[Bug 1886551] Re: wireshark trace decryption
Łukasz Zemczak
1886551 at bugs.launchpad.net
Mon Sep 21 10:20:17 UTC 2020
Hello Rakesh, or anyone else affected,

Accepted cifs-utils into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/cifs-utils/2:6.8-1ubuntu1.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: cifs-utils (Ubuntu Bionic)
Status: Confirmed => Fix Committed
** Tags added: verification-needed-bionic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/1886551
Title:
wireshark trace decryption
Status in cifs-utils package in Ubuntu:
Fix Released
Status in cifs-utils source package in Bionic:
Fix Committed
Status in cifs-utils source package in Focal:
Fix Committed
Bug description:
[Impact]
For the Bionic release, the current cifs-utils package version is 6.8-1.
This version is missing the two commits below:
https://git.samba.org/?p=cifs-utils.git;a=commit;h=74a1ced5f706ea6a9cab885693c7755657b81a2a
https://git.samba.org/?p=cifs-utils.git;a=commit;h=6df98da5cd3fbb33f6f535c6784f037bbadadb84
* Without the above feature, we won’t be able to analyze most parts of
network traces on the client side in case customers have problems
accessing the Azure Files service from VMs running Ubuntu Bionic.
[Test Case]
* Set up an Ubuntu VM of the release you are going to test
* Install the packages:
    sudo apt update
    sudo apt install samba cifs-utils -y
* With the new cifs-utils package, you should have the smbinfo command available:
    ubuntu@bionic-smbinfo:~$ smbinfo
    Usage: smbinfo [-v] [-V] <command> <file>
    Try 'smbinfo -h' for more information.
* To test the extraction of encryption keys, the HWE kernel in the case of bionic (or another kernel version 5 or higher) must be installed (focal already has the right kernel version, so no change is needed there):
    sudo apt install linux-image-generic-hwe-18.04
* Reboot into the new kernel if you were on an older one, as in bionic:
    sudo reboot
* Set up a share:
    echo -e "[myshare]\npath=/myshare\n" | sudo tee -a /etc/samba/smb.conf
    sudo mkdir /myshare
    echo "Hello World" | sudo tee /myshare/hello.txt
* Create a samba user ubuntu, with a password of your choice (you will be prompted for it):
    sudo smbpasswd -a ubuntu
* Mount the new share with encryption options:
    ubuntu@bionic-smbinfo:~$ sudo mount //localhost/myshare /mnt -o seal,user=ubuntu
    Password for ubuntu@//localhost/myshare: ******
* Confirm with smbstatus that the connection is encrypted:
    ubuntu@bionic-smbinfo:~$ sudo smbstatus

    Samba version 4.7.6-Ubuntu
    PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
    ----------------------------------------------------------------------------------------------------------------------------------------
    4516    ubuntu       ubuntu       127.0.0.1 (ipv4:127.0.0.1:45794)          SMB3_11           partial(AES-128-CCM) partial(AES-128-CMAC)

    Service      pid     Machine       Connected at                     Encryption   Signing
    ---------------------------------------------------------------------------------------------
    IPC$         4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC
    myshare      4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC

    No locked files
* Obtain the encryption keys:
    ubuntu@bionic-smbinfo:~$ sudo smbinfo keys /mnt/hello.txt
    CCM encryption
    Session Id: b6 4c 21 8f 00 00 00 00
    Session Key: 42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31
    Server Encryption Key: c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7
    Server Decryption Key: 97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee
* There are many other subcommands available in smbinfo. For a list, run:
    smbinfo -h
[Regression Potential]
These patches are cherry-picks and touch 2 files: smbinfo.c and smbinfo.rst.
They add the smbinfo utility, which is required for the 2 commits mentioned in the <Impact> section. Since smbinfo does not interact with the rest of the code, any regression potential would involve smbinfo itself.
[Other]
To work properly, the smbinfo utility requires kernel > 5.0, and the
'keys' command, which is the one used for dumping the session id and the
encryption and decryption keys, requires kernel > 5.4.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1886551/+subscriptions
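
The key-extraction step of the test case above, as an added example that is not part of the bug report or of cifs-utils: it parses `smbinfo keys` output into contiguous hex strings (the form a capture tool's decryption-key fields take) and checks the dump is complete before saving it. The function names and the output file `smb-keys.txt` are hypothetical, and the embedded sample is the output shown in the test case.

```shell
#!/bin/bash
# Added example: normalise `smbinfo keys` output into contiguous hex strings.

# Constructed sample: the `smbinfo keys` output shown in the test case above.
sample_output() {
    cat <<'EOF'
CCM encryption
Session Id: b6 4c 21 8f 00 00 00 00
Session Key: 42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31
Server Encryption Key: c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7
Server Decryption Key: 97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee
EOF
}

# Read smbinfo output on stdin; print one "name=hex" line per labelled field.
parse_smbinfo_keys() {
    awk -F': *' '
        /^[ \t]*Session Id:/            { name = "session_id" }
        /^[ \t]*Session Key:/           { name = "session_key" }
        /^[ \t]*Server Encryption Key:/ { name = "server_encryption_key" }
        /^[ \t]*Server Decryption Key:/ { name = "server_decryption_key" }
        name != "" {
            hex = tolower($2)
            gsub(/[^0-9a-f]/, "", hex)   # drop the spaces between bytes
            print name "=" hex
            name = ""
        }'
}

# Succeed only if stdin holds an 8-byte session id and three 16-byte keys,
# the sizes shown for the AES-128-CCM session in the test case (assumption:
# other ciphers may use other key sizes).
validate_keys() {
    awk -F= '
        $1 == "session_id" && length($2) == 16 { ok++ }
        $1 ~ /_key$/       && length($2) == 32 { ok++ }
        END { exit !(ok == 4) }'
}

# With a path on a seal-mounted share as $1, save the keys readable by the
# current user only; smb-keys.txt is a hypothetical file name.
if [ -n "${1:-}" ]; then
    umask 077
    sudo smbinfo keys "$1" | parse_smbinfo_keys > smb-keys.txt
    validate_keys < smb-keys.txt || { echo "incomplete key dump" >&2; exit 1; }
fi
```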