2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/filesys.h"
23 #include "../libcli/smb/smb_common.h"
24 #include "../lib/crypto/crypto.h"
26 NTSTATUS
smb2_signing_sign_pdu(DATA_BLOB signing_key
,
27 enum protocol_types protocol
,
37 return NT_STATUS_INVALID_PARAMETER
;
40 if (vector
[0].iov_len
!= SMB2_HDR_BODY
) {
41 return NT_STATUS_INVALID_PARAMETER
;
44 hdr
= (uint8_t *)vector
[0].iov_base
;
46 session_id
= BVAL(hdr
, SMB2_HDR_SESSION_ID
);
47 if (session_id
== 0) {
49 * do not sign messages with a zero session_id.
50 * See MS-SMB2 3.2.4.1.1
55 if (signing_key
.length
== 0) {
56 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
57 (unsigned)signing_key
.length
));
58 return NT_STATUS_ACCESS_DENIED
;
61 memset(hdr
+ SMB2_HDR_SIGNATURE
, 0, 16);
63 SIVAL(hdr
, SMB2_HDR_FLAGS
, IVAL(hdr
, SMB2_HDR_FLAGS
) | SMB2_HDR_FLAG_SIGNED
);
65 if (protocol
>= PROTOCOL_SMB2_24
) {
66 struct aes_cmac_128_context ctx
;
67 uint8_t key
[AES_BLOCK_SIZE
];
70 memcpy(key
, signing_key
.data
, MIN(signing_key
.length
, 16));
72 aes_cmac_128_init(&ctx
, key
);
73 for (i
=0; i
< count
; i
++) {
74 aes_cmac_128_update(&ctx
,
75 (const uint8_t *)vector
[i
].iov_base
,
78 aes_cmac_128_final(&ctx
, res
);
80 struct HMACSHA256Context m
;
81 uint8_t digest
[SHA256_DIGEST_LENGTH
];
84 hmac_sha256_init(signing_key
.data
, MIN(signing_key
.length
, 16), &m
);
85 for (i
=0; i
< count
; i
++) {
86 hmac_sha256_update((const uint8_t *)vector
[i
].iov_base
,
87 vector
[i
].iov_len
, &m
);
89 hmac_sha256_final(digest
, &m
);
90 memcpy(res
, digest
, 16);
92 DEBUG(5,("signed SMB2 message\n"));
94 memcpy(hdr
+ SMB2_HDR_SIGNATURE
, res
, 16);
99 NTSTATUS
smb2_signing_check_pdu(DATA_BLOB signing_key
,
100 enum protocol_types protocol
,
101 const struct iovec
*vector
,
108 static const uint8_t zero_sig
[16] = { 0, };
112 return NT_STATUS_INVALID_PARAMETER
;
115 if (vector
[0].iov_len
!= SMB2_HDR_BODY
) {
116 return NT_STATUS_INVALID_PARAMETER
;
119 hdr
= (const uint8_t *)vector
[0].iov_base
;
121 session_id
= BVAL(hdr
, SMB2_HDR_SESSION_ID
);
122 if (session_id
== 0) {
124 * do not sign messages with a zero session_id.
125 * See MS-SMB2 3.2.4.1.1
130 if (signing_key
.length
== 0) {
131 /* we don't have the session key yet */
135 sig
= hdr
+SMB2_HDR_SIGNATURE
;
137 if (protocol
>= PROTOCOL_SMB2_24
) {
138 struct aes_cmac_128_context ctx
;
139 uint8_t key
[AES_BLOCK_SIZE
];
142 memcpy(key
, signing_key
.data
, MIN(signing_key
.length
, 16));
144 aes_cmac_128_init(&ctx
, key
);
145 aes_cmac_128_update(&ctx
, hdr
, SMB2_HDR_SIGNATURE
);
146 aes_cmac_128_update(&ctx
, zero_sig
, 16);
147 for (i
=1; i
< count
; i
++) {
148 aes_cmac_128_update(&ctx
,
149 (const uint8_t *)vector
[i
].iov_base
,
152 aes_cmac_128_final(&ctx
, res
);
154 struct HMACSHA256Context m
;
155 uint8_t digest
[SHA256_DIGEST_LENGTH
];
158 hmac_sha256_init(signing_key
.data
, MIN(signing_key
.length
, 16), &m
);
159 hmac_sha256_update(hdr
, SMB2_HDR_SIGNATURE
, &m
);
160 hmac_sha256_update(zero_sig
, 16, &m
);
161 for (i
=1; i
< count
; i
++) {
162 hmac_sha256_update((const uint8_t *)vector
[i
].iov_base
,
163 vector
[i
].iov_len
, &m
);
165 hmac_sha256_final(digest
, &m
);
166 memcpy(res
, digest
, 16);
169 if (memcmp(res
, sig
, 16) != 0) {
170 DEBUG(0,("Bad SMB2 signature for message\n"));
171 dump_data(0, sig
, 16);
172 dump_data(0, res
, 16);
173 return NT_STATUS_ACCESS_DENIED
;
179 void smb2_key_derivation(const uint8_t *KI
, size_t KI_len
,
180 const uint8_t *Label
, size_t Label_len
,
181 const uint8_t *Context
, size_t Context_len
,
184 struct HMACSHA256Context ctx
;
186 static const uint8_t zero
= 0;
187 uint8_t digest
[SHA256_DIGEST_LENGTH
];
192 * a simplified version of
193 * "NIST Special Publication 800-108" section 5.1
196 hmac_sha256_init(KI
, KI_len
, &ctx
);
199 hmac_sha256_update(buf
, sizeof(buf
), &ctx
);
200 hmac_sha256_update(Label
, Label_len
, &ctx
);
201 hmac_sha256_update(&zero
, 1, &ctx
);
202 hmac_sha256_update(Context
, Context_len
, &ctx
);
204 hmac_sha256_update(buf
, sizeof(buf
), &ctx
);
206 hmac_sha256_final(digest
, &ctx
);
208 memcpy(KO
, digest
, 16);
211 NTSTATUS
smb2_signing_encrypt_pdu(DATA_BLOB encryption_key
,
213 struct iovec
*vector
,
222 struct aes_ccm_128_context ccm
;
223 struct aes_gcm_128_context gcm
;
225 uint8_t key
[AES_BLOCK_SIZE
];
228 return NT_STATUS_INVALID_PARAMETER
;
231 if (vector
[0].iov_len
!= SMB2_TF_HDR_SIZE
) {
232 return NT_STATUS_INVALID_PARAMETER
;
235 tf
= (uint8_t *)vector
[0].iov_base
;
237 if (encryption_key
.length
== 0) {
238 DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n",
239 (unsigned)encryption_key
.length
));
240 return NT_STATUS_ACCESS_DENIED
;
243 a_total
= SMB2_TF_HDR_SIZE
- SMB2_TF_NONCE
;
244 for (i
=1; i
< count
; i
++) {
245 m_total
+= vector
[i
].iov_len
;
248 SSVAL(tf
, SMB2_TF_FLAGS
, SMB2_TF_FLAGS_ENCRYPTED
);
249 SIVAL(tf
, SMB2_TF_MSG_SIZE
, m_total
);
252 memcpy(key
, encryption_key
.data
,
253 MIN(encryption_key
.length
, AES_BLOCK_SIZE
));
256 case SMB2_ENCRYPTION_AES128_CCM
:
257 aes_ccm_128_init(&c
.ccm
, key
,
260 memset(tf
+ SMB2_TF_NONCE
+ AES_CCM_128_NONCE_SIZE
, 0,
261 16 - AES_CCM_128_NONCE_SIZE
);
262 aes_ccm_128_update(&c
.ccm
, tf
+ SMB2_TF_NONCE
, a_total
);
263 for (i
=1; i
< count
; i
++) {
264 aes_ccm_128_update(&c
.ccm
,
265 (const uint8_t *)vector
[i
].iov_base
,
267 aes_ccm_128_crypt(&c
.ccm
,
268 (uint8_t *)vector
[i
].iov_base
,
271 aes_ccm_128_digest(&c
.ccm
, sig
);
274 case SMB2_ENCRYPTION_AES128_GCM
:
275 aes_gcm_128_init(&c
.gcm
, key
, tf
+ SMB2_TF_NONCE
);
276 memset(tf
+ SMB2_TF_NONCE
+ AES_GCM_128_IV_SIZE
, 0,
277 16 - AES_GCM_128_IV_SIZE
);
278 aes_gcm_128_updateA(&c
.gcm
, tf
+ SMB2_TF_NONCE
, a_total
);
279 for (i
=1; i
< count
; i
++) {
280 aes_gcm_128_crypt(&c
.gcm
,
281 (uint8_t *)vector
[i
].iov_base
,
283 aes_gcm_128_updateC(&c
.gcm
,
284 (const uint8_t *)vector
[i
].iov_base
,
287 aes_gcm_128_digest(&c
.gcm
, sig
);
292 return NT_STATUS_INVALID_PARAMETER
;
296 memcpy(tf
+ SMB2_TF_SIGNATURE
, sig
, 16);
298 DEBUG(5,("encrypt SMB2 message\n"));
303 NTSTATUS
smb2_signing_decrypt_pdu(DATA_BLOB decryption_key
,
305 struct iovec
*vector
,
310 uint8_t *sig_ptr
= NULL
;
315 uint32_t msg_size
= 0;
317 struct aes_ccm_128_context ccm
;
318 struct aes_gcm_128_context gcm
;
320 uint8_t key
[AES_BLOCK_SIZE
];
323 return NT_STATUS_INVALID_PARAMETER
;
326 if (vector
[0].iov_len
!= SMB2_TF_HDR_SIZE
) {
327 return NT_STATUS_INVALID_PARAMETER
;
330 tf
= (uint8_t *)vector
[0].iov_base
;
332 if (decryption_key
.length
== 0) {
333 DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n",
334 (unsigned)decryption_key
.length
));
335 return NT_STATUS_ACCESS_DENIED
;
338 a_total
= SMB2_TF_HDR_SIZE
- SMB2_TF_NONCE
;
339 for (i
=1; i
< count
; i
++) {
340 m_total
+= vector
[i
].iov_len
;
343 flags
= SVAL(tf
, SMB2_TF_FLAGS
);
344 msg_size
= IVAL(tf
, SMB2_TF_MSG_SIZE
);
346 if (flags
!= SMB2_TF_FLAGS_ENCRYPTED
) {
347 return NT_STATUS_ACCESS_DENIED
;
350 if (msg_size
!= m_total
) {
351 return NT_STATUS_INTERNAL_ERROR
;
355 memcpy(key
, decryption_key
.data
,
356 MIN(decryption_key
.length
, AES_BLOCK_SIZE
));
359 case SMB2_ENCRYPTION_AES128_CCM
:
360 aes_ccm_128_init(&c
.ccm
, key
,
363 aes_ccm_128_update(&c
.ccm
, tf
+ SMB2_TF_NONCE
, a_total
);
364 for (i
=1; i
< count
; i
++) {
365 aes_ccm_128_crypt(&c
.ccm
,
366 (uint8_t *)vector
[i
].iov_base
,
368 aes_ccm_128_update(&c
.ccm
,
369 ( uint8_t *)vector
[i
].iov_base
,
372 aes_ccm_128_digest(&c
.ccm
, sig
);
375 case SMB2_ENCRYPTION_AES128_GCM
:
376 aes_gcm_128_init(&c
.gcm
, key
, tf
+ SMB2_TF_NONCE
);
377 aes_gcm_128_updateA(&c
.gcm
, tf
+ SMB2_TF_NONCE
, a_total
);
378 for (i
=1; i
< count
; i
++) {
379 aes_gcm_128_updateC(&c
.gcm
,
380 (const uint8_t *)vector
[i
].iov_base
,
382 aes_gcm_128_crypt(&c
.gcm
,
383 (uint8_t *)vector
[i
].iov_base
,
386 aes_gcm_128_digest(&c
.gcm
, sig
);
391 return NT_STATUS_INVALID_PARAMETER
;
395 sig_ptr
= tf
+ SMB2_TF_SIGNATURE
;
396 if (memcmp(sig_ptr
, sig
, 16) != 0) {
397 return NT_STATUS_ACCESS_DENIED
;
400 DEBUG(5,("decrypt SMB2 message\n"));