Print this page
5031131 perf: pkcs11_kernel can benefit from a more efficient pkcs11_mech2str()
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c
+++ new/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
|
↓ open down ↓ |
11 lines elided |
↑ open up ↑ |
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 - * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
22 + * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 -#pragma ident "@(#)adm_uef.c 1.12 06/11/02 SMI"
26 +#pragma ident "@(#)adm_uef.c 1.13 08/06/27 SMI"
27 27
28 28 #include <cryptoutil.h>
29 29 #include <fcntl.h>
30 30 #include <libintl.h>
31 31 #include <stdio.h>
32 32 #include <stdlib.h>
33 33 #include <strings.h>
34 34 #include <unistd.h>
35 35 #include <errno.h>
36 36 #include <dlfcn.h>
37 37 #include <link.h>
38 38 #include <sys/types.h>
39 39 #include <sys/stat.h>
40 40 #include <security/cryptoki.h>
41 41 #include "cryptoadm.h"
42 42
43 43 #define HDR1 " P\n"
44 44 #define HDR2 " S V K a U D\n"
45 45 #define HDR3 " i e e i n e\n"
46 46 #define HDR4 " S g V r y r W w r\n"
47 47 #define HDR5 " E D D i n e i G G r r i\n"
48 48 #define HDR6 " H n e i g + r + e e a a v E\n"
49 49 #define HDR7 "min max W c c g n R i R n n p p e C\n"
50 50
51 51
52 52 static int err; /* To store errno which may be overwritten by gettext() */
53 53 static boolean_t is_in_policylist(midstr_t, umechlist_t *);
54 54 static char *uent2str(uentry_t *);
55 55 static boolean_t check_random(CK_SLOT_ID, CK_FUNCTION_LIST_PTR);
56 56
57 57 static void display_slot_flags(CK_FLAGS flags)
58 58 {
59 59 (void) printf(gettext("Slot Flags: "));
60 60 if (flags & CKF_TOKEN_PRESENT)
61 61 (void) printf("CKF_TOKEN_PRESENT ");
62 62 if (flags & CKF_REMOVABLE_DEVICE)
63 63 (void) printf("CKF_REMOVABLE_DEVICE ");
64 64 if (flags & CKF_HW_SLOT)
65 65 (void) printf("CKF_HW_SLOT ");
66 66 (void) printf("\n");
67 67 }
68 68
69 69 void
70 70 display_token_flags(CK_FLAGS flags)
71 71 {
72 72 (void) printf(gettext("Flags: "));
73 73 if (flags & CKF_RNG)
74 74 (void) printf("CKF_RNG ");
75 75 if (flags & CKF_WRITE_PROTECTED)
76 76 (void) printf("CKF_WRITE_PROTECTED ");
77 77 if (flags & CKF_LOGIN_REQUIRED)
78 78 (void) printf("CKF_LOGIN_REQUIRED ");
79 79 if (flags & CKF_USER_PIN_INITIALIZED)
80 80 (void) printf("CKF_USER_PIN_INITIALIZED ");
81 81 if (flags & CKF_RESTORE_KEY_NOT_NEEDED)
82 82 (void) printf("CKF_RESTORE_KEY_NOT_NEEDED ");
83 83 if (flags & CKF_CLOCK_ON_TOKEN)
84 84 (void) printf("CKF_CLOCK_ON_TOKEN ");
85 85 if (flags & CKF_PROTECTED_AUTHENTICATION_PATH)
86 86 (void) printf("CKF_PROTECTED_AUTHENTICATION_PATH ");
87 87 if (flags & CKF_DUAL_CRYPTO_OPERATIONS)
88 88 (void) printf("CKF_DUAL_CRYPTO_OPERATIONS ");
89 89 if (flags & CKF_TOKEN_INITIALIZED)
90 90 (void) printf("CKF_TOKEN_INITIALIZED ");
91 91 if (flags & CKF_SECONDARY_AUTHENTICATION)
92 92 (void) printf("CKF_SECONDARY_AUTHENTICATION ");
93 93 if (flags & CKF_USER_PIN_COUNT_LOW)
94 94 (void) printf("CKF_USER_PIN_COUNT_LOW ");
95 95 if (flags & CKF_USER_PIN_FINAL_TRY)
96 96 (void) printf("CKF_USER_PIN_FINAL_TRY ");
97 97 if (flags & CKF_USER_PIN_LOCKED)
98 98 (void) printf("CKF_USER_PIN_LOCKED ");
99 99 if (flags & CKF_USER_PIN_TO_BE_CHANGED)
100 100 (void) printf("CKF_USER_PIN_TO_BE_CHANGED ");
101 101 if (flags & CKF_SO_PIN_COUNT_LOW)
102 102 (void) printf("CKF_SO_PIN_COUNT_LOW ");
103 103 if (flags & CKF_SO_PIN_FINAL_TRY)
104 104 (void) printf("CKF_SO_PIN_FINAL_TRY ");
105 105 if (flags & CKF_SO_PIN_LOCKED)
106 106 (void) printf("CKF_SO_PIN_LOCKED ");
107 107 if (flags & CKF_SO_PIN_TO_BE_CHANGED)
|
↓ open down ↓ |
71 lines elided |
↑ open up ↑ |
108 108 (void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
109 109 if (flags & CKF_SO_PIN_TO_BE_CHANGED)
110 110 (void) printf("CKF_SO_PIN_TO_BE_CHANGED ");
111 111 (void) printf("\n");
112 112 }
113 113
114 114 void
115 115 display_mech_info(CK_MECHANISM_INFO *mechInfo)
116 116 {
117 117 CK_FLAGS ec_flags = CKF_EC_F_P | CKF_EC_F_2M | CKF_EC_ECPARAMETERS |
118 - CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS;
118 + CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS | CKF_EC_COMPRESS;
119 119
120 120 (void) printf("%-4ld %-4ld ", mechInfo->ulMinKeySize,
121 - mechInfo->ulMaxKeySize);
121 + mechInfo->ulMaxKeySize);
122 122 (void) printf("%s %s %s %s %s %s %s %s %s %s %s %s "
123 - "%s %s",
124 - (mechInfo->flags & CKF_HW) ? "X" : ".",
125 - (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".",
126 - (mechInfo->flags & CKF_DECRYPT) ? "X" : ".",
127 - (mechInfo->flags & CKF_DIGEST) ? "X" : ".",
128 - (mechInfo->flags & CKF_SIGN) ? "X" : ".",
129 - (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".",
130 - (mechInfo->flags & CKF_VERIFY) ? "X" : ".",
131 - (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".",
132 - (mechInfo->flags & CKF_GENERATE) ? "X" : ".",
133 - (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".",
134 - (mechInfo->flags & CKF_WRAP) ? "X" : ".",
135 - (mechInfo->flags & CKF_UNWRAP) ? "X" : ".",
136 - (mechInfo->flags & CKF_DERIVE) ? "X" : ".",
137 - (mechInfo->flags & ec_flags) ? "X" : ".");
123 + "%s %s",
124 + (mechInfo->flags & CKF_HW) ? "X" : ".",
125 + (mechInfo->flags & CKF_ENCRYPT) ? "X" : ".",
126 + (mechInfo->flags & CKF_DECRYPT) ? "X" : ".",
127 + (mechInfo->flags & CKF_DIGEST) ? "X" : ".",
128 + (mechInfo->flags & CKF_SIGN) ? "X" : ".",
129 + (mechInfo->flags & CKF_SIGN_RECOVER) ? "X" : ".",
130 + (mechInfo->flags & CKF_VERIFY) ? "X" : ".",
131 + (mechInfo->flags & CKF_VERIFY_RECOVER) ? "X" : ".",
132 + (mechInfo->flags & CKF_GENERATE) ? "X" : ".",
133 + (mechInfo->flags & CKF_GENERATE_KEY_PAIR) ? "X" : ".",
134 + (mechInfo->flags & CKF_WRAP) ? "X" : ".",
135 + (mechInfo->flags & CKF_UNWRAP) ? "X" : ".",
136 + (mechInfo->flags & CKF_DERIVE) ? "X" : ".",
137 + (mechInfo->flags & ec_flags) ? "X" : ".");
138 138 }
139 139
140 140 /*
141 141 * Converts the provided list of mechanism names in their string format to
142 - * their corrsponding PKCS#11 mechanism IDs.
142 + * their corresponding PKCS#11 mechanism IDs.
143 143 *
144 144 * The list of mechanism names to be converted is provided in the
145 145 * "mlist" argument. The list of converted mechanism IDs is returned
146 146 * in the "pmech_list" argument.
147 147 *
148 148 * This function is called by list_metaslot_info() and
149 149 * list_mechlist_for_lib() functions.
