1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /*
13  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
14  * Copyright 2020 RackTop Systems, Inc.
15  */
16 
17 /*
18  * Helper functions for SMB3 encryption using the
19  * Kernel Cryptographic Framework (KCF)
20  *
21  * There are two implementations of these functions:
22  * This one (for kernel) and another for user space:
23  * See: lib/smbsrv/libfksmbsrv/common/fksmb_encrypt_pkcs.c
24  */
25 
26 #include <sys/crypto/api.h>
27 #include <smbsrv/smb_kcrypt.h>
28 #include <smbsrv/smb2_kproto.h>
29 #include <sys/cmn_err.h>
30 
31 /*
32  * Common function to see if a mech is available.
33  */
34 static int
find_mech(smb_crypto_mech_t * mech,crypto_mech_name_t name)35 find_mech(smb_crypto_mech_t *mech, crypto_mech_name_t name)
36 {
37 	crypto_mech_type_t t;
38 
39 	t = crypto_mech2id(name);
40 	if (t == CRYPTO_MECH_INVALID) {
41 		cmn_err(CE_NOTE, "smb: no kcf mech: %s", name);
42 		return (-1);
43 	}
44 	mech->cm_type = t;
45 	return (0);
46 }
47 
48 /*
49  * SMB3 encryption helpers:
50  * (getmech, init, update, final)
51  */
52 
53 int
smb3_aes_ccm_getmech(smb_crypto_mech_t * mech)54 smb3_aes_ccm_getmech(smb_crypto_mech_t *mech)
55 {
56 	return (find_mech(mech, SUN_CKM_AES_CCM));
57 }
58 
59 int
smb3_aes_gcm_getmech(smb_crypto_mech_t * mech)60 smb3_aes_gcm_getmech(smb_crypto_mech_t *mech)
61 {
62 	return (find_mech(mech, SUN_CKM_AES_GCM));
63 }
64 
65 void
smb3_crypto_init_ccm_param(smb3_crypto_param_t * param,uint8_t * nonce,size_t noncesize,uint8_t * auth,size_t authsize,size_t datasize)66 smb3_crypto_init_ccm_param(smb3_crypto_param_t *param,
67     uint8_t *nonce, size_t noncesize, uint8_t *auth, size_t authsize,
68     size_t datasize)
69 {
70 	param->ccm.ulMACSize = SMB2_SIG_SIZE;
71 	param->ccm.ulNonceSize = noncesize;
72 	param->ccm.nonce = nonce;
73 	param->ccm.ulDataSize = datasize;
74 	param->ccm.ulAuthDataSize = authsize;
75 	param->ccm.authData = auth;
76 }
77 
78 void
smb3_crypto_init_gcm_param(smb3_crypto_param_t * param,uint8_t * nonce,size_t noncesize,uint8_t * auth,size_t authsize)79 smb3_crypto_init_gcm_param(smb3_crypto_param_t *param,
80     uint8_t *nonce, size_t noncesize, uint8_t *auth, size_t authsize)
81 {
82 	ASSERT3U(noncesize, ==, 12);
83 	param->gcm.pIv = nonce;
84 	param->gcm.ulIvLen = noncesize;		/* should be 12 bytes */
85 	/* tform hdr size - (protcolo id + signing) == 32 bytes */
86 	param->gcm.ulTagBits = SMB2_SIG_SIZE << 3; /* convert bytes to bits */
87 	param->gcm.pAAD = auth;			/* auth data */
88 	param->gcm.ulAADLen = authsize;		/* auth data len */
89 }
90 
91 /*
92  * Start the KCF session, load the key
93  */
94 static int
smb3_crypto_init(smb3_enc_ctx_t * ctxp,smb_crypto_mech_t * mech,uint8_t * key,size_t key_len,smb3_crypto_param_t * param,boolean_t is_encrypt)95 smb3_crypto_init(smb3_enc_ctx_t *ctxp, smb_crypto_mech_t *mech,
96     uint8_t *key, size_t key_len, smb3_crypto_param_t *param,
97     boolean_t is_encrypt)
98 {
99 	crypto_key_t ckey;
100 	int rv;
101 
102 	bzero(&ckey, sizeof (ckey));
103 	ckey.ck_format = CRYPTO_KEY_RAW;
104 	ckey.ck_data = key;
105 	ckey.ck_length = key_len * 8; /* in bits */
106 
107 	mech->cm_param = (caddr_t)param;
108 	mech->cm_param_len = sizeof (*param);
109 
110 	if (is_encrypt)
111 		rv = crypto_encrypt_init(mech, &ckey, NULL, &ctxp->ctx, NULL);
112 	else
113 		rv = crypto_decrypt_init(mech, &ckey, NULL, &ctxp->ctx, NULL);
114 
115 	if (rv != CRYPTO_SUCCESS) {
116 		if (is_encrypt)
117 			cmn_err(CE_WARN,
118 			    "crypto_encrypt_init failed: 0x%x", rv);
119 		else
120 			cmn_err(CE_WARN,
121 			    "crypto_decrypt_init failed: 0x%x", rv);
122 	}
123 
124 	return (rv == CRYPTO_SUCCESS ? 0 : -1);
125 }
126 
127 int
smb3_encrypt_init(smb3_enc_ctx_t * ctxp,smb_crypto_mech_t * mech,smb3_crypto_param_t * param,uint8_t * key,size_t keylen,uint8_t * buf,size_t buflen)128 smb3_encrypt_init(smb3_enc_ctx_t *ctxp, smb_crypto_mech_t *mech,
129     smb3_crypto_param_t *param, uint8_t *key, size_t keylen,
130     uint8_t *buf, size_t buflen)
131 {
132 
133 	bzero(&ctxp->output, sizeof (ctxp->output));
134 	ctxp->output.cd_format = CRYPTO_DATA_RAW;
135 	ctxp->output.cd_length = buflen;
136 	ctxp->output.cd_raw.iov_len = buflen;
137 	ctxp->output.cd_raw.iov_base = (void *)buf;
138 
139 	return (smb3_crypto_init(ctxp, mech, key, keylen,
140 	    param, B_TRUE));
141 }
142 
143 int
smb3_decrypt_init(smb3_enc_ctx_t * ctxp,smb_crypto_mech_t * mech,smb3_crypto_param_t * param,uint8_t * key,size_t keylen)144 smb3_decrypt_init(smb3_enc_ctx_t *ctxp, smb_crypto_mech_t *mech,
145     smb3_crypto_param_t *param, uint8_t *key, size_t keylen)
146 {
147 	return (smb3_crypto_init(ctxp, mech, key, keylen,
148 	    param, B_FALSE));
149 }
150 
151 /*
152  * Digest one segment
153  */
154 int
smb3_encrypt_update(smb3_enc_ctx_t * ctxp,uint8_t * in,size_t len)155 smb3_encrypt_update(smb3_enc_ctx_t *ctxp, uint8_t *in, size_t len)
156 {
157 	crypto_data_t data;
158 	int rv;
159 
160 	bzero(&data, sizeof (data));
161 	data.cd_format = CRYPTO_DATA_RAW;
162 	data.cd_length = len;
163 	data.cd_raw.iov_base = (void *)in;
164 	data.cd_raw.iov_len = len;
165 
166 	rv = crypto_encrypt_update(ctxp->ctx, &data, &ctxp->output, NULL);
167 
168 	if (rv != CRYPTO_SUCCESS) {
169 		cmn_err(CE_WARN, "crypto_encrypt_update failed: 0x%x", rv);
170 		crypto_cancel_ctx(ctxp->ctx);
171 		return (-1);
172 	}
173 
174 	len = ctxp->output.cd_length;
175 	ctxp->len -= len;
176 	ctxp->output.cd_offset += len;
177 	ctxp->output.cd_length = ctxp->len;
178 
179 	return (0);
180 }
181 
182 int
smb3_decrypt_update(smb3_enc_ctx_t * ctxp,uint8_t * in,size_t len)183 smb3_decrypt_update(smb3_enc_ctx_t *ctxp, uint8_t *in, size_t len)
184 {
185 	crypto_data_t data;
186 	int rv;
187 
188 	bzero(&data, sizeof (data));
189 	data.cd_format = CRYPTO_DATA_RAW;
190 	data.cd_length = len;
191 	data.cd_raw.iov_base = (void *)in;
192 	data.cd_raw.iov_len = len;
193 
194 	/*
195 	 * AES_CCM does not output data until decrypt_final,
196 	 * and only does so if the signature matches.
197 	 */
198 	rv = crypto_decrypt_update(ctxp->ctx, &data, NULL, NULL);
199 
200 	if (rv != CRYPTO_SUCCESS) {
201 		cmn_err(CE_WARN, "crypto_decrypt_update failed: 0x%x", rv);
202 		crypto_cancel_ctx(ctxp->ctx);
203 		return (-1);
204 	}
205 
206 	return (0);
207 }
208 
209 int
smb3_encrypt_final(smb3_enc_ctx_t * ctxp,uint8_t * digest16)210 smb3_encrypt_final(smb3_enc_ctx_t *ctxp, uint8_t *digest16)
211 {
212 	crypto_data_t out;
213 	int rv;
214 	uint8_t buf[SMB2_SIG_SIZE + 16] = {0};
215 	size_t outlen;
216 
217 	bzero(&out, sizeof (out));
218 	out.cd_format = CRYPTO_DATA_RAW;
219 	out.cd_length = sizeof (buf);
220 	out.cd_raw.iov_len = sizeof (buf);
221 	out.cd_raw.iov_base = (void *)buf;
222 
223 	rv = crypto_encrypt_final(ctxp->ctx, &out, 0);
224 
225 	if (rv != CRYPTO_SUCCESS) {
226 		cmn_err(CE_WARN, "crypto_encrypt_final failed: 0x%x", rv);
227 		return (-1);
228 	}
229 
230 	/*
231 	 * For some reason AES module processes ccm_encrypt_final and
232 	 * gcm_encrypt_final differently.
233 	 * For GCM it restores original offset (which is 0) and updates
234 	 * cd_length to size of residual data + mac len.
235 	 * For CCM it does nothing, what means offset is updated and cd_length
236 	 * is decreased by size of residual data + mac len.
237 	 */
238 	if (out.cd_offset == 0) {
239 		/* GCM */
240 		outlen = out.cd_length - SMB2_SIG_SIZE;
241 	} else {
242 		/* CCM */
243 		outlen = out.cd_offset - SMB2_SIG_SIZE;
244 	}
245 
246 	if (outlen > 0)
247 		bcopy(buf, ctxp->output.cd_raw.iov_base +
248 		    ctxp->output.cd_offset, outlen);
249 	bcopy(buf + outlen, digest16, SMB2_SIG_SIZE);
250 
251 	return (0);
252 }
253 
254 int
smb3_decrypt_final(smb3_enc_ctx_t * ctxp,uint8_t * buf,size_t buflen)255 smb3_decrypt_final(smb3_enc_ctx_t *ctxp, uint8_t *buf, size_t buflen)
256 {
257 	crypto_data_t out;
258 	int rv;
259 
260 	bzero(&out, sizeof (out));
261 	out.cd_format = CRYPTO_DATA_RAW;
262 	out.cd_length = buflen;
263 	out.cd_raw.iov_len = buflen;
264 	out.cd_raw.iov_base = (void *)buf;
265 
266 	rv = crypto_decrypt_final(ctxp->ctx, &out, NULL);
267 
268 	if (rv != CRYPTO_SUCCESS)
269 		cmn_err(CE_WARN, "crypto_decrypt_final failed: 0x%x", rv);
270 
271 	return (rv == CRYPTO_SUCCESS ? 0 : -1);
272 }
273 
274 void
smb3_encrypt_cancel(smb3_enc_ctx_t * ctxp)275 smb3_encrypt_cancel(smb3_enc_ctx_t *ctxp)
276 {
277 	crypto_cancel_ctx(ctxp->ctx);
278 }
279