xref: /onnv-gate/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c (revision 12929)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/varargs.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include "cryptoadm.h"

#define	DEFAULT_DEV_NUM 5
#define	DEFAULT_SOFT_NUM 10

#define	NUM_FIPS_SW_PROV	\
	(sizeof (fips_sw_providers) / sizeof (char *))

static char *fips_sw_providers[] = {
	"des",
	"aes",
	"ecc",
	"sha1",
	"sha2",
	"rsa",
	"swrand"
};

static crypto_get_soft_info_t *setup_get_soft_info(char *, int);

static void
fips_sw_printf(const char *format, ...)
{
	va_list	ap;
	char	message[1024];
	int	i;

	va_start(ap, format);
	(void) snprintf(message, sizeof (message), format, ap);
	va_end(ap);

	(void) printf(gettext("\nUser-level providers:\n"));
	(void) printf(gettext("=====================\n"));
	(void) printf(gettext("/usr/lib/security/$ISA/pkcs11_softtoken: %s\n"),
	    message);
	(void) printf(gettext("\nKernel software providers:\n"));
	(void) printf(gettext("==========================\n"));
	for (i = 0; i < NUM_FIPS_SW_PROV; i++) {
		(void) printf(gettext("%s: %s\n"),
		    fips_sw_providers[i], message);
	}
}

/*
 * Prepare the argument for the LOAD_SOFT_CONFIG ioctl call for the
 * provider pointed by pent.  Return NULL if out of memory.
 */
crypto_load_soft_config_t *
setup_soft_conf(entry_t *pent)
{
	crypto_load_soft_config_t	*pload_soft_conf;
	mechlist_t	*plist;
	uint_t		sup_count;
	size_t		extra_mech_size = 0;
	int		i;

	if (pent == NULL) {
		return (NULL);
	}

	sup_count = pent->sup_count;
	if (sup_count > 1) {
		extra_mech_size = sizeof (crypto_mech_name_t) *
		    (sup_count - 1);
	}

	pload_soft_conf = malloc(sizeof (crypto_load_soft_config_t) +
	    extra_mech_size);
	if (pload_soft_conf == NULL) {
		cryptodebug("out of memory.");
		return (NULL);
	}

	(void) strlcpy(pload_soft_conf->sc_name, pent->name, MAXNAMELEN);
	pload_soft_conf->sc_count = sup_count;

	i = 0;
	plist =  pent->suplist;
	while (i < sup_count) {
		(void) strlcpy(pload_soft_conf->sc_list[i++],
		    plist->name, CRYPTO_MAX_MECH_NAME);
		plist = plist->next;
	}

	return (pload_soft_conf);
}


/*
 * Prepare the argument for the LOAD_SOFT_DISABLED ioctl call for the
 * provider pointed by pent.  Return NULL if out of memory.
 */
crypto_load_soft_disabled_t *
setup_soft_dis(entry_t *pent)
{
	crypto_load_soft_disabled_t	*pload_soft_dis = NULL;
	mechlist_t	*plist = NULL;
	size_t		extra_mech_size = 0;
	uint_t		dis_count;
	int		i;

	if (pent == NULL) {
		return (NULL);
	}

	dis_count = pent->dis_count;
	if (dis_count > 1) {
		extra_mech_size = sizeof (crypto_mech_name_t) *
		    (dis_count - 1);
	}

	pload_soft_dis = malloc(sizeof (crypto_load_soft_disabled_t) +
	    extra_mech_size);
	if (pload_soft_dis == NULL) {
		cryptodebug("out of memory.");
		return (NULL);
	}

	(void) strlcpy(pload_soft_dis->sd_name, pent->name, MAXNAMELEN);
	pload_soft_dis->sd_count = dis_count;

	i = 0;
	plist =  pent->dislist;
	while (i < dis_count) {
		(void) strlcpy(pload_soft_dis->sd_list[i++],
		    plist->name, CRYPTO_MAX_MECH_NAME);
		plist = plist->next;
	}

	return (pload_soft_dis);
}


/*
 * Prepare the argument for the LOAD_DEV_DISABLED ioctl call for the
 * provider pointed by pent.  Return NULL if out of memory.
 */
crypto_load_dev_disabled_t *
setup_dev_dis(entry_t *pent)
{
	crypto_load_dev_disabled_t	*pload_dev_dis = NULL;
	mechlist_t	*plist = NULL;
	size_t		extra_mech_size = 0;
	uint_t		dis_count;
	int		i;
	char		pname[MAXNAMELEN];
	int		inst_num;

	if (pent == NULL) {
		return (NULL);
	}

	/* get the device name and the instance number */
	if (split_hw_provname(pent->name, pname, &inst_num) == FAILURE) {
		return (NULL);
	}

	/* allocate space for pload_dev_des */
	dis_count = pent->dis_count;
	if (dis_count > 1) {
		extra_mech_size = sizeof (crypto_mech_name_t) *
		    (dis_count - 1);
	}

	pload_dev_dis = malloc(sizeof (crypto_load_dev_disabled_t) +
	    extra_mech_size);
	if (pload_dev_dis == NULL) {
		cryptodebug("out of memory.");
		return (NULL);
	}

	/* set the values for pload_dev_dis */
	(void) strlcpy(pload_dev_dis->dd_dev_name, pname, MAXNAMELEN);
	pload_dev_dis->dd_dev_instance = inst_num;
	pload_dev_dis->dd_count = dis_count;

	i = 0;
	plist =  pent->dislist;
	while (i < dis_count) {
		(void) strlcpy(pload_dev_dis->dd_list[i++],
		    plist->name, CRYPTO_MAX_MECH_NAME);
		plist = plist->next;
	}

	return (pload_dev_dis);
}


/*
 * Prepare the calling argument of the UNLOAD_SOFT_MODULE ioctl call for the
 * provider pointed by pent.  Return NULL if out of memory.
 */
crypto_unload_soft_module_t *
setup_unload_soft(entry_t *pent)
{
	crypto_unload_soft_module_t *punload_soft;

	if (pent == NULL) {
		return (NULL);
	}

	punload_soft = malloc(sizeof (crypto_unload_soft_module_t));
	if (punload_soft == NULL) {
		cryptodebug("out of memory.");
		return (NULL);
	}

	(void) strlcpy(punload_soft->sm_name, pent->name, MAXNAMELEN);

	return (punload_soft);
}


/*
 * Prepare the calling argument for the GET_SOFT_INFO call for the provider
 * with the number of mechanisms specified in the second argument.
 *
 * Called by get_soft_info().
 */
static crypto_get_soft_info_t *
setup_get_soft_info(char *provname, int count)
{
	crypto_get_soft_info_t	*psoft_info;
	size_t			extra_mech_size = 0;

	if (provname == NULL) {
		return (NULL);
	}

	if (count > 1) {
		extra_mech_size = sizeof (crypto_mech_name_t) * (count - 1);
	}

	psoft_info = malloc(sizeof (crypto_get_soft_info_t) + extra_mech_size);
	if (psoft_info == NULL) {
		cryptodebug("out of memory.");
		return (NULL);
	}

	(void) strlcpy(psoft_info->si_name, provname, MAXNAMELEN);
	psoft_info->si_count = count;

	return (psoft_info);
}


/*
 * Get the device list from kernel.
 */
int
get_dev_list(crypto_get_dev_list_t **ppdevlist)
{
	crypto_get_dev_list_t	*pdevlist;
	int			fd = -1;
	int			count = DEFAULT_DEV_NUM;

	pdevlist = malloc(sizeof (crypto_get_dev_list_t) +
	    sizeof (crypto_dev_list_entry_t) * (count - 1));
	if (pdevlist == NULL) {
		cryptodebug("out of memory.");
		return (FAILURE);
	}

	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
		    ADMIN_IOCTL_DEVICE, strerror(errno));
		return (FAILURE);
	}

	pdevlist->dl_dev_count = count;
	if (ioctl(fd, CRYPTO_GET_DEV_LIST, pdevlist) == -1) {
		cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed: %s",
		    strerror(errno));
		free(pdevlist);
		(void) close(fd);
		return (FAILURE);
	}

	/* BUFFER is too small, get the number of devices and retry it. */
	if (pdevlist->dl_return_value == CRYPTO_BUFFER_TOO_SMALL) {
		count = pdevlist->dl_dev_count;
		free(pdevlist);
		pdevlist = malloc(sizeof (crypto_get_dev_list_t) +
		    sizeof (crypto_dev_list_entry_t) * (count - 1));
		if (pdevlist == NULL) {
			cryptodebug("out of memory.");
			(void) close(fd);
			return (FAILURE);
		}

		if (ioctl(fd, CRYPTO_GET_DEV_LIST, pdevlist) == -1) {
			cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed: %s",
			    strerror(errno));
			free(pdevlist);
			(void) close(fd);
			return (FAILURE);
		}
	}

	if (pdevlist->dl_return_value != CRYPTO_SUCCESS) {
		cryptodebug("CRYPTO_GET_DEV_LIST ioctl failed, "
		    "return_value = %d", pdevlist->dl_return_value);
		free(pdevlist);
		(void) close(fd);
		return (FAILURE);
	}

