2 Unix SMB/CIFS mplementation.
3 Helper functions for applying replicated objects
5 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "../lib/util/dlinklist.h"
24 #include "librpc/gen_ndr/ndr_misc.h"
25 #include "librpc/gen_ndr/ndr_drsuapi.h"
26 #include "librpc/gen_ndr/ndr_drsblobs.h"
27 #include "../lib/crypto/crypto.h"
28 #include "../libcli/drsuapi/drsuapi.h"
29 #include "libcli/auth/libcli_auth.h"
31 WERROR
drsuapi_decrypt_attribute_value(TALLOC_CTX
*mem_ctx
,
32 const DATA_BLOB
*gensec_skey
,
41 struct MD5Context md5
;
49 DATA_BLOB checked_buffer
;
51 DATA_BLOB plain_buffer
;
54 * users with rid == 0 should not exist
56 if (rid_crypt
&& rid
== 0) {
57 return WERR_DS_DRA_INVALID_PARAMETER
;
61 * the first 16 bytes at the beginning are the confounder
62 * followed by the 4 byte crc32 checksum
64 if (in
->length
< 20) {
65 return WERR_DS_DRA_INVALID_PARAMETER
;
67 confounder
= data_blob_const(in
->data
, 16);
68 enc_buffer
= data_blob_const(in
->data
+ 16, in
->length
- 16);
71 * build the encryption key md5 over the session key followed
74 * here the gensec session key is used and
75 * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
77 enc_key
= data_blob_const(_enc_key
, sizeof(_enc_key
));
79 MD5Update(&md5
, gensec_skey
->data
, gensec_skey
->length
);
80 MD5Update(&md5
, confounder
.data
, confounder
.length
);
81 MD5Final(enc_key
.data
, &md5
);
84 * copy the encrypted buffer part and
85 * decrypt it using the created encryption key using arcfour
87 dec_buffer
= data_blob_const(enc_buffer
.data
, enc_buffer
.length
);
88 arcfour_crypt_blob(dec_buffer
.data
, dec_buffer
.length
, &enc_key
);
91 * the first 4 byte are the crc32 checksum
92 * of the remaining bytes
94 crc32_given
= IVAL(dec_buffer
.data
, 0);
95 crc32_calc
= crc32_calc_buffer(dec_buffer
.data
+ 4 , dec_buffer
.length
- 4);
96 if (crc32_given
!= crc32_calc
) {
97 return WERR_SEC_E_DECRYPT_FAILURE
;
99 checked_buffer
= data_blob_const(dec_buffer
.data
+ 4, dec_buffer
.length
- 4);
101 plain_buffer
= data_blob_talloc(mem_ctx
, checked_buffer
.data
, checked_buffer
.length
);
102 W_ERROR_HAVE_NO_MEMORY(plain_buffer
.data
);
105 * The following rid_crypt obfuscation isn't session specific
106 * and not really needed here, because we allways know the rid of the
109 * some attributes with this 'additional encryption' include
110 * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
112 * But for the rest of samba it's easier when we remove this static
116 uint32_t i
, num_hashes
;
118 if ((checked_buffer
.length
% 16) != 0) {
119 return WERR_DS_DRA_INVALID_PARAMETER
;
122 num_hashes
= plain_buffer
.length
/ 16;
123 for (i
= 0; i
< num_hashes
; i
++) {
124 uint32_t offset
= i
* 16;
125 sam_rid_crypt(rid
, checked_buffer
.data
+ offset
, plain_buffer
.data
+ offset
, 0);
133 WERROR
drsuapi_decrypt_attribute(TALLOC_CTX
*mem_ctx
,
134 const DATA_BLOB
*gensec_skey
,
136 struct drsuapi_DsReplicaAttribute
*attr
)
140 DATA_BLOB plain_data
;
141 bool rid_crypt
= false;
143 if (attr
->value_ctr
.num_values
== 0) {
147 switch (attr
->attid
) {
148 case DRSUAPI_ATTRIBUTE_dBCSPwd
:
149 case DRSUAPI_ATTRIBUTE_unicodePwd
:
150 case DRSUAPI_ATTRIBUTE_ntPwdHistory
:
151 case DRSUAPI_ATTRIBUTE_lmPwdHistory
:
154 case DRSUAPI_ATTRIBUTE_supplementalCredentials
:
155 case DRSUAPI_ATTRIBUTE_priorValue
:
156 case DRSUAPI_ATTRIBUTE_currentValue
:
157 case DRSUAPI_ATTRIBUTE_trustAuthOutgoing
:
158 case DRSUAPI_ATTRIBUTE_trustAuthIncoming
:
159 case DRSUAPI_ATTRIBUTE_initialAuthOutgoing
:
160 case DRSUAPI_ATTRIBUTE_initialAuthIncoming
:
166 if (attr
->value_ctr
.num_values
> 1) {
167 return WERR_DS_DRA_INVALID_PARAMETER
;
170 if (!attr
->value_ctr
.values
[0].blob
) {
171 return WERR_DS_DRA_INVALID_PARAMETER
;
174 enc_data
= attr
->value_ctr
.values
[0].blob
;
176 status
= drsuapi_decrypt_attribute_value(mem_ctx
,
182 W_ERROR_NOT_OK_RETURN(status
);
184 talloc_free(attr
->value_ctr
.values
[0].blob
->data
);
185 *attr
->value_ctr
.values
[0].blob
= plain_data
;