On Win10(client) to Win7(server) machines, SMB transfer shows for unaccounted 64 bytes in NegotiateRequest PDU

  • Question

  • Hi,

    I am currently testing with a Win10 client machine talking to a Windows 7 server machine.

    I see that when the Win10 client machine sends a NegotiateRequest, after the variable dialects, there are 64 bytes of unaccounted bytes shown in Wireshark.

    So the bytes are

    Structure Size - 2 bytes

    Dialect Count - 2 bytes

    Security Mode - 2 bytes

    Reserved - 2 bytes

    Capabilities - 4 bytes

    Client GUID - 16 bytes

    ClientStartTime - 8 bytes

    Dialects(variable) - <see the dialects here>

    <64 bytes of unaccounted bytes in wireshark>

    What are these 64 bytes?  Are these some other protocol?  Are they pad?  I see that these extra 64 bytes after NegotiateRequest PDU are accounted in the upper layer nbss_len.

    The SMB specification doesn't have mention of any data after the dialects(variable) in the NegotiateRequest PDU.

    From a padding perspective, 64 bytes of padding sounds suspicious.  So I am wondering if they are some valid bytes introduced in Win10, which we don't know about.

    I am wondering what these 64 bytes are.

    I can share the pcap if needed.

    Wednesday, September 2, 2015 12:51 PM

Answers

  • Cressnet,

    Thank you for reaching out and sending the network trace. SMB2 Negotiate has been extended in SMB 3.1.1 dialect introduced in Windows 10.  Negotiate contexts have been added, similar to the notion of Create contexts. This is documented in MS-SMB2 (see reference).

    If the client sends 0x0311 dialect, it must send pre-authentication integrity negotiate context. Encryption capability negotiate context is also offered by default by Windows 10 client. The client does know beforehand what dialect the server is capable of, so it sends everything it supports.

    The receiver should ignore unknown negotiate contexts.

    A server implementation should not hard code request length, rather cast to the structure after it passes the transport layer. That way, a server SKU does not need to worry about what was added in the end of a given packet. It does its cast and will only process relevant fields/data that are meaningful for its dialect.

    See 2014 SNIA SDC and MS-SMB2 references.

    Reviewing your trace, if you parse with Microsoft Network Monitor you see padding of 64 bytes because the parser does not include the changes in SMB 3.1.1.

    However, Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=44226) can parse SMB 3.1.1 and shows the correct field layout as shown below.

    Microsoft Network Monitor

    + SMBOverTCP: Length = 174

    - SMB2: C   NEGOTIATE (0x0), ClientGUID= {A73C3758-5011-11E5-9BD8-ECF4BB1AAE9D},

        SMBIdByte: 254 (0xFE)

        SMBIdentifier: SMB

      + SMB2Header: C NEGOTIATE (0x0),TID=0x0000, MID=0x0001, PID=0xFEFF, SID=0x0000

      - CNegotiate:

         StructureSize: 36 (0x24)

         DialectCount: 5 (0x5)

       + SecurityMode: 1 (0x1)

         Reserved: 0 (0x0)

       + Capabilities: 0x7F

         ClientGuid: {A73C3758-5011-11E5-9BD8-ECF4BB1AAE9D}

         ClientStartTime: 01/01/1601, 00:14:18.993470 UTC

       - Dialects:

          Dialects: 514 (0x202)

          Dialects: 528 (0x210)

          Dialects: 768 (0x300)

          Dialects: 770 (0x302)

          Dialects: 785 (0x311)

        padding: Binary Large Object (64 Bytes)

    With the introduction of Dialect 0x311, a padding and negotiate contexts are added accordingly.

    Note that in relation to the Negotiate contexts, some unused fields in negotiate request/response have been repurposed as NegotiateContextOffset and NegotiateContextCount fields.

    New Dialect added in Dialects array: 11 03

    What you named (unaccounted 64 bytes) is actually these fields (see Message Analyzer parsing and MS-SMB2 for full layout reference):

    Padding: 00 00

    NegotiateContextList:  01 00 26 00 00 00

    00 00 01 00 20 00 01 00 A4 F3 38 41 B6 B4 59 A5

    8F AA 91 FC 33 D4 15 23 46 53 EC 5F 4A 35 61 6E

    90 5A C6 FF 6D EE EA 9A 00 00 02 00 06 00 00 00

    00 00 02 00 02 00 01 00

    Microsoft Message Analyzer

    http://www.microsoft.com/en-us/download/details.aspx?id=44226

    Name   Value   Bit Offset        Bit Length       Type   

    Header Command: SMB2Negotiate, SessionId: 0x0000000000000000, TreeId: 0x00000000, MessageId: 0x0000000000000001, Credit: 0x0000, CreditCharge: 0x0000        0          512      SMB2.SMB2PacketHeader           

    Request           Dialects: [SMB 2.0.2, SMB 2.1, SMB 3.0, SMB 3.0.2, SMB 3.1.1], Capabilities: SMB2GlobalCapDfs|SMB2GlobalCapLeasing|SMB2GlobalCapLargeMtu|SMB2GlobalCapMultiChannel|SMB2GlobalCapPersistentHandles|SMB2GlobalCapDirectoryLeasing|SMB2GlobalCapEncryption, ClientGuid: {a73c3758-5011-11e5-9bd8-ecf4bb1aae9d}     512      880      SMB2.SMB2NegotiateRequest           

    StructureSize   36        512      16        UInt16

    DialectCount   5          528      16        UInt16

    SecurityMode SMB2NegotiateSigningEnabled(1)    544      16        SMB2NegotiateRequestSecurityMode           

    Reserved         0          560      16        UInt16

    Capabilities SMB2GlobalCapDfs|SMB2GlobalCapLeasing|SMB2GlobalCapLargeMtu|SMB2GlobalCapMultiChannel|SMB2GlobalCapPersistentHandles|SMB2GlobalCapDirectoryLeasing|SMB2GlobalCapEncryption(127)            576      32        SMB2NegotiateRequestCapabilities 

    ClientGuid      a73c3758-5011-11e5-9bd8-ecf4bb1aae9d     608      128      Guid   

    NegotiateContextOffset         112      736      32        UInt32

    NegotiateContextCount         2          768      16        UInt16

    Reserved2       0          784      16        UInt16

    Dialects [SMB2002DialectRevisionNumber,SMB21DialectRevisionNumber,SMB30DialectRevisionNumber,SMB302DialectRevisionNumber,SMB311DialectRevisionNumber]            800      80        ArrayValue`1 

    [0]        SMB2002DialectRevisionNumber(514)                                 UInt16

    [1]        SMB21DialectRevisionNumber(528)                                     UInt16

    [2]        SMB30DialectRevisionNumber(768)                                     UInt16

    [3]        SMB302DialectRevisionNumber(770)                                   UInt16

    [4]        SMB311DialectRevisionNumber(785)                                   UInt16

    Padding           binary[0,0]       880      16        BinaryValue   

    NegotiateContextList [SMB2NegotiateContext{ContextType=1,DataLength=38,Reserved=0,Data=SMB2PreauthIntegrityCapabilities{HashAlgorithmCount=1,SaltLength=32,HashAlgorithms=[1],Salt=binary[164,243,56,65,182,180,89,165,143,170,145,252,51,212,21,35,70,83,236,95,74,53,97,110,144,90,198,255,109,238,234,154]},Padding=binary[0,0]},SMB2NegotiateContext{ContextType=2,DataLength=6,Reserved=0,Data=SMB2EncryptionCapabilities{CipherCount=2,Ciphers=[2,1]},Padding=nothing}]            896      496      ArrayValue`1 

    [0] SMB2NegotiateContext{ContextType=1,DataLength=38,Reserved=0,Data=SMB2PreauthIntegrityCapabilities{HashAlgorithmCount=1,SaltLength=32,HashAlgorithms=[1],Salt=binary[164,243,56,65,182,180,89,165,143,170,145,252,51,212,21,35,70,83,236,95,74,53,97,110,144,90,198,255,109,238,234,154]},Padding=binary[0,0]}                                    SMB2.SMB2NegotiateContext        

    ContextType   SMB2_PREAUTH_INTEGRITY_CAPABILITIES(1)        896      16            SMB2NegotiateContextContextType

    DataLength     38        912      16        UInt16

    Reserved         0          928      32        UInt32

    Data SMB2PreauthIntegrityCapabilities{HashAlgorithmCount=1,SaltLength=32,HashAlgorithms=[1],Salt=binary[164,243,56,65,182,180,89,165,143,170,145,252,51,212,21,35,70,83,236,95,74,53,97,110,144,90,198,255,109,238,234,154]}            960      304      SMB2.SMB2PreauthIntegrityCapabilities    

    HashAlgorithmCount 1          960      16        UInt16

    SaltLength      32        976      16        UInt16

    HashAlgorithms          [SHA-512]      992      16        ArrayValue`1 

    Salt binary[164,243,56,65,182,180,89,165,143,170,145,252,51,212,21,35,70,83,236,95,74,53,97,110,144,90,198,255,109,238,234,154]            1008    256      BinaryValue   

    Padding           binary[0,0]       1264    16        BinaryValue   

    [1] SMB2NegotiateContext{ContextType=2,DataLength=6,Reserved=0,Data=SMB2EncryptionCapabilities{CipherCount=2,Ciphers=[2,1]},Padding=nothing}                                    SMB2.SMB2NegotiateContext        

    ContextType   SMB2_ENCRYPTION_CAPABILITIES(2) 1280    16            SMB2NegotiateContextContextType

    DataLength     6          1296    16        UInt16

    Reserved         0          1312    32        UInt32

    Data    SMB2EncryptionCapabilities{CipherCount=2,Ciphers=[2,1]}         1344    48            SMB2.SMB2EncryptionCapabilities 

    CipherCount   2          1344    16        UInt16

    Ciphers            [AES128GCM,AES128CCM]           1360    32        ArrayValue`1 

    This has been discussed at 2014 SNIA SDC: Implementations are expected to handle Negotiate requests larger than SMB2_Header + SMB2_REQ_Negotiate + Dialects array. The receiver should ignore unknown negotiate contexts.

    Slide 7 of 2014 SNIA SDC presentation: Introduction to SMB 3.1

    http://www.snia.org/sites/default/files/DavidKruse_Kramer_%20Introduction_to_SMB-3-1_Rev.pdf

    MS-SMB2

    https://msdn.microsoft.com/en-us/library/cc246482.aspx

    2.2.3      SMB2 NEGOTIATE Request

    Dialects (variable): An array of one or more 16-bit integers specifying the supported dialect revision numbers. The array MUST contain at least one of the following values. <11>      

      

    Value     Meaning
    0x0202    SMB 2.0.2 dialect revision number.
    0x0210    SMB 2.1 dialect revision number.<12>
    0x0300    SMB 3.0 dialect revision number.<13>
    0x0302    SMB 3.0.2 dialect revision number.<14>
    0x0311    SMB 3.1.1 dialect revision number.<15>

    Padding (variable): Optional padding between the end of the Dialects array and the first negotiate context in NegotiateContextList so that the first negotiate context is 8-byte aligned.

    NegotiateContextList (variable): If the Dialects field contains 0x0311, then this field will contain an array of SMB2 NEGOTIATE_CONTEXTs. The first negotiate context in the list MUST appear at the byte offset indicated by the SMB2 NEGOTIATE request's NegotiateContextOffset field. Subsequent negotiate contexts MUST appear at the first 8-byte-aligned offset following the previous negotiate context.

    3.2.4.2.2.2           SMB2-Only Negotiate

    • If the client implements the SMB 3.1.1 dialect, it MUST do the following:
      • Set NegotiateContextOffset to 0.
      • Set NegotiateContextCount to 0.
      • Add optional padding after Dialects array to make the next field 8-byte aligned.
      • Add an SMB2 NEGOTIATE_CONTEXT with ContextType as SMB2_PREAUTH_INTEGRITY_CAPABILITIES to the negotiate request as specified in section 2.2.3.1:
        • Increment NegotiateContextCount by 1
        • Set NegotiateContextOffset to the offset of the SMB2 NEGOTIATE_CONTEXT added above.
        • The SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context's Salt buffer SHOULD <106> be initialized to an implementation-specific number of bytes generated for this request by a cryptographically secure pseudo-random number generator.
      • If the client supports encryption, it MUST do the following:
        • Increment NegotiateContextCount by 1.
        • Add an SMB2_NEGOTIATE_CONTEXT with ContextType as SMB2_ENCRYPTION_CAPABILITIES to the negotiate request as specified in section 2.2.3.1 and initialize the Ciphers field with the ciphers supported by the client in the order of preference.<107>

    3.3.5.4   Receiving an SMB2 NEGOTIATE Request

    If the Connection.Dialect is "3.1.1", then the server must process the negotiate context list that is specified by the request's NegotiateContextOffset and NegotiateContextCount fields as follows:

    • Processing the SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context:
      • If the negotiate context list does not contain exactly one SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context, then the server MUST fail the negotiate request with STATUS_INVALID_PARAMETER.
      • If the SMB2_PREAUTH_INTEGRITY_CAPABILITIES HashAlgorithms array does not contain any hash algorithms that the server supports, then the server MUST fail the negotiate request with STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP (0xC05D0000).
      • The server MUST set Connection.PreauthIntegrityHashId to one of the hash algorithms in the client's SMB2_PREAUTH_INTEGRITY_CAPABILITIES HashAlgorithms array. When more than one hash algorithm is supported by the server, the policy for selecting a hash algorithm from the set of hash algorithms that the client and server support is implementation-dependent.
      • The server MUST initialize Connection.PreauthIntegrityHashValue with zero.
      • The server MUST generate a hash using the Connection.PreauthIntegrityHashId algorithm on the string constructed by concatenating Connection.PreauthIntegrityHashValue and the negotiate request message, including all bytes from the request's SMB2 header to the last byte received from the network. The server MUST set Connection.PreauthIntegrityHashValue to the hash value generated above.
    • Processing the SMB2_ENCRYPTION_CAPABILITIES negotiate context:
      • If the negotiate context list contains more than one SMB2_ENCRYPTION_CAPABILITIES negotiate context, then the server MUST fail the negotiate request with STATUS_INVALID_PARAMETER.
      • The server MUST set Connection.CipherId to one of the ciphers in the client's SMB2_ENCRYPTION_CAPABILITIES Ciphers array in an implementation-specific manner. If the client and server have no common cipher, then the server must set Connection.CipherId to 0.

    Thanks,

    Edgar


    Wednesday, September 2, 2015 7:01 PM
    Moderator
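
The layout described in the answer above, as an added example (not part of the original thread and not Microsoft's code): a bounds-checked Python parser for the SMB2 NEGOTIATE request that reads NegotiateContextOffset/NegotiateContextCount, walks the 8-byte-aligned context list, skips unknown contexts and applies the "exactly one preauth context" rule. The function names, the `server_max` parameter (a simplified dialect selection) and the zeroed header fields are assumptions; the sample packet is rebuilt from the field values and the 64 trailing bytes quoted in the answer.

```python
import hashlib
import struct
import uuid

HDR = 64                      # SMB2 header length in bytes
PREAUTH, ENCRYPTION = 1, 2    # ContextType values seen in the trace

class NegotiateError(ValueError):
    """Request the receiver fails (STATUS_INVALID_PARAMETER in MS-SMB2)."""

def _preauth(data):
    if len(data) < 4:
        raise NegotiateError("preauth context too short")
    n, salt_len = struct.unpack_from("<HH", data)
    if 4 + 2 * n + salt_len > len(data):
        raise NegotiateError("preauth counts exceed DataLength")
    return {"hash_algorithms": struct.unpack_from("<%dH" % n, data, 4),
            "salt": data[4 + 2 * n:4 + 2 * n + salt_len]}

def _ciphers(data):
    if len(data) < 2:
        raise NegotiateError("encryption context too short")
    (n,) = struct.unpack_from("<H", data)
    if 2 + 2 * n > len(data):
        raise NegotiateError("CipherCount exceeds DataLength")
    return struct.unpack_from("<%dH" % n, data, 2)

def parse_negotiate(msg, server_max=0x0311):
    """Bounds-checked parse of one SMB2 NEGOTIATE request, header included."""
    if len(msg) < HDR + 36 or msg[:4] != b"\xfeSMB":
        raise NegotiateError("not an SMB2 NEGOTIATE request")
    size, count, _mode, _rsvd, caps = struct.unpack_from("<HHHHI", msg, HDR)
    dia_end = HDR + 36 + 2 * count
    if size != 36 or count == 0 or dia_end > len(msg):
        raise NegotiateError("bad StructureSize or DialectCount")
    dialects = struct.unpack_from("<%dH" % count, msg, HDR + 36)
    usable = [d for d in dialects if d <= server_max]
    if not usable:
        raise NegotiateError("no dialect in common")
    out = {"dialects": dialects, "selected": max(usable), "capabilities": caps,
           "client_guid": uuid.UUID(bytes_le=bytes(msg[HDR + 12:HDR + 28])),
           "context_offset": None, "preauth": None, "ciphers": (), "unknown": []}
    if out["selected"] != 0x0311:
        return out   # older dialect: bytes after Dialects are never interpreted
    # 3.1.1 reuses the old ClientStartTime bytes: offset (4), count (2), Reserved2 (2)
    pos, ctx_count, _rsvd2 = struct.unpack_from("<IHH", msg, HDR + 28)
    if pos % 8 or pos < dia_end:
        raise NegotiateError("NegotiateContextOffset misaligned or inside Dialects")
    out["context_offset"] = pos
    seen = {PREAUTH: 0, ENCRYPTION: 0}
    for _ in range(ctx_count):
        if pos + 8 > len(msg):
            raise NegotiateError("context header past end of message")
        ctype, dlen, _r = struct.unpack_from("<HHI", msg, pos)
        data = bytes(msg[pos + 8:pos + 8 + dlen])
        if len(data) != dlen:
            raise NegotiateError("DataLength past end of message")
        if ctype == PREAUTH:
            out["preauth"] = _preauth(data)
        elif ctype == ENCRYPTION:
            out["ciphers"] = _ciphers(data)
        else:
            out["unknown"].append(ctype)   # unknown contexts are skipped
        seen[ctype] = seen.get(ctype, 0) + 1
        pos = (pos + 8 + dlen + 7) & ~7    # next context is 8-byte aligned
    if seen[PREAUTH] != 1 or seen[ENCRYPTION] > 1:
        raise NegotiateError("need exactly one preauth, at most one encryption context")
    return out

def preauth_hash(msg, previous=b"\x00" * 64):
    # SHA-512 over the previous hash value plus every byte of the message
    return hashlib.sha512(previous + bytes(msg)).digest()

def sample_request():
    """Rebuild the 174-byte request: Command=0, MID=1, PID=0xFEFF, rest assumed zero."""
    header = struct.pack("<4sH6xHH8xQI28x", b"\xfeSMB", 64, 0, 0, 1, 0xFEFF)
    fixed = struct.pack("<HHHHI", 36, 5, 1, 0, 0x7F)
    fixed += uuid.UUID("a73c3758-5011-11e5-9bd8-ecf4bb1aae9d").bytes_le
    fixed += struct.pack("<IHH", 112, 2, 0)
    dialects = struct.pack("<5H", 0x0202, 0x0210, 0x0300, 0x0302, 0x0311)
    tail = bytes.fromhex(   # the 64 "unaccounted" bytes quoted in the answer
        "0000" "0100260000000000" "010020000100"
        "a4f33841b6b459a58faa91fc33d415234653ec5f4a35616e905ac6ff6deeea9a"
        "0000" "0200060000000000" "020002000100")
    return header + fixed + dialects + tail
```

Read as a 64-bit FILETIME, the offset and count bytes (112 and 2) give 8589934704 × 100 ns, which is the 01/01/1601 00:14:18.993470 value Network Monitor displays as ClientStartTime.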

All replies

  • Hi Cressnet,

    I'm with the Protocols team.  Can you send your trace to "dochelp (at) Microsoft (dot) com"?


    Bryan S. Burgin Senior Escalation Engineer Microsoft Protocol Open Specifications Team

    Wednesday, September 2, 2015 2:23 PM
    Moderator
  • Hi cressnet,
    Thank you for your inquiry about Filesharing protocols. We have created an incident for investigating this issue. One of the Open specifications team members will contact you shortly.

     
    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open specifications
    Wednesday, September 2, 2015 3:40 PM
    Moderator
  • Hi all,

    I have mailed the pcap.  The pcap contains only 1 packet, which is the offending packet.

    Thanks for the time.

    Wednesday, September 2, 2015 4:56 PM
  • Thank you for the detailed answer.  That answers my question.
    Monday, September 14, 2015 4:52 AM