idl: Add IDL for remote key backup protocol (rkbp)

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/librpc/idl/backupkey.idl b/librpc/idl/backupkey.idl
new file mode 100644 (file)
index 0000000..e21030b
--- /dev/null
+++ b/librpc/idl/backupkey.idl
@@ -0,0 +1,120 @@
+#include "idl_types.h"
+
+import "misc.idl", "security.idl";
+[
+  uuid("3dde7c30-165d-11d1-ab8f-00805f14db40"),
+  version(1.0),
+  endpoint("ncacn_np:[\\pipe\\protected_storage]","ncacn_np:[\\pipe\\ntsvcs]" ,"ncacn_ip_tcp:"),
+  helpstring("Remote Backup Key Storage"),
+  helper("../librpc/ndr/ndr_backupkey.h"),
+  pointer_default(unique)
+]
+interface backupkey
+{
+       const string BACKUPKEY_RESTORE_GUID             = "47270C64-2FC7-499B-AC5B-0E37CDCE899A";
+       const string BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID = "018FF48A-EABA-40C6-8F6D-72370240E967";
+
+       const string BACKUPKEY_RESTORE_GUID_WIN2K       = "7FE94D50-178E-11D1-AB8F-00805F14DB40";
+       const string BACKUPKEY_BACKUP_GUID              = "7F752B10-178E-11D1-AB8F-00805F14DB40";
+
+       /*
+        * The magic values are really what they are there is no name it's just remarkable values
+        * that are here to check that what is transmited or decoded is really what the client or
+        * the server expect.
+        */
+       [public] typedef struct {
+               [value(0x00000002)] uint32 header1;
+               [value(0x00000494)] uint32 header2;
+               uint32 certificate_len;
+               [value(0x00000207)] uint32 magic1;
+               [value(0x0000A400)] uint32 magic2;
+               [value(0x32415352)] uint32 magic3;
+               [value(0x00000800)] uint32 magic4;
+               [subcontext(0),subcontext_size(4),flag(NDR_REMAINING)] DATA_BLOB public_exponent;
+
+               [subcontext(0),subcontext_size(256),flag(NDR_REMAINING)] DATA_BLOB modulus;
+               [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB prime1;
+               [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB prime2;
+               [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB exponent1;
+               [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB exponent2;
+               [subcontext(0),subcontext_size(128),flag(NDR_REMAINING)] DATA_BLOB coefficient;
+               [subcontext(0),subcontext_size(256),flag(NDR_REMAINING)] DATA_BLOB private_exponent;
+               [subcontext(0),subcontext_size(certificate_len),flag(NDR_REMAINING)] DATA_BLOB cert;
+       } bkrp_exported_RSA_key_pair;
+
+       [public] typedef struct {
+               [value(0x00000001)] uint32 magic;
+               uint8 key[256];
+       } bkrp_dc_serverwrap_key;
+
+       [public,gensize] typedef struct {
+               uint32 version;
+               uint32 encrypted_secret_len;
+               uint32 access_check_len;
+               GUID guid;
+               uint8  encrypted_secret[encrypted_secret_len];
+               uint8  access_check[access_check_len];
+       } bkrp_client_side_wrapped;
+
+       [public] typedef struct {
+               [value(0x00000000)] uint32 magic;
+               [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB secret;
+       } bkrp_client_side_unwrapped;
+
+       [public] typedef struct {
+               uint32 secret_len;
+               [value(0x00000020)] uint32 magic;
+               uint8 secret[secret_len];
+               uint8 payload_key[32];
+       } bkrp_encrypted_secret_v2;
+
+       [public] typedef struct {
+               uint32 secret_len;
+               [value(0x00000030)] uint32 magic1;
+               [value(0x00006610)] uint32 magic2;
+               [value(0x0000800e)] uint32 magic3;
+               uint8 secret[secret_len];
+               uint8 payload_key[48];
+       } bkrp_encrypted_secret_v3;
+
+       /* Due to alignement constraint we can generate the structure only via pidl*/
+       [public, nopush, nopull] typedef struct {
+               [value(0x00000001)] uint32 magic;
+               uint32 nonce_len;
+               uint8 nonce[nonce_len];
+               dom_sid sid;
+               uint8 hash[20];
+       } bkrp_access_check_v2;
+
+       /* Due to alignement constraint we can generate the structure only via pidl*/
+       [public,nopush,nopull] typedef struct {
+               [value(0x00000001)] uint32 magic;
+               uint32 nonce_len;
+               uint8 nonce[nonce_len];
+               dom_sid sid;
+               uint8 hash[64];
+       } bkrp_access_check_v3;
+
+       typedef enum {
+               BACKUPKEY_INVALID_GUID_INTEGER = 0xFFFF,
+               BACKUPKEY_RESTORE_GUID_INTEGER = 0x0000,
+               BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001
+       } bkrp_guid_to_integer;
+
+       [public] typedef [nodiscriminant] union {
+               [case(BACKUPKEY_RESTORE_GUID_INTEGER)] bkrp_client_side_wrapped restore_req;
+               [case(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER)] bkrp_client_side_wrapped cert_req;
+       } bkrp_data_in_blob;
+
+       /******************/
+       /* Function: 0x00 */
+
+       [public, noprint] WERROR bkrp_BackupKey (
+               [in,ref]  GUID *guidActionAgent,
+               [in,ref]  [size_is(data_in_len)] uint8 *data_in,
+               [in]      uint32 data_in_len,
+               [out,ref] [size_is(,*data_out_len)] uint8 **data_out,
+               [out,ref] uint32 *data_out_len,
+               [in]      uint32 param
+       );
+}

diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 78f174f6d1ca936fdebe830f6e80f00c65be17e0..2d65d748ee4773fad31a648f1e9230b5434df607 100644 (file)
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -10,7 +10,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
                        dbgidl.idl dnsserver.idl echo.idl frsrpc.idl lsa.idl nbt.idl dns.idl
                        oxidresolver.idl samr.idl srvsvc.idl winreg.idl dcerpc.idl
                        drsblobs.idl efs.idl frstrans.idl mgmt.idl netlogon.idl
-                       policyagent.idl scerpc.idl svcctl.idl wkssvc.idl eventlog6.idl''',
+                       policyagent.idl scerpc.idl svcctl.idl wkssvc.idl eventlog6.idl backupkey.idl''',
                     options='--header --ndr-parser --samba3-ndr-server --samba3-ndr-client --server --client --python',
                     output_dir='../gen_ndr')
 

diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
new file mode 100644 (file)
index 0000000..ddbaeea
--- /dev/null
+++ b/librpc/ndr/ndr_backupkey.c
@@ -0,0 +1,215 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   routines for top backup key protocol marshalling/unmarshalling
+
+   Copyright (C) Matthieu Patou 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_backupkey.h"
+#include "librpc/gen_ndr/ndr_security.h"
+
+static uint32_t backupkeyguid_to_uint(const struct GUID *guid)
+{
+       struct GUID tmp;
+       NTSTATUS status;
+       bool match;
+
+       status = GUID_from_string(BACKUPKEY_RESTORE_GUID, &tmp);
+       if (NT_STATUS_IS_OK(status)) {
+               match = GUID_equal(guid, &tmp);
+               if (match) {
+                       return BACKUPKEY_RESTORE_GUID_INTEGER;
+               }
+       }
+
+       status = GUID_from_string(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID, &tmp);
+       if (NT_STATUS_IS_OK(status)) {
+               match = GUID_equal(guid, &tmp);
+               if (match) {
+                       return BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER;
+               }
+       }
+
+       return BACKUPKEY_INVALID_GUID_INTEGER;
+}
+
+_PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name, int flags, const struct bkrp_BackupKey *r)
+{
+       ndr_print_struct(ndr, name, "bkrp_BackupKey");
+       if (r == NULL) { ndr_print_null(ndr); return; }
+       ndr->depth++;
+       if (flags & NDR_SET_VALUES) {
+               ndr->flags |= LIBNDR_PRINT_SET_VALUES;
+       }
+       if (flags & NDR_IN) {
+               union bkrp_data_in_blob inblob;
+               DATA_BLOB blob;
+               uint32_t level;
+               enum ndr_err_code ndr_err;
+
+               ndr_print_struct(ndr, "in", "bkrp_BackupKey");
+               ndr->depth++;
+               ndr_print_ptr(ndr, "guidActionAgent", r->in.guidActionAgent);
+               ndr->depth++;
+               ndr_print_GUID(ndr, "guidActionAgent", r->in.guidActionAgent);
+               ndr->depth--;
+
+               level = backupkeyguid_to_uint(r->in.guidActionAgent);
+               blob.data = r->in.data_in;
+               blob.length = r->in.data_in_len;
+               ndr_err = ndr_pull_union_blob(&blob, ndr, &inblob, level,
+                               (ndr_pull_flags_fn_t)ndr_pull_bkrp_data_in_blob);
+
+               ndr_print_ptr(ndr, "data_in", r->in.data_in);
+               ndr->depth++;
+               if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+                       ndr_print_bkrp_data_in_blob(ndr, "data_in", &inblob);
+               } else {
+                       ndr_print_array_uint8(ndr, "data_in", r->in.data_in, r->in.data_in_len);
+               }
+               ndr->depth--;
+
+               ndr_print_uint32(ndr, "data_in_len", r->in.data_in_len);
+               ndr_print_uint32(ndr, "param", r->in.param);
+               ndr->depth--;
+       }
+       if (flags & NDR_OUT) {
+               ndr_print_struct(ndr, "out", "bkrp_BackupKey");
+               ndr->depth++;
+               ndr_print_ptr(ndr, "data_out", r->out.data_out);
+               ndr->depth++;
+               ndr_print_ptr(ndr, "data_out", *r->out.data_out);
+               ndr->depth++;
+
+               if (*r->out.data_out) {
+                       ndr_print_array_uint8(ndr, "data_out", *r->out.data_out, *r->out.data_out_len);
+               }
+               ndr->depth--;
+               ndr->depth--;
+               ndr_print_ptr(ndr, "data_out_len", r->out.data_out_len);
+               ndr->depth++;
+               ndr_print_uint32(ndr, "data_out_len", *r->out.data_out_len);
+               ndr->depth--;
+               ndr_print_WERROR(ndr, "result", r->out.result);
+               ndr->depth--;
+       }
+       ndr->depth--;
+}
+
+/* We have manual push/pull because we didn't manage to do the alignment
