tests: Add test to check the server doesn't allow NTLM
authorAndreas Schneider <asn@samba.org>
Fri, 13 Mar 2020 15:15:52 +0000 (16:15 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 8 Apr 2020 13:02:40 +0000 (13:02 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
source4/selftest/tests.py
testprogs/blackbox/test_weak_crypto_server.sh [new file with mode: 0755]

index 565f7ae1375a3f183b5ece6d517564760c72877a..04712ce402569418c0d0735f754b6d255ceb0eb7 100755 (executable)
@@ -524,7 +524,8 @@ plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local",
 plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
 
 if have_gnutls_crypto_policies:
-    plantestsuite("samba4.blackbox.weak_crypto", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+    plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+    plantestsuite("samba4.blackbox.weak_crypto.server", "ad_dc_fips", [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
 
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
 # json tests hook into ``chgdcpass'' to make them run in contributor CI on
diff --git a/testprogs/blackbox/test_weak_crypto_server.sh b/testprogs/blackbox/test_weak_crypto_server.sh
new file mode 100755 (executable)
index 0000000..8e38b00
--- /dev/null
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+#
+# Blackbox tests for weak crytpo
+# Copyright (c) 2020      Andreas Schneider <asn@samba.org>
+#
+
+if [ $# -lt 7 ]; then
+cat <<EOF
+Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
+EOF
+exit 1;
+fi
+
+SERVER=$1
+USERNAME=$2
+PASSWORD=$3
+REALM=$4
+DOMAIN=$5
+PREFIX=$6
+CONFIGURATION=$7
+shift 7
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_bindir="$BINDIR"
+samba_testparm="$BINDIR/testparm"
+samba_rpcclient="$samba_bindir/rpcclient"
+
+# remove the --configfile=
+configuration="${CONFIGURATION##*=}"
+
+test_weak_crypto_allowed()
+{
+    local testparm_stderr_output_path="$PREFIX/testparm_stderr_output"
+
+    $samba_testparm -s $configuration 2>$testparm_stderr_output_path >/dev/null
+
+    grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1
+    if [ $ret -ne 0 ]; then
+        echo "Invalid crypto state:"
+        cat $testparm_stderr_output_path
+        rm -f $testparm_stderr_output_path
+        return 1
+    fi
+
+    rm -f $testparm_stderr_output_path
+
+    return 0
+}
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER_IP[ntlm] -U$USERNAME%$PASSWORD -c "getusername" && failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+exit $failed