/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- dsdb_decrypt_attribute_value
- dsdb_decrypt_attribute
- dsdb_convert_object
- dsdb_extended_replicated_objects_commit
1 /*
2 Unix SMB/CIFS mplementation.
3 Helper functions for applying replicated objects
4
5 Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19
20 */
21
22 #include "includes.h"
23 #include "dsdb/samdb/samdb.h"
24 #include "lib/ldb/include/ldb_errors.h"
25 #include "../lib/util/dlinklist.h"
26 #include "librpc/gen_ndr/ndr_misc.h"
27 #include "librpc/gen_ndr/ndr_drsuapi.h"
28 #include "librpc/gen_ndr/ndr_drsblobs.h"
29 #include "../lib/crypto/crypto.h"
30 #include "libcli/auth/libcli_auth.h"
31 #include "param/param.h"
32
33 static WERROR dsdb_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
34 const DATA_BLOB *gensec_skey,
35 bool rid_crypt,
36 uint32_t rid,
37 DATA_BLOB *in,
38 DATA_BLOB *out)
39 {
40 DATA_BLOB confounder;
41 DATA_BLOB enc_buffer;
42
43 struct MD5Context md5;
44 uint8_t _enc_key[16];
45 DATA_BLOB enc_key;
46
47 DATA_BLOB dec_buffer;
48
49 uint32_t crc32_given;
50 uint32_t crc32_calc;
51 DATA_BLOB checked_buffer;
52
53 DATA_BLOB plain_buffer;
54
55 /*
56 * users with rid == 0 should not exist
57 */
58 if (rid_crypt && rid == 0) {
59 return WERR_DS_DRA_INVALID_PARAMETER;
60 }
61
62 /*
63 * the first 16 bytes at the beginning are the confounder
64 * followed by the 4 byte crc32 checksum
65 */
66 if (in->length < 20) {
67 return WERR_DS_DRA_INVALID_PARAMETER;
68 }
69 confounder = data_blob_const(in->data, 16);
70 enc_buffer = data_blob_const(in->data + 16, in->length - 16);
71
72 /*
73 * build the encryption key md5 over the session key followed
74 * by the confounder
75 *
76 * here the gensec session key is used and
77 * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
78 */
79 enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
80 MD5Init(&md5);
81 MD5Update(&md5, gensec_skey->data, gensec_skey->length);
82 MD5Update(&md5, confounder.data, confounder.length);
83 MD5Final(enc_key.data, &md5);
84
85 /*
86 * copy the encrypted buffer part and
87 * decrypt it using the created encryption key using arcfour
88 */
89 dec_buffer = data_blob_const(enc_buffer.data, enc_buffer.length);
90 arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
91
92 /*
93 * the first 4 byte are the crc32 checksum
94 * of the remaining bytes
95 */
96 crc32_given = IVAL(dec_buffer.data, 0);
97 crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
98 if (crc32_given != crc32_calc) {
99 return WERR_SEC_E_DECRYPT_FAILURE;
100 }
101 checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
102
103 plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
104 W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
105
106 /*
107 * The following rid_crypt obfuscation isn't session specific
108 * and not really needed here, because we allways know the rid of the
109 * user account.
110 *
111 * But for the rest of samba it's easier when we remove this static
112 * obfuscation here
113 */
114 if (rid_crypt) {
115 uint32_t i, num_hashes;
116
117 if ((checked_buffer.length % 16) != 0) {
118 return WERR_DS_DRA_INVALID_PARAMETER;
119 }
120
121 num_hashes = plain_buffer.length / 16;
122 for (i = 0; i < num_hashes; i++) {
123 uint32_t offset = i * 16;
124 sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
125 }
126 }
127
128 *out = plain_buffer;
129 return WERR_OK;
130 }
131
132 static WERROR dsdb_decrypt_attribute(const DATA_BLOB *gensec_skey,
/* [<][>][^][v][top][bottom][index][help] */
133 uint32_t rid,
134 struct drsuapi_DsReplicaAttribute *attr)
135 {
136 WERROR status;
137 TALLOC_CTX *mem_ctx;
138 DATA_BLOB *enc_data;
139 DATA_BLOB plain_data;
140 bool rid_crypt = false;
141
142 if (attr->value_ctr.num_values == 0) {
143 return WERR_OK;
144 }
145
146 switch (attr->attid) {
147 case DRSUAPI_ATTRIBUTE_dBCSPwd:
148 case DRSUAPI_ATTRIBUTE_unicodePwd:
149 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
150 case DRSUAPI_ATTRIBUTE_lmPwdHistory:
151 rid_crypt = true;
152 break;
153 case DRSUAPI_ATTRIBUTE_supplementalCredentials:
154 case DRSUAPI_ATTRIBUTE_priorValue:
155 case DRSUAPI_ATTRIBUTE_currentValue:
156 case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
157 case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
158 case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
159 case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
160 break;
161 default:
162 return WERR_OK;
163 }
164
165 if (attr->value_ctr.num_values > 1) {
166 return WERR_DS_DRA_INVALID_PARAMETER;
167 }
168
169 if (!attr->value_ctr.values[0].blob) {
170 return WERR_DS_DRA_INVALID_PARAMETER;
171 }
172
173 mem_ctx = attr->value_ctr.values[0].blob;
174 enc_data = attr->value_ctr.values[0].blob;
175
176 status = dsdb_decrypt_attribute_value(mem_ctx,
177 gensec_skey,
178 rid_crypt,
179 rid,
180 enc_data,
181 &plain_data);
182 W_ERROR_NOT_OK_RETURN(status);
183
184 talloc_free(attr->value_ctr.values[0].blob->data);
185 *attr->value_ctr.values[0].blob = plain_data;
186
187 return WERR_OK;
188 }
189
190 static WERROR dsdb_convert_object(struct ldb_context *ldb,
/* [<][>][^][v][top][bottom][index][help] */
191 const struct dsdb_schema *schema,
192 struct dsdb_extended_replicated_objects *ctr,
193 const struct drsuapi_DsReplicaObjectListItemEx *in,
194 const DATA_BLOB *gensec_skey,
195 TALLOC_CTX *mem_ctx,
196 struct dsdb_extended_replicated_object *out)
197 {
198 NTSTATUS nt_status;
199 enum ndr_err_code ndr_err;
200 WERROR status;
201 uint32_t i;
202 struct ldb_message *msg;
203 struct replPropertyMetaDataBlob *md;
204 struct ldb_val guid_value;
205 NTTIME whenChanged = 0;
206 time_t whenChanged_t;
207 const char *whenChanged_s;
208 const char *rdn_name = NULL;
209 const struct ldb_val *rdn_value = NULL;
210 const struct dsdb_attribute *rdn_attr = NULL;
211 uint32_t rdn_attid;
212 struct drsuapi_DsReplicaAttribute *name_a = NULL;
213 struct drsuapi_DsReplicaMetaData *name_d = NULL;
214 struct replPropertyMetaData1 *rdn_m = NULL;
215 struct dom_sid *sid = NULL;
216 uint32_t rid = 0;
217 int ret;
218
219 if (!in->object.identifier) {
220 return WERR_FOOBAR;
221 }
222
223 if (!in->object.identifier->dn || !in->object.identifier->dn[0]) {
224 return WERR_FOOBAR;
225 }
226
227 if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) {
228 return WERR_FOOBAR;
229 }
230
231 if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) {
232 return WERR_FOOBAR;
233 }
234
235 sid = &in->object.identifier->sid;
236 if (sid->num_auths > 0) {
237 rid = sid->sub_auths[sid->num_auths - 1];
238 }
239
240 msg = ldb_msg_new(mem_ctx);
241 W_ERROR_HAVE_NO_MEMORY(msg);
242
243 msg->dn = ldb_dn_new(msg, ldb, in->object.identifier->dn);
244 W_ERROR_HAVE_NO_MEMORY(msg->dn);
245
246 rdn_name = ldb_dn_get_rdn_name(msg->dn);
247 rdn_attr = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
248 if (!rdn_attr) {
249 return WERR_FOOBAR;
250 }
251 rdn_attid = rdn_attr->attributeID_id;
252 rdn_value = ldb_dn_get_rdn_val(msg->dn);
253
254 msg->num_elements = in->object.attribute_ctr.num_attributes;
255 msg->elements = talloc_array(msg, struct ldb_message_element,
256 msg->num_elements);
257 W_ERROR_HAVE_NO_MEMORY(msg->elements);
258
259 md = talloc(mem_ctx, struct replPropertyMetaDataBlob);
260 W_ERROR_HAVE_NO_MEMORY(md);
261
262 md->version = 1;
263 md->reserved = 0;
264 md->ctr.ctr1.count = in->meta_data_ctr->count;
265 md->ctr.ctr1.reserved = 0;
266 md->ctr.ctr1.array = talloc_array(mem_ctx,
267 struct replPropertyMetaData1,
268 md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */
269 W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array);
270
271 for (i=0; i < in->meta_data_ctr->count; i++) {
272 struct drsuapi_DsReplicaAttribute *a;
273 struct drsuapi_DsReplicaMetaData *d;
274 struct replPropertyMetaData1 *m;
275 struct ldb_message_element *e;
276
277 a = &in->object.attribute_ctr.attributes[i];
278 d = &in->meta_data_ctr->meta_data[i];
279 m = &md->ctr.ctr1.array[i];
280 e = &msg->elements[i];
281
282 status = dsdb_decrypt_attribute(gensec_skey, rid, a);
283 W_ERROR_NOT_OK_RETURN(status);
284
285 status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, a, msg->elements, e);
286 W_ERROR_NOT_OK_RETURN(status);
287
288 m->attid = a->attid;
289 m->version = d->version;
290 m->originating_change_time = d->originating_change_time;
291 m->originating_invocation_id = d->originating_invocation_id;
292 m->originating_usn = d->originating_usn;
293 m->local_usn = 0;
294
295 if (d->originating_change_time > whenChanged) {
296 whenChanged = d->originating_change_time;
297 }
298
299 if (a->attid == DRSUAPI_ATTRIBUTE_name) {
300 name_a = a;
301 name_d = d;
302 rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count];
303 }
304 }
305
306 if (rdn_m) {
307 ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL);
308 if (ret != LDB_SUCCESS) {
309 return WERR_FOOBAR;
310 }
311
312 rdn_m->attid = rdn_attid;
313 rdn_m->version = name_d->version;
314 rdn_m->originating_change_time = name_d->originating_change_time;
315 rdn_m->originating_invocation_id = name_d->originating_invocation_id;
316 rdn_m->originating_usn = name_d->originating_usn;
317 rdn_m->local_usn = 0;
318 md->ctr.ctr1.count++;
319
320 }
321
322 whenChanged_t = nt_time_to_unix(whenChanged);
323 whenChanged_s = ldb_timestring(msg, whenChanged_t);
324 W_ERROR_HAVE_NO_MEMORY(whenChanged_s);
325
326 ndr_err = ndr_push_struct_blob(&guid_value, msg,
327 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
328 &in->object.identifier->guid,
329 (ndr_push_flags_fn_t)ndr_push_GUID);
330 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
331 nt_status = ndr_map_error2ntstatus(ndr_err);
332 return ntstatus_to_werror(nt_status);
333 }
334
335 out->msg = msg;
336 out->guid_value = guid_value;
337 out->when_changed = whenChanged_s;
338 out->meta_data = md;
339 return WERR_OK;
340 }
341
342 WERROR dsdb_extended_replicated_objects_commit(struct ldb_context *ldb,
/* [<][>][^][v][top][bottom][index][help] */
343 const char *partition_dn,
344 const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr,
345 uint32_t object_count,
346 const struct drsuapi_DsReplicaObjectListItemEx *first_object,
347 uint32_t linked_attributes_count,
348 const struct drsuapi_DsReplicaLinkedAttribute *linked_attributes,
349 const struct repsFromTo1 *source_dsa,
350 const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector,
351 const DATA_BLOB *gensec_skey,
352 TALLOC_CTX *mem_ctx,
353 struct dsdb_extended_replicated_objects **_out)
354 {
355 WERROR status;
356 const struct dsdb_schema *schema;
357 struct dsdb_extended_replicated_objects *out;
358 struct ldb_result *ext_res;
359 const struct drsuapi_DsReplicaObjectListItemEx *cur;
360 uint32_t i;
361 int ret;
362
363 schema = dsdb_get_schema(ldb);
364 if (!schema) {
365 return WERR_DS_SCHEMA_NOT_LOADED;
366 }
367
368 status = dsdb_verify_oid_mappings_drsuapi(schema, mapping_ctr);
369 W_ERROR_NOT_OK_RETURN(status);
370
371 out = talloc_zero(mem_ctx, struct dsdb_extended_replicated_objects);
372 W_ERROR_HAVE_NO_MEMORY(out);
373 out->version = DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION;
374
375 out->partition_dn = ldb_dn_new(out, ldb, partition_dn);
376 W_ERROR_HAVE_NO_MEMORY(out->partition_dn);
377
378 out->source_dsa = source_dsa;
379 out->uptodateness_vector= uptodateness_vector;
380
381 out->num_objects = object_count;
382 out->objects = talloc_array(out,
383 struct dsdb_extended_replicated_object,
384 out->num_objects);
385 W_ERROR_HAVE_NO_MEMORY(out->objects);
386
387 for (i=0, cur = first_object; cur; cur = cur->next_object, i++) {
388 if (i == out->num_objects) {
389 return WERR_FOOBAR;
390 }
391
392 status = dsdb_convert_object(ldb, schema, out, cur, gensec_skey, out->objects, &out->objects[i]);
393 W_ERROR_NOT_OK_RETURN(status);
394 }
395 if (i != out->num_objects) {
396 return WERR_FOOBAR;
397 }
398
399 /* TODO: handle linked attributes */
400
401 ret = ldb_extended(ldb, DSDB_EXTENDED_REPLICATED_OBJECTS_OID, out, &ext_res);
402 if (ret != LDB_SUCCESS) {
403 DEBUG(0,("Failed to apply records: %s: %s\n",
404 ldb_errstring(ldb), ldb_strerror(ret)));
405 talloc_free(out);
406 return WERR_FOOBAR;
407 }
408 talloc_free(ext_res);
409
410 if (_out) {
411 *_out = out;
412 } else {
413 talloc_free(out);
414 }
415
416 return WERR_OK;
417 }