1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * Core KCF (Kernel Cryptographic Framework). This file implements
28  * the cryptoadm entry points.
29  */
30 
31 #include <sys/systm.h>
32 #include <sys/errno.h>
33 #include <sys/cmn_err.h>
34 #include <sys/rwlock.h>
35 #include <sys/kmem.h>
36 #include <sys/modctl.h>
37 #include <sys/sunddi.h>
38 #include <sys/door.h>
39 #include <sys/crypto/common.h>
40 #include <sys/crypto/api.h>
41 #include <sys/crypto/spi.h>
42 #include <sys/crypto/impl.h>
43 #include <sys/crypto/sched_impl.h>
44 
45 /* protects the the soft_config_list. */
46 kmutex_t soft_config_mutex;
47 
48 /*
49  * This linked list contains software configuration entries.
50  * The initial list is just software providers loaded by kcf_soft_config_init().
51  * Additional entries may appear for both hardware and software providers
52  * from kcf.conf.  These come from "cryptoadm start", which reads file kcf.conf
53  * and updates this table using the CRYPTO_LOAD_SOFT_CONFIG ioctl.
54  * Further cryptoadm commands modify this file and update this table with ioctl.
55  * This list is protected by the soft_config_mutex.
56  */
57 kcf_soft_conf_entry_t *soft_config_list;
58 
59 static int add_soft_config(char *, uint_t, crypto_mech_name_t *);
60 static int dup_mech_names(kcf_provider_desc_t *, crypto_mech_name_t **,
61     uint_t *, int);
62 static void free_soft_config_entry(kcf_soft_conf_entry_t *);
63 
64 #define	KCF_MAX_CONFIG_ENTRIES 512 /* maximum entries in soft_config_list */
65 
66 #if DEBUG
67 extern int kcf_frmwrk_debug;
68 static void kcf_soft_config_dump(char *message);
69 #endif /* DEBUG */
70 
71 /*
72  * Count and return the number of mechanisms in an array of crypto_mech_name_t
73  * (excluding final NUL-character string element).
74  */
75 static int
count_mechanisms(crypto_mech_name_t mechs[])76 count_mechanisms(crypto_mech_name_t mechs[])
77 {
78 	int	count;
79 	for (count = 0; mechs[count][0] != '\0'; ++count)
80 		;
81 	return (count);
82 }
83 
84 /*
85  * Initialize a mutex and populate soft_config_list with default entries
86  * of kernel software providers.
87  * Called from kcf module _init().
88  */
89 	void
kcf_soft_config_init(void)90 kcf_soft_config_init(void)
91 {
92 	typedef struct {
93 		char			*name;
94 		crypto_mech_name_t	*mechs;
95 	} initial_soft_config_entry_t;
96 
97 	/*
98 	 * This provides initial default values to soft_config_list.
99 	 * It is equivalent to these lines in /etc/crypto/kcf.conf
100 	 * (without line breaks and indenting):
101 	 *
102 	 * # /etc/crypto/kcf.conf
103 	 * des:supportedlist=CKM_DES_CBC,CKM_DES_ECB,CKM_DES3_CBC,CKM_DES3_ECB
104 	 * aes:supportedlist=CKM_AES_ECB,CKM_AES_CBC,CKM_AES_CTR,CKM_AES_CCM,\
105 	 * CKM_AES_GCM,CKM_AES_GMAC,CKM_AES_CMAC
106 	 * arcfour:supportedlist=CKM_RC4
107 	 * blowfish:supportedlist=CKM_BLOWFISH_ECB,CKM_BLOWFISH_CBC
108 	 * ecc:supportedlist=CKM_EC_KEY_PAIR_GEN,CKM_ECDH1_DERIVE,CKM_ECDSA,\
109 	 * CKM_ECDSA_SHA1
110 	 * sha1:supportedlist=CKM_SHA_1,CKM_SHA_1_HMAC_GENERAL,CKM_SHA_1_HMAC
111 	 * sha2:supportedlist=CKM_SHA256,CKM_SHA256_HMAC,\
112 	 * CKM_SHA256_HMAC_GENERAL,CKM_SHA384,CKM_SHA384_HMAC,\
113 	 * CKM_SHA384_HMAC_GENERAL,CKM_SHA512,CKM_SHA512_HMAC,\
114 	 * CKM_SHA512_HMAC_GENERAL
115 	 * md4:supportedlist=CKM_MD4
116 	 * md5:supportedlist=CKM_MD5,CKM_MD5_HMAC_GENERAL,CKM_MD5_HMAC
117 	 * rsa:supportedlist=CKM_RSA_PKCS,CKM_RSA_X_509,CKM_MD5_RSA_PKCS,\
118 	 * CKM_SHA1_RSA_PKCS,CKM_SHA256_RSA_PKCS,CKM_SHA384_RSA_PKCS,\
119 	 * CKM_SHA512_RSA_PKCS
120 	 * swrand:supportedlist=random
121 	 *
122 	 * WARNING: If you add a new kernel crypto provider or mechanism,
123 	 * you must update these structures.
124 	 *
125 	 * 1. To add a new mechanism to a provider add the string to the
126 	 * appropriate array below and comment above.
127 	 *
128 	 * 2. To add a new provider, create a new *_mechs array listing the
129 	 * provider's mechanism(s) and a new comment line above.
130 	 * Add the new *_mechs array to initial_soft_config_entry[].
131 	 *
132 	 * 3. If appropriate (that is the new mechanism is needed before
133 	 * cryptosvc runs), add to kcf_init_mech_tabs() in kcf_mech_tabs.c.
