The branch, master has been updated via 23e5b7cc79b s4:torture: Add rpc netlogon fips test via f1df0c4d0ad s4:torture: Remove trailing whitespaces in rpc.c via fd5b315805c s4:selftest: Pass environ to plansmbtorture4testsuite() via e8a2c2fe4e7 selftest: Fix setting environ for plansmbtorture4testsuite() via d6c7a2a7003 netlogon:schannel: If weak crypto is disabled, do not announce RC4 support. via 17cc20ebe60 s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections via 1326e7d65d1 s4:libnet: Remove trailing whitespaces via 868a9577d6a s4:rpc_server: Allow to set user password in FIPS mode via 2daf3e79751 auth:gensec: Use lpcfg_weak_crypto() from 6d928eb1e8e smbd: only open full fd for directories if needed
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 23e5b7cc79b006ae9260d3723e6c44ad66589382 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 26 10:18:05 2021 +0200 s4:torture: Add rpc netlogon fips test Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Tue Aug 3 10:18:26 UTC 2021 on sn-devel-184 commit f1df0c4d0ad43ed1726ba961810078059b990be3 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 26 10:17:38 2021 +0200 s4:torture: Remove trailing whitespaces in rpc.c Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit fd5b315805c6c1a4af64e9db57771d864f631207 Author: Andreas Schneider <a...@samba.org> Date: Wed Jul 28 11:57:02 2021 +0200 s4:selftest: Pass environ to plansmbtorture4testsuite() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit e8a2c2fe4e75c2e6a690ea75045942ec9730c5dc Author: Andreas Schneider <a...@samba.org> Date: Wed Jul 28 11:56:12 2021 +0200 selftest: Fix setting environ for plansmbtorture4testsuite() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d6c7a2a7003a2c081aa1ed710a84941bc8f331bf Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 3 15:58:56 2020 +0200 netlogon:schannel: If weak crypto is disabled, do not announce RC4 support. 
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 17cc20ebe602b619461efa215ac75fed8e0d6338 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 26 10:13:52 2021 +0200 s4:libnet: Allow libnet_SetPassword() for encrypted SMB connections This is needed for smbtorture to join a domain in FIPS mode. FYI: The correct way would be to join using LDAP as the s3 code is doing it. But this requires a bigger rewrite. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1326e7d65d1feff53303df35b2d641660a5babc0 Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 26 10:12:56 2021 +0200 s4:libnet: Remove trailing whitespaces Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 868a9577d6a1da6d1aa1738adaa541038ec3c1cd Author: Andreas Schneider <a...@samba.org> Date: Mon Jul 26 10:02:13 2021 +0200 s4:rpc_server: Allow to set user password in FIPS mode Only in case we have an SMB encrypted connection ... Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2daf3e79751d11a31a1e44d21b70517356301ee7 Author: Andreas Schneider <a...@samba.org> Date: Fri Apr 23 16:32:27 2021 +0200 auth:gensec: Use lpcfg_weak_crypto() Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/gensec/gensec_start.c | 5 +- libcli/auth/netlogon_creds_cli.c | 12 ++ selftest/selftesthelpers.py | 3 +- source3/rpc_server/netlogon/srv_netlog_nt.c | 7 + source4/libnet/libnet_passwd.c | 75 ++++--- source4/librpc/rpc/dcerpc_schannel.c | 5 + source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 + source4/rpc_server/samr/samr_password.c | 12 ++ source4/selftest/tests.py | 26 ++- source4/torture/rpc/netlogon_crypto.c | 274 ++++++++++++++++++++++++++ source4/torture/rpc/rpc.c | 77 ++++---- source4/torture/wscript_build | 1 + 12 files changed, 438 insertions(+), 68 deletions(-) create mode 100644 source4/torture/rpc/netlogon_crypto.c Changeset truncated at 500 lines: diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 906e3ee302c..bd5b7259d3f 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -29,10 +29,10 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "lib/param/param.h" +#include "lib/param/loadparm.h" #include "lib/util/tsort.h" #include "lib/util/samba_modules.h" #include "lib/util/base64.h" -#include "lib/crypto/gnutls_helpers.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -51,7 +51,8 @@ bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct g ops->name, ops->enabled); - if (!samba_gnutls_weak_crypto_allowed() && ops->weak_crypto) { + if (ops->weak_crypto && + lpcfg_weak_crypto(security->settings->lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) { ok = false; } diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 12cb3149ff6..e78bc173968 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c 
@@ -39,6 +39,7 @@ #include "libds/common/roles.h" #include "lib/crypto/md4.h" #include "auth/credentials/credentials.h" +#include "lib/param/loadparm.h" struct netlogon_creds_cli_locked_state; @@ -414,6 +415,17 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC; } + /* + * If weak crypto is disabled, do not announce that we support RC4 and + * require AES. + */ + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { + required_flags &= ~NETLOGON_NEG_ARCFOUR; + required_flags |= NETLOGON_NEG_SUPPORTS_AES; + proposed_flags &= ~NETLOGON_NEG_ARCFOUR; + proposed_flags |= NETLOGON_NEG_SUPPORTS_AES; + } + proposed_flags |= required_flags; if (seal_secure_channel) { diff --git a/selftest/selftesthelpers.py b/selftest/selftesthelpers.py index 542737dbd10..0320008faf9 100644 --- a/selftest/selftesthelpers.py +++ b/selftest/selftesthelpers.py @@ -201,7 +201,8 @@ def plansmbtorture4testsuite(name, env, options, target, modname=None, environ={ cmdline = "" if environ: environ = dict(environ) - cmdline = ["%s=%s" % item for item in environ.items()] + cmdline_env = ["%s=%s" % item for item in environ.items()] + cmdline += " ".join(cmdline_env) + " " cmdline += " %s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name) plantestsuite_loadlist(modname, env, cmdline) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index eaacd8dbc6a..51a5663b9da 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
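Review bot: The new gate only acts on `lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED`, so any other value of that enum leaves `NETLOGON_NEG_ARCFOUR` in the proposed flags, whereas the gensec_start.c hunk in this series disables weak ops for everything that is not `SAMBA_WEAK_CRYPTO_ALLOWED`. If lpcfg_weak_crypto() can return something other than those two values (I cannot tell from the diff), the fail-closed spelling `if (lpcfg_weak_crypto(lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) {` is the safer one and keeps the series consistent. The same `== SAMBA_WEAK_CRYPTO_DISALLOWED` comparison appears in the srv_netlog_nt.c, dcerpc_schannel.c, dcerpc_netlogon.c and samr_password.c hunks. netlogon_creds_cli_context_global() starts and ends outside the hunk.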
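Review bot: The environment is turned into bare `key=value` words on the shell command line, so a value containing whitespace or shell metacharacters would be split or interpreted by the shell instead of reaching smbtorture as one assignment; the values used in this series are just `1`, so nothing breaks today, but `cmdline_env = ["%s=%s" % (k, shlex.quote(v)) for k, v in environ.items()]` (with `import shlex`) makes the helper safe for later callers. The trailing `+ " "` followed by `cmdline += " %s ..."` also yields a double space, harmless but untidy. The function's def line is the hunk header, so it lies outside the hunk.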
@@ -910,6 +910,13 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION; } + /* + * If weak cryto is disabled, do not announce that we support RC4. + */ + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + srv_flgs &= ~NETLOGON_NEG_ARCFOUR; + } + switch (p->opnum) { case NDR_NETR_SERVERAUTHENTICATE: fn = "_netr_ServerAuthenticate"; diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c index 868f9442cd0..2bb7e392bd8 100644 --- a/source4/libnet/libnet_passwd.c +++ b/source4/libnet/libnet_passwd.c @@ -1,19 +1,19 @@ -/* +/* Unix SMB/CIFS implementation. - + Copyright (C) Stefan Metzmacher 2004 Copyright (C) Andrew Bartlett <abart...@samba.org> 2005 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -23,6 +23,8 @@ #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_samr_c.h" #include "source4/librpc/rpc/dcerpc.h" +#include "auth/credentials/credentials.h" +#include "libcli/smb/smb_constants.h" #include "lib/crypto/gnutls_helpers.h" #include <gnutls/gnutls.h> 
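Review bot: The added comment reads `If weak cryto is disabled`; `cryto` should be `crypto`, and the identical comment in the dcerpc_netlogon.c hunk carries the same typo. I would write it as `/* If weak crypto is disabled, do not announce that we support RC4. */` in both places. _netr_ServerAuthenticate3() starts and ends outside the hunk.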
@@ -245,7 +247,7 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT if (!NT_STATUS_IS_OK(status)) { r->samr.out.error_string = talloc_asprintf(mem_ctx, "samr_ChangePasswordUser2 for '%s\\%s' failed: %s", - r->samr.in.domain_name, r->samr.in.account_name, + r->samr.in.domain_name, r->samr.in.account_name, nt_errstr(status)); } goto disconnect; @@ -296,7 +298,7 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT if (!NT_STATUS_IS_OK(oe2.out.result)) { r->samr.out.error_string = talloc_asprintf(mem_ctx, "samr_OemChangePasswordUser2 for '%s\\%s' failed: %s", - r->samr.in.domain_name, r->samr.in.account_name, + r->samr.in.domain_name, r->samr.in.account_name, nt_errstr(status)); } goto disconnect; @@ -337,7 +339,7 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT if (!NT_STATUS_IS_OK(pw.out.result)) { r->samr.out.error_string = talloc_asprintf(mem_ctx, "samr_ChangePasswordUser for '%s\\%s' failed: %s", - r->samr.in.domain_name, r->samr.in.account_name, + r->samr.in.domain_name, r->samr.in.account_name, nt_errstr(pw.out.result)); if (NT_STATUS_EQUAL(pw.out.result, NT_STATUS_PASSWORD_RESTRICTION)) { status = pw.out.result; @@ -426,7 +428,7 @@ static NTSTATUS libnet_SetPassword_samr_handle_26(struct libnet_context *ctx, TA sui.in.user_handle = r->samr_handle.in.user_handle; sui.in.info = &u_info; sui.in.level = 26; - + /* 7. try samr_SetUserInfo2 level 26 to set the password */ status = dcerpc_samr_SetUserInfo2_r(r->samr_handle.in.dcerpc_pipe->binding_handle, mem_ctx, &sui); /* check result of samr_SetUserInfo2 level 26 */ @@ -671,7 +673,7 @@ static NTSTATUS libnet_SetPassword_samr_handle(struct libnet_context *ctx, TALLO } break; } - + return status; } /* 
@@ -707,7 +709,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * c.level = LIBNET_RPC_CONNECT_PDC; c.in.name = r->samr.in.domain_name; c.in.dcerpc_iface = &ndr_table_samr; - + /* 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation) */ status = libnet_RpcConnect(ctx, mem_ctx, &c); if (!NT_STATUS_IS_OK(status)) { @@ -802,7 +804,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * "samr_LookupNames for [%s] returns %d RIDs", r->samr.in.account_name, ln.out.rids->count); status = NT_STATUS_INVALID_NETWORK_RESPONSE; - goto disconnect; + goto disconnect; } if (ln.out.types->count != 1) { 
@@ -870,28 +872,55 @@ static NTSTATUS libnet_SetPassword_generic(struct libnet_context *ctx, TALLOC_CT NTSTATUS libnet_SetPassword(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_SetPassword *r) { + enum smb_encryption_setting encryption_state = + cli_credentials_get_smb_encryption(ctx->cred); + NTSTATUS status = NT_STATUS_INVALID_LEVEL; + switch (r->generic.level) { case LIBNET_SET_PASSWORD_GENERIC: - return libnet_SetPassword_generic(ctx, mem_ctx, r); + status = libnet_SetPassword_generic(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR: - return libnet_SetPassword_samr(ctx, mem_ctx, r); + status = libnet_SetPassword_samr(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR_HANDLE: - return libnet_SetPassword_samr_handle(ctx, mem_ctx, r); + status = libnet_SetPassword_samr_handle(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR_HANDLE_26: - return libnet_SetPassword_samr_handle_26(ctx, mem_ctx, r); + if (encryption_state == SMB_ENCRYPTION_REQUIRED) { + GNUTLS_FIPS140_SET_LAX_MODE(); + } + status = libnet_SetPassword_samr_handle_26(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR_HANDLE_25: - return libnet_SetPassword_samr_handle_25(ctx, mem_ctx, r); + if (encryption_state == SMB_ENCRYPTION_REQUIRED) { + GNUTLS_FIPS140_SET_LAX_MODE(); + } + status = libnet_SetPassword_samr_handle_25(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR_HANDLE_24: - return libnet_SetPassword_samr_handle_24(ctx, mem_ctx, r); + if (encryption_state == SMB_ENCRYPTION_REQUIRED) { + GNUTLS_FIPS140_SET_LAX_MODE(); + } + status = libnet_SetPassword_samr_handle_24(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_SAMR_HANDLE_23: - return libnet_SetPassword_samr_handle_23(ctx, mem_ctx, r); + if (encryption_state == SMB_ENCRYPTION_REQUIRED) { + GNUTLS_FIPS140_SET_LAX_MODE(); + } + status = libnet_SetPassword_samr_handle_23(ctx, mem_ctx, r); + break; case LIBNET_SET_PASSWORD_KRB5: - return NT_STATUS_NOT_IMPLEMENTED; + status = 
NT_STATUS_NOT_IMPLEMENTED; + break; case LIBNET_SET_PASSWORD_LDAP: - return NT_STATUS_NOT_IMPLEMENTED; + status = NT_STATUS_NOT_IMPLEMENTED; + break; case LIBNET_SET_PASSWORD_RAP: - return NT_STATUS_NOT_IMPLEMENTED; + status = NT_STATUS_NOT_IMPLEMENTED; + break; } - return NT_STATUS_INVALID_LEVEL; + GNUTLS_FIPS140_SET_STRICT_MODE(); + return status; } diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index d12647222eb..68bc3b34e24 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -31,6 +31,7 @@ #include "auth/credentials/credentials.h" #include "librpc/rpc/dcerpc_proto.h" #include "param/param.h" +#include "lib/param/loadparm.h" struct schannel_key_state { struct dcerpc_pipe *pipe; @@ -346,6 +347,10 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx, s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH; } + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { + s->local_negotiate_flags &= ~NETLOGON_NEG_ARCFOUR; + } + epm_creds = cli_credentials_init_anon(s); if (composite_nomem(epm_creds, c)) return c; diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index c87375c16a5..6860202a985 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -44,6 +44,7 @@ #include "lib/socket/netif.h" #include "rpc_server/common/sid_helper.h" #include "lib/util/util_str_escape.h" +#include "lib/param/loadparm.h" #define DCESRV_INTERFACE_NETLOGON_BIND(context, iface) \ dcesrv_interface_netlogon_bind(context, iface) 
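Review bot: The decision to enter lax FIPS mode is taken from `cli_credentials_get_smb_encryption(ctx->cred)`, i.e. from what the credentials ask for, not from the state of the pipe the SAMR call actually travels over, and the hunk does not say why that is sufficient; a comment above the switch such as `/* RC4-wrapped password buffers are only acceptable in FIPS mode when the SMB transport is encrypted; SMB_ENCRYPTION_REQUIRED guarantees the session could not have come up in the clear. */` would record the reasoning (I cannot see from the diff whether a connection established under REQUIRED can ever be unencrypted). The three-line `if (encryption_state == SMB_ENCRYPTION_REQUIRED) { GNUTLS_FIPS140_SET_LAX_MODE(); }` is repeated in four cases; computing `bool allow_weak = (encryption_state == SMB_ENCRYPTION_REQUIRED);` once next to `status` and testing that in each case reads better. `GNUTLS_FIPS140_SET_STRICT_MODE()` at the end runs unconditionally, also for the generic/SAMR/KRB5 levels that never left strict mode; if the macro is cheap that is fine, but the comment should also state that the process is in lax mode for the whole duration of the level-23..26 calls, since that mode is not scoped to this function.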
@@ -223,6 +224,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( NETLOGON_NEG_AUTHENTICATED_RPC_LSASS | NETLOGON_NEG_AUTHENTICATED_RPC; + /* + * If weak cryto is disabled, do not announce that we support RC4. + */ + if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) == + SAMBA_WEAK_CRYPTO_DISALLOWED) { + server_flags &= ~NETLOGON_NEG_ARCFOUR; + } + negotiate_flags = *r->in.negotiate_flags & server_flags; if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 83b104fbd0e..0f5a6d0f820 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -702,6 +702,9 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, struct samr_CryptPasswordEx *pwbuf) { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + struct auth_session_info *session_info = + dcesrv_call_session_info(dce_call); NTSTATUS nt_status; DATA_BLOB new_password; @@ -710,6 +713,7 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, DATA_BLOB pw_data = data_blob_const(pwbuf->data, 516); DATA_BLOB session_key = data_blob(NULL, 0); int rc; + bool encrypted; nt_status = dcesrv_transport_session_key(dce_call, &session_key); if (!NT_STATUS_IS_OK(nt_status)) { @@ -719,10 +723,18 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, return NT_STATUS_WRONG_PASSWORD; } + encrypted = dcerpc_is_transport_encrypted(session_info); + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && + !encrypted) { + return NT_STATUS_ACCESS_DENIED; + } + + GNUTLS_FIPS140_SET_LAX_MODE(); rc = samba_gnutls_arcfour_confounded_md5(&confounder, &session_key, &pw_data, SAMBA_GNUTLS_DECRYPT); + GNUTLS_FIPS140_SET_STRICT_MODE(); if (rc < 0) { nt_status = gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED); goto out; 
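Review bot: The new encrypted-transport gate covers samr_set_password_ex() only; the diffstat accounts for all 12 added lines of samr_password.c in this hunk set, so if this file has a sibling that decrypts a samr_CryptPassword buffer with RC4 and the session key (the non-Ex variant), it is still reachable over an unencrypted transport with weak crypto disallowed — worth confirming, as that code is not in the diff. The new `encrypted` local is read once and could be folded into the condition: `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED && !dcerpc_is_transport_encrypted(session_info)) {`. A short comment above the `return NT_STATUS_ACCESS_DENIED;`, e.g. `/* In FIPS mode the RC4-wrapped buffer is only acceptable over an encrypted transport. */`, would explain why this is ACCESS_DENIED rather than the WRONG_PASSWORD returned just above. samr_set_password_ex() continues past the hunk.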
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 4820af85a85..01c190704a0 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -34,9 +34,13 @@ from selftesthelpers import smbtorture4, ntlm_auth3, samba3srcdir print("OPTIONS %s" % " ".join(smbtorture4_options), file=sys.stderr) -def plansmbtorture4testsuite(name, env, options, modname=None): - return selftesthelpers.plansmbtorture4testsuite(name, env, options, - target='samba4', modname=modname) +def plansmbtorture4testsuite(name, env, options, modname=None, environ={}): + return selftesthelpers.plansmbtorture4testsuite(name, + env, + options, + target='samba4', + modname=modname, + environ=environ) samba4srcdir = source4dir() @@ -197,7 +201,11 @@ all_rpc_tests = ncalrpc_tests + ncacn_np_tests + ncacn_ip_tcp_tests + slow_ncacn rpc_s3only = [ "rpc.mdssvc", ] -rpc_tests = [x for x in smbtorture4_testsuites("rpc.") if x not in rpc_s3only] +rpc_fipsonly = [ + "rpc.fips.netlogon.crypto", +] +rpc_exclude = rpc_s3only + rpc_fipsonly +rpc_tests = [x for x in smbtorture4_testsuites("rpc.") if x not in rpc_exclude] auto_rpc_tests = list(filter(lambda t: t not in all_rpc_tests, rpc_tests)) for bindoptions in ["seal,padcheck"] + validate_list + ["bigendian"]: @@ -632,6 +640,16 @@ if have_gnutls_fips_mode_support: environ={'GNUTLS_FORCE_FIPS_MODE': '1', 'OPENSSL_FORCE_FIPS_MODE': '1'}) + plansmbtorture4testsuite('rpc.fips.netlogon.crypto', + 'ad_dc_fips', + ['ncacn_np:$SERVER[krb5]', + '-U$USERNAME%$PASSWORD', + '--workgroup=$DOMAIN', + '--client-protection=encrypt'], + 'samba4.rpc.fips.netlogon.crypto', + environ={'GNUTLS_FORCE_FIPS_MODE': '1', + 'OPENSSL_FORCE_FIPS_MODE': '1'}) + plansmbtorture4testsuite('rpc.echo', "ad_dc_ntvfs", ['ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD'], "samba4.rpc.echo against NetBIOS alias") # Test wbinfo trust auth 
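Review bot: The new wrapper signature `def plansmbtorture4testsuite(name, env, options, modname=None, environ={}):` uses a mutable dict as a default argument; it is not mutated here (the callee copies it with `dict(environ)`), but `environ=None` is the idiomatic spelling and behaves identically because the callee only tests `if environ:` before using it. The `rpc_fipsonly` list would benefit from a one-line comment, e.g. `# only run in the ad_dc_fips environment, see the explicit plansmbtorture4testsuite() call below`, so a reader of the generic rpc_tests loop knows why these suites are excluded.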
diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c
new file mode 100644
index 00000000000..05beb2b77b3
--- /dev/null
+++ b/source4/torture/rpc/netlogon_crypto.c
@@ -0,0 +1,274 @@ +/* + Unix SMB/CIFS implementation. + + test suite for netlogon rpc operations + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abart...@samba.org> 2003-2004 + Copyright (C) Tim Potter 2003 + Copyright (C) Matthias Dieter Wallnöfer 2009-2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "lib/replace/system/network.h" +#include "lib/cmdline/cmdline.h" +#include "torture/rpc/torture_rpc.h" +#include "libcli/auth/libcli_auth.h" +#include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "param/param.h" +#include "lib/param/loadparm.h" +#include "libcli/security/security.h" + +#undef strcasecmp + +#define TEST_MACHINE_NAME "torturetest" + +static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p, + struct torture_context *tctx, + uint32_t negotiate_flags, + struct cli_credentials *machine_credentials, + bool force_client_rc4) +{ + struct netr_ServerReqChallenge r; + struct netr_ServerAuthenticate3 a; + struct netr_Credential netr_creds1 = { + .data = {0}, + }; + struct netr_Credential netr_creds2 = { + .data = {0}, + }; + struct netr_Credential netr_creds3 = { + .data = {0}, + }; + struct netlogon_creds_CredentialState *creds_state = NULL; + struct samr_Password machine_password = { + .hash = {0}, + }; + const char *machine_name = NULL; + const char *plain_pass = NULL; + struct dcerpc_binding_handle *b = NULL; + 
uint32_t rid = 0; + NTSTATUS status; + bool weak_crypto_allowed = + (lpcfg_weak_crypto(tctx->lp_ctx) == + SAMBA_WEAK_CRYPTO_ALLOWED); + + if (p == NULL) { + return false; + } + b = p->binding_handle; + + ZERO_STRUCT(r); + ZERO_STRUCT(a); + + torture_comment(tctx, "client negotiate_flags=0x%08x\n", negotiate_flags); + + machine_name = cli_credentials_get_workstation(machine_credentials); + torture_assert_not_null(tctx, machine_name, "machine name is not set"); + + plain_pass = cli_credentials_get_password(machine_credentials); + torture_assert_not_null(tctx, plain_pass, "plain_pass is not set"); + + + torture_comment(tctx, "Testing ServerReqChallenge\n"); + + r.in.server_name = NULL; + r.in.computer_name = machine_name; + r.in.credentials = &netr_creds1; + r.out.return_credentials = &netr_creds2; + + netlogon_creds_random_challenge(&netr_creds1); + + status = dcerpc_netr_ServerReqChallenge_r(b, tctx, &r); + torture_assert_ntstatus_ok(tctx, -- Samba Shared Repository