gkdi.idl: Add definitions for the Group Key Distribution Service
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 13 Nov 2023 04:08:58 +0000 (17:08 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 8 Dec 2023 02:28:33 +0000 (02:28 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
librpc/idl/gkdi.idl [new file with mode: 0644]
librpc/idl/wscript_build
librpc/wscript_build
source4/librpc/wscript_build

diff --git a/librpc/idl/gkdi.idl b/librpc/idl/gkdi.idl
new file mode 100644 (file)
index 0000000..4f03527
--- /dev/null
@@ -0,0 +1,111 @@
+/*
+ * Type definitions for Group Key Distribution Service
+ *
+ * The below was initially obtained from MS-GKDI which is copyright © 2021
+ * Microsoft Corporation as permitted by the Open Specifications terms
+ * reproduced in IDL_LICENCE.txt.
+ *
+ * Only GetKey() was provided as IDL. The definitions of GroupKeyEnvelope,
+ * KdfParameters, and FfcDhParameters were derived from structure diagrams.
+ * KeyEnvelope was undocumented.
+ */
+
+#include "idl_types.h"
+
+import "misc.idl";
+
+[
+  uuid("b9785960-524f-11df-8b6d-83dcded72085"),
+  endpoint("ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
+  version(1.0),
+  pointer_default(unique),
+  helpstring("Active Directory Group Key Distribution Service")
+]
+interface gkdi
+{
+       /* Public structures. */
+
+       typedef [bitmap32bit] bitmap {
+               ENVELOPE_FLAG_TRANSPORTING_PUBLIC_KEY = 0x00000001,
+               ENVELOPE_FLAG_KEY_MAY_ENCRYPT_NEW_DATA = 0x00000002
+       } EnvelopeFlags;
+
+       /*
+        * This is an undocumented type. It is similar to GroupKeyEnvelope, but
+        * with some fields omitted.
+        */
+       typedef [public] struct {
+               uint32 version;
+               [value(0x4b53444b)] uint32 magic; /* ‘KDSK’ */
+               EnvelopeFlags flags;
+               uint32 l0_index;
+               [range(0, 31)] uint32 l1_index;
+               [range(0, 31)] uint32 l2_index;
+               GUID root_key_id;
+               uint32 unknown; /* This might be the length of a key that is rarely or never present. */
+               [value(2 * ndr_charset_length(domain_name, CH_UTF16))] uint32 domain_name_len;
+               [value(2 * ndr_charset_length(forest_name, CH_UTF16))] uint32 forest_name_len;
+               nstring domain_name;
+               nstring forest_name;
+       } KeyEnvelope;
+
+       typedef [public] struct {
+               uint32 version; /* The version (msKds-Version) of the root key ADM element. */
+               [value(0x4b53444b)] uint32 magic; /* ‘KDSK’ */
+               EnvelopeFlags flags;
+               uint32 l0_index;
+               [range(0, 31)] uint32 l1_index;
+               [range(0, 31)] uint32 l2_index;
+               GUID root_key_id;
+               [value(2 * ndr_charset_length(kdf_algorithm, CH_UTF16))] uint32 kdf_algorithm_len;
+               uint32 kdf_parameters_len;
+               [value(2 * ndr_charset_length(secret_agreement_algorithm, CH_UTF16))] uint32 secret_agreement_algorithm_len;
+               uint32 secret_agreement_parameters_len;
+               uint32 private_key_len;
+               uint32 public_key_len;
+               uint32 l1_key_len;
+               uint32 l2_key_len;
+               [value(2 * ndr_charset_length(domain_name, CH_UTF16))] uint32 domain_name_len;
+               [value(2 * ndr_charset_length(forest_name, CH_UTF16))] uint32 forest_name_len;
+               nstring kdf_algorithm;
+               uint8 kdf_parameters[kdf_parameters_len];
+               nstring secret_agreement_algorithm;
+               uint8 secret_agreement_parameters[secret_agreement_parameters_len];
+               nstring domain_name;
+               nstring forest_name;
+               [flag(NDR_SECRET)] uint8 l1_key[l1_key_len];
+               [flag(NDR_SECRET)] uint8 l2_key[l2_key_len];
+       } GroupKeyEnvelope;
+
+       typedef [public] struct {
+               [value(0)] uint32 padding_0;
+               [value(1)] uint32 padding_1;
+               [value(2 * ndr_charset_length(hash_algorithm, CH_UTF16))] uint32 hash_algorithm_len;
+               [value(0)] uint32 padding_2;
+               nstring hash_algorithm;
+       } KdfParameters;
+
+       typedef [public] struct {
+               /*
+                * Twelve bytes account for the length, magic number, and key
+                * length; the remaining bytes cover the two arrays of
+                * ‘key_length’ bytes each.
+                */
+               [value(12 + 2 * key_length)] uint32 length;
+               [value(0x4d504844)] uint32 magic; /* ‘DHPM’ */
+               uint32 key_length;
+               uint8 field_order[key_length];
+               uint8 generator[key_length];
+       } FfcDhParameters;
+
+       HRESULT gkdi_GetKey(
+               [in] uint32 target_sd_len,
+               [in] [size_is(target_sd_len)] [ref] char *target_sd,
+               [in] [unique] GUID* root_key_id,
+               [in] int32 l0_key_id,
+               [in] int32 l1_key_id,
+               [in] int32 l2_key_id,
+               [out] uint32 *out_len,
+               [out] [size_is(,*out_len)] uint8** out
+       );
+}
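Review bot: The `[value(...)]` attributes on `magic`, `length` and the `*_len` fields of KeyEnvelope, GroupKeyEnvelope and FfcDhParameters fix what the generated code pushes, but as far as I recall PIDL does not enforce them on pull, so a received envelope with a wrong magic, an unexpected `version` or a `length` inconsistent with `key_length` would be accepted by the parser (only the `[range(0, 31)]` on `l1_index`/`l2_index` is checked on pull). Since this service is client-only, whatever consumes a pulled GroupKeyEnvelope should verify `magic == 0x4b53444b` and the expected `version` before using `l1_key`/`l2_key`, and stating that at the struct would help, e.g. `/* [value] constrains push only; check magic and version after ndr_pull. */`. The same applies to `kdf_parameters` and `secret_agreement_parameters`, which are kept as raw byte arrays here and need to be decoded as KdfParameters/FfcDhParameters and validated by the caller; a one-line comment on those two fields saying so would make the contract explicit.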
index 1f4d54c87de6db83814f827e288277489a2ea304..9b2dfd901499d344b914c5e177f933c7a2f322fa 100644 (file)
@@ -27,7 +27,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
 
 # Services that we only have a client for
 bld.SAMBA_PIDL_LIST('PIDL',
-                    '''atsvc.idl''',
+                    '''atsvc.idl gkdi.idl''',
                     options='--header --ndr-parser --client --python',
                     output_dir='../gen_ndr')
 
index c80c23137ed0f72a7553f16e2b36a7282ec5d8b5..f7763e1013d5a791608ce674c450c35068e67cc5 100644 (file)
@@ -390,6 +390,10 @@ bld.SAMBA_SUBSYSTEM('NDR_CLAIMS',
     source='gen_ndr/ndr_claims.c ndr/ndr_claims.c',
     deps='ndr NDR_COMPRESSION LZXPRESS')
 
+bld.SAMBA_SUBSYSTEM('NDR_GKDI',
+    source='gen_ndr/ndr_gkdi.c',
+    deps='ndr')
+
 bld.SAMBA_SUBSYSTEM('NDR_GMSA',
     source='gen_ndr/ndr_gmsa.c',
     deps='ndr')
@@ -631,6 +635,11 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_MDSSVC',
     public_deps='dcerpc-binding NDR_MDSSVC'
     )
 
+bld.SAMBA_SUBSYSTEM('RPC_NDR_GKDI',
+    source='gen_ndr/ndr_gkdi_c.c',
+    public_deps='dcerpc-binding NDR_GKDI'
+    )
+
 # a grouping library for NDR subsystems that may be used by more than one target
 bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
@@ -638,7 +647,7 @@ bld.SAMBA_LIBRARY('ndr-samba',
     NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH
     NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV
     NDR_SMB3POSIX
-    NDR_KRB5CCACHE NDR_WSP NDR_GMSA''',
+    NDR_KRB5CCACHE NDR_WSP NDR_GKDI NDR_GMSA''',
     private_library=True,
     grouping_library=True
     )
@@ -649,7 +658,7 @@ bld.SAMBA_LIBRARY('dcerpc-samba',
     deps='''RPC_NDR_LSA RPC_NDR_SAMR RPC_NDR_NETLOGON RPC_NDR_EVENTLOG
     RPC_NDR_DFS RPC_NDR_NTSVCS RPC_NDR_SVCCTL RPC_NDR_INITSHUTDOWN
     RPC_NDR_WKSSVC RPC_NDR_SRVSVC RPC_NDR_WINREG RPC_NDR_ECHO RPC_NDR_EPMAPPER
-    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER''',
+    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER RPC_NDR_GKDI''',
     public_deps='ndr-standard',
     private_library=True,
     grouping_library=True
index 0a08c524ea73df2cbf69418571b8fd30fda8cbf7..2f6d4304b712979351bb44d8bebca9ca3f9ac4c8 100644 (file)
@@ -268,6 +268,13 @@ bld.SAMBA_PYTHON('python_claims',
         cflags_end=gen_cflags
         )
 
+bld.SAMBA_PYTHON('python_gkdi',
+        source='../../librpc/gen_ndr/py_gkdi.c',
+        deps='RPC_NDR_GKDI %s %s' % (pytalloc_util, pyrpc_util),
+        realname='samba/dcerpc/gkdi.so',
+        cflags_end=gen_cflags
+        )
+
 bld.SAMBA_PYTHON('python_gmsa',
         source='../../librpc/gen_ndr/py_gmsa.c',
         deps='NDR_GMSA %s %s' % (pytalloc_util, pyrpc_util),