1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
samba-mirror/lib/crypto/gkdi.c
Jo Sutton e7a96915e8 lib:crypto: Check for overflow in GKDI rollover interval calculation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00

696 lines
16 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Unix SMB/CIFS implementation.
Group Key Distribution Protocol functions
Copyright (C) Catalyst.Net Ltd 2023
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
#include "lib/crypto/gnutls_helpers.h"
#include "lib/util/bytearray.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/gen_ndr/gkdi.h"
#include "librpc/gen_ndr/ndr_gkdi.h"
#include "lib/crypto/gkdi.h"
#include "lib/util/data_blob.h"
static const uint8_t kds_service[] = {
/* “KDS service” as a NULLterminated UTF16LE string. */
'K', 0, 'D', 0, 'S', 0, ' ', 0, 's', 0, 'e', 0,
'r', 0, 'v', 0, 'i', 0, 'c', 0, 'e', 0, 0, 0,
};
static struct Gkid gkid_from_u32_indices(const uint32_t l0_idx,
const uint32_t l1_idx,
const uint32_t l2_idx)
{
/* Catch outofrange indices. */
if (l0_idx > INT32_MAX || l1_idx > INT8_MAX || l2_idx > INT8_MAX) {
return invalid_gkid;
}
return Gkid(l0_idx, l1_idx, l2_idx);
}
NTSTATUS gkdi_pull_KeyEnvelope(TALLOC_CTX *mem_ctx,
const DATA_BLOB *key_env_blob,
struct KeyEnvelope *key_env_out)
{
NTSTATUS status = NT_STATUS_OK;
enum ndr_err_code err;
if (key_env_blob == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
if (key_env_out == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
err = ndr_pull_struct_blob(key_env_blob,
mem_ctx,
key_env_out,
(ndr_pull_flags_fn_t)ndr_pull_KeyEnvelope);
status = ndr_map_error2ntstatus(err);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/* If we felt so inclined, we could check the version field here. */
return status;
}
/*
* Retrieve the GKID and root key ID from a KeyEnvelope blob. The returned
* structure is guaranteed to have a valid GKID.
*/
const struct KeyEnvelopeId *gkdi_pull_KeyEnvelopeId(
const DATA_BLOB key_env_blob,
struct KeyEnvelopeId *key_env_out)
{
TALLOC_CTX *tmp_ctx = NULL;
struct KeyEnvelope key_env;
const struct KeyEnvelopeId *key_env_ret = NULL;
NTSTATUS status;
if (key_env_out == NULL) {
goto out;
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
goto out;
}
status = gkdi_pull_KeyEnvelope(tmp_ctx, &key_env_blob, &key_env);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
{
const struct Gkid gkid = gkid_from_u32_indices(
key_env.l0_index, key_env.l1_index, key_env.l2_index);
if (!gkid_is_valid(gkid)) {
/* The KeyId is not valid: we cant use it. */
goto out;
}
*key_env_out = (struct KeyEnvelopeId){
.root_key_id = key_env.root_key_id, .gkid = gkid};
}
/* Return a pointer to the buffer passed in by the caller. */
key_env_ret = key_env_out;
out:
TALLOC_FREE(tmp_ctx);
return key_env_ret;
}
NTSTATUS ProvRootKey(TALLOC_CTX *mem_ctx,
const struct GUID root_key_id,
const int32_t version,
const DATA_BLOB root_key_data,
const NTTIME create_time,
const NTTIME use_start_time,
const char *const domain_id,
const struct KdfAlgorithm kdf_algorithm,
const struct ProvRootKey **const root_key_out)
{
NTSTATUS status = NT_STATUS_OK;
struct ProvRootKey *root_key = NULL;
if (root_key_out == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
*root_key_out = NULL;
root_key = talloc(mem_ctx, struct ProvRootKey);
if (root_key == NULL) {
return NT_STATUS_NO_MEMORY;
}
*root_key = (struct ProvRootKey){
.id = root_key_id,
.data = {.data = talloc_steal(root_key, root_key_data.data),
.length = root_key_data.length},
.create_time = create_time,
.use_start_time = use_start_time,
.domain_id = talloc_steal(root_key, domain_id),
.kdf_algorithm = kdf_algorithm,
.version = version,
};
*root_key_out = root_key;
return status;
}
struct Gkid gkdi_get_interval_id(const NTTIME time)
{
return Gkid(time / (gkdi_l1_key_iteration * gkdi_l2_key_iteration *
gkdi_key_cycle_duration),
time / (gkdi_l2_key_iteration * gkdi_key_cycle_duration) %
gkdi_l1_key_iteration,
time / gkdi_key_cycle_duration % gkdi_l2_key_iteration);
}
bool gkdi_get_key_start_time(const struct Gkid gkid, NTTIME *start_time_out)
{
if (!gkid_is_valid(gkid)) {
return false;
}
{
enum GkidType key_type = gkid_key_type(gkid);
if (key_type != GKID_L2_SEED_KEY) {
return false;
}
}
{
/*
* Make sure that the GKID is not so large its start time cant
* be represented in NTTIME.
