Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : test suite for SMB2 session setups
5 :
6 : Copyright (C) Michael Adam 2012
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "libcli/smb2/smb2.h"
24 : #include "libcli/smb2/smb2_calls.h"
25 : #include "torture/torture.h"
26 : #include "torture/util.h"
27 : #include "torture/smb2/proto.h"
28 : #include "../libcli/smb/smbXcli_base.h"
29 : #include "lib/cmdline/cmdline.h"
30 : #include "auth/credentials/credentials.h"
31 : #include "auth/credentials/credentials_krb5.h"
32 : #include "libcli/security/security.h"
33 : #include "libcli/resolve/resolve.h"
34 : #include "lib/param/param.h"
35 : #include "lib/util/tevent_ntstatus.h"
36 :
37 : /* Ticket lifetime we want to request in seconds */
38 : #define KRB5_TICKET_LIFETIME 5
39 : /* Allowed clock skew in seconds */
40 : #define KRB5_CLOCKSKEW 5
41 : /* Time till ticket fully expired in seconds */
42 : #define KRB5_TICKET_EXPIRETIME KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW
43 :
44 : #define texpand(x) #x
45 : #define GENSEC_GSSAPI_REQUESTED_LIFETIME(x) \
46 : "gensec_gssapi:requested_life_time=" texpand(x)
47 :
48 : #define CHECK_CREATED(tctx, __io, __created, __attribute) \
49 : do { \
50 : torture_assert_int_equal(tctx, (__io)->out.create_action, \
51 : NTCREATEX_ACTION_ ## __created, \
52 : "out.create_action incorrect"); \
53 : torture_assert_int_equal(tctx, (__io)->out.size, 0, \
54 : "out.size incorrect"); \
55 : torture_assert_int_equal(tctx, (__io)->out.file_attr, \
56 : (__attribute), \
57 : "out.file_attr incorrect"); \
58 : torture_assert_int_equal(tctx, (__io)->out.reserved2, 0, \
59 : "out.reserverd2 incorrect"); \
60 : } while(0)
61 :
62 : #define WAIT_FOR_ASYNC_RESPONSE(req) \
63 : while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) { \
64 : if (tevent_loop_once(tctx->ev) != 0) { \
65 : break; \
66 : } \
67 : }
68 :
69 45 : static void sleep_remaining(struct torture_context *tctx,
70 : const struct timeval *endtime)
71 : {
72 45 : struct timeval current = tevent_timeval_current();
73 45 : double remaining_secs = timeval_elapsed2(¤t, endtime);
74 :
75 45 : remaining_secs = remaining_secs < 1.0 ? 1.0 : remaining_secs;
76 45 : torture_comment(
77 : tctx,
78 : "sleep for %2.f second(s) that the krb5 ticket expires",
79 : remaining_secs);
80 45 : smb_msleep((int)(remaining_secs * 1000));
81 45 : }
82 :
83 : /**
84 : * basic test for doing a session reconnect
85 : */
86 12 : bool test_session_reconnect1(struct torture_context *tctx, struct smb2_tree *tree)
87 : {
88 2 : NTSTATUS status;
89 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
90 2 : char fname[256];
91 2 : struct smb2_handle _h1;
92 12 : struct smb2_handle *h1 = NULL;
93 2 : struct smb2_handle _h2;
94 12 : struct smb2_handle *h2 = NULL;
95 2 : struct smb2_create io1, io2;
96 2 : uint64_t previous_session_id;
97 12 : bool ret = true;
98 12 : struct smb2_tree *tree2 = NULL;
99 2 : union smb_fileinfo qfinfo;
100 :
101 : /* Add some random component to the file name. */
102 12 : snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
103 : generate_random_str(tctx, 8));
104 :
105 12 : smb2_util_unlink(tree, fname);
106 :
107 12 : smb2_oplock_create_share(&io1, fname,
108 : smb2_util_share_access(""),
109 12 : smb2_util_oplock_level("b"));
110 :
111 12 : status = smb2_create(tree, mem_ctx, &io1);
112 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
113 : "smb2_create failed");
114 12 : _h1 = io1.out.file.handle;
115 12 : h1 = &_h1;
116 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
117 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
118 : smb2_util_oplock_level("b"),
119 : "oplock_level incorrect");
120 :
121 : /* disconnect, reconnect and then do durable reopen */
122 12 : previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
123 :
124 12 : torture_assert_goto(tctx, torture_smb2_connection_ext(tctx, previous_session_id,
125 : &tree->session->transport->options, &tree2),
126 : ret, done,
127 : "session reconnect failed\n");
128 :
129 : /* try to access the file via the old handle */
130 :
131 12 : ZERO_STRUCT(qfinfo);
132 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
133 12 : qfinfo.generic.in.file.handle = _h1;
134 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
135 12 : torture_assert_ntstatus_equal_goto(tctx, status,
136 : NT_STATUS_USER_SESSION_DELETED,
137 : ret, done, "smb2_getinfo_file "
138 : "returned unexpected status");
139 10 : h1 = NULL;
140 :
141 10 : smb2_oplock_create_share(&io2, fname,
142 : smb2_util_share_access(""),
143 10 : smb2_util_oplock_level("b"));
144 :
145 10 : status = smb2_create(tree2, mem_ctx, &io2);
146 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
147 : "smb2_create failed");
148 :
149 10 : CHECK_CREATED(tctx, &io2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
150 10 : torture_assert_int_equal(tctx, io1.out.oplock_level,
151 : smb2_util_oplock_level("b"),
152 : "oplock_level incorrect");
153 10 : _h2 = io2.out.file.handle;
154 10 : h2 = &_h2;
155 :
156 12 : done:
157 12 : if (h1 != NULL) {
158 2 : smb2_util_close(tree, *h1);
159 : }
160 12 : if (h2 != NULL) {
161 10 : smb2_util_close(tree2, *h2);
162 : }
163 :
164 12 : if (tree2 != NULL) {
165 12 : smb2_util_unlink(tree2, fname);
166 : }
167 12 : smb2_util_unlink(tree, fname);
168 :
169 12 : talloc_free(tree);
170 12 : talloc_free(tree2);
171 :
172 12 : talloc_free(mem_ctx);
173 :
174 12 : return ret;
175 : }
176 :
177 : /**
178 : * basic test for doing a session reconnect on one connection
179 : */
180 12 : bool test_session_reconnect2(struct torture_context *tctx, struct smb2_tree *tree)
181 : {
182 2 : NTSTATUS status;
183 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
184 2 : char fname[256];
185 2 : struct smb2_handle _h1;
186 12 : struct smb2_handle *h1 = NULL;
187 2 : struct smb2_create io1;
188 2 : uint64_t previous_session_id;
189 12 : bool ret = true;
190 12 : struct smb2_session *session2 = NULL;
191 2 : union smb_fileinfo qfinfo;
192 :
193 : /* Add some random component to the file name. */
194 12 : snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
195 : generate_random_str(tctx, 8));
196 :
197 12 : smb2_util_unlink(tree, fname);
198 :
199 12 : smb2_oplock_create_share(&io1, fname,
200 : smb2_util_share_access(""),
201 12 : smb2_util_oplock_level("b"));
202 12 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
203 :
204 12 : status = smb2_create(tree, mem_ctx, &io1);
205 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
206 : "smb2_create failed");
207 12 : _h1 = io1.out.file.handle;
208 12 : h1 = &_h1;
209 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
210 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
211 : smb2_util_oplock_level("b"),
212 : "oplock_level incorrect");
213 :
214 : /* disconnect, reconnect and then do durable reopen */
215 12 : previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
216 :
217 12 : torture_assert(tctx, torture_smb2_session_setup(tctx, tree->session->transport,
218 : previous_session_id, tctx, &session2),
219 : "session reconnect (on the same connection) failed");
220 :
221 : /* try to access the file via the old handle */
222 :
223 12 : ZERO_STRUCT(qfinfo);
224 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
225 12 : qfinfo.generic.in.file.handle = _h1;
226 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
227 12 : torture_assert_ntstatus_equal_goto(tctx, status,
228 : NT_STATUS_USER_SESSION_DELETED,
229 : ret, done, "smb2_getinfo_file "
230 : "returned unexpected status");
231 8 : h1 = NULL;
232 :
233 10 : done:
234 10 : if (h1 != NULL) {
235 2 : smb2_util_close(tree, *h1);
236 : }
237 :
238 12 : talloc_free(tree);
239 12 : talloc_free(session2);
240 :
241 12 : talloc_free(mem_ctx);
242 :
243 12 : return ret;
244 : }
245 :
246 12 : bool test_session_reauth1(struct torture_context *tctx, struct smb2_tree *tree)
247 : {
248 2 : NTSTATUS status;
249 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
250 2 : char fname[256];
251 2 : struct smb2_handle _h1;
252 12 : struct smb2_handle *h1 = NULL;
253 2 : struct smb2_create io1;
254 12 : bool ret = true;
255 2 : union smb_fileinfo qfinfo;
256 :
257 : /* Add some random component to the file name. */
258 12 : snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
259 : generate_random_str(tctx, 8));
260 :
261 12 : smb2_util_unlink(tree, fname);
262 :
263 12 : smb2_oplock_create_share(&io1, fname,
264 : smb2_util_share_access(""),
265 12 : smb2_util_oplock_level("b"));
266 :
267 12 : status = smb2_create(tree, mem_ctx, &io1);
268 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
269 : "smb2_create failed");
270 12 : _h1 = io1.out.file.handle;
271 12 : h1 = &_h1;
272 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
273 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
274 : smb2_util_oplock_level("b"),
275 : "oplock_level incorrect");
276 :
277 12 : status = smb2_session_setup_spnego(tree->session,
278 : samba_cmdline_get_creds(),
279 : 0 /* previous_session_id */);
280 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
281 : "smb2_session_setup_spnego failed");
282 :
283 : /* try to access the file via the old handle */
284 :
285 12 : ZERO_STRUCT(qfinfo);
286 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
287 12 : qfinfo.generic.in.file.handle = _h1;
288 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
289 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
290 : "smb2_getinfo_file failed");
291 :
292 12 : status = smb2_session_setup_spnego(tree->session,
293 : samba_cmdline_get_creds(),
294 : 0 /* previous_session_id */);
295 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
296 : "smb2_session_setup_spnego failed");
297 :
298 : /* try to access the file via the old handle */
299 :
300 12 : ZERO_STRUCT(qfinfo);
301 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
302 12 : qfinfo.generic.in.file.handle = _h1;
303 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
304 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
305 : "smb2_getinfo_file failed");
306 :
307 12 : done:
308 10 : if (h1 != NULL) {
309 12 : smb2_util_close(tree, *h1);
310 : }
311 :
312 12 : smb2_util_unlink(tree, fname);
313 :
314 12 : talloc_free(tree);
315 :
316 12 : talloc_free(mem_ctx);
317 :
318 12 : return ret;
319 : }
320 :
321 12 : bool test_session_reauth2(struct torture_context *tctx, struct smb2_tree *tree)
322 : {
323 2 : NTSTATUS status;
324 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
325 2 : char fname[256];
326 2 : struct smb2_handle _h1;
327 12 : struct smb2_handle *h1 = NULL;
328 2 : struct smb2_create io1;
329 12 : bool ret = true;
330 2 : union smb_fileinfo qfinfo;
331 12 : struct cli_credentials *anon_creds = NULL;
332 :
333 : /* Add some random component to the file name. */
334 12 : snprintf(fname, sizeof(fname), "session_reauth2_%s.dat",
335 : generate_random_str(tctx, 8));
336 :
337 12 : smb2_util_unlink(tree, fname);
338 :
339 12 : smb2_oplock_create_share(&io1, fname,
340 : smb2_util_share_access(""),
341 12 : smb2_util_oplock_level("b"));
342 :
343 12 : status = smb2_create(tree, mem_ctx, &io1);
344 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
345 : "smb2_create failed");
346 12 : _h1 = io1.out.file.handle;
347 12 : h1 = &_h1;
348 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
349 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
350 : smb2_util_oplock_level("b"),
351 : "oplock_level incorrect");
352 :
353 : /* re-authenticate as anonymous */
354 :
355 12 : anon_creds = cli_credentials_init_anon(mem_ctx);
356 12 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
357 :
358 12 : status = smb2_session_setup_spnego(tree->session,
359 : anon_creds,
360 : 0 /* previous_session_id */);
361 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
362 : "smb2_session_setup_spnego failed");
363 :
364 : /* try to access the file via the old handle */
365 :
366 12 : ZERO_STRUCT(qfinfo);
367 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
368 12 : qfinfo.generic.in.file.handle = _h1;
369 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
370 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
371 : "smb2_getinfo_file failed");
372 :
373 : /* re-authenticate as original user again */
374 :
375 12 : status = smb2_session_setup_spnego(tree->session,
376 : samba_cmdline_get_creds(),
377 : 0 /* previous_session_id */);
378 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
379 : "smb2_session_setup_spnego failed");
380 :
381 : /* try to access the file via the old handle */
382 :
383 12 : ZERO_STRUCT(qfinfo);
384 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
385 12 : qfinfo.generic.in.file.handle = _h1;
386 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
387 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
388 : "smb2_getinfo_file failed");
389 :
390 12 : done:
391 10 : if (h1 != NULL) {
392 12 : smb2_util_close(tree, *h1);
393 : }
394 :
395 12 : smb2_util_unlink(tree, fname);
396 :
397 12 : talloc_free(tree);
398 :
399 12 : talloc_free(mem_ctx);
400 :
401 12 : return ret;
402 : }
403 :
404 : /**
405 : * test getting security descriptor after reauth
406 : */
407 12 : bool test_session_reauth3(struct torture_context *tctx, struct smb2_tree *tree)
408 : {
409 2 : NTSTATUS status;
410 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
411 2 : char fname[256];
412 2 : struct smb2_handle _h1;
413 12 : struct smb2_handle *h1 = NULL;
414 2 : struct smb2_create io1;
415 12 : bool ret = true;
416 2 : union smb_fileinfo qfinfo;
417 12 : struct cli_credentials *anon_creds = NULL;
418 12 : uint32_t secinfo_flags = SECINFO_OWNER
419 : | SECINFO_GROUP
420 : | SECINFO_DACL
421 : | SECINFO_PROTECTED_DACL
422 : | SECINFO_UNPROTECTED_DACL;
423 :
424 : /* Add some random component to the file name. */
425 12 : snprintf(fname, sizeof(fname), "session_reauth3_%s.dat",
426 : generate_random_str(tctx, 8));
427 :
428 12 : smb2_util_unlink(tree, fname);
429 :
430 12 : smb2_oplock_create_share(&io1, fname,
431 : smb2_util_share_access(""),
432 12 : smb2_util_oplock_level("b"));
433 :
434 12 : status = smb2_create(tree, mem_ctx, &io1);
435 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
436 : "smb2_create failed");
437 12 : _h1 = io1.out.file.handle;
438 12 : h1 = &_h1;
439 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
440 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
441 : smb2_util_oplock_level("b"),
442 : "oplock_level incorrect");
443 :
444 : /* get the security descriptor */
445 :
446 12 : ZERO_STRUCT(qfinfo);
447 :
448 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
449 12 : qfinfo.query_secdesc.in.file.handle = _h1;
450 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
451 :
452 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
453 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
454 : "smb2_getinfo_file failed");
455 :
456 : /* re-authenticate as anonymous */
457 :
458 12 : anon_creds = cli_credentials_init_anon(mem_ctx);
459 12 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
460 :
461 12 : status = smb2_session_setup_spnego(tree->session,
462 : anon_creds,
463 : 0 /* previous_session_id */);
464 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
465 : "smb2_session_setup_spnego failed");
466 :
467 : /* try to access the file via the old handle */
468 :
469 12 : ZERO_STRUCT(qfinfo);
470 :
471 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
472 12 : qfinfo.query_secdesc.in.file.handle = _h1;
473 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
474 :
475 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
476 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
477 : "smb2_getinfo_file failed");
478 :
479 : /* re-authenticate as original user again */
480 :
481 12 : status = smb2_session_setup_spnego(tree->session,
482 : samba_cmdline_get_creds(),
483 : 0 /* previous_session_id */);
484 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
485 : "smb2_session_setup_spnego failed");
486 :
487 : /* try to access the file via the old handle */
488 :
489 12 : ZERO_STRUCT(qfinfo);
490 :
491 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
492 12 : qfinfo.query_secdesc.in.file.handle = _h1;
493 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
494 :
495 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
496 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
497 : "smb2_getinfo_file failed");
498 :
499 12 : done:
500 10 : if (h1 != NULL) {
501 12 : smb2_util_close(tree, *h1);
502 : }
503 :
504 12 : smb2_util_unlink(tree, fname);
505 :
506 12 : talloc_free(tree);
507 :
508 12 : talloc_free(mem_ctx);
509 :
510 12 : return ret;
511 : }
512 :
513 : /**
514 : * test setting security descriptor after reauth.
515 : */
516 12 : bool test_session_reauth4(struct torture_context *tctx, struct smb2_tree *tree)
517 : {
518 2 : NTSTATUS status;
519 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
520 2 : char fname[256];
521 2 : struct smb2_handle _h1;
522 12 : struct smb2_handle *h1 = NULL;
523 2 : struct smb2_create io1;
524 12 : bool ret = true;
525 2 : union smb_fileinfo qfinfo;
526 2 : union smb_setfileinfo sfinfo;
527 12 : struct cli_credentials *anon_creds = NULL;
528 12 : uint32_t secinfo_flags = SECINFO_OWNER
529 : | SECINFO_GROUP
530 : | SECINFO_DACL
531 : | SECINFO_PROTECTED_DACL
532 : | SECINFO_UNPROTECTED_DACL;
533 2 : struct security_descriptor *sd1;
534 2 : struct security_ace ace;
535 2 : struct dom_sid *extra_sid;
536 :
537 : /* Add some random component to the file name. */
538 12 : snprintf(fname, sizeof(fname), "session_reauth4_%s.dat",
539 : generate_random_str(tctx, 8));
540 :
541 12 : smb2_util_unlink(tree, fname);
542 :
543 12 : smb2_oplock_create_share(&io1, fname,
544 : smb2_util_share_access(""),
545 12 : smb2_util_oplock_level("b"));
546 :
547 12 : status = smb2_create(tree, mem_ctx, &io1);
548 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
549 : "smb2_create failed");
550 12 : _h1 = io1.out.file.handle;
551 12 : h1 = &_h1;
552 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
553 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
554 : smb2_util_oplock_level("b"),
555 : "oplock_level incorrect");
556 :
557 : /* get the security descriptor */
558 :
559 12 : ZERO_STRUCT(qfinfo);
560 :
561 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
562 12 : qfinfo.query_secdesc.in.file.handle = _h1;
563 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
564 :
565 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
566 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
567 : "smb2_getinfo_file failed");
568 :
569 12 : sd1 = qfinfo.query_secdesc.out.sd;
570 :
571 : /* re-authenticate as anonymous */
572 :
573 12 : anon_creds = cli_credentials_init_anon(mem_ctx);
574 12 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
575 :
576 12 : status = smb2_session_setup_spnego(tree->session,
577 : anon_creds,
578 : 0 /* previous_session_id */);
579 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
580 : "smb2_session_setup_spnego failed");
581 :
582 : /* give full access on the file to anonymous */
583 :
584 12 : extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
585 :
586 12 : ZERO_STRUCT(ace);
587 12 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
588 12 : ace.flags = 0;
589 12 : ace.access_mask = SEC_STD_ALL | SEC_FILE_ALL;
590 12 : ace.trustee = *extra_sid;
591 :
592 12 : status = security_descriptor_dacl_add(sd1, &ace);
593 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
594 : "security_descriptor_dacl_add failed");
595 :
596 12 : ZERO_STRUCT(sfinfo);
597 12 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
598 12 : sfinfo.set_secdesc.in.file.handle = _h1;
599 12 : sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
600 12 : sfinfo.set_secdesc.in.sd = sd1;
601 :
602 12 : status = smb2_setinfo_file(tree, &sfinfo);
603 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
604 : "smb2_setinfo_file failed");
605 :
606 : /* re-authenticate as original user again */
607 :
608 12 : status = smb2_session_setup_spnego(tree->session,
609 : samba_cmdline_get_creds(),
610 : 0 /* previous_session_id */);
611 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
612 : "smb2_session_setup_spnego failed");
613 :
614 : /* re-get the security descriptor */
615 :
616 12 : ZERO_STRUCT(qfinfo);
617 :
618 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
619 12 : qfinfo.query_secdesc.in.file.handle = _h1;
620 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
621 :
622 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
623 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
624 : "smb2_getinfo_file failed");
625 :
626 10 : ret = true;
627 :
628 12 : done:
629 10 : if (h1 != NULL) {
630 12 : smb2_util_close(tree, *h1);
631 : }
632 :
633 12 : smb2_util_unlink(tree, fname);
634 :
635 12 : talloc_free(tree);
636 :
637 12 : talloc_free(mem_ctx);
638 :
639 12 : return ret;
640 : }
641 :
642 : /**
643 : * test renaming after reauth.
644 : * compare security descriptors before and after rename/reauth
645 : */
646 12 : bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
647 : {
648 2 : NTSTATUS status;
649 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
650 2 : char dname[128];
651 2 : char fname[256];
652 2 : char fname2[256];
653 2 : struct smb2_handle _dh1;
654 12 : struct smb2_handle *dh1 = NULL;
655 2 : struct smb2_handle _h1;
656 12 : struct smb2_handle *h1 = NULL;
657 2 : struct smb2_create io1;
658 12 : bool ret = true;
659 2 : bool ok;
660 2 : union smb_fileinfo qfinfo;
661 2 : union smb_setfileinfo sfinfo;
662 12 : struct cli_credentials *anon_creds = NULL;
663 12 : uint32_t secinfo_flags = SECINFO_OWNER
664 : | SECINFO_GROUP
665 : | SECINFO_DACL
666 : | SECINFO_PROTECTED_DACL
667 : | SECINFO_UNPROTECTED_DACL;
668 2 : struct security_descriptor *f_sd1;
669 12 : struct security_descriptor *d_sd1 = NULL;
670 2 : struct security_ace ace;
671 2 : struct dom_sid *extra_sid;
672 :
673 : /* Add some random component to the file name. */
674 12 : snprintf(dname, sizeof(dname), "session_reauth5_%s.d",
675 : generate_random_str(tctx, 8));
676 12 : snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
677 :
678 12 : ok = smb2_util_setup_dir(tctx, tree, dname);
679 12 : torture_assert(tctx, ok, "smb2_util_setup_dir not ok");
680 :
681 12 : status = torture_smb2_testdir(tree, dname, &_dh1);
682 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
683 : "torture_smb2_testdir failed");
684 12 : dh1 = &_dh1;
685 :
686 12 : smb2_oplock_create_share(&io1, fname,
687 : smb2_util_share_access(""),
688 12 : smb2_util_oplock_level("b"));
689 :
690 12 : status = smb2_create(tree, mem_ctx, &io1);
691 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
692 : "smb2_create failed");
693 12 : _h1 = io1.out.file.handle;
694 12 : h1 = &_h1;
695 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
696 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
697 : smb2_util_oplock_level("b"),
698 : "oplock_level incorrect");
699 :
700 : /* get the security descriptor */
701 :
702 12 : ZERO_STRUCT(qfinfo);
703 :
704 12 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
705 12 : qfinfo.query_secdesc.in.file.handle = _h1;
706 12 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
707 :
708 12 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
709 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
710 : "smb2_getinfo_file failed");
711 :
712 12 : f_sd1 = qfinfo.query_secdesc.out.sd;
713 :
714 : /* re-authenticate as anonymous */
715 :
716 12 : anon_creds = cli_credentials_init_anon(mem_ctx);
717 12 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
718 :
719 12 : status = smb2_session_setup_spnego(tree->session,
720 : anon_creds,
721 : 0 /* previous_session_id */);
722 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
723 : "smb2_session_setup_spnego failed");
724 :
725 : /* try to rename the file: fails */
726 :
727 12 : snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
728 :
729 12 : status = smb2_util_unlink(tree, fname2);
730 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
731 : "smb2_util_unlink failed");
732 :
733 :
734 0 : ZERO_STRUCT(sfinfo);
735 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
736 0 : sfinfo.rename_information.in.file.handle = _h1;
737 0 : sfinfo.rename_information.in.overwrite = true;
738 0 : sfinfo.rename_information.in.new_name = fname2;
739 :
740 0 : status = smb2_setinfo_file(tree, &sfinfo);
741 0 : torture_assert_ntstatus_equal_goto(tctx, status,
742 : NT_STATUS_ACCESS_DENIED,
743 : ret, done, "smb2_setinfo_file "
744 : "returned unexpected status");
745 :
746 : /* re-authenticate as original user again */
747 :
748 0 : status = smb2_session_setup_spnego(tree->session,
749 : samba_cmdline_get_creds(),
750 : 0 /* previous_session_id */);
751 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
752 : "smb2_session_setup_spnego failed");
753 :
754 : /* give full access on the file to anonymous */
755 :
756 0 : extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
757 :
758 0 : ZERO_STRUCT(ace);
759 0 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
760 0 : ace.flags = 0;
761 0 : ace.access_mask = SEC_RIGHTS_FILE_ALL;
762 0 : ace.trustee = *extra_sid;
763 :
764 0 : status = security_descriptor_dacl_add(f_sd1, &ace);
765 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
766 : "security_descriptor_dacl_add failed");
767 :
768 0 : ZERO_STRUCT(sfinfo);
769 0 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
770 0 : sfinfo.set_secdesc.in.file.handle = _h1;
771 0 : sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
772 0 : sfinfo.set_secdesc.in.sd = f_sd1;
773 :
774 0 : status = smb2_setinfo_file(tree, &sfinfo);
775 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
776 : "smb2_setinfo_file failed");
777 :
778 : /* re-get the security descriptor */
779 :
780 0 : ZERO_STRUCT(qfinfo);
781 :
782 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
783 0 : qfinfo.query_secdesc.in.file.handle = _h1;
784 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
785 :
786 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
787 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
788 : "smb2_getinfo_file failed");
789 :
790 : /* re-authenticate as anonymous - again */
791 :
792 0 : anon_creds = cli_credentials_init_anon(mem_ctx);
793 0 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
794 :
795 0 : status = smb2_session_setup_spnego(tree->session,
796 : anon_creds,
797 : 0 /* previous_session_id */);
798 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
799 : "smb2_session_setup_spnego failed");
800 :
801 : /* try to rename the file: fails */
802 :
803 0 : ZERO_STRUCT(sfinfo);
804 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
805 0 : sfinfo.rename_information.in.file.handle = _h1;
806 0 : sfinfo.rename_information.in.overwrite = true;
807 0 : sfinfo.rename_information.in.new_name = fname2;
808 :
809 0 : status = smb2_setinfo_file(tree, &sfinfo);
810 0 : torture_assert_ntstatus_equal_goto(tctx, status,
811 : NT_STATUS_ACCESS_DENIED,
812 : ret, done, "smb2_setinfo_file "
813 : "returned unexpected status");
814 :
815 : /* give full access on the parent dir to anonymous */
816 :
817 0 : ZERO_STRUCT(qfinfo);
818 :
819 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
820 0 : qfinfo.query_secdesc.in.file.handle = _dh1;
821 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
822 :
823 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
824 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
825 : "smb2_getinfo_file failed");
826 :
827 0 : d_sd1 = qfinfo.query_secdesc.out.sd;
828 :
829 0 : ZERO_STRUCT(ace);
830 0 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
831 0 : ace.flags = 0;
832 0 : ace.access_mask = SEC_RIGHTS_FILE_ALL;
833 0 : ace.trustee = *extra_sid;
834 :
835 0 : status = security_descriptor_dacl_add(d_sd1, &ace);
836 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
837 : "security_descriptor_dacl_add failed");
838 :
839 0 : ZERO_STRUCT(sfinfo);
840 0 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
841 0 : sfinfo.set_secdesc.in.file.handle = _dh1;
842 0 : sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
843 0 : sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
844 0 : sfinfo.set_secdesc.in.sd = d_sd1;
845 :
846 0 : status = smb2_setinfo_file(tree, &sfinfo);
847 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
848 : "smb2_setinfo_file failed");
849 :
850 0 : ZERO_STRUCT(qfinfo);
851 :
852 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
853 0 : qfinfo.query_secdesc.in.file.handle = _dh1;
854 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
855 :
856 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
857 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
858 : "smb2_getinfo_file failed");
859 :
860 0 : status = smb2_util_close(tree, _dh1);
861 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
862 : "smb2_util_close failed");
863 0 : dh1 = NULL;
864 :
865 : /* try to rename the file: still fails */
866 :
867 0 : ZERO_STRUCT(sfinfo);
868 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
869 0 : sfinfo.rename_information.in.file.handle = _h1;
870 0 : sfinfo.rename_information.in.overwrite = true;
871 0 : sfinfo.rename_information.in.new_name = fname2;
872 :
873 0 : status = smb2_setinfo_file(tree, &sfinfo);
874 0 : torture_assert_ntstatus_equal_goto(tctx, status,
875 : NT_STATUS_ACCESS_DENIED,
876 : ret, done, "smb2_setinfo_file "
877 : "returned unexpected status");
878 :
879 : /* re-authenticate as original user - again */
880 :
881 0 : status = smb2_session_setup_spnego(tree->session,
882 : samba_cmdline_get_creds(),
883 : 0 /* previous_session_id */);
884 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
885 : "smb2_session_setup_spnego failed");
886 :
887 : /* rename the file - for verification that it works */
888 :
889 0 : ZERO_STRUCT(sfinfo);
890 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
891 0 : sfinfo.rename_information.in.file.handle = _h1;
892 0 : sfinfo.rename_information.in.overwrite = true;
893 0 : sfinfo.rename_information.in.new_name = fname2;
894 :
895 0 : status = smb2_setinfo_file(tree, &sfinfo);
896 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
897 : "smb2_setinfo_file failed");
898 :
899 : /* closs the file, check it is gone and reopen under the new name */
900 :
901 0 : status = smb2_util_close(tree, _h1);
902 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
903 : "smb2_util_close failed");
904 0 : ZERO_STRUCT(io1);
905 :
906 0 : smb2_generic_create_share(&io1,
907 : NULL /* lease */, false /* dir */,
908 : fname,
909 : NTCREATEX_DISP_OPEN,
910 : smb2_util_share_access(""),
911 0 : smb2_util_oplock_level("b"),
912 : 0 /* leasekey */, 0 /* leasestate */);
913 :
914 0 : status = smb2_create(tree, mem_ctx, &io1);
915 0 : torture_assert_ntstatus_equal_goto(tctx, status,
916 : NT_STATUS_OBJECT_NAME_NOT_FOUND,
917 : ret, done, "smb2_create "
918 : "returned unexpected status");
919 :
920 0 : ZERO_STRUCT(io1);
921 :
922 0 : smb2_generic_create_share(&io1,
923 : NULL /* lease */, false /* dir */,
924 : fname2,
925 : NTCREATEX_DISP_OPEN,
926 : smb2_util_share_access(""),
927 0 : smb2_util_oplock_level("b"),
928 : 0 /* leasekey */, 0 /* leasestate */);
929 :
930 0 : status = smb2_create(tree, mem_ctx, &io1);
931 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
932 : "smb2_create failed");
933 0 : _h1 = io1.out.file.handle;
934 0 : h1 = &_h1;
935 0 : CHECK_CREATED(tctx, &io1, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
936 0 : torture_assert_int_equal(tctx, io1.out.oplock_level,
937 : smb2_util_oplock_level("b"),
938 : "oplock_level incorrect");
939 :
940 : /* try to access the file via the old handle */
941 :
942 0 : ZERO_STRUCT(qfinfo);
943 :
944 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
945 0 : qfinfo.query_secdesc.in.file.handle = _h1;
946 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
947 :
948 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
949 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
950 : "smb2_getinfo_file failed");
951 :
952 12 : done:
953 12 : if (dh1 != NULL) {
954 12 : smb2_util_close(tree, *dh1);
955 : }
956 12 : if (h1 != NULL) {
957 12 : smb2_util_close(tree, *h1);
958 : }
959 :
960 12 : smb2_deltree(tree, dname);
961 :
962 12 : talloc_free(tree);
963 :
964 12 : talloc_free(mem_ctx);
965 :
966 12 : return ret;
967 : }
968 :
969 : /**
970 : * do reauth with wrong credentials,
971 : * hence triggering the error path in reauth.
972 : * The invalid reauth deletes the session.
973 : */
974 12 : bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
975 : {
976 2 : NTSTATUS status;
977 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
978 2 : char fname[256];
979 2 : struct smb2_handle _h1;
980 12 : struct smb2_handle *h1 = NULL;
981 2 : struct smb2_create io1;
982 12 : bool ret = true;
983 2 : char *corrupted_password;
984 2 : struct cli_credentials *broken_creds;
985 2 : bool ok;
986 2 : bool encrypted;
987 2 : NTSTATUS expected;
988 2 : enum credentials_use_kerberos krb_state;
989 :
990 12 : krb_state = cli_credentials_get_kerberos_state(
991 : samba_cmdline_get_creds());
992 12 : if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
993 5 : torture_skip(tctx,
994 : "Can't test failing session setup with kerberos.");
995 : }
996 :
997 7 : encrypted = smb2cli_tcon_is_encryption_on(tree->smbXcli);
998 :
999 : /* Add some random component to the file name. */
1000 7 : snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
1001 : generate_random_str(tctx, 8));
1002 :
1003 7 : smb2_util_unlink(tree, fname);
1004 :
1005 7 : smb2_oplock_create_share(&io1, fname,
1006 : smb2_util_share_access(""),
1007 7 : smb2_util_oplock_level("b"));
1008 7 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1009 :
1010 7 : status = smb2_create(tree, mem_ctx, &io1);
1011 7 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1012 : "smb2_create failed");
1013 7 : _h1 = io1.out.file.handle;
1014 7 : h1 = &_h1;
1015 7 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1016 7 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1017 : smb2_util_oplock_level("b"),
1018 : "oplock_level incorrect");
1019 :
1020 : /*
1021 : * reauthentication with invalid credentials:
1022 : */
1023 :
1024 7 : broken_creds = cli_credentials_shallow_copy(mem_ctx,
1025 : samba_cmdline_get_creds());
1026 7 : torture_assert(tctx, (broken_creds != NULL), "talloc error");
1027 :
1028 7 : corrupted_password = talloc_asprintf(mem_ctx, "%s%s",
1029 : cli_credentials_get_password(broken_creds),
1030 : "corrupt");
1031 7 : torture_assert(tctx, (corrupted_password != NULL), "talloc error");
1032 :
1033 7 : ok = cli_credentials_set_password(broken_creds, corrupted_password,
1034 : CRED_SPECIFIED);
1035 7 : torture_assert(tctx, ok, "cli_credentials_set_password not ok");
1036 :
1037 7 : status = smb2_session_setup_spnego(tree->session,
1038 : broken_creds,
1039 : 0 /* previous_session_id */);
1040 7 : torture_assert_ntstatus_equal_goto(tctx, status,
1041 : NT_STATUS_LOGON_FAILURE, ret, done,
1042 : "smb2_session_setup_spnego "
1043 : "returned unexpected status");
1044 :
1045 7 : torture_comment(tctx, "did failed reauth\n");
1046 : /*
1047 : * now verify that the invalid session reauth has closed our session
1048 : */
1049 :
1050 7 : if (encrypted) {
1051 2 : expected = NT_STATUS_CONNECTION_DISCONNECTED;
1052 : } else {
1053 5 : expected = NT_STATUS_USER_SESSION_DELETED;
1054 : }
1055 :
1056 7 : smb2_oplock_create_share(&io1, fname,
1057 : smb2_util_share_access(""),
1058 7 : smb2_util_oplock_level("b"));
1059 :
1060 7 : status = smb2_create(tree, mem_ctx, &io1);
1061 7 : torture_assert_ntstatus_equal_goto(tctx, status, expected,
1062 : ret, done, "smb2_create "
1063 : "returned unexpected status");
1064 :
1065 7 : done:
1066 6 : if (h1 != NULL) {
1067 7 : smb2_util_close(tree, *h1);
1068 : }
1069 :
1070 7 : smb2_util_unlink(tree, fname);
1071 :
1072 7 : talloc_free(tree);
1073 :
1074 7 : talloc_free(mem_ctx);
1075 :
1076 7 : return ret;
1077 : }
1078 :
1079 :
1080 36 : static bool test_session_expire1i(struct torture_context *tctx,
1081 : bool force_signing,
1082 : bool force_encryption)
1083 : {
1084 6 : NTSTATUS status;
1085 36 : bool ret = false;
1086 6 : struct smbcli_options options;
1087 36 : const char *host = torture_setting_string(tctx, "host", NULL);
1088 36 : const char *share = torture_setting_string(tctx, "share", NULL);
1089 36 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1090 36 : struct smb2_tree *tree = NULL;
1091 6 : enum credentials_use_kerberos use_kerberos;
1092 6 : char fname[256];
1093 6 : struct smb2_handle _h1;
1094 36 : struct smb2_handle *h1 = NULL;
1095 6 : struct smb2_create io1;
1096 6 : union smb_fileinfo qfinfo;
1097 6 : size_t i;
1098 6 : struct timeval endtime;
1099 36 : bool ticket_expired = false;
1100 :
1101 36 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1102 36 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1103 21 : torture_warning(tctx,
1104 : "smb2.session.expire1 requires "
1105 : "--use-kerberos=required!");
1106 21 : torture_skip(tctx,
1107 : "smb2.session.expire1 requires "
1108 : "--use-kerberos=required!");
1109 : }
1110 :
1111 15 : torture_assert_int_equal(tctx,
1112 : use_kerberos,
1113 : CRED_USE_KERBEROS_REQUIRED,
1114 : "please use --use-kerberos=required");
1115 :
1116 15 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1117 :
1118 15 : lpcfg_set_option(
1119 : tctx->lp_ctx,
1120 : GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1121 :
1122 15 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1123 15 : if (force_signing) {
1124 10 : options.signing = SMB_SIGNING_REQUIRED;
1125 : }
1126 :
1127 15 : status = smb2_connect(tctx,
1128 : host,
1129 : lpcfg_smb_ports(tctx->lp_ctx),
1130 : share,
1131 : lpcfg_resolve_context(tctx->lp_ctx),
1132 : credentials,
1133 : &tree,
1134 : tctx->ev,
1135 : &options,
1136 : lpcfg_socket_options(tctx->lp_ctx),
1137 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1138 : );
1139 : /*
1140 : * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1141 : * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1142 : * few more milliseconds for this to kick in.
1143 : */
1144 15 : endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1145 15 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1146 : "smb2_connect failed");
1147 :
1148 15 : if (force_encryption) {
1149 5 : status = smb2cli_session_encryption_on(tree->session->smbXcli);
1150 5 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1151 : "smb2cli_session_encryption_on failed");
1152 : }
1153 :
1154 : /* Add some random component to the file name. */
1155 15 : snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1156 : generate_random_str(tctx, 8));
1157 :
1158 15 : smb2_util_unlink(tree, fname);
1159 :
1160 15 : smb2_oplock_create_share(&io1, fname,
1161 : smb2_util_share_access(""),
1162 15 : smb2_util_oplock_level("b"));
1163 15 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1164 :
1165 15 : status = smb2_create(tree, tctx, &io1);
1166 15 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1167 : "smb2_create failed");
1168 15 : _h1 = io1.out.file.handle;
1169 15 : h1 = &_h1;
1170 15 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1171 15 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1172 : smb2_util_oplock_level("b"),
1173 : "oplock_level incorrect");
1174 :
1175 : /* get the security descriptor */
1176 :
1177 15 : ZERO_STRUCT(qfinfo);
1178 :
1179 15 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1180 15 : qfinfo.access_information.in.file.handle = _h1;
1181 :
1182 45 : for (i=0; i < 2; i++) {
1183 30 : torture_comment(tctx, "%s: query info => OK\n",
1184 : current_timestring(tctx, true));
1185 :
1186 30 : ZERO_STRUCT(qfinfo.access_information.out);
1187 30 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1188 30 : torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1189 : current_timestring(tctx, true),
1190 : __location__, __func__,
1191 : nt_errstr(status));
1192 30 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1193 : "smb2_getinfo_file failed");
1194 :
1195 30 : sleep_remaining(tctx, &endtime);
1196 :
1197 30 : torture_comment(tctx, "%s: query info => EXPIRED\n",
1198 : current_timestring(tctx, true));
1199 30 : ZERO_STRUCT(qfinfo.access_information.out);
1200 30 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1201 30 : torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1202 : current_timestring(tctx, true),
1203 : __location__, __func__,
1204 : nt_errstr(status));
1205 30 : torture_assert_ntstatus_equal_goto(tctx, status,
1206 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1207 : ret, done, "smb2_getinfo_file "
1208 : "returned unexpected status");
1209 :
1210 : /*
1211 : * the krb5 library may not handle expired creds
1212 : * well, lets start with an empty ccache.
1213 : */
1214 30 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1215 :
1216 30 : if (!force_encryption) {
1217 20 : smb2cli_session_require_signed_response(
1218 20 : tree->session->smbXcli, true);
1219 : }
1220 :
1221 30 : torture_comment(tctx, "%s: reauth => OK\n",
1222 : current_timestring(tctx, true));
1223 30 : status = smb2_session_setup_spnego(tree->session,
1224 : credentials,
1225 : 0 /* previous_session_id */);
1226 : /*
1227 : * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1228 : * Give the server at least KRB5_TICKET_LIFETIME +
1229 : * KRB5_CLOCKSKEW + a few more milliseconds for this to kick in.
1230 : */
1231 30 : endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME,
1232 : 500 * 1000);
1233 30 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1234 : "smb2_session_setup_spnego failed");
1235 :
1236 30 : smb2cli_session_require_signed_response(
1237 30 : tree->session->smbXcli, false);
1238 : }
1239 :
1240 15 : ticket_expired = timeval_expired(&endtime);
1241 15 : if (ticket_expired) {
1242 0 : struct timeval current = timeval_current();
1243 0 : double remaining_secs = timeval_elapsed2(¤t, &endtime);
1244 0 : remaining_secs = remaining_secs < 0.0 ? remaining_secs * -1.0
1245 0 : : remaining_secs;
1246 0 : torture_warning(
1247 : tctx,
1248 : "The ticket already expired %.2f seconds ago. "
1249 : "You might want to increase KRB5_TICKET_LIFETIME.",
1250 : remaining_secs);
1251 : }
1252 15 : torture_assert(tctx,
1253 : ticket_expired == false,
1254 : "The kerberos ticket already expired");
1255 15 : ZERO_STRUCT(qfinfo.access_information.out);
1256 15 : torture_comment(tctx, "%s: %s:%s: before smb2_getinfo_file()\n",
1257 : current_timestring(tctx, true),
1258 : __location__, __func__);
1259 15 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1260 15 : torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1261 : current_timestring(tctx, true),
1262 : __location__, __func__,
1263 : nt_errstr(status));
1264 15 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1265 : "smb2_getinfo_file failed");
1266 :
1267 12 : ret = true;
1268 15 : done:
1269 15 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1270 :
1271 15 : if (h1 != NULL) {
1272 15 : smb2_util_close(tree, *h1);
1273 : }
1274 :
1275 15 : talloc_free(tree);
1276 15 : lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1277 15 : return ret;
1278 : }
1279 :
1280 12 : static bool test_session_expire1n(struct torture_context *tctx)
1281 : {
1282 12 : return test_session_expire1i(tctx,
1283 : false, /* force_signing */
1284 : false); /* force_encryption */
1285 : }
1286 :
1287 12 : static bool test_session_expire1s(struct torture_context *tctx)
1288 : {
1289 12 : return test_session_expire1i(tctx,
1290 : true, /* force_signing */
1291 : false); /* force_encryption */
1292 : }
1293 :
1294 12 : static bool test_session_expire1e(struct torture_context *tctx)
1295 : {
1296 12 : return test_session_expire1i(tctx,
1297 : true, /* force_signing */
1298 : true); /* force_encryption */
1299 : }
1300 :
1301 24 : static bool test_session_expire2i(struct torture_context *tctx,
1302 : bool force_encryption)
1303 : {
1304 4 : NTSTATUS status;
1305 24 : bool ret = false;
1306 4 : struct smbcli_options options;
1307 24 : const char *host = torture_setting_string(tctx, "host", NULL);
1308 24 : const char *share = torture_setting_string(tctx, "share", NULL);
1309 24 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1310 24 : struct smb2_tree *tree = NULL;
1311 24 : const char *unc = NULL;
1312 24 : struct smb2_tree *tree2 = NULL;
1313 24 : struct tevent_req *subreq = NULL;
1314 4 : uint32_t timeout_msec;
1315 4 : enum credentials_use_kerberos use_kerberos;
1316 4 : uint32_t caps;
1317 4 : char fname[256];
1318 4 : struct smb2_handle dh;
1319 4 : struct smb2_handle dh2;
1320 4 : struct smb2_handle _h1;
1321 24 : struct smb2_handle *h1 = NULL;
1322 4 : struct smb2_create io1;
1323 4 : union smb_fileinfo qfinfo;
1324 4 : union smb_setfileinfo sfinfo;
1325 4 : struct smb2_flush flsh;
1326 4 : struct smb2_read rd;
1327 24 : const uint8_t wd = 0;
1328 4 : struct smb2_lock lck;
1329 4 : struct smb2_lock_element el;
1330 4 : struct smb2_ioctl ctl;
1331 4 : struct smb2_break oack;
1332 4 : struct smb2_lease_break_ack lack;
1333 4 : struct smb2_find fnd;
1334 24 : union smb_search_data *d = NULL;
1335 4 : unsigned int count;
1336 24 : struct smb2_request *req = NULL;
1337 4 : struct smb2_notify ntf1;
1338 4 : struct smb2_notify ntf2;
1339 4 : struct timeval endtime;
1340 :
1341 24 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1342 24 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1343 14 : torture_warning(tctx,
1344 : "smb2.session.expire1 requires "
1345 : "--use-kerberos=required!");
1346 14 : torture_skip(tctx,
1347 : "smb2.session.expire1 requires "
1348 : "--use-kerberos=required!");
1349 : }
1350 :
1351 10 : torture_assert_int_equal(tctx,
1352 : use_kerberos,
1353 : CRED_USE_KERBEROS_REQUIRED,
1354 : "please use --use-kerberos=required");
1355 :
1356 10 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1357 :
1358 10 : lpcfg_set_option(
1359 : tctx->lp_ctx,
1360 : GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1361 :
1362 10 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1363 10 : options.signing = SMB_SIGNING_REQUIRED;
1364 :
1365 10 : unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
1366 10 : torture_assert(tctx, unc != NULL, "talloc_asprintf");
1367 :
1368 10 : status = smb2_connect(tctx,
1369 : host,
1370 : lpcfg_smb_ports(tctx->lp_ctx),
1371 : share,
1372 : lpcfg_resolve_context(tctx->lp_ctx),
1373 : credentials,
1374 : &tree,
1375 : tctx->ev,
1376 : &options,
1377 : lpcfg_socket_options(tctx->lp_ctx),
1378 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1379 : );
1380 : /*
1381 : * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1382 : * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1383 : * few more milliseconds for this to kick in.
1384 : */
1385 10 : endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1386 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1387 : "smb2_connect failed");
1388 :
1389 10 : if (force_encryption) {
1390 5 : status = smb2cli_session_encryption_on(tree->session->smbXcli);
1391 5 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1392 : "smb2cli_session_encryption_on failed");
1393 : }
1394 :
1395 10 : caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
1396 :
1397 : /* Add some random component to the file name. */
1398 10 : snprintf(fname, sizeof(fname), "session_expire2_%s.dat",
1399 : generate_random_str(tctx, 8));
1400 :
1401 10 : smb2_util_unlink(tree, fname);
1402 :
1403 10 : status = smb2_util_roothandle(tree, &dh);
1404 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1405 : "smb2_util_roothandle failed");
1406 :
1407 10 : smb2_oplock_create_share(&io1, fname,
1408 : smb2_util_share_access(""),
1409 10 : smb2_util_oplock_level("b"));
1410 10 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1411 :
1412 10 : status = smb2_create(tree, tctx, &io1);
1413 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1414 : "smb2_create failed");
1415 10 : _h1 = io1.out.file.handle;
1416 10 : h1 = &_h1;
1417 10 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1418 10 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1419 : smb2_util_oplock_level("b"),
1420 : "oplock_level incorrect");
1421 :
1422 : /* get the security descriptor */
1423 :
1424 10 : ZERO_STRUCT(qfinfo);
1425 :
1426 10 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1427 10 : qfinfo.access_information.in.file.handle = _h1;
1428 :
1429 10 : torture_comment(tctx, "query info => OK\n");
1430 :
1431 10 : ZERO_STRUCT(qfinfo.access_information.out);
1432 10 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1433 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1434 : "smb2_getinfo_file failed");
1435 :
1436 10 : torture_comment(tctx, "lock => OK\n");
1437 10 : ZERO_STRUCT(lck);
1438 10 : lck.in.locks = ⪙
1439 10 : lck.in.lock_count = 0x0001;
1440 10 : lck.in.lock_sequence = 0x00000000;
1441 10 : lck.in.file.handle = *h1;
1442 10 : ZERO_STRUCT(el);
1443 10 : el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1444 : SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1445 10 : el.offset = 0x0000000000000000;
1446 10 : el.length = 0x0000000000000001;
1447 10 : status = smb2_lock(tree, &lck);
1448 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1449 : "smb2_lock lock failed");
1450 :
1451 10 : torture_comment(tctx, "1st notify => PENDING\n");
1452 10 : ZERO_STRUCT(ntf1);
1453 10 : ntf1.in.file.handle = dh;
1454 10 : ntf1.in.recursive = 0x0000;
1455 10 : ntf1.in.buffer_size = 128;
1456 10 : ntf1.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1457 10 : ntf1.in.unknown = 0x00000000;
1458 10 : req = smb2_notify_send(tree, &ntf1);
1459 :
1460 50 : while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) {
1461 40 : if (tevent_loop_once(tctx->ev) != 0) {
1462 0 : break;
1463 : }
1464 : }
1465 :
1466 10 : torture_assert_goto(tctx, req->state <= SMB2_REQUEST_RECV, ret, done,
1467 : "smb2_notify finished");
1468 :
1469 10 : sleep_remaining(tctx, &endtime);
1470 :
1471 10 : torture_comment(tctx, "query info => EXPIRED\n");
1472 10 : ZERO_STRUCT(qfinfo.access_information.out);
1473 10 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1474 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1475 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1476 : ret, done, "smb2_getinfo_file "
1477 : "returned unexpected status");
1478 :
1479 :
1480 10 : torture_comment(tctx, "set info => EXPIRED\n");
1481 10 : ZERO_STRUCT(sfinfo);
1482 10 : sfinfo.end_of_file_info.level = RAW_SFILEINFO_END_OF_FILE_INFORMATION;
1483 10 : sfinfo.end_of_file_info.in.file.handle = *h1;
1484 10 : sfinfo.end_of_file_info.in.size = 1;
1485 10 : status = smb2_setinfo_file(tree, &sfinfo);
1486 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1487 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1488 : ret, done, "smb2_setinfo_file "
1489 : "returned unexpected status");
1490 :
1491 10 : torture_comment(tctx, "flush => EXPIRED\n");
1492 10 : ZERO_STRUCT(flsh);
1493 10 : flsh.in.file.handle = *h1;
1494 10 : status = smb2_flush(tree, &flsh);
1495 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1496 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1497 : ret, done, "smb2_flush "
1498 : "returned unexpected status");
1499 :
1500 10 : torture_comment(tctx, "read => EXPIRED\n");
1501 10 : ZERO_STRUCT(rd);
1502 10 : rd.in.file.handle = *h1;
1503 10 : rd.in.length = 5;
1504 10 : rd.in.offset = 0;
1505 10 : status = smb2_read(tree, tctx, &rd);
1506 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1507 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1508 : ret, done, "smb2_read "
1509 : "returned unexpected status");
1510 :
1511 10 : torture_comment(tctx, "write => EXPIRED\n");
1512 10 : status = smb2_util_write(tree, *h1, &wd, 0, 1);
1513 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1514 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1515 : ret, done, "smb2_util_write "
1516 : "returned unexpected status");
1517 :
1518 10 : torture_comment(tctx, "ioctl => EXPIRED\n");
1519 10 : ZERO_STRUCT(ctl);
1520 10 : ctl.in.file.handle = *h1;
1521 10 : ctl.in.function = FSCTL_SRV_ENUM_SNAPS;
1522 10 : ctl.in.max_output_response = 16;
1523 10 : ctl.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL;
1524 10 : status = smb2_ioctl(tree, tctx, &ctl);
1525 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1526 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1527 : ret, done, "smb2_ioctl "
1528 : "returned unexpected status");
1529 :
1530 10 : torture_comment(tctx, "oplock ack => EXPIRED\n");
1531 10 : ZERO_STRUCT(oack);
1532 10 : oack.in.file.handle = *h1;
1533 10 : status = smb2_break(tree, &oack);
1534 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1535 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1536 : ret, done, "smb2_break "
1537 : "returned unexpected status");
1538 :
1539 10 : if (caps & SMB2_CAP_LEASING) {
1540 4 : torture_comment(tctx, "lease ack => EXPIRED\n");
1541 4 : ZERO_STRUCT(lack);
1542 4 : lack.in.lease.lease_version = 1;
1543 4 : lack.in.lease.lease_key.data[0] = 1;
1544 4 : lack.in.lease.lease_key.data[1] = 2;
1545 4 : status = smb2_lease_break_ack(tree, &lack);
1546 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1547 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1548 : ret, done, "smb2_break "
1549 : "returned unexpected status");
1550 : }
1551 :
1552 10 : torture_comment(tctx, "query directory => EXPIRED\n");
1553 10 : ZERO_STRUCT(fnd);
1554 10 : fnd.in.file.handle = dh;
1555 10 : fnd.in.pattern = "*";
1556 10 : fnd.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE;
1557 10 : fnd.in.max_response_size= 0x100;
1558 10 : fnd.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO;
1559 10 : status = smb2_find_level(tree, tree, &fnd, &count, &d);
1560 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1561 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1562 : ret, done, "smb2_find_level "
1563 : "returned unexpected status");
1564 :
1565 10 : torture_comment(tctx, "1st notify => CANCEL\n");
1566 10 : smb2_cancel(req);
1567 :
1568 10 : torture_comment(tctx, "2nd notify => EXPIRED\n");
1569 10 : ZERO_STRUCT(ntf2);
1570 10 : ntf2.in.file.handle = dh;
1571 10 : ntf2.in.recursive = 0x0000;
1572 10 : ntf2.in.buffer_size = 128;
1573 10 : ntf2.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1574 10 : ntf2.in.unknown = 0x00000000;
1575 10 : status = smb2_notify(tree, tctx, &ntf2);
1576 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1577 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1578 : ret, done, "smb2_notify "
1579 : "returned unexpected status");
1580 :
1581 10 : torture_assert_goto(tctx, req->state > SMB2_REQUEST_RECV, ret, done,
1582 : "smb2_notify (1st) not finished");
1583 :
1584 10 : status = smb2_notify_recv(req, tctx, &ntf1);
1585 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1586 : NT_STATUS_CANCELLED,
1587 : ret, done, "smb2_notify cancelled"
1588 : "returned unexpected status");
1589 :
1590 10 : torture_comment(tctx, "tcon => EXPIRED\n");
1591 10 : tree2 = smb2_tree_init(tree->session, tctx, false);
1592 10 : torture_assert(tctx, tree2 != NULL, "smb2_tree_init");
1593 10 : timeout_msec = tree->session->transport->options.request_timeout * 1000;
1594 12 : subreq = smb2cli_tcon_send(tree2, tctx->ev,
1595 10 : tree2->session->transport->conn,
1596 : timeout_msec,
1597 10 : tree2->session->smbXcli,
1598 : tree2->smbXcli,
1599 : 0, /* flags */
1600 : unc);
1601 10 : torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
1602 10 : torture_assert(tctx,
1603 : tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
1604 : "tevent_req_poll_ntstatus");
1605 10 : status = smb2cli_tcon_recv(subreq);
1606 10 : TALLOC_FREE(subreq);
1607 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1608 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1609 : ret, done, "smb2cli_tcon"
1610 : "returned unexpected status");
1611 :
1612 10 : torture_comment(tctx, "create => EXPIRED\n");
1613 10 : status = smb2_util_roothandle(tree, &dh2);
1614 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1615 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1616 : ret, done, "smb2_util_roothandle"
1617 : "returned unexpected status");
1618 :
1619 10 : torture_comment(tctx, "tdis => EXPIRED\n");
1620 10 : status = smb2_tdis(tree);
1621 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1622 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1623 : ret, done, "smb2cli_tdis"
1624 : "returned unexpected status");
1625 :
1626 : /*
1627 : * (Un)Lock, Close and Logoff are still possible
1628 : */
1629 :
1630 10 : torture_comment(tctx, "1st unlock => OK\n");
1631 10 : el.flags = SMB2_LOCK_FLAG_UNLOCK;
1632 10 : status = smb2_lock(tree, &lck);
1633 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1634 : "smb2_lock unlock failed");
1635 :
1636 10 : torture_comment(tctx, "2nd unlock => RANGE_NOT_LOCKED\n");
1637 10 : status = smb2_lock(tree, &lck);
1638 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1639 : NT_STATUS_RANGE_NOT_LOCKED,
1640 : ret, done, "smb2_lock 2nd unlock"
1641 : "returned unexpected status");
1642 :
1643 10 : torture_comment(tctx, "lock => EXPIRED\n");
1644 10 : el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1645 : SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1646 10 : status = smb2_lock(tree, &lck);
1647 10 : torture_assert_ntstatus_equal_goto(tctx, status,
1648 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1649 : ret, done, "smb2_util_roothandle"
1650 : "returned unexpected status");
1651 :
1652 10 : torture_comment(tctx, "close => OK\n");
1653 10 : status = smb2_util_close(tree, *h1);
1654 10 : h1 = NULL;
1655 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1656 : "smb2_close failed");
1657 :
1658 10 : torture_comment(tctx, "echo without session => OK\n");
1659 10 : status = smb2_keepalive(tree->session->transport);
1660 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1661 : "smb2_keepalive without session failed");
1662 :
1663 10 : torture_comment(tctx, "echo with session => OK\n");
1664 10 : req = smb2_keepalive_send(tree->session->transport, tree->session);
1665 10 : status = smb2_keepalive_recv(req);
1666 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1667 : "smb2_keepalive with session failed");
1668 :
1669 10 : torture_comment(tctx, "logoff => OK\n");
1670 10 : status = smb2_logoff(tree->session);
1671 10 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1672 : "smb2_logoff failed");
1673 :
1674 8 : ret = true;
1675 10 : done:
1676 10 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1677 :
1678 10 : if (h1 != NULL) {
1679 0 : smb2_util_close(tree, *h1);
1680 : }
1681 :
1682 10 : talloc_free(tree);
1683 10 : lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1684 10 : return ret;
1685 : }
1686 :
1687 12 : static bool test_session_expire2s(struct torture_context *tctx)
1688 : {
1689 12 : return test_session_expire2i(tctx,
1690 : false); /* force_encryption */
1691 : }
1692 :
1693 12 : static bool test_session_expire2e(struct torture_context *tctx)
1694 : {
1695 12 : return test_session_expire2i(tctx,
1696 : true); /* force_encryption */
1697 : }
1698 :
1699 12 : static bool test_session_expire_disconnect(struct torture_context *tctx)
1700 : {
1701 2 : NTSTATUS status;
1702 12 : bool ret = false;
1703 2 : struct smbcli_options options;
1704 12 : const char *host = torture_setting_string(tctx, "host", NULL);
1705 12 : const char *share = torture_setting_string(tctx, "share", NULL);
1706 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1707 12 : struct smb2_tree *tree = NULL;
1708 2 : enum credentials_use_kerberos use_kerberos;
1709 2 : char fname[256];
1710 2 : struct smb2_handle _h1;
1711 12 : struct smb2_handle *h1 = NULL;
1712 2 : struct smb2_create io1;
1713 2 : union smb_fileinfo qfinfo;
1714 2 : bool connected;
1715 2 : struct timeval endtime;
1716 :
1717 12 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1718 12 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1719 7 : torture_warning(tctx,
1720 : "smb2.session.expire1 requires "
1721 : "--use-kerberos=required!");
1722 7 : torture_skip(tctx,
1723 : "smb2.session.expire1 requires "
1724 : "--use-kerberos=required!");
1725 : }
1726 :
1727 5 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1728 :
1729 5 : lpcfg_set_option(
1730 : tctx->lp_ctx,
1731 : GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1732 5 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1733 5 : options.signing = SMB_SIGNING_REQUIRED;
1734 :
1735 5 : status = smb2_connect(tctx,
1736 : host,
1737 : lpcfg_smb_ports(tctx->lp_ctx),
1738 : share,
1739 : lpcfg_resolve_context(tctx->lp_ctx),
1740 : credentials,
1741 : &tree,
1742 : tctx->ev,
1743 : &options,
1744 : lpcfg_socket_options(tctx->lp_ctx),
1745 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1746 : );
1747 : /*
1748 : * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1749 : * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1750 : * few more milliseconds for this to kick in.
1751 : */
1752 5 : endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1753 5 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1754 : "smb2_connect failed");
1755 :
1756 5 : smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
1757 :
1758 : /* Add some random component to the file name. */
1759 5 : snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1760 : generate_random_str(tctx, 8));
1761 :
1762 5 : smb2_util_unlink(tree, fname);
1763 :
1764 5 : smb2_oplock_create_share(&io1, fname,
1765 : smb2_util_share_access(""),
1766 5 : smb2_util_oplock_level("b"));
1767 5 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1768 :
1769 5 : status = smb2_create(tree, tctx, &io1);
1770 5 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1771 : "smb2_create failed");
1772 5 : _h1 = io1.out.file.handle;
1773 5 : h1 = &_h1;
1774 5 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1775 5 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1776 : smb2_util_oplock_level("b"),
1777 : "oplock_level incorrect");
1778 :
1779 : /* get the security descriptor */
1780 :
1781 5 : ZERO_STRUCT(qfinfo);
1782 :
1783 5 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1784 5 : qfinfo.access_information.in.file.handle = _h1;
1785 :
1786 5 : torture_comment(tctx, "query info => OK\n");
1787 :
1788 5 : ZERO_STRUCT(qfinfo.access_information.out);
1789 5 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1790 5 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1791 : "smb2_getinfo_file failed");
1792 :
1793 5 : sleep_remaining(tctx, &endtime);
1794 :
1795 5 : torture_comment(tctx, "query info => EXPIRED\n");
1796 5 : ZERO_STRUCT(qfinfo.access_information.out);
1797 5 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1798 5 : torture_assert_ntstatus_equal_goto(tctx, status,
1799 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1800 : ret, done, "smb2_getinfo_file "
1801 : "returned unexpected status");
1802 :
1803 5 : connected = smbXcli_conn_is_connected(tree->session->transport->conn);
1804 5 : torture_assert_goto(tctx, !connected, ret, done, "connected\n");
1805 :
1806 4 : ret = true;
1807 5 : done:
1808 5 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1809 :
1810 5 : if (h1 != NULL) {
1811 5 : smb2_util_close(tree, *h1);
1812 : }
1813 :
1814 5 : talloc_free(tree);
1815 5 : lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1816 5 : return ret;
1817 : }
1818 :
1819 12 : bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
1820 : {
1821 12 : const char *host = torture_setting_string(tctx, "host", NULL);
1822 12 : const char *share = torture_setting_string(tctx, "share", NULL);
1823 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1824 2 : NTSTATUS status;
1825 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
1826 2 : char fname[256];
1827 2 : struct smb2_handle _h1;
1828 12 : struct smb2_handle *h1 = NULL;
1829 2 : struct smb2_create io1;
1830 2 : union smb_fileinfo qfinfo;
1831 12 : bool ret = false;
1832 12 : struct smb2_tree *tree2 = NULL;
1833 12 : struct smb2_transport *transport1 = tree1->session->transport;
1834 2 : struct smbcli_options options2;
1835 12 : struct smb2_transport *transport2 = NULL;
1836 12 : struct smb2_session *session1_1 = tree1->session;
1837 12 : struct smb2_session *session1_2 = NULL;
1838 12 : struct smb2_session *session2_1 = NULL;
1839 12 : struct smb2_session *session2_2 = NULL;
1840 2 : uint32_t caps;
1841 :
1842 12 : caps = smb2cli_conn_server_capabilities(transport1->conn);
1843 12 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
1844 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
1845 : }
1846 :
1847 : /*
1848 : * We always want signing for this test!
1849 : */
1850 12 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
1851 12 : options2 = transport1->options;
1852 12 : options2.signing = SMB_SIGNING_REQUIRED;
1853 :
1854 : /* Add some random component to the file name. */
1855 12 : snprintf(fname, sizeof(fname), "session_bind1_%s.dat",
1856 : generate_random_str(tctx, 8));
1857 :
1858 12 : smb2_util_unlink(tree1, fname);
1859 :
1860 12 : smb2_oplock_create_share(&io1, fname,
1861 : smb2_util_share_access(""),
1862 12 : smb2_util_oplock_level("b"));
1863 :
1864 12 : status = smb2_create(tree1, mem_ctx, &io1);
1865 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1866 : "smb2_create failed");
1867 12 : _h1 = io1.out.file.handle;
1868 12 : h1 = &_h1;
1869 12 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1870 12 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1871 : smb2_util_oplock_level("b"),
1872 : "oplock_level incorrect");
1873 :
1874 12 : status = smb2_connect(tctx,
1875 : host,
1876 : lpcfg_smb_ports(tctx->lp_ctx),
1877 : share,
1878 : lpcfg_resolve_context(tctx->lp_ctx),
1879 : credentials,
1880 : &tree2,
1881 : tctx->ev,
1882 : &options2,
1883 : lpcfg_socket_options(tctx->lp_ctx),
1884 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1885 : );
1886 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1887 : "smb2_connect failed");
1888 12 : session2_2 = tree2->session;
1889 12 : transport2 = tree2->session->transport;
1890 :
1891 : /*
1892 : * Now bind the 2nd transport connection to the 1st session
1893 : */
1894 12 : session1_2 = smb2_session_channel(transport2,
1895 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1896 : tree2,
1897 : session1_1);
1898 12 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
1899 :
1900 12 : status = smb2_session_setup_spnego(session1_2,
1901 : samba_cmdline_get_creds(),
1902 : 0 /* previous_session_id */);
1903 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1904 : "smb2_session_setup_spnego failed");
1905 :
1906 : /* use the 1st connection, 1st session */
1907 12 : ZERO_STRUCT(qfinfo);
1908 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1909 12 : qfinfo.generic.in.file.handle = _h1;
1910 12 : tree1->session = session1_1;
1911 12 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1912 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1913 : "smb2_getinfo_file failed");
1914 :
1915 : /* use the 2nd connection, 1st session */
1916 12 : ZERO_STRUCT(qfinfo);
1917 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1918 12 : qfinfo.generic.in.file.handle = _h1;
1919 12 : tree1->session = session1_2;
1920 12 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1921 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1922 : "smb2_getinfo_file failed");
1923 :
1924 12 : tree1->session = session1_1;
1925 12 : status = smb2_util_close(tree1, *h1);
1926 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1927 : "smb2_util_close failed");
1928 12 : h1 = NULL;
1929 :
1930 : /*
1931 : * Now bind the 1st transport connection to the 2nd session
1932 : */
1933 12 : session2_1 = smb2_session_channel(transport1,
1934 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1935 : tree1,
1936 : session2_2);
1937 12 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
1938 :
1939 12 : status = smb2_session_setup_spnego(session2_1,
1940 : samba_cmdline_get_creds(),
1941 : 0 /* previous_session_id */);
1942 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1943 : "smb2_session_setup_spnego failed");
1944 :
1945 12 : tree2->session = session2_1;
1946 12 : status = smb2_util_unlink(tree2, fname);
1947 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1948 : "smb2_util_unlink failed");
1949 10 : ret = true;
1950 12 : done:
1951 12 : talloc_free(tree2);
1952 12 : tree1->session = session1_1;
1953 :
1954 12 : if (h1 != NULL) {
1955 0 : smb2_util_close(tree1, *h1);
1956 : }
1957 :
1958 12 : smb2_util_unlink(tree1, fname);
1959 :
1960 12 : talloc_free(tree1);
1961 :
1962 12 : talloc_free(mem_ctx);
1963 :
1964 12 : return ret;
1965 : }
1966 :
1967 12 : static bool test_session_bind2(struct torture_context *tctx, struct smb2_tree *tree1)
1968 : {
1969 12 : const char *host = torture_setting_string(tctx, "host", NULL);
1970 12 : const char *share = torture_setting_string(tctx, "share", NULL);
1971 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1972 2 : NTSTATUS status;
1973 12 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
1974 2 : char fname1[256];
1975 2 : char fname2[256];
1976 2 : struct smb2_handle _h1f1;
1977 12 : struct smb2_handle *h1f1 = NULL;
1978 2 : struct smb2_handle _h1f2;
1979 12 : struct smb2_handle *h1f2 = NULL;
1980 2 : struct smb2_handle _h2f2;
1981 12 : struct smb2_handle *h2f2 = NULL;
1982 2 : struct smb2_create io1f1;
1983 2 : struct smb2_create io1f2;
1984 2 : struct smb2_create io2f1;
1985 2 : struct smb2_create io2f2;
1986 2 : union smb_fileinfo qfinfo;
1987 12 : bool ret = false;
1988 12 : struct smb2_transport *transport1 = tree1->session->transport;
1989 2 : struct smbcli_options options2;
1990 12 : struct smb2_tree *tree2 = NULL;
1991 12 : struct smb2_transport *transport2 = NULL;
1992 2 : struct smbcli_options options3;
1993 12 : struct smb2_tree *tree3 = NULL;
1994 12 : struct smb2_transport *transport3 = NULL;
1995 12 : struct smb2_session *session1_1 = tree1->session;
1996 12 : struct smb2_session *session1_2 = NULL;
1997 12 : struct smb2_session *session1_3 = NULL;
1998 12 : struct smb2_session *session2_1 = NULL;
1999 12 : struct smb2_session *session2_2 = NULL;
2000 12 : struct smb2_session *session2_3 = NULL;
2001 2 : uint32_t caps;
2002 :
2003 12 : caps = smb2cli_conn_server_capabilities(transport1->conn);
2004 12 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
2005 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
2006 : }
2007 :
2008 : /*
2009 : * We always want signing for this test!
2010 : */
2011 12 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
2012 12 : options2 = transport1->options;
2013 12 : options2.signing = SMB_SIGNING_REQUIRED;
2014 :
2015 : /* Add some random component to the file name. */
2016 12 : snprintf(fname1, sizeof(fname1), "session_bind2_1_%s.dat",
2017 : generate_random_str(tctx, 8));
2018 12 : snprintf(fname2, sizeof(fname2), "session_bind2_2_%s.dat",
2019 : generate_random_str(tctx, 8));
2020 :
2021 12 : smb2_util_unlink(tree1, fname1);
2022 12 : smb2_util_unlink(tree1, fname2);
2023 :
2024 12 : smb2_oplock_create_share(&io1f1, fname1,
2025 : smb2_util_share_access(""),
2026 12 : smb2_util_oplock_level(""));
2027 12 : smb2_oplock_create_share(&io1f2, fname2,
2028 : smb2_util_share_access(""),
2029 12 : smb2_util_oplock_level(""));
2030 :
2031 12 : status = smb2_create(tree1, mem_ctx, &io1f1);
2032 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2033 : "smb2_create failed");
2034 12 : _h1f1 = io1f1.out.file.handle;
2035 12 : h1f1 = &_h1f1;
2036 12 : CHECK_CREATED(tctx, &io1f1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2037 12 : torture_assert_int_equal(tctx, io1f1.out.oplock_level,
2038 : smb2_util_oplock_level(""),
2039 : "oplock_level incorrect");
2040 :
2041 12 : status = smb2_connect(tctx,
2042 : host,
2043 : lpcfg_smb_ports(tctx->lp_ctx),
2044 : share,
2045 : lpcfg_resolve_context(tctx->lp_ctx),
2046 : credentials,
2047 : &tree2,
2048 : tctx->ev,
2049 : &options2,
2050 : lpcfg_socket_options(tctx->lp_ctx),
2051 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2052 : );
2053 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2054 : "smb2_connect failed");
2055 12 : session2_2 = tree2->session;
2056 12 : transport2 = tree2->session->transport;
2057 12 : smb2cli_tcon_should_sign(tree2->smbXcli, true);
2058 :
2059 12 : smb2_oplock_create_share(&io2f1, fname1,
2060 : smb2_util_share_access(""),
2061 12 : smb2_util_oplock_level(""));
2062 12 : smb2_oplock_create_share(&io2f2, fname2,
2063 : smb2_util_share_access(""),
2064 12 : smb2_util_oplock_level(""));
2065 :
2066 12 : status = smb2_create(tree2, mem_ctx, &io2f2);
2067 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2068 : "smb2_create failed");
2069 12 : _h2f2 = io2f2.out.file.handle;
2070 12 : h2f2 = &_h2f2;
2071 12 : CHECK_CREATED(tctx, &io2f2, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2072 12 : torture_assert_int_equal(tctx, io2f2.out.oplock_level,
2073 : smb2_util_oplock_level(""),
2074 : "oplock_level incorrect");
2075 :
2076 12 : options3 = transport1->options;
2077 12 : options3.signing = SMB_SIGNING_REQUIRED;
2078 12 : options3.only_negprot = true;
2079 :
2080 12 : status = smb2_connect(tctx,
2081 : host,
2082 : lpcfg_smb_ports(tctx->lp_ctx),
2083 : share,
2084 : lpcfg_resolve_context(tctx->lp_ctx),
2085 : credentials,
2086 : &tree3,
2087 : tctx->ev,
2088 : &options3,
2089 : lpcfg_socket_options(tctx->lp_ctx),
2090 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2091 : );
2092 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2093 : "smb2_connect failed");
2094 12 : transport3 = tree3->session->transport;
2095 :
2096 : /*
2097 : * Create a fake session for the 2nd transport connection to the 1st session
2098 : */
2099 12 : session1_2 = smb2_session_channel(transport2,
2100 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2101 : tree1,
2102 : session1_1);
2103 12 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2104 :
2105 : /*
2106 : * Now bind the 3rd transport connection to the 1st session
2107 : */
2108 12 : session1_3 = smb2_session_channel(transport3,
2109 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2110 : tree1,
2111 : session1_1);
2112 12 : torture_assert(tctx, session1_3 != NULL, "smb2_session_channel failed");
2113 :
2114 12 : status = smb2_session_setup_spnego(session1_3,
2115 : credentials,
2116 : 0 /* previous_session_id */);
2117 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2118 : "smb2_session_setup_spnego failed");
2119 :
2120 : /*
2121 : * Create a fake session for the 1st transport connection to the 2nd session
2122 : */
2123 12 : session2_1 = smb2_session_channel(transport1,
2124 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2125 : tree2,
2126 : session2_2);
2127 12 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2128 :
2129 : /*
2130 : * Now bind the 3rd transport connection to the 2nd session
2131 : */
2132 12 : session2_3 = smb2_session_channel(transport3,
2133 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2134 : tree2,
2135 : session2_2);
2136 12 : torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
2137 :
2138 12 : status = smb2_session_setup_spnego(session2_3,
2139 : credentials,
2140 : 0 /* previous_session_id */);
2141 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2142 : "smb2_session_setup_spnego failed");
2143 :
2144 12 : ZERO_STRUCT(qfinfo);
2145 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2146 12 : qfinfo.generic.in.file.handle = _h1f1;
2147 12 : tree1->session = session1_1;
2148 12 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2149 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2150 : "smb2_getinfo_file failed");
2151 12 : tree1->session = session1_2;
2152 12 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2153 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2154 : "smb2_getinfo_file failed");
2155 12 : tree1->session = session1_3;
2156 12 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2157 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2158 : "smb2_getinfo_file failed");
2159 :
2160 12 : ZERO_STRUCT(qfinfo);
2161 12 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2162 12 : qfinfo.generic.in.file.handle = _h2f2;
2163 12 : tree2->session = session2_1;
2164 12 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2165 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2166 : "smb2_getinfo_file failed");
2167 12 : tree2->session = session2_2;
2168 12 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2169 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2170 : "smb2_getinfo_file failed");
2171 12 : tree2->session = session2_3;
2172 12 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2173 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2174 : "smb2_getinfo_file failed");
2175 :
2176 12 : tree1->session = session1_1;
2177 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2178 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2179 : "smb2_create failed");
2180 12 : tree1->session = session1_2;
2181 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2182 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2183 : "smb2_create failed");
2184 12 : tree1->session = session1_3;
2185 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2186 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2187 : "smb2_create failed");
2188 :
2189 12 : tree2->session = session2_1;
2190 12 : status = smb2_create(tree2, mem_ctx, &io2f1);
2191 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2192 : "smb2_create failed");
2193 12 : tree2->session = session2_2;
2194 12 : status = smb2_create(tree2, mem_ctx, &io2f1);
2195 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2196 : "smb2_create failed");
2197 12 : tree2->session = session2_3;
2198 12 : status = smb2_create(tree2, mem_ctx, &io2f1);
2199 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2200 : "smb2_create failed");
2201 :
2202 12 : smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2203 12 : smb_msleep(500);
2204 :
2205 12 : tree1->session = session1_1;
2206 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2207 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2208 : "smb2_create failed");
2209 12 : tree1->session = session1_2;
2210 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2211 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2212 : "smb2_create failed");
2213 :
2214 12 : tree2->session = session2_1;
2215 12 : status = smb2_create(tree2, mem_ctx, &io2f1);
2216 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2217 : "smb2_create failed");
2218 12 : tree2->session = session2_2;
2219 12 : status = smb2_create(tree2, mem_ctx, &io2f1);
2220 12 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2221 : "smb2_create failed");
2222 :
2223 12 : smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2224 12 : smb_msleep(500);
2225 12 : h2f2 = NULL;
2226 :
2227 12 : tree1->session = session1_1;
2228 12 : status = smb2_create(tree1, mem_ctx, &io1f2);
2229 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2230 : "smb2_create failed");
2231 12 : _h1f2 = io1f2.out.file.handle;
2232 12 : h1f2 = &_h1f2;
2233 12 : CHECK_CREATED(tctx, &io1f2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
2234 12 : torture_assert_int_equal(tctx, io1f2.out.oplock_level,
2235 : smb2_util_oplock_level(""),
2236 : "oplock_level incorrect");
2237 :
2238 12 : tree1->session = session1_1;
2239 12 : status = smb2_util_close(tree1, *h1f1);
2240 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2241 : "smb2_util_close failed");
2242 10 : h1f1 = NULL;
2243 :
2244 10 : ret = true;
2245 12 : done:
2246 :
2247 12 : smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2248 12 : smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2249 :
2250 12 : tree1->session = session1_1;
2251 12 : tree2->session = session2_2;
2252 :
2253 12 : if (h1f1 != NULL) {
2254 0 : smb2_util_close(tree1, *h1f1);
2255 : }
2256 12 : if (h1f2 != NULL) {
2257 12 : smb2_util_close(tree1, *h1f2);
2258 : }
2259 12 : if (h2f2 != NULL) {
2260 0 : smb2_util_close(tree2, *h2f2);
2261 : }
2262 :
2263 12 : smb2_util_unlink(tree1, fname1);
2264 12 : smb2_util_unlink(tree1, fname2);
2265 :
2266 12 : talloc_free(tree1);
2267 :
2268 12 : talloc_free(mem_ctx);
2269 :
2270 12 : return ret;
2271 : }
2272 :
2273 18 : static bool test_session_bind_auth_mismatch(struct torture_context *tctx,
2274 : struct smb2_tree *tree1,
2275 : const char *testname,
2276 : struct cli_credentials *creds1,
2277 : struct cli_credentials *creds2,
2278 : bool creds2_require_ok)
2279 : {
2280 18 : const char *host = torture_setting_string(tctx, "host", NULL);
2281 18 : const char *share = torture_setting_string(tctx, "share", NULL);
2282 4 : NTSTATUS status;
2283 18 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
2284 4 : char fname[256];
2285 4 : struct smb2_handle _h1;
2286 18 : struct smb2_handle *h1 = NULL;
2287 4 : struct smb2_create io1;
2288 4 : union smb_fileinfo qfinfo;
2289 18 : bool ret = false;
2290 18 : struct smb2_tree *tree2 = NULL;
2291 18 : struct smb2_transport *transport1 = tree1->session->transport;
2292 4 : struct smbcli_options options2;
2293 18 : struct smb2_transport *transport2 = NULL;
2294 18 : struct smb2_session *session1_1 = tree1->session;
2295 18 : struct smb2_session *session1_2 = NULL;
2296 18 : struct smb2_session *session2_1 = NULL;
2297 18 : struct smb2_session *session2_2 = NULL;
2298 18 : struct smb2_session *session3_1 = NULL;
2299 4 : uint32_t caps;
2300 4 : bool encrypted;
2301 18 : bool creds2_got_ok = false;
2302 :
2303 18 : encrypted = smb2cli_tcon_is_encryption_on(tree1->smbXcli);
2304 :
2305 18 : caps = smb2cli_conn_server_capabilities(transport1->conn);
2306 18 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
2307 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
2308 : }
2309 :
2310 : /*
2311 : * We always want signing for this test!
2312 : */
2313 18 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
2314 18 : options2 = transport1->options;
2315 18 : options2.signing = SMB_SIGNING_REQUIRED;
2316 :
2317 : /* Add some random component to the file name. */
2318 18 : snprintf(fname, sizeof(fname), "%s_%s.dat", testname,
2319 : generate_random_str(tctx, 8));
2320 :
2321 18 : smb2_util_unlink(tree1, fname);
2322 :
2323 18 : smb2_oplock_create_share(&io1, fname,
2324 : smb2_util_share_access(""),
2325 18 : smb2_util_oplock_level("b"));
2326 :
2327 18 : status = smb2_create(tree1, mem_ctx, &io1);
2328 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2329 : "smb2_create failed");
2330 18 : _h1 = io1.out.file.handle;
2331 18 : h1 = &_h1;
2332 18 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2333 18 : torture_assert_int_equal(tctx, io1.out.oplock_level,
2334 : smb2_util_oplock_level("b"),
2335 : "oplock_level incorrect");
2336 :
2337 18 : status = smb2_connect(tctx,
2338 : host,
2339 : lpcfg_smb_ports(tctx->lp_ctx),
2340 : share,
2341 : lpcfg_resolve_context(tctx->lp_ctx),
2342 : creds1,
2343 : &tree2,
2344 : tctx->ev,
2345 : &options2,
2346 : lpcfg_socket_options(tctx->lp_ctx),
2347 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2348 : );
2349 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2350 : "smb2_connect failed");
2351 18 : session2_2 = tree2->session;
2352 18 : transport2 = tree2->session->transport;
2353 :
2354 : /*
2355 : * Now bind the 2nd transport connection to the 1st session
2356 : */
2357 18 : session1_2 = smb2_session_channel(transport2,
2358 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2359 : tree2,
2360 : session1_1);
2361 18 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2362 :
2363 18 : status = smb2_session_setup_spnego(session1_2,
2364 : creds1,
2365 : 0 /* previous_session_id */);
2366 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2367 : "smb2_session_setup_spnego failed");
2368 :
2369 : /* use the 1st connection, 1st session */
2370 18 : ZERO_STRUCT(qfinfo);
2371 18 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2372 18 : qfinfo.generic.in.file.handle = _h1;
2373 18 : tree1->session = session1_1;
2374 18 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2375 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2376 : "smb2_getinfo_file failed");
2377 :
2378 : /* use the 2nd connection, 1st session */
2379 18 : ZERO_STRUCT(qfinfo);
2380 18 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2381 18 : qfinfo.generic.in.file.handle = _h1;
2382 18 : tree1->session = session1_2;
2383 18 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2384 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2385 : "smb2_getinfo_file failed");
2386 :
2387 18 : tree1->session = session1_1;
2388 18 : status = smb2_util_close(tree1, *h1);
2389 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2390 : "smb2_util_close failed");
2391 18 : h1 = NULL;
2392 :
2393 : /*
2394 : * Create a 3rd session in order to check if the invalid (creds2)
2395 : * are mapped to guest.
2396 : */
2397 18 : session3_1 = smb2_session_init(transport1,
2398 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2399 : tctx);
2400 18 : torture_assert(tctx, session3_1 != NULL, "smb2_session_channel failed");
2401 :
2402 18 : status = smb2_session_setup_spnego(session3_1,
2403 : creds2,
2404 : 0 /* previous_session_id */);
2405 18 : if (creds2_require_ok) {
2406 6 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2407 : "smb2_session_setup_spnego worked");
2408 4 : creds2_got_ok = true;
2409 12 : } else if (NT_STATUS_IS_OK(status)) {
2410 2 : bool authentiated = smbXcli_session_is_authenticated(session3_1->smbXcli);
2411 2 : torture_assert(tctx, !authentiated, "Invalid credentials allowed!");
2412 2 : creds2_got_ok = true;
2413 : } else {
2414 10 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2415 : "smb2_session_setup_spnego worked");
2416 : }
2417 :
2418 : /*
2419 : * Now bind the 1st transport connection to the 2nd session
2420 : */
2421 18 : session2_1 = smb2_session_channel(transport1,
2422 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2423 : tree1,
2424 : session2_2);
2425 18 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2426 :
2427 18 : tree2->session = session2_1;
2428 18 : status = smb2_util_unlink(tree2, fname);
2429 18 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2430 : "smb2_util_unlink worked on invalid channel");
2431 :
2432 18 : status = smb2_session_setup_spnego(session2_1,
2433 : creds2,
2434 : 0 /* previous_session_id */);
2435 18 : if (creds2_got_ok) {
2436 : /*
2437 : * attaching with a different user (guest or anonymous) results
2438 : * in ACCESS_DENIED.
2439 : */
2440 8 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_ACCESS_DENIED, ret, done,
2441 : "smb2_session_setup_spnego worked");
2442 : } else {
2443 10 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2444 : "smb2_session_setup_spnego worked");
2445 : }
2446 :
2447 18 : tree2->session = session2_1;
2448 18 : status = smb2_util_unlink(tree2, fname);
2449 18 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2450 : "smb2_util_unlink worked on invalid channel");
2451 :
2452 18 : tree2->session = session2_2;
2453 18 : status = smb2_util_unlink(tree2, fname);
2454 18 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2455 : "smb2_util_unlink failed");
2456 18 : status = smb2_util_unlink(tree2, fname);
2457 18 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2458 : "smb2_util_unlink worked");
2459 18 : if (creds2_got_ok) {
2460 : /*
2461 : * We got ACCESS_DENIED on the session bind
2462 : * with a different user, now check that
2463 : * the correct user can actually bind on
2464 : * the same connection.
2465 : */
2466 8 : TALLOC_FREE(session2_1);
2467 8 : session2_1 = smb2_session_channel(transport1,
2468 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2469 : tree1,
2470 : session2_2);
2471 8 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2472 :
2473 8 : status = smb2_session_setup_spnego(session2_1,
2474 : creds1,
2475 : 0 /* previous_session_id */);
2476 8 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2477 : "smb2_session_setup_spnego failed");
2478 8 : tree2->session = session2_1;
2479 8 : status = smb2_util_unlink(tree2, fname);
2480 8 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2481 : "smb2_util_unlink worked");
2482 8 : tree2->session = session2_2;
2483 : }
2484 :
2485 18 : tree1->session = session1_1;
2486 18 : status = smb2_util_unlink(tree1, fname);
2487 18 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2488 : "smb2_util_unlink worked");
2489 :
2490 18 : tree1->session = session1_2;
2491 18 : status = smb2_util_unlink(tree1, fname);
2492 18 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2493 : "smb2_util_unlink worked");
2494 :
2495 18 : if (creds2_got_ok) {
2496 : /*
2497 : * With valid credentials, there's no point to test a failing
2498 : * reauth.
2499 : */
2500 8 : ret = true;
2501 8 : goto done;
2502 : }
2503 :
2504 : /*
2505 : * Do a failing reauth the 2nd channel
2506 : */
2507 10 : status = smb2_session_setup_spnego(session1_2,
2508 : creds2,
2509 : 0 /* previous_session_id */);
2510 10 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2511 : "smb2_session_setup_spnego worked");
2512 :
2513 10 : tree1->session = session1_1;
2514 10 : status = smb2_util_unlink(tree1, fname);
2515 10 : if (encrypted) {
2516 2 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2517 : "smb2_util_unlink worked");
2518 : } else {
2519 8 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2520 : "smb2_util_unlink worked");
2521 : }
2522 :
2523 10 : tree1->session = session1_2;
2524 10 : status = smb2_util_unlink(tree1, fname);
2525 10 : if (encrypted) {
2526 2 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2527 : "smb2_util_unlink worked");
2528 : } else {
2529 8 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2530 : "smb2_util_unlink worked");
2531 : }
2532 :
2533 10 : status = smb2_util_unlink(tree2, fname);
2534 10 : if (encrypted) {
2535 2 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2536 : "smb2_util_unlink worked");
2537 2 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2538 : "smb2_util_unlink worked");
2539 : } else {
2540 8 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2541 : "smb2_util_unlink worked");
2542 : }
2543 :
2544 8 : ret = true;
2545 18 : done:
2546 18 : talloc_free(tree2);
2547 18 : tree1->session = session1_1;
2548 :
2549 18 : if (h1 != NULL) {
2550 0 : smb2_util_close(tree1, *h1);
2551 : }
2552 :
2553 18 : smb2_util_unlink(tree1, fname);
2554 :
2555 18 : talloc_free(tree1);
2556 :
2557 18 : talloc_free(mem_ctx);
2558 :
2559 18 : return ret;
2560 : }
2561 :
2562 12 : static bool test_session_bind_invalid_auth(struct torture_context *tctx, struct smb2_tree *tree1)
2563 : {
2564 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2565 12 : struct cli_credentials *invalid_credentials = NULL;
2566 12 : bool ret = false;
2567 :
2568 12 : invalid_credentials = cli_credentials_init(tctx);
2569 12 : torture_assert(tctx, (invalid_credentials != NULL), "talloc error");
2570 12 : cli_credentials_set_username(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2571 12 : cli_credentials_set_domain(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2572 12 : cli_credentials_set_password(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2573 12 : cli_credentials_set_realm(invalid_credentials, NULL, CRED_SPECIFIED);
2574 12 : cli_credentials_set_workstation(invalid_credentials, "", CRED_UNINITIALISED);
2575 :
2576 12 : ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2577 : credentials,
2578 : invalid_credentials,
2579 : false);
2580 12 : return ret;
2581 : }
2582 :
2583 12 : static bool test_session_bind_different_user(struct torture_context *tctx, struct smb2_tree *tree1)
2584 : {
2585 12 : struct cli_credentials *credentials1 = samba_cmdline_get_creds();
2586 12 : struct cli_credentials *credentials2 = torture_user2_credentials(tctx, tctx);
2587 12 : char *u1 = cli_credentials_get_unparsed_name(credentials1, tctx);
2588 12 : char *u2 = cli_credentials_get_unparsed_name(credentials2, tctx);
2589 12 : bool ret = false;
2590 2 : bool bval;
2591 :
2592 12 : torture_assert(tctx, (credentials2 != NULL), "talloc error");
2593 12 : bval = cli_credentials_is_anonymous(credentials2);
2594 12 : if (bval) {
2595 6 : torture_skip(tctx, "valid user2 credentials are required");
2596 : }
2597 6 : bval = strequal(u1, u2);
2598 6 : if (bval) {
2599 0 : torture_skip(tctx, "different user2 credentials are required");
2600 : }
2601 :
2602 6 : ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2603 : credentials1,
2604 : credentials2,
2605 : true);
2606 6 : return ret;
2607 : }
2608 :
2609 446 : static bool test_session_bind_negative_smbXtoX(struct torture_context *tctx,
2610 : const char *testname,
2611 : struct cli_credentials *credentials,
2612 : const struct smbcli_options *options1,
2613 : const struct smbcli_options *options2,
2614 : NTSTATUS bind_reject_status)
2615 : {
2616 446 : const char *host = torture_setting_string(tctx, "host", NULL);
2617 446 : const char *share = torture_setting_string(tctx, "share", NULL);
2618 78 : NTSTATUS status;
2619 446 : bool ret = false;
2620 446 : struct smb2_tree *tree1 = NULL;
2621 446 : struct smb2_session *session1_1 = NULL;
2622 78 : char fname[256];
2623 78 : struct smb2_handle _h1;
2624 446 : struct smb2_handle *h1 = NULL;
2625 78 : struct smb2_create io1;
2626 78 : union smb_fileinfo qfinfo1;
2627 446 : struct smb2_tree *tree2_0 = NULL;
2628 446 : struct smb2_transport *transport2 = NULL;
2629 446 : struct smb2_session *session1_2 = NULL;
2630 446 : uint64_t session1_id = 0;
2631 446 : uint16_t session1_flags = 0;
2632 446 : NTSTATUS deleted_status = NT_STATUS_USER_SESSION_DELETED;
2633 :
2634 446 : status = smb2_connect(tctx,
2635 : host,
2636 : lpcfg_smb_ports(tctx->lp_ctx),
2637 : share,
2638 : lpcfg_resolve_context(tctx->lp_ctx),
2639 : credentials,
2640 : &tree1,
2641 : tctx->ev,
2642 : options1,
2643 : lpcfg_socket_options(tctx->lp_ctx),
2644 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2645 : );
2646 446 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2647 : "smb2_connect options1 failed");
2648 446 : session1_1 = tree1->session;
2649 446 : session1_id = smb2cli_session_current_id(session1_1->smbXcli);
2650 446 : session1_flags = smb2cli_session_get_flags(session1_1->smbXcli);
2651 :
2652 : /* Add some random component to the file name. */
2653 446 : snprintf(fname, sizeof(fname), "%s_%s.dat",
2654 : testname, generate_random_str(tctx, 8));
2655 :
2656 446 : smb2_util_unlink(tree1, fname);
2657 :
2658 446 : smb2_oplock_create_share(&io1, fname,
2659 : smb2_util_share_access(""),
2660 446 : smb2_util_oplock_level("b"));
2661 :
2662 446 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
2663 446 : status = smb2_create(tree1, tctx, &io1);
2664 446 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2665 : "smb2_create failed");
2666 446 : _h1 = io1.out.file.handle;
2667 446 : h1 = &_h1;
2668 446 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2669 446 : torture_assert_int_equal(tctx, io1.out.oplock_level,
2670 : smb2_util_oplock_level("b"),
2671 : "oplock_level incorrect");
2672 :
2673 446 : status = smb2_connect(tctx,
2674 : host,
2675 : lpcfg_smb_ports(tctx->lp_ctx),
2676 : share,
2677 : lpcfg_resolve_context(tctx->lp_ctx),
2678 : credentials,
2679 : &tree2_0,
2680 : tctx->ev,
2681 : options2,
2682 : lpcfg_socket_options(tctx->lp_ctx),
2683 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2684 : );
2685 446 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2686 : "smb2_connect options2 failed");
2687 446 : transport2 = tree2_0->session->transport;
2688 :
2689 : /*
2690 : * Now bind the 2nd transport connection to the 1st session
2691 : */
2692 446 : session1_2 = smb2_session_channel(transport2,
2693 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2694 : tree2_0,
2695 : session1_1);
2696 446 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2697 :
2698 446 : status = smb2_session_setup_spnego(session1_2,
2699 : credentials,
2700 : 0 /* previous_session_id */);
2701 446 : torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2702 : "smb2_session_setup_spnego failed");
2703 422 : if (NT_STATUS_IS_OK(bind_reject_status)) {
2704 24 : ZERO_STRUCT(qfinfo1);
2705 24 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2706 24 : qfinfo1.generic.in.file.handle = _h1;
2707 24 : tree1->session = session1_2;
2708 24 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2709 24 : tree1->session = session1_1;
2710 24 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2711 : "smb2_getinfo_file failed");
2712 : }
2713 422 : TALLOC_FREE(session1_2);
2714 :
2715 : /* Check the initial session is still alive */
2716 422 : ZERO_STRUCT(qfinfo1);
2717 422 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2718 422 : qfinfo1.generic.in.file.handle = _h1;
2719 422 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2720 422 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2721 : "smb2_getinfo_file failed");
2722 :
2723 422 : if (NT_STATUS_IS_OK(bind_reject_status)) {
2724 24 : deleted_status = NT_STATUS_ACCESS_DENIED;
2725 24 : bind_reject_status = NT_STATUS_ACCESS_DENIED;
2726 : }
2727 :
2728 : /*
2729 : * I guess this is not part of MultipleChannel_Negative_SMB2002,
2730 : * but we should also check the status without
2731 : * SMB2_SESSION_FLAG_BINDING.
2732 : */
2733 422 : session1_2 = smb2_session_channel(transport2,
2734 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2735 : tree2_0,
2736 : session1_1);
2737 422 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2738 422 : session1_2->needs_bind = false;
2739 :
2740 422 : status = smb2_session_setup_spnego(session1_2,
2741 : credentials,
2742 : 0 /* previous_session_id */);
2743 422 : torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2744 : "smb2_session_setup_spnego failed");
2745 422 : TALLOC_FREE(session1_2);
2746 :
2747 : /*
2748 : * ... and we should also check the status without any existing
2749 : * session keys.
2750 : */
2751 422 : session1_2 = smb2_session_init(transport2,
2752 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2753 : tree2_0);
2754 422 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2755 422 : talloc_steal(tree2_0->session, transport2);
2756 422 : smb2cli_session_set_id_and_flags(session1_2->smbXcli,
2757 : session1_id, session1_flags);
2758 :
2759 422 : status = smb2_session_setup_spnego(session1_2,
2760 : credentials,
2761 : 0 /* previous_session_id */);
2762 422 : torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2763 : "smb2_session_setup_spnego failed");
2764 422 : TALLOC_FREE(session1_2);
2765 :
2766 : /* Check the initial session is still alive */
2767 422 : ZERO_STRUCT(qfinfo1);
2768 422 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2769 422 : qfinfo1.generic.in.file.handle = _h1;
2770 422 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2771 422 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2772 : "smb2_getinfo_file failed");
2773 :
2774 : /*
2775 : * Now bind the 2nd transport connection to the 1st session (again)
2776 : */
2777 422 : session1_2 = smb2_session_channel(transport2,
2778 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2779 : tree2_0,
2780 : session1_1);
2781 422 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2782 :
2783 422 : status = smb2_session_setup_spnego(session1_2,
2784 : credentials,
2785 : 0 /* previous_session_id */);
2786 422 : torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2787 : "smb2_session_setup_spnego failed");
2788 422 : TALLOC_FREE(session1_2);
2789 :
2790 : /* Check the initial session is still alive */
2791 422 : ZERO_STRUCT(qfinfo1);
2792 422 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2793 422 : qfinfo1.generic.in.file.handle = _h1;
2794 422 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2795 422 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2796 : "smb2_getinfo_file failed");
2797 :
2798 348 : ret = true;
2799 446 : done:
2800 446 : talloc_free(tree2_0);
2801 446 : if (h1 != NULL) {
2802 446 : smb2_util_close(tree1, *h1);
2803 : }
2804 446 : talloc_free(tree1);
2805 :
2806 446 : return ret;
2807 : }
2808 :
2809 : /*
2810 : * This is similar to the MultipleChannel_Negative_SMB2002 test
2811 : * from the Windows Protocol Test Suite.
2812 : *
2813 : * It demonstrates that the server needs to do lookup
2814 : * in the global session table in order to get the signing
2815 : * and error code of invalid session setups correct.
2816 : *
2817 : * See: https://bugzilla.samba.org/show_bug.cgi?id=14512
2818 : *
2819 : * Note you can ignore tree0...
2820 : */
2821 12 : static bool test_session_bind_negative_smb202(struct torture_context *tctx, struct smb2_tree *tree0)
2822 : {
2823 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2824 12 : bool ret = false;
2825 12 : struct smb2_transport *transport0 = tree0->session->transport;
2826 2 : struct smbcli_options options1;
2827 2 : struct smbcli_options options2;
2828 2 : bool encrypted;
2829 :
2830 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2831 12 : if (encrypted) {
2832 2 : torture_skip(tctx,
2833 : "Can't test SMB 2.02 if encryption is required");
2834 : }
2835 :
2836 10 : options1 = transport0->options;
2837 10 : options1.client_guid = GUID_zero();
2838 10 : options1.max_protocol = PROTOCOL_SMB2_02;
2839 :
2840 10 : options2 = options1;
2841 10 : options2.only_negprot = true;
2842 :
2843 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2844 : credentials,
2845 : &options1, &options2,
2846 10 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2847 10 : talloc_free(tree0);
2848 10 : return ret;
2849 : }
2850 :
2851 12 : static bool test_session_bind_negative_smb210s(struct torture_context *tctx, struct smb2_tree *tree0)
2852 : {
2853 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2854 12 : bool ret = false;
2855 12 : struct smb2_transport *transport0 = tree0->session->transport;
2856 2 : struct smbcli_options options1;
2857 2 : struct smbcli_options options2;
2858 2 : bool encrypted;
2859 :
2860 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2861 12 : if (encrypted) {
2862 2 : torture_skip(tctx,
2863 : "Can't test SMB 2.10 if encryption is required");
2864 : }
2865 :
2866 10 : options1 = transport0->options;
2867 10 : options1.client_guid = GUID_random();
2868 10 : options1.max_protocol = PROTOCOL_SMB2_10;
2869 :
2870 : /* same client guid */
2871 10 : options2 = options1;
2872 10 : options2.only_negprot = true;
2873 :
2874 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2875 : credentials,
2876 : &options1, &options2,
2877 10 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2878 10 : talloc_free(tree0);
2879 10 : return ret;
2880 : }
2881 :
2882 12 : static bool test_session_bind_negative_smb210d(struct torture_context *tctx, struct smb2_tree *tree0)
2883 : {
2884 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2885 12 : bool ret = false;
2886 12 : struct smb2_transport *transport0 = tree0->session->transport;
2887 2 : struct smbcli_options options1;
2888 2 : struct smbcli_options options2;
2889 2 : bool encrypted;
2890 :
2891 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2892 12 : if (encrypted) {
2893 2 : torture_skip(tctx,
2894 : "Can't test SMB 2.10 if encryption is required");
2895 : }
2896 :
2897 10 : options1 = transport0->options;
2898 10 : options1.client_guid = GUID_random();
2899 10 : options1.max_protocol = PROTOCOL_SMB2_10;
2900 :
2901 : /* different client guid */
2902 10 : options2 = options1;
2903 10 : options2.client_guid = GUID_random();
2904 10 : options2.only_negprot = true;
2905 :
2906 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2907 : credentials,
2908 : &options1, &options2,
2909 10 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2910 10 : talloc_free(tree0);
2911 10 : return ret;
2912 : }
2913 :
2914 12 : static bool test_session_bind_negative_smb2to3s(struct torture_context *tctx, struct smb2_tree *tree0)
2915 : {
2916 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2917 12 : bool ret = false;
2918 12 : struct smb2_transport *transport0 = tree0->session->transport;
2919 2 : struct smbcli_options options1;
2920 2 : struct smbcli_options options2;
2921 2 : bool encrypted;
2922 :
2923 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2924 12 : if (encrypted) {
2925 2 : torture_skip(tctx,
2926 : "Can't test SMB 2.10 if encryption is required");
2927 : }
2928 :
2929 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2930 0 : torture_skip(tctx,
2931 : "Can't test without SMB3 support");
2932 : }
2933 :
2934 10 : options1 = transport0->options;
2935 10 : options1.client_guid = GUID_random();
2936 10 : options1.min_protocol = PROTOCOL_SMB2_02;
2937 10 : options1.max_protocol = PROTOCOL_SMB2_10;
2938 :
2939 : /* same client guid */
2940 10 : options2 = options1;
2941 10 : options2.only_negprot = true;
2942 10 : options2.min_protocol = PROTOCOL_SMB3_00;
2943 10 : options2.max_protocol = PROTOCOL_SMB3_11;
2944 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2945 : .num_algos = 1,
2946 : .algos = {
2947 : SMB2_SIGNING_AES128_CMAC,
2948 : },
2949 : };
2950 :
2951 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2952 : credentials,
2953 : &options1, &options2,
2954 10 : NT_STATUS_INVALID_PARAMETER);
2955 10 : talloc_free(tree0);
2956 10 : return ret;
2957 : }
2958 :
2959 12 : static bool test_session_bind_negative_smb2to3d(struct torture_context *tctx, struct smb2_tree *tree0)
2960 : {
2961 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2962 12 : bool ret = false;
2963 12 : struct smb2_transport *transport0 = tree0->session->transport;
2964 2 : struct smbcli_options options1;
2965 2 : struct smbcli_options options2;
2966 2 : bool encrypted;
2967 :
2968 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2969 12 : if (encrypted) {
2970 2 : torture_skip(tctx,
2971 : "Can't test SMB 2.10 if encryption is required");
2972 : }
2973 :
2974 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2975 0 : torture_skip(tctx,
2976 : "Can't test without SMB3 support");
2977 : }
2978 :
2979 10 : options1 = transport0->options;
2980 10 : options1.client_guid = GUID_random();
2981 10 : options1.min_protocol = PROTOCOL_SMB2_02;
2982 10 : options1.max_protocol = PROTOCOL_SMB2_10;
2983 :
2984 : /* different client guid */
2985 10 : options2 = options1;
2986 10 : options2.client_guid = GUID_random();
2987 10 : options2.only_negprot = true;
2988 10 : options2.min_protocol = PROTOCOL_SMB3_00;
2989 10 : options2.max_protocol = PROTOCOL_SMB3_11;
2990 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2991 : .num_algos = 1,
2992 : .algos = {
2993 : SMB2_SIGNING_AES128_CMAC,
2994 : },
2995 : };
2996 :
2997 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2998 : credentials,
2999 : &options1, &options2,
3000 10 : NT_STATUS_INVALID_PARAMETER);
3001 10 : talloc_free(tree0);
3002 10 : return ret;
3003 : }
3004 :
3005 12 : static bool test_session_bind_negative_smb3to2s(struct torture_context *tctx, struct smb2_tree *tree0)
3006 : {
3007 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3008 12 : bool ret = false;
3009 12 : struct smb2_transport *transport0 = tree0->session->transport;
3010 2 : struct smbcli_options options1;
3011 2 : struct smbcli_options options2;
3012 2 : bool encrypted;
3013 :
3014 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
3015 12 : if (encrypted) {
3016 2 : torture_skip(tctx,
3017 : "Can't test SMB 2.10 if encryption is required");
3018 : }
3019 :
3020 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
3021 0 : torture_skip(tctx,
3022 : "Can't test without SMB3 support");
3023 : }
3024 :
3025 10 : options1 = transport0->options;
3026 10 : options1.client_guid = GUID_random();
3027 10 : options1.min_protocol = PROTOCOL_SMB3_00;
3028 10 : options1.max_protocol = PROTOCOL_SMB3_11;
3029 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3030 : .num_algos = 1,
3031 : .algos = {
3032 : SMB2_SIGNING_AES128_CMAC,
3033 : },
3034 : };
3035 :
3036 : /* same client guid */
3037 10 : options2 = options1;
3038 10 : options2.only_negprot = true;
3039 10 : options2.min_protocol = PROTOCOL_SMB2_02;
3040 10 : options2.max_protocol = PROTOCOL_SMB2_10;
3041 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3042 : .num_algos = 1,
3043 : .algos = {
3044 : SMB2_SIGNING_HMAC_SHA256,
3045 : },
3046 : };
3047 :
3048 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3049 : credentials,
3050 : &options1, &options2,
3051 10 : NT_STATUS_REQUEST_NOT_ACCEPTED);
3052 10 : talloc_free(tree0);
3053 10 : return ret;
3054 : }
3055 :
3056 12 : static bool test_session_bind_negative_smb3to2d(struct torture_context *tctx, struct smb2_tree *tree0)
3057 : {
3058 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3059 12 : bool ret = false;
3060 12 : struct smb2_transport *transport0 = tree0->session->transport;
3061 2 : struct smbcli_options options1;
3062 2 : struct smbcli_options options2;
3063 2 : bool encrypted;
3064 :
3065 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
3066 12 : if (encrypted) {
3067 2 : torture_skip(tctx,
3068 : "Can't test SMB 2.10 if encryption is required");
3069 : }
3070 :
3071 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
3072 0 : torture_skip(tctx,
3073 : "Can't test without SMB3 support");
3074 : }
3075 :
3076 10 : options1 = transport0->options;
3077 10 : options1.client_guid = GUID_random();
3078 10 : options1.min_protocol = PROTOCOL_SMB3_00;
3079 10 : options1.max_protocol = PROTOCOL_SMB3_11;
3080 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3081 : .num_algos = 1,
3082 : .algos = {
3083 : SMB2_SIGNING_AES128_CMAC,
3084 : },
3085 : };
3086 :
3087 : /* different client guid */
3088 10 : options2 = options1;
3089 10 : options2.client_guid = GUID_random();
3090 10 : options2.only_negprot = true;
3091 10 : options2.min_protocol = PROTOCOL_SMB2_02;
3092 10 : options2.max_protocol = PROTOCOL_SMB2_10;
3093 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3094 : .num_algos = 1,
3095 : .algos = {
3096 : SMB2_SIGNING_HMAC_SHA256,
3097 : },
3098 : };
3099 :
3100 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3101 : credentials,
3102 : &options1, &options2,
3103 10 : NT_STATUS_REQUEST_NOT_ACCEPTED);
3104 10 : talloc_free(tree0);
3105 10 : return ret;
3106 : }
3107 :
3108 12 : static bool test_session_bind_negative_smb3to3s(struct torture_context *tctx, struct smb2_tree *tree0)
3109 : {
3110 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3111 12 : bool ret = false;
3112 12 : struct smb2_transport *transport0 = tree0->session->transport;
3113 2 : struct smbcli_options options1;
3114 2 : struct smbcli_options options2;
3115 :
3116 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3117 0 : torture_skip(tctx,
3118 : "Can't test without SMB 3.1.1 support");
3119 : }
3120 :
3121 12 : options1 = transport0->options;
3122 12 : options1.client_guid = GUID_random();
3123 12 : options1.min_protocol = PROTOCOL_SMB3_02;
3124 12 : options1.max_protocol = PROTOCOL_SMB3_02;
3125 :
3126 : /* same client guid */
3127 12 : options2 = options1;
3128 12 : options2.only_negprot = true;
3129 12 : options2.min_protocol = PROTOCOL_SMB3_11;
3130 12 : options2.max_protocol = PROTOCOL_SMB3_11;
3131 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3132 : .num_algos = 1,
3133 : .algos = {
3134 : SMB2_SIGNING_AES128_CMAC,
3135 : },
3136 : };
3137 :
3138 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3139 : credentials,
3140 : &options1, &options2,
3141 12 : NT_STATUS_INVALID_PARAMETER);
3142 12 : talloc_free(tree0);
3143 12 : return ret;
3144 : }
3145 :
3146 12 : static bool test_session_bind_negative_smb3to3d(struct torture_context *tctx, struct smb2_tree *tree0)
3147 : {
3148 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3149 12 : bool ret = false;
3150 12 : struct smb2_transport *transport0 = tree0->session->transport;
3151 2 : struct smbcli_options options1;
3152 2 : struct smbcli_options options2;
3153 :
3154 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3155 0 : torture_skip(tctx,
3156 : "Can't test without SMB 3.1.1 support");
3157 : }
3158 :
3159 12 : options1 = transport0->options;
3160 12 : options1.client_guid = GUID_random();
3161 12 : options1.min_protocol = PROTOCOL_SMB3_02;
3162 12 : options1.max_protocol = PROTOCOL_SMB3_02;
3163 :
3164 : /* different client guid */
3165 12 : options2 = options1;
3166 12 : options2.client_guid = GUID_random();
3167 12 : options2.only_negprot = true;
3168 12 : options2.min_protocol = PROTOCOL_SMB3_11;
3169 12 : options2.max_protocol = PROTOCOL_SMB3_11;
3170 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3171 : .num_algos = 1,
3172 : .algos = {
3173 : SMB2_SIGNING_AES128_CMAC,
3174 : },
3175 : };
3176 :
3177 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3178 : credentials,
3179 : &options1, &options2,
3180 12 : NT_STATUS_INVALID_PARAMETER);
3181 12 : talloc_free(tree0);
3182 12 : return ret;
3183 : }
3184 :
3185 12 : static bool test_session_bind_negative_smb3encGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3186 : {
3187 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3188 12 : struct cli_credentials *credentials = NULL;
3189 12 : bool ret = false;
3190 12 : struct smb2_transport *transport0 = tree0->session->transport;
3191 2 : struct smbcli_options options1;
3192 2 : struct smbcli_options options2;
3193 2 : bool ok;
3194 :
3195 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3196 0 : torture_skip(tctx,
3197 : "Can't test without SMB 3.1.1 support");
3198 : }
3199 :
3200 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3201 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3202 12 : ok = cli_credentials_set_smb_encryption(credentials,
3203 : SMB_ENCRYPTION_REQUIRED,
3204 : CRED_SPECIFIED);
3205 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3206 :
3207 12 : options1 = transport0->options;
3208 12 : options1.client_guid = GUID_random();
3209 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3210 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3211 12 : options1.signing = SMB_SIGNING_REQUIRED;
3212 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3213 : .num_algos = 1,
3214 : .algos = {
3215 : SMB2_ENCRYPTION_AES128_GCM,
3216 : },
3217 : };
3218 :
3219 : /* same client guid */
3220 12 : options2 = options1;
3221 12 : options2.only_negprot = true;
3222 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3223 : .num_algos = 1,
3224 : .algos = {
3225 : SMB2_ENCRYPTION_AES128_CCM,
3226 : },
3227 : };
3228 :
3229 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3230 : credentials,
3231 : &options1, &options2,
3232 12 : NT_STATUS_INVALID_PARAMETER);
3233 12 : talloc_free(tree0);
3234 12 : return ret;
3235 : }
3236 :
3237 12 : static bool test_session_bind_negative_smb3encGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3238 : {
3239 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3240 12 : struct cli_credentials *credentials = NULL;
3241 12 : bool ret = false;
3242 12 : struct smb2_transport *transport0 = tree0->session->transport;
3243 2 : struct smbcli_options options1;
3244 2 : struct smbcli_options options2;
3245 2 : bool ok;
3246 :
3247 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3248 0 : torture_skip(tctx,
3249 : "Can't test without SMB 3.1.1 support");
3250 : }
3251 :
3252 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3253 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3254 12 : ok = cli_credentials_set_smb_encryption(credentials,
3255 : SMB_ENCRYPTION_REQUIRED,
3256 : CRED_SPECIFIED);
3257 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3258 :
3259 12 : options1 = transport0->options;
3260 12 : options1.client_guid = GUID_random();
3261 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3262 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3263 12 : options1.signing = SMB_SIGNING_REQUIRED;
3264 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3265 : .num_algos = 1,
3266 : .algos = {
3267 : SMB2_ENCRYPTION_AES128_GCM,
3268 : },
3269 : };
3270 :
3271 : /* different client guid */
3272 12 : options2 = options1;
3273 12 : options2.client_guid = GUID_random();
3274 12 : options2.only_negprot = true;
3275 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3276 : .num_algos = 1,
3277 : .algos = {
3278 : SMB2_ENCRYPTION_AES128_CCM,
3279 : },
3280 : };
3281 :
3282 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3283 : credentials,
3284 : &options1, &options2,
3285 12 : NT_STATUS_INVALID_PARAMETER);
3286 12 : talloc_free(tree0);
3287 12 : return ret;
3288 : }
3289 :
3290 12 : static bool test_session_bind_negative_smb3signCtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3291 : {
3292 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3293 12 : struct cli_credentials *credentials = NULL;
3294 12 : bool ret = false;
3295 12 : struct smb2_transport *transport0 = tree0->session->transport;
3296 2 : struct smbcli_options options1;
3297 2 : struct smbcli_options options2;
3298 2 : bool ok;
3299 :
3300 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3301 0 : torture_skip(tctx,
3302 : "Can't test without SMB 3.1.1 support");
3303 : }
3304 :
3305 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3306 0 : torture_skip(tctx,
3307 : "Can't test without SMB 3.1.1 signing negotiation support");
3308 : }
3309 :
3310 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3311 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3312 12 : ok = cli_credentials_set_smb_encryption(credentials,
3313 : SMB_ENCRYPTION_REQUIRED,
3314 : CRED_SPECIFIED);
3315 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3316 :
3317 12 : options1 = transport0->options;
3318 12 : options1.client_guid = GUID_random();
3319 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3320 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3321 12 : options1.signing = SMB_SIGNING_REQUIRED;
3322 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3323 : .num_algos = 1,
3324 : .algos = {
3325 : SMB2_SIGNING_AES128_CMAC,
3326 : },
3327 : };
3328 :
3329 : /* same client guid */
3330 12 : options2 = options1;
3331 12 : options2.only_negprot = true;
3332 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3333 : .num_algos = 1,
3334 : .algos = {
3335 : SMB2_SIGNING_HMAC_SHA256,
3336 : },
3337 : };
3338 :
3339 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3340 : credentials,
3341 : &options1, &options2,
3342 12 : NT_STATUS_OK);
3343 12 : talloc_free(tree0);
3344 12 : return ret;
3345 : }
3346 :
3347 12 : static bool test_session_bind_negative_smb3signCtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3348 : {
3349 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3350 12 : struct cli_credentials *credentials = NULL;
3351 12 : bool ret = false;
3352 12 : struct smb2_transport *transport0 = tree0->session->transport;
3353 2 : struct smbcli_options options1;
3354 2 : struct smbcli_options options2;
3355 2 : bool ok;
3356 :
3357 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3358 0 : torture_skip(tctx,
3359 : "Can't test without SMB 3.1.1 support");
3360 : }
3361 :
3362 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3363 0 : torture_skip(tctx,
3364 : "Can't test without SMB 3.1.1 signing negotiation support");
3365 : }
3366 :
3367 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3368 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3369 12 : ok = cli_credentials_set_smb_encryption(credentials,
3370 : SMB_ENCRYPTION_REQUIRED,
3371 : CRED_SPECIFIED);
3372 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3373 :
3374 12 : options1 = transport0->options;
3375 12 : options1.client_guid = GUID_random();
3376 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3377 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3378 12 : options1.signing = SMB_SIGNING_REQUIRED;
3379 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3380 : .num_algos = 1,
3381 : .algos = {
3382 : SMB2_SIGNING_AES128_CMAC,
3383 : },
3384 : };
3385 :
3386 : /* different client guid */
3387 12 : options2 = options1;
3388 12 : options2.client_guid = GUID_random();
3389 12 : options2.only_negprot = true;
3390 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3391 : .num_algos = 1,
3392 : .algos = {
3393 : SMB2_SIGNING_HMAC_SHA256,
3394 : },
3395 : };
3396 :
3397 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3398 : credentials,
3399 : &options1, &options2,
3400 12 : NT_STATUS_OK);
3401 12 : talloc_free(tree0);
3402 12 : return ret;
3403 : }
3404 :
3405 12 : static bool test_session_bind_negative_smb3signHtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3406 : {
3407 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3408 12 : struct cli_credentials *credentials = NULL;
3409 12 : bool ret = false;
3410 12 : struct smb2_transport *transport0 = tree0->session->transport;
3411 2 : struct smbcli_options options1;
3412 2 : struct smbcli_options options2;
3413 2 : bool ok;
3414 :
3415 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3416 0 : torture_skip(tctx,
3417 : "Can't test without SMB 3.1.1 support");
3418 : }
3419 :
3420 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3421 0 : torture_skip(tctx,
3422 : "Can't test without SMB 3.1.1 signing negotiation support");
3423 : }
3424 :
3425 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3426 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3427 12 : ok = cli_credentials_set_smb_encryption(credentials,
3428 : SMB_ENCRYPTION_REQUIRED,
3429 : CRED_SPECIFIED);
3430 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3431 :
3432 12 : options1 = transport0->options;
3433 12 : options1.client_guid = GUID_random();
3434 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3435 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3436 12 : options1.signing = SMB_SIGNING_REQUIRED;
3437 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3438 : .num_algos = 1,
3439 : .algos = {
3440 : SMB2_SIGNING_HMAC_SHA256,
3441 : },
3442 : };
3443 :
3444 : /* same client guid */
3445 12 : options2 = options1;
3446 12 : options2.only_negprot = true;
3447 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3448 : .num_algos = 1,
3449 : .algos = {
3450 : SMB2_SIGNING_AES128_CMAC,
3451 : },
3452 : };
3453 :
3454 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3455 : credentials,
3456 : &options1, &options2,
3457 12 : NT_STATUS_OK);
3458 12 : talloc_free(tree0);
3459 12 : return ret;
3460 : }
3461 :
3462 12 : static bool test_session_bind_negative_smb3signHtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3463 : {
3464 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3465 12 : struct cli_credentials *credentials = NULL;
3466 12 : bool ret = false;
3467 12 : struct smb2_transport *transport0 = tree0->session->transport;
3468 2 : struct smbcli_options options1;
3469 2 : struct smbcli_options options2;
3470 2 : bool ok;
3471 :
3472 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3473 0 : torture_skip(tctx,
3474 : "Can't test without SMB 3.1.1 support");
3475 : }
3476 :
3477 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3478 0 : torture_skip(tctx,
3479 : "Can't test without SMB 3.1.1 signing negotiation support");
3480 : }
3481 :
3482 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3483 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3484 12 : ok = cli_credentials_set_smb_encryption(credentials,
3485 : SMB_ENCRYPTION_REQUIRED,
3486 : CRED_SPECIFIED);
3487 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3488 :
3489 12 : options1 = transport0->options;
3490 12 : options1.client_guid = GUID_random();
3491 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3492 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3493 12 : options1.signing = SMB_SIGNING_REQUIRED;
3494 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3495 : .num_algos = 1,
3496 : .algos = {
3497 : SMB2_SIGNING_HMAC_SHA256,
3498 : },
3499 : };
3500 :
3501 : /* different client guid */
3502 12 : options2 = options1;
3503 12 : options2.client_guid = GUID_random();
3504 12 : options2.only_negprot = true;
3505 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3506 : .num_algos = 1,
3507 : .algos = {
3508 : SMB2_SIGNING_AES128_CMAC,
3509 : },
3510 : };
3511 :
3512 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3513 : credentials,
3514 : &options1, &options2,
3515 12 : NT_STATUS_OK);
3516 12 : talloc_free(tree0);
3517 12 : return ret;
3518 : }
3519 :
3520 12 : static bool test_session_bind_negative_smb3signHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3521 : {
3522 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3523 12 : struct cli_credentials *credentials = NULL;
3524 12 : bool ret = false;
3525 12 : struct smb2_transport *transport0 = tree0->session->transport;
3526 2 : struct smbcli_options options1;
3527 2 : struct smbcli_options options2;
3528 2 : bool ok;
3529 :
3530 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3531 0 : torture_skip(tctx,
3532 : "Can't test without SMB 3.1.1 support");
3533 : }
3534 :
3535 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3536 0 : torture_skip(tctx,
3537 : "Can't test without SMB 3.1.1 signing negotiation support");
3538 : }
3539 :
3540 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3541 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3542 12 : ok = cli_credentials_set_smb_encryption(credentials,
3543 : SMB_ENCRYPTION_REQUIRED,
3544 : CRED_SPECIFIED);
3545 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3546 :
3547 12 : options1 = transport0->options;
3548 12 : options1.client_guid = GUID_random();
3549 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3550 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3551 12 : options1.signing = SMB_SIGNING_REQUIRED;
3552 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3553 : .num_algos = 1,
3554 : .algos = {
3555 : SMB2_SIGNING_HMAC_SHA256,
3556 : },
3557 : };
3558 :
3559 : /* same client guid */
3560 12 : options2 = options1;
3561 12 : options2.only_negprot = true;
3562 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3563 : .num_algos = 1,
3564 : .algos = {
3565 : SMB2_SIGNING_AES128_GMAC,
3566 : },
3567 : };
3568 :
3569 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3570 : credentials,
3571 : &options1, &options2,
3572 12 : NT_STATUS_NOT_SUPPORTED);
3573 12 : talloc_free(tree0);
3574 12 : return ret;
3575 : }
3576 :
3577 12 : static bool test_session_bind_negative_smb3signHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3578 : {
3579 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3580 12 : struct cli_credentials *credentials = NULL;
3581 12 : bool ret = false;
3582 12 : struct smb2_transport *transport0 = tree0->session->transport;
3583 2 : struct smbcli_options options1;
3584 2 : struct smbcli_options options2;
3585 2 : bool ok;
3586 :
3587 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3588 0 : torture_skip(tctx,
3589 : "Can't test without SMB 3.1.1 support");
3590 : }
3591 :
3592 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3593 0 : torture_skip(tctx,
3594 : "Can't test without SMB 3.1.1 signing negotiation support");
3595 : }
3596 :
3597 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3598 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3599 12 : ok = cli_credentials_set_smb_encryption(credentials,
3600 : SMB_ENCRYPTION_REQUIRED,
3601 : CRED_SPECIFIED);
3602 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3603 :
3604 12 : options1 = transport0->options;
3605 12 : options1.client_guid = GUID_random();
3606 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3607 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3608 12 : options1.signing = SMB_SIGNING_REQUIRED;
3609 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3610 : .num_algos = 1,
3611 : .algos = {
3612 : SMB2_SIGNING_HMAC_SHA256,
3613 : },
3614 : };
3615 :
3616 : /* different client guid */
3617 12 : options2 = options1;
3618 12 : options2.client_guid = GUID_random();
3619 12 : options2.only_negprot = true;
3620 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3621 : .num_algos = 1,
3622 : .algos = {
3623 : SMB2_SIGNING_AES128_GMAC,
3624 : },
3625 : };
3626 :
3627 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3628 : credentials,
3629 : &options1, &options2,
3630 12 : NT_STATUS_NOT_SUPPORTED);
3631 12 : talloc_free(tree0);
3632 12 : return ret;
3633 : }
3634 :
3635 12 : static bool test_session_bind_negative_smb3signCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3636 : {
3637 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3638 12 : struct cli_credentials *credentials = NULL;
3639 12 : bool ret = false;
3640 12 : struct smb2_transport *transport0 = tree0->session->transport;
3641 2 : struct smbcli_options options1;
3642 2 : struct smbcli_options options2;
3643 2 : bool ok;
3644 :
3645 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3646 0 : torture_skip(tctx,
3647 : "Can't test without SMB 3.1.1 support");
3648 : }
3649 :
3650 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3651 0 : torture_skip(tctx,
3652 : "Can't test without SMB 3.1.1 signing negotiation support");
3653 : }
3654 :
3655 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3656 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3657 12 : ok = cli_credentials_set_smb_encryption(credentials,
3658 : SMB_ENCRYPTION_REQUIRED,
3659 : CRED_SPECIFIED);
3660 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3661 :
3662 12 : options1 = transport0->options;
3663 12 : options1.client_guid = GUID_random();
3664 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3665 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3666 12 : options1.signing = SMB_SIGNING_REQUIRED;
3667 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3668 : .num_algos = 1,
3669 : .algos = {
3670 : SMB2_SIGNING_AES128_CMAC,
3671 : },
3672 : };
3673 :
3674 : /* same client guid */
3675 12 : options2 = options1;
3676 12 : options2.only_negprot = true;
3677 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3678 : .num_algos = 1,
3679 : .algos = {
3680 : SMB2_SIGNING_AES128_GMAC,
3681 : },
3682 : };
3683 :
3684 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3685 : credentials,
3686 : &options1, &options2,
3687 12 : NT_STATUS_NOT_SUPPORTED);
3688 12 : talloc_free(tree0);
3689 12 : return ret;
3690 : }
3691 :
3692 12 : static bool test_session_bind_negative_smb3signCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3693 : {
3694 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3695 12 : struct cli_credentials *credentials = NULL;
3696 12 : bool ret = false;
3697 12 : struct smb2_transport *transport0 = tree0->session->transport;
3698 2 : struct smbcli_options options1;
3699 2 : struct smbcli_options options2;
3700 2 : bool ok;
3701 :
3702 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3703 0 : torture_skip(tctx,
3704 : "Can't test without SMB 3.1.1 support");
3705 : }
3706 :
3707 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3708 0 : torture_skip(tctx,
3709 : "Can't test without SMB 3.1.1 signing negotiation support");
3710 : }
3711 :
3712 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3713 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3714 12 : ok = cli_credentials_set_smb_encryption(credentials,
3715 : SMB_ENCRYPTION_REQUIRED,
3716 : CRED_SPECIFIED);
3717 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3718 :
3719 12 : options1 = transport0->options;
3720 12 : options1.client_guid = GUID_random();
3721 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3722 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3723 12 : options1.signing = SMB_SIGNING_REQUIRED;
3724 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3725 : .num_algos = 1,
3726 : .algos = {
3727 : SMB2_SIGNING_AES128_CMAC,
3728 : },
3729 : };
3730 :
3731 : /* different client guid */
3732 12 : options2 = options1;
3733 12 : options2.client_guid = GUID_random();
3734 12 : options2.only_negprot = true;
3735 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3736 : .num_algos = 1,
3737 : .algos = {
3738 : SMB2_SIGNING_AES128_GMAC,
3739 : },
3740 : };
3741 :
3742 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3743 : credentials,
3744 : &options1, &options2,
3745 12 : NT_STATUS_NOT_SUPPORTED);
3746 12 : talloc_free(tree0);
3747 12 : return ret;
3748 : }
3749 :
3750 12 : static bool test_session_bind_negative_smb3signGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3751 : {
3752 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3753 12 : struct cli_credentials *credentials = NULL;
3754 12 : bool ret = false;
3755 12 : struct smb2_transport *transport0 = tree0->session->transport;
3756 2 : struct smbcli_options options1;
3757 2 : struct smbcli_options options2;
3758 2 : bool ok;
3759 :
3760 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3761 0 : torture_skip(tctx,
3762 : "Can't test without SMB 3.1.1 support");
3763 : }
3764 :
3765 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3766 0 : torture_skip(tctx,
3767 : "Can't test without SMB 3.1.1 signing negotiation support");
3768 : }
3769 :
3770 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3771 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3772 12 : ok = cli_credentials_set_smb_encryption(credentials,
3773 : SMB_ENCRYPTION_REQUIRED,
3774 : CRED_SPECIFIED);
3775 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3776 :
3777 12 : options1 = transport0->options;
3778 12 : options1.client_guid = GUID_random();
3779 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3780 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3781 12 : options1.signing = SMB_SIGNING_REQUIRED;
3782 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3783 : .num_algos = 1,
3784 : .algos = {
3785 : SMB2_SIGNING_AES128_GMAC,
3786 : },
3787 : };
3788 :
3789 : /* same client guid */
3790 12 : options2 = options1;
3791 12 : options2.only_negprot = true;
3792 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3793 : .num_algos = 1,
3794 : .algos = {
3795 : SMB2_SIGNING_AES128_CMAC,
3796 : },
3797 : };
3798 :
3799 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3800 : credentials,
3801 : &options1, &options2,
3802 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3803 12 : talloc_free(tree0);
3804 12 : return ret;
3805 : }
3806 :
3807 12 : static bool test_session_bind_negative_smb3signGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3808 : {
3809 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3810 12 : struct cli_credentials *credentials = NULL;
3811 12 : bool ret = false;
3812 12 : struct smb2_transport *transport0 = tree0->session->transport;
3813 2 : struct smbcli_options options1;
3814 2 : struct smbcli_options options2;
3815 2 : bool ok;
3816 :
3817 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3818 0 : torture_skip(tctx,
3819 : "Can't test without SMB 3.1.1 support");
3820 : }
3821 :
3822 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3823 0 : torture_skip(tctx,
3824 : "Can't test without SMB 3.1.1 signing negotiation support");
3825 : }
3826 :
3827 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3828 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3829 12 : ok = cli_credentials_set_smb_encryption(credentials,
3830 : SMB_ENCRYPTION_REQUIRED,
3831 : CRED_SPECIFIED);
3832 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3833 :
3834 12 : options1 = transport0->options;
3835 12 : options1.client_guid = GUID_random();
3836 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3837 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3838 12 : options1.signing = SMB_SIGNING_REQUIRED;
3839 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3840 : .num_algos = 1,
3841 : .algos = {
3842 : SMB2_SIGNING_AES128_GMAC,
3843 : },
3844 : };
3845 :
3846 : /* different client guid */
3847 12 : options2 = options1;
3848 12 : options2.client_guid = GUID_random();
3849 12 : options2.only_negprot = true;
3850 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3851 : .num_algos = 1,
3852 : .algos = {
3853 : SMB2_SIGNING_AES128_CMAC,
3854 : },
3855 : };
3856 :
3857 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3858 : credentials,
3859 : &options1, &options2,
3860 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3861 12 : talloc_free(tree0);
3862 12 : return ret;
3863 : }
3864 :
3865 12 : static bool test_session_bind_negative_smb3signGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3866 : {
3867 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3868 12 : struct cli_credentials *credentials = NULL;
3869 12 : bool ret = false;
3870 12 : struct smb2_transport *transport0 = tree0->session->transport;
3871 2 : struct smbcli_options options1;
3872 2 : struct smbcli_options options2;
3873 2 : bool ok;
3874 :
3875 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3876 0 : torture_skip(tctx,
3877 : "Can't test without SMB 3.1.1 support");
3878 : }
3879 :
3880 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3881 0 : torture_skip(tctx,
3882 : "Can't test without SMB 3.1.1 signing negotiation support");
3883 : }
3884 :
3885 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3886 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3887 12 : ok = cli_credentials_set_smb_encryption(credentials,
3888 : SMB_ENCRYPTION_REQUIRED,
3889 : CRED_SPECIFIED);
3890 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3891 :
3892 12 : options1 = transport0->options;
3893 12 : options1.client_guid = GUID_random();
3894 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3895 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3896 12 : options1.signing = SMB_SIGNING_REQUIRED;
3897 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3898 : .num_algos = 1,
3899 : .algos = {
3900 : SMB2_SIGNING_AES128_GMAC,
3901 : },
3902 : };
3903 :
3904 : /* same client guid */
3905 12 : options2 = options1;
3906 12 : options2.only_negprot = true;
3907 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3908 : .num_algos = 1,
3909 : .algos = {
3910 : SMB2_SIGNING_HMAC_SHA256,
3911 : },
3912 : };
3913 :
3914 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3915 : credentials,
3916 : &options1, &options2,
3917 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3918 12 : talloc_free(tree0);
3919 12 : return ret;
3920 : }
3921 :
3922 12 : static bool test_session_bind_negative_smb3signGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3923 : {
3924 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3925 12 : struct cli_credentials *credentials = NULL;
3926 12 : bool ret = false;
3927 12 : struct smb2_transport *transport0 = tree0->session->transport;
3928 2 : struct smbcli_options options1;
3929 2 : struct smbcli_options options2;
3930 2 : bool ok;
3931 :
3932 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3933 0 : torture_skip(tctx,
3934 : "Can't test without SMB 3.1.1 support");
3935 : }
3936 :
3937 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3938 0 : torture_skip(tctx,
3939 : "Can't test without SMB 3.1.1 signing negotiation support");
3940 : }
3941 :
3942 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3943 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3944 12 : ok = cli_credentials_set_smb_encryption(credentials,
3945 : SMB_ENCRYPTION_REQUIRED,
3946 : CRED_SPECIFIED);
3947 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3948 :
3949 12 : options1 = transport0->options;
3950 12 : options1.client_guid = GUID_random();
3951 12 : options1.min_protocol = PROTOCOL_SMB3_11;
3952 12 : options1.max_protocol = PROTOCOL_SMB3_11;
3953 12 : options1.signing = SMB_SIGNING_REQUIRED;
3954 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3955 : .num_algos = 1,
3956 : .algos = {
3957 : SMB2_SIGNING_AES128_GMAC,
3958 : },
3959 : };
3960 :
3961 : /* different client guid */
3962 12 : options2 = options1;
3963 12 : options2.client_guid = GUID_random();
3964 12 : options2.only_negprot = true;
3965 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3966 : .num_algos = 1,
3967 : .algos = {
3968 : SMB2_SIGNING_HMAC_SHA256,
3969 : },
3970 : };
3971 :
3972 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3973 : credentials,
3974 : &options1, &options2,
3975 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3976 12 : talloc_free(tree0);
3977 12 : return ret;
3978 : }
3979 :
3980 12 : static bool test_session_bind_negative_smb3sneGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3981 : {
3982 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3983 12 : struct cli_credentials *credentials = NULL;
3984 12 : bool ret = false;
3985 12 : struct smb2_transport *transport0 = tree0->session->transport;
3986 2 : struct smbcli_options options1;
3987 2 : struct smbcli_options options2;
3988 2 : bool ok;
3989 :
3990 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3991 0 : torture_skip(tctx,
3992 : "Can't test without SMB 3.1.1 support");
3993 : }
3994 :
3995 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3996 0 : torture_skip(tctx,
3997 : "Can't test without SMB 3.1.1 signing negotiation support");
3998 : }
3999 :
4000 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4001 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4002 12 : ok = cli_credentials_set_smb_encryption(credentials,
4003 : SMB_ENCRYPTION_REQUIRED,
4004 : CRED_SPECIFIED);
4005 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4006 :
4007 12 : options1 = transport0->options;
4008 12 : options1.client_guid = GUID_random();
4009 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4010 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4011 12 : options1.signing = SMB_SIGNING_REQUIRED;
4012 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4013 : .num_algos = 1,
4014 : .algos = {
4015 : SMB2_SIGNING_AES128_GMAC,
4016 : },
4017 : };
4018 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4019 : .num_algos = 1,
4020 : .algos = {
4021 : SMB2_ENCRYPTION_AES128_GCM,
4022 : },
4023 : };
4024 :
4025 : /* same client guid */
4026 12 : options2 = options1;
4027 12 : options2.only_negprot = true;
4028 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4029 : .num_algos = 1,
4030 : .algos = {
4031 : SMB2_SIGNING_AES128_CMAC,
4032 : },
4033 : };
4034 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4035 : .num_algos = 1,
4036 : .algos = {
4037 : SMB2_ENCRYPTION_AES128_CCM,
4038 : },
4039 : };
4040 :
4041 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4042 : credentials,
4043 : &options1, &options2,
4044 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4045 12 : talloc_free(tree0);
4046 12 : return ret;
4047 : }
4048 :
4049 12 : static bool test_session_bind_negative_smb3sneGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
4050 : {
4051 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4052 12 : struct cli_credentials *credentials = NULL;
4053 12 : bool ret = false;
4054 12 : struct smb2_transport *transport0 = tree0->session->transport;
4055 2 : struct smbcli_options options1;
4056 2 : struct smbcli_options options2;
4057 2 : bool ok;
4058 :
4059 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4060 0 : torture_skip(tctx,
4061 : "Can't test without SMB 3.1.1 support");
4062 : }
4063 :
4064 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4065 0 : torture_skip(tctx,
4066 : "Can't test without SMB 3.1.1 signing negotiation support");
4067 : }
4068 :
4069 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4070 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4071 12 : ok = cli_credentials_set_smb_encryption(credentials,
4072 : SMB_ENCRYPTION_REQUIRED,
4073 : CRED_SPECIFIED);
4074 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4075 :
4076 12 : options1 = transport0->options;
4077 12 : options1.client_guid = GUID_random();
4078 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4079 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4080 12 : options1.signing = SMB_SIGNING_REQUIRED;
4081 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4082 : .num_algos = 1,
4083 : .algos = {
4084 : SMB2_SIGNING_AES128_GMAC,
4085 : },
4086 : };
4087 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4088 : .num_algos = 1,
4089 : .algos = {
4090 : SMB2_ENCRYPTION_AES128_GCM,
4091 : },
4092 : };
4093 :
4094 : /* different client guid */
4095 12 : options2 = options1;
4096 12 : options2.client_guid = GUID_random();
4097 12 : options2.only_negprot = true;
4098 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4099 : .num_algos = 1,
4100 : .algos = {
4101 : SMB2_SIGNING_AES128_CMAC,
4102 : },
4103 : };
4104 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4105 : .num_algos = 1,
4106 : .algos = {
4107 : SMB2_ENCRYPTION_AES128_CCM,
4108 : },
4109 : };
4110 :
4111 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4112 : credentials,
4113 : &options1, &options2,
4114 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4115 12 : talloc_free(tree0);
4116 12 : return ret;
4117 : }
4118 :
4119 12 : static bool test_session_bind_negative_smb3sneGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
4120 : {
4121 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4122 12 : struct cli_credentials *credentials = NULL;
4123 12 : bool ret = false;
4124 12 : struct smb2_transport *transport0 = tree0->session->transport;
4125 2 : struct smbcli_options options1;
4126 2 : struct smbcli_options options2;
4127 2 : bool ok;
4128 :
4129 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4130 0 : torture_skip(tctx,
4131 : "Can't test without SMB 3.1.1 support");
4132 : }
4133 :
4134 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4135 0 : torture_skip(tctx,
4136 : "Can't test without SMB 3.1.1 signing negotiation support");
4137 : }
4138 :
4139 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4140 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4141 12 : ok = cli_credentials_set_smb_encryption(credentials,
4142 : SMB_ENCRYPTION_REQUIRED,
4143 : CRED_SPECIFIED);
4144 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4145 :
4146 12 : options1 = transport0->options;
4147 12 : options1.client_guid = GUID_random();
4148 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4149 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4150 12 : options1.signing = SMB_SIGNING_REQUIRED;
4151 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4152 : .num_algos = 1,
4153 : .algos = {
4154 : SMB2_SIGNING_AES128_GMAC,
4155 : },
4156 : };
4157 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4158 : .num_algos = 1,
4159 : .algos = {
4160 : SMB2_ENCRYPTION_AES128_GCM,
4161 : },
4162 : };
4163 :
4164 : /* same client guid */
4165 12 : options2 = options1;
4166 12 : options2.only_negprot = true;
4167 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4168 : .num_algos = 1,
4169 : .algos = {
4170 : SMB2_SIGNING_HMAC_SHA256,
4171 : },
4172 : };
4173 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4174 : .num_algos = 1,
4175 : .algos = {
4176 : SMB2_ENCRYPTION_AES128_CCM,
4177 : },
4178 : };
4179 :
4180 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4181 : credentials,
4182 : &options1, &options2,
4183 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4184 12 : talloc_free(tree0);
4185 12 : return ret;
4186 : }
4187 :
4188 12 : static bool test_session_bind_negative_smb3sneGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
4189 : {
4190 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4191 12 : struct cli_credentials *credentials = NULL;
4192 12 : bool ret = false;
4193 12 : struct smb2_transport *transport0 = tree0->session->transport;
4194 2 : struct smbcli_options options1;
4195 2 : struct smbcli_options options2;
4196 2 : bool ok;
4197 :
4198 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4199 0 : torture_skip(tctx,
4200 : "Can't test without SMB 3.1.1 support");
4201 : }
4202 :
4203 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4204 0 : torture_skip(tctx,
4205 : "Can't test without SMB 3.1.1 signing negotiation support");
4206 : }
4207 :
4208 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4209 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4210 12 : ok = cli_credentials_set_smb_encryption(credentials,
4211 : SMB_ENCRYPTION_REQUIRED,
4212 : CRED_SPECIFIED);
4213 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4214 :
4215 12 : options1 = transport0->options;
4216 12 : options1.client_guid = GUID_random();
4217 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4218 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4219 12 : options1.signing = SMB_SIGNING_REQUIRED;
4220 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4221 : .num_algos = 1,
4222 : .algos = {
4223 : SMB2_SIGNING_AES128_GMAC,
4224 : },
4225 : };
4226 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4227 : .num_algos = 1,
4228 : .algos = {
4229 : SMB2_ENCRYPTION_AES128_GCM,
4230 : },
4231 : };
4232 :
4233 : /* different client guid */
4234 12 : options2 = options1;
4235 12 : options2.client_guid = GUID_random();
4236 12 : options2.only_negprot = true;
4237 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4238 : .num_algos = 1,
4239 : .algos = {
4240 : SMB2_SIGNING_HMAC_SHA256,
4241 : },
4242 : };
4243 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4244 : .num_algos = 1,
4245 : .algos = {
4246 : SMB2_ENCRYPTION_AES128_CCM,
4247 : },
4248 : };
4249 :
4250 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4251 : credentials,
4252 : &options1, &options2,
4253 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4254 12 : talloc_free(tree0);
4255 12 : return ret;
4256 : }
4257 :
4258 12 : static bool test_session_bind_negative_smb3sneCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4259 : {
4260 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4261 12 : struct cli_credentials *credentials = NULL;
4262 12 : bool ret = false;
4263 12 : struct smb2_transport *transport0 = tree0->session->transport;
4264 2 : struct smbcli_options options1;
4265 2 : struct smbcli_options options2;
4266 2 : bool ok;
4267 :
4268 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4269 0 : torture_skip(tctx,
4270 : "Can't test without SMB 3.1.1 support");
4271 : }
4272 :
4273 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4274 0 : torture_skip(tctx,
4275 : "Can't test without SMB 3.1.1 signing negotiation support");
4276 : }
4277 :
4278 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4279 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4280 12 : ok = cli_credentials_set_smb_encryption(credentials,
