Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : test suite for SMB2 session setups
5 :
6 : Copyright (C) Michael Adam 2012
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "libcli/smb2/smb2.h"
24 : #include "libcli/smb2/smb2_calls.h"
25 : #include "torture/torture.h"
26 : #include "torture/util.h"
27 : #include "torture/smb2/proto.h"
28 : #include "../libcli/smb/smbXcli_base.h"
29 : #include "lib/cmdline/cmdline.h"
30 : #include "auth/credentials/credentials.h"
31 : #include "auth/credentials/credentials_krb5.h"
32 : #include "libcli/security/security.h"
33 : #include "libcli/resolve/resolve.h"
34 : #include "lib/param/param.h"
35 : #include "lib/util/tevent_ntstatus.h"
36 :
37 : #define CHECK_CREATED(tctx, __io, __created, __attribute) \
38 : do { \
39 : torture_assert_int_equal(tctx, (__io)->out.create_action, \
40 : NTCREATEX_ACTION_ ## __created, \
41 : "out.create_action incorrect"); \
42 : torture_assert_int_equal(tctx, (__io)->out.size, 0, \
43 : "out.size incorrect"); \
44 : torture_assert_int_equal(tctx, (__io)->out.file_attr, \
45 : (__attribute), \
46 : "out.file_attr incorrect"); \
47 : torture_assert_int_equal(tctx, (__io)->out.reserved2, 0, \
48 : "out.reserverd2 incorrect"); \
49 : } while(0)
50 :
51 : #define WAIT_FOR_ASYNC_RESPONSE(req) \
52 : while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) { \
53 : if (tevent_loop_once(tctx->ev) != 0) { \
54 : break; \
55 : } \
56 : }
57 :
58 : /**
59 : * basic test for doing a session reconnect
60 : */
61 2 : bool test_session_reconnect1(struct torture_context *tctx, struct smb2_tree *tree)
62 : {
63 : NTSTATUS status;
64 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
65 : char fname[256];
66 : struct smb2_handle _h1;
67 2 : struct smb2_handle *h1 = NULL;
68 : struct smb2_handle _h2;
69 2 : struct smb2_handle *h2 = NULL;
70 : struct smb2_create io1, io2;
71 : uint64_t previous_session_id;
72 2 : bool ret = true;
73 2 : struct smb2_tree *tree2 = NULL;
74 : union smb_fileinfo qfinfo;
75 :
76 : /* Add some random component to the file name. */
77 2 : snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
78 : generate_random_str(tctx, 8));
79 :
80 2 : smb2_util_unlink(tree, fname);
81 :
82 2 : smb2_oplock_create_share(&io1, fname,
83 : smb2_util_share_access(""),
84 2 : smb2_util_oplock_level("b"));
85 :
86 2 : status = smb2_create(tree, mem_ctx, &io1);
87 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
88 : "smb2_create failed");
89 2 : _h1 = io1.out.file.handle;
90 2 : h1 = &_h1;
91 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
92 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
93 : smb2_util_oplock_level("b"),
94 : "oplock_level incorrect");
95 :
96 : /* disconnect, reconnect and then do durable reopen */
97 2 : previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
98 :
99 2 : torture_assert_goto(tctx, torture_smb2_connection_ext(tctx, previous_session_id,
100 : &tree->session->transport->options, &tree2),
101 : ret, done,
102 : "session reconnect failed\n");
103 :
104 : /* try to access the file via the old handle */
105 :
106 2 : ZERO_STRUCT(qfinfo);
107 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
108 2 : qfinfo.generic.in.file.handle = _h1;
109 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
110 2 : torture_assert_ntstatus_equal_goto(tctx, status,
111 : NT_STATUS_USER_SESSION_DELETED,
112 : ret, done, "smb2_getinfo_file "
113 : "returned unexpected status");
114 2 : h1 = NULL;
115 :
116 2 : smb2_oplock_create_share(&io2, fname,
117 : smb2_util_share_access(""),
118 2 : smb2_util_oplock_level("b"));
119 :
120 2 : status = smb2_create(tree2, mem_ctx, &io2);
121 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
122 : "smb2_create failed");
123 :
124 2 : CHECK_CREATED(tctx, &io2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
125 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
126 : smb2_util_oplock_level("b"),
127 : "oplock_level incorrect");
128 2 : _h2 = io2.out.file.handle;
129 2 : h2 = &_h2;
130 :
131 2 : done:
132 2 : if (h1 != NULL) {
133 0 : smb2_util_close(tree, *h1);
134 : }
135 2 : if (h2 != NULL) {
136 2 : smb2_util_close(tree2, *h2);
137 : }
138 :
139 2 : if (tree2 != NULL) {
140 2 : smb2_util_unlink(tree2, fname);
141 : }
142 2 : smb2_util_unlink(tree, fname);
143 :
144 2 : talloc_free(tree);
145 2 : talloc_free(tree2);
146 :
147 2 : talloc_free(mem_ctx);
148 :
149 2 : return ret;
150 : }
151 :
152 : /**
153 : * basic test for doing a session reconnect on one connection
154 : */
155 2 : bool test_session_reconnect2(struct torture_context *tctx, struct smb2_tree *tree)
156 : {
157 : NTSTATUS status;
158 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
159 : char fname[256];
160 : struct smb2_handle _h1;
161 2 : struct smb2_handle *h1 = NULL;
162 : struct smb2_create io1;
163 : uint64_t previous_session_id;
164 2 : bool ret = true;
165 2 : struct smb2_session *session2 = NULL;
166 : union smb_fileinfo qfinfo;
167 :
168 : /* Add some random component to the file name. */
169 2 : snprintf(fname, sizeof(fname), "session_reconnect_%s.dat",
170 : generate_random_str(tctx, 8));
171 :
172 2 : smb2_util_unlink(tree, fname);
173 :
174 2 : smb2_oplock_create_share(&io1, fname,
175 : smb2_util_share_access(""),
176 2 : smb2_util_oplock_level("b"));
177 2 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
178 :
179 2 : status = smb2_create(tree, mem_ctx, &io1);
180 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
181 : "smb2_create failed");
182 2 : _h1 = io1.out.file.handle;
183 2 : h1 = &_h1;
184 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
185 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
186 : smb2_util_oplock_level("b"),
187 : "oplock_level incorrect");
188 :
189 : /* disconnect, reconnect and then do durable reopen */
190 2 : previous_session_id = smb2cli_session_current_id(tree->session->smbXcli);
191 :
192 2 : torture_assert(tctx, torture_smb2_session_setup(tctx, tree->session->transport,
193 : previous_session_id, tctx, &session2),
194 : "session reconnect (on the same connection) failed");
195 :
196 : /* try to access the file via the old handle */
197 :
198 2 : ZERO_STRUCT(qfinfo);
199 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
200 2 : qfinfo.generic.in.file.handle = _h1;
201 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
202 2 : torture_assert_ntstatus_equal_goto(tctx, status,
203 : NT_STATUS_USER_SESSION_DELETED,
204 : ret, done, "smb2_getinfo_file "
205 : "returned unexpected status");
206 2 : h1 = NULL;
207 :
208 2 : done:
209 2 : if (h1 != NULL) {
210 0 : smb2_util_close(tree, *h1);
211 : }
212 :
213 2 : talloc_free(tree);
214 2 : talloc_free(session2);
215 :
216 2 : talloc_free(mem_ctx);
217 :
218 2 : return ret;
219 : }
220 :
221 2 : bool test_session_reauth1(struct torture_context *tctx, struct smb2_tree *tree)
222 : {
223 : NTSTATUS status;
224 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
225 : char fname[256];
226 : struct smb2_handle _h1;
227 2 : struct smb2_handle *h1 = NULL;
228 : struct smb2_create io1;
229 2 : bool ret = true;
230 : union smb_fileinfo qfinfo;
231 :
232 : /* Add some random component to the file name. */
233 2 : snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
234 : generate_random_str(tctx, 8));
235 :
236 2 : smb2_util_unlink(tree, fname);
237 :
238 2 : smb2_oplock_create_share(&io1, fname,
239 : smb2_util_share_access(""),
240 2 : smb2_util_oplock_level("b"));
241 :
242 2 : status = smb2_create(tree, mem_ctx, &io1);
243 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
244 : "smb2_create failed");
245 2 : _h1 = io1.out.file.handle;
246 2 : h1 = &_h1;
247 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
248 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
249 : smb2_util_oplock_level("b"),
250 : "oplock_level incorrect");
251 :
252 2 : status = smb2_session_setup_spnego(tree->session,
253 : samba_cmdline_get_creds(),
254 : 0 /* previous_session_id */);
255 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
256 : "smb2_session_setup_spnego failed");
257 :
258 : /* try to access the file via the old handle */
259 :
260 2 : ZERO_STRUCT(qfinfo);
261 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
262 2 : qfinfo.generic.in.file.handle = _h1;
263 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
264 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
265 : "smb2_getinfo_file failed");
266 :
267 2 : status = smb2_session_setup_spnego(tree->session,
268 : samba_cmdline_get_creds(),
269 : 0 /* previous_session_id */);
270 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
271 : "smb2_session_setup_spnego failed");
272 :
273 : /* try to access the file via the old handle */
274 :
275 2 : ZERO_STRUCT(qfinfo);
276 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
277 2 : qfinfo.generic.in.file.handle = _h1;
278 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
279 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
280 : "smb2_getinfo_file failed");
281 :
282 2 : done:
283 2 : if (h1 != NULL) {
284 2 : smb2_util_close(tree, *h1);
285 : }
286 :
287 2 : smb2_util_unlink(tree, fname);
288 :
289 2 : talloc_free(tree);
290 :
291 2 : talloc_free(mem_ctx);
292 :
293 2 : return ret;
294 : }
295 :
296 2 : bool test_session_reauth2(struct torture_context *tctx, struct smb2_tree *tree)
297 : {
298 : NTSTATUS status;
299 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
300 : char fname[256];
301 : struct smb2_handle _h1;
302 2 : struct smb2_handle *h1 = NULL;
303 : struct smb2_create io1;
304 2 : bool ret = true;
305 : union smb_fileinfo qfinfo;
306 2 : struct cli_credentials *anon_creds = NULL;
307 :
308 : /* Add some random component to the file name. */
309 2 : snprintf(fname, sizeof(fname), "session_reauth2_%s.dat",
310 : generate_random_str(tctx, 8));
311 :
312 2 : smb2_util_unlink(tree, fname);
313 :
314 2 : smb2_oplock_create_share(&io1, fname,
315 : smb2_util_share_access(""),
316 2 : smb2_util_oplock_level("b"));
317 :
318 2 : status = smb2_create(tree, mem_ctx, &io1);
319 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
320 : "smb2_create failed");
321 2 : _h1 = io1.out.file.handle;
322 2 : h1 = &_h1;
323 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
324 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
325 : smb2_util_oplock_level("b"),
326 : "oplock_level incorrect");
327 :
328 : /* re-authenticate as anonymous */
329 :
330 2 : anon_creds = cli_credentials_init_anon(mem_ctx);
331 2 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
332 :
333 2 : status = smb2_session_setup_spnego(tree->session,
334 : anon_creds,
335 : 0 /* previous_session_id */);
336 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
337 : "smb2_session_setup_spnego failed");
338 :
339 : /* try to access the file via the old handle */
340 :
341 2 : ZERO_STRUCT(qfinfo);
342 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
343 2 : qfinfo.generic.in.file.handle = _h1;
344 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
345 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
346 : "smb2_getinfo_file failed");
347 :
348 : /* re-authenticate as original user again */
349 :
350 2 : status = smb2_session_setup_spnego(tree->session,
351 : samba_cmdline_get_creds(),
352 : 0 /* previous_session_id */);
353 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
354 : "smb2_session_setup_spnego failed");
355 :
356 : /* try to access the file via the old handle */
357 :
358 2 : ZERO_STRUCT(qfinfo);
359 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
360 2 : qfinfo.generic.in.file.handle = _h1;
361 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
362 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
363 : "smb2_getinfo_file failed");
364 :
365 2 : done:
366 2 : if (h1 != NULL) {
367 2 : smb2_util_close(tree, *h1);
368 : }
369 :
370 2 : smb2_util_unlink(tree, fname);
371 :
372 2 : talloc_free(tree);
373 :
374 2 : talloc_free(mem_ctx);
375 :
376 2 : return ret;
377 : }
378 :
379 : /**
380 : * test getting security descriptor after reauth
381 : */
382 2 : bool test_session_reauth3(struct torture_context *tctx, struct smb2_tree *tree)
383 : {
384 : NTSTATUS status;
385 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
386 : char fname[256];
387 : struct smb2_handle _h1;
388 2 : struct smb2_handle *h1 = NULL;
389 : struct smb2_create io1;
390 2 : bool ret = true;
391 : union smb_fileinfo qfinfo;
392 2 : struct cli_credentials *anon_creds = NULL;
393 2 : uint32_t secinfo_flags = SECINFO_OWNER
394 : | SECINFO_GROUP
395 : | SECINFO_DACL
396 : | SECINFO_PROTECTED_DACL
397 : | SECINFO_UNPROTECTED_DACL;
398 :
399 : /* Add some random component to the file name. */
400 2 : snprintf(fname, sizeof(fname), "session_reauth3_%s.dat",
401 : generate_random_str(tctx, 8));
402 :
403 2 : smb2_util_unlink(tree, fname);
404 :
405 2 : smb2_oplock_create_share(&io1, fname,
406 : smb2_util_share_access(""),
407 2 : smb2_util_oplock_level("b"));
408 :
409 2 : status = smb2_create(tree, mem_ctx, &io1);
410 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
411 : "smb2_create failed");
412 2 : _h1 = io1.out.file.handle;
413 2 : h1 = &_h1;
414 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
415 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
416 : smb2_util_oplock_level("b"),
417 : "oplock_level incorrect");
418 :
419 : /* get the security descriptor */
420 :
421 2 : ZERO_STRUCT(qfinfo);
422 :
423 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
424 2 : qfinfo.query_secdesc.in.file.handle = _h1;
425 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
426 :
427 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
428 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
429 : "smb2_getinfo_file failed");
430 :
431 : /* re-authenticate as anonymous */
432 :
433 2 : anon_creds = cli_credentials_init_anon(mem_ctx);
434 2 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
435 :
436 2 : status = smb2_session_setup_spnego(tree->session,
437 : anon_creds,
438 : 0 /* previous_session_id */);
439 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
440 : "smb2_session_setup_spnego failed");
441 :
442 : /* try to access the file via the old handle */
443 :
444 2 : ZERO_STRUCT(qfinfo);
445 :
446 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
447 2 : qfinfo.query_secdesc.in.file.handle = _h1;
448 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
449 :
450 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
451 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
452 : "smb2_getinfo_file failed");
453 :
454 : /* re-authenticate as original user again */
455 :
456 2 : status = smb2_session_setup_spnego(tree->session,
457 : samba_cmdline_get_creds(),
458 : 0 /* previous_session_id */);
459 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
460 : "smb2_session_setup_spnego failed");
461 :
462 : /* try to access the file via the old handle */
463 :
464 2 : ZERO_STRUCT(qfinfo);
465 :
466 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
467 2 : qfinfo.query_secdesc.in.file.handle = _h1;
468 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
469 :
470 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
471 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
472 : "smb2_getinfo_file failed");
473 :
474 2 : done:
475 2 : if (h1 != NULL) {
476 2 : smb2_util_close(tree, *h1);
477 : }
478 :
479 2 : smb2_util_unlink(tree, fname);
480 :
481 2 : talloc_free(tree);
482 :
483 2 : talloc_free(mem_ctx);
484 :
485 2 : return ret;
486 : }
487 :
488 : /**
489 : * test setting security descriptor after reauth.
490 : */
491 2 : bool test_session_reauth4(struct torture_context *tctx, struct smb2_tree *tree)
492 : {
493 : NTSTATUS status;
494 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
495 : char fname[256];
496 : struct smb2_handle _h1;
497 2 : struct smb2_handle *h1 = NULL;
498 : struct smb2_create io1;
499 2 : bool ret = true;
500 : union smb_fileinfo qfinfo;
501 : union smb_setfileinfo sfinfo;
502 2 : struct cli_credentials *anon_creds = NULL;
503 2 : uint32_t secinfo_flags = SECINFO_OWNER
504 : | SECINFO_GROUP
505 : | SECINFO_DACL
506 : | SECINFO_PROTECTED_DACL
507 : | SECINFO_UNPROTECTED_DACL;
508 : struct security_descriptor *sd1;
509 : struct security_ace ace;
510 : struct dom_sid *extra_sid;
511 :
512 : /* Add some random component to the file name. */
513 2 : snprintf(fname, sizeof(fname), "session_reauth4_%s.dat",
514 : generate_random_str(tctx, 8));
515 :
516 2 : smb2_util_unlink(tree, fname);
517 :
518 2 : smb2_oplock_create_share(&io1, fname,
519 : smb2_util_share_access(""),
520 2 : smb2_util_oplock_level("b"));
521 :
522 2 : status = smb2_create(tree, mem_ctx, &io1);
523 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
524 : "smb2_create failed");
525 2 : _h1 = io1.out.file.handle;
526 2 : h1 = &_h1;
527 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
528 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
529 : smb2_util_oplock_level("b"),
530 : "oplock_level incorrect");
531 :
532 : /* get the security descriptor */
533 :
534 2 : ZERO_STRUCT(qfinfo);
535 :
536 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
537 2 : qfinfo.query_secdesc.in.file.handle = _h1;
538 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
539 :
540 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
541 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
542 : "smb2_getinfo_file failed");
543 :
544 2 : sd1 = qfinfo.query_secdesc.out.sd;
545 :
546 : /* re-authenticate as anonymous */
547 :
548 2 : anon_creds = cli_credentials_init_anon(mem_ctx);
549 2 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
550 :
551 2 : status = smb2_session_setup_spnego(tree->session,
552 : anon_creds,
553 : 0 /* previous_session_id */);
554 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
555 : "smb2_session_setup_spnego failed");
556 :
557 : /* give full access on the file to anonymous */
558 :
559 2 : extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
560 :
561 2 : ZERO_STRUCT(ace);
562 2 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
563 2 : ace.flags = 0;
564 2 : ace.access_mask = SEC_STD_ALL | SEC_FILE_ALL;
565 2 : ace.trustee = *extra_sid;
566 :
567 2 : status = security_descriptor_dacl_add(sd1, &ace);
568 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
569 : "security_descriptor_dacl_add failed");
570 :
571 2 : ZERO_STRUCT(sfinfo);
572 2 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
573 2 : sfinfo.set_secdesc.in.file.handle = _h1;
574 2 : sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
575 2 : sfinfo.set_secdesc.in.sd = sd1;
576 :
577 2 : status = smb2_setinfo_file(tree, &sfinfo);
578 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
579 : "smb2_setinfo_file failed");
580 :
581 : /* re-authenticate as original user again */
582 :
583 2 : status = smb2_session_setup_spnego(tree->session,
584 : samba_cmdline_get_creds(),
585 : 0 /* previous_session_id */);
586 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
587 : "smb2_session_setup_spnego failed");
588 :
589 : /* re-get the security descriptor */
590 :
591 2 : ZERO_STRUCT(qfinfo);
592 :
593 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
594 2 : qfinfo.query_secdesc.in.file.handle = _h1;
595 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
596 :
597 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
598 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
599 : "smb2_getinfo_file failed");
600 :
601 2 : ret = true;
602 :
603 2 : done:
604 2 : if (h1 != NULL) {
605 2 : smb2_util_close(tree, *h1);
606 : }
607 :
608 2 : smb2_util_unlink(tree, fname);
609 :
610 2 : talloc_free(tree);
611 :
612 2 : talloc_free(mem_ctx);
613 :
614 2 : return ret;
615 : }
616 :
617 : /**
618 : * test renaming after reauth.
619 : * compare security descriptors before and after rename/reauth
620 : */
621 2 : bool test_session_reauth5(struct torture_context *tctx, struct smb2_tree *tree)
622 : {
623 : NTSTATUS status;
624 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
625 : char dname[128];
626 : char fname[256];
627 : char fname2[256];
628 : struct smb2_handle _dh1;
629 2 : struct smb2_handle *dh1 = NULL;
630 : struct smb2_handle _h1;
631 2 : struct smb2_handle *h1 = NULL;
632 : struct smb2_create io1;
633 2 : bool ret = true;
634 : bool ok;
635 : union smb_fileinfo qfinfo;
636 : union smb_setfileinfo sfinfo;
637 2 : struct cli_credentials *anon_creds = NULL;
638 2 : uint32_t secinfo_flags = SECINFO_OWNER
639 : | SECINFO_GROUP
640 : | SECINFO_DACL
641 : | SECINFO_PROTECTED_DACL
642 : | SECINFO_UNPROTECTED_DACL;
643 : struct security_descriptor *f_sd1;
644 2 : struct security_descriptor *d_sd1 = NULL;
645 : struct security_ace ace;
646 : struct dom_sid *extra_sid;
647 :
648 : /* Add some random component to the file name. */
649 2 : snprintf(dname, sizeof(dname), "session_reauth5_%s.d",
650 : generate_random_str(tctx, 8));
651 2 : snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
652 :
653 2 : ok = smb2_util_setup_dir(tctx, tree, dname);
654 2 : torture_assert(tctx, ok, "smb2_util_setup_dir not ok");
655 :
656 2 : status = torture_smb2_testdir(tree, dname, &_dh1);
657 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
658 : "torture_smb2_testdir failed");
659 2 : dh1 = &_dh1;
660 :
661 2 : smb2_oplock_create_share(&io1, fname,
662 : smb2_util_share_access(""),
663 2 : smb2_util_oplock_level("b"));
664 :
665 2 : status = smb2_create(tree, mem_ctx, &io1);
666 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
667 : "smb2_create failed");
668 2 : _h1 = io1.out.file.handle;
669 2 : h1 = &_h1;
670 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
671 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
672 : smb2_util_oplock_level("b"),
673 : "oplock_level incorrect");
674 :
675 : /* get the security descriptor */
676 :
677 2 : ZERO_STRUCT(qfinfo);
678 :
679 2 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
680 2 : qfinfo.query_secdesc.in.file.handle = _h1;
681 2 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
682 :
683 2 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
684 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
685 : "smb2_getinfo_file failed");
686 :
687 2 : f_sd1 = qfinfo.query_secdesc.out.sd;
688 :
689 : /* re-authenticate as anonymous */
690 :
691 2 : anon_creds = cli_credentials_init_anon(mem_ctx);
692 2 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
693 :
694 2 : status = smb2_session_setup_spnego(tree->session,
695 : anon_creds,
696 : 0 /* previous_session_id */);
697 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
698 : "smb2_session_setup_spnego failed");
699 :
700 : /* try to rename the file: fails */
701 :
702 2 : snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
703 :
704 2 : status = smb2_util_unlink(tree, fname2);
705 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
706 : "smb2_util_unlink failed");
707 :
708 :
709 0 : ZERO_STRUCT(sfinfo);
710 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
711 0 : sfinfo.rename_information.in.file.handle = _h1;
712 0 : sfinfo.rename_information.in.overwrite = true;
713 0 : sfinfo.rename_information.in.new_name = fname2;
714 :
715 0 : status = smb2_setinfo_file(tree, &sfinfo);
716 0 : torture_assert_ntstatus_equal_goto(tctx, status,
717 : NT_STATUS_ACCESS_DENIED,
718 : ret, done, "smb2_setinfo_file "
719 : "returned unexpected status");
720 :
721 : /* re-authenticate as original user again */
722 :
723 0 : status = smb2_session_setup_spnego(tree->session,
724 : samba_cmdline_get_creds(),
725 : 0 /* previous_session_id */);
726 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
727 : "smb2_session_setup_spnego failed");
728 :
729 : /* give full access on the file to anonymous */
730 :
731 0 : extra_sid = dom_sid_parse_talloc(tctx, SID_NT_ANONYMOUS);
732 :
733 0 : ZERO_STRUCT(ace);
734 0 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
735 0 : ace.flags = 0;
736 0 : ace.access_mask = SEC_RIGHTS_FILE_ALL;
737 0 : ace.trustee = *extra_sid;
738 :
739 0 : status = security_descriptor_dacl_add(f_sd1, &ace);
740 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
741 : "security_descriptor_dacl_add failed");
742 :
743 0 : ZERO_STRUCT(sfinfo);
744 0 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
745 0 : sfinfo.set_secdesc.in.file.handle = _h1;
746 0 : sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
747 0 : sfinfo.set_secdesc.in.sd = f_sd1;
748 :
749 0 : status = smb2_setinfo_file(tree, &sfinfo);
750 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
751 : "smb2_setinfo_file failed");
752 :
753 : /* re-get the security descriptor */
754 :
755 0 : ZERO_STRUCT(qfinfo);
756 :
757 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
758 0 : qfinfo.query_secdesc.in.file.handle = _h1;
759 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
760 :
761 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
762 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
763 : "smb2_getinfo_file failed");
764 :
765 : /* re-authenticate as anonymous - again */
766 :
767 0 : anon_creds = cli_credentials_init_anon(mem_ctx);
768 0 : torture_assert(tctx, (anon_creds != NULL), "talloc error");
769 :
770 0 : status = smb2_session_setup_spnego(tree->session,
771 : anon_creds,
772 : 0 /* previous_session_id */);
773 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
774 : "smb2_session_setup_spnego failed");
775 :
776 : /* try to rename the file: fails */
777 :
778 0 : ZERO_STRUCT(sfinfo);
779 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
780 0 : sfinfo.rename_information.in.file.handle = _h1;
781 0 : sfinfo.rename_information.in.overwrite = true;
782 0 : sfinfo.rename_information.in.new_name = fname2;
783 :
784 0 : status = smb2_setinfo_file(tree, &sfinfo);
785 0 : torture_assert_ntstatus_equal_goto(tctx, status,
786 : NT_STATUS_ACCESS_DENIED,
787 : ret, done, "smb2_setinfo_file "
788 : "returned unexpected status");
789 :
790 : /* give full access on the parent dir to anonymous */
791 :
792 0 : ZERO_STRUCT(qfinfo);
793 :
794 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
795 0 : qfinfo.query_secdesc.in.file.handle = _dh1;
796 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
797 :
798 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
799 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
800 : "smb2_getinfo_file failed");
801 :
802 0 : d_sd1 = qfinfo.query_secdesc.out.sd;
803 :
804 0 : ZERO_STRUCT(ace);
805 0 : ace.type = SEC_ACE_TYPE_ACCESS_ALLOWED;
806 0 : ace.flags = 0;
807 0 : ace.access_mask = SEC_RIGHTS_FILE_ALL;
808 0 : ace.trustee = *extra_sid;
809 :
810 0 : status = security_descriptor_dacl_add(d_sd1, &ace);
811 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
812 : "security_descriptor_dacl_add failed");
813 :
814 0 : ZERO_STRUCT(sfinfo);
815 0 : sfinfo.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
816 0 : sfinfo.set_secdesc.in.file.handle = _dh1;
817 0 : sfinfo.set_secdesc.in.secinfo_flags = secinfo_flags;
818 0 : sfinfo.set_secdesc.in.secinfo_flags = SECINFO_DACL;
819 0 : sfinfo.set_secdesc.in.sd = d_sd1;
820 :
821 0 : status = smb2_setinfo_file(tree, &sfinfo);
822 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
823 : "smb2_setinfo_file failed");
824 :
825 0 : ZERO_STRUCT(qfinfo);
826 :
827 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
828 0 : qfinfo.query_secdesc.in.file.handle = _dh1;
829 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
830 :
831 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
832 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
833 : "smb2_getinfo_file failed");
834 :
835 0 : status = smb2_util_close(tree, _dh1);
836 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
837 : "smb2_util_close failed");
838 0 : dh1 = NULL;
839 :
840 : /* try to rename the file: still fails */
841 :
842 0 : ZERO_STRUCT(sfinfo);
843 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
844 0 : sfinfo.rename_information.in.file.handle = _h1;
845 0 : sfinfo.rename_information.in.overwrite = true;
846 0 : sfinfo.rename_information.in.new_name = fname2;
847 :
848 0 : status = smb2_setinfo_file(tree, &sfinfo);
849 0 : torture_assert_ntstatus_equal_goto(tctx, status,
850 : NT_STATUS_ACCESS_DENIED,
851 : ret, done, "smb2_setinfo_file "
852 : "returned unexpected status");
853 :
854 : /* re-authenticate as original user - again */
855 :
856 0 : status = smb2_session_setup_spnego(tree->session,
857 : samba_cmdline_get_creds(),
858 : 0 /* previous_session_id */);
859 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
860 : "smb2_session_setup_spnego failed");
861 :
862 : /* rename the file - for verification that it works */
863 :
864 0 : ZERO_STRUCT(sfinfo);
865 0 : sfinfo.rename_information.level = RAW_SFILEINFO_RENAME_INFORMATION;
866 0 : sfinfo.rename_information.in.file.handle = _h1;
867 0 : sfinfo.rename_information.in.overwrite = true;
868 0 : sfinfo.rename_information.in.new_name = fname2;
869 :
870 0 : status = smb2_setinfo_file(tree, &sfinfo);
871 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
872 : "smb2_setinfo_file failed");
873 :
874 : /* closs the file, check it is gone and reopen under the new name */
875 :
876 0 : status = smb2_util_close(tree, _h1);
877 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
878 : "smb2_util_close failed");
879 0 : ZERO_STRUCT(io1);
880 :
881 0 : smb2_generic_create_share(&io1,
882 : NULL /* lease */, false /* dir */,
883 : fname,
884 : NTCREATEX_DISP_OPEN,
885 : smb2_util_share_access(""),
886 0 : smb2_util_oplock_level("b"),
887 : 0 /* leasekey */, 0 /* leasestate */);
888 :
889 0 : status = smb2_create(tree, mem_ctx, &io1);
890 0 : torture_assert_ntstatus_equal_goto(tctx, status,
891 : NT_STATUS_OBJECT_NAME_NOT_FOUND,
892 : ret, done, "smb2_create "
893 : "returned unexpected status");
894 :
895 0 : ZERO_STRUCT(io1);
896 :
897 0 : smb2_generic_create_share(&io1,
898 : NULL /* lease */, false /* dir */,
899 : fname2,
900 : NTCREATEX_DISP_OPEN,
901 : smb2_util_share_access(""),
902 0 : smb2_util_oplock_level("b"),
903 : 0 /* leasekey */, 0 /* leasestate */);
904 :
905 0 : status = smb2_create(tree, mem_ctx, &io1);
906 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
907 : "smb2_create failed");
908 0 : _h1 = io1.out.file.handle;
909 0 : h1 = &_h1;
910 0 : CHECK_CREATED(tctx, &io1, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
911 0 : torture_assert_int_equal(tctx, io1.out.oplock_level,
912 : smb2_util_oplock_level("b"),
913 : "oplock_level incorrect");
914 :
915 : /* try to access the file via the old handle */
916 :
917 0 : ZERO_STRUCT(qfinfo);
918 :
919 0 : qfinfo.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
920 0 : qfinfo.query_secdesc.in.file.handle = _h1;
921 0 : qfinfo.query_secdesc.in.secinfo_flags = secinfo_flags;
922 :
923 0 : status = smb2_getinfo_file(tree, mem_ctx, &qfinfo);
924 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
925 : "smb2_getinfo_file failed");
926 :
927 2 : done:
928 2 : if (dh1 != NULL) {
929 2 : smb2_util_close(tree, *dh1);
930 : }
931 2 : if (h1 != NULL) {
932 2 : smb2_util_close(tree, *h1);
933 : }
934 :
935 2 : smb2_deltree(tree, dname);
936 :
937 2 : talloc_free(tree);
938 :
939 2 : talloc_free(mem_ctx);
940 :
941 2 : return ret;
942 : }
943 :
944 : /**
945 : * do reauth with wrong credentials,
946 : * hence triggering the error path in reauth.
947 : * The invalid reauth deletes the session.
948 : */
949 2 : bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree)
950 : {
951 : NTSTATUS status;
952 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
953 : char fname[256];
954 : struct smb2_handle _h1;
955 2 : struct smb2_handle *h1 = NULL;
956 : struct smb2_create io1;
957 2 : bool ret = true;
958 : char *corrupted_password;
959 : struct cli_credentials *broken_creds;
960 : bool ok;
961 : bool encrypted;
962 : NTSTATUS expected;
963 : enum credentials_use_kerberos krb_state;
964 :
965 2 : krb_state = cli_credentials_get_kerberos_state(
966 : samba_cmdline_get_creds());
967 2 : if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
968 2 : torture_skip(tctx,
969 : "Can't test failing session setup with kerberos.");
970 : }
971 :
972 0 : encrypted = smb2cli_tcon_is_encryption_on(tree->smbXcli);
973 :
974 : /* Add some random component to the file name. */
975 0 : snprintf(fname, sizeof(fname), "session_reauth1_%s.dat",
976 : generate_random_str(tctx, 8));
977 :
978 0 : smb2_util_unlink(tree, fname);
979 :
980 0 : smb2_oplock_create_share(&io1, fname,
981 : smb2_util_share_access(""),
982 0 : smb2_util_oplock_level("b"));
983 0 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
984 :
985 0 : status = smb2_create(tree, mem_ctx, &io1);
986 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
987 : "smb2_create failed");
988 0 : _h1 = io1.out.file.handle;
989 0 : h1 = &_h1;
990 0 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
991 0 : torture_assert_int_equal(tctx, io1.out.oplock_level,
992 : smb2_util_oplock_level("b"),
993 : "oplock_level incorrect");
994 :
995 : /*
996 : * reauthentication with invalid credentials:
997 : */
998 :
999 0 : broken_creds = cli_credentials_shallow_copy(mem_ctx,
1000 : samba_cmdline_get_creds());
1001 0 : torture_assert(tctx, (broken_creds != NULL), "talloc error");
1002 :
1003 0 : corrupted_password = talloc_asprintf(mem_ctx, "%s%s",
1004 : cli_credentials_get_password(broken_creds),
1005 : "corrupt");
1006 0 : torture_assert(tctx, (corrupted_password != NULL), "talloc error");
1007 :
1008 0 : ok = cli_credentials_set_password(broken_creds, corrupted_password,
1009 : CRED_SPECIFIED);
1010 0 : torture_assert(tctx, ok, "cli_credentials_set_password not ok");
1011 :
1012 0 : status = smb2_session_setup_spnego(tree->session,
1013 : broken_creds,
1014 : 0 /* previous_session_id */);
1015 0 : torture_assert_ntstatus_equal_goto(tctx, status,
1016 : NT_STATUS_LOGON_FAILURE, ret, done,
1017 : "smb2_session_setup_spnego "
1018 : "returned unexpected status");
1019 :
1020 0 : torture_comment(tctx, "did failed reauth\n");
1021 : /*
1022 : * now verify that the invalid session reauth has closed our session
1023 : */
1024 :
1025 0 : if (encrypted) {
1026 0 : expected = NT_STATUS_CONNECTION_DISCONNECTED;
1027 : } else {
1028 0 : expected = NT_STATUS_USER_SESSION_DELETED;
1029 : }
1030 :
1031 0 : smb2_oplock_create_share(&io1, fname,
1032 : smb2_util_share_access(""),
1033 0 : smb2_util_oplock_level("b"));
1034 :
1035 0 : status = smb2_create(tree, mem_ctx, &io1);
1036 0 : torture_assert_ntstatus_equal_goto(tctx, status, expected,
1037 : ret, done, "smb2_create "
1038 : "returned unexpected status");
1039 :
1040 0 : done:
1041 0 : if (h1 != NULL) {
1042 0 : smb2_util_close(tree, *h1);
1043 : }
1044 :
1045 0 : smb2_util_unlink(tree, fname);
1046 :
1047 0 : talloc_free(tree);
1048 :
1049 0 : talloc_free(mem_ctx);
1050 :
1051 0 : return ret;
1052 : }
1053 :
1054 :
1055 6 : static bool test_session_expire1i(struct torture_context *tctx,
1056 : bool force_signing,
1057 : bool force_encryption)
1058 : {
1059 : NTSTATUS status;
1060 6 : bool ret = false;
1061 : struct smbcli_options options;
1062 6 : const char *host = torture_setting_string(tctx, "host", NULL);
1063 6 : const char *share = torture_setting_string(tctx, "share", NULL);
1064 6 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1065 6 : struct smb2_tree *tree = NULL;
1066 : enum credentials_use_kerberos use_kerberos;
1067 : char fname[256];
1068 : struct smb2_handle _h1;
1069 6 : struct smb2_handle *h1 = NULL;
1070 : struct smb2_create io1;
1071 : union smb_fileinfo qfinfo;
1072 : size_t i;
1073 :
1074 6 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1075 6 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1076 0 : torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
1077 0 : torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
1078 : }
1079 :
1080 6 : torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
1081 : "please use -k yes");
1082 :
1083 6 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1084 :
1085 6 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
1086 :
1087 6 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1088 6 : if (force_signing) {
1089 4 : options.signing = SMB_SIGNING_REQUIRED;
1090 : }
1091 :
1092 6 : status = smb2_connect(tctx,
1093 : host,
1094 : lpcfg_smb_ports(tctx->lp_ctx),
1095 : share,
1096 : lpcfg_resolve_context(tctx->lp_ctx),
1097 : credentials,
1098 : &tree,
1099 : tctx->ev,
1100 : &options,
1101 : lpcfg_socket_options(tctx->lp_ctx),
1102 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1103 : );
1104 6 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1105 : "smb2_connect failed");
1106 :
1107 6 : if (force_encryption) {
1108 2 : status = smb2cli_session_encryption_on(tree->session->smbXcli);
1109 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1110 : "smb2cli_session_encryption_on failed");
1111 : }
1112 :
1113 : /* Add some random component to the file name. */
1114 6 : snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1115 : generate_random_str(tctx, 8));
1116 :
1117 6 : smb2_util_unlink(tree, fname);
1118 :
1119 6 : smb2_oplock_create_share(&io1, fname,
1120 : smb2_util_share_access(""),
1121 6 : smb2_util_oplock_level("b"));
1122 6 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1123 :
1124 6 : status = smb2_create(tree, tctx, &io1);
1125 6 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1126 : "smb2_create failed");
1127 6 : _h1 = io1.out.file.handle;
1128 6 : h1 = &_h1;
1129 6 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1130 6 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1131 : smb2_util_oplock_level("b"),
1132 : "oplock_level incorrect");
1133 :
1134 : /* get the security descriptor */
1135 :
1136 6 : ZERO_STRUCT(qfinfo);
1137 :
1138 6 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1139 6 : qfinfo.access_information.in.file.handle = _h1;
1140 :
1141 18 : for (i=0; i < 2; i++) {
1142 12 : torture_comment(tctx, "query info => OK\n");
1143 :
1144 12 : ZERO_STRUCT(qfinfo.access_information.out);
1145 12 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1146 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1147 : "smb2_getinfo_file failed");
1148 :
1149 12 : torture_comment(tctx, "sleep 10 seconds\n");
1150 12 : smb_msleep(10*1000);
1151 :
1152 12 : torture_comment(tctx, "query info => EXPIRED\n");
1153 12 : ZERO_STRUCT(qfinfo.access_information.out);
1154 12 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1155 12 : torture_assert_ntstatus_equal_goto(tctx, status,
1156 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1157 : ret, done, "smb2_getinfo_file "
1158 : "returned unexpected status");
1159 :
1160 : /*
1161 : * the krb5 library may not handle expired creds
1162 : * well, lets start with an empty ccache.
1163 : */
1164 12 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1165 :
1166 12 : if (!force_encryption) {
1167 8 : smb2cli_session_require_signed_response(
1168 8 : tree->session->smbXcli, true);
1169 : }
1170 :
1171 12 : torture_comment(tctx, "reauth => OK\n");
1172 12 : status = smb2_session_setup_spnego(tree->session,
1173 : credentials,
1174 : 0 /* previous_session_id */);
1175 12 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1176 : "smb2_session_setup_spnego failed");
1177 :
1178 12 : smb2cli_session_require_signed_response(
1179 12 : tree->session->smbXcli, false);
1180 : }
1181 :
1182 6 : ZERO_STRUCT(qfinfo.access_information.out);
1183 6 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1184 6 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1185 : "smb2_getinfo_file failed");
1186 :
1187 6 : ret = true;
1188 6 : done:
1189 6 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1190 :
1191 6 : if (h1 != NULL) {
1192 6 : smb2_util_close(tree, *h1);
1193 : }
1194 :
1195 6 : talloc_free(tree);
1196 6 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
1197 6 : return ret;
1198 : }
1199 :
1200 2 : static bool test_session_expire1n(struct torture_context *tctx)
1201 : {
1202 2 : return test_session_expire1i(tctx,
1203 : false, /* force_signing */
1204 : false); /* force_encryption */
1205 : }
1206 :
1207 2 : static bool test_session_expire1s(struct torture_context *tctx)
1208 : {
1209 2 : return test_session_expire1i(tctx,
1210 : true, /* force_signing */
1211 : false); /* force_encryption */
1212 : }
1213 :
1214 2 : static bool test_session_expire1e(struct torture_context *tctx)
1215 : {
1216 2 : return test_session_expire1i(tctx,
1217 : true, /* force_signing */
1218 : true); /* force_encryption */
1219 : }
1220 :
1221 4 : static bool test_session_expire2i(struct torture_context *tctx,
1222 : bool force_encryption)
1223 : {
1224 : NTSTATUS status;
1225 4 : bool ret = false;
1226 : struct smbcli_options options;
1227 4 : const char *host = torture_setting_string(tctx, "host", NULL);
1228 4 : const char *share = torture_setting_string(tctx, "share", NULL);
1229 4 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1230 4 : struct smb2_tree *tree = NULL;
1231 4 : const char *unc = NULL;
1232 4 : struct smb2_tree *tree2 = NULL;
1233 4 : struct tevent_req *subreq = NULL;
1234 : uint32_t timeout_msec;
1235 : enum credentials_use_kerberos use_kerberos;
1236 : uint32_t caps;
1237 : char fname[256];
1238 : struct smb2_handle dh;
1239 : struct smb2_handle dh2;
1240 : struct smb2_handle _h1;
1241 4 : struct smb2_handle *h1 = NULL;
1242 : struct smb2_create io1;
1243 : union smb_fileinfo qfinfo;
1244 : union smb_setfileinfo sfinfo;
1245 : struct smb2_flush flsh;
1246 : struct smb2_read rd;
1247 4 : const uint8_t wd = 0;
1248 : struct smb2_lock lck;
1249 : struct smb2_lock_element el;
1250 : struct smb2_ioctl ctl;
1251 : struct smb2_break oack;
1252 : struct smb2_lease_break_ack lack;
1253 : struct smb2_find fnd;
1254 4 : union smb_search_data *d = NULL;
1255 : unsigned int count;
1256 4 : struct smb2_request *req = NULL;
1257 : struct smb2_notify ntf1;
1258 : struct smb2_notify ntf2;
1259 :
1260 4 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1261 4 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1262 0 : torture_warning(tctx, "smb2.session.expire2 requires -k yes!");
1263 0 : torture_skip(tctx, "smb2.session.expire2 requires -k yes!");
1264 : }
1265 :
1266 4 : torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
1267 : "please use -k yes");
1268 :
1269 4 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1270 :
1271 4 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
1272 :
1273 4 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1274 4 : options.signing = SMB_SIGNING_REQUIRED;
1275 :
1276 4 : unc = talloc_asprintf(tctx, "\\\\%s\\%s", host, share);
1277 4 : torture_assert(tctx, unc != NULL, "talloc_asprintf");
1278 :
1279 4 : status = smb2_connect(tctx,
1280 : host,
1281 : lpcfg_smb_ports(tctx->lp_ctx),
1282 : share,
1283 : lpcfg_resolve_context(tctx->lp_ctx),
1284 : credentials,
1285 : &tree,
1286 : tctx->ev,
1287 : &options,
1288 : lpcfg_socket_options(tctx->lp_ctx),
1289 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1290 : );
1291 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1292 : "smb2_connect failed");
1293 :
1294 4 : if (force_encryption) {
1295 2 : status = smb2cli_session_encryption_on(tree->session->smbXcli);
1296 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1297 : "smb2cli_session_encryption_on failed");
1298 : }
1299 :
1300 4 : caps = smb2cli_conn_server_capabilities(tree->session->transport->conn);
1301 :
1302 : /* Add some random component to the file name. */
1303 4 : snprintf(fname, sizeof(fname), "session_expire2_%s.dat",
1304 : generate_random_str(tctx, 8));
1305 :
1306 4 : smb2_util_unlink(tree, fname);
1307 :
1308 4 : status = smb2_util_roothandle(tree, &dh);
1309 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1310 : "smb2_util_roothandle failed");
1311 :
1312 4 : smb2_oplock_create_share(&io1, fname,
1313 : smb2_util_share_access(""),
1314 4 : smb2_util_oplock_level("b"));
1315 4 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1316 :
1317 4 : status = smb2_create(tree, tctx, &io1);
1318 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1319 : "smb2_create failed");
1320 4 : _h1 = io1.out.file.handle;
1321 4 : h1 = &_h1;
1322 4 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1323 4 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1324 : smb2_util_oplock_level("b"),
1325 : "oplock_level incorrect");
1326 :
1327 : /* get the security descriptor */
1328 :
1329 4 : ZERO_STRUCT(qfinfo);
1330 :
1331 4 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1332 4 : qfinfo.access_information.in.file.handle = _h1;
1333 :
1334 4 : torture_comment(tctx, "query info => OK\n");
1335 :
1336 4 : ZERO_STRUCT(qfinfo.access_information.out);
1337 4 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1338 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1339 : "smb2_getinfo_file failed");
1340 :
1341 4 : torture_comment(tctx, "lock => OK\n");
1342 4 : ZERO_STRUCT(lck);
1343 4 : lck.in.locks = ⪙
1344 4 : lck.in.lock_count = 0x0001;
1345 4 : lck.in.lock_sequence = 0x00000000;
1346 4 : lck.in.file.handle = *h1;
1347 4 : ZERO_STRUCT(el);
1348 4 : el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1349 : SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1350 4 : el.offset = 0x0000000000000000;
1351 4 : el.length = 0x0000000000000001;
1352 4 : status = smb2_lock(tree, &lck);
1353 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1354 : "smb2_lock lock failed");
1355 :
1356 4 : torture_comment(tctx, "1st notify => PENDING\n");
1357 4 : ZERO_STRUCT(ntf1);
1358 4 : ntf1.in.file.handle = dh;
1359 4 : ntf1.in.recursive = 0x0000;
1360 4 : ntf1.in.buffer_size = 128;
1361 4 : ntf1.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1362 4 : ntf1.in.unknown = 0x00000000;
1363 4 : req = smb2_notify_send(tree, &ntf1);
1364 :
1365 12 : while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) {
1366 16 : if (tevent_loop_once(tctx->ev) != 0) {
1367 0 : break;
1368 : }
1369 : }
1370 :
1371 4 : torture_assert_goto(tctx, req->state <= SMB2_REQUEST_RECV, ret, done,
1372 : "smb2_notify finished");
1373 :
1374 4 : torture_comment(tctx, "sleep 10 seconds\n");
1375 4 : smb_msleep(10*1000);
1376 :
1377 4 : torture_comment(tctx, "query info => EXPIRED\n");
1378 4 : ZERO_STRUCT(qfinfo.access_information.out);
1379 4 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1380 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1381 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1382 : ret, done, "smb2_getinfo_file "
1383 : "returned unexpected status");
1384 :
1385 :
1386 4 : torture_comment(tctx, "set info => EXPIRED\n");
1387 4 : ZERO_STRUCT(sfinfo);
1388 4 : sfinfo.end_of_file_info.level = RAW_SFILEINFO_END_OF_FILE_INFORMATION;
1389 4 : sfinfo.end_of_file_info.in.file.handle = *h1;
1390 4 : sfinfo.end_of_file_info.in.size = 1;
1391 4 : status = smb2_setinfo_file(tree, &sfinfo);
1392 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1393 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1394 : ret, done, "smb2_setinfo_file "
1395 : "returned unexpected status");
1396 :
1397 4 : torture_comment(tctx, "flush => EXPIRED\n");
1398 4 : ZERO_STRUCT(flsh);
1399 4 : flsh.in.file.handle = *h1;
1400 4 : status = smb2_flush(tree, &flsh);
1401 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1402 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1403 : ret, done, "smb2_flush "
1404 : "returned unexpected status");
1405 :
1406 4 : torture_comment(tctx, "read => EXPIRED\n");
1407 4 : ZERO_STRUCT(rd);
1408 4 : rd.in.file.handle = *h1;
1409 4 : rd.in.length = 5;
1410 4 : rd.in.offset = 0;
1411 4 : status = smb2_read(tree, tctx, &rd);
1412 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1413 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1414 : ret, done, "smb2_read "
1415 : "returned unexpected status");
1416 :
1417 4 : torture_comment(tctx, "write => EXPIRED\n");
1418 4 : status = smb2_util_write(tree, *h1, &wd, 0, 1);
1419 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1420 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1421 : ret, done, "smb2_util_write "
1422 : "returned unexpected status");
1423 :
1424 4 : torture_comment(tctx, "ioctl => EXPIRED\n");
1425 4 : ZERO_STRUCT(ctl);
1426 4 : ctl.in.file.handle = *h1;
1427 4 : ctl.in.function = FSCTL_SRV_ENUM_SNAPS;
1428 4 : ctl.in.max_output_response = 16;
1429 4 : ctl.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL;
1430 4 : status = smb2_ioctl(tree, tctx, &ctl);
1431 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1432 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1433 : ret, done, "smb2_ioctl "
1434 : "returned unexpected status");
1435 :
1436 4 : torture_comment(tctx, "oplock ack => EXPIRED\n");
1437 4 : ZERO_STRUCT(oack);
1438 4 : oack.in.file.handle = *h1;
1439 4 : status = smb2_break(tree, &oack);
1440 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1441 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1442 : ret, done, "smb2_break "
1443 : "returned unexpected status");
1444 :
1445 4 : if (caps & SMB2_CAP_LEASING) {
1446 4 : torture_comment(tctx, "lease ack => EXPIRED\n");
1447 4 : ZERO_STRUCT(lack);
1448 4 : lack.in.lease.lease_version = 1;
1449 4 : lack.in.lease.lease_key.data[0] = 1;
1450 4 : lack.in.lease.lease_key.data[1] = 2;
1451 4 : status = smb2_lease_break_ack(tree, &lack);
1452 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1453 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1454 : ret, done, "smb2_break "
1455 : "returned unexpected status");
1456 : }
1457 :
1458 4 : torture_comment(tctx, "query directory => EXPIRED\n");
1459 4 : ZERO_STRUCT(fnd);
1460 4 : fnd.in.file.handle = dh;
1461 4 : fnd.in.pattern = "*";
1462 4 : fnd.in.continue_flags = SMB2_CONTINUE_FLAG_SINGLE;
1463 4 : fnd.in.max_response_size= 0x100;
1464 4 : fnd.in.level = SMB2_FIND_BOTH_DIRECTORY_INFO;
1465 4 : status = smb2_find_level(tree, tree, &fnd, &count, &d);
1466 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1467 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1468 : ret, done, "smb2_find_level "
1469 : "returned unexpected status");
1470 :
1471 4 : torture_comment(tctx, "1st notify => CANCEL\n");
1472 4 : smb2_cancel(req);
1473 :
1474 4 : torture_comment(tctx, "2nd notify => EXPIRED\n");
1475 4 : ZERO_STRUCT(ntf2);
1476 4 : ntf2.in.file.handle = dh;
1477 4 : ntf2.in.recursive = 0x0000;
1478 4 : ntf2.in.buffer_size = 128;
1479 4 : ntf2.in.completion_filter= FILE_NOTIFY_CHANGE_ATTRIBUTES;
1480 4 : ntf2.in.unknown = 0x00000000;
1481 4 : status = smb2_notify(tree, tctx, &ntf2);
1482 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1483 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1484 : ret, done, "smb2_notify "
1485 : "returned unexpected status");
1486 :
1487 4 : torture_assert_goto(tctx, req->state > SMB2_REQUEST_RECV, ret, done,
1488 : "smb2_notify (1st) not finished");
1489 :
1490 4 : status = smb2_notify_recv(req, tctx, &ntf1);
1491 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1492 : NT_STATUS_CANCELLED,
1493 : ret, done, "smb2_notify cancelled"
1494 : "returned unexpected status");
1495 :
1496 4 : torture_comment(tctx, "tcon => EXPIRED\n");
1497 4 : tree2 = smb2_tree_init(tree->session, tctx, false);
1498 4 : torture_assert(tctx, tree2 != NULL, "smb2_tree_init");
1499 4 : timeout_msec = tree->session->transport->options.request_timeout * 1000;
1500 8 : subreq = smb2cli_tcon_send(tree2, tctx->ev,
1501 4 : tree2->session->transport->conn,
1502 : timeout_msec,
1503 4 : tree2->session->smbXcli,
1504 : tree2->smbXcli,
1505 : 0, /* flags */
1506 : unc);
1507 4 : torture_assert(tctx, subreq != NULL, "smb2cli_tcon_send");
1508 4 : torture_assert(tctx,
1509 : tevent_req_poll_ntstatus(subreq, tctx->ev, &status),
1510 : "tevent_req_poll_ntstatus");
1511 4 : status = smb2cli_tcon_recv(subreq);
1512 4 : TALLOC_FREE(subreq);
1513 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1514 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1515 : ret, done, "smb2cli_tcon"
1516 : "returned unexpected status");
1517 :
1518 4 : torture_comment(tctx, "create => EXPIRED\n");
1519 4 : status = smb2_util_roothandle(tree, &dh2);
1520 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1521 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1522 : ret, done, "smb2_util_roothandle"
1523 : "returned unexpected status");
1524 :
1525 4 : torture_comment(tctx, "tdis => EXPIRED\n");
1526 4 : status = smb2_tdis(tree);
1527 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1528 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1529 : ret, done, "smb2cli_tdis"
1530 : "returned unexpected status");
1531 :
1532 : /*
1533 : * (Un)Lock, Close and Logoff are still possible
1534 : */
1535 :
1536 4 : torture_comment(tctx, "1st unlock => OK\n");
1537 4 : el.flags = SMB2_LOCK_FLAG_UNLOCK;
1538 4 : status = smb2_lock(tree, &lck);
1539 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1540 : "smb2_lock unlock failed");
1541 :
1542 4 : torture_comment(tctx, "2nd unlock => RANGE_NOT_LOCKED\n");
1543 4 : status = smb2_lock(tree, &lck);
1544 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1545 : NT_STATUS_RANGE_NOT_LOCKED,
1546 : ret, done, "smb2_lock 2nd unlock"
1547 : "returned unexpected status");
1548 :
1549 4 : torture_comment(tctx, "lock => EXPIRED\n");
1550 4 : el.flags = SMB2_LOCK_FLAG_EXCLUSIVE |
1551 : SMB2_LOCK_FLAG_FAIL_IMMEDIATELY;
1552 4 : status = smb2_lock(tree, &lck);
1553 4 : torture_assert_ntstatus_equal_goto(tctx, status,
1554 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1555 : ret, done, "smb2_util_roothandle"
1556 : "returned unexpected status");
1557 :
1558 4 : torture_comment(tctx, "close => OK\n");
1559 4 : status = smb2_util_close(tree, *h1);
1560 4 : h1 = NULL;
1561 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1562 : "smb2_close failed");
1563 :
1564 4 : torture_comment(tctx, "echo without session => OK\n");
1565 4 : status = smb2_keepalive(tree->session->transport);
1566 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1567 : "smb2_keepalive without session failed");
1568 :
1569 4 : torture_comment(tctx, "echo with session => OK\n");
1570 4 : req = smb2_keepalive_send(tree->session->transport, tree->session);
1571 4 : status = smb2_keepalive_recv(req);
1572 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1573 : "smb2_keepalive with session failed");
1574 :
1575 4 : torture_comment(tctx, "logoff => OK\n");
1576 4 : status = smb2_logoff(tree->session);
1577 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1578 : "smb2_logoff failed");
1579 :
1580 4 : ret = true;
1581 4 : done:
1582 4 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1583 :
1584 4 : if (h1 != NULL) {
1585 0 : smb2_util_close(tree, *h1);
1586 : }
1587 :
1588 4 : talloc_free(tree);
1589 4 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
1590 4 : return ret;
1591 : }
1592 :
1593 2 : static bool test_session_expire2s(struct torture_context *tctx)
1594 : {
1595 2 : return test_session_expire2i(tctx,
1596 : false); /* force_encryption */
1597 : }
1598 :
1599 2 : static bool test_session_expire2e(struct torture_context *tctx)
1600 : {
1601 2 : return test_session_expire2i(tctx,
1602 : true); /* force_encryption */
1603 : }
1604 :
1605 2 : static bool test_session_expire_disconnect(struct torture_context *tctx)
1606 : {
1607 : NTSTATUS status;
1608 2 : bool ret = false;
1609 : struct smbcli_options options;
1610 2 : const char *host = torture_setting_string(tctx, "host", NULL);
1611 2 : const char *share = torture_setting_string(tctx, "share", NULL);
1612 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1613 2 : struct smb2_tree *tree = NULL;
1614 : enum credentials_use_kerberos use_kerberos;
1615 : char fname[256];
1616 : struct smb2_handle _h1;
1617 2 : struct smb2_handle *h1 = NULL;
1618 : struct smb2_create io1;
1619 : union smb_fileinfo qfinfo;
1620 : bool connected;
1621 :
1622 2 : use_kerberos = cli_credentials_get_kerberos_state(credentials);
1623 2 : if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
1624 0 : torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
1625 0 : torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
1626 : }
1627 :
1628 2 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1629 :
1630 2 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
1631 2 : lpcfg_smbcli_options(tctx->lp_ctx, &options);
1632 2 : options.signing = SMB_SIGNING_REQUIRED;
1633 :
1634 2 : status = smb2_connect(tctx,
1635 : host,
1636 : lpcfg_smb_ports(tctx->lp_ctx),
1637 : share,
1638 : lpcfg_resolve_context(tctx->lp_ctx),
1639 : credentials,
1640 : &tree,
1641 : tctx->ev,
1642 : &options,
1643 : lpcfg_socket_options(tctx->lp_ctx),
1644 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1645 : );
1646 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1647 : "smb2_connect failed");
1648 :
1649 2 : smbXcli_session_set_disconnect_expired(tree->session->smbXcli);
1650 :
1651 : /* Add some random component to the file name. */
1652 2 : snprintf(fname, sizeof(fname), "session_expire1_%s.dat",
1653 : generate_random_str(tctx, 8));
1654 :
1655 2 : smb2_util_unlink(tree, fname);
1656 :
1657 2 : smb2_oplock_create_share(&io1, fname,
1658 : smb2_util_share_access(""),
1659 2 : smb2_util_oplock_level("b"));
1660 2 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
1661 :
1662 2 : status = smb2_create(tree, tctx, &io1);
1663 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1664 : "smb2_create failed");
1665 2 : _h1 = io1.out.file.handle;
1666 2 : h1 = &_h1;
1667 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1668 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1669 : smb2_util_oplock_level("b"),
1670 : "oplock_level incorrect");
1671 :
1672 : /* get the security descriptor */
1673 :
1674 2 : ZERO_STRUCT(qfinfo);
1675 :
1676 2 : qfinfo.access_information.level = RAW_FILEINFO_ACCESS_INFORMATION;
1677 2 : qfinfo.access_information.in.file.handle = _h1;
1678 :
1679 2 : torture_comment(tctx, "query info => OK\n");
1680 :
1681 2 : ZERO_STRUCT(qfinfo.access_information.out);
1682 2 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1683 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1684 : "smb2_getinfo_file failed");
1685 :
1686 2 : torture_comment(tctx, "sleep 10 seconds\n");
1687 2 : smb_msleep(10*1000);
1688 :
1689 2 : torture_comment(tctx, "query info => EXPIRED\n");
1690 2 : ZERO_STRUCT(qfinfo.access_information.out);
1691 2 : status = smb2_getinfo_file(tree, tctx, &qfinfo);
1692 2 : torture_assert_ntstatus_equal_goto(tctx, status,
1693 : NT_STATUS_NETWORK_SESSION_EXPIRED,
1694 : ret, done, "smb2_getinfo_file "
1695 : "returned unexpected status");
1696 :
1697 2 : connected = smbXcli_conn_is_connected(tree->session->transport->conn);
1698 2 : torture_assert_goto(tctx, !connected, ret, done, "connected\n");
1699 :
1700 2 : ret = true;
1701 2 : done:
1702 2 : cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
1703 :
1704 2 : if (h1 != NULL) {
1705 2 : smb2_util_close(tree, *h1);
1706 : }
1707 :
1708 2 : talloc_free(tree);
1709 2 : lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=0");
1710 2 : return ret;
1711 : }
1712 :
1713 2 : bool test_session_bind1(struct torture_context *tctx, struct smb2_tree *tree1)
1714 : {
1715 2 : const char *host = torture_setting_string(tctx, "host", NULL);
1716 2 : const char *share = torture_setting_string(tctx, "share", NULL);
1717 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1718 : NTSTATUS status;
1719 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
1720 : char fname[256];
1721 : struct smb2_handle _h1;
1722 2 : struct smb2_handle *h1 = NULL;
1723 : struct smb2_create io1;
1724 : union smb_fileinfo qfinfo;
1725 2 : bool ret = false;
1726 2 : struct smb2_tree *tree2 = NULL;
1727 2 : struct smb2_transport *transport1 = tree1->session->transport;
1728 : struct smbcli_options options2;
1729 2 : struct smb2_transport *transport2 = NULL;
1730 2 : struct smb2_session *session1_1 = tree1->session;
1731 2 : struct smb2_session *session1_2 = NULL;
1732 2 : struct smb2_session *session2_1 = NULL;
1733 2 : struct smb2_session *session2_2 = NULL;
1734 : uint32_t caps;
1735 :
1736 2 : caps = smb2cli_conn_server_capabilities(transport1->conn);
1737 2 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
1738 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
1739 : }
1740 :
1741 : /*
1742 : * We always want signing for this test!
1743 : */
1744 2 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
1745 2 : options2 = transport1->options;
1746 2 : options2.signing = SMB_SIGNING_REQUIRED;
1747 :
1748 : /* Add some random component to the file name. */
1749 2 : snprintf(fname, sizeof(fname), "session_bind1_%s.dat",
1750 : generate_random_str(tctx, 8));
1751 :
1752 2 : smb2_util_unlink(tree1, fname);
1753 :
1754 2 : smb2_oplock_create_share(&io1, fname,
1755 : smb2_util_share_access(""),
1756 2 : smb2_util_oplock_level("b"));
1757 :
1758 2 : status = smb2_create(tree1, mem_ctx, &io1);
1759 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1760 : "smb2_create failed");
1761 2 : _h1 = io1.out.file.handle;
1762 2 : h1 = &_h1;
1763 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1764 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
1765 : smb2_util_oplock_level("b"),
1766 : "oplock_level incorrect");
1767 :
1768 2 : status = smb2_connect(tctx,
1769 : host,
1770 : lpcfg_smb_ports(tctx->lp_ctx),
1771 : share,
1772 : lpcfg_resolve_context(tctx->lp_ctx),
1773 : credentials,
1774 : &tree2,
1775 : tctx->ev,
1776 : &options2,
1777 : lpcfg_socket_options(tctx->lp_ctx),
1778 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1779 : );
1780 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1781 : "smb2_connect failed");
1782 2 : session2_2 = tree2->session;
1783 2 : transport2 = tree2->session->transport;
1784 :
1785 : /*
1786 : * Now bind the 2nd transport connection to the 1st session
1787 : */
1788 2 : session1_2 = smb2_session_channel(transport2,
1789 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1790 : tree2,
1791 : session1_1);
1792 2 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
1793 :
1794 2 : status = smb2_session_setup_spnego(session1_2,
1795 : samba_cmdline_get_creds(),
1796 : 0 /* previous_session_id */);
1797 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1798 : "smb2_session_setup_spnego failed");
1799 :
1800 : /* use the 1st connection, 1st session */
1801 2 : ZERO_STRUCT(qfinfo);
1802 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1803 2 : qfinfo.generic.in.file.handle = _h1;
1804 2 : tree1->session = session1_1;
1805 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1806 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1807 : "smb2_getinfo_file failed");
1808 :
1809 : /* use the 2nd connection, 1st session */
1810 2 : ZERO_STRUCT(qfinfo);
1811 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
1812 2 : qfinfo.generic.in.file.handle = _h1;
1813 2 : tree1->session = session1_2;
1814 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
1815 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1816 : "smb2_getinfo_file failed");
1817 :
1818 2 : tree1->session = session1_1;
1819 2 : status = smb2_util_close(tree1, *h1);
1820 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1821 : "smb2_util_close failed");
1822 2 : h1 = NULL;
1823 :
1824 : /*
1825 : * Now bind the 1st transport connection to the 2nd session
1826 : */
1827 2 : session2_1 = smb2_session_channel(transport1,
1828 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1829 : tree1,
1830 : session2_2);
1831 2 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
1832 :
1833 2 : status = smb2_session_setup_spnego(session2_1,
1834 : samba_cmdline_get_creds(),
1835 : 0 /* previous_session_id */);
1836 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1837 : "smb2_session_setup_spnego failed");
1838 :
1839 2 : tree2->session = session2_1;
1840 2 : status = smb2_util_unlink(tree2, fname);
1841 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1842 : "smb2_util_unlink failed");
1843 2 : ret = true;
1844 2 : done:
1845 2 : talloc_free(tree2);
1846 2 : tree1->session = session1_1;
1847 :
1848 2 : if (h1 != NULL) {
1849 0 : smb2_util_close(tree1, *h1);
1850 : }
1851 :
1852 2 : smb2_util_unlink(tree1, fname);
1853 :
1854 2 : talloc_free(tree1);
1855 :
1856 2 : talloc_free(mem_ctx);
1857 :
1858 2 : return ret;
1859 : }
1860 :
1861 2 : static bool test_session_bind2(struct torture_context *tctx, struct smb2_tree *tree1)
1862 : {
1863 2 : const char *host = torture_setting_string(tctx, "host", NULL);
1864 2 : const char *share = torture_setting_string(tctx, "share", NULL);
1865 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
1866 : NTSTATUS status;
1867 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
1868 : char fname1[256];
1869 : char fname2[256];
1870 : struct smb2_handle _h1f1;
1871 2 : struct smb2_handle *h1f1 = NULL;
1872 : struct smb2_handle _h1f2;
1873 2 : struct smb2_handle *h1f2 = NULL;
1874 : struct smb2_handle _h2f2;
1875 2 : struct smb2_handle *h2f2 = NULL;
1876 : struct smb2_create io1f1;
1877 : struct smb2_create io1f2;
1878 : struct smb2_create io2f1;
1879 : struct smb2_create io2f2;
1880 : union smb_fileinfo qfinfo;
1881 2 : bool ret = false;
1882 2 : struct smb2_transport *transport1 = tree1->session->transport;
1883 : struct smbcli_options options2;
1884 2 : struct smb2_tree *tree2 = NULL;
1885 2 : struct smb2_transport *transport2 = NULL;
1886 : struct smbcli_options options3;
1887 2 : struct smb2_tree *tree3 = NULL;
1888 2 : struct smb2_transport *transport3 = NULL;
1889 2 : struct smb2_session *session1_1 = tree1->session;
1890 2 : struct smb2_session *session1_2 = NULL;
1891 2 : struct smb2_session *session1_3 = NULL;
1892 2 : struct smb2_session *session2_1 = NULL;
1893 2 : struct smb2_session *session2_2 = NULL;
1894 2 : struct smb2_session *session2_3 = NULL;
1895 : uint32_t caps;
1896 :
1897 2 : caps = smb2cli_conn_server_capabilities(transport1->conn);
1898 2 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
1899 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
1900 : }
1901 :
1902 : /*
1903 : * We always want signing for this test!
1904 : */
1905 2 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
1906 2 : options2 = transport1->options;
1907 2 : options2.signing = SMB_SIGNING_REQUIRED;
1908 :
1909 : /* Add some random component to the file name. */
1910 2 : snprintf(fname1, sizeof(fname1), "session_bind2_1_%s.dat",
1911 : generate_random_str(tctx, 8));
1912 2 : snprintf(fname2, sizeof(fname2), "session_bind2_2_%s.dat",
1913 : generate_random_str(tctx, 8));
1914 :
1915 2 : smb2_util_unlink(tree1, fname1);
1916 2 : smb2_util_unlink(tree1, fname2);
1917 :
1918 2 : smb2_oplock_create_share(&io1f1, fname1,
1919 : smb2_util_share_access(""),
1920 2 : smb2_util_oplock_level(""));
1921 2 : smb2_oplock_create_share(&io1f2, fname2,
1922 : smb2_util_share_access(""),
1923 2 : smb2_util_oplock_level(""));
1924 :
1925 2 : status = smb2_create(tree1, mem_ctx, &io1f1);
1926 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1927 : "smb2_create failed");
1928 2 : _h1f1 = io1f1.out.file.handle;
1929 2 : h1f1 = &_h1f1;
1930 2 : CHECK_CREATED(tctx, &io1f1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1931 2 : torture_assert_int_equal(tctx, io1f1.out.oplock_level,
1932 : smb2_util_oplock_level(""),
1933 : "oplock_level incorrect");
1934 :
1935 2 : status = smb2_connect(tctx,
1936 : host,
1937 : lpcfg_smb_ports(tctx->lp_ctx),
1938 : share,
1939 : lpcfg_resolve_context(tctx->lp_ctx),
1940 : credentials,
1941 : &tree2,
1942 : tctx->ev,
1943 : &options2,
1944 : lpcfg_socket_options(tctx->lp_ctx),
1945 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1946 : );
1947 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1948 : "smb2_connect failed");
1949 2 : session2_2 = tree2->session;
1950 2 : transport2 = tree2->session->transport;
1951 2 : smb2cli_tcon_should_sign(tree2->smbXcli, true);
1952 :
1953 2 : smb2_oplock_create_share(&io2f1, fname1,
1954 : smb2_util_share_access(""),
1955 2 : smb2_util_oplock_level(""));
1956 2 : smb2_oplock_create_share(&io2f2, fname2,
1957 : smb2_util_share_access(""),
1958 2 : smb2_util_oplock_level(""));
1959 :
1960 2 : status = smb2_create(tree2, mem_ctx, &io2f2);
1961 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1962 : "smb2_create failed");
1963 2 : _h2f2 = io2f2.out.file.handle;
1964 2 : h2f2 = &_h2f2;
1965 2 : CHECK_CREATED(tctx, &io2f2, CREATED, FILE_ATTRIBUTE_ARCHIVE);
1966 2 : torture_assert_int_equal(tctx, io2f2.out.oplock_level,
1967 : smb2_util_oplock_level(""),
1968 : "oplock_level incorrect");
1969 :
1970 2 : options3 = transport1->options;
1971 2 : options3.signing = SMB_SIGNING_REQUIRED;
1972 2 : options3.only_negprot = true;
1973 :
1974 2 : status = smb2_connect(tctx,
1975 : host,
1976 : lpcfg_smb_ports(tctx->lp_ctx),
1977 : share,
1978 : lpcfg_resolve_context(tctx->lp_ctx),
1979 : credentials,
1980 : &tree3,
1981 : tctx->ev,
1982 : &options3,
1983 : lpcfg_socket_options(tctx->lp_ctx),
1984 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
1985 : );
1986 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
1987 : "smb2_connect failed");
1988 2 : transport3 = tree3->session->transport;
1989 :
1990 : /*
1991 : * Create a fake session for the 2nd transport connection to the 1st session
1992 : */
1993 2 : session1_2 = smb2_session_channel(transport2,
1994 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
1995 : tree1,
1996 : session1_1);
1997 2 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
1998 :
1999 : /*
2000 : * Now bind the 3rd transport connection to the 1st session
2001 : */
2002 2 : session1_3 = smb2_session_channel(transport3,
2003 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2004 : tree1,
2005 : session1_1);
2006 2 : torture_assert(tctx, session1_3 != NULL, "smb2_session_channel failed");
2007 :
2008 2 : status = smb2_session_setup_spnego(session1_3,
2009 : credentials,
2010 : 0 /* previous_session_id */);
2011 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2012 : "smb2_session_setup_spnego failed");
2013 :
2014 : /*
2015 : * Create a fake session for the 1st transport connection to the 2nd session
2016 : */
2017 2 : session2_1 = smb2_session_channel(transport1,
2018 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2019 : tree2,
2020 : session2_2);
2021 2 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2022 :
2023 : /*
2024 : * Now bind the 3rd transport connection to the 2nd session
2025 : */
2026 2 : session2_3 = smb2_session_channel(transport3,
2027 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2028 : tree2,
2029 : session2_2);
2030 2 : torture_assert(tctx, session2_3 != NULL, "smb2_session_channel failed");
2031 :
2032 2 : status = smb2_session_setup_spnego(session2_3,
2033 : credentials,
2034 : 0 /* previous_session_id */);
2035 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2036 : "smb2_session_setup_spnego failed");
2037 :
2038 2 : ZERO_STRUCT(qfinfo);
2039 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2040 2 : qfinfo.generic.in.file.handle = _h1f1;
2041 2 : tree1->session = session1_1;
2042 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2043 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2044 : "smb2_getinfo_file failed");
2045 2 : tree1->session = session1_2;
2046 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2047 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2048 : "smb2_getinfo_file failed");
2049 2 : tree1->session = session1_3;
2050 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2051 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2052 : "smb2_getinfo_file failed");
2053 :
2054 2 : ZERO_STRUCT(qfinfo);
2055 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2056 2 : qfinfo.generic.in.file.handle = _h2f2;
2057 2 : tree2->session = session2_1;
2058 2 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2059 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2060 : "smb2_getinfo_file failed");
2061 2 : tree2->session = session2_2;
2062 2 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2063 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2064 : "smb2_getinfo_file failed");
2065 2 : tree2->session = session2_3;
2066 2 : status = smb2_getinfo_file(tree2, mem_ctx, &qfinfo);
2067 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2068 : "smb2_getinfo_file failed");
2069 :
2070 2 : tree1->session = session1_1;
2071 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2072 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2073 : "smb2_create failed");
2074 2 : tree1->session = session1_2;
2075 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2076 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2077 : "smb2_create failed");
2078 2 : tree1->session = session1_3;
2079 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2080 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2081 : "smb2_create failed");
2082 :
2083 2 : tree2->session = session2_1;
2084 2 : status = smb2_create(tree2, mem_ctx, &io2f1);
2085 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2086 : "smb2_create failed");
2087 2 : tree2->session = session2_2;
2088 2 : status = smb2_create(tree2, mem_ctx, &io2f1);
2089 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2090 : "smb2_create failed");
2091 2 : tree2->session = session2_3;
2092 2 : status = smb2_create(tree2, mem_ctx, &io2f1);
2093 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2094 : "smb2_create failed");
2095 :
2096 2 : smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2097 2 : smb_msleep(500);
2098 :
2099 2 : tree1->session = session1_1;
2100 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2101 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2102 : "smb2_create failed");
2103 2 : tree1->session = session1_2;
2104 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2105 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2106 : "smb2_create failed");
2107 :
2108 2 : tree2->session = session2_1;
2109 2 : status = smb2_create(tree2, mem_ctx, &io2f1);
2110 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2111 : "smb2_create failed");
2112 2 : tree2->session = session2_2;
2113 2 : status = smb2_create(tree2, mem_ctx, &io2f1);
2114 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_SHARING_VIOLATION, ret, done,
2115 : "smb2_create failed");
2116 :
2117 2 : smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2118 2 : smb_msleep(500);
2119 2 : h2f2 = NULL;
2120 :
2121 2 : tree1->session = session1_1;
2122 2 : status = smb2_create(tree1, mem_ctx, &io1f2);
2123 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2124 : "smb2_create failed");
2125 2 : _h1f2 = io1f2.out.file.handle;
2126 2 : h1f2 = &_h1f2;
2127 2 : CHECK_CREATED(tctx, &io1f2, EXISTED, FILE_ATTRIBUTE_ARCHIVE);
2128 2 : torture_assert_int_equal(tctx, io1f2.out.oplock_level,
2129 : smb2_util_oplock_level(""),
2130 : "oplock_level incorrect");
2131 :
2132 2 : tree1->session = session1_1;
2133 2 : status = smb2_util_close(tree1, *h1f1);
2134 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2135 : "smb2_util_close failed");
2136 2 : h1f1 = NULL;
2137 :
2138 2 : ret = true;
2139 2 : done:
2140 :
2141 2 : smbXcli_conn_disconnect(transport3->conn, NT_STATUS_LOCAL_DISCONNECT);
2142 2 : smbXcli_conn_disconnect(transport2->conn, NT_STATUS_LOCAL_DISCONNECT);
2143 :
2144 2 : tree1->session = session1_1;
2145 2 : tree2->session = session2_2;
2146 :
2147 2 : if (h1f1 != NULL) {
2148 0 : smb2_util_close(tree1, *h1f1);
2149 : }
2150 2 : if (h1f2 != NULL) {
2151 2 : smb2_util_close(tree1, *h1f2);
2152 : }
2153 2 : if (h2f2 != NULL) {
2154 0 : smb2_util_close(tree2, *h2f2);
2155 : }
2156 :
2157 2 : smb2_util_unlink(tree1, fname1);
2158 2 : smb2_util_unlink(tree1, fname2);
2159 :
2160 2 : talloc_free(tree1);
2161 :
2162 2 : talloc_free(mem_ctx);
2163 :
2164 2 : return ret;
2165 : }
2166 :
2167 2 : static bool test_session_bind_auth_mismatch(struct torture_context *tctx,
2168 : struct smb2_tree *tree1,
2169 : const char *testname,
2170 : struct cli_credentials *creds1,
2171 : struct cli_credentials *creds2,
2172 : bool creds2_require_ok)
2173 : {
2174 2 : const char *host = torture_setting_string(tctx, "host", NULL);
2175 2 : const char *share = torture_setting_string(tctx, "share", NULL);
2176 : NTSTATUS status;
2177 2 : TALLOC_CTX *mem_ctx = talloc_new(tctx);
2178 : char fname[256];
2179 : struct smb2_handle _h1;
2180 2 : struct smb2_handle *h1 = NULL;
2181 : struct smb2_create io1;
2182 : union smb_fileinfo qfinfo;
2183 2 : bool ret = false;
2184 2 : struct smb2_tree *tree2 = NULL;
2185 2 : struct smb2_transport *transport1 = tree1->session->transport;
2186 : struct smbcli_options options2;
2187 2 : struct smb2_transport *transport2 = NULL;
2188 2 : struct smb2_session *session1_1 = tree1->session;
2189 2 : struct smb2_session *session1_2 = NULL;
2190 2 : struct smb2_session *session2_1 = NULL;
2191 2 : struct smb2_session *session2_2 = NULL;
2192 2 : struct smb2_session *session3_1 = NULL;
2193 : uint32_t caps;
2194 : bool encrypted;
2195 2 : bool creds2_got_ok = false;
2196 :
2197 2 : encrypted = smb2cli_tcon_is_encryption_on(tree1->smbXcli);
2198 :
2199 2 : caps = smb2cli_conn_server_capabilities(transport1->conn);
2200 2 : if (!(caps & SMB2_CAP_MULTI_CHANNEL)) {
2201 0 : torture_skip(tctx, "server doesn't support SMB2_CAP_MULTI_CHANNEL\n");
2202 : }
2203 :
2204 : /*
2205 : * We always want signing for this test!
2206 : */
2207 2 : smb2cli_tcon_should_sign(tree1->smbXcli, true);
2208 2 : options2 = transport1->options;
2209 2 : options2.signing = SMB_SIGNING_REQUIRED;
2210 :
2211 : /* Add some random component to the file name. */
2212 2 : snprintf(fname, sizeof(fname), "%s_%s.dat", testname,
2213 : generate_random_str(tctx, 8));
2214 :
2215 2 : smb2_util_unlink(tree1, fname);
2216 :
2217 2 : smb2_oplock_create_share(&io1, fname,
2218 : smb2_util_share_access(""),
2219 2 : smb2_util_oplock_level("b"));
2220 :
2221 2 : status = smb2_create(tree1, mem_ctx, &io1);
2222 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2223 : "smb2_create failed");
2224 2 : _h1 = io1.out.file.handle;
2225 2 : h1 = &_h1;
2226 2 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2227 2 : torture_assert_int_equal(tctx, io1.out.oplock_level,
2228 : smb2_util_oplock_level("b"),
2229 : "oplock_level incorrect");
2230 :
2231 2 : status = smb2_connect(tctx,
2232 : host,
2233 : lpcfg_smb_ports(tctx->lp_ctx),
2234 : share,
2235 : lpcfg_resolve_context(tctx->lp_ctx),
2236 : creds1,
2237 : &tree2,
2238 : tctx->ev,
2239 : &options2,
2240 : lpcfg_socket_options(tctx->lp_ctx),
2241 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2242 : );
2243 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2244 : "smb2_connect failed");
2245 2 : session2_2 = tree2->session;
2246 2 : transport2 = tree2->session->transport;
2247 :
2248 : /*
2249 : * Now bind the 2nd transport connection to the 1st session
2250 : */
2251 2 : session1_2 = smb2_session_channel(transport2,
2252 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2253 : tree2,
2254 : session1_1);
2255 2 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2256 :
2257 2 : status = smb2_session_setup_spnego(session1_2,
2258 : creds1,
2259 : 0 /* previous_session_id */);
2260 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2261 : "smb2_session_setup_spnego failed");
2262 :
2263 : /* use the 1st connection, 1st session */
2264 2 : ZERO_STRUCT(qfinfo);
2265 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2266 2 : qfinfo.generic.in.file.handle = _h1;
2267 2 : tree1->session = session1_1;
2268 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2269 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2270 : "smb2_getinfo_file failed");
2271 :
2272 : /* use the 2nd connection, 1st session */
2273 2 : ZERO_STRUCT(qfinfo);
2274 2 : qfinfo.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2275 2 : qfinfo.generic.in.file.handle = _h1;
2276 2 : tree1->session = session1_2;
2277 2 : status = smb2_getinfo_file(tree1, mem_ctx, &qfinfo);
2278 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2279 : "smb2_getinfo_file failed");
2280 :
2281 2 : tree1->session = session1_1;
2282 2 : status = smb2_util_close(tree1, *h1);
2283 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2284 : "smb2_util_close failed");
2285 2 : h1 = NULL;
2286 :
2287 : /*
2288 : * Create a 3rd session in order to check if the invalid (creds2)
2289 : * are mapped to guest.
2290 : */
2291 2 : session3_1 = smb2_session_init(transport1,
2292 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2293 : tctx);
2294 2 : torture_assert(tctx, session3_1 != NULL, "smb2_session_channel failed");
2295 :
2296 2 : status = smb2_session_setup_spnego(session3_1,
2297 : creds2,
2298 : 0 /* previous_session_id */);
2299 2 : if (creds2_require_ok) {
2300 0 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2301 : "smb2_session_setup_spnego worked");
2302 0 : creds2_got_ok = true;
2303 2 : } else if (NT_STATUS_IS_OK(status)) {
2304 2 : bool authentiated = smbXcli_session_is_authenticated(session3_1->smbXcli);
2305 2 : torture_assert(tctx, !authentiated, "Invalid credentials allowed!");
2306 2 : creds2_got_ok = true;
2307 : } else {
2308 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2309 : "smb2_session_setup_spnego worked");
2310 : }
2311 :
2312 : /*
2313 : * Now bind the 1st transport connection to the 2nd session
2314 : */
2315 2 : session2_1 = smb2_session_channel(transport1,
2316 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2317 : tree1,
2318 : session2_2);
2319 2 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2320 :
2321 2 : tree2->session = session2_1;
2322 2 : status = smb2_util_unlink(tree2, fname);
2323 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2324 : "smb2_util_unlink worked on invalid channel");
2325 :
2326 2 : status = smb2_session_setup_spnego(session2_1,
2327 : creds2,
2328 : 0 /* previous_session_id */);
2329 2 : if (creds2_got_ok) {
2330 : /*
2331 : * attaching with a different user (guest or anonymous) results
2332 : * in ACCESS_DENIED.
2333 : */
2334 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_ACCESS_DENIED, ret, done,
2335 : "smb2_session_setup_spnego worked");
2336 : } else {
2337 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2338 : "smb2_session_setup_spnego worked");
2339 : }
2340 :
2341 2 : tree2->session = session2_1;
2342 2 : status = smb2_util_unlink(tree2, fname);
2343 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2344 : "smb2_util_unlink worked on invalid channel");
2345 :
2346 2 : tree2->session = session2_2;
2347 2 : status = smb2_util_unlink(tree2, fname);
2348 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2349 : "smb2_util_unlink failed");
2350 2 : status = smb2_util_unlink(tree2, fname);
2351 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2352 : "smb2_util_unlink worked");
2353 2 : if (creds2_got_ok) {
2354 : /*
2355 : * We got ACCESS_DENIED on the session bind
2356 : * with a different user, now check that
2357 : * the correct user can actually bind on
2358 : * the same connection.
2359 : */
2360 2 : TALLOC_FREE(session2_1);
2361 2 : session2_1 = smb2_session_channel(transport1,
2362 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2363 : tree1,
2364 : session2_2);
2365 2 : torture_assert(tctx, session2_1 != NULL, "smb2_session_channel failed");
2366 :
2367 2 : status = smb2_session_setup_spnego(session2_1,
2368 : creds1,
2369 : 0 /* previous_session_id */);
2370 2 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2371 : "smb2_session_setup_spnego failed");
2372 2 : tree2->session = session2_1;
2373 2 : status = smb2_util_unlink(tree2, fname);
2374 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2375 : "smb2_util_unlink worked");
2376 2 : tree2->session = session2_2;
2377 : }
2378 :
2379 2 : tree1->session = session1_1;
2380 2 : status = smb2_util_unlink(tree1, fname);
2381 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2382 : "smb2_util_unlink worked");
2383 :
2384 2 : tree1->session = session1_2;
2385 2 : status = smb2_util_unlink(tree1, fname);
2386 2 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2387 : "smb2_util_unlink worked");
2388 :
2389 2 : if (creds2_got_ok) {
2390 : /*
2391 : * With valid credentials, there's no point to test a failing
2392 : * reauth.
2393 : */
2394 2 : ret = true;
2395 2 : goto done;
2396 : }
2397 :
2398 : /*
2399 : * Do a failing reauth the 2nd channel
2400 : */
2401 0 : status = smb2_session_setup_spnego(session1_2,
2402 : creds2,
2403 : 0 /* previous_session_id */);
2404 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_LOGON_FAILURE, ret, done,
2405 : "smb2_session_setup_spnego worked");
2406 :
2407 0 : tree1->session = session1_1;
2408 0 : status = smb2_util_unlink(tree1, fname);
2409 0 : if (encrypted) {
2410 0 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2411 : "smb2_util_unlink worked");
2412 : } else {
2413 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2414 : "smb2_util_unlink worked");
2415 : }
2416 :
2417 0 : tree1->session = session1_2;
2418 0 : status = smb2_util_unlink(tree1, fname);
2419 0 : if (encrypted) {
2420 0 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2421 : "smb2_util_unlink worked");
2422 : } else {
2423 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_USER_SESSION_DELETED, ret, done,
2424 : "smb2_util_unlink worked");
2425 : }
2426 :
2427 0 : status = smb2_util_unlink(tree2, fname);
2428 0 : if (encrypted) {
2429 0 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport1->conn), ret, done,
2430 : "smb2_util_unlink worked");
2431 0 : torture_assert_goto(tctx, !smbXcli_conn_is_connected(transport2->conn), ret, done,
2432 : "smb2_util_unlink worked");
2433 : } else {
2434 0 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_OBJECT_NAME_NOT_FOUND, ret, done,
2435 : "smb2_util_unlink worked");
2436 : }
2437 :
2438 0 : ret = true;
2439 2 : done:
2440 2 : talloc_free(tree2);
2441 2 : tree1->session = session1_1;
2442 :
2443 2 : if (h1 != NULL) {
2444 0 : smb2_util_close(tree1, *h1);
2445 : }
2446 :
2447 2 : smb2_util_unlink(tree1, fname);
2448 :
2449 2 : talloc_free(tree1);
2450 :
2451 2 : talloc_free(mem_ctx);
2452 :
2453 2 : return ret;
2454 : }
2455 :
2456 2 : static bool test_session_bind_invalid_auth(struct torture_context *tctx, struct smb2_tree *tree1)
2457 : {
2458 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2459 2 : struct cli_credentials *invalid_credentials = NULL;
2460 2 : bool ret = false;
2461 :
2462 2 : invalid_credentials = cli_credentials_init(tctx);
2463 2 : torture_assert(tctx, (invalid_credentials != NULL), "talloc error");
2464 2 : cli_credentials_set_username(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2465 2 : cli_credentials_set_domain(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2466 2 : cli_credentials_set_password(invalid_credentials, "__none__invalid__none__", CRED_SPECIFIED);
2467 2 : cli_credentials_set_realm(invalid_credentials, NULL, CRED_SPECIFIED);
2468 2 : cli_credentials_set_workstation(invalid_credentials, "", CRED_UNINITIALISED);
2469 :
2470 2 : ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2471 : credentials,
2472 : invalid_credentials,
2473 : false);
2474 2 : return ret;
2475 : }
2476 :
2477 2 : static bool test_session_bind_different_user(struct torture_context *tctx, struct smb2_tree *tree1)
2478 : {
2479 2 : struct cli_credentials *credentials1 = samba_cmdline_get_creds();
2480 2 : struct cli_credentials *credentials2 = torture_user2_credentials(tctx, tctx);
2481 2 : char *u1 = cli_credentials_get_unparsed_name(credentials1, tctx);
2482 2 : char *u2 = cli_credentials_get_unparsed_name(credentials2, tctx);
2483 2 : bool ret = false;
2484 : bool bval;
2485 :
2486 2 : torture_assert(tctx, (credentials2 != NULL), "talloc error");
2487 2 : bval = cli_credentials_is_anonymous(credentials2);
2488 2 : if (bval) {
2489 2 : torture_skip(tctx, "valid user2 credentials are required");
2490 : }
2491 0 : bval = strequal(u1, u2);
2492 0 : if (bval) {
2493 0 : torture_skip(tctx, "different user2 credentials are required");
2494 : }
2495 :
2496 0 : ret = test_session_bind_auth_mismatch(tctx, tree1, __func__,
2497 : credentials1,
2498 : credentials2,
2499 : true);
2500 0 : return ret;
2501 : }
2502 :
2503 78 : static bool test_session_bind_negative_smbXtoX(struct torture_context *tctx,
2504 : const char *testname,
2505 : struct cli_credentials *credentials,
2506 : const struct smbcli_options *options1,
2507 : const struct smbcli_options *options2,
2508 : NTSTATUS bind_reject_status)
2509 : {
2510 78 : const char *host = torture_setting_string(tctx, "host", NULL);
2511 78 : const char *share = torture_setting_string(tctx, "share", NULL);
2512 : NTSTATUS status;
2513 78 : bool ret = false;
2514 78 : struct smb2_tree *tree1 = NULL;
2515 78 : struct smb2_session *session1_1 = NULL;
2516 : char fname[256];
2517 : struct smb2_handle _h1;
2518 78 : struct smb2_handle *h1 = NULL;
2519 : struct smb2_create io1;
2520 : union smb_fileinfo qfinfo1;
2521 78 : struct smb2_tree *tree2_0 = NULL;
2522 78 : struct smb2_transport *transport2 = NULL;
2523 78 : struct smb2_session *session1_2 = NULL;
2524 78 : uint64_t session1_id = 0;
2525 78 : uint16_t session1_flags = 0;
2526 78 : NTSTATUS deleted_status = NT_STATUS_USER_SESSION_DELETED;
2527 :
2528 78 : status = smb2_connect(tctx,
2529 : host,
2530 : lpcfg_smb_ports(tctx->lp_ctx),
2531 : share,
2532 : lpcfg_resolve_context(tctx->lp_ctx),
2533 : credentials,
2534 : &tree1,
2535 : tctx->ev,
2536 : options1,
2537 : lpcfg_socket_options(tctx->lp_ctx),
2538 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2539 : );
2540 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2541 : "smb2_connect options1 failed");
2542 78 : session1_1 = tree1->session;
2543 78 : session1_id = smb2cli_session_current_id(session1_1->smbXcli);
2544 78 : session1_flags = smb2cli_session_get_flags(session1_1->smbXcli);
2545 :
2546 : /* Add some random component to the file name. */
2547 78 : snprintf(fname, sizeof(fname), "%s_%s.dat",
2548 : testname, generate_random_str(tctx, 8));
2549 :
2550 78 : smb2_util_unlink(tree1, fname);
2551 :
2552 78 : smb2_oplock_create_share(&io1, fname,
2553 : smb2_util_share_access(""),
2554 78 : smb2_util_oplock_level("b"));
2555 :
2556 78 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
2557 78 : status = smb2_create(tree1, tctx, &io1);
2558 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2559 : "smb2_create failed");
2560 78 : _h1 = io1.out.file.handle;
2561 78 : h1 = &_h1;
2562 78 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
2563 78 : torture_assert_int_equal(tctx, io1.out.oplock_level,
2564 : smb2_util_oplock_level("b"),
2565 : "oplock_level incorrect");
2566 :
2567 78 : status = smb2_connect(tctx,
2568 : host,
2569 : lpcfg_smb_ports(tctx->lp_ctx),
2570 : share,
2571 : lpcfg_resolve_context(tctx->lp_ctx),
2572 : credentials,
2573 : &tree2_0,
2574 : tctx->ev,
2575 : options2,
2576 : lpcfg_socket_options(tctx->lp_ctx),
2577 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
2578 : );
2579 78 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2580 : "smb2_connect options2 failed");
2581 78 : transport2 = tree2_0->session->transport;
2582 :
2583 : /*
2584 : * Now bind the 2nd transport connection to the 1st session
2585 : */
2586 78 : session1_2 = smb2_session_channel(transport2,
2587 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2588 : tree2_0,
2589 : session1_1);
2590 78 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2591 :
2592 78 : status = smb2_session_setup_spnego(session1_2,
2593 : credentials,
2594 : 0 /* previous_session_id */);
2595 78 : torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2596 : "smb2_session_setup_spnego failed");
2597 74 : if (NT_STATUS_IS_OK(bind_reject_status)) {
2598 4 : ZERO_STRUCT(qfinfo1);
2599 4 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2600 4 : qfinfo1.generic.in.file.handle = _h1;
2601 4 : tree1->session = session1_2;
2602 4 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2603 4 : tree1->session = session1_1;
2604 4 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2605 : "smb2_getinfo_file failed");
2606 : }
2607 74 : TALLOC_FREE(session1_2);
2608 :
2609 : /* Check the initial session is still alive */
2610 74 : ZERO_STRUCT(qfinfo1);
2611 74 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2612 74 : qfinfo1.generic.in.file.handle = _h1;
2613 74 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2614 74 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2615 : "smb2_getinfo_file failed");
2616 :
2617 74 : if (NT_STATUS_IS_OK(bind_reject_status)) {
2618 4 : deleted_status = NT_STATUS_ACCESS_DENIED;
2619 4 : bind_reject_status = NT_STATUS_ACCESS_DENIED;
2620 : }
2621 :
2622 : /*
2623 : * I guess this is not part of MultipleChannel_Negative_SMB2002,
2624 : * but we should also check the status without
2625 : * SMB2_SESSION_FLAG_BINDING.
2626 : */
2627 74 : session1_2 = smb2_session_channel(transport2,
2628 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2629 : tree2_0,
2630 : session1_1);
2631 74 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2632 74 : session1_2->needs_bind = false;
2633 :
2634 74 : status = smb2_session_setup_spnego(session1_2,
2635 : credentials,
2636 : 0 /* previous_session_id */);
2637 74 : torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2638 : "smb2_session_setup_spnego failed");
2639 74 : TALLOC_FREE(session1_2);
2640 :
2641 : /*
2642 : * ... and we should also check the status without any existing
2643 : * session keys.
2644 : */
2645 74 : session1_2 = smb2_session_init(transport2,
2646 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2647 : tree2_0);
2648 74 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2649 74 : talloc_steal(tree2_0->session, transport2);
2650 74 : smb2cli_session_set_id_and_flags(session1_2->smbXcli,
2651 : session1_id, session1_flags);
2652 :
2653 74 : status = smb2_session_setup_spnego(session1_2,
2654 : credentials,
2655 : 0 /* previous_session_id */);
2656 74 : torture_assert_ntstatus_equal_goto(tctx, status, deleted_status, ret, done,
2657 : "smb2_session_setup_spnego failed");
2658 74 : TALLOC_FREE(session1_2);
2659 :
2660 : /* Check the initial session is still alive */
2661 74 : ZERO_STRUCT(qfinfo1);
2662 74 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2663 74 : qfinfo1.generic.in.file.handle = _h1;
2664 74 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2665 74 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2666 : "smb2_getinfo_file failed");
2667 :
2668 : /*
2669 : * Now bind the 2nd transport connection to the 1st session (again)
2670 : */
2671 74 : session1_2 = smb2_session_channel(transport2,
2672 : lpcfg_gensec_settings(tctx, tctx->lp_ctx),
2673 : tree2_0,
2674 : session1_1);
2675 74 : torture_assert(tctx, session1_2 != NULL, "smb2_session_channel failed");
2676 :
2677 74 : status = smb2_session_setup_spnego(session1_2,
2678 : credentials,
2679 : 0 /* previous_session_id */);
2680 74 : torture_assert_ntstatus_equal_goto(tctx, status, bind_reject_status, ret, done,
2681 : "smb2_session_setup_spnego failed");
2682 74 : TALLOC_FREE(session1_2);
2683 :
2684 : /* Check the initial session is still alive */
2685 74 : ZERO_STRUCT(qfinfo1);
2686 74 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
2687 74 : qfinfo1.generic.in.file.handle = _h1;
2688 74 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
2689 74 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
2690 : "smb2_getinfo_file failed");
2691 :
2692 74 : ret = true;
2693 78 : done:
2694 78 : talloc_free(tree2_0);
2695 78 : if (h1 != NULL) {
2696 78 : smb2_util_close(tree1, *h1);
2697 : }
2698 78 : talloc_free(tree1);
2699 :
2700 78 : return ret;
2701 : }
2702 :
2703 : /*
2704 : * This is similar to the MultipleChannel_Negative_SMB2002 test
2705 : * from the Windows Protocol Test Suite.
2706 : *
2707 : * It demonstrates that the server needs to do lookup
2708 : * in the global session table in order to get the signing
2709 : * and error code of invalid session setups correct.
2710 : *
2711 : * See: https://bugzilla.samba.org/show_bug.cgi?id=14512
2712 : *
2713 : * Note you can ignore tree0...
2714 : */
2715 2 : static bool test_session_bind_negative_smb202(struct torture_context *tctx, struct smb2_tree *tree0)
2716 : {
2717 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2718 2 : bool ret = false;
2719 2 : struct smb2_transport *transport0 = tree0->session->transport;
2720 : struct smbcli_options options1;
2721 : struct smbcli_options options2;
2722 : bool encrypted;
2723 :
2724 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2725 2 : if (encrypted) {
2726 0 : torture_skip(tctx,
2727 : "Can't test SMB 2.02 if encryption is required");
2728 : }
2729 :
2730 2 : options1 = transport0->options;
2731 2 : options1.client_guid = GUID_zero();
2732 2 : options1.max_protocol = PROTOCOL_SMB2_02;
2733 :
2734 2 : options2 = options1;
2735 2 : options2.only_negprot = true;
2736 :
2737 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2738 : credentials,
2739 : &options1, &options2,
2740 2 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2741 2 : talloc_free(tree0);
2742 2 : return ret;
2743 : }
2744 :
2745 2 : static bool test_session_bind_negative_smb210s(struct torture_context *tctx, struct smb2_tree *tree0)
2746 : {
2747 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2748 2 : bool ret = false;
2749 2 : struct smb2_transport *transport0 = tree0->session->transport;
2750 : struct smbcli_options options1;
2751 : struct smbcli_options options2;
2752 : bool encrypted;
2753 :
2754 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2755 2 : if (encrypted) {
2756 0 : torture_skip(tctx,
2757 : "Can't test SMB 2.10 if encrytion is required");
2758 : }
2759 :
2760 2 : options1 = transport0->options;
2761 2 : options1.client_guid = GUID_random();
2762 2 : options1.max_protocol = PROTOCOL_SMB2_10;
2763 :
2764 : /* same client guid */
2765 2 : options2 = options1;
2766 2 : options2.only_negprot = true;
2767 :
2768 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2769 : credentials,
2770 : &options1, &options2,
2771 2 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2772 2 : talloc_free(tree0);
2773 2 : return ret;
2774 : }
2775 :
2776 2 : static bool test_session_bind_negative_smb210d(struct torture_context *tctx, struct smb2_tree *tree0)
2777 : {
2778 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2779 2 : bool ret = false;
2780 2 : struct smb2_transport *transport0 = tree0->session->transport;
2781 : struct smbcli_options options1;
2782 : struct smbcli_options options2;
2783 : bool encrypted;
2784 :
2785 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2786 2 : if (encrypted) {
2787 0 : torture_skip(tctx,
2788 : "Can't test SMB 2.10 if encrytion is required");
2789 : }
2790 :
2791 2 : options1 = transport0->options;
2792 2 : options1.client_guid = GUID_random();
2793 2 : options1.max_protocol = PROTOCOL_SMB2_10;
2794 :
2795 : /* different client guid */
2796 2 : options2 = options1;
2797 2 : options2.client_guid = GUID_random();
2798 2 : options2.only_negprot = true;
2799 :
2800 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2801 : credentials,
2802 : &options1, &options2,
2803 2 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2804 2 : talloc_free(tree0);
2805 2 : return ret;
2806 : }
2807 :
2808 2 : static bool test_session_bind_negative_smb2to3s(struct torture_context *tctx, struct smb2_tree *tree0)
2809 : {
2810 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2811 2 : bool ret = false;
2812 2 : struct smb2_transport *transport0 = tree0->session->transport;
2813 : struct smbcli_options options1;
2814 : struct smbcli_options options2;
2815 : bool encrypted;
2816 :
2817 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2818 2 : if (encrypted) {
2819 0 : torture_skip(tctx,
2820 : "Can't test SMB 2.10 if encrytion is required");
2821 : }
2822 :
2823 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2824 0 : torture_skip(tctx,
2825 : "Can't test without SMB3 support");
2826 : }
2827 :
2828 2 : options1 = transport0->options;
2829 2 : options1.client_guid = GUID_random();
2830 2 : options1.min_protocol = PROTOCOL_SMB2_02;
2831 2 : options1.max_protocol = PROTOCOL_SMB2_10;
2832 :
2833 : /* same client guid */
2834 2 : options2 = options1;
2835 2 : options2.only_negprot = true;
2836 2 : options2.min_protocol = PROTOCOL_SMB3_00;
2837 2 : options2.max_protocol = PROTOCOL_SMB3_11;
2838 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2839 : .num_algos = 1,
2840 : .algos = {
2841 : SMB2_SIGNING_AES128_CMAC,
2842 : },
2843 : };
2844 :
2845 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2846 : credentials,
2847 : &options1, &options2,
2848 2 : NT_STATUS_INVALID_PARAMETER);
2849 2 : talloc_free(tree0);
2850 2 : return ret;
2851 : }
2852 :
2853 2 : static bool test_session_bind_negative_smb2to3d(struct torture_context *tctx, struct smb2_tree *tree0)
2854 : {
2855 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2856 2 : bool ret = false;
2857 2 : struct smb2_transport *transport0 = tree0->session->transport;
2858 : struct smbcli_options options1;
2859 : struct smbcli_options options2;
2860 : bool encrypted;
2861 :
2862 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2863 2 : if (encrypted) {
2864 0 : torture_skip(tctx,
2865 : "Can't test SMB 2.10 if encrytion is required");
2866 : }
2867 :
2868 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2869 0 : torture_skip(tctx,
2870 : "Can't test without SMB3 support");
2871 : }
2872 :
2873 2 : options1 = transport0->options;
2874 2 : options1.client_guid = GUID_random();
2875 2 : options1.min_protocol = PROTOCOL_SMB2_02;
2876 2 : options1.max_protocol = PROTOCOL_SMB2_10;
2877 :
2878 : /* different client guid */
2879 2 : options2 = options1;
2880 2 : options2.client_guid = GUID_random();
2881 2 : options2.only_negprot = true;
2882 2 : options2.min_protocol = PROTOCOL_SMB3_00;
2883 2 : options2.max_protocol = PROTOCOL_SMB3_11;
2884 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2885 : .num_algos = 1,
2886 : .algos = {
2887 : SMB2_SIGNING_AES128_CMAC,
2888 : },
2889 : };
2890 :
2891 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2892 : credentials,
2893 : &options1, &options2,
2894 2 : NT_STATUS_INVALID_PARAMETER);
2895 2 : talloc_free(tree0);
2896 2 : return ret;
2897 : }
2898 :
2899 2 : static bool test_session_bind_negative_smb3to2s(struct torture_context *tctx, struct smb2_tree *tree0)
2900 : {
2901 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2902 2 : bool ret = false;
2903 2 : struct smb2_transport *transport0 = tree0->session->transport;
2904 : struct smbcli_options options1;
2905 : struct smbcli_options options2;
2906 : bool encrypted;
2907 :
2908 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2909 2 : if (encrypted) {
2910 0 : torture_skip(tctx,
2911 : "Can't test SMB 2.10 if encrytion is required");
2912 : }
2913 :
2914 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2915 0 : torture_skip(tctx,
2916 : "Can't test without SMB3 support");
2917 : }
2918 :
2919 2 : options1 = transport0->options;
2920 2 : options1.client_guid = GUID_random();
2921 2 : options1.min_protocol = PROTOCOL_SMB3_00;
2922 2 : options1.max_protocol = PROTOCOL_SMB3_11;
2923 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2924 : .num_algos = 1,
2925 : .algos = {
2926 : SMB2_SIGNING_AES128_CMAC,
2927 : },
2928 : };
2929 :
2930 : /* same client guid */
2931 2 : options2 = options1;
2932 2 : options2.only_negprot = true;
2933 2 : options2.min_protocol = PROTOCOL_SMB2_02;
2934 2 : options2.max_protocol = PROTOCOL_SMB2_10;
2935 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2936 : .num_algos = 1,
2937 : .algos = {
2938 : SMB2_SIGNING_HMAC_SHA256,
2939 : },
2940 : };
2941 :
2942 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2943 : credentials,
2944 : &options1, &options2,
2945 2 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2946 2 : talloc_free(tree0);
2947 2 : return ret;
2948 : }
2949 :
2950 2 : static bool test_session_bind_negative_smb3to2d(struct torture_context *tctx, struct smb2_tree *tree0)
2951 : {
2952 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
2953 2 : bool ret = false;
2954 2 : struct smb2_transport *transport0 = tree0->session->transport;
2955 : struct smbcli_options options1;
2956 : struct smbcli_options options2;
2957 : bool encrypted;
2958 :
2959 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
2960 2 : if (encrypted) {
2961 0 : torture_skip(tctx,
2962 : "Can't test SMB 2.10 if encrytion is required");
2963 : }
2964 :
2965 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_00) {
2966 0 : torture_skip(tctx,
2967 : "Can't test without SMB3 support");
2968 : }
2969 :
2970 2 : options1 = transport0->options;
2971 2 : options1.client_guid = GUID_random();
2972 2 : options1.min_protocol = PROTOCOL_SMB3_00;
2973 2 : options1.max_protocol = PROTOCOL_SMB3_11;
2974 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2975 : .num_algos = 1,
2976 : .algos = {
2977 : SMB2_SIGNING_AES128_CMAC,
2978 : },
2979 : };
2980 :
2981 : /* different client guid */
2982 2 : options2 = options1;
2983 2 : options2.client_guid = GUID_random();
2984 2 : options2.only_negprot = true;
2985 2 : options2.min_protocol = PROTOCOL_SMB2_02;
2986 2 : options2.max_protocol = PROTOCOL_SMB2_10;
2987 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
2988 : .num_algos = 1,
2989 : .algos = {
2990 : SMB2_SIGNING_HMAC_SHA256,
2991 : },
2992 : };
2993 :
2994 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
2995 : credentials,
2996 : &options1, &options2,
2997 2 : NT_STATUS_REQUEST_NOT_ACCEPTED);
2998 2 : talloc_free(tree0);
2999 2 : return ret;
3000 : }
3001 :
3002 2 : static bool test_session_bind_negative_smb3to3s(struct torture_context *tctx, struct smb2_tree *tree0)
3003 : {
3004 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3005 2 : bool ret = false;
3006 2 : struct smb2_transport *transport0 = tree0->session->transport;
3007 : struct smbcli_options options1;
3008 : struct smbcli_options options2;
3009 :
3010 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3011 0 : torture_skip(tctx,
3012 : "Can't test without SMB 3.1.1 support");
3013 : }
3014 :
3015 2 : options1 = transport0->options;
3016 2 : options1.client_guid = GUID_random();
3017 2 : options1.min_protocol = PROTOCOL_SMB3_02;
3018 2 : options1.max_protocol = PROTOCOL_SMB3_02;
3019 :
3020 : /* same client guid */
3021 2 : options2 = options1;
3022 2 : options2.only_negprot = true;
3023 2 : options2.min_protocol = PROTOCOL_SMB3_11;
3024 2 : options2.max_protocol = PROTOCOL_SMB3_11;
3025 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3026 : .num_algos = 1,
3027 : .algos = {
3028 : SMB2_SIGNING_AES128_CMAC,
3029 : },
3030 : };
3031 :
3032 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3033 : credentials,
3034 : &options1, &options2,
3035 2 : NT_STATUS_INVALID_PARAMETER);
3036 2 : talloc_free(tree0);
3037 2 : return ret;
3038 : }
3039 :
3040 2 : static bool test_session_bind_negative_smb3to3d(struct torture_context *tctx, struct smb2_tree *tree0)
3041 : {
3042 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
3043 2 : bool ret = false;
3044 2 : struct smb2_transport *transport0 = tree0->session->transport;
3045 : struct smbcli_options options1;
3046 : struct smbcli_options options2;
3047 :
3048 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3049 0 : torture_skip(tctx,
3050 : "Can't test without SMB 3.1.1 support");
3051 : }
3052 :
3053 2 : options1 = transport0->options;
3054 2 : options1.client_guid = GUID_random();
3055 2 : options1.min_protocol = PROTOCOL_SMB3_02;
3056 2 : options1.max_protocol = PROTOCOL_SMB3_02;
3057 :
3058 : /* different client guid */
3059 2 : options2 = options1;
3060 2 : options2.client_guid = GUID_random();
3061 2 : options2.only_negprot = true;
3062 2 : options2.min_protocol = PROTOCOL_SMB3_11;
3063 2 : options2.max_protocol = PROTOCOL_SMB3_11;
3064 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3065 : .num_algos = 1,
3066 : .algos = {
3067 : SMB2_SIGNING_AES128_CMAC,
3068 : },
3069 : };
3070 :
3071 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3072 : credentials,
3073 : &options1, &options2,
3074 2 : NT_STATUS_INVALID_PARAMETER);
3075 2 : talloc_free(tree0);
3076 2 : return ret;
3077 : }
3078 :
3079 2 : static bool test_session_bind_negative_smb3encGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3080 : {
3081 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3082 2 : struct cli_credentials *credentials = NULL;
3083 2 : bool ret = false;
3084 2 : struct smb2_transport *transport0 = tree0->session->transport;
3085 : struct smbcli_options options1;
3086 : struct smbcli_options options2;
3087 : bool ok;
3088 :
3089 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3090 0 : torture_skip(tctx,
3091 : "Can't test without SMB 3.1.1 support");
3092 : }
3093 :
3094 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3095 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3096 2 : ok = cli_credentials_set_smb_encryption(credentials,
3097 : SMB_ENCRYPTION_REQUIRED,
3098 : CRED_SPECIFIED);
3099 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3100 :
3101 2 : options1 = transport0->options;
3102 2 : options1.client_guid = GUID_random();
3103 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3104 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3105 2 : options1.signing = SMB_SIGNING_REQUIRED;
3106 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3107 : .num_algos = 1,
3108 : .algos = {
3109 : SMB2_ENCRYPTION_AES128_GCM,
3110 : },
3111 : };
3112 :
3113 : /* same client guid */
3114 2 : options2 = options1;
3115 2 : options2.only_negprot = true;
3116 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3117 : .num_algos = 1,
3118 : .algos = {
3119 : SMB2_ENCRYPTION_AES128_CCM,
3120 : },
3121 : };
3122 :
3123 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3124 : credentials,
3125 : &options1, &options2,
3126 2 : NT_STATUS_INVALID_PARAMETER);
3127 2 : talloc_free(tree0);
3128 2 : return ret;
3129 : }
3130 :
3131 2 : static bool test_session_bind_negative_smb3encGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3132 : {
3133 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3134 2 : struct cli_credentials *credentials = NULL;
3135 2 : bool ret = false;
3136 2 : struct smb2_transport *transport0 = tree0->session->transport;
3137 : struct smbcli_options options1;
3138 : struct smbcli_options options2;
3139 : bool ok;
3140 :
3141 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3142 0 : torture_skip(tctx,
3143 : "Can't test without SMB 3.1.1 support");
3144 : }
3145 :
3146 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3147 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3148 2 : ok = cli_credentials_set_smb_encryption(credentials,
3149 : SMB_ENCRYPTION_REQUIRED,
3150 : CRED_SPECIFIED);
3151 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3152 :
3153 2 : options1 = transport0->options;
3154 2 : options1.client_guid = GUID_random();
3155 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3156 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3157 2 : options1.signing = SMB_SIGNING_REQUIRED;
3158 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3159 : .num_algos = 1,
3160 : .algos = {
3161 : SMB2_ENCRYPTION_AES128_GCM,
3162 : },
3163 : };
3164 :
3165 : /* different client guid */
3166 2 : options2 = options1;
3167 2 : options2.client_guid = GUID_random();
3168 2 : options2.only_negprot = true;
3169 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3170 : .num_algos = 1,
3171 : .algos = {
3172 : SMB2_ENCRYPTION_AES128_CCM,
3173 : },
3174 : };
3175 :
3176 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3177 : credentials,
3178 : &options1, &options2,
3179 2 : NT_STATUS_INVALID_PARAMETER);
3180 2 : talloc_free(tree0);
3181 2 : return ret;
3182 : }
3183 :
3184 2 : static bool test_session_bind_negative_smb3signCtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3185 : {
3186 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3187 2 : struct cli_credentials *credentials = NULL;
3188 2 : bool ret = false;
3189 2 : struct smb2_transport *transport0 = tree0->session->transport;
3190 : struct smbcli_options options1;
3191 : struct smbcli_options options2;
3192 : bool ok;
3193 :
3194 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3195 0 : torture_skip(tctx,
3196 : "Can't test without SMB 3.1.1 support");
3197 : }
3198 :
3199 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3200 0 : torture_skip(tctx,
3201 : "Can't test without SMB 3.1.1 signing negotiation support");
3202 : }
3203 :
3204 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3205 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3206 2 : ok = cli_credentials_set_smb_encryption(credentials,
3207 : SMB_ENCRYPTION_REQUIRED,
3208 : CRED_SPECIFIED);
3209 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3210 :
3211 2 : options1 = transport0->options;
3212 2 : options1.client_guid = GUID_random();
3213 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3214 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3215 2 : options1.signing = SMB_SIGNING_REQUIRED;
3216 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3217 : .num_algos = 1,
3218 : .algos = {
3219 : SMB2_SIGNING_AES128_CMAC,
3220 : },
3221 : };
3222 :
3223 : /* same client guid */
3224 2 : options2 = options1;
3225 2 : options2.only_negprot = true;
3226 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3227 : .num_algos = 1,
3228 : .algos = {
3229 : SMB2_SIGNING_HMAC_SHA256,
3230 : },
3231 : };
3232 :
3233 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3234 : credentials,
3235 : &options1, &options2,
3236 2 : NT_STATUS_OK);
3237 2 : talloc_free(tree0);
3238 2 : return ret;
3239 : }
3240 :
3241 2 : static bool test_session_bind_negative_smb3signCtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3242 : {
3243 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3244 2 : struct cli_credentials *credentials = NULL;
3245 2 : bool ret = false;
3246 2 : struct smb2_transport *transport0 = tree0->session->transport;
3247 : struct smbcli_options options1;
3248 : struct smbcli_options options2;
3249 : bool ok;
3250 :
3251 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3252 0 : torture_skip(tctx,
3253 : "Can't test without SMB 3.1.1 support");
3254 : }
3255 :
3256 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3257 0 : torture_skip(tctx,
3258 : "Can't test without SMB 3.1.1 signing negotiation support");
3259 : }
3260 :
3261 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3262 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3263 2 : ok = cli_credentials_set_smb_encryption(credentials,
3264 : SMB_ENCRYPTION_REQUIRED,
3265 : CRED_SPECIFIED);
3266 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3267 :
3268 2 : options1 = transport0->options;
3269 2 : options1.client_guid = GUID_random();
3270 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3271 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3272 2 : options1.signing = SMB_SIGNING_REQUIRED;
3273 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3274 : .num_algos = 1,
3275 : .algos = {
3276 : SMB2_SIGNING_AES128_CMAC,
3277 : },
3278 : };
3279 :
3280 : /* different client guid */
3281 2 : options2 = options1;
3282 2 : options2.client_guid = GUID_random();
3283 2 : options2.only_negprot = true;
3284 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3285 : .num_algos = 1,
3286 : .algos = {
3287 : SMB2_SIGNING_HMAC_SHA256,
3288 : },
3289 : };
3290 :
3291 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3292 : credentials,
3293 : &options1, &options2,
3294 2 : NT_STATUS_OK);
3295 2 : talloc_free(tree0);
3296 2 : return ret;
3297 : }
3298 :
3299 2 : static bool test_session_bind_negative_smb3signHtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3300 : {
3301 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3302 2 : struct cli_credentials *credentials = NULL;
3303 2 : bool ret = false;
3304 2 : struct smb2_transport *transport0 = tree0->session->transport;
3305 : struct smbcli_options options1;
3306 : struct smbcli_options options2;
3307 : bool ok;
3308 :
3309 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3310 0 : torture_skip(tctx,
3311 : "Can't test without SMB 3.1.1 support");
3312 : }
3313 :
3314 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3315 0 : torture_skip(tctx,
3316 : "Can't test without SMB 3.1.1 signing negotiation support");
3317 : }
3318 :
3319 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3320 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3321 2 : ok = cli_credentials_set_smb_encryption(credentials,
3322 : SMB_ENCRYPTION_REQUIRED,
3323 : CRED_SPECIFIED);
3324 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3325 :
3326 2 : options1 = transport0->options;
3327 2 : options1.client_guid = GUID_random();
3328 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3329 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3330 2 : options1.signing = SMB_SIGNING_REQUIRED;
3331 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3332 : .num_algos = 1,
3333 : .algos = {
3334 : SMB2_SIGNING_HMAC_SHA256,
3335 : },
3336 : };
3337 :
3338 : /* same client guid */
3339 2 : options2 = options1;
3340 2 : options2.only_negprot = true;
3341 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3342 : .num_algos = 1,
3343 : .algos = {
3344 : SMB2_SIGNING_AES128_CMAC,
3345 : },
3346 : };
3347 :
3348 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3349 : credentials,
3350 : &options1, &options2,
3351 2 : NT_STATUS_OK);
3352 2 : talloc_free(tree0);
3353 2 : return ret;
3354 : }
3355 :
3356 2 : static bool test_session_bind_negative_smb3signHtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3357 : {
3358 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3359 2 : struct cli_credentials *credentials = NULL;
3360 2 : bool ret = false;
3361 2 : struct smb2_transport *transport0 = tree0->session->transport;
3362 : struct smbcli_options options1;
3363 : struct smbcli_options options2;
3364 : bool ok;
3365 :
3366 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3367 0 : torture_skip(tctx,
3368 : "Can't test without SMB 3.1.1 support");
3369 : }
3370 :
3371 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3372 0 : torture_skip(tctx,
3373 : "Can't test without SMB 3.1.1 signing negotiation support");
3374 : }
3375 :
3376 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3377 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3378 2 : ok = cli_credentials_set_smb_encryption(credentials,
3379 : SMB_ENCRYPTION_REQUIRED,
3380 : CRED_SPECIFIED);
3381 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3382 :
3383 2 : options1 = transport0->options;
3384 2 : options1.client_guid = GUID_random();
3385 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3386 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3387 2 : options1.signing = SMB_SIGNING_REQUIRED;
3388 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3389 : .num_algos = 1,
3390 : .algos = {
3391 : SMB2_SIGNING_HMAC_SHA256,
3392 : },
3393 : };
3394 :
3395 : /* different client guid */
3396 2 : options2 = options1;
3397 2 : options2.client_guid = GUID_random();
3398 2 : options2.only_negprot = true;
3399 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3400 : .num_algos = 1,
3401 : .algos = {
3402 : SMB2_SIGNING_AES128_CMAC,
3403 : },
3404 : };
3405 :
3406 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3407 : credentials,
3408 : &options1, &options2,
3409 2 : NT_STATUS_OK);
3410 2 : talloc_free(tree0);
3411 2 : return ret;
3412 : }
3413 :
3414 2 : static bool test_session_bind_negative_smb3signHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3415 : {
3416 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3417 2 : struct cli_credentials *credentials = NULL;
3418 2 : bool ret = false;
3419 2 : struct smb2_transport *transport0 = tree0->session->transport;
3420 : struct smbcli_options options1;
3421 : struct smbcli_options options2;
3422 : bool ok;
3423 :
3424 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3425 0 : torture_skip(tctx,
3426 : "Can't test without SMB 3.1.1 support");
3427 : }
3428 :
3429 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3430 0 : torture_skip(tctx,
3431 : "Can't test without SMB 3.1.1 signing negotiation support");
3432 : }
3433 :
3434 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3435 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3436 2 : ok = cli_credentials_set_smb_encryption(credentials,
3437 : SMB_ENCRYPTION_REQUIRED,
3438 : CRED_SPECIFIED);
3439 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3440 :
3441 2 : options1 = transport0->options;
3442 2 : options1.client_guid = GUID_random();
3443 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3444 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3445 2 : options1.signing = SMB_SIGNING_REQUIRED;
3446 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3447 : .num_algos = 1,
3448 : .algos = {
3449 : SMB2_SIGNING_HMAC_SHA256,
3450 : },
3451 : };
3452 :
3453 : /* same client guid */
3454 2 : options2 = options1;
3455 2 : options2.only_negprot = true;
3456 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3457 : .num_algos = 1,
3458 : .algos = {
3459 : SMB2_SIGNING_AES128_GMAC,
3460 : },
3461 : };
3462 :
3463 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3464 : credentials,
3465 : &options1, &options2,
3466 2 : NT_STATUS_NOT_SUPPORTED);
3467 2 : talloc_free(tree0);
3468 2 : return ret;
3469 : }
3470 :
3471 2 : static bool test_session_bind_negative_smb3signHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3472 : {
3473 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3474 2 : struct cli_credentials *credentials = NULL;
3475 2 : bool ret = false;
3476 2 : struct smb2_transport *transport0 = tree0->session->transport;
3477 : struct smbcli_options options1;
3478 : struct smbcli_options options2;
3479 : bool ok;
3480 :
3481 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3482 0 : torture_skip(tctx,
3483 : "Can't test without SMB 3.1.1 support");
3484 : }
3485 :
3486 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3487 0 : torture_skip(tctx,
3488 : "Can't test without SMB 3.1.1 signing negotiation support");
3489 : }
3490 :
3491 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3492 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3493 2 : ok = cli_credentials_set_smb_encryption(credentials,
3494 : SMB_ENCRYPTION_REQUIRED,
3495 : CRED_SPECIFIED);
3496 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3497 :
3498 2 : options1 = transport0->options;
3499 2 : options1.client_guid = GUID_random();
3500 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3501 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3502 2 : options1.signing = SMB_SIGNING_REQUIRED;
3503 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3504 : .num_algos = 1,
3505 : .algos = {
3506 : SMB2_SIGNING_HMAC_SHA256,
3507 : },
3508 : };
3509 :
3510 : /* different client guid */
3511 2 : options2 = options1;
3512 2 : options2.client_guid = GUID_random();
3513 2 : options2.only_negprot = true;
3514 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3515 : .num_algos = 1,
3516 : .algos = {
3517 : SMB2_SIGNING_AES128_GMAC,
3518 : },
3519 : };
3520 :
3521 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3522 : credentials,
3523 : &options1, &options2,
3524 2 : NT_STATUS_NOT_SUPPORTED);
3525 2 : talloc_free(tree0);
3526 2 : return ret;
3527 : }
3528 :
3529 2 : static bool test_session_bind_negative_smb3signCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
3530 : {
3531 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3532 2 : struct cli_credentials *credentials = NULL;
3533 2 : bool ret = false;
3534 2 : struct smb2_transport *transport0 = tree0->session->transport;
3535 : struct smbcli_options options1;
3536 : struct smbcli_options options2;
3537 : bool ok;
3538 :
3539 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3540 0 : torture_skip(tctx,
3541 : "Can't test without SMB 3.1.1 support");
3542 : }
3543 :
3544 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3545 0 : torture_skip(tctx,
3546 : "Can't test without SMB 3.1.1 signing negotiation support");
3547 : }
3548 :
3549 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3550 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3551 2 : ok = cli_credentials_set_smb_encryption(credentials,
3552 : SMB_ENCRYPTION_REQUIRED,
3553 : CRED_SPECIFIED);
3554 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3555 :
3556 2 : options1 = transport0->options;
3557 2 : options1.client_guid = GUID_random();
3558 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3559 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3560 2 : options1.signing = SMB_SIGNING_REQUIRED;
3561 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3562 : .num_algos = 1,
3563 : .algos = {
3564 : SMB2_SIGNING_AES128_CMAC,
3565 : },
3566 : };
3567 :
3568 : /* same client guid */
3569 2 : options2 = options1;
3570 2 : options2.only_negprot = true;
3571 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3572 : .num_algos = 1,
3573 : .algos = {
3574 : SMB2_SIGNING_AES128_GMAC,
3575 : },
3576 : };
3577 :
3578 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3579 : credentials,
3580 : &options1, &options2,
3581 2 : NT_STATUS_NOT_SUPPORTED);
3582 2 : talloc_free(tree0);
3583 2 : return ret;
3584 : }
3585 :
3586 2 : static bool test_session_bind_negative_smb3signCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
3587 : {
3588 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3589 2 : struct cli_credentials *credentials = NULL;
3590 2 : bool ret = false;
3591 2 : struct smb2_transport *transport0 = tree0->session->transport;
3592 : struct smbcli_options options1;
3593 : struct smbcli_options options2;
3594 : bool ok;
3595 :
3596 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3597 0 : torture_skip(tctx,
3598 : "Can't test without SMB 3.1.1 support");
3599 : }
3600 :
3601 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3602 0 : torture_skip(tctx,
3603 : "Can't test without SMB 3.1.1 signing negotiation support");
3604 : }
3605 :
3606 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3607 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3608 2 : ok = cli_credentials_set_smb_encryption(credentials,
3609 : SMB_ENCRYPTION_REQUIRED,
3610 : CRED_SPECIFIED);
3611 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3612 :
3613 2 : options1 = transport0->options;
3614 2 : options1.client_guid = GUID_random();
3615 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3616 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3617 2 : options1.signing = SMB_SIGNING_REQUIRED;
3618 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3619 : .num_algos = 1,
3620 : .algos = {
3621 : SMB2_SIGNING_AES128_CMAC,
3622 : },
3623 : };
3624 :
3625 : /* different client guid */
3626 2 : options2 = options1;
3627 2 : options2.client_guid = GUID_random();
3628 2 : options2.only_negprot = true;
3629 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3630 : .num_algos = 1,
3631 : .algos = {
3632 : SMB2_SIGNING_AES128_GMAC,
3633 : },
3634 : };
3635 :
3636 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3637 : credentials,
3638 : &options1, &options2,
3639 2 : NT_STATUS_NOT_SUPPORTED);
3640 2 : talloc_free(tree0);
3641 2 : return ret;
3642 : }
3643 :
3644 2 : static bool test_session_bind_negative_smb3signGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3645 : {
3646 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3647 2 : struct cli_credentials *credentials = NULL;
3648 2 : bool ret = false;
3649 2 : struct smb2_transport *transport0 = tree0->session->transport;
3650 : struct smbcli_options options1;
3651 : struct smbcli_options options2;
3652 : bool ok;
3653 :
3654 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3655 0 : torture_skip(tctx,
3656 : "Can't test without SMB 3.1.1 support");
3657 : }
3658 :
3659 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3660 0 : torture_skip(tctx,
3661 : "Can't test without SMB 3.1.1 signing negotiation support");
3662 : }
3663 :
3664 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3665 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3666 2 : ok = cli_credentials_set_smb_encryption(credentials,
3667 : SMB_ENCRYPTION_REQUIRED,
3668 : CRED_SPECIFIED);
3669 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3670 :
3671 2 : options1 = transport0->options;
3672 2 : options1.client_guid = GUID_random();
3673 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3674 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3675 2 : options1.signing = SMB_SIGNING_REQUIRED;
3676 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3677 : .num_algos = 1,
3678 : .algos = {
3679 : SMB2_SIGNING_AES128_GMAC,
3680 : },
3681 : };
3682 :
3683 : /* same client guid */
3684 2 : options2 = options1;
3685 2 : options2.only_negprot = true;
3686 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3687 : .num_algos = 1,
3688 : .algos = {
3689 : SMB2_SIGNING_AES128_CMAC,
3690 : },
3691 : };
3692 :
3693 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3694 : credentials,
3695 : &options1, &options2,
3696 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3697 2 : talloc_free(tree0);
3698 2 : return ret;
3699 : }
3700 :
3701 2 : static bool test_session_bind_negative_smb3signGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3702 : {
3703 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3704 2 : struct cli_credentials *credentials = NULL;
3705 2 : bool ret = false;
3706 2 : struct smb2_transport *transport0 = tree0->session->transport;
3707 : struct smbcli_options options1;
3708 : struct smbcli_options options2;
3709 : bool ok;
3710 :
3711 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3712 0 : torture_skip(tctx,
3713 : "Can't test without SMB 3.1.1 support");
3714 : }
3715 :
3716 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3717 0 : torture_skip(tctx,
3718 : "Can't test without SMB 3.1.1 signing negotiation support");
3719 : }
3720 :
3721 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3722 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3723 2 : ok = cli_credentials_set_smb_encryption(credentials,
3724 : SMB_ENCRYPTION_REQUIRED,
3725 : CRED_SPECIFIED);
3726 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3727 :
3728 2 : options1 = transport0->options;
3729 2 : options1.client_guid = GUID_random();
3730 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3731 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3732 2 : options1.signing = SMB_SIGNING_REQUIRED;
3733 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3734 : .num_algos = 1,
3735 : .algos = {
3736 : SMB2_SIGNING_AES128_GMAC,
3737 : },
3738 : };
3739 :
3740 : /* different client guid */
3741 2 : options2 = options1;
3742 2 : options2.client_guid = GUID_random();
3743 2 : options2.only_negprot = true;
3744 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3745 : .num_algos = 1,
3746 : .algos = {
3747 : SMB2_SIGNING_AES128_CMAC,
3748 : },
3749 : };
3750 :
3751 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3752 : credentials,
3753 : &options1, &options2,
3754 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3755 2 : talloc_free(tree0);
3756 2 : return ret;
3757 : }
3758 :
3759 2 : static bool test_session_bind_negative_smb3signGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
3760 : {
3761 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3762 2 : struct cli_credentials *credentials = NULL;
3763 2 : bool ret = false;
3764 2 : struct smb2_transport *transport0 = tree0->session->transport;
3765 : struct smbcli_options options1;
3766 : struct smbcli_options options2;
3767 : bool ok;
3768 :
3769 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3770 0 : torture_skip(tctx,
3771 : "Can't test without SMB 3.1.1 support");
3772 : }
3773 :
3774 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3775 0 : torture_skip(tctx,
3776 : "Can't test without SMB 3.1.1 signing negotiation support");
3777 : }
3778 :
3779 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3780 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3781 2 : ok = cli_credentials_set_smb_encryption(credentials,
3782 : SMB_ENCRYPTION_REQUIRED,
3783 : CRED_SPECIFIED);
3784 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3785 :
3786 2 : options1 = transport0->options;
3787 2 : options1.client_guid = GUID_random();
3788 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3789 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3790 2 : options1.signing = SMB_SIGNING_REQUIRED;
3791 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3792 : .num_algos = 1,
3793 : .algos = {
3794 : SMB2_SIGNING_AES128_GMAC,
3795 : },
3796 : };
3797 :
3798 : /* same client guid */
3799 2 : options2 = options1;
3800 2 : options2.only_negprot = true;
3801 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3802 : .num_algos = 1,
3803 : .algos = {
3804 : SMB2_SIGNING_HMAC_SHA256,
3805 : },
3806 : };
3807 :
3808 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3809 : credentials,
3810 : &options1, &options2,
3811 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3812 2 : talloc_free(tree0);
3813 2 : return ret;
3814 : }
3815 :
3816 2 : static bool test_session_bind_negative_smb3signGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
3817 : {
3818 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3819 2 : struct cli_credentials *credentials = NULL;
3820 2 : bool ret = false;
3821 2 : struct smb2_transport *transport0 = tree0->session->transport;
3822 : struct smbcli_options options1;
3823 : struct smbcli_options options2;
3824 : bool ok;
3825 :
3826 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3827 0 : torture_skip(tctx,
3828 : "Can't test without SMB 3.1.1 support");
3829 : }
3830 :
3831 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3832 0 : torture_skip(tctx,
3833 : "Can't test without SMB 3.1.1 signing negotiation support");
3834 : }
3835 :
3836 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3837 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3838 2 : ok = cli_credentials_set_smb_encryption(credentials,
3839 : SMB_ENCRYPTION_REQUIRED,
3840 : CRED_SPECIFIED);
3841 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3842 :
3843 2 : options1 = transport0->options;
3844 2 : options1.client_guid = GUID_random();
3845 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3846 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3847 2 : options1.signing = SMB_SIGNING_REQUIRED;
3848 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3849 : .num_algos = 1,
3850 : .algos = {
3851 : SMB2_SIGNING_AES128_GMAC,
3852 : },
3853 : };
3854 :
3855 : /* different client guid */
3856 2 : options2 = options1;
3857 2 : options2.client_guid = GUID_random();
3858 2 : options2.only_negprot = true;
3859 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3860 : .num_algos = 1,
3861 : .algos = {
3862 : SMB2_SIGNING_HMAC_SHA256,
3863 : },
3864 : };
3865 :
3866 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3867 : credentials,
3868 : &options1, &options2,
3869 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3870 2 : talloc_free(tree0);
3871 2 : return ret;
3872 : }
3873 :
3874 2 : static bool test_session_bind_negative_smb3sneGtoCs(struct torture_context *tctx, struct smb2_tree *tree0)
3875 : {
3876 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3877 2 : struct cli_credentials *credentials = NULL;
3878 2 : bool ret = false;
3879 2 : struct smb2_transport *transport0 = tree0->session->transport;
3880 : struct smbcli_options options1;
3881 : struct smbcli_options options2;
3882 : bool ok;
3883 :
3884 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3885 0 : torture_skip(tctx,
3886 : "Can't test without SMB 3.1.1 support");
3887 : }
3888 :
3889 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3890 0 : torture_skip(tctx,
3891 : "Can't test without SMB 3.1.1 signing negotiation support");
3892 : }
3893 :
3894 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3895 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3896 2 : ok = cli_credentials_set_smb_encryption(credentials,
3897 : SMB_ENCRYPTION_REQUIRED,
3898 : CRED_SPECIFIED);
3899 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3900 :
3901 2 : options1 = transport0->options;
3902 2 : options1.client_guid = GUID_random();
3903 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3904 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3905 2 : options1.signing = SMB_SIGNING_REQUIRED;
3906 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3907 : .num_algos = 1,
3908 : .algos = {
3909 : SMB2_SIGNING_AES128_GMAC,
3910 : },
3911 : };
3912 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3913 : .num_algos = 1,
3914 : .algos = {
3915 : SMB2_ENCRYPTION_AES128_GCM,
3916 : },
3917 : };
3918 :
3919 : /* same client guid */
3920 2 : options2 = options1;
3921 2 : options2.only_negprot = true;
3922 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3923 : .num_algos = 1,
3924 : .algos = {
3925 : SMB2_SIGNING_AES128_CMAC,
3926 : },
3927 : };
3928 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3929 : .num_algos = 1,
3930 : .algos = {
3931 : SMB2_ENCRYPTION_AES128_CCM,
3932 : },
3933 : };
3934 :
3935 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
3936 : credentials,
3937 : &options1, &options2,
3938 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
3939 2 : talloc_free(tree0);
3940 2 : return ret;
3941 : }
3942 :
3943 2 : static bool test_session_bind_negative_smb3sneGtoCd(struct torture_context *tctx, struct smb2_tree *tree0)
3944 : {
3945 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
3946 2 : struct cli_credentials *credentials = NULL;
3947 2 : bool ret = false;
3948 2 : struct smb2_transport *transport0 = tree0->session->transport;
3949 : struct smbcli_options options1;
3950 : struct smbcli_options options2;
3951 : bool ok;
3952 :
3953 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
3954 0 : torture_skip(tctx,
3955 : "Can't test without SMB 3.1.1 support");
3956 : }
3957 :
3958 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
3959 0 : torture_skip(tctx,
3960 : "Can't test without SMB 3.1.1 signing negotiation support");
3961 : }
3962 :
3963 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
3964 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
3965 2 : ok = cli_credentials_set_smb_encryption(credentials,
3966 : SMB_ENCRYPTION_REQUIRED,
3967 : CRED_SPECIFIED);
3968 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
3969 :
3970 2 : options1 = transport0->options;
3971 2 : options1.client_guid = GUID_random();
3972 2 : options1.min_protocol = PROTOCOL_SMB3_11;
3973 2 : options1.max_protocol = PROTOCOL_SMB3_11;
3974 2 : options1.signing = SMB_SIGNING_REQUIRED;
3975 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3976 : .num_algos = 1,
3977 : .algos = {
3978 : SMB2_SIGNING_AES128_GMAC,
3979 : },
3980 : };
3981 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3982 : .num_algos = 1,
3983 : .algos = {
3984 : SMB2_ENCRYPTION_AES128_GCM,
3985 : },
3986 : };
3987 :
3988 : /* different client guid */
3989 2 : options2 = options1;
3990 2 : options2.client_guid = GUID_random();
3991 2 : options2.only_negprot = true;
3992 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
3993 : .num_algos = 1,
3994 : .algos = {
3995 : SMB2_SIGNING_AES128_CMAC,
3996 : },
3997 : };
3998 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
3999 : .num_algos = 1,
4000 : .algos = {
4001 : SMB2_ENCRYPTION_AES128_CCM,
4002 : },
4003 : };
4004 :
4005 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4006 : credentials,
4007 : &options1, &options2,
4008 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4009 2 : talloc_free(tree0);
4010 2 : return ret;
4011 : }
4012 :
4013 2 : static bool test_session_bind_negative_smb3sneGtoHs(struct torture_context *tctx, struct smb2_tree *tree0)
4014 : {
4015 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4016 2 : struct cli_credentials *credentials = NULL;
4017 2 : bool ret = false;
4018 2 : struct smb2_transport *transport0 = tree0->session->transport;
4019 : struct smbcli_options options1;
4020 : struct smbcli_options options2;
4021 : bool ok;
4022 :
4023 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4024 0 : torture_skip(tctx,
4025 : "Can't test without SMB 3.1.1 support");
4026 : }
4027 :
4028 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4029 0 : torture_skip(tctx,
4030 : "Can't test without SMB 3.1.1 signing negotiation support");
4031 : }
4032 :
4033 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4034 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4035 2 : ok = cli_credentials_set_smb_encryption(credentials,
4036 : SMB_ENCRYPTION_REQUIRED,
4037 : CRED_SPECIFIED);
4038 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4039 :
4040 2 : options1 = transport0->options;
4041 2 : options1.client_guid = GUID_random();
4042 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4043 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4044 2 : options1.signing = SMB_SIGNING_REQUIRED;
4045 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4046 : .num_algos = 1,
4047 : .algos = {
4048 : SMB2_SIGNING_AES128_GMAC,
4049 : },
4050 : };
4051 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4052 : .num_algos = 1,
4053 : .algos = {
4054 : SMB2_ENCRYPTION_AES128_GCM,
4055 : },
4056 : };
4057 :
4058 : /* same client guid */
4059 2 : options2 = options1;
4060 2 : options2.only_negprot = true;
4061 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4062 : .num_algos = 1,
4063 : .algos = {
4064 : SMB2_SIGNING_HMAC_SHA256,
4065 : },
4066 : };
4067 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4068 : .num_algos = 1,
4069 : .algos = {
4070 : SMB2_ENCRYPTION_AES128_CCM,
4071 : },
4072 : };
4073 :
4074 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4075 : credentials,
4076 : &options1, &options2,
4077 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4078 2 : talloc_free(tree0);
4079 2 : return ret;
4080 : }
4081 :
4082 2 : static bool test_session_bind_negative_smb3sneGtoHd(struct torture_context *tctx, struct smb2_tree *tree0)
4083 : {
4084 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4085 2 : struct cli_credentials *credentials = NULL;
4086 2 : bool ret = false;
4087 2 : struct smb2_transport *transport0 = tree0->session->transport;
4088 : struct smbcli_options options1;
4089 : struct smbcli_options options2;
4090 : bool ok;
4091 :
4092 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4093 0 : torture_skip(tctx,
4094 : "Can't test without SMB 3.1.1 support");
4095 : }
4096 :
4097 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4098 0 : torture_skip(tctx,
4099 : "Can't test without SMB 3.1.1 signing negotiation support");
4100 : }
4101 :
4102 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4103 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4104 2 : ok = cli_credentials_set_smb_encryption(credentials,
4105 : SMB_ENCRYPTION_REQUIRED,
4106 : CRED_SPECIFIED);
4107 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4108 :
4109 2 : options1 = transport0->options;
4110 2 : options1.client_guid = GUID_random();
4111 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4112 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4113 2 : options1.signing = SMB_SIGNING_REQUIRED;
4114 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4115 : .num_algos = 1,
4116 : .algos = {
4117 : SMB2_SIGNING_AES128_GMAC,
4118 : },
4119 : };
4120 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4121 : .num_algos = 1,
4122 : .algos = {
4123 : SMB2_ENCRYPTION_AES128_GCM,
4124 : },
4125 : };
4126 :
4127 : /* different client guid */
4128 2 : options2 = options1;
4129 2 : options2.client_guid = GUID_random();
4130 2 : options2.only_negprot = true;
4131 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4132 : .num_algos = 1,
4133 : .algos = {
4134 : SMB2_SIGNING_HMAC_SHA256,
4135 : },
4136 : };
4137 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4138 : .num_algos = 1,
4139 : .algos = {
4140 : SMB2_ENCRYPTION_AES128_CCM,
4141 : },
4142 : };
4143 :
4144 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4145 : credentials,
4146 : &options1, &options2,
4147 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4148 2 : talloc_free(tree0);
4149 2 : return ret;
4150 : }
4151 :
4152 2 : static bool test_session_bind_negative_smb3sneCtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4153 : {
4154 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4155 2 : struct cli_credentials *credentials = NULL;
4156 2 : bool ret = false;
4157 2 : struct smb2_transport *transport0 = tree0->session->transport;
4158 : struct smbcli_options options1;
4159 : struct smbcli_options options2;
4160 : bool ok;
4161 :
4162 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4163 0 : torture_skip(tctx,
4164 : "Can't test without SMB 3.1.1 support");
4165 : }
4166 :
4167 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4168 0 : torture_skip(tctx,
4169 : "Can't test without SMB 3.1.1 signing negotiation support");
4170 : }
4171 :
4172 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4173 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4174 2 : ok = cli_credentials_set_smb_encryption(credentials,
4175 : SMB_ENCRYPTION_REQUIRED,
4176 : CRED_SPECIFIED);
4177 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4178 :
4179 2 : options1 = transport0->options;
4180 2 : options1.client_guid = GUID_random();
4181 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4182 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4183 2 : options1.signing = SMB_SIGNING_REQUIRED;
4184 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4185 : .num_algos = 1,
4186 : .algos = {
4187 : SMB2_SIGNING_AES128_CMAC,
4188 : },
4189 : };
4190 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4191 : .num_algos = 1,
4192 : .algos = {
4193 : SMB2_ENCRYPTION_AES128_CCM,
4194 : },
4195 : };
4196 :
4197 : /* same client guid */
4198 2 : options2 = options1;
4199 2 : options2.only_negprot = true;
4200 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4201 : .num_algos = 1,
4202 : .algos = {
4203 : SMB2_SIGNING_AES128_GMAC,
4204 : },
4205 : };
4206 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4207 : .num_algos = 1,
4208 : .algos = {
4209 : SMB2_ENCRYPTION_AES128_GCM,
4210 : },
4211 : };
4212 :
4213 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4214 : credentials,
4215 : &options1, &options2,
4216 2 : NT_STATUS_NOT_SUPPORTED);
4217 2 : talloc_free(tree0);
4218 2 : return ret;
4219 : }
4220 :
