CVE-2016-2115: s3:winbindd: use lp_client_ipc_{min,max}_protocol()
[samba.git] / source4 / dns_server / dns_crypto.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    DNS server handler for signed packets
5
6    Copyright (C) 2012 Kai Blin  <kai@samba.org>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "lib/crypto/hmacmd5.h"
24 #include "system/network.h"
25 #include "librpc/ndr/libndr.h"
26 #include "librpc/gen_ndr/ndr_dns.h"
27 #include "dns_server/dns_server.h"
28 #include "libcli/util/ntstatus.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
31
32 #undef DBGC_CLASS
33 #define DBGC_CLASS DBGC_DNS
34
35 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
36                             struct dns_res_rec *old,
37                             struct dns_res_rec *new_rec)
38 {
39         new_rec->name = talloc_strdup(mem_ctx, old->name);
40         W_ERROR_HAVE_NO_MEMORY(new_rec->name);
41
42         new_rec->rr_type = old->rr_type;
43         new_rec->rr_class = old->rr_class;
44         new_rec->ttl = old->ttl;
45         new_rec->length = old->length;
46         new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
47                                 old->rdata.tsig_record.algorithm_name);
48         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
49
50         new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
51         new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
52         new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
53         new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
54         new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
55                                         old->rdata.tsig_record.mac,
56                                         old->rdata.tsig_record.mac_size);
57         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
58
59         new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
60         new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
61         new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
62         new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
63                                         old->rdata.tsig_record.other_data,
64                                         old->rdata.tsig_record.other_size);
65         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
66
67         return WERR_OK;
68 }
69
70 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
71                                       const char *name)
72 {
73         struct dns_server_tkey *tkey = NULL;
74         uint16_t i = 0;
75
76         do {
77                 struct dns_server_tkey *tmp_key = store->tkeys[i];
78
79                 i++;
80                 i %= TKEY_BUFFER_SIZE;
81
82                 if (tmp_key == NULL) {
83                         continue;
84                 }
85                 if (dns_name_equal(name, tmp_key->name)) {
86                         tkey = tmp_key;
87                         break;
88                 }
89         } while (i != 0);
90
91         return tkey;
92 }
93
94 WERROR dns_verify_tsig(struct dns_server *dns,
95                        TALLOC_CTX *mem_ctx,
96                        struct dns_request_state *state,
97                        struct dns_name_packet *packet,
98                        DATA_BLOB *in)
99 {
100         WERROR werror;
101         NTSTATUS status;
102         enum ndr_err_code ndr_err;
103         bool found_tsig = false;
104         uint16_t i, arcount = 0;
105         DATA_BLOB tsig_blob, fake_tsig_blob, sig;
106         uint8_t *buffer = NULL;
107         size_t buffer_len = 0, packet_len = 0;
108         struct dns_server_tkey *tkey = NULL;
109         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
110                         struct dns_fake_tsig_rec);
111
112
113         /* Find the first TSIG record in the additional records */
114         for (i=0; i < packet->arcount; i++) {
115                 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
116                         found_tsig = true;
117                         break;
118                 }
119         }
120
121         if (!found_tsig) {
122                 return WERR_OK;
123         }
124
125         /* The TSIG record needs to be the last additional record */
126         if (found_tsig && i + 1 != packet->arcount) {
127                 DEBUG(1, ("TSIG record not the last additional record!\n"));
128                 return DNS_ERR(FORMAT_ERROR);
129         }
130
131         /* We got a TSIG, so we need to sign our reply */
132         state->sign = true;
133
134         state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
135         if (state->tsig == NULL) {
136                 return WERR_NOMEM;
137         }
138
139         werror = dns_copy_tsig(state->tsig, &packet->additional[i],
140                                state->tsig);
141         if (!W_ERROR_IS_OK(werror)) {
142                 return werror;
143         }
144
145         packet->arcount--;
146
147         tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
148         if (tkey == NULL) {
149                 state->tsig_error = DNS_RCODE_BADKEY;
150                 return DNS_ERR(NOTAUTH);
151         }
152
153         /* FIXME: check TSIG here */
154         if (check_rec == NULL) {
155                 return WERR_NOMEM;
156         }
157
158         /* first build and verify check packet */
159         check_rec->name = talloc_strdup(check_rec, tkey->name);
160         if (check_rec->name == NULL) {
161                 return WERR_NOMEM;
162         }
163         check_rec->rr_class = DNS_QCLASS_ANY;
164         check_rec->ttl = 0;
165         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
166         if (check_rec->algorithm_name == NULL) {
167                 return WERR_NOMEM;
168         }
169         check_rec->time_prefix = 0;
170         check_rec->time = state->tsig->rdata.tsig_record.time;
171         check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
172         check_rec->error = 0;
173         check_rec->other_size = 0;
174         check_rec->other_data = NULL;
175
176         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
177                 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
178         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
179                 DEBUG(1, ("Failed to push packet: %s!\n",
180                           ndr_errstr(ndr_err)));
181                 return DNS_ERR(SERVER_FAILURE);
182         }
183
184         ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
185                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
186         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
187                 DEBUG(1, ("Failed to push packet: %s!\n",
188                           ndr_errstr(ndr_err)));
189                 return DNS_ERR(SERVER_FAILURE);
190         }
191
192         /* we need to work some magic here. we need to keep the input packet
193          * exactly like we got it, but we need to cut off the tsig record */
194         packet_len = in->length - tsig_blob.length;
195         buffer_len = packet_len + fake_tsig_blob.length;
196         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
197         if (buffer == NULL) {
198                 return WERR_NOMEM;
199         }
200
201         memcpy(buffer, in->data, packet_len);
202         memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
203
204         sig.length = state->tsig->rdata.tsig_record.mac_size;
205         sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
206         if (sig.data == NULL) {
207                 return WERR_NOMEM;
208         }
209
210         /*FIXME: Why is there too much padding? */
211         buffer_len -= 2;
212
213         /* Now we also need to count down the additional record counter */
214         arcount = RSVAL(buffer, 10);
215         RSSVAL(buffer, 10, arcount-1);
216
217         status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
218                                     buffer, buffer_len, &sig);
219         if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
220                 return DNS_ERR(BADKEY);
221         }
222
223         if (!NT_STATUS_IS_OK(status)) {
224                 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
225                 return ntstatus_to_werror(status);
226         }
227
228         state->authenticated = true;
229         state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
230         if (state->key_name == NULL) {
231                 return WERR_NOMEM;
232         }
233
234         return WERR_OK;
235 }
236
237 WERROR dns_sign_tsig(struct dns_server *dns,
238                      TALLOC_CTX *mem_ctx,
239                      struct dns_request_state *state,
240                      struct dns_name_packet *packet,
241                      uint16_t error)
242 {
243         WERROR werror;
244         NTSTATUS status;
245         enum ndr_err_code ndr_err;
246         time_t current_time = time(NULL);
247         DATA_BLOB packet_blob, tsig_blob, sig;
248         uint8_t *buffer = NULL;
249         size_t buffer_len = 0;
250         struct dns_server_tkey * tkey = NULL;
251         struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
252
253         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
254                         struct dns_fake_tsig_rec);
255
256         if (tsig == NULL) {
257                 return WERR_NOMEM;
258         }
259
260         if (check_rec == NULL) {
261                 return WERR_NOMEM;
262         }
263
264         tkey = dns_find_tkey(dns->tkeys, state->key_name);
265         if (tkey == NULL) {
266                 /* FIXME: read up on what to do when we can't find a key */
267                 return WERR_OK;
268         }
269
270         /* first build and verify check packet */
271         check_rec->name = talloc_strdup(check_rec, tkey->name);
272         if (check_rec->name == NULL) {
273                 return WERR_NOMEM;
274         }
275         check_rec->rr_class = DNS_QCLASS_ANY;
276         check_rec->ttl = 0;
277         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
278         if (check_rec->algorithm_name == NULL) {
279                 return WERR_NOMEM;
280         }
281         check_rec->time_prefix = 0;
282         check_rec->time = current_time;
283         check_rec->fudge = 300;
284         check_rec->error = state->tsig_error;
285         check_rec->other_size = 0;
286         check_rec->other_data = NULL;
287
288         ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
289                 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
290         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
291                 DEBUG(1, ("Failed to push packet: %s!\n",
292                           ndr_errstr(ndr_err)));
293                 return DNS_ERR(SERVER_FAILURE);
294         }
295
296         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
297                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
298         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
299                 DEBUG(1, ("Failed to push packet: %s!\n",
300                           ndr_errstr(ndr_err)));
301                 return DNS_ERR(SERVER_FAILURE);
302         }
303
304         buffer_len = packet_blob.length + tsig_blob.length;
305         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
306         if (buffer == NULL) {
307                 return WERR_NOMEM;
308         }
309
310         memcpy(buffer, packet_blob.data, packet_blob.length);
311         memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length);
312
313
314         status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
315                                     buffer, buffer_len, &sig);
316         if (!NT_STATUS_IS_OK(status)) {
317                 return ntstatus_to_werror(status);
318         }
319
320         tsig->name = talloc_strdup(tsig, check_rec->name);
321         if (tsig->name == NULL) {
322                 return WERR_NOMEM;
323         }
324         tsig->rr_class = check_rec->rr_class;
325         tsig->rr_type = DNS_QTYPE_TSIG;
326         tsig->ttl = 0;
327         tsig->length = UINT16_MAX;
328         tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
329                         check_rec->algorithm_name);
330         tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
331         tsig->rdata.tsig_record.time = check_rec->time;
332         tsig->rdata.tsig_record.fudge = check_rec->fudge;
333         tsig->rdata.tsig_record.error = state->tsig_error;
334         tsig->rdata.tsig_record.original_id = packet->id;
335         tsig->rdata.tsig_record.other_size = 0;
336         tsig->rdata.tsig_record.other_data = NULL;
337         tsig->rdata.tsig_record.mac_size = sig.length;
338         tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
339
340
341         if (packet->arcount == 0) {
342                 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
343                 if (packet->additional == NULL) {
344                         return WERR_NOMEM;
345                 }
346         }
347         packet->additional = talloc_realloc(mem_ctx, packet->additional,
348                                             struct dns_res_rec,
349                                             packet->arcount + 1);
350         if (packet->additional == NULL) {
351                 return WERR_NOMEM;
352         }
353
354         werror = dns_copy_tsig(mem_ctx, tsig,
355                                &packet->additional[packet->arcount]);
356         if (!W_ERROR_IS_OK(werror)) {
357                 return werror;
358         }
359         packet->arcount++;
360
361         return WERR_OK;
362 }