| author | Valerie Bubb Fenwick <Valerie.Fenwick@Oracle.COM> | 2010-05-04 11:34:09 -0700 |
|---|---|---|
| committer | Valerie Bubb Fenwick <Valerie.Fenwick@Oracle.COM> | 2010-05-04 11:34:09 -0700 |
| commit | 9b009fc1b553084f6003dcd46b171890049de0ff (patch) | |
| tree | 4754b6aaf31ae2429a831953a81f2c9a5c05b8f0 /usr/src | |
| parent | c87dd6b73ce417a1c364f2b85436755e8e3ade21 (diff) | |
PSARC/2010/146 EOF unnecessary elfsign and kCF options
6855881 clean up unnecessary technology from elfsign and kcf
Diffstat (limited to 'usr/src')
27 files changed, 222 insertions, 990 deletions
diff --git a/usr/src/cmd/cmd-crypto/elfsign/elfsign.c b/usr/src/cmd/cmd-crypto/elfsign/elfsign.c index 026f106863..15f278842e 100644 --- a/usr/src/cmd/cmd-crypto/elfsign/elfsign.c +++ b/usr/src/cmd/cmd-crypto/elfsign/elfsign.c @@ -20,8 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. */ /* @@ -46,7 +45,6 @@ #include <locale.h> #include <errno.h> #include <strings.h> -#include <langinfo.h> #include <cryptoutil.h> #include <sys/crypto/elfsign.h> @@ -55,7 +53,7 @@ #include <kmfapi.h> #define SIGN "sign" -#define SIGN_OPTS "ac:e:F:k:P:T:v" +#define SIGN_OPTS "c:e:F:k:P:T:v" #define VERIFY "verify" #define VERIFY_OPTS "c:e:v" #define REQUEST "request" @@ -132,7 +130,6 @@ static char *getpin(void); static ret_t do_sign(char *); static ret_t do_verify(char *); static ret_t do_cert_request(char *); -static ret_t do_gen_esa(char *); static ret_t do_list(char *); static void es_error(const char *fmt, ...); static char *time_str(time_t t); @@ -216,11 +213,6 @@ main(int argc, char **argv) cryptodebug("c=%c", c); switch (c) { - case 'a': - /* not a normal sign operation, change the action */ - cmd_info.es_action = ES_GET; - action = do_gen_esa; - break; case 'c': cmd_info.cert = optarg; break; @@ -381,10 +373,10 @@ usage(void) /* BEGIN CSTYLED */ (void) fprintf(stderr, gettext( "usage:\n" - "\telfsign sign [-a] [-v] [-e <elf_object>] -c <certificate_file>\n" + "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n" "\t\t[-F <format>] -k <private_key_file> [elf_object]..." "\n" - "\telfsign sign [-a] [-v] [-e <elf_object>] -c <certificate_file>\n" + "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n" "\t\t[-F <format>] -T <token_label> [-P <pin_file>] [elf_object]..." "\n\n" "\telfsign verify [-v] [-c <certificate_file>] [-e <elf_object>]\n" 
@@ -410,7 +402,6 @@ getelfobj(char *elfpath)
 estatus = elfsign_begin(elfpath, cmd_info.es_action, &(cmd_info.ess));
 switch (estatus) {
 case ELFSIGN_SUCCESS:
- case ELFSIGN_RESTRICTED:
 ret = EXIT_OKAY;
 break;
 case ELFSIGN_INVALID_ELFOBJ:
@@ -665,295 +656,6 @@ cleanup: return (ret); } -#define ESA_ERROR(str, esa_file) { \ - int realerrno = errno; \ - es_error(gettext(str), esa_file, strerror(realerrno)); \ - goto clean_esa; \ -} - -/* - * Generate the elfsign activation file (.esa) for this request. - * The .esa file should contain the signature of main binary - * signed with an unlimited certificate, the DN and its own signature. - * - * The format is as follows: - * ----------------------------- - * A | main signature length | - * ----------------------------- - * B | main signature (copy of | - * | signature from original | - * | limited-use binary | - * ----------------------------- - * C | signing DN length | - * ----------------------------- - * D | signing DN | - * ----------------------------- - * E | esa signature length | - * ----------------------------- - * F | esa signature = | - * | RSA(HASH(A||B) | - * ----------------------------- - * (lengths are in the same endianness as the original object) - * - * cmd_info.ess set for the main binary is correct here, since this - * is the only elf object we are actually dealing with during the .esa - * generation. - */ -static ret_t -do_gen_esa(char *object) -{ - ret_t ret; - - /* variables used for signing and writing to .esa file */ - char *elfobj_esa; - size_t elfobj_esa_len; - int esa_fd; - mode_t mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH; - uchar_t *esa_buf = NULL; - size_t esa_buf_len = 0; - uchar_t hash[SIG_MAX_LENGTH], *hash_ptr = hash; - size_t hash_len = SIG_MAX_LENGTH; - uchar_t esa_sig[SIG_MAX_LENGTH]; - size_t esa_sig_len = SIG_MAX_LENGTH; - struct filesignatures *fssp = NULL; - size_t fslen; - ELFCert_t cert = NULL; - char *dn; - size_t dn_len; - uchar_t tmp_buf[sizeof (uint32_t)]; - int realerrno = 0; - - /* - * variables used for finding information on signer of main - * elfobject. 
- */ - uchar_t orig_signature[SIG_MAX_LENGTH]; - size_t orig_sig_len = sizeof (orig_signature); - - cryptodebug("do_gen_esa"); - if ((ret = getelfobj(object)) != EXIT_OKAY) - return (ret); - ret = EXIT_SIGN_FAILED; - - if (cmd_info.token_label && - !elfcertlib_settoken(cmd_info.ess, cmd_info.token_label)) { - es_error(gettext("Unable to access token: %s"), - cmd_info.token_label); - ret = EXIT_SIGN_FAILED; - goto clean_esa; - } - - if ((ret = setcertpath()) != EXIT_OKAY) - goto clean_esa; - - /* - * Find the certificate we need to sign the activation file with. - */ - if (!elfcertlib_getcert(cmd_info.ess, cmd_info.cert, NULL, &cert, - cmd_info.es_action)) { - es_error(gettext("Unable to load certificate: %s"), - cmd_info.cert); - ret = EXIT_BAD_CERT; - goto clean_esa; - } - - if (cmd_info.privpath != NULL) { - if (!elfcertlib_loadprivatekey(cmd_info.ess, cert, - cmd_info.privpath)) { - es_error(gettext("Unable to load private key: %s"), - cmd_info.privpath); - ret = EXIT_BAD_PRIVATEKEY; - goto clean_esa; - } - } else { - char *pin = getpin(); - - if (pin == NULL) { - cryptoerror(LOG_STDERR, gettext("Unable to get PIN")); - ret = EXIT_BAD_PRIVATEKEY; - goto clean_esa; - } - if (!elfcertlib_loadtokenkey(cmd_info.ess, cert, - cmd_info.token_label, pin)) { - es_error(gettext("Unable to access private key " - "in token %s"), cmd_info.token_label); - ret = EXIT_BAD_PRIVATEKEY; - goto clean_esa; - } - } - - /* - * Get the DN from the certificate. - */ - if ((dn = elfcertlib_getdn(cert)) == NULL) { - es_error(gettext("Unable to find DN in certifiate %s"), - cmd_info.cert); - goto clean_esa; - } - dn_len = strlen(dn); - cryptodebug("DN = %s", dn); - - /* - * Make sure they are not trying to sign .esa file with a - * limited certificate. 
- */ - if (strstr(dn, USAGELIMITED) != NULL) { - es_error(gettext("Activation file must be signed with a " - "certficate without %s."), USAGELIMITED); - goto clean_esa; - } - - /* - * Find information in the associated elfobject that will - * be needed to generate the activation file. - */ - if (elfsign_signatures(cmd_info.ess, &fssp, &fslen, ES_GET) != - ELFSIGN_SUCCESS) { - es_error(gettext("%s must be signed first, before an " - "associated activation file can be created."), - object); - goto clean_esa; - } - if (elfsign_extract_sig(cmd_info.ess, fssp, - orig_signature, &orig_sig_len) == FILESIG_UNKNOWN) { - es_error(gettext("elfsign can not create " - "an associated activation file for the " - "signature format of %s."), - object); - goto clean_esa; - } - { /* DEBUG START */ - const int sigstr_len = orig_sig_len * 2 + 1; - char *sigstr = malloc(sigstr_len); - - tohexstr(orig_signature, orig_sig_len, sigstr, sigstr_len); - cryptodebug("signature value is: %s", sigstr); - cryptodebug("sig size value is: %d", orig_sig_len); - free(sigstr); - } /* DEBUG END */ - - esa_buf_len = sizeof (uint32_t) + orig_sig_len; - esa_buf = malloc(esa_buf_len); - if (esa_buf == NULL) { - es_error(gettext("Unable to allocate memory for .esa buffer")); - goto clean_esa; - } - - /* - * Write eventual contents of .esa file to a temporary - * buffer, so we can sign it before writing out to - * the file. - */ - elfsign_buffer_len(cmd_info.ess, &orig_sig_len, esa_buf, ES_UPDATE); - (void) memcpy(esa_buf + sizeof (uint32_t), orig_signature, - orig_sig_len); - - if (elfsign_hash_esa(cmd_info.ess, esa_buf, esa_buf_len, - &hash_ptr, &hash_len) != ELFSIGN_SUCCESS) { - es_error(gettext("Unable to calculate activation hash")); - goto clean_esa; - } - - /* - * sign the buffer for the .esa file - */ - if (!elfcertlib_sign(cmd_info.ess, cert, - hash_ptr, hash_len, esa_sig, &esa_sig_len)) { - es_error(gettext("Unable to sign .esa data using key from %s"), - cmd_info.privpath ? 
- cmd_info.privpath : cmd_info.token_label); - goto clean_esa; - } - - { /* DEBUG START */ - const int sigstr_len = esa_sig_len * 2 + 1; - char *sigstr = malloc(sigstr_len); - - tohexstr(esa_sig, esa_sig_len, sigstr, sigstr_len); - cryptodebug("esa signature value is: %s", sigstr); - cryptodebug("esa size value is: %d", esa_sig_len); - free(sigstr); - } /* DEBUG END */ - - /* - * Create the empty activation file once we know - * we are working with the good data. - */ - elfobj_esa_len = strlen(object) + ESA_LEN + 1; - elfobj_esa = malloc(elfobj_esa_len); - - if (elfobj_esa == NULL) { - es_error(gettext("Unable to allocate buffer for esa filename")); - goto clean_esa; - } - - (void) strlcpy(elfobj_esa, object, elfobj_esa_len); - (void) strlcat(elfobj_esa, ESA, elfobj_esa_len); - - cryptodebug("Creating .esa file: %s", elfobj_esa); - - if ((esa_fd = open(elfobj_esa, O_WRONLY|O_CREAT|O_EXCL, mode)) == -1) { - ESA_ERROR("Unable to create activation file: %s. %s.", - elfobj_esa); - } - - if (write(esa_fd, esa_buf, esa_buf_len) != esa_buf_len) { - ESA_ERROR("Unable to write contents to %s. %s.", - elfobj_esa); - } - - { /* DEBUG START */ - const int sigstr_len = dn_len * 2 + 1; - char *sigstr = malloc(sigstr_len); - - tohexstr((uchar_t *)dn, dn_len, sigstr, sigstr_len); - cryptodebug("dn value is: %s", sigstr); - cryptodebug("dn size value is: %d", dn_len); - free(sigstr); - } /* DEBUG END */ - - elfsign_buffer_len(cmd_info.ess, &dn_len, tmp_buf, ES_UPDATE); - if (write(esa_fd, tmp_buf, sizeof (tmp_buf)) != sizeof (tmp_buf)) { - ESA_ERROR("Unable to write dn_len to %s. %s.", elfobj_esa); - } - - if (write(esa_fd, dn, dn_len) != dn_len) { - ESA_ERROR("Unable to write dn to %s. %s.", elfobj_esa); - } - - elfsign_buffer_len(cmd_info.ess, &esa_sig_len, tmp_buf, ES_UPDATE); - if (write(esa_fd, tmp_buf, sizeof (tmp_buf)) != sizeof (tmp_buf)) { - ESA_ERROR("Unable to write .esa signature len to %s. 
%s.", - elfobj_esa); - } - - if (write(esa_fd, esa_sig, esa_sig_len) != esa_sig_len) { - realerrno = errno; - es_error(gettext("Unable to write .esa signature. %s."), - strerror(realerrno)); - goto clean_esa; - } - - ret = EXIT_OKAY; - -clean_esa: - free(fssp); - if (esa_fd != -1) - (void) close(esa_fd); - - if (esa_buf != NULL) - free(esa_buf); - - bzero(esa_sig, esa_sig_len); - - if (cert != NULL) - elfcertlib_releasecert(cmd_info.ess, cert); - if (cmd_info.ess != NULL) - elfsign_end(cmd_info.ess); - - return (ret); -} - /* * Verify the signature of the object * This subcommand is intended to be used by developers during their build @@ -986,14 +688,6 @@ do_verify(char *object) sig_info_print(esip); retval = EXIT_OKAY; break; - case ELFSIGN_RESTRICTED: - (void) fprintf(stdout, - gettext("elfsign: verification of %s passed, " - "but restricted.\n"), object); - if (cmd_info.verbose) - sig_info_print(esip); - retval = EXIT_OKAY; - break; case ELFSIGN_FAILED: case ELFSIGN_INVALID_CERTPATH: es_error(gettext("verification of %s failed."), 
@@ -1171,95 +865,6 @@ cleanup: return (kmfrv); } -static boolean_t -is_restricted(void) -{ - char nr[80]; /* Non-retail provider? big buffer for l10n */ - char *yeschar = nl_langinfo(YESSTR); - char *nochar = nl_langinfo(NOSTR); - - /* - * Find out if user will need an activation file. - * These questions cover cases #1 and #2 from the Jumbo Export - * Control case. The logic of these questions should not be modified - * without consulting the jumbo case, unless there is a new - * export case or a change in export/import regulations for Sun - * and Sun customers. - * Case #3 should be covered in the developer documentation. - */ -/* BEGIN CSTYLED */ - (void) fprintf(stdout, gettext("\n" -"The government of the United States of America restricts the export of \n" -"\"open cryptographic interfaces\", also known as \"crypto-with-a-hole\".\n" -"Due to this restriction, all providers for the Solaris cryptographic\n" -"framework must be signed, regardless of the country of origin.\n\n")); - - (void) fprintf(stdout, gettext( -"The terms \"retail\" and \"non-retail\" refer to export classifications \n" -"for products manufactured in the USA. These terms define the portion of the\n" -"world where the product may be shipped. Roughly speaking, \"retail\" is \n" -"worldwide (minus certain excluded nations) and \"non-retail\" is domestic \n" -"only (plus some highly favored nations). If your provider is subject to\n" -"USA export control, then you must obtain an export approval (classification)\n" -"from the government of the USA before exporting your provider. It is\n" -"critical that you specify the obtained (or expected, when used during \n" -"development) classification to the following questions so that your provider\n" -"will be appropriately signed.\n\n")); - - for (;;) { - (void) fprintf(stdout, gettext( -"Do you have retail export approval for use without restrictions based \n" -"on the caller (for example, IPsec)? 
[Yes/No] ")); -/* END CSTYLED */ - - (void) fflush(stdout); - - (void) fgets(nr, sizeof (nr), stdin); - if (nr == NULL) - goto demand_answer; - - nr[strlen(nr) - 1] = '\0'; - - if (strncasecmp(nochar, nr, 1) == 0) { -/* BEGIN CSTYLED */ - (void) fprintf(stdout, gettext("\n" -"If you have non-retail export approval for unrestricted use of your provider\n" -"by callers, are you also planning to receive retail approval by restricting \n" -"which export sensitive callers (for example, IPsec) may use your \n" -"provider? [Yes/No] ")); -/* END CSTYLED */ - - (void) fflush(stdout); - - (void) fgets(nr, sizeof (nr), stdin); - - /* - * flush standard input so any remaining text - * does not affect next read. - */ - (void) fflush(stdin); - - if (nr == NULL) - goto demand_answer; - - nr[strlen(nr) - 1] = '\0'; - - if (strncasecmp(nochar, nr, 1) == 0) { - return (B_FALSE); - } else if (strncasecmp(yeschar, nr, 1) == 0) { - return (B_TRUE); - } else - goto demand_answer; - - } else if (strncasecmp(yeschar, nr, 1) == 0) { - return (B_FALSE); - } - - demand_answer: - (void) fprintf(stdout, - gettext("You must specify an answer.\n\n")); - } -} #define CN_MAX_LENGTH 64 /* Verisign implementation limit */ /* @@ -1272,26 +877,25 @@ do_cert_request(char *object) const char PartnerDNFMT[] = "CN=%s, " "OU=Class B, " - "%sOU=Solaris Cryptographic Framework, " + "OU=Solaris Cryptographic Framework, " "OU=Partner Object Signing, " "O=Sun Microsystems Inc"; const char SunCDNFMT[] = "CN=%s, " "OU=Class B, " - "%sOU=Solaris Cryptographic Framework, " + "OU=Solaris Cryptographic Framework, " "OU=Corporate Object Signing, " "O=Sun Microsystems Inc"; const char SunSDNFMT[] = "CN=%s, " "OU=Class B, " - "%sOU=Solaris Signed Execution, " + "OU=Solaris Signed Execution, " "OU=Corporate Object Signing, " "O=Sun Microsystems Inc"; const char *dnfmt = NULL; char cn[CN_MAX_LENGTH + 1]; char *dn = NULL; size_t dn_len; - char *restriction = ""; KMF_RETURN kmfret; cryptodebug("do_cert_request"); 
@@ -1334,22 +938,10 @@ do_cert_request(char *object) return (EXIT_INVALID_ARG); } - /* - * determine if there is an export restriction - */ - switch (cmd_info.internal_req) { - case 's': - restriction = ""; - break; - default: - restriction = is_restricted() ? USAGELIMITED ", " : ""; - break; - } - /* Update DN string */ - dn_len = strlen(cn) + strlen(dnfmt) + strlen(restriction); + dn_len = strlen(cn) + strlen(dnfmt); dn = malloc(dn_len + 1); - (void) snprintf(dn, dn_len, dnfmt, cn, restriction); + (void) snprintf(dn, dn_len, dnfmt, cn); cryptodebug("Generating Certificate request for DN: %s", dn); kmfret = create_csr(dn); diff --git a/usr/src/cmd/mdb/common/modules/crypto/impl.c b/usr/src/cmd/mdb/common/modules/crypto/impl.c index 69afb4ecc1..fe6b7a4150 100644 --- a/usr/src/cmd/mdb/common/modules/crypto/impl.c +++ b/usr/src/cmd/mdb/common/modules/crypto/impl.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ /* @@ -175,7 +174,7 @@ kcf_provider_desc(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv) mdb_printf("pd_provider_list:\t%p\n", desc.pd_provider_list); mdb_printf("pd_resume_cv:\t\t%hd\n", desc.pd_resume_cv._opaque); - mdb_printf("pd_flags:\t\t%s %s %s %s %s %s\n", + mdb_printf("pd_flags:\t\t%s %s %s %s %s\n", (desc.pd_flags & CRYPTO_HIDE_PROVIDER) ? "CRYPTO_HIDE_PROVIDER" : " ", (desc.pd_flags & CRYPTO_HASH_NO_UPDATE) ? 
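Review bot: In the do_cert_request hunk, `dn = malloc(dn_len + 1);` is still passed unchecked to the rewritten `(void) snprintf(dn, dn_len, dnfmt, cn);`, so an allocation failure becomes a write through NULL while the certificate-request DN is being built. Add an `if (dn == NULL)` guard directly after the allocation that reports through `es_error()` and returns the tool's failure exit code before `create_csr(dn)` is reached. The size argument is `dn_len` although the buffer holds `dn_len + 1`; it cannot truncate today because the `%s` inside `dnfmt` is already counted by `strlen(dnfmt)`, but passing `dn_len + 1` would keep the bound tied to the allocation. The function starts and ends outside this hunk, so whether `dn` is freed later is not visible here.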
@@ -185,9 +184,7 @@ kcf_provider_desc(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv) (desc.pd_flags & CRYPTO_SYNCHRONOUS) ? "CRYPTO_SYNCHRONOUS" : " ", (desc.pd_flags & KCF_LPROV_MEMBER) ? - "KCF_LPROV_MEMBER" : " ", - (desc.pd_flags & KCF_PROV_RESTRICTED) ? - "KCF_PROV_RESTRICTED" : " "); + "KCF_LPROV_MEMBER" : " "); if (desc.pd_flags & CRYPTO_HASH_NO_UPDATE) mdb_printf("pd_hash_limit:\t\t%u\n", desc.pd_hash_limit); if (desc.pd_flags & CRYPTO_HMAC_NO_UPDATE) diff --git a/usr/src/cmd/mdb/common/modules/crypto/sched_impl.c b/usr/src/cmd/mdb/common/modules/crypto/sched_impl.c index 6580465809..015f5699e2 100644 --- a/usr/src/cmd/mdb/common/modules/crypto/sched_impl.c +++ b/usr/src/cmd/mdb/common/modules/crypto/sched_impl.c @@ -20,12 +20,9 @@ */ /* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <stdio.h> #include <sys/mdb_modapi.h> #include <sys/modctl.h> @@ -66,7 +63,6 @@ static const mdb_bitmask_t call_flags[] = { { "CRYPTO_ALWAYS_QUEUE", CRYPTO_ALWAYS_QUEUE, CRYPTO_ALWAYS_QUEUE }, { "CRYPTO_NOTIFY_OPDONE", CRYPTO_NOTIFY_OPDONE, CRYPTO_NOTIFY_OPDONE }, { "CRYPTO_SKIP_REQID", CRYPTO_SKIP_REQID, CRYPTO_SKIP_REQID }, - { "CRYPTO_RESTRICTED", CRYPTO_RESTRICTED, CRYPTO_RESTRICTED }, { NULL, 0, 0 } }; @@ -85,7 +81,7 @@ kcf_areq_node_simple(kcf_areq_node_t *areqn) mdb_printf("\nan_context: %-16p\t", areqn->an_context); mdb_printf("an_is_my_turn: %s\t ", areqn->an_is_my_turn == B_FALSE ? - "B_FALSE" : "B_TRUE"); + "B_FALSE" : "B_TRUE"); mdb_printf("\ncr_reqid: %lx\n", areqn->an_reqarg.cr_reqid); return (DCMD_OK); 
@@ -118,35 +114,35 @@ v_kcf_areq_node(kcf_areq_node_t *areqn) /* First column again */ mdb_printf("%16s: '%16b'", "cr_flag", areqn->an_reqarg.cr_flag, - call_flags); + call_flags); /* Second column */ mdb_printf("\t%16s: %p\n", "cr_callback_func", - areqn->an_reqarg.cr_callback_func); + areqn->an_reqarg.cr_callback_func); /* First column again */ mdb_printf("%16s: %-16p", "cr_callback_arg", - areqn->an_reqarg.cr_callback_arg); + areqn->an_reqarg.cr_callback_arg); /* Second column */ mdb_printf("\t%16s: %lx\n", "cr_reqid", - (ulong_t)areqn->an_reqarg.cr_reqid); + (ulong_t)areqn->an_reqarg.cr_reqid); /* First column again */ mdb_printf("%16s: %d", "an_params.rp_opgrp", - areqn->an_params.rp_opgrp); + areqn->an_params.rp_opgrp); /* Second column */ mdb_printf("\t%16s: %d\n", "an_params.rp_optype", - areqn->an_params.rp_optype); + areqn->an_params.rp_optype); /* First column again */ mdb_printf("%16s: %-16p", "an_context", - areqn->an_context); + areqn->an_context); /* Second column */ mdb_printf("\t%16s: %p\n", "an_ctxchain_next", - areqn->an_ctxchain_next); + areqn->an_ctxchain_next); /* First column again */ mdb_printf("%16s: %s", "an_is_my_turn", @@ -158,28 +154,28 @@ v_kcf_areq_node(kcf_areq_node_t *areqn) /* First column again */ mdb_printf("%16s: %p", "an_next", - areqn->an_next); + areqn->an_next); /* Second column */ mdb_printf("\t\t%16s: %p\n", "an_prev", areqn->an_prev); /* First column again */ mdb_printf("%16s: %p", "an_provider", - areqn->an_provider); + areqn->an_provider); /* Second column */ mdb_printf("\t\t%16s: %p\n", "an_idnext", areqn->an_idnext); /* First column again */ mdb_printf("%16s: %p", "an_idprev", - areqn->an_idprev); + areqn->an_idprev); /* Second column */ mdb_printf("\t\t%16s: %hx\n", "an_done", areqn->an_done); /* First column again */ mdb_printf("%16s: %d\n", "an_refcnt", - areqn->an_refcnt); + areqn->an_refcnt); return (DCMD_OK); } 
@@ -247,8 +243,8 @@ areq_walk_init_common(mdb_walk_state_t *wsp, boolean_t use_first) uintptr_t gswq_ptr; if (mdb_readsym(&gswq_ptr, sizeof (gswq_ptr), "gswq") == -1) { - mdb_warn("failed to read 'gswq'"); - return (WALK_ERR); + mdb_warn("failed to read 'gswq'"); + return (WALK_ERR); } if (mdb_vread(&gswq_copy, sizeof (gswq_copy), gswq_ptr) == -1) { mdb_warn("cannot read %p", gswq_ptr); @@ -477,21 +473,22 @@ reqid_table_walk_init(mdb_walk_state_t *wsp) /* see if the walker was called from the command line or mdb_pwalk */ if (wsp->walk_cbdata == NULL) { /* command line */ - if ((wsp->walk_cbdata = mdb_zalloc(sizeof (reqid_cb_data_t), - UM_SLEEP)) == NULL) { - mdb_warn("couldn't get cb memory for reqid_table_walker"); - return (WALK_ERR); - } - /* initialize for a simple walk, as opposed to a reqid search */ - cbdata = wsp->walk_cbdata; - cbdata->verbose = TRUE; - cbdata->cb_reqid = 0; + if ((wsp->walk_cbdata = mdb_zalloc(sizeof (reqid_cb_data_t), + UM_SLEEP)) == NULL) { + mdb_warn("couldn't get cb memory for " + "reqid_table_walker"); + return (WALK_ERR); + } + /* initialize for a simple walk, as opposed to a reqid search */ + cbdata = wsp->walk_cbdata; + cbdata->verbose = TRUE; + cbdata->cb_reqid = 0; } wdata = (reqid_data_t *)wsp->walk_data; if (mdb_readsym(wdata->rd_tbl_ptrs, sizeof (wdata->rd_tbl_ptrs), - "kcf_reqid_table") == -1) { + "kcf_reqid_table") == -1) { mdb_warn("failed to read 'kcf_reqid_table'"); return (WALK_ERR); @@ -520,7 +517,7 @@ reqid_table_walk_step(mdb_walk_state_t *wsp) #ifdef DEBUG mdb_printf( "DEBUG: kcf_reqid_table at %p, sizeof kcf_reqid_table_t = %d\n", - wsp->walk_addr, sizeof (kcf_reqid_table_t)); + wsp->walk_addr, sizeof (kcf_reqid_table_t)); #endif status = wsp->walk_callback(wsp->walk_addr, wsp->walk_data, 
@@ -679,14 +676,14 @@ crypto_find_reqid(uintptr_t addr, uint_t flags, int argc, const mdb_arg_t *argv) } if (argc > i) - argp = &argv[i]; + argp = &argv[i]; if ((argp != NULL)) { - if (argp->a_type == MDB_TYPE_IMMEDIATE) - cbdata.cb_reqid = argp->a_un.a_val; - else - cbdata.cb_reqid = (crypto_req_id_t) - mdb_strtoull(argp->a_un.a_str); + if (argp->a_type == MDB_TYPE_IMMEDIATE) + cbdata.cb_reqid = argp->a_un.a_val; + else + cbdata.cb_reqid = (crypto_req_id_t) + mdb_strtoull(argp->a_un.a_str); } status = mdb_pwalk("kcf_reqid_table", (mdb_walk_cb_t)crypto_pr_reqid, &cbdata, addr); diff --git a/usr/src/lib/libelfsign/common/elfsignlib.c b/usr/src/lib/libelfsign/common/elfsignlib.c index 8ef0aa4d0b..e9653ed8e6 100644 --- a/usr/src/lib/libelfsign/common/elfsignlib.c +++ b/usr/src/lib/libelfsign/common/elfsignlib.c @@ -20,8 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. */ #define ELF_TARGET_ALL /* get definitions of all section flags */ @@ -38,7 +37,6 @@ #include <errno.h> #include <libelf.h> #include <gelf.h> -#include <sys/mman.h> #include <cryptoutil.h> #include <sha1.h> #include <sys/crypto/elfsign.h> @@ -53,8 +51,6 @@ const char OID_sha1WithRSAEncryption[] = "1.2.840.113549.1.1.5"; static ELFsign_status_t elfsign_adjustoffsets(ELFsign_t ess, Elf_Scn *scn, uint64_t new_size); -static ELFsign_status_t elfsign_verify_esa(ELFsign_t ess, - uchar_t *sig, size_t sig_len); static uint32_t elfsign_switch_uint32(uint32_t i); static ELFsign_status_t elfsign_switch(ELFsign_t ess, struct filesignatures *fssp, enum ES_ACTION action); 
@@ -1011,52 +1007,6 @@ elfsign_hash_mem_resident(ELFsign_t ess, uchar_t *hash, size_t *hash_len) return (elfsign_hash_common(ess, hash, hash_len, B_TRUE)); } -/* - * elfsign_hash_esa = return the hash of the esa_buffer - * - * IN: ess, esa_buf, esa_buf_len, hash_len - * OUT: hash, hash_len - */ -ELFsign_status_t -elfsign_hash_esa(ELFsign_t ess, uchar_t *esa_buf, size_t esa_buf_len, - uchar_t **hash, size_t *hash_len) -{ - SHA1_CTX ctx; - - cryptodebug("esa_hash version is: %s", - version_to_str(ess->es_version)); - if (ess->es_version <= FILESIG_VERSION2) { - /* - * old rsa_md5_sha1 format - * signed with MD5 digest, just pass full esa_buf - */ - *hash = esa_buf; - *hash_len = esa_buf_len; - return (ELFSIGN_SUCCESS); - } - - if (*hash_len < SHA1_DIGEST_LENGTH) - return (ELFSIGN_FAILED); - - bzero(*hash, *hash_len); - SHA1Init(&ctx); - SHA1Update(&ctx, esa_buf, esa_buf_len); - SHA1Final(*hash, &ctx); - *hash_len = SHA1_DIGEST_LENGTH; - - { /* DEBUG START */ - const int hashstr_len = (*hash_len) * 2 + 1; - char *hashstr = malloc(hashstr_len); - - if (hashstr != NULL) { - tohexstr(*hash, *hash_len, hashstr, hashstr_len); - cryptodebug("esa_hash value is: %s", hashstr); - free(hashstr); - } - } /* DEBUG END */ - - return (ELFSIGN_SUCCESS); -} /* * elfsign_verify_signature - Verify the signature of the ELF object. @@ -1203,16 +1153,8 @@ elfsign_verify_signature(ELFsign_t ess, struct ELFsign_sig_info **esipp) (ess->es_callbackctx, fssp, fslen, cert); /* * The signature is verified! - * Check if this is a restricted provider */ - if (strstr(fsx.fsx_signer_DN, USAGELIMITED) == NULL) - ret = ELFSIGN_SUCCESS; - else { - cryptodebug("DN is tagged for usagelimited"); - ret = elfsign_verify_esa(ess, - fsx.fsx_signature, fsx.fsx_sig_len); - } - break; + ret = ELFSIGN_SUCCESS; } cryptodebug("elfsign_verify_signature: invalid signature"); 
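Review bot: In the elfsign_verify_signature hunk, the success branch no longer exits the enclosing construct. The removed `break;` went away together with the UsageLimited check and was not re-added after the new `ret = ELFSIGN_SUCCESS;`. Control now falls through to `cryptodebug("elfsign_verify_signature: invalid signature");` even when the signature verified, which makes debug traces misleading. If this code sits inside a loop over signature entries, as the old `break` suggests, later iterations keep running after a successful verification and the final value of `ret` depends on code outside this hunk. Keep the early exit by writing `ret = ELFSIGN_SUCCESS;` followed by `break;`. The function body begins and ends outside the hunk, so the loop structure should be confirmed against the full file.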
@@ -1228,199 +1170,6 @@ cleanup: return (ret); } -/* - * Verify the contents of the .esa file, as per Jumbo export control - * document. Logic in this function should remain unchanged, unless - * a misinterpretation of the jumbo case was found or if there are - * changes in export regulations necessitating a change. - * - * If the .esa file exists, but is somehow corrupted, we just return - * that this is restricted. This is consistent with the Jumbo export - * case covering this library and other compenents of ON. Do not change - * this logic without consulting export control. - * - * Please see do_gen_esa() for a description of the esa file format. - * - */ -static ELFsign_status_t -elfsign_verify_esa(ELFsign_t ess, uchar_t *orig_sig, size_t orig_sig_len) -{ - ELFsign_status_t ret = ELFSIGN_RESTRICTED; - char *elfobj_esa = NULL; - size_t elfobj_esa_len; - int esa_fd = -1; - size_t esa_buf_len = 0; - uchar_t *main_sig; - size_t main_sig_len = 0; - uchar_t hash[SIG_MAX_LENGTH], *hash_ptr = hash; - size_t hash_len = SIG_MAX_LENGTH; - char *esa_dn = NULL; - size_t esa_dn_len = 0; - uchar_t *esa_sig; - size_t esa_sig_len = 0; - uchar_t *esa_file_buffer = NULL, *esa_file_ptr; - struct stat statbuf; - ELFCert_t cert = NULL; - - cryptodebug("elfsign_verify_esa"); - - /* does the activation file exist? 
*/ - elfobj_esa_len = strlen(ess->es_pathname) + ESA_LEN + 1; - elfobj_esa = malloc(elfobj_esa_len); - if (elfobj_esa == NULL) { - cryptoerror(LOG_STDERR, - gettext("Unable to allocate buffer for esa filename.")); - goto cleanup; - } - - (void) strlcpy(elfobj_esa, ess->es_pathname, elfobj_esa_len); - (void) strlcat(elfobj_esa, ESA, elfobj_esa_len); - - if ((esa_fd = open(elfobj_esa, O_RDONLY|O_NONBLOCK)) == -1) { - cryptodebug("No .esa file was found, or it was unreadable"); - goto cleanup; - } - - cryptodebug("Reading contents of esa file %s", elfobj_esa); - - if (fstat(esa_fd, &statbuf) == -1) { - cryptoerror(LOG_STDERR, - gettext("Can't stat %s"), elfobj_esa); - goto cleanup; - } - - /* - * mmap the buffer to save on syscalls - */ - esa_file_buffer = (uchar_t *)mmap(NULL, statbuf.st_size, PROT_READ, - MAP_PRIVATE, esa_fd, 0); - - if (esa_file_buffer == MAP_FAILED) { - cryptoerror(LOG_STDERR, - gettext("Unable to mmap file to a buffer for %s."), - elfobj_esa); - goto cleanup; - } - - esa_file_ptr = esa_file_buffer; - elfsign_buffer_len(ess, &main_sig_len, esa_file_ptr, ES_GET); - esa_file_ptr += sizeof (uint32_t); - cryptodebug("Contents of esa file: main_sig_len=%d", main_sig_len); - main_sig = esa_file_ptr; - - esa_file_ptr += main_sig_len; - - /* verify .esa main signature versus original signature */ - if (main_sig_len != orig_sig_len || - memcmp(main_sig, orig_sig, orig_sig_len) != 0) { - cryptoerror(LOG_STDERR, - gettext("Unable to match original signature from %s."), - elfobj_esa); - goto cleanup; - } - - elfsign_buffer_len(ess, &esa_dn_len, esa_file_ptr, ES_GET); - esa_file_ptr += sizeof (uint32_t); - cryptodebug("Contents of esa file: esa_dn_len=%d", esa_dn_len); - - esa_dn = malloc(esa_dn_len + 1); - if (esa_dn == NULL) { - cryptoerror(LOG_ERR, - gettext("Unable to allocate memory for dn buffer.")); - goto cleanup; - } - (void) memcpy(esa_dn, esa_file_ptr, esa_dn_len); - esa_dn[esa_dn_len] = '\0'; - esa_file_ptr += esa_dn_len; - cryptodebug("Contents of 
esa file: esa_dn=%s", esa_dn); - - elfsign_buffer_len(ess, &esa_sig_len, esa_file_ptr, ES_GET); - esa_file_ptr += sizeof (uint32_t); - cryptodebug("Contents of esa file: esa_sig_len=%d", esa_sig_len); - - esa_sig = esa_file_ptr; - - cryptodebug("Read esa contents, now verifying"); - - /* - * dn used in .esa file should not be limited. - */ - if (strstr(esa_dn, USAGELIMITED) != NULL) { - cryptoerror(LOG_ERR, - gettext("DN for .esa file is tagged as limited for %s.\n" - "Activation files should only be tagged as unlimited.\n" - "Please contact vendor for this provider"), - ess->es_pathname); - goto cleanup; - } - - if (!elfcertlib_getcert(ess, ess->es_certpath, esa_dn, &cert, - ess->es_action)) { - cryptodebug(gettext("unable to find certificate " - "with DN=\"%s\" for %s"), - esa_dn, ess->es_pathname); - goto cleanup; - } - - /* - * Since we've already matched the original signature - * and the main file signature, we can just verify the esa signature - * against the main file signature. 
- */ - esa_buf_len = sizeof (uint32_t) + main_sig_len; - - if (elfsign_hash_esa(ess, esa_file_buffer, esa_buf_len, - &hash_ptr, &hash_len) != ELFSIGN_SUCCESS) { - cryptoerror(LOG_STDERR, - gettext("Unable to hash activation contents.")); - goto cleanup; - } - - - if (!elfcertlib_verifysig(ess, cert, esa_sig, esa_sig_len, - hash_ptr, hash_len)) { - cryptoerror(LOG_STDERR, - gettext("Unable to verify .esa contents for %s"), - ess->es_pathname); - goto cleanup; - } - - cryptodebug("Verified esa contents"); - if (ess->es_sigvercallback) - (ess->es_sigvercallback) (ess->es_callbackctx, - esa_file_buffer, statbuf.st_size, cert); - - /* - * validate the certificate used to sign the activation file - */ - if (!elfcertlib_verifycert(ess, cert)) { - cryptoerror(LOG_STDERR, - gettext("Unable to verify .esa certificate %s for %s"), - esa_dn, ess->es_pathname); - goto cleanup; - } - - cryptodebug("Verified esa certificate"); - ret = ELFSIGN_SUCCESS; - -cleanup: - if (elfobj_esa != NULL) - free(elfobj_esa); - - if (esa_fd != -1) - (void) close(esa_fd); - - if (esa_file_buffer != NULL) - (void) munmap((caddr_t)esa_file_buffer, statbuf.st_size); - - if (esa_dn != NULL) - free(esa_dn); - - if (cert != NULL) - elfcertlib_releasecert(ess, cert); - - return (ret); -} static uint32_t elfsign_switch_uint32(uint32_t i) @@ -1547,9 +1296,6 @@ elfsign_strerror(ELFsign_status_t elferror) case ELFSIGN_INVALID_ELFOBJ: msg = gettext("unable to open as an ELF object"); break; - case ELFSIGN_RESTRICTED: - msg = gettext("ELF object is restricted"); - break; case ELFSIGN_UNKNOWN: default: msg = gettext("Unknown error"); diff --git a/usr/src/lib/libelfsign/common/libelfsign.h b/usr/src/lib/libelfsign/common/libelfsign.h index cfbb627eea..27b72e18a1 100644 --- a/usr/src/lib/libelfsign/common/libelfsign.h +++ b/usr/src/lib/libelfsign/common/libelfsign.h 
@@ -20,8 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _LIBELFSIGN_H @@ -33,7 +32,7 @@ extern "C" { /* * libelfsign Private Interfaces - * This Header file should not be shipped as part of Solaris binary or + * This header file should not be shipped as part of Solaris binary or * source products. */ @@ -49,8 +48,6 @@ extern "C" { */ #define ELFSIGN_CRYPTO "Solaris Cryptographic Framework" #define USAGELIMITED "OU=UsageLimited" -#define ESA ".esa" -#define ESA_LEN sizeof (".esa") typedef enum ELFCert_VStatus_e { E_UNCHECKED, @@ -134,8 +131,6 @@ extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash, size_t *hash_len); extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess, uchar_t *hash, size_t *hash_len); -extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess, - uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len); extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp, enum ES_ACTION action); diff --git a/usr/src/lib/libelfsign/common/mapfile.map b/usr/src/lib/libelfsign/common/mapfile.map index 759927d980..a500384e1c 100644 --- a/usr/src/lib/libelfsign/common/mapfile.map +++ b/usr/src/lib/libelfsign/common/mapfile.map @@ -20,8 +20,7 @@ */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. */ @@ -46,7 +45,6 @@ SUNW_1.1 { elfsign_end; elfsign_extract_sig; elfsign_hash; - elfsign_hash_esa; elfsign_hash_mem_resident; elfsign_insert_dso; elfsign_setcallbackctx; diff --git a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c index 00187d5021..d0b306c948 100644 --- a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c +++ b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c 
@@ -698,7 +698,6 @@ pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs) switch (estatus) { case ELFSIGN_SUCCESS: - case ELFSIGN_RESTRICTED: break; case ELFSIGN_NOTSIGNED: estatus_str = "not a signed provider."; diff --git a/usr/src/tools/codesign/creds b/usr/src/tools/codesign/creds index 37b268e9ff..4cba87e03d 100644 --- a/usr/src/tools/codesign/creds +++ b/usr/src/tools/codesign/creds @@ -18,20 +18,13 @@ # CDDL HEADER END # # -# Copyright 2007 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. -# -# ident "%Z%%M% %I% %E% SMI" +# Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. # # The following is a list of regular expressions that are matched against # the (temporary) signature on a crypto module created during the build # process. The first regular expression that matches is used to select the # signing credential to use for the file. # -# Order is important: Files marked UsageLimited will also match the -# "Solaris Cryptographic Framework" entry. -# # Credential name Regular expression # --------------- ------------------ -CryptoLimited_v2 UsageLimited Crypto_v2 Solaris Cryptographic Framework diff --git a/usr/src/uts/common/crypto/api/kcf_cipher.c b/usr/src/uts/common/crypto/api/kcf_cipher.c index 2cdacf1259..b365521690 100644 --- a/usr/src/uts/common/crypto/api/kcf_cipher.c +++ b/usr/src/uts/common/crypto/api/kcf_cipher.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> 
@@ -119,12 +118,12 @@ crypto_cipher_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { if (func == CRYPTO_FG_ENCRYPT) { error = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_ENCRYPT); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_ENCRYPT); } else { error = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DECRYPT); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_DECRYPT); } if (error != CRYPTO_SUCCESS) @@ -241,7 +240,7 @@ crypto_cipher_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, func, CHECK_RESTRICT(crq), 0)) == NULL) { + list, func, 0)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -330,8 +329,8 @@ crypto_encrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { error = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_ENCRYPT_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_ENCRYPT_ATOMIC); if (error != CRYPTO_SUCCESS) return (error); @@ -367,8 +366,7 @@ crypto_encrypt(crypto_mechanism_t *mech, crypto_data_t *plaintext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_ENCRYPT_ATOMIC, CHECK_RESTRICT(crq), - plaintext->cd_length)) == NULL) { + list, CRYPTO_FG_ENCRYPT_ATOMIC, plaintext->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); 
@@ -612,8 +610,8 @@ crypto_decrypt_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DECRYPT_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_DECRYPT_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -650,8 +648,7 @@ crypto_decrypt(crypto_mechanism_t *mech, crypto_data_t *ciphertext, retry: /* pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_DECRYPT_ATOMIC, CHECK_RESTRICT(crq), - ciphertext->cd_length)) == NULL) { + list, CRYPTO_FG_DECRYPT_ATOMIC, ciphertext->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); diff --git a/usr/src/uts/common/crypto/api/kcf_digest.c b/usr/src/uts/common/crypto/api/kcf_digest.c index 2a102ac410..7ed7d0fd91 100644 --- a/usr/src/uts/common/crypto/api/kcf_digest.c +++ b/usr/src/uts/common/crypto/api/kcf_digest.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> @@ -106,8 +105,8 @@ crypto_digest_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_DIGEST_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_DIGEST_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); 
@@ -139,8 +138,7 @@ crypto_digest(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, NULL, &error, - list, CRYPTO_FG_DIGEST_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + list, CRYPTO_FG_DIGEST_ATOMIC, data->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -221,8 +219,8 @@ crypto_digest_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { error = kcf_get_hardware_provider(mech->cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_DIGEST); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_DIGEST); if (error != CRYPTO_SUCCESS) return (error); @@ -281,7 +279,7 @@ crypto_digest_init(crypto_mechanism_t *mech, crypto_context_t *ctxp, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, NULL, NULL, &error, - list, CRYPTO_FG_DIGEST, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_DIGEST, 0)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); diff --git a/usr/src/uts/common/crypto/api/kcf_dual.c b/usr/src/uts/common/crypto/api/kcf_dual.c index 0582e5475d..7d6f726e72 100644 --- a/usr/src/uts/common/crypto/api/kcf_dual.c +++ b/usr/src/uts/common/crypto/api/kcf_dual.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> 
@@ -71,8 +70,8 @@ crypto_encrypt_mac_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(encr_mech->cm_type, encr_key, - mac_mech->cm_type, mac_key, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_ENCRYPT_MAC_ATOMIC); + mac_mech->cm_type, mac_key, pd, &real_provider, + CRYPTO_FG_ENCRYPT_MAC_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -200,7 +199,7 @@ retry: &prov_mac_mechid, &error, list, CRYPTO_FG_ENCRYPT_ATOMIC | CRYPTO_FG_ENCRYPT_MAC_ATOMIC, CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_ENCRYPT_MAC_ATOMIC, - CHECK_RESTRICT(crq), ct->dd_len1); + ct->dd_len1); if (pd == NULL) { if (list != NULL) kcf_free_triedlist(list); @@ -438,8 +437,8 @@ crypto_encrypt_mac_init_prov(crypto_provider_t provider, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(encr_mech->cm_type, encr_key, - mac_mech->cm_type, mac_key, CHECK_RESTRICT(cr), pd, - &real_provider, CRYPTO_FG_ENCRYPT_MAC); + mac_mech->cm_type, mac_key, pd, &real_provider, + CRYPTO_FG_ENCRYPT_MAC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -580,8 +579,7 @@ retry: pd = kcf_get_dual_provider(encr_mech, encr_key, mac_mech, mac_key, &me, &prov_encr_mechid, &prov_mac_mechid, &error, list, - CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_MAC, CRYPTO_FG_MAC, - CHECK_RESTRICT(cr), 0); + CRYPTO_FG_ENCRYPT | CRYPTO_FG_ENCRYPT_MAC, CRYPTO_FG_MAC, 0); if (pd == NULL) { if (list != NULL) kcf_free_triedlist(list); @@ -1157,8 +1155,7 @@ retry: &me, &prov_decr_mechid, &prov_mac_mechid, &error, list, CRYPTO_FG_DECRYPT_ATOMIC | CRYPTO_FG_MAC_DECRYPT_ATOMIC, - CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_MAC_DECRYPT_ATOMIC, - CHECK_RESTRICT(crq), ct->dd_len2); + CRYPTO_FG_MAC_ATOMIC | CRYPTO_FG_MAC_DECRYPT_ATOMIC, ct->dd_len2); if (pd == NULL) { if (list != NULL) kcf_free_triedlist(list); 
@@ -1414,8 +1411,8 @@ crypto_mac_decrypt_common_prov(crypto_provider_t provider, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { error = kcf_get_hardware_provider(decr_mech->cm_type, decr_key, - mac_mech->cm_type, mac_key, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC_DECRYPT_ATOMIC); + mac_mech->cm_type, mac_key, pd, &real_provider, + CRYPTO_FG_MAC_DECRYPT_ATOMIC); if (error != CRYPTO_SUCCESS) return (error); @@ -1551,8 +1548,7 @@ retry: pd = kcf_get_dual_provider(decr_mech, decr_key, mac_mech, mac_key, &me, &prov_decr_mechid, &prov_mac_mechid, &error, list, - CRYPTO_FG_DECRYPT | CRYPTO_FG_MAC_DECRYPT, CRYPTO_FG_MAC, - CHECK_RESTRICT(cr), 0); + CRYPTO_FG_DECRYPT | CRYPTO_FG_MAC_DECRYPT, CRYPTO_FG_MAC, 0); if (pd == NULL) { if (list != NULL) kcf_free_triedlist(list); @@ -1864,8 +1860,8 @@ crypto_mac_decrypt_init_prov(crypto_provider_t provider, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(decr_mech->cm_type, decr_key, - mac_mech->cm_type, mac_key, CHECK_RESTRICT(cr), pd, - &real_provider, CRYPTO_FG_MAC_DECRYPT); + mac_mech->cm_type, mac_key, pd, &real_provider, + CRYPTO_FG_MAC_DECRYPT); if (rv != CRYPTO_SUCCESS) return (rv); diff --git a/usr/src/uts/common/crypto/api/kcf_keys.c b/usr/src/uts/common/crypto/api/kcf_keys.c index d6f35d2295..ed3bbfedb4 100644 --- a/usr/src/uts/common/crypto/api/kcf_keys.c +++ b/usr/src/uts/common/crypto/api/kcf_keys.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> 
@@ -51,8 +50,8 @@ crypto_key_generate(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_GENERATE); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_GENERATE); if (rv != CRYPTO_SUCCESS) return (rv); @@ -90,8 +89,8 @@ crypto_key_generate_pair(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_GENERATE_KEY_PAIR); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_GENERATE_KEY_PAIR); if (rv != CRYPTO_SUCCESS) return (rv); @@ -130,8 +129,8 @@ crypto_key_wrap(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, wrapping_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_WRAP); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_WRAP); if (rv != CRYPTO_SUCCESS) return (rv); @@ -170,8 +169,8 @@ crypto_key_unwrap(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, unwrapping_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_UNWRAP); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_UNWRAP); if (rv != CRYPTO_SUCCESS) return (rv); 
@@ -210,8 +209,8 @@ crypto_key_derive(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, base_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_DERIVE); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_DERIVE); if (rv != CRYPTO_SUCCESS) return (rv); diff --git a/usr/src/uts/common/crypto/api/kcf_mac.c b/usr/src/uts/common/crypto/api/kcf_mac.c index 601f67eb18..8f4f1e16ee 100644 --- a/usr/src/uts/common/crypto/api/kcf_mac.c +++ b/usr/src/uts/common/crypto/api/kcf_mac.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> @@ -106,8 +105,8 @@ crypto_mac_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_MAC_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -142,8 +141,7 @@ crypto_mac(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + list, CRYPTO_FG_MAC_ATOMIC, data->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); 
@@ -231,8 +229,8 @@ crypto_mac_verify_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_MAC_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -267,8 +265,7 @@ crypto_mac_verify(crypto_mechanism_t *mech, crypto_data_t *data, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_MAC_ATOMIC, CHECK_RESTRICT(crq), - data->cd_length)) == NULL) { + list, CRYPTO_FG_MAC_ATOMIC, data->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -385,8 +382,8 @@ crypto_mac_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_MAC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_MAC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -448,7 +445,7 @@ crypto_mac_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_MAC, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_MAC, 0)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); diff --git a/usr/src/uts/common/crypto/api/kcf_miscapi.c b/usr/src/uts/common/crypto/api/kcf_miscapi.c index 29fdab7a06..a8be13a09e 100644 --- a/usr/src/uts/common/crypto/api/kcf_miscapi.c +++ b/usr/src/uts/common/crypto/api/kcf_miscapi.c 
@@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/types.h> @@ -860,7 +859,7 @@ crypto_get_provinfo(crypto_provider_t hndl, crypto_provider_ext_info_t *info) pd = (kcf_provider_desc_t *)hndl; rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(provider_ops), CRYPTO_PROVIDER_OFFSET(ext_info), - CHECK_RESTRICT_FALSE, pd, &real_provider); + pd, &real_provider); if (rv == CRYPTO_SUCCESS && real_provider != NULL) { ASSERT(real_provider == pd || diff --git a/usr/src/uts/common/crypto/api/kcf_object.c b/usr/src/uts/common/crypto/api/kcf_object.c index 148ed9a817..5789a73df8 100644 --- a/usr/src/uts/common/crypto/api/kcf_object.c +++ b/usr/src/uts/common/crypto/api/kcf_object.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,13 +19,10 @@ * CDDL HEADER END */ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <sys/errno.h> #include <sys/types.h> #include <sys/kmem.h> 
@@ -56,7 +52,7 @@ crypto_object_create(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_create), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -93,7 +89,7 @@ crypto_object_destroy(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_destroy), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -131,7 +127,7 @@ crypto_object_copy(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_copy), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -171,7 +167,7 @@ crypto_object_get_attribute_value(crypto_provider_t provider, rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_get_attribute_value), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -210,7 +206,7 @@ crypto_object_set_attribute_value(crypto_provider_t provider, rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_set_attribute_value), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); 
@@ -247,7 +243,7 @@ crypto_object_get_size(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_get_size), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -289,7 +285,7 @@ crypto_object_find_init(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_find_init), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -323,7 +319,7 @@ crypto_object_find_final(crypto_provider_t provider, void *cookie, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_find_final), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -360,7 +356,7 @@ crypto_object_find(crypto_provider_t provider, void *cookie, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( object_ops), CRYPTO_OBJECT_OFFSET(object_find), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); diff --git a/usr/src/uts/common/crypto/api/kcf_random.c b/usr/src/uts/common/crypto/api/kcf_random.c index daaa18d0f5..9b7c7155e9 100644 --- a/usr/src/uts/common/crypto/api/kcf_random.c +++ b/usr/src/uts/common/crypto/api/kcf_random.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. */ /* 
@@ -165,7 +164,7 @@ kcf_rngprov_check(void) kcf_provider_desc_t *pd; if ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, - NULL, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { + NULL, CRYPTO_FG_RANDOM, 0)) != NULL) { KCF_PROV_REFRELE(pd); /* * We logged a warning once about no provider being available @@ -223,7 +222,7 @@ rngprov_getbytes(uint8_t *ptr, size_t need, boolean_t is_taskq_thr) kcf_prov_tried_t *list = NULL; while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, - list, CRYPTO_FG_RANDOM, B_FALSE, 0)) != NULL) { + list, CRYPTO_FG_RANDOM, 0)) != NULL) { prov_cnt++; @@ -305,7 +304,7 @@ rngprov_getbytes_nblk(uint8_t *ptr, size_t len) req.cr_callback_func = notify_done; while ((pd = kcf_get_mech_provider(rngmech_type, NULL, NULL, &rv, - list, CRYPTO_FG_RANDOM, CHECK_RESTRICT(&req), 0)) != NULL) { + list, CRYPTO_FG_RANDOM, 0)) != NULL) { prov_cnt ++; switch (pd->pd_prov_type) { diff --git a/usr/src/uts/common/crypto/api/kcf_session.c b/usr/src/uts/common/crypto/api/kcf_session.c index b887829ea3..9d9cd69e6a 100644 --- a/usr/src/uts/common/crypto/api/kcf_session.c +++ b/usr/src/uts/common/crypto/api/kcf_session.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,13 +19,10 @@ * CDDL HEADER END */ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. */ -#pragma ident "%Z%%M% %I% %E% SMI" - #include <sys/errno.h> #include <sys/types.h> #include <sys/kmem.h> 
@@ -54,8 +50,7 @@ crypto_call_req_t *crq) /* find a provider that supports session ops */ (void) kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET(session_ops), - CRYPTO_SESSION_OFFSET(session_open), - CHECK_RESTRICT(crq), pd, &real_provider); + CRYPTO_SESSION_OFFSET(session_open), pd, &real_provider); if (real_provider != NULL) { int rv; @@ -93,14 +88,13 @@ crypto_session_close(crypto_provider_t provider, crypto_session_id_t sid, kcf_provider_desc_t *pd = provider; if (pd == NULL) - return (CRYPTO_ARGUMENTS_BAD); + return (CRYPTO_ARGUMENTS_BAD); ASSERT(KCF_PROV_REFHELD(pd)); /* find a provider that supports session ops */ (void) kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET(session_ops), - CRYPTO_SESSION_OFFSET(session_close), CHECK_RESTRICT(crq), - pd, &real_provider); + CRYPTO_SESSION_OFFSET(session_close), pd, &real_provider); ASSERT(real_provider == pd || pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER); @@ -138,7 +132,7 @@ crypto_session_login(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( session_ops), CRYPTO_SESSION_OFFSET(session_login), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); @@ -174,7 +168,7 @@ crypto_session_logout(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET( session_ops), CRYPTO_SESSION_OFFSET(session_logout), - CHECK_RESTRICT(crq), pd, &real_provider); + pd, &real_provider); if (rv != CRYPTO_SUCCESS) return (rv); diff --git a/usr/src/uts/common/crypto/api/kcf_sign.c b/usr/src/uts/common/crypto/api/kcf_sign.c index f7394dceed..ff15bcd747 100644 --- a/usr/src/uts/common/crypto/api/kcf_sign.c +++ b/usr/src/uts/common/crypto/api/kcf_sign.c 
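Review bot: Both rewritten calls in kcf_session.c, the `session_open` lookup in `@@ -54,8 +50,7 @@` and the one in crypto_session_close in `@@ -93,14 +88,13 @@`, still cast the result of `kcf_get_hardware_provider_nomech()` to `(void)`, while crypto_session_login and crypto_session_logout in the same file return on `rv != CRYPTO_SUCCESS`. In the close path the only visible follow-up is an `ASSERT` that does not test `real_provider` for NULL; the code after it is outside the hunk, so whether NULL is handled there cannot be confirmed from here. Since these lines are being touched anyway, I would add a comment at each call explaining why the status is dropped, e.g. `/* status ignored: failure leaves real_provider NULL, checked below */`, or use the `rv` check from the login path if that does not hold. Both function bodies continue outside the hunks.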
@@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> @@ -58,8 +57,8 @@ crypto_sign_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_SIGN); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_SIGN); if (rv != CRYPTO_SUCCESS) return (rv); @@ -102,7 +101,7 @@ crypto_sign_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_SIGN, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_SIGN, 0)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -239,8 +238,8 @@ crypto_sign_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_SIGN_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_SIGN_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -270,7 +269,7 @@ sign_sr_atomic_common(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, fg, CHECK_RESTRICT(crq), data->cd_length)) == NULL) { + list, fg, data->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); 
@@ -359,8 +358,8 @@ crypto_sign_recover_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_SIGN_RECOVER_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_SIGN_RECOVER_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -398,8 +397,8 @@ crypto_sign_recover_init_prov(crypto_provider_t provider, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_SIGN_RECOVER); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_SIGN_RECOVER); if (rv != CRYPTO_SUCCESS) return (rv); diff --git a/usr/src/uts/common/crypto/api/kcf_verify.c b/usr/src/uts/common/crypto/api/kcf_verify.c index 16ff7a62a6..16c4e5279a 100644 --- a/usr/src/uts/common/crypto/api/kcf_verify.c +++ b/usr/src/uts/common/crypto/api/kcf_verify.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #include <sys/errno.h> @@ -58,8 +57,8 @@ crypto_verify_init_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_VERIFY); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_VERIFY); if (rv != CRYPTO_SUCCESS) return (rv); 
@@ -103,7 +102,7 @@ crypto_verify_init(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, CRYPTO_FG_VERIFY, CHECK_RESTRICT(crq), 0)) == NULL) { + list, CRYPTO_FG_VERIFY, 0)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -241,8 +240,8 @@ crypto_verify_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), - pd, &real_provider, CRYPTO_FG_VERIFY_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_VERIFY_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -272,7 +271,7 @@ verify_vr_atomic_common(crypto_mechanism_t *mech, crypto_key_t *key, retry: /* The pd is returned held */ if ((pd = kcf_get_mech_provider(mech->cm_type, key, &me, &error, - list, fg, CHECK_RESTRICT(crq), data->cd_length)) == NULL) { + list, fg, data->cd_length)) == NULL) { if (list != NULL) kcf_free_triedlist(list); return (error); @@ -361,8 +360,8 @@ crypto_verify_recover_prov(crypto_provider_t provider, crypto_session_id_t sid, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_VERIFY_RECOVER_ATOMIC); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_VERIFY_RECOVER_ATOMIC); if (rv != CRYPTO_SUCCESS) return (rv); @@ -400,8 +399,8 @@ crypto_verify_recover_init_prov(crypto_provider_t provider, if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) { rv = kcf_get_hardware_provider(mech->cm_type, key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT(crq), pd, - &real_provider, CRYPTO_FG_VERIFY_RECOVER); + CRYPTO_MECH_INVALID, NULL, pd, &real_provider, + CRYPTO_FG_VERIFY_RECOVER); if (rv != CRYPTO_SUCCESS) return (rv); 
diff --git a/usr/src/uts/common/crypto/core/kcf.c b/usr/src/uts/common/crypto/core/kcf.c index ea1f125821..e170b77977 100644 --- a/usr/src/uts/common/crypto/core/kcf.c +++ b/usr/src/uts/common/crypto/core/kcf.c @@ -18,9 +18,9 @@ * * CDDL HEADER END */ + /* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ /* @@ -534,11 +534,11 @@ kcf_need_signature_verification(kcf_provider_desc_t *pd) * be called from user context or kernel context. * * We call kcfd with the full pathname of the module to be - * verified. kcfd will return success/restricted/fail, signature length - * and the actual signature in the ELF section of the module. If kcfd - * returns success or restricted, we compare the signature and the length - * with the values that krtld stored in the module structure. We log an - * error message in case of a failure. + * verified. kcfd will return success/fail, signature length + * and the actual signature in the ELF section of the module. If + * kcfd returns success, we compare the signature and the length + * with the values that krtld stored in the module structure. We + * log an error message in case of a failure. * * The provider state is changed to KCF_PROV_READY on success. */ @@ -667,8 +667,7 @@ kcf_verify_signature(void *arg) /* Check kcfd result and compare against module struct fields */ - if (((rkda->da_u.result.status != ELFSIGN_SUCCESS) && - (rkda->da_u.result.status != ELFSIGN_RESTRICTED)) || + if ((rkda->da_u.result.status != ELFSIGN_SUCCESS) || !(rkda->da_u.result.siglen == mp->sigsize) || (bcmp(rkda->da_u.result.signature, mp->sigdata, mp->sigsize))) { @@ -678,11 +677,6 @@ kcf_verify_signature(void *arg) error = 0; } - if (rkda->da_u.result.status == ELFSIGN_RESTRICTED) { - pd->pd_flags |= KCF_PROV_RESTRICTED; - KCF_FRMWRK_DEBUG(2, ("provider is restricted\n")); - } - if (rkda != kda) kmem_free(rkda, darg.rsize); 
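Review bot: The rewritten test in kcf_verify_signature (`@@ -667,8 +667,7 @@`) treats every kcfd reply whose status is not `ELFSIGN_SUCCESS` as a verification failure, which includes the restricted status that a kcfd built before this commit can still return. That fails closed, which is the safe direction, but the coupling between kernel and daemon is not stated anywhere in the hunk. If dropping the enum member renumbered later `ELFsign_status_t` values (the enum is not visible here), a kernel and a daemon from different builds would disagree on what a status means. I would record this next to the check, e.g. `/* kcfd must share this kernel's ELFsign_status_t; anything but ELFSIGN_SUCCESS fails */`. The function body continues outside the hunk.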
diff --git a/usr/src/uts/common/crypto/core/kcf_callprov.c b/usr/src/uts/common/crypto/core/kcf_callprov.c index 29f151db90..6e0b620598 100644 --- a/usr/src/uts/common/crypto/core/kcf_callprov.c +++ b/usr/src/uts/common/crypto/core/kcf_callprov.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ /* @@ -222,7 +221,7 @@ is_valid_provider_for_mech(kcf_provider_desc_t *pd, kcf_mech_entry_t *me, */ int kcf_get_hardware_provider(crypto_mech_type_t mech_type_1, crypto_key_t *key1, - crypto_mech_type_t mech_type_2, crypto_key_t *key2, boolean_t call_restrict, + crypto_mech_type_t mech_type_2, crypto_key_t *key2, kcf_provider_desc_t *old, kcf_provider_desc_t **new, crypto_func_group_t fg) { kcf_provider_desc_t *provider, *real_pd = old; @@ -275,12 +274,6 @@ kcf_get_hardware_provider(crypto_mech_type_t mech_type_1, crypto_key_t *key1, ASSERT(provider->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - if (call_restrict && - (provider->pd_flags & KCF_PROV_RESTRICTED)) { - p = p->pl_next; - continue; - } - if (!is_valid_provider_for_mech(provider, me, fg)) { p = p->pl_next; continue; @@ -351,8 +344,7 @@ kcf_get_hardware_provider(crypto_mech_type_t mech_type_1, crypto_key_t *key1, mutex_exit(&old->pd_lock); } else { - if (!KCF_IS_PROV_USABLE(old) || - (call_restrict && (old->pd_flags & KCF_PROV_RESTRICTED))) { + if (!KCF_IS_PROV_USABLE(old)) { real_pd = NULL; rv = CRYPTO_DEVICE_ERROR; goto out; @@ -390,8 +382,7 @@ out: */ int kcf_get_hardware_provider_nomech(offset_t offset_1, offset_t offset_2, - boolean_t call_restrict, kcf_provider_desc_t *old, - kcf_provider_desc_t **new) + kcf_provider_desc_t *old, kcf_provider_desc_t **new) { kcf_provider_desc_t *provider, *real_pd = old; kcf_provider_desc_t *gpd = NULL; /* good provider */ 
@@ -424,11 +415,6 @@ kcf_get_hardware_provider_nomech(offset_t offset_1, offset_t offset_2, ASSERT(provider->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); - if (call_restrict && - (provider->pd_flags & KCF_PROV_RESTRICTED)) { - p = p->pl_next; - continue; - } if (KCF_PROV_NULL_ENTRY_POINT(provider, offset_1, offset_2, ops)) { p = p->pl_next; @@ -469,8 +455,7 @@ kcf_get_hardware_provider_nomech(offset_t offset_1, offset_t offset_2, } } else { - if (!KCF_IS_PROV_USABLE(old) || - (call_restrict && (old->pd_flags & KCF_PROV_RESTRICTED))) { + if (!KCF_IS_PROV_USABLE(old)) { real_pd = NULL; rv = CRYPTO_DEVICE_ERROR; goto out; @@ -539,13 +524,11 @@ found: * number of providers in this list. If this assumption ever changes, * we should revisit this. * - * call_restrict represents if the caller should not be allowed to - * use restricted providers. */ kcf_provider_desc_t * kcf_get_mech_provider(crypto_mech_type_t mech_type, crypto_key_t *key, kcf_mech_entry_t **mepp, int *error, kcf_prov_tried_t *triedl, - crypto_func_group_t fg, boolean_t call_restrict, size_t data_size) + crypto_func_group_t fg, size_t data_size) { kcf_provider_desc_t *pd = NULL, *gpd = NULL; kcf_prov_mech_desc_t *prov_chain, *mdesc; @@ -602,9 +585,7 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, crypto_key_t *key, if (!IS_FG_SUPPORTED(prov_chain, fg) || !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && - (pd->pd_flags & KCF_PROV_RESTRICTED))) { + IS_PROVIDER_TRIED(pd, triedl)) { prov_chain = prov_chain->pm_next; continue; } @@ -637,8 +618,7 @@ kcf_get_mech_provider(crypto_mech_type_t mech_type, crypto_key_t *key, pd = mdesc->pm_prov_desc; if (!IS_FG_SUPPORTED(mdesc, fg) || !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && (pd->pd_flags & KCF_PROV_RESTRICTED))) + IS_PROVIDER_TRIED(pd, triedl)) pd = NULL; } 
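Review bot: In the hunk at -539, deleting the two `call_restrict` lines from the block comment above kcf_get_mech_provider leaves the empty ` *` separator line sitting directly before the closing ` */`. Drop that line as well, so the comment ends with `* we should revisit this.` followed by ` */`. The comment begins outside the hunk.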
@@ -679,7 +659,7 @@ kcf_get_dual_provider(crypto_mechanism_t *mech1, crypto_key_t *key1, crypto_mechanism_t *mech2, crypto_key_t *key2, kcf_mech_entry_t **mepp, crypto_mech_type_t *prov_mt1, crypto_mech_type_t *prov_mt2, int *error, kcf_prov_tried_t *triedl, - crypto_func_group_t fg1, crypto_func_group_t fg2, boolean_t call_restrict, + crypto_func_group_t fg1, crypto_func_group_t fg2, size_t data_size) { kcf_provider_desc_t *pd = NULL, *pdm1 = NULL, *pdm1m2 = NULL; @@ -730,9 +710,7 @@ kcf_get_dual_provider(crypto_mechanism_t *mech1, crypto_key_t *key1, if (!IS_FG_SUPPORTED(prov_chain, fg1) || !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && - (pd->pd_flags & KCF_PROV_RESTRICTED))) { + IS_PROVIDER_TRIED(pd, triedl)) { prov_chain = prov_chain->pm_next; continue; } @@ -807,8 +785,7 @@ kcf_get_dual_provider(crypto_mechanism_t *mech1, crypto_key_t *key1, pd = mdesc->pm_prov_desc; if (!IS_FG_SUPPORTED(mdesc, fg1) || !KCF_IS_PROV_USABLE(pd) || - IS_PROVIDER_TRIED(pd, triedl) || - (call_restrict && (pd->pd_flags & KCF_PROV_RESTRICTED))) + IS_PROVIDER_TRIED(pd, triedl)) pd = NULL; else { /* See if pd can do me2 too */ diff --git a/usr/src/uts/common/crypto/core/kcf_sched.c b/usr/src/uts/common/crypto/core/kcf_sched.c index 91b0f8c50c..2e48aa29ee 100644 --- a/usr/src/uts/common/crypto/core/kcf_sched.c +++ b/usr/src/uts/common/crypto/core/kcf_sched.c @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ /* 
@@ -537,15 +536,13 @@ kcf_resubmit_request(kcf_areq_node_t *areq) if (mech1 && !mech2) { new_pd = kcf_get_mech_provider(mech1->cm_type, NULL, NULL, - &error, areq->an_tried_plist, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); + &error, areq->an_tried_plist, fg, 0); } else { ASSERT(mech1 != NULL && mech2 != NULL); new_pd = kcf_get_dual_provider(mech1, NULL, mech2, NULL, NULL, &prov_mt1, - &prov_mt2, &error, areq->an_tried_plist, fg, fg, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), 0); + &prov_mt2, &error, areq->an_tried_plist, fg, fg, 0); } if (new_pd == NULL) @@ -1936,8 +1933,7 @@ out: /* No expected recoverable failures, so no retry list */ pd = kcf_get_mech_provider(mops->mo_framework_mechtype, NULL, - &me, &error, NULL, CRYPTO_FG_MAC_ATOMIC, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), ct->dd_len2); + &me, &error, NULL, CRYPTO_FG_MAC_ATOMIC, ct->dd_len2); if (pd == NULL) { error = CRYPTO_MECH_NOT_SUPPORTED; @@ -1968,7 +1964,7 @@ out: /* No expected recoverable failures, so no retry list */ pd = kcf_get_mech_provider(dcrops->dop_framework_mechtype, NULL, NULL, &error, NULL, CRYPTO_FG_DECRYPT_ATOMIC, - (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED), ct->dd_len1); + ct->dd_len1); if (pd == NULL) { error = CRYPTO_MECH_NOT_SUPPORTED; @@ -1984,12 +1980,7 @@ out: ct->dd_offset1 = ct->dd_offset2; ct->dd_len1 = ct->dd_len2; - /* preserve if the caller is restricted */ - if (areq->an_reqarg.cr_flag & CRYPTO_RESTRICTED) { - areq->an_reqarg.cr_flag = CRYPTO_RESTRICTED; - } else { - areq->an_reqarg.cr_flag = 0; - } + areq->an_reqarg.cr_flag = 0; areq->an_reqarg.cr_callback_func = kcf_last_req; areq->an_reqarg.cr_callback_arg = next_req; diff --git a/usr/src/uts/common/crypto/io/crypto.c b/usr/src/uts/common/crypto/io/crypto.c index fbc08a0223..47ce67d708 100644 --- a/usr/src/uts/common/crypto/io/crypto.c +++ b/usr/src/uts/common/crypto/io/crypto.c 
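Review bot: The now unconditional `areq->an_reqarg.cr_flag = 0;` in the hunk at -1984 has lost the only comment that explained what happens to the caller's flags at this point. A reader can no longer tell that clearing every flag before the next request is queued is deliberate. If it is, a line above the assignment such as `/* caller flags are deliberately not carried over to the next request */` would record that. The enclosing function starts and ends outside the hunk.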
@@ -1463,7 +1463,7 @@ get_provider_info(dev_t dev, caddr_t arg, int mode, int *rval) (void) kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(provider_ops), CRYPTO_PROVIDER_OFFSET(ext_info), - CHECK_RESTRICT_FALSE, provider, &real_provider); + provider, &real_provider); if (real_provider != NULL) { ASSERT(real_provider == provider || @@ -1729,8 +1729,7 @@ again: /* find a hardware provider that supports session ops */ (void) kcf_get_hardware_provider_nomech(CRYPTO_OPS_OFFSET(session_ops), - CRYPTO_SESSION_OFFSET(session_open), CHECK_RESTRICT_FALSE, - pd, &real_provider); + CRYPTO_SESSION_OFFSET(session_open), pd, &real_provider); if (real_provider != NULL) { ASSERT(real_provider == pd || @@ -2660,8 +2659,7 @@ cipher_init(dev_t dev, caddr_t arg, int mode, int (*init)(crypto_provider_t, } if ((rv = kcf_get_hardware_provider(mech.cm_type, &key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, - &real_provider, fg)) + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, fg)) != CRYPTO_SUCCESS) { goto out; } @@ -3226,8 +3224,8 @@ digest_init(dev_t dev, caddr_t arg, int mode, int *rval) } if ((rv = kcf_get_hardware_provider(mech.cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, - &real_provider, CRYPTO_FG_DIGEST)) != CRYPTO_SUCCESS) { + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, + CRYPTO_FG_DIGEST)) != CRYPTO_SUCCESS) { goto out; } @@ -3648,8 +3646,7 @@ set_pin(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(provider_ops), CRYPTO_PROVIDER_OFFSET(set_pin), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto out; } 
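Review bot: Two calls to kcf_get_hardware_provider_nomech() in crypto.c, in get_provider_info (hunk at -1463) and after the `again:` label (hunk at -1729), still discard the return value with `(void)` and then test only `real_provider != NULL`. The other call sites this commit touches in crypto.c all check `rv != CRYPTO_SUCCESS`. These two therefore depend on the callee always storing NULL through the out-parameter on failure, or on `real_provider` being initialised before the call, and neither is visible in the hunks. Either capture the result with `rv = kcf_get_hardware_provider_nomech(...)` and branch on it, or add a comment stating why a NULL `real_provider` is the only failure signal needed. Both function bodies extend outside their hunks.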
@@ -3727,9 +3724,8 @@ login(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(session_ops), - CRYPTO_SESSION_OFFSET(session_login), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + CRYPTO_SESSION_OFFSET(session_login), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto out; } @@ -3789,8 +3785,8 @@ logout(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(session_ops), - CRYPTO_SESSION_OFFSET(session_logout), CHECK_RESTRICT_FALSE, - sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { + CRYPTO_SESSION_OFFSET(session_logout), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto out; } @@ -3924,8 +3920,8 @@ sign_verify_init(dev_t dev, caddr_t arg, int mode, } if ((rv = kcf_get_hardware_provider(mech.cm_type, &key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, - &real_provider, fg)) != CRYPTO_SUCCESS) { + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, + fg)) != CRYPTO_SUCCESS) { goto out; } @@ -4343,8 +4339,7 @@ seed_random(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(random_ops), CRYPTO_RANDOM_OFFSET(seed_random), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -4429,8 +4424,8 @@ generate_random(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(random_ops), - CRYPTO_RANDOM_OFFSET(generate_random), CHECK_RESTRICT_FALSE, - sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { + CRYPTO_RANDOM_OFFSET(generate_random), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } 
@@ -4570,9 +4565,8 @@ object_create(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_create), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + CRYPTO_OBJECT_OFFSET(object_create), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -4666,8 +4660,8 @@ object_copy(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_copy), CHECK_RESTRICT_FALSE, - sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { + CRYPTO_OBJECT_OFFSET(object_copy), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -4748,8 +4742,8 @@ object_destroy(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_destroy), CHECK_RESTRICT_FALSE, - sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { + CRYPTO_OBJECT_OFFSET(object_destroy), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto out; } @@ -4838,8 +4832,7 @@ object_get_attribute_value(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), CRYPTO_OBJECT_OFFSET(object_get_attribute_value), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto out; } @@ -4918,7 +4911,7 @@ object_get_size(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_get_size), CHECK_RESTRICT_FALSE, + CRYPTO_OBJECT_OFFSET(object_get_size), sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } 
@@ -5001,8 +4994,7 @@ object_set_attribute_value(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), CRYPTO_OBJECT_OFFSET(object_set_attribute_value), - CHECK_RESTRICT_FALSE, sp->sd_provider, &real_provider)) - != CRYPTO_SUCCESS) { + sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5081,7 +5073,7 @@ object_find_init(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_find_init), CHECK_RESTRICT_FALSE, + CRYPTO_OBJECT_OFFSET(object_find_init), sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5181,8 +5173,8 @@ object_find_update(dev_t dev, caddr_t arg, int mode, int *rval) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_find), CHECK_RESTRICT_FALSE, - sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { + CRYPTO_OBJECT_OFFSET(object_find), sp->sd_provider, + &real_provider)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5242,7 +5234,7 @@ crypto_free_find_ctx(crypto_session_data_t *sp) if ((rv = kcf_get_hardware_provider_nomech( CRYPTO_OPS_OFFSET(object_ops), - CRYPTO_OBJECT_OFFSET(object_find_final), CHECK_RESTRICT_FALSE, + CRYPTO_OBJECT_OFFSET(object_find_final), sp->sd_provider, &real_provider)) != CRYPTO_SUCCESS) { return (rv); } @@ -5353,7 +5345,7 @@ object_generate_key(dev_t dev, caddr_t arg, int mode, int *rval) sizeof (crypto_mech_type_t)); if ((rv = kcf_get_hardware_provider(mech.cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_GENERATE)) != CRYPTO_SUCCESS) { goto release_minor; } 
@@ -5486,7 +5478,7 @@ nostore_generate_key(dev_t dev, caddr_t arg, int mode, int *rval) sizeof (crypto_mech_type_t)); if ((rv = kcf_get_hardware_provider(mech.cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_GENERATE)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5623,7 +5615,7 @@ object_generate_key_pair(dev_t dev, caddr_t arg, int mode, int *rval) sizeof (crypto_mech_type_t)); if ((rv = kcf_get_hardware_provider(mech.cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_GENERATE_KEY_PAIR)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5793,7 +5785,7 @@ nostore_generate_key_pair(dev_t dev, caddr_t arg, int mode, int *rval) sizeof (crypto_mech_type_t)); if ((rv = kcf_get_hardware_provider(mech.cm_type, NULL, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_GENERATE_KEY_PAIR)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -5974,7 +5966,7 @@ object_wrap_key(dev_t dev, caddr_t arg, int mode, int *rval) wrapped_key_len = STRUCT_FGET(wrap_key, wk_wrapped_key_len); if ((rv = kcf_get_hardware_provider(mech.cm_type, &key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_WRAP)) != CRYPTO_SUCCESS) { goto out; } @@ -6136,7 +6128,7 @@ object_unwrap_key(dev_t dev, caddr_t arg, int mode, int *rval) } if ((rv = kcf_get_hardware_provider(mech.cm_type, &unwrapping_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_UNWRAP)) != CRYPTO_SUCCESS) { goto release_minor; } 
@@ -6300,7 +6292,7 @@ object_derive_key(dev_t dev, caddr_t arg, int mode, int *rval) } if ((rv = kcf_get_hardware_provider(mech.cm_type, &base_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_DERIVE)) != CRYPTO_SUCCESS) { goto release_minor; } @@ -6460,7 +6452,7 @@ nostore_derive_key(dev_t dev, caddr_t arg, int mode, int *rval) } if ((rv = kcf_get_hardware_provider(mech.cm_type, &base_key, - CRYPTO_MECH_INVALID, NULL, CHECK_RESTRICT_FALSE, sp->sd_provider, + CRYPTO_MECH_INVALID, NULL, sp->sd_provider, &real_provider, CRYPTO_FG_DERIVE)) != CRYPTO_SUCCESS) { goto release_minor; } diff --git a/usr/src/uts/common/sys/crypto/api.h b/usr/src/uts/common/sys/crypto/api.h index ca789230f4..9dd62eb73e 100644 --- a/usr/src/uts/common/sys/crypto/api.h +++ b/usr/src/uts/common/sys/crypto/api.h @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _SYS_CRYPTO_API_H @@ -47,7 +46,6 @@ typedef uint32_t crypto_call_flag_t; #define CRYPTO_ALWAYS_QUEUE 0x00000001 /* ALWAYS queue the req. */ #define CRYPTO_NOTIFY_OPDONE 0x00000002 /* Notify intermediate steps */ #define CRYPTO_SKIP_REQID 0x00000004 /* Skip request ID generation */ -#define CRYPTO_RESTRICTED 0x00000008 /* cannot use restricted prov */ typedef struct { crypto_call_flag_t cr_flag; diff --git a/usr/src/uts/common/sys/crypto/elfsign.h b/usr/src/uts/common/sys/crypto/elfsign.h index 35f5657e41..82f2afca2a 100644 --- a/usr/src/uts/common/sys/crypto/elfsign.h +++ b/usr/src/uts/common/sys/crypto/elfsign.h @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _SYS_CRYPTO_ELFSIGN_H 
@@ -49,7 +48,6 @@ typedef enum ELFsign_status_e { ELFSIGN_NOTSIGNED, ELFSIGN_INVALID_CERTPATH, ELFSIGN_INVALID_ELFOBJ, - ELFSIGN_RESTRICTED, ELFSIGN_UNAVAILABLE } ELFsign_status_t; diff --git a/usr/src/uts/common/sys/crypto/impl.h b/usr/src/uts/common/sys/crypto/impl.h index bcfbc56466..d01758fc25 100644 --- a/usr/src/uts/common/sys/crypto/impl.h +++ b/usr/src/uts/common/sys/crypto/impl.h @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _SYS_CRYPTO_IMPL_H @@ -167,7 +166,6 @@ typedef enum { #define KCF_IS_PROV_REMOVED(pd) ((pd)->pd_state >= KCF_PROV_UNREGISTERING) /* Internal flags valid for pd_flags field */ -#define KCF_PROV_RESTRICTED 0x40000000 #define KCF_LPROV_MEMBER 0x80000000 /* is member of a logical provider */ /* diff --git a/usr/src/uts/common/sys/crypto/sched_impl.h b/usr/src/uts/common/sys/crypto/sched_impl.h index 73585d4fa3..9b4beb1baa 100644 --- a/usr/src/uts/common/sys/crypto/sched_impl.h +++ b/usr/src/uts/common/sys/crypto/sched_impl.h @@ -19,8 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. + * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. */ #ifndef _SYS_CRYPTO_SCHED_IMPL_H @@ -59,11 +58,6 @@ typedef enum kcf_call_type { CRYPTO_ASYNCH } kcf_call_type_t; -#define CHECK_RESTRICT(crq) (crq != NULL && \ - ((crq)->cr_flag & CRYPTO_RESTRICTED)) - -#define CHECK_RESTRICT_FALSE B_FALSE - #define CHECK_FASTPATH(crq, pd) ((crq) == NULL || \ !((crq)->cr_flag & CRYPTO_ALWAYS_QUEUE)) && \ (pd)->pd_prov_type == CRYPTO_SW_PROVIDER 
@@ -495,21 +489,21 @@ boolean_t kcf_get_next_logical_provider_member(kcf_provider_desc_t *, kcf_provider_desc_t *, kcf_provider_desc_t **); extern int kcf_get_hardware_provider(crypto_mech_type_t, crypto_key_t *, crypto_mech_type_t, crypto_key_t *, - boolean_t, kcf_provider_desc_t *, kcf_provider_desc_t **, + kcf_provider_desc_t *, kcf_provider_desc_t **, crypto_func_group_t); extern int kcf_get_hardware_provider_nomech(offset_t, offset_t, - boolean_t, kcf_provider_desc_t *, kcf_provider_desc_t **); + kcf_provider_desc_t *, kcf_provider_desc_t **); extern void kcf_free_triedlist(kcf_prov_tried_t *); extern kcf_prov_tried_t *kcf_insert_triedlist(kcf_prov_tried_t **, kcf_provider_desc_t *, int); extern kcf_provider_desc_t *kcf_get_mech_provider(crypto_mech_type_t, crypto_key_t *, kcf_mech_entry_t **, int *, kcf_prov_tried_t *, - crypto_func_group_t, boolean_t, size_t); + crypto_func_group_t, size_t); extern kcf_provider_desc_t *kcf_get_dual_provider(crypto_mechanism_t *, crypto_key_t *, crypto_mechanism_t *, crypto_key_t *, kcf_mech_entry_t **, crypto_mech_type_t *, crypto_mech_type_t *, int *, kcf_prov_tried_t *, - crypto_func_group_t, crypto_func_group_t, boolean_t, size_t); + crypto_func_group_t, crypto_func_group_t, size_t); extern crypto_ctx_t *kcf_new_ctx(crypto_call_req_t *, kcf_provider_desc_t *, crypto_session_id_t); extern int kcf_submit_request(kcf_provider_desc_t *, crypto_ctx_t *, |
