libcli/drsuapi/repl_decrypt.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Helper functions for applying replicated objects
   4
   5    Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20
  21 */
  22
  23 #include "includes.h"
  24 #include "../lib/util/dlinklist.h"
  25 #include "librpc/gen_ndr/ndr_misc.h"
  26 #include "librpc/gen_ndr/ndr_drsuapi.h"
  27 #include "librpc/gen_ndr/ndr_drsblobs.h"
  28 #include "../lib/crypto/md5.h"
  29 #include "../lib/crypto/arcfour.h"
  30 #include "zlib.h"
  31 #include "../libcli/drsuapi/drsuapi.h"
  32 #include "libcli/auth/libcli_auth.h"
  33 #include "dsdb/samdb/samdb.h"
  34
  35 #include <gnutls/gnutls.h>
  36 #include <gnutls/crypto.h>
  37
  38 WERROR drsuapi_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
  39                                        const DATA_BLOB *gensec_skey,
  40                                        bool rid_crypt,
  41                                        uint32_t rid,
  42                                        DATA_BLOB *in,
  43                                        DATA_BLOB *out)
  44 {
  45         DATA_BLOB confounder;
  46         DATA_BLOB enc_buffer;
  47
  48         gnutls_hash_hd_t hash_hnd = NULL;
  49         uint8_t _enc_key[16];
  50         DATA_BLOB enc_key;
  51
  52         DATA_BLOB dec_buffer;
  53
  54         uint32_t crc32_given;
  55         uint32_t crc32_calc;
  56         DATA_BLOB checked_buffer;
  57
  58         DATA_BLOB plain_buffer;
  59         WERROR result;
  60         int rc;
  61
  62         /*
  63          * users with rid == 0 should not exist
  64          */
  65         if (rid_crypt && rid == 0) {
  66                 return WERR_DS_DRA_INVALID_PARAMETER;
  67         }
  68
  69         /*
  70          * the first 16 bytes at the beginning are the confounder
  71          * followed by the 4 byte crc32 checksum
  72          */
  73         if (in->length < 20) {
  74                 return WERR_DS_DRA_INVALID_PARAMETER;
  75         }
  76         confounder = data_blob_const(in->data, 16);
  77         enc_buffer = data_blob_const(in->data + 16, in->length - 16);
  78
  79         /*
  80          * build the encryption key md5 over the session key followed
  81          * by the confounder
  82          *
  83          * here the gensec session key is used and
  84          * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
  85          */
  86         enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
  87
  88         rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
  89         if (rc < 0) {
  90                 result = WERR_NOT_ENOUGH_MEMORY;
  91                 goto out;
  92         }
  93         rc = gnutls_hash(hash_hnd, gensec_skey->data, gensec_skey->length);
  94         if (rc < 0) {
  95                 gnutls_hash_deinit(hash_hnd, NULL);
  96                 result = WERR_INTERNAL_ERROR;
  97                 goto out;
  98         }
  99         rc = gnutls_hash(hash_hnd, confounder.data, confounder.length);
 100         if (rc < 0) {
 101                 gnutls_hash_deinit(hash_hnd, NULL);
 102                 result = WERR_INTERNAL_ERROR;
 103                 goto out;
 104         }
 105
 106         gnutls_hash_deinit(hash_hnd, enc_key.data);
 107
 108         /*
 109          * copy the encrypted buffer part and
 110          * decrypt it using the created encryption key using arcfour
 111          */
 112         dec_buffer = data_blob_const(enc_buffer.data, enc_buffer.length);
 113         arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
 114
 115         ZERO_ARRAY_LEN(enc_key.data, enc_key.length);
 116
 117         /*
 118          * the first 4 byte are the crc32 checksum
 119          * of the remaining bytes
 120          */
 121         crc32_given = IVAL(dec_buffer.data, 0);
 122         crc32_calc = crc32(0, Z_NULL, 0);
 123         crc32_calc = crc32(crc32_calc,
 124                            dec_buffer.data + 4 ,
 125                            dec_buffer.length - 4);
 126         checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
 127
 128         plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
 129         W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
 130
 131         if (crc32_given != crc32_calc) {
 132                 result = W_ERROR(HRES_ERROR_V(HRES_SEC_E_DECRYPT_FAILURE));
 133                 goto out;
 134         }
 135         /*
 136          * The following rid_crypt obfuscation isn't session specific
 137          * and not really needed here, because we allways know the rid of the
 138          * user account.
