| blob | cf06e75767b67faf4d3d6b0b7dba1e4accd069dd |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
22 /*
23 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
26 /*
27 * Support for SMB "signing" (message integrity)
28 */
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/conf.h>
33 #include <sys/proc.h>
34 #include <sys/fcntl.h>
35 #include <sys/socket.h>
36 #include <sys/md4.h>
37 #include <sys/md5.h>
38 #include <sys/des.h>
39 #include <sys/kmem.h>
40 #include <sys/crypto/api.h>
41 #include <sys/crypto/common.h>
42 #include <sys/cmn_err.h>
43 #include <sys/stream.h>
44 #include <sys/strsun.h>
45 #include <sys/sdt.h>
47 #include <netsmb/smb_osdep.h>
48 #include <netsmb/smb.h>
49 #include <netsmb/smb_conn.h>
50 #include <netsmb/smb_subr.h>
51 #include <netsmb/smb_dev.h>
52 #include <netsmb/smb_rq.h>
54 #ifdef DEBUG
55 /*
56 * Set this to a small number to debug sequence numbers
57 * that seem to get out of step.
58 */
60 #endif
62 /* Mechanism definitions */
65 void
67 {
69 }
76 /*
77 * Compute HMAC-MD5 of packet data, using the stored MAC key.
78 *
79 * See similar code for the server side:
80 * uts/common/fs/smbsrv/smb_signing.c : smb_sign_calc
81 */
82 static int
85 {
86 crypto_context_t crypto_ctx;
87 crypto_data_t key;
88 crypto_data_t data;
89 crypto_data_t digest;
92 /*
93 * This union is a little bit of trickery to:
94 * (1) get the sequence number int aligned, and
95 * (2) reduce the number of digest calls, at the
96 * cost of a copying 32 bytes instead of 8.
97 * Both sides of this union are 2+32 bytes.
98 */
116 /*
117 * Make an aligned copy of the SMB header
118 * and fill in the sequence number.
119 */
124 /*
125 * Compute the MAC: MD5(concat(Key, message))
126 */
130 }
135 /* Digest the MAC Key */
146 /* Digest the (copied) SMB header */
157 /* Digest rest of the SMB message. */
167 /* Final */
178 /*
179 * Finally, store the signature.
180 * (first 8 bytes of the mac)
181 */
186 }
188 /*
189 * Sign a request with HMAC-MD5.
190 */
191 void
193 {
199 /*
200 * Our mblk allocation ensures this,
201 * but just in case...
202 */
206 }
210 /*
211 * Signing is required, but we have no key yet
212 * fill in with the magic fake signing value.
213 * This happens with SPNEGO, NTLMSSP, ...
214 */
217 }
219 /*
220 * This will compute the MAC and store it
221 * directly into the message at sigloc.
222 */
227 }
228 }
230 /*
231 * Verify reply signature.
232 */
233 int
235 {
242 /*
243 * Note vc_mackey and vc_mackeylen gets filled in by
244 * smb_usr_iod_work as the connection comes in.
245 */
249 }
251 /*
252 * Let caller deal with empty reply or short messages by
253 * returning zero. Caller will fail later, in parsing.
254 */
258 }
262 }
265 /*
266 * Compute the expected signature in sigbuf.
267 */
272 /*
273 * If we can't compute a MAC, then there's
274 * no point trying other seqno values.
275 */
277 }
279 /*
280 * Compare the computed signature with the
281 * one found in the message (at sigloc)
282 */
289 #ifdef DEBUG
290 /*
291 * For diag purposes, we check whether the client/server idea
292 * of the sequence # has gotten a bit out of sync.
293 */
302 }
303 }
307 }
308 #endif
310 }