+ * purely in PIDL as the padding is sized so that the whole access_check_v3
+ * struct size is a multiple of 8 (as specified in 2.2.2.3 of ms-bkrp.pdf)
+ */
+_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v2(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v2 *r)
+{
+       if (ndr_flags & NDR_SCALARS) {
+               size_t ofs;
+               size_t pad;
+               NDR_CHECK(ndr_push_align(ndr, 4));
+               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000001));
+               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->nonce_len));
+               NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len));
+               NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->sid));
+               /* We articially increment the offset of 20 bytes (size of hash
+                * comming after the pad) so that ndr_align can determine easily
+                * the correct pad size to make the whole struct 8 bytes aligned
+                */
+               ofs = ndr->offset + 20;
+               pad = ndr_align_size(ofs, 8);
+               NDR_CHECK(ndr_push_zero(ndr, pad));
+               NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 20));
+               NDR_CHECK(ndr_push_trailer_align(ndr, 4));
+       }
+       if (ndr_flags & NDR_BUFFERS) {
+       }
+       return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v2(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v2 *r)
+{
+       if (ndr_flags & NDR_SCALARS) {
+               size_t ofs;
+               size_t pad;
+               NDR_CHECK(ndr_pull_align(ndr, 4));
+               NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic));
+               NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->nonce_len));
+               NDR_PULL_ALLOC_N(ndr, r->nonce, r->nonce_len);
+               NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len));
+               NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sid));
+               ofs = ndr->offset + 20;
+               pad = ndr_align_size(ofs, 8);
+               NDR_CHECK(ndr_pull_advance(ndr, pad));
+               NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 20));
+               NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+       }
+       if (ndr_flags & NDR_BUFFERS) {
+       }
+       return NDR_ERR_SUCCESS;
+}
+
+/* We have manual push/pull because we didn't manage to do the alignment
+ * purely in PIDL as the padding is sized so that the whole access_check_v3
+ * struct size is a multiple of 16 (as specified in 2.2.2.4 of ms-bkrp.pdf)
+ */
+_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v3(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v3 *r)
+{
+       if (ndr_flags & NDR_SCALARS) {
+               size_t ofs;
+               size_t pad;
+               NDR_CHECK(ndr_push_align(ndr, 4));
+               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0x00000001));
+               NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->nonce_len));
+               NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len));
+               NDR_CHECK(ndr_push_dom_sid(ndr, NDR_SCALARS, &r->sid));
+               /* We articially increment the offset of 64 bytes (size of hash
+                * comming after the pad) so that ndr_align can determine easily
+                * the correct pad size to make the whole struct 16 bytes aligned
+                */
+               ofs = ndr->offset + 64;
+               pad = ndr_align_size(ofs, 16);
+               NDR_CHECK(ndr_push_zero(ndr, pad));
+               NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->hash, 64));
+               NDR_CHECK(ndr_push_trailer_align(ndr, 4));
+       }
+       if (ndr_flags & NDR_BUFFERS) {
+       }
+       return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v3(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v3 *r)
+{
+       if (ndr_flags & NDR_SCALARS) {
+               size_t ofs;
+               size_t pad;
+               NDR_CHECK(ndr_pull_align(ndr, 4));
+               NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->magic));
+               NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->nonce_len));
+               NDR_PULL_ALLOC_N(ndr, r->nonce, r->nonce_len);
+               NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->nonce, r->nonce_len));
+               NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->sid));
+               ofs = ndr->offset + 64;
+               pad = ndr_align_size(ofs, 16);
+               NDR_CHECK(ndr_pull_advance(ndr, pad));
+               NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->hash, 64));
+               NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+       }
+       if (ndr_flags & NDR_BUFFERS) {
+       }
+       return NDR_ERR_SUCCESS;
+}