	*ppdevlist = pdevlist;
	(void) close(fd);
	return (SUCCESS);
}


/*
 * Get all the mechanisms supported by the hardware provider.
 * The result will be stored in the second argument.
 */
int
get_dev_info(char *devname, int inst_num, int count, mechlist_t **ppmechlist)
{
	crypto_get_dev_info_t	*dev_info;
	mechlist_t	*phead;
	mechlist_t	*pcur;
	mechlist_t	*pmech;
	int		fd = -1;
	int		i;
	int		rc;

	if (devname == NULL || count < 1) {
		cryptodebug("get_dev_info(): devname is NULL or bogus count");
		return (FAILURE);
	}

	/* Set up the argument for the CRYPTO_GET_DEV_INFO ioctl call */
	dev_info = malloc(sizeof (crypto_get_dev_info_t) +
	    sizeof (crypto_mech_name_t) * (count - 1));
	if (dev_info == NULL) {
		cryptodebug("out of memory.");
		return (FAILURE);
	}
	(void) strlcpy(dev_info->di_dev_name, devname, MAXNAMELEN);
	dev_info->di_dev_instance = inst_num;
	dev_info->di_count = count;

	/* Open the ioctl device */
	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
		    ADMIN_IOCTL_DEVICE, strerror(errno));
		free(dev_info);
		return (FAILURE);
	}

	if (ioctl(fd, CRYPTO_GET_DEV_INFO, dev_info) == -1) {
		cryptodebug("CRYPTO_GET_DEV_INFO ioctl failed: %s",
		    strerror(errno));
		free(dev_info);
		(void) close(fd);
		return (FAILURE);
	}

	if (dev_info->di_return_value != CRYPTO_SUCCESS) {
		cryptodebug("CRYPTO_GET_DEV_INFO ioctl failed, "
		    "return_value = %d", dev_info->di_return_value);
		free(dev_info);
		(void) close(fd);
		return (FAILURE);
	}

	phead = pcur = NULL;
	rc = SUCCESS;
	for (i = 0; i < dev_info->di_count; i++) {
		pmech = create_mech(&dev_info->di_list[i][0]);
		if (pmech == NULL) {
			rc = FAILURE;
			break;
		} else {
			if (phead == NULL) {
				phead = pcur = pmech;
			} else {
				pcur->next = pmech;
				pcur = pmech;
			}
		}
	}

	if (rc == SUCCESS) {
		*ppmechlist = phead;
	} else {
		free_mechlist(phead);
	}

	free(dev_info);
	(void) close(fd);
	return (rc);
}


/*
 * Get the supported mechanism list of the software provider from kernel.
 *
 * Parameters phardlist and psoftlist are supplied by get_kcfconf_info().
 * If NULL, this function calls get_kcfconf_info() internally.
 */
int
get_soft_info(char *provname, mechlist_t **ppmechlist,
	entrylist_t *phardlist, entrylist_t *psoftlist)
{
	boolean_t		in_kernel = B_FALSE;
	crypto_get_soft_info_t	*psoft_info;
	mechlist_t		*phead;
	mechlist_t		*pmech;
	mechlist_t		*pcur;
	entry_t			*pent = NULL;
	int			count;
	int			fd = -1;
	int			rc;
	int			i;

	if (provname == NULL) {
		return (FAILURE);
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		/* use kcf.conf for kernel software providers in global zone */
		if ((pent = getent_kef(provname, phardlist, psoftlist)) ==
		    NULL) {

			/* No kcf.conf entry for this provider */
			if (check_kernel_for_soft(provname, NULL, &in_kernel)
			    == FAILURE) {
				return (FAILURE);
			} else if (in_kernel == B_FALSE) {
				cryptoerror(LOG_STDERR,
				    gettext("%s does not exist."), provname);
				return (FAILURE);
			}

