1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
* Copyright 2021 RackTop Systems, Inc.
*/
#include <stdlib.h>
#include <smbsrv/smb_kproto.h>
#include <smbsrv/smb_kcrypt.h>
#include <security/cryptoki.h>
#include <security/pkcs11.h>
/*
* SMB 3.1.1 Preauth Integrity
*/
static int
getmech_sha512(smb_crypto_mech_t *mech)
{
ulong_t mid = CKM_SHA512;
CK_SESSION_HANDLE hdl;
CK_RV rv;
rv = SUNW_C_GetMechSession(mid, &hdl);
if (rv != CKR_OK) {
cmn_err(CE_NOTE, "PKCS#11: no mech 0x%x",
(unsigned int)mid);
return (-1);
}
(void) C_CloseSession(hdl);
mech->mechanism = mid;
mech->pParameter = NULL;
mech->ulParameterLen = 0;
return (0);
}
/*
* (called from smb2_negotiate_common)
*/
void
smb31_preauth_init_mech(smb_session_t *s)
{
smb_crypto_mech_t *mech;
int rc;
ASSERT3S(s->dialect, >=, SMB_VERS_3_11);
if (s->preauth_mech != NULL)
return;
mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
rc = getmech_sha512(mech);
if (rc != 0) {
kmem_free(mech, sizeof (*mech));
return;
}
s->preauth_mech = mech;
}
void
smb31_preauth_fini(smb_session_t *s)
{
smb_crypto_mech_t *mech;
if ((mech = s->preauth_mech) != NULL) {
kmem_free(mech, sizeof (*mech));
s->preauth_mech = NULL;
}
}
/*
* Start the KCF session, load the key
*/
int
smb_sha512_init(smb_sign_ctx_t *ctxp, smb_crypto_mech_t *mech)
{
CK_RV rv;
rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
if (rv != CKR_OK)
return (-1);
rv = C_DigestInit(*ctxp, mech);
return (rv == CKR_OK ? 0 : -1);
}
/*
* Digest one segment
*/
int
smb_sha512_update(smb_sign_ctx_t ctx, void *buf, size_t len)
{
CK_RV rv;
rv = C_DigestUpdate(ctx, buf, len);
if (rv != CKR_OK)
(void) C_CloseSession(ctx);
return (rv == CKR_OK ? 0 : -1);
}
/*
* Get the final digest.
*/
int
smb_sha512_final(smb_sign_ctx_t ctx, uint8_t *digest)
{
CK_ULONG len = SHA512_DIGEST_LENGTH;
CK_RV rv;
rv = C_DigestFinal(ctx, digest, &len);
(void) C_CloseSession(ctx);
return (rv == CKR_OK ? 0 : -1);
}
int
smb31_preauth_sha512_calc(smb_request_t *sr, struct mbuf_chain *mbc,
uint8_t *in_hashval, uint8_t *out_hashval)
{
smb_session_t *s = sr->session;
smb_sign_ctx_t ctx = 0;
struct mbuf *mbuf = mbc->chain;
int rc;
ASSERT3U(s->smb31_preauth_hashid, !=, 0);
if (s->preauth_mech == NULL)
return (-1);
if ((rc = smb_sha512_init(&ctx, s->preauth_mech)) != 0)
return (rc);
/* Digest current hashval */
rc = smb_sha512_update(ctx, in_hashval, SHA512_DIGEST_LENGTH);
if (rc != 0)
return (rc);
while (mbuf != NULL) {
rc = smb_sha512_update(ctx, mbuf->m_data, mbuf->m_len);
if (rc != 0)
return (rc);
mbuf = mbuf->m_next;
}
rc = smb_sha512_final(ctx, out_hashval);
return (rc);
}
|