2 Unix SMB/CIFS implementation.
4 DNS server handler for signed packets
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "lib/crypto/hmacmd5.h"
24 #include "system/network.h"
25 #include "librpc/ndr/libndr.h"
26 #include "librpc/gen_ndr/ndr_dns.h"
27 #include "dns_server/dns_server.h"
28 #include "libcli/util/ntstatus.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
32 static WERROR
dns_copy_tsig(TALLOC_CTX
*mem_ctx
,
33 struct dns_res_rec
*old
,
34 struct dns_res_rec
*new_rec
)
36 new_rec
->name
= talloc_strdup(mem_ctx
, old
->name
);
37 W_ERROR_HAVE_NO_MEMORY(new_rec
->name
);
39 new_rec
->rr_type
= old
->rr_type
;
40 new_rec
->rr_class
= old
->rr_class
;
41 new_rec
->ttl
= old
->ttl
;
42 new_rec
->length
= old
->length
;
43 new_rec
->rdata
.tsig_record
.algorithm_name
= talloc_strdup(mem_ctx
,
44 old
->rdata
.tsig_record
.algorithm_name
);
45 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.algorithm_name
);
47 new_rec
->rdata
.tsig_record
.time_prefix
= old
->rdata
.tsig_record
.time_prefix
;
48 new_rec
->rdata
.tsig_record
.time
= old
->rdata
.tsig_record
.time
;
49 new_rec
->rdata
.tsig_record
.fudge
= old
->rdata
.tsig_record
.fudge
;
50 new_rec
->rdata
.tsig_record
.mac_size
= old
->rdata
.tsig_record
.mac_size
;
51 new_rec
->rdata
.tsig_record
.mac
= talloc_memdup(mem_ctx
,
52 old
->rdata
.tsig_record
.mac
,
53 old
->rdata
.tsig_record
.mac_size
);
54 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.mac
);
56 new_rec
->rdata
.tsig_record
.original_id
= old
->rdata
.tsig_record
.original_id
;
57 new_rec
->rdata
.tsig_record
.error
= old
->rdata
.tsig_record
.error
;
58 new_rec
->rdata
.tsig_record
.other_size
= old
->rdata
.tsig_record
.other_size
;
59 new_rec
->rdata
.tsig_record
.other_data
= talloc_memdup(mem_ctx
,
60 old
->rdata
.tsig_record
.other_data
,
61 old
->rdata
.tsig_record
.other_size
);
62 W_ERROR_HAVE_NO_MEMORY(new_rec
->rdata
.tsig_record
.other_data
);
67 struct dns_server_tkey
*dns_find_tkey(struct dns_server_tkey_store
*store
,
70 struct dns_server_tkey
*tkey
= NULL
;
74 struct dns_server_tkey
*tmp_key
= store
->tkeys
[i
];
77 i
%= TKEY_BUFFER_SIZE
;
79 if (tmp_key
== NULL
) {
82 if (dns_name_equal(name
, tmp_key
->name
)) {
91 WERROR
dns_verify_tsig(struct dns_server
*dns
,
93 struct dns_request_state
*state
,
94 struct dns_name_packet
*packet
,
99 enum ndr_err_code ndr_err
;
100 bool found_tsig
= false;
101 uint16_t i
, arcount
= 0;
102 DATA_BLOB tsig_blob
, fake_tsig_blob
, sig
;
103 uint8_t *buffer
= NULL
;
104 size_t buffer_len
= 0, packet_len
= 0;
105 struct dns_server_tkey
*tkey
= NULL
;
106 struct dns_fake_tsig_rec
*check_rec
= talloc_zero(mem_ctx
,
107 struct dns_fake_tsig_rec
);
110 /* Find the first TSIG record in the additional records */
111 for (i
=0; i
< packet
->arcount
; i
++) {
112 if (packet
->additional
[i
].rr_type
== DNS_QTYPE_TSIG
) {
122 /* The TSIG record needs to be the last additional record */
123 if (found_tsig
&& i
+ 1 != packet
->arcount
) {
124 DEBUG(1, ("TSIG record not the last additional record!\n"));
125 return DNS_ERR(FORMAT_ERROR
);
128 /* We got a TSIG, so we need to sign our reply */
131 state
->tsig
= talloc_zero(mem_ctx
, struct dns_res_rec
