LCOV - code coverage report
Current view: top level - source4/torture/smb2 - session.c (source / functions) Hit Total Coverage
Test: coverage report for master 6248eab5 Lines: 2364 2562 92.3 %
Date: 2021-08-25 13:27:56 Functions: 71 71 100.0 %

          Line data    Source code
       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    test suite for SMB2 session setups
       5             : 
       6             :    Copyright (C) Michael Adam 2012
       7             : 
       8             :    This program is free software; you can redistribute it and/or modify
       9             :    it under the terms of the GNU General Public License as published by
      10             :    the Free Software Foundation; either version 3 of the License, or
      11             :    (at your option) any later version.
      12             : 
      13             :    This program is distributed in the hope that it will be useful,
      14             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :    GNU General Public License for more details.
      17             : 
      18             :    You should have received a copy of the GNU General Public License
      19             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      20             : */
      21             : 
      22             : #include "includes.h"
      23             : #include "libcli/smb2/smb2.h"
      24             : #include "libcli/smb2/smb2_calls.h"
      25             : #include "torture/torture.h"
      26             : #include "torture/util.h"
      27             : #include "torture/smb2/proto.h"
      28             : #include "../libcli/smb/smbXcli_base.h"
      29             : #include "lib/cmdline/cmdline.h"
      30             : #include "auth/credentials/credentials.h"
      31             : #include "auth/credentials/credentials_krb5.h"
      32             : #include "libcli/security/security.h"
      33             : #include "libcli/resolve/resolve.h"
      34             : #include "lib/param/param.h"
      35             : #include "lib/util/tevent_ntstatus.h"
      36             : 
      37             : #define CHECK_CREATED(tctx, __io, __created, __attribute)                       \
      38             :         do {                                                                    \
      39             :                 torture_assert_int_equal(tctx, (__io)->out.create_action,    \
      40             :                                                 NTCREATEX_ACTION_ ## __created, \
      41             :                                                 "out.create_action incorrect");       \
      42             :                 torture_assert_int_equal(tctx, (__io)->out.size, 0,          \
      43             :                                                 "out.size incorrect");                \
      44             :                 torture_assert_int_equal(tctx, (__io)->out.file_attr,                \
      45             :                                                 (__attribute),                  \
      46             :                                                 "out.file_attr incorrect");   \
      47             :                 torture_assert_int_equal(tctx, (__io)->out.reserved2, 0,     \
      48             :                                 "out.reserverd2 incorrect");                  \
      49             :         } while(0)
      50             : 
      51             : #define WAIT_FOR_ASYNC_RESPONSE(req) \
      52             :         while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) { \
      53             :                 if (tevent_loop_once(tctx->ev) != 0) { \
      54             :                         break; \
      55             :                 } \
      56             :         }
      57             : 
      58             : /**
      59             :  * basic test for doing a session reconnect
      60             :  */
      61          10 : bool test_session_reconnect1(struct torture_context *tctx, struct smb2_tree *tree)
      62             : {
      63             :         NTSTATUS status;
      64          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
      65             :         char fname[256];
      66             :         struct smb2_handle _h1;
      67          10 :         struct smb2_handle *h1 = NULL;
      68             :         struct smb2_handle _h2;
      69          10 :         struct smb2_handle *h2 = NULL;
      70             :         struct smb2_create io1, io2;
      71             :         uint64_t previous_session_id;
      72          10 :         bool ret = true;
      73          10 :         struct smb2_tree *tree2 = NULL;
      74             :         union smb_fileinfo qfinfo;
      75             : 
      76             :         /* Add some random component to the file name. */
      77          10 :         snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
      78             :                  generate_random_str(tctx, 8));
      79             : 
      80          10 :         smb2_util_unlink(tree, fname);
      81             : 
      82          10 :         smb2_oplock_create_share(&io1, fname,
      83             :                                  smb2_util_share_access(""),
      84          10 :                                  smb2_util_oplock_level("b"));
      85             : 
      86          10 :         status = smb2_create(tree, mem_ctx, &io1);
      87          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
      88             :                                         "smb2_create failed");
      89          10 :         _h1 = io1.out.file.handle;
      90          10 :         h1 = &_h1;
      91          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
      92          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
      93             :                                         smb2_util_oplock_level("b"),
      94             :                                         "oplock_level incorrect");
      95             : 
      96             :         /* disconnect, reconnect and then do durable reopen */
      97          10 :         previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
      98             : 
      99          10 :         torture_assert_goto(tctx, torture_smb2_connection_ext(tctx, previous_session_id,
     100             :                             &tree->session->transport->options, &tree2),
     101             :                             ret, done,
     102             :                             "session reconnect failed\n");
     103             : 
     104             :         /* try to access the file via the old handle */
     105             : 
     106          10 :         ZERO_STRUCT(qfinfo);
     107          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     108          10 :         qfinfo.generic.in.file.handle = _h1;
     109          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     110          10 :         torture_assert_ntstatus_equal_goto(tctx, status,
     111             :                                            NT_STATUS_USER_SESSION_DELETED,
     112             :                                            ret, done, "smb2_getinfo_file "
     113             :                                            "returned unexpected status");
     114           8 :         h1 = NULL;
     115             : 
     116           8 :         smb2_oplock_create_share(&io2, fname,
     117             :                                  smb2_util_share_access(""),
     118           8 :                                  smb2_util_oplock_level("b"));
     119             : 
     120           8 :         status = smb2_create(tree2, mem_ctx, &io2);
     121           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     122             :                                         "smb2_create failed");
     123             : 
     124           8 :         CHECK_CREATED(tctx, &io2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
     125           8 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     126             :                                         smb2_util_oplock_level("b"),
     127             :                                         "oplock_level incorrect");
     128           8 :         _h2 = io2.out.file.handle;
     129           8 :         h2 = &_h2;
     130             : 
     131          10 : done:
     132          10 :         if (h1 != NULL) {
     133           2 :                 smb2_util_close(tree, *h1);
     134             :         }
     135          10 :         if (h2 != NULL) {
     136           8 :                 smb2_util_close(tree2, *h2);
     137             :         }
     138             : 
     139          10 :         if (tree2 != NULL) {
     140          10 :                 smb2_util_unlink(tree2, fname);
     141             :         }
     142          10 :         smb2_util_unlink(tree, fname);
     143             : 
     144          10 :         talloc_free(tree);
     145          10 :         talloc_free(tree2);
     146             : 
     147          10 :         talloc_free(mem_ctx);
     148             : 
     149          10 :         return ret;
     150             : }
     151             : 
     152             : /**
     153             :  * basic test for doing a session reconnect on one connection
     154             :  */
     155          10 : bool test_session_reconnect2(struct torture_context *tctx, struct smb2_tree *tree)
     156             : {
     157             :         NTSTATUS status;
     158          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     159             :         char fname[256];
     160             :         struct smb2_handle _h1;
     161          10 :         struct smb2_handle *h1 = NULL;
     162             :         struct smb2_create io1;
     163             :         uint64_t previous_session_id;
     164          10 :         bool ret = true;
     165          10 :         struct smb2_session *session2 = NULL;
     166             :         union smb_fileinfo qfinfo;
     167             : 
     168             :         /* Add some random component to the file name. */
     169          10 :         snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
     170             :                  generate_random_str(tctx, 8));
     171             : 
     172          10 :         smb2_util_unlink(tree, fname);
     173             : 
     174          10 :         smb2_oplock_create_share(&io1, fname,
     175             :                                  smb2_util_share_access(""),
     176          10 :                                  smb2_util_oplock_level("b"));
     177          10 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
     178             : 
     179          10 :         status = smb2_create(tree, mem_ctx, &io1);
     180          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     181             :                                         "smb2_create failed");
     182          10 :         _h1 = io1.out.file.handle;
     183          10 :         h1 = &_h1;
     184          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     185          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     186             :                                         smb2_util_oplock_level("b"),
     187             :                                         "oplock_level incorrect");
     188             : 
     189             :         /* disconnect, reconnect and then do durable reopen */
     190          10 :         previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
     191             : 
     192          10 :         torture_assert(tctx, torture_smb2_session_setup(tctx, tree->session->transport,
     193             :                                 previous_session_id, tctx, &session2),
     194             :                                 "session reconnect (on the same connection) failed");
     195             : 
     196             :         /* try to access the file via the old handle */
     197             : 
     198          10 :         ZERO_STRUCT(qfinfo);
     199          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     200          10 :         qfinfo.generic.in.file.handle = _h1;
     201          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     202          10 :         torture_assert_ntstatus_equal_goto(tctx, status,
     203             :                                            NT_STATUS_USER_SESSION_DELETED,
     204             :                                            ret, done, "smb2_getinfo_file "
     205             :                                            "returned unexpected status");
     206           8 :         h1 = NULL;
     207             : 
     208          10 : done:
     209          10 :         if (h1 != NULL) {
     210           2 :                 smb2_util_close(tree, *h1);
     211             :         }
     212             : 
     213          10 :         talloc_free(tree);
     214          10 :         talloc_free(session2);
     215             : 
     216          10 :         talloc_free(mem_ctx);
     217             : 
     218          10 :         return ret;
     219             : }
     220             : 
     221          10 : bool test_session_reauth1(struct torture_context *tctx, struct smb2_tree *tree)
     222             : {
     223             :         NTSTATUS status;
     224          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     225             :         char fname[256];
     226             :         struct smb2_handle _h1;
     227          10 :         struct smb2_handle *h1 = NULL;
     228             :         struct smb2_create io1;
     229          10 :         bool ret = true;
     230             :         union smb_fileinfo qfinfo;
     231             : 
     232             :         /* Add some random component to the file name. */
     233          10 :         snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
     234             :                  generate_random_str(tctx, 8));
     235             : 
     236          10 :         smb2_util_unlink(tree, fname);
     237             : 
     238          10 :         smb2_oplock_create_share(&io1, fname,
     239             :                                  smb2_util_share_access(""),
     240          10 :                                  smb2_util_oplock_level("b"));
     241             : 
     242          10 :         status = smb2_create(tree, mem_ctx, &io1);
     243          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     244             :                                         "smb2_create failed");
     245          10 :         _h1 = io1.out.file.handle;
     246          10 :         h1 = &_h1;
     247          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     248          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     249             :                                         smb2_util_oplock_level("b"),
     250             :                                         "oplock_level incorrect");
     251             : 
     252          10 :         status = smb2_session_setup_spnego(tree->session,
     253             :                                            samba_cmdline_get_creds(),
     254             :                                            0 /* previous_session_id */);
     255          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     256             :                                         "smb2_session_setup_spnego failed");
     257             : 
     258             :         /* try to access the file via the old handle */
     259             : 
     260          10 :         ZERO_STRUCT(qfinfo);
     261          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     262          10 :         qfinfo.generic.in.file.handle = _h1;
     263          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     264          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     265             :                                         "smb2_getinfo_file failed");
     266             : 
     267          10 :         status = smb2_session_setup_spnego(tree->session,
     268             :                                            samba_cmdline_get_creds(),
     269             :                                            0 /* previous_session_id */);
     270          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     271             :                                         "smb2_session_setup_spnego failed");
     272             : 
     273             :         /* try to access the file via the old handle */
     274             : 
     275          10 :         ZERO_STRUCT(qfinfo);
     276          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     277          10 :         qfinfo.generic.in.file.handle = _h1;
     278          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     279          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     280             :                                         "smb2_getinfo_file failed");
     281             : 
     282          10 : done:
     283          10 :         if (h1 != NULL) {
     284          10 :                 smb2_util_close(tree, *h1);
     285             :         }
     286             : 
     287          10 :         smb2_util_unlink(tree, fname);
     288             : 
     289          10 :         talloc_free(tree);
     290             : 
     291          10 :         talloc_free(mem_ctx);
     292             : 
     293          10 :         return ret;
     294             : }
     295             : 
     296          10 : bool test_session_reauth2(struct torture_context *tctx, struct smb2_tree *tree)
     297             : {
     298             :         NTSTATUS status;
     299          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     300             :         char fname[256];
     301             :         struct smb2_handle _h1;
     302          10 :         struct smb2_handle *h1 = NULL;
     303             :         struct smb2_create io1;
     304          10 :         bool ret = true;
     305             :         union smb_fileinfo qfinfo;
     306          10 :         struct cli_credentials *anon_creds = NULL;
     307             : 
     308             :         /* Add some random component to the file name. */
     309          10 :         snprintf(fname, sizeof(fname), "session_reauth2_%s.dat",
     310             :                  generate_random_str(tctx, 8));
     311             : 
     312          10 :         smb2_util_unlink(tree, fname);
     313             : 
     314          10 :         smb2_oplock_create_share(&io1, fname,
     315             :                                  smb2_util_share_access(""),
     316          10 :                                  smb2_util_oplock_level("b"));
     317             : 
     318          10 :         status = smb2_create(tree, mem_ctx, &io1);
     319          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     320             :                                         "smb2_create failed");
     321          10 :         _h1 = io1.out.file.handle;
     322          10 :         h1 = &_h1;
     323          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     324          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     325             :                                         smb2_util_oplock_level("b"),
     326             :                                         "oplock_level incorrect");
     327             : 
     328             :         /* re-authenticate as anonymous */
     329             : 
     330          10 :         anon_creds = cli_credentials_init_anon(mem_ctx);
     331          10 :         torture_assert(tctx, (anon_creds != NULL), "talloc error");
     332             : 
     333          10 :         status = smb2_session_setup_spnego(tree->session,
     334             :                                            anon_creds,
     335             :                                            0 /* previous_session_id */);
     336          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     337             :                                         "smb2_session_setup_spnego failed");
     338             : 
     339             :         /* try to access the file via the old handle */
     340             : 
     341          10 :         ZERO_STRUCT(qfinfo);
     342          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     343          10 :         qfinfo.generic.in.file.handle = _h1;
     344          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     345          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     346             :                                         "smb2_getinfo_file failed");
     347             : 
     348             :         /* re-authenticate as original user again */
     349             : 
     350          10 :         status = smb2_session_setup_spnego(tree->session,
     351             :                                            samba_cmdline_get_creds(),
     352             :                                            0 /* previous_session_id */);
     353          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     354             :                                         "smb2_session_setup_spnego failed");
     355             : 
     356             :         /* try to access the file via the old handle */
     357             : 
     358          10 :         ZERO_STRUCT(qfinfo);
     359          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
     360          10 :         qfinfo.generic.in.file.handle = _h1;
     361          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     362          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     363             :                                         "smb2_getinfo_file failed");
     364             : 
     365          10 : done:
     366          10 :         if (h1 != NULL) {
     367          10 :                 smb2_util_close(tree, *h1);
     368             :         }
     369             : 
     370          10 :         smb2_util_unlink(tree, fname);
     371             : 
     372          10 :         talloc_free(tree);
     373             : 
     374          10 :         talloc_free(mem_ctx);
     375             : 
     376          10 :         return ret;
     377             : }
     378             : 
     379             : /**
     380             :  * test getting security descriptor after reauth
     381             :  */
     382          10 : bool test_session_reauth3(struct torture_context *tctx, struct smb2_tree *tree)
     383             : {
     384             :         NTSTATUS status;
     385          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     386             :         char fname[256];
     387             :         struct smb2_handle _h1;
     388          10 :         struct smb2_handle *h1 = NULL;
     389             :         struct smb2_create io1;
     390          10 :         bool ret = true;
     391             :         union smb_fileinfo qfinfo;
     392          10 :         struct cli_credentials *anon_creds = NULL;
     393          10 :         uint32_t secinfo_flags = SECINFO_OWNER
     394             :                                 | SECINFO_GROUP
     395             :                                 | SECINFO_DACL
     396             :                                 | SECINFO_PROTECTED_DACL
     397             :                                 | SECINFO_UNPROTECTED_DACL;
     398             : 
     399             :         /* Add some random component to the file name. */
     400          10 :         snprintf(fname, sizeof(fname), "session_reauth3_%s.dat",
     401             :                  generate_random_str(tctx, 8));
     402             : 
     403          10 :         smb2_util_unlink(tree, fname);
     404             : 
     405          10 :         smb2_oplock_create_share(&io1, fname,
     406             :                                  smb2_util_share_access(""),
     407          10 :                                  smb2_util_oplock_level("b"));
     408             : 
     409          10 :         status = smb2_create(tree, mem_ctx, &io1);
     410          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     411             :                                         "smb2_create failed");
     412          10 :         _h1 = io1.out.file.handle;
     413          10 :         h1 = &_h1;
     414          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     415          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     416             :                                         smb2_util_oplock_level("b"),
     417             :                                         "oplock_level incorrect");
     418             : 
     419             :         /* get the security descriptor */
     420             : 
     421          10 :         ZERO_STRUCT(qfinfo);
     422             : 
     423          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     424          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     425          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     426             : 
     427          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     428          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     429             :                                         "smb2_getinfo_file failed");
     430             : 
     431             :         /* re-authenticate as anonymous */
     432             : 
     433          10 :         anon_creds = cli_credentials_init_anon(mem_ctx);
     434          10 :         torture_assert(tctx, (anon_creds != NULL), "talloc error");
     435             : 
     436          10 :         status = smb2_session_setup_spnego(tree->session,
     437             :                                            anon_creds,
     438             :                                            0 /* previous_session_id */);
     439          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     440             :                                         "smb2_session_setup_spnego failed");
     441             : 
     442             :         /* try to access the file via the old handle */
     443             : 
     444          10 :         ZERO_STRUCT(qfinfo);
     445             : 
     446          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     447          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     448          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     449             : 
     450          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     451          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     452             :                                         "smb2_getinfo_file failed");
     453             : 
     454             :         /* re-authenticate as original user again */
     455             : 
     456          10 :         status = smb2_session_setup_spnego(tree->session,
     457             :                                            samba_cmdline_get_creds(),
     458             :                                            0 /* previous_session_id */);
     459          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     460             :                                         "smb2_session_setup_spnego failed");
     461             : 
     462             :         /* try to access the file via the old handle */
     463             : 
     464          10 :         ZERO_STRUCT(qfinfo);
     465             : 
     466          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     467          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     468          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     469             : 
     470          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     471          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     472             :                                         "smb2_getinfo_file failed");
     473             : 
     474          10 : done:
     475          10 :         if (h1 != NULL) {
     476          10 :                 smb2_util_close(tree, *h1);
     477             :         }
     478             : 
     479          10 :         smb2_util_unlink(tree, fname);
     480             : 
     481          10 :         talloc_free(tree);
     482             : 
     483          10 :         talloc_free(mem_ctx);
     484             : 
     485          10 :         return ret;
     486             : }
     487             : 
     488             : /**
     489             :  * test setting security descriptor after reauth.
     490             :  */
     491          10 : bool test_session_reauth4(struct torture_context *tctx, struct smb2_tree *tree)
     492             : {
     493             :         NTSTATUS status;
     494          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     495             :         char fname[256];
     496             :         struct smb2_handle _h1;
     497          10 :         struct smb2_handle *h1 = NULL;
     498             :         struct smb2_create io1;
     499          10 :         bool ret = true;
     500             :         union smb_fileinfo qfinfo;
     501             :         union smb_setfileinfo sfinfo;
     502          10 :         struct cli_credentials *anon_creds = NULL;
     503          10 :         uint32_t secinfo_flags = SECINFO_OWNER
     504             :                                 | SECINFO_GROUP
     505             :                                 | SECINFO_DACL
     506             :                                 | SECINFO_PROTECTED_DACL
     507             :                                 | SECINFO_UNPROTECTED_DACL;
     508             :         struct security_descriptor *sd1;
     509             :         struct security_ace ace;
     510             :         struct dom_sid *extra_sid;
     511             : 
     512             :         /* Add some random component to the file name. */
     513          10 :         snprintf(fname, sizeof(fname), "session_reauth4_%s.dat",
     514             :                  generate_random_str(tctx, 8));
     515             : 
     516          10 :         smb2_util_unlink(tree, fname);
     517             : 
     518          10 :         smb2_oplock_create_share(&io1, fname,
     519             :                                  smb2_util_share_access(""),
     520          10 :                                  smb2_util_oplock_level("b"));
     521             : 
     522          10 :         status = smb2_create(tree, mem_ctx, &io1);
     523          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     524             :                                         "smb2_create failed");
     525          10 :         _h1 = io1.out.file.handle;
     526          10 :         h1 = &_h1;
     527          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     528          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     529             :                                         smb2_util_oplock_level("b"),
     530             :                                         "oplock_level incorrect");
     531             : 
     532             :         /* get the security descriptor */
     533             : 
     534          10 :         ZERO_STRUCT(qfinfo);
     535             : 
     536          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     537          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     538          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     539             : 
     540          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     541          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     542             :                                         "smb2_getinfo_file failed");
     543             : 
     544          10 :         sd1 = qfinfo.query_secdesc.out.sd;
     545             : 
     546             :         /* re-authenticate as anonymous */
     547             : 
     548          10 :         anon_creds = cli_credentials_init_anon(mem_ctx);
     549          10 :         torture_assert(tctx, (anon_creds != NULL), "talloc error");
     550             : 
     551          10 :         status = smb2_session_setup_spnego(tree->session,
     552             :                                            anon_creds,
     553             :                                            0 /* previous_session_id */);
     554          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     555             :                                         "smb2_session_setup_spnego failed");
     556             : 
     557             :         /* give full access on the file to anonymous */
     558             : 
     559          10 :         extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
     560             : 
     561          10 :         ZERO_STRUCT(ace);
     562          10 :         ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
     563          10 :         ace.flags = 0;
     564          10 :         ace.access_mask = SEC_STD_ALL | SEC_FILE_ALL;
     565          10 :         ace.trustee = *extra_sid;
     566             : 
     567          10 :         status = security_descriptor_dacl_add(sd1, &ace);
     568          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     569             :                                         "security_descriptor_dacl_add failed");
     570             : 
     571          10 :         ZERO_STRUCT(sfinfo);
     572          10 :         sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
     573          10 :         sfinfo.set_secdesc.in.file.handle = _h1;
     574          10 :         sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
     575          10 :         sfinfo.set_secdesc.in.sd = sd1;
     576             : 
     577          10 :         status = smb2_setinfo_file(tree, &sfinfo);
     578          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     579             :                                         "smb2_setinfo_file failed");
     580             : 
     581             :         /* re-authenticate as original user again */
     582             : 
     583          10 :         status = smb2_session_setup_spnego(tree->session,
     584             :                                            samba_cmdline_get_creds(),
     585             :                                            0 /* previous_session_id */);
     586          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     587             :                                         "smb2_session_setup_spnego failed");
     588             : 
     589             :         /* re-get the security descriptor */
     590             : 
     591          10 :         ZERO_STRUCT(qfinfo);
     592             : 
     593          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     594          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     595          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     596             : 
     597          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     598          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     599             :                                         "smb2_getinfo_file failed");
     600             : 
     601          10 :         ret = true;
     602             : 
     603          10 : done:
     604          10 :         if (h1 != NULL) {
     605          10 :                 smb2_util_close(tree, *h1);
     606             :         }
     607             : 
     608          10 :         smb2_util_unlink(tree, fname);
     609             : 
     610          10 :         talloc_free(tree);
     611             : 
     612          10 :         talloc_free(mem_ctx);
     613             : 
     614          10 :         return ret;
     615             : }
     616             : 
     617             : /**
     618             :  * test renaming after reauth.
