summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-08-29 18:05:06 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-08-29 18:05:06 +1000
commit60936dd2c4e82550e31e5f1b6d476d8b10bde687 (patch)
tree2eb5c7239b97d081d6a49ccb5bf3a45d590cc54f
parent81dcc99e9acb9a7e4c2358e5e44998e4718dc658 (diff)
downloadsamba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.tar.gz
samba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.tar.bz2
samba-60936dd2c4e82550e31e5f1b6d476d8b10bde687.zip
Start implementing the server-sde NETLOGON PAC verification.
(This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074)
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c47
1 files changed, 46 insertions, 1 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 763e6a327e..5672d29cb2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -488,7 +488,52 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
case NetlogonGenericInformation:
{
- /* Until we get enough information for an implemetnation */
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
+ r->in.logon.generic->data, r->in.logon.generic->length);
+ } else {
+ /* Using DES to verify kerberos tickets makes no sense */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) {
+ struct PAC_Validate pac_validate;
+ DATA_BLOB srv_sig;
+ struct PAC_SIGNATURE_DATA kdc_sig;
+ DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data,
+ r->in.logon.generic->length);
+ ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx,
+ lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+ &pac_validate,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->MessageType != 3) {
+ /* We don't implement any other message types - such as certificate validation - yet */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength)
+ || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength
+ || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data,
+ pac_validate->ChecksumLength);
+
+ kdc_sig.type = pac_validate->SignatureType;
+ kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength],
+ pac_validate->SignatureLength);
+ check_pac_checksum(mem_ctx, srv_sig, &kdc_sig,
+ context, keyblock);
+
+
+ }
+
+ /* Until we get an implemetnation of these other packages */
return NT_STATUS_INVALID_PARAMETER;
}
default: