ctdbd_conn: Fix CID 1301580 Explicit null dereferenced
[Samba.git] / libcli / smb / smb2_signing.c
blob489e18bbd114b30f6e4255ee2037cf18272d3208
1 /*
2 Unix SMB/CIFS implementation.
3 SMB2 signing
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "../libcli/smb/smb_common.h"
24 #include "../lib/crypto/crypto.h"
26 NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
27 enum protocol_types protocol,
28 struct iovec *vector,
29 int count)
31 uint8_t *hdr;
32 uint64_t session_id;
33 uint8_t res[16];
34 int i;
36 if (count < 2) {
37 return NT_STATUS_INVALID_PARAMETER;
40 if (vector[0].iov_len != SMB2_HDR_BODY) {
41 return NT_STATUS_INVALID_PARAMETER;
44 hdr = (uint8_t *)vector[0].iov_base;
46 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
47 if (session_id == 0) {
49 * do not sign messages with a zero session_id.
50 * See MS-SMB2 3.2.4.1.1
52 return NT_STATUS_OK;
55 if (signing_key.length == 0) {
56 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
57 (unsigned)signing_key.length));
58 return NT_STATUS_ACCESS_DENIED;
61 memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
63 SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
65 if (protocol >= PROTOCOL_SMB2_24) {
66 struct aes_cmac_128_context ctx;
67 uint8_t key[AES_BLOCK_SIZE];
69 ZERO_STRUCT(key);
70 memcpy(key, signing_key.data, MIN(signing_key.length, 16));
72 aes_cmac_128_init(&ctx, key);
73 for (i=0; i < count; i++) {
74 aes_cmac_128_update(&ctx,
75 (const uint8_t *)vector[i].iov_base,
76 vector[i].iov_len);
78 aes_cmac_128_final(&ctx, res);
79 } else {
80 struct HMACSHA256Context m;
81 uint8_t digest[SHA256_DIGEST_LENGTH];
83 ZERO_STRUCT(m);
84 hmac_sha256_init(signing_key.data, MIN(signing_key.length, 16), &m);
85 for (i=0; i < count; i++) {
86 hmac_sha256_update((const uint8_t *)vector[i].iov_base,
87 vector[i].iov_len, &m);
89 hmac_sha256_final(digest, &m);
90 memcpy(res, digest, 16);
92 DEBUG(5,("signed SMB2 message\n"));
94 memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
96 return NT_STATUS_OK;
99 NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
100 enum protocol_types protocol,
101 const struct iovec *vector,
102 int count)
104 const uint8_t *hdr;
105 const uint8_t *sig;
106 uint64_t session_id;
107 uint8_t res[16];
108 static const uint8_t zero_sig[16] = { 0, };
109 int i;
111 if (count < 2) {
112 return NT_STATUS_INVALID_PARAMETER;
115 if (vector[0].iov_len != SMB2_HDR_BODY) {
116 return NT_STATUS_INVALID_PARAMETER;
119 hdr = (const uint8_t *)vector[0].iov_base;
121 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
122 if (session_id == 0) {
124 * do not sign messages with a zero session_id.
