CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
authorStefan Metzmacher <metze@samba.org>
Wed, 16 Mar 2016 14:07:36 +0000 (15:07 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 12 Apr 2016 17:25:25 +0000 (19:25 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
selftest/knownfail
source4/selftest/tests.py

index 84859490fd4ca8a38bfe271a793c78e69c1b3b9c..5e281436eb78f55b731dbc2c67ffb59b831b72fc 100644 (file)
 ^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
 ^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc    # ldap server require strong auth = yes
 ^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc     # ldap server require strong auth = yes
+# These are supposed to fail as we want to verify the "tls verify peer"
+# restrictions. Note that fl2008r2dc uses a self-signed certificate
+# with does not have a crl file.
+#
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
+^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
+^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc
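Review bot: The new comment block reads `# with does not have a crl file.` where "which" is meant; `# which does not have a CRL file.` reads correctly. It would also help the next reader if the comment said that the first five patterns carry no environment suffix and therefore mark the name-mismatch cases as expected failures in every environment the suite is planted for, while only the last one is specific to fl2008r2dc — presumably because the self-signed certificate there fails only the CRL requirement of as_strict_as_possible, which is worth stating if that is the reason.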
index 64347b53899b2b74a3d36ea03866050beba381e5..75bb5581b7cdf1d3f8fe8bc96fe1f4cace37e96b 100755 (executable)
@@ -74,6 +74,33 @@ if have_tls_support:
         plantestsuite("samba4.ldb.ldaps with options %s(ad_dc_ntvfs)" % options, "ad_dc_ntvfs",
                 "%s/test_ldb.sh ldaps $SERVER_IP %s" % (bbdir, options))
 
+    creds_options = [
+        '--simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD',
+    ]
+    peer_options = {
+        'SERVER_IP': '$SERVER_IP',
+        'SERVER_NAME': '$SERVER',
+        'SERVER.REALM': '$SERVER.$REALM',
+    }
+    tls_verify_options = [
+        '--option="tlsverifypeer=no_check"',
+        '--option="tlsverifypeer=ca_only"',
+        '--option="tlsverifypeer=ca_and_name_if_available"',
+        '--option="tlsverifypeer=ca_and_name"',
+        '--option="tlsverifypeer=as_strict_as_possible"',
+    ]
+
+    # we use :local for fl2008r2dc because of the self-signed certificate
+    for env in ["ad_dc_ntvfs", "fl2008r2dc:local"]:
+        for peer_key in peer_options.keys():
+            peer_val = peer_options[peer_key]
+            for creds in creds_options:
+                for tls_verify in tls_verify_options:
+                    options = creds + ' ' + tls_verify
+                    plantestsuite("samba4.ldb.simple.ldaps with options %s %s(%s)" % (
+                                  peer_key, options, env), env,
+                                  "%s/test_ldb_simple.sh ldaps %s %s" % (bbdir, peer_val, options))
+
 # test all "ldap server require strong auth" combinations
 for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
     options = '--simple-bind-dn="$USERNAME@$REALM" --password="$PASSWORD"'
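Review bot: The loop header at `for peer_key in peer_options.keys():` followed by `peer_val = peer_options[peer_key]` iterates a dict in interpreter-defined order, so the order of the generated test suites is not guaranteed stable across runs or Python versions; `for peer_key, peer_val in sorted(peer_options.items()):` makes the matrix deterministic and drops the manual lookup. The single entry in `creds_options` is unquoted (`--simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD`) while the existing loop below the new block quotes both values (`--simple-bind-dn="$USERNAME@$REALM" --password="$PASSWORD"`); if the variables are expanded before the shell splits the command line, a password containing whitespace or metacharacters would behave differently in the two suites, so the new entry should probably follow the existing quoting. The comment `# we use :local for fl2008r2dc because of the self-signed certificate` names the cause but not the effect; if the intent is that the client then runs with the server's own configuration and trusts that certificate as its CA, saying so would explain why only the as_strict_as_possible case is expected to fail there. The enclosing `if have_tls_support:` block starts before this hunk.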