2 Unix SMB/CIFS implementation.
4 DNS server handler for signed packets
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "system/network.h"
24 #include "librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/ndr_dns.h"
26 #include "dns_server/dns_server.h"
27 #include "libcli/util/ntstatus.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
32 #define DBGC_CLASS DBGC_DNS
34 static WERROR
dns_copy_tsig(TALLOC_CTX
*mem_ctx
,
35 struct dns_res_rec
*old
,
36 struct dns_res_rec
*new_rec
)
38 new_rec
->name
= talloc_strdup(mem_ctx
, old
->name
);
39 W_ERROR_HAVE_NO_MEMORY(new_rec
->name
);
41 new_rec
->rr_type
= old
->rr_type
;
42 new_rec
->rr_class
= old
->rr_class
;
43 new_rec
->ttl
= old
->ttl
;
44 new_rec
->length
= old
->length
;
45 new_rec
->rdata
.tsig_record
.algorithm_name
= talloc_strdup(mem_ctx
,
46 old
->rdata
.tsig_record
.algorithm_name
);
47 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.algorithm_name
);
49 new_rec
->rdata
.tsig_record
.time_prefix
= old
->rdata
.tsig_record
.time_prefix
;
50 new_rec
->rdata
.tsig_record
.time
= old
->rdata
.tsig_record
.time
;
51 new_rec
->rdata
.tsig_record
.fudge
= old
->rdata
.tsig_record
.fudge
;
52 new_rec
->rdata
.tsig_record
.mac_size
= old
->rdata
.tsig_record
.mac_size
;
53 new_rec
->rdata
.tsig_record
.mac
= talloc_memdup(mem_ctx
,
54 old
->rdata
.tsig_record
.mac
,
55 old
->rdata
.tsig_record
.mac_size
);
56 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.mac
);
58 new_rec
->rdata
.tsig_record
.original_id
= old
->rdata
.tsig_record
.original_id
;
59 new_rec
->rdata
.tsig_record
.error
= old
->rdata
.tsig_record
.error
;
60 new_rec
->rdata
.tsig_record
.other_size
= old
->rdata
.tsig_record
.other_size
;
61 new_rec
->rdata
.tsig_record
.other_data
= talloc_memdup(mem_ctx
,
62 old
->rdata
.tsig_record
.other_data
,
63 old
->rdata
.tsig_record
.other_size
);
64 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.other_data
);
69 struct dns_server_tkey
*dns_find_tkey(struct dns_server_tkey_store
*store
,
72 struct dns_server_tkey
*tkey
= NULL
;
76 struct dns_server_tkey
*tmp_key
= store
->tkeys
[i
];
79 i
%= TKEY_BUFFER_SIZE
;
81 if (tmp_key
== NULL
) {
84 if (samba_dns_name_equal(name
, tmp_key
->name
)) {
93 WERROR
dns_verify_tsig(struct dns_server
*dns
,
95 struct dns_request_state
*state
,
96 struct dns_name_packet
*packet
,
101 enum ndr_err_code ndr_err
;
102 uint16_t i
, arcount
= 0;
103 DATA_BLOB tsig_blob
, fake_tsig_blob
, sig
;
104 uint8_t *buffer
= NULL
;
105 size_t buffer_len
= 0, packet_len
= 0;
106 struct dns_server_tkey
*tkey
= NULL
;
107 struct dns_fake_tsig_rec
*check_rec
= talloc_zero(mem_ctx
,
108 struct dns_fake_tsig_rec
);
111 /* Find the first TSIG record in the additional records */
112 for (i
=0; i
< packet
->arcount
; i
++) {
113 if (packet
->additional
[i
].rr_type
== DNS_QTYPE_TSIG
) {
118 if (i
== packet
->arcount
) {
123 /* The TSIG record needs to be the last additional record */
124 if (i
+ 1 != packet
->arcount
) {
125 DEBUG(1, ("TSIG record not the last additional record!\n"));
126 return DNS_ERR(FORMAT_ERROR
);
129 /* We got a TSIG, so we need to sign our reply */
132 state
->tsig
= talloc_zero(state
->mem_ctx
, struct dns_res_rec
);
133 if (state
->tsig
== NULL
) {
134 return WERR_NOT_ENOUGH_MEMORY
;
137 werror
= dns_copy_tsig(state
->tsig
, &packet
->additional
[i
],
139 if (!W_ERROR_IS_OK(werror
)) {
145 tkey
= dns_find_tkey(dns
->tkeys
, state
->tsig
->name
);
148 * We must save the name for use in the TSIG error
149 * response and have no choice here but to save the
150 * keyname from the TSIG request.
