private void NegotiateWithEncryptionCapabilitiesContext(EncryptionAlgorithm cipherId) { if (cipherId == EncryptionAlgorithm.ENCRYPTION_NONE) { throw new ArgumentException("CipherId should be either AES-128-CCM or AES-128-GCM."); } #region Check Applicability TestConfig.CheckDialect(DialectRevision.Smb311); TestConfig.CheckCapabilities(NEGOTIATE_Response_Capabilities_Values.GLOBAL_CAP_ENCRYPTION); TestConfig.CheckEncryptionAlgorithm(cipherId); #endregion BaseTestSite.Log.Add( LogEntryKind.TestStep, "Client sends NEGOTIATE request with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context. {0} is as the preferred cipher algorithm. ", cipherId); BaseTestSite.Log.Add( LogEntryKind.TestStep, "Server should reply NEGOTIATE response with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context and {0} as cipher algorithm. ", cipherId); PreauthIntegrityHashID[] preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }; EncryptionAlgorithm[] encryptionAlgs = new EncryptionAlgorithm[] { cipherId, cipherId == EncryptionAlgorithm.ENCRYPTION_AES128_CCM? EncryptionAlgorithm.ENCRYPTION_AES128_GCM : EncryptionAlgorithm.ENCRYPTION_AES128_CCM }; client.NegotiateWithContexts( Packet_Header_Flags_Values.NONE, TestConfig.RequestDialects, capabilityValue: Capabilities_Values.GLOBAL_CAP_DIRECTORY_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_ENCRYPTION, preauthHashAlgs: preauthHashAlgs, encryptionAlgs: encryptionAlgs); BaseTestSite.Assert.AreEqual(cipherId, client.SelectedCipherID, "The selected Cipher Id should be {0}", cipherId); }
public void Signing_VerifyAesGmacSigning() { #region Check Applicability TestConfig.CheckDialect(DialectRevision.Smb311); TestConfig.CheckSigning(); #endregion var signingAlgorithms = new SigningAlgorithm[] { SigningAlgorithm.AES_GMAC }; BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends NEGOTIATE with the Aes-GMAC signing algorithm and NEGOTIATE_SIGNING_REQUIRED."); client.NegotiateWithContexts( Packet_Header_Flags_Values.NONE, Smb2Utility.GetDialects(DialectRevision.Smb311), SecurityMode_Values.NEGOTIATE_SIGNING_REQUIRED, preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }, compressionFlags: SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE, signingAlgorithms: signingAlgorithms, checker: (Packet_Header header, NEGOTIATE_Response response) => { BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_SUCCESS, header.Status, "SUT MUST return STATUS_SUCCESS if the negotiation finished successfully."); }); BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends SESSION_SETUP request and expects response."); client.SessionSetup( TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, TestConfig.AccountCredential, TestConfig.UseServerGssToken, SESSION_SETUP_Request_SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED); string uncSharepath = Smb2Utility.GetUncPath(TestConfig.SutComputerName, TestConfig.BasicFileShare); uint treeId; BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends TREE_CONNECT to share: {0}", uncSharepath); client.TreeConnect( uncSharepath, out treeId, (Packet_Header header, TREE_CONNECT_Response response) => { BaseTestSite.Assert.AreEqual( Smb2Status.STATUS_SUCCESS, header.Status, "TreeConnect should succeed, actually server returns {0}.", Smb2Status.GetStatusCode(header.Status)); BaseTestSite.Assert.AreEqual( Packet_Header_Flags_Values.FLAGS_SIGNED, Packet_Header_Flags_Values.FLAGS_SIGNED & header.Flags, "Server should set SMB2_FLAGS_SIGNED bit in the Flags field of the SMB2 header"); }); BaseTestSite.Log.Add(LogEntryKind.TestStep, "Tear down the client by sending the following requests: TREE_DISCONNECT; LOG_OFF"); client.TreeDisconnect(treeId); client.LogOff(); }
public void Negotiate_SMB311_WithoutAnyContexts() { if (TestConfig.MaxSmbVersionSupported < DialectRevision.Smb311) { BaseTestSite.Assert.Inconclusive("Stop to run this test case because the configured server max dialect is lower than 3.11."); } BaseTestSite.Log.Add(LogEntryKind.TestStep, "Send Negotiate request with dialect SMB 3.11, and without any Negotiate Contexts."); client.NegotiateWithContexts( Packet_Header_Flags_Values.NONE, Smb2Utility.GetDialects(DialectRevision.Smb311), preauthHashAlgs: null, encryptionAlgs: null, checker: (Packet_Header header, NEGOTIATE_Response response) => { BaseTestSite.Log.Add(LogEntryKind.TestStep, "Verify server fails the negotiate request with STATUS_INVALID_PARAMETER."); BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_INVALID_PARAMETER, header.Status, "[MS-SMB2] 3.3.5.4 If the negotiate context list does not contain exactly one SMB2_PREAUTH_INTEGRITY_CAPABILITIES negotiate context, " + "then the server MUST fail the negotiate request with STATUS_INVALID_PARAMETER."); }); }
