Re: [SMB3][PATCH] dump encryption keys to allow wireshark debugging of encrypted

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



And updated patch for cifs-utils ("smbinfo keys <filename>")


On Fri, Sep 20, 2019 at 2:07 AM Steve French <smfrench@xxxxxxxxx> wrote:
>
> kernel patch updated to check if encryption is enabled
>
> In order to debug certain problems it is important to be able
> to decrypt network traces (e.g. wireshark) but to do this we
> need to be able to dump out the encryption/decryption keys.
> Dumping them to an ioctl is safer than dumping then to dmesg,
> (and better than showing all keys in a pseudofile).
>
> Restrict this to root (CAP_SYS_ADMIN), and only for a mount
> that this admin has access to.
>
> Sample smbinfo output:
> SMB3.0 encryption
> Session Id:   0x82d2ec52
> Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
> Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
> Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88
>
>
> --
> Thanks,
>
> Steve



-- 
Thanks,

Steve
From 3c2f15537850ede5cca0feb1dc008cc76042c67f Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@xxxxxxxxxxxxx>
Date: Thu, 19 Sep 2019 04:21:16 -0500
Subject: [PATCH] smbinfo: print the security information needed to decrypt
 wireshark trace

Sample output:

    SMB3.0 encryption
    Session Id:   0x82d2ec52
    Session Key:  a5 6d 81 d0 e c1 ca e1 d8 13 aa 20 e8 f2 cc 71
    Server Encryption Key:  1a c3 be ba 3d fc dc 3c e bc 93 9e 50 9e 19 c1
    Server Decryption Key:  e0 d4 d9 43 1b a2 1b e3 d8 76 77 49 56 f7 20 88

Signed-off-by: Steve French <stfrench@xxxxxxxxxxxxx>

merge
---
 smbinfo.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/smbinfo.c b/smbinfo.c
index f9de7fd..383df33 100644
--- a/smbinfo.c
+++ b/smbinfo.c
@@ -54,7 +54,17 @@ struct smb_query_info {
 	/* char buffer[]; */
 } __packed;
 
+#define SMB3_SIGN_KEY_SIZE 16
+struct smb3_key_debug_info {
+	uint64_t Suid;
+	uint16_t cipher_type;
+	uint8_t auth_key[16]; /* SMB2_NTLMV2_SESSKEY_SIZE */
+	uint8_t	smb3encryptionkey[SMB3_SIGN_KEY_SIZE];
+	uint8_t	smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
+} __attribute__((packed));
+
 #define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info)
+#define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info)
 #define INPUT_BUFFER_LENGTH 16384
 
 int verbose;
@@ -92,7 +102,9 @@ usage(char *name)
 		"  quota:\n"
 		"      Prints the quota for a cifs file.\n"
 		"  secdesc:\n"
-		"      Prints the security descriptor for a cifs file.\n",
+		"      Prints the security descriptor for a cifs file.\n"
+		"  keys:\n"
+		"      Prints the decryption information needed to view encrypted network traces.\n",
 		name);
 	exit(1);
 }
@@ -1015,6 +1027,37 @@ static void print_snapshots(struct smb_snapshot_array *psnap)
 	printf("\n");
 }
 
+static void
+dump_keys(int f)
+{
+	struct smb3_key_debug_info keys_info;
+
+	if (ioctl(f, CIFS_DUMP_KEY, &keys_info) < 0) {
+		fprintf(stderr, "Querying keys information failed with %s\n", strerror(errno));
+		exit(1);
+	}
+
+	if (keys_info.cipher_type == 1)
+		printf("CCM encryption");
+	else if (keys_info.cipher_type == 2)
+		printf("GCM encryption");
+	else if (keys_info.cipher_type == 0)
+		printf("SMB3.0 encryption");
+	else
+		printf("unknown encryption type");
+	printf("\nSession Id:   0x%lx", keys_info.Suid);
+	printf("\nSession Key: ");
+	for (int i = 0; i < 16; i++)
+		printf(" %x", keys_info.auth_key[i]);
+	printf("\nServer Encryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %x", keys_info.smb3encryptionkey[i]);
+	printf("\nServer Decryption Key: ");
+	for (int i = 0; i < SMB3_SIGN_KEY_SIZE; i++)
+		printf(" %x", keys_info.smb3decryptionkey[i]);
+	printf("\n");
+}
+
 #define CIFS_ENUMERATE_SNAPSHOTS _IOR(CIFS_IOCTL_MAGIC, 6, struct smb_snapshot_array)
 
 #define MIN_SNAPSHOT_ARRAY_SIZE 16 /* See MS-SMB2 section 3.3.5.15.1 */
@@ -1124,6 +1167,8 @@ int main(int argc, char *argv[])
 		quota(f);
 	else if (!strcmp(argv[optind], "secdesc"))
 		secdesc(f);
+	else if (!strcmp(argv[optind], "keys"))
+		dump_keys(f);
 	else {
 		fprintf(stderr, "Unknown command %s\n", argv[optind]);
 		exit(1);
-- 
2.20.1


[Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux