xref: /illumos-gate/usr/src/lib/smbsrv/libfksmbsrv/common/fksmb_sign_pkcs.c (revision 9498083eeaed1aacdde41369b7fa6f3b84870791) 
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
14  */
15 
16 /*
17  * Helper functions for SMB signing using PKCS#11
18  *
19  * There are two implementations of these functions:
20  * This one (for user space) and another for kernel.
21  * See: uts/common/fs/smbsrv/smb_sign_kcf.c
22  */
23 
24 #include <stdlib.h>
25 #include <smbsrv/smb_kproto.h>
26 #include <smbsrv/smb_signing.h>
27 #include <security/cryptoki.h>
28 #include <security/pkcs11.h>
29 
30 /*
31  * SMB1 signing helpers:
32  * (getmech, init, update, final)
33  */
34 
35 int
36 smb_md5_getmech(smb_sign_mech_t *mech)
37 {
38 	mech->mechanism = CKM_MD5;
39 	mech->pParameter = NULL;
40 	mech->ulParameterLen = 0;
41 	return (0);
42 }
43 
44 /*
45  * Start PKCS#11 session.
46  */
47 int
48 smb_md5_init(smb_sign_ctx_t *ctxp, smb_sign_mech_t *mech)
49 {
50 	CK_RV rv;
51 
52 	rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
53 	if (rv != CKR_OK)
54 		return (-1);
55 
56 	rv = C_DigestInit(*ctxp, mech);
57 
58 	return (rv == CKR_OK ? 0 : -1);
59 }
60 
61 /*
62  * Digest one segment
63  */
64 int
65 smb_md5_update(smb_sign_ctx_t ctx, void *buf, size_t len)
66 {
67 	CK_RV rv;
68 
69 	rv = C_DigestUpdate(ctx, buf, len);
70 	if (rv != CKR_OK)
71 		(void) C_CloseSession(ctx);
72 
73 	return (rv == CKR_OK ? 0 : -1);
74 }
75 
76 /*
77  * Get the final digest.
78  */
79 int
80 smb_md5_final(smb_sign_ctx_t ctx, uint8_t *digest16)
81 {
82 	CK_ULONG len = MD5_DIGEST_LENGTH;
83 	CK_RV rv;
84 
85 	rv = C_DigestFinal(ctx, digest16, &len);
86 	(void) C_CloseSession(ctx);
87 
88 	return (rv == CKR_OK ? 0 : -1);
89 }
90 
91 /*
92  * SMB2 signing helpers:
93  * (getmech, init, update, final)
94  */
95 
96 int
97 smb2_hmac_getmech(smb_sign_mech_t *mech)
98 {
99 	mech->mechanism = CKM_SHA256_HMAC;
100 	mech->pParameter = NULL;
101 	mech->ulParameterLen = 0;
102 	return (0);
103 }
104 
105 /*
106  * Start PKCS#11 session, load the key.
107  */
108 int
109 smb2_hmac_init(smb_sign_ctx_t *ctxp, smb_sign_mech_t *mech,
110     uint8_t *key, size_t key_len)
111 {
112 	CK_OBJECT_HANDLE hkey = 0;
113 	CK_RV rv;
114 
115 	rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
116 	if (rv != CKR_OK)
117 		return (-1);
118 
119 	rv = SUNW_C_KeyToObject(*ctxp, mech->mechanism,
120 	    key, key_len, &hkey);
121 	if (rv != CKR_OK)
122 		return (-1);
123 
124 	rv = C_SignInit(*ctxp, mech, hkey);
125 	(void) C_DestroyObject(*ctxp, hkey);
126 
127 	return (rv == CKR_OK ? 0 : -1);
128 }
129 
130 /*
131  * Digest one segment
132  */
133 int
134 smb2_hmac_update(smb_sign_ctx_t ctx, uint8_t *in, size_t len)
135 {
136 	CK_RV rv;
137 
138 	rv = C_SignUpdate(ctx, in, len);
139 	if (rv != CKR_OK)
140 		(void) C_CloseSession(ctx);
141 
142 	return (rv == CKR_OK ? 0 : -1);
143 }
144 
145 /*
146  * Note, the SMB2 signature is the first 16 bytes of the
147  * 32-byte SHA256 HMAC digest.
148  */
149 int
150 smb2_hmac_final(smb_sign_ctx_t ctx, uint8_t *digest16)
151 {
152 	uint8_t full_digest[SHA256_DIGEST_LENGTH];
153 	CK_ULONG len = SHA256_DIGEST_LENGTH;
154 	CK_RV rv;
155 
156 	rv = C_SignFinal(ctx, full_digest, &len);
157 	if (rv == CKR_OK)
158 		bcopy(full_digest, digest16, 16);
159 
160 	(void) C_CloseSession(ctx);
161 
162 	return (rv == CKR_OK ? 0 : -1);
163 }
164