1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2017 Nexenta Systems, Inc.  All rights reserved.
24  */
25 /*
26  * These routines provide the SMB MAC signing for the SMB server.
27  * The routines calculate the signature of a SMB message in an mbuf chain.
28  *
29  * The following table describes the client server
30  * signing registry relationship
31  *
32  *		| Required	| Enabled     | Disabled
33  * -------------+---------------+------------ +--------------
34  * Required	| Signed	| Signed      | Fail
35  * -------------+---------------+-------------+-----------------
36  * Enabled	| Signed	| Signed      | Not Signed
37  * -------------+---------------+-------------+----------------
38  * Disabled	| Fail		| Not Signed  | Not Signed
39  */
40 
41 #include <sys/uio.h>
42 #include <smbsrv/smb_kproto.h>
43 #include <smbsrv/smb_kcrypt.h>
44 #include <sys/isa_defs.h>
45 #include <sys/byteorder.h>
46 
47 #define	SMB_SIG_SIZE	8
48 #define	SMB_SIG_OFFS	14
49 #define	SMB_HDRLEN	32
50 
51 #ifdef _LITTLE_ENDIAN
52 #define	htolel(x)	((uint32_t)(x))
53 #else
54 #define	htolel(x)	BSWAP_32(x)
55 #endif
56 
57 static int
58 smb_sign_calc(smb_request_t *sr, struct mbuf_chain *mbc,
59     uint32_t seqnum, unsigned char *sig);
60 
61 #ifdef DEBUG
62 uint32_t smb_sign_debug_search = 10;
63 
64 /*
65  * Debug code to search +/- for the correct sequence number.
66  * If found, correct sign->seqnum and return 0, else return -1
67  */
68 static int
smb_sign_find_seqnum(smb_request_t * sr,struct mbuf_chain * mbc,unsigned char * mac_sig,unsigned char * sr_sig)69 smb_sign_find_seqnum(
70     smb_request_t *sr,
71     struct mbuf_chain *mbc,
72     unsigned char *mac_sig,
73     unsigned char *sr_sig)
74 {
75 	struct smb_sign *sign = &sr->session->signing;
76 	uint32_t i, t;
77 
78 	for (i = 1; i < smb_sign_debug_search; i++) {
79 		t = sr->sr_seqnum + i;
80 		(void) smb_sign_calc(sr, mbc, t, mac_sig);
81 		if (memcmp(mac_sig, sr_sig, SMB_SIG_SIZE) == 0) {
82 			goto found;
83 		}
84 		t = sr->sr_seqnum - i;
85 		(void) smb_sign_calc(sr, mbc, t, mac_sig);
86 		if (memcmp(mac_sig, sr_sig, SMB_SIG_SIZE) == 0) {
87 			goto found;
88 		}
89 	}
90 	cmn_err(CE_WARN, "smb_sign_find_seqnum: failed after %d", i);
91 	return (-1);
92 
93 found:
94 	cmn_err(CE_WARN, "smb_sign_find_seqnum: found! %d <- %d",
95 	    sign->seqnum, t);
96 	sign->seqnum = t;
97 	return (0);
98 }
99 #endif
100 
101 /*
102  * Called during session destroy.
103  */
104 static void
smb_sign_fini(smb_session_t * s)105 smb_sign_fini(smb_session_t *s)
106 {
107 	smb_crypto_mech_t *mech;
108 
109 	if ((mech = s->sign_mech) != NULL) {
110 		kmem_free(mech, sizeof (*mech));
111 		s->sign_mech = NULL;
112 	}
113 }
114 
115 /*
116  * smb_sign_begin
117  *
118  * Intializes MAC key based on the user session key and
119  * NTLM response and store it in the signing structure.
120  * This is what begins SMB signing.
121  */
122 void
smb_sign_begin(smb_request_t * sr,smb_token_t * token)123 smb_sign_begin(smb_request_t *sr, smb_token_t *token)
124 {
125 	smb_arg_sessionsetup_t *sinfo = sr->sr_ssetup;
126 	smb_session_t *session = sr->session;
127 	struct smb_sign *sign = &session->signing;
128 	smb_crypto_mech_t *mech;
129 	int rc;
130 
131 	/*
132 	 * We should normally have a session key here because
133 	 * our caller filters out Anonymous and Guest logons.
134 	 * However, buggy clients could get us here without a
135 	 * session key, in which case: just don't sign.
136 	 */
137 	if (token->tkn_ssnkey.val == NULL || token->tkn_ssnkey.len == 0)
138 		return;
139 
140 	/*
141 	 * Session-level initialization (once per session)
142 	 */
143 	smb_rwx_rwenter(&session->s_lock, RW_WRITER);
144 
145 	/*
146 	 * Signing may already have been setup by a prior logon,
147 	 * in which case we're done here.
148 	 */
149 	if (sign->mackey != NULL) {
150 		smb_rwx_rwexit(&session->s_lock);
151 		return;
152 	}
153 
154 	/*
155 	 * Get the mech handle
156 	 */
157 	if (session->sign_mech == NULL) {
158 		mech = kmem_zalloc(sizeof (*mech), KM_SLEEP);
159 		rc = smb_md5_getmech(mech);
160 		if (rc != 0) {
161 			kmem_free(mech, sizeof (*mech));
162 			smb_rwx_rwexit(&session->s_lock);
163 			return;
164 		}
165 		session->sign_mech = mech;
166 		session->sign_fini = smb_sign_fini;
167 	}
168 
169 	/*
170 	 * Compute and store the signing (MAC) key.
171 	 *
172 	 * With extended security, the MAC key is the same as the
173 	 * session key (and we'll have sinfo->ssi_ntpwlen == 0).
174 	 * With non-extended security, it's the concatenation of
175 	 * the session key and the "NT response" we received.
176 	 */
177 	sign->mackey_len = token->tkn_ssnkey.len + sinfo->ssi_ntpwlen;
178 	sign->mackey = kmem_alloc(sign->mackey_len, KM_SLEEP);
179 	bcopy(token->tkn_ssnkey.val, sign->mackey, token->tkn_ssnkey.len);
180 	if (sinfo->ssi_ntpwlen > 0) {
181 		bcopy(sinfo->ssi_ntpwd, sign->mackey + token->tkn_ssnkey.len,
182 		    sinfo->ssi_ntpwlen);
183 	}
184 
185 	session->signing.seqnum = 0;
186 	sr->sr_seqnum = 2;
187 	sr->reply_seqnum = 1;
188 	sign->flags = 0;
189 
190 	if (session->srv_secmode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
191 		sign->flags |= SMB_SIGNING_ENABLED;
192 		if (session->srv_secmode &
193 		    NEGOTIATE_SECURITY_SIGNATURES_REQUIRED)
194 			sign->flags |= SMB_SIGNING_CHECK;
195 	}
196 
197 	smb_rwx_rwexit(&session->s_lock);
198 }
199 
200 /*
201  * smb_sign_calc
202  *
203  * Calculates MAC signature for the given buffer and returns
204  * it in the mac_sign parameter.
205  *
206  * The sequence number is placed in the first four bytes of the signature
207  * field of the signature and the other 4 bytes are zeroed.
208  * The signature is the first 8 bytes of the MD5 result of the
209  * concatenated MAC key and the SMB message.
210  *
211  * MACsig = head(MD5(concat(MACKey, SMBMsg)), 8)
212  *
213  * where
214  *
215  *	MACKey = concat( UserSessionKey, NTLMResp )
216  *
217  * and
218  *
219  *	SMBMsg is the SMB message containing the sequence number.
