private void VerifyMessageSyntaxSmbComNegotiateExtendedSecurityServerResponse(
SmbNegotiateResponsePacket response,
bool isTokenConfiguredToUsed,
bool isReAuthentSupported)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R9962");
//
// Verify MS-SMB requirement: MS-SMB_R9962.
//
Site.CaptureRequirementIfAreEqual<uint>(
0,
(uint)(~CapabilitiesAllSet & response.SmbParameters.Capabilities),
9962,
@"[In Extended Security Response]Capabilities (4 bytes): The server MUST set the unused bits to zero.");
// CAP_COMPRESSED_DATA, CAP_DYNAMIC_REAUTH, CAP_EXTENDED_SECURITY, CAP_INFOLEVEL_PASSTHRU, CAP_LARGE_WRITE,
// CAP_LWIO, CAP_UNIX are the new capabilities.
if (((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_INFOLEVEL_PASSTHRU)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_INFOLEVEL_PASSTHRU)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LARGE_WRITE)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LARGE_WRITE)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO)
|| ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_UNIX)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_UNIX))
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R8558");
// The condition is verified if the new capabilities is used, If at least one of them was used,
// it means new capabilities are considered. and the requirement can be captured directly.
// And setting the SMB_Parameters.Words.Capabilities field of the response based on the server under
// test. Capabilities attribute is server internal behavior.
Site.CaptureRequirement(
8558,
@"[In Receiving an SMB_COM_NEGOTIATE Request]New Capabilities: The new capabilities flags specified
in section 2.2.4.5.1 MUST also be considered when setting the SMB_Parameters.Words.Capabilities
field of the response based on the Server.Capabilities attribute.");
}
if ((Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY
& response.SmbParameters.Capabilities)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R239");
//
// Verify MS-SMB requirement: MS-SMB_R239.
//
Site.CaptureRequirementIfAreEqual<byte>(
0,
response.SmbParameters.EncryptionKeyLength,
239,
@"ChallengeLength (1 byte): When the CAP_EXTENDED_SECURITY bit is set, the server MUST set this
value to zero.");
}
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R5426:ServerGuid:{0}",
response.SmbData.ServerGuid);
//
// Verify MS-SMB requirement: MS-SMB_R5426.
//
// Whether a field is unique or not couldn't be verified. Here verify this requirement partially, only
// verify the type of the field.
bool isVerifyR5426 = (typeof(Guid) == response.SmbData.ServerGuid.GetType());
Site.CaptureRequirementIfIsTrue(
isVerifyR5426,
5426,
@"[In Extended Security Response]ServerGUID (16 bytes):This field MUST be a GUID generated by the
server to uniquely identify this server. ");
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R241,ByteCount:{0}",
response.SmbData.ByteCount);
//
// Verify MS-SMB requirement: MS-SMB_R241.
//
bool isVerifyR241 = ((2 == Marshal.SizeOf(response.SmbData.ByteCount))
&& (response.SmbData.ByteCount >= 0x0010));
Site.CaptureRequirementIfIsTrue(
isVerifyR241,
241,
@"[In Extended Security Response]ByteCount (2 bytes):This field MUST be greater than or equal to
0x0010.");
//
// Verify requirement MS-SMB_R5430 and MS-SMB_R105430
//
string isR5430Implementated = Site.Properties.Get("SHOULDMAYR5430Implementation");
// The SecurityBlob is an array of bytes, if the length of the array is greater than 0, it means the
// SecurityBlob is contained in the response.
bool isR105430Satisfied = response.SmbData.SecurityBlob.Length > 0;
if (isWindows && (sutOsVersion != Platform.Win2K))
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R105430,SecurityBlob.Length:{0}",
response.SmbData.SecurityBlob.Length);
//
// Verify MS-SMB requirement: MS-SMB_R105430.
//
Site.CaptureRequirementIfIsTrue(
isR105430Satisfied,
105430,
@"[In Extended Security Response]SecurityBlob (variable):A security binary large object (BLOB) that
contains an authentication token as produced by the GSS protocol (as specified in section 3.2.4.2.4
and [RFC2743]) in Windows(except windows 2000).<40>");
if (null == isR5430Implementated)
{
Site.Properties.Add("SHOULDMAYR5430Implementation", Boolean.TrueString);
isR5430Implementated = Boolean.TrueString;
}
}
if (null != isR5430Implementated)
{
bool implemented = Boolean.Parse(isR5430Implementated);
bool isSatisfied = isR105430Satisfied;
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R5430,SecurityBlob.Length:{0}",
response.SmbData.SecurityBlob.Length);
//
// Verify MS-SMB requirement: MS-SMB_R5430.
//
Site.CaptureRequirementIfAreEqual<Boolean>(
implemented,
isSatisfied,
5430,
String.Format("[In Extended Security Response]SecurityBlob (variable):A security binary large " +
"object (BLOB) that SHOULD contain an authentication token as produced by the GSS protocol (as " +
"specified in section 3.2.4.2.4 and [RFC2743]).<41> This requirement is {0}" +
"implemented", implemented ? "" : "not "));
}
if ((sutOsVersion == Platform.Win2K3) ||
(sutOsVersion == Platform.Win2K3R2) ||
(sutOsVersion == Platform.WinVista) ||
(sutOsVersion == Platform.Win2K8) ||
(sutOsVersion == Platform.Win7) ||
(sutOsVersion == Platform.Win2K8R2))
{
if ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_LWIO)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R406932");
// If the OS is one of Win2K3, Win2K3R2, WinVista, Win2K8, Win7 or Win2K8R2, and the CAP_LWIO flag
// of Capabilities field of SmbParameter in the response is set, this requirement is covered. So
// here capture the requirement directly.
Site.CaptureRequirement(
406932,
@"<34> Section 2.2.4.5.2.1: Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2 clients and servers support CAP_LWIO.");
}
}
if (isWindows)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R6932");
//
// Verify MS-SMB requirement: MS-SMB_R6932.
//
Site.CaptureRequirementIfAreEqual<
Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>(
0,
Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_COMPRESSED_DATA
& response.SmbParameters.Capabilities,
6932,
@"<36> Section 2.2.4.5.2.1: Windows-based clients and servers do not support
CAP_COMPRESSED_DATA and this capability is never set.");
// If isReAuthentSupported is true, it means dynamic re-authentication is supported.
if (isReAuthentSupported)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R6934");
//
// Verify MS-SMB requirement: MS-SMB_R6934.
//
Site.CaptureRequirementIfAreEqual<
Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>(
0x00000000,
Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_DYNAMIC_REAUTH
& response.SmbParameters.Capabilities,
6934,
@"<37> Section 2.2.4.5.2.1: Windows servers do not set the CAP_DYNAMIC_REAUTH flag even
if dynamic re-authentication is supported.");
}
}
if ((response.SmbParameters.Capabilities
& Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY)
== Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities.CAP_EXTENDED_SECURITY)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R2172");
//
// Verify MS-SMB requirement: MS-SMB_R2172.
//
// SmbNegotiateResponsePacket is the packet specified in section 2.2.4.5.2.
Site.CaptureRequirementIfAreEqual<Type>(
typeof(SmbNegotiateResponsePacket),
response.GetType(),
2172,
@"[In Receiving an SMB_COM_NEGOTIATE Response]Storing extended security token: If the capabilities
returned in the SMB_COM_NEGOTIATE response include CAP_EXTENDED_SECURITY, then the response MUST
take the form defined in section 2.2.4.5.2).");
}
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R9952");
// The response's form have been verified in R239, R241, R5430, R2172. Here capture it directly.
Site.CaptureRequirement(
9952,
"[In Extended Security Response] If the selected dialect is NT LAN Manager and the client has " +
"indicated extended security is being used, a successful response MUST take the following form " +
"[SMB_Parameters" +
"{" +
"UCHAR WordCount;" +
"Words" +
"{" +
"USHORT DialectIndex;" +
"UCHAR SecurityMode;" +
"USHORT MaxMpxCount;" +
"USHORT MaxNumberVcs;" +
"ULONG MaxBufferSize;" +
"ULONG MaxRawSize;" +
"ULONG SessionKey;" +
"ULONG Capabilities;" +
"FILETIME SystemTime;" +
"SHORT ServerTimeZone;" +
"UCHAR ChallengeLength;" +
"}" +
"}" +
"SMB_Data" +
"{" +
"USHORT ByteCount;" +
"Bytes" +
"{" +
"USHORT ServerGUID;" +
"UCHAR SecurityBlob[];" +
"}" +
"}" +
"].");
// Win7, WinVista, WinXP is client versions of Windows.
if ((sutOsVersion == Platform.Win7) ||
(sutOsVersion == Platform.WinVista) ||
(sutOsVersion == Platform.WinXP))
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R6895");
//
// Verify MS-SMB requirement: MS-SMB_R6895.
//
Site.CaptureRequirementIfAreEqual<uint>(
4356,
response.SmbParameters.MaxBufferSize,
6895,
@"<27> Section 2.2.4.5.2.1: Windows defaults to a MaxBufferSize value of 4,356 bytes on client
versions of Windows.");
}
// Win2K, Win2K3,Win2k3R2,Win2K8,Win2K8R2 is server version of Windows.
if (isWindows &&
((sutOsVersion == Platform.Win2K) ||
(sutOsVersion == Platform.Win2K3) ||
(sutOsVersion == Platform.Win2K3R2) ||
(sutOsVersion == Platform.Win2K8) ||
(sutOsVersion == Platform.Win2K8R2)))
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R6894");
//
// Verify MS-SMB requirement: MS-SMB_R6894.
//
Site.CaptureRequirementIfAreEqual<uint>(
16644,
response.SmbParameters.MaxBufferSize,
6894,
@"<27> Section 2.2.4.5.2.1: Windows defaults to a MaxBufferSize value of 16,644 bytes on server
versions of Windows.");
}
if (isWindows)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R8573");
// The parameter of this method is an extended security response from the SUT, if the os
// is windows-based, it means that Windows-based SMB servers support Extended Security. Here capture
// this requirement directly.
Site.CaptureRequirement(
8573,
@"[In Receiving an SMB_COM_NEGOTIATE Response] <104> Section 3.2.5.2: Windows-based SMB servers
support Extended Security. ");
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R11004");
//
// Verify MS-SMB requirement: MS-SMB_R11004.
//
Site.CaptureRequirementIfAreEqual<
Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.Capabilities>(
0,
response.SmbParameters.Capabilities & Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb.
Capabilities.CAP_UNIX,
11004,
@"<35> Section 2.2.4.5.2.1: Windows-based clients and servers do not support CAP_UNIX;
therefore, this capability is never set.");
}
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R2309");
// If R9952 has been verified, this requirement is verified. Since the form specified in this
// requirement is of SmbNegotiateResponsePacket type.
Site.CaptureRequirement(
2309,
@"[In Receiving an SMB_COM_NEGOTIATE Request] Generating Extended Security Token: The response
[SMB_COM_NEGOTIATE response] MUST take the form specified in section 2.2.4.1.2. ");
if (((Capabilities)response.SmbParameters.Capabilities & Capabilities.CapNtSmbs)
== Capabilities.CapNtSmbs)
{
//
// Verify requirement MS-SMB_R9975 and MS-SMB_R106919
//
string isR9975Implementated = Site.Properties.Get("SHOULDMAYR9975Implementation");
bool isR106919Satisfied = (((Capabilities)response.SmbParameters.Capabilities
& Capabilities.CapNtFind)
== Capabilities.CapNtFind);
if (isWindows)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R106919,Capabilities:{0}",
(uint)response.SmbParameters.Capabilities);
//
// Verify MS-SMB requirement: MS-SMB_R106919.
//
Site.CaptureRequirementIfIsTrue(
isR106919Satisfied,
106919,
@"<30> Section 2.2.4.5.2.1: Windows-based clients assume that CAP_NT_FIND is set if CAP_NT_SMBS
is set.");
if (null == isR9975Implementated)
{
Site.Properties.Add("SHOULDMAYR9975Implementation", Boolean.TrueString);
isR9975Implementated = Boolean.TrueString;
}
}
if (null != isR9975Implementated)
{
bool implemented = Boolean.Parse(isR9975Implementated);
bool isSatisfied = isR106919Satisfied;
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R9975,Capabilities:{0}",
(uint)response.SmbParameters.Capabilities);
//
// Verify MS-SMB requirement: MS-SMB_R9975.
//
Site.CaptureRequirementIfAreEqual<Boolean>(
implemented,
isSatisfied,
9975,
String.Format("[In Extended Security Response]CAP_NT_FIND 0x00000200:This bit SHOULD<30> be " +
"set if CAP_NT_SMBS is set. This requirement is {0}implemented", implemented ? "" : "not "));
}
}
if ((sutOsVersion == Platform.Win2K) ||
(sutOsVersion == Platform.Win2K3) ||
(sutOsVersion == Platform.Win2K3R2) ||
(sutOsVersion == Platform.Win2K8) ||
(sutOsVersion == Platform.Win2K8R2))
{
if (response.SmbData.SecurityBlob.Length >= 0)
{
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R4748");
// Protocol SDK have ensured to encode SecurityBlob as GSS token. Here capture this requirement
// directly.
Site.CaptureRequirement(
4748,
@"[In Receiving an SMB_COM_NEGOTIATE Request] <112>Section 3.3.5.2: Windows-based SMB
serverssupport Extended Security, and are configured to use SPNEGO (as specified in [RFC4178])
as their GSS authentication protocol.");
//
// The following statement code will be run only when debugging.
//
Site.Log.Add(LogEntryKind.Debug,
@"Verify MS-SMB_R4749");
// The protocol SDK has ensured to encode SecurityBlob as GSS token. Here capture this requirement
// directly.
Site.CaptureRequirement(
4749,
@"[In Receiving an SMB_COM_NEGOTIATE Request] <112>Section 3.3.5.2: Windows operating systems
that use extended security send a GSS token (or fragment) if their SPNEGO implementation
supports it.");
}
}
}