xref: /illumos-gate/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c (revision a07094369b21309434206d9b3601d162693466fc)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <sys/types.h>
30 #include <sys/stat.h>
31 #include <dlfcn.h>
32 #include <fcntl.h>
33 #include <link.h>
34 #include <stdio.h>
35 #include <stdlib.h>
36 #include <strings.h>
37 #include <errno.h>
38 #include <door.h>
39 #include <pthread.h>
40 #include <sys/mman.h>
41 
42 #include <sys/crypto/elfsign.h>
43 #include <cryptoutil.h>
44 
45 #include <security/cryptoki.h>
46 #include "pkcs11Global.h"
47 #include "pkcs11Conf.h"
48 #include "pkcs11Slot.h"
49 #include "metaGlobal.h"
50 
51 /*
52  * Fastpath is used when there is only one slot available from a single provider
53  * plugged into the framework this is the common case.
54  * These globals are used to track the function pointers and policy when
55  * the fast-path is activated.
56  * This will need to be revisted if per-slot policy is ever
57  * implemented.
58  */
59 boolean_t purefastpath = B_FALSE;
60 boolean_t policyfastpath = B_FALSE;
61 CK_FUNCTION_LIST_PTR fast_funcs = NULL;
62 CK_SLOT_ID fast_slot = 0;
63 boolean_t metaslot_enabled = B_FALSE;
64 boolean_t metaslot_auto_key_migrate = B_FALSE;
65 metaslot_config_t metaslot_config;
66 
67 static const char *conf_err = "See cryptoadm(1M). Skipping this plug-in.";
68 
69 /*
70  * Set up metaslot for the framework using either user configuration
71  * or system wide configuration options
72  *
73  * Also sets up the global "slottable" to have the first slot be metaslot.
74  */
75 static CK_RV
76 setup_metaslot(uentry_t *metaslot_entry) {
77 	CK_RV rv;
78 	CK_MECHANISM_TYPE_PTR prov_pol_mechs = NULL;
79 	pkcs11_slot_t *cur_slot;
80 
81 	/* process policies for mechanisms */
82 	if ((metaslot_entry) && (metaslot_entry->count > 0)) {
83 		rv = pkcs11_mech_parse(metaslot_entry->policylist,
84 		    &prov_pol_mechs, metaslot_entry->count);
85 
86 		if (rv == CKR_HOST_MEMORY) {
87 			cryptoerror(LOG_ERR,
88 			    "libpkcs11: Could not parse configuration,"
89 			    "out of memory. Cannot continue parsing "
90 			    "%s.\n", _PATH_PKCS11_CONF);
91 			return (rv);
92 		} else if (rv == CKR_MECHANISM_INVALID) {
93 			/*
94 			 * Configuration file is corrupted for metaslot
95 			 */
96 			cryptoerror(LOG_ERR,
97 			    "libpkcs11: Policy invalid or corrupted "
98 			    "for metaslot. Use cryptoadm(1M) to fix "
99 			    "this. Disabling metaslot functionality.\n");
100 			metaslot_enabled = B_FALSE;
101 			return (rv);
102 		}
103 	}
104 
105 	/*
106 	 * Check for metaslot policy.  If all mechanisms are
107 	 * disabled, disable metaslot since there is nothing
108 	 * interesting for it to do
109 	 */
110 	if ((metaslot_entry) && (metaslot_entry->flag_enabledlist) &&
111 	    (prov_pol_mechs == NULL)) {
112 		metaslot_enabled = B_FALSE;
113 		return (rv);
114 	}
115 
116 	/*
117 	 * save system wide value for metaslot's keystore.
118 	 * If either slot description or token label is specified by
119 	 * the user, the system wide value for both is ignored.
120 	 */
121 	if ((metaslot_entry) &&
122 	    (!metaslot_config.keystore_token_specified) &&
123 	    (!metaslot_config.keystore_slot_specified)) {
124 		/*
125 		 * blank_str is used for comparing with token label,
126 		 * and slot description, make sure it is better than
127 		 * the larger of both
128 		 */
129 		char blank_str[TOKEN_LABEL_SIZE + SLOT_DESCRIPTION_SIZE];
130 
131 		bzero(blank_str, sizeof (blank_str));
132 
133 		if (memcmp(metaslot_entry->metaslot_ks_token,
134 		    blank_str, TOKEN_LABEL_SIZE) != 0) {
135 			metaslot_config.keystore_token_specified = B_TRUE;
136 			(void) strlcpy(
137 			    (char *)metaslot_config.keystore_token,
138 			    (const char *)metaslot_entry->metaslot_ks_token,
139 			    TOKEN_LABEL_SIZE);
140 		}
141 
142 		if (memcmp(metaslot_entry->metaslot_ks_slot,
143 		    blank_str, SLOT_DESCRIPTION_SIZE) != 0) {
144 			metaslot_config.keystore_slot_specified = B_TRUE;
145 			(void) strlcpy(
146 			    (char *)metaslot_config.keystore_slot,
147 			    (const char *)metaslot_entry->metaslot_ks_slot,
148 			    SLOT_DESCRIPTION_SIZE);
149 		}
150 	}
151 
152 	/* check system-wide value for auto_key_migrate */
153 	if (metaslot_config.auto_key_migrate_specified) {
154 		/* take user's specified value */
155 		metaslot_auto_key_migrate = metaslot_config.auto_key_migrate;
156 	} else {
157 		if (metaslot_entry) {
158 			/* use system-wide default */
159 			metaslot_auto_key_migrate =
160 			    metaslot_entry->flag_metaslot_auto_key_migrate;
161 		} else {
162 			/*
163 			 * there's no system wide metaslot entry,
164 			 * default auto_key_migrate to true
165 			 */
166 			metaslot_auto_key_migrate = B_TRUE;
167 		}
168 	}
169 
170 
171 	/* Make first slotID be 0, for metaslot. */
172 	slottable->st_first = 0;
173 
174 	/* Set up the slottable entry for metaslot */
175 	slottable->st_slots[0] = NULL;
176 	cur_slot = calloc(1, sizeof (pkcs11_slot_t));
177 	if (cur_slot == NULL) {
178 		rv = CKR_HOST_MEMORY;
179 		return (rv);
180 	}
181 	cur_slot->sl_wfse_state = WFSE_CLEAR;
182 	cur_slot->sl_enabledpol = B_FALSE;
183 	cur_slot->sl_no_wfse = B_FALSE;
184 	(void) pthread_mutex_init(&cur_slot->sl_mutex, NULL);
185 
186 	/*
187 	 * The metaslot entry was prealloc'd by
188 	 * pkcs11_slottable_increase()
189 	 */
190 	(void) pthread_mutex_lock(&slottable->st_mutex);
191 	slottable->st_slots[0] = cur_slot;
192 	(void) pthread_mutex_unlock(&slottable->st_mutex);
193 
194 	(void) pthread_mutex_lock(&cur_slot->sl_mutex);
195 	cur_slot->sl_id = METASLOT_SLOTID;
196 	cur_slot->sl_func_list = &metaslot_functionList;
197 	if (metaslot_entry) {
198 		cur_slot->sl_enabledpol = metaslot_entry->flag_enabledlist;
199 		cur_slot->sl_pol_count = metaslot_entry->count;
200 	} else {
201 		/* if no metaslot entry, assume all mechs are enabled */
202 		cur_slot->sl_enabledpol = B_FALSE;
203 		cur_slot->sl_pol_count = 0;
204 	}
205 	cur_slot->sl_pol_mechs = prov_pol_mechs;
206 	cur_slot->sl_dldesc = NULL; /* not applicable */
207 	cur_slot->sl_prov_id = 0;
208 	(void) pthread_mutex_unlock(&cur_slot->sl_mutex);
209 
210 	/* Call the meta_Initialize() to initialize metaslot */
211 	rv = meta_Initialize(NULL);
212 	if (rv != CKR_OK) {
213 		cryptoerror(LOG_ERR,
214 		    "libpkcs11: Can't initialize metaslot (%s)",
215 		    pkcs11_strerror(rv));
216 		goto cleanup;
217 	}
218 
219 	return (CKR_OK);
220 
221 cleanup:
222 	metaslot_enabled = B_FALSE;
223 	slottable->st_slots[0] = NULL;
224 
225 	if (cur_slot) {
226 		(void) pthread_mutex_destroy(&cur_slot->sl_mutex);
227 		free(cur_slot);
228 	}
229 	return (rv);
230 }
231 
232 /*
233  * For each provider found in pkcs11.conf: expand $ISA if necessary,
234  * verify the module is signed, load the provider, find all of its
235  * slots, and store the function list and disabled policy.
236  *
237  * This function requires that the uentrylist_t and pkcs11_slottable_t
238  * already have memory allocated, and that the uentrylist_t is already
239  * populated with provider and policy information.
240  *
241  * pInitArgs can be set to NULL, but is normally the same value
242  * the framework's C_Initialize() was called with.
243  *
244  * Unless metaslot is explicitly disabled, it is setup when all other
245  * providers are loaded.
