/// <summary>
/// Asserts that the response is marked as signed in the two cases this model
/// derives from MS-SMB2 3.3.4.1.1 (logged below as a SHOULD requirement).
/// </summary>
/// <param name="status">Response status. Not read by this check.</param>
/// <param name="request">The outstanding request that the response answers.</param>
/// <param name="sessionId">Model abstraction of the SessionId, compared against NonZeroSessionId.</param>
/// <param name="signingFlagType">Signed-flag value that must equal SignedFlagSet when a condition applies.</param>
private static void VerifyResponseShouldSign(
    ModelSmb2Status status,
    SigningModelRequest request,
    SigningModelSessionId sessionId,
    SigningFlagType signingFlagType)
{
    // Both cases below start from "the request was signed by the client";
    // an unsigned request places no expectation on the response here.
    if (request.signingFlagType != SigningFlagType.SignedFlagSet)
    {
        return;
    }

    bool sessionDemandsSigning =
        sessionId == SigningModelSessionId.NonZeroSessionId && Session_SigningRequired;

    ModelHelper.Log(LogType.Requirement,
        "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");

    if (sessionDemandsSigning)
    {
        // NOTE(review): the quoted text also mentions a zero TreeId, which this
        // model does not track - confirm that is intentional.
        ModelHelper.Log(LogType.Requirement,
            "\tIf the request was signed by the client, the response message being sent contains a nonzero SessionId and a zero TreeId in the SMB2 header, " +
            "and the session identified by SessionId has Session.SigningRequired equal to TRUE.");
    }
    else
    {
        // NOTE(review): the "not an interim response" part of the quoted text is
        // not checked here - confirm interim responses are out of scope for the model.
        ModelHelper.Log(LogType.Requirement,
            "\tIf the request was signed by the client, and the response is not an interim response to an asynchronously processed request.");
    }

    ModelHelper.Log(LogType.TestInfo, "The condition is met.");

    // Either way the expectation is the same: a signed request must be
    // answered with a signed response.
    Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
}
/// <summary>
/// Model rule for a SESSION_SETUP response: checks the request against the
/// signature rules, decides whether Session.SigningRequired becomes TRUE
/// (3.3.5.5.3), and then checks response signing and the final status.
/// </summary>
/// <param name="status">Status returned for the SESSION_SETUP request.</param>
/// <param name="sessionId">Model abstraction of the SessionId in the response.</param>
/// <param name="signingFlagType">Signed-flag value checked by VerifyResponseShouldSign.</param>
/// <param name="sessionFlag">SessionFlags value; only SESSION_FLAG_IS_GUEST is inspected.</param>
/// <param name="c">Server signing configuration; must agree with the model's Config.</param>
public static void SessionSetupResponse(
    ModelSmb2Status status,
    SigningModelSessionId sessionId,
    SigningFlagType signingFlagType,
    SessionFlags_Values sessionFlag,
    SigningConfig c)
{
    Condition.IsTrue(State == ModelState.Connected);
    Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);

    SigningModelRequest sessionSetupRequest =
        ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);

    // A request that fails the signature rules ends this model path.
    bool requestAccepted = VerifySignature(status, sessionSetupRequest);
    if (!requestAccepted)
    {
        State = ModelState.Uninitialized;
        return;
    }

    // NOTE(review): the requirement text and the TestInfo line below speak of
    // SMB2_NEGOTIATE_SIGNING_REQUIRED (SecurityMode), but the value tested is the
    // request's signingFlagType against SignedFlagSet. SigningModelRequest also
    // carries signingRequiredType (read in NegotiateResponse) - confirm which
    // field is intended, since this decides when signing is enforced for the session.
    bool requestFlagSet = sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet;
    bool isGuestSession = sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST);

    // Guest and anonymous sessions are excluded from the second condition.
    if (requestFlagSet
        || (!isGuestSession
            && !Session_IsAnonymous
            && (Connection_ShouldSign || c.IsServerSigningRequired)))
    {
        ModelHelper.Log(LogType.Requirement,
            "3.3.5.5.3: 5. Session.SigningRequired MUST be set to TRUE under the following conditions:");
        ModelHelper.Log(LogType.Requirement,
            "\tIf the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request.");
        ModelHelper.Log(LogType.Requirement,
            "\tIf the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field " +
            "and Session.IsAnonymous is FALSE and either Connection.ShouldSign or global RequireMessageSigning is TRUE.");
        ModelHelper.Log(LogType.TestInfo, "SMB2_NEGOTIATE_SIGNING_REQUIRED is {0}set.", requestFlagSet ? "" : "not ");
        ModelHelper.Log(LogType.TestInfo, "SMB2_SESSION_FLAG_IS_GUEST bit is {0}set.", isGuestSession ? "" : "not ");
        ModelHelper.Log(LogType.TestInfo, "Session.IsAnonymous is {0}.", Session_IsAnonymous);
        ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is {0}.", Connection_ShouldSign);
        ModelHelper.Log(LogType.TestInfo, "Global RequireMessageSigning is {0}.", c.IsServerSigningRequired);
        ModelHelper.Log(LogType.TestInfo, "So Session.SigningRequired is set to TRUE.");

        Session_SigningRequired = true;
    }

    // Runs after Session_SigningRequired is updated, because the response check reads it.
    VerifyResponseShouldSign(status, sessionSetupRequest, sessionId, signingFlagType);

    Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
    Session_IsExisted = true;
}
/// <summary>
/// Model rule for a TREE_CONNECT response: checks the request against the
/// signature rules and, when it is accepted, checks response signing and a
/// STATUS_SUCCESS result.
/// </summary>
/// <param name="status">Status returned for the TREE_CONNECT request.</param>
/// <param name="sessionId">Model abstraction of the SessionId in the response.</param>
/// <param name="signingFlagType">Signed-flag value checked by VerifyResponseShouldSign.</param>
public static void TreeConnectResponse(ModelSmb2Status status, SigningModelSessionId sessionId, SigningFlagType signingFlagType)
{
    Condition.IsTrue(State == ModelState.Connected);

    SigningModelRequest pendingTreeConnect =
        ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);

    // When the request is rejected, VerifySignature has already constrained the
    // error status. Unlike SessionSetupResponse, State is left unchanged here.
    bool requestAccepted = VerifySignature(status, pendingTreeConnect);
    if (requestAccepted)
    {
        VerifyResponseShouldSign(status, pendingTreeConnect, sessionId, signingFlagType);
        Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
    }
}
/// <summary>
/// Models MS-SMB2 3.3.5.2.4 (Verifying the Signature): decides whether the
/// request is accepted and, when it is rejected, constrains the error status.
/// </summary>
/// <param name="status">Status returned by the server for this request.</param>
/// <param name="request">The outstanding request; only signingFlagType is read.</param>
/// <returns>
/// false when the request is expected to be rejected (signed request with no
/// session, or unsigned request on a session that requires signing); otherwise true.
/// </returns>
private static bool VerifySignature(ModelSmb2Status status, SigningModelRequest request)
{
    ModelHelper.Log(LogType.Requirement, "3.3.5.2.4: Verifying the Signature");

    SigningFlagType requestFlag = request.signingFlagType;

    if (requestFlag == SigningFlagType.SignedFlagSet)
    {
        ModelHelper.Log(LogType.Requirement,
            "If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server MUST verify the signature. ");
        ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is set in SMB2 header.");

        // NOTE(review): only the presence of the flag and the existence of the
        // session are modelled. A signed request whose signature does not validate
        // is not represented in this method - confirm it is covered elsewhere.
        if (!Session_IsExisted)
        {
            ModelHelper.Log(LogType.Requirement,
                "For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request. " +
                "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " +
                "with the error code STATUS_USER_SESSION_DELETED.");
            ModelHelper.Log(LogType.TestInfo, "The session is not found.");
            ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
            Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED);
            return false;
        }
    }
    else if (requestFlag == SigningFlagType.SignedFlagNotSet)
    {
        ModelHelper.Log(LogType.Requirement,
            "If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, " +
            "the server MUST determine if the client failed to sign a packet that required it. " +
            "The server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request.");
        ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is not set in the SMB2 header.");

        // Signing enforcement: an unsigned request on a session that requires
        // signing must be refused, not processed.
        if (Session_IsExisted && Session_SigningRequired)
        {
            ModelHelper.Log(LogType.Requirement,
                "If the session is found and Session.SigningRequired is equal to TRUE, the server MUST fail this request with STATUS_ACCESS_DENIED. ");
            ModelHelper.Log(LogType.TestInfo, "The session is found and Session.SigningRequired is TRUE.");
            ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
            Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
            return false;
        }
    }

    // Every remaining combination is accepted by the model.
    return true;
}
/// <summary>
/// Model rule for a NEGOTIATE response: expects a signed NEGOTIATE to be
/// rejected, records Connection.ShouldSign from the request, and checks the
/// signing bits the server reports in SecurityMode (3.3.5.4).
/// </summary>
/// <param name="status">Status returned for the NEGOTIATE request.</param>
/// <param name="signingEnabledType">SIGNING_ENABLED state reported in the response.</param>
/// <param name="signingRequiredType">SIGNING_REQUIRED state reported in the response.</param>
/// <param name="c">Server signing configuration; must agree with the model's Config.</param>
public static void NegotiateResponse(
    ModelSmb2Status status,
    SigningEnabledType signingEnabledType,
    SigningRequiredType signingRequiredType,
    SigningConfig c)
{
    Condition.IsTrue(State == ModelState.Connected);

    SigningModelRequest negotiateRequest =
        ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);

    bool requestCarriesSignedFlag = negotiateRequest.signingFlagType == SigningFlagType.SignedFlagSet;
    bool clientRequiresSigning = negotiateRequest.signingRequiredType == SigningRequiredType.SigningRequiredSet;

    // A NEGOTIATE with the signed flag set must be refused; the model then
    // returns to Uninitialized.
    if (requestCarriesSignedFlag)
    {
        ModelHelper.Log(LogType.Requirement,
            "3.3.5.2.4: If the SMB2 Header of the SMB2 NEGOTIATE request has the SMB2_FLAGS_SIGNED bit set in the Flags field, " +
            "the server MUST fail the request with STATUS_INVALID_PARAMETER.");
        ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED bit in the NEGOTIATE request is set.");
        ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
        Condition.IsTrue(status == ModelSmb2Status.STATUS_INVALID_PARAMETER);
        State = ModelState.Uninitialized;
        return;
    }

    // Remembered on the connection; SessionSetupResponse reads it when deciding
    // whether the session requires signing.
    if (clientRequiresSigning)
    {
        ModelHelper.Log(LogType.Requirement,
            "3.3.5.4: If SMB2_NEGOTIATE_SIGNING_REQUIRED is set in SecurityMode, the server MUST set Connection.ShouldSign to TRUE.");
        ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is set to TRUE.");
        Connection_ShouldSign = true;
    }

    ModelHelper.Log(LogType.Requirement,
        "3.3.5.4: SecurityMode MUST have the SMB2_NEGOTIATE_SIGNING_ENABLED bit set.");
    Condition.IsTrue(signingEnabledType == SigningEnabledType.SigningEnabledSet);

    Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);

    // A server configured to require signing must say so in its response.
    if (Config.IsServerSigningRequired)
    {
        ModelHelper.Log(LogType.Requirement,
            "3.3.5.4: If RequireMessageSigning is TRUE, the server MUST also set SMB2_NEGOTIATE_SIGNING_REQUIRED in the SecurityMode field.");
        ModelHelper.Log(LogType.TestInfo, "RequireMessageSigning is TRUE.");
        Condition.IsTrue(signingRequiredType == SigningRequiredType.SigningRequiredSet);
    }

    Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
}
/// <summary>
/// Covers MS-SMB2 section 3.3.5.2.4: returns whether the request passes the
/// modelled signature rules, constraining the error status when it does not.
/// </summary>
/// <param name="status">Status returned by the server for this request.</param>
/// <param name="request">The outstanding request; only signingFlagType is read.</param>
/// <returns>true when the request is accepted by the model, false when it must be rejected.</returns>
private static bool VerifySignature(ModelSmb2Status status, SigningModelRequest request)
{
    ModelHelper.Log(LogType.Requirement, "3.3.5.2.4: Verifying the Signature");

    bool isSigned = request.signingFlagType == SigningFlagType.SignedFlagSet;
    bool isUnsigned = request.signingFlagType == SigningFlagType.SignedFlagNotSet;

    if (isSigned)
    {
        ModelHelper.Log(LogType.Requirement,
            "If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server MUST verify the signature. ");
        ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is set in SMB2 header.");

        // NOTE(review): signature validity itself is not modelled; a signed
        // request on an existing session is always accepted here - confirm an
        // invalid-signature case is exercised by another test.
        if (Session_IsExisted)
        {
            return true;
        }

        // Signed request that refers to no known session.
        ModelHelper.Log(LogType.Requirement,
            "For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request. " +
            "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " +
            "with the error code STATUS_USER_SESSION_DELETED.");
        ModelHelper.Log(LogType.TestInfo, "The session is not found.");
        ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier);
        Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED);
        return false;
    }

    if (isUnsigned)
    {
        ModelHelper.Log(LogType.Requirement,
            "If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, " +
            "the server MUST determine if the client failed to sign a packet that required it. " +
            "The server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request.");
        ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is not set in the SMB2 header.");

        // Unsigned traffic is tolerated only while no session exists or the
        // session does not require signing.
        bool signingWasMandatory = Session_IsExisted && Session_SigningRequired;
        if (!signingWasMandatory)
        {
            return true;
        }

        ModelHelper.Log(LogType.Requirement,
            "If the session is found and Session.SigningRequired is equal to TRUE, the server MUST fail this request with STATUS_ACCESS_DENIED. ");
        ModelHelper.Log(LogType.TestInfo, "The session is found and Session.SigningRequired is TRUE.");
        ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields);
        Condition.IsTrue(status == ModelSmb2Status.STATUS_ACCESS_DENIED);
        return false;
    }

    return true;
}