1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 
27 #include <stdio.h>
28 #include <errno.h>
29 #include <strings.h>
30 #include <locale.h>
31 #include <stdlib.h>
32 #include "cryptoutil.h"
33 
34 static int uef_interpret(char *, uentry_t **);
35 static int parse_policylist(char *, uentry_t *);
36 static boolean_t is_fips(char *);
37 
38 /*
39  * Retrieve the user-level provider info from the pkcs11.conf file.
40  * If successful, the result is returned from the ppliblist argument.
41  * This function returns SUCCESS if successfully done; otherwise it returns
42  * FAILURE.
43  */
44 int
get_pkcs11conf_info(uentrylist_t ** ppliblist)45 get_pkcs11conf_info(uentrylist_t **ppliblist)
46 {
47 	FILE *pfile;
48 	char buffer[BUFSIZ];
49 	size_t len;
50 	uentry_t *pent;
51 	uentrylist_t *pentlist;
52 	uentrylist_t *pcur;
53 	int rc = SUCCESS;
54 
55 	*ppliblist = NULL;
56 	if ((pfile = fopen(_PATH_PKCS11_CONF, "rF")) == NULL) {
57 		cryptoerror(LOG_ERR, "failed to open %s.\n", _PATH_PKCS11_CONF);
58 		return (FAILURE);
59 	}
60 
61 	while (fgets(buffer, BUFSIZ, pfile) != NULL) {
62 		if (buffer[0] == '#' || buffer[0] == ' ' ||
63 		    buffer[0] == '\n'|| buffer[0] == '\t') {
64 			continue;   /* ignore comment lines */
65 		}
66 
67 		len = strlen(buffer);
68 		if (buffer[len-1] == '\n') { /* get rid of trailing '\n' */
69 			len--;
70 		}
71 		buffer[len] = '\0';
72 
73 		if ((rc = uef_interpret(buffer,  &pent)) != SUCCESS) {
74 			break;
75 		}
76 
77 		/* append pent into ppliblist */
78 		pentlist = malloc(sizeof (uentrylist_t));
79 		if (pentlist == NULL) {
80 			cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
81 			    _PATH_PKCS11_CONF);
82 			free_uentry(pent);
83 			rc = FAILURE;
84 			break;
85 		}
86 		pentlist->puent = pent;
87 		pentlist->next = NULL;
88 
89 		if (*ppliblist == NULL) {
90 			*ppliblist = pcur = pentlist;
91 		} else {
92 			pcur->next = pentlist;
93 			pcur = pcur->next;
94 		}
95 	}
96 
97 	(void) fclose(pfile);
98 
99 	if (rc != SUCCESS) {
100 		free_uentrylist(*ppliblist);
101 		*ppliblist = NULL;
102 	}
103 
104 	return (rc);
105 }
106 
107 static int
parse_fips_mode(char * buf,boolean_t * mode)108 parse_fips_mode(char *buf, boolean_t *mode)
109 {
110 	char *value;
111 
112 	if (strncmp(buf, EF_FIPS_STATUS, sizeof (EF_FIPS_STATUS) - 1) == 0) {
113 		if (value = strpbrk(buf, SEP_EQUAL)) {
114 			value++; /* get rid of = */
115 			if (strcmp(value, DISABLED_KEYWORD) == 0) {
116 				*mode = B_FALSE;
117 			} else if (strcmp(value, ENABLED_KEYWORD) == 0) {
118 				*mode = B_TRUE;
119 			} else {
120 				cryptoerror(LOG_ERR, gettext(
121 				    "Failed to parse pkcs11.conf file.\n"));
122 				return (CKR_FUNCTION_FAILED);
123 			}
124 			return (CKR_OK);
125 		} else {
126 			return (CKR_FUNCTION_FAILED);
127 		}
128 	} else {
129 		/* should not come here */
130 		cryptoerror(LOG_ERR, gettext(
131 		    "Failed to parse pkcs11.conf file.\n"));
132 		return (CKR_FUNCTION_FAILED);
133 	}
134 
135 }
136 
137 /*
138  * This routine converts a char string into a uentry_t structure
139  * The input string "buf" should be one of the following:
140  *	library_name
141  *	library_name:NO_RANDOM
142  *	library_name:disabledlist=m1,m2,...,mk
143  *	library_name:disabledlist=m1,m2,...,mk;NO_RANDOM
144  *	library_name:enabledlist=
145  *	library_name:enabledlist=;NO_RANDOM
146  *	library_name:enabledlist=m1,m2,...,mk
147  *	library_name:enabledlist=m1,m2,...,mk;NO_RANDOM
148  *	metaslot:status=enabled;enabledlist=m1,m2,....;slot=<slot-description>;\
149  *	token=<token-label>
150  *
151  * Note:
152  *	The mechanisms m1,..mk are in hex form. For example, "0x00000210"
153  *	for CKM_MD5.
154  *
155  *	For the metaslot entry, "enabledlist", "slot", "auto_key_migrate"
156  * 	or "token" is optional
157  */
158 static int
uef_interpret(char * buf,uentry_t ** ppent)159 uef_interpret(char *buf, uentry_t **ppent)
160 {
161 	uentry_t *pent;
162 	char	*token1;
163 	char	*token2;
164 	char	*lasts;
165 	int	rc;
166 
167 	*ppent = NULL;
168 	if ((token1 = strtok_r(buf, SEP_COLON, &lasts)) == NULL) {
169 		/* buf is NULL */
170 		return (FAILURE);
171 	};
172 
173 	pent = calloc(sizeof (uentry_t), 1);
174 	if (pent == NULL) {
175 		cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
176 		    _PATH_PKCS11_CONF);
177 		return (FAILURE);
178 	}
179 	(void) strlcpy(pent->name, token1, sizeof (pent->name));
180 
181 	if (is_fips(token1)) {
182 		if ((rc = parse_fips_mode(buf + strlen(token1) + 1,
183 		    &pent->flag_fips_enabled)) != SUCCESS) {
184 			free_uentry(pent);
185 			return (rc);
186 		}
187 
188 		*ppent = pent;
189 		return (SUCCESS);
190 	}
191 
192 	/*
193 	 * in case metaslot_auto_key_migrate is not specified, it should
194 	 * be default to true
195 	 */
196 	pent->flag_metaslot_auto_key_migrate = B_TRUE;
197 
198 	while ((token2 = strtok_r(NULL, SEP_SEMICOLON, &lasts)) != NULL) {
199 		if ((rc = parse_policylist(token2, pent)) != SUCCESS) {
200 			free_uentry(pent);
201 			return (rc);
202 		}
203 	}
204 
205 	*ppent = pent;
206 	return (SUCCESS);
207 }
208 
209 
210 /*
211  * This routine parses the policy list and stored the result in the argument
212  * pent.
213  *
214  * 	Arg buf: input only, its format should be one of the following:
215  *     		enabledlist=
216  *		enabledlist=m1,m2,...,mk
217  *		disabledlist=m1,m2,...,mk
218  *		NO_RANDOM
219  *		metaslot_status=enabled|disabled
220  *		metaslot_token=<token-label>
221  *		metaslot_slot=<slot-description.
222  *
223  *	Arg pent: input/output
224  *
225  *      return: SUCCESS or FAILURE
226  */
227 static int
parse_policylist(char * buf,uentry_t * pent)228 parse_policylist(char *buf, uentry_t *pent)
229 {
230 	umechlist_t *phead = NULL;
231 	umechlist_t *pcur = NULL;
232 	umechlist_t *pmech;
233 	char *next_token;
234 	char *value;
235 	char *lasts;
236 	int count = 0;
237 	int rc = SUCCESS;
238 
239 	if (pent == NULL) {
240 		return (FAILURE);
241 	}
242 
243 	if (strncmp(buf, EF_DISABLED, sizeof (EF_DISABLED) - 1) == 0) {
244 		pent->flag_enabledlist = B_FALSE;
245 	} else if (strncmp(buf, EF_ENABLED, sizeof (EF_ENABLED) - 1) == 0) {
246 		pent->flag_enabledlist = B_TRUE;
247 	} else if (strncmp(buf, EF_NORANDOM, sizeof (EF_NORANDOM) - 1) == 0) {
248 		pent->flag_norandom = B_TRUE;
249 		return (rc);
250 	} else if (strncmp(buf, METASLOT_TOKEN,
251 	    sizeof (METASLOT_TOKEN) - 1) == 0) {
252 		if (value = strpbrk(buf, SEP_EQUAL)) {
253 			value++; /* get rid of = */
254 			(void) strlcpy((char *)pent->metaslot_ks_token, value,
255 			    sizeof (pent->metaslot_ks_token));
256 			return (SUCCESS);
257 		} else {
258 			cryptoerror(LOG_ERR, "failed to parse %s.\n",
259 			    _PATH_PKCS11_CONF);
260 			return (FAILURE);
261 		}
262 	} else if (strncmp(buf, METASLOT_SLOT,
263 	    sizeof (METASLOT_SLOT) - 1) == 0) {
264 		if (value = strpbrk(buf, SEP_EQUAL)) {
265 			value++; /* get rid of = */
266 			(void) strlcpy((char *)pent->metaslot_ks_slot, value,
267 			    sizeof (pent->metaslot_ks_slot));
268 			return (SUCCESS);
269 		} else {
270 			cryptoerror(LOG_ERR, "failed to parse %s.\n",
271 			    _PATH_PKCS11_CONF);
272 			return (FAILURE);
273 		}
274 	} else if (strncmp(buf, METASLOT_STATUS,
275 	    sizeof (METASLOT_STATUS) - 1) == 0) {
276 		if (value = strpbrk(buf, SEP_EQUAL)) {
277 			value++; /* get rid of = */
278 			if (strcmp(value, DISABLED_KEYWORD) == 0) {
279 				pent->flag_metaslot_enabled = B_FALSE;
280 			} else if (strcmp(value, ENABLED_KEYWORD) == 0) {
281 				pent->flag_metaslot_enabled = B_TRUE;
282 			} else {
283 				cryptoerror(LOG_ERR, "failed to parse %s.\n",
284 				    _PATH_PKCS11_CONF);
285 				return (FAILURE);
286 			}
287 			return (SUCCESS);
288 		} else {
289 			cryptoerror(LOG_ERR, "failed to parse %s.\n",
290 			    _PATH_PKCS11_CONF);
291 			return (FAILURE);
292 		}
293 	} else if (strncmp(buf, METASLOT_AUTO_KEY_MIGRATE,
294 	    sizeof (METASLOT_AUTO_KEY_MIGRATE) - 1) == 0) {
295 		if (value = strpbrk(buf, SEP_EQUAL)) {
296 			value++; /* get rid of = */
297 			if (strcmp(value, DISABLED_KEYWORD) == 0) {
298 				pent->flag_metaslot_auto_key_migrate = B_FALSE;
299 			} else if (strcmp(value, ENABLED_KEYWORD) == 0) {
300 				pent->flag_metaslot_auto_key_migrate = B_TRUE;
301 			} else {
302 				cryptoerror(LOG_ERR, "failed to parse %s.\n",
303 				    _PATH_PKCS11_CONF);
304 				return (FAILURE);
305 			}
306 			return (SUCCESS);
307 		} else {
308 			cryptoerror(LOG_ERR, "failed to parse %s.\n",
309 			    _PATH_PKCS11_CONF);
310 			return (FAILURE);
311 		}
312 	} else {
313 		cryptoerror(LOG_ERR, "failed to parse %s.\n",
314 		    _PATH_PKCS11_CONF);
315 		return (FAILURE);
316 	}
317 
318 	if (value = strpbrk(buf, SEP_EQUAL)) {
319 		value++; /* get rid of = */
320 	}
321 
322 	if ((next_token = strtok_r(value, SEP_COMMA, &lasts)) == NULL) {
323 		if (pent->flag_enabledlist) {
324 			return (SUCCESS);
325 		} else {
326 			cryptoerror(LOG_ERR, "failed to parse %s.\n",
327 			    _PATH_PKCS11_CONF);
328 			return (FAILURE);
329 		}
330 	}
331 
332 	while (next_token) {
333 		if ((pmech = create_umech(next_token)) == NULL) {
334 			cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
335 			    _PATH_PKCS11_CONF);
336 			rc = FAILURE;
337 			break;
338 		}
339 
340 		if (phead == NULL) {
341 			phead = pcur = pmech;
342 		} else {
343 			pcur->next = pmech;
344 			pcur = pcur->next;
345 		}
346 		count++;
347 		next_token = strtok_r(NULL, SEP_COMMA, &lasts);
348 	}
349 
350 	if (rc == SUCCESS) {
351 		pent->policylist = phead;
352 		pent->count = count;
353 	} else {
354 		free_umechlist(phead);
355 	}
356 
357 	return (rc);
358 }
359 
360 
361 /*
362  * Create one item of type umechlist_t with the mechanism name.  A NULL is
363  * returned when the input name is NULL or the heap memory is insufficient.
364  */
365 umechlist_t *
create_umech(char * name)366 create_umech(char *name)
367 {
368 	umechlist_t *pmech = NULL;
369 
370 	if (name == NULL) {
371 		return (NULL);
372 	}
373 
374 	if ((pmech = malloc(sizeof (umechlist_t))) != NULL) {
375 		(void) strlcpy(pmech->name, name, sizeof (pmech->name));
376 		pmech->next = NULL;
377 	}
378 
379 	return (pmech);
380 }
381 
382 
383 void
free_umechlist(umechlist_t * plist)384 free_umechlist(umechlist_t *plist)
385 {
386 	umechlist_t *pnext;
387 
388 	while (plist != NULL) {
389 		pnext = plist->next;
390 		free(plist);
391 		plist = pnext;
392 	}
393 }
394 
395 
396 void
free_uentry(uentry_t * pent)397 free_uentry(uentry_t  *pent)
398 {
399 	if (pent == NULL) {
400 		return;
401 	} else {
402 		free_umechlist(pent->policylist);
403 		free(pent);
404 	}
405 }
406 
407 
408 void
free_uentrylist(uentrylist_t * entrylist)409 free_uentrylist(uentrylist_t *entrylist)
410 {
411 	uentrylist_t *pnext;
412 
413 	while (entrylist != NULL) {
414 		pnext = entrylist->next;
415 		free_uentry(entrylist->puent);
416 		free(entrylist);
417 		entrylist = pnext;
418 	}
419 }
420 
421 
422 
423 /*
424  * Duplicate an UEF mechanism list.  A NULL pointer is returned if out of
425  * memory or the input argument is NULL.
426  */
427 static umechlist_t *
dup_umechlist(umechlist_t * plist)428 dup_umechlist(umechlist_t *plist)
429 {
430 	umechlist_t *pres = NULL;
431 	umechlist_t *pcur;
432 	umechlist_t *ptmp;
433 	int rc = SUCCESS;
434 
435 	while (plist != NULL) {
436 		if (!(ptmp = create_umech(plist->name))) {
437 			rc = FAILURE;
438 			break;
439 		}
440 
441 		if (pres == NULL) {
442 			pres = pcur = ptmp;
443 		} else {
444 			pcur->next = ptmp;
445 			pcur = pcur->next;
446 		}
447 		plist = plist->next;
448 	}
449 
450 	if (rc != SUCCESS) {
451 		free_umechlist(pres);
452 		return (NULL);
453 	}
454 
455 	return (pres);
456 }
457 
458 
459 /*
460  * Duplicate an uentry.  A NULL pointer is returned if out of memory
461  * or the input argument is NULL.
462  */
463 static uentry_t *
dup_uentry(uentry_t * puent1)464 dup_uentry(uentry_t *puent1)
465 {
466 	uentry_t *puent2 = NULL;
467 
468 	if (puent1 == NULL) {
469 		return (NULL);
470 	}
471 
472 	if ((puent2 = malloc(sizeof (uentry_t))) == NULL) {
473 		cryptoerror(LOG_STDERR, gettext("out of memory."));
474 		return (NULL);
475 	} else {
476 		(void) strlcpy(puent2->name, puent1->name,
477 		    sizeof (puent2->name));
478 		puent2->flag_norandom = puent1->flag_norandom;
479 		puent2->flag_enabledlist = puent1->flag_enabledlist;
480 		puent2->policylist = dup_umechlist(puent1->policylist);
481 		puent2->flag_metaslot_enabled = puent1->flag_metaslot_enabled;
482 		puent2->flag_metaslot_auto_key_migrate
483 		    = puent1->flag_metaslot_auto_key_migrate;
484 		(void) memcpy(puent2->metaslot_ks_slot,
485 		    puent1->metaslot_ks_slot, SLOT_DESCRIPTION_SIZE);
486 		(void) memcpy(puent2->metaslot_ks_token,
487 		    puent1->metaslot_ks_token, TOKEN_LABEL_SIZE);
488 		puent2->count = puent1->count;
489 		puent2->flag_fips_enabled = puent1->flag_fips_enabled;
490 		return (puent2);
491 	}
492 }
493 
494 /*
495  * Find the entry in the "pkcs11.conf" file with "libname" as the provider
496  * name. Return the entry if found, otherwise return NULL.
