author | Andrew Bartlett <abartlet@samba.org> | 2008-08-29 18:05:06 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-08-29 18:05:06 +1000 |
commit | 60936dd2c4e82550e31e5f1b6d476d8b10bde687 (patch) | |
tree | 2eb5c7239b97d081d6a49ccb5bf3a45d590cc54f | |
parent | 81dcc99e9acb9a7e4c2358e5e44998e4718dc658 (diff) | |
download | samba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.tar.gz samba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.tar.bz2 samba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.zip |
Start implementing the server-side NETLOGON PAC verification.
(This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074)
-rw-r--r-- | source4/rpc_server/netlogon/dcerpc_netlogon.c | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 763e6a327e..5672d29cb2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -488,7 +488,52 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 case NetlogonGenericInformation: {
- /* Until we get enough information for an implemetnation */
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
+ r->in.logon.generic->data, r->in.logon.generic->length);
+ } else {
+ /* Using DES to verify kerberos tickets makes no sense */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) {
+ struct PAC_Validate pac_validate;
+ DATA_BLOB srv_sig;
+ struct PAC_SIGNATURE_DATA kdc_sig;
+ DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data,
+ r->in.logon.generic->length);
+ ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx,
+ lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+ &pac_validate,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->MessageType != 3) {
+ /* We don't implement any other message types - such as certificate validation - yet */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength)
+ || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength
+ || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data,
+ pac_validate->ChecksumLength);
+
+ kdc_sig.type = pac_validate->SignatureType;
+ kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength],
+ pac_validate->SignatureLength);
+ check_pac_checksum(mem_ctx, srv_sig, &kdc_sig,
+ context, keyblock);
+
+
+ }
+
+ /* Until we get an implemetnation of these other packages */
 return NT_STATUS_INVALID_PARAMETER;
 }
 default:
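Review bot: The Kerberos branch is entered when the package name is *not* "Kerberos", because `strcmp` returns 0 on a match; the condition should read `if (strcmp(r->in.logon.generic->package_name.string, "Kerberos") == 0) {`, otherwise non-Kerberos generic logons are parsed as a PAC_Validate while real Kerberos requests skip the check entirely. Inside that branch `pac_validate` is declared as `struct PAC_Validate pac_validate;` and filled through `&pac_validate`, yet every later access uses `pac_validate->...`; those must become `pac_validate.MessageType`, `pac_validate.ChecksumAndSignature` and so on (or the variable must be a pointer), since as written this does not compile. The result of `check_pac_checksum(mem_ctx, srv_sig, &kdc_sig, context, keyblock)` is also discarded and control falls through to `return NT_STATUS_INVALID_PARAMETER`, so a failed and a successful verification are indistinguishable to the caller; the returned status should be captured and propagated, and if the success path is deliberately unfinished a comment saying so belongs next to the call. `context` and `keyblock` are not declared within the hunk, so I assume they come from earlier in dcesrv_netr_LogonSamLogon_base, whose body starts before and continues after this hunk.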