ruby_smb 2.0.9 → 2.0.13

data/lib/ruby_smb/server/server_client/negotiation.rb

@@ -0,0 +1,156 @@
+require 'securerandom'
+
+module RubySMB
+  class Server
+    class ServerClient
+      module Negotiation
+        #
+        # Handle an SMB negotiation request. Once negotiation is complete, the state will be updated to :session_setup.
+        # At this point the @dialect will have been set along with other dialect-specific values.
+        #
+        # @param [String] raw_request the negotiation request to process
+        def handle_negotiate(raw_request)
+          response = nil
+          case raw_request[0...4].unpack1('L>')
+          when RubySMB::SMB1::SMB_PROTOCOL_ID
+            request = SMB1::Packet::NegotiateRequest.read(raw_request)
+            response = do_negotiate_smb1(request) if request.is_a?(SMB1::Packet::NegotiateRequest)
+          when RubySMB::SMB2::SMB2_PROTOCOL_ID
+            request = SMB2::Packet::NegotiateRequest.read(raw_request)
+            response = do_negotiate_smb2(request) if request.is_a?(SMB2::Packet::NegotiateRequest)
+          end
+
+          if response.nil?
+            disconnect!
+          else
+            send_packet(response)
+          end
+
+          nil
+        end
+
+        def do_negotiate_smb1(request)
+          client_dialects = request.dialects.map(&:dialect_string).map(&:value)
+
+          if client_dialects.include?(Client::SMB1_DIALECT_SMB2_WILDCARD) && \
+              @server.dialects.any? { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB2 }
+            response = SMB2::Packet::NegotiateResponse.new
+            response.smb2_header.credits = 1
+            response.security_mode.signing_enabled = 1
+            response.dialect_revision = SMB2::SMB2_WILDCARD_REVISION
+            response.server_guid = @server.guid
+
+            response.max_transact_size = 0x800000
+            response.max_read_size = 0x800000
+            response.max_write_size = 0x800000
+            response.system_time.set(Time.now)
+            response.security_buffer_offset = response.security_buffer.abs_offset
+            response.security_buffer = process_gss.buffer
+            return response
+          end
+
+          server_dialects = @server.dialects.select { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB1 }
+          dialect = (server_dialects & client_dialects).first
+          if dialect.nil?
+            # 'NT LM 0.12' is currently the only supported dialect
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/80850595-e301-4464-9745-58e4945eb99b
+            response = SMB1::Packet::NegotiateResponse.new
+            response.parameter_block.word_count = 1
+            response.parameter_block.dialect_index = 0xffff
+            response.data_block.byte_count = 0
+            return response
+          end
+
+          response = SMB1::Packet::NegotiateResponseExtended.new
+          response.parameter_block.dialect_index = client_dialects.index(dialect)
+          response.parameter_block.max_mpx_count = 50
+          response.parameter_block.max_number_vcs = 1
+          response.parameter_block.max_buffer_size = 16644
+          response.parameter_block.max_raw_size = 65536
+          server_time = Time.now
+          response.parameter_block.system_time.set(server_time)
+          response.parameter_block.server_time_zone = server_time.utc_offset
+          response.data_block.server_guid = @server.guid
+          response.data_block.security_blob = process_gss.buffer
+
+          @state = :session_setup
+          @dialect = dialect
+          response
+        end
+
+        def do_negotiate_smb2(request)
+          client_dialects = request.dialects.map { |d| "0x%04x" % d }
+          server_dialects = @server.dialects.select { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB2 }
+          dialect = (server_dialects & client_dialects).first
+
+          response = SMB2::Packet::NegotiateResponse.new
+          response.smb2_header.credits = 1
+          response.smb2_header.message_id = request.smb2_header.message_id
+          response.security_mode.signing_enabled = 1
+          response.server_guid = @server.guid
+          response.max_transact_size = 0x800000
+          response.max_read_size = 0x800000
+          response.max_write_size = 0x800000
+          response.system_time.set(Time.now)
+          if dialect.nil?
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/b39f253e-4963-40df-8dff-2f9040ebbeb1
+            # > If a common dialect is not found, the server MUST fail the request with STATUS_NOT_SUPPORTED.
+            response.smb2_header.nt_status = WindowsError::NTStatus::STATUS_NOT_SUPPORTED.value
+            return response
+          end
+
+          contexts = []
+          hash_algorithm = hash_value = nil
+          if dialect == '0x0311'
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/b39f253e-4963-40df-8dff-2f9040ebbeb1
+            nc = request.find_negotiate_context(SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES)
+            hash_algorithm = SMB2::PreauthIntegrityCapabilities::HASH_ALGORITM_MAP[nc&.data&.hash_algorithms&.first]
+            hash_value = "\x00" * 64
+            unless hash_algorithm
+              response.smb2_header.nt_status = WindowsError::NTStatus::STATUS_INVALID_PARAMETER.value
+              return response
+            end
+
+            contexts << SMB2::NegotiateContext.new(
+              context_type: SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
+              data: {
+                hash_algorithms: [ SMB2::PreauthIntegrityCapabilities::SHA_512 ],
+                salt: SecureRandom.random_bytes(32)
+              }
+            )
+
+            nc = request.find_negotiate_context(SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES)
+            cipher = nc&.data&.ciphers&.first
+            cipher = 0 unless SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP.include? cipher
+            contexts << SMB2::NegotiateContext.new(
+              context_type: SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES,
+              data: {
+                ciphers: [ cipher ]
+              }
+            )
+          end
+
+          # the order in which the response is built is important to ensure it is valid
+          response.dialect_revision = dialect.to_i(16)
+          response.security_buffer_offset = response.security_buffer.abs_offset
+          response.security_buffer = process_gss.buffer
+          if dialect == '0x0311'
+            response.negotiate_context_offset = response.negotiate_context_list.abs_offset
+            contexts.each { |nc| response.add_negotiate_context(nc) }
+          end
+          @preauth_integrity_hash_algorithm = hash_algorithm
+          @preauth_integrity_hash_value = hash_value
+
+          if dialect == '0x0311'
+            update_preauth_hash(request)
+            update_preauth_hash(response)
+          end
+
+          @state = :session_setup
+          @dialect = dialect
+          response
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/server/server_client/session_setup.rb