     619             :  * compare security descriptors before and after rename/reauth
     620             :  */
     621          10 : bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
     622             : {
     623             :         NTSTATUS status;
     624          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     625             :         char dname[128];
     626             :         char fname[256];
     627             :         char fname2[256];
     628             :         struct smb2_handle _dh1;
     629          10 :         struct smb2_handle *dh1 = NULL;
     630             :         struct smb2_handle _h1;
     631          10 :         struct smb2_handle *h1 = NULL;
     632             :         struct smb2_create io1;
     633          10 :         bool ret = true;
     634             :         bool ok;
     635             :         union smb_fileinfo qfinfo;
     636             :         union smb_setfileinfo sfinfo;
     637          10 :         struct cli_credentials *anon_creds = NULL;
     638          10 :         uint32_t secinfo_flags = SECINFO_OWNER
     639             :                                 | SECINFO_GROUP
     640             :                                 | SECINFO_DACL
     641             :                                 | SECINFO_PROTECTED_DACL
     642             :                                 | SECINFO_UNPROTECTED_DACL;
     643             :         struct security_descriptor *f_sd1;
     644          10 :         struct security_descriptor *d_sd1 = NULL;
     645             :         struct security_ace ace;
     646             :         struct dom_sid *extra_sid;
     647             : 
     648             :         /* Add some random component to the file name. */
     649          10 :         snprintf(dname, sizeof(dname), "session_reauth5_%s.d",
     650             :                  generate_random_str(tctx, 8));
     651          10 :         snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
     652             : 
     653          10 :         ok = smb2_util_setup_dir(tctx, tree, dname);
     654          10 :         torture_assert(tctx, ok, "smb2_util_setup_dir not ok");
     655             : 
     656          10 :         status = torture_smb2_testdir(tree, dname, &_dh1);
     657          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     658             :                                         "torture_smb2_testdir failed");
     659          10 :         dh1 = &_dh1;
     660             : 
     661          10 :         smb2_oplock_create_share(&io1, fname,
     662             :                                  smb2_util_share_access(""),
     663          10 :                                  smb2_util_oplock_level("b"));
     664             : 
     665          10 :         status = smb2_create(tree, mem_ctx, &io1);
     666          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     667             :                                         "smb2_create failed");
     668          10 :         _h1 = io1.out.file.handle;
     669          10 :         h1 = &_h1;
     670          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     671          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     672             :                                         smb2_util_oplock_level("b"),
     673             :                                         "oplock_level incorrect");
     674             : 
     675             :         /* get the security descriptor */
     676             : 
     677          10 :         ZERO_STRUCT(qfinfo);
     678             : 
     679          10 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     680          10 :         qfinfo.query_secdesc.in.file.handle = _h1;
     681          10 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     682             : 
     683          10 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     684          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     685             :                                         "smb2_getinfo_file failed");
     686             : 
     687          10 :         f_sd1 = qfinfo.query_secdesc.out.sd;
     688             : 
     689             :         /* re-authenticate as anonymous */
     690             : 
     691          10 :         anon_creds = cli_credentials_init_anon(mem_ctx);
     692          10 :         torture_assert(tctx, (anon_creds != NULL), "talloc error");
     693             : 
     694          10 :         status = smb2_session_setup_spnego(tree->session,
     695             :                                            anon_creds,
     696             :                                            0 /* previous_session_id */);
     697          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     698             :                                         "smb2_session_setup_spnego failed");
     699             : 
     700             :         /* try to rename the file: fails */
     701             : 
     702          10 :         snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
     703             : 
     704          10 :         status = smb2_util_unlink(tree, fname2);
     705          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     706             :                                         "smb2_util_unlink failed");
     707             : 
     708             : 
     709           0 :         ZERO_STRUCT(sfinfo);
     710           0 :         sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
     711           0 :         sfinfo.rename_information.in.file.handle = _h1;
     712           0 :         sfinfo.rename_information.in.overwrite = true;
     713           0 :         sfinfo.rename_information.in.new_name = fname2;
     714             : 
     715           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     716           0 :         torture_assert_ntstatus_equal_goto(tctx, status,
     717             :                                            NT_STATUS_ACCESS_DENIED,
     718             :                                            ret, done, "smb2_setinfo_file "
     719             :                                            "returned unexpected status");
     720             : 
     721             :         /* re-authenticate as original user again */
     722             : 
     723           0 :         status = smb2_session_setup_spnego(tree->session,
     724             :                                            samba_cmdline_get_creds(),
     725             :                                            0 /* previous_session_id */);
     726           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     727             :                                         "smb2_session_setup_spnego failed");
     728             : 
     729             :         /* give full access on the file to anonymous */
     730             : 
     731           0 :         extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
     732             : 
     733           0 :         ZERO_STRUCT(ace);
     734           0 :         ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
     735           0 :         ace.flags = 0;
     736           0 :         ace.access_mask = SEC_RIGHTS_FILE_ALL;
     737           0 :         ace.trustee = *extra_sid;
     738             : 
     739           0 :         status = security_descriptor_dacl_add(f_sd1, &ace);
     740           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     741             :                                         "security_descriptor_dacl_add failed");
     742             : 
     743           0 :         ZERO_STRUCT(sfinfo);
     744           0 :         sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
     745           0 :         sfinfo.set_secdesc.in.file.handle = _h1;
     746           0 :         sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
     747           0 :         sfinfo.set_secdesc.in.sd = f_sd1;
     748             : 
     749           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     750           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     751             :                                         "smb2_setinfo_file failed");
     752             : 
     753             :         /* re-get the security descriptor */
     754             : 
     755           0 :         ZERO_STRUCT(qfinfo);
     756             : 
     757           0 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     758           0 :         qfinfo.query_secdesc.in.file.handle = _h1;
     759           0 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     760             : 
     761           0 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     762           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     763             :                                         "smb2_getinfo_file failed");
     764             : 
     765             :         /* re-authenticate as anonymous - again */
     766             : 
     767           0 :         anon_creds = cli_credentials_init_anon(mem_ctx);
     768           0 :         torture_assert(tctx, (anon_creds != NULL), "talloc error");
     769             : 
     770           0 :         status = smb2_session_setup_spnego(tree->session,
     771             :                                            anon_creds,
     772             :                                            0 /* previous_session_id */);
     773           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     774             :                                         "smb2_session_setup_spnego failed");
     775             : 
     776             :         /* try to rename the file: fails */
     777             : 
     778           0 :         ZERO_STRUCT(sfinfo);
     779           0 :         sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
     780           0 :         sfinfo.rename_information.in.file.handle = _h1;
     781           0 :         sfinfo.rename_information.in.overwrite = true;
     782           0 :         sfinfo.rename_information.in.new_name = fname2;
     783             : 
     784           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     785           0 :         torture_assert_ntstatus_equal_goto(tctx, status,
     786             :                                            NT_STATUS_ACCESS_DENIED,
     787             :                                            ret, done, "smb2_setinfo_file "
     788             :                                            "returned unexpected status");
     789             : 
     790             :         /* give full access on the parent dir to anonymous */
     791             : 
     792           0 :         ZERO_STRUCT(qfinfo);
     793             : 
     794           0 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     795           0 :         qfinfo.query_secdesc.in.file.handle = _dh1;
     796           0 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     797             : 
     798           0 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     799           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     800             :                                         "smb2_getinfo_file failed");
     801             : 
     802           0 :         d_sd1 = qfinfo.query_secdesc.out.sd;
     803             : 
     804           0 :         ZERO_STRUCT(ace);
     805           0 :         ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
     806           0 :         ace.flags = 0;
     807           0 :         ace.access_mask = SEC_RIGHTS_FILE_ALL;
     808           0 :         ace.trustee = *extra_sid;
     809             : 
     810           0 :         status = security_descriptor_dacl_add(d_sd1, &ace);
     811           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     812             :                                         "security_descriptor_dacl_add failed");
     813             : 
     814           0 :         ZERO_STRUCT(sfinfo);
     815           0 :         sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
     816           0 :         sfinfo.set_secdesc.in.file.handle = _dh1;
     817           0 :         sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
     818           0 :         sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
     819           0 :         sfinfo.set_secdesc.in.sd = d_sd1;
     820             : 
     821           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     822           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     823             :                                         "smb2_setinfo_file failed");
     824             : 
     825           0 :         ZERO_STRUCT(qfinfo);
     826             : 
     827           0 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     828           0 :         qfinfo.query_secdesc.in.file.handle = _dh1;
     829           0 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     830             : 
     831           0 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     832           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     833             :                                         "smb2_getinfo_file failed");
     834             : 
     835           0 :         status = smb2_util_close(tree, _dh1);
     836           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     837             :                                         "smb2_util_close failed");
     838           0 :         dh1 = NULL;
     839             : 
     840             :         /* try to rename the file: still fails */
     841             : 
     842           0 :         ZERO_STRUCT(sfinfo);
     843           0 :         sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
     844           0 :         sfinfo.rename_information.in.file.handle = _h1;
     845           0 :         sfinfo.rename_information.in.overwrite = true;
     846           0 :         sfinfo.rename_information.in.new_name = fname2;
     847             : 
     848           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     849           0 :         torture_assert_ntstatus_equal_goto(tctx, status,
     850             :                                         NT_STATUS_ACCESS_DENIED,
     851             :                                         ret, done, "smb2_setinfo_file "
     852             :                                         "returned unexpected status");
     853             : 
     854             :         /* re-authenticate as original user - again */
     855             : 
     856           0 :         status = smb2_session_setup_spnego(tree->session,
     857             :                                            samba_cmdline_get_creds(),
     858             :                                            0 /* previous_session_id */);
     859           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     860             :                                         "smb2_session_setup_spnego failed");
     861             : 
     862             :         /* rename the file - for verification that it works */
     863             : 
     864           0 :         ZERO_STRUCT(sfinfo);
     865           0 :         sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
     866           0 :         sfinfo.rename_information.in.file.handle = _h1;
     867           0 :         sfinfo.rename_information.in.overwrite = true;
     868           0 :         sfinfo.rename_information.in.new_name = fname2;
     869             : 
     870           0 :         status = smb2_setinfo_file(tree, &sfinfo);
     871           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     872             :                                         "smb2_setinfo_file failed");
     873             : 
     874             :         /* closs the file, check it is gone and reopen under the new name */
     875             : 
     876           0 :         status = smb2_util_close(tree, _h1);
     877           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     878             :                                         "smb2_util_close failed");
     879           0 :         ZERO_STRUCT(io1);
     880             : 
     881           0 :         smb2_generic_create_share(&io1,
     882             :                                   NULL /* lease */, false /* dir */,
     883             :                                   fname,
     884             :                                   NTCREATEX_DISP_OPEN,
     885             :                                   smb2_util_share_access(""),
     886           0 :                                   smb2_util_oplock_level("b"),
     887             :                                   0 /* leasekey */, 0 /* leasestate */);
     888             : 
     889           0 :         status = smb2_create(tree, mem_ctx, &io1);
     890           0 :         torture_assert_ntstatus_equal_goto(tctx, status,
     891             :                                         NT_STATUS_OBJECT_NAME_NOT_FOUND,
     892             :                                         ret, done, "smb2_create "
     893             :                                         "returned unexpected status");
     894             : 
     895           0 :         ZERO_STRUCT(io1);
     896             : 
     897           0 :         smb2_generic_create_share(&io1,
     898             :                                   NULL /* lease */, false /* dir */,
     899             :                                   fname2,
     900             :                                   NTCREATEX_DISP_OPEN,
     901             :                                   smb2_util_share_access(""),
     902           0 :                                   smb2_util_oplock_level("b"),
     903             :                                   0 /* leasekey */, 0 /* leasestate */);
     904             : 
     905           0 :         status = smb2_create(tree, mem_ctx, &io1);
     906           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     907             :                                         "smb2_create failed");
     908           0 :         _h1 = io1.out.file.handle;
     909           0 :         h1 = &_h1;
     910           0 :         CHECK_CREATED(tctx, &io1, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
     911           0 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     912             :                                         smb2_util_oplock_level("b"),
     913             :                                         "oplock_level incorrect");
     914             : 
     915             :         /* try to access the file via the old handle */
     916             : 
     917           0 :         ZERO_STRUCT(qfinfo);
     918             : 
     919           0 :         qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
     920           0 :         qfinfo.query_secdesc.in.file.handle = _h1;
     921           0 :         qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
     922             : 
     923           0 :         status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
     924           0 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     925             :                                         "smb2_getinfo_file failed");
     926             : 
     927          10 : done:
     928          10 :         if (dh1 != NULL) {
     929          10 :                 smb2_util_close(tree, *dh1);
     930             :         }
     931          10 :         if (h1 != NULL) {
     932          10 :                 smb2_util_close(tree, *h1);
     933             :         }
     934             : 
     935          10 :         smb2_deltree(tree, dname);
     936             : 
     937          10 :         talloc_free(tree);
     938             : 
     939          10 :         talloc_free(mem_ctx);
     940             : 
     941          10 :         return ret;
     942             : }
     943             : 
     944             : /**
     945             :  * do reauth with wrong credentials,
     946             :  * hence triggering the error path in reauth.
     947             :  * The invalid reauth deletes the session.
     948             :  */
     949          10 : bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
     950             : {
     951             :         NTSTATUS status;
     952          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
     953             :         char fname[256];
     954             :         struct smb2_handle _h1;
     955          10 :         struct smb2_handle *h1 = NULL;
     956             :         struct smb2_create io1;
     957          10 :         bool ret = true;
     958             :         char *corrupted_password;
     959             :         struct cli_credentials *broken_creds;
     960             :         bool ok;
     961             :         bool encrypted;
     962             :         NTSTATUS expected;
     963             :         enum credentials_use_kerberos krb_state;
     964             : 
     965          10 :         krb_state = cli_credentials_get_kerberos_state(
     966             :                         samba_cmdline_get_creds());
     967          10 :         if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
     968           4 :                 torture_skip(tctx,
     969             :                              "Can't test failing session setup with kerberos.");
     970             :         }
     971             : 
     972           6 :         encrypted = smb2cli_tcon_is_encryption_on(tree->smbXcli);
     973             : 
     974             :         /* Add some random component to the file name. */
     975           6 :         snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
     976             :                  generate_random_str(tctx, 8));
     977             : 
     978           6 :         smb2_util_unlink(tree, fname);
     979             : 
     980           6 :         smb2_oplock_create_share(&io1, fname,
     981             :                                  smb2_util_share_access(""),
     982           6 :                                  smb2_util_oplock_level("b"));
     983           6 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
     984             : 
     985           6 :         status = smb2_create(tree, mem_ctx, &io1);
     986           6 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
     987             :                                         "smb2_create failed");
     988           6 :         _h1 = io1.out.file.handle;
     989           6 :         h1 = &_h1;
     990           6 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
     991           6 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
     992             :                                         smb2_util_oplock_level("b"),
     993             :                                         "oplock_level incorrect");
     994             : 
     995             :         /*
     996             :          * reauthentication with invalid credentials:
     997             :          */
     998             : 
     999           6 :         broken_creds = cli_credentials_shallow_copy(mem_ctx,
    1000             :                                             samba_cmdline_get_creds());
    1001           6 :         torture_assert(tctx, (broken_creds != NULL), "talloc error");
    1002             : 
    1003           6 :         corrupted_password = talloc_asprintf(mem_ctx, "%s%s",
    1004             :                                 cli_credentials_get_password(broken_creds),
    1005             :                                 "corrupt");
    1006           6 :         torture_assert(tctx, (corrupted_password != NULL), "talloc error");
    1007             : 
    1008           6 :         ok = cli_credentials_set_password(broken_creds, corrupted_password,
    1009             :                                           CRED_SPECIFIED);
    1010           6 :         torture_assert(tctx, ok, "cli_credentials_set_password not ok");
    1011             : 
    1012           6 :         status = smb2_session_setup_spnego(tree->session,
    1013             :                                            broken_creds,
    1014             :                                            0 /* previous_session_id */);
    1015           6 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1016             :                                         NT_STATUS_LOGON_FAILURE, ret, done,
    1017             :                                         "smb2_session_setup_spnego "
    1018             :                                         "returned unexpected status");
    1019             : 
    1020           6 :         torture_comment(tctx, "did failed reauth\n");
    1021             :         /*
    1022             :          * now verify that the invalid session reauth has closed our session
    1023             :          */
    1024             : 
    1025           6 :         if (encrypted) {
    1026           2 :                 expected = NT_STATUS_CONNECTION_DISCONNECTED;
    1027             :         } else {
    1028           4 :                 expected = NT_STATUS_USER_SESSION_DELETED;
    1029             :         }
    1030             : 
    1031           6 :         smb2_oplock_create_share(&io1, fname,
    1032             :                                  smb2_util_share_access(""),
    1033           6 :                                  smb2_util_oplock_level("b"));
    1034             : 
    1035           6 :         status = smb2_create(tree, mem_ctx, &io1);
    1036           6 :         torture_assert_ntstatus_equal_goto(tctx, status, expected,
    1037             :                                         ret, done, "smb2_create "
    1038             :                                         "returned unexpected status");
    1039             : 
    1040           6 : done:
    1041           6 :         if (h1 != NULL) {
    1042           6 :                 smb2_util_close(tree, *h1);
    1043             :         }
    1044             : 
    1045           6 :         smb2_util_unlink(tree, fname);
    1046             : 
    1047           6 :         talloc_free(tree);
    1048             : 
    1049           6 :         talloc_free(mem_ctx);
    1050             : 
    1051           6 :         return ret;
    1052             : }
    1053             : 
    1054             : 
    1055          30 : static bool test_session_expire1i(struct torture_context *tctx,
    1056             :                                   bool force_signing,
    1057             :                                   bool force_encryption)
    1058             : {
    1059             :         NTSTATUS status;
    1060          30 :         bool ret = false;
    1061             :         struct smbcli_options options;
    1062          30 :         const char *host = torture_setting_string(tctx, "host", NULL);
    1063          30 :         const char *share = torture_setting_string(tctx, "share", NULL);
    1064          30 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    1065          30 :         struct smb2_tree *tree = NULL;
    1066             :         enum credentials_use_kerberos use_kerberos;
    1067             :         char fname[256];
    1068             :         struct smb2_handle _h1;
    1069          30 :         struct smb2_handle *h1 = NULL;
    1070             :         struct smb2_create io1;
    1071             :         union smb_fileinfo qfinfo;
    1072             :         size_t i;
    1073             : 
    1074          30 :         use_kerberos = cli_credentials_get_kerberos_state(credentials);
    1075          30 :         if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
    1076          18 :                 torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
    1077          18 :                 torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
    1078             :         }
    1079             : 
    1080          12 :         torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
    1081             :                                  "please use -k yes");
    1082             : 
    1083          12 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1084             : 
    1085          12 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
    1086             : 
    1087          12 :         lpcfg_smbcli_options(tctx->lp_ctx, &options);
    1088          12 :         if (force_signing) {
    1089           8 :                 options.signing = SMB_SIGNING_REQUIRED;
    1090             :         }
    1091             : 
    1092          12 :         status = smb2_connect(tctx,
    1093             :                               host,
    1094             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1095             :                               share,
    1096             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1097             :                               credentials,
    1098             :                               &tree,
    1099             :                               tctx->ev,
    1100             :                               &options,
    1101             :                               lpcfg_socket_options(tctx->lp_ctx),
    1102             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1103             :                               );
    1104          12 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1105             :                                         "smb2_connect failed");
    1106             : 
    1107          12 :         if (force_encryption) {
    1108           4 :                 status = smb2cli_session_encryption_on(tree->session->smbXcli);
    1109           4 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1110             :                                         "smb2cli_session_encryption_on failed");
    1111             :         }
    1112             : 
    1113             :         /* Add some random component to the file name. */
    1114          12 :         snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
    1115             :                  generate_random_str(tctx, 8));
    1116             : 
    1117          12 :         smb2_util_unlink(tree, fname);
    1118             : 
    1119          12 :         smb2_oplock_create_share(&io1, fname,
    1120             :                                  smb2_util_share_access(""),
    1121          12 :                                  smb2_util_oplock_level("b"));
    1122          12 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
    1123             : 
    1124          12 :         status = smb2_create(tree, tctx, &io1);
    1125          12 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1126             :                                         "smb2_create failed");
    1127          12 :         _h1 = io1.out.file.handle;
    1128          12 :         h1 = &_h1;
    1129          12 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1130          12 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    1131             :                                         smb2_util_oplock_level("b"),
    1132             :                                         "oplock_level incorrect");
    1133             : 
    1134             :         /* get the security descriptor */
    1135             : 
    1136          12 :         ZERO_STRUCT(qfinfo);
    1137             : 
    1138          12 :         qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
    1139          12 :         qfinfo.access_information.in.file.handle = _h1;
    1140             : 
    1141          36 :         for (i=0; i < 2; i++) {
    1142          24 :                 torture_comment(tctx, "query info => OK\n");
    1143             : 
    1144          24 :                 ZERO_STRUCT(qfinfo.access_information.out);
    1145          24 :                 status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1146          24 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1147             :                                                 "smb2_getinfo_file failed");
    1148             : 
    1149          24 :                 torture_comment(tctx, "sleep 10 seconds\n");
    1150          24 :                 smb_msleep(10*1000);
    1151             : 
    1152          24 :                 torture_comment(tctx, "query info => EXPIRED\n");
    1153          24 :                 ZERO_STRUCT(qfinfo.access_information.out);
    1154          24 :                 status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1155          24 :                 torture_assert_ntstatus_equal_goto(tctx, status,
    1156             :                                         NT_STATUS_NETWORK_SESSION_EXPIRED,
    1157             :                                         ret, done, "smb2_getinfo_file "
    1158             :                                         "returned unexpected status");
    1159             : 
    1160             :                 /*
    1161             :                  * the krb5 library may not handle expired creds
    1162             :                  * well, lets start with an empty ccache.
    1163             :                  */
    1164          24 :                 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1165             : 
    1166          24 :                 if (!force_encryption) {
    1167          16 :                         smb2cli_session_require_signed_response(
    1168          16 :                                 tree->session->smbXcli, true);
    1169             :                 }
    1170             : 
    1171          24 :                 torture_comment(tctx, "reauth => OK\n");
    1172          24 :                 status = smb2_session_setup_spnego(tree->session,
    1173             :                                                    credentials,
    1174             :                                                    0 /* previous_session_id */);
    1175          24 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1176             :                                         "smb2_session_setup_spnego failed");
    1177             : 
    1178          24 :                 smb2cli_session_require_signed_response(
    1179          24 :                         tree->session->smbXcli, false);
    1180             :         }
    1181             : 
    1182          12 :         ZERO_STRUCT(qfinfo.access_information.out);
    1183          12 :         status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1184          12 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1185             :                                         "smb2_getinfo_file failed");
    1186             : 
    1187          12 :         ret = true;
    1188          12 : done:
    1189          12 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1190             : 
    1191          12 :         if (h1 != NULL) {
    1192          12 :                 smb2_util_close(tree, *h1);
    1193             :         }
    1194             : 
    1195          12 :         talloc_free(tree);
    1196          12 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
    1197          12 :         return ret;
    1198             : }
    1199             : 
    1200          10 : static bool test_session_expire1n(struct torture_context *tctx)
    1201             : {
    1202          10 :         return test_session_expire1i(tctx,
    1203             :                                      false,   /* force_signing */
    1204             :                                      false); /* force_encryption */
    1205             : }
    1206             : 
    1207          10 : static bool test_session_expire1s(struct torture_context *tctx)
    1208             : {
    1209          10 :         return test_session_expire1i(tctx,
    1210             :                                      true,   /* force_signing */
    1211             :                                      false); /* force_encryption */
    1212             : }
    1213             : 
    1214          10 : static bool test_session_expire1e(struct torture_context *tctx)
    1215             : {
    1216          10 :         return test_session_expire1i(tctx,
    1217             :                                      true,   /* force_signing */
    1218             :                                      true); /* force_encryption */
    1219             : }
    1220             : 
    1221          20 : static bool test_session_expire2i(struct torture_context *tctx,
    1222             :                                   bool force_encryption)
    1223             : {
    1224             :         NTSTATUS status;
    1225          20 :         bool ret = false;
    1226             :         struct smbcli_options options;
    1227          20 :         const char *host = torture_setting_string(tctx, "host", NULL);
    1228          20 :         const char *share = torture_setting_string(tctx, "share", NULL);
    1229          20 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    1230          20 :         struct smb2_tree *tree = NULL;
    1231          20 :         const char *unc = NULL;
    1232          20 :         struct smb2_tree *tree2 = NULL;
    1233          20 :         struct tevent_req *subreq = NULL;
    1234             :         uint32_t timeout_msec;
    1235             :         enum credentials_use_kerberos use_kerberos;
    1236             :         uint32_t caps;
    1237             :         char fname[256];
    1238             :         struct smb2_handle dh;
    1239             :         struct smb2_handle dh2;
    1240             :         struct smb2_handle _h1;
    1241          20 :         struct smb2_handle *h1 = NULL;
    1242             :         struct smb2_create io1;
    1243             :         union smb_fileinfo qfinfo;
    1244             :         union smb_setfileinfo sfinfo;
    1245             :         struct smb2_flush flsh;
    1246             :         struct smb2_read rd;
    1247          20 :         const uint8_t wd = 0;
    1248             :         struct smb2_lock lck;
    1249             :         struct smb2_lock_element el;
    1250             :         struct smb2_ioctl ctl;
    1251             :         struct smb2_break oack;
    1252             :         struct smb2_lease_break_ack lack;
    1253             :         struct smb2_find fnd;
    1254          20 :         union smb_search_data *d = NULL;
    1255             :         unsigned int count;
    1256          20 :         struct smb2_request *req = NULL;
    1257             :         struct smb2_notify ntf1;
    1258             :         struct smb2_notify ntf2;
    1259             : 
    1260          20 :         use_kerberos = cli_credentials_get_kerberos_state(credentials);
    1261          20 :         if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
    1262          12 :                 torture_warning(tctx, "smb2.session.expire2 requires -k yes!");
    1263          12 :                 torture_skip(tctx, "smb2.session.expire2 requires -k yes!");
    1264             :         }
    1265             : 
    1266           8 :         torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
    1267             :                                  "please use -k yes");
    1268             : 
    1269           8 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1270             : 
    1271           8 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
    1272             : 
    1273           8 :         lpcfg_smbcli_options(tctx->lp_ctx, &options);
    1274           8 :         options.signing = SMB_SIGNING_REQUIRED;
    1275             : 
    1276           8 :         unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
    1277           8 :         torture_assert(tctx, unc != NULL, "talloc_asprintf");
    1278             : 
    1279           8 :         status = smb2_connect(tctx,
    1280             :                               host,
    1281             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1282             :                               share,
    1283             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1284             :                               credentials,
    1285             :                               &tree,
    1286             :                               tctx->ev,
    1287             :                               &options,
    1288             :                               lpcfg_socket_options(tctx->lp_ctx),
    1289             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1290             :                               );
    1291           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1292             :                                         "smb2_connect failed");
    1293             : 
    1294           8 :         if (force_encryption) {
    1295           4 :                 status = smb2cli_session_encryption_on(tree->session->smbXcli);
    1296           4 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1297             :                                         "smb2cli_session_encryption_on failed");
    1298             :         }
    1299             : 
    1300           8 :         caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
    1301             : 
    1302             :         /* Add some random component to the file name. */
    1303           8 :         snprintf(fname, sizeof(fname), "session_expire2_%s.dat",
    1304             :                  generate_random_str(tctx, 8));
    1305             : 
    1306           8 :         smb2_util_unlink(tree, fname);
    1307             : 
    1308           8 :         status = smb2_util_roothandle(tree, &dh);
    1309           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1310             :                                         "smb2_util_roothandle failed");
    1311             : 
    1312           8 :         smb2_oplock_create_share(&io1, fname,
    1313             :                                  smb2_util_share_access(""),
    1314           8 :                                  smb2_util_oplock_level("b"));
    1315           8 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
    1316             : 
    1317           8 :         status = smb2_create(tree, tctx, &io1);
    1318           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1319             :                                         "smb2_create failed");
    1320           8 :         _h1 = io1.out.file.handle;
    1321           8 :         h1 = &_h1;
    1322           8 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1323           8 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    1324             :                                         smb2_util_oplock_level("b"),
    1325             :                                         "oplock_level incorrect");
    1326             : 
    1327             :         /* get the security descriptor */
    1328             : 
    1329           8 :         ZERO_STRUCT(qfinfo);
    1330             : 
    1331           8 :         qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
    1332           8 :         qfinfo.access_information.in.file.handle = _h1;
    1333             : 
    1334           8 :         torture_comment(tctx, "query info => OK\n");
    1335             : 
    1336           8 :         ZERO_STRUCT(qfinfo.access_information.out);
    1337           8 :         status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1338           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1339             :                                         "smb2_getinfo_file failed");
    1340             : 
    1341           8 :         torture_comment(tctx, "lock => OK\n");
    1342           8 :         ZERO_STRUCT(lck);
    1343           8 :         lck.in.locks            = &el;
    1344           8 :         lck.in.lock_count       = 0x0001;
    1345           8 :         lck.in.lock_sequence    = 0x00000000;
    1346           8 :         lck.in.file.handle      = *h1;
    1347           8 :         ZERO_STRUCT(el);
    1348           8 :         el.flags                = SMB2_LOCK_FLAG_EXCLUSIVE |
    1349             :                                   SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
    1350           8 :         el.offset               = 0x0000000000000000;
    1351           8 :         el.length               = 0x0000000000000001;
    1352           8 :         status = smb2_lock(tree, &lck);
    1353           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1354             :                                         "smb2_lock lock failed");
    1355             : 
    1356           8 :         torture_comment(tctx, "1st notify => PENDING\n");
    1357           8 :         ZERO_STRUCT(ntf1);
    1358           8 :         ntf1.in.file.handle     = dh;
    1359           8 :         ntf1.in.recursive       = 0x0000;
    1360           8 :         ntf1.in.buffer_size     = 128;
    1361           8 :         ntf1.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
    1362           8 :         ntf1.in.unknown         = 0x00000000;
    1363           8 :         req = smb2_notify_send(tree, &ntf1);
    1364             : 
    1365           8 :         while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) {
    1366          32 :                 if (tevent_loop_once(tctx->ev) != 0) {
    1367           0 :                         break;
    1368             :                 }
    1369             :         }
    1370             : 
    1371           8 :         torture_assert_goto(tctx, req->state <= SMB2_REQUEST_RECV, ret, done,
    1372             :                             "smb2_notify finished");
    1373             : 
    1374           8 :         torture_comment(tctx, "sleep 10 seconds\n");
    1375           8 :         smb_msleep(10*1000);
    1376             : 
    1377           8 :         torture_comment(tctx, "query info => EXPIRED\n");
    1378           8 :         ZERO_STRUCT(qfinfo.access_information.out);
    1379           8 :         status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1380           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1381             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1382             :                                 ret, done, "smb2_getinfo_file "
    1383             :                                 "returned unexpected status");
    1384             : 
    1385             : 
    1386           8 :         torture_comment(tctx, "set info => EXPIRED\n");
    1387           8 :         ZERO_STRUCT(sfinfo);
    1388           8 :         sfinfo.end_of_file_info.level = RAW_SFILEINFO_END_OF_FILE_INFORMATION;
    1389           8 :         sfinfo.end_of_file_info.in.file.handle = *h1;
    1390           8 :         sfinfo.end_of_file_info.in.size = 1;
    1391           8 :         status = smb2_setinfo_file(tree, &sfinfo);
    1392           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1393             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1394             :                                 ret, done, "smb2_setinfo_file "
    1395             :                                 "returned unexpected status");
    1396             : 
    1397           8 :         torture_comment(tctx, "flush => EXPIRED\n");
    1398           8 :         ZERO_STRUCT(flsh);
    1399           8 :         flsh.in.file.handle = *h1;
    1400           8 :         status = smb2_flush(tree, &flsh);
    1401           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1402             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1403             :                                 ret, done, "smb2_flush "
    1404             :                                 "returned unexpected status");
    1405             : 
    1406           8 :         torture_comment(tctx, "read => EXPIRED\n");
    1407           8 :         ZERO_STRUCT(rd);
    1408           8 :         rd.in.file.handle = *h1;
    1409           8 :         rd.in.length      = 5;
    1410           8 :         rd.in.offset      = 0;
    1411           8 :         status = smb2_read(tree, tctx, &rd);
    1412           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1413             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1414             :                                 ret, done, "smb2_read "
    1415             :                                 "returned unexpected status");
    1416             : 
    1417           8 :         torture_comment(tctx, "write => EXPIRED\n");
    1418           8 :         status = smb2_util_write(tree, *h1, &wd, 0, 1);
    1419           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1420             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1421             :                                 ret, done, "smb2_util_write "
    1422             :                                 "returned unexpected status");
    1423             : 
    1424           8 :         torture_comment(tctx, "ioctl => EXPIRED\n");
    1425           8 :         ZERO_STRUCT(ctl);
    1426           8 :         ctl.in.file.handle = *h1;
    1427           8 :         ctl.in.function = FSCTL_SRV_ENUM_SNAPS;
    1428           8 :         ctl.in.max_output_response = 16;
    1429           8 :         ctl.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL;
    1430           8 :         status = smb2_ioctl(tree, tctx, &ctl);
    1431           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1432             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1433             :                                 ret, done, "smb2_ioctl "
    1434             :                                 "returned unexpected status");
    1435             : 
    1436           8 :         torture_comment(tctx, "oplock ack => EXPIRED\n");
    1437           8 :         ZERO_STRUCT(oack);
    1438           8 :         oack.in.file.handle = *h1;
    1439           8 :         status = smb2_break(tree, &oack);
    1440           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1441             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1442             :                                 ret, done, "smb2_break "
    1443             :                                 "returned unexpected status");
    1444             : 
    1445           8 :         if (caps & SMB2_CAP_LEASING) {
    1446           4 :                 torture_comment(tctx, "lease ack => EXPIRED\n");
    1447           4 :                 ZERO_STRUCT(lack);
    1448           4 :                 lack.in.lease.lease_version = 1;
    1449           4 :                 lack.in.lease.lease_key.data[0] = 1;
    1450           4 :                 lack.in.lease.lease_key.data[1] = 2;
    1451           4 :                 status = smb2_lease_break_ack(tree, &lack);
    1452           4 :                 torture_assert_ntstatus_equal_goto(tctx, status,
    1453             :                                         NT_STATUS_NETWORK_SESSION_EXPIRED,
    1454             :                                         ret, done, "smb2_break "
    1455             :                                         "returned unexpected status");
    1456             :         }
    1457             : 
    1458           8 :         torture_comment(tctx, "query directory => EXPIRED\n");
    1459           8 :         ZERO_STRUCT(fnd);
    1460           8 :         fnd.in.file.handle      = dh;
    1461           8 :         fnd.in.pattern          = "*";
    1462           8 :         fnd.in.continue_flags   = SMB2_CONTINUE_FLAG_SINGLE;
    1463           8 :         fnd.in.max_response_size= 0x100;
    1464           8 :         fnd.in.level            = SMB2_FIND_BOTH_DIRECTORY_INFO;
    1465           8 :         status = smb2_find_level(tree, tree, &fnd, &count, &d);
    1466           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1467             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1468             :                                 ret, done, "smb2_find_level "
    1469             :                                 "returned unexpected status");
    1470             : 
    1471           8 :         torture_comment(tctx, "1st notify => CANCEL\n");
    1472           8 :         smb2_cancel(req);
    1473             : 
    1474           8 :         torture_comment(tctx, "2nd notify => EXPIRED\n");
    1475           8 :         ZERO_STRUCT(ntf2);
    1476           8 :         ntf2.in.file.handle     = dh;
    1477           8 :         ntf2.in.recursive       = 0x0000;
    1478           8 :         ntf2.in.buffer_size     = 128;
    1479           8 :         ntf2.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
    1480           8 :         ntf2.in.unknown         = 0x00000000;
    1481           8 :         status = smb2_notify(tree, tctx, &ntf2);
    1482           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1483             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1484             :                                 ret, done, "smb2_notify "
    1485             :                                 "returned unexpected status");
    1486             : 
    1487           8 :         torture_assert_goto(tctx, req->state > SMB2_REQUEST_RECV, ret, done,
    1488             :                             "smb2_notify (1st) not finished");
    1489             : 
    1490           8 :         status = smb2_notify_recv(req, tctx, &ntf1);
    1491           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1492             :                                 NT_STATUS_CANCELLED,
    1493             :                                 ret, done, "smb2_notify cancelled"
    1494             :                                 "returned unexpected status");
    1495             : 
    1496           8 :         torture_comment(tctx, "tcon => EXPIRED\n");
    1497           8 :         tree2 = smb2_tree_init(tree->session, tctx, false);
    1498           8 :         torture_assert(tctx, tree2 != NULL, "smb2_tree_init");
    1499           8 :         timeout_msec = tree->session->transport->options.request_timeout * 1000;
    1500          24 :         subreq = smb2cli_tcon_send(tree2, tctx->ev,
    1501           8 :                                    tree2->session->transport->conn,
    1502             :                                    timeout_msec,
    1503           8 :                                    tree2->session->smbXcli,
    1504             :                                    tree2->smbXcli,
    1505             :                                    0, /* flags */
    1506             :                                    unc);
    1507           8 :         torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
    1508           8 :         torture_assert(tctx,
    1509             :                        tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
    1510             :                        "tevent_req_poll_ntstatus");
    1511           8 :         status = smb2cli_tcon_recv(subreq);
    1512           8 :         TALLOC_FREE(subreq);
    1513           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1514             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1515             :                                 ret, done, "smb2cli_tcon"
    1516             :                                 "returned unexpected status");
    1517             : 
    1518           8 :         torture_comment(tctx, "create => EXPIRED\n");
    1519           8 :         status = smb2_util_roothandle(tree, &dh2);
    1520           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1521             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1522             :                                 ret, done, "smb2_util_roothandle"
    1523             :                                 "returned unexpected status");
    1524             : 
    1525           8 :         torture_comment(tctx, "tdis => EXPIRED\n");
    1526           8 :         status = smb2_tdis(tree);
    1527           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1528             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1529             :                                 ret, done, "smb2cli_tdis"
    1530             :                                 "returned unexpected status");
    1531             : 
    1532             :         /*
    1533             :          * (Un)Lock, Close and Logoff are still possible
    1534             :          */
    1535             : 
    1536           8 :         torture_comment(tctx, "1st unlock => OK\n");
    1537           8 :         el.flags                = SMB2_LOCK_FLAG_UNLOCK;
    1538           8 :         status = smb2_lock(tree, &lck);
    1539           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1540             :                                         "smb2_lock unlock failed");
    1541             : 
    1542           8 :         torture_comment(tctx, "2nd unlock => RANGE_NOT_LOCKED\n");
    1543           8 :         status = smb2_lock(tree, &lck);
    1544           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1545             :                                 NT_STATUS_RANGE_NOT_LOCKED,
    1546             :                                 ret, done, "smb2_lock 2nd unlock"
    1547             :                                 "returned unexpected status");
    1548             : 
    1549           8 :         torture_comment(tctx, "lock => EXPIRED\n");
    1550           8 :         el.flags                = SMB2_LOCK_FLAG_EXCLUSIVE |
    1551             :                                   SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
    1552           8 :         status = smb2_lock(tree, &lck);
    1553           8 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1554             :                                 NT_STATUS_NETWORK_SESSION_EXPIRED,
    1555             :                                 ret, done, "smb2_util_roothandle"
    1556             :                                 "returned unexpected status");
    1557             : 
    1558           8 :         torture_comment(tctx, "close => OK\n");
    1559           8 :         status = smb2_util_close(tree, *h1);
    1560           8 :         h1 = NULL;
    1561           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1562             :                                         "smb2_close failed");
    1563             : 
    1564           8 :         torture_comment(tctx, "echo without session => OK\n");
    1565           8 :         status = smb2_keepalive(tree->session->transport);
    1566           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1567             :                                         "smb2_keepalive without session failed");
    1568             : 
    1569           8 :         torture_comment(tctx, "echo with session => OK\n");
    1570           8 :         req = smb2_keepalive_send(tree->session->transport, tree->session);
    1571           8 :         status = smb2_keepalive_recv(req);
    1572           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1573             :                                         "smb2_keepalive with session failed");
    1574             : 
    1575           8 :         torture_comment(tctx, "logoff => OK\n");
    1576           8 :         status = smb2_logoff(tree->session);
    1577           8 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1578             :                                         "smb2_logoff failed");
    1579             : 
    1580           8 :         ret = true;
    1581           8 : done:
    1582           8 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1583             : 
    1584           8 :         if (h1 != NULL) {
    1585           0 :                 smb2_util_close(tree, *h1);
    1586             :         }
    1587             : 
    1588           8 :         talloc_free(tree);
    1589           8 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
    1590           8 :         return ret;
    1591             : }
    1592             : 
    1593          10 : static bool test_session_expire2s(struct torture_context *tctx)
    1594             : {
    1595          10 :         return test_session_expire2i(tctx,
    1596             :                                      false); /* force_encryption */
    1597             : }
    1598             : 
    1599          10 : static bool test_session_expire2e(struct torture_context *tctx)
    1600             : {
    1601          10 :         return test_session_expire2i(tctx,
    1602             :                                      true); /* force_encryption */
    1603             : }
    1604             : 
    1605          10 : static bool test_session_expire_disconnect(struct torture_context *tctx)
    1606             : {
    1607             :         NTSTATUS status;
    1608          10 :         bool ret = false;
    1609             :         struct smbcli_options options;
    1610          10 :         const char *host = torture_setting_string(tctx, "host", NULL);
    1611          10 :         const char *share = torture_setting_string(tctx, "share", NULL);
    1612          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    1613          10 :         struct smb2_tree *tree = NULL;
    1614             :         enum credentials_use_kerberos use_kerberos;
    1615             :         char fname[256];
    1616             :         struct smb2_handle _h1;
    1617          10 :         struct smb2_handle *h1 = NULL;
    1618             :         struct smb2_create io1;
    1619             :         union smb_fileinfo qfinfo;
    1620             :         bool connected;
    1621             : 
    1622          10 :         use_kerberos = cli_credentials_get_kerberos_state(credentials);
    1623          10 :         if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
    1624           6 :                 torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
    1625           6 :                 torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
    1626             :         }
    1627             : 
    1628           4 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1629             : 
    1630           4 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
    1631           4 :         lpcfg_smbcli_options(tctx->lp_ctx, &options);
    1632           4 :         options.signing = SMB_SIGNING_REQUIRED;
    1633             : 
    1634           4 :         status = smb2_connect(tctx,
    1635             :                               host,
    1636             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1637             :                               share,
    1638             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1639             :                               credentials,
    1640             :                               &tree,
    1641             :                               tctx->ev,
    1642             :                               &options,
    1643             :                               lpcfg_socket_options(tctx->lp_ctx),
    1644             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1645             :                               );
    1646           4 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1647             :                                         "smb2_connect failed");
    1648             : 
    1649           4 :         smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
    1650             : 
    1651             :         /* Add some random component to the file name. */
    1652           4 :         snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
    1653             :                  generate_random_str(tctx, 8));
    1654             : 
    1655           4 :         smb2_util_unlink(tree, fname);
    1656             : 
    1657           4 :         smb2_oplock_create_share(&io1, fname,
    1658             :                                  smb2_util_share_access(""),
    1659           4 :                                  smb2_util_oplock_level("b"));
    1660           4 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
    1661             : 
    1662           4 :         status = smb2_create(tree, tctx, &io1);
    1663           4 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1664             :                                         "smb2_create failed");
    1665           4 :         _h1 = io1.out.file.handle;
    1666           4 :         h1 = &_h1;
    1667           4 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1668           4 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    1669             :                                         smb2_util_oplock_level("b"),
    1670             :                                         "oplock_level incorrect");
    1671             : 
    1672             :         /* get the security descriptor */
    1673             : 
    1674           4 :         ZERO_STRUCT(qfinfo);
    1675             : 
    1676           4 :         qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
    1677           4 :         qfinfo.access_information.in.file.handle = _h1;
    1678             : 
    1679           4 :         torture_comment(tctx, "query info => OK\n");
    1680             : 
    1681           4 :         ZERO_STRUCT(qfinfo.access_information.out);
    1682           4 :         status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1683           4 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1684             :                                         "smb2_getinfo_file failed");
    1685             : 
    1686           4 :         torture_comment(tctx, "sleep 10 seconds\n");
    1687           4 :         smb_msleep(10*1000);
    1688             : 
    1689           4 :         torture_comment(tctx, "query info => EXPIRED\n");
    1690           4 :         ZERO_STRUCT(qfinfo.access_information.out);
    1691           4 :         status = smb2_getinfo_file(tree, tctx, &qfinfo);
    1692           4 :         torture_assert_ntstatus_equal_goto(tctx, status,
    1693             :                                            NT_STATUS_NETWORK_SESSION_EXPIRED,
    1694             :                                            ret, done, "smb2_getinfo_file "
    1695             :                                            "returned unexpected status");
    1696             : 
    1697           4 :         connected = smbXcli_conn_is_connected(tree->session->transport->conn);
    1698           4 :         torture_assert_goto(tctx, !connected, ret, done, "connected\n");
    1699             : 
    1700           4 :         ret = true;
    1701           4 : done:
    1702           4 :         cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
    1703             : 
    1704           4 :         if (h1 != NULL) {
    1705           4 :                 smb2_util_close(tree, *h1);
    1706             :         }
    1707             : 
    1708           4 :         talloc_free(tree);
    1709           4 :         lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
    1710           4 :         return ret;
    1711             : }
    1712             : 
    1713          10 : bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
    1714             : {
    1715          10 :         const char *host = torture_setting_string(tctx, "host", NULL);
    1716          10 :         const char *share = torture_setting_string(tctx, "share", NULL);
    1717          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    1718             :         NTSTATUS status;
    1719          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
    1720             :         char fname[256];
    1721             :         struct smb2_handle _h1;
    1722          10 :         struct smb2_handle *h1 = NULL;
    1723             :         struct smb2_create io1;
    1724             :         union smb_fileinfo qfinfo;
    1725          10 :         bool ret = false;
    1726          10 :         struct smb2_tree *tree2 = NULL;
    1727          10 :         struct smb2_transport *transport1 = tree1->session->transport;
    1728             :         struct smbcli_options options2;
    1729          10 :         struct smb2_transport *transport2 = NULL;
    1730          10 :         struct smb2_session *session1_1 = tree1->session;
    1731          10 :         struct smb2_session *session1_2 = NULL;
    1732          10 :         struct smb2_session *session2_1 = NULL;
    1733          10 :         struct smb2_session *session2_2 = NULL;
    1734             :         uint32_t caps;
    1735             : 
    1736          10 :         caps = smb2cli_conn_server_capabilities(transport1->conn);
    1737          10 :         if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
    1738           0 :                 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
    1739             :         }
    1740             : 
    1741             :         /*
    1742             :          * We always want signing for this test!
    1743             :          */
    1744          10 :         smb2cli_tcon_should_sign(tree1->smbXcli, true);
    1745          10 :         options2 = transport1->options;
    1746          10 :         options2.signing = SMB_SIGNING_REQUIRED;
    1747             : 
    1748             :         /* Add some random component to the file name. */
    1749          10 :         snprintf(fname, sizeof(fname), "session_bind1_%s.dat",
    1750             :                  generate_random_str(tctx, 8));
    1751             : 
    1752          10 :         smb2_util_unlink(tree1, fname);
    1753             : 
    1754          10 :         smb2_oplock_create_share(&io1, fname,
    1755             :                                  smb2_util_share_access(""),
    1756          10 :                                  smb2_util_oplock_level("b"));
    1757             : 
    1758          10 :         status = smb2_create(tree1, mem_ctx, &io1);
    1759          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1760             :                                         "smb2_create failed");
    1761          10 :         _h1 = io1.out.file.handle;
    1762          10 :         h1 = &_h1;
    1763          10 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1764          10 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    1765             :                                         smb2_util_oplock_level("b"),
    1766             :                                         "oplock_level incorrect");
    1767             : 
    1768          10 :         status = smb2_connect(tctx,
    1769             :                               host,
    1770             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1771             :                               share,
    1772             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1773             :                               credentials,
    1774             :                               &tree2,
    1775             :                               tctx->ev,
    1776             :                               &options2,
    1777             :                               lpcfg_socket_options(tctx->lp_ctx),
    1778             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1779             :                               );
    1780          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1781             :                                         "smb2_connect failed");
    1782          10 :         session2_2 = tree2->session;
    1783          10 :         transport2 = tree2->session->transport;
    1784             : 
    1785             :         /*
    1786             :          * Now bind the 2nd transport connection to the 1st session
    1787             :          */
    1788          10 :         session1_2 = smb2_session_channel(transport2,
    1789             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    1790             :                                           tree2,
    1791             :                                           session1_1);
    1792          10 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    1793             : 
    1794          10 :         status = smb2_session_setup_spnego(session1_2,
    1795             :                                            samba_cmdline_get_creds(),
    1796             :                                            0 /* previous_session_id */);
    1797          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1798             :                                         "smb2_session_setup_spnego failed");
    1799             : 
    1800             :         /* use the 1st connection, 1st session */
    1801          10 :         ZERO_STRUCT(qfinfo);
    1802          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    1803          10 :         qfinfo.generic.in.file.handle = _h1;
    1804          10 :         tree1->session = session1_1;
    1805          10 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    1806          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1807             :                                         "smb2_getinfo_file failed");
    1808             : 
    1809             :         /* use the 2nd connection, 1st session */
    1810          10 :         ZERO_STRUCT(qfinfo);
    1811          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    1812          10 :         qfinfo.generic.in.file.handle = _h1;
    1813          10 :         tree1->session = session1_2;
    1814          10 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    1815          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1816             :                                         "smb2_getinfo_file failed");
    1817             : 
    1818          10 :         tree1->session = session1_1;
    1819          10 :         status = smb2_util_close(tree1, *h1);
    1820          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1821             :                                         "smb2_util_close failed");
    1822          10 :         h1 = NULL;
    1823             : 
    1824             :         /*
    1825             :          * Now bind the 1st transport connection to the 2nd session
    1826             :          */
    1827          10 :         session2_1 = smb2_session_channel(transport1,
    1828             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    1829             :                                           tree1,
    1830             :                                           session2_2);
    1831          10 :         torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
    1832             : 
    1833          10 :         status = smb2_session_setup_spnego(session2_1,
    1834             :                                            samba_cmdline_get_creds(),
    1835             :                                            0 /* previous_session_id */);
    1836          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1837             :                                         "smb2_session_setup_spnego failed");
    1838             : 
    1839          10 :         tree2->session = session2_1;
    1840          10 :         status = smb2_util_unlink(tree2, fname);
    1841          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1842             :                                         "smb2_util_unlink failed");
    1843          10 :         ret = true;
    1844          10 : done:
    1845          10 :         talloc_free(tree2);
    1846          10 :         tree1->session = session1_1;
    1847             : 
    1848          10 :         if (h1 != NULL) {
    1849           0 :                 smb2_util_close(tree1, *h1);
    1850             :         }
    1851             : 
    1852          10 :         smb2_util_unlink(tree1, fname);
    1853             : 
    1854          10 :         talloc_free(tree1);
    1855             : 
    1856          10 :         talloc_free(mem_ctx);
    1857             : 
    1858          10 :         return ret;
    1859             : }
    1860             : 
    1861          10 : static bool test_session_bind2(struct torture_context *tctx, struct smb2_tree *tree1)
    1862             : {
    1863          10 :         const char *host = torture_setting_string(tctx, "host", NULL);
    1864          10 :         const char *share = torture_setting_string(tctx, "share", NULL);
    1865          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    1866             :         NTSTATUS status;
    1867          10 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
    1868             :         char fname1[256];
    1869             :         char fname2[256];
    1870             :         struct smb2_handle _h1f1;
    1871          10 :         struct smb2_handle *h1f1 = NULL;
    1872             :         struct smb2_handle _h1f2;
    1873          10 :         struct smb2_handle *h1f2 = NULL;
    1874             :         struct smb2_handle _h2f2;
    1875          10 :         struct smb2_handle *h2f2 = NULL;
    1876             :         struct smb2_create io1f1;
    1877             :         struct smb2_create io1f2;
    1878             :         struct smb2_create io2f1;
    1879             :         struct smb2_create io2f2;
    1880             :         union smb_fileinfo qfinfo;
    1881          10 :         bool ret = false;
    1882          10 :         struct smb2_transport *transport1 = tree1->session->transport;
    1883             :         struct smbcli_options options2;
    1884          10 :         struct smb2_tree *tree2 = NULL;
    1885          10 :         struct smb2_transport *transport2 = NULL;
    1886             :         struct smbcli_options options3;
    1887          10 :         struct smb2_tree *tree3 = NULL;
    1888          10 :         struct smb2_transport *transport3 = NULL;
    1889          10 :         struct smb2_session *session1_1 = tree1->session;
    1890          10 :         struct smb2_session *session1_2 = NULL;
    1891          10 :         struct smb2_session *session1_3 = NULL;
    1892          10 :         struct smb2_session *session2_1 = NULL;
    1893          10 :         struct smb2_session *session2_2 = NULL;
    1894          10 :         struct smb2_session *session2_3 = NULL;
    1895             :         uint32_t caps;
    1896             : 
    1897          10 :         caps = smb2cli_conn_server_capabilities(transport1->conn);
    1898          10 :         if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
    1899           0 :                 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
    1900             :         }
    1901             : 
    1902             :         /*
    1903             :          * We always want signing for this test!