134 	 */
135 	static crypto_mech_name_t	des_mechs[] = {
136 		"CKM_DES_CBC", "CKM_DES_ECB", "CKM_DES3_CBC", "CKM_DES3_ECB",
137 		""};
138 	static crypto_mech_name_t	aes_mechs[] = {
139 		"CKM_AES_ECB", "CKM_AES_CBC", "CKM_AES_CTR", "CKM_AES_CCM",
140 		"CKM_AES_GCM", "CKM_AES_GMAC", "CKM_AES_CMAC", ""};
141 	static crypto_mech_name_t	arcfour_mechs[] = {
142 		"CKM_RC4", ""};
143 	static crypto_mech_name_t	blowfish_mechs[] = {
144 		"CKM_BLOWFISH_ECB", "CKM_BLOWFISH_CBC", ""};
145 	static crypto_mech_name_t	ecc_mechs[] = {
146 		"CKM_EC_KEY_PAIR_GEN", "CKM_ECDH1_DERIVE", "CKM_ECDSA",
147 		"CKM_ECDSA_SHA1", ""};
148 	static crypto_mech_name_t	sha1_mechs[] = {
149 		"CKM_SHA_1", "CKM_SHA_1_HMAC_GENERAL", "CKM_SHA_1_HMAC", ""};
150 	static crypto_mech_name_t	sha2_mechs[] = {
151 		"CKM_SHA256", "CKM_SHA256_HMAC", "CKM_SHA256_HMAC_GENERAL",
152 		"CKM_SHA384", "CKM_SHA384_HMAC", "CKM_SHA384_HMAC_GENERAL",
153 		"CKM_SHA512", "CKM_SHA512_HMAC", "CKM_SHA512_HMAC_GENERAL", ""};
154 	static crypto_mech_name_t	md4_mechs[] = {
155 		"CKM_MD4", ""};
156 	static crypto_mech_name_t	md5_mechs[] = {
157 		"CKM_MD5", "CKM_MD5_HMAC_GENERAL", "CKM_MD5_HMAC", ""};
158 	static crypto_mech_name_t	rsa_mechs[] = {
159 		"CKM_RSA_PKCS", "CKM_RSA_X_509", "CKM_MD5_RSA_PKCS",
160 		"CKM_SHA1_RSA_PKCS", "CKM_SHA256_RSA_PKCS",
161 		"CKM_SHA384_RSA_PKCS",
162 		"CKM_SHA512_RSA_PKCS", ""};
163 	static crypto_mech_name_t	swrand_mechs[] = {
164 		"random", ""};
165 	static initial_soft_config_entry_t
166 		initial_soft_config_entry[] = {
167 			"des", des_mechs,
168 			"aes", aes_mechs,
169 			"arcfour", arcfour_mechs,
170 			"blowfish", blowfish_mechs,
171 			"ecc", ecc_mechs,
172 			"sha1", sha1_mechs,
173 			"sha2", sha2_mechs,
174 			"md4", md4_mechs,
175 			"md5", md5_mechs,
176 			"rsa", rsa_mechs,
177 			"swrand", swrand_mechs
178 		};
179 	const int initial_soft_config_entries =
180 	    sizeof (initial_soft_config_entry)
181 	    / sizeof (initial_soft_config_entry_t);
182 	int i;
183 
184 	mutex_init(&soft_config_mutex, NULL, MUTEX_DRIVER, NULL);
185 
186 	/*
187 	 * Initialize soft_config_list with default providers.
188 	 * Populate the linked list backwards so the first entry appears first.
189 	 */
190 	for (i = initial_soft_config_entries - 1; i >= 0; --i) {
191 		initial_soft_config_entry_t *p = &initial_soft_config_entry[i];
192 		crypto_mech_name_t	*mechsp;
193 		uint_t			alloc_size;
194 		int			mech_count, r;
195 
196 		/* allocate/initialize memory for mechanism list */
197 		mech_count = count_mechanisms(p->mechs);
198 		alloc_size = mech_count * CRYPTO_MAX_MECH_NAME;
199 		mechsp = kmem_alloc(alloc_size, KM_SLEEP);
200 		bcopy(p->mechs, mechsp, alloc_size);
201 
202 		r = add_soft_config(p->name, mech_count, mechsp);
203 		if (r != 0) {
204 			cmn_err(CE_WARN,
205 			    "add_soft_config(%s) failed; returned %d\n",
206 			    p->name, r);
207 		}
208 	}
209 #if DEBUG
210 	if (kcf_frmwrk_debug >= 1)
211 		kcf_soft_config_dump("kcf_soft_config_init");
212 #endif /* DEBUG */
213 }
214 
215 
216 #if DEBUG
217 /*
218  * Dump soft_config_list, containing a list of kernel software providers
219  * and (optionally) hardware providers, with updates from kcf.conf.
220  * Dump mechanism lists too if kcf_frmwrk_debug is >= 2.
221  */
222 static void
kcf_soft_config_dump(char * message)223 kcf_soft_config_dump(char *message)
224 {
225 	kcf_soft_conf_entry_t	*p;
226 	uint_t			i;
227 
228 	mutex_enter(&soft_config_mutex);
229 	printf("Soft provider config list soft_config_list: %s\n",
230 	    message != NULL ? message : "");
231 
232 	for (p = soft_config_list; p != NULL; p = p->ce_next) {
233 		printf("ce_name: %s, %d ce_mechs\n", p->ce_name, p->ce_count);
234 		if (kcf_frmwrk_debug >= 2) {
235 			printf("\tce_mechs: ");
236 			for (i = 0; i < p->ce_count; i++) {
237 				printf("%s ", p->ce_mechs[i]);
238 			}
239 			printf("\n");
240 		}
241 	}
242 	printf("(end of soft_config_list)\n");
243 
244 	mutex_exit(&soft_config_mutex);
245 }
246 #endif /* DEBUG */
247 
248 
249 /*
250  * Utility routine to identify the providers to filter out and
251  * present only one provider. This happens when a hardware provider
252  * registers multiple units of the same device instance.
253  *
254  * Called from crypto_get_dev_list().
255  */
256 static void
filter_providers(uint_t count,kcf_provider_desc_t ** provider_array,char * skip_providers,int * mech_counts,int * new_count)257 filter_providers(uint_t count, kcf_provider_desc_t **provider_array,
258     char *skip_providers, int *mech_counts, int *new_count)
259 {
260 	int i, j;
261 	kcf_provider_desc_t *prov1, *prov2;
262 	int n = 0;
263 
264 	for (i = 0; i < count; i++) {
265 		if (skip_providers[i] == 1)
266 			continue;
267 
268 		prov1 = provider_array[i];
269 		mech_counts[i] = prov1->pd_mech_list_count;
270 		for (j = i + 1; j < count; j++) {
271 			prov2 = provider_array[j];
272 			if (strncmp(prov1->pd_name, prov2->pd_name,
273 			    MAXNAMELEN) == 0 &&
274 			    prov1->pd_instance == prov2->pd_instance) {
275 				skip_providers[j] = 1;
276 				mech_counts[i] += prov2->pd_mech_list_count;
277 			}
278 		}
279 		n++;
280 	}
281 
282 	*new_count = n;
283 }
284 
285 
286 /*
287  * Return a list of kernel hardware providers and a count of each
288  * provider's supported mechanisms.
289  * Called from the CRYPTO_GET_DEV_LIST ioctl.
290  */
291 int
crypto_get_dev_list(uint_t * count,crypto_dev_list_entry_t ** array)292 crypto_get_dev_list(uint_t *count, crypto_dev_list_entry_t **array)
293 {
294 	kcf_provider_desc_t **provider_array;
295 	kcf_provider_desc_t *pd;
296 	crypto_dev_list_entry_t *p;
297 	size_t skip_providers_size, mech_counts_size;
298 	char *skip_providers;
299 	uint_t provider_count;
300 	int rval, i, j, new_count, *mech_counts;
301 
302 	/*
303 	 * Take snapshot of provider table returning only hardware providers
304 	 * that are in a usable state. Logical providers not included.
305 	 */
306 	rval = kcf_get_hw_prov_tab(&provider_count, &provider_array, KM_SLEEP,
307 	    NULL, 0, B_FALSE);
308 	if (rval != CRYPTO_SUCCESS)
309 		return (rval);
310 
311 	if (provider_count == 0) {
312 		*array = NULL;
313 		*count = 0;
314 		return (CRYPTO_SUCCESS);
315 	}
316 
317 	skip_providers_size = provider_count * sizeof (char);
318 	mech_counts_size = provider_count * sizeof (int);
319 
320 	skip_providers = kmem_zalloc(skip_providers_size, KM_SLEEP);
321 	mech_counts = kmem_zalloc(mech_counts_size, KM_SLEEP);
322 	filter_providers(provider_count, provider_array, skip_providers,
323 	    mech_counts, &new_count);
324 
325 	p = kmem_alloc(new_count * sizeof (crypto_dev_list_entry_t), KM_SLEEP);
326 	for (i = 0, j = 0; i < provider_count; i++) {
327 		if (skip_providers[i] == 1) {
328 			ASSERT(mech_counts[i] == 0);
329 			continue;
330 		}
331 		pd = provider_array[i];
332 		p[j].le_mechanism_count = mech_counts[i];
333 		p[j].le_dev_instance = pd->pd_instance;
334 		(void) strncpy(p[j].le_dev_name, pd->pd_name, MAXNAMELEN);
335 		j++;
336 	}
337 
338 	kcf_free_provider_tab(provider_count, provider_array);
339 	kmem_free(skip_providers, skip_providers_size);
340 	kmem_free(mech_counts, mech_counts_size);
341 
342 	*array = p;
343 	*count = new_count;
344 	return (CRYPTO_SUCCESS);
345 }
346 
347 /*
348  * Return a buffer containing the null terminated names of software providers
349  * loaded by CRYPTO_LOAD_SOFT_CONFIG.
350  * Called from the CRYPTO_GET_SOFT_LIST ioctl.
351  */
352 int
crypto_get_soft_list(uint_t * count,char ** array,size_t * len)353 crypto_get_soft_list(uint_t *count, char **array, size_t *len)
354 {
355 	char *names = NULL, *namep, *end;
356 	kcf_soft_conf_entry_t *p;
357 	uint_t n = 0, cnt = 0, final_count = 0;
358 	size_t name_len, final_size = 0;
359 
360 	/* first estimate */
361 	mutex_enter(&soft_config_mutex);
362 	for (p = soft_config_list; p != NULL; p = p->ce_next) {
363 		n += strlen(p->ce_name) + 1;
364 		cnt++;
365 	}
366 	mutex_exit(&soft_config_mutex);
367 
368 	if (cnt == 0)
369 		goto out;
370 
371 again:
372 	namep = names = kmem_alloc(n, KM_SLEEP);
373 	end = names + n;
374 	final_size = 0;
375 	final_count = 0;
376 
377 	mutex_enter(&soft_config_mutex);
378 	for (p = soft_config_list; p != NULL; p = p->ce_next) {
379 		name_len = strlen(p->ce_name) + 1;
380 		/* check for enough space */
381 		if ((namep + name_len) > end) {
382 			mutex_exit(&soft_config_mutex);
383 			kmem_free(names, n);
384 			n = n << 1;
385 			goto again;
386 		}
387 		(void) strcpy(namep, p->ce_name);
388 		namep += name_len;
389 		final_size += name_len;
390 		final_count++;
391 	}
392 	mutex_exit(&soft_config_mutex);
393 
394 	ASSERT(final_size <= n);
395 
396 	/* check if buffer we allocated is too large */
397 	if (final_size < n) {
398 		char *final_buffer;
399 
400 		final_buffer = kmem_alloc(final_size, KM_SLEEP);
401 		bcopy(names, final_buffer, final_size);
402 		kmem_free(names, n);
403 		names = final_buffer;
404 	}
405 out:
406 	*array = names;
407 	*count = final_count;
408 	*len = final_size;
409 	return (CRYPTO_SUCCESS);
410 }
411 
412 /*
413  * Check if a mechanism name is already in a mechanism name array
414  * Called by crypto_get_dev_info().
415  */
416 static boolean_t
duplicate(char * name,crypto_mech_name_t * array,int count)417 duplicate(char *name, crypto_mech_name_t *array, int count)
418 {
419 	int i;
420 
421 	for (i = 0; i < count; i++) {
422 		if (strncmp(name, &array[i][0],
423 		    sizeof (crypto_mech_name_t)) == 0)
424 			return (B_TRUE);
425 	}
426 	return (B_FALSE);
427 }
428 
429 /*
430  * Return a list of kernel hardware providers for a given name and instance.
431  * For each entry, also return a list of their supported mechanisms.
432  * Called from the CRYPTO_GET_DEV_INFO ioctl.
433  */
434 int
crypto_get_dev_info(char * name,uint_t instance,uint_t * count,crypto_mech_name_t ** array)435 crypto_get_dev_info(char *name, uint_t instance, uint_t *count,
436     crypto_mech_name_t **array)
437 {
438 	int rv;
439 	crypto_mech_name_t *mech_names, *resized_array;
440 	int i, j, k = 0, max_count;
441 	uint_t provider_count;
442 	kcf_provider_desc_t **provider_array;
443 	kcf_provider_desc_t *pd;
444 
445 	/*
446 	 * Get provider table entries matching name and instance
447 	 * for hardware providers that are in a usable state.
448 	 * Logical providers not included. NULL name matches
449 	 * all hardware providers.
450 	 */
451 	rv = kcf_get_hw_prov_tab(&provider_count, &provider_array, KM_SLEEP,
452 	    name, instance, B_FALSE);
453 	if (rv != CRYPTO_SUCCESS)
454 		return (rv);
455 
456 	if (provider_count == 0)
457 		return (CRYPTO_ARGUMENTS_BAD);
458 
459 	/* Count all mechanisms supported by all providers */
460 	max_count = 0;
461 	for (i = 0; i < provider_count; i++)
462 		max_count += provider_array[i]->pd_mech_list_count;
463 
464 	if (max_count == 0) {
465 		mech_names = NULL;
466 		goto out;
467 	}
468 
469 	/* Allocate space and copy mech names */
470 	mech_names = kmem_alloc(max_count * sizeof (crypto_mech_name_t),
471 	    KM_SLEEP);
472 
473 	k = 0;
474 	for (i = 0; i < provider_count; i++) {
475 		pd = provider_array[i];
476 		for (j = 0; j < pd->pd_mech_list_count; j++) {
477 			/* check for duplicate */
478 			if (duplicate(&pd->pd_mechanisms[j].cm_mech_name[0],
479 			    mech_names, k))
480 				continue;
481 			bcopy(&pd->pd_mechanisms[j].cm_mech_name[0],
482 			    &mech_names[k][0], sizeof (crypto_mech_name_t));
483 			k++;
484 		}
485 	}
486 
487 	/* resize */
488 	if (k != max_count) {
489 		resized_array =
490 		    kmem_alloc(k * sizeof (crypto_mech_name_t), KM_SLEEP);
491 		bcopy(mech_names, resized_array,
492 		    k * sizeof (crypto_mech_name_t));
493 		kmem_free(mech_names,
494 		    max_count * sizeof (crypto_mech_name_t));
495 		mech_names = resized_array;
496 	}
497 
498 out:
499 	kcf_free_provider_tab(provider_count, provider_array);
500 	*count = k;
501 	*array = mech_names;
502 
503 	return (CRYPTO_SUCCESS);
504 }
505 
506 /*
507  * Given a kernel software provider name, return a list of mechanisms
508  * it supports.
509  * Called from the CRYPTO_GET_SOFT_INFO ioctl.
510  */
511 int
crypto_get_soft_info(caddr_t name,uint_t * count,crypto_mech_name_t ** array)512 crypto_get_soft_info(caddr_t name, uint_t *count, crypto_mech_name_t **array)
513 {
514 	ddi_modhandle_t modh = NULL;
515 	kcf_provider_desc_t *provider;
516 	int rv;
517 
518 	provider = kcf_prov_tab_lookup_by_name(name);
519 	if (provider == NULL) {
520 		char *tmp;
521 		int name_len;
522 
523 		/* strlen("crypto/") + NULL terminator == 8 */
524 		name_len = strlen(name);
525 		tmp = kmem_alloc(name_len + 8, KM_SLEEP);
526 		bcopy("crypto/", tmp, 7);
527 		bcopy(name, &tmp[7], name_len);
528 		tmp[name_len + 7] = '\0';
529 
530 		modh = ddi_modopen(tmp, KRTLD_MODE_FIRST, NULL);
531 		kmem_free(tmp, name_len + 8);
532 
533 		if (modh == NULL) {
534 			return (CRYPTO_ARGUMENTS_BAD);
535 		}
536 
537 		provider = kcf_prov_tab_lookup_by_name(name);
538 		if (provider == NULL) {
539 			return (CRYPTO_ARGUMENTS_BAD);
540 		}
541 	}
542 
543 	rv = dup_mech_names(provider, array, count, KM_SLEEP);
544 	KCF_PROV_REFRELE(provider);
545 	if (modh != NULL)
546 		(void) ddi_modclose(modh);
547 	return (rv);
548 }
549 
550 
551 /*
552  * Change the mechanism list for a provider.
553  * If "direction" is CRYPTO_MECH_ADDED, add new mechanisms.
554  * If "direction" is CRYPTO_MECH_REMOVED, remove the mechanism list.
555  * Called from crypto_load_dev_disabled().
556  */
557 static void
kcf_change_mechs(kcf_provider_desc_t * provider,uint_t count,crypto_mech_name_t * array,crypto_event_change_t direction)558 kcf_change_mechs(kcf_provider_desc_t *provider, uint_t count,
559     crypto_mech_name_t *array, crypto_event_change_t direction)
560 {
561 	crypto_notify_event_change_t ec;
562 	crypto_mech_info_t *mi;
563 	kcf_prov_mech_desc_t *pmd;
564 	char *mech;
565 	int i, j, n;
566 
567 	ASSERT(direction == CRYPTO_MECH_ADDED ||
568 	    direction == CRYPTO_MECH_REMOVED);
569 
570 	if (provider == NULL) {
571 		/*
572 		 * Nothing to add or remove from the tables since
573 		 * the provider isn't registered.
574 		 */
575 		return;
576 	}
577 
578 	for (i = 0; i < count; i++) {
579 		if (array[i][0] == '\0')
580 			continue;
581 
582 		mech = &array[i][0];
583 
584 		n = provider->pd_mech_list_count;
585 		for (j = 0; j < n; j++) {
586 			mi = &provider->pd_mechanisms[j];
587 			if (strncmp(mi->cm_mech_name, mech,
588 			    CRYPTO_MAX_MECH_NAME) == 0)
589 				break;
590 		}
591 		if (j == n)
592 			continue;
593 
594 		switch (direction) {
595 		case CRYPTO_MECH_ADDED:
596 			(void) kcf_add_mech_provider(j, provider, &pmd);
597 			break;
598 
599 		case CRYPTO_MECH_REMOVED:
600 			kcf_remove_mech_provider(mech, provider);
601 			break;
602 		}
603 
604 		/* Inform interested clients of the event */
605 		ec.ec_provider_type = provider->pd_prov_type;
606 		ec.ec_change = direction;
607 
608 		(void) strncpy(ec.ec_mech_name, mech, CRYPTO_MAX_MECH_NAME);
609 		kcf_walk_ntfylist(CRYPTO_EVENT_MECHS_CHANGED, &ec);
610 	}
611 }
612 
613 /*
614  * If a mech name in the second array (prev_array) is also in the
615  * first array, then a NULL character is written into the first byte
616  * of the mech name in the second array.  This effectively removes
617  * the mech name from the second array.