4281 : SMB_ENCRYPTION_REQUIRED,
4282 : CRED_SPECIFIED);
4283 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4284 :
4285 12 : options1 = transport0->options;
4286 12 : options1.client_guid = GUID_random();
4287 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4288 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4289 12 : options1.signing = SMB_SIGNING_REQUIRED;
4290 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4291 : .num_algos = 1,
4292 : .algos = {
4293 : SMB2_SIGNING_AES128_CMAC,
4294 : },
4295 : };
4296 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4297 : .num_algos = 1,
4298 : .algos = {
4299 : SMB2_ENCRYPTION_AES128_CCM,
4300 : },
4301 : };
4302 :
4303 : /* same client guid */
4304 12 : options2 = options1;
4305 12 : options2.only_negprot = true;
4306 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4307 : .num_algos = 1,
4308 : .algos = {
4309 : SMB2_SIGNING_AES128_GMAC,
4310 : },
4311 : };
4312 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4313 : .num_algos = 1,
4314 : .algos = {
4315 : SMB2_ENCRYPTION_AES128_GCM,
4316 : },
4317 : };
4318 :
4319 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4320 : credentials,
4321 : &options1, &options2,
4322 12 : NT_STATUS_NOT_SUPPORTED);
4323 12 : talloc_free(tree0);
4324 12 : return ret;
4325 : }
4326 :
4327 12 : static bool test_session_bind_negative_smb3sneCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4328 : {
4329 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4330 12 : struct cli_credentials *credentials = NULL;
4331 12 : bool ret = false;
4332 12 : struct smb2_transport *transport0 = tree0->session->transport;
4333 2 : struct smbcli_options options1;
4334 2 : struct smbcli_options options2;
4335 2 : bool ok;
4336 :
4337 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4338 0 : torture_skip(tctx,
4339 : "Can't test without SMB 3.1.1 support");
4340 : }
4341 :
4342 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4343 0 : torture_skip(tctx,
4344 : "Can't test without SMB 3.1.1 signing negotiation support");
4345 : }
4346 :
4347 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4348 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4349 12 : ok = cli_credentials_set_smb_encryption(credentials,
4350 : SMB_ENCRYPTION_REQUIRED,
4351 : CRED_SPECIFIED);
4352 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4353 :
4354 12 : options1 = transport0->options;
4355 12 : options1.client_guid = GUID_random();
4356 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4357 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4358 12 : options1.signing = SMB_SIGNING_REQUIRED;
4359 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4360 : .num_algos = 1,
4361 : .algos = {
4362 : SMB2_SIGNING_AES128_CMAC,
4363 : },
4364 : };
4365 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4366 : .num_algos = 1,
4367 : .algos = {
4368 : SMB2_ENCRYPTION_AES128_CCM,
4369 : },
4370 : };
4371 :
4372 : /* different client guid */
4373 12 : options2 = options1;
4374 12 : options2.client_guid = GUID_random();
4375 12 : options2.only_negprot = true;
4376 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4377 : .num_algos = 1,
4378 : .algos = {
4379 : SMB2_SIGNING_AES128_GMAC,
4380 : },
4381 : };
4382 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4383 : .num_algos = 1,
4384 : .algos = {
4385 : SMB2_ENCRYPTION_AES128_GCM,
4386 : },
4387 : };
4388 :
4389 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4390 : credentials,
4391 : &options1, &options2,
4392 12 : NT_STATUS_NOT_SUPPORTED);
4393 12 : talloc_free(tree0);
4394 12 : return ret;
4395 : }
4396 :
4397 12 : static bool test_session_bind_negative_smb3sneHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4398 : {
4399 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4400 12 : struct cli_credentials *credentials = NULL;
4401 12 : bool ret = false;
4402 12 : struct smb2_transport *transport0 = tree0->session->transport;
4403 2 : struct smbcli_options options1;
4404 2 : struct smbcli_options options2;
4405 2 : bool ok;
4406 :
4407 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4408 0 : torture_skip(tctx,
4409 : "Can't test without SMB 3.1.1 support");
4410 : }
4411 :
4412 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4413 0 : torture_skip(tctx,
4414 : "Can't test without SMB 3.1.1 signing negotiation support");
4415 : }
4416 :
4417 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4418 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4419 12 : ok = cli_credentials_set_smb_encryption(credentials,
4420 : SMB_ENCRYPTION_REQUIRED,
4421 : CRED_SPECIFIED);
4422 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4423 :
4424 12 : options1 = transport0->options;
4425 12 : options1.client_guid = GUID_random();
4426 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4427 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4428 12 : options1.signing = SMB_SIGNING_REQUIRED;
4429 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4430 : .num_algos = 1,
4431 : .algos = {
4432 : SMB2_SIGNING_HMAC_SHA256,
4433 : },
4434 : };
4435 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4436 : .num_algos = 1,
4437 : .algos = {
4438 : SMB2_ENCRYPTION_AES128_CCM,
4439 : },
4440 : };
4441 :
4442 : /* same client guid */
4443 12 : options2 = options1;
4444 12 : options2.only_negprot = true;
4445 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4446 : .num_algos = 1,
4447 : .algos = {
4448 : SMB2_SIGNING_AES128_GMAC,
4449 : },
4450 : };
4451 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4452 : .num_algos = 1,
4453 : .algos = {
4454 : SMB2_ENCRYPTION_AES128_GCM,
4455 : },
4456 : };
4457 :
4458 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4459 : credentials,
4460 : &options1, &options2,
4461 12 : NT_STATUS_NOT_SUPPORTED);
4462 12 : talloc_free(tree0);
4463 12 : return ret;
4464 : }
4465 :
4466 12 : static bool test_session_bind_negative_smb3sneHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4467 : {
4468 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4469 12 : struct cli_credentials *credentials = NULL;
4470 12 : bool ret = false;
4471 12 : struct smb2_transport *transport0 = tree0->session->transport;
4472 2 : struct smbcli_options options1;
4473 2 : struct smbcli_options options2;
4474 2 : bool ok;
4475 :
4476 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4477 0 : torture_skip(tctx,
4478 : "Can't test without SMB 3.1.1 support");
4479 : }
4480 :
4481 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4482 0 : torture_skip(tctx,
4483 : "Can't test without SMB 3.1.1 signing negotiation support");
4484 : }
4485 :
4486 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4487 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4488 12 : ok = cli_credentials_set_smb_encryption(credentials,
4489 : SMB_ENCRYPTION_REQUIRED,
4490 : CRED_SPECIFIED);
4491 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4492 :
4493 12 : options1 = transport0->options;
4494 12 : options1.client_guid = GUID_random();
4495 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4496 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4497 12 : options1.signing = SMB_SIGNING_REQUIRED;
4498 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4499 : .num_algos = 1,
4500 : .algos = {
4501 : SMB2_SIGNING_HMAC_SHA256,
4502 : },
4503 : };
4504 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4505 : .num_algos = 1,
4506 : .algos = {
4507 : SMB2_ENCRYPTION_AES128_CCM,
4508 : },
4509 : };
4510 :
4511 : /* different client guid */
4512 12 : options2 = options1;
4513 12 : options2.client_guid = GUID_random();
4514 12 : options2.only_negprot = true;
4515 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4516 : .num_algos = 1,
4517 : .algos = {
4518 : SMB2_SIGNING_AES128_GMAC,
4519 : },
4520 : };
4521 12 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4522 : .num_algos = 1,
4523 : .algos = {
4524 : SMB2_ENCRYPTION_AES128_GCM,
4525 : },
4526 : };
4527 :
4528 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4529 : credentials,
4530 : &options1, &options2,
4531 12 : NT_STATUS_NOT_SUPPORTED);
4532 12 : talloc_free(tree0);
4533 12 : return ret;
4534 : }
4535 :
4536 12 : static bool test_session_bind_negative_smb3signC30toGs(struct torture_context *tctx, struct smb2_tree *tree0)
4537 : {
4538 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4539 12 : struct cli_credentials *credentials = NULL;
4540 12 : bool ret = false;
4541 12 : struct smb2_transport *transport0 = tree0->session->transport;
4542 2 : struct smbcli_options options1;
4543 2 : struct smbcli_options options2;
4544 2 : bool ok;
4545 :
4546 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4547 0 : torture_skip(tctx,
4548 : "Can't test without SMB 3.1.1 support");
4549 : }
4550 :
4551 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4552 0 : torture_skip(tctx,
4553 : "Can't test without SMB 3.1.1 signing negotiation support");
4554 : }
4555 :
4556 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4557 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4558 12 : ok = cli_credentials_set_smb_encryption(credentials,
4559 : SMB_ENCRYPTION_REQUIRED,
4560 : CRED_SPECIFIED);
4561 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4562 :
4563 12 : options1 = transport0->options;
4564 12 : options1.client_guid = GUID_random();
4565 12 : options1.min_protocol = PROTOCOL_SMB3_00;
4566 12 : options1.max_protocol = PROTOCOL_SMB3_02;
4567 12 : options1.signing = SMB_SIGNING_REQUIRED;
4568 :
4569 : /* same client guid */
4570 12 : options2 = options1;
4571 12 : options2.only_negprot = true;
4572 12 : options2.min_protocol = PROTOCOL_SMB3_11;
4573 12 : options2.max_protocol = PROTOCOL_SMB3_11;
4574 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4575 : .num_algos = 1,
4576 : .algos = {
4577 : SMB2_SIGNING_AES128_GMAC,
4578 : },
4579 : };
4580 :
4581 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4582 : credentials,
4583 : &options1, &options2,
4584 12 : NT_STATUS_NOT_SUPPORTED);
4585 12 : talloc_free(tree0);
4586 12 : return ret;
4587 : }
4588 :
4589 12 : static bool test_session_bind_negative_smb3signC30toGd(struct torture_context *tctx, struct smb2_tree *tree0)
4590 : {
4591 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4592 12 : struct cli_credentials *credentials = NULL;
4593 12 : bool ret = false;
4594 12 : struct smb2_transport *transport0 = tree0->session->transport;
4595 2 : struct smbcli_options options1;
4596 2 : struct smbcli_options options2;
4597 2 : bool ok;
4598 :
4599 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4600 0 : torture_skip(tctx,
4601 : "Can't test without SMB 3.1.1 support");
4602 : }
4603 :
4604 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4605 0 : torture_skip(tctx,
4606 : "Can't test without SMB 3.1.1 signing negotiation support");
4607 : }
4608 :
4609 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4610 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4611 12 : ok = cli_credentials_set_smb_encryption(credentials,
4612 : SMB_ENCRYPTION_REQUIRED,
4613 : CRED_SPECIFIED);
4614 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4615 :
4616 12 : options1 = transport0->options;
4617 12 : options1.client_guid = GUID_random();
4618 12 : options1.min_protocol = PROTOCOL_SMB3_00;
4619 12 : options1.max_protocol = PROTOCOL_SMB3_02;
4620 12 : options1.signing = SMB_SIGNING_REQUIRED;
4621 :
4622 : /* different client guid */
4623 12 : options2 = options1;
4624 12 : options2.client_guid = GUID_random();
4625 12 : options2.only_negprot = true;
4626 12 : options2.min_protocol = PROTOCOL_SMB3_11;
4627 12 : options2.max_protocol = PROTOCOL_SMB3_11;
4628 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4629 : .num_algos = 1,
4630 : .algos = {
4631 : SMB2_SIGNING_AES128_GMAC,
4632 : },
4633 : };
4634 :
4635 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4636 : credentials,
4637 : &options1, &options2,
4638 12 : NT_STATUS_NOT_SUPPORTED);
4639 12 : talloc_free(tree0);
4640 12 : return ret;
4641 : }
4642 :
4643 12 : static bool test_session_bind_negative_smb3signH2XtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4644 : {
4645 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4646 12 : struct cli_credentials *credentials = NULL;
4647 12 : bool ret = false;
4648 12 : struct smb2_transport *transport0 = tree0->session->transport;
4649 2 : struct smbcli_options options1;
4650 2 : struct smbcli_options options2;
4651 2 : bool ok;
4652 2 : bool encrypted;
4653 :
4654 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4655 12 : if (encrypted) {
4656 2 : torture_skip(tctx,
4657 : "Can't test SMB 2.10 if encryption is required");
4658 : }
4659 :
4660 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4661 0 : torture_skip(tctx,
4662 : "Can't test without SMB 3.1.1 support");
4663 : }
4664 :
4665 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4666 0 : torture_skip(tctx,
4667 : "Can't test without SMB 3.1.1 signing negotiation support");
4668 : }
4669 :
4670 10 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4671 10 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4672 10 : ok = cli_credentials_set_smb_encryption(credentials,
4673 : SMB_ENCRYPTION_OFF,
4674 : CRED_SPECIFIED);
4675 10 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4676 :
4677 10 : options1 = transport0->options;
4678 10 : options1.client_guid = GUID_random();
4679 10 : options1.min_protocol = PROTOCOL_SMB2_02;
4680 10 : options1.max_protocol = PROTOCOL_SMB2_10;
4681 10 : options1.signing = SMB_SIGNING_REQUIRED;
4682 :
4683 : /* same client guid */
4684 10 : options2 = options1;
4685 10 : options2.only_negprot = true;
4686 10 : options2.min_protocol = PROTOCOL_SMB3_11;
4687 10 : options2.max_protocol = PROTOCOL_SMB3_11;
4688 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4689 : .num_algos = 1,
4690 : .algos = {
4691 : SMB2_SIGNING_AES128_GMAC,
4692 : },
4693 : };
4694 :
4695 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4696 : credentials,
4697 : &options1, &options2,
4698 10 : NT_STATUS_NOT_SUPPORTED);
4699 10 : talloc_free(tree0);
4700 10 : return ret;
4701 : }
4702 :
4703 12 : static bool test_session_bind_negative_smb3signH2XtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4704 : {
4705 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4706 12 : struct cli_credentials *credentials = NULL;
4707 12 : bool ret = false;
4708 12 : struct smb2_transport *transport0 = tree0->session->transport;
4709 2 : struct smbcli_options options1;
4710 2 : struct smbcli_options options2;
4711 2 : bool ok;
4712 2 : bool encrypted;
4713 :
4714 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4715 12 : if (encrypted) {
4716 2 : torture_skip(tctx,
4717 : "Can't test SMB 2.10 if encryption is required");
4718 : }
4719 :
4720 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4721 0 : torture_skip(tctx,
4722 : "Can't test without SMB 3.1.1 support");
4723 : }
4724 :
4725 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4726 0 : torture_skip(tctx,
4727 : "Can't test without SMB 3.1.1 signing negotiation support");
4728 : }
4729 :
4730 10 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4731 10 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4732 10 : ok = cli_credentials_set_smb_encryption(credentials,
4733 : SMB_ENCRYPTION_OFF,
4734 : CRED_SPECIFIED);
4735 10 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4736 :
4737 10 : options1 = transport0->options;
4738 10 : options1.client_guid = GUID_random();
4739 10 : options1.min_protocol = PROTOCOL_SMB2_02;
4740 10 : options1.max_protocol = PROTOCOL_SMB2_10;
4741 10 : options1.signing = SMB_SIGNING_REQUIRED;
4742 :
4743 : /* different client guid */
4744 10 : options2 = options1;
4745 10 : options2.client_guid = GUID_random();
4746 10 : options2.only_negprot = true;
4747 10 : options2.min_protocol = PROTOCOL_SMB3_11;
4748 10 : options2.max_protocol = PROTOCOL_SMB3_11;
4749 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4750 : .num_algos = 1,
4751 : .algos = {
4752 : SMB2_SIGNING_AES128_GMAC,
4753 : },
4754 : };
4755 :
4756 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4757 : credentials,
4758 : &options1, &options2,
4759 10 : NT_STATUS_NOT_SUPPORTED);
4760 10 : talloc_free(tree0);
4761 10 : return ret;
4762 : }
4763 :
4764 12 : static bool test_session_bind_negative_smb3signGtoC30s(struct torture_context *tctx, struct smb2_tree *tree0)
4765 : {
4766 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4767 12 : struct cli_credentials *credentials = NULL;
4768 12 : bool ret = false;
4769 12 : struct smb2_transport *transport0 = tree0->session->transport;
4770 2 : struct smbcli_options options1;
4771 2 : struct smbcli_options options2;
4772 2 : bool ok;
4773 :
4774 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4775 0 : torture_skip(tctx,
4776 : "Can't test without SMB 3.1.1 support");
4777 : }
4778 :
4779 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4780 0 : torture_skip(tctx,
4781 : "Can't test without SMB 3.1.1 signing negotiation support");
4782 : }
4783 :
4784 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4785 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4786 12 : ok = cli_credentials_set_smb_encryption(credentials,
4787 : SMB_ENCRYPTION_REQUIRED,
4788 : CRED_SPECIFIED);
4789 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4790 :
4791 12 : options1 = transport0->options;
4792 12 : options1.client_guid = GUID_random();
4793 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4794 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4795 12 : options1.signing = SMB_SIGNING_REQUIRED;
4796 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4797 : .num_algos = 1,
4798 : .algos = {
4799 : SMB2_SIGNING_AES128_GMAC,
4800 : },
4801 : };
4802 :
4803 : /* same client guid */
4804 12 : options2 = options1;
4805 12 : options2.only_negprot = true;
4806 12 : options2.min_protocol = PROTOCOL_SMB3_00;
4807 12 : options2.max_protocol = PROTOCOL_SMB3_02;
4808 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4809 : .num_algos = 1,
4810 : .algos = {
4811 : SMB2_SIGNING_AES128_CMAC,
4812 : },
4813 : };
4814 :
4815 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4816 : credentials,
4817 : &options1, &options2,
4818 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4819 12 : talloc_free(tree0);
4820 12 : return ret;
4821 : }
4822 :
4823 12 : static bool test_session_bind_negative_smb3signGtoC30d(struct torture_context *tctx, struct smb2_tree *tree0)
4824 : {
4825 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4826 12 : struct cli_credentials *credentials = NULL;
4827 12 : bool ret = false;
4828 12 : struct smb2_transport *transport0 = tree0->session->transport;
4829 2 : struct smbcli_options options1;
4830 2 : struct smbcli_options options2;
4831 2 : bool ok;
4832 :
4833 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4834 0 : torture_skip(tctx,
4835 : "Can't test without SMB 3.1.1 support");
4836 : }
4837 :
4838 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4839 0 : torture_skip(tctx,
4840 : "Can't test without SMB 3.1.1 signing negotiation support");
4841 : }
4842 :
4843 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4844 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4845 12 : ok = cli_credentials_set_smb_encryption(credentials,
4846 : SMB_ENCRYPTION_REQUIRED,
4847 : CRED_SPECIFIED);
4848 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4849 :
4850 12 : options1 = transport0->options;
4851 12 : options1.client_guid = GUID_random();
4852 12 : options1.min_protocol = PROTOCOL_SMB3_11;
4853 12 : options1.max_protocol = PROTOCOL_SMB3_11;
4854 12 : options1.signing = SMB_SIGNING_REQUIRED;
4855 12 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4856 : .num_algos = 1,
4857 : .algos = {
4858 : SMB2_SIGNING_AES128_GMAC,
4859 : },
4860 : };
4861 :
4862 : /* different client guid */
4863 12 : options2 = options1;
4864 12 : options2.client_guid = GUID_random();
4865 12 : options2.only_negprot = true;
4866 12 : options2.min_protocol = PROTOCOL_SMB3_00;
4867 12 : options2.max_protocol = PROTOCOL_SMB3_02;
4868 12 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4869 : .num_algos = 1,
4870 : .algos = {
4871 : SMB2_SIGNING_AES128_CMAC,
4872 : },
4873 : };
4874 :
4875 14 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4876 : credentials,
4877 : &options1, &options2,
4878 12 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4879 12 : talloc_free(tree0);
4880 12 : return ret;
4881 : }
4882 :
4883 12 : static bool test_session_bind_negative_smb3signGtoH2Xs(struct torture_context *tctx, struct smb2_tree *tree0)
4884 : {
4885 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4886 12 : struct cli_credentials *credentials = NULL;
4887 12 : bool ret = false;
4888 12 : struct smb2_transport *transport0 = tree0->session->transport;
4889 2 : struct smbcli_options options1;
4890 2 : struct smbcli_options options2;
4891 2 : bool ok;
4892 2 : bool encrypted;
4893 :
4894 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4895 12 : if (encrypted) {
4896 2 : torture_skip(tctx,
4897 : "Can't test SMB 2.10 if encryption is required");
4898 : }
4899 :
4900 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4901 0 : torture_skip(tctx,
4902 : "Can't test without SMB 3.1.1 support");
4903 : }
4904 :
4905 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4906 0 : torture_skip(tctx,
4907 : "Can't test without SMB 3.1.1 signing negotiation support");
4908 : }
4909 :
4910 10 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4911 10 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4912 10 : ok = cli_credentials_set_smb_encryption(credentials,
4913 : SMB_ENCRYPTION_REQUIRED,
4914 : CRED_SPECIFIED);
4915 10 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4916 :
4917 10 : options1 = transport0->options;
4918 10 : options1.client_guid = GUID_random();
4919 10 : options1.min_protocol = PROTOCOL_SMB3_11;
4920 10 : options1.max_protocol = PROTOCOL_SMB3_11;
4921 10 : options1.signing = SMB_SIGNING_REQUIRED;
4922 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4923 : .num_algos = 1,
4924 : .algos = {
4925 : SMB2_SIGNING_AES128_GMAC,
4926 : },
4927 : };
4928 :
4929 : /* same client guid */
4930 10 : options2 = options1;
4931 10 : options2.only_negprot = true;
4932 10 : options2.min_protocol = PROTOCOL_SMB2_02;
4933 10 : options2.max_protocol = PROTOCOL_SMB2_10;
4934 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4935 : .num_algos = 1,
4936 : .algos = {
4937 : SMB2_SIGNING_HMAC_SHA256,
4938 : },
4939 : };
4940 :
4941 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4942 : credentials,
4943 : &options1, &options2,
4944 10 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4945 10 : talloc_free(tree0);
4946 10 : return ret;
4947 : }
4948 :
4949 12 : static bool test_session_bind_negative_smb3signGtoH2Xd(struct torture_context *tctx, struct smb2_tree *tree0)
4950 : {
4951 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4952 12 : struct cli_credentials *credentials = NULL;
4953 12 : bool ret = false;
4954 12 : struct smb2_transport *transport0 = tree0->session->transport;
4955 2 : struct smbcli_options options1;
4956 2 : struct smbcli_options options2;
4957 2 : bool ok;
4958 2 : bool encrypted;
4959 :
4960 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4961 12 : if (encrypted) {
4962 2 : torture_skip(tctx,
4963 : "Can't test SMB 2.10 if encryption is required");
4964 : }
4965 :
4966 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4967 0 : torture_skip(tctx,
4968 : "Can't test without SMB 3.1.1 support");
4969 : }
4970 :
4971 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4972 0 : torture_skip(tctx,
4973 : "Can't test without SMB 3.1.1 signing negotiation support");
4974 : }
4975 :
4976 10 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4977 10 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4978 10 : ok = cli_credentials_set_smb_encryption(credentials,
4979 : SMB_ENCRYPTION_REQUIRED,
4980 : CRED_SPECIFIED);
4981 10 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4982 :
4983 10 : options1 = transport0->options;
4984 10 : options1.client_guid = GUID_random();
4985 10 : options1.min_protocol = PROTOCOL_SMB3_11;
4986 10 : options1.max_protocol = PROTOCOL_SMB3_11;
4987 10 : options1.signing = SMB_SIGNING_REQUIRED;
4988 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4989 : .num_algos = 1,
4990 : .algos = {
4991 : SMB2_SIGNING_AES128_GMAC,
4992 : },
4993 : };
4994 :
4995 : /* different client guid */
4996 10 : options2 = options1;
4997 10 : options2.client_guid = GUID_random();
4998 10 : options2.only_negprot = true;
4999 10 : options2.min_protocol = PROTOCOL_SMB2_02;
5000 10 : options2.max_protocol = PROTOCOL_SMB2_10;
5001 10 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5002 : .num_algos = 1,
5003 : .algos = {
5004 : SMB2_SIGNING_HMAC_SHA256,
5005 : },
5006 : };
5007 :
5008 12 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
5009 : credentials,
5010 : &options1, &options2,
5011 10 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
5012 10 : talloc_free(tree0);
5013 10 : return ret;
5014 : }
5015 :
5016 12 : static bool test_session_two_logoff(struct torture_context *tctx,
5017 : struct smb2_tree *tree1)
5018 : {
5019 2 : NTSTATUS status;
5020 12 : bool ret = true;
5021 2 : struct smbcli_options transport2_options;
5022 12 : struct smb2_tree *tree2 = NULL;
5023 12 : struct smb2_session *session2 = NULL;
5024 12 : struct smb2_session *session1 = tree1->session;
5025 12 : struct smb2_transport *transport1 = tree1->session->transport;
5026 2 : struct smb2_transport *transport2;
5027 2 : bool ok;
5028 :
5029 : /* Connect 2nd connection */
5030 12 : torture_comment(tctx, "connect tree2 with the same client_guid\n");
5031 12 : transport2_options = transport1->options;
5032 12 : ok = torture_smb2_connection_ext(tctx, 0, &transport2_options, &tree2);
5033 12 : torture_assert(tctx, ok, "couldn't connect tree2\n");
5034 12 : transport2 = tree2->session->transport;
5035 12 : session2 = tree2->session;
5036 :
5037 12 : torture_comment(tctx, "session2: logoff\n");
5038 12 : status = smb2_logoff(session2);
5039 12 : torture_assert_ntstatus_ok(tctx, status, "session2: logoff");
5040 12 : torture_comment(tctx, "transport2: keepalive\n");
5041 12 : status = smb2_keepalive(transport2);
5042 12 : torture_assert_ntstatus_ok(tctx, status, "transport2: keepalive");
5043 12 : torture_comment(tctx, "transport2: disconnect\n");
5044 12 : TALLOC_FREE(tree2);
5045 :
5046 12 : torture_comment(tctx, "session1: logoff\n");
5047 12 : status = smb2_logoff(session1);
5048 12 : torture_assert_ntstatus_ok(tctx, status, "session1: logoff");
5049 12 : torture_comment(tctx, "transport1: keepalive\n");
5050 12 : status = smb2_keepalive(transport1);
5051 12 : torture_assert_ntstatus_ok(tctx, status, "transport1: keepalive");
5052 12 : torture_comment(tctx, "transport1: disconnect\n");
5053 12 : TALLOC_FREE(tree1);
5054 :
5055 12 : return ret;
5056 : }
5057 :
5058 78 : static bool test_session_sign_enc(struct torture_context *tctx,
5059 : const char *testname,
5060 : struct cli_credentials *credentials1,
5061 : const struct smbcli_options *options1)
5062 : {
5063 78 : const char *host = torture_setting_string(tctx, "host", NULL);
5064 78 : const char *share = torture_setting_string(tctx, "share", NULL);
5065 14 : NTSTATUS status;
5066 78 : bool ret = false;
5067 78 : struct smb2_tree *tree1 = NULL;
5068 14 : char fname[256];
5069 78 : struct smb2_handle rh = {{0}};
5070 14 : struct smb2_handle _h1;
5071 78 : struct smb2_handle *h1 = NULL;
5072 14 : struct smb2_create io1;
5073 14 : union smb_fileinfo qfinfo1;
5074 14 : union smb_notify notify;
5075 78 : struct smb2_request *req = NULL;
5076 :
5077 78 : status = smb2_connect(tctx,
5078 : host,
5079 : lpcfg_smb_ports(tctx->lp_ctx),
5080 : share,
5081 : lpcfg_resolve_context(tctx->lp_ctx),
5082 : credentials1,
5083 : &tree1,
5084 : tctx->ev,
5085 : options1,
5086 : lpcfg_socket_options(tctx->lp_ctx),
5087 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
5088 : );
5089 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5090 : "smb2_connect options1 failed");
5091 :
5092 78 : status = smb2_util_roothandle(tree1, &rh);
5093 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5094 : "smb2_util_roothandle failed");
5095 :
5096 : /* Add some random component to the file name. */
5097 78 : snprintf(fname, sizeof(fname), "%s_%s.dat",
5098 : testname, generate_random_str(tctx, 8));
5099 :
5100 78 : smb2_util_unlink(tree1, fname);
5101 :
5102 78 : smb2_oplock_create_share(&io1, fname,
5103 : smb2_util_share_access(""),
5104 78 : smb2_util_oplock_level("b"));
5105 :
5106 78 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
5107 78 : status = smb2_create(tree1, tctx, &io1);
5108 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5109 : "smb2_create failed");
5110 78 : _h1 = io1.out.file.handle;
5111 78 : h1 = &_h1;
5112 78 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
5113 78 : torture_assert_int_equal(tctx, io1.out.oplock_level,
5114 : smb2_util_oplock_level("b"),
5115 : "oplock_level incorrect");
5116 :
5117 : /* Check the initial session is still alive */
5118 78 : ZERO_STRUCT(qfinfo1);
5119 78 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5120 78 : qfinfo1.generic.in.file.handle = _h1;
5121 78 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5122 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5123 : "smb2_getinfo_file failed");
5124 :
5125 : /* ask for a change notify,
5126 : on file or directory name changes */
5127 78 : ZERO_STRUCT(notify);
5128 78 : notify.smb2.level = RAW_NOTIFY_SMB2;
5129 78 : notify.smb2.in.buffer_size = 1000;
5130 78 : notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
5131 78 : notify.smb2.in.file.handle = rh;
5132 78 : notify.smb2.in.recursive = true;
5133 :
5134 78 : req = smb2_notify_send(tree1, &(notify.smb2));
5135 390 : WAIT_FOR_ASYNC_RESPONSE(req);
5136 :
5137 78 : status = smb2_cancel(req);
5138 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5139 : "smb2_cancel failed");
5140 :
5141 78 : status = smb2_notify_recv(req, tctx, &(notify.smb2));
5142 78 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_CANCELLED,
5143 : ret, done,
5144 : "smb2_notify_recv failed");
5145 :
5146 : /* Check the initial session is still alive */
5147 78 : ZERO_STRUCT(qfinfo1);
5148 78 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5149 78 : qfinfo1.generic.in.file.handle = _h1;
5150 78 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5151 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5152 : "smb2_getinfo_file failed");
5153 :
5154 64 : ret = true;
5155 78 : done:
5156 64 : if (h1 != NULL) {
5157 78 : smb2_util_close(tree1, *h1);
5158 : }
5159 78 : TALLOC_FREE(tree1);
5160 :
5161 64 : return ret;
5162 : }
5163 :
5164 12 : static bool test_session_signing_hmac_sha_256(struct torture_context *tctx, struct smb2_tree *tree0)
5165 : {
5166 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5167 12 : bool ret = false;
5168 12 : struct smb2_transport *transport0 = tree0->session->transport;
5169 2 : struct smbcli_options options1;
5170 2 : bool encrypted;
5171 :
5172 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5173 12 : if (encrypted) {
5174 2 : torture_skip(tctx,
5175 : "Can't test signing only if encryption is required");
5176 : }
5177 :
5178 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5179 0 : torture_skip(tctx,
5180 : "Can't test without SMB 3.1.1 support");
5181 : }
5182 :
5183 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5184 0 : torture_skip(tctx,
5185 : "Can't test without SMB 3.1.1 signing negotiation support");
5186 : }
5187 :
5188 10 : options1 = transport0->options;
5189 10 : options1.client_guid = GUID_random();
5190 10 : options1.min_protocol = PROTOCOL_SMB3_11;
5191 10 : options1.max_protocol = PROTOCOL_SMB3_11;
5192 10 : options1.signing = SMB_SIGNING_REQUIRED;
5193 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5194 : .num_algos = 1,
5195 : .algos = {
5196 : SMB2_SIGNING_HMAC_SHA256,
5197 : },
5198 : };
5199 :
5200 10 : ret = test_session_sign_enc(tctx,
5201 : __func__,
5202 : credentials,
5203 : &options1);
5204 10 : TALLOC_FREE(tree0);
5205 10 : return ret;
5206 : }
5207 :
5208 12 : static bool test_session_signing_aes_128_cmac(struct torture_context *tctx, struct smb2_tree *tree0)
5209 : {
5210 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5211 12 : bool ret = false;
5212 12 : struct smb2_transport *transport0 = tree0->session->transport;
5213 2 : struct smbcli_options options1;
5214 2 : bool encrypted;
5215 :
5216 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5217 12 : if (encrypted) {
5218 2 : torture_skip(tctx,
5219 : "Can't test signing only if encryption is required");
5220 : }
5221 :
5222 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5223 0 : torture_skip(tctx,
5224 : "Can't test without SMB 3.1.1 support");
5225 : }
5226 :
5227 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5228 0 : torture_skip(tctx,
5229 : "Can't test without SMB 3.1.1 signing negotiation support");
5230 : }
5231 :
5232 10 : options1 = transport0->options;
5233 10 : options1.client_guid = GUID_random();
5234 10 : options1.min_protocol = PROTOCOL_SMB3_11;
5235 10 : options1.max_protocol = PROTOCOL_SMB3_11;
5236 10 : options1.signing = SMB_SIGNING_REQUIRED;
5237 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5238 : .num_algos = 1,
5239 : .algos = {
5240 : SMB2_SIGNING_AES128_CMAC,
5241 : },
5242 : };
5243 :
5244 10 : ret = test_session_sign_enc(tctx,
5245 : __func__,
5246 : credentials,
5247 : &options1);
5248 10 : TALLOC_FREE(tree0);
5249 10 : return ret;
5250 : }
5251 :
5252 12 : static bool test_session_signing_aes_128_gmac(struct torture_context *tctx, struct smb2_tree *tree0)
5253 : {
5254 12 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5255 12 : bool ret = false;
5256 12 : struct smb2_transport *transport0 = tree0->session->transport;
5257 2 : struct smbcli_options options1;
5258 2 : bool encrypted;
5259 :
5260 12 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5261 12 : if (encrypted) {
5262 2 : torture_skip(tctx,
5263 : "Can't test signing only if encryption is required");
5264 : }
5265 :
5266 10 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5267 0 : torture_skip(tctx,
5268 : "Can't test without SMB 3.1.1 support");
5269 : }
5270 :
5271 10 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5272 0 : torture_skip(tctx,
5273 : "Can't test without SMB 3.1.1 signing negotiation support");
5274 : }
5275 :
5276 10 : options1 = transport0->options;
5277 10 : options1.client_guid = GUID_random();
5278 10 : options1.min_protocol = PROTOCOL_SMB3_11;
5279 10 : options1.max_protocol = PROTOCOL_SMB3_11;
5280 10 : options1.signing = SMB_SIGNING_REQUIRED;
5281 10 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5282 : .num_algos = 1,
5283 : .algos = {
5284 : SMB2_SIGNING_AES128_GMAC,
5285 : },
5286 : };
5287 :
5288 10 : ret = test_session_sign_enc(tctx,
5289 : __func__,
5290 : credentials,
5291 : &options1);
5292 10 : TALLOC_FREE(tree0);
5293 10 : return ret;
5294 : }
5295 :
5296 12 : static bool test_session_encryption_aes_128_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5297 : {
5298 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5299 12 : struct cli_credentials *credentials = NULL;
5300 12 : bool ret = false;
5301 12 : struct smb2_transport *transport0 = tree0->session->transport;
5302 2 : struct smbcli_options options1;
5303 2 : bool ok;
5304 :
5305 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5306 0 : torture_skip(tctx,
5307 : "Can't test without SMB 3.1.1 support");
5308 : }
5309 :
5310 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5311 0 : torture_skip(tctx,
5312 : "Can't test without SMB 3.1.1 signing negotiation support");
5313 : }
5314 :
5315 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5316 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5317 12 : ok = cli_credentials_set_smb_encryption(credentials,
5318 : SMB_ENCRYPTION_REQUIRED,
5319 : CRED_SPECIFIED);
5320 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5321 :
5322 12 : options1 = transport0->options;
5323 12 : options1.client_guid = GUID_random();
5324 12 : options1.min_protocol = PROTOCOL_SMB3_11;
5325 12 : options1.max_protocol = PROTOCOL_SMB3_11;
5326 12 : options1.signing = SMB_SIGNING_REQUIRED;
5327 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5328 : .num_algos = 1,
5329 : .algos = {
5330 : SMB2_ENCRYPTION_AES128_CCM,
5331 : },
5332 : };
5333 :
5334 12 : ret = test_session_sign_enc(tctx,
5335 : __func__,
5336 : credentials,
5337 : &options1);
5338 12 : TALLOC_FREE(tree0);
5339 12 : return ret;
5340 : }
5341 :
5342 12 : static bool test_session_encryption_aes_128_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5343 : {
5344 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5345 12 : struct cli_credentials *credentials = NULL;
5346 12 : bool ret = false;
5347 12 : struct smb2_transport *transport0 = tree0->session->transport;
5348 2 : struct smbcli_options options1;
5349 2 : bool ok;
5350 :
5351 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5352 0 : torture_skip(tctx,
5353 : "Can't test without SMB 3.1.1 support");
5354 : }
5355 :
5356 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5357 0 : torture_skip(tctx,
5358 : "Can't test without SMB 3.1.1 signing negotiation support");
5359 : }
5360 :
5361 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5362 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5363 12 : ok = cli_credentials_set_smb_encryption(credentials,
5364 : SMB_ENCRYPTION_REQUIRED,
5365 : CRED_SPECIFIED);
5366 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5367 :
5368 12 : options1 = transport0->options;
5369 12 : options1.client_guid = GUID_random();
5370 12 : options1.min_protocol = PROTOCOL_SMB3_11;
5371 12 : options1.max_protocol = PROTOCOL_SMB3_11;
5372 12 : options1.signing = SMB_SIGNING_REQUIRED;
5373 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5374 : .num_algos = 1,
5375 : .algos = {
5376 : SMB2_ENCRYPTION_AES128_GCM,
5377 : },
5378 : };
5379 :
5380 12 : ret = test_session_sign_enc(tctx,
5381 : __func__,
5382 : credentials,
5383 : &options1);
5384 12 : TALLOC_FREE(tree0);
5385 12 : return ret;
5386 : }
5387 :
5388 12 : static bool test_session_encryption_aes_256_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5389 : {
5390 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5391 12 : struct cli_credentials *credentials = NULL;
5392 12 : bool ret = false;
5393 12 : struct smb2_transport *transport0 = tree0->session->transport;
5394 2 : struct smbcli_options options1;
5395 2 : bool ok;
5396 :
5397 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5398 0 : torture_skip(tctx,
5399 : "Can't test without SMB 3.1.1 support");
5400 : }
5401 :
5402 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5403 0 : torture_skip(tctx,
5404 : "Can't test without SMB 3.1.1 signing negotiation support");
5405 : }
5406 :
5407 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5408 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5409 12 : ok = cli_credentials_set_smb_encryption(credentials,
5410 : SMB_ENCRYPTION_REQUIRED,
5411 : CRED_SPECIFIED);
5412 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5413 :
5414 12 : options1 = transport0->options;
5415 12 : options1.client_guid = GUID_random();
5416 12 : options1.min_protocol = PROTOCOL_SMB3_11;
5417 12 : options1.max_protocol = PROTOCOL_SMB3_11;
5418 12 : options1.signing = SMB_SIGNING_REQUIRED;
5419 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5420 : .num_algos = 1,
5421 : .algos = {
5422 : SMB2_ENCRYPTION_AES256_CCM,
5423 : },
5424 : };
5425 :
5426 12 : ret = test_session_sign_enc(tctx,
5427 : __func__,
5428 : credentials,
5429 : &options1);
5430 12 : TALLOC_FREE(tree0);
5431 12 : return ret;
5432 : }
5433 :
5434 12 : static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5435 : {
5436 12 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5437 12 : struct cli_credentials *credentials = NULL;
5438 12 : bool ret = false;
5439 12 : struct smb2_transport *transport0 = tree0->session->transport;
5440 2 : struct smbcli_options options1;
5441 2 : bool ok;
5442 :
5443 12 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5444 0 : torture_skip(tctx,
5445 : "Can't test without SMB 3.1.1 support");
5446 : }
5447 :
5448 12 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5449 0 : torture_skip(tctx,
5450 : "Can't test without SMB 3.1.1 signing negotiation support");
5451 : }
5452 :
5453 12 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5454 12 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5455 12 : ok = cli_credentials_set_smb_encryption(credentials,
5456 : SMB_ENCRYPTION_REQUIRED,
5457 : CRED_SPECIFIED);
5458 12 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5459 :
5460 12 : options1 = transport0->options;
5461 12 : options1.client_guid = GUID_random();
5462 12 : options1.min_protocol = PROTOCOL_SMB3_11;
5463 12 : options1.max_protocol = PROTOCOL_SMB3_11;
5464 12 : options1.signing = SMB_SIGNING_REQUIRED;
5465 12 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5466 : .num_algos = 1,
5467 : .algos = {
5468 : SMB2_ENCRYPTION_AES256_GCM,
5469 : },
5470 : };
5471 :
5472 12 : ret = test_session_sign_enc(tctx,
5473 : __func__,
5474 : credentials,
5475 : &options1);
5476 12 : TALLOC_FREE(tree0);
5477 12 : return ret;
5478 : }
5479 :
5480 12 : static bool test_session_ntlmssp_bug14932(struct torture_context *tctx, struct smb2_tree *tree)
5481 : {
5482 2 : struct cli_credentials *ntlm_creds =
5483 12 : cli_credentials_shallow_copy(tctx, samba_cmdline_get_creds());
5484 2 : NTSTATUS status;
5485 12 : bool ret = true;
5486 : /*
5487 : * This is a NTLMv2_RESPONSE with the strange
5488 : * NTLMv2_CLIENT_CHALLENGE used by the net diag
5489 : * tool.
5490 : *
5491 : * As we expect an error anyway we fill the
5492 : * Response part with 0xab...
5493 : */
5494 2 : static const char *netapp_magic =
5495 : "\xab\xab\xab\xab\xab\xab\xab\xab"
5496 : "\xab\xab\xab\xab\xab\xab\xab\xab"
5497 : "\x01\x01\x00\x00\x00\x00\x00\x00"
5498 : "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
5499 : "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
5500 : "\x00\x00\x00\x00\x11\xa2\x08\x81"
5501 : "\x50\x38\x22\x78\x2b\x94\x47\xfe"
5502 : "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
5503 : "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
5504 : "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
5505 : "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
5506 : "\x76\x49\xf5\x45\x90\x19\xa2";
5507 12 : DATA_BLOB lm_response = data_blob_talloc_zero(tctx, 24);
5508 12 : DATA_BLOB lm_session_key = data_blob_talloc_zero(tctx, 16);
5509 12 : DATA_BLOB nt_response = data_blob_const(netapp_magic, 95);
5510 12 : DATA_BLOB nt_session_key = data_blob_talloc_zero(tctx, 16);
5511 :
5512 12 : cli_credentials_set_kerberos_state(ntlm_creds,
5513 : CRED_USE_KERBEROS_DISABLED,
5514 : CRED_SPECIFIED);
5515 12 : cli_credentials_set_ntlm_response(ntlm_creds,
5516 : &lm_response,
5517 : &lm_session_key,
5518 : &nt_response,
5519 : &nt_session_key,
5520 : CRED_SPECIFIED);
5521 12 : status = smb2_session_setup_spnego(tree->session,
5522 : ntlm_creds,
5523 : 0 /* previous_session_id */);
5524 12 : torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
5525 : "smb2_session_setup_spnego failed");
5526 :
5527 10 : return ret;
5528 : }
5529 :
5530 2358 : struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
5531 : {
5532 125 : struct torture_suite *suite =
5533 2358 : torture_suite_create(ctx, "session");
5534 :
5535 2358 : torture_suite_add_1smb2_test(suite, "reconnect1", test_session_reconnect1);
5536 2358 : torture_suite_add_1smb2_test(suite, "reconnect2", test_session_reconnect2);
5537 2358 : torture_suite_add_1smb2_test(suite, "reauth1", test_session_reauth1);
5538 2358 : torture_suite_add_1smb2_test(suite, "reauth2", test_session_reauth2);
5539 2358 : torture_suite_add_1smb2_test(suite, "reauth3", test_session_reauth3);
5540 2358 : torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
5541 2358 : torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
5542 2358 : torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
5543 2358 : torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
5544 2358 : torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
5545 2358 : torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
5546 2358 : torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
5547 2358 : torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
5548 2358 : torture_suite_add_simple_test(suite, "expire_disconnect",
5549 : test_session_expire_disconnect);
5550 2358 : torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
5551 2358 : torture_suite_add_1smb2_test(suite, "bind2", test_session_bind2);
5552 2358 : torture_suite_add_1smb2_test(suite, "bind_invalid_auth", test_session_bind_invalid_auth);
5553 2358 : torture_suite_add_1smb2_test(suite, "bind_different_user", test_session_bind_different_user);
5554 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb202", test_session_bind_negative_smb202);
5555 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb210s", test_session_bind_negative_smb210s);
5556 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb210d", test_session_bind_negative_smb210d);
5557 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3s", test_session_bind_negative_smb2to3s);
5558 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3d", test_session_bind_negative_smb2to3d);
5559 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2s", test_session_bind_negative_smb3to2s);
5560 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2d", test_session_bind_negative_smb3to2d);
5561 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3s", test_session_bind_negative_smb3to3s);
5562 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3d", test_session_bind_negative_smb3to3d);
5563 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCs", test_session_bind_negative_smb3encGtoCs);
5564 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCd", test_session_bind_negative_smb3encGtoCd);
5565 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHs", test_session_bind_negative_smb3signCtoHs);
5566 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHd", test_session_bind_negative_smb3signCtoHd);
5567 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGs", test_session_bind_negative_smb3signCtoGs);
5568 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGd", test_session_bind_negative_smb3signCtoGd);
5569 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCs", test_session_bind_negative_smb3signHtoCs);
5570 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCd", test_session_bind_negative_smb3signHtoCd);
5571 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGs", test_session_bind_negative_smb3signHtoGs);
5572 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGd", test_session_bind_negative_smb3signHtoGd);
5573 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCs", test_session_bind_negative_smb3signGtoCs);
5574 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCd", test_session_bind_negative_smb3signGtoCd);
5575 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHs", test_session_bind_negative_smb3signGtoHs);
5576 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHd", test_session_bind_negative_smb3signGtoHd);
5577 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCs", test_session_bind_negative_smb3sneGtoCs);
5578 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCd", test_session_bind_negative_smb3sneGtoCd);
5579 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHs", test_session_bind_negative_smb3sneGtoHs);
5580 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHd", test_session_bind_negative_smb3sneGtoHd);
5581 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGs", test_session_bind_negative_smb3sneCtoGs);
5582 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGd", test_session_bind_negative_smb3sneCtoGd);
5583 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGs", test_session_bind_negative_smb3sneHtoGs);
5584 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGd", test_session_bind_negative_smb3sneHtoGd);
5585 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGs", test_session_bind_negative_smb3signC30toGs);
5586 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGd", test_session_bind_negative_smb3signC30toGd);
5587 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGs", test_session_bind_negative_smb3signH2XtoGs);
5588 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGd", test_session_bind_negative_smb3signH2XtoGd);
5589 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30s", test_session_bind_negative_smb3signGtoC30s);
5590 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30d", test_session_bind_negative_smb3signGtoC30d);
5591 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xs", test_session_bind_negative_smb3signGtoH2Xs);
5592 2358 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xd", test_session_bind_negative_smb3signGtoH2Xd);
5593 2358 : torture_suite_add_1smb2_test(suite, "two_logoff", test_session_two_logoff);
5594 2358 : torture_suite_add_1smb2_test(suite, "signing-hmac-sha-256", test_session_signing_hmac_sha_256);
5595 2358 : torture_suite_add_1smb2_test(suite, "signing-aes-128-cmac", test_session_signing_aes_128_cmac);
5596 2358 : torture_suite_add_1smb2_test(suite, "signing-aes-128-gmac", test_session_signing_aes_128_gmac);
5597 2358 : torture_suite_add_1smb2_test(suite, "encryption-aes-128-ccm", test_session_encryption_aes_128_ccm);
5598 2358 : torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
5599 2358 : torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
5600 2358 : torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
5601 2358 : torture_suite_add_1smb2_test(suite, "ntlmssp_bug14932", test_session_ntlmssp_bug14932);
5602 :
5603 2358 : suite->description = talloc_strdup(suite, "SMB2-SESSION tests");
5604 :
5605 2358 : return suite;
5606 : }
5607 :
5608 2 : static bool test_session_require_sign_bug15397(struct torture_context *tctx,
5609 : struct smb2_tree *_tree)
5610 : {
5611 2 : const char *host = torture_setting_string(tctx, "host", NULL);
5612 2 : const char *share = torture_setting_string(tctx, "share", NULL);
5613 2 : struct cli_credentials *_creds = samba_cmdline_get_creds();
5614 2 : struct cli_credentials *creds = NULL;
5615 0 : struct smbcli_options options;
5616 2 : struct smb2_tree *tree = NULL;
5617 0 : uint8_t security_mode;
5618 0 : NTSTATUS status;
5619 2 : bool ok = true;
5620 :
5621 : /*
5622 : * Setup our own connection so we can control the signing flags
5623 : */
5624 :
5625 2 : creds = cli_credentials_shallow_copy(tctx, _creds);
5626 2 : torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
5627 :
5628 2 : options = _tree->session->transport->options;
5629 2 : options.client_guid = GUID_random();
5630 2 : options.signing = SMB_SIGNING_IF_REQUIRED;
5631 :
5632 2 : status = smb2_connect(tctx,
5633 : host,
5634 : lpcfg_smb_ports(tctx->lp_ctx),
5635 : share,
5636 : lpcfg_resolve_context(tctx->lp_ctx),
5637 : creds,
5638 : &tree,
5639 : tctx->ev,
5640 : &options,
5641 : lpcfg_socket_options(tctx->lp_ctx),
5642 : lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5643 2 : torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
5644 : "smb2_connect failed");
5645 :
5646 2 : security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
5647 :
5648 2 : torture_assert_int_equal_goto(
5649 : tctx,
5650 : security_mode,
5651 : SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
5652 : ok,
5653 : done,
5654 : "Signing not required");
5655 :
5656 2 : done:
5657 2 : return ok;
5658 : }
5659 :
5660 2358 : struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
5661 : {
5662 125 : struct torture_suite *suite =
5663 2358 : torture_suite_create(ctx, "session-require-signing");
5664 :
5665 2358 : torture_suite_add_1smb2_test(suite, "bug15397",
5666 : test_session_require_sign_bug15397);
5667 :
5668 2358 : suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
5669 2358 : return suite;
5670 : }
|