1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2018 Nexenta Systems, Inc. All rights reserved.
24 * Copyright 2022 RackTop Systems, Inc.
25 */
26 /*
27 * These routines provide the SMB MAC signing for the SMB2 server.
28 * The routines calculate the signature of a SMB message in an mbuf chain.
29 *
30 * The following table describes the client server
31 * signing registry relationship
32 *
33 * | Required | Enabled | Disabled
34 * -------------+---------------+------------ +--------------
35 * Required | Signed | Signed | Fail
36 * -------------+---------------+-------------+-----------------
37 * Enabled | Signed | Signed | Not Signed
38 * -------------+---------------+-------------+----------------
39 * Disabled | Fail | Not Signed | Not Signed
40 */
41
42 #include <sys/uio.h>
43 #include <smbsrv/smb2_kproto.h>
44 #include <smbsrv/smb_kcrypt.h>
45 #include <sys/isa_defs.h>
46 #include <sys/byteorder.h>
47 #include <sys/cmn_err.h>
48
49 #define SMB2_SIG_OFFS 48
50 #define SMB2_SIG_SIZE 16
51
52 typedef struct mac_ops {
53 int (*mac_init)(smb_sign_ctx_t *, smb_crypto_mech_t *,
54 uint8_t *, size_t);
55 int (*mac_update)(smb_sign_ctx_t, uint8_t *, size_t);
56 int (*mac_final)(smb_sign_ctx_t, uint8_t *);
57 } mac_ops_t;
58
59 static int smb2_sign_calc_common(smb_request_t *, struct mbuf_chain *,
60 uint8_t *, mac_ops_t *);
61
62 /*
63 * SMB2 wrapper functions
64 */
65
66 static mac_ops_t
67 smb2_sign_ops = {
68 smb2_hmac_init,
69 smb2_hmac_update,
70 smb2_hmac_final
71 };
72
73 static int
smb2_sign_calc(smb_request_t * sr,struct mbuf_chain * mbc,uint8_t * digest16)74 smb2_sign_calc(smb_request_t *sr,
75 struct mbuf_chain *mbc,
76 uint8_t *digest16)
77 {
78 int rv;
79
80 rv = smb2_sign_calc_common(sr, mbc, digest16, &smb2_sign_ops);
81
82 return (rv);
83 }
84
85 /*
86 * Called during session destroy.
87 */
88 static void
smb2_sign_fini(smb_session_t * s)89 smb2_sign_fini(smb_session_t *s)
90 {
91 smb_crypto_mech_t *mech;
92
93 if ((mech = s->sign_mech) != NULL) {
94 kmem_free(mech, sizeof (*mech));
95 s->sign_mech = NULL;
96 }
97 }
98
99 /*
100 * SMB3 wrapper functions
101 */
102
103 static struct mac_ops
104 smb3_sign_ops = {
105 smb3_cmac_init,
106 smb3_cmac_update,
107 smb3_cmac_final
108 };
109
110 static int
smb3_sign_calc(smb_request_t * sr,struct mbuf_chain * mbc,uint8_t * digest16)111 smb3_sign_calc(smb_request_t *sr,
112 struct mbuf_chain *mbc,
113 uint8_t *digest16)
114 {
115 int rv;
116
117 rv = smb2_sign_calc_common(sr, mbc, digest16, &smb3_sign_ops);
118
119 return (rv);
120 }
121
122 void
smb2_sign_init_mech(smb_session_t * s)123 smb2_sign_init_mech(smb_session_t *s)
124 {
125 smb_crypto_mech_t *mech;
126 int (*get_mech)(smb_crypto_mech_t *);
127 int (*sign_calc)(smb_request_t *, struct mbuf_chain *, uint8_t *);
128 int rc;
129
130 if (s->sign_mech != NULL)
131 return;
132
133 if (s->dialect >= SMB_VERS_3_0) {
134 get_mech = smb3_cmac_getmech;
135 sign_calc = smb3_sign_calc;
136 } else {
137 get_mech = smb2_hmac_getmech;
138 sign_calc = smb2_sign_calc;
139 }
140
141 mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
142 rc = get_mech(mech);
143 if (rc != 0) {
144 kmem_free(mech, sizeof (*mech));
145 return;
146 }
147 s->sign_mech = mech;
148 s->sign_calc = sign_calc;
149 s->sign_fini = smb2_sign_fini;
150 }
151
152 /*
153 * smb2_sign_begin
154 * Handles both SMB2 & SMB3
155 *
156 * Get the mechanism info.
157 * Intializes MAC key based on the user session key and store it in
158 * the signing structure. This begins signing on this session.
159 */
160 void
smb2_sign_begin(smb_request_t * sr,smb_token_t * token)161 smb2_sign_begin(smb_request_t *sr, smb_token_t *token)
162 {
163 smb_session_t *s = sr->session;
164 smb_user_t *u = sr->uid_user;
165 struct smb_key *sign_key = &u->u_sign_key;
166
167 sign_key->len = 0;
168
169 /*
170 * We should normally have a session key here because
171 * our caller filters out Anonymous and Guest logons.