220  *
221  * Return 0 if success
222  *
223  */
224 static int
smb_sign_calc(smb_request_t * sr,struct mbuf_chain * mbc,uint32_t seqnum,unsigned char * mac_sign)225 smb_sign_calc(smb_request_t *sr, struct mbuf_chain *mbc,
226     uint32_t seqnum, unsigned char *mac_sign)
227 {
228 	smb_session_t *s = sr->session;
229 	struct smb_sign *sign = &s->signing;
230 	smb_sign_ctx_t ctx = 0;
231 	uchar_t digest[MD5_DIGEST_LENGTH];
232 	uchar_t *hdrp;
233 	struct mbuf *mbuf = mbc->chain;
234 	int offset = mbc->chain_offset;
235 	int size;
236 	int rc;
237 
238 	/*
239 	 * This union is a little bit of trickery to:
240 	 * (1) get the sequence number int aligned, and
241 	 * (2) reduce the number of digest calls, at the
242 	 * cost of a copying 32 bytes instead of 8.
243 	 * Both sides of this union are 2+32 bytes.
244 	 */
245 	union {
246 		struct {
247 			uint8_t skip[2]; /* not used - just alignment */
248 			uint8_t raw[SMB_HDRLEN];  /* header length (32) */
249 		} r;
250 		struct {
251 			uint8_t skip[2]; /* not used - just alignment */
252 			uint8_t hdr[SMB_SIG_OFFS]; /* sig. offset (14) */
253 			uint32_t sig[2]; /* MAC signature, aligned! */
254 			uint16_t ids[5]; /* pad, Tid, Pid, Uid, Mid */
255 		} s;
256 	} smbhdr;
257 
258 	if (s->sign_mech == NULL || sign->mackey == NULL)
259 		return (-1);
260 
261 	if ((rc = smb_md5_init(&ctx, s->sign_mech)) != 0)
262 		return (rc);
263 
264 	/* Digest the MAC Key */
265 	rc = smb_md5_update(ctx, sign->mackey, sign->mackey_len);
266 	if (rc != 0)
267 		return (rc);
268 
269 	/*
270 	 * Make an aligned copy of the SMB header,
271 	 * fill in the sequence number, and digest.
272 	 */
273 	hdrp = (unsigned char *)&smbhdr.r.raw;
274 	size = SMB_HDRLEN;
275 	if (smb_mbc_peek(mbc, offset, "#c", size, hdrp) != 0)
276 		return (-1);
277 	smbhdr.s.sig[0] = htolel(seqnum);
278 	smbhdr.s.sig[1] = 0;
279 
280 	rc = smb_md5_update(ctx, &smbhdr.r.raw, size);
281 	if (rc != 0)
282 		return (rc);
283 
284 	/*
285 	 * Digest the rest of the SMB packet, starting at the data
286 	 * just after the SMB header.
287 	 */
288 	offset += size;
289 	while (mbuf != NULL && (offset >= mbuf->m_len)) {
290 		offset -= mbuf->m_len;
291 		mbuf = mbuf->m_next;
292 	}
293 	if (mbuf != NULL && (size = (mbuf->m_len - offset)) > 0) {
294 		rc = smb_md5_update(ctx, &mbuf->m_data[offset], size);
295 		if (rc != 0)
296 			return (rc);
297 		offset = 0;
298 		mbuf = mbuf->m_next;
299 	}
300 	while (mbuf != NULL) {
301 		rc = smb_md5_update(ctx, mbuf->m_data, mbuf->m_len);
302 		if (rc != 0)
303 			return (rc);
304 		mbuf = mbuf->m_next;
305 	}
306 	rc = smb_md5_final(ctx, digest);
307 	if (rc == 0)
308 		bcopy(digest, mac_sign, SMB_SIG_SIZE);
309 
310 	return (rc);
311 }
312 
313 
314 /*
315  * smb_sign_check_request
316  *
317  * Calculates MAC signature for the request mbuf chain
318  * using the next expected sequence number and compares
319  * it to the given signature.
320  *
321  * Note it does not check the signature for secondary transactions
322  * as their sequence number is the same as the original request.
323  *
324  * Return 0 if the signature verifies, otherwise, returns -1;
325  *
326  */
327 int
smb_sign_check_request(smb_request_t * sr)328 smb_sign_check_request(smb_request_t *sr)
329 {
330 	struct mbuf_chain mbc = sr->command;
331 	unsigned char mac_sig[SMB_SIG_SIZE];
332 
333 	/*
334 	 * Don't check secondary transactions - we dont know the sequence
335 	 * number.
336 	 */
337 	if (sr->smb_com == SMB_COM_TRANSACTION_SECONDARY ||
338 	    sr->smb_com == SMB_COM_TRANSACTION2_SECONDARY ||
339 	    sr->smb_com == SMB_COM_NT_TRANSACT_SECONDARY)
340 		return (0);
341 
342 	/* Reset the offset to begining of header */
343 	mbc.chain_offset = sr->orig_request_hdr;
344 
345 	/* calculate mac signature */
346 	if (smb_sign_calc(sr, &mbc, sr->sr_seqnum, mac_sig) != 0)
347 		return (-1);
348 
349 	/* compare the signatures */
350 	if (memcmp(mac_sig, sr->smb_sig, SMB_SIG_SIZE) == 0) {
351 		/* They match! OK, we're done. */
352 		return (0);
353 	}
354 
355 	DTRACE_PROBE2(smb__signature__mismatch, smb_request_t, sr,
356 	    unsigned char *, mac_sig);
357 	cmn_err(CE_NOTE, "smb_sign_check_request: bad signature");
358 
359 	/*
360 	 * check nearby sequence numbers in debug mode
361 	 */
362 #ifdef	DEBUG
363 	if (smb_sign_debug) {
364 		return (smb_sign_find_seqnum(sr, &mbc, mac_sig, sr->smb_sig));
365 	}
366 #endif
367 	return (-1);
368 }
369 
370 /*
371  * smb_sign_check_secondary
372  *
373  * Calculates MAC signature for the secondary transaction mbuf chain
374  * and compares it to the given signature.
375  * Return 0 if the signature verifies, otherwise, returns -1;
376  *
377  */
378 int
smb_sign_check_secondary(smb_request_t * sr,unsigned int reply_seqnum)379 smb_sign_check_secondary(smb_request_t *sr, unsigned int reply_seqnum)
380 {
381 	struct mbuf_chain mbc = sr->command;
382 	unsigned char mac_sig[SMB_SIG_SIZE];
383 	int rtn = 0;
384 
385 	/* Reset the offset to begining of header */
386 	mbc.chain_offset = sr->orig_request_hdr;
387 
388 	/* calculate mac signature */
389 	if (smb_sign_calc(sr, &mbc, reply_seqnum - 1, mac_sig) != 0)
390 		return (-1);
391 
392 
393 	/* compare the signatures */
394 	if (memcmp(mac_sig, sr->smb_sig, SMB_SIG_SIZE) != 0) {
395 		cmn_err(CE_WARN, "SmbSignCheckSecond: bad signature");
396 		rtn = -1;
397 	}
398 	/* Save the reply sequence number */
399 	sr->reply_seqnum = reply_seqnum;
400 
401 	return (rtn);
402 }
403 
404 /*
405  * smb_sign_reply
406  *
407  * Calculates MAC signature for the given mbuf chain,
408  * and write it to the signature field in the mbuf.
409  *
410  */
411 void
smb_sign_reply(smb_request_t * sr,struct mbuf_chain * reply)412 smb_sign_reply(smb_request_t *sr, struct mbuf_chain *reply)
413 {
414 	struct mbuf_chain mbc;
415 	unsigned char mac[SMB_SIG_SIZE];
416 
417 	if (reply)
418 		mbc = *reply;
419 	else
420 		mbc = sr->reply;
421 
422 	/* Reset offset to start of reply */
423 	mbc.chain_offset = 0;
424 
425 	/*
426 	 * Calculate MAC signature
427 	 */
428 	if (smb_sign_calc(sr, &mbc, sr->reply_seqnum, mac) != 0) {
429 		cmn_err(CE_WARN, "smb_sign_reply: error in smb_sign_calc");
430 		return;
431 	}
432 
433 	/*
434 	 * Put signature in the response
435 	 */
436 	(void) smb_mbc_poke(&mbc, SMB_SIG_OFFS, "#c",
437 	    SMB_SIG_SIZE, mac);
438 }
439