libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit
authorStefan Metzmacher <metze@samba.org>
Wed, 24 Apr 2013 10:33:28 +0000 (12:33 +0200)
committerStefan Metzmacher <metze@samba.org>
Sat, 10 Aug 2013 07:18:56 +0000 (09:18 +0200)
See [MS-NRPC] 3.3.4.2 The Netlogon Signature Token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/schannel.h
libcli/auth/schannel_sign.c
source3/librpc/rpc/dcerpc_helpers.c

index bfccd950b6c92a8243c8d91ee25ab7eeb32d0a9d..271b5bb6ba5c8eabfc82fc969c4f7c4c64358ea3 100644 (file)
@@ -30,7 +30,7 @@ enum schannel_position {
 
 struct schannel_state {
        enum schannel_position state;
-       uint32_t seq_num;
+       uint64_t seq_num;
        bool initiator;
        struct netlogon_creds_CredentialState *creds;
 };
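Review bot: The widened `seq_num` field carries no comment about how it is consumed, and the struct is the only place a reader of the header can learn that. A one-line comment on the field would spare them a trip into schannel_sign.c, for example `uint64_t seq_num; /* Netlogon signature token sequence number, split into two 32-bit halves on the wire ([MS-NRPC] 3.3.4.2) */`. The header hunk shows only the struct, so the enclosing declarations start and end outside it.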
index 1871da256b91a2426acfec95f58326062cd11697..6e5d4544afe7eb080dadbb16ef3612a82a212663 100644 (file)
 #include "../libcli/auth/schannel.h"
 #include "../lib/crypto/crypto.h"
 
+#define SETUP_SEQNUM(state, buf, initiator) do { \
+       uint8_t *_buf = buf; \
+       uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
+       uint32_t _seq_num_high = (state)->seq_num >> 32; \
+       if (initiator) { \
+               _seq_num_high |= 0x80000000; \
+       } \
+       RSIVAL(_buf, 0, _seq_num_low); \
+       RSIVAL(_buf, 4, _seq_num_high); \
+} while(0)
+
 static void netsec_offset_and_sizes(struct schannel_state *state,
                                    bool do_seal,
                                    uint32_t *_min_sig_size,
@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
                confounder = NULL;
        }
 
-       RSIVAL(seq_num, 0, state->seq_num);
-       SIVAL(seq_num, 4, state->initiator?0:0x80);
+       SETUP_SEQNUM(state, seq_num, !state->initiator);
 
        if (do_unseal) {
                netsec_do_seal(state, seq_num,
@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
                                &checksum_length,
                                &confounder_ofs);
 
-       RSIVAL(seq_num, 0, state->seq_num);
-       SIVAL(seq_num, 4, state->initiator?0x80:0);
+       SETUP_SEQNUM(state, seq_num, state->initiator);
 
        if (do_seal) {
                confounder = _confounder;
index d36c2da3838fa931498c3aa3b00af58c5f099da0..c99ca327d12e44f584d025eb0077354821795977 100644 (file)
@@ -458,8 +458,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
-                       sas->seq_num));
+       DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
+                 (unsigned long long)sas->seq_num));
 
        switch (auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY: