1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <cryptoutil.h> 29 #include <fcntl.h> 30 #include <libintl.h> 31 #include <stdio.h> 32 #include <stdlib.h> 33 #include <strings.h> 34 #include <unistd.h> 35 #include <errno.h> 36 #include <dlfcn.h> 37 #include <link.h> 38 #include <sys/types.h> 39 #include <sys/stat.h> 40 #include <security/cryptoki.h> 41 #include "cryptoadm.h" 42 43 #define HDR1 " P\n" 44 #define HDR2 " S V K a U D\n" 45 #define HDR3 " i e e i n e\n" 46 #define HDR4 " S g V r y r W w r\n" 47 #define HDR5 " E D D i n e i G G r r i\n" 48 #define HDR6 " H n e i g + r + e e a a v E\n" 49 #define HDR7 "min max W c c g n R i R n n p p e C\n" 50 51 52 static int err; /* To store errno which may be overwritten by gettext() */ 53 static boolean_t is_in_policylist(midstr_t, umechlist_t *); 54 static char *uent2str(uentry_t *); 55 static boolean_t check_random(CK_SLOT_ID, CK_FUNCTION_LIST_PTR); 56 57 static void display_slot_flags(CK_FLAGS flags) 58 { 59 (void) printf(gettext("Slot Flags: ")); 60 if (flags & CKF_TOKEN_PRESENT) 61 (void) printf("CKF_TOKEN_PRESENT "); 62 if (flags & CKF_REMOVABLE_DEVICE) 63 (void) printf("CKF_REMOVABLE_DEVICE "); 64 if (flags & CKF_HW_SLOT) 65 (void) printf("CKF_HW_SLOT "); 66 (void) printf("\n"); 67 } 68 69 void 70 display_token_flags(CK_FLAGS flags) 71 { 72 (void) printf(gettext("Flags: ")); 73 if (flags & CKF_RNG) 74 (void) printf("CKF_RNG "); 75 if (flags & CKF_WRITE_PROTECTED) 76 (void) printf("CKF_WRITE_PROTECTED "); 77 if (flags & CKF_LOGIN_REQUIRED) 78 (void) printf("CKF_LOGIN_REQUIRED "); 79 if (flags & CKF_USER_PIN_INITIALIZED) 80 (void) printf("CKF_USER_PIN_INITIALIZED "); 81 if (flags & CKF_RESTORE_KEY_NOT_NEEDED) 82 (void) printf("CKF_RESTORE_KEY_NOT_NEEDED "); 83 if (flags & CKF_CLOCK_ON_TOKEN) 84 (void) printf("CKF_CLOCK_ON_TOKEN "); 85 if (flags & CKF_PROTECTED_AUTHENTICATION_PATH) 86 (void) printf("CKF_PROTECTED_AUTHENTICATION_PATH "); 87 if (flags & CKF_DUAL_CRYPTO_OPERATIONS) 88 (void) printf("CKF_DUAL_CRYPTO_OPERATIONS "); 89 if (flags & CKF_TOKEN_INITIALIZED) 90 (void) printf("CKF_TOKEN_INITIALIZED "); 91 if (flags & CKF_SECONDARY_AUTHENTICATION) 92 (void) printf("CKF_SECONDARY_AUTHENTICATION "); 93 if (flags & CKF_USER_PIN_COUNT_LOW) 94 (void) printf("CKF_USER_PIN_COUNT_LOW "); 95 if (flags & CKF_USER_PIN_FINAL_TRY) 96 (void) printf("CKF_USER_PIN_FINAL_TRY "); 97 if (flags & CKF_USER_PIN_LOCKED) 98 (void) printf("CKF_USER_PIN_LOCKED "); 99 if (flags & CKF_USER_PIN_TO_BE_CHANGED) 100 (void) printf("CKF_USER_PIN_TO_BE_CHANGED "); 101 if (flags & CKF_SO_PIN_COUNT_LOW) 102 (void) printf("CKF_SO_PIN_COUNT_LOW "); 103 if (flags & CKF_SO_PIN_FINAL_TRY) 104 (void) printf("CKF_SO_PIN_FINAL_TRY "); 105 if (flags & CKF_SO_PIN_LOCKED) 106 (void) printf("CKF_SO_PIN_LOCKED "); 107 if (flags & CKF_SO_PIN_TO_BE_CHANGED) 108 (void) printf("CKF_SO_PIN_TO_BE_CHANGED "); 109 if (flags & CKF_SO_PIN_TO_BE_CHANGED) 110 (void) printf("CKF_SO_PIN_TO_BE_CHANGED "); 111 (void) printf("\n"); 112 } 113 114 void 115 display_mech_info(CK_MECHANISM_INFO *mechInfo) 116 { 117 CK_FLAGS ec_flags = CKF_EC_F_P | CKF_EC_F_2M | CKF_EC_ECPARAMETERS | 118 CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS; 119 120 (void) printf("%-4ld %-4ld ", mechInfo->ulMinKeySize, 121 mechInfo->ulMaxKeySize); 122 (void) printf("%s %s %s %s %s %s %s %s %s %s %s %s " 123 "%s %s", 124 (mechInfo->flags & CKF_HW) ? "X" : ".", 125 (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".", 126 (mechInfo->flags & CKF_DECRYPT) ? "X" : ".", 127 (mechInfo->flags & CKF_DIGEST) ? "X" : ".", 128 (mechInfo->flags & CKF_SIGN) ? "X" : ".", 129 (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".", 130 (mechInfo->flags & CKF_VERIFY) ? "X" : ".", 131 (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".", 132 (mechInfo->flags & CKF_GENERATE) ? "X" : ".", 133 (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".", 134 (mechInfo->flags & CKF_WRAP) ? "X" : ".", 135 (mechInfo->flags & CKF_UNWRAP) ? "X" : ".", 136 (mechInfo->flags & CKF_DERIVE) ? "X" : ".", 137 (mechInfo->flags & ec_flags) ? "X" : "."); 138 } 139 140 /* 141 * Converts the provided list of mechanism names in their string format to 142 * their corresponding PKCS#11 mechanism IDs. 143 * 144 * The list of mechanism names to be converted is provided in the 145 * "mlist" argument. The list of converted mechanism IDs is returned 146 * in the "pmech_list" argument. 147 * 148 * This function is called by list_metaslot_info() and 149 * list_mechlist_for_lib() functions. 150 */ 151 int 152 convert_mechlist(CK_MECHANISM_TYPE **pmech_list, CK_ULONG *mech_count, 153 mechlist_t *mlist) 154 { 155 int i, n = 0; 156 mechlist_t *p = mlist; 157 158 while (p != NULL) { 159 p = p->next; 160 n++; 161 } 162 163 *pmech_list = malloc(n * sizeof (CK_MECHANISM_TYPE)); 164 if (pmech_list == NULL) { 165 cryptodebug("out of memory"); 166 return (FAILURE); 167 } 168 p = mlist; 169 for (i = 0; i < n; i++) { 170 if (pkcs11_str2mech(p->name, &(*pmech_list[i])) != CKR_OK) { 171 free(*pmech_list); 172 return (FAILURE); 173 } 174 p = p->next; 175 } 176 *mech_count = n; 177 return (SUCCESS); 178 } 179 180 /* 181 * Display the mechanism list for a user-level library 182 */ 183 int 184 list_mechlist_for_lib(char *libname, mechlist_t *mlist, 185 flag_val_t *rng_flag, boolean_t no_warn, 186 boolean_t verbose, boolean_t show_mechs) 187 { 188 CK_RV rv = CKR_OK; 189 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR); 190 CK_FUNCTION_LIST_PTR prov_funcs; /* Provider's function list */ 191 CK_SLOT_ID_PTR prov_slots = NULL; /* Provider's slot list */ 192 CK_MECHANISM_TYPE_PTR pmech_list; /* mechanism list for a slot */ 193 CK_SLOT_INFO slotinfo; 194 CK_ULONG slot_count; 195 CK_ULONG mech_count; 196 uentry_t *puent = NULL; 197 boolean_t lib_initialized = B_FALSE; 198 void *dldesc = NULL; 199 char *dl_error; 200 const char *mech_name; 201 char *isa; 202 char libpath[MAXPATHLEN]; 203 char buf[MAXPATHLEN]; 204 int i, j; 205 int rc = SUCCESS; 206 207 if (libname == NULL) { 208 /* should not happen */ 209 cryptoerror(LOG_STDERR, gettext("internal error.")); 210 cryptodebug("list_mechlist_for_lib() - libname is NULL."); 211 return (FAILURE); 212 } 213 214 /* Check if the library is in the pkcs11.conf file */ 215 if ((puent = getent_uef(libname)) == NULL) { 216 cryptoerror(LOG_STDERR, 217 gettext("%s does not exist."), libname); 218 return (FAILURE); 219 } 220 free_uentry(puent); 221 222 /* Remove $ISA from the library name */ 223 if (strlcpy(buf, libname, sizeof (buf)) >= sizeof (buf)) { 224 (void) printf(gettext("%s: the provider name is too long."), 225 libname); 226 return (FAILURE); 227 } 228 229 if ((isa = strstr(buf, PKCS11_ISA)) != NULL) { 230 *isa = '\000'; 231 isa += strlen(PKCS11_ISA); 232 (void) snprintf(libpath, MAXPATHLEN, "%s%s%s", buf, "/", isa); 233 } else { 234 (void) strlcpy(libpath, libname, sizeof (libpath)); 235 } 236 237 /* Open the provider */ 238 dldesc = dlopen(libpath, RTLD_NOW); 239 if (dldesc == NULL) { 240 dl_error = dlerror(); 241 cryptodebug("Cannot load PKCS#11 library %s. dlerror: %s", 242 libname, dl_error != NULL ? dl_error : "Unknown"); 243 rc = FAILURE; 244 goto clean_exit; 245 } 246 247 /* Get the pointer to provider's C_GetFunctionList() */ 248 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList"); 249 if (Tmp_C_GetFunctionList == NULL) { 250 cryptodebug("Cannot get the address of the C_GetFunctionList " 251 "from %s", libname); 252 rc = FAILURE; 253 goto clean_exit; 254 } 255 256 /* Get the provider's function list */ 257 rv = Tmp_C_GetFunctionList(&prov_funcs); 258 if (rv != CKR_OK) { 259 cryptodebug("failed to call C_GetFunctionList from %s", 260 libname); 261 rc = FAILURE; 262 goto clean_exit; 263 } 264 265 /* Initialize this provider */ 266 rv = prov_funcs->C_Initialize(NULL_PTR); 267 if (rv != CKR_OK) { 268 cryptodebug("failed to call C_Initialize from %s, " 269 "return code = %d", libname, rv); 270 rc = FAILURE; 271 goto clean_exit; 272 } else { 273 lib_initialized = B_TRUE; 274 } 275 276 /* 277 * Find out how many slots this provider has, call with tokenPresent 278 * set to FALSE so all potential slots are returned. 279 */ 280 rv = prov_funcs->C_GetSlotList(FALSE, NULL_PTR, &slot_count); 281 if (rv != CKR_OK) { 282 cryptodebug("failed to get the slotlist from %s.", libname); 283 rc = FAILURE; 284 goto clean_exit; 285 } else if (slot_count == 0) { 286 if (!no_warn) 287 (void) printf(gettext("%s: no slots presented.\n"), 288 libname); 289 rc = SUCCESS; 290 goto clean_exit; 291 } 292 293 /* Allocate memory for the slot list */ 294 prov_slots = malloc(slot_count * sizeof (CK_SLOT_ID)); 295 if (prov_slots == NULL) { 296 cryptodebug("out of memory."); 297 rc = FAILURE; 298 goto clean_exit; 299 } 300 301 /* Get the slot list from provider */ 302 rv = prov_funcs->C_GetSlotList(FALSE, prov_slots, &slot_count); 303 if (rv != CKR_OK) { 304 cryptodebug("failed to call C_GetSlotList() from %s.", 305 libname); 306 rc = FAILURE; 307 goto clean_exit; 308 } 309 310 if (verbose) { 311 (void) printf(gettext("Number of slots: %d\n"), slot_count); 312 } 313 314 /* Get the mechanism list for each slot */ 315 for (i = 0; i < slot_count; i++) { 316 if (verbose) 317 /* 318 * TRANSLATION_NOTE: 319 * In some languages, the # symbol should be 320 * converted to "no", an "n" followed by a 321 * superscript "o".. 322 */ 323 (void) printf(gettext("\nSlot #%d\n"), i+1); 324 325 if ((rng_flag != NULL) && (*rng_flag == NO_RNG)) { 326 if (check_random(prov_slots[i], prov_funcs)) { 327 *rng_flag = HAS_RNG; 328 rc = SUCCESS; 329 goto clean_exit; 330 } else 331 continue; 332 } 333 334 rv = prov_funcs->C_GetSlotInfo(prov_slots[i], &slotinfo); 335 if (rv != CKR_OK) { 336 cryptodebug("failed to get slotinfo from %s", libname); 337 rc = FAILURE; 338 break; 339 } 340 if (verbose) { 341 CK_TOKEN_INFO tokeninfo; 342 343 (void) printf(gettext("Description: %.64s\n" 344 "Manufacturer: %.32s\n" 345 "PKCS#11 Version: %d.%d\n"), 346 slotinfo.slotDescription, 347 slotinfo.manufacturerID, 348 prov_funcs->version.major, 349 prov_funcs->version.minor); 350 351 (void) printf(gettext("Hardware Version: %d.%d\n" 352 "Firmware Version: %d.%d\n"), 353 slotinfo.hardwareVersion.major, 354 slotinfo.hardwareVersion.minor, 355 slotinfo.firmwareVersion.major, 356 slotinfo.firmwareVersion.minor); 357 358 (void) printf(gettext("Token Present: %s\n"), 359 (slotinfo.flags & CKF_TOKEN_PRESENT ? 360 gettext("True") : gettext("False"))); 361 362 display_slot_flags(slotinfo.flags); 363 364 rv = prov_funcs->C_GetTokenInfo(prov_slots[i], 365 &tokeninfo); 366 if (rv != CKR_OK) { 367 cryptodebug("Failed to get " 368 "token info from %s", libname); 369 rc = FAILURE; 370 break; 371 } 372 373 (void) printf(gettext("Token Label: %.32s\n" 374 "Manufacturer ID: %.32s\n" 375 "Model: %.16s\n" 376 "Serial Number: %.16s\n" 377 "Hardware Version: %d.%d\n" 378 "Firmware Version: %d.%d\n" 379 "UTC Time: %.16s\n" 380 "PIN Length: %d-%d\n"), 381 tokeninfo.label, 382 tokeninfo.manufacturerID, 383 tokeninfo.model, 384 tokeninfo.serialNumber, 385 tokeninfo.hardwareVersion.major, 386 tokeninfo.hardwareVersion.minor, 387 tokeninfo.firmwareVersion.major, 388 tokeninfo.firmwareVersion.minor, 389 tokeninfo.utcTime, 390 tokeninfo.ulMinPinLen, 391 tokeninfo.ulMaxPinLen); 392 393 display_token_flags(tokeninfo.flags); 394 } 395 396 if (mlist == NULL) { 397 rv = prov_funcs->C_GetMechanismList(prov_slots[i], 398 NULL_PTR, &mech_count); 399 if (rv != CKR_OK) { 400 cryptodebug( 401 "failed to call C_GetMechanismList() " 402 "from %s.", libname); 403 rc = FAILURE; 404 break; 405 } 406 407 if (mech_count == 0) { 408 /* no mechanisms in this slot */ 409 continue; 410 } 411 412 pmech_list = malloc(mech_count * 413 sizeof (CK_MECHANISM_TYPE)); 414 if (pmech_list == NULL) { 415 cryptodebug("out of memory"); 416 rc = FAILURE; 417 break; 418 } 419 420 /* Get the actual mechanism list */ 421 rv = prov_funcs->C_GetMechanismList(prov_slots[i], 422 pmech_list, &mech_count); 423 if (rv != CKR_OK) { 424 cryptodebug( 425 "failed to call