コード例 #1
 /// <summary>
 /// Constrains the response to be signed when the client signed the request
 /// (MS-SMB2 section 3.3.4.1.1, which the logged requirement text words as SHOULD).
 /// </summary>
 /// <remarks>
 /// Only the signed-flag state reported for the response is constrained; nothing in this
 /// method checks a signature value. The zero-TreeId part of the first logged condition is
 /// not represented by any parameter. Both conditions place the same constraint on the
 /// response and differ only in the requirement text that is logged. An unsigned request
 /// logs nothing and places no constraint.
 /// </remarks>
 /// <param name="status">Status of the response; not read by this method.</param>
 /// <param name="request">The outstanding request that the response answers.</param>
 /// <param name="sessionId">Whether the response carries a zero or a nonzero SessionId.</param>
 /// <param name="signingFlagType">Signed-flag state observed on the response.</param>
 private static void VerifyResponseShouldSign(
     ModelSmb2Status status,
     SigningModelRequest request,
     SigningModelSessionId sessionId,
     SigningFlagType signingFlagType)
 {
     // An unsigned request places no signing constraint on the response.
     if (request.signingFlagType != SigningFlagType.SignedFlagSet)
     {
         return;
     }

     bool sessionDemandsSigning =
         sessionId == SigningModelSessionId.NonZeroSessionId && Session_SigningRequired;

     // Pick the requirement text for the condition that matched; the constraint is the same.
     string matchedCondition;
     if (sessionDemandsSigning)
     {
         matchedCondition =
             "\tIf the request was signed by the client, the response message being sent contains a nonzero SessionId and a zero TreeId in the SMB2 header, " +
             "and the session identified by SessionId has Session.SigningRequired equal to TRUE.";
     }
     else
     {
         matchedCondition =
             "\tIf the request was signed by the client, and the response is not an interim response to an asynchronously processed request.";
     }

     ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
     ModelHelper.Log(LogType.Requirement, matchedCondition);
     ModelHelper.Log(LogType.TestInfo, "The condition is met.");
     Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
 }
コード例 #2
        /// <summary>
        /// Model rule for a session setup response: applies the request-side signing checks,
        /// decides whether Session.SigningRequired becomes TRUE, constrains the signed flag of
        /// the response, and records the session as existing once the status is STATUS_SUCCESS.
        /// </summary>
        /// <param name="status">Status returned by the server.</param>
        /// <param name="sessionId">Whether the response carries a zero or a nonzero SessionId.</param>
        /// <param name="signingFlagType">Signed-flag state observed on the response.</param>
        /// <param name="sessionFlag">SessionFlags value tested for SESSION_FLAG_IS_GUEST.</param>
        /// <param name="c">Signing configuration; its IsServerSigningRequired must equal the model's.</param>
        public static void SessionSetupResponse(
            ModelSmb2Status status,
            SigningModelSessionId sessionId,
            SigningFlagType signingFlagType,
            SessionFlags_Values sessionFlag,
            SigningConfig c)
        {
            // The rule applies only to a connected model whose stored configuration agrees with c.
            Condition.IsTrue(State == ModelState.Connected);
            Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);

            SigningModelRequest sessionSetupRequest = ModelHelper.RetrieveOutstandingRequest <SigningModelRequest>(ref Request);

            // A request rejected by the signing checks ends the scenario: the model goes back to
            // Uninitialized and neither Session_SigningRequired nor Session_IsExisted is touched.
            if (!VerifySignature(status, sessionSetupRequest))
            {
                State = ModelState.Uninitialized;
                return;
            }

            // NOTE(review): the first operand tests the signed flag of the request header, while the
            // requirement text and the TestInfo line below describe SMB2_NEGOTIATE_SIGNING_REQUIRED in
            // SecurityMode. Confirm that using signingFlagType for that condition is intended.
            if (sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet ||
                (!sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST) &&
                 !Session_IsAnonymous &&
                 (Connection_ShouldSign || c.IsServerSigningRequired)))
            {
                ModelHelper.Log(LogType.Requirement,
                                "3.3.5.5.3: 5. Session.SigningRequired MUST be set to TRUE under the following conditions:");
                ModelHelper.Log(LogType.Requirement,
                                "\tIf the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request.");
                ModelHelper.Log(LogType.Requirement,
                                "\tIf the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field " +
                                "and Session.IsAnonymous is FALSE and either Connection.ShouldSign or global RequireMessageSigning is TRUE.");

                // Record every input of the decision so a failing run shows why signing became mandatory.
                ModelHelper.Log(LogType.TestInfo,
                                "SMB2_NEGOTIATE_SIGNING_REQUIRED is {0}set.", sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet ? "" : "not ");
                ModelHelper.Log(LogType.TestInfo,
                                "SMB2_SESSION_FLAG_IS_GUEST bit is {0}set.", sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST) ? "" : "not ");
                ModelHelper.Log(LogType.TestInfo, "Session.IsAnonymous is {0}.", Session_IsAnonymous);
                ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is {0}.", Connection_ShouldSign);
                ModelHelper.Log(LogType.TestInfo, "Global RequireMessageSigning is {0}.", c.IsServerSigningRequired);
                ModelHelper.Log(LogType.TestInfo, "So Session.SigningRequired is set to TRUE.");

                // From here on VerifySignature expects unsigned requests on this session to be refused.
                Session_SigningRequired = true;
            }

            // Runs after the update above, so it sees the new value of Session_SigningRequired.
            VerifyResponseShouldSign(status, sessionSetupRequest, sessionId, signingFlagType);

            Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);

            // The session is marked as existing only after the success constraint.
            Session_IsExisted = true;
        }
コード例 #3
        /// <summary>
        /// Model rule for a tree connect response: applies the request-side signing checks and,
        /// when the request passes them, constrains the signed flag of the response and
        /// requires STATUS_SUCCESS.
        /// </summary>
        /// <remarks>
        /// When the signing checks reject the request, the expected error status has already
        /// been constrained inside <c>VerifySignature</c> and nothing further is checked here.
        /// </remarks>
        /// <param name="status">Status returned by the server.</param>
        /// <param name="sessionId">Whether the response carries a zero or a nonzero SessionId.</param>
        /// <param name="signingFlagType">Signed-flag state observed on the response.</param>
        public static void TreeConnectResponse(ModelSmb2Status status, SigningModelSessionId sessionId, SigningFlagType signingFlagType)
        {
            Condition.IsTrue(State == ModelState.Connected);

            SigningModelRequest pendingRequest = ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);

            bool requestAccepted = VerifySignature(status, pendingRequest);
            if (requestAccepted)
            {
                VerifyResponseShouldSign(status, pendingRequest, sessionId, signingFlagType);

                Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
            }
        }
コード例 #4
        /// <summary>
        /// Models the request-side signing checks of section 3.3.5.2.4 and constrains the status
        /// the server is expected to return when one of them rejects the request.
        /// </summary>
        /// <remarks>
        /// Two rejections are modelled: a signed request when no session exists
        /// (STATUS_USER_SESSION_DELETED) and an unsigned request on an existing session that
        /// requires signing (STATUS_ACCESS_DENIED). There is no branch for a signed request
        /// whose signature fails validation, so that case is not covered by this method.
        /// </remarks>
        /// <param name="status">Status returned by the server for the request.</param>
        /// <param name="request">The outstanding request being answered.</param>
        /// <returns><c>false</c> when the request is expected to be rejected; otherwise <c>true</c>.</returns>
        private static bool VerifySignature(ModelSmb2Status status, SigningModelRequest request)
        {
            ModelHelper.Log(LogType.Requirement, "3.3.5.2.4: Verifying the Signature");

            SigningFlagType requestFlag = request.signingFlagType;

            if (requestFlag == SigningFlagType.SignedFlagSet)
            {
                ModelHelper.Log(
                    LogType.Requirement,
                    "If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server MUST verify the signature. ");
                ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is set in SMB2 header.");

                // A signed request needs a session to verify against; without one it must be refused.
                bool sessionMissing = !Session_IsExisted;
                if (sessionMissing)
                {
                    ModelHelper.Log(
                        LogType.Requirement,
                        "For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request. " +
                        "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " +
                        "with the error code STATUS_USER_SESSION_DELETED.");
                    ModelHelper.Log(LogType.TestInfo, "The session is not found.");
                    ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
                    Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED);
                    return false;
                }
            }
            else if (requestFlag == SigningFlagType.SignedFlagNotSet)
            {
                ModelHelper.Log(
                    LogType.Requirement,
                    "If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, " +
                    "the server MUST determine if the client failed to sign a packet that required it. " +
                    "The server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request.");
                ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is not set in the SMB2 header.");

