xref: /titanic_44/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c (revision a4aeef46cda1835da2b19f8f62b4526de6521e6c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <errno.h>
27 #include <fcntl.h>
28 #include <stdio.h>
29 #include <stdlib.h>
30 #include <strings.h>
31 #include <time.h>
32 #include <unistd.h>
33 #include <locale.h>
34 #include <sys/types.h>
35 #include <zone.h>
36 #include <sys/stat.h>
37 #include "cryptoadm.h"
38 
39 static int err; /* To store errno which may be overwritten by gettext() */
40 static int build_entrylist(entry_t *, entrylist_t **);
41 static entry_t *dup_entry(entry_t *);
42 static mechlist_t *dup_mechlist(mechlist_t *);
43 static entry_t *getent(char *, entrylist_t *);
44 static int interpret(char *, entry_t **);
45 static int parse_sup_dis_list(const char *buf, entry_t *pent);
46 
47 
48 /*
49  * Duplicate the mechanism list.  A null pointer is returned if the storage
50  * space available is insufficient or the input argument is NULL.
51  */
52 static mechlist_t *
53 dup_mechlist(mechlist_t *plist)
54 {
55 	mechlist_t	*pres = NULL;
56 	mechlist_t	*pcur;
57 	mechlist_t	*ptmp;
58 	int		rc = SUCCESS;
59 
60 	while (plist != NULL) {
61 		if (!(ptmp = create_mech(plist->name))) {
62 			rc = FAILURE;
63 			break;
64 		}
65 
66 		if (pres == NULL) {
67 			pres = pcur = ptmp;
68 		} else {
69 			pcur->next = ptmp;
70 			pcur = pcur->next;
71 		}
72 		plist = plist->next;
73 	}
74 
75 	if (rc != SUCCESS) {
76 		free_mechlist(pres);
77 		return (NULL);
78 	}
79 
80 	return (pres);
81 }
82 
83 
84 /*
85  * Get the number of mechanisms in the mechanism list.
86  */
87 int
88 get_mech_count(mechlist_t *plist)
89 {
90 	int count = 0;
91 
92 	while (plist != NULL) {
93 		count++;
94 		plist = plist->next;
95 	}
96 	return (count);
97 }
98 
99 /*
100  * Create one item of type entry_t with the provider name.
101  * Return NULL if there's not enough memory or provname is NULL.
102  */
103 entry_t *
104 create_entry(char *provname)
105 {
106 	entry_t		*pent = NULL;
107 
108 	if (provname == NULL) {
109 		return (NULL);
110 	}
111 
112 	pent = calloc(1, sizeof (entry_t));
113 	if (pent == NULL) {
114 		cryptodebug("out of memory.");
115 		return (NULL);
116 	}
117 
118 	(void) strlcpy(pent->name, provname, MAXNAMELEN);
119 	pent->suplist = NULL;
120 	pent->sup_count = 0;
121 	pent->dislist = NULL;
122 	pent->dis_count = 0;
123 	pent->load = B_TRUE;
124 
125 	return (pent);
126 }
127 
128 /*
129  * Duplicate an entry for a provider from kcf.conf.
130  * Return NULL if memory is insufficient or the input argument is NULL.
131  * Called by getent().
132  */
133 static entry_t *
134 dup_entry(entry_t *pent1)
135 {
136 	entry_t	*pent2 = NULL;
137 
138 	if (pent1 == NULL) {
139 		return (NULL);
140 	}
141 
142 	if ((pent2 = create_entry(pent1->name)) == NULL) {
143 		cryptodebug("out of memory.");
144 		return (NULL);
145 	}
146 
147 	pent2->sup_count = pent1->sup_count;
148 	pent2->dis_count = pent1->dis_count;
149 	pent2->load = pent1->load;
150 	if (pent1->suplist != NULL) {
151 		pent2->suplist = dup_mechlist(pent1->suplist);
152 		if (pent2->suplist == NULL) {
153 			free_entry(pent2);
154 			return (NULL);
155 		}
156 	}
157 	if (pent1->dislist != NULL) {
158 		pent2->dislist = dup_mechlist(pent1->dislist);
159 		if (pent2->dislist == NULL) {
160 			free_entry(pent2);
161 			return (NULL);
162 		}
163 	}
164 
165 	return (pent2);
166 }
167 
168 
169 /*
170  * This routine parses the disabledlist or the supportedlist of an entry
171  * in the kcf.conf configuration file.
172  *
173  * Arguments:
174  *	buf: an input argument which is a char string with the format of
175  *	     "disabledlist=m1,m2,..." or "supportedlist=m1,m2,..."
176  *	pent: the entry for the disabledlist.  This is an IN/OUT argument.
177  *
178  * Return value: SUCCESS or FAILURE.