*/
static const struct Gkid max_gkid = {
UINT64_MAX /
(gkdi_l1_key_iteration * gkdi_l2_key_iteration *
gkdi_key_cycle_duration),
UINT64_MAX /
(gkdi_l2_key_iteration *
gkdi_key_cycle_duration) %
gkdi_l1_key_iteration,
UINT64_MAX / gkdi_key_cycle_duration %
gkdi_l2_key_iteration};
if (!gkid_less_than_or_equal_to(gkid, max_gkid)) {
return false;
}
}
*start_time_out = ((uint64_t)gkid.l0_idx * gkdi_l1_key_iteration *
gkdi_l2_key_iteration +
(uint64_t)gkid.l1_idx * gkdi_l2_key_iteration +
(uint64_t)gkid.l2_idx) *
gkdi_key_cycle_duration;
return true;
}
/*
* This returns the equivalent of
* gkdi_get_key_start_time(gkdi_get_interval_id(time)).
*/
NTTIME gkdi_get_interval_start_time(const NTTIME time)
{
return time / gkdi_key_cycle_duration * gkdi_key_cycle_duration;
}
bool gkid_less_than_or_equal_to(const struct Gkid g1, const struct Gkid g2)
{
if (g1.l0_idx != g2.l0_idx) {
return g1.l0_idx < g2.l0_idx;
}
if (g1.l1_idx != g2.l1_idx) {
return g1.l1_idx < g2.l1_idx;
}
return g1.l2_idx <= g2.l2_idx;
}
bool gkdi_rollover_interval(const int64_t managed_password_interval,
NTTIME *result)
{
/*
* This is actually a conservative reckoning. The interval could be one
* higher than this maximum and not overflow. But theres no reason to
* support intervals that high (and Windows will start producing strange
* results for intervals beyond that).
*/
const int64_t maximum_interval = UINT64_MAX / gkdi_key_cycle_duration *
10 / 24;
if (managed_password_interval < 0 ||
managed_password_interval > maximum_interval)
{
return false;
}
*result = (uint64_t)managed_password_interval * 24 / 10 *
gkdi_key_cycle_duration;
return true;
}
struct GkdiContextShort {
uint8_t buf[sizeof((struct GUID_ndr_buf){}.buf) + sizeof(int32_t) +
sizeof(int32_t) + sizeof(int32_t)];
};
static NTSTATUS make_gkdi_context(const struct GkdiDerivationCtx *ctx,
struct GkdiContextShort *out_ctx)
{
enum ndr_err_code ndr_err;
DATA_BLOB b = {.data = out_ctx->buf, .length = sizeof out_ctx->buf};
if (ctx->target_security_descriptor.length) {
return NT_STATUS_INVALID_PARAMETER;
}
ndr_err = ndr_push_struct_into_fixed_blob(
&b, ctx, (ndr_push_flags_fn_t)ndr_push_GkdiDerivationCtx);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ndr_map_error2ntstatus(ndr_err);
}
return NT_STATUS_OK;
}
static NTSTATUS make_gkdi_context_security_descriptor(
TALLOC_CTX *mem_ctx,
const struct GkdiDerivationCtx *ctx,
const DATA_BLOB security_descriptor,
DATA_BLOB *out_ctx)
{
enum ndr_err_code ndr_err;
struct GkdiDerivationCtx ctx_with_sd = *ctx;
if (ctx_with_sd.target_security_descriptor.length != 0) {
return NT_STATUS_INVALID_PARAMETER;
}
ctx_with_sd.target_security_descriptor = security_descriptor;
ndr_err = ndr_push_struct_blob(out_ctx,
mem_ctx,
&ctx_with_sd,
(ndr_push_flags_fn_t)
ndr_push_GkdiDerivationCtx);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
return ndr_map_error2ntstatus(ndr_err);
}
return NT_STATUS_OK;
}
struct GkdiContext {
struct GkdiDerivationCtx ctx;
gnutls_mac_algorithm_t algorithm;
};
gnutls_mac_algorithm_t get_sp800_108_mac_algorithm(
const struct KdfAlgorithm kdf_algorithm)
{
switch (kdf_algorithm.id) {
case KDF_ALGORITHM_SP800_108_CTR_HMAC:
switch (kdf_algorithm.param.sp800_108) {
case KDF_PARAM_SHA1:
return GNUTLS_MAC_SHA1;
case KDF_PARAM_SHA256:
return GNUTLS_MAC_SHA256;
case KDF_PARAM_SHA384:
return GNUTLS_MAC_SHA384;
case KDF_PARAM_SHA512:
return GNUTLS_MAC_SHA512;
}
break;
}
return GNUTLS_MAC_UNKNOWN;
}
static NTSTATUS GkdiContext(const struct ProvRootKey *const root_key,
