testprogs/blackbox/test_weak_crypto.sh

   1 #!/bin/sh
   2
   3 #
   4 # Blackbox tests for weak crytpo
   5 # Copyright (c) 2020      Andreas Schneider <asn@samba.org>
   6 #
   7
   8 if [ $# -lt 6 ]; then
   9         cat <<EOF
  10 Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
  11 EOF
  12         exit 1
  13 fi
  14
  15 SERVER=$1
  16 USERNAME=$2
  17 PASSWORD=$3
  18 REALM=$4
  19 DOMAIN=$5
  20 PREFIX=$6
  21 shift 6
  22
  23 failed=0
  24 . $(dirname $0)/subunit.sh
  25
  26 samba_bindir="$BINDIR"
  27 samba_testparm="$BINDIR/testparm"
  28 samba_rpcclient="$samba_bindir/rpcclient"
  29
  30 opt="--option=gensec:gse_krb5=no -U${USERNAME}%${PASSWORD}"
  31
  32 unset GNUTLS_FORCE_FIPS_MODE
  33
  34 # Checks that testparm reports: Weak crypto is allowed
  35 testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1)
  36
  37 # We should be allowed to use NTLM for connecting
  38 testit "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=$(expr $failed + 1)
  39
  40 GNUTLS_FORCE_FIPS_MODE=1
  41 export GNUTLS_FORCE_FIPS_MODE
  42
  43 # Checks that testparm reports: Weak crypto is disallowed
  44 testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=$(expr $failed + 1)
  45
  46 # We should not be allowed to use NTLM for connecting
  47 testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:$SERVER $opt -c "getusername" || failed=$(expr $failed + 1)
  48
  49 unset GNUTLS_FORCE_FIPS_MODE
  50
  51 exit $failed