618  */
619 static void
kcf_compare_mechs(uint_t count,crypto_mech_name_t * array,uint_t prev_count,crypto_mech_name_t * prev_array)620 kcf_compare_mechs(uint_t count, crypto_mech_name_t *array, uint_t prev_count,
621     crypto_mech_name_t *prev_array)
622 {
623 	int i, j;
624 
625 	for (i = 0; i < prev_count; i++) {
626 		for (j = 0; j < count; j++) {
627 			if (strncmp(&prev_array[i][0], &array[j][0],
628 			    CRYPTO_MAX_MECH_NAME) == 0) {
629 				prev_array[i][0] = '\0';
630 			}
631 		}
632 	}
633 }
634 
635 /*
636  * Called from CRYPTO_LOAD_DEV_DISABLED ioctl.
637  * If new_count is 0, then completely remove the entry.
638  */
639 int
crypto_load_dev_disabled(char * name,uint_t instance,uint_t new_count,crypto_mech_name_t * new_array)640 crypto_load_dev_disabled(char *name, uint_t instance, uint_t new_count,
641     crypto_mech_name_t *new_array)
642 {
643 	kcf_provider_desc_t *provider = NULL;
644 	kcf_provider_desc_t **provider_array;
645 	crypto_mech_name_t *prev_array;
646 	uint_t provider_count, prev_count;
647 	int i, rv = CRYPTO_SUCCESS;
648 
649 	/*
650 	 * Remove the policy entry if new_count is 0, otherwise put disabled
651 	 * mechanisms into policy table.
652 	 */
653 	if (new_count == 0) {
654 		kcf_policy_remove_by_dev(name, instance, &prev_count,
655 		    &prev_array);
656 	} else if ((rv = kcf_policy_load_dev_disabled(name, instance, new_count,
657 	    new_array, &prev_count, &prev_array)) != CRYPTO_SUCCESS) {
658 		return (rv);
659 	}
660 
661 	/*
662 	 * Get provider table entries matching name and instance
663 	 * for providers that are are in a usable or unverified state.
664 	 */
665 	rv = kcf_get_hw_prov_tab(&provider_count, &provider_array, KM_SLEEP,
666 	    name, instance, B_TRUE);
667 	if (rv != CRYPTO_SUCCESS)
668 		return (rv);
669 
670 	for (i = 0; i < provider_count; i++) {
671 		provider = provider_array[i];
672 
673 		/* previously disabled mechanisms may become enabled */
674 		if (prev_array != NULL) {
675 			kcf_compare_mechs(new_count, new_array,
676 			    prev_count, prev_array);
677 			kcf_change_mechs(provider, prev_count, prev_array,
678 			    CRYPTO_MECH_ADDED);
679 		}
680 
681 		kcf_change_mechs(provider, new_count, new_array,
682 		    CRYPTO_MECH_REMOVED);
683 	}
684 
685 	kcf_free_provider_tab(provider_count, provider_array);
686 	crypto_free_mech_list(prev_array, prev_count);
687 	return (rv);
688 }
689 
690 /*
691  * Called from CRYPTO_LOAD_SOFT_DISABLED ioctl.
692  * If new_count is 0, then completely remove the entry.
693  */
694 int
crypto_load_soft_disabled(char * name,uint_t new_count,crypto_mech_name_t * new_array)695 crypto_load_soft_disabled(char *name, uint_t new_count,
696     crypto_mech_name_t *new_array)
697 {
698 	kcf_provider_desc_t *provider = NULL;
699 	crypto_mech_name_t *prev_array;
700 	uint_t prev_count = 0;
701 	int rv;
702 
703 	provider = kcf_prov_tab_lookup_by_name(name);
704 	if (provider != NULL) {
705 		mutex_enter(&provider->pd_lock);
706 		/*
707 		 * Check if any other thread is disabling or removing
708 		 * this provider. We return if this is the case.
709 		 */
710 		if (provider->pd_state >= KCF_PROV_DISABLED) {
711 			mutex_exit(&provider->pd_lock);
712 			KCF_PROV_REFRELE(provider);
713 			return (CRYPTO_BUSY);
714 		}
715 		provider->pd_state = KCF_PROV_DISABLED;
716 		mutex_exit(&provider->pd_lock);
717 
718 		undo_register_provider(provider, B_TRUE);
719 		KCF_PROV_REFRELE(provider);
720 		if (provider->pd_kstat != NULL)
721 			KCF_PROV_REFRELE(provider);
722 
723 		/* Wait till the existing requests complete. */
724 		while (kcf_get_refcnt(provider, B_TRUE) > 0) {
725 			/* wait 1 second and try again. */
726 			delay(1 * drv_usectohz(1000000));
727 		}
728 	}
729 
730 	if (new_count == 0) {
731 		kcf_policy_remove_by_name(name, &prev_count, &prev_array);
732 		crypto_free_mech_list(prev_array, prev_count);
733 		rv = CRYPTO_SUCCESS;
734 		goto out;
735 	}
736 
737 	/* put disabled mechanisms into policy table */
738 	if ((rv = kcf_policy_load_soft_disabled(name, new_count, new_array,
739 	    &prev_count, &prev_array)) == CRYPTO_SUCCESS) {
740 		crypto_free_mech_list(prev_array, prev_count);
741 	}
742 
743 out:
744 	if (provider != NULL) {
745 		redo_register_provider(provider);
746 		if (provider->pd_kstat != NULL)
747 			KCF_PROV_REFHOLD(provider);
748 		mutex_enter(&provider->pd_lock);
749 		provider->pd_state = KCF_PROV_READY;
750 		mutex_exit(&provider->pd_lock);
751 	} else if (rv == CRYPTO_SUCCESS) {
752 		/*
753 		 * There are some cases where it is useful to kCF clients
754 		 * to have a provider whose mechanism is enabled now to be
755 		 * available. So, we attempt to load it here.
756 		 *
757 		 * The check, new_count < prev_count, ensures that we do this
758 		 * only in the case where a mechanism(s) is now enabled.
759 		 * This check assumes that enable and disable are separate
760 		 * administrative actions and are not done in a single action.
761 		 */
762 		if ((new_count < prev_count) &&
763 		    (modload("crypto", name) != -1)) {
764 			struct modctl *mcp;
765 			boolean_t load_again = B_FALSE;
766 
767 			if ((mcp = mod_hold_by_name(name)) != NULL) {
768 				mcp->mod_loadflags |= MOD_NOAUTOUNLOAD;
769 
770 				/* memory pressure may have unloaded module */
771 				if (!mcp->mod_installed)
772 					load_again = B_TRUE;
773 				mod_release_mod(mcp);
774 
775 				if (load_again)
776 					(void) modload("crypto", name);
777 			}
778 		}
779 	}
780 
781 	return (rv);
782 }
783 
784 /* called from the CRYPTO_LOAD_SOFT_CONFIG ioctl */
785 int
crypto_load_soft_config(caddr_t name,uint_t count,crypto_mech_name_t * array)786 crypto_load_soft_config(caddr_t name, uint_t count, crypto_mech_name_t *array)
787 {
788 	return (add_soft_config(name, count, array));
789 }
790 
791 /*
792  * Unload a kernel software crypto module.
793  * Called from the CRYPTO_UNLOAD_SOFT_MODULE ioctl.
794  */
795 int
crypto_unload_soft_module(caddr_t name)796 crypto_unload_soft_module(caddr_t name)
797 {
798 	int error;
799 	modid_t id;
800 	kcf_provider_desc_t *provider;
801 	struct modctl *mcp;
802 
803 	/* verify that 'name' refers to a registered crypto provider */
804 	if ((provider = kcf_prov_tab_lookup_by_name(name)) == NULL)
805 		return (CRYPTO_UNKNOWN_PROVIDER);
806 
807 	/*
808 	 * We save the module id and release the reference. We need to
809 	 * do this as modunload() calls unregister which waits for the
810 	 * refcnt to drop to zero.
811 	 */
812 	id = provider->pd_module_id;
813 	KCF_PROV_REFRELE(provider);
814 
815 	if ((mcp = mod_hold_by_name(name)) != NULL) {
816 		mcp->mod_loadflags &= ~(MOD_NOAUTOUNLOAD);
817 		mod_release_mod(mcp);
818 	}
819 
820 	if ((error = modunload(id)) != 0) {
821 		return (error == EBUSY ? CRYPTO_BUSY : CRYPTO_FAILED);
822 	}
823 
824 	return (CRYPTO_SUCCESS);
825 }
826 
827 /*
828  * Free the list of kernel hardware crypto providers.
829  * Called by get_dev_list() for the CRYPTO_GET_DEV_LIST ioctl.
830  */
831 void
crypto_free_dev_list(crypto_dev_list_entry_t * array,uint_t count)832 crypto_free_dev_list(crypto_dev_list_entry_t *array, uint_t count)
833 {
834 	if (count == 0 || array == NULL)
835 		return;
836 
837 	kmem_free(array, count * sizeof (crypto_dev_list_entry_t));
838 }
839 
840 /*
841  * Returns duplicate array of mechanisms.  The array is allocated and
842  * must be freed by the caller.
843  */
844 static int
dup_mech_names(kcf_provider_desc_t * provider,crypto_mech_name_t ** array,uint_t * count,int kmflag)845 dup_mech_names(kcf_provider_desc_t *provider, crypto_mech_name_t **array,
846     uint_t *count, int kmflag)
847 {
848 	crypto_mech_name_t *mech_names;
849 	uint_t n;
850 	uint_t i;
851 
852 	if ((n = provider->pd_mech_list_count) == 0) {
853 		*count = 0;
854 		*array = NULL;
855 		return (CRYPTO_SUCCESS);
856 	}
857 
858 	mech_names = kmem_alloc(n * sizeof (crypto_mech_name_t), kmflag);
859 	if (mech_names == NULL)
860 		return (CRYPTO_HOST_MEMORY);
861 
862 	for (i = 0; i < n; i++) {
863 		bcopy(&provider->pd_mechanisms[i].cm_mech_name[0],
864 		    &mech_names[i][0], sizeof (crypto_mech_name_t));
865 	}
866 
867 	*count = n;
868 	*array = mech_names;
869 	return (CRYPTO_SUCCESS);
870 }
871 
872 /*
873  * Returns B_TRUE if the specified mechanism is disabled, B_FALSE otherwise.
874  */
875 boolean_t
is_mech_disabled_byname(crypto_provider_type_t prov_type,char * pd_name,uint_t pd_instance,crypto_mech_name_t mech_name)876 is_mech_disabled_byname(crypto_provider_type_t prov_type, char *pd_name,
877     uint_t pd_instance, crypto_mech_name_t mech_name)
878 {
879 	kcf_policy_desc_t *policy;
880 	uint_t i;
881 
882 	ASSERT(prov_type == CRYPTO_SW_PROVIDER ||
883 	    prov_type == CRYPTO_HW_PROVIDER);
884 
885 	switch (prov_type) {
886 	case CRYPTO_SW_PROVIDER:
887 		policy = kcf_policy_lookup_by_name(pd_name);
888 		/* no policy for provider - so mechanism can't be disabled */
889 		if (policy == NULL)
890 			return (B_FALSE);
891 		break;
892 
893 	case CRYPTO_HW_PROVIDER:
894 		policy = kcf_policy_lookup_by_dev(pd_name, pd_instance);
895 		/* no policy for provider - so mechanism can't be disabled */
896 		if (policy == NULL)
897 			return (B_FALSE);
898 		break;
899 	}
900 
901 	mutex_enter(&policy->pd_mutex);
902 	for (i = 0; i < policy->pd_disabled_count; i ++) {
903 		if (strncmp(mech_name, &policy->pd_disabled_mechs[i][0],
904 		    CRYPTO_MAX_MECH_NAME) == 0) {
905 			mutex_exit(&policy->pd_mutex);
906 			KCF_POLICY_REFRELE(policy);
907 			return (B_TRUE);
908 		}
909 	}
910 	mutex_exit(&policy->pd_mutex);
911 	KCF_POLICY_REFRELE(policy);
912 	return (B_FALSE);
913 }
914 
915 /*
916  * Returns B_TRUE if the specified mechanism is disabled, B_FALSE otherwise.
917  *
918  * This is a wrapper routine around is_mech_disabled_byname() above and
919  * takes a pointer kcf_provider_desc structure as argument.
920  */
921 boolean_t
is_mech_disabled(kcf_provider_desc_t * provider,crypto_mech_name_t name)922 is_mech_disabled(kcf_provider_desc_t *provider, crypto_mech_name_t name)
923 {
924 	kcf_provider_list_t *e;
925 	kcf_provider_desc_t *pd;
926 	boolean_t found = B_FALSE;
927 	uint_t count, i;
928 
929 	if (provider->pd_prov_type != CRYPTO_LOGICAL_PROVIDER) {
930 		return (is_mech_disabled_byname(provider->pd_prov_type,
931 		    provider->pd_name, provider->pd_instance, name));
932 	}
933 
934 	/*
935 	 * Lock the logical provider just in case one of its hardware
936 	 * provider members unregisters.
937 	 */
938 	mutex_enter(&provider->pd_lock);
939 	for (e = provider->pd_provider_list; e != NULL; e = e->pl_next) {
940 
941 		pd = e->pl_provider;
942 		ASSERT(pd->pd_prov_type == CRYPTO_HW_PROVIDER);
943 
944 		/* find out if mechanism is offered by hw provider */
945 		count = pd->pd_mech_list_count;
946 		for (i = 0; i < count; i++) {
947 			if (strncmp(&pd->pd_mechanisms[i].cm_mech_name[0],
948 			    name, MAXNAMELEN) == 0) {
949 				break;
950 			}
951 		}
952 		if (i == count)
953 			continue;
954 
955 		found = !is_mech_disabled_byname(pd->pd_prov_type,
956 		    pd->pd_name, pd->pd_instance, name);
957 
958 		if (found)
959 			break;
960 	}
961 	mutex_exit(&provider->pd_lock);
962 	/*
963 	 * If we found the mechanism, then it means it is still enabled for
964 	 * at least one hardware provider, so the mech can't be disabled
965 	 * for the logical provider.
966 	 */
967 	return (!found);
968 }
969 
970 /*
971  * Builds array of permitted mechanisms.  The array is allocated and
972  * must be freed by the caller.
973  */
974 int
crypto_build_permitted_mech_names(kcf_provider_desc_t * provider,crypto_mech_name_t ** array,uint_t * count,int kmflag)975 crypto_build_permitted_mech_names(kcf_provider_desc_t *provider,
976     crypto_mech_name_t **array, uint_t *count, int kmflag)
977 {
978 	crypto_mech_name_t *mech_names, *p;
979 	uint_t i;
980 	uint_t scnt = provider->pd_mech_list_count;
981 	uint_t dcnt = 0;
982 
983 	/*
984 	 * Compute number of 'permitted mechanisms', which is
985 	 * 'supported mechanisms' - 'disabled mechanisms'.
986 	 */
987 	for (i = 0; i < scnt; i++) {
988 		if (is_mech_disabled(provider,
989 		    &provider->pd_mechanisms[i].cm_mech_name[0])) {
990 			dcnt++;
991 		}
992 	}
993 
994 	/* all supported mechanisms have been disabled */
995 	if (scnt == dcnt) {
996 		*count = 0;
997 		*array = NULL;
998 		return (CRYPTO_SUCCESS);
999 	}
1000 
1001 	mech_names = kmem_alloc((scnt - dcnt) * sizeof (crypto_mech_name_t),
1002 	    kmflag);
1003 	if (mech_names == NULL)
1004 		return (CRYPTO_HOST_MEMORY);
1005 
1006 	/* build array of permitted mechanisms */
1007 	for (i = 0, p = mech_names; i < scnt; i++) {
1008 		if (!is_mech_disabled(provider,
1009 		    &provider->pd_mechanisms[i].cm_mech_name[0])) {
1010 			bcopy(&provider->pd_mechanisms[i].cm_mech_name[0],
1011 			    p++, sizeof (crypto_mech_name_t));
1012 		}
1013 	}
1014 
1015 	*count = scnt - dcnt;
1016 	*array = mech_names;
1017 	return (CRYPTO_SUCCESS);
1018 }
1019 
1020 /*
1021  * Free memory for elements in a kcf_soft_config_entry_t.  This entry must
1022  * have been previously removed from the soft_config_list linked list.
1023  */
1024 static void
free_soft_config_entry(kcf_soft_conf_entry_t * p)1025 free_soft_config_entry(kcf_soft_conf_entry_t *p)
1026 {
1027 	kmem_free(p->ce_name, strlen(p->ce_name) + 1);
1028 	crypto_free_mech_list(p->ce_mechs, p->ce_count);
1029 	kmem_free(p, sizeof (kcf_soft_conf_entry_t));
1030 }
1031 
1032 /*
1033  * Store configuration information for software providers in a linked list.
1034  * If the list already contains an entry for the specified provider
1035  * and the specified mechanism list has at least one mechanism, then
1036  * the mechanism list for the provider is updated. If the mechanism list
1037  * is empty, the entry for the provider is removed.
1038  *
1039  * Called from kcf_soft_config_init() (to initially populate the list
1040  * with default kernel providers) and from crypto_load_soft_config() for
1041  * the CRYPTO_LOAD_SOFT_CONFIG ioctl (for third-party kernel modules).
1042  *
1043  * Important note: the array argument must be allocated memory
1044  * since it is consumed in soft_config_list.
1045  *
1046  * Parameters:
1047  * name		Provider name to add or remove.
1048  * count	Number of mechanisms to add.
1049  *		If 0, then remove provider from the list (instead of add).
1050  * array	An array of "count" mechanism names (use only if count > 0).
1051  */
1052 static int
add_soft_config(char * name,uint_t count,crypto_mech_name_t * array)1053 add_soft_config(char *name, uint_t count, crypto_mech_name_t *array)
1054 {
1055 	static uint_t soft_config_count = 0;
1056 	kcf_soft_conf_entry_t *prev = NULL, *entry = NULL, *new_entry, *p;
1057 	size_t name_len;
1058 
1059 	/*
1060 	 * Allocate storage for a new entry.
1061 	 * Free later if an entry already exists.
