From 9f2e81ae02549369db49c05edf7071612a03a8b8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 24 Apr 2013 12:33:28 +0200 Subject: libcli/auth: maintain the sequence number for the NETLOGON SSP as 64bit See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- libcli/auth/schannel.h | 2 +- libcli/auth/schannel_sign.c | 17 +++++++++++++---- source3/librpc/rpc/dcerpc_helpers.c | 4 ++-- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h index bfccd950b6..271b5bb6ba 100644 --- a/libcli/auth/schannel.h +++ b/libcli/auth/schannel.h @@ -30,7 +30,7 @@ enum schannel_position { struct schannel_state { enum schannel_position state; - uint32_t seq_num; + uint64_t seq_num; bool initiator; struct netlogon_creds_CredentialState *creds; }; diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c index 1871da256b..6e5d4544af 100644 --- a/libcli/auth/schannel_sign.c +++ b/libcli/auth/schannel_sign.c @@ -24,6 +24,17 @@ #include "../libcli/auth/schannel.h" #include "../lib/crypto/crypto.h" +#define SETUP_SEQNUM(state, buf, initiator) do { \ + uint8_t *_buf = buf; \ + uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \ + uint32_t _seq_num_high = (state)->seq_num >> 32; \ + if (initiator) { \ + _seq_num_high |= 0x80000000; \ + } \ + RSIVAL(_buf, 0, _seq_num_low); \ + RSIVAL(_buf, 4, _seq_num_high); \ +} while(0) + static void netsec_offset_and_sizes(struct schannel_state *state, bool do_seal, uint32_t *_min_sig_size, @@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state, confounder = NULL; } - RSIVAL(seq_num, 0, state->seq_num); - SIVAL(seq_num, 4, state->initiator?0:0x80); + SETUP_SEQNUM(state, seq_num, !state->initiator); if (do_unseal) { netsec_do_seal(state, seq_num, @@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state, &checksum_length, &confounder_ofs); - RSIVAL(seq_num, 0, state->seq_num); - SIVAL(seq_num, 4, state->initiator?0x80:0); + SETUP_SEQNUM(state, seq_num, state->initiator); if (do_seal) { confounder = _confounder; diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index d36c2da383..c99ca327d1 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -458,8 +458,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas, return NT_STATUS_INVALID_PARAMETER; } - DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n", - sas->seq_num)); + DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n", + (unsigned long long)sas->seq_num)); switch (auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: -- cgit