1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /*
  13  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
  14  */
  15 
  16 /*
  17  * Routines for smb3 encryption.
  18  */
  19 
  20 #include <smbsrv/smb2_kproto.h>
  21 #include <smbsrv/smb_kcrypt.h>
  22 #include <sys/random.h>
  23 #include <sys/cmn_err.h>
  24 
  25 #define SMB3_NONCE_OFFS         20
  26 #define SMB3_SIG_OFFS           4
  27 #define SMB3_NONCE_SIZE         11 /* 12 for gcm later */
  28 
  29 /*
  30  * Inputs to KDF for EncryptionKey and DecryptionKey.
  31  * See comment for smb3_do_kdf for content.
  32  */
  33 static uint8_t encrypt_kdf_input[30] = {
  34         0, 0, 0, 1, 'S', 'M', 'B', '2',
  35         'A', 'E', 'S', 'C', 'C', 'M', 0, 0,
  36         'S', 'e', 'r', 'v', 'e', 'r', 'O',
  37         'u', 't', 0, 0, 0, 0, 0x80 };
  38 
  39 static uint8_t decrypt_kdf_input[30] = {
  40         0, 0, 0, 1, 'S', 'M', 'B', '2',
  41         'A', 'E', 'S', 'C', 'C', 'M', 0, 0,
  42         'S', 'e', 'r', 'v', 'e', 'r', 'I',
  43         'n', ' ', 0, 0, 0, 0, 0x80 };
  44 
  45 /*
  46  * Arbitrary value used to prevent nonce reuse via overflow. Currently
  47  * 2^64 - 2^32 - 1. Assumes we can't have (or are unlikely to have)
  48  * 2^32 concurrent messages when we hit this number.
  49  */
  50 static uint64_t smb3_max_nonce = 0xffffffff00000000ULL;
  51 
  52 /*
  53  * Nonce generation based on draft-mcgrew-iv-gen-01
  54  * "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
  55  *
  56  * Generate an 8-byte random salt and a 3-byte random 'fixed' value.
  57  * then, nonce = (++counter ^ salt) || fixed
  58  *
  59  * This protects against nonce-reuse (8-byte counter), as well as known
  60  * attacks on reusing nonces with different keys
  61  */
  62 
  63 void
  64 smb3_encrypt_init_nonce(smb_user_t *user)
  65 {
  66         user->u_nonce_cnt = 0;
  67         (void) random_get_pseudo_bytes(user->u_nonce_fixed,
  68             sizeof (user->u_nonce_fixed));
  69         (void) random_get_pseudo_bytes((uint8_t *)&user->u_salt,
  70             sizeof (user->u_salt));
  71 }
  72 
  73 int
  74 smb3_encrypt_gen_nonce(smb_user_t *user, uint8_t *buf, size_t len)
  75 {
  76         uint64_t cnt = atomic_inc_64_nv(&user->u_nonce_cnt);
  77 
  78         /*
  79          * Nonces must be unique per-key for the life of the key.
  80          * Bail before we roll over to avoid breaking the crypto.
  81          */
  82 
  83         if (cnt > smb3_max_nonce)
  84                 return (-1);
  85 
  86         cnt ^= user->u_salt;
  87         bcopy((uint8_t *)&cnt, buf, sizeof (cnt));
  88 
  89         ASSERT(len > sizeof (cnt));
  90         bcopy(user->u_nonce_fixed, buf + sizeof (cnt), len - sizeof (cnt));
  91         return (0);
  92 }
  93 
  94 int
  95 smb3_encrypt_init_mech(smb_session_t *s)
  96 {
  97         smb_crypto_mech_t *mech;
  98         int rc;
  99 
 100         if (s->enc_mech != NULL)
 101                 return (0);
 102 
 103         mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
 104         rc = smb3_encrypt_getmech(mech);
 105         if (rc != 0) {
 106                 kmem_free(mech, sizeof (*mech));
 107                 return (rc);
 108         }
 109         s->enc_mech = mech;
 110 
 111         return (0);
 112 }
 113 
 114 /*
 115  * Initializes keys/state required for SMB3 Encryption.
 116  * Note: If a failure occurs here, don't fail the request.
 117  * Instead, return an error when we attempt to encrypt/decrypt.
 118  */
 119 void
 120 smb3_encrypt_begin(smb_request_t *sr, smb_token_t *token)
 121 {
 122         smb_session_t *s = sr->session;
 123         smb_user_t *u = sr->uid_user;
 124         struct smb_key *enc_key = &u->u_enc_key;
 125         struct smb_key *dec_key = &u->u_dec_key;
 126 
 127         /*
 128          * In order to enforce encryption, all users need to
 129          * have Session.EncryptData properly set, even anon/guest.
 130          */
 131         u->u_encrypt = s->s_server->sv_cfg.skc_encrypt;
 132         enc_key->len = 0;
 133         dec_key->len = 0;
 134 
 135         /*
 136          * If we don't have a session key, we'll fail later when a
 137          * request that requires (en/de)cryption can't be (en/de)crypted.
 138          * Also don't bother initializing if we don't have a mechanism.
 139          */
 140         if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
 141             s->enc_mech == NULL)
 142                 return;
 143 
 144         /*
 145          * Compute and store the encryption keys, which live in
 146          * the user structure.
 147          */
 148 
 149         /*
 150          * For SMB3, the encrypt/decrypt keys are derived from
 151          * the session key using KDF in counter mode.
 152          */
 153         if (smb3_do_kdf(enc_key->key, encrypt_kdf_input,
 154             sizeof (encrypt_kdf_input), token->tkn_ssnkey.val,
 155             token->tkn_ssnkey.len) != 0)
 156                 return;
 157 
 158         if (smb3_do_kdf(dec_key->key, decrypt_kdf_input,
 159             sizeof (decrypt_kdf_input), token->tkn_ssnkey.val,
 160             token->tkn_ssnkey.len) != 0)
 161                 return;
 162 
 163         smb3_encrypt_init_nonce(u);
 164 
 165         enc_key->len = SMB3_KEYLEN;
 166         dec_key->len = SMB3_KEYLEN;
 167 }
 168 
 169 /*
 170  * Decrypt the request in sr->command.
 171  * This decrypts "in place", though due to CCM's design,
 172  * it processes all input before doing any output.
 173  */
 174 int
 175 smb3_decrypt_sr(smb_request_t *sr)
 176 {
 177         struct mbuf_chain *mbc = &sr->command;
 178         smb_session_t *s = sr->session;
 179         smb_user_t *u = sr->tform_ssn;
 180         uint8_t tmp_hdr[SMB2_HDR_SIZE];
 181         smb3_enc_ctx_t ctx;
 182         struct smb_key *dec_key = &u->u_dec_key;
 183         struct mbuf *mbuf;
 184         int offset, resid, tlen, rc;
 185         smb3_crypto_param_t param;
 186         smb_crypto_mech_t mech;
 187 
 188         ASSERT(u != NULL);
 189         if (s->enc_mech == NULL || dec_key->len != 16) {
 190                 return (-1);
 191         }
 192 
 193         tlen = SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS;
 194         offset = mbc->chain_offset + SMB3_NONCE_OFFS;
 195         resid = mbc->max_bytes - offset;
 196 
 197         if (resid < (sr->msgsize + tlen)) {
 198                 cmn_err(CE_WARN, "too little data to decrypt");
 199                 return (-1);
 200         }
 201 
 202         if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0) {
 203                 return (-1);
 204         }
 205 
 206         offset += tlen;
 207         resid -= tlen;
 208 
 209         /*
 210          * The transform header, minus the PROTOCOL_ID and the
 211          * SIGNATURE, is authenticated but not encrypted.
 212          */
 213         smb3_crypto_init_param(&param, sr->nonce, SMB3_NONCE_SIZE,
 214             tmp_hdr, tlen, sr->msgsize + SMB2_SIG_SIZE);
 215 
 216         /*
 217          * Unlike signing, which uses one global mech struct,
 218          * encryption requires modifying the mech to add a
 219          * per-use param struct. Thus, we need to make a copy.
 220          */
 221         mech = *(smb_crypto_mech_t *)s->enc_mech;
 222         rc = smb3_decrypt_init(&ctx, &mech, &param,
 223             dec_key->key, dec_key->len);
 224         if (rc != 0) {
 225                 return (rc);
 226         }
 227 
 228         /*
 229          * Digest the rest of the SMB packet, starting at the data
 230          * just after the SMB header.
 231          *
 232          * Advance to the src mbuf where we start digesting.
 233          */
 234         mbuf = mbc->chain;
 235         while (mbuf != NULL && (offset >= mbuf->m_len)) {
 236                 offset -= mbuf->m_len;
 237                 mbuf = mbuf->m_next;
 238         }
 239 
 240         if (mbuf == NULL)
 241                 return (-1);
 242 
 243         /*
 244          * Digest the remainder of this mbuf, limited to the
 245          * residual count, and starting at the current offset.
 246          */
 247         tlen = mbuf->m_len - offset;
 248         if (tlen > resid)
 249                 tlen = resid;
 250 
 251         rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data + offset, tlen);
 252         if (rc != 0) {
 253                 return (rc);
 254         }
 255         resid -= tlen;
 256 
 257         /*
 258          * Digest any more mbufs in the chain.
 259          */
 260         while (resid > 0) {
 261                 mbuf = mbuf->m_next;
 262                 if (mbuf == NULL) {
 263                         smb3_encrypt_cancel(&ctx);
 264                         return (-1);
 265                 }
 266                 tlen = mbuf->m_len;
 267                 if (tlen > resid)
 268                         tlen = resid;
 269                 rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
 270                 if (rc != 0) {
 271                         return (rc);
 272                 }
 273                 resid -= tlen;
 274         }
 275 
 276         /*
 277          * AES_CCM processes the signature like normal data.
 278          */
 279         rc = smb3_decrypt_update(&ctx, sr->smb2_sig, SMB2_SIG_SIZE);
 280 
 281         if (rc != 0) {
 282                 cmn_err(CE_WARN, "failed to process signature");
 283                 return (rc);
 284         }
 285         /*
 286          * smb3_decrypt_final will return an error
 287          * if the signatures don't match.
 288          */
 289         rc = smb3_decrypt_final(&ctx, sr->sr_request_buf, sr->sr_req_length);
 290 
 291         /*
 292          * We had to decode TFORM_HDR_SIZE bytes before we got here,
 293          * and we just peeked the first TFORM_HDR_SIZE bytes at the
 294          * beginning of this function, so this can't underflow.
 295          */
 296         ASSERT(sr->command.max_bytes > SMB3_TFORM_HDR_SIZE);
 297         sr->command.max_bytes -= SMB3_TFORM_HDR_SIZE;
 298         return (rc);
 299 }
 300 
 301 /*
 302  * Encrypt the response in in_mbc, and output
 303  * an encrypted response in out_mbc.
 304  * The data in in_mbc is preserved.
 305  */
 306 int
 307 smb3_encrypt_sr(smb_request_t *sr, struct mbuf_chain *in_mbc,
 308     struct mbuf_chain *out_mbc)
 309 {
 310         smb_session_t *s = sr->session;
 311         smb_user_t *u = sr->tform_ssn;
 312         uint8_t *buf = (uint8_t *)out_mbc->chain->m_data;
 313         size_t buflen = out_mbc->max_bytes;
 314         smb3_enc_ctx_t ctx;
 315         struct smb_key *enc_key = &u->u_enc_key;
 316         struct mbuf *mbuf;
 317         int resid, tlen, rc;
 318         smb3_crypto_param_t param;
 319         smb_crypto_mech_t mech;
 320 
 321         ASSERT(u != NULL);
 322         if (s->enc_mech == NULL || enc_key->len != 16) {
 323                 return (-1);
 324         }
 325 
 326         rc = smb3_encrypt_gen_nonce(u, sr->nonce, SMB3_NONCE_SIZE);
 327 
 328         if (rc != 0) {
 329                 cmn_err(CE_WARN, "ran out of nonces");
 330                 return (-1);
 331         }
 332 
 333         (void) smb_mbc_poke(out_mbc, SMB3_NONCE_OFFS, "#c",
 334             SMB3_NONCE_SIZE, sr->nonce);
 335 
 336         resid = in_mbc->max_bytes;
 337 
 338         /*
 339          * The transform header, minus the PROTOCOL_ID and the
 340          * SIGNATURE, is authenticated but not encrypted.
 341          */
 342         smb3_crypto_init_param(&param,
 343             sr->nonce, SMB3_NONCE_SIZE,
 344             buf + SMB3_NONCE_OFFS, SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS,
 345             resid);
 346 
 347         /*
 348          * Unlike signing, which uses one global mech struct,
 349          * encryption requires modifying the mech to add a
 350          * per-use param struct. Thus, we need to make a copy.
 351          */
 352         mech = *(smb_crypto_mech_t *)s->enc_mech;
 353         rc = smb3_encrypt_init(&ctx, &mech, &param,
 354             enc_key->key, enc_key->len, buf + SMB3_TFORM_HDR_SIZE,
 355             buflen - SMB3_TFORM_HDR_SIZE);
 356         if (rc != 0) {
 357                 return (rc);
 358         }
 359 
 360         /*
 361          * Unlike signing and decryption, we're processing the entirety of the
 362          * message here, so we don't skip anything.
 363          */
 364         mbuf = in_mbc->chain;
 365         while (resid > 0 && mbuf != NULL) {
 366                 tlen = mbuf->m_len;
 367                 if (tlen > resid)
 368                         tlen = resid;
 369                 rc = smb3_encrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
 370                 if (rc != 0) {
 371                         return (rc);
 372                 }
 373                 resid -= tlen;
 374                 mbuf = mbuf->m_next;
 375         }
 376 
 377         if (mbuf == NULL && resid > 0) {
 378                 cmn_err(CE_WARN, "not enough data to encrypt");
 379                 smb3_encrypt_cancel(&ctx);
 380                 return (-1);
 381         }
 382 
 383         rc = smb3_encrypt_final(&ctx, buf + SMB3_SIG_OFFS);
 384 
 385         return (rc);
 386 }
 387 
 388 void
 389 smb3_encrypt_fini(smb_session_t *s)
 390 {
 391         smb_crypto_mech_t *mech;
 392 
 393         if ((mech = s->enc_mech) != NULL) {
 394                 kmem_free(mech, sizeof (*mech));
 395                 s->enc_mech = NULL;
 396         }
 397 }