private MessageDigest digest;
    private byte[] macSigningKey;
    private boolean bypass = false;
    private int updates;
    private int signSequence;

    /**
     * Constructs a new signing digest with the specified MAC signing key.
     *
     * @param macSigningKey the MAC signing key for message authentication
     * @param bypass whether to bypass MAC signing
     * @throws SmbException if MD5 algorithm is not available
     */

```

See <https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html> for AWS S3 spec on object locking and permissions required for object retention and governance bypass overrides.

### Set legal hold on an object

PutObject API allows setting legal hold using `x-amz-object-lock-legal-hold` header.

```sh

// OpenFileDirectIO - bypass kernel cache.
func OpenFileDirectIO(filePath string, flag int, perm os.FileMode) (*os.File, error) {
	return directio.OpenFile(filePath, flag, perm)
}

// DisableDirectIO - disables directio mode.
func DisableDirectIO(f *os.File) error {
	fd := f.Fd()
	_, err := unix.FcntlInt(fd, unix.F_NOCACHE, 0)
	return err
}

// AlignedBlock - pass through to directio implementation.

import (
	"os"
	"syscall"

	"github.com/ncw/directio"
	"golang.org/x/sys/unix"
)

// ODirectPlatform indicates if the platform supports O_DIRECT
const ODirectPlatform = true

// OpenFileDirectIO - bypass kernel cache.
func OpenFileDirectIO(filePath string, flag int, perm os.FileMode) (*os.File, error) {
	return directio.OpenFile(filePath, flag, perm)
}

// DisableDirectIO - disables directio mode.

# - MSYS2 + curl, git, patch, vim, unzip, zip
# - Python 3.12.3
# - Bazelisk 1.19.0
# - JDK 21 (Azul Zulu)

FROM mcr.microsoft.com/windows/servercore:ltsc2019

SHELL ["powershell.exe", "-ExecutionPolicy", "Bypass", "-Command", \
       "$ErrorActionPreference='Stop'; $ProgressPreference='SilentlyContinue';$VerbosePreference = 'Continue';"]

# This should only be necessary when running on A GCP VM, on a default

 * tests focus on the contract that implementations should honour and the
 * interaction with {@link SmbFile} instances. The tests make heavy use of
 * Mockito to guarantee that implementation classes do not inadvertently
 * bypass the filter logic.
 */
public class SmbFileFilterTest {

    /**
     * A minimal implementation that accepts every {@link SmbFile}.
     */
    private final SmbFileFilter ALWAYSACTIVE = new SmbFileFilter() {

        assertEquals(expected, LdapUtil.escapeValue(input));
    }

    @Test
    public void test_escapeValue_realWorldLdapInjectionAttempts() {
        // Authentication bypass attempt
        assertEquals("\\2a", LdapUtil.escapeValue("*"));

        // Filter injection to match any user
        assertEquals("\\2a\\29\\28|\\28cn=\\2a", LdapUtil.escapeValue("*)(|(cn=*"));

in handling your report.

Please, provide a detailed explanation of the issue. In particular, outline the type of the security
issue (DoS, authentication bypass, information disclose, ...) and the assumptions you're making (e.g. do
you need access credentials for a successful exploit).

        KerberosKey kdcKey = new KerberosKey(null, keyBytes, PacSignature.HMAC_SHA1_96_AES256, 1);
        keys.put(PacSignature.ETYPE_AES256_CTS_HMAC_SHA1_96, kdcKey);

        // Mock Pac construction to bypass complex validation
        try (MockedConstruction<Pac> pacMock = Mockito.mockConstruction(Pac.class, (mock, context) -> {
            // Setup mock behavior
            PacLogonInfo mockLogonInfo = Mockito.mock(PacLogonInfo.class);

3. Export the node's certificate:
   `keytool -export -alias test-node -keystore test-node.jks -storepass keypass -file test-node.crt`
4. Import the node certificate in the client's keystore: