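/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Smallest argc main() accepts: the program name plus a subcommand. */
#define	REQ_ARG_CNT	2

/*
 * subcommand index
 *
 * The enumerators double as indices into cmd_table[] below, so the two
 * must be kept in the same order.
 */
enum subcommand_index {
	CRYPTO_LIST,
	CRYPTO_DISABLE,
	CRYPTO_ENABLE,
	CRYPTO_INSTALL,
	CRYPTO_UNINSTALL,
	CRYPTO_UNLOAD,
	CRYPTO_REFRESH,
	CRYPTO_START,
	CRYPTO_STOP,
	CRYPTO_HELP };

/*
 * TRANSLATION_NOTE
 * Command keywords are not to be translated.
 */
/*
 * Subcommand keywords, indexed by enum subcommand_index.  main() matches
 * argv[1] against this table with strcmp().  Nothing ever writes to the
 * table or its strings, so both levels are const-qualified.
 */
static const char *const cmd_table[] = {
	"list",
	"disable",
	"enable",
	"install",
	"uninstall",
	"unload",
	"refresh",
	"start",
	"stop",
	"--help" };

/*
 * provider type
 *
 * Classification of a provider operand; see get_provider_type() for how a
 * name maps onto these values.
 */
enum provider_type_index {
	PROV_UEF_LIB,
	PROV_KEF_SOFT,
	PROV_KEF_HARD,
	METASLOT,
	PROV_BADNAME };

/* A provider operand as parsed from the command line by get_provider(). */
typedef struct {
	char cp_name[MAXPATHLEN];		/* provider name as given */
	enum provider_type_index cp_type;	/* classification of cp_name */
} cryptoadm_provider_t;

/*
 * TRANSLATION_NOTE
 * Operand keywords are not to be translated.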
 */
static const char *KN_PROVIDER = "provider=";
static const char *KN_MECH = "mechanism=";
static const char *KN_ALL = "all";
static const char *KN_TOKEN = "token=";
static const char *KN_SLOT = "slot=";
static const char *KN_DEFAULT_KS = "default-keystore";
static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";

/* static variables */
static boolean_t allflag = B_FALSE;	/* "all" (or mechanism=all) given */
static boolean_t rndflag = B_FALSE;	/* "random" given; implied by "all" */
static mechlist_t *mecharglist = NULL;	/* mechanism= operands, as a list */

/* static functions */
static void usage(void);
static int get_provider_type(char *);
static int process_mech_operands(int, char **, boolean_t);
static int do_list(int, char **);
static int do_disable(int, char **);
static int do_enable(int, char **);
static int do_install(int, char **);
static int do_uninstall(int, char **);
static int do_unload(int, char **);
static int do_refresh(int);
static int do_start(int);
static int do_stop(int);
static int list_simple_for_all(boolean_t);
static int list_mechlist_for_all(boolean_t);
static int list_policy_for_all(void);

/*
 * Entry point: set up localisation and debug output, then dispatch argv[1]
 * to the matching do_*() handler via cmd_table[].  Returns the handler's
 * status, or ERROR_USAGE (after printing usage) when no subcommand was
 * given or it is unknown.
 */
int
main(int argc, char *argv[])
{
	const int ncmds = sizeof (cmd_table) / sizeof (cmd_table[0]);
	const char *subcmd;
	int cmd_index;
	int rc = SUCCESS;

	(void) setlocale(LC_ALL, "");

#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	cryptodebug_init(basename(argv[0]));

	if (argc < REQ_ARG_CNT) {
		usage();
		return (ERROR_USAGE);
	}

	/* get the subcommand index: first exact match in cmd_table[] */
	subcmd = argv[1];
	for (cmd_index = 0; cmd_index < ncmds; cmd_index++) {
		if (strcmp(subcmd, cmd_table[cmd_index]) == 0)
			break;
	}
	if (cmd_index == ncmds) {
		usage();
		return (ERROR_USAGE);
	}

	/* do the subcommand */
	switch (cmd_index) {
	case CRYPTO_LIST:
		rc = do_list(argc, argv);
		break;
	case CRYPTO_DISABLE:
		rc = do_disable(argc, argv);
		break;
	case CRYPTO_ENABLE:
		rc = do_enable(argc, argv);
		break;
	case CRYPTO_INSTALL:
		rc = do_install(argc, argv);
		break;
	case CRYPTO_UNINSTALL:
		rc = do_uninstall(argc, argv);
		break;
	case CRYPTO_UNLOAD:
		rc = do_unload(argc, argv);
		break;
	case CRYPTO_REFRESH:
		rc = do_refresh(argc);
		break;
	case CRYPTO_START:
		rc = do_start(argc);
		break;
	case CRYPTO_STOP:
		rc = do_stop(argc);
		break;
	case CRYPTO_HELP:
		usage();
		rc = SUCCESS;
		break;
	default:	/* should not come here */
		usage();
		rc = ERROR_USAGE;
		break;
	}
	return (rc);
}


static void
usage(void)
{
	/*
	 * TRANSLATION_NOTE
	 * Command usage is not to be translated. Only the word "Usage:"
	 * along with localized expressions indicating what kind of value
	 * is expected for arguments.
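	 */
	/*
	 * Print the command synopsis to stderr.  Only the "Usage:" word
	 * and the <placeholders> are localised; the keywords are literal.
	 * The translated "Usage:" line is written with fputs() rather than
	 * used as an fprintf() format, so a catalog entry containing '%'
	 * cannot be interpreted as a conversion.
	 */
	(void) fputs(gettext("Usage:\n"), stderr);
	(void) fprintf(stderr,
	    " cryptoadm list [-mpv] [provider=<%s> | metaslot]"
	    " [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm list fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm disable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable metaslot"
	    " [auto-key-migrate] [mechanism=<%s>]\n",
	    gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm enable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm enable metaslot [mechanism=<%s>]"
	    " [[token=<%s>] [slot=<%s>]"
	    " | [default-keystore]] | [auto-key-migrate]\n",
	    gettext("mechanism-list"), gettext("token-label"),
	    gettext("slot-description"));
	(void) fprintf(stderr,
	    " cryptoadm enable fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s> [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm uninstall provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm unload provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm refresh\n"
	    " cryptoadm start\n"
	    " cryptoadm stop\n"
	    " cryptoadm --help\n");
}


/*
 * Get the provider type. This function returns
 * - PROV_UEF_LIB if provname contains an absolute path name
 * - PROV_KEF_SOFT if provname is a base name only (e.g., "aes").
 * - PROV_KEF_HARD if provname contains one slash only and the slash is not
 *   the 1st character (e.g., "mca/0").
 * - PROV_BADNAME otherwise.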
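 * - FAILURE if provname is NULL (a defensive out-of-band value; callers pass
 *   cp_name, which is an array and never NULL).
 */
static int
get_provider_type(char *provname)
{
	char *pslash1;
	char *pslash2;

	if (provname == NULL) {
		return (FAILURE);
	}

	if (provname[0] == '/') {
		/* absolute path name */
		return (PROV_UEF_LIB);
	}
	if ((pslash1 = strchr(provname, SEP_SLASH)) == NULL) {
		/* no slash */
		return (PROV_KEF_SOFT);
	}
	/* first and last slash coincide <=> exactly one, non-leading slash */
	pslash2 = strrchr(provname, SEP_SLASH);
	return (pslash1 == pslash2 ? PROV_KEF_HARD : PROV_BADNAME);
}

/*
 * Get the provider structure. This function returns NULL if no valid
 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 * If provider= is found but has no argument, then a cryptoadm_provider_t
 * with cp_type = PROV_BADNAME is returned.
 *
 * argv[0] is skipped; the first operand that is either the metaslot keyword
 * or "provider=..." wins.  argv[] itself is not modified: the provider=
 * operand is split on a private strdup() copy.  The returned structure is
 * malloc()ed and owned by the caller, who releases it with free().
 * NULL is also returned (after an error message) when memory runs out.
 */
static cryptoadm_provider_t *
get_provider(int argc, char **argv)
{
	int c = 0;
	boolean_t found = B_FALSE;
	cryptoadm_provider_t *provider = NULL;
	char *provstr = NULL, *savstr;
	boolean_t is_metaslot = B_FALSE;

	while (!found && ++c < argc) {
		if (strncmp(argv[c], METASLOT_KEYWORD,
		    strlen(METASLOT_KEYWORD)) == 0) {
			is_metaslot = B_TRUE;
			found = B_TRUE;
		} else if (strncmp(argv[c], KN_PROVIDER,
		    strlen(KN_PROVIDER)) == 0 &&
		    strlen(argv[c]) > strlen(KN_PROVIDER)) {
			if ((provstr = strdup(argv[c])) == NULL) {
				int err = errno;
				/*
				 * TRANSLATION_NOTE
				 * "get_provider" is a function name and should
				 * not be translated.
				 */
				cryptoerror(LOG_STDERR, "get_provider: %s.",
				    strerror(err));
				return (NULL);
			}
			found = B_TRUE;
		}
	}
	if (!found)
		return (NULL);

	provider = malloc(sizeof (cryptoadm_provider_t));
	if (provider == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free(provstr);	/* NULL in the metaslot case; free() copes */
		return (NULL);
	}

	if (is_metaslot) {
		/*
		 * Bound the copy by the destination size.  strlcpy() copies
		 * at most size - 1 bytes, so sizing it by strlen() of the
		 * source (as this code once did) silently dropped the last
		 * character of the keyword.
		 */
		(void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
		    sizeof (provider->cp_name));
		provider->cp_type = METASLOT;
	} else {
		savstr = provstr;
		(void) strtok(provstr, "=");
		provstr = strtok(NULL, "=");
		if (provstr == NULL) {
			/* "provider==" and similar: keyword but no value */
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_name[0] = '\0';
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}

		(void) strlcpy(provider->cp_name, provstr,
		    sizeof (provider->cp_name));
		provider->cp_type = get_provider_type(provider->cp_name);

		free(savstr);
	}
	return (provider);
}

/*
 * Process the metaslot operands.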
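 *
 * "argc" and "argv" contain values specified on the command line.
 * All other arguments are used for returning parsing results.
 * If any of these arguments are NULL, that keyword is not expected,
 * and FAILURE will be returned.
 *
 * Strings stored through meta_ks_token and meta_ks_slot are strdup()ed and
 * belong to the caller.  Operands are scanned from argv[3] on; argv[2] is
 * the metaslot keyword itself.  A mechanism= operand is handed to
 * process_mech_operands(), whose status is returned unchanged.
 */

/*
 * Split a "keyword=value" operand in place and store a copy of the value in
 * *out.  Returns FAILURE when out is NULL (keyword not expected), when the
 * value is empty, or when strdup() fails; SUCCESS otherwise.
 */
static int
dup_operand_value(char *arg, char **out)
{
	char *value;

	if (out == NULL || strtok(arg, "=") == NULL) {
		return (FAILURE);
	}
	if ((value = strtok(NULL, "=")) == NULL) {
		return (FAILURE);
	}
	/* previously unchecked: a NULL here would have been dereferenced later */
	if ((*out = strdup(value)) == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		return (FAILURE);
	}
	return (SUCCESS);
}

static int
process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
    char **meta_ks_slot, boolean_t *use_default,
    boolean_t *auto_key_migrate_flag)
{
	int c = 2;
	int rc = SUCCESS;

	while (++c < argc) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {

			/* process mechanism operands */
			if ((rc = process_mech_operands(argc, argv, B_TRUE))
			    != SUCCESS) {
				return (rc);
			}

		} else if ((strncmp(argv[c], KN_TOKEN,
		    strlen(KN_TOKEN)) == 0) &&
		    strlen(argv[c]) > strlen(KN_TOKEN)) {

			if (dup_operand_value(argv[c], meta_ks_token)
			    != SUCCESS) {
				return (FAILURE);
			}

		} else if ((strncmp(argv[c], KN_SLOT,
		    strlen(KN_SLOT)) == 0) &&
		    strlen(argv[c]) > strlen(KN_SLOT)) {

			if (dup_operand_value(argv[c], meta_ks_slot)
			    != SUCCESS) {
				return (FAILURE);
			}

		} else if (strncmp(argv[c], KN_DEFAULT_KS,
		    strlen(KN_DEFAULT_KS)) == 0) {

			if (use_default) {
				*use_default = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else if (strncmp(argv[c], KN_AUTO_KEY_MIGRATE,
		    strlen(KN_AUTO_KEY_MIGRATE)) == 0) {

			if (auto_key_migrate_flag) {
				*auto_key_migrate_flag = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else {
			/* unknown operand */
			return (FAILURE);
		}
	}
	return (rc);
}

/*
 * Process the "feature" operands.
 *
 * Scans argv[3] onward for the keywords "all" and "random" and records them
 * in the static allflag / rndflag; "all" implies "random".  Unknown operands
 * are ignored here (other parsers deal with them).  Always returns SUCCESS.
 */
static int
process_feature_operands(int argc, char **argv)
{
	int c = 2;

	while (++c < argc) {
		if (strcmp(argv[c], KN_ALL) == 0) {
			allflag = B_TRUE;
			rndflag = B_TRUE;	/* all includes random also. */
		} else if (strcmp(argv[c], RANDOM) == 0) {
			rndflag = B_TRUE;
		}
	}
	return (SUCCESS);
}

/*
 * Report a missing (or empty) mechanism operand unless quiet, and return
 * the usage error every caller of process_mech_operands() expects.
 */
static int
mech_operand_missing(boolean_t quiet)
{
	if (!quiet) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword
		 * and hence not to be translated, or a descriptive
		 * word and translatable. A choice was made to
		 * view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("the %s operand is missing.\n"),
		    "mechanism");
	}
	return (ERROR_USAGE);
}

/*
 * Process the mechanism operands for the disable, enable and install
 * subcommands. This function sets the static variable allflag to be B_TRUE
 * if the keyword "all" is specified, otherwise builds a link list of the
 * mechanism operands and save it in the static variable mecharglist.
 *
 * The first "mechanism=..." operand in argv[] is used; it is split in
 * place with strtok(), so argv[c] no longer holds the full operand
 * afterwards.  Operands that pass the length check but carry no mechanism
 * name ("mechanism==", "mechanism=,") are treated as missing instead of
 * being dereferenced.
 *
 * This function returns
 *	ERROR_USAGE: mechanism operand is missing.
 *	FAILURE: out of memory.
 *	SUCCESS: otherwise.
 */
static int
process_mech_operands(int argc, char **argv, boolean_t quiet)
{
	mechlist_t *pmech;
	mechlist_t *pcur = NULL;
	mechlist_t *phead = NULL;
	char *mechliststr = NULL;
	char *curmech = NULL;
	int c;

	for (c = 0; c < argc; c++) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {
			break;
		}
	}
	if (c == argc) {
		return (mech_operand_missing(quiet));
	}
	(void) strtok(argv[c], "=");
	mechliststr = strtok(NULL, "=");
	if (mechliststr == NULL) {
		/* "mechanism==": nothing after the separators */
		return (mech_operand_missing(quiet));
	}

	if (strcmp(mechliststr, "all") == 0) {
		allflag = B_TRUE;
		mecharglist = NULL;
		return (SUCCESS);
	}

	if ((curmech = strtok(mechliststr, ",")) == NULL) {
		/* "mechanism=,": a list with no names in it */
		return (mech_operand_missing(quiet));
	}
	do {
		if ((pmech = create_mech(curmech)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			free_mechlist(phead);
			return (FAILURE);
		}
		if (phead == NULL) {
			phead = pcur = pmech;
		} else {
			pcur->next = pmech;
			pcur = pmech;
		}
	} while ((curmech = strtok(NULL, ",")) != NULL);

	mecharglist = phead;
	return (SUCCESS);
}



/*
 * The top level function for the "cryptoadm list"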
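 * subcommand and options.
 *
 * Handles "cryptoadm list fips-140" directly, otherwise parses -m/-p/-v,
 * an optional provider=/metaslot operand and an optional mechanism= list,
 * and dispatches to the matching list_* helper.  -p cannot be combined
 * with -m or -v.  Returns the helper's status, ERROR_USAGE (after printing
 * usage) for bad syntax, or FAILURE when kernel policy is requested from
 * a non-global zone.  The provider structure and mecharglist are released
 * on every path that reaches "out".
 */

/*
 * Report that kernel-provider policy can only be listed from the global
 * zone and return FAILURE.  Shared by the software and hardware cases.
 */
static int
policy_not_in_global_zone(void)
{
	/*
	 * TRANSLATION_NOTE
	 * "global" is keyword and not to
	 * be translated.
	 */
	cryptoerror(LOG_STDERR, gettext(
	    "policy information for kernel "
	    "providers is available "
	    "in the %s zone only"), "global");
	return (FAILURE);
}

static int
do_list(int argc, char **argv)
{
	boolean_t mflag = B_FALSE;
	boolean_t pflag = B_FALSE;
	boolean_t vflag = B_FALSE;
	int ch;		/* getopt() returns int; a char cannot hold EOF portably */
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	if ((argc == 3) && strncmp(argv[2], FIPS_KEYWORD,
	    strlen(FIPS_KEYWORD)) == 0) {
		/*
		 * cryptoadm list fips-140
		 */
		rc = do_fips_actions(FIPS140_STATUS, NOT_REFRESH);
		return (rc);
	}

	/* drop the program name: argv[0] is now the subcommand */
	argc -= 1;
	argv += 1;

	if (argc == 1) {
		rc = list_simple_for_all(B_FALSE);
		goto out;
	}

	/*
	 * cryptoadm list [-v] [-m] [-p] [provider=<>] [mechanism=<>]
	 */
	if (argc > 5) {
		usage();
		/* this path used to return rc (SUCCESS) despite the error */
		return (ERROR_USAGE);
	}

	while ((ch = getopt(argc, argv, "mpv")) != EOF) {
		switch (ch) {
		case 'm':
			mflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'p':
			pflag = B_TRUE;
			if (mflag || vflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'v':
			vflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		default:
			rc = ERROR_USAGE;
			break;
		}
	}

	if (rc == ERROR_USAGE) {
		usage();
		return (rc);
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	prov = get_provider(argc, argv);

	if (mflag || vflag) {
		if (argc > 0) {
			/* quiet: a missing mechanism= is fine here */
			rc = process_mech_operands(argc, argv, B_TRUE);
			if (rc == FAILURE)
				goto out;
			/* "-m" is implied when a mechanism list is given */
			if (mecharglist != NULL || allflag)
				mflag = B_TRUE;
		}
	}

	if (prov == NULL) {
		if (mflag) {
			rc = list_mechlist_for_all(vflag);
		} else if (pflag) {
			rc = list_policy_for_all();
		} else if (vflag) {
			rc = list_simple_for_all(vflag);
		}
	} else if (prov->cp_type == METASLOT) {
		/*
		 * -p is exclusive of -m/-v (checked above), so the only
		 * cases are "policy" or "status/mechanisms".  With no flag
		 * at all, list_metaslot_info() just reports the status.
		 */
		if (pflag) {
			rc = list_metaslot_policy();
		} else {
			rc = list_metaslot_info(mflag, vflag, mecharglist);
		}
	} else if (prov->cp_type == PROV_BADNAME) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	} else {	/* do the listing for a provider only */
		char *provname = prov->cp_name;

		if (mflag || vflag) {
			if (vflag)
				(void) printf(gettext("Provider: %s\n"),
				    provname);
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_mechlist_for_lib(provname,
				    mecharglist, NULL, B_FALSE, vflag, mflag);
				break;
			case PROV_KEF_SOFT:
				rc = list_mechlist_for_soft(provname,
				    NULL, NULL, NULL);
				break;
			case PROV_KEF_HARD:
				rc = list_mechlist_for_hard(provname);
				break;
			default:	/* should not come here */
				rc = FAILURE;
				break;
			}
		} else if (pflag) {
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_policy_for_lib(provname);
				break;
			case PROV_KEF_SOFT:
				if (getzoneid() == GLOBAL_ZONEID) {
					rc = list_policy_for_soft(provname,
					    NULL, NULL, NULL);
				} else {
					rc = policy_not_in_global_zone();
				}
				break;
			case PROV_KEF_HARD:
				if (getzoneid() == GLOBAL_ZONEID) {
					rc = list_policy_for_hard(
					    provname, NULL, NULL, NULL, NULL);
				} else {
					rc = policy_not_in_global_zone();
				}
				break;
			default:	/* should not come here */
				rc = FAILURE;
				break;
			}
		} else {
			/* error message */
			usage();
			rc = ERROR_USAGE;
		}
	}

out:
	free(prov);	/* free(NULL) is a no-op */

	if (mecharglist != NULL)
		free_mechlist(mecharglist);
	return (rc);
}


/*
 * The top level function for the "cryptoadm disable" subcommand.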
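 */
static int
do_disable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	boolean_t auto_key_migrate_flag = B_FALSE;

	/*
	 * cryptoadm disable fips-140
	 *
	 * The keyword must match exactly.  A prefix compare (strncmp()
	 * bounded by strlen(FIPS_KEYWORD)) would also accept any operand
	 * that merely starts with "fips-140".
	 */
	if ((argc == 3) && (strcmp(argv[2], FIPS_KEYWORD) == 0)) {
		rc = do_fips_actions(FIPS140_DISABLE, NOT_REFRESH);
		return (rc);
	}

	if ((argc < 3) || (argc > 5)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/*
	 * If allflag or rndflag has already been set there is no reason to
	 * process mech=
	 *
	 * All error exits below go through "out" so that prov (and any
	 * mechanism list already built) is released.
	 */
	if (prov->cp_type == METASLOT) {
		if ((argc > 3) &&
		    (rc = process_metaslot_operands(argc, argv,
		    NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
			usage();
			goto out;
		}
	} else if (!allflag && !rndflag &&
	    (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = disable_metaslot(mecharglist, allflag,
		    auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
		/* "random" alone is expressed as a one-entry mechanism list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		/* kernel provider policy is only writable from the global zone */
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_software(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	case PROV_KEF_HARD:
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_hardware(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}

out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * The top level function for the "cryptoadm enable" subcommand.
 *
 * argv[1] is the subcommand, argv[2] the provider operand (or the
 * fips-140 keyword); remaining operands are feature/mechanism or
 * metaslot options.  Returns SUCCESS, FAILURE or ERROR_USAGE.
 */
static int
do_enable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	char *alt_token = NULL, *alt_slot = NULL;
	boolean_t use_default = B_FALSE;
	boolean_t auto_key_migrate_flag = B_FALSE;

	/*
	 * cryptoadm enable fips-140
	 *
	 * Exact keyword match, for the same reason as in do_disable().
	 */
	if ((argc == 3) && (strcmp(argv[2], FIPS_KEYWORD) == 0)) {
		rc = do_fips_actions(FIPS140_ENABLE, NOT_REFRESH);
		return (rc);
	}

	if ((argc < 3) || (argc > 6)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	/* only metaslot takes more than one option operand */
	if ((prov->cp_type != METASLOT) && (argc != 4)) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}


	if (prov->cp_type == METASLOT) {
		if ((rc = process_metaslot_operands(argc, argv, &alt_token,
		    &alt_slot, &use_default, &auto_key_migrate_flag))
		    != SUCCESS) {
			usage();
			goto out;
		}
		/* an explicit token/slot and "default" are mutually exclusive */
		if ((alt_slot || alt_token) && use_default) {
			usage();
			rc = FAILURE;
			goto out;
		}
	} else {
		if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
			goto out;
		}

		/*
		 * If allflag or rndflag has already been set there is
		 * no reason to process mech=
		 */
		if (!allflag && !rndflag &&
		    (rc = process_mech_operands(argc, argv, B_FALSE))
		    != SUCCESS) {
			goto out;
		}
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = enable_metaslot(alt_token, alt_slot, use_default,
		    mecharglist, allflag, auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		/* kernel provider policy is only writable from the global zone */
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = enable_kef(prov->cp_name, rndflag, allflag,
			    mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "enable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "enable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}
out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	if (alt_token != NULL) {
		free(alt_token);
	}
	if (alt_slot != NULL) {
		free(alt_slot);
	}
	return (rc);
}



/*
 * The top level function for the "cryptoadm install" subcommand.
 *
 * Installs a user-level library or a kernel software provider.  Kernel
 * hardware providers cannot be installed this way and are rejected
 * together with bad names.  Returns SUCCESS, FAILURE or ERROR_USAGE.
 */
static int
do_install(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc;

	if (argc < 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL ||
	    prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "install");
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == PROV_UEF_LIB) {
		rc = install_uef_lib(prov->cp_name);
		goto out;
	}

	/* It is the PROV_KEF_SOFT type now */

	/* check if there are mechanism operands */
	if (argc < 4) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword and hence
		 * not to be translated, or a descriptive word and
		 * translatable. A choice was made to view it as a literal
		 * keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("need %s operands for installing a"
		    " kernel software provider."), "mechanism");
		rc = ERROR_USAGE;
		goto out;
	}

	if ((rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	/* an install needs an explicit mechanism list, not "all" */
	if (allflag == B_TRUE) {
		/*
		 * TRANSLATION_NOTE
		 * "all", "mechanism", and "install" are all keywords and
		 * not to be translated.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("can not use the %1$s keyword for %2$s "
		    "in the %3$s subcommand."), "all", "mechanism", "install");
		rc = ERROR_USAGE;
		goto out;
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		rc = install_kef(prov->cp_name, mecharglist);
	} else {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "install", "global");
		rc = FAILURE;
	}
out:
	free(prov);
	/* same cleanup as do_disable()/do_enable() for the mechanism list */
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}



/*
 * The top level function for the "cryptoadm uninstall" subcommand.
 *
 * Takes exactly one operand, the provider.  Kernel hardware providers
 * and bad names are rejected.  Returns SUCCESS, FAILURE or ERROR_USAGE.
 */
static int
do_uninstall(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL ||
	    prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "uninstall" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "uninstall");
		free(prov);
		return (FAILURE);
	}

	if (prov->cp_type == PROV_UEF_LIB) {
		rc = uninstall_uef_lib(prov->cp_name);

	} else if (prov->cp_type == PROV_KEF_SOFT) {
		if (getzoneid() == GLOBAL_ZONEID) {
			/* unload and remove from kcf.conf */
			rc = uninstall_kef(prov->cp_name);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "uninstall" could be either a literal keyword and
			 * hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as a
			 * literal keyword. "global" is keyword and not to
			 * be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "uninstall", "global");
			rc = FAILURE;
		}
	}

	free(prov);
	return (rc);
}


/*
 * The top level function for the "cryptoadm unload" subcommand.
 *
 * Unloads a kernel software provider (global zone only) and marks it
 * as unloaded in kcf.conf.  Returns SUCCESS, FAILURE or ERROR_USAGE;
 * every reported error maps to a non-SUCCESS return.
 */
static int
do_unload(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	entry_t *pent = NULL;
	boolean_t in_kernel = B_FALSE;
	int rc = SUCCESS;
	char *provname = NULL;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	/* check if it is a kernel software provider */
	prov = get_provider(argc, argv);
	if (prov == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("unable to determine provider name."));
		/*
		 * Previously fell through to "out" with rc still SUCCESS,
		 * so the command printed an error yet exited 0.
		 */
		rc = FAILURE;
		goto out;
	}
	provname = prov->cp_name;
	if (prov->cp_type != PROV_KEF_SOFT) {
		cryptoerror(LOG_STDERR,
		    gettext("%s is not a valid kernel software provider."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "unload" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable.
		 * A choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "unload", "global");
		rc = FAILURE;
		goto out;
	}

	if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
		cryptodebug("internal error");
		rc = FAILURE;
		goto out;
	} else if (in_kernel == B_FALSE) {
		cryptoerror(LOG_STDERR,
		    gettext("provider %s is not loaded or does not exist."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	/* Get kcf.conf entry. If none, build a new entry */
	if ((pent = getent_kef(provname, NULL, NULL, NULL)) == NULL) {
		if ((pent = create_entry(provname)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			rc = FAILURE;
			goto out;
		}
	}

	/* If it is unloaded already, return */
	if (!pent->load) { /* unloaded already */
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
		goto out;
	} else if (unload_kef_soft(provname) != FAILURE) {
		/* Mark as unloaded in kcf.conf */
		pent->load = B_FALSE;
		rc = update_kcfconf(pent, MODIFY_MODE);
	} else {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
	}
out:
	free(prov);
	if (pent != NULL) {
		free_entry(pent);
	}
	return (rc);
}



/*
 * The top level function for the "cryptoadm refresh" subcommand.
 *
 * In the global zone the kernel is re-synchronised with kcf.conf via
 * refresh(); in a non-global zone this is a deliberate no-op that
 * reports SUCCESS (see the note below).  Returns SUCCESS, FAILURE or
 * ERROR_USAGE.
 */
static int
do_refresh(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		return (refresh());
	} else { /* non-global zone */
		/*
		 * Note: in non-global zone, this must silently return SUCCESS
		 * due to integration with SMF, for "svcadm refresh cryptosvc"
		 */
		return (SUCCESS);
	}
}


/*
 * The top level function for the "cryptoadm start" subcommand.
 *
 * A start is a refresh followed by starting the daemon; a failed
 * refresh aborts the start and its status is returned unchanged.
 */
static int
do_start(int argc)
{
	int ret;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	ret = do_refresh(argc);
	if (ret != SUCCESS)
		return (ret);

	return (start_daemon());
}

/*
 * The top level function for the "cryptoadm stop" subcommand.
 *
 * Takes no operands; returns the status of stop_daemon() or ERROR_USAGE.
 */
static int
do_stop(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	return (stop_daemon());
}



/*
 * Print a list all the the providers.
 * Called for "cryptoadm list" or "cryptoadm list -v" (no -m or -p).
 *
 * Each of the three sections (user-level, kernel software, kernel
 * hardware) is attempted even if an earlier one failed; any failure
 * turns the overall return into FAILURE.
 */
static int
list_simple_for_all(boolean_t verbose)
{
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr = NULL;
	entry_t *pent = NULL;
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	int rc = SUCCESS;
	int i;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of user-level providers."));
		rc = FAILURE;
	}

	for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
		/* metaslot is listed separately and skipped here */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("Provider: %s\n"),
			    plibptr->puent->name);
			if (verbose) {
				(void) list_mechlist_for_lib(
				    plibptr->puent->name, mecharglist, NULL,
				    B_FALSE, verbose, B_FALSE);
				(void) printf("\n");
			}
		}
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	if (getzoneid() == GLOBAL_ZONEID) {
		/* get kernel software providers from kernel ioctl */
		crypto_get_soft_list_t *psoftlist_kernel = NULL;
		uint_t sl_soft_count;
		char *psoftname;
		entrylist_t *pdevlist_conf = NULL;
		entrylist_t *psoftlist_conf = NULL;
		entrylist_t *pfipslist_conf = NULL;

		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
			cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
			    "software provider list from kernel."));
			rc = FAILURE;
		} else {
			sl_soft_count = psoftlist_kernel->sl_soft_count;

			if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
			    &pfipslist_conf) == FAILURE) {
				cryptoerror(LOG_ERR,
				    "failed to retrieve the providers' "
				    "information from file kcf.conf - %s.",
				    _PATH_KCF_CONF);
				free(psoftlist_kernel);
				rc = FAILURE;
			} else {

				/*
				 * sl_soft_names is a packed sequence of
				 * NUL-terminated names; sl_soft_count (both
				 * from the kernel ioctl) bounds the walk.
				 */
				for (i = 0,
				    psoftname = psoftlist_kernel->sl_soft_names;
				    i < sl_soft_count;
				    ++i, psoftname += strlen(psoftname) + 1) {
					pent = getent_kef(psoftname,
					    pdevlist_conf, psoftlist_conf,
					    pfipslist_conf);
					(void) printf("\t%s%s\n", psoftname,
					    (pent == NULL) || (pent->load) ?
					    "" : gettext(" (inactive)"));
					/*
					 * getent_kef() returns an entry the
					 * caller owns (do_unload() releases
					 * it with free_entry() too); release
					 * it here instead of leaking one per
					 * provider.
					 */
					if (pent != NULL) {
						free_entry(pent);
						pent = NULL;
					}
				}
				free_entrylist(pdevlist_conf);
				free_entrylist(psoftlist_conf);
				free_entrylist(pfipslist_conf);
			}
			free(psoftlist_kernel);
		}

	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		entrylist_t *pdevlist_zone = NULL;
		entrylist_t *psoftlist_zone = NULL;
		entrylist_t *ptr;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rc = FAILURE;
		}

		ptr = psoftlist_zone;
		while (ptr != NULL) {
			(void) printf("\t%s\n", ptr->pent->name);
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* get kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	if (get_dev_list(&pdevlist_kernel) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of kernel hardware providers.\n"));
		rc = FAILURE;
	} else {
		for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
			(void) printf("\t%s/%d\n",
			    pdevlist_kernel->dl_devs[i].le_dev_name,
			    pdevlist_kernel->dl_devs[i].le_dev_instance);
		}
	}
	free(pdevlist_kernel);

	return (rc);
}



/*
 * List all the providers. And for each provider, list the mechanism list.
 * Called for "cryptoadm list -m" or "cryptoadm list -mv" .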
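*/
/*
 * Returns SUCCESS when every provider's mechanism list was printed,
 * FAILURE otherwise.  Per-provider failures are reported and listing
 * continues; only three conditions abort the listing early with FAILURE:
 * the kernel software-provider list or kcf.conf cannot be read (global
 * zone only), or the kernel hardware-provider list cannot be retrieved.
 */
static int
list_mechlist_for_all(boolean_t verbose)
{
	crypto_get_dev_list_t	*pdevlist_kernel = NULL;
	uentrylist_t		*pliblist = NULL;
	uentrylist_t		*plibptr = NULL;
	entry_t			*pent = NULL;
	mechlist_t		*pmechlist = NULL;
	char			provname[MAXNAMELEN];
	char			devname[MAXNAMELEN];
	int			inst_num;
	int			count;
	int			i;
	int			rv;
	int			rc = SUCCESS;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
		rc = FAILURE;
	}

	for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
		/* skip metaslot entry */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) == 0) {
			continue;
		}
		(void) printf(gettext("\nProvider: %s\n"),
		    plibptr->puent->name);
		rv = list_mechlist_for_lib(plibptr->puent->name,
		    mecharglist, NULL, B_FALSE, verbose, B_TRUE);
		if (rv == FAILURE) {
			rc = FAILURE;
		}
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (getzoneid() == GLOBAL_ZONEID) {
		/* get kernel software providers from kernel ioctl */
		crypto_get_soft_list_t	*psoftlist_kernel = NULL;
		uint_t			sl_soft_count;
		uint_t			j;
		char			*psoftname;
		entrylist_t		*pdevlist_conf = NULL;
		entrylist_t		*psoftlist_conf = NULL;
		entrylist_t		*pfipslist_conf = NULL;

		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
			cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
			    "software provider list from kernel."));
			return (FAILURE);
		}
		sl_soft_count = psoftlist_kernel->sl_soft_count;

		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
		    &pfipslist_conf) == FAILURE) {
			cryptoerror(LOG_ERR,
			    "failed to retrieve the providers' "
			    "information from file kcf.conf - %s.",
			    _PATH_KCF_CONF);
			free(psoftlist_kernel);
			return (FAILURE);
		}

		/*
		 * sl_soft_names holds sl_soft_count NUL-terminated names
		 * packed back to back; step over each one by its length.
		 */
		for (j = 0, psoftname = psoftlist_kernel->sl_soft_names;
		    j < sl_soft_count;
		    ++j, psoftname += strlen(psoftname) + 1) {
			pent = getent_kef(psoftname, pdevlist_conf,
			    psoftlist_conf, pfipslist_conf);
			/*
			 * NOTE(review): pent is never released here; if
			 * getent_kef() hands back an owned copy this leaks
			 * one entry per provider - confirm its ownership
			 * contract before adding a free_entry() call.
			 */
			if ((pent == NULL) || (pent->load)) {
				rv = list_mechlist_for_soft(psoftname,
				    NULL, NULL, NULL);
				if (rv == FAILURE) {
					rc = FAILURE;
				}
			} else {
				/* configured not to load: report, don't query */
				(void) printf(gettext("%s: (inactive)\n"),
				    psoftname);
			}
		}

		free(psoftlist_kernel);
		free_entrylist(pdevlist_conf);
		free_entrylist(psoftlist_conf);
		free_entrylist(pfipslist_conf);

	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		entrylist_t	*pdevlist_zone = NULL;
		entrylist_t	*psoftlist_zone = NULL;
		entrylist_t	*pfipslist_zone = NULL;
		entrylist_t	*ptr;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR, gettext("failed to retrieve "
			    "the list of kernel software providers.\n"));
			rc = FAILURE;
		}

		for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) {
			rv = list_mechlist_for_soft(ptr->pent->name,
			    pdevlist_zone, psoftlist_zone, pfipslist_zone);
			if (rv == FAILURE) {
				(void) printf(gettext(
				    "%s: failed to get the mechanism list.\n"),
				    ptr->pent->name);
				rc = FAILURE;
			}
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* Get kernel hardware providers and their mechanism lists */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of hardware providers.\n"));
		return (FAILURE);
	}

	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
		(void) strlcpy(devname,
		    pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN);
		inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance;
		count = pdevlist_kernel->dl_devs[i].le_mechanism_count;
		/* hardware providers are named "<device>/<instance>" */
		(void) snprintf(provname, sizeof (provname), "%s/%d", devname,
		    inst_num);
		if (get_dev_info(devname, inst_num, count, &pmechlist) ==
		    SUCCESS) {
			/* the "random" pseudo-mechanism is not listed */
			(void) filter_mechlist(&pmechlist, RANDOM);
			print_mechlist(provname, pmechlist);
			free_mechlist(pmechlist);
		} else {
			(void) printf(gettext("%s: failed to get the mechanism"
			    " list.\n"), provname);
			rc = FAILURE;
		}
	}
	free(pdevlist_kernel);
	return (rc);
}


/*
 * List all the providers. And for each provider, list the policy information.
 * Called for "cryptoadm list -p".
 *
 * Returns SUCCESS when all policy information was printed, FAILURE otherwise.
 * Kernel provider policy lives in kcf.conf, which only the global zone can
 * read: in a non-global zone the kernel software section prints a notice
 * and the function returns FAILURE before the kernel hardware section.
 * In the global zone it also returns FAILURE early when the hardware
 * provider list or kcf.conf cannot be read.
 */
static int
list_policy_for_all(void)
{
	crypto_get_dev_list_t	*pdevlist_kernel = NULL;
	uentrylist_t		*pliblist = NULL;
	entrylist_t		*pdevlist_conf = NULL;
	entrylist_t		*psoftlist_conf = NULL;
	entrylist_t		*pfipslist_conf = NULL;
	entrylist_t		*ptr = NULL;
	entrylist_t		*phead = NULL;
	boolean_t		found = B_FALSE;
	char			provname[MAXNAMELEN];
	int			i;
	int			rc = SUCCESS;

	/* Get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));
	if (get_pkcs11conf_info(&pliblist) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
		rc = FAILURE;
	} else {
		uentrylist_t	*plibptr;

		for (plibptr = pliblist; plibptr != NULL;
		    plibptr = plibptr->next) {
			/* skip metaslot entry */
			if (strcmp(plibptr->puent->name,
			    METASLOT_KEYWORD) == 0) {
				continue;
			}
			if (print_uef_policy(plibptr->puent) == FAILURE) {
				rc = FAILURE;
			}
		}
		free_uentrylist(pliblist);
	}

	/* kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	/* Get all entries from the kernel */
	if (getzoneid() == GLOBAL_ZONEID) {
		/* get kernel software providers from kernel ioctl */
		crypto_get_soft_list_t	*psoftlist_kernel = NULL;
		uint_t			sl_soft_count;
		uint_t			j;
		char			*psoftname;

		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
			cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
			    "software provider list from kernel."));
			rc = FAILURE;
		} else {
			sl_soft_count = psoftlist_kernel->sl_soft_count;

			/*
			 * NOTE(review): the three kcf.conf lists are still
			 * NULL at this point - they are only read in the
			 * hardware section below - so list_policy_for_soft()
			 * is presumably expected to cope with NULL lists;
			 * confirm before reordering the reads.
			 */
			for (j = 0, psoftname = psoftlist_kernel->sl_soft_names;
			    j < sl_soft_count;
			    ++j, psoftname += strlen(psoftname) + 1) {
				(void) list_policy_for_soft(psoftname,
				    pdevlist_conf, psoftlist_conf,
				    pfipslist_conf);
			}
			free(psoftlist_kernel);
		}

	} else {
		/* kcf.conf not there in non-global zone, no policy info */

		/*
		 * TRANSLATION_NOTE
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel software providers is "
		    "available in the %s zone only"), "global");
	}

	/* Kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel hardware providers is "
		    "available in the %s zone only"), "global");
		return (FAILURE);
	}

	/* Get the hardware provider list from kernel */
	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of hardware providers.\n"));
		return (FAILURE);
	}

	if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
	    &pfipslist_conf) == FAILURE) {
		cryptoerror(LOG_ERR, "failed to retrieve the providers' "
		    "information from file kcf.conf - %s.",
		    _PATH_KCF_CONF);
		/* pdevlist_kernel was already allocated above; don't leak it */
		free(pdevlist_kernel);
		return (FAILURE);
	}

	/*
	 * For each hardware provider from kernel, check if it has an entry
	 * in the config file. If it has an entry, print out the policy from
	 * config file and remove the entry from the hardware provider list
	 * of the config file. If it does not have an entry in the config
	 * file, no mechanisms of it have been disabled. But, we still call
	 * list_policy_for_hard() to account for the "random" feature.
	 */
	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
		(void) snprintf(provname, sizeof (provname), "%s/%d",
		    pdevlist_kernel->dl_devs[i].le_dev_name,
		    pdevlist_kernel->dl_devs[i].le_dev_instance);

		/* phead trails ptr so the matching node can be unlinked */
		found = B_FALSE;
		phead = ptr = pdevlist_conf;
		while (!found && ptr) {
			if (strcmp(ptr->pent->name, provname) == 0) {
				found = B_TRUE;
			} else {
				phead = ptr;
				ptr = ptr->next;
			}
		}

		if (found) {
			(void) list_policy_for_hard(ptr->pent->name,
			    pdevlist_conf, psoftlist_conf, pfipslist_conf,
			    pdevlist_kernel);
			if (phead == ptr) {
				/* match is the list head */
				pdevlist_conf = pdevlist_conf->next;
			} else {
				phead->next = ptr->next;
			}
			free_entry(ptr->pent);
			free(ptr);
		} else {
			(void) list_policy_for_hard(provname, pdevlist_conf,
			    psoftlist_conf, pfipslist_conf, pdevlist_kernel);
		}
	}

	/*
	 * If there are still entries left in the pdevlist_conf list from
	 * the config file, these providers must have been detached.
	 * Should print out their policy information also.
	 */
	for (ptr = pdevlist_conf; ptr != NULL; ptr = ptr->next) {
		print_kef_policy(ptr->pent->name, ptr->pent, B_FALSE, B_TRUE);
	}

	free_entrylist(pdevlist_conf);
	free_entrylist(psoftlist_conf);
	free_entrylist(pfipslist_conf);
	free(pdevlist_kernel);

	return (rc);
}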