10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 51971Skrishna * Common Development and Distribution License (the "License"). 61971Skrishna * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*7334SDaniel.Anderson@Sun.COM * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 
*/


#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Smallest argc accepted: the program name plus one subcommand keyword. */
#define	REQ_ARG_CNT	2

/*
 * Subcommand index.  Each value is the position of the matching keyword
 * in cmd_table[] below, so the two lists must be kept in the same order.
 */
enum subcommand_index {
	CRYPTO_LIST = 0,
	CRYPTO_DISABLE = 1,
	CRYPTO_ENABLE = 2,
	CRYPTO_INSTALL = 3,
	CRYPTO_UNINSTALL = 4,
	CRYPTO_UNLOAD = 5,
	CRYPTO_REFRESH = 6,
	CRYPTO_START = 7,
	CRYPTO_STOP = 8,
	CRYPTO_HELP = 9
};

/*
 * TRANSLATION_NOTE
 * Command keywords are not to be translated.
 */
static char *cmd_table[] = {
	"list",		/* CRYPTO_LIST */
	"disable",	/* CRYPTO_DISABLE */
	"enable",	/* CRYPTO_ENABLE */
	"install",	/* CRYPTO_INSTALL */
	"uninstall",	/* CRYPTO_UNINSTALL */
	"unload",	/* CRYPTO_UNLOAD */
	"refresh",	/* CRYPTO_REFRESH */
	"start",	/* CRYPTO_START */
	"stop",		/* CRYPTO_STOP */
	"--help"	/* CRYPTO_HELP */
};

/*
 * Provider type, as classified by get_provider_type() from the spelling
 * of the provider= operand (see that function for the exact rules).
 */
enum provider_type_index {
	PROV_UEF_LIB = 0,	/* provname is an absolute path name */
	PROV_KEF_SOFT = 1,	/* provname is a base name only */
	PROV_KEF_HARD = 2,	/* provname has exactly one, non-leading slash */
	METASLOT = 3,		/* the "metaslot" keyword was given */
	PROV_BADNAME = 4	/* anything else, or an empty provider= */
};

/* A parsed provider= (or metaslot) operand; built by get_provider(). */
typedef struct {
	char cp_name[MAXPATHLEN];	/* provider name, NUL-terminated */
	enum provider_type_index cp_type;
} cryptoadm_provider_t;

/*
 * TRANSLATION_NOTE
 * Operand keywords are not to be translated.
*/
static const char *KN_PROVIDER = "provider=";
static const char *KN_MECH = "mechanism=";
static const char *KN_ALL = "all";
static const char *KN_TOKEN = "token=";
static const char *KN_SLOT = "slot=";
static const char *KN_DEFAULT_KS = "default-keystore";
static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";

/*
 * static variables: results of operand parsing, shared between the
 * process_*_operands() helpers and the do_*() subcommand functions.
 */
static boolean_t allflag = B_FALSE;	/* "all" or mechanism=all was given */
static boolean_t rndflag = B_FALSE;	/* "random" or "all" was given */
static mechlist_t *mecharglist = NULL;	/* list built from mechanism=<list> */

/* static functions */
static void usage(void);
static int get_provider_type(char *);
static int process_mech_operands(int, char **, boolean_t);
static int do_list(int, char **);
static int do_disable(int, char **);
static int do_enable(int, char **);
static int do_install(int, char **);
static int do_uninstall(int, char **);
static int do_unload(int, char **);
static int do_refresh(int);
static int do_start(int);
static int do_stop(int);
static int list_simple_for_all(boolean_t);
static int list_mechlist_for_all(boolean_t);
static int list_policy_for_all(void);

/*
 * Entry point.  Looks argv[1] up in cmd_table[] and dispatches to the
 * matching do_*() handler.  Returns that handler's status, or ERROR_USAGE
 * (after printing usage) when the subcommand is missing or unknown.
 */
int
main(int argc, char *argv[])
{
	const int cmdnum = sizeof (cmd_table) / sizeof (cmd_table[0]);
	int cmd_index;
	int rc = SUCCESS;
	char *subcmd;

	(void) setlocale(LC_ALL, "");

#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	cryptodebug_init(basename(argv[0]));

	if (argc < REQ_ARG_CNT) {
		usage();
		return (ERROR_USAGE);
	}

	/* map the subcommand keyword to its position in cmd_table[] */
	subcmd = argv[1];
	for (cmd_index = 0; cmd_index < cmdnum; cmd_index++) {
		if (strcmp(subcmd, cmd_table[cmd_index]) == 0) {
			break;
		}
	}
	if (cmd_index == cmdnum) {
		usage();
		return (ERROR_USAGE);
	}

	/* do the subcommand */
	switch (cmd_index) {
	case CRYPTO_LIST:
		rc = do_list(argc, argv);
		break;
	case CRYPTO_DISABLE:
		rc = do_disable(argc, argv);
		break;
	case CRYPTO_ENABLE:
		rc = do_enable(argc, argv);
		break;
	case CRYPTO_INSTALL:
		rc = do_install(argc, argv);
		break;
	case CRYPTO_UNINSTALL:
		rc = do_uninstall(argc, argv);
		break;
	case CRYPTO_UNLOAD:
		rc = do_unload(argc, argv);
		break;
	case CRYPTO_REFRESH:
		rc = do_refresh(argc);
		break;
	case CRYPTO_START:
		rc = do_start(argc);
		break;
	case CRYPTO_STOP:
		rc = do_stop(argc);
		break;
	case CRYPTO_HELP:
		usage();
		rc = SUCCESS;
		break;
	default:	/* should not come here */
		usage();
		rc = ERROR_USAGE;
		break;
	}
	return (rc);
}


/*
 * Print the usage summary for every subcommand to stderr.
 */
static void
usage(void)
{
	/*
	 * TRANSLATION_NOTE
	 * Command usage is not to be translated.  Only the word "Usage:"
	 * along with localized expressions indicating what kind of value
	 * is expected for arguments.
	 */
	const char *prov_name = gettext("provider-name");
	const char *mech_list = gettext("mechanism-list");

	(void) fprintf(stderr, gettext("Usage:\n"));
	(void) fprintf(stderr,
	    " cryptoadm list [-mpv] [provider=<%s> | metaslot]"
	    " [mechanism=<%s>]\n",
	    prov_name, mech_list);
	(void) fprintf(stderr,
	    " cryptoadm disable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    prov_name, mech_list);
	(void) fprintf(stderr,
	    " cryptoadm disable metaslot"
	    " [auto-key-migrate] [mechanism=<%s>]\n",
	    mech_list);
	(void) fprintf(stderr,
	    " cryptoadm enable provider=<%s>"
	    " mechanism=<%s> | random | all\n",
	    prov_name, mech_list);
	(void) fprintf(stderr,
	    " cryptoadm enable metaslot [mechanism=<%s>]"
	    " [[token=<%s>] [slot=<%s>]"
	    " | [default-keystore]] | [auto-key-migrate]\n",
	    mech_list, gettext("token-label"),
	    gettext("slot-description"));
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s>\n",
	    prov_name);
	(void) fprintf(stderr,
	    " cryptoadm install provider=<%s> [mechanism=<%s>]\n",
	    prov_name, mech_list);
	(void) fprintf(stderr,
	    " cryptoadm uninstall provider=<%s>\n",
	    prov_name);
	(void) fprintf(stderr,
	    " cryptoadm unload provider=<%s>\n",
	    prov_name);
	(void) fprintf(stderr,
	    " cryptoadm refresh\n"
	    " cryptoadm start\n"
	    " cryptoadm stop\n"
	    " cryptoadm --help\n");
}


/*
 * Get the provider type.  This function returns
 * - PROV_UEF_LIB if provname contains an absolute path name
 * - PROV_KEF_SOFT if provname is a base name only
 * - PROV_KEF_HARD if provname contains one slash only and the slash is not
 *   the 1st character.
 * - PROV_BADNAME otherwise.
 * - FAILURE if provname is NULL.
 */
static int
get_provider_type(char *provname)
{
	char *first_slash;
	char *last_slash;

	if (provname == NULL) {
		return (FAILURE);
	}
	if (provname[0] == '/') {
		return (PROV_UEF_LIB);
	}
	first_slash = strchr(provname, SEP_SLASH);
	if (first_slash == NULL) {
		/* no slash at all */
		return (PROV_KEF_SOFT);
	}
	/* exactly one slash when the first and last occurrences coincide */
	last_slash = strrchr(provname, SEP_SLASH);
	return (first_slash == last_slash ? PROV_KEF_HARD : PROV_BADNAME);
}

/*
 * Get the provider structure.
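* This function returns NULL if no valid
 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 * If provider= is found but has no argument, or the argument does not fit
 * in cp_name, then a cryptoadm_provider_t with cp_type = PROV_BADNAME is
 * returned.
 *
 * The scan starts at argv[1] and stops at the first "metaslot" or
 * provider= operand.  argv[] is not modified: the operand is strdup()'d
 * before it is tokenized.  The caller owns the returned structure and
 * must free() it.
 */
static cryptoadm_provider_t *
get_provider(int argc, char **argv)
{
	int c = 0;
	boolean_t found = B_FALSE;
	cryptoadm_provider_t *provider = NULL;
	char *provstr = NULL, *savstr;
	boolean_t is_metaslot = B_FALSE;

	while (!found && ++c < argc) {
		if (strncmp(argv[c], METASLOT_KEYWORD,
		    strlen(METASLOT_KEYWORD)) == 0) {
			is_metaslot = B_TRUE;
			found = B_TRUE;
		} else if (strncmp(argv[c], KN_PROVIDER,
		    strlen(KN_PROVIDER)) == 0 &&
		    strlen(argv[c]) > strlen(KN_PROVIDER)) {
			if ((provstr = strdup(argv[c])) == NULL) {
				int err = errno;
				/*
				 * TRANSLATION_NOTE
				 * "get_provider" is a function name and should
				 * not be translated.
				 */
				cryptoerror(LOG_STDERR, "get_provider: %s.",
				    strerror(err));
				return (NULL);
			}
			found = B_TRUE;
		}
	}
	if (!found)
		return (NULL);

	provider = malloc(sizeof (cryptoadm_provider_t));
	if (provider == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free(provstr);	/* free(NULL) is harmless */
		return (NULL);
	}

	if (is_metaslot) {
		/*
		 * Bound the copy by the destination size, not by
		 * strlen(METASLOT_KEYWORD): strlcpy() writes at most
		 * size-1 characters, so the latter dropped the keyword's
		 * last character from cp_name.
		 */
		(void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
		    sizeof (provider->cp_name));
		provider->cp_type = METASLOT;
	} else {
		savstr = provstr;
		(void) strtok(provstr, "=");
		provstr = strtok(NULL, "=");
		if (provstr == NULL) {
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}

		/*
		 * A name that does not fit is rejected rather than silently
		 * truncated, so a later open/ioctl cannot act on a different
		 * path than the one the operator typed.
		 */
		if (strlcpy(provider->cp_name, provstr,
		    sizeof (provider->cp_name)) >= sizeof (provider->cp_name)) {
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}
		provider->cp_type = get_provider_type(provider->cp_name);

		free(savstr);
	}
	return (provider);
}

/*
 * Process the metaslot operands.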
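*
 * "argc" and "argv" contain values specified on the command line.
 * All other arguments are used for returning parsing results.
 * If any of these arguments are NULL, that keyword is not expected,
 * and FAILURE will be returned.
 *
 * Scanning starts at argv[3] (argv[2] is presumably the metaslot operand
 * the caller already matched).  The values of token= and slot= are
 * strdup()'d into *meta_ks_token and *meta_ks_slot; the caller owns and
 * frees them.  strtok() is applied to argv[c] in place, so a matched
 * argv[] entry is truncated at its '='.
 *
 * Returns SUCCESS, FAILURE (unexpected keyword, missing value, or a
 * failed strdup()), or the status of process_mech_operands() when a
 * mechanism= operand is present.
 */
static int
process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
    char **meta_ks_slot, boolean_t *use_default,
    boolean_t *auto_key_migrate_flag)
{
	int c = 2;
	int rc = SUCCESS;

	while (++c < argc) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {

			/* process mechanism operands */
			if ((rc = process_mech_operands(argc, argv, B_TRUE))
			    != SUCCESS) {
				return (rc);
			}

		} else if ((strncmp(argv[c], KN_TOKEN,
		    strlen(KN_TOKEN)) == 0) &&
		    strlen(argv[c]) > strlen(KN_TOKEN)) {
			if ((meta_ks_token) && (strtok(argv[c], "=") != NULL)) {
				char *tmp;
				/*
				 * A missing value ("token==") and a failed
				 * strdup() are both errors; the latter used
				 * to leave a NULL in *meta_ks_token.
				 */
				if ((tmp = strtok(NULL, "=")) == NULL ||
				    (*meta_ks_token = strdup(tmp)) == NULL) {
					return (FAILURE);
				}
			} else {
				return (FAILURE);
			}

		} else if ((strncmp(argv[c], KN_SLOT,
		    strlen(KN_SLOT)) == 0) &&
		    strlen(argv[c]) > strlen(KN_SLOT)) {

			if ((meta_ks_slot) && (strtok(argv[c], "=") != NULL)) {
				char *tmp;
				/* same checks as for token= above */
				if ((tmp = strtok(NULL, "=")) == NULL ||
				    (*meta_ks_slot = strdup(tmp)) == NULL) {
					return (FAILURE);
				}
			} else {
				return (FAILURE);
			}

		} else if (strncmp(argv[c], KN_DEFAULT_KS,
		    strlen(KN_DEFAULT_KS)) == 0) {

			if (use_default) {
				*use_default = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else if (strncmp(argv[c], KN_AUTO_KEY_MIGRATE,
		    strlen(KN_AUTO_KEY_MIGRATE)) == 0) {

			if (auto_key_migrate_flag) {
				*auto_key_migrate_flag = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else {
			return (FAILURE);
		}
	}
	return (rc);
}

/*
 * Process the "feature" operands: scan argv[3..] for the "all" and
 * random keywords and record them in the static allflag / rndflag.
 * Unknown operands are ignored here (other parsers handle them).
 * Always returns SUCCESS.
 */
static int
process_feature_operands(int argc, char **argv)
{
	int c = 2;

	while (++c < argc) {
		if (strcmp(argv[c], KN_ALL) == 0) {
			allflag = B_TRUE;
			rndflag = B_TRUE; /* all includes random also. */
		} else if (strcmp(argv[c], RANDOM) == 0) {
			rndflag = B_TRUE;
		}
	}
	return (SUCCESS);
}

/*
 * Report a missing mechanism operand (unless quiet) and return the
 * ERROR_USAGE status callers expect for it.
 */
static int
missing_mech_operand(boolean_t quiet)
{
	if (!quiet) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword
		 * and hence not to be translated, or a descriptive
		 * word and translatable.  A choice was made to
		 * view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("the %s operand is missing.\n"),
		    "mechanism");
	}
	return (ERROR_USAGE);
}

/*
 * Process the mechanism operands for the disable, enable and install
 * subcommands.  This function sets the static variable allflag to be B_TRUE
 * if the keyword "all" is specified, otherwise builds a link list of the
 * mechanism operands and saves it in the static variable mecharglist.
 *
 * The first mechanism= operand anywhere in argv[] is used, and strtok()
 * is applied to it in place, so that argv[] entry is truncated at '='.
 *
 * This function returns
 *	ERROR_USAGE: mechanism operand is missing, or "mechanism=" is not
 *	    followed by at least one mechanism name.
 *	FAILURE: out of memory.
 *	SUCCESS: otherwise.
 */
static int
process_mech_operands(int argc, char **argv, boolean_t quiet)
{
	mechlist_t *pmech;
	mechlist_t *pcur = NULL;
	mechlist_t *phead = NULL;
	boolean_t found = B_FALSE;
	char *mechliststr = NULL;
	char *curmech = NULL;
	int c = -1;
	int rc = SUCCESS;

	while (!found && ++c < argc) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {
			found = B_TRUE;
		}
	}
	if (!found) {
		return (missing_mech_operand(quiet));
	}
	(void) strtok(argv[c], "=");
	mechliststr = strtok(NULL, "=");
	if (mechliststr == NULL) {
		/* e.g. "mechanism==": the keyword is there but no list is */
		return (missing_mech_operand(quiet));
	}

	if (strcmp(mechliststr, "all") == 0) {
		allflag = B_TRUE;
		mecharglist = NULL;
		return (SUCCESS);
	}

	curmech = strtok(mechliststr, ",");
	if (curmech == NULL) {
		/* nothing but separators after "mechanism=" */
		return (missing_mech_operand(quiet));
	}
	do {
		if ((pmech = create_mech(curmech)) == NULL) {
			rc = FAILURE;
			break;
		}
		if (phead == NULL) {
			phead = pcur = pmech;
		} else {
			pcur->next = pmech;
			pcur = pmech;
		}
	} while ((curmech = strtok(NULL, ",")) != NULL);

	if (rc == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free_mechlist(phead);
	} else {
		mecharglist = phead;
		rc = SUCCESS;
	}
	return (rc);
}



/*
 * The top level function for the list subcommand and options.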
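*/
static int
do_list(int argc, char **argv)
{
	boolean_t mflag = B_FALSE;
	boolean_t pflag = B_FALSE;
	boolean_t vflag = B_FALSE;
	/*
	 * getopt() returns int.  Storing it in a char only compared equal
	 * to EOF where char is signed; where it is unsigned the loop below
	 * would never terminate.
	 */
	int ch;
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	/* drop argv[0] (the program name) so argv[0] is the subcommand */
	argc -= 1;
	argv += 1;

	if (argc == 1) {
		rc = list_simple_for_all(B_FALSE);
		goto out;
	}

	/*
	 * [-v] [-m] [-p] [provider=<>] [mechanism=<>]
	 */
	if (argc > 5) {
		/* a usage error must not exit with SUCCESS */
		usage();
		return (ERROR_USAGE);
	}

	while ((ch = getopt(argc, argv, "mpv")) != EOF) {
		switch (ch) {
		case 'm':
			mflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'p':
			pflag = B_TRUE;
			if (mflag || vflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'v':
			vflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		default:
			rc = ERROR_USAGE;
			break;
		}
	}

	if (rc == ERROR_USAGE) {
		usage();
		return (rc);
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	prov = get_provider(argc, argv);

	if (mflag || vflag) {
		if (argc > 0) {
			/*
			 * A missing mechanism= is not an error for list
			 * (ERROR_USAGE is deliberately ignored); only an
			 * allocation failure aborts.
			 */
			rc = process_mech_operands(argc, argv, B_TRUE);
			if (rc == FAILURE)
				goto out;
			/* "-m" is implied when a mechanism list is given */
			if (mecharglist != NULL || allflag)
				mflag = B_TRUE;
		}
	}

	if (prov == NULL) {
		if (mflag) {
			rc = list_mechlist_for_all(vflag);
		} else if (pflag) {
			rc = list_policy_for_all();
		} else if (vflag) {
			rc = list_simple_for_all(vflag);
		}
		/*
		 * NOTE(review): with no flag at all (e.g. only an unknown
		 * operand) nothing is listed and rc stays SUCCESS.
		 */
	} else if (prov->cp_type == METASLOT) {
		/*
		 * Only a bare -p selects the policy listing; no flags, -m or
		 * -v list metaslot status (narrowed by the mechanism list).
		 * The getopt loop above already rejects -p with -m or -v.
		 */
		if (pflag && !mflag && !vflag) {
			rc = list_metaslot_policy();
		} else {
			rc = list_metaslot_info(mflag, vflag, mecharglist);
		}
	} else if (prov->cp_type == PROV_BADNAME) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	} else { /* do the listing for a provider only */
		if (mflag || vflag) {
			if (vflag) {
				(void) printf(gettext("Provider: %s\n"),
				    prov->cp_name);
			}
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_mechlist_for_lib(prov->cp_name,
				    mecharglist, NULL, B_FALSE,
				    vflag, mflag);
				break;
			case PROV_KEF_SOFT:
				rc = list_mechlist_for_soft(prov->cp_name);
				break;
			case PROV_KEF_HARD:
				rc = list_mechlist_for_hard(prov->cp_name);
				break;
			default: /* should not come here */
				rc = FAILURE;
				break;
			}
		} else if (pflag) {
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_policy_for_lib(prov->cp_name);
				break;
			case PROV_KEF_SOFT:
			case PROV_KEF_HARD:
				/* kernel provider policy is global-zone only */
				if (getzoneid() != GLOBAL_ZONEID) {
					/*
					 * TRANSLATION_NOTE
					 * "global" is keyword and not to
					 * be translated.
					 */
					cryptoerror(LOG_STDERR, gettext(
					    "policy information for kernel "
					    "providers is available "
					    "in the %s zone only"), "global");
					rc = FAILURE;
				} else if (prov->cp_type == PROV_KEF_SOFT) {
					rc = list_policy_for_soft(
					    prov->cp_name);
				} else {
					rc = list_policy_for_hard(
					    prov->cp_name);
				}
				break;
			default: /* should not come here */
				rc = FAILURE;
				break;
			}
		} else {
			/* error message */
			usage();
			rc = ERROR_USAGE;
		}
	}

out:
	free(prov);	/* free(NULL) is harmless */

	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
		mecharglist = NULL;	/* don't leave a dangling static behind */
	}
	return (rc);
}


/*
 * The top level function for the disable subcommand.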
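/*
 * Disable one provider, or some of its mechanisms.  Accepts three to five
 * arguments ("disable <provider> [operands]"): the provider is resolved by
 * get_provider() and the remaining operands by process_feature_operands()
 * and then either process_metaslot_operands() (metaslot) or
 * process_mech_operands() (every other provider, unless allflag or rndflag
 * already describe the request).  Kernel providers (PROV_KEF_SOFT and
 * PROV_KEF_HARD) can only be administered from the global zone.
 *
 * Returns SUCCESS, FAILURE or ERROR_USAGE.  Once prov has been allocated
 * every exit goes through "out", which releases prov and mecharglist.
 */
static int
do_disable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	boolean_t auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 5)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/*
	 * If allflag or rndflag has already been set there is no reason to
	 * process mech=
	 */
	if (prov->cp_type == METASLOT) {
		if ((argc > 3) &&
		    (rc = process_metaslot_operands(argc, argv,
		    NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
			usage();
			goto out;
		}
	} else if (!allflag && !rndflag &&
	    (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = disable_metaslot(mecharglist, allflag,
		    auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		/*
		 * "random" alone is expressed as a one-entry mechanism list
		 * so the kernel-provider helpers see a uniform argument.
		 */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() != GLOBAL_ZONEID) {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		} else if (prov->cp_type == PROV_KEF_SOFT) {
			rc = disable_kef_software(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			rc = disable_kef_hardware(prov->cp_name, rndflag,
			    allflag, mecharglist);
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}

out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * Enable one provider, or some of its mechanisms.  Accepts three to six
 * arguments; a non-metaslot provider must be given exactly four.  Metaslot
 * operands (alternate token/slot, default keystore, auto key migration) are
 * parsed by process_metaslot_operands(); other providers go through
 * process_feature_operands() and, unless allflag or rndflag already apply,
 * process_mech_operands().  Kernel providers can only be enabled from the
 * global zone.
 *
 * Returns SUCCESS, FAILURE or ERROR_USAGE.  Once prov has been allocated
 * every exit goes through "out", which releases prov, mecharglist and the
 * strings returned for alt_token and alt_slot.
 */
static int
do_enable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	char *alt_token = NULL, *alt_slot = NULL;
	boolean_t use_default = B_FALSE, auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 6)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if ((prov->cp_type != METASLOT) && (argc != 4)) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == METASLOT) {
		if ((rc = process_metaslot_operands(argc, argv, &alt_token,
		    &alt_slot, &use_default, &auto_key_migrate_flag))
		    != SUCCESS) {
			usage();
			goto out;
		}
		/* an explicit token/slot and "default" are mutually exclusive */
		if ((alt_slot || alt_token) && use_default) {
			usage();
			rc = FAILURE;
			goto out;
		}
	} else {
		if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
			goto out;
		}

		/*
		 * If allflag or rndflag has already been set there is
		 * no reason to process mech=
		 */
		if (!allflag && !rndflag &&
		    (rc = process_mech_operands(argc, argv, B_FALSE))
		    != SUCCESS) {
			goto out;
		}
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = enable_metaslot(alt_token, alt_slot, use_default,
		    mecharglist, allflag, auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = enable_kef(prov->cp_name, rndflag, allflag,
			    mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "enable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "enable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}
out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	free(alt_token);
	free(alt_slot);
	return (rc);
}


/*
 * Install a provider.  A user-level library (PROV_UEF_LIB) is installed as
 * is; a kernel software provider needs mechanism operands (argc >= 4),
 * must not use the "all" keyword, and can only be installed from the
 * global zone.  Hardware providers and bad names are rejected.
 *
 * Returns SUCCESS, FAILURE or ERROR_USAGE; prov is released at "out".
 */
static int
do_install(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc;

	if (argc < 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL ||
	    prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "install");
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == PROV_UEF_LIB) {
		rc = install_uef_lib(prov->cp_name);
		goto out;
	}

	/* It is the PROV_KEF_SOFT type now */

	/* check if there are mechanism operands */
	if (argc < 4) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword and hence
		 * not to be translated, or a descriptive word and
		 * translatable. A choice was made to view it as a literal
		 * keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("need %s operands for installing a"
		    " kernel software provider."), "mechanism");
		rc = ERROR_USAGE;
		goto out;
	}

	if ((rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	if (allflag == B_TRUE) {
		/*
		 * TRANSLATION_NOTE
		 * "all", "mechanism", and "install" are all keywords and
		 * not to be translated.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("can not use the %1$s keyword for %2$s "
		    "in the %3$s subcommand."), "all", "mechanism", "install");
		rc = ERROR_USAGE;
		goto out;
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		rc = install_kef(prov->cp_name, mecharglist);
	} else {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "install", "global");
		rc = FAILURE;
	}
out:
	free(prov);
	return (rc);
}


/*
 * Uninstall a provider.  Exactly three arguments are accepted.  User-level
 * libraries are handled by uninstall_uef_lib(); kernel software providers
 * by uninstall_kef(), global zone only.  Hardware providers and bad names
 * are rejected with FAILURE.
 *
 * Returns SUCCESS, FAILURE or ERROR_USAGE; prov is released on every path.
 */
static int
do_uninstall(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL ||
	    prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "uninstall" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "uninstall");
		free(prov);
		return (FAILURE);
	}

	if (prov->cp_type == PROV_UEF_LIB) {
		rc = uninstall_uef_lib(prov->cp_name);
	} else if (prov->cp_type == PROV_KEF_SOFT) {
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = uninstall_kef(prov->cp_name);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "uninstall" could be either a literal keyword and
			 * hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as a
			 * literal keyword. "global" is keyword and not to
			 * be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "uninstall", "global");
			rc = FAILURE;
		}
	}

	free(prov);
	return (rc);
}


/*
 * Unload a kernel software provider.  Exactly three arguments are
 * accepted; the provider must be of type PROV_KEF_SOFT, the caller must be
 * in the global zone, and the provider must have an entry in kcf.conf.  A
 * provider that is already inactive is reported as SUCCESS without calling
 * unload_kef_soft().
 *
 * Returns SUCCESS, FAILURE or ERROR_USAGE; prov is released at "out".
 */
static int
do_unload(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	entry_t *pent;
	boolean_t is_active;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	/* check if it is a kernel software provider */
	prov = get_provider(argc, argv);
	if (prov == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("unable to determine provider name."));
		/* an error was reported, so do not return SUCCESS */
		rc = FAILURE;
		goto out;
	}
	if (prov->cp_type != PROV_KEF_SOFT) {
		cryptoerror(LOG_STDERR,
		    gettext("%s is not a valid kernel software provider."),
		    prov->cp_name);
		rc = FAILURE;
		goto out;
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "unload" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable.
		 * A choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "unload", "global");
		rc = FAILURE;
		goto out;
	}

	/* Check if it is in the kcf.conf file first */
	if ((pent = getent_kef(prov->cp_name)) == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("provider %s does not exist."), prov->cp_name);
		rc = FAILURE;
		goto out;
	}
	free_entry(pent);

	/* If it is unloaded already, return */
	if (check_active_for_soft(prov->cp_name, &is_active) == FAILURE) {
		cryptodebug("internal error");
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), prov->cp_name);
		rc = FAILURE;
		goto out;
	}

	if (is_active == B_FALSE) { /* unloaded already */
		rc = SUCCESS;
	} else if (unload_kef_soft(prov->cp_name, B_TRUE) == FAILURE) {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), prov->cp_name);
		rc = FAILURE;
	} else {
		rc = SUCCESS;
	}
out:
	free(prov);
	return (rc);
}


/*
 * The top level function for the refresh subcommand.  Takes no operands
 * (argc must be 2) and returns whatever refresh() returns.
 */
static int
do_refresh(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	/*
	 * Note: in non-global zone, this must silently return SUCCESS
	 * due to integration with SMF, for "svcadm refresh cryptosvc"
	 */
	if (getzoneid() != GLOBAL_ZONEID)
		return (SUCCESS);

	return (refresh());
}


/*
 * The top level function for the start subcommand.  Takes no operands;
 * refreshes first (do_refresh()) and only then starts the daemon, so a
 * failed refresh is returned without starting anything.
 */
static int
do_start(int argc)
{
	int ret;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	ret = do_refresh(argc);
	if (ret != SUCCESS)
		return (ret);

	return (start_daemon());
}

/*
 * The top level function for the stop subcommand.  Takes no operands and
 * returns whatever stop_daemon() returns.
 */
static int
do_stop(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	return (stop_daemon());
}



/*
 * List all the providers: user-level libraries from pkcs11.conf (metaslot
 * entry skipped), kernel software providers from kcf.conf in the global
 * zone or from /dev/cryptoadm elsewhere, and kernel hardware providers
 * from the kernel device list.  With verbose, each user-level provider's
 * mechanism list is printed too.
 *
 * Each section is attempted even if an earlier one failed; the result is
 * FAILURE if any section failed, SUCCESS otherwise.
 */
static int
list_simple_for_all(boolean_t verbose)
{
	/*
	 * pliblist is initialised so that a failed get_pkcs11conf_info()
	 * leaves a list that is safe to walk and free below.
	 */
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr;
	entrylist_t *pdevlist_conf;
	entrylist_t *psoftlist_conf;
	entrylist_t *pdevlist_zone;
	entrylist_t *psoftlist_zone;
	entrylist_t *ptr;
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	boolean_t is_active;
	int ru = SUCCESS;	/* user-level section result */
	int rs = SUCCESS;	/* kernel software section result */
	int rd = SUCCESS;	/* kernel hardware section result */
	int i;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of user-level providers."));
		ru = FAILURE;
	}
	plibptr = pliblist;
	while (plibptr != NULL) {
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("Provider: %s\n"),
			    plibptr->puent->name);
			if (verbose) {
				(void) list_mechlist_for_lib(
				    plibptr->puent->name, mecharglist, NULL,
				    B_FALSE, verbose, B_FALSE);
				(void) printf("\n");
			}
		}
		plibptr = plibptr->next;
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	if (getzoneid() == GLOBAL_ZONEID) {
		/* use kcf.conf for kernel software providers in global zone */
		pdevlist_conf = NULL;
		psoftlist_conf = NULL;

		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rs = FAILURE;
		}

		ptr = psoftlist_conf;
		while (ptr != NULL) {
			if (check_active_for_soft(ptr->pent->name, &is_active)
			    == FAILURE) {
				rs = FAILURE;
				cryptoerror(LOG_STDERR, gettext("failed to "
				    "get the state of a kernel software "
				    "providers.\n"));
				break;
			}

			(void) printf("\t%s", ptr->pent->name);
			if (is_active == B_FALSE) {
				(void) printf(gettext(" (inactive)\n"));
			} else {
				(void) printf("\n");
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_conf);
		free_entrylist(psoftlist_conf);
	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		pdevlist_zone = NULL;
		psoftlist_zone = NULL;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rs = FAILURE;
		}

		ptr = psoftlist_zone;
		while (ptr != NULL) {
			(void) printf("\t%s\n", ptr->pent->name);
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* get kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	if (get_dev_list(&pdevlist_kernel) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of kernel hardware providers.\n"));
		rd = FAILURE;
	} else {
		for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
			(void) printf("\t%s/%d\n",
			    pdevlist_kernel->dl_devs[i].le_dev_name,
			    pdevlist_kernel->dl_devs[i].le_dev_instance);
		}
	}
	free(pdevlist_kernel);

	if (ru == FAILURE || rs == FAILURE || rd == FAILURE) {
		return (FAILURE);
	}
	return (SUCCESS);
}



/*
 * List all the providers. And for each provider, list the mechanism list.
 * The three sections (user-level, kernel software, kernel hardware) follow
 * the same sources as list_simple_for_all(); inactive kernel software
 * providers are reported as "(inactive)" instead of being queried.  The
 * RANDOM pseudo-mechanism is filtered out of hardware provider lists.
 *
 * Returns FAILURE as soon as the hardware device list cannot be obtained,
 * otherwise FAILURE if any earlier step failed and SUCCESS if all did not.
 */
static int
list_mechlist_for_all(boolean_t verbose)
{
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	/* see list_simple_for_all(): keep the list valid on failure */
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr;
	entrylist_t *pdevlist_conf;
	entrylist_t *psoftlist_conf;
	entrylist_t *pdevlist_zone;
	entrylist_t *psoftlist_zone;
	entrylist_t *ptr;
	mechlist_t *pmechlist;
	boolean_t is_active;
	char provname[MAXNAMELEN];
	char devname[MAXNAMELEN];
	int inst_num;
	int count;
	int i;
	int rv;
	int rc = SUCCESS;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
		rc = FAILURE;
	}

	plibptr = pliblist;
	while (plibptr != NULL) {
		/* skip metaslot entry */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("\nProvider: %s\n"),
			    plibptr->puent->name);
			rv = list_mechlist_for_lib(plibptr->puent->name,
			    mecharglist, NULL, B_FALSE, verbose, B_TRUE);
			if (rv == FAILURE) {
				rc = FAILURE;
			}
		}
		plibptr = plibptr->next;
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (getzoneid() == GLOBAL_ZONEID) {
		/* use kcf.conf for kernel software providers in global zone */
		pdevlist_conf = NULL;
		psoftlist_conf = NULL;

		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR, gettext("failed to retrieve "
			    "the list of kernel software providers.\n"));
			rc = FAILURE;
		}

		ptr = psoftlist_conf;
		while (ptr != NULL) {
			if (check_active_for_soft(ptr->pent->name, &is_active)
			    == SUCCESS) {
				if (is_active) {
					rv = list_mechlist_for_soft(
					    ptr->pent->name);
					if (rv == FAILURE) {
						rc = FAILURE;
					}
				} else {
					(void) printf(gettext(
					    "%s: (inactive)\n"),
					    ptr->pent->name);
				}
			} else {
				/* should not happen */
				(void) printf(gettext(
				    "%s: failed to get the mechanism list.\n"),
				    ptr->pent->name);
				rc = FAILURE;
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_conf);
		free_entrylist(psoftlist_conf);
	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		pdevlist_zone = NULL;
		psoftlist_zone = NULL;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR, gettext("failed to retrieve "
			    "the list of kernel software providers.\n"));
			rc = FAILURE;
		}

		ptr = psoftlist_zone;
		while (ptr != NULL) {
			rv = list_mechlist_for_soft(ptr->pent->name);
			if (rv == FAILURE) {
				(void) printf(gettext(
				    "%s: failed to get the mechanism list.\n"),
				    ptr->pent->name);
				rc = FAILURE;
			}
			ptr = ptr->next;
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* Get kernel hardware providers and their mechanism lists */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));
	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of hardware providers.\n"));
		return (FAILURE);
	}

	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
		(void) strlcpy(devname,
		    pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN);
		inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance;
		count = pdevlist_kernel->dl_devs[i].le_mechanism_count;
		/* hardware providers are named "<driver>/<instance>" */
		(void) snprintf(provname, sizeof (provname), "%s/%d", devname,
		    inst_num);
		if (get_dev_info(devname, inst_num, count, &pmechlist) ==
		    SUCCESS) {
			(void) filter_mechlist(&pmechlist, RANDOM);
			print_mechlist(provname, pmechlist);
			free_mechlist(pmechlist);
		} else {
			(void) printf(gettext("%s: failed to get the mechanism"
			    " list.\n"), provname);
			rc = FAILURE;
		}
	}
	free(pdevlist_kernel);
	return (rc);
}


/*
 * List all the providers. And for each provider, list the policy information.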
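 */
static int list_policy_for_all(void);

/*
 * Print the policy of every user-level provider listed in pkcs11.conf.
 *
 * Prints the "User-level providers" section header, then the policy of each
 * provider via print_uef_policy(), skipping the metaslot entry.
 *
 * Returns SUCCESS, or FAILURE if the provider list could not be read or
 * print_uef_policy() failed for any provider.  Errors are reported on
 * stderr before returning, and the list is always released.
 */
static int
list_policy_for_all_uef(void)
{
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr;
	int rc = SUCCESS;

	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("=====================\n"));

	if (get_pkcs11conf_info(&pliblist) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of user-level providers.\n"));
		/* counted as a failure so the exit status reflects it */
		return (FAILURE);
	}

	for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
		/* skip metaslot entry */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) == 0) {
			continue;
		}
		if (print_uef_policy(plibptr->puent) == FAILURE) {
			rc = FAILURE;
		}
	}
	free_uentrylist(pliblist);

	return (rc);
}

/*
 * Print the policy of every kernel hardware provider.
 *
 * pdevlist_kernel is the hardware provider list obtained from the kernel;
 * *pdevlist_conf is the hardware-provider entry list read from kcf.conf
 * (may be NULL).  For each provider the kernel reports, its policy is
 * printed with list_policy_for_hard() and, if the provider has an entry in
 * *pdevlist_conf, that entry is unlinked and freed.  A provider without an
 * entry has no disabled mechanisms, but list_policy_for_hard() is still
 * called to account for the "random" feature.  Entries left in
 * *pdevlist_conf afterwards belong to detached providers; their policy is
 * printed with print_kef_policy().
 *
 * On return *pdevlist_conf has been freed and set to NULL; pdevlist_kernel
 * remains owned by the caller.  Returns FAILURE if list_policy_for_hard()
 * failed for any provider, SUCCESS otherwise.
 */
static int
list_policy_for_all_hard(crypto_get_dev_list_t *pdevlist_kernel,
    entrylist_t **pdevlist_conf)
{
	entrylist_t *ptr;
	entrylist_t *prev;
	char provname[MAXNAMELEN];
	int i;
	int rc = SUCCESS;

	for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
		/* provider names are "<driver>/<instance>", as in kcf.conf */
		(void) snprintf(provname, sizeof (provname), "%s/%d",
		    pdevlist_kernel->dl_devs[i].le_dev_name,
		    pdevlist_kernel->dl_devs[i].le_dev_instance);

		/* look for this provider's entry in the kcf.conf list */
		prev = NULL;
		for (ptr = *pdevlist_conf; ptr != NULL; ptr = ptr->next) {
			if (strcmp(ptr->pent->name, provname) == 0) {
				break;
			}
			prev = ptr;
		}

		/*
		 * Printed the same way whether or not the provider has a
		 * kcf.conf entry; a per-provider failure is recorded rather
		 * than dropped, matching the user-level provider handling.
		 */
		if (list_policy_for_hard(provname) == FAILURE) {
			rc = FAILURE;
		}

		if (ptr != NULL) {
			/* unlink and release the entry that has been printed */
			if (prev == NULL) {
				*pdevlist_conf = ptr->next;
			} else {
				prev->next = ptr->next;
			}
			free_entry(ptr->pent);
			free(ptr);
		}
	}

	/*
	 * If there are still entries left in the kcf.conf list, these
	 * providers must have been detached.  Print their policy information
	 * also.
	 */
	for (ptr = *pdevlist_conf; ptr != NULL; ptr = ptr->next) {
		print_kef_policy(ptr->pent, B_FALSE, B_TRUE);
	}

	free_entrylist(*pdevlist_conf);
	*pdevlist_conf = NULL;

	return (rc);
}

/*
 * Entry point: lists user-level providers, kernel software providers and
 * kernel hardware providers, with the policy information for each.
 *
 * Kernel provider policy lives in kcf.conf, which is only available in the
 * global zone; in a non-global zone the kernel sections print an error and
 * the function returns FAILURE.  The hardware section is delegated to
 * list_policy_for_all_hard(), the user-level section to
 * list_policy_for_all_uef().
 *
 * Returns SUCCESS only if every section was listed without error; any
 * per-provider failure or failure to read a provider list yields FAILURE.
 * Unlike the original, failures of list_policy_for_soft() and
 * list_policy_for_hard() are no longer discarded.
 */
static int
list_policy_for_all(void)
{
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	entrylist_t *pdevlist_conf = NULL;
	entrylist_t *psoftlist_conf = NULL;
	entrylist_t *ptr;
	boolean_t in_global_zone;
	int rc;

	/* Get user-level providers */
	rc = list_policy_for_all_uef();

	/* kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	/* the zone does not change underneath us; look it up once */
	in_global_zone = (getzoneid() == GLOBAL_ZONEID);

	if (in_global_zone) {
		/* use kcf.conf for kernel software providers in global zone */
		if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) ==
		    FAILURE) {
			cryptoerror(LOG_STDERR, gettext(
			    "failed to retrieve the list of kernel "
			    "providers.\n"));
			/* free_entrylist() tolerates NULL, as elsewhere */
			free_entrylist(pdevlist_conf);
			free_entrylist(psoftlist_conf);
			return (FAILURE);
		}

		for (ptr = psoftlist_conf; ptr != NULL; ptr = ptr->next) {
			if (list_policy_for_soft(ptr->pent->name) == FAILURE) {
				rc = FAILURE;
			}
		}
		free_entrylist(psoftlist_conf);
	} else {
		/* kcf.conf not there in non-global zone, no policy info */

		/*
		 * TRANSLATION_NOTE
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel software providers is "
		    "available in the %s zone only"), "global");
	}

	/* Kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.
	 */
	(void) printf(gettext("==========================\n"));

	if (!in_global_zone) {
		/*
		 * TRANSLATION_NOTE
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext(
		    "policy information for kernel hardware providers is "
		    "available in the %s zone only"), "global");
		/* pdevlist_conf is still NULL here; nothing to release */
		return (FAILURE);
	}

	/* Get the hardware provider list from kernel */
	if (get_dev_list(&pdevlist_kernel) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of hardware providers.\n"));
		free_entrylist(pdevlist_conf);
		return (FAILURE);
	}

	/* consumes pdevlist_conf; pdevlist_kernel is still ours to free */
	if (list_policy_for_all_hard(pdevlist_kernel, &pdevlist_conf) ==
	    FAILURE) {
		rc = FAILURE;
	}
	free(pdevlist_kernel);

	return (rc);
}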