[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Dec 24 05:19:03 MST 2013


The branch, master has been updated
       via  e6afeae libcli/auth: try to use the current timestamp creds->sequence
       via  636daac libcli/auth: remove bogus comment regarding replay attacks
       via  202bcf9 libcli/auth: set the return_authenticator->timestamp = 0
      from  819e1f5 selftest: add rodc and other env tests for wbinfo

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e6afeae69537f55ed187b28b60ad29b9e237ec6e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 17 19:55:12 2013 +0100

    libcli/auth: try to use the current timestamp creds->sequence
    
    If the last usage of netlogon_creds_client_authenticator()
    is in the past try to use the current timestamp and increment
    more than just 2.
    
    If we use netlogon_creds_client_authenticator() a lot within a
    second, we increment keep incrementing by 2.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104

commit 636daac3b7b08ccb8845dab060157918d296ef67
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 17 19:40:15 2013 +0100

    libcli/auth: remove bogus comment regarding replay attacks
    
    creds->sequence (timestamp) is the value that is used to increment the internal
    state, it's not a real sequence number. The sequence comes
    from adding all timestamps of the whole session.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 202bcf9096e53d94b294936d6144ae77f1536b72
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 17 19:35:37 2013 +0100

    libcli/auth: set the return_authenticator->timestamp = 0
    
    This is what windows returns, the value is ignored by the client anyway.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/credentials.c |   26 +++++++++++++++++++++++---
 1 files changed, 23 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 1f664d3..f52538a 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
 void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
 				struct netr_Authenticator *next)
 {
+	uint32_t t32n = (uint32_t)time(NULL);
+
+	/*
+	 * we always increment and ignore an overflow here
+	 */
 	creds->sequence += 2;
+
+	if (t32n > creds->sequence) {
+		/*
+		 * we may increment more
+		 */
+		creds->sequence = t32n;
+	} else {
+		uint32_t d = creds->sequence - t32n;
+
+		if (d >= INT32_MAX) {
+			/*
+			 * got an overflow of time_t vs. uint32_t
+			 */
+			creds->sequence = t32n;
+		}
+	}
+
 	netlogon_creds_step(creds);
 
 	next->cred = creds->client;
@@ -473,13 +495,11 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* TODO: this may allow the a replay attack on a non-signed
-	   connection. Should we check that this is increasing? */
 	creds->sequence = received_authenticator->timestamp;
 	netlogon_creds_step(creds);
 	if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
 		return_authenticator->cred = creds->server;
-		return_authenticator->timestamp = creds->sequence;
+		return_authenticator->timestamp = 0;
 		return NT_STATUS_OK;
 	} else {
 		ZERO_STRUCTP(return_authenticator);


-- 
Samba Shared Repository


More information about the samba-cvs mailing list