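/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/* Portions Copyright 2005 Richard Lowe */
/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

/*
 * decrypt.c
 *
 * Implements encrypt(1) and decrypt(1) commands
 *
 * One binary performs both encrypt/decrypt operation.
 *
 * usage:
 *
 *  algorithm - mechanism name without CKM_ prefix. Case
 *              does not matter
 *  keyfile   - file containing key data. If not specified user is
 *              prompted to enter key. key length > 0 is required
 *  infile    - input file to encrypt/decrypt. If omitted, stdin used.
 *  outfile   - output file to encrypt/decrypt. If omitted, stdout used.
 *              if infile & outfile are same, a temp file is used for
 *              output and infile is replaced with this file after
 *              operation is complete.
 *
 * Implementation notes:
 *  iv data - It is generated by random bytes equal to one block size.
 *
 *  encrypted output format -
 *   - Output format version number - 4 bytes in network byte order.
 *   - Iterations used in key gen function, 4 bytes in network byte order.
 *   - IV ( 'ivlen' bytes)
 *   - Salt data used in key gen (16 bytes)
 *   - cipher text data.
 *
 * NOTE(review): the format listed above carries no integrity tag, so a
 * modified ciphertext is not detected by the format itself.
 *
 * NOTE(review): "Case does not matter" disagrees with the alias lookup in
 * execute_cmd(), which compares with strcmp() (case-sensitive).
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <ctype.h>
#include <strings.h>
#include <libintl.h>
#include <libgen.h>
#include <locale.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <security/cryptoki.h>
#include <cryptoutil.h>
#include <kmfapi.h>

#define	BUFFERSIZE	(2048)		/* Buffer size for reading file */
#define	BLOCKSIZE	(128)		/* Largest guess for block size */
#define	PROGRESSSIZE	(BUFFERSIZE*20)	/* stdin progress indicator size */

/*
 * PBKDF2 parameters used when the key is derived from a passphrase.
 * NOTE(review): 1000 iterations is low by current guidance. The header
 * comment says the count is written to the output file; confirm how the
 * decrypt path consumes it before changing this default.
 */
#define	PBKD2_ITERATIONS (1000)
#define	PBKD2_SALT_SIZE 16

#define	SUNW_ENCRYPT_FILE_VERSION 1

/*
 * Exit Status codes
 */
#ifndef	EXIT_SUCCESS
#define	EXIT_SUCCESS	0	/* No errors */
#define	EXIT_FAILURE	1	/* All errors except usage */
#endif /* EXIT_SUCCESS */

#define	EXIT_USAGE	2	/* usage/syntax error */

#define	RANDOM_DEVICE	"/dev/urandom"	/* random device name */

#define	ENCRYPT_NAME	"encrypt"	/* name of encrypt command */
#define	ENCRYPT_OPTIONS	"a:T:K:k:i:o:lv"	/* options for encrypt */
#define	DECRYPT_NAME	"decrypt"	/* name of decrypt command */
#define	DECRYPT_OPTIONS	"a:T:K:k:i:o:lv"	/* options for decrypt */
#define	DEFAULT_TOKEN_PROMPT	"Enter PIN for %s: "
#define	PK_DEFAULT_PK11TOKEN	SOFT_TOKEN_LABEL

/*
 * Structure containing info for encrypt/decrypt
 * command
 */
struct CommandInfo {
	char		*name;		/* name of the command */
	char		*options;	/* command line options */
	CK_FLAGS	flags;		/* matched against mechanism info flags */
	CK_ATTRIBUTE_TYPE type;		/* type of command */

	/* function pointers for various operations */
	CK_RV	(*Init)(CK_SESSION_HANDLE, CK_MECHANISM_PTR, CK_OBJECT_HANDLE);
	CK_RV	(*Update)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
		CK_ULONG_PTR);
	CK_RV	(*Crypt)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG, CK_BYTE_PTR,
		CK_ULONG_PTR);
	CK_RV	(*Final)(CK_SESSION_HANDLE, CK_BYTE_PTR, CK_ULONG_PTR);
};

static struct CommandInfo encrypt_cmd = {
	ENCRYPT_NAME,
	ENCRYPT_OPTIONS,
	CKF_ENCRYPT,
	CKA_ENCRYPT,
	C_EncryptInit,
	C_EncryptUpdate,
	C_Encrypt,
	C_EncryptFinal
};

static struct CommandInfo decrypt_cmd = {
	DECRYPT_NAME,
	DECRYPT_OPTIONS,
	CKF_DECRYPT,
	CKA_DECRYPT,
	C_DecryptInit,
	C_DecryptUpdate,
	C_Decrypt,
	C_DecryptFinal
};

/*
 * One entry per algorithm alias accepted by -a.
 * keysize_min/keysize_max start at the sentinels ULONG_MAX/0 and are
 * narrowed/widened from provider data in list mode; algorithm_list()
 * multiplies them by keysize_unit before printing them under a "(bits)"
 * heading.
 */
struct mech_alias {
	CK_MECHANISM_TYPE type;
	char *alias;
	CK_ULONG keysize_min;
	CK_ULONG keysize_max;
	int keysize_unit;
	int ivlen;
	boolean_t available;
};

#define	MECH_ALIASES_COUNT 4

/*
 * NOTE(review): "des" and "arcfour" are legacy algorithms; whether they
 * must stay for reading existing files is not visible here -- confirm
 * before removing or restricting them.
 */
static struct mech_alias mech_aliases[] = {
	{ CKM_AES_CBC_PAD, "aes", ULONG_MAX, 0L, 8, 16, B_FALSE },
	{ CKM_RC4, "arcfour", ULONG_MAX, 0L, 1, 0, B_FALSE },
	{ CKM_DES_CBC_PAD, "des", 8, 8, 8, 8, B_FALSE },
	{ CKM_DES3_CBC_PAD, "3des", 24, 24, 8, 8, B_FALSE },
};

static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;

static boolean_t aflag = B_FALSE; /* -a <algorithm> flag, required */
static boolean_t kflag = B_FALSE; /* -k <keyfile> flag */
static boolean_t iflag = B_FALSE; /* -i <infile> flag, use stdin if absent */
static boolean_t oflag = B_FALSE; /* -o <outfile> flag, use stdout if absent */
static boolean_t lflag = B_FALSE; /* -l flag (list) */
static boolean_t vflag = B_FALSE; /* -v flag (verbose) */
static boolean_t Tflag = B_FALSE; /* -T <tokenspec> flag, needs -K */
static boolean_t Kflag = B_FALSE; /* -K <keylabel> flag, excludes -k */

static char *keyfile = NULL;	/* name of keyfile */
static char *inputfile = NULL;	/* name of input file */
static char *outputfile = NULL;	/* name of output file */
static char *token_label = NULL;	/* argument of -T */
static char *key_label = NULL;	/* argument of -K */

static int status_pos = 0; /* current position of progress bar element */

/*
 * function prototypes
 */
static void usage(struct CommandInfo *cmd);
static int execute_cmd(struct CommandInfo *cmd, char *algo_str);
static int cryptogetdata(char *, CK_BYTE_PTR *pkeydata, CK_ULONG_PTR pkeysize);
static int cryptoreadfile(char *filename, CK_BYTE_PTR *pdata,
	CK_ULONG_PTR pdatalen);
static int get_random_data(CK_BYTE_PTR pivbuf, int ivlen);
static int crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession,
	int infd, int outfd, off_t insize);

/*
 * Entry point.  Selects encrypt or decrypt from the basename of argv[0],
 * parses the options into the file-scope flags, rejects inconsistent
 * combinations with EXIT_USAGE, and hands over to execute_cmd().
 */
int
main(int argc, char **argv)
{

	extern char *optarg;
	extern int optind;
	char *optstr;
	/*
	 * getopt() returns int.  Holding it in a plain char breaks the
	 * comparison with -1 where char is unsigned, so the loop would
	 * never see the end of the options.
	 */
	int c;			/* current getopts flag */
	char *algo_str = NULL;	/* algorithm string */
	struct CommandInfo *cmd;
	char *cmdname;		/* name of command */
	boolean_t errflag = B_FALSE;

	(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
#define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
#endif
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * Based on command name, determine
	 * type of command.
	 */
	cmdname = basename(argv[0]);

	cryptodebug_init(cmdname);

	if (strcmp(cmdname, encrypt_cmd.name) == 0) {
		cmd = &encrypt_cmd;
	} else if (strcmp(cmdname, decrypt_cmd.name) == 0) {
		cmd = &decrypt_cmd;
	} else {
		cryptoerror(LOG_STDERR, gettext(
		    "command name must be either encrypt or decrypt"));
		exit(EXIT_USAGE);
	}

	optstr = cmd->options;

	/* Parse command line arguments */
	while (!errflag && (c = getopt(argc, argv, optstr)) != -1) {

		switch (c) {
		case 'a':
			aflag = B_TRUE;
			algo_str = optarg;
			break;
		case 'k':
			kflag = B_TRUE;
			keyfile = optarg;
			break;
		case 'T':
			Tflag = B_TRUE;
			token_label = optarg;
			break;
		case 'K':
			Kflag = B_TRUE;
			key_label = optarg;
			break;
		case 'i':
			iflag = B_TRUE;
			inputfile = optarg;
			break;
		case 'o':
			oflag = B_TRUE;
			outputfile = optarg;
			break;
		case 'l':
			lflag = B_TRUE;
			break;
		case 'v':
			vflag = B_TRUE;
			break;
		default:
			errflag = B_TRUE;
			break;
		}
	}

	/*
	 * Reject: a parse error; neither -a nor -l; -l combined with
	 * anything else; both -k and -K; -T without -K; stray operands.
	 */
	if (errflag || (!aflag && !lflag) || (lflag && argc > 2) ||
	    (kflag && Kflag) || (Tflag && !Kflag) ||
	    (optind < argc)) {
		usage(cmd);
		exit(EXIT_USAGE);
	}

	return (execute_cmd(cmd, algo_str));
}

/*
 * usage message
 *
 * Written to stderr; the wording depends on cmd->type.  The translated
 * text is emitted with fputs() so that it is never interpreted as a
 * format string.
 */
static void
usage(struct CommandInfo *cmd)
{
	(void) fputs(gettext("Usage:\n"), stderr);
	if (cmd->type == CKA_ENCRYPT) {
		(void) fputs(gettext(" encrypt -l\n"), stderr);
		(void) fputs(gettext(" encrypt -a <algorithm> "
		    "[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
		    "[-i <infile>] [-o <outfile>]\n"), stderr);

	} else {
		(void) fputs(gettext(" decrypt -l\n"), stderr);
		(void) fputs(gettext(" decrypt -a <algorithm> "
		    "[-v] [-k <keyfile> | -K <keylabel> [-T <tokenspec>]] "
		    "[-i <infile>] [-o <outfile>]\n"), stderr);
	}
}

/*
 * Print out list of algorithms in default and verbose mode
 *
 * Only entries of mech_aliases[] marked available are printed.  Key sizes
 * are shown only when both bounds have moved off their initial sentinels.
 */
static void
algorithm_list(void)
{
	int mech;

	(void) fputs(gettext("Algorithm Keysize: Min Max (bits)\n"
	    "------------------------------------------\n"), stdout);

	for (mech = 0; mech < MECH_ALIASES_COUNT; mech++) {

		if (mech_aliases[mech].available == B_FALSE)
			continue;

		(void) printf("%-15s", mech_aliases[mech].alias);

		/*
		 * The table initializes keysize_min to ULONG_MAX, so that is
		 * the sentinel to test.  Comparing against UINT_MAX misses
		 * the unset case wherever unsigned long is wider than
		 * unsigned int.
		 */
		if (mech_aliases[mech].keysize_min != ULONG_MAX &&
		    mech_aliases[mech].keysize_max != 0)
			(void) printf(" %5lu %5lu\n",
			    (mech_aliases[mech].keysize_min *
			    mech_aliases[mech].keysize_unit),
			    (mech_aliases[mech].keysize_max *
			    mech_aliases[mech].keysize_unit));
		else
			(void) printf("\n");

	}
}

/*
 * Derive a secret key object from a passphrase with CKM_PKCS5_PBKD2
 * (salt supplied by the caller, PRF CKP_PKCS5_PBKD2_HMAC_SHA1).
 *
 * hSession    - session in which the key object is generated
 * pSaltData   - salt bytes, saltLen long
 * iterations  - iteration count placed in the mechanism parameters
 * pkeydata    - user entered passphrase, passwd_size bytes
 * keytype     - CKA_KEY_TYPE of the generated key
 * keylen      - desired length of generated key; CKA_VALUE_LEN is added
 *               to the template only when this is non-zero
 * operation   - attribute type set to true in the template (the callers'
 *               CommandInfo type, e.g. CKA_ENCRYPT or CKA_DECRYPT)
 * hKey        - receives the handle of the generated key
 *
 * Returns the CK_RV from C_GenerateKey().  The passphrase buffer is not
 * copied or cleared here; it stays owned by the caller.
 */
static CK_RV
generate_pkcs5_key(CK_SESSION_HANDLE hSession,
		CK_BYTE		*pSaltData,
		CK_ULONG	saltLen,
		CK_ULONG	iterations,
		CK_BYTE		*pkeydata, /* user entered passphrase */
		CK_KEY_TYPE	keytype,
		CK_ULONG	passwd_size,
		CK_ULONG	keylen,	 /* desired length of generated key */
		CK_ATTRIBUTE_TYPE operation,
		CK_OBJECT_HANDLE *hKey)
{
	CK_RV rv;
	CK_PKCS5_PBKD2_PARAMS params;
	CK_MECHANISM mechanism;
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_ATTRIBUTE tmpl[4];	/* class, key type, operation, value len */
	int attrs = 0;

	tmpl[attrs].type = CKA_CLASS;
	tmpl[attrs].pValue = &class;
	tmpl[attrs].ulValueLen = sizeof (class);
	attrs++;

	tmpl[attrs].type = CKA_KEY_TYPE;
	tmpl[attrs].pValue = &keytype;
	tmpl[attrs].ulValueLen = sizeof (keytype);
	attrs++;

	tmpl[attrs].type = operation;
	tmpl[attrs].pValue = &truevalue;
	tmpl[attrs].ulValueLen = sizeof (CK_BBOOL);
	attrs++;

	if (keylen > 0) {
		tmpl[attrs].type = CKA_VALUE_LEN;
		tmpl[attrs].pValue = &keylen;
		tmpl[attrs].ulValueLen = sizeof (keylen);
		attrs++;
	}

	params.saltSource = CKZ_SALT_SPECIFIED;
	params.pSaltSourceData = (void *)pSaltData;
	params.ulSaltSourceDataLen = saltLen;
	params.iterations = iterations;
	params.prf = CKP_PKCS5_PBKD2_HMAC_SHA1;
	params.pPrfData = NULL;
	params.ulPrfDataLen = 0;
	params.pPassword = (CK_UTF8CHAR_PTR)pkeydata;
	/* this field takes the address of the length, not the length */
	params.ulPasswordLen = &passwd_size;

	/* the mechanism is described once, after params is filled in */
	mechanism.mechanism = CKM_PKCS5_PBKD2;
	mechanism.pParameter = &params;
	mechanism.ulParameterLen = sizeof (params);

	rv = C_GenerateKey(hSession, &mechanism, tmpl,
	    attrs, hKey);

	return (rv);
}

/*
 * This function will login into the token with the provided password and
 * find the token key object with the specified keytype and keylabel.
 *
 * The search template asks for a private (CKA_PRIVATE) secret-key token
 * object with the given label and key type, and at most one handle is
 * fetched into *keyobj.
 *
 * Returns 0 when a key object was found, -1 on login failure, search
 * failure, or when no object matches (a message goes to stderr in each
 * case).  The password buffer is not copied or cleared here.
 */
static int
get_token_key(CK_SESSION_HANDLE hSession, CK_KEY_TYPE keytype,
    char *keylabel, CK_BYTE *password, int password_len,
    CK_OBJECT_HANDLE *keyobj)
{
	CK_RV rv;
	CK_ATTRIBUTE pTmpl[10];
	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
	CK_BBOOL is_private = 1;
	CK_BBOOL is_token = 1;
	CK_ULONG key_obj_count = 1;
	int i;
	CK_KEY_TYPE ckKeyType = keytype;


	rv = C_Login(hSession, CKU_USER, (CK_UTF8CHAR_PTR)password,
	    (CK_ULONG)password_len);
	if (rv != CKR_OK) {
		(void) fprintf(stderr, "Cannot login to the token."
		    " error = %s\n", pkcs11_strerror(rv));
		return (-1);
	}

	i = 0;
	pTmpl[i].type = CKA_TOKEN;
	pTmpl[i].pValue = &is_token;
	pTmpl[i].ulValueLen = sizeof (CK_BBOOL);
	i++;

	pTmpl[i].type = CKA_CLASS;
	pTmpl[i].pValue = &class;
	pTmpl[i].ulValueLen = sizeof (class);
	i++;

	pTmpl[i].type = CKA_LABEL;
	pTmpl[i].pValue = keylabel;
	pTmpl[i].ulValueLen = strlen(keylabel);
	i++;

	pTmpl[i].type = CKA_KEY_TYPE;
	pTmpl[i].pValue = &ckKeyType;
	pTmpl[i].ulValueLen = sizeof (ckKeyType);
	i++;

	pTmpl[i].type = CKA_PRIVATE;
	pTmpl[i].pValue = &is_private;
	pTmpl[i].ulValueLen = sizeof (is_private);
	i++;

	rv = C_FindObjectsInit(hSession, pTmpl, i);
	if (rv != CKR_OK) {
		goto out;
	}

	rv = C_FindObjects(hSession, keyobj, 1, &key_obj_count);

	/* the search is always closed; rv keeps the C_FindObjects result */
	(void) C_FindObjectsFinal(hSession);

out:
	if (rv != CKR_OK) {
		(void) fprintf(stderr,
		    "Cannot retrieve key object. error = %s\n",
		    pkcs11_strerror(rv));
		return (-1);
	}

	if (key_obj_count == 0) {
		(void) fprintf(stderr, "Cannot find the key object.\n");
		return (-1);
	}

	return (0);
}


/*
 * Execute the command.
 * cmd - command pointing to type of operation.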
4850Sstevel@tonic-gate * algo_str - alias of the algorithm passed. 4860Sstevel@tonic-gate */ 4870Sstevel@tonic-gate static int 4880Sstevel@tonic-gate execute_cmd(struct CommandInfo *cmd, char *algo_str) 4890Sstevel@tonic-gate { 4900Sstevel@tonic-gate CK_RV rv; 4910Sstevel@tonic-gate CK_ULONG slotcount; 4920Sstevel@tonic-gate CK_SLOT_ID slotID; 4930Sstevel@tonic-gate CK_SLOT_ID_PTR pSlotList = NULL; 4940Sstevel@tonic-gate CK_MECHANISM_TYPE mech_type = 0; 4950Sstevel@tonic-gate CK_MECHANISM_INFO info, kg_info; 4960Sstevel@tonic-gate CK_MECHANISM mech; 4970Sstevel@tonic-gate CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE; 4980Sstevel@tonic-gate CK_BYTE_PTR pkeydata = NULL; 4990Sstevel@tonic-gate CK_BYTE salt[PBKD2_SALT_SIZE]; 5000Sstevel@tonic-gate CK_ULONG keysize = 0; 5010Sstevel@tonic-gate int i, slot, mek; /* index variables */ 5020Sstevel@tonic-gate int status; 5030Sstevel@tonic-gate struct stat insbuf; /* stat buf for infile */ 5040Sstevel@tonic-gate struct stat outsbuf; /* stat buf for outfile */ 5050Sstevel@tonic-gate char tmpnam[PATH_MAX]; /* tmp file name */ 5060Sstevel@tonic-gate CK_OBJECT_HANDLE key = (CK_OBJECT_HANDLE) 0; 5070Sstevel@tonic-gate int infd = 0; /* input file, stdin default */ 5080Sstevel@tonic-gate int outfd = 1; /* output file, stdout default */ 5090Sstevel@tonic-gate char *outfilename = NULL; 5100Sstevel@tonic-gate boolean_t errflag = B_TRUE; 5110Sstevel@tonic-gate boolean_t inoutsame = B_FALSE; /* if both input & output are same */ 5120Sstevel@tonic-gate CK_BYTE_PTR pivbuf = NULL_PTR; 5130Sstevel@tonic-gate CK_ULONG ivlen = 0L; 5140Sstevel@tonic-gate int mech_match = 0; 5150Sstevel@tonic-gate CK_ULONG iterations = PBKD2_ITERATIONS; 5160Sstevel@tonic-gate CK_ULONG keylen; 5170Sstevel@tonic-gate int version = SUNW_ENCRYPT_FILE_VERSION; 5180Sstevel@tonic-gate CK_KEY_TYPE keytype; 519*3812Shylee KMF_RETURN kmfrv; 520*3812Shylee CK_SLOT_ID token_slot_id; 5210Sstevel@tonic-gate 5220Sstevel@tonic-gate if (aflag) { 5230Sstevel@tonic-gate /* 
Determine if algorithm is valid */ 5240Sstevel@tonic-gate for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; 5250Sstevel@tonic-gate mech_match++) { 5260Sstevel@tonic-gate if (strcmp(algo_str, 5270Sstevel@tonic-gate mech_aliases[mech_match].alias) == 0) { 5280Sstevel@tonic-gate mech_type = mech_aliases[mech_match].type; 5290Sstevel@tonic-gate break; 5300Sstevel@tonic-gate } 5310Sstevel@tonic-gate } 5320Sstevel@tonic-gate 5330Sstevel@tonic-gate if (mech_match == MECH_ALIASES_COUNT) { 5340Sstevel@tonic-gate cryptoerror(LOG_STDERR, 5350Sstevel@tonic-gate gettext("unknown algorithm -- %s"), algo_str); 5360Sstevel@tonic-gate return (EXIT_FAILURE); 5370Sstevel@tonic-gate } 5380Sstevel@tonic-gate 5390Sstevel@tonic-gate /* 540*3812Shylee * Process keyfile or get the token pin if -K is specified. 5410Sstevel@tonic-gate * 5420Sstevel@tonic-gate * If a keyfile is provided, get the key data from 5430Sstevel@tonic-gate * the file. Otherwise, prompt for a passphrase. The 5440Sstevel@tonic-gate * passphrase is used as the key data. 5450Sstevel@tonic-gate */ 546*3812Shylee if (Kflag) { 547*3812Shylee /* get the pin of the token */ 548*3812Shylee if (token_label == NULL || !strlen(token_label)) { 549*3812Shylee token_label = PK_DEFAULT_PK11TOKEN; 550*3812Shylee } 551*3812Shylee 552*3812Shylee status = cryptogetdata(token_label, &pkeydata, 553*3812Shylee &keysize); 554*3812Shylee } else if (kflag) { 555*3812Shylee /* get the key file */ 5560Sstevel@tonic-gate status = cryptoreadfile(keyfile, &pkeydata, &keysize); 5570Sstevel@tonic-gate } else { 558*3812Shylee /* get the key from input */ 559*3812Shylee status = cryptogetdata(NULL, &pkeydata, &keysize); 5600Sstevel@tonic-gate } 5610Sstevel@tonic-gate 5620Sstevel@tonic-gate if (status == -1 || keysize == 0L) { 563*3812Shylee cryptoerror(LOG_STDERR, 564*3812Shylee Kflag ? 
gettext("invalid password.") : 565*3812Shylee gettext("invalid key.")); 5660Sstevel@tonic-gate return (EXIT_FAILURE); 5670Sstevel@tonic-gate } 5680Sstevel@tonic-gate } 5690Sstevel@tonic-gate 5700Sstevel@tonic-gate bzero(salt, sizeof (salt)); 5710Sstevel@tonic-gate /* Initialize pkcs */ 572*3812Shylee rv = C_Initialize(NULL); 573*3812Shylee if (rv != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { 5740Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("failed to initialize " 5750Sstevel@tonic-gate "PKCS #11 framework: %s"), pkcs11_strerror(rv)); 5760Sstevel@tonic-gate goto cleanup; 5770Sstevel@tonic-gate } 5780Sstevel@tonic-gate 5790Sstevel@tonic-gate /* Get slot count */ 5800Sstevel@tonic-gate rv = C_GetSlotList(0, NULL_PTR, &slotcount); 5810Sstevel@tonic-gate if (rv != CKR_OK || slotcount == 0) { 5820Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 5830Sstevel@tonic-gate "failed to find any cryptographic provider," 5840Sstevel@tonic-gate "please check with your system administrator: %s"), 5850Sstevel@tonic-gate pkcs11_strerror(rv)); 5860Sstevel@tonic-gate goto cleanup; 5870Sstevel@tonic-gate } 5880Sstevel@tonic-gate 5890Sstevel@tonic-gate /* Found at least one slot, allocate memory for slot list */ 5900Sstevel@tonic-gate pSlotList = malloc(slotcount * sizeof (CK_SLOT_ID)); 5910Sstevel@tonic-gate if (pSlotList == NULL_PTR) { 5920Sstevel@tonic-gate int err = errno; 5930Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s"), strerror(err)); 5940Sstevel@tonic-gate goto cleanup; 5950Sstevel@tonic-gate } 5960Sstevel@tonic-gate 5970Sstevel@tonic-gate /* Get the list of slots */ 5980Sstevel@tonic-gate if ((rv = C_GetSlotList(0, pSlotList, &slotcount)) != CKR_OK) { 5990Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 6000Sstevel@tonic-gate "failed to find any cryptographic provider," 6010Sstevel@tonic-gate "please check with your system administrator: %s"), 6020Sstevel@tonic-gate pkcs11_strerror(rv)); 6030Sstevel@tonic-gate goto cleanup; 
6040Sstevel@tonic-gate } 6050Sstevel@tonic-gate 6060Sstevel@tonic-gate if (lflag) { 6070Sstevel@tonic-gate 6080Sstevel@tonic-gate /* Iterate through slots */ 6090Sstevel@tonic-gate for (slot = 0; slot < slotcount; slot++) { 6100Sstevel@tonic-gate 6110Sstevel@tonic-gate /* Iterate through each mechanism */ 6120Sstevel@tonic-gate for (mek = 0; mek < MECH_ALIASES_COUNT; mek++) { 6130Sstevel@tonic-gate rv = C_GetMechanismInfo(pSlotList[slot], 6140Sstevel@tonic-gate mech_aliases[mek].type, &info); 6150Sstevel@tonic-gate 6160Sstevel@tonic-gate if (rv != CKR_OK) 6170Sstevel@tonic-gate continue; 6180Sstevel@tonic-gate 6190Sstevel@tonic-gate /* 6200Sstevel@tonic-gate * Set to minimum/maximum key sizes assuming 6210Sstevel@tonic-gate * the values available are not 0. 6220Sstevel@tonic-gate */ 6230Sstevel@tonic-gate if (info.ulMinKeySize && (info.ulMinKeySize < 6240Sstevel@tonic-gate mech_aliases[mek].keysize_min)) 6250Sstevel@tonic-gate mech_aliases[mek].keysize_min = 6260Sstevel@tonic-gate info.ulMinKeySize; 6270Sstevel@tonic-gate 6280Sstevel@tonic-gate if (info.ulMaxKeySize && (info.ulMaxKeySize > 6290Sstevel@tonic-gate mech_aliases[mek].keysize_max)) 6300Sstevel@tonic-gate mech_aliases[mek].keysize_max = 6310Sstevel@tonic-gate info.ulMaxKeySize; 6320Sstevel@tonic-gate 6330Sstevel@tonic-gate mech_aliases[mek].available = B_TRUE; 6340Sstevel@tonic-gate } 6350Sstevel@tonic-gate 6360Sstevel@tonic-gate } 6370Sstevel@tonic-gate 6380Sstevel@tonic-gate algorithm_list(); 6390Sstevel@tonic-gate 6400Sstevel@tonic-gate errflag = B_FALSE; 6410Sstevel@tonic-gate goto cleanup; 6420Sstevel@tonic-gate } 6430Sstevel@tonic-gate 644*3812Shylee 645*3812Shylee /* 646*3812Shylee * Find a slot with matching mechanism 647*3812Shylee * 648*3812Shylee * If -K is specified, we find the slot id for the token first, then 649*3812Shylee * check if the slot supports the algorithm. 
650*3812Shylee */ 651*3812Shylee i = 0; 652*3812Shylee if (Kflag) { 653*3812Shylee kmfrv = KMF_PK11TokenLookup(NULL, token_label, &token_slot_id); 654*3812Shylee if (kmfrv != KMF_OK) { 655*3812Shylee cryptoerror(LOG_STDERR, 656*3812Shylee gettext("no matching PKCS#11 token")); 657*3812Shylee errflag = B_TRUE; 658*3812Shylee goto cleanup; 659*3812Shylee } 660*3812Shylee rv = C_GetMechanismInfo(token_slot_id, mech_type, &info); 661*3812Shylee if (rv == CKR_OK && (info.flags & cmd->flags)) 662*3812Shylee slotID = token_slot_id; 663*3812Shylee else 664*3812Shylee i = slotcount; 665*3812Shylee } else { 666*3812Shylee for (i = 0; i < slotcount; i++) { 667*3812Shylee slotID = pSlotList[i]; 668*3812Shylee rv = C_GetMechanismInfo(slotID, mech_type, &info); 669*3812Shylee if (rv != CKR_OK) { 670*3812Shylee continue; /* to the next slot */ 671*3812Shylee } else { 672*3812Shylee /* 673*3812Shylee * If the slot support the crypto, also 674*3812Shylee * make sure it supports the correct 675*3812Shylee * key generation mech if needed. 676*3812Shylee * 677*3812Shylee * We need PKCS5 when RC4 is used or 678*3812Shylee * when the key is entered on cmd line. 
679*3812Shylee */ 680*3812Shylee if ((info.flags & cmd->flags) && 681*3812Shylee (mech_type == CKM_RC4) || 682*3812Shylee (keyfile == NULL)) { 683*3812Shylee rv = C_GetMechanismInfo(slotID, 684*3812Shylee CKM_PKCS5_PBKD2, &kg_info); 685*3812Shylee if (rv == CKR_OK) 686*3812Shylee break; 687*3812Shylee } else if (info.flags & cmd->flags) { 6880Sstevel@tonic-gate break; 689*3812Shylee } 6900Sstevel@tonic-gate } 6910Sstevel@tonic-gate } 6920Sstevel@tonic-gate } 6930Sstevel@tonic-gate 6940Sstevel@tonic-gate /* Show error if no matching mechanism found */ 6950Sstevel@tonic-gate if (i == slotcount) { 6960Sstevel@tonic-gate cryptoerror(LOG_STDERR, 6970Sstevel@tonic-gate gettext("no cryptographic provider was " 6980Sstevel@tonic-gate "found for this algorithm -- %s"), algo_str); 6990Sstevel@tonic-gate goto cleanup; 7000Sstevel@tonic-gate } 7010Sstevel@tonic-gate 7020Sstevel@tonic-gate /* Open a session */ 7030Sstevel@tonic-gate rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, 7040Sstevel@tonic-gate NULL_PTR, NULL, &hSession); 7050Sstevel@tonic-gate 7060Sstevel@tonic-gate if (rv != CKR_OK) { 7070Sstevel@tonic-gate cryptoerror(LOG_STDERR, 7080Sstevel@tonic-gate gettext("can not open PKCS #11 session: %s"), 7090Sstevel@tonic-gate pkcs11_strerror(rv)); 7100Sstevel@tonic-gate goto cleanup; 7110Sstevel@tonic-gate } 7120Sstevel@tonic-gate 7130Sstevel@tonic-gate /* 7140Sstevel@tonic-gate * Generate IV data for encrypt. 
7150Sstevel@tonic-gate */ 7160Sstevel@tonic-gate ivlen = mech_aliases[mech_match].ivlen; 7170Sstevel@tonic-gate if ((pivbuf = malloc((size_t)ivlen)) == NULL) { 7180Sstevel@tonic-gate int err = errno; 7190Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("malloc: %s"), 7200Sstevel@tonic-gate strerror(err)); 7210Sstevel@tonic-gate goto cleanup; 7220Sstevel@tonic-gate } 7230Sstevel@tonic-gate 7240Sstevel@tonic-gate if (cmd->type == CKA_ENCRYPT) { 7250Sstevel@tonic-gate if ((get_random_data(pivbuf, 7260Sstevel@tonic-gate mech_aliases[mech_match].ivlen)) != 0) { 7270Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7280Sstevel@tonic-gate "Unable to generate random " 7290Sstevel@tonic-gate "data for initialization vector.")); 7300Sstevel@tonic-gate goto cleanup; 7310Sstevel@tonic-gate } 7320Sstevel@tonic-gate } 7330Sstevel@tonic-gate 7340Sstevel@tonic-gate /* 7350Sstevel@tonic-gate * Create the key object 7360Sstevel@tonic-gate */ 7370Sstevel@tonic-gate rv = pkcs11_mech2keytype(mech_type, &keytype); 7380Sstevel@tonic-gate if (rv != CKR_OK) { 7390Sstevel@tonic-gate cryptoerror(LOG_STDERR, 7400Sstevel@tonic-gate gettext("unable to find key type for algorithm.")); 7410Sstevel@tonic-gate goto cleanup; 7420Sstevel@tonic-gate } 7430Sstevel@tonic-gate 7440Sstevel@tonic-gate /* Open input file */ 7450Sstevel@tonic-gate if (iflag) { 7460Sstevel@tonic-gate if ((infd = open(inputfile, O_RDONLY | O_NONBLOCK)) == -1) { 7470Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7480Sstevel@tonic-gate "can not open input file %s"), inputfile); 7490Sstevel@tonic-gate goto cleanup; 7500Sstevel@tonic-gate } 7510Sstevel@tonic-gate 7520Sstevel@tonic-gate /* Get info on input file */ 7530Sstevel@tonic-gate if (fstat(infd, &insbuf) == -1) { 7540Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7550Sstevel@tonic-gate "can not stat input file %s"), inputfile); 7560Sstevel@tonic-gate goto cleanup; 7570Sstevel@tonic-gate } 7580Sstevel@tonic-gate } 7590Sstevel@tonic-gate 7600Sstevel@tonic-gate 
/* 7610Sstevel@tonic-gate * Prepare output file 7620Sstevel@tonic-gate * If the input & output file are same, 7630Sstevel@tonic-gate * the output is written to a temp 7640Sstevel@tonic-gate * file first, then renamed to the original file 7650Sstevel@tonic-gate * after the crypt operation 7660Sstevel@tonic-gate */ 7670Sstevel@tonic-gate inoutsame = B_FALSE; 7680Sstevel@tonic-gate if (oflag) { 7690Sstevel@tonic-gate outfilename = outputfile; 7700Sstevel@tonic-gate if ((stat(outputfile, &outsbuf) != -1) && 7710Sstevel@tonic-gate (insbuf.st_ino == outsbuf.st_ino)) { 7720Sstevel@tonic-gate char *dir; 7730Sstevel@tonic-gate 7740Sstevel@tonic-gate /* create temp file on same dir */ 7750Sstevel@tonic-gate dir = dirname(outputfile); 7760Sstevel@tonic-gate (void) snprintf(tmpnam, sizeof (tmpnam), 7770Sstevel@tonic-gate "%s/encrXXXXXX", dir); 7780Sstevel@tonic-gate outfilename = tmpnam; 7790Sstevel@tonic-gate if ((outfd = mkstemp(tmpnam)) == -1) { 7800Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7810Sstevel@tonic-gate "cannot create temp file")); 7820Sstevel@tonic-gate goto cleanup; 7830Sstevel@tonic-gate } 7840Sstevel@tonic-gate inoutsame = B_TRUE; 7850Sstevel@tonic-gate } else { 7860Sstevel@tonic-gate /* Create file for output */ 7870Sstevel@tonic-gate if ((outfd = open(outfilename, 7880Sstevel@tonic-gate O_CREAT|O_WRONLY|O_TRUNC, 7890Sstevel@tonic-gate 0644)) == -1) { 7900Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 7910Sstevel@tonic-gate "cannot open output file %s"), 7920Sstevel@tonic-gate outfilename); 7930Sstevel@tonic-gate goto cleanup; 7940Sstevel@tonic-gate } 7950Sstevel@tonic-gate } 7960Sstevel@tonic-gate } 7970Sstevel@tonic-gate 7980Sstevel@tonic-gate /* 7990Sstevel@tonic-gate * Read the version number from the head of the file 8000Sstevel@tonic-gate * to know how to interpret the data that follows. 
8010Sstevel@tonic-gate */ 8020Sstevel@tonic-gate if (cmd->type == CKA_DECRYPT) { 8030Sstevel@tonic-gate if (read(infd, &version, sizeof (version)) != 8040Sstevel@tonic-gate sizeof (version)) { 8050Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8060Sstevel@tonic-gate "failed to get format version from " 8070Sstevel@tonic-gate "input file.")); 8080Sstevel@tonic-gate goto cleanup; 8090Sstevel@tonic-gate } 8100Sstevel@tonic-gate /* convert to host byte order */ 8110Sstevel@tonic-gate version = ntohl(version); 8120Sstevel@tonic-gate 8130Sstevel@tonic-gate switch (version) { 8140Sstevel@tonic-gate case 1: 8150Sstevel@tonic-gate /* 8160Sstevel@tonic-gate * Version 1 output format: 8170Sstevel@tonic-gate * - Iterations used in key gen function (4 bytes) 8180Sstevel@tonic-gate * - IV ( 'ivlen' bytes) 8190Sstevel@tonic-gate * - Salt data used in key gen (16 bytes) 8200Sstevel@tonic-gate * 8210Sstevel@tonic-gate * An encrypted file has IV as first block (0 or 8220Sstevel@tonic-gate * more bytes depending on mechanism) followed 8230Sstevel@tonic-gate * by cipher text. Get the IV from the encrypted 8240Sstevel@tonic-gate * file. 8250Sstevel@tonic-gate */ 8260Sstevel@tonic-gate /* 8270Sstevel@tonic-gate * Read iteration count and salt data. 
8280Sstevel@tonic-gate */ 8290Sstevel@tonic-gate if (read(infd, &iterations, 8300Sstevel@tonic-gate sizeof (iterations)) != 8310Sstevel@tonic-gate sizeof (iterations)) { 8320Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8330Sstevel@tonic-gate "failed to get iterations from " 8340Sstevel@tonic-gate "input file.")); 8350Sstevel@tonic-gate goto cleanup; 8360Sstevel@tonic-gate } 8370Sstevel@tonic-gate /* convert to host byte order */ 8380Sstevel@tonic-gate iterations = ntohl(iterations); 8390Sstevel@tonic-gate if (ivlen > 0 && 8400Sstevel@tonic-gate read(infd, pivbuf, ivlen) != ivlen) { 8410Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8420Sstevel@tonic-gate "failed to get initialization " 8430Sstevel@tonic-gate "vector from input file.")); 8440Sstevel@tonic-gate goto cleanup; 8450Sstevel@tonic-gate } 8460Sstevel@tonic-gate if (read(infd, salt, sizeof (salt)) 8470Sstevel@tonic-gate != sizeof (salt)) { 8480Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8490Sstevel@tonic-gate "failed to get salt data from " 8500Sstevel@tonic-gate "input file.")); 8510Sstevel@tonic-gate goto cleanup; 8520Sstevel@tonic-gate } 8530Sstevel@tonic-gate break; 8540Sstevel@tonic-gate default: 8550Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 8560Sstevel@tonic-gate "Unrecognized format version read from " 8570Sstevel@tonic-gate "input file - expected %d, got %d."), 8580Sstevel@tonic-gate SUNW_ENCRYPT_FILE_VERSION, version); 8590Sstevel@tonic-gate goto cleanup; 8600Sstevel@tonic-gate break; 8610Sstevel@tonic-gate } 8620Sstevel@tonic-gate } 863*3812Shylee 8640Sstevel@tonic-gate /* 865*3812Shylee * If Kflag is set, let's find the token key now. 866*3812Shylee * 867*3812Shylee * If Kflag is not set and if encrypting, we need some random 8680Sstevel@tonic-gate * salt data to create the key. If decrypting, 8690Sstevel@tonic-gate * the salt should come from head of the file 8700Sstevel@tonic-gate * to be decrypted. 
8710Sstevel@tonic-gate */ 872*3812Shylee if (Kflag) { 873*3812Shylee rv = get_token_key(hSession, keytype, key_label, pkeydata, 874*3812Shylee keysize, &key); 875*3812Shylee if (rv != CKR_OK) { 876*3812Shylee cryptoerror(LOG_STDERR, gettext( 877*3812Shylee "Can not find the token key")); 878*3812Shylee goto cleanup; 879*3812Shylee } else { 880*3812Shylee goto do_crypto; 881*3812Shylee } 882*3812Shylee } else if (cmd->type == CKA_ENCRYPT) { 8830Sstevel@tonic-gate rv = get_random_data(salt, sizeof (salt)); 8840Sstevel@tonic-gate if (rv != 0) { 8850Sstevel@tonic-gate cryptoerror(LOG_STDERR, 8860Sstevel@tonic-gate gettext("unable to generate random " 8870Sstevel@tonic-gate "data for key salt.")); 8880Sstevel@tonic-gate goto cleanup; 8890Sstevel@tonic-gate } 8900Sstevel@tonic-gate } 8910Sstevel@tonic-gate 892*3812Shylee 8930Sstevel@tonic-gate /* 8940Sstevel@tonic-gate * If key input is read from a file, treat it as 8950Sstevel@tonic-gate * raw key data, unless it is to be used with RC4, 8960Sstevel@tonic-gate * in which case it must be used to generate a pkcs5 8970Sstevel@tonic-gate * key to address security concerns with RC4 keys. 
8980Sstevel@tonic-gate */ 8990Sstevel@tonic-gate if (kflag && keyfile != NULL && keytype != CKK_RC4) { 9000Sstevel@tonic-gate CK_OBJECT_CLASS objclass = CKO_SECRET_KEY; 9010Sstevel@tonic-gate CK_ATTRIBUTE template[5]; 9020Sstevel@tonic-gate int nattr = 0; 9030Sstevel@tonic-gate 9040Sstevel@tonic-gate template[nattr].type = CKA_CLASS; 9050Sstevel@tonic-gate template[nattr].pValue = &objclass; 9060Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (objclass); 9070Sstevel@tonic-gate nattr++; 9080Sstevel@tonic-gate 9090Sstevel@tonic-gate template[nattr].type = CKA_KEY_TYPE; 9100Sstevel@tonic-gate template[nattr].pValue = &keytype; 9110Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (keytype); 9120Sstevel@tonic-gate nattr++; 9130Sstevel@tonic-gate 9140Sstevel@tonic-gate template[nattr].type = cmd->type; 9150Sstevel@tonic-gate template[nattr].pValue = &truevalue; 9160Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (truevalue); 9170Sstevel@tonic-gate nattr++; 9180Sstevel@tonic-gate 9190Sstevel@tonic-gate template[nattr].type = CKA_TOKEN; 9200Sstevel@tonic-gate template[nattr].pValue = &falsevalue; 9210Sstevel@tonic-gate template[nattr].ulValueLen = sizeof (falsevalue); 9220Sstevel@tonic-gate nattr++; 9230Sstevel@tonic-gate 9240Sstevel@tonic-gate template[nattr].type = CKA_VALUE; 9250Sstevel@tonic-gate template[nattr].pValue = pkeydata; 9260Sstevel@tonic-gate template[nattr].ulValueLen = keysize; 9270Sstevel@tonic-gate nattr++; 9280Sstevel@tonic-gate 9290Sstevel@tonic-gate rv = C_CreateObject(hSession, template, 9300Sstevel@tonic-gate nattr, &key); 9310Sstevel@tonic-gate } else { 9320Sstevel@tonic-gate /* 9330Sstevel@tonic-gate * If the encryption type has a fixed key length, 9340Sstevel@tonic-gate * then its not necessary to set the key length 9350Sstevel@tonic-gate * parameter when generating the key. 
9360Sstevel@tonic-gate */ 9370Sstevel@tonic-gate if (keytype == CKK_DES || keytype == CKK_DES3) 9380Sstevel@tonic-gate keylen = 0; 9390Sstevel@tonic-gate else 9400Sstevel@tonic-gate keylen = 16; 9410Sstevel@tonic-gate 9420Sstevel@tonic-gate /* 9430Sstevel@tonic-gate * Generate a cryptographically secure key using 9440Sstevel@tonic-gate * the key read from the file given (-k keyfile) or 9450Sstevel@tonic-gate * the passphrase entered by the user. 9460Sstevel@tonic-gate */ 9470Sstevel@tonic-gate rv = generate_pkcs5_key(hSession, 9480Sstevel@tonic-gate salt, sizeof (salt), 9490Sstevel@tonic-gate iterations, 9500Sstevel@tonic-gate pkeydata, keytype, keysize, 9510Sstevel@tonic-gate keylen, cmd->type, &key); 9520Sstevel@tonic-gate } 9530Sstevel@tonic-gate 9540Sstevel@tonic-gate if (rv != CKR_OK) { 9550Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9560Sstevel@tonic-gate "failed to generate a key: %s"), 9570Sstevel@tonic-gate pkcs11_strerror(rv)); 9580Sstevel@tonic-gate goto cleanup; 9590Sstevel@tonic-gate } 9600Sstevel@tonic-gate 961*3812Shylee 962*3812Shylee do_crypto: 9630Sstevel@tonic-gate /* Setup up mechanism */ 9640Sstevel@tonic-gate mech.mechanism = mech_type; 9650Sstevel@tonic-gate mech.pParameter = (CK_VOID_PTR)pivbuf; 9660Sstevel@tonic-gate mech.ulParameterLen = ivlen; 9670Sstevel@tonic-gate 9680Sstevel@tonic-gate if ((rv = cmd->Init(hSession, &mech, key)) != CKR_OK) { 9690Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9700Sstevel@tonic-gate "failed to initialize crypto operation: %s"), 9710Sstevel@tonic-gate pkcs11_strerror(rv)); 9720Sstevel@tonic-gate goto cleanup; 9730Sstevel@tonic-gate } 9740Sstevel@tonic-gate 9750Sstevel@tonic-gate /* Write the version header encrypt command */ 9760Sstevel@tonic-gate if (cmd->type == CKA_ENCRYPT) { 9770Sstevel@tonic-gate /* convert to network order for storage */ 9780Sstevel@tonic-gate int netversion = htonl(version); 9790Sstevel@tonic-gate CK_ULONG netiter; 9800Sstevel@tonic-gate 9810Sstevel@tonic-gate if 
(write(outfd, &netversion, sizeof (netversion)) 9820Sstevel@tonic-gate != sizeof (netversion)) { 9830Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9840Sstevel@tonic-gate "failed to write version number " 9850Sstevel@tonic-gate "to output file.")); 9860Sstevel@tonic-gate goto cleanup; 9870Sstevel@tonic-gate } 9880Sstevel@tonic-gate /* 9890Sstevel@tonic-gate * Write the iteration and salt data, even if they 9900Sstevel@tonic-gate * were not used to generate a key. 9910Sstevel@tonic-gate */ 9920Sstevel@tonic-gate netiter = htonl(iterations); 9930Sstevel@tonic-gate if (write(outfd, &netiter, 9940Sstevel@tonic-gate sizeof (netiter)) != sizeof (netiter)) { 9950Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 9960Sstevel@tonic-gate "failed to write iterations to output")); 9970Sstevel@tonic-gate goto cleanup; 9980Sstevel@tonic-gate } 9990Sstevel@tonic-gate if (ivlen > 0 && 10000Sstevel@tonic-gate write(outfd, pivbuf, ivlen) != ivlen) { 10010Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 10020Sstevel@tonic-gate "failed to write initialization vector " 10030Sstevel@tonic-gate "to output")); 10040Sstevel@tonic-gate goto cleanup; 10050Sstevel@tonic-gate } 10060Sstevel@tonic-gate if (write(outfd, salt, sizeof (salt)) != sizeof (salt)) { 10070Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext( 10080Sstevel@tonic-gate "failed to write salt data to output")); 10090Sstevel@tonic-gate goto cleanup; 10100Sstevel@tonic-gate } 10110Sstevel@tonic-gate } 10120Sstevel@tonic-gate 10131142Sjk115741 if (crypt_multipart(cmd, hSession, infd, outfd, insbuf.st_size) == -1) { 10140Sstevel@tonic-gate goto cleanup; 10150Sstevel@tonic-gate } 10160Sstevel@tonic-gate 10170Sstevel@tonic-gate errflag = B_FALSE; 10180Sstevel@tonic-gate 10190Sstevel@tonic-gate /* 10200Sstevel@tonic-gate * Clean up 10210Sstevel@tonic-gate */ 10220Sstevel@tonic-gate cleanup: 10230Sstevel@tonic-gate /* Clear the key data, so others cannot snoop */ 10240Sstevel@tonic-gate if (pkeydata != NULL) { 
10250Sstevel@tonic-gate bzero(pkeydata, keysize); 10260Sstevel@tonic-gate free(pkeydata); 10270Sstevel@tonic-gate pkeydata = NULL; 10280Sstevel@tonic-gate } 10290Sstevel@tonic-gate 10300Sstevel@tonic-gate /* Destroy key object */ 1031*3812Shylee if (Kflag != B_FALSE && key != (CK_OBJECT_HANDLE) 0) { 10320Sstevel@tonic-gate (void) C_DestroyObject(hSession, key); 10330Sstevel@tonic-gate } 10340Sstevel@tonic-gate 10350Sstevel@tonic-gate /* free allocated memory */ 10360Sstevel@tonic-gate if (pSlotList != NULL) 10370Sstevel@tonic-gate free(pSlotList); 10380Sstevel@tonic-gate if (pivbuf != NULL) 10390Sstevel@tonic-gate free(pivbuf); 10400Sstevel@tonic-gate 10410Sstevel@tonic-gate /* close all the files */ 10421142Sjk115741 if (iflag && (infd != -1)) 10430Sstevel@tonic-gate (void) close(infd); 10441142Sjk115741 if (oflag && (outfd != -1)) 10450Sstevel@tonic-gate (void) close(outfd); 10460Sstevel@tonic-gate 10470Sstevel@tonic-gate /* rename tmp output to input file */ 10480Sstevel@tonic-gate if (inoutsame) { 10490Sstevel@tonic-gate if (rename(outfilename, inputfile) == -1) { 10500Sstevel@tonic-gate (void) unlink(outfilename); 10510Sstevel@tonic-gate cryptoerror(LOG_STDERR, gettext("rename failed.")); 10520Sstevel@tonic-gate } 10530Sstevel@tonic-gate } 10540Sstevel@tonic-gate 10550Sstevel@tonic-gate /* If error occurred, remove the output file */ 10560Sstevel@tonic-gate if (errflag && outfilename != NULL) { 10570Sstevel@tonic-gate (void) unlink(outfilename); 10580Sstevel@tonic-gate } 10590Sstevel@tonic-gate 10600Sstevel@tonic-gate /* close pkcs11 session */ 10610Sstevel@tonic-gate if (hSession != CK_INVALID_HANDLE) 10620Sstevel@tonic-gate (void) C_CloseSession(hSession); 10630Sstevel@tonic-gate 10640Sstevel@tonic-gate (void) C_Finalize(NULL); 10650Sstevel@tonic-gate 10660Sstevel@tonic-gate return (errflag); 10670Sstevel@tonic-gate } 10680Sstevel@tonic-gate 10690Sstevel@tonic-gate /* 10700Sstevel@tonic-gate * Function for printing progress bar when the verbose flag 
* is set.
 *
 * The vertical bar is printed at 25, 50, and 75% complete.
 *
 * The function is passed the number of positions on the screen it needs to
 * advance and loops.
 *
 * The current column is kept in status_pos, which is declared outside this
 * function and is advanced by one for every character written.
 */

static void
print_status(int pos_to_advance)
{
	int remaining;

	for (remaining = pos_to_advance; remaining > 0; remaining--) {
		if (status_pos == 0) {
			/* first column opens the bar */
			(void) fprintf(stderr, gettext("["));
		} else if (status_pos == 19 || status_pos == 39 ||
		    status_pos == 59) {
			/* quarter markers */
			(void) fprintf(stderr, gettext("|"));
		} else {
			(void) fprintf(stderr, gettext("."));
		}
		status_pos++;
	}
}

/*
 * Encrypt/Decrypt in multi part.
 *
 * This function reads the input file (infd) and writes the
 * encrypted/decrypted output to file (outfd).
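*
 * cmd - pointing to commandinfo
 * hSession - pkcs session
 * infd - input file descriptor
 * outfd - output file descriptor
 * insize - size of the input as supplied by the caller; used here only
 *	to space the progress bar
 *
 * Returns 0 on success and -1 if reading, writing, allocating the result
 * buffer or any of the cmd->Update/cmd->Final calls fails.
 */

static int
crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession,
	int infd, int outfd, off_t insize)
{
	CK_RV		rv;
	CK_ULONG	resultlen;
	CK_ULONG	resultbuflen;
	CK_BYTE_PTR	resultbuf;
	CK_ULONG	datalen;
	CK_BYTE		databuf[BUFFERSIZE];
	CK_BYTE		outbuf[BUFFERSIZE+BLOCKSIZE];
	CK_ULONG	status_index = 0; /* current total file size read */
	float		status_last = 0.0; /* file size of last element used */
	float		status_incr = 0.0; /* file size element increments */
	int		pos; /* # of progress bar elements to be printed */
	ssize_t		nread;
	boolean_t	errflag = B_FALSE;

	datalen = sizeof (databuf);
	resultbuflen = sizeof (outbuf);
	resultbuf = outbuf;

	/* Divide into 79 increments for progress bar element spacing */
	if (vflag && iflag)
		status_incr = (insize / 79.0);

	while ((nread = read(infd, databuf, datalen)) > 0) {

		/* Offer the provider the full capacity of the current buffer */
		resultlen = resultbuflen;
		rv = cmd->Update(hSession, databuf, (CK_ULONG)nread,
		    resultbuf, &resultlen);

		/* Need a bigger buffer? */
		if (rv == CKR_BUFFER_TOO_SMALL) {

			/* scrub and free a previously grown buffer */
			if (resultbuf != NULL && resultbuf != outbuf) {
				bzero(resultbuf, resultbuflen);
				free(resultbuf);
			}

			/*
			 * Allocate the size reported back in resultlen by
			 * the failed call.
			 */
			if ((resultbuf = malloc((size_t)resultlen)) == NULL) {
				int err = errno;
				cryptoerror(LOG_STDERR, gettext("malloc: %s"),
				    strerror(err));
				return (-1);
			}
			resultbuflen = resultlen;

			/* Try again with bigger buffer */
			rv = cmd->Update(hSession, databuf, (CK_ULONG)nread,
			    resultbuf, &resultlen);
		}

		if (rv != CKR_OK) {
			errflag = B_TRUE;
			cryptoerror(LOG_STDERR, gettext(
			    "crypto operation failed: %s"),
			    pkcs11_strerror(rv));
			break;
		}

		/* write the output; a short write is treated as failure */
		if (write(outfd, resultbuf, resultlen) != resultlen) {
			cryptoerror(LOG_STDERR, gettext(
			    "failed to write result to output file."));
			errflag = B_TRUE;
			break;
		}

		if (vflag) {
			status_index += resultlen;

			/*
			 * If input is from stdin, do our own progress bar
			 * by printing periods at a pre-defined increment
			 * until the file is done.
			 */
			if (!iflag) {

				/*
				 * Print at least 1 element in case the file
				 * is small, it looks better than nothing.
				 */
				if (status_pos == 0) {
					(void) fprintf(stderr, gettext("."));
					status_pos = 1;
				}

				if ((status_index - status_last) >
				    (PROGRESSSIZE)) {
					(void) fprintf(stderr, gettext("."));
					status_last = status_index;
				}
				continue;
			}

			/* Calculate the number of elements to be printed */
			if (insize <= BUFFERSIZE)
				pos = 78;
			else
				pos = (int)((status_index - status_last) /
				    status_incr);

			/* Add progress bar elements, if needed */
			if (pos > 0) {
				print_status(pos);
				status_last += (status_incr * pos);
			}
		}
	}

	/* Print verbose completion */
	if (vflag) {
		if (iflag)
			(void) fprintf(stderr, "]");

		(void) fprintf(stderr, "\n%s\n", gettext("Done."));
	}

	/* Error in reading */
	if (nread == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "error reading from input file"));
		errflag = B_TRUE;
	}

	if (!errflag) {

		/*
		 * Do the final part.
		 *
		 * resultlen still holds the byte count left by the last
		 * Update call, and is not set at all when the input was
		 * empty and the loop never ran.  Reset it to the capacity
		 * of the buffer so Final is told how much room it has.
		 */
		resultlen = resultbuflen;
		rv = cmd->Final(hSession, resultbuf, &resultlen);

		if (rv == CKR_OK) {
			/* write the output */
			if (write(outfd, resultbuf, resultlen) != resultlen) {
				cryptoerror(LOG_STDERR, gettext(
				    "failed to write result to output file."));
				errflag = B_TRUE;
			}
		} else {
			cryptoerror(LOG_STDERR, gettext(
			    "crypto operation failed: %s"),
			    pkcs11_strerror(rv));
			errflag = B_TRUE;
		}

	}

	/* scrub a heap result buffer before giving it back */
	if (resultbuf != NULL && resultbuf != outbuf) {
		bzero(resultbuf, resultbuflen);
		free(resultbuf);
	}

	if (errflag) {
		return (-1);
	} else {
		return (0);
	}
}

/*
 * cryptoreadfile - reads file into a buffer
 * This function can be used for reading files
 * containing key or initialization vector data.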
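*
 * filename - name of file
 * pdata - entire file returned in this buffer
 *	must be freed by caller using free()
 * pdatalen - length of data returned
 *
 * Only regular, non-empty files are accepted.  Because the buffer may hold
 * key material, it is cleared before being freed on the failure path.
 *
 * returns 0 if success, -1 if error
 */
static int
cryptoreadfile(char *filename, CK_BYTE_PTR *pdata, CK_ULONG_PTR pdatalen)
{
	struct stat statbuf;
	char *filebuf;
	size_t filesize;
	size_t total = 0;
	int fd;

	if (filename == NULL)
		return (-1);

	/* read the file into a buffer */
	if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "cannot open %s"), filename);
		return (-1);

	}

	if (fstat(fd, &statbuf) == -1) {
		cryptoerror(LOG_STDERR, gettext(
		    "cannot stat %s"), filename);
		(void) close(fd);
		return (-1);
	}

	if (!S_ISREG(statbuf.st_mode)) {
		cryptoerror(LOG_STDERR, gettext(
		    "%s not a regular file"), filename);
		(void) close(fd);
		return (-1);
	}

	/*
	 * Keep the size in a size_t: storing st_size in an int truncates
	 * large files and can turn into a negative length, which malloc()
	 * and read() would then see as a huge unsigned value.  Reject
	 * anything that does not survive the conversions intact.
	 */
	filesize = (size_t)statbuf.st_size;
	if (statbuf.st_size <= 0 ||
	    (off_t)filesize != statbuf.st_size ||
	    (size_t)(CK_ULONG)filesize != filesize) {
		(void) close(fd);
		return (-1);
	}

	/* allocate a buffer to hold the entire key */
	if ((filebuf = malloc(filesize)) == NULL) {
		int err = errno;
		cryptoerror(LOG_STDERR, gettext("malloc: %s"), strerror(err));
		(void) close(fd);
		return (-1);
	}

	/* a single read() may return less than asked for; keep going */
	while (total < filesize) {
		ssize_t n = read(fd, filebuf + total, filesize - total);

		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0) {
			/* n == 0: file is shorter than fstat() reported */
			int err = (n == -1) ? errno : EIO;
			cryptoerror(LOG_STDERR,
			    gettext("error reading file: %s"),
			    strerror(err));
			(void) close(fd);
			/* do not leave partial key data in freed memory */
			bzero(filebuf, filesize);
			free(filebuf);
			return (-1);
		}
		total += (size_t)n;
	}

	(void) close(fd);

	*pdata = (CK_BYTE_PTR)filebuf;
	*pdatalen = (CK_ULONG)filesize;

	return (0);
}

/*
 * cryptogetdata - prompt user for a key or the PIN for a token
 *
 * token_spec - when not NULL, inserted into DEFAULT_TOKEN_PROMPT to build
 *	the prompt; when NULL the prompt is "Enter key:"
 * pdata - buffer for returning key or pin data
 *	must be freed by caller using free()
 * psize - size of buffer returned (strlen of the data, so the
 *	terminating NUL is not counted)
 *
 * The buffer handed back by getpassphrase() is overwritten with zeros as
 * soon as it has been copied.  The copy returned in pdata is not cleared
 * here; that is left to the caller.
 *
 * returns
 *	0 for success, -1 for failure
 */

static int
cryptogetdata(char *token_spec, CK_BYTE_PTR *pdata, CK_ULONG_PTR psize)
{
	char *databuf = NULL;
	char *tmpbuf = NULL;
	char prompt[1024];

	if (token_spec != NULL) {
		/*
		 * NOTE(review): gettext() is applied to the already
		 * expanded prompt, so the catalog lookup is keyed on text
		 * that contains token_spec.  Confirm whether the format
		 * itself was meant to be translated before snprintf().
		 */
		(void) snprintf(prompt, sizeof (prompt),
		    DEFAULT_TOKEN_PROMPT, token_spec);
		tmpbuf = getpassphrase(gettext(prompt));
	} else {
		tmpbuf = getpassphrase(gettext("Enter key:"));
	}

	if (tmpbuf == NULL)
		return (-1);	/* error */

	databuf = strdup(tmpbuf);
	/* clear getpassphrase()'s buffer whether or not strdup() worked */
	(void) memset(tmpbuf, 0, strlen(tmpbuf));
	if (databuf == NULL)
		return (-1);

	*pdata = (CK_BYTE_PTR)databuf;
	*psize = (CK_ULONG)strlen(databuf);

	return (0);
}

/*
 * get_random_data - fill a buffer with random bytes
 *	Used in this file for both the initialization vector and the
 *	key salt.
 * pivbuf - buffer where data is returned
 * ivlen - number of bytes wanted; 0 means nothing to do
 *
 * returns 0 if the buffer was completely filled (or ivlen is 0),
 * -1 otherwise.  On failure the buffer contents must not be used.
 */
static int
get_random_data(CK_BYTE_PTR pivbuf, int ivlen)
{
	int fd;
	int got = 0;

	if (ivlen == 0) {
		/* nothing to generate */
		return (0);
	}

	/* a negative length would become a huge size_t in read() */
	if (pivbuf == NULL || ivlen < 0)
		return (-1);

	/* Read random data directly from RANDOM_DEVICE */
	if ((fd = open(RANDOM_DEVICE, O_RDONLY)) == -1) {
		/* nothing was opened, so there is nothing to close */
		return (-1);
	}

	/* keep reading until the buffer is completely filled */
	while (got < ivlen) {
		ssize_t n = read(fd, pivbuf + got, (size_t)(ivlen - got));

		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0) {
			(void) close(fd);
			return (-1);
		}
		got += (int)n;
	}

	(void) close(fd);
	return (0);
}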