author | Valerie Bubb Fenwick <Valerie.Fenwick@Sun.COM> | 2009-12-18 16:08:53 -0800 |
---|---|---|
committer | Valerie Bubb Fenwick <Valerie.Fenwick@Sun.COM> | 2009-12-18 16:08:53 -0800 |
commit | 4ff712c4da439d87cb85663f70011c823faa18c2 (patch) | |
tree | 078d901ea996939c287b1a03ab15c0c4ad9bf7ee | |
parent | 56976565c7cea0f2fbde67ea3a985d8b17a71288 (diff) | |
download | illumos-joyent-4ff712c4da439d87cb85663f70011c823faa18c2.tar.gz |
6900477 libpkcs11 needs to be friendlier
6903648 pInfo->libraryVersion.minor left uninitialized in pkcs11_softtoken
-rw-r--r-- | usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c | 29 | ||||
-rw-r--r-- | usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c | 2 | ||||
-rw-r--r-- | usr/src/uts/common/sys/crypto/elfsign.h | 4 |
3 files changed, 21 insertions, 14 deletions
diff --git a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c
index 9a2a3b7c47..2ee6204bc7 100644
--- a/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c
+++ b/usr/src/lib/pkcs11/libpkcs11/common/pkcs11Conf.c
@@ -305,8 +305,8 @@ open_door_file:
 }
 if (kcfdfd == -1) {
 if (!cryptosvc_is_online()) {
- cryptoerror(LOG_ERR, "libpkcs11: unable to open"
- " kcfd door_file %s: %s. %s is not online."
+ cryptoerror(LOG_ERR, "libpkcs11: unable to communicate"
+ " with kcfd, door_file %s: %s. %s is not online."
 " (see svcs -xv for details).",
 _PATH_KCFD_DOOR, strerror(door_errno),
 CRYPTOSVC_DEFAULT_INSTANCE_FMRI);
@@ -316,7 +316,7 @@ open_door_file:
 strerror(door_errno));
 }
 *rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- estatus = ELFSIGN_UNKNOWN;
+ estatus = ELFSIGN_UNAVAILABLE;
 goto verifycleanup;
 }
@@ -379,7 +379,7 @@ open_door_file:
 _PATH_KCFD_DOOR, strerror(door_errno));
 }
 *rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- estatus = ELFSIGN_UNKNOWN;
+ estatus = ELFSIGN_UNAVAILABLE;
 goto verifycleanup;
 }
@@ -698,7 +698,6 @@ pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs)
 estatus = kcfd_door_call(fullpath, B_FALSE, &rv);
 switch (estatus) {
- case ELFSIGN_UNKNOWN:
 case ELFSIGN_SUCCESS:
 case ELFSIGN_RESTRICTED:
 break;
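Review bot: In pkcs11Conf.c the failure tail `*rv = CKR_CRYPTOKI_NOT_INITIALIZED; estatus = ELFSIGN_UNAVAILABLE; goto verifycleanup;` is repeated verbatim in the hunks at line 316 and line 379, and this commit had to edit both copies to keep them in step. A single shared exit path ahead of `verifycleanup` would leave one place to change; failing that, each site deserves a comment such as `/* kcfd unreachable: no verdict was produced, the caller must refuse the provider */`. The enclosing function starts and ends outside both hunks, so whether a shared exit fits its control flow cannot be confirmed from here.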
@@ -708,22 +707,28 @@ pkcs11_slot_mapping(uentrylist_t *pplist, CK_VOID_PTR pInitArgs)
 case ELFSIGN_FAILED:
 estatus_str = strdup("signature verification failed.");
 break;
+ case ELFSIGN_UNAVAILABLE:
+ estatus_str = strdup("kcfd(1m) is not available for "
+ "signature verification. Cannot continue loading "
+ "the cryptographic framework.");
+ break;
 default:
 estatus_str = strdup("unexpected failure in ELF "
- "signature verification. "
- "System may have been tampered with.");
+ "signature verification.");
 }
 if (estatus_str != NULL) {
 cryptoerror(LOG_ERR, "libpkcs11: %s %s %s",
- fullpath, estatus_str ? estatus_str : "",
- estatus == ELFSIGN_UNKNOWN ?
- "Cannot continue parsing " _PATH_PKCS11_CONF:
- conf_err);
+ fullpath, estatus_str,
+ (estatus == ELFSIGN_UNKNOWN ||
+ estatus == ELFSIGN_UNAVAILABLE) ?
+ "See cryptoadm (1M). Cannot continue parsing "
+ _PATH_PKCS11_CONF : conf_err);
 (void) prov_funcs->C_Finalize(NULL);
 (void) dlclose(dldesc);
 free(estatus_str);
 estatus_str = NULL;
- if (estatus == ELFSIGN_UNKNOWN) {
+ if (estatus == ELFSIGN_UNKNOWN ||
+ estatus == ELFSIGN_UNAVAILABLE) {
 prov_funcs = NULL;
 dldesc = NULL;
 rv = CKR_GENERAL_ERROR;
diff --git a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
index 2df2a11926..d8a36a7b3f 100644
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softGeneral.c
@@ -455,7 +455,7 @@ C_GetInfo(CK_INFO_PTR pInfo)
 (void) strncpy((char *)pInfo->libraryDescription,
 LIBRARY_DESCRIPTION, 32);
 pInfo->libraryVersion.major = LIBRARY_VERSION_MAJOR;
- pInfo->libraryVersion.major = LIBRARY_VERSION_MINOR;
+ pInfo->libraryVersion.minor = LIBRARY_VERSION_MINOR;
 return (CKR_OK);
 }
diff --git a/usr/src/uts/common/sys/crypto/elfsign.h b/usr/src/uts/common/sys/crypto/elfsign.h
index b50c1d5d28..35f5657e41 100644
--- a/usr/src/uts/common/sys/crypto/elfsign.h
+++ b/usr/src/uts/common/sys/crypto/elfsign.h
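Review bot: In pkcs11_slot_mapping (pkcs11Conf.c, hunk at new line 707) the whole rejection path still hangs on `if (estatus_str != NULL)`, so if `strdup()` returns NULL for ELFSIGN_FAILED, ELFSIGN_UNAVAILABLE or the default case, the logging, `C_Finalize`, `dlclose` and `rv = CKR_GENERAL_ERROR` lines visible here are all skipped and, as far as this hunk shows, a provider that failed verification is handled like one that passed. The messages are constants, so assigning the literals to a `const char *` and dropping `strdup`/`free` removes the allocation altogether; otherwise gate on the verdict itself, `if (estatus != ELFSIGN_SUCCESS && estatus != ELFSIGN_RESTRICTED) {`. The declaration of estatus_str and the code after the inner `if` are outside the hunk.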
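Review bot: In C_GetInfo (softGeneral.c) the copy on the context lines just above the fix bounds itself with a bare `32`; `sizeof (pInfo->libraryDescription)` would tie the bound to the field it protects. PKCS #11 expects this field to be blank-padded and not NUL-terminated, whereas `strncpy` fills any remainder with NUL bytes, so the result is conformant only if LIBRARY_DESCRIPTION is already exactly 32 characters; its definition is not visible here. The function's opening lines, including any check of pInfo, are outside the hunk.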
@@ -49,9 +49,11 @@ typedef enum ELFsign_status_e {
 ELFSIGN_NOTSIGNED,
 ELFSIGN_INVALID_CERTPATH,
 ELFSIGN_INVALID_ELFOBJ,
- ELFSIGN_RESTRICTED
+ ELFSIGN_RESTRICTED,
+ ELFSIGN_UNAVAILABLE
 } ELFsign_status_t;
+
 /* Version values for da_version in kcf_door_args_t */
 #define KCF_KCFD_VERSION1 1
 #define KCFD_FIPS140_INTCHECK 2 |
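Review bot: ELFSIGN_UNAVAILABLE is added to ELFsign_status_t in elfsign.h without a comment, and nothing in the enum says how it differs from ELFSIGN_UNKNOWN; a trailing comment such as `ELFSIGN_UNAVAILABLE /* kcfd could not be reached, no verdict */` would record that. Appending it after ELFSIGN_RESTRICTED keeps the existing values unchanged, but any other `switch` over this type whose `default:` treats unlisted values as benign would now need an explicit case; those callers are not visible here. The lone `+` after the typedef appears to add a second blank line, which can be dropped.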