authorZdenek Kotala <Zdenek.Kotala@Sun.COM>2010-07-19 15:59:30 +0200
committerZdenek Kotala <Zdenek.Kotala@Sun.COM>2010-07-19 15:59:30 +0200
commite8ab7b17355c311dfdb9f3aef33d179d9da74433 (patch)
tree13aa915828d8ff360dc20e60ff1b6a16b4ddeca7 /usr/src
parenta3745ee95227dbb143bbd14be46ddfe4ea429d49 (diff)
6948723 Crypto to pkcs11 error mapping has wrong boundary checks
6936557 kernel_get_func_list does not set fl_verify* flags
6949122 return is missing in aes_check_mech_param in aes crypto module
Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/lib/pkcs11/pkcs11_kernel/common/kernelSlottable.c66
-rw-r--r--usr/src/lib/pkcs11/pkcs11_kernel/common/kernelUtil.c14
-rw-r--r--usr/src/uts/common/crypto/io/aes.c4
-rw-r--r--usr/src/uts/common/sys/crypto/common.h8
4 files changed, 21 insertions, 71 deletions
diff --git a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelSlottable.c b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelSlottable.c
index 68337cd503..1cada4b315 100644
--- a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelSlottable.c
+++ b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelSlottable.c
@@ -19,12 +19,12 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <errno.h>
#include <security/cryptoki.h>
+#include <strings.h>
#include <sys/crypto/ioctl.h>
#include "kernelGlobal.h"
#include "kernelSlot.h"
@@ -107,6 +107,7 @@ kernel_get_func_list(kernel_slot_t *pslot)
int r;
int i;
+ (void) memset(&fl, 0, sizeof (fl));
fl.fl_provider_id = pslot->sl_provider_id;
while ((r = ioctl(kernel_fd, CRYPTO_GET_FUNCTION_LIST, &fl)) < 0) {
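Review bot: The `memset` added before `fl.fl_provider_id` has no comment saying why it is needed, and the reason only shows up in the next hunk, where `pslot->sl_func_list = fl.fl_list;` copies the whole structure instead of named members. With that copy, any member the CRYPTO_GET_FUNCTION_LIST ioctl leaves unwritten would carry stack contents into the slot, so a comment such as `/* zero fl: fl_list is copied wholesale below, unwritten members must read as 0 */` is worth adding. Whether the driver fills every member is not visible here. kernel_get_func_list starts and ends outside this hunk.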
@@ -127,65 +128,8 @@ kernel_get_func_list(kernel_slot_t *pslot)
return (rv);
}
- pslot->sl_func_list.fl_digest_init = fl.fl_list.fl_digest_init;
- pslot->sl_func_list.fl_digest = fl.fl_list.fl_digest;
- pslot->sl_func_list.fl_digest_update = fl.fl_list.fl_digest_update;
- pslot->sl_func_list.fl_digest_key = fl.fl_list.fl_digest_key;
- pslot->sl_func_list.fl_digest_final = fl.fl_list.fl_digest_final;
- pslot->sl_func_list.fl_encrypt_init = fl.fl_list.fl_encrypt_init;
- pslot->sl_func_list.fl_encrypt = fl.fl_list.fl_encrypt;
- pslot->sl_func_list.fl_encrypt_update = fl.fl_list.fl_encrypt_update;
- pslot->sl_func_list.fl_encrypt_final = fl.fl_list.fl_encrypt_final;
- pslot->sl_func_list.fl_decrypt_init = fl.fl_list.fl_decrypt_init;
- pslot->sl_func_list.fl_decrypt = fl.fl_list.fl_decrypt;
- pslot->sl_func_list.fl_decrypt_update = fl.fl_list.fl_decrypt_update;
- pslot->sl_func_list.fl_decrypt_final = fl.fl_list.fl_decrypt_final;
- pslot->sl_func_list.fl_mac_init = fl.fl_list.fl_mac_init;
- pslot->sl_func_list.fl_mac = fl.fl_list.fl_mac;
- pslot->sl_func_list.fl_mac_update = fl.fl_list.fl_mac_update;
- pslot->sl_func_list.fl_mac_final = fl.fl_list.fl_mac_final;
- pslot->sl_func_list.fl_sign_init = fl.fl_list.fl_sign_init;
- pslot->sl_func_list.fl_sign = fl.fl_list.fl_sign;
- pslot->sl_func_list.fl_sign_update = fl.fl_list.fl_sign_update;
- pslot->sl_func_list.fl_sign_final = fl.fl_list.fl_sign_final;
- pslot->sl_func_list.fl_sign_recover_init =
- fl.fl_list.fl_sign_recover_init;
- pslot->sl_func_list.fl_sign_recover = fl.fl_list.fl_sign_recover;
- pslot->sl_func_list.fl_digest_encrypt_update =
- fl.fl_list.fl_digest_encrypt_update;
- pslot->sl_func_list.fl_decrypt_digest_update =
- fl.fl_list.fl_decrypt_digest_update;
- pslot->sl_func_list.fl_sign_encrypt_update =
- fl.fl_list.fl_sign_encrypt_update;
- pslot->sl_func_list.fl_decrypt_verify_update =
- fl.fl_list.fl_decrypt_verify_update;
- pslot->sl_func_list.fl_seed_random = fl.fl_list.fl_seed_random;
- pslot->sl_func_list.fl_generate_random = fl.fl_list.fl_generate_random;
- pslot->sl_func_list.fl_session_open = fl.fl_list.fl_session_open;
- pslot->sl_func_list.fl_session_close = fl.fl_list.fl_session_close;
- pslot->sl_func_list.fl_session_login = fl.fl_list.fl_session_login;
- pslot->sl_func_list.fl_session_logout = fl.fl_list.fl_session_logout;
- pslot->sl_func_list.fl_object_create = fl.fl_list.fl_object_create;
- pslot->sl_func_list.fl_object_copy = fl.fl_list.fl_object_copy;
- pslot->sl_func_list.fl_object_destroy = fl.fl_list.fl_object_destroy;
- pslot->sl_func_list.fl_object_get_size = fl.fl_list.fl_object_get_size;
- pslot->sl_func_list.fl_object_get_attribute_value =
- fl.fl_list.fl_object_get_attribute_value;
- pslot->sl_func_list.fl_object_set_attribute_value =
- fl.fl_list.fl_object_set_attribute_value;
- pslot->sl_func_list.fl_object_find_init =
- fl.fl_list.fl_object_find_init;
- pslot->sl_func_list.fl_object_find = fl.fl_list.fl_object_find;
- pslot->sl_func_list.fl_object_find_final =
- fl.fl_list.fl_object_find_final;
- pslot->sl_func_list.fl_key_generate = fl.fl_list.fl_key_generate;
- pslot->sl_func_list.fl_key_generate_pair =
- fl.fl_list.fl_key_generate_pair;
- pslot->sl_func_list.fl_key_wrap = fl.fl_list.fl_key_wrap;
- pslot->sl_func_list.fl_key_unwrap = fl.fl_list.fl_key_unwrap;
- pslot->sl_func_list.fl_init_token = fl.fl_list.fl_init_token;
- pslot->sl_func_list.fl_init_pin = fl.fl_list.fl_init_pin;
- pslot->sl_func_list.fl_set_pin = fl.fl_list.fl_set_pin;
+ /* copy data structure received from kernel */
+ pslot->sl_func_list = fl.fl_list;
pslot->sl_flags = 0;
if (fl.fl_list.prov_is_hash_limited) {
diff --git a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelUtil.c b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelUtil.c
index 4aa118e2fe..e6f914e070 100644
--- a/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelUtil.c
+++ b/usr/src/lib/pkcs11/pkcs11_kernel/common/kernelUtil.c
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#include <stdlib.h>
@@ -44,15 +43,13 @@
cur_attr++; \
}
-#define CRYPTO_LAST_ERROR (CRYPTO_WEAK_KEY + 1)
-
/*
* In order to fit everything on one line, the 'CRYPTO_' prefix
* has been dropped from the KCF #defines, e.g.
* CRYPTO_SUCCESS becomes SUCCESS.
*/
-static CK_RV error_number_table[CRYPTO_LAST_ERROR] = {
+static CK_RV error_number_table[CRYPTO_LAST_ERROR+1] = {
CKR_OK, /* SUCCESS */
CKR_CANCEL, /* CANCEL */
CKR_HOST_MEMORY, /* HOST_MEMORY */
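Review bot: Giving `error_number_table` an explicit size of `CRYPTO_LAST_ERROR+1` means a short initializer list is zero-filled silently, and zero is `CKR_OK` in PKCS#11, so a KCF error whose row is forgotten would be reported to the caller as success. The `#if CRYPTO_LAST_ERROR != CRYPTO_FIPS140_ERROR` guard added in the next hunk only fires when the macro moves; it does not count the rows. Declaring the table unsized, `static CK_RV error_number_table[] = {`, and checking the count at compile time after the definition, e.g. `typedef char error_table_size_ok[(sizeof (error_number_table) / sizeof (error_number_table[0]) == CRYPTO_LAST_ERROR + 1) ? 1 : -1];`, would catch both a missing row and a stale macro. The initializer continues outside this hunk.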
@@ -136,15 +133,20 @@ CKR_GENERAL_ERROR, /* UNKNOWN_PROVIDER */
CKR_GENERAL_ERROR, /* MODVERIFICATION_FAILED */
CKR_GENERAL_ERROR, /* OLD_CTX_TEMPLATE */
CKR_GENERAL_ERROR, /* WEAK_KEY */
+CKR_GENERAL_ERROR /* FIPS140_ERROR */
};
+#if CRYPTO_LAST_ERROR != CRYPTO_FIPS140_ERROR
+#error "Crypto to PKCS11 error mapping table needs to be updated!"
+#endif
+
/*
* Map KCF error codes into PKCS11 error codes.
*/
CK_RV
crypto2pkcs11_error_number(uint_t n)
{
- if (n > CRYPTO_LAST_ERROR)
+ if (n >= sizeof (error_number_table) / sizeof (error_number_table[0]))
return (CKR_GENERAL_ERROR);
return (error_number_table[n]);
diff --git a/usr/src/uts/common/crypto/io/aes.c b/usr/src/uts/common/crypto/io/aes.c
index 328599e331..2c966064cd 100644
--- a/usr/src/uts/common/crypto/io/aes.c
+++ b/usr/src/uts/common/crypto/io/aes.c
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
@@ -301,6 +300,7 @@ aes_check_mech_param(crypto_mechanism_t *mechanism, aes_ctx_t **ctx, int kmflag)
break;
default:
rv = CRYPTO_MECHANISM_INVALID;
+ return (rv);
}
if (param_required && mechanism->cm_param != NULL &&
mechanism->cm_param_len != param_len) {
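Review bot: The `default:` branch now assigns `rv` only to return it on the next line; `return (CRYPTO_MECHANISM_INVALID);` does the same in one statement. A short comment, for example `/* unknown mechanism: do not fall through to the parameter checks */`, would record why the early exit matters, since the `param_required` test that follows the switch is what an unrecognised mechanism used to reach. aes_check_mech_param starts and ends outside this hunk, so whether the code further down could overwrite `rv` before the fix cannot be confirmed from here.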
diff --git a/usr/src/uts/common/sys/crypto/common.h b/usr/src/uts/common/sys/crypto/common.h
index 22fc0fa6da..8fc7b05de6 100644
--- a/usr/src/uts/common/sys/crypto/common.h
+++ b/usr/src/uts/common/sys/crypto/common.h
@@ -19,8 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
- * Use is subject to license terms.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
*/
#ifndef _SYS_CRYPTO_COMMON_H
@@ -571,6 +570,11 @@ typedef enum cmd_type {
#define CRYPTO_OLD_CTX_TEMPLATE 0x00000051
#define CRYPTO_WEAK_KEY 0x00000052
#define CRYPTO_FIPS140_ERROR 0x00000053
+/*
+ * Don't forget to update CRYPTO_LAST_ERROR and the error_number_table[]
+ * in kernelUtil.c when new error code is added.
+ */
+#define CRYPTO_LAST_ERROR 0x00000053
/*
* Special values that can be used to indicate that information is unavailable