1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 */
25 /*
26 * These routines provide the SMB MAC signing for the SMB2 server.
27 * The routines calculate the signature of a SMB message in an mbuf chain.
28 *
29 * The following table describes the client server
30 * signing registry relationship
31 *
32 * | Required | Enabled | Disabled
33 * -------------+---------------+------------ +--------------
34 * Required | Signed | Signed | Fail
35 * -------------+---------------+-------------+-----------------
36 * Enabled | Signed | Signed | Not Signed
37 * -------------+---------------+-------------+----------------
38 * Disabled | Fail | Not Signed | Not Signed
39 */
40
41 #include <sys/uio.h>
42 #include <smbsrv/smb2_kproto.h>
43 #include <smbsrv/smb_kcrypt.h>
44 #include <sys/isa_defs.h>
45 #include <sys/byteorder.h>
46 #include <sys/cmn_err.h>
47
48 #define SMB2_SIG_OFFS 48
49 #define SMB2_SIG_SIZE 16
50
51 typedef struct mac_ops {
52 int (*mac_init)(smb_sign_ctx_t *, smb_crypto_mech_t *,
53 uint8_t *, size_t);
54 int (*mac_update)(smb_sign_ctx_t, uint8_t *, size_t);
55 int (*mac_final)(smb_sign_ctx_t, uint8_t *);
56 } mac_ops_t;
57
58 static int smb2_sign_calc_common(smb_request_t *, struct mbuf_chain *,
59 uint8_t *, mac_ops_t *);
60
61 /*
62 * SMB2 wrapper functions
63 */
64
65 static mac_ops_t
66 smb2_sign_ops = {
67 smb2_hmac_init,
68 smb2_hmac_update,
69 smb2_hmac_final
70 };
71
72 static int
73 smb2_sign_calc(smb_request_t *sr,
74 struct mbuf_chain *mbc,
75 uint8_t *digest16)
76 {
77 int rv;
78
79 rv = smb2_sign_calc_common(sr, mbc, digest16, &smb2_sign_ops);
80
81 return (rv);
82 }
83
84 /*
85 * Called during session destroy.
86 */
87 static void
88 smb2_sign_fini(smb_session_t *s)
89 {
90 smb_crypto_mech_t *mech;
91
92 if ((mech = s->sign_mech) != NULL) {
93 kmem_free(mech, sizeof (*mech));
94 s->sign_mech = NULL;
95 }
96 }
97
98 /*
99 * SMB3 wrapper functions
100 */
101
102 static struct mac_ops
103 smb3_sign_ops = {
104 smb3_cmac_init,
105 smb3_cmac_update,
106 smb3_cmac_final
107 };
108
109 static int
110 smb3_sign_calc(smb_request_t *sr,
111 struct mbuf_chain *mbc,
112 uint8_t *digest16)
113 {
114 int rv;
115
116 rv = smb2_sign_calc_common(sr, mbc, digest16, &smb3_sign_ops);
117
118 return (rv);
119 }
120
121 /*
122 * Input to KDF for SigningKey.
123 * See comment for smb3_do_kdf for content.
124 */
125 static uint8_t sign_kdf_input[29] = {
126 0, 0, 0, 1, 'S', 'M', 'B', '2',
127 'A', 'E', 'S', 'C', 'M', 'A', 'C', 0,
128 0, 'S', 'm', 'b', 'S', 'i', 'g', 'n',
129 0, 0, 0, 0, 0x80 };
130
131 void
132 smb2_sign_init_mech(smb_session_t *s)
133 {
134 smb_crypto_mech_t *mech;
135 int (*get_mech)(smb_crypto_mech_t *);
136 int (*sign_calc)(smb_request_t *, struct mbuf_chain *, uint8_t *);
137 int rc;
138
139 if (s->sign_mech != NULL)
140 return;
141
142 if (s->dialect >= SMB_VERS_3_0) {
143 get_mech = smb3_cmac_getmech;
144 sign_calc = smb3_sign_calc;
145 } else {
146 get_mech = smb2_hmac_getmech;
147 sign_calc = smb2_sign_calc;
148 }
149
150 mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
151 rc = get_mech(mech);
152 if (rc != 0) {
153 kmem_free(mech, sizeof (*mech));
154 return;
155 }
156 s->sign_mech = mech;
157 s->sign_calc = sign_calc;
158 s->sign_fini = smb2_sign_fini;
159 }
160
161 /*
162 * smb2_sign_begin
163 * Handles both SMB2 & SMB3
164 *
165 * Get the mechanism info.
166 * Intializes MAC key based on the user session key and store it in
167 * the signing structure. This begins signing on this session.
168 */
169 void
170 smb2_sign_begin(smb_request_t *sr, smb_token_t *token)
171 {
172 smb_session_t *s = sr->session;
173 smb_user_t *u = sr->uid_user;
174 struct smb_key *sign_key = &u->u_sign_key;
175
176 sign_key->len = 0;
177
178 /*
179 * We should normally have a session key here because
180 * our caller filters out Anonymous and Guest logons.
181 * However, buggy clients could get us here without a
182 * session key, in which case we'll fail later when a
183 * request that requires signing can't be checked.
184 * Also, don't bother initializing if we don't have a mechanism.
185 */
186 if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
187 s->sign_mech == NULL)
188 return;
189
190 /*
191 * Compute and store the signing key, which lives in
192 * the user structure.
193 */
194 if (s->dialect >= SMB_VERS_3_0) {
195 /*
196 * For SMB3, the signing key is a "KDF" hash of the
197 * session key.
198 */
199 if (smb3_do_kdf(sign_key->key, sign_kdf_input,
200 sizeof (sign_kdf_input), token->tkn_ssnkey.val,
201 token->tkn_ssnkey.len) != 0)
202 return;
203 sign_key->len = SMB3_KEYLEN;
204 } else {
205 /*
206 * For SMB2, the signing key is just the first 16 bytes
207 * of the session key (truncated or padded with zeros).
208 * [MS-SMB2] 3.2.5.3.1
209 */
210 sign_key->len = SMB2_KEYLEN;
211 bcopy(token->tkn_ssnkey.val, sign_key->key,
212 MIN(token->tkn_ssnkey.len, sign_key->len));
213 }
214
215 mutex_enter(&u->u_mutex);
216 if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_ENABLED) != 0)
217 u->u_sign_flags |= SMB_SIGNING_ENABLED;
218 if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0 ||
219 (s->cli_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0)
220 u->u_sign_flags |=
221 SMB_SIGNING_ENABLED | SMB_SIGNING_CHECK;
222 mutex_exit(&u->u_mutex);
223
224 /*
225 * If we just turned on signing, the current request
226 * (an SMB2 session setup) will have come in without
227 * SMB2_FLAGS_SIGNED (and not signed) but the response
228 * is is supposed to be signed. [MS-SMB2] 3.3.5.5
229 */
230 if (u->u_sign_flags & SMB_SIGNING_ENABLED)
231 sr->smb2_hdr_flags |= SMB2_FLAGS_SIGNED;
232 }
233
234 /*
235 * smb2_sign_calc_common
236 *
237 * Calculates MAC signature for the given buffer and returns
238 * it in the mac_sign parameter.
239 *
240 * The signature algorithm is to compute HMAC SHA256 or AES_CMAC
241 * over the entire command, with the signature field set to zeros.
242 *
243 * Return 0 if success else -1
244 */
245
246 static int
247 smb2_sign_calc_common(smb_request_t *sr, struct mbuf_chain *mbc,
248 uint8_t *digest, mac_ops_t *ops)
249 {
250 uint8_t tmp_hdr[SMB2_HDR_SIZE];
251 smb_sign_ctx_t ctx = 0;
252 smb_session_t *s = sr->session;
253 smb_user_t *u = sr->uid_user;
254 struct smb_key *sign_key = &u->u_sign_key;
255 struct mbuf *mbuf;
256 int offset, resid, tlen, rc;
257
258 if (s->sign_mech == NULL || sign_key->len == 0)
259 return (-1);
260
261 /* smb2_hmac_init or smb3_cmac_init */
262 rc = ops->mac_init(&ctx, s->sign_mech, sign_key->key, sign_key->len);
263 if (rc != 0)
264 return (rc);
265
266 /*
267 * Work with a copy of the SMB2 header so we can
268 * clear the signature field without modifying
269 * the original message.
270 */
271 tlen = SMB2_HDR_SIZE;
272 offset = mbc->chain_offset;
273 resid = mbc->max_bytes - offset;
274 if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0)
275 return (-1);
276 bzero(tmp_hdr + SMB2_SIG_OFFS, SMB2_SIG_SIZE);
277 /* smb2_hmac_update or smb3_cmac_update */
278 if ((rc = ops->mac_update(ctx, tmp_hdr, tlen)) != 0)
279 return (rc);
280 offset += tlen;
281 resid -= tlen;
282
283 /*
284 * Digest the rest of the SMB packet, starting at the data
285 * just after the SMB header.
286 *
287 * Advance to the src mbuf where we start digesting.
288 */
289 mbuf = mbc->chain;
290 while (mbuf != NULL && (offset >= mbuf->m_len)) {
291 offset -= mbuf->m_len;
292 mbuf = mbuf->m_next;
293 }
294
295 if (mbuf == NULL)
296 return (-1);
297
298 /*
299 * Digest the remainder of this mbuf, limited to the
300 * residual count, and starting at the current offset.
301 * (typically SMB2_HDR_SIZE)
302 */
303 tlen = mbuf->m_len - offset;
304 if (tlen > resid)
305 tlen = resid;
306 /* smb2_hmac_update or smb3_cmac_update */
307 rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data + offset, tlen);
308 if (rc != 0)
309 return (rc);
310 resid -= tlen;
311
312 /*
313 * Digest any more mbufs in the chain.
314 */
315 while (resid > 0) {
316 mbuf = mbuf->m_next;
317 if (mbuf == NULL)
318 return (-1);
319 tlen = mbuf->m_len;
320 if (tlen > resid)
321 tlen = resid;
322 rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data, tlen);
323 if (rc != 0)
324 return (rc);
325 resid -= tlen;
326 }
327
328 /*
329 * smb2_hmac_final or smb3_cmac_final
330 * Note: digest is _always_ SMB2_SIG_SIZE,
331 * even if the mech uses a longer one.
332 *
333 * smb2_hmac_update or smb3_cmac_update
334 */
335 if ((rc = ops->mac_final(ctx, digest)) != 0)
336 return (rc);
337
338 return (0);
339 }
340
341 /*
342 * smb2_sign_check_request
343 *
344 * Calculates MAC signature for the request mbuf chain
345 * using the next expected sequence number and compares
346 * it to the given signature.
347 *
348 * Note it does not check the signature for secondary transactions
349 * as their sequence number is the same as the original request.
350 *
351 * Return 0 if the signature verifies, otherwise, returns -1;
352 *
353 */
354 int
355 smb2_sign_check_request(smb_request_t *sr)
356 {
357 uint8_t req_sig[SMB2_SIG_SIZE];
358 uint8_t vfy_sig[SMB2_SIG_SIZE];
359 struct mbuf_chain *mbc = &sr->smb_data;
360 smb_session_t *s = sr->session;
361 smb_user_t *u = sr->uid_user;
362 int sig_off;
363
364 /*
365 * Don't check commands with a zero session ID.
366 * [MS-SMB2] 3.3.4.1.1
367 */
368 if (sr->smb2_ssnid == 0 || u == NULL)
369 return (0);
370
371 /* In case _sign_begin failed. */
372 if (s->sign_calc == NULL)
373 return (-1);
374
375 /* Get the request signature. */
376 sig_off = sr->smb2_cmd_hdr + SMB2_SIG_OFFS;
377 if (smb_mbc_peek(mbc, sig_off, "#c", SMB2_SIG_SIZE, req_sig) != 0)
378 return (-1);
379
380 /*
381 * Compute the correct signature and compare.
382 * smb2_sign_calc() or smb3_sign_calc()
383 */
384 if (s->sign_calc(sr, mbc, vfy_sig) != 0)
385 return (-1);
386 if (memcmp(vfy_sig, req_sig, SMB2_SIG_SIZE) != 0) {
387 cmn_err(CE_NOTE, "smb2_sign_check_request: bad signature");
388 return (-1);
389 }
390
391 return (0);
392 }
393
394 /*
395 * smb2_sign_reply
396 *
397 * Calculates MAC signature for the given mbuf chain,
398 * and write it to the signature field in the mbuf.
399 *
400 */
401 void
402 smb2_sign_reply(smb_request_t *sr)
403 {
404 uint8_t reply_sig[SMB2_SIG_SIZE];
405 struct mbuf_chain tmp_mbc;
406 smb_session_t *s = sr->session;
407 smb_user_t *u = sr->uid_user;
408 int hdr_off, msg_len;
409
410 if (u == NULL)
411 return;
412 if (s->sign_calc == NULL)
413 return;
414
415 msg_len = sr->reply.chain_offset - sr->smb2_reply_hdr;
416 (void) MBC_SHADOW_CHAIN(&tmp_mbc, &sr->reply,
417 sr->smb2_reply_hdr, msg_len);
418
419 /*
420 * Calculate the MAC signature for this reply.
421 * smb2_sign_calc() or smb3_sign_calc()
422 */
423 if (s->sign_calc(sr, &tmp_mbc, reply_sig) != 0)
424 return;
425
426 /*
427 * Poke the signature into the response.
428 */
429 hdr_off = sr->smb2_reply_hdr + SMB2_SIG_OFFS;
430 (void) smb_mbc_poke(&sr->reply, hdr_off, "#c",
431 SMB2_SIG_SIZE, reply_sig);
432 }
433
434 /*
435 * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2
436 * and [NIST SP800-108]
437 *
438 * r = 32, L = 128, PRF = HMAC-SHA256, key = (session key)
439 *
440 * Note that these describe pre-3.1.1 inputs.
441 *
442 * Session.SigningKey for binding a session:
443 * - Session.SessionKey as K1
444 * - label = SMB2AESCMAC (size 12)
445 * - context = SmbSign (size 8)
446 * Channel.SigningKey for for all other requests
447 * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
448 * - otherwise, Session.SessionKey as K1
449 * - label = SMB2AESCMAC (size 12)
450 * - context = SmbSign (size 8)
451 * Session.ApplicationKey for ... (not sure what yet)
452 * - Session.SessionKey as K1
453 * - label = SMB2APP (size 8)
454 * - context = SmbRpc (size 7)
455 * Session.EncryptionKey for encrypting server messages
456 * - Session.SessionKey as K1
457 * - label = "SMB2AESCCM" (size 11)
458 * - context = "ServerOut" (size 10)
459 * Session.DecryptionKey for decrypting client requests
460 * - Session.SessionKey as K1
461 * - label = "SMB2AESCCM" (size 11)
462 * - context = "ServerIn " (size 10) (Note the space)
463 */
464
465 int
466 smb3_do_kdf(void *outbuf, void *input, size_t input_len,
467 uint8_t *key, uint32_t key_len)
468 {
469 uint8_t digest32[SHA256_DIGEST_LENGTH];
470 smb_crypto_mech_t mech;
471 smb_sign_ctx_t hctx = 0;
472 int rc;
473
474 bzero(&mech, sizeof (mech));
475 if ((rc = smb2_hmac_getmech(&mech)) != 0)
476 return (rc);
477
478 /* Limit the SessionKey input to its maximum size (16 bytes) */
479 rc = smb2_hmac_init(&hctx, &mech, key, MIN(key_len, SMB2_KEYLEN));
480 if (rc != 0)
481 return (rc);
482
483 if ((rc = smb2_hmac_update(hctx, input, input_len)) != 0)
484 return (rc);
485
486 if ((rc = smb2_hmac_final(hctx, digest32)) != 0)
487 return (rc);
488
489 /* Output is first 16 bytes of digest. */
490 bcopy(digest32, outbuf, SMB3_KEYLEN);
491 return (0);
492 }