2 Unix SMB/CIFS implementation.
4 endpoint server for the backupkey interface
6 Copyright (C) Matthieu Patou <mat@samba.org> 2010
7 Copyright (C) Andreas Schneider <asn@samba.org> 2015
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "rpc_server/dcerpc_server.h"
25 #include "rpc_server/common/common.h"
26 #include "librpc/gen_ndr/ndr_backupkey.h"
27 #include "dsdb/common/util.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "lib/ldb/include/ldb_errors.h"
30 #include "../lib/util/util_ldb.h"
31 #include "param/param.h"
32 #include "auth/session.h"
33 #include "system/network.h"
35 #include "../lib/tsocket/tsocket.h"
36 #include "../libcli/security/security.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "libds/common/roles.h"
40 #include <gnutls/gnutls.h>
41 #include <gnutls/x509.h>
42 #include <gnutls/crypto.h>
43 #include <gnutls/abstract.h>
45 #define DCESRV_INTERFACE_BACKUPKEY_BIND(call, iface) \
46 dcesrv_interface_backupkey_bind(call, iface)
47 static NTSTATUS dcesrv_interface_backupkey_bind(struct dcesrv_call_state *dce_call,
48 const struct dcesrv_interface *iface)
50 struct dcesrv_connection_context *context = dce_call->context;
51 return dcesrv_interface_bind_require_privacy(context, iface);
54 static NTSTATUS set_lsa_secret(TALLOC_CTX *mem_ctx,
55 struct ldb_context *ldb,
57 const DATA_BLOB *lsa_secret)
59 struct ldb_message *msg;
60 struct ldb_result *res;
61 struct ldb_dn *domain_dn;
62 struct ldb_dn *system_dn;
66 struct timeval now = timeval_current();
67 NTTIME nt_now = timeval_to_nttime(&now);
68 const char *attrs[] = {
72 domain_dn = ldb_get_default_basedn(ldb);
74 return NT_STATUS_INTERNAL_ERROR;
77 msg = ldb_msg_new(mem_ctx);
79 return NT_STATUS_NO_MEMORY;
83 * This function is a lot like dcesrv_lsa_CreateSecret
84 * in the rpc_server/lsa directory
85 * The reason why we duplicate the effort here is that:
86 * * we want to keep the former function static
87 * * we want to avoid the burden of doing LSA calls
88 * when we can just manipulate the secrets directly
89 * * taillor the function to the particular needs of backup protocol
92 system_dn = samdb_search_dn(ldb, msg, domain_dn, "(&(objectClass=container)(cn=System))");
93 if (system_dn == NULL) {
95 return NT_STATUS_NO_MEMORY;
98 name2 = talloc_asprintf(msg, "%s Secret", name);
101 return NT_STATUS_NO_MEMORY;
104 ret = ldb_search(ldb, mem_ctx, &res, system_dn, LDB_SCOPE_SUBTREE, attrs,
105 "(&(cn=%s)(objectclass=secret))",
106 ldb_binary_encode_string(mem_ctx, name2));
108 if (ret != LDB_SUCCESS || res->count != 0 ) {
109 DEBUG(2, ("Secret %s already exists !\n", name2));
111 return NT_STATUS_OBJECT_NAME_COLLISION;
115 * We don't care about previous value as we are
116 * here only if the key didn't exists before
119 msg->dn = ldb_dn_copy(mem_ctx, system_dn);
120 if (msg->dn == NULL) {
122 return NT_STATUS_NO_MEMORY;
124 if (!ldb_dn_add_child_fmt(msg->dn, "cn=%s", name2)) {
126 return NT_STATUS_NO_MEMORY;
129 ret = ldb_msg_add_string(msg, "cn", name2);
130 if (ret != LDB_SUCCESS) {
132 return NT_STATUS_NO_MEMORY;
134 ret = ldb_msg_add_string(msg, "objectClass", "secret");
135 if (ret != LDB_SUCCESS) {
137 return NT_STATUS_NO_MEMORY;
139 ret = samdb_msg_add_uint64(ldb, mem_ctx, msg, "priorSetTime", nt_now);
140 if (ret != LDB_SUCCESS) {
142 return NT_STATUS_NO_MEMORY;
144 val.data = lsa_secret->data;
145 val.length = lsa_secret->length;
146 ret = ldb_msg_add_value(msg, "currentValue", &val, NULL);
147 if (ret != LDB_SUCCESS) {
149 return NT_STATUS_NO_MEMORY;
151 ret = samdb_msg_add_uint64(ldb, mem_ctx, msg, "lastSetTime", nt_now);
152 if (ret != LDB_SUCCESS) {
154 return NT_STATUS_NO_MEMORY;
158 * create the secret with DSDB_MODIFY_RELAX
159 * otherwise dsdb/samdb/ldb_modules/objectclass.c forbid
160 * the create of LSA secret object
162 ret = dsdb_add(ldb, msg, DSDB_MODIFY_RELAX);
163 if (ret != LDB_SUCCESS) {
164 DEBUG(2,("Failed to create secret record %s: %s\n",
165 ldb_dn_get_linearized(msg->dn),
166 ldb_errstring(ldb)));
168 return NT_STATUS_ACCESS_DENIED;
175 /* This function is pretty much like dcesrv_lsa_QuerySecret */
176 static NTSTATUS get_lsa_secret(TALLOC_CTX *mem_ctx,
177 struct ldb_context *ldb,
179 DATA_BLOB *lsa_secret)
182 struct ldb_result *res;
183 struct ldb_dn *domain_dn;
184 struct ldb_dn *system_dn;
185 const struct ldb_val *val;
187 const char *attrs[] = {
193 lsa_secret->data = NULL;
194 lsa_secret->length = 0;
196 domain_dn = ldb_get_default_basedn(ldb);
198 return NT_STATUS_INTERNAL_ERROR;
201 tmp_mem = talloc_new(mem_ctx);
202 if (tmp_mem == NULL) {
203 return NT_STATUS_NO_MEMORY;
206 system_dn = samdb_search_dn(ldb, tmp_mem, domain_dn, "(&(objectClass=container)(cn=System))");
207 if (system_dn == NULL) {
208 talloc_free(tmp_mem);
209 return NT_STATUS_NO_MEMORY;
212 ret = ldb_search(ldb, mem_ctx, &res, system_dn, LDB_SCOPE_SUBTREE, attrs,
213 "(&(cn=%s Secret)(objectclass=secret))",
214 ldb_binary_encode_string(tmp_mem, name));
216 if (ret != LDB_SUCCESS) {
217 talloc_free(tmp_mem);
218 return NT_STATUS_INTERNAL_DB_CORRUPTION;
220 if (res->count == 0) {
221 talloc_free(tmp_mem);
222 return NT_STATUS_RESOURCE_NAME_NOT_FOUND;
224 if (res->count > 1) {
225 DEBUG(2, ("Secret %s collision\n", name));
226 talloc_free(tmp_mem);
227 return NT_STATUS_INTERNAL_DB_CORRUPTION;
230 val = ldb_msg_find_ldb_val(res->msgs[0], "currentValue");
233 * The secret object is here but we don't have the secret value
234 * The most common case is a RODC
236 *lsa_secret = data_blob_null;
237 talloc_free(tmp_mem);
242 lsa_secret->data = talloc_move(mem_ctx, &data);
243 lsa_secret->length = val->length;
245 talloc_free(tmp_mem);
249 static int reverse_and_get_bignum(TALLOC_CTX *mem_ctx,
251 gnutls_datum_t *datum)
255 datum->data = talloc_array(mem_ctx, uint8_t, blob.length);
256 if (datum->data == NULL) {
260 for(i = 0; i < blob.length; i++) {
261 datum->data[i] = blob.data[blob.length - i - 1];
263 datum->size = blob.length;
268 static NTSTATUS get_pk_from_raw_keypair_params(TALLOC_CTX *ctx,
269 struct bkrp_exported_RSA_key_pair *keypair,
270 gnutls_privkey_t *pk)
272 gnutls_x509_privkey_t x509_privkey = NULL;
273 gnutls_privkey_t privkey = NULL;
274 gnutls_datum_t m, e, d, p, q, u, e1, e2;
277 rc = reverse_and_get_bignum(ctx, keypair->modulus, &m);
279 return NT_STATUS_INVALID_PARAMETER;
281 rc = reverse_and_get_bignum(ctx, keypair->public_exponent, &e);
283 return NT_STATUS_INVALID_PARAMETER;
285 rc = reverse_and_get_bignum(ctx, keypair->private_exponent, &d);
287 return NT_STATUS_INVALID_PARAMETER;
290 rc = reverse_and_get_bignum(ctx, keypair->prime1, &p);
292 return NT_STATUS_INVALID_PARAMETER;
294 rc = reverse_and_get_bignum(ctx, keypair->prime2, &q);
296 return NT_STATUS_INVALID_PARAMETER;
299 rc = reverse_and_get_bignum(ctx, keypair->coefficient, &u);
301 return NT_STATUS_INVALID_PARAMETER;
304 rc = reverse_and_get_bignum(ctx, keypair->exponent1, &e1);
306 return NT_STATUS_INVALID_PARAMETER;
308 rc = reverse_and_get_bignum(ctx, keypair->exponent2, &e2);
310 return NT_STATUS_INVALID_PARAMETER;
313 rc = gnutls_x509_privkey_init(&x509_privkey);
314 if (rc != GNUTLS_E_SUCCESS) {
315 DBG_ERR("gnutls_x509_privkey_init failed - %s\n",
316 gnutls_strerror(rc));
317 return NT_STATUS_INTERNAL_ERROR;
320 rc = gnutls_x509_privkey_import_rsa_raw2(x509_privkey,
329 if (rc != GNUTLS_E_SUCCESS) {
330 DBG_ERR("gnutls_x509_privkey_import_rsa_raw2 failed - %s\n",
331 gnutls_strerror(rc));
332 return NT_STATUS_INTERNAL_ERROR;
335 rc = gnutls_privkey_init(&privkey);
336 if (rc != GNUTLS_E_SUCCESS) {
337 DBG_ERR("gnutls_privkey_init failed - %s\n",
338 gnutls_strerror(rc));
339 gnutls_x509_privkey_deinit(x509_privkey);
340 return NT_STATUS_INTERNAL_ERROR;
343 rc = gnutls_privkey_import_x509(privkey,
345 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
346 if (rc != GNUTLS_E_SUCCESS) {
347 DBG_ERR("gnutls_privkey_import_x509 failed - %s\n",
348 gnutls_strerror(rc));
349 gnutls_x509_privkey_deinit(x509_privkey);
350 return NT_STATUS_INTERNAL_ERROR;
358 static WERROR get_and_verify_access_check(TALLOC_CTX *sub_ctx,
361 uint8_t *access_check,
362 uint32_t access_check_len,
363 struct auth_session_info *session_info)
365 struct bkrp_access_check_v2 uncrypted_accesscheckv2;
366 struct bkrp_access_check_v3 uncrypted_accesscheckv3;
367 gnutls_cipher_hd_t cipher_handle = { 0 };
368 gnutls_cipher_algorithm_t cipher_algo;
370 enum ndr_err_code ndr_err;
374 struct dom_sid *access_sid = NULL;
375 struct dom_sid *caller_sid = NULL;
380 cipher_algo = GNUTLS_CIPHER_3DES_CBC;
383 cipher_algo = GNUTLS_CIPHER_AES_256_CBC;
386 return WERR_INVALID_DATA;
389 key.data = key_and_iv;
390 key.size = gnutls_cipher_get_key_size(cipher_algo);
392 iv.data = key_and_iv + key.size;
393 iv.size = gnutls_cipher_get_iv_size(cipher_algo);
395 /* Allocate data structure for the plaintext */
396 blob_us = data_blob_talloc_zero(sub_ctx, access_check_len);
397 if (blob_us.data == NULL) {
398 return WERR_INVALID_DATA;
401 rc = gnutls_cipher_init(&cipher_handle,
406 DBG_ERR("gnutls_cipher_init failed: %s\n",
407 gnutls_strerror(rc));
408 return WERR_INVALID_DATA;
411 rc = gnutls_cipher_decrypt2(cipher_handle,
416 gnutls_cipher_deinit(cipher_handle);
418 DBG_ERR("gnutls_cipher_decrypt2 failed: %s\n",
419 gnutls_strerror(rc));
420 return WERR_INVALID_DATA;
426 uint32_t hash_size = 20;
427 uint8_t hash[hash_size];
428 gnutls_hash_hd_t dig_ctx;
430 ndr_err = ndr_pull_struct_blob(&blob_us, sub_ctx, &uncrypted_accesscheckv2,
431 (ndr_pull_flags_fn_t)ndr_pull_bkrp_access_check_v2);
432 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
433 /* Unable to unmarshall */
434 return WERR_INVALID_DATA;
436 if (uncrypted_accesscheckv2.magic != 0x1) {
438 return WERR_INVALID_DATA;
441 gnutls_hash_init(&dig_ctx, GNUTLS_DIG_SHA1);
444 blob_us.length - hash_size);
445 gnutls_hash_deinit(dig_ctx, hash);
447 * We free it after the sha1 calculation because blob.data
448 * point to the same area
451 if (memcmp(hash, uncrypted_accesscheckv2.hash, hash_size) != 0) {
452 DEBUG(2, ("Wrong hash value in the access check in backup key remote protocol\n"));
453 return WERR_INVALID_DATA;
455 access_sid = &(uncrypted_accesscheckv2.sid);
460 uint32_t hash_size = 64;
461 uint8_t hash[hash_size];
462 gnutls_hash_hd_t dig_ctx;
464 ndr_err = ndr_pull_struct_blob(&blob_us, sub_ctx, &uncrypted_accesscheckv3,
465 (ndr_pull_flags_fn_t)ndr_pull_bkrp_access_check_v3);
466 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
467 /* Unable to unmarshall */
468 return WERR_INVALID_DATA;
470 if (uncrypted_accesscheckv3.magic != 0x1) {
472 return WERR_INVALID_DATA;
475 gnutls_hash_init(&dig_ctx, GNUTLS_DIG_SHA512);
478 blob_us.length - hash_size);
479 gnutls_hash_deinit(dig_ctx, hash);
482 * We free it after the sha1 calculation because blob.data
483 * point to the same area
486 if (memcmp(hash, uncrypted_accesscheckv3.hash, hash_size) != 0) {
487 DEBUG(2, ("Wrong hash value in the access check in backup key remote protocol\n"));
488 return WERR_INVALID_DATA;
490 access_sid = &(uncrypted_accesscheckv3.sid);
494 /* Never reached normally as we filtered at the switch / case level */
495 return WERR_INVALID_DATA;
498 caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
500 if (!dom_sid_equal(caller_sid, access_sid)) {
501 return WERR_INVALID_ACCESS;
507 * We have some data, such as saved website or IMAP passwords that the
508 * client has in profile on-disk. This needs to be decrypted. This
509 * version gives the server the data over the network (protected by
510 * the X.509 certificate and public key encryption, and asks that it
511 * be decrypted returned for short-term use, protected only by the
512 * negotiated transport encryption.
