CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured

author Stefan Metzmacher <metze@samba.org>

Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)

committer Stefan Metzmacher <metze@samba.org>

Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
author Stefan Metzmacher <metze@samba.org>
Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c

index 152d5b9dbc7cce97ebb06dc8edd723fbfc0b0f13..f362560166153291c65d86a50f5fd5947b91d38c 100644 (file)
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -465,18 +465,15 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
                         char *ca_file = lpcfg_tls_cafile(state, conn->lp_ctx);
                         char *crl_file = lpcfg_tls_crlfile(state, conn->lp_ctx);
                         const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);
                         char *ca_file = lpcfg_tls_cafile(state, conn->lp_ctx);
                         char *crl_file = lpcfg_tls_crlfile(state, conn->lp_ctx);
                         const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);
-                       if (!ca_file || !*ca_file) {
-                               composite_error(result,
-                                               NT_STATUS_INVALID_PARAMETER_MIX);
-                               return result;
-                       }
+                       enum tls_verify_peer_state verify_peer =
+                               lpcfg_tls_verify_peer(conn->lp_ctx);
  
                         status = tstream_tls_params_client(state,
                                                            ca_file,
                                                            crl_file,
                                                            tls_priority,
  
                         status = tstream_tls_params_client(state,
                                                            ca_file,
                                                            crl_file,
                                                            tls_priority,
-                                                          TLS_VERIFY_PEER_NO_CHECK,
-                                                          NULL,
+                                                          verify_peer,
+                                                          conn->host,
                                                            &state->tls_params);
                         if (!NT_STATUS_IS_OK(status)) {
                                 composite_error(result, status);
                                                            &state->tls_params);
                         if (!NT_STATUS_IS_OK(status)) {
                                 composite_error(result, status);
author	Stefan Metzmacher <metze@samba.org>
	Wed, 23 Dec 2015 15:17:04 +0000 (16:17 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)