ruby_smb 1.0.3 → 2.0.1

data/lib/ruby_smb/client/echo.rb

@@ -16,7 +16,16 @@ module RubySMB
         (count - 1).times do
           raw_response = dispatcher.recv_packet
         end
-        RubySMB::SMB1::Packet::EchoResponse.read(raw_response)
+        response = RubySMB::SMB1::Packet::EchoResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::EchoResponse::COMMAND,
+            received_proto: response.smb_header.protocol,
+            received_cmd:   response.smb_header.command
+          )
+        end
+        response
       end
 
       # Sends an ECHO request packet and returns the
@@ -26,7 +35,16 @@ module RubySMB
       def smb2_echo
         request      = RubySMB::SMB2::Packet::EchoRequest.new
         raw_response = send_recv(request)
-        RubySMB::SMB2::Packet::EchoResponse.read(raw_response)
+        response = RubySMB::SMB2::Packet::EchoResponse.read(raw_response)
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::EchoResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
+        end
+        response
       end
     end
   end

data/lib/ruby_smb/client/encryption.rb

@@ -0,0 +1,62 @@
+module RubySMB
+  class Client
+    # Contains the methods for handling encryption / decryption
+    module Encryption
+      def smb3_encrypt(data)
+        unless @client_encryption_key
+          case @dialect
+          when '0x0300', '0x0302'
+            @client_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMB2AESCCM\x00",
+              "ServerIn \x00"
+            )
+          when '0x0311'
+            @client_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMBC2SCipherKey\x00",
+              @preauth_integrity_hash_value
+            )
+          else
+            raise RubySMB::Error::EncryptionError.new('Dialect is incompatible with SMBv3 encryption')
+          end
+          ######
+          # DEBUG
+          #puts "Client encryption key = #{@client_encryption_key.each_byte.map {|e| '%02x' % e}.join}"
+          ######
+        end
+
+        th = RubySMB::SMB2::Packet::TransformHeader.new(flags: 1, session_id: @session_id)
+        th.encrypt(data, @client_encryption_key, algorithm: @encryption_algorithm)
+        th
+      end
+
+      def smb3_decrypt(th)
+        unless @server_encryption_key
+          case @dialect
+          when '0x0300', '0x0302'
+            @server_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMB2AESCCM\x00",
+              "ServerOut\x00"
+            )
+          when '0x0311'
+            @server_encryption_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMBS2CCipherKey\x00",
+              @preauth_integrity_hash_value
+            )
+          else
+            raise RubySMB::Error::EncryptionError.new('Dialect is incompatible with SMBv3 decryption')
+          end
+          ######
+          # DEBUG
+          #puts "Server encryption key = #{@server_encryption_key.each_byte.map {|e| '%02x' % e}.join}"
+          ######
+        end
+
+        th.decrypt(@server_encryption_key, algorithm: @encryption_algorithm)
+      end
+    end
+  end
+end

data/lib/ruby_smb/client/negotiation.rb

@@ -17,10 +17,30 @@ module RubySMB
         # internally to be able to retrieve the negotiated dialect later on.
         # This is only valid for SMB1.
         response_packet.dialects = request_packet.dialects if response_packet.respond_to? :dialects=
-        parse_negotiate_response(response_packet)
-      rescue RubySMB::Error::InvalidPacket, Errno::ECONNRESET
-        error = 'Unable to Negotiate with remote host'
-        error << ', SMB1 may be disabled' if smb1 && !smb2
+        version = parse_negotiate_response(response_packet)
+        case @dialect
+        when '0x0300', '0x0302'
+          @encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM]
+        when '0x0311'
+          parse_smb3_encryption_data(request_packet, response_packet)
+        end
+
+        # If the response contains the SMB2 wildcard revision number dialect;
+        # it indicates that the server implements SMB 2.1 or future dialect
+        # revisions and expects the client to send a subsequent SMB2 Negotiate
+        # request to negotiate the actual SMB 2 Protocol revision to be used.
+        # The wildcard revision number is sent only in response to a
+        # multi-protocol negotiate request with the "SMB 2.???" dialect string.
+        if @dialect == '0x02ff'
+          self.smb2_message_id += 1
+          version = negotiate
+        end
+        version
+      rescue RubySMB::Error::InvalidPacket, Errno::ECONNRESET, RubySMB::Error::CommunicationError => e
+        version = request_packet.packet_smb_version
+        version = 'SMB3' if version == 'SMB2' && !@smb2 && @smb3
+        version = 'SMB2 or SMB3' if version == 'SMB2' && @smb2 && @smb3
+        error = "Unable to negotiate #{version} with the remote host: #{e.message}"
         raise RubySMB::Error::NegotiationFailure, error
       end
 
@@ -32,8 +52,8 @@ module RubySMB
       def negotiate_request
         if smb1
           smb1_negotiate_request
-        elsif smb2
-          smb2_negotiate_request
+        else
+          smb2_3_negotiate_request
         end
       end
 
@@ -47,23 +67,38 @@ module RubySMB
       def negotiate_response(raw_data)
         response = nil
         if smb1
-          begin
-            packet = RubySMB::SMB1::Packet::NegotiateResponseExtended.read raw_data
-          rescue StandardError => e
-            raise RubySMB::Error::InvalidPacket, "Not a Valid SMB1 Negoitate Response #{e.message}"
-          end
+          packet = RubySMB::SMB1::Packet::NegotiateResponseExtended.read raw_data
           response = packet if packet.valid?
         end
-        if smb2 && response.nil?
-          begin
-            packet = RubySMB::SMB2::Packet::NegotiateResponse.read raw_data
-          rescue StandardError => e
-            raise RubySMB::Error::InvalidPacket, "Not a Valid SMB2 Negoitate Response #{e.message}"
-          end
-          response = packet
+        if (smb2 || smb3) && response.nil?
+          packet = RubySMB::SMB2::Packet::NegotiateResponse.read raw_data
+          response = packet if packet.valid?
         end
         if response.nil?
-          raise RubySMB::Error::InvalidPacket, 'No Valid Negotiate Response found'
+          if packet.packet_smb_version == 'SMB1'
+            extended_security = if packet.is_a? RubySMB::SMB1::Packet::NegotiateResponseExtended
+              packet.parameter_block.capabilities.extended_security
+            else
+              "n/a"
+            end
+            raise RubySMB::Error::InvalidPacket.new(
+              expected_proto:  RubySMB::SMB1::SMB_PROTOCOL_ID,
+              expected_cmd:    RubySMB::SMB1::Packet::NegotiateResponseExtended::COMMAND,
+              expected_custom: "extended_security=1",
+              received_proto:  packet.smb_header.protocol,
+              received_cmd:    packet.smb_header.command,
+              received_custom: "extended_security=#{extended_security}"
+            )
+          elsif packet.packet_smb_version == 'SMB2'
+            raise RubySMB::Error::InvalidPacket.new(
+              expected_proto:  RubySMB::SMB2::SMB2_PROTOCOL_ID,
+              expected_cmd:    RubySMB::SMB2::Packet::NegotiateResponse::COMMAND,
+              received_proto:  packet.smb2_header.protocol,
+              received_cmd:    packet.smb2_header.command
+            )
+          else
+            raise RubySMB::Error::InvalidPacket, 'Unknown SMB protocol version'
+          end
         end
         response
       end
@@ -80,26 +115,83 @@ module RubySMB
         when RubySMB::SMB1::Packet::NegotiateResponseExtended
           self.smb1 = true
           self.smb2 = false
+          self.smb3 = false
           self.signing_required = packet.parameter_block.security_mode.security_signatures_required == 1
           self.dialect = packet.negotiated_dialect.to_s
           # MaxBufferSize is largest message server will receive, measured from start of the SMB header. Subtract 260
           # for protocol overhead. Then this value can be used for max read/write size without having to factor in
           # protocol overhead every time.
           self.server_max_buffer_size = packet.parameter_block.max_buffer_size - 260
+          self.negotiated_smb_version = 1
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
-          self.smb2 = true
-          self.signing_required = packet.security_mode.signing_required == 1
+          unless packet.dialect_revision.to_i == 0x02ff
+            self.smb2 = packet.dialect_revision.to_i >= 0x0200 && packet.dialect_revision.to_i < 0x0300
+            self.smb3 = packet.dialect_revision.to_i >= 0x0300 && packet.dialect_revision.to_i < 0x0400
+            # Only enable session encryption if the server supports it
+            @session_encrypt_data = self.smb3 && @session_encrypt_data && packet.capabilities.encryption == 1
+          end
+          self.signing_required = packet.security_mode.signing_required == 1 if self.smb2 || self.smb3
           self.dialect = "0x%04x" % packet.dialect_revision
           self.server_max_read_size = packet.max_read_size
           self.server_max_write_size = packet.max_write_size
           self.server_max_transact_size = packet.max_transact_size
           # This value is used in SMB1 only but calculate a valid value anyway
           self.server_max_buffer_size = [self.server_max_read_size, self.server_max_write_size, self.server_max_transact_size].min
-          'SMB2'
+          self.negotiated_smb_version = self.smb2 ? 2 : 3
+          self.server_guid = packet.server_guid
+          self.server_start_time = packet.server_start_time.to_time if packet.server_start_time != 0
+          self.server_system_time = packet.system_time.to_time if packet.system_time != 0
+          return "SMB#{self.negotiated_smb_version}"
+        else
+          error = 'Unable to negotiate with remote host'
+          if packet.status_code == WindowsError::NTStatus::STATUS_NOT_SUPPORTED
+            error << ", SMB2" if @smb2
+            error << ", SMB3" if @smb3
+            error << ' not supported'
+          end
+          raise RubySMB::Error::NegotiationFailure, error
         end
+      end
 
+      def parse_smb3_encryption_data(request_packet, response_packet)
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+        )
+        @preauth_integrity_hash_algorithm = RubySMB::SMB2::PreauthIntegrityCapabilities::HASH_ALGORITM_MAP[nc&.data&.hash_algorithms&.first]
+        unless @preauth_integrity_hash_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the Preauth Integrity Hash Algorithm from the Negotiate response'
+          )
+        end
+        # Set the encryption the client will use, prioritizing AES_128_GCM over AES_128_CCM
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+        )
+        @server_encryption_algorithms = nc&.data&.ciphers&.to_ary
+        if @server_encryption_algorithms.nil? || @server_encryption_algorithms.empty?
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+          )
+        end
+        if @server_encryption_algorithms.include?(RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM)
+          @encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM]
+        else
+          @encryption_algorithm = RubySMB::SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP[@server_encryption_algorithms.first]
+        end
+        unless @encryption_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Unable to retrieve the encryption cipher list supported by the server from the Negotiate response'
+          )
+        end
+        update_preauth_hash(request_packet)
+        update_preauth_hash(response_packet)
+
+        nc = response_packet.find_negotiate_context(
+          RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+        )
+        @server_compression_algorithms = nc&.data&.compression_algorithms&.to_ary || []
       end
 
       # Create a {RubySMB::SMB1::Packet::NegotiateRequest} packet with the
@@ -112,10 +204,17 @@ module RubySMB
         # while being guaranteed to work with any modern Windows system. We can get more sophisticated
         # with switching this on and off at a later date if the need arises.
         packet.smb_header.flags2.extended_security = 1
+        # Recent Mac OS X requires the unicode flag to be set on the Negotiate
+        # SMB Header request, even if this packet does not contain string fields
+        # (see Flags2 SMB_FLAGS2_UNICODE definition in "2.2.3.1 The SMB Header"
+        # documentation:
+        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/69a29f73-de0c-45a6-a1aa-8ceeea42217f
+        packet.smb_header.flags2.unicode = 1
         # There is no real good reason to ever send an SMB1 Negotiate packet
         # to Negotiate strictly SMB2, but the protocol WILL support it
         packet.add_dialect(SMB1_DIALECT_SMB1_DEFAULT) if smb1
         packet.add_dialect(SMB1_DIALECT_SMB2_DEFAULT) if smb2
+        packet.add_dialect(SMB1_DIALECT_SMB2_WILDCARD) if smb2 || smb3
         packet
       end
 
@@ -124,11 +223,60 @@ module RubySMB
       # may want to communicate over SMB1
       #
       # @ return [RubySMB::SMB2::Packet::NegotiateRequest] a completed SMB2 Negotiate Request packet
-      def smb2_negotiate_request
+      def smb2_3_negotiate_request
         packet = RubySMB::SMB2::Packet::NegotiateRequest.new
         packet.security_mode.signing_enabled = 1
-        packet.add_dialect(SMB2_DIALECT_DEFAULT)
         packet.client_guid = SecureRandom.random_bytes(16)
+        packet.set_dialects(SMB2_DIALECT_DEFAULT.map {|d| d.to_i(16)}) if smb2
+        packet = add_smb3_to_negotiate_request(packet) if smb3
+        packet
+      end
+
+      # This adds SMBv3 specific information: SMBv3 supported dialects,
+      # encryption capability, Negotiate Contexts if the dialect requires them
+      #
+      # @param packet [RubySMB::SMB2::Packet::NegotiateRequest] the NegotiateRequest
+      #   to add SMB3 specific info to
+      # @param dialects [Array<String>] the dialects to negotiate. This must be
+      #   an array of strings. Default is SMB3_DIALECT_DEFAULT
+      # @return [RubySMB::SMB2::Packet::NegotiateRequest] a completed SMB3 Negotiate Request packet
+      # @raise [ArgumentError] if dialects is not an array of strings
+      def add_smb3_to_negotiate_request(packet, dialects = SMB3_DIALECT_DEFAULT)
+        dialects.each do |dialect|
+          raise ArgumentError, 'Must be an array of strings' unless dialect.is_a? String
+          packet.add_dialect(dialect.to_i(16))
+        end
+        packet.capabilities.encryption = 1
+
+        if packet.dialects.include?(0x0311)
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES
+          )
+          nc.data.hash_algorithms << RubySMB::SMB2::PreauthIntegrityCapabilities::SHA_512
+          nc.data.salt = SecureRandom.random_bytes(32)
+          packet.add_negotiate_context(nc)
+
+          @preauth_integrity_hash_value = "\x00" * 64
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES
+          )
+          nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_CCM
+          nc.data.ciphers << RubySMB::SMB2::EncryptionCapabilities::AES_128_GCM
+          packet.add_negotiate_context(nc)
+
+          nc = RubySMB::SMB2::NegotiateContext.new(
+            context_type: RubySMB::SMB2::NegotiateContext::SMB2_COMPRESSION_CAPABILITIES
+          )
+          # Adding all possible compression algorithm even if we don't support
+          # them yet. This will force the server to disclose the support
+          # algorithms in the repsonse.
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZNT1
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::LZ77_Huffman
+          nc.data.compression_algorithms << RubySMB::SMB2::CompressionCapabilities::Pattern_V1
+          packet.add_negotiate_context(nc)
+        end
+
         packet
       end
     end

data/lib/ruby_smb/client/signing.rb

@@ -40,6 +40,25 @@ module RubySMB
         end
         packet
       end
+
+      def smb3_sign(packet)
+        if !session_key.empty? && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
+          case @dialect
+          when '0x0300', '0x0302'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+          when '0x0311'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMBSigningKey\x00", @preauth_integrity_hash_value)
+          else
+            raise RubySMB::Error::SigningError.new('Dialect is incompatible with SMBv3 signing')
+          end
+
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
+          hmac = OpenSSL::CMAC.digest('AES', signing_key, packet.to_binary_s)
+          packet.smb2_header.signature = hmac[0, 16]
+        end
+        packet
+      end
     end
   end
 end

data/lib/ruby_smb/client/tree_connect.rb

@@ -17,11 +17,7 @@ module RubySMB
         request.smb_header.tid = 65_535
         request.data_block.path = share
         raw_response = send_recv(request)
-        begin
-          response = RubySMB::SMB1::Packet::TreeConnectResponse.read(raw_response)
-        rescue EOFError
-          response = RubySMB::SMB1::Packet::EmptyPacket.read(raw_response)
-        end
+        response = RubySMB::SMB1::Packet::TreeConnectResponse.read(raw_response)
         smb1_tree_from_response(share, response)
       end
 
@@ -30,12 +26,19 @@ module RubySMB
       # @param share [String] the share path to connect to
       # @param response [RubySMB::SMB1::Packet::TreeConnectResponse] the response packet to parse into our Tree
       # @return [RubySMB::SMB1::Tree]
+      # @raise [RubySMB::Error::InvalidPacket] if the response command is not a TreeConnectResponse packet
+      # @raise [RubySMB::Error::UnexpectedStatusCode] if the response status code is not STATUS_SUCCESS
       def smb1_tree_from_response(share, response)
-        unless response.smb_header.command == RubySMB::SMB1::Commands::SMB_COM_TREE_CONNECT
-          raise RubySMB::Error::InvalidPacket, 'Not a TreeConnectResponse'
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::TreeConnectResponse::COMMAND,
+            received_proto: response.smb_header.protocol,
+            received_cmd:   response.smb_header.command
+          )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
         RubySMB::SMB1::Tree.new(client: self, share: share, response: response)
       end
@@ -52,13 +55,9 @@ module RubySMB
       def smb2_tree_connect(share)
         request = RubySMB::SMB2::Packet::TreeConnectRequest.new
         request.smb2_header.tree_id = 65_535
-        request.encode_path(share)
+        request.path = share
         raw_response = send_recv(request)
-        begin
-          response = RubySMB::SMB2::Packet::TreeConnectResponse.read(raw_response)
-        rescue EOFError
-          response = RubySMB::SMB2::Packet::ErrorPacket.read(raw_response)
-        end
+        response = RubySMB::SMB2::Packet::TreeConnectResponse.read(raw_response)
         smb2_tree_from_response(share, response)
       end
 
@@ -67,14 +66,21 @@ module RubySMB
       # @param share [String] the share path to connect to
       # @param response [RubySMB::SMB2::Packet::TreeConnectResponse] the response packet to parse into our Tree
       # @return [RubySMB::SMB2::Tree]
+      # @raise [RubySMB::Error::InvalidPacket] if the response command is not a TreeConnectResponse packet
+      # @raise [RubySMB::Error::UnexpectedStatusCode] if the response status code is not STATUS_SUCCESS
       def smb2_tree_from_response(share, response)
-        unless response.smb2_header.command == RubySMB::SMB2::Commands::TREE_CONNECT
-          raise RubySMB::Error::InvalidPacket, 'Not a TreeConnectResponse'
+        unless response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::TreeConnectResponse::COMMAND,
+            received_proto: response.smb2_header.protocol,
+            received_cmd:   response.smb2_header.command
+          )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
-        RubySMB::SMB2::Tree.new(client: self, share: share, response: response)
+        RubySMB::SMB2::Tree.new(client: self, share: share, response: response, encrypt: response.share_flags.encrypt == 1)
       end
     end
   end