514 * The data is NOT stored in the LSA, but a X.509 certificate, public
515 * and private keys used to encrypt the data will be stored. There is
516 * only one active encryption key pair and certificate per domain, it
517 * is pointed at with G$BCKUPKEY_PREFERRED in the LSA secrets store.
519 * The potentially multiple valid decrypting key pairs are in turn
520 * stored in the LSA secrets store as G$BCKUPKEY_keyGuidString.
523 static WERROR bkrp_client_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
525 struct bkrp_BackupKey *r,
526 struct ldb_context *ldb_ctx)
528 struct auth_session_info *session_info =
529 dcesrv_call_session_info(dce_call);
530 struct bkrp_client_side_wrapped uncrypt_request;
532 enum ndr_err_code ndr_err;
534 char *cert_secret_name;
535 DATA_BLOB lsa_secret;
536 DATA_BLOB *uncrypted_data = NULL;
538 uint32_t requested_version;
540 blob.data = r->in.data_in;
541 blob.length = r->in.data_in_len;
543 if (r->in.data_in_len < 4 || r->in.data_in == NULL) {
544 return WERR_INVALID_PARAMETER;
548 * We check for the version here, so we can actually print the
549 * message as we are unlikely to parse it with NDR.
551 requested_version = IVAL(r->in.data_in, 0);
552 if ((requested_version != BACKUPKEY_CLIENT_WRAP_VERSION2)
553 && (requested_version != BACKUPKEY_CLIENT_WRAP_VERSION3)) {
554 DEBUG(1, ("Request for unknown BackupKey sub-protocol %d\n", requested_version));
555 return WERR_INVALID_PARAMETER;
558 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &uncrypt_request,
559 (ndr_pull_flags_fn_t)ndr_pull_bkrp_client_side_wrapped);
560 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
561 return WERR_INVALID_PARAMETER;
564 if ((uncrypt_request.version != BACKUPKEY_CLIENT_WRAP_VERSION2)
565 && (uncrypt_request.version != BACKUPKEY_CLIENT_WRAP_VERSION3)) {
566 DEBUG(1, ("Request for unknown BackupKey sub-protocol %d\n", uncrypt_request.version));
567 return WERR_INVALID_PARAMETER;
570 guid_string = GUID_string(mem_ctx, &uncrypt_request.guid);
571 if (guid_string == NULL) {
572 return WERR_NOT_ENOUGH_MEMORY;
575 cert_secret_name = talloc_asprintf(mem_ctx,
578 if (cert_secret_name == NULL) {
579 return WERR_NOT_ENOUGH_MEMORY;
582 status = get_lsa_secret(mem_ctx,
586 if (!NT_STATUS_IS_OK(status)) {
587 DEBUG(10, ("Error while fetching secret %s\n", cert_secret_name));
588 return WERR_INVALID_DATA;
589 } else if (lsa_secret.length == 0) {
590 /* we do not have the real secret attribute, like if we are an RODC */
591 return WERR_INVALID_PARAMETER;
593 struct bkrp_exported_RSA_key_pair keypair;
594 gnutls_privkey_t privkey = NULL;
595 gnutls_datum_t reversed_secret;
596 gnutls_datum_t uncrypted_secret;
602 ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, &keypair, (ndr_pull_flags_fn_t)ndr_pull_bkrp_exported_RSA_key_pair);
603 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
604 DEBUG(2, ("Unable to parse the ndr encoded cert in key %s\n", cert_secret_name));
605 return WERR_FILE_NOT_FOUND;
608 status = get_pk_from_raw_keypair_params(mem_ctx,
611 if (!NT_STATUS_IS_OK(status)) {
612 return WERR_INTERNAL_ERROR;
615 reversed_secret.data = talloc_array(mem_ctx, uint8_t,
616 uncrypt_request.encrypted_secret_len);
617 if (reversed_secret.data == NULL) {
618 gnutls_privkey_deinit(privkey);
619 return WERR_NOT_ENOUGH_MEMORY;
622 /* The secret has to be reversed ... */
623 for(i=0; i< uncrypt_request.encrypted_secret_len; i++) {
624 uint8_t *reversed = (uint8_t *)reversed_secret.data;
625 uint8_t *uncrypt = uncrypt_request.encrypted_secret;
626 reversed[i] = uncrypt[uncrypt_request.encrypted_secret_len - 1 - i];
628 reversed_secret.size = uncrypt_request.encrypted_secret_len;
631 * Let's try to decrypt the secret now that
632 * we have the private key ...
634 rc = gnutls_privkey_decrypt_data(privkey,
638 gnutls_privkey_deinit(privkey);
639 if (rc != GNUTLS_E_SUCCESS) {
640 /* We are not able to decrypt the secret, looks like something is wrong */
641 return WERR_INVALID_PARAMETER;
643 blob_us.data = uncrypted_secret.data;
644 blob_us.length = uncrypted_secret.size;
646 if (uncrypt_request.version == 2) {
647 struct bkrp_encrypted_secret_v2 uncrypted_secretv2;
649 ndr_err = ndr_pull_struct_blob(&blob_us, mem_ctx, &uncrypted_secretv2,
650 (ndr_pull_flags_fn_t)ndr_pull_bkrp_encrypted_secret_v2);
651 gnutls_free(uncrypted_secret.data);
652 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
653 /* Unable to unmarshall */
654 return WERR_INVALID_DATA;
656 if (uncrypted_secretv2.magic != 0x20) {
658 return WERR_INVALID_DATA;
661 werr = get_and_verify_access_check(mem_ctx, 2,
662 uncrypted_secretv2.payload_key,
663 uncrypt_request.access_check,
664 uncrypt_request.access_check_len,
666 if (!W_ERROR_IS_OK(werr)) {
669 uncrypted_data = talloc(mem_ctx, DATA_BLOB);
670 if (uncrypted_data == NULL) {
671 return WERR_INVALID_DATA;
674 uncrypted_data->data = uncrypted_secretv2.secret;
675 uncrypted_data->length = uncrypted_secretv2.secret_len;
677 if (uncrypt_request.version == 3) {
678 struct bkrp_encrypted_secret_v3 uncrypted_secretv3;
680 ndr_err = ndr_pull_struct_blob(&blob_us, mem_ctx, &uncrypted_secretv3,
681 (ndr_pull_flags_fn_t)ndr_pull_bkrp_encrypted_secret_v3);
682 gnutls_free(uncrypted_secret.data);
683 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
684 /* Unable to unmarshall */
685 return WERR_INVALID_DATA;
688 if (uncrypted_secretv3.magic1 != 0x30 ||
689 uncrypted_secretv3.magic2 != 0x6610 ||