@@ -0,0 +1,82 @@
+module RubySMB
+  class Server
+    class ServerClient
+      module SessionSetup
+        #
+        # Setup a new session based on the negotiated dialect. Once session setup is complete, the state will be updated
+        # to :authenticated.
+        #
+        # @param [String] raw_request the session setup request to process
+        def handle_session_setup(raw_request)
+          response = nil
+
+          case metadialect.order
+          when Dialect::ORDER_SMB1
+            request = SMB1::Packet::SessionSetupRequest.read(raw_request)
+            response = do_session_setup_smb1(request)
+          when Dialect::ORDER_SMB2
+            request = SMB2::Packet::SessionSetupRequest.read(raw_request)
+            response = do_session_setup_smb2(request)
+          end
+
+          if response.nil?
+            disconnect!
+          else
+            send_packet(response)
+          end
+
+          nil
+        end
+
+        def do_session_setup_smb1(request)
+          gss_result = process_gss(request.data_block.security_blob)
+          return if gss_result.nil?
+
+          response = SMB1::Packet::SessionSetupResponse.new
+          response.smb_header.pid_low = request.smb_header.pid_low
+          response.smb_header.uid = rand(0x10000)
+          response.smb_header.mid = request.smb_header.mid
+          response.smb_header.nt_status = gss_result.nt_status.value
+          response.smb_header.flags.reply = true
+          response.smb_header.flags2.unicode = true
+          response.smb_header.flags2.extended_security = true
+          unless gss_result.buffer.nil?
+            response.parameter_block.security_blob_length = gss_result.buffer.length
+            response.data_block.security_blob = gss_result.buffer
+          end
+
+          if gss_result.nt_status == WindowsError::NTStatus::STATUS_SUCCESS
+            @state = :authenticated
+            @identity = gss_result.identity
+          end
+
+          response
+        end
+
+        def do_session_setup_smb2(request)
+          gss_result = process_gss(request.buffer)
+          return if gss_result.nil?
+
+          response = SMB2::Packet::SessionSetupResponse.new
+          response.smb2_header.nt_status = gss_result.nt_status.value
+          response.smb2_header.credits = 1
+          response.smb2_header.message_id = request.smb2_header.message_id
+          response.smb2_header.session_id = @session_id = @session_id || SecureRandom.random_bytes(4).unpack1('V')
+          response.buffer = gss_result.buffer
+
+          update_preauth_hash(request) if @dialect == '0x0311'
+          if gss_result.nt_status == WindowsError::NTStatus::STATUS_SUCCESS
+            @state = :authenticated
+            @identity = gss_result.identity
+            @session_key = @gss_authenticator.session_key
+          elsif gss_result.nt_status == WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED && @dialect == '0x0311'
+            update_preauth_hash(response)
+          end
+
+          response
+        end
+      end
+    end
+  end
+end
+

