CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
authorStefan Metzmacher <metze@samba.org>
Wed, 23 Dec 2015 21:12:56 +0000 (22:12 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
docs-xml/smbdotconf/security/tlsverifypeer.xml [new file with mode: 0644]
lib/param/loadparm.c
lib/param/param_table.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
new file mode 100644 (file)
index 0000000..ce6897d
--- /dev/null
@@ -0,0 +1,51 @@
+<samba:parameter name="tls verify peer"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_tls_verify_peer_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This controls if and how strict the client will verify the peer's certificate and name.
+       Possible values are (in increasing order):
+       <constant>no_check</constant>,
+       <constant>ca_only</constant>,
+       <constant>ca_and_name_if_available</constant>,
+       <constant>ca_and_name</constant>
+       and
+       <constant>as_strict_as_possible</constant>.</para>
+
+       <para>When set to <constant>no_check</constant> the certificate is not verified at
+       all, which allows trivial man in the middle attacks.
+       </para>
+
+       <para>When set to <constant>ca_only</constant> the certificate is verified to
+       be signed from a ca specified in the <smbconfoption name="tls ca file"/> option.
+       Setting <smbconfoption name="tls ca file"/> to a valid file is required.
+       The certificate lifetime is also verified. If the <smbconfoption name="tls crl file"/>
+       option is configured, the certificate is also verified against the ca crl.
+       </para>
+
+       <para>When set to <constant>ca_and_name_if_available</constant> all checks from
+       <constant>ca_only</constant> are performed. In addition, the peer hostname is verified
+       against the certificate's name, if it is provided by the application layer and
+       not given as an ip address string.
+       </para>
+
+       <para>When set to <constant>ca_and_name</constant> all checks from
+       <constant>ca_and_name_if_available</constant> are performed.
+       In addition the peer hostname needs to be provided and even an ip
+       address is checked against the certificate's name.
+       </para>
+
+       <para>When set to <constant>as_strict_as_possible</constant> all checks from
+       <constant>ca_and_name</constant> are performed. In addition the
+       <smbconfoption name="tls crl file"/> needs to be configured.
+       Future versions of Samba may implement additional checks.
+       </para>
+
+       <para>Note that the default is likely to change from
+       <constant>no_check</constant> to <constant>as_strict_as_possible</constant>
+       with Samba 4.5.</para>
+</description>
+
+<value type="default">no_check</value>
+</samba:parameter>
index 5584d878006b47f16d8b6ccacba4d1b42fd2a2f8..43defc171ff3c5e4cbec810659b471b75c7e1917 100644 (file)
@@ -2674,6 +2674,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
 
        lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
+       lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
        lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
        lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
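Review bot: The default for "tls verify peer" is now stated in three places that must agree — the literal `"no_check"` on the added line here, `TLS_VERIFY_PEER_NO_CHECK` in the source3/param/loadparm.c init_globals hunk, and `<value type="default">no_check</value>` in the new XML — and nothing in the commit ties them together. Since param_table.c maps the enum through `TLS_VERIFY_PEER_NO_CHECK_STRING`, the string here could be written as that macro so that the planned change of default (the XML says as_strict_as_possible is expected with 4.5) cannot leave one site behind; that would presumably need the same `source4/lib/tls/tls.h` include the commit adds to the other two files, which is not visible for this file. At minimum a comment such as `/* deliberately permissive for compatibility; keep in sync with source3 init_globals and tlsverifypeer.xml */` would record that the weak default is a decision rather than an oversight. loadparm_init starts and ends outside the hunk.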
index be4881f9249b73185140a4f9041cebea63f32708..d8d9144b70cf3bac68f8c874578453cd32035d26 100644 (file)
@@ -33,6 +33,7 @@
 #include "lib/param/param_global.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
+#include "source4/lib/tls/tls.h"
 
 #ifndef N_
 #define N_(x) x
@@ -125,6 +126,20 @@ static const struct enum_list enum_smb_signing_vals[] = {
        {-1, NULL}
 };
 
+static const struct enum_list enum_tls_verify_peer_vals[] = {
+       {TLS_VERIFY_PEER_NO_CHECK,
+        TLS_VERIFY_PEER_NO_CHECK_STRING},
+       {TLS_VERIFY_PEER_CA_ONLY,
+        TLS_VERIFY_PEER_CA_ONLY_STRING},
+       {TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE,
+        TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING},
+       {TLS_VERIFY_PEER_CA_AND_NAME,
+        TLS_VERIFY_PEER_CA_AND_NAME_STRING},
+       {TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE,
+        TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING},
+       {-1, NULL}
+};
+
 /* DNS update options. */
 static const struct enum_list enum_dns_update_settings[] = {
        {DNS_UPDATE_OFF, "disabled"},
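Review bot: The new `enum_tls_verify_peer_vals` table has no header comment, whereas the neighbouring `enum_dns_update_settings` table is introduced by `/* DNS update options. */`; a matching one-liner, `/* "tls verify peer" levels, weakest first (names from source4/lib/tls/tls.h). */`, would keep the file's convention and record that the entries are listed in the increasing-strictness order the parameter documentation describes. The five entries and the `{-1, NULL}` terminator match the values the XML documents, so table and docs agree as written.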
index 70a29ab73222f4cce48f363f0e453fac1ae501ad..a2b1000f9d3f3a9ff9fe537e049f18f206f8a0c8 100644 (file)
@@ -70,6 +70,7 @@
 #include "dbwrap/dbwrap_rbt.h"
 #include "../lib/util/bitmap.h"
 #include "librpc/gen_ndr/nbt.h"
+#include "source4/lib/tls/tls.h"
 
 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
@@ -868,6 +869,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 
        Globals.tls_enabled = true;
+       Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
 
        lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
        lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");