    1904             :          */
    1905          10 :         smb2cli_tcon_should_sign(tree1->smbXcli, true);
    1906          10 :         options2 = transport1->options;
    1907          10 :         options2.signing = SMB_SIGNING_REQUIRED;
    1908             : 
    1909             :         /* Add some random component to the file name. */
    1910          10 :         snprintf(fname1, sizeof(fname1), "session_bind2_1_%s.dat",
    1911             :                  generate_random_str(tctx, 8));
    1912          10 :         snprintf(fname2, sizeof(fname2), "session_bind2_2_%s.dat",
    1913             :                  generate_random_str(tctx, 8));
    1914             : 
    1915          10 :         smb2_util_unlink(tree1, fname1);
    1916          10 :         smb2_util_unlink(tree1, fname2);
    1917             : 
    1918          10 :         smb2_oplock_create_share(&io1f1, fname1,
    1919             :                                  smb2_util_share_access(""),
    1920          10 :                                  smb2_util_oplock_level(""));
    1921          10 :         smb2_oplock_create_share(&io1f2, fname2,
    1922             :                                  smb2_util_share_access(""),
    1923          10 :                                  smb2_util_oplock_level(""));
    1924             : 
    1925          10 :         status = smb2_create(tree1, mem_ctx, &io1f1);
    1926          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1927             :                                         "smb2_create failed");
    1928          10 :         _h1f1 = io1f1.out.file.handle;
    1929          10 :         h1f1 = &_h1f1;
    1930          10 :         CHECK_CREATED(tctx, &io1f1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1931          10 :         torture_assert_int_equal(tctx, io1f1.out.oplock_level,
    1932             :                                         smb2_util_oplock_level(""),
    1933             :                                         "oplock_level incorrect");
    1934             : 
    1935          10 :         status = smb2_connect(tctx,
    1936             :                               host,
    1937             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1938             :                               share,
    1939             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1940             :                               credentials,
    1941             :                               &tree2,
    1942             :                               tctx->ev,
    1943             :                               &options2,
    1944             :                               lpcfg_socket_options(tctx->lp_ctx),
    1945             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1946             :                               );
    1947          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1948             :                                         "smb2_connect failed");
    1949          10 :         session2_2 = tree2->session;
    1950          10 :         transport2 = tree2->session->transport;
    1951          10 :         smb2cli_tcon_should_sign(tree2->smbXcli, true);
    1952             : 
    1953          10 :         smb2_oplock_create_share(&io2f1, fname1,
    1954             :                                  smb2_util_share_access(""),
    1955          10 :                                  smb2_util_oplock_level(""));
    1956          10 :         smb2_oplock_create_share(&io2f2, fname2,
    1957             :                                  smb2_util_share_access(""),
    1958          10 :                                  smb2_util_oplock_level(""));
    1959             : 
    1960          10 :         status = smb2_create(tree2, mem_ctx, &io2f2);
    1961          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1962             :                                         "smb2_create failed");
    1963          10 :         _h2f2 = io2f2.out.file.handle;
    1964          10 :         h2f2 = &_h2f2;
    1965          10 :         CHECK_CREATED(tctx, &io2f2, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    1966          10 :         torture_assert_int_equal(tctx, io2f2.out.oplock_level,
    1967             :                                         smb2_util_oplock_level(""),
    1968             :                                         "oplock_level incorrect");
    1969             : 
    1970          10 :         options3 = transport1->options;
    1971          10 :         options3.signing = SMB_SIGNING_REQUIRED;
    1972          10 :         options3.only_negprot = true;
    1973             : 
    1974          10 :         status = smb2_connect(tctx,
    1975             :                               host,
    1976             :                               lpcfg_smb_ports(tctx->lp_ctx),
    1977             :                               share,
    1978             :                               lpcfg_resolve_context(tctx->lp_ctx),
    1979             :                               credentials,
    1980             :                               &tree3,
    1981             :                               tctx->ev,
    1982             :                               &options3,
    1983             :                               lpcfg_socket_options(tctx->lp_ctx),
    1984             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    1985             :                               );
    1986          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    1987             :                                         "smb2_connect failed");
    1988          10 :         transport3 = tree3->session->transport;
    1989             : 
    1990             :         /*
    1991             :          * Create a fake session for the 2nd transport connection to the 1st session
    1992             :          */
    1993          10 :         session1_2 = smb2_session_channel(transport2,
    1994             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    1995             :                                           tree1,
    1996             :                                           session1_1);
    1997          10 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    1998             : 
    1999             :         /*
    2000             :          * Now bind the 3rd transport connection to the 1st session
    2001             :          */
    2002          10 :         session1_3 = smb2_session_channel(transport3,
    2003             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2004             :                                           tree1,
    2005             :                                           session1_1);
    2006          10 :         torture_assert(tctx, session1_3 != NULL, "smb2_session_channel failed");
    2007             : 
    2008          10 :         status = smb2_session_setup_spnego(session1_3,
    2009             :                                            credentials,
    2010             :                                            0 /* previous_session_id */);
    2011          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2012             :                                         "smb2_session_setup_spnego failed");
    2013             : 
    2014             :         /*
    2015             :          * Create a fake session for the 1st transport connection to the 2nd session
    2016             :          */
    2017          10 :         session2_1 = smb2_session_channel(transport1,
    2018             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2019             :                                           tree2,
    2020             :                                           session2_2);
    2021          10 :         torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
    2022             : 
    2023             :         /*
    2024             :          * Now bind the 3rd transport connection to the 2nd session
    2025             :          */
    2026          10 :         session2_3 = smb2_session_channel(transport3,
    2027             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2028             :                                           tree2,
    2029             :                                           session2_2);
    2030          10 :         torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
    2031             : 
    2032          10 :         status = smb2_session_setup_spnego(session2_3,
    2033             :                                            credentials,
    2034             :                                            0 /* previous_session_id */);
    2035          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2036             :                                         "smb2_session_setup_spnego failed");
    2037             : 
    2038          10 :         ZERO_STRUCT(qfinfo);
    2039          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2040          10 :         qfinfo.generic.in.file.handle = _h1f1;
    2041          10 :         tree1->session = session1_1;
    2042          10 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    2043          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2044             :                                         "smb2_getinfo_file failed");
    2045          10 :         tree1->session = session1_2;
    2046          10 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    2047          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2048             :                                         "smb2_getinfo_file failed");
    2049          10 :         tree1->session = session1_3;
    2050          10 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    2051          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2052             :                                         "smb2_getinfo_file failed");
    2053             : 
    2054          10 :         ZERO_STRUCT(qfinfo);
    2055          10 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2056          10 :         qfinfo.generic.in.file.handle = _h2f2;
    2057          10 :         tree2->session = session2_1;
    2058          10 :         status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
    2059          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2060             :                                         "smb2_getinfo_file failed");
    2061          10 :         tree2->session = session2_2;
    2062          10 :         status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
    2063          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2064             :                                         "smb2_getinfo_file failed");
    2065          10 :         tree2->session = session2_3;
    2066          10 :         status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
    2067          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2068             :                                         "smb2_getinfo_file failed");
    2069             : 
    2070          10 :         tree1->session = session1_1;
    2071          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2072          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2073             :                                         "smb2_create failed");
    2074          10 :         tree1->session = session1_2;
    2075          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2076          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2077             :                                         "smb2_create failed");
    2078          10 :         tree1->session = session1_3;
    2079          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2080          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2081             :                                         "smb2_create failed");
    2082             : 
    2083          10 :         tree2->session = session2_1;
    2084          10 :         status = smb2_create(tree2, mem_ctx, &io2f1);
    2085          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2086             :                                         "smb2_create failed");
    2087          10 :         tree2->session = session2_2;
    2088          10 :         status = smb2_create(tree2, mem_ctx, &io2f1);
    2089          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2090             :                                         "smb2_create failed");
    2091          10 :         tree2->session = session2_3;
    2092          10 :         status = smb2_create(tree2, mem_ctx, &io2f1);
    2093          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2094             :                                         "smb2_create failed");
    2095             : 
    2096          10 :         smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
    2097          10 :         smb_msleep(500);
    2098             : 
    2099          10 :         tree1->session = session1_1;
    2100          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2101          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2102             :                                         "smb2_create failed");
    2103          10 :         tree1->session = session1_2;
    2104          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2105          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2106             :                                         "smb2_create failed");
    2107             : 
    2108          10 :         tree2->session = session2_1;
    2109          10 :         status = smb2_create(tree2, mem_ctx, &io2f1);
    2110          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2111             :                                         "smb2_create failed");
    2112          10 :         tree2->session = session2_2;
    2113          10 :         status = smb2_create(tree2, mem_ctx, &io2f1);
    2114          10 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
    2115             :                                         "smb2_create failed");
    2116             : 
    2117          10 :         smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
    2118          10 :         smb_msleep(500);
    2119          10 :         h2f2 = NULL;
    2120             : 
    2121          10 :         tree1->session = session1_1;
    2122          10 :         status = smb2_create(tree1, mem_ctx, &io1f2);
    2123          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2124             :                                         "smb2_create failed");
    2125          10 :         _h1f2 = io1f2.out.file.handle;
    2126          10 :         h1f2 = &_h1f2;
    2127          10 :         CHECK_CREATED(tctx, &io1f2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
    2128          10 :         torture_assert_int_equal(tctx, io1f2.out.oplock_level,
    2129             :                                         smb2_util_oplock_level(""),
    2130             :                                         "oplock_level incorrect");
    2131             : 
    2132          10 :         tree1->session = session1_1;
    2133          10 :         status = smb2_util_close(tree1, *h1f1);
    2134          10 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2135             :                                         "smb2_util_close failed");
    2136          10 :         h1f1 = NULL;
    2137             : 
    2138          10 :         ret = true;
    2139          10 : done:
    2140             : 
    2141          10 :         smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
    2142          10 :         smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
    2143             : 
    2144          10 :         tree1->session = session1_1;
    2145          10 :         tree2->session = session2_2;
    2146             : 
    2147          10 :         if (h1f1 != NULL) {
    2148           0 :                 smb2_util_close(tree1, *h1f1);
    2149             :         }
    2150          10 :         if (h1f2 != NULL) {
    2151          10 :                 smb2_util_close(tree1, *h1f2);
    2152             :         }
    2153          10 :         if (h2f2 != NULL) {
    2154           0 :                 smb2_util_close(tree2, *h2f2);
    2155             :         }
    2156             : 
    2157          10 :         smb2_util_unlink(tree1, fname1);
    2158          10 :         smb2_util_unlink(tree1, fname2);
    2159             : 
    2160          10 :         talloc_free(tree1);
    2161             : 
    2162          10 :         talloc_free(mem_ctx);
    2163             : 
    2164          10 :         return ret;
    2165             : }
    2166             : 
    2167          14 : static bool test_session_bind_auth_mismatch(struct torture_context *tctx,
    2168             :                                             struct smb2_tree *tree1,
    2169             :                                             const char *testname,
    2170             :                                             struct cli_credentials *creds1,
    2171             :                                             struct cli_credentials *creds2,
    2172             :                                             bool creds2_require_ok)
    2173             : {
    2174          14 :         const char *host = torture_setting_string(tctx, "host", NULL);
    2175          14 :         const char *share = torture_setting_string(tctx, "share", NULL);
    2176             :         NTSTATUS status;
    2177          14 :         TALLOC_CTX *mem_ctx = talloc_new(tctx);
    2178             :         char fname[256];
    2179             :         struct smb2_handle _h1;
    2180          14 :         struct smb2_handle *h1 = NULL;
    2181             :         struct smb2_create io1;
    2182             :         union smb_fileinfo qfinfo;
    2183          14 :         bool ret = false;
    2184          14 :         struct smb2_tree *tree2 = NULL;
    2185          14 :         struct smb2_transport *transport1 = tree1->session->transport;
    2186             :         struct smbcli_options options2;
    2187          14 :         struct smb2_transport *transport2 = NULL;
    2188          14 :         struct smb2_session *session1_1 = tree1->session;
    2189          14 :         struct smb2_session *session1_2 = NULL;
    2190          14 :         struct smb2_session *session2_1 = NULL;
    2191          14 :         struct smb2_session *session2_2 = NULL;
    2192          14 :         struct smb2_session *session3_1 = NULL;
    2193             :         uint32_t caps;
    2194             :         bool encrypted;
    2195          14 :         bool creds2_got_ok = false;
    2196             : 
    2197          14 :         encrypted = smb2cli_tcon_is_encryption_on(tree1->smbXcli);
    2198             : 
    2199          14 :         caps = smb2cli_conn_server_capabilities(transport1->conn);
    2200          14 :         if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
    2201           0 :                 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
    2202             :         }
    2203             : 
    2204             :         /*
    2205             :          * We always want signing for this test!
    2206             :          */
    2207          14 :         smb2cli_tcon_should_sign(tree1->smbXcli, true);
    2208          14 :         options2 = transport1->options;
    2209          14 :         options2.signing = SMB_SIGNING_REQUIRED;
    2210             : 
    2211             :         /* Add some random component to the file name. */
    2212          14 :         snprintf(fname, sizeof(fname), "%s_%s.dat", testname,
    2213             :                  generate_random_str(tctx, 8));
    2214             : 
    2215          14 :         smb2_util_unlink(tree1, fname);
    2216             : 
    2217          14 :         smb2_oplock_create_share(&io1, fname,
    2218             :                                  smb2_util_share_access(""),
    2219          14 :                                  smb2_util_oplock_level("b"));
    2220             : 
    2221          14 :         status = smb2_create(tree1, mem_ctx, &io1);
    2222          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2223             :                                         "smb2_create failed");
    2224          14 :         _h1 = io1.out.file.handle;
    2225          14 :         h1 = &_h1;
    2226          14 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    2227          14 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    2228             :                                         smb2_util_oplock_level("b"),
    2229             :                                         "oplock_level incorrect");
    2230             : 
    2231          14 :         status = smb2_connect(tctx,
    2232             :                               host,
    2233             :                               lpcfg_smb_ports(tctx->lp_ctx),
    2234             :                               share,
    2235             :                               lpcfg_resolve_context(tctx->lp_ctx),
    2236             :                               creds1,
    2237             :                               &tree2,
    2238             :                               tctx->ev,
    2239             :                               &options2,
    2240             :                               lpcfg_socket_options(tctx->lp_ctx),
    2241             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    2242             :                               );
    2243          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2244             :                                         "smb2_connect failed");
    2245          14 :         session2_2 = tree2->session;
    2246          14 :         transport2 = tree2->session->transport;
    2247             : 
    2248             :         /*
    2249             :          * Now bind the 2nd transport connection to the 1st session
    2250             :          */
    2251          14 :         session1_2 = smb2_session_channel(transport2,
    2252             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2253             :                                           tree2,
    2254             :                                           session1_1);
    2255          14 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    2256             : 
    2257          14 :         status = smb2_session_setup_spnego(session1_2,
    2258             :                                            creds1,
    2259             :                                            0 /* previous_session_id */);
    2260          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2261             :                                         "smb2_session_setup_spnego failed");
    2262             : 
    2263             :         /* use the 1st connection, 1st session */
    2264          14 :         ZERO_STRUCT(qfinfo);
    2265          14 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2266          14 :         qfinfo.generic.in.file.handle = _h1;
    2267          14 :         tree1->session = session1_1;
    2268          14 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    2269          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2270             :                                         "smb2_getinfo_file failed");
    2271             : 
    2272             :         /* use the 2nd connection, 1st session */
    2273          14 :         ZERO_STRUCT(qfinfo);
    2274          14 :         qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2275          14 :         qfinfo.generic.in.file.handle = _h1;
    2276          14 :         tree1->session = session1_2;
    2277          14 :         status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
    2278          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2279             :                                         "smb2_getinfo_file failed");
    2280             : 
    2281          14 :         tree1->session = session1_1;
    2282          14 :         status = smb2_util_close(tree1, *h1);
    2283          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2284             :                                         "smb2_util_close failed");
    2285          14 :         h1 = NULL;
    2286             : 
    2287             :         /*
    2288             :          * Create a 3rd session in order to check if the invalid (creds2)
    2289             :          * are mapped to guest.
    2290             :          */
    2291          14 :         session3_1 = smb2_session_init(transport1,
    2292             :                                        lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2293             :                                        tctx);
    2294          14 :         torture_assert(tctx, session3_1 != NULL, "smb2_session_channel failed");
    2295             : 
    2296          14 :         status = smb2_session_setup_spnego(session3_1,
    2297             :                                            creds2,
    2298             :                                            0 /* previous_session_id */);
    2299          14 :         if (creds2_require_ok) {
    2300           4 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2301             :                                         "smb2_session_setup_spnego worked");
    2302           4 :                 creds2_got_ok = true;
    2303          10 :         } else if (NT_STATUS_IS_OK(status)) {
    2304           2 :                 bool authentiated = smbXcli_session_is_authenticated(session3_1->smbXcli);
    2305           2 :                 torture_assert(tctx, !authentiated, "Invalid credentials allowed!");
    2306           2 :                 creds2_got_ok = true;
    2307             :         } else {
    2308           8 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
    2309             :                                         "smb2_session_setup_spnego worked");
    2310             :         }
    2311             : 
    2312             :         /*
    2313             :          * Now bind the 1st transport connection to the 2nd session
    2314             :          */
    2315          14 :         session2_1 = smb2_session_channel(transport1,
    2316             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2317             :                                           tree1,
    2318             :                                           session2_2);
    2319          14 :         torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
    2320             : 
    2321          14 :         tree2->session = session2_1;
    2322          14 :         status = smb2_util_unlink(tree2, fname);
    2323          14 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2324             :                                         "smb2_util_unlink worked on invalid channel");
    2325             : 
    2326          14 :         status = smb2_session_setup_spnego(session2_1,
    2327             :                                            creds2,
    2328             :                                            0 /* previous_session_id */);
    2329          14 :         if (creds2_got_ok) {
    2330             :                 /*
    2331             :                  * attaching with a different user (guest or anonymous) results
    2332             :                  * in ACCESS_DENIED.
    2333             :                  */
    2334           6 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_ACCESS_DENIED, ret, done,
    2335             :                                         "smb2_session_setup_spnego worked");
    2336             :         } else {
    2337           8 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
    2338             :                                         "smb2_session_setup_spnego worked");
    2339             :         }
    2340             : 
    2341          14 :         tree2->session = session2_1;
    2342          14 :         status = smb2_util_unlink(tree2, fname);
    2343          14 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2344             :                                         "smb2_util_unlink worked on invalid channel");
    2345             : 
    2346          14 :         tree2->session = session2_2;
    2347          14 :         status = smb2_util_unlink(tree2, fname);
    2348          14 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2349             :                                         "smb2_util_unlink failed");
    2350          14 :         status = smb2_util_unlink(tree2, fname);
    2351          14 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
    2352             :                                         "smb2_util_unlink worked");
    2353          14 :         if (creds2_got_ok) {
    2354             :                 /*
    2355             :                  * We got ACCESS_DENIED on the session bind
    2356             :                  * with a different user, now check that
    2357             :                  * the correct user can actually bind on
    2358             :                  * the same connection.
    2359             :                  */
    2360           6 :                 TALLOC_FREE(session2_1);
    2361           6 :                 session2_1 = smb2_session_channel(transport1,
    2362             :                                                   lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2363             :                                                   tree1,
    2364             :                                                   session2_2);
    2365           6 :                 torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
    2366             : 
    2367           6 :                 status = smb2_session_setup_spnego(session2_1,
    2368             :                                                    creds1,
    2369             :                                                    0 /* previous_session_id */);
    2370           6 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2371             :                                         "smb2_session_setup_spnego failed");
    2372           6 :                 tree2->session = session2_1;
    2373           6 :                 status = smb2_util_unlink(tree2, fname);
    2374           6 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
    2375             :                                                 "smb2_util_unlink worked");
    2376           6 :                 tree2->session = session2_2;
    2377             :         }
    2378             : 
    2379          14 :         tree1->session = session1_1;
    2380          14 :         status = smb2_util_unlink(tree1, fname);
    2381          14 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
    2382             :                                         "smb2_util_unlink worked");
    2383             : 
    2384          14 :         tree1->session = session1_2;
    2385          14 :         status = smb2_util_unlink(tree1, fname);
    2386          14 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
    2387             :                                         "smb2_util_unlink worked");
    2388             : 
    2389          14 :         if (creds2_got_ok) {
    2390             :                 /*
    2391             :                  * With valid credentials, there's no point to test a failing
    2392             :                  * reauth.
    2393             :                  */
    2394           6 :                 ret = true;
    2395           6 :                 goto done;
    2396             :         }
    2397             : 
    2398             :         /*
    2399             :          * Do a failing reauth the 2nd channel
    2400             :          */
    2401           8 :         status = smb2_session_setup_spnego(session1_2,
    2402             :                                            creds2,
    2403             :                                            0 /* previous_session_id */);
    2404           8 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
    2405             :                                         "smb2_session_setup_spnego worked");
    2406             : 
    2407           8 :         tree1->session = session1_1;
    2408           8 :         status = smb2_util_unlink(tree1, fname);
    2409           8 :         if (encrypted) {
    2410           2 :                 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
    2411             :                                                 "smb2_util_unlink worked");
    2412             :         } else {
    2413           6 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2414             :                                                 "smb2_util_unlink worked");
    2415             :         }
    2416             : 
    2417           8 :         tree1->session = session1_2;
    2418           8 :         status = smb2_util_unlink(tree1, fname);
    2419           8 :         if (encrypted) {
    2420           2 :                 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
    2421             :                                                 "smb2_util_unlink worked");
    2422             :         } else {
    2423           6 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
    2424             :                                                 "smb2_util_unlink worked");
    2425             :         }
    2426             : 
    2427           8 :         status = smb2_util_unlink(tree2, fname);
    2428           8 :         if (encrypted) {
    2429           2 :                 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
    2430             :                                                 "smb2_util_unlink worked");
    2431           2 :                 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
    2432             :                                                 "smb2_util_unlink worked");
    2433             :         } else {
    2434           6 :                 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
    2435             :                                                 "smb2_util_unlink worked");
    2436             :         }
    2437             : 
    2438           8 :         ret = true;
    2439          14 : done:
    2440          14 :         talloc_free(tree2);
    2441          14 :         tree1->session = session1_1;
    2442             : 
    2443          14 :         if (h1 != NULL) {
    2444           0 :                 smb2_util_close(tree1, *h1);
    2445             :         }
    2446             : 
    2447          14 :         smb2_util_unlink(tree1, fname);
    2448             : 
    2449          14 :         talloc_free(tree1);
    2450             : 
    2451          14 :         talloc_free(mem_ctx);
    2452             : 
    2453          14 :         return ret;
    2454             : }
    2455             : 
    2456          10 : static bool test_session_bind_invalid_auth(struct torture_context *tctx, struct smb2_tree *tree1)
    2457             : {
    2458          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2459          10 :         struct cli_credentials *invalid_credentials = NULL;
    2460          10 :         bool ret = false;
    2461             : 
    2462          10 :         invalid_credentials = cli_credentials_init(tctx);
    2463          10 :         torture_assert(tctx, (invalid_credentials != NULL), "talloc error");
    2464          10 :         cli_credentials_set_username(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
    2465          10 :         cli_credentials_set_domain(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
    2466          10 :         cli_credentials_set_password(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
    2467          10 :         cli_credentials_set_realm(invalid_credentials, NULL, CRED_SPECIFIED);
    2468          10 :         cli_credentials_set_workstation(invalid_credentials, "", CRED_UNINITIALISED);
    2469             : 
    2470          10 :         ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
    2471             :                                               credentials,
    2472             :                                               invalid_credentials,
    2473             :                                               false);
    2474          10 :         return ret;
    2475             : }
    2476             : 
    2477          10 : static bool test_session_bind_different_user(struct torture_context *tctx, struct smb2_tree *tree1)
    2478             : {
    2479          10 :         struct cli_credentials *credentials1 = samba_cmdline_get_creds();
    2480          10 :         struct cli_credentials *credentials2 = torture_user2_credentials(tctx, tctx);
    2481          10 :         char *u1 = cli_credentials_get_unparsed_name(credentials1, tctx);
    2482          10 :         char *u2 = cli_credentials_get_unparsed_name(credentials2, tctx);
    2483          10 :         bool ret = false;
    2484             :         bool bval;
    2485             : 
    2486          10 :         torture_assert(tctx, (credentials2 != NULL), "talloc error");
    2487          10 :         bval = cli_credentials_is_anonymous(credentials2);
    2488          10 :         if (bval) {
    2489           6 :                 torture_skip(tctx, "valid user2 credentials are required");
    2490             :         }
    2491           4 :         bval = strequal(u1, u2);
    2492           4 :         if (bval) {
    2493           0 :                 torture_skip(tctx, "different user2 credentials are required");
    2494             :         }
    2495             : 
    2496           4 :         ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
    2497             :                                               credentials1,
    2498             :                                               credentials2,
    2499             :                                               true);
    2500           4 :         return ret;
    2501             : }
    2502             : 
    2503         368 : static bool test_session_bind_negative_smbXtoX(struct torture_context *tctx,
    2504             :                                                const char *testname,
    2505             :                                                struct cli_credentials *credentials,
    2506             :                                                const struct smbcli_options *options1,
    2507             :                                                const struct smbcli_options *options2,
    2508             :                                                NTSTATUS bind_reject_status)
    2509             : {
    2510         368 :         const char *host = torture_setting_string(tctx, "host", NULL);
    2511         368 :         const char *share = torture_setting_string(tctx, "share", NULL);
    2512             :         NTSTATUS status;
    2513         368 :         bool ret = false;
    2514         368 :         struct smb2_tree *tree1 = NULL;
    2515         368 :         struct smb2_session *session1_1 = NULL;
    2516             :         char fname[256];
    2517             :         struct smb2_handle _h1;
    2518         368 :         struct smb2_handle *h1 = NULL;
    2519             :         struct smb2_create io1;
    2520             :         union smb_fileinfo qfinfo1;
    2521         368 :         struct smb2_tree *tree2_0 = NULL;
    2522         368 :         struct smb2_transport *transport2 = NULL;
    2523         368 :         struct smb2_session *session1_2 = NULL;
    2524         368 :         uint64_t session1_id = 0;
    2525         368 :         uint16_t session1_flags = 0;
    2526         368 :         NTSTATUS deleted_status = NT_STATUS_USER_SESSION_DELETED;
    2527             : 
    2528         368 :         status = smb2_connect(tctx,
    2529             :                               host,
    2530             :                               lpcfg_smb_ports(tctx->lp_ctx),
    2531             :                               share,
    2532             :                               lpcfg_resolve_context(tctx->lp_ctx),
    2533             :                               credentials,
    2534             :                               &tree1,
    2535             :                               tctx->ev,
    2536             :                               options1,
    2537             :                               lpcfg_socket_options(tctx->lp_ctx),
    2538             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    2539             :                               );
    2540         368 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2541             :                                         "smb2_connect options1 failed");
    2542         368 :         session1_1 = tree1->session;
    2543         368 :         session1_id = smb2cli_session_current_id(session1_1->smbXcli);
    2544         368 :         session1_flags = smb2cli_session_get_flags(session1_1->smbXcli);
    2545             : 
    2546             :         /* Add some random component to the file name. */
    2547         368 :         snprintf(fname, sizeof(fname), "%s_%s.dat",
    2548             :                  testname, generate_random_str(tctx, 8));
    2549             : 
    2550         368 :         smb2_util_unlink(tree1, fname);
    2551             : 
    2552         368 :         smb2_oplock_create_share(&io1, fname,
    2553             :                                  smb2_util_share_access(""),
    2554         368 :                                  smb2_util_oplock_level("b"));
    2555             : 
    2556         368 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
    2557         368 :         status = smb2_create(tree1, tctx, &io1);
    2558         368 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2559             :                                         "smb2_create failed");
    2560         368 :         _h1 = io1.out.file.handle;
    2561         368 :         h1 = &_h1;
    2562         368 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    2563         368 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    2564             :                                         smb2_util_oplock_level("b"),
    2565             :                                         "oplock_level incorrect");
    2566             : 
    2567         368 :         status = smb2_connect(tctx,
    2568             :                               host,
    2569             :                               lpcfg_smb_ports(tctx->lp_ctx),
    2570             :                               share,
    2571             :                               lpcfg_resolve_context(tctx->lp_ctx),
    2572             :                               credentials,
    2573             :                               &tree2_0,
    2574             :                               tctx->ev,
    2575             :                               options2,
    2576             :                               lpcfg_socket_options(tctx->lp_ctx),
    2577             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    2578             :                               );
    2579         368 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2580             :                                         "smb2_connect options2 failed");
    2581         368 :         transport2 = tree2_0->session->transport;
    2582             : 
    2583             :         /*
    2584             :          * Now bind the 2nd transport connection to the 1st session
    2585             :          */
    2586         368 :         session1_2 = smb2_session_channel(transport2,
    2587             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2588             :                                           tree2_0,
    2589             :                                           session1_1);
    2590         368 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    2591             : 
    2592         368 :         status = smb2_session_setup_spnego(session1_2,
    2593             :                                            credentials,
    2594             :                                            0 /* previous_session_id */);
    2595         368 :         torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
    2596             :                                            "smb2_session_setup_spnego failed");
    2597         348 :         if (NT_STATUS_IS_OK(bind_reject_status)) {
    2598          20 :                 ZERO_STRUCT(qfinfo1);
    2599          20 :                 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2600          20 :                 qfinfo1.generic.in.file.handle = _h1;
    2601          20 :                 tree1->session = session1_2;
    2602          20 :                 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    2603          20 :                 tree1->session = session1_1;
    2604          20 :                 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2605             :                                         "smb2_getinfo_file failed");
    2606             :         }
    2607         348 :         TALLOC_FREE(session1_2);
    2608             : 
    2609             :         /* Check the initial session is still alive */
    2610         348 :         ZERO_STRUCT(qfinfo1);
    2611         348 :         qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2612         348 :         qfinfo1.generic.in.file.handle = _h1;
    2613         348 :         status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    2614         348 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2615             :                                         "smb2_getinfo_file failed");
    2616             : 
    2617         348 :         if (NT_STATUS_IS_OK(bind_reject_status)) {
    2618          20 :                 deleted_status = NT_STATUS_ACCESS_DENIED;
    2619          20 :                 bind_reject_status = NT_STATUS_ACCESS_DENIED;
    2620             :         }
    2621             : 
    2622             :         /*
    2623             :          * I guess this is not part of MultipleChannel_Negative_SMB2002,
    2624             :          * but we should also check the status without
    2625             :          * SMB2_SESSION_FLAG_BINDING.
    2626             :          */
    2627         348 :         session1_2 = smb2_session_channel(transport2,
    2628             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2629             :                                           tree2_0,
    2630             :                                           session1_1);
    2631         348 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    2632         348 :         session1_2->needs_bind = false;
    2633             : 
    2634         348 :         status = smb2_session_setup_spnego(session1_2,
    2635             :                                            credentials,
    2636             :                                            0 /* previous_session_id */);
    2637         348 :         torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
    2638             :                                            "smb2_session_setup_spnego failed");
    2639         348 :         TALLOC_FREE(session1_2);
    2640             : 
    2641             :         /*
    2642             :          * ... and we should also check the status without any existing
    2643             :          * session keys.
    2644             :          */
    2645         348 :         session1_2 = smb2_session_init(transport2,
    2646             :                                        lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2647             :                                        tree2_0);
    2648         348 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    2649         348 :         talloc_steal(tree2_0->session, transport2);
    2650         348 :         smb2cli_session_set_id_and_flags(session1_2->smbXcli,
    2651             :                                          session1_id, session1_flags);
    2652             : 
    2653         348 :         status = smb2_session_setup_spnego(session1_2,
    2654             :                                            credentials,
    2655             :                                            0 /* previous_session_id */);
    2656         348 :         torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
    2657             :                                            "smb2_session_setup_spnego failed");
    2658         348 :         TALLOC_FREE(session1_2);
    2659             : 
    2660             :         /* Check the initial session is still alive */
    2661         348 :         ZERO_STRUCT(qfinfo1);
    2662         348 :         qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2663         348 :         qfinfo1.generic.in.file.handle = _h1;
    2664         348 :         status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    2665         348 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2666             :                                         "smb2_getinfo_file failed");
    2667             : 
    2668             :         /*
    2669             :          * Now bind the 2nd transport connection to the 1st session (again)
    2670             :          */
    2671         348 :         session1_2 = smb2_session_channel(transport2,
    2672             :                                           lpcfg_gensec_settings(tctx, tctx->lp_ctx),
    2673             :                                           tree2_0,
    2674             :                                           session1_1);
    2675         348 :         torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
    2676             : 
    2677         348 :         status = smb2_session_setup_spnego(session1_2,
    2678             :                                            credentials,
    2679             :                                            0 /* previous_session_id */);
    2680         348 :         torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
    2681             :                                            "smb2_session_setup_spnego failed");
    2682         348 :         TALLOC_FREE(session1_2);
    2683             : 
    2684             :         /* Check the initial session is still alive */
    2685         348 :         ZERO_STRUCT(qfinfo1);
    2686         348 :         qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    2687         348 :         qfinfo1.generic.in.file.handle = _h1;
    2688         348 :         status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    2689         348 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    2690             :                                         "smb2_getinfo_file failed");
    2691             : 
    2692         348 :         ret = true;
    2693         368 : done:
    2694         368 :         talloc_free(tree2_0);
    2695         368 :         if (h1 != NULL) {
    2696         368 :                 smb2_util_close(tree1, *h1);
    2697             :         }
    2698         368 :         talloc_free(tree1);
    2699             : 
    2700         368 :         return ret;
    2701             : }
    2702             : 
    2703             : /*
    2704             :  * This is similar to the MultipleChannel_Negative_SMB2002 test
    2705             :  * from the Windows Protocol Test Suite.
    2706             :  *
    2707             :  * It demonstrates that the server needs to do lookup
    2708             :  * in the global session table in order to get the signing
    2709             :  * and error code of invalid session setups correct.
    2710             :  *
    2711             :  * See: https://bugzilla.samba.org/show_bug.cgi?id=14512
    2712             :  *
    2713             :  * Note you can ignore tree0...
    2714             :  */
    2715          10 : static bool test_session_bind_negative_smb202(struct torture_context *tctx, struct smb2_tree *tree0)
    2716             : {
    2717          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2718          10 :         bool ret = false;
    2719          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2720             :         struct smbcli_options options1;
    2721             :         struct smbcli_options options2;
    2722             :         bool encrypted;
    2723             : 
    2724          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2725          10 :         if (encrypted) {
    2726           2 :                 torture_skip(tctx,
    2727             :                              "Can't test SMB 2.02 if encrytion is required");
    2728             :         }
    2729             : 
    2730           8 :         options1 = transport0->options;
    2731           8 :         options1.client_guid = GUID_zero();
    2732           8 :         options1.max_protocol = PROTOCOL_SMB2_02;
    2733             : 
    2734           8 :         options2 = options1;
    2735           8 :         options2.only_negprot = true;
    2736             : 
    2737           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2738             :                                                  credentials,
    2739             :                                                  &options1, &options2,
    2740           8 :                                                  NT_STATUS_REQUEST_NOT_ACCEPTED);
    2741           8 :         talloc_free(tree0);
    2742           8 :         return ret;
    2743             : }
    2744             : 
    2745          10 : static bool test_session_bind_negative_smb210s(struct torture_context *tctx, struct smb2_tree *tree0)
    2746             : {
    2747          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2748          10 :         bool ret = false;
    2749          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2750             :         struct smbcli_options options1;
    2751             :         struct smbcli_options options2;
    2752             :         bool encrypted;
    2753             : 
    2754          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2755          10 :         if (encrypted) {
    2756           2 :                 torture_skip(tctx,
    2757             :                              "Can't test SMB 2.10 if encrytion is required");
    2758             :         }
    2759             : 
    2760           8 :         options1 = transport0->options;
    2761           8 :         options1.client_guid = GUID_random();
    2762           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    2763             : 
    2764             :         /* same client guid */
    2765           8 :         options2 = options1;
    2766           8 :         options2.only_negprot = true;
    2767             : 
    2768           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2769             :                                                  credentials,
    2770             :                                                  &options1, &options2,
    2771           8 :                                                  NT_STATUS_REQUEST_NOT_ACCEPTED);
    2772           8 :         talloc_free(tree0);
    2773           8 :         return ret;
    2774             : }
    2775             : 
    2776          10 : static bool test_session_bind_negative_smb210d(struct torture_context *tctx, struct smb2_tree *tree0)
    2777             : {
    2778          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2779          10 :         bool ret = false;
    2780          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2781             :         struct smbcli_options options1;
    2782             :         struct smbcli_options options2;
    2783             :         bool encrypted;
    2784             : 
    2785          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2786          10 :         if (encrypted) {
    2787           2 :                 torture_skip(tctx,
    2788             :                              "Can't test SMB 2.10 if encrytion is required");
    2789             :         }
    2790             : 
    2791           8 :         options1 = transport0->options;
    2792           8 :         options1.client_guid = GUID_random();
    2793           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    2794             : 
    2795             :         /* different client guid */
    2796           8 :         options2 = options1;
    2797           8 :         options2.client_guid = GUID_random();
    2798           8 :         options2.only_negprot = true;
    2799             : 
    2800           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2801             :                                                  credentials,
    2802             :                                                  &options1, &options2,
    2803           8 :                                                  NT_STATUS_REQUEST_NOT_ACCEPTED);
    2804           8 :         talloc_free(tree0);
    2805           8 :         return ret;
    2806             : }
    2807             : 
    2808          10 : static bool test_session_bind_negative_smb2to3s(struct torture_context *tctx, struct smb2_tree *tree0)
    2809             : {
    2810          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2811          10 :         bool ret = false;
    2812          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2813             :         struct smbcli_options options1;
    2814             :         struct smbcli_options options2;
    2815             :         bool encrypted;
    2816             : 
    2817          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2818          10 :         if (encrypted) {
    2819           2 :                 torture_skip(tctx,
    2820             :                              "Can't test SMB 2.10 if encrytion is required");
    2821             :         }
    2822             : 
    2823           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
    2824           0 :                 torture_skip(tctx,
    2825             :                              "Can't test without SMB3 support");
    2826             :         }
    2827             : 
    2828           8 :         options1 = transport0->options;
    2829           8 :         options1.client_guid = GUID_random();
    2830           8 :         options1.min_protocol = PROTOCOL_SMB2_02;
    2831           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    2832             : 
    2833             :         /* same client guid */
    2834           8 :         options2 = options1;
    2835           8 :         options2.only_negprot = true;
    2836           8 :         options2.min_protocol = PROTOCOL_SMB3_00;
    2837           8 :         options2.max_protocol = PROTOCOL_SMB3_11;
    2838           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2839             :                 .num_algos = 1,
    2840             :                 .algos = {
    2841             :                         SMB2_SIGNING_AES128_CMAC,
    2842             :                 },
    2843             :         };
    2844             : 
    2845           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2846             :                                                  credentials,
    2847             :                                                  &options1, &options2,
    2848           8 :                                                  NT_STATUS_INVALID_PARAMETER);
    2849           8 :         talloc_free(tree0);
    2850           8 :         return ret;
    2851             : }
    2852             : 
    2853          10 : static bool test_session_bind_negative_smb2to3d(struct torture_context *tctx, struct smb2_tree *tree0)
    2854             : {
    2855          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2856          10 :         bool ret = false;
    2857          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2858             :         struct smbcli_options options1;
    2859             :         struct smbcli_options options2;
    2860             :         bool encrypted;
    2861             : 
    2862          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2863          10 :         if (encrypted) {
    2864           2 :                 torture_skip(tctx,
    2865             :                              "Can't test SMB 2.10 if encrytion is required");
    2866             :         }
    2867             : 
    2868           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
    2869           0 :                 torture_skip(tctx,
    2870             :                              "Can't test without SMB3 support");
    2871             :         }
    2872             : 
    2873           8 :         options1 = transport0->options;
    2874           8 :         options1.client_guid = GUID_random();
    2875           8 :         options1.min_protocol = PROTOCOL_SMB2_02;
    2876           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    2877             : 
    2878             :         /* different client guid */
    2879           8 :         options2 = options1;
    2880           8 :         options2.client_guid = GUID_random();
    2881           8 :         options2.only_negprot = true;
    2882           8 :         options2.min_protocol = PROTOCOL_SMB3_00;
    2883           8 :         options2.max_protocol = PROTOCOL_SMB3_11;
    2884           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2885             :                 .num_algos = 1,
    2886             :                 .algos = {
    2887             :                         SMB2_SIGNING_AES128_CMAC,
    2888             :                 },
    2889             :         };
    2890             : 
    2891           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2892             :                                                  credentials,
    2893             :                                                  &options1, &options2,
    2894           8 :                                                  NT_STATUS_INVALID_PARAMETER);
    2895           8 :         talloc_free(tree0);
    2896           8 :         return ret;
    2897             : }
    2898             : 
    2899          10 : static bool test_session_bind_negative_smb3to2s(struct torture_context *tctx, struct smb2_tree *tree0)
    2900             : {
    2901          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2902          10 :         bool ret = false;
    2903          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2904             :         struct smbcli_options options1;
    2905             :         struct smbcli_options options2;
    2906             :         bool encrypted;
    2907             : 
    2908          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2909          10 :         if (encrypted) {
    2910           2 :                 torture_skip(tctx,
    2911             :                              "Can't test SMB 2.10 if encrytion is required");
    2912             :         }
    2913             : 
    2914           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
    2915           0 :                 torture_skip(tctx,
    2916             :                              "Can't test without SMB3 support");
    2917             :         }
    2918             : 
    2919           8 :         options1 = transport0->options;
    2920           8 :         options1.client_guid = GUID_random();
    2921           8 :         options1.min_protocol = PROTOCOL_SMB3_00;
    2922           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    2923           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2924             :                 .num_algos = 1,
    2925             :                 .algos = {
    2926             :                         SMB2_SIGNING_AES128_CMAC,
    2927             :                 },
    2928             :         };
    2929             : 
    2930             :         /* same client guid */
    2931           8 :         options2 = options1;
    2932           8 :         options2.only_negprot = true;
    2933           8 :         options2.min_protocol = PROTOCOL_SMB2_02;
    2934           8 :         options2.max_protocol = PROTOCOL_SMB2_10;
    2935           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2936             :                 .num_algos = 1,
    2937             :                 .algos = {
    2938             :                         SMB2_SIGNING_HMAC_SHA256,
    2939             :                 },
    2940             :         };
    2941             : 
    2942           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2943             :                                                  credentials,
    2944             :                                                  &options1, &options2,
    2945           8 :                                                  NT_STATUS_REQUEST_NOT_ACCEPTED);
    2946           8 :         talloc_free(tree0);
    2947           8 :         return ret;
    2948             : }
    2949             : 
    2950          10 : static bool test_session_bind_negative_smb3to2d(struct torture_context *tctx, struct smb2_tree *tree0)
    2951             : {
    2952          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    2953          10 :         bool ret = false;
    2954          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    2955             :         struct smbcli_options options1;
    2956             :         struct smbcli_options options2;
    2957             :         bool encrypted;
    2958             : 
    2959          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    2960          10 :         if (encrypted) {
    2961           2 :                 torture_skip(tctx,
    2962             :                              "Can't test SMB 2.10 if encrytion is required");
    2963             :         }
    2964             : 
    2965           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
    2966           0 :                 torture_skip(tctx,
    2967             :                              "Can't test without SMB3 support");
    2968             :         }
    2969             : 
    2970           8 :         options1 = transport0->options;
    2971           8 :         options1.client_guid = GUID_random();
    2972           8 :         options1.min_protocol = PROTOCOL_SMB3_00;
    2973           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    2974           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2975             :                 .num_algos = 1,
    2976             :                 .algos = {
    2977             :                         SMB2_SIGNING_AES128_CMAC,
    2978             :                 },
    2979             :         };
    2980             : 
    2981             :         /* different client guid */
    2982           8 :         options2 = options1;
    2983           8 :         options2.client_guid = GUID_random();
    2984           8 :         options2.only_negprot = true;
    2985           8 :         options2.min_protocol = PROTOCOL_SMB2_02;
    2986           8 :         options2.max_protocol = PROTOCOL_SMB2_10;
    2987           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    2988             :                 .num_algos = 1,
    2989             :                 .algos = {
    2990             :                         SMB2_SIGNING_HMAC_SHA256,
    2991             :                 },
    2992             :         };
    2993             : 
    2994           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    2995             :                                                  credentials,
    2996             :                                                  &options1, &options2,
    2997           8 :                                                  NT_STATUS_REQUEST_NOT_ACCEPTED);
    2998           8 :         talloc_free(tree0);
    2999           8 :         return ret;
    3000             : }
    3001             : 
    3002          10 : static bool test_session_bind_negative_smb3to3s(struct torture_context *tctx, struct smb2_tree *tree0)
    3003             : {
    3004          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    3005          10 :         bool ret = false;
    3006          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3007             :         struct smbcli_options options1;
    3008             :         struct smbcli_options options2;
    3009             : 
    3010          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3011           0 :                 torture_skip(tctx,
    3012             :                              "Can't test without SMB 3.1.1 support");
    3013             :         }
    3014             : 
    3015          10 :         options1 = transport0->options;
    3016          10 :         options1.client_guid = GUID_random();
    3017          10 :         options1.min_protocol = PROTOCOL_SMB3_02;
    3018          10 :         options1.max_protocol = PROTOCOL_SMB3_02;
    3019             : 
    3020             :         /* same client guid */
    3021          10 :         options2 = options1;
    3022          10 :         options2.only_negprot = true;
    3023          10 :         options2.min_protocol = PROTOCOL_SMB3_11;
    3024          10 :         options2.max_protocol = PROTOCOL_SMB3_11;
    3025          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3026             :                 .num_algos = 1,
    3027             :                 .algos = {
    3028             :                         SMB2_SIGNING_AES128_CMAC,
    3029             :                 },
    3030             :         };
    3031             : 
    3032          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3033             :                                                  credentials,
    3034             :                                                  &options1, &options2,
    3035          10 :                                                  NT_STATUS_INVALID_PARAMETER);
    3036          10 :         talloc_free(tree0);
    3037          10 :         return ret;
    3038             : }
    3039             : 
    3040          10 : static bool test_session_bind_negative_smb3to3d(struct torture_context *tctx, struct smb2_tree *tree0)
    3041             : {
    3042          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    3043          10 :         bool ret = false;
    3044          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3045             :         struct smbcli_options options1;
    3046             :         struct smbcli_options options2;
    3047             : 
    3048          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3049           0 :                 torture_skip(tctx,
    3050             :                              "Can't test without SMB 3.1.1 support");
    3051             :         }
    3052             : 
    3053          10 :         options1 = transport0->options;
    3054          10 :         options1.client_guid = GUID_random();
    3055          10 :         options1.min_protocol = PROTOCOL_SMB3_02;
    3056          10 :         options1.max_protocol = PROTOCOL_SMB3_02;
    3057             : 
    3058             :         /* different client guid */
    3059          10 :         options2 = options1;
    3060          10 :         options2.client_guid = GUID_random();
    3061          10 :         options2.only_negprot = true;
    3062          10 :         options2.min_protocol = PROTOCOL_SMB3_11;
    3063          10 :         options2.max_protocol = PROTOCOL_SMB3_11;
    3064          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3065             :                 .num_algos = 1,
    3066             :                 .algos = {
    3067             :                         SMB2_SIGNING_AES128_CMAC,
    3068             :                 },
    3069             :         };
    3070             : 
    3071          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3072             :                                                  credentials,
    3073             :                                                  &options1, &options2,
    3074          10 :                                                  NT_STATUS_INVALID_PARAMETER);
    3075          10 :         talloc_free(tree0);
    3076          10 :         return ret;
    3077             : }
    3078             : 
    3079          10 : static bool test_session_bind_negative_smb3encGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
    3080             : {
    3081          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3082          10 :         struct cli_credentials *credentials = NULL;
    3083          10 :         bool ret = false;
    3084          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3085             :         struct smbcli_options options1;
    3086             :         struct smbcli_options options2;
    3087             :         bool ok;
    3088             : 
    3089          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3090           0 :                 torture_skip(tctx,
    3091             :                              "Can't test without SMB 3.1.1 support");
    3092             :         }
    3093             : 
    3094          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3095          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3096          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3097             :                                                 SMB_ENCRYPTION_REQUIRED,
    3098             :                                                 CRED_SPECIFIED);
    3099          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3100             : 
    3101          10 :         options1 = transport0->options;
    3102          10 :         options1.client_guid = GUID_random();
    3103          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3104          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3105          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3106          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3107             :                 .num_algos = 1,
    3108             :                 .algos = {
    3109             :                         SMB2_ENCRYPTION_AES128_GCM,
    3110             :                 },
    3111             :         };
    3112             : 
    3113             :         /* same client guid */
    3114          10 :         options2 = options1;
    3115          10 :         options2.only_negprot = true;
    3116          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3117             :                 .num_algos = 1,
    3118             :                 .algos = {
    3119             :                         SMB2_ENCRYPTION_AES128_CCM,
    3120             :                 },
    3121             :         };
    3122             : 
    3123          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3124             :                                                  credentials,
    3125             :                                                  &options1, &options2,
    3126          10 :                                                  NT_STATUS_INVALID_PARAMETER);
    3127          10 :         talloc_free(tree0);
    3128          10 :         return ret;
    3129             : }
    3130             : 
    3131          10 : static bool test_session_bind_negative_smb3encGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
    3132             : {
    3133          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3134          10 :         struct cli_credentials *credentials = NULL;
    3135          10 :         bool ret = false;
    3136          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3137             :         struct smbcli_options options1;
    3138             :         struct smbcli_options options2;
    3139             :         bool ok;
    3140             : 
    3141          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3142           0 :                 torture_skip(tctx,
    3143             :                              "Can't test without SMB 3.1.1 support");
    3144             :         }
    3145             : 
    3146          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3147          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3148          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3149             :                                                 SMB_ENCRYPTION_REQUIRED,
    3150             :                                                 CRED_SPECIFIED);
    3151          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3152             : 
    3153          10 :         options1 = transport0->options;
    3154          10 :         options1.client_guid = GUID_random();
    3155          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3156          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3157          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3158          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3159             :                 .num_algos = 1,
    3160             :                 .algos = {
    3161             :                         SMB2_ENCRYPTION_AES128_GCM,
    3162             :                 },
    3163             :         };
    3164             : 
    3165             :         /* different client guid */
    3166          10 :         options2 = options1;
    3167          10 :         options2.client_guid = GUID_random();
    3168          10 :         options2.only_negprot = true;
    3169          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3170             :                 .num_algos = 1,
    3171             :                 .algos = {
    3172             :                         SMB2_ENCRYPTION_AES128_CCM,
    3173             :                 },
    3174             :         };
    3175             : 
    3176          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3177             :                                                  credentials,
    3178             :                                                  &options1, &options2,
    3179          10 :                                                  NT_STATUS_INVALID_PARAMETER);
    3180          10 :         talloc_free(tree0);
    3181          10 :         return ret;
    3182             : }
    3183             : 
    3184          10 : static bool test_session_bind_negative_smb3signCtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
    3185             : {
    3186          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3187          10 :         struct cli_credentials *credentials = NULL;
    3188          10 :         bool ret = false;
    3189          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3190             :         struct smbcli_options options1;
    3191             :         struct smbcli_options options2;
    3192             :         bool ok;
    3193             : 
    3194          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3195           0 :                 torture_skip(tctx,
    3196             :                              "Can't test without SMB 3.1.1 support");
    3197             :         }
    3198             : 
    3199          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3200           0 :                 torture_skip(tctx,
    3201             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3202             :         }
    3203             : 
    3204          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3205          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3206          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3207             :                                                 SMB_ENCRYPTION_REQUIRED,
    3208             :                                                 CRED_SPECIFIED);
    3209          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3210             : 
    3211          10 :         options1 = transport0->options;
    3212          10 :         options1.client_guid = GUID_random();
    3213          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3214          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3215          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3216          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3217             :                 .num_algos = 1,
    3218             :                 .algos = {
    3219             :                         SMB2_SIGNING_AES128_CMAC,
    3220             :                 },
    3221             :         };
    3222             : 
    3223             :         /* same client guid */
    3224          10 :         options2 = options1;
    3225          10 :         options2.only_negprot = true;
    3226          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3227             :                 .num_algos = 1,
    3228             :                 .algos = {
    3229             :                         SMB2_SIGNING_HMAC_SHA256,
    3230             :                 },
    3231             :         };
    3232             : 
    3233          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3234             :                                                  credentials,
    3235             :                                                  &options1, &options2,
    3236          10 :                                                  NT_STATUS_OK);
    3237          10 :         talloc_free(tree0);
    3238          10 :         return ret;
    3239             : }
    3240             : 
    3241          10 : static bool test_session_bind_negative_smb3signCtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
    3242             : {
    3243          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3244          10 :         struct cli_credentials *credentials = NULL;
    3245          10 :         bool ret = false;
    3246          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3247             :         struct smbcli_options options1;
    3248             :         struct smbcli_options options2;
    3249             :         bool ok;
    3250             : 
    3251          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3252           0 :                 torture_skip(tctx,
    3253             :                              "Can't test without SMB 3.1.1 support");
    3254             :         }
    3255             : 
    3256          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3257           0 :                 torture_skip(tctx,
    3258             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3259             :         }
    3260             : 
    3261          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3262          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3263          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3264             :                                                 SMB_ENCRYPTION_REQUIRED,
    3265             :                                                 CRED_SPECIFIED);
    3266          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3267             : 
    3268          10 :         options1 = transport0->options;
    3269          10 :         options1.client_guid = GUID_random();
    3270          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3271          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3272          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3273          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3274             :                 .num_algos = 1,
    3275             :                 .algos = {
    3276             :                         SMB2_SIGNING_AES128_CMAC,
    3277             :                 },
    3278             :         };
    3279             : 
    3280             :         /* different client guid */
    3281          10 :         options2 = options1;
    3282          10 :         options2.client_guid = GUID_random();
    3283          10 :         options2.only_negprot = true;
    3284          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3285             :                 .num_algos = 1,
    3286             :                 .algos = {
    3287             :                         SMB2_SIGNING_HMAC_SHA256,
    3288             :                 },
    3289             :         };
    3290             : 
    3291          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3292             :                                                  credentials,
    3293             :                                                  &options1, &options2,
    3294          10 :                                                  NT_STATUS_OK);
    3295          10 :         talloc_free(tree0);
    3296          10 :         return ret;
    3297             : }
    3298             : 
    3299          10 : static bool test_session_bind_negative_smb3signHtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
    3300             : {
    3301          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3302          10 :         struct cli_credentials *credentials = NULL;
    3303          10 :         bool ret = false;
    3304          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3305             :         struct smbcli_options options1;
    3306             :         struct smbcli_options options2;
    3307             :         bool ok;
    3308             : 
    3309          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3310           0 :                 torture_skip(tctx,
    3311             :                              "Can't test without SMB 3.1.1 support");
    3312             :         }
    3313             : 
    3314          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3315           0 :                 torture_skip(tctx,
    3316             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3317             :         }
    3318             : 
    3319          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3320          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3321          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3322             :                                                 SMB_ENCRYPTION_REQUIRED,
    3323             :                                                 CRED_SPECIFIED);
    3324          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3325             : 
    3326          10 :         options1 = transport0->options;
    3327          10 :         options1.client_guid = GUID_random();
    3328          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3329          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3330          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3331          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3332             :                 .num_algos = 1,
    3333             :                 .algos = {
    3334             :                         SMB2_SIGNING_HMAC_SHA256,
    3335             :                 },
    3336             :         };
    3337             : 
    3338             :         /* same client guid */
    3339          10 :         options2 = options1;
    3340          10 :         options2.only_negprot = true;
