Diffstat (limited to 'usr/src/cmd')
30 files changed, 32 insertions, 3529 deletions
diff --git a/usr/src/cmd/Makefile.check b/usr/src/cmd/Makefile.check
index 3158bdb9a5..ba624dfc73 100644
--- a/usr/src/cmd/Makefile.check
+++ b/usr/src/cmd/Makefile.check
@@ -21,7 +21,7 @@
 #
 # Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
-# Copyright 2014 Garrett D'Amore <garrett@damore.org>
+# Copyright 2022 Garrett D'Amore <garrett@damore.org>
 # Copyright 2019 Peter Tribble
 # Copyright 2021 Tintri by DDN, Inc. All rights reserved.
 #
@@ -100,7 +100,6 @@ MANIFEST_SUBDIRS= \
 cmd-inet/usr.sbin/in.routed \
 cmd-inet/usr.sbin/in.talkd \
 cmd-inet/usr.sbin/ipsecutils \
- cmd-inet/usr.sbin/kssl/ksslcfg \
 cmd-inet/usr.sbin/routeadm \
 dcs/sparc/sun4u \
 dfs.cmds/sharemgr \
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/Makefile
index da9625bf85..3f794a331a 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/Makefile
+++ b/usr/src/cmd/cmd-inet/usr.sbin/Makefile
@@ -21,7 +21,7 @@
 #
 # Copyright (c) 1990, 2010, Oracle and/or its affiliates. All rights reserved.
-# Copyright 2014 Garrett D'Amore <garrett@damore.org>
+# Copyright 2022 Garrett D'Amore <garrett@damore.org>
 # Copyright 2019, Joyent, Inc.
 #
@@ -33,7 +33,7 @@ PROG= 6to4relay arp if_mpadm \
 ndd ndp $(SYNCPROG)
 MANIFEST= rarp.xml telnet.xml comsat.xml finger.xml \
- login.xml shell.xml rexec.xml socket-filter-kssl.xml
+ login.xml shell.xml rexec.xml
 SVCMETHOD= svc-sockfilter
 ROOTFS_PROG= hostconfig route soconfig
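Review bot: `SVCMETHOD= svc-sockfilter` is kept as a context line of the MANIFEST hunk while `socket-filter-kssl.xml`, the only entry in that MANIFEST list that looks like a socket-filter service, is dropped. The remaining manifests (rarp, telnet, comsat, finger, login, shell, rexec) appear to be inetd services, so it is not visible from this file whether anything still installs or invokes that method script; if no other manifest references it, the `SVCMETHOD` line and the method script itself should be removed in the same change, otherwise a short comment naming the remaining consumer would make the retention deliberate. The SUBDIRS and MSGSUBDIRS hunk that follows drops both kssl subdirectories consistently, so only the method script is in question.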
@@ -64,12 +64,12 @@ SRCS= $(PROGSRCS) $(OTHERSRC)
 SUBDIRS= ifconfig ilbadm in.rdisc in.routed \
 in.talkd inetadm inetconv ipadm ipmpstat ipqosconf ipsecutils \
- kssl/kssladm kssl/ksslcfg nwamadm nwamcfg ping routeadm \
+ nwamadm nwamcfg ping routeadm \
 snoop sppptun traceroute wificonfig
 MSGSUBDIRS= ifconfig ilbadm in.routed in.talkd \
 inetadm inetconv ipadm ipmpstat ipqosconf ipsecutils \
- kssl/ksslcfg nwamadm nwamcfg routeadm sppptun snoop wificonfig
+ nwamadm nwamcfg routeadm sppptun snoop wificonfig
 # This controls the degree of compiler warnings emitted, and is named for
 # 'lint' for historical reasons. Eventually this hack should go away, and all
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
deleted file mode 100644
index 00f4ffdb2e..0000000000
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
-#
-# cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
-#
-
-PROG= kssladm
-
-include $(SRC)/cmd/Makefile.cmd
-
-OBJS = \
- kssladm.o \
- kssladm_create.o \
- kssladm_delete.o \
- ksslutil.o
-
-SRCS = $(OBJS:%.o=%.c)
-
-ROOTUSRLIBPROG = $(PROG:%=$(ROOTLIB)/%)
-
-.KEEP_STATE:
-
-CFLAGS += $(CCVERBOSE)
-CERRWARN += $(CNOWARN_UNINIT)
-CERRWARN += -_gcc=-Wno-address
-
-LDLIBS += -lkmf -lpkcs11 -lcryptoutil -lnsl -lsocket
-
-all: $(PROG)
-
-$(PROG): $(OBJS)
- $(LINK.c) $(OBJS) -o $@ $(LDLIBS) $(DYNFLAGS)
- $(POST_PROCESS)
-
-install: all $(ROOTUSRLIBPROG)
-
-clean:
- $(RM) $(OBJS)
-
-check:
- $(CSTYLE) -pP $(SRCS)
-
-lint: lint_SRCS
-
-include ../../../../Makefile.targ
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.c
deleted file mode 100644
index 7eab57d0cc..0000000000
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.c
+++ /dev/null
@@ -1,166 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <fcntl.h> -#include <strings.h> -#include <libscf.h> -#include <sys/errno.h> -#include <errno.h> -#include <sys/stropts.h> -#include "kssladm.h" - - -/* - * kssladm(8) - * - * Command to manage the entries in kernel SSL proxy table. This is - * a private command called indirectly from ksslcfg(8). 
- */ - -boolean_t verbose = B_FALSE; - -static void -usage_all(void) -{ - (void) fprintf(stderr, "Usage:\n"); - usage_create(B_FALSE); - usage_delete(B_FALSE); -} - -int -main(int argc, char **argv) -{ - int rv = SUCCESS; - - if (argc < 2) { - usage_all(); - return (SMF_EXIT_ERR_CONFIG); - } - - if (strcmp(argv[1], "create") == 0) { - rv = do_create(argc, argv); - } else if (strcmp(argv[1], "delete") == 0) { - rv = do_delete(argc, argv); - } else { - (void) fprintf(stderr, "Unknown sub-command: %s\n", argv[1]); - usage_all(); - rv = SMF_EXIT_ERR_CONFIG; - } - - return (rv); -} - - -/* - * Read a passphrase from the file into the supplied buffer. - * A space character and the characters that follow - * the space character will be ignored. - * Return 0 when no valid passphrase was found in the file. - */ -static int -read_pass_from_file(const char *filename, char *buffer, size_t bufsize) -{ - char *line; - char *p; - FILE *fp; - - fp = fopen(filename, "r"); - if (fp == NULL) { - (void) fprintf(stderr, - "Unable to open password file for reading"); - return (1); - } - - line = fgets(buffer, bufsize, fp); - (void) fclose(fp); - if (line == NULL) { - return (0); - } - - for (p = buffer; *p != '\0'; p++) { - if (isspace(*p)) { - *p = '\0'; - break; - } - } - - return (p - buffer); -} - - -int -get_passphrase(const char *password_file, char *buf, int buf_size) -{ - if (password_file == NULL) { - char *passphrase = getpassphrase("Enter passphrase: "); - if (passphrase) { - return (strlcpy(buf, passphrase, buf_size)); - } - - return (0); - } - - return (read_pass_from_file(password_file, buf, buf_size)); -} - - -int -kssl_send_command(char *buf, int cmd) -{ - int ksslfd; - int rv; - - ksslfd = open("/dev/kssl", O_RDWR); - if (ksslfd < 0) { - perror("Cannot open /dev/kssl"); - return (-1); - } - - if ((rv = ioctl(ksslfd, cmd, buf)) < 0) { - switch (errno) { - case EEXIST: - (void) fprintf(stderr, - "Error: Can not create a INADDR_ANY instance" - " while another instance 
exists.\n"); - break; - case EADDRINUSE: - (void) fprintf(stderr, - "Error: Another instance with the same" - " proxy port exists.\n"); - break; - default: - perror("ioctl failure"); - break; - } - } - - (void) close(ksslfd); - - return (rv); -} diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h deleted file mode 100644 index 2029365f56..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm.h +++ /dev/null 
@@ -1,77 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2010 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#ifndef _KSSLADM_H -#define _KSSLADM_H - -/* - * Common routines and variables used by kssladm files. - */ - -#ifdef __cplusplus -extern "C" { -#endif - -#include <netinet/in.h> -#include <kmfapi.h> - -#define SUCCESS 0 -#define FAILURE 1 -#define ERROR_USAGE 2 - -#define MAX_CHAIN_LENGTH 12 -#define REPORT_KMF_ERROR(r, t, e) { \ - (void) kmf_get_kmf_error_str(r, &e); \ - (void) fprintf(stderr, t ": %s\n", \ - (e != NULL ? 
e : "<unknown error>")); \ - if (e) free(e); \ -} - -#define MAX_ATTR_CNT 8 - -extern boolean_t verbose; - -extern int do_create(int argc, char *argv[]); -extern int do_delete(int argc, char *argv[]); -extern void usage_create(boolean_t do_print); -extern void usage_delete(boolean_t do_print); - -extern int PEM_get_rsa_key_certs(KMF_HANDLE_T, const char *, - char *, KMF_RAW_KEY_DATA **, KMF_X509_DER_CERT **); - -extern int PKCS12_get_rsa_key_certs(KMF_HANDLE_T, const char *, - const char *, KMF_RAW_KEY_DATA **, KMF_X509_DER_CERT **); - -extern int get_passphrase(const char *password_file, char *buf, int buf_size); -extern int kssl_send_command(char *buf, int cmd); -extern int parse_and_set_addr(char *arg1, char *arg2, - struct sockaddr_in6 *addr); - -#ifdef __cplusplus -} -#endif - -#endif /* _KSSLADM_H */ diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c deleted file mode 100644 index 7f3233154f..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c +++ /dev/null 
@@ -1,1224 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - */ - -#include <errno.h> -#include <sys/sysmacros.h> -#include <security/cryptoki.h> -#include <security/pkcs11.h> -#include <stdio.h> -#include <strings.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <netdb.h> -#include <fcntl.h> -#include <inet/kssl/kssl.h> -#include <cryptoutil.h> -#include <libscf.h> -#include "kssladm.h" - -#include <kmfapi.h> - -void -usage_create(boolean_t do_print) -{ - if (do_print) - (void) fprintf(stderr, "Usage:\n"); - (void) fprintf(stderr, "kssladm create" - " -f pkcs11 [-d softtoken_directory] -T <token_label>" - " -C <certificate_label> -x <proxy_port>" - " [-h <ca_certchain_file>]" - " [options] [<server_address>] [<server_port>]\n"); - - (void) fprintf(stderr, "kssladm create" - " -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>" - " [options] [<server_address>] [<server_port>]\n"); - - (void) fprintf(stderr, "kssladm create" - " -f pem -i <cert_and_key_pemfile> -x <proxy_port>" - " [options] [<server_address>] 
[<server_port>]\n"); - - (void) fprintf(stderr, "options are:\n" - "\t[-c <ciphersuites>]\n" - "\t[-p <password_file>]\n" - "\t[-t <ssl_session_cache_timeout>]\n" - "\t[-z <ssl_session_cache_size>]\n" - "\t[-v]\n"); -} - -/* - * Everything is allocated in one single contiguous buffer. - * The layout is the following: - * . the kssl_params_t structure - * . optional buffer containing pin (if key is non extractable) - * . the array of key attribute structs, (value of ck_attrs) - * . the key attributes values (values of ck_attrs[i].ck_value); - * . the array of sizes of the certificates, (referred to as sc_sizes[]) - * . the certificates values (referred to as sc_certs[]) - * - * The address of the certs and key attributes values are offsets - * from the beginning of the big buffer. sc_sizes_offset points - * to sc_sizes[0] and sc_certs_offset points to sc_certs[0]. - */ -static kssl_params_t * -kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, - KMF_X509_DER_CERT *certs, int *paramsize, - char *token_label, KMF_DATA *idstr, - KMF_CREDENTIAL *creds) -{ - int i, tcsize; - kssl_params_t *kssl_params; - kssl_key_t *key; - char *buf; - uint32_t bufsize; - static CK_BBOOL true = TRUE; - static CK_BBOOL false = FALSE; - static CK_OBJECT_CLASS class = CKO_PRIVATE_KEY; - static CK_KEY_TYPE keytype = CKK_RSA; - kssl_object_attribute_t kssl_attrs[MAX_ATTR_CNT]; - CK_ATTRIBUTE exkey_attrs[MAX_ATTR_CNT] = { - {CKA_TOKEN, &true, sizeof (true)}, - {CKA_EXTRACTABLE, &false, sizeof (false)}, - {CKA_CLASS, &class, sizeof (class) }, - {CKA_KEY_TYPE, &keytype, sizeof (keytype) }, - {CKA_ID, NULL, 0} - }; - kssl_object_attribute_t kssl_tmpl_attrs[MAX_ATTR_CNT] = { - {SUN_CKA_MODULUS, 0, 0}, - {SUN_CKA_PUBLIC_EXPONENT, 0, 0}, - {SUN_CKA_PRIVATE_EXPONENT, 0, 0}, - {SUN_CKA_PRIME_1, 0, 0}, - {SUN_CKA_PRIME_2, 0, 0}, - {SUN_CKA_EXPONENT_1, 0, 0}, - {SUN_CKA_EXPONENT_2, 0, 0}, - {SUN_CKA_COEFFICIENT, 0, 0} - }; - KMF_BIGINT priv_key_bignums[MAX_ATTR_CNT]; - int attr_cnt; - - if (nxkey 
&& idstr != NULL) { - exkey_attrs[4].pValue = idstr->Data; - exkey_attrs[4].ulValueLen = idstr->Length; - } - tcsize = 0; - for (i = 0; i < ncerts; i++) - tcsize += certs[i].certificate.Length; - - bufsize = sizeof (kssl_params_t); - bufsize += (tcsize + (MAX_CHAIN_LENGTH * sizeof (uint32_t))); - - if (!nxkey) { - bzero(priv_key_bignums, sizeof (KMF_BIGINT) * - MAX_ATTR_CNT); - /* and the key attributes */ - priv_key_bignums[0] = rsa->rawdata.rsa.mod; - priv_key_bignums[1] = rsa->rawdata.rsa.pubexp; - priv_key_bignums[2] = rsa->rawdata.rsa.priexp; - priv_key_bignums[3] = rsa->rawdata.rsa.prime1; - priv_key_bignums[4] = rsa->rawdata.rsa.prime2; - priv_key_bignums[5] = rsa->rawdata.rsa.exp1; - priv_key_bignums[6] = rsa->rawdata.rsa.exp2; - priv_key_bignums[7] = rsa->rawdata.rsa.coef; - - if (rsa->rawdata.rsa.mod.val == NULL || - rsa->rawdata.rsa.priexp.val == NULL) { - (void) fprintf(stderr, - "missing required attributes in private key.\n"); - return (NULL); - } - - attr_cnt = 0; - for (i = 0; i < MAX_ATTR_CNT; i++) { - if (priv_key_bignums[i].val == NULL) - continue; - kssl_attrs[attr_cnt].ka_type = - kssl_tmpl_attrs[i].ka_type; - kssl_attrs[attr_cnt].ka_value_len = - priv_key_bignums[i].len; - bufsize += sizeof (crypto_object_attribute_t) + - kssl_attrs[attr_cnt].ka_value_len; - attr_cnt++; - } - } else { - /* - * Compute space for the attributes and values that the - * kssl kernel module will need in order to search for - * the private key. 
- */ - for (attr_cnt = 0; attr_cnt < 5; attr_cnt++) { - bufsize += sizeof (crypto_object_attribute_t) + - exkey_attrs[attr_cnt].ulValueLen; - } - if (creds) - bufsize += creds->credlen; - } - - /* Add 4-byte cushion as sc_sizes[0] needs 32-bit alignment */ - bufsize += sizeof (uint32_t); - - /* Now the big memory allocation */ - if ((buf = calloc(bufsize, 1)) == NULL) { - (void) fprintf(stderr, - "Cannot allocate memory for the kssl_params " - "and values\n"); - return (NULL); - } - - /* LINTED */ - kssl_params = (kssl_params_t *)buf; - - buf = (char *)(kssl_params + 1); - - if (!nxkey) { - /* the keys attributes structs array */ - key = &kssl_params->kssl_privkey; - key->ks_format = CRYPTO_KEY_ATTR_LIST; - key->ks_count = attr_cnt; - key->ks_attrs_offset = buf - (char *)kssl_params; - buf += attr_cnt * sizeof (kssl_object_attribute_t); - - attr_cnt = 0; - /* then the key attributes values */ - for (i = 0; i < MAX_ATTR_CNT; i++) { - if (priv_key_bignums[i].val == NULL) - continue; - (void) memcpy(buf, priv_key_bignums[i].val, - priv_key_bignums[i].len); - kssl_attrs[attr_cnt].ka_value_offset = - buf - (char *)kssl_params; - buf += kssl_attrs[attr_cnt].ka_value_len; - attr_cnt++; - } - } else { - char tlabel[CRYPTO_EXT_SIZE_LABEL]; - bzero(tlabel, sizeof (tlabel)); - (void) strlcpy(tlabel, token_label, sizeof (tlabel)); - - /* - * For a non-extractable key, we must provide the PIN - * so the kssl module can access the token to find - * the key handle. - */ - kssl_params->kssl_is_nxkey = 1; - bcopy(tlabel, kssl_params->kssl_token.toklabel, - CRYPTO_EXT_SIZE_LABEL); - kssl_params->kssl_token.pinlen = creds->credlen; - kssl_params->kssl_token.tokpin_offset = - buf - (char *)kssl_params; - kssl_params->kssl_token.ck_rv = 0; - bcopy(creds->cred, buf, creds->credlen); - buf += creds->credlen; - - /* - * Next in the buffer, we must provide the attributes - * that the kssl module will use to search in the - * token to find the protected key handle. 
- */ - key = &kssl_params->kssl_privkey; - key->ks_format = CRYPTO_KEY_ATTR_LIST; - key->ks_count = attr_cnt; - key->ks_attrs_offset = buf - (char *)kssl_params; - - buf += attr_cnt * sizeof (kssl_object_attribute_t); - for (i = 0; i < attr_cnt; i++) { - bcopy(exkey_attrs[i].pValue, buf, - exkey_attrs[i].ulValueLen); - - kssl_attrs[i].ka_type = exkey_attrs[i].type; - kssl_attrs[i].ka_value_offset = - buf - (char *)kssl_params; - kssl_attrs[i].ka_value_len = exkey_attrs[i].ulValueLen; - - buf += exkey_attrs[i].ulValueLen; - } - } - /* Copy the key attributes array here */ - bcopy(kssl_attrs, ((char *)kssl_params) + key->ks_attrs_offset, - attr_cnt * sizeof (kssl_object_attribute_t)); - - buf = (char *)P2ROUNDUP((uintptr_t)buf, sizeof (uint32_t)); - - /* - * Finally, add the certificate chain to the buffer. - */ - kssl_params->kssl_certs.sc_count = ncerts; - - /* First, an array of certificate sizes */ - for (i = 0; i < ncerts; i++) { - uint32_t certsz = (uint32_t)certs[i].certificate.Length; - char *p = buf + (i * sizeof (uint32_t)); - bcopy(&certsz, p, sizeof (uint32_t)); - } - - kssl_params->kssl_certs.sc_sizes_offset = buf - (char *)kssl_params; - buf += MAX_CHAIN_LENGTH * sizeof (uint32_t); - - kssl_params->kssl_certs.sc_certs_offset = buf - (char *)kssl_params; - - /* Now add the certificate data (ASN.1 DER encoded) */ - for (i = 0; i < ncerts; i++) { - bcopy(certs[i].certificate.Data, buf, - certs[i].certificate.Length); - buf += certs[i].certificate.Length; - } - - *paramsize = bufsize; - return (kssl_params); -} - -/* - * Extract a sensitive key via wrap/unwrap operations. - * - * This function requires that we call PKCS#11 API directly since - * KMF does not yet support wrapping/unwrapping of keys. By extracting - * a sensitive key in wrapped form, we then unwrap it into a session key - * object. KMF is then used to find the session key and return it in - * KMF_RAW_KEY format which is then passed along to KSSL by the caller. 
- */ -static KMF_RETURN -get_sensitive_key_data(KMF_HANDLE_T kmfh, - KMF_CREDENTIAL *creds, char *keylabel, - char *idstr, KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey) -{ - KMF_RETURN rv = KMF_OK; - static CK_BYTE aes_param[16]; - static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY; - static CK_KEY_TYPE privkey_type = CKK_RSA; - static CK_BBOOL false = FALSE; - boolean_t kmftrue = B_TRUE; - boolean_t kmffalse = B_FALSE; - char *err = NULL; - char wrapkey_label[BUFSIZ]; - int fd; - uint32_t nkeys = 0; - CK_RV ckrv; - CK_SESSION_HANDLE pk11session; - CK_BYTE aes_key_val[16]; - int numattr = 0; - int idx; - KMF_ATTRIBUTE attrlist[16]; - KMF_KEYSTORE_TYPE kstype; - KMF_KEY_CLASS kclass; - KMF_ENCODE_FORMAT format; - - CK_MECHANISM aes_cbc_pad_mech = {CKM_AES_CBC_PAD, aes_param, - sizeof (aes_param)}; - CK_OBJECT_HANDLE aes_key_obj = CK_INVALID_HANDLE; - CK_OBJECT_HANDLE sess_privkey_obj = CK_INVALID_HANDLE; - CK_BYTE *wrapped_privkey = NULL; - CK_ULONG wrapped_privkey_len = 0; - - CK_ATTRIBUTE unwrap_tmpl[] = { - /* code below depends on the following attribute order */ - {CKA_TOKEN, &false, sizeof (false)}, - {CKA_CLASS, &privkey_class, sizeof (privkey_class)}, - {CKA_KEY_TYPE, &privkey_type, sizeof (privkey_type)}, - {CKA_SENSITIVE, &false, sizeof (false)}, - {CKA_PRIVATE, &false, sizeof (false)}, - {CKA_LABEL, NULL, 0} - }; - - /* - * Create a wrap key with random data. - */ - fd = open("/dev/urandom", O_RDONLY); - if (fd == -1) { - perror("Error reading /dev/urandom"); - return (KMF_ERR_INTERNAL); - } - if (read(fd, aes_key_val, sizeof (aes_key_val)) != - sizeof (aes_key_val)) { - perror("Error reading from /dev/urandom"); - (void) close(fd); - return (KMF_ERR_INTERNAL); - } - (void) close(fd); - - pk11session = kmf_get_pk11_handle(kmfh); - - /* - * Login to create the wrap key stuff. 
- */ - ckrv = C_Login(pk11session, CKU_USER, - (CK_UTF8CHAR_PTR)creds->cred, creds->credlen); - if (ckrv != CKR_OK && ckrv != CKR_USER_ALREADY_LOGGED_IN) { - (void) fprintf(stderr, - "Cannot login to the token. error = %s\n", - pkcs11_strerror(ckrv)); - return (KMF_ERR_INTERNAL); - } - - /* - * Turn the random key into a PKCS#11 session object. - */ - ckrv = SUNW_C_KeyToObject(pk11session, CKM_AES_CBC_PAD, aes_key_val, - sizeof (aes_key_val), &aes_key_obj); - if (ckrv != CKR_OK) { - (void) fprintf(stderr, - "Cannot create wrapping key. error = %s\n", - pkcs11_strerror(ckrv)); - return (KMF_ERR_INTERNAL); - } - - /* - * Find the original private key that we are going to wrap. - */ - kstype = KMF_KEYSTORE_PK11TOKEN; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, - &kstype, sizeof (kstype)); - numattr++; - - kclass = KMF_ASYM_PRI; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR, - &kclass, sizeof (kclass)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, - creds, sizeof (KMF_CREDENTIAL)); - numattr++; - - if (keylabel) { - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, - keylabel, strlen(keylabel)); - numattr++; - } - if (idstr) { - kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR, - idstr, strlen(idstr)); - numattr++; - } - format = KMF_FORMAT_NATIVE; - kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, - &format, sizeof (format)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, - &kmftrue, sizeof (kmftrue)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, - &kmftrue, sizeof (kmftrue)); - numattr++; - - nkeys = 1; - kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, - &nkeys, sizeof (nkeys)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, - key, sizeof (KMF_KEY_HANDLE)); - numattr++; - - rv = kmf_find_key(kmfh, numattr, attrlist); - if (rv != KMF_OK) { - 
REPORT_KMF_ERROR(rv, "Error finding private key", err); - goto out; - } - - /* - * Get the size of the wrapped private key. - */ - bzero(aes_param, sizeof (aes_param)); - ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech, - aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, - NULL, &wrapped_privkey_len); - if (ckrv != CKR_OK) { - /* - * Most common error here is that the token doesn't - * support the wrapping mechanism or the key is - * marked non-extractable. Return an error and let - * the caller deal with it gracefully. - */ - (void) fprintf(stderr, - "Cannot get wrap key size. error = %s\n", - pkcs11_strerror(ckrv)); - rv = KMF_ERR_INTERNAL; - goto out; - } - wrapped_privkey = malloc(wrapped_privkey_len); - if (wrapped_privkey == NULL) { - rv = KMF_ERR_MEMORY; - goto out; - } - /* - * Now get the actual wrapped key data. - */ - ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech, - aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, - wrapped_privkey, &wrapped_privkey_len); - if (ckrv != CKR_OK) { - (void) fprintf(stderr, - "Cannot wrap private key. error = %s\n", - pkcs11_strerror(ckrv)); - rv = KMF_ERR_INTERNAL; - goto out; - } - /* - * Create a label for the wrapped session key so we can find - * it easier later. - */ - (void) snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d", - getpid()); - - unwrap_tmpl[5].pValue = wrapkey_label; - unwrap_tmpl[5].ulValueLen = strlen(wrapkey_label); - - /* - * Unwrap the key into the template and create a temporary - * session private key. - */ - ckrv = C_UnwrapKey(pk11session, &aes_cbc_pad_mech, aes_key_obj, - wrapped_privkey, wrapped_privkey_len, - unwrap_tmpl, 6, &sess_privkey_obj); - if (ckrv != CKR_OK) { - (void) fprintf(stderr, - "Cannot unwrap private key. error = %s\n", - pkcs11_strerror(ckrv)); - rv = KMF_ERR_INTERNAL; - goto out; - } - - /* - * Use KMF to find the session key and return it as RAW data - * so we can pass it along to KSSL. 
- */ - kclass = KMF_ASYM_PRI; - if ((idx = kmf_find_attr(KMF_KEYCLASS_ATTR, attrlist, numattr)) != -1) { - attrlist[idx].pValue = &kclass; - } - - format = KMF_FORMAT_RAWKEY; - if ((idx = kmf_find_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, - numattr)) != -1) { - attrlist[idx].pValue = &format; - } - if (wrapkey_label != NULL && - (idx = kmf_find_attr(KMF_KEYLABEL_ATTR, attrlist, numattr)) != -1) { - attrlist[idx].pValue = wrapkey_label; - attrlist[idx].valueLen = strlen(wrapkey_label); - } - - if ((idx = kmf_find_attr(KMF_PRIVATE_BOOL_ATTR, attrlist, - numattr)) != -1) { - attrlist[idx].pValue = &kmffalse; - } - if ((idx = kmf_find_attr(KMF_TOKEN_BOOL_ATTR, attrlist, - numattr)) != -1) { - attrlist[idx].pValue = &kmffalse; - } - - if ((idx = kmf_find_attr(KMF_KEY_HANDLE_ATTR, attrlist, - numattr)) != -1) { - attrlist[idx].pValue = rawkey; - } - /* - * Clear the IDSTR attribute since it is not part of the - * wrapped session key. - */ - if ((idx = kmf_find_attr(KMF_IDSTR_ATTR, attrlist, - numattr)) != -1) { - attrlist[idx].pValue = NULL; - attrlist[idx].valueLen = 0; - } - - /* The wrapped key should not be sensitive. 
*/ - kmf_set_attr_at_index(attrlist, numattr, KMF_SENSITIVE_BOOL_ATTR, - &false, sizeof (false)); - numattr++; - - rv = kmf_find_key(kmfh, numattr, attrlist); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error finding raw private key", err); - goto out; - } -out: - if (wrapped_privkey) - free(wrapped_privkey); - - if (aes_key_obj != CK_INVALID_HANDLE) - (void) C_DestroyObject(pk11session, aes_key_obj); - - if (sess_privkey_obj != CK_INVALID_HANDLE) - (void) C_DestroyObject(pk11session, sess_privkey_obj); - - return (rv); -} - -static kssl_params_t * -load_from_pkcs11(KMF_HANDLE_T kmfh, - const char *token_label, const char *password_file, - const char *certname, int *bufsize) -{ - KMF_RETURN rv; - KMF_X509_DER_CERT cert; - KMF_KEY_HANDLE key, rawkey; - KMF_CREDENTIAL creds; - KMF_DATA iddata = { 0, NULL }; - kssl_params_t *kssl_params = NULL; - uint32_t ncerts, nkeys; - char *err, *idstr = NULL; - char password_buf[1024]; - int nxkey = 0; - int numattr = 0; - KMF_ATTRIBUTE attrlist[16]; - KMF_KEYSTORE_TYPE kstype; - KMF_KEY_CLASS kclass; - KMF_ENCODE_FORMAT format; - boolean_t false = B_FALSE; - boolean_t true = B_TRUE; - - if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { - perror("Unable to read passphrase"); - goto done; - } - creds.cred = password_buf; - creds.credlen = strlen(password_buf); - - (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE)); - (void) memset(&rawkey, 0, sizeof (KMF_KEY_HANDLE)); - - kstype = KMF_KEYSTORE_PK11TOKEN; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, - &kstype, sizeof (kstype)); - numattr++; - - if (token_label && strlen(token_label)) { - kmf_set_attr_at_index(attrlist, numattr, - KMF_TOKEN_LABEL_ATTR, - (void *)token_label, strlen(token_label)); - numattr++; - } - - kmf_set_attr_at_index(attrlist, numattr, KMF_READONLY_ATTR, - &false, sizeof (false)); - numattr++; - - rv = kmf_configure_keystore(kmfh, numattr, attrlist); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error 
configuring KMF keystore", err); - goto done; - } - - /* - * Find the certificate matching the given label. - */ - numattr = 0; - kstype = KMF_KEYSTORE_PK11TOKEN; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, - &kstype, sizeof (kstype)); - numattr++; - - if (certname) { - kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, - (void *)certname, strlen(certname)); - numattr++; - } - ncerts = 1; - - kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, - &ncerts, sizeof (ncerts)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR, - &cert, sizeof (cert)); - numattr++; - - rv = kmf_find_cert(kmfh, numattr, attrlist); - if (rv != KMF_OK || ncerts == 0) - goto done; - - /* - * Find the associated private key for this cert by - * keying off of the label and the ASCII ID string. - */ - rv = kmf_get_cert_id_str(&cert.certificate, &idstr); - if (rv != KMF_OK) - goto done; - - numattr = 1; /* attrlist[0] is already set to kstype */ - - kclass = KMF_ASYM_PRI; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR, - &kclass, sizeof (kclass)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, - &creds, sizeof (KMF_CREDENTIAL)); - numattr++; - - format = KMF_FORMAT_RAWKEY; - kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, - &format, sizeof (format)); - numattr++; - - if (certname) { - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, - (void *)certname, strlen(certname)); - numattr++; - } - if (idstr) { - kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR, - (void *)idstr, strlen(idstr)); - numattr++; - } - kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, - &true, sizeof (true)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, - &true, sizeof (true)); - numattr++; - - /* We only expect to find 1 key at most */ - nkeys = 1; - kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, - &nkeys, sizeof 
(nkeys)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, - &key, sizeof (KMF_KEY_HANDLE)); - numattr++; - - rv = kmf_find_key(kmfh, numattr, attrlist); - if (rv == KMF_ERR_SENSITIVE_KEY) { - kmf_free_kmf_key(kmfh, &key); - /* - * Get a normal key handle and then do a wrap/unwrap - * in order to get the necessary raw data fields needed - * to send to KSSL. - */ - format = KMF_FORMAT_NATIVE; - rv = get_sensitive_key_data(kmfh, &creds, - (char *)certname, idstr, &key, &rawkey); - if (rv == KMF_OK) { - /* Swap "key" for "rawkey" */ - kmf_free_kmf_key(kmfh, &key); - - key = rawkey; - } else { - kmf_free_kmf_key(kmfh, &key); - - /* Let kssl try to find the key. */ - nxkey = 1; - rv = kmf_get_cert_id_data(&cert.certificate, &iddata); - } - } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) { - kmf_free_kmf_key(kmfh, &key); - - /* Let kssl try to find the key. */ - nxkey = 1; - rv = kmf_get_cert_id_data(&cert.certificate, &iddata); - } else if (rv != KMF_OK || nkeys == 0) - goto done; - - if (rv == KMF_OK) - kssl_params = kmf_to_kssl(nxkey, (KMF_RAW_KEY_DATA *)key.keyp, - 1, &cert, bufsize, (char *)token_label, &iddata, &creds); -done: - if (ncerts != 0) - kmf_free_kmf_cert(kmfh, &cert); - if (nkeys != 0) - kmf_free_kmf_key(kmfh, &key); - if (idstr) - free(idstr); - - return (kssl_params); -} - -/* - * add_cacerts - * - * Load a chain of certificates from a PEM file. 
- */ -static kssl_params_t * -add_cacerts(KMF_HANDLE_T kmfh, - kssl_params_t *old_params, const char *cacert_chain_file) -{ - int i, newlen; - uint32_t certlen = 0, ncerts; - char *buf; - KMF_RETURN rv; - KMF_X509_DER_CERT *certs = NULL; - kssl_params_t *kssl_params; - char *err = NULL; - int numattr = 0; - KMF_ATTRIBUTE attrlist[16]; - KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; - - kstype = KMF_KEYSTORE_OPENSSL; - - ncerts = 0; - kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, - &kstype, sizeof (KMF_KEYSTORE_TYPE)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, - (void *)cacert_chain_file, strlen(cacert_chain_file)); - numattr++; - - kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, - &ncerts, sizeof (ncerts)); - numattr++; - - rv = kmf_find_cert(kmfh, numattr, attrlist); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error finding CA certificates", err); - return (0); - } - certs = (KMF_X509_DER_CERT *)malloc(ncerts * - sizeof (KMF_X509_DER_CERT)); - if (certs == NULL) { - (void) fprintf(stderr, "memory allocation error.\n"); - return (NULL); - } - bzero(certs, ncerts * sizeof (KMF_X509_DER_CERT)); - - /* add new attribute for the cert list to be returned */ - kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR, - certs, (ncerts * sizeof (KMF_X509_DER_CERT))); - numattr++; - rv = kmf_find_cert(kmfh, numattr, attrlist); - - if (rv != KMF_OK || ncerts == 0) { - bzero(old_params, old_params->kssl_params_size); - free(old_params); - return (NULL); - } - - if (verbose) { - (void) printf("%d certificates read successfully\n", ncerts); - } - - newlen = old_params->kssl_params_size; - for (i = 0; i < ncerts; i++) - newlen += certs[i].certificate.Length; - - /* - * Get a bigger structure and update the - * fields to account for the additional certs. 
- */ - kssl_params = realloc(old_params, newlen); - - kssl_params->kssl_params_size = newlen; - kssl_params->kssl_certs.sc_count += ncerts; - - /* Put the cert size info starting from sc_sizes[1] */ - buf = (char *)kssl_params; - buf += kssl_params->kssl_certs.sc_sizes_offset; - bcopy(buf, &certlen, sizeof (uint32_t)); - buf += sizeof (uint32_t); - for (i = 0; i < ncerts; i++) { - uint32_t size = (uint32_t)certs[i].certificate.Length; - bcopy(&size, buf, sizeof (uint32_t)); - buf += sizeof (uint32_t); - } - - /* Put the cert_bufs starting from sc_certs[1] */ - buf = (char *)kssl_params; - buf += kssl_params->kssl_certs.sc_certs_offset; - buf += certlen; - - /* now the certs values */ - for (i = 0; i < ncerts; i++) { - bcopy(certs[i].certificate.Data, buf, - certs[i].certificate.Length); - buf += certs[i].certificate.Length; - } - - for (i = 0; i < ncerts; i++) - kmf_free_kmf_cert(kmfh, &certs[i]); - free(certs); - - return (kssl_params); -} - -/* - * Find a key and certificate(s) from a single PEM file. - */ -static kssl_params_t * -load_from_pem(KMF_HANDLE_T kmfh, const char *filename, - const char *password_file, int *paramsize) -{ - int ncerts = 0, i; - kssl_params_t *kssl_params; - KMF_RAW_KEY_DATA *rsa = NULL; - KMF_X509_DER_CERT *certs = NULL; - - ncerts = PEM_get_rsa_key_certs(kmfh, - filename, (char *)password_file, &rsa, &certs); - if (rsa == NULL || certs == NULL || ncerts == 0) { - return (NULL); - } - - if (verbose) - (void) printf("%d certificates read successfully\n", ncerts); - - kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL, - NULL, NULL); - - for (i = 0; i < ncerts; i++) - kmf_free_kmf_cert(kmfh, &certs[i]); - free(certs); - kmf_free_raw_key(rsa); - - return (kssl_params); -} - -/* - * Load a raw key and certificate(s) from a PKCS#12 file. 
- */ -static kssl_params_t * -load_from_pkcs12(KMF_HANDLE_T kmfh, const char *filename, - const char *password_file, int *paramsize) -{ - KMF_RAW_KEY_DATA *rsa = NULL; - kssl_params_t *kssl_params; - KMF_X509_DER_CERT *certs = NULL; - int ncerts = 0, i; - - ncerts = PKCS12_get_rsa_key_certs(kmfh, filename, - password_file, &rsa, &certs); - - if (certs == NULL || ncerts == 0) { - (void) fprintf(stderr, - "Unable to read cert and/or key from %s\n", filename); - return (NULL); - } - - if (verbose) - (void) printf("%d certificates read successfully\n", ncerts); - - kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL, - NULL, NULL); - - for (i = 0; i < ncerts; i++) - kmf_free_kmf_cert(kmfh, &certs[i]); - free(certs); - - kmf_free_raw_key(rsa); - return (kssl_params); -} - -int -parse_and_set_addr(char *server_address, char *server_port, - struct sockaddr_in6 *addr) -{ - long long tmp_port; - char *ep; - - if (server_port == NULL) { - return (-1); - } - - if (server_address == NULL) { - addr->sin6_addr = in6addr_any; - } else { - struct hostent *hp; - int error_num; - - if ((hp = (getipnodebyname(server_address, AF_INET6, - AI_DEFAULT, &error_num))) == NULL) { - (void) fprintf(stderr, "Error: Unknown host: %s\n", - server_address); - return (-1); - } - - (void) memcpy((caddr_t)&addr->sin6_addr, hp->h_addr, - hp->h_length); - freehostent(hp); - } - - errno = 0; - tmp_port = strtoll(server_port, &ep, 10); - if (server_port == ep || *ep != '\0' || errno != 0) { - (void) fprintf(stderr, "Error: Invalid Port value: %s\n", - server_port); - return (-1); - } - if (tmp_port < 1 || tmp_port > 65535) { - (void) fprintf(stderr, "Error: Port out of range: %s\n", - server_port); - return (-1); - } - /* It is safe to convert since the value is inside the boundaries. */ - addr->sin6_port = tmp_port; - - return (0); -} - -/* - * The order of the ciphers is important. It is used as the - * default order (when -c is not specified). 
- */ -struct csuite { - const char *suite; - uint16_t val; - boolean_t seen; -} cipher_suites[CIPHER_SUITE_COUNT - 1] = { - {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, B_FALSE}, - {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, B_FALSE}, - {"rsa_aes_256_cbc_sha", TLS_RSA_WITH_AES_256_CBC_SHA, B_FALSE}, - {"rsa_aes_128_cbc_sha", TLS_RSA_WITH_AES_128_CBC_SHA, B_FALSE}, - {"rsa_3des_ede_cbc_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, B_FALSE}, - {"rsa_des_cbc_sha", SSL_RSA_WITH_DES_CBC_SHA, B_FALSE}, -}; - -static int -check_suites(char *suites, uint16_t *sarray) -{ - int i; - int err = 0; - char *suite; - int sindx = 0; - - if (suites != NULL) { - for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++) - sarray[i] = CIPHER_NOTSET; - } else { - for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++) - sarray[i] = cipher_suites[i].val; - return (err); - } - - suite = strtok(suites, ","); - do { - for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++) { - if (strcasecmp(suite, cipher_suites[i].suite) == 0) { - if (!cipher_suites[i].seen) { - sarray[sindx++] = cipher_suites[i].val; - cipher_suites[i].seen = B_TRUE; - } - break; - } - } - - if (i == (CIPHER_SUITE_COUNT - 1)) { - (void) fprintf(stderr, - "Unknown Cipher suite name: %s\n", suite); - err++; - } - } while ((suite = strtok(NULL, ",")) != NULL); - - return (err); -} - -int -do_create(int argc, char *argv[]) -{ - const char *softtoken_dir = NULL; - const char *token_label = NULL; - const char *password_file = NULL; - const char *cert_key_file = NULL; - const char *cacert_chain_file = NULL; - const char *certname = NULL; - char *suites = NULL; - uint32_t timeout = DEFAULT_SID_TIMEOUT; - uint32_t scache_size = DEFAULT_SID_CACHE_NENTRIES; - uint16_t kssl_suites[CIPHER_SUITE_COUNT - 1]; - int proxy_port = -1; - struct sockaddr_in6 server_addr; - char *format = NULL; - char *port, *addr; - char c; - int pcnt; - kssl_params_t *kssl_params; - int bufsize; - KMF_HANDLE_T kmfh = NULL; - KMF_RETURN rv = KMF_OK; - char *err = NULL; - - argc -= 1; - argv += 1; - 
- while ((c = getopt(argc, argv, "vT:d:f:h:i:p:c:C:t:x:z:")) != -1) { - switch (c) { - case 'd': - softtoken_dir = optarg; - break; - case 'c': - suites = optarg; - break; - case 'C': - certname = optarg; - break; - case 'f': - format = optarg; - break; - case 'h': - cacert_chain_file = optarg; - break; - case 'i': - cert_key_file = optarg; - break; - case 'T': - token_label = optarg; - break; - case 'p': - password_file = optarg; - break; - case 't': - timeout = atoi(optarg); - break; - case 'x': - proxy_port = atoi(optarg); - break; - case 'v': - verbose = B_TRUE; - break; - case 'z': - scache_size = atoi(optarg); - break; - default: - goto err; - } - } - - pcnt = argc - optind; - if (pcnt == 0) { - port = "443"; /* default SSL port */ - addr = NULL; - } else if (pcnt == 1) { - port = argv[optind]; - addr = NULL; - } else if (pcnt == 2) { - addr = argv[optind]; - port = argv[optind + 1]; - } else { - goto err; - } - - if (parse_and_set_addr(addr, port, &server_addr) < 0) { - goto err; - } - - if (verbose) { - char buffer[128]; - - (void) inet_ntop(AF_INET6, &server_addr.sin6_addr, buffer, - sizeof (buffer)); - (void) printf("addr = %s, port = %d\n", buffer, - server_addr.sin6_port); - } - - if (format == NULL || proxy_port == -1) { - goto err; - } - - if (check_suites(suites, kssl_suites) != 0) { - goto err; - } - - rv = kmf_initialize(&kmfh, NULL, NULL); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error initializing KMF", err); - return (0); - } - - if (strcmp(format, "pkcs11") == 0) { - if (token_label == NULL || certname == NULL) { - goto err; - } - if (softtoken_dir != NULL) { - (void) setenv("SOFTTOKEN_DIR", softtoken_dir, 1); - if (verbose) { - (void) printf( - "SOFTTOKEN_DIR=%s\n", - getenv("SOFTTOKEN_DIR")); - } - } - kssl_params = load_from_pkcs11(kmfh, - token_label, password_file, certname, &bufsize); - } else if (strcmp(format, "pkcs12") == 0) { - if (cert_key_file == NULL) { - goto err; - } - kssl_params = load_from_pkcs12(kmfh, - cert_key_file, 
password_file, &bufsize); - } else if (strcmp(format, "pem") == 0) { - if (cert_key_file == NULL) { - goto err; - } - kssl_params = load_from_pem(kmfh, - cert_key_file, password_file, &bufsize); - } else { - (void) fprintf(stderr, "Unsupported cert format: %s\n", format); - goto err; - } - - if (kssl_params == NULL) { - (void) kmf_finalize(kmfh); - return (FAILURE); - } - - /* - * Add the list of supported ciphers to the buffer. - */ - bcopy(kssl_suites, kssl_params->kssl_suites, - sizeof (kssl_params->kssl_suites)); - kssl_params->kssl_params_size = bufsize; - kssl_params->kssl_addr = server_addr; - kssl_params->kssl_session_cache_timeout = timeout; - kssl_params->kssl_proxy_port = proxy_port; - kssl_params->kssl_session_cache_size = scache_size; - - if (cacert_chain_file != NULL) { - kssl_params = add_cacerts(kmfh, kssl_params, cacert_chain_file); - if (kssl_params == NULL) { - bzero(kssl_params, bufsize); - free(kssl_params); - (void) kmf_finalize(kmfh); - return (FAILURE); - } - } - - if (kssl_send_command((char *)kssl_params, KSSL_ADD_ENTRY) < 0) { - int err = CRYPTO_FAILED; - - if (kssl_params->kssl_is_nxkey) - err = kssl_params->kssl_token.ck_rv; - (void) fprintf(stderr, - "Error loading cert and key: 0x%x\n", err); - bzero(kssl_params, bufsize); - free(kssl_params); - (void) kmf_finalize(kmfh); - return (FAILURE); - } - - if (verbose) - (void) printf("Successfully loaded cert and key\n"); - - bzero(kssl_params, bufsize); - free(kssl_params); - (void) kmf_finalize(kmfh); - return (SUCCESS); - -err: - usage_create(B_TRUE); - (void) kmf_finalize(kmfh); - return (SMF_EXIT_ERR_CONFIG); -} diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c deleted file mode 100644 index bd5a6b45a4..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_delete.c +++ /dev/null 
@@ -1,95 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
- */
-
-#include <netinet/in.h> /* struct sockaddr_in */
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <libscf.h>
-#include <inet/kssl/kssl.h>
-#include "kssladm.h"
-
-void
-usage_delete(boolean_t do_print)
-{
- if (do_print)
- (void) fprintf(stderr, "Usage:\n");
- (void) fprintf(stderr,
- "kssladm delete [-v] [<server_address>] <server_port>\n");
-}
-
-int
-do_delete(int argc, char *argv[])
-{
- struct sockaddr_in6 server_addr;
- char c;
- char *port, *addr;
- int pcnt;
-
- if (argc < 3) {
- goto err;
- }
-
- argc -= 1;
- argv += 1;
-
- while ((c = getopt(argc, argv, "v")) != -1) {
- switch (c) {
- case 'v':
- verbose = B_TRUE;
- break;
- default:
- goto err;
- }
- }
-
- pcnt = argc - optind;
- if (pcnt == 1) {
- port = argv[optind];
- addr = NULL;
- } else if (pcnt == 2) {
- addr = argv[optind];
- port = argv[optind + 1];
- }
-
- if (parse_and_set_addr(addr, port, &server_addr) < 0) {
- goto err;
- }
-
- if (kssl_send_command((char *)&server_addr, KSSL_DELETE_ENTRY) < 0) {
- perror("Error deleting entry");
- return (FAILURE);
- }
-
- if (verbose)
- (void) printf("Successfully loaded cert and key\n");
-
- return (SUCCESS);
-
-err:
- usage_delete(B_TRUE);
- return (SMF_EXIT_ERR_CONFIG);
-}
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c
deleted file mode 100644
index dae4d83a2e..0000000000
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c
+++ /dev/null
@@ -1,156 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2007 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#pragma ident "%Z%%M% %I% %E% SMI" - -#include <stdio.h> -#include <assert.h> -#include <strings.h> - -#include <kmfapi.h> -#include "kssladm.h" - -/* - * Extract the Certificate and raw key data from a PKCS#12 file. - * The password needed for decrypting the PKCS#12 PDU is stored - * in plaintext in the given "password_file" parameter. 
- */ -int -PKCS12_get_rsa_key_certs(KMF_HANDLE_T kmfh, - const char *filename, const char *password_file, - KMF_RAW_KEY_DATA **rsa, KMF_X509_DER_CERT **certs) -{ - char password_buf[1024]; - KMF_RETURN rv = KMF_OK; - KMF_CREDENTIAL pk12cred; - KMF_X509_DER_CERT *tcerts; - KMF_RAW_KEY_DATA *keys; - int ncerts, nkeys; - char *err = NULL; - - tcerts = NULL; - keys = NULL; - ncerts = 0; - nkeys = 0; - - if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { - perror("Unable to read passphrase"); - goto done; - } - pk12cred.cred = password_buf; - pk12cred.credlen = strlen(password_buf); - - rv = kmf_import_objects(kmfh, (char *)filename, &pk12cred, &tcerts, - &ncerts, &keys, &nkeys); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error importing PKCS12 data", err); - } - -done: - if (rv != KMF_OK) { - int i; - if (tcerts != NULL) { - for (i = 0; i < ncerts; i++) - kmf_free_kmf_cert(kmfh, &tcerts[i]); - free(tcerts); - } - tcerts = NULL; - ncerts = 0; - if (keys != NULL) { - for (i = 0; i < nkeys; i++) - kmf_free_raw_key(&keys[i]); - free(keys); - } - keys = NULL; - } - *certs = tcerts; - *rsa = keys; - - return (ncerts); -} - -/* - * Parse a PEM file which should contain RSA private keys and - * their associated X.509v3 certificates. More than 1 may - * be present in the file. 
- */ -int -PEM_get_rsa_key_certs(KMF_HANDLE_T kmfh, - const char *filename, char *password_file, - KMF_RAW_KEY_DATA **rsa, KMF_X509_DER_CERT **certs) -{ - KMF_RETURN rv = KMF_OK; - KMF_CREDENTIAL creds; - KMF_X509_DER_CERT *tcerts; - KMF_RAW_KEY_DATA *keys; - int ncerts, nkeys; - char *err = NULL; - char password_buf[1024]; - - tcerts = NULL; - keys = NULL; - ncerts = 0; - nkeys = 0; - - if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { - perror("Unable to read passphrase"); - goto done; - } - creds.cred = password_buf; - creds.credlen = strlen(password_buf); - - rv = kmf_import_objects(kmfh, (char *)filename, &creds, &tcerts, - &ncerts, &keys, &nkeys); - if (rv != KMF_OK) { - REPORT_KMF_ERROR(rv, "Error importing key data", err); - } - -done: - if (rv != KMF_OK) { - int i; - if (tcerts != NULL) { - for (i = 0; i < ncerts; i++) - kmf_free_kmf_cert(kmfh, &tcerts[i]); - free(tcerts); - } - tcerts = NULL; - ncerts = 0; - if (keys != NULL) { - for (i = 0; i < nkeys; i++) - kmf_free_raw_key(&keys[i]); - free(keys); - } - keys = NULL; - } - if (certs != NULL) - *certs = tcerts; - if (rsa != NULL) - *rsa = keys; - - return (ncerts); -} diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/Makefile b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/Makefile deleted file mode 100644 index 7adf6a121a..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/Makefile +++ /dev/null 
@@ -1,77 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-#
-# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
-# Use is subject to license terms.
-#
-# ident "%Z%%M% %I% %E% SMI"
-#
-# cmd/cmd-inet/usr.sbin/kssl/kssladm/Makefile
-#
-
-PROG= ksslcfg
-MANIFEST= kssl-proxy.xml
-
-include $(SRC)/cmd/Makefile.cmd
-
-OBJS = \
- ksslcfg.o \
- ksslcfg_create.o \
- ksslcfg_delete.o
-
-POFILES = $(OBJS:%.o=%.po)
-POFILE = $(PROG)_all.po
-
-SRCS = $(OBJS:%.o=%.c)
-
-ROOTMANIFESTDIR= $(ROOTSVCNETWORKSSL)
-
-.KEEP_STATE:
-
-CFLAGS += $(CCVERBOSE)
-
-LDLIBS += -lscf -lnsl
-
-all: $(PROG)
-
-$(PROG): $(OBJS)
- $(LINK.c) $(OBJS) -o $@ $(LDLIBS) $(DYNFLAGS)
- $(POST_PROCESS)
-
-$(POFILE): $(POFILES)
- $(RM) $@; cat $(POFILES) > $@
-
-install: all $(ROOTUSRSBINPROG) $(ROOTMANIFEST)
-
-clean:
- $(RM) $(OBJS)
-
-check: $(CHKMANIFEST)
- $(CSTYLE) -pP $(SRCS)
-
-lint: lint_SRCS
-
-$(ROOTUSRSBINPROG): $(ROOTUSRSBIN)
-
-$(ROOTUSRSBIN):
- $(MKDIR) -p $@
-
-include ../../../../Makefile.targ
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/kssl-proxy.xml b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/kssl-proxy.xml
deleted file mode 100644
index 3728239974..0000000000
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/kssl-proxy.xml
+++ /dev/null
@@ -1,82 +0,0 @@ -<?xml version="1.0"?> -<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> -<!-- - Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - - CDDL HEADER START - - The contents of this file are subject to the terms of the - Common Development and Distribution License (the "License"). - You may not use this file except in compliance with the License. - - You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - or http://www.opensolaris.org/os/licensing. - See the License for the specific language governing permissions - and limitations under the License. - - When distributing Covered Code, include this CDDL HEADER in each - file and include the License file at usr/src/OPENSOLARIS.LICENSE. - If applicable, add the following below this CDDL HEADER, with the - fields enclosed by brackets "[]" replaced with your own identifying - information: Portions Copyright [yyyy] [name of copyright owner] - - CDDL HEADER END - - NOTE: This service manifest is not editable; its contents will - be overwritten by package or patch operations, including - operating system upgrade. Make customizations in a different - file. 
---> - -<service_bundle type='manifest' name='SUNWcsr:kssl-proxy'> - -<service - name='network/ssl/proxy' - type='service' - version='1'> - - <dependency - name='socket-filter' - grouping='require_all' - restart_on='restart' - type='service'> - <service_fmri value='svc:/network/socket-filter:kssl' /> - </dependency> - - <dependency - name='cryptosvc' - grouping='require_all' - restart_on='none' - type='service'> - <service_fmri value='svc:/system/cryptosvc' /> - </dependency> - - <dependency - name='name-services' - grouping='require_all' - restart_on='none' - type='service'> - <service_fmri value='svc:/milestone/name-services' /> - </dependency> - - <property_group name='startd' type='framework'> - <propval name='duration' type='astring' value='transient' /> - </property_group> - - <stability value='Unstable' /> - - <template> - <common_name> - <loctext xml:lang='C'> - kernel ssl proxy configuration - </loctext> - </common_name> - <documentation> - <manpage title='ksslcfg' section='8' - manpath='/usr/share/man' /> - </documentation> - </template> - -</service> - -</service_bundle> diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c deleted file mode 100644 index 84336d0923..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.c +++ /dev/null 
@@ -1,272 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - */ - -#include <arpa/inet.h> /* inet_addr() */ -#include <ctype.h> -#include <libscf.h> -#include <netdb.h> /* hostent */ -#include <netinet/in.h> /* ip_addr_t */ -#include <stdio.h> -#include <errno.h> -#include <limits.h> -#include <stdlib.h> -#include <fcntl.h> -#include <strings.h> -#include <sys/varargs.h> -#include <zone.h> -#include "ksslcfg.h" - -/* - * ksslcfg(8) - * - * ksslcfg manages smf(7) instances for the Kernel SSL proxy module. - * It makes use of kssladm(8) which does the grunt work. - */ - -/* - * This version number is rather meaningless. In any case, - * version 2.0 adds support for IPv6 addresses. - */ -#define KSSLCFG_VERSION "Version 2.0" - -boolean_t verbose = B_FALSE; -const char *SERVICE_NAME = "network/ssl/proxy"; - -void -KSSL_DEBUG(const char *format, ...) -{ - va_list ap; - - if (verbose) { - va_start(ap, format); - (void) vprintf(format, ap); - va_end(ap); - } -} - -/* - * Convert string to port number and check for errors. Return 0 on error, - * 1 on success. 
- */ -int -get_portnum(const char *s, ushort_t *rport) -{ - long long tmp_port; - char *ep; - - errno = 0; - tmp_port = strtoll(s, &ep, 10); - if (s == ep || *ep != '\0' || errno != 0) - return (0); - if (tmp_port < 1 || tmp_port > 65535) - return (0); - - if (rport != NULL) - *rport = (ushort_t)tmp_port; - - return (1); -} - -#define ANY_ADDR "INADDR_ANY" - -/* - * An instance name is formed using either the host name in the fully - * qualified domain name form (FQDN) which should map to a specific IP address - * or using INADDR_ANY which means all IP addresses. - * - * We do a lookup or reverse lookup to get the host name. It is assumed that - * the returned name is in the FQDN form. i.e. DNS is used. - */ -char * -create_instance_name(const char *arg, char **inaddr_any_name, - boolean_t is_create) -{ - int len; - uint16_t port; - char *cname; - char *instance_name; - const char *prefix = "kssl-"; - char *first_space; - - first_space = strchr(arg, ' '); - if (first_space == NULL) { /* No host name. Use INADDR_ANY. 
*/ - if (get_portnum(arg, &port) == 0) { - (void) fprintf(stderr, - gettext("Error: Invalid port value -- %s\n"), - arg); - return (NULL); - } - KSSL_DEBUG("port=%d\n", port); - if ((cname = strdup(ANY_ADDR)) == NULL) - return (NULL); - } else { - char *temp_str; - char *ptr; - struct hostent *hp; - boolean_t do_warn; - int error_num; - in_addr_t v4addr; - in6_addr_t v6addr; - - if (get_portnum(first_space + 1, &port) == 0) { - (void) fprintf(stderr, - gettext("Error: Invalid port value -- %s\n"), - first_space + 1); - return (NULL); - } - KSSL_DEBUG("port=%d\n", port); - - if ((temp_str = strdup(arg)) == NULL) - return (NULL); - *(strchr(temp_str, ' ')) = '\0'; - - if (inet_pton(AF_INET6, temp_str, &v6addr) == 1) { - /* Do a reverse lookup for the IPv6 address */ - hp = getipnodebyaddr(&v6addr, sizeof (v6addr), - AF_INET6, &error_num); - } else if (inet_pton(AF_INET, temp_str, &v4addr) == 1) { - /* Do a reverse lookup for the IPv4 address */ - hp = getipnodebyaddr(&v4addr, sizeof (v4addr), - AF_INET, &error_num); - } else { - /* Do a lookup for the host name */ - hp = getipnodebyname(temp_str, AF_INET6, AI_DEFAULT, - &error_num); - } - - if (hp == NULL) { - (void) fprintf(stderr, - gettext("Error: Unknown host -- %s\n"), temp_str); - free(temp_str); - return (NULL); - } - - if ((ptr = cname = strdup(hp->h_name)) == NULL) { - freehostent(hp); - free(temp_str); - return (NULL); - } - - freehostent(hp); - - do_warn = B_TRUE; - /* "s/./-/g" */ - while ((ptr = strchr(ptr, '.')) != NULL) { - if (do_warn) - do_warn = B_FALSE; - *ptr = '-'; - ptr++; - } - - if (do_warn && is_create) { - (void) fprintf(stderr, - gettext("Warning: %s does not appear to have a" - " registered DNS name.\n"), temp_str); - } - - free(temp_str); - } - - KSSL_DEBUG("Cannonical host name =%s\n", cname); - - len = strlen(prefix) + strlen(cname) + 10; - if ((instance_name = malloc(len)) == NULL) { - (void) fprintf(stderr, - gettext("Error: memory allocation failure.\n")); - return (NULL); - } - 
(void) snprintf(instance_name, len, "%s%s-%d", prefix, cname, port); - - if (is_create) { - len = strlen(prefix) + strlen(ANY_ADDR) + 10; - if ((*inaddr_any_name = malloc(len)) == NULL) { - (void) fprintf(stderr, - gettext("Error: memory allocation failure.\n")); - free(instance_name); - free(cname); - return (NULL); - } - - (void) snprintf(*inaddr_any_name, len, - "%s%s-%d", prefix, ANY_ADDR, port); - } - - free(cname); - KSSL_DEBUG("instance_name=%s\n", instance_name); - return (instance_name); -} - -static void -usage_all(void) -{ - (void) fprintf(stderr, gettext("Usage:\n")); - usage_create(B_FALSE); - usage_delete(B_FALSE); - (void) fprintf(stderr, "ksslcfg -V\n"); - (void) fprintf(stderr, "ksslcfg -?\n"); -} - - -int -main(int argc, char **argv) -{ - int rv = SUCCESS; - - (void) setlocale(LC_ALL, ""); -#if !defined(TEXT_DOMAIN) /* Should be defined by cc -D */ -#define TEXT_DOMAIN "SYS_TEST" /* Use this only if it weren't */ -#endif - (void) textdomain(TEXT_DOMAIN); - - /* Running from within a non-global zone is not supported yet. */ - if (getzoneid() != GLOBAL_ZONEID) { - (void) fprintf(stderr, - gettext("Error: Configuring KSSL from within a non-global " - "zone is not supported.\nPlease run the command from " - "the global zone.\n")); - return (ERROR_USAGE); - } - - if (argc < 2) { - usage_all(); - return (ERROR_USAGE); - } - - if (strcmp(argv[1], "create") == 0) { - rv = do_create(argc, argv); - } else if (strcmp(argv[1], "delete") == 0) { - rv = do_delete(argc, argv); - } else if (strcmp(argv[1], "-V") == 0) { - (void) printf("%s\n", KSSLCFG_VERSION); - } else if (strcmp(argv[1], "-?") == 0) { - usage_all(); - } else { - (void) fprintf(stderr, - gettext("Error: Unknown subcommand -- %s\n"), argv[1]); - usage_all(); - rv = ERROR_USAGE; - } - - return (rv); -} diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.h b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.h deleted file mode 100644 index 9ebbfba989..0000000000 
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-/*
- * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
- */
-
-#ifndef _KSSLCFG_H
-#define _KSSLCFG_H
-
-/*
- * Common routines and variables used by ksslcfg files.
- */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <sys/types.h>
-#include <libintl.h>
-#include <locale.h>
-
-#define MAX_ADRPORT_LEN 128 /* sufficient for host name/IP address + port */
-
-#define SUCCESS 0
-#define FAILURE 1
-#define ERROR_USAGE 2
-#define INSTANCE_ANY_EXISTS 3
-#define INSTANCE_OTHER_EXISTS 4
-
-#define KSSL_FILTER_SVC_NAME "svc:/network/socket-filter:kssl"
-
-extern const char *SERVICE_NAME;
-extern boolean_t verbose;
-
-extern char *create_instance_name(const char *arg, char **inaddr_any_name,
- boolean_t is_create);
-int get_portnum(const char *, ushort_t *);
-extern void KSSL_DEBUG(const char *format, ...);
-extern int do_create(int argc, char *argv[]);
-extern int do_delete(int argc, char *argv[]);
-extern int delete_instance(const char *instance_name);
-extern void usage_create(boolean_t do_print);
-extern void usage_delete(boolean_t do_print);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* _KSSLCFG_H */
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_create.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_create.c
deleted file mode 100644
index 87c789fd92..0000000000
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_create.c
+++ /dev/null
@@ -1,677 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - */ - -#include <libscf.h> -#include <netinet/in.h> -#include <stdio.h> -#include <stdlib.h> -#include <strings.h> -#include <sys/types.h> -#include "ksslcfg.h" - -void -usage_create(boolean_t do_print) -{ - if (do_print) - (void) fprintf(stderr, gettext("Usage:\n")); - (void) fprintf(stderr, "ksslcfg create" - " -f pkcs11 [-d softtoken_directory] -T <token_label>" - " -C <certificate_label> -x <proxy_port>" - " [-h <ca_certchain_file>]" - " [options] [<server_address>] <server_port>\n"); - - (void) fprintf(stderr, "ksslcfg create" - " -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>" - " [options] [<server_address>] <server_port>\n"); - - (void) fprintf(stderr, "ksslcfg create" - " -f pem -i <cert_and_key_pemfile> -x <proxy_port>" - " [options] [<server_address>] <server_port>\n"); - - (void) fprintf(stderr, gettext("options are:\n")); - (void) fprintf(stderr, "\t[-c <ciphersuites>]\n" - "\t[-p <password_file>]\n" - "\t[-t <ssl_session_cache_timeout>]\n" - "\t[-u <username>]\n" - "\t[-z <ssl_session_cache_size>]\n" - "\t[-v]\n"); -} 
- -static scf_propertygroup_t * -add_property_group_to_instance(scf_handle_t *handle, scf_instance_t *instance, - const char *pg_name, const char *pg_type) -{ - scf_propertygroup_t *pg; - - pg = scf_pg_create(handle); - if (pg == NULL) { - KSSL_DEBUG("scf_pg_create failed: %s\n", - scf_strerror(scf_error())); - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (NULL); - } - - if (scf_instance_add_pg(instance, pg_name, pg_type, 0, pg) != 0) { - KSSL_DEBUG("ERROR: scf_instance_add_pg failed: %s\n", - scf_strerror(scf_error())); - if (scf_error() == SCF_ERROR_EXISTS) - (void) fprintf(stderr, gettext( - "Error: another process is modifying this instance." - " Exiting.\n")); - else - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - scf_pg_destroy(pg); - return (NULL); - } else { - KSSL_DEBUG("property group created\n"); - } - - return (pg); -} - -static int -add_new_property(scf_handle_t *handle, const char *prop_name, - scf_type_t type, const char *val, scf_transaction_t *tx) -{ - scf_value_t *value = NULL; - scf_transaction_entry_t *entry = NULL; - int status = FAILURE; - - entry = scf_entry_create(handle); - if (entry == NULL) { - KSSL_DEBUG("scf_entry_create failed: %s\n", - scf_strerror(scf_error())); - goto out; - } - KSSL_DEBUG("scf_entry_create succeeded\n"); - - value = scf_value_create(handle); - if (value == NULL) { - goto out; - } - KSSL_DEBUG("scf_value_create succeeded\n"); - - if (scf_transaction_property_new(tx, entry, prop_name, type) != 0) { - goto out; - } - KSSL_DEBUG("scf_transaction_property_new succeeded\n"); - - if (scf_value_set_from_string(value, type, val) != 0) { - goto out; - } - KSSL_DEBUG("scf_value_set_from_string \'%s\' succeeded\n", val); - - if (scf_entry_add_value(entry, value) != 0) { - KSSL_DEBUG( - "scf_entry_add_value failed: %s\n", - scf_strerror(scf_error())); - goto out; - } - 
KSSL_DEBUG("scf_entry_add_value succeeded\n"); - - status = SUCCESS; - -out: - if (status != SUCCESS) - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (status); -} - -static int -set_method_context(scf_handle_t *handle, scf_transaction_t *tran, - const char *value_str) -{ - if ((add_new_property(handle, SCF_PROPERTY_USE_PROFILE, - SCF_TYPE_BOOLEAN, "false", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_USER, SCF_TYPE_ASTRING, - value_str, tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_GROUP, SCF_TYPE_ASTRING, - ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_LIMIT_PRIVILEGES, - SCF_TYPE_ASTRING, ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_WORKING_DIRECTORY, - SCF_TYPE_ASTRING, ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_SUPP_GROUPS, - SCF_TYPE_ASTRING, ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_RESOURCE_POOL, - SCF_TYPE_ASTRING, ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_PROJECT, SCF_TYPE_ASTRING, - ":default", tran) != SUCCESS) || - (add_new_property(handle, SCF_PROPERTY_PRIVILEGES, - SCF_TYPE_ASTRING, "basic,sys_net_config", tran) != SUCCESS)) - return (FAILURE); - - return (SUCCESS); -} - -static int -add_pg_method(scf_handle_t *handle, scf_instance_t *instance, - const char *kssl_entry, const char *pg_name, const char *flags, - const char *value_str) -{ - int len, rv; - char *command; - const char *base_command; - int status = FAILURE; - boolean_t errflag = B_FALSE; - scf_transaction_t *tran; - scf_propertygroup_t *pg; - - pg = add_property_group_to_instance(handle, instance, - pg_name, SCF_GROUP_METHOD); - if (pg == NULL) { - /* flag is false to suppress duplicate error messages */ - errflag = B_FALSE; - goto out0; - } - KSSL_DEBUG("%s method added\n", pg_name); - - tran = scf_transaction_create(handle); - if 
(tran == NULL) { - KSSL_DEBUG("scf_transaction_create failed: %s\n", - scf_strerror(scf_error())); - errflag = B_TRUE; - goto out0; - } - KSSL_DEBUG("scf_transaction_create succeeded\n"); - - do { - if (scf_transaction_start(tran, pg) != 0) { - KSSL_DEBUG("scf_transaction_start failed: %s\n", - scf_strerror(scf_error())); - if (scf_error() == SCF_ERROR_PERMISSION_DENIED) { - (void) fprintf(stderr, gettext( - "Error: Permission denied.\n")); - errflag = B_FALSE; - } else if (scf_error() == SCF_ERROR_DELETED) { - (void) fprintf(stderr, gettext( - "Error: property group %s has" - " been deleted.\n"), pg_name); - errflag = B_FALSE; - } else - errflag = B_TRUE; - goto out1; - } - KSSL_DEBUG("scf_transaction_start succeeded\n"); - - if (strcmp(pg_name, "stop") == 0) - base_command = "/usr/lib/kssladm delete"; - else - base_command = "/usr/lib/kssladm create"; - - len = strlen(base_command) + strlen(flags) + - strlen(kssl_entry) + 3; - - command = malloc(len); - if (command == NULL) { - goto out2; - } - - (void) snprintf(command, len, "%s %s %s", - base_command, flags, kssl_entry); - KSSL_DEBUG("command=%s\n", command); - - if (add_new_property(handle, SCF_PROPERTY_EXEC, - SCF_TYPE_ASTRING, command, tran) != SUCCESS) { - free(command); - goto out2; - } - free(command); - - if (add_new_property(handle, SCF_PROPERTY_TIMEOUT, - SCF_TYPE_COUNT, "60", tran) != SUCCESS) - goto out2; - - if (set_method_context(handle, tran, value_str) != SUCCESS) - goto out2; - - rv = scf_transaction_commit(tran); - switch (rv) { - case 1: - KSSL_DEBUG("scf_transaction_commit succeeded\n"); - status = SUCCESS; - goto out2; - case 0: - scf_transaction_reset(tran); - if (scf_pg_update(pg) == -1) { - goto out2; - } - break; - case -1: - default: - KSSL_DEBUG("ERROR: scf_transaction_commit failed: %s\n", - scf_strerror(scf_error())); - if (scf_error() == SCF_ERROR_PERMISSION_DENIED) { - (void) fprintf(stderr, gettext( - "Error: Permission denied.\n")); - errflag = B_FALSE; - } else { - errflag = 
B_TRUE; - } - goto out2; - } - } while (rv == 0); - -out2: - scf_transaction_reset(tran); -out1: - scf_transaction_destroy_children(tran); - scf_transaction_destroy(tran); -out0: - if (pg != NULL) - scf_pg_destroy(pg); - if (errflag) - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (status); -} - -static int -create_instance(scf_handle_t *handle, scf_service_t *svc, - const char *instance_name, const char *kssl_entry, const char *command, - const char *username, char *inaddr_any_name) -{ - int status = FAILURE; - char *buf; - boolean_t errflag = B_FALSE; - ssize_t max_fmri_len; - scf_instance_t *instance; - - instance = scf_instance_create(handle); - if (instance == NULL) { - errflag = B_TRUE; - KSSL_DEBUG("scf_instance_create failed: %s\n", - scf_strerror(scf_error())); - goto out; - } - KSSL_DEBUG("scf_instance_create succeeded\n"); - - if (scf_service_get_instance(svc, inaddr_any_name, instance) == 0) { - /* Let the caller deal with the duplicate instance */ - status = INSTANCE_ANY_EXISTS; - goto out; - } - - if (scf_service_add_instance(svc, instance_name, instance) != 0) { - if (scf_error() == SCF_ERROR_EXISTS) { - /* Let the caller deal with the duplicate instance */ - status = INSTANCE_OTHER_EXISTS; - goto out; - } - - errflag = B_TRUE; - KSSL_DEBUG("scf_service_add_instance failed: %s\n", - scf_strerror(scf_error())); - goto out; - } - KSSL_DEBUG("scf_service_add_instance succeeded\n"); - - if ((add_pg_method(handle, instance, kssl_entry, "start", - command, username) != SUCCESS) || - (add_pg_method(handle, instance, kssl_entry, "refresh", - command, username) != SUCCESS) || - (add_pg_method(handle, instance, kssl_entry, "stop", - "", username) != SUCCESS)) { - scf_instance_destroy(instance); - return (status); - } - - /* enabling the instance */ - max_fmri_len = scf_limit(SCF_LIMIT_MAX_FMRI_LENGTH); - if ((buf = malloc(max_fmri_len + 1)) == NULL) - goto out; - - if 
(scf_instance_to_fmri(instance, buf, max_fmri_len + 1) > 0) { - KSSL_DEBUG("instance_fmri=%s\n", buf); - if (smf_enable_instance(buf, 0) != 0) { - errflag = B_TRUE; - KSSL_DEBUG( - "smf_enable_instance failed: %s\n", - scf_strerror(scf_error())); - goto out; - } - status = SUCCESS; - } - -out: - if (instance != NULL) - scf_instance_destroy(instance); - if (errflag) - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (status); -} - -static int -create_service(const char *instance_name, const char *kssl_entry, - const char *command, const char *username, char *inaddr_any_name) -{ - int status = FAILURE; - scf_scope_t *scope; - scf_service_t *svc; - scf_handle_t *handle; - boolean_t errflag = B_TRUE; - - handle = scf_handle_create(SCF_VERSION); - if (handle == NULL) { - KSSL_DEBUG("scf_handle_create failed: %s\n", - scf_strerror(scf_error())); - goto out1; - } - KSSL_DEBUG("scf_handle_create succeeded\n"); - - if (scf_handle_bind(handle) == -1) { - KSSL_DEBUG("scf_handle_bind failed: %s\n", - scf_strerror(scf_error())); - goto out1; - } - KSSL_DEBUG("scf_handle_bind succeeded\n"); - - if ((scope = scf_scope_create(handle)) == NULL) { - KSSL_DEBUG("scf_scope_create failed: %s\n", - scf_strerror(scf_error())); - goto out2; - } - KSSL_DEBUG("scf_scope_create succeeded\n"); - - if ((svc = scf_service_create(handle)) == NULL) { - KSSL_DEBUG("scf_service_create failed: %s\n", - scf_strerror(scf_error())); - goto out3; - } - KSSL_DEBUG("scf_service_create succeeded\n"); - - if (scf_handle_decode_fmri(handle, SERVICE_NAME, NULL, svc, - NULL, NULL, NULL, SCF_DECODE_FMRI_EXACT) != 0) { - KSSL_DEBUG("scf_handle_decode_fmri failed: %s\n", - scf_strerror(scf_error())); - if (scf_error() == SCF_ERROR_NOT_FOUND) { - (void) fprintf(stderr, gettext( - "service %s not found in the repository." 
- " Exiting.\n"), SERVICE_NAME); - errflag = B_FALSE; - } - goto out4; - } - - status = create_instance(handle, svc, instance_name, kssl_entry, - command, username, inaddr_any_name); - -out4: - scf_service_destroy(svc); -out3: - scf_scope_destroy(scope); -out2: - (void) scf_handle_unbind(handle); -out1: - if (handle != NULL) - scf_handle_destroy(handle); - - if (status != SUCCESS && status != INSTANCE_OTHER_EXISTS && - status != INSTANCE_ANY_EXISTS && errflag) - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (status); -} - -int -do_create(int argc, char *argv[]) -{ - char c; - char *buf, *ptr, *instance_name; - char *inaddr_any_name = NULL; - int i, status, len, pcnt; - const char *token_label = NULL; - const char *filename = NULL; - const char *certname = NULL; - const char *username = NULL; - const char *proxy_port = NULL; - char *format = NULL; - boolean_t quote_next; - char address_port[MAX_ADRPORT_LEN + 1]; - - argc -= 1; - argv += 1; - - /* - * Many of these arguments are passed on to kssladm command - * in the start method of the SMF instance created. So, we do only - * the basic usage checks here and let kssladm check the validity - * of the arguments. This is the reason we ignore optarg - * for some of the cases below. 
- */ - while ((c = getopt(argc, argv, "vT:d:f:h:i:p:c:C:t:u:x:z:")) != -1) { - switch (c) { - case 'd': - break; - case 'c': - break; - case 'C': - certname = optarg; - break; - case 'f': - format = optarg; - break; - case 'h': - break; - case 'i': - filename = optarg; - break; - case 'T': - token_label = optarg; - break; - case 'p': - break; - case 't': - break; - case 'u': - username = optarg; - break; - case 'x': - proxy_port = optarg; - break; - case 'v': - verbose = B_TRUE; - break; - case 'z': - break; - default: - goto err; - } - } - - if (format == NULL || proxy_port == NULL) { - goto err; - } - - if (get_portnum(proxy_port, NULL) == 0) { - (void) fprintf(stderr, - gettext("Error: Invalid proxy port value %s\n"), - proxy_port); - goto err; - } - - if (strcmp(format, "pkcs11") == 0) { - if (token_label == NULL || certname == NULL) { - goto err; - } - } else if (strcmp(format, "pkcs12") == 0 || - strcmp(format, "pem") == 0) { - if (filename == NULL) { - goto err; - } - } else { - goto err; - } - - pcnt = argc - optind; - if (pcnt == 1) { - if (strlen(argv[optind]) < MAX_ADRPORT_LEN) { - (void) strcpy(address_port, argv[optind]); - } else { - (void) fprintf(stderr, gettext( - "argument too long -- %s\n"), - argv[optind]); - return (FAILURE); - } - } else if (pcnt == 2) { - if ((len = strlen(argv[optind])) + - (strlen(argv[optind + 1])) < MAX_ADRPORT_LEN) { - (void) strcpy(address_port, argv[optind]); - address_port[len] = ' '; - (void) strcpy(address_port + len + 1, argv[optind + 1]); - } else { - (void) fprintf(stderr, gettext( - "arguments too long -- %s %s\n"), - argv[optind], argv[optind + 1]); - return (FAILURE); - } - } else { - goto err; - } - - /* - * We need to create the kssladm command line in - * the SMF instance from the current arguments. - * - * Construct a buffer with all the arguments except - * the -u argument. We have to quote the string arguments, - * -T and -C, as they can contain white space. 
- */ - len = 0; - for (i = 1; i < optind; i++) { - len += strlen(argv[i]) + 3; - } - - if ((buf = malloc(len)) == NULL) { - return (FAILURE); - } - - ptr = buf; - quote_next = B_FALSE; - for (i = 1; i < optind; i++) { - int arglen = strlen(argv[i]) + 1; - - if (strncmp(argv[i], "-u", 2) == 0) { - i++; - continue; - } - - if (quote_next) { - (void) snprintf(ptr, len, "\"%s\" ", argv[i]); - quote_next = B_FALSE; - arglen += 2; - } else { - (void) snprintf(ptr, len, "%s ", argv[i]); - } - - quote_next = (strncmp(argv[i], "-T", 2) == 0 || - strncmp(argv[i], "-C", 2) == 0); - - ptr += arglen; - len -= arglen; - } - KSSL_DEBUG("buf=%s\n", buf); - - instance_name = create_instance_name(address_port, - &inaddr_any_name, B_TRUE); - if (instance_name == NULL || inaddr_any_name == NULL) { - free(buf); - return (FAILURE); - } - KSSL_DEBUG("instance_name=%s\n", instance_name); - KSSL_DEBUG("inaddr_any_name=%s\n", inaddr_any_name); - - if (username == NULL) - username = "root"; - status = create_service(instance_name, address_port, - buf, username, inaddr_any_name); - if (status == INSTANCE_OTHER_EXISTS || status == INSTANCE_ANY_EXISTS) { - if (status == INSTANCE_ANY_EXISTS && - (strcmp(instance_name, inaddr_any_name) != SUCCESS)) { - /* - * The following could result in a misconfiguration. - * Better bail out with an error. - */ - (void) fprintf(stderr, - gettext("Error: INADDR_ANY instance exists." - " Can not create a new instance %s.\n"), - instance_name); - free(instance_name); - free(inaddr_any_name); - free(buf); - return (status); - } - - /* - * Delete the existing instance and create a new instance - * with the supplied arguments. 
- */ - KSSL_DEBUG("Deleting duplicate instance\n"); - if (delete_instance(instance_name) != SUCCESS) { - (void) fprintf(stderr, - gettext( - "Error: Can not delete existing instance %s.\n"), - instance_name); - } else { - (void) fprintf(stdout, gettext( - "Note: reconfiguring the existing instance %s.\n"), - instance_name); - status = create_service(instance_name, address_port, - buf, username, inaddr_any_name); - } - } - - /* - * network/ssl/proxy depends on network/socket-filter:kssl; - * enable that service now. - */ - if (smf_enable_instance(KSSL_FILTER_SVC_NAME, 0) != 0) { - KSSL_DEBUG( - "smf_enable_instance failed: %s\n" KSSL_FILTER_SVC_NAME); - (void) fprintf(stderr, gettext( - "Unable to enable required service \"%s\". Error: %s"), - KSSL_FILTER_SVC_NAME, scf_strerror(scf_error())); - status = FAILURE; - } - - free(instance_name); - free(inaddr_any_name); - free(buf); - return (status); - -err: - usage_create(B_TRUE); - return (ERROR_USAGE); -} diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_delete.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_delete.c deleted file mode 100644 index 31553002f4..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/ksslcfg/ksslcfg_delete.c +++ /dev/null 
@@ -1,327 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. - */ - -#include <libscf.h> -#include <libscf_priv.h> -#include <stdio.h> -#include <unistd.h> -#include <stdlib.h> -#include <strings.h> -#include <sys/types.h> -#include "ksslcfg.h" - -void -usage_delete(boolean_t do_print) -{ - if (do_print) - (void) fprintf(stderr, gettext("Usage:\n")); - (void) fprintf(stderr, - "ksslcfg delete [-v] [<server_address>] <server_port>\n"); -} - -#define DEFAULT_TIMEOUT 60000000 -#define INIT_WAIT_USECS 50000 - -void -wait_till_to(char *fmri) -{ - char *state; - useconds_t max; - useconds_t usecs; - uint64_t *cp = NULL; - scf_simple_prop_t *sp = NULL; - - max = DEFAULT_TIMEOUT; - - if (((sp = scf_simple_prop_get(NULL, fmri, "stop", - SCF_PROPERTY_TIMEOUT)) != NULL) && - ((cp = scf_simple_prop_next_count(sp)) != NULL) && (*cp != 0)) - max = (*cp) * 1000000; /* convert to usecs */ - - if (sp != NULL) - scf_simple_prop_free(sp); - - for (usecs = INIT_WAIT_USECS; max > 0; max -= usecs) { - /* incremental wait */ - usecs *= 2; - usecs = (usecs > max) ? 
max : usecs; - - (void) usleep(usecs); - - /* Check state after the wait */ - if ((state = smf_get_state(fmri)) != NULL) { - if (strcmp(state, "disabled") == 0) - return; - } - } - - (void) fprintf(stderr, gettext("Warning: delete %s timed out.\n"), - fmri); -} - -static int -count_inst_cb(void *arg, scf_walkinfo_t *wip) -{ - int *num_inst = arg; - - if (wip->inst != NULL) - (*num_inst)++; - - return (0); -} - -/*ARGSUSED*/ -static void -ign_err(const char *unused, ...) -{ -} - -int -delete_instance(const char *instance_name) -{ - int status = FAILURE; - char *buf; - boolean_t errflag = B_FALSE; - ssize_t max_fmri_len; - scf_scope_t *scope; - scf_service_t *svc; - scf_handle_t *handle; - scf_instance_t *instance; - int num_inst = 0, exit_status = 0; - - handle = scf_handle_create(SCF_VERSION); - if (handle == NULL) { - errflag = B_TRUE; - KSSL_DEBUG("scf_handle_create failed: %s\n", - scf_strerror(scf_error())); - goto out1; - } - KSSL_DEBUG("scf_handle_create succeeded\n"); - - if (scf_handle_bind(handle) == -1) { - errflag = B_TRUE; - KSSL_DEBUG("scf_handle_bind failed: %s\n", - scf_strerror(scf_error())); - goto out1; - } - KSSL_DEBUG("scf_handle_bind succeeded\n"); - - if ((scope = scf_scope_create(handle)) == NULL) { - errflag = B_TRUE; - KSSL_DEBUG("scf_scope_create failed: %s\n", - scf_strerror(scf_error())); - goto out2; - } - KSSL_DEBUG("scf_scope_create succeeded\n"); - - if ((svc = scf_service_create(handle)) == NULL) { - errflag = B_TRUE; - KSSL_DEBUG("scf_service_create failed: %s\n", - scf_strerror(scf_error())); - goto out3; - } - KSSL_DEBUG("scf_service_create succeeded\n"); - - if (scf_handle_get_scope(handle, SCF_SCOPE_LOCAL, scope) == -1) { - errflag = B_TRUE; - KSSL_DEBUG("scf_handle_get_scope failed: %s\n", - scf_strerror(scf_error())); - goto out4; - } - KSSL_DEBUG("scf_handle_get_scope succeeded\n"); - - if (scf_scope_get_service(scope, SERVICE_NAME, svc) < 0) { - scf_error_t scf_errnum = scf_error(); - - if (scf_errnum != 
SCF_ERROR_NOT_FOUND) { - errflag = B_TRUE; - KSSL_DEBUG( - "ERROR scf_scope_get_service failed: %s\n", - scf_strerror(scf_errnum)); - } - goto out4; - } else { - KSSL_DEBUG("scf_scope_get_service succeeded\n"); - } - - instance = scf_instance_create(handle); - if (instance == NULL) { - errflag = B_TRUE; - KSSL_DEBUG("scf_instance_create failed: %s\n", - scf_strerror(scf_error())); - goto out4; - } - - if (scf_service_get_instance(svc, instance_name, instance) != 0) { - scf_error_t scf_errnum = scf_error(); - - if (scf_errnum == SCF_ERROR_NOT_FOUND) { - status = SUCCESS; - } else { - errflag = B_TRUE; - KSSL_DEBUG( - "ERROR scf_scope_get_service failed: %s\n", - scf_strerror(scf_errnum)); - } - scf_instance_destroy(instance); - goto out4; - } - - max_fmri_len = scf_limit(SCF_LIMIT_MAX_FMRI_LENGTH); - if ((buf = malloc(max_fmri_len + 1)) == NULL) - goto out4; - - if (scf_instance_to_fmri(instance, buf, max_fmri_len + 1) > 0) { - char *state; - - KSSL_DEBUG("instance_fmri=%s\n", buf); - state = smf_get_state(buf); - if (state) - KSSL_DEBUG("state=%s\n", state); - if (state && strcmp(state, "online") == 0) { - if (smf_disable_instance(buf, 0) != 0) { - errflag = B_TRUE; - KSSL_DEBUG( - "smf_disable_instance failed: %s\n", - scf_strerror(scf_error())); - } else { - /* - * Wait for some time till timeout to avoid - * a race with scf_instance_delete() below. - */ - wait_till_to(buf); - } - } - } - - if (scf_instance_delete(instance) != 0) { - errflag = B_TRUE; - KSSL_DEBUG( - "ERROR scf_instance_delete failed: %s\n", - scf_strerror(scf_error())); - goto out4; - } else { - KSSL_DEBUG("deleted %s\n", instance_name); - } - - if (scf_walk_fmri(handle, 1, (char **)&SERVICE_NAME, - SCF_WALK_MULTIPLE, count_inst_cb, &num_inst, &exit_status, - ign_err) == 0) { - /* - * Disable the kssl socket filter if this is the last - * kssl instance. 
- */ - if (num_inst == 0) { - if (smf_disable_instance(KSSL_FILTER_SVC_NAME, 0) != 0) - (void) fprintf(stderr, - gettext("Unable to disable service \"%s\". " - "Error: %s"), KSSL_FILTER_SVC_NAME, - scf_strerror(scf_error())); - } - } - - status = SUCCESS; - -out4: - scf_service_destroy(svc); -out3: - scf_scope_destroy(scope); -out2: - (void) scf_handle_unbind(handle); -out1: - if (handle != NULL) - scf_handle_destroy(handle); - if (errflag) - (void) fprintf(stderr, gettext( - "Unexpected fatal libscf error: %s. Exiting.\n"), - scf_strerror(scf_error())); - return (status); -} - -int -do_delete(int argc, char *argv[]) -{ - char c; - int status, len, pcnt; - char address_port[MAX_ADRPORT_LEN + 1]; - char *instance_name; - - if (argc < 3) { - goto err; - } - - argc -= 1; - argv += 1; - - while ((c = getopt(argc, argv, "v")) != -1) { - switch (c) { - case 'v': - verbose = B_TRUE; - break; - default: - goto err; - } - } - - pcnt = argc - optind; - if (pcnt == 1) { - if (strlen(argv[optind]) < MAX_ADRPORT_LEN) { - (void) strcpy(address_port, argv[optind]); - } else { - (void) fprintf(stderr, gettext( - "argument too long -- %s\n"), - argv[optind]); - return (FAILURE); - } - } else if (pcnt == 2) { - if ((len = strlen(argv[optind])) + - (strlen(argv[optind + 1])) < MAX_ADRPORT_LEN) { - (void) strcpy(address_port, argv[optind]); - address_port[len] = ' '; - (void) strcpy(address_port + len + 1, argv[optind + 1]); - } else { - (void) fprintf(stderr, gettext( - "arguments too long -- %s %s\n"), - argv[optind], argv[optind + 1]); - return (FAILURE); - } - } else { - goto err; - } - - instance_name = create_instance_name(address_port, NULL, B_FALSE); - if (instance_name == NULL) { - return (FAILURE); - } - - KSSL_DEBUG("instance_name=%s\n", instance_name); - status = delete_instance(instance_name); - free(instance_name); - - return (status); - -err: - usage_delete(B_TRUE); - return (ERROR_USAGE); -} 
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/socket-filter-kssl.xml b/usr/src/cmd/cmd-inet/usr.sbin/socket-filter-kssl.xml deleted file mode 100644 index e821a9c964..0000000000 --- a/usr/src/cmd/cmd-inet/usr.sbin/socket-filter-kssl.xml +++ /dev/null 
@@ -1,90 +0,0 @@ -<?xml version="1.0"?> -<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> -<!-- - Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. - - CDDL HEADER START - - The contents of this file are subject to the terms of the - Common Development and Distribution License (the "License"). - You may not use this file except in compliance with the License. - - You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - or http://www.opensolaris.org/os/licensing. - See the License for the specific language governing permissions - and limitations under the License. - - When distributing Covered Code, include this CDDL HEADER in each - file and include the License file at usr/src/OPENSOLARIS.LICENSE. - If applicable, add the following below this CDDL HEADER, with the - fields enclosed by brackets "[]" replaced with your own identifying - information: Portions Copyright [yyyy] [name of copyright owner] - - CDDL HEADER END - - NOTE: This service manifest is not editable; its contents will - be overwritten by package or patch operations, including - operating system upgrade. Make customizations in a different - file. 
---> - -<service_bundle type='manifest' name='SUNWcs:socket-filter-kssl'> - -<service - name='network/socket-filter' - type='service' - version='1'> - - <instance name='kssl' enabled='false'> - <dependency - name='kssl-filter-filesystem-root' - grouping='require_all' - restart_on='none' - type='service'> - <service_fmri value='svc:/system/filesystem/root' /> - </dependency> - - <exec_method - type='method' - name='start' - exec='/lib/svc/method/svc-sockfilter start' - timeout_seconds='60' /> - - <exec_method - type='method' - name='stop' - exec='/lib/svc/method/svc-sockfilter stop' - timeout_seconds='60' /> - - <property_group name='startd' type='framework'> - <propval name='duration' type='astring' - value='transient' /> - </property_group> - - <property_group name='socket-filter' type='framework'> - <propval name='name' type='astring' value='ksslf' /> - <propval name='module_name' type='astring' - value='ksslf' /> - <propval name='attach_semantics' type='astring' - value='auto' /> - <propval name='socket_tuples' type='astring' - value='2:2:0,2:2:6,26:2:0,26:2:6' /> - </property_group> - - <template> - <common_name> - <loctext xml:lang='C'> - kernel SSL socket filter - </loctext> - </common_name> - <documentation> - <manpage title='ksslcfg' section='8' - manpath='/usr/share/man' /> - </documentation> - </template> - </instance> - - <stability value='Unstable' /> -</service> - -</service_bundle> diff --git a/usr/src/cmd/devfsadm/misc_link.c b/usr/src/cmd/devfsadm/misc_link.c index 93112628a4..7cc2c1812b 100644 --- a/usr/src/cmd/devfsadm/misc_link.c +++ b/usr/src/cmd/devfsadm/misc_link.c @@ -22,6 +22,7 @@ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2011 Nexenta Systems, Inc. All rights reserved. * Copyright 2019 Joyent, Inc. + * Copyright 2022 Garrett D'Amore <garrett@damore.org> */ #include <regex.h> 
@@ -106,7 +107,7 @@ static devfsadm_create_t misc_cbt[] = { "(^ptsl$)|(^mm$)|(^wc$)|(^dump$)|(^cn$)|(^svvslo$)|(^ptm$)|" "(^ptc$)|(^openeepr$)|(^poll$)|(^sysmsg$)|(^random$)|(^trapstat$)|" "(^cryptoadm$)|(^crypto$)|(^pool$)|(^poolctl$)|(^bl$)|(^kmdb$)|" - "(^sysevent$)|(^kssl$)|(^physmem$)", + "(^sysevent$)|(^physmem$)", TYPE_EXACT | DRV_RE, ILEVEL_1, minor_name }, { "pseudo", "ddi_pseudo", diff --git a/usr/src/cmd/sgs/Makefile.sub b/usr/src/cmd/sgs/Makefile.sub index f127f18287..a56899c95d 100644 --- a/usr/src/cmd/sgs/Makefile.sub +++ b/usr/src/cmd/sgs/Makefile.sub @@ -27,7 +27,8 @@ include $(SRC)/Makefile.master -SUBDIRS = $(MACH) $(EXTRASUBDIRS) +SUBDIRS = $(EXTRASUBDIRS) +$(BUILD32)SUBDIRS += $(MACH) $(BUILD64)SUBDIRS += $(MACH64) all := TARGET= all diff --git a/usr/src/cmd/sgs/ld/Makefile b/usr/src/cmd/sgs/ld/Makefile index 75eeaf1889..35c78efe07 100644 --- a/usr/src/cmd/sgs/ld/Makefile +++ b/usr/src/cmd/sgs/ld/Makefile @@ -23,6 +23,7 @@ # Copyright 2006 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # -# ident "%Z%%M% %I% %E% SMI" + +BUILD32 = $(POUND_SIGN) include $(SRC)/cmd/sgs/Makefile.sub diff --git a/usr/src/cmd/sgs/ld/Makefile.com b/usr/src/cmd/sgs/ld/Makefile.com index 32d435cc67..12187dbd21 100644 --- a/usr/src/cmd/sgs/ld/Makefile.com +++ b/usr/src/cmd/sgs/ld/Makefile.com @@ -41,12 +41,11 @@ SRCDIR = $(SGSHOME)/ld MAPFILES = $(SRCDIR)/common/mapfile-intf $(MAPFILE.NGB) MAPOPTS = $(MAPFILES:%=-Wl,-M%) -RPATH = '-R$$ORIGIN/../../lib' -RPATH64 = '-R$$ORIGIN/../../../lib/$(MACH64)' +RPATH = '-R$$ORIGIN/../../lib/$(MACH64)' LDFLAGS += $(VERSREF) $(MAPOPTS) $(RPATH) -LDLIBS += -lumem $(LDLIBDIR) -lld $(ELFLIBDIR) -lelf \ - $(LDDBGLIBDIR) -llddbg $(CONVLIBDIR) -lconv +LDLIBS += -lumem $(LDLIBDIR64) -lld $(ELFLIBDIR64) -lelf \ + $(LDDBGLIBDIR64) -llddbg $(CONVLIBDIR64) -lconv CERRWARN += -_gcc=-Wno-switch CERRWARN += -_gcc=-Wno-parentheses 
diff --git a/usr/src/cmd/sgs/ld/amd64/Makefile b/usr/src/cmd/sgs/ld/amd64/Makefile index 1315c657ff..2a4c3c5d37 100644 --- a/usr/src/cmd/sgs/ld/amd64/Makefile +++ b/usr/src/cmd/sgs/ld/amd64/Makefile @@ -27,14 +27,11 @@ include ../Makefile.com -LDLIBDIR = $(LDLIBDIR64) -ELFLIBDIR = $(ELFLIBDIR64) -LDDBGLIBDIR = $(LDDBGLIBDIR64) -CONVLIBDIR = $(CONVLIBDIR64) +install: all $(ROOTPROG) $(ROOTPROG64) \ + $(ROOTCCSBINLINK) $(ROOTCCSBINLINK64) -RPATH = $(RPATH64) - -install: all $(ROOTPROG64) $(ROOTCCSBINLINK64) +$(ROOTBIN64)/ld: + $(RM) $@; $(SYMLINK) ../../bin/ld $@ .KEEP_STATE: diff --git a/usr/src/cmd/sgs/ld/common/ld.c b/usr/src/cmd/sgs/ld/common/ld.c index 794f5e5e09..90e14b46c3 100644 --- a/usr/src/cmd/sgs/ld/common/ld.c +++ b/usr/src/cmd/sgs/ld/common/ld.c @@ -226,12 +226,11 @@ archive(int fd, Elf *elf, uchar_t *class_ret, Half *mach_ret) /* * Determine: * - ELFCLASS of resulting object (class) - * - Whether user specified class of the linker (ldclass) * - ELF machine type of resulting object (m_mach) * * In order of priority, we determine this information as follows: * - * - Command line options (-32, -64, -z altexec64, -z target). + * - Command line options (-32, -64 -z target). * - From the first plain object seen on the command line. (This is * by far the most common case.) * - From the first object contained within the first archive 
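Review bot: The rewritten priority line `* - Command line options (-32, -64 -z target).` has lost the comma that separated `-64` from `-z target`, so the two options now read as a single one; write `* - Command line options (-32, -64, -z target).`. The rest of the list is unchanged, and the comment block continues into the following hunk where the entry/exit description for `process_args` is edited.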
@@ -241,17 +240,11 @@ archive(int fd, Elf *elf, uchar_t *class_ret, Half *mach_ret)
 * entry:
 * argc, argv - Command line argument vector
 * class_ret - Address of variable to receive ELFCLASS of output object
- * ldclass_ret - Address of variable to receive ELFCLASS of
- * linker to use. This will be ELFCLASS32/ELFCLASS64 if one
- * is explicitly specified, and ELFCLASSNONE otherwise.
- * ELFCLASSNONE therefore means that we should use the best
- * link-editor that the system/kernel will allow.
 */
 static int
-process_args(int argc, char **argv, uchar_t *class_ret, uchar_t *ldclass_ret,
- Half *mach)
+process_args(int argc, char **argv, uchar_t *class_ret, Half *mach)
 {
- uchar_t ldclass = ELFCLASSNONE, class = ELFCLASSNONE, ar_class;
+ uchar_t class = ELFCLASSNONE, ar_class;
 Half mach32 = EM_NONE, mach64 = EM_NONE, ar_mach;
 int c, ar_found = 0;
@@ -278,10 +271,6 @@ process_args(int argc, char **argv, uchar_t *class_ret, uchar_t *ldclass_ret,
 * a mix of 32 and 64-bit objects, and the first object
 * in that archive is 32-bit.
 *
- * -z altexec64
- * Use the 64-bit linker regardless of the class
- * of the output object.
- *
 * -z target=platform
 * Produce output object for the specified platform.
 * This option is needed when producing an object
@@ -313,14 +302,6 @@ getmore:
 break;
 case 'z':
-#if !defined(_LP64)
- /* -z altexec64 */
- if (strncmp(optarg, MSG_ORIG(MSG_ARG_ALTEXEC64),
- MSG_ARG_ALTEXEC64_SIZE) == 0) {
- ldclass = ELFCLASS64;
- break;
- }
-#endif
 /* -z target=platform */
 if (strncmp(optarg, MSG_ORIG(MSG_ARG_TARGET),
 MSG_ARG_TARGET_SIZE) == 0) {
@@ -459,9 +440,6 @@ getmore:
 class = ar_found ? ar_class : ELFCLASS32;
 *class_ret = class;
- /* ELFCLASS of link-editor to use */
- *ldclass_ret = ldclass;
-
 /*
 * Machine type of output object: If we did not establish a machine
 * type from the command line, or from the first plain object, then
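Review bot: The entry: section of the process_args header now lists only `argc, argv` and `class_ret`, so `mach`, the remaining out-parameter in the new signature, is the one still undocumented after the `ldclass_ret` lines were dropped; add a line beneath `class_ret` such as ` *	mach - Address of variable to receive ELF machine type of output object`. process_args continues past this hunk; the later hunks on the same function (@@ -278, @@ -313, @@ -459) raise nothing further.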
@@ -660,8 +638,7 @@ ld_altexec(char **argv, char **envp)
 int
 main(int argc, char **argv, char **envp)
 {
- char **oargv = argv;
- uchar_t class, ldclass, checkclass;
+ uchar_t class;
 Half mach;
 /*
@@ -690,31 +667,9 @@ main(int argc, char **argv, char **envp)
 * - link-editor class
 * - target machine
 */
- if (process_args(argc, argv, &class, &ldclass, &mach))
+ if (process_args(argc, argv, &class, &mach))
 return (1);
- /*
- * Unless a 32-bit link-editor was explicitly requested, try
- * to exec the 64-bit version.
- */
- if (ldclass != ELFCLASS32)
- checkclass = conv_check_native(oargv, envp);
-
- /*
- * If an attempt to exec the 64-bit link-editor fails:
- * - Bail if the 64-bit linker was explicitly requested
- * - Continue quietly if the 64-bit linker was not requested.
- * This is undoubtedly due to hardware/kernel limitations,
- * and therefore represents the best we can do. Note that
- * the 32-bit linker is capable of linking anything the
- * 64-bit version is, subject to a 4GB limit on memory, and
- * 2GB object size.
- */
- if ((ldclass == ELFCLASS64) && (checkclass != ELFCLASS64)) {
- eprintf(0, ERR_FATAL, MSG_INTL(MSG_SYS_64));
- return (1);
- }
-
 /* Call the libld entry point for the specified ELFCLASS */
 if (class == ELFCLASS64)
 return (ld64_main(argc, argv, mach));
diff --git a/usr/src/cmd/sgs/ld/common/ld.msg b/usr/src/cmd/sgs/ld/common/ld.msg
index cc3dcd56c4..3b31deb37f 100644
--- a/usr/src/cmd/sgs/ld/common/ld.msg
+++ b/usr/src/cmd/sgs/ld/common/ld.msg
@@ -35,7 +35,6 @@
 @ MSG_SYS_EXEC "file %s: exec failed: %s"
 @ MSG_SYS_ALLOC "alloc failed: %s"
-@ MSG_SYS_64 "unable to execute 64-bit version of ld"
 @ MSG_ERR_BADTARG "unknown target platform: %s"
@@ -60,7 +59,6 @@
 @ MSG_ARG_TWO "2"
 @ MSG_ARG_FOUR "4"
-@ MSG_ARG_ALTEXEC64 "altexec64"
 @ MSG_ARG_TARGET "target="
 @ MSG_LD_OPTIONS "LD_OPTIONS"
diff --git a/usr/src/cmd/sgs/ld/i386/Makefile b/usr/src/cmd/sgs/ld/i386/Makefile
deleted file mode 100644
index c9a167d407..0000000000
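Review bot: The comment directly above the process_args call still lists ` *	- link-editor class` among the values that call determines, but the `ldclass` output that bullet described is removed by this very hunk (and the `@@ -660` hunk drops the variable), so the new side documents a value main no longer receives; delete that bullet so the list matches the two remaining out-parameters. The start of that comment, and the rest of main after the ld64_main call, lie outside the hunk.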
--- a/usr/src/cmd/sgs/ld/i386/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 1996 by Sun Microsystems, Inc.
-# All rights reserved.
-
-include ../Makefile.com
-
-.KEEP_STATE:
-
-install: all $(ROOTPROG) $(ROOTCCSBINLINK)
-
-include ../Makefile.targ
diff --git a/usr/src/cmd/sgs/ld/sparc/Makefile b/usr/src/cmd/sgs/ld/sparc/Makefile
deleted file mode 100644
index 999606887c..0000000000
--- a/usr/src/cmd/sgs/ld/sparc/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 1996 by Sun Microsystems, Inc.
-# All rights reserved.
-
-include ../Makefile.com
-
-.KEEP_STATE:
-
-install: all $(ROOTBIN) $(ROOTCCSBINLINK)
-
-include ../Makefile.targ
diff --git a/usr/src/cmd/sgs/ld/sparcv9/Makefile b/usr/src/cmd/sgs/ld/sparcv9/Makefile
index 8cc2aab477..6ad7730834 100644
--- a/usr/src/cmd/sgs/ld/sparcv9/Makefile
+++ b/usr/src/cmd/sgs/ld/sparcv9/Makefile
@@ -26,16 +26,13 @@
 include ../Makefile.com
-LDLIBDIR = $(LDLIBDIR64)
-ELFLIBDIR = $(ELFLIBDIR64)
-LDDBGLIBDIR = $(LDDBGLIBDIR64)
-CONVLIBDIR = $(CONVLIBDIR64)
+install: all $(ROOTPROG) $(ROOTPROG64) \
+ $(ROOTCCSBINLINK) $(ROOTCCSBINLINK64)
-RPATH = $(RPATH64)
+$(ROOTBIN64)/ld:
+ $(RM) $@; $(SYMLINK) ../../bin/ld $@
 .KEEP_STATE:
-install: all $(ROOTBIN64) $(ROOTCCSBINLINK64)
-
 include ../Makefile.targ
 include $(SRC)/Makefile.master.64
diff --git a/usr/src/cmd/sgs/libld/common/args.c b/usr/src/cmd/sgs/libld/common/args.c
index 2dfa6e4ca3..0ad5299b0a 100644
--- a/usr/src/cmd/sgs/libld/common/args.c
+++ b/usr/src/cmd/sgs/libld/common/args.c
@@ -192,7 +192,6 @@ usage_mesg(Boolean detail)
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_CY));
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZA));
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZAE));
- (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZAL));
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZADLIB));
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZC));
 (void) fprintf(stderr, MSG_INTL(MSG_ARG_DETAIL_ZDEF));
@@ -1580,8 +1579,9 @@ parseopt_pass1(Ofl_desc *ofl, int argc, char **argv, int *usage)
 }
 /*
 * The following options just need validation as they
- * are interpreted on the second pass through the
- * command line arguments.
+ * are interpreted either on the second pass through
+ * the command line arguments, by ld(1) directly, or
+ * are merely accepted for compatibility.
 */
 } else if (
 strncmp(optarg, MSG_ORIG(MSG_ARG_INITARRAY),
diff --git a/usr/src/cmd/sgs/libld/common/libld.msg b/usr/src/cmd/sgs/libld/common/libld.msg
index 93e9889c0f..c14d1a7ff4 100644
--- a/usr/src/cmd/sgs/libld/common/libld.msg
+++ b/usr/src/cmd/sgs/libld/common/libld.msg
@@ -140,7 +140,6 @@
 allow extraction of\n\
 \t\t\tarchive members to resolve weak references from \
 \n\t\t\t\archive files\n"
-@ MSG_ARG_DETAIL_ZAL "\t[-z altexec64]\texecute the 64-bit link-editor\n"
 @ MSG_ARG_DETAIL_ZADLIB "\t[-z assert-deflib]\n\
 \t\t\tenables warnings for linking with libraries in \
 the \n\t\t\tdefault search path\n\
diff --git a/usr/src/cmd/sgs/tools/SUNWonld-README b/usr/src/cmd/sgs/tools/SUNWonld-README
index 83906f59c3..fdcbd59a76 100644
--- a/usr/src/cmd/sgs/tools/SUNWonld-README
+++ b/usr/src/cmd/sgs/tools/SUNWonld-README
@@ -1689,3 +1689,4 @@ Bugid Risk Synopsis
 4795 /usr/bin/ld manpage and help should indicate '-soname' not '--soname'
 14090 ld(1) could use a normal allocator
 14722 ld should keep group members in separate output sections
+14770 ld(1) should be 64bit only
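Review bot: The reworded comment in the @@ -1580 hunk says some `-z` options here `are merely accepted for compatibility` without saying which ones, and because this commit also removes the `-z altexec64` usage line (`MSG_ARG_DETAIL_ZAL`, in the @@ -192 hunk and libld.msg), a reader of parseopt_pass1 can no longer tell which options are now silent no-ops; name them in the comment, e.g. ` * are merely accepted for compatibility (e.g. -z altexec64).`, assuming altexec64 is indeed the option this wording was added for. parseopt_pass1 begins and ends outside the hunk.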
diff --git a/usr/src/cmd/svc/shell/mfsthistory b/usr/src/cmd/svc/shell/mfsthistory
index 7a719d1c49..2a1bac3b74 100644
--- a/usr/src/cmd/svc/shell/mfsthistory
+++ b/usr/src/cmd/svc/shell/mfsthistory
@@ -311,7 +311,6 @@ svc:/network/routing/legacy-routing:ipv4 var/svc/manifest/network/routing/legacy
 svc:/network/routing/legacy-routing var/svc/manifest/network/routing/legacy-routing.xml
 svc:/network/shares/group:default var/svc/manifest/network/shares/group.xml
 svc:/network/shares/group var/svc/manifest/network/shares/group.xml
-svc:/network/ssl/proxy var/svc/manifest/network/ssl/kssl-proxy.xml
 svc:/system/auditd:default var/svc/manifest/system/auditd.xml
 svc:/system/auditd var/svc/manifest/system/auditd.xml
 svc:/system/boot-archive-update:default var/svc/manifest/system/boot-archive-update.xml
diff --git a/usr/src/cmd/truss/codes.c b/usr/src/cmd/truss/codes.c
index 1c15c31b5c..a8a4ab4dfa 100644
--- a/usr/src/cmd/truss/codes.c
+++ b/usr/src/cmd/truss/codes.c
@@ -26,6 +26,7 @@
 * Copyright 2020 Joyent, Inc.
 * Copyright (c) 2014, OmniTI Computer Consulting, Inc. All rights reserved.
 * Copyright 2021 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2022 Garrett D'Amore <garrett@damore.org>
 */
 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
@@ -91,7 +92,6 @@
 #include <net/simnet.h>
 #include <sys/vnic.h>
 #include <sys/fs/zfs.h>
-#include <inet/kssl/kssl.h>
 #include <sys/dkio.h>
 #include <sys/fdio.h>
 #include <sys/cdio.h>
@@ -1307,12 +1307,6 @@ const struct ioc {
 { (uint_t)ZFS_IOC_GET_BOOTENV, "ZFS_IOC_GET_BOOTENV",
 "zfs_cmd_t" },
- /* kssl ioctls */
- { (uint_t)KSSL_ADD_ENTRY, "KSSL_ADD_ENTRY",
- "kssl_params_t"},
- { (uint_t)KSSL_DELETE_ENTRY, "KSSL_DELETE_ENTRY",
- "sockaddr_in"},
-
 /* disk ioctls - (0x04 << 8) - dkio.h */
 { (uint_t)DKIOCGGEOM, "DKIOCGGEOM",
 "struct dk_geom"}, |