Class SMB3DecryptingPacketHandler

  • All Implemented Interfaces:
    IncomingPacketHandler

    public class SMB3DecryptingPacketHandler
    extends AbstractIncomingPacketHandler

    3.2.5.1.1 Decrypting the Message

    This section is applicable for only the SMB 3.x dialect family.<149>

    The client MUST perform the following:

    If the size of the message received from the server is not greater than the size of SMB2 TRANSFORM_HEADER as specified in section 2.2.41, the client MUST discard the message.

    If the Flags/EncryptionAlgorithm in the SMB2 TRANSFORM_HEADER is not 0x0001, the client MUST discard the message.

    The client MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 TRANSFORM_HEADER of the response. If the session is not found, the response MUST be discarded.

    The client MUST decrypt the message using Session.DecryptionKey. If Connection.Dialect is "3.1.1", the algorithm specified by Connection.CipherId is used. Otherwise, the AES-128-CCM algorithm is used. The client passes in the Nonce, OriginalMessageSize, Flags/EncryptionAlgorithm, and SessionId fields of the SMB2 TRANSFORM_HEADER and the encrypted SMB2 message as the Optional Authenticated Data input for the algorithm. If decryption succeeds, the client MUST compare the signature in the SMB2 TRANSFORM_HEADER with the signature returned by the decryption algorithm. If signature verification fails, the client MUST fail the application request with an implementation-specific error.

    If signature verification succeeds, the client MUST perform the following:

    • If ProtocolId in the header of the decrypted message is 0x424d53FD indicating a nested encrypted message, the client MUST disconnect the connection.
    • If ProtocolId in the header of the decrypted message is 0x424d53FC indicating a nested compressed message, the client MUST decompress the message as specified in section 3.2.5.1.10.

      If decompression succeeds, the client MUST further validate the message:

      • If the NextCommand field in the first SMB2 header of the message is equal to 0 and the SessionId of the first SMB2 header is not equal to the SessionId field in the SMB2 TRANSFORM_HEADER of the response, the client MUST discard the message.
      • For each response in a compounded response, if the SessionId field of the SMB2 header is not equal to the SessionId field in the SMB2 TRANSFORM_HEADER, the client SHOULD<150> discard the entire compounded response and stop processing.
    • If ProtocolId in the header of the decrypted message is 0x424d53FE indicating an SMB2 header, the client MUST further validate the decrypted message:
      • If the NextCommand field in the first SMB2 header of the message is equal to 0 and the SessionId of the first SMB2 header is not equal to the SessionId field in the SMB2 TRANSFORM_HEADER of the response, the client MUST discard the message.
      • For each response in a compounded response, if the SessionId field of the SMB2 header is not equal to the SessionId field in the SMB2 TRANSFORM_HEADER, the client SHOULD<151> discard the entire compounded response and stop processing.
    • Otherwise, the client MUST disconnect the connection.
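The receive-side checks above, as an added worked example in Python that is not code from this page or from the library this class belongs to: it unpacks the 52-byte SMB2 TRANSFORM_HEADER, applies the pre-decryption checks, hands the ciphertext plus the header bytes after the Signature (the Optional Authenticated Data) to an injected decrypt callable, and then runs the ProtocolId and SessionId validation over single and compounded responses. Field offsets follow MS-SMB2 2.2.41 and the 64-byte SMB2 header; the decrypt and decompress callables and the "discard" outcome for a failed decompression are assumptions of this example.

```python
import struct
# MS-SMB2 2.2.41: 52-byte TRANSFORM_HEADER; ProtocolId = leading 4 bytes as LE uint32
TRANSFORM_HEADER_LEN = 52
PROTOCOL_SMB2 = 0x424D53FE        # 0xFE 'S' 'M' 'B'
PROTOCOL_TRANSFORM = 0x424D53FD   # 0xFD 'S' 'M' 'B' (nested encryption)
PROTOCOL_COMPRESSED = 0x424D53FC  # 0xFC 'S' 'M' 'B' (compressed message)
FLAGS_ENCRYPTED = 0x0001          # Flags/EncryptionAlgorithm must be 0x0001

def session_ids_match(plain, expected):
    """Walk SMB2 headers via NextCommand (offset 20); every SessionId
    (offset 40) must equal the TRANSFORM_HEADER SessionId, else discard."""
    off = 0
    while off + 64 <= len(plain):
        next_cmd, = struct.unpack_from("<I", plain, off + 20)
        sess, = struct.unpack_from("<Q", plain, off + 40)
        if sess != expected:
            return False
        if next_cmd == 0:
            return True
        off += next_cmd
    return False  # truncated header: nothing to accept

def handle_encrypted(buf, session_table, decrypt, decompress):
    """Client checks of 3.2.5.1.1. session_table maps SessionId to the key;
    decrypt(key, nonce, ciphertext, aad, signature) -> plaintext or None on
    tag failure (assumed API); decompress(msg) -> SMB2 message or None."""
    if len(buf) <= TRANSFORM_HEADER_LEN:
        return "discard", None
    (_pid, signature, nonce, _orig_size, _reserved, flags,
     session_id) = struct.unpack_from("<I16s16sIHHQ", buf)
    if flags != FLAGS_ENCRYPTED:
        return "discard", None
    key = session_table.get(session_id)
    if key is None:
        return "discard", None
    # AAD: every header byte after the 16-byte Signature (the AEAD tag)
    aad = buf[20:TRANSFORM_HEADER_LEN]
    plain = decrypt(key, nonce, buf[TRANSFORM_HEADER_LEN:], aad, signature)
    if plain is None:
        return "fail", None  # signature verification failed
    inner_id, = struct.unpack_from("<I", plain)
    if inner_id == PROTOCOL_COMPRESSED:
        plain = decompress(plain)  # 3.2.5.1.10; None assumed to mean discard
        if plain is None:
            return "discard", None
    elif inner_id != PROTOCOL_SMB2:
        return "disconnect", None  # nested encryption or unknown ProtocolId
    if not session_ids_match(plain, session_id):
        return "discard", None
    return "accept", plain
```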