C_GetMechanismList() " 426 "from %s.", libname); 427 (void) free(pmech_list); 428 rc = FAILURE; 429 break; 430 } 431 } else { 432 /* use the mechanism list passed in */ 433 rc = convert_mechlist(&pmech_list, &mech_count, mlist); 434 if (rc != SUCCESS) { 435 goto clean_exit; 436 } 437 } 438 if (show_mechs) 439 (void) printf(gettext("Mechanisms:\n")); 440 441 if (verbose && show_mechs) { 442 display_verbose_mech_header(); 443 } 444 /* 445 * Merge the current mechanism list into the returning 446 * mechanism list. 447 */ 448 for (j = 0; show_mechs && j < mech_count; j++) { 449 CK_MECHANISM_TYPE mech = pmech_list[j]; 450 451 if (mech > CKM_VENDOR_DEFINED) { 452 (void) printf("%#lx", mech); 453 } else { 454 mech_name = pkcs11_mech2str(mech); 455 (void) printf("%-29s", mech_name); 456 } 457 458 if (verbose) { 459 CK_MECHANISM_INFO mech_info; 460 rv = prov_funcs->C_GetMechanismInfo( 461 prov_slots[i], mech, &mech_info); 462 if (rv != CKR_OK) { 463 cryptodebug( 464 "failed to call " 465 "C_GetMechanismInfo() from %s.", 466 libname); 467 (void) free(pmech_list); 468 rc = FAILURE; 469 break; 470 } 471 display_mech_info(&mech_info); 472 } 473 (void) printf("\n"); 474 } 475 (void) free(pmech_list); 476 if (rc == FAILURE) { 477 break; 478 } 479 } 480 481 if (rng_flag != NULL || rc == FAILURE) { 482 goto clean_exit; 483 } 484 485 clean_exit: 486 487 if (rc == FAILURE) { 488 (void) printf(gettext( 489 "%s: failed to retrieve the mechanism list.\n"), libname); 490 } 491 492 if (lib_initialized) { 493 (void) prov_funcs->C_Finalize(NULL_PTR); 494 } 495 496 if (dldesc != NULL) { 497 (void) dlclose(dldesc); 498 } 499 500 if (prov_slots != NULL) { 501 (void) free(prov_slots); 502 } 503 504 return (rc); 505 } 506 507 508 /* 509 * Display the mechanism policy for a user-level library 510 */ 511 int 512 list_policy_for_lib(char *libname) 513 { 514 uentry_t *puent = NULL; 515 int rc; 516 517 if (libname == NULL) { 518 /* should not happen */ 519 cryptoerror(LOG_STDERR, gettext("internal error.")); 520 cryptodebug("list_policy_for_lib() - libname is NULL."); 521 return (FAILURE); 522 } 523 524 /* Get the library entry from the pkcs11.conf file */ 525 if ((puent = getent_uef(libname)) == NULL) { 526 cryptoerror(LOG_STDERR, 527 gettext("%s does not exist."), libname); 528 return (FAILURE); 529 } 530 531 /* Print the policy for this library */ 532 rc = print_uef_policy(puent); 533 free_uentry(puent); 534 535 return (rc); 536 } 537 538 539 /* 540 * Disable mechanisms for a user-level library 541 */ 542 int 543 disable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag, 544 mechlist_t *marglist) 545 { 546 uentry_t *puent; 547 int rc; 548 549 if (libname == NULL) { 550 /* should not happen */ 551 cryptoerror(LOG_STDERR, gettext("internal error.")); 552 cryptodebug("disable_uef_lib() - libname is NULL."); 553 return (FAILURE); 554 } 555 556 /* Get the provider entry from the pkcs11.conf file */ 557 if ((puent = getent_uef(libname)) == NULL) { 558 cryptoerror(LOG_STDERR, 559 gettext("%s does not exist."), libname); 560 return (FAILURE); 561 } 562 563 /* 564 * Update the mechanism policy of this library entry, based on 565 * the current policy mode of the library and the mechanisms specified 566 * in CLI. 567 */ 568 if (allflag) { 569 /* 570 * If disabling all, just need to clean up the policylist and 571 * set the flag_enabledlist flag to be B_TRUE. 572 */ 573 free_umechlist(puent->policylist); 574 puent->policylist = NULL; 575 puent->count = 0; 576 puent->flag_enabledlist = B_TRUE; 577 rc = SUCCESS; 578 } else if (marglist != NULL) { 579 if (puent->flag_enabledlist == B_TRUE) { 580 /* 581 * The current default policy mode of this library 582 * is "all are disabled, except ...", so if a 583 * specified mechanism is in the exception list 584 * (the policylist), delete it from the policylist. 585 */ 586 rc = update_policylist(puent, marglist, DELETE_MODE); 587 } else { 588 /* 589 * The current default policy mode of this library 590 * is "all are enabled", so if a specified mechanism 591 * is not in the exception list (policylist), add 592 * it into the policylist. 593 */ 594 rc = update_policylist(puent, marglist, ADD_MODE); 595 } 596 } else if (!rndflag) { 597 /* should not happen */ 598 cryptoerror(LOG_STDERR, gettext("internal error.")); 599 cryptodebug("disable_uef_lib() - wrong arguments."); 600 return (FAILURE); 601 } 602 603 if (rndflag) 604 puent->flag_norandom = B_TRUE; 605 606 if (rc == FAILURE) { 607 free_uentry(puent); 608 return (FAILURE); 609 } 610 611 /* Update the pkcs11.conf file with the updated entry */ 612 rc = update_pkcs11conf(puent); 613 free_uentry(puent); 614 return (rc); 615 } 616 617 618 /* 619 * Enable disabled mechanisms for a user-level library. 620 */ 621 int 622 enable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag, 623 mechlist_t *marglist) 624 { 625 uentry_t *puent; 626 int rc = SUCCESS; 627 628 if (libname == NULL) { 629 /* should not happen */ 630 cryptoerror(LOG_STDERR, gettext("internal error.")); 631 cryptodebug("enable_uef_lib() - libname is NULL."); 632 return (FAILURE); 633 } 634 635 /* Get the provider entry from the pkcs11.conf file */ 636 if ((puent = getent_uef(libname)) == NULL) { 637 cryptoerror(LOG_STDERR, 638 gettext("%s does not exist."), libname); 639 return (FAILURE); 640 } 641 642 /* 643 * Update the mechanism policy of this library entry, based on 644 * the current policy mode of the library and the mechanisms 645 * specified in CLI. 646 */ 647 if (allflag) { 648 /* 649 * If enabling all, what needs to be done are cleaning up the 650 * policylist and setting the "flag_enabledlist" flag to 651 * B_FALSE. 652 */ 653 free_umechlist(puent->policylist); 654 puent->policylist = NULL; 655 puent->count = 0; 656 puent->flag_enabledlist = B_FALSE; 657 rc = SUCCESS; 658 } else if (marglist != NULL) { 659 if (puent->flag_enabledlist == B_TRUE) { 660 /* 661 * The current default policy mode of this library 662 * is "all are disabled, except ...", so if a 663 * specified mechanism is not in the exception list 664 * (policylist), add it. 665 */ 666 rc = update_policylist(puent, marglist, ADD_MODE); 667 } else { 668 /* 669 * The current default policy mode of this library 670 * is "all are enabled, except", so if a specified 671 * mechanism is in the exception list (policylist), 672 * delete it. 673 */ 674 rc = update_policylist(puent, marglist, DELETE_MODE); 675 } 676 } else if (!rndflag) { 677 /* should not come here */ 678 cryptoerror(LOG_STDERR, gettext("internal error.")); 679 cryptodebug("enable_uef_lib() - wrong arguments."); 680 return (FAILURE); 681 } 682 683 if (rndflag) 684 puent->flag_norandom = B_FALSE; 685 686 if (rc == FAILURE) { 687 free_uentry(puent); 688 return (FAILURE); 689 } 690 691 /* Update the pkcs11.conf file with the updated entry */ 692 rc = update_pkcs11conf(puent); 693 free_uentry(puent); 694 return (rc); 695 } 696 697 698 /* 699 * Install a user-level library. 700 */ 701 int 702 install_uef_lib(char *libname) 703 { 704 uentry_t *puent; 705 struct stat statbuf; 706 boolean_t found; 707 FILE *pfile; 708 FILE *pfile_tmp; 709 char tmpfile_name[MAXPATHLEN]; 710 char libpath[MAXPATHLEN]; 711 char libbuf[MAXPATHLEN]; 712 char *isa; 713 char buffer[BUFSIZ]; 714 char *ptr; 715 int found_count; 716 int rc = SUCCESS; 717 718 719 if (libname == NULL) { 720 /* should not happen */ 721 cryptoerror(LOG_STDERR, gettext("internal error.")); 722 cryptodebug("install_uef_lib() - libname is NULL."); 723 return (FAILURE); 724 } 725 726 /* Check if the provider already exists in the framework */ 727 if ((puent = getent_uef(libname)) != NULL) { 728 cryptoerror(LOG_STDERR, gettext("%s exists already."), 729 libname); 730 free_uentry(puent); 731 return (FAILURE); 732 } 733 734 /* 735 * Check if the library exists in the system. if $ISA is in the 736 * path, only check the 32bit version. 737 */ 738 if (strlcpy(libbuf, libname, MAXPATHLEN) >= MAXPATHLEN) { 739 cryptoerror(LOG_STDERR, 740 gettext("the provider name is too long - %s"), libname); 741 return (FAILURE); 742 } 743 744 if ((isa = strstr(libbuf, PKCS11_ISA)) != NULL) { 745 *isa = '\000'; 746 isa += strlen(PKCS11_ISA); 747 (void) snprintf(libpath, sizeof (libpath), "%s%s%s", libbuf, 748 "/", isa); 749 } else { 750 (void) strlcpy(libpath, libname, sizeof (libpath)); 751 } 752 753 /* Check if it is same as the framework library */ 754 if (strcmp(libpath, UEF_FRAME_LIB) == 0) { 755 cryptoerror(LOG_STDERR, gettext( 756 "The framework library %s can not be installed."), 757 libname); 758 return (FAILURE); 759 } 760 761 if (stat(libpath, &statbuf) != 0) { 762 cryptoerror(LOG_STDERR, gettext("%s not found"), libname); 763 return (FAILURE); 764 } 765 766 /* Need to add "\n" to libname for adding into the config file */ 767 if (strlcat(libname, "\n", MAXPATHLEN) >= MAXPATHLEN) { 768 cryptoerror(LOG_STDERR, gettext( 769 "can not install %s; the name is too long."), libname); 770 return (FAILURE); 771 } 772 773 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) { 774 err = errno; 775 cryptoerror(LOG_STDERR, 776 gettext("failed to update the configuration - %s"), 777 strerror(err)); 778 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF); 779 return (FAILURE); 780 } 781 782 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) { 783 err = errno; 784 cryptoerror(LOG_STDERR, 785 gettext("failed to lock the configuration - %s"), 786 strerror(err)); 787 (void) fclose(pfile); 788 return (FAILURE); 789 } 790 791 /* 792 * Create a temporary file in the /etc/crypto directory. 793 */ 794 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name)); 795 if (mkstemp(tmpfile_name) == -1) { 796 err = errno; 797 cryptoerror(LOG_STDERR, 798 gettext("failed to create a temporary file - %s"), 799 strerror(err)); 800 (void) fclose(pfile); 801 return (FAILURE); 802 } 803 804 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) { 805 err = errno; 806 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"), 807 tmpfile_name, strerror(err)); 808 (void) fclose(pfile); 809 return (FAILURE); 810 } 811 812 /* 813 * Loop thru the config file. If the file was reserved within a 814 * package bracket, just uncomment it. Other wise, append it at 815 * the end. The resulting file will be saved in the temp file first. 816 */ 817 found_count = 0; 818 rc = SUCCESS; 819 while (fgets(buffer, BUFSIZ, pfile) != NULL) { 820 found = B_FALSE; 821 if (buffer[0] == '#') { 822 ptr = buffer; 823 ptr++; 824 if (strcmp(libname, ptr) == 0) { 825 found = B_TRUE; 826 found_count++; 827 } 828 } 829 830 if (found == B_FALSE) { 831 if (fputs(buffer, pfile_tmp) == EOF) { 832 rc = FAILURE; 833 } 834 } else { 835 if (found_count == 1) { 836 if (fputs(ptr, pfile_tmp) == EOF) { 837 rc = FAILURE; 838 } 839 } else { 840 /* 841 * Found a second entry with #libname. 842 * Should not happen. The pkcs11.conf file 843 * is corrupted. Give a warning and skip 844 * this entry. 845 */ 846 cryptoerror(LOG_STDERR, gettext( 847 "(Warning) Found an additional reserved " 848 "entry for %s."), libname); 849 } 850 } 851 852 if (rc == FAILURE) { 853 break; 854 } 855 } 856 857 if (rc == FAILURE) { 858 cryptoerror(LOG_STDERR, gettext("write error.")); 859 (void) fclose(pfile); 860 (void) fclose(pfile_tmp); 861 if (unlink(tmpfile_name) != 0) { 862 err = errno; 863 cryptoerror(LOG_STDERR, gettext( 864 "(Warning) failed to remove %s: %s"), tmpfile_name, 865 strerror(err)); 866 } 867 return (FAILURE); 868 } 869 870 if (found_count == 0) { 871 /* 872 * This libname was not in package before, append it to the 873 * end of the temp file. 874 */ 875 if (fputs(libname, pfile_tmp) == EOF) { 876 err = errno; 877 cryptoerror(LOG_STDERR, gettext( 878 "failed to write to %s: %s"), tmpfile_name, 879 strerror(err)); 880 (void) fclose(pfile); 881 (void) fclose(pfile_tmp); 882 if (unlink(tmpfile_name) != 0) { 883 err = errno; 884 cryptoerror(LOG_STDERR, gettext( 885 "(Warning) failed to remove %s: %s"), 886 tmpfile_name, strerror(err)); 887 } 888 return (FAILURE); 889 } 890 } 891 892 (void) fclose(pfile); 893 if (fclose(pfile_tmp) != 0) { 894 err = errno; 895 cryptoerror(LOG_STDERR, 896 gettext("failed to close %s: %s"), tmpfile_name, 897 strerror(err)); 898 return (FAILURE); 899 } 900 901 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) { 902 err = errno; 903 cryptoerror(LOG_STDERR, 904 gettext("failed to update the configuration - %s"), 905 strerror(err)); 906 cryptodebug("failed to rename %s to %s: %s", tmpfile_name, 907 _PATH_PKCS11_CONF, strerror(err)); 908 rc = FAILURE; 909 } else if (chmod(_PATH_PKCS11_CONF, 910 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { 911 err = errno; 912 cryptoerror(LOG_STDERR, 913 gettext("failed to update the configuration - %s"), 914 strerror(err)); 915 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF, 916 strerror(err)); 917 rc = FAILURE; 918 } else { 919 rc = SUCCESS; 920 } 921 922 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) { 923 err = errno; 924 cryptoerror(LOG_STDERR, gettext( 925 "(Warning) failed to remove %s: %s"), tmpfile_name, 926 strerror(err)); 927 } 928 929 return (rc); 930 } 931 932 933 /* 934 * Uninstall a user-level library. 935 */ 936 int 937 uninstall_uef_lib(char *libname) 938 { 939 uentry_t *puent; 940 FILE *pfile; 941 FILE *pfile_tmp; 942 char buffer[BUFSIZ]; 943 char buffer2[BUFSIZ]; 944 char tmpfile_name[MAXPATHLEN]; 945 char *name; 946 boolean_t found; 947 boolean_t in_package; 948 int len; 949 int rc = SUCCESS; 950 951 if (libname == NULL) { 952 /* should not happen */ 953 cryptoerror(LOG_STDERR, gettext("internal error.")); 954 cryptodebug("uninstall_uef_lib() - libname is NULL."); 955 return (FAILURE); 956 } 957 958 /* Check if the provider exists */ 959 if ((puent = getent_uef(libname)) == NULL) { 960 cryptoerror(LOG_STDERR, 961 gettext("%s does not exist."), libname); 962 return (FAILURE); 963 } 964 free_uentry(puent); 965 966 /* Open the pkcs11.conf file and lock it */ 967 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) { 968 err = errno; 969 cryptoerror(LOG_STDERR, 970 gettext("failed to update the configuration - %s"), 971 strerror(err)); 972 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF); 973 return (FAILURE); 974 } 975 976 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) { 977 err = errno; 978 cryptoerror(LOG_STDERR, 979 gettext("failed to lock the configuration - %s"), 980 strerror(err)); 981 (void) fclose(pfile); 982 return (FAILURE); 983 } 984 985 /* 986 * Create a temporary file in the /etc/crypto directory to save 987 * the new configuration file first. 988 */ 989 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name)); 990 if (mkstemp(tmpfile_name) == -1) { 991 err = errno; 992 cryptoerror(LOG_STDERR, 993 gettext("failed to create a temporary file - %s"), 994 strerror(err)); 995 (void) fclose(pfile); 996 return (FAILURE); 997 } 998 999 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) { 1000 err = errno; 1001 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"), 1002 tmpfile_name, strerror(err)); 1003 if (unlink(tmpfile_name) != 0) { 1004 err = errno; 1005 cryptoerror(LOG_STDERR, gettext( 1006 "(Warning) failed to remove %s: %s"), 1007 tmpfile_name, strerror(err)); 1008 } 1009 (void) fclose(pfile); 1010 return (FAILURE); 1011 } 1012 1013 1014 /* 1015 * Loop thru the config file. If the library to be uninstalled 1016 * is in a package, just comment it off. 1017 */ 1018 in_package = B_FALSE; 1019 while (fgets(buffer, BUFSIZ, pfile) != NULL) { 1020 found = B_FALSE; 1021 if (!(buffer[0] == ' ' || buffer[0] == '\n' || 1022 buffer[0] == '\t')) { 1023 if (strstr(buffer, " Start ") != NULL) { 1024 in_package = B_TRUE; 1025 } else if (strstr(buffer, " End ") != NULL) { 1026 in_package = B_FALSE; 1027 } else if (buffer[0] != '#') { 1028 (void) strlcpy(buffer2, buffer, BUFSIZ); 1029 1030 /* get rid of trailing '\n' */ 1031 len = strlen(buffer2); 1032 if (buffer2[len-1] == '\n') { 1033 len--; 1034 } 1035 buffer2[len] = '\0'; 1036 1037 if ((name = strtok(buffer2, SEP_COLON)) 1038 == NULL) { 1039 rc = FAILURE; 1040 break; 1041 } else if (strcmp(libname, name) == 0) { 1042 found = B_TRUE; 1043 } 1044 } 1045 } 1046 1047 if (found) { 1048 if (in_package) { 1049 (void) snprintf(buffer2, sizeof (buffer2), 1050 "%s%s%s", "#", libname, "\n"); 1051 if (fputs(buffer2, pfile_tmp) == EOF) { 1052 rc = FAILURE; 1053 } 1054 } 1055 } else { 1056 if (fputs(buffer, pfile_tmp) == EOF) { 1057 rc = FAILURE; 1058 } 1059 } 1060 1061 if (rc == FAILURE) { 1062 break; 1063 } 1064 } 1065 1066 if (rc == FAILURE) { 1067 cryptoerror(LOG_STDERR, gettext("write error.")); 1068 (void) fclose(pfile); 1069 (void) fclose(pfile_tmp); 1070 if (unlink(tmpfile_name) != 0) { 1071 err = errno; 1072 cryptoerror(LOG_STDERR, gettext( 1073 "(Warning) failed to remove %s: %s"), 1074 tmpfile_name, strerror(err)); 1075 } 1076 return (FAILURE); 1077 } 1078 1079 (void) fclose(pfile); 1080 if (fclose(pfile_tmp) != 0) { 1081 err = errno; 1082 cryptoerror(LOG_STDERR, 1083 gettext("failed to close a temporary file - %s"), 1084 strerror(err)); 1085 return (FAILURE); 1086 } 1087 1088 /* Now update the real config file */ 1089 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) { 1090 err = errno; 1091 cryptoerror(LOG_STDERR, 1092 gettext("failed to update the configuration - %s"), 1093 strerror(err)); 1094 cryptodebug("failed to rename %s to %s: %s", tmpfile, 1095 _PATH_PKCS11_CONF, strerror(err)); 1096 rc = FAILURE; 1097 } else if (chmod(_PATH_PKCS11_CONF, 1098 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { 1099 err = errno; 1100 cryptoerror(LOG_STDERR, 1101 gettext("failed to update the configuration - %s"), 1102 strerror(err)); 1103 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF, 1104 strerror(err)); 1105 rc = FAILURE; 1106 } else { 1107 rc = SUCCESS; 1108 } 1109 1110 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) { 1111 err = errno; 1112 cryptoerror(LOG_STDERR, gettext( 1113 "(Warning) failed to remove %s: %s"), 1114 tmpfile_name, strerror(err)); 1115 } 1116 1117 return (rc); 1118 } 1119 1120 1121 int 1122 display_policy(uentry_t *puent) 1123 { 1124 CK_MECHANISM_TYPE mech_id; 1125 const char *mech_name; 1126 umechlist_t *ptr; 1127 1128 if (puent == NULL) { 1129 return (SUCCESS); 1130 } 1131 1132 if (puent->flag_enabledlist == B_FALSE) { 1133 (void) printf(gettext("%s: all mechanisms are enabled"), 1134 puent->name); 1135 ptr = puent->policylist; 1136 if (ptr == NULL) { 1137 (void) printf("."); 1138 } else { 1139 (void) printf(gettext(", except ")); 1140 while (ptr != NULL) { 1141 mech_id = strtoul(ptr->name, NULL, 0); 1142 if (mech_id & CKO_VENDOR_DEFINED) { 1143 /* vendor defined mechanism */ 1144 (void) printf("%s", ptr->name); 1145 } else { 1146 if (mech_id > CKM_VENDOR_DEFINED) { 1147 (void) printf("%#lx", mech_id); 1148 } else { 1149 mech_name = pkcs11_mech2str( 1150 mech_id); 1151 if (mech_name == NULL) { 1152 return (FAILURE); 1153 } 1154 (void) printf("%s", mech_name); 1155 } 1156 } 1157 1158 ptr = ptr->next; 1159 if (ptr == NULL) { 1160 (void) printf("."); 1161 } else { 1162 (void) printf(","); 1163 } 1164 } 1165 } 1166 } else { /* puent->flag_enabledlist == B_TRUE */ 1167 (void) printf(gettext("%s: all mechanisms are disabled"), 1168 puent->name); 1169 ptr = puent->policylist; 1170 if (ptr == NULL) { 1171 (void) printf("."); 1172 } else { 1173 (void) printf(gettext(", except ")); 1174 while (ptr != NULL) { 1175 mech_id = strtoul(ptr->name, NULL, 0); 1176 if (mech_id & CKO_VENDOR_DEFINED) { 1177 /* vendor defined mechanism */ 1178 (void) printf("%s", ptr->name); 1179 } else { 1180 mech_name = pkcs11_mech2str(mech_id); 1181 if (mech_name == NULL) { 1182 return (FAILURE); 1183 } 1184 (void) printf("%s", mech_name); 1185 } 1186 ptr = ptr->next; 1187 if (ptr == NULL) { 1188 (void) printf("."); 1189 } else { 1190 (void) printf(","); 1191 } 1192 } 1193 } 1194 } 1195 return (SUCCESS); 1196 } 1197 1198 1199 1200 /* 1201 * Print out the mechanism policy for a user-level provider pointed by puent. 1202 */ 1203 int 1204 print_uef_policy(uentry_t *puent) 1205 { 1206 flag_val_t rng_flag; 1207 1208 if (puent == NULL) { 1209 return (FAILURE); 1210 } 1211 1212 rng_flag = NO_RNG; 1213 if (list_mechlist_for_lib(puent->name, NULL, &rng_flag, B_TRUE, 1214 B_FALSE, B_FALSE) != SUCCESS) { 1215 cryptoerror(LOG_STDERR, 1216 gettext("%s internal error."), puent->name); 1217 return (FAILURE); 1218 } 1219 1220 if (display_policy(puent) != SUCCESS) { 1221 goto failed_exit; 1222 } 1223 1224 1225 if (puent->flag_norandom == B_TRUE) 1226 /* 1227 * TRANSLATION_NOTE: 1228 * "random" is a keyword and not to be translated. 1229 */ 1230 (void) printf(gettext(" %s is disabled."), "random"); 1231 else { 1232 if (rng_flag == HAS_RNG) 1233 /* 1234 * TRANSLATION_NOTE: 1235 * "random" is a keyword and not to be translated. 1236 */ 1237 (void) printf(gettext(" %s is enabled."), "random"); 1238 } 1239 (void) printf("\n"); 1240 1241 return (SUCCESS); 1242 1243 failed_exit: 1244 1245 (void) printf(gettext("\nout of memory.\n")); 1246 return (FAILURE); 1247 } 1248 1249 1250 /* 1251 * Check if the mechanism is in the mechanism list. 1252 */ 1253 static boolean_t 1254 is_in_policylist(midstr_t mechname, umechlist_t *plist) 1255 { 1256 boolean_t found = B_FALSE; 1257 1258 if (mechname == NULL) { 1259 return (B_FALSE); 1260 } 1261 1262 while (plist != NULL) { 1263 if (strcmp(plist->name, mechname) == 0) { 1264 found = B_TRUE; 1265 break; 1266 } 1267 plist = plist->next; 1268 } 1269 1270 return (found); 1271 } 1272 1273 1274 /* 1275 * Update the pkcs11.conf file with the updated entry. 1276 */ 1277 int 1278 update_pkcs11conf(uentry_t *puent) 1279 { 1280 FILE *pfile; 1281 FILE *pfile_tmp; 1282 char buffer[BUFSIZ]; 1283 char buffer2[BUFSIZ]; 1284 char tmpfile_name[MAXPATHLEN]; 1285 char *name; 1286 char *str; 1287 int len; 1288 int rc = SUCCESS; 1289 boolean_t found; 1290 1291 if (puent == NULL) { 1292 cryptoerror(LOG_STDERR, gettext("internal error.")); 1293 return (FAILURE); 1294 } 1295 1296 /* Open the pkcs11.conf file */ 1297 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) { 1298 err = errno; 1299 cryptoerror(LOG_STDERR, 1300 gettext("failed to update the configuration - %s"), 1301 strerror(err)); 1302 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF); 1303 return (FAILURE); 1304 } 1305 1306 /* Lock the pkcs11.conf file */ 1307 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) { 1308 err = errno; 1309 cryptoerror(LOG_STDERR, 1310 gettext("failed to update the configuration - %s"), 1311 strerror(err)); 1312 (void) fclose(pfile); 1313 return (FAILURE); 1314 } 1315 1316 /* 1317 * Create a temporary file in the /etc/crypto directory to save 1318 * updated configuration file first. 1319 */ 1320 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name)); 1321 if (mkstemp(tmpfile_name) == -1) { 1322 err = errno; 1323 cryptoerror(LOG_STDERR, 1324 gettext("failed to create a temporary file - %s"), 1325 strerror(err)); 1326 (void) fclose(pfile); 1327 return (FAILURE); 1328 } 1329 1330 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) { 1331 err = errno; 1332 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"), 1333 tmpfile_name, strerror(err)); 1334 if (unlink(tmpfile_name) != 0) { 1335 err = errno; 1336 cryptoerror(LOG_STDERR, gettext( 1337 "(Warning) failed to remove %s: %s"), 1338 tmpfile_name, strerror(err)); 1339 } 1340 (void) fclose(pfile); 1341 return (FAILURE); 1342 } 1343 1344 1345 /* 1346 * Loop thru entire pkcs11.conf file, update the entry to be 1347 * updated and save the updated file to the temporary file first. 1348 */ 1349 while (fgets(buffer, BUFSIZ, pfile) != NULL) { 1350 found = B_FALSE; 1351 if (!(buffer[0] == '#' || buffer[0] == ' ' || 1352 buffer[0] == '\n'|| buffer[0] == '\t')) { 1353 /* 1354 * Get the provider name from this line and check if 1355 * this is the entry to be updated. Note: can not use 1356 * "buffer" directly because strtok will change its 1357 * value. 1358 */ 1359 (void) strlcpy(buffer2, buffer, BUFSIZ); 1360 1361 /* get rid of trailing '\n' */ 1362 len = strlen(buffer2); 1363 if (buffer2[len-1] == '\n') { 1364 len--; 1365 } 1366 buffer2[len] = '\0'; 1367 1368 if ((name = strtok(buffer2, SEP_COLON)) == NULL) { 1369 rc = FAILURE; 1370 break; 1371 } else if (strcmp(puent->name, name) == 0) { 1372 found = B_TRUE; 1373 } 1374 } 1375 1376 if (found) { 1377 /* 1378 * This is the entry to be modified, get the updated 1379 * string. 1380 */ 1381 if ((str = uent2str(puent)) == NULL) { 1382 rc = FAILURE; 1383 break; 1384 } else { 1385 (void) strlcpy(buffer, str, BUFSIZ); 1386 free(str); 1387 } 1388 } 1389 1390 if (fputs(buffer, pfile_tmp) == EOF) { 1391 err = errno; 1392 cryptoerror(LOG_STDERR, gettext( 1393 "failed to write to a temp file: %s."), 1394 strerror(err)); 1395 rc = FAILURE; 1396 break; 1397 } 1398 } 1399 1400 if (rc == FAILURE) { 1401 (void) fclose(pfile); 1402 (void) fclose(pfile_tmp); 1403 if (unlink(tmpfile_name) != 0) { 1404 err = errno; 1405 cryptoerror(LOG_STDERR, gettext( 1406 "(Warning) failed to remove %s: %s"), 1407 tmpfile_name, strerror(err)); 1408 } 1409 return (FAILURE); 1410 } 1411 1412 (void) fclose(pfile); 1413 if (fclose(pfile_tmp) != 0) { 1414 err = errno; 1415 cryptoerror(LOG_STDERR, 1416 gettext("failed to close %s: %s"), tmpfile_name, 1417 strerror(err)); 1418 return (FAILURE); 1419 } 1420 1421 /* Copy the temporary file to the pkcs11.conf file */ 1422 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) { 1423 err = errno; 1424 cryptoerror(LOG_STDERR, 1425 gettext("failed to update the configuration - %s"), 1426 strerror(err)); 1427 cryptodebug("failed to rename %s to %s: %s", tmpfile_name, 1428 _PATH_PKCS11_CONF, strerror(err)); 1429 rc = FAILURE; 1430 } else if (chmod(_PATH_PKCS11_CONF, 1431 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { 1432 err = errno; 1433 cryptoerror(LOG_STDERR, 1434 gettext("failed to update the configuration - %s"), 1435 strerror(err)); 1436 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF, 1437 strerror(err)); 1438 rc = FAILURE; 1439 } else { 1440 rc = SUCCESS; 1441 } 1442 1443 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) { 1444 err = errno; 1445 cryptoerror(LOG_STDERR, gettext( 1446 "(Warning) failed to remove %s: %s"), 1447 tmpfile_name, strerror(err)); 1448 } 1449 1450 return (rc); 1451 } 1452 1453 1454 /* 1455 * Convert an uentry to a character string 1456 */ 1457 static char * 1458 uent2str(uentry_t *puent) 1459 { 1460 umechlist_t *phead; 1461 boolean_t tok1_present = B_FALSE; 1462 char *buf; 1463 char blank_buf[128]; 1464 1465 if (puent == NULL) { 1466 cryptoerror(LOG_STDERR, gettext("internal error.")); 1467 return (NULL); 1468 } 1469 1470 buf = malloc(BUFSIZ); 1471 if (buf == NULL) { 1472 cryptoerror(LOG_STDERR, gettext("out of memory.")); 1473 return (NULL); 1474 } 1475 1476 /* convert the library name */ 1477 if (strlcpy(buf, puent->name, BUFSIZ) >= BUFSIZ) { 1478 free(buf); 1479 return (NULL); 1480 } 1481 1482 1483 /* convert the enabledlist or the disabledlist */ 1484 if (puent->flag_enabledlist == B_TRUE) { 1485 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) { 1486 free(buf); 1487 return (NULL); 1488 } 1489 1490 if (strlcat(buf, EF_ENABLED, BUFSIZ) >= BUFSIZ) { 1491 free(buf); 1492 return (NULL); 1493 } 1494 1495 phead = puent->policylist; 1496 while (phead != NULL) { 1497 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) { 1498 free(buf); 1499 return (NULL); 1500 } 1501 1502 phead = phead->next; 1503 if (phead != NULL) { 1504 if (strlcat(buf, SEP_COMMA, BUFSIZ) 1505 >= BUFSIZ) { 1506 free(buf); 1507 return (NULL); 1508 } 1509 } 1510 } 1511 tok1_present = B_TRUE; 1512 } else if (puent->policylist != NULL) { 1513 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) { 1514 free(buf); 1515 return (NULL); 1516 } 1517 1518 if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) { 1519 free(buf); 1520 return (NULL); 1521 } 1522 phead = puent->policylist; 1523 while (phead != NULL) { 1524 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) { 1525 free(buf); 1526 return (NULL); 1527 } 1528 1529 phead = phead->next; 1530 if (phead != NULL) { 1531 if (strlcat(buf, SEP_COMMA, BUFSIZ) 1532 >= BUFSIZ) { 1533 free(buf); 1534 return (NULL); 1535 } 1536 } 1537 } 1538 tok1_present = B_TRUE; 1539 } 1540 1541 if (puent->flag_norandom == B_TRUE) { 1542 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON), 1543 BUFSIZ) >= BUFSIZ) { 1544 free(buf); 1545 return (NULL); 1546 } 1547 1548 if (strlcat(buf, EF_NORANDOM, BUFSIZ) >= BUFSIZ) { 1549 free(buf); 1550 return (NULL); 1551 } 1552 } 1553 1554 if (strcmp(puent->name, METASLOT_KEYWORD) == 0) { 1555 1556 /* write the metaslot_status= value */ 1557 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON), 1558 BUFSIZ) >= BUFSIZ) { 1559 free(buf); 1560 return (NULL); 1561 } 1562 1563 if (strlcat(buf, METASLOT_STATUS, BUFSIZ) >= BUFSIZ) { 1564 free(buf); 1565 return (NULL); 1566 } 1567 1568 if (puent->flag_metaslot_enabled) { 1569 if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) { 1570 free(buf); 1571 return (NULL); 1572 } 1573 } else { 1574 if (strlcat(buf, METASLOT_DISABLED, BUFSIZ) 1575 >= BUFSIZ) { 1576 free(buf); 1577 return (NULL); 1578 } 1579 } 1580 1581 if (!tok1_present) { 1582 tok1_present = B_TRUE; 1583 } 1584 1585 if (strlcat(buf, SEP_SEMICOLON, BUFSIZ) >= BUFSIZ) { 1586 free(buf); 1587 return (NULL); 1588 } 1589 1590 if (strlcat(buf, METASLOT_AUTO_KEY_MIGRATE, BUFSIZ) >= BUFSIZ) { 1591 free(buf); 1592 return (NULL); 1593 } 1594 1595 if (puent->flag_metaslot_auto_key_migrate) { 1596 if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) { 1597 free(buf); 1598 return (NULL); 1599 } 1600 } else { 1601 if (strlcat(buf, METASLOT_DISABLED, BUFSIZ) >= BUFSIZ) { 1602 free(buf); 1603 return (NULL); 1604 } 1605 } 1606 1607 bzero(blank_buf, sizeof (blank_buf)); 1608 1609 /* write metaslot_token= if specified */ 1610 if (memcmp(puent->metaslot_ks_token, blank_buf, 1611 TOKEN_LABEL_SIZE) != 0) { 1612 /* write the metaslot_status= value */ 1613 if (strlcat(buf, (tok1_present ? 