struct GkdiContext *const ctx)
{
NTSTATUS status = NT_STATUS_OK;
gnutls_mac_algorithm_t algorithm = GNUTLS_MAC_UNKNOWN;
if (ctx == NULL) {
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
if (root_key == NULL) {
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
if (root_key->version != root_key_version_1) {
status = NT_STATUS_NOT_SUPPORTED;
goto out;
}
if (root_key->data.length != GKDI_KEY_LEN) {
status = NT_STATUS_NOT_SUPPORTED;
goto out;
}
algorithm = get_sp800_108_mac_algorithm(root_key->kdf_algorithm);
if (algorithm == GNUTLS_MAC_UNKNOWN) {
status = NT_STATUS_NOT_SUPPORTED;
goto out;
}
/*
* The context comprises the GUID corresponding to the root key, the
* GKID (which we shall initialize to zero), and the encoded target
* security descriptor (which will initially be empty).
*/
*ctx = (struct GkdiContext){
.ctx = {.guid = root_key->id,
.l0_idx = 0,
.l1_idx = 0,
.l2_idx = 0,
.target_security_descriptor = {}},
.algorithm = algorithm,
};
out:
return status;
}
static NTSTATUS compute_l1_seed_key(TALLOC_CTX *mem_ctx,
struct GkdiContext *ctx,
const DATA_BLOB security_descriptor,
const struct ProvRootKey *const root_key,
const struct Gkid gkid,
uint8_t key[static const GKDI_KEY_LEN])
{
NTSTATUS status = NT_STATUS_OK;
struct GkdiContextShort short_ctx;
int8_t n;
ctx->ctx.l0_idx = gkid.l0_idx;
ctx->ctx.l1_idx = -1;
ctx->ctx.l2_idx = -1;
status = make_gkdi_context(&ctx->ctx, &short_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
/* Derive an L0 seed key with GKID = (L0, 1, 1). */
status = samba_gnutls_sp800_108_derive_key(root_key->data.data,
root_key->data.length,
NULL,
0,
kds_service,
sizeof kds_service,
short_ctx.buf,
sizeof short_ctx.buf,
ctx->algorithm,
key,
GKDI_KEY_LEN);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
/* Derive an L1 seed key with GKID = (L0, 31, 1). */
ctx->ctx.l1_idx = 31;
{
DATA_BLOB security_descriptor_ctx;
status = make_gkdi_context_security_descriptor(
mem_ctx,
&ctx->ctx,
security_descriptor,
&security_descriptor_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = samba_gnutls_sp800_108_derive_key(
key,
GKDI_KEY_LEN,
NULL,
0,
kds_service,
sizeof kds_service,
security_descriptor_ctx.data,
security_descriptor_ctx.length,
ctx->algorithm,
key,
GKDI_KEY_LEN);
data_blob_free(&security_descriptor_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
}
for (n = 30; n >= gkid.l1_idx; --n) {
/* Derive an L1 seed key with GKID = (L0, n, 1). */
ctx->ctx.l1_idx = n;
status = make_gkdi_context(&ctx->ctx, &short_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = samba_gnutls_sp800_108_derive_key(key,
GKDI_KEY_LEN,
NULL,
0,
kds_service,
sizeof kds_service,
short_ctx.buf,
sizeof short_ctx.buf,
ctx->algorithm,
key,
GKDI_KEY_LEN);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
}
out:
return status;
}
static NTSTATUS derive_l2_seed_key(struct GkdiContext *ctx,
const struct Gkid gkid,
uint8_t key[static const GKDI_KEY_LEN])
{
NTSTATUS status = NT_STATUS_OK;
int8_t n;
ctx->ctx.l0_idx = gkid.l0_idx;
ctx->ctx.l1_idx = gkid.l1_idx;
for (n = 31; n >= gkid.l2_idx; --n) {
struct GkdiContextShort short_ctx;
/* Derive an L2 seed key with GKID = (L0, L1, n). */
ctx->ctx.l2_idx = n;
status = make_gkdi_context(&ctx->ctx, &short_ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = samba_gnutls_sp800_108_derive_key(key,
GKDI_KEY_LEN,
NULL,
0,
kds_service,
sizeof kds_service,
short_ctx.buf,
sizeof short_ctx.buf,
ctx->algorithm,
key,
GKDI_KEY_LEN);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
