10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53812Shylee * Common Development and Distribution License (the "License"). 63812Shylee * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 211142Sjk115741 /* Portions Copyright 2005 Richard Lowe */ 220Sstevel@tonic-gate /* 239127SDina.Nimeh@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 240Sstevel@tonic-gate * Use is subject to license terms. 250Sstevel@tonic-gate */ 260Sstevel@tonic-gate 270Sstevel@tonic-gate /* 280Sstevel@tonic-gate * decrypt.c 290Sstevel@tonic-gate * 300Sstevel@tonic-gate * Implements encrypt(1) and decrypt(1) commands 310Sstevel@tonic-gate * 320Sstevel@tonic-gate * One binary performs both encrypt/decrypt operation. 330Sstevel@tonic-gate * 346535Sda73024 * Usage: 356535Sda73024 * -a algorithm mechanism name without CKM_ prefix. Case 366535Sda73024 * does not matter 376535Sda73024 * -k keyfile file containing key data. If not specified user is 386535Sda73024 * prompted to enter key. key length > 0 is required 396535Sda73024 * -i infile input file to encrypt/decrypt. If omitted, stdin used. 406535Sda73024 * -o outfile output file to encrypt/decrypt. If omitted, stdout used. 416535Sda73024 * if infile & outfile are same, a temp file is used for 426535Sda73024 * output and infile is replaced with this file after 436535Sda73024 * operation is complete 446535Sda73024 * -l Display the list of algorithms 456535Sda73024 * -v Display verbose information 466535Sda73024 * -T tokenspec Specify a PKCS#11 token (optionally used with -K) 476535Sda73024 * -K keylabel Specify the symmetric PKCS#11 token key label 480Sstevel@tonic-gate * 490Sstevel@tonic-gate * Implementation notes: 506535Sda73024 * IV data - It is generated by random bytes equal to one block size. 510Sstevel@tonic-gate * 526535Sda73024 * Encrypted output format - 536535Sda73024 * - Output format version number (1) - 4 bytes in network byte order. 546535Sda73024 * - Iterations used in key gen function, 4 bytes in network byte order. 556535Sda73024 * - IV ('ivlen' bytes). Length is algorithm-dependent (see mech_aliases) 560Sstevel@tonic-gate * - Salt data used in key gen (16 bytes) 576535Sda73024 * - Cipher text data (remainder of the file) 580Sstevel@tonic-gate */ 590Sstevel@tonic-gate 600Sstevel@tonic-gate #include <stdio.h> 610Sstevel@tonic-gate #include <stdlib.h> 620Sstevel@tonic-gate #include <unistd.h> 630Sstevel@tonic-gate #include <errno.h> 640Sstevel@tonic-gate #include <fcntl.h> 650Sstevel@tonic-gate #include <ctype.h> 660Sstevel@tonic-gate #include <strings.h> 670Sstevel@tonic-gate #include <libintl.h> 680Sstevel@tonic-gate #include <libgen.h> 690Sstevel@tonic-gate #include <locale.h> 700Sstevel@tonic-gate #include <limits.h> 710Sstevel@tonic-gate #include <sys/types.h> 720Sstevel@tonic-gate #include <sys/stat.h> 730Sstevel@tonic-gate #include <netinet/in.h> 740Sstevel@tonic-gate #include <security/cryptoki.h> 750Sstevel@tonic-gate #include <cryptoutil.h> 763812Shylee #include <kmfapi.h> 770Sstevel@tonic-gate 78*10017SBhargava.Yenduri@Sun.COM /* 79*10017SBhargava.Yenduri@Sun.COM * Buffer size for reading file. This is given a rather high value 80*10017SBhargava.Yenduri@Sun.COM * to get better performance when a hardware provider is present. 81*10017SBhargava.Yenduri@Sun.COM */ 82*10017SBhargava.Yenduri@Sun.COM #define BUFFERSIZE (1024 * 64) 830Sstevel@tonic-gate #define BLOCKSIZE (128) /* Largest guess for block size */ 84*10017SBhargava.Yenduri@Sun.COM #define PROGRESSSIZE (1024 * 40) /* stdin progress indicator size */ 850Sstevel@tonic-gate 860Sstevel@tonic-gate #define SUNW_ENCRYPT_FILE_VERSION 1 870Sstevel@tonic-gate 880Sstevel@tonic-gate /* 890Sstevel@tonic-gate * Exit Status codes 900Sstevel@tonic-gate */ 910Sstevel@tonic-gate #ifndef EXIT_SUCCESS 920Sstevel@tonic-gate #define EXIT_SUCCESS 0 /* No errors */ 930Sstevel@tonic-gate #define EXIT_FAILURE 1 /* All errors except usage */ 940Sstevel@tonic-gate #endif /* EXIT_SUCCESS */ 950Sstevel@tonic-gate 960Sstevel@tonic-gate #define EXIT_USAGE 2 /* usage/syntax error */ 970Sstevel@tonic-gate 980Sstevel@tonic-gate #define ENCRYPT_NAME "encrypt" /* name of encrypt command */ 993812Shylee #define ENCRYPT_OPTIONS "a:T:K:k:i:o:lv" /* options for encrypt */ 1000Sstevel@tonic-gate #define DECRYPT_NAME "decrypt" /* name of decrypt command */ 1013812Shylee #define DECRYPT_OPTIONS "a:T:K:k:i:o:lv" /* options for decrypt */ 1020Sstevel@tonic-gate 1030Sstevel@tonic-gate /* 1040Sstevel@tonic-gate * Structure containing info for encrypt/decrypt 1050Sstevel@tonic-gate * command 1060Sstevel@tonic-gate */ 1070Sstevel@tonic-gate struct CommandInfo { 1080Sstevel@tonic-gate char *name; /* name of the command */ 1090Sstevel@tonic-gate char *options; /* command line options */ 1100Sstevel@tonic-gate CK_FLAGS flags; 1110Sstevel@tonic-gate CK_ATTRIBUTE_TYPE type; /* type of command */ 1120Sstevel@tonic-gate 1130Sstevel@tonic-gate /* function pointers for various operations */ 1140Sstevel@tonic-gate CK_RV (*Init)(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE); 1150Sstevel@tonic-gate CK_RV (*Update)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, 1160Sstevel@tonic-gate CK_ULONG_PTR); 1170Sstevel@tonic-gate CK_RV (*Crypt)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR, 1180Sstevel@tonic-gate CK_ULONG_PTR); 1190Sstevel@tonic-gate CK_RV (*Final)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR); 1200Sstevel@tonic-gate }; 1210Sstevel@tonic-gate 1220Sstevel@tonic-gate static struct CommandInfo encrypt_cmd = { 1230Sstevel@tonic-gate ENCRYPT_NAME, 1240Sstevel@tonic-gate ENCRYPT_OPTIONS, 1250Sstevel@tonic-gate CKF_ENCRYPT, 1260Sstevel@tonic-gate CKA_ENCRYPT, 1270Sstevel@tonic-gate C_EncryptInit, 1280Sstevel@tonic-gate C_EncryptUpdate, 1290Sstevel@tonic-gate C_Encrypt, 1300Sstevel@tonic-gate C_EncryptFinal 1310Sstevel@tonic-gate }; 1320Sstevel@tonic-gate 1330Sstevel@tonic-gate static struct CommandInfo decrypt_cmd = { 1340Sstevel@tonic-gate DECRYPT_NAME, 1350Sstevel@tonic-gate DECRYPT_OPTIONS, 1360Sstevel@tonic-gate CKF_DECRYPT, 1370Sstevel@tonic-gate CKA_DECRYPT, 1380Sstevel@tonic-gate C_DecryptInit, 1390Sstevel@tonic-gate C_DecryptUpdate, 1400Sstevel@tonic-gate C_Decrypt, 1410Sstevel@tonic-gate C_DecryptFinal 1420Sstevel@tonic-gate }; 1430Sstevel@tonic-gate 1440Sstevel@tonic-gate struct mech_alias { 1450Sstevel@tonic-gate CK_MECHANISM_TYPE type; 1460Sstevel@tonic-gate char *alias; 1470Sstevel@tonic-gate CK_ULONG keysize_min; 1480Sstevel@tonic-gate CK_ULONG keysize_max; 1490Sstevel@tonic-gate int keysize_unit; 1500Sstevel@tonic-gate int ivlen; 1510Sstevel@tonic-gate boolean_t available; 1520Sstevel@tonic-gate }; 1530Sstevel@tonic-gate 