search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4 dns: Make debug output less noisy
[Samba/gebeck_regimport.git] / source4 / dns_server / dns_crypto.c
blob7604a053392831c1d99370188721a09f40e4b02a
1 /*
2 Unix SMB/CIFS implementation.
3
4 DNS server handler for signed packets
5
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/crypto/hmacmd5.h"
24 #include "system/network.h"
25 #include "librpc/ndr/libndr.h"
26 #include "librpc/gen_ndr/ndr_dns.h"
27 #include "dns_server/dns_server.h"
28 #include "libcli/util/ntstatus.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31
32 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
33 struct dns_res_rec *old,
34 struct dns_res_rec *new_rec)
35 {
36 new_rec->name = talloc_strdup(mem_ctx, old->name);
37 W_ERROR_HAVE_NO_MEMORY(new_rec->name);
38
39 new_rec->rr_type = old->rr_type;
40 new_rec->rr_class = old->rr_class;
41 new_rec->ttl = old->ttl;
42 new_rec->length = old->length;
43 new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
44 old->rdata.tsig_record.algorithm_name);
45 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
46
47 new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
48 new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
49 new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
50 new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
51 new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
52 old->rdata.tsig_record.mac,
53 old->rdata.tsig_record.mac_size);
54 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
55
56 new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
57 new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
58 new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
59 new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
60 old->rdata.tsig_record.other_data,
61 old->rdata.tsig_record.other_size);
62 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
63
64 return WERR_OK;
65 }
66
67 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
68 const char *name)
69 {
70 struct dns_server_tkey *tkey = NULL;
71 uint16_t i = 0;
72
73 do {
74 struct dns_server_tkey *tmp_key = store->tkeys[i];
75
76 i++;
77 i %= TKEY_BUFFER_SIZE;
78
79 if (tmp_key == NULL) {
80 continue;
81 }
82 if (dns_name_equal(name, tmp_key->name)) {
83 tkey = tmp_key;
84 break;
85 }
86 } while (i != 0);
87
88 return tkey;
89 }
90
91 WERROR dns_verify_tsig(struct dns_server *dns,
92 TALLOC_CTX *mem_ctx,
93 struct dns_request_state *state,
94 struct dns_name_packet *packet,
95 DATA_BLOB *in)
96 {
97 WERROR werror;
98 NTSTATUS status;
99 enum ndr_err_code ndr_err;
100 bool found_tsig = false;
101 uint16_t i, arcount = 0;
102 DATA_BLOB tsig_blob, fake_tsig_blob, sig;
103 uint8_t *buffer = NULL;
104 size_t buffer_len = 0, packet_len = 0;
105 struct dns_server_tkey *tkey = NULL;
106 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
107 struct dns_fake_tsig_rec);
108
109
110 /* Find the first TSIG record in the additional records */
111 for (i=0; i < packet->arcount; i++) {
112 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
113 found_tsig = true;
114 break;
115 }
116 }
117
118 if (!found_tsig) {
119 return WERR_OK;
120 }
121
122 /* The TSIG record needs to be the last additional record */
123 if (found_tsig && i + 1 != packet->arcount) {
124 DEBUG(1, ("TSIG record not the last additional record!\n"));
125 return DNS_ERR(FORMAT_ERROR);
126 }
127
128 /* We got a TSIG, so we need to sign our reply */
129 state->sign = true;
130
131 state->tsig = talloc_zero(mem_ctx, struct dns_res_rec);
132 if (state->tsig == NULL) {
133 return WERR_NOMEM;
134 }
135
136 werror = dns_copy_tsig(state->tsig, &packet->additional[i],
137 state->tsig);
138 if (!W_ERROR_IS_OK(werror)) {
139 return werror;
140 }
141
142 packet->arcount--;
143
144 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
145 if (tkey == NULL) {
146 state->tsig_error = DNS_RCODE_BADKEY;
147 return DNS_ERR(NOTAUTH);
148 }
149
150 /* FIXME: check TSIG here */
151 if (check_rec == NULL) {
152 return WERR_NOMEM;
153 }
154
155 /* first build and verify check packet */
156 check_rec->name = talloc_strdup(check_rec, tkey->name);
157 if (check_rec->name == NULL) {
158 return WERR_NOMEM;
159 }
160 check_rec->rr_class = DNS_QCLASS_ANY;
161 check_rec->ttl = 0;
162 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
163 if (check_rec->algorithm_name == NULL) {
164 return WERR_NOMEM;
165 }
166 check_rec->time_prefix = 0;
167 check_rec->time = state->tsig->rdata.tsig_record.time;
168 check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
169 check_rec->error = 0;
170 check_rec->other_size = 0;
171 check_rec->other_data = NULL;
172
173 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
174 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
175 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
176 DEBUG(1, ("Failed to push packet: %s!\n",
177 ndr_errstr(ndr_err)));
178 return DNS_ERR(SERVER_FAILURE);
179 }
180
181 ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
182 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
183 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
184 DEBUG(1, ("Failed to push packet: %s!\n",
185 ndr_errstr(ndr_err)));
186 return DNS_ERR(SERVER_FAILURE);
187 }
188
189 /* we need to work some magic here. we need to keep the input packet
190 * exactly like we got it, but we need to cut off the tsig record */
191 packet_len = in->length - tsig_blob.length;
192 buffer_len = packet_len + fake_tsig_blob.length;
193 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
194 if (buffer == NULL) {
195 return WERR_NOMEM;
196 }
197
198 memcpy(buffer, in->data, packet_len);
199 memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
200
201 sig.length = state->tsig->rdata.tsig_record.mac_size;
202 sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
203 if (sig.data == NULL) {
204 return WERR_NOMEM;
205 }
206
207 /*FIXME: Why is there too much padding? */
208 buffer_len -= 2;
209
210 /* Now we also need to count down the additional record counter */
211 arcount = RSVAL(buffer, 10);
212 RSSVAL(buffer, 10, arcount-1);
213
214 status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
215 buffer, buffer_len, &sig);
216 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
217 return DNS_ERR(BADKEY);
218 }
219
220 if (!NT_STATUS_IS_OK(status)) {
221 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
222 return ntstatus_to_werror(status);
223 }
224
225 state->authenticated = true;
226 state->key_name = talloc_strdup(mem_ctx, tkey->name);
227 if (state->key_name == NULL) {
228 return WERR_NOMEM;
229 }
230
231 return WERR_OK;
232 }
233
234 WERROR dns_sign_tsig(struct dns_server *dns,
235 TALLOC_CTX *mem_ctx,
236 struct dns_request_state *state,
237 struct dns_name_packet *packet,
238 uint16_t error)
239 {
240 WERROR werror;
241 NTSTATUS status;
242 enum ndr_err_code ndr_err;
243 time_t current_time = time(NULL);
244 DATA_BLOB packet_blob, tsig_blob, sig;
245 uint8_t *buffer = NULL;
246 size_t buffer_len = 0;
247 struct dns_server_tkey * tkey = NULL;
248 struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
249
250 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
251 struct dns_fake_tsig_rec);
252
253 if (tsig == NULL) {
254 return WERR_NOMEM;
255 }
256
257 if (check_rec == NULL) {
258 return WERR_NOMEM;
259 }
260
261 tkey = dns_find_tkey(dns->tkeys, state->key_name);
262 if (tkey == NULL) {
263 /* FIXME: read up on what to do when we can't find a key */
264 return WERR_OK;
265 }
266
267 /* first build and verify check packet */
268 check_rec->name = talloc_strdup(check_rec, tkey->name);
269 if (check_rec->name == NULL) {
270 return WERR_NOMEM;
271 }
272 check_rec->rr_class = DNS_QCLASS_ANY;
273 check_rec->ttl = 0;
274 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
275 if (check_rec->algorithm_name == NULL) {
276 return WERR_NOMEM;
277 }
278 check_rec->time_prefix = 0;
279 check_rec->time = current_time;
280 check_rec->fudge = 300;
281 check_rec->error = state->tsig_error;
282 check_rec->other_size = 0;
283 check_rec->other_data = NULL;
284
285 ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
286 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
287 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
288 DEBUG(1, ("Failed to push packet: %s!\n",
289 ndr_errstr(ndr_err)));
290 return DNS_ERR(SERVER_FAILURE);
291 }
292
293 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
294 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
296 DEBUG(1, ("Failed to push packet: %s!\n",
297 ndr_errstr(ndr_err)));
298 return DNS_ERR(SERVER_FAILURE);
299 }
300
301 buffer_len = packet_blob.length + tsig_blob.length;
302 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
303 if (buffer == NULL) {
304 return WERR_NOMEM;
305 }
306
307 memcpy(buffer, packet_blob.data, packet_blob.length);
308 memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length);
309
310
311 status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
312 buffer, buffer_len, &sig);
313 if (!NT_STATUS_IS_OK(status)) {
314 return ntstatus_to_werror(status);
315 }
316
317 tsig->name = talloc_strdup(tsig, check_rec->name);
318 if (tsig->name == NULL) {
319 return WERR_NOMEM;
320 }
321 tsig->rr_class = check_rec->rr_class;
322 tsig->rr_type = DNS_QTYPE_TSIG;
323 tsig->ttl = 0;
324 tsig->length = UINT16_MAX;
325 tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
326 check_rec->algorithm_name);
327 tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
328 tsig->rdata.tsig_record.time = check_rec->time;
329 tsig->rdata.tsig_record.fudge = check_rec->fudge;
330 tsig->rdata.tsig_record.error = state->tsig_error;
331 tsig->rdata.tsig_record.original_id = packet->id;
332 tsig->rdata.tsig_record.other_size = 0;
333 tsig->rdata.tsig_record.other_data = NULL;
334 tsig->rdata.tsig_record.mac_size = sig.length;
335 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
336
337
338 if (packet->arcount == 0) {
339 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
340 if (packet->additional == NULL) {
341 return WERR_NOMEM;
342 }
343 }
344 packet->additional = talloc_realloc(mem_ctx, packet->additional,
345 struct dns_res_rec,
346 packet->arcount + 1);
347 if (packet->additional == NULL) {
348 return WERR_NOMEM;
349 }
350
351 werror = dns_copy_tsig(mem_ctx, tsig,
352 &packet->additional[packet->arcount]);
353 if (!W_ERROR_IS_OK(werror)) {
354 return werror;
355 }
356 packet->arcount++;
357
358 return WERR_OK;
359 }
reg import