private void VerifyMessageSyntaxSmbComNegotiateExtendedSecurityServerResponse( SmbNegotiateResponsePacket response, bool isTokenConfiguredToUsed, bool isReAuthentSupported) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R9962"); // // Verify MS-SMB requirement: MS-SMB_R9962. // Site.CaptureRequirementIfAreEqual<uint>( 0, (uint)(~CapabilitiesAllSet & response.SmbParameters.Capabilities), 9962, @"[In Extended Security Response]Capabilities (4 bytes): The server MUST set the unused bits to zero."); // CAP_COMPRESSED_DATA, CAP_DYNAMIC_REAUTH, CAP_EXTENDED_SECURITY, CAP_INFOLEVEL_PASSTHRU, CAP_LARGE_WRITE, // CAP_LWIO, CAP_UNIX are the new capabilities. if (((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_INFOLEVEL_PASSTHRU) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_INFOLEVEL_PASSTHRU) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LARGE_WRITE) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LARGE_WRITE) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO) || ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_UNIX) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_UNIX)) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R8558"); // The condition is verified if the new capabilities is used, If at least one of them was used, // it means new capabilities are considered. and the requirement can be captured directly. // And setting the SMB_Parameters.Words.Capabilities field of the response based on the server under // test. Capabilities attribute is server internal behavior. Site.CaptureRequirement( 8558, @"[In Receiving an SMB_COM_NEGOTIATE Request]New Capabilities: The new capabilities flags specified in section 2.2.4.5.1 MUST also be considered when setting the SMB_Parameters.Words.Capabilities field of the response based on the Server.Capabilities attribute."); } if ((Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY & response.SmbParameters.Capabilities) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R239"); // // Verify MS-SMB requirement: MS-SMB_R239. // Site.CaptureRequirementIfAreEqual<byte>( 0, response.SmbParameters.EncryptionKeyLength, 239, @"ChallengeLength (1 byte): When the CAP_EXTENDED_SECURITY bit is set, the server MUST set this value to zero."); } // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R5426:ServerGuid:{0}", response.SmbData.ServerGuid); // // Verify MS-SMB requirement: MS-SMB_R5426. // // Whether a field is unique or not couldn't be verified. Here verify this requirement partially, only // verify the type of the field. bool isVerifyR5426 = (typeof(Guid) == response.SmbData.ServerGuid.GetType()); Site.CaptureRequirementIfIsTrue( isVerifyR5426, 5426, @"[In Extended Security Response]ServerGUID (16 bytes):This field MUST be a GUID generated by the server to uniquely identify this server. "); // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R241,ByteCount:{0}", response.SmbData.ByteCount); // // Verify MS-SMB requirement: MS-SMB_R241. // bool isVerifyR241 = ((2 == Marshal.SizeOf(response.SmbData.ByteCount)) && (response.SmbData.ByteCount >= 0x0010)); Site.CaptureRequirementIfIsTrue( isVerifyR241, 241, @"[In Extended Security Response]ByteCount (2 bytes):This field MUST be greater than or equal to 0x0010."); // // Verify requirement MS-SMB_R5430 and MS-SMB_R105430 // string isR5430Implementated = Site.Properties.Get("SHOULDMAYR5430Implementation"); // The SecurityBlob is an array of bytes, if the length of the array is greater than 0, it means the // SecurityBlob is contained in the response. bool isR105430Satisfied = response.SmbData.SecurityBlob.Length > 0; if (isWindows && (sutOsVersion != Platform.Win2K)) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R105430,SecurityBlob.Length:{0}", response.SmbData.SecurityBlob.Length); // // Verify MS-SMB requirement: MS-SMB_R105430. // Site.CaptureRequirementIfIsTrue( isR105430Satisfied, 105430, @"[In Extended Security Response]SecurityBlob (variable):A security binary large object (BLOB) that contains an authentication token as produced by the GSS protocol (as specified in section 3.2.4.2.4 and [RFC2743]) in Windows(except windows 2000).