                // An unsigned request on a session that requires signing is the refusal case.
                bool signingWasMandatory = Session_IsExisted && Session_SigningRequired;
                if (signingWasMandatory)
                {
                    ModelHelper.Log(
                        LogType.Requirement,
                        "If the session is found and Session.SigningRequired is equal to TRUE, the server MUST fail this request with STATUS_ACCESS_DENIED. ");
                    ModelHelper.Log(LogType.TestInfo, "The session is found and Session.SigningRequired is TRUE.");
                    ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
                    Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
                    return false;
                }
            }

            return true;
        }
コード例 #5
        /// <summary>
        /// Model rule for a negotiate response: a signed NEGOTIATE request must be refused with
        /// STATUS_INVALID_PARAMETER; otherwise the rule records Connection.ShouldSign and
        /// constrains the signing bits the server reports in SecurityMode.
        /// </summary>
        /// <param name="status">Status returned by the server.</param>
        /// <param name="signingEnabledType">Signing-enabled state reported by the server; must be SigningEnabledSet.</param>
        /// <param name="signingRequiredType">Signing-required state reported by the server.</param>
        /// <param name="c">Signing configuration; its IsServerSigningRequired must equal the model's.</param>
        public static void NegotiateResponse(ModelSmb2Status status, SigningEnabledType signingEnabledType, SigningRequiredType signingRequiredType, SigningConfig c)
        {
            Condition.IsTrue(State == ModelState.Connected);

            SigningModelRequest negotiateRequest = ModelHelper.RetrieveOutstandingRequest <SigningModelRequest>(ref Request);

            // A NEGOTIATE request with the signed flag set is refused, and the model goes back to Uninitialized.
            if (negotiateRequest.signingFlagType == SigningFlagType.SignedFlagSet)
            {
                ModelHelper.Log(LogType.Requirement,
                                "3.3.5.2.4: If the SMB2 Header of the SMB2 NEGOTIATE request has the SMB2_FLAGS_SIGNED bit set in the Flags field, " +
                                "the server MUST fail the request with STATUS_INVALID_PARAMETER.");
                ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED bit in the NEGOTIATE request is set.");
                ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
                Condition.IsTrue(status == ModelSmb2Status.STATUS_INVALID_PARAMETER);
                State = ModelState.Uninitialized;

                return;
            }

            // The client asking for signing is remembered on the connection; SessionSetupResponse reads this flag.
            if (negotiateRequest.signingRequiredType == SigningRequiredType.SigningRequiredSet)
            {
                ModelHelper.Log(LogType.Requirement,
                                "3.3.5.4: If SMB2_NEGOTIATE_SIGNING_REQUIRED is set in SecurityMode, the server MUST set Connection.ShouldSign to TRUE.");
                ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is set to TRUE.");
                Connection_ShouldSign = true;
            }

            // The signing-enabled bit is required in every accepted response.
            ModelHelper.Log(LogType.Requirement, "3.3.5.4: SecurityMode MUST have the SMB2_NEGOTIATE_SIGNING_ENABLED bit set.");
            Condition.IsTrue(signingEnabledType == SigningEnabledType.SigningEnabledSet);

            // The signing-required bit is constrained only when the server configuration demands signing;
            // when it does not, signingRequiredType is left unconstrained by this rule.
            Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);
            if (Config.IsServerSigningRequired)
            {
                ModelHelper.Log(LogType.Requirement,
                                "3.3.5.4: If RequireMessageSigning is TRUE, the server MUST also set SMB2_NEGOTIATE_SIGNING_REQUIRED in the SecurityMode field.");
                ModelHelper.Log(LogType.TestInfo, "RequireMessageSigning is TRUE.");
                Condition.IsTrue(signingRequiredType == SigningRequiredType.SigningRequiredSet);
            }

            Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
        }
コード例 #6
        /// <summary>
        /// Models the request-side signing checks of section 3.3.5.2.4 and constrains the status
        /// the server is expected to return when one of them rejects the request.
        /// </summary>
        /// <remarks>
        /// Two rejections are modelled: a signed request when no session exists
        /// (STATUS_USER_SESSION_DELETED) and an unsigned request on an existing session that
        /// requires signing (STATUS_ACCESS_DENIED). There is no branch for a signed request
        /// whose signature fails validation, so that case is not covered by this method.
        /// </remarks>
        /// <param name="status">Status returned by the server for the request.</param>
        /// <param name="request">The outstanding request being answered.</param>
        /// <returns><c>false</c> when the request is expected to be rejected; otherwise <c>true</c>.</returns>
        private static bool VerifySignature(ModelSmb2Status status, SigningModelRequest request)
        {
            ModelHelper.Log(LogType.Requirement, "3.3.5.2.4: Verifying the Signature");

            bool requestIsSigned = request.signingFlagType == SigningFlagType.SignedFlagSet;
            if (requestIsSigned)
            {
                ModelHelper.Log(
                    LogType.Requirement,
                    "If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server MUST verify the signature. ");
                ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is set in SMB2 header.");

                // With no session there is nothing to verify the signature against: expect a refusal.
                if (Session_IsExisted == false)
                {
                    ModelHelper.Log(
                        LogType.Requirement,
                        "For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request. " +
                        "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " +
                        "with the error code STATUS_USER_SESSION_DELETED.");
                    ModelHelper.Log(LogType.TestInfo, "The session is not found.");
                    ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
                    Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED);
                    return false;
                }
            }
            else if (request.signingFlagType == SigningFlagType.SignedFlagNotSet)
            {
                ModelHelper.Log(
                    LogType.Requirement,
                    "If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, " +
                    "the server MUST determine if the client failed to sign a packet that required it. " +
                    "The server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request.");
                ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is not set in the SMB2 header.");

                // The client skipped signing on a session that requires it: expect a refusal.
                bool unsignedButRequired = Session_IsExisted && Session_SigningRequired;
                if (unsignedButRequired)
                {
                    ModelHelper.Log(
                        LogType.Requirement,
                        "If the session is found and Session.SigningRequired is equal to TRUE, the server MUST fail this request with STATUS_ACCESS_DENIED. ");
                    ModelHelper.Log(LogType.TestInfo, "The session is found and Session.SigningRequired is TRUE.");
                    ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
                    Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
                    return false;
                }
            }

            return true;
        }
コード例 #7
 /// <summary>
 /// Constrains the response to be signed when the client signed the request
 /// (MS-SMB2 section 3.3.4.1.1, which the logged requirement text words as SHOULD).
 /// </summary>
 /// <remarks>
 /// Only the signed-flag state reported for the response is constrained; nothing in this
 /// method checks a signature value. The zero-TreeId part of the first logged condition is
 /// not represented by any parameter. Both conditions place the same constraint on the
 /// response and differ only in the requirement text that is logged. An unsigned request
 /// logs nothing and places no constraint.
 /// </remarks>
 /// <param name="status">Status of the response; not read by this method.</param>
 /// <param name="request">The outstanding request that the response answers.</param>
 /// <param name="sessionId">Whether the response carries a zero or a nonzero SessionId.</param>
 /// <param name="signingFlagType">Signed-flag state observed on the response.</param>
 private static void VerifyResponseShouldSign(
     ModelSmb2Status status,
     SigningModelRequest request,
     SigningModelSessionId sessionId,
     SigningFlagType signingFlagType)
 {
     bool clientSigned = request.signingFlagType == SigningFlagType.SignedFlagSet;
     if (!clientSigned)
     {
         // Nothing is required of the response when the request was unsigned.
         return;
     }

     // The session-based condition takes precedence; the general one is the fallback.
     string requirementDetail =
         (sessionId == SigningModelSessionId.NonZeroSessionId && Session_SigningRequired)
             ? "\tIf the request was signed by the client, the response message being sent contains a nonzero SessionId and a zero TreeId in the SMB2 header, " +
               "and the session identified by SessionId has Session.SigningRequired equal to TRUE."
             : "\tIf the request was signed by the client, and the response is not an interim response to an asynchronously processed request.";

     ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
     ModelHelper.Log(LogType.Requirement, requirementDetail);
     ModelHelper.Log(LogType.TestInfo, "The condition is met.");
     Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
 }