690 uncrypted_secretv3.magic3 != 0x800e) {
692 return WERR_INVALID_DATA;
696 * Confirm that the caller is permitted to
697 * read this particular data. Because one key
698 * pair is used per domain, the caller could
699 * have stolen the profile data on-disk and
700 * would otherwise be able to read the
704 werr = get_and_verify_access_check(mem_ctx, 3,
705 uncrypted_secretv3.payload_key,
706 uncrypt_request.access_check,
707 uncrypt_request.access_check_len,
709 if (!W_ERROR_IS_OK(werr)) {
713 uncrypted_data = talloc(mem_ctx, DATA_BLOB);
714 if (uncrypted_data == NULL) {
715 return WERR_INVALID_DATA;
718 uncrypted_data->data = uncrypted_secretv3.secret;
719 uncrypted_data->length = uncrypted_secretv3.secret_len;
723 * Yeah if we are here all looks pretty good:
725 * - user sid is the same as the one in access check
726 * - we were able to decrypt the whole stuff
730 if (uncrypted_data->data == NULL) {
731 return WERR_INVALID_DATA;
734 /* There is a magic value a the beginning of the data
735 * we can use an adhoc structure but as the
736 * parent structure is just an array of bytes it a lot of work
737 * work just prepending 4 bytes
739 *(r->out.data_out) = talloc_zero_array(mem_ctx, uint8_t, uncrypted_data->length + 4);
740 W_ERROR_HAVE_NO_MEMORY(*(r->out.data_out));
741 memcpy(4+*(r->out.data_out), uncrypted_data->data, uncrypted_data->length);
742 *(r->out.data_out_len) = uncrypted_data->length + 4;
747 static DATA_BLOB *reverse_and_get_blob(TALLOC_CTX *mem_ctx,
748 gnutls_datum_t *datum)
753 blob = talloc(mem_ctx, DATA_BLOB);
758 blob->length = datum->size;
759 if (datum->data[0] == '\0') {
760 /* The datum has a leading byte zero, skip it */
761 blob->length = datum->size - 1;
763 blob->data = talloc_zero_array(mem_ctx, uint8_t, blob->length);
764 if (blob->data == NULL) {
769 for (i = 0; i < blob->length; i++) {
770 blob->data[i] = datum->data[datum->size - i - 1];
776 static WERROR create_privkey_rsa(gnutls_privkey_t *pk)
779 gnutls_x509_privkey_t x509_privkey = NULL;
780 gnutls_privkey_t privkey = NULL;
783 rc = gnutls_x509_privkey_init(&x509_privkey);
784 if (rc != GNUTLS_E_SUCCESS) {
785 DBG_ERR("gnutls_x509_privkey_init failed - %s\n",
786 gnutls_strerror(rc));
787 return WERR_INTERNAL_ERROR;
790 rc = gnutls_x509_privkey_generate(x509_privkey,
794 if (rc != GNUTLS_E_SUCCESS) {
795 DBG_ERR("gnutls_x509_privkey_generate failed - %s\n",
796 gnutls_strerror(rc));
797 gnutls_x509_privkey_deinit(x509_privkey);
798 return WERR_INTERNAL_ERROR;
801 rc = gnutls_privkey_init(&privkey);
802 if (rc != GNUTLS_E_SUCCESS) {
803 DBG_ERR("gnutls_privkey_init failed - %s\n",
804 gnutls_strerror(rc));
805 gnutls_x509_privkey_deinit(x509_privkey);
806 return WERR_INTERNAL_ERROR;
809 rc = gnutls_privkey_import_x509(privkey,
811 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
812 if (rc != GNUTLS_E_SUCCESS) {
813 DBG_ERR("gnutls_privkey_import_x509 failed - %s\n",
814 gnutls_strerror(rc));
815 gnutls_x509_privkey_deinit(x509_privkey);
816 return WERR_INTERNAL_ERROR;
824 static WERROR self_sign_cert(TALLOC_CTX *mem_ctx,
827 gnutls_privkey_t issuer_privkey,
828 gnutls_x509_crt_t *certificate,
831 gnutls_datum_t unique_id;
832 gnutls_datum_t serial_number;
833 gnutls_x509_crt_t issuer_cert;
834 gnutls_x509_privkey_t x509_issuer_privkey;
835 time_t activation = time(NULL);
836 time_t expiry = activation + lifetime;
837 const char *error_string;
842 unique_id.size = guidblob->length;
843 unique_id.data = talloc_memdup(mem_ctx,
846 if (unique_id.data == NULL) {
847 return WERR_NOT_ENOUGH_MEMORY;
850 reversed = talloc_array(mem_ctx, uint8_t, guidblob->length);
851 if (reversed == NULL) {
852 talloc_free(unique_id.data);
853 return WERR_NOT_ENOUGH_MEMORY;
856 /* Native AD generates certificates with serialnumber in reversed notation */
857 for (i = 0; i < guidblob->length; i++) {
858 uint8_t *uncrypt = guidblob->data;
859 reversed[i] = uncrypt[guidblob->length - i - 1];
861 serial_number.size = guidblob->length;
862 serial_number.data = reversed;
864 /* Create certificate to sign */
865 rc = gnutls_x509_crt_init(&issuer_cert);
866 if (rc != GNUTLS_E_SUCCESS) {
867 DBG_ERR("gnutls_x509_crt_init failed - %s\n",
868 gnutls_strerror(rc));
869 return WERR_NOT_ENOUGH_MEMORY;
872 rc = gnutls_x509_crt_set_dn(issuer_cert, dn, &error_string);
873 if (rc != GNUTLS_E_SUCCESS) {
874 DBG_ERR("gnutls_x509_crt_set_dn failed - %s (%s)\n",
877 gnutls_x509_crt_deinit(issuer_cert);
878 return WERR_INVALID_PARAMETER;
881 rc = gnutls_x509_crt_set_issuer_dn(issuer_cert, dn, &error_string);
882 if (rc != GNUTLS_E_SUCCESS) {
883 DBG_ERR("gnutls_x509_crt_set_issuer_dn failed - %s (%s)\n",
886 gnutls_x509_crt_deinit(issuer_cert);
887 return WERR_INVALID_PARAMETER;
890 /* Get x509 privkey for subjectPublicKeyInfo */
891 rc = gnutls_x509_privkey_init(&x509_issuer_privkey);
892 if (rc != GNUTLS_E_SUCCESS) {
893 DBG_ERR("gnutls_x509_privkey_init failed - %s\n",
894 gnutls_strerror(rc));
895 gnutls_x509_crt_deinit(issuer_cert);
896 return WERR_INVALID_PARAMETER;
899 rc = gnutls_privkey_export_x509(issuer_privkey,
900 &x509_issuer_privkey);
901 if (rc != GNUTLS_E_SUCCESS) {
902 DBG_ERR("gnutls_x509_privkey_init failed - %s\n",
903 gnutls_strerror(rc));
904 gnutls_x509_privkey_deinit(x509_issuer_privkey);
905 gnutls_x509_crt_deinit(issuer_cert);
906 return WERR_INVALID_PARAMETER;
909 /* Set subjectPublicKeyInfo */
910 rc = gnutls_x509_crt_set_key(issuer_cert, x509_issuer_privkey);
