search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
vfs_ceph_new: common prefix to debug-log messages
[Samba.git] / source4 / torture / smb2 / session.c
blob2a3d0e6e853683678f8fe94c2cf736c8238df9fc
1 /*
2 Unix SMB/CIFS implementation.
3
4 test suite for SMB2 session setups
5
6 Copyright (C) Michael Adam 2012
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libcli/smb2/smb2.h"
24 #include "libcli/smb2/smb2_calls.h"
25 #include "torture/torture.h"
26 #include "torture/util.h"
27 #include "torture/smb2/proto.h"
28 #include "../libcli/smb/smbXcli_base.h"
29 #include "lib/cmdline/cmdline.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/credentials/credentials_krb5.h"
32 #include "libcli/security/security.h"
33 #include "libcli/resolve/resolve.h"
34 #include "lib/param/param.h"
35 #include "lib/util/tevent_ntstatus.h"
36
37 /* Ticket lifetime we want to request in seconds */
38 #define KRB5_TICKET_LIFETIME 5
39 /* Allowed clock skew in seconds */
40 #define KRB5_CLOCKSKEW 5
41 /* Time till ticket fully expired in seconds */
42 #define KRB5_TICKET_EXPIRETIME KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW
43
44 #define texpand(x) #x
45 #define GENSEC_GSSAPI_REQUESTED_LIFETIME(x) \
46 "gensec_gssapi:requested_life_time=" texpand(x)
47
48 #define CHECK_CREATED(tctx, __io, __created, __attribute) \
49 do { \
50 torture_assert_int_equal(tctx, (__io)->out.create_action, \
51 NTCREATEX_ACTION_ ## __created, \
52 "out.create_action incorrect"); \
53 torture_assert_int_equal(tctx, (__io)->out.size, 0, \
54 "out.size incorrect"); \
55 torture_assert_int_equal(tctx, (__io)->out.file_attr, \
56 (__attribute), \
57 "out.file_attr incorrect"); \
58 torture_assert_int_equal(tctx, (__io)->out.reserved2, 0, \
59 "out.reserverd2 incorrect"); \
60 } while(0)
61
62 #define WAIT_FOR_ASYNC_RESPONSE(req) \
63 while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) { \
64 if (tevent_loop_once(tctx->ev) != 0) { \
65 break; \
66 } \
67 }
68
69 static void sleep_remaining(struct torture_context *tctx,
70 const struct timeval *endtime)
71 {
72 struct timeval current = tevent_timeval_current();
73 double remaining_secs = timeval_elapsed2(&current, endtime);
74
75 remaining_secs = remaining_secs < 1.0 ? 1.0 : remaining_secs;
76 torture_comment(
77 tctx,
78 "sleep for %2.f second(s) that the krb5 ticket expires",
79 remaining_secs);
80 smb_msleep((int)(remaining_secs * 1000));
81 }
82
83 /**
84 * basic test for doing a session reconnect
85 */
86 bool test_session_reconnect1(struct torture_context *tctx, struct smb2_tree *tree)
87 {
88 NTSTATUS status;
89 TALLOC_CTX *mem_ctx = talloc_new(tctx);
90 char fname[256];
91 struct smb2_handle _h1;
92 struct smb2_handle *h1 = NULL;
93 struct smb2_handle _h2;
94 struct smb2_handle *h2 = NULL;
95 struct smb2_create io1, io2;
96 uint64_t previous_session_id;
97 bool ret = true;
98 struct smb2_tree *tree2 = NULL;
99 union smb_fileinfo qfinfo;
100
101 /* Add some random component to the file name. */
102 snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
103 generate_random_str(tctx, 8));
104
105 smb2_util_unlink(tree, fname);
106
107 smb2_oplock_create_share(&io1, fname,
108 smb2_util_share_access(""),
109 smb2_util_oplock_level("b"));
110
111 status = smb2_create(tree, mem_ctx, &io1);
112 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
113 "smb2_create failed");
114 _h1 = io1.out.file.handle;
115 h1 = &_h1;
116 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
117 torture_assert_int_equal(tctx, io1.out.oplock_level,
118 smb2_util_oplock_level("b"),
119 "oplock_level incorrect");
120
121 /* disconnect, reconnect and then do durable reopen */
122 previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
123
124 torture_assert_goto(tctx, torture_smb2_connection_ext(tctx, previous_session_id,
125 &tree->session->transport->options, &tree2),
126 ret, done,
127 "session reconnect failed\n");
128
129 /* try to access the file via the old handle */
130
131 ZERO_STRUCT(qfinfo);
132 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
133 qfinfo.generic.in.file.handle = _h1;
134 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
135 torture_assert_ntstatus_equal_goto(tctx, status,
136 NT_STATUS_USER_SESSION_DELETED,
137 ret, done, "smb2_getinfo_file "
138 "returned unexpected status");
139 h1 = NULL;
140
141 smb2_oplock_create_share(&io2, fname,
142 smb2_util_share_access(""),
143 smb2_util_oplock_level("b"));
144
145 status = smb2_create(tree2, mem_ctx, &io2);
146 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
147 "smb2_create failed");
148
149 CHECK_CREATED(tctx, &io2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
150 torture_assert_int_equal(tctx, io1.out.oplock_level,
151 smb2_util_oplock_level("b"),
152 "oplock_level incorrect");
153 _h2 = io2.out.file.handle;
154 h2 = &_h2;
155
156 done:
157 if (h1 != NULL) {
158 smb2_util_close(tree, *h1);
159 }
160 if (h2 != NULL) {
161 smb2_util_close(tree2, *h2);
162 }
163
164 if (tree2 != NULL) {
165 smb2_util_unlink(tree2, fname);
166 }
167 smb2_util_unlink(tree, fname);
168
169 talloc_free(tree);
170 talloc_free(tree2);
171
172 talloc_free(mem_ctx);
173
174 return ret;
175 }
176
177 /**
178 * basic test for doing a session reconnect on one connection
179 */
180 bool test_session_reconnect2(struct torture_context *tctx, struct smb2_tree *tree)
181 {
182 NTSTATUS status;
183 TALLOC_CTX *mem_ctx = talloc_new(tctx);
184 char fname[256];
185 struct smb2_handle _h1;
186 struct smb2_handle *h1 = NULL;
187 struct smb2_create io1;
188 uint64_t previous_session_id;
189 bool ret = true;
190 struct smb2_session *session2 = NULL;
191 union smb_fileinfo qfinfo;
192
193 /* Add some random component to the file name. */
194 snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
195 generate_random_str(tctx, 8));
196
197 smb2_util_unlink(tree, fname);
198
199 smb2_oplock_create_share(&io1, fname,
200 smb2_util_share_access(""),
201 smb2_util_oplock_level("b"));
202 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
203
204 status = smb2_create(tree, mem_ctx, &io1);
205 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
206 "smb2_create failed");
207 _h1 = io1.out.file.handle;
208 h1 = &_h1;
209 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
210 torture_assert_int_equal(tctx, io1.out.oplock_level,
211 smb2_util_oplock_level("b"),
212 "oplock_level incorrect");
213
214 /* disconnect, reconnect and then do durable reopen */
215 previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
216
217 torture_assert(tctx, torture_smb2_session_setup(tctx, tree->session->transport,
218 previous_session_id, tctx, &session2),
219 "session reconnect (on the same connection) failed");
220
221 /* try to access the file via the old handle */
222
223 ZERO_STRUCT(qfinfo);
224 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
225 qfinfo.generic.in.file.handle = _h1;
226 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
227 torture_assert_ntstatus_equal_goto(tctx, status,
228 NT_STATUS_USER_SESSION_DELETED,
229 ret, done, "smb2_getinfo_file "
230 "returned unexpected status");
231 h1 = NULL;
232
233 done:
234 if (h1 != NULL) {
235 smb2_util_close(tree, *h1);
236 }
237
238 talloc_free(tree);
239 talloc_free(session2);
240
241 talloc_free(mem_ctx);
242
243 return ret;
244 }
245
246 bool test_session_reauth1(struct torture_context *tctx, struct smb2_tree *tree)
247 {
248 NTSTATUS status;
249 TALLOC_CTX *mem_ctx = talloc_new(tctx);
250 char fname[256];
251 struct smb2_handle _h1;
252 struct smb2_handle *h1 = NULL;
253 struct smb2_create io1;
254 bool ret = true;
255 union smb_fileinfo qfinfo;
256
257 /* Add some random component to the file name. */
258 snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
259 generate_random_str(tctx, 8));
260
261 smb2_util_unlink(tree, fname);
262
263 smb2_oplock_create_share(&io1, fname,
264 smb2_util_share_access(""),
265 smb2_util_oplock_level("b"));
266
267 status = smb2_create(tree, mem_ctx, &io1);
268 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
269 "smb2_create failed");
270 _h1 = io1.out.file.handle;
271 h1 = &_h1;
272 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
273 torture_assert_int_equal(tctx, io1.out.oplock_level,
274 smb2_util_oplock_level("b"),
275 "oplock_level incorrect");
276
277 status = smb2_session_setup_spnego(tree->session,
278 samba_cmdline_get_creds(),
279 0 /* previous_session_id */);
280 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
281 "smb2_session_setup_spnego failed");
282
283 /* try to access the file via the old handle */
284
285 ZERO_STRUCT(qfinfo);
286 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
287 qfinfo.generic.in.file.handle = _h1;
288 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
289 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
290 "smb2_getinfo_file failed");
291
292 status = smb2_session_setup_spnego(tree->session,
293 samba_cmdline_get_creds(),
294 0 /* previous_session_id */);
295 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
296 "smb2_session_setup_spnego failed");
297
298 /* try to access the file via the old handle */
299
300 ZERO_STRUCT(qfinfo);
301 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
302 qfinfo.generic.in.file.handle = _h1;
303 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
304 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
305 "smb2_getinfo_file failed");
306
307 done:
308 if (h1 != NULL) {
309 smb2_util_close(tree, *h1);
310 }
311
312 smb2_util_unlink(tree, fname);
313
314 talloc_free(tree);
315
316 talloc_free(mem_ctx);
317
318 return ret;
319 }
320
321 bool test_session_reauth2(struct torture_context *tctx, struct smb2_tree *tree)
322 {
323 NTSTATUS status;
324 TALLOC_CTX *mem_ctx = talloc_new(tctx);
325 char fname[256];
326 struct smb2_handle _h1;
327 struct smb2_handle *h1 = NULL;
328 struct smb2_create io1;
329 bool ret = true;
330 union smb_fileinfo qfinfo;
331 struct cli_credentials *anon_creds = NULL;
332
333 /* Add some random component to the file name. */
334 snprintf(fname, sizeof(fname), "session_reauth2_%s.dat",
335 generate_random_str(tctx, 8));
336
337 smb2_util_unlink(tree, fname);
338
339 smb2_oplock_create_share(&io1, fname,
340 smb2_util_share_access(""),
341 smb2_util_oplock_level("b"));
342
343 status = smb2_create(tree, mem_ctx, &io1);
344 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
345 "smb2_create failed");
346 _h1 = io1.out.file.handle;
347 h1 = &_h1;
348 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
349 torture_assert_int_equal(tctx, io1.out.oplock_level,
350 smb2_util_oplock_level("b"),
351 "oplock_level incorrect");
352
353 /* re-authenticate as anonymous */
354
355 anon_creds = cli_credentials_init_anon(mem_ctx);
356 torture_assert(tctx, (anon_creds != NULL), "talloc error");
357
358 status = smb2_session_setup_spnego(tree->session,
359 anon_creds,
360 0 /* previous_session_id */);
361 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
362 "smb2_session_setup_spnego failed");
363
364 /* try to access the file via the old handle */
365
366 ZERO_STRUCT(qfinfo);
367 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
368 qfinfo.generic.in.file.handle = _h1;
369 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
370 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
371 "smb2_getinfo_file failed");
372
373 /* re-authenticate as original user again */
374
375 status = smb2_session_setup_spnego(tree->session,
376 samba_cmdline_get_creds(),
377 0 /* previous_session_id */);
378 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
379 "smb2_session_setup_spnego failed");
380
381 /* try to access the file via the old handle */
382
383 ZERO_STRUCT(qfinfo);
384 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
385 qfinfo.generic.in.file.handle = _h1;
386 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
387 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
388 "smb2_getinfo_file failed");
389
390 done:
391 if (h1 != NULL) {
392 smb2_util_close(tree, *h1);
393 }
394
395 smb2_util_unlink(tree, fname);
396
397 talloc_free(tree);
398
399 talloc_free(mem_ctx);
400
401 return ret;
402 }
403
404 /**
405 * test getting security descriptor after reauth
406 */
407 bool test_session_reauth3(struct torture_context *tctx, struct smb2_tree *tree)
408 {
409 NTSTATUS status;
410 TALLOC_CTX *mem_ctx = talloc_new(tctx);
411 char fname[256];
412 struct smb2_handle _h1;
413 struct smb2_handle *h1 = NULL;
414 struct smb2_create io1;
415 bool ret = true;
416 union smb_fileinfo qfinfo;
417 struct cli_credentials *anon_creds = NULL;
418 uint32_t secinfo_flags = SECINFO_OWNER
419 | SECINFO_GROUP
420 | SECINFO_DACL
421 | SECINFO_PROTECTED_DACL
422 | SECINFO_UNPROTECTED_DACL;
423
424 /* Add some random component to the file name. */
425 snprintf(fname, sizeof(fname), "session_reauth3_%s.dat",
426 generate_random_str(tctx, 8));
427
428 smb2_util_unlink(tree, fname);
429
430 smb2_oplock_create_share(&io1, fname,
431 smb2_util_share_access(""),
432 smb2_util_oplock_level("b"));
433
434 status = smb2_create(tree, mem_ctx, &io1);
435 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
436 "smb2_create failed");
437 _h1 = io1.out.file.handle;
438 h1 = &_h1;
439 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
440 torture_assert_int_equal(tctx, io1.out.oplock_level,
441 smb2_util_oplock_level("b"),
442 "oplock_level incorrect");
443
444 /* get the security descriptor */
445
446 ZERO_STRUCT(qfinfo);
447
448 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
449 qfinfo.query_secdesc.in.file.handle = _h1;
450 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
451
452 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
453 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
454 "smb2_getinfo_file failed");
455
456 /* re-authenticate as anonymous */
457
458 anon_creds = cli_credentials_init_anon(mem_ctx);
459 torture_assert(tctx, (anon_creds != NULL), "talloc error");
460
461 status = smb2_session_setup_spnego(tree->session,
462 anon_creds,
463 0 /* previous_session_id */);
464 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
465 "smb2_session_setup_spnego failed");
466
467 /* try to access the file via the old handle */
468
469 ZERO_STRUCT(qfinfo);
470
471 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
472 qfinfo.query_secdesc.in.file.handle = _h1;
473 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
474
475 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
476 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
477 "smb2_getinfo_file failed");
478
479 /* re-authenticate as original user again */
480
481 status = smb2_session_setup_spnego(tree->session,
482 samba_cmdline_get_creds(),
483 0 /* previous_session_id */);
484 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
485 "smb2_session_setup_spnego failed");
486
487 /* try to access the file via the old handle */
488
489 ZERO_STRUCT(qfinfo);
490
491 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
492 qfinfo.query_secdesc.in.file.handle = _h1;
493 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
494
495 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
496 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
497 "smb2_getinfo_file failed");
498
499 done:
500 if (h1 != NULL) {
501 smb2_util_close(tree, *h1);
502 }
503
504 smb2_util_unlink(tree, fname);
505
506 talloc_free(tree);
507
508 talloc_free(mem_ctx);
509
510 return ret;
511 }
512
513 /**
514 * test setting security descriptor after reauth.
515 */
516 bool test_session_reauth4(struct torture_context *tctx, struct smb2_tree *tree)
517 {
518 NTSTATUS status;
519 TALLOC_CTX *mem_ctx = talloc_new(tctx);
520 char fname[256];
521 struct smb2_handle _h1;
522 struct smb2_handle *h1 = NULL;
523 struct smb2_create io1;
524 bool ret = true;
525 union smb_fileinfo qfinfo;
526 union smb_setfileinfo sfinfo;
527 struct cli_credentials *anon_creds = NULL;
528 uint32_t secinfo_flags = SECINFO_OWNER
529 | SECINFO_GROUP
530 | SECINFO_DACL
531 | SECINFO_PROTECTED_DACL
532 | SECINFO_UNPROTECTED_DACL;
533 struct security_descriptor *sd1;
534 struct security_ace ace;
535 struct dom_sid *extra_sid;
536
537 /* Add some random component to the file name. */
538 snprintf(fname, sizeof(fname), "session_reauth4_%s.dat",
539 generate_random_str(tctx, 8));
540
541 smb2_util_unlink(tree, fname);
542
543 smb2_oplock_create_share(&io1, fname,
544 smb2_util_share_access(""),
545 smb2_util_oplock_level("b"));
546
547 status = smb2_create(tree, mem_ctx, &io1);
548 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
549 "smb2_create failed");
550 _h1 = io1.out.file.handle;
551 h1 = &_h1;
552 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
553 torture_assert_int_equal(tctx, io1.out.oplock_level,
554 smb2_util_oplock_level("b"),
555 "oplock_level incorrect");
556
557 /* get the security descriptor */
558
559 ZERO_STRUCT(qfinfo);
560
561 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
562 qfinfo.query_secdesc.in.file.handle = _h1;
563 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
564
565 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
566 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
567 "smb2_getinfo_file failed");
568
569 sd1 = qfinfo.query_secdesc.out.sd;
570
571 /* re-authenticate as anonymous */
572
573 anon_creds = cli_credentials_init_anon(mem_ctx);
574 torture_assert(tctx, (anon_creds != NULL), "talloc error");
575
576 status = smb2_session_setup_spnego(tree->session,
577 anon_creds,
578 0 /* previous_session_id */);
579 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
580 "smb2_session_setup_spnego failed");
581
582 /* give full access on the file to anonymous */
583
584 extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
585
586 ZERO_STRUCT(ace);
587 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
588 ace.flags = 0;
589 ace.access_mask = SEC_STD_ALL | SEC_FILE_ALL;
590 ace.trustee = *extra_sid;
591
592 status = security_descriptor_dacl_add(sd1, &ace);
593 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
594 "security_descriptor_dacl_add failed");
595
596 ZERO_STRUCT(sfinfo);
597 sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
598 sfinfo.set_secdesc.in.file.handle = _h1;
599 sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
600 sfinfo.set_secdesc.in.sd = sd1;
601
602 status = smb2_setinfo_file(tree, &sfinfo);
603 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
604 "smb2_setinfo_file failed");
605
606 /* re-authenticate as original user again */
607
608 status = smb2_session_setup_spnego(tree->session,
609 samba_cmdline_get_creds(),
610 0 /* previous_session_id */);
611 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
612 "smb2_session_setup_spnego failed");
613
614 /* re-get the security descriptor */
615
616 ZERO_STRUCT(qfinfo);
617
618 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
619 qfinfo.query_secdesc.in.file.handle = _h1;
620 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
621
622 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
623 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
624 "smb2_getinfo_file failed");
625
626 ret = true;
627
628 done:
629 if (h1 != NULL) {
630 smb2_util_close(tree, *h1);
631 }
632
633 smb2_util_unlink(tree, fname);
634
635 talloc_free(tree);
636
637 talloc_free(mem_ctx);
638
639 return ret;
640 }
641
642 /**
643 * test renaming after reauth.
644 * compare security descriptors before and after rename/reauth
645 */
646 bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
647 {
648 NTSTATUS status;
649 TALLOC_CTX *mem_ctx = talloc_new(tctx);
650 char dname[128];
651 char fname[256];
652 char fname2[256];
653 struct smb2_handle _dh1;
654 struct smb2_handle *dh1 = NULL;
655 struct smb2_handle _h1;
656 struct smb2_handle *h1 = NULL;
657 struct smb2_create io1;
658 bool ret = true;
659 bool ok;
660 union smb_fileinfo qfinfo;
661 union smb_setfileinfo sfinfo;
662 struct cli_credentials *anon_creds = NULL;
663 uint32_t secinfo_flags = SECINFO_OWNER
664 | SECINFO_GROUP
665 | SECINFO_DACL
666 | SECINFO_PROTECTED_DACL
667 | SECINFO_UNPROTECTED_DACL;
668 struct security_descriptor *f_sd1;
669 struct security_descriptor *d_sd1 = NULL;
670 struct security_ace ace;
671 struct dom_sid *extra_sid;
672
673 /* Add some random component to the file name. */
674 snprintf(dname, sizeof(dname), "session_reauth5_%s.d",
675 generate_random_str(tctx, 8));
676 snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
677
678 ok = smb2_util_setup_dir(tctx, tree, dname);
679 torture_assert(tctx, ok, "smb2_util_setup_dir not ok");
680
681 status = torture_smb2_testdir(tree, dname, &_dh1);
682 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
683 "torture_smb2_testdir failed");
684 dh1 = &_dh1;
685
686 smb2_oplock_create_share(&io1, fname,
687 smb2_util_share_access(""),
688 smb2_util_oplock_level("b"));
689
690 status = smb2_create(tree, mem_ctx, &io1);
691 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
692 "smb2_create failed");
693 _h1 = io1.out.file.handle;
694 h1 = &_h1;
695 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
696 torture_assert_int_equal(tctx, io1.out.oplock_level,
697 smb2_util_oplock_level("b"),
698 "oplock_level incorrect");
699
700 /* get the security descriptor */
701
702 ZERO_STRUCT(qfinfo);
703
704 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
705 qfinfo.query_secdesc.in.file.handle = _h1;
706 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
707
708 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
709 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
710 "smb2_getinfo_file failed");
711
712 f_sd1 = qfinfo.query_secdesc.out.sd;
713
714 /* re-authenticate as anonymous */
715
716 anon_creds = cli_credentials_init_anon(mem_ctx);
717 torture_assert(tctx, (anon_creds != NULL), "talloc error");
718
719 status = smb2_session_setup_spnego(tree->session,
720 anon_creds,
721 0 /* previous_session_id */);
722 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
723 "smb2_session_setup_spnego failed");
724
725 /* try to rename the file: fails */
726
727 snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
728
729 status = smb2_util_unlink(tree, fname2);
730 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
731 "smb2_util_unlink failed");
732
733
734 ZERO_STRUCT(sfinfo);
735 sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
736 sfinfo.rename_information.in.file.handle = _h1;
737 sfinfo.rename_information.in.overwrite = true;
738 sfinfo.rename_information.in.new_name = fname2;
739
740 status = smb2_setinfo_file(tree, &sfinfo);
741 torture_assert_ntstatus_equal_goto(tctx, status,
742 NT_STATUS_ACCESS_DENIED,
743 ret, done, "smb2_setinfo_file "
744 "returned unexpected status");
745
746 /* re-authenticate as original user again */
747
748 status = smb2_session_setup_spnego(tree->session,
749 samba_cmdline_get_creds(),
750 0 /* previous_session_id */);
751 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
752 "smb2_session_setup_spnego failed");
753
754 /* give full access on the file to anonymous */
755
756 extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
757
758 ZERO_STRUCT(ace);
759 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
760 ace.flags = 0;
761 ace.access_mask = SEC_RIGHTS_FILE_ALL;
762 ace.trustee = *extra_sid;
763
764 status = security_descriptor_dacl_add(f_sd1, &ace);
765 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
766 "security_descriptor_dacl_add failed");
767
768 ZERO_STRUCT(sfinfo);
769 sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
770 sfinfo.set_secdesc.in.file.handle = _h1;
771 sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
772 sfinfo.set_secdesc.in.sd = f_sd1;
773
774 status = smb2_setinfo_file(tree, &sfinfo);
775 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
776 "smb2_setinfo_file failed");
777
778 /* re-get the security descriptor */
779
780 ZERO_STRUCT(qfinfo);
781
782 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
783 qfinfo.query_secdesc.in.file.handle = _h1;
784 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
785
786 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
787 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
788 "smb2_getinfo_file failed");
789
790 /* re-authenticate as anonymous - again */
791
792 anon_creds = cli_credentials_init_anon(mem_ctx);
793 torture_assert(tctx, (anon_creds != NULL), "talloc error");
794
795 status = smb2_session_setup_spnego(tree->session,
796 anon_creds,
797 0 /* previous_session_id */);
798 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
799 "smb2_session_setup_spnego failed");
800
801 /* try to rename the file: fails */
802
803 ZERO_STRUCT(sfinfo);
804 sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
805 sfinfo.rename_information.in.file.handle = _h1;
806 sfinfo.rename_information.in.overwrite = true;
807 sfinfo.rename_information.in.new_name = fname2;
808
809 status = smb2_setinfo_file(tree, &sfinfo);
810 torture_assert_ntstatus_equal_goto(tctx, status,
811 NT_STATUS_ACCESS_DENIED,
812 ret, done, "smb2_setinfo_file "
813 "returned unexpected status");
814
815 /* give full access on the parent dir to anonymous */
816
817 ZERO_STRUCT(qfinfo);
818
819 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
820 qfinfo.query_secdesc.in.file.handle = _dh1;
821 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
822
823 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
824 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
825 "smb2_getinfo_file failed");
826
827 d_sd1 = qfinfo.query_secdesc.out.sd;
828
829 ZERO_STRUCT(ace);
830 ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
831 ace.flags = 0;
832 ace.access_mask = SEC_RIGHTS_FILE_ALL;
833 ace.trustee = *extra_sid;
834
835 status = security_descriptor_dacl_add(d_sd1, &ace);
836 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
837 "security_descriptor_dacl_add failed");
838
839 ZERO_STRUCT(sfinfo);
840 sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
841 sfinfo.set_secdesc.in.file.handle = _dh1;
842 sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
843 sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
844 sfinfo.set_secdesc.in.sd = d_sd1;
845
846 status = smb2_setinfo_file(tree, &sfinfo);
847 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
848 "smb2_setinfo_file failed");
849
850 ZERO_STRUCT(qfinfo);
851
852 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
853 qfinfo.query_secdesc.in.file.handle = _dh1;
854 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
855
856 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
857 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
858 "smb2_getinfo_file failed");
859
860 status = smb2_util_close(tree, _dh1);
861 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
862 "smb2_util_close failed");
863 dh1 = NULL;
864
865 /* try to rename the file: still fails */
866
867 ZERO_STRUCT(sfinfo);
868 sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
869 sfinfo.rename_information.in.file.handle = _h1;
870 sfinfo.rename_information.in.overwrite = true;
871 sfinfo.rename_information.in.new_name = fname2;
872
873 status = smb2_setinfo_file(tree, &sfinfo);
874 torture_assert_ntstatus_equal_goto(tctx, status,
875 NT_STATUS_ACCESS_DENIED,
876 ret, done, "smb2_setinfo_file "
877 "returned unexpected status");
878
879 /* re-authenticate as original user - again */
880
881 status = smb2_session_setup_spnego(tree->session,
882 samba_cmdline_get_creds(),
883 0 /* previous_session_id */);
884 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
885 "smb2_session_setup_spnego failed");
886
887 /* rename the file - for verification that it works */
888
889 ZERO_STRUCT(sfinfo);
890 sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
891 sfinfo.rename_information.in.file.handle = _h1;
892 sfinfo.rename_information.in.overwrite = true;
893 sfinfo.rename_information.in.new_name = fname2;
894
895 status = smb2_setinfo_file(tree, &sfinfo);
896 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
897 "smb2_setinfo_file failed");
898
899 /* closs the file, check it is gone and reopen under the new name */
900
901 status = smb2_util_close(tree, _h1);
902 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
903 "smb2_util_close failed");
904 ZERO_STRUCT(io1);
905
906 smb2_generic_create_share(&io1,
907 NULL /* lease */, false /* dir */,
908 fname,
909 NTCREATEX_DISP_OPEN,
910 smb2_util_share_access(""),
911 smb2_util_oplock_level("b"),
912 0 /* leasekey */, 0 /* leasestate */);
913
914 status = smb2_create(tree, mem_ctx, &io1);
915 torture_assert_ntstatus_equal_goto(tctx, status,
916 NT_STATUS_OBJECT_NAME_NOT_FOUND,
917 ret, done, "smb2_create "
918 "returned unexpected status");
919
920 ZERO_STRUCT(io1);
921
922 smb2_generic_create_share(&io1,
923 NULL /* lease */, false /* dir */,
924 fname2,
925 NTCREATEX_DISP_OPEN,
926 smb2_util_share_access(""),
927 smb2_util_oplock_level("b"),
928 0 /* leasekey */, 0 /* leasestate */);
929
930 status = smb2_create(tree, mem_ctx, &io1);
931 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
932 "smb2_create failed");
933 _h1 = io1.out.file.handle;
934 h1 = &_h1;
935 CHECK_CREATED(tctx, &io1, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
936 torture_assert_int_equal(tctx, io1.out.oplock_level,
937 smb2_util_oplock_level("b"),
938 "oplock_level incorrect");
939
940 /* try to access the file via the old handle */
941
942 ZERO_STRUCT(qfinfo);
943
944 qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
945 qfinfo.query_secdesc.in.file.handle = _h1;
946 qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
947
948 status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
949 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
950 "smb2_getinfo_file failed");
951
952 done:
953 if (dh1 != NULL) {
954 smb2_util_close(tree, *dh1);
955 }
956 if (h1 != NULL) {
957 smb2_util_close(tree, *h1);
958 }
959
960 smb2_deltree(tree, dname);
961
962 talloc_free(tree);
963
964 talloc_free(mem_ctx);
965
966 return ret;
967 }
968
969 /**
970 * do reauth with wrong credentials,
971 * hence triggering the error path in reauth.
