1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
|
/*
* This file and its contents are supplied under the terms of the
* Common Development and Distribution License ("CDDL"), version 1.0.
* You may only use this file in accordance with the terms of version
* 1.0 of the CDDL.
*
* A full copy of the text of the CDDL should have accompanied this
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
* Copyright 2017 Nexenta Systems, Inc. All rights reserved.
* Copyright 2020 RackTop Systems, Inc.
*/
/*
* Routines for smb3 encryption.
*/
#include <smbsrv/smb2_kproto.h>
#include <smbsrv/smb_kcrypt.h>
#include <sys/random.h>
#include <sys/cmn_err.h>
#define SMB3_NONCE_OFFS 20
#define SMB3_SIG_OFFS 4
#define SMB3_AES128_CCM_NONCE_SIZE 11
#define SMB3_AES128_GCM_NONCE_SIZE 12
/*
* Arbitrary value used to prevent nonce reuse via overflow. Currently
* 2^64 - 2^32 - 1. Assumes we can't have (or are unlikely to have)
* 2^32 concurrent messages when we hit this number.
*/
static uint64_t smb3_max_nonce = 0xffffffff00000000ULL;
/*
* Nonce generation based on draft-mcgrew-iv-gen-01
* "Generation of Deterministic Initialization Vectors (IVs) and Nonces"
*
* Generate an 8-byte random salt and a 3-byte random 'fixed' value.
* then, nonce = (++counter ^ salt) || fixed
*
* This protects against nonce-reuse (8-byte counter), as well as known
* attacks on reusing nonces with different keys
*/
void
smb3_encrypt_init_nonce(smb_user_t *user)
{
user->u_nonce_cnt = 0;
(void) random_get_pseudo_bytes(user->u_nonce_fixed,
sizeof (user->u_nonce_fixed));
(void) random_get_pseudo_bytes((uint8_t *)&user->u_salt,
sizeof (user->u_salt));
}
int
smb3_encrypt_gen_nonce(smb_user_t *user, uint8_t *buf, size_t len)
{
uint64_t cnt = atomic_inc_64_nv(&user->u_nonce_cnt);
/*
* Nonces must be unique per-key for the life of the key.
* Bail before we roll over to avoid breaking the crypto.
*/
if (cnt > smb3_max_nonce)
return (-1);
cnt ^= user->u_salt;
bcopy((uint8_t *)&cnt, buf, sizeof (cnt));
ASSERT(len > sizeof (cnt));
bcopy(user->u_nonce_fixed, buf + sizeof (cnt), len - sizeof (cnt));
return (0);
}
int
smb3_encrypt_init_mech(smb_session_t *s)
{
smb_crypto_mech_t *mech;
int rc;
if (s->enc_mech != NULL)
return (0);
if (s->dialect < SMB_VERS_3_11)
s->smb31_enc_cipherid = SMB3_CIPHER_AES128_CCM;
mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
switch (s->smb31_enc_cipherid) {
case SMB3_CIPHER_AES128_GCM:
rc = smb3_aes_gcm_getmech(mech);
break;
case SMB3_CIPHER_AES128_CCM:
rc = smb3_aes_ccm_getmech(mech);
break;
default:
rc = -1;
break;
}
if (rc != 0) {
kmem_free(mech, sizeof (*mech));
return (rc);
}
s->enc_mech = mech;
return (0);
}
/*
* Initializes keys/state required for SMB3 Encryption.
* Note: If a failure occurs here, don't fail the request.
* Instead, return an error when we attempt to encrypt/decrypt.
*/
void
smb3_encrypt_begin(smb_request_t *sr, smb_token_t *token)
{
smb_session_t *s = sr->session;
smb_user_t *u = sr->uid_user;
struct smb_key *enc_key = &u->u_enc_key;
struct smb_key *dec_key = &u->u_dec_key;
/*
* In order to enforce encryption, all users need to
* have Session.EncryptData properly set, even anon/guest.
*/
u->u_encrypt = s->s_server->sv_cfg.skc_encrypt;
enc_key->len = 0;
dec_key->len = 0;
/*
* If we don't have a session key, we'll fail later when a
* request that requires (en/de)cryption can't be (en/de)crypted.
* Also don't bother initializing if we don't have a mechanism.
*/
if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
s->enc_mech == NULL)
return;
/*
* Compute and store the encryption keys, which live in
* the user structure.
*/
/*
* For SMB3, the encrypt/decrypt keys are derived from
* the session key using KDF in counter mode.
