From 60936dd2c4e82550e31e5f1b6d476d8b10bde687 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 29 Aug 2008 18:05:06 +1000
Subject: Start implementing the server-sde NETLOGON PAC verification.

(This used to be commit 8741e8fee619cccd84f2f10e00426df1d4f34074)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 47 ++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
(limited to 'source4/rpc_server')

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 763e6a327e..5672d29cb2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -488,7 +488,52 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 case NetlogonGenericInformation: {
- /* Until we get enough information for an implemetnation */
+ if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+ creds_arcfour_crypt(creds,
+ r->in.logon.generic->data, r->in.logon.generic->length);
+ } else {
+ /* Using DES to verify kerberos tickets makes no sense */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (strcmp(r->in.logon.generic->package_name.string, "Kerberos")) {
+ struct PAC_Validate pac_validate;
+ DATA_BLOB srv_sig;
+ struct PAC_SIGNATURE_DATA kdc_sig;
+ DATA_BLOB pac_validate_blob = data_blob_const(r->in.logon.generic->data,
+ r->in.logon.generic->length);
+ ndr_err = ndr_pull_struct_blob(&pac_validate_blob, mem_ctx,
+ lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+ &pac_validate,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->MessageType != 3) {
+ /* We don't implement any other message types - such as certificate validation - yet */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (pac_validate->ChecksumAndSignature.length != (pac_validate->ChecksumLength + pac_validate->SignatureLength)
+ || pac_validate->ChecksumAndSignature.length < pac_validate->ChecksumLength
+ || pac_validate->ChecksumAndSignature.length < pac_validate->SignatureLength ) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ srv_sig = data_blob_const(pac_validate->ChecksumAndSignature.data,
+ pac_validate->ChecksumLength);
+
+ kdc_sig.type = pac_validate->SignatureType;
+ kdc_sig.signature = data_blob_const(&pac_validate->ChecksumAndSignature.data[pac_validate->ChecksumLength],
+ pac_validate->SignatureLength);
+ check_pac_checksum(mem_ctx, srv_sig, &kdc_sig,
+ context, keyblock);
+
+
+ }
+
+ /* Until we get an implemetnation of these other packages */
 return NT_STATUS_INVALID_PARAMETER;
 }
 default:
-- cgit
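Review bot: The `strcmp(...)` test that gates the PAC block is inverted — strcmp returns 0 on a match, so the Kerberos branch runs for every package name except "Kerberos"; it should read `if (strcmp(r->in.logon.generic->package_name.string, "Kerberos") == 0) {`, and because package_name.string is not checked for NULL anywhere in the hunk, a NULL guard before the compare is advisable. Inside the block `pac_validate` is declared as a plain `struct PAC_Validate`, yet every later access uses `pac_validate->`; those must become `pac_validate.` (MessageType, ChecksumAndSignature, ChecksumLength, SignatureLength, SignatureType) for the hunk to compile. The status returned by `check_pac_checksum(mem_ctx, srv_sig, &kdc_sig, context, keyblock)` is discarded and the function then unconditionally returns NT_STATUS_INVALID_PARAMETER, so a correctly signed PAC is indistinguishable from a forged one to the caller; the result should be captured and propagated, with the success path returning NT_STATUS_OK once the validation info is populated. The `context` and `keyblock` arguments are not declared within this hunk, so I cannot tell from here where the KDC key comes from; dcesrv_netr_LogonSamLogon_base starts and ends outside the hunk.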