"ReadWriteC -> ReadWriteA",
        "ReadWriteB -> ReadWriteC",
        "ReadWriteA -> ReadWriteB");
  }

  public void testWriteToReadLockDowngrading() {
    writeLockA.lock(); // writeLockA downgrades to readLockA
    readLockA.lock();
    writeLockA.unlock();

    lockB.lock(); // readLockA -> lockB
    readLockA.unlock();

    // lockB -> writeLockA should fail

        "ReadWriteC -> ReadWriteA",
        "ReadWriteB -> ReadWriteC",
        "ReadWriteA -> ReadWriteB");
  }

  public void testWriteToReadLockDowngrading() {
    writeLockA.lock(); // writeLockA downgrades to readLockA
    readLockA.lock();
    writeLockA.unlock();

    lockB.lock(); // readLockA -> lockB
    readLockA.unlock();

    // lockB -> writeLockA should fail

            return false;
        }
        return true;
    }

    /**
     * Validates if the canonical URL is valid relative to the original URL.
     * Specifically checks for HTTPS to HTTP downgrades.
     *
     * @param url the original URL
     * @param canonicalUrl the canonical URL to validate
     * @return true if the canonical URL is valid, false otherwise
     */

### Other notable changes

* kube-up (with gce/gci and gce/coreos providers) now ensures the authentication token file contains correct tokens for the control plane components, even if the file already exists (ensures upgrades and downgrades work successfully) ([#43676](https://github.com/kubernetes/kubernetes/pull/43676), [@liggitt](https://github.com/liggitt))

     */
    static Stream<Arguments> messages() {
        return Stream.of(Arguments.of((String) null), Arguments.of(""), Arguments.of("unexpected downgrade"));
    }

    @Test
    @DisplayName("Default ctor: null message/cause; toString is class name; type hierarchy")
    void defaultConstructor_hasNullMessageAndCause_andTypeHierarchy() {
        // Arrange & Act

    }
  }

  companion object {
    /**
     * The cipher suite used during TLS connection fallback to indicate a fallback. See
     * https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
     */
    const val TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"
  }

 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
package jcifs.smb;

import jcifs.CIFSException;

/**
 * Exception thrown when an SMB protocol downgrade attack is detected.
 * Indicates that the negotiated protocol version is lower than expected or required.
 *
 * @author mbechler
 *
 */
public class SMBProtocolDowngradeException extends CIFSException {

    /**

- **Encryption Context**: Per-session encryption state management
- **Key Derivation**: SMB3 KDF implementation with dialect-specific parameters
- **Pre-Authentication Integrity**: SMB 3.1.1 PAI for preventing downgrade attacks
- **Automatic Detection**: Encryption automatically enabled when servers require it
- **Secure Key Management**: Proper key derivation and nonce generation

### Core Features

import jcifs.internal.smb2.nego.PreauthIntegrityNegotiateContext;

/**
 * Enhanced Pre-Authentication Integrity Service for SMB 3.1.1.
 *
 * Provides comprehensive pre-authentication integrity protection against
 * downgrade attacks by maintaining cryptographic hash chains of all
 * negotiation and session setup messages.
 */
public class PreauthIntegrityService {

import jcifs.internal.util.SMBUtil;

/**
 * SMB2 Pre-authentication Integrity Negotiate Context.
 *
 * This negotiate context is used in SMB 3.1.1 to establish
 * pre-authentication integrity protection against downgrade attacks.
 *
 * @author mbechler
 */
public class PreauthIntegrityNegotiateContext implements NegotiateContextRequest, NegotiateContextResponse {

    /**
     * Context type
     */