    3341          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3342             :                 .num_algos = 1,
    3343             :                 .algos = {
    3344             :                         SMB2_SIGNING_AES128_CMAC,
    3345             :                 },
    3346             :         };
    3347             : 
    3348          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3349             :                                                  credentials,
    3350             :                                                  &options1, &options2,
    3351          10 :                                                  NT_STATUS_OK);
    3352          10 :         talloc_free(tree0);
    3353          10 :         return ret;
    3354             : }
    3355             : 
    3356          10 : static bool test_session_bind_negative_smb3signHtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
    3357             : {
    3358          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3359          10 :         struct cli_credentials *credentials = NULL;
    3360          10 :         bool ret = false;
    3361          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3362             :         struct smbcli_options options1;
    3363             :         struct smbcli_options options2;
    3364             :         bool ok;
    3365             : 
    3366          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3367           0 :                 torture_skip(tctx,
    3368             :                              "Can't test without SMB 3.1.1 support");
    3369             :         }
    3370             : 
    3371          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3372           0 :                 torture_skip(tctx,
    3373             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3374             :         }
    3375             : 
    3376          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3377          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3378          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3379             :                                                 SMB_ENCRYPTION_REQUIRED,
    3380             :                                                 CRED_SPECIFIED);
    3381          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3382             : 
    3383          10 :         options1 = transport0->options;
    3384          10 :         options1.client_guid = GUID_random();
    3385          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3386          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3387          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3388          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3389             :                 .num_algos = 1,
    3390             :                 .algos = {
    3391             :                         SMB2_SIGNING_HMAC_SHA256,
    3392             :                 },
    3393             :         };
    3394             : 
    3395             :         /* different client guid */
    3396          10 :         options2 = options1;
    3397          10 :         options2.client_guid = GUID_random();
    3398          10 :         options2.only_negprot = true;
    3399          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3400             :                 .num_algos = 1,
    3401             :                 .algos = {
    3402             :                         SMB2_SIGNING_AES128_CMAC,
    3403             :                 },
    3404             :         };
    3405             : 
    3406          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3407             :                                                  credentials,
    3408             :                                                  &options1, &options2,
    3409          10 :                                                  NT_STATUS_OK);
    3410          10 :         talloc_free(tree0);
    3411          10 :         return ret;
    3412             : }
    3413             : 
    3414          10 : static bool test_session_bind_negative_smb3signHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
    3415             : {
    3416          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3417          10 :         struct cli_credentials *credentials = NULL;
    3418          10 :         bool ret = false;
    3419          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3420             :         struct smbcli_options options1;
    3421             :         struct smbcli_options options2;
    3422             :         bool ok;
    3423             : 
    3424          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3425           0 :                 torture_skip(tctx,
    3426             :                              "Can't test without SMB 3.1.1 support");
    3427             :         }
    3428             : 
    3429          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3430           0 :                 torture_skip(tctx,
    3431             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3432             :         }
    3433             : 
    3434          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3435          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3436          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3437             :                                                 SMB_ENCRYPTION_REQUIRED,
    3438             :                                                 CRED_SPECIFIED);
    3439          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3440             : 
    3441          10 :         options1 = transport0->options;
    3442          10 :         options1.client_guid = GUID_random();
    3443          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3444          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3445          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3446          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3447             :                 .num_algos = 1,
    3448             :                 .algos = {
    3449             :                         SMB2_SIGNING_HMAC_SHA256,
    3450             :                 },
    3451             :         };
    3452             : 
    3453             :         /* same client guid */
    3454          10 :         options2 = options1;
    3455          10 :         options2.only_negprot = true;
    3456          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3457             :                 .num_algos = 1,
    3458             :                 .algos = {
    3459             :                         SMB2_SIGNING_AES128_GMAC,
    3460             :                 },
    3461             :         };
    3462             : 
    3463          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3464             :                                                  credentials,
    3465             :                                                  &options1, &options2,
    3466          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    3467          10 :         talloc_free(tree0);
    3468          10 :         return ret;
    3469             : }
    3470             : 
    3471          10 : static bool test_session_bind_negative_smb3signHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
    3472             : {
    3473          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3474          10 :         struct cli_credentials *credentials = NULL;
    3475          10 :         bool ret = false;
    3476          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3477             :         struct smbcli_options options1;
    3478             :         struct smbcli_options options2;
    3479             :         bool ok;
    3480             : 
    3481          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3482           0 :                 torture_skip(tctx,
    3483             :                              "Can't test without SMB 3.1.1 support");
    3484             :         }
    3485             : 
    3486          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3487           0 :                 torture_skip(tctx,
    3488             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3489             :         }
    3490             : 
    3491          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3492          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3493          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3494             :                                                 SMB_ENCRYPTION_REQUIRED,
    3495             :                                                 CRED_SPECIFIED);
    3496          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3497             : 
    3498          10 :         options1 = transport0->options;
    3499          10 :         options1.client_guid = GUID_random();
    3500          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3501          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3502          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3503          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3504             :                 .num_algos = 1,
    3505             :                 .algos = {
    3506             :                         SMB2_SIGNING_HMAC_SHA256,
    3507             :                 },
    3508             :         };
    3509             : 
    3510             :         /* different client guid */
    3511          10 :         options2 = options1;
    3512          10 :         options2.client_guid = GUID_random();
    3513          10 :         options2.only_negprot = true;
    3514          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3515             :                 .num_algos = 1,
    3516             :                 .algos = {
    3517             :                         SMB2_SIGNING_AES128_GMAC,
    3518             :                 },
    3519             :         };
    3520             : 
    3521          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3522             :                                                  credentials,
    3523             :                                                  &options1, &options2,
    3524          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    3525          10 :         talloc_free(tree0);
    3526          10 :         return ret;
    3527             : }
    3528             : 
    3529          10 : static bool test_session_bind_negative_smb3signCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
    3530             : {
    3531          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3532          10 :         struct cli_credentials *credentials = NULL;
    3533          10 :         bool ret = false;
    3534          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3535             :         struct smbcli_options options1;
    3536             :         struct smbcli_options options2;
    3537             :         bool ok;
    3538             : 
    3539          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3540           0 :                 torture_skip(tctx,
    3541             :                              "Can't test without SMB 3.1.1 support");
    3542             :         }
    3543             : 
    3544          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3545           0 :                 torture_skip(tctx,
    3546             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3547             :         }
    3548             : 
    3549          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3550          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3551          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3552             :                                                 SMB_ENCRYPTION_REQUIRED,
    3553             :                                                 CRED_SPECIFIED);
    3554          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3555             : 
    3556          10 :         options1 = transport0->options;
    3557          10 :         options1.client_guid = GUID_random();
    3558          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3559          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3560          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3561          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3562             :                 .num_algos = 1,
    3563             :                 .algos = {
    3564             :                         SMB2_SIGNING_AES128_CMAC,
    3565             :                 },
    3566             :         };
    3567             : 
    3568             :         /* same client guid */
    3569          10 :         options2 = options1;
    3570          10 :         options2.only_negprot = true;
    3571          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3572             :                 .num_algos = 1,
    3573             :                 .algos = {
    3574             :                         SMB2_SIGNING_AES128_GMAC,
    3575             :                 },
    3576             :         };
    3577             : 
    3578          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3579             :                                                  credentials,
    3580             :                                                  &options1, &options2,
    3581          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    3582          10 :         talloc_free(tree0);
    3583          10 :         return ret;
    3584             : }
    3585             : 
    3586          10 : static bool test_session_bind_negative_smb3signCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
    3587             : {
    3588          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3589          10 :         struct cli_credentials *credentials = NULL;
    3590          10 :         bool ret = false;
    3591          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3592             :         struct smbcli_options options1;
    3593             :         struct smbcli_options options2;
    3594             :         bool ok;
    3595             : 
    3596          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3597           0 :                 torture_skip(tctx,
    3598             :                              "Can't test without SMB 3.1.1 support");
    3599             :         }
    3600             : 
    3601          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3602           0 :                 torture_skip(tctx,
    3603             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3604             :         }
    3605             : 
    3606          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3607          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3608          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3609             :                                                 SMB_ENCRYPTION_REQUIRED,
    3610             :                                                 CRED_SPECIFIED);
    3611          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3612             : 
    3613          10 :         options1 = transport0->options;
    3614          10 :         options1.client_guid = GUID_random();
    3615          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3616          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3617          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3618          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3619             :                 .num_algos = 1,
    3620             :                 .algos = {
    3621             :                         SMB2_SIGNING_AES128_CMAC,
    3622             :                 },
    3623             :         };
    3624             : 
    3625             :         /* different client guid */
    3626          10 :         options2 = options1;
    3627          10 :         options2.client_guid = GUID_random();
    3628          10 :         options2.only_negprot = true;
    3629          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3630             :                 .num_algos = 1,
    3631             :                 .algos = {
    3632             :                         SMB2_SIGNING_AES128_GMAC,
    3633             :                 },
    3634             :         };
    3635             : 
    3636          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3637             :                                                  credentials,
    3638             :                                                  &options1, &options2,
    3639          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    3640          10 :         talloc_free(tree0);
    3641          10 :         return ret;
    3642             : }
    3643             : 
    3644          10 : static bool test_session_bind_negative_smb3signGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
    3645             : {
    3646          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3647          10 :         struct cli_credentials *credentials = NULL;
    3648          10 :         bool ret = false;
    3649          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3650             :         struct smbcli_options options1;
    3651             :         struct smbcli_options options2;
    3652             :         bool ok;
    3653             : 
    3654          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3655           0 :                 torture_skip(tctx,
    3656             :                              "Can't test without SMB 3.1.1 support");
    3657             :         }
    3658             : 
    3659          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3660           0 :                 torture_skip(tctx,
    3661             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3662             :         }
    3663             : 
    3664          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3665          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3666          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3667             :                                                 SMB_ENCRYPTION_REQUIRED,
    3668             :                                                 CRED_SPECIFIED);
    3669          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3670             : 
    3671          10 :         options1 = transport0->options;
    3672          10 :         options1.client_guid = GUID_random();
    3673          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3674          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3675          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3676          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3677             :                 .num_algos = 1,
    3678             :                 .algos = {
    3679             :                         SMB2_SIGNING_AES128_GMAC,
    3680             :                 },
    3681             :         };
    3682             : 
    3683             :         /* same client guid */
    3684          10 :         options2 = options1;
    3685          10 :         options2.only_negprot = true;
    3686          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3687             :                 .num_algos = 1,
    3688             :                 .algos = {
    3689             :                         SMB2_SIGNING_AES128_CMAC,
    3690             :                 },
    3691             :         };
    3692             : 
    3693          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3694             :                                                  credentials,
    3695             :                                                  &options1, &options2,
    3696          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    3697          10 :         talloc_free(tree0);
    3698          10 :         return ret;
    3699             : }
    3700             : 
    3701          10 : static bool test_session_bind_negative_smb3signGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
    3702             : {
    3703          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3704          10 :         struct cli_credentials *credentials = NULL;
    3705          10 :         bool ret = false;
    3706          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3707             :         struct smbcli_options options1;
    3708             :         struct smbcli_options options2;
    3709             :         bool ok;
    3710             : 
    3711          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3712           0 :                 torture_skip(tctx,
    3713             :                              "Can't test without SMB 3.1.1 support");
    3714             :         }
    3715             : 
    3716          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3717           0 :                 torture_skip(tctx,
    3718             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3719             :         }
    3720             : 
    3721          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3722          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3723          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3724             :                                                 SMB_ENCRYPTION_REQUIRED,
    3725             :                                                 CRED_SPECIFIED);
    3726          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3727             : 
    3728          10 :         options1 = transport0->options;
    3729          10 :         options1.client_guid = GUID_random();
    3730          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3731          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3732          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3733          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3734             :                 .num_algos = 1,
    3735             :                 .algos = {
    3736             :                         SMB2_SIGNING_AES128_GMAC,
    3737             :                 },
    3738             :         };
    3739             : 
    3740             :         /* different client guid */
    3741          10 :         options2 = options1;
    3742          10 :         options2.client_guid = GUID_random();
    3743          10 :         options2.only_negprot = true;
    3744          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3745             :                 .num_algos = 1,
    3746             :                 .algos = {
    3747             :                         SMB2_SIGNING_AES128_CMAC,
    3748             :                 },
    3749             :         };
    3750             : 
    3751          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3752             :                                                  credentials,
    3753             :                                                  &options1, &options2,
    3754          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    3755          10 :         talloc_free(tree0);
    3756          10 :         return ret;
    3757             : }
    3758             : 
    3759          10 : static bool test_session_bind_negative_smb3signGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
    3760             : {
    3761          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3762          10 :         struct cli_credentials *credentials = NULL;
    3763          10 :         bool ret = false;
    3764          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3765             :         struct smbcli_options options1;
    3766             :         struct smbcli_options options2;
    3767             :         bool ok;
    3768             : 
    3769          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3770           0 :                 torture_skip(tctx,
    3771             :                              "Can't test without SMB 3.1.1 support");
    3772             :         }
    3773             : 
    3774          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3775           0 :                 torture_skip(tctx,
    3776             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3777             :         }
    3778             : 
    3779          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3780          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3781          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3782             :                                                 SMB_ENCRYPTION_REQUIRED,
    3783             :                                                 CRED_SPECIFIED);
    3784          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3785             : 
    3786          10 :         options1 = transport0->options;
    3787          10 :         options1.client_guid = GUID_random();
    3788          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3789          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3790          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3791          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3792             :                 .num_algos = 1,
    3793             :                 .algos = {
    3794             :                         SMB2_SIGNING_AES128_GMAC,
    3795             :                 },
    3796             :         };
    3797             : 
    3798             :         /* same client guid */
    3799          10 :         options2 = options1;
    3800          10 :         options2.only_negprot = true;
    3801          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3802             :                 .num_algos = 1,
    3803             :                 .algos = {
    3804             :                         SMB2_SIGNING_HMAC_SHA256,
    3805             :                 },
    3806             :         };
    3807             : 
    3808          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3809             :                                                  credentials,
    3810             :                                                  &options1, &options2,
    3811          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    3812          10 :         talloc_free(tree0);
    3813          10 :         return ret;
    3814             : }
    3815             : 
    3816          10 : static bool test_session_bind_negative_smb3signGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
    3817             : {
    3818          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3819          10 :         struct cli_credentials *credentials = NULL;
    3820          10 :         bool ret = false;
    3821          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3822             :         struct smbcli_options options1;
    3823             :         struct smbcli_options options2;
    3824             :         bool ok;
    3825             : 
    3826          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3827           0 :                 torture_skip(tctx,
    3828             :                              "Can't test without SMB 3.1.1 support");
    3829             :         }
    3830             : 
    3831          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3832           0 :                 torture_skip(tctx,
    3833             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3834             :         }
    3835             : 
    3836          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3837          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3838          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3839             :                                                 SMB_ENCRYPTION_REQUIRED,
    3840             :                                                 CRED_SPECIFIED);
    3841          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3842             : 
    3843          10 :         options1 = transport0->options;
    3844          10 :         options1.client_guid = GUID_random();
    3845          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3846          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3847          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3848          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3849             :                 .num_algos = 1,
    3850             :                 .algos = {
    3851             :                         SMB2_SIGNING_AES128_GMAC,
    3852             :                 },
    3853             :         };
    3854             : 
    3855             :         /* different client guid */
    3856          10 :         options2 = options1;
    3857          10 :         options2.client_guid = GUID_random();
    3858          10 :         options2.only_negprot = true;
    3859          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3860             :                 .num_algos = 1,
    3861             :                 .algos = {
    3862             :                         SMB2_SIGNING_HMAC_SHA256,
    3863             :                 },
    3864             :         };
    3865             : 
    3866          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3867             :                                                  credentials,
    3868             :                                                  &options1, &options2,
    3869          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    3870          10 :         talloc_free(tree0);
    3871          10 :         return ret;
    3872             : }
    3873             : 
    3874          10 : static bool test_session_bind_negative_smb3sneGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
    3875             : {
    3876          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3877          10 :         struct cli_credentials *credentials = NULL;
    3878          10 :         bool ret = false;
    3879          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3880             :         struct smbcli_options options1;
    3881             :         struct smbcli_options options2;
    3882             :         bool ok;
    3883             : 
    3884          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3885           0 :                 torture_skip(tctx,
    3886             :                              "Can't test without SMB 3.1.1 support");
    3887             :         }
    3888             : 
    3889          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3890           0 :                 torture_skip(tctx,
    3891             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3892             :         }
    3893             : 
    3894          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3895          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3896          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3897             :                                                 SMB_ENCRYPTION_REQUIRED,
    3898             :                                                 CRED_SPECIFIED);
    3899          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3900             : 
    3901          10 :         options1 = transport0->options;
    3902          10 :         options1.client_guid = GUID_random();
    3903          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3904          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3905          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3906          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3907             :                 .num_algos = 1,
    3908             :                 .algos = {
    3909             :                         SMB2_SIGNING_AES128_GMAC,
    3910             :                 },
    3911             :         };
    3912          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3913             :                 .num_algos = 1,
    3914             :                 .algos = {
    3915             :                         SMB2_ENCRYPTION_AES128_GCM,
    3916             :                 },
    3917             :         };
    3918             : 
    3919             :         /* same client guid */
    3920          10 :         options2 = options1;
    3921          10 :         options2.only_negprot = true;
    3922          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3923             :                 .num_algos = 1,
    3924             :                 .algos = {
    3925             :                         SMB2_SIGNING_AES128_CMAC,
    3926             :                 },
    3927             :         };
    3928          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3929             :                 .num_algos = 1,
    3930             :                 .algos = {
    3931             :                         SMB2_ENCRYPTION_AES128_CCM,
    3932             :                 },
    3933             :         };
    3934             : 
    3935          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    3936             :                                                  credentials,
    3937             :                                                  &options1, &options2,
    3938          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    3939          10 :         talloc_free(tree0);
    3940          10 :         return ret;
    3941             : }
    3942             : 
    3943          10 : static bool test_session_bind_negative_smb3sneGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
    3944             : {
    3945          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    3946          10 :         struct cli_credentials *credentials = NULL;
    3947          10 :         bool ret = false;
    3948          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    3949             :         struct smbcli_options options1;
    3950             :         struct smbcli_options options2;
    3951             :         bool ok;
    3952             : 
    3953          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    3954           0 :                 torture_skip(tctx,
    3955             :                              "Can't test without SMB 3.1.1 support");
    3956             :         }
    3957             : 
    3958          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    3959           0 :                 torture_skip(tctx,
    3960             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    3961             :         }
    3962             : 
    3963          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    3964          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    3965          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    3966             :                                                 SMB_ENCRYPTION_REQUIRED,
    3967             :                                                 CRED_SPECIFIED);
    3968          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    3969             : 
    3970          10 :         options1 = transport0->options;
    3971          10 :         options1.client_guid = GUID_random();
    3972          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    3973          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    3974          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    3975          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3976             :                 .num_algos = 1,
    3977             :                 .algos = {
    3978             :                         SMB2_SIGNING_AES128_GMAC,
    3979             :                 },
    3980             :         };
    3981          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3982             :                 .num_algos = 1,
    3983             :                 .algos = {
    3984             :                         SMB2_ENCRYPTION_AES128_GCM,
    3985             :                 },
    3986             :         };
    3987             : 
    3988             :         /* different client guid */
    3989          10 :         options2 = options1;
    3990          10 :         options2.client_guid = GUID_random();
    3991          10 :         options2.only_negprot = true;
    3992          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    3993             :                 .num_algos = 1,
    3994             :                 .algos = {
    3995             :                         SMB2_SIGNING_AES128_CMAC,
    3996             :                 },
    3997             :         };
    3998          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    3999             :                 .num_algos = 1,
    4000             :                 .algos = {
    4001             :                         SMB2_ENCRYPTION_AES128_CCM,
    4002             :                 },
    4003             :         };
    4004             : 
    4005          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4006             :                                                  credentials,
    4007             :                                                  &options1, &options2,
    4008          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4009          10 :         talloc_free(tree0);
    4010          10 :         return ret;
    4011             : }
    4012             : 
    4013          10 : static bool test_session_bind_negative_smb3sneGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
    4014             : {
    4015          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4016          10 :         struct cli_credentials *credentials = NULL;
    4017          10 :         bool ret = false;
    4018          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4019             :         struct smbcli_options options1;
    4020             :         struct smbcli_options options2;
    4021             :         bool ok;
    4022             : 
    4023          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4024           0 :                 torture_skip(tctx,
    4025             :                              "Can't test without SMB 3.1.1 support");
    4026             :         }
    4027             : 
    4028          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4029           0 :                 torture_skip(tctx,
    4030             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4031             :         }
    4032             : 
    4033          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4034          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4035          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4036             :                                                 SMB_ENCRYPTION_REQUIRED,
    4037             :                                                 CRED_SPECIFIED);
    4038          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4039             : 
    4040          10 :         options1 = transport0->options;
    4041          10 :         options1.client_guid = GUID_random();
    4042          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4043          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4044          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4045          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4046             :                 .num_algos = 1,
    4047             :                 .algos = {
    4048             :                         SMB2_SIGNING_AES128_GMAC,
    4049             :                 },
    4050             :         };
    4051          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4052             :                 .num_algos = 1,
    4053             :                 .algos = {
    4054             :                         SMB2_ENCRYPTION_AES128_GCM,
    4055             :                 },
    4056             :         };
    4057             : 
    4058             :         /* same client guid */
    4059          10 :         options2 = options1;
    4060          10 :         options2.only_negprot = true;
    4061          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4062             :                 .num_algos = 1,
    4063             :                 .algos = {
    4064             :                         SMB2_SIGNING_HMAC_SHA256,
    4065             :                 },
    4066             :         };
    4067          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4068             :                 .num_algos = 1,
    4069             :                 .algos = {
    4070             :                         SMB2_ENCRYPTION_AES128_CCM,
    4071             :                 },
    4072             :         };
    4073             : 
