2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/filesys.h"
23 #include "../libcli/smb/smb_common.h"
24 #include "../lib/crypto/crypto.h"
25 #include "lib/util/iov_buf.h"
27 #include <gnutls/gnutls.h>
28 #include <gnutls/crypto.h>
30 bool smb2_signing_key_valid(const struct smb2_signing_key *key)
36 if (key->blob.length == 0 || key->blob.data == NULL) {
43 NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
44 enum protocol_types protocol,
54 return NT_STATUS_INVALID_PARAMETER;
57 if (vector[0].iov_len != SMB2_HDR_BODY) {
58 return NT_STATUS_INVALID_PARAMETER;
61 hdr = (uint8_t *)vector[0].iov_base;
63 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
64 if (session_id == 0) {
66 * do not sign messages with a zero session_id.
67 * See MS-SMB2 3.2.4.1.1
72 if (signing_key.length == 0) {
73 DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
74 (unsigned)signing_key.length));
75 return NT_STATUS_ACCESS_DENIED;
78 memset(hdr + SMB2_HDR_SIGNATURE, 0, 16);
80 SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
82 if (protocol >= PROTOCOL_SMB2_24) {
83 struct aes_cmac_128_context ctx;
84 uint8_t key[AES_BLOCK_SIZE] = {0};
86 memcpy(key, signing_key.data, MIN(signing_key.length, 16));
88 aes_cmac_128_init(&ctx, key);
89 for (i=0; i < count; i++) {
90 aes_cmac_128_update(&ctx,
91 (const uint8_t *)vector[i].iov_base,
94 aes_cmac_128_final(&ctx, res);
98 gnutls_hmac_hd_t hmac_hnd = NULL;
99 uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
102 rc = gnutls_hmac_init(&hmac_hnd,
105 MIN(signing_key.length, 16));
107 return NT_STATUS_NO_MEMORY;
110 for (i = 0; i < count; i++) {
111 rc = gnutls_hmac(hmac_hnd,
115 gnutls_hmac_deinit(hmac_hnd, NULL);
116 return NT_STATUS_NO_MEMORY;
119 gnutls_hmac_deinit(hmac_hnd, digest);
120 memcpy(res, digest, sizeof(res));
122 DEBUG(5,("signed SMB2 message\n"));
124 memcpy(hdr + SMB2_HDR_SIGNATURE, res, 16);
129 NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
130 enum protocol_types protocol,
131 const struct iovec *vector,
138 static const uint8_t zero_sig[16] = { 0, };
142 return NT_STATUS_INVALID_PARAMETER;
145 if (vector[0].iov_len != SMB2_HDR_BODY) {
146 return NT_STATUS_INVALID_PARAMETER;
149 hdr = (const uint8_t *)vector[0].iov_base;
151 session_id = BVAL(hdr, SMB2_HDR_SESSION_ID);
152 if (session_id == 0) {
154 * do not sign messages with a zero session_id.
155 * See MS-SMB2 3.2.4.1.1
160 if (signing_key.length == 0) {
161 /* we don't have the session key yet */
165 sig = hdr+SMB2_HDR_SIGNATURE;
167 if (protocol >= PROTOCOL_SMB2_24) {
168 struct aes_cmac_128_context ctx;
169 uint8_t key[AES_BLOCK_SIZE] = {0};
171 memcpy(key, signing_key.data, MIN(signing_key.length, 16));
173 aes_cmac_128_init(&ctx, key);
174 aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
175 aes_cmac_128_update(&ctx, zero_sig, 16);
176 for (i=1; i < count; i++) {
177 aes_cmac_128_update(&ctx,
178 (const uint8_t *)vector[i].iov_base,
181 aes_cmac_128_final(&ctx, res);
185 gnutls_hmac_hd_t hmac_hnd = NULL;
186 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
189 rc = gnutls_hmac_init(&hmac_hnd,
192 MIN(signing_key.length, 16));
194 return NT_STATUS_NO_MEMORY;
197 rc = gnutls_hmac(hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
199 gnutls_hmac_deinit(hmac_hnd, NULL);
200 return NT_STATUS_INTERNAL_ERROR;
202 rc = gnutls_hmac(hmac_hnd, zero_sig, 16);
204 gnutls_hmac_deinit(hmac_hnd, NULL);
205 return NT_STATUS_INTERNAL_ERROR;
208 for (i = 1; i < count; i++) {
209 rc = gnutls_hmac(hmac_hnd,
213 gnutls_hmac_deinit(hmac_hnd, NULL);
214 return NT_STATUS_INTERNAL_ERROR;
217 gnutls_hmac_deinit(hmac_hnd, digest);
218 memcpy(res, digest, 16);
222 if (memcmp_const_time(res, sig, 16) != 0) {
223 DEBUG(0,("Bad SMB2 signature for message\n"));
224 dump_data(0, sig, 16);
225 dump_data(0, res, 16);
226 return NT_STATUS_ACCESS_DENIED;
232 void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
233 const uint8_t *Label, size_t Label_len,
234 const uint8_t *Context, size_t Context_len,
237 gnutls_hmac_hd_t hmac_hnd = NULL;
239 static const uint8_t zero = 0;
240 uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
246 * a simplified version of
247 * "NIST Special Publication 800-108" section 5.1
250 rc = gnutls_hmac_init(&hmac_hnd,
259 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
261 gnutls_hmac_deinit(hmac_hnd, NULL);
264 rc = gnutls_hmac(hmac_hnd, Label, Label_len);
266 gnutls_hmac_deinit(hmac_hnd, NULL);
269 rc = gnutls_hmac(hmac_hnd, &zero, 1);
271 gnutls_hmac_deinit(hmac_hnd, NULL);
274 rc = gnutls_hmac(hmac_hnd, Context, Context_len);
276 gnutls_hmac_deinit(hmac_hnd, NULL);
280 rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
282 gnutls_hmac_deinit(hmac_hnd, NULL);
286 gnutls_hmac_deinit(hmac_hnd, digest);
288 memcpy(KO, digest, 16);
293 NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
295 struct iovec *vector,
304 struct aes_ccm_128_context ccm;
305 struct aes_gcm_128_context gcm;
307 uint8_t key[AES_BLOCK_SIZE];
310 return NT_STATUS_INVALID_PARAMETER;
313 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
314 return NT_STATUS_INVALID_PARAMETER;
317 tf = (uint8_t *)vector[0].iov_base;
319 if (encryption_key.length == 0) {
320 DEBUG(2,("Wrong encryption key length %u for SMB2 signing\n",
321 (unsigned)encryption_key.length));
322 return NT_STATUS_ACCESS_DENIED;
325 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
327 m_total = iov_buflen(&vector[1], count-1);
329 return NT_STATUS_BUFFER_TOO_SMALL;
332 SSVAL(tf, SMB2_TF_FLAGS, SMB2_TF_FLAGS_ENCRYPTED);
333 SIVAL(tf, SMB2_TF_MSG_SIZE, m_total);
336 memcpy(key, encryption_key.data,
337 MIN(encryption_key.length, AES_BLOCK_SIZE));
340 case SMB2_ENCRYPTION_AES128_CCM:
341 aes_ccm_128_init(&c.ccm, key,
344 memset(tf + SMB2_TF_NONCE + AES_CCM_128_NONCE_SIZE, 0,
345 16 - AES_CCM_128_NONCE_SIZE);
346 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
347 for (i=1; i < count; i++) {
348 aes_ccm_128_update(&c.ccm,
349 (const uint8_t *)vector[i].iov_base,
351 aes_ccm_128_crypt(&c.ccm,
352 (uint8_t *)vector[i].iov_base,
355 aes_ccm_128_digest(&c.ccm, sig);
358 case SMB2_ENCRYPTION_AES128_GCM:
359 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
360 memset(tf + SMB2_TF_NONCE + AES_GCM_128_IV_SIZE, 0,
361 16 - AES_GCM_128_IV_SIZE);
362 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
363 for (i=1; i < count; i++) {
364 aes_gcm_128_crypt(&c.gcm,
365 (uint8_t *)vector[i].iov_base,
367 aes_gcm_128_updateC(&c.gcm,
368 (const uint8_t *)vector[i].iov_base,
371 aes_gcm_128_digest(&c.gcm, sig);
376 return NT_STATUS_INVALID_PARAMETER;
380 memcpy(tf + SMB2_TF_SIGNATURE, sig, 16);
382 DEBUG(5,("encrypt SMB2 message\n"));
387 NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,
389 struct iovec *vector,
394 uint8_t *sig_ptr = NULL;
399 uint32_t msg_size = 0;
401 struct aes_ccm_128_context ccm;
402 struct aes_gcm_128_context gcm;
404 uint8_t key[AES_BLOCK_SIZE];
407 return NT_STATUS_INVALID_PARAMETER;
410 if (vector[0].iov_len != SMB2_TF_HDR_SIZE) {
411 return NT_STATUS_INVALID_PARAMETER;
414 tf = (uint8_t *)vector[0].iov_base;
416 if (decryption_key.length == 0) {
417 DEBUG(2,("Wrong decryption key length %u for SMB2 signing\n",
418 (unsigned)decryption_key.length));
419 return NT_STATUS_ACCESS_DENIED;
422 a_total = SMB2_TF_HDR_SIZE - SMB2_TF_NONCE;
424 m_total = iov_buflen(&vector[1], count-1);
426 return NT_STATUS_BUFFER_TOO_SMALL;
429 flags = SVAL(tf, SMB2_TF_FLAGS);
430 msg_size = IVAL(tf, SMB2_TF_MSG_SIZE);
432 if (flags != SMB2_TF_FLAGS_ENCRYPTED) {
433 return NT_STATUS_ACCESS_DENIED;
436 if (msg_size != m_total) {
437 return NT_STATUS_INTERNAL_ERROR;
441 memcpy(key, decryption_key.data,
442 MIN(decryption_key.length, AES_BLOCK_SIZE));
445 case SMB2_ENCRYPTION_AES128_CCM:
446 aes_ccm_128_init(&c.ccm, key,
449 aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);
450 for (i=1; i < count; i++) {
451 aes_ccm_128_crypt(&c.ccm,
452 (uint8_t *)vector[i].iov_base,
454 aes_ccm_128_update(&c.ccm,
455 ( uint8_t *)vector[i].iov_base,
458 aes_ccm_128_digest(&c.ccm, sig);
461 case SMB2_ENCRYPTION_AES128_GCM:
462 aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);
463 aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);
464 for (i=1; i < count; i++) {
465 aes_gcm_128_updateC(&c.gcm,
466 (const uint8_t *)vector[i].iov_base,
468 aes_gcm_128_crypt(&c.gcm,
469 (uint8_t *)vector[i].iov_base,
472 aes_gcm_128_digest(&c.gcm, sig);
477 return NT_STATUS_INVALID_PARAMETER;
481 sig_ptr = tf + SMB2_TF_SIGNATURE;
482 if (memcmp(sig_ptr, sig, 16) != 0) {
483 return NT_STATUS_ACCESS_DENIED;
486 DEBUG(5,("decrypt SMB2 message\n"));