497  */
498 uentry_t *
getent_uef(char * libname)499 getent_uef(char *libname)
500 {
501 	uentrylist_t	*pliblist = NULL;
502 	uentrylist_t	*plib = NULL;
503 	uentry_t	*puent = NULL;
504 	boolean_t	found = B_FALSE;
505 
506 	if (libname == NULL) {
507 		return (NULL);
508 	}
509 
510 	if ((get_pkcs11conf_info(&pliblist)) == FAILURE) {
511 		return (NULL);
512 	}
513 
514 	plib = pliblist;
515 	while (plib) {
516 		if (strcmp(plib->puent->name, libname) == 0) {
517 			found = B_TRUE;
518 			break;
519 		} else {
520 			plib = plib->next;
521 		}
522 	}
523 
524 	if (found) {
525 		puent = dup_uentry(plib->puent);
526 	}
527 
528 	free_uentrylist(pliblist);
529 	return (puent);
530 }
531 
532 
533 
534 /*
535  * Retrieve the metaslot information from the pkcs11.conf file.
536  * This function returns SUCCESS if successfully done; otherwise it returns
537  * FAILURE.   If successful, the caller is responsible to free the space
538  * allocated for objectstore_slot_info and objectstore_token_info.
539  */
540 int
get_metaslot_info(boolean_t * status_enabled,boolean_t * migrate_enabled,char ** objectstore_slot_info,char ** objectstore_token_info)541 get_metaslot_info(boolean_t  *status_enabled, boolean_t *migrate_enabled,
542     char **objectstore_slot_info, char **objectstore_token_info)
543 {
544 
545 	int rc = SUCCESS;
546 	uentry_t *puent;
547 	char *buf1 = NULL;
548 	char *buf2 = NULL;
549 
550 	if ((puent = getent_uef(METASLOT_KEYWORD)) == NULL) {
551 		/* metaslot entry doesn't exist */
552 		return (FAILURE);
553 	}
554 
555 	*status_enabled = puent->flag_metaslot_enabled;
556 	*migrate_enabled = puent->flag_metaslot_auto_key_migrate;
557 
558 	buf1 = malloc(SLOT_DESCRIPTION_SIZE);
559 	if (buf1 == NULL) {
560 		cryptoerror(LOG_ERR, "get_metaslot_info() - out of memory.\n");
561 		rc = FAILURE;
562 		goto out;
563 	}
564 	(void) strcpy(buf1, (const char *) puent->metaslot_ks_slot);
565 	*objectstore_slot_info = buf1;
566 
567 	buf2 = malloc(TOKEN_LABEL_SIZE);
568 	if (objectstore_slot_info == NULL) {
569 		cryptoerror(LOG_ERR, "get_metaslot_info() - out of memory.\n");
570 		rc = FAILURE;
571 		goto out;
572 	}
573 	(void) strcpy(buf2, (const char *) puent->metaslot_ks_token);
574 	*objectstore_token_info = buf2;
575 
576 out:
577 	if (puent != NULL) {
578 		free_uentry(puent);
579 	}
580 
581 	if (rc == FAILURE) {
582 		if (buf1 != NULL) {
583 			free(buf1);
584 		}
585 		if (buf2 != NULL) {
586 			free(buf2);
587 		}
588 	}
589 
590 	return (rc);
591 }
592 
593 static boolean_t
is_fips(char * name)594 is_fips(char *name)
595 {
596 	if (strcmp(name, FIPS_KEYWORD) == 0) {
597 		return (B_TRUE);
598 	} else {
599 		return (B_FALSE);
600 	}
601 }
602