xref: /titanic_52/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c (revision 18c2aff776a775d34a4c9893a4c72e0434d68e36)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <fcntl.h>
29 #include <stdio.h>
30 #include <stdlib.h>
31 #include <strings.h>
32 #include <unistd.h>
33 #include <locale.h>
34 #include <libgen.h>
35 #include <sys/types.h>
36 #include <sys/stat.h>
37 #include <sys/crypto/ioctladmin.h>
38 #include <signal.h>
39 #include <sys/crypto/elfsign.h>
40 #include "cryptoadm.h"
41 
42 static int err; /* to store the value of errno in case being overwritten */
43 static int check_hardware_provider(char *, char *, int *, int *);
44 
45 /*
46  * Display the mechanism list for a kernel software provider.
47  */
48 int
49 list_mechlist_for_soft(char *provname)
50 {
51 	mechlist_t *pmechlist;
52 	int rc;
53 
54 	if (provname == NULL) {
55 		return (FAILURE);
56 	}
57 
58 	rc = get_soft_info(provname, &pmechlist);
59 	if (rc == SUCCESS) {
60 		(void) filter_mechlist(&pmechlist, RANDOM);
61 		print_mechlist(provname, pmechlist);
62 		free_mechlist(pmechlist);
63 	} else {
64 		cryptoerror(LOG_STDERR, gettext(
65 		    "failed to retrieve the mechanism list for %s."),
66 		    provname);
67 	}
68 
69 	return (rc);
70 
71 }
72 
73 /*
74  * Display the mechanism list for a kernel hardware provider.
75  */
76 int
77 list_mechlist_for_hard(char *provname)
78 {
79 	mechlist_t *pmechlist;
80 	char	devname[MAXNAMELEN];
81 	int	inst_num;
82 	int	count;
83 	int rc = SUCCESS;
84 
85 	if (provname == NULL) {
86 		return (FAILURE);
87 	}
88 
89 	/*
90 	 * Check if the provider is valid. If it is valid, get the number of
91 	 * mechanisms also.
92 	 */
93 	if (check_hardware_provider(provname, devname, &inst_num, &count) ==
94 	    FAILURE) {
95 		return (FAILURE);
96 	}
97 
98 	/* Get the mechanism list for the kernel hardware provider */
99 	if ((rc = get_dev_info(devname, inst_num, count, &pmechlist)) ==
100 	    SUCCESS) {
101 		(void) filter_mechlist(&pmechlist, RANDOM);
102 		print_mechlist(provname, pmechlist);
103 		free_mechlist(pmechlist);
104 	}
105 
106 	return (rc);
107 }
108 
109 
110 /*
111  * Display the policy information for a kernel software provider.
112  */
113 int
114 list_policy_for_soft(char *provname)
115 {
116 	int rc;
117 	entry_t *pent = NULL;
118 	mechlist_t *pmechlist;
119 	boolean_t has_random = B_FALSE;
120 	boolean_t has_mechs = B_FALSE;
121 
122 	if (provname == NULL) {
123 		return (FAILURE);
124 	}
125 
126 	if ((pent = getent_kef(provname)) == NULL) {
127 		cryptoerror(LOG_STDERR, gettext("%s does not exist."),
128 		    provname);
129 		return (FAILURE);
130 	}
131 
132 	rc = get_soft_info(provname, &pmechlist);
133 	if (rc == SUCCESS) {
134 		has_random = filter_mechlist(&pmechlist, RANDOM);
135 		if (pmechlist != NULL) {
136 			has_mechs = B_TRUE;
137 			free_mechlist(pmechlist);
138 		}
139 	} else {
140 		cryptoerror(LOG_STDERR, gettext(
141 		    "failed to retrieve the mechanism list for %s."),
142 		    provname);
143 		return (rc);
144 	}
145 
146 	print_kef_policy(pent, has_random, has_mechs);
147 	free_entry(pent);
148 	return (SUCCESS);
149 }
150 
151 
152 
153 /*
154  * Display the policy information for a kernel hardware provider.
155  */
156 int
157 list_policy_for_hard(char *provname)
158 {
159 	entry_t *pent;
160 	boolean_t is_active;
161 	mechlist_t *pmechlist;
162 	char	devname[MAXNAMELEN];
163 	int	inst_num;
164 	int	count;
165 	int rc = SUCCESS;
166 	boolean_t has_random = B_FALSE;
167 	boolean_t has_mechs = B_FALSE;
168 
169 	if (provname == NULL) {
170 		return (FAILURE);
171 	}
172 
173 	/*
174 	 * Check if the provider is valid. If it is valid, get the number of
175 	 * mechanisms also.
176 	 */
177 	if (check_hardware_provider(provname, devname, &inst_num, &count) ==
178 	    FAILURE) {
179 		return (FAILURE);
180 	}
181 
182 	/* Get the mechanism list for the kernel hardware provider */
183 	if ((rc = get_dev_info(devname, inst_num, count, &pmechlist)) ==
184 	    SUCCESS) {
185 		has_random = filter_mechlist(&pmechlist, RANDOM);
186 
187 		if (pmechlist != NULL) {
188 			has_mechs = B_TRUE;
189 			free_mechlist(pmechlist);
190 		}
191 	} else {
192 		cryptoerror(LOG_STDERR, gettext(
193 		    "failed to retrieve the mechanism list for %s."),
194 		    devname);
195 		return (rc);
196 	}
197 
198 	/*
199 	 * If the hardware provider has an entry in the kcf.conf file,
200 	 * some of its mechanisms must have been disabled.  Print out
201 	 * the disabled list from the config file entry.  Otherwise,
202 	 * if it is active, then all the mechanisms for it are enabled.
203 	 */
204 	if ((pent = getent_kef(provname)) != NULL) {
205 		print_kef_policy(pent, has_random, has_mechs);
206 		free_entry(pent);
207 		return (SUCCESS);
208 	} else {
209 		if (check_active_for_hard(provname, &is_active) ==
210 		    FAILURE) {
211 			return (FAILURE);
212 		} else if (is_active == B_TRUE) {
213 			(void) printf(gettext(
214 			    "%s: all mechanisms are enabled."), provname);
215 			if (has_random)
216 				/*
217 				 * TRANSLATION_NOTE:
218 				 * "random" is a keyword and not to be
219 				 * translated.
220 				 */
221 				(void) printf(gettext(" %s is enabled.\n"),
222 				    "random");
223 			else
224 				(void) printf("\n");
225 			return (SUCCESS);
226 		} else {
227 			cryptoerror(LOG_STDERR,
228 			    gettext("%s does not exist."), provname);
229 			return (FAILURE);
230 		}
231 	}
232 }
233 
234 
235 
236 int
237 disable_kef_hardware(char *provname, boolean_t rndflag, boolean_t allflag,
238     mechlist_t *dislist)
239 {
240 	crypto_load_dev_disabled_t	*pload_dev_dis;
241 	mechlist_t 	*infolist;
242 	entry_t		*pent;
243 	boolean_t	new_dev_entry = B_FALSE;
244 	char	devname[MAXNAMELEN];
245 	int	inst_num;
246 	int	count;
247 	int	fd;
248 	int	rc = SUCCESS;
249 
250 	if (provname == NULL) {
251 		return (FAILURE);
252 	}
253 
254 	/*
255 	 * Check if the provider is valid. If it is valid, get the number of
256 	 * mechanisms also.
257 	 */
258 	if (check_hardware_provider(provname, devname, &inst_num, &count)
259 	    == FAILURE) {
260 		return (FAILURE);
261 	}
262 
263 	/* Get the mechanism list for the kernel hardware provider */
264 	if (get_dev_info(devname, inst_num, count, &infolist) == FAILURE) {
265 		return (FAILURE);
266 	}
267 
268 	/*
269 	 * Get the entry of this hardware provider from the config file.
270 	 * If there is no entry yet, create one for it.
271 	 */
272 	if ((pent = getent_kef(provname)) == NULL) {
273 		if ((pent = malloc(sizeof (entry_t))) == NULL) {
274 			cryptoerror(LOG_STDERR, gettext("out of memory."));
275 			free_mechlist(infolist);
276 			return (FAILURE);
277 		}
278 		new_dev_entry = B_TRUE;
279 		(void) strlcpy(pent->name, provname, MAXNAMELEN);
280 		pent->suplist = NULL;
281 		pent->sup_count = 0;
282 		pent->dislist = NULL;
283 		pent->dis_count = 0;
284 	}
285 
286 	/*
287 	 * kCF treats random as an internal mechanism. So, we need to
288 	 * filter it from the mechanism list here, if we are NOT disabling
289 	 * or enabling the random feature. Note that we map random feature at
290 	 * cryptoadm(1M) level to the "random" mechanism in kCF.
291 	 */
292 	if (!rndflag) {
293 		(void) filter_mechlist(&dislist, RANDOM);
294 	}
295 
296 	/* Calculate the new disabled list */
297 	if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) {
298 		free_mechlist(infolist);
299 		free_entry(pent);
300 		return (FAILURE);
301 	}
302 	free_mechlist(infolist);
303 
304 	/* If no mechanisms are to be disabled, return */
305 	if (pent->dis_count == 0) {
306 		free_entry(pent);
307 		return (SUCCESS);
308 	}
309 
310 	/* Update the config file with the new entry or the updated entry */
311 	if (new_dev_entry) {
312 		rc = update_kcfconf(pent, ADD_MODE);
313 	} else {
314 		rc = update_kcfconf(pent, MODIFY_MODE);
315 	}
316 
317 	if (rc == FAILURE) {
318 		free_entry(pent);
319 		return (FAILURE);
320 	}
321 
322 	/* Inform kernel about the new disabled mechanism list */
323 	if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) {
324 		free_entry(pent);
325 		return (FAILURE);
326 	}
327 	free_entry(pent);
328 
329 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
330 		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
331 		    ADMIN_IOCTL_DEVICE, strerror(errno));
332 		free(pload_dev_dis);
333 		return (FAILURE);
334 	}
335 
336 	if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) {
337 		cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: %s",
338 		    strerror(errno));
339 		free(pload_dev_dis);
340 		(void) close(fd);
341 		return (FAILURE);
342 	}
343 
344 	if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
345 		cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl return_value = "
346 		    "%d", pload_dev_dis->dd_return_value);
347 		free(pload_dev_dis);
348 		(void) close(fd);
349 		return (FAILURE);
350 	}
351 
352 	free(pload_dev_dis);
353 	(void) close(fd);
354 	return (SUCCESS);
355 }
356 
357 
358 
359 int
360 disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
361     mechlist_t *dislist)
362 {
363 	crypto_load_soft_disabled_t	*pload_soft_dis = NULL;
364 	mechlist_t 	*infolist;
365 	entry_t		*pent;
366 	boolean_t	is_active;
367 	int	fd;
368 
369 	if (provname == NULL) {
370 		return (FAILURE);
371 	}
372 
373 	/* Get the entry of this provider from the config file. */
374 	if ((pent = getent_kef(provname)) == NULL) {
375 		cryptoerror(LOG_STDERR,
376 		    gettext("%s does not exist."), provname);
377 		return (FAILURE);
378 	}
379 
380 	/*
381 	 * Check if the kernel software provider is currently unloaded.
382 	 * If it is unloaded, return FAILURE, because the disable subcommand
383 	 * can not perform on inactive (unloaded) providers.
384 	 */
385 	if (check_active_for_soft(provname, &is_active) == FAILURE) {
386 		free_entry(pent);
387 		return (FAILURE);
388 	} else if (is_active == B_FALSE) {
389 		/*
390 		 * TRANSLATION_NOTE:
391 		 * "disable" is a keyword and not to be translated.
392 		 */
393 		cryptoerror(LOG_STDERR,
394 		    gettext("can not do %1$s on an unloaded "
395 		    "kernel software provider -- %2$s."), "disable", provname);
396 		free_entry(pent);
397 		return (FAILURE);
398 	}
399 
400 	/* Get the mechanism list for the software provider */
401 	if (get_soft_info(provname, &infolist) == FAILURE) {
402 		free(pent);
403 		return (FAILURE);
404 	}
405 
406 	/* See comments in disable_kef_hardware() */
407 	if (!rndflag) {
408 		(void) filter_mechlist(&infolist, RANDOM);
409 	}
410 
411 	/* Calculate the new disabled list */
412 	if (disable_mechs(&pent, infolist, allflag, dislist) == FAILURE) {
413 		free_entry(pent);
414 		free_mechlist(infolist);
415 		return (FAILURE);
416 	}
417 
418 	/* infolist is no longer needed; free it */
419 	free_mechlist(infolist);
420 
421 	/* Update the kcf.conf file with the updated entry */
422 	if (update_kcfconf(pent, MODIFY_MODE) == FAILURE) {
423 		free_entry(pent);
424 		return (FAILURE);
425 	}
426 
427 	/* Inform kernel about the new disabled list. */
428 	if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
429 		free_entry(pent);
430 		return (FAILURE);
431 	}
432 
433 	/* pent is no longer needed; free it. */
434 	free_entry(pent);
435 
436 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
437 		cryptoerror(LOG_STDERR,
438 		    gettext("failed to open %s for RW: %s"),
439 		    ADMIN_IOCTL_DEVICE, strerror(errno));
440 		free(pload_soft_dis);
441 		return (FAILURE);
442 	}
443 
444 	if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) {
445 		cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s",
446 		    strerror(errno));
447 		free(pload_soft_dis);
448 		(void) close(fd);
449 		return (FAILURE);
450 	}
451 
452 	if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
453 		cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = "
454 		    "%d", pload_soft_dis->sd_return_value);
455 		free(pload_soft_dis);
456 		(void) close(fd);
457 		return (FAILURE);
458 	}
459 
460 	free(pload_soft_dis);
461 	(void) close(fd);
462 	return (SUCCESS);
463 }
464 
465 
466 int
467 enable_kef(char *provname, boolean_t rndflag, boolean_t allflag,
468     mechlist_t *mlist)
469 {
470 	crypto_load_soft_disabled_t	*pload_soft_dis = NULL;
471 	crypto_load_dev_disabled_t	*pload_dev_dis = NULL;
472 	entry_t		*pent;
473 	boolean_t redo_flag = B_FALSE;
474 	int	fd;
475 	int	rc = SUCCESS;
476 
477 
478 	/* Get the entry with the provider name from the kcf.conf file */
479 	pent = getent_kef(provname);
480 
481 	if (is_device(provname)) {
482 		if (pent == NULL) {
483 			/*
484 			 * This device doesn't have an entry in the config
485 			 * file, therefore nothing is disabled.
486 			 */
487 			cryptoerror(LOG_STDERR, gettext(
488 			    "all mechanisms are enabled already for %s."),
489 			    provname);
490 			return (SUCCESS);
491 		}
492 	} else { /* a software module */
493 		if (pent == NULL) {
494 			cryptoerror(LOG_STDERR,
495 			    gettext("%s does not exist."), provname);
496 			return (FAILURE);
497 		} else if (pent->dis_count == 0) {
498 			/* nothing to be enabled. */
499 			cryptoerror(LOG_STDERR, gettext(
500 			    "all mechanisms are enabled already for %s."),
501 			    provname);
502 			free_entry(pent);
503 			return (SUCCESS);
504 		}
505 	}
506 
507 	if (!rndflag) {
508 		/* See comments in disable_kef_hardware() */
509 		redo_flag = filter_mechlist(&pent->dislist, RANDOM);
510 		if (redo_flag)
511 			pent->dis_count--;
512 	}
513 
514 	/* Update the entry by enabling mechanisms for this provider */
515 	if ((rc = enable_mechs(&pent, allflag, mlist)) != SUCCESS) {
516 		free_entry(pent);
517 		return (rc);
518 	}
519 
520 	if (redo_flag) {
521 		mechlist_t *tmp;
522 
523 		if ((tmp = create_mech(RANDOM)) == NULL) {
524 			free_entry(pent);
525 			return (FAILURE);
526 		}
527 		tmp->next = pent->dislist;
528 		pent->dislist = tmp;
529 		pent->dis_count++;
530 	}
531 
532 	/*
533 	 * Update the kcf.conf file  with the updated entry.
534 	 * For a hardware provider, if there is no more disabled mechanism,
535 	 * the entire entry in the config file should be removed.
536 	 */
537 	if (is_device(pent->name) && (pent->dis_count == 0)) {
538 		rc = update_kcfconf(pent, DELETE_MODE);
539 	} else {
540 		rc = update_kcfconf(pent, MODIFY_MODE);
541 	}
542 
543 	if (rc == FAILURE) {
544 		free_entry(pent);
545 		return (FAILURE);
546 	}
547 
548 
549 	/* Inform Kernel about the policy change */
550 
551 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
552 		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
553 		    ADMIN_IOCTL_DEVICE, strerror(errno));
554 		return (FAILURE);
555 	}
556 
557 	if (is_device(provname)) {
558 		/*  LOAD_DEV_DISABLED */
559 		if ((pload_dev_dis = setup_dev_dis(pent)) == NULL) {
560 			return (FAILURE);
561 		}
562 
563 		if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis) == -1) {
564 			cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl failed: "
565 			    "%s", strerror(errno));
566 			free(pload_dev_dis);
567 			(void) close(fd);
568 			return (FAILURE);
569 		}
570 
571 		if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
572 			cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
573 			    "return_value = %d",
574 			    pload_dev_dis->dd_return_value);
575 			free(pload_dev_dis);
576 			(void) close(fd);
577 			return (FAILURE);
578 		}
579 
580 	} else {
581 		/* LOAD_SOFT_DISABLED */
582 		if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
583 			return (FAILURE);
584 		}
585 
586 		if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis)
587 		    == -1) {
588 			cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: "
589 			    "%s", strerror(errno));
590 			free(pload_soft_dis);
591 			(void) close(fd);
592 			return (FAILURE);
593 		}
594 
595 		if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
596 			cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
597 			    "return_value = %d",
598 			    pload_soft_dis->sd_return_value);
599 			free(pload_soft_dis);
600 			(void) close(fd);
601 			return (FAILURE);
602 		}
603 	}
604 
605 	(void) close(fd);
606 	return (SUCCESS);
607 }
608 
609 
610 /*
611  * Install a software module with the specified mechanism list into the system.
612  * This routine adds an entry into the config file for this software module
613  * first, then makes a CRYPTO_LOAD_SOFT_CONFIG ioctl call to inform kernel
614  * about the new addition.
615  */
616 int
617 install_kef(char *provname, mechlist_t *mlist)
618 {
619 	crypto_load_soft_config_t	*pload_soft_conf = NULL;
620 	boolean_t	found;
621 	entry_t	*pent;
622 	FILE	*pfile;
623 	FILE	*pfile_tmp;
624 	char	tmpfile_name[MAXPATHLEN];
625 	char	*ptr;
626 	char	*str;
627 	char	*name;
628 	char	buffer[BUFSIZ];
629 	char	buffer2[BUFSIZ];
630 	int	found_count;
631 	int	fd;
632 	int	rc = SUCCESS;
633 
634 	if ((provname == NULL) || (mlist == NULL)) {
635 		return (FAILURE);
636 	}
637 
638 	/* Check if the provider already exists */
639 	if ((pent = getent_kef(provname)) != NULL) {
640 		cryptoerror(LOG_STDERR, gettext("%s exists already."),
641 		    provname);
642 		free_entry(pent);
643 		return (FAILURE);
644 	}
645 
646 	/* Create an entry with provname and mlist. */
647 	if ((pent = malloc(sizeof (entry_t))) == NULL) {
648 		cryptoerror(LOG_STDERR, gettext("out of memory."));
649 		return (FAILURE);
650 	}
651 
652 	(void) strlcpy(pent->name, provname, MAXNAMELEN);
653 	pent->sup_count = get_mech_count(mlist);
654 	pent->suplist = mlist;
655 	pent->dis_count = 0;
656 	pent->dislist = NULL;
657 
658 	/* Append an entry for this software module to the kcf.conf file. */
659 	if ((str = ent2str(pent)) == NULL) {
660 		free_entry(pent);
661 		return (FAILURE);
662 	}
663 
664 	if ((pfile = fopen(_PATH_KCF_CONF, "r+")) == NULL) {
665 		err = errno;
666 		cryptoerror(LOG_STDERR,
667 		    gettext("failed to update the configuration - %s"),
668 		    strerror(err));
669 		cryptodebug("failed to open %s for write.", _PATH_KCF_CONF);
670 		free_entry(pent);
671 		return (FAILURE);
672 	}
673 
674 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
675 		err = errno;
676 		cryptoerror(LOG_STDERR,
677 		    gettext("failed to lock the configuration - %s"),
678 		    strerror(err));
679 		free_entry(pent);
680 		(void) fclose(pfile);
681 		return (FAILURE);
682 	}
683 
684 	/*
685 	 * Create a temporary file in the /etc/crypto directory.
686 	 */
687 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
688 	if (mkstemp(tmpfile_name) == -1) {
689 		err = errno;
690 		cryptoerror(LOG_STDERR,
691 		    gettext("failed to create a temporary file - %s"),
692 		    strerror(err));
693 		free_entry(pent);
694 		(void) fclose(pfile);
695 		return (FAILURE);
696 	}
697 
698 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
699 		err = errno;
700 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
701 		    tmpfile_name, strerror(err));
702 		free_entry(pent);
703 		(void) fclose(pfile);
704 		return (FAILURE);
705 	}
706 
707 
708 	/*
709 	 * Loop thru the config file. If the provider was reserved within a
710 	 * package bracket, just uncomment it.  Otherwise, append it at
711 	 * the end.  The resulting file will be saved in the temp file first.
712 	 */
713 	found_count = 0;
714 	rc = SUCCESS;
715 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
716 		found = B_FALSE;
717 		if (buffer[0] == '#') {
718 			(void) strlcpy(buffer2, buffer, BUFSIZ);
719 			ptr = buffer2;
720 			ptr++;
721 			if ((name = strtok(ptr, SEP_COLON)) == NULL) {
722 				rc = FAILURE;
723 				break;
724 			} else if (strcmp(provname, name) == 0) {
725 				found = B_TRUE;
726 				found_count++;
727 			}
728 		}
729 
730 		if (found == B_FALSE) {
731 			if (fputs(buffer, pfile_tmp) == EOF) {
732 				rc = FAILURE;
733 			}
734 		} else {
735 			if (found_count == 1) {
736 				if (fputs(str, pfile_tmp) == EOF) {
737 					rc = FAILURE;
738 				}
739 			} else {
740 				/*
741 				 * Found a second entry with #libname.
742 				 * Should not happen. The kcf.conf ffile
743 				 * is corrupted. Give a warning and skip
744 				 * this entry.
745 				 */
746 				cryptoerror(LOG_STDERR, gettext(
747 				    "(Warning) Found an additional reserved "
748 				    "entry for %s."), provname);
749 			}
750 		}
751 
752 		if (rc == FAILURE) {
753 			break;
754 		}
755 	}
756 	(void) fclose(pfile);
757 
758 	if (rc == FAILURE) {
759 		cryptoerror(LOG_STDERR, gettext("write error."));
760 		(void) fclose(pfile_tmp);
761 		if (unlink(tmpfile_name) != 0) {
762 			err = errno;
763 			cryptoerror(LOG_STDERR, gettext(
764 			    "(Warning) failed to remove %s: %s"), tmpfile_name,
765 			    strerror(err));
766 		}
767 		free_entry(pent);
768 		return (FAILURE);
769 	}
770 
771 	if (found_count == 0) {
772 		/*
773 		 * This libname was not in package before, append it to the
774 		 * end of the temp file.
775 		 */
776 		if (fputs(str, pfile_tmp) == EOF) {
777 			cryptoerror(LOG_STDERR, gettext(
778 			    "failed to write to %s: %s"), tmpfile_name,
779 			    strerror(errno));
780 			(void) fclose(pfile_tmp);
781 			if (unlink(tmpfile_name) != 0) {
782 				err = errno;
783 				cryptoerror(LOG_STDERR, gettext(
784 				    "(Warning) failed to remove %s: %s"),
785 				    tmpfile_name, strerror(err));
786 			}
787 			free_entry(pent);
788 			return (FAILURE);
789 		}
790 	}
791 
792 	if (fclose(pfile_tmp) != 0) {
793 		err = errno;
794 		cryptoerror(LOG_STDERR,
795 		    gettext("failed to close %s: %s"), tmpfile_name,
796 		    strerror(err));
797 		return (FAILURE);
798 	}
799 
800 	if (rename(tmpfile_name, _PATH_KCF_CONF) == -1) {
801 		err = errno;
802 		cryptoerror(LOG_STDERR,
803 		    gettext("failed to update the configuration - %s"),
804 			strerror(err));
805 		cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
806 		    _PATH_KCF_CONF, strerror(err));
807 		rc = FAILURE;
808 	} else if (chmod(_PATH_KCF_CONF,
809 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
810 		err = errno;
811 		cryptoerror(LOG_STDERR,
812 		    gettext("failed to update the configuration - %s"),
813 		    strerror(err));
814 		cryptodebug("failed to chmod to %s: %s", _PATH_KCF_CONF,
815 		    strerror(err));
816 		rc = FAILURE;
817 	} else {
818 		rc = SUCCESS;
819 	}
820 
821 	if (rc == FAILURE) {
822 		if (unlink(tmpfile_name) != 0) {
823 			err = errno;
824 			cryptoerror(LOG_STDERR, gettext(
825 			    "(Warning) failed to remove %s: %s"),
826 			    tmpfile_name, strerror(err));
827 		}
828 		return (FAILURE);
829 	}
830 
831 
832 	/* Inform kernel of this new software module. */
833 
834 	if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) {
835 		free_entry(pent);
836 		return (FAILURE);
837 	}
838 
839 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
840 		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
841 		    ADMIN_IOCTL_DEVICE, strerror(errno));
842 		free_entry(pent);
843 		free(pload_soft_conf);
844 		return (FAILURE);
845 	}
846 
847 	if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf) == -1) {
848 		cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
849 		    strerror(errno));
850 		free_entry(pent);
851 		free(pload_soft_conf);
852 		(void) close(fd);
853 		return (FAILURE);
854 	}
855 
856 	if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
857 		cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed, "
858 		    "return_value = %d", pload_soft_conf->sc_return_value);
859 		free_entry(pent);
860 		free(pload_soft_conf);
861 		(void) close(fd);
862 		return (FAILURE);
863 	}
864 
865 	free_entry(pent);
866 	free(pload_soft_conf);
867 	(void) close(fd);
868 	return (SUCCESS);
869 }
870 
871 /*
872  * Uninstall the software module. This routine first unloads the software
873  * module with 3 ioctl calls, then deletes its entry from the config file.
874  * Removing an entry from the config file needs to be done last to ensure
875  * that there is still an entry if the earlier unload failed for any reason.
876  */
877 int
878 uninstall_kef(char *provname)
879 {
880 	entry_t		*pent;
881 	boolean_t	is_active;
882 	boolean_t	in_package;
883 	boolean_t	found;
884 	FILE	*pfile;
885 	FILE	*pfile_tmp;
886 	char	tmpfile_name[MAXPATHLEN];
887 	char	*name;
888 	char	strbuf[BUFSIZ];
889 	char	buffer[BUFSIZ];
890 	char	buffer2[BUFSIZ];
891 	char	*str;
892 	int	len;
893 	int	rc = SUCCESS;
894 
895 
896 	/* Check if it is in the kcf.conf file first. */
897 	if ((pent = getent_kef(provname)) == NULL) {
898 		cryptoerror(LOG_STDERR,
899 		    gettext("%s does not exist."), provname);
900 		return (FAILURE);
901 	}
902 
903 
904 	/*
905 	 * Get rid of the disabled list for the provider and get the converted
906 	 * string for the entry.  This is to prepare the string for a provider
907 	 * that is in a package.
908 	 */
909 	free_mechlist(pent->dislist);
910 	pent->dis_count = 0;
911 	pent->dislist = NULL;
912 	str = ent2str(pent);
913 	free_entry(pent);
914 	if (str == NULL) {
915 		cryptoerror(LOG_STDERR, gettext("internal error."));
916 		return (FAILURE);
917 	}
918 	(void) snprintf(strbuf, sizeof (strbuf), "%s%s", "#", str);
919 	free(str);
920 
921 	/* If it is not loaded, unload it first  */
922 	if (check_active_for_soft(provname, &is_active) == FAILURE) {
923 		return (FAILURE);
924 	} else if ((is_active == B_TRUE) &&
925 	    (unload_kef_soft(provname, B_TRUE) == FAILURE)) {
926 		cryptoerror(LOG_STDERR,
927 		    gettext("failed to uninstall %s.\n"), provname);
928 		return (FAILURE);
929 	}
930 
931 	/*
932 	 * Remove the entry from the config file.  If the provider to be
933 	 * uninstalled is in a package, just comment it off.
934 	 */
935 	if ((pfile = fopen(_PATH_KCF_CONF, "r+")) == NULL) {
936 		err = errno;
937 		cryptoerror(LOG_STDERR,
938 		    gettext("failed to update the configuration - %s"),
939 		    strerror(err));
940 		cryptodebug("failed to open %s for write.", _PATH_KCF_CONF);
941 		return (FAILURE);
942 	}
943 
944 	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
945 		err = errno;
946 		cryptoerror(LOG_STDERR,
947 		    gettext("failed to lock the configuration - %s"),
948 		    strerror(err));
949 		(void) fclose(pfile);
950 		return (FAILURE);
951 	}
952 
953 	/*
954 	 * Create a temporary file in the /etc/crypto directory to save
955 	 * the new configuration file first.
956 	 */
957 	(void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
958 	if (mkstemp(tmpfile_name) == -1) {
959 		err = errno;
960 		cryptoerror(LOG_STDERR,
961 		    gettext("failed to create a temporary file - %s"),
962 		    strerror(err));
963 		(void) fclose(pfile);
964 		return (FAILURE);
965 	}
966 
967 	if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
968 		err = errno;
969 		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
970 		    tmpfile_name, strerror(err));
971 		if (unlink(tmpfile_name) != 0) {
972 			err = errno;
973 			cryptoerror(LOG_STDERR, gettext(
974 			    "(Warning) failed to remove %s: %s"), tmpfile_name,
975 			    strerror(err));
976 		}
977 		(void) fclose(pfile);
978 		return (FAILURE);
979 	}
980 
981 	/*
982 	 * Loop thru the config file.  If the kernel software provider
983 	 * to be uninstalled is in a package, just comment it off.
984 	 */
985 	in_package = B_FALSE;
986 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
987 		found = B_FALSE;
988 		if (!(buffer[0] == ' ' || buffer[0] == '\n' ||
989 		    buffer[0] == '\t')) {
990 			if (strstr(buffer, " Start ") != NULL) {
991 				in_package = B_TRUE;
992 			} else if (strstr(buffer, " End ") != NULL) {
993 				in_package = B_FALSE;
994 			} else if (buffer[0] != '#') {
995 				(void) strlcpy(buffer2, buffer, BUFSIZ);
996 
997 				/* get rid of trailing '\n' */
998 				len = strlen(buffer2);
999 				if (buffer2[len-1] == '\n') {
1000 					len--;
1001 				}
1002 				buffer2[len] = '\0';
1003 
1004 				if ((name = strtok(buffer2, SEP_COLON))
1005 				    == NULL) {
1006 					rc = FAILURE;
1007 					break;
1008 				} else if (strcmp(provname, name) == 0) {
1009 					found = B_TRUE;
1010 				}
1011 			}
1012 		}
1013 
1014 		if (found) {
1015 			if (in_package) {
1016 				if (fputs(strbuf, pfile_tmp) == EOF) {
1017 					rc = FAILURE;
1018 				}
1019 			}
1020 		} else {
1021 			if (fputs(buffer, pfile_tmp) == EOF) {
1022 				rc = FAILURE;
1023 			}
1024 		}
1025 
1026 		if (rc == FAILURE) {
1027 			break;
1028 		}
1029 	}
1030 
1031 	if (rc == FAILURE) {
1032 		cryptoerror(LOG_STDERR, gettext("write error."));
1033 		(void) fclose(pfile);
1034 		(void) fclose(pfile_tmp);
1035 		if (unlink(tmpfile_name) != 0) {
1036 			err = errno;
1037 			cryptoerror(LOG_STDERR, gettext(
1038 			    "(Warning) failed to remove %s: %s"), tmpfile_name,
1039 			    strerror(err));
1040 		}
1041 		return (FAILURE);
1042 	}
1043 
1044 	(void) fclose(pfile);
1045 	if (fclose(pfile_tmp) != 0) {
1046 		err = errno;
1047 		cryptoerror(LOG_STDERR,
1048 		    gettext("failed to close %s: %s"), tmpfile_name,
1049 		    strerror(err));
1050 		return (FAILURE);
1051 	}
1052 
1053 	/* Now update the real config file */
1054 	if (rename(tmpfile_name, _PATH_KCF_CONF) == -1) {
1055 		err = errno;
1056 		cryptoerror(LOG_STDERR,
1057 		    gettext("failed to update the configuration - %s"),
1058 		    strerror(err));
1059 		cryptodebug("failed to rename %1$s to %2$s: %3$s", tmpfile,
1060 		    _PATH_KCF_CONF, strerror(err));
1061 		rc = FAILURE;
1062 	} else if (chmod(_PATH_KCF_CONF,
1063 	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1064 		err = errno;
1065 		cryptoerror(LOG_STDERR,
1066 		    gettext("failed to update the configuration - %s"),
1067 		    strerror(err));
1068 		cryptodebug("failed to chmod to %s: %s", _PATH_KCF_CONF,
1069 		    strerror(err));
1070 		rc = FAILURE;
1071 	} else {
1072 		rc = SUCCESS;
1073 	}
1074 
1075 	if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1076 		err = errno;
1077 		cryptoerror(LOG_STDERR, gettext(
1078 		    "(Warning) failed to remove %s: %s"), tmpfile_name,
1079 		    strerror(err));
1080 	}
1081 
1082 	return (rc);
1083 
1084 }
1085 
1086 
1087 int
1088 refresh(void)
1089 {
1090 	crypto_get_soft_list_t		*psoftlist_kernel = NULL;
1091 	crypto_load_soft_config_t	*pload_soft_conf = NULL;
1092 	crypto_load_soft_disabled_t	*pload_soft_dis = NULL;
1093 	crypto_load_dev_disabled_t	*pload_dev_dis = NULL;
1094 	entrylist_t	*pdevlist = NULL;
1095 	entrylist_t	*psoftlist = NULL;
1096 	entrylist_t	*ptr;
1097 	boolean_t	found;
1098 	char 	*psoftname;
1099 	int	fd;
1100 	int	rc = SUCCESS;
1101 	int	i;
1102 
1103 	if (get_soft_list(&psoftlist_kernel) == FAILURE) {
1104 		cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
1105 		    "software provider list from kernel."));
1106 		return (FAILURE);
1107 	}
1108 
1109 	if (get_kcfconf_info(&pdevlist, &psoftlist) == FAILURE) {
1110 		cryptoerror(LOG_ERR, "failed to retrieve the providers' "
1111 		    "information from the configuration file - %s.",
1112 		    _PATH_KCF_CONF);
1113 		return (FAILURE);
1114 	}
1115 
1116 	/*
1117 	 * If a kernel software provider is in kernel, but it is not in the
1118 	 * kcf.conf file, it must have been pkgrm'ed and needs to be unloaded
1119 	 * now.