179  */
180 static int
181 parse_sup_dis_list(const char *buf, entry_t *pent)
182 {
183 	mechlist_t	*pmech = NULL;
184 	mechlist_t	*phead = NULL;
185 	char		*next_token;
186 	char		*value;
187 	int		count;
188 	int		supflag = B_FALSE;
189 	int		disflag = B_FALSE;
190 	int		rc = SUCCESS;
191 
192 	if (strncmp(buf, EF_SUPPORTED, strlen(EF_SUPPORTED)) == 0) {
193 		supflag = B_TRUE;
194 	} else if (strncmp(buf, EF_DISABLED, strlen(EF_DISABLED)) == 0) {
195 		disflag = B_TRUE;
196 	} else {
197 		/* should not come here */
198 		return (FAILURE);
199 	}
200 
201 	if (value = strpbrk(buf, SEP_EQUAL)) {
202 		value++; /* get rid of = */
203 	} else {
204 		cryptodebug("failed to parse the kcf.conf file.");
205 		return (FAILURE);
206 	}
207 
208 	if ((next_token = strtok(value, SEP_COMMA)) == NULL) {
209 		cryptodebug("failed to parse the kcf.conf file.");
210 		return (FAILURE);
211 	}
212 
213 	if ((pmech = create_mech(next_token)) == NULL) {
214 		return (FAILURE);
215 	}
216 
217 	if (supflag) {
218 			if (pent->suplist != NULL) {
219 				cryptodebug("multiple supportedlist entries "
220 				    "for a mechanism in file kcf.conf.");
221 				return (FAILURE);
222 			} else {
223 				pent->suplist = phead = pmech;
224 			}
225 	} else if (disflag) {
226 			if (pent->dislist != NULL) {
227 				cryptodebug("multiple disabledlist entries "
228 				    "for a mechanism in file kcf.conf.");
229 				return (FAILURE);
230 			} else {
231 				pent->dislist = phead = pmech;
232 			}
233 	}
234 
235 	count = 1;
236 	while (next_token) {
237 		if (next_token = strtok(NULL, SEP_COMMA)) {
238 			if ((pmech = create_mech(next_token)) == NULL) {
239 				rc = FAILURE;
240 				break;
241 			}
242 			count++;
243 			phead->next = pmech;
244 			phead = phead->next;
245 		}
246 	}
247 
248 	if (rc == SUCCESS) {
249 		if (supflag) {
250 			pent->sup_count = count;
251 		} else if (disflag) {
252 			pent->dis_count = count;
253 		}
254 	} else {
255 		free_mechlist(phead);
256 	}
257 
258 	return (rc);
259 }
260 
261 
262 /*
263  * Convert a char string containing a line about a provider
264  * from kcf.conf into an entry_t structure.
265  *
266  * Note: the input string, buf, may be modified by this function.
267  *
268  * See ent2str(), the reverse of this function, for the format of
269  * kcf.conf lines.
270  */
271 static int
272 interpret(char *buf, entry_t **ppent)
273 {
274 	entry_t	*pent = NULL;
275 	char	*token1;
276 	char	*token2;
277 	char	*token3;
278 	int	rc;
279 
280 	/* Get provider name */
281 	if ((token1 = strtok(buf, SEP_COLON)) == NULL) { /* buf is NULL */
282 		return (FAILURE);
283 	};
284 
285 	pent = create_entry(token1);
286 	if (pent == NULL) {
287 		cryptodebug("out of memory.");
288 		return (FAILURE);
289 	}
290 
291 	if ((token2 = strtok(NULL, SEP_SEMICOLON)) == NULL) {
292 		/* The entry contains a provider name only */
293 		free_entry(pent);
294 		return (FAILURE);
295 	}
296 
297 	if (strncmp(token2, EF_UNLOAD, strlen(EF_UNLOAD)) == 0) {
298 		pent->load = B_FALSE; /* cryptoadm unload */
299 		token2 = strtok(NULL, SEP_SEMICOLON);
300 		/*
301 		 * If token2 is NULL, the entry contains a
302 		 * provider name:unload only
303 		 */
304 	}
305 
306 	if (token2 != NULL) {
307 		/*
308 		 * Either supportedlist or disabledlist or both are present.
309 		 * Need to call strtok() to get token3 first, as function
310 		 * parse_sup_dis_list() makes strtok() calls on the
311 		 * token2 substring.
312 		 */
313 		token3 = strtok(NULL, SEP_SEMICOLON); /* optional */
314 
315 		/* parse supportedlist (or disabledlist if no supportedlist) */
316 		if ((rc = parse_sup_dis_list(token2, pent)) != SUCCESS) {
317 			free_entry(pent);
318 			return (rc);
319 		}
320 
321 		/* parse disabledlist (if there's a supportedlist) */
322 		if ((token3 != NULL) && ((rc = parse_sup_dis_list(token3,
323 		    pent)) != SUCCESS)) {
324 			free_entry(pent);
325 			return (rc);
326 		}
327 	}
328 
329 	*ppent = pent;
330 	return (SUCCESS);
331 }
332 
333 
334 /*
335  * Add an entry about a provider from kcf.conf to the end of an entry list.
336  * If the entry list pplist is NULL, create the linked list with pent as the
337  * first element.
338  */
339 static int
340 build_entrylist(entry_t *pent, entrylist_t **pplist)
341 {
342 	entrylist_t	*pentlist;
343 	entrylist_t	*pcur = NULL;
344 
345 	pentlist = malloc(sizeof (entrylist_t));
346 	if (pentlist == NULL) {
347 		cryptodebug("out of memory.");
348 		return (FAILURE);
349 	}
350 	pentlist->pent = pent;
351 	pentlist->next = NULL;
352 
353 	if (*pplist) {
354 		pcur = *pplist;
355 		while (pcur->next != NULL)
356 			pcur = pcur->next;
357 		pcur->next = pentlist;
358 	} else { /* empty list */
359 		*pplist = pentlist;
360 	}
361 
362 	return (SUCCESS);
363 }
364 
365 
366 
367 /*
368  * Find the entry with the "provname" name from the entry list and duplicate
369  * it.  Called by getent_kef().
370  */
371 static entry_t *
372 getent(char *provname, entrylist_t *entrylist)
373 {
374 	boolean_t	found = B_FALSE;
375 	entry_t		*pent1 = NULL;
376 
377 	if ((provname == NULL) || (entrylist == NULL)) {
378 		return (NULL);
379 	}
380 
381 	while (!found && entrylist) {
382 		if (strcmp(entrylist->pent->name, provname) == 0) {
383 			found = B_TRUE;
384 			pent1 = entrylist->pent;
385 		} else {
386 			entrylist = entrylist->next;
387 		}
388 	}
389 
390 	if (!found) {
391 		return (NULL);
392 	}
393 
394 	/* duplicate the entry to be returned */
395 	return (dup_entry(pent1));
396 }
397 
398 
399 /*
400  * Free memory in entry_t.
401  * That is, the supported and disabled lists for a provider
402  * from kcf.conf.
403  */
404 void
405 free_entry(entry_t  *pent)
406 {
407 	if (pent == NULL) {
408 		return;
409 	} else {
410 		free_mechlist(pent->suplist);
411 		free_mechlist(pent->dislist);
412 		free(pent);
413 	}
414 }
415 
416 
417 /*
418  * Free elements in a entrylist_t linked list,
419  * which lists providers in kcf.conf.
420  */
421 void
422 free_entrylist(entrylist_t *entrylist)
423 {
424 	entrylist_t *pnext;
425 
426 	while (entrylist != NULL) {
427 		pnext = entrylist->next;
428 		free_entry(entrylist->pent);
429 		entrylist = pnext;
430 	}
431 }
432 
433 
434 /*
435  * Convert an entry to a string.  This routine builds a string for the entry
436  * to be inserted in the kcf.conf file.  Based on the content of each entry,
437  * the result string can be one of these 7 forms:
438  *  - name:supportedlist=m1,m2,...,mj
439  *  - name:disabledlist=m1,m2,...,mj
440  *  - name:supportedlist=m1,...,mj;disabledlist=m1,m2,...,mk
441  *
442  *  - name:unload
443  *  - name:unload;supportedlist=m1,m2,...,mj
444  *  - name:unload;disabledlist=m1,m2,...,mj
445  *  - name:unload;supportedlist=m1,...,mj;disabledlist=m1,m2,...,mk
446  *
447  * Note that the caller is responsible for freeing the returned string
448  * (with free_entry()).
449  * See interpret() for the reverse of this function: converting a string
450  * to an entry_t.
451  */
452 char *
453 ent2str(entry_t *pent)
454 {
455 	char		*buf;
456 	mechlist_t	*pcur = NULL;
457 	boolean_t	semicolon_separator = B_FALSE;
458 
459 
460 	if (pent == NULL) {
461 		return (NULL);
462 	}
463 
464 	if ((buf = malloc(BUFSIZ)) == NULL) {
465 		return (NULL);
466 	}
467 
468 	/* convert the provider name */
469 	if (strlcpy(buf, pent->name, BUFSIZ) >= BUFSIZ) {
470 		free(buf);
471 		return (NULL);
472 	}
473 
474 	if (!pent->load) { /* add "unload" keyword */
475 		if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
476 			free(buf);
477 			return (NULL);
478 		}
479 
480 		if (strlcat(buf, EF_UNLOAD, BUFSIZ) >= BUFSIZ) {
481 			free(buf);
482 			return (NULL);
483 		}
484 
485 		semicolon_separator = B_TRUE;
486 	}
487 
488 	/* convert the supported list if any */
489 	pcur = pent->suplist;
490 	if (pcur != NULL) {
491 		if (strlcat(buf,
492 		    semicolon_separator ? SEP_SEMICOLON : SEP_COLON,
493 		    BUFSIZ) >= BUFSIZ) {
494 			free(buf);
495 			return (NULL);
496 		}
497 
498 		if (strlcat(buf, EF_SUPPORTED, BUFSIZ) >= BUFSIZ) {
499 			free(buf);
500 			return (NULL);
501 		}
502 
503 		while (pcur != NULL) {
504 			if (strlcat(buf, pcur->name, BUFSIZ) >= BUFSIZ) {
505 				free(buf);
506 				return (NULL);
507 			}
508 
509 			pcur = pcur->next;
510 			if (pcur != NULL) {
511 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
512 				    >= BUFSIZ) {
513 					free(buf);
514 					return (NULL);
515 				}
516 			}
517 		}
518 		semicolon_separator = B_TRUE;
519 	}
520 
521 	/* convert the disabled list if any */
522 	pcur = pent->dislist;
523 	if (pcur != NULL) {
524 		if (strlcat(buf,
525 		    semicolon_separator ? SEP_SEMICOLON : SEP_COLON,
526 		    BUFSIZ) >= BUFSIZ) {
527 			free(buf);
528 			return (NULL);
529 		}
530 
531 		if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) {
532 			free(buf);
533 			return (NULL);
534 		}
535 
536 		while (pcur != NULL) {
537 			if (strlcat(buf, pcur->name, BUFSIZ) >= BUFSIZ) {
538 				free(buf);
539 				return (NULL);
540 			}
541 
542 			pcur = pcur->next;
543 			if (pcur != NULL) {
544 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
545 				    >= BUFSIZ) {
546 					free(buf);
547 					return (NULL);
548 				}
549 			}
550 		}
551 		semicolon_separator = B_TRUE;
552 	}
553 
554 	if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) {
555 		free(buf);
556 		return (NULL);
557 	}
558 
559 	return (buf);
560 }
561 
562 
563 /*
564  * Enable the mechanisms for the provider pointed by *ppent.  If allflag is
565  * TRUE, enable all.  Otherwise, enable the mechanisms specified in the 3rd
566  * argument "mlist".  The result will be stored in ppent also.
567  */
568 int
569 enable_mechs(entry_t **ppent, boolean_t allflag, mechlist_t *mlist)
570 {
571 	entry_t		*pent;
572 	mechlist_t	*phead; /* the current and resulting disabled list */
573 	mechlist_t	*ptr = NULL;
574 	mechlist_t	*pcur = NULL;
575 	boolean_t	found;
576 
577 	pent = *ppent;
578 	if (pent == NULL) {
579 		return (FAILURE);
580 	}
581 
582 	if (allflag) {
583 		free_mechlist(pent->dislist);
584 		pent->dis_count = 0;
585 		pent->dislist = NULL;
586 		return (SUCCESS);
587 	}
588 
589 	/*
590 	 * for each mechanism in the to-be-enabled mechanism list,
591 	 * -	check if it is in the current disabled list
592 	 * -	if found, delete it from the disabled list
593 	 *	otherwise, give a warning.
594 	 */
595 	ptr = mlist;
596 	while (ptr != NULL) {
597 		found = B_FALSE;
598 		phead = pcur =  pent->dislist;
599 		while (!found && pcur) {
600 			if (strcmp(pcur->name, ptr->name) == 0) {
601 				found = B_TRUE;
602 			} else {
603 				phead = pcur;
604 				pcur = pcur->next;
605 			}
606 		}
607 
608 		if (found) {
609 			if (phead == pcur) {
610 				pent->dislist = pent->dislist->next;
611 				free(pcur);
612 			} else {
613 				phead->next = pcur->next;
614 				free(pcur);
615 			}
616 			pent->dis_count--;
617 		} else {
618 			cryptoerror(LOG_STDERR, gettext(
619 			    "(Warning) %1$s is either enabled already or not "
620 			    "a valid mechanism for %2$s"), ptr->name,
621 			    pent->name);
622 		}
623 		ptr = ptr->next;
624 	}
625 
626 	if (pent->dis_count == 0) {
627 		pent->dislist = NULL;
628 	}
629 
630 	return (SUCCESS);
631 
632 }
633 
634 
635 /*
636  * Determine if the kernel provider name, path, is a device
637  * (that is, it contains a slash character (e.g., "mca/0").
638  * If so, it is a hardware provider; otherwise it is a software provider.
639  */
640 boolean_t
641 is_device(char *path)
642 {
643 	if (strchr(path, SEP_SLASH) != NULL) {
644 		return (B_TRUE);
645 	} else {
646 		return (B_FALSE);
647 	}
648 }
649 
650 /*
651  * Split a hardware provider name with the "name/inst_num" format into
652  * a name and a number (e.g., split "mca/0" into "mca" instance 0).
653  */
654 int
655 split_hw_provname(char *provname, char *pname, int *inst_num)
656 {
657 	char	name[MAXNAMELEN];
658 	char	*inst_str;
659 
660 	if (provname == NULL) {
661 		return (FAILURE);
662 	}
663 
664 	(void) strlcpy(name, provname, MAXNAMELEN);
665 	if (strtok(name, "/") == NULL) {
666 		return (FAILURE);
667 	}
668 
669 	if ((inst_str = strtok(NULL, "/")) == NULL) {
670 		return (FAILURE);
671 	}
672 
673 	(void) strlcpy(pname, name, MAXNAMELEN);
674 	*inst_num = atoi(inst_str);
675 
676 	return (SUCCESS);
677 }
678 
679 
680 /*
681  * Retrieve information from kcf.conf and build a hardware device entry list
682  * and a software entry list of kernel crypto providers.
683  *
684  * This list is usually incomplete, as kernel crypto providers only have to
685  * be listed in kcf.conf if a mechanism is disabled (by cryptoadm) or
686  * if the kernel provider module is not one of the default kernel providers.
687  *
688  * The kcf.conf file is available only in the global zone.
689  */
690 int
691 get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
692 {
693 	FILE	*pfile = NULL;
694 	char	buffer[BUFSIZ];
695 	int	len;
696 	entry_t	*pent = NULL;
697 	int	rc = SUCCESS;
698 
699 	if ((pfile = fopen(_PATH_KCF_CONF, "r")) == NULL) {
700 		cryptodebug("failed to open the kcf.conf file for read only");
701 		return (FAILURE);
702 	}
703 
704 	*ppdevlist = NULL;
705 	*ppsoftlist = NULL;
706 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
707 		if (buffer[0] == '#' || buffer[0] == ' ' ||
708 		    buffer[0] == '\n'|| buffer[0] == '\t') {
709 			continue;   /* ignore comment lines */
710 		}
711 
712 		len = strlen(buffer);
713 		if (buffer[len - 1] == '\n') { /* get rid of trailing '\n' */
714 			len--;
715 		}
716 		buffer[len] = '\0';
717 
718 		if ((rc = interpret(buffer,  &pent)) == SUCCESS) {
719 			if (is_device(pent->name)) {
720 				rc = build_entrylist(pent, ppdevlist);
721 			} else {
722 				rc = build_entrylist(pent, ppsoftlist);
723 			}
724 		} else {
725 			cryptoerror(LOG_STDERR, gettext(
726 			    "failed to parse configuration."));
727 		}
728 
729 		if (rc != SUCCESS) {
730 			free_entrylist(*ppdevlist);
731 			free_entrylist(*ppsoftlist);
732 			free_entry(pent);
733 			break;
734 		}
735 	}
736 
737 	(void) fclose(pfile);
738 	return (rc);
739 }
740 
741 /*
742  * Retrieve information from admin device and build a device entry list and
743  * a software entry list.  This is used where there is no kcf.conf, e.g., the
744  * non-global zone.
745  */
746 int
747 get_admindev_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
748 {
749 	crypto_get_dev_list_t	*pdevlist_kernel = NULL;
750 	crypto_get_soft_list_t	*psoftlist_kernel = NULL;
751 	char			*devname;
752 	int			inst_num;
753 	int			mcount;
754 	mechlist_t		*pmech = NULL;
755 	entry_t			*pent_dev = NULL, *pent_soft = NULL;
756 	int			i;
757 	char			*psoftname;
758 	entrylist_t		*tmp_pdev = NULL;
759 	entrylist_t		*tmp_psoft = NULL;
760 	entrylist_t		*phardlist = NULL, *psoftlist = NULL;
761 
762 	/*
763 	 * Get hardware providers
764 	 */
765 	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
766 		cryptodebug("failed to get hardware provider list from kernel");
767 		return (FAILURE);
768 	}
769 
770 	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
771 		devname = pdevlist_kernel->dl_devs[i].le_dev_name;
772 		inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance;
773 		mcount = pdevlist_kernel->dl_devs[i].le_mechanism_count;
774 
775 		pmech = NULL;
776 		if (get_dev_info(devname, inst_num, mcount, &pmech) !=
777 		    SUCCESS) {
778 			cryptodebug(
779 			    "failed to retrieve the mechanism list for %s/%d.",
780 			    devname, inst_num);
781 			goto fail_out;
782 		}
783 
784 		if ((pent_dev = create_entry(devname)) == NULL) {
785 			cryptodebug("out of memory.");
786 			free_mechlist(pmech);
787 			goto fail_out;
788 		}
789 		pent_dev->suplist = pmech;
790 		pent_dev->sup_count = mcount;
791 
792 		if (build_entrylist(pent_dev, &tmp_pdev) != SUCCESS) {
793 			goto fail_out;
794 		}
795 	}
796 
797 	free(pdevlist_kernel);
798 	pdevlist_kernel = NULL;
799 
800 	/*
801 	 * Get software providers
802 	 */
803 	if (getzoneid() == GLOBAL_ZONEID) {
804 		if (get_kcfconf_info(&phardlist, &psoftlist) != SUCCESS) {
805 			goto fail_out;
806 		}
807 	}
808 
809 	if (get_soft_list(&psoftlist_kernel) != SUCCESS) {
810 		cryptodebug("failed to get software provider list from kernel");
811 		goto fail_out;
812 	}
813 
814 	for (i = 0, psoftname = psoftlist_kernel->sl_soft_names;
815 	    i < psoftlist_kernel->sl_soft_count;
816 	    i++, psoftname = psoftname + strlen(psoftname) + 1) {
817 		pmech = NULL;
818 		if (get_soft_info(psoftname, &pmech, phardlist, psoftlist) !=
819 		    SUCCESS) {
820 			cryptodebug(
821 			    "failed to retrieve the mechanism list for %s.",
822 			    psoftname);
823 			goto fail_out;
824 		}
825 
826 		if ((pent_soft = create_entry(psoftname)) == NULL) {
827 			cryptodebug("out of memory.");
828 			free_mechlist(pmech);
829 			goto fail_out;
830 		}
831 		pent_soft->suplist = pmech;
832 		pent_soft->sup_count = get_mech_count(pmech);
833 
834 		if (build_entrylist(pent_soft, &tmp_psoft) != SUCCESS) {
835 			goto fail_out;
836 		}
837 	}
838 
839 	free(psoftlist_kernel);
840 	psoftlist_kernel = NULL;
841 
842 	*ppdevlist = tmp_pdev;
843 	*ppsoftlist = tmp_psoft;
844 
845 	return (SUCCESS);
846 
847 fail_out:
848 	if (pent_dev != NULL)
849 		free_entry(pent_dev);
850 	if (pent_soft != NULL)
851 		free_entry(pent_soft);
852 
853 	free_entrylist(tmp_pdev);
854 	free_entrylist(tmp_psoft);
855 
856 	if (pdevlist_kernel != NULL)
857 		free(pdevlist_kernel);
858 	if (psoftlist_kernel != NULL)
859 		free(psoftlist_kernel);
860 
861 	return (FAILURE);
862 }
863 
864 /*
865  * Return configuration information for a kernel provider from kcf.conf.
866  * For kernel software providers return a enabled list and disabled list.
867  * For kernel hardware providers return just a disabled list.
868  *
869  * Parameters phardlist and psoftlist are supplied by get_kcfconf_info().
870  * If NULL, this function calls get_kcfconf_info() internally.
871  */
872 entry_t *
873 getent_kef(char *provname, entrylist_t *phardlist, entrylist_t *psoftlist)
874 {
875 	entry_t		*pent = NULL;
876 	boolean_t	memory_allocated = B_FALSE;
877 
878 	if ((phardlist == NULL) || (psoftlist == NULL)) {
879 		if (get_kcfconf_info(&phardlist, &psoftlist) != SUCCESS) {
880 			return (NULL);
881 		}
882 		memory_allocated = B_TRUE;
883 	}
884 
885 	if (is_device(provname)) {
886 		pent = getent(provname, phardlist);
887 	} else {
888 		pent = getent(provname, psoftlist);
889 	}
890 
891 	if (memory_allocated) {
892 		free_entrylist(phardlist);
893 		free_entrylist(psoftlist);
894 	}
895 
896 	return (pent);
897 }
898 
899 /*
900  * Print out the provider name and the mechanism list.
901  */
902 void
903 print_mechlist(char *provname, mechlist_t *pmechlist)
904 {
905 	mechlist_t *ptr = NULL;
906 
907 	if (provname == NULL) {
908 		return;
909 	}
910 
911 	(void) printf("%s: ", provname);
912 	if (pmechlist == NULL) {
913 		(void) printf(gettext("No mechanisms presented.\n"));
914 		return;
915 	}
916 
917 	ptr = pmechlist;
918 	while (ptr != NULL) {
919 		(void) printf("%s", ptr->name);
920 		ptr = ptr->next;
921 		if (ptr == NULL) {
922 			(void) printf("\n");
923 		} else {
924 			(void) printf(",");
925 		}
926 	}
927 }
928 
929 
930 /*
931  * Update the kcf.conf file based on the update mode:
932  * - If update_mode is MODIFY_MODE, modify the entry with the same name.
933  *   If not found, append a new entry to the kcf.conf file.
934  * - If update_mode is DELETE_MODE, delete the entry with the same name.
935  * - If update_mode is ADD_MODE, append a new entry to the kcf.conf file.
936  */
937 int
938 update_kcfconf(entry_t *pent, int update_mode)
939 {
940 	boolean_t	add_it = B_FALSE;
941 	boolean_t	delete_it = B_FALSE;
942 	boolean_t	this_entry_matches = B_FALSE;
943 	boolean_t	found_entry = B_FALSE;
944 	FILE		*pfile = NULL;
945 	FILE		*pfile_tmp = NULL;
946 	char		buffer[BUFSIZ];
947 	char		buffer2[BUFSIZ];
948 	char		tmpfile_name[MAXPATHLEN];
949 	char		*name;
950 	char		*new_str = NULL;
951 	int		rc = SUCCESS;
952 
953 	if (pent == NULL) {
954 		cryptoerror(LOG_STDERR, gettext("internal error."));
955 		return (FAILURE);
956 	}
957 
958 	/* Check the update_mode */
959 	switch (update_mode) {
960 	case ADD_MODE:
961 		add_it = B_TRUE;
962 		/* FALLTHROUGH */
963 	case MODIFY_MODE:
964 		/* Convert the entry a string to add to kcf.conf  */
965 		if ((new_str = ent2str(pent)) == NULL) {
966 			return (FAILURE);
967 		}
968 		break;
969 	case DELETE_MODE:
970 		delete_it = B_TRUE;
971 		break;
972 	default:
973 		cryptoerror(LOG_STDERR, gettext("internal error."));
974 		return (FAILURE);
975 	}
976 
977 	/* Open the kcf.conf file */
978 	if ((pfile = fopen(_PATH_KCF_CONF, "r+")) == NULL) {
979 		err = errno;
980 		cryptoerror(LOG_STDERR,
981 		    gettext("failed to update the configuration - %s"),
982 		    strerror(err));
983 		cryptodebug("failed to open %s for write.", _PATH_KCF_CONF);
984 		return (FAILURE);
985 	}
986 
987 	/* Lock the kcf.conf file */
988 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
989 		err = errno;
990 		cryptoerror(LOG_STDERR,
991 		    gettext("failed to update the configuration - %s"),
992 		    strerror(err));
993 		(void) fclose(pfile);
994 		return (FAILURE);
995 	}
996 
997 	/*
998 	 * Create a temporary file in the /etc/crypto directory to save
999 	 * updated configuration file first.
1000 	 */
1001 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
1002 	if (mkstemp(tmpfile_name) == -1) {
1003 		err = errno;
1004 		cryptoerror(LOG_STDERR,
1005 		    gettext("failed to create a temporary file - %s"),
1006 		    strerror(err));
1007 		(void) fclose(pfile);
1008 		return (FAILURE);
1009 	}
1010 
1011 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
1012 		err = errno;
1013 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1014 		    tmpfile_name, strerror(err));
1015 		(void) fclose(pfile);
1016 		return (FAILURE);
1017 	}
1018 
1019 	/*
1020 	 * Loop thru the entire kcf.conf file, insert, modify or delete
1021 	 * an entry.
1022 	 */
1023 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1024 		if (add_it) {
1025 			if (fputs(buffer, pfile_tmp) == EOF) {
1026 				err = errno;
1027 				cryptoerror(LOG_STDERR, gettext(
1028 				    "failed to write to a temp file: %s."),
1029 				    strerror(err));
1030 				rc = FAILURE;
1031 				break;
1032 			}
1033 
1034 		} else { /* modify or delete */
1035 			this_entry_matches = B_FALSE;
1036 
1037 			if (!(buffer[0] == '#' || buffer[0] == ' ' ||
1038 			    buffer[0] == '\n'|| buffer[0] == '\t')) {
1039 				/*
1040 				 * Get the provider name from this line and
1041 				 * check if this is the entry to be updated
1042 				 * or deleted. Note: can not use "buffer"
1043 				 * directly because strtok will change its
1044 				 * value.
1045 				 */
1046 				(void) strlcpy(buffer2, buffer, BUFSIZ);
1047 				if ((name = strtok(buffer2, SEP_COLON)) ==
1048 				    NULL) {
1049 					rc = FAILURE;
1050 					break;
1051 				}
1052 
1053 				if (strcmp(pent->name, name) == 0) {
1054 					this_entry_matches = B_TRUE;
1055 					found_entry = B_TRUE;
1056 				}
1057 			}
1058 
1059 
1060 			if (!this_entry_matches || !delete_it) {
1061 				/* write this entry */
1062 				if (this_entry_matches) {
1063 					/*
1064 					 * Modify this entry: get the
1065 					 * updated string and place into buffer.
