CVE-2023-3347: CI: add a test for server-side mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow@samba.org>

selftest/knownfail.d/samba3.smb2.session-require-signing

@@ -0,0 +1 @@
+^samba3.smb2.session-require-signing.bug15397

selftest/target/Samba3.pm

@@ -1295,6 +1295,7 @@ sub setup_ad_member_idmap_rid
 	create krb5 conf = no
         map to guest = bad user
 	winbind expand groups = 10
+	server signing = required
 ";
 
 	my $ret = $self->provision(

source3/selftest/tests.py

@@ -1097,6 +1097,8 @@ for t in tests:
         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
         # ad_member_idmap_rid sets "create krb5.conf = no"
         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
+    elif t == "smb2.session-require-signing":
+        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
     elif t == "rpc.lsa":
         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')

source4/torture/smb2/session.c

@@ -5604,3 +5604,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
 
 	return suite;
 }
+
+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
+					       struct smb2_tree *_tree)
+{
+	const char *host = torture_setting_string(tctx, "host", NULL);
+	const char *share = torture_setting_string(tctx, "share", NULL);
+	struct cli_credentials *_creds = samba_cmdline_get_creds();
+	struct cli_credentials *creds = NULL;
+	struct smbcli_options options;
+	struct smb2_tree *tree = NULL;
+	uint8_t security_mode;
+	NTSTATUS status;
+	bool ok = true;
+
+	/*
+	 * Setup our own connection so we can control the signing flags
+	 */
+
+	creds = cli_credentials_shallow_copy(tctx, _creds);
+	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
+
+	options = _tree->session->transport->options;
+	options.client_guid = GUID_random();
+	options.signing = SMB_SIGNING_IF_REQUIRED;
+
+	status = smb2_connect(tctx,
+			      host,
+			      lpcfg_smb_ports(tctx->lp_ctx),
+			      share,
+			      lpcfg_resolve_context(tctx->lp_ctx),
+			      creds,
+			      &tree,
+			      tctx->ev,
+			      &options,
+			      lpcfg_socket_options(tctx->lp_ctx),
+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
+	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
+					"smb2_connect failed");
+
+	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
+
+	torture_assert_int_equal_goto(
+		tctx,
+		security_mode,
+		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
+		ok,
+		done,
+		"Signing not required");
+
+done:
+	return ok;
+}
+
+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
+{
+	struct torture_suite *suite =
+	    torture_suite_create(ctx, "session-require-signing");
+
+	torture_suite_add_1smb2_test(suite, "bug15397",
+				     test_session_require_sign_bug15397);
+
+	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
+	return suite;
+}

source4/torture/smb2/smb2.c

@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
+	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);