1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <fcntl.h> 27 #include <stdio.h> 28 #include <stdlib.h> 29 #include <strings.h> 30 #include <unistd.h> 31 #include <locale.h> 32 #include <libgen.h> 33 #include <sys/types.h> 34 #include <sys/stat.h> 35 #include <sys/crypto/ioctladmin.h> 36 #include <signal.h> 37 #include <sys/crypto/elfsign.h> 38 #include "cryptoadm.h" 39 40 static int check_hardware_provider(char *, char *, int *, int *); 41 42 /* 43 * Display the mechanism list for a kernel software provider. 44 * This implements part of the "cryptoadm list -m" command. 45 * 46 * Parameters phardlist and psoftlist are supplied by 47 * get_soft_info(). 48 * If NULL, this function obtains it by calling getent_kef() and 49 * then get_kcfconf_info() via get_soft_info() internally. 50 */ 51 int 52 list_mechlist_for_soft(char *provname, 53 entrylist_t *phardlist, entrylist_t *psoftlist) 54 { 55 mechlist_t *pmechlist = NULL; 56 int rc; 57 58 if (provname == NULL) { 59 return (FAILURE); 60 } 61 62 rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist); 63 if (rc == SUCCESS) { 64 (void) filter_mechlist(&pmechlist, RANDOM); 65 print_mechlist(provname, pmechlist); 66 free_mechlist(pmechlist); 67 } else { 68 cryptoerror(LOG_STDERR, gettext( 69 "failed to retrieve the mechanism list for %s."), 70 provname); 71 } 72 73 return (rc); 74 } 75 76 /* 77 * Display the mechanism list for a kernel hardware provider. 78 * This implements part of the "cryptoadm list -m" command. 79 */ 80 int 81 list_mechlist_for_hard(char *provname) 82 { 83 mechlist_t *pmechlist = NULL; 84 char devname[MAXNAMELEN]; 85 int inst_num; 86 int count; 87 int rc = SUCCESS; 88 89 if (provname == NULL) { 90 return (FAILURE); 91 } 92 93 /* 94 * Check if the provider is valid. If it is valid, get the number of 95 * mechanisms also. 96 */ 97 if (check_hardware_provider(provname, devname, &inst_num, &count) == 98 FAILURE) { 99 return (FAILURE); 100 } 101 102 /* Get the mechanism list for the kernel hardware provider */ 103 if ((rc = get_dev_info(devname, inst_num, count, &pmechlist)) == 104 SUCCESS) { 105 (void) filter_mechlist(&pmechlist, RANDOM); 106 print_mechlist(provname, pmechlist); 107 free_mechlist(pmechlist); 108 } 109 110 return (rc); 111 } 112 113 114 /* 115 * Display the policy information for a kernel software provider. 116 * This implements part of the "cryptoadm list -p" command. 117 * 118 * Parameters phardlist and psoftlist are supplied by 119 * getent_kef(). 120 * If NULL, this function obtains it by calling get_kcfconf_info() 121 * via getent_kef() internally. 122 */ 123 int 124 list_policy_for_soft(char *provname, 125 entrylist_t *phardlist, entrylist_t *psoftlist) 126 { 127 int rc; 128 entry_t *pent = NULL; 129 mechlist_t *pmechlist = NULL; 130 boolean_t has_random = B_FALSE; 131 boolean_t has_mechs = B_FALSE; 132 boolean_t in_kernel = B_FALSE; 133 134 if (provname == NULL) { 135 return (FAILURE); 136 } 137 138 if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) { 139 return (FAILURE); 140 } else if (in_kernel == B_FALSE) { 141 cryptoerror(LOG_STDERR, gettext("%s does not exist."), 142 provname); 143 return (FAILURE); 144 } 145 pent = getent_kef(provname, phardlist, psoftlist); 146 147 rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist); 148 if (rc == SUCCESS) { 149 has_random = filter_mechlist(&pmechlist, RANDOM); 150 if (pmechlist != NULL) { 151 has_mechs = B_TRUE; 152 free_mechlist(pmechlist); 153 } 154 } else { 155 cryptoerror(LOG_STDERR, gettext( 156 "failed to retrieve the mechanism list for %s."), 157 provname); 158 return (rc); 159 } 160 161 print_kef_policy(provname, pent, has_random, has_mechs); 162 free_entry(pent); 163 return (SUCCESS); 164 } 165 166 167 168 /* 169 * Display the policy information for a kernel hardware provider. 170 * This implements part of the "cryptoadm list -p" command. 171 * 172 * Parameters phardlist and psoftlist are supplied by getent_kef(). 173 * If NULL, this function obtains it by calling get_kcfconf_info() via 174 * getent_kef() internally. 175 * Parameter pdevlist is supplied by check_kernel_for_hard(). 176 * If NULL, this function obtains it by calling get_dev_list() via 177 * check_kernel_for_hard() internally. 178 */ 179 int 180 list_policy_for_hard(char *provname, 181 entrylist_t *phardlist, entrylist_t *psoftlist, 182 crypto_get_dev_list_t *pdevlist) 183 { 184 entry_t *pent = NULL; 185 boolean_t in_kernel; 186 mechlist_t *pmechlist = NULL; 187 char devname[MAXNAMELEN]; 188 int inst_num; 189 int count; 190 int rc = SUCCESS; 191 boolean_t has_random = B_FALSE; 192 boolean_t has_mechs = B_FALSE; 193 194 if (provname == NULL) { 195 return (FAILURE); 196 } 197 198 /* 199 * Check if the provider is valid. If it is valid, get the number of 200 * mechanisms also. 201 */ 202 if (check_hardware_provider(provname, devname, &inst_num, &count) == 203 FAILURE) { 204 return (FAILURE); 205 } 206 207 /* Get the mechanism list for the kernel hardware provider */ 208 if ((rc = get_dev_info(devname, inst_num, count, &pmechlist)) == 209 SUCCESS) { 210 has_random = filter_mechlist(&pmechlist, RANDOM); 211 212 if (pmechlist != NULL) { 213 has_mechs = B_TRUE; 214 free_mechlist(pmechlist); 215 } 216 } else { 217 cryptoerror(LOG_STDERR, gettext( 218 "failed to retrieve the mechanism list for %s."), 219 devname); 220 return (rc); 221 } 222 223 /* 224 * If the hardware provider has an entry in the kcf.conf file, 225 * some of its mechanisms must have been disabled. Print out 226 * the disabled list from the config file entry. Otherwise, 227 * if it is active, then all the mechanisms for it are enabled. 228 */ 229 if ((pent = getent_kef(provname, phardlist, psoftlist)) != NULL) { 230 print_kef_policy(provname, pent, has_random, has_mechs); 231 free_entry(pent); 232 return (SUCCESS); 233 } else { 234 if (check_kernel_for_hard(provname, pdevlist, 235 &in_kernel) == FAILURE) { 236 return (FAILURE); 237 } else if (in_kernel == B_TRUE) { 238 (void) printf(gettext( 239 "%s: all mechanisms are enabled."), provname); 240 if (has_random) 241 /* 242 * TRANSLATION_NOTE 243 * "random" is a keyword and not to be 244 * translated. 245 */ 246 (void) printf(gettext(" %s is enabled.\n"), 247 "random"); 248 else 249 (void) printf("\n"); 250 return (SUCCESS); 251 } else { 252 cryptoerror(LOG_STDERR, 253 gettext("%s does not exist."), provname); 254 return (FAILURE); 255 } 256 } 257 } 258 259 260 /* 261 * Disable a kernel hardware provider. 262 * This implements the "cryptoadm disable" command for 263 * kernel hardware providers. 264 */ 265 int 266 disable_kef_hardware(char *provname, boolean_t rndflag, boolean_t allflag, 267 mechlist_t *dislist) 268 { 269 crypto_load_dev_disabled_t *pload_dev_dis = NULL; 270 mechlist_t *infolist = NULL; 271 entry_t *pent = NULL; 272 boolean_t new_dev_entry = B_FALSE; 273 char devname[MAXNAMELEN]; 274 int inst_num; 275 int count; 276 int fd = -1; 277 int rc = SUCCESS; 278 279 if (provname == NULL) { 280 return (FAILURE); 281 } 282 283 /* 284 * Check if the provider is valid. If it is valid, get the number of 285 * mechanisms also. 286 */ 287 if (check_hardware_provider(provname, devname, &inst_num, &count) 288 == FAILURE) { 289 return (FAILURE); 290 } 291 292 /* Get the mechanism list for the kernel hardware provider */ 293 if (get_dev_info(devname, inst_num, count, &infolist) == FAILURE) { 294 return (FAILURE); 295 } 296 297 /* 298 * Get the entry of this hardware provider from the config file. 299 * If there is no entry yet, create one for it. 300 */ 301 if ((pent = getent_kef(provname, NULL, NULL)) == NULL) { 302 if ((pent = create_entry(provname)) == NULL) { 303 cryptoerror(LOG_STDERR, gettext("out of memory.")); 304 free_mechlist(infolist); 305 return (FAILURE); 306 } 307 new_dev_entry = B_TRUE; 308 } 309 310 /* 311 * kCF treats random as an internal mechanism. So, we need to 312 * filter it from the mechanism list here, if we are NOT disabling 313 * or enabling the random feature. Note that we map random feature at 314 * cryptoadm(1M) level to the "random" mechanism in kCF. 315 */ 316 if (!rndflag) { 317 (void) filter_mechlist(&dislist, RANDOM); 318 } 319 320 /* Calculate the new disabled list */ 321 if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) { 322 free_mechlist(infolist); 323 free_entry(pent); 324 return (FAILURE); 325 } 326 free_mechlist(infolist); 327 328 /* If no mechanisms are to be disabled, return */ 329 if (pent->dis_count == 0) { 330 free_entry(pent); 331 return (SUCCESS); 332 } 333 334 /* Update the config file with the new entry or the updated entry */ 335 if (new_dev_entry) { 336 rc = update_kcfconf(pent, ADD_MODE); 337 } else { 338 rc = update_kcfconf(pent, MODIFY_MODE); 339 } 340 341 if (rc == FAILURE) { 342 free_entry(pent); 343 return (FAILURE); 344 } 345 346 /* Inform kernel about the new disabled mechanism list */ 347 if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) { 348 free_entry(pent); 349 return (FAILURE); 350 } 351 free_entry(pent); 352 353 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 354 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 355 ADMIN_IOCTL_DEVICE, strerror(errno)); 356 free(pload_dev_dis); 357 return (FAILURE); 358 } 359 360 if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) { 361 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: %s", 362 strerror(errno)); 363 free(pload_dev_dis); 364 (void) close(fd); 365 return (FAILURE); 366 } 367 368 if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) { 369 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl return_value = " 370 "%d", pload_dev_dis->dd_return_value); 371 free(pload_dev_dis); 372 (void) close(fd); 373 return (FAILURE); 374 } 375 376 free(pload_dev_dis); 377 (void) close(fd); 378 return (SUCCESS); 379 } 380 381 382 /* 383 * Disable a kernel software provider. 384 * This implements the "cryptoadm disable" command for 385 * kernel software providers. 386 */ 387 int 388 disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag, 389 mechlist_t *dislist) 390 { 391 crypto_load_soft_disabled_t *pload_soft_dis = NULL; 392 mechlist_t *infolist = NULL; 393 entry_t *pent = NULL; 394 entrylist_t *phardlist = NULL; 395 entrylist_t *psoftlist = NULL; 396 boolean_t in_kernel = B_FALSE; 397 int fd = -1; 398 int rc = SUCCESS; 399 400 if (provname == NULL) { 401 return (FAILURE); 402 } 403 404 /* 405 * Check if the kernel software provider is currently unloaded. 406 * If it is unloaded, return FAILURE, because the disable subcommand 407 * can not perform on inactive (unloaded) providers. 408 */ 409 if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) { 410 return (FAILURE); 411 } else if (in_kernel == B_FALSE) { 412 cryptoerror(LOG_STDERR, 413 gettext("%s is not loaded or does not exist."), 414 provname); 415 return (FAILURE); 416 } 417 418 if (get_kcfconf_info(&phardlist, &psoftlist) == FAILURE) { 419 cryptoerror(LOG_ERR, 420 "failed to retrieve the providers' " 421 "information from the configuration file - %s.", 422 _PATH_KCF_CONF); 423 return (FAILURE); 424 } 425 426 /* 427 * Get the entry of this provider from the kcf.conf file, if any. 428 * Otherwise, create a new kcf.conf entry for writing back to the file. 429 */ 430 pent = getent_kef(provname, phardlist, psoftlist); 431 if (pent == NULL) { /* create a new entry */ 432 pent = create_entry(provname); 433 if (pent == NULL) { 434 cryptodebug("out of memory."); 435 rc = FAILURE; 436 goto out; 437 } 438 } 439 440 /* Get the mechanism list for the software provider from the kernel */ 441 if (get_soft_info(provname, &infolist, phardlist, psoftlist) == 442 FAILURE) { 443 rc = FAILURE; 444 goto out; 445 } 446 447 if ((infolist != NULL) && (infolist->name[0] != '\0')) { 448 /* 449 * Replace the supportedlist from kcf.conf with possibly 450 * more-up-to-date list from the kernel. This is the case 451 * for default software providers that had more mechanisms 452 * added in the current version of the kernel. 453 */ 454 free_mechlist(pent->suplist); 455 pent->suplist = infolist; 456 } 457 458 /* 459 * kCF treats random as an internal mechanism. So, we need to 460 * filter it from the mechanism list here, if we are NOT disabling 461 * or enabling the random feature. Note that we map random feature at 462 * cryptoadm(1M) level to the "random" mechanism in kCF. 463 */ 464 if (!rndflag) { 465 (void) filter_mechlist(&infolist, RANDOM); 466 } 467 468 /* Calculate the new disabled list */ 469 if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) { 470 rc = FAILURE; 471 goto out; 472 } 473 474 /* Update the kcf.conf file with the updated entry */ 475 if (update_kcfconf(pent, MODIFY_MODE) == FAILURE) { 476 rc = FAILURE; 477 goto out; 478 } 479 480 /* Setup argument to inform kernel about the new disabled list. */ 481 if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) { 482 rc = FAILURE; 483 goto out; 484 } 485 486 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 487 cryptoerror(LOG_STDERR, 488 gettext("failed to open %s for RW: %s"), 489 ADMIN_IOCTL_DEVICE, strerror(errno)); 490 rc = FAILURE; 491 goto out; 492 } 493 494 /* Inform kernel about the new disabled list. */ 495 if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) { 496 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s", 497 strerror(errno)); 498 rc = FAILURE; 499 goto out; 500 } 501 502 if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) { 503 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = " 504 "%d", pload_soft_dis->sd_return_value); 505 rc = FAILURE; 506 goto out; 507 } 508 509 out: 510 free_entrylist(phardlist); 511 free_entrylist(psoftlist); 512 free_mechlist(infolist); 513 free_entry(pent); 514 free(pload_soft_dis); 515 if (fd != -1) 516 (void) close(fd); 517 return (rc); 518 } 519 520 521 /* 522 * Enable a kernel software or hardware provider. 523 * This implements the "cryptoadm enable" command for kernel providers. 