1 /*
2 * This file and its contents are supplied under the terms of the
3 * Common Development and Distribution License ("CDDL"), version 1.0.
4 * You may only use this file in accordance with the terms of version
5 * 1.0 of the CDDL.
6 *
7 * A full copy of the text of the CDDL should have accompanied this
8 * source. A copy of the CDDL is also available via the Internet at
9 * http://www.illumos.org/license/CDDL.
10 */
11
12 /*
13 * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
14 * Copyright 2020 RackTop Systems, Inc.
15 */
16
17 /*
18 * Routines for smb3 encryption.
19 */
20
21 #include <smbsrv/smb2_kproto.h>
22 #include <smbsrv/smb_kcrypt.h>
23 #include <sys/random.h>
24 #include <sys/cmn_err.h>
25
26 #define SMB3_NONCE_OFFS 20
27 #define SMB3_SIG_OFFS 4
28 #define SMB3_AES128_CCM_NONCE_SIZE 11
29 #define SMB3_AES128_GCM_NONCE_SIZE 12
30
31 /*
32 * Arbitrary value used to prevent nonce reuse via overflow. Currently
33 * 2^64 - 2^32 - 1. Assumes we can't have (or are unlikely to have)
34 * 2^32 concurrent messages when we hit this number.
35 */
36 static uint64_t smb3_max_nonce = 0xffffffff00000000ULL;
37
38 /*
39 * Nonce generation based on draft-mcgrew-iv-gen-01
40 * "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
41 *
42 * Generate an 8-byte random salt and a 3-byte random 'fixed' value.
43 * then, nonce = (++counter ^ salt) || fixed
44 *
45 * This protects against nonce-reuse (8-byte counter), as well as known
46 * attacks on reusing nonces with different keys
47 */
48
49 void
50 smb3_encrypt_init_nonce(smb_user_t *user)
51 {
52 user->u_nonce_cnt = 0;
53 (void) random_get_pseudo_bytes(user->u_nonce_fixed,
54 sizeof (user->u_nonce_fixed));
55 (void) random_get_pseudo_bytes((uint8_t *)&user->u_salt,
56 sizeof (user->u_salt));
57 }
58
59 int
60 smb3_encrypt_gen_nonce(smb_user_t *user, uint8_t *buf, size_t len)
61 {
62 uint64_t cnt = atomic_inc_64_nv(&user->u_nonce_cnt);
63
64 /*
65 * Nonces must be unique per-key for the life of the key.
66 * Bail before we roll over to avoid breaking the crypto.
67 */
68
69 if (cnt > smb3_max_nonce)
70 return (-1);
71
72 cnt ^= user->u_salt;
73 bcopy((uint8_t *)&cnt, buf, sizeof (cnt));
74
75 ASSERT(len > sizeof (cnt));
76 bcopy(user->u_nonce_fixed, buf + sizeof (cnt), len - sizeof (cnt));
77 return (0);
78 }
79
80 int
81 smb3_encrypt_init_mech(smb_session_t *s)
82 {
83 smb_crypto_mech_t *mech;
84 int rc;
85
86 if (s->enc_mech != NULL)
87 return (0);
88
89 if (s->dialect < SMB_VERS_3_11)
90 s->smb31_enc_cipherid = SMB3_CIPHER_AES128_CCM;
91
92 mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
93
94 switch (s->smb31_enc_cipherid) {
95 case SMB3_CIPHER_AES128_GCM:
96 rc = smb3_aes_gcm_getmech(mech);
97 break;
98 case SMB3_CIPHER_AES128_CCM:
99 rc = smb3_aes_ccm_getmech(mech);
100 break;
101 default:
102 return (-1);
103 }
104
105 if (rc != 0) {
106 kmem_free(mech, sizeof (*mech));
107 return (rc);
108 }
109 s->enc_mech = mech;
110
111 return (0);
112 }
113
114 /*
115 * Initializes keys/state required for SMB3 Encryption.
116 * Note: If a failure occurs here, don't fail the request.
117 * Instead, return an error when we attempt to encrypt/decrypt.
118 */
119 void
120 smb3_encrypt_begin(smb_request_t *sr, smb_token_t *token)
121 {
122 smb_session_t *s = sr->session;
123 smb_user_t *u = sr->uid_user;
124 struct smb_key *enc_key = &u->u_enc_key;
125 struct smb_key *dec_key = &u->u_dec_key;
126
127 /*
128 * In order to enforce encryption, all users need to
129 * have Session.EncryptData properly set, even anon/guest.
130 */
131 u->u_encrypt = s->s_server->sv_cfg.skc_encrypt;
132 enc_key->len = 0;
133 dec_key->len = 0;
134
135 /*
136 * If we don't have a session key, we'll fail later when a
137 * request that requires (en/de)cryption can't be (en/de)crypted.
138 * Also don't bother initializing if we don't have a mechanism.
139 */
140 if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
141 s->enc_mech == NULL)
142 return;
143
144 /*
145 * Compute and store the encryption keys, which live in
146 * the user structure.
147 */
148
149 /*
150 * For SMB3, the encrypt/decrypt keys are derived from
151 * the session key using KDF in counter mode.
152 */
153 if (s->dialect >= SMB_VERS_3_11) {
154 if (smb3_kdf(enc_key->key,
155 token->tkn_ssnkey.val, token->tkn_ssnkey.len,
156 (uint8_t *)"SMBS2CCipherKey", 16,
157 s->smb31_preauth_hashval, SHA512_DIGEST_LENGTH) != 0)
158 return;
159
160 if (smb3_kdf(dec_key->key,
161 token->tkn_ssnkey.val, token->tkn_ssnkey.len,
162 (uint8_t *)"SMBC2SCipherKey", 16,
163 s->smb31_preauth_hashval, SHA512_DIGEST_LENGTH) != 0)
164 return;
165 } else {
166 if (smb3_kdf(enc_key->key,
167 token->tkn_ssnkey.val, token->tkn_ssnkey.len,
168 (uint8_t *)"SMB2AESCCM", 11,
169 (uint8_t *)"ServerOut", 10) != 0)
170 return;
171
172 if (smb3_kdf(dec_key->key,
173 token->tkn_ssnkey.val, token->tkn_ssnkey.len,
174 (uint8_t *)"SMB2AESCCM", 11,
175 (uint8_t *)"ServerIn ", 10) != 0)
176 return;
177 }
178
179 smb3_encrypt_init_nonce(u);
180
181 enc_key->len = SMB3_KEYLEN;
182 dec_key->len = SMB3_KEYLEN;
183 }
184
185 /*
186 * Decrypt the request in sr->command.
187 * This decrypts "in place", though due to CCM's design,
188 * it processes all input before doing any output.
189 */
190 int
191 smb3_decrypt_sr(smb_request_t *sr)
192 {
193 struct mbuf_chain *mbc = &sr->command;
194 smb_session_t *s = sr->session;
195 smb_user_t *u = sr->tform_ssn;
196 uint8_t tmp_hdr[SMB2_HDR_SIZE];
197 smb3_enc_ctx_t ctx;
198 struct smb_key *dec_key = &u->u_dec_key;
199 struct mbuf *mbuf;
200 int offset, resid, tlen, rc;
201 smb3_crypto_param_t param;
202 smb_crypto_mech_t mech;
203 boolean_t gcm = sr->session->smb31_enc_cipherid ==
204 SMB3_CIPHER_AES128_GCM;
205 size_t nonce_size = (gcm ? SMB3_AES128_GCM_NONCE_SIZE :
206 SMB3_AES128_CCM_NONCE_SIZE);
207
208 ASSERT(u != NULL);
209 if (s->enc_mech == NULL || dec_key->len != 16) {
210 return (-1);
211 }
212
213 tlen = SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS;
214 offset = mbc->chain_offset + SMB3_NONCE_OFFS;
215 resid = mbc->max_bytes - offset;
216
217 if (resid < (sr->msgsize + tlen)) {
218 cmn_err(CE_WARN, "too little data to decrypt");
219 return (-1);
220 }
221
222 if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0) {
223 return (-1);
224 }
225
226 offset += tlen;
227 resid -= tlen;
228
229 /*
230 * The transform header, minus the PROTOCOL_ID and the
231 * SIGNATURE, is authenticated but not encrypted.
232 */
233 if (gcm)
234 smb3_crypto_init_gcm_param(¶m, sr->nonce, nonce_size,
235 tmp_hdr, tlen);
236 else
237 smb3_crypto_init_ccm_param(¶m, sr->nonce, nonce_size,
238 tmp_hdr, tlen, sr->msgsize + SMB2_SIG_SIZE);
239
240 /*
241 * Unlike signing, which uses one global mech struct,
242 * encryption requires modifying the mech to add a
243 * per-use param struct. Thus, we need to make a copy.
244 */
245 mech = *(smb_crypto_mech_t *)s->enc_mech;
246 rc = smb3_decrypt_init(&ctx, &mech, ¶m,
247 dec_key->key, dec_key->len);
248 if (rc != 0) {
249 return (rc);
250 }
251
252 /*
253 * Digest the rest of the SMB packet, starting at the data
254 * just after the SMB header.
255 *
256 * Advance to the src mbuf where we start digesting.
257 */
258 mbuf = mbc->chain;
259 while (mbuf != NULL && (offset >= mbuf->m_len)) {
260 offset -= mbuf->m_len;
261 mbuf = mbuf->m_next;
262 }
263
264 if (mbuf == NULL)
265 return (-1);
266
267 /*
268 * Digest the remainder of this mbuf, limited to the
269 * residual count, and starting at the current offset.
270 */
271 tlen = mbuf->m_len - offset;
272 if (tlen > resid)
273 tlen = resid;
274
275 rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data + offset, tlen);
276 if (rc != 0) {
277 return (rc);
278 }
279 resid -= tlen;
280
281 /*
282 * Digest any more mbufs in the chain.
283 */
284 while (resid > 0) {
285 mbuf = mbuf->m_next;
286 if (mbuf == NULL) {
287 smb3_encrypt_cancel(&ctx);
288 return (-1);
289 }
290 tlen = mbuf->m_len;
291 if (tlen > resid)
292 tlen = resid;
293 rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
294 if (rc != 0) {
295 return (rc);
296 }
297 resid -= tlen;
298 }
299
300 /*
301 * AES_CCM processes the signature like normal data.
302 */
303 rc = smb3_decrypt_update(&ctx, sr->smb2_sig, SMB2_SIG_SIZE);
304
305 if (rc != 0) {
306 cmn_err(CE_WARN, "failed to process signature");
307 return (rc);
308 }
309 /*
310 * smb3_decrypt_final will return an error
311 * if the signatures don't match.
312 */
313 rc = smb3_decrypt_final(&ctx, sr->sr_request_buf, sr->sr_req_length);
314
315 /*
316 * We had to decode TFORM_HDR_SIZE bytes before we got here,
317 * and we just peeked the first TFORM_HDR_SIZE bytes at the
318 * beginning of this function, so this can't underflow.
319 */
320 ASSERT(sr->command.max_bytes > SMB3_TFORM_HDR_SIZE);
321 sr->command.max_bytes -= SMB3_TFORM_HDR_SIZE;
322 return (rc);
323 }
324
325 /*
326 * Encrypt the response in in_mbc, and output
327 * an encrypted response in out_mbc.
328 * The data in in_mbc is preserved.
329 */
330 int
331 smb3_encrypt_sr(smb_request_t *sr, struct mbuf_chain *in_mbc,
332 struct mbuf_chain *out_mbc)
333 {
334 smb_session_t *s = sr->session;
335 smb_user_t *u = sr->tform_ssn;
336 uint8_t *buf = (uint8_t *)out_mbc->chain->m_data;
337 size_t buflen = out_mbc->max_bytes;
338 smb3_enc_ctx_t ctx;
339 struct smb_key *enc_key = &u->u_enc_key;
340 struct mbuf *mbuf;
341 int resid, tlen, rc;
342 smb3_crypto_param_t param;
343 smb_crypto_mech_t mech;
344 boolean_t gcm = sr->session->smb31_enc_cipherid ==
345 SMB3_CIPHER_AES128_GCM;
346 size_t nonce_size = (gcm ? SMB3_AES128_GCM_NONCE_SIZE :
347 SMB3_AES128_CCM_NONCE_SIZE);
348
349 ASSERT(u != NULL);
350 if (s->enc_mech == NULL || enc_key->len != 16) {
351 return (-1);
352 }
353
354 rc = smb3_encrypt_gen_nonce(u, sr->nonce, nonce_size);
355
356 if (rc != 0) {
357 cmn_err(CE_WARN, "ran out of nonces");
358 return (-1);
359 }
360
361 (void) smb_mbc_poke(out_mbc, SMB3_NONCE_OFFS, "#c",
362 nonce_size, sr->nonce);
363
364 resid = in_mbc->max_bytes;
365
366 /*
367 * The transform header, minus the PROTOCOL_ID and the
368 * SIGNATURE, is authenticated but not encrypted.
369 */
370 if (gcm)
371 smb3_crypto_init_gcm_param(¶m, sr->nonce, nonce_size,
372 buf + SMB3_NONCE_OFFS,
373 SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS);
374 else
375 smb3_crypto_init_ccm_param(¶m, sr->nonce, nonce_size,
376 buf + SMB3_NONCE_OFFS,
377 SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS, resid);
378
379 /*
380 * Unlike signing, which uses one global mech struct,
381 * encryption requires modifying the mech to add a
382 * per-use param struct. Thus, we need to make a copy.
383 */
384 mech = *(smb_crypto_mech_t *)s->enc_mech;
385 rc = smb3_encrypt_init(&ctx, &mech, ¶m,
386 enc_key->key, enc_key->len, buf + SMB3_TFORM_HDR_SIZE,
387 buflen - SMB3_TFORM_HDR_SIZE);
388 if (rc != 0) {
389 return (rc);
390 }
391
392 /*
393 * Unlike signing and decryption, we're processing the entirety of the
394 * message here, so we don't skip anything.
395 */
396 mbuf = in_mbc->chain;
397 while (resid > 0 && mbuf != NULL) {
398 tlen = mbuf->m_len;
399 if (tlen > resid)
400 tlen = resid;
401 rc = smb3_encrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
402 if (rc != 0) {
403 return (rc);
404 }
405 resid -= tlen;
406 mbuf = mbuf->m_next;
407 }
408
409 if (mbuf == NULL && resid > 0) {
410 cmn_err(CE_WARN, "not enough data to encrypt");
411 smb3_encrypt_cancel(&ctx);
412 return (-1);
413 }
414
415 rc = smb3_encrypt_final(&ctx, buf + SMB3_SIG_OFFS);
416
417 return (rc);
418 }
419
420 void
421 smb3_encrypt_fini(smb_session_t *s)
422 {
423 smb_crypto_mech_t *mech;
424
425 if ((mech = s->enc_mech) != NULL) {
426 kmem_free(mech, sizeof (*mech));
427 s->enc_mech = NULL;
428 }
429 }