2 Unix SMB/CIFS implementation.
4 DNS server handler for signed packets
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "lib/crypto/hmacmd5.h"
24 #include "system/network.h"
25 #include "librpc/ndr/libndr.h"
26 #include "librpc/gen_ndr/ndr_dns.h"
27 #include "dns_server/dns_server.h"
28 #include "libcli/util/ntstatus.h"
29 #include "auth/auth.h"
30 #include "auth/gensec/gensec.h"
33 #define DBGC_CLASS DBGC_DNS
35 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
36 struct dns_res_rec *old,
37 struct dns_res_rec *new_rec)
39 new_rec->name = talloc_strdup(mem_ctx, old->name);
40 W_ERROR_HAVE_NO_MEMORY(new_rec->name);
42 new_rec->rr_type = old->rr_type;
43 new_rec->rr_class = old->rr_class;
44 new_rec->ttl = old->ttl;
45 new_rec->length = old->length;
46 new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
47 old->rdata.tsig_record.algorithm_name);
48 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
50 new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
51 new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
52 new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
53 new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
54 new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
55 old->rdata.tsig_record.mac,
56 old->rdata.tsig_record.mac_size);
57 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
59 new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
60 new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
61 new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
62 new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
63 old->rdata.tsig_record.other_data,
64 old->rdata.tsig_record.other_size);
65 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
70 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
73 struct dns_server_tkey *tkey = NULL;
77 struct dns_server_tkey *tmp_key = store->tkeys[i];
80 i %= TKEY_BUFFER_SIZE;
82 if (tmp_key == NULL) {
85 if (dns_name_equal(name, tmp_key->name)) {
94 WERROR dns_verify_tsig(struct dns_server *dns,
96 struct dns_request_state *state,
97 struct dns_name_packet *packet,
102 enum ndr_err_code ndr_err;
103 uint16_t i, arcount = 0;
104 DATA_BLOB tsig_blob, fake_tsig_blob, sig;
105 uint8_t *buffer = NULL;
106 size_t buffer_len = 0, packet_len = 0;
107 struct dns_server_tkey *tkey = NULL;
108 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
109 struct dns_fake_tsig_rec);
112 /* Find the first TSIG record in the additional records */
113 for (i=0; i < packet->arcount; i++) {
114 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
119 if (i == packet->arcount) {
124 /* The TSIG record needs to be the last additional record */
125 if (i + 1 != packet->arcount) {
126 DEBUG(1, ("TSIG record not the last additional record!\n"));
127 return DNS_ERR(FORMAT_ERROR);
130 /* We got a TSIG, so we need to sign our reply */
133 state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
134 if (state->tsig == NULL) {
135 return WERR_NOT_ENOUGH_MEMORY;
138 werror = dns_copy_tsig(state->tsig, &packet->additional[i],
140 if (!W_ERROR_IS_OK(werror)) {
146 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
149 * We must save the name for use in the TSIG error
150 * response and have no choice here but to save the
151 * keyname from the TSIG request.
153 state->key_name = talloc_strdup(state->mem_ctx,
155 if (state->key_name == NULL) {
156 return WERR_NOT_ENOUGH_MEMORY;
158 state->tsig_error = DNS_RCODE_BADKEY;
159 return DNS_ERR(NOTAUTH);
163 * Remember the keyname that found an existing tkey, used
164 * later to fetch the key with dns_find_tkey() when signing
165 * and adding a TSIG record with MAC.
167 state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
168 if (state->key_name == NULL) {
169 return WERR_NOT_ENOUGH_MEMORY;
172 /* FIXME: check TSIG here */
173 if (check_rec == NULL) {
174 return WERR_NOT_ENOUGH_MEMORY;
177 /* first build and verify check packet */
178 check_rec->name = talloc_strdup(check_rec, tkey->name);
179 if (check_rec->name == NULL) {
180 return WERR_NOT_ENOUGH_MEMORY;
182 check_rec->rr_class = DNS_QCLASS_ANY;
184 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
185 if (check_rec->algorithm_name == NULL) {
186 return WERR_NOT_ENOUGH_MEMORY;
188 check_rec->time_prefix = 0;
189 check_rec->time = state->tsig->rdata.tsig_record.time;
190 check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
191 check_rec->error = 0;
192 check_rec->other_size = 0;
193 check_rec->other_data = NULL;
195 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
196 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
197 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
198 DEBUG(1, ("Failed to push packet: %s!\n",
199 ndr_errstr(ndr_err)));
200 return DNS_ERR(SERVER_FAILURE);
203 ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
204 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
205 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
206 DEBUG(1, ("Failed to push packet: %s!\n",
207 ndr_errstr(ndr_err)));
208 return DNS_ERR(SERVER_FAILURE);
211 /* we need to work some magic here. we need to keep the input packet
212 * exactly like we got it, but we need to cut off the tsig record */
213 packet_len = in->length - tsig_blob.length;
214 buffer_len = packet_len + fake_tsig_blob.length;
215 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
216 if (buffer == NULL) {
217 return WERR_NOT_ENOUGH_MEMORY;
220 memcpy(buffer, in->data, packet_len);
221 memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
223 sig.length = state->tsig->rdata.tsig_record.mac_size;
224 sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
225 if (sig.data == NULL) {
226 return WERR_NOT_ENOUGH_MEMORY;
229 /* Now we also need to count down the additional record counter */
230 arcount = RSVAL(buffer, 10);
231 RSSVAL(buffer, 10, arcount-1);
233 status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
234 buffer, buffer_len, &sig);
235 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
236 state->tsig_error = DNS_RCODE_BADSIG;
237 return DNS_ERR(NOTAUTH);
240 if (!NT_STATUS_IS_OK(status)) {
241 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
242 return ntstatus_to_werror(status);
245 state->authenticated = true;
250 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
251 struct dns_request_state *state,
252 struct dns_name_packet *packet,
253 struct dns_server_tkey *tkey,
258 enum ndr_err_code ndr_err;
259 DATA_BLOB packet_blob, tsig_blob, sig;
260 uint8_t *buffer = NULL;
262 size_t buffer_len = 0;
263 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
264 struct dns_fake_tsig_rec);
267 if (check_rec == NULL) {
268 return WERR_NOT_ENOUGH_MEMORY;
271 /* first build and verify check packet */
272 check_rec->name = talloc_strdup(check_rec, tkey->name);
273 if (check_rec->name == NULL) {
274 return WERR_NOT_ENOUGH_MEMORY;
276 check_rec->rr_class = DNS_QCLASS_ANY;
278 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
279 if (check_rec->algorithm_name == NULL) {
280 return WERR_NOT_ENOUGH_MEMORY;
282 check_rec->time_prefix = 0;
283 check_rec->time = current_time;
284 check_rec->fudge = 300;
285 check_rec->error = state->tsig_error;
286 check_rec->other_size = 0;
287 check_rec->other_data = NULL;
289 ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
290 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
291 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
292 DEBUG(1, ("Failed to push packet: %s!\n",
293 ndr_errstr(ndr_err)));
294 return DNS_ERR(SERVER_FAILURE);
297 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
298 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
299 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
300 DEBUG(1, ("Failed to push packet: %s!\n",
301 ndr_errstr(ndr_err)));
302 return DNS_ERR(SERVER_FAILURE);
305 if (state->tsig != NULL) {
306 mac_size = state->tsig->rdata.tsig_record.mac_size;
309 buffer_len = mac_size;
311 buffer_len += packet_blob.length;
312 if (buffer_len < packet_blob.length) {
313 return WERR_INVALID_PARAMETER;
315 buffer_len += tsig_blob.length;
316 if (buffer_len < tsig_blob.length) {
317 return WERR_INVALID_PARAMETER;
320 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
321 if (buffer == NULL) {
322 return WERR_NOT_ENOUGH_MEMORY;
328 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
329 * that we're going to sign:
330 * 1. MAC of request (if present)
335 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
339 memcpy(p, packet_blob.data, packet_blob.length);
340 p += packet_blob.length;
342 memcpy(p, tsig_blob.data, tsig_blob.length);
344 status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
345 buffer, buffer_len, &sig);
346 if (!NT_STATUS_IS_OK(status)) {
347 return ntstatus_to_werror(status);
354 WERROR dns_sign_tsig(struct dns_server *dns,
356 struct dns_request_state *state,
357 struct dns_name_packet *packet,
361 time_t current_time = time(NULL);
362 struct dns_res_rec *tsig = NULL;
363 DATA_BLOB sig = (DATA_BLOB) {
368 tsig = talloc_zero(mem_ctx, struct dns_res_rec);
370 return WERR_NOT_ENOUGH_MEMORY;
373 if (state->tsig_error == DNS_RCODE_OK) {
374 struct dns_server_tkey *tkey = dns_find_tkey(
375 dns->tkeys, state->key_name);
377 return DNS_ERR(SERVER_FAILURE);
380 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
381 tkey, current_time, &sig);
382 if (!W_ERROR_IS_OK(werror)) {
387 tsig->name = talloc_strdup(tsig, state->key_name);
388 if (tsig->name == NULL) {
389 return WERR_NOT_ENOUGH_MEMORY;
391 tsig->rr_class = DNS_QCLASS_ANY;
392 tsig->rr_type = DNS_QTYPE_TSIG;
394 tsig->length = UINT16_MAX;
395 tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
396 if (tsig->rdata.tsig_record.algorithm_name == NULL) {
397 return WERR_NOT_ENOUGH_MEMORY;
399 tsig->rdata.tsig_record.time_prefix = 0;
400 tsig->rdata.tsig_record.time = current_time;
401 tsig->rdata.tsig_record.fudge = 300;
402 tsig->rdata.tsig_record.error = state->tsig_error;
403 tsig->rdata.tsig_record.original_id = packet->id;
404 tsig->rdata.tsig_record.other_size = 0;
405 tsig->rdata.tsig_record.other_data = NULL;
406 if (sig.length > 0) {
407 tsig->rdata.tsig_record.mac_size = sig.length;
408 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
409 if (tsig->rdata.tsig_record.mac == NULL) {
410 return WERR_NOT_ENOUGH_MEMORY;
414 if (packet->arcount == 0) {
415 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
416 if (packet->additional == NULL) {
417 return WERR_NOT_ENOUGH_MEMORY;
420 packet->additional = talloc_realloc(mem_ctx, packet->additional,
422 packet->arcount + 1);
423 if (packet->additional == NULL) {
424 return WERR_NOT_ENOUGH_MEMORY;
427 werror = dns_copy_tsig(mem_ctx, tsig,
428 &packet->additional[packet->arcount]);
429 if (!W_ERROR_IS_OK(werror)) {