From 94b8f3071fafea18ceb59098f8611a0f2cb5a655 Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Tue, 26 Feb 2019 16:43:36 +0100

Subject: [PATCH 125/187] libcli:smb: Support GnuTLS AES CCM and GCM in

 smb2_signing_decrypt_pdu()

This requires GnuTLS >= 3.4.0.

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Adapted to remove Samba AES support

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

(cherry picked from commit 3d2de36d9a08354fb775a5d93a9b40012bf6966f)

---

 libcli/smb/smb2_signing.c | 170 ++++++++++++++++++++++++++++----------

 1 file changed, 125 insertions(+), 45 deletions(-)

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c

index 52209d9553b..1d9c99337d8 100644

--- a/libcli/smb/smb2_signing.c

+++ b/libcli/smb/smb2_signing.c

@@ -558,7 +558,6 @@ out:

 	return status;

 }

-

 NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,

 				  uint16_t cipher_id,

 				  struct iovec *vector,

@@ -566,17 +565,20 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,

 {

 	uint8_t *tf;

 	uint16_t flags;

-	uint8_t *sig_ptr = NULL;

-	uint8_t sig[16];

 	int i;

 	size_t a_total;

 	ssize_t m_total;

 	uint32_t msg_size = 0;

-	union {

-		struct aes_ccm_128_context ccm;

-		struct aes_gcm_128_context gcm;

-	} c;

-	uint8_t key[AES_BLOCK_SIZE];

+	uint32_t iv_size = 0;

+	uint32_t key_size = 0;

+	uint32_t tag_size = 0;

+	uint8_t _key[16] = {0};

+	gnutls_cipher_algorithm_t algo = 0;

+	gnutls_aead_cipher_hd_t cipher_hnd = NULL;

+	gnutls_datum_t key;

+	gnutls_datum_t iv;

+	NTSTATUS status;

+	int rc;

 	if (count < 1) {

 		return NT_STATUS_INVALID_PARAMETER;

@@ -612,53 +614,131 @@ NTSTATUS smb2_signing_decrypt_pdu(DATA_BLOB decryption_key,

 		return NT_STATUS_INTERNAL_ERROR;

 	}

-	ZERO_STRUCT(key);

-	memcpy(key, decryption_key.data,

-	       MIN(decryption_key.length, AES_BLOCK_SIZE));

-

 	switch (cipher_id) {

 	case SMB2_ENCRYPTION_AES128_CCM:

-		aes_ccm_128_init(&c.ccm, key,

-				 tf + SMB2_TF_NONCE,

-				 a_total, m_total);

-		aes_ccm_128_update(&c.ccm, tf + SMB2_TF_NONCE, a_total);

-		for (i=1; i < count; i++) {

-			aes_ccm_128_crypt(&c.ccm,

-					(uint8_t *)vector[i].iov_base,

-					vector[i].iov_len);

-			aes_ccm_128_update(&c.ccm,

-					( uint8_t *)vector[i].iov_base,

-					vector[i].iov_len);

-		}

-		aes_ccm_128_digest(&c.ccm, sig);

+		algo = GNUTLS_CIPHER_AES_128_CCM;

+		iv_size = SMB2_AES_128_CCM_NONCE_SIZE;

 		break;

-

 	case SMB2_ENCRYPTION_AES128_GCM:

-		aes_gcm_128_init(&c.gcm, key, tf + SMB2_TF_NONCE);

-		aes_gcm_128_updateA(&c.gcm, tf + SMB2_TF_NONCE, a_total);

-		for (i=1; i < count; i++) {

-			aes_gcm_128_updateC(&c.gcm,

-					(const uint8_t *)vector[i].iov_base,

-					vector[i].iov_len);

-			aes_gcm_128_crypt(&c.gcm,

-					(uint8_t *)vector[i].iov_base,

-					vector[i].iov_len);

-		}

-		aes_gcm_128_digest(&c.gcm, sig);

+		algo = GNUTLS_CIPHER_AES_128_GCM;

+		iv_size = gnutls_cipher_get_iv_size(algo);

 		break;

-

 	default:

-		ZERO_STRUCT(key);

 		return NT_STATUS_INVALID_PARAMETER;

 	}

-	ZERO_STRUCT(key);

-	sig_ptr = tf + SMB2_TF_SIGNATURE;

-	if (memcmp(sig_ptr, sig, 16) != 0) {

-		return NT_STATUS_ACCESS_DENIED;

+	key_size = gnutls_cipher_get_key_size(algo);

+	tag_size = gnutls_cipher_get_tag_size(algo);

+

+	if (key_size > sizeof(_key)) {

+		return NT_STATUS_BUFFER_TOO_SMALL;

 	}

-	DEBUG(5,("decrypt SMB2 message\n"));

+	key = (gnutls_datum_t) {

+		.data = _key,

+		.size = key_size,

+	};

-	return NT_STATUS_OK;

+	memcpy(key.data,

+	       decryption_key.data,

+	       MIN(decryption_key.length, key.size));

+

+	iv = (gnutls_datum_t) {

+		.data = tf + SMB2_TF_NONCE,

+		.size = iv_size,

+	};

+

+	rc = gnutls_aead_cipher_init(&cipher_hnd,

+				     algo,

+				     &key);

+	if (rc < 0) {

+		status = NT_STATUS_NO_MEMORY;

+		goto out;

+	}

+

+	{

+		size_t ctext_size = m_total + tag_size;

+		uint8_t *ctext = NULL;

+		size_t ptext_size = m_total;

+		uint8_t *ptext = NULL;

+		size_t len = 0;

+

+		/* GnuTLS doesn't have a iovec API for decryption yet */

+

+		ptext = talloc_size(talloc_tos(), ptext_size);

+		if (ptext == NULL) {

+			gnutls_aead_cipher_deinit(cipher_hnd);

+			status = NT_STATUS_NO_MEMORY;

+			goto out;

+		}

+

+		ctext = talloc_size(talloc_tos(), ctext_size);

+		if (ctext == NULL) {

+			TALLOC_FREE(ptext);

+			gnutls_aead_cipher_deinit(cipher_hnd);

+			status = NT_STATUS_NO_MEMORY;

+			goto out;

+		}

+

+

+		for (i = 1; i < count; i++) {

+			memcpy(ctext + len,

+			       vector[i].iov_base,

+			       vector[i].iov_len);

+

+			len += vector[i].iov_len;

+		}

+		if (len != m_total) {

+			TALLOC_FREE(ptext);

+			TALLOC_FREE(ctext);

+			gnutls_aead_cipher_deinit(cipher_hnd);

+			status = NT_STATUS_INTERNAL_ERROR;

+			goto out;

+		}

+

+		memcpy(ctext + len,

+		       tf + SMB2_TF_SIGNATURE,

+		       tag_size);

+

+		/* This function will verify the tag */

+		rc = gnutls_aead_cipher_decrypt(cipher_hnd,

+						iv.data,

+						iv.size,

+						tf + SMB2_TF_NONCE,

+						a_total,

+						tag_size,

+						ctext,

+						ctext_size,

+						ptext,

+						&ptext_size);

+		if (rc < 0 || ptext_size != m_total) {

+			DBG_ERR("ERROR: %s\n", gnutls_strerror(rc));

+			TALLOC_FREE(ptext);

+			TALLOC_FREE(ctext);

+			gnutls_aead_cipher_deinit(cipher_hnd);

+			status = NT_STATUS_INTERNAL_ERROR;

+			goto out;

+		}

+

+		len = 0;

+		for (i = 1; i < count; i++) {

+			memcpy(vector[i].iov_base,

+			       ptext + len,

+			       vector[i].iov_len);

+

+			len += vector[i].iov_len;

+		}

+

+		TALLOC_FREE(ptext);

+		TALLOC_FREE(ctext);

+	}

+	gnutls_aead_cipher_deinit(cipher_hnd);

+

+	DBG_INFO("Decrypted SMB2 message\n");

+

+	status = NT_STATUS_OK;

+out:

+	ZERO_ARRAY(_key);

+

+	return status;

 }

-- 

2.23.0