The branch, master has been updated
       via  9918abd7324 gitlab-ci: Add runner for fips compliance testing
       via  5ae07ac3ea7 selftest: Force fips mode for openssl in ad_dc_fips
       via  ff67642dc29 tests: Add test to check the server doesn't allow NTLM
       via  a78f4819847 selftest: Start ad_dc_fips with forced fips mode
       via  df8831b9d28 selftest: Pass force_fips_mode to 
provision_raw_prepare()
       via  dcd99c8d9f4 selftest: Pass force_fips to provision()
       via  aa480d4b45e selftest: Pass force_fips_mode to provision_ad_dc()
       via  8c5da549f6d selftest: Pass extra_provision_options to 
provision_raw_prepare()
       via  865670616b5 selftest: Add an ad_dc_fips environment
       via  ab3394f9f5a s4:tls: Fix generating TLS RSA certs with FIPS140-2
       via  ecdd17c5366 s4:samdb: Do not create WDdigests for HTTP if weak 
crypto is disabled
      from  d1f4002b914 lib ldb: lmdb init var before calling mdb_reader_check

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9918abd73245241b9ff486090b22194119858f50
Author: Andreas Schneider <[email protected]>
Date:   Fri Apr 3 11:19:17 2020 +0200

    gitlab-ci: Add runner for fips compliance testing
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Wed Apr  8 14:45:18 UTC 2020 on sn-devel-184

commit 5ae07ac3ea720b1351c39b36865fd25a149c62b0
Author: Andreas Schneider <[email protected]>
Date:   Mon Mar 16 09:39:48 2020 +0100

    selftest: Force fips mode for openssl in ad_dc_fips
    
    This allows us to test MIT KRB5 and OpenLDAP in FIPS mode.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit ff67642dc29419c9fc80b6b9cb5b197a1586be75
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 16:15:52 2020 +0100

    tests: Add test to check the server doesn't allow NTLM
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit a78f4819847c7134bc72a105e8e81ce747676257
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 14:36:18 2020 +0100

    selftest: Start ad_dc_fips with forced fips mode
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit df8831b9d28d04737fee921e52778fc5a2705fc1
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 14:33:08 2020 +0100

    selftest: Pass force_fips_mode to provision_raw_prepare()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit dcd99c8d9f4a27e0e9575e0a590563f0b21c6dc8
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 14:29:48 2020 +0100

    selftest: Pass force_fips to provision()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit aa480d4b45e3b02a16c243141f68536cb9af37f6
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 14:26:33 2020 +0100

    selftest: Pass force_fips_mode to provision_ad_dc()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit 8c5da549f6dbf4efec7f545459fba97ca89d72ad
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 13:58:57 2020 +0100

    selftest: Pass extra_provision_options to provision_raw_prepare()
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit 865670616b56d57f7ecfcfc9bbbd9000f12d3316
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 12:39:54 2020 +0100

    selftest: Add an ad_dc_fips environment
    
    This is not FIPS ready yet.
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit ab3394f9f5af71ab904617147dc2e24de77ebcec
Author: Andreas Schneider <[email protected]>
Date:   Fri Mar 13 15:32:27 2020 +0100

    s4:tls: Fix generating TLS RSA certs with FIPS140-2
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

commit ecdd17c53665d6076e63f748b19a962c67e41d01
Author: Andreas Schneider <[email protected]>
Date:   Wed May 15 08:46:56 2019 +0200

    s4:samdb: Do not create WDdigests for HTTP if weak crypto is disabled
    
    Signed-off-by: Andreas Schneider <[email protected]>
    Reviewed-by: Guenther Deschner <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci.yml                                 |   5 +
 script/autobuild.py                            |  11 ++
 selftest/target/Samba.pm                       |  12 ++
 selftest/target/Samba4.pm                      | 185 ++++++++++++++++++++-----
 source4/dsdb/samdb/ldb_modules/password_hash.c |   8 +-
 source4/lib/tls/tlscert.c                      |   4 +-
 source4/selftest/tests.py                      |   3 +-
 testprogs/blackbox/test_weak_crypto_server.sh  |  64 +++++++++
 8 files changed, 251 insertions(+), 41 deletions(-)
 create mode 100755 testprogs/blackbox/test_weak_crypto_server.sh


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1e4c2c67122..4e9a5284429 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -181,6 +181,10 @@ samba-admem-mit:
 samba-ad-dc-4-mitkrb5:
   extends: .shared_template
 
+samba-ad-dc-fips:
+  extends: .shared_template
+  image: $SAMBA_CI_CONTAINER_IMAGE_fedora31
+
 .private_template:
   extends: .shared_template
   tags:
@@ -245,6 +249,7 @@ pages:
     - samba-nt4
     - samba-schemaupgrade
     - samba-ad-dc-1-mitkrb5
+    - samba-ad-dc-fips
   script:
     - ./configure.developer
     - make -j
diff --git a/script/autobuild.py b/script/autobuild.py
index 64f8ad90961..7a9e57e3b24 100755
--- a/script/autobuild.py
+++ b/script/autobuild.py
@@ -456,6 +456,16 @@ tasks = {
         ("check-clean-tree", "script/clean-source-tree.sh"),
         ],
 
+    # Test fips compliance
+    "samba-ad-dc-fips": [
+        ("random-sleep", random_sleep(1, 1)),
+        ("configure", "./configure.developer --with-selftest-prefix=./bin/ab 
--with-system-mitkrb5 --with-experimental-mit-ad-dc" + samba_configure_params),
+        ("make", "make -j"),
+        ("test", make_test(include_envs=["ad_dc_fips"])),
+        ("lcov", LCOV_CMD),
+        ("check-clean-tree", "script/clean-source-tree.sh"),
+        ],
+
     # run the backup/restore testenvs separately as they're fairly standalone
     # (and CI seems to max out at ~8 different DCs running at once)
     "samba-ad-dc-backup": [
@@ -816,6 +826,7 @@ defaulttasks.remove("pass")
 defaulttasks.remove("fail")
 defaulttasks.remove("samba-test-only")
 defaulttasks.remove("samba-fuzz")
+defaulttasks.remove("samba-ad-dc-fips")
 if os.environ.get("AUTOBUILD_SKIP_SAMBA_O3", "0") == "1":
     defaulttasks.remove("samba-o3")
 
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index b7b730eced5..6118f2e243a 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -472,6 +472,7 @@ sub realm_to_ip_mappings
                'prockilldom.samba.example.com'   => 'prockilldc',
                'proclimit.samba.example.com'     => 'proclimitdc',
                'samba.example.com'               => 'localdc',
+               'fips.samba.example.com'          => 'fipsdc',
        );
 
        my @mapping = ();
@@ -552,6 +553,7 @@ sub get_interface($)
                fileserversmb1    => 53,
                addcsmb1          => 54,
                lclnt4dc2smb1     => 55,
+               fipsdc            => 56,
 
                rootdnsforwarder  => 64,
 
@@ -687,6 +689,12 @@ sub get_env_for_process
        } else {
                $proc_envs->{RESOLV_WRAPPER_HOSTS} = 
$env_vars->{RESOLV_WRAPPER_HOSTS};
        }
+       if (defined($env_vars->{GNUTLS_FORCE_FIPS_MODE})) {
+               $proc_envs->{GNUTLS_FORCE_FIPS_MODE} = 
$env_vars->{GNUTLS_FORCE_FIPS_MODE};
+       }
+       if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+               $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = 
$env_vars->{OPENSSL_FORCE_FIPS_MODE};
+       }
        return $proc_envs;
 }
 
@@ -870,6 +878,10 @@ my @exported_envvars = (
        # resolv_wrapper
        "RESOLV_WRAPPER_CONF",
        "RESOLV_WRAPPER_HOSTS",
+
+       # crypto libraries
+       "GNUTLS_FORCE_FIPS_MODE",
+       "OPENSSL_FORCE_FIPS_MODE",
 );
 
 sub exported_envvars_str
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index f72609b0f53..2046af3b984 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -168,6 +168,12 @@ sub wait_for_start($$)
                        $cmd .= 
"RESOLV_WRAPPER_HOSTS='$testenv_vars->{RESOLV_WRAPPER_HOSTS}' ";
                }
                $cmd .= "RESOLV_CONF='$testenv_vars->{RESOLV_CONF}' ";
+               if (defined($testenv_vars->{GNUTLS_FORCE_FIPS_MODE})) {
+                       $cmd .= 
"GNUTLS_FORCE_FIPS_MODE=$testenv_vars->{GNUTLS_FORCE_FIPS_MODE} ";
+               }
+               if (defined($testenv_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+                       $cmd .= 
"OPENSSL_FORCE_FIPS_MODE=$testenv_vars->{OPENSSL_FORCE_FIPS_MODE} ";
+               }
 
                $cmd .= "$ldbsearch ";
                $cmd .= "$testenv_vars->{CONFIGURATION} ";
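Review bot: The added `GNUTLS_FORCE_FIPS_MODE=...` and `OPENSSL_FORCE_FIPS_MODE=...` assignments are interpolated into `$cmd` unquoted, while the neighbouring `RESOLV_WRAPPER_HOSTS` and `RESOLV_CONF` assignments are wrapped in single quotes. Elsewhere in this commit the value is only ever set to "1", so this is a consistency point rather than a defect today. Quoting it like its neighbours, e.g. `"GNUTLS_FORCE_FIPS_MODE='$testenv_vars->{GNUTLS_FORCE_FIPS_MODE}' "`, keeps the command line well-formed if the value ever carries whitespace or shell metacharacters. The `$cmd_env` lines added to get_cmd_env_vars (`-381,6 +387,12`) have the same shape, and there the neighbours use `\"...\"`. wait_for_start starts and ends outside this hunk.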
@@ -381,6 +387,12 @@ sub get_cmd_env_vars
        } else {
                $cmd_env .= 
"RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
        }
+       if (defined($localenv->{GNUTLS_FORCE_FIPS_MODE})) {
+               $cmd_env .= 
"GNUTLS_FORCE_FIPS_MODE=$localenv->{GNUTLS_FORCE_FIPS_MODE} ";
+       }
+       if (defined($localenv->{OPENSSL_FORCE_FIPS_MODE})) {
+               $cmd_env .= 
"OPENSSL_FORCE_FIPS_MODE=$localenv->{OPENSSL_FORCE_FIPS_MODE} ";
+       }
        $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
        $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
        $cmd_env .= "RESOLV_CONF=\"$localenv->{RESOLV_CONF}\" ";
@@ -471,11 +483,21 @@ sub setup_trust($$$$$)
        return $localenv
 }
 
-sub provision_raw_prepare($$$$$$$$$$$$)
-{
-       my ($self, $prefix, $server_role, $hostname,
-           $domain, $realm, $samsid, $functional_level,
-           $password, $kdc_ipv4, $kdc_ipv6) = @_;
+sub provision_raw_prepare($$$$$$$$$$$$$$)
+{
+       my ($self,
+           $prefix,
+           $server_role,
+           $hostname,
+           $domain,
+           $realm,
+           $samsid,
+           $functional_level,
+           $password,
+           $kdc_ipv4,
+           $kdc_ipv6,
+           $force_fips_mode,
+           $extra_provision_options) = @_;
        my $ctx;
        my $python_cmd = "";
        if (defined $ENV{PYTHON}) {
@@ -510,6 +532,7 @@ sub provision_raw_prepare($$$$$$$$$$$$)
        $ctx->{password} = $password;
        $ctx->{kdc_ipv4} = $kdc_ipv4;
        $ctx->{kdc_ipv6} = $kdc_ipv6;
+       $ctx->{force_fips_mode} = $force_fips_mode;
        $ctx->{krb5_ccname} = "$prefix_abs/krb5cc_%{uid}";
        if ($functional_level eq "2000") {
                $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 
des-cbc-crc"
@@ -597,6 +620,11 @@ sub provision_raw_prepare($$$$$$$$$$$$)
        } else {
                push (@provision_options, 
"RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
        }
+       if (defined($ctx->{force_fips_mode})) {
+               push (@provision_options, "GNUTLS_FORCE_FIPS_MODE=1");
+               push (@provision_options, "OPENSSL_FORCE_FIPS_MODE=1");
+       }
+
        if (defined($ENV{GDB_PROVISION})) {
                push (@provision_options, "gdb --args");
                if (!defined($ENV{PYTHON})) {
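Review bot: The test `defined($ctx->{force_fips_mode})` enables FIPS mode for any defined value, including `0` or an empty string, so the flag cannot be passed as an explicit false. The callers visible in this diff pass only `undef` or `1`, so nothing misbehaves today, but a truth test states the intent: `if ($ctx->{force_fips_mode}) {`. The same `defined` test guards the `$ret->{GNUTLS_FORCE_FIPS_MODE}` and `$ret->{OPENSSL_FORCE_FIPS_MODE}` assignments in the `-865,6 +897,10` hunk. provision_raw_prepare starts and ends outside this hunk.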
@@ -635,6 +663,10 @@ sub provision_raw_prepare($$$$$$$$$$$$)
 
        @{$ctx->{provision_options}} = @provision_options;
 
+       if (defined($extra_provision_options)) {
+               push (@{$ctx->{provision_options}}, 
@{$extra_provision_options});
+       }
+
        return $ctx;
 }
 
@@ -857,7 +889,7 @@ nogroup:x:65534:nobody
                 UID_RFC2307TEST => $uid_rfc2307test,
                 GID_RFC2307TEST => $gid_rfc2307test,
                 SERVER_ROLE => $ctx->{server_role},
-               RESOLV_CONF => $ctx->{resolv_conf}
+               RESOLV_CONF => $ctx->{resolv_conf},
        };
 
        if (defined($ctx->{use_resolv_wrapper})) {
@@ -865,6 +897,10 @@ nogroup:x:65534:nobody
        } else {
                $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
        }
+       if (defined($ctx->{force_fips_mode})) {
+               $ret->{GNUTLS_FORCE_FIPS_MODE} = "1",
+               $ret->{OPENSSL_FORCE_FIPS_MODE} = "1",
+       }
 
        if ($ctx->{server_role} eq "domain controller") {
                $ret->{DOMSID} = $ret->{SAMSID};
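Review bot: The two added assignments to `$ret->{GNUTLS_FORCE_FIPS_MODE}` and `$ret->{OPENSSL_FORCE_FIPS_MODE}` end in `,` instead of `;`. Perl parses them as a single comma expression, so both values are still set, but it reads like a leftover from the hash literal above, and any statement later appended inside the block would join the same expression. Suggested form: `$ret->{GNUTLS_FORCE_FIPS_MODE} = "1";` and `$ret->{OPENSSL_FORCE_FIPS_MODE} = "1";`. The enclosing sub starts and ends outside this hunk.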
@@ -1068,11 +1104,21 @@ userPrincipalName: jane.doe\@$ctx->{realm}
        return $ret;
 }
 
-sub provision($$$$$$$$$$)
-{
-       my ($self, $prefix, $server_role, $hostname,
-           $domain, $realm, $functional_level,
-           $password, $kdc_ipv4, $kdc_ipv6, $extra_smbconf_options, 
$extra_smbconf_shares,
+sub provision($$$$$$$$$$$)
+{
+       my ($self,
+           $prefix,
+           $server_role,
+           $hostname,
+           $domain,
+           $realm,
+           $functional_level,
+           $password,
+           $kdc_ipv4,
+           $kdc_ipv6,
+           $force_fips_mode,
+           $extra_smbconf_options,
+           $extra_smbconf_shares,
            $extra_provision_options) = @_;
 
        my $samsid = Samba::random_domain_sid();
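Review bot: `$force_fips_mode` is added in the middle of a positional list of fourteen values, ahead of `$extra_smbconf_options`, so a call site that is not updated still runs but hands its smb.conf options to the FIPS slot. Because the flag is later tested with `defined`, that would switch FIPS mode on silently. The changeset is truncated at 500 lines, so whether every caller was updated cannot be confirmed from here. Appending the new parameter at the end would avoid the shift; at minimum, a comment above the sub listing the argument order would help. The `($$$...)` prototype does not appear to match the list and is not applied to `$self->provision(...)` method calls, so it could be dropped. `provision_ad_dc` (`-1790,10 +1842,16`) has the same shape.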
@@ -1082,11 +1128,11 @@ sub provision($$$$$$$$$$)
                                               $domain, $realm,
                                               $samsid,
                                               $functional_level,
-                                              $password, $kdc_ipv4, $kdc_ipv6);
-
-       if (defined($extra_provision_options)) {
-               push (@{$ctx->{provision_options}}, 
@{$extra_provision_options});
-       }
+                                              $password,
+                                              $kdc_ipv4,
+                                              $kdc_ipv6,
+                                              $force_fips_mode,
+                                              $extra_provision_options);
 
        $ctx->{share} = "$ctx->{prefix_abs}/share";
        push(@{$ctx->{directories}}, "$ctx->{share}");
@@ -1257,6 +1303,7 @@ server min protocol = LANMAN1
                                   "locMEMpass3",
                                   $dcvars->{SERVER_IP},
                                   $dcvars->{SERVER_IPV6},
+                                  undef,
                                   $extra_smb_conf, "",
                                   $extra_provision_options);
        unless ($ret) {
@@ -1319,6 +1366,7 @@ sub provision_rpc_proxy($$$)
                                   "locRPCproxypass4",
                                   $dcvars->{SERVER_IP},
                                   $dcvars->{SERVER_IPV6},
+                                  undef,
                                   $extra_smbconf_options, "",
                                   $extra_provision_options);
        unless ($ret) {
@@ -1537,6 +1585,7 @@ sub provision_ad_dc_ntvfs($$$)
                                   "locDCpass1",
                                   undef,
                                   undef,
+                                  undef,
                                   $extra_conf_options,
                                   "",
                                   $extra_provision_options);
@@ -1578,6 +1627,7 @@ sub provision_fl2000dc($$)
                                   "locDCpass5",
                                   undef,
                                   undef,
+                                  undef,
                                   $extra_conf_options,
                                   "",
                                   $extra_provision_options);
@@ -1615,6 +1665,7 @@ sub provision_fl2003dc($$$)
                                   "locDCpass6",
                                   undef,
                                   undef,
+                                  undef,
                                   $extra_conf_options,
                                   "",
                                   $extra_provision_options);
@@ -1665,6 +1716,7 @@ sub provision_fl2008r2dc($$$)
                                   "locDCpass7",
                                   undef,
                                   undef,
+                                  undef,
                                   $extra_conf_options,
                                   "",
                                   $extra_provision_options);
@@ -1790,10 +1842,16 @@ sub read_config_h($)
        return \%ret;
 }
 
-sub provision_ad_dc($$$$$$)
+sub provision_ad_dc($$$$$$$)
 {
-       my ($self, $prefix, $hostname, $domain, $realm, $smbconf_args,
-               $extra_provision_options) = @_;
+       my ($self,
+           $prefix,
+           $hostname,
+           $domain,
+           $realm,
+           $force_fips_mode,
+           $smbconf_args,
+           $extra_provision_options) = @_;
 
        my $prefix_abs = abs_path($prefix);
 
@@ -1919,6 +1977,7 @@ sub provision_ad_dc($$$$$$)
                                   "locDCpass1",
                                   undef,
                                   undef,
+                                  $force_fips_mode,
                                   $extra_smbconf_options,
                                   $extra_smbconf_shares,
                                   $extra_provision_options);
@@ -1957,6 +2016,7 @@ sub provision_chgdcpass($$)
                                   "chgDCpass1",
                                   undef,
                                   undef,
+                                  undef,
                                   $extra_smb_conf,
                                   "",
                                   $extra_provision_options);
@@ -2104,6 +2164,7 @@ sub check_env($$)
        # name               => [dep_1, dep_2, ...],
        dns_hub              => [],
        ad_dc_ntvfs          => ["dns_hub"],
+       ad_dc_fips           => ["dns_hub"],
        ad_dc                => ["dns_hub"],
        ad_dc_smb1           => ["dns_hub"],
        ad_dc_smb1_done      => ["ad_dc_smb1"],
@@ -2504,6 +2565,7 @@ sub setup_ad_dc
        }
        my $env = $self->provision_ad_dc($path, $server, "ADDOMAIN",
                                         $dom,
+                                        undef,
                                         $conf_opts,
                                         undef);
        unless ($env) {
@@ -2548,8 +2610,13 @@ sub setup_ad_dc_no_nss
               return "UNKNOWN";
        }
 
-       my $env = $self->provision_ad_dc($path, "addc_no_nss", "ADNONSSDOMAIN",
-                                        "adnonssdom.samba.example.com", "", 
undef);
+       my $env = $self->provision_ad_dc($path,
+                                        "addc_no_nss",
+                                        "ADNONSSDOMAIN",
+                                        "adnonssdom.samba.example.com",
+                                        undef,
+                                        "",
+                                        undef);
        unless ($env) {
                return undef;
        }
@@ -2578,9 +2645,45 @@ sub setup_ad_dc_no_ntlm
               return "UNKNOWN";
        }
 
-       my $env = $self->provision_ad_dc($path, "addc_no_ntlm", 
"ADNONTLMDOMAIN",
+       my $env = $self->provision_ad_dc($path,
+                                        "addc_no_ntlm",
+                                        "ADNONTLMDOMAIN",
                                         "adnontlmdom.samba.example.com",
-                                        "ntlm auth = disabled", undef);
+                                        undef,
+                                        "ntlm auth = disabled",
+                                        undef);
+       unless ($env) {
+               return undef;
+       }
+
+       if (not defined($self->check_or_start($env, "prefork"))) {
+           return undef;
+       }
+
+       my $upn_array = ["$env->{REALM}.upn"];
+       my $spn_array = ["$env->{REALM}.spn"];
+
+       $self->setup_namespaces($env, $upn_array, $spn_array);
+
+       return $env;
+}
+
+sub setup_ad_dc_fips
+{
+       my ($self, $path) = @_;
+
+       # If we didn't build with ADS, pretend this env was never available
+       if (not $self->{target3}->have_ads()) {
+              return "UNKNOWN";
+       }
+
+       my $env = $self->provision_ad_dc($path,
+                                        "fipsdc",
+                                        "FIPSDOMAIN",
+                                        "fips.samba.example.com",
+                                        1,
+                                        "",
+                                        undef);
        unless ($env) {
                return undef;
        }
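Review bot: The bare `1` in the `provision_ad_dc()` call of the new `setup_ad_dc_fips` is the only thing that makes this environment different from its siblings, and nothing says what it means. A trailing comment on that argument, `1, # force_fips_mode`, would make the call readable next to the `undef` placeholders used by every other caller. A short comment above the sub would also help, saying that provisioning and the started server run with `GNUTLS_FORCE_FIPS_MODE=1` and `OPENSSL_FORCE_FIPS_MODE=1` in their environment. The body of `setup_ad_dc_fips` continues past the end of this hunk.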
@@ -2611,12 +2714,13 @@ sub setup_preforkrestartdc
 
        # note DC name must be <= 15 chars so we use 'prockill' instead of
        # 'preforkrestart'
-       my $env = $self->provision_ad_dc(
-               $path,
-               "prockilldc",
-               "PROCKILLDOMAIN",
-               "prockilldom.samba.example.com",
-               "prefork backoff increment = 5\nprefork maximum backoff=10");
+       my $env = $self->provision_ad_dc($path,
+                                        "prockilldc",
+                                        "PROCKILLDOMAIN",
+                                        "prockilldom.samba.example.com",
+                                        undef,
+                                        "prefork backoff increment = 
5\nprefork maximum backoff=10",
+                                        undef);
        unless ($env) {
                return undef;
        }
@@ -2649,12 +2753,13 @@ sub setup_proclimitdc
               return "UNKNOWN";
        }
 
-       my $env = $self->provision_ad_dc(
-               $path,
-               "proclimitdc",
-               "PROCLIMITDOM",
-               "proclimit.samba.example.com",
-               "max smbd processes = 20");
+       my $env = $self->provision_ad_dc($path,
+                                        "proclimitdc",
+                                        "PROCLIMITDOM",
+                                        "proclimit.samba.example.com",
+                                        undef,
+                                        "max smbd processes = 20",
+                                        undef);
        unless ($env) {
                return undef;
        }
@@ -2682,8 +2787,11 @@ sub setup_schema_dc
        # provision the PDC using an older base schema
        my $provision_args = ["--base-schema=2008_R2", "--backend-store=mdb"];
 
-       my $env = $self->provision_ad_dc($path, "liveupgrade1dc", 
"SCHEMADOMAIN",
+       my $env = $self->provision_ad_dc($path,
+                                        "liveupgrade1dc",
+                                        "SCHEMADOMAIN",
                                         "schema.samba.example.com",
+                                        undef,
                                         "drs: max link sync = 2",
                                         $provision_args);
        unless ($env) {
@@ -2785,8 +2893,11 @@ sub setup_backupfromdc
 
        my $provision_args = ["--site=Backup-Site"];
 
-       my $env = $self->provision_ad_dc($path, "backupfromdc", "BACKUPDOMAIN",
+       my $env = $self->provision_ad_dc($path,
+                                        "backupfromdc",
+                                        "BACKUPDOMAIN",
                                         "backupdom.samba.example.com",
+                                        undef,
                                         "samba kcc command = /bin/true",
                                         $provision_args);
        unless ($env) {
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c 
b/source4/dsdb/samdb/ldb_modules/password_hash.c
index ffd48da616e..287f79541bf 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -47,8 +47,9 @@
 #include "lib/krb5_wrap/krb5_samba.h"
 #include "auth/common_auth.h"
 #include "lib/messaging/messaging.h"
+#include "lib/param/loadparm.h"
 
-#include <gnutls/gnutls.h>
+#include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/crypto.h>
 
 #ifdef ENABLE_GPGME
@@ -1792,11 +1793,14 @@ static int setup_supplemental_field(struct 
setup_password_fields_io *io)
        bool do_newer_keys = false;
        bool do_cleartext = false;
        bool do_samba_gpg = false;
+       struct loadparm_context *lp_ctx = NULL;
 
        ZERO_STRUCT(names);


-- 
Samba Shared Repository
