/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * cryptoadm command front end: main() maps argv[1] onto a subcommand and
 * hands the command line to the matching do_*() handler defined below.
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <locale.h>
#include <libgen.h>
#include <sys/types.h>
#include <zone.h>
#include <sys/crypto/ioctladmin.h>
#include <cryptoutil.h>
#include "cryptoadm.h"

/* Program name plus a subcommand keyword: the shortest valid command line. */
#define	REQ_ARG_CNT	2

/*
 * Subcommand index.  main() looks argv[1] up in cmd_table[] and uses the
 * position found as one of these values, so the two lists must stay in
 * the same order.
 */
enum subcommand_index {
	CRYPTO_LIST,
	CRYPTO_DISABLE,
	CRYPTO_ENABLE,
	CRYPTO_INSTALL,
	CRYPTO_UNINSTALL,
	CRYPTO_UNLOAD,
	CRYPTO_REFRESH,
	CRYPTO_START,
	CRYPTO_STOP,
	CRYPTO_HELP
};

/*
 * TRANSLATION_NOTE
 * Command keywords are not to be translated.
 */
static char *cmd_table[] = {
	"list",		/* CRYPTO_LIST */
	"disable",	/* CRYPTO_DISABLE */
	"enable",	/* CRYPTO_ENABLE */
	"install",	/* CRYPTO_INSTALL */
	"uninstall",	/* CRYPTO_UNINSTALL */
	"unload",	/* CRYPTO_UNLOAD */
	"refresh",	/* CRYPTO_REFRESH */
	"start",	/* CRYPTO_START */
	"stop",		/* CRYPTO_STOP */
	"--help"	/* CRYPTO_HELP */
};

/*
 * Provider type, as classified by get_provider_type() from the name given
 * on the command line (see that function for the exact rules), or METASLOT
 * when the metaslot keyword was given instead of provider=.
 */
enum provider_type_index {
	PROV_UEF_LIB,	/* absolute path name */
	PROV_KEF_SOFT,	/* base name only */
	PROV_KEF_HARD,	/* exactly one interior slash, e.g. "mca/0" */
	METASLOT,	/* the metaslot keyword */
	PROV_BADNAME	/* anything else, or provider= without a name */
};

/* Result of get_provider(): the operand text and its classification. */
typedef struct {
	char cp_name[MAXPATHLEN];	/* name as given, NUL-terminated */
	enum provider_type_index cp_type;
} cryptoadm_provider_t;

/*
 * TRANSLATION_NOTE
 * Operand keywords are not to be translated.
 */
static const char *KN_PROVIDER = "provider=";
static const char *KN_MECH = "mechanism=";
static const char *KN_ALL = "all";
static const char *KN_TOKEN = "token=";
static const char *KN_SLOT = "slot=";
static const char *KN_DEFAULT_KS = "default-keystore";
static const char *KN_AUTO_KEY_MIGRATE = "auto-key-migrate";

/*
 * static variables
 *
 * The operand parsers record their results here instead of returning them:
 * allflag and rndflag are set by process_feature_operands() and
 * process_mech_operands(), mecharglist by process_mech_operands().  The
 * subcommand handlers read them afterwards.
 */
static boolean_t allflag = B_FALSE;
static boolean_t rndflag = B_FALSE;
static mechlist_t *mecharglist = NULL;

/* static functions */
static void usage(void);
static int get_provider_type(char *);
static int process_mech_operands(int, char **, boolean_t);
static int do_list(int, char **);
static int do_disable(int, char **);
static int do_enable(int, char **);
static int do_install(int, char **);
static int do_uninstall(int, char **);
static int do_unload(int, char **);
static int do_refresh(int);
static int do_start(int);
static int do_stop(int);
static int list_simple_for_all(boolean_t);
static int list_mechlist_for_all(boolean_t);
static int list_policy_for_all(void);

/*
 * Entry point.  Selects the subcommand named by argv[1] and passes the whole
 * argc/argv to its handler.  Returns the handler's status; ERROR_USAGE when
 * the command line is too short or names no known subcommand; SUCCESS for
 * --help.
 */
int
main(int argc, char *argv[])
{
	const char *subcmd;
	const int ncmds = sizeof (cmd_table) / sizeof (cmd_table[0]);
	int cmd_index;
	int rc = SUCCESS;

	(void) setlocale(LC_ALL, "");

#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	cryptodebug_init(basename(argv[0]));

	if (argc < REQ_ARG_CNT) {
		usage();
		return (ERROR_USAGE);
	}

	/* Map the keyword onto its position in cmd_table[]; first match wins. */
	subcmd = argv[1];
	for (cmd_index = 0; cmd_index < ncmds; cmd_index++) {
		if (strcmp(subcmd, cmd_table[cmd_index]) == 0)
			break;
	}
	if (cmd_index == ncmds) {
		usage();
		return (ERROR_USAGE);
	}

	/* Dispatch: enum subcommand_index mirrors the order of cmd_table[]. */
	switch (cmd_index) {
	case CRYPTO_LIST:
		rc = do_list(argc, argv);
		break;
	case CRYPTO_DISABLE:
		rc = do_disable(argc, argv);
		break;
	case CRYPTO_ENABLE:
		rc = do_enable(argc, argv);
		break;
	case CRYPTO_INSTALL:
		rc = do_install(argc, argv);
		break;
	case CRYPTO_UNINSTALL:
		rc = do_uninstall(argc, argv);
		break;
	case CRYPTO_UNLOAD:
		rc = do_unload(argc, argv);
		break;
	case CRYPTO_REFRESH:
		rc = do_refresh(argc);
		break;
	case CRYPTO_START:
		rc = do_start(argc);
		break;
	case CRYPTO_STOP:
		rc = do_stop(argc);
		break;
	case CRYPTO_HELP:
		usage();
		rc = SUCCESS;
		break;
	default:	/* should not come here */
		usage();
		rc = ERROR_USAGE;
		break;
	}
	return (rc);
}


/*
 * Print the command synopsis to stderr.
 */
static void
usage(void)
{
	/*
	 * TRANSLATION_NOTE
	 * Command usage is not to be translated. Only the word "Usage:"
	 * along with localized expressions indicating what kind of value
	 * is expected for arguments.
	 */
	FILE *fp = stderr;
	const char *prov_name = gettext("provider-name");
	const char *mech_list = gettext("mechanism-list");

	(void) fprintf(fp, gettext("Usage:\n"));
	(void) fprintf(fp,
	    " cryptoadm list [-mpv] [provider=<%s> | metaslot]"
	    " [mechanism=<%s>]\n", prov_name, mech_list);
	(void) fprintf(fp,
	    " cryptoadm disable provider=<%s>"
	    " mechanism=<%s> | random | all\n", prov_name, mech_list);
	(void) fprintf(fp,
	    " cryptoadm disable metaslot"
	    " [auto-key-migrate] [mechanism=<%s>]\n", mech_list);
	(void) fprintf(fp,
	    " cryptoadm enable provider=<%s>"
	    " mechanism=<%s> | random | all\n", prov_name, mech_list);
	(void) fprintf(fp,
	    " cryptoadm enable metaslot [mechanism=<%s>]"
	    " [[token=<%s>] [slot=<%s>]"
	    " | [default-keystore]] | [auto-key-migrate]\n",
	    mech_list, gettext("token-label"), gettext("slot-description"));
	(void) fprintf(fp,
	    " cryptoadm install provider=<%s>\n", prov_name);
	(void) fprintf(fp,
	    " cryptoadm install provider=<%s> [mechanism=<%s>]\n",
	    prov_name, mech_list);
	(void) fprintf(fp,
	    " cryptoadm uninstall provider=<%s>\n", prov_name);
	(void) fprintf(fp,
	    " cryptoadm unload provider=<%s>\n", prov_name);
	(void) fprintf(fp,
	    " cryptoadm refresh\n"
	    " cryptoadm start\n"
	    " cryptoadm stop\n"
	    " cryptoadm --help\n");
}


/*
 * Get the provider type. This function returns
 *	- PROV_UEF_LIB if provname contains an absolute path name
 *	- PROV_KEF_SOFT if provname is a base name only (e.g., "aes").
 *	- PROV_KEF_HARD if provname contains one slash only and the slash is not
 *	  the 1st character (e.g., "mca/0").
 *	- PROV_BADNAME otherwise.
 *	- FAILURE if provname is NULL.
 * Only the text of the name is inspected; nothing is looked up.
 */
static int
get_provider_type(char *provname)
{
	char *first_slash;
	char *last_slash;

	if (provname == NULL)
		return (FAILURE);

	/* A leading '/' is an absolute path, whatever follows it. */
	if (provname[0] == '/')
		return (PROV_UEF_LIB);

	first_slash = strchr(provname, SEP_SLASH);
	if (first_slash == NULL)
		return (PROV_KEF_SOFT);

	/* One slash (first == last) and it is not leading: "name/instance". */
	last_slash = strrchr(provname, SEP_SLASH);
	return (first_slash == last_slash ? PROV_KEF_HARD : PROV_BADNAME);
}

/*
 * Get the provider structure.
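 * This function returns NULL if no valid
 * provider= is found in argv[], otherwise a cryptoadm_provider_t is returned.
 * If provider= is found but has no argument, then a cryptoadm_provider_t
 * with cp_type = PROV_BADNAME is returned.
 *
 * The scan starts at argv[1] and stops at the first operand that begins
 * with the metaslot keyword (a prefix match) or with "provider=" followed
 * by at least one character.  The returned structure is malloc()ed and the
 * caller frees it.  NULL is also returned, after an error message, when
 * memory runs out.
 */
static cryptoadm_provider_t *
get_provider(int argc, char **argv)
{
	int c = 0;
	boolean_t found = B_FALSE;
	cryptoadm_provider_t *provider = NULL;
	char *provstr = NULL, *savstr;
	boolean_t is_metaslot = B_FALSE;

	while (!found && ++c < argc) {
		if (strncmp(argv[c], METASLOT_KEYWORD,
		    strlen(METASLOT_KEYWORD)) == 0) {
			is_metaslot = B_TRUE;
			found = B_TRUE;
		} else if (strncmp(argv[c], KN_PROVIDER,
		    strlen(KN_PROVIDER)) == 0 &&
		    strlen(argv[c]) > strlen(KN_PROVIDER)) {
			/* Work on a copy: strtok() below would modify argv[c]. */
			if ((provstr = strdup(argv[c])) == NULL) {
				int err = errno;
				/*
				 * TRANSLATION_NOTE
				 * "get_provider" is a function name and should
				 * not be translated.
				 */
				cryptoerror(LOG_STDERR, "get_provider: %s.",
				    strerror(err));
				return (NULL);
			}
			found = B_TRUE;
		}
	}
	if (!found)
		return (NULL);

	provider = malloc(sizeof (cryptoadm_provider_t));
	if (provider == NULL) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free(provstr);	/* free(NULL) is a no-op */
		return (NULL);
	}

	if (is_metaslot) {
		/*
		 * Bound the copy by the destination size.  strlcpy() keeps
		 * one byte for the terminator, so passing
		 * strlen(METASLOT_KEYWORD) here stored the keyword minus its
		 * last character.
		 */
		(void) strlcpy(provider->cp_name, METASLOT_KEYWORD,
		    sizeof (provider->cp_name));
		provider->cp_type = METASLOT;
	} else {
		/* provstr is "provider=<name>"; savstr keeps it for free(). */
		savstr = provstr;
		(void) strtok(provstr, "=");
		provstr = strtok(NULL, "=");
		if (provstr == NULL) {
			/* e.g. "provider==": long enough, but no name after '=' */
			cryptoerror(LOG_STDERR, gettext("bad provider name."));
			provider->cp_type = PROV_BADNAME;
			free(savstr);
			return (provider);
		}

		/* Names longer than the buffer are truncated, not rejected. */
		(void) strlcpy(provider->cp_name, provstr,
		    sizeof (provider->cp_name));
		provider->cp_type = get_provider_type(provider->cp_name);

		free(savstr);
	}
	return (provider);
}

/*
 * Process the metaslot operands (see do_disable() for one caller).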
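 *
 * "argc" and "argv" contain values specified on the command line.
 * All other arguments are used for returning parsing results.
 * If any of these arguments are NULL, that keyword is not expected,
 * and FAILURE will be returned.
 *
 * Operands are examined from argv[3] onwards.  "token=" and "slot=" are
 * split in place with strtok() and their values strdup()ed into
 * *meta_ks_token / *meta_ks_slot (the caller owns and frees them);
 * "default-keystore" and "auto-key-migrate" are prefix-matched and set the
 * corresponding flag; "mechanism=" is handed to process_mech_operands().
 * Any other operand, a keyword without a value, or an allocation failure
 * yields FAILURE.
 */
static int
process_metaslot_operands(int argc, char **argv, char **meta_ks_token,
    char **meta_ks_slot, boolean_t *use_default,
    boolean_t *auto_key_migrate_flag)
{
	int c = 2;
	int rc = SUCCESS;

	while (++c < argc) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {

			/* process mechanism operands */
			if ((rc = process_mech_operands(argc, argv, B_TRUE))
			    != SUCCESS) {
				goto finish;
			}

		} else if ((strncmp(argv[c], KN_TOKEN,
		    strlen(KN_TOKEN)) == 0) &&
		    strlen(argv[c]) > strlen(KN_TOKEN)) {
			char *tmp;

			/* Keyword not expected by the caller, or no value. */
			if (meta_ks_token == NULL ||
			    strtok(argv[c], "=") == NULL ||
			    (tmp = strtok(NULL, "=")) == NULL) {
				return (FAILURE);
			}
			/* An unchecked strdup() would hand back a NULL token. */
			if ((*meta_ks_token = strdup(tmp)) == NULL) {
				cryptoerror(LOG_STDERR,
				    gettext("out of memory."));
				return (FAILURE);
			}

		} else if ((strncmp(argv[c], KN_SLOT,
		    strlen(KN_SLOT)) == 0) &&
		    strlen(argv[c]) > strlen(KN_SLOT)) {
			char *tmp;

			/* Keyword not expected by the caller, or no value. */
			if (meta_ks_slot == NULL ||
			    strtok(argv[c], "=") == NULL ||
			    (tmp = strtok(NULL, "=")) == NULL) {
				return (FAILURE);
			}
			/* An unchecked strdup() would hand back a NULL slot. */
			if ((*meta_ks_slot = strdup(tmp)) == NULL) {
				cryptoerror(LOG_STDERR,
				    gettext("out of memory."));
				return (FAILURE);
			}

		} else if (strncmp(argv[c], KN_DEFAULT_KS,
		    strlen(KN_DEFAULT_KS)) == 0) {

			if (use_default) {
				*use_default = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else if (strncmp(argv[c], KN_AUTO_KEY_MIGRATE,
		    strlen(KN_AUTO_KEY_MIGRATE)) == 0) {

			if (auto_key_migrate_flag) {
				*auto_key_migrate_flag = B_TRUE;
			} else {
				return (FAILURE);
			}
		} else {
			return (FAILURE);
		}
	}
finish:
	return (rc);
}

/*
 * Process the "feature" operands: the bare keywords "all" and RANDOM,
 * scanned from argv[3] onwards.  They are recorded in the file-scope
 * allflag and rndflag; unknown operands are ignored here.
 */
static int
process_feature_operands(int argc, char **argv)
{
	int c = 2;

	while (++c < argc) {
		if (strcmp(argv[c], KN_ALL) == 0) {
			allflag = B_TRUE;
			rndflag = B_TRUE; /* all includes random also.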
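			 */
		} else if (strcmp(argv[c], RANDOM) == 0) {
			rndflag = B_TRUE;
		}
	}
	return (SUCCESS);
}

/*
 * Process the mechanism operands for the disable, enable and install
 * subcommands. This function sets the static variable allflag to be B_TRUE
 * if the keyword "all" is specified, otherwise builds a link list of the
 * mechanism operands and save it in the static variable mecharglist.
 *
 * The first "mechanism=<value>" operand (searched from argv[0]) is split in
 * place with strtok(), so argv[] is modified.  The value is a comma
 * separated list; each entry becomes one create_mech() node.  With "quiet"
 * set, a missing operand is reported only through the return value.
 *
 * This function returns
 *	ERROR_USAGE: mechanism operand is missing, or has no value after
 *		     '=' (e.g. "mechanism==" or "mechanism=,").
 *	FAILURE: out of memory.
 *	SUCCESS: otherwise.
 */
static int
process_mech_operands(int argc, char **argv, boolean_t quiet)
{
	mechlist_t *pmech;
	mechlist_t *pcur = NULL;
	mechlist_t *phead = NULL;
	char *mechliststr = NULL;
	char *curmech = NULL;
	int c;
	int rc = SUCCESS;

	for (c = 0; c < argc; c++) {
		if ((strncmp(argv[c], KN_MECH, strlen(KN_MECH)) == 0) &&
		    strlen(argv[c]) > strlen(KN_MECH)) {
			break;
		}
	}
	if (c >= argc)
		goto missing;

	(void) strtok(argv[c], "=");
	/*
	 * NULL when nothing follows the '=': the length test above passes
	 * "mechanism==", and strcmp() on NULL would crash below.
	 */
	if ((mechliststr = strtok(NULL, "=")) == NULL)
		goto missing;

	if (strcmp(mechliststr, "all") == 0) {
		allflag = B_TRUE;
		mecharglist = NULL;
		return (SUCCESS);
	}

	/* A value made only of commas yields no first token. */
	if ((curmech = strtok(mechliststr, ",")) == NULL)
		goto missing;

	do {
		if ((pmech = create_mech(curmech)) == NULL) {
			rc = FAILURE;
			break;
		}
		if (phead == NULL) {
			phead = pcur = pmech;
		} else {
			pcur->next = pmech;
			pcur = pmech;
		}
	} while ((curmech = strtok(NULL, ",")) != NULL);

	if (rc == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("out of memory."));
		free_mechlist(phead);
	} else {
		mecharglist = phead;
		rc = SUCCESS;
	}
	return (rc);

missing:
	if (!quiet) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword
		 * and hence not to be translated, or a descriptive
		 * word and translatable. A choice was made to
		 * view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("the %s operand is missing.\n"),
		    "mechanism");
	}
	return (ERROR_USAGE);
}



/*
 * The top level function for the "cryptoadm list" subcommand and options.
 *
 * argv[0] (the program name) is dropped first, so within this function
 * argv[0] is "list" and argc counts the subcommand plus its operands.
 * Returns SUCCESS, the status of the list_*() routine invoked,
 * ERROR_USAGE for conflicting or excess options, or FAILURE.
 */
static int
do_list(int argc, char **argv)
{
	boolean_t mflag = B_FALSE;
	boolean_t pflag = B_FALSE;
	boolean_t vflag = B_FALSE;
	int ch;		/* getopt() returns int; a char cannot hold EOF portably */
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	argc -= 1;
	argv += 1;

	if (argc == 1) {
		rc = list_simple_for_all(B_FALSE);
		goto out;
	}

	/*
	 * cryptoadm list [-v] [-m] [-p] [provider=<>] [mechanism=<>]
	 */
	if (argc > 5) {
		/* Report the error in the exit status as well, not just stderr. */
		usage();
		return (ERROR_USAGE);
	}

	/* -p excludes -m and -v; the conflict is acted on after the loop. */
	while ((ch = getopt(argc, argv, "mpv")) != EOF) {
		switch (ch) {
		case 'm':
			mflag = B_TRUE;
			if (pflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'p':
			pflag = B_TRUE;
			if (mflag || vflag) {
				rc = ERROR_USAGE;
			}
			break;
		case 'v':
			vflag = B_TRUE;
			if (pflag)
				rc = ERROR_USAGE;
			break;
		default:
			rc = ERROR_USAGE;
			break;
		}
	}
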
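	/* Option conflicts (-p together with -m or -v) were recorded above. */
	if (rc == ERROR_USAGE) {
		usage();
		return (rc);
	}

	/* Records bare "all"/"random" operands in allflag/rndflag. */
	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/* NULL when no provider=/metaslot operand was given (or on ENOMEM). */
	prov = get_provider(argc, argv);

	if (mflag || vflag) {
		if (argc > 0) {
			/*
			 * Quiet: a missing mechanism= is allowed here, so only
			 * out of memory (FAILURE) aborts; ERROR_USAGE is ignored.
			 */
			rc = process_mech_operands(argc, argv, B_TRUE);
			if (rc == FAILURE)
				goto out;
			/* "-m" is implied when a mechanism list is given */
			if (mecharglist != NULL || allflag)
				mflag = B_TRUE;
		}
	}

	if (prov == NULL) {
		/*
		 * No provider named: list across all providers.  With no
		 * flag set nothing is listed and SUCCESS is returned.
		 */
		if (mflag) {
			rc = list_mechlist_for_all(vflag);
		} else if (pflag) {
			rc = list_policy_for_all();
		} else if (vflag) {
			rc = list_simple_for_all(vflag);
		}
	} else if (prov->cp_type == METASLOT) {
		/*
		 * -p on its own lists the metaslot policy; -m, -v, or no
		 * flag at all (plain status) list the metaslot information.
		 */
		if (pflag && !mflag && !vflag) {
			rc = list_metaslot_policy();
		} else {
			rc = list_metaslot_info(mflag, vflag, mecharglist);
		}
	} else if (prov->cp_type == PROV_BADNAME) {
		usage();
		rc = ERROR_USAGE;
		goto out;
	} else {
		/* do the listing for a provider only */
		char *provname = prov->cp_name;

		if (mflag || vflag) {
			if (vflag)
				(void) printf(gettext("Provider: %s\n"),
				    provname);
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_mechlist_for_lib(provname,
				    mecharglist, NULL, B_FALSE, vflag, mflag);
				break;
			case PROV_KEF_SOFT:
				rc = list_mechlist_for_soft(provname,
				    NULL, NULL);
				break;
			case PROV_KEF_HARD:
				rc = list_mechlist_for_hard(provname);
				break;
			default:	/* should not come here */
				rc = FAILURE;
				break;
			}
		} else if (pflag) {
			switch (prov->cp_type) {
			case PROV_UEF_LIB:
				rc = list_policy_for_lib(provname);
				break;
			case PROV_KEF_SOFT:
			case PROV_KEF_HARD:
				/* Kernel provider policy is global-zone only. */
				if (getzoneid() != GLOBAL_ZONEID) {
					/*
					 * TRANSLATION_NOTE
					 * "global" is keyword and not to
					 * be translated.
					 */
					cryptoerror(LOG_STDERR, gettext(
					    "policy information for kernel "
					    "providers is available "
					    "in the %s zone only"), "global");
					rc = FAILURE;
				} else if (prov->cp_type == PROV_KEF_SOFT) {
					rc = list_policy_for_soft(provname,
					    NULL, NULL);
				} else {
					rc = list_policy_for_hard(
					    provname, NULL, NULL, NULL);
				}
				break;
			default:	/* should not come here */
				rc = FAILURE;
				break;
			}
		} else {
			/* error message */
			usage();
			rc = ERROR_USAGE;
		}
	}

out:
	free(prov);	/* free(NULL) is a no-op */

	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
		/* File-scope: do not leave a dangling pointer for later use. */
		mecharglist = NULL;
	}
	return (rc);
}


/*
 * The top level function for the "cryptoadm disable" subcommand.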
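 *
 * argv[2] names the provider (resolved by get_provider()); the operands
 * after it are handled by process_feature_operands(),
 * process_mech_operands() and process_metaslot_operands(), which record
 * what they parse in the file-scope allflag/rndflag/mecharglist state
 * (inferred from how those names are used here and in do_install()).
 *
 * Returns ERROR_USAGE for a malformed command line, the operand parser's
 * error code when an operand is rejected, FAILURE for a bad provider name
 * or when a kernel provider is addressed outside the global zone, and
 * otherwise the result of the disable_* helper for the provider type.
 * Every exit after get_provider() succeeds goes through "out" so that
 * prov and mecharglist are released.
 */
static int
do_disable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	boolean_t auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 5)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if (prov->cp_type == PROV_BADNAME) {
		/* prov is owned here; leave via "out" so it is freed */
		rc = FAILURE;
		goto out;
	}

	if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
		goto out;
	}

	/*
	 * If allflag or rndflag has already been set there is no reason to
	 * process mech=
	 */
	if (prov->cp_type == METASLOT) {
		if ((argc > 3) &&
		    (rc = process_metaslot_operands(argc, argv,
		    NULL, NULL, NULL, &auto_key_migrate_flag)) != SUCCESS) {
			usage();
			goto out;
		}
	} else if (!allflag && !rndflag &&
	    (rc = process_mech_operands(argc, argv, B_FALSE)) != SUCCESS) {
		goto out;
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = disable_metaslot(mecharglist, allflag,
		    auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = disable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
		/* "random" on its own is passed down as a one-entry list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_software(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	case PROV_KEF_HARD:
		/* same shape as PROV_KEF_SOFT, different kernel helper */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = disable_kef_hardware(prov->cp_name, rndflag,
			    allflag, mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "disable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "disable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}

out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	return (rc);
}


/*
 * The top level function for the "cryptoadm enable" subcommand.
 *
 * argv[2] names the provider. For metaslot the operands are parsed by
 * process_metaslot_operands() into alt_token/alt_slot/use_default; naming
 * an alternate token or slot together with the default keyword is a
 * usage error. For every other provider type exactly four arguments are
 * required and the feature/mechanism operands go through
 * process_feature_operands() and process_mech_operands().
 *
 * Returns ERROR_USAGE for a malformed command line, the parser's error
 * code when an operand is rejected, FAILURE for a bad provider name or a
 * kernel provider addressed outside the global zone, otherwise the result
 * of the enable_* helper. All exits after get_provider() succeeds go
 * through "out", which frees prov, mecharglist, alt_token and alt_slot.
 */
static int
do_enable(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;
	char *alt_token = NULL, *alt_slot = NULL;
	boolean_t use_default = B_FALSE;
	boolean_t auto_key_migrate_flag = B_FALSE;

	if ((argc < 3) || (argc > 6)) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL) {
		usage();
		return (ERROR_USAGE);
	}
	if ((prov->cp_type != METASLOT) && (argc != 4)) {
		/* prov is already allocated; release it via "out" */
		usage();
		rc = ERROR_USAGE;
		goto out;
	}
	if (prov->cp_type == PROV_BADNAME) {
		rc = FAILURE;
		goto out;
	}

	if (prov->cp_type == METASLOT) {
		if ((rc = process_metaslot_operands(argc, argv, &alt_token,
		    &alt_slot, &use_default, &auto_key_migrate_flag))
		    != SUCCESS) {
			usage();
			goto out;
		}
		if ((alt_slot || alt_token) && use_default) {
			usage();
			rc = FAILURE;
			goto out;
		}
	} else {
		if ((rc = process_feature_operands(argc, argv)) != SUCCESS) {
			goto out;
		}

		/*
		 * If allflag or rndflag has already been set there is
		 * no reason to process mech=
		 */
		if (!allflag && !rndflag &&
		    (rc = process_mech_operands(argc, argv, B_FALSE))
		    != SUCCESS) {
			goto out;
		}
	}

	switch (prov->cp_type) {
	case METASLOT:
		rc = enable_metaslot(alt_token, alt_slot, use_default,
		    mecharglist, allflag, auto_key_migrate_flag);
		break;
	case PROV_UEF_LIB:
		rc = enable_uef_lib(prov->cp_name, rndflag, allflag,
		    mecharglist);
		break;
	case PROV_KEF_SOFT:
	case PROV_KEF_HARD:
		/* "random" on its own is passed down as a one-entry list */
		if (rndflag && !allflag) {
			if ((mecharglist = create_mech(RANDOM)) == NULL) {
				rc = FAILURE;
				break;
			}
		}
		if (getzoneid() == GLOBAL_ZONEID) {
			rc = enable_kef(prov->cp_name, rndflag, allflag,
			    mecharglist);
		} else {
			/*
			 * TRANSLATION_NOTE
			 * "enable" could be either a literal keyword
			 * and hence not to be translated, or a verb and
			 * translatable. A choice was made to view it as
			 * a literal keyword. "global" is keyword and not
			 * to be translated.
			 */
			cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
			    "providers is supported in the %2$s zone only"),
			    "enable", "global");
			rc = FAILURE;
		}
		break;
	default: /* should not come here */
		rc = FAILURE;
		break;
	}
out:
	free(prov);
	if (mecharglist != NULL) {
		free_mechlist(mecharglist);
	}
	/* free(NULL) is a no-op, so the unset case needs no guard */
	free(alt_token);
	free(alt_slot);
	return (rc);
}



/*
 * The top level function for the "cryptoadm install" subcommand.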
 *
 * argv[2] names the provider. A user-level library is handed straight to
 * install_uef_lib(); anything that is not rejected as a bad name or a
 * kernel hardware provider is treated as a kernel software provider,
 * which needs mechanism operands, must not use the "all" keyword, and
 * can only be installed from the global zone.
 *
 * Returns ERROR_USAGE for a malformed command line, FAILURE for a bad
 * provider name or a refused operation, otherwise the result of
 * install_uef_lib()/install_kef().
 *
 * NOTE(review): get_provider() can also yield METASLOT (do_disable()
 * tests for it); that type is not filtered here and would take the
 * kernel-software path — confirm that install_kef() rejects it.
 */

/*
 * Kernel-software half of "cryptoadm install": validates the mechanism
 * operands for prov (a PROV_KEF_SOFT provider) and calls install_kef().
 * Returns ERROR_USAGE, FAILURE or the result of install_kef().
 */
static int
install_kef_soft_provider(int argc, char **argv, cryptoadm_provider_t *prov)
{
	int rc;

	/* check if there are mechanism operands */
	if (argc < 4) {
		/*
		 * TRANSLATION_NOTE
		 * "mechanism" could be either a literal keyword and hence
		 * not to be translated, or a descriptive word and
		 * translatable. A choice was made to view it as a literal
		 * keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("need %s operands for installing a"
		    " kernel software provider."), "mechanism");
		return (ERROR_USAGE);
	}

	rc = process_mech_operands(argc, argv, B_FALSE);
	if (rc != SUCCESS) {
		return (rc);
	}

	/* "all" is meaningless for an install; it must name mechanisms */
	if (allflag == B_TRUE) {
		/*
		 * TRANSLATION_NOTE
		 * "all", "mechanism", and "install" are all keywords and
		 * not to be translated.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("can not use the %1$s keyword for %2$s "
		    "in the %3$s subcommand."), "all", "mechanism", "install");
		return (ERROR_USAGE);
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "install", "global");
		return (FAILURE);
	}

	return (install_kef(prov->cp_name, mecharglist));
}

static int
do_install(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	boolean_t bad_provider;
	int rc = SUCCESS;

	if (argc < 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	/* short-circuit keeps prov->cp_type from being read when NULL */
	bad_provider = (prov == NULL) ||
	    (prov->cp_type == PROV_BADNAME) ||
	    (prov->cp_type == PROV_KEF_HARD);
	if (bad_provider) {
		/*
		 * TRANSLATION_NOTE
		 * "install" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "install");
		rc = FAILURE;
	} else if (prov->cp_type == PROV_UEF_LIB) {
		rc = install_uef_lib(prov->cp_name);
	} else {
		/* It is the PROV_KEF_SOFT type now */
		rc = install_kef_soft_provider(argc, argv, prov);
	}

	free(prov);
	return (rc);
}



/*
 * The top level function for the "cryptoadm uninstall" subcommand.
 *
 * argv[2] names the provider and must be the only operand. A user-level
 * library goes to uninstall_uef_lib(); a kernel software provider goes to
 * uninstall_kef(), but only from the global zone. Returns ERROR_USAGE for
 * a malformed command line, FAILURE for a bad name, a kernel hardware
 * provider or a refused operation, otherwise the helper's result. Any
 * other provider type falls through and returns SUCCESS unchanged.
 */
static int
do_uninstall(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	int rc = SUCCESS;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	prov = get_provider(argc, argv);
	if (prov == NULL ||
	    prov->cp_type == PROV_BADNAME || prov->cp_type == PROV_KEF_HARD) {
		/*
		 * TRANSLATION_NOTE
		 * "uninstall" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable. A
		 * choice was made to view it as a literal keyword.
		 */
		cryptoerror(LOG_STDERR,
		    gettext("bad provider name for %s."), "uninstall");
		rc = FAILURE;
	} else {
		switch (prov->cp_type) {
		case PROV_UEF_LIB:
			rc = uninstall_uef_lib(prov->cp_name);
			break;
		case PROV_KEF_SOFT:
			if (getzoneid() != GLOBAL_ZONEID) {
				/*
				 * TRANSLATION_NOTE
				 * "uninstall" could be either a literal
				 * keyword and hence not to be translated,
				 * or a verb and translatable. A choice was
				 * made to view it as a literal keyword.
				 * "global" is keyword and not to be
				 * translated.
				 */
				cryptoerror(LOG_STDERR, gettext("%1$s for kernel "
				    "providers is supported in the %2$s zone only"),
				    "uninstall", "global");
				rc = FAILURE;
			} else {
				/* unload and remove from kcf.conf */
				rc = uninstall_kef(prov->cp_name);
			}
			break;
		default:
			/* other provider types: nothing to do, rc stays SUCCESS */
			break;
		}
	}

	free(prov);
	return (rc);
}


/*
 * The top level function for the "cryptoadm unload" subcommand.
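 *
 * argv[2] must name a kernel software provider that is currently loaded;
 * the command is only supported in the global zone. On success the
 * provider is unloaded and its kcf.conf entry (created on the fly if the
 * file has none) is marked as not loaded via update_kcfconf().
 *
 * Returns ERROR_USAGE for a malformed command line, FAILURE for every
 * other error, otherwise the result of update_kcfconf().
 */
static int
do_unload(int argc, char **argv)
{
	cryptoadm_provider_t *prov = NULL;
	entry_t *pent = NULL;
	boolean_t in_kernel = B_FALSE;
	int rc = SUCCESS;
	char *provname = NULL;

	if (argc != 3) {
		usage();
		return (ERROR_USAGE);
	}

	/* check if it is a kernel software provider */
	prov = get_provider(argc, argv);
	if (prov == NULL) {
		cryptoerror(LOG_STDERR,
		    gettext("unable to determine provider name."));
		/*
		 * An unresolved provider name is an error; previously this
		 * path fell through with rc still SUCCESS.
		 */
		rc = FAILURE;
		goto out;
	}
	provname = prov->cp_name;
	if (prov->cp_type != PROV_KEF_SOFT) {
		cryptoerror(LOG_STDERR,
		    gettext("%s is not a valid kernel software provider."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		/*
		 * TRANSLATION_NOTE
		 * "unload" could be either a literal keyword and hence
		 * not to be translated, or a verb and translatable.
		 * A choice was made to view it as a literal keyword.
		 * "global" is keyword and not to be translated.
		 */
		cryptoerror(LOG_STDERR, gettext("%1$s for kernel providers "
		    "is supported in the %2$s zone only"), "unload", "global");
		rc = FAILURE;
		goto out;
	}

	if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
		cryptodebug("internal error");
		rc = FAILURE;
		goto out;
	} else if (in_kernel == B_FALSE) {
		cryptoerror(LOG_STDERR,
		    gettext("provider %s is not loaded or does not exist."),
		    provname);
		rc = FAILURE;
		goto out;
	}

	/* Get kcf.conf entry. If none, build a new entry */
	if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
		if ((pent = create_entry(provname)) == NULL) {
			cryptoerror(LOG_STDERR, gettext("out of memory."));
			rc = FAILURE;
			goto out;
		}
	}

	/* If it is unloaded already, return */
	if (!pent->load) { /* unloaded already */
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
		goto out;
	} else if (unload_kef_soft(provname) != FAILURE) {
		/* Mark as unloaded in kcf.conf */
		pent->load = B_FALSE;
		rc = update_kcfconf(pent, MODIFY_MODE);
	} else {
		cryptoerror(LOG_STDERR,
		    gettext("failed to unload %s."), provname);
		rc = FAILURE;
	}
out:
	free(prov);
	/* pent may still be NULL here; free_entry() is reached that way on
	 * every early exit above, so it is relied on to accept NULL. */
	free_entry(pent);
	return (rc);
}



/*
 * The top level function for the "cryptoadm refresh" subcommand.
 *
 * Takes no operands. In the global zone returns the result of refresh();
 * in a non-global zone returns SUCCESS without doing anything (see the
 * note below). Returns ERROR_USAGE if operands were supplied.
 */
static int
do_refresh(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	if (getzoneid() == GLOBAL_ZONEID) {
		return (refresh());
	} else { /* non-global zone */
		/*
		 * Note: in non-global zone, this must silently return SUCCESS
		 * due to integration with SMF, for "svcadm refresh cryptosvc"
		 */
		return (SUCCESS);
	}
}


/*
 * The top level function for the "cryptoadm start" subcommand.
 *
 * Takes no operands. Runs do_refresh() first and returns its error if it
 * fails; otherwise returns the result of start_daemon().
 */
static int
do_start(int argc)
{
	int ret;

	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	ret = do_refresh(argc);
	if (ret != SUCCESS)
		return (ret);

	return (start_daemon());
}

/*
 * The top level function for the "cryptoadm stop" subcommand.
 *
 * Takes no operands. Returns ERROR_USAGE if any were supplied, otherwise
 * the result of stop_daemon().
 */
static int
do_stop(int argc)
{
	if (argc != 2) {
		usage();
		return (ERROR_USAGE);
	}

	return (stop_daemon());
}



/*
 * Print a list of all the providers.
 * Called for "cryptoadm list" or "cryptoadm list -v" (no -m or -p).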
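 *
 * Prints three sections in order: user-level (pkcs11.conf) providers,
 * kernel software providers and kernel hardware providers. In the global
 * zone the software list is fetched from the kernel and each name is
 * annotated with " (inactive)" when its kcf.conf entry is not marked
 * loaded; in a non-global zone the list comes from /dev/cryptoadm via
 * get_admindev_info(). With verbose set, each user-level provider's
 * mechanism list is printed under its name.
 *
 * A failure in one section is reported and the remaining sections are
 * still printed; the function returns FAILURE if any section failed and
 * SUCCESS otherwise.
 */
static int
list_simple_for_all(boolean_t verbose)
{
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr = NULL;
	entry_t *pent = NULL;
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	int rc = SUCCESS;
	int i;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	if (get_pkcs11conf_info(&pliblist) != SUCCESS) {
		cryptoerror(LOG_STDERR, gettext(
		    "failed to retrieve the list of user-level providers."));
		rc = FAILURE;
	}

	for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
		/* the metaslot entry is skipped in this listing */
		if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
			(void) printf(gettext("Provider: %s\n"),
			    plibptr->puent->name);
			if (verbose) {
				(void) list_mechlist_for_lib(
				    plibptr->puent->name, mecharglist, NULL,
				    B_FALSE, verbose, B_FALSE);
				(void) printf("\n");
			}
		}
	}
	free_uentrylist(pliblist);

	/* get kernel software providers */
	(void) printf(gettext("\nKernel software providers:\n"));

	if (getzoneid() == GLOBAL_ZONEID) {
		/* get kernel software providers from kernel ioctl */
		crypto_get_soft_list_t *psoftlist_kernel = NULL;
		uint_t sl_soft_count;
		char *psoftname;
		entrylist_t *pdevlist_conf = NULL;
		entrylist_t *psoftlist_conf = NULL;

		if (get_soft_list(&psoftlist_kernel) == FAILURE) {
			cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
			    "software provider list from kernel."));
			rc = FAILURE;
		} else {
			sl_soft_count = psoftlist_kernel->sl_soft_count;

			if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
			    == FAILURE) {
				cryptoerror(LOG_ERR,
				    "failed to retrieve the providers' "
				    "information from file kcf.conf - %s.",
				    _PATH_KCF_CONF);
				/*
				 * psoftlist_kernel is released exactly once,
				 * after this if/else; the extra free() that
				 * used to sit here made this path a double
				 * free.
				 */
				rc = FAILURE;
			} else {
				/*
				 * sl_soft_names holds sl_soft_count
				 * NUL-terminated names packed back to back,
				 * hence the strlen()+1 stride.
				 */
				for (i = 0,
				    psoftname = psoftlist_kernel->sl_soft_names;
				    i < sl_soft_count;
				    ++i, psoftname += strlen(psoftname) + 1) {
					pent = getent_kef(psoftname,
					    pdevlist_conf, psoftlist_conf);
					/*
					 * NOTE(review): pent is not freed
					 * here, while do_unload() does
					 * free_entry() what getent_kef()
					 * returns — confirm whether this
					 * call returns a copy or a pointer
					 * into the lists.
					 */
					(void) printf("\t%s%s\n", psoftname,
					    ((pent == NULL) || pent->load) ?
					    "" : gettext(" (inactive)"));
				}
				free_entrylist(pdevlist_conf);
				free_entrylist(psoftlist_conf);
			}
			free(psoftlist_kernel);
		}

	} else {
		/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
		entrylist_t *pdevlist_zone = NULL;
		entrylist_t *psoftlist_zone = NULL;
		entrylist_t *ptr;

		if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
		    SUCCESS) {
			cryptoerror(LOG_STDERR,
			    gettext("failed to retrieve the "
			    "list of kernel software providers.\n"));
			rc = FAILURE;
		}

		for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) {
			(void) printf("\t%s\n", ptr->pent->name);
		}

		free_entrylist(pdevlist_zone);
		free_entrylist(psoftlist_zone);
	}

	/* get kernel hardware providers */
	(void) printf(gettext("\nKernel hardware providers:\n"));
	if (get_dev_list(&pdevlist_kernel) == FAILURE) {
		cryptoerror(LOG_STDERR, gettext("failed to retrieve "
		    "the list of kernel hardware providers.\n"));
		rc = FAILURE;
	} else {
		for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) {
			(void) printf("\t%s/%d\n",
			    pdevlist_kernel->dl_devs[i].le_dev_name,
			    pdevlist_kernel->dl_devs[i].le_dev_instance);
		}
	}
	free(pdevlist_kernel);

	return (rc);
}



/*
 * List all the providers. And for each provider, list the mechanism list.
 * Called for "cryptoadm list -m" or "cryptoadm list -mv" .
 */
static int
list_mechlist_for_all(boolean_t verbose)
{
	crypto_get_dev_list_t *pdevlist_kernel = NULL;
	uentrylist_t *pliblist = NULL;
	uentrylist_t *plibptr = NULL;
	entry_t *pent = NULL;
	mechlist_t *pmechlist = NULL;
	char provname[MAXNAMELEN];
	char devname[MAXNAMELEN];
	int inst_num;
	int count;
	int i;
	int rv;
	int rc = SUCCESS;

	/* get user-level providers */
	(void) printf(gettext("\nUser-level providers:\n"));
	/*
	 * TRANSLATION_NOTE
	 * Strictly for appearance's sake, this line should be as long as
	 * the length of the translated text above.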
13960Sstevel@tonic-gate */ 13970Sstevel@tonic-gate (void) printf(gettext("=====================\n")); 13980Sstevel@tonic-gate if (get_pkcs11conf_info(&pliblist) != SUCCESS) { 13990Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 14000Sstevel@tonic-gate "the list of user-level providers.\n")); 14010Sstevel@tonic-gate rc = FAILURE; 14020Sstevel@tonic-gate } 14030Sstevel@tonic-gate 14040Sstevel@tonic-gate plibptr = pliblist; 14050Sstevel@tonic-gate while (plibptr != NULL) { 14060Sstevel@tonic-gate /* skip metaslot entry */ 14070Sstevel@tonic-gate if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) { 14080Sstevel@tonic-gate (void) printf(gettext("\nProvider: %s\n"), 14090Sstevel@tonic-gate plibptr->puent->name); 14100Sstevel@tonic-gate rv = list_mechlist_for_lib(plibptr->puent->name, 14110Sstevel@tonic-gate mecharglist, NULL, B_FALSE, verbose, B_TRUE); 14120Sstevel@tonic-gate if (rv == FAILURE) { 14130Sstevel@tonic-gate rc = FAILURE; 14140Sstevel@tonic-gate } 14150Sstevel@tonic-gate } 14160Sstevel@tonic-gate plibptr = plibptr->next; 14170Sstevel@tonic-gate } 14180Sstevel@tonic-gate free_uentrylist(pliblist); 14190Sstevel@tonic-gate 14200Sstevel@tonic-gate /* get kernel software providers */ 14210Sstevel@tonic-gate (void) printf(gettext("\nKernel software providers:\n")); 1422*7968Sopensolaris@drydog.com 14230Sstevel@tonic-gate /* 14247334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 14250Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 14260Sstevel@tonic-gate * the length of the translated text above. 
14270Sstevel@tonic-gate */ 14280Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 14290Sstevel@tonic-gate if (getzoneid() == GLOBAL_ZONEID) { 1430*7968Sopensolaris@drydog.com /* get kernel software providers from kernel ioctl */ 1431*7968Sopensolaris@drydog.com crypto_get_soft_list_t *psoftlist_kernel = NULL; 1432*7968Sopensolaris@drydog.com uint_t sl_soft_count; 1433*7968Sopensolaris@drydog.com char *psoftname; 1434*7968Sopensolaris@drydog.com int i; 1435*7968Sopensolaris@drydog.com entrylist_t *pdevlist_conf = NULL; 1436*7968Sopensolaris@drydog.com entrylist_t *psoftlist_conf = NULL; 14370Sstevel@tonic-gate 1438*7968Sopensolaris@drydog.com if (get_soft_list(&psoftlist_kernel) == FAILURE) { 1439*7968Sopensolaris@drydog.com cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 1440*7968Sopensolaris@drydog.com "software provider list from kernel.")); 1441*7968Sopensolaris@drydog.com return (FAILURE); 1442*7968Sopensolaris@drydog.com } 1443*7968Sopensolaris@drydog.com sl_soft_count = psoftlist_kernel->sl_soft_count; 1444*7968Sopensolaris@drydog.com 1445*7968Sopensolaris@drydog.com if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) 1446*7968Sopensolaris@drydog.com == FAILURE) { 1447*7968Sopensolaris@drydog.com cryptoerror(LOG_ERR, 1448*7968Sopensolaris@drydog.com "failed to retrieve the providers' " 1449*7968Sopensolaris@drydog.com "information from file kcf.conf - %s.", 1450*7968Sopensolaris@drydog.com _PATH_KCF_CONF); 1451*7968Sopensolaris@drydog.com free(psoftlist_kernel); 1452*7968Sopensolaris@drydog.com return (FAILURE); 14530Sstevel@tonic-gate } 14540Sstevel@tonic-gate 1455*7968Sopensolaris@drydog.com for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 1456*7968Sopensolaris@drydog.com i < sl_soft_count; 1457*7968Sopensolaris@drydog.com ++i, psoftname += strlen(psoftname) + 1) { 1458*7968Sopensolaris@drydog.com pent = getent_kef(psoftname, pdevlist_conf, 1459*7968Sopensolaris@drydog.com psoftlist_conf); 
1460*7968Sopensolaris@drydog.com if ((pent == NULL) || (pent->load)) { 1461*7968Sopensolaris@drydog.com rv = list_mechlist_for_soft(psoftname, 1462*7968Sopensolaris@drydog.com NULL, NULL); 1463*7968Sopensolaris@drydog.com if (rv == FAILURE) { 1464*7968Sopensolaris@drydog.com rc = FAILURE; 14650Sstevel@tonic-gate } 14660Sstevel@tonic-gate } else { 1467*7968Sopensolaris@drydog.com (void) printf(gettext("%s: (inactive)\n"), 1468*7968Sopensolaris@drydog.com psoftname); 14690Sstevel@tonic-gate } 14700Sstevel@tonic-gate } 14710Sstevel@tonic-gate 1472*7968Sopensolaris@drydog.com free(psoftlist_kernel); 14730Sstevel@tonic-gate free_entrylist(pdevlist_conf); 14740Sstevel@tonic-gate free_entrylist(psoftlist_conf); 1475*7968Sopensolaris@drydog.com 14760Sstevel@tonic-gate } else { 14770Sstevel@tonic-gate /* kcf.conf not there in non-global zone, use /dev/cryptoadm */ 1478*7968Sopensolaris@drydog.com entrylist_t *pdevlist_zone = NULL; 1479*7968Sopensolaris@drydog.com entrylist_t *psoftlist_zone = NULL; 1480*7968Sopensolaris@drydog.com entrylist_t *ptr; 14810Sstevel@tonic-gate 14820Sstevel@tonic-gate if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) != 14830Sstevel@tonic-gate SUCCESS) { 14840Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 14850Sstevel@tonic-gate "the list of kernel software providers.\n")); 14860Sstevel@tonic-gate rc = FAILURE; 14870Sstevel@tonic-gate } 14880Sstevel@tonic-gate 1489*7968Sopensolaris@drydog.com for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) { 1490*7968Sopensolaris@drydog.com rv = list_mechlist_for_soft(ptr->pent->name, 1491*7968Sopensolaris@drydog.com pdevlist_zone, psoftlist_zone); 14920Sstevel@tonic-gate if (rv == FAILURE) { 14930Sstevel@tonic-gate (void) printf(gettext( 14940Sstevel@tonic-gate "%s: failed to get the mechanism list.\n"), 14950Sstevel@tonic-gate ptr->pent->name); 14960Sstevel@tonic-gate rc = FAILURE; 14970Sstevel@tonic-gate } 14980Sstevel@tonic-gate } 14990Sstevel@tonic-gate 
15000Sstevel@tonic-gate free_entrylist(pdevlist_zone); 15010Sstevel@tonic-gate free_entrylist(psoftlist_zone); 15020Sstevel@tonic-gate } 15030Sstevel@tonic-gate 15040Sstevel@tonic-gate /* Get kernel hardware providers and their mechanism lists */ 15050Sstevel@tonic-gate (void) printf(gettext("\nKernel hardware providers:\n")); 15060Sstevel@tonic-gate /* 15077334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 15080Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 15090Sstevel@tonic-gate * the length of the translated text above. 15100Sstevel@tonic-gate */ 15110Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 15120Sstevel@tonic-gate if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 15130Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 15140Sstevel@tonic-gate "the list of hardware providers.\n")); 15150Sstevel@tonic-gate return (FAILURE); 15160Sstevel@tonic-gate } 15170Sstevel@tonic-gate 15180Sstevel@tonic-gate for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 15190Sstevel@tonic-gate (void) strlcpy(devname, 15200Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_name, MAXNAMELEN); 15210Sstevel@tonic-gate inst_num = pdevlist_kernel->dl_devs[i].le_dev_instance; 15220Sstevel@tonic-gate count = pdevlist_kernel->dl_devs[i].le_mechanism_count; 15230Sstevel@tonic-gate (void) snprintf(provname, sizeof (provname), "%s/%d", devname, 15240Sstevel@tonic-gate inst_num); 15250Sstevel@tonic-gate if (get_dev_info(devname, inst_num, count, &pmechlist) == 15260Sstevel@tonic-gate SUCCESS) { 15270Sstevel@tonic-gate (void) filter_mechlist(&pmechlist, RANDOM); 15280Sstevel@tonic-gate print_mechlist(provname, pmechlist); 15290Sstevel@tonic-gate free_mechlist(pmechlist); 15300Sstevel@tonic-gate } else { 15310Sstevel@tonic-gate (void) printf(gettext("%s: failed to get the mechanism" 15320Sstevel@tonic-gate " list.\n"), provname); 15330Sstevel@tonic-gate rc = FAILURE; 15340Sstevel@tonic-gate } 
15350Sstevel@tonic-gate } 15360Sstevel@tonic-gate free(pdevlist_kernel); 15370Sstevel@tonic-gate return (rc); 15380Sstevel@tonic-gate } 15390Sstevel@tonic-gate 15400Sstevel@tonic-gate 15410Sstevel@tonic-gate /* 15420Sstevel@tonic-gate * List all the providers. And for each provider, list the policy information. 1543*7968Sopensolaris@drydog.com * Called for "cryptoadm list -p". 15440Sstevel@tonic-gate */ 15450Sstevel@tonic-gate static int 15460Sstevel@tonic-gate list_policy_for_all(void) 15470Sstevel@tonic-gate { 1548*7968Sopensolaris@drydog.com crypto_get_dev_list_t *pdevlist_kernel = NULL; 1549*7968Sopensolaris@drydog.com uentrylist_t *pliblist = NULL; 1550*7968Sopensolaris@drydog.com entrylist_t *pdevlist_conf = NULL; 1551*7968Sopensolaris@drydog.com entrylist_t *psoftlist_conf = NULL; 1552*7968Sopensolaris@drydog.com entrylist_t *ptr = NULL; 1553*7968Sopensolaris@drydog.com entrylist_t *phead = NULL; 1554*7968Sopensolaris@drydog.com boolean_t found = B_FALSE; 1555*7968Sopensolaris@drydog.com char provname[MAXNAMELEN]; 1556*7968Sopensolaris@drydog.com int i; 1557*7968Sopensolaris@drydog.com int rc = SUCCESS; 15580Sstevel@tonic-gate 15590Sstevel@tonic-gate /* Get user-level providers */ 15600Sstevel@tonic-gate (void) printf(gettext("\nUser-level providers:\n")); 15610Sstevel@tonic-gate /* 15627334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 15630Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 15640Sstevel@tonic-gate * the length of the translated text above. 
15650Sstevel@tonic-gate */ 15660Sstevel@tonic-gate (void) printf(gettext("=====================\n")); 15670Sstevel@tonic-gate if (get_pkcs11conf_info(&pliblist) == FAILURE) { 15680Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to retrieve " 15690Sstevel@tonic-gate "the list of user-level providers.\n")); 1570*7968Sopensolaris@drydog.com rc = FAILURE; 15710Sstevel@tonic-gate } else { 1572*7968Sopensolaris@drydog.com uentrylist_t *plibptr = pliblist; 1573*7968Sopensolaris@drydog.com 15740Sstevel@tonic-gate while (plibptr != NULL) { 15750Sstevel@tonic-gate /* skip metaslot entry */ 15760Sstevel@tonic-gate if (strcmp(plibptr->puent->name, 15770Sstevel@tonic-gate METASLOT_KEYWORD) != 0) { 15780Sstevel@tonic-gate if (print_uef_policy(plibptr->puent) 15790Sstevel@tonic-gate == FAILURE) { 15800Sstevel@tonic-gate rc = FAILURE; 15810Sstevel@tonic-gate } 15820Sstevel@tonic-gate } 15830Sstevel@tonic-gate plibptr = plibptr->next; 15840Sstevel@tonic-gate } 15850Sstevel@tonic-gate free_uentrylist(pliblist); 15860Sstevel@tonic-gate } 15870Sstevel@tonic-gate 15880Sstevel@tonic-gate /* kernel software providers */ 15890Sstevel@tonic-gate (void) printf(gettext("\nKernel software providers:\n")); 15900Sstevel@tonic-gate /* 15917334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 15920Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 15930Sstevel@tonic-gate * the length of the translated text above. 
15940Sstevel@tonic-gate */ 15950Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 15960Sstevel@tonic-gate 1597*7968Sopensolaris@drydog.com /* Get all entries from the kernel */ 15980Sstevel@tonic-gate if (getzoneid() == GLOBAL_ZONEID) { 1599*7968Sopensolaris@drydog.com /* get kernel software providers from kernel ioctl */ 1600*7968Sopensolaris@drydog.com crypto_get_soft_list_t *psoftlist_kernel = NULL; 1601*7968Sopensolaris@drydog.com uint_t sl_soft_count; 1602*7968Sopensolaris@drydog.com char *psoftname; 1603*7968Sopensolaris@drydog.com int i; 16040Sstevel@tonic-gate 1605*7968Sopensolaris@drydog.com if (get_soft_list(&psoftlist_kernel) == FAILURE) { 1606*7968Sopensolaris@drydog.com cryptoerror(LOG_ERR, gettext("Failed to retrieve the " 1607*7968Sopensolaris@drydog.com "software provider list from kernel.")); 1608*7968Sopensolaris@drydog.com rc = FAILURE; 1609*7968Sopensolaris@drydog.com } else { 1610*7968Sopensolaris@drydog.com sl_soft_count = psoftlist_kernel->sl_soft_count; 1611*7968Sopensolaris@drydog.com 1612*7968Sopensolaris@drydog.com for (i = 0, psoftname = psoftlist_kernel->sl_soft_names; 1613*7968Sopensolaris@drydog.com i < sl_soft_count; 1614*7968Sopensolaris@drydog.com ++i, psoftname += strlen(psoftname) + 1) { 1615*7968Sopensolaris@drydog.com (void) list_policy_for_soft(psoftname, 1616*7968Sopensolaris@drydog.com pdevlist_conf, psoftlist_conf); 1617*7968Sopensolaris@drydog.com } 1618*7968Sopensolaris@drydog.com free(psoftlist_kernel); 16190Sstevel@tonic-gate } 16200Sstevel@tonic-gate 16210Sstevel@tonic-gate } else { 16220Sstevel@tonic-gate /* kcf.conf not there in non-global zone, no policy info */ 16230Sstevel@tonic-gate 16240Sstevel@tonic-gate /* 16257334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16260Sstevel@tonic-gate * "global" is keyword and not to be translated. 
16270Sstevel@tonic-gate */ 16280Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 16290Sstevel@tonic-gate "policy information for kernel software providers is " 16300Sstevel@tonic-gate "available in the %s zone only"), "global"); 16310Sstevel@tonic-gate } 16320Sstevel@tonic-gate 16330Sstevel@tonic-gate /* Kernel hardware providers */ 16340Sstevel@tonic-gate (void) printf(gettext("\nKernel hardware providers:\n")); 16350Sstevel@tonic-gate /* 16367334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16370Sstevel@tonic-gate * Strictly for appearance's sake, this line should be as long as 16380Sstevel@tonic-gate * the length of the translated text above. 16390Sstevel@tonic-gate */ 16400Sstevel@tonic-gate (void) printf(gettext("==========================\n")); 16410Sstevel@tonic-gate 16420Sstevel@tonic-gate if (getzoneid() != GLOBAL_ZONEID) { 16430Sstevel@tonic-gate /* 16447334SDaniel.Anderson@Sun.COM * TRANSLATION_NOTE 16450Sstevel@tonic-gate * "global" is keyword and not to be translated. 16460Sstevel@tonic-gate */ 16470Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 16480Sstevel@tonic-gate "policy information for kernel hardware providers is " 16490Sstevel@tonic-gate "available in the %s zone only"), "global"); 16500Sstevel@tonic-gate return (FAILURE); 16510Sstevel@tonic-gate } 16520Sstevel@tonic-gate 16530Sstevel@tonic-gate /* Get the hardware provider list from kernel */ 16540Sstevel@tonic-gate if (get_dev_list(&pdevlist_kernel) != SUCCESS) { 16550Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 16560Sstevel@tonic-gate "failed to retrieve the list of hardware providers.\n")); 16570Sstevel@tonic-gate return (FAILURE); 16580Sstevel@tonic-gate } 16590Sstevel@tonic-gate 1660*7968Sopensolaris@drydog.com if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) == FAILURE) { 1661*7968Sopensolaris@drydog.com cryptoerror(LOG_ERR, "failed to retrieve the providers' " 1662*7968Sopensolaris@drydog.com "information from file kcf.conf - %s.", 1663*7968Sopensolaris@drydog.com 
_PATH_KCF_CONF); 1664*7968Sopensolaris@drydog.com return (FAILURE); 1665*7968Sopensolaris@drydog.com } 1666*7968Sopensolaris@drydog.com 1667*7968Sopensolaris@drydog.com 16680Sstevel@tonic-gate /* 16690Sstevel@tonic-gate * For each hardware provider from kernel, check if it has an entry 16700Sstevel@tonic-gate * in the config file. If it has an entry, print out the policy from 16710Sstevel@tonic-gate * config file and remove the entry from the hardware provider list 16720Sstevel@tonic-gate * of the config file. If it does not have an entry in the config 16730Sstevel@tonic-gate * file, no mechanisms of it have been disabled. But, we still call 16740Sstevel@tonic-gate * list_policy_for_hard() to account for the "random" feature. 16750Sstevel@tonic-gate */ 16760Sstevel@tonic-gate for (i = 0; i < pdevlist_kernel->dl_dev_count; i++) { 16770Sstevel@tonic-gate (void) snprintf(provname, sizeof (provname), "%s/%d", 16780Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_name, 16790Sstevel@tonic-gate pdevlist_kernel->dl_devs[i].le_dev_instance); 1680*7968Sopensolaris@drydog.com 16810Sstevel@tonic-gate found = B_FALSE; 16820Sstevel@tonic-gate phead = ptr = pdevlist_conf; 16830Sstevel@tonic-gate while (!found && ptr) { 16840Sstevel@tonic-gate if (strcmp(ptr->pent->name, provname) == 0) { 16850Sstevel@tonic-gate found = B_TRUE; 16860Sstevel@tonic-gate } else { 16870Sstevel@tonic-gate phead = ptr; 16880Sstevel@tonic-gate ptr = ptr->next; 16890Sstevel@tonic-gate } 16900Sstevel@tonic-gate } 16910Sstevel@tonic-gate 16920Sstevel@tonic-gate if (found) { 1693*7968Sopensolaris@drydog.com (void) list_policy_for_hard(ptr->pent->name, 1694*7968Sopensolaris@drydog.com pdevlist_conf, psoftlist_conf, pdevlist_kernel); 16950Sstevel@tonic-gate if (phead == ptr) { 16960Sstevel@tonic-gate pdevlist_conf = pdevlist_conf->next; 16970Sstevel@tonic-gate } else { 16980Sstevel@tonic-gate phead->next = ptr->next; 16990Sstevel@tonic-gate } 17000Sstevel@tonic-gate free_entry(ptr->pent); 
17010Sstevel@tonic-gate free(ptr); 17020Sstevel@tonic-gate } else { 1703*7968Sopensolaris@drydog.com (void) list_policy_for_hard(provname, pdevlist_conf, 1704*7968Sopensolaris@drydog.com psoftlist_conf, pdevlist_kernel); 17050Sstevel@tonic-gate } 17060Sstevel@tonic-gate } 17070Sstevel@tonic-gate 17080Sstevel@tonic-gate /* 17090Sstevel@tonic-gate * If there are still entries left in the pdevlist_conf list from 17100Sstevel@tonic-gate * the config file, these providers must have been detached. 17110Sstevel@tonic-gate * Should print out their policy information also. 17120Sstevel@tonic-gate */ 1713*7968Sopensolaris@drydog.com for (ptr = pdevlist_conf; ptr != NULL; ptr = ptr->next) { 1714*7968Sopensolaris@drydog.com print_kef_policy(ptr->pent->name, ptr->pent, B_FALSE, B_TRUE); 17150Sstevel@tonic-gate } 17160Sstevel@tonic-gate 17170Sstevel@tonic-gate free_entrylist(pdevlist_conf); 1718*7968Sopensolaris@drydog.com free_entrylist(psoftlist_conf); 17190Sstevel@tonic-gate free(pdevlist_kernel); 17200Sstevel@tonic-gate 17210Sstevel@tonic-gate return (rc); 17220Sstevel@tonic-gate } 1723