/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
* Support for SMB "signing" (message integrity)
*/
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/proc.h>
#include <sys/fcntl.h>
#include <sys/socket.h>
#include <sys/md4.h>
#include <sys/md5.h>
#include <sys/des.h>
#include <sys/kmem.h>
#include <sys/crypto/api.h>
#include <sys/crypto/common.h>
#include <sys/cmn_err.h>
#include <sys/stream.h>
#include <sys/strsun.h>
#include <sys/sdt.h>
#include <netsmb/smb_osdep.h>
#include <netsmb/smb.h>
#include <netsmb/smb_conn.h>
#include <netsmb/smb_subr.h>
#include <netsmb/smb_dev.h>
#include <netsmb/smb_rq.h>
#ifdef DEBUG
/*
* Set this to a small number to debug sequence numbers
* that seem to get out of step.
*/
int nsmb_signing_fudge = 0;
#endif
/* Mechanism definitions */
static crypto_mechanism_t crypto_mech_md5 = { CRYPTO_MECH_INVALID };
void
smb_crypto_mech_init(void)
{
crypto_mech_md5.cm_type = crypto_mech2id(SUN_CKM_MD5);
}
#define SMBSIGLEN 8 /* SMB signature length */
#define SMBSIGOFF 14 /* SMB signature offset */
/*
* Compute HMAC-MD5 of packet data, using the stored MAC key.
*
* See similar code for the server side:
* uts/common/fs/smbsrv/smb_signing.c : smb_sign_calc
*/
static int
smb_compute_MAC(struct smb_vc *vcp, mblk_t *mp,
uint32_t seqno, uchar_t *signature)
{
crypto_context_t crypto_ctx;
crypto_data_t key;
crypto_data_t data;
crypto_data_t digest;
uchar_t mac[16];
int status;
/*
* This union is a little bit of trickery to:
* (1) get the sequence number int aligned, and
* (2) reduce the number of digest calls, at the
* cost of a copying 32 bytes instead of 8.
* Both sides of this union are 2+32 bytes.
*/
union {
struct {
uint8_t skip[2]; /* not used - just alignment */
uint8_t raw[SMB_HDRLEN]; /* header length (32) */
} r;
struct {
uint8_t skip[2]; /* not used - just alignment */
uint8_t hdr[SMBSIGOFF]; /* sig. offset (14) */
uint32_t sig[2]; /* MAC signature, aligned! */
uint16_t ids[5]; /* pad, Tid, Pid, Uid, Mid */
} s;
} smbhdr;
ASSERT(mp != NULL);
ASSERT(MBLKL(mp) >= SMB_HDRLEN);
ASSERT(vcp->vc_mackey != NULL);
/*
* Make an aligned copy of the SMB header
* and fill in the sequence number.
*/
bcopy(mp->b_rptr, smbhdr.r.raw, SMB_HDRLEN);
smbhdr.s.sig[0] = htolel(seqno);
smbhdr.s.sig[1] = 0;
/*
* Compute the MAC: MD5(concat(Key, message))
*/
if (crypto_mech_md5.cm_type == CRYPTO_MECH_INVALID) {
SMBSDEBUG("crypto_mech_md5 invalid\n");
return (CRYPTO_MECHANISM_INVALID);
}
status = crypto_digest_init(&crypto_mech_md5, &crypto_ctx, 0);
if (status != CRYPTO_SUCCESS)
return (status);
/* Digest the MAC Key */
key.cd_format = CRYPTO_DATA_RAW;
key.cd_offset = 0;
key.cd_length = vcp->vc_mackeylen;
key.cd_miscdata = 0;
key.cd_raw.iov_base = (char *)vcp->vc_mackey;
key.cd_raw.iov_len = vcp->vc_mackeylen;
status = crypto_digest_update(crypto_ctx, &key, 0);
if (status != CRYPTO_SUCCESS)
return (status);
/* Digest the (copied) SMB header */
data.cd_format = CRYPTO_DATA_RAW;
data.cd_offset = 0;
data.cd_length = SMB_HDRLEN;
data.cd_miscdata = 0;
data.cd_raw.iov_base = (char *)smbhdr.r.raw;
data.cd_raw.iov_len = SMB_HDRLEN;
status = crypto_digest_update(crypto_ctx, &data, 0);
if (status != CRYPTO_SUCCESS)
return (status);
/* Digest rest of the SMB message. */
data.cd_format = CRYPTO_DATA_MBLK;
data.cd_offset = SMB_HDRLEN;
data.cd_length = msgdsize(mp) - SMB_HDRLEN;
data.cd_miscdata = 0;
data.cd_mp = mp;
status = crypto_digest_update(crypto_ctx, &data, 0);
if (status != CRYPTO_SUCCESS)
return (status);
/* Final */
digest.cd_format = CRYPTO_DATA_RAW;
digest.cd_offset = 0;
digest.cd_length = sizeof (mac);
digest.cd_miscdata = 0;
digest.cd_raw.iov_base = (char *)mac;
digest.cd_raw.iov_len = sizeof (mac);
status = crypto_digest_final(crypto_ctx, &digest, 0);
if (status != CRYPTO_SUCCESS)
return (status);
/*
* Finally, store the signature.
* (first 8 bytes of the mac)
*/
if (signature)
bcopy(mac, signature, SMBSIGLEN);
return (0);
}
/*
* Sign a request with HMAC-MD5.
*/
void
smb_rq_sign(struct smb_rq *rqp)
{
struct smb_vc *vcp = rqp->sr_vc;
mblk_t *mp = rqp->sr_rq.mb_top;
uint8_t *sigloc;
int status;
/*
* Our mblk allocation ensures this,
* but just in case...
*/
if (MBLKL(mp) < SMB_HDRLEN) {
if (!pullupmsg(mp, SMB_HDRLEN))
return;
}
sigloc = mp->b_rptr + SMBSIGOFF;
if (vcp->vc_mackey == NULL) {
/*
* Signing is required, but we have no key yet
* fill in with the magic fake signing value.
* This happens with SPNEGO, NTLMSSP, ...
*/
bcopy("BSRSPLY", sigloc, 8);
return;
}
/*
* This will compute the MAC and store it
* directly into the message at sigloc.
*/
status = smb_compute_MAC(vcp, mp, rqp->sr_seqno, sigloc);
if (status != CRYPTO_SUCCESS) {
SMBSDEBUG("Crypto error %d", status);
bzero(sigloc, SMBSIGLEN);
}
}
/*
* Verify reply signature.
*/
int
smb_rq_verify(struct smb_rq *rqp)
{
struct smb_vc *vcp = rqp->sr_vc;
mblk_t *mp = rqp->sr_rp.md_top;
uint8_t sigbuf[SMBSIGLEN];
uint8_t *sigloc;
int fudge, rsn, status;
/*
* Note vc_mackey and vc_mackeylen gets filled in by
* smb_usr_iod_work as the connection comes in.
*/
if (vcp->vc_mackey == NULL) {
SMBSDEBUG("no mac key\n");
return (0);
}
/*
* Let caller deal with empty reply or short messages by
* returning zero. Caller will fail later, in parsing.
*/
if (mp == NULL) {
SMBSDEBUG("empty reply\n");
return (0);
}
if (MBLKL(mp) < SMB_HDRLEN) {
if (!pullupmsg(mp, SMB_HDRLEN))
return (0);
}
sigloc = mp->b_rptr + SMBSIGOFF;
/*
* Compute the expected signature in sigbuf.
*/
rsn = rqp->sr_rseqno;
status = smb_compute_MAC(vcp, mp, rsn, sigbuf);
if (status != CRYPTO_SUCCESS) {
SMBSDEBUG("Crypto error %d", status);
/*
* If we can't compute a MAC, then there's
* no point trying other seqno values.
*/
return (EBADRPC);
}
/*
* Compare the computed signature with the
* one found in the message (at sigloc)
*/
if (bcmp(sigbuf, sigloc, SMBSIGLEN) == 0)
return (0);
SMBERROR("BAD signature, Server=%s MID=0x%x Seq=%d\n",
vcp->vc_srvname, rqp->sr_mid, rsn);
#ifdef DEBUG
/*
* For diag purposes, we check whether the client/server idea
* of the sequence # has gotten a bit out of sync.
*/
for (fudge = 1; fudge <= nsmb_signing_fudge; fudge++) {
(void) smb_compute_MAC(vcp, mp, rsn + fudge, sigbuf);
if (bcmp(sigbuf, sigloc, SMBSIGLEN) == 0)
break;
(void) smb_compute_MAC(vcp, mp, rsn - fudge, sigbuf);
if (bcmp(sigbuf, sigloc, SMBSIGLEN) == 0) {
fudge = -fudge;
break;
}
}
if (fudge <= nsmb_signing_fudge) {
SMBERROR("MID=0x%x, Seq=%d, but %d would have worked\n",
rqp->sr_mid, rsn, rsn + fudge);
}
#endif
return (EBADRPC);
}