source4/dns_server/dns_crypto.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    DNS server handler for signed packets
   5
   6    Copyright (C) 2012 Kai Blin  <kai@samba.org>
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "lib/crypto/hmacmd5.h"
  24 #include "system/network.h"
  25 #include "librpc/ndr/libndr.h"
  26 #include "librpc/gen_ndr/ndr_dns.h"
  27 #include "dns_server/dns_server.h"
  28 #include "libcli/util/ntstatus.h"
  29 #include "auth/auth.h"
  30 #include "auth/gensec/gensec.h"
  31
  32 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
  33                             struct dns_res_rec *old,
  34                             struct dns_res_rec *new_rec)
  35 {
  36         new_rec->name = talloc_strdup(mem_ctx, old->name);
  37         W_ERROR_HAVE_NO_MEMORY(new_rec->name);
  38
  39         new_rec->rr_type = old->rr_type;
  40         new_rec->rr_class = old->rr_class;
  41         new_rec->ttl = old->ttl;
  42         new_rec->length = old->length;
  43         new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
  44                                 old->rdata.tsig_record.algorithm_name);
  45         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
  46
  47         new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
  48         new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
  49         new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
  50         new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
  51         new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
  52                                         old->rdata.tsig_record.mac,
  53                                         old->rdata.tsig_record.mac_size);
  54         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
  55
  56         new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
  57         new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
  58         new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
  59         new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
  60                                         old->rdata.tsig_record.other_data,
  61                                         old->rdata.tsig_record.other_size);
  62         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
  63
  64         return WERR_OK;
  65 }
  66
  67 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
  68                                       const char *name)
  69 {
  70         struct dns_server_tkey *tkey = NULL;
  71         uint16_t i = 0;
  72
  73         do {
  74                 struct dns_server_tkey *tmp_key = store->tkeys[i];
  75
  76                 i++;
  77                 i %= TKEY_BUFFER_SIZE;
  78
  79                 if (tmp_key == NULL) {
  80                         continue;
  81                 }
  82                 if (dns_name_equal(name, tmp_key->name)) {
  83                         tkey = tmp_key;
  84                         break;
  85                 }
  86         } while (i != 0);
  87
  88         return tkey;
  89 }
  90
  91 WERROR dns_verify_tsig(struct dns_server *dns,
  92                        struct dns_request_state *state,
  93                        struct dns_name_packet *packet)
  94 {
  95         WERROR werror;
  96         bool found_tsig = false;
  97         uint16_t i, mac_length = 0;
  98         struct dns_server_tkey *tkey = NULL;
  99         uint8_t *mac = NULL;
 100
 101         /* Find the first TSIG record in the additional records */
 102         for (i=0; i < packet->arcount; i++) {
 103                 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
 104                         found_tsig = true;
 105                         break;
 106                 }
 107         }
 108
 109         if (!found_tsig) {
 110                 return WERR_OK;
 111         }
 112
 113         /* The TSIG record needs to be the last additional record */
 114         if (found_tsig && i + 1 != packet->arcount) {
 115                 DEBUG(0, ("TSIG record not the last additional record!\n"));
 116                 return DNS_ERR(FORMAT_ERROR);
 117         }
 118
 119         /* We got a TSIG, so we need to sign our reply */
 120         state->sign = true;
 121
 122         state->tsig = talloc_zero(state, struct dns_res_rec);
 123         W_ERROR_HAVE_NO_MEMORY(state->tsig);
 124
 125         werror = dns_copy_tsig(state->tsig, &packet->additional[i],
 126                                state->tsig);
 127         W_ERROR_NOT_OK_RETURN(werror);
 128
 129         packet->arcount--;
 130
 131         tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
 132         if (tkey == NULL) {
 133                 state->tsig_error = DNS_RCODE_BADKEY;
 134                 return DNS_ERR(NOTAUTH);
 135         }
 136
 137         /* FIXME: check TSIG here */
 138
 139         dump_data(1, mac, mac_length);
 140         state->tsig_error = DNS_RCODE_BADKEY;
 141         return DNS_ERR(NOTAUTH);
 142 }
 143
 144 WERROR dns_sign_tsig(struct dns_server *dns,
 145                      TALLOC_CTX *mem_ctx,
 146                      struct dns_request_state *state,
 147                      struct dns_name_packet *packet,
 148                      uint16_t error)
 149 {
 150         WERROR werror;
 151         NTSTATUS status;
 152         enum ndr_err_code ndr_err;
 153         time_t current_time = time(NULL);
 154         DATA_BLOB packet_blob, tsig_blob, sig;
 155         uint8_t *buffer = NULL;
 156         size_t buffer_len = 0;
 157         struct dns_server_tkey * tkey = NULL;
 158         struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
 159
 160         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 161                         struct dns_fake_tsig_rec);
 162
 163         if (tsig == NULL) {
 164                 return WERR_NOMEM;
 165         }
 166
 167         if (check_rec == NULL) {
 168                 return WERR_NOMEM;
 169         }
 170
 171         tkey = dns_find_tkey(dns->tkeys, state->key_name);
 172         if (tkey == NULL) {
 173                 /* FIXME: read up on what to do when we can't find a key */
 174                 return WERR_OK;
 175         }
 176
 177         /* first build and verify check packet */
 178         check_rec->name = talloc_strdup(check_rec, tkey->name);
 179         if (check_rec->name == NULL) {
 180                 return WERR_NOMEM;
 181         }
 182         check_rec->rr_class = DNS_QCLASS_ANY;
 183         check_rec->ttl = 0;
 184         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
 185         if (check_rec->algorithm_name == NULL) {
 186                 return WERR_NOMEM;
 187         }
 188         check_rec->time_prefix = 0;
 189         check_rec->time = current_time;
 190         check_rec->fudge = 300;
 191         check_rec->error = state->tsig_error;
 192         check_rec->other_size = 0;
 193         check_rec->other_data = NULL;
 194
 195         ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
 196                 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
 197         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 198                 DEBUG(1, ("Failed to push packet: %s!\n",
 199                           ndr_errstr(ndr_err)));
 200                 return DNS_ERR(SERVER_FAILURE);
 201         }
 202
 203         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
 204                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
 205         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 206                 DEBUG(1, ("Failed to push packet: %s!\n",
 207                           ndr_errstr(ndr_err)));
 208                 return DNS_ERR(SERVER_FAILURE);
 209         }
 210
 211         buffer_len = packet_blob.length + tsig_blob.length;
 212         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
 213         if (buffer == NULL) {
 214                 return WERR_NOMEM;
 215         }
 216
 217         memcpy(buffer, packet_blob.data, packet_blob.length);
 218         memcpy(buffer, tsig_blob.data, tsig_blob.length);
 219
 220
 221         status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
 222                                     buffer, buffer_len, &sig);
 223         if (!NT_STATUS_IS_OK(status)) {
 224                 return ntstatus_to_werror(status);
 225         }
 226
 227         tsig->name = talloc_strdup(tsig, check_rec->name);
 228         if (tsig->name == NULL) {
 229                 return WERR_NOMEM;
 230         }
 231         tsig->rr_class = check_rec->rr_class;
 232         tsig->rr_type = DNS_QTYPE_TSIG;
 233         tsig->ttl = 0;
 234         tsig->length = UINT16_MAX;
 235         tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
 236                         check_rec->algorithm_name);
 237         tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
 238         tsig->rdata.tsig_record.time = check_rec->time;
 239         tsig->rdata.tsig_record.fudge = check_rec->fudge;
 240         tsig->rdata.tsig_record.error = state->tsig_error;
 241         tsig->rdata.tsig_record.original_id = packet->id;
 242         tsig->rdata.tsig_record.other_size = 0;
 243         tsig->rdata.tsig_record.other_data = NULL;
 244         tsig->rdata.tsig_record.mac_size = sig.length;
 245         tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
 246
 247
 248         if (packet->arcount == 0) {
 249                 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
 250                 if (packet->additional == NULL) {
 251                         return WERR_NOMEM;
 252                 }
 253         }
 254         packet->additional = talloc_realloc(mem_ctx, packet->additional,
 255                                             struct dns_res_rec,
 256                                             packet->arcount + 1);
 257         if (packet->additional == NULL) {
 258                 return WERR_NOMEM;
 259         }
 260
 261         werror = dns_copy_tsig(mem_ctx, tsig,
 262                                &packet->additional[packet->arcount]);
 263         if (!W_ERROR_IS_OK(werror)) {
 264                 return werror;
 265         }
 266         packet->arcount++;
 267
 268         return WERR_OK;
 269 }