1614 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) { 1615 free(buf); 1616 return (NULL); 1617 } 1618 1619 if (strlcat(buf, METASLOT_TOKEN, BUFSIZ) >= BUFSIZ) { 1620 free(buf); 1621 return (NULL); 1622 } 1623 1624 if (strlcat(buf, 1625 (const char *)puent->metaslot_ks_token, BUFSIZ) 1626 >= BUFSIZ) { 1627 free(buf); 1628 return (NULL); 1629 } 1630 } 1631 1632 /* write metaslot_slot= if specified */ 1633 if (memcmp(puent->metaslot_ks_slot, blank_buf, 1634 SLOT_DESCRIPTION_SIZE) != 0) { 1635 /* write the metaslot_status= value */ 1636 if (strlcat(buf, (tok1_present ? 1637 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) { 1638 free(buf); 1639 return (NULL); 1640 } 1641 1642 if (strlcat(buf, METASLOT_SLOT, BUFSIZ) >= BUFSIZ) { 1643 free(buf); 1644 return (NULL); 1645 } 1646 1647 if (strlcat(buf, 1648 (const char *)puent->metaslot_ks_slot, BUFSIZ) 1649 >= BUFSIZ) { 1650 free(buf); 1651 return (NULL); 1652 } 1653 } 1654 } 1655 1656 if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) { 1657 free(buf); 1658 return (NULL); 1659 } 1660 1661 return (buf); 1662 } 1663 1664 1665 /* 1666 * This function updates the default policy mode and the policy exception list 1667 * for a user-level provider based on the mechanism specified in the disable 1668 * or enable subcommand and the update mode. This function is called by the 1669 * enable_uef_lib() or disable_uef_lib(). 1670 */ 1671 int 1672 update_policylist(uentry_t *puent, mechlist_t *marglist, int update_mode) 1673 { 1674 CK_MECHANISM_TYPE mech_type; 1675 midstr_t midname; 1676 umechlist_t *phead; 1677 umechlist_t *pcur; 1678 umechlist_t *pumech; 1679 boolean_t found; 1680 int rc = SUCCESS; 1681 1682 if ((puent == NULL) || (marglist == NULL)) { 1683 /* should not happen */ 1684 cryptoerror(LOG_STDERR, gettext("internal error.")); 1685 cryptodebug("update_policylist()- puent or marglist is NULL."); 1686 return (FAILURE); 1687 } 1688 1689 if ((update_mode != ADD_MODE) && (update_mode != DELETE_MODE)) { 1690 /* should not happen */ 1691 cryptoerror(LOG_STDERR, gettext("internal error.")); 1692 cryptodebug("update_policylist() - update_mode is incorrect."); 1693 return (FAILURE); 1694 } 1695 1696 /* 1697 * For each mechanism operand, get its mechanism type first. 1698 * If fails to get the mechanism type, the mechanism operand must be 1699 * invalid, gives an warning and ignore it. Otherwise, 1700 * - convert the mechanism type to the internal representation (hex) 1701 * in the pkcs11.conf file 1702 * - If update_mode == DELETE_MODE, 1703 * If the mechanism is in the policy list, delete it. 1704 * If the mechanism is not in the policy list, do nothing. 1705 * - If update_mode == ADD_MODE, 1706 * If the mechanism is not in the policy list, add it. 1707 * If the mechanism is in the policy list already, do nothing. 1708 */ 1709 while (marglist) { 1710 if (pkcs11_str2mech(marglist->name, &mech_type) != CKR_OK) { 1711 /* 1712 * This mechanism is not a valid PKCS11 mechanism, 1713 * give warning and ignore it. 1714 */ 1715 cryptoerror(LOG_STDERR, gettext( 1716 "(Warning) %s is not a valid PKCS#11 mechanism."), 1717 marglist->name); 1718 rc = FAILURE; 1719 } else { 1720 (void) snprintf(midname, sizeof (midname), "%#010x", 1721 (int)mech_type); 1722 if (update_mode == DELETE_MODE) { 1723 found = B_FALSE; 1724 phead = pcur = puent->policylist; 1725 while (!found && pcur) { 1726 if (strcmp(pcur->name, midname) == 0) { 1727 found = B_TRUE; 1728 } else { 1729 phead = pcur; 1730 pcur = pcur->next; 1731 } 1732 } 1733 1734 if (found) { 1735 if (phead == pcur) { 1736 puent->policylist = 1737 puent->policylist->next; 1738 free(pcur); 1739 } else { 1740 phead->next = pcur->next; 1741 free(pcur); 1742 } 1743 puent->count--; 1744 if (puent->count == 0) { 1745 puent->policylist = NULL; 1746 } 1747 } 1748 } else if (update_mode == ADD_MODE) { 1749 if (!is_in_policylist(midname, 1750 puent->policylist)) { 1751 pumech = create_umech(midname); 1752 if (pumech == NULL) { 1753 rc = FAILURE; 1754 break; 1755 } 1756 phead = puent->policylist; 1757 puent->policylist = pumech; 1758 pumech->next = phead; 1759 puent->count++; 1760 } 1761 } 1762 } 1763 marglist = marglist->next; 1764 } 1765 1766 return (rc); 1767 } 1768 1769 /* 1770 * Open a session to the given slot and check if we can do 1771 * random numbers by asking for one byte. 1772 */ 1773 static boolean_t 1774 check_random(CK_SLOT_ID slot_id, CK_FUNCTION_LIST_PTR prov_funcs) 1775 { 1776 CK_RV rv; 1777 CK_SESSION_HANDLE hSession; 1778 CK_BYTE test_byte; 1779 CK_BYTE_PTR test_byte_ptr = &test_byte; 1780 1781 rv = prov_funcs->C_OpenSession(slot_id, CKF_SERIAL_SESSION, 1782 NULL_PTR, NULL, &hSession); 1783 if (rv != CKR_OK) 1784 return (B_FALSE); 1785 1786 /* We care only about the return value */ 1787 rv = prov_funcs->C_GenerateRandom(hSession, test_byte_ptr, 1788 sizeof (test_byte)); 1789 (void) prov_funcs->C_CloseSession(hSession); 1790 1791 /* 1792 * These checks are purely to determine whether the slot can do 1793 * random numbers. So, we don't check whether the routine 1794 * succeeds. The reason we check for CKR_RANDOM_NO_RNG also is that 1795 * this error effectively means CKR_FUNCTION_NOT_SUPPORTED. 1796 */ 1797 if (rv != CKR_FUNCTION_NOT_SUPPORTED && rv != CKR_RANDOM_NO_RNG) 1798 return (B_TRUE); 1799 else 1800 return (B_FALSE); 1801 } 1802 1803 void 1804 display_verbose_mech_header() 1805 { 1806 (void) printf("%28s %s", " ", HDR1); 1807 (void) printf("%28s %s", " ", HDR2); 1808 (void) printf("%28s %s", " ", HDR3); 1809 (void) printf("%28s %s", " ", HDR4); 1810 (void) printf("%28s %s", " ", HDR5); 1811 (void) printf("%28s %s", " ", HDR6); 1812 (void) printf("%-28.28s %s", gettext("mechanism name"), HDR7); 1813 /* 1814 * TRANSLATION_NOTE: 1815 * Strictly for appearance's sake, the first header line should be 1816 * as long as the length of the translated text above. The format 1817 * lengths should all match too. 1818 */ 1819 (void) printf("%28s ---- ---- " 1820 "- - - - - - - - - - - - - -\n", 1821 gettext("----------------------------")); 1822 } 1823