root/source4/dsdb/repl/replicated_objects.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. dsdb_decrypt_attribute_value
  2. dsdb_decrypt_attribute
  3. dsdb_convert_object
  4. dsdb_extended_replicated_objects_commit

   1 /* 
   2    Unix SMB/CIFS mplementation.
   3    Helper functions for applying replicated objects
   4    
   5    Copyright (C) Stefan Metzmacher <metze@samba.org> 2007
   6     
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11    
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16    
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19    
  20 */
  21 
  22 #include "includes.h"
  23 #include "dsdb/samdb/samdb.h"
  24 #include "lib/ldb/include/ldb_errors.h"
  25 #include "../lib/util/dlinklist.h"
  26 #include "librpc/gen_ndr/ndr_misc.h"
  27 #include "librpc/gen_ndr/ndr_drsuapi.h"
  28 #include "librpc/gen_ndr/ndr_drsblobs.h"
  29 #include "../lib/crypto/crypto.h"
  30 #include "libcli/auth/libcli_auth.h"
  31 #include "param/param.h"
  32 
  33 static WERROR dsdb_decrypt_attribute_value(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
  34                                            const DATA_BLOB *gensec_skey,
  35                                            bool rid_crypt,
  36                                            uint32_t rid,
  37                                            DATA_BLOB *in,
  38                                            DATA_BLOB *out)
  39 {
  40         DATA_BLOB confounder;
  41         DATA_BLOB enc_buffer;
  42 
  43         struct MD5Context md5;
  44         uint8_t _enc_key[16];
  45         DATA_BLOB enc_key;
  46 
  47         DATA_BLOB dec_buffer;
  48 
  49         uint32_t crc32_given;
  50         uint32_t crc32_calc;
  51         DATA_BLOB checked_buffer;
  52 
  53         DATA_BLOB plain_buffer;
  54 
  55         /*
  56          * users with rid == 0 should not exist
  57          */
  58         if (rid_crypt && rid == 0) {
  59                 return WERR_DS_DRA_INVALID_PARAMETER;
  60         }
  61 
  62         /* 
  63          * the first 16 bytes at the beginning are the confounder
  64          * followed by the 4 byte crc32 checksum
  65          */
  66         if (in->length < 20) {
  67                 return WERR_DS_DRA_INVALID_PARAMETER;
  68         }
  69         confounder = data_blob_const(in->data, 16);
  70         enc_buffer = data_blob_const(in->data + 16, in->length - 16);
  71 
  72         /* 
  73          * build the encryption key md5 over the session key followed
  74          * by the confounder
  75          * 
  76          * here the gensec session key is used and
  77          * not the dcerpc ncacn_ip_tcp "SystemLibraryDTC" key!
  78          */
  79         enc_key = data_blob_const(_enc_key, sizeof(_enc_key));
  80         MD5Init(&md5);
  81         MD5Update(&md5, gensec_skey->data, gensec_skey->length);
  82         MD5Update(&md5, confounder.data, confounder.length);
  83         MD5Final(enc_key.data, &md5);
  84 
  85         /*
  86          * copy the encrypted buffer part and 
  87          * decrypt it using the created encryption key using arcfour
  88          */
  89         dec_buffer = data_blob_const(enc_buffer.data, enc_buffer.length);
  90         arcfour_crypt_blob(dec_buffer.data, dec_buffer.length, &enc_key);
  91 
  92         /* 
  93          * the first 4 byte are the crc32 checksum
  94          * of the remaining bytes
  95          */
  96         crc32_given = IVAL(dec_buffer.data, 0);
  97         crc32_calc = crc32_calc_buffer(dec_buffer.data + 4 , dec_buffer.length - 4);
  98         if (crc32_given != crc32_calc) {
  99                 return WERR_SEC_E_DECRYPT_FAILURE;
 100         }
 101         checked_buffer = data_blob_const(dec_buffer.data + 4, dec_buffer.length - 4);
 102 
 103         plain_buffer = data_blob_talloc(mem_ctx, checked_buffer.data, checked_buffer.length);
 104         W_ERROR_HAVE_NO_MEMORY(plain_buffer.data);
 105 
 106         /*
 107          * The following rid_crypt obfuscation isn't session specific
 108          * and not really needed here, because we allways know the rid of the
 109          * user account.