152 state
->key_name
= talloc_strdup(state
->mem_ctx
,
154 if (state
->key_name
== NULL
) {
155 return WERR_NOT_ENOUGH_MEMORY
;
157 state
->tsig_error
= DNS_RCODE_BADKEY
;
158 return DNS_ERR(NOTAUTH
);
162 * Remember the keyname that found an existing tkey, used
163 * later to fetch the key with dns_find_tkey() when signing
164 * and adding a TSIG record with MAC.
166 state
->key_name
= talloc_strdup(state
->mem_ctx
, tkey
->name
);
167 if (state
->key_name
== NULL
) {
168 return WERR_NOT_ENOUGH_MEMORY
;
171 /* FIXME: check TSIG here */
172 if (check_rec
== NULL
) {
173 return WERR_NOT_ENOUGH_MEMORY
;
176 /* first build and verify check packet */
177 check_rec
->name
= talloc_strdup(check_rec
, tkey
->name
);
178 if (check_rec
->name
== NULL
) {
179 return WERR_NOT_ENOUGH_MEMORY
;
181 check_rec
->rr_class
= DNS_QCLASS_ANY
;
183 check_rec
->algorithm_name
= talloc_strdup(check_rec
, tkey
->algorithm
);
184 if (check_rec
->algorithm_name
== NULL
) {
185 return WERR_NOT_ENOUGH_MEMORY
;
187 check_rec
->time_prefix
= 0;
188 check_rec
->time
= state
->tsig
->rdata
.tsig_record
.time
;
189 check_rec
->fudge
= state
->tsig
->rdata
.tsig_record
.fudge
;
190 check_rec
->error
= 0;
191 check_rec
->other_size
= 0;
192 check_rec
->other_data
= NULL
;
194 ndr_err
= ndr_push_struct_blob(&tsig_blob
, mem_ctx
, state
->tsig
,
195 (ndr_push_flags_fn_t
)ndr_push_dns_res_rec
);
196 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
197 DEBUG(1, ("Failed to push packet: %s!\n",
198 ndr_errstr(ndr_err
)));
199 return DNS_ERR(SERVER_FAILURE
);
202 ndr_err
= ndr_push_struct_blob(&fake_tsig_blob
, mem_ctx
, check_rec
,
203 (ndr_push_flags_fn_t
)ndr_push_dns_fake_tsig_rec
);
204 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
205 DEBUG(1, ("Failed to push packet: %s!\n",
206 ndr_errstr(ndr_err
)));
207 return DNS_ERR(SERVER_FAILURE
);
210 /* we need to work some magic here. we need to keep the input packet
211 * exactly like we got it, but we need to cut off the tsig record */
212 packet_len
= in
->length
- tsig_blob
.length
;
213 buffer_len
= packet_len
+ fake_tsig_blob
.length
;
214 buffer
= talloc_zero_array(mem_ctx
, uint8_t, buffer_len
);
215 if (buffer
== NULL
) {
216 return WERR_NOT_ENOUGH_MEMORY
;
219 memcpy(buffer
, in
->data
, packet_len
);
220 memcpy(buffer
+ packet_len
, fake_tsig_blob
.data
, fake_tsig_blob
.length
);
222 sig
.length
= state
->tsig
->rdata
.tsig_record
.mac_size
;
223 sig
.data
= talloc_memdup(mem_ctx
, state
->tsig
->rdata
.tsig_record
.mac
, sig
.length
);
224 if (sig
.data
== NULL
) {
225 return WERR_NOT_ENOUGH_MEMORY
;
228 /* Now we also need to count down the additional record counter */
229 arcount
= RSVAL(buffer
, 10);
230 RSSVAL(buffer
, 10, arcount
-1);
232 status
= gensec_check_packet(tkey
->gensec
, buffer
, buffer_len
,
233 buffer
, buffer_len
, &sig
);
234 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED
, status
)) {
235 state
->tsig_error
= DNS_RCODE_BADSIG
;
236 return DNS_ERR(NOTAUTH
);
239 if (!NT_STATUS_IS_OK(status
)) {
240 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status
)));
241 return ntstatus_to_werror(status
);
244 state
->authenticated
= true;
249 static WERROR
dns_tsig_compute_mac(TALLOC_CTX
*mem_ctx
,
250 struct dns_request_state
*state
,
251 struct dns_name_packet
*packet
,
252 struct dns_server_tkey
*tkey
,
257 enum ndr_err_code ndr_err
;
258 DATA_BLOB packet_blob
, tsig_blob
, sig
;
259 uint8_t *buffer
= NULL
;
261 size_t buffer_len
= 0;
262 struct dns_fake_tsig_rec
*check_rec
= talloc_zero(mem_ctx
,
263 struct dns_fake_tsig_rec
);
266 if (check_rec
== NULL
) {
267 return WERR_NOT_ENOUGH_MEMORY
;
270 /* first build and verify check packet */
271 check_rec
->name
= talloc_strdup(check_rec
, tkey
->name
);
272 if (check_rec
->name
== NULL
) {
273 return WERR_NOT_ENOUGH_MEMORY
;
275 check_rec
->rr_class
= DNS_QCLASS_ANY
;
277 check_rec
->algorithm_name
= talloc_strdup(check_rec
, tkey
->algorithm
);
278 if (check_rec
->algorithm_name
== NULL
) {
279 return WERR_NOT_ENOUGH_MEMORY
;
281 check_rec
->time_prefix
= 0;
282 check_rec
->time
= current_time
;
283 check_rec
->fudge
= 300;
284 check_rec
->error
= state
->tsig_error
;
285 check_rec
->other_size
= 0;
286 check_rec
->other_data
= NULL
;
288 ndr_err
= ndr_push_struct_blob(&packet_blob
, mem_ctx
, packet
,
289 (ndr_push_flags_fn_t
)ndr_push_dns_name_packet
);
290 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
291 DEBUG(1, ("Failed to push packet: %s!\n",
292 ndr_errstr(ndr_err
)));
293 return DNS_ERR(SERVER_FAILURE
);
296 ndr_err
= ndr_push_struct_blob(&tsig_blob
, mem_ctx
, check_rec
,
297 (ndr_push_flags_fn_t
)ndr_push_dns_fake_tsig_rec
);
298 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
299 DEBUG(1, ("Failed to push packet: %s!\n",
300 ndr_errstr(ndr_err
)));
301 return DNS_ERR(SERVER_FAILURE
);
304 if (state
->tsig
!= NULL
) {
305 mac_size
= state
->tsig
->rdata
.tsig_record
.mac_size
;
308 buffer_len
= mac_size
;
310 buffer_len
+= packet_blob
.length
;
311 if (buffer_len
< packet_blob
.length
) {
312 return WERR_INVALID_PARAMETER
;
314 buffer_len
+= tsig_blob
.length
;
315 if (buffer_len
< tsig_blob
.length
) {
316 return WERR_INVALID_PARAMETER
;
319 buffer
= talloc_zero_array(mem_ctx
, uint8_t, buffer_len
);
320 if (buffer
== NULL
) {
321 return WERR_NOT_ENOUGH_MEMORY
;
327 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
328 * that we're going to sign:
329 * 1. MAC of request (if present)
334 memcpy(p
, state
->tsig
->rdata
.tsig_record
.mac
, mac_size
);
338 memcpy(p
, packet_blob
.data
, packet_blob
.length
);
339 p
+= packet_blob
.length
;
341 memcpy(p
, tsig_blob
.data
, tsig_blob
.length
);
343 status
= gensec_sign_packet(tkey
->gensec
, mem_ctx
, buffer
, buffer_len
,
344 buffer
, buffer_len
, &sig
);
345 if (!NT_STATUS_IS_OK(status
)) {
346 return ntstatus_to_werror(status
);
353 WERROR
dns_sign_tsig(struct dns_server
*dns
,
355 struct dns_request_state
*state
,
356 struct dns_name_packet
*packet
,
360 time_t current_time
= time(NULL
);
361 struct dns_res_rec
*tsig
= NULL
;
362 DATA_BLOB sig
= (DATA_BLOB
) {
367 tsig
= talloc_zero(mem_ctx
, struct dns_res_rec
);
369 return WERR_NOT_ENOUGH_MEMORY
;
372 if (state
->tsig_error
== DNS_RCODE_OK
) {
373 struct dns_server_tkey
*tkey
= dns_find_tkey(
374 dns
->tkeys
, state
->key_name
);
376 return DNS_ERR(SERVER_FAILURE
);
379 werror
= dns_tsig_compute_mac(mem_ctx
, state
, packet
,
380 tkey
, current_time
, &sig
);
381 if (!W_ERROR_IS_OK(werror
)) {
386 tsig
->name
= talloc_strdup(tsig
, state
->key_name
);
387 if (tsig
->name
== NULL
) {
388 return WERR_NOT_ENOUGH_MEMORY
;
390 tsig
->rr_class
= DNS_QCLASS_ANY
;
391 tsig
->rr_type
= DNS_QTYPE_TSIG
;
393 tsig
->length
= UINT16_MAX
;
394 tsig
->rdata
.tsig_record
.algorithm_name
= talloc_strdup(tsig
, "gss-tsig");
395 if (tsig
->rdata
.tsig_record
.algorithm_name
== NULL
) {
396 return WERR_NOT_ENOUGH_MEMORY
;
398 tsig
->rdata
.tsig_record
.time_prefix
= 0;
399 tsig
->rdata
.tsig_record
.time
= current_time
;
400 tsig
->rdata
.tsig_record
.fudge
= 300;
401 tsig
->rdata
.tsig_record
.error
= state
->tsig_error
;
402 tsig
->rdata
.tsig_record
.original_id
= packet
->id
;
403 tsig
->rdata
.tsig_record
.other_size
= 0;
404 tsig
->rdata
.tsig_record
.other_data
= NULL
;
405 if (sig
.length
> 0) {
406 tsig
->rdata
.tsig_record
.mac_size
= sig
.length
;
407 tsig
->rdata
.tsig_record
.mac
= talloc_memdup(tsig
, sig
.data
, sig
.length
);
408 if (tsig
->rdata
.tsig_record
.mac
== NULL
) {
409 return WERR_NOT_ENOUGH_MEMORY
;
413 if (packet
->arcount
== 0) {
414 packet
->additional
= talloc_zero(mem_ctx
, struct dns_res_rec
);
415 if (packet
->additional
== NULL
) {
416 return WERR_NOT_ENOUGH_MEMORY
;
419 packet
->additional
= talloc_realloc(mem_ctx
, packet
->additional
,
421 packet
->arcount
+ 1);
422 if (packet
->additional
== NULL
) {
423 return WERR_NOT_ENOUGH_MEMORY
;
426 werror
= dns_copy_tsig(mem_ctx
, tsig
,
427 &packet
->additional
[packet
->arcount
]);
428 if (!W_ERROR_IS_OK(werror
)) {