    4074          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4075             :                                                  credentials,
    4076             :                                                  &options1, &options2,
    4077          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4078          10 :         talloc_free(tree0);
    4079          10 :         return ret;
    4080             : }
    4081             : 
    4082          10 : static bool test_session_bind_negative_smb3sneGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
    4083             : {
    4084          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4085          10 :         struct cli_credentials *credentials = NULL;
    4086          10 :         bool ret = false;
    4087          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4088             :         struct smbcli_options options1;
    4089             :         struct smbcli_options options2;
    4090             :         bool ok;
    4091             : 
    4092          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4093           0 :                 torture_skip(tctx,
    4094             :                              "Can't test without SMB 3.1.1 support");
    4095             :         }
    4096             : 
    4097          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4098           0 :                 torture_skip(tctx,
    4099             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4100             :         }
    4101             : 
    4102          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4103          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4104          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4105             :                                                 SMB_ENCRYPTION_REQUIRED,
    4106             :                                                 CRED_SPECIFIED);
    4107          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4108             : 
    4109          10 :         options1 = transport0->options;
    4110          10 :         options1.client_guid = GUID_random();
    4111          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4112          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4113          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4114          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4115             :                 .num_algos = 1,
    4116             :                 .algos = {
    4117             :                         SMB2_SIGNING_AES128_GMAC,
    4118             :                 },
    4119             :         };
    4120          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4121             :                 .num_algos = 1,
    4122             :                 .algos = {
    4123             :                         SMB2_ENCRYPTION_AES128_GCM,
    4124             :                 },
    4125             :         };
    4126             : 
    4127             :         /* different client guid */
    4128          10 :         options2 = options1;
    4129          10 :         options2.client_guid = GUID_random();
    4130          10 :         options2.only_negprot = true;
    4131          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4132             :                 .num_algos = 1,
    4133             :                 .algos = {
    4134             :                         SMB2_SIGNING_HMAC_SHA256,
    4135             :                 },
    4136             :         };
    4137          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4138             :                 .num_algos = 1,
    4139             :                 .algos = {
    4140             :                         SMB2_ENCRYPTION_AES128_CCM,
    4141             :                 },
    4142             :         };
    4143             : 
    4144          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4145             :                                                  credentials,
    4146             :                                                  &options1, &options2,
    4147          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4148          10 :         talloc_free(tree0);
    4149          10 :         return ret;
    4150             : }
    4151             : 
    4152          10 : static bool test_session_bind_negative_smb3sneCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
    4153             : {
    4154          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4155          10 :         struct cli_credentials *credentials = NULL;
    4156          10 :         bool ret = false;
    4157          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4158             :         struct smbcli_options options1;
    4159             :         struct smbcli_options options2;
    4160             :         bool ok;
    4161             : 
    4162          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4163           0 :                 torture_skip(tctx,
    4164             :                              "Can't test without SMB 3.1.1 support");
    4165             :         }
    4166             : 
    4167          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4168           0 :                 torture_skip(tctx,
    4169             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4170             :         }
    4171             : 
    4172          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4173          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4174          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4175             :                                                 SMB_ENCRYPTION_REQUIRED,
    4176             :                                                 CRED_SPECIFIED);
    4177          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4178             : 
    4179          10 :         options1 = transport0->options;
    4180          10 :         options1.client_guid = GUID_random();
    4181          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4182          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4183          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4184          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4185             :                 .num_algos = 1,
    4186             :                 .algos = {
    4187             :                         SMB2_SIGNING_AES128_CMAC,
    4188             :                 },
    4189             :         };
    4190          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4191             :                 .num_algos = 1,
    4192             :                 .algos = {
    4193             :                         SMB2_ENCRYPTION_AES128_CCM,
    4194             :                 },
    4195             :         };
    4196             : 
    4197             :         /* same client guid */
    4198          10 :         options2 = options1;
    4199          10 :         options2.only_negprot = true;
    4200          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4201             :                 .num_algos = 1,
    4202             :                 .algos = {
    4203             :                         SMB2_SIGNING_AES128_GMAC,
    4204             :                 },
    4205             :         };
    4206          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4207             :                 .num_algos = 1,
    4208             :                 .algos = {
    4209             :                         SMB2_ENCRYPTION_AES128_GCM,
    4210             :                 },
    4211             :         };
    4212             : 
    4213          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4214             :                                                  credentials,
    4215             :                                                  &options1, &options2,
    4216          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4217          10 :         talloc_free(tree0);
    4218          10 :         return ret;
    4219             : }
    4220             : 
    4221          10 : static bool test_session_bind_negative_smb3sneCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
    4222             : {
    4223          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4224          10 :         struct cli_credentials *credentials = NULL;
    4225          10 :         bool ret = false;
    4226          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4227             :         struct smbcli_options options1;
    4228             :         struct smbcli_options options2;
    4229             :         bool ok;
    4230             : 
    4231          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4232           0 :                 torture_skip(tctx,
    4233             :                              "Can't test without SMB 3.1.1 support");
    4234             :         }
    4235             : 
    4236          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4237           0 :                 torture_skip(tctx,
    4238             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4239             :         }
    4240             : 
    4241          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4242          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4243          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4244             :                                                 SMB_ENCRYPTION_REQUIRED,
    4245             :                                                 CRED_SPECIFIED);
    4246          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4247             : 
    4248          10 :         options1 = transport0->options;
    4249          10 :         options1.client_guid = GUID_random();
    4250          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4251          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4252          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4253          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4254             :                 .num_algos = 1,
    4255             :                 .algos = {
    4256             :                         SMB2_SIGNING_AES128_CMAC,
    4257             :                 },
    4258             :         };
    4259          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4260             :                 .num_algos = 1,
    4261             :                 .algos = {
    4262             :                         SMB2_ENCRYPTION_AES128_CCM,
    4263             :                 },
    4264             :         };
    4265             : 
    4266             :         /* different client guid */
    4267          10 :         options2 = options1;
    4268          10 :         options2.client_guid = GUID_random();
    4269          10 :         options2.only_negprot = true;
    4270          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4271             :                 .num_algos = 1,
    4272             :                 .algos = {
    4273             :                         SMB2_SIGNING_AES128_GMAC,
    4274             :                 },
    4275             :         };
    4276          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4277             :                 .num_algos = 1,
    4278             :                 .algos = {
    4279             :                         SMB2_ENCRYPTION_AES128_GCM,
    4280             :                 },
    4281             :         };
    4282             : 
    4283          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4284             :                                                  credentials,
    4285             :                                                  &options1, &options2,
    4286          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4287          10 :         talloc_free(tree0);
    4288          10 :         return ret;
    4289             : }
    4290             : 
    4291          10 : static bool test_session_bind_negative_smb3sneHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
    4292             : {
    4293          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4294          10 :         struct cli_credentials *credentials = NULL;
    4295          10 :         bool ret = false;
    4296          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4297             :         struct smbcli_options options1;
    4298             :         struct smbcli_options options2;
    4299             :         bool ok;
    4300             : 
    4301          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4302           0 :                 torture_skip(tctx,
    4303             :                              "Can't test without SMB 3.1.1 support");
    4304             :         }
    4305             : 
    4306          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4307           0 :                 torture_skip(tctx,
    4308             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4309             :         }
    4310             : 
    4311          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4312          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4313          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4314             :                                                 SMB_ENCRYPTION_REQUIRED,
    4315             :                                                 CRED_SPECIFIED);
    4316          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4317             : 
    4318          10 :         options1 = transport0->options;
    4319          10 :         options1.client_guid = GUID_random();
    4320          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4321          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4322          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4323          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4324             :                 .num_algos = 1,
    4325             :                 .algos = {
    4326             :                         SMB2_SIGNING_HMAC_SHA256,
    4327             :                 },
    4328             :         };
    4329          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4330             :                 .num_algos = 1,
    4331             :                 .algos = {
    4332             :                         SMB2_ENCRYPTION_AES128_CCM,
    4333             :                 },
    4334             :         };
    4335             : 
    4336             :         /* same client guid */
    4337          10 :         options2 = options1;
    4338          10 :         options2.only_negprot = true;
    4339          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4340             :                 .num_algos = 1,
    4341             :                 .algos = {
    4342             :                         SMB2_SIGNING_AES128_GMAC,
    4343             :                 },
    4344             :         };
    4345          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4346             :                 .num_algos = 1,
    4347             :                 .algos = {
    4348             :                         SMB2_ENCRYPTION_AES128_GCM,
    4349             :                 },
    4350             :         };
    4351             : 
    4352          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4353             :                                                  credentials,
    4354             :                                                  &options1, &options2,
    4355          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4356          10 :         talloc_free(tree0);
    4357          10 :         return ret;
    4358             : }
    4359             : 
    4360          10 : static bool test_session_bind_negative_smb3sneHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
    4361             : {
    4362          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4363          10 :         struct cli_credentials *credentials = NULL;
    4364          10 :         bool ret = false;
    4365          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4366             :         struct smbcli_options options1;
    4367             :         struct smbcli_options options2;
    4368             :         bool ok;
    4369             : 
    4370          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4371           0 :                 torture_skip(tctx,
    4372             :                              "Can't test without SMB 3.1.1 support");
    4373             :         }
    4374             : 
    4375          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4376           0 :                 torture_skip(tctx,
    4377             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4378             :         }
    4379             : 
    4380          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4381          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4382          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4383             :                                                 SMB_ENCRYPTION_REQUIRED,
    4384             :                                                 CRED_SPECIFIED);
    4385          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4386             : 
    4387          10 :         options1 = transport0->options;
    4388          10 :         options1.client_guid = GUID_random();
    4389          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4390          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4391          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4392          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4393             :                 .num_algos = 1,
    4394             :                 .algos = {
    4395             :                         SMB2_SIGNING_HMAC_SHA256,
    4396             :                 },
    4397             :         };
    4398          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4399             :                 .num_algos = 1,
    4400             :                 .algos = {
    4401             :                         SMB2_ENCRYPTION_AES128_CCM,
    4402             :                 },
    4403             :         };
    4404             : 
    4405             :         /* different client guid */
    4406          10 :         options2 = options1;
    4407          10 :         options2.client_guid = GUID_random();
    4408          10 :         options2.only_negprot = true;
    4409          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4410             :                 .num_algos = 1,
    4411             :                 .algos = {
    4412             :                         SMB2_SIGNING_AES128_GMAC,
    4413             :                 },
    4414             :         };
    4415          10 :         options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    4416             :                 .num_algos = 1,
    4417             :                 .algos = {
    4418             :                         SMB2_ENCRYPTION_AES128_GCM,
    4419             :                 },
    4420             :         };
    4421             : 
    4422          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4423             :                                                  credentials,
    4424             :                                                  &options1, &options2,
    4425          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4426          10 :         talloc_free(tree0);
    4427          10 :         return ret;
    4428             : }
    4429             : 
    4430          10 : static bool test_session_bind_negative_smb3signC30toGs(struct torture_context *tctx, struct smb2_tree *tree0)
    4431             : {
    4432          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4433          10 :         struct cli_credentials *credentials = NULL;
    4434          10 :         bool ret = false;
    4435          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4436             :         struct smbcli_options options1;
    4437             :         struct smbcli_options options2;
    4438             :         bool ok;
    4439             : 
    4440          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4441           0 :                 torture_skip(tctx,
    4442             :                              "Can't test without SMB 3.1.1 support");
    4443             :         }
    4444             : 
    4445          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4446           0 :                 torture_skip(tctx,
    4447             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4448             :         }
    4449             : 
    4450          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4451          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4452          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4453             :                                                 SMB_ENCRYPTION_REQUIRED,
    4454             :                                                 CRED_SPECIFIED);
    4455          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4456             : 
    4457          10 :         options1 = transport0->options;
    4458          10 :         options1.client_guid = GUID_random();
    4459          10 :         options1.min_protocol = PROTOCOL_SMB3_00;
    4460          10 :         options1.max_protocol = PROTOCOL_SMB3_02;
    4461          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4462             : 
    4463             :         /* same client guid */
    4464          10 :         options2 = options1;
    4465          10 :         options2.only_negprot = true;
    4466          10 :         options2.min_protocol = PROTOCOL_SMB3_11;
    4467          10 :         options2.max_protocol = PROTOCOL_SMB3_11;
    4468          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4469             :                 .num_algos = 1,
    4470             :                 .algos = {
    4471             :                         SMB2_SIGNING_AES128_GMAC,
    4472             :                 },
    4473             :         };
    4474             : 
    4475          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4476             :                                                  credentials,
    4477             :                                                  &options1, &options2,
    4478          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4479          10 :         talloc_free(tree0);
    4480          10 :         return ret;
    4481             : }
    4482             : 
    4483          10 : static bool test_session_bind_negative_smb3signC30toGd(struct torture_context *tctx, struct smb2_tree *tree0)
    4484             : {
    4485          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4486          10 :         struct cli_credentials *credentials = NULL;
    4487          10 :         bool ret = false;
    4488          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4489             :         struct smbcli_options options1;
    4490             :         struct smbcli_options options2;
    4491             :         bool ok;
    4492             : 
    4493          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4494           0 :                 torture_skip(tctx,
    4495             :                              "Can't test without SMB 3.1.1 support");
    4496             :         }
    4497             : 
    4498          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4499           0 :                 torture_skip(tctx,
    4500             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4501             :         }
    4502             : 
    4503          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4504          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4505          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4506             :                                                 SMB_ENCRYPTION_REQUIRED,
    4507             :                                                 CRED_SPECIFIED);
    4508          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4509             : 
    4510          10 :         options1 = transport0->options;
    4511          10 :         options1.client_guid = GUID_random();
    4512          10 :         options1.min_protocol = PROTOCOL_SMB3_00;
    4513          10 :         options1.max_protocol = PROTOCOL_SMB3_02;
    4514          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4515             : 
    4516             :         /* different client guid */
    4517          10 :         options2 = options1;
    4518          10 :         options2.client_guid = GUID_random();
    4519          10 :         options2.only_negprot = true;
    4520          10 :         options2.min_protocol = PROTOCOL_SMB3_11;
    4521          10 :         options2.max_protocol = PROTOCOL_SMB3_11;
    4522          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4523             :                 .num_algos = 1,
    4524             :                 .algos = {
    4525             :                         SMB2_SIGNING_AES128_GMAC,
    4526             :                 },
    4527             :         };
    4528             : 
    4529          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4530             :                                                  credentials,
    4531             :                                                  &options1, &options2,
    4532          10 :                                                  NT_STATUS_NOT_SUPPORTED);
    4533          10 :         talloc_free(tree0);
    4534          10 :         return ret;
    4535             : }
    4536             : 
    4537          10 : static bool test_session_bind_negative_smb3signH2XtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
    4538             : {
    4539          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4540          10 :         struct cli_credentials *credentials = NULL;
    4541          10 :         bool ret = false;
    4542          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4543             :         struct smbcli_options options1;
    4544             :         struct smbcli_options options2;
    4545             :         bool ok;
    4546             :         bool encrypted;
    4547             : 
    4548          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    4549          10 :         if (encrypted) {
    4550           2 :                 torture_skip(tctx,
    4551             :                              "Can't test SMB 2.10 if encrytion is required");
    4552             :         }
    4553             : 
    4554           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4555           0 :                 torture_skip(tctx,
    4556             :                              "Can't test without SMB 3.1.1 support");
    4557             :         }
    4558             : 
    4559           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4560           0 :                 torture_skip(tctx,
    4561             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4562             :         }
    4563             : 
    4564           8 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4565           8 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4566           8 :         ok = cli_credentials_set_smb_encryption(credentials,
    4567             :                                                 SMB_ENCRYPTION_OFF,
    4568             :                                                 CRED_SPECIFIED);
    4569           8 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4570             : 
    4571           8 :         options1 = transport0->options;
    4572           8 :         options1.client_guid = GUID_random();
    4573           8 :         options1.min_protocol = PROTOCOL_SMB2_02;
    4574           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    4575           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    4576             : 
    4577             :         /* same client guid */
    4578           8 :         options2 = options1;
    4579           8 :         options2.only_negprot = true;
    4580           8 :         options2.min_protocol = PROTOCOL_SMB3_11;
    4581           8 :         options2.max_protocol = PROTOCOL_SMB3_11;
    4582           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4583             :                 .num_algos = 1,
    4584             :                 .algos = {
    4585             :                         SMB2_SIGNING_AES128_GMAC,
    4586             :                 },
    4587             :         };
    4588             : 
    4589           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4590             :                                                  credentials,
    4591             :                                                  &options1, &options2,
    4592           8 :                                                  NT_STATUS_NOT_SUPPORTED);
    4593           8 :         talloc_free(tree0);
    4594           8 :         return ret;
    4595             : }
    4596             : 
    4597          10 : static bool test_session_bind_negative_smb3signH2XtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
    4598             : {
    4599          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4600          10 :         struct cli_credentials *credentials = NULL;
    4601          10 :         bool ret = false;
    4602          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4603             :         struct smbcli_options options1;
    4604             :         struct smbcli_options options2;
    4605             :         bool ok;
    4606             :         bool encrypted;
    4607             : 
    4608          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    4609          10 :         if (encrypted) {
    4610           2 :                 torture_skip(tctx,
    4611             :                              "Can't test SMB 2.10 if encrytion is required");
    4612             :         }
    4613             : 
    4614           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4615           0 :                 torture_skip(tctx,
    4616             :                              "Can't test without SMB 3.1.1 support");
    4617             :         }
    4618             : 
    4619           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4620           0 :                 torture_skip(tctx,
    4621             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4622             :         }
    4623             : 
    4624           8 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4625           8 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4626           8 :         ok = cli_credentials_set_smb_encryption(credentials,
    4627             :                                                 SMB_ENCRYPTION_OFF,
    4628             :                                                 CRED_SPECIFIED);
    4629           8 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4630             : 
    4631           8 :         options1 = transport0->options;
    4632           8 :         options1.client_guid = GUID_random();
    4633           8 :         options1.min_protocol = PROTOCOL_SMB2_02;
    4634           8 :         options1.max_protocol = PROTOCOL_SMB2_10;
    4635           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    4636             : 
    4637             :         /* different client guid */
    4638           8 :         options2 = options1;
    4639           8 :         options2.client_guid = GUID_random();
    4640           8 :         options2.only_negprot = true;
    4641           8 :         options2.min_protocol = PROTOCOL_SMB3_11;
    4642           8 :         options2.max_protocol = PROTOCOL_SMB3_11;
    4643           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4644             :                 .num_algos = 1,
    4645             :                 .algos = {
    4646             :                         SMB2_SIGNING_AES128_GMAC,
    4647             :                 },
    4648             :         };
    4649             : 
    4650           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4651             :                                                  credentials,
    4652             :                                                  &options1, &options2,
    4653           8 :                                                  NT_STATUS_NOT_SUPPORTED);
    4654           8 :         talloc_free(tree0);
    4655           8 :         return ret;
    4656             : }
    4657             : 
    4658          10 : static bool test_session_bind_negative_smb3signGtoC30s(struct torture_context *tctx, struct smb2_tree *tree0)
    4659             : {
    4660          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4661          10 :         struct cli_credentials *credentials = NULL;
    4662          10 :         bool ret = false;
    4663          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4664             :         struct smbcli_options options1;
    4665             :         struct smbcli_options options2;
    4666             :         bool ok;
    4667             : 
    4668          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4669           0 :                 torture_skip(tctx,
    4670             :                              "Can't test without SMB 3.1.1 support");
    4671             :         }
    4672             : 
    4673          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4674           0 :                 torture_skip(tctx,
    4675             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4676             :         }
    4677             : 
    4678          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4679          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4680          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4681             :                                                 SMB_ENCRYPTION_REQUIRED,
    4682             :                                                 CRED_SPECIFIED);
    4683          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4684             : 
    4685          10 :         options1 = transport0->options;
    4686          10 :         options1.client_guid = GUID_random();
    4687          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4688          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4689          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4690          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4691             :                 .num_algos = 1,
    4692             :                 .algos = {
    4693             :                         SMB2_SIGNING_AES128_GMAC,
    4694             :                 },
    4695             :         };
    4696             : 
    4697             :         /* same client guid */
    4698          10 :         options2 = options1;
    4699          10 :         options2.only_negprot = true;
    4700          10 :         options2.min_protocol = PROTOCOL_SMB3_00;
    4701          10 :         options2.max_protocol = PROTOCOL_SMB3_02;
    4702          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4703             :                 .num_algos = 1,
    4704             :                 .algos = {
    4705             :                         SMB2_SIGNING_AES128_CMAC,
    4706             :                 },
    4707             :         };
    4708             : 
    4709          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4710             :                                                  credentials,
    4711             :                                                  &options1, &options2,
    4712          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4713          10 :         talloc_free(tree0);
    4714          10 :         return ret;
    4715             : }
    4716             : 
    4717          10 : static bool test_session_bind_negative_smb3signGtoC30d(struct torture_context *tctx, struct smb2_tree *tree0)
    4718             : {
    4719          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4720          10 :         struct cli_credentials *credentials = NULL;
    4721          10 :         bool ret = false;
    4722          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4723             :         struct smbcli_options options1;
    4724             :         struct smbcli_options options2;
    4725             :         bool ok;
    4726             : 
    4727          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4728           0 :                 torture_skip(tctx,
    4729             :                              "Can't test without SMB 3.1.1 support");
    4730             :         }
    4731             : 
    4732          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4733           0 :                 torture_skip(tctx,
    4734             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4735             :         }
    4736             : 
    4737          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4738          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4739          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    4740             :                                                 SMB_ENCRYPTION_REQUIRED,
    4741             :                                                 CRED_SPECIFIED);
    4742          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4743             : 
    4744          10 :         options1 = transport0->options;
    4745          10 :         options1.client_guid = GUID_random();
    4746          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4747          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4748          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    4749          10 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4750             :                 .num_algos = 1,
    4751             :                 .algos = {
    4752             :                         SMB2_SIGNING_AES128_GMAC,
    4753             :                 },
    4754             :         };
    4755             : 
    4756             :         /* different client guid */
    4757          10 :         options2 = options1;
    4758          10 :         options2.client_guid = GUID_random();
    4759          10 :         options2.only_negprot = true;
    4760          10 :         options2.min_protocol = PROTOCOL_SMB3_00;
    4761          10 :         options2.max_protocol = PROTOCOL_SMB3_02;
    4762          10 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4763             :                 .num_algos = 1,
    4764             :                 .algos = {
    4765             :                         SMB2_SIGNING_AES128_CMAC,
    4766             :                 },
    4767             :         };
    4768             : 
    4769          10 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4770             :                                                  credentials,
    4771             :                                                  &options1, &options2,
    4772          10 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4773          10 :         talloc_free(tree0);
    4774          10 :         return ret;
    4775             : }
    4776             : 
    4777          10 : static bool test_session_bind_negative_smb3signGtoH2Xs(struct torture_context *tctx, struct smb2_tree *tree0)
    4778             : {
    4779          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4780          10 :         struct cli_credentials *credentials = NULL;
    4781          10 :         bool ret = false;
    4782          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4783             :         struct smbcli_options options1;
    4784             :         struct smbcli_options options2;
    4785             :         bool ok;
    4786             :         bool encrypted;
    4787             : 
    4788          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    4789          10 :         if (encrypted) {
    4790           2 :                 torture_skip(tctx,
    4791             :                              "Can't test SMB 2.10 if encrytion is required");
    4792             :         }
    4793             : 
    4794           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4795           0 :                 torture_skip(tctx,
    4796             :                              "Can't test without SMB 3.1.1 support");
    4797             :         }
    4798             : 
    4799           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4800           0 :                 torture_skip(tctx,
    4801             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4802             :         }
    4803             : 
    4804           8 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4805           8 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4806           8 :         ok = cli_credentials_set_smb_encryption(credentials,
    4807             :                                                 SMB_ENCRYPTION_REQUIRED,
    4808             :                                                 CRED_SPECIFIED);
    4809           8 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4810             : 
    4811           8 :         options1 = transport0->options;
    4812           8 :         options1.client_guid = GUID_random();
    4813           8 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4814           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4815           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    4816           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4817             :                 .num_algos = 1,
    4818             :                 .algos = {
    4819             :                         SMB2_SIGNING_AES128_GMAC,
    4820             :                 },
    4821             :         };
    4822             : 
    4823             :         /* same client guid */
    4824           8 :         options2 = options1;
    4825           8 :         options2.only_negprot = true;
    4826           8 :         options2.min_protocol = PROTOCOL_SMB2_02;
    4827           8 :         options2.max_protocol = PROTOCOL_SMB2_10;
    4828           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4829             :                 .num_algos = 1,
    4830             :                 .algos = {
    4831             :                         SMB2_SIGNING_HMAC_SHA256,
    4832             :                 },
    4833             :         };
    4834             : 
    4835           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4836             :                                                  credentials,
    4837             :                                                  &options1, &options2,
    4838           8 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4839           8 :         talloc_free(tree0);
    4840           8 :         return ret;
    4841             : }
    4842             : 
    4843          10 : static bool test_session_bind_negative_smb3signGtoH2Xd(struct torture_context *tctx, struct smb2_tree *tree0)
    4844             : {
    4845          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    4846          10 :         struct cli_credentials *credentials = NULL;
    4847          10 :         bool ret = false;
    4848          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    4849             :         struct smbcli_options options1;
    4850             :         struct smbcli_options options2;
    4851             :         bool ok;
    4852             :         bool encrypted;
    4853             : 
    4854          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    4855          10 :         if (encrypted) {
    4856           2 :                 torture_skip(tctx,
    4857             :                              "Can't test SMB 2.10 if encrytion is required");
    4858             :         }
    4859             : 
    4860           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    4861           0 :                 torture_skip(tctx,
    4862             :                              "Can't test without SMB 3.1.1 support");
    4863             :         }
    4864             : 
    4865           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    4866           0 :                 torture_skip(tctx,
    4867             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    4868             :         }
    4869             : 
    4870           8 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    4871           8 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    4872           8 :         ok = cli_credentials_set_smb_encryption(credentials,
    4873             :                                                 SMB_ENCRYPTION_REQUIRED,
    4874             :                                                 CRED_SPECIFIED);
    4875           8 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    4876             : 
    4877           8 :         options1 = transport0->options;
    4878           8 :         options1.client_guid = GUID_random();
    4879           8 :         options1.min_protocol = PROTOCOL_SMB3_11;
    4880           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    4881           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    4882           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4883             :                 .num_algos = 1,
    4884             :                 .algos = {
    4885             :                         SMB2_SIGNING_AES128_GMAC,
    4886             :                 },
    4887             :         };
    4888             : 
    4889             :         /* different client guid */
    4890           8 :         options2 = options1;
    4891           8 :         options2.client_guid = GUID_random();
    4892           8 :         options2.only_negprot = true;
    4893           8 :         options2.min_protocol = PROTOCOL_SMB2_02;
    4894           8 :         options2.max_protocol = PROTOCOL_SMB2_10;
    4895           8 :         options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    4896             :                 .num_algos = 1,
    4897             :                 .algos = {
    4898             :                         SMB2_SIGNING_HMAC_SHA256,
    4899             :                 },
    4900             :         };
    4901             : 
    4902           8 :         ret = test_session_bind_negative_smbXtoX(tctx, __func__,
    4903             :                                                  credentials,
    4904             :                                                  &options1, &options2,
    4905           8 :                                                  NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
    4906           8 :         talloc_free(tree0);
    4907           8 :         return ret;
    4908             : }
    4909             : 
    4910          10 : static bool test_session_two_logoff(struct torture_context *tctx,
    4911             :                                     struct smb2_tree *tree1)
    4912             : {
    4913             :         NTSTATUS status;
    4914          10 :         bool ret = true;
    4915             :         struct smbcli_options transport2_options;
    4916          10 :         struct smb2_tree *tree2 = NULL;
    4917          10 :         struct smb2_session *session2 = NULL;
    4918          10 :         struct smb2_session *session1 = tree1->session;
    4919          10 :         struct smb2_transport *transport1 = tree1->session->transport;
    4920             :         struct smb2_transport *transport2;
    4921             :         bool ok;
    4922             : 
    4923             :         /* Connect 2nd connection */
    4924          10 :         torture_comment(tctx, "connect tree2 with the same client_guid\n");
    4925          10 :         transport2_options = transport1->options;
    4926          10 :         ok = torture_smb2_connection_ext(tctx, 0, &transport2_options, &tree2);
    4927          10 :         torture_assert(tctx, ok, "couldn't connect tree2\n");
    4928          10 :         transport2 = tree2->session->transport;
    4929          10 :         session2 = tree2->session;
    4930             : 
    4931          10 :         torture_comment(tctx, "session2: logoff\n");
    4932          10 :         status = smb2_logoff(session2);
    4933          10 :         torture_assert_ntstatus_ok(tctx, status, "session2: logoff");
    4934          10 :         torture_comment(tctx, "transport2: keepalive\n");
    4935          10 :         status = smb2_keepalive(transport2);
    4936          10 :         torture_assert_ntstatus_ok(tctx, status, "transport2: keepalive");
    4937          10 :         torture_comment(tctx, "transport2: disconnect\n");
    4938          10 :         TALLOC_FREE(tree2);
    4939             : 
    4940          10 :         torture_comment(tctx, "session1: logoff\n");
    4941          10 :         status = smb2_logoff(session1);
    4942          10 :         torture_assert_ntstatus_ok(tctx, status, "session1: logoff");
    4943          10 :         torture_comment(tctx, "transport1: keepalive\n");
    4944          10 :         status = smb2_keepalive(transport1);
    4945          10 :         torture_assert_ntstatus_ok(tctx, status, "transport1: keepalive");
    4946          10 :         torture_comment(tctx, "transport1: disconnect\n");
    4947          10 :         TALLOC_FREE(tree1);
    4948             : 
    4949          10 :         return ret;
    4950             : }
    4951             : 
    4952          64 : static bool test_session_sign_enc(struct torture_context *tctx,
    4953             :                                   const char *testname,
    4954             :                                   struct cli_credentials *credentials1,
    4955             :                                   const struct smbcli_options *options1)
    4956             : {
    4957          64 :         const char *host = torture_setting_string(tctx, "host", NULL);
    4958          64 :         const char *share = torture_setting_string(tctx, "share", NULL);
    4959             :         NTSTATUS status;
    4960          64 :         bool ret = false;
    4961          64 :         struct smb2_tree *tree1 = NULL;
    4962             :         char fname[256];
    4963          64 :         struct smb2_handle rh = {{0}};
    4964             :         struct smb2_handle _h1;
    4965          64 :         struct smb2_handle *h1 = NULL;
    4966             :         struct smb2_create io1;
    4967             :         union smb_fileinfo qfinfo1;
    4968             :         union smb_notify notify;
    4969          64 :         struct smb2_request *req = NULL;
    4970             : 
    4971          64 :         status = smb2_connect(tctx,
    4972             :                               host,
    4973             :                               lpcfg_smb_ports(tctx->lp_ctx),
    4974             :                               share,
    4975             :                               lpcfg_resolve_context(tctx->lp_ctx),
    4976             :                               credentials1,
    4977             :                               &tree1,
    4978             :                               tctx->ev,
    4979             :                               options1,
    4980             :                               lpcfg_socket_options(tctx->lp_ctx),
    4981             :                               lpcfg_gensec_settings(tctx, tctx->lp_ctx)
    4982             :                               );
    4983          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    4984             :                                         "smb2_connect options1 failed");
    4985             : 
    4986          64 :         status = smb2_util_roothandle(tree1, &rh);
    4987          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    4988             :                                         "smb2_util_roothandle failed");
    4989             : 
    4990             :         /* Add some random component to the file name. */
    4991          64 :         snprintf(fname, sizeof(fname), "%s_%s.dat",
    4992             :                  testname, generate_random_str(tctx, 8));
    4993             : 
    4994          64 :         smb2_util_unlink(tree1, fname);
    4995             : 
    4996          64 :         smb2_oplock_create_share(&io1, fname,
    4997             :                                  smb2_util_share_access(""),
    4998          64 :                                  smb2_util_oplock_level("b"));
    4999             : 
    5000          64 :         io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
    5001          64 :         status = smb2_create(tree1, tctx, &io1);
    5002          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    5003             :                                         "smb2_create failed");
    5004          64 :         _h1 = io1.out.file.handle;
    5005          64 :         h1 = &_h1;
    5006          64 :         CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
    5007          64 :         torture_assert_int_equal(tctx, io1.out.oplock_level,
    5008             :                                         smb2_util_oplock_level("b"),
    5009             :                                         "oplock_level incorrect");
    5010             : 
    5011             :         /* Check the initial session is still alive */
    5012          64 :         ZERO_STRUCT(qfinfo1);
    5013          64 :         qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    5014          64 :         qfinfo1.generic.in.file.handle = _h1;
    5015          64 :         status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    5016          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    5017             :                                         "smb2_getinfo_file failed");
    5018             : 
    5019             :         /* ask for a change notify,
    5020             :            on file or directory name changes */
    5021          64 :         ZERO_STRUCT(notify);
    5022          64 :         notify.smb2.level = RAW_NOTIFY_SMB2;
    5023          64 :         notify.smb2.in.buffer_size = 1000;
    5024          64 :         notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
    5025          64 :         notify.smb2.in.file.handle = rh;
    5026          64 :         notify.smb2.in.recursive = true;
    5027             : 
    5028          64 :         req = smb2_notify_send(tree1, &(notify.smb2));
    5029         256 :         WAIT_FOR_ASYNC_RESPONSE(req);
    5030             : 
    5031          64 :         status = smb2_cancel(req);
    5032          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    5033             :                                         "smb2_cancel failed");
    5034             : 
    5035          64 :         status = smb2_notify_recv(req, tctx, &(notify.smb2));
    5036          64 :         torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_CANCELLED,
    5037             :                                            ret, done,
    5038             :                                            "smb2_notify_recv failed");
    5039             : 
    5040             :         /* Check the initial session is still alive */
    5041          64 :         ZERO_STRUCT(qfinfo1);
    5042          64 :         qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
    5043          64 :         qfinfo1.generic.in.file.handle = _h1;
    5044          64 :         status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
    5045          64 :         torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
    5046             :                                         "smb2_getinfo_file failed");
    5047             : 
    5048          64 :         ret = true;
    5049          64 : done:
    5050          64 :         if (h1 != NULL) {
    5051          64 :                 smb2_util_close(tree1, *h1);
    5052             :         }
    5053          64 :         TALLOC_FREE(tree1);
    5054             : 
    5055          64 :         return ret;
    5056             : }
    5057             : 
    5058          10 : static bool test_session_signing_hmac_sha_256(struct torture_context *tctx, struct smb2_tree *tree0)
    5059             : {
    5060          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    5061          10 :         bool ret = false;
    5062          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5063             :         struct smbcli_options options1;
    5064             :         bool encrypted;
    5065             : 
    5066          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    5067          10 :         if (encrypted) {
    5068           2 :                 torture_skip(tctx,
    5069             :                              "Can't test signing only if encrytion is required");
    5070             :         }
    5071             : 
    5072           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5073           0 :                 torture_skip(tctx,
    5074             :                              "Can't test without SMB 3.1.1 support");
    5075             :         }
    5076             : 
    5077           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5078           0 :                 torture_skip(tctx,
    5079             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5080             :         }
    5081             : 
    5082           8 :         options1 = transport0->options;
    5083           8 :         options1.client_guid = GUID_random();
    5084           8 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5085           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5086           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    5087           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    5088             :                 .num_algos = 1,
    5089             :                 .algos = {
    5090             :                         SMB2_SIGNING_HMAC_SHA256,
    5091             :                 },
    5092             :         };
    5093             : 
    5094           8 :         ret = test_session_sign_enc(tctx,
    5095             :                                     __func__,
    5096             :                                     credentials,
    5097             :                                     &options1);
    5098           8 :         TALLOC_FREE(tree0);
    5099           8 :         return ret;
    5100             : }
    5101             : 
    5102          10 : static bool test_session_signing_aes_128_cmac(struct torture_context *tctx, struct smb2_tree *tree0)
    5103             : {
    5104          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    5105          10 :         bool ret = false;
    5106          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5107             :         struct smbcli_options options1;
    5108             :         bool encrypted;
    5109             : 
    5110          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    5111          10 :         if (encrypted) {
    5112           2 :                 torture_skip(tctx,
    5113             :                              "Can't test signing only if encrytion is required");
    5114             :         }
    5115             : 
    5116           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5117           0 :                 torture_skip(tctx,
    5118             :                              "Can't test without SMB 3.1.1 support");
    5119             :         }
    5120             : 
    5121           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5122           0 :                 torture_skip(tctx,
    5123             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5124             :         }
    5125             : 
    5126           8 :         options1 = transport0->options;
    5127           8 :         options1.client_guid = GUID_random();
    5128           8 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5129           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5130           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    5131           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    5132             :                 .num_algos = 1,
    5133             :                 .algos = {
    5134             :                         SMB2_SIGNING_AES128_CMAC,
    5135             :                 },
    5136             :         };
    5137             : 
    5138           8 :         ret = test_session_sign_enc(tctx,
    5139             :                                     __func__,
    5140             :                                     credentials,
    5141             :                                     &options1);
    5142           8 :         TALLOC_FREE(tree0);
    5143           8 :         return ret;
    5144             : }
    5145             : 
    5146          10 : static bool test_session_signing_aes_128_gmac(struct torture_context *tctx, struct smb2_tree *tree0)
    5147             : {
    5148          10 :         struct cli_credentials *credentials = samba_cmdline_get_creds();
    5149          10 :         bool ret = false;
    5150          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5151             :         struct smbcli_options options1;
    5152             :         bool encrypted;
    5153             : 
    5154          10 :         encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
    5155          10 :         if (encrypted) {
    5156           2 :                 torture_skip(tctx,
    5157             :                              "Can't test signing only if encrytion is required");
    5158             :         }
    5159             : 
    5160           8 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5161           0 :                 torture_skip(tctx,
    5162             :                              "Can't test without SMB 3.1.1 support");
    5163             :         }
    5164             : 
    5165           8 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5166           0 :                 torture_skip(tctx,
    5167             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5168             :         }
    5169             : 
    5170           8 :         options1 = transport0->options;
    5171           8 :         options1.client_guid = GUID_random();
    5172           8 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5173           8 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5174           8 :         options1.signing = SMB_SIGNING_REQUIRED;
    5175           8 :         options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
    5176             :                 .num_algos = 1,
    5177             :                 .algos = {
    5178             :                         SMB2_SIGNING_AES128_GMAC,
    5179             :                 },
    5180             :         };
    5181             : 
    5182           8 :         ret = test_session_sign_enc(tctx,
    5183             :                                     __func__,
    5184             :                                     credentials,
    5185             :                                     &options1);
    5186           8 :         TALLOC_FREE(tree0);
    5187           8 :         return ret;
    5188             : }
    5189             : 
    5190          10 : static bool test_session_encryption_aes_128_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
    5191             : {
    5192          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    5193          10 :         struct cli_credentials *credentials = NULL;
    5194          10 :         bool ret = false;
    5195          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5196             :         struct smbcli_options options1;
    5197             :         bool ok;
    5198             : 
    5199          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5200           0 :                 torture_skip(tctx,
    5201             :                              "Can't test without SMB 3.1.1 support");
    5202             :         }
    5203             : 
    5204          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5205           0 :                 torture_skip(tctx,
    5206             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5207             :         }
    5208             : 
    5209          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    5210          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    5211          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    5212             :                                                 SMB_ENCRYPTION_REQUIRED,
    5213             :                                                 CRED_SPECIFIED);
    5214          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    5215             : 
    5216          10 :         options1 = transport0->options;
    5217          10 :         options1.client_guid = GUID_random();
    5218          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5219          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5220          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    5221          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    5222             :                 .num_algos = 1,
    5223             :                 .algos = {
    5224             :                         SMB2_ENCRYPTION_AES128_CCM,
    5225             :                 },
    5226             :         };
    5227             : 
    5228          10 :         ret = test_session_sign_enc(tctx,
    5229             :                                     __func__,
    5230             :                                     credentials,
    5231             :                                     &options1);
    5232          10 :         TALLOC_FREE(tree0);
    5233          10 :         return ret;
    5234             : }
    5235             : 
    5236          10 : static bool test_session_encryption_aes_128_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
    5237             : {
    5238          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    5239          10 :         struct cli_credentials *credentials = NULL;
    5240          10 :         bool ret = false;
    5241          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5242             :         struct smbcli_options options1;
    5243             :         bool ok;
    5244             : 
    5245          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5246           0 :                 torture_skip(tctx,
    5247             :                              "Can't test without SMB 3.1.1 support");
    5248             :         }
    5249             : 
    5250          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5251           0 :                 torture_skip(tctx,
    5252             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5253             :         }
    5254             : 
    5255          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    5256          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    5257          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    5258             :                                                 SMB_ENCRYPTION_REQUIRED,
    5259             :                                                 CRED_SPECIFIED);
    5260          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    5261             : 
    5262          10 :         options1 = transport0->options;
    5263          10 :         options1.client_guid = GUID_random();
    5264          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5265          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5266          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    5267          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    5268             :                 .num_algos = 1,
    5269             :                 .algos = {
    5270             :                         SMB2_ENCRYPTION_AES128_GCM,
    5271             :                 },
    5272             :         };
    5273             : 
    5274          10 :         ret = test_session_sign_enc(tctx,
    5275             :                                     __func__,
    5276             :                                     credentials,
    5277             :                                     &options1);
    5278          10 :         TALLOC_FREE(tree0);
    5279          10 :         return ret;
    5280             : }
    5281             : 
    5282          10 : static bool test_session_encryption_aes_256_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
    5283             : {
    5284          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    5285          10 :         struct cli_credentials *credentials = NULL;
    5286          10 :         bool ret = false;
    5287          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5288             :         struct smbcli_options options1;
    5289             :         bool ok;
    5290             : 
    5291          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5292           0 :                 torture_skip(tctx,
    5293             :                              "Can't test without SMB 3.1.1 support");
    5294             :         }
    5295             : 
    5296          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5297           0 :                 torture_skip(tctx,
    5298             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5299             :         }
    5300             : 
    5301          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    5302          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    5303          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    5304             :                                                 SMB_ENCRYPTION_REQUIRED,
    5305             :                                                 CRED_SPECIFIED);
    5306          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    5307             : 
    5308          10 :         options1 = transport0->options;
    5309          10 :         options1.client_guid = GUID_random();
    5310          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5311          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5312          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    5313          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    5314             :                 .num_algos = 1,
    5315             :                 .algos = {
    5316             :                         SMB2_ENCRYPTION_AES256_CCM,
    5317             :                 },
    5318             :         };
    5319             : 
    5320          10 :         ret = test_session_sign_enc(tctx,
    5321             :                                     __func__,
    5322             :                                     credentials,
    5323             :                                     &options1);
    5324          10 :         TALLOC_FREE(tree0);
    5325          10 :         return ret;
    5326             : }
    5327             : 
    5328          10 : static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
    5329             : {
    5330          10 :         struct cli_credentials *credentials0 = samba_cmdline_get_creds();
    5331          10 :         struct cli_credentials *credentials = NULL;
    5332          10 :         bool ret = false;
    5333          10 :         struct smb2_transport *transport0 = tree0->session->transport;
    5334             :         struct smbcli_options options1;
    5335             :         bool ok;
    5336             : 
    5337          10 :         if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
    5338           0 :                 torture_skip(tctx,
    5339             :                              "Can't test without SMB 3.1.1 support");
    5340             :         }
    5341             : 
    5342          10 :         if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
    5343           0 :                 torture_skip(tctx,
    5344             :                              "Can't test without SMB 3.1.1 signing negotiation support");
    5345             :         }
    5346             : 
    5347          10 :         credentials = cli_credentials_shallow_copy(tctx, credentials0);
    5348          10 :         torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
    5349          10 :         ok = cli_credentials_set_smb_encryption(credentials,
    5350             :                                                 SMB_ENCRYPTION_REQUIRED,
    5351             :                                                 CRED_SPECIFIED);
    5352          10 :         torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
    5353             : 
    5354          10 :         options1 = transport0->options;
    5355          10 :         options1.client_guid = GUID_random();
    5356          10 :         options1.min_protocol = PROTOCOL_SMB3_11;
    5357          10 :         options1.max_protocol = PROTOCOL_SMB3_11;
    5358          10 :         options1.signing = SMB_SIGNING_REQUIRED;
    5359          10 :         options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
    5360             :                 .num_algos = 1,
    5361             :                 .algos = {
    5362             :                         SMB2_ENCRYPTION_AES256_GCM,
    5363             :                 },
    5364             :         };
    5365             : 
    5366          10 :         ret = test_session_sign_enc(tctx,
    5367             :                                     __func__,
    5368             :                                     credentials,
    5369             :                                     &options1);
    5370          10 :         TALLOC_FREE(tree0);
    5371          10 :         return ret;
    5372             : }
    5373             : 
    5374        2353 : struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
    5375             : {
    5376        2353 :         struct torture_suite *suite =
    5377             :             torture_suite_create(ctx, "session");
    5378             : 
    5379        2353 :         torture_suite_add_1smb2_test(suite, "reconnect1", test_session_reconnect1);
    5380        2353 :         torture_suite_add_1smb2_test(suite, "reconnect2", test_session_reconnect2);
    5381        2353 :         torture_suite_add_1smb2_test(suite, "reauth1", test_session_reauth1);
    5382        2353 :         torture_suite_add_1smb2_test(suite, "reauth2", test_session_reauth2);
    5383        2353 :         torture_suite_add_1smb2_test(suite, "reauth3", test_session_reauth3);
    5384        2353 :         torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
    5385        2353 :         torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
    5386        2353 :         torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
    5387        2353 :         torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
    5388        2353 :         torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
    5389        2353 :         torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
    5390        2353 :         torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
    5391        2353 :         torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
    5392        2353 :         torture_suite_add_simple_test(suite, "expire_disconnect",
    5393             :                                       test_session_expire_disconnect);
    5394        2353 :         torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
    5395        2353 :         torture_suite_add_1smb2_test(suite, "bind2", test_session_bind2);
    5396        2353 :         torture_suite_add_1smb2_test(suite, "bind_invalid_auth", test_session_bind_invalid_auth);
    5397        2353 :         torture_suite_add_1smb2_test(suite, "bind_different_user", test_session_bind_different_user);
    5398        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb202", test_session_bind_negative_smb202);
    5399        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb210s", test_session_bind_negative_smb210s);
    5400        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb210d", test_session_bind_negative_smb210d);
    5401        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3s", test_session_bind_negative_smb2to3s);
    5402        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3d", test_session_bind_negative_smb2to3d);
    5403        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2s", test_session_bind_negative_smb3to2s);
    5404        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2d", test_session_bind_negative_smb3to2d);
    5405        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3s", test_session_bind_negative_smb3to3s);
    5406        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3d", test_session_bind_negative_smb3to3d);
    5407        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCs", test_session_bind_negative_smb3encGtoCs);
    5408        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCd", test_session_bind_negative_smb3encGtoCd);
    5409        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHs", test_session_bind_negative_smb3signCtoHs);
    5410        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHd", test_session_bind_negative_smb3signCtoHd);
    5411        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGs", test_session_bind_negative_smb3signCtoGs);
    5412        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGd", test_session_bind_negative_smb3signCtoGd);
    5413        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCs", test_session_bind_negative_smb3signHtoCs);
    5414        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCd", test_session_bind_negative_smb3signHtoCd);
    5415        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGs", test_session_bind_negative_smb3signHtoGs);
    5416        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGd", test_session_bind_negative_smb3signHtoGd);
    5417        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCs", test_session_bind_negative_smb3signGtoCs);
    5418        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCd", test_session_bind_negative_smb3signGtoCd);
    5419        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHs", test_session_bind_negative_smb3signGtoHs);
    5420        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHd", test_session_bind_negative_smb3signGtoHd);
    5421        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCs", test_session_bind_negative_smb3sneGtoCs);
    5422        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCd", test_session_bind_negative_smb3sneGtoCd);
    5423        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHs", test_session_bind_negative_smb3sneGtoHs);
    5424        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHd", test_session_bind_negative_smb3sneGtoHd);
    5425        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGs", test_session_bind_negative_smb3sneCtoGs);
    5426        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGd", test_session_bind_negative_smb3sneCtoGd);
    5427        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGs", test_session_bind_negative_smb3sneHtoGs);
    5428        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGd", test_session_bind_negative_smb3sneHtoGd);
    5429        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGs", test_session_bind_negative_smb3signC30toGs);
    5430        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGd", test_session_bind_negative_smb3signC30toGd);
    5431        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGs", test_session_bind_negative_smb3signH2XtoGs);
    5432        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGd", test_session_bind_negative_smb3signH2XtoGd);
    5433        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30s", test_session_bind_negative_smb3signGtoC30s);
    5434        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30d", test_session_bind_negative_smb3signGtoC30d);
    5435        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xs", test_session_bind_negative_smb3signGtoH2Xs);
    5436        2353 :         torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xd", test_session_bind_negative_smb3signGtoH2Xd);
    5437        2353 :         torture_suite_add_1smb2_test(suite, "two_logoff", test_session_two_logoff);
    5438        2353 :         torture_suite_add_1smb2_test(suite, "signing-hmac-sha-256", test_session_signing_hmac_sha_256);
    5439        2353 :         torture_suite_add_1smb2_test(suite, "signing-aes-128-cmac", test_session_signing_aes_128_cmac);
    5440        2353 :         torture_suite_add_1smb2_test(suite, "signing-aes-128-gmac", test_session_signing_aes_128_gmac);
    5441        2353 :         torture_suite_add_1smb2_test(suite, "encryption-aes-128-ccm", test_session_encryption_aes_128_ccm);
    5442        2353 :         torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
    5443        2353 :         torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
    5444        2353 :         torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
    5445             : 
    5446        2353 :         suite->description = talloc_strdup(suite, "SMB2-SESSION tests");
    5447             : 
    5448        2353 :         return suite;
    5449             : }

Generated by: LCOV version 1.13