authormcpowers <none@none>2008-08-01 15:04:18 -0700
committermcpowers <none@none>2008-08-01 15:04:18 -0700
commitc64d15a587b6038b85a928885fc997da7315fbfe (patch)
treeed2d23e1acf136fef934b121b57930d5f010b38c /usr/src/lib/pkcs11/pkcs11_softtoken/common
parentab073b324433ebc8947d28ade932d29d0e809795 (diff)
6727960 C_Sign fails when using sensitive ECC private key
6731694 CCM unnecessarily allocates output buffers for uio data
6731818 sparc/kcf/Makefile has commented out linkage dependency
Diffstat (limited to 'usr/src/lib/pkcs11/pkcs11_softtoken/common')
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c30
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softDH.c8
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softDSA.c22
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c12
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softObject.h6
-rw-r--r--usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c32
6 files changed, 63 insertions, 47 deletions
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
index ae24570f81..dec3ddd6e0 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softAttributeUtil.c
@@ -5095,7 +5095,7 @@ soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
}
CK_RV
-soft_get_public_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
+soft_get_public_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
uchar_t *value, uint32_t *value_len)
{
uint32_t len = 0;
@@ -5309,7 +5309,7 @@ soft_get_public_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
CK_RV
-soft_get_private_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
+soft_get_private_value(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
uchar_t *value, uint32_t *value_len)
{
@@ -5607,7 +5607,7 @@ soft_get_private_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
case CKA_VALUE:
- if (key->key_type == CKK_DSA)
+ if (key->key_type == CKK_DSA) {
#ifdef __sparcv9
len =
/* LINTED */
@@ -5619,7 +5619,7 @@ soft_get_private_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->
big_value_len;
#endif /* __sparcv9 */
- else
+ } else if (key->key_type == CKK_DH) {
#ifdef __sparcv9
len =
/* LINTED */
@@ -5631,6 +5631,19 @@ soft_get_private_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
((biginteger_t *)OBJ_PRI_DH_VALUE(key))->
big_value_len;
#endif /* __sparcv9 */
+ } else {
+#ifdef __sparcv9
+ len =
+ /* LINTED */
+ (uint32_t)
+ ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
+ big_value_len;
+#else /* !__sparcv9 */
+ len =
+ ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->
+ big_value_len;
+#endif /* __sparcv9 */
+ }
/* This attribute MUST BE set */
if (len == 0 || len > *value_len) {
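Review bot: The final `else` in this length chain treats every key type other than CKK_DSA and CKK_DH as EC, so a caller that passes CKA_VALUE with any other private key type would have OBJ_PRI_EC_VALUE(key) applied to an object that is not an EC key. The same catch-all is repeated in the memcpy chain of the next hunk (-5638,14 +5651,19). I would make the third branch explicit, `} else if (key->key_type == CKK_EC) {`, and close the chain with `} else { return (CKR_KEY_TYPE_INCONSISTENT); }` or whichever error this function already returns for an unsupported request, so the copy below can never see another type. The body of soft_get_private_value starts and ends outside this hunk, so an earlier key-type check may already exist; if it does, a comment saying so at the `else` would be enough.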
@@ -5638,14 +5651,19 @@ soft_get_private_attr(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
}
*value_len = len;
- if (key->key_type == CKK_DSA)
+ if (key->key_type == CKK_DSA) {
(void) memcpy(value,
((biginteger_t *)OBJ_PRI_DSA_VALUE(key))->big_value,
*value_len);
- else
+ } else if (key->key_type == CKK_DH) {
(void) memcpy(value,
((biginteger_t *)OBJ_PRI_DH_VALUE(key))->big_value,
*value_len);
+ } else {
+ (void) memcpy(value,
+ ((biginteger_t *)OBJ_PRI_EC_VALUE(key))->big_value,
+ *value_len);
+ }
break;
}
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDH.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDH.c
index 57c085ec56..7991f7c267 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDH.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDH.c
@@ -140,7 +140,7 @@ soft_dh_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
* The input to the first phase shall be the Diffie-Hellman
* parameters, which include prime, base, and private-value length.
*/
- rv = soft_get_public_attr(pubkey, CKA_PRIME, prime, &prime_len);
+ rv = soft_get_public_value(pubkey, CKA_PRIME, prime, &prime_len);
if (rv != CKR_OK) {
return (rv);
@@ -161,7 +161,7 @@ soft_dh_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
/* Convert the prime octet string to big integer format. */
bytestring2bignum(&bnprime, prime, prime_len);
- rv = soft_get_public_attr(pubkey, CKA_BASE, base, &base_len);
+ rv = soft_get_public_value(pubkey, CKA_BASE, base, &base_len);
if (rv != CKR_OK) {
goto ret1;
@@ -315,13 +315,13 @@ soft_dh_key_derive(soft_object_t *basekey, soft_object_t *secretkey,
BIGNUM bnprivate;
BIGNUM bnsecret;
- rv = soft_get_private_attr(basekey, CKA_VALUE, privatevalue,
+ rv = soft_get_private_value(basekey, CKA_VALUE, privatevalue,
&privatevaluelen);
if (rv != CKR_OK) {
return (rv);
}
- rv = soft_get_private_attr(basekey, CKA_PRIME, privateprime,
+ rv = soft_get_private_value(basekey, CKA_PRIME, privateprime,
&privateprimelen);
if (rv != CKR_OK) {
goto ret0;
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDSA.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDSA.c
index 2c652e820e..37c9c611f4 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDSA.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDSA.c
@@ -199,7 +199,7 @@ dsa_sign(soft_object_t *key, CK_BYTE_PTR in, CK_ULONG inlen, CK_BYTE_PTR out)
BIG_ERR_CODE err;
CK_RV rv;
- rv = soft_get_private_attr(key, CKA_SUBPRIME, q, &qlen);
+ rv = soft_get_private_value(key, CKA_SUBPRIME, q, &qlen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -209,12 +209,12 @@ dsa_sign(soft_object_t *key, CK_BYTE_PTR in, CK_ULONG inlen, CK_BYTE_PTR out)
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_PRIME, p, &plen);
+ rv = soft_get_private_value(key, CKA_PRIME, p, &plen);
if (rv != CKR_OK) {
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_BASE, g, &glen);
+ rv = soft_get_private_value(key, CKA_BASE, g, &glen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -224,7 +224,7 @@ dsa_sign(soft_object_t *key, CK_BYTE_PTR in, CK_ULONG inlen, CK_BYTE_PTR out)
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_VALUE, x, &xlen);
+ rv = soft_get_private_value(key, CKA_VALUE, x, &xlen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -337,7 +337,7 @@ dsa_verify(soft_object_t *key, CK_BYTE_PTR data, CK_BYTE_PTR sig)
BIGNUM msg, tmp1, tmp2, tmp3;
CK_RV rv;
- rv = soft_get_public_attr(key, CKA_SUBPRIME, q, &qlen);
+ rv = soft_get_public_value(key, CKA_SUBPRIME, q, &qlen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -347,12 +347,12 @@ dsa_verify(soft_object_t *key, CK_BYTE_PTR data, CK_BYTE_PTR sig)
goto clean1;
}
- rv = soft_get_public_attr(key, CKA_PRIME, p, &plen);
+ rv = soft_get_public_value(key, CKA_PRIME, p, &plen);
if (rv != CKR_OK) {
goto clean1;
}
- rv = soft_get_public_attr(key, CKA_BASE, g, &glen);
+ rv = soft_get_public_value(key, CKA_BASE, g, &glen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -362,7 +362,7 @@ dsa_verify(soft_object_t *key, CK_BYTE_PTR data, CK_BYTE_PTR sig)
goto clean1;
}
- rv = soft_get_public_attr(key, CKA_VALUE, y, &ylen);
+ rv = soft_get_public_value(key, CKA_VALUE, y, &ylen);
if (rv != CKR_OK) {
goto clean1;
}
@@ -744,7 +744,7 @@ soft_dsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
}
/* lookup prime, subprime and base */
- rv = soft_get_public_attr(pubkey, CKA_PRIME, prime, &prime_len);
+ rv = soft_get_public_value(pubkey, CKA_PRIME, prime, &prime_len);
if (rv != CKR_OK) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto cleanexit;
@@ -756,7 +756,7 @@ soft_dsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
goto cleanexit;
}
- rv = soft_get_public_attr(pubkey, CKA_SUBPRIME, subprime,
+ rv = soft_get_public_value(pubkey, CKA_SUBPRIME, subprime,
&subprime_len);
if (rv != CKR_OK) {
rv = CKR_TEMPLATE_INCOMPLETE;
@@ -768,7 +768,7 @@ soft_dsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
goto cleanexit;
}
- rv = soft_get_public_attr(pubkey, CKA_BASE, base, &base_len);
+ rv = soft_get_public_value(pubkey, CKA_BASE, base, &base_len);
if (rv != CKR_OK) {
rv = CKR_TEMPLATE_INCOMPLETE;
goto cleanexit;
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
index e57fb014dd..27d18b290b 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEC.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -472,10 +472,10 @@ soft_ecc_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
soft_ecc_ctx_t *ecc_ctx = session_p->sign.context;
soft_object_t *key = ecc_ctx->key;
uchar_t value[EC_MAX_VALUE_LEN];
- CK_ATTRIBUTE template;
ECPrivateKey ECkey;
SECItem signature_item;
SECItem digest_item;
+ uint_t value_len;
if ((key->class != CKO_PRIVATE_KEY) || (key->key_type != CKK_EC)) {
rv = CKR_KEY_TYPE_INCONSISTENT;
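Review bot: `uint_t value_len;` does not match the `uint32_t *` parameter that softObject.h declares for soft_get_private_value, while the other callers touched by this commit use `uint32_t` length variables (for example `uint32_t modulus_len = sizeof (modulus);` in softRSA.c). Declaring it as `uint32_t value_len = sizeof (value);` keeps the type aligned with the prototype and ties the length to the buffer at the point of declaration. soft_ecc_sign continues outside this hunk.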
@@ -490,16 +490,14 @@ soft_ecc_sign(soft_session_t *session_p, CK_BYTE_PTR pData,
/* structure assignment */
ECkey.ecParams = ecc_ctx->ecparams;
- template.type = CKA_VALUE;
- template.pValue = value;
- template.ulValueLen = sizeof (value);
- rv = soft_get_private_key_attribute(key, &template);
+ value_len = EC_MAX_VALUE_LEN;
+ rv = soft_get_private_value(key, CKA_VALUE, value, &value_len);
if (rv != CKR_OK) {
goto clean_exit;
}
ECkey.privateValue.data = value;
- ECkey.privateValue.len = template.ulValueLen;
+ ECkey.privateValue.len = value_len;
signature_item.data = pSigned;
signature_item.len = *pulSignedLen;
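Review bot: After this change `value` holds the raw EC private value on the stack, fetched through a getter that (going by the commit title) presumably does not apply the sensitive-attribute restriction, and nothing in the hunk shows the buffer being cleared afterwards. The clean_exit path is outside the hunk, so this may already be handled; if it is not, `value` should be wiped there on both the success and the error path, using a clearing call the compiler cannot elide. I would also add a comment above the call, `/* internal use only: soft_get_private_value() returns sensitive key material; never hand this buffer back to the caller */`, so the bypass stays confined to signing. The hard-coded `EC_MAX_VALUE_LEN` could be `sizeof (value)` so the length cannot drift from the array size.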
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObject.h b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObject.h
index 5cd118cb94..2d15d61818 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObject.h
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softObject.h
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -828,10 +828,10 @@ CK_RV soft_set_attribute(soft_object_t *object_p, CK_ATTRIBUTE_PTR template,
CK_RV soft_set_common_storage_attribute(soft_object_t *object_p,
CK_ATTRIBUTE_PTR template, boolean_t copy);
-CK_RV soft_get_public_attr(soft_object_t *, CK_ATTRIBUTE_TYPE, uchar_t *,
+CK_RV soft_get_public_value(soft_object_t *, CK_ATTRIBUTE_TYPE, uchar_t *,
uint32_t *);
-CK_RV soft_get_private_attr(soft_object_t *, CK_ATTRIBUTE_TYPE, uchar_t *,
+CK_RV soft_get_private_value(soft_object_t *, CK_ATTRIBUTE_TYPE, uchar_t *,
uint32_t *);
CK_RV get_ulong_attr_from_object(CK_ULONG value, CK_ATTRIBUTE_PTR template);
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c
index 3568a99657..669c1bfda4 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c
@@ -58,20 +58,20 @@ soft_rsa_encrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
RSAkey *rsakey;
if (realpublic) {
- rv = soft_get_public_attr(key, CKA_PUBLIC_EXPONENT, expo,
+ rv = soft_get_public_value(key, CKA_PUBLIC_EXPONENT, expo,
&expo_len);
if (rv != CKR_OK) {
goto clean1;
}
} else {
- rv = soft_get_private_attr(key, CKA_PRIVATE_EXPONENT, expo,
+ rv = soft_get_private_value(key, CKA_PRIVATE_EXPONENT, expo,
&expo_len);
if (rv != CKR_OK) {
goto clean1;
}
}
- rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean1;
}
@@ -160,12 +160,12 @@ soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
BIGNUM msg;
RSAkey *rsakey;
- rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_PRIME_1, prime1, &prime1_len);
+ rv = soft_get_private_value(key, CKA_PRIME_1, prime1, &prime1_len);
if ((prime1_len == 0) && (rv == CKR_OK)) {
rv = soft_rsa_encrypt(key, in, in_len, out, 0);
@@ -175,7 +175,7 @@ soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_PRIME_2, prime2, &prime2_len);
+ rv = soft_get_private_value(key, CKA_PRIME_2, prime2, &prime2_len);
if ((prime2_len == 0) && (rv == CKR_OK)) {
rv = soft_rsa_encrypt(key, in, in_len, out, 0);
@@ -185,7 +185,7 @@ soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_EXPONENT_1, expo1, &expo1_len);
+ rv = soft_get_private_value(key, CKA_EXPONENT_1, expo1, &expo1_len);
if ((expo1_len == 0) && (rv == CKR_OK)) {
rv = soft_rsa_encrypt(key, in, in_len, out, 0);
@@ -195,7 +195,7 @@ soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_EXPONENT_2, expo2, &expo2_len);
+ rv = soft_get_private_value(key, CKA_EXPONENT_2, expo2, &expo2_len);
if ((expo2_len == 0) && (rv == CKR_OK)) {
rv = soft_rsa_encrypt(key, in, in_len, out, 0);
@@ -205,7 +205,7 @@ soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
goto clean1;
}
- rv = soft_get_private_attr(key, CKA_COEFFICIENT, coef, &coef_len);
+ rv = soft_get_private_value(key, CKA_COEFFICIENT, coef, &coef_len);
if ((coef_len == 0) && (rv == CKR_OK)) {
rv = soft_rsa_encrypt(key, in, in_len, out, 0);
@@ -351,7 +351,7 @@ soft_rsa_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData,
CK_BYTE cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
CK_RV rv = CKR_OK;
- rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean_exit;
}
@@ -440,7 +440,7 @@ soft_rsa_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted,
CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
CK_RV rv = CKR_OK;
- rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean_exit;
}
@@ -634,7 +634,7 @@ soft_rsa_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData,
CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
CK_BYTE signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
- rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean_exit;
}
@@ -750,7 +750,7 @@ soft_rsa_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
uint32_t modulus_len = sizeof (modulus);
CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
- rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean_exit;
}
@@ -1171,7 +1171,7 @@ soft_rsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
goto clean0;
}
- rv = soft_get_public_attr(pubkey, CKA_PUBLIC_EXPONENT, pub_expo,
+ rv = soft_get_public_value(pubkey, CKA_PUBLIC_EXPONENT, pub_expo,
&pub_expo_len);
if (rv != CKR_OK) {
goto clean0;
@@ -1287,7 +1287,7 @@ soft_rsa_digest_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData,
CK_ULONG der_len;
CK_BYTE_PTR der_prefix;
- rv = soft_get_private_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
(void) pthread_mutex_lock(&session_p->session_mutex);
free(session_p->digest.context);
@@ -1485,7 +1485,7 @@ soft_rsa_verify_recover(soft_session_t *session_p, CK_BYTE_PTR pSignature,
uint32_t modulus_len = sizeof (modulus);
CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
- rv = soft_get_public_attr(key, CKA_MODULUS, modulus, &modulus_len);
+ rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
if (rv != CKR_OK) {
goto clean_exit;
}