2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/filesys.h"
23 #include "../libcli/smb/smb_common.h"
24 #include "../lib/crypto/crypto.h"
25 #include "lib/util/iov_buf.h"
27 #include "lib/crypto/gnutls_helpers.h"
28 #include <gnutls/gnutls.h>
29 #include <gnutls/crypto.h>
31 int smb2_signing_key_destructor(struct smb2_signing_key *key)
33 if (key->hmac_hnd != NULL) {
34 gnutls_hmac_deinit(key->hmac_hnd, NULL);
38 if (key->cipher_hnd != NULL) {
39 gnutls_aead_cipher_deinit(key->cipher_hnd);
40 key->cipher_hnd = NULL;
46 bool smb2_signing_key_valid(const struct smb2_signing_key *key)
52 if (key->blob.length == 0 || key->blob.data == NULL) {
59 NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
60 enum protocol_types protocol,
70 return NT_STATUS_INVALID_PARAMETER;
73 if (vector[0].iov_len != SMB2_HDR_BODY) {
74 return NT_STATUS_INVALID_PARAMETER;
77 hdr = (uint8_t *)vector[0].iov_base;
79 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
80 if (session_id == 0) {
82 * do not sign messages with a zero session_id.
83 * See MS-SMB2 3.2.4.1.1
88 if (!smb2_signing_key_valid(signing_key)) {
89 DBG_WARNING("Wrong session key length %zu for SMB2 signing\n",
90 signing_key->blob.length);
91 return NT_STATUS_ACCESS_DENIED;
94 memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
96 SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
98 if (protocol >= PROTOCOL_SMB2_24) {
99 struct aes_cmac_128_context ctx;
100 uint8_t key[AES_BLOCK_SIZE] = {0};
103 signing_key->blob.data,
104 MIN(signing_key->blob.length, 16));
106 aes_cmac_128_init(&ctx, key);
107 for (i=0; i < count; i++) {
108 aes_cmac_128_update(&ctx,
109 (const uint8_t *)vector[i].iov_base,
112 aes_cmac_128_final(&ctx, res);
116 uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
119 if (signing_key->hmac_hnd == NULL) {
120 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
122 signing_key->blob.data,
123 MIN(signing_key->blob.length, 16));
125 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
129 for (i = 0; i < count; i++) {
130 rc = gnutls_hmac(signing_key->hmac_hnd,
134 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
137 gnutls_hmac_output(signing_key->hmac_hnd, digest);
138 memcpy(res, digest, sizeof(res));
140 DEBUG(5,("signed SMB2 message\n"));
142 memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
147 NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
148 enum protocol_types protocol,
149 const struct iovec *vector,
156 static const uint8_t zero_sig[16] = { 0, };
160 return NT_STATUS_INVALID_PARAMETER;
163 if (vector[0].iov_len != SMB2_HDR_BODY) {
164 return NT_STATUS_INVALID_PARAMETER;
167 hdr = (const uint8_t *)vector[0].iov_base;
169 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
170 if (session_id == 0) {
172 * do not sign messages with a zero session_id.
173 * See MS-SMB2 3.2.4.1.1
178 if (!smb2_signing_key_valid(signing_key)) {
179 /* we don't have the session key yet */
183 sig = hdr+SMB2_HDR_SIGNATURE;
185 if (protocol >= PROTOCOL_SMB2_24) {
186 struct aes_cmac_128_context ctx;
187 uint8_t key[AES_BLOCK_SIZE] = {0};
190 signing_key->blob.data,
191 MIN(signing_key->blob.length, 16));
193 aes_cmac_128_init(&ctx, key);
194 aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
195 aes_cmac_128_update(&ctx, zero_sig, 16);
196 for (i=1; i < count; i++) {
197 aes_cmac_128_update(&ctx,
198 (const uint8_t *)vector[i].iov_base,
201 aes_cmac_128_final(&ctx, res);
205 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
208 if (signing_key->hmac_hnd == NULL) {
209 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
211 signing_key->blob.data,
212 MIN(signing_key->blob.length, 16));
214 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
218 rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
220 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
222 rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
224 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
227 for (i = 1; i < count; i++) {
228 rc = gnutls_hmac(signing_key->hmac_hnd,
232 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
235 gnutls_hmac_output(signing_key->hmac_hnd, digest);
236 memcpy(res, digest, 16);
240 if (memcmp_const_time(res, sig, 16) != 0) {
241 DEBUG(0,("Bad SMB2 signature for message\n"));
242 dump_data(0, sig, 16);
243 dump_data(0, res, 16);
244 return NT_STATUS_ACCESS_DENIED;
250 NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
251 const uint8_t *Label, size_t Label_len,
252 const uint8_t *Context, size_t Context_len,
255 gnutls_hmac_hd_t hmac_hnd = NULL;
257 static const uint8_t zero = 0;
258 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
264 * a simplified version of
265 * "NIST Special Publication 800-108" section 5.1
268 rc = gnutls_hmac_init(&hmac_hnd,
273 return gnutls_error_to_ntstatus(rc,
274 NT_STATUS_HMAC_NOT_SUPPORTED);
278 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
280 return gnutls_error_to_ntstatus(rc,
281 NT_STATUS_HMAC_NOT_SUPPORTED);
283 rc = gnutls_hmac(hmac_hnd, Label, Label_len);
285 gnutls_hmac_deinit(hmac_hnd, NULL);
286 return gnutls_error_to_ntstatus(rc,
287 NT_STATUS_HMAC_NOT_SUPPORTED);
289 rc = gnutls_hmac(hmac_hnd, &zero, 1);
291 gnutls_hmac_deinit(hmac_hnd, NULL);
292 return gnutls_error_to_ntstatus(rc,
293 NT_STATUS_HMAC_NOT_SUPPORTED);
295 rc = gnutls_hmac(hmac_hnd, Context, Context_len);
297 gnutls_hmac_deinit(hmac_hnd, NULL);
298 return gnutls_error_to_ntstatus(rc,
299 NT_STATUS_HMAC_NOT_SUPPORTED);
302 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
304 gnutls_hmac_deinit(hmac_hnd, NULL);
305 return gnutls_error_to_ntstatus(rc,
306 NT_STATUS_HMAC_NOT_SUPPORTED);
309 gnutls_hmac_deinit(hmac_hnd, digest);
311 memcpy(KO, digest, 16);
318 NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
320 struct iovec *vector,
329 struct aes_ccm_128_context ccm;
330 struct aes_gcm_128_context gcm;
332 uint8_t key[AES_BLOCK_SIZE];
335 return NT_STATUS_INVALID_PARAMETER;
338 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
339 return NT_STATUS_INVALID_PARAMETER;
342 tf = (uint8_t *)vector[0].iov_base;
344 if (encryption_key.length == 0) {
345 DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n",
346 (unsigned)encryption_key.length));
347 return NT_STATUS_ACCESS_DENIED;
350 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
352 m_total = iov_buflen(&vector[1], count-1);
354 return NT_STATUS_BUFFER_TOO_SMALL;
357 SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
358 SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);
361 memcpy(key, encryption_key.data,
362 MIN(encryption_key.length, AES_BLOCK_SIZE));
365 case SMB2_ENCRYPTION_AES128_CCM:
366 aes_ccm_128_init(&c.ccm, key,
369 memset(tf + SMB2_TF_NONCE + AES_CCM_128_NONCE_SIZE, 0,
370 16 - AES_CCM_128_NONCE_SIZE);
371 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
372 for (i=1; i < count; i++) {
373 aes_ccm_128_update(&c.ccm,
374 (const uint8_t *)vector[i].iov_base,
376 aes_ccm_128_crypt(&c.ccm,
377 (uint8_t *)vector[i].iov_base,
380 aes_ccm_128_digest(&c.ccm, sig);
383 case SMB2_ENCRYPTION_AES128_GCM:
384 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
385 memset(tf + SMB2_TF_NONCE + AES_GCM_128_IV_SIZE, 0,
386 16 - AES_GCM_128_IV_SIZE);
387 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
388 for (i=1; i < count; i++) {
389 aes_gcm_128_crypt(&c.gcm,
390 (uint8_t *)vector[i].iov_base,
392 aes_gcm_128_updateC(&c.gcm,
393 (const uint8_t *)vector[i].iov_base,
396 aes_gcm_128_digest(&c.gcm, sig);
401 return NT_STATUS_INVALID_PARAMETER;
405 memcpy(tf + SMB2_TF_SIGNATURE, sig, 16);
407 DEBUG(5,("encrypt SMB2 message\n"));
412 NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
414 struct iovec *vector,
419 uint8_t *sig_ptr = NULL;
424 uint32_t msg_size = 0;
426 struct aes_ccm_128_context ccm;
427 struct aes_gcm_128_context gcm;
429 uint8_t key[AES_BLOCK_SIZE];
432 return NT_STATUS_INVALID_PARAMETER;
435 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
436 return NT_STATUS_INVALID_PARAMETER;
439 tf = (uint8_t *)vector[0].iov_base;
441 if (decryption_key.length == 0) {
442 DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n",
443 (unsigned)decryption_key.length));
444 return NT_STATUS_ACCESS_DENIED;
447 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
449 m_total = iov_buflen(&vector[1], count-1);
451 return NT_STATUS_BUFFER_TOO_SMALL;
454 flags = SVAL(tf, SMB2_TF_FLAGS);
455 msg_size = IVAL(tf, SMB2_TF_MSG_SIZE);
457 if (flags != SMB2_TF_FLAGS_ENCRYPTED) {
458 return NT_STATUS_ACCESS_DENIED;
461 if (msg_size != m_total) {
462 return NT_STATUS_INTERNAL_ERROR;
466 memcpy(key, decryption_key.data,
467 MIN(decryption_key.length, AES_BLOCK_SIZE));
470 case SMB2_ENCRYPTION_AES128_CCM:
471 aes_ccm_128_init(&c.ccm, key,
474 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
475 for (i=1; i < count; i++) {
476 aes_ccm_128_crypt(&c.ccm,
477 (uint8_t *)vector[i].iov_base,
479 aes_ccm_128_update(&c.ccm,
480 ( uint8_t *)vector[i].iov_base,
483 aes_ccm_128_digest(&c.ccm, sig);
486 case SMB2_ENCRYPTION_AES128_GCM:
487 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
488 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
489 for (i=1; i < count; i++) {
490 aes_gcm_128_updateC(&c.gcm,
491 (const uint8_t *)vector[i].iov_base,
493 aes_gcm_128_crypt(&c.gcm,
494 (uint8_t *)vector[i].iov_base,
497 aes_gcm_128_digest(&c.gcm, sig);
502 return NT_STATUS_INVALID_PARAMETER;
506 sig_ptr = tf + SMB2_TF_SIGNATURE;
507 if (memcmp(sig_ptr, sig, 16) != 0) {
508 return NT_STATUS_ACCESS_DENIED;
511 DEBUG(5,("decrypt SMB2 message\n"));