xref: /illumos-gate/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c (revision e5803b76927480e8f9b67b22201c484ccf4c2bcf)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 /*
25  * Copyright 2010 Nexenta Systems, Inc.  All rights resrved.
26  */
27 
28 #include <cryptoutil.h>
29 #include <fcntl.h>
30 #include <libintl.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <strings.h>
34 #include <unistd.h>
35 #include <errno.h>
36 #include <dlfcn.h>
37 #include <link.h>
38 #include <sys/types.h>
39 #include <sys/stat.h>
40 #include <security/cryptoki.h>
41 #include "cryptoadm.h"
42 
43 #define	HDR1 "                                     P\n"
44 #define	HDR2 "                         S     V  K  a     U  D\n"
45 #define	HDR3 "                         i     e  e  i     n  e\n"
46 #define	HDR4 "                      S  g  V  r  y  r  W  w  r\n"
47 #define	HDR5 "             E  D  D  i  n  e  i  G  G  r  r  i\n"
48 #define	HDR6 "          H  n  e  i  g  +  r  +  e  e  a  a  v  E\n"
49 #define	HDR7 "min  max  W  c  c  g  n  R  i  R  n  n  p  p  e  C\n"
50 
51 
52 static int err; /* To store errno which may be overwritten by gettext() */
53 static boolean_t is_in_policylist(midstr_t, umechlist_t *);
54 static char *uent2str(uentry_t *);
55 static boolean_t check_random(CK_SLOT_ID, CK_FUNCTION_LIST_PTR);
56 
57 static void display_slot_flags(CK_FLAGS flags)
58 {
59 	(void) printf(gettext("Slot Flags: "));
60 	if (flags & CKF_TOKEN_PRESENT)
61 		(void) printf("CKF_TOKEN_PRESENT ");
62 	if (flags & CKF_REMOVABLE_DEVICE)
63 		(void) printf("CKF_REMOVABLE_DEVICE ");
64 	if (flags & CKF_HW_SLOT)
65 		(void) printf("CKF_HW_SLOT ");
66 	(void) printf("\n");
67 }
68 
69 void
70 display_token_flags(CK_FLAGS flags)
71 {
72 	(void) printf(gettext("Flags: "));
73 	if (flags & CKF_RNG)
74 		(void) printf("CKF_RNG ");
75 	if (flags & CKF_WRITE_PROTECTED)
76 		(void) printf("CKF_WRITE_PROTECTED ");
77 	if (flags & CKF_LOGIN_REQUIRED)
78 		(void) printf("CKF_LOGIN_REQUIRED ");
79 	if (flags & CKF_USER_PIN_INITIALIZED)
80 		(void) printf("CKF_USER_PIN_INITIALIZED ");
81 	if (flags & CKF_RESTORE_KEY_NOT_NEEDED)
82 		(void) printf("CKF_RESTORE_KEY_NOT_NEEDED ");
83 	if (flags & CKF_CLOCK_ON_TOKEN)
84 		(void) printf("CKF_CLOCK_ON_TOKEN ");
85 	if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
86 		(void) printf("CKF_PROTECTED_AUTHENTICATION_PATH ");
87 	if (flags & CKF_DUAL_CRYPTO_OPERATIONS)
88 		(void) printf("CKF_DUAL_CRYPTO_OPERATIONS ");
89 	if (flags & CKF_TOKEN_INITIALIZED)
90 		(void) printf("CKF_TOKEN_INITIALIZED ");
91 	if (flags & CKF_SECONDARY_AUTHENTICATION)
92 		(void) printf("CKF_SECONDARY_AUTHENTICATION ");
93 	if (flags & CKF_USER_PIN_COUNT_LOW)
94 		(void) printf("CKF_USER_PIN_COUNT_LOW ");
95 	if (flags & CKF_USER_PIN_FINAL_TRY)
96 		(void) printf("CKF_USER_PIN_FINAL_TRY ");
97 	if (flags & CKF_USER_PIN_LOCKED)
98 		(void) printf("CKF_USER_PIN_LOCKED ");
99 	if (flags & CKF_USER_PIN_TO_BE_CHANGED)
100 		(void) printf("CKF_USER_PIN_TO_BE_CHANGED ");
101 	if (flags & CKF_SO_PIN_COUNT_LOW)
102 		(void) printf("CKF_SO_PIN_COUNT_LOW ");
103 	if (flags & CKF_SO_PIN_FINAL_TRY)
104 		(void) printf("CKF_SO_PIN_FINAL_TRY ");
105 	if (flags & CKF_SO_PIN_LOCKED)
106 		(void) printf("CKF_SO_PIN_LOCKED ");
107 	if (flags & CKF_SO_PIN_TO_BE_CHANGED)
108 		(void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
109 	if (flags & CKF_SO_PIN_TO_BE_CHANGED)
110 		(void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
111 	(void) printf("\n");
112 }
113 
114 void
115 display_mech_info(CK_MECHANISM_INFO *mechInfo)
116 {
117 	CK_FLAGS ec_flags = CKF_EC_F_P | CKF_EC_F_2M | CKF_EC_ECPARAMETERS |
118 	    CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS;
119 
120 	(void) printf("%-4ld %-4ld ", mechInfo->ulMinKeySize,
121 	    mechInfo->ulMaxKeySize);
122 	(void) printf("%s  %s  %s  %s  %s  %s  %s  %s  %s  %s  %s  %s  "
123 	    "%s  %s",
124 	    (mechInfo->flags & CKF_HW) ? "X" : ".",
125 	    (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".",
126 	    (mechInfo->flags & CKF_DECRYPT) ? "X" : ".",
127 	    (mechInfo->flags & CKF_DIGEST) ? "X" : ".",
128 	    (mechInfo->flags & CKF_SIGN) ? "X" : ".",
129 	    (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".",
130 	    (mechInfo->flags & CKF_VERIFY) ? "X" : ".",
131 	    (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".",
132 	    (mechInfo->flags & CKF_GENERATE) ? "X" : ".",
133 	    (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".",
134 	    (mechInfo->flags & CKF_WRAP) ? "X" : ".",
135 	    (mechInfo->flags & CKF_UNWRAP) ? "X" : ".",
136 	    (mechInfo->flags & CKF_DERIVE) ? "X" : ".",
137 	    (mechInfo->flags & ec_flags) ? "X" : ".");
138 }
139 
140 /*
141  * Converts the provided list of mechanism names in their string format to
142  * their corresponding PKCS#11 mechanism IDs.
143  *
144  * The list of mechanism names to be converted is provided in the
145  * "mlist" argument.  The list of converted mechanism IDs is returned
146  * in the "pmech_list" argument.
147  *
148  * This function is called by list_metaslot_info() and
149  * list_mechlist_for_lib() functions.
150  */
151 int
152 convert_mechlist(CK_MECHANISM_TYPE **pmech_list, CK_ULONG *mech_count,
153     mechlist_t *mlist)
154 {
155 	int i, n = 0;
156 	mechlist_t *p = mlist;
157 
158 	while (p != NULL) {
159 		p = p->next;
160 		n++;
161 	}
162 
163 	*pmech_list = malloc(n * sizeof (CK_MECHANISM_TYPE));
164 	if (pmech_list == NULL) {
165 		cryptodebug("out of memory");
166 		return (FAILURE);
167 	}
168 	p = mlist;
169 	for (i = 0; i < n; i++) {
170 		if (pkcs11_str2mech(p->name, &(*pmech_list[i])) != CKR_OK) {
171 			free(*pmech_list);
172 			return (FAILURE);
173 		}
174 		p = p->next;
175 	}
176 	*mech_count = n;
177 	return (SUCCESS);
178 }
179 
180 /*
181  * Display the mechanism list for a user-level library
182  */
183 int
184 list_mechlist_for_lib(char *libname, mechlist_t *mlist,
185 		flag_val_t *rng_flag, boolean_t no_warn,
186 		boolean_t verbose, boolean_t show_mechs)
187 {
188 	CK_RV	rv = CKR_OK;
189 	CK_RV	(*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
190 	CK_FUNCTION_LIST_PTR	prov_funcs; /* Provider's function list */
191 	CK_SLOT_ID_PTR		prov_slots = NULL; /* Provider's slot list */
192 	CK_MECHANISM_TYPE_PTR	pmech_list = NULL; /* mech list for a slot */
193 	CK_SLOT_INFO	slotinfo;
194 	CK_ULONG	slot_count;
195 	CK_ULONG	mech_count;
196 	uentry_t	*puent = NULL;
197 	boolean_t	lib_initialized = B_FALSE;
198 	void		*dldesc = NULL;
199 	char		*dl_error;
200 	const char 	*mech_name;
201 	char		*isa;
202 	char		libpath[MAXPATHLEN];
203 	char		buf[MAXPATHLEN];
204 	int		i, j;
205 	int		rc = SUCCESS;
206 
207 	if (libname == NULL) {
208 		/* should not happen */
209 		cryptoerror(LOG_STDERR, gettext("internal error."));
210 		cryptodebug("list_mechlist_for_lib() - libname is NULL.");
211 		return (FAILURE);
212 	}
213 
214 	/* Check if the library is in the pkcs11.conf file */
215 	if ((puent = getent_uef(libname)) == NULL) {
216 		cryptoerror(LOG_STDERR,
217 		    gettext("%s does not exist."), libname);
218 		return (FAILURE);
219 	}
220 	free_uentry(puent);
221 
222 	/* Remove $ISA from the library name */
223 	if (strlcpy(buf, libname, sizeof (buf)) >= sizeof (buf)) {
224 		(void) printf(gettext("%s: the provider name is too long."),
225 		    libname);
226 		return (FAILURE);
227 	}
228 
229 	if ((isa = strstr(buf, PKCS11_ISA)) != NULL) {
230 		*isa = '\000';
231 		isa += strlen(PKCS11_ISA);
232 		(void) snprintf(libpath, MAXPATHLEN, "%s%s%s", buf, "/", isa);
233 	} else {
234 		(void) strlcpy(libpath, libname, sizeof (libpath));
235 	}
236 
237 	/*
238 	 * Open the provider. Use RTLD_NOW here, as a way to
239 	 * catch any providers with incomplete symbols that
240 	 * might otherwise cause problems during libpkcs11's
241 	 * execution.
242 	 */
243 	dldesc = dlopen(libpath, RTLD_NOW);
244 	if (dldesc == NULL) {
245 		dl_error = dlerror();
246 		cryptodebug("Cannot load PKCS#11 library %s.  dlerror: %s",
247 		    libname, dl_error != NULL ? dl_error : "Unknown");
248 		rc = FAILURE;
249 		goto clean_exit;
250 	}
251 
252 	/* Get the pointer to provider's C_GetFunctionList() */
253 	Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
254 	if (Tmp_C_GetFunctionList == NULL) {
255 		cryptodebug("Cannot get the address of the C_GetFunctionList "
256 		    "from %s", libname);
257 		rc = FAILURE;
258 		goto clean_exit;
259 	}
260 
261 	/* Get the provider's function list */
262 	rv = Tmp_C_GetFunctionList(&prov_funcs);
263 	if (rv != CKR_OK) {
264 		cryptodebug("failed to call C_GetFunctionList from %s",
265 		    libname);
266 		rc = FAILURE;
267 		goto clean_exit;
268 	}
269 
270 	/* Initialize this provider */
271 	rv = prov_funcs->C_Initialize(NULL_PTR);
272 	if (rv != CKR_OK) {
273 		cryptodebug("failed to call C_Initialize from %s, "
274 		    "return code = %d", libname, rv);
275 		rc = FAILURE;
276 		goto clean_exit;
277 	} else {
278 		lib_initialized = B_TRUE;
279 	}
280 
281 	/*
282 	 * Find out how many slots this provider has, call with tokenPresent
283 	 * set to FALSE so all potential slots are returned.
284 	 */
285 	rv = prov_funcs->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
286 	if (rv != CKR_OK) {
287 		cryptodebug("failed to get the slotlist from %s.", libname);
288 		rc = FAILURE;
289 		goto clean_exit;
290 	} else if (slot_count == 0) {
291 		if (!no_warn)
292 			(void) printf(gettext("%s: no slots presented.\n"),
293 			    libname);
294 		rc = SUCCESS;
295 		goto clean_exit;
296 	}
297 
298 	/* Allocate memory for the slot list */
299 	prov_slots = malloc(slot_count * sizeof (CK_SLOT_ID));
300 	if (prov_slots == NULL) {
301 		cryptodebug("out of memory.");
302 		rc = FAILURE;
303 		goto clean_exit;
304 	}
305 
306 	/* Get the slot list from provider */
307 	rv = prov_funcs->C_GetSlotList(FALSE, prov_slots, &slot_count);
308 	if (rv != CKR_OK) {
309 		cryptodebug("failed to call C_GetSlotList() from %s.",
310 		    libname);
311 		rc = FAILURE;
312 		goto clean_exit;
313 	}
314 
315 	if (verbose) {
316 		(void) printf(gettext("Number of slots: %d\n"), slot_count);
317 	}
318 
319 	/* Get the mechanism list for each slot */
320 	for (i = 0; i < slot_count; i++) {
321 		if (verbose)
322 			/*
323 			 * TRANSLATION_NOTE
324 			 * In some languages, the # symbol should be
325 			 * converted to "no", an "n" followed by a
326 			 * superscript "o"..
327 			 */
328 			(void) printf(gettext("\nSlot #%d\n"), i+1);
329 
330 		if ((rng_flag != NULL) && (*rng_flag == NO_RNG)) {
331 			if (check_random(prov_slots[i], prov_funcs)) {
332 				*rng_flag = HAS_RNG;
333 				rc = SUCCESS;
334 				goto clean_exit;
335 			} else
336 				continue;
337 		}
338 
339 		rv = prov_funcs->C_GetSlotInfo(prov_slots[i], &slotinfo);
340 		if (rv != CKR_OK) {
341 			cryptodebug("failed to get slotinfo from %s", libname);
342 			rc = FAILURE;
343 			break;
344 		}
345 		if (verbose) {
346 			CK_TOKEN_INFO tokeninfo;
347 
348 			(void) printf(gettext("Description: %.64s\n"
349 			    "Manufacturer: %.32s\n"
350 			    "PKCS#11 Version: %d.%d\n"),
351 			    slotinfo.slotDescription,
352 			    slotinfo.manufacturerID,
353 			    prov_funcs->version.major,
354 			    prov_funcs->version.minor);
355 
356 			(void) printf(gettext("Hardware Version: %d.%d\n"
357 			    "Firmware Version: %d.%d\n"),
358 			    slotinfo.hardwareVersion.major,
359 			    slotinfo.hardwareVersion.minor,
360 			    slotinfo.firmwareVersion.major,
361 			    slotinfo.firmwareVersion.minor);
362 
363 			(void) printf(gettext("Token Present: %s\n"),
364 			    (slotinfo.flags & CKF_TOKEN_PRESENT ?
365 			    gettext("True") : gettext("False")));
366 
367 			display_slot_flags(slotinfo.flags);
368 
369 			rv = prov_funcs->C_GetTokenInfo(prov_slots[i],
370 			    &tokeninfo);
371 			if (rv != CKR_OK) {
372 				cryptodebug("Failed to get "
373 				    "token info from %s", libname);
374 				rc = FAILURE;
375 				break;
376 			}
377 
378 			(void) printf(gettext("Token Label: %.32s\n"
379 			    "Manufacturer ID: %.32s\n"
380 			    "Model: %.16s\n"
381 			    "Serial Number: %.16s\n"
382 			    "Hardware Version: %d.%d\n"
383 			    "Firmware Version: %d.%d\n"
384 			    "UTC Time: %.16s\n"
385 			    "PIN Min Length: %d\n"
386 			    "PIN Max Length: %d\n"),
387 			    tokeninfo.label,
388 			    tokeninfo.manufacturerID,
389 			    tokeninfo.model,
390 			    tokeninfo.serialNumber,
391 			    tokeninfo.hardwareVersion.major,
392 			    tokeninfo.hardwareVersion.minor,
393 			    tokeninfo.firmwareVersion.major,
394 			    tokeninfo.firmwareVersion.minor,
395 			    tokeninfo.utcTime,
396 			    tokeninfo.ulMinPinLen,
397 			    tokeninfo.ulMaxPinLen);
398 
399 			display_token_flags(tokeninfo.flags);
400 		}
401 
402 		if (mlist == NULL) {
403 			rv = prov_funcs->C_GetMechanismList(prov_slots[i],
404 			    NULL_PTR, &mech_count);
405 			if (rv != CKR_OK) {
406 				cryptodebug(
407 				    "failed to call C_GetMechanismList() "
408 				    "from %s.", libname);
409 				rc = FAILURE;
410 				break;
411 			}
412 
413 			if (mech_count == 0) {
414 				/* no mechanisms in this slot */
415 				continue;
416 			}
417 
418 			pmech_list = malloc(mech_count *
419 			    sizeof (CK_MECHANISM_TYPE));
420 			if (pmech_list == NULL) {
421 				cryptodebug("out of memory");
422 				rc = FAILURE;
423 				break;
424 			}
425 
426 			/* Get the actual mechanism list */
427 			rv = prov_funcs->C_GetMechanismList(prov_slots[i],
428 			    pmech_list, &mech_count);
429 			if (rv != CKR_OK) {
430 				cryptodebug(
431 				    "failed to call C_GetMechanismList() "
432 				    "from %s.", libname);
433 				free(pmech_list);
434 				rc = FAILURE;
435 				break;
436 			}
437 		} else  {
438 			/* use the mechanism list passed in */
439 			rc = convert_mechlist(&pmech_list, &mech_count, mlist);
440 			if (rc != SUCCESS) {
441 				goto clean_exit;
442 			}
443 		}
444 		if (show_mechs)
445 			(void) printf(gettext("Mechanisms:\n"));
446 
447 		if (verbose && show_mechs) {
448 			display_verbose_mech_header();
449 		}
450 		/*
451 		 * Merge the current mechanism list into the returning
452 		 * mechanism list.
453 		 */
454 		for (j = 0; show_mechs && j < mech_count; j++) {
455 			CK_MECHANISM_TYPE	mech = pmech_list[j];
456 			CK_MECHANISM_INFO mech_info;
457 
458 			rv = prov_funcs->C_GetMechanismInfo(
459 			    prov_slots[i], mech, &mech_info);
460 			if (rv != CKR_OK) {
461 				cryptodebug(
462 				    "failed to call "
463 				    "C_GetMechanismInfo() from %s.",
464 				    libname);
465 				free(pmech_list);
466 				pmech_list = NULL;
467 				rc = FAILURE;
468 				break;
469 			}
470 			if (mech >= CKM_VENDOR_DEFINED) {
471 				(void) printf("%#lx", mech);
472 			} else {
473 				mech_name = pkcs11_mech2str(mech);
474 				(void) printf("%-29s", mech_name);
475 			}
476 
477 			if (verbose) {
478 				display_mech_info(&mech_info);
479 			}
480 			(void) printf("\n");
481 		}
482 		if (pmech_list)
483 			free(pmech_list);
484 		if (rc == FAILURE) {
485 			break;
486 		}
487 	}
488 
489 	if (rng_flag != NULL || rc == FAILURE) {
490 		goto clean_exit;
491 	}
492 
493 clean_exit:
494 
495 	if (rc == FAILURE) {
496 		(void) printf(gettext(
497 		    "%s: failed to retrieve the mechanism list.\n"), libname);
498 	}
499 
500 	if (lib_initialized) {
501 		(void) prov_funcs->C_Finalize(NULL_PTR);
502 	}
503 
504 	if (dldesc != NULL) {
505 		(void) dlclose(dldesc);
506 	}
507 
508 	if (prov_slots != NULL) {
509 		free(prov_slots);
510 	}
511 
512 	return (rc);
513 }
514 
515 
516 /*
517  * Display the mechanism policy for a user-level library
518  */
519 int
520 list_policy_for_lib(char *libname)
521 {
522 	uentry_t *puent = NULL;
523 	int rc;
524 
525 	if (libname == NULL) {
526 		/* should not happen */
527 		cryptoerror(LOG_STDERR, gettext("internal error."));
528 		cryptodebug("list_policy_for_lib() - libname is NULL.");
529 		return (FAILURE);
530 	}
531 
532 	/* Get the library entry from the pkcs11.conf file */
533 	if ((puent = getent_uef(libname)) == NULL) {
534 		cryptoerror(LOG_STDERR,
535 		    gettext("%s does not exist."), libname);
536 		return (FAILURE);
537 	}
538 
539 	/* Print the policy for this library */
540 	rc = print_uef_policy(puent);
541 	free_uentry(puent);
542 
543 	return (rc);
544 }
545 
546 
547 /*
548  * Disable mechanisms for a user-level library
549  */
550 int
551 disable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
552     mechlist_t *marglist)
553 {
554 	uentry_t	*puent;
555 	int	rc;
556 
557 	if (libname == NULL) {
558 		/* should not happen */
559 		cryptoerror(LOG_STDERR, gettext("internal error."));
560 		cryptodebug("disable_uef_lib() - libname is NULL.");
561 		return (FAILURE);
562 	}
563 
564 	/* Get the provider entry from the pkcs11.conf file */
565 	if ((puent = getent_uef(libname)) == NULL) {
566 		cryptoerror(LOG_STDERR,
567 		    gettext("%s does not exist."), libname);
568 		return (FAILURE);
569 	}
570 
571 	/*
572 	 * Update the mechanism policy of this library entry, based on
573 	 * the current policy mode of the library and the mechanisms specified
574 	 * in CLI.
575 	 */
576 	if (allflag) {
577 		/*
578 		 * If disabling all, just need to clean up the policylist and
579 		 * set the flag_enabledlist flag to be B_TRUE.
580 		 */
581 		free_umechlist(puent->policylist);
582 		puent->policylist = NULL;
583 		puent->count = 0;
584 		puent->flag_enabledlist = B_TRUE;
585 		rc = SUCCESS;
586 	} else if (marglist != NULL) {
587 		if (puent->flag_enabledlist == B_TRUE) {
588 			/*
589 			 * The current default policy mode of this library
590 			 * is "all are disabled, except ...", so if a
591 			 * specified mechanism is in the exception list
592 			 * (the policylist), delete it from the policylist.
593 			 */
594 			rc = update_policylist(puent, marglist, DELETE_MODE);
595 		} else {
596 			/*
597 			 * The current default policy mode of this library
598 			 * is "all are enabled", so if a specified mechanism
599 			 * is not in the exception list (policylist), add
600 			 * it into the policylist.
601 			 */
602 			rc = update_policylist(puent, marglist, ADD_MODE);
603 		}
604 	} else if (!rndflag) {
605 		/* should not happen */
606 		cryptoerror(LOG_STDERR, gettext("internal error."));
607 		cryptodebug("disable_uef_lib() - wrong arguments.");
608 		return (FAILURE);
609 	}
610 
611 	if (rndflag)
612 		puent->flag_norandom = B_TRUE;
613 
614 	if (rc == FAILURE) {
615 		free_uentry(puent);
616 		return (FAILURE);
617 	}
618 
619 	/* Update the pkcs11.conf file with the updated entry */
620 	rc = update_pkcs11conf(puent);
621 	free_uentry(puent);
622 	return (rc);
623 }
624 
625 
626 /*
627  * Enable disabled mechanisms for a user-level library.
628  */
629 int
630 enable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
631     mechlist_t *marglist)
632 {
633 	uentry_t	*puent;
634 	int	rc = SUCCESS;
635 
636 	if (libname == NULL) {
637 		/* should not happen */
638 		cryptoerror(LOG_STDERR, gettext("internal error."));
639 		cryptodebug("enable_uef_lib() - libname is NULL.");
640 		return (FAILURE);
641 	}
642 
643 	/* Get the provider entry from the pkcs11.conf file */
644 	if ((puent = getent_uef(libname)) == NULL) {
645 		cryptoerror(LOG_STDERR,
646 		    gettext("%s does not exist."), libname);
647 		return (FAILURE);
648 	}
649 
650 	/*
651 	 * Update the mechanism policy of this library entry, based on
652 	 * the current policy mode of the library and the mechanisms
653 	 * specified in CLI.
654 	 */
655 	if (allflag) {
656 		/*
657 		 * If enabling all, what needs to be done are cleaning up the
658 		 * policylist and setting the "flag_enabledlist" flag to
659 		 * B_FALSE.
660 		 */
661 		free_umechlist(puent->policylist);
662 		puent->policylist = NULL;
663 		puent->count = 0;
664 		puent->flag_enabledlist = B_FALSE;
665 		rc = SUCCESS;
666 	} else if (marglist != NULL) {
667 		if (puent->flag_enabledlist == B_TRUE) {
668 			/*
669 			 * The current default policy mode of this library
670 			 * is "all are disabled, except ...", so if a
671 			 * specified mechanism is not in the exception list
672 			 * (policylist), add it.
673 			 */
674 			rc = update_policylist(puent, marglist, ADD_MODE);
675 		} else {
676 			/*
677 			 * The current default policy mode of this library
678 			 * is "all are enabled, except", so if a specified
679 			 * mechanism is in the exception list (policylist),
680 			 * delete it.
681 			 */
682 			rc = update_policylist(puent, marglist, DELETE_MODE);
683 		}
684 	} else if (!rndflag) {
685 		/* should not come here */
686 		cryptoerror(LOG_STDERR, gettext("internal error."));
687 		cryptodebug("enable_uef_lib() - wrong arguments.");
688 		return (FAILURE);
689 	}
690 
691 	if (rndflag)
692 		puent->flag_norandom = B_FALSE;
693 
694 	if (rc == FAILURE) {
695 		free_uentry(puent);
696 		return (FAILURE);
697 	}
698 
699 	/* Update the pkcs11.conf file with the updated entry */
700 	rc = update_pkcs11conf(puent);
701 	free_uentry(puent);
702 	return (rc);
703 }
704 
705 
706 /*
707  * Install a user-level library.
708  */
709 int
710 install_uef_lib(char *libname)
711 {
712 	uentry_t	*puent;
713 	struct stat 	statbuf;
714 	char	libpath[MAXPATHLEN];
715 	char	libbuf[MAXPATHLEN];
716 	char	*isa;
717 
718 	if (libname == NULL) {
719 		/* should not happen */
720 		cryptoerror(LOG_STDERR, gettext("internal error."));
721 		cryptodebug("install_uef_lib() - libname is NULL.");
722 		return (FAILURE);
723 	}
724 
725 	/* Check if the provider already exists in the framework */
726 	if ((puent = getent_uef(libname)) != NULL) {
727 		cryptoerror(LOG_STDERR, gettext("%s exists already."),
728 		    libname);
729 		free_uentry(puent);
730 		return (FAILURE);
731 	}
732 
733 	/*
734 	 * Check if the library exists in the system. if $ISA is in the
735 	 * path, only check the 32bit version.
736 	 */
737 	if (strlcpy(libbuf, libname, MAXPATHLEN) >= MAXPATHLEN) {
738 		cryptoerror(LOG_STDERR,
739 		    gettext("the provider name is too long - %s"), libname);
740 		return (FAILURE);
741 	}
742 
743 	if ((isa = strstr(libbuf, PKCS11_ISA)) != NULL) {
744 		*isa = '\000';
745 		isa += strlen(PKCS11_ISA);
746 		(void) snprintf(libpath, sizeof (libpath), "%s%s%s", libbuf,
747 		    "/", isa);
748 	} else {
749 		(void) strlcpy(libpath, libname, sizeof (libpath));
750 	}
751 
752 	/* Check if it is same as the framework library */
753 	if (strcmp(libpath, UEF_FRAME_LIB) == 0) {
754 		cryptoerror(LOG_STDERR, gettext(
755 		    "The framework library %s can not be installed."),
756 		    libname);
757 		return (FAILURE);
758 	}
759 
760 	if (stat(libpath, &statbuf) != 0) {
761 		cryptoerror(LOG_STDERR, gettext("%s not found"), libname);
762 		return (FAILURE);
763 	}
764 
765 	/* Need to add "\n" to libname for adding into the config file */
766 	if (strlcat(libname, "\n", MAXPATHLEN) >= MAXPATHLEN) {
767 		cryptoerror(LOG_STDERR, gettext(
768 		    "can not install %s; the name is too long."), libname);
769 		return (FAILURE);
770 	}
771 
772 	return (update_conf(_PATH_PKCS11_CONF, libname));
773 
774 }
775 
776 
777 /*
778  * Uninstall a user-level library.
779  */
780 int
781 uninstall_uef_lib(char *libname)
782 {
783 	uentry_t	*puent;
784 	FILE	*pfile;
785 	FILE	*pfile_tmp;
786 	char 	buffer[BUFSIZ];
787 	char 	buffer2[BUFSIZ];
788 	char	tmpfile_name[MAXPATHLEN];
789 	char 	*name;
790 	boolean_t	found;
791 	boolean_t	in_package;
792 	int	len;
793 	int	rc = SUCCESS;
794 
795 	if (libname == NULL) {
796 		/* should not happen */
797 		cryptoerror(LOG_STDERR, gettext("internal error."));
798 		cryptodebug("uninstall_uef_lib() - libname is NULL.");
799 		return (FAILURE);
800 	}
801 
802 	/* Check if the provider exists */
803 	if ((puent = getent_uef(libname)) == NULL) {
804 		cryptoerror(LOG_STDERR,
805 		    gettext("%s does not exist."), libname);
806 		return (FAILURE);
807 	}
808 	free_uentry(puent);
809 
810 	/*  Open the pkcs11.conf file and lock it */
811 	if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
812 		err = errno;
813 		cryptoerror(LOG_STDERR,
814 		    gettext("failed to update the configuration - %s"),
815 		    strerror(err));
816 		cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
817 		return (FAILURE);
818 	}
819 
820 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
821 		err = errno;
822 		cryptoerror(LOG_STDERR,
823 		    gettext("failed to lock the configuration - %s"),
824 		    strerror(err));
825 		(void) fclose(pfile);
826 		return (FAILURE);
827 	}
828 
829 	/*
830 	 * Create a temporary file in the /etc/crypto directory to save
831 	 * the new configuration file first.
832 	 */
833 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
834 	if (mkstemp(tmpfile_name) == -1) {
835 		err = errno;
836 		cryptoerror(LOG_STDERR,
837 		    gettext("failed to create a temporary file - %s"),
838 		    strerror(err));
839 		(void) fclose(pfile);
840 		return (FAILURE);
841 	}
842 
843 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
844 		err = errno;
845 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
846 		    tmpfile_name, strerror(err));
847 		if (unlink(tmpfile_name) != 0) {
848 			err = errno;
849 			cryptoerror(LOG_STDERR, gettext(
850 			    "(Warning) failed to remove %s: %s"),
851 			    tmpfile_name, strerror(err));
852 		}
853 		(void) fclose(pfile);
854 		return (FAILURE);
855 	}
856 
857 
858 	/*
859 	 * Loop thru the config file.  If the library to be uninstalled
860 	 * is in a package, just comment it off.
861 	 */
862 	in_package = B_FALSE;
863 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
864 		found = B_FALSE;
865 		if (!(buffer[0] == ' ' || buffer[0] == '\n' ||
866 		    buffer[0] == '\t')) {
867 			if (strstr(buffer, " Start ") != NULL) {
868 				in_package = B_TRUE;
869 			} else if (strstr(buffer, " End ") != NULL) {
870 				in_package = B_FALSE;
871 			} else if (buffer[0] != '#') {
872 				(void) strlcpy(buffer2, buffer, BUFSIZ);
873 
874 				/* get rid of trailing '\n' */
875 				len = strlen(buffer2);
876 				if (buffer2[len-1] == '\n') {
877 					len--;
878 				}
879 				buffer2[len] = '\0';
880 
881 				if ((name = strtok(buffer2, SEP_COLON))
882 				    == NULL) {
883 					rc = FAILURE;
884 					break;
885 				} else if (strcmp(libname, name) == 0) {
886 					found = B_TRUE;
887 				}
888 			}
889 		}
890 
891 		if (found) {
892 			if (in_package) {
893 				(void) snprintf(buffer2, sizeof (buffer2),
894 				    "%s%s%s", "#", libname, "\n");
895 				if (fputs(buffer2, pfile_tmp) == EOF) {
896 					rc = FAILURE;
897 				}
898 			}
899 		} else {
900 			if (fputs(buffer, pfile_tmp) == EOF) {
901 				rc = FAILURE;
902 			}
903 		}
904 
905 		if (rc == FAILURE) {
906 			break;
907 		}
908 	}
909 
910 	if (rc == FAILURE) {
911 		cryptoerror(LOG_STDERR, gettext("write error."));
912 		(void) fclose(pfile);
913 		(void) fclose(pfile_tmp);
914 		if (unlink(tmpfile_name) != 0) {
915 			err = errno;
916 			cryptoerror(LOG_STDERR, gettext(
917 			    "(Warning) failed to remove %s: %s"),
918 			    tmpfile_name, strerror(err));
919 		}
920 		return (FAILURE);
921 	}
922 
923 	(void) fclose(pfile);
924 	if (fclose(pfile_tmp) != 0) {
925 		err = errno;
926 		cryptoerror(LOG_STDERR,
927 		    gettext("failed to close a temporary file - %s"),
928 		    strerror(err));
929 		return (FAILURE);
930 	}
931 
932 	/* Now update the real config file */
933 	if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
934 		err = errno;
935 		cryptoerror(LOG_STDERR,
936 		    gettext("failed to update the configuration - %s"),
937 		    strerror(err));
938 		cryptodebug("failed to rename %s to %s: %s", tmpfile,
939 		    _PATH_PKCS11_CONF, strerror(err));
940 		rc = FAILURE;
941 	} else if (chmod(_PATH_PKCS11_CONF,
942 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
943 		err = errno;
944 		cryptoerror(LOG_STDERR,
945 		    gettext("failed to update the configuration - %s"),
946 		    strerror(err));
947 		cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
948 		    strerror(err));
949 		rc = FAILURE;
950 	} else {
951 		rc = SUCCESS;
952 	}
953 
954 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
955 		err = errno;
956 		cryptoerror(LOG_STDERR, gettext(
957 		    "(Warning) failed to remove %s: %s"),
958 		    tmpfile_name, strerror(err));
959 	}
960 
961 	return (rc);
962 }
963 
964 
965 int
966 display_policy(uentry_t *puent)
967 {
968 	CK_MECHANISM_TYPE	mech_id;
969 	const char		*mech_name;
970 	umechlist_t		*ptr;
971 
972 	if (puent == NULL) {
973 		return (SUCCESS);
974 	}
975 
976 	if (puent->flag_enabledlist == B_FALSE) {
977 		(void) printf(gettext("%s: all mechanisms are enabled"),
978 		    puent->name);
979 		ptr = puent->policylist;
980 		if (ptr == NULL) {
981 			(void) printf(".");
982 		} else {
983 			(void) printf(gettext(", except "));
984 			while (ptr != NULL) {
985 				mech_id = strtoul(ptr->name, NULL, 0);
986 				if (mech_id & CKO_VENDOR_DEFINED) {
987 					/* vendor defined mechanism */
988 					(void) printf("%s", ptr->name);
989 				} else {
990 					if (mech_id >= CKM_VENDOR_DEFINED) {
991 						(void) printf("%#lx", mech_id);
992 					} else {
993 						mech_name = pkcs11_mech2str(
994 						    mech_id);
995 						if (mech_name == NULL) {
996 							return (FAILURE);
997 						}
998 						(void) printf("%s", mech_name);
999 					}
1000 				}
1001 
1002 				ptr = ptr->next;
1003 				if (ptr == NULL) {
1004 					(void) printf(".");
1005 				} else {
1006 					(void) printf(",");
1007 				}
1008 			}
1009 		}
1010 	} else { /* puent->flag_enabledlist == B_TRUE */
1011 		(void) printf(gettext("%s: all mechanisms are disabled"),
1012 		    puent->name);
1013 		ptr = puent->policylist;
1014 		if (ptr == NULL) {
1015 			(void) printf(".");
1016 		} else {
1017 			(void) printf(gettext(", except "));
1018 			while (ptr != NULL) {
1019 				mech_id = strtoul(ptr->name, NULL, 0);
1020 				if (mech_id & CKO_VENDOR_DEFINED) {
1021 					/* vendor defined mechanism */
1022 					(void) printf("%s", ptr->name);
1023 				} else {
1024 					mech_name = pkcs11_mech2str(mech_id);
1025 					if (mech_name == NULL) {
1026 						return (FAILURE);
1027 					}
1028 					(void) printf("%s", mech_name);
1029 				}
1030 				ptr = ptr->next;
1031 				if (ptr == NULL) {
1032 					(void) printf(".");
1033 				} else {
1034 					(void) printf(",");
1035 				}
1036 			}
1037 		}
1038 	}
1039 	return (SUCCESS);
1040 }
1041 
1042 
1043 
1044 /*
1045  * Print out the mechanism policy for a user-level provider pointed by puent.
1046  */
1047 int
1048 print_uef_policy(uentry_t *puent)
1049 {
1050 	flag_val_t rng_flag;
1051 
1052 	if (puent == NULL) {
1053 		return (FAILURE);
1054 	}
1055 
1056 	rng_flag = NO_RNG;
1057 	if (list_mechlist_for_lib(puent->name, NULL, &rng_flag, B_TRUE,
1058 	    B_FALSE, B_FALSE) != SUCCESS) {
1059 		cryptoerror(LOG_STDERR,
1060 		    gettext("%s internal error."), puent->name);
1061 		return (FAILURE);
1062 	}
1063 
1064 	if (display_policy(puent) != SUCCESS) {
1065 		goto failed_exit;
1066 	}
1067 
1068 
1069 	if (puent->flag_norandom == B_TRUE)
1070 		/*
1071 		 * TRANSLATION_NOTE
1072 		 * "random" is a keyword and not to be translated.
1073 		 */
1074 		(void) printf(gettext(" %s is disabled."), "random");
1075 	else {
1076 		if (rng_flag == HAS_RNG)
1077 			/*
1078 			 * TRANSLATION_NOTE
1079 			 * "random" is a keyword and not to be translated.
1080 			 */
1081 			(void) printf(gettext(" %s is enabled."), "random");
1082 	}
1083 	(void) printf("\n");
1084 
1085 	return (SUCCESS);
1086 
1087 failed_exit:
1088 
1089 	(void) printf(gettext("\nout of memory.\n"));
1090 	return (FAILURE);
1091 }
1092 
1093 
1094 /*
1095  * Check if the mechanism is in the mechanism list.
1096  */
1097 static boolean_t
1098 is_in_policylist(midstr_t mechname, umechlist_t *plist)
1099 {
1100 	boolean_t found = B_FALSE;
1101 
1102 	if (mechname == NULL) {
1103 		return (B_FALSE);
1104 	}
1105 
1106 	while (plist != NULL) {
1107 		if (strcmp(plist->name, mechname) == 0) {
1108 			found = B_TRUE;
1109 			break;
1110 		}
1111 		plist = plist->next;
1112 	}
1113 
1114 	return (found);
1115 }
1116 
1117 
1118 /*
1119  * Update the pkcs11.conf file with the updated entry.
1120  */
1121 int
1122 update_pkcs11conf(uentry_t *puent)
1123 {
1124 	FILE	*pfile;
1125 	FILE	*pfile_tmp;
1126 	char buffer[BUFSIZ];
1127 	char buffer2[BUFSIZ];
1128 	char tmpfile_name[MAXPATHLEN];
1129 	char *name;
1130 	char *str;
1131 	int len;
1132 	int rc = SUCCESS;
1133 	boolean_t found;
1134 
1135 	if (puent == NULL) {
1136 		cryptoerror(LOG_STDERR, gettext("internal error."));
1137 		return (FAILURE);
1138 	}
1139 
1140 	/* Open the pkcs11.conf file */
1141 	if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
1142 		err = errno;
1143 		cryptoerror(LOG_STDERR,
1144 		    gettext("failed to update the configuration - %s"),
1145 		    strerror(err));
1146 		cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
1147 		return (FAILURE);
1148 	}
1149 
1150 	/* Lock the pkcs11.conf file */
1151 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
1152 		err = errno;
1153 		cryptoerror(LOG_STDERR,
1154 		    gettext("failed to update the configuration - %s"),
1155 		    strerror(err));
1156 		(void) fclose(pfile);
1157 		return (FAILURE);
1158 	}
1159 
1160 	/*
1161 	 * Create a temporary file in the /etc/crypto directory to save
1162 	 * updated configuration file first.
1163 	 */
1164 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
1165 	if (mkstemp(tmpfile_name) == -1) {
1166 		err = errno;
1167 		cryptoerror(LOG_STDERR,
1168 		    gettext("failed to create a temporary file - %s"),
1169 		    strerror(err));
1170 		(void) fclose(pfile);
1171 		return (FAILURE);
1172 	}
1173 
1174 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
1175 		err = errno;
1176 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1177 		    tmpfile_name, strerror(err));
1178 		if (unlink(tmpfile_name) != 0) {
1179 			err = errno;
1180 			cryptoerror(LOG_STDERR, gettext(
1181 			    "(Warning) failed to remove %s: %s"),
1182 			    tmpfile_name, strerror(err));
1183 		}
1184 		(void) fclose(pfile);
1185 		return (FAILURE);
1186 	}
1187 
1188 
1189 	/*
1190 	 * Loop thru entire pkcs11.conf file, update the entry to be
1191 	 * updated and save the updated file to the temporary file first.
1192 	 */
1193 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1194 		found = B_FALSE;
1195 		if (!(buffer[0] == '#' || buffer[0] == ' ' ||
1196 		    buffer[0] == '\n'|| buffer[0] == '\t')) {
1197 			/*
1198 			 * Get the provider name from this line and check if
1199 			 * this is the entry to be updated. Note: can not use
1200 			 * "buffer" directly because strtok will change its
1201 			 * value.
1202 			 */
1203 			(void) strlcpy(buffer2, buffer, BUFSIZ);
1204 
1205 			/* get rid of trailing '\n' */
1206 			len = strlen(buffer2);
1207 			if (buffer2[len-1] == '\n') {
1208 				len--;
1209 			}
1210 			buffer2[len] = '\0';
1211 
1212 			if ((name = strtok(buffer2, SEP_COLON)) == NULL) {
1213 				rc = FAILURE;
1214 				break;
1215 			} else if (strcmp(puent->name, name) == 0) {
1216 				found = B_TRUE;
1217 			}
1218 		}
1219 
1220 		if (found) {
1221 			/*
1222 			 * This is the entry to be modified, get the updated
1223 			 * string.
1224 			 */
1225 			if ((str = uent2str(puent)) == NULL) {
1226 				rc = FAILURE;
1227 				break;
1228 			} else {
1229 				(void) strlcpy(buffer, str, BUFSIZ);
1230 				free(str);
1231 			}
1232 		}
1233 
1234 		if (fputs(buffer, pfile_tmp) == EOF) {
1235 			err = errno;
1236 			cryptoerror(LOG_STDERR, gettext(
1237 			    "failed to write to a temp file: %s."),
1238 			    strerror(err));
1239 			rc = FAILURE;
1240 			break;
1241 		}
1242 	}
1243 
1244 	if (rc == FAILURE) {
1245 		(void) fclose(pfile);
1246 		(void) fclose(pfile_tmp);
1247 		if (unlink(tmpfile_name) != 0) {
1248 			err = errno;
1249 			cryptoerror(LOG_STDERR, gettext(
1250 			    "(Warning) failed to remove %s: %s"),
1251 			    tmpfile_name, strerror(err));
1252 		}
1253 		return (FAILURE);
1254 	}
1255 
1256 	(void) fclose(pfile);
1257 	if (fclose(pfile_tmp) != 0) {
1258 		err = errno;
1259 		cryptoerror(LOG_STDERR,
1260 		    gettext("failed to close %s: %s"), tmpfile_name,
1261 		    strerror(err));
1262 		return (FAILURE);
1263 	}
1264 
1265 	/* Copy the temporary file to the pkcs11.conf file */
1266 	if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1267 		err = errno;
1268 		cryptoerror(LOG_STDERR,
1269 		    gettext("failed to update the configuration - %s"),
1270 		    strerror(err));
1271 		cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
1272 		    _PATH_PKCS11_CONF, strerror(err));
1273 		rc = FAILURE;
1274 	} else if (chmod(_PATH_PKCS11_CONF,
1275 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1276 		err = errno;
1277 		cryptoerror(LOG_STDERR,
1278 		    gettext("failed to update the configuration - %s"),
1279 		    strerror(err));
1280 		cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1281 		    strerror(err));
1282 		rc = FAILURE;
1283 	} else {
1284 		rc = SUCCESS;
1285 	}
1286 
1287 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1288 		err = errno;
1289 		cryptoerror(LOG_STDERR, gettext(
1290 		    "(Warning) failed to remove %s: %s"),
1291 		    tmpfile_name, strerror(err));
1292 	}
1293 
1294 	return (rc);
1295 }
1296 
1297 
1298 /*
1299  * Convert an uentry to a character string
1300  */
1301 static char *
1302 uent2str(uentry_t *puent)
1303 {
1304 	umechlist_t	*phead;
1305 	boolean_t tok1_present = B_FALSE;
1306 	char *buf;
1307 	char blank_buf[128];
1308 
1309 	if (puent == NULL) {
1310 		cryptoerror(LOG_STDERR, gettext("internal error."));
1311 		return (NULL);
1312 	}
1313 
1314 	buf = malloc(BUFSIZ);
1315 	if (buf == NULL) {
1316 		cryptoerror(LOG_STDERR, gettext("out of memory."));
1317 		return (NULL);
1318 	}
1319 
1320 	/* convert the library name */
1321 	if (strlcpy(buf, puent->name, BUFSIZ) >= BUFSIZ) {
1322 		free(buf);
1323 		return (NULL);
1324 	}
1325 
1326 
1327 	/* convert the enabledlist or the disabledlist */
1328 	if (puent->flag_enabledlist == B_TRUE) {
1329 		if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1330 			free(buf);
1331 			return (NULL);
1332 		}
1333 
1334 		if (strlcat(buf, EF_ENABLED, BUFSIZ) >= BUFSIZ) {
1335 			free(buf);
1336 			return (NULL);
1337 		}
1338 
1339 		phead = puent->policylist;
1340 		while (phead != NULL) {
1341 			if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1342 				free(buf);
1343 				return (NULL);
1344 			}
1345 
1346 			phead = phead->next;
1347 			if (phead != NULL) {
1348 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
1349 				    >= BUFSIZ) {
1350 					free(buf);
1351 					return (NULL);
1352 				}
1353 			}
1354 		}
1355 		tok1_present = B_TRUE;
1356 	} else if (puent->policylist != NULL) {
1357 		if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1358 			free(buf);
1359 			return (NULL);
1360 		}
1361 
1362 		if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) {
1363 			free(buf);
1364 			return (NULL);
1365 		}
1366 		phead = puent->policylist;
1367 		while (phead != NULL) {
1368 			if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1369 				free(buf);
1370 				return (NULL);
1371 			}
1372 
1373 			phead = phead->next;
1374 			if (phead != NULL) {
1375 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
1376 				    >= BUFSIZ) {
1377 					free(buf);
1378 					return (NULL);
1379 				}
1380 			}
1381 		}
1382 		tok1_present = B_TRUE;
1383 	}
1384 
1385 	if (puent->flag_norandom == B_TRUE) {
1386 		if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1387 		    BUFSIZ) >= BUFSIZ) {
1388 			free(buf);
1389 			return (NULL);
1390 		}
1391 
1392 		if (strlcat(buf, EF_NORANDOM, BUFSIZ) >= BUFSIZ) {
1393 			free(buf);
1394 			return (NULL);
1395 		}
1396 	}
1397 
1398 	if (strcmp(puent->name, METASLOT_KEYWORD) == 0) {
1399 
1400 		/* write the metaslot_status= value */
1401 		if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1402 		    BUFSIZ) >= BUFSIZ) {
1403 			free(buf);
1404 			return (NULL);
1405 		}
1406 
1407 		if (strlcat(buf, METASLOT_STATUS, BUFSIZ) >= BUFSIZ) {
1408 			free(buf);
1409 			return (NULL);
1410 		}
1411 
1412 		if (puent->flag_metaslot_enabled) {
1413 			if (strlcat(buf, ENABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1414 				free(buf);
1415 				return (NULL);
1416 			}
1417 		} else {
1418 			if (strlcat(buf, DISABLED_KEYWORD, BUFSIZ)
1419 			    >= BUFSIZ) {
1420 				free(buf);
1421 				return (NULL);
1422 			}
1423 		}
1424 
1425 		if (!tok1_present) {
1426 			tok1_present = B_TRUE;
1427 		}
1428 
1429 		if (strlcat(buf, SEP_SEMICOLON, BUFSIZ) >= BUFSIZ) {
1430 			free(buf);
1431 			return (NULL);
1432 		}
1433 
1434 		if (strlcat(buf, METASLOT_AUTO_KEY_MIGRATE, BUFSIZ) >= BUFSIZ) {
1435 			free(buf);
1436 			return (NULL);
1437 		}
1438 
1439 		if (puent->flag_metaslot_auto_key_migrate) {
1440 			if (strlcat(buf, ENABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1441 				free(buf);
1442 				return (NULL);
1443 			}
1444 		} else {
1445 			if (strlcat(buf, DISABLED_KEYWORD, BUFSIZ) >= BUFSIZ) {
1446 				free(buf);
1447 				return (NULL);
1448 			}
1449 		}
1450 
1451 		bzero(blank_buf, sizeof (blank_buf));
1452 
1453 		/* write metaslot_token= if specified */
1454 		if (memcmp(puent->metaslot_ks_token, blank_buf,
1455 		    TOKEN_LABEL_SIZE) != 0) {
1456 			/* write the metaslot_status= value */
1457 			if (strlcat(buf, (tok1_present ?
1458 			    SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1459 				free(buf);
1460 				return (NULL);
1461 			}
1462 
1463 			if (strlcat(buf, METASLOT_TOKEN, BUFSIZ) >= BUFSIZ) {
1464 				free(buf);
1465 				return (NULL);
1466 			}
1467 
1468 			if (strlcat(buf,
1469 			    (const char *)puent->metaslot_ks_token, BUFSIZ)
1470 			    >= BUFSIZ) {
1471 				free(buf);
1472 				return (NULL);
1473 			}
1474 		}
1475 
1476 		/* write metaslot_slot= if specified */
1477 		if (memcmp(puent->metaslot_ks_slot, blank_buf,
1478 		    SLOT_DESCRIPTION_SIZE) != 0) {
1479 			/* write the metaslot_status= value */
1480 			if (strlcat(buf, (tok1_present ?
1481 			    SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1482 				free(buf);
1483 				return (NULL);
1484 			}
1485 
1486 			if (strlcat(buf, METASLOT_SLOT, BUFSIZ) >= BUFSIZ) {
1487 				free(buf);
1488 				return (NULL);
1489 			}
1490 
1491 			if (strlcat(buf,
1492 			    (const char *)puent->metaslot_ks_slot, BUFSIZ)
1493 			    >= BUFSIZ) {
1494 				free(buf);
1495 				return (NULL);
1496 			}
1497 		}
1498 	}
1499 
1500 	if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) {
1501 		free(buf);
1502 		return (NULL);
1503 	}
1504 
1505 	return (buf);
1506 }
1507 
1508 
1509 /*
1510  * This function updates the default policy mode and the policy exception list
1511  * for a user-level provider based on the mechanism specified in the disable
1512  * or enable subcommand and the update mode.   This function is called by the
1513  * enable_uef_lib() or disable_uef_lib().
1514  */
1515 int
1516 update_policylist(uentry_t *puent, mechlist_t *marglist, int update_mode)
1517 {
1518 	CK_MECHANISM_TYPE mech_type;
1519 	midstr_t	midname;
1520 	umechlist_t	*phead;
1521 	umechlist_t	*pcur;
1522 	umechlist_t	*pumech;
1523 	boolean_t	found;
1524 	int	rc = SUCCESS;
1525 
1526 	if ((puent == NULL) || (marglist == NULL)) {
1527 		/* should not happen */
1528 		cryptoerror(LOG_STDERR, gettext("internal error."));
1529 		cryptodebug("update_policylist()- puent or marglist is NULL.");
1530 		return (FAILURE);
1531 	}
1532 
1533 	if ((update_mode != ADD_MODE) && (update_mode != DELETE_MODE)) {
1534 		/* should not happen */
1535 		cryptoerror(LOG_STDERR, gettext("internal error."));
1536 		cryptodebug("update_policylist() - update_mode is incorrect.");
1537 		return (FAILURE);
1538 	}
1539 
1540 	/*
1541 	 * For each mechanism operand, get its mechanism type first.
1542 	 * If fails to get the mechanism type, the mechanism operand must be
1543 	 * invalid, gives an warning and ignore it. Otherwise,
1544 	 * - convert the mechanism type to the internal representation (hex)
1545 	 *   in the pkcs11.conf file
1546 	 * - If update_mode == DELETE_MODE,
1547 	 *	If the mechanism is in the policy list, delete it.
1548 	 *	If the mechanism is not in the policy list, do nothing.
1549 	 * - If update_mode == ADD_MODE,
1550 	 *	If the mechanism is not in the policy list, add it.
1551 	 *	If the mechanism is in the policy list already, do nothing.
1552 	 */
1553 	while (marglist) {
1554 		if (pkcs11_str2mech(marglist->name, &mech_type) != CKR_OK) {
1555 			/*
1556 			 * This mechanism is not a valid PKCS11 mechanism,
1557 			 * give warning and ignore it.
1558 			 */
1559 			cryptoerror(LOG_STDERR, gettext(
1560 			    "(Warning) %s is not a valid PKCS#11 mechanism."),
1561 			    marglist->name);
1562 			rc = FAILURE;
1563 		} else {
1564 			(void) snprintf(midname, sizeof (midname), "%#010x",
1565 			    (int)mech_type);
1566 			if (update_mode == DELETE_MODE) {
1567 				found = B_FALSE;
1568 				phead = pcur = puent->policylist;
1569 				while (!found && pcur) {
1570 					if (strcmp(pcur->name, midname) == 0) {
1571 						found = B_TRUE;
1572 					} else {
1573 						phead = pcur;
1574 						pcur = pcur->next;
1575 					}
1576 				}
1577 
1578 				if (found) {
1579 					if (phead == pcur) {
1580 						puent->policylist =
1581 						    puent->policylist->next;
1582 						free(pcur);
1583 					} else {
1584 						phead->next = pcur->next;
1585 						free(pcur);
1586 					}
1587 					puent->count--;
1588 					if (puent->count == 0) {
1589 						puent->policylist = NULL;
1590 					}
1591 				}
1592 			} else if (update_mode == ADD_MODE) {
1593 				if (!is_in_policylist(midname,
1594 				    puent->policylist)) {
1595 					pumech = create_umech(midname);
1596 					if (pumech == NULL) {
1597 						rc = FAILURE;
1598 						break;
1599 					}
1600 					phead = puent->policylist;
1601 					puent->policylist = pumech;
1602 					pumech->next = phead;
1603 					puent->count++;
1604 				}
1605 			}
1606 		}
1607 		marglist = marglist->next;
1608 	}
1609 
1610 	return (rc);
1611 }
1612 
1613 /*
1614  * Open a session to the given slot and check if we can do
1615  * random numbers by asking for one byte.
1616  */
1617 static boolean_t
1618 check_random(CK_SLOT_ID slot_id, CK_FUNCTION_LIST_PTR prov_funcs)
1619 {
1620 	CK_RV rv;
1621 	CK_SESSION_HANDLE hSession;
1622 	CK_BYTE test_byte;
1623 	CK_BYTE_PTR test_byte_ptr = &test_byte;
1624 
1625 	rv = prov_funcs->C_OpenSession(slot_id, CKF_SERIAL_SESSION,
1626 	    NULL_PTR, NULL, &hSession);
1627 	if (rv != CKR_OK)
1628 		return (B_FALSE);
1629 
1630 	/* We care only about the return value */
1631 	rv = prov_funcs->C_GenerateRandom(hSession, test_byte_ptr,
1632 	    sizeof (test_byte));
1633 	(void) prov_funcs->C_CloseSession(hSession);
1634 
1635 	/*
1636 	 * These checks are purely to determine whether the slot can do
1637 	 * random numbers. So, we don't check whether the routine
1638 	 * succeeds. The reason we check for CKR_RANDOM_NO_RNG also is that
1639 	 * this error effectively means CKR_FUNCTION_NOT_SUPPORTED.
1640 	 */
1641 	if (rv != CKR_FUNCTION_NOT_SUPPORTED && rv != CKR_RANDOM_NO_RNG)
1642 		return (B_TRUE);
1643 	else
1644 		return (B_FALSE);
1645 }
1646 
1647 void
1648 display_verbose_mech_header()
1649 {
1650 	(void) printf("%28s %s", " ", HDR1);
1651 	(void) printf("%28s %s", " ", HDR2);
1652 	(void) printf("%28s %s", " ", HDR3);
1653 	(void) printf("%28s %s", " ", HDR4);
1654 	(void) printf("%28s %s", " ", HDR5);
1655 	(void) printf("%28s %s", " ", HDR6);
1656 	(void) printf("%-28.28s %s", gettext("mechanism name"), HDR7);
1657 	/*
1658 	 * TRANSLATION_NOTE
1659 	 * Strictly for appearance's sake, the first header line should be
1660 	 * as long as the length of the translated text above.  The format
1661 	 * lengths should all match too.
1662 	 */
1663 	(void) printf("%28s ---- ---- "
1664 	    "-  -  -  -  -  -  -  -  -  -  -  -  -  -\n",
1665 	    gettext("----------------------------"));
1666 }
1667