/*
   Unix SMB/CIFS implementation.
   Group Key Distribution Protocol functions
   Copyright (C) Catalyst.Net Ltd 2023

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <https://www.gnu.org/licenses/>.
*/
# ifndef LIB_CRYPTO_GKDI_H
# define LIB_CRYPTO_GKDI_H
# include <stdint.h>
# include <gnutls/gnutls.h>
# include "lib/util/data_blob.h"
# include "libcli/util/ntstatus.h"
# include "librpc/gen_ndr/misc.h"
# include "lib/util/time.h"
# include "talloc.h"
/*
 * Identifies the key derivation function used to derive keys from a root
 * key. Only one algorithm is defined here; struct KdfAlgorithm pairs this
 * id with the algorithm-specific parameter.
 */
enum KdfAlgorithmId {
	KDF_ALGORITHM_SP800_108_CTR_HMAC, /* NIST SP 800-108 KDF, counter mode, HMAC PRF */
};
/*
 * String name of the SP 800-108 counter-mode HMAC KDF. Presumably the value
 * that kdf_algorithm_from_params() matches its kdf_algorithm_id argument
 * against — confirm with the implementation.
 */
#define SP800_108_CTR_HMAC "SP800_108_CTR_HMAC"
/*
 * Hash functions selectable as the HMAC underlying the SP 800-108 KDF.
 * get_sp800_108_mac_algorithm() maps a KdfAlgorithm carrying one of these
 * to the corresponding GnuTLS MAC algorithm.
 */
enum KdfSp800_108Param {
	KDF_PARAM_SHA1,
	KDF_PARAM_SHA256,
	KDF_PARAM_SHA384,
	KDF_PARAM_SHA512,
};
/*
 * A KDF selection: which algorithm ('id') plus its algorithm-specific
 * parameter. The active member of 'param' is chosen by 'id'; for
 * KDF_ALGORITHM_SP800_108_CTR_HMAC that is 'sp800_108'.
 */
struct KdfAlgorithm {
	union {
		/* valid when id == KDF_ALGORITHM_SP800_108_CTR_HMAC */
		enum KdfSp800_108Param sp800_108;
	} param;
	enum KdfAlgorithmId id;
};
/* Known root key version numbers (cf. struct ProvRootKey::version). */
enum {
	root_key_version_1 = 1,
};
/*
 * A provisioned root key, the input from which compute_seed_key() derives
 * seed keys. 'data' holds the root key material itself and should be treated
 * as secret: every key derived from it is only as private as this blob.
 */
struct ProvRootKey {
	struct GUID id;            /* root key identifier */
	DATA_BLOB data;            /* root key material — secret */
	NTTIME create_time;
	NTTIME use_start_time;
	const char *domain_id;
	struct KdfAlgorithm kdf_algorithm; /* KDF used with this root key */
	int32_t version;           /* see root_key_version_1 */
};
/*
 * Construct a struct ProvRootKey from its parts.
 *
 * @param mem_ctx         talloc context; the result is presumably allocated
 *                        under it — confirm with the implementation
 * @param root_key_id     identifier of the root key
 * @param version         root key version (see root_key_version_1)
 * @param root_key_data   root key material (secret)
 * @param create_time
 * @param use_start_time
 * @param domain_id
 * @param kdf_algorithm   KDF to associate with the root key
 * @param root_key_out    receives the constructed root key
 * @return an NTSTATUS; callers must check it and not rely on *root_key_out
 *         on failure. Whether root_key_data and domain_id are copied or
 *         merely referenced is not visible here — check before freeing them.
 */
NTSTATUS ProvRootKey(TALLOC_CTX *mem_ctx,
		     const struct GUID root_key_id,
		     const int32_t version,
		     const DATA_BLOB root_key_data,
		     const NTTIME create_time,
		     const NTTIME use_start_time,
		     const char *const domain_id,
		     const struct KdfAlgorithm kdf_algorithm,
		     const struct ProvRootKey **const root_key_out);
/*
 * A group key identifier: the position of a key in the L0/L1/L2 derivation
 * hierarchy. l1_idx and l2_idx are documented as 0..31, matching
 * gkdi_l1_key_iteration and gkdi_l2_key_iteration; nothing in this struct
 * enforces that, so use gkid_is_valid() before relying on a value that was
 * built with Gkid() or read from external data.
 */
struct Gkid {
	int32_t l0_idx;
	int8_t l1_idx; /* [range(0, 31)] */
	int8_t l2_idx; /* [range(0, 31)] */
};
/*
 * The kind of key a GKID designates, as classified by gkid_key_type().
 * The values 0..2 are the level of the seed key; GKID_DEFAULT (-1) is a
 * distinct case rather than a level.
 */
enum GkidType {
	GKID_DEFAULT = -1,
	GKID_L0_SEED_KEY = 0,
	GKID_L1_SEED_KEY = 1,
	GKID_L2_SEED_KEY = 2,
};
/*
 * Build a struct Gkid from its three indices. No range checking is done
 * here: the result may be out of range and must be checked with
 * gkid_is_valid() before it is used.
 */
static inline struct Gkid Gkid(int32_t l0_idx, int8_t l1_idx, int8_t l2_idx)
{
	struct Gkid gkid = {
		.l0_idx = l0_idx,
		.l1_idx = l1_idx,
		.l2_idx = l2_idx,
	};
	return gkid;
}
/*
 * Sentinel GKID. Every index is the minimum of its type, which puts l1_idx
 * and l2_idx far outside their documented 0..31 range, so it cannot denote a
 * real key position. Presumably this is exactly what gkid_is_valid()
 * rejects — confirm with the implementation.
 */
static const struct Gkid invalid_gkid = {
	INT32_MIN,
	INT8_MIN,
	INT8_MIN,
};
/*
 * Magic number identifying a key envelope. As a little-endian 32-bit value
 * its bytes are 0x4b 0x44 0x53 0x4b, i.e. "KDSK".
 */
static const uint32_t key_envelope_magic = 0x4b53444b; /* 'KDSK' */
/*
 * Identifies a particular key: the root key it derives from plus its
 * position (GKID) in the derivation hierarchy.
 */
struct KeyEnvelopeId {
	struct GUID root_key_id; /* cf. struct ProvRootKey::id */
	struct Gkid gkid;
};
struct KeyEnvelope; /* defined elsewhere; only used by pointer here */