150 150 */
151 151 int
152 152 convert_mechlist(CK_MECHANISM_TYPE **pmech_list, CK_ULONG *mech_count,
153 153 mechlist_t *mlist)
154 154 {
155 155 int i, n = 0;
156 156 mechlist_t *p = mlist;
157 157
158 158 while (p != NULL) {
159 159 p = p->next;
160 160 n++;
161 161 }
162 162
163 163 *pmech_list = malloc(n * sizeof (CK_MECHANISM_TYPE));
164 164 if (pmech_list == NULL) {
165 165 cryptodebug("out of memory");
166 166 return (FAILURE);
167 167 }
168 168 p = mlist;
169 169 for (i = 0; i < n; i++) {
170 170 if (pkcs11_str2mech(p->name, &(*pmech_list[i])) != CKR_OK) {
171 171 free(*pmech_list);
172 172 return (FAILURE);
173 173 }
174 174 p = p->next;
175 175 }
176 176 *mech_count = n;
177 177 return (SUCCESS);
178 178 }
179 179
180 180 /*
181 181 * Display the mechanism list for a user-level library
182 182 */
183 183 int
184 184 list_mechlist_for_lib(char *libname, mechlist_t *mlist,
185 185 flag_val_t *rng_flag, boolean_t no_warn,
186 186 boolean_t verbose, boolean_t show_mechs)
|
↓ open down ↓ |
34 lines elided |
↑ open up ↑ |
187 187 {
188 188 CK_RV rv = CKR_OK;
189 189 CK_RV (*Tmp_C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR);
190 190 CK_FUNCTION_LIST_PTR prov_funcs; /* Provider's function list */
191 191 CK_SLOT_ID_PTR prov_slots = NULL; /* Provider's slot list */
192 192 CK_MECHANISM_TYPE_PTR pmech_list; /* mechanism list for a slot */
193 193 CK_SLOT_INFO slotinfo;
194 194 CK_ULONG slot_count;
195 195 CK_ULONG mech_count;
196 196 uentry_t *puent = NULL;
197 - boolean_t lib_initialized = B_FALSE;
198 - void *dldesc = NULL;
199 - char *dl_error;
200 - char *mech_name;
201 - char *isa;
202 - char libpath[MAXPATHLEN];
203 - char buf[MAXPATHLEN];
204 - int i, j;
205 - int rc = SUCCESS;
197 + boolean_t lib_initialized = B_FALSE;
198 + void *dldesc = NULL;
199 + char *dl_error;
200 + const char *mech_name;
201 + char *isa;
202 + char libpath[MAXPATHLEN];
203 + char buf[MAXPATHLEN];
204 + int i, j;
205 + int rc = SUCCESS;
206 206
207 207 if (libname == NULL) {
208 208 /* should not happen */
209 209 cryptoerror(LOG_STDERR, gettext("internal error."));
210 210 cryptodebug("list_mechlist_for_lib() - libname is NULL.");
211 211 return (FAILURE);
212 212 }
213 213
214 214 /* Check if the library is in the pkcs11.conf file */
215 215 if ((puent = getent_uef(libname)) == NULL) {
216 216 cryptoerror(LOG_STDERR,
217 217 gettext("%s does not exist."), libname);
218 218 return (FAILURE);
219 219 }
220 220 free_uentry(puent);
221 221
222 222 /* Remove $ISA from the library name */
223 223 if (strlcpy(buf, libname, sizeof (buf)) >= sizeof (buf)) {
224 224 (void) printf(gettext("%s: the provider name is too long."),
225 225 libname);
226 226 return (FAILURE);
227 227 }
228 228
229 229 if ((isa = strstr(buf, PKCS11_ISA)) != NULL) {
230 230 *isa = '\000';
231 231 isa += strlen(PKCS11_ISA);
232 232 (void) snprintf(libpath, MAXPATHLEN, "%s%s%s", buf, "/", isa);
233 233 } else {
234 234 (void) strlcpy(libpath, libname, sizeof (libpath));
235 235 }
236 236
237 237 /* Open the provider */
238 238 dldesc = dlopen(libpath, RTLD_NOW);
239 239 if (dldesc == NULL) {
240 240 dl_error = dlerror();
241 241 cryptodebug("Cannot load PKCS#11 library %s. dlerror: %s",
242 242 libname, dl_error != NULL ? dl_error : "Unknown");
243 243 rc = FAILURE;
244 244 goto clean_exit;
245 245 }
246 246
247 247 /* Get the pointer to provider's C_GetFunctionList() */
248 248 Tmp_C_GetFunctionList = (CK_RV(*)())dlsym(dldesc, "C_GetFunctionList");
249 249 if (Tmp_C_GetFunctionList == NULL) {
250 250 cryptodebug("Cannot get the address of the C_GetFunctionList "
251 251 "from %s", libname);
252 252 rc = FAILURE;
253 253 goto clean_exit;
254 254 }
255 255
256 256 /* Get the provider's function list */
257 257 rv = Tmp_C_GetFunctionList(&prov_funcs);
258 258 if (rv != CKR_OK) {
259 259 cryptodebug("failed to call C_GetFunctionList from %s",
260 260 libname);
261 261 rc = FAILURE;
262 262 goto clean_exit;
263 263 }
264 264
265 265 /* Initialize this provider */
266 266 rv = prov_funcs->C_Initialize(NULL_PTR);
267 267 if (rv != CKR_OK) {
268 268 cryptodebug("failed to call C_Initialize from %s, "
269 269 "return code = %d", libname, rv);
270 270 rc = FAILURE;
271 271 goto clean_exit;
272 272 } else {
273 273 lib_initialized = B_TRUE;
274 274 }
275 275
276 276 /*
277 277 * Find out how many slots this provider has, call with tokenPresent
|
↓ open down ↓ |
62 lines elided |
↑ open up ↑ |
278 278 * set to FALSE so all potential slots are returned.
279 279 */
280 280 rv = prov_funcs->C_GetSlotList(FALSE, NULL_PTR, &slot_count);
281 281 if (rv != CKR_OK) {
282 282 cryptodebug("failed to get the slotlist from %s.", libname);
283 283 rc = FAILURE;
284 284 goto clean_exit;
285 285 } else if (slot_count == 0) {
286 286 if (!no_warn)
287 287 (void) printf(gettext("%s: no slots presented.\n"),
288 - libname);
288 + libname);
289 289 rc = SUCCESS;
290 290 goto clean_exit;
291 291 }
292 292
293 293 /* Allocate memory for the slot list */
294 294 prov_slots = malloc(slot_count * sizeof (CK_SLOT_ID));
295 295 if (prov_slots == NULL) {
296 296 cryptodebug("out of memory.");
297 297 rc = FAILURE;
298 298 goto clean_exit;
299 299 }
300 300
301 301 /* Get the slot list from provider */
302 302 rv = prov_funcs->C_GetSlotList(FALSE, prov_slots, &slot_count);
303 303 if (rv != CKR_OK) {
304 304 cryptodebug("failed to call C_GetSlotList() from %s.",
305 305 libname);
306 306 rc = FAILURE;
307 307 goto clean_exit;
308 308 }
309 309
310 310 if (verbose) {
311 311 (void) printf(gettext("Number of slots: %d\n"), slot_count);
312 312 }
313 313
314 314 /* Get the mechanism list for each slot */
315 315 for (i = 0; i < slot_count; i++) {
316 316 if (verbose)
317 317 /*
318 318 * TRANSLATION_NOTE:
319 319 * In some languages, the # symbol should be
320 320 * converted to "no", an "n" followed by a
321 321 * superscript "o"..
322 322 */
323 323 (void) printf(gettext("\nSlot #%d\n"), i+1);
324 324
325 325 if ((rng_flag != NULL) && (*rng_flag == NO_RNG)) {
326 326 if (check_random(prov_slots[i], prov_funcs)) {
327 327 *rng_flag = HAS_RNG;
328 328 rc = SUCCESS;
329 329 goto clean_exit;
330 330 } else
331 331 continue;
332 332 }
333 333
|
↓ open down ↓ |
35 lines elided |
↑ open up ↑ |
334 334 rv = prov_funcs->C_GetSlotInfo(prov_slots[i], &slotinfo);
335 335 if (rv != CKR_OK) {
336 336 cryptodebug("failed to get slotinfo from %s", libname);
337 337 rc = FAILURE;
338 338 break;
339 339 }
340 340 if (verbose) {
341 341 CK_TOKEN_INFO tokeninfo;
342 342
343 343 (void) printf(gettext("Description: %.64s\n"
344 - "Manufacturer: %.32s\n"
345 - "PKCS#11 Version: %d.%d\n"),
346 - slotinfo.slotDescription,
347 - slotinfo.manufacturerID,
348 - prov_funcs->version.major,
349 - prov_funcs->version.minor);
344 + "Manufacturer: %.32s\n"
345 + "PKCS#11 Version: %d.%d\n"),
346 + slotinfo.slotDescription,
347 + slotinfo.manufacturerID,
348 + prov_funcs->version.major,
349 + prov_funcs->version.minor);
350 350
351 351 (void) printf(gettext("Hardware Version: %d.%d\n"
352 - "Firmware Version: %d.%d\n"),
353 - slotinfo.hardwareVersion.major,
354 - slotinfo.hardwareVersion.minor,
355 - slotinfo.firmwareVersion.major,
356 - slotinfo.firmwareVersion.minor);
352 + "Firmware Version: %d.%d\n"),
353 + slotinfo.hardwareVersion.major,
354 + slotinfo.hardwareVersion.minor,
355 + slotinfo.firmwareVersion.major,
356 + slotinfo.firmwareVersion.minor);
357 357
358 358 (void) printf(gettext("Token Present: %s\n"),
359 - (slotinfo.flags & CKF_TOKEN_PRESENT ?
360 - gettext("True") : gettext("False")));
359 + (slotinfo.flags & CKF_TOKEN_PRESENT ?
360 + gettext("True") : gettext("False")));
361 361
362 362 display_slot_flags(slotinfo.flags);
363 363
364 364 rv = prov_funcs->C_GetTokenInfo(prov_slots[i],
365 - &tokeninfo);
365 + &tokeninfo);
366 366 if (rv != CKR_OK) {
367 367 cryptodebug("Failed to get "
368 - "token info from %s", libname);
368 + "token info from %s", libname);
369 369 rc = FAILURE;
370 370 break;
371 371 }
372 372
373 373 (void) printf(gettext("Token Label: %.32s\n"
374 - "Manufacturer ID: %.32s\n"
375 - "Model: %.16s\n"
376 - "Serial Number: %.16s\n"
377 - "Hardware Version: %d.%d\n"
378 - "Firmware Version: %d.%d\n"
379 - "UTC Time: %.16s\n"
380 - "PIN Length: %d-%d\n"),
381 - tokeninfo.label,
382 - tokeninfo.manufacturerID,
383 - tokeninfo.model,
384 - tokeninfo.serialNumber,
385 - tokeninfo.hardwareVersion.major,
386 - tokeninfo.hardwareVersion.minor,
387 - tokeninfo.firmwareVersion.major,
388 - tokeninfo.firmwareVersion.minor,
389 - tokeninfo.utcTime,
390 - tokeninfo.ulMinPinLen,
391 - tokeninfo.ulMaxPinLen);
374 + "Manufacturer ID: %.32s\n"
375 + "Model: %.16s\n"
376 + "Serial Number: %.16s\n"
377 + "Hardware Version: %d.%d\n"
378 + "Firmware Version: %d.%d\n"
379 + "UTC Time: %.16s\n"
380 + "PIN Length: %d-%d\n"),
381 + tokeninfo.label,
382 + tokeninfo.manufacturerID,
383 + tokeninfo.model,
384 + tokeninfo.serialNumber,
385 + tokeninfo.hardwareVersion.major,
386 + tokeninfo.hardwareVersion.minor,
387 + tokeninfo.firmwareVersion.major,
388 + tokeninfo.firmwareVersion.minor,
389 + tokeninfo.utcTime,
390 + tokeninfo.ulMinPinLen,
391 + tokeninfo.ulMaxPinLen);
392 392
393 393 display_token_flags(tokeninfo.flags);
394 394 }
395 395
396 396 if (mlist == NULL) {
397 397 rv = prov_funcs->C_GetMechanismList(prov_slots[i],
398 - NULL_PTR, &mech_count);
398 + NULL_PTR, &mech_count);
399 399 if (rv != CKR_OK) {
400 400 cryptodebug(
401 - "failed to call C_GetMechanismList() "
402 - "from %s.", libname);
401 + "failed to call C_GetMechanismList() "
402 + "from %s.", libname);
403 403 rc = FAILURE;
404 404 break;
405 405 }
406 406
407 407 if (mech_count == 0) {
408 408 /* no mechanisms in this slot */
409 409 continue;
410 410 }
411 411
412 412 pmech_list = malloc(mech_count *
413 - sizeof (CK_MECHANISM_TYPE));
413 + sizeof (CK_MECHANISM_TYPE));
414 414 if (pmech_list == NULL) {
415 415 cryptodebug("out of memory");
416 416 rc = FAILURE;
417 417 break;
418 418 }
419 419
420 420 /* Get the actual mechanism list */
421 421 rv = prov_funcs->C_GetMechanismList(prov_slots[i],
422 - pmech_list, &mech_count);
422 + pmech_list, &mech_count);
423 423 if (rv != CKR_OK) {
424 424 cryptodebug(
425 - "failed to call C_GetMechanismList() "
426 - "from %s.", libname);
425 + "failed to call C_GetMechanismList() "
426 + "from %s.", libname);
427 427 (void) free(pmech_list);
428 428 rc = FAILURE;
429 429 break;
430 430 }
431 431 } else {
432 432 /* use the mechanism list passed in */
433 433 rc = convert_mechlist(&pmech_list, &mech_count, mlist);
434 434 if (rc != SUCCESS) {
435 435 goto clean_exit;
436 436 }
437 437 }
438 438 if (show_mechs)
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
439 439 (void) printf(gettext("Mechanisms:\n"));
440 440
441 441 if (verbose && show_mechs) {
442 442 display_verbose_mech_header();
443 443 }
444 444 /*
445 445 * Merge the current mechanism list into the returning
446 446 * mechanism list.
447 447 */
448 448 for (j = 0; show_mechs && j < mech_count; j++) {
449 - mech_name = pkcs11_mech2str(pmech_list[j]);
450 - (void) printf("%-29s", mech_name);
449 + CK_MECHANISM_TYPE mech = pmech_list[j];
450 +
451 + if (mech > CKM_VENDOR_DEFINED) {
452 + (void) printf("%#lx", mech);
453 + } else {
454 + mech_name = pkcs11_mech2str(mech);
455 + (void) printf("%-29s", mech_name);
456 + }
457 +
451 458 if (verbose) {
452 459 CK_MECHANISM_INFO mech_info;
453 460 rv = prov_funcs->C_GetMechanismInfo(
454 - prov_slots[i], pmech_list[j], &mech_info);
461 + prov_slots[i], mech, &mech_info);
455 462 if (rv != CKR_OK) {
456 463 cryptodebug(
457 464 "failed to call "
458 465 "C_GetMechanismInfo() from %s.",
459 466 libname);
460 467 (void) free(pmech_list);
461 468 rc = FAILURE;
462 469 break;
463 470 }
464 471 display_mech_info(&mech_info);
465 472 }
466 473 (void) printf("\n");
467 474 }
468 475 (void) free(pmech_list);
469 476 if (rc == FAILURE) {
470 477 break;
471 478 }
472 479 }
473 480
474 481 if (rng_flag != NULL || rc == FAILURE) {
475 482 goto clean_exit;
476 483 }
477 484
478 485 clean_exit:
479 486
480 487 if (rc == FAILURE) {
481 488 (void) printf(gettext(
482 489 "%s: failed to retrieve the mechanism list.\n"), libname);
483 490 }
484 491
485 492 if (lib_initialized) {
486 493 (void) prov_funcs->C_Finalize(NULL_PTR);
487 494 }
488 495
489 496 if (dldesc != NULL) {
490 497 (void) dlclose(dldesc);
491 498 }
492 499
493 500 if (prov_slots != NULL) {
494 501 (void) free(prov_slots);
495 502 }
496 503
497 504 return (rc);
498 505 }
499 506
500 507
501 508 /*
502 509 * Display the mechanism policy for a user-level library
503 510 */
504 511 int
505 512 list_policy_for_lib(char *libname)
506 513 {
507 514 uentry_t *puent = NULL;
508 515 int rc;
509 516
510 517 if (libname == NULL) {
511 518 /* should not happen */
512 519 cryptoerror(LOG_STDERR, gettext("internal error."));
513 520 cryptodebug("list_policy_for_lib() - libname is NULL.");
514 521 return (FAILURE);
515 522 }
516 523
517 524 /* Get the library entry from the pkcs11.conf file */
518 525 if ((puent = getent_uef(libname)) == NULL) {
519 526 cryptoerror(LOG_STDERR,
520 527 gettext("%s does not exist."), libname);
521 528 return (FAILURE);
522 529 }
523 530
524 531 /* Print the policy for this library */
525 532 rc = print_uef_policy(puent);
526 533 free_uentry(puent);
527 534
528 535 return (rc);
529 536 }
530 537
531 538
532 539 /*
533 540 * Disable mechanisms for a user-level library
534 541 */
535 542 int
536 543 disable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
537 544 mechlist_t *marglist)
538 545 {
539 546 uentry_t *puent;
540 547 int rc;
541 548
542 549 if (libname == NULL) {
543 550 /* should not happen */
544 551 cryptoerror(LOG_STDERR, gettext("internal error."));
545 552 cryptodebug("disable_uef_lib() - libname is NULL.");
546 553 return (FAILURE);
547 554 }
548 555
549 556 /* Get the provider entry from the pkcs11.conf file */
550 557 if ((puent = getent_uef(libname)) == NULL) {
551 558 cryptoerror(LOG_STDERR,
552 559 gettext("%s does not exist."), libname);
553 560 return (FAILURE);
554 561 }
555 562
556 563 /*
557 564 * Update the mechanism policy of this library entry, based on
558 565 * the current policy mode of the library and the mechanisms specified
559 566 * in CLI.
560 567 */
561 568 if (allflag) {
562 569 /*
563 570 * If disabling all, just need to clean up the policylist and
564 571 * set the flag_enabledlist flag to be B_TRUE.
565 572 */
566 573 free_umechlist(puent->policylist);
567 574 puent->policylist = NULL;
568 575 puent->count = 0;
569 576 puent->flag_enabledlist = B_TRUE;
570 577 rc = SUCCESS;
571 578 } else if (marglist != NULL) {
572 579 if (puent->flag_enabledlist == B_TRUE) {
573 580 /*
574 581 * The current default policy mode of this library
575 582 * is "all are disabled, except ...", so if a
576 583 * specified mechanism is in the exception list
577 584 * (the policylist), delete it from the policylist.
578 585 */
579 586 rc = update_policylist(puent, marglist, DELETE_MODE);
580 587 } else {
581 588 /*
582 589 * The current default policy mode of this library
583 590 * is "all are enabled", so if a specified mechanism
584 591 * is not in the exception list (policylist), add
585 592 * it into the policylist.
586 593 */
587 594 rc = update_policylist(puent, marglist, ADD_MODE);
588 595 }
589 596 } else if (!rndflag) {
590 597 /* should not happen */
591 598 cryptoerror(LOG_STDERR, gettext("internal error."));
592 599 cryptodebug("disable_uef_lib() - wrong arguments.");
593 600 return (FAILURE);
594 601 }
595 602
596 603 if (rndflag)
597 604 puent->flag_norandom = B_TRUE;
598 605
599 606 if (rc == FAILURE) {
600 607 free_uentry(puent);
601 608 return (FAILURE);
602 609 }
603 610
604 611 /* Update the pkcs11.conf file with the updated entry */
605 612 rc = update_pkcs11conf(puent);
606 613 free_uentry(puent);
607 614 return (rc);
608 615 }
609 616
610 617
611 618 /*
612 619 * Enable disabled mechanisms for a user-level library.
613 620 */
614 621 int
615 622 enable_uef_lib(char *libname, boolean_t rndflag, boolean_t allflag,
616 623 mechlist_t *marglist)
617 624 {
618 625 uentry_t *puent;
619 626 int rc = SUCCESS;
620 627
621 628 if (libname == NULL) {
622 629 /* should not happen */
623 630 cryptoerror(LOG_STDERR, gettext("internal error."));
624 631 cryptodebug("enable_uef_lib() - libname is NULL.");
625 632 return (FAILURE);
626 633 }
627 634
628 635 /* Get the provider entry from the pkcs11.conf file */
629 636 if ((puent = getent_uef(libname)) == NULL) {
630 637 cryptoerror(LOG_STDERR,
631 638 gettext("%s does not exist."), libname);
632 639 return (FAILURE);
633 640 }
634 641
635 642 /*
636 643 * Update the mechanism policy of this library entry, based on
637 644 * the current policy mode of the library and the mechanisms
638 645 * specified in CLI.
639 646 */
640 647 if (allflag) {
641 648 /*
642 649 * If enabling all, what needs to be done are cleaning up the
643 650 * policylist and setting the "flag_enabledlist" flag to
644 651 * B_FALSE.
645 652 */
646 653 free_umechlist(puent->policylist);
647 654 puent->policylist = NULL;
648 655 puent->count = 0;
649 656 puent->flag_enabledlist = B_FALSE;
650 657 rc = SUCCESS;
651 658 } else if (marglist != NULL) {
652 659 if (puent->flag_enabledlist == B_TRUE) {
653 660 /*
654 661 * The current default policy mode of this library
655 662 * is "all are disabled, except ...", so if a
656 663 * specified mechanism is not in the exception list
657 664 * (policylist), add it.
658 665 */
659 666 rc = update_policylist(puent, marglist, ADD_MODE);
660 667 } else {
661 668 /*
662 669 * The current default policy mode of this library
663 670 * is "all are enabled, except", so if a specified
664 671 * mechanism is in the exception list (policylist),
665 672 * delete it.
666 673 */
667 674 rc = update_policylist(puent, marglist, DELETE_MODE);
668 675 }
669 676 } else if (!rndflag) {
670 677 /* should not come here */
671 678 cryptoerror(LOG_STDERR, gettext("internal error."));
672 679 cryptodebug("enable_uef_lib() - wrong arguments.");
673 680 return (FAILURE);
674 681 }
675 682
676 683 if (rndflag)
677 684 puent->flag_norandom = B_FALSE;
678 685
679 686 if (rc == FAILURE) {
680 687 free_uentry(puent);
681 688 return (FAILURE);
682 689 }
683 690
684 691 /* Update the pkcs11.conf file with the updated entry */
685 692 rc = update_pkcs11conf(puent);
686 693 free_uentry(puent);
687 694 return (rc);
688 695 }
689 696
690 697
691 698 /*
692 699 * Install a user-level library.
693 700 */
694 701 int
695 702 install_uef_lib(char *libname)
696 703 {
697 704 uentry_t *puent;
698 705 struct stat statbuf;
699 706 boolean_t found;
700 707 FILE *pfile;
701 708 FILE *pfile_tmp;
702 709 char tmpfile_name[MAXPATHLEN];
703 710 char libpath[MAXPATHLEN];
704 711 char libbuf[MAXPATHLEN];
705 712 char *isa;
706 713 char buffer[BUFSIZ];
707 714 char *ptr;
708 715 int found_count;
709 716 int rc = SUCCESS;
710 717
711 718
712 719 if (libname == NULL) {
713 720 /* should not happen */
714 721 cryptoerror(LOG_STDERR, gettext("internal error."));
715 722 cryptodebug("install_uef_lib() - libname is NULL.");
716 723 return (FAILURE);
717 724 }
718 725
719 726 /* Check if the provider already exists in the framework */
720 727 if ((puent = getent_uef(libname)) != NULL) {
721 728 cryptoerror(LOG_STDERR, gettext("%s exists already."),
722 729 libname);
723 730 free_uentry(puent);
724 731 return (FAILURE);
725 732 }
726 733
727 734 /*
728 735 * Check if the library exists in the system. if $ISA is in the
729 736 * path, only check the 32bit version.
730 737 */
731 738 if (strlcpy(libbuf, libname, MAXPATHLEN) >= MAXPATHLEN) {
732 739 cryptoerror(LOG_STDERR,
733 740 gettext("the provider name is too long - %s"), libname);
734 741 return (FAILURE);
735 742 }
736 743
737 744 if ((isa = strstr(libbuf, PKCS11_ISA)) != NULL) {
738 745 *isa = '\000';
739 746 isa += strlen(PKCS11_ISA);
740 747 (void) snprintf(libpath, sizeof (libpath), "%s%s%s", libbuf,
741 748 "/", isa);
742 749 } else {
743 750 (void) strlcpy(libpath, libname, sizeof (libpath));
744 751 }
745 752
746 753 /* Check if it is same as the framework library */
747 754 if (strcmp(libpath, UEF_FRAME_LIB) == 0) {
748 755 cryptoerror(LOG_STDERR, gettext(
749 756 "The framework library %s can not be installed."),
750 757 libname);
751 758 return (FAILURE);
752 759 }
753 760
754 761 if (stat(libpath, &statbuf) != 0) {
755 762 cryptoerror(LOG_STDERR, gettext("%s not found"), libname);
756 763 return (FAILURE);
757 764 }
758 765
759 766 /* Need to add "\n" to libname for adding into the config file */
760 767 if (strlcat(libname, "\n", MAXPATHLEN) >= MAXPATHLEN) {
761 768 cryptoerror(LOG_STDERR, gettext(
762 769 "can not install %s; the name is too long."), libname);
763 770 return (FAILURE);
764 771 }
765 772
766 773 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
767 774 err = errno;
768 775 cryptoerror(LOG_STDERR,
769 776 gettext("failed to update the configuration - %s"),
770 777 strerror(err));
771 778 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
772 779 return (FAILURE);
773 780 }
774 781
775 782 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
776 783 err = errno;
777 784 cryptoerror(LOG_STDERR,
778 785 gettext("failed to lock the configuration - %s"),
779 786 strerror(err));
780 787 (void) fclose(pfile);
781 788 return (FAILURE);
782 789 }
783 790
784 791 /*
785 792 * Create a temporary file in the /etc/crypto directory.
786 793 */
787 794 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
788 795 if (mkstemp(tmpfile_name) == -1) {
789 796 err = errno;
790 797 cryptoerror(LOG_STDERR,
791 798 gettext("failed to create a temporary file - %s"),
792 799 strerror(err));
793 800 (void) fclose(pfile);
794 801 return (FAILURE);
795 802 }
796 803
797 804 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
798 805 err = errno;
799 806 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
800 807 tmpfile_name, strerror(err));
801 808 (void) fclose(pfile);
802 809 return (FAILURE);
803 810 }
804 811
805 812 /*
806 813 * Loop thru the config file. If the file was reserved within a
807 814 * package bracket, just uncomment it. Other wise, append it at
808 815 * the end. The resulting file will be saved in the temp file first.
809 816 */
810 817 found_count = 0;
811 818 rc = SUCCESS;
812 819 while (fgets(buffer, BUFSIZ, pfile) != NULL) {
813 820 found = B_FALSE;
814 821 if (buffer[0] == '#') {
815 822 ptr = buffer;
816 823 ptr++;
817 824 if (strcmp(libname, ptr) == 0) {
818 825 found = B_TRUE;
819 826 found_count++;
820 827 }
821 828 }
822 829
823 830 if (found == B_FALSE) {
824 831 if (fputs(buffer, pfile_tmp) == EOF) {
825 832 rc = FAILURE;
826 833 }
827 834 } else {
828 835 if (found_count == 1) {
829 836 if (fputs(ptr, pfile_tmp) == EOF) {
830 837 rc = FAILURE;
831 838 }
832 839 } else {
833 840 /*
834 841 * Found a second entry with #libname.
835 842 * Should not happen. The pkcs11.conf file
836 843 * is corrupted. Give a warning and skip
837 844 * this entry.
838 845 */
839 846 cryptoerror(LOG_STDERR, gettext(
840 847 "(Warning) Found an additional reserved "
841 848 "entry for %s."), libname);
842 849 }
843 850 }
844 851
845 852 if (rc == FAILURE) {
846 853 break;
847 854 }
848 855 }
849 856
850 857 if (rc == FAILURE) {
851 858 cryptoerror(LOG_STDERR, gettext("write error."));
852 859 (void) fclose(pfile);
853 860 (void) fclose(pfile_tmp);
854 861 if (unlink(tmpfile_name) != 0) {
855 862 err = errno;
856 863 cryptoerror(LOG_STDERR, gettext(
857 864 "(Warning) failed to remove %s: %s"), tmpfile_name,
858 865 strerror(err));
859 866 }
860 867 return (FAILURE);
861 868 }
862 869
863 870 if (found_count == 0) {
864 871 /*
865 872 * This libname was not in package before, append it to the
866 873 * end of the temp file.
