14e065a9fSAlexander Stetsenko /*
24e065a9fSAlexander Stetsenko  * CDDL HEADER START
34e065a9fSAlexander Stetsenko  *
44e065a9fSAlexander Stetsenko  * The contents of this file are subject to the terms of the
54e065a9fSAlexander Stetsenko  * Common Development and Distribution License (the "License").
64e065a9fSAlexander Stetsenko  * You may not use this file except in compliance with the License.
74e065a9fSAlexander Stetsenko  *
84e065a9fSAlexander Stetsenko  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
94e065a9fSAlexander Stetsenko  * or http://www.opensolaris.org/os/licensing.
104e065a9fSAlexander Stetsenko  * See the License for the specific language governing permissions
114e065a9fSAlexander Stetsenko  * and limitations under the License.
124e065a9fSAlexander Stetsenko  *
134e065a9fSAlexander Stetsenko  * When distributing Covered Code, include this CDDL HEADER in each
144e065a9fSAlexander Stetsenko  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
154e065a9fSAlexander Stetsenko  * If applicable, add the following below this CDDL HEADER, with the
164e065a9fSAlexander Stetsenko  * fields enclosed by brackets "[]" replaced with your own identifying
174e065a9fSAlexander Stetsenko  * information: Portions Copyright [yyyy] [name of copyright owner]
184e065a9fSAlexander Stetsenko  *
194e065a9fSAlexander Stetsenko  * CDDL HEADER END
204e065a9fSAlexander Stetsenko  */
214e065a9fSAlexander Stetsenko /*
224e065a9fSAlexander Stetsenko  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
234e065a9fSAlexander Stetsenko  * Copyright 2018 Nexenta Systems, Inc.  All rights reserved.
24*a4568e19SAlexander Stetsenko  * Copyright 2022 RackTop Systems, Inc.
254e065a9fSAlexander Stetsenko  */
264e065a9fSAlexander Stetsenko 
274e065a9fSAlexander Stetsenko #include <smbsrv/smb_kcrypt.h>
284e065a9fSAlexander Stetsenko #include <sys/types.h>
294e065a9fSAlexander Stetsenko #include <sys/sysmacros.h>
304e065a9fSAlexander Stetsenko #include <sys/ddi.h>
314e065a9fSAlexander Stetsenko #include <sys/sunddi.h>
32*a4568e19SAlexander Stetsenko #include <sys/byteorder.h>
33*a4568e19SAlexander Stetsenko #include <sys/debug.h>
344e065a9fSAlexander Stetsenko 
354e065a9fSAlexander Stetsenko /*
364e065a9fSAlexander Stetsenko  * Derive SMB3 key as described in [MS-SMB2] 3.1.4.2
374e065a9fSAlexander Stetsenko  * and [NIST SP800-108]
384e065a9fSAlexander Stetsenko  *
39*a4568e19SAlexander Stetsenko  * r = 32, PRF = HMAC-SHA256, key = (session key),
40*a4568e19SAlexander Stetsenko  * L = 128 or 256
414e065a9fSAlexander Stetsenko  */
424e065a9fSAlexander Stetsenko 
434e065a9fSAlexander Stetsenko /*
444e065a9fSAlexander Stetsenko  * SMB 3.0.2 KDF Input
454e065a9fSAlexander Stetsenko  *
464e065a9fSAlexander Stetsenko  * Session.SigningKey for binding a session:
474e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
484e065a9fSAlexander Stetsenko  * - label = "SMB2AESCMAC" (size 12)
494e065a9fSAlexander Stetsenko  * - context = "SmbSign" (size 8)
504e065a9fSAlexander Stetsenko  * Channel.SigningKey for for all other requests
514e065a9fSAlexander Stetsenko  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
524e065a9fSAlexander Stetsenko  * - otherwise, Session.SessionKey as K1
534e065a9fSAlexander Stetsenko  * - label = "SMB2AESCMAC" (size 12)
544e065a9fSAlexander Stetsenko  * - context = "SmbSign" (size 8)
554e065a9fSAlexander Stetsenko  * Session.ApplicationKey for ... (not sure what yet)
564e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
574e065a9fSAlexander Stetsenko  * - label = "SMB2APP" (size 8)
584e065a9fSAlexander Stetsenko  * - context = "SmbRpc" (size 7)
594e065a9fSAlexander Stetsenko  * Session.EncryptionKey for encrypting server messages
604e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
614e065a9fSAlexander Stetsenko  * - label = "SMB2AESCCM" (size 11)
624e065a9fSAlexander Stetsenko  * - context = "ServerOut" (size 10)
634e065a9fSAlexander Stetsenko  * Session.DecryptionKey for decrypting client requests
644e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
654e065a9fSAlexander Stetsenko  * - label = "SMB2AESCCM" (size 11)
664e065a9fSAlexander Stetsenko  * - context = "ServerIn " (size 10) (Note the space)
674e065a9fSAlexander Stetsenko  */
684e065a9fSAlexander Stetsenko 
694e065a9fSAlexander Stetsenko /*
704e065a9fSAlexander Stetsenko  * SMB 3.1.1 KDF Input
714e065a9fSAlexander Stetsenko  *
724e065a9fSAlexander Stetsenko  * Session.SigningKey for binding a session:
734e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
744e065a9fSAlexander Stetsenko  * - label = "SMBSigningKey" (size 14)
754e065a9fSAlexander Stetsenko  * - context = preauth hashval
764e065a9fSAlexander Stetsenko  * Channel.SigningKey for for all other requests
774e065a9fSAlexander Stetsenko  * - if SMB2_SESSION_FLAG_BINDING, GSS key (in Session.SessionKey?) as K1;
784e065a9fSAlexander Stetsenko  * - otherwise, Session.SessionKey as K1
794e065a9fSAlexander Stetsenko  * - label = "SMBSigningKey" (size 14)
804e065a9fSAlexander Stetsenko  * - context = preauth hashval
814e065a9fSAlexander Stetsenko  * Session.EncryptionKey for encrypting server messages
824e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
834e065a9fSAlexander Stetsenko  * - label = "SMBS2CCipherKey" (size 16)
844e065a9fSAlexander Stetsenko  * - context = preauth hashval
854e065a9fSAlexander Stetsenko  * Session.DecryptionKey for decrypting client requests
864e065a9fSAlexander Stetsenko  * - Session.SessionKey as K1
874e065a9fSAlexander Stetsenko  * - label = "SMBC2SCipherKey" (size 16)
884e065a9fSAlexander Stetsenko  * - context = preauth hashval
894e065a9fSAlexander Stetsenko  */
904e065a9fSAlexander Stetsenko 
91*a4568e19SAlexander Stetsenko #define	KDF_LABEL_MAXLEN	16
92*a4568e19SAlexander Stetsenko #define	KDF_CONTEXT_MAXLEN	64
93*a4568e19SAlexander Stetsenko #define	KDF_FIXEDPART_LEN	9
94*a4568e19SAlexander Stetsenko #define	KDF_BUFLEN		89	/* total of above */
95*a4568e19SAlexander Stetsenko 
964e065a9fSAlexander Stetsenko /*
974e065a9fSAlexander Stetsenko  * SMB3KDF(Ki, Label, Context)
984e065a9fSAlexander Stetsenko  * counter || Label || 0x00 || Context || L
994e065a9fSAlexander Stetsenko  */
1004e065a9fSAlexander Stetsenko int
smb3_kdf(uint8_t * outbuf,uint32_t keylen,uint8_t * ssn_key,size_t ssn_keylen,uint8_t * label,size_t label_len,uint8_t * context,size_t context_len)101*a4568e19SAlexander Stetsenko smb3_kdf(uint8_t *outbuf, uint32_t keylen,
102*a4568e19SAlexander Stetsenko     uint8_t *ssn_key, size_t ssn_keylen,
1034e065a9fSAlexander Stetsenko     uint8_t *label, size_t label_len,
1044e065a9fSAlexander Stetsenko     uint8_t *context, size_t context_len)
1054e065a9fSAlexander Stetsenko {
1064e065a9fSAlexander Stetsenko 	smb_crypto_mech_t mech;
107*a4568e19SAlexander Stetsenko 	uint8_t digest32[SHA256_DIGEST_LENGTH];
108*a4568e19SAlexander Stetsenko 	uint8_t kdfbuf[KDF_BUFLEN];
109*a4568e19SAlexander Stetsenko 	uint32_t L = keylen << 3; /* key len in bits */
110*a4568e19SAlexander Stetsenko 	int pos = 0;
1114e065a9fSAlexander Stetsenko 	int rc;
1124e065a9fSAlexander Stetsenko 
113*a4568e19SAlexander Stetsenko 	if (label_len > KDF_LABEL_MAXLEN ||
114*a4568e19SAlexander Stetsenko 	    context_len > KDF_CONTEXT_MAXLEN) {
115*a4568e19SAlexander Stetsenko 		ASSERT(0);
116*a4568e19SAlexander Stetsenko 		return (-1);
117*a4568e19SAlexander Stetsenko 	}
118*a4568e19SAlexander Stetsenko 
119*a4568e19SAlexander Stetsenko 	/* Counter=1 (big-endian) */
120*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
121*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
122*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
123*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 1;
124*a4568e19SAlexander Stetsenko 
1254e065a9fSAlexander Stetsenko 	bcopy(label, &kdfbuf[pos], label_len);
1264e065a9fSAlexander Stetsenko 	pos += label_len;
1274e065a9fSAlexander Stetsenko 
128*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
1294e065a9fSAlexander Stetsenko 
1304e065a9fSAlexander Stetsenko 	bcopy(context, &kdfbuf[pos], context_len);
1314e065a9fSAlexander Stetsenko 	pos += context_len;
1324e065a9fSAlexander Stetsenko 
133*a4568e19SAlexander Stetsenko 	/* Key lemgth in bits, big-endian, possibly misaligned */
134*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
135*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = 0;
136*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = (uint8_t)(L >> 8);
137*a4568e19SAlexander Stetsenko 	kdfbuf[pos++] = (uint8_t)L;
1384e065a9fSAlexander Stetsenko 
1394e065a9fSAlexander Stetsenko 	bzero(&mech, sizeof (mech));
1404e065a9fSAlexander Stetsenko 	if ((rc = smb2_hmac_getmech(&mech)) != 0)
1414e065a9fSAlexander Stetsenko 		return (rc);
1424e065a9fSAlexander Stetsenko 
143*a4568e19SAlexander Stetsenko 	rc = smb2_hmac_one(&mech,
144*a4568e19SAlexander Stetsenko 	    ssn_key, ssn_keylen,
145*a4568e19SAlexander Stetsenko 	    kdfbuf, pos,
146*a4568e19SAlexander Stetsenko 	    digest32, SHA256_DIGEST_LENGTH);
1474e065a9fSAlexander Stetsenko 	if (rc != 0)
1484e065a9fSAlexander Stetsenko 		return (rc);
1494e065a9fSAlexander Stetsenko 
150*a4568e19SAlexander Stetsenko 	bcopy(digest32, outbuf, keylen);
1514e065a9fSAlexander Stetsenko 	return (0);
1524e065a9fSAlexander Stetsenko }
153