search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libcli/smb: Use gnutls_error_to_ntstatus() in smb2_signing_check_pdu()
[Samba.git] / libcli / smb / smb2_signing.c
blob1ec60a4f9a555fb0cd6a1bfecebcecf6256ef093
1 /*
2 Unix SMB/CIFS implementation.
3 SMB2 signing
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "../libcli/smb/smb_common.h"
24 #include "../lib/crypto/crypto.h"
25 #include "lib/util/iov_buf.h"
26
27 #ifndef HAVE_GNUTLS_AES_CMAC
28 #include "lib/crypto/aes.h"
29 #include "lib/crypto/aes_cmac_128.h"
30 #endif
31
32 #include "lib/crypto/gnutls_helpers.h"
33 #include <gnutls/gnutls.h>
34 #include <gnutls/crypto.h>
35
36 int smb2_signing_key_destructor(struct smb2_signing_key *key)
37 {
38 if (key->hmac_hnd != NULL) {
39 gnutls_hmac_deinit(key->hmac_hnd, NULL);
40 key->hmac_hnd = NULL;
41 }
42
43 if (key->cipher_hnd != NULL) {
44 gnutls_aead_cipher_deinit(key->cipher_hnd);
45 key->cipher_hnd = NULL;
46 }
47
48 return 0;
49 }
50
51 bool smb2_signing_key_valid(const struct smb2_signing_key *key)
52 {
53 if (key == NULL) {
54 return false;
55 }
56
57 if (key->blob.length == 0 || key->blob.data == NULL) {
58 return false;
59 }
60
61 return true;
62 }
63
64 NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
65 enum protocol_types protocol,
66 struct iovec *vector,
67 int count)
68 {
69 uint8_t *hdr;
70 uint64_t session_id;
71 uint8_t res[16];
72 int i;
73
74 if (count < 2) {
75 return NT_STATUS_INVALID_PARAMETER;
76 }
77
78 if (vector[0].iov_len != SMB2_HDR_BODY) {
79 return NT_STATUS_INVALID_PARAMETER;
80 }
81
82 hdr = (uint8_t *)vector[0].iov_base;
83
84 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
85 if (session_id == 0) {
86 /*
87 * do not sign messages with a zero session_id.
88 * See MS-SMB2 3.2.4.1.1
89 */
90 return NT_STATUS_OK;
91 }
92
93 if (!smb2_signing_key_valid(signing_key)) {
94 DBG_WARNING("Wrong session key length %zu for SMB2 signing\n",
95 signing_key->blob.length);
96 return NT_STATUS_ACCESS_DENIED;
97 }
98
99 memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
100
101 SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
102
103 if (protocol >= PROTOCOL_SMB2_24) {
104 #ifdef HAVE_GNUTLS_AES_CMAC
105 gnutls_datum_t key = {
106 .data = signing_key->blob.data,
107 .size = MIN(signing_key->blob.length, 16),
108 };
109 int rc;
110
111 if (signing_key->hmac_hnd == NULL) {
112 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
113 GNUTLS_MAC_AES_CMAC_128,
114 key.data,
115 key.size);
116 if (rc < 0) {
117 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
118 }
119 }
120
121 for (i = 0; i < count; i++) {
122 rc = gnutls_hmac(signing_key->hmac_hnd,
123 vector[i].iov_base,
124 vector[i].iov_len);
125 if (rc < 0) {
126 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
127 }
128 }
129 gnutls_hmac_output(signing_key->hmac_hnd, res);
130 #else /* NOT HAVE_GNUTLS_AES_CMAC */
131 struct aes_cmac_128_context ctx;
132 uint8_t key[AES_BLOCK_SIZE] = {0};
133
134 memcpy(key,
135 signing_key->blob.data,
136 MIN(signing_key->blob.length, 16));
137
138 aes_cmac_128_init(&ctx, key);
139 for (i=0; i < count; i++) {
140 aes_cmac_128_update(&ctx,
141 (const uint8_t *)vector[i].iov_base,
142 vector[i].iov_len);
143 }
144 aes_cmac_128_final(&ctx, res);
145
146 ZERO_ARRAY(key);
147 #endif /* HAVE_GNUTLS_AES_CMAC */
148 } else {
149 uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
150 int rc;
151
152 if (signing_key->hmac_hnd == NULL) {
153 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
154 GNUTLS_MAC_SHA256,
155 signing_key->blob.data,
156 MIN(signing_key->blob.length, 16));
157 if (rc < 0) {
158 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
159 }
160 }
161
162 for (i = 0; i < count; i++) {
163 rc = gnutls_hmac(signing_key->hmac_hnd,
164 vector[i].iov_base,
165 vector[i].iov_len);
166 if (rc < 0) {
167 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
168 }
169 }
170 gnutls_hmac_output(signing_key->hmac_hnd, digest);
171 memcpy(res, digest, sizeof(res));
172 }
173 DEBUG(5,("signed SMB2 message\n"));
174
175 memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
176
177 return NT_STATUS_OK;
178 }
179
180 NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
181 enum protocol_types protocol,
182 const struct iovec *vector,
183 int count)
184 {
185 const uint8_t *hdr;
186 const uint8_t *sig;
187 uint64_t session_id;
188 uint8_t res[16];
189 static const uint8_t zero_sig[16] = { 0, };
190 int i;
191
192 if (count < 2) {
193 return NT_STATUS_INVALID_PARAMETER;
194 }
195
196 if (vector[0].iov_len != SMB2_HDR_BODY) {
197 return NT_STATUS_INVALID_PARAMETER;
198 }
199
200 hdr = (const uint8_t *)vector[0].iov_base;
201
202 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
203 if (session_id == 0) {
204 /*
205 * do not sign messages with a zero session_id.
206 * See MS-SMB2 3.2.4.1.1
207 */
208 return NT_STATUS_OK;
209 }
210
211 if (!smb2_signing_key_valid(signing_key)) {
212 /* we don't have the session key yet */
213 return NT_STATUS_OK;
214 }
215
216 sig = hdr+SMB2_HDR_SIGNATURE;
217
218 if (protocol >= PROTOCOL_SMB2_24) {
219 #ifdef HAVE_GNUTLS_AES_CMAC
220 gnutls_datum_t key = {
221 .data = signing_key->blob.data,
222 .size = MIN(signing_key->blob.length, 16),
223 };
224 int rc;
225
226 if (signing_key->hmac_hnd == NULL) {
227 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
228 GNUTLS_MAC_AES_CMAC_128,
229 key.data,
230 key.size);
231 if (rc < 0) {
232 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
233 }
234 }
235
236 rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
237 if (rc < 0) {
238 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
239 }
240
241 rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
242 if (rc < 0) {
243 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
244 }
245
246 for (i = 1; i < count; i++) {
247 rc = gnutls_hmac(signing_key->hmac_hnd,
248 vector[i].iov_base,
249 vector[i].iov_len);
250 if (rc < 0) {
251 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
252 }
253 }
254 gnutls_hmac_output(signing_key->hmac_hnd, res);
255 #else /* NOT HAVE_GNUTLS_AES_CMAC */
256 struct aes_cmac_128_context ctx;
257 uint8_t key[AES_BLOCK_SIZE] = {0};
258
259 memcpy(key,
260 signing_key->blob.data,
261 MIN(signing_key->blob.length, 16));
262
263 aes_cmac_128_init(&ctx, key);
264 aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
265 aes_cmac_128_update(&ctx, zero_sig, 16);
266 for (i=1; i < count; i++) {
267 aes_cmac_128_update(&ctx,
268 (const uint8_t *)vector[i].iov_base,
269 vector[i].iov_len);
270 }
271 aes_cmac_128_final(&ctx, res);
272
273 ZERO_ARRAY(key);
274 #endif
275 } else {
276 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
277 int rc;
278
279 if (signing_key->hmac_hnd == NULL) {
280 rc = gnutls_hmac_init(&signing_key->hmac_hnd,
281 GNUTLS_MAC_SHA256,
282 signing_key->blob.data,
283 MIN(signing_key->blob.length, 16));
284 if (rc < 0) {
285 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
286 }
287 }
288
289 rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
290 if (rc < 0) {
291 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
292 }
293 rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
294 if (rc < 0) {
295 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
296 }
297
298 for (i = 1; i < count; i++) {
299 rc = gnutls_hmac(signing_key->hmac_hnd,
300 vector[i].iov_base,
301 vector[i].iov_len);
302 if (rc < 0) {
303 return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
304 }
305 }
306 gnutls_hmac_output(signing_key->hmac_hnd, digest);
307 memcpy(res, digest, 16);
308 ZERO_ARRAY(digest);
309 }
310
311 if (memcmp_const_time(res, sig, 16) != 0) {
312 DEBUG(0,("Bad SMB2 signature for message\n"));
313 dump_data(0, sig, 16);
314 dump_data(0, res, 16);
315 return NT_STATUS_ACCESS_DENIED;
316 }
317
318 return NT_STATUS_OK;
319 }
320
321 NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
322 const uint8_t *Label, size_t Label_len,
323 const uint8_t *Context, size_t Context_len,
324 uint8_t KO[16])
325 {
326 gnutls_hmac_hd_t hmac_hnd = NULL;
327 uint8_t buf[4];
328 static const uint8_t zero = 0;
329 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
330 uint32_t i = 1;
331 uint32_t L = 128;
332 int rc;
333
334 /*
335 * a simplified version of
336 * "NIST Special Publication 800-108" section 5.1
337 * using hmac-sha256.
338 */
339 rc = gnutls_hmac_init(&hmac_hnd,
340 GNUTLS_MAC_SHA256,
341 KI,
342 KI_len);
343 if (rc < 0) {
344 return gnutls_error_to_ntstatus(rc,
345 NT_STATUS_HMAC_NOT_SUPPORTED);
346 }
347
348 RSIVAL(buf, 0, i);
349 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
350 if (rc < 0) {
351 return gnutls_error_to_ntstatus(rc,
352 NT_STATUS_HMAC_NOT_SUPPORTED);
353 }
354 rc = gnutls_hmac(hmac_hnd, Label, Label_len);
355 if (rc < 0) {
356 gnutls_hmac_deinit(hmac_hnd, NULL);
357 return gnutls_error_to_ntstatus(rc,
358 NT_STATUS_HMAC_NOT_SUPPORTED);
359 }
360 rc = gnutls_hmac(hmac_hnd, &zero, 1);
361 if (rc < 0) {
362 gnutls_hmac_deinit(hmac_hnd, NULL);
363 return gnutls_error_to_ntstatus(rc,
364 NT_STATUS_HMAC_NOT_SUPPORTED);
365 }
366 rc = gnutls_hmac(hmac_hnd, Context, Context_len);
367 if (rc < 0) {
368 gnutls_hmac_deinit(hmac_hnd, NULL);
369 return gnutls_error_to_ntstatus(rc,
370 NT_STATUS_HMAC_NOT_SUPPORTED);
371 }
372 RSIVAL(buf, 0, L);
373 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
374 if (rc < 0) {
375 gnutls_hmac_deinit(hmac_hnd, NULL);
376 return gnutls_error_to_ntstatus(rc,
377 NT_STATUS_HMAC_NOT_SUPPORTED);
378 }
379
380 gnutls_hmac_deinit(hmac_hnd, digest);
381
382 memcpy(KO, digest, 16);
383
384 ZERO_ARRAY(digest);
385
386 return NT_STATUS_OK;
387 }
388
389 NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
390 uint16_t cipher_id,
391 struct iovec *vector,
392 int count)
393 {
394 uint8_t *tf;
395 uint8_t sig[16];
396 int i;
397 size_t a_total;
398 ssize_t m_total;
399 union {
400 struct aes_ccm_128_context ccm;
401 struct aes_gcm_128_context gcm;
402 } c;
403 uint8_t key[AES_BLOCK_SIZE];
404
405 if (count < 1) {
406 return NT_STATUS_INVALID_PARAMETER;
407 }
408
409 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
410 return NT_STATUS_INVALID_PARAMETER;
411 }
412
413 tf = (uint8_t *)vector[0].iov_base;
414
415 if (encryption_key.length == 0) {
416 DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n",
417 (unsigned)encryption_key.length));
418 return NT_STATUS_ACCESS_DENIED;
419 }
420
421 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
422
423 m_total = iov_buflen(&vector[1], count-1);
424 if (m_total == -1) {
425 return NT_STATUS_BUFFER_TOO_SMALL;
426 }
427
428 SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
429 SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);
430
431 ZERO_STRUCT(key);
432 memcpy(key, encryption_key.data,
433 MIN(encryption_key.length, AES_BLOCK_SIZE));
434
435 switch (cipher_id) {
436 case SMB2_ENCRYPTION_AES128_CCM:
437 aes_ccm_128_init(&c.ccm, key,
438 tf + SMB2_TF_NONCE,
439 a_total, m_total);
440 memset(tf + SMB2_TF_NONCE + AES_CCM_128_NONCE_SIZE, 0,
441 16 - AES_CCM_128_NONCE_SIZE);
442 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
443 for (i=1; i < count; i++) {
444 aes_ccm_128_update(&c.ccm,
445 (const uint8_t *)vector[i].iov_base,
446 vector[i].iov_len);
447 aes_ccm_128_crypt(&c.ccm,
448 (uint8_t *)vector[i].iov_base,
449 vector[i].iov_len);
450 }
451 aes_ccm_128_digest(&c.ccm, sig);
452 break;
453
454 case SMB2_ENCRYPTION_AES128_GCM:
455 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
456 memset(tf + SMB2_TF_NONCE + AES_GCM_128_IV_SIZE, 0,
457 16 - AES_GCM_128_IV_SIZE);
458 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
459 for (i=1; i < count; i++) {
460 aes_gcm_128_crypt(&c.gcm,
461 (uint8_t *)vector[i].iov_base,
462 vector[i].iov_len);
463 aes_gcm_128_updateC(&c.gcm,
464 (const uint8_t *)vector[i].iov_base,
465 vector[i].iov_len);
466 }
467 aes_gcm_128_digest(&c.gcm, sig);
468 break;
469
470 default:
471 ZERO_STRUCT(key);
472 return NT_STATUS_INVALID_PARAMETER;
473 }
474 ZERO_STRUCT(key);
475
476 memcpy(tf + SMB2_TF_SIGNATURE, sig, 16);
477
478 DEBUG(5,("encrypt SMB2 message\n"));
479
480 return NT_STATUS_OK;
481 }
482
483 NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
484 uint16_t cipher_id,
485 struct iovec *vector,
486 int count)
487 {
488 uint8_t *tf;
489 uint16_t flags;
490 uint8_t *sig_ptr = NULL;
491 uint8_t sig[16];
492 int i;
493 size_t a_total;
494 ssize_t m_total;
495 uint32_t msg_size = 0;
496 union {
497 struct aes_ccm_128_context ccm;
498 struct aes_gcm_128_context gcm;
499 } c;
500 uint8_t key[AES_BLOCK_SIZE];
501
502 if (count < 1) {
503 return NT_STATUS_INVALID_PARAMETER;
504 }
505
506 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
507 return NT_STATUS_INVALID_PARAMETER;
508 }
509
510 tf = (uint8_t *)vector[0].iov_base;
511
512 if (decryption_key.length == 0) {
513 DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n",
514 (unsigned)decryption_key.length));
515 return NT_STATUS_ACCESS_DENIED;
516 }
517
518 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
519
520 m_total = iov_buflen(&vector[1], count-1);
521 if (m_total == -1) {
522 return NT_STATUS_BUFFER_TOO_SMALL;
523 }
524
525 flags = SVAL(tf, SMB2_TF_FLAGS);
526 msg_size = IVAL(tf, SMB2_TF_MSG_SIZE);
527
528 if (flags != SMB2_TF_FLAGS_ENCRYPTED) {
529 return NT_STATUS_ACCESS_DENIED;
530 }
531
532 if (msg_size != m_total) {
533 return NT_STATUS_INTERNAL_ERROR;
534 }
535
536 ZERO_STRUCT(key);
537 memcpy(key, decryption_key.data,
538 MIN(decryption_key.length, AES_BLOCK_SIZE));
539
540 switch (cipher_id) {
541 case SMB2_ENCRYPTION_AES128_CCM:
542 aes_ccm_128_init(&c.ccm, key,
543 tf + SMB2_TF_NONCE,
544 a_total, m_total);
545 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
546 for (i=1; i < count; i++) {
547 aes_ccm_128_crypt(&c.ccm,
548 (uint8_t *)vector[i].iov_base,
549 vector[i].iov_len);
550 aes_ccm_128_update(&c.ccm,
551 ( uint8_t *)vector[i].iov_base,
552 vector[i].iov_len);
553 }
554 aes_ccm_128_digest(&c.ccm, sig);
555 break;
556
557 case SMB2_ENCRYPTION_AES128_GCM:
558 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
559 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
560 for (i=1; i < count; i++) {
561 aes_gcm_128_updateC(&c.gcm,
562 (const uint8_t *)vector[i].iov_base,
563 vector[i].iov_len);
564 aes_gcm_128_crypt(&c.gcm,
565 (uint8_t *)vector[i].iov_base,
566 vector[i].iov_len);
567 }
568 aes_gcm_128_digest(&c.gcm, sig);
569 break;
570
571 default:
572 ZERO_STRUCT(key);
573 return NT_STATUS_INVALID_PARAMETER;
574 }
575 ZERO_STRUCT(key);
576
577 sig_ptr = tf + SMB2_TF_SIGNATURE;
578 if (memcmp(sig_ptr, sig, 16) != 0) {
579 return NT_STATUS_ACCESS_DENIED;
580 }
581
582 DEBUG(5,("decrypt SMB2 message\n"));
583
584 return NT_STATUS_OK;
585 }
Samba GIT mirror