1062 	 */
1063 	name_len = strlen(name) + 1;
1064 	new_entry = kmem_zalloc(sizeof (kcf_soft_conf_entry_t), KM_SLEEP);
1065 	new_entry->ce_name = kmem_alloc(name_len, KM_SLEEP);
1066 	(void) strcpy(new_entry->ce_name, name);
1067 
1068 	mutex_enter(&soft_config_mutex);
1069 
1070 	/* Search to see if provider already in soft_config_list */
1071 	for (p = soft_config_list; p != NULL; p = p->ce_next) {
1072 		if (strncmp(name, p->ce_name, MAXNAMELEN) == 0) { /* found */
1073 			entry = p;
1074 			break;
1075 		}
1076 		prev = p;
1077 	}
1078 
1079 	if (entry == NULL) { /* new provider (not in soft_config_list) */
1080 		if (count == 0) { /* free memory--no entry exists to remove */
1081 			mutex_exit(&soft_config_mutex);
1082 			kmem_free(new_entry->ce_name, name_len);
1083 			kmem_free(new_entry, sizeof (kcf_soft_conf_entry_t));
1084 			return (CRYPTO_SUCCESS);
1085 		}
1086 
1087 		if (soft_config_count > KCF_MAX_CONFIG_ENTRIES) { /* full */
1088 			mutex_exit(&soft_config_mutex);
1089 			kmem_free(new_entry->ce_name, name_len);
1090 			kmem_free(new_entry, sizeof (kcf_soft_conf_entry_t));
1091 			cmn_err(CE_WARN, "out of soft_config_list entries");
1092 			return (CRYPTO_FAILED);
1093 		}
1094 
1095 		/* add new provider to head of list */
1096 		new_entry->ce_next = soft_config_list;
1097 		soft_config_list = new_entry;
1098 		soft_config_count++;
1099 		entry = new_entry;
1100 
1101 	} else { /* mechanism already in soft_config_list */
1102 		kmem_free(new_entry->ce_name, name_len);
1103 		kmem_free(new_entry, sizeof (kcf_soft_conf_entry_t));
1104 	}
1105 
1106 	if (count == 0) { /* remove provider entry from soft_config_list */
1107 		if (prev == NULL) {
1108 			/* entry to remove is at the head of the list */
1109 			soft_config_list = entry->ce_next;
1110 		} else {
1111 			prev->ce_next = entry->ce_next;
1112 		}
1113 		soft_config_count--;
1114 		mutex_exit(&soft_config_mutex);
1115 
1116 		/* free entry */
1117 		free_soft_config_entry(entry);
1118 
1119 	} else { /* add provider entry to soft_config_list */
1120 		/*
1121 		 * Don't replace a mechanism list if it's already present.
1122 		 * This is because the default entries for Software providers
1123 		 * are more up-to-date than possibly stale entries in kcf.conf.
1124 		 * If an entry is to be deleted, the proper way to do it is
1125 		 * to add it to the disablelist (with cryptoadm(8)),
1126 		 * instead of removing it from the supportedlist.
1127 		 */
1128 		if (entry->ce_mechs == NULL) { /* add new mechanisms */
1129 			entry->ce_mechs = array;
1130 			entry->ce_count = count;
1131 			mutex_exit(&soft_config_mutex);
1132 		} else { /* ignore replacement mechanism list */
1133 			mutex_exit(&soft_config_mutex);
1134 			crypto_free_mech_list(array, count);
1135 		}
1136 	}
1137 
1138 	return (CRYPTO_SUCCESS);
1139 }
1140 
1141 /*
1142  * This function removes a module entry from the soft_config_list.
1143  *
1144  * This comes in handy if FIPS 140 is enabled, but fails to validate.  At
1145  * which point when the kernel reports its' supported modules, it shows only
1146  * those that are not within the boundary
1147  */
1148 void
remove_soft_config(char * name)1149 remove_soft_config(char *name)
1150 {
1151 	kcf_soft_conf_entry_t *p, *entry = NULL, *prev = NULL;
1152 
1153 	mutex_enter(&soft_config_mutex);
1154 	/* Search for provider in soft_config_list */
1155 	for (p = soft_config_list; p != NULL; p = p->ce_next) {
1156 		if (strncmp(name, p->ce_name, MAXNAMELEN) == 0) {
1157 			entry = p;
1158 			break;
1159 		}
1160 		prev = p;
1161 	}
1162 
1163 	if (prev == NULL) {
1164 		/* entry to remove is at the head of the list */
1165 		soft_config_list = entry->ce_next;
1166 	} else {
1167 		prev->ce_next = entry->ce_next;
1168 	}
1169 
1170 	mutex_exit(&soft_config_mutex);
1171 
1172 	/* free entry */
1173 	free_soft_config_entry(entry);
1174 }
1175 
1176 /*
1177  * This routine searches the soft_config_list for the first entry that
1178  * has the specified mechanism in its mechanism list.  If found,
1179  * a buffer containing the name of the software module that implements
1180  * the mechanism is allocated and stored in 'name'.
1181  */
1182 int
get_sw_provider_for_mech(crypto_mech_name_t mech,char ** name)1183 get_sw_provider_for_mech(crypto_mech_name_t mech, char **name)
1184 {
1185 	kcf_soft_conf_entry_t *p, *next;
1186 	char tmp_name[MAXNAMELEN];
1187 	size_t name_len = 0;
1188 	int i;
1189 
1190 	mutex_enter(&soft_config_mutex);
1191 	p = soft_config_list;
1192 	while (p != NULL) {
1193 		next = p->ce_next;
1194 		for (i = 0; i < p->ce_count; i++) {
1195 			if (strncmp(mech, &p->ce_mechs[i][0],
1196 			    CRYPTO_MAX_MECH_NAME) == 0) {
1197 				name_len = strlen(p->ce_name) + 1;
1198 				bcopy(p->ce_name, tmp_name, name_len);
1199 				break;
1200 			}
1201 		}
1202 		p = next;
1203 	}
1204 	mutex_exit(&soft_config_mutex);
1205 
1206 	if (name_len == 0)
1207 		return (CRYPTO_FAILED);
1208 
1209 	*name = kmem_alloc(name_len, KM_SLEEP);
1210 	bcopy(tmp_name, *name, name_len);
1211 	return (CRYPTO_SUCCESS);
1212 }
1213