867 874 */
868 875 if (fputs(libname, pfile_tmp) == EOF) {
869 876 err = errno;
870 877 cryptoerror(LOG_STDERR, gettext(
871 878 "failed to write to %s: %s"), tmpfile_name,
872 879 strerror(err));
873 880 (void) fclose(pfile);
874 881 (void) fclose(pfile_tmp);
875 882 if (unlink(tmpfile_name) != 0) {
876 883 err = errno;
877 884 cryptoerror(LOG_STDERR, gettext(
878 885 "(Warning) failed to remove %s: %s"),
879 886 tmpfile_name, strerror(err));
880 887 }
881 888 return (FAILURE);
882 889 }
883 890 }
884 891
885 892 (void) fclose(pfile);
886 893 if (fclose(pfile_tmp) != 0) {
887 894 err = errno;
888 895 cryptoerror(LOG_STDERR,
889 896 gettext("failed to close %s: %s"), tmpfile_name,
890 897 strerror(err));
891 898 return (FAILURE);
892 899 }
893 900
894 901 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
895 902 err = errno;
896 903 cryptoerror(LOG_STDERR,
897 904 gettext("failed to update the configuration - %s"),
898 905 strerror(err));
899 906 cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
900 907 _PATH_PKCS11_CONF, strerror(err));
901 908 rc = FAILURE;
902 909 } else if (chmod(_PATH_PKCS11_CONF,
903 910 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
904 911 err = errno;
905 912 cryptoerror(LOG_STDERR,
906 913 gettext("failed to update the configuration - %s"),
907 914 strerror(err));
908 915 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
909 916 strerror(err));
910 917 rc = FAILURE;
911 918 } else {
912 919 rc = SUCCESS;
913 920 }
914 921
915 922 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
916 923 err = errno;
917 924 cryptoerror(LOG_STDERR, gettext(
918 925 "(Warning) failed to remove %s: %s"), tmpfile_name,
919 926 strerror(err));
920 927 }
921 928
922 929 return (rc);
923 930 }
924 931
925 932
926 933 /*
927 934 * Uninstall a user-level library.
928 935 */
929 936 int
930 937 uninstall_uef_lib(char *libname)
931 938 {
932 939 uentry_t *puent;
933 940 FILE *pfile;
934 941 FILE *pfile_tmp;
935 942 char buffer[BUFSIZ];
936 943 char buffer2[BUFSIZ];
937 944 char tmpfile_name[MAXPATHLEN];
938 945 char *name;
939 946 boolean_t found;
940 947 boolean_t in_package;
941 948 int len;
942 949 int rc = SUCCESS;
943 950
944 951 if (libname == NULL) {
945 952 /* should not happen */
946 953 cryptoerror(LOG_STDERR, gettext("internal error."));
947 954 cryptodebug("uninstall_uef_lib() - libname is NULL.");
948 955 return (FAILURE);
949 956 }
950 957
951 958 /* Check if the provider exists */
952 959 if ((puent = getent_uef(libname)) == NULL) {
953 960 cryptoerror(LOG_STDERR,
954 961 gettext("%s does not exist."), libname);
955 962 return (FAILURE);
956 963 }
957 964 free_uentry(puent);
958 965
959 966 /* Open the pkcs11.conf file and lock it */
960 967 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
961 968 err = errno;
962 969 cryptoerror(LOG_STDERR,
963 970 gettext("failed to update the configuration - %s"),
964 971 strerror(err));
965 972 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
966 973 return (FAILURE);
967 974 }
968 975
969 976 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
970 977 err = errno;
971 978 cryptoerror(LOG_STDERR,
972 979 gettext("failed to lock the configuration - %s"),
973 980 strerror(err));
974 981 (void) fclose(pfile);
975 982 return (FAILURE);
976 983 }
977 984
978 985 /*
979 986 * Create a temporary file in the /etc/crypto directory to save
980 987 * the new configuration file first.
981 988 */
982 989 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
983 990 if (mkstemp(tmpfile_name) == -1) {
984 991 err = errno;
985 992 cryptoerror(LOG_STDERR,
986 993 gettext("failed to create a temporary file - %s"),
987 994 strerror(err));
988 995 (void) fclose(pfile);
989 996 return (FAILURE);
990 997 }
991 998
992 999 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
993 1000 err = errno;
994 1001 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
995 1002 tmpfile_name, strerror(err));
996 1003 if (unlink(tmpfile_name) != 0) {
997 1004 err = errno;
998 1005 cryptoerror(LOG_STDERR, gettext(
999 1006 "(Warning) failed to remove %s: %s"),
1000 1007 tmpfile_name, strerror(err));
1001 1008 }
1002 1009 (void) fclose(pfile);
1003 1010 return (FAILURE);
1004 1011 }
1005 1012
1006 1013
1007 1014 /*
1008 1015 * Loop thru the config file. If the library to be uninstalled
1009 1016 * is in a package, just comment it off.
1010 1017 */
1011 1018 in_package = B_FALSE;
1012 1019 while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1013 1020 found = B_FALSE;
1014 1021 if (!(buffer[0] == ' ' || buffer[0] == '\n' ||
1015 1022 buffer[0] == '\t')) {
1016 1023 if (strstr(buffer, " Start ") != NULL) {
1017 1024 in_package = B_TRUE;
1018 1025 } else if (strstr(buffer, " End ") != NULL) {
1019 1026 in_package = B_FALSE;
1020 1027 } else if (buffer[0] != '#') {
1021 1028 (void) strlcpy(buffer2, buffer, BUFSIZ);
1022 1029
1023 1030 /* get rid of trailing '\n' */
1024 1031 len = strlen(buffer2);
1025 1032 if (buffer2[len-1] == '\n') {
1026 1033 len--;
1027 1034 }
1028 1035 buffer2[len] = '\0';
1029 1036
1030 1037 if ((name = strtok(buffer2, SEP_COLON))
1031 1038 == NULL) {
1032 1039 rc = FAILURE;
1033 1040 break;
1034 1041 } else if (strcmp(libname, name) == 0) {
1035 1042 found = B_TRUE;
1036 1043 }
1037 1044 }
1038 1045 }
1039 1046
1040 1047 if (found) {
1041 1048 if (in_package) {
1042 1049 (void) snprintf(buffer2, sizeof (buffer2),
1043 1050 "%s%s%s", "#", libname, "\n");
1044 1051 if (fputs(buffer2, pfile_tmp) == EOF) {
1045 1052 rc = FAILURE;
1046 1053 }
1047 1054 }
1048 1055 } else {
1049 1056 if (fputs(buffer, pfile_tmp) == EOF) {
1050 1057 rc = FAILURE;
1051 1058 }
1052 1059 }
1053 1060
1054 1061 if (rc == FAILURE) {
1055 1062 break;
1056 1063 }
1057 1064 }
1058 1065
1059 1066 if (rc == FAILURE) {
1060 1067 cryptoerror(LOG_STDERR, gettext("write error."));
1061 1068 (void) fclose(pfile);
1062 1069 (void) fclose(pfile_tmp);
1063 1070 if (unlink(tmpfile_name) != 0) {
1064 1071 err = errno;
1065 1072 cryptoerror(LOG_STDERR, gettext(
1066 1073 "(Warning) failed to remove %s: %s"),
1067 1074 tmpfile_name, strerror(err));
1068 1075 }
1069 1076 return (FAILURE);
1070 1077 }
1071 1078
1072 1079 (void) fclose(pfile);
1073 1080 if (fclose(pfile_tmp) != 0) {
1074 1081 err = errno;
1075 1082 cryptoerror(LOG_STDERR,
1076 1083 gettext("failed to close a temporary file - %s"),
1077 1084 strerror(err));
1078 1085 return (FAILURE);
1079 1086 }
1080 1087
1081 1088 /* Now update the real config file */
1082 1089 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1083 1090 err = errno;
1084 1091 cryptoerror(LOG_STDERR,
1085 1092 gettext("failed to update the configuration - %s"),
1086 1093 strerror(err));
1087 1094 cryptodebug("failed to rename %s to %s: %s", tmpfile,
1088 1095 _PATH_PKCS11_CONF, strerror(err));
1089 1096 rc = FAILURE;
1090 1097 } else if (chmod(_PATH_PKCS11_CONF,
1091 1098 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1092 1099 err = errno;
1093 1100 cryptoerror(LOG_STDERR,
1094 1101 gettext("failed to update the configuration - %s"),
1095 1102 strerror(err));
1096 1103 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1097 1104 strerror(err));
1098 1105 rc = FAILURE;
1099 1106 } else {
1100 1107 rc = SUCCESS;
1101 1108 }
1102 1109
1103 1110 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1104 1111 err = errno;
1105 1112 cryptoerror(LOG_STDERR, gettext(
1106 1113 "(Warning) failed to remove %s: %s"),
|
↓ open down ↓ |
642 lines elided |
↑ open up ↑ |
1107 1114 tmpfile_name, strerror(err));
1108 1115 }
1109 1116
1110 1117 return (rc);
1111 1118 }
1112 1119
1113 1120
1114 1121 int
1115 1122 display_policy(uentry_t *puent)
1116 1123 {
1117 - CK_MECHANISM_TYPE mech_id;
1118 - char *mech_name;
1119 - umechlist_t *ptr;
1124 + CK_MECHANISM_TYPE mech_id;
1125 + const char *mech_name;
1126 + umechlist_t *ptr;
1120 1127
1121 1128 if (puent == NULL) {
1122 1129 return (SUCCESS);
1123 1130 }
1124 1131
1125 1132 if (puent->flag_enabledlist == B_FALSE) {
1126 1133 (void) printf(gettext("%s: all mechanisms are enabled"),
1127 1134 puent->name);
1128 1135 ptr = puent->policylist;
1129 1136 if (ptr == NULL) {
1130 1137 (void) printf(".");
1131 1138 } else {
1132 1139 (void) printf(gettext(", except "));
1133 1140 while (ptr != NULL) {
1134 1141 mech_id = strtoul(ptr->name, NULL, 0);
1135 1142 if (mech_id & CKO_VENDOR_DEFINED) {
1136 1143 /* vendor defined mechanism */
1137 1144 (void) printf("%s", ptr->name);
1138 1145 } else {
1139 - mech_name = pkcs11_mech2str(mech_id);
1140 - if (mech_name == NULL) {
1141 - return (FAILURE);
1146 + if (mech_id > CKM_VENDOR_DEFINED) {
1147 + (void) printf("%#lx", mech_id);
1148 + } else {
1149 + mech_name = pkcs11_mech2str(
1150 + mech_id);
1151 + if (mech_name == NULL) {
1152 + return (FAILURE);
1153 + }
1154 + (void) printf("%s", mech_name);
1142 1155 }
1143 - (void) printf("%s", mech_name);
1144 - free(mech_name);
1145 1156 }
1146 1157
1147 1158 ptr = ptr->next;
1148 1159 if (ptr == NULL) {
1149 1160 (void) printf(".");
1150 1161 } else {
1151 1162 (void) printf(",");
1152 1163 }
1153 1164 }
1154 1165 }
1155 1166 } else { /* puent->flag_enabledlist == B_TRUE */
1156 1167 (void) printf(gettext("%s: all mechanisms are disabled"),
1157 1168 puent->name);
1158 1169 ptr = puent->policylist;
1159 1170 if (ptr == NULL) {
1160 1171 (void) printf(".");
1161 1172 } else {
1162 1173 (void) printf(gettext(", except "));
1163 1174 while (ptr != NULL) {
|
↓ open down ↓ |
9 lines elided |
↑ open up ↑ |
1164 1175 mech_id = strtoul(ptr->name, NULL, 0);
1165 1176 if (mech_id & CKO_VENDOR_DEFINED) {
1166 1177 /* vendor defined mechanism */
1167 1178 (void) printf("%s", ptr->name);
1168 1179 } else {
1169 1180 mech_name = pkcs11_mech2str(mech_id);
1170 1181 if (mech_name == NULL) {
1171 1182 return (FAILURE);
1172 1183 }
1173 1184 (void) printf("%s", mech_name);
1174 - free(mech_name);
1175 1185 }
1176 1186 ptr = ptr->next;
1177 1187 if (ptr == NULL) {
1178 1188 (void) printf(".");
1179 1189 } else {
1180 1190 (void) printf(",");
1181 1191 }
1182 1192 }
1183 1193 }
1184 1194 }
1185 1195 return (SUCCESS);
1186 1196 }
1187 1197
1188 1198
1189 1199
1190 1200 /*
1191 1201 * Print out the mechanism policy for a user-level provider pointed by puent.
1192 1202 */
1193 1203 int
|
↓ open down ↓ |
9 lines elided |
↑ open up ↑ |
1194 1204 print_uef_policy(uentry_t *puent)
1195 1205 {
1196 1206 flag_val_t rng_flag;
1197 1207
1198 1208 if (puent == NULL) {
1199 1209 return (FAILURE);
1200 1210 }
1201 1211
1202 1212 rng_flag = NO_RNG;
1203 1213 if (list_mechlist_for_lib(puent->name, NULL, &rng_flag, B_TRUE,
1204 - B_FALSE, B_FALSE) != SUCCESS) {
1214 + B_FALSE, B_FALSE) != SUCCESS) {
1205 1215 cryptoerror(LOG_STDERR,
1206 1216 gettext("%s internal error."), puent->name);
1207 1217 return (FAILURE);
1208 1218 }
1209 1219
1210 1220 if (display_policy(puent) != SUCCESS) {
1211 1221 goto failed_exit;
1212 1222 }
1213 1223
1214 1224
1215 1225 if (puent->flag_norandom == B_TRUE)
1216 1226 /*
1217 1227 * TRANSLATION_NOTE:
1218 1228 * "random" is a keyword and not to be translated.
1219 1229 */
1220 1230 (void) printf(gettext(" %s is disabled."), "random");
1221 1231 else {
1222 1232 if (rng_flag == HAS_RNG)
1223 1233 /*
1224 1234 * TRANSLATION_NOTE:
1225 1235 * "random" is a keyword and not to be translated.
1226 1236 */
1227 1237 (void) printf(gettext(" %s is enabled."), "random");
1228 1238 }
1229 1239 (void) printf("\n");
1230 1240
1231 1241 return (SUCCESS);
1232 1242
1233 1243 failed_exit:
1234 1244
1235 1245 (void) printf(gettext("\nout of memory.\n"));
1236 1246 return (FAILURE);
1237 1247 }
1238 1248
1239 1249
1240 1250 /*
1241 1251 * Check if the mechanism is in the mechanism list.
1242 1252 */
1243 1253 static boolean_t
1244 1254 is_in_policylist(midstr_t mechname, umechlist_t *plist)
1245 1255 {
1246 1256 boolean_t found = B_FALSE;
1247 1257
1248 1258 if (mechname == NULL) {
1249 1259 return (B_FALSE);
1250 1260 }
1251 1261
1252 1262 while (plist != NULL) {
1253 1263 if (strcmp(plist->name, mechname) == 0) {
1254 1264 found = B_TRUE;
1255 1265 break;
1256 1266 }
1257 1267 plist = plist->next;
1258 1268 }
1259 1269
1260 1270 return (found);
1261 1271 }
1262 1272
1263 1273
1264 1274 /*
1265 1275 * Update the pkcs11.conf file with the updated entry.
1266 1276 */
1267 1277 int
1268 1278 update_pkcs11conf(uentry_t *puent)
1269 1279 {
1270 1280 FILE *pfile;
1271 1281 FILE *pfile_tmp;
1272 1282 char buffer[BUFSIZ];
1273 1283 char buffer2[BUFSIZ];
1274 1284 char tmpfile_name[MAXPATHLEN];
1275 1285 char *name;
1276 1286 char *str;
1277 1287 int len;
1278 1288 int rc = SUCCESS;
1279 1289 boolean_t found;
1280 1290
1281 1291 if (puent == NULL) {
1282 1292 cryptoerror(LOG_STDERR, gettext("internal error."));
1283 1293 return (FAILURE);
1284 1294 }
1285 1295
1286 1296 /* Open the pkcs11.conf file */
1287 1297 if ((pfile = fopen(_PATH_PKCS11_CONF, "r+")) == NULL) {
1288 1298 err = errno;
1289 1299 cryptoerror(LOG_STDERR,
1290 1300 gettext("failed to update the configuration - %s"),
|
↓ open down ↓ |
76 lines elided |
↑ open up ↑ |
1291 1301 strerror(err));
1292 1302 cryptodebug("failed to open %s for write.", _PATH_PKCS11_CONF);
1293 1303 return (FAILURE);
1294 1304 }
1295 1305
1296 1306 /* Lock the pkcs11.conf file */
1297 1307 if (lockf(fileno(pfile), F_TLOCK, 0) == -1) {
1298 1308 err = errno;
1299 1309 cryptoerror(LOG_STDERR,
1300 1310 gettext("failed to update the configuration - %s"),
1301 - strerror(err));
1311 + strerror(err));
1302 1312 (void) fclose(pfile);
1303 1313 return (FAILURE);
1304 1314 }
1305 1315
1306 1316 /*
1307 1317 * Create a temporary file in the /etc/crypto directory to save
1308 1318 * updated configuration file first.
1309 1319 */
1310 1320 (void) strlcpy(tmpfile_name, TMPFILE_TEMPLATE, sizeof (tmpfile_name));
1311 1321 if (mkstemp(tmpfile_name) == -1) {
1312 1322 err = errno;
1313 1323 cryptoerror(LOG_STDERR,
1314 1324 gettext("failed to create a temporary file - %s"),
1315 1325 strerror(err));
1316 1326 (void) fclose(pfile);
1317 1327 return (FAILURE);
1318 1328 }
1319 1329
1320 1330 if ((pfile_tmp = fopen(tmpfile_name, "w")) == NULL) {
1321 1331 err = errno;
1322 1332 cryptoerror(LOG_STDERR, gettext("failed to open %s - %s"),
1323 1333 tmpfile_name, strerror(err));
1324 1334 if (unlink(tmpfile_name) != 0) {
1325 1335 err = errno;
1326 1336 cryptoerror(LOG_STDERR, gettext(
1327 1337 "(Warning) failed to remove %s: %s"),
1328 1338 tmpfile_name, strerror(err));
1329 1339 }
1330 1340 (void) fclose(pfile);
1331 1341 return (FAILURE);
1332 1342 }
1333 1343
1334 1344
1335 1345 /*
1336 1346 * Loop thru entire pkcs11.conf file, update the entry to be
1337 1347 * updated and save the updated file to the temporary file first.
1338 1348 */
1339 1349 while (fgets(buffer, BUFSIZ, pfile) != NULL) {
1340 1350 found = B_FALSE;
1341 1351 if (!(buffer[0] == '#' || buffer[0] == ' ' ||
1342 1352 buffer[0] == '\n'|| buffer[0] == '\t')) {
1343 1353 /*
1344 1354 * Get the provider name from this line and check if
1345 1355 * this is the entry to be updated. Note: can not use
1346 1356 * "buffer" directly because strtok will change its
1347 1357 * value.
1348 1358 */
1349 1359 (void) strlcpy(buffer2, buffer, BUFSIZ);
1350 1360
1351 1361 /* get rid of trailing '\n' */
1352 1362 len = strlen(buffer2);
1353 1363 if (buffer2[len-1] == '\n') {
1354 1364 len--;
1355 1365 }
1356 1366 buffer2[len] = '\0';
1357 1367
1358 1368 if ((name = strtok(buffer2, SEP_COLON)) == NULL) {
1359 1369 rc = FAILURE;
1360 1370 break;
1361 1371 } else if (strcmp(puent->name, name) == 0) {
1362 1372 found = B_TRUE;
1363 1373 }
1364 1374 }
1365 1375
1366 1376 if (found) {
1367 1377 /*
1368 1378 * This is the entry to be modified, get the updated
1369 1379 * string.
1370 1380 */
1371 1381 if ((str = uent2str(puent)) == NULL) {
1372 1382 rc = FAILURE;
1373 1383 break;
1374 1384 } else {
1375 1385 (void) strlcpy(buffer, str, BUFSIZ);
1376 1386 free(str);
1377 1387 }
1378 1388 }
1379 1389
1380 1390 if (fputs(buffer, pfile_tmp) == EOF) {
1381 1391 err = errno;
1382 1392 cryptoerror(LOG_STDERR, gettext(
1383 1393 "failed to write to a temp file: %s."),
1384 1394 strerror(err));
1385 1395 rc = FAILURE;
1386 1396 break;
1387 1397 }
1388 1398 }
1389 1399
1390 1400 if (rc == FAILURE) {
1391 1401 (void) fclose(pfile);
1392 1402 (void) fclose(pfile_tmp);
1393 1403 if (unlink(tmpfile_name) != 0) {
1394 1404 err = errno;
1395 1405 cryptoerror(LOG_STDERR, gettext(
1396 1406 "(Warning) failed to remove %s: %s"),
1397 1407 tmpfile_name, strerror(err));
1398 1408 }
1399 1409 return (FAILURE);
1400 1410 }
1401 1411
1402 1412 (void) fclose(pfile);
1403 1413 if (fclose(pfile_tmp) != 0) {
1404 1414 err = errno;
1405 1415 cryptoerror(LOG_STDERR,
1406 1416 gettext("failed to close %s: %s"), tmpfile_name,
1407 1417 strerror(err));
1408 1418 return (FAILURE);
1409 1419 }
1410 1420
1411 1421 /* Copy the temporary file to the pkcs11.conf file */
1412 1422 if (rename(tmpfile_name, _PATH_PKCS11_CONF) == -1) {
1413 1423 err = errno;
1414 1424 cryptoerror(LOG_STDERR,
1415 1425 gettext("failed to update the configuration - %s"),
1416 1426 strerror(err));
1417 1427 cryptodebug("failed to rename %s to %s: %s", tmpfile_name,
1418 1428 _PATH_PKCS11_CONF, strerror(err));
1419 1429 rc = FAILURE;
1420 1430 } else if (chmod(_PATH_PKCS11_CONF,
1421 1431 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
1422 1432 err = errno;
1423 1433 cryptoerror(LOG_STDERR,
1424 1434 gettext("failed to update the configuration - %s"),
1425 1435 strerror(err));
1426 1436 cryptodebug("failed to chmod to %s: %s", _PATH_PKCS11_CONF,
1427 1437 strerror(err));
1428 1438 rc = FAILURE;
1429 1439 } else {
1430 1440 rc = SUCCESS;
1431 1441 }
1432 1442
1433 1443 if ((rc == FAILURE) && (unlink(tmpfile_name) != 0)) {
1434 1444 err = errno;
1435 1445 cryptoerror(LOG_STDERR, gettext(
1436 1446 "(Warning) failed to remove %s: %s"),
1437 1447 tmpfile_name, strerror(err));
1438 1448 }
1439 1449
1440 1450 return (rc);
1441 1451 }
1442 1452
1443 1453
1444 1454 /*
1445 1455 * Convert an uentry to a character string
1446 1456 */
1447 1457 static char *
1448 1458 uent2str(uentry_t *puent)
1449 1459 {
1450 1460 umechlist_t *phead;
1451 1461 boolean_t tok1_present = B_FALSE;
1452 1462 char *buf;
1453 1463 char blank_buf[128];
1454 1464
1455 1465 if (puent == NULL) {
1456 1466 cryptoerror(LOG_STDERR, gettext("internal error."));
1457 1467 return (NULL);
1458 1468 }
1459 1469
1460 1470 buf = malloc(BUFSIZ);
1461 1471 if (buf == NULL) {
1462 1472 cryptoerror(LOG_STDERR, gettext("out of memory."));
1463 1473 return (NULL);
1464 1474 }
1465 1475
1466 1476 /* convert the library name */
1467 1477 if (strlcpy(buf, puent->name, BUFSIZ) >= BUFSIZ) {
1468 1478 free(buf);
1469 1479 return (NULL);
1470 1480 }
1471 1481
1472 1482
1473 1483 /* convert the enabledlist or the disabledlist */
1474 1484 if (puent->flag_enabledlist == B_TRUE) {
1475 1485 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1476 1486 free(buf);
1477 1487 return (NULL);
1478 1488 }
1479 1489
1480 1490 if (strlcat(buf, EF_ENABLED, BUFSIZ) >= BUFSIZ) {
1481 1491 free(buf);
1482 1492 return (NULL);
1483 1493 }
1484 1494
1485 1495 phead = puent->policylist;
1486 1496 while (phead != NULL) {
1487 1497 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1488 1498 free(buf);
1489 1499 return (NULL);
1490 1500 }
1491 1501
1492 1502 phead = phead->next;
1493 1503 if (phead != NULL) {
1494 1504 if (strlcat(buf, SEP_COMMA, BUFSIZ)
1495 1505 >= BUFSIZ) {
1496 1506 free(buf);
1497 1507 return (NULL);
1498 1508 }
1499 1509 }
1500 1510 }
1501 1511 tok1_present = B_TRUE;
1502 1512 } else if (puent->policylist != NULL) {
1503 1513 if (strlcat(buf, SEP_COLON, BUFSIZ) >= BUFSIZ) {
1504 1514 free(buf);
1505 1515 return (NULL);
1506 1516 }
1507 1517
1508 1518 if (strlcat(buf, EF_DISABLED, BUFSIZ) >= BUFSIZ) {
1509 1519 free(buf);
1510 1520 return (NULL);
1511 1521 }
1512 1522 phead = puent->policylist;
1513 1523 while (phead != NULL) {
1514 1524 if (strlcat(buf, phead->name, BUFSIZ) >= BUFSIZ) {
1515 1525 free(buf);
1516 1526 return (NULL);
1517 1527 }
1518 1528
1519 1529 phead = phead->next;
1520 1530 if (phead != NULL) {
1521 1531 if (strlcat(buf, SEP_COMMA, BUFSIZ)
1522 1532 >= BUFSIZ) {
1523 1533 free(buf);
1524 1534 return (NULL);
1525 1535 }
1526 1536 }
1527 1537 }
1528 1538 tok1_present = B_TRUE;
1529 1539 }
1530 1540
1531 1541 if (puent->flag_norandom == B_TRUE) {
1532 1542 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1533 1543 BUFSIZ) >= BUFSIZ) {
1534 1544 free(buf);
1535 1545 return (NULL);
1536 1546 }
1537 1547
1538 1548 if (strlcat(buf, EF_NORANDOM, BUFSIZ) >= BUFSIZ) {
1539 1549 free(buf);
1540 1550 return (NULL);
1541 1551 }
1542 1552 }
1543 1553
1544 1554 if (strcmp(puent->name, METASLOT_KEYWORD) == 0) {
1545 1555
1546 1556 /* write the metaslot_status= value */
1547 1557 if (strlcat(buf, (tok1_present ? SEP_SEMICOLON : SEP_COLON),
1548 1558 BUFSIZ) >= BUFSIZ) {
1549 1559 free(buf);
1550 1560 return (NULL);
1551 1561 }
1552 1562
1553 1563 if (strlcat(buf, METASLOT_STATUS, BUFSIZ) >= BUFSIZ) {
1554 1564 free(buf);
1555 1565 return (NULL);
1556 1566 }
1557 1567
1558 1568 if (puent->flag_metaslot_enabled) {
1559 1569 if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) {
1560 1570 free(buf);
1561 1571 return (NULL);
1562 1572 }
1563 1573 } else {
1564 1574 if (strlcat(buf, METASLOT_DISABLED, BUFSIZ)
1565 1575 >= BUFSIZ) {
1566 1576 free(buf);
1567 1577 return (NULL);
1568 1578 }
1569 1579 }
1570 1580
1571 1581 if (!tok1_present) {
1572 1582 tok1_present = B_TRUE;
1573 1583 }
1574 1584
1575 1585 if (strlcat(buf, SEP_SEMICOLON, BUFSIZ) >= BUFSIZ) {
1576 1586 free(buf);
1577 1587 return (NULL);
1578 1588 }
1579 1589
1580 1590 if (strlcat(buf, METASLOT_AUTO_KEY_MIGRATE, BUFSIZ) >= BUFSIZ) {
1581 1591 free(buf);
1582 1592 return (NULL);
1583 1593 }
1584 1594
1585 1595 if (puent->flag_metaslot_auto_key_migrate) {
1586 1596 if (strlcat(buf, METASLOT_ENABLED, BUFSIZ) >= BUFSIZ) {
1587 1597 free(buf);
1588 1598 return (NULL);
1589 1599 }
1590 1600 } else {
1591 1601 if (strlcat(buf, METASLOT_DISABLED, BUFSIZ) >= BUFSIZ) {
1592 1602 free(buf);
1593 1603 return (NULL);
1594 1604 }
1595 1605 }
1596 1606
1597 1607 bzero(blank_buf, sizeof (blank_buf));
1598 1608
1599 1609 /* write metaslot_token= if specified */
1600 1610 if (memcmp(puent->metaslot_ks_token, blank_buf,
1601 1611 TOKEN_LABEL_SIZE) != 0) {
1602 1612 /* write the metaslot_status= value */
1603 1613 if (strlcat(buf, (tok1_present ?
1604 1614 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1605 1615 free(buf);
1606 1616 return (NULL);
1607 1617 }
1608 1618
1609 1619 if (strlcat(buf, METASLOT_TOKEN, BUFSIZ) >= BUFSIZ) {
1610 1620 free(buf);
1611 1621 return (NULL);
1612 1622 }
1613 1623
1614 1624 if (strlcat(buf,
1615 1625 (const char *)puent->metaslot_ks_token, BUFSIZ)
1616 1626 >= BUFSIZ) {
1617 1627 free(buf);
1618 1628 return (NULL);
1619 1629 }
1620 1630 }
1621 1631
1622 1632 /* write metaslot_slot= if specified */
1623 1633 if (memcmp(puent->metaslot_ks_slot, blank_buf,
1624 1634 SLOT_DESCRIPTION_SIZE) != 0) {
1625 1635 /* write the metaslot_status= value */
1626 1636 if (strlcat(buf, (tok1_present ?
1627 1637 SEP_SEMICOLON : SEP_COLON), BUFSIZ) >= BUFSIZ) {
1628 1638 free(buf);
1629 1639 return (NULL);
1630 1640 }
1631 1641
1632 1642 if (strlcat(buf, METASLOT_SLOT, BUFSIZ) >= BUFSIZ) {
1633 1643 free(buf);
1634 1644 return (NULL);
1635 1645 }
1636 1646
1637 1647 if (strlcat(buf,
1638 1648 (const char *)puent->metaslot_ks_slot, BUFSIZ)
1639 1649 >= BUFSIZ) {
1640 1650 free(buf);
1641 1651 return (NULL);
1642 1652 }
1643 1653 }
1644 1654 }
1645 1655
1646 1656 if (strlcat(buf, "\n", BUFSIZ) >= BUFSIZ) {
1647 1657 free(buf);
1648 1658 return (NULL);
1649 1659 }
1650 1660
1651 1661 return (buf);
1652 1662 }
1653 1663
1654 1664
1655 1665 /*
1656 1666 * This function updates the default policy mode and the policy exception list
1657 1667 * for a user-level provider based on the mechanism specified in the disable
1658 1668 * or enable subcommand and the update mode. This function is called by the
1659 1669 * enable_uef_lib() or disable_uef_lib().
1660 1670 */
1661 1671 int
1662 1672 update_policylist(uentry_t *puent, mechlist_t *marglist, int update_mode)
1663 1673 {
1664 1674 CK_MECHANISM_TYPE mech_type;
1665 1675 midstr_t midname;
1666 1676 umechlist_t *phead;
1667 1677 umechlist_t *pcur;
1668 1678 umechlist_t *pumech;
1669 1679 boolean_t found;
1670 1680 int rc = SUCCESS;
1671 1681
1672 1682 if ((puent == NULL) || (marglist == NULL)) {
1673 1683 /* should not happen */
1674 1684 cryptoerror(LOG_STDERR, gettext("internal error."));
1675 1685 cryptodebug("update_policylist()- puent or marglist is NULL.");
1676 1686 return (FAILURE);
1677 1687 }
1678 1688
1679 1689 if ((update_mode != ADD_MODE) && (update_mode != DELETE_MODE)) {
1680 1690 /* should not happen */
1681 1691 cryptoerror(LOG_STDERR, gettext("internal error."));
1682 1692 cryptodebug("update_policylist() - update_mode is incorrect.");
1683 1693 return (FAILURE);
1684 1694 }
1685 1695
1686 1696 /*
1687 1697 * For each mechanism operand, get its mechanism type first.
1688 1698 * If fails to get the mechanism type, the mechanism operand must be
1689 1699 * invalid, gives an warning and ignore it. Otherwise,
1690 1700 * - convert the mechanism type to the internal representation (hex)
1691 1701 * in the pkcs11.conf file
1692 1702 * - If update_mode == DELETE_MODE,
1693 1703 * If the mechanism is in the policy list, delete it.
1694 1704 * If the mechanism is not in the policy list, do nothing.
1695 1705 * - If update_mode == ADD_MODE,
1696 1706 * If the mechanism is not in the policy list, add it.
1697 1707 * If the mechanism is in the policy list already, do nothing.
1698 1708 */
1699 1709 while (marglist) {
1700 1710 if (pkcs11_str2mech(marglist->name, &mech_type) != CKR_OK) {
1701 1711 /*
1702 1712 * This mechanism is not a valid PKCS11 mechanism,
1703 1713 * give warning and ignore it.
1704 1714 */
1705 1715 cryptoerror(LOG_STDERR, gettext(
1706 1716 "(Warning) %s is not a valid PKCS#11 mechanism."),
1707 1717 marglist->name);
1708 1718 rc = FAILURE;
1709 1719 } else {
1710 1720 (void) snprintf(midname, sizeof (midname), "%#010x",
1711 1721 (int)mech_type);
1712 1722 if (update_mode == DELETE_MODE) {
1713 1723 found = B_FALSE;
1714 1724 phead = pcur = puent->policylist;
1715 1725 while (!found && pcur) {
1716 1726 if (strcmp(pcur->name, midname) == 0) {
1717 1727 found = B_TRUE;
1718 1728 } else {
1719 1729 phead = pcur;
1720 1730 pcur = pcur->next;
1721 1731 }
1722 1732 }
1723 1733
1724 1734 if (found) {
1725 1735 if (phead == pcur) {
1726 1736 puent->policylist =
1727 1737 puent->policylist->next;
1728 1738 free(pcur);
1729 1739 } else {
1730 1740 phead->next = pcur->next;
1731 1741 free(pcur);
1732 1742 }
1733 1743 puent->count--;
1734 1744 if (puent->count == 0) {
1735 1745 puent->policylist = NULL;
1736 1746 }
1737 1747 }
1738 1748 } else if (update_mode == ADD_MODE) {
1739 1749 if (!is_in_policylist(midname,
1740 1750 puent->policylist)) {
1741 1751 pumech = create_umech(midname);
1742 1752 if (pumech == NULL) {
1743 1753 rc = FAILURE;
1744 1754 break;
1745 1755 }
1746 1756 phead = puent->policylist;
1747 1757 puent->policylist = pumech;
1748 1758 pumech->next = phead;
1749 1759 puent->count++;
1750 1760 }
1751 1761 }
1752 1762 }
1753 1763 marglist = marglist->next;
1754 1764 }
1755 1765
1756 1766 return (rc);
1757 1767 }
1758 1768
1759 1769 /*
1760 1770 * Open a session to the given slot and check if we can do
1761 1771 * random numbers by asking for one byte.
1762 1772 */
1763 1773 static boolean_t
1764 1774 check_random(CK_SLOT_ID slot_id, CK_FUNCTION_LIST_PTR prov_funcs)
1765 1775 {
1766 1776 CK_RV rv;
1767 1777 CK_SESSION_HANDLE hSession;
1768 1778 CK_BYTE test_byte;
1769 1779 CK_BYTE_PTR test_byte_ptr = &test_byte;
1770 1780
1771 1781 rv = prov_funcs->C_OpenSession(slot_id, CKF_SERIAL_SESSION,
1772 1782 NULL_PTR, NULL, &hSession);
1773 1783 if (rv != CKR_OK)
1774 1784 return (B_FALSE);
1775 1785
1776 1786 /* We care only about the return value */
1777 1787 rv = prov_funcs->C_GenerateRandom(hSession, test_byte_ptr,
1778 1788 sizeof (test_byte));
1779 1789 (void) prov_funcs->C_CloseSession(hSession);
1780 1790
1781 1791 /*
1782 1792 * These checks are purely to determine whether the slot can do
1783 1793 * random numbers. So, we don't check whether the routine
1784 1794 * succeeds. The reason we check for CKR_RANDOM_NO_RNG also is that
1785 1795 * this error effectively means CKR_FUNCTION_NOT_SUPPORTED.
1786 1796 */
1787 1797 if (rv != CKR_FUNCTION_NOT_SUPPORTED && rv != CKR_RANDOM_NO_RNG)
1788 1798 return (B_TRUE);
1789 1799 else
1790 1800 return (B_FALSE);
1791 1801 }
1792 1802
1793 1803 void
1794 1804 display_verbose_mech_header()
1795 1805 {
1796 1806 (void) printf("%28s %s", " ", HDR1);
1797 1807 (void) printf("%28s %s", " ", HDR2);
1798 1808 (void) printf("%28s %s", " ", HDR3);
1799 1809 (void) printf("%28s %s", " ", HDR4);
1800 1810 (void) printf("%28s %s", " ", HDR5);
1801 1811 (void) printf("%28s %s", " ", HDR6);
1802 1812 (void) printf("%-28.28s %s", gettext("mechanism name"), HDR7);
1803 1813 /*
1804 1814 * TRANSLATION_NOTE:
1805 1815 * Strictly for appearance's sake, the first header line should be
1806 1816 * as long as the length of the translated text above. The format
1807 1817 * lengths should all match too.
1808 1818 */
1809 1819 (void) printf("%28s ---- ---- "
1810 1820 "- - - - - - - - - - - - - -\n",
1811 1821 gettext("----------------------------"));
1812 1822 }
|
↓ open down ↓ |
501 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX