search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: tests: Add new test_stream_dir_rename.sh test.
[Samba.git] / source4 / dns_server / dns_crypto.c
blobb38eb8b13bb2bdae22dd80f279867d5b75ee9904
1 /*
2 Unix SMB/CIFS implementation.
3
4 DNS server handler for signed packets
5
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include "librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/ndr_dns.h"
26 #include "dns_server/dns_server.h"
27 #include "libcli/util/ntstatus.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_DNS
33
34 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
35 struct dns_res_rec *old,
36 struct dns_res_rec *new_rec)
37 {
38 new_rec->name = talloc_strdup(mem_ctx, old->name);
39 W_ERROR_HAVE_NO_MEMORY(new_rec->name);
40
41 new_rec->rr_type = old->rr_type;
42 new_rec->rr_class = old->rr_class;
43 new_rec->ttl = old->ttl;
44 new_rec->length = old->length;
45 new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
46 old->rdata.tsig_record.algorithm_name);
47 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
48
49 new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
50 new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
51 new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
52 new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
53 new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
54 old->rdata.tsig_record.mac,
55 old->rdata.tsig_record.mac_size);
56 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
57
58 new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
59 new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
60 new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
61 new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
62 old->rdata.tsig_record.other_data,
63 old->rdata.tsig_record.other_size);
64 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
65
66 return WERR_OK;
67 }
68
69 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
70 const char *name)
71 {
72 struct dns_server_tkey *tkey = NULL;
73 uint16_t i = 0;
74
75 do {
76 struct dns_server_tkey *tmp_key = store->tkeys[i];
77
78 i++;
79 i %= TKEY_BUFFER_SIZE;
80
81 if (tmp_key == NULL) {
82 continue;
83 }
84 if (samba_dns_name_equal(name, tmp_key->name)) {
85 tkey = tmp_key;
86 break;
87 }
88 } while (i != 0);
89
90 return tkey;
91 }
92
93 WERROR dns_verify_tsig(struct dns_server *dns,
94 TALLOC_CTX *mem_ctx,
95 struct dns_request_state *state,
96 struct dns_name_packet *packet,
97 DATA_BLOB *in)
98 {
99 WERROR werror;
100 NTSTATUS status;
101 enum ndr_err_code ndr_err;
102 uint16_t i, arcount = 0;
103 DATA_BLOB tsig_blob, fake_tsig_blob, sig;
104 uint8_t *buffer = NULL;
105 size_t buffer_len = 0, packet_len = 0;
106 struct dns_server_tkey *tkey = NULL;
107 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
108 struct dns_fake_tsig_rec);
109
110
111 /* Find the first TSIG record in the additional records */
112 for (i=0; i < packet->arcount; i++) {
113 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
114 break;
115 }
116 }
117
118 if (i == packet->arcount) {
119 /* no TSIG around */
120 return WERR_OK;
121 }
122
123 /* The TSIG record needs to be the last additional record */
124 if (i + 1 != packet->arcount) {
125 DEBUG(1, ("TSIG record not the last additional record!\n"));
126 return DNS_ERR(FORMAT_ERROR);
127 }
128
129 /* We got a TSIG, so we need to sign our reply */
130 state->sign = true;
131
132 state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
133 if (state->tsig == NULL) {
134 return WERR_NOT_ENOUGH_MEMORY;
135 }
136
137 werror = dns_copy_tsig(state->tsig, &packet->additional[i],
138 state->tsig);
139 if (!W_ERROR_IS_OK(werror)) {
140 return werror;
141 }
142
143 packet->arcount--;
144
145 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
146 if (tkey == NULL) {
147 /*
148 * We must save the name for use in the TSIG error
149 * response and have no choice here but to save the
150 * keyname from the TSIG request.
151 */
152 state->key_name = talloc_strdup(state->mem_ctx,
153 state->tsig->name);
154 if (state->key_name == NULL) {
155 return WERR_NOT_ENOUGH_MEMORY;
156 }
157 state->tsig_error = DNS_RCODE_BADKEY;
158 return DNS_ERR(NOTAUTH);
159 }
160
161 /*
162 * Remember the keyname that found an existing tkey, used
163 * later to fetch the key with dns_find_tkey() when signing
164 * and adding a TSIG record with MAC.
165 */
166 state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
167 if (state->key_name == NULL) {
168 return WERR_NOT_ENOUGH_MEMORY;
169 }
170
171 /* FIXME: check TSIG here */
172 if (check_rec == NULL) {
173 return WERR_NOT_ENOUGH_MEMORY;
174 }
175
176 /* first build and verify check packet */
177 check_rec->name = talloc_strdup(check_rec, tkey->name);
178 if (check_rec->name == NULL) {
179 return WERR_NOT_ENOUGH_MEMORY;
180 }
181 check_rec->rr_class = DNS_QCLASS_ANY;
182 check_rec->ttl = 0;
183 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
184 if (check_rec->algorithm_name == NULL) {
185 return WERR_NOT_ENOUGH_MEMORY;
186 }
187 check_rec->time_prefix = 0;
188 check_rec->time = state->tsig->rdata.tsig_record.time;
189 check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
190 check_rec->error = 0;
191 check_rec->other_size = 0;
192 check_rec->other_data = NULL;
193
194 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
195 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
196 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
197 DEBUG(1, ("Failed to push packet: %s!\n",
198 ndr_errstr(ndr_err)));
199 return DNS_ERR(SERVER_FAILURE);
200 }
201
202 ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
203 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
204 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
205 DEBUG(1, ("Failed to push packet: %s!\n",
206 ndr_errstr(ndr_err)));
207 return DNS_ERR(SERVER_FAILURE);
208 }
209
210 /* we need to work some magic here. we need to keep the input packet
211 * exactly like we got it, but we need to cut off the tsig record */
212 packet_len = in->length - tsig_blob.length;
213 buffer_len = packet_len + fake_tsig_blob.length;
214 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
215 if (buffer == NULL) {
216 return WERR_NOT_ENOUGH_MEMORY;
217 }
218
219 memcpy(buffer, in->data, packet_len);
220 memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
221
222 sig.length = state->tsig->rdata.tsig_record.mac_size;
223 sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
224 if (sig.data == NULL) {
225 return WERR_NOT_ENOUGH_MEMORY;
226 }
227
228 /* Now we also need to count down the additional record counter */
229 arcount = RSVAL(buffer, 10);
230 RSSVAL(buffer, 10, arcount-1);
231
232 status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
233 buffer, buffer_len, &sig);
234 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
235 state->tsig_error = DNS_RCODE_BADSIG;
236 return DNS_ERR(NOTAUTH);
237 }
238
239 if (!NT_STATUS_IS_OK(status)) {
240 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
241 return ntstatus_to_werror(status);
242 }
243
244 state->authenticated = true;
245
246 return WERR_OK;
247 }
248
249 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
250 struct dns_request_state *state,
251 struct dns_name_packet *packet,
252 struct dns_server_tkey *tkey,
253 time_t current_time,
254 DATA_BLOB *_psig)
255 {
256 NTSTATUS status;
257 enum ndr_err_code ndr_err;
258 DATA_BLOB packet_blob, tsig_blob, sig;
259 uint8_t *buffer = NULL;
260 uint8_t *p = NULL;
261 size_t buffer_len = 0;
262 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
263 struct dns_fake_tsig_rec);
264 size_t mac_size = 0;
265
266 if (check_rec == NULL) {
267 return WERR_NOT_ENOUGH_MEMORY;
268 }
269
270 /* first build and verify check packet */
271 check_rec->name = talloc_strdup(check_rec, tkey->name);
272 if (check_rec->name == NULL) {
273 return WERR_NOT_ENOUGH_MEMORY;
274 }
275 check_rec->rr_class = DNS_QCLASS_ANY;
276 check_rec->ttl = 0;
277 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
278 if (check_rec->algorithm_name == NULL) {
279 return WERR_NOT_ENOUGH_MEMORY;
280 }
281 check_rec->time_prefix = 0;
282 check_rec->time = current_time;
283 check_rec->fudge = 300;
284 check_rec->error = state->tsig_error;
285 check_rec->other_size = 0;
286 check_rec->other_data = NULL;
287
288 ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
289 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
290 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
291 DEBUG(1, ("Failed to push packet: %s!\n",
292 ndr_errstr(ndr_err)));
293 return DNS_ERR(SERVER_FAILURE);
294 }
295
296 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
297 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
298 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
299 DEBUG(1, ("Failed to push packet: %s!\n",
300 ndr_errstr(ndr_err)));
301 return DNS_ERR(SERVER_FAILURE);
302 }
303
304 if (state->tsig != NULL) {
305 mac_size = state->tsig->rdata.tsig_record.mac_size;
306 }
307
308 buffer_len = mac_size;
309
310 buffer_len += packet_blob.length;
311 if (buffer_len < packet_blob.length) {
312 return WERR_INVALID_PARAMETER;
313 }
314 buffer_len += tsig_blob.length;
315 if (buffer_len < tsig_blob.length) {
316 return WERR_INVALID_PARAMETER;
317 }
318
319 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
320 if (buffer == NULL) {
321 return WERR_NOT_ENOUGH_MEMORY;
322 }
323
324 p = buffer;
325
326 /*
327 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
328 * that we're going to sign:
329 * 1. MAC of request (if present)
330 * 2. Outgoing packet
331 * 3. TSIG record
332 */
333 if (mac_size > 0) {
334 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
335 p += mac_size;
336 }
337
338 memcpy(p, packet_blob.data, packet_blob.length);
339 p += packet_blob.length;
340
341 memcpy(p, tsig_blob.data, tsig_blob.length);
342
343 status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
344 buffer, buffer_len, &sig);
345 if (!NT_STATUS_IS_OK(status)) {
346 return ntstatus_to_werror(status);
347 }
348
349 *_psig = sig;
350 return WERR_OK;
351 }
352
353 WERROR dns_sign_tsig(struct dns_server *dns,
354 TALLOC_CTX *mem_ctx,
355 struct dns_request_state *state,
356 struct dns_name_packet *packet,
357 uint16_t error)
358 {
359 WERROR werror;
360 time_t current_time = time(NULL);
361 struct dns_res_rec *tsig = NULL;
362 DATA_BLOB sig = (DATA_BLOB) {
363 .data = NULL,
364 .length = 0
365 };
366
367 tsig = talloc_zero(mem_ctx, struct dns_res_rec);
368 if (tsig == NULL) {
369 return WERR_NOT_ENOUGH_MEMORY;
370 }
371
372 if (state->tsig_error == DNS_RCODE_OK) {
373 struct dns_server_tkey *tkey = dns_find_tkey(
374 dns->tkeys, state->key_name);
375 if (tkey == NULL) {
376 return DNS_ERR(SERVER_FAILURE);
377 }
378
379 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
380 tkey, current_time, &sig);
381 if (!W_ERROR_IS_OK(werror)) {
382 return werror;
383 }
384 }
385
386 tsig->name = talloc_strdup(tsig, state->key_name);
387 if (tsig->name == NULL) {
388 return WERR_NOT_ENOUGH_MEMORY;
389 }
390 tsig->rr_class = DNS_QCLASS_ANY;
391 tsig->rr_type = DNS_QTYPE_TSIG;
392 tsig->ttl = 0;
393 tsig->length = UINT16_MAX;
394 tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
395 if (tsig->rdata.tsig_record.algorithm_name == NULL) {
396 return WERR_NOT_ENOUGH_MEMORY;
397 }
398 tsig->rdata.tsig_record.time_prefix = 0;
399 tsig->rdata.tsig_record.time = current_time;
400 tsig->rdata.tsig_record.fudge = 300;
401 tsig->rdata.tsig_record.error = state->tsig_error;
402 tsig->rdata.tsig_record.original_id = packet->id;
403 tsig->rdata.tsig_record.other_size = 0;
404 tsig->rdata.tsig_record.other_data = NULL;
405 if (sig.length > 0) {
406 tsig->rdata.tsig_record.mac_size = sig.length;
407 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
408 if (tsig->rdata.tsig_record.mac == NULL) {
409 return WERR_NOT_ENOUGH_MEMORY;
410 }
411 }
412
413 if (packet->arcount == 0) {
414 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
415 if (packet->additional == NULL) {
416 return WERR_NOT_ENOUGH_MEMORY;
417 }
418 }
419 packet->additional = talloc_realloc(mem_ctx, packet->additional,
420 struct dns_res_rec,
421 packet->arcount + 1);
422 if (packet->additional == NULL) {
423 return WERR_NOT_ENOUGH_MEMORY;
424 }
425
426 werror = dns_copy_tsig(mem_ctx, tsig,
427 &packet->additional[packet->arcount]);
428 if (!W_ERROR_IS_OK(werror)) {
429 return werror;
430 }
431 packet->arcount++;
432
433 return WERR_OK;
434 }
Samba GIT mirror