authorStefan Metzmacher <metze@samba.org>2015-12-23 22:12:56 +0100
committerStefan Metzmacher <metze@samba.org>2016-04-12 19:25:25 +0200
commit2362c0353b5c8601eda61875f0fea84c8f76e06d (patch)
treeb981c227a5d4132482f47317f3da54cfc9f437fd /lib/param
parent64a9cd2a38d8a9503560524f5a6feea25651f11c (diff)
CVE-2016-2113: docs-xml: add "tls verify peer" option defaulting to "no_check"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'lib/param')
-rw-r--r--lib/param/loadparm.c1
-rw-r--r--lib/param/param_table.c15
2 files changed, 16 insertions, 0 deletions
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5584d878006..43defc171ff 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2674,6 +2674,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "min wins ttl", "21600");
lpcfg_do_global_parameter(lp_ctx, "tls enabled", "True");
+ lpcfg_do_global_parameter(lp_ctx, "tls verify peer", "no_check");
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
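Review bot: The new default on the added line is "no_check", which is the least strict member of the enum table this same commit introduces in param_table.c, and nothing next to the line records that this is a deliberate compatibility choice rather than the recommended setting; a one-line comment would stop a later reader from treating it as the secure default, e.g. `/* "no_check" preserves pre-existing behaviour; the stricter values are described under "tls verify peer" in the docs-xml added by this change. */`. The literal "no_check" also duplicates TLS_VERIFY_PEER_NO_CHECK_STRING, which the other hunk pulls in from source4/lib/tls/tls.h; if loadparm.c can include that header, `lpcfg_do_global_parameter(lp_ctx, "tls verify peer", TLS_VERIFY_PEER_NO_CHECK_STRING);` keeps the default and the enum table from drifting apart. loadparm_init's body starts and ends outside the hunk.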
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index be4881f9249..d8d9144b70c 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -33,6 +33,7 @@
#include "lib/param/param_global.h"
#include "libcli/smb/smb_constants.h"
#include "libds/common/roles.h"
+#include "source4/lib/tls/tls.h"
#ifndef N_
#define N_(x) x
@@ -125,6 +126,20 @@ static const struct enum_list enum_smb_signing_vals[] = {
{-1, NULL}
};
+static const struct enum_list enum_tls_verify_peer_vals[] = {
+ {TLS_VERIFY_PEER_NO_CHECK,
+ TLS_VERIFY_PEER_NO_CHECK_STRING},
+ {TLS_VERIFY_PEER_CA_ONLY,
+ TLS_VERIFY_PEER_CA_ONLY_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE,
+ TLS_VERIFY_PEER_CA_AND_NAME_IF_AVAILABLE_STRING},
+ {TLS_VERIFY_PEER_CA_AND_NAME,
+ TLS_VERIFY_PEER_CA_AND_NAME_STRING},
+ {TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE,
+ TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE_STRING},
+ {-1, NULL}
+};
+
/* DNS update options. */
static const struct enum_list enum_dns_update_settings[] = {
{DNS_UPDATE_OFF, "disabled"},
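Review bot: The new enum_tls_verify_peer_vals table has no heading comment, unlike the neighbouring `/* DNS update options. */` and the other tables in this file; something like `/* "tls verify peer" values, listed from least to most strict. */` above the definition would match the file's convention and make the apparent ordering explicit. Nothing in this commit references the new `static const` table, so presumably the parameter entry that uses it comes from the generated table built out of docs-xml; if that is not the case the definition would be an unused static, which is worth confirming when the change lands. The table's string side relies entirely on the TLS_VERIFY_PEER_*_STRING macros from the newly included source4/lib/tls/tls.h, so the values users can write in smb.conf are defined in that header rather than here.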