private static void ReAuthentication(ModelSmb2Status status, ModelSessionSetupRequest sessionSetupRequest) { // Update both GlobalSessionTable and ConnectionList ModelHelper.Log(LogType.Requirement, "3.3.5.5.2: Session.State MUST be set to InProgress"); GlobalSessionTable[sessionSetupRequest.sessionId].State = ModelSessionState.InProgress; ModelHelper.Log(LogType.Requirement, "Authentication is continued as specified in section 3.3.5.5.3."); HandleGssApiAuth(status, sessionSetupRequest); }
private static void AuthNewSession(ModelSmb2Status status, ModelSessionSetupRequest sessionSetupRequest) { ModelHelper.Log(LogType.Requirement, "3.3.5.5.1: A session object MUST be allocated for this request. "); ModelSession session = new ModelSession(); ModelSessionId?sessionId = null; if (!GlobalSessionTable.ContainsKey(ModelSessionId.MainSessionId)) { sessionId = ModelSessionId.MainSessionId; } else { sessionId = ModelSessionId.AlternativeSessionId; } // Update sessionId to new created one from zero sessionSetupRequest.sessionId = sessionId.Value; ModelHelper.Log(LogType.Requirement, "The other values MUST be initialized as follows:"); session.Dialect = ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect; ModelHelper.Log(LogType.Requirement, "Session.State is set to InProgress."); session.State = ModelSessionState.InProgress; session.SessionId = sessionId.Value; ModelHelper.Log(LogType.Requirement, "The session MUST be inserted into the GlobalSessionTable and a unique Session.SessionId is assigned to serve as a lookup key in the table. "); GlobalSessionTable.Add(sessionSetupRequest.sessionId, session); ModelHelper.Log(LogType.Requirement, "The session MUST be inserted into Connection.SessionTable. "); ConnectionList[sessionSetupRequest.connectionId].Session = session; ModelHelper.Log(LogType.Requirement, "Using this session, authentication is continued as specified in section 3.3.5.5.3."); HandleGssApiAuth(status, sessionSetupRequest); }
private static void HandleGssApiAuth(ModelSmb2Status status, ModelSessionSetupRequest sessionSetupRequest) { ModelHelper.Log(LogType.Requirement, "3.3.5.5.3: 1. The status code in the SMB2 header of the response MUST be set to STATUS_SUCCESS. "); if (status != ModelSmb2Status.STATUS_SUCCESS) { return; } if (ModelUtility.IsSmb3xFamily(ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect)) { ModelHelper.Log(LogType.Requirement, "If Connection.Dialect belongs to the SMB 3.x dialect family, the server MUST insert the Session into Connection.SessionTable. "); ModelHelper.Log(LogType.TestInfo, "Connection.Dialect is {0}", ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect); ConnectionList[sessionSetupRequest.connectionId].Session = GlobalSessionTable[sessionSetupRequest.sessionId]; } ModelHelper.Log(LogType.Requirement, "If Session.IsAnonymous is FALSE, the server MUST set Connection.ConstrainedConnection to FALSE."); ModelHelper.Log(LogType.TestInfo, "Session.IsAnonymous is FALSE, so set Connection.ConstrainedConnection to FALSE"); ConnectionList[sessionSetupRequest.connectionId].ConstrainedConnection = false; /* * Assuming STATUS_SUCCESS indicates final message in the authentication exchange * * Skip following requirement according to assumption 6. * If the returned anon_state is TRUE, the server MUST set Session.IsAnonymous to TRUE and the server MAY set * the SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags field of the SMB2 SESSION_SETUP Response. * Otherwise, if the returned src_name corresponds to an implementation-specific guest user,<211> * the server MUST set the SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags field of the SMB2 SESSION_SETUP Response * and MUST set Session.IsGuest to TRUE. */ if (sessionSetupRequest.previousSessionId != ModelSessionId.ZeroSessionId) { ModelHelper.Log(LogType.Requirement, "12. If the PreviousSessionId field of the request is not equal to zero, the server MUST take the following actions:"); ModelHelper.Log(LogType.TestInfo, "PreviousSessionId is not equal to zero."); ModelHelper.Log(LogType.Requirement, "1. The server MUST look up the old session in GlobalSessionTable, where Session.SessionId matches PreviousSessionId. "); if (GlobalSessionTable.ContainsKey(sessionSetupRequest.previousSessionId)) { ModelHelper.Log(LogType.Requirement, "If a session is found with Session.SessionId equal to PreviousSessionId, " + "the server MUST determine if the old session and the newly established session are created by the same user " + "by comparing the user identifiers obtained from the Session.SecurityContext on the new and old session."); ModelHelper.Log(LogType.TestInfo, "There is a session with Session.SessionId equal to PreviousSessionId."); if (sessionSetupRequest.previousSessionId == sessionSetupRequest.sessionId) { ModelHelper.Log(LogType.Requirement, "1. If the PreviousSessionId and SessionId values in the SMB2 header of the request are equal, " + "the server SHOULD<230> ignore PreviousSessionId and no other processing is required."); ModelHelper.Log(LogType.TestInfo, "PreviousSessionId is equal to SessionId."); // Do nothing } else if (sessionSetupRequest.user == ModelUser.DefaultUser) { ModelHelper.Log(LogType.Requirement, "2. Otherwise, if the server determines the authentications were for the same user, " + "the server MUST remove the old session from the GlobalSessionTable and also from the Connection.SessionTable, as specified in section 3.3.7.1."); ModelHelper.Log(LogType.TestInfo, "The authentications were for the same user"); GlobalSessionTable.Remove(sessionSetupRequest.previousSessionId); } } } ModelHelper.Log(LogType.Requirement, "13. Session.State MUST be set to Valid."); // Update both GlobalSessionTable and ConnectionList GlobalSessionTable[sessionSetupRequest.sessionId].State = ModelSessionState.Valid; ConnectionList[sessionSetupRequest.connectionId].Session.State = ModelSessionState.Valid; }
public static void SessionSetupResponse(ModelSmb2Status status, ModelConnectionId connectionId, SessionMgmtConfig c) { VerifyConnection(connectionId); Condition.IsNotNull(ConnectionList[connectionId].Request); Condition.IsTrue(config.Platform == c.Platform); Condition.IsTrue(config.IsMultiChannelCapable == c.IsMultiChannelCapable); ModelSessionSetupRequest sessionSetupRequest = RetrieveOutstandingRequest <ModelSessionSetupRequest>(connectionId); if (sessionSetupRequest.isSigned) { ModelHelper.Log(LogType.Requirement, "3.3.5.2.4: If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server MUST verify the signature."); ModelHelper.Log(LogType.TestInfo, "SMB2_FLAGS_SIGNED is set in the SMB2 header of the SessionSetup Request."); // If server does not support Multiple channel then whether binding is set is meaningless. if (config.IsMultiChannelCapable && sessionSetupRequest.flags == ModelFlags.Binding) { ModelHelper.Log(LogType.Requirement, "If the request is for binding the session, the server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request. "); ModelHelper.Log(LogType.TestInfo, "SMB2_SESSION_FLAG_BINDING bit is set."); if (!GlobalSessionTable.ContainsKey(sessionSetupRequest.sessionId)) { ModelHelper.Log(LogType.Requirement, "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " + "with the error code STATUS_USER_SESSION_DELETED. "); ModelHelper.Log(LogType.TestInfo, "The session is not found in GlobalSessionTable."); ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier); Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED); return; } } else { ModelHelper.Log(LogType.Requirement, "For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request."); ModelHelper.Log(LogType.TestInfo, "SMB2_SESSION_FLAG_BINDING bit is not set."); if (ConnectionList[connectionId].Session == null || ConnectionList[connectionId].Session.SessionId != sessionSetupRequest.sessionId) { ModelHelper.Log(LogType.Requirement, "If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), " + "with the error code STATUS_USER_SESSION_DELETED. "); ModelHelper.Log(LogType.TestInfo, "The session is not found in Connection.SessionTable."); ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier); Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED); return; } } } if (sessionSetupRequest.sessionId == ModelSessionId.ZeroSessionId) { ModelHelper.Log(LogType.Requirement, "3.3.5.5: 3. If SessionId in the SMB2 header of the request is zero, the server MUST process the authentication request as specified in section 3.3.5.5.1."); ModelHelper.Log(LogType.TestInfo, "The SessionId of the SessionSetup Request is zero"); AuthNewSession(status, sessionSetupRequest); Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS || status == ModelSmb2Status.STATUS_MORE_PROCESSING_REQUIRED); return; } if (ModelUtility.IsSmb3xFamily(ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect) && config.IsMultiChannelCapable && sessionSetupRequest.flags == ModelFlags.Binding) { ModelHelper.Log(LogType.Requirement, "3.3.5.5: 4. If Connection.Dialect belongs to the SMB 3.x dialect family, IsMultiChannelCapable is TRUE," + "and the SMB2_SESSION_FLAG_BINDING bit is set in the Flags field of the request, the server MUST perform the following:" + "The server MUST look up the session in GlobalSessionTable using the SessionId from the SMB2 header."); ModelHelper.Log(LogType.TestInfo, "Connection.Dialect is {0}, IsMultiChannelCapable is TRUE, and the SMB2_SESSION_FLAG_BINDING bit is set", ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect); if (!GlobalSessionTable.ContainsKey(sessionSetupRequest.sessionId)) { ModelHelper.Log(LogType.Requirement, "If the session is not found, the server MUST fail the session setup request with STATUS_USER_SESSION_DELETED."); ModelHelper.Log(LogType.TestInfo, "The SessionId cannot be found in GlobalSessionTable"); ModelHelper.Log(LogType.TestTag, TestTag.InvalidIdentifier); Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED); return; } ModelHelper.Log(LogType.Requirement, "If a session is found, the server MUST do the following:"); if (ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect != GlobalSessionTable[sessionSetupRequest.sessionId].Dialect) { ModelHelper.Log(LogType.Requirement, "If Connection.Dialect is not the same as Session.Connection.Dialect, the server MUST fail the request with STATUS_INVALID_PARAMETER."); ModelHelper.Log(LogType.TestInfo, "The Connection.Dialect is {0}, Session.Connection.Dialect is {1}", ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect, GlobalSessionTable[sessionSetupRequest.sessionId].Dialect); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_INVALID_PARAMETER); return; } if (!sessionSetupRequest.isSigned) { ModelHelper.Log(LogType.Requirement, "If the SMB2_FLAGS_SIGNED bit is not set in the Flags field in the header, the server MUST fail the request with error STATUS_INVALID_PARAMETER."); ModelHelper.Log(LogType.TestInfo, "The SMB2_FLAGS_SIGNED bit is not set in the SessionSetup Request"); ModelHelper.Log(LogType.TestTag, TestTag.UnexpectedFields); Condition.IsTrue(status == ModelSmb2Status.STATUS_INVALID_PARAMETER); return; } if (GlobalSessionTable[sessionSetupRequest.sessionId].State == ModelSessionState.InProgress) { ModelHelper.Log(LogType.Requirement, "If Session.State is InProgress, the server MUST fail the request with STATUS_REQUEST_NOT_ACCEPTED."); ModelHelper.Log(LogType.TestInfo, "Session.State is InProgress"); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_REQUEST_NOT_ACCEPTED); return; } // If Session.IsAnonymousor Session.IsGuestis TRUE, the server MUST fail the request with STATUS_NOT_SUPPORTED. // Skip above requirement according to assumption 6. if (ConnectionList[sessionSetupRequest.connectionId].Session != null && ConnectionList[sessionSetupRequest.connectionId].Session.SessionId == sessionSetupRequest.sessionId) { ModelHelper.Log(LogType.Requirement, "If there is a session in Connection.SessionTable identified by the SessionId in the request, the server MUST fail the request with STATUS_REQUEST_NOT_ACCEPTED."); ModelHelper.Log(LogType.TestInfo, "There is a session in Connection.SessionTable which has a same SessionId in the request"); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_REQUEST_NOT_ACCEPTED); return; } // The server MUST verify the signature as specified in section 3.3.5.2.4, using the Session.SessionKey. // Skip above requirement as it is verified in signing model if (sessionSetupRequest.user == ModelUser.DiffUser) { ModelHelper.Log(LogType.Requirement, "The server MUST obtain the security context from the GSS authentication subsystem, " + "and it MUST invoke the GSS_Inquire_context call as specified in [RFC2743] section 2.2.6, " + "passing the security context as the input parameter." + "If the returned \"src_name\" does not match with the Session.Username, the server MUST fail the request with error code STATUS_NOT_SUPPORTED."); ModelHelper.Log(LogType.TestInfo, "A different user is used when binding to an existing session"); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_NOT_SUPPORTED); return; } } else { if (config.Platform == Platform.WindowsServer2012 && sessionSetupRequest.flags == ModelFlags.Binding) { ModelHelper.Log(LogType.Requirement, "<232> Section 3.3.5.5: Windows 8 and Windows Server 2012 look up the session in GlobalSessionTable using the SessionId from the SMB2 header " + "if the SMB2_SESSION_FLAG_BINDING bit is set in the Flags field of the request. "); ModelHelper.Log(LogType.TestInfo, "The SUT platform is {0}. The SMB2_SESSION_FLAG_BINDING bit is set.", config.Platform); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); if (GlobalSessionTable.ContainsKey(sessionSetupRequest.sessionId)) { ModelHelper.Log(LogType.Requirement, "If the session is found, the server fails the request with STATUS_REQUEST_NOT_ACCEPTED. "); ModelHelper.Log(LogType.TestInfo, "The session is found"); Condition.IsTrue(status == ModelSmb2Status.STATUS_REQUEST_NOT_ACCEPTED); return; } else { ModelHelper.Log(LogType.Requirement, "If the session is not found, the server fails the request with STATUS_USER_SESSION_DELETED."); ModelHelper.Log(LogType.TestInfo, "The session is not found"); Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED); return; } } if (ModelUtility.IsSmb3xFamily(config.MaxSmbVersionSupported) && ((ModelUtility.IsSmb2Family(ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect) || !config.IsMultiChannelCapable)) && sessionSetupRequest.flags == ModelFlags.Binding) { ModelHelper.Log(LogType.Requirement, "3.3.5.5: Otherwise, if the server implements the SMB 3.x dialect family, " + "and Connection.Dialect is equal to \"2.002\" or \"2.100\" or IsMultiChannelCapable is FALSE, " + "and SMB2_SESSION_FLAG_BINDING bit is set in the Flags field of the request, " + "the server SHOULD<225> fail the session setup request with STATUS_REQUEST_NOT_ACCEPTED."); ModelHelper.Log(LogType.TestInfo, "Connection.Dialect is {0}, IsMultiChannelCapable is {1}, SUT platform is {2}, Max Smb version supported is {3} and SMB2_SESSION_FLAG_BINDING bit is set.", ConnectionList[sessionSetupRequest.connectionId].NegotiateDialect, config.IsMultiChannelCapable, config.Platform, config.MaxSmbVersionSupported); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); if (config.Platform != Platform.NonWindows) { Condition.IsTrue(status == ModelSmb2Status.STATUS_REQUEST_NOT_ACCEPTED); } else { ModelHelper.Log(LogType.TestInfo, "The SUT platform is NonWindows, so the server could fail the request with other error code."); Condition.IsTrue(status != ModelSmb2Status.STATUS_SUCCESS); } return; } else { if (ConnectionList[sessionSetupRequest.connectionId].Session == null || ConnectionList[sessionSetupRequest.connectionId].Session.SessionId != sessionSetupRequest.sessionId) { ModelHelper.Log(LogType.Requirement, "3.3.5.5: Otherwise, the server MUST look up the session in Connection.SessionTable using the SessionId from the SMB2 header." + "If the session is not found, the server MUST fail the session setup request with STATUS_USER_SESSION_DELETED. "); ModelHelper.Log(LogType.TestInfo, "The session is not found using the SessionId of the request"); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_USER_SESSION_DELETED); return; } } } if (GlobalSessionTable[sessionSetupRequest.sessionId].State == ModelSessionState.Valid) { ModelHelper.Log(LogType.Requirement, "3.3.5.5: 6. If Session.State is Valid, the server SHOULD process the session setup request as specified in section 3.3.5.5.2."); ModelHelper.Log(LogType.TestInfo, "Session.State is Valid"); if (config.Platform == Platform.WindowsServer2008) { ModelHelper.Log(LogType.Requirement, "Footnote: Windows Vista SP1 and Windows Server 2008 servers fail the session setup request with STATUS_REQUEST_NOT_ACCEPTED."); ModelHelper.Log(LogType.TestInfo, "The SUT platform is Windows Server 2008"); ModelHelper.Log(LogType.TestTag, TestTag.Compatibility); Condition.IsTrue(status == ModelSmb2Status.STATUS_REQUEST_NOT_ACCEPTED); return; } if (config.Platform != Platform.NonWindows) { ModelHelper.Log(LogType.TestInfo, "The SUT platform is Windows"); ReAuthentication(status, sessionSetupRequest); Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS || status == ModelSmb2Status.STATUS_MORE_PROCESSING_REQUIRED); return; } } ModelHelper.Log(LogType.Requirement, "3.3.5.5: 7. The server MUST continue processing the request as specified in section 3.3.5.5.3."); HandleGssApiAuth(status, sessionSetupRequest); ModelHelper.Log(LogType.TestInfo, "The authentication should succeed."); Condition.IsTrue(status == ModelSmb2Status.STATUS_SUCCESS || status == ModelSmb2Status.STATUS_MORE_PROCESSING_REQUIRED); }