From 3a730923903c6ede0f8e58428eb36d8c25142b62 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 23 Dec 2015 16:17:04 +0100
Subject: [PATCH] CVE-2016-2113: s4:libcli/ldap: verify the server certificate and hostname if configured
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752
Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
---
source4/libcli/ldap/ldap_client.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index f585abded56..817863a3449 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -465,18 +465,15 @@ _PUBLIC_ struct composite_context *ldap_connect_send(struct ldap_connection *con
 char *ca_file = lpcfg_tls_cafile(state, conn->lp_ctx);
 char *crl_file = lpcfg_tls_crlfile(state, conn->lp_ctx);
 const char *tls_priority = lpcfg_tls_priority(conn->lp_ctx);
- if (!ca_file || !*ca_file) {
- composite_error(result,
- NT_STATUS_INVALID_PARAMETER_MIX);
- return result;
- }
+ enum tls_verify_peer_state verify_peer =
+ lpcfg_tls_verify_peer(conn->lp_ctx);
 status = tstream_tls_params_client(state,
 ca_file,
 crl_file,
 tls_priority,
- TLS_VERIFY_PEER_NO_CHECK,
- NULL,
+ verify_peer,
+ conn->host,
 &state->tls_params);
 if (!NT_STATUS_IS_OK(status)) {
 composite_error(result, status);
-- 
2.47.2
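Review bot: The explicit rejection of an empty `ca_file` is dropped here, so the new code relies on `tstream_tls_params_client()` to refuse a missing CA file whenever `verify_peer` is a mode that needs one; that function is outside this hunk and a reader cannot see that check from here, so a comment at the call site would pin the contract, e.g. `/* CA/CRL presence is validated by tstream_tls_params_client() according to verify_peer */` (adjust if the check actually lives elsewhere). Passing `conn->host` as the peer name makes hostname verification only as strong as what that field holds — an IP literal or a non-canonical alias would presumably not match the certificate's DNS name — so the same comment should state what the caller is expected to put in `conn->host`. The enclosing `ldap_connect_send` begins and ends outside the hunk.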