private void NegotiateWithEncryptionCapabilitiesContext(EncryptionAlgorithm cipherId, bool sendCipherArray = false) { if (cipherId == EncryptionAlgorithm.ENCRYPTION_NONE) { throw new ArgumentException("CipherId should be either AES-128-CCM or AES-128-GCM."); } #region Check Applicability TestConfig.CheckDialect(DialectRevision.Smb311); TestConfig.CheckCapabilities(NEGOTIATE_Response_Capabilities_Values.GLOBAL_CAP_ENCRYPTION); TestConfig.CheckEncryptionAlgorithm(cipherId); #endregion BaseTestSite.Log.Add( LogEntryKind.TestStep, "Client sends NEGOTIATE request with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context. {0} is as the preferred cipher algorithm. ", cipherId); BaseTestSite.Log.Add( LogEntryKind.TestStep, "Server should reply NEGOTIATE response with dialect 3.11, SMB2_ENCRYPTION_CAPABILITIES context and {0} as cipher algorithm. ", cipherId); PreauthIntegrityHashID[] preauthHashAlgs = new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }; EncryptionAlgorithm[] encryptionAlgs = null; if (sendCipherArray) { encryptionAlgs = new EncryptionAlgorithm[] { cipherId, cipherId == EncryptionAlgorithm.ENCRYPTION_AES128_CCM? EncryptionAlgorithm.ENCRYPTION_AES128_GCM : EncryptionAlgorithm.ENCRYPTION_AES128_CCM }; } else { encryptionAlgs = new EncryptionAlgorithm[] { cipherId }; } client.NegotiateWithContexts( Packet_Header_Flags_Values.NONE, TestConfig.RequestDialects, capabilityValue: Capabilities_Values.GLOBAL_CAP_DIRECTORY_LEASING | Capabilities_Values.GLOBAL_CAP_LARGE_MTU | Capabilities_Values.GLOBAL_CAP_LEASING | Capabilities_Values.GLOBAL_CAP_ENCRYPTION, preauthHashAlgs: preauthHashAlgs, encryptionAlgs: encryptionAlgs); if (sendCipherArray) { BaseTestSite.Assert.IsTrue( TestConfig.SupportedEncryptionAlgorithmList.Contains(client.SelectedCipherID), "[MS-SMB2] 3.3.5.4 The server MUST set Connection.CipherId to one of the ciphers in the client's " + "SMB2_ENCRYPTION_CAPABILITIES Ciphers array in an implementation-specific manner."); } else { BaseTestSite.Assert.AreEqual(cipherId, client.SelectedCipherID, "The selected Cipher Id should be {0}", cipherId); } }
private void CreateTestFile(CompressionAlgorithm[] compressionAlgorithms, bool enableEncryption, out uint treeId, out FILEID fileId, bool enableChainedCompression = false) { var capabilities = Capabilities_Values.NONE; if (enableEncryption) { capabilities |= Capabilities_Values.GLOBAL_CAP_ENCRYPTION; } EncryptionAlgorithm[] encryptionAlgorithms = null; if (enableEncryption) { encryptionAlgorithms = new EncryptionAlgorithm[] { EncryptionAlgorithm.ENCRYPTION_AES128_CCM, EncryptionAlgorithm.ENCRYPTION_AES128_GCM }; } BaseTestSite.Log.Add(LogEntryKind.TestStep, "Starts a client by sending the following requests: NEGOTIATE; SESSION_SETUP; TREE_CONNECT."); client = new Smb2FunctionalClient(TestConfig.Timeout, TestConfig, BaseTestSite); client.ConnectToServer(TestConfig.UnderlyingTransport, TestConfig.SutComputerName, TestConfig.SutIPAddress); client.NegotiateWithContexts( Packet_Header_Flags_Values.NONE, TestConfig.RequestDialects, preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }, encryptionAlgs: encryptionAlgorithms, compressionAlgorithms: compressionAlgorithms, compressionFlags: enableChainedCompression ? SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_CHAINED : SMB2_COMPRESSION_CAPABILITIES_Flags.SMB2_COMPRESSION_CAPABILITIES_FLAG_NONE, capabilityValue: capabilities, checker: (Packet_Header header, NEGOTIATE_Response response) => { BaseTestSite.Assert.AreEqual(Smb2Status.STATUS_SUCCESS, header.Status, "SUT MUST return STATUS_SUCCESS if the negotiation finished successfully."); if (TestConfig.IsWindowsPlatform) { CheckCompressionAlgorithmsForWindowsImplementation(compressionAlgorithms); } else { bool isExpectedNonWindowsCompressionContext = Enumerable.SequenceEqual(client.Smb2Client.CompressionInfo.CompressionIds, compressionAlgorithms); { BaseTestSite.Assert.IsTrue(isExpectedNonWindowsCompressionContext, "[MS-SMB2] section 3.3.5.4: Non-Windows implementation MUST set CompressionAlgorithms to the CompressionIds in request if they are all supported by SUT."); } } }); client.SessionSetup( TestConfig.DefaultSecurityPackage, TestConfig.SutComputerName, TestConfig.AccountCredential, TestConfig.UseServerGssToken); if (enableEncryption) { client.EnableSessionSigningAndEncryption(enableSigning: false, enableEncryption: true); } client.TreeConnect(uncSharePath, out treeId); BaseTestSite.Log.Add(LogEntryKind.TestStep, "Client sends CREATE request with desired access set to GENERIC_READ and GENERIC_WRITE to create a file."); Smb2CreateContextResponse[] serverCreateContexts; string fileName = GetTestFileName(uncSharePath); client.Create( treeId, fileName, CreateOptions_Values.FILE_NON_DIRECTORY_FILE, out fileId, out serverCreateContexts, accessMask: AccessMask.GENERIC_READ | AccessMask.GENERIC_WRITE ); }