1120 	 */
1121 	if (psoftlist_kernel->sl_soft_count > 0) {
1122 		psoftname = psoftlist_kernel->sl_soft_names;
1123 		for (i = 0; i < psoftlist_kernel->sl_soft_count; i++) {
1124 			ptr = psoftlist;
1125 			found = B_FALSE;
1126 			while (ptr != NULL) {
1127 				if (strcmp(psoftname, ptr->pent->name) == 0) {
1128 					found = B_TRUE;
1129 					break;
1130 				}
1131 				ptr = ptr->next;
1132 			}
1133 
1134 			if (!found) {
1135 				rc = unload_kef_soft(psoftname, B_FALSE);
1136 				if (rc == FAILURE) {
1137 					cryptoerror(LOG_ERR, gettext(
1138 					    "WARNING - the provider %s is "
1139 					    "still in kernel."), psoftname);
1140 				}
1141 			}
1142 			psoftname = psoftname + strlen(psoftname) + 1;
1143 		}
1144 	}
1145 	free(psoftlist_kernel);
1146 
1147 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
1148 		err = errno;
1149 		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
1150 		    ADMIN_IOCTL_DEVICE, strerror(err));
1151 		free(psoftlist);
1152 		free(pdevlist);
1153 		return (FAILURE);
1154 	}
1155 
1156 	/*
1157 	 * For each software module, pass two sets of information to kernel
1158 	 * - the supported list and the disabled list
1159 	 */
1160 	ptr = psoftlist;
1161 	while (ptr != NULL) {
1162 		/* load the supported list */
1163 		if ((pload_soft_conf = setup_soft_conf(ptr->pent)) == NULL) {
1164 			rc = FAILURE;
1165 			break;
1166 		}
1167 
1168 		if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf)
1169 		    == -1) {
1170 			cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
1171 			    strerror(errno));
1172 			free(pload_soft_conf);
1173 			rc = FAILURE;
1174 			break;
1175 		}
1176 
1177 		if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
1178 			cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl "
1179 			    "return_value = %d",
1180 			    pload_soft_conf->sc_return_value);
1181 			free(pload_soft_conf);
1182 			rc = FAILURE;
1183 			break;
1184 		}
1185 
1186 		/* load the disabled list */
1187 		if (ptr->pent->dis_count != 0) {
1188 			pload_soft_dis = setup_soft_dis(ptr->pent);
1189 			if (pload_soft_dis == NULL) {
1190 				rc = FAILURE;
1191 				break;
1192 			}
1193 
1194 			if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED,
1195 			    pload_soft_dis) == -1) {
1196 				cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
1197 				    "failed: %s", strerror(errno));
1198 				free(pload_soft_dis);
1199 				rc = FAILURE;
1200 				break;
1201 			}
1202 
1203 			if (pload_soft_dis->sd_return_value !=
1204 			    CRYPTO_SUCCESS) {
1205 				cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl "
1206 				    "return_value = %d",
1207 				    pload_soft_dis->sd_return_value);
1208 				free(pload_soft_dis);
1209 				rc = FAILURE;
1210 				break;
1211 			}
1212 			free(pload_soft_dis);
1213 		}
1214 
1215 		free(pload_soft_conf);
1216 		ptr = ptr->next;
1217 	}
1218 
1219 	if (rc != SUCCESS) {
1220 		(void) close(fd);
1221 		return (rc);
1222 	}
1223 
1224 
1225 	/* Pass the disabledlist information for Device to kernel */
1226 	ptr = pdevlist;
1227 	while (ptr != NULL) {
1228 		/* load the disabled list */
1229 		if (ptr->pent->dis_count != 0) {
1230 			pload_dev_dis = setup_dev_dis(ptr->pent);
1231 			if (pload_dev_dis == NULL) {
1232 				rc = FAILURE;
1233 				break;
1234 			}
1235 
1236 			if (ioctl(fd, CRYPTO_LOAD_DEV_DISABLED, pload_dev_dis)
1237 			    == -1) {
1238 				cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
1239 				    "failed: %s", strerror(errno));
1240 				free(pload_dev_dis);
1241 				rc = FAILURE;
1242 				break;
1243 			}
1244 
1245 			if (pload_dev_dis->dd_return_value != CRYPTO_SUCCESS) {
1246 				cryptodebug("CRYPTO_LOAD_DEV_DISABLED ioctl "
1247 				    "return_value = %d",
1248 				    pload_dev_dis->dd_return_value);
1249 				free(pload_dev_dis);
1250 				rc = FAILURE;
1251 				break;
1252 			}
1253 			free(pload_dev_dis);
1254 		}
1255 
1256 		ptr = ptr->next;
1257 	}
1258 
1259 	(void) close(fd);
1260 	return (rc);
1261 }
1262 
1263 /*
1264  * Unload the kernel software provider. Before calling this function, the
1265  * caller should check if the provider is in the config file and if it
1266  * is kernel. This routine makes 3 ioctl calls to remove it from kernel
1267  * completely. The argument do_check set to B_FALSE means that the
1268  * caller knows the provider is not the config file and hence the check
1269  * is skipped.
1270  */
1271 int
1272 unload_kef_soft(char *provname, boolean_t do_check)
1273 {
1274 	crypto_unload_soft_module_t 	*punload_soft = NULL;
1275 	crypto_load_soft_config_t	*pload_soft_conf = NULL;
1276 	crypto_load_soft_disabled_t	*pload_soft_dis = NULL;
1277 	entry_t	*pent = NULL;
1278 	int	fd;
1279 
1280 	if (provname == NULL) {
1281 		cryptoerror(LOG_STDERR, gettext("internal error."));
1282 		return (FAILURE);
1283 	}
1284 
1285 	if (!do_check) {
1286 		/* Construct an entry using the provname */
1287 		pent = calloc(1, sizeof (entry_t));
1288 		if (pent == NULL) {
1289 			cryptoerror(LOG_STDERR, gettext("out of memory."));
1290 			return (FAILURE);
1291 		}
1292 		(void) strlcpy(pent->name, provname, MAXNAMELEN);
1293 	} else if ((pent = getent_kef(provname)) == NULL) {
1294 		cryptoerror(LOG_STDERR, gettext("%s does not exist."),
1295 		    provname);
1296 		return (FAILURE);
1297 	}
1298 
1299 	/* Open the admin_ioctl_device */
1300 	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDWR)) == -1) {
1301 		err = errno;
1302 		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
1303 		    ADMIN_IOCTL_DEVICE, strerror(err));
1304 		return (FAILURE);
1305 	}
1306 
1307 	/* Inform kernel to unload this software module */
1308 	if ((punload_soft = setup_unload_soft(pent)) == NULL) {
1309 		(void) close(fd);
1310 		return (FAILURE);
1311 	}
1312 
1313 	if (ioctl(fd, CRYPTO_UNLOAD_SOFT_MODULE, punload_soft) == -1) {
1314 		cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl failed: %s",
1315 		    strerror(errno));
1316 		free_entry(pent);
1317 		free(punload_soft);
1318 		(void) close(fd);
1319 		return (FAILURE);
1320 	}
1321 
1322 	if (punload_soft->sm_return_value != CRYPTO_SUCCESS) {
1323 		cryptodebug("CRYPTO_UNLOAD_SOFT_MODULE ioctl return_value = "
1324 		    "%d", punload_soft->sm_return_value);
1325 		/*
1326 		 * If the return value is CRYPTO_UNKNOWN_PRIVDER, it means
1327 		 * that the provider is not registered yet.  Should just
1328 		 * continue.
