Commit aa22ebc3 authored by Steve French's avatar Steve French

smb3.1.1: allow dumping GCM256 keys to improve debugging of encrypted shares

Previously we were only able to dump CCM or GCM-128 keys (see "smbinfo keys" e.g.)
to allow network debugging (e.g. wireshark) of mounts to SMB3.1.1 encrypted
shares.  But with the addition of GCM-256 support, we have to be able to dump
32 byte instead of 16 byte keys which requires adding an additional ioctl
for that.
Reviewed-by: default avatarShyam Prasad N <sprasad@microsoft.com>
Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
parent 087f757b
...@@ -57,6 +57,12 @@ struct smb_query_info { ...@@ -57,6 +57,12 @@ struct smb_query_info {
/* char buffer[]; */ /* char buffer[]; */
} __packed; } __packed;
/*
* Dumping the commonly used 16 byte (e.g. CCM and GCM128) keys still supported
* for backlevel compatibility, but is not sufficient for dumping the less
* frequently used GCM256 (32 byte) keys (see the newer "CIFS_DUMP_FULL_KEY"
* ioctl for dumping decryption info for GCM256 mounts)
*/
struct smb3_key_debug_info { struct smb3_key_debug_info {
__u64 Suid; __u64 Suid;
__u16 cipher_type; __u16 cipher_type;
...@@ -65,6 +71,18 @@ struct smb3_key_debug_info { ...@@ -65,6 +71,18 @@ struct smb3_key_debug_info {
__u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE]; __u8 smb3decryptionkey[SMB3_SIGN_KEY_SIZE];
} __packed; } __packed;
/*
* Dump full key (32 byte encrypt/decrypt keys instead of 16 bytes)
* is needed if GCM256 (stronger encryption) negotiated
*/
struct smb3_full_key_debug_info {
__u64 Suid;
__u16 cipher_type;
__u8 auth_key[16]; /* SMB2_NTLMV2_SESSKEY_SIZE */
__u8 smb3encryptionkey[32]; /* SMB3_ENC_DEC_KEY_SIZE */
__u8 smb3decryptionkey[32]; /* SMB3_ENC_DEC_KEY_SIZE */
} __packed;
struct smb3_notify { struct smb3_notify {
__u32 completion_filter; __u32 completion_filter;
bool watch_tree; bool watch_tree;
...@@ -78,6 +96,7 @@ struct smb3_notify { ...@@ -78,6 +96,7 @@ struct smb3_notify {
#define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info) #define CIFS_QUERY_INFO _IOWR(CIFS_IOCTL_MAGIC, 7, struct smb_query_info)
#define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info) #define CIFS_DUMP_KEY _IOWR(CIFS_IOCTL_MAGIC, 8, struct smb3_key_debug_info)
#define CIFS_IOC_NOTIFY _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify) #define CIFS_IOC_NOTIFY _IOW(CIFS_IOCTL_MAGIC, 9, struct smb3_notify)
#define CIFS_DUMP_FULL_KEY _IOWR(CIFS_IOCTL_MAGIC, 10, struct smb3_full_key_debug_info)
#define CIFS_IOC_SHUTDOWN _IOR ('X', 125, __u32) #define CIFS_IOC_SHUTDOWN _IOR ('X', 125, __u32)
/* /*
......
...@@ -218,6 +218,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg) ...@@ -218,6 +218,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
{ {
struct inode *inode = file_inode(filep); struct inode *inode = file_inode(filep);
struct smb3_key_debug_info pkey_inf; struct smb3_key_debug_info pkey_inf;
struct smb3_full_key_debug_info pfull_key_inf;
int rc = -ENOTTY; /* strange error - but the precedent */ int rc = -ENOTTY; /* strange error - but the precedent */
unsigned int xid; unsigned int xid;
struct cifsFileInfo *pSMBFile = filep->private_data; struct cifsFileInfo *pSMBFile = filep->private_data;
...@@ -354,6 +355,38 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg) ...@@ -354,6 +355,38 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
else else
rc = 0; rc = 0;
break; break;
/*
* Dump full key (32 bytes instead of 16 bytes) is
* needed if GCM256 (stronger encryption) negotiated
*/
case CIFS_DUMP_FULL_KEY:
if (pSMBFile == NULL)
break;
if (!capable(CAP_SYS_ADMIN)) {
rc = -EACCES;
break;
}
tcon = tlink_tcon(pSMBFile->tlink);
if (!smb3_encryption_required(tcon)) {
rc = -EOPNOTSUPP;
break;
}
pfull_key_inf.cipher_type =
le16_to_cpu(tcon->ses->server->cipher_type);
pfull_key_inf.Suid = tcon->ses->Suid;
memcpy(pfull_key_inf.auth_key, tcon->ses->auth_key.response,
16 /* SMB2_NTLMV2_SESSKEY_SIZE */);
memcpy(pfull_key_inf.smb3decryptionkey,
tcon->ses->smb3decryptionkey, 32 /* SMB3_ENC_DEC_KEY_SIZE */);
memcpy(pfull_key_inf.smb3encryptionkey,
tcon->ses->smb3encryptionkey, 32 /* SMB3_ENC_DEC_KEY_SIZE */);
if (copy_to_user((void __user *)arg, &pfull_key_inf,
sizeof(struct smb3_full_key_debug_info)))
rc = -EFAULT;
else
rc = 0;
break;
case CIFS_IOC_NOTIFY: case CIFS_IOC_NOTIFY:
if (!S_ISDIR(inode->i_mode)) { if (!S_ISDIR(inode->i_mode)) {
/* Notify can only be done on directories */ /* Notify can only be done on directories */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment