search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible
[samba.git] / source4 / dns_server / dns_crypto.c
blobbe79a4e87b75e085d107f7afbe49f2c4540486ec
1 /*
2 Unix SMB/CIFS implementation.
3
4 DNS server handler for signed packets
5
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include "librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/ndr_dns.h"
26 #include "dns_server/dns_server.h"
27 #include "libcli/util/ntstatus.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
30
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_DNS
33
34 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
35 struct dns_res_rec *old,
36 struct dns_res_rec *new_rec)
37 {
38 new_rec->name = talloc_strdup(mem_ctx, old->name);
39 W_ERROR_HAVE_NO_MEMORY(new_rec->name);
40
41 new_rec->rr_type = old->rr_type;
42 new_rec->rr_class = old->rr_class;
43 new_rec->ttl = old->ttl;
44 new_rec->length = old->length;
45 new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
46 old->rdata.tsig_record.algorithm_name);
47 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
48
49 new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
50 new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
51 new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
52 new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
53 new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
54 old->rdata.tsig_record.mac,
55 old->rdata.tsig_record.mac_size);
56 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
57
58 new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
59 new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
60 new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
61 new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
62 old->rdata.tsig_record.other_data,
63 old->rdata.tsig_record.other_size);
64 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
65
66 return WERR_OK;
67 }
68
69 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
70 const char *name)
71 {
72 struct dns_server_tkey *tkey = NULL;
73 uint16_t i = 0;
74
75 do {
76 struct dns_server_tkey *tmp_key = store->tkeys[i];
77
78 i++;
79 i %= TKEY_BUFFER_SIZE;
80
81 if (tmp_key == NULL) {
82 continue;
83 }
84 if (samba_dns_name_equal(name, tmp_key->name)) {
85 tkey = tmp_key;
86 break;
87 }
88 } while (i != 0);
89
90 return tkey;
91 }
92
93 WERROR dns_verify_tsig(struct dns_server *dns,
94 TALLOC_CTX *mem_ctx,
95 struct dns_request_state *state,
96 struct dns_name_packet *packet,
97 DATA_BLOB *in)
98 {
99 WERROR werror;
100 NTSTATUS status;
101 enum ndr_err_code ndr_err;
102 uint16_t i, arcount = 0;
103 DATA_BLOB tsig_blob, fake_tsig_blob, sig;
104 uint8_t *buffer = NULL;
105 size_t buffer_len = 0, packet_len = 0;
106 struct dns_server_tkey *tkey = NULL;
107 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
108 struct dns_fake_tsig_rec);
109
110
111 /* Find the first TSIG record in the additional records */
112 for (i=0; i < packet->arcount; i++) {
113 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
114 break;
115 }
116 }
117
118 if (i == packet->arcount) {
119 /* no TSIG around */
120 return WERR_OK;
121 }
122
123 /* The TSIG record needs to be the last additional record */
124 if (i + 1 != packet->arcount) {
125 DEBUG(1, ("TSIG record not the last additional record!\n"));
126 return DNS_ERR(FORMAT_ERROR);
127 }
128
129 /* We got a TSIG, so we need to sign our reply */
130 state->sign = true;
131 DBG_DEBUG("Got TSIG\n");
132
133 state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
134 if (state->tsig == NULL) {
135 return WERR_NOT_ENOUGH_MEMORY;
136 }
137
138 werror = dns_copy_tsig(state->tsig, &packet->additional[i],
139 state->tsig);
140 if (!W_ERROR_IS_OK(werror)) {
141 return werror;
142 }
143
144 packet->arcount--;
145
146 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
147 if (tkey == NULL) {
148 DBG_DEBUG("dns_find_tkey() => NOTAUTH / DNS_RCODE_BADKEY\n");
149 /*
150 * We must save the name for use in the TSIG error
151 * response and have no choice here but to save the
152 * keyname from the TSIG request.
153 */
154 state->key_name = talloc_strdup(state->mem_ctx,
155 state->tsig->name);
156 if (state->key_name == NULL) {
157 return WERR_NOT_ENOUGH_MEMORY;
158 }
159 state->tsig_error = DNS_RCODE_BADKEY;
160 return DNS_ERR(NOTAUTH);
161 }
162 DBG_DEBUG("dns_find_tkey() => found\n");
163
164 /*
165 * Remember the keyname that found an existing tkey, used
166 * later to fetch the key with dns_find_tkey() when signing
167 * and adding a TSIG record with MAC.
168 */
169 state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
170 if (state->key_name == NULL) {
171 return WERR_NOT_ENOUGH_MEMORY;
172 }
173
174 /* FIXME: check TSIG here */
175 if (check_rec == NULL) {
176 return WERR_NOT_ENOUGH_MEMORY;
177 }
178
179 /* first build and verify check packet */
180 check_rec->name = talloc_strdup(check_rec, tkey->name);
181 if (check_rec->name == NULL) {
182 return WERR_NOT_ENOUGH_MEMORY;
183 }
184 check_rec->rr_class = DNS_QCLASS_ANY;
185 check_rec->ttl = 0;
186 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
187 if (check_rec->algorithm_name == NULL) {
188 return WERR_NOT_ENOUGH_MEMORY;
189 }
190 check_rec->time_prefix = 0;
191 check_rec->time = state->tsig->rdata.tsig_record.time;
192 check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
193 check_rec->error = 0;
194 check_rec->other_size = 0;
195 check_rec->other_data = NULL;
196
197 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
198 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
199 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 DEBUG(1, ("Failed to push packet: %s!\n",
201 ndr_errstr(ndr_err)));
202 return DNS_ERR(SERVER_FAILURE);
203 }
204
205 ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
206 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
207 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
208 DEBUG(1, ("Failed to push packet: %s!\n",
209 ndr_errstr(ndr_err)));
210 return DNS_ERR(SERVER_FAILURE);
211 }
212
213 /* we need to work some magic here. we need to keep the input packet
214 * exactly like we got it, but we need to cut off the tsig record */
215 packet_len = in->length - tsig_blob.length;
216 buffer_len = packet_len + fake_tsig_blob.length;
217 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
218 if (buffer == NULL) {
219 return WERR_NOT_ENOUGH_MEMORY;
220 }
221
222 memcpy(buffer, in->data, packet_len);
223 memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
224
225 sig.length = state->tsig->rdata.tsig_record.mac_size;
226 sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
227 if (sig.data == NULL) {
228 return WERR_NOT_ENOUGH_MEMORY;
229 }
230
231 /* Now we also need to count down the additional record counter */
232 arcount = RSVAL(buffer, 10);
233 RSSVAL(buffer, 10, arcount-1);
234
235 status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
236 buffer, buffer_len, &sig);
237 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
238 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
239 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
240 DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
241 state->tsig_error = DNS_RCODE_BADSIG;
242 return DNS_ERR(NOTAUTH);
243 }
244
245 if (!NT_STATUS_IS_OK(status)) {
246 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
247 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
248 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
249 return ntstatus_to_werror(status);
250 }
251
252 state->authenticated = true;
253
254 DBG_DEBUG("AUTHENTICATED\n");
255 return WERR_OK;
256 }
257
258 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
259 struct dns_request_state *state,
260 struct dns_name_packet *packet,
261 struct dns_server_tkey *tkey,
262 time_t current_time,
263 DATA_BLOB *_psig)
264 {
265 NTSTATUS status;
266 enum ndr_err_code ndr_err;
267 DATA_BLOB packet_blob, tsig_blob, sig;
268 uint8_t *buffer = NULL;
269 uint8_t *p = NULL;
270 size_t buffer_len = 0;
271 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
272 struct dns_fake_tsig_rec);
273 size_t mac_size = 0;
274
275 if (check_rec == NULL) {
276 return WERR_NOT_ENOUGH_MEMORY;
277 }
278
279 /* first build and verify check packet */
280 check_rec->name = talloc_strdup(check_rec, tkey->name);
281 if (check_rec->name == NULL) {
282 return WERR_NOT_ENOUGH_MEMORY;
283 }
284 check_rec->rr_class = DNS_QCLASS_ANY;
285 check_rec->ttl = 0;
286 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
287 if (check_rec->algorithm_name == NULL) {
288 return WERR_NOT_ENOUGH_MEMORY;
289 }
290 check_rec->time_prefix = 0;
291 check_rec->time = current_time;
292 check_rec->fudge = 300;
293 check_rec->error = state->tsig_error;
294 check_rec->other_size = 0;
295 check_rec->other_data = NULL;
296
297 ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
298 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
299 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
300 DEBUG(1, ("Failed to push packet: %s!\n",
301 ndr_errstr(ndr_err)));
302 return DNS_ERR(SERVER_FAILURE);
303 }
304
305 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
306 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
307 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
308 DEBUG(1, ("Failed to push packet: %s!\n",
309 ndr_errstr(ndr_err)));
310 return DNS_ERR(SERVER_FAILURE);
311 }
312
313 if (state->tsig != NULL) {
314 mac_size = state->tsig->rdata.tsig_record.mac_size;
315 }
316
317 buffer_len = mac_size;
318
319 buffer_len += packet_blob.length;
320 if (buffer_len < packet_blob.length) {
321 return WERR_INVALID_PARAMETER;
322 }
323 buffer_len += tsig_blob.length;
324 if (buffer_len < tsig_blob.length) {
325 return WERR_INVALID_PARAMETER;
326 }
327
328 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
329 if (buffer == NULL) {
330 return WERR_NOT_ENOUGH_MEMORY;
331 }
332
333 p = buffer;
334
335 /*
336 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
337 * that we're going to sign:
338 * 1. MAC of request (if present)
339 * 2. Outgoing packet
340 * 3. TSIG record
341 */
342 if (mac_size > 0) {
343 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
344 p += mac_size;
345 }
346
347 memcpy(p, packet_blob.data, packet_blob.length);
348 p += packet_blob.length;
349
350 memcpy(p, tsig_blob.data, tsig_blob.length);
351
352 status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
353 buffer, buffer_len, &sig);
354 if (!NT_STATUS_IS_OK(status)) {
355 return ntstatus_to_werror(status);
356 }
357
358 *_psig = sig;
359 return WERR_OK;
360 }
361
362 WERROR dns_sign_tsig(struct dns_server *dns,
363 TALLOC_CTX *mem_ctx,
364 struct dns_request_state *state,
365 struct dns_name_packet *packet,
366 uint16_t error)
367 {
368 WERROR werror;
369 time_t current_time = time(NULL);
370 struct dns_res_rec *tsig = NULL;
371 DATA_BLOB sig = (DATA_BLOB) {
372 .data = NULL,
373 .length = 0
374 };
375
376 tsig = talloc_zero(mem_ctx, struct dns_res_rec);
377 if (tsig == NULL) {
378 return WERR_NOT_ENOUGH_MEMORY;
379 }
380
381 if (state->tsig_error == DNS_RCODE_OK) {
382 struct dns_server_tkey *tkey = dns_find_tkey(
383 dns->tkeys, state->key_name);
384 if (tkey == NULL) {
385 DBG_WARNING("dns_find_tkey() => NULL)\n");
386 return DNS_ERR(SERVER_FAILURE);
387 }
388
389 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
390 tkey, current_time, &sig);
391 DBG_DEBUG("dns_tsig_compute_mac() => %s\n", win_errstr(werror));
392 if (!W_ERROR_IS_OK(werror)) {
393 return werror;
394 }
395 }
396
397 tsig->name = talloc_strdup(tsig, state->key_name);
398 if (tsig->name == NULL) {
399 return WERR_NOT_ENOUGH_MEMORY;
400 }
401 tsig->rr_class = DNS_QCLASS_ANY;
402 tsig->rr_type = DNS_QTYPE_TSIG;
403 tsig->ttl = 0;
404 tsig->length = UINT16_MAX;
405 tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
406 if (tsig->rdata.tsig_record.algorithm_name == NULL) {
407 return WERR_NOT_ENOUGH_MEMORY;
408 }
409 tsig->rdata.tsig_record.time_prefix = 0;
410 tsig->rdata.tsig_record.time = current_time;
411 tsig->rdata.tsig_record.fudge = 300;
412 tsig->rdata.tsig_record.error = state->tsig_error;
413 tsig->rdata.tsig_record.original_id = packet->id;
414 tsig->rdata.tsig_record.other_size = 0;
415 tsig->rdata.tsig_record.other_data = NULL;
416 if (sig.length > 0) {
417 tsig->rdata.tsig_record.mac_size = sig.length;
418 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
419 if (tsig->rdata.tsig_record.mac == NULL) {
420 return WERR_NOT_ENOUGH_MEMORY;
421 }
422 }
423
424 DBG_DEBUG("sig.length=%zu\n", sig.length);
425
426 if (packet->arcount == 0) {
427 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
428 if (packet->additional == NULL) {
429 return WERR_NOT_ENOUGH_MEMORY;
430 }
431 }
432 packet->additional = talloc_realloc(mem_ctx, packet->additional,
433 struct dns_res_rec,
434 packet->arcount + 1);
435 if (packet->additional == NULL) {
436 return WERR_NOT_ENOUGH_MEMORY;
437 }
438
439 werror = dns_copy_tsig(mem_ctx, tsig,
440 &packet->additional[packet->arcount]);
441 DBG_DEBUG("dns_copy_tsig() => %s\n", win_errstr(werror));
442 if (!W_ERROR_IS_OK(werror)) {
443 return werror;
444 }
445 packet->arcount++;
446
447 return WERR_OK;
448 }
Samba git mirror