private void NegotiateWithEncryptionCapabilitiesContext(EncryptionAlgorithm cipherId)
{
if (cipherId == EncryptionAlgorithm.ENCRYPTION_NONE)
{
throw new ArgumentException("CipherId should be either AES-128-CCM or AES-128-GCM.");
}
#region Check Applicability
TestConfig.CheckDialect(DialectRevision.Smb311);
TestConfig.CheckCapabilities(NEGOTIATE_Response_Capabilities_Values.GLOBAL_CAP_ENCRYPTION);
TestConfig.CheckEncryptionAlgorithm(cipherId);
#endregion
BaseTestSite.Log.Add(
LogEntryKind.TestStep,
"Client sends NEGOTIATE request with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context. {0} is as the preferred cipher algorithm. ", cipherId);
BaseTestSite.Log.Add(
LogEntryKind.TestStep,
"Server should reply NEGOTIATE response with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context and {0} as cipher algorithm. ", cipherId);
PreauthIntegrityHashID[] preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 };
EncryptionAlgorithm[] encryptionAlgs = new EncryptionAlgorithm[] {
cipherId,
cipherId == EncryptionAlgorithm.ENCRYPTION_AES128_CCM? EncryptionAlgorithm.ENCRYPTION_AES128_GCM : EncryptionAlgorithm.ENCRYPTION_AES128_CCM
};
client.NegotiateWithContexts(
Packet_Header_Flags_Values.NONE,
TestConfig.RequestDialects,
capabilityValue: Capabilities_Values.GLOBAL_CAP_DIRECTORY_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_ENCRYPTION,
preauthHashAlgs: preauthHashAlgs,
encryptionAlgs: encryptionAlgs);
BaseTestSite.Assert.AreEqual(cipherId, client.SelectedCipherID, "The selected Cipher Id should be {0}", cipherId);
}
public void Signing_VerifyAesGmacSigning()
{
#region Check Applicability
TestConfig.CheckDialect(DialectRevision.Smb311);
TestConfig.CheckSigning();
#endregion
var signingAlgorithms = new SigningAlgorithm[] { SigningAlgorithm.AES_GMAC };
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends NEGOTIATE with the Aes-GMAC signing algorithm and NEGOTIATE_SIGNING_REQUIRED.");
client.NegotiateWithContexts(
Packet_Header_Flags_Values.NONE,
Smb2Utility.GetDialects(DialectRevision.Smb311),
SecurityMode_Values.NEGOTIATE_SIGNING_REQUIRED,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
compressionFlags: SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE,
signingAlgorithms: signingAlgorithms,
checker: (Packet_Header header, NEGOTIATE_Response response) =>
{
BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_SUCCESS, header.Status, "SUT MUST return STATUS_SUCCESS if the negotiation finished successfully.");
});
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends SESSION_SETUP request and expects response.");
client.SessionSetup(
TestConfig.DefaultSecurityPackage,
TestConfig.SutComputerName,
TestConfig.AccountCredential,
TestConfig.UseServerGssToken,
SESSION_SETUP_Request_SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED);
string uncSharepath =
Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare);
uint treeId;
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends TREE_CONNECT to share: {0}", uncSharepath);
client.TreeConnect(
uncSharepath,
out treeId,
(Packet_Header header, TREE_CONNECT_Response response) =>
{
BaseTestSite.Assert.AreEqual(
Smb2Status.STATUS_SUCCESS,
header.Status,
"TreeConnect should succeed, actually server returns {0}.", Smb2Status.GetStatusCode(header.Status));
BaseTestSite.Assert.AreEqual(
Packet_Header_Flags_Values.FLAGS_SIGNED,
Packet_Header_Flags_Values.FLAGS_SIGNED & header.Flags,
"Server should set SMB2_FLAGS_SIGNED bit in the Flags field of the SMB2 header");
});
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Tear down the client by sending the following requests: TREE_DISCONNECT; LOG_OFF");
client.TreeDisconnect(treeId);
client.LogOff();
}
public void Negotiate_SMB311_WithoutAnyContexts()
{
if (TestConfig.MaxSmbVersionSupported < DialectRevision.Smb311)
{
BaseTestSite.Assert.Inconclusive("Stop to run this test case because the configured server max dialect is lower than 3.11.");
}
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Send Negotiate request with dialect SMB 3.11, and without any Negotiate Contexts.");
client.NegotiateWithContexts(
Packet_Header_Flags_Values.NONE,
Smb2Utility.GetDialects(DialectRevision.Smb311),
preauthHashAlgs: null,
encryptionAlgs: null,
checker: (Packet_Header header, NEGOTIATE_Response response) =>
{
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Verify server fails the negotiate request with STATUS_INVALID_PARAMETER.");
BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_INVALID_PARAMETER, header.Status,
"[MS-SMB2] 3.3.5.4 If the negotiate context list does not contain exactly one SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context, " +
"then the server MUST fail the negotiate request with STATUS_INVALID_PARAMETER.");