1066 					 */
1067 					(void) strlcpy(buffer, new_str, BUFSIZ);
1068 					free(new_str);
1069 				}
1070 				/* write the (unchanged or modified) entry */
1071 				if (fputs(buffer, pfile_tmp) == EOF) {
1072 					err = errno;
1073 					cryptoerror(LOG_STDERR, gettext(
1074 					    "failed to write to a temp file: "
1075 					    "%s."), strerror(err));
1076 					rc = FAILURE;
1077 					break;
1078 				}
1079 			}
1080 		}
1081 	}
1082 
1083 	if ((!delete_it) && (rc != FAILURE)) {
1084 		if (add_it || !found_entry) {
1085 			/* append new entry to end of file */
1086 			if (fputs(new_str, pfile_tmp) == EOF) {
1087 				err = errno;
1088 				cryptoerror(LOG_STDERR, gettext(
1089 				    "failed to write to a temp file: %s."),
1090 				    strerror(err));
1091 				rc = FAILURE;
1092 			}
1093 			free(new_str);
1094 		}
1095 	}
1096 
1097 	(void) fclose(pfile);
1098 	if (fclose(pfile_tmp) != 0) {
1099 		err = errno;
1100 		cryptoerror(LOG_STDERR,
1101 		    gettext("failed to close %s: %s"), tmpfile_name,
1102 		    strerror(err));
1103 		return (FAILURE);
1104 	}
1105 
1106 	/* Copy the temporary file to the kcf.conf file */
1107 	if (rename(tmpfile_name, _PATH_KCF_CONF) == -1) {
1108 		err = errno;
1109 		cryptoerror(LOG_STDERR,
1110 		    gettext("failed to update the configuration - %s"),
1111 		    strerror(err));
1112 		cryptodebug("failed to rename %s to %s: %s", tmpfile,
1113 		    _PATH_KCF_CONF, strerror(err));
1114 		rc = FAILURE;
1115 	} else if (chmod(_PATH_KCF_CONF,
1116 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1117 		err = errno;
1118 		cryptoerror(LOG_STDERR,
1119 		    gettext("failed to update the configuration - %s"),
1120 		    strerror(err));
1121 		cryptodebug("failed to chmod to %s: %s", _PATH_KCF_CONF,
1122 		    strerror(err));
1123 		rc = FAILURE;
1124 	} else {
1125 		rc = SUCCESS;
1126 	}
1127 
1128 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1129 		err = errno;
1130 		cryptoerror(LOG_STDERR, gettext(
1131 		    "(Warning) failed to remove %s: %s"),
1132 		    tmpfile_name, strerror(err));
1133 	}
1134 
1135 	return (rc);
1136 }
1137 
1138 
1139 /*
1140  * Disable the mechanisms for the provider pointed by *ppent.  If allflag is
1141  * TRUE, disable all.  Otherwise, disable the mechanisms specified in the
1142  * dislist argument.  The "infolist" argument contains the mechanism list
1143  * supported by this provider.
1144  */
1145 int
1146 disable_mechs(entry_t **ppent, mechlist_t *infolist, boolean_t allflag,
1147 mechlist_t *dislist)
1148 {
1149 	entry_t		*pent;
1150 	mechlist_t	*plist = NULL;
1151 	mechlist_t	*phead = NULL;
1152 	mechlist_t	*pmech = NULL;
1153 	int		rc = SUCCESS;
1154 
1155 	pent = *ppent;
1156 	if (pent == NULL) {
1157 		return (FAILURE);
1158 	}
1159 
1160 	if (allflag) {
1161 		free_mechlist(pent->dislist);
1162 		pent->dis_count = get_mech_count(infolist);
1163 		if (!(pent->dislist = dup_mechlist(infolist))) {
1164 			return (FAILURE);
1165 		} else {
1166 			return (SUCCESS);
1167 		}
1168 	}
1169 
1170 	/*
1171 	 * Not disable all. Now loop thru the mechanisms specified in the
1172 	 * dislist.  If the mechanism is not supported by the provider,
1173 	 * ignore it with a warning.  If the mechanism is disabled already,
1174 	 * do nothing. Otherwise, prepend it to the beginning of the disabled
1175 	 * list of the provider.
1176 	 */
1177 	plist = dislist;
1178 	while (plist != NULL) {
1179 		if (!is_in_list(plist->name, infolist)) {
1180 			cryptoerror(LOG_STDERR, gettext("(Warning) "
1181 			    "%1$s is not a valid mechanism for %2$s."),
1182 			    plist->name, pent->name);
1183 		} else if (!is_in_list(plist->name, pent->dislist)) {
1184 			/* Add this mechanism into the disabled list */
1185 			if ((pmech = create_mech(plist->name)) == NULL) {
1186 				rc = FAILURE;
1187 				break;
1188 			}
1189 
1190 			if (pent->dislist == NULL) {
1191 				pent->dislist = pmech;
1192 			} else {
1193 				phead = pent->dislist;
1194 				pent->dislist = pmech;
1195 				pmech->next = phead;
1196 			}
1197 			pent->dis_count++;
1198 		}
1199 		plist = plist->next;
1200 	}
1201 
1202 	return (rc);
1203 }
1204 
1205 /*
1206  * Remove the mechanism passed, specified by mech, from the list of
1207  * mechanisms, if present in the list. Else, do nothing.
1208  *
1209  * Returns B_TRUE if mechanism is present in the list.
1210  */
1211 boolean_t
1212 filter_mechlist(mechlist_t **pmechlist, const char *mech)
1213 {
1214 	int		cnt = 0;
1215 	mechlist_t	*ptr, *pptr;
1216 	boolean_t	mech_present = B_FALSE;
1217 
1218 	ptr = pptr = *pmechlist;
1219 
1220 	while (ptr != NULL) {
1221 		if (strncmp(ptr->name, mech, sizeof (mech_name_t)) == 0) {
1222 			mech_present = B_TRUE;
1223 			if (ptr == *pmechlist) {
1224 				pptr = *pmechlist = ptr->next;
1225 				free(ptr);
1226 				ptr = pptr;
1227 			} else {
1228 				pptr->next = ptr->next;
1229 				free(ptr);
1230 				ptr = pptr->next;
1231 			}
1232 		} else {
1233 			pptr = ptr;
1234 			ptr = ptr->next;
1235 			cnt++;
1236 		}
1237 	}
1238 
1239 	/* Only one entry is present */
1240 	if (cnt == 0)
1241 		*pmechlist = NULL;
1242 
1243 	return (mech_present);
1244 }
1245 
1246 
1247 
1248 /*
1249  * Print out the mechanism policy for a kernel provider that has an entry
1250  * in the kcf.conf file.