1540Sstevel@tonic-gate #define MECH_ALIASES_COUNT 4 1550Sstevel@tonic-gate 1560Sstevel@tonic-gate static struct mech_alias mech_aliases[] = { 1570Sstevel@tonic-gate { CKM_AES_CBC_PAD, "aes", ULONG_MAX, 0L, 8, 16, B_FALSE }, 1580Sstevel@tonic-gate { CKM_RC4, "arcfour", ULONG_MAX, 0L, 1, 0, B_FALSE }, 1590Sstevel@tonic-gate { CKM_DES_CBC_PAD, "des", 8, 8, 8, 8, B_FALSE }, 1600Sstevel@tonic-gate { CKM_DES3_CBC_PAD, "3des", 24, 24, 8, 8, B_FALSE }, 1610Sstevel@tonic-gate }; 1620Sstevel@tonic-gate 1630Sstevel@tonic-gate static CK_BBOOL truevalue = TRUE; 1640Sstevel@tonic-gate static CK_BBOOL falsevalue = FALSE; 1650Sstevel@tonic-gate 1660Sstevel@tonic-gate static boolean_t aflag = B_FALSE; /* -a <algorithm> flag, required */ 1670Sstevel@tonic-gate static boolean_t kflag = B_FALSE; /* -k <keyfile> flag */ 1680Sstevel@tonic-gate static boolean_t iflag = B_FALSE; /* -i <infile> flag, use stdin if absent */ 1690Sstevel@tonic-gate static boolean_t oflag = B_FALSE; /* -o <outfile> flag, use stdout if absent */ 1700Sstevel@tonic-gate static boolean_t lflag = B_FALSE; /* -l flag (list) */ 1710Sstevel@tonic-gate static boolean_t vflag = B_FALSE; /* -v flag (verbose) */ 1726535Sda73024 static boolean_t Tflag = B_FALSE; /* -T flag (tokenspec) */ 1736535Sda73024 static boolean_t Kflag = B_FALSE; /* -K flag (keylabel) */ 1740Sstevel@tonic-gate 1756535Sda73024 static char *keyfile = NULL; /* name of keyfile */ 1766535Sda73024 static char *inputfile = NULL; /* name of input file */ 1776535Sda73024 static char *outputfile = NULL; /* name of output file */ 1786535Sda73024 static char *token_label = NULL; /* name of PKCS#11 token */ 1796535Sda73024 static char *key_label = NULL; /* name of PKCS#11 token key label */ 1800Sstevel@tonic-gate 1810Sstevel@tonic-gate static int status_pos = 0; /* current position of progress bar element */ 1820Sstevel@tonic-gate 1830Sstevel@tonic-gate /* 1840Sstevel@tonic-gate * function prototypes 1850Sstevel@tonic-gate */ 1860Sstevel@tonic-gate static void usage(struct CommandInfo *cmd); 1870Sstevel@tonic-gate static int execute_cmd(struct CommandInfo *cmd, char *algo_str); 1880Sstevel@tonic-gate static int crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession, 1891142Sjk115741 int infd, int outfd, off_t insize); 1900Sstevel@tonic-gate 1910Sstevel@tonic-gate int 1920Sstevel@tonic-gate main(int argc, char **argv) 1930Sstevel@tonic-gate { 1940Sstevel@tonic-gate 1950Sstevel@tonic-gate extern char *optarg; 1960Sstevel@tonic-gate extern int optind; 1970Sstevel@tonic-gate char *optstr; 1980Sstevel@tonic-gate char c; /* current getopts flag */ 1990Sstevel@tonic-gate char *algo_str = NULL; /* algorithm string */ 2000Sstevel@tonic-gate struct CommandInfo *cmd; 2010Sstevel@tonic-gate char *cmdname; /* name of command */ 2020Sstevel@tonic-gate boolean_t errflag = B_FALSE; 2030Sstevel@tonic-gate 2040Sstevel@tonic-gate (void) setlocale(LC_ALL, ""); 2056535Sda73024 #if !defined(TEXT_DOMAIN) /* Should be defined by cc -D */ 2060Sstevel@tonic-gate #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it weren't */ 2070Sstevel@tonic-gate #endif 2080Sstevel@tonic-gate (void) textdomain(TEXT_DOMAIN); 2090Sstevel@tonic-gate 2100Sstevel@tonic-gate /* 2110Sstevel@tonic-gate * Based on command name, determine 2120Sstevel@tonic-gate * type of command. 2130Sstevel@tonic-gate */ 2140Sstevel@tonic-gate cmdname = basename(argv[0]); 2150Sstevel@tonic-gate 2160Sstevel@tonic-gate cryptodebug_init(cmdname); 2170Sstevel@tonic-gate 2180Sstevel@tonic-gate if (strcmp(cmdname, encrypt_cmd.name) == 0) { 2190Sstevel@tonic-gate cmd = &encrypt_cmd; 2200Sstevel@tonic-gate } else if (strcmp(cmdname, decrypt_cmd.name) == 0) { 2210Sstevel@tonic-gate cmd = &decrypt_cmd; 2220Sstevel@tonic-gate } else { 2230Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 2240Sstevel@tonic-gate "command name must be either encrypt or decrypt")); 2250Sstevel@tonic-gate exit(EXIT_USAGE); 2260Sstevel@tonic-gate } 2270Sstevel@tonic-gate 2280Sstevel@tonic-gate optstr = cmd->options; 2290Sstevel@tonic-gate 2300Sstevel@tonic-gate /* Parse command line arguments */ 2310Sstevel@tonic-gate while (!errflag && (c = getopt(argc, argv, optstr)) != -1) { 2320Sstevel@tonic-gate 2330Sstevel@tonic-gate switch (c) { 2340Sstevel@tonic-gate case 'a': 2350Sstevel@tonic-gate aflag = B_TRUE; 2360Sstevel@tonic-gate algo_str = optarg; 2370Sstevel@tonic-gate break; 2380Sstevel@tonic-gate case 'k': 2390Sstevel@tonic-gate kflag = B_TRUE; 2400Sstevel@tonic-gate keyfile = optarg; 2410Sstevel@tonic-gate break; 2423812Shylee case 'T': 2433812Shylee Tflag = B_TRUE; 2443812Shylee token_label = optarg; 2453812Shylee break; 2463812Shylee case 'K': 2473812Shylee Kflag = B_TRUE; 2483812Shylee key_label = optarg; 2493812Shylee break; 2500Sstevel@tonic-gate case 'i': 2510Sstevel@tonic-gate iflag = B_TRUE; 2520Sstevel@tonic-gate inputfile = optarg; 2530Sstevel@tonic-gate break; 2540Sstevel@tonic-gate case 'o': 2550Sstevel@tonic-gate oflag = B_TRUE; 2560Sstevel@tonic-gate outputfile = optarg; 2570Sstevel@tonic-gate break; 2580Sstevel@tonic-gate case 'l': 2590Sstevel@tonic-gate lflag = B_TRUE; 2600Sstevel@tonic-gate break; 2610Sstevel@tonic-gate case 'v': 2620Sstevel@tonic-gate vflag = B_TRUE; 2630Sstevel@tonic-gate break; 2640Sstevel@tonic-gate default: 2650Sstevel@tonic-gate errflag = B_TRUE; 2660Sstevel@tonic-gate } 2670Sstevel@tonic-gate } 2680Sstevel@tonic-gate 2690Sstevel@tonic-gate if (errflag || (!aflag && !lflag) || (lflag && argc > 2) || 2703812Shylee (kflag && Kflag) || (Tflag && !Kflag) || 2710Sstevel@tonic-gate (optind < argc)) { 2720Sstevel@tonic-gate usage(cmd); 2730Sstevel@tonic-gate exit(EXIT_USAGE); 2740Sstevel@tonic-gate } 2750Sstevel@tonic-gate 2760Sstevel@tonic-gate return (execute_cmd(cmd, algo_str)); 2770Sstevel@tonic-gate } 2780Sstevel@tonic-gate 2790Sstevel@tonic-gate /* 2800Sstevel@tonic-gate * usage message 2810Sstevel@tonic-gate */ 2820Sstevel@tonic-gate static void 2830Sstevel@tonic-gate usage(struct CommandInfo *cmd) 2840Sstevel@tonic-gate { 2853812Shylee (void) fprintf(stderr, gettext("Usage:\n")); 2860Sstevel@tonic-gate if (cmd->type == CKA_ENCRYPT) { 2873812Shylee (void) fprintf(stderr, gettext(" encrypt -l\n")); 2883812Shylee (void) fprintf(stderr, gettext(" encrypt -a <algorithm> " 2893812Shylee "[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] " 2903812Shylee "[-i <infile>] [-o <outfile>]\n")); 2913812Shylee 2920Sstevel@tonic-gate } else { 2933812Shylee (void) fprintf(stderr, gettext(" decrypt -l\n")); 2943812Shylee (void) fprintf(stderr, gettext(" decrypt -a <algorithm> " 2953812Shylee "[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] " 2963812Shylee "[-i <infile>] [-o <outfile>]\n")); 2970Sstevel@tonic-gate } 2980Sstevel@tonic-gate } 2990Sstevel@tonic-gate 3000Sstevel@tonic-gate /* 3010Sstevel@tonic-gate * Print out list of algorithms in default and verbose mode 3020Sstevel@tonic-gate */ 3030Sstevel@tonic-gate static void 3040Sstevel@tonic-gate algorithm_list() 3050Sstevel@tonic-gate { 3060Sstevel@tonic-gate int mech; 3070Sstevel@tonic-gate 3080Sstevel@tonic-gate (void) printf(gettext("Algorithm Keysize: Min Max (bits)\n" 3090Sstevel@tonic-gate "------------------------------------------\n")); 3100Sstevel@tonic-gate 3110Sstevel@tonic-gate for (mech = 0; mech < MECH_ALIASES_COUNT; mech++) { 3120Sstevel@tonic-gate 3130Sstevel@tonic-gate if (mech_aliases[mech].available == B_FALSE) 3140Sstevel@tonic-gate continue; 3150Sstevel@tonic-gate 3160Sstevel@tonic-gate (void) printf("%-15s", mech_aliases[mech].alias); 3170Sstevel@tonic-gate 3180Sstevel@tonic-gate if (mech_aliases[mech].keysize_min != UINT_MAX && 3190Sstevel@tonic-gate mech_aliases[mech].keysize_max != 0) 3200Sstevel@tonic-gate (void) printf(" %5lu %5lu\n", 3210Sstevel@tonic-gate (mech_aliases[mech].keysize_min * 3225051Swyllys mech_aliases[mech].keysize_unit), 3230Sstevel@tonic-gate (mech_aliases[mech].keysize_max * 3245051Swyllys mech_aliases[mech].keysize_unit)); 3250Sstevel@tonic-gate else 3260Sstevel@tonic-gate (void) printf("\n"); 3270Sstevel@tonic-gate 3280Sstevel@tonic-gate } 3290Sstevel@tonic-gate } 3300Sstevel@tonic-gate 3313812Shylee /* 3323812Shylee * This function will login into the token with the provided password and 3333812Shylee * find the token key object with the specified keytype and keylabel. 3343812Shylee */ 3353812Shylee static int 3363812Shylee get_token_key(CK_SESSION_HANDLE hSession, CK_KEY_TYPE keytype, 3373812Shylee char *keylabel, CK_BYTE *password, int password_len, 3383812Shylee CK_OBJECT_HANDLE *keyobj) 3393812Shylee { 3403812Shylee CK_RV rv; 3413812Shylee CK_ATTRIBUTE pTmpl[10]; 3423812Shylee CK_OBJECT_CLASS class = CKO_SECRET_KEY; 3433812Shylee CK_BBOOL true = 1; 3443812Shylee CK_BBOOL is_token = 1; 3453812Shylee CK_ULONG key_obj_count = 1; 3463812Shylee int i; 3473812Shylee CK_KEY_TYPE ckKeyType = keytype; 3483812Shylee 3493812Shylee 3503812Shylee rv = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password, 3513812Shylee (CK_ULONG)password_len); 3523812Shylee if (rv != CKR_OK) { 3533812Shylee (void) fprintf(stderr, "Cannot login to the token." 3543812Shylee " error = %s\n", pkcs11_strerror(rv)); 3553812Shylee return (-1); 3563812Shylee } 3573812Shylee 3583812Shylee i = 0; 3593812Shylee pTmpl[i].type = CKA_TOKEN; 3603812Shylee pTmpl[i].pValue = &is_token; 3613812Shylee pTmpl[i].ulValueLen = sizeof (CK_BBOOL); 3623812Shylee i++; 3633812Shylee 3643812Shylee pTmpl[i].type = CKA_CLASS; 3653812Shylee pTmpl[i].pValue = &class; 3663812Shylee pTmpl[i].ulValueLen = sizeof (class); 3673812Shylee i++; 3683812Shylee 3693812Shylee pTmpl[i].type = CKA_LABEL; 3703812Shylee pTmpl[i].pValue = keylabel; 3713812Shylee pTmpl[i].ulValueLen = strlen(keylabel); 3723812Shylee i++; 3733812Shylee 3743812Shylee pTmpl[i].type = CKA_KEY_TYPE; 3753812Shylee pTmpl[i].pValue = &ckKeyType; 3763812Shylee pTmpl[i].ulValueLen = sizeof (ckKeyType); 3773812Shylee i++; 3783812Shylee 3793812Shylee pTmpl[i].type = CKA_PRIVATE; 3803812Shylee pTmpl[i].pValue = &true; 3813812Shylee pTmpl[i].ulValueLen = sizeof (true); 3823812Shylee i++; 3833812Shylee 3843812Shylee rv = C_FindObjectsInit(hSession, pTmpl, i); 3853812Shylee if (rv != CKR_OK) { 3863812Shylee goto out; 3873812Shylee } 3883812Shylee 3893812Shylee rv = C_FindObjects(hSession, keyobj, 1, &key_obj_count); 3903812Shylee 3913812Shylee (void) C_FindObjectsFinal(hSession); 3923812Shylee 3933812Shylee out: 3943812Shylee if (rv != CKR_OK) { 3953812Shylee (void) fprintf(stderr, 3963812Shylee "Cannot retrieve key object. error = %s\n", 3973812Shylee pkcs11_strerror(rv)); 3983812Shylee return (-1); 3993812Shylee } 4003812Shylee 4013812Shylee if (key_obj_count == 0) { 4023812Shylee (void) fprintf(stderr, "Cannot find the key object.\n"); 4033812Shylee return (-1); 4043812Shylee } 4053812Shylee 4063812Shylee return (0); 4073812Shylee } 4083812Shylee 4090Sstevel@tonic-gate 4100Sstevel@tonic-gate /* 4110Sstevel@tonic-gate * Execute the command. 4120Sstevel@tonic-gate * cmd - command pointing to type of operation. 4130Sstevel@tonic-gate * algo_str - alias of the algorithm passed. 4140Sstevel@tonic-gate */ 4150Sstevel@tonic-gate static int 4160Sstevel@tonic-gate execute_cmd(struct CommandInfo *cmd, char *algo_str) 4170Sstevel@tonic-gate { 4180Sstevel@tonic-gate CK_RV rv; 4190Sstevel@tonic-gate CK_ULONG slotcount; 4200Sstevel@tonic-gate CK_SLOT_ID slotID; 4210Sstevel@tonic-gate CK_SLOT_ID_PTR pSlotList = NULL; 4220Sstevel@tonic-gate CK_MECHANISM_TYPE mech_type = 0; 4230Sstevel@tonic-gate CK_MECHANISM_INFO info, kg_info; 4240Sstevel@tonic-gate CK_MECHANISM mech; 4250Sstevel@tonic-gate CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE; 4260Sstevel@tonic-gate CK_BYTE_PTR pkeydata = NULL; 4275252Sdinak CK_BYTE salt[CK_PKCS5_PBKD2_SALT_SIZE]; 4280Sstevel@tonic-gate CK_ULONG keysize = 0; 4290Sstevel@tonic-gate int i, slot, mek; /* index variables */ 4300Sstevel@tonic-gate int status; 4310Sstevel@tonic-gate struct stat insbuf; /* stat buf for infile */ 4320Sstevel@tonic-gate struct stat outsbuf; /* stat buf for outfile */ 4330Sstevel@tonic-gate char tmpnam[PATH_MAX]; /* tmp file name */ 4340Sstevel@tonic-gate CK_OBJECT_HANDLE key = (CK_OBJECT_HANDLE) 0; 4350Sstevel@tonic-gate int infd = 0; /* input file, stdin default */ 4360Sstevel@tonic-gate int outfd = 1; /* output file, stdout default */ 4370Sstevel@tonic-gate char *outfilename = NULL; 4380Sstevel@tonic-gate boolean_t errflag = B_TRUE; 4390Sstevel@tonic-gate boolean_t inoutsame = B_FALSE; /* if both input & output are same */ 4409650SValerie.Fenwick@Sun.COM boolean_t leavefilealone = B_FALSE; 4410Sstevel@tonic-gate CK_BYTE_PTR pivbuf = NULL_PTR; 4420Sstevel@tonic-gate CK_ULONG ivlen = 0L; 4436535Sda73024 int mech_match = 0; 4446535Sda73024 uint32_t iterations = CK_PKCS5_PBKD2_ITERATIONS; 4450Sstevel@tonic-gate CK_ULONG keylen; 4466535Sda73024 uint32_t version = SUNW_ENCRYPT_FILE_VERSION; 4470Sstevel@tonic-gate CK_KEY_TYPE keytype; 4483812Shylee KMF_RETURN kmfrv; 4493812Shylee CK_SLOT_ID token_slot_id; 4500Sstevel@tonic-gate 4510Sstevel@tonic-gate if (aflag) { 4520Sstevel@tonic-gate /* Determine if algorithm is valid */ 4530Sstevel@tonic-gate for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; 4545051Swyllys mech_match++) { 4550Sstevel@tonic-gate if (strcmp(algo_str, 4560Sstevel@tonic-gate mech_aliases[mech_match].alias) == 0) { 4570Sstevel@tonic-gate mech_type = mech_aliases[mech_match].type; 4580Sstevel@tonic-gate break; 4590Sstevel@tonic-gate } 4600Sstevel@tonic-gate } 4610Sstevel@tonic-gate 4620Sstevel@tonic-gate if (mech_match == MECH_ALIASES_COUNT) { 4630Sstevel@tonic-gate cryptoerror(LOG_STDERR, 4640Sstevel@tonic-gate gettext("unknown algorithm -- %s"), algo_str); 4650Sstevel@tonic-gate return (EXIT_FAILURE); 4660Sstevel@tonic-gate } 4670Sstevel@tonic-gate 4680Sstevel@tonic-gate /* 4693812Shylee * Process keyfile or get the token pin if -K is specified. 4700Sstevel@tonic-gate * 4710Sstevel@tonic-gate * If a keyfile is provided, get the key data from 4720Sstevel@tonic-gate * the file. Otherwise, prompt for a passphrase. The 4730Sstevel@tonic-gate * passphrase is used as the key data. 4740Sstevel@tonic-gate */ 4753812Shylee if (Kflag) { 4763812Shylee /* get the pin of the token */ 4773812Shylee if (token_label == NULL || !strlen(token_label)) { 4785252Sdinak token_label = pkcs11_default_token(); 4793812Shylee } 4803812Shylee 4815252Sdinak status = pkcs11_get_pass(token_label, 4825252Sdinak (char **)&pkeydata, (size_t *)&keysize, 0, B_FALSE); 4833812Shylee } else if (kflag) { 4843812Shylee /* get the key file */ 4855252Sdinak status = pkcs11_read_data(keyfile, (void **)&pkeydata, 4865252Sdinak (size_t *)&keysize); 4870Sstevel@tonic-gate } else { 4883812Shylee /* get the key from input */ 4895252Sdinak status = pkcs11_get_pass(NULL, (char **)&pkeydata, 4908407SDina.Nimeh@Sun.Com (size_t *)&keysize, 0, 4918407SDina.Nimeh@Sun.Com (cmd->type == CKA_ENCRYPT) ? B_TRUE : B_FALSE); 4920Sstevel@tonic-gate } 4930Sstevel@tonic-gate 4948309SAnthony.Scarpino@Sun.COM if (status != 0 || keysize == 0L) { 4953812Shylee cryptoerror(LOG_STDERR, 4968407SDina.Nimeh@Sun.Com kflag ? gettext("invalid key.") : 4978407SDina.Nimeh@Sun.Com gettext("invalid passphrase.")); 4980Sstevel@tonic-gate return (EXIT_FAILURE); 4990Sstevel@tonic-gate } 5000Sstevel@tonic-gate } 5010Sstevel@tonic-gate 5020Sstevel@tonic-gate bzero(salt, sizeof (salt)); 5030Sstevel@tonic-gate /* Initialize pkcs */ 5043812Shylee rv = C_Initialize(NULL); 5053812Shylee if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { 5060Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to initialize " 5070Sstevel@tonic-gate "PKCS #11 framework: %s"), pkcs11_strerror(rv)); 5080Sstevel@tonic-gate goto cleanup; 5090Sstevel@tonic-gate } 5100Sstevel@tonic-gate 5110Sstevel@tonic-gate /* Get slot count */ 5120Sstevel@tonic-gate rv = C_GetSlotList(0, NULL_PTR, &slotcount); 5130Sstevel@tonic-gate if (rv != CKR_OK || slotcount == 0) { 5140Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5150Sstevel@tonic-gate "failed to find any cryptographic provider," 5160Sstevel@tonic-gate "please check with your system administrator: %s"), 5170Sstevel@tonic-gate pkcs11_strerror(rv)); 5180Sstevel@tonic-gate goto cleanup; 5190Sstevel@tonic-gate } 5200Sstevel@tonic-gate 5210Sstevel@tonic-gate /* Found at least one slot, allocate memory for slot list */ 5220Sstevel@tonic-gate pSlotList = malloc(slotcount * sizeof (CK_SLOT_ID)); 5230Sstevel@tonic-gate if (pSlotList == NULL_PTR) { 5240Sstevel@tonic-gate int err = errno; 5250Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s"), strerror(err)); 5260Sstevel@tonic-gate goto cleanup; 5270Sstevel@tonic-gate } 5280Sstevel@tonic-gate 5290Sstevel@tonic-gate /* Get the list of slots */ 5300Sstevel@tonic-gate if ((rv = C_GetSlotList(0, pSlotList, &slotcount)) != CKR_OK) { 5310Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5320Sstevel@tonic-gate "failed to find any cryptographic provider," 5330Sstevel@tonic-gate "please check with your system administrator: %s"), 5340Sstevel@tonic-gate pkcs11_strerror(rv)); 5350Sstevel@tonic-gate goto cleanup; 5360Sstevel@tonic-gate } 5370Sstevel@tonic-gate 5380Sstevel@tonic-gate if (lflag) { 5390Sstevel@tonic-gate 5400Sstevel@tonic-gate /* Iterate through slots */ 5410Sstevel@tonic-gate for (slot = 0; slot < slotcount; slot++) { 5420Sstevel@tonic-gate 5430Sstevel@tonic-gate /* Iterate through each mechanism */ 5440Sstevel@tonic-gate for (mek = 0; mek < MECH_ALIASES_COUNT; mek++) { 5450Sstevel@tonic-gate rv = C_GetMechanismInfo(pSlotList[slot], 5460Sstevel@tonic-gate mech_aliases[mek].type, &info); 5470Sstevel@tonic-gate 5480Sstevel@tonic-gate if (rv != CKR_OK) 5490Sstevel@tonic-gate continue; 5500Sstevel@tonic-gate 5510Sstevel@tonic-gate /* 5520Sstevel@tonic-gate * Set to minimum/maximum key sizes assuming 5530Sstevel@tonic-gate * the values available are not 0. 5540Sstevel@tonic-gate */ 5550Sstevel@tonic-gate if (info.ulMinKeySize && (info.ulMinKeySize < 5560Sstevel@tonic-gate mech_aliases[mek].keysize_min)) 5570Sstevel@tonic-gate mech_aliases[mek].keysize_min = 5585051Swyllys info.ulMinKeySize; 5590Sstevel@tonic-gate 5600Sstevel@tonic-gate if (info.ulMaxKeySize && (info.ulMaxKeySize > 5610Sstevel@tonic-gate mech_aliases[mek].keysize_max)) 5620Sstevel@tonic-gate mech_aliases[mek].keysize_max = 5635051Swyllys info.ulMaxKeySize; 5640Sstevel@tonic-gate 5650Sstevel@tonic-gate mech_aliases[mek].available = B_TRUE; 5660Sstevel@tonic-gate } 5670Sstevel@tonic-gate 5680Sstevel@tonic-gate } 5690Sstevel@tonic-gate 5700Sstevel@tonic-gate algorithm_list(); 5710Sstevel@tonic-gate 5720Sstevel@tonic-gate errflag = B_FALSE; 5730Sstevel@tonic-gate goto cleanup; 5740Sstevel@tonic-gate } 5750Sstevel@tonic-gate 5763812Shylee 5773812Shylee /* 5783812Shylee * Find a slot with matching mechanism 5793812Shylee * 5803812Shylee * If -K is specified, we find the slot id for the token first, then 5813812Shylee * check if the slot supports the algorithm. 5823812Shylee */ 5833812Shylee i = 0; 5843812Shylee if (Kflag) { 5855051Swyllys kmfrv = kmf_pk11_token_lookup(NULL, token_label, 5865051Swyllys &token_slot_id); 5873812Shylee if (kmfrv != KMF_OK) { 5883812Shylee cryptoerror(LOG_STDERR, 5893812Shylee gettext("no matching PKCS#11 token")); 5903812Shylee errflag = B_TRUE; 5913812Shylee goto cleanup; 5923812Shylee } 5933812Shylee rv = C_GetMechanismInfo(token_slot_id, mech_type, &info); 5943812Shylee if (rv == CKR_OK && (info.flags & cmd->flags)) 5953812Shylee slotID = token_slot_id; 5963812Shylee else 5973812Shylee i = slotcount; 5983812Shylee } else { 5993812Shylee for (i = 0; i < slotcount; i++) { 6003812Shylee slotID = pSlotList[i]; 6013812Shylee rv = C_GetMechanismInfo(slotID, mech_type, &info); 6023812Shylee if (rv != CKR_OK) { 6033812Shylee continue; /* to the next slot */ 6043812Shylee } else { 6053812Shylee /* 6063812Shylee * If the slot support the crypto, also 6073812Shylee * make sure it supports the correct 6083812Shylee * key generation mech if needed. 6093812Shylee * 6103812Shylee * We need PKCS5 when RC4 is used or 6113812Shylee * when the key is entered on cmd line. 6123812Shylee */ 6133812Shylee if ((info.flags & cmd->flags) && 6143812Shylee (mech_type == CKM_RC4) || 6153812Shylee (keyfile == NULL)) { 6163812Shylee rv = C_GetMechanismInfo(slotID, 6173812Shylee CKM_PKCS5_PBKD2, &kg_info); 6183812Shylee if (rv == CKR_OK) 6193812Shylee break; 6203812Shylee } else if (info.flags & cmd->flags) { 6210Sstevel@tonic-gate break; 6223812Shylee } 6230Sstevel@tonic-gate } 6240Sstevel@tonic-gate } 6250Sstevel@tonic-gate } 6260Sstevel@tonic-gate 6270Sstevel@tonic-gate /* Show error if no matching mechanism found */ 6280Sstevel@tonic-gate if (i == slotcount) { 6290Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6300Sstevel@tonic-gate gettext("no cryptographic provider was " 6310Sstevel@tonic-gate "found for this algorithm -- %s"), algo_str); 6320Sstevel@tonic-gate goto cleanup; 6330Sstevel@tonic-gate } 6340Sstevel@tonic-gate 6350Sstevel@tonic-gate /* Open a session */ 6360Sstevel@tonic-gate rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, 6375051Swyllys NULL_PTR, NULL, &hSession); 6380Sstevel@tonic-gate 6390Sstevel@tonic-gate if (rv != CKR_OK) { 6400Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6410Sstevel@tonic-gate gettext("can not open PKCS #11 session: %s"), 6420Sstevel@tonic-gate pkcs11_strerror(rv)); 6430Sstevel@tonic-gate goto cleanup; 6440Sstevel@tonic-gate } 6450Sstevel@tonic-gate 6460Sstevel@tonic-gate /* 6470Sstevel@tonic-gate * Generate IV data for encrypt. 6480Sstevel@tonic-gate */ 6490Sstevel@tonic-gate ivlen = mech_aliases[mech_match].ivlen; 6500Sstevel@tonic-gate if ((pivbuf = malloc((size_t)ivlen)) == NULL) { 6510Sstevel@tonic-gate int err = errno; 6520Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s"), 6530Sstevel@tonic-gate strerror(err)); 6540Sstevel@tonic-gate goto cleanup; 6550Sstevel@tonic-gate } 6560Sstevel@tonic-gate 6570Sstevel@tonic-gate if (cmd->type == CKA_ENCRYPT) { 6589127SDina.Nimeh@Sun.COM if ((pkcs11_get_urandom((void *)pivbuf, 6590Sstevel@tonic-gate mech_aliases[mech_match].ivlen)) != 0) { 6600Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 6615051Swyllys "Unable to generate random " 6625051Swyllys "data for initialization vector.")); 6630Sstevel@tonic-gate goto cleanup; 6640Sstevel@tonic-gate } 6650Sstevel@tonic-gate } 6660Sstevel@tonic-gate 6670Sstevel@tonic-gate /* 6680Sstevel@tonic-gate * Create the key object 6690Sstevel@tonic-gate */ 6700Sstevel@tonic-gate rv = pkcs11_mech2keytype(mech_type, &keytype); 6710Sstevel@tonic-gate if (rv != CKR_OK) { 6720Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6735051Swyllys gettext("unable to find key type for algorithm.")); 6740Sstevel@tonic-gate goto cleanup; 6750Sstevel@tonic-gate } 6760Sstevel@tonic-gate 6770Sstevel@tonic-gate /* Open input file */ 6780Sstevel@tonic-gate if (iflag) { 6790Sstevel@tonic-gate if ((infd = open(inputfile, O_RDONLY | O_NONBLOCK)) == -1) { 6800Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 6815051Swyllys "can not open input file %s"), inputfile); 6820Sstevel@tonic-gate goto cleanup; 6830Sstevel@tonic-gate } 6840Sstevel@tonic-gate 6850Sstevel@tonic-gate /* Get info on input file */ 6860Sstevel@tonic-gate if (fstat(infd, &insbuf) == -1) { 6870Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 6885051Swyllys "can not stat input file %s"), inputfile); 6890Sstevel@tonic-gate goto cleanup; 6900Sstevel@tonic-gate } 6910Sstevel@tonic-gate } 6920Sstevel@tonic-gate 6930Sstevel@tonic-gate /* 6940Sstevel@tonic-gate * Prepare output file 6950Sstevel@tonic-gate * If the input & output file are same, 6960Sstevel@tonic-gate * the output is written to a temp 6970Sstevel@tonic-gate * file first, then renamed to the original file 6980Sstevel@tonic-gate * after the crypt operation 6990Sstevel@tonic-gate */ 7000Sstevel@tonic-gate inoutsame = B_FALSE; 7010Sstevel@tonic-gate if (oflag) { 7020Sstevel@tonic-gate outfilename = outputfile; 7030Sstevel@tonic-gate if ((stat(outputfile, &outsbuf) != -1) && 7045051Swyllys (insbuf.st_ino == outsbuf.st_ino)) { 7050Sstevel@tonic-gate char *dir; 7060Sstevel@tonic-gate 7070Sstevel@tonic-gate /* create temp file on same dir */ 7080Sstevel@tonic-gate dir = dirname(outputfile); 7090Sstevel@tonic-gate (void) snprintf(tmpnam, sizeof (tmpnam), 7105051Swyllys "%s/encrXXXXXX", dir); 7110Sstevel@tonic-gate outfilename = tmpnam; 7120Sstevel@tonic-gate if ((outfd = mkstemp(tmpnam)) == -1) { 7130Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7140Sstevel@tonic-gate "cannot create temp file")); 7150Sstevel@tonic-gate goto cleanup; 7160Sstevel@tonic-gate } 7170Sstevel@tonic-gate inoutsame = B_TRUE; 7180Sstevel@tonic-gate } else { 7190Sstevel@tonic-gate /* Create file for output */ 7200Sstevel@tonic-gate if ((outfd = open(outfilename, 7215051Swyllys O_CREAT|O_WRONLY|O_TRUNC, 0644)) == -1) { 7220Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7230Sstevel@tonic-gate "cannot open output file %s"), 7240Sstevel@tonic-gate outfilename); 7259650SValerie.Fenwick@Sun.COM /* Cannot open file, should leave it alone */ 7269650SValerie.Fenwick@Sun.COM leavefilealone = B_TRUE; 7270Sstevel@tonic-gate goto cleanup; 7280Sstevel@tonic-gate } 7290Sstevel@tonic-gate } 7300Sstevel@tonic-gate } 7310Sstevel@tonic-gate 7320Sstevel@tonic-gate /* 7330Sstevel@tonic-gate * Read the version number from the head of the file 7340Sstevel@tonic-gate * to know how to interpret the data that follows. 7350Sstevel@tonic-gate */ 7360Sstevel@tonic-gate if (cmd->type == CKA_DECRYPT) { 7370Sstevel@tonic-gate if (read(infd, &version, sizeof (version)) != 7385051Swyllys sizeof (version)) { 7390Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7400Sstevel@tonic-gate "failed to get format version from " 7410Sstevel@tonic-gate "input file.")); 7420Sstevel@tonic-gate goto cleanup; 7430Sstevel@tonic-gate } 7440Sstevel@tonic-gate /* convert to host byte order */ 7450Sstevel@tonic-gate version = ntohl(version); 7460Sstevel@tonic-gate 7470Sstevel@tonic-gate switch (version) { 7480Sstevel@tonic-gate case 1: 7490Sstevel@tonic-gate /* 7500Sstevel@tonic-gate * Version 1 output format: 7516535Sda73024 * - Output format version 1 (4 bytes) 7520Sstevel@tonic-gate * - Iterations used in key gen function (4 bytes) 7536535Sda73024 * - IV ('ivlen' bytes). The length algorithm-dependent 7540Sstevel@tonic-gate * - Salt data used in key gen (16 bytes) 7556535Sda73024 * - Cipher text data (remainder of the file) 7560Sstevel@tonic-gate * 7570Sstevel@tonic-gate * An encrypted file has IV as first block (0 or 7580Sstevel@tonic-gate * more bytes depending on mechanism) followed 7590Sstevel@tonic-gate * by cipher text. Get the IV from the encrypted 7600Sstevel@tonic-gate * file. 7610Sstevel@tonic-gate */ 7620Sstevel@tonic-gate /* 7630Sstevel@tonic-gate * Read iteration count and salt data. 7640Sstevel@tonic-gate */ 7650Sstevel@tonic-gate if (read(infd, &iterations, 7665051Swyllys sizeof (iterations)) != sizeof (iterations)) { 7670Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7685051Swyllys "failed to get iterations from " 7695051Swyllys "input file.")); 7700Sstevel@tonic-gate goto cleanup; 7710Sstevel@tonic-gate } 7720Sstevel@tonic-gate /* convert to host byte order */ 7730Sstevel@tonic-gate iterations = ntohl(iterations); 7740Sstevel@tonic-gate if (ivlen > 0 && 7750Sstevel@tonic-gate read(infd, pivbuf, ivlen) != ivlen) { 7760Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7770Sstevel@tonic-gate "failed to get initialization " 7780Sstevel@tonic-gate "vector from input file.")); 7790Sstevel@tonic-gate goto cleanup; 7800Sstevel@tonic-gate } 7810Sstevel@tonic-gate if (read(infd, salt, sizeof (salt)) 7825051Swyllys != sizeof (salt)) { 7830Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7845051Swyllys "failed to get salt data from " 7855051Swyllys "input file.")); 7860Sstevel@tonic-gate goto cleanup; 7870Sstevel@tonic-gate } 7880Sstevel@tonic-gate break; 7890Sstevel@tonic-gate default: 7900Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7915051Swyllys "Unrecognized format version read from " 7925051Swyllys "input file - expected %d, got %d."), 7935051Swyllys SUNW_ENCRYPT_FILE_VERSION, version); 7940Sstevel@tonic-gate goto cleanup; 7950Sstevel@tonic-gate break; 7960Sstevel@tonic-gate } 7970Sstevel@tonic-gate } 7983812Shylee 7990Sstevel@tonic-gate /* 8003812Shylee * If Kflag is set, let's find the token key now. 8013812Shylee * 8023812Shylee * If Kflag is not set and if encrypting, we need some random 8030Sstevel@tonic-gate * salt data to create the key. If decrypting, 8040Sstevel@tonic-gate * the salt should come from head of the file 8050Sstevel@tonic-gate * to be decrypted. 8060Sstevel@tonic-gate */ 8073812Shylee if (Kflag) { 8083812Shylee rv = get_token_key(hSession, keytype, key_label, pkeydata, 8093812Shylee keysize, &key); 8103812Shylee if (rv != CKR_OK) { 8113812Shylee cryptoerror(LOG_STDERR, gettext( 8123812Shylee "Can not find the token key")); 8133812Shylee goto cleanup; 8143812Shylee } else { 8153812Shylee goto do_crypto; 8163812Shylee } 8173812Shylee } else if (cmd->type == CKA_ENCRYPT) { 8189127SDina.Nimeh@Sun.COM rv = pkcs11_get_urandom((void *)salt, sizeof (salt)); 8190Sstevel@tonic-gate if (rv != 0) { 8200Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8210Sstevel@tonic-gate gettext("unable to generate random " 8225051Swyllys "data for key salt.")); 8230Sstevel@tonic-gate goto cleanup; 8240Sstevel@tonic-gate } 8250Sstevel@tonic-gate } 8260Sstevel@tonic-gate 8273812Shylee 8280Sstevel@tonic-gate /* 8290Sstevel@tonic-gate * If key input is read from a file, treat it as 8300Sstevel@tonic-gate * raw key data, unless it is to be used with RC4, 8310Sstevel@tonic-gate * in which case it must be used to generate a pkcs5 8320Sstevel@tonic-gate * key to address security concerns with RC4 keys. 8330Sstevel@tonic-gate */ 8340Sstevel@tonic-gate if (kflag && keyfile != NULL && keytype != CKK_RC4) { 8355252Sdinak /* XXX : why wasn't SUNW_C_KeyToObject used here? */ 8360Sstevel@tonic-gate CK_OBJECT_CLASS objclass = CKO_SECRET_KEY; 8370Sstevel@tonic-gate CK_ATTRIBUTE template[5]; 8380Sstevel@tonic-gate int nattr = 0; 8390Sstevel@tonic-gate 8400Sstevel@tonic-gate template[nattr].type = CKA_CLASS; 8410Sstevel@tonic-gate template[nattr].pValue = &objclass; 8420Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (objclass); 8430Sstevel@tonic-gate nattr++; 8440Sstevel@tonic-gate 8450Sstevel@tonic-gate template[nattr].type = CKA_KEY_TYPE; 8460Sstevel@tonic-gate template[nattr].pValue = &keytype; 8470Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (keytype); 8480Sstevel@tonic-gate nattr++; 8490Sstevel@tonic-gate 8500Sstevel@tonic-gate template[nattr].type = cmd->type; 8510Sstevel@tonic-gate template[nattr].pValue = &truevalue; 8520Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (truevalue); 8530Sstevel@tonic-gate nattr++; 8540Sstevel@tonic-gate 8550Sstevel@tonic-gate template[nattr].type = CKA_TOKEN; 8560Sstevel@tonic-gate template[nattr].pValue = &falsevalue; 8570Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (falsevalue); 8580Sstevel@tonic-gate nattr++; 8590Sstevel@tonic-gate 8600Sstevel@tonic-gate template[nattr].type = CKA_VALUE; 8610Sstevel@tonic-gate template[nattr].pValue = pkeydata; 8620Sstevel@tonic-gate template[nattr].ulValueLen = keysize; 8630Sstevel@tonic-gate nattr++; 8640Sstevel@tonic-gate 8655051Swyllys rv = C_CreateObject(hSession, template, nattr, &key); 8660Sstevel@tonic-gate } else { 8670Sstevel@tonic-gate /* 8680Sstevel@tonic-gate * If the encryption type has a fixed key length, 8690Sstevel@tonic-gate * then its not necessary to set the key length 8700Sstevel@tonic-gate * parameter when generating the key. 8710Sstevel@tonic-gate */ 8720Sstevel@tonic-gate if (keytype == CKK_DES || keytype == CKK_DES3) 8730Sstevel@tonic-gate keylen = 0; 8740Sstevel@tonic-gate else 8750Sstevel@tonic-gate keylen = 16; 8760Sstevel@tonic-gate 8770Sstevel@tonic-gate /* 8780Sstevel@tonic-gate * Generate a cryptographically secure key using 8790Sstevel@tonic-gate * the key read from the file given (-k keyfile) or 8800Sstevel@tonic-gate * the passphrase entered by the user. 8810Sstevel@tonic-gate */ 8825252Sdinak rv = pkcs11_PasswdToPBKD2Object(hSession, (char *)pkeydata, 8835252Sdinak (size_t)keysize, (void *)salt, sizeof (salt), iterations, 8845252Sdinak keytype, keylen, cmd->flags, &key); 8850Sstevel@tonic-gate } 8860Sstevel@tonic-gate 8870Sstevel@tonic-gate if (rv != CKR_OK) { 8880Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8890Sstevel@tonic-gate "failed to generate a key: %s"), 8900Sstevel@tonic-gate pkcs11_strerror(rv)); 8910Sstevel@tonic-gate goto cleanup; 8920Sstevel@tonic-gate } 8930Sstevel@tonic-gate 8943812Shylee 8953812Shylee do_crypto: 8960Sstevel@tonic-gate /* Setup up mechanism */ 8970Sstevel@tonic-gate mech.mechanism = mech_type; 8980Sstevel@tonic-gate mech.pParameter = (CK_VOID_PTR)pivbuf; 8990Sstevel@tonic-gate mech.ulParameterLen = ivlen; 9000Sstevel@tonic-gate 9010Sstevel@tonic-gate if ((rv = cmd->Init(hSession, &mech, key)) != CKR_OK) { 9020Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9030Sstevel@tonic-gate "failed to initialize crypto operation: %s"), 9040Sstevel@tonic-gate pkcs11_strerror(rv)); 9050Sstevel@tonic-gate goto cleanup; 9060Sstevel@tonic-gate } 9070Sstevel@tonic-gate 9080Sstevel@tonic-gate /* Write the version header encrypt command */ 9090Sstevel@tonic-gate if (cmd->type == CKA_ENCRYPT) { 9100Sstevel@tonic-gate /* convert to network order for storage */ 9116535Sda73024 uint32_t netversion = htonl(version); 9126535Sda73024 uint32_t netiter; 9130Sstevel@tonic-gate 9140Sstevel@tonic-gate if (write(outfd, &netversion, sizeof (netversion)) 9155051Swyllys != sizeof (netversion)) { 9160Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9175051Swyllys "failed to write version number " 9185051Swyllys "to output file.")); 9190Sstevel@tonic-gate goto cleanup; 9200Sstevel@tonic-gate } 9210Sstevel@tonic-gate /* 9220Sstevel@tonic-gate * Write the iteration and salt data, even if they 9230Sstevel@tonic-gate * were not used to generate a key. 9240Sstevel@tonic-gate */ 9250Sstevel@tonic-gate netiter = htonl(iterations); 9260Sstevel@tonic-gate if (write(outfd, &netiter, 9275051Swyllys sizeof (netiter)) != sizeof (netiter)) { 9280Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9290Sstevel@tonic-gate "failed to write iterations to output")); 9300Sstevel@tonic-gate goto cleanup; 9310Sstevel@tonic-gate } 9325051Swyllys if (ivlen > 0 && write(outfd, pivbuf, ivlen) != ivlen) { 9330Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9345051Swyllys "failed to write initialization vector " 9355051Swyllys "to output")); 9360Sstevel@tonic-gate goto cleanup; 9370Sstevel@tonic-gate } 9380Sstevel@tonic-gate if (write(outfd, salt, sizeof (salt)) != sizeof (salt)) { 9390Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9400Sstevel@tonic-gate "failed to write salt data to output")); 9410Sstevel@tonic-gate goto cleanup; 9420Sstevel@tonic-gate } 9430Sstevel@tonic-gate } 9440Sstevel@tonic-gate 9451142Sjk115741 if (crypt_multipart(cmd, hSession, infd, outfd, insbuf.st_size) == -1) { 9460Sstevel@tonic-gate goto cleanup; 9470Sstevel@tonic-gate } 9480Sstevel@tonic-gate 9490Sstevel@tonic-gate errflag = B_FALSE; 9500Sstevel@tonic-gate 9510Sstevel@tonic-gate /* 9520Sstevel@tonic-gate * Clean up 9530Sstevel@tonic-gate */ 9540Sstevel@tonic-gate cleanup: 9550Sstevel@tonic-gate /* Clear the key data, so others cannot snoop */ 9560Sstevel@tonic-gate if (pkeydata != NULL) { 9570Sstevel@tonic-gate bzero(pkeydata, keysize); 9580Sstevel@tonic-gate free(pkeydata); 9590Sstevel@tonic-gate pkeydata = NULL; 9600Sstevel@tonic-gate } 9610Sstevel@tonic-gate 9620Sstevel@tonic-gate /* Destroy key object */ 9633812Shylee if (Kflag != B_FALSE && key != (CK_OBJECT_HANDLE) 0) { 9640Sstevel@tonic-gate (void) C_DestroyObject(hSession, key); 9650Sstevel@tonic-gate } 9660Sstevel@tonic-gate 9670Sstevel@tonic-gate /* free allocated memory */ 9680Sstevel@tonic-gate if (pSlotList != NULL) 9690Sstevel@tonic-gate free(pSlotList); 9700Sstevel@tonic-gate if (pivbuf != NULL) 9710Sstevel@tonic-gate free(pivbuf); 9720Sstevel@tonic-gate 9730Sstevel@tonic-gate /* close all the files */ 9741142Sjk115741 if (iflag && (infd != -1)) 9750Sstevel@tonic-gate (void) close(infd); 9761142Sjk115741 if (oflag && (outfd != -1)) 9770Sstevel@tonic-gate (void) close(outfd); 9780Sstevel@tonic-gate 9790Sstevel@tonic-gate /* rename tmp output to input file */ 9800Sstevel@tonic-gate if (inoutsame) { 9810Sstevel@tonic-gate if (rename(outfilename, inputfile) == -1) { 9820Sstevel@tonic-gate (void) unlink(outfilename); 9830Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("rename failed.")); 9840Sstevel@tonic-gate } 9850Sstevel@tonic-gate } 9860Sstevel@tonic-gate 9879650SValerie.Fenwick@Sun.COM /* If error occurred and the file was new, remove the output file */ 9889650SValerie.Fenwick@Sun.COM if (errflag && (outfilename != NULL) && !leavefilealone) { 9890Sstevel@tonic-gate (void) unlink(outfilename); 9900Sstevel@tonic-gate } 9910Sstevel@tonic-gate 9920Sstevel@tonic-gate /* close pkcs11 session */ 9930Sstevel@tonic-gate if (hSession != CK_INVALID_HANDLE) 9940Sstevel@tonic-gate (void) C_CloseSession(hSession); 9950Sstevel@tonic-gate 9960Sstevel@tonic-gate (void) C_Finalize(NULL); 9970Sstevel@tonic-gate 9980Sstevel@tonic-gate return (errflag); 9990Sstevel@tonic-gate } 10000Sstevel@tonic-gate 10010Sstevel@tonic-gate /* 10020Sstevel@tonic-gate * Function for printing progress bar when the verbose flag 10030Sstevel@tonic-gate * is set. 10040Sstevel@tonic-gate * 10050Sstevel@tonic-gate * The vertical bar is printed at 25, 50, and 75% complete. 10060Sstevel@tonic-gate * 10070Sstevel@tonic-gate * The function is passed the number of positions on the screen it needs to 10080Sstevel@tonic-gate * advance and loops. 10090Sstevel@tonic-gate */ 10100Sstevel@tonic-gate 10110Sstevel@tonic-gate static void 10120Sstevel@tonic-gate print_status(int pos_to_advance) 10130Sstevel@tonic-gate { 10140Sstevel@tonic-gate 10150Sstevel@tonic-gate while (pos_to_advance > 0) { 10160Sstevel@tonic-gate switch (status_pos) { 10170Sstevel@tonic-gate case 0: 10180Sstevel@tonic-gate (void) fprintf(stderr, gettext("[")); 10190Sstevel@tonic-gate break; 10200Sstevel@tonic-gate case 19: 10210Sstevel@tonic-gate case 39: 10220Sstevel@tonic-gate case 59: 10230Sstevel@tonic-gate (void) fprintf(stderr, gettext("|")); 10240Sstevel@tonic-gate break; 10250Sstevel@tonic-gate default: 10260Sstevel@tonic-gate (void) fprintf(stderr, gettext(".")); 10270Sstevel@tonic-gate } 10280Sstevel@tonic-gate pos_to_advance--; 10290Sstevel@tonic-gate status_pos++; 10300Sstevel@tonic-gate } 10310Sstevel@tonic-gate } 10320Sstevel@tonic-gate 10330Sstevel@tonic-gate /* 10340Sstevel@tonic-gate * Encrypt/Decrypt in multi part. 10350Sstevel@tonic-gate * 10360Sstevel@tonic-gate * This function reads the input file (infd) and writes the 10370Sstevel@tonic-gate * encrypted/decrypted output to file (outfd). 