911 gnutls_x509_privkey_deinit(x509_issuer_privkey);
912 if (rc != GNUTLS_E_SUCCESS) {
913 DBG_ERR("gnutls_x509_crt_set_pubkey failed - %s\n",
914 gnutls_strerror(rc));
915 gnutls_x509_crt_deinit(issuer_cert);
916 return WERR_INVALID_PARAMETER;
919 rc = gnutls_x509_crt_set_activation_time(issuer_cert, activation);
920 if (rc != GNUTLS_E_SUCCESS) {
921 DBG_ERR("gnutls_x509_crt_set_activation_time failed - %s\n",
922 gnutls_strerror(rc));
923 gnutls_x509_crt_deinit(issuer_cert);
924 return WERR_INVALID_PARAMETER;
927 rc = gnutls_x509_crt_set_expiration_time(issuer_cert, expiry);
928 if (rc != GNUTLS_E_SUCCESS) {
929 DBG_ERR("gnutls_x509_crt_set_expiration_time failed - %s\n",
930 gnutls_strerror(rc));
931 gnutls_x509_crt_deinit(issuer_cert);
932 return WERR_INVALID_PARAMETER;
935 rc = gnutls_x509_crt_set_version(issuer_cert, 3);
936 if (rc != GNUTLS_E_SUCCESS) {
937 DBG_ERR("gnutls_x509_crt_set_version failed - %s\n",
938 gnutls_strerror(rc));
939 gnutls_x509_crt_deinit(issuer_cert);
940 return WERR_INVALID_PARAMETER;
943 rc = gnutls_x509_crt_set_subject_unique_id(issuer_cert,
946 if (rc != GNUTLS_E_SUCCESS) {
947 DBG_ERR("gnutls_x509_crt_set_subject_key_id failed - %s\n",
948 gnutls_strerror(rc));
949 gnutls_x509_crt_deinit(issuer_cert);
950 return WERR_INVALID_PARAMETER;
953 rc = gnutls_x509_crt_set_issuer_unique_id(issuer_cert,
956 if (rc != GNUTLS_E_SUCCESS) {
957 DBG_ERR("gnutls_x509_crt_set_issuer_unique_id failed - %s\n",
958 gnutls_strerror(rc));
959 gnutls_x509_crt_deinit(issuer_cert);
960 return WERR_INVALID_PARAMETER;
963 rc = gnutls_x509_crt_set_serial(issuer_cert,
966 if (rc != GNUTLS_E_SUCCESS) {
967 DBG_ERR("gnutls_x509_crt_set_serial failed - %s\n",
968 gnutls_strerror(rc));
969 gnutls_x509_crt_deinit(issuer_cert);
970 return WERR_INVALID_PARAMETER;
973 rc = gnutls_x509_crt_privkey_sign(issuer_cert,
978 if (rc != GNUTLS_E_SUCCESS) {
979 DBG_ERR("gnutls_x509_crt_privkey_sign failed - %s\n",
980 gnutls_strerror(rc));
981 return WERR_INVALID_PARAMETER;
984 *certificate = issuer_cert;
989 /* Return an error when we fail to generate a certificate */
990 static WERROR generate_bkrp_cert(TALLOC_CTX *mem_ctx,
991 struct dcesrv_call_state *dce_call,
992 struct ldb_context *ldb_ctx,
996 gnutls_privkey_t issuer_privkey = NULL;
997 gnutls_x509_crt_t cert = NULL;
998 gnutls_datum_t cert_blob;
999 gnutls_datum_t m, e, d, p, q, u, e1, e2;
1001 DATA_BLOB blobkeypair;
1004 struct GUID guid = GUID_random();
1007 struct bkrp_exported_RSA_key_pair keypair;
1008 enum ndr_err_code ndr_err;
1009 time_t nb_seconds_validity = 3600 * 24 * 365;
1012 DEBUG(6, ("Trying to generate a certificate\n"));
1013 werr = create_privkey_rsa(&issuer_privkey);
1014 if (!W_ERROR_IS_OK(werr)) {
1018 status = GUID_to_ndr_blob(&guid, mem_ctx, &blob);
1019 if (!NT_STATUS_IS_OK(status)) {
1020 gnutls_privkey_deinit(issuer_privkey);
1021 return WERR_INVALID_DATA;
1024 werr = self_sign_cert(mem_ctx,
1025 nb_seconds_validity,
1030 if (!W_ERROR_IS_OK(werr)) {
1031 gnutls_privkey_deinit(issuer_privkey);
1032 return WERR_INVALID_DATA;
1035 rc = gnutls_x509_crt_export2(cert, GNUTLS_X509_FMT_DER, &cert_blob);
1036 if (rc != GNUTLS_E_SUCCESS) {
1037 DBG_ERR("gnutls_x509_crt_export2 failed - %s\n",
1038 gnutls_strerror(rc));
1039 gnutls_privkey_deinit(issuer_privkey);
1040 gnutls_x509_crt_deinit(cert);
1041 return WERR_INVALID_DATA;
1044 keypair.cert.length = cert_blob.size;
1045 keypair.cert.data = talloc_memdup(mem_ctx, cert_blob.data, cert_blob.size);
1046 gnutls_x509_crt_deinit(cert);
1047 gnutls_free(cert_blob.data);
1048 if (keypair.cert.data == NULL) {
1049 gnutls_privkey_deinit(issuer_privkey);
1050 return WERR_NOT_ENOUGH_MEMORY;
1053 rc = gnutls_privkey_export_rsa_raw(issuer_privkey,
1062 if (rc != GNUTLS_E_SUCCESS) {
1063 gnutls_privkey_deinit(issuer_privkey);
1064 return WERR_INVALID_DATA;
1068 * Heimdal's bignum are big endian and the
1069 * structure expect it to be in little endian
1070 * so we reverse the buffer to make it work
1072 tmp = reverse_and_get_blob(mem_ctx, &e);
1076 SMB_ASSERT(tmp->length <= 4);
1077 keypair.public_exponent = *tmp;
1080 tmp = reverse_and_get_blob(mem_ctx, &d);
1084 keypair.private_exponent = *tmp;
1087 tmp = reverse_and_get_blob(mem_ctx, &m);
1091 keypair.modulus = *tmp;
1094 tmp = reverse_and_get_blob(mem_ctx, &p);
1098 keypair.prime1 = *tmp;
1101 tmp = reverse_and_get_blob(mem_ctx, &q);
1105 keypair.prime2 = *tmp;
1108 tmp = reverse_and_get_blob(mem_ctx, &e1);
1112 keypair.exponent1 = *tmp;
1115 tmp = reverse_and_get_blob(mem_ctx, &e2);
1119 keypair.exponent2 = *tmp;
1122 tmp = reverse_and_get_blob(mem_ctx, &u);
1126 keypair.coefficient = *tmp;
1129 /* One of the keypair allocation was wrong */
1131 gnutls_privkey_deinit(issuer_privkey);
1132 return WERR_INVALID_DATA;
1135 keypair.certificate_len = keypair.cert.length;
1136 ndr_err = ndr_push_struct_blob(&blobkeypair,
1139 (ndr_push_flags_fn_t)ndr_push_bkrp_exported_RSA_key_pair);
1140 gnutls_privkey_deinit(issuer_privkey);
1141 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1142 return WERR_INVALID_DATA;
1145 secret_name = talloc_asprintf(mem_ctx, "BCKUPKEY_%s", GUID_string(mem_ctx, &guid));
1146 if (secret_name == NULL) {
1147 return WERR_OUTOFMEMORY;
1150 status = set_lsa_secret(mem_ctx, ldb_ctx, secret_name, &blobkeypair);
1151 if (!NT_STATUS_IS_OK(status)) {
1152 DEBUG(2, ("Failed to save the secret %s\n", secret_name));
1154 talloc_free(secret_name);
1156 GUID_to_ndr_blob(&guid, mem_ctx, &blob);
1157 status = set_lsa_secret(mem_ctx, ldb_ctx, "BCKUPKEY_PREFERRED", &blob);
1158 if (!NT_STATUS_IS_OK(status)) {
1159 DEBUG(2, ("Failed to save the secret BCKUPKEY_PREFERRED\n"));
1165 static WERROR bkrp_retrieve_client_wrap_key(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1166 struct bkrp_BackupKey *r, struct ldb_context *ldb_ctx)
1170 DATA_BLOB lsa_secret;
1171 enum ndr_err_code ndr_err;
1175 * here we basicaly need to return our certificate
1176 * search for lsa secret BCKUPKEY_PREFERRED first
1179 status = get_lsa_secret(mem_ctx,
1181 "BCKUPKEY_PREFERRED",
1183 if (NT_STATUS_EQUAL(status, NT_STATUS_RESOURCE_NAME_NOT_FOUND)) {
1184 /* Ok we can be in this case if there was no certs */
1185 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
1186 char *dn = talloc_asprintf(mem_ctx, "CN=%s",
1187 lpcfg_realm(lp_ctx));
1189 WERROR werr = generate_bkrp_cert(mem_ctx, dce_call, ldb_ctx, dn);
1190 if (!W_ERROR_IS_OK(werr)) {
1191 return WERR_INVALID_PARAMETER;
1193 status = get_lsa_secret(mem_ctx,
1195 "BCKUPKEY_PREFERRED",
1198 if (!NT_STATUS_IS_OK(status)) {
1199 /* Ok we really don't manage to get this certs ...*/
1200 DEBUG(2, ("Unable to locate BCKUPKEY_PREFERRED after cert generation\n"));
1201 return WERR_FILE_NOT_FOUND;
1203 } else if (!NT_STATUS_IS_OK(status)) {
1204 return WERR_INTERNAL_ERROR;
1207 if (lsa_secret.length == 0) {
1208 DEBUG(1, ("No secret in BCKUPKEY_PREFERRED, are we an undetected RODC?\n"));
1209 return WERR_INTERNAL_ERROR;
1211 char *cert_secret_name;
1213 status = GUID_from_ndr_blob(&lsa_secret, &guid);
1214 if (!NT_STATUS_IS_OK(status)) {
1215 return WERR_FILE_NOT_FOUND;
1218 guid_string = GUID_string(mem_ctx, &guid);
1219 if (guid_string == NULL) {
1220 /* We return file not found because the client
1223 return WERR_FILE_NOT_FOUND;
1226 cert_secret_name = talloc_asprintf(mem_ctx,
1229 status = get_lsa_secret(mem_ctx,
1233 if (!NT_STATUS_IS_OK(status)) {
1234 return WERR_FILE_NOT_FOUND;
1237 if (lsa_secret.length != 0) {
1238 struct bkrp_exported_RSA_key_pair keypair;
1239 ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, &keypair,
1240 (ndr_pull_flags_fn_t)ndr_pull_bkrp_exported_RSA_key_pair);
1241 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1242 return WERR_FILE_NOT_FOUND;
1244 *(r->out.data_out_len) = keypair.cert.length;
1245 *(r->out.data_out) = talloc_memdup(mem_ctx, keypair.cert.data, keypair.cert.length);
1246 W_ERROR_HAVE_NO_MEMORY(*(r->out.data_out));
1249 DEBUG(1, ("No or broken secret called %s\n", cert_secret_name));
1250 return WERR_INTERNAL_ERROR;
1254 return WERR_NOT_SUPPORTED;
1257 static WERROR generate_bkrp_server_wrap_key(TALLOC_CTX *ctx, struct ldb_context *ldb_ctx)
1259 struct GUID guid = GUID_random();
1260 enum ndr_err_code ndr_err;
1261 DATA_BLOB blob_wrap_key, guid_blob;
1262 struct bkrp_dc_serverwrap_key wrap_key;
1265 TALLOC_CTX *frame = talloc_stackframe();
1267 generate_random_buffer(wrap_key.key, sizeof(wrap_key.key));
1269 ndr_err = ndr_push_struct_blob(&blob_wrap_key, ctx, &wrap_key, (ndr_push_flags_fn_t)ndr_push_bkrp_dc_serverwrap_key);
1270 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1272 return WERR_INVALID_DATA;
1275 secret_name = talloc_asprintf(frame, "BCKUPKEY_%s", GUID_string(ctx, &guid));
1276 if (secret_name == NULL) {
1278 return WERR_NOT_ENOUGH_MEMORY;
1281 status = set_lsa_secret(frame, ldb_ctx, secret_name, &blob_wrap_key);
1282 if (!NT_STATUS_IS_OK(status)) {
1283 DEBUG(2, ("Failed to save the secret %s\n", secret_name));
1285 return WERR_INTERNAL_ERROR;
1288 status = GUID_to_ndr_blob(&guid, frame, &guid_blob);
1289 if (!NT_STATUS_IS_OK(status)) {
1290 DEBUG(2, ("Failed to save the secret %s\n", secret_name));
1294 status = set_lsa_secret(frame, ldb_ctx, "BCKUPKEY_P", &guid_blob);
1295 if (!NT_STATUS_IS_OK(status)) {
1296 DEBUG(2, ("Failed to save the secret %s\n", secret_name));
1298 return WERR_INTERNAL_ERROR;
1307 * Find the specified decryption keys from the LSA secrets store as
1308 * G$BCKUPKEY_keyGuidString.
1311 static WERROR bkrp_do_retrieve_server_wrap_key(TALLOC_CTX *mem_ctx, struct ldb_context *ldb_ctx,
1312 struct bkrp_dc_serverwrap_key *server_key,
1316 DATA_BLOB lsa_secret;
1319 enum ndr_err_code ndr_err;
1321 guid_string = GUID_string(mem_ctx, guid);
1322 if (guid_string == NULL) {
1323 /* We return file not found because the client
1326 return WERR_FILE_NOT_FOUND;
1329 secret_name = talloc_asprintf(mem_ctx, "BCKUPKEY_%s", guid_string);
1330 if (secret_name == NULL) {
1331 return WERR_NOT_ENOUGH_MEMORY;
1334 status = get_lsa_secret(mem_ctx, ldb_ctx, secret_name, &lsa_secret);
1335 if (!NT_STATUS_IS_OK(status)) {
1336 DEBUG(10, ("Error while fetching secret %s\n", secret_name));
1337 return WERR_INVALID_DATA;
1339 if (lsa_secret.length == 0) {
1340 /* RODC case, we do not have secrets locally */
1341 DEBUG(1, ("Unable to fetch value for secret %s, are we an undetected RODC?\n",
1343 return WERR_INTERNAL_ERROR;
1345 ndr_err = ndr_pull_struct_blob(&lsa_secret, mem_ctx, server_key,
1346 (ndr_pull_flags_fn_t)ndr_pull_bkrp_dc_serverwrap_key);
1347 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1348 DEBUG(2, ("Unable to parse the ndr encoded server wrap key %s\n", secret_name));
1349 return WERR_INVALID_DATA;
1356 * Find the current, preferred ServerWrap Key by looking at
1357 * G$BCKUPKEY_P in the LSA secrets store.
1359 * Then find the current decryption keys from the LSA secrets store as
1360 * G$BCKUPKEY_keyGuidString.
1363 static WERROR bkrp_do_retrieve_default_server_wrap_key(TALLOC_CTX *mem_ctx,
1364 struct ldb_context *ldb_ctx,
1365 struct bkrp_dc_serverwrap_key *server_key,
1366 struct GUID *returned_guid)
1369 DATA_BLOB guid_binary;
1371 status = get_lsa_secret(mem_ctx, ldb_ctx, "BCKUPKEY_P", &guid_binary);
1372 if (!NT_STATUS_IS_OK(status)) {
1373 DEBUG(10, ("Error while fetching secret BCKUPKEY_P to find current GUID\n"));
1374 return WERR_FILE_NOT_FOUND;
1375 } else if (guid_binary.length == 0) {
1376 /* RODC case, we do not have secrets locally */
1377 DEBUG(1, ("Unable to fetch value for secret BCKUPKEY_P, are we an undetected RODC?\n"));
1378 return WERR_INTERNAL_ERROR;
1381 status = GUID_from_ndr_blob(&guid_binary, returned_guid);
1382 if (!NT_STATUS_IS_OK(status)) {
1383 return WERR_FILE_NOT_FOUND;
1386 return bkrp_do_retrieve_server_wrap_key(mem_ctx, ldb_ctx,
1387 server_key, returned_guid);
1390 static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1391 struct bkrp_BackupKey *r ,struct ldb_context *ldb_ctx)
1393 struct auth_session_info *session_info =
1394 dcesrv_call_session_info(dce_call);
1396 struct bkrp_server_side_wrapped decrypt_request;
1397 DATA_BLOB sid_blob, encrypted_blob;
1399 enum ndr_err_code ndr_err;
1400 struct bkrp_dc_serverwrap_key server_key;
1401 struct bkrp_rc4encryptedpayload rc4payload;
1402 struct dom_sid *caller_sid;
1403 uint8_t symkey[20]; /* SHA-1 hash len */
1404 uint8_t mackey[20]; /* SHA-1 hash len */
1405 uint8_t mac[20]; /* SHA-1 hash len */
1406 gnutls_hmac_hd_t hmac_hnd;
1407 gnutls_cipher_hd_t cipher_hnd;
1408 gnutls_datum_t cipher_key;
1411 blob.data = r->in.data_in;
1412 blob.length = r->in.data_in_len;
1414 if (r->in.data_in_len == 0 || r->in.data_in == NULL) {
1415 return WERR_INVALID_PARAMETER;
1418 ndr_err = ndr_pull_struct_blob_all(&blob, mem_ctx, &decrypt_request,
1419 (ndr_pull_flags_fn_t)ndr_pull_bkrp_server_side_wrapped);
1420 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1421 return WERR_INVALID_PARAMETER;
1424 if (decrypt_request.magic != BACKUPKEY_SERVER_WRAP_VERSION) {
1425 return WERR_INVALID_PARAMETER;
1428 werr = bkrp_do_retrieve_server_wrap_key(mem_ctx, ldb_ctx, &server_key,
1429 &decrypt_request.guid);
1430 if (!W_ERROR_IS_OK(werr)) {
1434 dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key));
1436 dump_data_pw("r2: \n", decrypt_request.r2, sizeof(decrypt_request.r2));
1439 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1440 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1443 gnutls_hmac_init(&hmac_hnd,
1446 sizeof(server_key.key));
1447 gnutls_hmac(hmac_hnd,
1449 sizeof(decrypt_request.r2));
1450 gnutls_hmac_output(hmac_hnd, symkey);
1452 dump_data_pw("symkey: \n", symkey, sizeof(symkey));
1454 /* rc4 decrypt sid and secret using sym key */
1455 cipher_key.data = symkey;
1456 cipher_key.size = sizeof(symkey);
1458 encrypted_blob = data_blob_const(decrypt_request.rc4encryptedpayload,
1459 decrypt_request.ciphertext_length);
1461 rc = gnutls_cipher_init(&cipher_hnd,
1462 GNUTLS_CIPHER_ARCFOUR_128,
1465 if (rc != GNUTLS_E_SUCCESS) {
1466 DBG_ERR("gnutls_cipher_init failed - %s\n",
1467 gnutls_strerror(rc));
1468 return WERR_INVALID_PARAMETER;
1470 rc = gnutls_cipher_encrypt2(cipher_hnd,
1471 encrypted_blob.data,
1472 encrypted_blob.length,
1473 encrypted_blob.data,
1474 encrypted_blob.length);
1475 gnutls_cipher_deinit(cipher_hnd);
1476 if (rc != GNUTLS_E_SUCCESS) {
1477 DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n",
1478 gnutls_strerror(rc));
1479 return WERR_INVALID_PARAMETER;
1482 ndr_err = ndr_pull_struct_blob_all(&encrypted_blob, mem_ctx, &rc4payload,
1483 (ndr_pull_flags_fn_t)ndr_pull_bkrp_rc4encryptedpayload);
1484 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1485 return WERR_INVALID_PARAMETER;
1488 if (decrypt_request.payload_length != rc4payload.secret_data.length) {
1489 return WERR_INVALID_PARAMETER;
1492 dump_data_pw("r3: \n", rc4payload.r3, sizeof(rc4payload.r3));
1495 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1496 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1498 gnutls_hmac(hmac_hnd,
1500 sizeof(rc4payload.r3));
1501 gnutls_hmac_deinit(hmac_hnd, mackey);
1503 dump_data_pw("mackey: \n", mackey, sizeof(mackey));
1505 ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, &rc4payload.sid,
1506 (ndr_push_flags_fn_t)ndr_push_dom_sid);
1507 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1508 return WERR_INTERNAL_ERROR;
1511 gnutls_hmac_init(&hmac_hnd,
1516 gnutls_hmac(hmac_hnd,
1520 gnutls_hmac(hmac_hnd,
1521 rc4payload.secret_data.data,
1522 rc4payload.secret_data.length);
1523 gnutls_hmac_deinit(hmac_hnd, mac);
1525 dump_data_pw("mac: \n", mac, sizeof(mac));
1526 dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
1528 if (memcmp(mac, rc4payload.mac, sizeof(mac)) != 0) {
1529 return WERR_INVALID_ACCESS;
1532 caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
1534 if (!dom_sid_equal(&rc4payload.sid, caller_sid)) {
1535 return WERR_INVALID_ACCESS;
1538 *(r->out.data_out) = rc4payload.secret_data.data;
1539 *(r->out.data_out_len) = rc4payload.secret_data.length;
1545 * For BACKUPKEY_RESTORE_GUID we need to check the first 4 bytes to
1546 * determine what type of restore is wanted.
1548 * See MS-BKRP 3.1.4.1.4 BACKUPKEY_RESTORE_GUID point 1.
1551 static WERROR bkrp_generic_decrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1552 struct bkrp_BackupKey *r, struct ldb_context *ldb_ctx)
1554 if (r->in.data_in_len < 4 || r->in.data_in == NULL) {
1555 return WERR_INVALID_PARAMETER;
1558 if (IVAL(r->in.data_in, 0) == BACKUPKEY_SERVER_WRAP_VERSION) {
1559 return bkrp_server_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
1562 return bkrp_client_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
1566 * We have some data, such as saved website or IMAP passwords that the
1567 * client would like to put into the profile on-disk. This needs to
1568 * be encrypted. This version gives the server the data over the
1569 * network (protected only by the negotiated transport encryption),
1570 * and asks that it be encrypted and returned for long-term storage.
1572 * The data is NOT stored in the LSA, but a key to encrypt the data
1573 * will be stored. There is only one active encryption key per domain,
1574 * it is pointed at with G$BCKUPKEY_P in the LSA secrets store.
1576 * The potentially multiple valid decryptiong keys (and the encryption
1577 * key) are in turn stored in the LSA secrets store as
1578 * G$BCKUPKEY_keyGuidString.
