sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-26 21:57:41 +03:00
Code

CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2016-03-16 15:07:36 +01:00
parent 45ff760cf3
commit 942e4ed851
2 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
selftest/knownfail
View File

@ -307,3 +307,13 @@
^samba4.ldb.simple.ldap with SIMPLE-BIND.*ad_dc_ntvfs # ldap server require strong auth = allow_sasl_over_tls
^samba4.ldb.simple.ldap with SIMPLE-BIND.*fl2003dc # ldap server require strong auth = yes
^samba4.ldb.simple.ldaps with SASL-BIND.*fl2003dc # ldap server require strong auth = yes
# These are supposed to fail as we want to verify the "tls verify peer"
# restrictions. Note that fl2008r2dc uses a self-signed certificate
# with does not have a crl file.
#
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name_if_available\(
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=ca_and_name\(
^samba4.ldb.simple.ldaps.*SERVER_NAME.*tlsverifypeer=as_strict_as_possible\(
^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=ca_and_name\(
^samba4.ldb.simple.ldaps.*SERVER_IP.*tlsverifypeer=as_strict_as_possible\(
^samba4.ldb.simple.ldaps.*SERVER.REALM.*tlsverifypeer=as_strict_as_possible.*fl2008r2dc

27
source4/selftest/tests.py
View File

@ -74,6 +74,33 @@ if have_tls_support:
plantestsuite("samba4.ldb.ldaps with options %s(ad_dc_ntvfs)" % options, "ad_dc_ntvfs",
"%s/test_ldb.sh ldaps $SERVER_IP %s" % (bbdir, options))
creds_options = [
'--simple-bind-dn=$USERNAME@$REALM --password=$PASSWORD',
]
peer_options = {
'SERVER_IP': '$SERVER_IP',
'SERVER_NAME': '$SERVER',
'SERVER.REALM': '$SERVER.$REALM',
}
tls_verify_options = [
'--option="tlsverifypeer=no_check"',
'--option="tlsverifypeer=ca_only"',
'--option="tlsverifypeer=ca_and_name_if_available"',
'--option="tlsverifypeer=ca_and_name"',
'--option="tlsverifypeer=as_strict_as_possible"',
]
# we use :local for fl2008r2dc because of the self-signed certificate
for env in ["ad_dc_ntvfs", "fl2008r2dc:local"]:
for peer_key in peer_options.keys():
peer_val = peer_options[peer_key]
for creds in creds_options:
for tls_verify in tls_verify_options:
options = creds + ' ' + tls_verify
plantestsuite("samba4.ldb.simple.ldaps with options %s %s(%s)" % (
peer_key, options, env), env,
"%s/test_ldb_simple.sh ldaps %s %s" % (bbdir, peer_val, options))
# test all "ldap server require strong auth" combinations
for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
options = '--simple-bind-dn="$USERNAME@$REALM" --password="$PASSWORD"'