10380Sstevel@tonic-gate * 10390Sstevel@tonic-gate * cmd - pointing to commandinfo 10400Sstevel@tonic-gate * hSession - pkcs session 10410Sstevel@tonic-gate * infd - input file descriptor 10420Sstevel@tonic-gate * outfd - output file descriptor 10430Sstevel@tonic-gate * 10440Sstevel@tonic-gate */ 10450Sstevel@tonic-gate 10460Sstevel@tonic-gate static int 10470Sstevel@tonic-gate crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession, 10481142Sjk115741 int infd, int outfd, off_t insize) 10490Sstevel@tonic-gate { 10500Sstevel@tonic-gate CK_RV rv; 10510Sstevel@tonic-gate CK_ULONG resultlen; 10520Sstevel@tonic-gate CK_ULONG resultbuflen; 10530Sstevel@tonic-gate CK_BYTE_PTR resultbuf; 10540Sstevel@tonic-gate CK_ULONG datalen; 10550Sstevel@tonic-gate CK_BYTE databuf[BUFFERSIZE]; 10560Sstevel@tonic-gate CK_BYTE outbuf[BUFFERSIZE+BLOCKSIZE]; 10570Sstevel@tonic-gate CK_ULONG status_index = 0; /* current total file size read */ 10580Sstevel@tonic-gate float status_last = 0.0; /* file size of last element used */ 10590Sstevel@tonic-gate float status_incr = 0.0; /* file size element increments */ 10600Sstevel@tonic-gate int pos; /* # of progress bar elements to be print */ 10610Sstevel@tonic-gate ssize_t nread; 10620Sstevel@tonic-gate boolean_t errflag = B_FALSE; 10630Sstevel@tonic-gate 10640Sstevel@tonic-gate datalen = sizeof (databuf); 10650Sstevel@tonic-gate resultbuflen = sizeof (outbuf); 10660Sstevel@tonic-gate resultbuf = outbuf; 10670Sstevel@tonic-gate 10680Sstevel@tonic-gate /* Divide into 79 increments for progress bar element spacing */ 10690Sstevel@tonic-gate if (vflag && iflag) 10701142Sjk115741 status_incr = (insize / 79.0); 10710Sstevel@tonic-gate 10720Sstevel@tonic-gate while ((nread = read(infd, databuf, datalen)) > 0) { 10730Sstevel@tonic-gate 10740Sstevel@tonic-gate /* Start with the initial buffer */ 10750Sstevel@tonic-gate resultlen = resultbuflen; 10760Sstevel@tonic-gate rv = cmd->Update(hSession, databuf, (CK_ULONG)nread, 10775051Swyllys resultbuf, &resultlen); 10780Sstevel@tonic-gate 10790Sstevel@tonic-gate /* Need a bigger buffer? */ 10800Sstevel@tonic-gate if (rv == CKR_BUFFER_TOO_SMALL) { 10810Sstevel@tonic-gate 10820Sstevel@tonic-gate /* free the old buffer */ 10830Sstevel@tonic-gate if (resultbuf != NULL && resultbuf != outbuf) { 10840Sstevel@tonic-gate bzero(resultbuf, resultbuflen); 10850Sstevel@tonic-gate free(resultbuf); 10860Sstevel@tonic-gate } 10870Sstevel@tonic-gate 10880Sstevel@tonic-gate /* allocate a new big buffer */ 10890Sstevel@tonic-gate if ((resultbuf = malloc((size_t)resultlen)) == NULL) { 10900Sstevel@tonic-gate int err = errno; 10910Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s"), 10920Sstevel@tonic-gate strerror(err)); 10930Sstevel@tonic-gate return (-1); 10940Sstevel@tonic-gate } 10950Sstevel@tonic-gate resultbuflen = resultlen; 10960Sstevel@tonic-gate 10970Sstevel@tonic-gate /* Try again with bigger buffer */ 10980Sstevel@tonic-gate rv = cmd->Update(hSession, databuf, (CK_ULONG)nread, 10995051Swyllys resultbuf, &resultlen); 11000Sstevel@tonic-gate } 11010Sstevel@tonic-gate 11020Sstevel@tonic-gate if (rv != CKR_OK) { 11030Sstevel@tonic-gate errflag = B_TRUE; 11040Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 11050Sstevel@tonic-gate "crypto operation failed: %s"), 11060Sstevel@tonic-gate pkcs11_strerror(rv)); 11070Sstevel@tonic-gate break; 11080Sstevel@tonic-gate } 11090Sstevel@tonic-gate 11100Sstevel@tonic-gate /* write the output */ 11110Sstevel@tonic-gate if (write(outfd, resultbuf, resultlen) != resultlen) { 11120Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 11130Sstevel@tonic-gate "failed to write result to output file.")); 11140Sstevel@tonic-gate errflag = B_TRUE; 11150Sstevel@tonic-gate break; 11160Sstevel@tonic-gate } 11170Sstevel@tonic-gate 11180Sstevel@tonic-gate if (vflag) { 11190Sstevel@tonic-gate status_index += resultlen; 11200Sstevel@tonic-gate 11210Sstevel@tonic-gate /* 11220Sstevel@tonic-gate * If input is from stdin, do a our own progress bar 11230Sstevel@tonic-gate * by printing periods at a pre-defined increment 11240Sstevel@tonic-gate * until the file is done. 11250Sstevel@tonic-gate */ 11260Sstevel@tonic-gate if (!iflag) { 11270Sstevel@tonic-gate 11280Sstevel@tonic-gate /* 11290Sstevel@tonic-gate * Print at least 1 element in case the file 11300Sstevel@tonic-gate * is small, it looks better than nothing. 11310Sstevel@tonic-gate */ 11320Sstevel@tonic-gate if (status_pos == 0) { 11330Sstevel@tonic-gate (void) fprintf(stderr, gettext(".")); 11340Sstevel@tonic-gate status_pos = 1; 11350Sstevel@tonic-gate } 11360Sstevel@tonic-gate 1137*10017SBhargava.Yenduri@Sun.COM while ((status_index - status_last) > 11380Sstevel@tonic-gate (PROGRESSSIZE)) { 11390Sstevel@tonic-gate (void) fprintf(stderr, gettext(".")); 1140*10017SBhargava.Yenduri@Sun.COM status_last += PROGRESSSIZE; 11410Sstevel@tonic-gate } 11420Sstevel@tonic-gate continue; 11430Sstevel@tonic-gate } 11440Sstevel@tonic-gate 11450Sstevel@tonic-gate /* Calculate the number of elements need to be print */ 11461142Sjk115741 if (insize <= BUFFERSIZE) 11470Sstevel@tonic-gate pos = 78; 11480Sstevel@tonic-gate else 11490Sstevel@tonic-gate pos = (int)((status_index - status_last) / 11500Sstevel@tonic-gate status_incr); 11510Sstevel@tonic-gate 11520Sstevel@tonic-gate /* Add progress bar elements, if needed */ 11530Sstevel@tonic-gate if (pos > 0) { 11540Sstevel@tonic-gate print_status(pos); 11550Sstevel@tonic-gate status_last += (status_incr * pos); 11560Sstevel@tonic-gate } 11570Sstevel@tonic-gate } 11580Sstevel@tonic-gate } 11590Sstevel@tonic-gate 11600Sstevel@tonic-gate /* Print verbose completion */ 11610Sstevel@tonic-gate if (vflag) { 11620Sstevel@tonic-gate if (iflag) 11630Sstevel@tonic-gate (void) fprintf(stderr, "]"); 11640Sstevel@tonic-gate 11650Sstevel@tonic-gate (void) fprintf(stderr, "\n%s\n", gettext("Done.")); 11660Sstevel@tonic-gate } 11670Sstevel@tonic-gate 11680Sstevel@tonic-gate /* Error in reading */ 11690Sstevel@tonic-gate if (nread == -1) { 11700Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 11710Sstevel@tonic-gate "error reading from input file")); 11720Sstevel@tonic-gate errflag = B_TRUE; 11730Sstevel@tonic-gate } 11740Sstevel@tonic-gate 11750Sstevel@tonic-gate if (!errflag) { 11760Sstevel@tonic-gate 11770Sstevel@tonic-gate /* Do the final part */ 11780Sstevel@tonic-gate 11790Sstevel@tonic-gate rv = cmd->Final(hSession, resultbuf, &resultlen); 11800Sstevel@tonic-gate 11810Sstevel@tonic-gate if (rv == CKR_OK) { 11820Sstevel@tonic-gate /* write the output */ 11830Sstevel@tonic-gate if (write(outfd, resultbuf, resultlen) != resultlen) { 11840Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 11850Sstevel@tonic-gate "failed to write result to output file.")); 11860Sstevel@tonic-gate errflag = B_TRUE; 11870Sstevel@tonic-gate } 11880Sstevel@tonic-gate } else { 11890Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 11900Sstevel@tonic-gate "crypto operation failed: %s"), 11910Sstevel@tonic-gate pkcs11_strerror(rv)); 11920Sstevel@tonic-gate errflag = B_TRUE; 11930Sstevel@tonic-gate } 11940Sstevel@tonic-gate 11950Sstevel@tonic-gate } 11960Sstevel@tonic-gate 11970Sstevel@tonic-gate if (resultbuf != NULL && resultbuf != outbuf) { 11980Sstevel@tonic-gate bzero(resultbuf, resultbuflen); 11990Sstevel@tonic-gate free(resultbuf); 12000Sstevel@tonic-gate } 12010Sstevel@tonic-gate 12020Sstevel@tonic-gate if (errflag) { 12030Sstevel@tonic-gate return (-1); 12040Sstevel@tonic-gate } else { 12050Sstevel@tonic-gate return (0); 12060Sstevel@tonic-gate } 12070Sstevel@tonic-gate } 1208