1582 static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
1583 struct bkrp_BackupKey *r ,struct ldb_context *ldb_ctx)
1585 struct auth_session_info *session_info =
1586 dcesrv_call_session_info(dce_call);
1587 DATA_BLOB sid_blob, encrypted_blob, server_wrapped_blob;
1589 struct dom_sid *caller_sid;
1590 uint8_t symkey[20]; /* SHA-1 hash len */
1591 uint8_t mackey[20]; /* SHA-1 hash len */
1592 struct bkrp_rc4encryptedpayload rc4payload;
1593 gnutls_hmac_hd_t hmac_hnd;
1594 struct bkrp_dc_serverwrap_key server_key;
1595 enum ndr_err_code ndr_err;
1596 struct bkrp_server_side_wrapped server_side_wrapped;
1598 gnutls_cipher_hd_t cipher_hnd;
1599 gnutls_datum_t cipher_key;
1602 if (r->in.data_in_len == 0 || r->in.data_in == NULL) {
1603 return WERR_INVALID_PARAMETER;
1606 werr = bkrp_do_retrieve_default_server_wrap_key(mem_ctx,
1607 ldb_ctx, &server_key,
1610 if (!W_ERROR_IS_OK(werr)) {
1611 if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) {
1612 /* Generate the server wrap key since one wasn't found */
1613 werr = generate_bkrp_server_wrap_key(mem_ctx,
1615 if (!W_ERROR_IS_OK(werr)) {
1616 return WERR_INVALID_PARAMETER;
1618 werr = bkrp_do_retrieve_default_server_wrap_key(mem_ctx,
1623 if (W_ERROR_EQUAL(werr, WERR_FILE_NOT_FOUND)) {
1624 /* Ok we really don't manage to get this secret ...*/
1625 return WERR_FILE_NOT_FOUND;
1628 /* In theory we should NEVER reach this point as it
1629 should only appear in a rodc server */
1630 /* we do not have the real secret attribute */
1631 return WERR_INVALID_PARAMETER;
1635 caller_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
1637 dump_data_pw("server_key: \n", server_key.key, sizeof(server_key.key));
1640 * This is the key derivation step, so that the HMAC and RC4
1641 * operations over the user-supplied data are not able to
1642 * disclose the master key. By using random data, the symkey
1643 * and mackey values are unique for this operation, and
1644 * discovering these (by reversing the RC4 over the
1645 * attacker-controlled data) does not return something able to
1646 * be used to decyrpt the encrypted data of other users
1648 generate_random_buffer(server_side_wrapped.r2, sizeof(server_side_wrapped.r2));
1650 dump_data_pw("r2: \n", server_side_wrapped.r2, sizeof(server_side_wrapped.r2));
1652 generate_random_buffer(rc4payload.r3, sizeof(rc4payload.r3));
1654 dump_data_pw("r3: \n", rc4payload.r3, sizeof(rc4payload.r3));
1658 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1659 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1661 gnutls_hmac_init(&hmac_hnd,
1664 sizeof(server_key.key));
1665 gnutls_hmac(hmac_hnd,
1666 server_side_wrapped.r2,
1667 sizeof(server_side_wrapped.r2));
1668 gnutls_hmac_output(hmac_hnd, symkey);
1670 dump_data_pw("symkey: \n", symkey, sizeof(symkey));
1673 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
1674 * BACKUPKEY_BACKUP_GUID, it really is the whole key
1676 gnutls_hmac(hmac_hnd,
1678 sizeof(rc4payload.r3));
1679 gnutls_hmac_deinit(hmac_hnd, mackey);
1681 dump_data_pw("mackey: \n", mackey, sizeof(mackey));
1683 ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, caller_sid,
1684 (ndr_push_flags_fn_t)ndr_push_dom_sid);
1685 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1686 return WERR_INTERNAL_ERROR;
1689 rc4payload.secret_data.data = r->in.data_in;
1690 rc4payload.secret_data.length = r->in.data_in_len;
1692 gnutls_hmac_init(&hmac_hnd,
1697 gnutls_hmac(hmac_hnd,
1701 gnutls_hmac(hmac_hnd,
1702 rc4payload.secret_data.data,
1703 rc4payload.secret_data.length);
1704 gnutls_hmac_deinit(hmac_hnd, rc4payload.mac);
1706 dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
1708 rc4payload.sid = *caller_sid;
1710 ndr_err = ndr_push_struct_blob(&encrypted_blob, mem_ctx, &rc4payload,
1711 (ndr_push_flags_fn_t)ndr_push_bkrp_rc4encryptedpayload);
1712 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1713 return WERR_INTERNAL_ERROR;
1716 /* rc4 encrypt sid and secret using sym key */
1717 cipher_key.data = symkey;
1718 cipher_key.size = sizeof(symkey);
1720 rc = gnutls_cipher_init(&cipher_hnd,
1721 GNUTLS_CIPHER_ARCFOUR_128,
1724 if (rc != GNUTLS_E_SUCCESS) {
1725 DBG_ERR("gnutls_cipher_init failed - %s\n",
1726 gnutls_strerror(rc));
1727 return WERR_INVALID_PARAMETER;
1729 rc = gnutls_cipher_encrypt2(cipher_hnd,
1730 encrypted_blob.data,
1731 encrypted_blob.length,
1732 encrypted_blob.data,
1733 encrypted_blob.length);
1734 gnutls_cipher_deinit(cipher_hnd);
1735 if (rc != GNUTLS_E_SUCCESS) {
1736 DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n",
1737 gnutls_strerror(rc));
1738 return WERR_INVALID_PARAMETER;
1741 /* create server wrap structure */
1743 server_side_wrapped.payload_length = rc4payload.secret_data.length;
1744 server_side_wrapped.ciphertext_length = encrypted_blob.length;
1745 server_side_wrapped.guid = guid;
1746 server_side_wrapped.rc4encryptedpayload = encrypted_blob.data;
1748 ndr_err = ndr_push_struct_blob(&server_wrapped_blob, mem_ctx, &server_side_wrapped,
1749 (ndr_push_flags_fn_t)ndr_push_bkrp_server_side_wrapped);
1750 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1751 return WERR_INTERNAL_ERROR;
1754 *(r->out.data_out) = server_wrapped_blob.data;
1755 *(r->out.data_out_len) = server_wrapped_blob.length;
1760 static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
1761 TALLOC_CTX *mem_ctx, struct bkrp_BackupKey *r)
1763 WERROR error = WERR_INVALID_PARAMETER;
1764 struct ldb_context *ldb_ctx;
1766 const char *addr = "unknown";
1767 /* At which level we start to add more debug of what is done in the protocol */
1768 const int debuglevel = 4;
1770 gnutls_global_init();
1772 if (DEBUGLVL(debuglevel)) {
1773 const struct tsocket_address *remote_address;
1774 remote_address = dcesrv_connection_get_remote_address(dce_call->conn);
1775 if (tsocket_address_is_inet(remote_address, "ip")) {
1776 addr = tsocket_address_inet_addr_string(remote_address, mem_ctx);
1777 W_ERROR_HAVE_NO_MEMORY(addr);
1781 if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
1782 return WERR_NOT_SUPPORTED;
1786 * Save the current remote session details so they can used by the
1787 * audit logging module. This allows the audit logging to report the
1788 * remote users details, rather than the system users details.
1790 ldb_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
1792 if (samdb_rodc(ldb_ctx, &is_rodc) != LDB_SUCCESS) {
1793 talloc_unlink(mem_ctx, ldb_ctx);
1794 return WERR_INVALID_PARAMETER;
1798 if(strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
1799 BACKUPKEY_RESTORE_GUID, strlen(BACKUPKEY_RESTORE_GUID)) == 0) {
1800 DEBUG(debuglevel, ("Client %s requested to decrypt a wrapped secret\n", addr));
1801 error = bkrp_generic_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
1804 if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
1805 BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, strlen(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID)) == 0) {
1806 DEBUG(debuglevel, ("Client %s requested certificate for client wrapped secret\n", addr));
1807 error = bkrp_retrieve_client_wrap_key(dce_call, mem_ctx, r, ldb_ctx);
1810 if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
1811 BACKUPKEY_RESTORE_GUID_WIN2K, strlen(BACKUPKEY_RESTORE_GUID_WIN2K)) == 0) {
1812 DEBUG(debuglevel, ("Client %s requested to decrypt a server side wrapped secret\n", addr));
1813 error = bkrp_server_wrap_decrypt_data(dce_call, mem_ctx, r, ldb_ctx);
1816 if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
1817 BACKUPKEY_BACKUP_GUID, strlen(BACKUPKEY_BACKUP_GUID)) == 0) {
1818 DEBUG(debuglevel, ("Client %s requested a server wrapped secret\n", addr));
1819 error = bkrp_server_wrap_encrypt_data(dce_call, mem_ctx, r, ldb_ctx);
1822 /*else: I am a RODC so I don't handle backup key protocol */
1824 gnutls_global_deinit();
1825 talloc_unlink(mem_ctx, ldb_ctx);
1829 /* include the generated boilerplate */
1830 #include "librpc/gen_ndr/ndr_backupkey_s.c"