1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
  23  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
  24  * Copyright 2020 RackTop Systems, Inc.
  25  */
  26 
  27 #include <smbsrv/smb_kcrypt.h>
  28 #include <sys/types.h>
  29 #include <sys/sysmacros.h>
  30 #include <sys/ddi.h>
  31 #include <sys/sunddi.h>
  32 
  33 /*
  34  * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2
  35  * and [NIST SP800-108]
  36  *
  37  * r = 32, L = 128, PRF = HMAC-SHA256, key = (session key)
  38  */
  39 
  40 /*
  41  * SMB 3.0.2 KDF Input
  42  *
  43  * Session.SigningKey for binding a session:
  44  * - Session.SessionKey as K1
  45  * - label = "SMB2AESCMAC" (size 12)
  46  * - context = "SmbSign" (size 8)
  47  * Channel.SigningKey for for all other requests
  48  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
  49  * - otherwise, Session.SessionKey as K1
  50  * - label = "SMB2AESCMAC" (size 12)
  51  * - context = "SmbSign" (size 8)
  52  * Session.ApplicationKey for ... (not sure what yet)
  53  * - Session.SessionKey as K1
  54  * - label = "SMB2APP" (size 8)
  55  * - context = "SmbRpc" (size 7)
  56  * Session.EncryptionKey for encrypting server messages
  57  * - Session.SessionKey as K1
  58  * - label = "SMB2AESCCM" (size 11)
  59  * - context = "ServerOut" (size 10)
  60  * Session.DecryptionKey for decrypting client requests
  61  * - Session.SessionKey as K1
  62  * - label = "SMB2AESCCM" (size 11)
  63  * - context = "ServerIn " (size 10) (Note the space)
  64  */
  65 
  66 /*
  67  * SMB 3.1.1 KDF Input
  68  *
  69  * Session.SigningKey for binding a session:
  70  * - Session.SessionKey as K1
  71  * - label = "SMBSigningKey" (size 14)
  72  * - context = preauth hashval
  73  * Channel.SigningKey for for all other requests
  74  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
  75  * - otherwise, Session.SessionKey as K1
  76  * - label = "SMBSigningKey" (size 14)
  77  * - context = preauth hashval
  78  * Session.EncryptionKey for encrypting server messages
  79  * - Session.SessionKey as K1
  80  * - label = "SMBS2CCipherKey" (size 16)
  81  * - context = preauth hashval
  82  * Session.DecryptionKey for decrypting client requests
  83  * - Session.SessionKey as K1
  84  * - label = "SMBC2SCipherKey" (size 16)
  85  * - context = preauth hashval
  86  */
  87 
  88 /*
  89  * SMB3KDF(Ki, Label, Context)
  90  * counter || Lebel || 0x00 || Context || L
  91  */
  92 int
  93 smb3_kdf(uint8_t *outbuf,
  94     uint8_t *key, size_t key_len,
  95     uint8_t *label, size_t label_len,
  96     uint8_t *context, size_t context_len)
  97 {
  98         static uint8_t L[4] = { 0, 0, 0, 0x80 };
  99         uint8_t digest32[SHA256_DIGEST_LENGTH];
 100         uint8_t kdfbuf[89] = { 0, 0, 0, 1 }; /* initialized by counter */
 101         smb_crypto_mech_t mech;
 102         smb_sign_ctx_t hctx = 0;
 103         int pos = 4;    /* skip counter */
 104         int rc;
 105 
 106         bcopy(label, &kdfbuf[pos], label_len);
 107         pos += label_len;
 108 
 109         kdfbuf[pos] = 0;
 110         pos++;
 111 
 112         bcopy(context, &kdfbuf[pos], context_len);
 113         pos += context_len;
 114 
 115         bcopy(L, &kdfbuf[pos], 4);
 116         pos += 4;
 117 
 118         bzero(&mech, sizeof (mech));
 119         if ((rc = smb2_hmac_getmech(&mech)) != 0)
 120                 return (rc);
 121 
 122         /* Limit the SessionKey input to its maximum size (16 bytes) */
 123         rc = smb2_hmac_init(&hctx, &mech, key, MIN(key_len, SMB2_KEYLEN));
 124         if (rc != 0)
 125                 return (rc);
 126 
 127         if ((rc = smb2_hmac_update(hctx, kdfbuf, pos)) != 0)
 128                 return (rc);
 129 
 130         if ((rc = smb2_hmac_final(hctx, digest32)) != 0)
 131                 return (rc);
 132 
 133         /* Output is first 16 bytes of digest. */
 134         bcopy(digest32, outbuf, SMB3_KEYLEN);
 135         return (0);
 136 }