Linux-CIFS Archive on lore.kernel.org
* [SMB3][PATCH] dump encryption keys to allow wireshark debugging of encrypted
From: Steve French @ 2019-09-20  7:07 UTC (permalink / raw)
  To: Aurélien Aptel, CIFS, samba-technical

[-- Attachment #1: Type: text/plain, Size: 737 bytes --]

kernel patch updated to check if encryption is enabled

In order to debug certain problems it is important to be able
to decrypt network traces (e.g. wireshark) but to do this we
need to be able to dump out the encryption/decryption keys.
Dumping them to an ioctl is safer than dumping them to dmesg,
(and better than showing all keys in a pseudofile).

Restrict this to root (CAP_SYS_ADMIN), and only for a mount
that this admin has access to.

Sample smbinfo output:
SMB3.0 encryption
Session Id:   0x82d2ec52
Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88


-- 
Thanks,

Steve

[-- Attachment #2: 0001-smb3-allow-decryption-keys-to-be-dumped-by-admin-for.patch --]
[-- Type: text/x-patch, Size: 3676 bytes --]

From 3cee2eec9c2849bf1148b5d51b5e7147e97b0b55 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Thu, 19 Sep 2019 04:00:55 -0500
Subject: [PATCH] smb3: allow decryption keys to be dumped by admin for
 debugging

In order to debug certain problems it is important to be able
to decrypt network traces (e.g. wireshark) but to do this we
need to be able to dump out the encryption/decryption keys.
Dumping them to an ioctl is safer than dumping them to dmesg,
(and better than showing all keys in a pseudofile).

Restrict this to root (CAP_SYS_ADMIN), and only for a mount
that this admin has access to.

Sample smbinfo output:
SMB3.0 encryption
Session Id:   0x82d2ec52
Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88

Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
 fs/cifs/cifs_ioctl.h |  9 +++++++++
 fs/cifs/ioctl.c      | 29 +++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/fs/cifs/cifs_ioctl.h b/fs/cifs/cifs_ioctl.h
index 6c3bd07868d7..0f0dc1c1fe41 100644
--- a/fs/cifs/cifs_ioctl.h
+++ b/fs/cifs/cifs_ioctl.h
@@ -57,9 +57,18 @@ struct smb_query_info {
 	/* char buffer[]; */
 } __packed;
 
+struct smb3_key_debug_info {
+	__u64	Suid;
+	__u16	cipher_type;
+	__u8	auth_key[16]; /* SMB2_NTLMV2_SESSKEY_SIZE */
+	__u8	smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+	__u8	smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+} __packed;
+
 #define CIFS_IOCTL_MAGIC	0xCF
 #define CIFS_IOC_COPYCHUNK_FILE	_IOW(CIFS_IOCTL_MAGIC, 3, int)
 #define CIFS_IOC_SET_INTEGRITY  _IO(CIFS_IOCTL_MAGIC, 4)
 #define CIFS_IOC_GET_MNT_INFO _IOR(CIFS_IOCTL_MAGIC, 5, struct smb_mnt_fs_info)
 #define CIFS_ENUMERATE_SNAPSHOTS _IOR(CIFS_IOCTL_MAGIC, 6, struct smb_snapshot_array)
 #define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info)
+#define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info)
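
Review bot: CIFS_DUMP_KEY is declared _IOWR, but the handler added in fs/cifs/ioctl.c only calls copy_to_user() and never reads the argument, so _IOR describes the direction correctly and is worth settling before the number becomes ABI. In the struct, auth_key[16] hard-codes its size with the constant name only in a comment, and the encryption and decryption key arrays are sized with SMB3_SIGN_KEY_SIZE, a signing-key constant; a dedicated size constant for the cipher keys would make the layout self-documenting and easier to keep in step with the hand-copied struct in smbinfo.c.
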
diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
index 76ddd98b6298..48c23929350c 100644
--- a/fs/cifs/ioctl.c
+++ b/fs/cifs/ioctl.c
@@ -164,6 +164,7 @@ static long smb_mnt_get_fsinfo(unsigned int xid, struct cifs_tcon *tcon,
 long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
 {
 	struct inode *inode = file_inode(filep);
+	struct smb3_key_debug_info pkey_inf;
 	int rc = -ENOTTY; /* strange error - but the precedent */
 	unsigned int xid;
 	struct cifsFileInfo *pSMBFile = filep->private_data;
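
Review bot: pkey_inf is declared at function scope in cifs_ioctl(), and once CIFS_DUMP_KEY has run the session key and both cipher keys are left behind in that stack slot. Declare it inside the CIFS_DUMP_KEY case and clear it with memzero_explicit(&pkey_inf, sizeof(pkey_inf)) after copy_to_user() returns. The "p" prefix also reads as a pointer, which this variable is not.
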
@@ -270,6 +271,34 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
 			else
 				rc = -EOPNOTSUPP;
 			break;
+		case CIFS_DUMP_KEY:
+			cifs_dbg(VFS, "ioctl dumpkey\n"); /* BB REMOVEME */
+			if (pSMBFile == NULL)
+				break;
+			if (!capable(CAP_SYS_ADMIN)) {
+				rc = -EACCES;
+				break;
+			}
+			tcon = tlink_tcon(pSMBFile->tlink);
+			if (!smb3_encryption_required(tcon)) {
+				rc = -EOPNOTSUPP;
+				break;
+			}
+			pkey_inf.cipher_type =
+				le16_to_cpu(tcon->ses->server->cipher_type);
+			pkey_inf.Suid = tcon->ses->Suid;
+			memcpy(pkey_inf.auth_key, tcon->ses->auth_key.response,
+					16 /* SMB2_NTLMV2_SESSKEY_SIZE */);
+			memcpy(pkey_inf.smb3decryptionkey,
+			      tcon->ses->smb3decryptionkey, SMB3_SIGN_KEY_SIZE);
+			memcpy(pkey_inf.smb3encryptionkey,
+			      tcon->ses->smb3encryptionkey, SMB3_SIGN_KEY_SIZE);
+			if (copy_to_user((void __user *)arg, &pkey_inf,
+					sizeof(struct smb3_key_debug_info)))
+				rc = -EFAULT;
+			else
+				rc = 0;
+			break;
 		default:
 			cifs_dbg(FYI, "unsupported ioctl\n");
 			break;
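
Review bot: the memcpy() from tcon->ses->auth_key.response copies a fixed 16 bytes without checking that response is non-NULL or that the stored key is at least that long; check both and return an error before copying. The capable(CAP_SYS_ADMIN) test would also be better as the first statement in the case, ahead of the pSMBFile check, and the pSMBFile == NULL path currently falls out with the default -ENOTTY instead of an explicit error code. The commit message says the dump is limited to a mount the admin has access to, but nothing in this case enforces that beyond the caller holding an open file on the mount; a short comment stating that would help.
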
-- 
2.20.1



* Re: [SMB3][PATCH] dump encryption keys to allow wireshark debugging of encrypted
From: Steve French @ 2019-09-20  7:20 UTC (permalink / raw)
  To: Aurélien Aptel, CIFS, samba-technical

[-- Attachment #1: Type: text/plain, Size: 936 bytes --]

And updated patch for cifs-utils ("smbinfo keys <filename>")


On Fri, Sep 20, 2019 at 2:07 AM Steve French <smfrench@gmail.com> wrote:
>
> kernel patch updated to check if encryption is enabled
>
> In order to debug certain problems it is important to be able
> to decrypt network traces (e.g. wireshark) but to do this we
> need to be able to dump out the encryption/decryption keys.
> Dumping them to an ioctl is safer than dumping them to dmesg,
> (and better than showing all keys in a pseudofile).
>
> Restrict this to root (CAP_SYS_ADMIN), and only for a mount
> that this admin has access to.
>
> Sample smbinfo output:
> SMB3.0 encryption
> Session Id:   0x82d2ec52
> Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
> Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
> Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88
>
>
> --
> Thanks,
>
> Steve



-- 
Thanks,

Steve

[-- Attachment #2: 0001-smbinfo-print-the-security-information-needed-to-dec.patch --]
[-- Type: text/x-patch, Size: 3208 bytes --]

From 3c2f15537850ede5cca0feb1dc008cc76042c67f Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Thu, 19 Sep 2019 04:21:16 -0500
Subject: [PATCH] smbinfo: print the security information needed to decrypt
 wireshark trace

Sample output:

    SMB3.0 encryption
    Session Id:   0x82d2ec52
    Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
    Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
    Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88

Signed-off-by: Steve French <stfrench@microsoft.com>

merge
---
 smbinfo.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/smbinfo.c b/smbinfo.c
index f9de7fd..383df33 100644
--- a/smbinfo.c
+++ b/smbinfo.c
@@ -54,7 +54,17 @@ struct smb_query_info {
 	/* char buffer[]; */
 } __packed;
 
+#define SMB3_SIGN_KEY_SIZE 16
+struct smb3_key_debug_info {
+	uint64_t Suid;
+	uint16_t cipher_type;
+	uint8_t auth_key[16]; /* SMB2_NTLMV2_SESSKEY_SIZE */
+	uint8_t	smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+	uint8_t	smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+} __attribute__((packed));
+
 #define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info)
+#define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info)
 #define INPUT_BUFFER_LENGTH 16384
 
 int verbose;
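
Review bot: struct smb3_key_debug_info and SMB3_SIGN_KEY_SIZE are re-declared by hand here and have to stay byte-for-byte identical to the packed kernel definition in fs/cifs/cifs_ioctl.h; add a comment naming that header as the source of truth. The member declarations also mix a space (auth_key) and a tab (the two key arrays) after uint8_t; pick one.
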
@@ -92,7 +102,9 @@ usage(char *name)
 		"  quota:\n"
 		"      Prints the quota for a cifs file.\n"
 		"  secdesc:\n"
-		"      Prints the security descriptor for a cifs file.\n",
+		"      Prints the security descriptor for a cifs file.\n"
+		"  keys:\n"
+		"      Prints the decryption information needed to view encrypted network traces.\n",
 		name);
 	exit(1);
 }
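
Review bot: the new usage text for "keys" does not say that the command needs root (CAP_SYS_ADMIN) and an encrypted mount, both of which the kernel side checks, or that what it prints is live key material. Add that to the help string, and wrap the added line, which runs well past 80 columns.
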
@@ -1015,6 +1027,37 @@ static void print_snapshots(struct smb_snapshot_array *psnap)
 	printf("\n");
 }
 
+static void
+dump_keys(int f)
+{
+	struct smb3_key_debug_info keys_info;
+
+	if (ioctl(f, CIFS_DUMP_KEY, &keys_info) < 0) {
+		fprintf(stderr, "Querying keys information failed with %s\n", strerror(errno));
+		exit(1);
+	}
+
+	if (keys_info.cipher_type == 1)
+		printf("CCM encryption");
+	else if (keys_info.cipher_type == 2)
+		printf("GCM encryption");
+	else if (keys_info.cipher_type == 0)
+		printf("SMB3.0 encryption");
+	else
+		printf("unknown encryption type");
+	printf("\nSession Id:   0x%lx", keys_info.Suid);
+	printf("\nSession Key: ");
+	for (int i = 0; i < 16; i++)
+		printf(" %x", keys_info.auth_key[i]);
+	printf("\nServer Encryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %x", keys_info.smb3encryptionkey[i]);
+	printf("\nServer Decryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %x", keys_info.smb3decryptionkey[i]);
+	printf("\n");
+}
+
 #define CIFS_ENUMERATE_SNAPSHOTS _IOR(CIFS_IOCTL_MAGIC, 6, struct smb_snapshot_array)
 
 #define MIN_SNAPSHOT_ARRAY_SIZE 16 /* See MS-SMB2 section 3.3.5.15.1 */
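
Review bot: the three loops in dump_keys() print each byte with " %x", which drops the leading zero of any byte below 0x10; the sample output in the commit message shows it ("d0 e c1" and "3c e bc"). Use " %02x" so every byte is two hex digits and the keys can be copied out unambiguously. Suid is a uint64_t printed with %lx, which is wrong where long is 32 bits; use PRIx64 from <inttypes.h>. keys_info also stays on the stack holding the keys after printing and could be cleared before returning.
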
@@ -1124,6 +1167,8 @@ int main(int argc, char *argv[])
 		quota(f);
 	else if (!strcmp(argv[optind], "secdesc"))
 		secdesc(f);
+	else if (!strcmp(argv[optind], "keys"))
+		dump_keys(f);
 	else {
 		fprintf(stderr, "Unknown command %s\n", argv[optind]);
 		exit(1);
-- 
2.20.1



* Re: [SMB3][PATCH] dump encryption keys to allow wireshark debugging of encrypted
From: Pavel Shilovsky @ 2019-09-20 17:14 UTC (permalink / raw)
  To: Steve French; +Cc: Aurélien Aptel, CIFS, samba-technical

Thanks, this is very useful functionality! A couple comments below.

kernel patch:

+ cifs_dbg(VFS, "ioctl dumpkey\n"); /* BB REMOVEME */

please remove this or change to FYI.

user space patch:

+ if (keys_info.cipher_type == 1)
+ printf("CCM encryption");
+ else if (keys_info.cipher_type == 2)
+ printf("GCM encryption");
+ else if (keys_info.cipher_type == 0)
+ printf("SMB3.0 encryption");
^^^
SMB3.0 encryption is CCM, so, let's not confuse users and print "CCM
encryption" for both cipher_type values of 0 and 1.


Best regards,
Pavel Shilovskiy

On Fri, Sep 20, 2019 at 00:20, Steve French via samba-technical
<samba-technical@lists.samba.org> wrote:
>
> And updated patch for cifs-utils ("smbinfo keys <filename>")
>
>
> On Fri, Sep 20, 2019 at 2:07 AM Steve French <smfrench@gmail.com> wrote:
> >
> > kernel patch updated to check if encryption is enabled
> >
> > In order to debug certain problems it is important to be able
> > to decrypt network traces (e.g. wireshark) but to do this we
> > need to be able to dump out the encryption/decryption keys.
> > Dumping them to an ioctl is safer than dumping them to dmesg,
> > (and better than showing all keys in a pseudofile).
> >
> > Restrict this to root (CAP_SYS_ADMIN), and only for a mount
> > that this admin has access to.
> >
> > Sample smbinfo output:
> > SMB3.0 encryption
> > Session Id:   0x82d2ec52
> > Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
> > Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
> > Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88
> >
> >
> > --
> > Thanks,
> >
> > Steve
>
>
>
> --
> Thanks,
>
> Steve


* Re: [SMB3][PATCH] dump encryption keys to allow wireshark debugging of encrypted
From: Steve French @ 2019-09-21 11:04 UTC (permalink / raw)
  To: Pavel Shilovsky; +Cc: Aurélien Aptel, CIFS, samba-technical

On Fri, Sep 20, 2019 at 12:14 PM Pavel Shilovsky
<pavel.shilovsky@gmail.com> wrote:
>
> Thanks, this is very useful functionality! A couple comments below.
>
> kernel patch:
>
> + cifs_dbg(VFS, "ioctl dumpkey\n"); /* BB REMOVEME */
>
> please remove this or change to FYI.

Good catch - removed and repushed

