uint8 hash[64];
} bkrp_access_check_v3;
+ [public] typedef struct {
+ [subcontext(0),subcontext_size(32),flag(NDR_REMAINING)] DATA_BLOB r3;
+ [subcontext(0),subcontext_size(20),flag(NDR_REMAINING)] DATA_BLOB mac;
+ dom_sid sid;
+ [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB secret;
+ } bkrp_rc4encryptedpayload;
+
+ [public] typedef struct {
+ [value(0x00000001)] uint32 magic;
+ uint32 payload_length;
+ uint32 cyphertext_length;
+ [subcontext(0),subcontext_size(16),flag(NDR_REMAINING)] DATA_BLOB guid_of_wrapping_key;
+ [subcontext(0),subcontext_size(68),flag(NDR_REMAINING)] DATA_BLOB r2;
+ [subcontext(0),flag(NDR_REMAINING)] DATA_BLOB rc4encryptedpayload;
+ } bkrp_server_side_wrapped;
+
+ [public] typedef struct {
+ [flag(NDR_REMAINING)] DATA_BLOB opaque;
+ } bkrp_opaque_blob;
+
typedef enum {
BACKUPKEY_INVALID_GUID_INTEGER = 0xFFFF,
BACKUPKEY_RESTORE_GUID_INTEGER = 0x0000,
- BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001
+ BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001,
+ BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER = 0x0002,
+ BACKUPKEY_BACKUP_GUID_INTEGER = 0x0003
} bkrp_guid_to_integer;
[public] typedef [nodiscriminant] union {
[case(BACKUPKEY_RESTORE_GUID_INTEGER)] bkrp_client_side_wrapped restore_req;
[case(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER)] bkrp_empty empty;
+ [case(BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER)] bkrp_server_side_wrapped unsign_req;
+ [case(BACKUPKEY_BACKUP_GUID_INTEGER)] bkrp_opaque_blob sign_req;
} bkrp_data_in_blob;
/******************/
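Review bot: In `bkrp_server_side_wrapped`, `payload_length` and `cyphertext_length` are plain `uint32` fields supplied by the client, and nothing in the IDL ties them to the size of `rc4encryptedpayload`, which simply takes `NDR_REMAINING`. Whatever code later implements the `unsign_req` arm therefore has to compare both lengths with `rc4encryptedpayload.length` before decrypting or parsing `bkrp_rc4encryptedpayload`. I would record that next to the fields, e.g. `/* lengths are client-controlled: validate against rc4encryptedpayload.length before use */`. As far as I know `[value(0x00000001)]` only fixes `magic` when pushing, so the pull side should also check it explicitly; please confirm. `r2` and `r3` deserve a one-line comment each saying what the 68-byte and 32-byte blobs hold, since the names alone do not say.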
DEBUG(debuglevel, ("Client %s requested certificate for client wrapped secret\n", addr));
error = bkrp_do_retreive_client_wrap_key(dce_call, mem_ctx, r, ldb_ctx);
}
+
+ if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+ BACKUPKEY_RESTORE_GUID_WIN2K, strlen(BACKUPKEY_RESTORE_GUID_WIN2K)) == 0) {
+ DEBUG(debuglevel, ("Client %s requested to decrypt a server side wrapped secret, not implemented yet\n", addr));
+ return WERR_NOT_SUPPORTED; /* is this appropriate? */
+ }
+
+ if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+ BACKUPKEY_BACKUP_GUID, strlen(BACKUPKEY_BACKUP_GUID)) == 0) {
+ DEBUG(debuglevel, ("Client %s requested a server wrapped secret, not implemented yet\n", addr));
+ return WERR_NOT_SUPPORTED; /* is this appropriate? */
+ }
}
/*else: I am a RODC so I don't handle backup key protocol */
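Review bot: Both new checks pass `GUID_string(mem_ctx, r->in.guidActionAgent)` straight into `strncasecmp`, so a failed allocation would hand it a NULL pointer, and each check allocates another string on `mem_ctx`. Converting once and checking the result avoids both: `const char *guid_str = GUID_string(mem_ctx, r->in.guidActionAgent);` followed by a NULL check that returns an out-of-memory WERROR, then reuse `guid_str` in every comparison. The new branches also `return WERR_NOT_SUPPORTED` directly, while the branch above assigns `error = ...`. If the function does common handling after this block, `error = WERR_NOT_SUPPORTED;` would keep the paths consistent, though the function starts and ends outside the hunk so I cannot confirm that. The `/* is this appropriate? */` question should be settled against the protocol specification before merge, so clients get a deliberate, documented error for these two GUIDs.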