4221 2 : static bool test_session_bind_negative_smb3sneCtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4222 : {
4223 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4224 2 : struct cli_credentials *credentials = NULL;
4225 2 : bool ret = false;
4226 2 : struct smb2_transport *transport0 = tree0->session->transport;
4227 : struct smbcli_options options1;
4228 : struct smbcli_options options2;
4229 : bool ok;
4230 :
4231 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4232 0 : torture_skip(tctx,
4233 : "Can't test without SMB 3.1.1 support");
4234 : }
4235 :
4236 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4237 0 : torture_skip(tctx,
4238 : "Can't test without SMB 3.1.1 signing negotiation support");
4239 : }
4240 :
4241 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4242 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4243 2 : ok = cli_credentials_set_smb_encryption(credentials,
4244 : SMB_ENCRYPTION_REQUIRED,
4245 : CRED_SPECIFIED);
4246 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4247 :
4248 2 : options1 = transport0->options;
4249 2 : options1.client_guid = GUID_random();
4250 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4251 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4252 2 : options1.signing = SMB_SIGNING_REQUIRED;
4253 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4254 : .num_algos = 1,
4255 : .algos = {
4256 : SMB2_SIGNING_AES128_CMAC,
4257 : },
4258 : };
4259 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4260 : .num_algos = 1,
4261 : .algos = {
4262 : SMB2_ENCRYPTION_AES128_CCM,
4263 : },
4264 : };
4265 :
4266 : /* different client guid */
4267 2 : options2 = options1;
4268 2 : options2.client_guid = GUID_random();
4269 2 : options2.only_negprot = true;
4270 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4271 : .num_algos = 1,
4272 : .algos = {
4273 : SMB2_SIGNING_AES128_GMAC,
4274 : },
4275 : };
4276 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4277 : .num_algos = 1,
4278 : .algos = {
4279 : SMB2_ENCRYPTION_AES128_GCM,
4280 : },
4281 : };
4282 :
4283 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4284 : credentials,
4285 : &options1, &options2,
4286 2 : NT_STATUS_NOT_SUPPORTED);
4287 2 : talloc_free(tree0);
4288 2 : return ret;
4289 : }
4290 :
4291 2 : static bool test_session_bind_negative_smb3sneHtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4292 : {
4293 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4294 2 : struct cli_credentials *credentials = NULL;
4295 2 : bool ret = false;
4296 2 : struct smb2_transport *transport0 = tree0->session->transport;
4297 : struct smbcli_options options1;
4298 : struct smbcli_options options2;
4299 : bool ok;
4300 :
4301 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4302 0 : torture_skip(tctx,
4303 : "Can't test without SMB 3.1.1 support");
4304 : }
4305 :
4306 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4307 0 : torture_skip(tctx,
4308 : "Can't test without SMB 3.1.1 signing negotiation support");
4309 : }
4310 :
4311 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4312 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4313 2 : ok = cli_credentials_set_smb_encryption(credentials,
4314 : SMB_ENCRYPTION_REQUIRED,
4315 : CRED_SPECIFIED);
4316 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4317 :
4318 2 : options1 = transport0->options;
4319 2 : options1.client_guid = GUID_random();
4320 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4321 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4322 2 : options1.signing = SMB_SIGNING_REQUIRED;
4323 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4324 : .num_algos = 1,
4325 : .algos = {
4326 : SMB2_SIGNING_HMAC_SHA256,
4327 : },
4328 : };
4329 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4330 : .num_algos = 1,
4331 : .algos = {
4332 : SMB2_ENCRYPTION_AES128_CCM,
4333 : },
4334 : };
4335 :
4336 : /* same client guid */
4337 2 : options2 = options1;
4338 2 : options2.only_negprot = true;
4339 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4340 : .num_algos = 1,
4341 : .algos = {
4342 : SMB2_SIGNING_AES128_GMAC,
4343 : },
4344 : };
4345 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4346 : .num_algos = 1,
4347 : .algos = {
4348 : SMB2_ENCRYPTION_AES128_GCM,
4349 : },
4350 : };
4351 :
4352 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4353 : credentials,
4354 : &options1, &options2,
4355 2 : NT_STATUS_NOT_SUPPORTED);
4356 2 : talloc_free(tree0);
4357 2 : return ret;
4358 : }
4359 :
4360 2 : static bool test_session_bind_negative_smb3sneHtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4361 : {
4362 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4363 2 : struct cli_credentials *credentials = NULL;
4364 2 : bool ret = false;
4365 2 : struct smb2_transport *transport0 = tree0->session->transport;
4366 : struct smbcli_options options1;
4367 : struct smbcli_options options2;
4368 : bool ok;
4369 :
4370 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4371 0 : torture_skip(tctx,
4372 : "Can't test without SMB 3.1.1 support");
4373 : }
4374 :
4375 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4376 0 : torture_skip(tctx,
4377 : "Can't test without SMB 3.1.1 signing negotiation support");
4378 : }
4379 :
4380 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4381 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4382 2 : ok = cli_credentials_set_smb_encryption(credentials,
4383 : SMB_ENCRYPTION_REQUIRED,
4384 : CRED_SPECIFIED);
4385 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4386 :
4387 2 : options1 = transport0->options;
4388 2 : options1.client_guid = GUID_random();
4389 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4390 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4391 2 : options1.signing = SMB_SIGNING_REQUIRED;
4392 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4393 : .num_algos = 1,
4394 : .algos = {
4395 : SMB2_SIGNING_HMAC_SHA256,
4396 : },
4397 : };
4398 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4399 : .num_algos = 1,
4400 : .algos = {
4401 : SMB2_ENCRYPTION_AES128_CCM,
4402 : },
4403 : };
4404 :
4405 : /* different client guid */
4406 2 : options2 = options1;
4407 2 : options2.client_guid = GUID_random();
4408 2 : options2.only_negprot = true;
4409 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4410 : .num_algos = 1,
4411 : .algos = {
4412 : SMB2_SIGNING_AES128_GMAC,
4413 : },
4414 : };
4415 2 : options2.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
4416 : .num_algos = 1,
4417 : .algos = {
4418 : SMB2_ENCRYPTION_AES128_GCM,
4419 : },
4420 : };
4421 :
4422 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4423 : credentials,
4424 : &options1, &options2,
4425 2 : NT_STATUS_NOT_SUPPORTED);
4426 2 : talloc_free(tree0);
4427 2 : return ret;
4428 : }
4429 :
4430 2 : static bool test_session_bind_negative_smb3signC30toGs(struct torture_context *tctx, struct smb2_tree *tree0)
4431 : {
4432 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4433 2 : struct cli_credentials *credentials = NULL;
4434 2 : bool ret = false;
4435 2 : struct smb2_transport *transport0 = tree0->session->transport;
4436 : struct smbcli_options options1;
4437 : struct smbcli_options options2;
4438 : bool ok;
4439 :
4440 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4441 0 : torture_skip(tctx,
4442 : "Can't test without SMB 3.1.1 support");
4443 : }
4444 :
4445 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4446 0 : torture_skip(tctx,
4447 : "Can't test without SMB 3.1.1 signing negotiation support");
4448 : }
4449 :
4450 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4451 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4452 2 : ok = cli_credentials_set_smb_encryption(credentials,
4453 : SMB_ENCRYPTION_REQUIRED,
4454 : CRED_SPECIFIED);
4455 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4456 :
4457 2 : options1 = transport0->options;
4458 2 : options1.client_guid = GUID_random();
4459 2 : options1.min_protocol = PROTOCOL_SMB3_00;
4460 2 : options1.max_protocol = PROTOCOL_SMB3_02;
4461 2 : options1.signing = SMB_SIGNING_REQUIRED;
4462 :
4463 : /* same client guid */
4464 2 : options2 = options1;
4465 2 : options2.only_negprot = true;
4466 2 : options2.min_protocol = PROTOCOL_SMB3_11;
4467 2 : options2.max_protocol = PROTOCOL_SMB3_11;
4468 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4469 : .num_algos = 1,
4470 : .algos = {
4471 : SMB2_SIGNING_AES128_GMAC,
4472 : },
4473 : };
4474 :
4475 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4476 : credentials,
4477 : &options1, &options2,
4478 2 : NT_STATUS_NOT_SUPPORTED);
4479 2 : talloc_free(tree0);
4480 2 : return ret;
4481 : }
4482 :
4483 2 : static bool test_session_bind_negative_smb3signC30toGd(struct torture_context *tctx, struct smb2_tree *tree0)
4484 : {
4485 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4486 2 : struct cli_credentials *credentials = NULL;
4487 2 : bool ret = false;
4488 2 : struct smb2_transport *transport0 = tree0->session->transport;
4489 : struct smbcli_options options1;
4490 : struct smbcli_options options2;
4491 : bool ok;
4492 :
4493 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4494 0 : torture_skip(tctx,
4495 : "Can't test without SMB 3.1.1 support");
4496 : }
4497 :
4498 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4499 0 : torture_skip(tctx,
4500 : "Can't test without SMB 3.1.1 signing negotiation support");
4501 : }
4502 :
4503 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4504 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4505 2 : ok = cli_credentials_set_smb_encryption(credentials,
4506 : SMB_ENCRYPTION_REQUIRED,
4507 : CRED_SPECIFIED);
4508 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4509 :
4510 2 : options1 = transport0->options;
4511 2 : options1.client_guid = GUID_random();
4512 2 : options1.min_protocol = PROTOCOL_SMB3_00;
4513 2 : options1.max_protocol = PROTOCOL_SMB3_02;
4514 2 : options1.signing = SMB_SIGNING_REQUIRED;
4515 :
4516 : /* different client guid */
4517 2 : options2 = options1;
4518 2 : options2.client_guid = GUID_random();
4519 2 : options2.only_negprot = true;
4520 2 : options2.min_protocol = PROTOCOL_SMB3_11;
4521 2 : options2.max_protocol = PROTOCOL_SMB3_11;
4522 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4523 : .num_algos = 1,
4524 : .algos = {
4525 : SMB2_SIGNING_AES128_GMAC,
4526 : },
4527 : };
4528 :
4529 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4530 : credentials,
4531 : &options1, &options2,
4532 2 : NT_STATUS_NOT_SUPPORTED);
4533 2 : talloc_free(tree0);
4534 2 : return ret;
4535 : }
4536 :
4537 2 : static bool test_session_bind_negative_smb3signH2XtoGs(struct torture_context *tctx, struct smb2_tree *tree0)
4538 : {
4539 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4540 2 : struct cli_credentials *credentials = NULL;
4541 2 : bool ret = false;
4542 2 : struct smb2_transport *transport0 = tree0->session->transport;
4543 : struct smbcli_options options1;
4544 : struct smbcli_options options2;
4545 : bool ok;
4546 : bool encrypted;
4547 :
4548 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4549 2 : if (encrypted) {
4550 0 : torture_skip(tctx,
4551 : "Can't test SMB 2.10 if encrytion is required");
4552 : }
4553 :
4554 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4555 0 : torture_skip(tctx,
4556 : "Can't test without SMB 3.1.1 support");
4557 : }
4558 :
4559 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4560 0 : torture_skip(tctx,
4561 : "Can't test without SMB 3.1.1 signing negotiation support");
4562 : }
4563 :
4564 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4565 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4566 2 : ok = cli_credentials_set_smb_encryption(credentials,
4567 : SMB_ENCRYPTION_OFF,
4568 : CRED_SPECIFIED);
4569 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4570 :
4571 2 : options1 = transport0->options;
4572 2 : options1.client_guid = GUID_random();
4573 2 : options1.min_protocol = PROTOCOL_SMB2_02;
4574 2 : options1.max_protocol = PROTOCOL_SMB2_10;
4575 2 : options1.signing = SMB_SIGNING_REQUIRED;
4576 :
4577 : /* same client guid */
4578 2 : options2 = options1;
4579 2 : options2.only_negprot = true;
4580 2 : options2.min_protocol = PROTOCOL_SMB3_11;
4581 2 : options2.max_protocol = PROTOCOL_SMB3_11;
4582 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4583 : .num_algos = 1,
4584 : .algos = {
4585 : SMB2_SIGNING_AES128_GMAC,
4586 : },
4587 : };
4588 :
4589 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4590 : credentials,
4591 : &options1, &options2,
4592 2 : NT_STATUS_NOT_SUPPORTED);
4593 2 : talloc_free(tree0);
4594 2 : return ret;
4595 : }
4596 :
4597 2 : static bool test_session_bind_negative_smb3signH2XtoGd(struct torture_context *tctx, struct smb2_tree *tree0)
4598 : {
4599 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4600 2 : struct cli_credentials *credentials = NULL;
4601 2 : bool ret = false;
4602 2 : struct smb2_transport *transport0 = tree0->session->transport;
4603 : struct smbcli_options options1;
4604 : struct smbcli_options options2;
4605 : bool ok;
4606 : bool encrypted;
4607 :
4608 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4609 2 : if (encrypted) {
4610 0 : torture_skip(tctx,
4611 : "Can't test SMB 2.10 if encrytion is required");
4612 : }
4613 :
4614 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4615 0 : torture_skip(tctx,
4616 : "Can't test without SMB 3.1.1 support");
4617 : }
4618 :
4619 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4620 0 : torture_skip(tctx,
4621 : "Can't test without SMB 3.1.1 signing negotiation support");
4622 : }
4623 :
4624 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4625 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4626 2 : ok = cli_credentials_set_smb_encryption(credentials,
4627 : SMB_ENCRYPTION_OFF,
4628 : CRED_SPECIFIED);
4629 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4630 :
4631 2 : options1 = transport0->options;
4632 2 : options1.client_guid = GUID_random();
4633 2 : options1.min_protocol = PROTOCOL_SMB2_02;
4634 2 : options1.max_protocol = PROTOCOL_SMB2_10;
4635 2 : options1.signing = SMB_SIGNING_REQUIRED;
4636 :
4637 : /* different client guid */
4638 2 : options2 = options1;
4639 2 : options2.client_guid = GUID_random();
4640 2 : options2.only_negprot = true;
4641 2 : options2.min_protocol = PROTOCOL_SMB3_11;
4642 2 : options2.max_protocol = PROTOCOL_SMB3_11;
4643 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4644 : .num_algos = 1,
4645 : .algos = {
4646 : SMB2_SIGNING_AES128_GMAC,
4647 : },
4648 : };
4649 :
4650 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4651 : credentials,
4652 : &options1, &options2,
4653 2 : NT_STATUS_NOT_SUPPORTED);
4654 2 : talloc_free(tree0);
4655 2 : return ret;
4656 : }
4657 :
4658 2 : static bool test_session_bind_negative_smb3signGtoC30s(struct torture_context *tctx, struct smb2_tree *tree0)
4659 : {
4660 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4661 2 : struct cli_credentials *credentials = NULL;
4662 2 : bool ret = false;
4663 2 : struct smb2_transport *transport0 = tree0->session->transport;
4664 : struct smbcli_options options1;
4665 : struct smbcli_options options2;
4666 : bool ok;
4667 :
4668 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4669 0 : torture_skip(tctx,
4670 : "Can't test without SMB 3.1.1 support");
4671 : }
4672 :
4673 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4674 0 : torture_skip(tctx,
4675 : "Can't test without SMB 3.1.1 signing negotiation support");
4676 : }
4677 :
4678 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4679 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4680 2 : ok = cli_credentials_set_smb_encryption(credentials,
4681 : SMB_ENCRYPTION_REQUIRED,
4682 : CRED_SPECIFIED);
4683 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4684 :
4685 2 : options1 = transport0->options;
4686 2 : options1.client_guid = GUID_random();
4687 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4688 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4689 2 : options1.signing = SMB_SIGNING_REQUIRED;
4690 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4691 : .num_algos = 1,
4692 : .algos = {
4693 : SMB2_SIGNING_AES128_GMAC,
4694 : },
4695 : };
4696 :
4697 : /* same client guid */
4698 2 : options2 = options1;
4699 2 : options2.only_negprot = true;
4700 2 : options2.min_protocol = PROTOCOL_SMB3_00;
4701 2 : options2.max_protocol = PROTOCOL_SMB3_02;
4702 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4703 : .num_algos = 1,
4704 : .algos = {
4705 : SMB2_SIGNING_AES128_CMAC,
4706 : },
4707 : };
4708 :
4709 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4710 : credentials,
4711 : &options1, &options2,
4712 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4713 2 : talloc_free(tree0);
4714 2 : return ret;
4715 : }
4716 :
4717 2 : static bool test_session_bind_negative_smb3signGtoC30d(struct torture_context *tctx, struct smb2_tree *tree0)
4718 : {
4719 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4720 2 : struct cli_credentials *credentials = NULL;
4721 2 : bool ret = false;
4722 2 : struct smb2_transport *transport0 = tree0->session->transport;
4723 : struct smbcli_options options1;
4724 : struct smbcli_options options2;
4725 : bool ok;
4726 :
4727 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4728 0 : torture_skip(tctx,
4729 : "Can't test without SMB 3.1.1 support");
4730 : }
4731 :
4732 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4733 0 : torture_skip(tctx,
4734 : "Can't test without SMB 3.1.1 signing negotiation support");
4735 : }
4736 :
4737 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4738 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4739 2 : ok = cli_credentials_set_smb_encryption(credentials,
4740 : SMB_ENCRYPTION_REQUIRED,
4741 : CRED_SPECIFIED);
4742 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4743 :
4744 2 : options1 = transport0->options;
4745 2 : options1.client_guid = GUID_random();
4746 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4747 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4748 2 : options1.signing = SMB_SIGNING_REQUIRED;
4749 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4750 : .num_algos = 1,
4751 : .algos = {
4752 : SMB2_SIGNING_AES128_GMAC,
4753 : },
4754 : };
4755 :
4756 : /* different client guid */
4757 2 : options2 = options1;
4758 2 : options2.client_guid = GUID_random();
4759 2 : options2.only_negprot = true;
4760 2 : options2.min_protocol = PROTOCOL_SMB3_00;
4761 2 : options2.max_protocol = PROTOCOL_SMB3_02;
4762 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4763 : .num_algos = 1,
4764 : .algos = {
4765 : SMB2_SIGNING_AES128_CMAC,
4766 : },
4767 : };
4768 :
4769 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4770 : credentials,
4771 : &options1, &options2,
4772 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4773 2 : talloc_free(tree0);
4774 2 : return ret;
4775 : }
4776 :
4777 2 : static bool test_session_bind_negative_smb3signGtoH2Xs(struct torture_context *tctx, struct smb2_tree *tree0)
4778 : {
4779 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4780 2 : struct cli_credentials *credentials = NULL;
4781 2 : bool ret = false;
4782 2 : struct smb2_transport *transport0 = tree0->session->transport;
4783 : struct smbcli_options options1;
4784 : struct smbcli_options options2;
4785 : bool ok;
4786 : bool encrypted;
4787 :
4788 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4789 2 : if (encrypted) {
4790 0 : torture_skip(tctx,
4791 : "Can't test SMB 2.10 if encrytion is required");
4792 : }
4793 :
4794 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4795 0 : torture_skip(tctx,
4796 : "Can't test without SMB 3.1.1 support");
4797 : }
4798 :
4799 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4800 0 : torture_skip(tctx,
4801 : "Can't test without SMB 3.1.1 signing negotiation support");
4802 : }
4803 :
4804 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4805 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4806 2 : ok = cli_credentials_set_smb_encryption(credentials,
4807 : SMB_ENCRYPTION_REQUIRED,
4808 : CRED_SPECIFIED);
4809 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4810 :
4811 2 : options1 = transport0->options;
4812 2 : options1.client_guid = GUID_random();
4813 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4814 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4815 2 : options1.signing = SMB_SIGNING_REQUIRED;
4816 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4817 : .num_algos = 1,
4818 : .algos = {
4819 : SMB2_SIGNING_AES128_GMAC,
4820 : },
4821 : };
4822 :
4823 : /* same client guid */
4824 2 : options2 = options1;
4825 2 : options2.only_negprot = true;
4826 2 : options2.min_protocol = PROTOCOL_SMB2_02;
4827 2 : options2.max_protocol = PROTOCOL_SMB2_10;
4828 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4829 : .num_algos = 1,
4830 : .algos = {
4831 : SMB2_SIGNING_HMAC_SHA256,
4832 : },
4833 : };
4834 :
4835 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4836 : credentials,
4837 : &options1, &options2,
4838 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4839 2 : talloc_free(tree0);
4840 2 : return ret;
4841 : }
4842 :
4843 2 : static bool test_session_bind_negative_smb3signGtoH2Xd(struct torture_context *tctx, struct smb2_tree *tree0)
4844 : {
4845 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
4846 2 : struct cli_credentials *credentials = NULL;
4847 2 : bool ret = false;
4848 2 : struct smb2_transport *transport0 = tree0->session->transport;
4849 : struct smbcli_options options1;
4850 : struct smbcli_options options2;
4851 : bool ok;
4852 : bool encrypted;
4853 :
4854 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
4855 2 : if (encrypted) {
4856 0 : torture_skip(tctx,
4857 : "Can't test SMB 2.10 if encrytion is required");
4858 : }
4859 :
4860 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
4861 0 : torture_skip(tctx,
4862 : "Can't test without SMB 3.1.1 support");
4863 : }
4864 :
4865 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
4866 0 : torture_skip(tctx,
4867 : "Can't test without SMB 3.1.1 signing negotiation support");
4868 : }
4869 :
4870 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
4871 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
4872 2 : ok = cli_credentials_set_smb_encryption(credentials,
4873 : SMB_ENCRYPTION_REQUIRED,
4874 : CRED_SPECIFIED);
4875 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
4876 :
4877 2 : options1 = transport0->options;
4878 2 : options1.client_guid = GUID_random();
4879 2 : options1.min_protocol = PROTOCOL_SMB3_11;
4880 2 : options1.max_protocol = PROTOCOL_SMB3_11;
4881 2 : options1.signing = SMB_SIGNING_REQUIRED;
4882 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4883 : .num_algos = 1,
4884 : .algos = {
4885 : SMB2_SIGNING_AES128_GMAC,
4886 : },
4887 : };
4888 :
4889 : /* different client guid */
4890 2 : options2 = options1;
4891 2 : options2.client_guid = GUID_random();
4892 2 : options2.only_negprot = true;
4893 2 : options2.min_protocol = PROTOCOL_SMB2_02;
4894 2 : options2.max_protocol = PROTOCOL_SMB2_10;
4895 2 : options2.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
4896 : .num_algos = 1,
4897 : .algos = {
4898 : SMB2_SIGNING_HMAC_SHA256,
4899 : },
4900 : };
4901 :
4902 2 : ret = test_session_bind_negative_smbXtoX(tctx, __func__,
4903 : credentials,
4904 : &options1, &options2,
4905 2 : NT_STATUS_REQUEST_OUT_OF_SEQUENCE);
4906 2 : talloc_free(tree0);
4907 2 : return ret;
4908 : }
4909 :
4910 2 : static bool test_session_two_logoff(struct torture_context *tctx,
4911 : struct smb2_tree *tree1)
4912 : {
4913 : NTSTATUS status;
4914 2 : bool ret = true;
4915 : struct smbcli_options transport2_options;
4916 2 : struct smb2_tree *tree2 = NULL;
4917 2 : struct smb2_session *session2 = NULL;
4918 2 : struct smb2_session *session1 = tree1->session;
4919 2 : struct smb2_transport *transport1 = tree1->session->transport;
4920 : struct smb2_transport *transport2;
4921 : bool ok;
4922 :
4923 : /* Connect 2nd connection */
4924 2 : torture_comment(tctx, "connect tree2 with the same client_guid\n");
4925 2 : transport2_options = transport1->options;
4926 2 : ok = torture_smb2_connection_ext(tctx, 0, &transport2_options, &tree2);
4927 2 : torture_assert(tctx, ok, "couldn't connect tree2\n");
4928 2 : transport2 = tree2->session->transport;
4929 2 : session2 = tree2->session;
4930 :
4931 2 : torture_comment(tctx, "session2: logoff\n");
4932 2 : status = smb2_logoff(session2);
4933 2 : torture_assert_ntstatus_ok(tctx, status, "session2: logoff");
4934 2 : torture_comment(tctx, "transport2: keepalive\n");
4935 2 : status = smb2_keepalive(transport2);
4936 2 : torture_assert_ntstatus_ok(tctx, status, "transport2: keepalive");
4937 2 : torture_comment(tctx, "transport2: disconnect\n");
4938 2 : TALLOC_FREE(tree2);
4939 :
4940 2 : torture_comment(tctx, "session1: logoff\n");
4941 2 : status = smb2_logoff(session1);
4942 2 : torture_assert_ntstatus_ok(tctx, status, "session1: logoff");
4943 2 : torture_comment(tctx, "transport1: keepalive\n");
4944 2 : status = smb2_keepalive(transport1);
4945 2 : torture_assert_ntstatus_ok(tctx, status, "transport1: keepalive");
4946 2 : torture_comment(tctx, "transport1: disconnect\n");
4947 2 : TALLOC_FREE(tree1);
4948 :
4949 2 : return ret;
4950 : }
4951 :
4952 14 : static bool test_session_sign_enc(struct torture_context *tctx,
4953 : const char *testname,
4954 : struct cli_credentials *credentials1,