972 * The invalid reauth deletes the session.
973 */
974 bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
975 {
976 NTSTATUS status;
977 TALLOC_CTX *mem_ctx = talloc_new(tctx);
978 char fname[256];
979 struct smb2_handle _h1;
980 struct smb2_handle *h1 = NULL;
981 struct smb2_create io1;
982 bool ret = true;
983 char *corrupted_password;
984 struct cli_credentials *broken_creds;
985 bool ok;
986 bool encrypted;
987 NTSTATUS expected;
988 enum credentials_use_kerberos krb_state;
989
990 krb_state = cli_credentials_get_kerberos_state(
991 samba_cmdline_get_creds());
992 if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
993 torture_skip(tctx,
994 "Can't test failing session setup with kerberos.");
995 }
996
997 encrypted = smb2cli_tcon_is_encryption_on(tree->smbXcli);
998
999 /* Add some random component to the file name. */
1000 snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
1001 generate_random_str(tctx, 8));
1002
1003 smb2_util_unlink(tree, fname);
1004
1005 smb2_oplock_create_share(&io1, fname,
1006 smb2_util_share_access(""),
1007 smb2_util_oplock_level("b"));
1008 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1009
1010 status = smb2_create(tree, mem_ctx, &io1);
1011 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1012 "smb2_create failed");
1013 _h1 = io1.out.file.handle;
1014 h1 = &_h1;
1015 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1016 torture_assert_int_equal(tctx, io1.out.oplock_level,
1017 smb2_util_oplock_level("b"),
1018 "oplock_level incorrect");
1019
1020 /*
1021 * reauthentication with invalid credentials:
1022 */
1023
1024 broken_creds = cli_credentials_shallow_copy(mem_ctx,
1025 samba_cmdline_get_creds());
1026 torture_assert(tctx, (broken_creds != NULL), "talloc error");
1027
1028 corrupted_password = talloc_asprintf(mem_ctx, "%s%s",
1029 cli_credentials_get_password(broken_creds),
1030 "corrupt");
1031 torture_assert(tctx, (corrupted_password != NULL), "talloc error");
1032
1033 ok = cli_credentials_set_password(broken_creds, corrupted_password,
1034 CRED_SPECIFIED);
1035 torture_assert(tctx, ok, "cli_credentials_set_password not ok");
1036
1037 status = smb2_session_setup_spnego(tree->session,
1038 broken_creds,
1039 0 /* previous_session_id */);
1040 torture_assert_ntstatus_equal_goto(tctx, status,
1041 NT_STATUS_LOGON_FAILURE, ret, done,
1042 "smb2_session_setup_spnego "
1043 "returned unexpected status");
1044
1045 torture_comment(tctx, "did failed reauth\n");
1046 /*
1047 * now verify that the invalid session reauth has closed our session
1048 */
1049
1050 if (encrypted) {
1051 expected = NT_STATUS_CONNECTION_DISCONNECTED;
1052 } else {
1053 expected = NT_STATUS_USER_SESSION_DELETED;
1054 }
1055
1056 smb2_oplock_create_share(&io1, fname,
1057 smb2_util_share_access(""),
1058 smb2_util_oplock_level("b"));
1059
1060 status = smb2_create(tree, mem_ctx, &io1);
1061 torture_assert_ntstatus_equal_goto(tctx, status, expected,
1062 ret, done, "smb2_create "
1063 "returned unexpected status");
1064
1065 done:
1066 if (h1 != NULL) {
1067 smb2_util_close(tree, *h1);
1068 }
1069
1070 smb2_util_unlink(tree, fname);
1071
1072 talloc_free(tree);
1073
1074 talloc_free(mem_ctx);
1075
1076 return ret;
1077 }
1078
1079
1080 static bool test_session_expire1i(struct torture_context *tctx,
1081 bool force_signing,
1082 bool force_encryption)
1083 {
1084 NTSTATUS status;
1085 bool ret = false;
1086 struct smbcli_options options;
1087 const char *host = torture_setting_string(tctx, "host", NULL);
1088 const char *share = torture_setting_string(tctx, "share", NULL);
1089 struct cli_credentials *credentials = samba_cmdline_get_creds();
1090 struct smb2_tree *tree = NULL;
1091 enum credentials_use_kerberos use_kerberos;
1092 char fname[256];
1093 struct smb2_handle _h1;
1094 struct smb2_handle *h1 = NULL;
1095 struct smb2_create io1;
1096 union smb_fileinfo qfinfo;
1097 size_t i;
1098 struct timeval endtime;
1099 bool ticket_expired = false;
1100
1101 use_kerberos = cli_credentials_get_kerberos_state(credentials);
1102 if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1103 torture_warning(tctx,
1104 "smb2.session.expire1 requires "
1105 "--use-kerberos=required!");
1106 torture_skip(tctx,
1107 "smb2.session.expire1 requires "
1108 "--use-kerberos=required!");
1109 }
1110
1111 torture_assert_int_equal(tctx,
1112 use_kerberos,
1113 CRED_USE_KERBEROS_REQUIRED,
1114 "please use --use-kerberos=required");
1115
1116 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1117
1118 lpcfg_set_option(
1119 tctx->lp_ctx,
1120 GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1121
1122 lpcfg_smbcli_options(tctx->lp_ctx, &options);
1123 if (force_signing) {
1124 options.signing = SMB_SIGNING_REQUIRED;
1125 }
1126
1127 status = smb2_connect(tctx,
1128 host,
1129 lpcfg_smb_ports(tctx->lp_ctx),
1130 share,
1131 lpcfg_resolve_context(tctx->lp_ctx),
1132 credentials,
1133 &tree,
1134 tctx->ev,
1135 &options,
1136 lpcfg_socket_options(tctx->lp_ctx),
1137 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1138 );
1139 /*
1140 * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1141 * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1142 * few more milliseconds for this to kick in.
1143 */
1144 endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1145 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1146 "smb2_connect failed");
1147
1148 if (force_encryption) {
1149 status = smb2cli_session_encryption_on(tree->session->smbXcli);
1150 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1151 "smb2cli_session_encryption_on failed");
1152 }
1153
1154 /* Add some random component to the file name. */
1155 snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1156 generate_random_str(tctx, 8));
1157
1158 smb2_util_unlink(tree, fname);
1159
1160 smb2_oplock_create_share(&io1, fname,
1161 smb2_util_share_access(""),
1162 smb2_util_oplock_level("b"));
1163 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1164
1165 status = smb2_create(tree, tctx, &io1);
1166 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1167 "smb2_create failed");
1168 _h1 = io1.out.file.handle;
1169 h1 = &_h1;
1170 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1171 torture_assert_int_equal(tctx, io1.out.oplock_level,
1172 smb2_util_oplock_level("b"),
1173 "oplock_level incorrect");
1174
1175 /* get the security descriptor */
1176
1177 ZERO_STRUCT(qfinfo);
1178
1179 qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1180 qfinfo.access_information.in.file.handle = _h1;
1181
1182 for (i=0; i < 2; i++) {
1183 torture_comment(tctx, "%s: query info => OK\n",
1184 current_timestring(tctx, true));
1185
1186 ZERO_STRUCT(qfinfo.access_information.out);
1187 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1188 torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1189 current_timestring(tctx, true),
1190 __location__, __func__,
1191 nt_errstr(status));
1192 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1193 "smb2_getinfo_file failed");
1194
1195 sleep_remaining(tctx, &endtime);
1196
1197 torture_comment(tctx, "%s: query info => EXPIRED\n",
1198 current_timestring(tctx, true));
1199 ZERO_STRUCT(qfinfo.access_information.out);
1200 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1201 torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1202 current_timestring(tctx, true),
1203 __location__, __func__,
1204 nt_errstr(status));
1205 torture_assert_ntstatus_equal_goto(tctx, status,
1206 NT_STATUS_NETWORK_SESSION_EXPIRED,
1207 ret, done, "smb2_getinfo_file "
1208 "returned unexpected status");
1209
1210 /*
1211 * the krb5 library may not handle expired creds
1212 * well, lets start with an empty ccache.
1213 */
1214 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1215
1216 if (!force_encryption) {
1217 smb2cli_session_require_signed_response(
1218 tree->session->smbXcli, true);
1219 }
1220
1221 torture_comment(tctx, "%s: reauth => OK\n",
1222 current_timestring(tctx, true));
1223 status = smb2_session_setup_spnego(tree->session,
1224 credentials,
1225 0 /* previous_session_id */);
1226 /*
1227 * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1228 * Give the server at least KRB5_TICKET_LIFETIME +
1229 * KRB5_CLOCKSKEW + a few more milliseconds for this to kick in.
1230 */
1231 endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME,
1232 500 * 1000);
1233 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1234 "smb2_session_setup_spnego failed");
1235
1236 smb2cli_session_require_signed_response(
1237 tree->session->smbXcli, false);
1238 }
1239
1240 ticket_expired = timeval_expired(&endtime);
1241 if (ticket_expired) {
1242 struct timeval current = timeval_current();
1243 double remaining_secs = timeval_elapsed2(&current, &endtime);
1244 remaining_secs = remaining_secs < 0.0 ? remaining_secs * -1.0
1245 : remaining_secs;
1246 torture_warning(
1247 tctx,
1248 "The ticket already expired %.2f seconds ago. "
1249 "You might want to increase KRB5_TICKET_LIFETIME.",
1250 remaining_secs);
1251 }
1252 torture_assert(tctx,
1253 ticket_expired == false,
1254 "The kerberos ticket already expired");
1255 ZERO_STRUCT(qfinfo.access_information.out);
1256 torture_comment(tctx, "%s: %s:%s: before smb2_getinfo_file()\n",
1257 current_timestring(tctx, true),
1258 __location__, __func__);
1259 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1260 torture_comment(tctx, "%s: %s:%s: after smb2_getinfo_file() => %s\n",
1261 current_timestring(tctx, true),
1262 __location__, __func__,
1263 nt_errstr(status));
1264 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1265 "smb2_getinfo_file failed");
1266
1267 ret = true;
1268 done:
1269 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1270
1271 if (h1 != NULL) {
1272 smb2_util_close(tree, *h1);
1273 }
1274
1275 talloc_free(tree);
1276 lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1277 return ret;
1278 }
1279
1280 static bool test_session_expire1n(struct torture_context *tctx)
1281 {
1282 return test_session_expire1i(tctx,
1283 false, /* force_signing */
1284 false); /* force_encryption */
1285 }
1286
1287 static bool test_session_expire1s(struct torture_context *tctx)
1288 {
1289 return test_session_expire1i(tctx,
1290 true, /* force_signing */
1291 false); /* force_encryption */
1292 }
1293
1294 static bool test_session_expire1e(struct torture_context *tctx)
1295 {
1296 return test_session_expire1i(tctx,
1297 true, /* force_signing */
1298 true); /* force_encryption */
1299 }
1300
1301 static bool test_session_expire2i(struct torture_context *tctx,
1302 bool force_encryption)
1303 {
1304 NTSTATUS status;
1305 bool ret = false;
1306 struct smbcli_options options;
1307 const char *host = torture_setting_string(tctx, "host", NULL);
1308 const char *share = torture_setting_string(tctx, "share", NULL);
1309 struct cli_credentials *credentials = samba_cmdline_get_creds();
1310 struct smb2_tree *tree = NULL;
1311 const char *unc = NULL;
1312 struct smb2_tree *tree2 = NULL;
1313 struct tevent_req *subreq = NULL;
1314 uint32_t timeout_msec;
1315 enum credentials_use_kerberos use_kerberos;
1316 uint32_t caps;
1317 char fname[256];
1318 struct smb2_handle dh;
1319 struct smb2_handle dh2;
1320 struct smb2_handle _h1;
1321 struct smb2_handle *h1 = NULL;
1322 struct smb2_create io1;
1323 union smb_fileinfo qfinfo;
1324 union smb_setfileinfo sfinfo;
1325 struct smb2_flush flsh;
1326 struct smb2_read rd;
1327 const uint8_t wd = 0;
1328 struct smb2_lock lck;
1329 struct smb2_lock_element el;
1330 struct smb2_ioctl ctl;
1331 struct smb2_break oack;
1332 struct smb2_lease_break_ack lack;
1333 struct smb2_find fnd;
1334 union smb_search_data *d = NULL;
1335 unsigned int count;
1336 struct smb2_request *req = NULL;
1337 struct smb2_notify ntf1;
1338 struct smb2_notify ntf2;
1339 struct timeval endtime;
1340
1341 use_kerberos = cli_credentials_get_kerberos_state(credentials);
1342 if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1343 torture_warning(tctx,
1344 "smb2.session.expire1 requires "
1345 "--use-kerberos=required!");
1346 torture_skip(tctx,
1347 "smb2.session.expire1 requires "
1348 "--use-kerberos=required!");
1349 }
1350
1351 torture_assert_int_equal(tctx,
1352 use_kerberos,
1353 CRED_USE_KERBEROS_REQUIRED,
1354 "please use --use-kerberos=required");
1355
1356 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1357
1358 lpcfg_set_option(
1359 tctx->lp_ctx,
1360 GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1361
1362 lpcfg_smbcli_options(tctx->lp_ctx, &options);
1363 options.signing = SMB_SIGNING_REQUIRED;
1364
1365 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
1366 torture_assert(tctx, unc != NULL, "talloc_asprintf");
1367
1368 status = smb2_connect(tctx,
1369 host,
1370 lpcfg_smb_ports(tctx->lp_ctx),
1371 share,
1372 lpcfg_resolve_context(tctx->lp_ctx),
1373 credentials,
1374 &tree,
1375 tctx->ev,
1376 &options,
1377 lpcfg_socket_options(tctx->lp_ctx),
1378 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1379 );
1380 /*
1381 * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1382 * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1383 * few more milliseconds for this to kick in.
1384 */
1385 endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1386 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1387 "smb2_connect failed");
1388
1389 if (force_encryption) {
1390 status = smb2cli_session_encryption_on(tree->session->smbXcli);
1391 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1392 "smb2cli_session_encryption_on failed");
1393 }
1394
1395 caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
1396
1397 /* Add some random component to the file name. */
1398 snprintf(fname, sizeof(fname), "session_expire2_%s.dat",
1399 generate_random_str(tctx, 8));
1400
1401 smb2_util_unlink(tree, fname);
1402
1403 status = smb2_util_roothandle(tree, &dh);
1404 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1405 "smb2_util_roothandle failed");
1406
1407 smb2_oplock_create_share(&io1, fname,
1408 smb2_util_share_access(""),
1409 smb2_util_oplock_level("b"));
1410 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1411
1412 status = smb2_create(tree, tctx, &io1);
1413 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1414 "smb2_create failed");
1415 _h1 = io1.out.file.handle;
1416 h1 = &_h1;
1417 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1418 torture_assert_int_equal(tctx, io1.out.oplock_level,
1419 smb2_util_oplock_level("b"),
1420 "oplock_level incorrect");
1421
1422 /* get the security descriptor */
1423
1424 ZERO_STRUCT(qfinfo);
1425
1426 qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1427 qfinfo.access_information.in.file.handle = _h1;
1428
1429 torture_comment(tctx, "query info => OK\n");
1430
1431 ZERO_STRUCT(qfinfo.access_information.out);
1432 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1433 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1434 "smb2_getinfo_file failed");
1435
1436 torture_comment(tctx, "lock => OK\n");
1437 ZERO_STRUCT(lck);
1438 lck.in.locks = &el;
1439 lck.in.lock_count = 0x0001;
1440 lck.in.lock_sequence = 0x00000000;
1441 lck.in.file.handle = *h1;
1442 ZERO_STRUCT(el);
1443 el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1444 SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1445 el.offset = 0x0000000000000000;
1446 el.length = 0x0000000000000001;
1447 status = smb2_lock(tree, &lck);
1448 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1449 "smb2_lock lock failed");
1450
1451 torture_comment(tctx, "1st notify => PENDING\n");
1452 ZERO_STRUCT(ntf1);
1453 ntf1.in.file.handle = dh;
1454 ntf1.in.recursive = 0x0000;
1455 ntf1.in.buffer_size = 128;
1456 ntf1.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1457 ntf1.in.unknown = 0x00000000;
1458 req = smb2_notify_send(tree, &ntf1);
1459
1460 while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) {
1461 if (tevent_loop_once(tctx->ev) != 0) {
1462 break;
1463 }
1464 }
1465
1466 torture_assert_goto(tctx, req->state <= SMB2_REQUEST_RECV, ret, done,
1467 "smb2_notify finished");
1468
1469 sleep_remaining(tctx, &endtime);
1470
1471 torture_comment(tctx, "query info => EXPIRED\n");
1472 ZERO_STRUCT(qfinfo.access_information.out);
1473 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1474 torture_assert_ntstatus_equal_goto(tctx, status,
1475 NT_STATUS_NETWORK_SESSION_EXPIRED,
1476 ret, done, "smb2_getinfo_file "
1477 "returned unexpected status");
1478
1479
1480 torture_comment(tctx, "set info => EXPIRED\n");
1481 ZERO_STRUCT(sfinfo);
1482 sfinfo.end_of_file_info.level = RAW_SFILEINFO_END_OF_FILE_INFORMATION;
1483 sfinfo.end_of_file_info.in.file.handle = *h1;
1484 sfinfo.end_of_file_info.in.size = 1;
1485 status = smb2_setinfo_file(tree, &sfinfo);
1486 torture_assert_ntstatus_equal_goto(tctx, status,
1487 NT_STATUS_NETWORK_SESSION_EXPIRED,
1488 ret, done, "smb2_setinfo_file "
1489 "returned unexpected status");
1490
1491 torture_comment(tctx, "flush => EXPIRED\n");
1492 ZERO_STRUCT(flsh);
1493 flsh.in.file.handle = *h1;
1494 status = smb2_flush(tree, &flsh);
1495 torture_assert_ntstatus_equal_goto(tctx, status,
1496 NT_STATUS_NETWORK_SESSION_EXPIRED,
1497 ret, done, "smb2_flush "
1498 "returned unexpected status");
1499
1500 torture_comment(tctx, "read => EXPIRED\n");
1501 ZERO_STRUCT(rd);
1502 rd.in.file.handle = *h1;
1503 rd.in.length = 5;
1504 rd.in.offset = 0;
1505 status = smb2_read(tree, tctx, &rd);
1506 torture_assert_ntstatus_equal_goto(tctx, status,
1507 NT_STATUS_NETWORK_SESSION_EXPIRED,
1508 ret, done, "smb2_read "
1509 "returned unexpected status");
1510
1511 torture_comment(tctx, "write => EXPIRED\n");
1512 status = smb2_util_write(tree, *h1, &wd, 0, 1);
1513 torture_assert_ntstatus_equal_goto(tctx, status,
1514 NT_STATUS_NETWORK_SESSION_EXPIRED,
1515 ret, done, "smb2_util_write "
1516 "returned unexpected status");
1517
1518 torture_comment(tctx, "ioctl => EXPIRED\n");
1519 ZERO_STRUCT(ctl);
1520 ctl.in.file.handle = *h1;
1521 ctl.in.function = FSCTL_SRV_ENUM_SNAPS;
1522 ctl.in.max_output_response = 16;
1523 ctl.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL;
1524 status = smb2_ioctl(tree, tctx, &ctl);
1525 torture_assert_ntstatus_equal_goto(tctx, status,
1526 NT_STATUS_NETWORK_SESSION_EXPIRED,
1527 ret, done, "smb2_ioctl "
1528 "returned unexpected status");
1529
1530 torture_comment(tctx, "oplock ack => EXPIRED\n");
1531 ZERO_STRUCT(oack);
1532 oack.in.file.handle = *h1;
1533 status = smb2_break(tree, &oack);
1534 torture_assert_ntstatus_equal_goto(tctx, status,
1535 NT_STATUS_NETWORK_SESSION_EXPIRED,
1536 ret, done, "smb2_break "
1537 "returned unexpected status");
1538
1539 if (caps & SMB2_CAP_LEASING) {
1540 torture_comment(tctx, "lease ack => EXPIRED\n");
1541 ZERO_STRUCT(lack);
1542 lack.in.lease.lease_version = 1;
1543 lack.in.lease.lease_key.data[0] = 1;
1544 lack.in.lease.lease_key.data[1] = 2;
1545 status = smb2_lease_break_ack(tree, &lack);
1546 torture_assert_ntstatus_equal_goto(tctx, status,
1547 NT_STATUS_NETWORK_SESSION_EXPIRED,
1548 ret, done, "smb2_break "
1549 "returned unexpected status");
1550 }
1551
1552 torture_comment(tctx, "query directory => EXPIRED\n");
1553 ZERO_STRUCT(fnd);
1554 fnd.in.file.handle = dh;
1555 fnd.in.pattern = "*";
1556 fnd.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE;
1557 fnd.in.max_response_size= 0x100;
1558 fnd.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO;
1559 status = smb2_find_level(tree, tree, &fnd, &count, &d);
1560 torture_assert_ntstatus_equal_goto(tctx, status,
1561 NT_STATUS_NETWORK_SESSION_EXPIRED,
1562 ret, done, "smb2_find_level "
1563 "returned unexpected status");
1564
1565 torture_comment(tctx, "1st notify => CANCEL\n");
1566 smb2_cancel(req);
1567
1568 torture_comment(tctx, "2nd notify => EXPIRED\n");
1569 ZERO_STRUCT(ntf2);
1570 ntf2.in.file.handle = dh;
1571 ntf2.in.recursive = 0x0000;
1572 ntf2.in.buffer_size = 128;
1573 ntf2.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1574 ntf2.in.unknown = 0x00000000;
1575 status = smb2_notify(tree, tctx, &ntf2);
1576 torture_assert_ntstatus_equal_goto(tctx, status,
1577 NT_STATUS_NETWORK_SESSION_EXPIRED,
1578 ret, done, "smb2_notify "
1579 "returned unexpected status");
1580
1581 torture_assert_goto(tctx, req->state > SMB2_REQUEST_RECV, ret, done,
1582 "smb2_notify (1st) not finished");
1583
1584 status = smb2_notify_recv(req, tctx, &ntf1);
1585 torture_assert_ntstatus_equal_goto(tctx, status,
1586 NT_STATUS_CANCELLED,
1587 ret, done, "smb2_notify cancelled"
1588 "returned unexpected status");
1589
1590 torture_comment(tctx, "tcon => EXPIRED\n");
1591 tree2 = smb2_tree_init(tree->session, tctx, false);
1592 torture_assert(tctx, tree2 != NULL, "smb2_tree_init");
1593 timeout_msec = tree->session->transport->options.request_timeout * 1000;
1594 subreq = smb2cli_tcon_send(tree2, tctx->ev,
1595 tree2->session->transport->conn,
1596 timeout_msec,
1597 tree2->session->smbXcli,
1598 tree2->smbXcli,
1599 0, /* flags */
1600 unc);
1601 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
1602 torture_assert(tctx,
1603 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
1604 "tevent_req_poll_ntstatus");
1605 status = smb2cli_tcon_recv(subreq);
1606 TALLOC_FREE(subreq);
1607 torture_assert_ntstatus_equal_goto(tctx, status,
1608 NT_STATUS_NETWORK_SESSION_EXPIRED,
1609 ret, done, "smb2cli_tcon"
1610 "returned unexpected status");
1611
1612 torture_comment(tctx, "create => EXPIRED\n");
1613 status = smb2_util_roothandle(tree, &dh2);
1614 torture_assert_ntstatus_equal_goto(tctx, status,
1615 NT_STATUS_NETWORK_SESSION_EXPIRED,
1616 ret, done, "smb2_util_roothandle"
1617 "returned unexpected status");
1618
1619 torture_comment(tctx, "tdis => EXPIRED\n");
1620 status = smb2_tdis(tree);
1621 torture_assert_ntstatus_equal_goto(tctx, status,
1622 NT_STATUS_NETWORK_SESSION_EXPIRED,
1623 ret, done, "smb2cli_tdis"
1624 "returned unexpected status");
1625
1626 /*
1627 * (Un)Lock, Close and Logoff are still possible
1628 */
1629
1630 torture_comment(tctx, "1st unlock => OK\n");
1631 el.flags = SMB2_LOCK_FLAG_UNLOCK;
1632 status = smb2_lock(tree, &lck);
1633 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1634 "smb2_lock unlock failed");
1635
1636 torture_comment(tctx, "2nd unlock => RANGE_NOT_LOCKED\n");
1637 status = smb2_lock(tree, &lck);
1638 torture_assert_ntstatus_equal_goto(tctx, status,
1639 NT_STATUS_RANGE_NOT_LOCKED,
1640 ret, done, "smb2_lock 2nd unlock"
1641 "returned unexpected status");
1642
1643 torture_comment(tctx, "lock => EXPIRED\n");
1644 el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1645 SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1646 status = smb2_lock(tree, &lck);
1647 torture_assert_ntstatus_equal_goto(tctx, status,
1648 NT_STATUS_NETWORK_SESSION_EXPIRED,
1649 ret, done, "smb2_util_roothandle"
1650 "returned unexpected status");
1651
1652 torture_comment(tctx, "close => OK\n");
1653 status = smb2_util_close(tree, *h1);
1654 h1 = NULL;
1655 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1656 "smb2_close failed");
1657
1658 torture_comment(tctx, "echo without session => OK\n");
1659 status = smb2_keepalive(tree->session->transport);
1660 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1661 "smb2_keepalive without session failed");
1662
1663 torture_comment(tctx, "echo with session => OK\n");
1664 req = smb2_keepalive_send(tree->session->transport, tree->session);
1665 status = smb2_keepalive_recv(req);
1666 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1667 "smb2_keepalive with session failed");
1668
1669 torture_comment(tctx, "logoff => OK\n");
1670 status = smb2_logoff(tree->session);
1671 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1672 "smb2_logoff failed");
1673
1674 ret = true;
1675 done:
1676 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1677
1678 if (h1 != NULL) {
1679 smb2_util_close(tree, *h1);
1680 }
1681
1682 talloc_free(tree);
1683 lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1684 return ret;
1685 }
1686
1687 static bool test_session_expire2s(struct torture_context *tctx)
1688 {
1689 return test_session_expire2i(tctx,
1690 false); /* force_encryption */
1691 }
1692
1693 static bool test_session_expire2e(struct torture_context *tctx)
1694 {
1695 return test_session_expire2i(tctx,
1696 true); /* force_encryption */
1697 }
1698
1699 static bool test_session_expire_disconnect(struct torture_context *tctx)
1700 {
1701 NTSTATUS status;
1702 bool ret = false;
1703 struct smbcli_options options;
1704 const char *host = torture_setting_string(tctx, "host", NULL);
1705 const char *share = torture_setting_string(tctx, "share", NULL);
1706 struct cli_credentials *credentials = samba_cmdline_get_creds();
1707 struct smb2_tree *tree = NULL;
1708 enum credentials_use_kerberos use_kerberos;
1709 char fname[256];
1710 struct smb2_handle _h1;
1711 struct smb2_handle *h1 = NULL;
1712 struct smb2_create io1;
1713 union smb_fileinfo qfinfo;
1714 bool connected;
1715 struct timeval endtime;
1716
1717 use_kerberos = cli_credentials_get_kerberos_state(credentials);
1718 if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1719 torture_warning(tctx,
1720 "smb2.session.expire1 requires "
1721 "--use-kerberos=required!");
1722 torture_skip(tctx,
1723 "smb2.session.expire1 requires "
1724 "--use-kerberos=required!");
1725 }
1726
1727 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1728
1729 lpcfg_set_option(
1730 tctx->lp_ctx,
1731 GENSEC_GSSAPI_REQUESTED_LIFETIME(KRB5_TICKET_LIFETIME));
1732 lpcfg_smbcli_options(tctx->lp_ctx, &options);
1733 options.signing = SMB_SIGNING_REQUIRED;
1734
1735 status = smb2_connect(tctx,
1736 host,
1737 lpcfg_smb_ports(tctx->lp_ctx),
1738 share,
1739 lpcfg_resolve_context(tctx->lp_ctx),
1740 credentials,
1741 &tree,
1742 tctx->ev,
1743 &options,
1744 lpcfg_socket_options(tctx->lp_ctx),
1745 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1746 );
1747 /*
1748 * We request a ticket lifetime of KRB5_TICKET_LIFETIME seconds.
