xref: /illumos-gate/usr/src/uts/common/fs/smbsrv/smb3_kdf.c (revision 9d6ca3965c3358c32eb68544fe91ff8ad9c3fcde)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
24  * Copyright 2020 RackTop Systems, Inc.
25  */
26 
27 #include <smbsrv/smb_kcrypt.h>
28 #include <sys/types.h>
29 #include <sys/sysmacros.h>
30 #include <sys/ddi.h>
31 #include <sys/sunddi.h>
32 
33 /*
34  * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2
35  * and [NIST SP800-108]
36  *
37  * r = 32, L = 128, PRF = HMAC-SHA256, key = (session key)
38  */
39 
40 /*
41  * SMB 3.0.2 KDF Input
42  *
43  * Session.SigningKey for binding a session:
44  * - Session.SessionKey as K1
45  * - label = "SMB2AESCMAC" (size 12)
46  * - context = "SmbSign" (size 8)
47  * Channel.SigningKey for for all other requests
48  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
49  * - otherwise, Session.SessionKey as K1
50  * - label = "SMB2AESCMAC" (size 12)
51  * - context = "SmbSign" (size 8)
52  * Session.ApplicationKey for ... (not sure what yet)
53  * - Session.SessionKey as K1
54  * - label = "SMB2APP" (size 8)
55  * - context = "SmbRpc" (size 7)
56  * Session.EncryptionKey for encrypting server messages
57  * - Session.SessionKey as K1
58  * - label = "SMB2AESCCM" (size 11)
59  * - context = "ServerOut" (size 10)
60  * Session.DecryptionKey for decrypting client requests
61  * - Session.SessionKey as K1
62  * - label = "SMB2AESCCM" (size 11)
63  * - context = "ServerIn " (size 10) (Note the space)
64  */
65 
66 /*
67  * SMB 3.1.1 KDF Input
68  *
69  * Session.SigningKey for binding a session:
70  * - Session.SessionKey as K1
71  * - label = "SMBSigningKey" (size 14)
72  * - context = preauth hashval
73  * Channel.SigningKey for for all other requests
74  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
75  * - otherwise, Session.SessionKey as K1
76  * - label = "SMBSigningKey" (size 14)
77  * - context = preauth hashval
78  * Session.EncryptionKey for encrypting server messages
79  * - Session.SessionKey as K1
80  * - label = "SMBS2CCipherKey" (size 16)
81  * - context = preauth hashval
82  * Session.DecryptionKey for decrypting client requests
83  * - Session.SessionKey as K1
84  * - label = "SMBC2SCipherKey" (size 16)
85  * - context = preauth hashval
86  */
87 
88 /*
89  * SMB3KDF(Ki, Label, Context)
90  * counter || Label || 0x00 || Context || L
91  */
92 int
93 smb3_kdf(uint8_t *outbuf,
94     uint8_t *key, size_t key_len,
95     uint8_t *label, size_t label_len,
96     uint8_t *context, size_t context_len)
97 {
98 	static uint8_t L[4] = { 0, 0, 0, 0x80 };
99 	uint8_t digest32[SHA256_DIGEST_LENGTH];
100 	/* Maximum length of kdf input is 89 for Encription/Decryption key */
101 	uint8_t kdfbuf[89] = { 0, 0, 0, 1 };	/* initialized by counter */
102 	smb_crypto_mech_t mech;
103 	smb_sign_ctx_t hctx = 0;
104 	int pos = 4;	/* skip counter */
105 	int rc;
106 
107 	bcopy(label, &kdfbuf[pos], label_len);
108 	pos += label_len;
109 
110 	kdfbuf[pos] = 0;
111 	pos++;
112 
113 	bcopy(context, &kdfbuf[pos], context_len);
114 	pos += context_len;
115 
116 	bcopy(L, &kdfbuf[pos], 4);
117 	pos += 4;
118 
119 	bzero(&mech, sizeof (mech));
120 	if ((rc = smb2_hmac_getmech(&mech)) != 0)
121 		return (rc);
122 
123 	/* Limit the SessionKey input to its maximum size (16 bytes) */
124 	rc = smb2_hmac_init(&hctx, &mech, key, MIN(key_len, SMB2_KEYLEN));
125 	if (rc != 0)
126 		return (rc);
127 
128 	if ((rc = smb2_hmac_update(hctx, kdfbuf, pos)) != 0)
129 		return (rc);
130 
131 	if ((rc = smb2_hmac_final(hctx, digest32)) != 0)
132 		return (rc);
133 
134 	/* Output is first 16 bytes of digest. */
135 	bcopy(digest32, outbuf, SMB3_KEYLEN);
136 	return (0);
137 }
138