diff options
author | Andreas Schneider <asn@samba.org> | 2021-08-02 16:21:19 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2022-07-28 11:51:28 +0000 |
commit | dc7f0f15ce05065bac2fbe134ae80dd87f6af4d0 (patch) | |
tree | b92febde674905b631f51e40560e1a57ee74dc5b /lib/crypto | |
parent | 8b22b448e84269f6f18c0e08d9ff1f0edeae0d31 (diff) | |
download | samba-dc7f0f15ce05065bac2fbe134ae80dd87f6af4d0.tar.gz |
lib:crypto: Implement samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt()
This is for [MS-SAMR] 3.2.2.4 AES Cipher Usage
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'lib/crypto')
-rw-r--r-- | lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c | 240 | ||||
-rw-r--r-- | lib/crypto/gnutls_helpers.h | 59 | ||||
-rw-r--r-- | lib/crypto/wscript | 1 |
3 files changed, 288 insertions, 12 deletions
diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c new file mode 100644 index 00000000000..1771b35ac92 --- /dev/null +++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c @@ -0,0 +1,240 @@ +/* + * Copyright (c) 2021-2022 Andreas Schneider <asn@samba.org> + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +#include "includes.h" +#include "lib/util/data_blob.h" +#include <gnutls/gnutls.h> +#include <gnutls/crypto.h> +#include "gnutls_helpers.h" + +#define SAMR_AES_VERSION_BYTE 0x01 +#define SAMR_AES_VERSION_BYTE_LEN 1 + +static NTSTATUS calculate_enc_key(const DATA_BLOB *cek, + const DATA_BLOB *key_salt, + uint8_t enc_key[32]) +{ + gnutls_mac_algorithm_t hash_algo = GNUTLS_MAC_SHA512; + size_t hmac_size = gnutls_hmac_get_len(hash_algo); + uint8_t enc_key_data[hmac_size]; + int rc; + + rc = gnutls_hmac_fast(hash_algo, + cek->data, + cek->length, + key_salt->data, + key_salt->length, + enc_key_data); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + /* The key gets truncated to 32 byte */ + memcpy(enc_key, enc_key_data, 32); + BURN_DATA(enc_key_data); + + return NT_STATUS_OK; +} + +static NTSTATUS calculate_mac_key(const DATA_BLOB *cek, + const DATA_BLOB *mac_salt, + uint8_t mac_key[64]) +{ + int rc; + + rc = gnutls_hmac_fast(GNUTLS_MAC_SHA512, + cek->data, + cek->length, + mac_salt->data, + mac_salt->length, + mac_key); + if (rc < 0) { + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + return NT_STATUS_OK; +} + +/* This is an implementation of [MS-SAMR] 3.2.2.4 AES Cipher Usage */ + +NTSTATUS +samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, + const DATA_BLOB *plaintext, + const DATA_BLOB *cek, + const DATA_BLOB *key_salt, + const DATA_BLOB *mac_salt, + const DATA_BLOB *iv, + DATA_BLOB *pciphertext, + uint8_t pauth_tag[64]) +{ + gnutls_hmac_hd_t hmac_hnd = NULL; + gnutls_mac_algorithm_t hmac_algo = GNUTLS_MAC_SHA512; + size_t hmac_size = gnutls_hmac_get_len(hmac_algo); + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_cipher_algorithm_t cipher_algo = GNUTLS_CIPHER_AES_256_CBC; + uint32_t aes_block_size = gnutls_cipher_get_block_size(cipher_algo); + gnutls_datum_t iv_datum = { + .data = iv->data, + .size = iv->length, + }; + uint8_t enc_key_data[32] = {0}; + gnutls_datum_t enc_key = { + .data = enc_key_data, + .size = sizeof(enc_key_data), + }; + uint8_t *cipher_text = NULL; + size_t cipher_text_len = 0; + uint8_t mac_key_data[64] = {0}; + gnutls_datum_t mac_key = { + .data = mac_key_data, + .size = sizeof(mac_key_data), + }; + uint8_t version_byte = SAMR_AES_VERSION_BYTE; + uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN; + uint8_t auth_data[hmac_size]; + DATA_BLOB padded_plaintext; + size_t padding; + NTSTATUS status; + int rc; + + if (plaintext->length == 0 || cek->length == 0 || + key_salt->length == 0 || mac_salt->length == 0 || iv->length == 0) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* + * PKCS#7 padding + * + * TODO: Use gnutls_cipher_encrypt3() + */ + + if (plaintext->length + aes_block_size < plaintext->length) { + return NT_STATUS_INVALID_BUFFER_SIZE; + } + + padded_plaintext.length = + aes_block_size * (plaintext->length / aes_block_size) + + aes_block_size; + + padding = padded_plaintext.length - plaintext->length; + + padded_plaintext = + data_blob_talloc(mem_ctx, NULL, padded_plaintext.length); + if (padded_plaintext.data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* Allocate buffer for cipher text */ + cipher_text_len = padded_plaintext.length; + cipher_text = talloc_size(mem_ctx, cipher_text_len); + if (cipher_text == NULL) { + data_blob_free(&padded_plaintext); + return NT_STATUS_NO_MEMORY; + } + + memcpy(padded_plaintext.data, plaintext->data, plaintext->length); + memset(padded_plaintext.data + plaintext->length, padding, padding); + + status = calculate_enc_key(cek, key_salt, enc_key_data); + if (!NT_STATUS_IS_OK(status)) { + data_blob_clear_free(&padded_plaintext); + return status; + } + + /* Encrypt plaintext */ + rc = gnutls_cipher_init(&cipher_hnd, cipher_algo, &enc_key, &iv_datum); + if (rc < 0) { + data_blob_clear_free(&padded_plaintext); + BURN_DATA(enc_key_data); + TALLOC_FREE(cipher_text); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + rc = gnutls_cipher_encrypt2(cipher_hnd, + padded_plaintext.data, + padded_plaintext.length, + cipher_text, + cipher_text_len); + gnutls_cipher_deinit(cipher_hnd); + data_blob_clear_free(&padded_plaintext); + BURN_DATA(enc_key_data); + if (rc < 0) { + TALLOC_FREE(cipher_text); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + /* Calculate mac key */ + status = calculate_mac_key(cek, mac_salt, mac_key_data); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(cipher_text); + return status; + } + + /* Generate auth tag */ + rc = gnutls_hmac_init(&hmac_hnd, hmac_algo, mac_key.data, mac_key.size); + BURN_DATA(mac_key_data); + if (rc < 0) { + TALLOC_FREE(cipher_text); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, &version_byte, sizeof(uint8_t)); + if (rc < 0) { + TALLOC_FREE(cipher_text); + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, iv->data, iv->length); + if (rc < 0) { + TALLOC_FREE(cipher_text); + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, cipher_text, cipher_text_len); + if (rc < 0) { + TALLOC_FREE(cipher_text); + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + + rc = gnutls_hmac(hmac_hnd, &version_byte_len, sizeof(uint8_t)); + if (rc < 0) { + TALLOC_FREE(cipher_text); + gnutls_hmac_deinit(hmac_hnd, NULL); + return gnutls_error_to_ntstatus(rc, + NT_STATUS_ENCRYPTION_FAILED); + } + gnutls_hmac_deinit(hmac_hnd, auth_data); + + if (pciphertext != NULL) { + pciphertext->length = cipher_text_len; + pciphertext->data = cipher_text; + } + (void)memcpy(pauth_tag, auth_data, hmac_size); + + return NT_STATUS_OK; +} diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h index e74dcc833f2..eb6e469fa0c 100644 --- a/lib/crypto/gnutls_helpers.h +++ b/lib/crypto/gnutls_helpers.h @@ -44,16 +44,17 @@ * * @return A corresponding NTSTATUS code. */ -NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc, - NTSTATUS blocked_status); +NTSTATUS gnutls_error_to_ntstatus(int gnutls_rc, NTSTATUS blocked_status); #else NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc, NTSTATUS blocked_status, const char *function, const char *location); #define gnutls_error_to_ntstatus(gnutls_rc, blocked_status) \ - _gnutls_error_to_ntstatus(gnutls_rc, blocked_status, \ - __FUNCTION__, __location__) + _gnutls_error_to_ntstatus(gnutls_rc, \ + blocked_status, \ + __FUNCTION__, \ + __location__) #endif #ifdef DOXYGEN @@ -68,22 +69,20 @@ NTSTATUS _gnutls_error_to_ntstatus(int gnutls_rc, * * @return A corresponding WERROR code. */ -WERROR gnutls_error_to_werror(int gnutls_rc, - WERROR blocked_werr); +WERROR gnutls_error_to_werror(int gnutls_rc, WERROR blocked_werr); #else WERROR _gnutls_error_to_werror(int gnutls_rc, WERROR blocked_werr, const char *function, const char *location); #define gnutls_error_to_werror(gnutls_rc, blocked_werr) \ - _gnutls_error_to_werror(gnutls_rc, blocked_werr, \ - __FUNCTION__, __location__) + _gnutls_error_to_werror(gnutls_rc, \ + blocked_werr, \ + __FUNCTION__, \ + __location__) #endif -enum samba_gnutls_direction { - SAMBA_GNUTLS_ENCRYPT, - SAMBA_GNUTLS_DECRYPT -}; +enum samba_gnutls_direction { SAMBA_GNUTLS_ENCRYPT, SAMBA_GNUTLS_DECRYPT }; /** * @brief Encrypt or decrypt a data blob using RC4 with a key and salt. @@ -109,6 +108,42 @@ int samba_gnutls_arcfour_confounded_md5(const DATA_BLOB *key_input1, enum samba_gnutls_direction encrypt); /** + * @brief Encrypted a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 and + * the session key. + * + * This encrypts a secret plaintext using AEAD_AES_256_CBC_HMAC_SHA512 with a + * key (can be the session key or PBKDF2 password). This is used in SAMR and + * LSA. + * + * @param mem_ctx The memory context to allocate the cipher text pointer. + * + * @param plaintext The secret to encrypt + * + * @param cek The content encryption key to encrypt the secret. + * + * @param key_salt The salt used to calculate the encryption key. + * + * @param key_salt The salt used to calculate the mac key. + + * @param iv The initialization vector used for the encryption. + * + * @param pciphertext A pointer to store the cipher text. + * + * @param pauth_tag[64] An array to store the auth tag. + * + * @return NT_STATUS_OK on success, an nt status error code otherwise. + */ +NTSTATUS +samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, + const DATA_BLOB *plaintext, + const DATA_BLOB *cek, + const DATA_BLOB *key_salt, + const DATA_BLOB *mac_salt, + const DATA_BLOB *iv, + DATA_BLOB *pciphertext, + uint8_t pauth_tag[64]); + +/** * @brief Check if weak crypto is allowed. * * @return true if weak crypo is allowed, false otherwise. diff --git a/lib/crypto/wscript b/lib/crypto/wscript index 9089123be54..cd032f5e9c3 100644 --- a/lib/crypto/wscript +++ b/lib/crypto/wscript @@ -39,6 +39,7 @@ def build(bld): bld.SAMBA_SUBSYSTEM("GNUTLS_HELPERS", source=''' gnutls_error.c + gnutls_aead_aes_256_cbc_hmac_sha512.c gnutls_arcfour_confounded_md5.c gnutls_weak_crypto.c ''', |