			/*
			 * Set mech count to 1.  It will be reset to the
			 * correct value later if the setup buffer is too small.
			 */
			count = 1;
		} else {
			count = pent->sup_count;
			free_entry(pent);
		}
	} else {
		/*
		 * kcf.conf not there in non-global zone: set mech count to 1.
		 * It will be reset to the correct value later if the setup
		 * buffer is too small.
		 */
		count = 1;
	}

	if ((psoft_info = setup_get_soft_info(provname, count)) == NULL) {
		return (FAILURE);
	}

	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
		    ADMIN_IOCTL_DEVICE, strerror(errno));
		free(psoft_info);
		return (FAILURE);
	}

	/* make GET_SOFT_INFO ioctl call */
	if ((rc = ioctl(fd, CRYPTO_GET_SOFT_INFO, psoft_info)) == -1) {
		cryptodebug("CRYPTO_GET_SOFT_INFO ioctl failed: %s",
		    strerror(errno));
		(void) close(fd);
		free(psoft_info);
		return (FAILURE);
	}

	/* BUFFER is too small, get the number of mechanisms and retry it. */
	if (psoft_info->si_return_value == CRYPTO_BUFFER_TOO_SMALL) {
		count = psoft_info->si_count;
		free(psoft_info);
		if ((psoft_info = setup_get_soft_info(provname, count))
		    == NULL) {
			(void) close(fd);
			return (FAILURE);
		} else {
			rc = ioctl(fd, CRYPTO_GET_SOFT_INFO, psoft_info);
			if (rc == -1) {
				cryptodebug("CRYPTO_GET_SOFT_INFO ioctl "
				    "failed: %s", strerror(errno));
				(void) close(fd);
				free(psoft_info);
				return (FAILURE);
			}
		}
	}

	(void) close(fd);
	if (psoft_info->si_return_value != CRYPTO_SUCCESS) {
		cryptodebug("CRYPTO_GET_SOFT_INFO ioctl failed, "
		    "return_value = %d", psoft_info->si_return_value);
		free(psoft_info);
		return (FAILURE);
	}


	/* Build the mechanism linked list and return it */
	rc = SUCCESS;
	phead = pcur = NULL;
	for (i = 0; i < psoft_info->si_count; i++) {
		pmech = create_mech(&psoft_info->si_list[i][0]);
		if (pmech == NULL) {
			rc = FAILURE;
			break;
		} else {
			if (phead == NULL) {
				phead = pcur = pmech;
			} else {
				pcur->next = pmech;
				pcur = pmech;
			}
		}
	}

	if (rc == FAILURE) {
		free_mechlist(phead);
	} else {
		*ppmechlist = phead;
	}

	free(psoft_info);
	return (rc);
}


/*
 * Get the kernel software provider list from kernel.
 */
int
get_soft_list(crypto_get_soft_list_t **ppsoftlist)
{
	crypto_get_soft_list_t *psoftlist = NULL;
	int	count = DEFAULT_SOFT_NUM;
	int	len;
	int	fd = -1;

	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
		    ADMIN_IOCTL_DEVICE, strerror(errno));
		return (FAILURE);
	}

	len = MAXNAMELEN * count;
	psoftlist = malloc(sizeof (crypto_get_soft_list_t) + len);
	if (psoftlist == NULL) {
		cryptodebug("out of memory.");
		(void) close(fd);
		return (FAILURE);
	}
	psoftlist->sl_soft_names = (caddr_t)(psoftlist + 1);
	psoftlist->sl_soft_count = count;
	psoftlist->sl_soft_len = len;

	if (ioctl(fd, CRYPTO_GET_SOFT_LIST, psoftlist) == -1) {
		cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed: %s",
		    strerror(errno));
		free(psoftlist);
		(void) close(fd);
		return (FAILURE);
	}

	/*
	 * if BUFFER is too small, get the number of software providers and
	 * the minimum length needed for names and length and retry it.
	 */
	if (psoftlist->sl_return_value == CRYPTO_BUFFER_TOO_SMALL) {
		count = psoftlist->sl_soft_count;
		len = psoftlist->sl_soft_len;
		free(psoftlist);
		psoftlist = malloc(sizeof (crypto_get_soft_list_t) + len);
		if (psoftlist == NULL) {
			cryptodebug("out of memory.");
			(void) close(fd);
			return (FAILURE);
		}
		psoftlist->sl_soft_names = (caddr_t)(psoftlist + 1);
		psoftlist->sl_soft_count = count;
		psoftlist->sl_soft_len = len;

		if (ioctl(fd, CRYPTO_GET_SOFT_LIST, psoftlist) == -1) {
			cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed:"
			    "%s", strerror(errno));
			free(psoftlist);
			(void) close(fd);
			return (FAILURE);
		}
	}

	if (psoftlist->sl_return_value != CRYPTO_SUCCESS) {
		cryptodebug("CRYPTO_GET_SOFT_LIST ioctl failed, "
		    "return_value = %d", psoftlist->sl_return_value);
		free(psoftlist);
		(void) close(fd);
		return (FAILURE);
	}