diff --git a/librpc/ndr/ndr_backupkey.h b/librpc/ndr/ndr_backupkey.h
new file mode 100644 (file)
index 0000000..c5c7c39
--- /dev/null
+++ b/librpc/ndr/ndr_backupkey.h
@@ -0,0 +1,2 @@
+_PUBLIC_ enum ndr_err_code ndr_push_bkrp_access_check_v2(struct ndr_push *ndr, int ndr_flags, const struct bkrp_access_check_v2 *r);
+_PUBLIC_ enum ndr_err_code ndr_pull_bkrp_access_check_v2(struct ndr_pull *ndr, int ndr_flags, struct bkrp_access_check_v2 *r);

diff --git a/librpc/wscript_build b/librpc/wscript_build
index 0d90d106ea2a4b1b7c79fad67a32d891268b718c..236a728d5f7f6b2c428e34ef04736fc74f6e6df0 100644 (file)
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -281,6 +281,11 @@ bld.SAMBA_SUBSYSTEM('NDR_NBT',
         header_path='gen_ndr'
        )
 
+bld.SAMBA_SUBSYSTEM('NDR_BACKUPKEY',
+       source='../librpc/ndr/ndr_backupkey.c ../librpc/gen_ndr/ndr_backupkey.c',
+       public_deps='ndr'
+       )
+
 bld.SAMBA_SUBSYSTEM('RPC_NDR_XATTR',
        source='../librpc/gen_ndr/ndr_xattr_c.c',
        public_deps='NDR_XATTR dcerpc'
@@ -468,6 +473,11 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_KEYSVC',
        public_deps='dcerpc NDR_KEYSVC'
        )
 
+bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY',
+       source='../librpc/gen_ndr/ndr_backupkey_c.c',
+       public_deps='dcerpc NDR_BACKUPKEY'
+       )
+
 # a grouping library for NDR subsystems that may be used by more than one target
 bld.SAMBA_LIBRARY('ndr-samba',
        source=[],

diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build
index dbef6714141c5a1e86a9e76c488eafdc8d4a46ee..5cff4a9b686af75b1174400565ca7fda19e7a99d 100755 (executable)
--- a/source4/librpc/wscript_build
+++ b/source4/librpc/wscript_build
@@ -135,7 +135,7 @@ bld.SAMBA_SUBSYSTEM('ndr-table',
         NDR_SASL_HELPERS NDR_NOTIFY NDR_WINBIND NDR_FRSRPC NDR_FRSAPI
         NDR_FRSTRANS NDR_NFS4ACL NDR_NTP_SIGND NDR_DCOM NDR_WMI
         NDR_NAMED_PIPE_AUTH NDR_NTLMSSP NDR_DFSBLOBS NDR_DNSP
-        NDR_NTPRINTING NDR_DNS''',
+        NDR_NTPRINTING NDR_DNS NDR_BACKUPKEY''',
         depends_on='GEN_NDR_TABLES'
         )