/*
 * Parse a key envelope from the blob *pwd_id_blob into *pwd_id_out. The
 * blob is parsed, not trusted: the caller must check the returned NTSTATUS
 * and treat *pwd_id_out as unset on failure.
 */
NTSTATUS gkdi_pull_KeyEnvelope(TALLOC_CTX *mem_ctx,
			       const DATA_BLOB *pwd_id_blob,
			       struct KeyEnvelope *pwd_id_out);

/*
 * Extract the KeyEnvelopeId (root key id + GKID) from the key envelope blob
 * key_env into *key_env_out. Unlike its sibling this returns a pointer, not
 * an NTSTATUS — presumably key_env_out on success and NULL on a malformed
 * blob; confirm with the implementation and always check the result.
 */
const struct KeyEnvelopeId *gkdi_pull_KeyEnvelopeId(
	const DATA_BLOB key_env,
	struct KeyEnvelopeId *key_env_out);
/* Classify a GKID (see enum GkidType). */
enum GkidType gkid_key_type(const struct Gkid gkid);

/*
 * Whether gkid denotes a well-formed key position. Call this on any GKID
 * built with Gkid() or read from external data before using it.
 * NOTE(review): 'bool' needs <stdbool.h>, which this header does not include
 * directly — it relies on one of the included headers to provide it; confirm.
 */
bool gkid_is_valid(const struct Gkid gkid);
/*
 * Number of iterations at the L1 and L2 levels (32 each); hence the
 * documented 0..31 range of l1_idx and l2_idx in struct Gkid.
 */
static const int gkdi_l1_key_iteration = 32;
static const int gkdi_l2_key_iteration = 32;
/*
 * Length of one key cycle in NTTIME units (100 ns):
 * 10 h = 36,000 s = 360,000,000,000 x 100 ns. The unsuffixed literal takes
 * type long long where long is 32-bit, so it is well-formed on every target.
 */
static const int64_t gkdi_key_cycle_duration = 360000000000; /* ten hours */
/*
 * Maximum tolerated clock skew, in minutes. Expresses the same bound as
 * gkdi_max_clock_skew; keep the two in step.
 */
static const int gkdi_max_clock_skew_mins = 5;
/*
 * Maximum tolerated clock skew in NTTIME units (100 ns):
 * 5 min = 300 s = 3,000,000,000 x 100 ns. Expresses the same bound as
 * gkdi_max_clock_skew_mins; keep the two in step.
 */
static const int64_t gkdi_max_clock_skew = 3000000000; /* five minutes */
/* Size in bytes of a derived seed key, as written by compute_seed_key(). */
#define GKDI_KEY_LEN 64
/*
 * The GKID of the key interval containing the given time. Whether the result
 * can be invalid_gkid is not visible here — check it with gkid_is_valid()
 * unless the implementation guarantees otherwise.
 */
struct Gkid gkdi_get_interval_id(const NTTIME time);
/*
 * Compute the start time of the key identified by gkid into *start_time_out.
 * Returns false on failure, in which case *start_time_out must not be used.
 */
bool gkdi_get_key_start_time(const struct Gkid gkid, NTTIME *start_time_out);
/* The start of the key interval containing the given time. */
NTTIME gkdi_get_interval_start_time(const NTTIME time);

/* Ordering on GKIDs: whether g1 is at or before g2 in the L0/L1/L2 hierarchy. */
bool gkid_less_than_or_equal_to(const struct Gkid g1, const struct Gkid g2);

/*
 * Convert a managed password interval (units not stated here — presumably
 * days; confirm) into an NTTIME duration in *result. The input is a signed
 * 64-bit value whose range is not constrained by this declaration; the
 * function returns false when the conversion cannot be performed, and
 * *result is then unspecified, so check the return before using *result.
 */
bool gkdi_rollover_interval(const int64_t managed_password_interval,
			    NTTIME *result);
/*
 * Map a KdfAlgorithm to the GnuTLS MAC algorithm implementing its HMAC
 * (see enum KdfSp800_108Param for the supported hashes).
 */
gnutls_mac_algorithm_t get_sp800_108_mac_algorithm(
	const struct KdfAlgorithm kdf_algorithm);
/*
 * Derive the seed key identified by gkid from root_key, with
 * target_security_descriptor as a further input (presumably mixed into the
 * derivation — confirm), writing GKDI_KEY_LEN bytes to 'out'.
 *
 * The [static GKDI_KEY_LEN] declarator means the caller must pass a non-NULL
 * buffer of at least GKDI_KEY_LEN bytes. 'out' receives key material:
 * callers should clear it once it is no longer needed, using a call the
 * compiler cannot elide. Returns an NTSTATUS; on failure the contents of
 * 'out' are unspecified and must not be used as a key.
 */
NTSTATUS compute_seed_key(TALLOC_CTX *mem_ctx,
			  const DATA_BLOB target_security_descriptor,
			  const struct ProvRootKey *const root_key,
			  const struct Gkid gkid,
			  uint8_t out[static const GKDI_KEY_LEN]);
/*
 * Parse the SP 800-108 parameter blob *kdf_param into *kdf_algorithm_out.
 * Returns an NTSTATUS; *kdf_algorithm_out is only meaningful on success.
 */
NTSTATUS kdf_sp_800_108_from_params(
	const DATA_BLOB *const kdf_param,
	struct KdfAlgorithm *const kdf_algorithm_out);

/*
 * Select a KDF from its string identifier and parameter blob. The only
 * identifier this header defines is SP800_108_CTR_HMAC; presumably any other
 * kdf_algorithm_id yields a failure status rather than a default — confirm
 * with the implementation. Returns an NTSTATUS; *kdf_algorithm_out is only
 * meaningful on success.
 */
NTSTATUS kdf_algorithm_from_params(
	const char *const kdf_algorithm_id,
	const DATA_BLOB *const kdf_param,
	struct KdfAlgorithm *const kdf_algorithm_out);
# endif /* LIB_CRYPTO_GKDI_H */