1251  *
1252  * The flag has_random is set to B_TRUE if the provider does random
1253  * numbers. The flag has_mechs is set by the caller to B_TRUE if the provider
1254  * has some mechanisms.
1255  *
1256  * If pent is NULL, the provider doesn't have a kcf.conf entry.
1257  */
1258 void
1259 print_kef_policy(char *provname, entry_t *pent, boolean_t has_random,
1260     boolean_t has_mechs)
1261 {
1262 	mechlist_t	*ptr = NULL;
1263 	boolean_t	rnd_disabled = B_FALSE;
1264 
1265 	if (pent != NULL) {
1266 		rnd_disabled = filter_mechlist(&pent->dislist, RANDOM);
1267 		ptr = pent->dislist;
1268 	}
1269 
1270 	(void) printf("%s:", provname);
1271 
1272 	if (has_mechs == B_TRUE) {
1273 		/*
1274 		 * TRANSLATION_NOTE
1275 		 * This code block may need to be modified a bit to avoid
1276 		 * constructing the text message on the fly.
1277 		 */
1278 		(void) printf(gettext(" all mechanisms are enabled"));
1279 		if (ptr != NULL)
1280 			(void) printf(gettext(", except "));
1281 		while (ptr != NULL) {
1282 			(void) printf("%s", ptr->name);
1283 			ptr = ptr->next;
1284 			if (ptr != NULL)
1285 				(void) printf(",");
1286 		}
1287 		if (ptr == NULL)
1288 			(void) printf(".");
1289 	}
1290 
1291 	/*
1292 	 * TRANSLATION_NOTE
1293 	 * "random" is a keyword and not to be translated.
1294 	 */
1295 	if (rnd_disabled)
1296 		(void) printf(gettext(" %s is disabled."), "random");
1297 	else if (has_random)
1298 		(void) printf(gettext(" %s is enabled."), "random");
1299 	(void) printf("\n");
1300 }
1301 
1302 
1303 /*
1304  * Check if a kernel software provider is in the kernel.
1305  *
1306  * Parameters:
1307  * provname		Provider name
1308  * psoftlist_kernel	Optional software provider list.  If NULL, it will be
1309  *			obtained from get_soft_list().
1310  * in_kernel		Set to B_TRUE if device is in the kernel, else B_FALSE
1311  */
1312 int
1313 check_kernel_for_soft(char *provname, crypto_get_soft_list_t *psoftlist_kernel,
1314     boolean_t *in_kernel)
1315 {
1316 	char		*ptr;
1317 	int		i;
1318 	boolean_t	psoftlist_allocated = B_FALSE;
1319 
1320 	if (provname == NULL) {
1321 		cryptoerror(LOG_STDERR, gettext("internal error."));
1322 		return (FAILURE);
1323 	}
1324 
1325 	if (psoftlist_kernel == NULL) {
1326 		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
1327 			cryptodebug("failed to get the software provider list"
1328 			" from kernel.");
1329 			return (FAILURE);
1330 		}
1331 		psoftlist_allocated = B_TRUE;
1332 	}
1333 
1334 	*in_kernel = B_FALSE;
1335 	ptr = psoftlist_kernel->sl_soft_names;
1336 	for (i = 0; i < psoftlist_kernel->sl_soft_count; i++) {
1337 		if (strcmp(provname, ptr) == 0) {
1338 			*in_kernel = B_TRUE;
1339 			break;
1340 		}
1341 		ptr = ptr + strlen(ptr) + 1;
1342 	}
1343 
1344 	if (psoftlist_allocated)
1345 		free(psoftlist_kernel);
1346 
1347 	return (SUCCESS);
1348 }
1349 
1350 
1351 /*
1352  * Check if a kernel hardware provider is in the kernel.
1353  *
1354  * Parameters:
1355  * provname	Provider name
1356  * pdevlist	Optional Hardware Crypto Device List.  If NULL, it will be
1357  *		obtained from get_dev_list().
1358  * in_kernel	Set to B_TRUE if device is in the kernel, otherwise B_FALSE
1359  */
1360 int
1361 check_kernel_for_hard(char *provname,
1362     crypto_get_dev_list_t *pdevlist, boolean_t *in_kernel)
1363 {
1364 	char		devname[MAXNAMELEN];
1365 	int		inst_num;
1366 	int		i;
1367 	boolean_t	dev_list_allocated = B_FALSE;
1368 
1369 	if (provname == NULL) {
1370 		cryptoerror(LOG_STDERR, gettext("internal error."));
1371 		return (FAILURE);
1372 	}
1373 
1374 	if (split_hw_provname(provname, devname, &inst_num) == FAILURE) {
1375 		return (FAILURE);
1376 	}
1377 
1378 	if (pdevlist == NULL) {
1379 		if (get_dev_list(&pdevlist) == FAILURE) {
1380 			cryptoerror(LOG_STDERR, gettext("internal error."));
1381 			return (FAILURE);
1382 		}
1383 		dev_list_allocated = B_TRUE;
1384 	}
1385 
1386 	*in_kernel = B_FALSE;
1387 	for (i = 0; i < pdevlist->dl_dev_count; i++) {
1388 		if ((strcmp(pdevlist->dl_devs[i].le_dev_name, devname) == 0) &&
1389 		    (pdevlist->dl_devs[i].le_dev_instance == inst_num)) {
1390 			*in_kernel = B_TRUE;
1391 			break;
1392 		}
1393 	}
1394 
1395 	if (dev_list_allocated)
1396 		free(pdevlist);
1397 
1398 	return (SUCCESS);
1399 }
1400