}
out:
return status;
}
enum GkidType gkid_key_type(const struct Gkid gkid)
{
if (gkid.l0_idx == -1) {
return GKID_DEFAULT;
}
if (gkid.l1_idx == -1) {
return GKID_L0_SEED_KEY;
}
if (gkid.l2_idx == -1) {
return GKID_L1_SEED_KEY;
}
return GKID_L2_SEED_KEY;
}
bool gkid_is_valid(const struct Gkid gkid)
{
if (gkid.l0_idx < -1) {
return false;
}
if (gkid.l1_idx < -1 || gkid.l1_idx >= gkdi_l1_key_iteration) {
return false;
}
if (gkid.l2_idx < -1 || gkid.l2_idx >= gkdi_l2_key_iteration) {
return false;
}
if (gkid.l0_idx == -1 && gkid.l1_idx != -1) {
return false;
}
if (gkid.l1_idx == -1 && gkid.l2_idx != -1) {
return false;
}
return true;
}
NTSTATUS compute_seed_key(TALLOC_CTX *mem_ctx,
const DATA_BLOB target_security_descriptor,
const struct ProvRootKey *const root_key,
const struct Gkid gkid,
uint8_t key[static const GKDI_KEY_LEN])
{
NTSTATUS status = NT_STATUS_OK;
enum GkidType gkid_type;
struct GkdiContext ctx;
if (!gkid_is_valid(gkid)) {
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
gkid_type = gkid_key_type(gkid);
if (gkid_type < GKID_L1_SEED_KEY) {
/* Dont allow derivation of L0 seed keys. */
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
status = GkdiContext(root_key, &ctx);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = compute_l1_seed_key(
mem_ctx, &ctx, target_security_descriptor, root_key, gkid, key);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
if (gkid_type == GKID_L2_SEED_KEY) {
status = derive_l2_seed_key(&ctx, gkid, key);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
}
out:
return status;
}
NTSTATUS kdf_sp_800_108_from_params(
const DATA_BLOB *const kdf_param,
struct KdfAlgorithm *const kdf_algorithm_out)
{
TALLOC_CTX *tmp_ctx = NULL;
NTSTATUS status = NT_STATUS_OK;
enum ndr_err_code err;
enum KdfSp800_108Param sp800_108_param = KDF_PARAM_SHA256;
struct KdfParameters kdf_parameters;
if (kdf_param != NULL) {
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
err = ndr_pull_struct_blob(kdf_param,
tmp_ctx,
&kdf_parameters,
(ndr_pull_flags_fn_t)
ndr_pull_KdfParameters);
if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
status = ndr_map_error2ntstatus(err);
DBG_WARNING("KdfParameters pull failed: %s\n",
nt_errstr(status));
goto out;
}
if (kdf_parameters.hash_algorithm == NULL) {
status = NT_STATUS_NOT_SUPPORTED;
goto out;
}
/* These string comparisons are casesensitive. */
if (strcmp(kdf_parameters.hash_algorithm, "SHA1") == 0) {
sp800_108_param = KDF_PARAM_SHA1;
} else if (strcmp(kdf_parameters.hash_algorithm, "SHA256") == 0)
{
sp800_108_param = KDF_PARAM_SHA256;
} else if (strcmp(kdf_parameters.hash_algorithm, "SHA384") == 0)
{
sp800_108_param = KDF_PARAM_SHA384;
} else if (strcmp(kdf_parameters.hash_algorithm, "SHA512") == 0)
{
sp800_108_param = KDF_PARAM_SHA512;
} else {
status = NT_STATUS_NOT_SUPPORTED;
goto out;
}
}
*kdf_algorithm_out = (struct KdfAlgorithm){
.id = KDF_ALGORITHM_SP800_108_CTR_HMAC,
.param.sp800_108 = sp800_108_param,
};
out:
talloc_free(tmp_ctx);
return status;
}
NTSTATUS kdf_algorithm_from_params(const char *const kdf_algorithm_id,
const DATA_BLOB *const kdf_param,
struct KdfAlgorithm *const kdf_algorithm_out)
{
if (kdf_algorithm_id == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
/* This string comparison is casesensitive. */
if (strcmp(kdf_algorithm_id, "SP800_108_CTR_HMAC") == 0) {
return kdf_sp_800_108_from_params(kdf_param, kdf_algorithm_out);
}
/* Unknown algorithm. */
return NT_STATUS_NOT_SUPPORTED;
}