diff options
author | Matthieu Patou <mat@matws.net> | 2010-11-20 18:19:06 +0300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2011-01-12 09:08:06 +0100 |
commit | 25ae380fabfd2d7e5141dadb48b8e30b5b723c1f (patch) | |
tree | ef26e319e298cfab3d5db45b9b9700c99e6ff478 /librpc | |
parent | 9d9c2128585a1d5fdb9090215750427df6a883ff (diff) | |
download | samba-25ae380fabfd2d7e5141dadb48b8e30b5b723c1f.tar.gz samba-25ae380fabfd2d7e5141dadb48b8e30b5b723c1f.tar.bz2 samba-25ae380fabfd2d7e5141dadb48b8e30b5b723c1f.zip |
idl: Add IDL for remote key backup protocol (rkbp)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r-- | librpc/idl/backupkey.idl | 120 | ||||
-rw-r--r-- | librpc/idl/wscript_build | 2 | ||||
-rw-r--r-- | librpc/ndr/ndr_backupkey.c | 215 | ||||
-rw-r--r-- | librpc/ndr/ndr_backupkey.h | 2 | ||||
-rw-r--r-- | librpc/wscript_build | 10 |
5 files changed, 348 insertions, 1 deletions
diff --git a/librpc/idl/backupkey.idl b/librpc/idl/backupkey.idl new file mode 100644 index 0000000000..e21030bb69 --- /dev/null +++ b/librpc/idl/backupkey.idl @@ -0,0 +1,120 @@ +#include "idl_types.h" + +import "misc.idl", "security.idl"; +[ + uuid("3dde7c30-165d-11d1-ab8f-00805f14db40"), + version(1.0), + endpoint("ncacn_np:[\\pipe\\protected_storage]","ncacn_np:[\\pipe\\ntsvcs]" ,"ncacn_ip_tcp:"), + helpstring("Remote Backup Key Storage"), + helper("../librpc/ndr/ndr_backupkey.h"), + pointer_default(unique) +] +interface backupkey +{ + const string BACKUPKEY_RESTORE_GUID = "47270C64-2FC7-499B-AC5B-0E37CDCE899A"; + const string BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = "018FF48A-EABA-40C6-8F6D-72370240E967"; + + const string BACKUPKEY_RESTORE_GUID_WIN2K = "7FE94D50-178E-11D1-AB8F-00805F14DB40"; + const string BACKUPKEY_BACKUP_GUID = "7F752B10-178E-11D1-AB8F-00805F14DB40"; + + /* + * The magic values are really what they are there is no name it's just remarkable values + * that are here to check that what is transmited or decoded is really what the client or + * the server expect. + */ + [public] typedef struct { + [value(0x00000002)] uint32 header1; + [value(0x00000494)] uint32 header2; + uint32 certificate_len; + [value(0x00000207)] uint32 magic1; + [value(0x0000A400)] uint32 magic2; + [value(0x32415352)] uint32 magic3; + [value(0x00000800)] uint32 magic4; + [subcontext(0),subcontext_size(4),flag(NDR_REMAINING)] DATA_BLOB public_exponent; + + [subcontext(0),subcontext_size(256),flag(NDR_REMAINING)] DATA_BLOB modulus; + [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB prime1; + [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB prime2; + [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB exponent1; + [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB exponent2; + [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB coefficient; + [subcontext(0),subcontext_size(256),flag(NDR_REMAINING)] DATA_BLOB private_exponent; + [subcontext(0),subcontext_size(certificate_len),flag(NDR_REMAINING)] DATA_BLOB cert; + } bkrp_exported_RSA_key_pair; + + [public] typedef struct { + [value(0x00000001)] uint32 magic; + uint8 key[256]; + } bkrp_dc_serverwrap_key; + + [public,gensize] typedef struct { + uint32 version; + uint32 encrypted_secret_len; + uint32 access_check_len; + GUID guid; + uint8 encrypted_secret[encrypted_secret_len]; + uint8 access_check[access_check_len]; + } bkrp_client_side_wrapped; + + [public] typedef struct { + [value(0x00000000)] uint32 magic; + [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB secret; + } bkrp_client_side_unwrapped; + + [public] typedef struct { + uint32 secret_len; + [value(0x00000020)] uint32 magic; + uint8 secret[secret_len]; + uint8 payload_key[32]; + } bkrp_encrypted_secret_v2; + + [public] typedef struct { + uint32 secret_len; + [value(0x00000030)] uint32 magic1; + [value(0x00006610)] uint32 magic2; + [value(0x0000800e)] uint32 magic3; + uint8 secret[secret_len]; + uint8 payload_key[48]; + } bkrp_encrypted_secret_v3; + + /* Due to alignement constraint we can generate the structure only via pidl*/ + [public, nopush, nopull] typedef struct { + [value(0x00000001)] uint32 magic; + uint32 nonce_len; + uint8 nonce[nonce_len]; + dom_sid sid; + uint8 hash[20]; + } bkrp_access_check_v2; + + /* Due to alignement constraint we can generate the structure only via pidl*/ + [public,nopush,nopull] typedef struct { + [value(0x00000001)] uint32 magic; + uint32 nonce_len; + uint8 nonce[nonce_len]; + dom_sid sid; + uint8 hash[64]; + } bkrp_access_check_v3; + + typedef enum { + BACKUPKEY_INVALID_GUID_INTEGER = 0xFFFF, + BACKUPKEY_RESTORE_GUID_INTEGER = 0x0000, + BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001 + } bkrp_guid_to_integer; + + [public] typedef [nodiscriminant] union { + [case(BACKUPKEY_RESTORE_GUID_INTEGER)] bkrp_client_side_wrapped restore_req; + [case(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER)] bkrp_client_side_wrapped cert_req; + } bkrp_data_in_blob; + + /******************/ + /* Function: 0x00 */ + + [public, noprint] WERROR bkrp_BackupKey ( + [in,ref] GUID *guidActionAgent, + [in,ref] [size_is(data_in_len)] uint8 *data_in, + [in] uint32 data_in_len, + [out,ref] [size_is(,*data_out_len)] uint8 **data_out, + [out,ref] uint32 *data_out_len, + [in] uint32 param + ); +} diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build index 78f174f6d1..2d65d748ee 100644 --- a/librpc/idl/wscript_build +++ b/librpc/idl/wscript_build @@ -10,7 +10,7 @@ bld.SAMBA_PIDL_LIST('PIDL', dbgidl.idl dnsserver.idl echo.idl frsrpc.idl lsa.idl nbt.idl dns.idl oxidresolver.idl samr.idl srvsvc.idl winreg.idl dcerpc.idl drsblobs.idl efs.idl frstrans.idl mgmt.idl netlogon.idl - policyagent.idl scerpc.idl svcctl.idl wkssvc.idl eventlog6.idl''', + policyagent.idl scerpc.idl svcctl.idl wkssvc.idl eventlog6.idl backupkey.idl''', options='--header --ndr-parser --samba3-ndr-server --samba3-ndr-client --server --client --python', output_dir='../gen_ndr') diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c new file mode 100644 index 0000000000..ddbaeea000 --- /dev/null +++ b/librpc/ndr/ndr_backupkey.c @@ -0,0 +1,215 @@ +/* + Unix SMB/CIFS implementation. + + routines for top backup key protocol marshalling/unmarshalling + + Copyright (C) Matthieu Patou 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "librpc/gen_ndr/ndr_misc.h" +#include "librpc/gen_ndr/ndr_backupkey.h" +#include "librpc/gen_ndr/ndr_security.h" + +static uint32_t backupkeyguid_to_uint(const struct GUID *guid) +{ + struct GUID tmp; + NTSTATUS status; + bool match; + + status = GUID_from_string(BACKUPKEY_RESTORE_GUID, &tmp); + if (NT_STATUS_IS_OK(status)) { + match = GUID_equal(guid, &tmp); + if (match) { + return BACKUPKEY_RESTORE_GUID_INTEGER; + } + } + + status = GUID_from_string(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, &tmp); + if (NT_STATUS_IS_OK(status)) { + match = GUID_equal(guid, &tmp); + if (match) { + return BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER; + } + } + + return BACKUPKEY_INVALID_GUID_INTEGER; +} + +_PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name, int flags, const struct bkrp_BackupKey *r) +{ + ndr_print_struct(ndr, name, "bkrp_BackupKey"); + if (r == NULL) { ndr_print_null(ndr); return; } + ndr->depth++; + if (flags & NDR_SET_VALUES) { + ndr->flags |= LIBNDR_PRINT_SET_VALUES; + } + if (flags & NDR_IN) { + union bkrp_data_in_blob inblob; + DATA_BLOB blob; + uint32_t level; + enum ndr_err_code ndr_err; + + ndr_print_struct(ndr, "in", "bkrp_BackupKey"); + ndr->depth++; + ndr_print_ptr(ndr, "guidActionAgent", r->in.guidActionAgent); + ndr->depth++; + ndr_print_GUID(ndr, "guidActionAgent", r->in.guidActionAgent); + ndr->depth--; + + level = backupkeyguid_to_uint(r->in.guidActionAgent); + blob.data = r->in.data_in; + blob.length = r->in.data_in_len; + ndr_err = ndr_pull_union_blob(&blob, ndr, &inblob, level, + (ndr_pull_flags_fn_t)ndr_pull_bkrp_data_in_blob); + + ndr_print_ptr(ndr, "data_in", r->in.data_in); + ndr->depth++; + if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + ndr_print_bkrp_data_in_blob(ndr, "data_in", &inblob); + } else { + ndr_print_array_uint8(ndr, "data_in", r->in.data_in, r->in.data_in_len); + } + ndr->depth--; + + ndr_print_uint32(ndr, "data_in_len", r->in.data_in_len); + ndr_print_uint32(ndr, "param", r->in.param); + ndr->depth--; + } + if (flags & NDR_OUT) { + ndr_print_struct(ndr, "out", "bkrp_BackupKey"); + ndr->depth++; + ndr_print_ptr(ndr, "data_out", r->out.data_out); + ndr->depth++; + ndr_print_ptr(ndr, "data_out", *r->out.data_out); + ndr->depth++; + + if (*r->out.data_out) { + ndr_print_array_uint8(ndr, "data_out", *r->out.data_out, *r->out.data_out_len); + } + ndr->depth--; + ndr->depth--; + ndr_print_ptr(ndr, "data_out_len", r->out.data_out_len); + ndr->depth++; + ndr_print_uint32(ndr, "data_out_len", *r->out.data_out_len); + ndr->depth--; + ndr_print_WERROR(ndr, "result", r->out.result); + ndr->depth--; + } + ndr->depth--; +} + +/* We have manual push/pull because we didn't manage to do the alignment + * purely in PIDL as the padding is sized so that the whole access_check_v3 + * struct size is a multiple of 8 (as specified in 2.2.2.3 of ms-bkrp.pdf) + */ +_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v2(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v2 *r) +{ + if (ndr_flags & NDR_SCALARS) { + size_t ofs; + size_t pad; + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000001)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->nonce_len)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len)); + NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->sid)); + /* We articially increment the offset of 20 bytes (size of hash + * comming after the pad) so that ndr_align can determine easily + * the correct pad size to make the whole struct 8 bytes aligned + */ + ofs = ndr->offset + 20; + pad = ndr_align_size(ofs, 8); + NDR_CHECK(ndr_push_zero(ndr, pad)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 20)); + NDR_CHECK(ndr_push_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v2(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v2 *r) +{ + if (ndr_flags & NDR_SCALARS) { + size_t ofs; + size_t pad; + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->nonce_len)); + NDR_PULL_ALLOC_N(ndr, r->nonce, r->nonce_len); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len)); + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sid)); + ofs = ndr->offset + 20; + pad = ndr_align_size(ofs, 8); + NDR_CHECK(ndr_pull_advance(ndr, pad)); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 20)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +/* We have manual push/pull because we didn't manage to do the alignment + * purely in PIDL as the padding is sized so that the whole access_check_v3 + * struct size is a multiple of 16 (as specified in 2.2.2.4 of ms-bkrp.pdf) + */ +_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v3(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v3 *r) +{ + if (ndr_flags & NDR_SCALARS) { + size_t ofs; + size_t pad; + NDR_CHECK(ndr_push_align(ndr, 4)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000001)); + NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->nonce_len)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len)); + NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->sid)); + /* We articially increment the offset of 64 bytes (size of hash + * comming after the pad) so that ndr_align can determine easily + * the correct pad size to make the whole struct 16 bytes aligned + */ + ofs = ndr->offset + 64; + pad = ndr_align_size(ofs, 16); + NDR_CHECK(ndr_push_zero(ndr, pad)); + NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 64)); + NDR_CHECK(ndr_push_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v3(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v3 *r) +{ + if (ndr_flags & NDR_SCALARS) { + size_t ofs; + size_t pad; + NDR_CHECK(ndr_pull_align(ndr, 4)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic)); + NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->nonce_len)); + NDR_PULL_ALLOC_N(ndr, r->nonce, r->nonce_len); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len)); + NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sid)); + ofs = ndr->offset + 64; + pad = ndr_align_size(ofs, 16); + NDR_CHECK(ndr_pull_advance(ndr, pad)); + NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 64)); + NDR_CHECK(ndr_pull_trailer_align(ndr, 4)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} diff --git a/librpc/ndr/ndr_backupkey.h b/librpc/ndr/ndr_backupkey.h new file mode 100644 index 0000000000..c5c7c39995 --- /dev/null +++ b/librpc/ndr/ndr_backupkey.h @@ -0,0 +1,2 @@ +_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v2(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v2 *r); +_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v2(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v2 *r); diff --git a/librpc/wscript_build b/librpc/wscript_build index 0d90d106ea..236a728d5f 100644 --- a/librpc/wscript_build +++ b/librpc/wscript_build @@ -281,6 +281,11 @@ bld.SAMBA_SUBSYSTEM('NDR_NBT', header_path='gen_ndr' ) +bld.SAMBA_SUBSYSTEM('NDR_BACKUPKEY', + source='../librpc/ndr/ndr_backupkey.c ../librpc/gen_ndr/ndr_backupkey.c', + public_deps='ndr' + ) + bld.SAMBA_SUBSYSTEM('RPC_NDR_XATTR', source='../librpc/gen_ndr/ndr_xattr_c.c', public_deps='NDR_XATTR dcerpc' @@ -468,6 +473,11 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_KEYSVC', public_deps='dcerpc NDR_KEYSVC' ) +bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY', + source='../librpc/gen_ndr/ndr_backupkey_c.c', + public_deps='dcerpc NDR_BACKUPKEY' + ) + # a grouping library for NDR subsystems that may be used by more than one target bld.SAMBA_LIBRARY('ndr-samba', source=[], |