Diffstat (limited to 'usr/src/cmd/cmd-crypto')
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c108
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c23
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c86
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c41
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/adm_util.c31
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.c60
-rw-r--r--usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.h21
7 files changed, 148 insertions, 222 deletions
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c
index 1f383d9580..370eeab5ae 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef.c
@@ -43,15 +43,14 @@ static int check_hardware_provider(char *, char *, int *, int *);
* Display the mechanism list for a kernel software provider.
* This implements part of the "cryptoadm list -m" command.
*
- * Parameters phardlist, psoftlist and pfipslist are supplied by
+ * Parameters phardlist and psoftlist are supplied by
* get_soft_info().
* If NULL, this function obtains it by calling getent_kef() and
* then get_kcfconf_info() via get_soft_info() internally.
*/
int
list_mechlist_for_soft(char *provname,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist)
+ entrylist_t *phardlist, entrylist_t *psoftlist)
{
mechlist_t *pmechlist = NULL;
int rc;
@@ -60,8 +59,7 @@ list_mechlist_for_soft(char *provname,
return (FAILURE);
}
- rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist,
- pfipslist);
+ rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist);
if (rc == SUCCESS) {
(void) filter_mechlist(&pmechlist, RANDOM);
print_mechlist(provname, pmechlist);
@@ -117,15 +115,14 @@ list_mechlist_for_hard(char *provname)
* Display the policy information for a kernel software provider.
* This implements part of the "cryptoadm list -p" command.
*
- * Parameters phardlist, psoftlist and pfipslist are supplied by
+ * Parameters phardlist and psoftlist are supplied by
* getent_kef().
* If NULL, this function obtains it by calling get_kcfconf_info()
* via getent_kef() internally.
*/
int
list_policy_for_soft(char *provname,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist)
+ entrylist_t *phardlist, entrylist_t *psoftlist)
{
int rc;
entry_t *pent = NULL;
@@ -145,11 +142,9 @@ list_policy_for_soft(char *provname,
provname);
return (FAILURE);
}
- pent = getent_kef(provname, phardlist, psoftlist,
- pfipslist);
+ pent = getent_kef(provname, phardlist, psoftlist);
- rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist,
- pfipslist);
+ rc = get_soft_info(provname, &pmechlist, phardlist, psoftlist);
if (rc == SUCCESS) {
has_random = filter_mechlist(&pmechlist, RANDOM);
if (pmechlist != NULL) {
@@ -174,7 +169,7 @@ list_policy_for_soft(char *provname,
* Display the policy information for a kernel hardware provider.
* This implements part of the "cryptoadm list -p" command.
*
- * Parameters phardlist, psoftlist and pfipslist are supplied by getent_kef().
+ * Parameters phardlist and psoftlist are supplied by getent_kef().
* If NULL, this function obtains it by calling get_kcfconf_info() via
* getent_kef() internally.
* Parameter pdevlist is supplied by check_kernel_for_hard().
@@ -184,7 +179,7 @@ list_policy_for_soft(char *provname,
int
list_policy_for_hard(char *provname,
entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist, crypto_get_dev_list_t *pdevlist)
+ crypto_get_dev_list_t *pdevlist)
{
entry_t *pent = NULL;
boolean_t in_kernel;
@@ -231,8 +226,7 @@ list_policy_for_hard(char *provname,
* the disabled list from the config file entry. Otherwise,
* if it is active, then all the mechanisms for it are enabled.
*/
- if ((pent = getent_kef(provname, phardlist, psoftlist,
- pfipslist)) != NULL) {
+ if ((pent = getent_kef(provname, phardlist, psoftlist)) != NULL) {
print_kef_policy(provname, pent, has_random, has_mechs);
free_entry(pent);
return (SUCCESS);
@@ -304,7 +298,7 @@ disable_kef_hardware(char *provname, boolean_t rndflag, boolean_t allflag,
* Get the entry of this hardware provider from the config file.
* If there is no entry yet, create one for it.
*/
- if ((pent = getent_kef(provname, NULL, NULL, NULL)) == NULL) {
+ if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
free_mechlist(infolist);
@@ -399,7 +393,6 @@ disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
entry_t *pent = NULL;
entrylist_t *phardlist = NULL;
entrylist_t *psoftlist = NULL;
- entrylist_t *pfipslist = NULL;
boolean_t in_kernel = B_FALSE;
int fd = -1;
int rc = SUCCESS;
@@ -413,8 +406,7 @@ disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
* If it is unloaded, return FAILURE, because the disable subcommand
* can not perform on inactive (unloaded) providers.
*/
- if (check_kernel_for_soft(provname, NULL, &in_kernel) ==
- FAILURE) {
+ if (check_kernel_for_soft(provname, NULL, &in_kernel) == FAILURE) {
return (FAILURE);
} else if (in_kernel == B_FALSE) {
cryptoerror(LOG_STDERR,
@@ -423,8 +415,7 @@ disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
return (FAILURE);
}
- if (get_kcfconf_info(&phardlist, &psoftlist, &pfipslist) ==
- FAILURE) {
+ if (get_kcfconf_info(&phardlist, &psoftlist) == FAILURE) {
cryptoerror(LOG_ERR,
"failed to retrieve the providers' "
"information from the configuration file - %s.",
@@ -436,7 +427,7 @@ disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
* Get the entry of this provider from the kcf.conf file, if any.
* Otherwise, create a new kcf.conf entry for writing back to the file.
*/
- pent = getent_kef(provname, phardlist, psoftlist, pfipslist);
+ pent = getent_kef(provname, phardlist, psoftlist);
if (pent == NULL) { /* create a new entry */
pent = create_entry(provname);
if (pent == NULL) {
@@ -447,8 +438,8 @@ disable_kef_software(char *provname, boolean_t rndflag, boolean_t allflag,
}
/* Get the mechanism list for the software provider from the kernel */
- if (get_soft_info(provname, &infolist, phardlist, psoftlist,
- pfipslist) == FAILURE) {
+ if (get_soft_info(provname, &infolist, phardlist, psoftlist) ==
+ FAILURE) {
rc = FAILURE;
goto out;
}
@@ -545,7 +536,7 @@ enable_kef(char *provname, boolean_t rndflag, boolean_t allflag,
/* Get the entry of this provider from the kcf.conf file, if any. */
- pent = getent_kef(provname, NULL, NULL, NULL);
+ pent = getent_kef(provname, NULL, NULL);
if (is_device(provname)) {
if (pent == NULL) {
@@ -726,7 +717,7 @@ install_kef(char *provname, mechlist_t *mlist)
}
/* Check if the provider already exists */
- if ((pent = getent_kef(provname, NULL, NULL, NULL)) != NULL) {
+ if ((pent = getent_kef(provname, NULL, NULL)) != NULL) {
cryptoerror(LOG_STDERR, gettext("%s exists already."),
provname);
free_entry(pent);
@@ -997,7 +988,7 @@ uninstall_kef(char *provname)
*/
/* Setup ioctl() parameter */
- pent = getent_kef(provname, NULL, NULL, NULL);
+ pent = getent_kef(provname, NULL, NULL);
if (pent != NULL) { /* in kcf.conf */
in_kcfconf = B_TRUE;
free_mechlist(pent->suplist);
@@ -1068,14 +1059,12 @@ refresh(void)
crypto_load_dev_disabled_t *pload_dev_dis = NULL;
entrylist_t *pdevlist = NULL;
entrylist_t *psoftlist = NULL;
- entrylist_t *pfipslist = NULL;
entrylist_t *ptr;
int fd = -1;
int rc = SUCCESS;
int err;
- if (get_kcfconf_info(&pdevlist, &psoftlist, &pfipslist) ==
- FAILURE) {
+ if (get_kcfconf_info(&pdevlist, &psoftlist) == FAILURE) {
cryptoerror(LOG_ERR, "failed to retrieve the providers' "
"information from the configuration file - %s.",
_PATH_KCF_CONF);
@@ -1209,11 +1198,16 @@ refresh(void)
/*
* handle fips_status=enabled|disabled
*/
- ptr = pfipslist;
- if (ptr != NULL && ptr->pent->flag_fips_enabled) {
- rc = do_fips_actions(FIPS140_ENABLE, REFRESH);
- } else {
- rc = do_fips_actions(FIPS140_DISABLE, REFRESH);
+ {
+ int pkcs11_fips_mode = 0;
+
+ /* Get FIPS-140 status from pkcs11.conf */
+ fips_status_pkcs11conf(&pkcs11_fips_mode);
+ if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED) {
+ rc = do_fips_actions(FIPS140_ENABLE, REFRESH);
+ } else {
+ rc = do_fips_actions(FIPS140_DISABLE, REFRESH);
+ }
}
(void) close(fd);
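Review bot: refresh() now chooses between FIPS140_ENABLE and FIPS140_DISABLE solely from the value fips_status_pkcs11conf() stores, and that function (new in adm_uef.c, in this same commit) is void and writes CRYPTO_FIPS_MODE_DISABLED whenever getent_uef() returns NULL — which, if getent_uef() also returns NULL on a failure to open or parse pkcs11.conf (not visible here), turns a transient read error during refresh into an actively applied "disable FIPS-140" action instead of an error. do_fips_actions() in adm_kef_ioctl.c has the same dependency and the same consequence for its duplicate-operation checks. I would give fips_status_pkcs11conf() an int SUCCESS/FAILURE return that is distinct from "entry absent", and have refresh() report rather than act on FAILURE, as sketched below. Separately, the bare `{ … }` block only exists to declare pkcs11_fips_mode mid-function; declaring it with the other locals at the top of refresh() removes the extra nesting. refresh() begins and ends outside this hunk.
```c
	/*
	 * handle fips_status=enabled|disabled
	 */
	if (fips_status_pkcs11conf(&pkcs11_fips_mode) != SUCCESS) {
		/* cannot tell whether FIPS-140 is enabled: do not change it */
		rc = FAILURE;
	} else if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED) {
		rc = do_fips_actions(FIPS140_ENABLE, REFRESH);
	} else {
		rc = do_fips_actions(FIPS140_DISABLE, REFRESH);
	}
	/* … unchanged: close(fd) and cleanup … */
```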
@@ -1244,7 +1238,7 @@ unload_kef_soft(char *provname)
return (FAILURE);
}
- pent = getent_kef(provname, NULL, NULL, NULL);
+ pent = getent_kef(provname, NULL, NULL);
if (pent == NULL) { /* not in kcf.conf */
/* Construct an entry using the provname */
pent = create_entry(provname);
@@ -1387,43 +1381,3 @@ check_hardware_provider(char *provname, char *pname, int *pnum, int *pcount)
free(dev_list);
return (SUCCESS);
}
-
-int
-fips_update_kcfconf(int action)
-{
-
- char *str;
-
- if (action == FIPS140_ENABLE)
- str = "fips-140:fips_status=enabled\n";
- else
- str = "fips-140:fips_status=disabled\n";
-
- if (update_conf(_PATH_KCF_CONF, str) != SUCCESS)
- return (FAILURE);
-
- return (SUCCESS);
-}
-
-void
-fips_status_kcfconf(int *status)
-{
-
- entry_t *pent = NULL;
-
- if ((pent = getent_kef(FIPS_KEYWORD, NULL, NULL, NULL)) == NULL) {
- /*
- * By default (no FIPS entry), we assume FIPS is disabled.
- */
- *status = CRYPTO_FIPS_MODE_DISABLED;
- return;
- }
-
- if (pent->flag_fips_enabled)
- *status = CRYPTO_FIPS_MODE_ENABLED;
- else
- *status = CRYPTO_FIPS_MODE_DISABLED;
-
- return;
-
-}
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c
index c1c759d86a..9dad6d3d78 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_ioctl.c
@@ -402,8 +402,7 @@ get_dev_info(char *devname, int inst_num, int count, mechlist_t **ppmechlist)
*/
int
get_soft_info(char *provname, mechlist_t **ppmechlist,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist)
+ entrylist_t *phardlist, entrylist_t *psoftlist)
{
boolean_t in_kernel = B_FALSE;
crypto_get_soft_info_t *psoft_info;
@@ -422,8 +421,8 @@ get_soft_info(char *provname, mechlist_t **ppmechlist,
if (getzoneid() == GLOBAL_ZONEID) {
/* use kcf.conf for kernel software providers in global zone */
- if ((pent = getent_kef(provname, phardlist, psoftlist,
- pfipslist)) == NULL) {
+ if ((pent = getent_kef(provname, phardlist, psoftlist)) ==
+ NULL) {
/* No kcf.conf entry for this provider */
if (check_kernel_for_soft(provname, NULL, &in_kernel)
@@ -617,13 +616,13 @@ do_fips_actions(int action, int caller)
crypto_fips140_t fips_info;
int fd;
int rc = SUCCESS;
- int kcf_fips_mode = 0;
+ int pkcs11_fips_mode = 0;
- /* Get FIPS-140 status from kcf.conf */
- fips_status_kcfconf(&kcf_fips_mode);
+ /* Get FIPS-140 status from pkcs11.conf */
+ fips_status_pkcs11conf(&pkcs11_fips_mode);
if (action == FIPS140_STATUS) {
- if (kcf_fips_mode == CRYPTO_FIPS_MODE_ENABLED)
+ if (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED)
(void) printf(gettext(
"\tFIPS-140 mode is enabled.\n"));
else
@@ -635,7 +634,7 @@ do_fips_actions(int action, int caller)
if (caller == NOT_REFRESH) {
/* Is it a duplicate operation? */
if ((action == FIPS140_ENABLE) &&
- (kcf_fips_mode == CRYPTO_FIPS_MODE_ENABLED)) {
+ (pkcs11_fips_mode == CRYPTO_FIPS_MODE_ENABLED)) {
cryptoerror(LOG_STDERR,
gettext("FIPS-140 mode has already "
"been enabled.\n"));
@@ -643,7 +642,7 @@ do_fips_actions(int action, int caller)
}
if ((action == FIPS140_DISABLE) &&
- (kcf_fips_mode == CRYPTO_FIPS_MODE_DISABLED)) {
+ (pkcs11_fips_mode == CRYPTO_FIPS_MODE_DISABLED)) {
cryptoerror(LOG_STDERR,
gettext("FIPS-140 mode has already "
"been disabled.\n"));
@@ -651,8 +650,8 @@ do_fips_actions(int action, int caller)
}
if ((action == FIPS140_ENABLE) || (action == FIPS140_DISABLE)) {
- /* Update kcf.conf */
- if ((rc = fips_update_kcfconf(action)) != SUCCESS)
+ /* Update pkcs11.conf */
+ if ((rc = fips_update_pkcs11conf(action)) != SUCCESS)
return (rc);
}
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c
index e858a38d33..c84fc21f24 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/adm_kef_util.c
@@ -35,7 +35,6 @@
#include <zone.h>
#include <sys/stat.h>
#include "cryptoadm.h"
-#include <cryptoutil.h>
static int err; /* To store errno which may be overwritten by gettext() */
static int build_entrylist(entry_t *, entrylist_t **);
@@ -145,7 +144,6 @@ dup_entry(entry_t *pent1)
return (NULL);
}
- pent2->flag_fips_enabled = pent1->flag_fips_enabled;
pent2->sup_count = pent1->sup_count;
pent2->dis_count = pent1->dis_count;
pent2->load = pent1->load;
@@ -248,35 +246,6 @@ parse_sup_dis_list(char *buf, entry_t *pent)
return (rc);
}
-static int
-parse_fips(char *buf, entry_t *pent)
-{
- char *value;
-
- if (strncmp(buf, EF_FIPS_STATUS, sizeof (EF_FIPS_STATUS) - 1) == 0) {
- if (value = strpbrk(buf, SEP_EQUAL)) {
- value++; /* get rid of = */
- if (strcmp(value, DISABLED_KEYWORD) == 0) {
- pent->flag_fips_enabled = B_FALSE;
- } else if (strcmp(value, ENABLED_KEYWORD) == 0) {
- pent->flag_fips_enabled = B_TRUE;
- } else {
- cryptoerror(LOG_ERR, gettext(
- "Failed to parse kcf.conf file.\n"));
- return (FAILURE);
- }
- return (SUCCESS);
- } else {
- return (FAILURE);
- }
- } else {
- /* should not come here */
- cryptoerror(LOG_ERR, gettext(
- "Failed to parse kcf.conf file.\n"));
- return (FAILURE);
- }
-
-}
/*
* Convert a char string containing a line about a provider
@@ -305,15 +274,6 @@ interpret(char *buf, entry_t **ppent)
return (FAILURE);
}
- if (is_fips(token1)) {
- if ((rc = parse_fips(buf + strlen(token1) + 1,
- pent)) != SUCCESS) {
- free_entry(pent);
- }
- *ppent = pent;
- return (rc);
- }
-
if ((token2 = strtok(NULL, SEP_SEMICOLON)) == NULL) {
/* The entry contains a provider name only */
free_entry(pent);
@@ -666,16 +626,6 @@ is_device(char *path)
}
}
-boolean_t
-is_fips(char *name)
-{
- if (strcmp(name, FIPS_KEYWORD) == 0) {
- return (B_TRUE);
- } else {
- return (B_FALSE);
- }
-}
-
/*
* Split a hardware provider name with the "name/inst_num" format into
* a name and a number (e.g., split "mca/0" into "mca" instance 0).
@@ -717,8 +667,7 @@ split_hw_provname(char *provname, char *pname, int *inst_num)
* The kcf.conf file is available only in the global zone.
*/
int
-get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist,
- entrylist_t **ppfipslist)
+get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
{
FILE *pfile = NULL;
char buffer[BUFSIZ];
@@ -733,8 +682,6 @@ get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist,
*ppdevlist = NULL;
*ppsoftlist = NULL;
- *ppfipslist = NULL;
-
while (fgets(buffer, BUFSIZ, pfile) != NULL) {
if (buffer[0] == '#' || buffer[0] == ' ' ||
buffer[0] == '\n'|| buffer[0] == '\t') {
@@ -748,15 +695,7 @@ get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist,
buffer[len] = '\0';
if ((rc = interpret(buffer, &pent)) == SUCCESS) {
- if (is_fips(pent->name)) {
- if (*ppfipslist != NULL) {
- cryptoerror(LOG_STDERR, gettext(
- "multiple fips entries."));
- rc = FAILURE;
- } else {
- rc = build_entrylist(pent, ppfipslist);
- }
- } else if (is_device(pent->name)) {
+ if (is_device(pent->name)) {
rc = build_entrylist(pent, ppdevlist);
} else {
rc = build_entrylist(pent, ppsoftlist);
@@ -764,13 +703,11 @@ get_kcfconf_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist,
} else {
cryptoerror(LOG_STDERR, gettext(
"failed to parse configuration."));
- rc = FAILURE;
}
if (rc != SUCCESS) {
free_entrylist(*ppdevlist);
free_entrylist(*ppsoftlist);
- free_entrylist(*ppfipslist);
free_entry(pent);
break;
}
@@ -800,7 +737,6 @@ get_admindev_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
entrylist_t *tmp_pdev = NULL;
entrylist_t *tmp_psoft = NULL;
entrylist_t *phardlist = NULL, *psoftlist = NULL;
- entrylist_t *pfipslist = NULL;
/*
* Get hardware providers
@@ -844,8 +780,7 @@ get_admindev_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
* Get software providers
*/
if (getzoneid() == GLOBAL_ZONEID) {
- if (get_kcfconf_info(&phardlist, &psoftlist, &pfipslist) !=
- SUCCESS) {
+ if (get_kcfconf_info(&phardlist, &psoftlist) != SUCCESS) {
goto fail_out;
}
}
@@ -859,8 +794,8 @@ get_admindev_info(entrylist_t **ppdevlist, entrylist_t **ppsoftlist)
i < psoftlist_kernel->sl_soft_count;
i++, psoftname = psoftname + strlen(psoftname) + 1) {
pmech = NULL;
- if (get_soft_info(psoftname, &pmech, phardlist, psoftlist,
- pfipslist) != SUCCESS) {
+ if (get_soft_info(psoftname, &pmech, phardlist, psoftlist) !=
+ SUCCESS) {
cryptodebug(
"failed to retrieve the mechanism list for %s.",
psoftname);
@@ -914,15 +849,13 @@ fail_out:
* If NULL, this function calls get_kcfconf_info() internally.
*/
entry_t *
-getent_kef(char *provname, entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist)
+getent_kef(char *provname, entrylist_t *phardlist, entrylist_t *psoftlist)
{
entry_t *pent = NULL;
boolean_t memory_allocated = B_FALSE;
- if ((phardlist == NULL) || (psoftlist == NULL) || (pfipslist == NULL)) {
- if (get_kcfconf_info(&phardlist, &psoftlist, &pfipslist) !=
- SUCCESS) {
+ if ((phardlist == NULL) || (psoftlist == NULL)) {
+ if (get_kcfconf_info(&phardlist, &psoftlist) != SUCCESS) {
return (NULL);
}
memory_allocated = B_TRUE;
@@ -930,8 +863,6 @@ getent_kef(char *provname, entrylist_t *phardlist, entrylist_t *psoftlist,
if (is_device(provname)) {
pent = getent(provname, phardlist);
- } else if (is_fips(provname)) {
- pent = getent(provname, pfipslist);
} else {
pent = getent(provname, psoftlist);
}
@@ -939,7 +870,6 @@ getent_kef(char *provname, entrylist_t *phardlist, entrylist_t *psoftlist,
if (memory_allocated) {
free_entrylist(phardlist);
free_entrylist(psoftlist);
- free_entrylist(pfipslist);
}
return (pent);
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c b/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c
index bf64d845cf..bd016ec2d1 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/adm_uef.c
@@ -1655,3 +1655,44 @@ display_verbose_mech_header()
"- - - - - - - - - - - - - -\n",
gettext("----------------------------"));
}
+
+int
+fips_update_pkcs11conf(int action)
+{
+
+ char *str;
+
+ if (action == FIPS140_ENABLE)
+ str = "fips-140:fips_status=enabled\n";
+ else
+ str = "fips-140:fips_status=disabled\n";
+
+ if (update_conf(_PATH_PKCS11_CONF, str) != SUCCESS)
+ return (FAILURE);
+
+ return (SUCCESS);
+}
+
+void
+fips_status_pkcs11conf(int *status)
+{
+
+ uentry_t *puent = NULL;
+
+ if ((puent = getent_uef(FIPS_KEYWORD)) == NULL) {
+ /*
+ * By default (no fips-140 entry), we assume fips-140
+ * mode is disabled.
+ */
+ *status = CRYPTO_FIPS_MODE_DISABLED;
+ return;
+ }
+
+ if (puent->flag_fips_enabled)
+ *status = CRYPTO_FIPS_MODE_ENABLED;
+ else
+ *status = CRYPTO_FIPS_MODE_DISABLED;
+
+ return;
+
+}
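Review bot: fips_status_pkcs11conf() reads puent->flag_fips_enabled and then drops puent at both exits without releasing it; if getent_uef() hands back an allocated copy, as the free_uentry() pattern used for uentry lookups elsewhere in cryptoadm suggests, every status query (and every refresh and do_fips_actions() call that goes through it) leaks a uentry_t, so add `free_uentry(puent);` once the flag has been read. Neither new function carries the header comment every other function in this file has; I would add `/* Record the FIPS-140 mode in pkcs11.conf; action is FIPS140_ENABLE or FIPS140_DISABLE. */` above fips_update_pkcs11conf() and `/* Read the fips-140 status from pkcs11.conf; a missing entry is reported as disabled. */` above fips_status_pkcs11conf(). fips_update_pkcs11conf() also writes "disabled" for any action value other than FIPS140_ENABLE; its only visible caller gates on ENABLE/DISABLE, but returning FAILURE for anything else would make that contract explicit rather than implicit.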
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/adm_util.c b/usr/src/cmd/cmd-crypto/cryptoadm/adm_util.c
index 84eb911d21..f816a02870 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/adm_util.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/adm_util.c
@@ -110,6 +110,7 @@ update_conf(char *conf_file, char *entry)
{
boolean_t found;
+ boolean_t fips_entry = B_FALSE;
FILE *pfile;
FILE *pfile_tmp;
char tmpfile_name[MAXPATHLEN];
@@ -179,6 +180,17 @@ update_conf(char *conf_file, char *entry)
found = B_TRUE;
found_count++;
}
+ } else {
+ (void) strlcpy(buffer2, buffer, BUFSIZ);
+ ptr = buffer2;
+ if ((name = strtok(ptr, SEP_COLON)) == NULL) {
+ rc = FAILURE;
+ break;
+ } else if (strcmp(FIPS_KEYWORD, name) == 0) {
+ found = B_TRUE;
+ found_count++;
+ fips_entry = B_TRUE;
+ }
}
} else { /* _PATH_KCF_CONF */
if (buffer[0] == '#') {
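Review bot: The new pkcs11.conf branch records a fips-140 match in the same `found`/`found_count` bookkeeping as the keyword matched in the branch just above it (presumably the metaslot entry, cryptoadm.c's other pseudo-entry), and the write-out later in update_conf() (the hunk at `@@ -212`) only substitutes `entry` when `found_count == 1`. So a pkcs11.conf holding both a line matching that first keyword and a fips-140 line reaches the second match with found_count == 2 and takes the non-1 path, whichever entry the caller actually asked to update; and conversely a metaslot update now counts a fips-140 line as a hit. If that reading is right, the match should depend on which entry is being written — compare `name` against the keyword prefix of `entry` instead of against FIPS_KEYWORD unconditionally, or keep a separate counter for the fips-140 line so the two keywords cannot interfere. update_conf() starts and ends outside this hunk.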
@@ -188,9 +200,6 @@ update_conf(char *conf_file, char *entry)
if ((name = strtok(ptr, SEP_COLON)) == NULL) {
rc = FAILURE;
break;
- } else if (strcmp(FIPS_KEYWORD, name) == 0) {
- found = B_TRUE;
- found_count++;
}
} else {
(void) strlcpy(buffer2, buffer, BUFSIZ);
@@ -198,9 +207,6 @@ update_conf(char *conf_file, char *entry)
if ((name = strtok(ptr, SEP_COLON)) == NULL) {
rc = FAILURE;
break;
- } else if (strcmp(FIPS_KEYWORD, name) == 0) {
- found = B_TRUE;
- found_count++;
}
}
}
@@ -212,8 +218,17 @@ update_conf(char *conf_file, char *entry)
} else {
if (found_count == 1) {
if (strcmp(conf_file, _PATH_PKCS11_CONF) == 0) {
- if (fputs(ptr, pfile_tmp) == EOF) {
- rc = FAILURE;
+ if (fips_entry == B_TRUE) {
+ if (fputs(entry, pfile_tmp) ==
+ EOF) {
+ rc = FAILURE;
+ }
+ fips_entry = B_FALSE;
+ } else {
+ if (fputs(ptr, pfile_tmp) ==
+ EOF) {
+ rc = FAILURE;
+ }
}
} else {
if (fputs(entry, pfile_tmp) == EOF) {
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.c b/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.c
index 145c33fad9..1dd7ed669e 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.c
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.c
@@ -659,7 +659,7 @@ do_list(int argc, char **argv)
break;
case PROV_KEF_SOFT:
rc = list_mechlist_for_soft(provname,
- NULL, NULL, NULL);
+ NULL, NULL);
break;
case PROV_KEF_HARD:
rc = list_mechlist_for_hard(provname);
@@ -676,7 +676,7 @@ do_list(int argc, char **argv)
case PROV_KEF_SOFT:
if (getzoneid() == GLOBAL_ZONEID) {
rc = list_policy_for_soft(provname,
- NULL, NULL, NULL);
+ NULL, NULL);
} else {
/*
* TRANSLATION_NOTE
@@ -693,7 +693,7 @@ do_list(int argc, char **argv)
case PROV_KEF_HARD:
if (getzoneid() == GLOBAL_ZONEID) {
rc = list_policy_for_hard(
- provname, NULL, NULL, NULL, NULL);
+ provname, NULL, NULL, NULL);
} else {
/*
* TRANSLATION_NOTE
@@ -1186,7 +1186,7 @@ do_unload(int argc, char **argv)
}
/* Get kcf.conf entry. If none, build a new entry */
- if ((pent = getent_kef(provname, NULL, NULL, NULL)) == NULL) {
+ if ((pent = getent_kef(provname, NULL, NULL)) == NULL) {
if ((pent = create_entry(provname)) == NULL) {
cryptoerror(LOG_STDERR, gettext("out of memory."));
rc = FAILURE;
@@ -1299,7 +1299,9 @@ list_simple_for_all(boolean_t verbose)
}
for (plibptr = pliblist; plibptr != NULL; plibptr = plibptr->next) {
- if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
+ /* skip metaslot and fips-140 entry */
+ if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) &&
+ (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) {
(void) printf(gettext("Provider: %s\n"),
plibptr->puent->name);
if (verbose) {
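Review bot: The "skip metaslot and fips-140 entry" test is now spelled out identically in three places (here, list_mechlist_for_all() and list_policy_for_all(), both later in this file), so the next pseudo-entry added to pkcs11.conf has to be remembered in all three. A small file-scope predicate such as `static boolean_t is_uef_provider(uentry_t *puent) { return (strcmp(puent->name, METASLOT_KEYWORD) != 0 && strcmp(puent->name, FIPS_KEYWORD) != 0); }` used at all three sites would keep them in step and make the intent readable without the comment. list_simple_for_all() starts and ends outside this hunk.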
@@ -1322,7 +1324,6 @@ list_simple_for_all(boolean_t verbose)
char *psoftname;
entrylist_t *pdevlist_conf = NULL;
entrylist_t *psoftlist_conf = NULL;
- entrylist_t *pfipslist_conf = NULL;
if (get_soft_list(&psoftlist_kernel) == FAILURE) {
cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
@@ -1331,8 +1332,8 @@ list_simple_for_all(boolean_t verbose)
} else {
sl_soft_count = psoftlist_kernel->sl_soft_count;
- if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
- &pfipslist_conf) == FAILURE) {
+ if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
+ == FAILURE) {
cryptoerror(LOG_ERR,
"failed to retrieve the providers' "
"information from file kcf.conf - %s.",
@@ -1346,15 +1347,13 @@ list_simple_for_all(boolean_t verbose)
i < sl_soft_count;
++i, psoftname += strlen(psoftname) + 1) {
pent = getent_kef(psoftname,
- pdevlist_conf, psoftlist_conf,
- pfipslist_conf);
+ pdevlist_conf, psoftlist_conf);
(void) printf("\t%s%s\n", psoftname,
(pent == NULL) || (pent->load) ?
"" : gettext(" (inactive)"));
}
free_entrylist(pdevlist_conf);
free_entrylist(psoftlist_conf);
- free_entrylist(pfipslist_conf);
}
free(psoftlist_kernel);
}
@@ -1439,8 +1438,9 @@ list_mechlist_for_all(boolean_t verbose)
plibptr = pliblist;
while (plibptr != NULL) {
- /* skip metaslot entry */
- if (strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) {
+ /* skip metaslot and fips-140 entry */
+ if ((strcmp(plibptr->puent->name, METASLOT_KEYWORD) != 0) &&
+ (strcmp(plibptr->puent->name, FIPS_KEYWORD) != 0)) {
(void) printf(gettext("\nProvider: %s\n"),
plibptr->puent->name);
rv = list_mechlist_for_lib(plibptr->puent->name,
@@ -1470,7 +1470,6 @@ list_mechlist_for_all(boolean_t verbose)
int i;
entrylist_t *pdevlist_conf = NULL;
entrylist_t *psoftlist_conf = NULL;
- entrylist_t *pfipslist_conf = NULL;
if (get_soft_list(&psoftlist_kernel) == FAILURE) {
cryptoerror(LOG_ERR, gettext("Failed to retrieve the "
@@ -1479,8 +1478,8 @@ list_mechlist_for_all(boolean_t verbose)
}
sl_soft_count = psoftlist_kernel->sl_soft_count;
- if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
- &pfipslist_conf) == FAILURE) {
+ if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf)
+ == FAILURE) {
cryptoerror(LOG_ERR,
"failed to retrieve the providers' "
"information from file kcf.conf - %s.",
@@ -1493,10 +1492,10 @@ list_mechlist_for_all(boolean_t verbose)
i < sl_soft_count;
++i, psoftname += strlen(psoftname) + 1) {
pent = getent_kef(psoftname, pdevlist_conf,
- psoftlist_conf, pfipslist_conf);
+ psoftlist_conf);
if ((pent == NULL) || (pent->load)) {
rv = list_mechlist_for_soft(psoftname,
- NULL, NULL, NULL);
+ NULL, NULL);
if (rv == FAILURE) {
rc = FAILURE;
}
@@ -1509,13 +1508,11 @@ list_mechlist_for_all(boolean_t verbose)
free(psoftlist_kernel);
free_entrylist(pdevlist_conf);
free_entrylist(psoftlist_conf);
- free_entrylist(pfipslist_conf);
} else {
/* kcf.conf not there in non-global zone, use /dev/cryptoadm */
entrylist_t *pdevlist_zone = NULL;
entrylist_t *psoftlist_zone = NULL;
- entrylist_t *pfipslist_zone = NULL;
entrylist_t *ptr;
if (get_admindev_info(&pdevlist_zone, &psoftlist_zone) !=
@@ -1527,7 +1524,7 @@ list_mechlist_for_all(boolean_t verbose)
for (ptr = psoftlist_zone; ptr != NULL; ptr = ptr->next) {
rv = list_mechlist_for_soft(ptr->pent->name,
- pdevlist_zone, psoftlist_zone, pfipslist_zone);
+ pdevlist_zone, psoftlist_zone);
if (rv == FAILURE) {
(void) printf(gettext(
"%s: failed to get the mechanism list.\n"),
@@ -1588,7 +1585,6 @@ list_policy_for_all(void)
uentrylist_t *pliblist = NULL;
entrylist_t *pdevlist_conf = NULL;
entrylist_t *psoftlist_conf = NULL;
- entrylist_t *pfipslist_conf = NULL;
entrylist_t *ptr = NULL;
entrylist_t *phead = NULL;
boolean_t found = B_FALSE;
@@ -1612,9 +1608,11 @@ list_policy_for_all(void)
uentrylist_t *plibptr = pliblist;
while (plibptr != NULL) {
- /* skip metaslot entry */
- if (strcmp(plibptr->puent->name,
- METASLOT_KEYWORD) != 0) {
+ /* skip metaslot and fips-140 entry */
+ if ((strcmp(plibptr->puent->name,
+ METASLOT_KEYWORD) != 0) &&
+ (strcmp(plibptr->puent->name,
+ FIPS_KEYWORD) != 0)) {
if (print_uef_policy(plibptr->puent)
== FAILURE) {
rc = FAILURE;
@@ -1653,8 +1651,7 @@ list_policy_for_all(void)
i < sl_soft_count;
++i, psoftname += strlen(psoftname) + 1) {
(void) list_policy_for_soft(psoftname,
- pdevlist_conf, psoftlist_conf,
- pfipslist_conf);
+ pdevlist_conf, psoftlist_conf);
}
free(psoftlist_kernel);
}
@@ -1698,8 +1695,7 @@ list_policy_for_all(void)
return (FAILURE);
}
- if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf,
- &pfipslist_conf) == FAILURE) {
+ if (get_kcfconf_info(&pdevlist_conf, &psoftlist_conf) == FAILURE) {
cryptoerror(LOG_ERR, "failed to retrieve the providers' "
"information from file kcf.conf - %s.",
_PATH_KCF_CONF);
@@ -1733,8 +1729,7 @@ list_policy_for_all(void)
if (found) {
(void) list_policy_for_hard(ptr->pent->name,
- pdevlist_conf, psoftlist_conf, pfipslist_conf,
- pdevlist_kernel);
+ pdevlist_conf, psoftlist_conf, pdevlist_kernel);
if (phead == ptr) {
pdevlist_conf = pdevlist_conf->next;
} else {
@@ -1744,7 +1739,7 @@ list_policy_for_all(void)
free(ptr);
} else {
(void) list_policy_for_hard(provname, pdevlist_conf,
- psoftlist_conf, pfipslist_conf, pdevlist_kernel);
+ psoftlist_conf, pdevlist_kernel);
}
}
@@ -1759,7 +1754,6 @@ list_policy_for_all(void)
free_entrylist(pdevlist_conf);
free_entrylist(psoftlist_conf);
- free_entrylist(pfipslist_conf);
free(pdevlist_kernel);
return (rc);
diff --git a/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.h b/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.h
index 5122c3e452..6b197d9e3d 100644
--- a/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.h
+++ b/usr/src/cmd/cmd-crypto/cryptoadm/cryptoadm.h
@@ -74,7 +74,6 @@ typedef struct entry {
mechlist_t *dislist; /* disabled list */
uint_t dis_count;
boolean_t load; /* B_FALSE after cryptoadm unload */
- boolean_t flag_fips_enabled;
} entry_t;
@@ -97,20 +96,18 @@ extern void free_mechlist(mechlist_t *);
/* adm_kef_util */
extern boolean_t is_device(char *);
-extern boolean_t is_fips(char *);
-extern int fips_update_kcfconf(int);
-extern void fips_status_kcfconf(int *);
+extern int fips_update_pkcs11conf(int);
+extern void fips_status_pkcs11conf(int *);
extern char *ent2str(entry_t *);
extern entry_t *getent_kef(char *provname,
- entrylist_t *pdevlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist);
+ entrylist_t *pdevlist, entrylist_t *psoftlist);
extern int check_kernel_for_soft(char *provname,
crypto_get_soft_list_t *psoftlist, boolean_t *in_kernel);
extern int check_kernel_for_hard(char *provname,
crypto_get_dev_list_t *pdevlist, boolean_t *in_kernel);
extern int disable_mechs(entry_t **, mechlist_t *, boolean_t, mechlist_t *);
extern int enable_mechs(entry_t **, boolean_t, mechlist_t *);
-extern int get_kcfconf_info(entrylist_t **, entrylist_t **, entrylist_t **);
+extern int get_kcfconf_info(entrylist_t **, entrylist_t **);
extern int get_admindev_info(entrylist_t **, entrylist_t **);
extern int get_mech_count(mechlist_t *);
extern entry_t *create_entry(char *provname);
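Review bot: The two new prototypes `fips_update_pkcs11conf` and `fips_status_pkcs11conf` are declared under the `/* adm_kef_util */` section, but this commit defines them in adm_uef.c; the header groups declarations by defining file (the `/* adm_kef */` heading a few lines down, and the adm_uef section it belongs to, are outside this hunk), so they should move to the adm_uef section, or the section comment here will mislead the next reader about where to find them. While at it, a one-line comment on fips_status_pkcs11conf() such as `/* status is set to CRYPTO_FIPS_MODE_ENABLED or CRYPTO_FIPS_MODE_DISABLED; a missing entry reads as disabled */` would document the only contract callers can currently rely on.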
@@ -145,15 +142,12 @@ extern int update_policylist(uentry_t *, mechlist_t *, int);
/* adm_kef */
extern int list_mechlist_for_soft(char *provname,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist);
+ entrylist_t *phardlist, entrylist_t *psoftlist);
extern int list_mechlist_for_hard(char *);
extern int list_policy_for_soft(char *provname,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist);
+ entrylist_t *phardlist, entrylist_t *psoftlist);
extern int list_policy_for_hard(char *provname,
entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist,
crypto_get_dev_list_t *pdevlist);
extern int disable_kef_software(char *, boolean_t, boolean_t, mechlist_t *);
extern int disable_kef_hardware(char *, boolean_t, boolean_t, mechlist_t *);
@@ -173,8 +167,7 @@ extern crypto_unload_soft_module_t *setup_unload_soft(entry_t *);
extern int get_dev_info(char *, int, int, mechlist_t **);
extern int get_dev_list(crypto_get_dev_list_t **);
extern int get_soft_info(char *provname, mechlist_t **ppmechlist,
- entrylist_t *phardlist, entrylist_t *psoftlist,
- entrylist_t *pfipslist);
+ entrylist_t *phardlist, entrylist_t *psoftlist);
extern int get_soft_list(crypto_get_soft_list_t **);
extern int do_fips_actions(int, int);