xref: /titanic_44/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c (revision e4b86885570d77af552e9cf94f142f4d744fb8c8)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <cryptoutil.h>
27 #include <fcntl.h>
28 #include <libintl.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <strings.h>
32 #include <unistd.h>
33 #include <errno.h>
34 #include <dlfcn.h>
35 #include <link.h>
36 #include <sys/types.h>
37 #include <sys/stat.h>
38 #include <security/cryptoki.h>
39 #include "cryptoadm.h"
40 
41 #define	HDR1 "                                     P\n"
42 #define	HDR2 "                         S     V  K  a     U  D\n"
43 #define	HDR3 "                         i     e  e  i     n  e\n"
44 #define	HDR4 "                      S  g  V  r  y  r  W  w  r\n"
45 #define	HDR5 "             E  D  D  i  n  e  i  G  G  r  r  i\n"
46 #define	HDR6 "          H  n  e  i  g  +  r  +  e  e  a  a  v  E\n"
47 #define	HDR7 "min  max  W  c  c  g  n  R  i  R  n  n  p  p  e  C\n"
48 
49 
50 static int err; /* To store errno which may be overwritten by gettext() */
51 static boolean_t is_in_policylist(midstr_t, umechlist_t *);
52 static char *uent2str(uentry_t *);
53 static boolean_t check_random(CK_SLOT_ID, CK_FUNCTION_LIST_PTR);
54 
55 static void display_slot_flags(CK_FLAGS flags)
56 {
57 	(void) printf(gettext("Slot Flags: "));
58 	if (flags & CKF_TOKEN_PRESENT)
59 		(void) printf("CKF_TOKEN_PRESENT ");
60 	if (flags & CKF_REMOVABLE_DEVICE)
61 		(void) printf("CKF_REMOVABLE_DEVICE ");
62 	if (flags & CKF_HW_SLOT)
63 		(void) printf("CKF_HW_SLOT ");
64 	(void) printf("\n");
65 }
66 
67 void
68 display_token_flags(CK_FLAGS flags)
69 {
70 	(void) printf(gettext("Flags: "));
71 	if (flags & CKF_RNG)
72 		(void) printf("CKF_RNG ");
73 	if (flags & CKF_WRITE_PROTECTED)
74 		(void) printf("CKF_WRITE_PROTECTED ");
75 	if (flags & CKF_LOGIN_REQUIRED)
76 		(void) printf("CKF_LOGIN_REQUIRED ");
77 	if (flags & CKF_USER_PIN_INITIALIZED)
78 		(void) printf("CKF_USER_PIN_INITIALIZED ");
79 	if (flags & CKF_RESTORE_KEY_NOT_NEEDED)
80 		(void) printf("CKF_RESTORE_KEY_NOT_NEEDED ");
81 	if (flags & CKF_CLOCK_ON_TOKEN)
82 		(void) printf("CKF_CLOCK_ON_TOKEN ");
83 	if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
84 		(void) printf("CKF_PROTECTED_AUTHENTICATION_PATH ");
85 	if (flags & CKF_DUAL_CRYPTO_OPERATIONS)
86 		(void) printf("CKF_DUAL_CRYPTO_OPERATIONS ");
87 	if (flags & CKF_TOKEN_INITIALIZED)
88 		(void) printf("CKF_TOKEN_INITIALIZED ");
89 	if (flags & CKF_SECONDARY_AUTHENTICATION)
90 		(void) printf("CKF_SECONDARY_AUTHENTICATION ");
91 	if (flags & CKF_USER_PIN_COUNT_LOW)
92 		(void) printf("CKF_USER_PIN_COUNT_LOW ");
93 	if (flags & CKF_USER_PIN_FINAL_TRY)
94 		(void) printf("CKF_USER_PIN_FINAL_TRY ");
95 	if (flags & CKF_USER_PIN_LOCKED)
96 		(void) printf("CKF_USER_PIN_LOCKED ");
97 	if (flags & CKF_USER_PIN_TO_BE_CHANGED)
98 		(void) printf("CKF_USER_PIN_TO_BE_CHANGED ");
99 	if (flags & CKF_SO_PIN_COUNT_LOW)
100 		(void) printf("CKF_SO_PIN_COUNT_LOW ");
101 	if (flags & CKF_SO_PIN_FINAL_TRY)
102 		(void) printf("CKF_SO_PIN_FINAL_TRY ");
103 	if (flags & CKF_SO_PIN_LOCKED)
104 		(void) printf("CKF_SO_PIN_LOCKED ");
105 	if (flags & CKF_SO_PIN_TO_BE_CHANGED)
106 		(void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
107 	if (flags & CKF_SO_PIN_TO_BE_CHANGED)
108 		(void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
109 	(void) printf("\n");
110 }
111 
112 void
113 display_mech_info(CK_MECHANISM_INFO *mechInfo)
114 {
115 	CK_FLAGS ec_flags = CKF_EC_F_P | CKF_EC_F_2M | CKF_EC_ECPARAMETERS |
116 	    CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS;
117 
118 	(void) printf("%-4ld %-4ld ", mechInfo->ulMinKeySize,
119 	    mechInfo->ulMaxKeySize);
120 	(void) printf("%s  %s  %s  %s  %s  %s  %s  %s  %s  %s  %s  %s  "
121 	    "%s  %s",
122 	    (mechInfo->flags & CKF_HW) ? "X" : ".",
123 	    (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".",
124 	    (mechInfo->flags & CKF_DECRYPT) ? "X" : ".",
125 	    (mechInfo->flags & CKF_DIGEST) ? "X" : ".",
126 	    (mechInfo->flags & CKF_SIGN) ? "X" : ".",
127 	    (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".",
128 	    (mechInfo->flags & CKF_VERIFY) ? "X" : ".",
129 	    (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".",
130 	    (mechInfo->flags & CKF_GENERATE) ? "X" : ".",
131 	    (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".",
132 	    (mechInfo->flags & CKF_WRAP) ? "X" : ".",
133 	    (mechInfo->flags & CKF_UNWRAP) ? "X" : ".",
134 	    (mechInfo->flags & CKF_DERIVE) ? "X" : ".",
135 	    (mechInfo->flags & ec_flags) ? "X" : ".");
136 }
137 
138 /*
139  * Converts the provided list of mechanism names in their string format to
140  * their corresponding PKCS#11 mechanism IDs.
141  *
142  * The list of mechanism names to be converted is provided in the
143  * "mlist" argument.  The list of converted mechanism IDs is returned
144  * in the "pmech_list" argument.
145  *
146  * This function is called by list_metaslot_info() and
147  * list_mechlist_for_lib() functions.
148  */
149 int
150 convert_mechlist(CK_MECHANISM_TYPE **pmech_list, CK_ULONG *mech_count,
151     mechlist_t *mlist)
152 {
153 	int i, n = 0;
154 	mechlist_t *p = mlist;
155 
156 	while (p != NULL) {
157 		p = p->next;
158 		n++;
159 	}
160 
161 	*pmech_list = malloc(n * sizeof (CK_MECHANISM_TYPE));
162 	if (pmech_list == NULL) {
163 		cryptodebug("out of memory");
164 		return (FAILURE);
165 	}
166 	p = mlist;
167 	for (i = 0; i < n; i++) {
168 		if (pkcs11_str2mech(p->name, &(*pmech_list[i])) != CKR_OK) {
169 			free(*pmech_list);
170 			return (FAILURE);
171 		}
172 		p = p->next;
173 	}
174 	*mech_count = n;
175 	return (SUCCESS);
176 }
177 
178 /*
179  * Display the mechanism list for a user-level library
180  */
181 int
182 list_mechlist_for_lib(char *libname, mechlist_t *mlist,
183 		flag_val_t *rng_flag, boolean_t no_warn,
184 		boolean_t verbose, boolean_t show_mechs)
185 {
186 	CK_RV	rv = CKR_OK;
187 	CK_RV	(*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
188 	CK_FUNCTION_LIST_PTR	prov_funcs; /* Provider's function list */
189 	CK_SLOT_ID_PTR		prov_slots = NULL; /* Provider's slot list */
190 	CK_MECHANISM_TYPE_PTR	pmech_list; /* mechanism list for a slot */
191 	CK_SLOT_INFO	slotinfo;
192 	CK_ULONG	slot_count;
193 	CK_ULONG	mech_count;
194 	uentry_t	*puent = NULL;
195 	boolean_t	lib_initialized = B_FALSE;
196 	void		*dldesc = NULL;
197 	char		*dl_error;
198 	const char 	*mech_name;
199 	char		*isa;
200 	char		libpath[MAXPATHLEN];
201 	char		buf[MAXPATHLEN];
202 	int		i, j;
203 	int		rc = SUCCESS;
204 
205 	if (libname == NULL) {
206 		/* should not happen */
207 		cryptoerror(LOG_STDERR, gettext("internal error."));
208 		cryptodebug("list_mechlist_for_lib() - libname is NULL.");
209 		return (FAILURE);
210 	}
211 
212 	/* Check if the library is in the pkcs11.conf file */
213 	if ((puent = getent_uef(libname)) == NULL) {
214 		cryptoerror(LOG_STDERR,
215 		    gettext("%s does not exist."), libname);
216 		return (FAILURE);
217 	}
218 	free_uentry(puent);
219 
220 	/* Remove $ISA from the library name */
221 	if (strlcpy(buf, libname, sizeof (buf)) >= sizeof (buf)) {
222 		(void) printf(gettext("%s: the provider name is too long."),
223 		    libname);
224 		return (FAILURE);
225 	}
226 
227 	if ((isa = strstr(buf, PKCS11_ISA)) != NULL) {
228 		*isa = '\000';
229 		isa += strlen(PKCS11_ISA);
230 		(void) snprintf(libpath, MAXPATHLEN, "%s%s%s", buf, "/", isa);
231 	} else {
232 		(void) strlcpy(libpath, libname, sizeof (libpath));
233 	}
234 
235 	/* Open the provider */
236 	dldesc = dlopen(libpath, RTLD_NOW);
237 	if (dldesc == NULL) {
238 		dl_error = dlerror();
239 		cryptodebug("Cannot load PKCS#11 library %s.  dlerror: %s",
240 		    libname, dl_error != NULL ? dl_error : "Unknown");
241 		rc = FAILURE;
242 		goto clean_exit;
243 	}
244 
245 	/* Get the pointer to provider's C_GetFunctionList() */
246 	Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
247 	if (Tmp_C_GetFunctionList == NULL) {
248 		cryptodebug("Cannot get the address of the C_GetFunctionList "
249 		    "from %s", libname);
250 		rc = FAILURE;
251 		goto clean_exit;
252 	}
253 
254 	/* Get the provider's function list */
255 	rv = Tmp_C_GetFunctionList(&prov_funcs);
256 	if (rv != CKR_OK) {
257 		cryptodebug("failed to call C_GetFunctionList from %s",
258 		    libname);
259 		rc = FAILURE;
260 		goto clean_exit;
261 	}
262 
263 	/* Initialize this provider */
264 	rv = prov_funcs->C_Initialize(NULL_PTR);
265 	if (rv != CKR_OK) {
266 		cryptodebug("failed to call C_Initialize from %s, "
267 		    "return code = %d", libname, rv);
268 		rc = FAILURE;
269 		goto clean_exit;
270 	} else {
271 		lib_initialized = B_TRUE;
272 	}
273 
274 	/*
275 	 * Find out how many slots this provider has, call with tokenPresent
276 	 * set to FALSE so all potential slots are returned.
277 	 */
278 	rv = prov_funcs->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
279 	if (rv != CKR_OK) {
280 		cryptodebug("failed to get the slotlist from %s.", libname);
281 		rc = FAILURE;
282 		goto clean_exit;
283 	} else if (slot_count == 0) {
284 		if (!no_warn)
285 			(void) printf(gettext("%s: no slots presented.\n"),
286 			    libname);
287 		rc = SUCCESS;
288 		goto clean_exit;
289 	}
290 
291 	/* Allocate memory for the slot list */
292 	prov_slots = malloc(slot_count * sizeof (CK_SLOT_ID));
293 	if (prov_slots == NULL) {
294 		cryptodebug("out of memory.");
295 		rc = FAILURE;
296 		goto clean_exit;
297 	}
298 
299 	/* Get the slot list from provider */
300 	rv = prov_funcs->C_GetSlotList(FALSE, prov_slots, &slot_count);
301 	if (rv != CKR_OK) {
302 		cryptodebug("failed to call C_GetSlotList() from %s.",
303 		    libname);
304 		rc = FAILURE;
305 		goto clean_exit;
306 	}
307 
308 	if (verbose) {
309 		(void) printf(gettext("Number of slots: %d\n"), slot_count);
310 	}
311 
312 	/* Get the mechanism list for each slot */
313 	for (i = 0; i < slot_count; i++) {
314 		if (verbose)
315 			/*
316 			 * TRANSLATION_NOTE
317 			 * In some languages, the # symbol should be
318 			 * converted to "no", an "n" followed by a
319 			 * superscript "o"..
320 			 */
321 			(void) printf(gettext("\nSlot #%d\n"), i+1);
322 
323 		if ((rng_flag != NULL) && (*rng_flag == NO_RNG)) {
324 			if (check_random(prov_slots[i], prov_funcs)) {
325 				*rng_flag = HAS_RNG;
326 				rc = SUCCESS;
327 				goto clean_exit;
328 			} else
329 				continue;
330 		}
331 
332 		rv = prov_funcs->C_GetSlotInfo(prov_slots[i], &slotinfo);
333 		if (rv != CKR_OK) {
334 			cryptodebug("failed to get slotinfo from %s", libname);
335 			rc = FAILURE;
336 			break;
337 		}
338 		if (verbose) {
339 			CK_TOKEN_INFO tokeninfo;
340 
341 			(void) printf(gettext("Description: %.64s\n"
342 			    "Manufacturer: %.32s\n"
343 			    "PKCS#11 Version: %d.%d\n"),
344 			    slotinfo.slotDescription,
345 			    slotinfo.manufacturerID,
346 			    prov_funcs->version.major,
347 			    prov_funcs->version.minor);
348 
349 			(void) printf(gettext("Hardware Version: %d.%d\n"
350 			    "Firmware Version: %d.%d\n"),
351 			    slotinfo.hardwareVersion.major,
352 			    slotinfo.hardwareVersion.minor,
353 			    slotinfo.firmwareVersion.major,
354 			    slotinfo.firmwareVersion.minor);
355 
356 			(void) printf(gettext("Token Present: %s\n"),
357 			    (slotinfo.flags & CKF_TOKEN_PRESENT ?
358 			    gettext("True") : gettext("False")));
359 
360 			display_slot_flags(slotinfo.flags);
361 
362 			rv = prov_funcs->C_GetTokenInfo(prov_slots[i],
363 			    &tokeninfo);
364 			if (rv != CKR_OK) {
365 				cryptodebug("Failed to get "
366 				    "token info from %s", libname);
367 				rc = FAILURE;
368 				break;
369 			}
370 
371 			(void) printf(gettext("Token Label: %.32s\n"
372 			    "Manufacturer ID: %.32s\n"
373 			    "Model: %.16s\n"
374 			    "Serial Number: %.16s\n"
375 			    "Hardware Version: %d.%d\n"
376 			    "Firmware Version: %d.%d\n"
377 			    "UTC Time: %.16s\n"
378 			    "PIN Min Length: %d\n"
379 			    "PIN Max Length: %d\n"),
380 			    tokeninfo.label,
381 			    tokeninfo.manufacturerID,
382 			    tokeninfo.model,
383 			    tokeninfo.serialNumber,
384 			    tokeninfo.hardwareVersion.major,
385 			    tokeninfo.hardwareVersion.minor,
386 			    tokeninfo.firmwareVersion.major,
387 			    tokeninfo.firmwareVersion.minor,
388 			    tokeninfo.utcTime,
389 			    tokeninfo.ulMinPinLen,
390 			    tokeninfo.ulMaxPinLen);
391 
392 			display_token_flags(tokeninfo.flags);
393 		}
394 
395 		if (mlist == NULL) {
396 			rv = prov_funcs->C_GetMechanismList(prov_slots[i],
397 			    NULL_PTR, &mech_count);
398 			if (rv != CKR_OK) {
399 				cryptodebug(
400 				    "failed to call C_GetMechanismList() "
401 				    "from %s.", libname);
402 				rc = FAILURE;
403 				break;
404 			}
405 
406 			if (mech_count == 0) {
407 				/* no mechanisms in this slot */
408 				continue;
409 			}
410 
411 			pmech_list = malloc(mech_count *
412 			    sizeof (CK_MECHANISM_TYPE));
413 			if (pmech_list == NULL) {
414 				cryptodebug("out of memory");
415 				rc = FAILURE;
416 				break;
417 			}
418 
419 			/* Get the actual mechanism list */
420 			rv = prov_funcs->C_GetMechanismList(prov_slots[i],
421 			    pmech_list, &mech_count);
422 			if (rv != CKR_OK) {
423 				cryptodebug(
424 				    "failed to call C_GetMechanismList() "
425 				    "from %s.", libname);
426 				(void) free(pmech_list);
427 				rc = FAILURE;
428 				break;
429 			}
430 		} else  {
431 			/* use the mechanism list passed in */
432 			rc = convert_mechlist(&pmech_list, &mech_count, mlist);
433 			if (rc != SUCCESS) {
434 				goto clean_exit;
435 			}
436 		}
437 		if (show_mechs)
438 			(void) printf(gettext("Mechanisms:\n"));
439 
440 		if (verbose && show_mechs) {
441 			display_verbose_mech_header();
442 		}
443 		/*
444 		 * Merge the current mechanism list into the returning
445 		 * mechanism list.
446 		 */
447 		for (j = 0; show_mechs && j < mech_count; j++) {
448 			CK_MECHANISM_TYPE	mech = pmech_list[j];
449 
450 			if (mech >= CKM_VENDOR_DEFINED) {
451 				(void) printf("%#lx", mech);
452 			} else {
453 				mech_name = pkcs11_mech2str(mech);
454 				(void) printf("%-29s", mech_name);
455 			}
456 
457 			if (verbose) {
458 				CK_MECHANISM_INFO mech_info;
459 				rv = prov_funcs->C_GetMechanismInfo(
460 				    prov_slots[i], mech, &mech_info);
461 				if (rv != CKR_OK) {
462 					cryptodebug(
463 					    "failed to call "
464 					    "C_GetMechanismInfo() from %s.",
465 					    libname);
466 					(void) free(pmech_list);
467 					rc = FAILURE;
468 					break;
469 				}
470 				display_mech_info(&mech_info);
471 			}
472 			(void) printf("\n");
473 		}
474 		(void) free(pmech_list);
475 		if (rc == FAILURE) {
476 			break;
477 		}
478 	}
479 
480 	if (rng_flag != NULL || rc == FAILURE) {
481 		goto clean_exit;
482 	}
483 
484 clean_exit:
485 
486 	if (rc == FAILURE) {
487 		(void) printf(gettext(
488 		    "%s: failed to retrieve the mechanism list.\n"), libname);
489 	}
490 
491 	if (lib_initialized) {
492 		(void) prov_funcs->C_Finalize(NULL_PTR);
493 	}
494 
495 	if (dldesc != NULL) {
496 		(void) dlclose(dldesc);
497 	}
498 
499 	if (prov_slots != NULL) {
500 		(void) free(prov_slots);
501 	}
502 
503 	return (rc);
504 }
505 
506 
507 /*
508  * Display the mechanism policy for a user-level library
509  */
510 int
511 list_policy_for_lib(char *libname)
512 {
513 	uentry_t *puent = NULL;
514 	int rc;
515 
516 	if (libname == NULL) {
517 		/* should not happen */
518 		cryptoerror(LOG_STDERR, gettext("internal error."));
519 		cryptodebug("list_policy_for_lib() - libname is NULL.");
520 		return (FAILURE);
521 	}
522 
523 	/* Get the library entry from the pkcs11.conf file */
524 	if ((puent = getent_uef(libname)) == NULL) {
525 		cryptoerror(LOG_STDERR,
526 		    gettext("%s does not exist."), libname);
527 		return (FAILURE);
528 	}
529 
530 	/* Print the policy for this library */
531 	rc = print_uef_policy(puent);
532 	free_uentry(puent);
533 
534 	return (rc);
535 }
536 
537 
538 /*
539  * Disable mechanisms for a user-level library
540  */
541 int
542 disable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
543     mechlist_t *marglist)
544 {
545 	uentry_t	*puent;
546 	int	rc;
547 
548 	if (libname == NULL) {
549 		/* should not happen */
550 		cryptoerror(LOG_STDERR, gettext("internal error."));
551 		cryptodebug("disable_uef_lib() - libname is NULL.");
552 		return (FAILURE);
553 	}
554 
555 	/* Get the provider entry from the pkcs11.conf file */
556 	if ((puent = getent_uef(libname)) == NULL) {
557 		cryptoerror(LOG_STDERR,
558 		    gettext("%s does not exist."), libname);
559 		return (FAILURE);
560 	}
561 
562 	/*
563 	 * Update the mechanism policy of this library entry, based on
564 	 * the current policy mode of the library and the mechanisms specified
565 	 * in CLI.
566 	 */
567 	if (allflag) {
568 		/*
569 		 * If disabling all, just need to clean up the policylist and
570 		 * set the flag_enabledlist flag to be B_TRUE.
571 		 */
572 		free_umechlist(puent->policylist);
573 		puent->policylist = NULL;
574 		puent->count = 0;
575 		puent->flag_enabledlist = B_TRUE;
576 		rc = SUCCESS;
577 	} else if (marglist != NULL) {
578 		if (puent->flag_enabledlist == B_TRUE) {
579 			/*
580 			 * The current default policy mode of this library
581 			 * is "all are disabled, except ...", so if a
582 			 * specified mechanism is in the exception list
583 			 * (the policylist), delete it from the policylist.
584 			 */
585 			rc = update_policylist(puent, marglist, DELETE_MODE);
586 		} else {
587 			/*
588 			 * The current default policy mode of this library
589 			 * is "all are enabled", so if a specified mechanism
590 			 * is not in the exception list (policylist), add
591 			 * it into the policylist.
592 			 */
593 			rc = update_policylist(puent, marglist, ADD_MODE);
594 		}
595 	} else if (!rndflag) {
596 		/* should not happen */
597 		cryptoerror(LOG_STDERR, gettext("internal error."));
598 		cryptodebug("disable_uef_lib() - wrong arguments.");
599 		return (FAILURE);
600 	}
601 
602 	if (rndflag)
603 		puent->flag_norandom = B_TRUE;
604 
605 	if (rc == FAILURE) {
606 		free_uentry(puent);
607 		return (FAILURE);
608 	}
609 
610 	/* Update the pkcs11.conf file with the updated entry */
611 	rc = update_pkcs11conf(puent);
612 	free_uentry(puent);
613 	return (rc);
614 }
615 
616 
617 /*
618  * Enable disabled mechanisms for a user-level library.
619  */
620 int
621 enable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
622     mechlist_t *marglist)
623 {
624 	uentry_t	*puent;
625 	int	rc = SUCCESS;
626 
627 	if (libname == NULL) {
628 		/* should not happen */
629 		cryptoerror(LOG_STDERR, gettext("internal error."));
630 		cryptodebug("enable_uef_lib() - libname is NULL.");
631 		return (FAILURE);
632 	}
633 
634 	/* Get the provider entry from the pkcs11.conf file */
635 	if ((puent = getent_uef(libname)) == NULL) {
636 		cryptoerror(LOG_STDERR,
637 		    gettext("%s does not exist."), libname);
638 		return (FAILURE);
639 	}
640 
641 	/*
642 	 * Update the mechanism policy of this library entry, based on
643 	 * the current policy mode of the library and the mechanisms
644 	 * specified in CLI.