});
}
private void NegotiateWithEncryptionCapabilitiesContext(EncryptionAlgorithm cipherId, bool sendCipherArray = false)
{
if (cipherId == EncryptionAlgorithm.ENCRYPTION_NONE)
{
throw new ArgumentException("CipherId should be either AES-128-CCM or AES-128-GCM.");
}
#region Check Applicability
TestConfig.CheckDialect(DialectRevision.Smb311);
TestConfig.CheckCapabilities(NEGOTIATE_Response_Capabilities_Values.GLOBAL_CAP_ENCRYPTION);
TestConfig.CheckEncryptionAlgorithm(cipherId);
#endregion
BaseTestSite.Log.Add(
LogEntryKind.TestStep,
"Client sends NEGOTIATE request with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context. {0} is as the preferred cipher algorithm. ", cipherId);
BaseTestSite.Log.Add(
LogEntryKind.TestStep,
"Server should reply NEGOTIATE response with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context and {0} as cipher algorithm. ", cipherId);
PreauthIntegrityHashID[] preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 };
EncryptionAlgorithm[] encryptionAlgs = null;
if (sendCipherArray)
{
encryptionAlgs = new EncryptionAlgorithm[] {
cipherId,
cipherId == EncryptionAlgorithm.ENCRYPTION_AES128_CCM? EncryptionAlgorithm.ENCRYPTION_AES128_GCM : EncryptionAlgorithm.ENCRYPTION_AES128_CCM
};
}
else
{
encryptionAlgs = new EncryptionAlgorithm[] { cipherId };
}
client.NegotiateWithContexts(
Packet_Header_Flags_Values.NONE,
TestConfig.RequestDialects,
capabilityValue: Capabilities_Values.GLOBAL_CAP_DIRECTORY_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_ENCRYPTION,
preauthHashAlgs: preauthHashAlgs,
encryptionAlgs: encryptionAlgs);
if (sendCipherArray)
{
BaseTestSite.Assert.IsTrue(
TestConfig.SupportedEncryptionAlgorithmList.Contains(client.SelectedCipherID),
"[MS-SMB2] 3.3.5.4 The server MUST set Connection.CipherId to one of the ciphers in the client's " +
"SMB2_ENCRYPTION_CAPABILITIES Ciphers array in an implementation-specific manner.");
}
else
{
BaseTestSite.Assert.AreEqual(cipherId, client.SelectedCipherID, "The selected Cipher Id should be {0}", cipherId);
}
}
private void CreateTestFile(CompressionAlgorithm[] compressionAlgorithms, bool enableEncryption, out uint treeId, out FILEID fileId, bool enableChainedCompression = false)
{
var capabilities = Capabilities_Values.NONE;
if (enableEncryption)
{
capabilities |= Capabilities_Values.GLOBAL_CAP_ENCRYPTION;
}
EncryptionAlgorithm[] encryptionAlgorithms = null;
if (enableEncryption)
{
encryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.ENCRYPTION_AES128_CCM, EncryptionAlgorithm.ENCRYPTION_AES128_GCM };
}
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Starts a client by sending the following requests: NEGOTIATE; SESSION_SETUP; TREE_CONNECT.");
client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite);
client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress);
client.NegotiateWithContexts(
Packet_Header_Flags_Values.NONE,
TestConfig.RequestDialects,
preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 },
encryptionAlgs: encryptionAlgorithms,
compressionAlgorithms: compressionAlgorithms,
compressionFlags: enableChainedCompression ? SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED : SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE,
capabilityValue: capabilities,
checker: (Packet_Header header, NEGOTIATE_Response response) =>
{
BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_SUCCESS, header.Status, "SUT MUST return STATUS_SUCCESS if the negotiation finished successfully.");
if (TestConfig.IsWindowsPlatform)
{
CheckCompressionAlgorithmsForWindowsImplementation(compressionAlgorithms);
}
else
{
bool isExpectedNonWindowsCompressionContext = Enumerable.SequenceEqual(client.Smb2Client.CompressionInfo.CompressionIds, compressionAlgorithms);
{
BaseTestSite.Assert.IsTrue(isExpectedNonWindowsCompressionContext, "[MS-SMB2] section 3.3.5.4: Non-Windows implementation MUST set CompressionAlgorithms to the CompressionIds in request if they are all supported by SUT.");
}
}
});
client.SessionSetup(
TestConfig.DefaultSecurityPackage,
TestConfig.SutComputerName,
TestConfig.AccountCredential,
TestConfig.UseServerGssToken);
if (enableEncryption)
{
client.EnableSessionSigningAndEncryption(enableSigning: false, enableEncryption: true);
}
client.TreeConnect(uncSharePath, out treeId);
BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends CREATE request with desired access set to GENERIC_READ and GENERIC_WRITE to create a file.");
Smb2CreateContextResponse[] serverCreateContexts;
string fileName = GetTestFileName(uncSharePath);
client.Create(
treeId,
fileName,
CreateOptions_Values.FILE_NON_DIRECTORY_FILE,
out fileId,
out serverCreateContexts,
accessMask: AccessMask.GENERIC_READ | AccessMask.GENERIC_WRITE
);
}
