/// <summary>
/// The server MUST sign the message under the following conditions
/// </summary>
private static void VerifyResponseShouldSign(
ModelSmb2Status status,
SigningModelRequest request,
SigningModelSessionId sessionId,
SigningFlagType signingFlagType)
{
if (request.signingFlagType == SigningFlagType.SignedFlagSet &&
sessionId == SigningModelSessionId.NonZeroSessionId &&
Session_SigningRequired)
{
ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the request was signed by the client, the response message being sent contains a nonzero SessionId and a zero TreeId in the SMB2 header, " +
"and the session identified by SessionId has Session.SigningRequired equal to TRUE.");
ModelHelper.Log(LogType.TestInfo, "The condition is met.");
Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
}
else if (request.signingFlagType == SigningFlagType.SignedFlagSet)
{
ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the request was signed by the client, and the response is not an interim response to an asynchronously processed request.");
ModelHelper.Log(LogType.TestInfo, "The condition is met.");
Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
}
}
public void NegotiateRequest(ModelDialectRevision maxSmbVersionClientSupported, SigningFlagType signingFlagType, SigningEnabledType signingEnabledType, SigningRequiredType signingRequiredType)
{
testClient = new Smb2FunctionalClient(testConfig.Timeout, testConfig, this.Site);
testClient.ConnectToServer(testConfig.UnderlyingTransport, testConfig.SutComputerName, testConfig.SutIPAddress);
DialectRevision[] dialects = Smb2Utility.GetDialects(ModelUtility.GetDialectRevision(maxSmbVersionClientSupported));
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
SigningEnabledType resSigningEnabledType = SigningEnabledType.SigningEnabledNotSet;
SigningRequiredType resSigningRequiredType = SigningRequiredType.SigningRequiredNotSet;
uint status = testClient.Negotiate(
headerFlags,
dialects,
GetNegotiateSecurityMode(signingEnabledType, signingRequiredType),
checker: (header, response) =>
{
resSigningEnabledType =
response.SecurityMode.HasFlag(NEGOTIATE_Response_SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED) ?
SigningEnabledType.SigningEnabledSet : SigningEnabledType.SigningEnabledNotSet;
resSigningRequiredType =
response.SecurityMode.HasFlag(NEGOTIATE_Response_SecurityMode_Values.NEGOTIATE_SIGNING_REQUIRED) ?
SigningRequiredType.SigningRequiredSet : SigningRequiredType.SigningRequiredNotSet;
});
NegotiateResponse((ModelSmb2Status)status, resSigningEnabledType, resSigningRequiredType, signingConfig);
}
public void TreeConnectRequest(SigningFlagType signingFlagType)
{
uint treeId;
SigningModelSessionId modelSessionId = SigningModelSessionId.ZeroSessionId;
SigningFlagType responseSigningFlagType = SigningFlagType.SignedFlagNotSet;
string sharePath = Smb2Utility.GetUncPath(testConfig.SutComputerName, testConfig.BasicFileShare);
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
// Inform SDK to disable/enable signing according to SigningFlagType.
bool isEnableSigning = !(signingFlagType == SigningFlagType.SignedFlagNotSet);
testClient.EnableSessionSigningAndEncryption(enableSigning: isEnableSigning, enableEncryption: false);
uint status = testClient.TreeConnect(
headerFlags,
sharePath,
out treeId,
checker: (header, response) =>
{
modelSessionId = GetModelSessionId(header.SessionId);
responseSigningFlagType = GetSigningFlagType(header.Flags);
});
TreeConnectResponse((ModelSmb2Status)status, modelSessionId, responseSigningFlagType);
}
public SigningModelRequest(
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType)
: base(0)
{
this.signingFlagType = signingFlagType;
this.signingEnabledType = signingEnabledType;
this.signingRequiredType = signingRequiredType;
}
public static void SessionSetupResponse(
ModelSmb2Status status,
SigningModelSessionId sessionId,
SigningFlagType signingFlagType,
SessionFlags_Values sessionFlag,
SigningConfig c)
{
Condition.IsTrue(State == ModelState.Connected);
Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);
SigningModelRequest sessionSetupRequest = ModelHelper.RetrieveOutstandingRequest <SigningModelRequest>(ref Request);
if (!VerifySignature(status, sessionSetupRequest))
{
State = ModelState.Uninitialized;
return;
}
if (sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet ||
(!sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST) &&
!Session_IsAnonymous &&
(Connection_ShouldSign || c.IsServerSigningRequired)))
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.5.3: 5. Session.SigningRequired MUST be set to TRUE under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request.");
ModelHelper.Log(LogType.Requirement,
"\tIf the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field " +
"and Session.IsAnonymous is FALSE and either Connection.ShouldSign or global RequireMessageSigning is TRUE.");
ModelHelper.Log(LogType.TestInfo,
"SMB2_NEGOTIATE_SIGNING_REQUIRED is {0}set.", sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet ? "" : "not ");
ModelHelper.Log(LogType.TestInfo,
"SMB2_SESSION_FLAG_IS_GUEST bit is {0}set.", sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST) ? "" : "not ");
ModelHelper.Log(LogType.TestInfo, "Session.IsAnonymous is {0}.", Session_IsAnonymous);
ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is {0}.", Connection_ShouldSign);
ModelHelper.Log(LogType.TestInfo, "Global RequireMessageSigning is {0}.", c.IsServerSigningRequired);
ModelHelper.Log(LogType.TestInfo, "So Session.SigningRequired is set to TRUE.");
Session_SigningRequired = true;
}
VerifyResponseShouldSign(status, sessionSetupRequest, sessionId, signingFlagType);
Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
Session_IsExisted = true;
}
public static void SessionSetupRequest(
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType,
UserType userType)
{
Condition.IsTrue(State == ModelState.Connected);
// Add isolate for SigningFlagType to reduce redundant cases: If the signingFlagType is set to SignedFlagSet, server will always return
// error code STATUS_USER_SESSION_DELETED while verifying signature, we don't need to cover all the invalid combination with other params.
Combination.Isolated(signingFlagType == SigningFlagType.SignedFlagSet);
ModelHelper.Log(LogType.Requirement, "3.3.5.5.1: The other values MUST be initialized as follows:");
ModelHelper.Log(LogType.Requirement, "\tSession.SigningRequired is set to FALSE.");
Session_SigningRequired = false;
Request = new SigningModelRequest(signingFlagType);
}
public static void NegotiateRequest(
ModelDialectRevision maxSmbVersionClientSupported,
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType)
{
Condition.IsTrue(State == ModelState.Initialized);
Condition.IsNull(Request);
// Add isolate for SigningFlagType to reduce redundant cases: If the signingFlagType is set to SignedFlagSet, server will always return error
// code STATUS_INVALID_PARAMETER, we don't need to cover all the invalid combination with other params.
Combination.Isolated(signingFlagType == SigningFlagType.SignedFlagSet);
NegotiateDialect = ModelHelper.DetermineNegotiateDialect(maxSmbVersionClientSupported, Config.MaxSmbVersionSupported);
Request = new SigningModelRequest(signingFlagType, signingEnabledType, signingRequiredType);
State = ModelState.Connected;
}
public static void NegotiateRequest(
ModelDialectRevision maxSmbVersionClientSupported,
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType)
{
Condition.IsTrue(State == ModelState.Initialized);
Condition.IsNull(Request);
// Add isolate for SigningFlagType to reduce redundant cases: If the signingFlagType is set to SignedFlagSet, server will always return error
// code STATUS_INVALID_PARAMETER, we don't need to cover all the invalid combination with other params.
Combination.Isolated(signingFlagType == SigningFlagType.SignedFlagSet);
NegotiateDialect = ModelHelper.DetermineNegotiateDialect(maxSmbVersionClientSupported, Config.MaxSmbVersionSupported);
Request = new SigningModelRequest(signingFlagType, signingEnabledType, signingRequiredType);
State = ModelState.Connected;
}
public void SessionSetupRequest(SigningFlagType signingFlagType, SigningEnabledType signingEnabledType, SigningRequiredType signingRequiredType, UserType userType)
{
SigningModelSessionId modelSessionId = SigningModelSessionId.ZeroSessionId;
SessionFlags_Values sessionFlag = SessionFlags_Values.NONE;
SigningFlagType responseSigningFlagType = SigningFlagType.SignedFlagNotSet;
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
uint status = testClient.SessionSetup(
headerFlags,
testConfig.DefaultSecurityPackage,
testConfig.SutComputerName,
GetAccountCredential(userType),
true,
GetSessionSetupSecurityMode(signingEnabledType, signingRequiredType),
checker: (header, response) =>
{
modelSessionId = GetModelSessionId(header.SessionId);
responseSigningFlagType = GetSigningFlagType(header.Flags);
sessionFlag = response.SessionFlags;
});
SessionSetupResponse((ModelSmb2Status)status, modelSessionId, responseSigningFlagType, sessionFlag, signingConfig);
}
public void SessionSetupRequest(SigningFlagType signingFlagType, SigningEnabledType signingEnabledType, SigningRequiredType signingRequiredType, UserType userType)
{
SigningModelSessionId modelSessionId = SigningModelSessionId.ZeroSessionId;
SessionFlags_Values sessionFlag = SessionFlags_Values.NONE;
SigningFlagType responseSigningFlagType = SigningFlagType.SignedFlagNotSet;
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
uint status = testClient.SessionSetup(
headerFlags,
testConfig.DefaultSecurityPackage,
testConfig.SutComputerName,
GetAccountCredential(userType),
true,
GetSessionSetupSecurityMode(signingEnabledType, signingRequiredType),
checker: (header, response) =>
{
modelSessionId = GetModelSessionId(header.SessionId);
responseSigningFlagType = GetSigningFlagType(header.Flags);
sessionFlag = response.SessionFlags;
});
SessionSetupResponse((ModelSmb2Status)status, modelSessionId, responseSigningFlagType, sessionFlag, signingConfig);
}
public static void SessionSetupRequest(
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType,
UserType userType)
{
Condition.IsTrue(State == ModelState.Connected);
// Add isolate for SigningFlagType to reduce redundant cases: If the signingFlagType is set to SignedFlagSet, server will always return
// error code STATUS_USER_SESSION_DELETED while verifying signature, we don't need to cover all the invalid combination with other params.
Combination.Isolated(signingFlagType == SigningFlagType.SignedFlagSet);
ModelHelper.Log(LogType.Requirement, "3.3.5.5.1: The other values MUST be initialized as follows:");
ModelHelper.Log(LogType.Requirement, "\tSession.SigningRequired is set to FALSE.");
Session_SigningRequired = false;
Request = new SigningModelRequest(signingFlagType);
}
public void TreeConnectRequest(SigningFlagType signingFlagType)
{
uint treeId;
SigningModelSessionId modelSessionId = SigningModelSessionId.ZeroSessionId;
SigningFlagType responseSigningFlagType = SigningFlagType.SignedFlagNotSet;
string sharePath = Smb2Utility.GetUncPath(testConfig.SutComputerName, testConfig.BasicFileShare);
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
if (signingFlagType == SigningFlagType.SignedFlagNotSet)
{
// Inform SDK to disable signning.
testClient.EnableSessionSigningAndEncryption(enableSigning: false, enableEncryption: false);
}
uint status = testClient.TreeConnect(
headerFlags,
sharePath,
out treeId,
checker: (header, response) =>
{
modelSessionId = GetModelSessionId(header.SessionId);
responseSigningFlagType = GetSigningFlagType(header.Flags);
});
TreeConnectResponse((ModelSmb2Status)status, modelSessionId, responseSigningFlagType);
}
public static void SessionSetupResponse(
ModelSmb2Status status,
SigningModelSessionId sessionId,
SigningFlagType signingFlagType,
SessionFlags_Values sessionFlag,
SigningConfig c)
{
Condition.IsTrue(State == ModelState.Connected);
Condition.IsTrue(Config.IsServerSigningRequired == c.IsServerSigningRequired);
SigningModelRequest sessionSetupRequest = ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);
if (!VerifySignature(status, sessionSetupRequest))
{
State = ModelState.Uninitialized;
return;
}
if (sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet
|| (!sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST)
&& !Session_IsAnonymous
&& (Connection_ShouldSign || c.IsServerSigningRequired)))
{
ModelHelper.Log(LogType.Requirement,
"3.3.5.5.3: 5. Session.SigningRequired MUST be set to TRUE under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the SMB2_NEGOTIATE_SIGNING_REQUIRED bit is set in the SecurityMode field of the client request.");
ModelHelper.Log(LogType.Requirement,
"\tIf the SMB2_SESSION_FLAG_IS_GUEST bit is not set in the SessionFlags field " +
"and Session.IsAnonymous is FALSE and either Connection.ShouldSign or global RequireMessageSigning is TRUE.");
ModelHelper.Log(LogType.TestInfo,
"SMB2_NEGOTIATE_SIGNING_REQUIRED is {0}set.", sessionSetupRequest.signingFlagType == SigningFlagType.SignedFlagSet ? "" : "not ");
ModelHelper.Log(LogType.TestInfo,
"SMB2_SESSION_FLAG_IS_GUEST bit is {0}set.", sessionFlag.HasFlag(SessionFlags_Values.SESSION_FLAG_IS_GUEST) ? "" : "not ");
ModelHelper.Log(LogType.TestInfo, "Session.IsAnonymous is {0}.", Session_IsAnonymous);
ModelHelper.Log(LogType.TestInfo, "Connection.ShouldSign is {0}.", Connection_ShouldSign);
ModelHelper.Log(LogType.TestInfo, "Global RequireMessageSigning is {0}.", c.IsServerSigningRequired);
ModelHelper.Log(LogType.TestInfo, "So Session.SigningRequired is set to TRUE.");
Session_SigningRequired = true;
}
VerifyResponseShouldSign(status, sessionSetupRequest, sessionId, signingFlagType);
Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
Session_IsExisted = true;
}
public static void TreeConnectRequest(SigningFlagType signingFlagType)
{
Condition.IsTrue(State == ModelState.Connected);
Request = new SigningModelRequest(signingFlagType);
}
public SigningModelRequest(
SigningFlagType signingFlagType)
: base(0)
{
this.signingFlagType = signingFlagType;
}
public void NegotiateRequest(ModelDialectRevision maxSmbVersionClientSupported, SigningFlagType signingFlagType, SigningEnabledType signingEnabledType, SigningRequiredType signingRequiredType)
{
testClient = new Smb2FunctionalClient(testConfig.Timeout, testConfig, this.Site);
testClient.ConnectToServer(testConfig.UnderlyingTransport, testConfig.SutComputerName, testConfig.SutIPAddress);
DialectRevision[] dialects = Smb2Utility.GetDialects(ModelUtility.GetDialectRevision(maxSmbVersionClientSupported));
Packet_Header_Flags_Values headerFlags = (signingFlagType == SigningFlagType.SignedFlagSet) ? Packet_Header_Flags_Values.FLAGS_SIGNED : Packet_Header_Flags_Values.NONE;
SigningEnabledType resSigningEnabledType = SigningEnabledType.SigningEnabledNotSet;
SigningRequiredType resSigningRequiredType = SigningRequiredType.SigningRequiredNotSet;
uint status = testClient.Negotiate(
headerFlags,
dialects,
GetNegotiateSecurityMode(signingEnabledType, signingRequiredType),
checker: (header, response) =>
{
resSigningEnabledType =
response.SecurityMode.HasFlag(NEGOTIATE_Response_SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED) ?
SigningEnabledType.SigningEnabledSet : SigningEnabledType.SigningEnabledNotSet;
resSigningRequiredType =
response.SecurityMode.HasFlag(NEGOTIATE_Response_SecurityMode_Values.NEGOTIATE_SIGNING_REQUIRED) ?
SigningRequiredType.SigningRequiredSet : SigningRequiredType.SigningRequiredNotSet;
});
NegotiateResponse((ModelSmb2Status)status, resSigningEnabledType, resSigningRequiredType, signingConfig);
}
/// <summary>
/// The server MUST sign the message under the following conditions
/// </summary>
private static void VerifyResponseShouldSign(
ModelSmb2Status status,
SigningModelRequest request,
SigningModelSessionId sessionId,
SigningFlagType signingFlagType)
{
if (request.signingFlagType == SigningFlagType.SignedFlagSet
&& sessionId == SigningModelSessionId.NonZeroSessionId
&& Session_SigningRequired)
{
ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the request was signed by the client, the response message being sent contains a nonzero SessionId and a zero TreeId in the SMB2 header, " +
"and the session identified by SessionId has Session.SigningRequired equal to TRUE.");
ModelHelper.Log(LogType.TestInfo, "The condition is met.");
Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
}
else if (request.signingFlagType == SigningFlagType.SignedFlagSet)
{
ModelHelper.Log(LogType.Requirement, "3.3.4.1.1: The server SHOULD<182> sign the message under the following conditions:");
ModelHelper.Log(LogType.Requirement,
"\tIf the request was signed by the client, and the response is not an interim response to an asynchronously processed request.");
ModelHelper.Log(LogType.TestInfo, "The condition is met.");
Condition.IsTrue(signingFlagType == SigningFlagType.SignedFlagSet);
}
}
public static void TreeConnectResponse(ModelSmb2Status status, SigningModelSessionId sessionId, SigningFlagType signingFlagType)
{
Condition.IsTrue(State == ModelState.Connected);
SigningModelRequest treeConnectRequest = ModelHelper.RetrieveOutstandingRequest<SigningModelRequest>(ref Request);
if (!VerifySignature(status, treeConnectRequest))
{
return;
}
VerifyResponseShouldSign(status, treeConnectRequest, sessionId, signingFlagType);
Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
}
public static void TreeConnectRequest(SigningFlagType signingFlagType)
{
Condition.IsTrue(State == ModelState.Connected);
Request = new SigningModelRequest(signingFlagType);
}
public static void TreeConnectResponse(ModelSmb2Status status, SigningModelSessionId sessionId, SigningFlagType signingFlagType)
{
Condition.IsTrue(State == ModelState.Connected);
SigningModelRequest treeConnectRequest = ModelHelper.RetrieveOutstandingRequest <SigningModelRequest>(ref Request);
if (!VerifySignature(status, treeConnectRequest))
{
return;
}
VerifyResponseShouldSign(status, treeConnectRequest, sessionId, signingFlagType);
Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS);
}
public SigningModelRequest(
SigningFlagType signingFlagType,
SigningEnabledType signingEnabledType,
SigningRequiredType signingRequiredType)
: base(0)
{
this.signingFlagType = signingFlagType;
this.signingEnabledType = signingEnabledType;
this.signingRequiredType = signingRequiredType;
}
public SigningModelRequest(
SigningFlagType signingFlagType)
: base(0)
{
this.signingFlagType = signingFlagType;
}