125 * See MS-SMB2 3.2.4.1.1
127 return NT_STATUS_OK;
130 if (signing_key.length == 0) {
131 /* we don't have the session key yet */
132 return NT_STATUS_OK;
135 sig = hdr+SMB2_HDR_SIGNATURE;
137 if (protocol >= PROTOCOL_SMB2_24) {
138 struct aes_cmac_128_context ctx;
139 uint8_t key[AES_BLOCK_SIZE];
141 ZERO_STRUCT(key);
142 memcpy(key, signing_key.data, MIN(signing_key.length, 16));
144 aes_cmac_128_init(&ctx, key);
145 aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
146 aes_cmac_128_update(&ctx, zero_sig, 16);
147 for (i=1; i < count; i++) {
148 aes_cmac_128_update(&ctx,
149 (const uint8_t *)vector[i].iov_base,
150 vector[i].iov_len);
152 aes_cmac_128_final(&ctx, res);
153 } else {
154 struct HMACSHA256Context m;
155 uint8_t digest[SHA256_DIGEST_LENGTH];
157 ZERO_STRUCT(m);
158 hmac_sha256_init(signing_key.data, MIN(signing_key.length, 16), &m);
159 hmac_sha256_update(hdr, SMB2_HDR_SIGNATURE, &m);
160 hmac_sha256_update(zero_sig, 16, &m);
161 for (i=1; i < count; i++) {
162 hmac_sha256_update((const uint8_t *)vector[i].iov_base,
163 vector[i].iov_len, &m);
165 hmac_sha256_final(digest, &m);
166 memcpy(res, digest, 16);
169 if (memcmp(res, sig, 16) != 0) {
170 DEBUG(0,("Bad SMB2 signature for message\n"));
171 dump_data(0, sig, 16);
172 dump_data(0, res, 16);
173 return NT_STATUS_ACCESS_DENIED;
176 return NT_STATUS_OK;
179 void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
180 const uint8_t *Label, size_t Label_len,
181 const uint8_t *Context, size_t Context_len,
182 uint8_t KO[16])
184 struct HMACSHA256Context ctx;
185 uint8_t buf[4];
186 static const uint8_t zero = 0;
187 uint8_t digest[SHA256_DIGEST_LENGTH];
188 uint32_t i = 1;
189 uint32_t L = 128;
192 * a simplified version of
193 * "NIST Special Publication 800-108" section 5.1
194 * using hmac-sha256.
196 hmac_sha256_init(KI, KI_len, &ctx);
198 RSIVAL(buf, 0, i);
199 hmac_sha256_update(buf, sizeof(buf), &ctx);
200 hmac_sha256_update(Label, Label_len, &ctx);
201 hmac_sha256_update(&zero, 1, &ctx);
202 hmac_sha256_update(Context, Context_len, &ctx);
203 RSIVAL(buf, 0, L);
204 hmac_sha256_update(buf, sizeof(buf), &ctx);
206 hmac_sha256_final(digest, &ctx);
208 memcpy(KO, digest, 16);
211 NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
212 uint16_t cipher_id,
213 struct iovec *vector,
214 int count)
216 uint8_t *tf;
217 uint8_t sig[16];
218 int i;
219 size_t a_total;
220 size_t m_total = 0;
221 union {
222 struct aes_ccm_128_context ccm;
223 struct aes_gcm_128_context gcm;
224 } c;
225 uint8_t key[AES_BLOCK_SIZE];
227 if (count < 1) {
228 return NT_STATUS_INVALID_PARAMETER;
231 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
232 return NT_STATUS_INVALID_PARAMETER;
235 tf = (uint8_t *)vector[0].iov_base;
237 if (encryption_key.length == 0) {
238 DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n",
239 (unsigned)encryption_key.length));
240 return NT_STATUS_ACCESS_DENIED;
243 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
244 for (i=1; i < count; i++) {
245 m_total += vector[i].iov_len;
248 SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
249 SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);
251 ZERO_STRUCT(key);
252 memcpy(key, encryption_key.data,
253 MIN(encryption_key.length, AES_BLOCK_SIZE));
255 switch (cipher_id) {
256 case SMB2_ENCRYPTION_AES128_CCM:
257 aes_ccm_128_init(&c.ccm, key,
258 tf + SMB2_TF_NONCE,
259 a_total, m_total);
260 memset(tf + SMB2_TF_NONCE + AES_CCM_128_NONCE_SIZE, 0,