data/lib/ruby_smb/server/server_client.rb

@@ -0,0 +1,162 @@
+module RubySMB
+  class Server
+    # This class represents a single connected client to the server. It stores and processes connection specific related
+    # information.
+    class ServerClient
+
+      require 'ruby_smb/dialect'
+      require 'ruby_smb/signing'
+      require 'ruby_smb/server/server_client/negotiation'
+      require 'ruby_smb/server/server_client/session_setup'
+
+      include RubySMB::Signing
+      include RubySMB::Server::ServerClient::Negotiation
+      include RubySMB::Server::ServerClient::SessionSetup
+
+      attr_reader :dialect, :identity, :state, :session_key
+
+      # @param [Server] server the server that accepted this connection
+      # @param [Dispatcher::Socket] dispatcher the connection's socket dispatcher
+      def initialize(server, dispatcher)
+        @server = server
+        @dispatcher = dispatcher
+        @state = :negotiate
+        @dialect = nil
+        @session_id = nil
+        @session_key = nil
+        @gss_authenticator = server.gss_provider.new_authenticator(self)
+        @identity = nil
+        @tree_connections = {}
+        @preauth_integrity_hash_algorithm = nil
+        @preauth_integrity_hash_value = nil
+      end
+
+      #
+      # The dialects metadata definition.
+      #
+      # @return [Dialect::Definition]
+      def metadialect
+        Dialect::ALL[@dialect]
+      end
+
+      #
+      # The peername of the connected socket. This is a combination of the IPv4 or IPv6 address and port number.
+      #
+      # @example Parse the value into an IP address
+      #   ::Socket::unpack_sockaddr_in(server_client.getpeername)
+      #
+      # @return [String]
+      def getpeername
+        @dispatcher.tcp_socket.getpeername
+      end
+
+      #
+      # Handle an authenticated request. This is the main handler for all requests after the connection has been
+      # authenticated.
+      #
+      # @param [String] raw_request the request that should be handled
+      def handle_authenticated(raw_request)
+        response = nil
+
+        case raw_request[0...4].unpack1('L>')
+        when RubySMB::SMB1::SMB_PROTOCOL_ID
+          raise NotImplementedError
+        when RubySMB::SMB2::SMB2_PROTOCOL_ID
+          raise NotImplementedError
+        end
+
+        if response.nil?
+          disconnect!
+          return
+        end
+
+        send_packet(response)
+      end
+
+      #
+      # Process a GSS authentication buffer. If no buffer is specified, the request is assumed to be the first in the
+      # negotiation sequence.
+      #
+      # @param [String, nil] buffer the request GSS request buffer that should be processed
+      # @return [Gss::Provider::Result] the result of the processed GSS request
+      def process_gss(buffer=nil)
+        @gss_authenticator.process(buffer)
+      end
+
+      #
+      # Run the processing loop to receive and handle requests. This loop runs until an exception occurs or the
+      # dispatcher socket is closed.
+      #
+      def run
+        loop do
+          begin
+            raw_request = recv_packet
+          rescue RubySMB::Error::CommunicationError
+            break
+          end
+
+          case @state
+          when :negotiate
+            handle_negotiate(raw_request)
+          when :session_setup
+            handle_session_setup(raw_request)
+          when :authenticated
+            handle_authenticated(raw_request)
+          end
+
+          break if @dispatcher.tcp_socket.closed?
+        end
+      end
+
+      #
+      # Disconnect the remote client.
+      #
+      def disconnect!
+        @state = nil
+        @dispatcher.tcp_socket.close
+      end
+
+      #
+      # Receive a single SMB packet from the dispatcher.
+      #
+      # @return [String] the raw packet
+      def recv_packet
+        @dispatcher.recv_packet
+      end
+
+      #
+      # Send a single SMB packet using the dispatcher. If necessary, the packet will be signed.
+      #
+      # @param [GenericPacket] packet the packet to send
+      def send_packet(packet)
+        if @state == :authenticated && @identity != Gss::Provider::IDENTITY_ANONYMOUS && !@session_key.nil?
+          case metadialect.family
+          when Dialect::FAMILY_SMB2
+            packet = smb2_sign(packet)
+          when Dialect::FAMILY_SMB3
+            packet = smb3_sign(packet)
+          end
+        end
+
+        @dispatcher.send_packet(packet)
+      end
+
+      #
+      # Update the preauth integrity hash as used by dialect 3.1.1 for various cryptographic operations. The algorithm
+      # and hash values must have been initialized prior to calling this.
+      #
+      # @param [String] data the data with which to update the preauth integrity hash
+      def update_preauth_hash(data)
+        unless @preauth_integrity_hash_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Cannot compute the Preauth Integrity Hash value: Preauth Integrity Hash Algorithm is nil'
+          )
+        end
+        @preauth_integrity_hash_value = OpenSSL::Digest.digest(
+          @preauth_integrity_hash_algorithm,
+          @preauth_integrity_hash_value + data.to_binary_s
+        )
+      end
+    end
+  end
+end

data/lib/ruby_smb/server.rb

@@ -0,0 +1,54 @@
+require 'socket'
+
+module RubySMB
+  # This class provides the SMB server core. Settings that are relevant server wide are managed by this object.
+  # Currently, the server only supports negotiating and authenticating requests. No other server functionality is
+  # available at this time. The negotiating and authentication is supported for SMB versions 1 through 3.1.1.
+  class Server
+    require 'ruby_smb/server/server_client'
+    require 'ruby_smb/gss/provider/ntlm'
+
+    Connection = Struct.new(:client, :thread)
+
+    # @param server_sock the socket on which the server should listen
+    # @param [Gss::Provider] the authentication provider
+    def initialize(server_sock: nil, gss_provider: nil)
+      server_sock = ::TCPServer.new(445) if server_sock.nil?
+
+      @guid = Random.new.bytes(16)
+      @socket = server_sock
+      @connections = []
+      @gss_provider = gss_provider || Gss::Provider::NTLM.new
+      # reject the wildcard dialect because it's not a real dialect we can use for this purpose
+      @dialects = RubySMB::Dialect::ALL.keys.reject { |dialect| dialect == "0x%04x" % RubySMB::SMB2::SMB2_WILDCARD_REVISION }.reverse
+    end
+
+    # Run the server and accept any connections. For each connection, the block will be executed if specified. When the
+    # block returns false, the loop will exit and the server will no long accept new connections.
+    def run(&block)
+      loop do
+        sock = @socket.accept
+        server_client = ServerClient.new(self, RubySMB::Dispatcher::Socket.new(sock))
+        @connections << Connection.new(server_client, Thread.new { server_client.run })
+
+        break unless block.nil? || block.call(server_client)
+      end
+    end
+
+    # The dialects that this server will negotiate with clients, in ascending order of preference.
+    # @!attribute [r] dialects
+    #   @return [Array<String>]
+    attr_accessor :dialects
+
+    # The GSS Provider instance that this server will use to authenticate
+    # incoming client connections.
+    # @!attribute [r] gss_provider
+    #   @return [RubySMB::Gss::Provider::Base]
+    attr_reader :gss_provider
+
+    # The 16 byte GUID that uniquely identifies this server instance.
+    # @!attribute [r] guid
+    attr_reader :guid
+  end
+end
+