1749 * Give the server at least KRB5_TICKET_LIFETIME + KRB5_CLOCKSKEW + a
1750 * few more milliseconds for this to kick in.
1751 */
1752 endtime = timeval_current_ofs(KRB5_TICKET_EXPIRETIME, 500 * 1000);
1753 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1754 "smb2_connect failed");
1755
1756 smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
1757
1758 /* Add some random component to the file name. */
1759 snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1760 generate_random_str(tctx, 8));
1761
1762 smb2_util_unlink(tree, fname);
1763
1764 smb2_oplock_create_share(&io1, fname,
1765 smb2_util_share_access(""),
1766 smb2_util_oplock_level("b"));
1767 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1768
1769 status = smb2_create(tree, tctx, &io1);
1770 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1771 "smb2_create failed");
1772 _h1 = io1.out.file.handle;
1773 h1 = &_h1;
1774 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1775 torture_assert_int_equal(tctx, io1.out.oplock_level,
1776 smb2_util_oplock_level("b"),
1777 "oplock_level incorrect");
1778
1779 /* get the security descriptor */
1780
1781 ZERO_STRUCT(qfinfo);
1782
1783 qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1784 qfinfo.access_information.in.file.handle = _h1;
1785
1786 torture_comment(tctx, "query info => OK\n");
1787
1788 ZERO_STRUCT(qfinfo.access_information.out);
1789 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1790 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1791 "smb2_getinfo_file failed");
1792
1793 sleep_remaining(tctx, &endtime);
1794
1795 torture_comment(tctx, "query info => EXPIRED\n");
1796 ZERO_STRUCT(qfinfo.access_information.out);
1797 status = smb2_getinfo_file(tree, tctx, &qfinfo);
1798 torture_assert_ntstatus_equal_goto(tctx, status,
1799 NT_STATUS_NETWORK_SESSION_EXPIRED,
1800 ret, done, "smb2_getinfo_file "
1801 "returned unexpected status");
1802
1803 connected = smbXcli_conn_is_connected(tree->session->transport->conn);
1804 torture_assert_goto(tctx, !connected, ret, done, "connected\n");
1805
1806 ret = true;
1807 done:
1808 cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1809
1810 if (h1 != NULL) {
1811 smb2_util_close(tree, *h1);
1812 }
1813
1814 talloc_free(tree);
1815 lpcfg_set_option(tctx->lp_ctx, GENSEC_GSSAPI_REQUESTED_LIFETIME(0));
1816 return ret;
1817 }
1818
1819 bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
1820 {
1821 const char *host = torture_setting_string(tctx, "host", NULL);
1822 const char *share = torture_setting_string(tctx, "share", NULL);
1823 struct cli_credentials *credentials = samba_cmdline_get_creds();
1824 NTSTATUS status;
1825 TALLOC_CTX *mem_ctx = talloc_new(tctx);
1826 char fname[256];
1827 struct smb2_handle _h1;
1828 struct smb2_handle *h1 = NULL;
1829 struct smb2_create io1;
1830 union smb_fileinfo qfinfo;
1831 bool ret = false;
1832 struct smb2_tree *tree2 = NULL;
1833 struct smb2_transport *transport1 = tree1->session->transport;
1834 struct smbcli_options options2;
1835 struct smb2_transport *transport2 = NULL;
1836 struct smb2_session *session1_1 = tree1->session;
1837 struct smb2_session *session1_2 = NULL;
1838 struct smb2_session *session2_1 = NULL;
1839 struct smb2_session *session2_2 = NULL;
1840 uint32_t caps;
1841
1842 caps = smb2cli_conn_server_capabilities(transport1->conn);
1843 if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
1844 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
1845 }
1846
1847 /*
1848 * We always want signing for this test!
1849 */
1850 smb2cli_tcon_should_sign(tree1->smbXcli, true);
1851 options2 = transport1->options;
1852 options2.signing = SMB_SIGNING_REQUIRED;
1853
1854 /* Add some random component to the file name. */
1855 snprintf(fname, sizeof(fname), "session_bind1_%s.dat",
1856 generate_random_str(tctx, 8));
1857
1858 smb2_util_unlink(tree1, fname);
1859
1860 smb2_oplock_create_share(&io1, fname,
1861 smb2_util_share_access(""),
1862 smb2_util_oplock_level("b"));
1863
1864 status = smb2_create(tree1, mem_ctx, &io1);
1865 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1866 "smb2_create failed");
1867 _h1 = io1.out.file.handle;
1868 h1 = &_h1;
1869 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1870 torture_assert_int_equal(tctx, io1.out.oplock_level,
1871 smb2_util_oplock_level("b"),
1872 "oplock_level incorrect");
1873
1874 status = smb2_connect(tctx,
1875 host,
1876 lpcfg_smb_ports(tctx->lp_ctx),
1877 share,
1878 lpcfg_resolve_context(tctx->lp_ctx),
1879 credentials,
1880 &tree2,
1881 tctx->ev,
1882 &options2,
1883 lpcfg_socket_options(tctx->lp_ctx),
1884 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1885 );
1886 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1887 "smb2_connect failed");
1888 session2_2 = tree2->session;
1889 transport2 = tree2->session->transport;
1890
1891 /*
1892 * Now bind the 2nd transport connection to the 1st session
1893 */
1894 session1_2 = smb2_session_channel(transport2,
1895 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1896 tree2,
1897 session1_1);
1898 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
1899
1900 status = smb2_session_setup_spnego(session1_2,
1901 samba_cmdline_get_creds(),
1902 0 /* previous_session_id */);
1903 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1904 "smb2_session_setup_spnego failed");
1905
1906 /* use the 1st connection, 1st session */
1907 ZERO_STRUCT(qfinfo);
1908 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1909 qfinfo.generic.in.file.handle = _h1;
1910 tree1->session = session1_1;
1911 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1912 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1913 "smb2_getinfo_file failed");
1914
1915 /* use the 2nd connection, 1st session */
1916 ZERO_STRUCT(qfinfo);
1917 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1918 qfinfo.generic.in.file.handle = _h1;
1919 tree1->session = session1_2;
1920 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1921 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1922 "smb2_getinfo_file failed");
1923
1924 tree1->session = session1_1;
1925 status = smb2_util_close(tree1, *h1);
1926 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1927 "smb2_util_close failed");
1928 h1 = NULL;
1929
1930 /*
1931 * Now bind the 1st transport connection to the 2nd session
1932 */
1933 session2_1 = smb2_session_channel(transport1,
1934 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1935 tree1,
1936 session2_2);
1937 torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
1938
1939 status = smb2_session_setup_spnego(session2_1,
1940 samba_cmdline_get_creds(),
1941 0 /* previous_session_id */);
1942 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1943 "smb2_session_setup_spnego failed");
1944
1945 tree2->session = session2_1;
1946 status = smb2_util_unlink(tree2, fname);
1947 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1948 "smb2_util_unlink failed");
1949 ret = true;
1950 done:
1951 talloc_free(tree2);
1952 tree1->session = session1_1;
1953
1954 if (h1 != NULL) {
1955 smb2_util_close(tree1, *h1);
1956 }
1957
1958 smb2_util_unlink(tree1, fname);
1959
1960 talloc_free(tree1);
1961
1962 talloc_free(mem_ctx);
1963
1964 return ret;
1965 }
1966
1967 static bool test_session_bind2(struct torture_context *tctx, struct smb2_tree *tree1)
1968 {
1969 const char *host = torture_setting_string(tctx, "host", NULL);
1970 const char *share = torture_setting_string(tctx, "share", NULL);
1971 struct cli_credentials *credentials = samba_cmdline_get_creds();
1972 NTSTATUS status;
1973 TALLOC_CTX *mem_ctx = talloc_new(tctx);
1974 char fname1[256];
1975 char fname2[256];
1976 struct smb2_handle _h1f1;
1977 struct smb2_handle *h1f1 = NULL;
1978 struct smb2_handle _h1f2;
1979 struct smb2_handle *h1f2 = NULL;
1980 struct smb2_handle _h2f2;
1981 struct smb2_handle *h2f2 = NULL;
1982 struct smb2_create io1f1;
1983 struct smb2_create io1f2;
1984 struct smb2_create io2f1;
1985 struct smb2_create io2f2;
1986 union smb_fileinfo qfinfo;
1987 bool ret = false;
1988 struct smb2_transport *transport1 = tree1->session->transport;
1989 struct smbcli_options options2;
1990 struct smb2_tree *tree2 = NULL;
1991 struct smb2_transport *transport2 = NULL;
1992 struct smbcli_options options3;
1993 struct smb2_tree *tree3 = NULL;
1994 struct smb2_transport *transport3 = NULL;
1995 struct smb2_session *session1_1 = tree1->session;
1996 struct smb2_session *session1_2 = NULL;
1997 struct smb2_session *session1_3 = NULL;
1998 struct smb2_session *session2_1 = NULL;
1999 struct smb2_session *session2_2 = NULL;
2000 struct smb2_session *session2_3 = NULL;
2001 uint32_t caps;
2002
2003 caps = smb2cli_conn_server_capabilities(transport1->conn);
2004 if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
2005 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
2006 }
2007
2008 /*
2009 * We always want signing for this test!
2010 */
2011 smb2cli_tcon_should_sign(tree1->smbXcli, true);
2012 options2 = transport1->options;
2013 options2.signing = SMB_SIGNING_REQUIRED;
2014
2015 /* Add some random component to the file name. */
2016 snprintf(fname1, sizeof(fname1), "session_bind2_1_%s.dat",
2017 generate_random_str(tctx, 8));
2018 snprintf(fname2, sizeof(fname2), "session_bind2_2_%s.dat",
2019 generate_random_str(tctx, 8));
2020
2021 smb2_util_unlink(tree1, fname1);
2022 smb2_util_unlink(tree1, fname2);
2023
2024 smb2_oplock_create_share(&io1f1, fname1,
2025 smb2_util_share_access(""),
2026 smb2_util_oplock_level(""));
2027 smb2_oplock_create_share(&io1f2, fname2,
2028 smb2_util_share_access(""),
2029 smb2_util_oplock_level(""));
2030
2031 status = smb2_create(tree1, mem_ctx, &io1f1);
2032 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2033 "smb2_create failed");
2034 _h1f1 = io1f1.out.file.handle;
2035 h1f1 = &_h1f1;
2036 CHECK_CREATED(tctx, &io1f1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2037 torture_assert_int_equal(tctx, io1f1.out.oplock_level,
2038 smb2_util_oplock_level(""),
2039 "oplock_level incorrect");
2040
2041 status = smb2_connect(tctx,
2042 host,
2043 lpcfg_smb_ports(tctx->lp_ctx),
2044 share,
2045 lpcfg_resolve_context(tctx->lp_ctx),
2046 credentials,
2047 &tree2,
2048 tctx->ev,
2049 &options2,
2050 lpcfg_socket_options(tctx->lp_ctx),
2051 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2052 );
2053 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2054 "smb2_connect failed");
2055 session2_2 = tree2->session;
2056 transport2 = tree2->session->transport;
2057 smb2cli_tcon_should_sign(tree2->smbXcli, true);
2058
2059 smb2_oplock_create_share(&io2f1, fname1,
2060 smb2_util_share_access(""),
2061 smb2_util_oplock_level(""));
2062 smb2_oplock_create_share(&io2f2, fname2,
2063 smb2_util_share_access(""),
2064 smb2_util_oplock_level(""));
2065
2066 status = smb2_create(tree2, mem_ctx, &io2f2);
2067 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2068 "smb2_create failed");
2069 _h2f2 = io2f2.out.file.handle;
2070 h2f2 = &_h2f2;
2071 CHECK_CREATED(tctx, &io2f2, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2072 torture_assert_int_equal(tctx, io2f2.out.oplock_level,
2073 smb2_util_oplock_level(""),
2074 "oplock_level incorrect");
2075
2076 options3 = transport1->options;
2077 options3.signing = SMB_SIGNING_REQUIRED;
2078 options3.only_negprot = true;
2079
2080 status = smb2_connect(tctx,
2081 host,
2082 lpcfg_smb_ports(tctx->lp_ctx),
2083 share,
2084 lpcfg_resolve_context(tctx->lp_ctx),
2085 credentials,
2086 &tree3,
2087 tctx->ev,
2088 &options3,
2089 lpcfg_socket_options(tctx->lp_ctx),
2090 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2091 );
2092 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2093 "smb2_connect failed");
2094 transport3 = tree3->session->transport;
2095
2096 /*
2097 * Create a fake session for the 2nd transport connection to the 1st session
2098 */
2099 session1_2 = smb2_session_channel(transport2,
2100 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2101 tree1,
2102 session1_1);
2103 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2104
2105 /*
2106 * Now bind the 3rd transport connection to the 1st session
2107 */
2108 session1_3 = smb2_session_channel(transport3,
2109 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2110 tree1,
2111 session1_1);
2112 torture_assert(tctx, session1_3 != NULL, "smb2_session_channel failed");
2113
2114 status = smb2_session_setup_spnego(session1_3,
2115 credentials,
2116 0 /* previous_session_id */);
2117 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2118 "smb2_session_setup_spnego failed");
2119
2120 /*
2121 * Create a fake session for the 1st transport connection to the 2nd session
2122 */
2123 session2_1 = smb2_session_channel(transport1,
2124 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2125 tree2,
2126 session2_2);
2127 torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2128
2129 /*
2130 * Now bind the 3rd transport connection to the 2nd session
2131 */
2132 session2_3 = smb2_session_channel(transport3,
2133 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2134 tree2,
2135 session2_2);
2136 torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
2137
2138 status = smb2_session_setup_spnego(session2_3,
2139 credentials,
2140 0 /* previous_session_id */);
2141 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2142 "smb2_session_setup_spnego failed");
2143
2144 ZERO_STRUCT(qfinfo);
2145 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2146 qfinfo.generic.in.file.handle = _h1f1;
2147 tree1->session = session1_1;
2148 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2149 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2150 "smb2_getinfo_file failed");
2151 tree1->session = session1_2;
2152 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2153 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2154 "smb2_getinfo_file failed");
2155 tree1->session = session1_3;
2156 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2157 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2158 "smb2_getinfo_file failed");
2159
2160 ZERO_STRUCT(qfinfo);
2161 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2162 qfinfo.generic.in.file.handle = _h2f2;
2163 tree2->session = session2_1;
2164 status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2165 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2166 "smb2_getinfo_file failed");
2167 tree2->session = session2_2;
2168 status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2169 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2170 "smb2_getinfo_file failed");
2171 tree2->session = session2_3;
2172 status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2173 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2174 "smb2_getinfo_file failed");
2175
2176 tree1->session = session1_1;
2177 status = smb2_create(tree1, mem_ctx, &io1f2);
2178 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2179 "smb2_create failed");
2180 tree1->session = session1_2;
2181 status = smb2_create(tree1, mem_ctx, &io1f2);
2182 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2183 "smb2_create failed");
2184 tree1->session = session1_3;
2185 status = smb2_create(tree1, mem_ctx, &io1f2);
2186 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2187 "smb2_create failed");
2188
2189 tree2->session = session2_1;
2190 status = smb2_create(tree2, mem_ctx, &io2f1);
2191 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2192 "smb2_create failed");
2193 tree2->session = session2_2;
2194 status = smb2_create(tree2, mem_ctx, &io2f1);
2195 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2196 "smb2_create failed");
2197 tree2->session = session2_3;
2198 status = smb2_create(tree2, mem_ctx, &io2f1);
2199 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2200 "smb2_create failed");
2201
2202 smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2203 smb_msleep(500);
2204
2205 tree1->session = session1_1;
2206 status = smb2_create(tree1, mem_ctx, &io1f2);
2207 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2208 "smb2_create failed");
2209 tree1->session = session1_2;
2210 status = smb2_create(tree1, mem_ctx, &io1f2);
2211 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2212 "smb2_create failed");
2213
2214 tree2->session = session2_1;
2215 status = smb2_create(tree2, mem_ctx, &io2f1);
2216 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2217 "smb2_create failed");
2218 tree2->session = session2_2;
2219 status = smb2_create(tree2, mem_ctx, &io2f1);
2220 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2221 "smb2_create failed");
2222
2223 smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2224 smb_msleep(500);
2225 h2f2 = NULL;
2226
2227 tree1->session = session1_1;
2228 status = smb2_create(tree1, mem_ctx, &io1f2);
2229 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2230 "smb2_create failed");
2231 _h1f2 = io1f2.out.file.handle;
2232 h1f2 = &_h1f2;
2233 CHECK_CREATED(tctx, &io1f2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
2234 torture_assert_int_equal(tctx, io1f2.out.oplock_level,
2235 smb2_util_oplock_level(""),
2236 "oplock_level incorrect");
2237
2238 tree1->session = session1_1;
2239 status = smb2_util_close(tree1, *h1f1);
2240 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2241 "smb2_util_close failed");
2242 h1f1 = NULL;
2243
2244 ret = true;
2245 done:
2246
2247 smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2248 smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2249
2250 tree1->session = session1_1;
2251 tree2->session = session2_2;
2252
2253 if (h1f1 != NULL) {
2254 smb2_util_close(tree1, *h1f1);
2255 }
2256 if (h1f2 != NULL) {
2257 smb2_util_close(tree1, *h1f2);
2258 }
2259 if (h2f2 != NULL) {
2260 smb2_util_close(tree2, *h2f2);
2261 }
2262
2263 smb2_util_unlink(tree1, fname1);
2264 smb2_util_unlink(tree1, fname2);
2265
2266 talloc_free(tree1);
2267
2268 talloc_free(mem_ctx);
2269
2270 return ret;
2271 }
2272
2273 static bool test_session_bind_auth_mismatch(struct torture_context *tctx,
2274 struct smb2_tree *tree1,
2275 const char *testname,
2276 struct cli_credentials *creds1,
2277 struct cli_credentials *creds2,
2278 bool creds2_require_ok)
2279 {
2280 const char *host = torture_setting_string(tctx, "host", NULL);
2281 const char *share = torture_setting_string(tctx, "share", NULL);
2282 NTSTATUS status;
2283 TALLOC_CTX *mem_ctx = talloc_new(tctx);
2284 char fname[256];
2285 struct smb2_handle _h1;
2286 struct smb2_handle *h1 = NULL;
2287 struct smb2_create io1;
2288 union smb_fileinfo qfinfo;
2289 bool ret = false;
2290 struct smb2_tree *tree2 = NULL;
2291 struct smb2_transport *transport1 = tree1->session->transport;
2292 struct smbcli_options options2;
2293 struct smb2_transport *transport2 = NULL;
2294 struct smb2_session *session1_1 = tree1->session;
2295 struct smb2_session *session1_2 = NULL;
2296 struct smb2_session *session2_1 = NULL;
2297 struct smb2_session *session2_2 = NULL;
2298 struct smb2_session *session3_1 = NULL;
2299 uint32_t caps;
2300 bool encrypted;
2301 bool creds2_got_ok = false;
2302
2303 encrypted = smb2cli_tcon_is_encryption_on(tree1->smbXcli);
2304
2305 caps = smb2cli_conn_server_capabilities(transport1->conn);
2306 if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
2307 torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
2308 }
2309
2310 /*
2311 * We always want signing for this test!
2312 */
2313 smb2cli_tcon_should_sign(tree1->smbXcli, true);
2314 options2 = transport1->options;
2315 options2.signing = SMB_SIGNING_REQUIRED;
2316
2317 /* Add some random component to the file name. */
2318 snprintf(fname, sizeof(fname), "%s_%s.dat", testname,
2319 generate_random_str(tctx, 8));
2320
2321 smb2_util_unlink(tree1, fname);
2322
2323 smb2_oplock_create_share(&io1, fname,
2324 smb2_util_share_access(""),
2325 smb2_util_oplock_level("b"));
2326
2327 status = smb2_create(tree1, mem_ctx, &io1);
2328 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2329 "smb2_create failed");
2330 _h1 = io1.out.file.handle;
2331 h1 = &_h1;
2332 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2333 torture_assert_int_equal(tctx, io1.out.oplock_level,
2334 smb2_util_oplock_level("b"),
2335 "oplock_level incorrect");
2336
2337 status = smb2_connect(tctx,
2338 host,
2339 lpcfg_smb_ports(tctx->lp_ctx),
2340 share,
2341 lpcfg_resolve_context(tctx->lp_ctx),
2342 creds1,
2343 &tree2,
2344 tctx->ev,
2345 &options2,
2346 lpcfg_socket_options(tctx->lp_ctx),
2347 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2348 );
2349 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2350 "smb2_connect failed");
2351 session2_2 = tree2->session;
2352 transport2 = tree2->session->transport;
2353
2354 /*
2355 * Now bind the 2nd transport connection to the 1st session
2356 */
2357 session1_2 = smb2_session_channel(transport2,
2358 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2359 tree2,
2360 session1_1);
2361 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2362
2363 status = smb2_session_setup_spnego(session1_2,
2364 creds1,
2365 0 /* previous_session_id */);
2366 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2367 "smb2_session_setup_spnego failed");
2368
2369 /* use the 1st connection, 1st session */
2370 ZERO_STRUCT(qfinfo);
2371 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2372 qfinfo.generic.in.file.handle = _h1;
2373 tree1->session = session1_1;
2374 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2375 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2376 "smb2_getinfo_file failed");
2377
2378 /* use the 2nd connection, 1st session */
2379 ZERO_STRUCT(qfinfo);
2380 qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2381 qfinfo.generic.in.file.handle = _h1;
2382 tree1->session = session1_2;
2383 status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2384 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2385 "smb2_getinfo_file failed");
2386
2387 tree1->session = session1_1;
2388 status = smb2_util_close(tree1, *h1);
2389 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2390 "smb2_util_close failed");
2391 h1 = NULL;
2392
2393 /*
2394 * Create a 3rd session in order to check if the invalid (creds2)
2395 * are mapped to guest.
2396 */
2397 session3_1 = smb2_session_init(transport1,
2398 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2399 tctx);
2400 torture_assert(tctx, session3_1 != NULL, "smb2_session_channel failed");
2401
2402 status = smb2_session_setup_spnego(session3_1,
2403 creds2,
2404 0 /* previous_session_id */);
2405 if (creds2_require_ok) {
2406 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2407 "smb2_session_setup_spnego worked");
2408 creds2_got_ok = true;
2409 } else if (NT_STATUS_IS_OK(status)) {
2410 bool authentiated = smbXcli_session_is_authenticated(session3_1->smbXcli);
2411 torture_assert(tctx, !authentiated, "Invalid credentials allowed!");
2412 creds2_got_ok = true;
2413 } else {
2414 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2415 "smb2_session_setup_spnego worked");
2416 }
2417
2418 /*
2419 * Now bind the 1st transport connection to the 2nd session
2420 */
2421 session2_1 = smb2_session_channel(transport1,
2422 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2423 tree1,
2424 session2_2);
2425 torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2426
2427 tree2->session = session2_1;
2428 status = smb2_util_unlink(tree2, fname);
2429 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2430 "smb2_util_unlink worked on invalid channel");
2431
2432 status = smb2_session_setup_spnego(session2_1,
2433 creds2,
2434 0 /* previous_session_id */);
2435 if (creds2_got_ok) {
2436 /*
2437 * attaching with a different user (guest or anonymous) results
2438 * in ACCESS_DENIED.
2439 */
2440 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_ACCESS_DENIED, ret, done,
2441 "smb2_session_setup_spnego worked");
2442 } else {
2443 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2444 "smb2_session_setup_spnego worked");
2445 }
2446
2447 tree2->session = session2_1;
2448 status = smb2_util_unlink(tree2, fname);
2449 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2450 "smb2_util_unlink worked on invalid channel");
2451
2452 tree2->session = session2_2;
2453 status = smb2_util_unlink(tree2, fname);
2454 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2455 "smb2_util_unlink failed");
2456 status = smb2_util_unlink(tree2, fname);
2457 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2458 "smb2_util_unlink worked");
2459 if (creds2_got_ok) {
2460 /*
2461 * We got ACCESS_DENIED on the session bind
2462 * with a different user, now check that
2463 * the correct user can actually bind on
2464 * the same connection.
2465 */
2466 TALLOC_FREE(session2_1);
2467 session2_1 = smb2_session_channel(transport1,
2468 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2469 tree1,
2470 session2_2);
2471 torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2472
2473 status = smb2_session_setup_spnego(session2_1,
2474 creds1,
2475 0 /* previous_session_id */);
2476 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2477 "smb2_session_setup_spnego failed");
2478 tree2->session = session2_1;
2479 status = smb2_util_unlink(tree2, fname);
2480 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2481 "smb2_util_unlink worked");
2482 tree2->session = session2_2;
2483 }
2484
2485 tree1->session = session1_1;
2486 status = smb2_util_unlink(tree1, fname);
2487 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2488 "smb2_util_unlink worked");
2489
2490 tree1->session = session1_2;
2491 status = smb2_util_unlink(tree1, fname);
2492 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2493 "smb2_util_unlink worked");
2494
2495 if (creds2_got_ok) {
2496 /*
2497 * With valid credentials, there's no point to test a failing
2498 * reauth.
2499 */
2500 ret = true;
2501 goto done;
2502 }
2503
2504 /*
2505 * Do a failing reauth the 2nd channel
2506 */
2507 status = smb2_session_setup_spnego(session1_2,
2508 creds2,
2509 0 /* previous_session_id */);
2510 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2511 "smb2_session_setup_spnego worked");
2512
2513 tree1->session = session1_1;
2514 status = smb2_util_unlink(tree1, fname);
2515 if (encrypted) {
2516 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2517 "smb2_util_unlink worked");
2518 } else {
2519 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2520 "smb2_util_unlink worked");
2521 }
2522
2523 tree1->session = session1_2;
2524 status = smb2_util_unlink(tree1, fname);
2525 if (encrypted) {
2526 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2527 "smb2_util_unlink worked");
2528 } else {
2529 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2530 "smb2_util_unlink worked");
2531 }
2532
2533 status = smb2_util_unlink(tree2, fname);
2534 if (encrypted) {
2535 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2536 "smb2_util_unlink worked");
2537 torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2538 "smb2_util_unlink worked");
2539 } else {
2540 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2541 "smb2_util_unlink worked");
2542 }
2543
2544 ret = true;
2545 done:
2546 talloc_free(tree2);
2547 tree1->session = session1_1;
2548
2549 if (h1 != NULL) {
2550 smb2_util_close(tree1, *h1);
2551 }
2552
2553 smb2_util_unlink(tree1, fname);
2554
2555 talloc_free(tree1);
2556
2557 talloc_free(mem_ctx);
2558
2559 return ret;
2560 }
2561
2562 static bool test_session_bind_invalid_auth(struct torture_context *tctx, struct smb2_tree *tree1)
2563 {
2564 struct cli_credentials *credentials = samba_cmdline_get_creds();
2565 struct cli_credentials *invalid_credentials = NULL;
2566 bool ret = false;
2567
2568 invalid_credentials = cli_credentials_init(tctx);
2569 torture_assert(tctx, (invalid_credentials != NULL), "talloc error");
2570 cli_credentials_set_username(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2571 cli_credentials_set_domain(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2572 cli_credentials_set_password(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2573 cli_credentials_set_realm(invalid_credentials, NULL, CRED_SPECIFIED);
2574 cli_credentials_set_workstation(invalid_credentials, "", CRED_UNINITIALISED);
2575
2576 ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2577 credentials,
2578 invalid_credentials,
2579 false);
2580 return ret;
2581 }
2582
2583 static bool test_session_bind_different_user(struct torture_context *tctx, struct smb2_tree *tree1)
2584 {
2585 struct cli_credentials *credentials1 = samba_cmdline_get_creds();
2586 struct cli_credentials *credentials2 = torture_user2_credentials(tctx, tctx);
2587 char *u1 = cli_credentials_get_unparsed_name(credentials1, tctx);
2588 char *u2 = cli_credentials_get_unparsed_name(credentials2, tctx);
2589 bool ret = false;
2590 bool bval;
2591
2592 torture_assert(tctx, (credentials2 != NULL), "talloc error");
2593 bval = cli_credentials_is_anonymous(credentials2);
2594 if (bval) {
2595 torture_skip(tctx, "valid user2 credentials are required");
2596 }
2597 bval = strequal(u1, u2);
2598 if (bval) {
2599 torture_skip(tctx, "different user2 credentials are required");
2600 }
2601
2602 ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2603 credentials1,
2604 credentials2,
2605 true);
2606 return ret;
2607 }
2608
2609 static bool test_session_bind_negative_smbXtoX(struct torture_context *tctx,
2610 const char *testname,
2611 struct cli_credentials *credentials,
2612 const struct smbcli_options *options1,
2613 const struct smbcli_options *options2,
2614 NTSTATUS bind_reject_status)
2615 {
2616 const char *host = torture_setting_string(tctx, "host", NULL);
2617 const char *share = torture_setting_string(tctx, "share", NULL);
2618 NTSTATUS status;
2619 bool ret = false;
2620 struct smb2_tree *tree1 = NULL;
2621 struct smb2_session *session1_1 = NULL;
2622 char fname[256];
2623 struct smb2_handle _h1;
2624 struct smb2_handle *h1 = NULL;
2625 struct smb2_create io1;
2626 union smb_fileinfo qfinfo1;
2627 struct smb2_tree *tree2_0 = NULL;
2628 struct smb2_transport *transport2 = NULL;
2629 struct smb2_session *session1_2 = NULL;
2630 uint64_t session1_id = 0;
2631 uint16_t session1_flags = 0;
2632 NTSTATUS deleted_status = NT_STATUS_USER_SESSION_DELETED;
2633
2634 status = smb2_connect(tctx,
2635 host,
2636 lpcfg_smb_ports(tctx->lp_ctx),
2637 share,
2638 lpcfg_resolve_context(tctx->lp_ctx),
2639 credentials,
2640 &tree1,
2641 tctx->ev,
2642 options1,
2643 lpcfg_socket_options(tctx->lp_ctx),
2644 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2645 );
2646 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2647 "smb2_connect options1 failed");
2648 session1_1 = tree1->session;
2649 session1_id = smb2cli_session_current_id(session1_1->smbXcli);
2650 session1_flags = smb2cli_session_get_flags(session1_1->smbXcli);
2651
2652 /* Add some random component to the file name. */
2653 snprintf(fname, sizeof(fname), "%s_%s.dat",
2654 testname, generate_random_str(tctx, 8));
2655
2656 smb2_util_unlink(tree1, fname);
2657
2658 smb2_oplock_create_share(&io1, fname,
2659 smb2_util_share_access(""),
2660 smb2_util_oplock_level("b"));
2661
2662 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
2663 status = smb2_create(tree1, tctx, &io1);
2664 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2665 "smb2_create failed");
2666 _h1 = io1.out.file.handle;
2667 h1 = &_h1;
2668 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2669 torture_assert_int_equal(tctx, io1.out.oplock_level,
2670 smb2_util_oplock_level("b"),
2671 "oplock_level incorrect");
2672
2673 status = smb2_connect(tctx,
2674 host,
2675 lpcfg_smb_ports(tctx->lp_ctx),
2676 share,
2677 lpcfg_resolve_context(tctx->lp_ctx),
2678 credentials,
2679 &tree2_0,
2680 tctx->ev,
2681 options2,
2682 lpcfg_socket_options(tctx->lp_ctx),
2683 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2684 );
2685 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2686 "smb2_connect options2 failed");
2687 transport2 = tree2_0->session->transport;
2688
2689 /*
2690 * Now bind the 2nd transport connection to the 1st session
2691 */
2692 session1_2 = smb2_session_channel(transport2,
2693 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2694 tree2_0,
2695 session1_1);
2696 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2697
2698 status = smb2_session_setup_spnego(session1_2,
2699 credentials,
2700 0 /* previous_session_id */);
2701 torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2702 "smb2_session_setup_spnego failed");
2703 if (NT_STATUS_IS_OK(bind_reject_status)) {
2704 ZERO_STRUCT(qfinfo1);
2705 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2706 qfinfo1.generic.in.file.handle = _h1;
2707 tree1->session = session1_2;
2708 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2709 tree1->session = session1_1;
2710 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2711 "smb2_getinfo_file failed");
2712 }
2713 TALLOC_FREE(session1_2);
2714
2715 /* Check the initial session is still alive */
2716 ZERO_STRUCT(qfinfo1);
2717 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2718 qfinfo1.generic.in.file.handle = _h1;
2719 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2720 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2721 "smb2_getinfo_file failed");
2722
2723 if (NT_STATUS_IS_OK(bind_reject_status)) {
2724 deleted_status = NT_STATUS_ACCESS_DENIED;
2725 bind_reject_status = NT_STATUS_ACCESS_DENIED;
2726 }
2727
2728 /*
2729 * I guess this is not part of MultipleChannel_Negative_SMB2002,
2730 * but we should also check the status without
2731 * SMB2_SESSION_FLAG_BINDING.
2732 */
2733 session1_2 = smb2_session_channel(transport2,
2734 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2735 tree2_0,
2736 session1_1);
2737 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2738 session1_2->needs_bind = false;
2739
2740 status = smb2_session_setup_spnego(session1_2,
2741 credentials,
2742 0 /* previous_session_id */);
2743 torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2744 "smb2_session_setup_spnego failed");
2745 TALLOC_FREE(session1_2);
2746
2747 /*
2748 * ... and we should also check the status without any existing
2749 * session keys.
2750 */
2751 session1_2 = smb2_session_init(transport2,
2752 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2753 tree2_0);
2754 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2755 talloc_steal(tree2_0->session, transport2);
2756 smb2cli_session_set_id_and_flags(session1_2->smbXcli,
2757 session1_id, session1_flags);
2758
2759 status = smb2_session_setup_spnego(session1_2,
2760 credentials,
2761 0 /* previous_session_id */);
2762 torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2763 "smb2_session_setup_spnego failed");
2764 TALLOC_FREE(session1_2);
2765
2766 /* Check the initial session is still alive */
2767 ZERO_STRUCT(qfinfo1);
2768 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2769 qfinfo1.generic.in.file.handle = _h1;
2770 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2771 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2772 "smb2_getinfo_file failed");
2773
2774 /*
2775 * Now bind the 2nd transport connection to the 1st session (again)
2776 */
2777 session1_2 = smb2_session_channel(transport2,
2778 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2779 tree2_0,
2780 session1_1);
2781 torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2782
2783 status = smb2_session_setup_spnego(session1_2,
2784 credentials,
2785 0 /* previous_session_id */);
2786 torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2787 "smb2_session_setup_spnego failed");
2788 TALLOC_FREE(session1_2);
2789
2790 /* Check the initial session is still alive */
2791 ZERO_STRUCT(qfinfo1);
2792 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2793 qfinfo1.generic.in.file.handle = _h1;
2794 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2795 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2796 "smb2_getinfo_file failed");
2797
2798 ret = true;
2799 done:
2800 talloc_free(tree2_0);
2801 if (h1 != NULL) {
2802 smb2_util_close(tree1, *h1);
2803 }
2804 talloc_free(tree1);
2805
2806 return ret;
2807 }
2808
2809 /*
2810 * This is similar to the MultipleChannel_Negative_SMB2002 test
2811 * from the Windows Protocol Test Suite.
2812 *
2813 * It demonstrates that the server needs to do lookup
2814 * in the global session table in order to get the signing
2815 * and error code of invalid session setups correct.
2816 *
2817 * See: https://bugzilla.samba.org/show_bug.cgi?id=14512
2818 *
2819 * Note you can ignore tree0...
2820 */
2821 static bool test_session_bind_negative_smb202(struct torture_context *tctx, struct smb2_tree *tree0)
2822 {
2823 struct cli_credentials *credentials = samba_cmdline_get_creds();
2824 bool ret = false;
2825 struct smb2_transport *transport0 = tree0->session->transport;
2826 struct smbcli_options options1;
2827 struct smbcli_options options2;
2828 bool encrypted;
2829
2830 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2831 if (encrypted) {
2832 torture_skip(tctx,
2833 "Can't test SMB 2.02 if encryption is required");
2834 }
2835
2836 options1 = transport0->options;
2837 options1.client_guid = GUID_zero();
2838 options1.max_protocol = PROTOCOL_SMB2_02;
2839
2840 options2 = options1;
2841 options2.only_negprot = true;
2842
2843 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2844 credentials,
2845 &options1, &options2,
2846 NT_STATUS_REQUEST_NOT_ACCEPTED);
2847 talloc_free(tree0);
2848 return ret;
2849 }
2850
2851 static bool test_session_bind_negative_smb210s(struct torture_context *tctx, struct smb2_tree *tree0)
2852 {
2853 struct cli_credentials *credentials = samba_cmdline_get_creds();
2854 bool ret = false;
2855 struct smb2_transport *transport0 = tree0->session->transport;
2856 struct smbcli_options options1;
2857 struct smbcli_options options2;
2858 bool encrypted;
2859
2860 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2861 if (encrypted) {
2862 torture_skip(tctx,
2863 "Can't test SMB 2.10 if encryption is required");
2864 }
2865
2866 options1 = transport0->options;
2867 options1.client_guid = GUID_random();
2868 options1.max_protocol = PROTOCOL_SMB2_10;
2869
2870 /* same client guid */
2871 options2 = options1;
2872 options2.only_negprot = true;
2873
2874 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2875 credentials,
2876 &options1, &options2,
2877 NT_STATUS_REQUEST_NOT_ACCEPTED);
2878 talloc_free(tree0);
2879 return ret;
2880 }
2881
2882 static bool test_session_bind_negative_smb210d(struct torture_context *tctx, struct smb2_tree *tree0)
2883 {
2884 struct cli_credentials *credentials = samba_cmdline_get_creds();
2885 bool ret = false;
2886 struct smb2_transport *transport0 = tree0->session->transport;
2887 struct smbcli_options options1;
2888 struct smbcli_options options2;
2889 bool encrypted;
2890
2891 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2892 if (encrypted) {
2893 torture_skip(tctx,
2894 "Can't test SMB 2.10 if encryption is required");
2895 }
2896
2897 options1 = transport0->options;
2898 options1.client_guid = GUID_random();
2899 options1.max_protocol = PROTOCOL_SMB2_10;
2900
2901 /* different client guid */
2902 options2 = options1;
2903 options2.client_guid = GUID_random();
2904 options2.only_negprot = true;
2905
2906 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2907 credentials,
2908 &options1, &options2,
2909 NT_STATUS_REQUEST_NOT_ACCEPTED);
2910 talloc_free(tree0);
2911 return ret;
2912 }
2913
2914 static bool test_session_bind_negative_smb2to3s(struct torture_context *tctx, struct smb2_tree *tree0)
2915 {
2916 struct cli_credentials *credentials = samba_cmdline_get_creds();
2917 bool ret = false;
2918 struct smb2_transport *transport0 = tree0->session->transport;
2919 struct smbcli_options options1;
2920 struct smbcli_options options2;
2921 bool encrypted;
2922
2923 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2924 if (encrypted) {
2925 torture_skip(tctx,
2926 "Can't test SMB 2.10 if encryption is required");
2927 }
2928
2929 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2930 torture_skip(tctx,
2931 "Can't test without SMB3 support");
2932 }
2933
2934 options1 = transport0->options;
2935 options1.client_guid = GUID_random();
2936 options1.min_protocol = PROTOCOL_SMB2_02;
2937 options1.max_protocol = PROTOCOL_SMB2_10;
2938
2939 /* same client guid */
2940 options2 = options1;
2941 options2.only_negprot = true;
2942 options2.min_protocol = PROTOCOL_SMB3_00;
2943 options2.max_protocol = PROTOCOL_SMB3_11;
2944 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2945 .num_algos = 1,
2946 .algos = {
2947 SMB2_SIGNING_AES128_CMAC,
2948 },
2949 };
2950
2951 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2952 credentials,
2953 &options1, &options2,
2954 NT_STATUS_INVALID_PARAMETER);
2955 talloc_free(tree0);
2956 return ret;
2957 }
2958
2959 static bool test_session_bind_negative_smb2to3d(struct torture_context *tctx, struct smb2_tree *tree0)
2960 {
2961 struct cli_credentials *credentials = samba_cmdline_get_creds();
2962 bool ret = false;
2963 struct smb2_transport *transport0 = tree0->session->transport;
2964 struct smbcli_options options1;
2965 struct smbcli_options options2;
2966 bool encrypted;
2967
2968 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2969 if (encrypted) {
2970 torture_skip(tctx,
2971 "Can't test SMB 2.10 if encryption is required");
2972 }
2973
2974 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2975 torture_skip(tctx,
2976 "Can't test without SMB3 support");
2977 }
2978
2979 options1 = transport0->options;
2980 options1.client_guid = GUID_random();
2981 options1.min_protocol = PROTOCOL_SMB2_02;
2982 options1.max_protocol = PROTOCOL_SMB2_10;
2983
2984 /* different client guid */
2985 options2 = options1;
2986 options2.client_guid = GUID_random();
2987 options2.only_negprot = true;
2988 options2.min_protocol = PROTOCOL_SMB3_00;
2989 options2.max_protocol = PROTOCOL_SMB3_11;
2990 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2991 .num_algos = 1,
2992 .algos = {
2993 SMB2_SIGNING_AES128_CMAC,
2994 },
2995 };
2996
2997 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2998 credentials,
2999 &options1, &options2,
3000 NT_STATUS_INVALID_PARAMETER);
3001 talloc_free(tree0);
3002 return ret;
3003 }
3004
3005 static bool test_session_bind_negative_smb3to2s(struct torture_context *tctx, struct smb2_tree *tree0)
3006 {
3007 struct cli_credentials *credentials = samba_cmdline_get_creds();
3008 bool ret = false;
3009 struct smb2_transport *transport0 = tree0->session->transport;
3010 struct smbcli_options options1;
3011 struct smbcli_options options2;
3012 bool encrypted;
3013
3014 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
3015 if (encrypted) {
3016 torture_skip(tctx,
3017 "Can't test SMB 2.10 if encryption is required");
3018 }
3019
3020 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
3021 torture_skip(tctx,
3022 "Can't test without SMB3 support");
3023 }
3024
3025 options1 = transport0->options;
3026 options1.client_guid = GUID_random();
3027 options1.min_protocol = PROTOCOL_SMB3_00;
3028 options1.max_protocol = PROTOCOL_SMB3_11;
3029 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3030 .num_algos = 1,
3031 .algos = {
3032 SMB2_SIGNING_AES128_CMAC,
3033 },
3034 };
3035
3036 /* same client guid */
3037 options2 = options1;
3038 options2.only_negprot = true;
3039 options2.min_protocol = PROTOCOL_SMB2_02;
3040 options2.max_protocol = PROTOCOL_SMB2_10;
3041 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3042 .num_algos = 1,
3043 .algos = {
3044 SMB2_SIGNING_HMAC_SHA256,
3045 },
3046 };
3047
3048 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3049 credentials,
3050 &options1, &options2,
3051 NT_STATUS_REQUEST_NOT_ACCEPTED);
3052 talloc_free(tree0);
3053 return ret;
3054 }
3055
3056 static bool test_session_bind_negative_smb3to2d(struct torture_context *tctx, struct smb2_tree *tree0)
3057 {
3058 struct cli_credentials *credentials = samba_cmdline_get_creds();
3059 bool ret = false;
3060 struct smb2_transport *transport0 = tree0->session->transport;
3061 struct smbcli_options options1;
3062 struct smbcli_options options2;
3063 bool encrypted;
3064
3065 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
3066 if (encrypted) {
3067 torture_skip(tctx,
3068 "Can't test SMB 2.10 if encryption is required");
3069 }
3070
3071 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
3072 torture_skip(tctx,
3073 "Can't test without SMB3 support");
3074 }
3075
3076 options1 = transport0->options;
3077 options1.client_guid = GUID_random();
3078 options1.min_protocol = PROTOCOL_SMB3_00;
3079 options1.max_protocol = PROTOCOL_SMB3_11;
3080 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3081 .num_algos = 1,
3082 .algos = {
3083 SMB2_SIGNING_AES128_CMAC,
3084 },
3085 };
3086
3087 /* different client guid */
3088 options2 = options1;
3089 options2.client_guid = GUID_random();
3090 options2.only_negprot = true;
3091 options2.min_protocol = PROTOCOL_SMB2_02;
3092 options2.max_protocol = PROTOCOL_SMB2_10;
3093 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3094 .num_algos = 1,
3095 .algos = {
3096 SMB2_SIGNING_HMAC_SHA256,
3097 },
3098 };
3099
3100 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3101 credentials,
3102 &options1, &options2,
3103 NT_STATUS_REQUEST_NOT_ACCEPTED);
3104 talloc_free(tree0);
3105 return ret;
3106 }
3107
3108 static bool test_session_bind_negative_smb3to3s(struct torture_context *tctx, struct smb2_tree *tree0)
3109 {
3110 struct cli_credentials *credentials = samba_cmdline_get_creds();
3111 bool ret = false;
3112 struct smb2_transport *transport0 = tree0->session->transport;
3113 struct smbcli_options options1;
3114 struct smbcli_options options2;
3115
3116 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3117 torture_skip(tctx,
3118 "Can't test without SMB 3.1.1 support");
3119 }
3120
3121 options1 = transport0->options;
3122 options1.client_guid = GUID_random();
3123 options1.min_protocol = PROTOCOL_SMB3_02;
3124 options1.max_protocol = PROTOCOL_SMB3_02;
3125
3126 /* same client guid */
3127 options2 = options1;
3128 options2.only_negprot = true;
3129 options2.min_protocol = PROTOCOL_SMB3_11;
3130 options2.max_protocol = PROTOCOL_SMB3_11;
3131 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3132 .num_algos = 1,
3133 .algos = {
3134 SMB2_SIGNING_AES128_CMAC,
3135 },
3136 };
3137
3138 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3139 credentials,
3140 &options1, &options2,
3141 NT_STATUS_INVALID_PARAMETER);
3142 talloc_free(tree0);
3143 return ret;
3144 }
3145
3146 static bool test_session_bind_negative_smb3to3d(struct torture_context *tctx, struct smb2_tree *tree0)
3147 {
3148 struct cli_credentials *credentials = samba_cmdline_get_creds();
3149 bool ret = false;
3150 struct smb2_transport *transport0 = tree0->session->transport;
3151 struct smbcli_options options1;
3152 struct smbcli_options options2;
3153
3154 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3155 torture_skip(tctx,
3156 "Can't test without SMB 3.1.1 support");
3157 }
3158
3159 options1 = transport0->options;
3160 options1.client_guid = GUID_random();
3161 options1.min_protocol = PROTOCOL_SMB3_02;
3162 options1.max_protocol = PROTOCOL_SMB3_02;
3163
3164 /* different client guid */
3165 options2 = options1;
3166 options2.client_guid = GUID_random();
3167 options2.only_negprot = true;
3168 options2.min_protocol = PROTOCOL_SMB3_11;
3169 options2.max_protocol = PROTOCOL_SMB3_11;
3170 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3171 .num_algos = 1,
3172 .algos = {
3173 SMB2_SIGNING_AES128_CMAC,
3174 },
3175 };
3176
3177 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3178 credentials,
3179 &options1, &options2,
3180 NT_STATUS_INVALID_PARAMETER);
3181 talloc_free(tree0);
3182 return ret;
3183 }
3184
3185 static bool test_session_bind_negative_smb3encGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3186 {
3187 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3188 struct cli_credentials *credentials = NULL;
3189 bool ret = false;
3190 struct smb2_transport *transport0 = tree0->session->transport;
3191 struct smbcli_options options1;
3192 struct smbcli_options options2;
3193 bool ok;
3194
3195 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3196 torture_skip(tctx,
3197 "Can't test without SMB 3.1.1 support");
3198 }
3199
3200 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3201 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3202 ok = cli_credentials_set_smb_encryption(credentials,
3203 SMB_ENCRYPTION_REQUIRED,
3204 CRED_SPECIFIED);
3205 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3206
3207 options1 = transport0->options;
3208 options1.client_guid = GUID_random();
3209 options1.min_protocol = PROTOCOL_SMB3_11;
3210 options1.max_protocol = PROTOCOL_SMB3_11;
3211 options1.signing = SMB_SIGNING_REQUIRED;
3212 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3213 .num_algos = 1,
3214 .algos = {
3215 SMB2_ENCRYPTION_AES128_GCM,
3216 },
3217 };
3218
3219 /* same client guid */
3220 options2 = options1;
3221 options2.only_negprot = true;
3222 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3223 .num_algos = 1,
3224 .algos = {
3225 SMB2_ENCRYPTION_AES128_CCM,
3226 },
3227 };
3228
3229 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3230 credentials,
3231 &options1, &options2,
3232 NT_STATUS_INVALID_PARAMETER);
3233 talloc_free(tree0);
3234 return ret;
3235 }
3236
3237 static bool test_session_bind_negative_smb3encGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3238 {
3239 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3240 struct cli_credentials *credentials = NULL;
3241 bool ret = false;
3242 struct smb2_transport *transport0 = tree0->session->transport;
3243 struct smbcli_options options1;
3244 struct smbcli_options options2;
3245 bool ok;
3246
3247 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3248 torture_skip(tctx,
3249 "Can't test without SMB 3.1.1 support");
3250 }
3251
3252 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3253 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3254 ok = cli_credentials_set_smb_encryption(credentials,
3255 SMB_ENCRYPTION_REQUIRED,
3256 CRED_SPECIFIED);
3257 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3258
3259 options1 = transport0->options;
3260 options1.client_guid = GUID_random();
3261 options1.min_protocol = PROTOCOL_SMB3_11;
3262 options1.max_protocol = PROTOCOL_SMB3_11;
3263 options1.signing = SMB_SIGNING_REQUIRED;
3264 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3265 .num_algos = 1,
3266 .algos = {
3267 SMB2_ENCRYPTION_AES128_GCM,
3268 },
3269 };
3270
3271 /* different client guid */
3272 options2 = options1;
3273 options2.client_guid = GUID_random();
3274 options2.only_negprot = true;
3275 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3276 .num_algos = 1,
3277 .algos = {
3278 SMB2_ENCRYPTION_AES128_CCM,
3279 },
3280 };
3281
3282 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3283 credentials,
3284 &options1, &options2,
3285 NT_STATUS_INVALID_PARAMETER);
3286 talloc_free(tree0);
3287 return ret;
3288 }
3289
3290 static bool test_session_bind_negative_smb3signCtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3291 {
3292 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3293 struct cli_credentials *credentials = NULL;
3294 bool ret = false;
3295 struct smb2_transport *transport0 = tree0->session->transport;
3296 struct smbcli_options options1;
3297 struct smbcli_options options2;
3298 bool ok;
3299
3300 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3301 torture_skip(tctx,
3302 "Can't test without SMB 3.1.1 support");
3303 }
3304
3305 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3306 torture_skip(tctx,
3307 "Can't test without SMB 3.1.1 signing negotiation support");
3308 }
3309
3310 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3311 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3312 ok = cli_credentials_set_smb_encryption(credentials,
3313 SMB_ENCRYPTION_REQUIRED,
3314 CRED_SPECIFIED);
3315 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3316
3317 options1 = transport0->options;
3318 options1.client_guid = GUID_random();
3319 options1.min_protocol = PROTOCOL_SMB3_11;
3320 options1.max_protocol = PROTOCOL_SMB3_11;
3321 options1.signing = SMB_SIGNING_REQUIRED;
3322 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3323 .num_algos = 1,
3324 .algos = {
3325 SMB2_SIGNING_AES128_CMAC,
3326 },
3327 };
3328
3329 /* same client guid */
3330 options2 = options1;
3331 options2.only_negprot = true;
3332 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3333 .num_algos = 1,
3334 .algos = {
3335 SMB2_SIGNING_HMAC_SHA256,
3336 },
3337 };
3338
3339 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3340 credentials,
3341 &options1, &options2,
3342 NT_STATUS_OK);
3343 talloc_free(tree0);
3344 return ret;
3345 }
3346
3347 static bool test_session_bind_negative_smb3signCtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3348 {
3349 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3350 struct cli_credentials *credentials = NULL;
3351 bool ret = false;
3352 struct smb2_transport *transport0 = tree0->session->transport;
3353 struct smbcli_options options1;
3354 struct smbcli_options options2;
3355 bool ok;
3356
3357 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3358 torture_skip(tctx,
3359 "Can't test without SMB 3.1.1 support");
3360 }
3361
3362 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3363 torture_skip(tctx,
3364 "Can't test without SMB 3.1.1 signing negotiation support");
3365 }
3366
3367 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3368 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3369 ok = cli_credentials_set_smb_encryption(credentials,
3370 SMB_ENCRYPTION_REQUIRED,
3371 CRED_SPECIFIED);
3372 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3373
3374 options1 = transport0->options;
3375 options1.client_guid = GUID_random();
3376 options1.min_protocol = PROTOCOL_SMB3_11;
3377 options1.max_protocol = PROTOCOL_SMB3_11;
3378 options1.signing = SMB_SIGNING_REQUIRED;
3379 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3380 .num_algos = 1,
3381 .algos = {
3382 SMB2_SIGNING_AES128_CMAC,
3383 },
3384 };
3385
3386 /* different client guid */
3387 options2 = options1;
3388 options2.client_guid = GUID_random();
3389 options2.only_negprot = true;
3390 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3391 .num_algos = 1,
3392 .algos = {
3393 SMB2_SIGNING_HMAC_SHA256,
3394 },
3395 };
3396
3397 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3398 credentials,
3399 &options1, &options2,
3400 NT_STATUS_OK);
3401 talloc_free(tree0);
3402 return ret;
3403 }
3404
3405 static bool test_session_bind_negative_smb3signHtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3406 {
3407 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3408 struct cli_credentials *credentials = NULL;
3409 bool ret = false;
3410 struct smb2_transport *transport0 = tree0->session->transport;
3411 struct smbcli_options options1;
3412 struct smbcli_options options2;
3413 bool ok;
3414
3415 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3416 torture_skip(tctx,
3417 "Can't test without SMB 3.1.1 support");
3418 }
3419
3420 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3421 torture_skip(tctx,
3422 "Can't test without SMB 3.1.1 signing negotiation support");
3423 }
3424
3425 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3426 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3427 ok = cli_credentials_set_smb_encryption(credentials,
3428 SMB_ENCRYPTION_REQUIRED,
3429 CRED_SPECIFIED);
3430 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3431
3432 options1 = transport0->options;
3433 options1.client_guid = GUID_random();
3434 options1.min_protocol = PROTOCOL_SMB3_11;
3435 options1.max_protocol = PROTOCOL_SMB3_11;
3436 options1.signing = SMB_SIGNING_REQUIRED;
3437 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3438 .num_algos = 1,
3439 .algos = {
3440 SMB2_SIGNING_HMAC_SHA256,
3441 },
3442 };
3443
3444 /* same client guid */
3445 options2 = options1;
3446 options2.only_negprot = true;
3447 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3448 .num_algos = 1,
3449 .algos = {
3450 SMB2_SIGNING_AES128_CMAC,
3451 },
3452 };
3453
3454 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3455 credentials,
3456 &options1, &options2,
3457 NT_STATUS_OK);
3458 talloc_free(tree0);
3459 return ret;
3460 }
3461
3462 static bool test_session_bind_negative_smb3signHtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3463 {
3464 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3465 struct cli_credentials *credentials = NULL;
3466 bool ret = false;
3467 struct smb2_transport *transport0 = tree0->session->transport;
3468 struct smbcli_options options1;
3469 struct smbcli_options options2;
3470 bool ok;
3471
3472 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3473 torture_skip(tctx,
3474 "Can't test without SMB 3.1.1 support");
3475 }
3476
3477 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3478 torture_skip(tctx,
3479 "Can't test without SMB 3.1.1 signing negotiation support");
3480 }
3481
3482 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3483 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3484 ok = cli_credentials_set_smb_encryption(credentials,
3485 SMB_ENCRYPTION_REQUIRED,
3486 CRED_SPECIFIED);
3487 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3488
3489 options1 = transport0->options;
3490 options1.client_guid = GUID_random();
3491 options1.min_protocol = PROTOCOL_SMB3_11;
3492 options1.max_protocol = PROTOCOL_SMB3_11;
3493 options1.signing = SMB_SIGNING_REQUIRED;
3494 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3495 .num_algos = 1,
3496 .algos = {
3497 SMB2_SIGNING_HMAC_SHA256,
3498 },
3499 };
3500
3501 /* different client guid */
3502 options2 = options1;
3503 options2.client_guid = GUID_random();
3504 options2.only_negprot = true;
3505 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3506 .num_algos = 1,
3507 .algos = {
3508 SMB2_SIGNING_AES128_CMAC,
3509 },
3510 };
3511
3512 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3513 credentials,
3514 &options1, &options2,
3515 NT_STATUS_OK);
3516 talloc_free(tree0);
3517 return ret;
3518 }
3519
3520 static bool test_session_bind_negative_smb3signHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3521 {
3522 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3523 struct cli_credentials *credentials = NULL;
3524 bool ret = false;
3525 struct smb2_transport *transport0 = tree0->session->transport;
3526 struct smbcli_options options1;
3527 struct smbcli_options options2;
3528 bool ok;
3529
3530 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3531 torture_skip(tctx,
3532 "Can't test without SMB 3.1.1 support");
3533 }
3534
3535 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3536 torture_skip(tctx,
3537 "Can't test without SMB 3.1.1 signing negotiation support");
3538 }
3539
3540 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3541 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3542 ok = cli_credentials_set_smb_encryption(credentials,
3543 SMB_ENCRYPTION_REQUIRED,
3544 CRED_SPECIFIED);
3545 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3546
3547 options1 = transport0->options;
3548 options1.client_guid = GUID_random();
3549 options1.min_protocol = PROTOCOL_SMB3_11;
3550 options1.max_protocol = PROTOCOL_SMB3_11;
3551 options1.signing = SMB_SIGNING_REQUIRED;
3552 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3553 .num_algos = 1,
3554 .algos = {
3555 SMB2_SIGNING_HMAC_SHA256,
3556 },
3557 };
3558
3559 /* same client guid */
3560 options2 = options1;
3561 options2.only_negprot = true;
3562 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3563 .num_algos = 1,
3564 .algos = {
3565 SMB2_SIGNING_AES128_GMAC,
3566 },
3567 };
3568
3569 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3570 credentials,
3571 &options1, &options2,
3572 NT_STATUS_NOT_SUPPORTED);
3573 talloc_free(tree0);
3574 return ret;
3575 }
3576
3577 static bool test_session_bind_negative_smb3signHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3578 {
3579 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3580 struct cli_credentials *credentials = NULL;
3581 bool ret = false;
3582 struct smb2_transport *transport0 = tree0->session->transport;
3583 struct smbcli_options options1;
3584 struct smbcli_options options2;
3585 bool ok;
3586
3587 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3588 torture_skip(tctx,
3589 "Can't test without SMB 3.1.1 support");
3590 }
3591
3592 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3593 torture_skip(tctx,
3594 "Can't test without SMB 3.1.1 signing negotiation support");
3595 }
3596
3597 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3598 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3599 ok = cli_credentials_set_smb_encryption(credentials,
3600 SMB_ENCRYPTION_REQUIRED,
3601 CRED_SPECIFIED);
3602 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3603
3604 options1 = transport0->options;
3605 options1.client_guid = GUID_random();
3606 options1.min_protocol = PROTOCOL_SMB3_11;
3607 options1.max_protocol = PROTOCOL_SMB3_11;
3608 options1.signing = SMB_SIGNING_REQUIRED;
3609 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3610 .num_algos = 1,
3611 .algos = {
3612 SMB2_SIGNING_HMAC_SHA256,
3613 },
3614 };
3615
3616 /* different client guid */
3617 options2 = options1;
3618 options2.client_guid = GUID_random();
3619 options2.only_negprot = true;
3620 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3621 .num_algos = 1,
3622 .algos = {
3623 SMB2_SIGNING_AES128_GMAC,
3624 },
3625 };
3626
3627 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3628 credentials,
3629 &options1, &options2,
3630 NT_STATUS_NOT_SUPPORTED);
3631 talloc_free(tree0);
3632 return ret;
3633 }
3634
3635 static bool test_session_bind_negative_smb3signCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3636 {
3637 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3638 struct cli_credentials *credentials = NULL;
3639 bool ret = false;
3640 struct smb2_transport *transport0 = tree0->session->transport;
3641 struct smbcli_options options1;
3642 struct smbcli_options options2;
3643 bool ok;
3644
3645 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3646 torture_skip(tctx,
3647 "Can't test without SMB 3.1.1 support");
3648 }
3649
3650 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3651 torture_skip(tctx,
3652 "Can't test without SMB 3.1.1 signing negotiation support");
3653 }
3654
3655 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3656 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3657 ok = cli_credentials_set_smb_encryption(credentials,
3658 SMB_ENCRYPTION_REQUIRED,
3659 CRED_SPECIFIED);
3660 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3661
3662 options1 = transport0->options;
3663 options1.client_guid = GUID_random();
3664 options1.min_protocol = PROTOCOL_SMB3_11;
3665 options1.max_protocol = PROTOCOL_SMB3_11;
3666 options1.signing = SMB_SIGNING_REQUIRED;
3667 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3668 .num_algos = 1,
3669 .algos = {
3670 SMB2_SIGNING_AES128_CMAC,
3671 },
3672 };
3673
3674 /* same client guid */
3675 options2 = options1;
3676 options2.only_negprot = true;
3677 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3678 .num_algos = 1,
3679 .algos = {
3680 SMB2_SIGNING_AES128_GMAC,
3681 },
3682 };
3683
3684 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3685 credentials,
3686 &options1, &options2,
3687 NT_STATUS_NOT_SUPPORTED);
3688 talloc_free(tree0);
3689 return ret;
3690 }
3691
3692 static bool test_session_bind_negative_smb3signCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3693 {
3694 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3695 struct cli_credentials *credentials = NULL;
3696 bool ret = false;
3697 struct smb2_transport *transport0 = tree0->session->transport;
3698 struct smbcli_options options1;
3699 struct smbcli_options options2;
3700 bool ok;
3701
3702 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3703 torture_skip(tctx,
3704 "Can't test without SMB 3.1.1 support");
3705 }
3706
3707 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3708 torture_skip(tctx,
3709 "Can't test without SMB 3.1.1 signing negotiation support");
3710 }
3711
3712 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3713 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3714 ok = cli_credentials_set_smb_encryption(credentials,
3715 SMB_ENCRYPTION_REQUIRED,
3716 CRED_SPECIFIED);
3717 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3718
3719 options1 = transport0->options;
3720 options1.client_guid = GUID_random();
3721 options1.min_protocol = PROTOCOL_SMB3_11;
3722 options1.max_protocol = PROTOCOL_SMB3_11;
3723 options1.signing = SMB_SIGNING_REQUIRED;
3724 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3725 .num_algos = 1,
3726 .algos = {
3727 SMB2_SIGNING_AES128_CMAC,
3728 },
3729 };
3730
3731 /* different client guid */
3732 options2 = options1;
3733 options2.client_guid = GUID_random();
3734 options2.only_negprot = true;
3735 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3736 .num_algos = 1,
3737 .algos = {
3738 SMB2_SIGNING_AES128_GMAC,
3739 },
3740 };
3741
3742 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3743 credentials,
3744 &options1, &options2,
3745 NT_STATUS_NOT_SUPPORTED);
3746 talloc_free(tree0);
3747 return ret;
3748 }
3749
3750 static bool test_session_bind_negative_smb3signGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3751 {
3752 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3753 struct cli_credentials *credentials = NULL;
3754 bool ret = false;
3755 struct smb2_transport *transport0 = tree0->session->transport;
3756 struct smbcli_options options1;
3757 struct smbcli_options options2;
3758 bool ok;
3759
3760 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3761 torture_skip(tctx,
3762 "Can't test without SMB 3.1.1 support");
3763 }
3764
3765 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3766 torture_skip(tctx,
3767 "Can't test without SMB 3.1.1 signing negotiation support");
3768 }
3769
3770 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3771 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3772 ok = cli_credentials_set_smb_encryption(credentials,
3773 SMB_ENCRYPTION_REQUIRED,
3774 CRED_SPECIFIED);
3775 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3776
3777 options1 = transport0->options;
3778 options1.client_guid = GUID_random();
3779 options1.min_protocol = PROTOCOL_SMB3_11;
3780 options1.max_protocol = PROTOCOL_SMB3_11;
3781 options1.signing = SMB_SIGNING_REQUIRED;
3782 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3783 .num_algos = 1,
3784 .algos = {
3785 SMB2_SIGNING_AES128_GMAC,
3786 },
3787 };
3788
3789 /* same client guid */
3790 options2 = options1;
3791 options2.only_negprot = true;
3792 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3793 .num_algos = 1,
3794 .algos = {
3795 SMB2_SIGNING_AES128_CMAC,
3796 },
3797 };
3798
3799 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3800 credentials,
3801 &options1, &options2,
3802 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3803 talloc_free(tree0);
3804 return ret;
3805 }
3806
3807 static bool test_session_bind_negative_smb3signGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3808 {
3809 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3810 struct cli_credentials *credentials = NULL;
3811 bool ret = false;
3812 struct smb2_transport *transport0 = tree0->session->transport;
3813 struct smbcli_options options1;
3814 struct smbcli_options options2;
3815 bool ok;
3816
3817 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3818 torture_skip(tctx,
3819 "Can't test without SMB 3.1.1 support");
3820 }
3821
3822 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3823 torture_skip(tctx,
3824 "Can't test without SMB 3.1.1 signing negotiation support");
3825 }
3826
3827 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3828 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3829 ok = cli_credentials_set_smb_encryption(credentials,
3830 SMB_ENCRYPTION_REQUIRED,
3831 CRED_SPECIFIED);
3832 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3833
3834 options1 = transport0->options;
3835 options1.client_guid = GUID_random();
3836 options1.min_protocol = PROTOCOL_SMB3_11;
3837 options1.max_protocol = PROTOCOL_SMB3_11;
3838 options1.signing = SMB_SIGNING_REQUIRED;
3839 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3840 .num_algos = 1,
3841 .algos = {
3842 SMB2_SIGNING_AES128_GMAC,
3843 },
3844 };
3845
3846 /* different client guid */
3847 options2 = options1;
3848 options2.client_guid = GUID_random();
3849 options2.only_negprot = true;
3850 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3851 .num_algos = 1,
3852 .algos = {
3853 SMB2_SIGNING_AES128_CMAC,
3854 },
3855 };
3856
3857 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3858 credentials,
3859 &options1, &options2,
3860 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3861 talloc_free(tree0);
3862 return ret;
3863 }
3864
3865 static bool test_session_bind_negative_smb3signGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3866 {
3867 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3868 struct cli_credentials *credentials = NULL;
3869 bool ret = false;
3870 struct smb2_transport *transport0 = tree0->session->transport;
3871 struct smbcli_options options1;
3872 struct smbcli_options options2;
3873 bool ok;
3874
3875 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3876 torture_skip(tctx,
3877 "Can't test without SMB 3.1.1 support");
3878 }
3879
3880 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3881 torture_skip(tctx,
3882 "Can't test without SMB 3.1.1 signing negotiation support");
3883 }
3884
3885 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3886 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3887 ok = cli_credentials_set_smb_encryption(credentials,
3888 SMB_ENCRYPTION_REQUIRED,
3889 CRED_SPECIFIED);
3890 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3891
3892 options1 = transport0->options;
3893 options1.client_guid = GUID_random();
3894 options1.min_protocol = PROTOCOL_SMB3_11;
3895 options1.max_protocol = PROTOCOL_SMB3_11;
3896 options1.signing = SMB_SIGNING_REQUIRED;
3897 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3898 .num_algos = 1,
3899 .algos = {
3900 SMB2_SIGNING_AES128_GMAC,
3901 },
3902 };
3903
3904 /* same client guid */
3905 options2 = options1;
3906 options2.only_negprot = true;
3907 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3908 .num_algos = 1,
3909 .algos = {
3910 SMB2_SIGNING_HMAC_SHA256,
3911 },
3912 };
3913
3914 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3915 credentials,
3916 &options1, &options2,
3917 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3918 talloc_free(tree0);
3919 return ret;
3920 }
3921
3922 static bool test_session_bind_negative_smb3signGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3923 {
3924 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3925 struct cli_credentials *credentials = NULL;
3926 bool ret = false;
3927 struct smb2_transport *transport0 = tree0->session->transport;
3928 struct smbcli_options options1;
3929 struct smbcli_options options2;
3930 bool ok;
3931
3932 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3933 torture_skip(tctx,
3934 "Can't test without SMB 3.1.1 support");
3935 }
3936
3937 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3938 torture_skip(tctx,
3939 "Can't test without SMB 3.1.1 signing negotiation support");
3940 }
3941
3942 credentials = cli_credentials_shallow_copy(tctx, credentials0);
3943 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3944 ok = cli_credentials_set_smb_encryption(credentials,
3945 SMB_ENCRYPTION_REQUIRED,
3946 CRED_SPECIFIED);
3947 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3948
3949 options1 = transport0->options;
3950 options1.client_guid = GUID_random();
3951 options1.min_protocol = PROTOCOL_SMB3_11;
3952 options1.max_protocol = PROTOCOL_SMB3_11;
3953 options1.signing = SMB_SIGNING_REQUIRED;
3954 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3955 .num_algos = 1,
3956 .algos = {
3957 SMB2_SIGNING_AES128_GMAC,
3958 },
3959 };
3960
3961 /* different client guid */
3962 options2 = options1;
3963 options2.client_guid = GUID_random();
3964 options2.only_negprot = true;
3965 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3966 .num_algos = 1,
3967 .algos = {
3968 SMB2_SIGNING_HMAC_SHA256,
3969 },
3970 };
3971
3972 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3973 credentials,
3974 &options1, &options2,
3975 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3976 talloc_free(tree0);
3977 return ret;
3978 }
3979
3980 static bool test_session_bind_negative_smb3sneGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3981 {
3982 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3983 struct cli_credentials *credentials = NULL;
3984 bool ret = false;
3985 struct smb2_transport *transport0 = tree0->session->transport;
3986 struct smbcli_options options1;
3987 struct smbcli_options options2;
3988 bool ok;
3989
3990 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3991 torture_skip(tctx,
3992 "Can't test without SMB 3.1.1 support");
3993 }
3994
3995 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3996 torture_skip(tctx,
3997 "Can't test without SMB 3.1.1 signing negotiation support");
3998 }
3999
4000 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4001 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4002 ok = cli_credentials_set_smb_encryption(credentials,
4003 SMB_ENCRYPTION_REQUIRED,
4004 CRED_SPECIFIED);
4005 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4006
4007 options1 = transport0->options;
4008 options1.client_guid = GUID_random();
4009 options1.min_protocol = PROTOCOL_SMB3_11;
4010 options1.max_protocol = PROTOCOL_SMB3_11;
4011 options1.signing = SMB_SIGNING_REQUIRED;
4012 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4013 .num_algos = 1,
4014 .algos = {
4015 SMB2_SIGNING_AES128_GMAC,
4016 },
4017 };
4018 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4019 .num_algos = 1,
4020 .algos = {
4021 SMB2_ENCRYPTION_AES128_GCM,
4022 },
4023 };
4024
4025 /* same client guid */
4026 options2 = options1;
4027 options2.only_negprot = true;
4028 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4029 .num_algos = 1,
4030 .algos = {
4031 SMB2_SIGNING_AES128_CMAC,
4032 },
4033 };
4034 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4035 .num_algos = 1,
4036 .algos = {
4037 SMB2_ENCRYPTION_AES128_CCM,
4038 },
4039 };
4040
4041 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4042 credentials,
4043 &options1, &options2,
4044 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4045 talloc_free(tree0);
4046 return ret;
4047 }
4048
4049 static bool test_session_bind_negative_smb3sneGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
4050 {
4051 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4052 struct cli_credentials *credentials = NULL;
4053 bool ret = false;
4054 struct smb2_transport *transport0 = tree0->session->transport;
4055 struct smbcli_options options1;
4056 struct smbcli_options options2;
4057 bool ok;
4058
4059 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4060 torture_skip(tctx,
4061 "Can't test without SMB 3.1.1 support");
4062 }
4063
4064 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4065 torture_skip(tctx,
4066 "Can't test without SMB 3.1.1 signing negotiation support");
4067 }
4068
4069 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4070 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4071 ok = cli_credentials_set_smb_encryption(credentials,
4072 SMB_ENCRYPTION_REQUIRED,
4073 CRED_SPECIFIED);
4074 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4075
4076 options1 = transport0->options;
4077 options1.client_guid = GUID_random();
4078 options1.min_protocol = PROTOCOL_SMB3_11;
4079 options1.max_protocol = PROTOCOL_SMB3_11;
4080 options1.signing = SMB_SIGNING_REQUIRED;
4081 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4082 .num_algos = 1,
4083 .algos = {
4084 SMB2_SIGNING_AES128_GMAC,
4085 },
4086 };
4087 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4088 .num_algos = 1,
4089 .algos = {
4090 SMB2_ENCRYPTION_AES128_GCM,
4091 },
4092 };
4093
4094 /* different client guid */
4095 options2 = options1;
4096 options2.client_guid = GUID_random();
4097 options2.only_negprot = true;
4098 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4099 .num_algos = 1,
4100 .algos = {
4101 SMB2_SIGNING_AES128_CMAC,
4102 },
4103 };
4104 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4105 .num_algos = 1,
4106 .algos = {
4107 SMB2_ENCRYPTION_AES128_CCM,
4108 },
4109 };
4110
4111 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4112 credentials,
4113 &options1, &options2,
4114 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4115 talloc_free(tree0);
4116 return ret;
4117 }
4118
4119 static bool test_session_bind_negative_smb3sneGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
4120 {
4121 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4122 struct cli_credentials *credentials = NULL;
4123 bool ret = false;
4124 struct smb2_transport *transport0 = tree0->session->transport;
4125 struct smbcli_options options1;
4126 struct smbcli_options options2;
4127 bool ok;
4128
4129 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4130 torture_skip(tctx,
4131 "Can't test without SMB 3.1.1 support");
4132 }
4133
4134 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4135 torture_skip(tctx,
4136 "Can't test without SMB 3.1.1 signing negotiation support");
4137 }
4138
4139 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4140 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4141 ok = cli_credentials_set_smb_encryption(credentials,
4142 SMB_ENCRYPTION_REQUIRED,
4143 CRED_SPECIFIED);
4144 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4145
4146 options1 = transport0->options;
4147 options1.client_guid = GUID_random();
4148 options1.min_protocol = PROTOCOL_SMB3_11;
4149 options1.max_protocol = PROTOCOL_SMB3_11;
4150 options1.signing = SMB_SIGNING_REQUIRED;
4151 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4152 .num_algos = 1,
4153 .algos = {
4154 SMB2_SIGNING_AES128_GMAC,
4155 },
4156 };
4157 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4158 .num_algos = 1,
4159 .algos = {
4160 SMB2_ENCRYPTION_AES128_GCM,
4161 },
4162 };
4163
4164 /* same client guid */
4165 options2 = options1;
4166 options2.only_negprot = true;
4167 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4168 .num_algos = 1,
4169 .algos = {
4170 SMB2_SIGNING_HMAC_SHA256,
4171 },
4172 };
4173 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4174 .num_algos = 1,
4175 .algos = {
4176 SMB2_ENCRYPTION_AES128_CCM,
4177 },
4178 };
4179
4180 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4181 credentials,
4182 &options1, &options2,
4183 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4184 talloc_free(tree0);
4185 return ret;
4186 }
4187
4188 static bool test_session_bind_negative_smb3sneGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
4189 {
4190 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4191 struct cli_credentials *credentials = NULL;
4192 bool ret = false;
4193 struct smb2_transport *transport0 = tree0->session->transport;
4194 struct smbcli_options options1;
4195 struct smbcli_options options2;
4196 bool ok;
4197
4198 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4199 torture_skip(tctx,
4200 "Can't test without SMB 3.1.1 support");
4201 }
4202
4203 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4204 torture_skip(tctx,
4205 "Can't test without SMB 3.1.1 signing negotiation support");
4206 }
4207
4208 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4209 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4210 ok = cli_credentials_set_smb_encryption(credentials,
4211 SMB_ENCRYPTION_REQUIRED,
4212 CRED_SPECIFIED);
4213 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4214
4215 options1 = transport0->options;
4216 options1.client_guid = GUID_random();
4217 options1.min_protocol = PROTOCOL_SMB3_11;
4218 options1.max_protocol = PROTOCOL_SMB3_11;
4219 options1.signing = SMB_SIGNING_REQUIRED;
4220 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4221 .num_algos = 1,
4222 .algos = {
4223 SMB2_SIGNING_AES128_GMAC,
4224 },
4225 };
4226 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4227 .num_algos = 1,
4228 .algos = {
4229 SMB2_ENCRYPTION_AES128_GCM,
4230 },
4231 };
4232
4233 /* different client guid */
4234 options2 = options1;
4235 options2.client_guid = GUID_random();
4236 options2.only_negprot = true;
4237 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4238 .num_algos = 1,
4239 .algos = {
4240 SMB2_SIGNING_HMAC_SHA256,
4241 },
4242 };
4243 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4244 .num_algos = 1,
4245 .algos = {
4246 SMB2_ENCRYPTION_AES128_CCM,
4247 },
4248 };
4249
4250 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4251 credentials,
4252 &options1, &options2,
4253 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4254 talloc_free(tree0);
4255 return ret;
4256 }
4257
4258 static bool test_session_bind_negative_smb3sneCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4259 {
4260 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4261 struct cli_credentials *credentials = NULL;
4262 bool ret = false;
4263 struct smb2_transport *transport0 = tree0->session->transport;
4264 struct smbcli_options options1;
4265 struct smbcli_options options2;
4266 bool ok;
4267
4268 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4269 torture_skip(tctx,
4270 "Can't test without SMB 3.1.1 support");
4271 }
4272
4273 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4274 torture_skip(tctx,
4275 "Can't test without SMB 3.1.1 signing negotiation support");
4276 }
4277
4278 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4279 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4280 ok = cli_credentials_set_smb_encryption(credentials,
4281 SMB_ENCRYPTION_REQUIRED,
4282 CRED_SPECIFIED);
4283 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4284
4285 options1 = transport0->options;
4286 options1.client_guid = GUID_random();
4287 options1.min_protocol = PROTOCOL_SMB3_11;
4288 options1.max_protocol = PROTOCOL_SMB3_11;
4289 options1.signing = SMB_SIGNING_REQUIRED;
4290 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4291 .num_algos = 1,
4292 .algos = {
4293 SMB2_SIGNING_AES128_CMAC,
4294 },
4295 };
4296 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4297 .num_algos = 1,
4298 .algos = {
4299 SMB2_ENCRYPTION_AES128_CCM,
4300 },
4301 };
4302
4303 /* same client guid */
4304 options2 = options1;
4305 options2.only_negprot = true;
4306 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4307 .num_algos = 1,
4308 .algos = {
4309 SMB2_SIGNING_AES128_GMAC,
4310 },
4311 };
4312 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4313 .num_algos = 1,
4314 .algos = {
4315 SMB2_ENCRYPTION_AES128_GCM,
4316 },
4317 };
4318
4319 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4320 credentials,
4321 &options1, &options2,
4322 NT_STATUS_NOT_SUPPORTED);
4323 talloc_free(tree0);
4324 return ret;
4325 }
4326
4327 static bool test_session_bind_negative_smb3sneCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4328 {
4329 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4330 struct cli_credentials *credentials = NULL;
4331 bool ret = false;
4332 struct smb2_transport *transport0 = tree0->session->transport;
4333 struct smbcli_options options1;
4334 struct smbcli_options options2;
4335 bool ok;
4336
4337 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4338 torture_skip(tctx,
4339 "Can't test without SMB 3.1.1 support");
4340 }
4341
4342 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4343 torture_skip(tctx,
4344 "Can't test without SMB 3.1.1 signing negotiation support");
4345 }
4346
4347 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4348 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4349 ok = cli_credentials_set_smb_encryption(credentials,
4350 SMB_ENCRYPTION_REQUIRED,
4351 CRED_SPECIFIED);
4352 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4353
4354 options1 = transport0->options;
4355 options1.client_guid = GUID_random();
4356 options1.min_protocol = PROTOCOL_SMB3_11;
4357 options1.max_protocol = PROTOCOL_SMB3_11;
4358 options1.signing = SMB_SIGNING_REQUIRED;
4359 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4360 .num_algos = 1,
4361 .algos = {
4362 SMB2_SIGNING_AES128_CMAC,
4363 },
4364 };
4365 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4366 .num_algos = 1,
4367 .algos = {
4368 SMB2_ENCRYPTION_AES128_CCM,
4369 },
4370 };
4371
4372 /* different client guid */
4373 options2 = options1;
4374 options2.client_guid = GUID_random();
4375 options2.only_negprot = true;
4376 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4377 .num_algos = 1,
4378 .algos = {
4379 SMB2_SIGNING_AES128_GMAC,
4380 },
4381 };
4382 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4383 .num_algos = 1,
4384 .algos = {
4385 SMB2_ENCRYPTION_AES128_GCM,
4386 },
4387 };
4388
4389 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4390 credentials,
4391 &options1, &options2,
4392 NT_STATUS_NOT_SUPPORTED);
4393 talloc_free(tree0);
4394 return ret;
4395 }
4396
4397 static bool test_session_bind_negative_smb3sneHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4398 {
4399 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4400 struct cli_credentials *credentials = NULL;
4401 bool ret = false;
4402 struct smb2_transport *transport0 = tree0->session->transport;
4403 struct smbcli_options options1;
4404 struct smbcli_options options2;
4405 bool ok;
4406
4407 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4408 torture_skip(tctx,
4409 "Can't test without SMB 3.1.1 support");
4410 }
4411
4412 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4413 torture_skip(tctx,
4414 "Can't test without SMB 3.1.1 signing negotiation support");
4415 }
4416
4417 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4418 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4419 ok = cli_credentials_set_smb_encryption(credentials,
4420 SMB_ENCRYPTION_REQUIRED,
4421 CRED_SPECIFIED);
4422 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4423
4424 options1 = transport0->options;
4425 options1.client_guid = GUID_random();
4426 options1.min_protocol = PROTOCOL_SMB3_11;
4427 options1.max_protocol = PROTOCOL_SMB3_11;
4428 options1.signing = SMB_SIGNING_REQUIRED;
4429 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4430 .num_algos = 1,
4431 .algos = {
4432 SMB2_SIGNING_HMAC_SHA256,
4433 },
4434 };
4435 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4436 .num_algos = 1,
4437 .algos = {
4438 SMB2_ENCRYPTION_AES128_CCM,
4439 },
4440 };
4441
4442 /* same client guid */
4443 options2 = options1;
4444 options2.only_negprot = true;
4445 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4446 .num_algos = 1,
4447 .algos = {
4448 SMB2_SIGNING_AES128_GMAC,
4449 },
4450 };
4451 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4452 .num_algos = 1,
4453 .algos = {
4454 SMB2_ENCRYPTION_AES128_GCM,
4455 },
4456 };
4457
4458 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4459 credentials,
4460 &options1, &options2,
4461 NT_STATUS_NOT_SUPPORTED);
4462 talloc_free(tree0);
4463 return ret;
4464 }
4465
4466 static bool test_session_bind_negative_smb3sneHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4467 {
4468 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4469 struct cli_credentials *credentials = NULL;
4470 bool ret = false;
4471 struct smb2_transport *transport0 = tree0->session->transport;
4472 struct smbcli_options options1;
4473 struct smbcli_options options2;
4474 bool ok;
4475
4476 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4477 torture_skip(tctx,
4478 "Can't test without SMB 3.1.1 support");
4479 }
4480
4481 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4482 torture_skip(tctx,
4483 "Can't test without SMB 3.1.1 signing negotiation support");
4484 }
4485
4486 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4487 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4488 ok = cli_credentials_set_smb_encryption(credentials,
4489 SMB_ENCRYPTION_REQUIRED,
4490 CRED_SPECIFIED);
4491 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4492
4493 options1 = transport0->options;
4494 options1.client_guid = GUID_random();
4495 options1.min_protocol = PROTOCOL_SMB3_11;
4496 options1.max_protocol = PROTOCOL_SMB3_11;
4497 options1.signing = SMB_SIGNING_REQUIRED;
4498 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4499 .num_algos = 1,
4500 .algos = {
4501 SMB2_SIGNING_HMAC_SHA256,
4502 },
4503 };
4504 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4505 .num_algos = 1,
4506 .algos = {
4507 SMB2_ENCRYPTION_AES128_CCM,
4508 },
4509 };
4510
4511 /* different client guid */
4512 options2 = options1;
4513 options2.client_guid = GUID_random();
4514 options2.only_negprot = true;
4515 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4516 .num_algos = 1,
4517 .algos = {
4518 SMB2_SIGNING_AES128_GMAC,
4519 },
4520 };
4521 options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4522 .num_algos = 1,
4523 .algos = {
4524 SMB2_ENCRYPTION_AES128_GCM,
4525 },
4526 };
4527
4528 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4529 credentials,
4530 &options1, &options2,
4531 NT_STATUS_NOT_SUPPORTED);
4532 talloc_free(tree0);
4533 return ret;
4534 }
4535
4536 static bool test_session_bind_negative_smb3signC30toGs(struct torture_context *tctx, struct smb2_tree *tree0)
4537 {
4538 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4539 struct cli_credentials *credentials = NULL;
4540 bool ret = false;
4541 struct smb2_transport *transport0 = tree0->session->transport;
4542 struct smbcli_options options1;
4543 struct smbcli_options options2;
4544 bool ok;
4545
4546 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4547 torture_skip(tctx,
4548 "Can't test without SMB 3.1.1 support");
4549 }
4550
4551 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4552 torture_skip(tctx,
4553 "Can't test without SMB 3.1.1 signing negotiation support");
4554 }
4555
4556 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4557 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4558 ok = cli_credentials_set_smb_encryption(credentials,
4559 SMB_ENCRYPTION_REQUIRED,
4560 CRED_SPECIFIED);
4561 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4562
4563 options1 = transport0->options;
4564 options1.client_guid = GUID_random();
4565 options1.min_protocol = PROTOCOL_SMB3_00;
4566 options1.max_protocol = PROTOCOL_SMB3_02;
4567 options1.signing = SMB_SIGNING_REQUIRED;
4568
4569 /* same client guid */
4570 options2 = options1;
4571 options2.only_negprot = true;
4572 options2.min_protocol = PROTOCOL_SMB3_11;
4573 options2.max_protocol = PROTOCOL_SMB3_11;
4574 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4575 .num_algos = 1,
4576 .algos = {
4577 SMB2_SIGNING_AES128_GMAC,
4578 },
4579 };
4580
4581 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4582 credentials,
4583 &options1, &options2,
4584 NT_STATUS_NOT_SUPPORTED);
4585 talloc_free(tree0);
4586 return ret;
4587 }
4588
4589 static bool test_session_bind_negative_smb3signC30toGd(struct torture_context *tctx, struct smb2_tree *tree0)
4590 {
4591 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4592 struct cli_credentials *credentials = NULL;
4593 bool ret = false;
4594 struct smb2_transport *transport0 = tree0->session->transport;
4595 struct smbcli_options options1;
4596 struct smbcli_options options2;
4597 bool ok;
4598
4599 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4600 torture_skip(tctx,
4601 "Can't test without SMB 3.1.1 support");
4602 }
4603
4604 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4605 torture_skip(tctx,
4606 "Can't test without SMB 3.1.1 signing negotiation support");
4607 }
4608
4609 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4610 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4611 ok = cli_credentials_set_smb_encryption(credentials,
4612 SMB_ENCRYPTION_REQUIRED,
4613 CRED_SPECIFIED);
4614 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4615
4616 options1 = transport0->options;
4617 options1.client_guid = GUID_random();
4618 options1.min_protocol = PROTOCOL_SMB3_00;
4619 options1.max_protocol = PROTOCOL_SMB3_02;
4620 options1.signing = SMB_SIGNING_REQUIRED;
4621
4622 /* different client guid */
4623 options2 = options1;
4624 options2.client_guid = GUID_random();
4625 options2.only_negprot = true;
4626 options2.min_protocol = PROTOCOL_SMB3_11;
4627 options2.max_protocol = PROTOCOL_SMB3_11;
4628 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4629 .num_algos = 1,
4630 .algos = {
4631 SMB2_SIGNING_AES128_GMAC,
4632 },
4633 };
4634
4635 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4636 credentials,
4637 &options1, &options2,
4638 NT_STATUS_NOT_SUPPORTED);
4639 talloc_free(tree0);
4640 return ret;
4641 }
4642
4643 static bool test_session_bind_negative_smb3signH2XtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4644 {
4645 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4646 struct cli_credentials *credentials = NULL;
4647 bool ret = false;
4648 struct smb2_transport *transport0 = tree0->session->transport;
4649 struct smbcli_options options1;
4650 struct smbcli_options options2;
4651 bool ok;
4652 bool encrypted;
4653
4654 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4655 if (encrypted) {
4656 torture_skip(tctx,
4657 "Can't test SMB 2.10 if encryption is required");
4658 }
4659
4660 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4661 torture_skip(tctx,
4662 "Can't test without SMB 3.1.1 support");
4663 }
4664
4665 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4666 torture_skip(tctx,
4667 "Can't test without SMB 3.1.1 signing negotiation support");
4668 }
4669
4670 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4671 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4672 ok = cli_credentials_set_smb_encryption(credentials,
4673 SMB_ENCRYPTION_OFF,
4674 CRED_SPECIFIED);
4675 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4676
4677 options1 = transport0->options;
4678 options1.client_guid = GUID_random();
4679 options1.min_protocol = PROTOCOL_SMB2_02;
4680 options1.max_protocol = PROTOCOL_SMB2_10;
4681 options1.signing = SMB_SIGNING_REQUIRED;
4682
4683 /* same client guid */
4684 options2 = options1;
4685 options2.only_negprot = true;
4686 options2.min_protocol = PROTOCOL_SMB3_11;
4687 options2.max_protocol = PROTOCOL_SMB3_11;
4688 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4689 .num_algos = 1,
4690 .algos = {
4691 SMB2_SIGNING_AES128_GMAC,
4692 },
4693 };
4694
4695 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4696 credentials,
4697 &options1, &options2,
4698 NT_STATUS_NOT_SUPPORTED);
4699 talloc_free(tree0);
4700 return ret;
4701 }
4702
4703 static bool test_session_bind_negative_smb3signH2XtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4704 {
4705 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4706 struct cli_credentials *credentials = NULL;
4707 bool ret = false;
4708 struct smb2_transport *transport0 = tree0->session->transport;
4709 struct smbcli_options options1;
4710 struct smbcli_options options2;
4711 bool ok;
4712 bool encrypted;
4713
4714 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4715 if (encrypted) {
4716 torture_skip(tctx,
4717 "Can't test SMB 2.10 if encryption is required");
4718 }
4719
4720 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4721 torture_skip(tctx,
4722 "Can't test without SMB 3.1.1 support");
4723 }
4724
4725 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4726 torture_skip(tctx,
4727 "Can't test without SMB 3.1.1 signing negotiation support");
4728 }
4729
4730 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4731 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4732 ok = cli_credentials_set_smb_encryption(credentials,
4733 SMB_ENCRYPTION_OFF,
4734 CRED_SPECIFIED);
4735 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4736
4737 options1 = transport0->options;
4738 options1.client_guid = GUID_random();
4739 options1.min_protocol = PROTOCOL_SMB2_02;
4740 options1.max_protocol = PROTOCOL_SMB2_10;
4741 options1.signing = SMB_SIGNING_REQUIRED;
4742
4743 /* different client guid */
4744 options2 = options1;
4745 options2.client_guid = GUID_random();
4746 options2.only_negprot = true;
4747 options2.min_protocol = PROTOCOL_SMB3_11;
4748 options2.max_protocol = PROTOCOL_SMB3_11;
4749 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4750 .num_algos = 1,
4751 .algos = {
4752 SMB2_SIGNING_AES128_GMAC,
4753 },
4754 };
4755
4756 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4757 credentials,
4758 &options1, &options2,
4759 NT_STATUS_NOT_SUPPORTED);
4760 talloc_free(tree0);
4761 return ret;
4762 }
4763
4764 static bool test_session_bind_negative_smb3signGtoC30s(struct torture_context *tctx, struct smb2_tree *tree0)
4765 {
4766 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4767 struct cli_credentials *credentials = NULL;
4768 bool ret = false;
4769 struct smb2_transport *transport0 = tree0->session->transport;
4770 struct smbcli_options options1;
4771 struct smbcli_options options2;
4772 bool ok;
4773
4774 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4775 torture_skip(tctx,
4776 "Can't test without SMB 3.1.1 support");
4777 }
4778
4779 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4780 torture_skip(tctx,
4781 "Can't test without SMB 3.1.1 signing negotiation support");
4782 }
4783
4784 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4785 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4786 ok = cli_credentials_set_smb_encryption(credentials,
4787 SMB_ENCRYPTION_REQUIRED,
4788 CRED_SPECIFIED);
4789 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4790
4791 options1 = transport0->options;
4792 options1.client_guid = GUID_random();
4793 options1.min_protocol = PROTOCOL_SMB3_11;
4794 options1.max_protocol = PROTOCOL_SMB3_11;
4795 options1.signing = SMB_SIGNING_REQUIRED;
4796 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4797 .num_algos = 1,
4798 .algos = {
4799 SMB2_SIGNING_AES128_GMAC,
4800 },
4801 };
4802
4803 /* same client guid */
4804 options2 = options1;
4805 options2.only_negprot = true;
4806 options2.min_protocol = PROTOCOL_SMB3_00;
4807 options2.max_protocol = PROTOCOL_SMB3_02;
4808 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4809 .num_algos = 1,
4810 .algos = {
4811 SMB2_SIGNING_AES128_CMAC,
4812 },
4813 };
4814
4815 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4816 credentials,
4817 &options1, &options2,
4818 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4819 talloc_free(tree0);
4820 return ret;
4821 }
4822
4823 static bool test_session_bind_negative_smb3signGtoC30d(struct torture_context *tctx, struct smb2_tree *tree0)
4824 {
4825 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4826 struct cli_credentials *credentials = NULL;
4827 bool ret = false;
4828 struct smb2_transport *transport0 = tree0->session->transport;
4829 struct smbcli_options options1;
4830 struct smbcli_options options2;
4831 bool ok;
4832
4833 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4834 torture_skip(tctx,
4835 "Can't test without SMB 3.1.1 support");
4836 }
4837
4838 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4839 torture_skip(tctx,
4840 "Can't test without SMB 3.1.1 signing negotiation support");
4841 }
4842
4843 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4844 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4845 ok = cli_credentials_set_smb_encryption(credentials,
4846 SMB_ENCRYPTION_REQUIRED,
4847 CRED_SPECIFIED);
4848 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4849
4850 options1 = transport0->options;
4851 options1.client_guid = GUID_random();
4852 options1.min_protocol = PROTOCOL_SMB3_11;
4853 options1.max_protocol = PROTOCOL_SMB3_11;
4854 options1.signing = SMB_SIGNING_REQUIRED;
4855 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4856 .num_algos = 1,
4857 .algos = {
4858 SMB2_SIGNING_AES128_GMAC,
4859 },
4860 };
4861
4862 /* different client guid */
4863 options2 = options1;
4864 options2.client_guid = GUID_random();
4865 options2.only_negprot = true;
4866 options2.min_protocol = PROTOCOL_SMB3_00;
4867 options2.max_protocol = PROTOCOL_SMB3_02;
4868 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4869 .num_algos = 1,
4870 .algos = {
4871 SMB2_SIGNING_AES128_CMAC,
4872 },
4873 };
4874
4875 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4876 credentials,
4877 &options1, &options2,
4878 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4879 talloc_free(tree0);
4880 return ret;
4881 }
4882
4883 static bool test_session_bind_negative_smb3signGtoH2Xs(struct torture_context *tctx, struct smb2_tree *tree0)
4884 {
4885 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4886 struct cli_credentials *credentials = NULL;
4887 bool ret = false;
4888 struct smb2_transport *transport0 = tree0->session->transport;
4889 struct smbcli_options options1;
4890 struct smbcli_options options2;
4891 bool ok;
4892 bool encrypted;
4893
4894 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4895 if (encrypted) {
4896 torture_skip(tctx,
4897 "Can't test SMB 2.10 if encryption is required");
4898 }
4899
4900 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4901 torture_skip(tctx,
4902 "Can't test without SMB 3.1.1 support");
4903 }
4904
4905 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4906 torture_skip(tctx,
4907 "Can't test without SMB 3.1.1 signing negotiation support");
4908 }
4909
4910 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4911 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4912 ok = cli_credentials_set_smb_encryption(credentials,
4913 SMB_ENCRYPTION_REQUIRED,
4914 CRED_SPECIFIED);
4915 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4916
4917 options1 = transport0->options;
4918 options1.client_guid = GUID_random();
4919 options1.min_protocol = PROTOCOL_SMB3_11;
4920 options1.max_protocol = PROTOCOL_SMB3_11;
4921 options1.signing = SMB_SIGNING_REQUIRED;
4922 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4923 .num_algos = 1,
4924 .algos = {
4925 SMB2_SIGNING_AES128_GMAC,
4926 },
4927 };
4928
4929 /* same client guid */
4930 options2 = options1;
4931 options2.only_negprot = true;
4932 options2.min_protocol = PROTOCOL_SMB2_02;
4933 options2.max_protocol = PROTOCOL_SMB2_10;
4934 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4935 .num_algos = 1,
4936 .algos = {
4937 SMB2_SIGNING_HMAC_SHA256,
4938 },
4939 };
4940
4941 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4942 credentials,
4943 &options1, &options2,
4944 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4945 talloc_free(tree0);
4946 return ret;
4947 }
4948
4949 static bool test_session_bind_negative_smb3signGtoH2Xd(struct torture_context *tctx, struct smb2_tree *tree0)
4950 {
4951 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4952 struct cli_credentials *credentials = NULL;
4953 bool ret = false;
4954 struct smb2_transport *transport0 = tree0->session->transport;
4955 struct smbcli_options options1;
4956 struct smbcli_options options2;
4957 bool ok;
4958 bool encrypted;
4959
4960 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4961 if (encrypted) {
4962 torture_skip(tctx,
4963 "Can't test SMB 2.10 if encryption is required");
4964 }
4965
4966 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4967 torture_skip(tctx,
4968 "Can't test without SMB 3.1.1 support");
4969 }
4970
4971 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4972 torture_skip(tctx,
4973 "Can't test without SMB 3.1.1 signing negotiation support");
4974 }
4975
4976 credentials = cli_credentials_shallow_copy(tctx, credentials0);
4977 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4978 ok = cli_credentials_set_smb_encryption(credentials,
4979 SMB_ENCRYPTION_REQUIRED,
4980 CRED_SPECIFIED);
4981 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4982
4983 options1 = transport0->options;
4984 options1.client_guid = GUID_random();
4985 options1.min_protocol = PROTOCOL_SMB3_11;
4986 options1.max_protocol = PROTOCOL_SMB3_11;
4987 options1.signing = SMB_SIGNING_REQUIRED;
4988 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4989 .num_algos = 1,
4990 .algos = {
4991 SMB2_SIGNING_AES128_GMAC,
4992 },
4993 };
4994
4995 /* different client guid */
4996 options2 = options1;
4997 options2.client_guid = GUID_random();
4998 options2.only_negprot = true;
4999 options2.min_protocol = PROTOCOL_SMB2_02;
5000 options2.max_protocol = PROTOCOL_SMB2_10;
5001 options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5002 .num_algos = 1,
5003 .algos = {
5004 SMB2_SIGNING_HMAC_SHA256,
5005 },
5006 };
5007
5008 ret = test_session_bind_negative_smbXtoX(tctx, __func__,
5009 credentials,
5010 &options1, &options2,
5011 NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
5012 talloc_free(tree0);
5013 return ret;
5014 }
5015
5016 static bool test_session_two_logoff(struct torture_context *tctx,
5017 struct smb2_tree *tree1)
5018 {
5019 NTSTATUS status;
5020 bool ret = true;
5021 struct smbcli_options transport2_options;
5022 struct smb2_tree *tree2 = NULL;
5023 struct smb2_session *session2 = NULL;
5024 struct smb2_session *session1 = tree1->session;
5025 struct smb2_transport *transport1 = tree1->session->transport;
5026 struct smb2_transport *transport2;
5027 bool ok;
5028
5029 /* Connect 2nd connection */
5030 torture_comment(tctx, "connect tree2 with the same client_guid\n");
5031 transport2_options = transport1->options;
5032 ok = torture_smb2_connection_ext(tctx, 0, &transport2_options, &tree2);
5033 torture_assert(tctx, ok, "couldn't connect tree2\n");
5034 transport2 = tree2->session->transport;
5035 session2 = tree2->session;
5036
5037 torture_comment(tctx, "session2: logoff\n");
5038 status = smb2_logoff(session2);
5039 torture_assert_ntstatus_ok(tctx, status, "session2: logoff");
5040 torture_comment(tctx, "transport2: keepalive\n");
5041 status = smb2_keepalive(transport2);
5042 torture_assert_ntstatus_ok(tctx, status, "transport2: keepalive");
5043 torture_comment(tctx, "transport2: disconnect\n");
5044 TALLOC_FREE(tree2);
5045
5046 torture_comment(tctx, "session1: logoff\n");
5047 status = smb2_logoff(session1);
5048 torture_assert_ntstatus_ok(tctx, status, "session1: logoff");
5049 torture_comment(tctx, "transport1: keepalive\n");
5050 status = smb2_keepalive(transport1);
5051 torture_assert_ntstatus_ok(tctx, status, "transport1: keepalive");
5052 torture_comment(tctx, "transport1: disconnect\n");
5053 TALLOC_FREE(tree1);
5054
5055 return ret;
5056 }
5057
5058 static bool test_session_sign_enc(struct torture_context *tctx,
5059 const char *testname,
5060 struct cli_credentials *credentials1,
5061 const struct smbcli_options *options1)
5062 {
5063 const char *host = torture_setting_string(tctx, "host", NULL);
5064 const char *share = torture_setting_string(tctx, "share", NULL);
5065 NTSTATUS status;
5066 bool ret = false;
5067 struct smb2_tree *tree1 = NULL;
5068 char fname[256];
5069 struct smb2_handle rh = {{0}};
5070 struct smb2_handle _h1;
5071 struct smb2_handle *h1 = NULL;
5072 struct smb2_create io1;
5073 union smb_fileinfo qfinfo1;
5074 union smb_notify notify;
5075 struct smb2_request *req = NULL;
5076
5077 status = smb2_connect(tctx,
5078 host,
5079 lpcfg_smb_ports(tctx->lp_ctx),
5080 share,
5081 lpcfg_resolve_context(tctx->lp_ctx),
5082 credentials1,
5083 &tree1,
5084 tctx->ev,
5085 options1,
5086 lpcfg_socket_options(tctx->lp_ctx),
5087 lpcfg_gensec_settings(tctx, tctx->lp_ctx)
5088 );
5089 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5090 "smb2_connect options1 failed");
5091
5092 status = smb2_util_roothandle(tree1, &rh);
5093 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5094 "smb2_util_roothandle failed");
5095
5096 /* Add some random component to the file name. */
5097 snprintf(fname, sizeof(fname), "%s_%s.dat",
5098 testname, generate_random_str(tctx, 8));
5099
5100 smb2_util_unlink(tree1, fname);
5101
5102 smb2_oplock_create_share(&io1, fname,
5103 smb2_util_share_access(""),
5104 smb2_util_oplock_level("b"));
5105
5106 io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
5107 status = smb2_create(tree1, tctx, &io1);
5108 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5109 "smb2_create failed");
5110 _h1 = io1.out.file.handle;
5111 h1 = &_h1;
5112 CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
5113 torture_assert_int_equal(tctx, io1.out.oplock_level,
5114 smb2_util_oplock_level("b"),
5115 "oplock_level incorrect");
5116
5117 /* Check the initial session is still alive */
5118 ZERO_STRUCT(qfinfo1);
5119 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5120 qfinfo1.generic.in.file.handle = _h1;
5121 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5122 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5123 "smb2_getinfo_file failed");
5124
5125 /* ask for a change notify,
5126 on file or directory name changes */
5127 ZERO_STRUCT(notify);
5128 notify.smb2.level = RAW_NOTIFY_SMB2;
5129 notify.smb2.in.buffer_size = 1000;
5130 notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
5131 notify.smb2.in.file.handle = rh;
5132 notify.smb2.in.recursive = true;
5133
5134 req = smb2_notify_send(tree1, &(notify.smb2));
5135 WAIT_FOR_ASYNC_RESPONSE(req);
5136
5137 status = smb2_cancel(req);
5138 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5139 "smb2_cancel failed");
5140
5141 status = smb2_notify_recv(req, tctx, &(notify.smb2));
5142 torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_CANCELLED,
5143 ret, done,
5144 "smb2_notify_recv failed");
5145
5146 /* Check the initial session is still alive */
5147 ZERO_STRUCT(qfinfo1);
5148 qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5149 qfinfo1.generic.in.file.handle = _h1;
5150 status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5151 torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5152 "smb2_getinfo_file failed");
5153
5154 ret = true;
5155 done:
5156 if (h1 != NULL) {
5157 smb2_util_close(tree1, *h1);
5158 }
5159 TALLOC_FREE(tree1);
5160
5161 return ret;
5162 }
5163
5164 static bool test_session_signing_hmac_sha_256(struct torture_context *tctx, struct smb2_tree *tree0)
5165 {
5166 struct cli_credentials *credentials = samba_cmdline_get_creds();
5167 bool ret = false;
5168 struct smb2_transport *transport0 = tree0->session->transport;
5169 struct smbcli_options options1;
5170 bool encrypted;
5171
5172 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5173 if (encrypted) {
5174 torture_skip(tctx,
5175 "Can't test signing only if encryption is required");
5176 }
5177
5178 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5179 torture_skip(tctx,
5180 "Can't test without SMB 3.1.1 support");
5181 }
5182
5183 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5184 torture_skip(tctx,
5185 "Can't test without SMB 3.1.1 signing negotiation support");
5186 }
5187
5188 options1 = transport0->options;
5189 options1.client_guid = GUID_random();
5190 options1.min_protocol = PROTOCOL_SMB3_11;
5191 options1.max_protocol = PROTOCOL_SMB3_11;
5192 options1.signing = SMB_SIGNING_REQUIRED;
5193 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5194 .num_algos = 1,
5195 .algos = {
5196 SMB2_SIGNING_HMAC_SHA256,
5197 },
5198 };
5199
5200 ret = test_session_sign_enc(tctx,
5201 __func__,
5202 credentials,
5203 &options1);
5204 TALLOC_FREE(tree0);
5205 return ret;
5206 }
5207
5208 static bool test_session_signing_aes_128_cmac(struct torture_context *tctx, struct smb2_tree *tree0)
5209 {
5210 struct cli_credentials *credentials = samba_cmdline_get_creds();
5211 bool ret = false;
5212 struct smb2_transport *transport0 = tree0->session->transport;
5213 struct smbcli_options options1;
5214 bool encrypted;
5215
5216 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5217 if (encrypted) {
5218 torture_skip(tctx,
5219 "Can't test signing only if encryption is required");
5220 }
5221
5222 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5223 torture_skip(tctx,
5224 "Can't test without SMB 3.1.1 support");
5225 }
5226
5227 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5228 torture_skip(tctx,
5229 "Can't test without SMB 3.1.1 signing negotiation support");
5230 }
5231
5232 options1 = transport0->options;
5233 options1.client_guid = GUID_random();
5234 options1.min_protocol = PROTOCOL_SMB3_11;
5235 options1.max_protocol = PROTOCOL_SMB3_11;
5236 options1.signing = SMB_SIGNING_REQUIRED;
5237 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5238 .num_algos = 1,
5239 .algos = {
5240 SMB2_SIGNING_AES128_CMAC,
5241 },
5242 };
5243
5244 ret = test_session_sign_enc(tctx,
5245 __func__,
5246 credentials,
5247 &options1);
5248 TALLOC_FREE(tree0);
5249 return ret;
5250 }
5251
5252 static bool test_session_signing_aes_128_gmac(struct torture_context *tctx, struct smb2_tree *tree0)
5253 {
5254 struct cli_credentials *credentials = samba_cmdline_get_creds();
5255 bool ret = false;
5256 struct smb2_transport *transport0 = tree0->session->transport;
5257 struct smbcli_options options1;
5258 bool encrypted;
5259
5260 encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5261 if (encrypted) {
5262 torture_skip(tctx,
5263 "Can't test signing only if encryption is required");
5264 }
5265
5266 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5267 torture_skip(tctx,
5268 "Can't test without SMB 3.1.1 support");
5269 }
5270
5271 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5272 torture_skip(tctx,
5273 "Can't test without SMB 3.1.1 signing negotiation support");
5274 }
5275
5276 options1 = transport0->options;
5277 options1.client_guid = GUID_random();
5278 options1.min_protocol = PROTOCOL_SMB3_11;
5279 options1.max_protocol = PROTOCOL_SMB3_11;
5280 options1.signing = SMB_SIGNING_REQUIRED;
5281 options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5282 .num_algos = 1,
5283 .algos = {
5284 SMB2_SIGNING_AES128_GMAC,
5285 },
5286 };
5287
5288 ret = test_session_sign_enc(tctx,
5289 __func__,
5290 credentials,
5291 &options1);
5292 TALLOC_FREE(tree0);
5293 return ret;
5294 }
5295
5296 static bool test_session_encryption_aes_128_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5297 {
5298 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5299 struct cli_credentials *credentials = NULL;
5300 bool ret = false;
5301 struct smb2_transport *transport0 = tree0->session->transport;
5302 struct smbcli_options options1;
5303 bool ok;
5304
5305 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5306 torture_skip(tctx,
5307 "Can't test without SMB 3.1.1 support");
5308 }
5309
5310 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5311 torture_skip(tctx,
5312 "Can't test without SMB 3.1.1 signing negotiation support");
5313 }
5314
5315 credentials = cli_credentials_shallow_copy(tctx, credentials0);
5316 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5317 ok = cli_credentials_set_smb_encryption(credentials,
5318 SMB_ENCRYPTION_REQUIRED,
5319 CRED_SPECIFIED);
5320 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5321
5322 options1 = transport0->options;
5323 options1.client_guid = GUID_random();
5324 options1.min_protocol = PROTOCOL_SMB3_11;
5325 options1.max_protocol = PROTOCOL_SMB3_11;
5326 options1.signing = SMB_SIGNING_REQUIRED;
5327 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5328 .num_algos = 1,
5329 .algos = {
5330 SMB2_ENCRYPTION_AES128_CCM,
5331 },
5332 };
5333
5334 ret = test_session_sign_enc(tctx,
5335 __func__,
5336 credentials,
5337 &options1);
5338 TALLOC_FREE(tree0);
5339 return ret;
5340 }
5341
5342 static bool test_session_encryption_aes_128_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5343 {
5344 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5345 struct cli_credentials *credentials = NULL;
5346 bool ret = false;
5347 struct smb2_transport *transport0 = tree0->session->transport;
5348 struct smbcli_options options1;
5349 bool ok;
5350
5351 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5352 torture_skip(tctx,
5353 "Can't test without SMB 3.1.1 support");
5354 }
5355
5356 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5357 torture_skip(tctx,
5358 "Can't test without SMB 3.1.1 signing negotiation support");
5359 }
5360
5361 credentials = cli_credentials_shallow_copy(tctx, credentials0);
5362 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5363 ok = cli_credentials_set_smb_encryption(credentials,
5364 SMB_ENCRYPTION_REQUIRED,
5365 CRED_SPECIFIED);
5366 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5367
5368 options1 = transport0->options;
5369 options1.client_guid = GUID_random();
5370 options1.min_protocol = PROTOCOL_SMB3_11;
5371 options1.max_protocol = PROTOCOL_SMB3_11;
5372 options1.signing = SMB_SIGNING_REQUIRED;
5373 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5374 .num_algos = 1,
5375 .algos = {
5376 SMB2_ENCRYPTION_AES128_GCM,
5377 },
5378 };
5379
5380 ret = test_session_sign_enc(tctx,
5381 __func__,
5382 credentials,
5383 &options1);
5384 TALLOC_FREE(tree0);
5385 return ret;
5386 }
5387
5388 static bool test_session_encryption_aes_256_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5389 {
5390 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5391 struct cli_credentials *credentials = NULL;
5392 bool ret = false;
5393 struct smb2_transport *transport0 = tree0->session->transport;
5394 struct smbcli_options options1;
5395 bool ok;
5396
5397 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5398 torture_skip(tctx,
5399 "Can't test without SMB 3.1.1 support");
5400 }
5401
5402 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5403 torture_skip(tctx,
5404 "Can't test without SMB 3.1.1 signing negotiation support");
5405 }
5406
5407 credentials = cli_credentials_shallow_copy(tctx, credentials0);
5408 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5409 ok = cli_credentials_set_smb_encryption(credentials,
5410 SMB_ENCRYPTION_REQUIRED,
5411 CRED_SPECIFIED);
5412 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5413
5414 options1 = transport0->options;
5415 options1.client_guid = GUID_random();
5416 options1.min_protocol = PROTOCOL_SMB3_11;
5417 options1.max_protocol = PROTOCOL_SMB3_11;
5418 options1.signing = SMB_SIGNING_REQUIRED;
5419 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5420 .num_algos = 1,
5421 .algos = {
5422 SMB2_ENCRYPTION_AES256_CCM,
5423 },
5424 };
5425
5426 ret = test_session_sign_enc(tctx,
5427 __func__,
5428 credentials,
5429 &options1);
5430 TALLOC_FREE(tree0);
5431 return ret;
5432 }
5433
5434 static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5435 {
5436 struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5437 struct cli_credentials *credentials = NULL;
5438 bool ret = false;
5439 struct smb2_transport *transport0 = tree0->session->transport;
5440 struct smbcli_options options1;
5441 bool ok;
5442
5443 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5444 torture_skip(tctx,
5445 "Can't test without SMB 3.1.1 support");
5446 }
5447
5448 if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5449 torture_skip(tctx,
5450 "Can't test without SMB 3.1.1 signing negotiation support");
5451 }
5452
5453 credentials = cli_credentials_shallow_copy(tctx, credentials0);
5454 torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5455 ok = cli_credentials_set_smb_encryption(credentials,
5456 SMB_ENCRYPTION_REQUIRED,
5457 CRED_SPECIFIED);
5458 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5459
5460 options1 = transport0->options;
5461 options1.client_guid = GUID_random();
5462 options1.min_protocol = PROTOCOL_SMB3_11;
5463 options1.max_protocol = PROTOCOL_SMB3_11;
5464 options1.signing = SMB_SIGNING_REQUIRED;
5465 options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5466 .num_algos = 1,
5467 .algos = {
5468 SMB2_ENCRYPTION_AES256_GCM,
5469 },
5470 };
5471
5472 ret = test_session_sign_enc(tctx,
5473 __func__,
5474 credentials,
5475 &options1);
5476 TALLOC_FREE(tree0);
5477 return ret;
5478 }
5479
5480 static bool test_session_ntlmssp_bug14932(struct torture_context *tctx, struct smb2_tree *tree)
5481 {
5482 struct cli_credentials *ntlm_creds =
5483 cli_credentials_shallow_copy(tctx, samba_cmdline_get_creds());
5484 NTSTATUS status;
5485 bool ret = true;
5486 /*
5487 * This is a NTLMv2_RESPONSE with the strange
5488 * NTLMv2_CLIENT_CHALLENGE used by the net diag
5489 * tool.
5490 *
5491 * As we expect an error anyway we fill the
5492 * Response part with 0xab...
5493 */
5494 static const char *netapp_magic =
5495 "\xab\xab\xab\xab\xab\xab\xab\xab"
5496 "\xab\xab\xab\xab\xab\xab\xab\xab"
5497 "\x01\x01\x00\x00\x00\x00\x00\x00"
5498 "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
5499 "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
5500 "\x00\x00\x00\x00\x11\xa2\x08\x81"
5501 "\x50\x38\x22\x78\x2b\x94\x47\xfe"
5502 "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
5503 "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
5504 "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
5505 "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
5506 "\x76\x49\xf5\x45\x90\x19\xa2";
5507 DATA_BLOB lm_response = data_blob_talloc_zero(tctx, 24);
5508 DATA_BLOB lm_session_key = data_blob_talloc_zero(tctx, 16);
5509 DATA_BLOB nt_response = data_blob_const(netapp_magic, 95);
5510 DATA_BLOB nt_session_key = data_blob_talloc_zero(tctx, 16);
5511
5512 cli_credentials_set_kerberos_state(ntlm_creds,
5513 CRED_USE_KERBEROS_DISABLED,
5514 CRED_SPECIFIED);
5515 cli_credentials_set_ntlm_response(ntlm_creds,
5516 &lm_response,
5517 &lm_session_key,
5518 &nt_response,
5519 &nt_session_key,
5520 CRED_SPECIFIED);
5521 status = smb2_session_setup_spnego(tree->session,
5522 ntlm_creds,
5523 0 /* previous_session_id */);
5524 torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
5525 "smb2_session_setup_spnego failed");
5526
5527 return ret;
5528 }
5529
5530 static bool test_session_anon_encryption1(struct torture_context *tctx,
5531 struct smb2_tree *tree0)
5532 {
5533 const char *host = torture_setting_string(tctx, "host", NULL);
5534 const char *share = "IPC$";
5535 char *unc = NULL;
5536 struct smb2_transport *transport0 = tree0->session->transport;
5537 struct cli_credentials *anon_creds = NULL;
5538 struct smbcli_options options;
5539 struct smb2_transport *transport = NULL;
5540 struct smb2_session *anon_session = NULL;
5541 struct smb2_tree *anon_tree = NULL;
5542 NTSTATUS status;
5543 bool ok = true;
5544 struct tevent_req *subreq = NULL;
5545 uint32_t timeout_msec;
5546
5547 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
5548 torture_skip(tctx,
5549 "Can't test without SMB3 support");
5550 }
5551
5552 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
5553 torture_assert(tctx, unc != NULL, "talloc_asprintf");
5554
5555 anon_creds = cli_credentials_init_anon(tctx);
5556 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon");
5557 ok = cli_credentials_set_smb_encryption(anon_creds,
5558 SMB_ENCRYPTION_REQUIRED,
5559 CRED_SPECIFIED);
5560 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5561
5562 options = transport0->options;
5563 options.client_guid = GUID_random();
5564 options.only_negprot = true;
5565
5566 status = smb2_connect(tctx,
5567 host,
5568 lpcfg_smb_ports(tctx->lp_ctx),
5569 share,
5570 lpcfg_resolve_context(tctx->lp_ctx),
5571 anon_creds,
5572 &anon_tree,
5573 tctx->ev,
5574 &options,
5575 lpcfg_socket_options(tctx->lp_ctx),
5576 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5577 torture_assert_ntstatus_ok(tctx, status, "smb2_connect failed");
5578 anon_session = anon_tree->session;
5579 transport = anon_session->transport;
5580
5581 anon_session->anonymous_session_key = true;
5582 smb2cli_session_torture_anonymous_encryption(anon_session->smbXcli, true);
5583
5584 status = smb2_session_setup_spnego(anon_session,
5585 anon_creds,
5586 0 /* previous_session_id */);
5587 torture_assert_ntstatus_ok(tctx, status,
5588 "smb2_session_setup_spnego failed");
5589
5590 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
5591 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
5592
5593 /*
5594 * The connection is still in ConstrainedConnection state...
5595 *
5596 * This will use encryption and causes a connection reset
5597 */
5598 timeout_msec = transport->options.request_timeout * 1000;
5599 subreq = smb2cli_tcon_send(tctx,
5600 tctx->ev,
5601 transport->conn,
5602 timeout_msec,
5603 anon_session->smbXcli,
5604 anon_tree->smbXcli,
5605 0, /* flags */
5606 unc);
5607 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
5608
5609 torture_assert(tctx,
5610 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
5611 "tevent_req_poll_ntstatus");
5612
5613 status = smb2cli_tcon_recv(subreq);
5614 TALLOC_FREE(subreq);
5615 if (NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED)) {
5616 status = NT_STATUS_CONNECTION_RESET;
5617 }
5618 torture_assert_ntstatus_equal(tctx, status,
5619 NT_STATUS_CONNECTION_RESET,
5620 "smb2cli_tcon_recv");
5621
5622 ok = smbXcli_conn_is_connected(transport->conn);
5623 torture_assert(tctx, !ok, "smbXcli_conn_is_connected still connected");
5624
5625 return true;
5626 }
5627
5628 static bool test_session_anon_encryption2(struct torture_context *tctx,
5629 struct smb2_tree *tree0)
5630 {
5631 const char *host = torture_setting_string(tctx, "host", NULL);
5632 const char *share = "IPC$";
5633 char *unc = NULL;
5634 struct smb2_transport *transport0 = tree0->session->transport;
5635 struct cli_credentials *_creds = samba_cmdline_get_creds();
5636 struct cli_credentials *user_creds = NULL;
5637 struct cli_credentials *anon_creds = NULL;
5638 struct smbcli_options options;
5639 struct smb2_transport *transport = NULL;
5640 struct smb2_session *user_session = NULL;
5641 struct smb2_tree *user_tree = NULL;
5642 struct smb2_session *anon_session = NULL;
5643 struct smb2_tree *anon_tree = NULL;
5644 struct smb2_ioctl ioctl = {
5645 .level = RAW_IOCTL_SMB2,
5646 .in = {
5647 .file = {
5648 .handle = {
5649 .data = {
5650 [0] = UINT64_MAX,
5651 [1] = UINT64_MAX,
5652 },
5653 },
5654 },
5655 .function = FSCTL_QUERY_NETWORK_INTERFACE_INFO,
5656 /* Windows client sets this to 64KiB */
5657 .max_output_response = 0x10000,
5658 .flags = SMB2_IOCTL_FLAG_IS_FSCTL,
5659 },
5660 };
5661 NTSTATUS status;
5662 bool ok = true;
5663 struct tevent_req *subreq = NULL;
5664 uint32_t timeout_msec;
5665 uint32_t caps = smb2cli_conn_server_capabilities(transport0->conn);
5666 NTSTATUS expected_mc_status;
5667
5668 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
5669 torture_skip(tctx,
5670 "Can't test without SMB3 support");
5671 }
5672
5673 if (caps & SMB2_CAP_MULTI_CHANNEL) {
5674 expected_mc_status = NT_STATUS_OK;
5675 } else {
5676 expected_mc_status = NT_STATUS_FS_DRIVER_REQUIRED;
5677 }
5678
5679 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
5680 torture_assert(tctx, unc != NULL, "talloc_asprintf");
5681
5682 user_creds = cli_credentials_shallow_copy(tctx, _creds);
5683 torture_assert(tctx, user_creds != NULL, "cli_credentials_shallow_copy");
5684 ok = cli_credentials_set_smb_encryption(user_creds,
5685 SMB_ENCRYPTION_REQUIRED,
5686 CRED_SPECIFIED);
5687 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5688
5689 anon_creds = cli_credentials_init_anon(tctx);
5690 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon");
5691 ok = cli_credentials_set_smb_encryption(anon_creds,
5692 SMB_ENCRYPTION_REQUIRED,
5693 CRED_SPECIFIED);
5694 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5695
5696 options = transport0->options;
5697 options.client_guid = GUID_random();
5698
5699 status = smb2_connect(tctx,
5700 host,
5701 lpcfg_smb_ports(tctx->lp_ctx),
5702 share,
5703 lpcfg_resolve_context(tctx->lp_ctx),
5704 user_creds,
5705 &user_tree,
5706 tctx->ev,
5707 &options,
5708 lpcfg_socket_options(tctx->lp_ctx),
5709 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5710 torture_assert_ntstatus_ok(tctx, status, "smb2_connect failed");
5711 user_session = user_tree->session;
5712 transport = user_session->transport;
5713 ok = smb2cli_tcon_is_encryption_on(user_tree->smbXcli);
5714 torture_assert(tctx, ok, "smb2cli_tcon_is_encryption_on(user)");
5715 ok = smbXcli_session_is_authenticated(user_session->smbXcli);
5716 torture_assert(tctx, ok, "smbXcli_session_is_authenticated(user)");
5717
5718 anon_session = smb2_session_init(transport,
5719 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
5720 tctx);
5721 torture_assert(tctx, anon_session != NULL, "smb2_session_init(anon)");
5722
5723 anon_session->anonymous_session_key = true;
5724 smb2cli_session_torture_anonymous_encryption(anon_session->smbXcli, true);
5725
5726 status = smb2_session_setup_spnego(anon_session,
5727 anon_creds,
5728 0 /* previous_session_id */);
5729 torture_assert_ntstatus_ok(tctx, status,
5730 "smb2_session_setup_spnego failed");
5731
5732 ok = smb2cli_tcon_is_encryption_on(user_tree->smbXcli);
5733 torture_assert(tctx, ok, "smb2cli_tcon_is_encryption_on(anon)");
5734 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
5735 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
5736
5737 anon_tree = smb2_tree_init(anon_session, tctx, false);
5738 torture_assert(tctx, anon_tree != NULL, "smb2_tree_init");
5739
5740 timeout_msec = transport->options.request_timeout * 1000;
5741 subreq = smb2cli_tcon_send(tctx,
5742 tctx->ev,
5743 transport->conn,
5744 timeout_msec,
5745 anon_session->smbXcli,
5746 anon_tree->smbXcli,
5747 0, /* flags */
5748 unc);
5749 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
5750
5751 torture_assert(tctx,
5752 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
5753 "tevent_req_poll_ntstatus");
5754
5755 status = smb2cli_tcon_recv(subreq);
5756 TALLOC_FREE(subreq);
5757 torture_assert_ntstatus_ok(tctx, status,
5758 "smb2cli_tcon_recv(anon)");
5759
5760 ok = smbXcli_conn_is_connected(transport->conn);
5761 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
5762
5763 ok = smb2cli_tcon_is_encryption_on(anon_tree->smbXcli);
5764 torture_assert(tctx, ok, "smb2cli_tcon_is_encryption_on(anon)");
5765 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
5766 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
5767
5768 status = smb2_ioctl(user_tree, tctx, &ioctl);
5769 torture_assert_ntstatus_equal(tctx, status, expected_mc_status,
5770 "FSCTL_QUERY_NETWORK_INTERFACE_INFO user");
5771
5772 ok = smbXcli_conn_is_connected(transport->conn);
5773 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
5774
5775 status = smb2_ioctl(anon_tree, tctx, &ioctl);
5776 torture_assert_ntstatus_equal(tctx, status, expected_mc_status,
5777 "FSCTL_QUERY_NETWORK_INTERFACE_INFO anonymous");
5778
5779 ok = smbXcli_conn_is_connected(transport->conn);
5780 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
5781
5782 status = smb2_ioctl(user_tree, tctx, &ioctl);
5783 torture_assert_ntstatus_equal(tctx, status, expected_mc_status,
5784 "FSCTL_QUERY_NETWORK_INTERFACE_INFO user");
5785
5786 ok = smbXcli_conn_is_connected(transport->conn);
5787 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
5788
5789 status = smb2_ioctl(anon_tree, tctx, &ioctl);
5790 torture_assert_ntstatus_equal(tctx, status, expected_mc_status,
5791 "FSCTL_QUERY_NETWORK_INTERFACE_INFO anonymous");
5792
5793 ok = smbXcli_conn_is_connected(transport->conn);
5794 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
5795
5796 return true;
5797 }
5798
5799 static bool test_session_anon_encryption3(struct torture_context *tctx,
5800 struct smb2_tree *tree0)
5801 {
5802 const char *host = torture_setting_string(tctx, "host", NULL);
5803 const char *share = "IPC$";
5804 char *unc = NULL;
5805 struct smb2_transport *transport0 = tree0->session->transport;
5806 struct cli_credentials *_creds = samba_cmdline_get_creds();
5807 struct cli_credentials *user_creds = NULL;
5808 struct cli_credentials *anon_creds = NULL;
5809 struct smbcli_options options;
5810 struct smb2_transport *transport = NULL;
5811 struct smb2_session *user_session = NULL;
5812 struct smb2_tree *user_tree = NULL;
5813 struct smb2_session *anon_session = NULL;
5814 struct smb2_tree *anon_tree = NULL;
5815 NTSTATUS status;
5816 bool ok = true;
5817 struct tevent_req *subreq = NULL;
5818 uint32_t timeout_msec;
5819 uint8_t wrong_session_key[16] = { 0x1f, 0x2f, 0x3f, };
5820
5821 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
5822 torture_skip(tctx,
5823 "Can't test without SMB3 support");
5824 }
5825
5826 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
5827 torture_assert(tctx, unc != NULL, "talloc_asprintf");
5828
5829 user_creds = cli_credentials_shallow_copy(tctx, _creds);
5830 torture_assert(tctx, user_creds != NULL, "cli_credentials_shallow_copy");
5831 ok = cli_credentials_set_smb_encryption(user_creds,
5832 SMB_ENCRYPTION_REQUIRED,
5833 CRED_SPECIFIED);
5834 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5835
5836 anon_creds = cli_credentials_init_anon(tctx);
5837 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon");
5838 ok = cli_credentials_set_smb_encryption(anon_creds,
5839 SMB_ENCRYPTION_REQUIRED,
5840 CRED_SPECIFIED);
5841 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5842
5843 options = transport0->options;
5844 options.client_guid = GUID_random();
5845
5846 status = smb2_connect(tctx,
5847 host,
5848 lpcfg_smb_ports(tctx->lp_ctx),
5849 share,
5850 lpcfg_resolve_context(tctx->lp_ctx),
5851 user_creds,
5852 &user_tree,
5853 tctx->ev,
5854 &options,
5855 lpcfg_socket_options(tctx->lp_ctx),
5856 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5857 torture_assert_ntstatus_ok(tctx, status, "smb2_connect failed");
5858 user_session = user_tree->session;
5859 transport = user_session->transport;
5860 ok = smb2cli_tcon_is_encryption_on(user_tree->smbXcli);
5861 torture_assert(tctx, ok, "smb2cli_tcon_is_encryption_on(user)");
5862 ok = smbXcli_session_is_authenticated(user_session->smbXcli);
5863 torture_assert(tctx, ok, "smbXcli_session_is_authenticated(user)");
5864
5865 anon_session = smb2_session_init(transport,
5866 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
5867 tctx);
5868 torture_assert(tctx, anon_session != NULL, "smb2_session_init(anon)");
5869
5870 anon_session->anonymous_session_key = true;
5871 anon_session->forced_session_key = data_blob_const(wrong_session_key,
5872 ARRAY_SIZE(wrong_session_key));
5873 smb2cli_session_torture_anonymous_encryption(anon_session->smbXcli, true);
5874
5875 status = smb2_session_setup_spnego(anon_session,
5876 anon_creds,
5877 0 /* previous_session_id */);
5878 torture_assert_ntstatus_ok(tctx, status,
5879 "smb2_session_setup_spnego failed");
5880
5881 ok = smb2cli_tcon_is_encryption_on(user_tree->smbXcli);
5882 torture_assert(tctx, ok, "smb2cli_tcon_is_encryption_on(anon)");
5883 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
5884 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
5885
5886 anon_tree = smb2_tree_init(anon_session, tctx, false);
5887 torture_assert(tctx, anon_tree != NULL, "smb2_tree_init");
5888
5889 timeout_msec = transport->options.request_timeout * 1000;
5890 subreq = smb2cli_tcon_send(tctx,
5891 tctx->ev,
5892 transport->conn,
5893 timeout_msec,
5894 anon_session->smbXcli,
5895 anon_tree->smbXcli,
5896 0, /* flags */
5897 unc);
5898 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
5899
5900 torture_assert(tctx,
5901 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
5902 "tevent_req_poll_ntstatus");
5903
5904 status = smb2cli_tcon_recv(subreq);
5905 TALLOC_FREE(subreq);
5906 if (NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_DISCONNECTED)) {
5907 status = NT_STATUS_CONNECTION_RESET;
5908 }
5909 torture_assert_ntstatus_equal(tctx, status,
5910 NT_STATUS_CONNECTION_RESET,
5911 "smb2cli_tcon_recv");
5912
5913 ok = smbXcli_conn_is_connected(transport->conn);
5914 torture_assert(tctx, !ok, "smbXcli_conn_is_connected still connected");
5915
5916 return true;
5917 }
5918
5919 static bool test_session_anon_signing1(struct torture_context *tctx,
5920 struct smb2_tree *tree0)
5921 {
5922 const char *host = torture_setting_string(tctx, "host", NULL);
5923 const char *share = "IPC$";
5924 char *unc = NULL;
5925 struct smb2_transport *transport0 = tree0->session->transport;
5926 struct cli_credentials *anon_creds = NULL;
5927 struct smbcli_options options;
5928 struct smb2_transport *transport = NULL;
5929 struct smb2_session *anon_session = NULL;
5930 struct smb2_tree *anon_tree = NULL;
5931 NTSTATUS status;
5932 bool ok = true;
5933 struct tevent_req *subreq = NULL;
5934 uint32_t timeout_msec;
5935
5936 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
5937 torture_skip(tctx,
5938 "Can't test without SMB3 support");
5939 }
5940
5941 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
5942 torture_assert(tctx, unc != NULL, "talloc_asprintf");
5943
5944 anon_creds = cli_credentials_init_anon(tctx);
5945 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon");
5946 ok = cli_credentials_set_smb_signing(anon_creds,
5947 SMB_SIGNING_REQUIRED,
5948 CRED_SPECIFIED);
5949 torture_assert(tctx, ok, "cli_credentials_set_smb_signing");
5950 ok = cli_credentials_set_smb_ipc_signing(anon_creds,
5951 SMB_SIGNING_REQUIRED,
5952 CRED_SPECIFIED);
5953 torture_assert(tctx, ok, "cli_credentials_set_smb_ipc_signing");
5954 ok = cli_credentials_set_smb_encryption(anon_creds,
5955 SMB_ENCRYPTION_OFF,
5956 CRED_SPECIFIED);
5957 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5958
5959 options = transport0->options;
5960 options.client_guid = GUID_random();
5961 options.only_negprot = true;
5962 options.signing = SMB_SIGNING_REQUIRED;
5963
5964 status = smb2_connect(tctx,
5965 host,
5966 lpcfg_smb_ports(tctx->lp_ctx),
5967 share,
5968 lpcfg_resolve_context(tctx->lp_ctx),
5969 anon_creds,
5970 &anon_tree,
5971 tctx->ev,
5972 &options,
5973 lpcfg_socket_options(tctx->lp_ctx),
5974 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5975 torture_assert_ntstatus_ok(tctx, status, "smb2_connect failed");
5976 anon_session = anon_tree->session;
5977 transport = anon_session->transport;
5978
5979 anon_session->anonymous_session_key = true;
5980 smb2cli_session_torture_anonymous_signing(anon_session->smbXcli, true);
5981
5982 status = smb2_session_setup_spnego(anon_session,
5983 anon_creds,
5984 0 /* previous_session_id */);
5985 torture_assert_ntstatus_ok(tctx, status,
5986 "smb2_session_setup_spnego failed");
5987
5988 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
5989 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
5990
5991 timeout_msec = transport->options.request_timeout * 1000;
5992 subreq = smb2cli_tcon_send(tctx,
5993 tctx->ev,
5994 transport->conn,
5995 timeout_msec,
5996 anon_session->smbXcli,
5997 anon_tree->smbXcli,
5998 0, /* flags */
5999 unc);
6000 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
6001
6002 torture_assert(tctx,
6003 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
6004 "tevent_req_poll_ntstatus");
6005
6006 status = smb2cli_tcon_recv(subreq);
6007 TALLOC_FREE(subreq);
6008 torture_assert_ntstatus_ok(tctx, status, "smb2cli_tcon_recv");
6009
6010 ok = smbXcli_conn_is_connected(transport->conn);
6011 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
6012
6013 return true;
6014 }
6015
6016 static bool test_session_anon_signing2(struct torture_context *tctx,
6017 struct smb2_tree *tree0)
6018 {
6019 const char *host = torture_setting_string(tctx, "host", NULL);
6020 const char *share = "IPC$";
6021 char *unc = NULL;
6022 struct smb2_transport *transport0 = tree0->session->transport;
6023 struct cli_credentials *anon_creds = NULL;
6024 struct smbcli_options options;
6025 struct smb2_transport *transport = NULL;
6026 struct smb2_session *anon_session = NULL;
6027 struct smb2_session *anon_session_nosign = NULL;
6028 struct smb2_tree *anon_tree = NULL;
6029 NTSTATUS status;
6030 bool ok = true;
6031 struct tevent_req *subreq = NULL;
6032 uint32_t timeout_msec;
6033 uint8_t wrong_session_key[16] = { 0x1f, 0x2f, 0x3f, };
6034 uint64_t session_id;
6035
6036 if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
6037 torture_skip(tctx,
6038 "Can't test without SMB3 support");
6039 }
6040
6041 unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
6042 torture_assert(tctx, unc != NULL, "talloc_asprintf");
6043
6044 anon_creds = cli_credentials_init_anon(tctx);
6045 torture_assert(tctx, anon_creds != NULL, "cli_credentials_init_anon");
6046 ok = cli_credentials_set_smb_signing(anon_creds,
6047 SMB_SIGNING_REQUIRED,
6048 CRED_SPECIFIED);
6049 torture_assert(tctx, ok, "cli_credentials_set_smb_signing");
6050 ok = cli_credentials_set_smb_ipc_signing(anon_creds,
6051 SMB_SIGNING_REQUIRED,
6052 CRED_SPECIFIED);
6053 torture_assert(tctx, ok, "cli_credentials_set_smb_ipc_signing");
6054 ok = cli_credentials_set_smb_encryption(anon_creds,
6055 SMB_ENCRYPTION_OFF,
6056 CRED_SPECIFIED);
6057 torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
6058
6059 options = transport0->options;
6060 options.client_guid = GUID_random();
6061 options.only_negprot = true;
6062 options.signing = SMB_SIGNING_REQUIRED;
6063
6064 status = smb2_connect(tctx,
6065 host,
6066 lpcfg_smb_ports(tctx->lp_ctx),
6067 share,
6068 lpcfg_resolve_context(tctx->lp_ctx),
6069 anon_creds,
6070 &anon_tree,
6071 tctx->ev,
6072 &options,
6073 lpcfg_socket_options(tctx->lp_ctx),
6074 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
6075 torture_assert_ntstatus_ok(tctx, status, "smb2_connect failed");
6076 anon_session = anon_tree->session;
6077 transport = anon_session->transport;
6078
6079 anon_session->anonymous_session_key = true;
6080 anon_session->forced_session_key = data_blob_const(wrong_session_key,
6081 ARRAY_SIZE(wrong_session_key));
6082 smb2cli_session_torture_anonymous_signing(anon_session->smbXcli, true);
6083 smb2cli_session_torture_no_signing_disconnect(anon_session->smbXcli);
6084
6085 status = smb2_session_setup_spnego(anon_session,
6086 anon_creds,
6087 0 /* previous_session_id */);
6088 torture_assert_ntstatus_ok(tctx, status,
6089 "smb2_session_setup_spnego failed");
6090
6091 ok = smbXcli_session_is_authenticated(anon_session->smbXcli);
6092 torture_assert(tctx, !ok, "smbXcli_session_is_authenticated(anon) wrong");
6093
6094 /*
6095 * create a new structure for the same session id,
6096 * but without smb2.should_sign set.
6097 */
6098 session_id = smb2cli_session_current_id(anon_session->smbXcli);
6099 anon_session_nosign = smb2_session_init(transport,
6100 lpcfg_gensec_settings(tctx, tctx->lp_ctx),
6101 tctx);
6102 torture_assert(tctx, anon_session_nosign != NULL, "smb2_session_init(anon_nosign)");
6103 smb2cli_session_set_id_and_flags(anon_session_nosign->smbXcli, session_id, 0);
6104 smb2cli_session_torture_no_signing_disconnect(anon_session_nosign->smbXcli);
6105
6106 timeout_msec = transport->options.request_timeout * 1000;
6107 subreq = smb2cli_tcon_send(tctx,
6108 tctx->ev,
6109 transport->conn,
6110 timeout_msec,
6111 anon_session->smbXcli,
6112 anon_tree->smbXcli,
6113 0, /* flags */
6114 unc);
6115 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
6116
6117 torture_assert(tctx,
6118 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
6119 "tevent_req_poll_ntstatus");
6120
6121 status = smb2cli_tcon_recv(subreq);
6122 TALLOC_FREE(subreq);
6123 torture_assert_ntstatus_equal(tctx, status,
6124 NT_STATUS_ACCESS_DENIED,
6125 "smb2cli_tcon_recv");
6126
6127 ok = smbXcli_conn_is_connected(transport->conn);
6128 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
6129
6130 subreq = smb2cli_tcon_send(tctx,
6131 tctx->ev,
6132 transport->conn,
6133 timeout_msec,
6134 anon_session_nosign->smbXcli,
6135 anon_tree->smbXcli,
6136 0, /* flags */
6137 unc);
6138 torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
6139
6140 torture_assert(tctx,
6141 tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
6142 "tevent_req_poll_ntstatus");
6143
6144 status = smb2cli_tcon_recv(subreq);
6145 TALLOC_FREE(subreq);
6146 torture_assert_ntstatus_ok(tctx, status, "smb2cli_tcon_recv");
6147
6148 ok = smbXcli_conn_is_connected(transport->conn);
6149 torture_assert(tctx, ok, "smbXcli_conn_is_connected");
6150
6151 return true;
6152 }
6153
6154 struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
6155 {
6156 struct torture_suite *suite =
6157 torture_suite_create(ctx, "session");
6158
6159 torture_suite_add_1smb2_test(suite, "reconnect1", test_session_reconnect1);
6160 torture_suite_add_1smb2_test(suite, "reconnect2", test_session_reconnect2);
6161 torture_suite_add_1smb2_test(suite, "reauth1", test_session_reauth1);
6162 torture_suite_add_1smb2_test(suite, "reauth2", test_session_reauth2);
6163 torture_suite_add_1smb2_test(suite, "reauth3", test_session_reauth3);
6164 torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
6165 torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
6166 torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
6167 torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
6168 torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
6169 torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
6170 torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
6171 torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
6172 torture_suite_add_simple_test(suite, "expire_disconnect",
6173 test_session_expire_disconnect);
6174 torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
6175 torture_suite_add_1smb2_test(suite, "bind2", test_session_bind2);
6176 torture_suite_add_1smb2_test(suite, "bind_invalid_auth", test_session_bind_invalid_auth);
6177 torture_suite_add_1smb2_test(suite, "bind_different_user", test_session_bind_different_user);
6178 torture_suite_add_1smb2_test(suite, "bind_negative_smb202", test_session_bind_negative_smb202);
6179 torture_suite_add_1smb2_test(suite, "bind_negative_smb210s", test_session_bind_negative_smb210s);
6180 torture_suite_add_1smb2_test(suite, "bind_negative_smb210d", test_session_bind_negative_smb210d);
6181 torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3s", test_session_bind_negative_smb2to3s);
6182 torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3d", test_session_bind_negative_smb2to3d);
6183 torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2s", test_session_bind_negative_smb3to2s);
6184 torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2d", test_session_bind_negative_smb3to2d);
6185 torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3s", test_session_bind_negative_smb3to3s);
6186 torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3d", test_session_bind_negative_smb3to3d);
6187 torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCs", test_session_bind_negative_smb3encGtoCs);
6188 torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCd", test_session_bind_negative_smb3encGtoCd);
6189 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHs", test_session_bind_negative_smb3signCtoHs);
6190 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHd", test_session_bind_negative_smb3signCtoHd);
6191 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGs", test_session_bind_negative_smb3signCtoGs);
6192 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGd", test_session_bind_negative_smb3signCtoGd);
6193 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCs", test_session_bind_negative_smb3signHtoCs);
6194 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCd", test_session_bind_negative_smb3signHtoCd);
6195 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGs", test_session_bind_negative_smb3signHtoGs);
6196 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGd", test_session_bind_negative_smb3signHtoGd);
6197 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCs", test_session_bind_negative_smb3signGtoCs);
6198 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCd", test_session_bind_negative_smb3signGtoCd);
6199 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHs", test_session_bind_negative_smb3signGtoHs);
6200 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHd", test_session_bind_negative_smb3signGtoHd);
6201 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCs", test_session_bind_negative_smb3sneGtoCs);
6202 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCd", test_session_bind_negative_smb3sneGtoCd);
6203 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHs", test_session_bind_negative_smb3sneGtoHs);
6204 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHd", test_session_bind_negative_smb3sneGtoHd);
6205 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGs", test_session_bind_negative_smb3sneCtoGs);
6206 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGd", test_session_bind_negative_smb3sneCtoGd);
6207 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGs", test_session_bind_negative_smb3sneHtoGs);
6208 torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGd", test_session_bind_negative_smb3sneHtoGd);
6209 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGs", test_session_bind_negative_smb3signC30toGs);
6210 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGd", test_session_bind_negative_smb3signC30toGd);
6211 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGs", test_session_bind_negative_smb3signH2XtoGs);
6212 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGd", test_session_bind_negative_smb3signH2XtoGd);
6213 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30s", test_session_bind_negative_smb3signGtoC30s);
6214 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30d", test_session_bind_negative_smb3signGtoC30d);
6215 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xs", test_session_bind_negative_smb3signGtoH2Xs);
6216 torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xd", test_session_bind_negative_smb3signGtoH2Xd);
6217 torture_suite_add_1smb2_test(suite, "two_logoff", test_session_two_logoff);
6218 torture_suite_add_1smb2_test(suite, "signing-hmac-sha-256", test_session_signing_hmac_sha_256);
6219 torture_suite_add_1smb2_test(suite, "signing-aes-128-cmac", test_session_signing_aes_128_cmac);
6220 torture_suite_add_1smb2_test(suite, "signing-aes-128-gmac", test_session_signing_aes_128_gmac);
6221 torture_suite_add_1smb2_test(suite, "encryption-aes-128-ccm", test_session_encryption_aes_128_ccm);
6222 torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
6223 torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
6224 torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
6225 torture_suite_add_1smb2_test(suite, "ntlmssp_bug14932", test_session_ntlmssp_bug14932);
6226 torture_suite_add_1smb2_test(suite, "anon-encryption1", test_session_anon_encryption1);
6227 torture_suite_add_1smb2_test(suite, "anon-encryption2", test_session_anon_encryption2);
6228 torture_suite_add_1smb2_test(suite, "anon-encryption3", test_session_anon_encryption3);
6229 torture_suite_add_1smb2_test(suite, "anon-signing1", test_session_anon_signing1);
6230 torture_suite_add_1smb2_test(suite, "anon-signing2", test_session_anon_signing2);
6231
6232 suite->description = talloc_strdup(suite, "SMB2-SESSION tests");
6233
6234 return suite;
6235 }
6236
6237 static bool test_session_require_sign_bug15397(struct torture_context *tctx,
6238 struct smb2_tree *_tree)
6239 {
6240 const char *host = torture_setting_string(tctx, "host", NULL);
6241 const char *share = torture_setting_string(tctx, "share", NULL);
6242 struct cli_credentials *_creds = samba_cmdline_get_creds();
6243 struct cli_credentials *creds = NULL;
6244 struct smbcli_options options;
6245 struct smb2_tree *tree = NULL;
6246 uint8_t security_mode;
6247 NTSTATUS status;
6248 bool ok = true;
6249
6250 /*
6251 * Setup our own connection so we can control the signing flags
6252 */
6253
6254 creds = cli_credentials_shallow_copy(tctx, _creds);
6255 torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
6256
6257 options = _tree->session->transport->options;
6258 options.client_guid = GUID_random();
6259 options.signing = SMB_SIGNING_IF_REQUIRED;
6260
6261 status = smb2_connect(tctx,
6262 host,
6263 lpcfg_smb_ports(tctx->lp_ctx),
6264 share,
6265 lpcfg_resolve_context(tctx->lp_ctx),
6266 creds,
6267 &tree,
6268 tctx->ev,
6269 &options,
6270 lpcfg_socket_options(tctx->lp_ctx),
6271 lpcfg_gensec_settings(tctx, tctx->lp_ctx));
6272 torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
6273 "smb2_connect failed");
6274
6275 security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
6276
6277 torture_assert_int_equal_goto(
6278 tctx,
6279 security_mode,
6280 SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
6281 ok,
6282 done,
6283 "Signing not required");
6284
6285 done:
6286 return ok;
6287 }
6288
6289 struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
6290 {
6291 struct torture_suite *suite =
6292 torture_suite_create(ctx, "session-require-signing");
6293
6294 torture_suite_add_1smb2_test(suite, "bug15397",
6295 test_session_require_sign_bug15397);
6296
6297 suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
6298 return suite;
6299 }
Samba GIT mirror