261 16 - AES_CCM_128_NONCE_SIZE);
262 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
263 for (i=1; i < count; i++) {
264 aes_ccm_128_update(&c.ccm,
265 (const uint8_t *)vector[i].iov_base,
266 vector[i].iov_len);
267 aes_ccm_128_crypt(&c.ccm,
268 (uint8_t *)vector[i].iov_base,
269 vector[i].iov_len);
271 aes_ccm_128_digest(&c.ccm, sig);
272 break;
274 case SMB2_ENCRYPTION_AES128_GCM:
275 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
276 memset(tf + SMB2_TF_NONCE + AES_GCM_128_IV_SIZE, 0,
277 16 - AES_GCM_128_IV_SIZE);
278 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
279 for (i=1; i < count; i++) {
280 aes_gcm_128_crypt(&c.gcm,
281 (uint8_t *)vector[i].iov_base,
282 vector[i].iov_len);
283 aes_gcm_128_updateC(&c.gcm,
284 (const uint8_t *)vector[i].iov_base,
285 vector[i].iov_len);
287 aes_gcm_128_digest(&c.gcm, sig);
288 break;
290 default:
291 ZERO_STRUCT(key);
292 return NT_STATUS_INVALID_PARAMETER;
294 ZERO_STRUCT(key);
296 memcpy(tf + SMB2_TF_SIGNATURE, sig, 16);
298 DEBUG(5,("encrypt SMB2 message\n"));
300 return NT_STATUS_OK;
303 NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
304 uint16_t cipher_id,
305 struct iovec *vector,
306 int count)
308 uint8_t *tf;
309 uint16_t flags;
310 uint8_t *sig_ptr = NULL;
311 uint8_t sig[16];
312 int i;
313 size_t a_total;
314 size_t m_total = 0;
315 uint32_t msg_size = 0;
316 union {
317 struct aes_ccm_128_context ccm;
318 struct aes_gcm_128_context gcm;
319 } c;
320 uint8_t key[AES_BLOCK_SIZE];
322 if (count < 1) {
323 return NT_STATUS_INVALID_PARAMETER;
326 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
327 return NT_STATUS_INVALID_PARAMETER;
330 tf = (uint8_t *)vector[0].iov_base;
332 if (decryption_key.length == 0) {
333 DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n",
334 (unsigned)decryption_key.length));
335 return NT_STATUS_ACCESS_DENIED;
338 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
339 for (i=1; i < count; i++) {
340 m_total += vector[i].iov_len;
343 flags = SVAL(tf, SMB2_TF_FLAGS);
344 msg_size = IVAL(tf, SMB2_TF_MSG_SIZE);
346 if (flags != SMB2_TF_FLAGS_ENCRYPTED) {
347 return NT_STATUS_ACCESS_DENIED;
350 if (msg_size != m_total) {
351 return NT_STATUS_INTERNAL_ERROR;
354 ZERO_STRUCT(key);
355 memcpy(key, decryption_key.data,
356 MIN(decryption_key.length, AES_BLOCK_SIZE));
358 switch (cipher_id) {
359 case SMB2_ENCRYPTION_AES128_CCM:
360 aes_ccm_128_init(&c.ccm, key,
361 tf + SMB2_TF_NONCE,
362 a_total, m_total);
363 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
364 for (i=1; i < count; i++) {
365 aes_ccm_128_crypt(&c.ccm,
366 (uint8_t *)vector[i].iov_base,
367 vector[i].iov_len);
368 aes_ccm_128_update(&c.ccm,
369 ( uint8_t *)vector[i].iov_base,
370 vector[i].iov_len);
372 aes_ccm_128_digest(&c.ccm, sig);
373 break;
375 case SMB2_ENCRYPTION_AES128_GCM:
376 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
377 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
378 for (i=1; i < count; i++) {
379 aes_gcm_128_updateC(&c.gcm,
380 (const uint8_t *)vector[i].iov_base,
381 vector[i].iov_len);
382 aes_gcm_128_crypt(&c.gcm,
383 (uint8_t *)vector[i].iov_base,
384 vector[i].iov_len);
386 aes_gcm_128_digest(&c.gcm, sig);
387 break;
389 default:
390 ZERO_STRUCT(key);
391 return NT_STATUS_INVALID_PARAMETER;
393 ZERO_STRUCT(key);
395 sig_ptr = tf + SMB2_TF_SIGNATURE;
396 if (memcmp(sig_ptr, sig, 16) != 0) {
397 return NT_STATUS_ACCESS_DENIED;
400 DEBUG(5,("decrypt SMB2 message\n"));
402 return NT_STATUS_OK;