 110          *
 111          * But for the rest of samba it's easier when we remove this static
 112          * obfuscation here
 113          */
 114         if (rid_crypt) {
 115                 uint32_t i, num_hashes;
 116 
 117                 if ((checked_buffer.length % 16) != 0) {
 118                         return WERR_DS_DRA_INVALID_PARAMETER;
 119                 }
 120 
 121                 num_hashes = plain_buffer.length / 16;
 122                 for (i = 0; i < num_hashes; i++) {
 123                         uint32_t offset = i * 16;
 124                         sam_rid_crypt(rid, checked_buffer.data + offset, plain_buffer.data + offset, 0);
 125                 }
 126         }
 127 
 128         *out = plain_buffer;
 129         return WERR_OK;
 130 }
 131 
 132 static WERROR dsdb_decrypt_attribute(const DATA_BLOB *gensec_skey,
     /* [<][>][^][v][top][bottom][index][help] */
 133                                      uint32_t rid,
 134                                      struct drsuapi_DsReplicaAttribute *attr)
 135 {
 136         WERROR status;
 137         TALLOC_CTX *mem_ctx;
 138         DATA_BLOB *enc_data;
 139         DATA_BLOB plain_data;
 140         bool rid_crypt = false;
 141 
 142         if (attr->value_ctr.num_values == 0) {
 143                 return WERR_OK;
 144         }
 145 
 146         switch (attr->attid) {
 147         case DRSUAPI_ATTRIBUTE_dBCSPwd:
 148         case DRSUAPI_ATTRIBUTE_unicodePwd:
 149         case DRSUAPI_ATTRIBUTE_ntPwdHistory:
 150         case DRSUAPI_ATTRIBUTE_lmPwdHistory:
 151                 rid_crypt = true;
 152                 break;
 153         case DRSUAPI_ATTRIBUTE_supplementalCredentials:
 154         case DRSUAPI_ATTRIBUTE_priorValue:
 155         case DRSUAPI_ATTRIBUTE_currentValue:
 156         case DRSUAPI_ATTRIBUTE_trustAuthOutgoing:
 157         case DRSUAPI_ATTRIBUTE_trustAuthIncoming:
 158         case DRSUAPI_ATTRIBUTE_initialAuthOutgoing:
 159         case DRSUAPI_ATTRIBUTE_initialAuthIncoming:
 160                 break;
 161         default:
 162                 return WERR_OK;
 163         }
 164 
 165         if (attr->value_ctr.num_values > 1) {
 166                 return WERR_DS_DRA_INVALID_PARAMETER;
 167         }
 168 
 169         if (!attr->value_ctr.values[0].blob) {
 170                 return WERR_DS_DRA_INVALID_PARAMETER;
 171         }
 172 
 173         mem_ctx         = attr->value_ctr.values[0].blob;
 174         enc_data        = attr->value_ctr.values[0].blob;
 175 
 176         status = dsdb_decrypt_attribute_value(mem_ctx,
 177                                               gensec_skey,
 178                                               rid_crypt,
 179                                               rid,
 180                                               enc_data,
 181                                               &plain_data);
 182         W_ERROR_NOT_OK_RETURN(status);
 183 
 184         talloc_free(attr->value_ctr.values[0].blob->data);
 185         *attr->value_ctr.values[0].blob = plain_data;
 186 
 187         return WERR_OK;
 188 }
 189 
 190 static WERROR dsdb_convert_object(struct ldb_context *ldb,
     /* [<][>][^][v][top][bottom][index][help] */
 191                                   const struct dsdb_schema *schema,
 192                                   struct dsdb_extended_replicated_objects *ctr,
 193                                   const struct drsuapi_DsReplicaObjectListItemEx *in,
 194                                   const DATA_BLOB *gensec_skey,
 195                                   TALLOC_CTX *mem_ctx,
 196                                   struct dsdb_extended_replicated_object *out)
 197 {
 198         NTSTATUS nt_status;
 199         enum ndr_err_code ndr_err;
 200         WERROR status;
 201         uint32_t i;
 202         struct ldb_message *msg;
 203         struct replPropertyMetaDataBlob *md;
 204         struct ldb_val guid_value;
 205         NTTIME whenChanged = 0;
 206         time_t whenChanged_t;
 207         const char *whenChanged_s;
 208         const char *rdn_name = NULL;
 209         const struct ldb_val *rdn_value = NULL;
 210         const struct dsdb_attribute *rdn_attr = NULL;
 211         uint32_t rdn_attid;
 212         struct drsuapi_DsReplicaAttribute *name_a = NULL;
 213         struct drsuapi_DsReplicaMetaData *name_d = NULL;
 214         struct replPropertyMetaData1 *rdn_m = NULL;
 215         struct dom_sid *sid = NULL;
 216         uint32_t rid = 0;
 217         int ret;
 218 
 219         if (!in->object.identifier) {
 220                 return WERR_FOOBAR;
 221         }
 222 
