The branch, master has been updated
       via  584dfc15fd3 libsmb,s3/smbd: dump SMB3+ session keys if debug parm is set
       via  0732499f23c docs-xml: add "debug encryption" global parm
       via  67825c96473 libcli: add getters for smb2 {signing,encryption,decryption} keys
      from  7ff94b18e2e s3:vfs: Correctly check if OFD locks should be enabled or not

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 584dfc15fd33f665a0bd2287a6a981568032ec74
Author: Aurelien Aptel <[email protected]>
Date:   Fri Feb 8 12:13:25 2019 +0100

    libsmb,s3/smbd: dump SMB3+ session keys if debug parm is set
    
    Use of previously added smb.conf global param.
    
    Sample usage:
    
    $ smbclient //localhost/scratch --option='debugencryption=yes' \
                                     -e -mSMB3 -U aaptel%aaptel -c quit
    debug encryption: dumping generated session keys
    Session Id    [0000] 26 48 BF FD 00 00 00 00                             &H......
    Session Key   [0000] 63 D6 CA BC 08 C8 4A D2   45 F6 AE 35 AB 4A B3 3B   c.....J. E..5.J.;
    Signing Key   [0000] 4E FE 35 92 AC 13 14 FC   C9 17 62 B1 82 20 A4 12   N.5..... ..b.. ..
    App Key       [0000] A5 0F F4 8B 2F FB 0D FF   F2 BF EE 39 E6 6D F5 0A   ..../... ...9.m..
    ServerIn Key  [0000] 2A 02 7E E1 D3 58 D8 12   4C 63 76 AE 59 17 5A E4   *.~..X.. Lcv.Y.Z.
    ServerOut Key [0000] 59 F2 5B 7F 66 8F 31 A0   A5 E4 A8 D8 2F BA 00 38   Y.[.f.1. ..../..8
    
    We can now simply pass -ouat:smb2_seskey_list:<sesid>,<seskey> to
    wireshark or tshark:
    
    $ tshark -ouat:smb2_seskey_list:2648BFFD00000000,63D6CABC08C84AD245F6AE35AB4AB33B \
              -Y smb2 -r capture.pcap -Tfields -e _ws.col.Info
    Negotiate Protocol Response
    Negotiate Protocol Request
    Negotiate Protocol Response
    Session Setup Request, NTLMSSP_NEGOTIATE
    Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
    Session Setup Request, NTLMSSP_AUTH, User: WORKGROUP\aaptel
    Session Setup Response
    Tree Connect Request Tree: \\localhost\IPC$
    Tree Connect Response
    Decrypted SMB3;Ioctl Request FSCTL_DFS_GET_REFERRALS, File: \localhost\scratch
    Decrypted SMB3;Ioctl Response, Error: STATUS_NOT_FOUND
    Decrypted SMB3;Tree Disconnect Request
    Decrypted SMB3;Tree Disconnect Response
    Decrypted SMB3;Tree Connect Request Tree: \\localhost\scratch
    Decrypted SMB3;Tree Connect Response
    Decrypted SMB3;Tree Disconnect Request
    Decrypted SMB3;Tree Disconnect Response
    
    For more info on Wireshark decryption support see
    https://wiki.samba.org/index.php/Wireshark_Decryption
    
    Signed-off-by: Aurelien Aptel <[email protected]>
    Reviewed-by: Noel Power <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>
    
    Autobuild-User(master): David Disseldorp <[email protected]>
    Autobuild-Date(master): Sat Feb  9 21:43:25 CET 2019 on sn-devel-144

commit 0732499f23cebe6c5e24f596ff4fe41f8ab1d156
Author: Aurelien Aptel <[email protected]>
Date:   Fri Feb 8 12:04:42 2019 +0100

    docs-xml: add "debug encryption" global parm
    
    Add debug option to dump in the log the session id & keys in smbd and
    libsmb-based code for offline decryption.
    
    Wireshark can make use of this to decrypt encrypted traffic.
    
    Signed-off-by: Aurelien Aptel <[email protected]>
    Reviewed-by: Noel Power <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

commit 67825c96473ff8731af415683b4a74caca7a6809
Author: Aurelien Aptel <[email protected]>
Date:   Wed Feb 6 19:23:35 2019 +0100

    libcli: add getters for smb2 {signing,encryption,decryption} keys
    
    Adds:
    - smb2cli_session_signing_key()
    - smb2cli_session_encryption_key()
    - smb2cli_session_decryption_key()
    
    Signed-off-by: Aurelien Aptel <[email protected]>
    Reviewed-by: Noel Power <[email protected]>
    Reviewed-by: Ralph Boehme <[email protected]>
    Reviewed-by: David Disseldorp <[email protected]>

-----------------------------------------------------------------------
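
The workflow in the first commit message (dump the keys, then pass <sesid>,<seskey> to tshark) can be scripted. The following is an added example, not part of the Samba commits: it parses the dumped rows and builds the -ouat:smb2_seskey_list option. The function names are hypothetical, and the row layout is assumed to match the sample output above (at most 16 bytes per row, one row per line).

```python
import re

# Constructed sample: the smbclient output quoted in the commit message,
# with every dump row on a single line.
SAMPLE_LOG = """\
debug encryption: dumping generated session keys
Session Id    [0000] 26 48 BF FD 00 00 00 00                             &H......
Session Key   [0000] 63 D6 CA BC 08 C8 4A D2   45 F6 AE 35 AB 4A B3 3B   c.....J. E..5.J.;
Signing Key   [0000] 4E FE 35 92 AC 13 14 FC   C9 17 62 B1 82 20 A4 12   N.5..... ..b.. ..
ServerIn Key  [0000] 2A 02 7E E1 D3 58 D8 12   4C 63 76 AE 59 17 5A E4   *.~..X.. Lcv.Y.Z.
"""

MARKER = "debug encryption: dumping generated session keys"
LABEL = re.compile(r"^\s*(Session Id|Session Key|Signing Key|App Key|"
                   r"ServerIn Key|ServerOut Key)\s+\[0000\]")
# Hex pairs separated by 1-3 spaces, capped at 16 so the ASCII column is ignored.
ROW = re.compile(r"\[[0-9A-Fa-f]{4}\] ((?:[0-9A-Fa-f]{2} {1,3}){1,16})")

def parse_key_dumps(log_text):
    """Return one {label: hex string} dict per dumped session."""
    sessions, current, label = [], None, None
    for line in log_text.splitlines():
        if MARKER in line:            # a new dump starts here
            current, label = {}, None
            sessions.append(current)
            continue
        if current is None:
            continue
        m = LABEL.match(line)
        if m:
            label = m.group(1)
            current[label] = ""
        row = ROW.search(line)
        if row and label:             # first row or an unlabelled continuation row
            current[label] += "".join(row.group(1).split()).upper()
        else:
            label = None
    return sessions

def tshark_options(sessions):
    """Build one -ouat:smb2_seskey_list option per complete session."""
    opts = []
    for s in sessions:
        sid, key = s.get("Session Id"), s.get("Session Key")
        if sid and key and len(sid) == 16:   # the session id is 8 bytes
            opts.append(f"-ouat:smb2_seskey_list:{sid},{key}")
    return opts

if __name__ == "__main__":
    print("\n".join(tshark_options(parse_key_dumps(SAMPLE_LOG))))
```

Any log file in which parse_key_dumps() finds a session holds enough material to decrypt that session's traffic, so the same parser can be run over collected logs to find hosts where the option was left enabled.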

Summary of changes:
 docs-xml/smbdotconf/security/debugencryption.xml | 22 +++++++
 lib/param/loadparm.c                             |  2 +
 libcli/smb/smbXcli_base.c                        | 79 ++++++++++++++++++++++++
 libcli/smb/smbXcli_base.h                        |  9 +++
 source3/libsmb/cliconnect.c                      | 57 +++++++++++++++++
 source3/smbd/smb2_sesssetup.c                    | 25 ++++++++
 6 files changed, 194 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/debugencryption.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/debugencryption.xml 
b/docs-xml/smbdotconf/security/debugencryption.xml
new file mode 100644
index 00000000000..5b51b4afe0e
--- /dev/null
+++ b/docs-xml/smbdotconf/security/debugencryption.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="debug encryption"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+  <description>
+    <para>
+      This option will make the smbd server and client code using
+      libsmb (smbclient, smbget, smbspool, ...) dump the Session Id,
+      the decrypted Session Key, the Signing Key, the Application Key,
+      the Encryption Key and the Decryption Key every time an SMB3+
+      session is established. This information will be printed in logs
+      at level 0.
+    </para>
+    <para>
+      Warning: access to these values enables the decryption of any
+      encrypted traffic on the dumped sessions. This option should
+      only be enabled for debugging purposes.
+    </para>
+  </description>
+
+  <value type="default">no</value>
+</samba:parameter>
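
Review bot: The description lists "the Encryption Key and the Decryption Key", but the output this option produces labels them "ServerIn Key" and "ServerOut Key" (see the sample in the commit message and the DEBUGADD strings in the code hunks). Because the mapping from encryption/decryption to ServerIn/ServerOut differs between client and server, the <description> should name the labels as printed and say what each one means, so a reader of the manpage can match the text to the log lines. The warning paragraph could also say that the keys land in the regular level 0 log, so anyone who can read that log can decrypt the dumped sessions.
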
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index f31ef2319ac..84c83ae91ec 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3008,6 +3008,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "store dos attributes", "yes");
 
+       lpcfg_do_global_parameter(lp_ctx, "debug encryption", "no");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 3118365871a..2455b6deacd 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5561,6 +5561,85 @@ bool smbXcli_session_is_authenticated(struct 
smbXcli_session *session)
        return true;
 }
 
+NTSTATUS smb2cli_session_signing_key(struct smbXcli_session *session,
+                                    TALLOC_CTX *mem_ctx,
+                                    DATA_BLOB *key)
+{
+       DATA_BLOB *sig = NULL;
+
+       if (session->conn == NULL) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       /*
+        * Use channel signing key if there is one, otherwise fallback
+        * to session.
+        */
+
+       if (session->smb2_channel.signing_key.length != 0) {
+               sig = &session->smb2_channel.signing_key;
+       } else if (session->smb2->signing_key.length != 0) {
+               sig = &session->smb2->signing_key;
+       } else {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       *key = data_blob_dup_talloc(mem_ctx, *sig);
+       if (key->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS smb2cli_session_encryption_key(struct smbXcli_session *session,
+                                       TALLOC_CTX *mem_ctx,
+                                       DATA_BLOB *key)
+{
+       if (session->conn == NULL) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       if (session->conn->protocol < PROTOCOL_SMB3_00) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       if (session->smb2->encryption_key.length == 0) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       *key = data_blob_dup_talloc(mem_ctx, session->smb2->encryption_key);
+       if (key->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
+NTSTATUS smb2cli_session_decryption_key(struct smbXcli_session *session,
+                                       TALLOC_CTX *mem_ctx,
+                                       DATA_BLOB *key)
+{
+       if (session->conn == NULL) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       if (session->conn->protocol < PROTOCOL_SMB3_00) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       if (session->smb2->decryption_key.length == 0) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       *key = data_blob_dup_talloc(mem_ctx, session->smb2->decryption_key);
+       if (key->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
                                         TALLOC_CTX *mem_ctx,
                                         DATA_BLOB *key)
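
Review bot: smb2cli_session_signing_key() reads session->smb2->signing_key after checking only session->conn, while the encryption and decryption getters below it also return NT_STATUS_NO_USER_SESSION_KEY when session->conn->protocol < PROTOCOL_SMB3_00; add the equivalent protocol guard to the signing getter, or a comment saying why it is not needed, so the three behave alike on a session that was not set up as SMB2. Each getter hands the caller a talloc copy of key material, so a short comment above each one stating that the caller must release it with data_blob_clear_free() would help. The encryption and decryption bodies are identical apart from the field name and could share a static helper.
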
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 42c2519c7ff..a7256490bd1 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -468,6 +468,15 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX 
*mem_ctx,
                                               struct smbXcli_session *src);
 bool smbXcli_session_is_guest(struct smbXcli_session *session);
 bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
+NTSTATUS smb2cli_session_signing_key(struct smbXcli_session *session,
+                                    TALLOC_CTX *mem_ctx,
+                                    DATA_BLOB *key);
+NTSTATUS smb2cli_session_encryption_key(struct smbXcli_session *session,
+                                       TALLOC_CTX *mem_ctx,
+                                       DATA_BLOB *key);
+NTSTATUS smb2cli_session_decryption_key(struct smbXcli_session *session,
+                                       TALLOC_CTX *mem_ctx,
+                                       DATA_BLOB *key);
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
                                         TALLOC_CTX *mem_ctx,
                                         DATA_BLOB *key);
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 0a54d47227a..fcc8e0b67b8 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1132,6 +1132,58 @@ static void cli_session_setup_gensec_remote_done(struct 
tevent_req *subreq)
        cli_session_setup_gensec_local_next(req);
 }
 
+static void cli_session_dump_keys(TALLOC_CTX *mem_ctx,
+                                 struct smbXcli_session *session,
+                                 DATA_BLOB session_key)
+{
+       NTSTATUS status;
+       DATA_BLOB sig = data_blob_null;
+       DATA_BLOB app = data_blob_null;
+       DATA_BLOB enc = data_blob_null;
+       DATA_BLOB dec = data_blob_null;
+       uint64_t sid = smb2cli_session_current_id(session);
+
+       status = smb2cli_session_signing_key(session, mem_ctx, &sig);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+       status = smbXcli_session_application_key(session, mem_ctx, &app);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+       status = smb2cli_session_encryption_key(session, mem_ctx, &enc);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+       status = smb2cli_session_decryption_key(session, mem_ctx, &dec);
+       if (!NT_STATUS_IS_OK(status)) {
+               goto out;
+       }
+
+       DEBUG(0, ("debug encryption: dumping generated session keys\n"));
+       DEBUGADD(0, ("Session Id    "));
+       dump_data(0, (uint8_t*)&sid, sizeof(sid));
+       DEBUGADD(0, ("Session Key   "));
+       dump_data(0, session_key.data, session_key.length);
+       DEBUGADD(0, ("Signing Key   "));
+       dump_data(0, sig.data, sig.length);
+       DEBUGADD(0, ("App Key       "));
+       dump_data(0, app.data, app.length);
+
+       /* In client code, ServerIn is the encryption key */
+
+       DEBUGADD(0, ("ServerIn Key  "));
+       dump_data(0, enc.data, enc.length);
+       DEBUGADD(0, ("ServerOut Key "));
+       dump_data(0, dec.data, dec.length);
+
+out:
+       data_blob_clear_free(&sig);
+       data_blob_clear_free(&app);
+       data_blob_clear_free(&enc);
+       data_blob_clear_free(&dec);
+}
+
 static void cli_session_setup_gensec_ready(struct tevent_req *req)
 {
        struct cli_session_setup_gensec_state *state =
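
Review bot: In cli_session_dump_keys() every failing getter jumps to out: without logging anything, so with "debug encryption" enabled a session for which one getter fails prints nothing and gives no hint why; log the status with nt_errstr() before the goto, or dump the keys that were retrieved. Separately, dump_data(0, (uint8_t*)&sid, sizeof(sid)) prints the id in host byte order, which matches the little-endian wire form only on little-endian hosts; storing it into a uint8_t[8] buffer with SBVAL first would make the printed value usable as the Wireshark <sesid> on any host.
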
@@ -1199,6 +1251,11 @@ static void cli_session_setup_gensec_ready(struct 
tevent_req *req)
                if (tevent_req_nterror(req, status)) {
                        return;
                }
+               if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB3_00
+                   && lp_debug_encryption())
+               {
+                       cli_session_dump_keys(state, session, 
state->session_key);
+               }
        } else {
                struct smbXcli_session *session = state->cli->smb1.session;
                bool active;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 2c24e7a1abc..d34951a4eef 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -407,6 +407,31 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct 
smbXsrv_session *session,
                                    d->context.data, d->context.length,
                                    x->global->application_key.data);
        }
+
+       if (xconn->protocol >= PROTOCOL_SMB3_00 && lp_debug_encryption()) {
+               DEBUG(0, ("debug encryption: dumping generated session 
keys\n"));
+               DEBUGADD(0, ("Session Id    "));
+               dump_data(0, (uint8_t*)&session->global->session_wire_id,
+                         sizeof(session->global->session_wire_id));
+               DEBUGADD(0, ("Session Key   "));
+               dump_data(0, session_key, sizeof(session_key));
+               DEBUGADD(0, ("Signing Key   "));
+               dump_data(0, x->global->signing_key.data,
+                         x->global->signing_key.length);
+               DEBUGADD(0, ("App Key       "));
+               dump_data(0, x->global->application_key.data,
+                         x->global->application_key.length);
+
+               /* In server code, ServerIn is the decryption key */
+
+               DEBUGADD(0, ("ServerIn Key  "));
+               dump_data(0, x->global->decryption_key.data,
+                         x->global->decryption_key.length);
+               DEBUGADD(0, ("ServerOut Key "));
+               dump_data(0, x->global->encryption_key.data,
+                         x->global->encryption_key.length);
+       }
+
        ZERO_STRUCT(session_key);
 
        x->global->channels[0].signing_key = 
data_blob_dup_talloc(x->global->channels,
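
Review bot: The six DEBUGADD/dump_data pairs here duplicate cli_session_dump_keys() in source3/libsmb/cliconnect.c, with only the ServerIn/ServerOut mapping swapped; a shared helper taking the session id and the key blobs would keep the labels that the Wireshark workflow depends on from drifting apart. dump_data(0, session_key, sizeof(session_key)) is only correct while session_key is a fixed-size array in this function, so an explicit length or a comment would guard against a later change to a pointer or DATA_BLOB. session_wire_id is dumped from raw memory, so the printed byte order follows the host rather than the wire.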


-- 
Samba Shared Repository
