1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
14 */
15
16 /*
17 * Routines for smb3 encryption.
18 */
19
20 #include <smbsrv/smb2_kproto.h>
21 #include <smbsrv/smb_kcrypt.h>
22 #include <sys/random.h>
23 #include <sys/cmn_err.h>
24
25 #define SMB3_NONCE_OFFS 20
26 #define SMB3_SIG_OFFS 4
27 #define SMB3_NONCE_SIZE 11 /* 12 for gcm later */
28
29 /*
30 * Inputs to KDF for EncryptionKey and DecryptionKey.
31 * See comment for smb3_do_kdf for content.
32 */
33 static uint8_t encrypt_kdf_input[30] = {
34 0, 0, 0, 1, 'S', 'M', 'B', '2',
35 'A', 'E', 'S', 'C', 'C', 'M', 0, 0,
36 'S', 'e', 'r', 'v', 'e', 'r', 'O',
37 'u', 't', 0, 0, 0, 0, 0x80 };
38
39 static uint8_t decrypt_kdf_input[30] = {
40 0, 0, 0, 1, 'S', 'M', 'B', '2',
41 'A', 'E', 'S', 'C', 'C', 'M', 0, 0,
42 'S', 'e', 'r', 'v', 'e', 'r', 'I',
43 'n', ' ', 0, 0, 0, 0, 0x80 };
44
45 /*
46 * Arbitrary value used to prevent nonce reuse via overflow. Currently
47 * 2^64 - 2^32 - 1. Assumes we can't have (or are unlikely to have)
48 * 2^32 concurrent messages when we hit this number.
49 */
50 static uint64_t smb3_max_nonce = 0xffffffff00000000ULL;
51
52 /*
53 * Nonce generation based on draft-mcgrew-iv-gen-01
54 * "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
55 *
56 * Generate an 8-byte random salt and a 3-byte random 'fixed' value.
57 * then, nonce = (++counter ^ salt) || fixed
58 *
59 * This protects against nonce-reuse (8-byte counter), as well as known
60 * attacks on reusing nonces with different keys
61 */
62
63 void
64 smb3_encrypt_init_nonce(smb_user_t *user)
65 {
66 user->u_nonce_cnt = 0;
67 (void) random_get_pseudo_bytes(user->u_nonce_fixed,
68 sizeof (user->u_nonce_fixed));
69 (void) random_get_pseudo_bytes((uint8_t *)&user->u_salt,
70 sizeof (user->u_salt));
71 }
72
73 int
74 smb3_encrypt_gen_nonce(smb_user_t *user, uint8_t *buf, size_t len)
75 {
76 uint64_t cnt = atomic_inc_64_nv(&user->u_nonce_cnt);
77
78 /*
79 * Nonces must be unique per-key for the life of the key.
80 * Bail before we roll over to avoid breaking the crypto.
81 */
82
83 if (cnt > smb3_max_nonce)
84 return (-1);
85
86 cnt ^= user->u_salt;
87 bcopy((uint8_t *)&cnt, buf, sizeof (cnt));
88
89 ASSERT(len > sizeof (cnt));
90 bcopy(user->u_nonce_fixed, buf + sizeof (cnt), len - sizeof (cnt));
91 return (0);
92 }
93
94 int
95 smb3_encrypt_init_mech(smb_session_t *s)
96 {
97 smb_crypto_mech_t *mech;
98 int rc;
99
100 if (s->enc_mech != NULL)
101 return (0);
102
103 mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
104 rc = smb3_encrypt_getmech(mech);
105 if (rc != 0) {
106 kmem_free(mech, sizeof (*mech));
107 return (rc);
108 }
109 s->enc_mech = mech;
110
111 return (0);
112 }
113
114 /*
115 * Initializes keys/state required for SMB3 Encryption.
116 * Note: If a failure occurs here, don't fail the request.
117 * Instead, return an error when we attempt to encrypt/decrypt.
118 */
119 void
120 smb3_encrypt_begin(smb_request_t *sr, smb_token_t *token)
121 {
122 smb_session_t *s = sr->session;
123 smb_user_t *u = sr->uid_user;
124 struct smb_key *enc_key = &u->u_enc_key;
125 struct smb_key *dec_key = &u->u_dec_key;
126
127 /*
128 * In order to enforce encryption, all users need to
129 * have Session.EncryptData properly set, even anon/guest.
130 */
131 u->u_encrypt = s->s_server->sv_cfg.skc_encrypt;
132 enc_key->len = 0;
133 dec_key->len = 0;
134
135 /*
136 * If we don't have a session key, we'll fail later when a
137 * request that requires (en/de)cryption can't be (en/de)crypted.
138 * Also don't bother initializing if we don't have a mechanism.
139 */
140 if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
141 s->enc_mech == NULL)
142 return;
143
144 /*
145 * Compute and store the encryption keys, which live in
146 * the user structure.
147 */
148
149 /*
150 * For SMB3, the encrypt/decrypt keys are derived from
151 * the session key using KDF in counter mode.
152 */
153 if (smb3_do_kdf(enc_key->key, encrypt_kdf_input,
154 sizeof (encrypt_kdf_input), token->tkn_ssnkey.val,
155 token->tkn_ssnkey.len) != 0)
156 return;
157
158 if (smb3_do_kdf(dec_key->key, decrypt_kdf_input,
159 sizeof (decrypt_kdf_input), token->tkn_ssnkey.val,
160 token->tkn_ssnkey.len) != 0)
161 return;
162
163 smb3_encrypt_init_nonce(u);
164
165 enc_key->len = SMB3_KEYLEN;
166 dec_key->len = SMB3_KEYLEN;
167 }
168
169 /*
170 * Decrypt the request in sr->command.
171 * This decrypts "in place", though due to CCM's design,
172 * it processes all input before doing any output.
173 */
174 int
175 smb3_decrypt_sr(smb_request_t *sr)
176 {
177 struct mbuf_chain *mbc = &sr->command;
178 smb_session_t *s = sr->session;
179 smb_user_t *u = sr->tform_ssn;
180 uint8_t tmp_hdr[SMB2_HDR_SIZE];
181 smb3_enc_ctx_t ctx;
182 struct smb_key *dec_key = &u->u_dec_key;
183 struct mbuf *mbuf;
184 int offset, resid, tlen, rc;
185 smb3_crypto_param_t param;
186 smb_crypto_mech_t mech;
187
188 ASSERT(u != NULL);
189 if (s->enc_mech == NULL || dec_key->len != 16) {
190 return (-1);
191 }
192
193 tlen = SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS;
194 offset = mbc->chain_offset + SMB3_NONCE_OFFS;
195 resid = mbc->max_bytes - offset;
196
197 if (resid < (sr->msgsize + tlen)) {
198 cmn_err(CE_WARN, "too little data to decrypt");
199 return (-1);
200 }
201
202 if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0) {
203 return (-1);
204 }
205
206 offset += tlen;
207 resid -= tlen;
208
209 /*
210 * The transform header, minus the PROTOCOL_ID and the
211 * SIGNATURE, is authenticated but not encrypted.
212 */
213 smb3_crypto_init_param(¶m, sr->nonce, SMB3_NONCE_SIZE,
214 tmp_hdr, tlen, sr->msgsize + SMB2_SIG_SIZE);
215
216 /*
217 * Unlike signing, which uses one global mech struct,
218 * encryption requires modifying the mech to add a
219 * per-use param struct. Thus, we need to make a copy.
220 */
221 mech = *(smb_crypto_mech_t *)s->enc_mech;
222 rc = smb3_decrypt_init(&ctx, &mech, ¶m,
223 dec_key->key, dec_key->len);
224 if (rc != 0) {
225 return (rc);
226 }
227
228 /*
229 * Digest the rest of the SMB packet, starting at the data
230 * just after the SMB header.
231 *
232 * Advance to the src mbuf where we start digesting.
233 */
234 mbuf = mbc->chain;
235 while (mbuf != NULL && (offset >= mbuf->m_len)) {
236 offset -= mbuf->m_len;
237 mbuf = mbuf->m_next;
238 }
239
240 if (mbuf == NULL)
241 return (-1);
242
243 /*
244 * Digest the remainder of this mbuf, limited to the
245 * residual count, and starting at the current offset.
246 */
247 tlen = mbuf->m_len - offset;
248 if (tlen > resid)
249 tlen = resid;
250
251 rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data + offset, tlen);
252 if (rc != 0) {
253 return (rc);
254 }
255 resid -= tlen;
256
257 /*
258 * Digest any more mbufs in the chain.
259 */
260 while (resid > 0) {
261 mbuf = mbuf->m_next;
262 if (mbuf == NULL) {
263 smb3_encrypt_cancel(&ctx);
264 return (-1);
265 }
266 tlen = mbuf->m_len;
267 if (tlen > resid)
268 tlen = resid;
269 rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
270 if (rc != 0) {
271 return (rc);
272 }
273 resid -= tlen;
274 }
275
276 /*
277 * AES_CCM processes the signature like normal data.
278 */
279 rc = smb3_decrypt_update(&ctx, sr->smb2_sig, SMB2_SIG_SIZE);
280
281 if (rc != 0) {
282 cmn_err(CE_WARN, "failed to process signature");
283 return (rc);
284 }
285 /*
286 * smb3_decrypt_final will return an error
287 * if the signatures don't match.
288 */
289 rc = smb3_decrypt_final(&ctx, sr->sr_request_buf, sr->sr_req_length);
290
291 /*
292 * We had to decode TFORM_HDR_SIZE bytes before we got here,
293 * and we just peeked the first TFORM_HDR_SIZE bytes at the
294 * beginning of this function, so this can't underflow.
295 */
296 ASSERT(sr->command.max_bytes > SMB3_TFORM_HDR_SIZE);
297 sr->command.max_bytes -= SMB3_TFORM_HDR_SIZE;
298 return (rc);
299 }
300
301 /*
302 * Encrypt the response in in_mbc, and output
303 * an encrypted response in out_mbc.
304 * The data in in_mbc is preserved.
305 */
306 int
307 smb3_encrypt_sr(smb_request_t *sr, struct mbuf_chain *in_mbc,
308 struct mbuf_chain *out_mbc)
309 {
310 smb_session_t *s = sr->session;
311 smb_user_t *u = sr->tform_ssn;
312 uint8_t *buf = (uint8_t *)out_mbc->chain->m_data;
313 size_t buflen = out_mbc->max_bytes;
314 smb3_enc_ctx_t ctx;
315 struct smb_key *enc_key = &u->u_enc_key;
316 struct mbuf *mbuf;
317 int resid, tlen, rc;
318 smb3_crypto_param_t param;
319 smb_crypto_mech_t mech;
320
321 ASSERT(u != NULL);
322 if (s->enc_mech == NULL || enc_key->len != 16) {
323 return (-1);
324 }
325
326 rc = smb3_encrypt_gen_nonce(u, sr->nonce, SMB3_NONCE_SIZE);
327
328 if (rc != 0) {
329 cmn_err(CE_WARN, "ran out of nonces");
330 return (-1);
331 }
332
333 (void) smb_mbc_poke(out_mbc, SMB3_NONCE_OFFS, "#c",
334 SMB3_NONCE_SIZE, sr->nonce);
335
336 resid = in_mbc->max_bytes;
337
338 /*
339 * The transform header, minus the PROTOCOL_ID and the
340 * SIGNATURE, is authenticated but not encrypted.
341 */
342 smb3_crypto_init_param(¶m,
343 sr->nonce, SMB3_NONCE_SIZE,
344 buf + SMB3_NONCE_OFFS, SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS,
345 resid);
346
347 /*
348 * Unlike signing, which uses one global mech struct,
349 * encryption requires modifying the mech to add a
350 * per-use param struct. Thus, we need to make a copy.
351 */
352 mech = *(smb_crypto_mech_t *)s->enc_mech;
353 rc = smb3_encrypt_init(&ctx, &mech, ¶m,
354 enc_key->key, enc_key->len, buf + SMB3_TFORM_HDR_SIZE,
355 buflen - SMB3_TFORM_HDR_SIZE);
356 if (rc != 0) {
357 return (rc);
358 }
359
360 /*
361 * Unlike signing and decryption, we're processing the entirety of the
362 * message here, so we don't skip anything.
363 */
364 mbuf = in_mbc->chain;
365 while (resid > 0 && mbuf != NULL) {
366 tlen = mbuf->m_len;
367 if (tlen > resid)
368 tlen = resid;
369 rc = smb3_encrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
370 if (rc != 0) {
371 return (rc);
372 }
373 resid -= tlen;
374 mbuf = mbuf->m_next;
375 }
376
377 if (mbuf == NULL && resid > 0) {
378 cmn_err(CE_WARN, "not enough data to encrypt");
379 smb3_encrypt_cancel(&ctx);
380 return (-1);
381 }
382
383 rc = smb3_encrypt_final(&ctx, buf + SMB3_SIG_OFFS);
384
385 return (rc);
386 }
387
388 void
389 smb3_encrypt_fini(smb_session_t *s)
390 {
391 smb_crypto_mech_t *mech;
392
393 if ((mech = s->enc_mech) != NULL) {
394 kmem_free(mech, sizeof (*mech));
395 s->enc_mech = NULL;
396 }
397 }