From 879b65710b266fecaca01b9dd40474b2cc35d417 Mon Sep 17 00:00:00 2001
From: Arvid Requate <requate@univention.de>
Date: Mon, 7 Jul 2014 18:48:41 +0200
Subject: [PATCH] s4-backupkey: IDL for ServerWrap subprotocol

This adds some IDL structs for the ServerWrap subprotocol, allowing
parsing of the incoming RPC calls and returning WERR_NOT_SUPPORTED
instead of WERR_INVALID_PARAM.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
---
 librpc/idl/backupkey.idl                      | 26 ++++++++++++++++++-
 .../rpc_server/backupkey/dcesrv_backupkey.c   | 12 +++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/librpc/idl/backupkey.idl b/librpc/idl/backupkey.idl
index b504ca578e9f..18098cd0a6a2 100644
--- a/librpc/idl/backupkey.idl
+++ b/librpc/idl/backupkey.idl
@@ -98,15 +98,39 @@ interface backupkey
 		uint8 hash[64];
 	} bkrp_access_check_v3;
 
+	[public] typedef struct {
+		[subcontext(0),subcontext_size(32),flag(NDR_REMAINING)] DATA_BLOB r3;
+		[subcontext(0),subcontext_size(20),flag(NDR_REMAINING)] DATA_BLOB mac;
+		dom_sid sid;
+		[subcontext(0),flag(NDR_REMAINING)] DATA_BLOB secret;
+	} bkrp_rc4encryptedpayload;
+
+	[public] typedef struct {
+		[value(0x00000001)] uint32 magic;
+		uint32 payload_length;
+		uint32 cyphertext_length;
+		[subcontext(0),subcontext_size(16),flag(NDR_REMAINING)] DATA_BLOB guid_of_wrapping_key;
+		[subcontext(0),subcontext_size(68),flag(NDR_REMAINING)] DATA_BLOB r2;
+		[subcontext(0),flag(NDR_REMAINING)] DATA_BLOB rc4encryptedpayload;
+	} bkrp_server_side_wrapped;
+
+	[public] typedef struct {
+		[flag(NDR_REMAINING)] DATA_BLOB opaque;
+	} bkrp_opaque_blob;
+
 	typedef enum {
 		BACKUPKEY_INVALID_GUID_INTEGER = 0xFFFF,
 		BACKUPKEY_RESTORE_GUID_INTEGER = 0x0000,
-		BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001
+		BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER = 0x0001,
+		BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER = 0x0002,
+		BACKUPKEY_BACKUP_GUID_INTEGER = 0x0003
 	} bkrp_guid_to_integer;
 
 	[public] typedef [nodiscriminant] union {
 		[case(BACKUPKEY_RESTORE_GUID_INTEGER)] bkrp_client_side_wrapped restore_req;
 		[case(BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID_INTEGER)] bkrp_empty empty;
+		[case(BACKUPKEY_RESTORE_GUID_WIN2K_INTEGER)] bkrp_server_side_wrapped unsign_req;
+		[case(BACKUPKEY_BACKUP_GUID_INTEGER)] bkrp_opaque_blob sign_req;
 	} bkrp_data_in_blob;
 
 	/******************/
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 07af1c0adba3..9dc795157a24 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1308,6 +1308,18 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
 			DEBUG(debuglevel, ("Client %s requested certificate for client wrapped secret\n", addr));
 			error = bkrp_do_retreive_client_wrap_key(dce_call, mem_ctx, r, ldb_ctx);
 		}
+
+		if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+			BACKUPKEY_RESTORE_GUID_WIN2K, strlen(BACKUPKEY_RESTORE_GUID_WIN2K)) == 0) {
+			DEBUG(debuglevel, ("Client %s requested to decrypt a server side wrapped secret, not implemented yet\n", addr));
+			return WERR_NOT_SUPPORTED; /* is this appropriate? */
+		}
+
+		if (strncasecmp(GUID_string(mem_ctx, r->in.guidActionAgent),
+			BACKUPKEY_BACKUP_GUID, strlen(BACKUPKEY_BACKUP_GUID)) == 0) {
+			DEBUG(debuglevel, ("Client %s requested a server wrapped secret, not implemented yet\n", addr));
+			return WERR_NOT_SUPPORTED; /* is this appropriate? */
+		}
 	}
 	/*else: I am a RODC so I don't handle backup key protocol */