);
132 if (state
->tsig
== NULL
) {
136 werror
= dns_copy_tsig(state
->tsig
, &packet
->additional
[i
],
138 if (!W_ERROR_IS_OK(werror
)) {
144 tkey
= dns_find_tkey(dns
->tkeys
, state
->tsig
->name
);
146 state
->tsig_error
= DNS_RCODE_BADKEY
;
147 return DNS_ERR(NOTAUTH
);
150 /* FIXME: check TSIG here */
151 if (check_rec
== NULL
) {
155 /* first build and verify check packet */
156 check_rec
->name
= talloc_strdup(check_rec
, tkey
->name
);
157 if (check_rec
->name
== NULL
) {
160 check_rec
->rr_class
= DNS_QCLASS_ANY
;
162 check_rec
->algorithm_name
= talloc_strdup(check_rec
, tkey
->algorithm
);
163 if (check_rec
->algorithm_name
== NULL
) {
166 check_rec
->time_prefix
= 0;
167 check_rec
->time
= state
->tsig
->rdata
.tsig_record
.time
;
168 check_rec
->fudge
= state
->tsig
->rdata
.tsig_record
.fudge
;
169 check_rec
->error
= 0;
170 check_rec
->other_size
= 0;
171 check_rec
->other_data
= NULL
;
173 ndr_err
= ndr_push_struct_blob(&tsig_blob
, mem_ctx
, state
->tsig
,
174 (ndr_push_flags_fn_t
)ndr_push_dns_res_rec
);
175 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
176 DEBUG(1, ("Failed to push packet: %s!\n",
177 ndr_errstr(ndr_err
)));
178 return DNS_ERR(SERVER_FAILURE
);
181 ndr_err
= ndr_push_struct_blob(&fake_tsig_blob
, mem_ctx
, check_rec
,
182 (ndr_push_flags_fn_t
)ndr_push_dns_fake_tsig_rec
);
183 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
184 DEBUG(1, ("Failed to push packet: %s!\n",
185 ndr_errstr(ndr_err
)));
186 return DNS_ERR(SERVER_FAILURE
);
189 /* we need to work some magic here. we need to keep the input packet
190 * exactly like we got it, but we need to cut off the tsig record */
191 packet_len
= in
->length
- tsig_blob
.length
;
192 buffer_len
= packet_len
+ fake_tsig_blob
.length
;
193 buffer
= talloc_zero_array(mem_ctx
, uint8_t, buffer_len
);
194 if (buffer
== NULL
) {
198 memcpy(buffer
, in
->data
, packet_len
);
199 memcpy(buffer
+ packet_len
, fake_tsig_blob
.data
, fake_tsig_blob
.length
);
201 sig
.length
= state
->tsig
->rdata
.tsig_record
.mac_size
;
202 sig
.data
= talloc_memdup(mem_ctx
, state
->tsig
->rdata
.tsig_record
.mac
, sig
.length
);
203 if (sig
.data
== NULL
) {
207 /*FIXME: Why is there too much padding? */
210 /* Now we also need to count down the additional record counter */
211 arcount
= RSVAL(buffer
, 10);
212 RSSVAL(buffer
, 10, arcount
-1);
214 status
= gensec_check_packet(tkey
->gensec
, buffer
, buffer_len
,
215 buffer
, buffer_len
, &sig
);
216 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED
, status
)) {
217 return DNS_ERR(BADKEY
);
220 if (!NT_STATUS_IS_OK(status
)) {
221 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status
)));
222 return ntstatus_to_werror(status
);
225 state
->authenticated
= true;
226 state
->key_name
= talloc_strdup(mem_ctx
, tkey
->name
);
227 if (state
->key_name
== NULL
) {
234 WERROR
dns_sign_tsig(struct dns_server
*dns
,
236 struct dns_request_state
*state
,
237 struct dns_name_packet
*packet
,
242 enum ndr_err_code ndr_err
;
243 time_t current_time
= time(NULL
);
244 DATA_BLOB packet_blob
, tsig_blob
, sig
;
245 uint8_t *buffer
= NULL
;
246 size_t buffer_len
= 0;
247 struct dns_server_tkey
* tkey
= NULL
;
248 struct dns_res_rec
*tsig
= talloc_zero(mem_ctx
, struct dns_res_rec
);
250 struct dns_fake_tsig_rec
*check_rec
= talloc_zero(mem_ctx
,
251 struct dns_fake_tsig_rec
);
257 if (check_rec
== NULL
) {
261 tkey
= dns_find_tkey(dns
->tkeys
, state
->key_name
);
263 /* FIXME: read up on what to do when we can't find a key */
267 /* first build and verify check packet */
268 check_rec
->name
= talloc_strdup(check_rec
, tkey
->name
);
269 if (check_rec
->name
== NULL
) {
272 check_rec
->rr_class
= DNS_QCLASS_ANY
;
274 check_rec
->algorithm_name
= talloc_strdup(check_rec
, tkey
->algorithm
);
275 if (check_rec
->algorithm_name
== NULL
) {
278 check_rec
->time_prefix
= 0;
279 check_rec
->time
= current_time
;
280 check_rec
->fudge
= 300;
281 check_rec
->error
= state
->tsig_error
;
282 check_rec
->other_size
= 0;
283 check_rec
->other_data
= NULL
;
285 ndr_err
= ndr_push_struct_blob(&packet_blob
, mem_ctx
, packet
,
286 (ndr_push_flags_fn_t
)ndr_push_dns_name_packet
);
287 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
288 DEBUG(1, ("Failed to push packet: %s!\n",
289 ndr_errstr(ndr_err
)));
290 return DNS_ERR(SERVER_FAILURE
);
293 ndr_err
= ndr_push_struct_blob(&tsig_blob
, mem_ctx
, check_rec
,
294 (ndr_push_flags_fn_t
)ndr_push_dns_fake_tsig_rec
);
295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
296 DEBUG(1, ("Failed to push packet: %s!\n",
297 ndr_errstr(ndr_err
)));
298 return DNS_ERR(SERVER_FAILURE
);
301 buffer_len
= packet_blob
.length
+ tsig_blob
.length
;
302 buffer
= talloc_zero_array(mem_ctx
, uint8_t, buffer_len
);
303 if (buffer
== NULL
) {
307 memcpy(buffer
, packet_blob
.data
, packet_blob
.length
);
308 memcpy(buffer
+packet_blob
.length
, tsig_blob
.data
, tsig_blob
.length
);
311 status
= gensec_sign_packet(tkey
->gensec
, mem_ctx
, buffer
, buffer_len
,
312 buffer
, buffer_len
, &sig
);
313 if (!NT_STATUS_IS_OK(status
)) {
314 return ntstatus_to_werror(status
);
317 tsig
->name
= talloc_strdup(tsig
, check_rec
->name
);
318 if (tsig
->name
== NULL
) {
321 tsig
->rr_class
= check_rec
->rr_class
;
322 tsig
->rr_type
= DNS_QTYPE_TSIG
;
324 tsig
->length
= UINT16_MAX
;
325 tsig
->rdata
.tsig_record
.algorithm_name
= talloc_strdup(tsig
,
326 check_rec
->algorithm_name
);
327 tsig
->rdata
.tsig_record
.time_prefix
= check_rec
->time_prefix
;
328 tsig
->rdata
.tsig_record
.time
= check_rec
->time
;
329 tsig
->rdata
.tsig_record
.fudge
= check_rec
->fudge
;
330 tsig
->rdata
.tsig_record
.error
= state
->tsig_error
;
331 tsig
->rdata
.tsig_record
.original_id
= packet
->id
;
332 tsig
->rdata
.tsig_record
.other_size
= 0;
333 tsig
->rdata
.tsig_record
.other_data
= NULL
;
334 tsig
->rdata
.tsig_record
.mac_size
= sig
.length
;
335 tsig
->rdata
.tsig_record
.mac
= talloc_memdup(tsig
, sig
.data
, sig
.length
);
338 if (packet
->arcount
== 0) {
339 packet
->additional
= talloc_zero(mem_ctx
, struct dns_res_rec
);
340 if (packet
->additional
== NULL
) {
344 packet
->additional
= talloc_realloc(mem_ctx
, packet
->additional
,
346 packet
->arcount
+ 1);
347 if (packet
->additional
== NULL
) {
351 werror
= dns_copy_tsig(mem_ctx
, tsig
,
352 &packet
->additional
[packet
->arcount
]);
353 if (!W_ERROR_IS_OK(werror
)) {