NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-5665 SMB2 oplock leases
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-5273 SMB 3 Encryption
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
NEX-3728 SMB1 signing should use KCF like SMB2/3
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
NEX-3610 CLONE NEX-3591 SMB3 signing
Reviewed by: Gordon Ross <gwr@nexenta.com>
Reviewed by: Dan Fields <dan.fields@nexenta.com>
        
*** 8,18 ****
   * source.  A copy of the CDDL is also available via the Internet at
   * http://www.illumos.org/license/CDDL.
   */
  
  /*
!  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
   */
  
  /*
   * Helper functions for SMB signing using PKCS#11
   *
--- 8,18 ----
   * source.  A copy of the CDDL is also available via the Internet at
   * http://www.illumos.org/license/CDDL.
   */
  
  /*
!  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
   */
  
  /*
   * Helper functions for SMB signing using PKCS#11
   *
*** 21,53 ****
   * See: uts/common/fs/smbsrv/smb_sign_kcf.c
   */
  
  #include <stdlib.h>
  #include <smbsrv/smb_kproto.h>
! #include <smbsrv/smb_signing.h>
  #include <security/cryptoki.h>
  #include <security/pkcs11.h>
  
  /*
   * SMB1 signing helpers:
   * (getmech, init, update, final)
   */
  
  int
! smb_md5_getmech(smb_sign_mech_t *mech)
  {
!         mech->mechanism = CKM_MD5;
!         mech->pParameter = NULL;
!         mech->ulParameterLen = 0;
!         return (0);
  }
  
  /*
   * Start PKCS#11 session.
   */
  int
! smb_md5_init(smb_sign_ctx_t *ctxp, smb_sign_mech_t *mech)
  {
          CK_RV rv;
  
          rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
          if (rv != CKR_OK)
--- 21,76 ----
   * See: uts/common/fs/smbsrv/smb_sign_kcf.c
   */
  
  #include <stdlib.h>
  #include <smbsrv/smb_kproto.h>
! #include <smbsrv/smb_kcrypt.h>
  #include <security/cryptoki.h>
  #include <security/pkcs11.h>
  
  /*
+  * Common function to see if a mech is available.
+  */
+ static int
+ find_mech(smb_crypto_mech_t *mech, ulong_t mid)
+ {
+         CK_SESSION_HANDLE hdl;
+         CK_RV rv;
+ 
+         rv = SUNW_C_GetMechSession(mid, &hdl);
+         if (rv != CKR_OK) {
+                 cmn_err(CE_NOTE, "PKCS#11: no mech 0x%x",
+                     (unsigned int)mid);
+                 return (-1);
+         }
+         (void) C_CloseSession(hdl);
+ 
+         mech->mechanism = mid;
+         mech->pParameter = NULL;
+         mech->ulParameterLen = 0;
+         return (0);
+ }
+ 
+ /*
   * SMB1 signing helpers:
   * (getmech, init, update, final)
   */
  
+ /*
+  * Find out if we have this mech.
+  */
  int
! smb_md5_getmech(smb_crypto_mech_t *mech)
  {
!         return (find_mech(mech, CKM_MD5));
  }
  
  /*
   * Start PKCS#11 session.
   */
  int
! smb_md5_init(smb_sign_ctx_t *ctxp, smb_crypto_mech_t *mech)
  {
          CK_RV rv;
  
          rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
          if (rv != CKR_OK)
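Review bot: The header comment on `find_mech` ("Common function to see if a mech is available") does not state the contract the callers now rely on: on success it fills in `mech->mechanism`, `pParameter` and `ulParameterLen`, and on failure it returns -1 and leaves `*mech` untouched, after having opened and immediately closed a probe session. I would extend it to `/* Probe whether PKCS#11 provides mechanism mid. On success fill in *mech and return 0; on failure log a note, leave *mech untouched and return -1. */`. As a point of style, the `(unsigned int)mid` cast in the `cmn_err` call narrows a `ulong_t`; `"PKCS#11: no mech 0x%lx", mid` prints the value as is. The same getmech simplification appears in the smb2_hmac_getmech hunk below; the body of `smb_md5_init` continues outside this hunk.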
*** 91,114 ****
  /*
   * SMB2 signing helpers:
   * (getmech, init, update, final)
   */
  
  int
! smb2_hmac_getmech(smb_sign_mech_t *mech)
  {
!         mech->mechanism = CKM_SHA256_HMAC;
!         mech->pParameter = NULL;
!         mech->ulParameterLen = 0;
!         return (0);
  }
  
  /*
   * Start PKCS#11 session, load the key.
   */
  int
! smb2_hmac_init(smb_sign_ctx_t *ctxp, smb_sign_mech_t *mech,
      uint8_t *key, size_t key_len)
  {
          CK_OBJECT_HANDLE hkey = 0;
          CK_RV rv;
  
--- 114,137 ----
  /*
   * SMB2 signing helpers:
   * (getmech, init, update, final)
   */
  
+ /*
+  * Find out if we have this mech.
+  */
  int
! smb2_hmac_getmech(smb_crypto_mech_t *mech)
  {
!         return (find_mech(mech, CKM_SHA256_HMAC));
  }
  
  /*
   * Start PKCS#11 session, load the key.
   */
  int
! smb2_hmac_init(smb_sign_ctx_t *ctxp, smb_crypto_mech_t *mech,
      uint8_t *key, size_t key_len)
  {
          CK_OBJECT_HANDLE hkey = 0;
          CK_RV rv;
  
*** 157,163 ****
--- 180,256 ----
          if (rv == CKR_OK)
                  bcopy(full_digest, digest16, 16);
  
          (void) C_CloseSession(ctx);
  
+         return (rv == CKR_OK ? 0 : -1);
+ }
+ 
+ /*
+  * SMB3 signing helpers:
+  * (getmech, init, update, final)
+  */
+ 
+ /*
+  * Find out if we have this mech.
+  */
+ int
+ smb3_cmac_getmech(smb_crypto_mech_t *mech)
+ {
+         return (find_mech(mech, CKM_AES_CMAC));
+ }
+ 
+ /*
+  * Start PKCS#11 session, load the key.
+  */
+ int
+ smb3_cmac_init(smb_sign_ctx_t *ctxp, smb_crypto_mech_t *mech,
+     uint8_t *key, size_t key_len)
+ {
+         CK_OBJECT_HANDLE hkey = 0;
+         CK_RV rv;
+ 
+         rv = SUNW_C_GetMechSession(mech->mechanism, ctxp);
+         if (rv != CKR_OK)
+                 return (-1);
+ 
+         rv = SUNW_C_KeyToObject(*ctxp, mech->mechanism,
+             key, key_len, &hkey);
+         if (rv != CKR_OK)
+                 return (-1);
+ 
+         rv = C_SignInit(*ctxp, mech, hkey);
+         (void) C_DestroyObject(*ctxp, hkey);
+ 
+         return (rv == CKR_OK ? 0 : -1);
+ }
+ 
+ /*
+  * Digest one segment
+  */
+ int
+ smb3_cmac_update(smb_sign_ctx_t ctx, uint8_t *in, size_t len)
+ {
+         CK_RV rv;
+ 
+         rv = C_SignUpdate(ctx, in, len);
+         if (rv != CKR_OK)
+                 (void) C_CloseSession(ctx);
+ 
+         return (rv == CKR_OK ? 0 : -1);
+ }
+ 
+ /*
+  * Note, the SMB2 signature is just the AES CMAC digest.
+  * (both are 16 bytes long)
+  */
+ int
+ smb3_cmac_final(smb_sign_ctx_t ctx, uint8_t *digest)
+ {
+         CK_ULONG len = SMB2_SIG_SIZE;
+         CK_RV rv;
+ 
+         rv = C_SignFinal(ctx, digest, &len);
+         (void) C_CloseSession(ctx);
+ 
          return (rv == CKR_OK ? 0 : -1);
  }
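Review bot: `smb3_cmac_init` leaks the PKCS#11 session opened by `SUNW_C_GetMechSession` into `*ctxp` when `SUNW_C_KeyToObject` or `C_SignInit` fails: both error paths return -1 without `C_CloseSession(*ctxp)`. Within this hunk the other helpers do close the session on failure (`smb3_cmac_update` closes it when `C_SignUpdate` fails, `smb3_cmac_final` always closes), so the init path should follow the same convention unless the caller is documented to close the session on -1, which I cannot see from here. The key object is already destroyed right after `C_SignInit`, so only the session needs attention. The pre-existing `smb2_hmac_init` has the same structure but its body lies outside the hunk, so it is worth checking as well.
```c
	rv = SUNW_C_KeyToObject(*ctxp, mech->mechanism,
	    key, key_len, &hkey);
	if (rv != CKR_OK) {
		(void) C_CloseSession(*ctxp);
		return (-1);
	}

	rv = C_SignInit(*ctxp, mech, hkey);
	(void) C_DestroyObject(*ctxp, hkey);
	if (rv != CKR_OK)
		(void) C_CloseSession(*ctxp);

	return (rv == CKR_OK ? 0 : -1);
```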