524 */ 525 int 526 enable_kef(char *provname, boolean_t rndflag, boolean_t allflag, 527 mechlist_t *mlist) 528 { 529 crypto_load_soft_disabled_t *pload_soft_dis = NULL; 530 crypto_load_dev_disabled_t *pload_dev_dis = NULL; 531 entry_t *pent = NULL; 532 boolean_t redo_flag = B_FALSE; 533 boolean_t in_kernel = B_FALSE; 534 int fd = -1; 535 int rc = SUCCESS; 536 537 538 /* Get the entry of this provider from the kcf.conf file, if any. */ 539 pent = getent_kef(provname, NULL, NULL); 540 541 if (is_device(provname)) { 542 if (pent == NULL) { 543 /* 544 * This device doesn't have an entry in the config 545 * file, therefore nothing is disabled. 546 */ 547 cryptoerror(LOG_STDERR, gettext( 548 "all mechanisms are enabled already for %s."), 549 provname); 550 free_entry(pent); 551 return (SUCCESS); 552 } 553 } else { /* a software module */ 554 if (check_kernel_for_soft(provname, NULL, &in_kernel) == 555 FAILURE) { 556 free_entry(pent); 557 return (FAILURE); 558 } else if (in_kernel == B_FALSE) { 559 cryptoerror(LOG_STDERR, gettext("%s does not exist."), 560 provname); 561 free_entry(pent); 562 return (FAILURE); 563 } else if ((pent == NULL) || (pent->dis_count == 0)) { 564 /* nothing to be enabled. */ 565 cryptoerror(LOG_STDERR, gettext( 566 "all mechanisms are enabled already for %s."), 567 provname); 568 free_entry(pent); 569 return (SUCCESS); 570 } 571 } 572 573 /* 574 * kCF treats random as an internal mechanism. So, we need to 575 * filter it from the mechanism list here, if we are NOT disabling 576 * or enabling the random feature. Note that we map random feature at 577 * cryptoadm(1M) level to the "random" mechanism in kCF. 578 */ 579 if (!rndflag) { 580 redo_flag = filter_mechlist(&pent->dislist, RANDOM); 581 if (redo_flag) 582 pent->dis_count--; 583 } 584 585 /* Update the entry by enabling mechanisms for this provider */ 586 if ((rc = enable_mechs(&pent, allflag, mlist)) != SUCCESS) { 587 free_entry(pent); 588 return (rc); 589 } 590 591 if (redo_flag) { 592 mechlist_t *tmp; 593 594 if ((tmp = create_mech(RANDOM)) == NULL) { 595 free_entry(pent); 596 return (FAILURE); 597 } 598 tmp->next = pent->dislist; 599 pent->dislist = tmp; 600 pent->dis_count++; 601 } 602 603 /* 604 * Update the kcf.conf file with the updated entry. 605 * For a hardware provider, if there is no more disabled mechanism, 606 * remove the entire kcf.conf entry. 607 */ 608 if (is_device(pent->name) && (pent->dis_count == 0)) { 609 rc = update_kcfconf(pent, DELETE_MODE); 610 } else { 611 rc = update_kcfconf(pent, MODIFY_MODE); 612 } 613 614 if (rc == FAILURE) { 615 free_entry(pent); 616 return (FAILURE); 617 } 618 619 620 /* Inform Kernel about the policy change */ 621 622 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 623 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 624 ADMIN_IOCTL_DEVICE, strerror(errno)); 625 free_entry(pent); 626 return (FAILURE); 627 } 628 629 if (is_device(provname)) { 630 /* LOAD_DEV_DISABLED */ 631 if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) { 632 free_entry(pent); 633 return (FAILURE); 634 } 635 636 if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) { 637 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: " 638 "%s", strerror(errno)); 639 free_entry(pent); 640 free(pload_dev_dis); 641 (void) close(fd); 642 return (FAILURE); 643 } 644 645 if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) { 646 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl " 647 "return_value = %d", 648 pload_dev_dis->dd_return_value); 649 free_entry(pent); 650 free(pload_dev_dis); 651 (void) close(fd); 652 return (FAILURE); 653 } 654 655 } else { /* a software module */ 656 /* LOAD_SOFT_DISABLED */ 657 if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) { 658 free_entry(pent); 659 return (FAILURE); 660 } 661 662 if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) 663 == -1) { 664 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: " 665 "%s", strerror(errno)); 666 free_entry(pent); 667 free(pload_soft_dis); 668 (void) close(fd); 669 return (FAILURE); 670 } 671 672 if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) { 673 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl " 674 "return_value = %d", 675 pload_soft_dis->sd_return_value); 676 free_entry(pent); 677 free(pload_soft_dis); 678 (void) close(fd); 679 return (FAILURE); 680 } 681 } 682 683 free_entry(pent); 684 free(pload_soft_dis); 685 (void) close(fd); 686 return (SUCCESS); 687 } 688 689 690 /* 691 * Install a software module with the specified mechanism list into the system. 692 * This routine adds an entry into the config file for this software module 693 * first, then makes a CRYPTO_LOAD_SOFT_CONFIG ioctl call to inform kernel 694 * about the new addition. 695 */ 696 int 697 install_kef(char *provname, mechlist_t *mlist) 698 { 699 crypto_load_soft_config_t *pload_soft_conf = NULL; 700 boolean_t found; 701 entry_t *pent = NULL; 702 FILE *pfile = NULL; 703 FILE *pfile_tmp = NULL; 704 char tmpfile_name[MAXPATHLEN]; 705 char *ptr; 706 char *str; 707 char *name; 708 char buffer[BUFSIZ]; 709 char buffer2[BUFSIZ]; 710 int found_count; 711 int fd = -1; 712 int rc = SUCCESS; 713 int err; 714 715 if ((provname == NULL) || (mlist == NULL)) { 716 return (FAILURE); 717 } 718 719 /* Check if the provider already exists */ 720 if ((pent = getent_kef(provname, NULL, NULL)) != NULL) { 721 cryptoerror(LOG_STDERR, gettext("%s exists already."), 722 provname); 723 free_entry(pent); 724 return (FAILURE); 725 } 726 727 /* Create an entry with provname and mlist. */ 728 if ((pent = create_entry(provname)) == NULL) { 729 cryptoerror(LOG_STDERR, gettext("out of memory.")); 730 return (FAILURE); 731 } 732 pent->sup_count = get_mech_count(mlist); 733 pent->suplist = mlist; 734 735 /* Append an entry for this software module to the kcf.conf file. */ 736 if ((str = ent2str(pent)) == NULL) { 737 free_entry(pent); 738 return (FAILURE); 739 } 740 741 if ((pfile = fopen(_PATH_KCF_CONF, "r+")) == NULL) { 742 err = errno; 743 cryptoerror(LOG_STDERR, 744 gettext("failed to update the configuration - %s"), 745 strerror(err)); 746 cryptodebug("failed to open %s for write.", _PATH_KCF_CONF); 747 free_entry(pent); 748 return (FAILURE); 749 } 750 751 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) { 752 err = errno; 753 cryptoerror(LOG_STDERR, 754 gettext("failed to lock the configuration - %s"), 755 strerror(err)); 756 free_entry(pent); 757 (void) fclose(pfile); 758 return (FAILURE); 759 } 760 761 /* 762 * Create a temporary file in the /etc/crypto directory. 763 */ 764 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name)); 765 if (mkstemp(tmpfile_name) == -1) { 766 err = errno; 767 cryptoerror(LOG_STDERR, 768 gettext("failed to create a temporary file - %s"), 769 strerror(err)); 770 free_entry(pent); 771 (void) fclose(pfile); 772 return (FAILURE); 773 } 774 775 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) { 776 err = errno; 777 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"), 778 tmpfile_name, strerror(err)); 779 free_entry(pent); 780 (void) fclose(pfile); 781 return (FAILURE); 782 } 783 784 785 /* 786 * Loop thru the config file. If the provider was reserved within a 787 * package bracket, just uncomment it. Otherwise, append it at 788 * the end. The resulting file will be saved in the temp file first. 789 */ 790 found_count = 0; 791 rc = SUCCESS; 792 while (fgets(buffer, BUFSIZ, pfile) != NULL) { 793 found = B_FALSE; 794 if (buffer[0] == '#') { 795 (void) strlcpy(buffer2, buffer, BUFSIZ); 796 ptr = buffer2; 797 ptr++; 798 if ((name = strtok(ptr, SEP_COLON)) == NULL) { 799 rc = FAILURE; 800 break; 801 } else if (strcmp(provname, name) == 0) { 802 found = B_TRUE; 803 found_count++; 804 } 805 } 806 807 if (found == B_FALSE) { 808 if (fputs(buffer, pfile_tmp) == EOF) { 809 rc = FAILURE; 810 } 811 } else { 812 if (found_count == 1) { 813 if (fputs(str, pfile_tmp) == EOF) { 814 rc = FAILURE; 815 } 816 } else { 817 /* 818 * Found a second entry with #libname. 819 * Should not happen. The kcf.conf file 820 * is corrupted. Give a warning and skip 821 * this entry. 822 */ 823 cryptoerror(LOG_STDERR, gettext( 824 "(Warning) Found an additional reserved " 825 "entry for %s."), provname); 826 } 827 } 828 829 if (rc == FAILURE) { 830 break; 831 } 832 } 833 (void) fclose(pfile); 834 835 if (rc == FAILURE) { 836 cryptoerror(LOG_STDERR, gettext("write error.")); 837 (void) fclose(pfile_tmp); 838 if (unlink(tmpfile_name) != 0) { 839 err = errno; 840 cryptoerror(LOG_STDERR, gettext( 841 "(Warning) failed to remove %s: %s"), tmpfile_name, 842 strerror(err)); 843 } 844 free_entry(pent); 845 return (FAILURE); 846 } 847 848 if (found_count == 0) { 849 /* 850 * This libname was not in package before, append it to the 851 * end of the temp file. 852 */ 853 if (fputs(str, pfile_tmp) == EOF) { 854 cryptoerror(LOG_STDERR, gettext( 855 "failed to write to %s: %s"), tmpfile_name, 856 strerror(errno)); 857 (void) fclose(pfile_tmp); 858 if (unlink(tmpfile_name) != 0) { 859 err = errno; 860 cryptoerror(LOG_STDERR, gettext( 861 "(Warning) failed to remove %s: %s"), 862 tmpfile_name, strerror(err)); 863 } 864 free_entry(pent); 865 return (FAILURE); 866 } 867 } 868 869 if (fclose(pfile_tmp) != 0) { 870 err = errno; 871 cryptoerror(LOG_STDERR, 872 gettext("failed to close %s: %s"), tmpfile_name, 873 strerror(err)); 874 free_entry(pent); 875 return (FAILURE); 876 } 877 878 if (rename(tmpfile_name, _PATH_KCF_CONF) == -1) { 879 err = errno; 880 cryptoerror(LOG_STDERR, 881 gettext("failed to update the configuration - %s"), 882 strerror(err)); 883 cryptodebug("failed to rename %s to %s: %s", tmpfile_name, 884 _PATH_KCF_CONF, strerror(err)); 885 rc = FAILURE; 886 } else if (chmod(_PATH_KCF_CONF, 887 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { 888 err = errno; 889 cryptoerror(LOG_STDERR, 890 gettext("failed to update the configuration - %s"), 891 strerror(err)); 892 cryptodebug("failed to chmod to %s: %s", _PATH_KCF_CONF, 893 strerror(err)); 894 rc = FAILURE; 895 } else { 896 rc = SUCCESS; 897 } 898 899 if (rc == FAILURE) { 900 if (unlink(tmpfile_name) != 0) { 901 err = errno; 902 cryptoerror(LOG_STDERR, gettext( 903 "(Warning) failed to remove %s: %s"), 904 tmpfile_name, strerror(err)); 905 } 906 free_entry(pent); 907 return (FAILURE); 908 } 909 910 911 /* Inform kernel of this new software module. */ 912 913 if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) { 914 free_entry(pent); 915 return (FAILURE); 916 } 917 918 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 919 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 920 ADMIN_IOCTL_DEVICE, strerror(errno)); 921 free_entry(pent); 922 free(pload_soft_conf); 923 return (FAILURE); 924 } 925 926 if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf) == -1) { 927 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s", 928 strerror(errno)); 929 free_entry(pent); 930 free(pload_soft_conf); 931 (void) close(fd); 932 return (FAILURE); 933 } 934 935 if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) { 936 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed, " 937 "return_value = %d", pload_soft_conf->sc_return_value); 938 free_entry(pent); 939 free(pload_soft_conf); 940 (void) close(fd); 941 return (FAILURE); 942 } 943 944 free_entry(pent); 945 free(pload_soft_conf); 946 (void) close(fd); 947 return (SUCCESS); 948 } 949 950 /* 951 * Uninstall the software module. This routine first unloads the software 952 * module with 3 ioctl calls, then deletes its entry from the config file. 953 * Removing an entry from the config file needs to be done last to ensure 954 * that there is still an entry if the earlier unload failed for any reason. 955 */ 956 int 957 uninstall_kef(char *provname) 958 { 959 entry_t *pent = NULL; 960 int rc = SUCCESS; 961 boolean_t in_kernel = B_FALSE; 962 boolean_t in_kcfconf = B_FALSE; 963 int fd = -1; 964 crypto_load_soft_config_t *pload_soft_conf = NULL; 965 966 /* Check to see if the provider exists first. */ 967 if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) { 968 return (FAILURE); 969 } else if (in_kernel == B_FALSE) { 970 cryptoerror(LOG_STDERR, gettext("%s does not exist."), 971 provname); 972 return (FAILURE); 973 } 974 975 /* 976 * If it is loaded, unload it first. This does 2 ioctl calls: 977 * CRYPTO_UNLOAD_SOFT_MODULE and CRYPTO_LOAD_SOFT_DISABLED. 978 */ 979 if (unload_kef_soft(provname) == FAILURE) { 980 cryptoerror(LOG_STDERR, 981 gettext("failed to unload %s during uninstall.\n"), 982 provname); 983 return (FAILURE); 984 } 985 986 /* 987 * Inform kernel to remove the configuration of this software module. 988 */ 989 990 /* Setup ioctl() parameter */ 991 pent = getent_kef(provname, NULL, NULL); 992 if (pent != NULL) { /* in kcf.conf */ 993 in_kcfconf = B_TRUE; 994 free_mechlist(pent->suplist); 995 pent->suplist = NULL; 996 pent->sup_count = 0; 997 } else if ((pent = create_entry(provname)) == NULL) { 998 cryptoerror(LOG_STDERR, gettext("out of memory.")); 999 return (FAILURE); 1000 } 1001 if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) { 1002 free_entry(pent); 1003 return (FAILURE); 1004 } 1005 1006 /* Open the /dev/cryptoadm device */ 1007 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 1008 int err = errno; 1009 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 1010 ADMIN_IOCTL_DEVICE, strerror(err)); 1011 free_entry(pent); 1012 free(pload_soft_conf); 1013 return (FAILURE); 1014 } 1015 1016 if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, 1017 pload_soft_conf) == -1) { 1018 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s", 1019 strerror(errno)); 1020 free_entry(pent); 1021 free(pload_soft_conf); 1022 (void) close(fd); 1023 return (FAILURE); 1024 } 1025 1026 if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) { 1027 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl = return_value = %d", 1028 pload_soft_conf->sc_return_value); 1029 free_entry(pent); 1030 free(pload_soft_conf); 1031 (void) close(fd); 1032 return (FAILURE); 1033 } 1034 1035 /* ioctl cleanup */ 1036 free(pload_soft_conf); 1037 (void) close(fd); 1038 1039 1040 /* Finally, remove entry from kcf.conf, if present */ 1041 if (in_kcfconf && (pent != NULL)) { 1042 rc = update_kcfconf(pent, DELETE_MODE); 1043 } 1044 1045 free_entry(pent); 1046 return (rc); 1047 } 1048 1049 1050 /* 1051 * Implement the "cryptoadm refresh" command for global zones. 1052 * That is, send the current contents of kcf.conf to the kernel via ioctl(). 1053 */ 1054 int 1055 refresh(void) 1056 { 1057 crypto_load_soft_config_t *pload_soft_conf = NULL; 1058 crypto_load_soft_disabled_t *pload_soft_dis = NULL; 1059 crypto_load_dev_disabled_t *pload_dev_dis = NULL; 1060 entrylist_t *pdevlist = NULL; 1061 entrylist_t *psoftlist = NULL; 1062 entrylist_t *ptr; 1063 int fd = -1; 1064 int rc = SUCCESS; 1065 int err; 1066 1067 if (get_kcfconf_info(&pdevlist, &psoftlist) == FAILURE) { 1068 cryptoerror(LOG_ERR, "failed to retrieve the providers' " 1069 "information from the configuration file - %s.", 1070 _PATH_KCF_CONF); 1071 return (FAILURE); 1072 } 1073 1074 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 1075 err = errno; 1076 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 1077 ADMIN_IOCTL_DEVICE, strerror(err)); 1078 free(psoftlist); 1079 free(pdevlist); 1080 return (FAILURE); 1081 } 1082 1083 /* 1084 * For each software provider module, pass two sets of information to 1085 * the kernel: the supported list and the disabled list. 1086 */ 1087 for (ptr = psoftlist; ptr != NULL; ptr = ptr->next) { 1088 entry_t *pent = ptr->pent; 1089 1090 /* load the supported list */ 1091 if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) { 1092 cryptodebug("setup_soft_conf() failed"); 1093 rc = FAILURE; 1094 break; 1095 } 1096 1097 if (!pent->load) { /* unloaded--mark as loaded */ 1098 pent->load = B_TRUE; 1099 rc = update_kcfconf(pent, MODIFY_MODE); 1100 if (rc != SUCCESS) { 1101 free(pload_soft_conf); 1102 break; 1103 } 1104 } 1105 1106 if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf) 1107 == -1) { 1108 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s", 1109 strerror(errno)); 1110 free(pload_soft_conf); 1111 rc = FAILURE; 1112 break; 1113 } 1114 1115 if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) { 1116 cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl " 1117 "return_value = %d", 1118 pload_soft_conf->sc_return_value); 1119 free(pload_soft_conf); 1120 rc = FAILURE; 1121 break; 1122 } 1123 1124 free(pload_soft_conf); 1125 1126 /* load the disabled list */ 1127 if (ptr->pent->dis_count != 0) { 1128 pload_soft_dis = setup_soft_dis(ptr->pent); 1129 if (pload_soft_dis == NULL) { 1130 cryptodebug("setup_soft_dis() failed"); 1131 free(pload_soft_dis); 1132 rc = FAILURE; 1133 break; 1134 } 1135 1136 if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, 1137 pload_soft_dis) == -1) { 1138 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl " 1139 "failed: %s", strerror(errno)); 1140 free(pload_soft_dis); 1141 rc = FAILURE; 1142 break; 1143 } 1144 1145 if (pload_soft_dis->sd_return_value != 1146 CRYPTO_SUCCESS) { 1147 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl " 1148 "return_value = %d", 1149 pload_soft_dis->sd_return_value); 1150 free(pload_soft_dis); 1151 rc = FAILURE; 1152 break; 1153 } 1154 free(pload_soft_dis); 1155 } 1156 } 1157 1158 if (rc != SUCCESS) { 1159 (void) close(fd); 1160 return (rc); 1161 } 1162 1163 1164 /* 1165 * For each hardware provider module, pass the disabled list 1166 * information to the kernel. 1167 */ 1168 for (ptr = pdevlist; ptr != NULL; ptr = ptr->next) { 1169 /* load the disabled list */ 1170 if (ptr->pent->dis_count != 0) { 1171 pload_dev_dis = setup_dev_dis(ptr->pent); 1172 if (pload_dev_dis == NULL) { 1173 rc = FAILURE; 1174 break; 1175 } 1176 1177 if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) 1178 == -1) { 1179 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl " 1180 "failed: %s", strerror(errno)); 1181 free(pload_dev_dis); 1182 rc = FAILURE; 1183 break; 1184 } 1185 1186 if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) { 1187 cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl " 1188 "return_value = %d", 1189 pload_dev_dis->dd_return_value); 1190 free(pload_dev_dis); 1191 rc = FAILURE; 1192 break; 1193 } 1194 free(pload_dev_dis); 1195 } 1196 } 1197 1198 /* 1199 * handle fips_status=enabled|disabled 1200 */ 1201 { 1202 int pkcs11_fips_mode = 0; 1203 1204 /* Get FIPS-140 status from pkcs11.conf */ 1205 fips_status_pkcs11conf(&pkcs11_fips_mode); 1206 if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED) { 1207 rc = do_fips_actions(FIPS140_ENABLE, REFRESH); 1208 } else { 1209 rc = do_fips_actions(FIPS140_DISABLE, REFRESH); 1210 } 1211 } 1212 1213 (void) close(fd); 1214 return (rc); 1215 } 1216 1217 /* 1218 * Unload the kernel software provider. Before calling this function, the 1219 * caller should check to see if the provider is in the kernel. 