Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncry… (

#752) * Do not send SMB2EncryptionCapabilities NegotiationContext is !isEncryptionSupported (Fixes #747) * Add test for SMB2EncryptionCapabilities
hierynomus · May 8, 2023 · 2e3f845 · 2e3f845
1 parent 07c92dc
commit 2e3f845
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 5 deletions.
diff --git a/src/main/java/com/hierynomus/mssmb2/messages/SMB2NegotiateRequest.java b/src/main/java/com/hierynomus/mssmb2/messages/SMB2NegotiateRequest.java
@@ -56,11 +56,13 @@ private List<SMB2NegotiateContext> buildNegotiateContextList(byte[] salt) {
             List<SMB2NegotiateContext> contexts = new ArrayList<>();
             List<SMB3HashAlgorithm> hashAlgorithmList = Arrays.asList(SMB3HashAlgorithm.SHA_512);
             contexts.add(new SMB2PreauthIntegrityCapabilities(hashAlgorithmList, salt));
-            // [MS-SMB2].pdf <104> Section 3.2.4.2.2.2: Windows 10, Windows Server 2016, and
-            // Windows Server operating system initialize with AES-128-GCM(0x0002)
-            // followed by AES-128-CCM(0x0001).
-            List<SMB3EncryptionCipher> cipherList = Arrays.asList(SMB3EncryptionCipher.AES_128_GCM, SMB3EncryptionCipher.AES_128_CCM);
-            contexts.add(new SMB2EncryptionCapabilities(cipherList));
+            if (this.capabilities.contains(SMB2GlobalCapability.SMB2_GLOBAL_CAP_ENCRYPTION)) { // SMB2_GLOBAL_CAP_ENCRYPTION is only present if isEncryptionSupported is true
+                // [MS-SMB2].pdf <104> Section 3.2.4.2.2.2: Windows 10, Windows Server 2016, and
+                // Windows Server operating system initialize with AES-128-GCM(0x0002)
+                // followed by AES-128-CCM(0x0001).
+                List<SMB3EncryptionCipher> cipherList = Arrays.asList(SMB3EncryptionCipher.AES_128_GCM, SMB3EncryptionCipher.AES_128_CCM);
+                contexts.add(new SMB2EncryptionCapabilities(cipherList));
+            }
             return contexts;
         }
         return Collections.emptyList();

diff --git a/src/test/groovy/com/hierynomus/smbj/connection/ProtocolNegotiatorSpec.groovy b/src/test/groovy/com/hierynomus/smbj/connection/ProtocolNegotiatorSpec.groovy
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C)2016 - SMBJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.smbj.connection
+
+import com.hierynomus.mssmb2.SMB2Dialect
+import com.hierynomus.mssmb2.messages.SMB2NegotiateRequest
+import com.hierynomus.mssmb2.messages.SMB2NegotiateResponse
+import com.hierynomus.mssmb2.messages.SMB2TreeConnectRequest
+import com.hierynomus.mssmb2.messages.negotiate.SMB2EncryptionCapabilities
+import com.hierynomus.mssmb2.messages.negotiate.SMB2PreauthIntegrityCapabilities
+import com.hierynomus.smbj.SMBClient
+import com.hierynomus.smbj.SmbConfig
+import com.hierynomus.smbj.event.ConnectionClosed
+import com.hierynomus.smbj.event.SMBEventBus
+import spock.lang.Specification
+
+class ProtocolNegotiatorSpec extends Specification {
+  def bus = new SMBEventBus()
+
+  private SmbConfig buildConfig(SmbConfig.Builder builder, packetProcessor) {
+    builder
+      .withTransportLayerFactory(new StubTransportLayerFactory(new BasicPacketProcessor(packetProcessor).&processPacket))
+      .withAuthenticators(new StubAuthenticator.Factory())
+      .build()
+  }
+
+
+  def "should not add SMB2EncryptionCapabilities to SMB2NegotiateRequest if encryptData is false"() {
+    def r = _
+    given:
+    def config = buildConfig(SmbConfig.builder().withDialects(SMB2Dialect.SMB_3_1_1).withEncryptData(false), { req ->
+      req = req.packet
+      if (req instanceof SMB2NegotiateRequest) {
+        r = req
+        return null
+      }
+    })
+    def client = new SMBClient(config, bus)
+
+    when:
+    def connect = client.connect("localhost")
+
+    then:
+    r.negotiateContextList.size() == 1
+    r.negotiateContextList.get(0) instanceof SMB2PreauthIntegrityCapabilities
+  }
+
+  def "should add SMB2EncryptionCapabilities to SMB2NegotiateRequest if encryptData is true"() {
+    def r = _
+    given:
+    def config = buildConfig(SmbConfig.builder().withDialects(SMB2Dialect.SMB_3_1_1).withEncryptData(true), { req ->
+      req = req.packet
+      if (req instanceof SMB2NegotiateRequest) {
+        r = req
+        return null
+      }
+    })
+    def client = new SMBClient(config, bus)
+
+    when:
+    def connect = client.connect("localhost")
+
+    then:
+    r.negotiateContextList.size() == 2
+    r.negotiateContextList.get(0) instanceof SMB2PreauthIntegrityCapabilities
+    r.negotiateContextList.get(1) instanceof SMB2EncryptionCapabilities
+  }
+
+}