testprogs/blackbox/test_weak_crypto_server.sh

   1 #!/bin/sh
   2
   3 #
   4 # Blackbox tests for weak crypto
   5 # Copyright (c) 2020      Andreas Schneider <asn@samba.org>
   6 #
   7
   8 if [ $# -lt 7 ]; then
   9         cat <<EOF
  10 Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN PREFIX
  11 EOF
  12         exit 1
  13 fi
  14
  15 SERVER=$1
  16 USERNAME=$2
  17 PASSWORD=$3
  18 REALM=$4
  19 DOMAIN=$5
  20 PREFIX=$6
  21 CONFIGURATION=$7
  22 shift 7
  23
  24 failed=0
  25 . $(dirname $0)/subunit.sh
  26
  27 samba_bindir="$BINDIR"
  28 samba_testparm="$BINDIR/testparm"
  29 samba_rpcclient="$samba_bindir/rpcclient"
  30
  31 # remove the --configfile=
  32 configuration="${CONFIGURATION##*=}"
  33
  34 test_weak_crypto_allowed()
  35 {
  36         local testparm_stderr_output_path="$PREFIX/testparm_stderr_output"
  37
  38         $samba_testparm --suppress-prompt $configuration 2>$testparm_stderr_output_path >/dev/null
  39
  40         grep "Weak crypto is allowed" $testparm_stderr_output_path >/dev/null 2>&1
  41         if [ $ret -ne 0 ]; then
  42                 echo "Invalid crypto state:"
  43                 cat $testparm_stderr_output_path
  44                 rm -f $testparm_stderr_output_path
  45                 return 1
  46         fi
  47
  48         rm -f $testparm_stderr_output_path
  49
  50         return 0
  51 }
  52
  53 unset GNUTLS_FORCE_FIPS_MODE
  54
  55 # Checks that testparm reports: Weak crypto is disallowed
  56 testit "testparm-weak-crypto" test_weak_crypto_allowed || failed=$(expr $failed + 1)
  57
  58 # We should not be allowed to use NTLM for connecting
  59 testit_expect_failure "rpclient.ntlm" $samba_rpcclient ncacn_np:${SERVER_IP}[ntlm] -U$USERNAME%$PASSWORD -c "getusername" || failed=$(expr $failed + 1)
  60
  61 GNUTLS_FORCE_FIPS_MODE=1
  62 export GNUTLS_FORCE_FIPS_MODE
  63
  64 exit $failed