172 * However, buggy clients could get us here without a
173 * session key, in which case we'll fail later when a
174 * request that requires signing can't be checked.
175 * Also, don't bother initializing if we don't have a mechanism.
176 */
177 if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0 ||
178 s->sign_mech == NULL)
179 return;
180
181 /*
182 * Compute and store the signing key, which lives in
183 * the user structure.
184 */
185 if (s->dialect >= SMB_VERS_3_0) {
186 /*
187 * For SMB3, the signing key is a "KDF" hash of the
188 * session key. Limit the SessionKey input to its
189 * maximum size (16 bytes)
190 */
191 uint32_t ssnkey_len = MIN(token->tkn_ssnkey.len, SMB2_KEYLEN);
192 if (s->dialect >= SMB_VERS_3_11) {
193 if (smb3_kdf(sign_key->key, SMB2_KEYLEN,
194 token->tkn_ssnkey.val, ssnkey_len,
195 (uint8_t *)"SMBSigningKey", 14,
196 u->u_preauth_hashval, SHA512_DIGEST_LENGTH)
197 != 0)
198 return;
199 } else {
200 if (smb3_kdf(sign_key->key, SMB2_KEYLEN,
201 token->tkn_ssnkey.val, ssnkey_len,
202 (uint8_t *)"SMB2AESCMAC", 12,
203 (uint8_t *)"SmbSign", 8)
204 != 0)
205 return;
206 }
207 sign_key->len = SMB2_KEYLEN;
208 } else {
209 /*
210 * For SMB2, the signing key is just the first 16 bytes
211 * of the session key (truncated or padded with zeros).
212 * [MS-SMB2] 3.2.5.3.1
213 */
214 sign_key->len = SMB2_KEYLEN;
215 bcopy(token->tkn_ssnkey.val, sign_key->key,
216 MIN(token->tkn_ssnkey.len, sign_key->len));
217 }
218
219 mutex_enter(&u->u_mutex);
220 if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_ENABLED) != 0)
221 u->u_sign_flags |= SMB_SIGNING_ENABLED;
222 if ((s->srv_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0 ||
223 (s->cli_secmode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0)
224 u->u_sign_flags |=
225 SMB_SIGNING_ENABLED | SMB_SIGNING_CHECK;
226 mutex_exit(&u->u_mutex);
227
228 /*
229 * If we just turned on signing, the current request
230 * (an SMB2 session setup) will have come in without
231 * SMB2_FLAGS_SIGNED (and not signed) but the response
232 * is is supposed to be signed. [MS-SMB2] 3.3.5.5
233 */
234 if (u->u_sign_flags & SMB_SIGNING_ENABLED)
235 sr->smb2_hdr_flags |= SMB2_FLAGS_SIGNED;
236 }
237
238 /*
239 * smb2_sign_calc_common
240 *
241 * Calculates MAC signature for the given buffer and returns
242 * it in the mac_sign parameter.
243 *
244 * The signature algorithm is to compute HMAC SHA256 or AES_CMAC
245 * over the entire command, with the signature field set to zeros.
246 *
247 * Return 0 if success else -1
248 */
249
250 static int
smb2_sign_calc_common(smb_request_t * sr,struct mbuf_chain * mbc,uint8_t * digest,mac_ops_t * ops)251 smb2_sign_calc_common(smb_request_t *sr, struct mbuf_chain *mbc,
252 uint8_t *digest, mac_ops_t *ops)
253 {
254 uint8_t tmp_hdr[SMB2_HDR_SIZE];
255 smb_sign_ctx_t ctx = 0;
256 smb_session_t *s = sr->session;
257 smb_user_t *u = sr->uid_user;
258 struct smb_key *sign_key = &u->u_sign_key;
259 struct mbuf *mbuf;
260 int offset, resid, tlen, rc;
261
262 if (s->sign_mech == NULL || sign_key->len == 0)
263 return (-1);
264
265 /* smb2_hmac_init or smb3_cmac_init */
266 rc = ops->mac_init(&ctx, s->sign_mech, sign_key->key, sign_key->len);
267 if (rc != 0)
268 return (rc);
269
270 /*
271 * Work with a copy of the SMB2 header so we can
272 * clear the signature field without modifying
273 * the original message.
274 */
275 tlen = SMB2_HDR_SIZE;
276 offset = mbc->chain_offset;
277 resid = mbc->max_bytes - offset;
278 if (smb_mbc_peek(mbc, offset, "#c", tlen, tmp_hdr) != 0)
279 return (-1);
280 bzero(tmp_hdr + SMB2_SIG_OFFS, SMB2_SIG_SIZE);
281 /* smb2_hmac_update or smb3_cmac_update */
282 if ((rc = ops->mac_update(ctx, tmp_hdr, tlen)) != 0)
283 return (rc);
284 offset += tlen;
285 resid -= tlen;
286
287 /*
288 * Digest the rest of the SMB packet, starting at the data
289 * just after the SMB header.
290 *
291 * Advance to the src mbuf where we start digesting.