246  */
247 CK_RV
248 pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs)
249 {
250 	CK_RV rv = CKR_OK;
251 	CK_RV prov_rv;			/* Provider's return code */
252 	CK_INFO prov_info;
253 	CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
254 	CK_FUNCTION_LIST_PTR prov_funcs = NULL; /* Provider's function list */
255 	CK_ULONG prov_slot_count; 		/* Number of slots */
256 	CK_SLOT_ID slot_id; 		/* slotID assigned for framework */
257 	CK_SLOT_ID_PTR prov_slots = NULL; 	/* Provider's slot list */
258 					/* Enabled or Disabled policy */
259 	CK_MECHANISM_TYPE_PTR prov_pol_mechs = NULL;
260 
261 	void *dldesc = NULL;
262 	char *isa, *fullpath = NULL, *dl_error;
263 	uentrylist_t *phead;
264 	uint_t prov_count = 0;
265 	pkcs11_slot_t *cur_slot;
266 	CK_ULONG i;
267 	size_t len;
268 	uentry_t *metaslot_entry = NULL;
269 	/* number of slots in the framework, not including metaslot */
270 	uint_t slot_count = 0;
271 
272 	ELFsign_status_t estatus = ELFSIGN_UNKNOWN;
273 	char *estatus_str = NULL;
274 	int kcfdfd = -1;
275 	door_arg_t	darg;
276 	kcf_door_arg_t *kda = NULL;
277 	kcf_door_arg_t *rkda = NULL;
278 	int r;
279 
280 	phead = pplist;
281 
282 	/* Loop through all of the provider listed in pkcs11.conf */
283 	while (phead != NULL) {
284 		if (!strcasecmp(phead->puent->name, "metaslot")) {
285 			/*
286 			 * Skip standard processing for metaslot
287 			 * entry since it is not an actual library
288 			 * that can be dlopened.
289 			 * It will be initialized later.
290 			 */
291 			if (metaslot_entry != NULL) {
292 				cryptoerror(LOG_ERR,
293 				    "libpkcs11: multiple entries for metaslot "
294 				    "detected.  All but the first entry will "
295 				    "be ignored");
296 			} else {
297 				metaslot_entry = phead->puent;
298 			}
299 			goto contparse;
300 		}
301 
302 		/* Check for Instruction Set Architecture indicator */
303 		if ((isa = strstr(phead->puent->name, PKCS11_ISA)) != NULL) {
304 			/* Substitute the architecture dependent path */
305 			len = strlen(phead->puent->name) -
306 			    strlen(PKCS11_ISA) +
307 			    strlen(PKCS11_ISA_DIR) + 1;
308 			if ((fullpath = (char *)malloc(len)) == NULL) {
309 				cryptoerror(LOG_ERR,
310 				    "libpksc11: parsing %s, out of memory. "
311 				    "Cannot continue parsing.",
312 				    _PATH_PKCS11_CONF);
313 				rv = CKR_HOST_MEMORY;
314 				goto conferror;
315 			}
316 			*isa = '\000';
317 			isa += strlen(PKCS11_ISA);
318 			(void) snprintf(fullpath, len, "%s%s%s",
319 			    phead->puent->name, PKCS11_ISA_DIR, isa);
320 		} else if ((fullpath = strdup(phead->puent->name)) == 0) {
321 			cryptoerror(LOG_ERR,
322 			    "libpkcs11: parsing %s, out of memory. "
323 			    "Cannot continue parsing.",
324 			    _PATH_PKCS11_CONF);
325 			rv = CKR_HOST_MEMORY;
326 			goto conferror;
327 		}
328 
329 		/*
330 		 * Open the provider. Use RTLD_NOW to make sure we
331 		 * will not encounter symbol referencing errors later.
332 		 * Use RTLD_GROUP to limit the provider to it's own
333 		 * symbols, which prevents it from mistakenly accessing
334 		 * the framework's C_* functions.
335 		 */
336 		dldesc = dlopen(fullpath, RTLD_NOW|RTLD_GROUP);
337 
338 		/*
339 		 * If we failed to load it, we will just skip this
340 		 * provider and move on to the next one.
341 		 */
342 		if (dldesc == NULL) {
343 			dl_error = dlerror();
344 			cryptoerror(LOG_ERR,
345 			    "libpkcs11: Cannot load PKCS#11 library %s.  "
346 			    "dlerror: %s. %s",
347 			    fullpath, dl_error != NULL ? dl_error : "Unknown",
348 			    conf_err);
349 			goto contparse;
350 		}
351 
352 		/* Get the pointer to provider's C_GetFunctionList() */
353 		Tmp_C_GetFunctionList =
354 		    (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
355 
356 		/*
357 		 * If we failed to get the pointer to C_GetFunctionList(),
358 		 * skip this provider and continue to the next one.
