source4/dns_server/dns_crypto.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    DNS server handler for signed packets
   5
   6    Copyright (C) 2012 Kai Blin  <kai@samba.org>
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "lib/crypto/hmacmd5.h"
  24 #include "system/network.h"
  25 #include "librpc/ndr/libndr.h"
  26 #include "librpc/gen_ndr/ndr_dns.h"
  27 #include "dns_server/dns_server.h"
  28 #include "libcli/util/ntstatus.h"
  29 #include "auth/auth.h"
  30 #include "auth/gensec/gensec.h"
  31
  32 #undef DBGC_CLASS
  33 #define DBGC_CLASS DBGC_DNS
  34
  35 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
  36                             struct dns_res_rec *old,
  37                             struct dns_res_rec *new_rec)
  38 {
  39         new_rec->name = talloc_strdup(mem_ctx, old->name);
  40         W_ERROR_HAVE_NO_MEMORY(new_rec->name);
  41
  42         new_rec->rr_type = old->rr_type;
  43         new_rec->rr_class = old->rr_class;
  44         new_rec->ttl = old->ttl;
  45         new_rec->length = old->length;
  46         new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
  47                                 old->rdata.tsig_record.algorithm_name);
  48         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
  49
  50         new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
  51         new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
  52         new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
  53         new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
  54         new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
  55                                         old->rdata.tsig_record.mac,
  56                                         old->rdata.tsig_record.mac_size);
  57         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
  58
  59         new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
  60         new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
  61         new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
  62         new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
  63                                         old->rdata.tsig_record.other_data,
  64                                         old->rdata.tsig_record.other_size);
  65         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
  66
  67         return WERR_OK;
  68 }
  69
  70 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
  71                                       const char *name)
  72 {
  73         struct dns_server_tkey *tkey = NULL;
  74         uint16_t i = 0;
  75
  76         do {
  77                 struct dns_server_tkey *tmp_key = store->tkeys[i];
  78
  79                 i++;
  80                 i %= TKEY_BUFFER_SIZE;
  81
  82                 if (tmp_key == NULL) {
  83                         continue;
  84                 }
  85                 if (dns_name_equal(name, tmp_key->name)) {
  86                         tkey = tmp_key;
  87                         break;
  88                 }
  89         } while (i != 0);
  90
  91         return tkey;
  92 }
  93
  94 WERROR dns_verify_tsig(struct dns_server *dns,
  95                        TALLOC_CTX *mem_ctx,
  96                        struct dns_request_state *state,
  97                        struct dns_name_packet *packet,
  98                        DATA_BLOB *in)
  99 {
 100         WERROR werror;
 101         NTSTATUS status;
 102         enum ndr_err_code ndr_err;
 103         bool found_tsig = false;
 104         uint16_t i, arcount = 0;
 105         DATA_BLOB tsig_blob, fake_tsig_blob, sig;
 106         uint8_t *buffer = NULL;
 107         size_t buffer_len = 0, packet_len = 0;
 108         struct dns_server_tkey *tkey = NULL;
 109         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 110                         struct dns_fake_tsig_rec);
 111
 112
 113         /* Find the first TSIG record in the additional records */
 114         for (i=0; i < packet->arcount; i++) {
 115                 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
 116                         found_tsig = true;
 117                         break;
 118                 }
 119         }
 120
 121         if (!found_tsig) {
 122                 return WERR_OK;
 123         }
 124
 125         /* The TSIG record needs to be the last additional record */
 126         if (found_tsig && i + 1 != packet->arcount) {
 127                 DEBUG(1, ("TSIG record not the last additional record!\n"));
 128                 return DNS_ERR(FORMAT_ERROR);
 129         }
 130
 131         /* We got a TSIG, so we need to sign our reply */
 132         state->sign = true;
 133
 134         state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
 135         if (state->tsig == NULL) {
 136                 return WERR_NOT_ENOUGH_MEMORY;
 137         }
 138
 139         werror = dns_copy_tsig(state->tsig, &packet->additional[i],
 140                                state->tsig);
 141         if (!W_ERROR_IS_OK(werror)) {
 142                 return werror;
 143         }
 144
 145         packet->arcount--;
 146
 147         tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
 148         if (tkey == NULL) {
 149                 /*
 150                  * We must save the name for use in the TSIG error
 151                  * response and have no choice here but to save the
 152                  * keyname from the TSIG request.
