From: Stefan Metzmacher
Date: Wed, 23 Dec 2015 21:12:56 +0000 (+0100)
Subject: CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
X-Git-Tag: talloc-2.1.7~409
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=2362c0353b5c8601eda61875f0fea84c8f76e06d
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
diff --git a/docs-xml/smbdotconf/security/tlsverifypeer.xml b/docs-xml/smbdotconf/security/tlsverifypeer.xml
new file mode 100644
index 00000000000..ce6897d3d93
--- /dev/null
+++ b/docs-xml/smbdotconf/security/tlsverifypeer.xml
@@ -0,0 +1,51 @@ + + + This controls if and how strict the client will verify the peer's certificate and name. + Possible values are (in increasing order): + no_check, + ca_only, + ca_and_name_if_available, + ca_and_name + and + as_strict_as_possible. + + When set to no_check the certificate is not verified at + all, which allows trivial man in the middle attacks. + + + When set to ca_only the certificate is verified to + be signed from a ca specified in the option. + Setting to a valid file is required. + The certificate lifetime is also verified. If the + option is configured, the certificate is also verified against the ca crl. + + + When set to ca_and_name_if_available all checks from + ca_only are performed. In addition, the peer hostname is verified + against the certificate's name, if it is provided by the application layer and + not given as an ip address string. + + + When set to ca_and_name all checks from + ca_and_name_if_available are performed. + In addition the peer hostname needs to be provided and even an ip + address is checked against the certificate's name. + + + When set to as_strict_as_possible all checks from + ca_and_name are performed. In addition the + needs to be configured. + Future versions of Samba may implement additional checks. + + + Note that the default is likely to change from + no_check to as_strict_as_possible + with Samba 4.5. + + +no_check + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 5584d878006..43defc171ff 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2674,6 +2674,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
 lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
+ lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
 lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
 lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index be4881f9249..d8d9144b70c 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -33,6 +33,7 @@
 #include "lib/param/param_global.h"
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
+#include "source4/lib/tls/tls.h"
 #ifndef N_
 #define N_(x) x
@@ -125,6 +126,20 @@ static const struct enum_list enum_smb_signing_vals[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_tls_verify_peer_vals[] = {
+ {TLS_VERIFY_PEER_NO_CHECK,
+ TLS_VERIFY_PEER_NO_CHECK_STRING},
+ {TLS_VERIFY_PEER_CA_ONLY,
+ TLS_VERIFY_PEER_CA_ONLY_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE,
+ TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME,
+ TLS_VERIFY_PEER_CA_AND_NAME_STRING},
+ {TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE,
+ TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING},
+ {-1, NULL}
+};
 /* DNS update options. */
 static const struct enum_list enum_dns_update_settings[] = {
 {DNS_UPDATE_OFF, "disabled"},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 70a29ab7322..a2b1000f9d3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -70,6 +70,7 @@
 #include "dbwrap/dbwrap_rbt.h"
 #include "../lib/util/bitmap.h"
 #include "librpc/gen_ndr/nbt.h"
+#include "source4/lib/tls/tls.h"
 #ifdef HAVE_SYS_SYSCTL_H
 #include 
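Review bot: The added default in `loadparm_init` is the bare literal `"no_check"`, while the same default in `init_globals` (`source3/param/loadparm.c`, later hunk) is the enum constant `TLS_VERIFY_PEER_NO_CHECK` and the new `enum_tls_verify_peer_vals` table in `param_table.c` maps that constant to `TLS_VERIFY_PEER_NO_CHECK_STRING`; if those three ever drift, one loader would presumably fail to parse its own default or land on a different verification level than the other. Since `lib/param/loadparm.c` does not gain the `tls.h` include in this commit, the least that should be done is a comment on the added line, `/* must match TLS_VERIFY_PEER_NO_CHECK_STRING and the init_globals() default in source3/param/loadparm.c */`, or use the `_STRING` macro once the include is available. It is also worth recording next to both defaults that `no_check` disables certificate verification for compatibility with existing deployments and that the man page in this same commit announces a move to `as_strict_as_possible`, so the insecure default reads as deliberate and time-bounded rather than an oversight. `loadparm_init`'s body continues outside the hunk.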
@@ -868,6 +869,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc spoolss drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 Globals.tls_enabled = true;
+ Globals.tls_verify_peer = TLS_VERIFY_PEER_NO_CHECK;
 lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
 lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");