645 	 */
646 	if (allflag) {
647 		/*
648 		 * If enabling all, what needs to be done are cleaning up the
649 		 * policylist and setting the "flag_enabledlist" flag to
650 		 * B_FALSE.
651 		 */
652 		free_umechlist(puent->policylist);
653 		puent->policylist = NULL;
654 		puent->count = 0;
655 		puent->flag_enabledlist = B_FALSE;
656 		rc = SUCCESS;
657 	} else if (marglist != NULL) {
658 		if (puent->flag_enabledlist == B_TRUE) {
659 			/*
660 			 * The current default policy mode of this library
661 			 * is "all are disabled, except ...", so if a
662 			 * specified mechanism is not in the exception list
663 			 * (policylist), add it.
664 			 */
665 			rc = update_policylist(puent, marglist, ADD_MODE);
666 		} else {
667 			/*
668 			 * The current default policy mode of this library
669 			 * is "all are enabled, except", so if a specified
670 			 * mechanism is in the exception list (policylist),
671 			 * delete it.
672 			 */
673 			rc = update_policylist(puent, marglist, DELETE_MODE);
674 		}
675 	} else if (!rndflag) {
676 		/* should not come here */
677 		cryptoerror(LOG_STDERR, gettext("internal error."));
678 		cryptodebug("enable_uef_lib() - wrong arguments.");
679 		return (FAILURE);
680 	}
681 
682 	if (rndflag)
683 		puent->flag_norandom = B_FALSE;
684 
685 	if (rc == FAILURE) {
686 		free_uentry(puent);
687 		return (FAILURE);
688 	}
689 
690 	/* Update the pkcs11.conf file with the updated entry */
691 	rc = update_pkcs11conf(puent);
692 	free_uentry(puent);
693 	return (rc);
694 }
695 
696 
697 /*
698  * Install a user-level library.
699  */
700 int
701 install_uef_lib(char *libname)
702 {
703 	uentry_t	*puent;
704 	struct stat 	statbuf;
705 	boolean_t	found;
706 	FILE	*pfile;
707 	FILE	*pfile_tmp;
708 	char	tmpfile_name[MAXPATHLEN];
709 	char	libpath[MAXPATHLEN];
710 	char	libbuf[MAXPATHLEN];
711 	char	*isa;
712 	char 	buffer[BUFSIZ];
713 	char 	*ptr;
714 	int	found_count;
715 	int	rc = SUCCESS;
716 
717 
718 	if (libname == NULL) {
719 		/* should not happen */
720 		cryptoerror(LOG_STDERR, gettext("internal error."));
721 		cryptodebug("install_uef_lib() - libname is NULL.");
722 		return (FAILURE);
723 	}
724 
725 	/* Check if the provider already exists in the framework */
726 	if ((puent = getent_uef(libname)) != NULL) {
727 		cryptoerror(LOG_STDERR, gettext("%s exists already."),
728 		    libname);
729 		free_uentry(puent);
730 		return (FAILURE);
731 	}
732 
733 	/*
734 	 * Check if the library exists in the system. if $ISA is in the
735 	 * path, only check the 32bit version.
736 	 */
737 	if (strlcpy(libbuf, libname, MAXPATHLEN) >= MAXPATHLEN) {
738 		cryptoerror(LOG_STDERR,
739 		    gettext("the provider name is too long - %s"), libname);
740 		return (FAILURE);
741 	}
742 
743 	if ((isa = strstr(libbuf, PKCS11_ISA)) != NULL) {
744 		*isa = '\000';
745 		isa += strlen(PKCS11_ISA);
746 		(void) snprintf(libpath, sizeof (libpath), "%s%s%s", libbuf,
747 		    "/", isa);
748 	} else {
749 		(void) strlcpy(libpath, libname, sizeof (libpath));
750 	}
751 
752 	/* Check if it is same as the framework library */
753 	if (strcmp(libpath, UEF_FRAME_LIB) == 0) {
754 		cryptoerror(LOG_STDERR, gettext(
755 		    "The framework library %s can not be installed."),
756 		    libname);
757 		return (FAILURE);
758 	}
759 
760 	if (stat(libpath, &statbuf) != 0) {
761 		cryptoerror(LOG_STDERR, gettext("%s not found"), libname);
762 		return (FAILURE);
763 	}
764 
765 	/* Need to add "\n" to libname for adding into the config file */
766 	if (strlcat(libname, "\n", MAXPATHLEN) >= MAXPATHLEN) {
767 		cryptoerror(LOG_STDERR, gettext(
768 		    "can not install %s; the name is too long."), libname);
769 		return (FAILURE);
770 	}
771 
772 	if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
773 		err = errno;
774 		cryptoerror(LOG_STDERR,
775 		    gettext("failed to update the configuration - %s"),
776 		    strerror(err));
777 		cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
778 		return (FAILURE);
779 	}
780 
781 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
782 		err = errno;
783 		cryptoerror(LOG_STDERR,
784 		    gettext("failed to lock the configuration - %s"),
785 		    strerror(err));
786 		(void) fclose(pfile);
787 		return (FAILURE);
788 	}
789 
790 	/*
791 	 * Create a temporary file in the /etc/crypto directory.
792 	 */
793 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
794 	if (mkstemp(tmpfile_name) == -1) {
795 		err = errno;
796 		cryptoerror(LOG_STDERR,
797 		    gettext("failed to create a temporary file - %s"),
798 		    strerror(err));
799 		(void) fclose(pfile);
800 		return (FAILURE);
801 	}
802 
803 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
804 		err = errno;
805 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
806 		    tmpfile_name, strerror(err));
807 		(void) fclose(pfile);
808 		return (FAILURE);
809 	}
810 
811 	/*
812 	 * Loop thru the config file. If the file was reserved within a
813 	 * package bracket, just uncomment it.  Other wise, append it at
814 	 * the end.  The resulting file will be saved in the temp file first.
815 	 */
816 	found_count = 0;
817 	rc = SUCCESS;
818 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
819 		found = B_FALSE;
820 		if (buffer[0] == '#') {
821 			ptr = buffer;
822 			ptr++;
823 			if (strcmp(libname, ptr) == 0) {
824 				found = B_TRUE;
825 				found_count++;
826 			}
827 		}
828 
829 		if (found == B_FALSE) {
830 			if (fputs(buffer, pfile_tmp) == EOF) {
831 				rc = FAILURE;
832 			}
833 		} else {
834 			if (found_count == 1) {
835 				if (fputs(ptr, pfile_tmp) == EOF) {
836 					rc = FAILURE;
837 				}
838 			} else {
839 				/*
840 				 * Found a second entry with #libname.
841 				 * Should not happen. The pkcs11.conf file
842 				 * is corrupted. Give a warning and skip
843 				 * this entry.
844 				 */
845 				cryptoerror(LOG_STDERR, gettext(
846 				    "(Warning) Found an additional reserved "
847 				    "entry for %s."), libname);
848 			}
849 		}
850 
851 		if (rc == FAILURE) {
852 			break;
853 		}
854 	}
855 
856 	if (rc == FAILURE) {
857 		cryptoerror(LOG_STDERR, gettext("write error."));
858 		(void) fclose(pfile);
859 		(void) fclose(pfile_tmp);
860 		if (unlink(tmpfile_name) != 0) {
861 			err = errno;
862 			cryptoerror(LOG_STDERR, gettext(
863 			    "(Warning) failed to remove %s: %s"), tmpfile_name,
864 			    strerror(err));
865 		}
866 		return (FAILURE);
867 	}
868 
869 	if (found_count == 0) {
870 		/*
871 		 * This libname was not in package before, append it to the
872 		 * end of the temp file.
873 		 */
874 		if (fputs(libname, pfile_tmp) == EOF) {
875 			err = errno;
876 			cryptoerror(LOG_STDERR, gettext(
877 			    "failed to write to %s: %s"), tmpfile_name,
878 			    strerror(err));
879 			(void) fclose(pfile);
880 			(void) fclose(pfile_tmp);
881 			if (unlink(tmpfile_name) != 0) {
882 				err = errno;
883 				cryptoerror(LOG_STDERR, gettext(
884 				    "(Warning) failed to remove %s: %s"),
885 				    tmpfile_name, strerror(err));
886 			}
887 			return (FAILURE);
888 		}
889 	}
890 
891 	(void) fclose(pfile);
892 	if (fclose(pfile_tmp) != 0) {
893 		err = errno;
894 		cryptoerror(LOG_STDERR,
895 		    gettext("failed to close %s: %s"), tmpfile_name,
896 		    strerror(err));
897 		return (FAILURE);
898 	}
899 
900 	if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
901 		err = errno;
902 		cryptoerror(LOG_STDERR,
903 		    gettext("failed to update the configuration - %s"),
904 		    strerror(err));
905 		cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
906 		    _PATH_PKCS11_CONF, strerror(err));
907 		rc = FAILURE;
908 	} else if (chmod(_PATH_PKCS11_CONF,
909 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
910 		err = errno;
911 		cryptoerror(LOG_STDERR,
912 		    gettext("failed to update the configuration - %s"),
913 		    strerror(err));
914 		cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
915 		    strerror(err));
916 		rc = FAILURE;
917 	} else {
918 		rc = SUCCESS;
919 	}
920 
921 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
922 		err = errno;
923 		cryptoerror(LOG_STDERR, gettext(
924 		    "(Warning) failed to remove %s: %s"), tmpfile_name,
925 		    strerror(err));
926 	}
927 
928 	return (rc);
929 }
930 
931 
932 /*
933  * Uninstall a user-level library.
934  */
935 int
936 uninstall_uef_lib(char *libname)
937 {
938 	uentry_t	*puent;
939 	FILE	*pfile;
940 	FILE	*pfile_tmp;
941 	char 	buffer[BUFSIZ];
942 	char 	buffer2[BUFSIZ];
943 	char	tmpfile_name[MAXPATHLEN];
944 	char 	*name;
945 	boolean_t	found;
946 	boolean_t	in_package;
947 	int	len;
948 	int	rc = SUCCESS;
949 
950 	if (libname == NULL) {
951 		/* should not happen */
952 		cryptoerror(LOG_STDERR, gettext("internal error."));
953 		cryptodebug("uninstall_uef_lib() - libname is NULL.");
954 		return (FAILURE);
955 	}
956 
957 	/* Check if the provider exists */
958 	if ((puent = getent_uef(libname)) == NULL) {
959 		cryptoerror(LOG_STDERR,
960 		    gettext("%s does not exist."), libname);
961 		return (FAILURE);
962 	}
963 	free_uentry(puent);
964 
965 	/*  Open the pkcs11.conf file and lock it */
966 	if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
967 		err = errno;
968 		cryptoerror(LOG_STDERR,
969 		    gettext("failed to update the configuration - %s"),
970 		    strerror(err));
971 		cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
972 		return (FAILURE);
973 	}
974 
975 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
976 		err = errno;
977 		cryptoerror(LOG_STDERR,
978 		    gettext("failed to lock the configuration - %s"),
979 		    strerror(err));
980 		(void) fclose(pfile);
981 		return (FAILURE);
982 	}
983 
984 	/*
985 	 * Create a temporary file in the /etc/crypto directory to save
986 	 * the new configuration file first.
987 	 */
988 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
989 	if (mkstemp(tmpfile_name) == -1) {
990 		err = errno;
991 		cryptoerror(LOG_STDERR,
992 		    gettext("failed to create a temporary file - %s"),
993 		    strerror(err));
994 		(void) fclose(pfile);
995 		return (FAILURE);
996 	}
997 
998 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
999 		err = errno;
1000 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1001 		    tmpfile_name, strerror(err));
1002 		if (unlink(tmpfile_name) != 0) {
1003 			err = errno;
1004 			cryptoerror(LOG_STDERR, gettext(
1005 			    "(Warning) failed to remove %s: %s"),
1006 			    tmpfile_name, strerror(err));
1007 		}
1008 		(void) fclose(pfile);
1009 		return (FAILURE);
1010 	}
1011 
1012 
1013 	/*
1014 	 * Loop thru the config file.  If the library to be uninstalled
1015 	 * is in a package, just comment it off.
1016 	 */
1017 	in_package = B_FALSE;
1018 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1019 		found = B_FALSE;
1020 		if (!(buffer[0] == ' ' || buffer[0] == '\n' ||
1021 		    buffer[0] == '\t')) {
1022 			if (strstr(buffer, " Start ") != NULL) {
1023 				in_package = B_TRUE;
1024 			} else if (strstr(buffer, " End ") != NULL) {
1025 				in_package = B_FALSE;
1026 			} else if (buffer[0] != '#') {
1027 				(void) strlcpy(buffer2, buffer, BUFSIZ);
1028 
1029 				/* get rid of trailing '\n' */
1030 				len = strlen(buffer2);
1031 				if (buffer2[len-1] == '\n') {
1032 					len--;
1033 				}
1034 				buffer2[len] = '\0';
1035 
1036 				if ((name = strtok(buffer2, SEP_COLON))
1037 				    == NULL) {
1038 					rc = FAILURE;
1039 					break;
1040 				} else if (strcmp(libname, name) == 0) {
1041 					found = B_TRUE;
1042 				}
1043 			}
1044 		}
1045 
1046 		if (found) {
1047 			if (in_package) {
1048 				(void) snprintf(buffer2, sizeof (buffer2),
1049 				    "%s%s%s", "#", libname, "\n");
1050 				if (fputs(buffer2, pfile_tmp) == EOF) {
1051 					rc = FAILURE;
1052 				}
1053 			}
1054 		} else {
1055 			if (fputs(buffer, pfile_tmp) == EOF) {
1056 				rc = FAILURE;
1057 			}
1058 		}
1059 
1060 		if (rc == FAILURE) {
1061 			break;
1062 		}
1063 	}
1064 
1065 	if (rc == FAILURE) {
1066 		cryptoerror(LOG_STDERR, gettext("write error."));
1067 		(void) fclose(pfile);
1068 		(void) fclose(pfile_tmp);
1069 		if (unlink(tmpfile_name) != 0) {
1070 			err = errno;
1071 			cryptoerror(LOG_STDERR, gettext(
1072 			    "(Warning) failed to remove %s: %s"),
1073 			    tmpfile_name, strerror(err));
1074 		}
1075 		return (FAILURE);
1076 	}
1077 
1078 	(void) fclose(pfile);
1079 	if (fclose(pfile_tmp) != 0) {
1080 		err = errno;
1081 		cryptoerror(LOG_STDERR,
1082 		    gettext("failed to close a temporary file - %s"),
1083 		    strerror(err));
1084 		return (FAILURE);
1085 	}
1086 
1087 	/* Now update the real config file */
1088 	if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1089 		err = errno;
1090 		cryptoerror(LOG_STDERR,
1091 		    gettext("failed to update the configuration - %s"),
1092 		    strerror(err));
1093 		cryptodebug("failed to rename %s to %s: %s", tmpfile,
1094 		    _PATH_PKCS11_CONF, strerror(err));
1095 		rc = FAILURE;
1096 	} else if (chmod(_PATH_PKCS11_CONF,
1097 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1098 		err = errno;
1099 		cryptoerror(LOG_STDERR,
1100 		    gettext("failed to update the configuration - %s"),
1101 		    strerror(err));
1102 		cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1103 		    strerror(err));
1104 		rc = FAILURE;
1105 	} else {
1106 		rc = SUCCESS;
1107 	}
1108 
1109 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1110 		err = errno;
1111 		cryptoerror(LOG_STDERR, gettext(
1112 		    "(Warning) failed to remove %s: %s"),
1113 		    tmpfile_name, strerror(err));
1114 	}
1115 
1116 	return (rc);
1117 }
1118 
1119 
1120 int
1121 display_policy(uentry_t *puent)
1122 {
1123 	CK_MECHANISM_TYPE	mech_id;
1124 	const char		*mech_name;
1125 	umechlist_t		*ptr;
1126 
1127 	if (puent == NULL) {
1128 		return (SUCCESS);
1129 	}
1130 
1131 	if (puent->flag_enabledlist == B_FALSE) {
1132 		(void) printf(gettext("%s: all mechanisms are enabled"),
1133 		    puent->name);
1134 		ptr = puent->policylist;
1135 		if (ptr == NULL) {
1136 			(void) printf(".");
1137 		} else {
1138 			(void) printf(gettext(", except "));
1139 			while (ptr != NULL) {
1140 				mech_id = strtoul(ptr->name, NULL, 0);
1141 				if (mech_id & CKO_VENDOR_DEFINED) {
1142 					/* vendor defined mechanism */
1143 					(void) printf("%s", ptr->name);
1144 				} else {
1145 					if (mech_id >= CKM_VENDOR_DEFINED) {
1146 						(void) printf("%#lx", mech_id);
1147 					} else {
1148 						mech_name = pkcs11_mech2str(
1149 						    mech_id);
1150 						if (mech_name == NULL) {
1151 							return (FAILURE);
1152 						}
1153 						(void) printf("%s", mech_name);
1154 					}
1155 				}
1156 
1157 				ptr = ptr->next;
1158 				if (ptr == NULL) {
1159 					(void) printf(".");
1160 				} else {
1161 					(void) printf(",");
1162 				}
1163 			}
1164 		}
1165 	} else { /* puent->flag_enabledlist == B_TRUE */
1166 		(void) printf(gettext("%s: all mechanisms are disabled"),
1167 		    puent->name);
1168 		ptr = puent->policylist;
1169 		if (ptr == NULL) {
1170 			(void) printf(".");
1171 		} else {
1172 			(void) printf(gettext(", except "));
1173 			while (ptr != NULL) {
1174 				mech_id = strtoul(ptr->name, NULL, 0);
1175 				if (mech_id & CKO_VENDOR_DEFINED) {
1176 					/* vendor defined mechanism */
1177 					(void) printf("%s", ptr->name);
1178 				} else {
1179 					mech_name = pkcs11_mech2str(mech_id);
1180 					if (mech_name == NULL) {
1181 						return (FAILURE);
1182 					}
1183 					(void) printf("%s", mech_name);
1184 				}
1185 				ptr = ptr->next;
1186 				if (ptr == NULL) {
1187 					(void) printf(".");
1188 				} else {
1189 					(void) printf(",");
1190 				}
1191 			}
1192 		}
1193 	}
1194 	return (SUCCESS);
1195 }
1196 
1197 
1198 
1199 /*
1200  * Print out the mechanism policy for a user-level provider pointed by puent.
1201  */
1202 int
1203 print_uef_policy(uentry_t *puent)
1204 {
1205 	flag_val_t rng_flag;
1206 
1207 	if (puent == NULL) {
1208 		return (FAILURE);
1209 	}
1210 
1211 	rng_flag = NO_RNG;
1212 	if (list_mechlist_for_lib(puent->name, NULL, &rng_flag, B_TRUE,
1213 	    B_FALSE, B_FALSE) != SUCCESS) {
1214 		cryptoerror(LOG_STDERR,
1215 		    gettext("%s internal error."), puent->name);
1216 		return (FAILURE);
1217 	}
1218 
1219 	if (display_policy(puent) != SUCCESS) {
1220 		goto failed_exit;
1221 	}
1222 
1223 
1224 	if (puent->flag_norandom == B_TRUE)
1225 		/*
1226 		 * TRANSLATION_NOTE
1227 		 * "random" is a keyword and not to be translated.
1228 		 */
1229 		(void) printf(gettext(" %s is disabled."), "random");
1230 	else {
1231 		if (rng_flag == HAS_RNG)
1232 			/*
1233 			 * TRANSLATION_NOTE
1234 			 * "random" is a keyword and not to be translated.
1235 			 */
1236 			(void) printf(gettext(" %s is enabled."), "random");
1237 	}
1238 	(void) printf("\n");
1239 
1240 	return (SUCCESS);
1241 
1242 failed_exit:
1243 
1244 	(void) printf(gettext("\nout of memory.\n"));
1245 	return (FAILURE);
1246 }
1247 
1248 
1249 /*
1250  * Check if the mechanism is in the mechanism list.
1251  */
1252 static boolean_t
1253 is_in_policylist(midstr_t mechname, umechlist_t *plist)
1254 {
1255 	boolean_t found = B_FALSE;
1256 
1257 	if (mechname == NULL) {
1258 		return (B_FALSE);
1259 	}
1260 
1261 	while (plist != NULL) {
1262 		if (strcmp(plist->name, mechname) == 0) {
1263 			found = B_TRUE;
1264 			break;
1265 		}
1266 		plist = plist->next;
1267 	}
1268 
1269 	return (found);
1270 }
1271 
1272 
1273 /*
1274  * Update the pkcs11.conf file with the updated entry.
1275  */
1276 int
1277 update_pkcs11conf(uentry_t *puent)
1278 {
1279 	FILE	*pfile;
1280 	FILE	*pfile_tmp;
1281 	char buffer[BUFSIZ];
1282 	char buffer2[BUFSIZ];
1283 	char tmpfile_name[MAXPATHLEN];
1284 	char *name;
1285 	char *str;
1286 	int len;
1287 	int rc = SUCCESS;
1288 	boolean_t found;
1289 
1290 	if (puent == NULL) {
1291 		cryptoerror(LOG_STDERR, gettext("internal error."));
1292 		return (FAILURE);
1293 	}
1294 
1295 	/* Open the pkcs11.conf file */
1296 	if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
1297 		err = errno;
1298 		cryptoerror(LOG_STDERR,
1299 		    gettext("failed to update the configuration - %s"),
1300 		    strerror(err));
1301 		cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
1302 		return (FAILURE);
1303 	}
1304 
1305 	/* Lock the pkcs11.conf file */
1306 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
1307 		err = errno;
1308 		cryptoerror(LOG_STDERR,
1309 		    gettext("failed to update the configuration - %s"),
1310 		    strerror(err));
1311 		(void) fclose(pfile);
1312 		return (FAILURE);
1313 	}
1314 
1315 	/*
1316 	 * Create a temporary file in the /etc/crypto directory to save
1317 	 * updated configuration file first.
1318 	 */
1319 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
1320 	if (mkstemp(tmpfile_name) == -1) {
1321 		err = errno;
1322 		cryptoerror(LOG_STDERR,
1323 		    gettext("failed to create a temporary file - %s"),
1324 		    strerror(err));
1325 		(void) fclose(pfile);
1326 		return (FAILURE);
1327 	}
1328 
1329 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
1330 		err = errno;
1331 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1332 		    tmpfile_name, strerror(err));
1333 		if (unlink(tmpfile_name) != 0) {
1334 			err = errno;
1335 			cryptoerror(LOG_STDERR, gettext(
1336 			    "(Warning) failed to remove %s: %s"),
1337 			    tmpfile_name, strerror(err));
1338 		}
1339 		(void) fclose(pfile);
1340 		return (FAILURE);
1341 	}
1342 
1343 
1344 	/*
1345 	 * Loop thru entire pkcs11.conf file, update the entry to be
1346 	 * updated and save the updated file to the temporary file first.
1347 	 */
1348 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1349 		found = B_FALSE;
1350 		if (!(buffer[0] == '#' || buffer[0] == ' ' ||
1351 		    buffer[0] == '\n'|| buffer[0] == '\t')) {
1352 			/*
1353 			 * Get the provider name from this line and check if
1354 			 * this is the entry to be updated. Note: can not use
1355 			 * "buffer" directly because strtok will change its
1356 			 * value.