data/lib/ruby_smb/signing.rb

@@ -0,0 +1,59 @@
+module RubySMB
+  # Contains the methods for handling packet signing
+  module Signing
+    # The NTLM Session Key used for signing
+    # @!attribute [rw] session_key
+    #   @return [String]
+    attr_accessor :session_key
+
+    # Take an SMB1 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb1_sign(packet)
+      # Pack the Sequence counter into a int64le
+      packed_sequence_counter = [sequence_counter].pack('Q<')
+      packet.smb_header.security_features = packed_sequence_counter
+      signature = OpenSSL::Digest::MD5.digest(session_key + packet.to_binary_s)[0, 8]
+      packet.smb_header.security_features = signature
+      @sequence_counter += 1
+
+      packet
+    end
+
+    # Take an SMB2 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb2_sign(packet)
+      packet.smb2_header.flags.signed = 1
+      packet.smb2_header.signature = "\x00" * 16
+      hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), session_key, packet.to_binary_s)
+      packet.smb2_header.signature = hmac[0, 16]
+
+      packet
+    end
+
+    # Take an SMB3 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb3_sign(packet)
+      case @dialect
+      when '0x0300', '0x0302'
+        signing_key = Crypto::KDF.counter_mode(@session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+      when '0x0311'
+        signing_key = Crypto::KDF.counter_mode(@session_key, "SMBSigningKey\x00", @preauth_integrity_hash_value)
+      else
+        raise Error::SigningError.new("Dialect #{@dialect.inspect} is incompatible with SMBv3 signing")
+      end
+
+      packet.smb2_header.flags.signed = 1
+      packet.smb2_header.signature = "\x00" * 16
+      hmac = OpenSSL::CMAC.digest('AES', signing_key, packet.to_binary_s)
+      packet.smb2_header.signature = hmac[0, 16]
+
+      packet
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/negotiate_response.rb

