[PATCH 09/10] s4-backupkey: IDL for ServerWarp subprotocol
Arvid Requate
requate at univention.de
Mon Jul 7 11:15:18 MDT 2014
This adds IDL structs for the ServerWrap subprotocol so that the incoming RPC calls
can be parsed, and returns WERR_NOT_SUPPORTED
instead of WERR_INVALID_PARAM.
Signed-off-by: Arvid Requate <requate at univention.de>
---
librpc/idl/backupkey.idl | 26
++++++++++++++++++++++++-
source4/rpc_server/backupkey/dcesrv_backupkey.c | 12 ++++++++++++
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/librpc/idl/backupkey.idl b/librpc/idl/backupkey.idl
index b504ca5..18098cd 100644
--- a/librpc/idl/backupkey.idl
+++ b/librpc/idl/backupkey.idl
@@ -98,15 +98,39 @@ interface backupkey
uint8 hash[64];
} bkrp_access_check_v3;
+ [public] typedef struct {
+ [subcontext(0),subcontext_size(32),flag(NDR_REMAINING)]
DATA_BLOB r3;
+ [subcontext(0),subcontext_size(20),flag(NDR_REMAINING)]
DATA_BLOB mac;
+ dom_sid sid;
+ [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB secret;
+ } bkrp_rc4encryptedpayload;
+
+ [public] typedef struct {
+ [value(0x00000001)] uint32 magic;
+ uint32 payload_length;
+ uint32 cyphertext_length;
+ [subcontext(0),subcontext_size(16),flag(NDR_REMAINING)]
DATA_BLOB guid_of_wrapping_key;
+ [subcontext(0),subcontext_size(68),flag(NDR_REMAINING)]
DATA_BLOB r2;
+ [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB
rc4encryptedpayload;
+ } bkrp_server_side_wrapped;
+
+ [public] typedef struct {
+ [flag(NDR_REMAINING)] DATA_BLOB opaque;
+ } bkrp_opaque_blob;
+
typedef enum {
BACKUPKEY_INVALID_GUID_INTEGER = 0xFFFF,
BACKUPKEY_RESTORE_GUID_INTEGER = 0x0000,
- BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001
+ BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001,
+ BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER = 0x0002,
+ BACKUPKEY_BACKUP_GUID_INTEGER = 0x0003
} bkrp_guid_to_integer;
[public] typedef [nodiscriminant] union {
[case(BACKUPKEY_RESTORE_GUID_INTEGER)]
bkrp_client_side_wrapped restore_req;
[case(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER)] bkrp_empty
empty;
+ [case(BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER)]
bkrp_server_side_wrapped unsign_req;
+ [case(BACKUPKEY_BACKUP_GUID_INTEGER)] bkrp_opaque_blob
sign_req;
} bkrp_data_in_blob;
/******************/
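Review bot: `payload_length` and `cyphertext_length` in the new `bkrp_server_side_wrapped` are plain `uint32` fields with no `size_is`/`length_is` binding, so the generated pull routine will accept any values in them regardless of how many bytes actually remain in `rc4encryptedpayload`; whichever consumer later implements ServerWrap must bounds-check both against `rc4encryptedpayload.length` before using them for allocation or decryption. Likewise `[value(0x00000001)]` on `magic` fixes the value on push but, as far as I can tell from pidl's behaviour, does not reject a different value on pull, so a server parsing this from a client should compare it explicitly rather than assume it. A one-line comment on each struct naming the MS-BKRP structure it mirrors (e.g. `/* MS-BKRP ServerWrap: Rc4EncryptedPayload; lengths are client-supplied, validate on pull */`) would make these caveats visible to the next implementer. Minor: Samba spells the word "ciphertext" elsewhere, so `cyphertext_length` is an outlier.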
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c
b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 737d609..9e17625 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1309,6 +1309,18 @@ static WERROR dcesrv_bkrp_BackupKey(struct
dcesrv_call_state *dce_call,
DEBUG(debuglevel, ("Client %s requested certificate for
client wrapped secret\n", addr));
error = bkrp_do_retreive_client_wrap_key(dce_call,
mem_ctx, r, ldb_ctx);
}
+
+ if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+ BACKUPKEY_RESTORE_GUID_WIN2K,
strlen(BACKUPKEY_RESTORE_GUID_WIN2K)) == 0) {
+ DEBUG(debuglevel, ("Client %s requested to decrypt a
server side wrapped secret, not implemented yet\n", addr));
+ return WERR_NOT_SUPPORTED; /* is this appropriate? */
+ }
+
+ if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+ BACKUPKEY_BACKUP_GUID, strlen(BACKUPKEY_BACKUP_GUID))
== 0) {
+ DEBUG(debuglevel, ("Client %s requested a server
wrapped secret, not implemented yet\n", addr));
+ return WERR_NOT_SUPPORTED; /* is this appropriate? */
+ }
}
/*else: I am a RODC so I don't handle backup key protocol */
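Review bot: Both new branches call `GUID_string(mem_ctx, r->in.guidActionAgent)` and hand the result straight to `strncasecmp()`; `GUID_string()` returns NULL on talloc failure, which makes the comparison undefined behaviour, and the prefix compare via `strlen()` of the constant is looser than an exact GUID match needs to be. Comparing the GUID as a value with `GUID_from_string()` and `GUID_equal()` avoids the NULL case, the two extra allocations on `mem_ctx`, and the case-insensitive string match; the earlier branches of this function (outside the hunk) appear to use the same pattern and would benefit from the same treatment, though I cannot see them here. The `/* is this appropriate? */` comments should be resolved before merge rather than shipped: WERR_NOT_SUPPORTED matches what the commit message states as the intent for an unimplemented subprotocol, so either drop the question or replace it with `/* ServerWrap subprotocol not implemented */`. The enclosing `dcesrv_bkrp_BackupKey()` starts and ends outside this hunk.
```c
	/* … unchanged: retrieve-client-wrap branch … */

	struct GUID guid_restore_win2k;
	struct GUID guid_backup;

	if (NT_STATUS_IS_OK(GUID_from_string(BACKUPKEY_RESTORE_GUID_WIN2K, &guid_restore_win2k)) &&
	    GUID_equal(r->in.guidActionAgent, &guid_restore_win2k)) {
		DEBUG(debuglevel, ("Client %s requested to decrypt a server side wrapped secret, not implemented yet\n", addr));
		return WERR_NOT_SUPPORTED; /* ServerWrap subprotocol not implemented */
	}

	if (NT_STATUS_IS_OK(GUID_from_string(BACKUPKEY_BACKUP_GUID, &guid_backup)) &&
	    GUID_equal(r->in.guidActionAgent, &guid_backup)) {
		DEBUG(debuglevel, ("Client %s requested a server wrapped secret, not implemented yet\n", addr));
		return WERR_NOT_SUPPORTED; /* ServerWrap subprotocol not implemented */
	}
```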
--
2.0.0.rc2