1329 		 */
1330 		if (punload_soft->sm_return_value != CRYPTO_UNKNOWN_PROVIDER) {
1331 			free_entry(pent);
1332 			free(punload_soft);
1333 			(void) close(fd);
1334 			return (FAILURE);
1335 		}
1336 	}
1337 
1338 	free(punload_soft);
1339 
1340 	/*
1341 	 * Inform kernel to remove the configuration of this software
1342 	 * module.
1343 	 */
1344 	free_mechlist(pent->suplist);
1345 	pent->suplist = NULL;
1346 	pent->sup_count = 0;
1347 	if ((pload_soft_conf = setup_soft_conf(pent)) == NULL) {
1348 		free_entry(pent);
1349 		(void) close(fd);
1350 		return (FAILURE);
1351 	}
1352 
1353 	if (ioctl(fd, CRYPTO_LOAD_SOFT_CONFIG, pload_soft_conf) == -1) {
1354 		cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl failed: %s",
1355 		    strerror(errno));
1356 		free_entry(pent);
1357 		free(pload_soft_conf);
1358 		(void) close(fd);
1359 		return (FAILURE);
1360 	}
1361 
1362 	if (pload_soft_conf->sc_return_value != CRYPTO_SUCCESS) {
1363 		cryptodebug("CRYPTO_LOAD_SOFT_CONFIG ioctl return_value = "
1364 		    "%d", pload_soft_conf->sc_return_value);
1365 		free_entry(pent);
1366 		free(pload_soft_conf);
1367 		(void) close(fd);
1368 		return (FAILURE);
1369 	}
1370 
1371 	free(pload_soft_conf);
1372 
1373 	/* Inform kernel to remove the disabled entries if any */
1374 	if (pent->dis_count == 0) {
1375 		free_entry(pent);
1376 		(void) close(fd);
1377 		return (SUCCESS);
1378 	} else {
1379 		free_mechlist(pent->dislist);
1380 		pent->dislist = NULL;
1381 		pent->dis_count = 0;
1382 	}
1383 
1384 	if ((pload_soft_dis = setup_soft_dis(pent)) == NULL) {
1385 		free_entry(pent);
1386 		(void) close(fd);
1387 		return (FAILURE);
1388 	}
1389 
1390 	/* pent is no longer needed; free it */
1391 	free_entry(pent);
1392 
1393 	if (ioctl(fd, CRYPTO_LOAD_SOFT_DISABLED, pload_soft_dis) == -1) {
1394 		cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl failed: %s",
1395 		    strerror(errno));
1396 		free(pload_soft_dis);
1397 		(void) close(fd);
1398 		return (FAILURE);
1399 	}
1400 
1401 	if (pload_soft_dis->sd_return_value != CRYPTO_SUCCESS) {
1402 		cryptodebug("CRYPTO_LOAD_SOFT_DISABLED ioctl return_value = "
1403 		    "%d", pload_soft_dis->sd_return_value);
1404 		free(pload_soft_dis);
1405 		(void) close(fd);
1406 		return (FAILURE);
1407 	}
1408 
1409 	free(pload_soft_dis);
1410 	(void) close(fd);
1411 	return (SUCCESS);
1412 }
1413 
1414 
1415 /*
1416  * Check if a hardware provider is valid.  If it is valid, returns its device
1417  * name,  instance number and the number of mechanisms it supports.
1418  */
1419 static int
1420 check_hardware_provider(char *provname, char *pname, int *pnum, int *pcount)
1421 {
1422 	crypto_get_dev_list_t *dev_list = NULL;
1423 	int	i;
1424 
1425 	if (provname == NULL) {
1426 		return (FAILURE);
1427 	}
1428 
1429 	/* First, get the device name and the instance number from provname */
1430 	if (split_hw_provname(provname, pname, pnum) == FAILURE) {
1431 		return (FAILURE);
1432 	}
1433 
1434 	/*
1435 	 * Get the complete device list from kernel and check if this provider
1436 	 * is in the list.
1437 	 */
1438 	if (get_dev_list(&dev_list) == FAILURE) {
1439 		return (FAILURE);
1440 	}
1441 
1442 	for (i = 0; i < dev_list->dl_dev_count; i++) {
1443 		if ((strcmp(dev_list->dl_devs[i].le_dev_name, pname) == 0) &&
1444 		    (dev_list->dl_devs[i].le_dev_instance == *pnum)) {
1445 			break;
1446 		}
1447 	}
1448 
1449 	if (i == dev_list->dl_dev_count) {
1450 		/* didn't find this provider in the kernel device list */
1451 		cryptoerror(LOG_STDERR, gettext("%s does not exist."),
1452 		    provname);
1453 		free(dev_list);
1454 		return (FAILURE);
1455 	}
1456 
1457 	/* This provider is valid.  Get its mechanism count */
1458 	*pcount = dev_list->dl_devs[i].le_mechanism_count;
1459 
1460 	free(dev_list);
1461 	return (SUCCESS);
1462 }
1463