1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved. 24 * Copyright 2020 RackTop Systems, Inc. 25 */ 26 27 #include <smbsrv/smb_kcrypt.h> 28 #include <sys/types.h> 29 #include <sys/sysmacros.h> 30 #include <sys/ddi.h> 31 #include <sys/sunddi.h> 32 33 /* 34 * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2 35 * and [NIST SP800-108] 36 * 37 * r = 32, L = 128, PRF = HMAC-SHA256, key = (session key) 38 */ 39 40 /* 41 * SMB 3.0.2 KDF Input 42 * 43 * Session.SigningKey for binding a session: 44 * - Session.SessionKey as K1 45 * - label = "SMB2AESCMAC" (size 12) 46 * - context = "SmbSign" (size 8) 47 * Channel.SigningKey for for all other requests 48 * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1; 49 * - otherwise, Session.SessionKey as K1 50 * - label = "SMB2AESCMAC" (size 12) 51 * - context = "SmbSign" (size 8) 52 * Session.ApplicationKey for ... (not sure what yet) 53 * - Session.SessionKey as K1 54 * - label = "SMB2APP" (size 8) 55 * - context = "SmbRpc" (size 7) 56 * Session.EncryptionKey for encrypting server messages 57 * - Session.SessionKey as K1 58 * - label = "SMB2AESCCM" (size 11) 59 * - context = "ServerOut" (size 10) 60 * Session.DecryptionKey for decrypting client requests 61 * - Session.SessionKey as K1 62 * - label = "SMB2AESCCM" (size 11) 63 * - context = "ServerIn " (size 10) (Note the space) 64 */ 65 66 /* 67 * SMB 3.1.1 KDF Input 68 * 69 * Session.SigningKey for binding a session: 70 * - Session.SessionKey as K1 71 * - label = "SMBSigningKey" (size 14) 72 * - context = preauth hashval 73 * Channel.SigningKey for for all other requests 74 * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1; 75 * - otherwise, Session.SessionKey as K1 76 * - label = "SMBSigningKey" (size 14) 77 * - context = preauth hashval 78 * Session.EncryptionKey for encrypting server messages 79 * - Session.SessionKey as K1 80 * - label = "SMBS2CCipherKey" (size 16) 81 * - context = preauth hashval 82 * Session.DecryptionKey for decrypting client requests 83 * - Session.SessionKey as K1 84 * - label = "SMBC2SCipherKey" (size 16) 85 * - context = preauth hashval 86 */ 87 88 /* 89 * SMB3KDF(Ki, Label, Context) 90 * counter || Lebel || 0x00 || Context || L 91 */ 92 int 93 smb3_kdf(uint8_t *outbuf, 94 uint8_t *key, size_t key_len, 95 uint8_t *label, size_t label_len, 96 uint8_t *context, size_t context_len) 97 { 98 static uint8_t L[4] = { 0, 0, 0, 0x80 }; 99 uint8_t digest32[SHA256_DIGEST_LENGTH]; 100 uint8_t kdfbuf[89] = { 0, 0, 0, 1 }; /* initialized by counter */ 101 smb_crypto_mech_t mech; 102 smb_sign_ctx_t hctx = 0; 103 int pos = 4; /* skip counter */ 104 int rc; 105 106 bcopy(label, &kdfbuf[pos], label_len); 107 pos += label_len; 108 109 kdfbuf[pos] = 0; 110 pos++; 111 112 bcopy(context, &kdfbuf[pos], context_len); 113 pos += context_len; 114 115 bcopy(L, &kdfbuf[pos], 4); 116 pos += 4; 117 118 bzero(&mech, sizeof (mech)); 119 if ((rc = smb2_hmac_getmech(&mech)) != 0) 120 return (rc); 121 122 /* Limit the SessionKey input to its maximum size (16 bytes) */ 123 rc = smb2_hmac_init(&hctx, &mech, key, MIN(key_len, SMB2_KEYLEN)); 124 if (rc != 0) 125 return (rc); 126 127 if ((rc = smb2_hmac_update(hctx, kdfbuf, pos)) != 0) 128 return (rc); 129 130 if ((rc = smb2_hmac_final(hctx, digest32)) != 0) 131 return (rc); 132 133 /* Output is first 16 bytes of digest. */ 134 bcopy(digest32, outbuf, SMB3_KEYLEN); 135 return (0); 136 }