	*ppsoftlist = psoftlist;
	(void) close(fd);
	return (SUCCESS);
}

/*
 * Perform the FIPS related actions
 */
int
do_fips_actions(int action, int caller)
{

	crypto_fips140_t	fips_info;
	int	fd;
	int	rc = SUCCESS;
	int	pkcs11_fips_mode = 0;

	/* Get FIPS-140 status from pkcs11.conf */
	fips_status_pkcs11conf(&pkcs11_fips_mode);

	if (action == FIPS140_STATUS) {
		if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED)
			fips_sw_printf(gettext("FIPS-140 mode is enabled."));
		else
			fips_sw_printf(gettext("FIPS-140 mode is disabled."));
		return (SUCCESS);
	}

	if (caller == NOT_REFRESH) {
		/* Is it a duplicate operation? */
		if ((action == FIPS140_ENABLE) &&
		    (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED)) {
			fips_sw_printf(gettext("FIPS-140 mode has already "
			    "been enabled."));
			return (FAILURE);
		}

		if ((action == FIPS140_DISABLE) &&
		    (pkcs11_fips_mode == CRYPTO_FIPS_MODE_DISABLED)) {
			fips_sw_printf(gettext("FIPS-140 mode has already "
			    "been disabled."));
			return (FAILURE);
		}

		if ((action == FIPS140_ENABLE) || (action == FIPS140_DISABLE)) {
			/* Update pkcs11.conf */
			if ((rc = fips_update_pkcs11conf(action)) != SUCCESS)
				return (rc);
		}

		/* No need to inform kernel */
		if (action == FIPS140_ENABLE) {
			fips_sw_printf(gettext("FIPS-140 mode was enabled "
			    "successfully."));
		} else {
			fips_sw_printf(gettext("FIPS-140 mode was disabled "
			    "successfully."));
		}

		return (SUCCESS);

	}

	/* This is refresh, need to inform kernel */
	(void) memset(&fips_info, 0, sizeof (crypto_fips140_t));

	if ((fd = open(ADMIN_IOCTL_DEVICE, O_RDONLY)) == -1) {
		cryptoerror(LOG_STDERR, gettext("failed to open %s: %s"),
		    ADMIN_IOCTL_DEVICE, strerror(errno));
		return (FAILURE);
	}

	switch (action) {
	case FIPS140_ENABLE:
		/* make CRYPTO_FIPS_SET ioctl call */
		fips_info.fips140_op = FIPS140_ENABLE;
		if ((rc = ioctl(fd, CRYPTO_FIPS140_SET, &fips_info)) == -1) {
			cryptodebug("CRYPTO_FIPS140_ENABLE ioctl failed: %s",
			    strerror(errno));
			rc = FAILURE;
			goto out;
		}

		if (fips_info.fips140_return_value != CRYPTO_SUCCESS) {
			cryptodebug("CRYPTO_FIPS140_ENABLE ioctl failed, "
			    "return_value = %d",
			    fips_info.fips140_return_value);
			rc = FAILURE;
		}

		break;

	case FIPS140_DISABLE:
		/* make CRYPTO_FIPS140_SET ioctl call */
		fips_info.fips140_op = FIPS140_DISABLE;
		if ((rc = ioctl(fd, CRYPTO_FIPS140_SET, &fips_info)) == -1) {
			cryptodebug("CRYPTO_FIPS140_DISABLE ioctl failed: %s",
			    strerror(errno));
			rc = FAILURE;
			goto out;
		}

		if (fips_info.fips140_return_value != CRYPTO_SUCCESS) {
			cryptodebug("CRYPTO_FIPS140_DISABLE ioctl failed, "
			    "return_value = %d",
			    fips_info.fips140_return_value);
			rc = FAILURE;
		}

		break;

	default:
		rc = FAILURE;
		break;
	};

out:
	(void) close(fd);
	return (rc);
}