<40>"); if (null == isR5430Implementated) { Site.Properties.Add("SHOULDMAYR5430Implementation", Boolean.TrueString); isR5430Implementated = Boolean.TrueString; } } if (null != isR5430Implementated) { bool implemented = Boolean.Parse(isR5430Implementated); bool isSatisfied = isR105430Satisfied; // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R5430,SecurityBlob.Length:{0}", response.SmbData.SecurityBlob.Length); // // Verify MS-SMB requirement: MS-SMB_R5430. // Site.CaptureRequirementIfAreEqual<Boolean>( implemented, isSatisfied, 5430, String.Format("[In Extended Security Response]SecurityBlob (variable):A security binary large " + "object (BLOB) that SHOULD contain an authentication token as produced by the GSS protocol (as " + "specified in section 3.2.4.2.4 and [RFC2743]).<41> This requirement is {0}" + "implemented", implemented ? "" : "not ")); } if ((sutOsVersion == Platform.Win2K3) || (sutOsVersion == Platform.Win2K3R2) || (sutOsVersion == Platform.WinVista) || (sutOsVersion == Platform.Win2K8) || (sutOsVersion == Platform.Win7) || (sutOsVersion == Platform.Win2K8R2)) { if ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R406932"); // If the OS is one of Win2K3, Win2K3R2, WinVista, Win2K8, Win7 or Win2K8R2, and the CAP_LWIO flag // of Capabilities field of SmbParameter in the response is set, this requirement is covered. So // here capture the requirement directly. Site.CaptureRequirement( 406932, @"<34> Section 2.2.4.5.2.1: Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 clients and servers support CAP_LWIO."); } } if (isWindows) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R6932"); // // Verify MS-SMB requirement: MS-SMB_R6932. // Site.CaptureRequirementIfAreEqual< Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>( 0, Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA & response.SmbParameters.Capabilities, 6932, @"<36> Section 2.2.4.5.2.1: Windows-based clients and servers do not support CAP_COMPRESSED_DATA and this capability is never set."); // If isReAuthentSupported is true, it means dynamic re-authentication is supported. if (isReAuthentSupported) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R6934"); // // Verify MS-SMB requirement: MS-SMB_R6934. // Site.CaptureRequirementIfAreEqual< Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>( 0x00000000, Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH & response.SmbParameters.Capabilities, 6934, @"<37> Section 2.2.4.5.2.1: Windows servers do not set the CAP_DYNAMIC_REAUTH flag even if dynamic re-authentication is supported."); } } if ((response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY) == Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R2172"); // // Verify MS-SMB requirement: MS-SMB_R2172. // // SmbNegotiateResponsePacket is the packet specified in section 2.2.4.5.2. Site.CaptureRequirementIfAreEqual<Type>( typeof(SmbNegotiateResponsePacket), response.GetType(), 2172, @"[In Receiving an SMB_COM_NEGOTIATE Response]Storing extended security token: If the capabilities returned in the SMB_COM_NEGOTIATE response include CAP_EXTENDED_SECURITY, then the response MUST take the form defined in section 2.2.4.5.2)."); } // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R9952"); // The response's form have been verified in R239, R241, R5430, R2172. Here capture it directly. Site.CaptureRequirement( 9952, "[In Extended Security Response] If the selected dialect is NT LAN Manager and the client has " + "indicated extended security is being used, a successful response MUST take the following form " + "[SMB_Parameters" + "{" + "UCHAR WordCount;" + "Words" + "{" + "USHORT DialectIndex;" + "UCHAR SecurityMode;" + "USHORT MaxMpxCount;" + "USHORT MaxNumberVcs;" + "ULONG MaxBufferSize;" + "ULONG MaxRawSize;" + "ULONG SessionKey;" + "ULONG Capabilities;" + "FILETIME SystemTime;" + "SHORT ServerTimeZone;" + "UCHAR ChallengeLength;" + "}" + "}" + "SMB_Data" + "{" + "USHORT ByteCount;" + "Bytes" + "{" + "USHORT ServerGUID;" + "UCHAR SecurityBlob[];" + "}" + "}" + "]."); // Win7, WinVista, WinXP is client versions of Windows. if ((sutOsVersion == Platform.Win7) || (sutOsVersion == Platform.WinVista) || (sutOsVersion == Platform.WinXP)) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R6895"); // // Verify MS-SMB requirement: MS-SMB_R6895. // Site.CaptureRequirementIfAreEqual<uint>( 4356, response.SmbParameters.MaxBufferSize, 6895, @"<27> Section 2.2.4.5.2.1: Windows defaults to a MaxBufferSize value of 4,356 bytes on client versions of Windows."); } // Win2K, Win2K3,Win2k3R2,Win2K8,Win2K8R2 is server version of Windows. if (isWindows && ((sutOsVersion == Platform.Win2K) || (sutOsVersion == Platform.Win2K3) || (sutOsVersion == Platform.Win2K3R2) || (sutOsVersion == Platform.Win2K8) || (sutOsVersion == Platform.Win2K8R2))) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R6894"); // // Verify MS-SMB requirement: MS-SMB_R6894. // Site.CaptureRequirementIfAreEqual<uint>( 16644, response.SmbParameters.MaxBufferSize, 6894, @"<27> Section 2.2.4.5.2.1: Windows defaults to a MaxBufferSize value of 16,644 bytes on server versions of Windows."); } if (isWindows) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R8573"); // The parameter of this method is an extended security response from the SUT, if the os // is windows-based, it means that Windows-based SMB servers support Extended Security. Here capture // this requirement directly. Site.CaptureRequirement( 8573, @"[In Receiving an SMB_COM_NEGOTIATE Response] <104> Section 3.2.5.2: Windows-based SMB servers support Extended Security. "); // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R11004"); // // Verify MS-SMB requirement: MS-SMB_R11004. // Site.CaptureRequirementIfAreEqual< Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>( 0, response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb. Capabilities.CAP_UNIX, 11004, @"<35> Section 2.2.4.5.2.1: Windows-based clients and servers do not support CAP_UNIX; therefore, this capability is never set."); } // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R2309"); // If R9952 has been verified, this requirement is verified. Since the form specified in this // requirement is of SmbNegotiateResponsePacket type. Site.CaptureRequirement( 2309, @"[In Receiving an SMB_COM_NEGOTIATE Request] Generating Extended Security Token: The response [SMB_COM_NEGOTIATE response] MUST take the form specified in section 2.2.4.1.2. "); if (((Capabilities)response.SmbParameters.Capabilities & Capabilities.CapNtSmbs) == Capabilities.CapNtSmbs) { // // Verify requirement MS-SMB_R9975 and MS-SMB_R106919 // string isR9975Implementated = Site.Properties.Get("SHOULDMAYR9975Implementation"); bool isR106919Satisfied = (((Capabilities)response.SmbParameters.Capabilities & Capabilities.CapNtFind) == Capabilities.CapNtFind); if (isWindows) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R106919,Capabilities:{0}", (uint)response.SmbParameters.Capabilities); // // Verify MS-SMB requirement: MS-SMB_R106919. // Site.CaptureRequirementIfIsTrue( isR106919Satisfied, 106919, @"<30> Section 2.2.4.5.2.1: Windows-based clients assume that CAP_NT_FIND is set if CAP_NT_SMBS is set."); if (null == isR9975Implementated) { Site.Properties.Add("SHOULDMAYR9975Implementation", Boolean.TrueString); isR9975Implementated = Boolean.TrueString; } } if (null != isR9975Implementated) { bool implemented = Boolean.Parse(isR9975Implementated); bool isSatisfied = isR106919Satisfied; // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R9975,Capabilities:{0}", (uint)response.SmbParameters.Capabilities); // // Verify MS-SMB requirement: MS-SMB_R9975. // Site.CaptureRequirementIfAreEqual<Boolean>( implemented, isSatisfied, 9975, String.Format("[In Extended Security Response]CAP_NT_FIND 0x00000200:This bit SHOULD<30> be " + "set if CAP_NT_SMBS is set. This requirement is {0}implemented", implemented ? "" : "not ")); } } if ((sutOsVersion == Platform.Win2K) || (sutOsVersion == Platform.Win2K3) || (sutOsVersion == Platform.Win2K3R2) || (sutOsVersion == Platform.Win2K8) || (sutOsVersion == Platform.Win2K8R2)) { if (response.SmbData.SecurityBlob.Length >= 0) { // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R4748"); // Protocol SDK have ensured to encode SecurityBlob as GSS token. Here capture this requirement // directly. Site.CaptureRequirement( 4748, @"[In Receiving an SMB_COM_NEGOTIATE Request] <112>Section 3.3.5.2: Windows-based SMB serverssupport Extended Security, and are configured to use SPNEGO (as specified in [RFC4178]) as their GSS authentication protocol."); // // The following statement code will be run only when debugging. // Site.Log.Add(LogEntryKind.Debug, @"Verify MS-SMB_R4749"); // The protocol SDK has ensured to encode SecurityBlob as GSS token. Here capture this requirement // directly. Site.CaptureRequirement( 4749, @"[In Receiving an SMB_COM_NEGOTIATE Request] <112>Section 3.3.5.2: Windows operating systems that use extended security send a GSS token (or fragment) if their SPNEGO implementation supports it."); } } }