Merge pull request #31 from AvivNaaman/27-support-smb-302

27 support smb 302

Author: afiffon

Cargo.lock

@@ -1,7 +1,12 @@
 use crate::cli::Cli;
 use maybe_async::*;
 use smb::{
-    connection::Connection, packets::smb2::*, resource::Resource, session::Session, tree::Tree,
+    connection::{Connection, EncryptionMode},
+    packets::smb2::*,
+    resource::Resource,
+    session::Session,
+    tree::Tree,
+    ConnectionConfig,
 };
 use std::{error::Error, str::FromStr};
 
@@ -18,7 +23,11 @@ impl UncPath {
         &self,
         cli: &Cli,
     ) -> Result<(Connection, Session, Tree, Option<Resource>), Box<dyn Error>> {
-        let mut smb = Connection::new();
+        let mut smb = Connection::build(ConnectionConfig {
+            max_dialect: Some(Dialect::MAX),
+            encryption_mode: EncryptionMode::Allowed,
+            ..Default::default()
+        })?;
         smb.set_timeout(Some(std::time::Duration::from_secs(10)))
             .await?;
         smb.connect(format!("{}:{}", self.server, cli.port).as_str())

smb-cli/src/path.rs

@@ -50,7 +50,8 @@ lz4_flex = { version = "0.11", default-features = false, features = [
 
 # Dev - Tests
 [dev-dependencies]
-env_logger = "0.11"
+test-log = "0.2"
+serial_test = "3.2"
 
 [features]
 default = ["sign", "encrypt", "compress"]

smb/Cargo.toml

@@ -1,9 +1,11 @@
+pub mod config;
 pub mod negotiation_state;
 pub mod netbios_client;
 pub mod preauth_hash;
 pub mod transformer;
 pub mod worker;
 
+use crate::dialects::get_dialect_impl;
 use crate::packets::guid::Guid;
 use crate::packets::smb2::{Command, Message};
 use crate::Error;
@@ -19,8 +21,9 @@ use crate::{
     session::Session,
 };
 use binrw::prelude::*;
+pub use config::*;
 use maybe_async::*;
-use negotiation_state::NegotiateState;
+use negotiation_state::{ConnectionInfo, NegotiatedProperties};
 use netbios_client::NetBiosClient;
 use std::cmp::max;
 use std::sync::atomic::{AtomicU16, AtomicU64};
@@ -31,20 +34,21 @@ use worker::{Worker, WorkerImpl};
 
 pub struct Connection {
     handler: HandlerReference<ConnectionMessageHandler>,
-    timeout: Option<std::time::Duration>,
+    config: ConnectionConfig,
 }
 
 impl Connection {
-    pub fn new() -> Connection {
-        Connection {
+    pub fn build(config: ConnectionConfig) -> crate::Result<Connection> {
+        config.validate()?;
+        Ok(Connection {
             handler: HandlerReference::new(ConnectionMessageHandler::new()),
-            timeout: None,
-        }
+            config,
+        })
     }
 
     #[maybe_async]
     pub async fn set_timeout(&mut self, timeout: Option<Duration>) -> crate::Result<()> {
-        self.timeout = timeout;
+        self.config.timeout = timeout;
         if let Some(worker) = self.handler.worker.get() {
             worker.set_timeout(timeout).await?;
         }
@@ -53,7 +57,7 @@ impl Connection {
 
     #[maybe_async]
     pub async fn connect(&mut self, address: &str) -> crate::Result<()> {
-        let mut netbios_client = NetBiosClient::new(self.timeout);
+        let mut netbios_client = NetBiosClient::new(self.config.timeout);
 
         log::debug!("Connecting to {}...", address);
         netbios_client.connect(address).await?;
@@ -118,26 +122,48 @@ impl Connection {
             }
         }
 
-        Ok(WorkerImpl::start(netbios_client, self.timeout).await?)
+        Ok(WorkerImpl::start(netbios_client, self.config.timeout).await?)
     }
 
     #[maybe_async]
     async fn negotiate_smb2(&mut self) -> crate::Result<()> {
         // Confirm that we're not already negotiated.
-        if self.handler.negotiate_state().is_some() {
+        if self.handler.negotiate_info().is_some() {
             return Err(Error::InvalidState("Already negotiated".into()));
         }
 
         log::debug!("Negotiating SMB2");
 
+        // List possible versions to run with.
+        let min_dialect = self.config.min_dialect.unwrap_or(Dialect::MIN);
+        let max_dialect = self.config.max_dialect.unwrap_or(Dialect::MAX);
+        let dialects: Vec<Dialect> = Dialect::ALL
+            .iter()
+            .filter(|dialect| **dialect >= min_dialect && **dialect <= max_dialect)
+            .copied()
+            .collect();
+
+        if dialects.is_empty() {
+            return Err(Error::InvalidConfiguration(
+                "No dialects to negotiate".to_string(),
+            ));
+        }
+
+        let encryption_algos = if !self.config.encryption_mode.is_disabled() {
+            crypto::SIGNING_ALGOS.into()
+        } else {
+            vec![]
+        };
+
         // Send SMB2 negotiate request
         let client_guid = self.handler.client_guid;
         let response = self
             .handler
             .send_recv(Content::NegotiateRequest(NegotiateRequest::new(
                 "AVIV-MBP".to_string(),
                 client_guid,
-                crypto::SIGNING_ALGOS.into(),
+                dialects.clone(),
+                encryption_algos,
                 crypto::ENCRYPTING_ALGOS.to_vec(),
                 compression::SUPPORTED_ALGORITHMS.to_vec(),
             )))
@@ -152,72 +178,55 @@ impl Connection {
         ))?;
 
         // well, only 3.1 is supported for starters.
-        if smb2_negotiate_response.dialect_revision != NegotiateDialect::Smb0311 {
-            return Err(Error::UnsupportedDialect(
-                smb2_negotiate_response.dialect_revision,
-            ));
-        }
-
-        if let None = smb2_negotiate_response.negotiate_context_list {
-            return Err(Error::InvalidMessage(
-                "Expected negotiate context list".to_string(),
+        if !dialects.contains(&smb2_negotiate_response.dialect_revision.try_into()?) {
+            return Err(Error::NegotiationError(
+                "Server selected an unsupported dialect.".into(),
             ));
         }
 
-        let signing_algo = if let Some(signing_algo) = smb2_negotiate_response.get_signing_algo() {
-            if !crypto::SIGNING_ALGOS.contains(&signing_algo) {
-                return Err(Error::NegotiationError(
-                    "Unsupported signing algorithm selected!".into(),
-                ));
-            }
-            Some(signing_algo)
-        } else {
-            None
-        };
-
-        // Make sure preauth integrity capability is SHA-512, if it exists in response:
-        if let Some(algo) = smb2_negotiate_response.get_preauth_integrity_algo() {
-            if !preauth_hash::SUPPORTED_ALGOS.contains(&algo) {
-                return Err(Error::NegotiationError(
-                    "Unsupported preauth integrity algorithm received".into(),
-                ));
-            }
-        }
-
-        // And verify that the encryption algorithm is supported.
-        let encryption_cipher = smb2_negotiate_response.get_encryption_cipher();
-        if let Some(encryption_cipher) = &encryption_cipher {
-            if !crypto::ENCRYPTING_ALGOS.contains(&encryption_cipher) {
-                return Err(Error::NegotiationError(
-                    "Unsupported encryption algorithm received".into(),
-                ));
-            }
-        }
-
-        let compression: Option<CompressionCaps> = match smb2_negotiate_response.get_compression() {
-            Some(compression) => Some(compression.clone()),
-            None => None,
-        };
-
-        let negotiate_state = NegotiateState {
+        let dialect_rev = smb2_negotiate_response.dialect_revision.try_into()?;
+        let dialect_impl = get_dialect_impl(&dialect_rev);
+        let mut state = NegotiatedProperties {
             server_guid: smb2_negotiate_response.server_guid,
-            global_caps: smb2_negotiate_response.capabilities.clone(),
+            caps: smb2_negotiate_response.capabilities.clone(),
             max_transact_size: smb2_negotiate_response.max_transact_size,
             max_read_size: smb2_negotiate_response.max_read_size,
             max_write_size: smb2_negotiate_response.max_write_size,
-            gss_token: smb2_negotiate_response.buffer,
-            selected_dialect: smb2_negotiate_response.dialect_revision.try_into()?,
-            signing_algo,
-            encryption_cipher,
-            compression,
+            gss_token: smb2_negotiate_response.buffer.clone(),
+            signing_algo: None,
+            encryption_cipher: None,
+            compression: None,
+            dialect_rev,
         };
+
+        dialect_impl.process_negotiate_request(
+            &smb2_negotiate_response,
+            &mut state,
+            &self.config,
+        )?;
+        if ((!u32::from_le_bytes(dialect_impl.get_negotiate_caps_mask().into_bytes()))
+            & u32::from_le_bytes(state.caps.into_bytes()))
+            != 0
+        {
+            return Err(Error::NegotiationError(
+                "Server capabilities are invalid for the selected dialect.".into(),
+            ));
+        }
+
         log::trace!(
             "Negotiated SMB results: dialect={:?}, state={:?}",
-            negotiate_state.selected_dialect,
-            &negotiate_state
+            dialect_rev,
+            &state
         );
 
-        self.handler.negotiate_state.set(negotiate_state).unwrap();
+        self.handler
+            .negotiate_info
+            .set(ConnectionInfo {
+                state,
+                dialect: dialect_impl,
+                config: self.config.clone(),
+            })
+            .unwrap();
 
         Ok(())
     }
@@ -229,7 +238,7 @@ impl Connection {
         netbios_client: NetBiosClient,
         multi_protocol: bool,
     ) -> crate::Result<()> {
-        if self.handler.negotiate_state().is_some() {
+        if self.handler.negotiate_info().is_some() {
             return Err(Error::InvalidState("Already negotiated".into()));
         }
 
@@ -247,7 +256,7 @@ impl Connection {
             .get()
             .ok_or("Worker is uninitialized")
             .unwrap()
-            .negotaite_complete(&self.handler.negotiate_state().unwrap())
+            .negotaite_complete(&self.handler.negotiate_info().unwrap())
             .await;
         log::info!("Negotiation successful");
         Ok(())
@@ -277,7 +286,7 @@ pub struct ConnectionMessageHandler {
     worker: OnceCell<Arc<WorkerImpl>>,
 
     // Negotiation-related state.
-    negotiate_state: OnceCell<NegotiateState>,
+    negotiate_info: OnceCell<ConnectionInfo>,
 
     /// Number of credits available to the client at the moment, for the next requests.
     curr_credits: Semaphore,
@@ -292,16 +301,16 @@ impl ConnectionMessageHandler {
         ConnectionMessageHandler {
             client_guid: Guid::gen(),
             worker: OnceCell::new(),
-            negotiate_state: OnceCell::new(),
+            negotiate_info: OnceCell::new(),
             extra_credits_to_request: 4,
             curr_credits: Semaphore::new(1),
             curr_msg_id: AtomicU64::new(1),
             credit_pool: AtomicU16::new(1),
         }
     }
 
-    pub fn negotiate_state(&self) -> Option<&NegotiateState> {
-        self.negotiate_state.get()
+    pub fn negotiate_info(&self) -> Option<&ConnectionInfo> {
+        self.negotiate_info.get()
     }
 
     pub fn worker(&self) -> Option<&Arc<WorkerImpl>> {
@@ -319,8 +328,8 @@ impl ConnectionMessageHandler {
 
     #[maybe_async]
     async fn process_sequence_outgoing(&self, msg: &mut OutgoingMessage) -> crate::Result<()> {
-        if let Some(neg) = self.negotiate_state() {
-            if neg.selected_dialect > Dialect::Smb0202 && neg.global_caps.large_mtu() {
+        if let Some(neg) = self.negotiate_info() {
+            if neg.state.dialect_rev > Dialect::Smb0202 && neg.state.caps.large_mtu() {
                 // Calculate the cost of the message (charge).
                 let cost = if Self::SET_CREDIT_CHARGE_CMDS
                     .iter()
@@ -370,8 +379,8 @@ impl ConnectionMessageHandler {
 
     #[maybe_async]
     async fn process_sequence_incoming(&self, msg: &IncomingMessage) -> crate::Result<()> {
-        if let Some(neg) = self.negotiate_state() {
-            if neg.selected_dialect > Dialect::Smb0202 && neg.global_caps.large_mtu() {
+        if let Some(neg) = self.negotiate_info() {
+            if neg.state.dialect_rev > Dialect::Smb0202 && neg.state.caps.large_mtu() {
                 let granted_credits = msg.message.header.credit_request;
                 let charged_credits = msg.message.header.credit_charge;
                 // Update the pool size - return how many EXTRA credits were granted.
@@ -400,8 +409,8 @@ impl MessageHandler for ConnectionMessageHandler {
     #[maybe_async]
     async fn sendo(&self, mut msg: OutgoingMessage) -> crate::Result<SendMessageResult> {
         // TODO: Add assertion in the struct regarding the selected dialect!
-        let priority_value = match self.negotiate_state.get() {
-            Some(negotiate_state) => match negotiate_state.selected_dialect {
+        let priority_value = match self.negotiate_info.get() {
+            Some(neg_info) => match neg_info.state.dialect_rev {
                 Dialect::Smb0311 => 1,
                 _ => 0,
             },

smb/src/connection.rs

@@ -0,0 +1,50 @@
+use std::time::Duration;
+
+use crate::packets::smb2::Dialect;
+
+#[derive(Debug, Default, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
+pub enum EncryptionMode {
+    /// Encryption is allowed but not required, it's up to the server to decide.
+    #[default]
+    Allowed,
+    /// Encryption is required, and connection will fail if the server does not support it.
+    Required,
+    /// Encryption is disabled, server might fail the connection if it requires encryption.
+    Disabled,
+}
+
+impl EncryptionMode {
+    /// Returns true if encryption is required.
+    pub fn is_required(&self) -> bool {
+        matches!(self, Self::Required)
+    }
+
+    /// Returns true if encryption is disabled.
+    pub fn is_disabled(&self) -> bool {
+        matches!(self, Self::Disabled)
+    }
+}
+
+/// Specifies the configuration for a connection.
+#[derive(Debug, Default, Clone)]
+pub struct ConnectionConfig {
+    pub timeout: Option<Duration>,
+    pub min_dialect: Option<Dialect>,
+    pub max_dialect: Option<Dialect>,
+    pub encryption_mode: EncryptionMode,
+}
+
+impl ConnectionConfig {
+    /// Validates the configuration.
+    pub fn validate(&self) -> crate::Result<()> {
+        // Make sure dialects min <= max.
+        if let (Some(min), Some(max)) = (self.min_dialect, self.max_dialect) {
+            if min > max {
+                return Err(crate::Error::InvalidConfiguration(
+                    "Minimum dialect is greater than maximum dialect".to_string(),
+                ));
+            }
+        }
+        Ok(())
+    }
+}