1357 			 */
1358 			(void) strlcpy(buffer2, buffer, BUFSIZ);
1359 
1360 			/* get rid of trailing '\n' */
1361 			len = strlen(buffer2);
1362 			if (buffer2[len-1] == '\n') {
1363 				len--;
1364 			}
1365 			buffer2[len] = '\0';
1366 
1367 			if ((name = strtok(buffer2, SEP_COLON)) == NULL) {
1368 				rc = FAILURE;
1369 				break;
1370 			} else if (strcmp(puent->name, name) == 0) {
1371 				found = B_TRUE;
1372 			}
1373 		}
1374 
1375 		if (found) {
1376 			/*
1377 			 * This is the entry to be modified, get the updated
1378 			 * string.
1379 			 */
1380 			if ((str = uent2str(puent)) == NULL) {
1381 				rc = FAILURE;
1382 				break;
1383 			} else {
1384 				(void) strlcpy(buffer, str, BUFSIZ);
1385 				free(str);
1386 			}
1387 		}
1388 
1389 		if (fputs(buffer, pfile_tmp) == EOF) {
1390 			err = errno;
1391 			cryptoerror(LOG_STDERR, gettext(
1392 			    "failed to write to a temp file: %s."),
1393 			    strerror(err));
1394 			rc = FAILURE;
1395 			break;
1396 		}
1397 	}
1398 
1399 	if (rc == FAILURE) {
1400 		(void) fclose(pfile);
1401 		(void) fclose(pfile_tmp);
1402 		if (unlink(tmpfile_name) != 0) {
1403 			err = errno;
1404 			cryptoerror(LOG_STDERR, gettext(
1405 			    "(Warning) failed to remove %s: %s"),
1406 			    tmpfile_name, strerror(err));
1407 		}
1408 		return (FAILURE);
1409 	}
1410 
1411 	(void) fclose(pfile);
1412 	if (fclose(pfile_tmp) != 0) {
1413 		err = errno;
1414 		cryptoerror(LOG_STDERR,
1415 		    gettext("failed to close %s: %s"), tmpfile_name,
1416 		    strerror(err));
1417 		return (FAILURE);
1418 	}
1419 
1420 	/* Copy the temporary file to the pkcs11.conf file */
1421 	if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1422 		err = errno;
1423 		cryptoerror(LOG_STDERR,
1424 		    gettext("failed to update the configuration - %s"),
1425 		    strerror(err));
1426 		cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
1427 		    _PATH_PKCS11_CONF, strerror(err));
1428 		rc = FAILURE;
1429 	} else if (chmod(_PATH_PKCS11_CONF,
1430 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1431 		err = errno;
1432 		cryptoerror(LOG_STDERR,
1433 		    gettext("failed to update the configuration - %s"),
1434 		    strerror(err));
1435 		cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1436 		    strerror(err));
1437 		rc = FAILURE;
1438 	} else {
1439 		rc = SUCCESS;
1440 	}
1441 
1442 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1443 		err = errno;
1444 		cryptoerror(LOG_STDERR, gettext(
1445 		    "(Warning) failed to remove %s: %s"),
1446 		    tmpfile_name, strerror(err));
1447 	}
1448 
1449 	return (rc);
1450 }
1451 
1452 
1453 /*
1454  * Convert an uentry to a character string
1455  */
1456 static char *
1457 uent2str(uentry_t *puent)
1458 {
1459 	umechlist_t	*phead;
1460 	boolean_t tok1_present = B_FALSE;
1461 	char *buf;
1462 	char blank_buf[128];
1463 
1464 	if (puent == NULL) {
1465 		cryptoerror(LOG_STDERR, gettext("internal error."));
1466 		return (NULL);
1467 	}
1468 
1469 	buf = malloc(BUFSIZ);
1470 	if (buf == NULL) {
1471 		cryptoerror(LOG_STDERR, gettext("out of memory."));
1472 		return (NULL);
1473 	}
1474 
1475 	/* convert the library name */
1476 	if (strlcpy(buf, puent->name, BUFSIZ) >= BUFSIZ) {
1477 		free(buf);
1478 		return (NULL);
1479 	}
1480 
1481 
1482 	/* convert the enabledlist or the disabledlist */
1483 	if (puent->flag_enabledlist == B_TRUE) {
1484 		if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1485 			free(buf);
1486 			return (NULL);
1487 		}
1488 
1489 		if (strlcat(buf, EF_ENABLED, BUFSIZ) >= BUFSIZ) {
1490 			free(buf);
1491 			return (NULL);
1492 		}
1493 
1494 		phead = puent->policylist;
1495 		while (phead != NULL) {
1496 			if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1497 				free(buf);
1498 				return (NULL);
1499 			}
1500 
1501 			phead = phead->next;
1502 			if (phead != NULL) {
1503 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
1504 				    >= BUFSIZ) {
1505 					free(buf);
1506 					return (NULL);
1507 				}
1508 			}
1509 		}
1510 		tok1_present = B_TRUE;
1511 	} else if (puent->policylist != NULL) {
1512 		if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1513 			free(buf);
1514 			return (NULL);
1515 		}
1516 
1517 		if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) {
1518 			free(buf);
1519 			return (NULL);
1520 		}
1521 		phead = puent->policylist;
1522 		while (phead != NULL) {
1523 			if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1524 				free(buf);
1525 				return (NULL);
1526 			}
1527 
1528 			phead = phead->next;
1529 			if (phead != NULL) {
1530 				if (strlcat(buf, SEP_COMMA, BUFSIZ)
1531 				    >= BUFSIZ) {
1532 					free(buf);
1533 					return (NULL);
1534 				}
1535 			}
1536 		}
1537 		tok1_present = B_TRUE;
1538 	}
1539 
1540 	if (puent->flag_norandom == B_TRUE) {
1541 		if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1542 		    BUFSIZ) >= BUFSIZ) {
1543 			free(buf);
1544 			return (NULL);
1545 		}
1546 
1547 		if (strlcat(buf, EF_NORANDOM, BUFSIZ) >= BUFSIZ) {
1548 			free(buf);
1549 			return (NULL);
1550 		}
1551 	}
1552 
1553 	if (strcmp(puent->name, METASLOT_KEYWORD) == 0) {
1554 
1555 		/* write the metaslot_status= value */
1556 		if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1557 		    BUFSIZ) >= BUFSIZ) {
1558 			free(buf);
1559 			return (NULL);
1560 		}
1561 
1562 		if (strlcat(buf, METASLOT_STATUS, BUFSIZ) >= BUFSIZ) {
1563 			free(buf);
1564 			return (NULL);
1565 		}
1566 
1567 		if (puent->flag_metaslot_enabled) {
1568 			if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) {
1569 				free(buf);
1570 				return (NULL);
1571 			}
1572 		} else {
1573 			if (strlcat(buf, METASLOT_DISABLED, BUFSIZ)
1574 			    >= BUFSIZ) {
1575 				free(buf);
1576 				return (NULL);
1577 			}
1578 		}
1579 
1580 		if (!tok1_present) {
1581 			tok1_present = B_TRUE;
1582 		}
1583 
1584 		if (strlcat(buf, SEP_SEMICOLON, BUFSIZ) >= BUFSIZ) {
1585 			free(buf);
1586 			return (NULL);
1587 		}
1588 
1589 		if (strlcat(buf, METASLOT_AUTO_KEY_MIGRATE, BUFSIZ) >= BUFSIZ) {
1590 			free(buf);
1591 			return (NULL);
1592 		}
1593 
1594 		if (puent->flag_metaslot_auto_key_migrate) {
1595 			if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) {
1596 				free(buf);
1597 				return (NULL);
1598 			}
1599 		} else {
1600 			if (strlcat(buf, METASLOT_DISABLED, BUFSIZ) >= BUFSIZ) {
1601 				free(buf);
1602 				return (NULL);
1603 			}
1604 		}
1605 
1606 		bzero(blank_buf, sizeof (blank_buf));
1607 
1608 		/* write metaslot_token= if specified */
1609 		if (memcmp(puent->metaslot_ks_token, blank_buf,
1610 		    TOKEN_LABEL_SIZE) != 0) {
1611 			/* write the metaslot_status= value */
1612 			if (strlcat(buf, (tok1_present ?
1613 			    SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1614 				free(buf);
1615 				return (NULL);
1616 			}
1617 
1618 			if (strlcat(buf, METASLOT_TOKEN, BUFSIZ) >= BUFSIZ) {
1619 				free(buf);
1620 				return (NULL);
1621 			}
1622 
1623 			if (strlcat(buf,
1624 			    (const char *)puent->metaslot_ks_token, BUFSIZ)
1625 			    >= BUFSIZ) {
1626 				free(buf);
1627 				return (NULL);
1628 			}
1629 		}
1630 
1631 		/* write metaslot_slot= if specified */
1632 		if (memcmp(puent->metaslot_ks_slot, blank_buf,
1633 		    SLOT_DESCRIPTION_SIZE) != 0) {
1634 			/* write the metaslot_status= value */
1635 			if (strlcat(buf, (tok1_present ?
1636 			    SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1637 				free(buf);
1638 				return (NULL);
1639 			}
1640 
1641 			if (strlcat(buf, METASLOT_SLOT, BUFSIZ) >= BUFSIZ) {
1642 				free(buf);
1643 				return (NULL);
1644 			}
1645 
1646 			if (strlcat(buf,
1647 			    (const char *)puent->metaslot_ks_slot, BUFSIZ)
1648 			    >= BUFSIZ) {
1649 				free(buf);
1650 				return (NULL);
1651 			}
1652 		}
1653 	}
1654 
1655 	if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) {
1656 		free(buf);
1657 		return (NULL);
1658 	}
1659 
1660 	return (buf);
1661 }
1662 
1663 
1664 /*
1665  * This function updates the default policy mode and the policy exception list
1666  * for a user-level provider based on the mechanism specified in the disable
1667  * or enable subcommand and the update mode.   This function is called by the
1668  * enable_uef_lib() or disable_uef_lib().
1669  */
1670 int
1671 update_policylist(uentry_t *puent, mechlist_t *marglist, int update_mode)
1672 {
1673 	CK_MECHANISM_TYPE mech_type;
1674 	midstr_t	midname;
1675 	umechlist_t	*phead;
1676 	umechlist_t	*pcur;
1677 	umechlist_t	*pumech;
1678 	boolean_t	found;
1679 	int	rc = SUCCESS;
1680 
1681 	if ((puent == NULL) || (marglist == NULL)) {
1682 		/* should not happen */
1683 		cryptoerror(LOG_STDERR, gettext("internal error."));
1684 		cryptodebug("update_policylist()- puent or marglist is NULL.");
1685 		return (FAILURE);
1686 	}
1687 
1688 	if ((update_mode != ADD_MODE) && (update_mode != DELETE_MODE)) {
1689 		/* should not happen */
1690 		cryptoerror(LOG_STDERR, gettext("internal error."));
1691 		cryptodebug("update_policylist() - update_mode is incorrect.");
1692 		return (FAILURE);
1693 	}
1694 
1695 	/*
1696 	 * For each mechanism operand, get its mechanism type first.
1697 	 * If fails to get the mechanism type, the mechanism operand must be
1698 	 * invalid, gives an warning and ignore it. Otherwise,
1699 	 * - convert the mechanism type to the internal representation (hex)
1700 	 *   in the pkcs11.conf file
1701 	 * - If update_mode == DELETE_MODE,
1702 	 *	If the mechanism is in the policy list, delete it.
1703 	 *	If the mechanism is not in the policy list, do nothing.
1704 	 * - If update_mode == ADD_MODE,
1705 	 *	If the mechanism is not in the policy list, add it.
1706 	 *	If the mechanism is in the policy list already, do nothing.
1707 	 */
1708 	while (marglist) {
1709 		if (pkcs11_str2mech(marglist->name, &mech_type) != CKR_OK) {
1710 			/*
1711 			 * This mechanism is not a valid PKCS11 mechanism,
1712 			 * give warning and ignore it.
1713 			 */
1714 			cryptoerror(LOG_STDERR, gettext(
1715 			    "(Warning) %s is not a valid PKCS#11 mechanism."),
1716 			    marglist->name);
1717 			rc = FAILURE;
1718 		} else {
1719 			(void) snprintf(midname, sizeof (midname), "%#010x",
1720 			    (int)mech_type);
1721 			if (update_mode == DELETE_MODE) {
1722 				found = B_FALSE;
1723 				phead = pcur = puent->policylist;
1724 				while (!found && pcur) {
1725 					if (strcmp(pcur->name, midname) == 0) {
1726 						found = B_TRUE;
1727 					} else {
1728 						phead = pcur;
1729 						pcur = pcur->next;
1730 					}
1731 				}
1732 
1733 				if (found) {
1734 					if (phead == pcur) {
1735 						puent->policylist =
1736 						    puent->policylist->next;
1737 						free(pcur);
1738 					} else {
1739 						phead->next = pcur->next;
1740 						free(pcur);
1741 					}
1742 					puent->count--;
1743 					if (puent->count == 0) {
1744 						puent->policylist = NULL;
1745 					}
1746 				}
1747 			} else if (update_mode == ADD_MODE) {
1748 				if (!is_in_policylist(midname,
1749 				    puent->policylist)) {
1750 					pumech = create_umech(midname);
1751 					if (pumech == NULL) {
1752 						rc = FAILURE;
1753 						break;
1754 					}
1755 					phead = puent->policylist;
1756 					puent->policylist = pumech;
1757 					pumech->next = phead;
1758 					puent->count++;
1759 				}
1760 			}
1761 		}
1762 		marglist = marglist->next;
1763 	}
1764 
1765 	return (rc);
1766 }
1767 
1768 /*
1769  * Open a session to the given slot and check if we can do
1770  * random numbers by asking for one byte.
1771  */
1772 static boolean_t
1773 check_random(CK_SLOT_ID slot_id, CK_FUNCTION_LIST_PTR prov_funcs)
1774 {
1775 	CK_RV rv;
1776 	CK_SESSION_HANDLE hSession;
1777 	CK_BYTE test_byte;
1778 	CK_BYTE_PTR test_byte_ptr = &test_byte;
1779 
1780 	rv = prov_funcs->C_OpenSession(slot_id, CKF_SERIAL_SESSION,
1781 	    NULL_PTR, NULL, &hSession);
1782 	if (rv != CKR_OK)
1783 		return (B_FALSE);
1784 
1785 	/* We care only about the return value */
1786 	rv = prov_funcs->C_GenerateRandom(hSession, test_byte_ptr,
1787 	    sizeof (test_byte));
1788 	(void) prov_funcs->C_CloseSession(hSession);
1789 
1790 	/*
1791 	 * These checks are purely to determine whether the slot can do
1792 	 * random numbers. So, we don't check whether the routine
1793 	 * succeeds. The reason we check for CKR_RANDOM_NO_RNG also is that
1794 	 * this error effectively means CKR_FUNCTION_NOT_SUPPORTED.
1795 	 */
1796 	if (rv != CKR_FUNCTION_NOT_SUPPORTED && rv != CKR_RANDOM_NO_RNG)
1797 		return (B_TRUE);
1798 	else
1799 		return (B_FALSE);
1800 }
1801 
1802 void
1803 display_verbose_mech_header()
1804 {
1805 	(void) printf("%28s %s", " ", HDR1);
1806 	(void) printf("%28s %s", " ", HDR2);
1807 	(void) printf("%28s %s", " ", HDR3);
1808 	(void) printf("%28s %s", " ", HDR4);
1809 	(void) printf("%28s %s", " ", HDR5);
1810 	(void) printf("%28s %s", " ", HDR6);
1811 	(void) printf("%-28.28s %s", gettext("mechanism name"), HDR7);
1812 	/*
1813 	 * TRANSLATION_NOTE
1814 	 * Strictly for appearance's sake, the first header line should be
1815 	 * as long as the length of the translated text above.  The format
1816 	 * lengths should all match too.
1817 	 */
1818 	(void) printf("%28s ---- ---- "
1819 	    "-  -  -  -  -  -  -  -  -  -  -  -  -  -\n",
1820 	    gettext("----------------------------"));
1821 }
1822