/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
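 */

#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include "cryptoadm.h"

#define	HW_CONF_DIR	"/platform/sun4v/kernel/drv"

/* Characters separating a .conf property name from its value. */
#define	CONF_DELIMS	"= ;"

/*
 * Get FIPS-140 status from a HW provider .conf file.
 *
 * Reads the driver .conf file named by 'filename' line by line and looks
 * for the first non-comment line containing 'property'.  The value that
 * follows the property name is parsed as a decimal integer and stored in
 * *hw_fips_mode.  If no such line exists, *hw_fips_mode is set to
 * CRYPTO_FIPS_MODE_DISABLED.
 *
 * Returns SUCCESS, or FAILURE if the file cannot be opened or read, or if
 * the property line exists but its value is missing or is not a clean
 * integer.  *hw_fips_mode is written only on SUCCESS.
 */
int
fips_hw_status(char *filename, char *property, int *hw_fips_mode)
{
	FILE *pfile;
	char buffer[BUFSIZ];
	char *str;
	char *cursor;
	char *end;
	long value;

	/* Open the .conf file */
	if ((pfile = fopen(filename, "r")) == NULL) {
		cryptodebug("failed to open %s for read.", filename);
		return (FAILURE);
	}

	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
		if (buffer[0] == '#') {
			/* skip comments */
			continue;
		}

		/*
		 * Find the property string.  This is a plain substring
		 * match, so the property name must not be a prefix of
		 * another property in the same file.
		 */
		if ((str = strstr(buffer, property)) == NULL) {
			/* didn't find the property string in this line */
			continue;
		}

		/*
		 * Split "property = value;" in place: the first token is
		 * the property name, the second is its value.  strtok()
		 * keeps static state, which is acceptable in this
		 * single-threaded command.
		 */
		(void) strtok(str, CONF_DELIMS);
		cursor = strtok(NULL, CONF_DELIMS);
		if (cursor == NULL) {
			cryptoerror(LOG_STDERR, gettext(
			    "Invalid config file contents: %s."), filename);
			(void) fclose(pfile);
			return (FAILURE);
		}

		/*
		 * Parse the value strictly.  atoi() would silently turn any
		 * garbage into 0 (FIPS mode disabled), hiding a corrupted
		 * configuration instead of reporting it.  Trailing
		 * whitespace (e.g. the newline of a line without ';') is
		 * tolerated.
		 */
		errno = 0;
		value = strtol(cursor, &end, 10);
		while (isspace((unsigned char)*end))
			end++;
		if (end == cursor || *end != '\0' || errno == ERANGE ||
		    value < INT_MIN || value > INT_MAX) {
			cryptoerror(LOG_STDERR, gettext(
			    "Invalid config file contents: %s."), filename);
			(void) fclose(pfile);
			return (FAILURE);
		}

		*hw_fips_mode = (int)value;
		(void) fclose(pfile);
		return (SUCCESS);
	}

	/* fgets() returns NULL on a read error as well as at EOF. */
	if (ferror(pfile)) {
		cryptoerror(LOG_STDERR, gettext("failed to read %s - %s"),
		    filename, strerror(errno));
		(void) fclose(pfile);
		return (FAILURE);
	}

	/*
	 * If the fips property is not found in the config file,
	 * FIPS mode is false by default.
	 */
	*hw_fips_mode = CRYPTO_FIPS_MODE_DISABLED;
	(void) fclose(pfile);

	return (SUCCESS);
}

/*
 * Update the HW .conf file with the updated entry.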
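 *
 * Rewrites the driver .conf file named by 'filename' so that 'property'
 * is set to 1 when action == FIPS140_ENABLE and to 0 otherwise.  Every
 * non-comment line containing the property is patched; if no such line
 * exists, a "property=<value>;" line is appended.  The new contents are
 * written to a temporary file in the same directory and then renamed over
 * the original, so the .conf file is either fully updated or untouched.
 *
 * Returns SUCCESS or FAILURE.  Errors are reported through cryptoerror().
 */
int
fips_update_hw_conf(char *filename, char *property, int action)
{
	FILE *pfile = NULL;
	FILE *pfile_tmp = NULL;
	int tmpfd = -1;
	boolean_t tmp_created = B_FALSE;
	boolean_t found = B_FALSE;
	char buffer[BUFSIZ];
	char buffer2[BUFSIZ];
	char tmpfile_name[BUFSIZ];
	char *str;
	char *cursor;
	char newval;
	int n;
	int rc = FAILURE;

	newval = (action == FIPS140_ENABLE) ? '1' : '0';

	/* Open the .conf file */
	if ((pfile = fopen(filename, "r+")) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to update the configuration - %s"),
		    strerror(errno));
		cryptodebug("failed to open %s for write.", filename);
		return (FAILURE);
	}

	/*
	 * Lock the .conf file.  The lock is held until the new file has
	 * been renamed into place so that concurrent updates serialise.
	 */
	if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to update the configuration - %s"),
		    strerror(errno));
		cryptodebug(gettext("failed to lock %s"), filename);
		goto out;
	}

	/*
	 * Create the temporary file next to the .conf file (same directory,
	 * so rename() stays atomic).  mkstemp() creates it atomically with
	 * mode 0600; tempnam()+fopen() left a window between choosing the
	 * name and creating the file, and never checked for a NULL name.
	 */
	n = snprintf(tmpfile_name, sizeof (tmpfile_name), "%s.XXXXXX",
	    filename);
	if (n < 0 || (size_t)n >= sizeof (tmpfile_name)) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to update the configuration - %s"),
		    strerror(ENAMETOOLONG));
		goto out;
	}
	if ((tmpfd = mkstemp(tmpfile_name)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
		    tmpfile_name, strerror(errno));
		goto out;
	}
	tmp_created = B_TRUE;
	if ((pfile_tmp = fdopen(tmpfd, "w")) == NULL) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
		    tmpfile_name, strerror(errno));
		goto out;
	}
	tmpfd = -1;	/* the descriptor is now owned by pfile_tmp */

	/*
	 * Loop thru entire .conf file, update the entry to be
	 * updated and save the updated file to the temporary file first.
	 */
	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
		if (buffer[0] == '#') {
			/* comments: write to the file without modification */
			goto write_to_tmp;
		}

		/* tokenise a scratch copy; 'buffer' itself stays intact */
		(void) strlcpy(buffer2, buffer, BUFSIZ);

		/* find the property string (plain substring match) */
		if ((str = strstr(buffer2, property)) == NULL) {
			/*
			 * Didn't find the property string in this line.
			 * Write to the file without modification.
			 */
			goto write_to_tmp;
		}

		found = B_TRUE;

		(void) strtok(str, "= ;");
		cursor = strtok(NULL, "= ;");
		if (cursor == NULL) {
			/* no value follows the property name */
			cryptoerror(LOG_STDERR, gettext(
			    "Invalid config file contents: %s."), filename);
			goto out;
		}

		if (strlen(cursor) == 1) {
			/*
			 * Single-character value: overwrite it in place so
			 * the line keeps its spacing and any trailing text.
			 */
			buffer[cursor - buffer2] = newval;
		} else {
			/*
			 * Unexpected value width: patching one character
			 * would leave a multi-digit value behind, so rewrite
			 * the whole entry.
			 */
			(void) snprintf(buffer, BUFSIZ, "%s=%c;\n",
			    property, newval);
		}

write_to_tmp:
		if (fputs(buffer, pfile_tmp) == EOF) {
			cryptoerror(LOG_STDERR, gettext(
			    "failed to write to a temp file: %s."),
			    strerror(errno));
			goto out;
		}
	}

	/*
	 * fgets() returns NULL on a read error as well as at EOF.  Stop
	 * here rather than replacing the .conf file with a truncated copy.
	 */
	if (ferror(pfile)) {
		cryptoerror(LOG_STDERR, gettext("failed to read %s - %s"),
		    filename, strerror(errno));
		goto out;
	}

	/* if the fips mode property is not specified, FALSE by default */
	if (found == B_FALSE) {
		(void) snprintf(buffer, BUFSIZ, "%s=%c;\n", property, newval);
		if (fputs(buffer, pfile_tmp) == EOF) {
			cryptoerror(LOG_STDERR, gettext(
			    "failed to write to a tmp file: %s."),
			    strerror(errno));
			goto out;
		}
	}

	/*
	 * Give the new file its final permissions before it becomes visible
	 * under the .conf name, and make sure its contents have reached
	 * disk before the rename commits them.
	 */
	if (fchmod(fileno(pfile_tmp),
	    S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to update the configuration - %s"),
		    strerror(errno));
		cryptodebug("failed to chmod to %s: %s", tmpfile_name,
		    strerror(errno));
		goto out;
	}
	if (fflush(pfile_tmp) != 0 || fsync(fileno(pfile_tmp)) == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to write to a temp file: %s."),
		    strerror(errno));
		goto out;
	}
	if (fclose(pfile_tmp) != 0) {
		pfile_tmp = NULL;
		cryptoerror(LOG_STDERR,
		    gettext("failed to close %s: %s"), tmpfile_name,
		    strerror(errno));
		goto out;
	}
	pfile_tmp = NULL;

	/* Atomically replace the .conf file with the temporary file */
	if (rename(tmpfile_name, filename) == -1) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to update the configuration - %s"),
		    strerror(errno));
		cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
		    filename, strerror(errno));
		goto out;
	}
	tmp_created = B_FALSE;	/* the temp file is now the .conf file */
	rc = SUCCESS;

out:
	/* Release every resource still held; remove a leftover temp file. */
	if (pfile_tmp != NULL) {
		(void) fclose(pfile_tmp);
	} else if (tmpfd != -1) {
		(void) close(tmpfd);
	}
	if (tmp_created && unlink(tmpfile_name) != 0) {
		cryptoerror(LOG_STDERR, gettext(
		    "(Warning) failed to remove %s: %s"),
		    tmpfile_name, strerror(errno));
	}
	if (pfile != NULL) {
		(void) fclose(pfile);
	}

	return (rc);
}


/*
 * Perform the FIPS related actions for a sun4v HW crypto provider.
 *
 * 'provider' selects the driver .conf file, property name and display
 * name (HW_PROVIDER_NCP, HW_PROVIDER_N2CP or HW_PROVIDER_N2RNG); 'action'
 * is FIPS140_STATUS, FIPS140_ENABLE or FIPS140_DISABLE.  Status and
 * results are printed to stdout.  Enabling an already-enabled provider
 * (or disabling an already-disabled one) is reported and returns FAILURE
 * without touching the .conf file.
 *
 * Returns SUCCESS or FAILURE.
 */
int
do_fips_hw_actions(int action, int provider)
{
	int rc = SUCCESS;
	int fips_mode = 0;
	char *filename;
	char *propname;
	char *provname;

	switch (provider) {
	case HW_PROVIDER_NCP:
		filename = HW_CONF_DIR "/ncp.conf";
		propname = "ncp-fips-140";
		provname = "ncp";
		break;
	case HW_PROVIDER_N2CP:
		filename = HW_CONF_DIR "/n2cp.conf";
		propname = "n2cp-fips-140";
		provname = "n2cp";
		break;
	case HW_PROVIDER_N2RNG:
		filename = HW_CONF_DIR "/n2rng.conf";
		propname = "n2rng-fips-140";
		provname = "n2rng";
		break;
	default:
		/* the format has a %d, so the provider must be passed */
		(void) printf(gettext("Internal Error: Invalid HW "
		    "provider [%d] specified.\n"), provider);
		return (FAILURE);
	}

	/* Reject unknown actions before reporting any result for them. */
	if (action != FIPS140_STATUS && action != FIPS140_ENABLE &&
	    action != FIPS140_DISABLE) {
		(void) printf(gettext("Internal Error: Invalid FIPS-140 "
		    "action [%d] specified.\n"), action);
		return (FAILURE);
	}

	/* Get FIPS-140 status from .conf */
	if (fips_hw_status(filename, propname, &fips_mode) != SUCCESS) {
		return (FAILURE);
	}

	if (action == FIPS140_STATUS) {
		if (fips_mode == CRYPTO_FIPS_MODE_ENABLED)
			(void) printf(gettext(
			    "%s: FIPS-140 mode is enabled.\n"), provname);
		else
			(void) printf(gettext(
			    "%s: FIPS-140 mode is disabled.\n"), provname);
		return (SUCCESS);
	}

	/* Is it a duplicate operation? */
	if ((action == FIPS140_ENABLE) &&
	    (fips_mode == CRYPTO_FIPS_MODE_ENABLED)) {
		(void) printf(
		    gettext("%s: FIPS-140 mode has already been enabled.\n"),
		    provname);
		return (FAILURE);
	}

	if ((action == FIPS140_DISABLE) &&
	    (fips_mode == CRYPTO_FIPS_MODE_DISABLED)) {
		(void) printf(
		    gettext("%s: FIPS-140 mode has already been disabled.\n"),
		    provname);
		return (FAILURE);
	}

	/* Update .conf */
	if ((rc = fips_update_hw_conf(filename, propname, action)) != SUCCESS)
		return (rc);

	/* No need to inform kernel */
	if (action == FIPS140_ENABLE) {
		(void) printf(gettext(
		    "%s: FIPS-140 mode was enabled successfully.\n"),
		    provname);
	} else {
		(void) printf(gettext(
		    "%s: FIPS-140 mode was disabled successfully.\n"),
		    provname);
	}

	return (SUCCESS);
}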