f.close()
have_heimdal_support = ("SAMBA4_USES_HEIMDAL" in config_hash)
-have_gnutls_crypto_policies = ("HAVE_GNUTLS_CRYPTO_POLICIES" in config_hash)
+have_gnutls_fips_mode_support = ("HAVE_GNUTLS_FIPS_MODE_SUPPORTED" in config_hash)
for options in ['-U"$USERNAME%$PASSWORD"']:
plantestsuite("samba4.ldb.ldaps with options %s(ad_dc_ntvfs)" % options, "ad_dc_ntvfs",
'$REALM'])
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
-if have_gnutls_crypto_policies:
+if have_gnutls_fips_mode_support:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
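Review bot: The `if have_gnutls_fips_mode_support:` guard here, and the same guard before the two `samba.tests.dcerpc.createtrustrelax` suites further down, drops the tests silently when configure did not define `HAVE_GNUTLS_FIPS_MODE_SUPPORTED`. A run on a host whose GnuTLS cannot be forced into FIPS mode then passes with no weak-crypto coverage and nothing in the output to say so. I would add a comment above each guard, `# Needs GNUTLS_FORCE_FIPS_MODE to take effect; not planned when configure found no FIPS mode support`, and, if the selftest harness has a way to record a skip, use it instead of omitting the suites. Indentation is lost in this view, so which statements sit inside the guard is inferred from line order.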
for env in ["ad_dc_fips", "ad_member_fips"]:
name = module
plantestsuite_loadlist(name, env, args)
-if have_gnutls_crypto_policies:
+if have_gnutls_fips_mode_support:
planoldpythontestsuite("ad_dc", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
planoldpythontestsuite("ad_dc_fips", "samba.tests.dcerpc.createtrustrelax", environ={'GNUTLS_FORCE_FIPS_MODE':'1'})
from waflib import Options
+import os
def parse_version(v):
return tuple(map(int, (v.split("."))))
if (parse_version(gnutls_version) > parse_version('3.6.14')):
conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
-# Check if we have support for crypto policies
-if conf.CHECK_FUNCS_IN('gnutls_get_system_config_file', 'gnutls'):
- conf.DEFINE('HAVE_GNUTLS_CRYPTO_POLICIES', 1)
+# Check if gnutls has fips mode support
+# gnutls_fips140_mode_enabled() is available since 3.3.0
+fragment = '''
+#include <gnutls/gnutls.h>
+#include <stdlib.h>
+
+int main(void)
+{
+ unsigned int ok;
+
+ ok = gnutls_fips140_mode_enabled();
+
+ return !ok;
+}
+'''
+
+os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
+conf.CHECK_CODE(fragment,
+ 'HAVE_GNUTLS_FIPS_MODE_SUPPORTED',
+ execute=True,
+ addmain=False,
+ add_headers=False,
+ lib='gnutls',
+ msg='Checking for gnutls fips mode support')
+del os.environ['GNUTLS_FORCE_FIPS_MODE']
if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
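Review bot: The override around `conf.CHECK_CODE` is not exception-safe and does not preserve a value the caller already exported. If the check raises, `GNUTLS_FORCE_FIPS_MODE=1` stays in the configure process's environment and would apply to any later check that executes a GnuTLS program; on success, `del os.environ['GNUTLS_FORCE_FIPS_MODE']` removes a pre-existing setting instead of restoring it. Saving the old value and restoring it in a `finally` keeps the forced mode scoped to this one probe. Separately, `execute=True` means the answer describes the GnuTLS on the machine running configure, which is presumably not the target in a cross build; a one-line comment saying so would help.

```python
# … unchanged: fragment definition …
saved_fips_env = os.environ.get('GNUTLS_FORCE_FIPS_MODE')
os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
try:
    conf.CHECK_CODE(fragment,
                    'HAVE_GNUTLS_FIPS_MODE_SUPPORTED',
                    execute=True,
                    addmain=False,
                    add_headers=False,
                    lib='gnutls',
                    msg='Checking for gnutls fips mode support')
finally:
    # Restore the caller's setting rather than unconditionally deleting it.
    if saved_fips_env is None:
        del os.environ['GNUTLS_FORCE_FIPS_MODE']
    else:
        os.environ['GNUTLS_FORCE_FIPS_MODE'] = saved_fips_env
```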