4955 : const struct smbcli_options *options1)
4956 : {
4957 14 : const char *host = torture_setting_string(tctx, "host", NULL);
4958 14 : const char *share = torture_setting_string(tctx, "share", NULL);
4959 : NTSTATUS status;
4960 14 : bool ret = false;
4961 14 : struct smb2_tree *tree1 = NULL;
4962 : char fname[256];
4963 14 : struct smb2_handle rh = {{0}};
4964 : struct smb2_handle _h1;
4965 14 : struct smb2_handle *h1 = NULL;
4966 : struct smb2_create io1;
4967 : union smb_fileinfo qfinfo1;
4968 : union smb_notify notify;
4969 14 : struct smb2_request *req = NULL;
4970 :
4971 14 : status = smb2_connect(tctx,
4972 : host,
4973 : lpcfg_smb_ports(tctx->lp_ctx),
4974 : share,
4975 : lpcfg_resolve_context(tctx->lp_ctx),
4976 : credentials1,
4977 : &tree1,
4978 : tctx->ev,
4979 : options1,
4980 : lpcfg_socket_options(tctx->lp_ctx),
4981 : lpcfg_gensec_settings(tctx, tctx->lp_ctx)
4982 : );
4983 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
4984 : "smb2_connect options1 failed");
4985 :
4986 14 : status = smb2_util_roothandle(tree1, &rh);
4987 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
4988 : "smb2_util_roothandle failed");
4989 :
4990 : /* Add some random component to the file name. */
4991 14 : snprintf(fname, sizeof(fname), "%s_%s.dat",
4992 : testname, generate_random_str(tctx, 8));
4993 :
4994 14 : smb2_util_unlink(tree1, fname);
4995 :
4996 14 : smb2_oplock_create_share(&io1, fname,
4997 : smb2_util_share_access(""),
4998 14 : smb2_util_oplock_level("b"));
4999 :
5000 14 : io1.in.create_options |= NTCREATEX_OPTIONS_DELETE_ON_CLOSE;
5001 14 : status = smb2_create(tree1, tctx, &io1);
5002 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5003 : "smb2_create failed");
5004 14 : _h1 = io1.out.file.handle;
5005 14 : h1 = &_h1;
5006 14 : CHECK_CREATED(tctx, &io1, CREATED, FILE_ATTRIBUTE_ARCHIVE);
5007 14 : torture_assert_int_equal(tctx, io1.out.oplock_level,
5008 : smb2_util_oplock_level("b"),
5009 : "oplock_level incorrect");
5010 :
5011 : /* Check the initial session is still alive */
5012 14 : ZERO_STRUCT(qfinfo1);
5013 14 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5014 14 : qfinfo1.generic.in.file.handle = _h1;
5015 14 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5016 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5017 : "smb2_getinfo_file failed");
5018 :
5019 : /* ask for a change notify,
5020 : on file or directory name changes */
5021 14 : ZERO_STRUCT(notify);
5022 14 : notify.smb2.level = RAW_NOTIFY_SMB2;
5023 14 : notify.smb2.in.buffer_size = 1000;
5024 14 : notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
5025 14 : notify.smb2.in.file.handle = rh;
5026 14 : notify.smb2.in.recursive = true;
5027 :
5028 14 : req = smb2_notify_send(tree1, &(notify.smb2));
5029 63 : WAIT_FOR_ASYNC_RESPONSE(req);
5030 :
5031 14 : status = smb2_cancel(req);
5032 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5033 : "smb2_cancel failed");
5034 :
5035 14 : status = smb2_notify_recv(req, tctx, &(notify.smb2));
5036 14 : torture_assert_ntstatus_equal_goto(tctx, status, NT_STATUS_CANCELLED,
5037 : ret, done,
5038 : "smb2_notify_recv failed");
5039 :
5040 : /* Check the initial session is still alive */
5041 14 : ZERO_STRUCT(qfinfo1);
5042 14 : qfinfo1.generic.level = RAW_FILEINFO_POSITION_INFORMATION;
5043 14 : qfinfo1.generic.in.file.handle = _h1;
5044 14 : status = smb2_getinfo_file(tree1, tctx, &qfinfo1);
5045 14 : torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
5046 : "smb2_getinfo_file failed");
5047 :
5048 14 : ret = true;
5049 14 : done:
5050 14 : if (h1 != NULL) {
5051 14 : smb2_util_close(tree1, *h1);
5052 : }
5053 14 : TALLOC_FREE(tree1);
5054 :
5055 14 : return ret;
5056 : }
5057 :
5058 2 : static bool test_session_signing_hmac_sha_256(struct torture_context *tctx, struct smb2_tree *tree0)
5059 : {
5060 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5061 2 : bool ret = false;
5062 2 : struct smb2_transport *transport0 = tree0->session->transport;
5063 : struct smbcli_options options1;
5064 : bool encrypted;
5065 :
5066 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5067 2 : if (encrypted) {
5068 0 : torture_skip(tctx,
5069 : "Can't test signing only if encrytion is required");
5070 : }
5071 :
5072 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5073 0 : torture_skip(tctx,
5074 : "Can't test without SMB 3.1.1 support");
5075 : }
5076 :
5077 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5078 0 : torture_skip(tctx,
5079 : "Can't test without SMB 3.1.1 signing negotiation support");
5080 : }
5081 :
5082 2 : options1 = transport0->options;
5083 2 : options1.client_guid = GUID_random();
5084 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5085 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5086 2 : options1.signing = SMB_SIGNING_REQUIRED;
5087 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5088 : .num_algos = 1,
5089 : .algos = {
5090 : SMB2_SIGNING_HMAC_SHA256,
5091 : },
5092 : };
5093 :
5094 2 : ret = test_session_sign_enc(tctx,
5095 : __func__,
5096 : credentials,
5097 : &options1);
5098 2 : TALLOC_FREE(tree0);
5099 2 : return ret;
5100 : }
5101 :
5102 2 : static bool test_session_signing_aes_128_cmac(struct torture_context *tctx, struct smb2_tree *tree0)
5103 : {
5104 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5105 2 : bool ret = false;
5106 2 : struct smb2_transport *transport0 = tree0->session->transport;
5107 : struct smbcli_options options1;
5108 : bool encrypted;
5109 :
5110 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5111 2 : if (encrypted) {
5112 0 : torture_skip(tctx,
5113 : "Can't test signing only if encrytion is required");
5114 : }
5115 :
5116 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5117 0 : torture_skip(tctx,
5118 : "Can't test without SMB 3.1.1 support");
5119 : }
5120 :
5121 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5122 0 : torture_skip(tctx,
5123 : "Can't test without SMB 3.1.1 signing negotiation support");
5124 : }
5125 :
5126 2 : options1 = transport0->options;
5127 2 : options1.client_guid = GUID_random();
5128 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5129 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5130 2 : options1.signing = SMB_SIGNING_REQUIRED;
5131 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5132 : .num_algos = 1,
5133 : .algos = {
5134 : SMB2_SIGNING_AES128_CMAC,
5135 : },
5136 : };
5137 :
5138 2 : ret = test_session_sign_enc(tctx,
5139 : __func__,
5140 : credentials,
5141 : &options1);
5142 2 : TALLOC_FREE(tree0);
5143 2 : return ret;
5144 : }
5145 :
5146 2 : static bool test_session_signing_aes_128_gmac(struct torture_context *tctx, struct smb2_tree *tree0)
5147 : {
5148 2 : struct cli_credentials *credentials = samba_cmdline_get_creds();
5149 2 : bool ret = false;
5150 2 : struct smb2_transport *transport0 = tree0->session->transport;
5151 : struct smbcli_options options1;
5152 : bool encrypted;
5153 :
5154 2 : encrypted = smb2cli_tcon_is_encryption_on(tree0->smbXcli);
5155 2 : if (encrypted) {
5156 0 : torture_skip(tctx,
5157 : "Can't test signing only if encrytion is required");
5158 : }
5159 :
5160 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5161 0 : torture_skip(tctx,
5162 : "Can't test without SMB 3.1.1 support");
5163 : }
5164 :
5165 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5166 0 : torture_skip(tctx,
5167 : "Can't test without SMB 3.1.1 signing negotiation support");
5168 : }
5169 :
5170 2 : options1 = transport0->options;
5171 2 : options1.client_guid = GUID_random();
5172 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5173 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5174 2 : options1.signing = SMB_SIGNING_REQUIRED;
5175 2 : options1.smb3_capabilities.signing = (struct smb3_signing_capabilities) {
5176 : .num_algos = 1,
5177 : .algos = {
5178 : SMB2_SIGNING_AES128_GMAC,
5179 : },
5180 : };
5181 :
5182 2 : ret = test_session_sign_enc(tctx,
5183 : __func__,
5184 : credentials,
5185 : &options1);
5186 2 : TALLOC_FREE(tree0);
5187 2 : return ret;
5188 : }
5189 :
5190 2 : static bool test_session_encryption_aes_128_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5191 : {
5192 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5193 2 : struct cli_credentials *credentials = NULL;
5194 2 : bool ret = false;
5195 2 : struct smb2_transport *transport0 = tree0->session->transport;
5196 : struct smbcli_options options1;
5197 : bool ok;
5198 :
5199 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5200 0 : torture_skip(tctx,
5201 : "Can't test without SMB 3.1.1 support");
5202 : }
5203 :
5204 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5205 0 : torture_skip(tctx,
5206 : "Can't test without SMB 3.1.1 signing negotiation support");
5207 : }
5208 :
5209 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5210 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5211 2 : ok = cli_credentials_set_smb_encryption(credentials,
5212 : SMB_ENCRYPTION_REQUIRED,
5213 : CRED_SPECIFIED);
5214 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5215 :
5216 2 : options1 = transport0->options;
5217 2 : options1.client_guid = GUID_random();
5218 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5219 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5220 2 : options1.signing = SMB_SIGNING_REQUIRED;
5221 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5222 : .num_algos = 1,
5223 : .algos = {
5224 : SMB2_ENCRYPTION_AES128_CCM,
5225 : },
5226 : };
5227 :
5228 2 : ret = test_session_sign_enc(tctx,
5229 : __func__,
5230 : credentials,
5231 : &options1);
5232 2 : TALLOC_FREE(tree0);
5233 2 : return ret;
5234 : }
5235 :
5236 2 : static bool test_session_encryption_aes_128_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5237 : {
5238 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5239 2 : struct cli_credentials *credentials = NULL;
5240 2 : bool ret = false;
5241 2 : struct smb2_transport *transport0 = tree0->session->transport;
5242 : struct smbcli_options options1;
5243 : bool ok;
5244 :
5245 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5246 0 : torture_skip(tctx,
5247 : "Can't test without SMB 3.1.1 support");
5248 : }
5249 :
5250 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5251 0 : torture_skip(tctx,
5252 : "Can't test without SMB 3.1.1 signing negotiation support");
5253 : }
5254 :
5255 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5256 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5257 2 : ok = cli_credentials_set_smb_encryption(credentials,
5258 : SMB_ENCRYPTION_REQUIRED,
5259 : CRED_SPECIFIED);
5260 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5261 :
5262 2 : options1 = transport0->options;
5263 2 : options1.client_guid = GUID_random();
5264 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5265 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5266 2 : options1.signing = SMB_SIGNING_REQUIRED;
5267 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5268 : .num_algos = 1,
5269 : .algos = {
5270 : SMB2_ENCRYPTION_AES128_GCM,
5271 : },
5272 : };
5273 :
5274 2 : ret = test_session_sign_enc(tctx,
5275 : __func__,
5276 : credentials,
5277 : &options1);
5278 2 : TALLOC_FREE(tree0);
5279 2 : return ret;
5280 : }
5281 :
5282 2 : static bool test_session_encryption_aes_256_ccm(struct torture_context *tctx, struct smb2_tree *tree0)
5283 : {
5284 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5285 2 : struct cli_credentials *credentials = NULL;
5286 2 : bool ret = false;
5287 2 : struct smb2_transport *transport0 = tree0->session->transport;
5288 : struct smbcli_options options1;
5289 : bool ok;
5290 :
5291 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5292 0 : torture_skip(tctx,
5293 : "Can't test without SMB 3.1.1 support");
5294 : }
5295 :
5296 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5297 0 : torture_skip(tctx,
5298 : "Can't test without SMB 3.1.1 signing negotiation support");
5299 : }
5300 :
5301 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5302 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5303 2 : ok = cli_credentials_set_smb_encryption(credentials,
5304 : SMB_ENCRYPTION_REQUIRED,
5305 : CRED_SPECIFIED);
5306 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5307 :
5308 2 : options1 = transport0->options;
5309 2 : options1.client_guid = GUID_random();
5310 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5311 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5312 2 : options1.signing = SMB_SIGNING_REQUIRED;
5313 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5314 : .num_algos = 1,
5315 : .algos = {
5316 : SMB2_ENCRYPTION_AES256_CCM,
5317 : },
5318 : };
5319 :
5320 2 : ret = test_session_sign_enc(tctx,
5321 : __func__,
5322 : credentials,
5323 : &options1);
5324 2 : TALLOC_FREE(tree0);
5325 2 : return ret;
5326 : }
5327 :
5328 2 : static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, struct smb2_tree *tree0)
5329 : {
5330 2 : struct cli_credentials *credentials0 = samba_cmdline_get_creds();
5331 2 : struct cli_credentials *credentials = NULL;
5332 2 : bool ret = false;
5333 2 : struct smb2_transport *transport0 = tree0->session->transport;
5334 : struct smbcli_options options1;
5335 : bool ok;
5336 :
5337 2 : if (smbXcli_conn_protocol(transport0->conn) < PROTOCOL_SMB3_11) {
5338 0 : torture_skip(tctx,
5339 : "Can't test without SMB 3.1.1 support");
5340 : }
5341 :
5342 2 : if (smb2cli_conn_server_signing_algo(transport0->conn) < SMB2_SIGNING_AES128_GMAC) {
5343 0 : torture_skip(tctx,
5344 : "Can't test without SMB 3.1.1 signing negotiation support");
5345 : }
5346 :
5347 2 : credentials = cli_credentials_shallow_copy(tctx, credentials0);
5348 2 : torture_assert(tctx, credentials != NULL, "cli_credentials_shallow_copy");
5349 2 : ok = cli_credentials_set_smb_encryption(credentials,
5350 : SMB_ENCRYPTION_REQUIRED,
5351 : CRED_SPECIFIED);
5352 2 : torture_assert(tctx, ok, "cli_credentials_set_smb_encryption");
5353 :
5354 2 : options1 = transport0->options;
5355 2 : options1.client_guid = GUID_random();
5356 2 : options1.min_protocol = PROTOCOL_SMB3_11;
5357 2 : options1.max_protocol = PROTOCOL_SMB3_11;
5358 2 : options1.signing = SMB_SIGNING_REQUIRED;
5359 2 : options1.smb3_capabilities.encryption = (struct smb3_encryption_capabilities) {
5360 : .num_algos = 1,
5361 : .algos = {
5362 : SMB2_ENCRYPTION_AES256_GCM,
5363 : },
5364 : };
5365 :
5366 2 : ret = test_session_sign_enc(tctx,
5367 : __func__,
5368 : credentials,
5369 : &options1);
5370 2 : TALLOC_FREE(tree0);
5371 2 : return ret;
5372 : }
5373 :
5374 2 : static bool test_session_ntlmssp_bug14932(struct torture_context *tctx, struct smb2_tree *tree)
5375 : {
5376 1 : struct cli_credentials *ntlm_creds =
5377 2 : cli_credentials_shallow_copy(tctx, samba_cmdline_get_creds());
5378 : NTSTATUS status;
5379 2 : bool ret = true;
5380 : /*
5381 : * This is a NTLMv2_RESPONSE with the strange
5382 : * NTLMv2_CLIENT_CHALLENGE used by the net diag
5383 : * tool.
5384 : *
5385 : * As we expect an error anyway we fill the
5386 : * Response part with 0xab...
5387 : */
5388 : static const char *netapp_magic =
5389 : "\xab\xab\xab\xab\xab\xab\xab\xab"
5390 : "\xab\xab\xab\xab\xab\xab\xab\xab"
5391 : "\x01\x01\x00\x00\x00\x00\x00\x00"
5392 : "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
5393 : "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
5394 : "\x00\x00\x00\x00\x11\xa2\x08\x81"
5395 : "\x50\x38\x22\x78\x2b\x94\x47\xfe"
5396 : "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
5397 : "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
5398 : "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
5399 : "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
5400 : "\x76\x49\xf5\x45\x90\x19\xa2";
5401 2 : DATA_BLOB lm_response = data_blob_talloc_zero(tctx, 24);
5402 2 : DATA_BLOB lm_session_key = data_blob_talloc_zero(tctx, 16);
5403 2 : DATA_BLOB nt_response = data_blob_const(netapp_magic, 95);
5404 2 : DATA_BLOB nt_session_key = data_blob_talloc_zero(tctx, 16);
5405 :
5406 2 : cli_credentials_set_kerberos_state(ntlm_creds,
5407 : CRED_USE_KERBEROS_DISABLED,
5408 : CRED_SPECIFIED);
5409 2 : cli_credentials_set_ntlm_response(ntlm_creds,
5410 : &lm_response,
5411 : &lm_session_key,
5412 : &nt_response,
5413 : &nt_session_key,
5414 : CRED_SPECIFIED);
5415 2 : status = smb2_session_setup_spnego(tree->session,
5416 : ntlm_creds,
5417 : 0 /* previous_session_id */);
5418 2 : torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
5419 : "smb2_session_setup_spnego failed");
5420 :
5421 2 : return ret;
5422 : }
5423 :
5424 964 : struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
5425 : {
5426 738 : struct torture_suite *suite =
5427 226 : torture_suite_create(ctx, "session");
5428 :
5429 964 : torture_suite_add_1smb2_test(suite, "reconnect1", test_session_reconnect1);
5430 964 : torture_suite_add_1smb2_test(suite, "reconnect2", test_session_reconnect2);
5431 964 : torture_suite_add_1smb2_test(suite, "reauth1", test_session_reauth1);
5432 964 : torture_suite_add_1smb2_test(suite, "reauth2", test_session_reauth2);
5433 964 : torture_suite_add_1smb2_test(suite, "reauth3", test_session_reauth3);
5434 964 : torture_suite_add_1smb2_test(suite, "reauth4", test_session_reauth4);
5435 964 : torture_suite_add_1smb2_test(suite, "reauth5", test_session_reauth5);
5436 964 : torture_suite_add_1smb2_test(suite, "reauth6", test_session_reauth6);
5437 964 : torture_suite_add_simple_test(suite, "expire1n", test_session_expire1n);
5438 964 : torture_suite_add_simple_test(suite, "expire1s", test_session_expire1s);
5439 964 : torture_suite_add_simple_test(suite, "expire1e", test_session_expire1e);
5440 964 : torture_suite_add_simple_test(suite, "expire2s", test_session_expire2s);
5441 964 : torture_suite_add_simple_test(suite, "expire2e", test_session_expire2e);
5442 964 : torture_suite_add_simple_test(suite, "expire_disconnect",
5443 : test_session_expire_disconnect);
5444 964 : torture_suite_add_1smb2_test(suite, "bind1", test_session_bind1);
5445 964 : torture_suite_add_1smb2_test(suite, "bind2", test_session_bind2);
5446 964 : torture_suite_add_1smb2_test(suite, "bind_invalid_auth", test_session_bind_invalid_auth);
5447 964 : torture_suite_add_1smb2_test(suite, "bind_different_user", test_session_bind_different_user);
5448 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb202", test_session_bind_negative_smb202);
5449 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb210s", test_session_bind_negative_smb210s);
5450 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb210d", test_session_bind_negative_smb210d);
5451 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3s", test_session_bind_negative_smb2to3s);
5452 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb2to3d", test_session_bind_negative_smb2to3d);
5453 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2s", test_session_bind_negative_smb3to2s);
5454 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to2d", test_session_bind_negative_smb3to2d);
5455 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3s", test_session_bind_negative_smb3to3s);
5456 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3to3d", test_session_bind_negative_smb3to3d);
5457 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCs", test_session_bind_negative_smb3encGtoCs);
5458 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3encGtoCd", test_session_bind_negative_smb3encGtoCd);
5459 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHs", test_session_bind_negative_smb3signCtoHs);
5460 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoHd", test_session_bind_negative_smb3signCtoHd);
5461 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGs", test_session_bind_negative_smb3signCtoGs);
5462 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signCtoGd", test_session_bind_negative_smb3signCtoGd);
5463 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCs", test_session_bind_negative_smb3signHtoCs);
5464 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoCd", test_session_bind_negative_smb3signHtoCd);
5465 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGs", test_session_bind_negative_smb3signHtoGs);
5466 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signHtoGd", test_session_bind_negative_smb3signHtoGd);
5467 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCs", test_session_bind_negative_smb3signGtoCs);
5468 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoCd", test_session_bind_negative_smb3signGtoCd);
5469 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHs", test_session_bind_negative_smb3signGtoHs);
5470 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoHd", test_session_bind_negative_smb3signGtoHd);
5471 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCs", test_session_bind_negative_smb3sneGtoCs);
5472 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoCd", test_session_bind_negative_smb3sneGtoCd);
5473 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHs", test_session_bind_negative_smb3sneGtoHs);
5474 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneGtoHd", test_session_bind_negative_smb3sneGtoHd);
5475 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGs", test_session_bind_negative_smb3sneCtoGs);
5476 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneCtoGd", test_session_bind_negative_smb3sneCtoGd);
5477 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGs", test_session_bind_negative_smb3sneHtoGs);
5478 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3sneHtoGd", test_session_bind_negative_smb3sneHtoGd);
5479 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGs", test_session_bind_negative_smb3signC30toGs);
5480 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signC30toGd", test_session_bind_negative_smb3signC30toGd);
5481 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGs", test_session_bind_negative_smb3signH2XtoGs);
5482 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signH2XtoGd", test_session_bind_negative_smb3signH2XtoGd);
5483 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30s", test_session_bind_negative_smb3signGtoC30s);
5484 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoC30d", test_session_bind_negative_smb3signGtoC30d);
5485 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xs", test_session_bind_negative_smb3signGtoH2Xs);
5486 964 : torture_suite_add_1smb2_test(suite, "bind_negative_smb3signGtoH2Xd", test_session_bind_negative_smb3signGtoH2Xd);
5487 964 : torture_suite_add_1smb2_test(suite, "two_logoff", test_session_two_logoff);
5488 964 : torture_suite_add_1smb2_test(suite, "signing-hmac-sha-256", test_session_signing_hmac_sha_256);
5489 964 : torture_suite_add_1smb2_test(suite, "signing-aes-128-cmac", test_session_signing_aes_128_cmac);
5490 964 : torture_suite_add_1smb2_test(suite, "signing-aes-128-gmac", test_session_signing_aes_128_gmac);
5491 964 : torture_suite_add_1smb2_test(suite, "encryption-aes-128-ccm", test_session_encryption_aes_128_ccm);
5492 964 : torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
5493 964 : torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
5494 964 : torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
5495 964 : torture_suite_add_1smb2_test(suite, "ntlmssp_bug14932", test_session_ntlmssp_bug14932);
5496 :
5497 964 : suite->description = talloc_strdup(suite, "SMB2-SESSION tests");
5498 :
5499 964 : return suite;
5500 : }
5501 :
5502 2 : static bool test_session_require_sign_bug15397(struct torture_context *tctx,
5503 : struct smb2_tree *_tree)
5504 : {
5505 2 : const char *host = torture_setting_string(tctx, "host", NULL);
5506 2 : const char *share = torture_setting_string(tctx, "share", NULL);
5507 2 : struct cli_credentials *_creds = samba_cmdline_get_creds();
5508 2 : struct cli_credentials *creds = NULL;
5509 : struct smbcli_options options;
5510 2 : struct smb2_tree *tree = NULL;
5511 : uint8_t security_mode;
5512 : NTSTATUS status;
5513 2 : bool ok = true;
5514 :
5515 : /*
5516 : * Setup our own connection so we can control the signing flags
5517 : */
5518 :
5519 2 : creds = cli_credentials_shallow_copy(tctx, _creds);
5520 2 : torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
5521 :
5522 2 : options = _tree->session->transport->options;
5523 2 : options.client_guid = GUID_random();
5524 2 : options.signing = SMB_SIGNING_IF_REQUIRED;
5525 :
5526 2 : status = smb2_connect(tctx,
5527 : host,
5528 : lpcfg_smb_ports(tctx->lp_ctx),
5529 : share,
5530 : lpcfg_resolve_context(tctx->lp_ctx),
5531 : creds,
5532 : &tree,
5533 : tctx->ev,
5534 : &options,
5535 : lpcfg_socket_options(tctx->lp_ctx),
5536 : lpcfg_gensec_settings(tctx, tctx->lp_ctx));
5537 2 : torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
5538 : "smb2_connect failed");
5539 :
5540 2 : security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
5541 :
5542 2 : torture_assert_int_equal_goto(
5543 : tctx,
5544 : security_mode,
5545 : SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
5546 : ok,
5547 : done,
5548 : "Signing not required");
5549 :
5550 3 : done:
5551 2 : return ok;
5552 : }
5553 :
5554 964 : struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
5555 : {
5556 738 : struct torture_suite *suite =
5557 226 : torture_suite_create(ctx, "session-require-signing");
5558 :
5559 964 : torture_suite_add_1smb2_test(suite, "bug15397",
5560 : test_session_require_sign_bug15397);
5561 :
5562 964 : suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
5563 964 : return suite;
5564 : }
|
