1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
  24  */
  25 /*
  26  * These routines provide the SMB MAC signing for the SMB2 server.
  27  * The routines calculate the signature of a SMB message in an mbuf chain.
  28  *
  29  * The following table describes the client server
  30  * signing registry relationship
  31  *
  32  *              | Required      | Enabled     | Disabled
  33  * -------------+---------------+------------ +--------------
  34  * Required     | Signed        | Signed      | Fail
  35  * -------------+---------------+-------------+-----------------
  36  * Enabled      | Signed        | Signed      | Not Signed
  37  * -------------+---------------+-------------+----------------
  38  * Disabled     | Fail          | Not Signed  | Not Signed
  39  */
  40 
  41 #include <sys/uio.h>
  42 #include <smbsrv/smb2_kproto.h>
  43 #include <smbsrv/smb_kcrypt.h>
  44 #include <sys/isa_defs.h>
  45 #include <sys/byteorder.h>
  46 #include <sys/cmn_err.h>
  47 
  48 #define SMB2_SIG_OFFS   48
  49 #define SMB2_SIG_SIZE   16
  50 
  51 typedef struct mac_ops {
  52         int (*mac_init)(smb_sign_ctx_t *, smb_crypto_mech_t *,
  53                         uint8_t *, size_t);
  54         int (*mac_update)(smb_sign_ctx_t, uint8_t *, size_t);
  55         int (*mac_final)(smb_sign_ctx_t, uint8_t *);
  56 } mac_ops_t;
  57 
  58 static int smb2_sign_calc_common(smb_request_t *, struct mbuf_chain *,
  59     uint8_t *, mac_ops_t *);
  60 
  61 /*
  62  * SMB2 wrapper functions
  63  */
  64 
  65 static mac_ops_t
  66 smb2_sign_ops = {
  67         smb2_hmac_init,
  68         smb2_hmac_update,
  69         smb2_hmac_final
  70 };
  71 
  72 static int
  73 smb2_sign_calc(smb_request_t *sr,
  74     struct mbuf_chain *mbc,
  75     uint8_t *digest16)
  76 {
  77         int rv;
  78 
  79         rv = smb2_sign_calc_common(sr, mbc, digest16, &smb2_sign_ops);
  80 
  81         return (rv);
  82 }
  83 
  84 /*
  85  * Called during session destroy.
  86  */
  87 static void
  88 smb2_sign_fini(smb_session_t *s)
  89 {
  90         smb_crypto_mech_t *mech;
  91 
  92         if ((mech = s->sign_mech) != NULL) {
  93                 kmem_free(mech, sizeof (*mech));
  94                 s->sign_mech = NULL;
  95         }
  96 }
  97 
  98 /*
  99  * SMB3 wrapper functions
 100  */
 101 
 102 static struct mac_ops
 103 smb3_sign_ops = {
 104         smb3_cmac_init,
 105         smb3_cmac_update,
 106         smb3_cmac_final
 107 };
 108 
 109 static int
 110 smb3_sign_calc(smb_request_t *sr,
 111     struct mbuf_chain *mbc,
 112     uint8_t *digest16)
 113 {
 114         int rv;
 115 
 116         rv = smb2_sign_calc_common(sr, mbc, digest16, &smb3_sign_ops);
 117 
 118         return (rv);
 119 }
 120 
 121 /*
 122  * Input to KDF for SigningKey.
 123  * See comment for smb3_do_kdf for content.
 124  */
 125 static uint8_t sign_kdf_input[29] = {
 126         0, 0, 0, 1, 'S', 'M', 'B', '2',
 127         'A', 'E', 'S', 'C', 'M', 'A', 'C', 0,
 128         0, 'S', 'm', 'b', 'S', 'i', 'g', 'n',
 129         0, 0, 0, 0, 0x80 };
 130 
 131 void
 132 smb2_sign_init_mech(smb_session_t *s)
 133 {
 134         smb_crypto_mech_t *mech;
 135         int (*get_mech)(smb_crypto_mech_t *);
 136         int (*sign_calc)(smb_request_t *, struct mbuf_chain *, uint8_t *);
 137         int rc;
 138 
 139         if (s->sign_mech != NULL)
 140                 return;
 141 
 142         if (s->dialect >= SMB_VERS_3_0) {
 143                 get_mech = smb3_cmac_getmech;
 144                 sign_calc = smb3_sign_calc;
 145         } else {
 146                 get_mech = smb2_hmac_getmech;
 147                 sign_calc = smb2_sign_calc;
 148         }
 149 
 150         mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
 151         rc = get_mech(mech);
 152         if (rc != 0) {
 153                 kmem_free(mech, sizeof (*mech));
 154                 return;
 155         }
 156         s->sign_mech = mech;
 157         s->sign_calc = sign_calc;
 158         s->sign_fini = smb2_sign_fini;
 159 }
 160 
 161 /*
 162  * smb2_sign_begin
 163  * Handles both SMB2 & SMB3
 164  *
 165  * Get the mechanism info.
 166  * Intializes MAC key based on the user session key and store it in
 167  * the signing structure.  This begins signing on this session.
 168  */
 169 void
 170 smb2_sign_begin(smb_request_t *sr, smb_token_t *token)
 171 {
 172         smb_session_t *s = sr->session;
 173         smb_user_t *u = sr->uid_user;
 174         struct smb_key *sign_key = &u->u_sign_key;
 175 
 176         sign_key->len = 0;
 177 
 178         /*
 179          * We should normally have a session key here because
 180          * our caller filters out Anonymous and Guest logons.
 181          * However, buggy clients could get us here without a
 182          * session key, in which case we'll fail later when a
 183          * request that requires signing can't be checked.
 184          * Also, don't bother initializing if we don't have a mechanism.
 185          */
 186         if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
 187             s->sign_mech == NULL)
 188                 return;
 189 
 190         /*
 191          * Compute and store the signing key, which lives in
 192          * the user structure.
 193          */
 194         if (s->dialect >= SMB_VERS_3_0) {
 195                 /*
 196                  * For SMB3, the signing key is a "KDF" hash of the
 197                  * session key.
 198                  */
 199                 if (smb3_do_kdf(sign_key->key, sign_kdf_input,
 200                     sizeof (sign_kdf_input), token->tkn_ssnkey.val,
 201                     token->tkn_ssnkey.len) != 0)
 202                         return;
 203                 sign_key->len = SMB3_KEYLEN;
 204         } else {
 205                 /*
 206                  * For SMB2, the signing key is just the first 16 bytes
 207                  * of the session key (truncated or padded with zeros).
 208                  * [MS-SMB2] 3.2.5.3.1
 209                  */
 210                 sign_key->len = SMB2_KEYLEN;
 211                 bcopy(token->tkn_ssnkey.val, sign_key->key,
 212                     MIN(token->tkn_ssnkey.len, sign_key->len));
 213         }
 214 
 215         mutex_enter(&u->u_mutex);
 216         if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_ENABLED) != 0)
 217                 u->u_sign_flags |= SMB_SIGNING_ENABLED;
 218         if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0 ||
 219             (s->cli_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0)
 220                 u->u_sign_flags |=
 221                     SMB_SIGNING_ENABLED | SMB_SIGNING_CHECK;
 222         mutex_exit(&u->u_mutex);
 223 
 224         /*
 225          * If we just turned on signing, the current request
 226          * (an SMB2 session setup) will have come in without
 227          * SMB2_FLAGS_SIGNED (and not signed) but the response
 228          * is is supposed to be signed. [MS-SMB2] 3.3.5.5
 229          */
 230         if (u->u_sign_flags & SMB_SIGNING_ENABLED)
 231                 sr->smb2_hdr_flags |= SMB2_FLAGS_SIGNED;
 232 }
 233 
 234 /*
 235  * smb2_sign_calc_common
 236  *
 237  * Calculates MAC signature for the given buffer and returns
 238  * it in the mac_sign parameter.
 239  *
 240  * The signature algorithm is to compute HMAC SHA256 or AES_CMAC
 241  * over the entire command, with the signature field set to zeros.
 242  *
 243  * Return 0 if  success else -1
 244  */
 245 
 246 static int
 247 smb2_sign_calc_common(smb_request_t *sr, struct mbuf_chain *mbc,
 248     uint8_t *digest, mac_ops_t *ops)
 249 {
 250         uint8_t tmp_hdr[SMB2_HDR_SIZE];
 251         smb_sign_ctx_t ctx = 0;
 252         smb_session_t *s = sr->session;
 253         smb_user_t *u = sr->uid_user;
 254         struct smb_key *sign_key = &u->u_sign_key;
 255         struct mbuf *mbuf;
 256         int offset, resid, tlen, rc;
 257 
 258         if (s->sign_mech == NULL || sign_key->len == 0)
 259                 return (-1);
 260 
 261         /* smb2_hmac_init or smb3_cmac_init */
 262         rc = ops->mac_init(&ctx, s->sign_mech, sign_key->key, sign_key->len);
 263         if (rc != 0)
 264                 return (rc);
 265 
 266         /*
 267          * Work with a copy of the SMB2 header so we can
 268          * clear the signature field without modifying
 269          * the original message.
 270          */
 271         tlen = SMB2_HDR_SIZE;
 272         offset = mbc->chain_offset;
 273         resid = mbc->max_bytes - offset;
 274         if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0)
 275                 return (-1);
 276         bzero(tmp_hdr + SMB2_SIG_OFFS, SMB2_SIG_SIZE);
 277         /* smb2_hmac_update or smb3_cmac_update */
 278         if ((rc = ops->mac_update(ctx, tmp_hdr, tlen)) != 0)
 279                 return (rc);
 280         offset += tlen;
 281         resid -= tlen;
 282 
 283         /*
 284          * Digest the rest of the SMB packet, starting at the data
 285          * just after the SMB header.
 286          *
 287          * Advance to the src mbuf where we start digesting.
 288          */
 289         mbuf = mbc->chain;
 290         while (mbuf != NULL && (offset >= mbuf->m_len)) {
 291                 offset -= mbuf->m_len;
 292                 mbuf = mbuf->m_next;
 293         }
 294 
 295         if (mbuf == NULL)
 296                 return (-1);
 297 
 298         /*
 299          * Digest the remainder of this mbuf, limited to the
 300          * residual count, and starting at the current offset.
 301          * (typically SMB2_HDR_SIZE)
 302          */
 303         tlen = mbuf->m_len - offset;
 304         if (tlen > resid)
 305                 tlen = resid;
 306         /* smb2_hmac_update or smb3_cmac_update */
 307         rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data + offset, tlen);
 308         if (rc != 0)
 309                 return (rc);
 310         resid -= tlen;
 311 
 312         /*
 313          * Digest any more mbufs in the chain.
 314          */
 315         while (resid > 0) {
 316                 mbuf = mbuf->m_next;
 317                 if (mbuf == NULL)
 318                         return (-1);
 319                 tlen = mbuf->m_len;
 320                 if (tlen > resid)
 321                         tlen = resid;
 322                 rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data, tlen);
 323                 if (rc != 0)
 324                         return (rc);
 325                 resid -= tlen;
 326         }
 327 
 328         /*
 329          * smb2_hmac_final or smb3_cmac_final
 330          * Note: digest is _always_ SMB2_SIG_SIZE,
 331          * even if the mech uses a longer one.
 332          *
 333          * smb2_hmac_update or smb3_cmac_update
 334          */
 335         if ((rc = ops->mac_final(ctx, digest)) != 0)
 336                 return (rc);
 337 
 338         return (0);
 339 }
 340 
 341 /*
 342  * smb2_sign_check_request
 343  *
 344  * Calculates MAC signature for the request mbuf chain
 345  * using the next expected sequence number and compares
 346  * it to the given signature.
 347  *
 348  * Note it does not check the signature for secondary transactions
 349  * as their sequence number is the same as the original request.
 350  *
 351  * Return 0 if the signature verifies, otherwise, returns -1;
 352  *
 353  */
 354 int
 355 smb2_sign_check_request(smb_request_t *sr)
 356 {
 357         uint8_t req_sig[SMB2_SIG_SIZE];
 358         uint8_t vfy_sig[SMB2_SIG_SIZE];
 359         struct mbuf_chain *mbc = &sr->smb_data;
 360         smb_session_t *s = sr->session;
 361         smb_user_t *u = sr->uid_user;
 362         int sig_off;
 363 
 364         /*
 365          * Don't check commands with a zero session ID.
 366          * [MS-SMB2] 3.3.4.1.1
 367          */
 368         if (sr->smb2_ssnid == 0 || u == NULL)
 369                 return (0);
 370 
 371         /* In case _sign_begin failed. */
 372         if (s->sign_calc == NULL)
 373                 return (-1);
 374 
 375         /* Get the request signature. */
 376         sig_off = sr->smb2_cmd_hdr + SMB2_SIG_OFFS;
 377         if (smb_mbc_peek(mbc, sig_off, "#c", SMB2_SIG_SIZE, req_sig) != 0)
 378                 return (-1);
 379 
 380         /*
 381          * Compute the correct signature and compare.
