name: "Code scanning - action"

on:
  push:
    branches: [ main, master, release ]
  schedule:
    - cron: '0 5 * * *'

permissions: {}

jobs:
  CodeQL-Build:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    runs-on: ubuntu-latest

    /**
     * Checks if message signing is supported but not mandatory.
     *
     * @return whether signatures are supported but not required
     * @throws SmbException if an error occurs checking signing status
     */
    boolean isSigningOptional() throws SmbException;

    /**
     * Checks if message signing is mandatory for this connection.
     *

    }

    /**
     * Test that signing is properly configured
     */
    @Test
    public void testSigningConfiguration() throws CIFSException {
        BaseConfiguration config = new BaseConfiguration(true);

        // Verify IPC signing is enforced (this is a security requirement)
        assertTrue("IPC signing should be enforced for security", config.isIpcSigningEnforced());
    }

package jcifs.internal;

/**
 * Interface for SMB message signing and verification operations.
 * Provides cryptographic signing capabilities for SMB protocol messages to ensure
 * message integrity and authenticity using MAC (Message Authentication Code) algorithms.
 *
 * @author mbechler
 */
public interface SMBSigningDigest {

    /**
     * Performs MAC signing of the SMB. This is done as follows.

Use [CertificatePinner](https://square.github.io/okhttp/4.x/okhttp/okhttp3/-certificate-pinner/) to restrict which certificates and certificate authorities are trusted. Certificate pinning increases security, but limits your server team’s abilities to update their TLS certificates. **Do not use certificate pinning without the blessing of your server’s TLS administrator!**

=== ":material-language-kotlin: Kotlin"
    ```kotlin
      private val client = OkHttpClient.Builder()

        assertFalse(result);
        verify(negotiationResponse).canReuse(null, false);
    }

    @Test
    @DisplayName("Test signing state combinations")
    void testSigningStateCombinations() {
        // Test all combinations of signing states

        // Signing disabled
        when(negotiationResponse.isSigningEnabled()).thenReturn(false);
        when(negotiationResponse.isSigningRequired()).thenReturn(false);

        assertTrue(context.isEstablished());
        assertArrayEquals(serverChallenge, context.getServerChallenge());
        // Signing key may or may not be generated depending on flags negotiation
        // The context negotiates flags with server, so we can't guarantee signing key
    }

    @Test
    void testInitSecContext_state2_withoutSigning() throws Exception {

        # Learn more...
        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}

    private static final String S2C_SIGN_CONSTANT = "session key to server-to-client signing key magic constant";
    private static final String S2C_SEAL_CONSTANT = "session key to server-to-client sealing key magic constant";

    private static final String C2S_SIGN_CONSTANT = "session key to client-to-server signing key magic constant";

     * @return the server challenge bytes
     */
    public byte[] getServerChallenge() {
        return serverChallenge;
    }

    /**
     * Gets the signing key for message authentication.
     * @return the signing key bytes
     */
    public byte[] getSigningKey() {
        return signingKey;
    }

    /**
     * Gets the NetBIOS name of the remote server.