diff options
-rwxr-xr-x | source4/selftest/tests.py | 3 | ||||
-rwxr-xr-x | testprogs/blackbox/test_weak_crypto_server.sh | 64 |
2 files changed, 66 insertions, 1 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 565f7ae1375..04712ce4025 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -524,7 +524,8 @@ plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) if have_gnutls_crypto_policies: - plantestsuite("samba4.blackbox.weak_crypto", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) + plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) + plantestsuite("samba4.blackbox.weak_crypto.server", "ad_dc_fips", [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) # json tests hook into ``chgdcpass'' to make them run in contributor CI on diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh new file mode 100755 index 00000000000..8e38b009947 --- /dev/null +++ b/testprogs/blackbox/test_weak_crypto_server.sh @@ -0,0 +1,64 @@ +#!/bin/sh + +# +# Blackbox tests for weak crytpo +# Copyright (c) 2020 Andreas Schneider <asn@samba.org> +# + +if [ $# -lt 7 ]; then +cat <<EOF +Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +CONFIGURATION=$7 +shift 7 + +failed=0 +. `dirname $0`/subunit.sh + +samba_bindir="$BINDIR" +samba_testparm="$BINDIR/testparm" +samba_rpcclient="$samba_bindir/rpcclient" + +# remove the --configfile= +configuration="${CONFIGURATION##*=}" + +test_weak_crypto_allowed() +{ + local testparm_stderr_output_path="$PREFIX/testparm_stderr_output" + + $samba_testparm -s $configuration 2>$testparm_stderr_output_path >/dev/null + + grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1 + if [ $ret -ne 0 ]; then + echo "Invalid crypto state:" + cat $testparm_stderr_output_path + rm -f $testparm_stderr_output_path + return 1 + fi + + rm -f $testparm_stderr_output_path + + return 0 +} + +unset GNUTLS_FORCE_FIPS_MODE + +# Checks that testparm reports: Weak crypto is disallowed +testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=`expr $failed + 1` + +# We should not be allowed to use NTLM for connecting +testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER_IP[ntlm] -U$USERNAME%$PASSWORD -c "getusername" && failed=`expr $failed + 1` + +GNUTLS_FORCE_FIPS_MODE=1 +export GNUTLS_FORCE_FIPS_MODE + +exit $failed |