pkcs11Conf.c revision 2

/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 */

/*
 * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * Fastpath is used when there is only one slot available from a single
 * provider plugged into the framework; this is the common case.
 * These globals are used to track the function pointers and policy when
 * the fast-path is activated.
 * This will need to be revisited if per-slot policy is ever
 */
static const char *
conf_err =
	"See cryptoadm(1M). Skipping this plug-in.";

/*
 * Set up metaslot for the framework using either user configuration
 * or system wide configuration options.
 * Also sets up the global "slottable" to have the first slot be metaslot.
 */
	/* process policies for mechanisms */
	"libpkcs11: Could not parse configuration, "
	"out of memory. Cannot continue parsing "
	/*
	 * Configuration file is corrupted for metaslot
	 */
	"libpkcs11: Policy invalid or corrupted "
	"for metaslot. Use cryptoadm(1M) to fix "
	"this. Disabling metaslot functionality.\n"

	/*
	 * Check for metaslot policy. If all mechanisms are
	 * disabled, disable metaslot since there is nothing
	 * interesting for it to do.
	 */
	/* save system wide value for metaslot's keystore. */
	/*
	 * If either slot description or token label is specified by
	 * the user, the system wide value for both is ignored.
	 */
	/*
	 * blank_str is used for comparing with token label
	 * and slot description; make sure it is bigger than
	 * the larger of both.
	 */
	/* check system-wide value for auto_key_migrate */
	/* take user's specified value */
	/* use system-wide default */
	/*
	 * there's no system wide metaslot entry,
	 * default auto_key_migrate to true
	 */
	/* Make first slotID be 0, for metaslot. */
	/* Set up the slottable entry for metaslot */
	/*
	 * The metaslot entry was prealloc'd by
	 * pkcs11_slottable_increase()
	 */
	/* if no metaslot entry, assume all mechs are enabled */
	/* Call the meta_Initialize() to initialize metaslot */
	"libpkcs11: Can't initialize metaslot (%s)"

/*
 * cryptosvc_is_online()
 *
 * Determine if the SMF service instance is in the online state or
 * not. A number of operations depend on this state.
 */

/*
 * cryptosvc_is_down()
 *
 * Determine if the SMF service instance is in the disabled state or
 * maintenance state. A number of operations depend on this state.
 */

/* Generic function for all door calls to kcfd. */
	/* save errno and test for EINTR or EAGAIN */
	/* if disabled or maintenance mode - bail */
	/* exceeded our number of tries? */
	/* any other state, try again up to 1/2 minute */
	" with kcfd, door_file %s: %s. %s is not online."
	" (see svcs -xv for details)."

	/* Mark the door "close on exec" */
	/* save errno and test for certain errors */
	/* if disabled or maintenance mode - bail */
	/* exceeded our number of tries? */
	/* if stale door_handle, retry the open */
	" - unable to utilize cryptographic "
	"services. (see svcs -xv for details)."
	"of door_file %s failed with error %s."
	"libpkcs11: kcfd and libelfsign versions "

/* Userland FIPS 140 Boundary Files */

/*
 * verify the module is signed, load the provider, find all of its
 * slots, and store the function list and disabled policy.
 *
 * This function requires that the uentrylist_t and pkcs11_slottable_t
 * already have memory allocated, and that the uentrylist_t is already
 * populated with provider and policy information.
 *
 * pInitArgs can be set to NULL, but is normally the same value
 * the framework's C_Initialize() was called with.
 *
 * Unless metaslot is explicitly disabled, it is set up when all other
 * providers are loaded.
 */
	/* Enabled or Disabled policy */
	/* number of slots in the framework, not including metaslot */
	/* Check FIPS 140 configuration and execute check if enabled */
	"140 integrity check for %s."

	/*
	 * Skip standard processing for metaslot
	 * entry since it is not an actual library
	 * that can be dlopened.
	 * It will be initialized later.
	 */
	"libpkcs11: multiple entries for metaslot "
	"detected. All but the first entry will "
	/*
	 * Skip standard processing for fips-140
	 * entry since it is not an actual library
	 * that can be dlopened.
	 */
	/* Check for Instruction Set Architecture indicator */
	/* Substitute the architecture dependent path */
	"libpkcs11: parsing %s, out of memory. "
	"Cannot continue parsing."
	"libpkcs11: parsing %s, out of memory. "
	"Cannot continue parsing."

	/*
	 * Open the provider. We assume all of our plugins have
	 * their symbols properly defined, so the use of RTLD_NOW
	 * to flush out errors immediately is not necessary.
	 * Note that for proper operation, all plugins must be
	 * built with direct bindings enabled.
	 *
	 * If we failed to load it, we will just skip this
	 * provider and move on to the next one.
	 */
	"libpkcs11: Cannot load PKCS#11 library %s. "
	/* Get the pointer to provider's C_GetFunctionList() */
	/*
	 * If we failed to get the pointer to C_GetFunctionList(),
	 * skip this provider and continue to the next one.
	 */
	"libpkcs11: Could not dlsym() C_GetFunctionList() "
	"for %s. May not be a PKCS#11 library. %s"
	/* Get the provider's function list */
	/*
	 * If we failed to get the provider's function list,
	 * skip this provider and continue to the next one.
	 */
	"libpkcs11: Could not get function list for %s. "
	/* Initialize this provider */
	/*
	 * If we failed to initialize this provider,
	 * skip this provider and continue to the next one.
	 */
	"libpkcs11: Could not initialize %s. "
	/*
	 * Make sure this provider is implementing the same
	 * major version, and at least the same minor version.
	 * If we can't verify that we are implementing the
	 * same major version, or if it is definitely not the same
	 * version, we need to skip this provider.
	 */
	"libpkcs11: Could not verify version of "
	"libpkcs11: Only CRYPTOKI major version "
	"%d is supported. %s is major "
	/*
	 * Warn the administrator (at debug) that a provider with
	 * a significantly older or newer version of
	 * CRYPTOKI is being used. It should not cause
	 * problems, but logging a warning makes it easier
	 */
	"libpkcs11: %s CRYPTOKI minor version, %d, may "
	"not be compatible with minor version %d."
	/*
	 * Find out how many slots this provider has;
	 * call with tokenPresent set to FALSE so all
	 * potential slots are returned.
	 *
	 * If the call failed, or if no slots are returned,
	 * then skip this provider and continue to the next one.
	 */
	"libpkcs11: Could not get slot list from %s. "
	"Skipping this plug-in at this time.\n"
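The provider gate described above (same CRYPTOKI major version required, a minor-version mismatch only logged, then the two-call C_GetSlotList() protocol with tokenPresent FALSE and the provider dropped if the second call fails) as an added example. This is not code from pkcs11Conf.c: the PKCS#11 types and constants are redeclared here so the file builds without pkcs11.h, the framework version 2.20 is assumed, and the providers are in-file mocks rather than dlopen()ed libraries. The second mock models a slot that appears between the sizing call and the filling call, which is exactly the "second call fails" case the framework handles by skipping the plug-in.

```c
/* Added example (not the Solaris framework's own code): the version gate
 * and two-call C_GetSlotList() handling applied to a loaded provider.
 * Types, constants and the mock providers below are this example's
 * assumptions; real loading would go through dlopen()/dlsym(). */
#include <stdio.h>
#include <stdlib.h>

typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned long CK_SLOT_ID;
typedef unsigned char CK_BBOOL;
typedef struct { unsigned char major, minor; } CK_VERSION;

#define CK_FALSE               0
#define CKR_OK                 0x000UL
#define CKR_BUFFER_TOO_SMALL   0x150UL
#define CRYPTOKI_VERSION_MAJOR 2
#define CRYPTOKI_VERSION_MINOR 20   /* assumed framework version */

typedef CK_RV (*C_GetSlotList_t)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
/* Only the members of CK_FUNCTION_LIST this example needs. */
typedef struct {
	CK_VERSION version;
	C_GetSlotList_t C_GetSlotList;
} function_list;

/* 0: same major and minor. 1: same major, other minor (warn, keep).
 * -1: other major (skip the provider). */
int version_check(const CK_VERSION *v)
{
	if (v->major != CRYPTOKI_VERSION_MAJOR)
		return -1;
	return v->minor != CRYPTOKI_VERSION_MINOR;
}

/* Sizing call with a NULL list, then the filling call.  Returns the slot
 * count and a malloc'd list, or -1 with *out == NULL when the provider
 * must be dropped: no slots, or a failing second call (for instance the
 * slot count grew in between and the buffer is now too small). */
long get_provider_slots(const function_list *fl, CK_SLOT_ID **out)
{
	CK_ULONG count = 0;
	CK_SLOT_ID *list;

	*out = NULL;
	if (fl->C_GetSlotList(CK_FALSE, NULL, &count) != CKR_OK || count == 0)
		return -1;
	list = calloc(count, sizeof *list);
	if (list == NULL)
		return -1;
	if (fl->C_GetSlotList(CK_FALSE, list, &count) != CKR_OK) {
		free(list);
		return -1;
	}
	*out = list;
	return (long)count;
}

/* Version gate first, then slots.  Returns slots accepted or -1 if skipped. */
long accept_provider(const char *name, const function_list *fl, CK_SLOT_ID **slots)
{
	int vc = version_check(&fl->version);

	*slots = NULL;
	if (vc < 0) {
		fprintf(stderr, "Only CRYPTOKI major version %d is supported. "
		    "%s is major version %u. Skipping this plug-in.\n",
		    CRYPTOKI_VERSION_MAJOR, name, (unsigned)fl->version.major);
		return -1;
	}
	if (vc > 0)
		fprintf(stderr, "%s CRYPTOKI minor version %u may not be "
		    "compatible with minor version %d.\n", name,
		    (unsigned)fl->version.minor, CRYPTOKI_VERSION_MINOR);
	return get_provider_slots(fl, slots);
}

/* Mock provider: two stable slots. */
static CK_RV mock_stable(CK_BBOOL tp, CK_SLOT_ID *list, CK_ULONG *count)
{
	(void)tp;
	if (list == NULL) { *count = 2; return CKR_OK; }
	if (*count < 2) { *count = 2; return CKR_BUFFER_TOO_SMALL; }
	list[0] = 0; list[1] = 1; *count = 2;
	return CKR_OK;
}

/* Mock provider: one more slot is present on every sizing call (hot-plug),
 * so the filling call always finds the buffer too small. */
static CK_ULONG hotplug_seen = 1;
static CK_RV mock_hotplug(CK_BBOOL tp, CK_SLOT_ID *list, CK_ULONG *count)
{
	CK_ULONG i;
	(void)tp;
	if (list == NULL) { *count = hotplug_seen++; return CKR_OK; }
	if (*count < hotplug_seen) { *count = hotplug_seen; return CKR_BUFFER_TOO_SMALL; }
	for (i = 0; i < hotplug_seen; i++) list[i] = i;
	*count = hotplug_seen;
	return CKR_OK;
}

const function_list stable_provider  = { {2, 20}, mock_stable };
const function_list hotplug_provider = { {2, 11}, mock_hotplug };
const function_list wrong_major      = { {3, 0},  mock_stable };

int main(void)
{
	const char *names[] = { "stable.so", "hotplug.so", "v3.so" };
	const function_list *fl[] = { &stable_provider, &hotplug_provider, &wrong_major };
	size_t i;

	for (i = 0; i < 3; i++) {
		CK_SLOT_ID *slots;
		long n = accept_provider(names[i], fl[i], &slots);
		printf("%s: %s\n", names[i], n < 0 ? "skipped" : "accepted");
		free(slots);   /* free(NULL) is a no-op */
	}
	return 0;
}
```

The point of the double call is that the count returned by the sizing call is only a hint; a provider may report more slots a moment later, and the safe reaction is the one the framework takes, dropping the provider rather than trusting a partially filled list.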
	/*
	 * Verify that the module is signed correctly.
	 *
	 * NOTE: there is a potential race condition here,
	 * since the module is verified well after we have
	 * opened the provider via dlopen(). This could be
	 * resolved by a variant of dlopen() that would take a
	 * file descriptor as an argument and by changing the
	 * kcfd libelfsign door protocol to use an fd instead
	 * of a path - but that wouldn't work in the kernel case.
	 */
	"signature verification. Cannot continue loading "
	"the cryptographic framework."
	"signature verification."
	"See cryptoadm (1M). "
	"Cannot continue parsing "
	/* Allocate memory for the slot list */
	"libpkcs11: Could not allocate memory for "
	"plug-in slots. Cannot continue parsing %s\n"
	/* Get slot list from provider */
	/* if second call fails, drop this provider */
	"libpkcs11: Second call to C_GetSlotList() for %s "
	"failed. %s Error: %s."
	/*
	 * Parse the list of disabled or enabled mechanisms; it will
	 * apply to each of the provider's slots.
	 */
	"libpkcs11: Could not parse configuration, "
	"out of memory. Cannot continue parsing "
	/*
	 * Configuration file is corrupted for this
	 */
	"libpkcs11: Policy invalid or corrupted "
	"for %s. Use cryptoadm(1M) to fix "
	"this. Skipping this plug-in."
	/* Allocate memory in our slottable for these slots */
	/*
	 * If any error is returned, it will be memory related,
	 * so we need to abort the attempt at filling the
	 */
	"libpkcs11: slottable could not increase. "
	"Cannot continue parsing %s."
	/* Configure information for each new slot */
	/* allocate slot in framework */
	"libpkcs11: Could not allocate "
	"new slot. Cannot continue parsing %s."
	/*
	 * Get the pointer to private interface _SUNW_GetThreshold()
	 */
	/* Get the threshold values for the supported mechs */
	/* Set and reset values to process next provider */
	/*
	 * there's no other slot in the framework,
	 * there is nothing to do
	 */
	/* determine if metaslot should be enabled */
	/*
	 * Check to see if any environment variable is defined
	 * by the user for configuring metaslot. Users'
	 * settings always take precedence over the system wide
	 * setting. So, we will first check for any user's
	 * defined env variables before looking at the system-wide
	 */
	/*
	 * If user env variable indicates metaslot should be enabled,
	 * metaslot at all, will respect the user's defined value
	 */
	/*
	 * take system wide value if
	 * it is not specified by user
	 */
	/*
	 * As long as the user or system configuration file does not
	 * disable metaslot, it will be enabled regardless of the
	 * number of slots plugged into the framework. Therefore,
	 * metaslot is enabled even when there's only one slot
	 * plugged into the framework. This is necessary for
	 * presenting a consistent token label view to applications.
	 *
	 * However, for the case where there is only 1 slot plugged into
	 * the framework, we can use "fastpath".
	 * "fastpath" will pass all of the application's requests
	 * directly to the underlying provider. Only when policy is in
	 * effect will we need to keep slotID around.
	 *
	 * When metaslot is enabled, and fastpath is enabled,
	 * all the metaslot processing will be skipped.
	 * When there is only 1 slot, there's
	 * really not much metaslot can do in terms of combining functionality
	 * of different slots, and object migration.
	 */
	/* check to see if fastpath can be used */
	/* No policy is in effect, don't need slotid */
	/*
	 * If we get here, there are more than 2 slots in the framework;
	 * we need to set up metaslot if it is enabled.
	 */
	/*
	 * This cleanup code is only exercised when a major,
	 * unrecoverable error like "out of memory" or
	 * kcfd is not reachable occurs.
	 */

/*
 * pkcs11_mech_parse will take hex mechanism ids, as a list of
 * strings, and convert them to CK_MECHANISM_TYPE_PTR.
 */
	/*
	 * The following will loop mech_count times, as there are
	 * exactly mech_count items in the str_list.
	 */
	/* "name" is a hexadecimal number, preceded by 0x. */

/*
 * pkcs11_is_dismech is provided a slotid and a mechanism.
 * If mech is not disabled, then return B_FALSE.
 */
	/* Find the associated slot and get the mech policy info */
	/* If there is a mech list, check it based on the policy in effect */
	/*
	 * mech found in metaslot's enabledlist=...
	 * doesn't ensure it is also enabled by at
	 * least one other underlying provider
	 */
	/* stop and check providers */
	/* mech was not found in list */
	/*
	 * ASSERT(slotid == METASLOT_FRAMEWORK_ID);
	 * One of these conditions should be true:
	 * a. metaslot has no explicit enabledlist=... nor disabledlist=...
	 * b. mech is explicitly listed in metaslot's enabledlist=...
	 * c. mech is explicitly omitted from metaslot's disabledlist=...
	 * It is still possible for the mech to be disabled or unavailable
	 * at the underlying provider level, thus not usable by Metaslot.
	 * If even one mech instance is enabled, return FALSE immediately.
	 */
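The policy logic the comments above describe, as an added example that is not code from pkcs11Conf.c: parsing a list of "0x"-prefixed hex mechanism ids (the pkcs11_mech_parse role), the per-slot enabledlist/disabledlist check (the pkcs11_is_dismech role), and the metaslot rule that a mechanism allowed by metaslot's own policy is still unusable unless at least one underlying provider both implements it and has it enabled. The names mech_parse, is_dismech, metaslot_is_dismech and provider_slot, the strict "0x" + hex-digit rule (anything else is treated as a corrupted policy) and the sample mechanism ids and policies are this example's own assumptions.

```c
/* Added example (not the Solaris framework's own code): mechanism policy
 * parsing and the disabled-mechanism check, including the metaslot rule.
 * All type and function names here are assumptions for illustration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_MECHANISM_TYPE;

/* A slot entry carries at most one of the two lists. */
typedef enum { POLICY_NONE, POLICY_DISABLEDLIST, POLICY_ENABLEDLIST } policy_kind;

typedef struct {
	policy_kind kind;
	const CK_MECHANISM_TYPE *list;
	size_t count;
} mech_policy;

/* Each name must be "0x" followed only by hex digits.  Returns 0 and a
 * malloc'd array, or -1 with *out == NULL on any bad entry (the
 * framework's "policy invalid or corrupted" case). */
int mech_parse(const char *const *names, size_t n, CK_MECHANISM_TYPE **out)
{
	static const char hexdigits[] = "0123456789abcdefABCDEF";
	CK_MECHANISM_TYPE *v;
	size_t i;

	*out = NULL;
	v = calloc(n ? n : 1, sizeof *v);
	if (v == NULL)
		return -1;
	for (i = 0; i < n; i++) {
		const char *s = names[i];
		char *end;
		if (strncmp(s, "0x", 2) != 0 || s[2] == '\0' ||
		    strspn(s + 2, hexdigits) != strlen(s + 2))
			goto bad;
		errno = 0;
		v[i] = strtoul(s + 2, &end, 16);
		if (errno != 0 || *end != '\0')
			goto bad;   /* overflow or trailing garbage */
	}
	*out = v;
	return 0;
bad:
	free(v);
	return -1;
}

static int in_list(const mech_policy *p, CK_MECHANISM_TYPE m)
{
	size_t i;
	for (i = 0; i < p->count; i++)
		if (p->list[i] == m)
			return 1;
	return 0;
}

/* One slot's policy: 1 if the mechanism is disabled, 0 if usable. */
int is_dismech(const mech_policy *p, CK_MECHANISM_TYPE m)
{
	switch (p->kind) {
	case POLICY_DISABLEDLIST: return in_list(p, m);
	case POLICY_ENABLEDLIST:  return !in_list(p, m);
	default:                  return 0;   /* no policy: all mechs enabled */
	}
}

/* A provider slot: what it implements plus the administrator's policy. */
typedef struct {
	const CK_MECHANISM_TYPE *supported;
	size_t nsupported;
	mech_policy policy;
} provider_slot;

/* Metaslot rule: pass metaslot's own policy, then find at least one
 * provider slot that implements the mech and does not disable it. */
int metaslot_is_dismech(const mech_policy *meta, const provider_slot *prov,
    size_t nprov, CK_MECHANISM_TYPE m)
{
	size_t i, j;

	if (is_dismech(meta, m))
		return 1;
	for (i = 0; i < nprov; i++) {
		if (is_dismech(&prov[i].policy, m))
			continue;
		for (j = 0; j < prov[i].nsupported; j++)
			if (prov[i].supported[j] == m)
				return 0;   /* one usable instance is enough */
	}
	return 1;   /* allowed by policy, but nothing underneath provides it */
}

int main(void)
{
	/* Constructed sample: hardware slot without policy, software slot
	 * with a disabledlist, metaslot with no policy of its own. */
	const char *names[] = { "0x00000120", "0x00000121" };
	static const CK_MECHANISM_TYPE hw[] = { 0x120, 0x1 };
	static const CK_MECHANISM_TYPE sw[] = { 0x120, 0x121, 0x1 };
	mech_policy none = { POLICY_NONE, NULL, 0 };
	provider_slot prov[2];
	CK_MECHANISM_TYPE *dis;

	if (mech_parse(names, 2, &dis) != 0)
		return 1;
	prov[0].supported = hw; prov[0].nsupported = 2; prov[0].policy = none;
	prov[1].supported = sw; prov[1].nsupported = 3;
	prov[1].policy.kind = POLICY_DISABLEDLIST; prov[1].policy.list = dis;
	prov[1].policy.count = 2;
	printf("0x120: %s\n", metaslot_is_dismech(&none, prov, 2, 0x120) ? "disabled" : "usable");
	printf("0x121: %s\n", metaslot_is_dismech(&none, prov, 2, 0x121) ? "disabled" : "usable");
	free(dis);
	return 0;
}
```

Mechanism 0x120 stays usable through metaslot because the hardware slot still offers it, while 0x121 is only implemented by the software slot whose disabledlist names it, so the metaslot check reports it disabled even though metaslot's own policy never mentions it.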