s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
authorAndreas Schneider <asn@samba.org>
Thu, 21 Dec 2023 09:32:25 +0000 (10:32 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 9 Apr 2024 22:52:38 +0000 (22:52 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/rpc_server/lsa/dcesrv_lsa.c

index b7e67e6a8dff5defc18edee4fa74db11bddef185..c958f1c597436aa102c4bfebdfd364b414cfb01d 100644 (file)
@@ -36,6 +36,7 @@
 #include "lib/util/smb_strtox.h"
 #include "lib/param/loadparm.h"
 #include "librpc/rpc/dcerpc_helper.h"
+#include "librpc/rpc/dcerpc_lsa.h"
 
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
@@ -864,6 +865,58 @@ static NTSTATUS dcesrv_lsa_EnumAccounts(struct dcesrv_call_state *dce_call, TALL
        return NT_STATUS_OK;
 }
 
+static NTSTATUS get_trustdom_auth_blob_aes(
+       struct dcesrv_call_state *dce_call,
+       TALLOC_CTX *mem_ctx,
+       struct lsa_TrustDomainInfoAuthInfoInternalAES *auth_info,
+       struct trustDomainPasswords *auth_struct)
+{
+       DATA_BLOB session_key = data_blob_null;
+       DATA_BLOB salt = data_blob(auth_info->salt, sizeof(auth_info->salt));
+       DATA_BLOB auth_blob = data_blob(auth_info->cipher.data,
+                                       auth_info->cipher.size);
+       DATA_BLOB ciphertext = data_blob_null;
+       enum ndr_err_code ndr_err;
+       NTSTATUS status;
+
+       /*
+        * The data blob starts with 512 bytes of random data and has two 32bit
+        * size parameters.
+        */
+       if (auth_blob.length < 520) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       status = dcesrv_transport_session_key(dce_call, &session_key);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       status = samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(
+               mem_ctx,
+               &auth_blob,
+               &session_key,
+               &lsa_aes256_enc_key_salt,
+               &lsa_aes256_mac_key_salt,
+               &salt,
+               auth_info->auth_data,
+               &ciphertext);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       ndr_err = ndr_pull_struct_blob(
+                       &ciphertext,
+                       mem_ctx,
+                       auth_struct,
+                       (ndr_pull_flags_fn_t)ndr_pull_trustDomainPasswords);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return NT_STATUS_OK;
+}
+
 /* This decrypts and returns Trusted Domain Auth Information Internal data */
 static NTSTATUS get_trustdom_auth_blob(struct dcesrv_call_state *dce_call,
                                       TALLOC_CTX *mem_ctx, DATA_BLOB *auth_blob,
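Review bot: The decrypted trust-domain passwords in `ciphertext` remain in talloc memory after the `ndr_pull_struct_blob` call, on both the failure and the success path of get_trustdom_auth_blob_aes, and nothing in the new function wipes them. If the pulled `auth_struct` does not alias the decrypted buffer (the NDR pull appears to copy into `mem_ctx`, but confirm), the buffer should be cleared once consumed: `if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { data_blob_clear_free(&ciphertext); return NT_STATUS_INVALID_PARAMETER; }` and `data_blob_clear_free(&ciphertext);` before `return NT_STATUS_OK;`. Whether `session_key` needs the same treatment depends on whether `dcesrv_transport_session_key` hands back a copy or a reference into the session; that is not visible here. Separately, the comment above the `auth_blob.length < 520` guard describes the decrypted layout (512 confounder bytes plus two 32-bit sizes) while the guard is applied to the still-encrypted `auth_blob`; a short plaintext is still rejected by the NDR pull, but the comment reads more accurately as `/* The decrypted data starts with 512 bytes of random data and two 32bit size parameters, so the ciphertext cannot be shorter than that. */`.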