Merge pull request #36 from AvivNaaman/28-support-smb-300

28 support smb 300

Author: afiffon

docker-compose.yml

@@ -3,6 +3,10 @@ services:
     build:
       context: smb/tests
       dockerfile: Dockerfile
+      tags:
+        - ghcr.io/avivnaaman/smb-tests:latest
+      platforms:
+        - linux/amd64
     ports:
       - 445:445
     networks:

smb/src/connection.rs

@@ -5,7 +5,7 @@ pub mod preauth_hash;
 pub mod transformer;
 pub mod worker;
 
-use crate::dialects::get_dialect_impl;
+use crate::dialects::DialectImpl;
 use crate::packets::guid::Guid;
 use crate::packets::smb2::{Command, Message};
 use crate::Error;
@@ -185,7 +185,7 @@ impl Connection {
         }
 
         let dialect_rev = smb2_negotiate_response.dialect_revision.try_into()?;
-        let dialect_impl = get_dialect_impl(&dialect_rev);
+        let dialect_impl = DialectImpl::new(dialect_rev);
         let mut state = NegotiatedProperties {
             server_guid: smb2_negotiate_response.server_guid,
             caps: smb2_negotiate_response.capabilities.clone(),

smb/src/connection/config.rs

@@ -32,6 +32,7 @@ pub struct ConnectionConfig {
     pub min_dialect: Option<Dialect>,
     pub max_dialect: Option<Dialect>,
     pub encryption_mode: EncryptionMode,
+    pub compression_enabled: bool,
 }
 
 impl ConnectionConfig {

smb/src/connection/negotiation_state.rs

@@ -43,6 +43,6 @@ impl NegotiatedProperties {
 #[derive(Debug)]
 pub struct ConnectionInfo {
     pub state: NegotiatedProperties,
-    pub dialect: Arc<dyn DialectImpl>,
+    pub dialect: Arc<DialectImpl>,
     pub config: ConnectionConfig,
 }

smb/src/connection/transformer.rs

@@ -47,7 +47,7 @@ impl Transformer {
         }
 
         let mut config = self.config.write().await?;
-        if neg_info.dialect.supports_compression() {
+        if neg_info.dialect.supports_compression() && neg_info.config.compression_enabled {
             let compress = match &neg_info.state.compression {
                 Some(compression) => {
                     Some((Compressor::new(compression), Decompressor::new(compression)))

smb/src/dialects.rs

@@ -7,54 +7,161 @@ use crate::{
     crypto,
     packets::smb2::{
         CompressionCaps, Dialect, GlobalCapabilities, NegotiateResponse, SigningAlgorithmId,
+        TreeCapabilities, TreeConnectShareFlagsCacheMode, TreeShareFlags,
     },
     ConnectionConfig, Error,
 };
 
-pub trait DialectImpl: std::fmt::Debug + Send + Sync {
-    fn get_dialect(&self) -> Dialect;
-    fn get_negotiate_caps_mask(&self) -> GlobalCapabilities;
-    fn process_negotiate_request(
+/// This is a utility struct that returns constants and functions for the given dialect.
+#[derive(Debug)]
+pub struct DialectImpl {
+    pub dialect: Dialect,
+}
+
+impl DialectImpl {
+    pub fn new(dialect: Dialect) -> Arc<Self> {
+        Arc::new(Self { dialect })
+    }
+
+    pub fn get_negotiate_caps_mask(&self) -> GlobalCapabilities {
+        let mut mask = GlobalCapabilities::new()
+            .with_dfs(true)
+            .with_leasing(true)
+            .with_large_mtu(true)
+            .with_multi_channel(true)
+            .with_persistent_handles(true)
+            .with_directory_leasing(true);
+
+        mask.set_encryption(Dialect::Smb030 <= self.dialect && self.dialect <= Dialect::Smb0302);
+        mask.set_notifications(self.dialect == Dialect::Smb0311);
+
+        mask
+    }
+
+    pub fn get_share_flags_mask(&self) -> TreeShareFlags {
+        let mut mask = TreeShareFlags::new()
+            .with_caching_mode(TreeConnectShareFlagsCacheMode::All)
+            .with_dfs(true)
+            .with_dfs_root(true)
+            .with_restrict_exclusive_opens(true)
+            .with_force_shared_delete(true)
+            .with_allow_namespace_caching(true)
+            .with_access_based_directory_enum(true)
+            .with_force_levelii_oplock(true)
+            .with_identity_remoting(true)
+            .with_isolated_transport(true);
+
+        if self.dialect > Dialect::Smb0202 {
+            mask.set_enable_hash_v1(true);
+        }
+        if self.dialect >= Dialect::Smb021 {
+            mask.set_enable_hash_v2(true);
+        }
+        if self.dialect.is_smb3() {
+            mask.set_encrypt_data(true);
+        }
+        if self.dialect >= Dialect::Smb0311 {
+            mask.set_compress_data(true);
+        }
+
+        mask
+    }
+
+    pub fn get_tree_connect_caps_mask(&self) -> TreeCapabilities {
+        let mut mask = TreeCapabilities::new().with_dfs(true);
+
+        if self.dialect.is_smb3() {
+            mask = mask
+                .with_continuous_availability(true)
+                .with_scaleout(true)
+                .with_cluster(true);
+        }
+
+        if self.dialect >= Dialect::Smb0302 {
+            mask.set_asymmetric(true);
+        }
+
+        if self.dialect == Dialect::Smb0311 {
+            mask = mask.with_redirect_to_owner(true);
+        }
+
+        mask
+    }
+
+    pub fn process_negotiate_request(
         &self,
         response: &NegotiateResponse,
         state: &mut NegotiatedProperties,
         config: &ConnectionConfig,
-    ) -> crate::Result<()>;
+    ) -> crate::Result<()> {
+        match self.dialect {
+            Dialect::Smb0311 => Smb311.process_negotiate_request(response, state, config),
+            Dialect::Smb0302 | Dialect::Smb030 => {
+                Smb300_302.process_negotiate_request(response, state, config)
+            }
+            _ => unimplemented!(),
+        }
+    }
 
-    fn get_signing_nonce(&self) -> &[u8];
-    fn preauth_hash_supported(&self) -> bool;
-    fn default_signing_algo(&self) -> SigningAlgorithmId {
-        SigningAlgorithmId::HmacSha256
+    pub fn get_signing_derive_label(&self) -> &[u8] {
+        match self.dialect {
+            Dialect::Smb0311 => Smb311::SIGNING_KEY_LABEL,
+            Dialect::Smb0302 | Dialect::Smb030 => Smb300_302::SIGNING_KEY_LABEL,
+            _ => unimplemented!(),
+        }
+    }
+    pub fn preauth_hash_supported(&self) -> bool {
+        self.dialect == Dialect::Smb0311
+    }
+    pub fn default_signing_algo(&self) -> SigningAlgorithmId {
+        match self.dialect {
+            Dialect::Smb0311 | Dialect::Smb0302 | Dialect::Smb030 => SigningAlgorithmId::AesCmac,
+            Dialect::Smb0202 | Dialect::Smb021 => SigningAlgorithmId::HmacSha256,
+        }
     }
 
-    fn supports_compression(&self) -> bool {
-        false
+    pub fn supports_compression(&self) -> bool {
+        self.dialect == Dialect::Smb0311
     }
 
-    fn supports_encryption(&self) -> bool {
-        false
+    pub fn supports_encryption(&self) -> bool {
+        self.dialect.is_smb3()
     }
-    fn s2c_encryption_key_label(&self) -> &[u8];
-    fn c2s_encryption_key_label(&self) -> &[u8];
-}
 
-/// Get the dialect implementation for the given dialect.
-pub fn get_dialect_impl(dialect: &Dialect) -> Arc<dyn DialectImpl> {
-    match dialect {
-        Dialect::Smb0311 => Arc::new(Smb0311Dialect),
-        Dialect::Smb0302 => Arc::new(Smb302Dialect),
-        _ => unimplemented!(),
+    pub fn s2c_encrypt_key_derive_label(&self) -> &[u8] {
+        match self.dialect {
+            Dialect::Smb0311 => Smb311::ENCRYPTION_S2C_KEY_LABEL,
+            Dialect::Smb0302 | Dialect::Smb030 => Smb300_302::ENCRYPTION_KEY_LABEL,
+            _ => panic!("Encryption is not supported for this dialect!"),
+        }
+    }
+    pub fn c2s_encrypt_key_derive_label(&self) -> &[u8] {
+        match self.dialect {
+            Dialect::Smb0311 => Smb311::ENCRYPTION_C2S_KEY_LABEL,
+            Dialect::Smb0302 | Dialect::Smb030 => Smb300_302::ENCRYPTION_KEY_LABEL,
+            _ => panic!("Encryption is not supported for this dialect!"),
+        }
     }
 }
 
-#[derive(Debug)]
-struct Smb0311Dialect;
+trait DialectMethods {
+    const SIGNING_KEY_LABEL: &[u8];
+    fn process_negotiate_request(
+        &self,
+        response: &NegotiateResponse,
+        _state: &mut NegotiatedProperties,
+        config: &ConnectionConfig,
+    ) -> crate::Result<()>;
+}
 
-impl DialectImpl for Smb0311Dialect {
-    fn get_dialect(&self) -> Dialect {
-        Dialect::Smb0311
-    }
+struct Smb311;
+impl Smb311 {
+    pub const ENCRYPTION_S2C_KEY_LABEL: &[u8] = b"SMBS2CCipherKey\x00";
+    pub const ENCRYPTION_C2S_KEY_LABEL: &[u8] = b"SMBC2SCipherKey\x00";
+}
 
+impl DialectMethods for Smb311 {
+    const SIGNING_KEY_LABEL: &[u8] = b"SMBSigningKey\x00";
     fn process_negotiate_request(
         &self,
         response: &NegotiateResponse,
@@ -112,55 +219,15 @@ impl DialectImpl for Smb0311Dialect {
 
         Ok(())
     }
-
-    fn get_negotiate_caps_mask(&self) -> GlobalCapabilities {
-        GlobalCapabilities::new()
-            .with_dfs(true)
-            .with_leasing(true)
-            .with_large_mtu(true)
-            .with_multi_channel(true)
-            .with_persistent_handles(true)
-            .with_directory_leasing(true)
-            .with_encryption(false)
-            .with_notifications(true)
-    }
-
-    fn get_signing_nonce(&self) -> &[u8] {
-        b"SMBSigningKey\x00"
-    }
-
-    fn preauth_hash_supported(&self) -> bool {
-        true
-    }
-
-    fn default_signing_algo(&self) -> SigningAlgorithmId {
-        SigningAlgorithmId::AesCmac
-    }
-
-    fn supports_compression(&self) -> bool {
-        true
-    }
-    fn supports_encryption(&self) -> bool {
-        true
-    }
-    fn s2c_encryption_key_label(&self) -> &[u8] {
-        b"SMBS2CCipherKey\x00"
-    }
-    fn c2s_encryption_key_label(&self) -> &[u8] {
-        b"SMBC2SCipherKey\x00"
-    }
 }
 
-const SMB2_ENCRYPTION_KEY_LABEL: &[u8] = b"SMB2AESCCM\x00";
-
-#[derive(Debug)]
-struct Smb302Dialect;
-
-impl DialectImpl for Smb302Dialect {
-    fn get_dialect(&self) -> Dialect {
-        Dialect::Smb0302
-    }
+struct Smb300_302;
+impl Smb300_302 {
+    pub const ENCRYPTION_KEY_LABEL: &[u8] = b"SMB2AESCCM\x00";
+}
 
+impl DialectMethods for Smb300_302 {
+    const SIGNING_KEY_LABEL: &[u8] = b"SMB2AESCMAC\x00";
     fn process_negotiate_request(
         &self,
         response: &NegotiateResponse,
@@ -181,40 +248,4 @@ impl DialectImpl for Smb302Dialect {
 
         Ok(())
     }
-
-    fn get_negotiate_caps_mask(&self) -> GlobalCapabilities {
-        GlobalCapabilities::new()
-            .with_dfs(true)
-            .with_leasing(true)
-            .with_large_mtu(true)
-            .with_multi_channel(true)
-            .with_persistent_handles(true)
-            .with_directory_leasing(true)
-            .with_encryption(true)
-            .with_notifications(false)
-    }
-
-    fn get_signing_nonce(&self) -> &[u8] {
-        b"SMB2AESCMAC\x00"
-    }
-
-    fn preauth_hash_supported(&self) -> bool {
-        false
-    }
-
-    fn default_signing_algo(&self) -> SigningAlgorithmId {
-        SigningAlgorithmId::AesCmac
-    }
-
-    fn supports_encryption(&self) -> bool {
-        true
-    }
-
-    fn s2c_encryption_key_label(&self) -> &[u8] {
-        SMB2_ENCRYPTION_KEY_LABEL
-    }
-
-    fn c2s_encryption_key_label(&self) -> &[u8] {
-        SMB2_ENCRYPTION_KEY_LABEL
-    }
 }

smb/src/packets/smb2/negotiate.rs

@@ -78,10 +78,10 @@ impl NegotiateRequest {
         encrypting_algorithms: Vec<EncryptionCipher>,
         compression_algorithms: Vec<CompressionAlgorithm>,
     ) -> NegotiateRequest {
-        let mut caps = GlobalCapabilities::new();
+        let mut capabilities = GlobalCapabilities::new();
         let mut security_mode = NegotiateSecurityMode::new();
         if signing_algorithms.len() > 0 {
-            caps.set_encryption(true);
+            capabilities.set_encryption(true);
         }
 
         let ctx_list = if supported_dialects.contains(&Dialect::Smb0311) {
@@ -134,15 +134,23 @@ impl NegotiateRequest {
         } else {
             None
         };
-        NegotiateRequest {
-            security_mode: security_mode,
-            capabilities: caps
+
+        // Set capabilities to 0 if no SMB3 dialects are supported.
+        capabilities = if supported_dialects.iter().all(|d| !d.is_smb3()) {
+            GlobalCapabilities::new()
+        } else {
+            capabilities
                 .with_dfs(true)
                 .with_leasing(true)
                 .with_large_mtu(true)
                 .with_multi_channel(true)
                 .with_persistent_handles(true)
-                .with_directory_leasing(true),
+                .with_directory_leasing(true)
+        };
+
+        NegotiateRequest {
+            security_mode: security_mode,
+            capabilities,
             client_guid,
             dialects: supported_dialects,
             negotiate_context_list: ctx_list,
@@ -268,6 +276,11 @@ impl Dialect {
         Dialect::Smb0302,
         Dialect::Smb0311,
     ];
+
+    #[inline]
+    pub fn is_smb3(&self) -> bool {
+        matches!(self, Dialect::Smb030 | Dialect::Smb0302 | Dialect::Smb0311)
+    }
 }
 
 /// Dialects that may be used in the SMB Negotiate Request.