10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*1971Skrishna * Common Development and Distribution License (the "License"). 6*1971Skrishna * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*1971Skrishna * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 
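*/

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * <errno.h> and <string.h> are included explicitly: this file reads errno
 * and calls strerror()/strtok()/strchr() directly (see get_provider() and
 * friends) and should not depend on another header pulling them in.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Minimum argc accepted by main(): the program name plus one subcommand. */
#define	REQ_ARG_CNT 2

/*
 * subcommand index
 *
 * main() looks argv[1] up in cmd_table[] and switches on the position of
 * the match, so every constant here must sit at the same index as its
 * keyword in cmd_table[] below.
 */
enum subcommand_index {
	CRYPTO_LIST,
	CRYPTO_DISABLE,
	CRYPTO_ENABLE,
	CRYPTO_INSTALL,
	CRYPTO_UNINSTALL,
	CRYPTO_UNLOAD,
	CRYPTO_REFRESH,
	CRYPTO_START,
	CRYPTO_STOP,
	CRYPTO_HELP };

/*
 * TRANSLATION_NOTE:
 * Command keywords are not to be translated.
 *
 * The table is read-only; keep its order in sync with enum subcommand_index.
 */
static const char *cmd_table[] = {
	"list",
	"disable",
	"enable",
	"install",
	"uninstall",
	"unload",
	"refresh",
	"start",
	"stop",
	"--help" };

/*
 * provider type
 *
 * Derived from the provider name by get_provider_type(): a name starting
 * with '/' is a user-level (uef) library, a name with no slash is a kernel
 * software provider, a name with exactly one interior slash is a kernel
 * hardware provider, and anything else is PROV_BADNAME.  METASLOT is
 * assigned by get_provider() when the metaslot keyword is given instead
 * of provider=; PROV_BADNAME is also used for an empty "provider=" operand.
 */
enum provider_type_index {
	PROV_UEF_LIB,
	PROV_KEF_SOFT,
	PROV_KEF_HARD,
	METASLOT,
	PROV_BADNAME };

/* A parsed provider operand: the name as given and the type derived from it. */
typedef struct {
	char cp_name[MAXPATHLEN];
	enum provider_type_index cp_type;
} cryptoadm_provider_t;

/*
 * TRANSLATION_NOTE:
 * Operand keywords are not to be translated.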
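*/
static const char *KN_PROVIDER = "provider=";
static const char *KN_MECH = "mechanism=";
static const char *KN_ALL = "all";
static const char *KN_TOKEN = "token=";
static const char *KN_SLOT = "slot=";
static const char *KN_DEFAULT_KS = "default-keystore";
static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";

/*
 * static variables
 *
 * Parsing results shared between the operand parsers and the subcommand
 * handlers: allflag/rndflag are set by process_feature_operands() and
 * process_mech_operands(), mecharglist is the parsed mechanism= list (or
 * NULL).  Each handler consumes and frees them once.
 */
static boolean_t allflag = B_FALSE;
static boolean_t rndflag = B_FALSE;
static mechlist_t *mecharglist = NULL;

/* static functions */
static void usage(void);
static int get_provider_type(char *);
static int process_mech_operands(int, char **, boolean_t);
static int do_list(int, char **);
static int do_disable(int, char **);
static int do_enable(int, char **);
static int do_install(int, char **);
static int do_uninstall(int, char **);
static int do_unload(int, char **);
static int do_refresh(int);
static int do_start(int);
static int do_stop(int);
static int list_simple_for_all(boolean_t);
static int list_mechlist_for_all(boolean_t);
static int list_policy_for_all(void);

/*
 * Entry point.  argv[1] is matched exactly against cmd_table[]; the index
 * of the match is the enum subcommand_index value dispatched on below.
 * Returns the handler's status, or ERROR_USAGE (after printing usage)
 * when no subcommand is given or the keyword is unknown.
 */
int
main(int argc, char *argv[])
{
	char *subcmd;
	int cmdnum;
	int cmd_index;
	int rc = SUCCESS;

	(void) setlocale(LC_ALL, "");

#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	cryptodebug_init(basename(argv[0]));

	if (argc < REQ_ARG_CNT) {
		usage();
		return (ERROR_USAGE);
	}

	/* get the subcommand index */
	subcmd = argv[1];
	cmdnum = sizeof (cmd_table) / sizeof (cmd_table[0]);
	for (cmd_index = 0; cmd_index < cmdnum; cmd_index++) {
		if (strcmp(subcmd, cmd_table[cmd_index]) == 0) {
			break;
		}
	}
	if (cmd_index >= cmdnum) {
		usage();
		return (ERROR_USAGE);
	}

	/* do the subcommand */
	switch (cmd_index) {
	case CRYPTO_LIST:
		rc = do_list(argc, argv);
		break;
	case CRYPTO_DISABLE:
		rc = do_disable(argc, argv);
		break;
	case CRYPTO_ENABLE:
		rc = do_enable(argc, argv);
		break;
	case CRYPTO_INSTALL:
		rc = do_install(argc, argv);
		break;
	case CRYPTO_UNINSTALL:
		rc = do_uninstall(argc, argv);
		break;
	case CRYPTO_UNLOAD:
		rc = do_unload(argc, argv);
		break;
	case CRYPTO_REFRESH:
		rc = do_refresh(argc);
		break;
	case CRYPTO_START:
		rc = do_start(argc);
		break;
	case CRYPTO_STOP:
		rc = do_stop(argc);
		break;
	case CRYPTO_HELP:
		usage();
		rc = SUCCESS;
		break;
	default:	/* should not come here */
		usage();
		rc = ERROR_USAGE;
		break;
	}
	return (rc);
}


/*
 * Print the command synopsis to stderr.  Only the "Usage:" word and the
 * placeholders in angle brackets are localized.
 */
static void
usage(void)
{
	/*
	 * TRANSLATION_NOTE:
	 * Command usage is not to be translated. Only the word "Usage:"
	 * along with localized expressions indicating what kind of value
	 * is expected for arguments.
	 */
	/* fputs(): the translated text is data, not a format string */
	(void) fputs(gettext("Usage:\n"), stderr);
	(void) fprintf(stderr,
	    " cryptoadm list [-mpv] [provider=<%s> | metaslot]"
	    " [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm disable metaslot"
	    " [auto-key-migrate] [mechanism=<%s>]\n",
	    gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm enable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm enable metaslot [mechanism=<%s>]"
	    " [[token=<%s>] [slot=<%s>]"
	    " | [default-keystore]] | [auto-key-migrate]\n",
	    gettext("mechanism-list"), gettext("token-label"),
	    gettext("slot-description"));
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s> [mechanism=<%s>]\n",
	    gettext("provider-name"), gettext("mechanism-list"));
	(void) fprintf(stderr,
	    " cryptoadm uninstall provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm unload provider=<%s>\n",
	    gettext("provider-name"));
	(void) fprintf(stderr,
	    " cryptoadm refresh\n"
	    " cryptoadm start\n"
	    " cryptoadm stop\n"
	    " cryptoadm --help\n");
}


/*
 * Get the provider type. This function returns
 * - PROV_UEF_LIB if provname contains an absolute path name
 * - PROV_KEF_SOFT if provname is a base name only
 * - PROV_KEF_HARD if provname contains one slash only and the slash is not
 *   the 1st character.
 * - PROV_BADNAME otherwise.
 * A NULL provname yields FAILURE; get_provider() never passes one, since
 * cp_name is an array embedded in the structure.
 */
static int
get_provider_type(char *provname)
{
	char *pslash1;
	char *pslash2;

	if (provname == NULL) {
		return (FAILURE);
	}

	if (provname[0] == '/') {
		return (PROV_UEF_LIB);
	}
	if ((pslash1 = strchr(provname, SEP_SLASH)) == NULL) {
		/* no slash */
		return (PROV_KEF_SOFT);
	}
	/* exactly one slash iff the first and last occurrences coincide */
	pslash2 = strrchr(provname, SEP_SLASH);
	return (pslash1 == pslash2 ? PROV_KEF_HARD : PROV_BADNAME);
}

/*
 * Get the provider structure. This function returns NULL if no valid
 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 * If provider= is found but has no argument, or the name does not fit in
 * cp_name, then a cryptoadm_provider_t with cp_type = PROV_BADNAME is
 * returned.
 *
 * The caller owns the returned structure and must free() it.  argv[] is
 * left untouched: the provider= operand is copied before being tokenized.
 * Only the first metaslot / provider= operand (scanning from argv[1]) is
 * considered.
 */
static cryptoadm_provider_t *
get_provider(int argc, char **argv)
{
	int c = 0;
	boolean_t found = B_FALSE;
	cryptoadm_provider_t *provider = NULL;
	char *provstr = NULL, *savstr;
	boolean_t is_metaslot = B_FALSE;

	while (!found && ++c < argc) {
		/*
		 * Exact match: the old prefix match accepted any operand
		 * that merely started with the keyword (e.g. a typo such as
		 * "metaslots") and silently acted on metaslot.
		 */
		if (strcmp(argv[c], METASLOT_KEYWORD) == 0) {
			is_metaslot = B_TRUE;
			found = B_TRUE;
		} else if (strncmp(argv[c], KN_PROVIDER,
		    strlen(KN_PROVIDER)) == 0 &&
		    strlen(argv[c]) > strlen(KN_PROVIDER)) {
			if ((provstr = strdup(argv[c])) == NULL) {
				int err = errno;
				/*
				 * TRANSLATION_NOTE:
				 * "get_provider" is a function name and should
				 * not be translated.
				 */
				cryptoerror(LOG_STDERR, "get_provider: %s.",
				    strerror(err));
				return (NULL);
			}
			found = B_TRUE;
		}
	}
	if (!found)
		return (NULL);

	provider = malloc(sizeof (cryptoadm_provider_t));
	if (provider == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free(provstr);
		return (NULL);
	}
	provider->cp_name[0] = '\0';

	if (is_metaslot) {
		/*
		 * Bound the copy by the destination size.  The old bound,
		 * strlen(METASLOT_KEYWORD), made strlcpy() reserve one of
		 * those bytes for the NUL and drop the keyword's last
		 * character.
		 */
		(void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
		    sizeof (provider->cp_name));
		provider->cp_type = METASLOT;
	} else {
		size_t len;

		savstr = provstr;
		(void) strtok(provstr, "=");
		provstr = strtok(NULL, "=");
		if (provstr == NULL) {
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}

		/*
		 * A name longer than cp_name used to be truncated silently,
		 * which could make the command act on a different path than
		 * the one the administrator typed.  Reject it instead.
		 */
		len = strlcpy(provider->cp_name, provstr,
		    sizeof (provider->cp_name));
		if (len >= sizeof (provider->cp_name)) {
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_name[0] = '\0';
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}
		provider->cp_type = get_provider_type(provider->cp_name);

		free(savstr);
	}
	return (provider);
}

/*
 * Process the metaslot operands.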
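*
 * "argc" and "argv" contain values specified on the command line.
 * All other arguments are used for returning parsing results.
 * If any of these arguments are NULL, that keyword is not expected,
 * and FAILURE will be returned.
 *
 * Operands are examined from argv[3] onwards (argv[2] is the metaslot
 * keyword itself).  token= and slot= values are strdup()ed into
 * *meta_ks_token / *meta_ks_slot, which the caller owns and frees.  A
 * mechanism= operand is handed to process_mech_operands(), which fills
 * the file-scope mecharglist/allflag.  Bare keywords must match exactly.
 *
 * Returns SUCCESS; FAILURE for an unexpected operand, an empty token=/slot=
 * value, or an allocation failure; or process_mech_operands()'s status
 * passed through unchanged.
 */

/*
 * Split a "keyword=value" operand in place with strtok() (so the argv[]
 * entry is modified, as before) and store a copy of the value in *out.
 * Returns FAILURE when the value is empty or cannot be duplicated; the
 * old code stored strdup()'s NULL result without checking it.
 */
static int
dup_operand_value(char *arg, char **out)
{
	char *value;

	if (strtok(arg, "=") == NULL) {
		return (FAILURE);
	}
	if ((value = strtok(NULL, "=")) == NULL) {
		return (FAILURE);
	}
	if ((*out = strdup(value)) == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		return (FAILURE);
	}
	return (SUCCESS);
}

static int
process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
    char **meta_ks_slot, boolean_t *use_default,
    boolean_t *auto_key_migrate_flag)
{
	int c = 2;
	int rc;

	while (++c < argc) {
		char *arg = argv[c];

		if (strncmp(arg, KN_MECH, strlen(KN_MECH)) == 0 &&
		    strlen(arg) > strlen(KN_MECH)) {
			/* process mechanism operands */
			rc = process_mech_operands(argc, argv, B_TRUE);
			if (rc != SUCCESS) {
				return (rc);
			}
		} else if (strncmp(arg, KN_TOKEN, strlen(KN_TOKEN)) == 0 &&
		    strlen(arg) > strlen(KN_TOKEN)) {
			if (meta_ks_token == NULL ||
			    dup_operand_value(arg, meta_ks_token) != SUCCESS) {
				return (FAILURE);
			}
		} else if (strncmp(arg, KN_SLOT, strlen(KN_SLOT)) == 0 &&
		    strlen(arg) > strlen(KN_SLOT)) {
			if (meta_ks_slot == NULL ||
			    dup_operand_value(arg, meta_ks_slot) != SUCCESS) {
				return (FAILURE);
			}
		} else if (strcmp(arg, KN_DEFAULT_KS) == 0) {
			/*
			 * strcmp(), not a prefix match: "default-keystorex"
			 * used to be accepted as default-keystore.  This
			 * also matches how process_feature_operands() tests
			 * its bare keywords.
			 */
			if (use_default == NULL) {
				return (FAILURE);
			}
			*use_default = B_TRUE;
		} else if (strcmp(arg, KN_AUTO_KEY_MIGRATE) == 0) {
			if (auto_key_migrate_flag == NULL) {
				return (FAILURE);
			}
			*auto_key_migrate_flag = B_TRUE;
		} else {
			return (FAILURE);
		}
	}
	return (SUCCESS);
}

/*
 * Process the "feature" operands.
 *
 * Scans argv[3..argc-1] for the bare keywords "all" and RANDOM and records
 * them in the file-scope allflag/rndflag; "all" implies random.  Other
 * operands are ignored here (the other parsers own them).  Always returns
 * SUCCESS.
 */
static int
process_feature_operands(int argc, char **argv)
{
	int c;

	for (c = 3; c < argc; c++) {
		if (strcmp(argv[c], KN_ALL) == 0) {
			allflag = B_TRUE;
			rndflag = B_TRUE;	/* all includes random also. */
		} else if (strcmp(argv[c], RANDOM) == 0) {
			rndflag = B_TRUE;
		}
	}
	return (SUCCESS);
}

/*
 * Report a missing or empty mechanism= operand unless the caller asked
 * for silence, and return the usage status callers expect for it.
 */
static int
mech_operand_missing(boolean_t quiet)
{
	if (!quiet) {
		/*
		 * TRANSLATION_NOTE:
		 * "mechanism" could be either a literal keyword
		 * and hence not to be translated, or a descriptive
		 * word and translatable. A choice was made to
		 * view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("the %s operand is missing.\n"),
		    "mechanism");
	}
	return (ERROR_USAGE);
}

/*
 * Process the mechanism operands for the disable, enable and install
 * subcommands. This function sets the static variable allflag to be B_TRUE
 * if the keyword "all" is specified, otherwise builds a link list of the
 * mechanism operands and save it in the static variable mecharglist.
 *
 * The first "mechanism=<list>" operand anywhere in argv[] is used; it is
 * split in place with strtok(), so that argv[] entry is modified.
 *
 * This function returns
 *	ERROR_USAGE: mechanism operand is missing or its value is empty.
 *	FAILURE: out of memory.
 *	SUCCESS: otherwise.
 */
static int
process_mech_operands(int argc, char **argv, boolean_t quiet)
{
	mechlist_t *pmech;
	mechlist_t *pcur = NULL;
	mechlist_t *phead = NULL;
	char *mechliststr;
	char *curmech;
	int c;

	for (c = 0; c < argc; c++) {
		if (strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0 &&
		    strlen(argv[c]) > strlen(KN_MECH)) {
			break;
		}
	}
	if (c >= argc) {
		return (mech_operand_missing(quiet));
	}

	(void) strtok(argv[c], "=");
	mechliststr = strtok(NULL, "=");
	/*
	 * "mechanism==" passes the length test above yet leaves strtok()
	 * nothing but delimiters, so mechliststr is NULL here; the old code
	 * then dereferenced it in strcmp().  Treat it as a missing operand.
	 */
	if (mechliststr == NULL) {
		return (mech_operand_missing(quiet));
	}

	if (strcmp(mechliststr, "all") == 0) {
		allflag = B_TRUE;
		mecharglist = NULL;
		return (SUCCESS);
	}

	/* likewise a value made only of commas names no mechanism at all */
	if ((curmech = strtok(mechliststr, ",")) == NULL) {
		return (mech_operand_missing(quiet));
	}

	do {
		if ((pmech = create_mech(curmech)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			free_mechlist(phead);
			return (FAILURE);
		}
		if (phead == NULL) {
			phead = pmech;
		} else {
			pcur->next = pmech;
		}
		pcur = pmech;
	} while ((curmech = strtok(NULL, ",")) != NULL);

	mecharglist = phead;
	return (SUCCESS);
}



/*
 * The top level function for the list subcommand and options.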
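*/

/*
 * Helper for do_list(): kernel-provider policy can only be read from the
 * global zone.  Returns B_TRUE in the global zone; otherwise prints the
 * error and returns B_FALSE.
 */
static boolean_t
kef_policy_zone_ok(void)
{
	if (getzoneid() == GLOBAL_ZONEID) {
		return (B_TRUE);
	}
	/*
	 * TRANSLATION_NOTE:
	 * "global" is keyword and not to be translated.
	 */
	cryptoerror(LOG_STDERR, gettext(
	    "policy information for kernel "
	    "providers is available "
	    "in the %s zone only"), "global");
	return (B_FALSE);
}

/*
 * Helper for do_list(): list mechanisms (-m/-v) or policy (-p) for one
 * named, non-metaslot provider.  Returns the listing routine's status,
 * ERROR_USAGE (after printing usage) when no listing flag was given, or
 * FAILURE for a kernel-policy query outside the global zone or for an
 * unexpected provider type.
 */
static int
list_for_provider(cryptoadm_provider_t *prov, boolean_t mflag,
    boolean_t pflag, boolean_t vflag)
{
	int rc;

	if (mflag || vflag) {
		if (vflag) {
			(void) printf(gettext("Provider: %s\n"),
			    prov->cp_name);
		}
		switch (prov->cp_type) {
		case PROV_UEF_LIB:
			rc = list_mechlist_for_lib(prov->cp_name,
			    mecharglist, NULL, B_FALSE, vflag, mflag);
			break;
		case PROV_KEF_SOFT:
			rc = list_mechlist_for_soft(prov->cp_name);
			break;
		case PROV_KEF_HARD:
			rc = list_mechlist_for_hard(prov->cp_name);
			break;
		default:	/* should not come here */
			rc = FAILURE;
			break;
		}
	} else if (pflag) {
		switch (prov->cp_type) {
		case PROV_UEF_LIB:
			rc = list_policy_for_lib(prov->cp_name);
			break;
		case PROV_KEF_SOFT:
			rc = kef_policy_zone_ok() ?
			    list_policy_for_soft(prov->cp_name) : FAILURE;
			break;
		case PROV_KEF_HARD:
			rc = kef_policy_zone_ok() ?
			    list_policy_for_hard(prov->cp_name) : FAILURE;
			break;
		default:	/* should not come here */
			rc = FAILURE;
			break;
		}
	} else {
		/* error message */
		usage();
		rc = ERROR_USAGE;
	}
	return (rc);
}

/*
 * The list subcommand: "cryptoadm list [-mpv] [provider=<> | metaslot]
 * [mechanism=<>]".  argc/argv are the full command line; the leading
 * "cryptoadm" is dropped so argv[0] is the "list" keyword.  Returns the
 * listing routine's status, or ERROR_USAGE after printing usage for bad
 * options, too many operands or an unparsable provider name.
 */
static int
do_list(int argc, char **argv)
{
	boolean_t mflag = B_FALSE;
	boolean_t pflag = B_FALSE;
	boolean_t vflag = B_FALSE;
	int ch;		/* int, not char: getopt() returns int and EOF */
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	argc -= 1;
	argv += 1;

	if (argc == 1) {
		rc = list_simple_for_all(B_FALSE);
		goto out;
	}

	/*
	 * [-v] [-m] [-p] [provider=<>] [mechanism=<>]
	 *
	 * Too many operands is a usage error; the old code printed usage
	 * but then exited SUCCESS.
	 */
	if (argc > 5) {
		usage();
		return (ERROR_USAGE);
	}

	/* -p is exclusive with -m and -v, in whichever order they appear */
	while ((ch = getopt(argc, argv, "mpv")) != EOF) {
		switch (ch) {
		case 'm':
			mflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'p':
			pflag = B_TRUE;
			if (mflag || vflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'v':
			vflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		default:
			rc = ERROR_USAGE;
			break;
		}
	}

	if (rc == ERROR_USAGE) {
		usage();
		return (rc);
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	prov = get_provider(argc, argv);

	if (mflag || vflag) {
		/*
		 * A mechanism list is optional for list: ERROR_USAGE from
		 * process_mech_operands() only means none was given, so
		 * only an allocation failure aborts.
		 */
		rc = process_mech_operands(argc, argv, B_TRUE);
		if (rc == FAILURE) {
			goto out;
		}
		rc = SUCCESS;
		/* "-m" is implied when a mechanism list is given */
		if (mecharglist != NULL || allflag) {
			mflag = B_TRUE;
		}
	}

	if (prov == NULL) {
		/*
		 * No provider named: list across all providers.  With no
		 * flag at all nothing is listed and SUCCESS is returned, as
		 * before.
		 */
		if (mflag) {
			rc = list_mechlist_for_all(vflag);
		} else if (pflag) {
			rc = list_policy_for_all();
		} else if (vflag) {
			rc = list_simple_for_all(vflag);
		}
	} else if (prov->cp_type == METASLOT) {
		/*
		 * getopt() above never lets -p coexist with -m/-v, so
		 * metaslot is either a policy listing or an info listing
		 * (the latter also covers "no flag at all").
		 */
		if (pflag) {
			rc = list_metaslot_policy();
		} else {
			rc = list_metaslot_info(mflag, vflag, mecharglist);
		}
	} else if (prov->cp_type == PROV_BADNAME) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	} else {
		/* do the listing for a provider only */
		rc = list_for_provider(prov, mflag, pflag, vflag);
	}

out:
	free(prov);

	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
		mecharglist = NULL;	/* don't leave a dangling static */
	}
	return (rc);
}


/*
 * The top level function for the disable subcommand.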
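 */
/*
 * The top level function for the disable subcommand.
 *
 * argv holds "cryptoadm disable <provider> [operands]"; 3 to 5 words are
 * accepted.  The feature and mechanism operands are parsed into the
 * file-scope state (allflag, rndflag, mecharglist) by the process_*
 * helpers, then the disable_* routine for the provider type runs.
 *
 * Returns ERROR_USAGE for malformed arguments, FAILURE for a bad provider
 * name or a kernel-provider request outside the global zone, otherwise the
 * status of the disable_* call.  prov and mecharglist are released on every
 * path that reaches out:.
 */
static int
do_disable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	boolean_t auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 5)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	/*
	 * From here on prov is owned by this function; every error exit
	 * goes through out: so it (and any partial mecharglist) is freed.
	 */
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/*
	 * If allflag or rndflag has already been set there is no reason to
	 * process mech=
	 */
	if (prov->cp_type == METASLOT) {
		if ((argc > 3) &&
		    (rc = process_metaslot_operands(argc, argv,
		    NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
			usage();
			goto out;
		}
	} else if (!allflag && !rndflag &&
	    (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = disable_metaslot(mecharglist, allflag,
		    auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
		/* "random" alone is expressed as a one-entry mechanism list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		/* kernel provider policy is only administered from the global zone */
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_software(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE:
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	case PROV_KEF_HARD:
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_hardware(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE:
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	default:	/* should not come here */
		rc = FAILURE;
		break;
	}

out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * The top level function for the enable subcommand.
 *
 * argv holds "cryptoadm enable <provider> [operands]".  A metaslot request
 * accepts up to 6 words (token/slot/default/auto-key-migrate operands);
 * every other provider type takes exactly 4.
 *
 * Returns ERROR_USAGE for malformed arguments, FAILURE for a bad provider
 * name, a conflicting metaslot operand set, or a kernel-provider request
 * outside the global zone, otherwise the status of the enable_* call.
 * prov, mecharglist, alt_token and alt_slot are released at out:.
 */
static int
do_enable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	char *alt_token = NULL, *alt_slot = NULL;
	boolean_t use_default = B_FALSE, auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 6)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	/* prov is owned from here: all later exits go through out: */
	if ((prov->cp_type != METASLOT) && (argc != 4)) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == METASLOT) {
		if ((rc = process_metaslot_operands(argc, argv, &alt_token,
		    &alt_slot, &use_default, &auto_key_migrate_flag))
		    != SUCCESS) {
			usage();
			goto out;
		}
		/* an explicit token/slot and "default" are mutually exclusive */
		if ((alt_slot || alt_token) && use_default) {
			usage();
			rc = FAILURE;
			goto out;
		}
	} else {
		if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
			goto out;
		}

		/*
		 * If allflag or rndflag has already been set there is
		 * no reason to process mech=
		 */
		if (!allflag && !rndflag &&
		    (rc = process_mech_operands(argc, argv, B_FALSE))
		    != SUCCESS) {
			goto out;
		}
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = enable_metaslot(alt_token, alt_slot, use_default,
		    mecharglist, allflag, auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		/* "random" alone is expressed as a one-entry mechanism list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		/* kernel provider policy is only administered from the global zone */
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = enable_kef(prov->cp_name, rndflag, allflag,
			    mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE:
			 * "enable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "enable", "global");
			rc = FAILURE;
		}
		break;
	default:	/* should not come here */
		rc = FAILURE;
		break;
	}
out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	/* free(NULL) is a no-op, so the unset metaslot operands need no guard */
	free(alt_token);
	free(alt_slot);
	return (rc);
}



/*
 * The top level function for the install subcommand.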
 */
/*
 * The top level function for the install subcommand.
 *
 * "cryptoadm install <provider> [mechanism operands]".  A user-level
 * library is handed to install_uef_lib(); a kernel software provider
 * needs mechanism operands (never the "all" keyword) and is installed
 * through install_kef() from the global zone only.  Hardware providers
 * and unrecognised names are rejected.
 *
 * Returns ERROR_USAGE for argument problems, FAILURE for a bad name or a
 * non-global zone, otherwise the status of the install routine.
 */
static int
do_install(int argc, char **argv)
{
	cryptoadm_provider_t *provider;
	int ret = SUCCESS;

	if (argc < 3) {
		usage();
		return (ERROR_USAGE);
	}

	provider = get_provider(argc, argv);
	if (provider == NULL || provider->cp_type == PROV_BADNAME ||
	    provider->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE:
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "install");
		ret = FAILURE;
	} else if (provider->cp_type == PROV_UEF_LIB) {
		ret = install_uef_lib(provider->cp_name);
	} else if (argc < 4) {
		/* kernel software provider without any mechanism operand */
		/*
		 * TRANSLATION_NOTE:
		 * "mechanism" could be either a literal keyword and hence
		 * not to be translated, or a descriptive word and
		 * translatable. A choice was made to view it as a literal
		 * keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("need %s operands for installing a"
		    " kernel software provider."), "mechanism");
		ret = ERROR_USAGE;
	} else if ((ret = process_mech_operands(argc, argv, B_FALSE)) ==
	    SUCCESS) {
		if (allflag == B_TRUE) {
			/*
			 * TRANSLATION_NOTE:
			 * "all", "mechanism", and "install" are all keywords
			 * and not to be translated.
			 */
			cryptoerror(LOG_STDERR,
			    gettext("can not use the %1$s keyword for %2$s "
			    "in the %3$s subcommand."), "all", "mechanism",
			    "install");
			ret = ERROR_USAGE;
		} else if (getzoneid() == GLOBAL_ZONEID) {
			/* NOTE(review): mecharglist is not released here */
			ret = install_kef(provider->cp_name, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE:
			 * "install" could be either a literal keyword and
			 * hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as a
			 * literal keyword. "global" is keyword and not to be
			 * translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "install", "global");
			ret = FAILURE;
		}
	}

	free(provider);
	return (ret);
}



/*
 * The top level function for the uninstall subcommand.
 *
 * "cryptoadm uninstall <provider>" (exactly 3 words).  User-level
 * libraries go through uninstall_uef_lib(); kernel software providers go
 * through uninstall_kef() and only from the global zone.  Any other
 * provider type is left untouched and reported as SUCCESS.
 *
 * Returns ERROR_USAGE for a wrong word count, FAILURE for a bad or
 * hardware provider name or a non-global zone, else the routine's status.
 */
static int
do_uninstall(int argc, char **argv)
{
	cryptoadm_provider_t *provider;
	int ret = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	provider = get_provider(argc, argv);
	if (provider == NULL || provider->cp_type == PROV_BADNAME ||
	    provider->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE:
		 * "uninstall" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "uninstall");
		ret = FAILURE;
	} else {
		switch (provider->cp_type) {
		case PROV_UEF_LIB:
			ret = uninstall_uef_lib(provider->cp_name);
			break;
		case PROV_KEF_SOFT:
			if (getzoneid() == GLOBAL_ZONEID) {
				ret = uninstall_kef(provider->cp_name);
			} else {
				/*
				 * TRANSLATION_NOTE:
				 * "uninstall" could be either a literal
				 * keyword and hence not to be translated, or
				 * a verb and translatable. A choice was made
				 * to view it as a literal keyword. "global"
				 * is keyword and not to be translated.
				 */
				cryptoerror(LOG_STDERR, gettext("%1$s for "
				    "kernel providers is supported in the "
				    "%2$s zone only"), "uninstall", "global");
				ret = FAILURE;
			}
			break;
		default:
			/* other provider types: nothing to do, ret is SUCCESS */
			break;
		}
	}

	free(provider);
	return (ret);
}


/*
 * The top level function for the unload subcommand.
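 */
/*
 * The top level function for the unload subcommand.
 *
 * "cryptoadm unload <provider>" (exactly 3 words).  Only a kernel
 * software provider that is present in kcf.conf may be unloaded, and only
 * from the global zone.  A provider that is already inactive is treated
 * as success.
 *
 * Returns ERROR_USAGE for a wrong word count; FAILURE when the provider
 * name cannot be determined, is not a kernel software provider, is not in
 * kcf.conf, its state cannot be read, or unload_kef_soft() fails;
 * otherwise SUCCESS.  prov is released at out: on every path.
 */
static int
do_unload(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	entry_t *pent;
	boolean_t is_active = B_FALSE;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	/* check if it is a kernel software provider */
	prov = get_provider(argc, argv);
	if (prov == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("unable to determine provider name."));
		/*
		 * An error has been reported, so exit non-zero; previously
		 * this path fell through with rc still SUCCESS.
		 */
		rc = FAILURE;
		goto out;
	}
	if (prov->cp_type != PROV_KEF_SOFT) {
		cryptoerror(LOG_STDERR,
		    gettext("%s is not a valid kernel software provider."),
		    prov->cp_name);
		rc = FAILURE;
		goto out;
	}

	/* kernel providers are only administered from the global zone */
	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE:
		 * "unload" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable.
		 * A choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "unload", "global");
		rc = FAILURE;
		goto out;
	}

	/* Check if it is in the kcf.conf file first */
	if ((pent = getent_kef(prov->cp_name)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("provider %s does not exist."), prov->cp_name);
		rc = FAILURE;
		goto out;
	}
	/* only existence matters here; the entry itself is not used */
	free_entry(pent);

	/* If it is unloaded already, return */
	if (check_active_for_soft(prov->cp_name, &is_active) == FAILURE) {
		cryptodebug("internal error");
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), prov->cp_name);
		rc = FAILURE;
		goto out;
	}

	if (is_active == B_FALSE) {	/* unloaded already */
		rc = SUCCESS;
		goto out;
	}

	/* NOTE(review): the B_TRUE argument's meaning is defined by unload_kef_soft() */
	if (unload_kef_soft(prov->cp_name, B_TRUE) == FAILURE) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), prov->cp_name);
		rc = FAILURE;
	} else {
		rc = SUCCESS;
	}
out:
	free(prov);
	return (rc);
}



/*
 * The top level function for the refresh subcommand.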
 */
/*
 * The top level function for the refresh subcommand.
 *
 * "cryptoadm refresh" takes no operand (argc must be 2).  Outside the
 * global zone nothing is done and SUCCESS is returned, so that the SMF
 * method "svcadm refresh cryptosvc" does not fail there; in the global
 * zone the result of refresh() is returned.
 */
static int
do_refresh(int argc)
{
	boolean_t in_global_zone;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	/*
	 * Note: in non-global zone, this must silently return SUCCESS
	 * due to integration with SMF, for "svcadm refresh cryptosvc"
	 */
	in_global_zone = (getzoneid() == GLOBAL_ZONEID);
	return (in_global_zone ? refresh() : SUCCESS);
}


/*
 * The top level function for the start subcommand.
 *
 * "cryptoadm start" takes no operand.  The configuration is refreshed
 * first (through do_refresh(), which repeats the argc check); a refresh
 * failure is returned as-is, otherwise the daemon is started and the
 * status of start_daemon() is returned.
 */
static int
do_start(int argc)
{
	int rc;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	if ((rc = do_refresh(argc)) != SUCCESS) {
		return (rc);
	}

	return (start_daemon());
}

/*
 * The top level function for the stop subcommand.
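 */
/*
 * The top level function for the stop subcommand.
 *
 * "cryptoadm stop" takes no operand (argc must be 2); returns ERROR_USAGE
 * otherwise, else the status of stop_daemon().
 */
static int
do_stop(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	return (stop_daemon());
}



/*
 * List all the providers.
 *
 * Prints the user-level providers (from pkcs11.conf, metaslot omitted,
 * with their mechanism list when verbose), the kernel software providers
 * (from kcf.conf in the global zone, marking inactive ones; from
 * /dev/cryptoadm elsewhere) and the kernel hardware providers as
 * "name/instance".
 *
 * Each section is attempted even if an earlier one failed; returns
 * FAILURE if any section could not be retrieved, else SUCCESS.
 */
static int
list_simple_for_all(boolean_t verbose)
{
	/*
	 * Initialised to NULL so that a failed get_pkcs11conf_info() leaves
	 * nothing to walk or free instead of an indeterminate pointer.
	 */
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr;
	entrylist_t *pdevlist_conf;
	entrylist_t *psoftlist_conf;
	entrylist_t *pdevlist_zone;
	entrylist_t *psoftlist_zone;
	entrylist_t *ptr;
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	boolean_t is_active = B_FALSE;
	int ru = SUCCESS;	/* user-level section status */
	int rs = SUCCESS;	/* kernel software section status */
	int rd = SUCCESS;	/* kernel hardware section status */
	int i;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of user-level providers."));
		ru = FAILURE;
	}
	plibptr = pliblist;
	while (plibptr != NULL) {
		/* skip metaslot entry */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("Provider: %s\n"),
			    plibptr->puent->name);
			if (verbose) {
				(void) list_mechlist_for_lib(
				    plibptr->puent->name, mecharglist, NULL,
				    B_FALSE, verbose, B_FALSE);
				(void) printf("\n");
			}
		}
		plibptr = plibptr->next;
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	if (getzoneid() == GLOBAL_ZONEID) {
		/* use kcf.conf for kernel software providers in global zone */
		pdevlist_conf = NULL;
		psoftlist_conf = NULL;

		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rs = FAILURE;
		}

		ptr = psoftlist_conf;
		while (ptr != NULL) {
			if (check_active_for_soft(ptr->pent->name, &is_active)
			    == FAILURE) {
				rs = FAILURE;
				cryptoerror(LOG_STDERR, gettext("failed to "
				    "get the state of a kernel software "
				    "providers.\n"));
				break;
			}

			(void) printf("\t%s", ptr->pent->name);
			if (is_active == B_FALSE) {
				(void) printf(gettext(" (inactive)\n"));
			} else {
				(void) printf("\n");
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_conf);
		free_entrylist(psoftlist_conf);
	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		pdevlist_zone = NULL;
		psoftlist_zone = NULL;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rs = FAILURE;
		}

		ptr = psoftlist_zone;
		while (ptr != NULL) {
			(void) printf("\t%s\n", ptr->pent->name);
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* get kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	if (get_dev_list(&pdevlist_kernel) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of kernel hardware providers.\n"));
		rd = FAILURE;
	} else {
		for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
			(void) printf("\t%s/%d\n",
			    pdevlist_kernel->dl_devs[i].le_dev_name,
			    pdevlist_kernel->dl_devs[i].le_dev_instance);
		}
	}
	/* still NULL when get_dev_list() failed; free(NULL) is a no-op */
	free(pdevlist_kernel);

	if (ru == FAILURE || rs == FAILURE || rd == FAILURE) {
		return (FAILURE);
	}
	return (SUCCESS);
}



/*
 * List all the providers. And for each provider, list the mechanism list.
 *
 * Same three sections as list_simple_for_all(), but every provider is
 * followed by its mechanism list: list_mechlist_for_lib() for user-level
 * libraries, list_mechlist_for_soft() for active kernel software
 * providers, and get_dev_info()/print_mechlist() (with the random
 * mechanism filtered out) for kernel hardware providers.
 *
 * Returns FAILURE if any list or mechanism list could not be retrieved,
 * else SUCCESS.  A failed get_dev_list() returns immediately.
 */
static int
list_mechlist_for_all(boolean_t verbose)
{
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	/*
	 * Initialised to NULL so that a failed get_pkcs11conf_info() leaves
	 * nothing to walk or free instead of an indeterminate pointer.
	 */
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr;
	entrylist_t *pdevlist_conf;
	entrylist_t *psoftlist_conf;
	entrylist_t *pdevlist_zone;
	entrylist_t *psoftlist_zone;
	entrylist_t *ptr;
	mechlist_t *pmechlist;
	boolean_t is_active = B_FALSE;
	char provname[MAXNAMELEN];
	char devname[MAXNAMELEN];
	int inst_num;
	int count;
	int i;
	int rv;
	int rc = SUCCESS;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
		rc = FAILURE;
	}

	plibptr = pliblist;
	while (plibptr != NULL) {
		/* skip metaslot entry */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("\nProvider: %s\n"),
			    plibptr->puent->name);
			rv = list_mechlist_for_lib(plibptr->puent->name,
			    mecharglist, NULL, B_FALSE, verbose, B_TRUE);
			if (rv == FAILURE) {
				rc = FAILURE;
			}
		}
		plibptr = plibptr->next;
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (getzoneid() == GLOBAL_ZONEID) {
		/* use kcf.conf for kernel software providers in global zone */
		pdevlist_conf = NULL;
		psoftlist_conf = NULL;

		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR, gettext("failed to retrieve "
			    "the list of kernel software providers.\n"));
			rc = FAILURE;
		}

		ptr = psoftlist_conf;
		while (ptr != NULL) {
			if (check_active_for_soft(ptr->pent->name, &is_active)
			    == SUCCESS) {
				if (is_active) {
					rv = list_mechlist_for_soft(
					    ptr->pent->name);
					if (rv == FAILURE) {
						rc = FAILURE;
					}
				} else {
					(void) printf(gettext(
					    "%s: (inactive)\n"),
					    ptr->pent->name);
				}
			} else {
				/* should not happen */
				(void) printf(gettext(
				    "%s: failed to get the mechanism list.\n"),
				    ptr->pent->name);
				rc = FAILURE;
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_conf);
		free_entrylist(psoftlist_conf);
	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		pdevlist_zone = NULL;
		psoftlist_zone = NULL;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR, gettext("failed to retrieve "
			    "the list of kernel software providers.\n"));
			rc = FAILURE;
		}

		ptr = psoftlist_zone;
		while (ptr != NULL) {
			rv = list_mechlist_for_soft(ptr->pent->name);
			if (rv == FAILURE) {
				(void) printf(gettext(
				    "%s: failed to get the mechanism list.\n"),
				    ptr->pent->name);
				rc = FAILURE;
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* Get kernel hardware providers and their mechanism lists */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of hardware providers.\n"));
		return (FAILURE);
	}

	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
		/* bounded copy: le_dev_name may be longer than MAXNAMELEN */
		(void) strlcpy(devname,
		    pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN);
		inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance;
		count = pdevlist_kernel->dl_devs[i].le_mechanism_count;
		(void) snprintf(provname, sizeof (provname), "%s/%d", devname,
		    inst_num);
		if (get_dev_info(devname, inst_num, count, &pmechlist) ==
		    SUCCESS) {
			(void) filter_mechlist(&pmechlist, RANDOM);
			print_mechlist(provname, pmechlist);
			free_mechlist(pmechlist);
		} else {
			(void) printf(gettext("%s: failed to get the mechanism"
			    " list.\n"), provname);
			rc = FAILURE;
		}
	}
	free(pdevlist_kernel);
	return (rc);
}


/*
 * List all the providers. And for each provider, list the policy information.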
*/

/*
 * Walk the three provider classes in the order cryptoadm prints them:
 * user-level providers from pkcs11.conf, kernel software providers from
 * kcf.conf, and kernel hardware providers as reported by the kernel.  Each
 * class gets a heading, then one policy line per provider.
 *
 * Kernel policy (kcf.conf) is only readable in the global zone; in any other
 * zone an error is reported under the kernel headings and FAILURE is
 * returned once the hardware heading has been printed.
 *
 * Returns FAILURE if a provider list cannot be obtained, if run outside the
 * global zone, or if print_uef_policy() fails for a user-level provider.
 * NOTE(review): the results of list_policy_for_soft() and
 * list_policy_for_hard() are discarded, so rc never reflects a failure in
 * the kernel sections.
 */
static int
list_policy_for_all(void)
{
	crypto_get_dev_list_t *hwlist = NULL;	/* devices known to the kernel */
	uentrylist_t *ulist = NULL;		/* pkcs11.conf entries */
	entrylist_t *hwconf = NULL;		/* kcf.conf hardware entries */
	entrylist_t *swconf = NULL;		/* kcf.conf software entries */
	entrylist_t *cur;
	entrylist_t *prev;
	boolean_t in_global;
	char provname[MAXNAMELEN];
	int idx;
	int rc = SUCCESS;

	/* User-level providers. */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));
	if (get_pkcs11conf_info(&ulist) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
	} else {
		uentrylist_t *u;

		for (u = ulist; u != NULL; u = u->next) {
			/* skip metaslot entry */
			if (strcmp(u->puent->name, METASLOT_KEYWORD) == 0) {
				continue;
			}
			if (print_uef_policy(u->puent) == FAILURE) {
				rc = FAILURE;
			}
		}
		free_uentrylist(ulist);
	}

	/* Kernel software providers. */
	(void) printf(gettext("\nKernel software providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	in_global = (getzoneid() == GLOBAL_ZONEID);
	if (in_global) {
		/* kcf.conf is the source of truth for kernel providers here */
		if (get_kcfconf_info(&hwconf, &swconf) == FAILURE) {
			cryptoerror(LOG_STDERR, gettext(
			    "failed to retrieve the list of kernel "
			    "providers.\n"));
			return (FAILURE);
		}

		for (cur = swconf; cur != NULL; cur = cur->next) {
			(void) list_policy_for_soft(cur->pent->name);
		}
		free_entrylist(swconf);
	} else {
		/* no kcf.conf in a non-global zone, so no policy to show */

		/*
		 * TRANSLATION_NOTE:
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel software providers is "
		    "available in the %s zone only"), "global");
	}

	/* Kernel hardware providers. */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE:
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	if (!in_global) {
		/*
		 * TRANSLATION_NOTE:
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel hardware providers is "
		    "available in the %s zone only"), "global");
		return (FAILURE);
	}

	/* Ask the kernel which hardware providers are attached. */
	if (get_dev_list(&hwlist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of hardware providers.\n"));
		free_entrylist(hwconf);
		return (FAILURE);
	}

	/*
	 * Match each attached device against kcf.conf by its "name/instance"
	 * string.  A matched entry is printed from the config and unlinked
	 * from hwconf so that only detached providers remain afterwards.  A
	 * device without a config entry has no disabled mechanisms, but
	 * list_policy_for_hard() is still called to account for the "random"
	 * feature.
	 */
	for (idx = 0; idx < hwlist->dl_dev_count; idx++) {
		(void) snprintf(provname, sizeof (provname), "%s/%d",
		    hwlist->dl_devs[idx].le_dev_name,
		    hwlist->dl_devs[idx].le_dev_instance);

		prev = NULL;
		for (cur = hwconf; cur != NULL; prev = cur, cur = cur->next) {
			if (strcmp(cur->pent->name, provname) == 0) {
				break;
			}
		}

		if (cur == NULL) {
			(void) list_policy_for_hard(provname);
			continue;
		}

		(void) list_policy_for_hard(cur->pent->name);

		/* unlink the matched node; prev == NULL means it was the head */
		if (prev == NULL) {
			hwconf = cur->next;
		} else {
			prev->next = cur->next;
		}
		free_entry(cur->pent);
		free(cur);
	}

	/*
	 * Anything still in hwconf has a config entry but no attached device:
	 * the provider is detached.  Its policy is printed all the same.
	 */
	for (cur = hwconf; cur != NULL; cur = cur->next) {
		print_kef_policy(cur->pent, B_FALSE, B_TRUE);
	}

	free_entrylist(hwconf);
	free(hwlist);

	return (rc);
}