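/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * cryptoadm: command-line administration of cryptographic framework
 * providers and mechanisms.  main() maps argv[1] onto one of the
 * subcommands in cmd_table[] and dispatches to the matching do_*() handler.
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* argv[0] plus at least a subcommand name */
#define	REQ_ARG_CNT	2

/*
 * Subcommand index.  The order here must match cmd_table[] below, since
 * main() uses the position of the matching keyword as the switch value.
 */
enum subcommand_index {
	CRYPTO_LIST,
	CRYPTO_DISABLE,
	CRYPTO_ENABLE,
	CRYPTO_INSTALL,
	CRYPTO_UNINSTALL,
	CRYPTO_UNLOAD,
	CRYPTO_REFRESH,
	CRYPTO_START,
	CRYPTO_STOP,
	CRYPTO_HELP };

/*
 * TRANSLATION_NOTE
 * Command keywords are not to be translated.
 */
/* const-qualified: the entries are string literals and must never be written */
static const char *const cmd_table[] = {
	"list",
	"disable",
	"enable",
	"install",
	"uninstall",
	"unload",
	"refresh",
	"start",
	"stop",
	"--help" };

/* provider type, as classified by get_provider_type() */
enum provider_type_index {
	PROV_UEF_LIB,		/* provname is an absolute path name */
	PROV_KEF_SOFT,		/* base name only, e.g. "aes" */
	PROV_KEF_HARD,		/* one non-leading slash, e.g. "mca/0" */
	METASLOT,		/* the "metaslot" keyword was given */
	PROV_BADNAME };		/* anything else, or no usable name */

typedef struct {
	char cp_name[MAXPATHLEN];		/* provider name as given */
	enum provider_type_index cp_type;	/* see above */
} cryptoadm_provider_t;

/*
 * TRANSLATION_NOTE
 * Operand keywords are not to be translated.
 */
static const char *KN_PROVIDER = "provider=";
static const char *KN_MECH = "mechanism=";
static const char *KN_ALL = "all";
static const char *KN_TOKEN = "token=";
static const char *KN_SLOT = "slot=";
static const char *KN_DEFAULT_KS = "default-keystore";
static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";

/* static variables */
static boolean_t	allflag = B_FALSE;	/* "all" operand or mechanism=all */
static boolean_t	rndflag = B_FALSE;	/* "random" (or "all") operand */
static mechlist_t	*mecharglist = NULL;	/* mechanism= list, see */
						/* process_mech_operands() */

/* static functions */
static void usage(void);
static int get_provider_type(char *);
static int process_mech_operands(int, char **, boolean_t);
static int do_list(int, char **);
static int do_disable(int, char **);
static int do_enable(int, char **);
static int do_install(int, char **);
static int do_uninstall(int, char **);
static int do_unload(int, char **);
static int do_refresh(int);
static int do_start(int);
static int do_stop(int);
static int list_simple_for_all(boolean_t);
static int list_mechlist_for_all(boolean_t);
static int list_policy_for_all(void);

/*
 * Entry point: locale/text-domain setup, then look argv[1] up in
 * cmd_table[] and run the matching do_*() handler.  Returns the handler's
 * status, or ERROR_USAGE when no subcommand or an unknown one is given.
 */
int
main(int argc, char *argv[])
{
	const char	*subcmd;
	size_t		cmdnum;
	size_t		cmd_index;
	int		rc = SUCCESS;

	(void) setlocale(LC_ALL, "");

#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	/* register the program name with the cryptoutil debug facility */
	cryptodebug_init(basename(argv[0]));

	if (argc < REQ_ARG_CNT) {
		usage();
		return (ERROR_USAGE);
	}

	/* get the subcommand index: first exact keyword match in cmd_table[] */
	subcmd = argv[1];
	cmdnum = sizeof (cmd_table) / sizeof (cmd_table[0]);
	for (cmd_index = 0; cmd_index < cmdnum; cmd_index++) {
		if (strcmp(subcmd, cmd_table[cmd_index]) == 0) {
			break;
		}
	}
	if (cmd_index >= cmdnum) {
		usage();
		return (ERROR_USAGE);
	}

	/* do the subcommand */
	switch ((enum subcommand_index)cmd_index) {
	case CRYPTO_LIST:
		rc = do_list(argc, argv);
		break;
	case CRYPTO_DISABLE:
		rc = do_disable(argc, argv);
		break;
	case CRYPTO_ENABLE:
		rc = do_enable(argc, argv);
		break;
	case CRYPTO_INSTALL:
		rc = do_install(argc, argv);
		break;
	case CRYPTO_UNINSTALL:
		rc = do_uninstall(argc, argv);
		break;
	case CRYPTO_UNLOAD:
		rc = do_unload(argc, argv);
		break;
	case CRYPTO_REFRESH:
		rc = do_refresh(argc);
		break;
	case CRYPTO_START:
		rc = do_start(argc);
		break;
	case CRYPTO_STOP:
		rc = do_stop(argc);
		break;
	case CRYPTO_HELP:
		usage();
		rc = SUCCESS;
		break;
	default:	/* should not come here */
		usage();
		rc = ERROR_USAGE;
		break;
	}
	return (rc);
}


/*
 * Print the command synopsis to stderr.  Only the "Usage:" heading and the
 * <...> value placeholders are translated.
 */
static void
usage(void)
{
	/*
	 * TRANSLATION_NOTE
	 * Command usage is not to be translated. Only the word "Usage:"
	 * along with localized expressions indicating what kind of value
	 * is expected for arguments.
	 */
	(void) fprintf(stderr, gettext("Usage:\n"));
	(void) fprintf(stderr,
	    " cryptoadm list [-mpv] [provider=<%s> | metaslot]"
	    " [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm list fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm disable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable metaslot"
	    " [auto-key-migrate] [mechanism=<%s>]\n",
	    gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm enable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm enable metaslot [mechanism=<%s>]"
	    " [[token=<%s>] [slot=<%s>]"
	    " | [default-keystore]] | [auto-key-migrate]\n",
	    gettext("mechanism-list"), gettext("token-label"),
	    gettext("slot-description"));
	(void) fprintf(stderr,
	    " cryptoadm enable fips-140\n");
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s> [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm uninstall provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm unload provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm refresh\n"
	    " cryptoadm start\n"
	    " cryptoadm stop\n"
	    " cryptoadm --help\n");
}


/*
 * Get the provider type. This function returns
 * - PROV_UEF_LIB if provname contains an absolute path name
 * - PROV_KEF_SOFT if provname is a base name only (e.g., "aes").
 * - PROV_KEF_HARD if provname contains one slash only and the slash is not
 *   the 1st character (e.g., "mca/0").
 * - PROV_BADNAME otherwise.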
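*/
static int
get_provider_type(char *provname)
{
	char	*first_slash;
	char	*last_slash;

	if (provname == NULL) {
		return (FAILURE);
	}

	/* an absolute path names a user-level library */
	if (provname[0] == '/') {
		return (PROV_UEF_LIB);
	}

	first_slash = strchr(provname, SEP_SLASH);
	if (first_slash == NULL) {
		/* no slash at all: a kernel software provider name */
		return (PROV_KEF_SOFT);
	}

	/* exactly one slash, and it is not the first character */
	last_slash = strrchr(provname, SEP_SLASH);
	return ((first_slash == last_slash) ? PROV_KEF_HARD : PROV_BADNAME);
}

/*
 * Get the provider structure. This function returns NULL if no valid
 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 * If provider= is found but has no argument, or the name is too long for
 * cp_name, then a cryptoadm_provider_t with cp_type = PROV_BADNAME is
 * returned.  The caller owns the returned structure and releases it with
 * free().  argv[] is not modified.
 */
static cryptoadm_provider_t *
get_provider(int argc, char **argv)
{
	cryptoadm_provider_t	*provider;
	const char		*name = NULL;
	boolean_t		is_metaslot = B_FALSE;
	size_t			namelen;
	int			c;

	/* scan argv[1..] for the first "metaslot" or "provider=<name>" */
	for (c = 1; c < argc; c++) {
		if (strncmp(argv[c], METASLOT_KEYWORD,
		    strlen(METASLOT_KEYWORD)) == 0) {
			is_metaslot = B_TRUE;
			break;
		}
		if (strncmp(argv[c], KN_PROVIDER, strlen(KN_PROVIDER)) == 0 &&
		    strlen(argv[c]) > strlen(KN_PROVIDER)) {
			/* just past "provider=" */
			name = argv[c] + strlen(KN_PROVIDER);
			break;
		}
	}
	if (!is_metaslot && name == NULL) {
		return (NULL);
	}

	provider = malloc(sizeof (*provider));
	if (provider == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		return (NULL);
	}

	if (is_metaslot) {
		/* size of the destination, not strlen(): strlcpy reserves */
		/* one byte for the NUL, so strlen() dropped the last char */
		(void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
		    sizeof (provider->cp_name));
		provider->cp_type = METASLOT;
		return (provider);
	}

	/*
	 * Same tokenisation as strtok(provstr, "=") / strtok(NULL, "="),
	 * but without strtok()'s static state and without copying argv:
	 * skip any run of '=' after the keyword and take the name up to the
	 * next '=' or the end of the operand.
	 */
	name += strspn(name, "=");
	namelen = strcspn(name, "=");
	if (namelen == 0 || namelen >= sizeof (provider->cp_name)) {
		/* empty name, or one that would be silently truncated */
		cryptoerror(LOG_STDERR, gettext("bad provider name."));
		provider->cp_name[0] = '\0';
		provider->cp_type = PROV_BADNAME;
		return (provider);
	}

	(void) memcpy(provider->cp_name, name, namelen);
	provider->cp_name[namelen] = '\0';
	provider->cp_type = get_provider_type(provider->cp_name);
	return (provider);
}

/*
 * Process the metaslot operands.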
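*
 * "argc" and "argv" contain values specified on the command line.
 * All other arguments are used for returning parsing results.
 * If any of these arguments are NULL, that keyword is not expected,
 * and FAILURE will be returned.
 *
 * This describes process_metaslot_operands() below; dup_operand_value()
 * right after this comment is its helper for the token= and slot= values.
 * Returns SUCCESS, FAILURE (unexpected or malformed operand, or out of
 * memory), or the status of process_mech_operands() for "mechanism=".
 * The token= and slot= strings handed back are malloc()ed; the caller
 * frees them.
 */

/*
 * Copy the value of a "keyword=value" operand into a fresh buffer at *out.
 * Mirrors strtok(operand, "=") followed by strtok(NULL, "="): a run of '='
 * after the keyword is skipped and the value ends at the next '=' or the end
 * of the string, but the operand itself is left untouched.  Returns FAILURE
 * when there is no value or the allocation fails (reported as out of memory).
 */
static int
dup_operand_value(const char *operand, char **out)
{
	const char	*value;
	size_t		len;

	if ((value = strchr(operand, '=')) == NULL) {
		return (FAILURE);
	}
	value += strspn(value, "=");
	len = strcspn(value, "=");
	if (len == 0) {
		return (FAILURE);
	}

	if ((*out = malloc(len + 1)) == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		return (FAILURE);
	}
	(void) memcpy(*out, value, len);
	(*out)[len] = '\0';
	return (SUCCESS);
}

static int
process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
    char **meta_ks_slot, boolean_t *use_default,
    boolean_t *auto_key_migrate_flag)
{
	int	c;

	/* operands follow "cryptoadm <subcommand> metaslot", i.e. argv[0..2] */
	for (c = 3; c < argc; c++) {
		char	*arg = argv[c];

		if (strncmp(arg, KN_MECH, strlen(KN_MECH)) == 0 &&
		    strlen(arg) > strlen(KN_MECH)) {
			/* fills in the static mecharglist / allflag */
			int rc = process_mech_operands(argc, argv, B_TRUE);

			if (rc != SUCCESS) {
				return (rc);
			}
		} else if (strncmp(arg, KN_TOKEN, strlen(KN_TOKEN)) == 0 &&
		    strlen(arg) > strlen(KN_TOKEN)) {
			/* a failed copy is now an error, not a silent NULL */
			if (meta_ks_token == NULL ||
			    dup_operand_value(arg, meta_ks_token) != SUCCESS) {
				return (FAILURE);
			}
		} else if (strncmp(arg, KN_SLOT, strlen(KN_SLOT)) == 0 &&
		    strlen(arg) > strlen(KN_SLOT)) {
			if (meta_ks_slot == NULL ||
			    dup_operand_value(arg, meta_ks_slot) != SUCCESS) {
				return (FAILURE);
			}
		} else if (strncmp(arg, KN_DEFAULT_KS,
		    strlen(KN_DEFAULT_KS)) == 0) {
			if (use_default == NULL) {
				return (FAILURE);
			}
			*use_default = B_TRUE;
		} else if (strncmp(arg, KN_AUTO_KEY_MIGRATE,
		    strlen(KN_AUTO_KEY_MIGRATE)) == 0) {
			if (auto_key_migrate_flag == NULL) {
				return (FAILURE);
			}
			*auto_key_migrate_flag = B_TRUE;
		} else {
			return (FAILURE);
		}
	}
	return (SUCCESS);
}

/*
 * Process the "feature" operands ("all" and "random") that follow the
 * subcommand, recording them in the static allflag / rndflag.  "all"
 * implies "random" as well.  Always returns SUCCESS.
 */
static int
process_feature_operands(int argc, char **argv)
{
	int	c;

	for (c = 3; c < argc; c++) {
		if (strcmp(argv[c], KN_ALL) == 0) {
			allflag = B_TRUE;
			rndflag = B_TRUE;	/* all includes random also */
		} else if (strcmp(argv[c], RANDOM) == 0) {
			rndflag = B_TRUE;
		}
	}
	return (SUCCESS);
}

/*
 * Report (unless quiet) that no usable "mechanism=<list>" operand was
 * given, and return the matching ERROR_USAGE status.
 */
static int
mech_operand_missing(boolean_t quiet)
{
	if (!quiet) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword
		 * and hence not to be translated, or a descriptive
		 * word and translatable. A choice was made to
		 * view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("the %s operand is missing.\n"),
		    "mechanism");
	}
	return (ERROR_USAGE);
}

/*
 * Process the mechanism operands for the disable, enable and install
 * subcommands. This function sets the static variable allflag to be B_TRUE
 * if the keyword "all" is specified, otherwise builds a link list of the
 * mechanism operands and save it in the static variable mecharglist.
 * The "mechanism=<list>" element of argv[] is split in place by strtok().
 *
 * This function returns
 * ERROR_USAGE: mechanism operand is missing or carries no mechanism name.
 * FAILURE: out of memory.
 * SUCCESS: otherwise.
 */
static int
process_mech_operands(int argc, char **argv, boolean_t quiet)
{
	mechlist_t	*pmech;
	mechlist_t	*pcur = NULL;
	mechlist_t	*phead = NULL;
	char		*mechliststr;
	char		*curmech;
	int		c;

	for (c = 0; c < argc; c++) {
		if (strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0 &&
		    strlen(argv[c]) > strlen(KN_MECH)) {
			break;
		}
	}
	if (c >= argc) {
		return (mech_operand_missing(quiet));
	}

	/*
	 * The length check above lets "mechanism==" through, for which the
	 * second strtok() yields NULL; treat that as a missing operand
	 * instead of dereferencing NULL in the strcmp() below.
	 */
	(void) strtok(argv[c], "=");
	mechliststr = strtok(NULL, "=");
	if (mechliststr == NULL) {
		return (mech_operand_missing(quiet));
	}

	if (strcmp(mechliststr, KN_ALL) == 0) {
		allflag = B_TRUE;
		mecharglist = NULL;
		return (SUCCESS);
	}

	/* a list made only of separators ("mechanism=,") names nothing */
	curmech = strtok(mechliststr, ",");
	if (curmech == NULL) {
		return (mech_operand_missing(quiet));
	}

	for (; curmech != NULL; curmech = strtok(NULL, ",")) {
		if ((pmech = create_mech(curmech)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			free_mechlist(phead);
			return (FAILURE);
		}
		/* append to the tail so the list keeps command-line order */
		if (phead == NULL) {
			phead = pmech;
		} else {
			pcur->next = pmech;
		}
		pcur = pmech;
	}

	mecharglist = phead;
	return (SUCCESS);
}



/*
 * The top level function for the "cryptoadm list"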
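* subcommand and options.
 *
 * The helpers that follow split the work up: list_fips140_status() for
 * "cryptoadm list fips-140", kernel_policy_listable() for the zone check
 * shared by the kernel-provider policy listings, and list_for_provider()
 * for the listing of one named provider.
 */

/*
 * "cryptoadm list fips-140": query the FIPS-140 status through
 * do_fips_actions() and, per kernel hardware provider, do_fips_hw_actions().
 * Returns SUCCESS if at least one of the queries succeeded, else FAILURE.
 */
static int
list_fips140_status(void)
{
	int	success_count = 0;

	if (do_fips_actions(FIPS140_STATUS, NOT_REFRESH) == SUCCESS) {
		success_count++;
	}
	(void) printf(gettext("\nKernel hardware providers:\n"));
	(void) printf(gettext("=========================:\n"));
	if (do_fips_hw_actions(FIPS140_STATUS, HW_PROVIDER_NCP) == SUCCESS) {
		success_count++;
	}
	if (do_fips_hw_actions(FIPS140_STATUS, HW_PROVIDER_N2CP) == SUCCESS) {
		success_count++;
	}
	if (do_fips_hw_actions(FIPS140_STATUS, HW_PROVIDER_N2RNG) == SUCCESS) {
		success_count++;
	}
	/* succeed to get status from config file? */
	return ((success_count > 0) ? SUCCESS : FAILURE);
}

/*
 * Policy information for kernel providers is only available in the global
 * zone.  Returns B_TRUE there; otherwise prints the error and returns B_FALSE.
 */
static boolean_t
kernel_policy_listable(void)
{
	if (getzoneid() == GLOBAL_ZONEID) {
		return (B_TRUE);
	}
	/*
	 * TRANSLATION_NOTE
	 * "global" is keyword and not to
	 * be translated.
	 */
	cryptoerror(LOG_STDERR, gettext(
	    "policy information for kernel "
	    "providers is available "
	    "in the %s zone only"), "global");
	return (B_FALSE);
}

/*
 * Listing for one named provider (neither "metaslot" nor a bad name):
 * mechanisms (-m / -v) or policy (-p), dispatched on prov->cp_type.
 * Returns the listing function's status, ERROR_USAGE (after usage()) when
 * neither -m/-v nor -p was given, FAILURE for an unexpected type.
 */
static int
list_for_provider(cryptoadm_provider_t *prov, boolean_t mflag,
    boolean_t pflag, boolean_t vflag)
{
	char	*provname = prov->cp_name;
	int	rc;

	if (mflag || vflag) {
		if (vflag) {
			(void) printf(gettext("Provider: %s\n"), provname);
		}
		switch (prov->cp_type) {
		case PROV_UEF_LIB:
			rc = list_mechlist_for_lib(provname, mecharglist, NULL,
			    B_FALSE, vflag, mflag);
			break;
		case PROV_KEF_SOFT:
			rc = list_mechlist_for_soft(provname, NULL, NULL);
			break;
		case PROV_KEF_HARD:
			rc = list_mechlist_for_hard(provname);
			break;
		default:	/* should not come here */
			rc = FAILURE;
			break;
		}
	} else if (pflag) {
		switch (prov->cp_type) {
		case PROV_UEF_LIB:
			rc = list_policy_for_lib(provname);
			break;
		case PROV_KEF_SOFT:
			rc = kernel_policy_listable() ?
			    list_policy_for_soft(provname, NULL, NULL) :
			    FAILURE;
			break;
		case PROV_KEF_HARD:
			rc = kernel_policy_listable() ?
			    list_policy_for_hard(provname, NULL, NULL, NULL) :
			    FAILURE;
			break;
		default:	/* should not come here */
			rc = FAILURE;
			break;
		}
	} else {
		/* error message: a provider alone is not a valid listing */
		usage();
		rc = ERROR_USAGE;
	}
	return (rc);
}

/*
 * The top level function for "cryptoadm list": parses -m/-p/-v, the
 * "all"/"random" operands, provider= / metaslot and mechanism=, then runs
 * the matching list_*() function.  Returns its status, or ERROR_USAGE
 * (after usage()) for conflicting options or a bad provider name.
 */
static int
do_list(int argc, char **argv)
{
	boolean_t		mflag = B_FALSE;
	boolean_t		pflag = B_FALSE;
	boolean_t		vflag = B_FALSE;
	int			ch;	/* int, not char: getopt() returns -1 */
	cryptoadm_provider_t	*prov = NULL;
	int			rc = SUCCESS;

	if (argc == 3 &&
	    strncmp(argv[2], FIPS_KEYWORD, strlen(FIPS_KEYWORD)) == 0) {
		/*
		 * cryptoadm list fips-140
		 */
		return (list_fips140_status());
	}

	/* drop argv[0] so argv[0] is now the subcommand, as getopt() expects */
	argc -= 1;
	argv += 1;

	if (argc == 1) {
		rc = list_simple_for_all(B_FALSE);
		goto out;
	}

	/*
	 * cryptoadm list [-v] [-m] [-p] [provider=<>] [mechanism=<>]
	 */
	if (argc > 5) {
		/* usage errors exit with ERROR_USAGE like every other one */
		usage();
		return (ERROR_USAGE);
	}

	/* -p is exclusive with -m and -v, whichever order they are given in */
	while ((ch = getopt(argc, argv, "mpv")) != EOF) {
		switch (ch) {
		case 'm':
			mflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'p':
			pflag = B_TRUE;
			if (mflag || vflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'v':
			vflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		default:
			rc = ERROR_USAGE;
			break;
		}
	}

	if (rc == ERROR_USAGE) {
		usage();
		return (rc);
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	prov = get_provider(argc, argv);

	if (mflag || vflag) {
		/*
		 * A missing mechanism= is not an error here (ERROR_USAGE is
		 * overwritten by the listing below); only FAILURE aborts.
		 */
		rc = process_mech_operands(argc, argv, B_TRUE);
		if (rc == FAILURE) {
			goto out;
		}
		/* "-m" is implied when a mechanism list is given */
		if (mecharglist != NULL || allflag) {
			mflag = B_TRUE;
		}
	}

	if (prov == NULL) {
		if (mflag) {
			rc = list_mechlist_for_all(vflag);
		} else if (pflag) {
			rc = list_policy_for_all();
		} else if (vflag) {
			rc = list_simple_for_all(vflag);
		}
	} else if (prov->cp_type == METASLOT) {
		/* with no flag at all, just the metaslot status is listed */
		if (mflag || vflag || !pflag) {
			rc = list_metaslot_info(mflag, vflag, mecharglist);
		} else {
			rc = list_metaslot_policy();
		}
	} else if (prov->cp_type == PROV_BADNAME) {
		usage();
		rc = ERROR_USAGE;
	} else {
		/* do the listing for a provider only */
		rc = list_for_provider(prov, mflag, pflag, vflag);
	}

out:
	free(prov);

	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * The top level function for the "cryptoadm disable" subcommand.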
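*/

/*
 * Shared body of "cryptoadm enable fips-140" and
 * "cryptoadm disable fips-140".
 *
 * action is FIPS140_ENABLE or FIPS140_DISABLE.  The software switch
 * (do_fips_actions) and each of the three kernel hardware providers
 * (do_fips_hw_actions) are attempted in turn; one failing does not stop
 * the others.  Returns SUCCESS if at least one of the four steps
 * succeeded (the mode has changed and a reboot is announced), FAILURE
 * if all of them failed.
 */
static int
do_fips_toggle(int action)
{
	int success_count = 0;

	if (do_fips_actions(action, NOT_REFRESH) == SUCCESS)
		success_count++;

	(void) printf(gettext("\nKernel hardware providers:\n"));
	(void) printf(gettext("=========================:\n"));
	if (do_fips_hw_actions(action, HW_PROVIDER_NCP) == SUCCESS)
		success_count++;
	if (do_fips_hw_actions(action, HW_PROVIDER_N2CP) == SUCCESS)
		success_count++;
	if (do_fips_hw_actions(action, HW_PROVIDER_N2RNG) == SUCCESS)
		success_count++;

	if (success_count == 0)
		return (FAILURE);

	(void) printf(gettext("\nThe FIPS-140 mode has changed.\n"));
	(void) printf(gettext("The system will require a reboot.\n"));
	return (SUCCESS);
}

/*
 * The top level function for the "cryptoadm disable" subcommand.
 *
 * argv[2] names the provider (or the fips-140 keyword); the remaining
 * operands are parsed by process_feature_operands(),
 * process_metaslot_operands() and process_mech_operands() into the
 * file-scope allflag/rndflag/mecharglist state.
 *
 * Returns SUCCESS, FAILURE, or ERROR_USAGE (after printing usage).
 * Every exit after get_provider() goes through "out" so that prov and
 * mecharglist are released; the early returns of the original leaked prov
 * on the PROV_BADNAME and operand-parse-failure paths.
 */
static int
do_disable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	boolean_t auto_key_migrate_flag = B_FALSE;

	/*
	 * cryptoadm disable fips-140
	 *
	 * NOTE(review): this is a prefix comparison on FIPS_KEYWORD, so any
	 * operand that merely starts with the keyword takes this path.
	 */
	if ((argc == 3) &&
	    (strncmp(argv[2], FIPS_KEYWORD, strlen(FIPS_KEYWORD)) == 0)) {
		return (do_fips_toggle(FIPS140_DISABLE));
	}

	if ((argc < 3) || (argc > 5)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/*
	 * If allflag or rndflag has already been set there is no reason to
	 * process mech=
	 */
	if (prov->cp_type == METASLOT) {
		if ((argc > 3) &&
		    (rc = process_metaslot_operands(argc, argv,
		    NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
			usage();
			goto out;
		}
	} else if (!allflag && !rndflag &&
	    (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = disable_metaslot(mecharglist, allflag,
		    auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		/* "random" on its own is expressed as a one-entry mech list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() != GLOBAL_ZONEID) {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
			break;
		}
		if (prov->cp_type == PROV_KEF_SOFT) {
			rc = disable_kef_software(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			rc = disable_kef_hardware(prov->cp_name, rndflag,
			    allflag, mecharglist);
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}

out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * The top level function for the "cryptoadm enable" subcommand.
 *
 * argv[2] names the provider (or the fips-140 keyword).  For metaslot the
 * operands may select an alternate token/slot, the default keystore and
 * auto key migration; for every other provider they are feature and
 * mechanism operands (see do_disable).
 *
 * Returns SUCCESS, FAILURE, or ERROR_USAGE (after printing usage).  All
 * exits after get_provider() go through "out"; the original returned
 * directly on the "non-metaslot needs exactly four arguments" check and
 * leaked prov there.
 */
static int
do_enable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	char *alt_token = NULL, *alt_slot = NULL;
	boolean_t use_default = B_FALSE;
	boolean_t auto_key_migrate_flag = B_FALSE;

	/* cryptoadm enable fips-140 (prefix match, as in do_disable) */
	if ((argc == 3) &&
	    (strncmp(argv[2], FIPS_KEYWORD, strlen(FIPS_KEYWORD)) == 0)) {
		return (do_fips_toggle(FIPS140_ENABLE));
	}

	if ((argc < 3) || (argc > 6)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if ((prov->cp_type != METASLOT) && (argc != 4)) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == METASLOT) {
		if ((rc = process_metaslot_operands(argc, argv, &alt_token,
		    &alt_slot, &use_default, &auto_key_migrate_flag))
		    != SUCCESS) {
			usage();
			goto out;
		}
		/* an explicit alternate token/slot contradicts "default" */
		if ((alt_slot || alt_token) && use_default) {
			usage();
			rc = FAILURE;
			goto out;
		}
	} else {
		if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
			goto out;
		}

		/*
		 * If allflag or rndflag has already been set there is
		 * no reason to process mech=
		 */
		if (!allflag && !rndflag &&
		    (rc = process_mech_operands(argc, argv, B_FALSE))
		    != SUCCESS) {
			goto out;
		}
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = enable_metaslot(alt_token, alt_slot, use_default,
		    mecharglist, allflag, auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		/* "random" on its own is expressed as a one-entry mech list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = enable_kef(prov->cp_name, rndflag, allflag,
			    mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "enable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "enable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}
out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	/* free(NULL) is a no-op, so the NULL guards are not needed */
	free(alt_token);
	free(alt_slot);
	return (rc);
}



/*
 * The top level function for the "cryptoadm install" subcommand.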
*/

/*
 * The top level function for the "cryptoadm install" subcommand.
 *
 * argv[2] names the provider.  A user-level library is installed as is;
 * a kernel software provider additionally needs mechanism operands
 * (argc >= 4), which process_mech_operands() parses into the file-scope
 * allflag/mecharglist state, and may only be installed from the global
 * zone.  Kernel hardware providers cannot be installed.
 *
 * Returns SUCCESS, FAILURE, or ERROR_USAGE.
 */
static int
do_install(int argc, char **argv)
{
	cryptoadm_provider_t *prov;
	int rc;

	if (argc < 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL || prov->cp_type == PROV_BADNAME ||
	    prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "install");
		free(prov);
		return (FAILURE);
	}

	if (prov->cp_type == PROV_UEF_LIB) {
		rc = install_uef_lib(prov->cp_name);
	} else if (argc < 4) {
		/*
		 * PROV_KEF_SOFT: mechanism operands are mandatory.
		 *
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword and hence
		 * not to be translated, or a descriptive word and
		 * translatable. A choice was made to view it as a literal
		 * keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("need %s operands for installing a"
		    " kernel software provider."), "mechanism");
		rc = ERROR_USAGE;
	} else {
		rc = process_mech_operands(argc, argv, B_FALSE);
		if (rc == SUCCESS) {
			if (allflag == B_TRUE) {
				/*
				 * TRANSLATION_NOTE
				 * "all", "mechanism", and "install" are all
				 * keywords and not to be translated.
				 */
				cryptoerror(LOG_STDERR,
				    gettext("can not use the %1$s keyword for "
				    "%2$s in the %3$s subcommand."),
				    "all", "mechanism", "install");
				rc = ERROR_USAGE;
			} else if (getzoneid() == GLOBAL_ZONEID) {
				rc = install_kef(prov->cp_name, mecharglist);
			} else {
				/*
				 * TRANSLATION_NOTE
				 * "install" could be either a literal keyword
				 * and hence not to be translated, or a verb
				 * and translatable. A choice was made to view
				 * it as a literal keyword. "global" is keyword
				 * and not to be translated.
				 */
				cryptoerror(LOG_STDERR, gettext("%1$s for "
				    "kernel providers is supported in the "
				    "%2$s zone only"), "install", "global");
				rc = FAILURE;
			}
		}
	}

	free(prov);
	return (rc);
}



/*
 * The top level function for the "cryptoadm uninstall" subcommand.
 *
 * argv[2] names the provider; no other operands are accepted (argc == 3).
 * A user-level library is removed from pkcs11.conf; a kernel software
 * provider is unloaded and removed from kcf.conf, which is possible only
 * in the global zone.  Kernel hardware providers cannot be uninstalled.
 * Any other provider type (e.g. metaslot) is, as before, a no-op that
 * returns SUCCESS.
 *
 * Returns SUCCESS, FAILURE, or ERROR_USAGE.
 */
static int
do_uninstall(int argc, char **argv)
{
	cryptoadm_provider_t *prov;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL || prov->cp_type == PROV_BADNAME ||
	    prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "uninstall" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "uninstall");
		free(prov);
		return (FAILURE);
	}

	switch (prov->cp_type) {
	case PROV_UEF_LIB:
		rc = uninstall_uef_lib(prov->cp_name);
		break;
	case PROV_KEF_SOFT:
		if (getzoneid() != GLOBAL_ZONEID) {
			/*
			 * TRANSLATION_NOTE
			 * "uninstall" could be either a literal keyword and
			 * hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as a
			 * literal keyword. "global" is keyword and not to
			 * be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "uninstall", "global");
			rc = FAILURE;
			break;
		}
		/* unload and remove from kcf.conf */
		rc = uninstall_kef(prov->cp_name);
		break;
	default:
		/* nothing to do for the remaining types; rc stays SUCCESS */
		break;
	}

	free(prov);
	return (rc);
}


/*
 * The top level function for the "cryptoadm unload" subcommand.
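*/

/*
 * The top level function for the "cryptoadm unload" subcommand.
 *
 * argv[2] names a kernel software provider; no other operands are
 * accepted (argc == 3).  The provider must be loaded in the kernel and
 * the command must run in the global zone.  On success the kcf.conf
 * entry (created if absent) is updated to record the provider as
 * unloaded.
 *
 * Returns SUCCESS, FAILURE, or ERROR_USAGE.  The "unable to determine
 * provider name" path now returns FAILURE; the original fell through to
 * "out" with rc still SUCCESS, reporting an error while exiting 0.
 */
static int
do_unload(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	entry_t *pent = NULL;
	boolean_t in_kernel = B_FALSE;
	int rc = SUCCESS;
	char *provname = NULL;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	/* check if it is a kernel software provider */
	prov = get_provider(argc, argv);
	if (prov == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("unable to determine provider name."));
		rc = FAILURE;
		goto out;
	}
	provname = prov->cp_name;
	if (prov->cp_type != PROV_KEF_SOFT) {
		cryptoerror(LOG_STDERR,
		    gettext("%s is not a valid kernel software provider."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "unload" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable.
		 * A choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "unload", "global");
		rc = FAILURE;
		goto out;
	}

	if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
		cryptodebug("internal error");
		rc = FAILURE;
		goto out;
	}
	if (in_kernel == B_FALSE) {
		cryptoerror(LOG_STDERR,
		    gettext("provider %s is not loaded or does not exist."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	/* Get kcf.conf entry. If none, build a new entry */
	if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
		if ((pent = create_entry(provname)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			rc = FAILURE;
			goto out;
		}
	}

	/* If it is unloaded already, return */
	if (!pent->load) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
		goto out;
	}

	if (unload_kef_soft(provname) == FAILURE) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
		goto out;
	}

	/* Mark as unloaded in kcf.conf */
	pent->load = B_FALSE;
	rc = update_kcfconf(pent, MODIFY_MODE);

out:
	free(prov);
	/* pent may still be NULL here; free_entry() is assumed NULL-safe, as before */
	free_entry(pent);
	return (rc);
}



/*
 * The top level function for the "cryptoadm refresh" subcommand.
 *
 * Takes no operands (argc == 2).  In the global zone this re-applies the
 * configuration via refresh(); in a non-global zone it deliberately
 * reports SUCCESS without doing anything.
 *
 * Returns SUCCESS, ERROR_USAGE, or whatever refresh() returns.
 */
static int
do_refresh(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		return (refresh());
	} else { /* non-global zone */
		/*
		 * Note: in non-global zone, this must silently return SUCCESS
		 * due to integration with SMF, for "svcadm refresh cryptosvc"
		 */
		return (SUCCESS);
	}
}


/*
 * The top level function for the "cryptoadm start" subcommand.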
*/

/*
 * The top level function for the "cryptoadm start" subcommand.
 *
 * Takes no operands (argc == 2).  A start is a refresh followed by
 * starting the daemon; a non-SUCCESS result from do_refresh() is
 * returned as is and the daemon is not started.
 *
 * Returns ERROR_USAGE, the do_refresh() error, or the start_daemon()
 * result.
 */
static int
do_start(int argc)
{
	int rc;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	rc = do_refresh(argc);
	return (rc == SUCCESS ? start_daemon() : rc);
}

/*
 * The top level function for the "cryptoadm stop" subcommand.
 *
 * Takes no operands (argc == 2).  Returns ERROR_USAGE or the
 * stop_daemon() result.
 */
static int
do_stop(int argc)
{
	if (argc == 2)
		return (stop_daemon());

	usage();
	return (ERROR_USAGE);
}



/*
 * Print a list of all the providers.
 * Called for "cryptoadm list" or "cryptoadm list -v" (no -m or -p).
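*/
/*
 * Prints, in order, the user-level providers from pkcs11.conf (with their
 * mechanism lists when verbose), the kernel software providers (from the
 * kernel ioctl plus kcf.conf in the global zone, from /dev/cryptoadm
 * otherwise) and the kernel hardware providers.
 *
 * Each list is attempted even if an earlier one failed; rc becomes
 * FAILURE as soon as any retrieval fails and is returned at the end.
 *
 * Fix: psoftlist_kernel was freed twice when get_kcfconf_info() failed
 * (once in that branch and again after the if/else); it is now released
 * exactly once.
 */
static int
list_simple_for_all(boolean_t verbose)
{
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr = NULL;
	entry_t *pent = NULL;
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	int rc = SUCCESS;
	int i;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of user-level providers."));
		rc = FAILURE;
	}

	for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
		/* skip metaslot and fips-140 entry */
		if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) &&
		    (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) {
			(void) printf(gettext("Provider: %s\n"),
			    plibptr->puent->name);
			if (verbose) {
				(void) list_mechlist_for_lib(
				    plibptr->puent->name, mecharglist, NULL,
				    B_FALSE, verbose, B_FALSE);
				(void) printf("\n");
			}
		}
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	if (getzoneid() == GLOBAL_ZONEID) {
		/* get kernel software providers from kernel ioctl */
		crypto_get_soft_list_t *psoftlist_kernel = NULL;
		entrylist_t *pdevlist_conf = NULL;
		entrylist_t *psoftlist_conf = NULL;

		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
			cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
			    "software provider list from kernel."));
			rc = FAILURE;
		} else {
			if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
			    == FAILURE) {
				cryptoerror(LOG_ERR,
				    "failed to retrieve the providers' "
				    "information from file kcf.conf - %s.",
				    _PATH_KCF_CONF);
				rc = FAILURE;
			} else {
				uint_t sl_soft_count =
				    psoftlist_kernel->sl_soft_count;
				char *psoftname =
				    psoftlist_kernel->sl_soft_names;
				uint_t n;

				/*
				 * sl_soft_names is a packed run of
				 * NUL-terminated names, sl_soft_count long.
				 */
				for (n = 0; n < sl_soft_count;
				    ++n, psoftname += strlen(psoftname) + 1) {
					pent = getent_kef(psoftname,
					    pdevlist_conf, psoftlist_conf);
					/*
					 * NOTE(review): pent is not released
					 * here, unlike the getent_kef() result
					 * in do_unload(); confirm whether this
					 * form returns an owned entry.
					 */
					(void) printf("\t%s%s\n", psoftname,
					    ((pent == NULL) || pent->load) ?
					    "" : gettext(" (inactive)"));
				}
				free_entrylist(pdevlist_conf);
				free_entrylist(psoftlist_conf);
			}
			/* single release point for both inner branches */
			free(psoftlist_kernel);
		}

	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		entrylist_t *pdevlist_zone = NULL;
		entrylist_t *psoftlist_zone = NULL;
		entrylist_t *ptr;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rc = FAILURE;
		}

		for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) {
			(void) printf("\t%s\n", ptr->pent->name);
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* get kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	if (get_dev_list(&pdevlist_kernel) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of kernel hardware providers.\n"));
		rc = FAILURE;
	} else {
		for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
			(void) printf("\t%s/%d\n",
			    pdevlist_kernel->dl_devs[i].le_dev_name,
			    pdevlist_kernel->dl_devs[i].le_dev_instance);
		}
	}
	free(pdevlist_kernel);

	return (rc);
}



/*
 * List all the providers. And for each provider, list the mechanism list.
 * Called for "cryptoadm list -m" or "cryptoadm list -mv" .
 */
static int
list_mechlist_for_all(boolean_t verbose)
{
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr = NULL;
	entry_t *pent = NULL;
	mechlist_t *pmechlist = NULL;
	char provname[MAXNAMELEN];
	char devname[MAXNAMELEN];
	int inst_num;
	int count;
	int i;
	int rv;
	int rc = SUCCESS;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.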
14910Sstevel@tonic-gate */ 14920Sstevel@tonic-gate (void) printf(gettext("=====================\n")); 14930Sstevel@tonic-gate if (get_pkcs11conf_info(&pliblist) != SUCCESS) { 14940Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 14950Sstevel@tonic-gate "the list of user-level providers.\n")); 14960Sstevel@tonic-gate rc = FAILURE; 14970Sstevel@tonic-gate } 14980Sstevel@tonic-gate 14990Sstevel@tonic-gate plibptr = pliblist; 15000Sstevel@tonic-gate while (plibptr != NULL) { 150110979SHai-May.Chao@Sun.COM /* skip metaslot and fips-140 entry */ 150210979SHai-May.Chao@Sun.COM if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) && 150310979SHai-May.Chao@Sun.COM (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) { 15040Sstevel@tonic-gate (void) printf(gettext("\nProvider: %s\n"), 15050Sstevel@tonic-gate plibptr->puent->name); 15060Sstevel@tonic-gate rv = list_mechlist_for_lib(plibptr->puent->name, 15070Sstevel@tonic-gate mecharglist, NULL, B_FALSE, verbose, B_TRUE); 15080Sstevel@tonic-gate if (rv == FAILURE) { 15090Sstevel@tonic-gate rc = FAILURE; 15100Sstevel@tonic-gate } 15110Sstevel@tonic-gate } 15120Sstevel@tonic-gate plibptr = plibptr->next; 15130Sstevel@tonic-gate } 15140Sstevel@tonic-gate free_uentrylist(pliblist); 15150Sstevel@tonic-gate 15160Sstevel@tonic-gate /* get kernel software providers */ 15170Sstevel@tonic-gate (void) printf(gettext("\nKernel software providers:\n")); 15187968Sopensolaris@drydog.com 15190Sstevel@tonic-gate /* 15207334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 15210Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 15220Sstevel@tonic-gate * the length of the translated text above. 
15230Sstevel@tonic-gate */ 15240Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 15250Sstevel@tonic-gate if (getzoneid() == GLOBAL_ZONEID) { 15267968Sopensolaris@drydog.com /* get kernel software providers from kernel ioctl */ 15277968Sopensolaris@drydog.com crypto_get_soft_list_t *psoftlist_kernel = NULL; 15287968Sopensolaris@drydog.com uint_t sl_soft_count; 15297968Sopensolaris@drydog.com char *psoftname; 15307968Sopensolaris@drydog.com int i; 15317968Sopensolaris@drydog.com entrylist_t *pdevlist_conf = NULL; 15327968Sopensolaris@drydog.com entrylist_t *psoftlist_conf = NULL; 15330Sstevel@tonic-gate 15347968Sopensolaris@drydog.com if (get_soft_list(&psoftlist_kernel) == FAILURE) { 15357968Sopensolaris@drydog.com cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 15367968Sopensolaris@drydog.com "software provider list from kernel.")); 15377968Sopensolaris@drydog.com return (FAILURE); 15387968Sopensolaris@drydog.com } 15397968Sopensolaris@drydog.com sl_soft_count = psoftlist_kernel->sl_soft_count; 15407968Sopensolaris@drydog.com 154110979SHai-May.Chao@Sun.COM if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) 154210979SHai-May.Chao@Sun.COM == FAILURE) { 15437968Sopensolaris@drydog.com cryptoerror(LOG_ERR, 15447968Sopensolaris@drydog.com "failed to retrieve the providers' " 15457968Sopensolaris@drydog.com "information from file kcf.conf - %s.", 15467968Sopensolaris@drydog.com _PATH_KCF_CONF); 15477968Sopensolaris@drydog.com free(psoftlist_kernel); 15487968Sopensolaris@drydog.com return (FAILURE); 15490Sstevel@tonic-gate } 15500Sstevel@tonic-gate 15517968Sopensolaris@drydog.com for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 15527968Sopensolaris@drydog.com i < sl_soft_count; 15537968Sopensolaris@drydog.com ++i, psoftname += strlen(psoftname) + 1) { 15547968Sopensolaris@drydog.com pent = getent_kef(psoftname, pdevlist_conf, 155510979SHai-May.Chao@Sun.COM psoftlist_conf); 15567968Sopensolaris@drydog.com if ((pent == NULL) || 
(pent->load)) { 15577968Sopensolaris@drydog.com rv = list_mechlist_for_soft(psoftname, 155810979SHai-May.Chao@Sun.COM NULL, NULL); 15597968Sopensolaris@drydog.com if (rv == FAILURE) { 15607968Sopensolaris@drydog.com rc = FAILURE; 15610Sstevel@tonic-gate } 15620Sstevel@tonic-gate } else { 15637968Sopensolaris@drydog.com (void) printf(gettext("%s: (inactive)\n"), 15647968Sopensolaris@drydog.com psoftname); 15650Sstevel@tonic-gate } 15660Sstevel@tonic-gate } 15670Sstevel@tonic-gate 15687968Sopensolaris@drydog.com free(psoftlist_kernel); 15690Sstevel@tonic-gate free_entrylist(pdevlist_conf); 15700Sstevel@tonic-gate free_entrylist(psoftlist_conf); 15717968Sopensolaris@drydog.com 15720Sstevel@tonic-gate } else { 15730Sstevel@tonic-gate /* kcf.conf not there in non-global zone, use /dev/cryptoadm */ 15747968Sopensolaris@drydog.com entrylist_t *pdevlist_zone = NULL; 15757968Sopensolaris@drydog.com entrylist_t *psoftlist_zone = NULL; 15767968Sopensolaris@drydog.com entrylist_t *ptr; 15770Sstevel@tonic-gate 15780Sstevel@tonic-gate if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) != 15790Sstevel@tonic-gate SUCCESS) { 15800Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 15810Sstevel@tonic-gate "the list of kernel software providers.\n")); 15820Sstevel@tonic-gate rc = FAILURE; 15830Sstevel@tonic-gate } 15840Sstevel@tonic-gate 15857968Sopensolaris@drydog.com for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) { 15867968Sopensolaris@drydog.com rv = list_mechlist_for_soft(ptr->pent->name, 158710979SHai-May.Chao@Sun.COM pdevlist_zone, psoftlist_zone); 15880Sstevel@tonic-gate if (rv == FAILURE) { 15890Sstevel@tonic-gate (void) printf(gettext( 15900Sstevel@tonic-gate "%s: failed to get the mechanism list.\n"), 15910Sstevel@tonic-gate ptr->pent->name); 15920Sstevel@tonic-gate rc = FAILURE; 15930Sstevel@tonic-gate } 15940Sstevel@tonic-gate } 15950Sstevel@tonic-gate 15960Sstevel@tonic-gate free_entrylist(pdevlist_zone); 15970Sstevel@tonic-gate 
free_entrylist(psoftlist_zone); 15980Sstevel@tonic-gate } 15990Sstevel@tonic-gate 16000Sstevel@tonic-gate /* Get kernel hardware providers and their mechanism lists */ 16010Sstevel@tonic-gate (void) printf(gettext("\nKernel hardware providers:\n")); 16020Sstevel@tonic-gate /* 16037334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16040Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 16050Sstevel@tonic-gate * the length of the translated text above. 16060Sstevel@tonic-gate */ 16070Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 16080Sstevel@tonic-gate if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 16090Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 16100Sstevel@tonic-gate "the list of hardware providers.\n")); 16110Sstevel@tonic-gate return (FAILURE); 16120Sstevel@tonic-gate } 16130Sstevel@tonic-gate 16140Sstevel@tonic-gate for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 16150Sstevel@tonic-gate (void) strlcpy(devname, 16160Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN); 16170Sstevel@tonic-gate inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance; 16180Sstevel@tonic-gate count = pdevlist_kernel->dl_devs[i].le_mechanism_count; 16190Sstevel@tonic-gate (void) snprintf(provname, sizeof (provname), "%s/%d", devname, 16200Sstevel@tonic-gate inst_num); 16210Sstevel@tonic-gate if (get_dev_info(devname, inst_num, count, &pmechlist) == 16220Sstevel@tonic-gate SUCCESS) { 16230Sstevel@tonic-gate (void) filter_mechlist(&pmechlist, RANDOM); 16240Sstevel@tonic-gate print_mechlist(provname, pmechlist); 16250Sstevel@tonic-gate free_mechlist(pmechlist); 16260Sstevel@tonic-gate } else { 16270Sstevel@tonic-gate (void) printf(gettext("%s: failed to get the mechanism" 16280Sstevel@tonic-gate " list.\n"), provname); 16290Sstevel@tonic-gate rc = FAILURE; 16300Sstevel@tonic-gate } 16310Sstevel@tonic-gate } 16320Sstevel@tonic-gate free(pdevlist_kernel); 
16330Sstevel@tonic-gate return (rc); 16340Sstevel@tonic-gate } 16350Sstevel@tonic-gate 16360Sstevel@tonic-gate 16370Sstevel@tonic-gate /* 16380Sstevel@tonic-gate * List all the providers. And for each provider, list the policy information. 16397968Sopensolaris@drydog.com * Called for "cryptoadm list -p". 16400Sstevel@tonic-gate */ 16410Sstevel@tonic-gate static int 16420Sstevel@tonic-gate list_policy_for_all(void) 16430Sstevel@tonic-gate { 16447968Sopensolaris@drydog.com crypto_get_dev_list_t *pdevlist_kernel = NULL; 16457968Sopensolaris@drydog.com uentrylist_t *pliblist = NULL; 16467968Sopensolaris@drydog.com entrylist_t *pdevlist_conf = NULL; 16477968Sopensolaris@drydog.com entrylist_t *psoftlist_conf = NULL; 16487968Sopensolaris@drydog.com entrylist_t *ptr = NULL; 16497968Sopensolaris@drydog.com entrylist_t *phead = NULL; 16507968Sopensolaris@drydog.com boolean_t found = B_FALSE; 16517968Sopensolaris@drydog.com char provname[MAXNAMELEN]; 16527968Sopensolaris@drydog.com int i; 16537968Sopensolaris@drydog.com int rc = SUCCESS; 16540Sstevel@tonic-gate 16550Sstevel@tonic-gate /* Get user-level providers */ 16560Sstevel@tonic-gate (void) printf(gettext("\nUser-level providers:\n")); 16570Sstevel@tonic-gate /* 16587334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16590Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 16600Sstevel@tonic-gate * the length of the translated text above. 
16610Sstevel@tonic-gate */ 16620Sstevel@tonic-gate (void) printf(gettext("=====================\n")); 16630Sstevel@tonic-gate if (get_pkcs11conf_info(&pliblist) == FAILURE) { 16640Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 16650Sstevel@tonic-gate "the list of user-level providers.\n")); 16667968Sopensolaris@drydog.com rc = FAILURE; 16670Sstevel@tonic-gate } else { 16687968Sopensolaris@drydog.com uentrylist_t *plibptr = pliblist; 16697968Sopensolaris@drydog.com 16700Sstevel@tonic-gate while (plibptr != NULL) { 167110979SHai-May.Chao@Sun.COM /* skip metaslot and fips-140 entry */ 167210979SHai-May.Chao@Sun.COM if ((strcmp(plibptr->puent->name, 167310979SHai-May.Chao@Sun.COM METASLOT_KEYWORD) != 0) && 167410979SHai-May.Chao@Sun.COM (strcmp(plibptr->puent->name, 167510979SHai-May.Chao@Sun.COM FIPS_KEYWORD) != 0)) { 16760Sstevel@tonic-gate if (print_uef_policy(plibptr->puent) 16770Sstevel@tonic-gate == FAILURE) { 16780Sstevel@tonic-gate rc = FAILURE; 16790Sstevel@tonic-gate } 16800Sstevel@tonic-gate } 16810Sstevel@tonic-gate plibptr = plibptr->next; 16820Sstevel@tonic-gate } 16830Sstevel@tonic-gate free_uentrylist(pliblist); 16840Sstevel@tonic-gate } 16850Sstevel@tonic-gate 16860Sstevel@tonic-gate /* kernel software providers */ 16870Sstevel@tonic-gate (void) printf(gettext("\nKernel software providers:\n")); 16880Sstevel@tonic-gate /* 16897334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16900Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 16910Sstevel@tonic-gate * the length of the translated text above. 
16920Sstevel@tonic-gate */ 16930Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 16940Sstevel@tonic-gate 16957968Sopensolaris@drydog.com /* Get all entries from the kernel */ 16960Sstevel@tonic-gate if (getzoneid() == GLOBAL_ZONEID) { 16977968Sopensolaris@drydog.com /* get kernel software providers from kernel ioctl */ 16987968Sopensolaris@drydog.com crypto_get_soft_list_t *psoftlist_kernel = NULL; 16997968Sopensolaris@drydog.com uint_t sl_soft_count; 17007968Sopensolaris@drydog.com char *psoftname; 17017968Sopensolaris@drydog.com int i; 17020Sstevel@tonic-gate 17037968Sopensolaris@drydog.com if (get_soft_list(&psoftlist_kernel) == FAILURE) { 17047968Sopensolaris@drydog.com cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 17057968Sopensolaris@drydog.com "software provider list from kernel.")); 17067968Sopensolaris@drydog.com rc = FAILURE; 17077968Sopensolaris@drydog.com } else { 17087968Sopensolaris@drydog.com sl_soft_count = psoftlist_kernel->sl_soft_count; 17097968Sopensolaris@drydog.com 17107968Sopensolaris@drydog.com for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 17117968Sopensolaris@drydog.com i < sl_soft_count; 17127968Sopensolaris@drydog.com ++i, psoftname += strlen(psoftname) + 1) { 17137968Sopensolaris@drydog.com (void) list_policy_for_soft(psoftname, 171410979SHai-May.Chao@Sun.COM pdevlist_conf, psoftlist_conf); 17157968Sopensolaris@drydog.com } 17167968Sopensolaris@drydog.com free(psoftlist_kernel); 17170Sstevel@tonic-gate } 17180Sstevel@tonic-gate 17190Sstevel@tonic-gate } else { 17200Sstevel@tonic-gate /* kcf.conf not there in non-global zone, no policy info */ 17210Sstevel@tonic-gate 17220Sstevel@tonic-gate /* 17237334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 17240Sstevel@tonic-gate * "global" is keyword and not to be translated. 
17250Sstevel@tonic-gate */ 17260Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 17270Sstevel@tonic-gate "policy information for kernel software providers is " 17280Sstevel@tonic-gate "available in the %s zone only"), "global"); 17290Sstevel@tonic-gate } 17300Sstevel@tonic-gate 17310Sstevel@tonic-gate /* Kernel hardware providers */ 17320Sstevel@tonic-gate (void) printf(gettext("\nKernel hardware providers:\n")); 17330Sstevel@tonic-gate /* 17347334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 17350Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 17360Sstevel@tonic-gate * the length of the translated text above. 17370Sstevel@tonic-gate */ 17380Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 17390Sstevel@tonic-gate 17400Sstevel@tonic-gate if (getzoneid() != GLOBAL_ZONEID) { 17410Sstevel@tonic-gate /* 17427334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 17430Sstevel@tonic-gate * "global" is keyword and not to be translated. 17440Sstevel@tonic-gate */ 17450Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 17460Sstevel@tonic-gate "policy information for kernel hardware providers is " 17470Sstevel@tonic-gate "available in the %s zone only"), "global"); 17480Sstevel@tonic-gate return (FAILURE); 17490Sstevel@tonic-gate } 17500Sstevel@tonic-gate 17510Sstevel@tonic-gate /* Get the hardware provider list from kernel */ 17520Sstevel@tonic-gate if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 17530Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 17540Sstevel@tonic-gate "failed to retrieve the list of hardware providers.\n")); 17550Sstevel@tonic-gate return (FAILURE); 17560Sstevel@tonic-gate } 17570Sstevel@tonic-gate 175810979SHai-May.Chao@Sun.COM if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) == FAILURE) { 17597968Sopensolaris@drydog.com cryptoerror(LOG_ERR, "failed to retrieve the providers' " 17607968Sopensolaris@drydog.com "information from file kcf.conf - %s.", 17617968Sopensolaris@drydog.com 
_PATH_KCF_CONF); 17627968Sopensolaris@drydog.com return (FAILURE); 17637968Sopensolaris@drydog.com } 17647968Sopensolaris@drydog.com 17657968Sopensolaris@drydog.com 17660Sstevel@tonic-gate /* 17670Sstevel@tonic-gate * For each hardware provider from kernel, check if it has an entry 17680Sstevel@tonic-gate * in the config file. If it has an entry, print out the policy from 17690Sstevel@tonic-gate * config file and remove the entry from the hardware provider list 17700Sstevel@tonic-gate * of the config file. If it does not have an entry in the config 17710Sstevel@tonic-gate * file, no mechanisms of it have been disabled. But, we still call 17720Sstevel@tonic-gate * list_policy_for_hard() to account for the "random" feature. 17730Sstevel@tonic-gate */ 17740Sstevel@tonic-gate for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 17750Sstevel@tonic-gate (void) snprintf(provname, sizeof (provname), "%s/%d", 17760Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_name, 17770Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_instance); 17787968Sopensolaris@drydog.com 17790Sstevel@tonic-gate found = B_FALSE; 17800Sstevel@tonic-gate phead = ptr = pdevlist_conf; 17810Sstevel@tonic-gate while (!found && ptr) { 17820Sstevel@tonic-gate if (strcmp(ptr->pent->name, provname) == 0) { 17830Sstevel@tonic-gate found = B_TRUE; 17840Sstevel@tonic-gate } else { 17850Sstevel@tonic-gate phead = ptr; 17860Sstevel@tonic-gate ptr = ptr->next; 17870Sstevel@tonic-gate } 17880Sstevel@tonic-gate } 17890Sstevel@tonic-gate 17900Sstevel@tonic-gate if (found) { 17917968Sopensolaris@drydog.com (void) list_policy_for_hard(ptr->pent->name, 179210979SHai-May.Chao@Sun.COM pdevlist_conf, psoftlist_conf, pdevlist_kernel); 17930Sstevel@tonic-gate if (phead == ptr) { 17940Sstevel@tonic-gate pdevlist_conf = pdevlist_conf->next; 17950Sstevel@tonic-gate } else { 17960Sstevel@tonic-gate phead->next = ptr->next; 17970Sstevel@tonic-gate } 17980Sstevel@tonic-gate free_entry(ptr->pent); 17990Sstevel@tonic-gate 
free(ptr); 18000Sstevel@tonic-gate } else { 18017968Sopensolaris@drydog.com (void) list_policy_for_hard(provname, pdevlist_conf, 180210979SHai-May.Chao@Sun.COM psoftlist_conf, pdevlist_kernel); 18030Sstevel@tonic-gate } 18040Sstevel@tonic-gate } 18050Sstevel@tonic-gate 18060Sstevel@tonic-gate /* 18070Sstevel@tonic-gate * If there are still entries left in the pdevlist_conf list from 18080Sstevel@tonic-gate * the config file, these providers must have been detached. 18090Sstevel@tonic-gate * Should print out their policy information also. 18100Sstevel@tonic-gate */ 18117968Sopensolaris@drydog.com for (ptr = pdevlist_conf; ptr != NULL; ptr = ptr->next) { 18127968Sopensolaris@drydog.com print_kef_policy(ptr->pent->name, ptr->pent, B_FALSE, B_TRUE); 18130Sstevel@tonic-gate } 18140Sstevel@tonic-gate 18150Sstevel@tonic-gate free_entrylist(pdevlist_conf); 18167968Sopensolaris@drydog.com free_entrylist(psoftlist_conf); 18170Sstevel@tonic-gate free(pdevlist_kernel); 18180Sstevel@tonic-gate 18190Sstevel@tonic-gate return (rc); 18200Sstevel@tonic-gate } 1821