docs-xml: add "debug encryption" global parm
author Aurelien Aptel <aaptel@suse.com>
Fri, 8 Feb 2019 11:04:42 +0000 (12:04 +0100)
committer David Disseldorp <ddiss@samba.org>
Sat, 9 Feb 2019 17:30:14 +0000 (18:30 +0100)
Add debug option to dump in the log the session id & keys in smbd and
libsmb-based code for offline decryption.

Wireshark can make use of this to decrypt encrypted traffic.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
docs-xml/smbdotconf/security/debugencryption.xml [new file with mode: 0644]
lib/param/loadparm.c
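The commit message says the dumped session id and keys let Wireshark decrypt the traffic offline. The reason only the session id and session key are strictly needed is that the Signing, Application, Encryption and Decryption keys listed in the new parameter's description are all derived from the session key by the SP 800-108 counter-mode KDF with HMAC-SHA256 defined in MS-SMB2 (section 3.1.4.2, with the per-key labels and contexts from 3.2.5.3.1 and 3.3.5.5.3). The following Python is an added example written for this page; it is not Samba code and does not parse smbd's log format. It reproduces that derivation for SMB 3.0/3.0.2 (fixed NUL-terminated labels and contexts) and SMB 3.1.1 (context is the 64-byte preauth integrity hash). The key material and preauth hash in `demo()` are constructed values; the direction naming (smbd's "Encryption Key" being the server-to-client key, smbclient's the client-to-server key) follows MS-SMB2's definitions and is the assumption the comments spell out.

```python
import hashlib
import hmac
import struct

# Added example, not Samba code: reproduce the MS-SMB2 key derivation so the
# five values that "debug encryption = yes" dumps can be related to each other.

# Dialect numbers as they appear on the wire (constants taken from MS-SMB2).
SMB3_0, SMB3_0_2, SMB3_1_1 = 0x0300, 0x0302, 0x0311


def smb3_kdf(session_key: bytes, label: bytes, context: bytes, bits: int = 128) -> bytes:
    """SP 800-108 KDF, counter mode, HMAC-SHA256 PRF (MS-SMB2 3.1.4.2).

    Input block: i (32-bit BE, always 1) || Label || 0x00 || Context || L (32-bit BE).
    One HMAC output already covers L <= 256 bits, so a single iteration is enough.
    The Label passed in must already carry its NUL terminator where MS-SMB2 uses one;
    the separating 0x00 byte required by SP 800-108 is added here on top of that.
    """
    if bits not in (128, 256):
        raise ValueError("SMB3 keys are 128 or 256 bits")
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", bits)
    return hmac.new(session_key, data, hashlib.sha256).digest()[: bits // 8]


def derive_session_keys(session_key: bytes, dialect: int,
                        preauth_hash: bytes = b"", bits: int = 128) -> dict:
    """Return the Signing, Application and both cipher keys for one session.

    Keys are named by traffic direction rather than Encryption/Decryption Key,
    because the latter depends on which side's log you are reading: by MS-SMB2,
    the server's EncryptionKey is the server-to-client key ("ServerOut"), while
    the client's EncryptionKey is the client-to-server key ("ServerIn ").
    `bits` is 128 for AES-128-CCM/GCM; 3.1.1 sessions negotiating an AES-256
    cipher derive 256-bit cipher keys, the signing/application keys stay 128.
    """
    if dialect in (SMB3_0, SMB3_0_2):
        return {
            "signing": smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00", 128),
            "application": smb3_kdf(session_key, b"SMB2APP\x00", b"SmbRpc\x00", 128),
            "client_to_server": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerIn \x00", bits),
            "server_to_client": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerOut\x00", bits),
        }
    if dialect == SMB3_1_1:
        if len(preauth_hash) != 64:
            raise ValueError("SMB 3.1.1 derivation needs the 64-byte SHA-512 preauth hash")
        return {
            "signing": smb3_kdf(session_key, b"SMBSigningKey\x00", preauth_hash, 128),
            "application": smb3_kdf(session_key, b"SMBAppKey\x00", preauth_hash, 128),
            "client_to_server": smb3_kdf(session_key, b"SMBC2SCipherKey\x00", preauth_hash, bits),
            "server_to_client": smb3_kdf(session_key, b"SMBS2CCipherKey\x00", preauth_hash, bits),
        }
    # SMB 2.0.2/2.1 sign with the session key directly and have no encryption,
    # which is why the option only documents SMB3+ sessions.
    raise ValueError("no key derivation for dialect 0x%04x" % dialect)


def demo():
    """Constructed inputs (not captured from any real session) for the two derivations."""
    session_key = bytes(range(16))                                   # constructed 16-byte key
    preauth = hashlib.sha512(b"constructed preauth exchange").digest()  # constructed 64-byte hash
    return derive_session_keys(session_key, SMB3_0), derive_session_keys(session_key, SMB3_1_1, preauth)


if __name__ == "__main__":
    for name, keys in zip(("SMB 3.0", "SMB 3.1.1"), demo()):
        print(name)
        for purpose, k in keys.items():
            print("  %-17s %s" % (purpose, k.hex()))
```

The practical consequence for the logging policy in this patch: a single logged session key is equivalent to all four derived keys for SMB 3.0/3.0.2, and for 3.1.1 it is equivalent once the preauth hash (which a capture of the negotiate/session-setup exchange yields) is known. Redacting only the Encryption/Decryption Key lines from a log therefore does not protect the session.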

diff --git a/docs-xml/smbdotconf/security/debugencryption.xml b/docs-xml/smbdotconf/security/debugencryption.xml
new file mode 100644 (file)
index 0000000..5b51b4a
--- /dev/null
@@ -0,0 +1,22 @@
+<samba:parameter name="debug encryption"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+  <description>
+    <para>
+      This option will make the smbd server and client code using
+      libsmb (smbclient, smbget, smbspool, ...) dump the Session Id,
+      the decrypted Session Key, the Signing Key, the Application Key,
+      the Encryption Key and the Decryption Key every time an SMB3+
+      session is established. This information will be printed in logs
+      at level 0.
+    </para>
+    <para>
+      Warning: access to these values enables the decryption of any
+      encrypted traffic on the dumped sessions. This option should
+      only be enabled for debugging purposes.
+    </para>
+  </description>
+
+  <value type="default">no</value>
+</samba:parameter>
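Review bot: the warning paragraph should say where the keys end up, because "printed in logs at level 0" means they are written unconditionally to whatever the normal log destination is (smbd's per-client log files, or the log/stderr of smbclient, smbget and smbspool) and will then be carried along by log rotation and any central log shipping. Suggest extending the second <para> with something like "Because the keys are logged at level 0 they appear in the normal log files; protect or delete those files after the debugging session." It would also help readers to point at the parameter that turns encryption on, e.g. a <related>smb encrypt</related> entry after the description, if this docs tree uses <related> for that.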
index f31ef2319ac67b9b5d09cc90a0592ae07742a9e5..84c83ae91ec68b352cbc69a3fc4b1cb468ab1d71 100644 (file)
@@ -3008,6 +3008,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "store dos attributes", "yes");
 
+       lpcfg_do_global_parameter(lp_ctx, "debug encryption", "no");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
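Review bot: the explicit "no" here duplicates <value type="default">no</value> in the new XML file, and the two must stay in sync by hand; that is the existing convention for the other explicit defaults in loadparm_init (cf. "store dos attributes" just above), so the placement before the FLAG_DEFAULT loop is right, but the commit message could mention that both locations carry the default.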