*/
if (s->dialect >= SMB_VERS_3_11) {
if (smb3_kdf(enc_key->key,
token->tkn_ssnkey.val, token->tkn_ssnkey.len,
(uint8_t *)"SMBS2CCipherKey", 16,
u->u_preauth_hashval, SHA512_DIGEST_LENGTH) != 0)
return;
if (smb3_kdf(dec_key->key,
token->tkn_ssnkey.val, token->tkn_ssnkey.len,
(uint8_t *)"SMBC2SCipherKey", 16,
u->u_preauth_hashval, SHA512_DIGEST_LENGTH) != 0)
return;
} else {
if (smb3_kdf(enc_key->key,
token->tkn_ssnkey.val, token->tkn_ssnkey.len,
(uint8_t *)"SMB2AESCCM", 11,
(uint8_t *)"ServerOut", 10) != 0)
return;
if (smb3_kdf(dec_key->key,
token->tkn_ssnkey.val, token->tkn_ssnkey.len,
(uint8_t *)"SMB2AESCCM", 11,
(uint8_t *)"ServerIn ", 10) != 0)
return;
}
smb3_encrypt_init_nonce(u);
enc_key->len = SMB3_KEYLEN;
dec_key->len = SMB3_KEYLEN;
}
/*
* Decrypt the request in sr->command.
* This decrypts "in place", though due to CCM's design,
* it processes all input before doing any output.
*/
int
smb3_decrypt_sr(smb_request_t *sr)
{
struct mbuf_chain *mbc = &sr->command;
smb_session_t *s = sr->session;
smb_user_t *u = sr->tform_ssn;
uint8_t tmp_hdr[SMB2_HDR_SIZE];
smb3_enc_ctx_t ctx;
struct smb_key *dec_key = &u->u_dec_key;
struct mbuf *mbuf;
int offset, resid, tlen, rc;
smb3_crypto_param_t param;
smb_crypto_mech_t mech;
boolean_t gcm = sr->session->smb31_enc_cipherid ==
SMB3_CIPHER_AES128_GCM;
size_t nonce_size = (gcm ? SMB3_AES128_GCM_NONCE_SIZE :
SMB3_AES128_CCM_NONCE_SIZE);
ASSERT(u != NULL);
if (s->enc_mech == NULL || dec_key->len != 16) {
return (-1);
}
tlen = SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS;
offset = mbc->chain_offset + SMB3_NONCE_OFFS;
resid = mbc->max_bytes - offset;
if (resid < (sr->msgsize + tlen)) {
cmn_err(CE_WARN, "too little data to decrypt");
return (-1);
}
if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0) {
return (-1);
}
offset += tlen;
resid -= tlen;
/*
* The transform header, minus the PROTOCOL_ID and the
* SIGNATURE, is authenticated but not encrypted.
*/
if (gcm)
smb3_crypto_init_gcm_param(¶m, sr->nonce, nonce_size,
tmp_hdr, tlen);
else
smb3_crypto_init_ccm_param(¶m, sr->nonce, nonce_size,
tmp_hdr, tlen, sr->msgsize + SMB2_SIG_SIZE);
/*
* Unlike signing, which uses one global mech struct,
* encryption requires modifying the mech to add a
* per-use param struct. Thus, we need to make a copy.
*/
mech = *(smb_crypto_mech_t *)s->enc_mech;
rc = smb3_decrypt_init(&ctx, &mech, ¶m,
dec_key->key, dec_key->len);
if (rc != 0) {
return (rc);
}
/*
* Digest the rest of the SMB packet, starting at the data
* just after the SMB header.
*
* Advance to the src mbuf where we start digesting.
*/
mbuf = mbc->chain;
while (mbuf != NULL && (offset >= mbuf->m_len)) {
offset -= mbuf->m_len;
mbuf = mbuf->m_next;
}
if (mbuf == NULL)
return (-1);
/*
* Digest the remainder of this mbuf, limited to the
* residual count, and starting at the current offset.
*/
tlen = mbuf->m_len - offset;
if (tlen > resid)
tlen = resid;
rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data + offset, tlen);
if (rc != 0) {
return (rc);
}
resid -= tlen;
/*
* Digest any more mbufs in the chain.
*/
while (resid > 0) {
mbuf = mbuf->m_next;
if (mbuf == NULL) {
smb3_encrypt_cancel(&ctx);
return (-1);
}
tlen = mbuf->m_len;
if (tlen > resid)
tlen = resid;
rc = smb3_decrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
if (rc != 0) {
return (rc);
}
resid -= tlen;
}
/*
* AES_CCM processes the signature like normal data.
*/
rc = smb3_decrypt_update(&ctx, sr->smb2_sig, SMB2_SIG_SIZE);
if (rc != 0) {
cmn_err(CE_WARN, "failed to process signature");
return (rc);
}
/*
* smb3_decrypt_final will return an error
* if the signatures don't match.
*/
rc = smb3_decrypt_final(&ctx, sr->sr_request_buf, sr->sr_req_length);
/*
* We had to decode TFORM_HDR_SIZE bytes before we got here,
* and we just peeked the first TFORM_HDR_SIZE bytes at the
* beginning of this function, so this can't underflow.
*/
ASSERT(sr->command.max_bytes > SMB3_TFORM_HDR_SIZE);
sr->command.max_bytes -= SMB3_TFORM_HDR_SIZE;
return (rc);
}
/*
* Encrypt the response in in_mbc, and output
* an encrypted response in out_mbc.
* The data in in_mbc is preserved.
*/
int
smb3_encrypt_sr(smb_request_t *sr, struct mbuf_chain *in_mbc,
struct mbuf_chain *out_mbc)
{
smb_session_t *s = sr->session;
smb_user_t *u = sr->tform_ssn;
uint8_t *buf = (uint8_t *)out_mbc->chain->m_data;
size_t buflen = out_mbc->max_bytes;
smb3_enc_ctx_t ctx;
struct smb_key *enc_key = &u->u_enc_key;
struct mbuf *mbuf;
int resid, tlen, rc;
smb3_crypto_param_t param;
smb_crypto_mech_t mech;
boolean_t gcm = sr->session->smb31_enc_cipherid ==
SMB3_CIPHER_AES128_GCM;
size_t nonce_size = (gcm ? SMB3_AES128_GCM_NONCE_SIZE :
SMB3_AES128_CCM_NONCE_SIZE);
ASSERT(u != NULL);
if (s->enc_mech == NULL || enc_key->len != 16) {
return (-1);
}
rc = smb3_encrypt_gen_nonce(u, sr->nonce, nonce_size);
if (rc != 0) {
cmn_err(CE_WARN, "ran out of nonces");
return (-1);
}
(void) smb_mbc_poke(out_mbc, SMB3_NONCE_OFFS, "#c",
nonce_size, sr->nonce);
resid = in_mbc->max_bytes;
/*
* The transform header, minus the PROTOCOL_ID and the
* SIGNATURE, is authenticated but not encrypted.
*/
if (gcm)
smb3_crypto_init_gcm_param(¶m, sr->nonce, nonce_size,
buf + SMB3_NONCE_OFFS,
SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS);
else
smb3_crypto_init_ccm_param(¶m, sr->nonce, nonce_size,
buf + SMB3_NONCE_OFFS,
SMB3_TFORM_HDR_SIZE - SMB3_NONCE_OFFS, resid);
/*
* Unlike signing, which uses one global mech struct,
* encryption requires modifying the mech to add a
* per-use param struct. Thus, we need to make a copy.
*/
mech = *(smb_crypto_mech_t *)s->enc_mech;
rc = smb3_encrypt_init(&ctx, &mech, ¶m,
enc_key->key, enc_key->len, buf + SMB3_TFORM_HDR_SIZE,
buflen - SMB3_TFORM_HDR_SIZE);
if (rc != 0) {
return (rc);
}
/*
* Unlike signing and decryption, we're processing the entirety of the
* message here, so we don't skip anything.
*/
mbuf = in_mbc->chain;
while (resid > 0 && mbuf != NULL) {
tlen = mbuf->m_len;
if (tlen > resid)
tlen = resid;
rc = smb3_encrypt_update(&ctx, (uint8_t *)mbuf->m_data, tlen);
if (rc != 0) {
return (rc);
}
resid -= tlen;
mbuf = mbuf->m_next;
}
if (mbuf == NULL && resid > 0) {
cmn_err(CE_WARN, "not enough data to encrypt");
smb3_encrypt_cancel(&ctx);
return (-1);
}
rc = smb3_encrypt_final(&ctx, buf + SMB3_SIG_OFFS);
return (rc);
}
void
smb3_encrypt_fini(smb_session_t *s)
{
smb_crypto_mech_t *mech;
if ((mech = s->enc_mech) != NULL) {
kmem_free(mech, sizeof (*mech));
s->enc_mech = NULL;
}
}
|