1220 * 1221 * This routine makes 2 ioctl calls to remove it completely from the kernel: 1222 * CRYPTO_UNLOAD_SOFT_MODULE - does a modunload of the KCF module 1223 * CRYPTO_LOAD_SOFT_DISABLED - updates kernel disabled mechanism list 1224 * 1225 * This implements part of "cryptoadm unload" and "cryptoadm uninstall". 1226 */ 1227 int 1228 unload_kef_soft(char *provname) 1229 { 1230 crypto_unload_soft_module_t *punload_soft = NULL; 1231 crypto_load_soft_disabled_t *pload_soft_dis = NULL; 1232 entry_t *pent = NULL; 1233 int fd = -1; 1234 int err; 1235 1236 if (provname == NULL) { 1237 cryptoerror(LOG_STDERR, gettext("internal error.")); 1238 return (FAILURE); 1239 } 1240 1241 pent = getent_kef(provname, NULL, NULL); 1242 if (pent == NULL) { /* not in kcf.conf */ 1243 /* Construct an entry using the provname */ 1244 pent = create_entry(provname); 1245 if (pent == NULL) { 1246 cryptoerror(LOG_STDERR, gettext("out of memory.")); 1247 return (FAILURE); 1248 } 1249 } 1250 1251 /* Open the admin_ioctl_device */ 1252 if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) { 1253 err = errno; 1254 cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"), 1255 ADMIN_IOCTL_DEVICE, strerror(err)); 1256 free_entry(pent); 1257 return (FAILURE); 1258 } 1259 1260 /* Inform kernel to unload this software module */ 1261 if ((punload_soft = setup_unload_soft(pent)) == NULL) { 1262 free_entry(pent); 1263 (void) close(fd); 1264 return (FAILURE); 1265 } 1266 1267 if (ioctl(fd, CRYPTO_UNLOAD_SOFT_MODULE, punload_soft) == -1) { 1268 cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl failed: %s", 1269 strerror(errno)); 1270 free_entry(pent); 1271 free(punload_soft); 1272 (void) close(fd); 1273 return (FAILURE); 1274 } 1275 1276 if (punload_soft->sm_return_value != CRYPTO_SUCCESS) { 1277 cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl return_value = " 1278 "%d", punload_soft->sm_return_value); 1279 /* 1280 * If the return value is CRYPTO_UNKNOWN_PROVIDER, it means 1281 * that the provider is not registered yet. Should just 1282 * continue. 1283 */ 1284 if (punload_soft->sm_return_value != CRYPTO_UNKNOWN_PROVIDER) { 1285 free_entry(pent); 1286 free(punload_soft); 1287 (void) close(fd); 1288 return (FAILURE); 1289 } 1290 } 1291 1292 free(punload_soft); 1293 1294 /* Inform kernel to remove the disabled entries if any */ 1295 if (pent->dis_count == 0) { 1296 free_entry(pent); 1297 (void) close(fd); 1298 return (SUCCESS); 1299 } else { 1300 free_mechlist(pent->dislist); 1301 pent->dislist = NULL; 1302 pent->dis_count = 0; 1303 } 1304 1305 if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) { 1306 free_entry(pent); 1307 (void) close(fd); 1308 return (FAILURE); 1309 } 1310 1311 /* pent is no longer needed; free it */ 1312 free_entry(pent); 1313 1314 if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) { 1315 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s", 1316 strerror(errno)); 1317 free(pload_soft_dis); 1318 (void) close(fd); 1319 return (FAILURE); 1320 } 1321 1322 if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) { 1323 cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = " 1324 "%d", pload_soft_dis->sd_return_value); 1325 free(pload_soft_dis); 1326 (void) close(fd); 1327 return (FAILURE); 1328 } 1329 1330 free(pload_soft_dis); 1331 (void) close(fd); 1332 return (SUCCESS); 1333 } 1334 1335 1336 /* 1337 * Check if a hardware provider is valid. If it is valid, returns its device 1338 * name, instance number and the number of mechanisms it supports. 1339 */ 1340 static int 1341 check_hardware_provider(char *provname, char *pname, int *pnum, int *pcount) 1342 { 1343 crypto_get_dev_list_t *dev_list = NULL; 1344 int i; 1345 1346 if (provname == NULL) { 1347 return (FAILURE); 1348 } 1349 1350 /* First, get the device name and the instance number from provname */ 1351 if (split_hw_provname(provname, pname, pnum) == FAILURE) { 1352 return (FAILURE); 1353 } 1354 1355 /* 1356 * Get the complete device list from kernel and check if this provider 1357 * is in the list. 1358 */ 1359 if (get_dev_list(&dev_list) == FAILURE) { 1360 return (FAILURE); 1361 } 1362 1363 for (i = 0; i < dev_list->dl_dev_count; i++) { 1364 if ((strcmp(dev_list->dl_devs[i].le_dev_name, pname) == 0) && 1365 (dev_list->dl_devs[i].le_dev_instance == *pnum)) { 1366 break; 1367 } 1368 } 1369 1370 if (i == dev_list->dl_dev_count) { 1371 /* didn't find this provider in the kernel device list */ 1372 cryptoerror(LOG_STDERR, gettext("%s does not exist."), 1373 provname); 1374 free(dev_list); 1375 return (FAILURE); 1376 } 1377 1378 /* This provider is valid. Get its mechanism count */ 1379 *pcount = dev_list->dl_devs[i].le_mechanism_count; 1380 1381 free(dev_list); 1382 return (SUCCESS); 1383 } 1384