@@ -8,17 +8,17 @@ module RubySMB
 
         # An SMB_Parameters Block as defined by the {NegotiateResponse}.
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
-          uint16          :dialect_index, label: 'Dialect Index'
-          security_mode   :security_mode
-          uint16          :max_mpx_count,     label: 'Max Multiplex Count'
-          uint16          :max_number_vcs,    label: 'Max Virtual Circuits'
-          uint32          :max_buffer_size,   label: 'Max Buffer Size'
-          uint32          :max_raw_size,      label: 'Max Raw Size'
-          uint32          :session_key,       label: 'Session Key'
-          capabilities    :capabilities
-          file_time       :system_time,       label: 'Server System Time'
-          int16           :server_time_zone,  label: 'Server TimeZone'
-          uint8           :challenge_length,  label: 'Challenge Length', initial_value: 0x08
+          uint16          :dialect_index,     label: 'Dialect Index'
+          security_mode   :security_mode,     onlyif: -> { dialect_index != 0xffff }
+          uint16          :max_mpx_count,     label: 'Max Multiplex Count', onlyif: -> { dialect_index != 0xffff }
+          uint16          :max_number_vcs,    label: 'Max Virtual Circuits', onlyif: -> { dialect_index != 0xffff }
+          uint32          :max_buffer_size,   label: 'Max Buffer Size', onlyif: -> { dialect_index != 0xffff }
+          uint32          :max_raw_size,      label: 'Max Raw Size', onlyif: -> { dialect_index != 0xffff }
+          uint32          :session_key,       label: 'Session Key', onlyif: -> { dialect_index != 0xffff }
+          capabilities    :capabilities,      onlyif: -> { dialect_index != 0xffff }
+          file_time       :system_time,       label: 'Server System Time', onlyif: -> { dialect_index != 0xffff }
+          int16           :server_time_zone,  label: 'Server TimeZone', onlyif: -> { dialect_index != 0xffff }
+          uint8           :challenge_length,  label: 'Challenge Length', initial_value: 0x08, onlyif: -> { dialect_index != 0xffff }
         end
 
         # An SMB_Data Block as defined by the {NegotiateResponse}

data/lib/ruby_smb/smb1/packet/negotiate_response_extended.rb

@@ -8,7 +8,7 @@ module RubySMB
 
         # An SMB_Parameters Block as defined by the {NegotiateResponseExtended}.
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
-          uint16          :dialect_index, label: 'Dialect Index'
+          uint16          :dialect_index,     label: 'Dialect Index'
           security_mode   :security_mode
           uint16          :max_mpx_count,     label: 'Max Multiplex Count'
           uint16          :max_number_vcs,    label: 'Max Virtual Circuits'

data/lib/ruby_smb/smb1/packet/session_setup_request.rb

@@ -47,7 +47,7 @@ module RubySMB
 
         # Takes an NTLM Type 3 Message and creates the GSS Security Blob
         # for it and sets it in the {RubySMB::SMB1::Packet::SessionSetupRequest::DataBlock#security_blob}
-        # field. It also automaticaly sets the length in
+        # field. It also automatically sets the length in
         # {RubySMB::SMB1::Packet::SessionSetupRequest::ParameterBlock#security_blob_length}
         #
         # @param type3_message [String] the serialized Type 3 NTLM message

data/lib/ruby_smb/smb1/pipe.rb

@@ -24,6 +24,10 @@ module RubySMB
           extend RubySMB::Dcerpc::Svcctl
         when 'winreg', '\\winreg'
           extend RubySMB::Dcerpc::Winreg
+        when 'samr', '\\samr'
+          extend RubySMB::Dcerpc::Samr
+        when 'wkssvc', '\\wkssvc'
+          extend RubySMB::Dcerpc::Wkssvc
         end
         super(tree: tree, response: response, name: name)
       end

data/lib/ruby_smb/smb1/tree.rb

@@ -60,7 +60,7 @@ module RubySMB
         opts = opts.dup
         opts[:filename] = opts[:filename].dup
         opts[:filename].prepend('\\') unless opts[:filename].start_with?('\\')
-        open_file(opts)
+        open_file(**opts)
       end
 
       # Open a file on the remote share.

data/lib/ruby_smb/smb2/negotiate_context.rb

@@ -69,9 +69,22 @@ module RubySMB
     class NetnameNegotiateContextId < BinData::Record
       endian  :little
 
-      stringz16 :net_name, label: 'Net Name'
+      count_bytes_remaining :bytes_remaining
+      default_parameter data_length: nil
+      hide :bytes_remaining
+
+      string16 :net_name, label: 'Net Name', read_length: -> { data_length.nil? ? bytes_remaining : data_length }
     end
 
+    # An SMB2 TRANSPORT_CAPABILITIES context struct as defined in
+    # [2.2.3.1.5 SMB2_TRANSPORT_CAPABILITIES](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/450a1888-a645-4988-8638-5a11f4617545)
+    class TransportCapabilities < BinData::Record
+      SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY = 1 # Transport security is offered to skip SMB2 encryption on this connection.
+
+      endian :little
+
+      uint32 :flags, label: 'Flags'
+    end
 
     # An SMB2 NEGOTIATE_CONTEXT struct as defined in
     # [2.2.3.1 SMB2 NEGOTIATE_CONTEXT Request Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/15332256-522e-4a53-8cd7-0bd17678a2f7)
@@ -84,6 +97,8 @@ module RubySMB
       SMB2_COMPRESSION_CAPABILITIES        = 0x0003
       # The NegotiateContext Data field contains the server name to which the client connects.
       SMB2_NETNAME_NEGOTIATE_CONTEXT_ID    = 0x0005
+      # The NegotiateContext Data field contains the transport capabilities, as specified in section 2.2.3.1.5.
+      SMB2_TRANSPORT_CAPABILITIES          = 0x0006
 
       endian  :little
 
@@ -95,7 +110,8 @@ module RubySMB
         preauth_integrity_capabilities SMB2_PREAUTH_INTEGRITY_CAPABILITIES, label: 'Preauthentication Integrity Capabilities'
         encryption_capabilities        SMB2_ENCRYPTION_CAPABILITIES,        label: 'Encryption Capabilities'
         compression_capabilities       SMB2_COMPRESSION_CAPABILITIES,       label: 'Compression Capabilities'
-        netname_negotiate_context_id   SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,   label: 'Netname Negotiate Context ID'
+        netname_negotiate_context_id   SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,   label: 'Netname Negotiate Context ID', data_length: :data_length
+        transport_capabilities         SMB2_TRANSPORT_CAPABILITIES,         label: 'Transport Capabilities'
       end
 
       def pad_length

data/lib/ruby_smb/smb2/packet/negotiate_request.rb

@@ -64,6 +64,15 @@ module RubySMB
           self.negotiate_context_list
         end
 
+        # Find the first Negotiate Context structure that matches the given
+        # context type
+        #
+        # @param [Integer] the Negotiate Context structure you wish to add
+        # @return [NegotiateContext] the Negotiate Context structure or nil if
+        # not found
+        def find_negotiate_context(type)
+          negotiate_context_list.find { |nc| nc.context_type == type }
+        end
 
         private
 

data/lib/ruby_smb/smb2/packet/negotiate_response.rb

@@ -59,7 +59,6 @@ module RubySMB
           self.negotiate_context_list
         end
 
-
         private
 
         # Determines the correct length for the padding, so that the next

data/lib/ruby_smb/smb2/packet/session_setup_response.rb

@@ -11,8 +11,8 @@ module RubySMB
         uint16              :structure_size, label: 'Structure Size', initial_value: 9
         session_flags       :session_flags
         uint16              :security_buffer_offset,  label: 'Security Buffer Offset', initial_value: 0x48
-        uint16              :security_buffer_length,  label: 'Security Buffer Length'
-        string              :buffer,                  label: 'Security Buffer', length: -> { security_buffer_length }
+        uint16              :security_buffer_length,  label: 'Security Buffer Length', initial_value: -> { buffer.length }
+        string              :buffer,                  label: 'Security Buffer', read_length: -> { security_buffer_length }
 
         def initialize_instance
           super

data/lib/ruby_smb/smb2/packet/tree_connect_request.rb

@@ -101,7 +101,7 @@ module RubySMB
             path.to_binary_s.length
           end
         end
-        string16     :path,           label: 'Path Buffer',    onlyif: -> { flags != SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }
+        string16     :path,           label: 'Path Buffer',    onlyif: -> { flags != SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }, read_length: -> { path_length }
         tree_connect_request_extension :tree_connect_request_extension, label: 'Tree Connect Request Extension', onlyif: -> { flags == SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }
       end
     end