 139          *
 140          * some attributes with this 'additional encryption' include
 141          * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
 142          *
 143          * But for the rest of samba it's easier when we remove this static
 144          * obfuscation here
 145          */
 146         if (rid_crypt) {
 147                 uint32_t i, num_hashes;
 148
 149                 if ((checked_buffer.length % 16) != 0) {
 150                         result = WERR_DS_DRA_INVALID_PARAMETER;
 151                         goto out;
 152                 }
 153
 154                 num_hashes = plain_buffer.length / 16;
 155                 for (i = 0; i < num_hashes; i++) {
 156                         uint32_t offset = i * 16;
 157                         sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
 158                 }
 159         }
 160
 161         *out = plain_buffer;
 162         result = WERR_OK;
 163 out:
 164         return result;
 165 }
 166
 167 WERROR drsuapi_decrypt_attribute(TALLOC_CTX *mem_ctx,
 168                                  const DATA_BLOB *gensec_skey,
 169                                  uint32_t rid,
 170                                  uint32_t dsdb_repl_flags,
 171                                  struct drsuapi_DsReplicaAttribute *attr)
 172 {
 173         WERROR status;
 174         DATA_BLOB *enc_data;
 175         DATA_BLOB plain_data;
 176         bool rid_crypt = false;
 177
 178         if (attr->value_ctr.num_values == 0) {
 179                 return WERR_OK;
 180         }
 181
 182         switch (attr->attid) {
 183         case DRSUAPI_ATTID_dBCSPwd:
 184         case DRSUAPI_ATTID_unicodePwd:
 185         case DRSUAPI_ATTID_ntPwdHistory:
 186         case DRSUAPI_ATTID_lmPwdHistory:
 187                 rid_crypt = true;
 188                 break;
 189         case DRSUAPI_ATTID_supplementalCredentials:
 190         case DRSUAPI_ATTID_priorValue:
 191         case DRSUAPI_ATTID_currentValue:
 192         case DRSUAPI_ATTID_trustAuthOutgoing:
 193         case DRSUAPI_ATTID_trustAuthIncoming:
 194         case DRSUAPI_ATTID_initialAuthOutgoing:
 195         case DRSUAPI_ATTID_initialAuthIncoming:
 196                 break;
 197         default:
 198                 return WERR_OK;
 199         }
 200
 201         if (dsdb_repl_flags & DSDB_REPL_FLAG_EXPECT_NO_SECRETS) {
 202                 return WERR_TOO_MANY_SECRETS;
 203         }
 204
 205         if (attr->value_ctr.num_values > 1) {
 206                 return WERR_DS_DRA_INVALID_PARAMETER;
 207         }
 208
 209         if (!attr->value_ctr.values[0].blob) {
 210                 return WERR_DS_DRA_INVALID_PARAMETER;
 211         }
 212
 213         enc_data        = attr->value_ctr.values[0].blob;
 214
 215         status = drsuapi_decrypt_attribute_value(mem_ctx,
 216                                                  gensec_skey,
 217                                                  rid_crypt,
 218                                                  rid,
 219                                                  enc_data,
 220                                                  &plain_data);
 221         W_ERROR_NOT_OK_RETURN(status);
 222
 223         talloc_free(attr->value_ctr.values[0].blob->data);
 224         *attr->value_ctr.values[0].blob = plain_data;
 225
 226         return WERR_OK;
 227 }
 228
 229 static WERROR drsuapi_encrypt_attribute_value(TALLOC_CTX *mem_ctx,
 230                                               const DATA_BLOB *gensec_skey,
 231                                               bool rid_crypt,
 232                                               uint32_t rid,
 233                                               DATA_BLOB *in,
 234                                               DATA_BLOB *out)
 235 {
 236         DATA_BLOB rid_crypt_out = data_blob(NULL, 0);
 237         DATA_BLOB confounder;
 238
 239         MD5_CTX md5;
 240         uint8_t _enc_key[16];
 241         DATA_BLOB enc_key;
 242
 243         DATA_BLOB enc_buffer;
 244
 245         uint32_t crc32_calc;
 246
 247         /*
 248          * users with rid == 0 should not exist
 249          */
 250         if (rid_crypt && rid == 0) {
 251                 return WERR_DS_DRA_INVALID_PARAMETER;
 252         }
 253
 254         /*
 255          * The following rid_crypt obfuscation isn't session specific
 256          * and not really needed here, because we allways know the rid of the
 257          * user account.
 258          *
 259          * some attributes with this 'additional encryption' include
 260          * dBCSPwd, unicodePwd, ntPwdHistory, lmPwdHistory
 261          *
 262          * But for the rest of samba it's easier when we remove this static
 263          * obfuscation here
 264          */
 265         if (rid_crypt) {
 266                 uint32_t i, num_hashes;
 267                 rid_crypt_out = data_blob_talloc(mem_ctx, in->data, in->length);
 268                 W_ERROR_HAVE_NO_MEMORY(rid_crypt_out.data);
 269
 270                 if ((rid_crypt_out.length % 16) != 0) {
 271                         return WERR_DS_DRA_INVALID_PARAMETER;
 272                 }
 273
 274                 num_hashes = rid_crypt_out.length / 16;
 275                 for (i = 0; i < num_hashes; i++) {
 276                         uint32_t offset = i * 16;
 277                         sam_rid_crypt(rid, in->data + offset, rid_crypt_out.data + offset, 1);
 278                 }
 279                 in = &rid_crypt_out;
 280         }
 281
 282         /*
 283          * the first 16 bytes at the beginning are the confounder
 284          * followed by the 4 byte crc32 checksum
 285          */
 286
 287         enc_buffer = data_blob_talloc(mem_ctx, NULL, in->length+20);
 288         if (!enc_buffer.data) {
 289                 talloc_free(rid_crypt_out.data);
 290                 return WERR_NOT_ENOUGH_MEMORY;
 291         };
 292
 293         confounder = data_blob_const(enc_buffer.data, 16);
 294         generate_random_buffer(confounder.data, confounder.length);
 295
 296         /*
 297          * build the encryption key md5 over the session key followed
 298          * by the confounder
 299          *
 300          * here the gensec session key is used and
 301          * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
 302          */
 303         enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
 304         MD5Init(&md5);
 305         MD5Update(&md5, gensec_skey->data, gensec_skey->length);
 306         MD5Update(&md5, confounder.data, confounder.length);
 307         MD5Final(enc_key.data, &md5);
 308
 309         /*
 310          * the first 4 byte are the crc32 checksum
 311          * of the remaining bytes
 312          */
 313         crc32_calc = crc32(0, Z_NULL, 0);
 314         crc32_calc = crc32(crc32_calc, in->data, in->length);
 315         SIVAL(enc_buffer.data, 16, crc32_calc);
 316
 317         /*
 318          * copy the plain buffer part and
 319          * encrypt it using the created encryption key using arcfour
 320          */
 321         memcpy(enc_buffer.data+20, in->data, in->length);
 322         talloc_free(rid_crypt_out.data);
 323
 324         arcfour_crypt_blob(enc_buffer.data+16, enc_buffer.length-16, &enc_key);
 325
 326         *out = enc_buffer;
 327
 328         return WERR_OK;
 329 }
 330
 331 /*
 332   encrypt a DRSUAPI attribute ready for sending over the wire
 333   Only some attribute types are encrypted
 334  */
 335 WERROR drsuapi_encrypt_attribute(TALLOC_CTX *mem_ctx,
 336                                  const DATA_BLOB *gensec_skey,
 337                                  uint32_t rid,
 338                                  struct drsuapi_DsReplicaAttribute *attr)
 339 {
 340         WERROR status;
 341         DATA_BLOB *plain_data;
 342         DATA_BLOB enc_data;
 343         bool rid_crypt = false;
 344
 345         if (attr->value_ctr.num_values == 0) {
 346                 return WERR_OK;
 347         }
 348
 349         switch (attr->attid) {
 350         case DRSUAPI_ATTID_dBCSPwd:
 351         case DRSUAPI_ATTID_unicodePwd:
 352         case DRSUAPI_ATTID_ntPwdHistory:
 353         case DRSUAPI_ATTID_lmPwdHistory:
 354                 rid_crypt = true;
 355                 break;
 356         case DRSUAPI_ATTID_supplementalCredentials:
 357         case DRSUAPI_ATTID_priorValue:
 358         case DRSUAPI_ATTID_currentValue:
 359         case DRSUAPI_ATTID_trustAuthOutgoing:
 360         case DRSUAPI_ATTID_trustAuthIncoming:
 361         case DRSUAPI_ATTID_initialAuthOutgoing:
 362         case DRSUAPI_ATTID_initialAuthIncoming:
 363                 break;
 364         default:
 365                 return WERR_OK;
 366         }
 367
 368         if (attr->value_ctr.num_values > 1) {
 369                 return WERR_DS_DRA_INVALID_PARAMETER;
 370         }
 371
 372         if (!attr->value_ctr.values[0].blob) {
 373                 return WERR_DS_DRA_INVALID_PARAMETER;
 374         }
 375
 376         plain_data      = attr->value_ctr.values[0].blob;
 377
 378         status = drsuapi_encrypt_attribute_value(mem_ctx,
 379                                                  gensec_skey,
 380                                                  rid_crypt,
 381                                                  rid,
 382                                                  plain_data,
 383                                                  &enc_data);
 384         W_ERROR_NOT_OK_RETURN(status);
 385
 386         talloc_free(attr->value_ctr.values[0].blob->data);
 387         *attr->value_ctr.values[0].blob = enc_data;
 388
 389         return WERR_OK;
 390 }
 391