 223         if (!in->object.identifier->dn || !in->object.identifier->dn[0]) {
 224                 return WERR_FOOBAR;
 225         }
 226 
 227         if (in->object.attribute_ctr.num_attributes != 0 && !in->meta_data_ctr) {
 228                 return WERR_FOOBAR;
 229         }
 230 
 231         if (in->object.attribute_ctr.num_attributes != in->meta_data_ctr->count) {
 232                 return WERR_FOOBAR;
 233         }
 234 
 235         sid = &in->object.identifier->sid;
 236         if (sid->num_auths > 0) {
 237                 rid = sid->sub_auths[sid->num_auths - 1];
 238         }
 239 
 240         msg = ldb_msg_new(mem_ctx);
 241         W_ERROR_HAVE_NO_MEMORY(msg);
 242 
 243         msg->dn                 = ldb_dn_new(msg, ldb, in->object.identifier->dn);
 244         W_ERROR_HAVE_NO_MEMORY(msg->dn);
 245 
 246         rdn_name        = ldb_dn_get_rdn_name(msg->dn);
 247         rdn_attr        = dsdb_attribute_by_lDAPDisplayName(schema, rdn_name);
 248         if (!rdn_attr) {
 249                 return WERR_FOOBAR;
 250         }
 251         rdn_attid       = rdn_attr->attributeID_id;
 252         rdn_value       = ldb_dn_get_rdn_val(msg->dn);
 253 
 254         msg->num_elements       = in->object.attribute_ctr.num_attributes;
 255         msg->elements           = talloc_array(msg, struct ldb_message_element,
 256                                                msg->num_elements);
 257         W_ERROR_HAVE_NO_MEMORY(msg->elements);
 258 
 259         md = talloc(mem_ctx, struct replPropertyMetaDataBlob);
 260         W_ERROR_HAVE_NO_MEMORY(md);
 261 
 262         md->version             = 1;
 263         md->reserved            = 0;
 264         md->ctr.ctr1.count      = in->meta_data_ctr->count;
 265         md->ctr.ctr1.reserved   = 0;
 266         md->ctr.ctr1.array      = talloc_array(mem_ctx,
 267                                                struct replPropertyMetaData1,
 268                                                md->ctr.ctr1.count + 1); /* +1 because of the RDN attribute */
 269         W_ERROR_HAVE_NO_MEMORY(md->ctr.ctr1.array);
 270 
 271         for (i=0; i < in->meta_data_ctr->count; i++) {
 272                 struct drsuapi_DsReplicaAttribute *a;
 273                 struct drsuapi_DsReplicaMetaData *d;
 274                 struct replPropertyMetaData1 *m;
 275                 struct ldb_message_element *e;
 276 
 277                 a = &in->object.attribute_ctr.attributes[i];
 278                 d = &in->meta_data_ctr->meta_data[i];
 279                 m = &md->ctr.ctr1.array[i];
 280                 e = &msg->elements[i];
 281 
 282                 status = dsdb_decrypt_attribute(gensec_skey, rid, a);
 283                 W_ERROR_NOT_OK_RETURN(status);
 284 
 285                 status = dsdb_attribute_drsuapi_to_ldb(ldb, schema, a, msg->elements, e);
 286                 W_ERROR_NOT_OK_RETURN(status);
 287 
 288                 m->attid                        = a->attid;
 289                 m->version                      = d->version;
 290                 m->originating_change_time      = d->originating_change_time;
 291                 m->originating_invocation_id    = d->originating_invocation_id;
 292                 m->originating_usn              = d->originating_usn;
 293                 m->local_usn                    = 0;
 294 
 295                 if (d->originating_change_time > whenChanged) {
 296                         whenChanged = d->originating_change_time;
 297                 }
 298 
 299                 if (a->attid == DRSUAPI_ATTRIBUTE_name) {
 300                         name_a = a;
 301                         name_d = d;
 302                         rdn_m = &md->ctr.ctr1.array[md->ctr.ctr1.count];
 303                 }
 304         }
 305 
 306         if (rdn_m) {
 307                 ret = ldb_msg_add_value(msg, rdn_attr->lDAPDisplayName, rdn_value, NULL);
 308                 if (ret != LDB_SUCCESS) {
 309                         return WERR_FOOBAR;
 310                 }
 311 
 312                 rdn_m->attid                            = rdn_attid;
 313                 rdn_m->version                          = name_d->version;
 314                 rdn_m->originating_change_time          = name_d->originating_change_time;
 315                 rdn_m->originating_invocation_id        = name_d->originating_invocation_id;
 316                 rdn_m->originating_usn                  = name_d->originating_usn;
 317                 rdn_m->local_usn                        = 0;
 318                 md->ctr.ctr1.count++;
 319 
 320         }
 321 
 322         whenChanged_t = nt_time_to_unix(whenChanged);
 323         whenChanged_s = ldb_timestring(msg, whenChanged_t);
 324         W_ERROR_HAVE_NO_MEMORY(whenChanged_s);
 325 
 326         ndr_err = ndr_push_struct_blob(&guid_value, msg, 
 327                                        lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
 328                                        &in->object.identifier->guid,
 329                                          (ndr_push_flags_fn_t)ndr_push_GUID);
 330         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 331                 nt_status = ndr_map_error2ntstatus(ndr_err);
 332                 return ntstatus_to_werror(nt_status);
 333         }
 334 
 335         out->msg                = msg;
 336         out->guid_value         = guid_value;
 337         out->when_changed       = whenChanged_s;
 338         out->meta_data          = md;
 339         return WERR_OK;
 340 }
 341 
 342 WERROR dsdb_extended_replicated_objects_commit(struct ldb_context *ldb,
     /* [<][>][^][v][top][bottom][index][help] */
 343                                                const char *partition_dn,
 344                                                const struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr,
 345                                                uint32_t object_count,
 346                                                const struct drsuapi_DsReplicaObjectListItemEx *first_object,
 347                                                uint32_t linked_attributes_count,
 348                                                const struct drsuapi_DsReplicaLinkedAttribute *linked_attributes,
 349                                                const struct repsFromTo1 *source_dsa,
 350                                                const struct drsuapi_DsReplicaCursor2CtrEx *uptodateness_vector,
 351                                                const DATA_BLOB *gensec_skey,
 352                                                TALLOC_CTX *mem_ctx,
 353                                                struct dsdb_extended_replicated_objects **_out)
 354 {
 355         WERROR status;
 356         const struct dsdb_schema *schema;
 357         struct dsdb_extended_replicated_objects *out;
 358         struct ldb_result *ext_res;
 359         const struct drsuapi_DsReplicaObjectListItemEx *cur;
 360         uint32_t i;
 361         int ret;
 362 
 363         schema = dsdb_get_schema(ldb);
 364         if (!schema) {
 365                 return WERR_DS_SCHEMA_NOT_LOADED;
 366         }
 367 
 368         status = dsdb_verify_oid_mappings_drsuapi(schema, mapping_ctr);
 369         W_ERROR_NOT_OK_RETURN(status);
 370 
 371         out = talloc_zero(mem_ctx, struct dsdb_extended_replicated_objects);
 372         W_ERROR_HAVE_NO_MEMORY(out);
 373         out->version            = DSDB_EXTENDED_REPLICATED_OBJECTS_VERSION;
 374 
 375         out->partition_dn       = ldb_dn_new(out, ldb, partition_dn);
 376         W_ERROR_HAVE_NO_MEMORY(out->partition_dn);
 377 
 378         out->source_dsa         = source_dsa;
 379         out->uptodateness_vector= uptodateness_vector;
 380 
 381         out->num_objects        = object_count;
 382         out->objects            = talloc_array(out,
 383                                                struct dsdb_extended_replicated_object,
 384                                                out->num_objects);
 385         W_ERROR_HAVE_NO_MEMORY(out->objects);
 386 
 387         for (i=0, cur = first_object; cur; cur = cur->next_object, i++) {
 388                 if (i == out->num_objects) {
 389                         return WERR_FOOBAR;
 390                 }
 391 
 392                 status = dsdb_convert_object(ldb, schema, out, cur, gensec_skey, out->objects, &out->objects[i]);
 393                 W_ERROR_NOT_OK_RETURN(status);
 394         }
 395         if (i != out->num_objects) {
 396                 return WERR_FOOBAR;
 397         }
 398 
 399         /* TODO: handle linked attributes */
 400 
 401         ret = ldb_extended(ldb, DSDB_EXTENDED_REPLICATED_OBJECTS_OID, out, &ext_res);
 402         if (ret != LDB_SUCCESS) {
 403                 DEBUG(0,("Failed to apply records: %s: %s\n",
 404                          ldb_errstring(ldb), ldb_strerror(ret)));
 405                 talloc_free(out);
 406                 return WERR_FOOBAR;
 407         }
 408         talloc_free(ext_res);
 409 
 410         if (_out) {
 411                 *_out = out;
 412         } else {
 413                 talloc_free(out);
 414         }
 415 
 416         return WERR_OK;
 417 }

/* [<][>][^][v][top][bottom][index][help] */