359 		 */
360 		if (Tmp_C_GetFunctionList == NULL) {
361 			cryptoerror(LOG_ERR,
362 			    "libpkcs11: Could not dlsym() C_GetFunctionList() "
363 			    "for %s. May not be a PKCS#11 library. %s",
364 			    fullpath, conf_err);
365 			(void) dlclose(dldesc);
366 			goto contparse;
367 		}
368 
369 
370 		/* Get the provider's function list */
371 		prov_rv = Tmp_C_GetFunctionList(&prov_funcs);
372 
373 		/*
374 		 * If we failed to get the provider's function list,
375 		 * skip this provider and continue to the next one.
376 		 */
377 		if (prov_rv != CKR_OK) {
378 			cryptoerror(LOG_ERR,
379 			    "libpkcs11: Could not get function list for %s. "
380 			    "%s Error: %s.",
381 			    fullpath, conf_err, pkcs11_strerror(prov_rv));
382 			(void) dlclose(dldesc);
383 			goto contparse;
384 		}
385 
386 		/* Initialize this provider */
387 		prov_rv = prov_funcs->C_Initialize(pInitArgs);
388 
389 		/*
390 		 * If we failed to initialize this provider,
391 		 * skip this provider and continue to the next one.
392 		 */
393 		if ((prov_rv != CKR_OK) &&
394 		    (prov_rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
395 			cryptoerror(LOG_ERR,
396 			    "libpkcs11: Could not initialize %s. "
397 			    "%s Error: %s.",
398 			    fullpath, conf_err, pkcs11_strerror(prov_rv));
399 			(void) dlclose(dldesc);
400 			goto contparse;
401 		}
402 
403 		/*
404 		 * Make sure this provider is implementing the same
405 		 * major version, and at least the same minor version
406 		 * that we are.
407 		 */
408 		prov_rv = prov_funcs->C_GetInfo(&prov_info);
409 
410 		/*
411 		 * If we can't verify that we are implementing the
412 		 * same major version, or if it is definitely not the same
413 		 * version, we need to skip this provider.
414 		 */
415 		if ((prov_rv != CKR_OK) ||
416 		    (prov_info.cryptokiVersion.major !=
417 			CRYPTOKI_VERSION_MAJOR))  {
418 			if (prov_rv != CKR_OK) {
419 				cryptoerror(LOG_ERR,
420 				    "libpkcs11: Could not verify version of "
421 				    "%s. %s Error: %s.", fullpath,
422 				    conf_err, pkcs11_strerror(prov_rv));
423 			} else {
424 				cryptoerror(LOG_ERR,
425 				    "libpkcs11: Only CRYPTOKI major version "
426 				    "%d is supported.  %s is major "
427 				    "version %d. %s",
428 				    CRYPTOKI_VERSION_MAJOR, fullpath,
429 				    prov_info.cryptokiVersion.major, conf_err);
430 			}
431 			(void) prov_funcs->C_Finalize(NULL);
432 			(void) dlclose(dldesc);
433 			goto contparse;
434 		}
435 
436 		/*
437 		 * Warn the administrator (at debug) that a provider with
438 		 * a significantly older or newer version of
439 		 * CRYPTOKI is being used.  It should not cause
440 		 * problems, but logging a warning makes it easier
441 		 * to debug later.
442 		 */
443 		if ((prov_info.cryptokiVersion.minor <
444 			CRYPTOKI_VERSION_WARN_MINOR) ||
445 		    (prov_info.cryptokiVersion.minor >
446 			CRYPTOKI_VERSION_MINOR)) {
447 			cryptoerror(LOG_DEBUG,
448 			    "libpkcs11: %s CRYPTOKI minor version, %d, may "
449 			    "not be compatible with minor version %d.",
450 			    fullpath, prov_info.cryptokiVersion.minor,
451 			    CRYPTOKI_VERSION_MINOR);
452 		}
453 
454 		/*
455 		 * Find out how many slots this provider has,
456 		 * call with tokenPresent set to FALSE so all
457 		 * potential slots are returned.
458 		 */
459 		prov_rv = prov_funcs->C_GetSlotList(FALSE,
460 		    NULL, &prov_slot_count);
461 
462 		/*
463 		 * If the call failed, or if no slots are returned,
464 		 * then skip this provider and continue to next one.
465 		 */
466 		if (prov_rv != CKR_OK) {
467 			cryptoerror(LOG_ERR,
468 			    "libpksc11: Could not get slot list from %s. "
469 			    "%s Error: %s.",
470 			    fullpath, conf_err, pkcs11_strerror(prov_rv));
471 			(void) prov_funcs->C_Finalize(NULL);
472 			(void) dlclose(dldesc);
473 			goto contparse;
474 		}
475 
476 		if (prov_slot_count == 0) {
477 			cryptodebug("libpkcs11: No slots presented from %s. "
478 			    "Skipping this plug-in at this time.\n",
479 			    fullpath);
480 			(void) prov_funcs->C_Finalize(NULL);
481 			(void) dlclose(dldesc);
482 			goto contparse;
483 		}
484 
485 		/*
486 		 * Verify that the module is signed correctly.
487 		 *
488 		 * NOTE: there is a potential race condition here,
489 		 * since the module is verified well after we have
490 		 * opened the provider via dlopen().  This could be
491 		 * resolved by a variant of dlopen() that would take a
492 		 * file descriptor as an argument and by changing the
493 		 * kcfd libelfsign door protocol to use and fd instead
494 		 * of a path - but that wouldn't work in the kernel case.
495 		 */
496 		while ((kcfdfd = open(_PATH_KCFD_DOOR, O_RDONLY)) == -1) {
497 			if (errno != EINTR)
498 				break;
499 		}
500 		if (kcfdfd == -1) {
501 			cryptoerror(LOG_ERR, "libpkcs11: open %s: %s",
502 				_PATH_KCFD_DOOR,
503 			    strerror(errno));
504 			goto verifycleanup;
505 		}
506 
507 		/* Mark the door "close on exec" */
508 		(void) fcntl(kcfdfd, F_SETFD, FD_CLOEXEC);
509 
510 		if ((kda = malloc(sizeof (kcf_door_arg_t))) == NULL) {
511 			cryptoerror(LOG_ERR, "libpkcs11: malloc of kda "
512 				"failed: %s", strerror(errno));
513 			goto verifycleanup;
514 		}
515 		kda->da_version = KCF_KCFD_VERSION1;
516 		kda->da_iskernel = B_FALSE;
517 		(void) strlcpy(kda->da_u.filename, fullpath,
518 		    strlen(fullpath) + 1);
519 
520 		darg.data_ptr = (char *)kda;
521 		darg.data_size = sizeof (kcf_door_arg_t);
522 		darg.desc_ptr = NULL;
523 		darg.desc_num = 0;
524 		darg.rbuf = (char *)kda;
525 		darg.rsize = sizeof (kcf_door_arg_t);
526 
527 		while ((r = door_call(kcfdfd, &darg)) != 0) {
528 			if (errno != EINTR)
529 				break;
530 		}
531 
532 		if (r != 0) {
533 			cryptoerror(LOG_ERR,
534 			    "libpkcs11: Unable to contact kcfd: %s",
535 			    strerror(errno));
536 			goto verifycleanup;
537 		}
538 
539 		/*LINTED*/
540 		rkda = (kcf_door_arg_t *)darg.rbuf;
541 		if (rkda->da_version != KCF_KCFD_VERSION1) {
542 			cryptoerror(LOG_ERR,
543 			    "libpkcs11: kcfd and libelfsign versions "
544 			    "don't match: got %d expected %d",
545 			    rkda->da_version, KCF_KCFD_VERSION1);
546 			goto verifycleanup;
547 		}
548 		estatus = rkda->da_u.result.status;
549 verifycleanup:
550 		if (kcfdfd != -1) {
551 			(void) close(kcfdfd);
552 		}
553 		if (rkda != NULL && rkda != kda)
554 			(void) munmap((char *)rkda, darg.rsize);
555 		if (kda != NULL) {
556 			bzero(kda, sizeof (kda));
557 			free(kda);
558 			kda = NULL;
559 			rkda = NULL;	/* rkda is an alias of kda */
560 		}
561 
562 		switch (estatus) {
563 		case ELFSIGN_SUCCESS:
564 		case ELFSIGN_RESTRICTED:
565 			break;
566 		case ELFSIGN_NOTSIGNED:
567 			estatus_str = strdup("not a signed provider.");
568 			break;
569 		case ELFSIGN_FAILED:
570 			estatus_str = strdup("signature verification failed.");
571 			break;
572 		default:
573 			estatus_str = strdup("unexpected failure in ELF "
574 			    "signature verification. "
575 			    "System may have been tampered with.");
576 		}
577 		if (estatus_str != NULL) {
578 			cryptoerror(LOG_ERR, "libpkcs11: %s %s %s",
579 			    fullpath, estatus_str ? estatus_str : "",
580 			    estatus == ELFSIGN_UNKNOWN ?
581 			    "Cannot continue parsing " _PATH_PKCS11_CONF:
582 			    conf_err);
583 			(void) prov_funcs->C_Finalize(NULL);
584 			(void) dlclose(dldesc);
585 			free(estatus_str);
586 			estatus_str = NULL;
587 			if (estatus == ELFSIGN_UNKNOWN) {
588 				prov_funcs = NULL;
589 				dldesc = NULL;
590 				rv = CKR_GENERAL_ERROR;
591 				goto conferror;
592 			}
593 			goto contparse;
594 		}
595 
596 		/* Allocate memory for the slot list */
597 		prov_slots = calloc(prov_slot_count, sizeof (CK_SLOT_ID));
598 
599 		if (prov_slots == NULL) {
600 			cryptoerror(LOG_ERR,
601 			    "libpkcs11: Could not allocate memory for "
602 			    "plug-in slots. Cannot continue parsing %s\n",
603 			    _PATH_PKCS11_CONF);
604 			rv = CKR_HOST_MEMORY;
605 			goto conferror;
606 		}
607 
608 		/* Get slot list from provider */
609 		prov_rv = prov_funcs->C_GetSlotList(FALSE,
610 		    prov_slots, &prov_slot_count);
611 
612 		/* if second call fails, drop this provider */
613 		if (prov_rv != CKR_OK) {
614 			cryptoerror(LOG_ERR,
615 			    "libpkcs11: Second call to C_GetSlotList() for %s "
616 			    "failed. %s Error: %s.",
617 			    fullpath, conf_err, pkcs11_strerror(prov_rv));
618 			(void) prov_funcs->C_Finalize(NULL);
619 			(void) dlclose(dldesc);
620 			goto contparse;
621 		}
622 
623 		/*
624 		 * Parse the list of disabled or enabled mechanisms, will
625 		 * apply to each of the provider's slots.
626 		 */
627 		if (phead->puent->count > 0) {
628 			rv = pkcs11_mech_parse(phead->puent->policylist,
629 			    &prov_pol_mechs, phead->puent->count);
630 
631 			if (rv == CKR_HOST_MEMORY) {
632 				cryptoerror(LOG_ERR,
633 				    "libpkcs11: Could not parse configuration,"
634 				    "out of memory. Cannot continue parsing "
635 				    "%s.", _PATH_PKCS11_CONF);
636 				goto conferror;
637 			} else if (rv == CKR_MECHANISM_INVALID) {
638 				/*
639 				 * Configuration file is corrupted for this
640 				 * provider.
641 				 */
642 				cryptoerror(LOG_ERR,
643 				    "libpkcs11: Policy invalid or corrupted "
644 				    "for %s. Use cryptoadm(1M) to fix "
645 				    "this. Skipping this plug-in.",
646 				    fullpath);
647 				(void) prov_funcs->C_Finalize(NULL);
648 				(void) dlclose(dldesc);
649 				goto contparse;
650 			}
651 		}
652 
653 		/* Allocate memory in our slottable for these slots */
654 		rv = pkcs11_slottable_increase(prov_slot_count);
655 
656 		/*
657 		 * If any error is returned, it will be memory related,
658 		 * so we need to abort the attempt at filling the
659 		 * slottable.
660 		 */
661 		if (rv != CKR_OK) {
662 			cryptoerror(LOG_ERR,
663 			    "libpkcs11: slottable could not increase. "
664 			    "Cannot continue parsing %s.",
665 			    _PATH_PKCS11_CONF);
666 			goto conferror;
667 		}
668 
669 		/* Configure information for each new slot */
670 		for (i = 0; i < prov_slot_count; i++) {
671 			/* allocate slot in framework */
672 			rv = pkcs11_slot_allocate(&slot_id);
673 			if (rv != CKR_OK) {
674 				cryptoerror(LOG_ERR,
675 				    "libpkcs11: Could not allocate "
676 				    "new slot.  Cannot continue parsing %s.",
677 				    _PATH_PKCS11_CONF);
678 				goto conferror;
679 			}
680 			slot_count++;
681 			cur_slot = slottable->st_slots[slot_id];
682 			(void) pthread_mutex_lock(&cur_slot->sl_mutex);
683 			cur_slot->sl_id = prov_slots[i];
684 			cur_slot->sl_func_list = prov_funcs;
685 			cur_slot->sl_enabledpol =
686 			    phead->puent->flag_enabledlist;
687 			cur_slot->sl_pol_mechs = prov_pol_mechs;
688 			cur_slot->sl_pol_count = phead->puent->count;
689 			cur_slot->sl_norandom = phead->puent->flag_norandom;
690 			cur_slot->sl_dldesc = dldesc;
691 			cur_slot->sl_prov_id = prov_count + 1;
692 			(void) pthread_mutex_unlock(&cur_slot->sl_mutex);
693 		}
694 
695 
696 		/* Set and reset values to process next provider */
697 		prov_count++;
698 contparse:
699 		prov_slot_count = 0;
700 		Tmp_C_GetFunctionList = NULL;
701 		prov_funcs = NULL;
702 		dldesc = NULL;
703 		if (fullpath != NULL) {
704 			free(fullpath);
705 			fullpath = NULL;
706 		}
707 		if (prov_slots != NULL) {
708 			free(prov_slots);
709 			prov_slots = NULL;
710 		}
711 		phead = phead->next;
712 	}
713 
714 	if (slot_count == 0) {
715 		/*
716 		 * there's no other slot in the framework,
717 		 * there is nothing to do
718 		 */
719 		goto config_complete;
720 	}
721 
722 	/* determine if metaslot should be enabled */
723 
724 	/*
725 	 * Check to see if any environment variable is defined
726 	 * by the user for configuring metaslot.  Users'
727 	 * setting always take precedence over the system wide
728 	 * setting.  So, we will first check for any user's
729 	 * defined env variables before looking at the system-wide
730 	 * configuration.
731 	 */
732 	get_user_metaslot_config();
733 
734 	/* no metaslot entry in /etc/crypto/pkcs11.conf */
735 	if (!metaslot_entry) {
736 		/*
737 		 * If user env variable indicates metaslot should be enabled,
738 		 * but there's no entry in /etc/crypto/pkcs11.conf for
739 		 * metaslot at all, will respect the user's defined value
740 		 */
741 		if ((metaslot_config.enabled_specified) &&
742 		    (metaslot_config.enabled)) {
743 			metaslot_enabled = B_TRUE;
744 		}
745 	} else {
746 		if (!metaslot_config.enabled_specified) {
747 			/*
748 			 * take system wide value if
749 			 * it is not specified by user
750 			 */
751 			metaslot_enabled
752 			    = metaslot_entry->flag_metaslot_enabled;
753 		} else {
754 			metaslot_enabled = metaslot_config.enabled;
755 		}
756 	}
757 
758 	/*
759 	 *
760 	 * As long as the user or system configuration file does not
761 	 * disable metaslot, it will be enabled regardless of the
762 	 * number of slots plugged into the framework.  Therefore,
763 	 * metaslot is enabled even when there's only one slot
764 	 * plugged into the framework.  This is necessary for
765 	 * presenting a consistent token label view to applications.
766 	 *
767 	 * However, for the case where there is only 1 slot plugged into
768 	 * the framework, we can use "fastpath".
769 	 *
770 	 * "fastpath" will pass all of the application's requests
771 	 * directly to the underlying provider.  Only when policy is in
772 	 * effect will we need to keep slotID around.
773 	 *
774 	 * When metaslot is enabled, and fastpath is enabled,
775 	 * all the metaslot processing will be skipped.
776 	 * When there is only 1 slot, there's
777 	 * really not much metaslot can do in terms of combining functionality
778 	 * of different slots, and object migration.
779 	 *
780 	 */
781 
782 	/* check to see if fastpath can be used */
783 	if (slottable->st_last == slottable->st_first) {
784 
785 		cur_slot = slottable->st_slots[slottable->st_first];
786 
787 		(void) pthread_mutex_lock(&cur_slot->sl_mutex);
788 
789 		if ((cur_slot->sl_pol_count == 0) &&
790 		    (!cur_slot->sl_enabledpol) && (!cur_slot->sl_norandom)) {
791 			/* No policy is in effect, don't need slotid */
792 			fast_funcs = cur_slot->sl_func_list;
793 			purefastpath = B_TRUE;
794 		} else {
795 			fast_funcs = cur_slot->sl_func_list;
796 			fast_slot = slottable->st_first;
797 			policyfastpath = B_TRUE;
798 		}
799 
800 		(void) pthread_mutex_unlock(&cur_slot->sl_mutex);
801 	}
802 
803 	if ((purefastpath || policyfastpath) && (!metaslot_enabled)) {
804 		goto config_complete;
805 	}
806 
807 	/*
808 	 * If we get here, there are more than 2 slots in the framework,
809 	 * we need to set up metaslot if it is enabled
810 	 */
811 	if (metaslot_enabled) {
812 		rv = setup_metaslot(metaslot_entry);
813 		if (rv != CKR_OK) {
814 			goto conferror;
815 		}
816 	}
817 
818 
819 config_complete:
820 
821 	return (CKR_OK);
822 
823 conferror:
824 	/*
825 	 * This cleanup code is only exercised when a major,
826 	 * unrecoverable error like "out of memory" occurs.
827 	 */
828 	if (prov_funcs != NULL) {
829 		(void) prov_funcs->C_Finalize(NULL);
830 	}
831 	if (dldesc != NULL) {
832 		(void) dlclose(dldesc);
833 	}
834 	if (fullpath != NULL) {
835 		free(fullpath);
836 		fullpath = NULL;
837 	}
838 	if (prov_slots != NULL) {
839 		free(prov_slots);
840 		prov_slots = NULL;
841 	}
842 
843 	return (rv);
844 }
845 
846 /*
847  * pkcs11_mech_parse will take hex mechanism ids, as a list of
848  * strings, and convert them to CK_MECHANISM_TYPE_PTR.
849  */
850 CK_RV
851 pkcs11_mech_parse(umechlist_t *str_list, CK_MECHANISM_TYPE_PTR *mech_list,
852     int mech_count)
853 {
854 	CK_MECHANISM_TYPE_PTR tmp_list;
855 	umechlist_t *shead = str_list;
856 
857 	tmp_list = malloc(mech_count * sizeof (CK_MECHANISM_TYPE));
858 
859 	if (tmp_list == NULL) {
860 		cryptoerror(LOG_ERR, "libpkcs11: parsing %s, out of memory. "
861 		    "Cannot continue.",
862 		    _PATH_PKCS11_CONF);
863 		return (CKR_HOST_MEMORY);
864 	}
865 
866 	*mech_list = tmp_list;
867 
868 	/*
869 	 * The following will loop mech_count times, as there are
870 	 * exactly mech_count items in the str_list.
871 	 */
872 	while (shead != NULL) {
873 		CK_MECHANISM_TYPE cur_mech;
874 
875 		errno = 0;
876 
877 		/*
878 		 * "name" is a hexadecimal number, preceded by 0x.
879 		 */
880 		cur_mech = strtoul(shead->name, NULL, 16);
881 
882 		if ((cur_mech == 0) &&
883 		    ((errno == EINVAL) || (errno == ERANGE))) {
884 			free(mech_list);
885 			return (CKR_MECHANISM_INVALID);
886 		}
887 		*tmp_list = (CK_MECHANISM_TYPE)cur_mech;
888 		tmp_list++;
889 		shead = shead->next;
890 	}
891 
892 	return (CKR_OK);
893 }
894 
895 /*
896  * pkcs11_is_dismech is provided a slotid and a mechanism.
897  * If mech is not disabled, then return B_FALSE.
898  */
899 boolean_t
900 pkcs11_is_dismech(CK_SLOT_ID slotid, CK_MECHANISM_TYPE mech)
901 {
902 	ulong_t i;
903 	boolean_t enabled_pol;
904 	CK_MECHANISM_TYPE_PTR pol_mechs;
905 	ulong_t pol_count;
906 
907 	/* Find the associated slot and get the mech policy info */
908 	(void) pthread_mutex_lock(&slottable->st_slots[slotid]->sl_mutex);
909 	enabled_pol = slottable->st_slots[slotid]->sl_enabledpol;
910 	pol_mechs = slottable->st_slots[slotid]->sl_pol_mechs;
911 	pol_count = slottable->st_slots[slotid]->sl_pol_count;
912 	(void) pthread_mutex_unlock(&slottable->st_slots[slotid]->sl_mutex);
913 
914 	/* Check for policy */
915 	if ((!enabled_pol) && (pol_mechs == NULL)) {
916 		/* no policy */
917 		return (B_FALSE);
918 	} else if (pol_mechs == NULL) {
919 		/*
920 		 * We have an empty enabled list, which means no
921 		 * mechanisms are exempted from this policy: all
922 		 * are disabled.
923 		 */
924 		return (B_TRUE);
925 	}
926 
927 	for (i = 0; i < pol_count; i++) {
928 		/*
929 		 * If it matches, return status based on this
930 		 * being and enabled or a disabled list of mechs.
931 		 */
932 		if (pol_mechs[i] == mech) {
933 			return (enabled_pol ? B_FALSE : B_TRUE);
934 		}
935 	}
936 
937 	/* mech was not found in list */
938 	return (enabled_pol ? B_TRUE : B_FALSE);
939 }
940