libcli/samsync/decrypt.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Extract the user/system database from a remote SamSync server
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7    Copyright (C) Guenther Deschner <gd@samba.org> 2008
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23
  24 #include "includes.h"
  25 #include "../libcli/auth/libcli_auth.h"
  26 #include "../libcli/samsync/samsync.h"
  27 #include "librpc/gen_ndr/ndr_netlogon.h"
  28 #include "lib/crypto/gnutls_helpers.h"
  29
  30 #undef netlogon_creds_arcfour_crypt
  31
  32 /**
  33  * Decrypt and extract the user's passwords.
  34  *
  35  * The writes decrypted (no longer 'RID encrypted' or arcfour encrypted)
  36  * passwords back into the structure
  37  */
  38
  39 static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
  40                          struct netlogon_creds_CredentialState *creds,
  41                          enum netr_SamDatabaseID database_id,
  42                          struct netr_DELTA_ENUM *delta)
  43 {
  44
  45         uint32_t rid = delta->delta_id_union.rid;
  46         struct netr_DELTA_USER *user = delta->delta_union.user;
  47         struct samr_Password lm_hash;
  48         struct samr_Password nt_hash;
  49         int rc;
  50
  51         /* Note that win2000 may send us all zeros
  52          * for the hashes if it doesn't
  53          * think this channel is secure enough. */
  54         if (user->lm_password_present) {
  55                 if (!all_zero(user->lmpassword.hash, 16)) {
  56                         rc = sam_rid_crypt(rid, user->lmpassword.hash,
  57                                             lm_hash.hash, SAMBA_GNUTLS_DECRYPT);
  58                         if (rc != 0) {
  59                                 return gnutls_error_to_ntstatus(rc,
  60                                                                 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
  61                         }
  62                 } else {
  63                         memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
  64                 }
  65                 user->lmpassword = lm_hash;
  66         }
  67
  68         if (user->nt_password_present) {
  69                 if (!all_zero(user->ntpassword.hash, 16)) {
  70                         rc = sam_rid_crypt(rid, user->ntpassword.hash,
  71                                             nt_hash.hash, SAMBA_GNUTLS_DECRYPT);
  72                         if (rc != 0) {
  73                                 return gnutls_error_to_ntstatus(rc,
  74                                                                 NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
  75                         }
  76                 } else {
  77                         memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
  78                 }
  79                 user->ntpassword = nt_hash;
  80         }
  81
  82         if (user->user_private_info.SensitiveData) {
  83                 DATA_BLOB data;
  84                 struct netr_USER_KEYS keys;
  85                 enum ndr_err_code ndr_err;
  86                 NTSTATUS status;
  87
  88                 data.data = user->user_private_info.SensitiveData;
  89                 data.length = user->user_private_info.DataLength;
  90
  91                 status = netlogon_creds_arcfour_crypt(creds,
  92                                                       data.data,
  93                                                       data.length);
  94                 if (!NT_STATUS_IS_OK(status)) {
  95                         return status;
  96                 }
  97
  98                 user->user_private_info.SensitiveData = data.data;
  99                 user->user_private_info.DataLength = data.length;
 100
 101                 ndr_err = ndr_pull_struct_blob(&data, mem_ctx, &keys,
 102                         (ndr_pull_flags_fn_t)ndr_pull_netr_USER_KEYS);
 103                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 104                         dump_data(10, data.data, data.length);
 105                         return ndr_map_error2ntstatus(ndr_err);
 106                 }
 107
 108                 /* Note that win2000 may send us all zeros
 109                  * for the hashes if it doesn't
 110                  * think this channel is secure enough. */
 111                 if (keys.keys.keys2.lmpassword.length == 16) {
 112                         if (!all_zero(keys.keys.keys2.lmpassword.pwd.hash,
 113                                       16)) {
 114                                 rc = sam_rid_crypt(rid,
 115                                                    keys.keys.keys2.lmpassword.pwd.hash,
 116                                                    lm_hash.hash, SAMBA_GNUTLS_DECRYPT);
 117                                 if (rc != 0) {
 118                                         return gnutls_error_to_ntstatus(rc,
 119                                                                         NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
 120                                 }
 121                         } else {
 122                                 memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
 123                         }
 124                         user->lmpassword = lm_hash;
 125                         user->lm_password_present = true;
 126                 }
 127                 if (keys.keys.keys2.ntpassword.length == 16) {
 128                         if (!all_zero(keys.keys.keys2.ntpassword.pwd.hash,
 129                                       16)) {
 130                                 rc = sam_rid_crypt(rid,
 131                                                    keys.keys.keys2.ntpassword.pwd.hash,
 132                                                    nt_hash.hash, SAMBA_GNUTLS_DECRYPT);
 133                                 if (rc != 0) {
 134                                         return gnutls_error_to_ntstatus(rc,
 135                                                                         NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER);
 136                                 }
 137                         } else {
 138                                 memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
 139                         }
 140                         user->ntpassword = nt_hash;
 141                         user->nt_password_present = true;
 142                 }
 143                 /* TODO: rid decrypt history fields */
 144         }
 145         return NT_STATUS_OK;
 146 }
 147
 148 /**
 149  * Decrypt and extract the secrets
 150  *
 151  * The writes decrypted secrets back into the structure
 152  */
 153 static NTSTATUS fix_secret(TALLOC_CTX *mem_ctx,
 154                            struct netlogon_creds_CredentialState *creds,
 155                            enum netr_SamDatabaseID database,
 156                            struct netr_DELTA_ENUM *delta)
 157 {
 158         struct netr_DELTA_SECRET *secret = delta->delta_union.secret;
 159         NTSTATUS status;
 160
 161         status = netlogon_creds_arcfour_crypt(creds,
 162                                               secret->current_cipher.cipher_data,
 163                                               secret->current_cipher.maxlen);
 164         if (!NT_STATUS_IS_OK(status)) {
 165                 return status;
 166         }
 167
 168         status = netlogon_creds_arcfour_crypt(creds,
 169                                               secret->old_cipher.cipher_data,
 170                                               secret->old_cipher.maxlen);
 171         if (!NT_STATUS_IS_OK(status)) {
 172                 return status;
 173         }
 174
 175         return NT_STATUS_OK;
 176 }
 177
 178 /**
 179  * Fix up the delta, dealing with encryption issues so that the final
 180  * callback need only do the printing or application logic
 181  */
 182
 183 NTSTATUS samsync_fix_delta(TALLOC_CTX *mem_ctx,
 184                            struct netlogon_creds_CredentialState *creds,
 185                            enum netr_SamDatabaseID database_id,
 186                            struct netr_DELTA_ENUM *delta)
 187 {
 188         NTSTATUS status = NT_STATUS_OK;
 189
 190         switch (delta->delta_type) {
 191                 case NETR_DELTA_USER:
 192
 193                         status = fix_user(mem_ctx,
 194                                           creds,
 195                                           database_id,
 196                                           delta);
 197                         break;
 198                 case NETR_DELTA_SECRET:
 199
 200                         status = fix_secret(mem_ctx,
 201                                             creds,
 202                                             database_id,
 203                                             delta);
 204                         break;
 205                 default:
 206                         break;
 207         }
 208
 209         return status;
 210 }
 211