libcli/drsuapi/repl_decrypt.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Helper functions for applying replicated objects
   4
   5    Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20
  21 */
  22
  23 #include "includes.h"
  24 #include "../lib/util/dlinklist.h"
  25 #include "librpc/gen_ndr/ndr_misc.h"
  26 #include "librpc/gen_ndr/ndr_drsuapi.h"
  27 #include "librpc/gen_ndr/ndr_drsblobs.h"
  28 #include "../lib/crypto/md5.h"
  29 #include "../lib/crypto/arcfour.h"
  30 #include "zlib.h"
  31 #include "../libcli/drsuapi/drsuapi.h"
  32 #include "libcli/auth/libcli_auth.h"
  33 #include "dsdb/samdb/samdb.h"
  34
  35 WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
  36                                        const DATA_BLOB *gensec_skey,
  37                                        bool rid_crypt,
  38                                        uint32_t rid,
  39                                        DATA_BLOB *in,
  40                                        DATA_BLOB *out)
  41 {
  42         DATA_BLOB confounder;
  43         DATA_BLOB enc_buffer;
  44
  45         MD5_CTX md5;
  46         uint8_t _enc_key[16];
  47         DATA_BLOB enc_key;
  48
  49         DATA_BLOB dec_buffer;
  50
  51         uint32_t crc32_given;
  52         uint32_t crc32_calc;
  53         DATA_BLOB checked_buffer;
  54
  55         DATA_BLOB plain_buffer;
  56
  57         /*
  58          * users with rid == 0 should not exist
  59          */
  60         if (rid_crypt && rid == 0) {
  61                 return WERR_DS_DRA_INVALID_PARAMETER;
  62         }
  63
  64         /*
  65          * the first 16 bytes at the beginning are the confounder
  66          * followed by the 4 byte crc32 checksum
  67          */
  68         if (in->length < 20) {
  69                 return WERR_DS_DRA_INVALID_PARAMETER;
  70         }
  71         confounder = data_blob_const(in->data, 16);
  72         enc_buffer = data_blob_const(in->data + 16, in->length - 16);
  73
  74         /*
  75          * build the encryption key md5 over the session key followed
  76          * by the confounder
  77          *
  78          * here the gensec session key is used and
  79          * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
  80          */
  81         enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
  82         MD5Init(&md5);
  83         MD5Update(&md5, gensec_skey->data, gensec_skey->length);
  84         MD5Update(&md5, confounder.data, confounder.length);
  85         MD5Final(enc_key.data, &md5);
  86
  87         /*
  88          * copy the encrypted buffer part and
  89          * decrypt it using the created encryption key using arcfour
  90          */
  91         dec_buffer = data_blob_const(enc_buffer.data, enc_buffer.length);
  92         arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
  93
  94         /*
  95          * the first 4 byte are the crc32 checksum
  96          * of the remaining bytes
  97          */
  98         crc32_given = IVAL(dec_buffer.data, 0);
  99         crc32_calc = crc32(0, Z_NULL, 0);
 100         crc32_calc = crc32(crc32_calc,
 101                            dec_buffer.data + 4 ,
 102                            dec_buffer.length - 4);
 103         checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
 104
 105         plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
 106         W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
 107
 108         if (crc32_given != crc32_calc) {
 109                 return W_ERROR(HRES_ERROR_V(HRES_SEC_E_DECRYPT_FAILURE));
 110         }
 111         /*
 112          * The following rid_crypt obfuscation isn't session specific
 113          * and not really needed here, because we allways know the rid of the
 114          * user account.
 115          *
 116          * some attributes with this 'additional encryption' include
 117          * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
 118          *
 119          * But for the rest of samba it's easier when we remove this static
 120          * obfuscation here
 121          */
 122         if (rid_crypt) {
 123                 uint32_t i, num_hashes;
 124
 125                 if ((checked_buffer.length % 16) != 0) {
 126                         return WERR_DS_DRA_INVALID_PARAMETER;
 127                 }
 128
 129                 num_hashes = plain_buffer.length / 16;
 130                 for (i = 0; i < num_hashes; i++) {
 131                         uint32_t offset = i * 16;
 132                         sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
 133                 }
 134         }
 135
 136         *out = plain_buffer;
 137         return WERR_OK;
 138 }
 139
 140 WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx,
 141                                  const DATA_BLOB *gensec_skey,
 142                                  uint32_t rid,
 143                                  uint32_t dsdb_repl_flags,
 144                                  struct drsuapi_DsReplicaAttribute *attr)
 145 {
 146         WERROR status;
 147         DATA_BLOB *enc_data;
 148         DATA_BLOB plain_data;
 149         bool rid_crypt = false;
 150
 151         if (attr->value_ctr.num_values == 0) {
 152                 return WERR_OK;
 153         }
 154
 155         switch (attr->attid) {
 156         case DRSUAPI_ATTID_dBCSPwd:
 157         case DRSUAPI_ATTID_unicodePwd:
 158         case DRSUAPI_ATTID_ntPwdHistory:
 159         case DRSUAPI_ATTID_lmPwdHistory:
 160                 rid_crypt = true;
 161                 break;
 162         case DRSUAPI_ATTID_supplementalCredentials:
 163         case DRSUAPI_ATTID_priorValue:
 164         case DRSUAPI_ATTID_currentValue:
 165         case DRSUAPI_ATTID_trustAuthOutgoing:
 166         case DRSUAPI_ATTID_trustAuthIncoming:
 167         case DRSUAPI_ATTID_initialAuthOutgoing:
 168         case DRSUAPI_ATTID_initialAuthIncoming:
 169                 break;
 170         default:
 171                 return WERR_OK;
 172         }
 173
 174         if (dsdb_repl_flags & DSDB_REPL_FLAG_EXPECT_NO_SECRETS) {
 175                 return WERR_TOO_MANY_SECRETS;
 176         }
 177
 178         if (attr->value_ctr.num_values > 1) {
 179                 return WERR_DS_DRA_INVALID_PARAMETER;
 180         }
 181
 182         if (!attr->value_ctr.values[0].blob) {
 183                 return WERR_DS_DRA_INVALID_PARAMETER;
 184         }
 185
 186         enc_data        = attr->value_ctr.values[0].blob;
 187
 188         status = drsuapi_decrypt_attribute_value(mem_ctx,
 189                                                  gensec_skey,
 190                                                  rid_crypt,
 191                                                  rid,
 192                                                  enc_data,
 193                                                  &plain_data);
 194         W_ERROR_NOT_OK_RETURN(status);
 195
 196         talloc_free(attr->value_ctr.values[0].blob->data);
 197         *attr->value_ctr.values[0].blob = plain_data;
 198
 199         return WERR_OK;
 200 }
 201
 202 static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx,
 203                                               const DATA_BLOB *gensec_skey,
 204                                               bool rid_crypt,
 205                                               uint32_t rid,
 206                                               DATA_BLOB *in,
 207                                               DATA_BLOB *out)
 208 {
 209         DATA_BLOB rid_crypt_out = data_blob(NULL, 0);
 210         DATA_BLOB confounder;
 211
 212         MD5_CTX md5;
 213         uint8_t _enc_key[16];
 214         DATA_BLOB enc_key;
 215
 216         DATA_BLOB enc_buffer;
 217
 218         uint32_t crc32_calc;
 219
 220         /*
 221          * users with rid == 0 should not exist
 222          */
 223         if (rid_crypt && rid == 0) {
 224                 return WERR_DS_DRA_INVALID_PARAMETER;
 225         }
 226
 227         /*
 228          * The following rid_crypt obfuscation isn't session specific
 229          * and not really needed here, because we allways know the rid of the
 230          * user account.
 231          *
 232          * some attributes with this 'additional encryption' include
 233          * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
 234          *
 235          * But for the rest of samba it's easier when we remove this static
 236          * obfuscation here
 237          */
 238         if (rid_crypt) {
 239                 uint32_t i, num_hashes;
 240                 rid_crypt_out = data_blob_talloc(mem_ctx, in->data, in->length);
 241                 W_ERROR_HAVE_NO_MEMORY(rid_crypt_out.data);
 242
 243                 if ((rid_crypt_out.length % 16) != 0) {
 244                         return WERR_DS_DRA_INVALID_PARAMETER;
 245                 }
 246
 247                 num_hashes = rid_crypt_out.length / 16;
 248                 for (i = 0; i < num_hashes; i++) {
 249                         uint32_t offset = i * 16;
 250                         sam_rid_crypt(rid, in->data + offset, rid_crypt_out.data + offset, 1);
 251                 }
 252                 in = &rid_crypt_out;
 253         }
 254
 255         /*
 256          * the first 16 bytes at the beginning are the confounder
 257          * followed by the 4 byte crc32 checksum
 258          */
 259
 260         enc_buffer = data_blob_talloc(mem_ctx, NULL, in->length+20);
 261         if (!enc_buffer.data) {
 262                 talloc_free(rid_crypt_out.data);
 263                 return WERR_NOT_ENOUGH_MEMORY;
 264         };
 265
 266         confounder = data_blob_const(enc_buffer.data, 16);
 267         generate_random_buffer(confounder.data, confounder.length);
 268
 269         /*
 270          * build the encryption key md5 over the session key followed
 271          * by the confounder
 272          *
 273          * here the gensec session key is used and
 274          * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
 275          */
 276         enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
 277         MD5Init(&md5);
 278         MD5Update(&md5, gensec_skey->data, gensec_skey->length);
 279         MD5Update(&md5, confounder.data, confounder.length);
 280         MD5Final(enc_key.data, &md5);
 281
 282         /*
 283          * the first 4 byte are the crc32 checksum
 284          * of the remaining bytes
 285          */
 286         crc32_calc = crc32(0, Z_NULL, 0);
 287         crc32_calc = crc32(crc32_calc, in->data, in->length);
 288         SIVAL(enc_buffer.data, 16, crc32_calc);
 289
 290         /*
 291          * copy the plain buffer part and
 292          * encrypt it using the created encryption key using arcfour
 293          */
 294         memcpy(enc_buffer.data+20, in->data, in->length);
 295         talloc_free(rid_crypt_out.data);
 296
 297         arcfour_crypt_blob(enc_buffer.data+16, enc_buffer.length-16, &enc_key);
 298
 299         *out = enc_buffer;
 300
 301         return WERR_OK;
 302 }
 303
 304 /*
 305   encrypt a DRSUAPI attribute ready for sending over the wire
 306   Only some attribute types are encrypted
 307  */
 308 WERROR drsuapi_encrypt_attribute(TALLOC_CTX *mem_ctx,
 309                                  const DATA_BLOB *gensec_skey,
 310                                  uint32_t rid,
 311                                  struct drsuapi_DsReplicaAttribute *attr)
 312 {
 313         WERROR status;
 314         DATA_BLOB *plain_data;
 315         DATA_BLOB enc_data;
 316         bool rid_crypt = false;
 317
 318         if (attr->value_ctr.num_values == 0) {
 319                 return WERR_OK;
 320         }
 321
 322         switch (attr->attid) {
 323         case DRSUAPI_ATTID_dBCSPwd:
 324         case DRSUAPI_ATTID_unicodePwd:
 325         case DRSUAPI_ATTID_ntPwdHistory:
 326         case DRSUAPI_ATTID_lmPwdHistory:
 327                 rid_crypt = true;
 328                 break;
 329         case DRSUAPI_ATTID_supplementalCredentials:
 330         case DRSUAPI_ATTID_priorValue:
 331         case DRSUAPI_ATTID_currentValue:
 332         case DRSUAPI_ATTID_trustAuthOutgoing:
 333         case DRSUAPI_ATTID_trustAuthIncoming:
 334         case DRSUAPI_ATTID_initialAuthOutgoing:
 335         case DRSUAPI_ATTID_initialAuthIncoming:
 336                 break;
 337         default:
 338                 return WERR_OK;
 339         }
 340
 341         if (attr->value_ctr.num_values > 1) {
 342                 return WERR_DS_DRA_INVALID_PARAMETER;
 343         }
 344
 345         if (!attr->value_ctr.values[0].blob) {
 346                 return WERR_DS_DRA_INVALID_PARAMETER;
 347         }
 348
 349         plain_data      = attr->value_ctr.values[0].blob;
 350
 351         status = drsuapi_encrypt_attribute_value(mem_ctx,
 352                                                  gensec_skey,
 353                                                  rid_crypt,
 354                                                  rid,
 355                                                  plain_data,
 356                                                  &enc_data);
 357         W_ERROR_NOT_OK_RETURN(status);
 358
 359         talloc_free(attr->value_ctr.values[0].blob->data);
 360         *attr->value_ctr.values[0].blob = enc_data;
 361
 362         return WERR_OK;
 363 }
 364