 382          * smb2_sign_calc() or smb3_sign_calc()
 383          */
 384         if (s->sign_calc(sr, mbc, vfy_sig) != 0)
 385                 return (-1);
 386         if (memcmp(vfy_sig, req_sig, SMB2_SIG_SIZE) != 0) {
 387                 cmn_err(CE_NOTE, "smb2_sign_check_request: bad signature");
 388                 return (-1);
 389         }
 390 
 391         return (0);
 392 }
 393 
 394 /*
 395  * smb2_sign_reply
 396  *
 397  * Calculates MAC signature for the given mbuf chain,
 398  * and write it to the signature field in the mbuf.
 399  *
 400  */
 401 void
 402 smb2_sign_reply(smb_request_t *sr)
 403 {
 404         uint8_t reply_sig[SMB2_SIG_SIZE];
 405         struct mbuf_chain tmp_mbc;
 406         smb_session_t *s = sr->session;
 407         smb_user_t *u = sr->uid_user;
 408         int hdr_off, msg_len;
 409 
 410         if (u == NULL)
 411                 return;
 412         if (s->sign_calc == NULL)
 413                 return;
 414 
 415         msg_len = sr->reply.chain_offset - sr->smb2_reply_hdr;
 416         (void) MBC_SHADOW_CHAIN(&tmp_mbc, &sr->reply,
 417             sr->smb2_reply_hdr, msg_len);
 418 
 419         /*
 420          * Calculate the MAC signature for this reply.
 421          * smb2_sign_calc() or smb3_sign_calc()
 422          */
 423         if (s->sign_calc(sr, &tmp_mbc, reply_sig) != 0)
 424                 return;
 425 
 426         /*
 427          * Poke the signature into the response.
 428          */
 429         hdr_off = sr->smb2_reply_hdr + SMB2_SIG_OFFS;
 430         (void) smb_mbc_poke(&sr->reply, hdr_off, "#c",
 431             SMB2_SIG_SIZE, reply_sig);
 432 }
 433 
 434 /*
 435  * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2
 436  * and [NIST SP800-108]
 437  *
 438  * r = 32, L = 128, PRF = HMAC-SHA256, key = (session key)
 439  *
 440  * Note that these describe pre-3.1.1 inputs.
 441  *
 442  * Session.SigningKey for binding a session:
 443  * - Session.SessionKey as K1
 444  * - label = SMB2AESCMAC (size 12)
 445  * - context = SmbSign (size 8)
 446  * Channel.SigningKey for for all other requests
 447  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
 448  * - otherwise, Session.SessionKey as K1
 449  * - label = SMB2AESCMAC (size 12)
 450  * - context = SmbSign (size 8)
 451  * Session.ApplicationKey for ... (not sure what yet)
 452  * - Session.SessionKey as K1
 453  * - label = SMB2APP (size 8)
 454  * - context = SmbRpc (size 7)
 455  * Session.EncryptionKey for encrypting server messages
 456  * - Session.SessionKey as K1
 457  * - label = "SMB2AESCCM" (size 11)
 458  * - context = "ServerOut" (size 10)
 459  * Session.DecryptionKey for decrypting client requests
 460  * - Session.SessionKey as K1
 461  * - label = "SMB2AESCCM" (size 11)
 462  * - context = "ServerIn " (size 10) (Note the space)
 463  */
 464 
 465 int
 466 smb3_do_kdf(void *outbuf, void *input, size_t input_len,
 467     uint8_t *key, uint32_t key_len)
 468 {
 469         uint8_t digest32[SHA256_DIGEST_LENGTH];
 470         smb_crypto_mech_t mech;
 471         smb_sign_ctx_t hctx = 0;
 472         int rc;
 473 
 474         bzero(&mech, sizeof (mech));
 475         if ((rc = smb2_hmac_getmech(&mech)) != 0)
 476                 return (rc);
 477 
 478         /* Limit the SessionKey input to its maximum size (16 bytes) */
 479         rc = smb2_hmac_init(&hctx, &mech, key, MIN(key_len, SMB2_KEYLEN));
 480         if (rc != 0)
 481                 return (rc);
 482 
 483         if ((rc = smb2_hmac_update(hctx, input, input_len)) != 0)
 484                 return (rc);
 485 
 486         if ((rc = smb2_hmac_final(hctx, digest32)) != 0)
 487                 return (rc);
 488 
 489         /* Output is first 16 bytes of digest. */
 490         bcopy(digest32, outbuf, SMB3_KEYLEN);
 491         return (0);
 492 }