 slot, there's
684 * really not much metaslot can do in terms of combining functionality
685 * of different slots, and object migration.
686 *
687 */
688
689 /* check to see if fastpath can be used */
690 if (slottable->st_last == slottable->st_first) {
691
692 cur_slot = slottable->st_slots[slottable->st_first];
693
694 (void) pthread_mutex_lock(&cur_slot->sl_mutex);
695
696 if ((cur_slot->sl_pol_count == 0) &&
697 (!cur_slot->sl_enabledpol) && (!cur_slot->sl_norandom)) {
698 /* No policy is in effect, don't need slotid */
699 fast_funcs = cur_slot->sl_func_list;
700 purefastpath = B_TRUE;
701 } else {
702 fast_funcs = cur_slot->sl_func_list;
703 fast_slot = slottable->st_first;
704 policyfastpath = B_TRUE;
705 }
706
707 (void) pthread_mutex_unlock(&cur_slot->sl_mutex);
708 }
709
710 if ((purefastpath || policyfastpath) && (!metaslot_enabled)) {
711 goto config_complete;
712 }
713
714 /*
715 * If we get here, there are more than 2 slots in the framework,
716 * we need to set up metaslot if it is enabled
717 */
718 if (metaslot_enabled) {
719 rv = setup_metaslot(metaslot_entry);
720 if (rv != CKR_OK) {
721 goto conferror;
722 }
723 }
724
725
726 config_complete:
727
728 return (CKR_OK);
729
730 conferror:
731 /*
732 * This cleanup code is only exercised when a major,
733 * unrecoverable error like "out of memory".
734 */
735 if (prov_funcs != NULL) {
736 (void) prov_funcs->C_Finalize(NULL);
737 }
738 if (dldesc != NULL) {
739 (void) dlclose(dldesc);
740 }
741 if (fullpath != NULL) {
742 free(fullpath);
743 fullpath = NULL;
744 }
745 if (prov_slots != NULL) {
746 free(prov_slots);
747 prov_slots = NULL;
748 }
749
750 return (rv);
751 }
752
753 /*
754 * pkcs11_mech_parse will take hex mechanism ids, as a list of
755 * strings, and convert them to CK_MECHANISM_TYPE_PTR.
756 */
757 CK_RV
pkcs11_mech_parse(umechlist_t * str_list,CK_MECHANISM_TYPE_PTR * mech_list,int mech_count)758 pkcs11_mech_parse(umechlist_t *str_list, CK_MECHANISM_TYPE_PTR *mech_list,
759 int mech_count)
760 {
761 CK_MECHANISM_TYPE_PTR tmp_list;
762 umechlist_t *shead = str_list;
763
764 tmp_list = malloc(mech_count * sizeof (CK_MECHANISM_TYPE));
765
766 if (tmp_list == NULL) {
767 cryptoerror(LOG_ERR, "libpkcs11: parsing %s, out of memory. "
768 "Cannot continue.",
769 _PATH_PKCS11_CONF);
770 return (CKR_HOST_MEMORY);
771 }
772
773 *mech_list = tmp_list;
774
775 /*
776 * The following will loop mech_count times, as there are
777 * exactly mech_count items in the str_list.
778 */
779 while (shead != NULL) {
780 CK_MECHANISM_TYPE cur_mech;
781
782 errno = 0;
783
784 /*
785 * "name" is a hexadecimal number, preceded by 0x.
786 */
787 cur_mech = strtoul(shead->name, NULL, 16);
788
789 if ((cur_mech == 0) &&
790 ((errno == EINVAL) || (errno == ERANGE))) {
791 free(mech_list);
792 return (CKR_MECHANISM_INVALID);
793 }
794 *tmp_list = (CK_MECHANISM_TYPE)cur_mech;
795 tmp_list++;
796 shead = shead->next;
797 }
798
799 return (CKR_OK);
800 }
801
802 /*
803 * pkcs11_is_dismech is provided a slotid and a mechanism.
804 * If mech is not disabled, then return B_FALSE.
805 */
806 boolean_t
pkcs11_is_dismech(CK_SLOT_ID slotid,CK_MECHANISM_TYPE mech)807 pkcs11_is_dismech(CK_SLOT_ID slotid, CK_MECHANISM_TYPE mech)
808 {
809 ulong_t i;
810 boolean_t enabled_pol;
811 CK_MECHANISM_TYPE_PTR pol_mechs;
812 ulong_t pol_count;
813
814 /* Find the associated slot and get the mech policy info */
815 (void) pthread_mutex_lock(&slottable->st_slots[slotid]->sl_mutex);
816 enabled_pol = slottable->st_slots[slotid]->sl_enabledpol;
817 pol_mechs = slottable->st_slots[slotid]->sl_pol_mechs;
818 pol_count = slottable->st_slots[slotid]->sl_pol_count;
819 (void) pthread_mutex_unlock(&slottable->st_slots[slotid]->sl_mutex);
820
821 /* Check for policy */
822 if ((!enabled_pol) && (pol_mechs == NULL)) {
823 /* no policy */
824 return (B_FALSE);
825 } else if (pol_mechs == NULL) {
826 /*
827 * We have an empty enabled list, which means no
828 * mechanisms are exempted from this policy: all
829 * are disabled.
830 */
831 return (B_TRUE);
832 }
833
834 for (i = 0; i < pol_count; i++) {
835 /*
836 * If it matches, return status based on this
837 * being and enabled or a disabled list of mechs.
838 */
839 if (pol_mechs[i] == mech) {
840 return (enabled_pol ? B_FALSE : B_TRUE);
841 }
842 }
843
844 /* mech was not found in list */
845 return (enabled_pol ? B_TRUE : B_FALSE);
846 }
847