292 */
293 mbuf = mbc->chain;
294 while (mbuf != NULL && (offset >= mbuf->m_len)) {
295 offset -= mbuf->m_len;
296 mbuf = mbuf->m_next;
297 }
298
299 if (mbuf == NULL)
300 return (-1);
301
302 /*
303 * Digest the remainder of this mbuf, limited to the
304 * residual count, and starting at the current offset.
305 * (typically SMB2_HDR_SIZE)
306 */
307 tlen = mbuf->m_len - offset;
308 if (tlen > resid)
309 tlen = resid;
310 /* smb2_hmac_update or smb3_cmac_update */
311 rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data + offset, tlen);
312 if (rc != 0)
313 return (rc);
314 resid -= tlen;
315
316 /*
317 * Digest any more mbufs in the chain.
318 */
319 while (resid > 0) {
320 mbuf = mbuf->m_next;
321 if (mbuf == NULL)
322 return (-1);
323 tlen = mbuf->m_len;
324 if (tlen > resid)
325 tlen = resid;
326 rc = ops->mac_update(ctx, (uint8_t *)mbuf->m_data, tlen);
327 if (rc != 0)
328 return (rc);
329 resid -= tlen;
330 }
331
332 /*
333 * smb2_hmac_final or smb3_cmac_final
334 * Note: digest is _always_ SMB2_SIG_SIZE,
335 * even if the mech uses a longer one.
336 *
337 * smb2_hmac_update or smb3_cmac_update
338 */
339 if ((rc = ops->mac_final(ctx, digest)) != 0)
340 return (rc);
341
342 return (0);
343 }
344
345 /*
346 * smb2_sign_check_request
347 *
348 * Calculates MAC signature for the request mbuf chain
349 * using the next expected sequence number and compares
350 * it to the given signature.
351 *
352 * Note it does not check the signature for secondary transactions
353 * as their sequence number is the same as the original request.
354 *
355 * Return 0 if the signature verifies, otherwise, returns -1;
356 *
357 */
358 int
smb2_sign_check_request(smb_request_t * sr)359 smb2_sign_check_request(smb_request_t *sr)
360 {
361 uint8_t req_sig[SMB2_SIG_SIZE];
362 uint8_t vfy_sig[SMB2_SIG_SIZE];
363 struct mbuf_chain *mbc = &sr->smb_data;
364 smb_session_t *s = sr->session;
365 smb_user_t *u = sr->uid_user;
366 int sig_off;
367
368 /*
369 * Don't check commands with a zero session ID.
370 * [MS-SMB2] 3.3.4.1.1
371 */
372 if (sr->smb2_ssnid == 0 || u == NULL)
373 return (0);
374
375 /* In case _sign_begin failed. */
376 if (s->sign_calc == NULL)
377 return (-1);
378
379 /* Get the request signature. */
380 sig_off = sr->smb2_cmd_hdr + SMB2_SIG_OFFS;
381 if (smb_mbc_peek(mbc, sig_off, "#c", SMB2_SIG_SIZE, req_sig) != 0)
382 return (-1);
383
384 /*
385 * Compute the correct signature and compare.
386 * smb2_sign_calc() or smb3_sign_calc()
387 */
388 if (s->sign_calc(sr, mbc, vfy_sig) != 0)
389 return (-1);
390
391 if (memcmp(vfy_sig, req_sig, SMB2_SIG_SIZE) == 0) {
392 return (0);
393 }
394
395 DTRACE_PROBE2(signature__mismatch, smb_request_t *, sr,
396 uint8_t *, vfy_sig);
397
398 return (-1);
399 }
400
401 /*
402 * smb2_sign_reply
403 *
404 * Calculates MAC signature for the given mbuf chain,
405 * and write it to the signature field in the mbuf.
406 *
407 */
408 void
smb2_sign_reply(smb_request_t * sr)409 smb2_sign_reply(smb_request_t *sr)
410 {
411 uint8_t reply_sig[SMB2_SIG_SIZE];
412 struct mbuf_chain tmp_mbc;
413 smb_session_t *s = sr->session;
414 smb_user_t *u = sr->uid_user;
415 int hdr_off, msg_len;
416
417 if (u == NULL)
418 return;
419 if (s->sign_calc == NULL)
420 return;
421
422 msg_len = sr->reply.chain_offset - sr->smb2_reply_hdr;
423 (void) MBC_SHADOW_CHAIN(&tmp_mbc, &sr->reply,
424 sr->smb2_reply_hdr, msg_len);
425
426 /*
427 * Calculate the MAC signature for this reply.
428 * smb2_sign_calc() or smb3_sign_calc()
429 */
430 if (s->sign_calc(sr, &tmp_mbc, reply_sig) != 0)
431 return;
432
433 /*
434 * Poke the signature into the response.
435 */
436 hdr_off = sr->smb2_reply_hdr + SMB2_SIG_OFFS;
437 (void) smb_mbc_poke(&sr->reply, hdr_off, "#c",
438 SMB2_SIG_SIZE, reply_sig);
439 }
440