 153                  */
 154                 state->key_name = talloc_strdup(state->mem_ctx,
 155                                                 state->tsig->name);
 156                 if (state->key_name == NULL) {
 157                         return WERR_NOT_ENOUGH_MEMORY;
 158                 }
 159                 state->tsig_error = DNS_RCODE_BADKEY;
 160                 return DNS_ERR(NOTAUTH);
 161         }
 162
 163         /*
 164          * Remember the keyname that found an existing tkey, used
 165          * later to fetch the key with dns_find_tkey() when signing
 166          * and adding a TSIG record with MAC.
 167          */
 168         state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
 169         if (state->key_name == NULL) {
 170                 return WERR_NOT_ENOUGH_MEMORY;
 171         }
 172
 173         /* FIXME: check TSIG here */
 174         if (check_rec == NULL) {
 175                 return WERR_NOT_ENOUGH_MEMORY;
 176         }
 177
 178         /* first build and verify check packet */
 179         check_rec->name = talloc_strdup(check_rec, tkey->name);
 180         if (check_rec->name == NULL) {
 181                 return WERR_NOT_ENOUGH_MEMORY;
 182         }
 183         check_rec->rr_class = DNS_QCLASS_ANY;
 184         check_rec->ttl = 0;
 185         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
 186         if (check_rec->algorithm_name == NULL) {
 187                 return WERR_NOT_ENOUGH_MEMORY;
 188         }
 189         check_rec->time_prefix = 0;
 190         check_rec->time = state->tsig->rdata.tsig_record.time;
 191         check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
 192         check_rec->error = 0;
 193         check_rec->other_size = 0;
 194         check_rec->other_data = NULL;
 195
 196         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
 197                 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
 198         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 199                 DEBUG(1, ("Failed to push packet: %s!\n",
 200                           ndr_errstr(ndr_err)));
 201                 return DNS_ERR(SERVER_FAILURE);
 202         }
 203
 204         ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
 205                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
 206         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 207                 DEBUG(1, ("Failed to push packet: %s!\n",
 208                           ndr_errstr(ndr_err)));
 209                 return DNS_ERR(SERVER_FAILURE);
 210         }
 211
 212         /* we need to work some magic here. we need to keep the input packet
 213          * exactly like we got it, but we need to cut off the tsig record */
 214         packet_len = in->length - tsig_blob.length;
 215         buffer_len = packet_len + fake_tsig_blob.length;
 216         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
 217         if (buffer == NULL) {
 218                 return WERR_NOT_ENOUGH_MEMORY;
 219         }
 220
 221         memcpy(buffer, in->data, packet_len);
 222         memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
 223
 224         sig.length = state->tsig->rdata.tsig_record.mac_size;
 225         sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
 226         if (sig.data == NULL) {
 227                 return WERR_NOT_ENOUGH_MEMORY;
 228         }
 229
 230         /* Now we also need to count down the additional record counter */
 231         arcount = RSVAL(buffer, 10);
 232         RSSVAL(buffer, 10, arcount-1);
 233
 234         status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
 235                                     buffer, buffer_len, &sig);
 236         if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
 237                 state->tsig_error = DNS_RCODE_BADSIG;
 238                 return DNS_ERR(NOTAUTH);
 239         }
 240
 241         if (!NT_STATUS_IS_OK(status)) {
 242                 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
 243                 return ntstatus_to_werror(status);
 244         }
 245
 246         state->authenticated = true;
 247
 248         return WERR_OK;
 249 }
 250
 251 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
 252                                    struct dns_request_state *state,
 253                                    struct dns_name_packet *packet,
 254                                    struct dns_server_tkey *tkey,
 255                                    time_t current_time,
 256                                    DATA_BLOB *_psig)
 257 {
 258         NTSTATUS status;
 259         enum ndr_err_code ndr_err;
 260         DATA_BLOB packet_blob, tsig_blob, sig;
 261         uint8_t *buffer = NULL;
 262         uint8_t *p = NULL;
 263         size_t buffer_len = 0;
 264         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 265                         struct dns_fake_tsig_rec);
 266         size_t mac_size = 0;
 267
 268         if (check_rec == NULL) {
 269                 return WERR_NOT_ENOUGH_MEMORY;
 270         }
 271
 272         /* first build and verify check packet */
 273         check_rec->name = talloc_strdup(check_rec, tkey->name);
 274         if (check_rec->name == NULL) {
 275                 return WERR_NOT_ENOUGH_MEMORY;
 276         }
 277         check_rec->rr_class = DNS_QCLASS_ANY;
 278         check_rec->ttl = 0;
 279         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
 280         if (check_rec->algorithm_name == NULL) {
 281                 return WERR_NOT_ENOUGH_MEMORY;
 282         }
 283         check_rec->time_prefix = 0;
 284         check_rec->time = current_time;
 285         check_rec->fudge = 300;
 286         check_rec->error = state->tsig_error;
 287         check_rec->other_size = 0;
 288         check_rec->other_data = NULL;
 289
 290         ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
 291                 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
 292         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 293                 DEBUG(1, ("Failed to push packet: %s!\n",
 294                           ndr_errstr(ndr_err)));
 295                 return DNS_ERR(SERVER_FAILURE);
 296         }
 297
 298         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
 299                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
 300         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 301                 DEBUG(1, ("Failed to push packet: %s!\n",
 302                           ndr_errstr(ndr_err)));
 303                 return DNS_ERR(SERVER_FAILURE);
 304         }
 305
 306         if (state->tsig != NULL) {
 307                 mac_size = state->tsig->rdata.tsig_record.mac_size;
 308         }
 309
 310         buffer_len = mac_size;
 311
 312         buffer_len += packet_blob.length;
 313         if (buffer_len < packet_blob.length) {
 314                 return WERR_INVALID_PARAMETER;
 315         }
 316         buffer_len += tsig_blob.length;
 317         if (buffer_len < tsig_blob.length) {
 318                 return WERR_INVALID_PARAMETER;
 319         }
 320
 321         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
 322         if (buffer == NULL) {
 323                 return WERR_NOT_ENOUGH_MEMORY;
 324         }
 325
 326         p = buffer;
 327
 328         /*
 329          * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
 330          * that we're going to sign:
 331          * 1. MAC of request (if present)
 332          * 2. Outgoing packet
 333          * 3. TSIG record
 334          */
 335         if (mac_size > 0) {
 336                 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
 337                 p += mac_size;
 338         }
 339
 340         memcpy(p, packet_blob.data, packet_blob.length);
 341         p += packet_blob.length;
 342
 343         memcpy(p, tsig_blob.data, tsig_blob.length);
 344
 345         status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
 346                                     buffer, buffer_len, &sig);
 347         if (!NT_STATUS_IS_OK(status)) {
 348                 return ntstatus_to_werror(status);
 349         }
 350
 351         *_psig = sig;
 352         return WERR_OK;
 353 }
 354
 355 WERROR dns_sign_tsig(struct dns_server *dns,
 356                      TALLOC_CTX *mem_ctx,
 357                      struct dns_request_state *state,
 358                      struct dns_name_packet *packet,
 359                      uint16_t error)
 360 {
 361         WERROR werror;
 362         time_t current_time = time(NULL);
 363         struct dns_res_rec *tsig = NULL;
 364         DATA_BLOB sig = (DATA_BLOB) {
 365                 .data = NULL,
 366                 .length = 0
 367         };
 368
 369         tsig = talloc_zero(mem_ctx, struct dns_res_rec);
 370         if (tsig == NULL) {
 371                 return WERR_NOT_ENOUGH_MEMORY;
 372         }
 373
 374         if (state->tsig_error == DNS_RCODE_OK) {
 375                 struct dns_server_tkey *tkey = dns_find_tkey(
 376                         dns->tkeys, state->key_name);
 377                 if (tkey == NULL) {
 378                         return DNS_ERR(SERVER_FAILURE);
 379                 }
 380
 381                 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
 382                                               tkey, current_time, &sig);
 383                 if (!W_ERROR_IS_OK(werror)) {
 384                         return werror;
 385                 }
 386         }
 387
 388         tsig->name = talloc_strdup(tsig, state->key_name);
 389         if (tsig->name == NULL) {
 390                 return WERR_NOT_ENOUGH_MEMORY;
 391         }
 392         tsig->rr_class = DNS_QCLASS_ANY;
 393         tsig->rr_type = DNS_QTYPE_TSIG;
 394         tsig->ttl = 0;
 395         tsig->length = UINT16_MAX;
 396         tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
 397         tsig->rdata.tsig_record.time_prefix = 0;
 398         tsig->rdata.tsig_record.time = current_time;
 399         tsig->rdata.tsig_record.fudge = 300;
 400         tsig->rdata.tsig_record.error = state->tsig_error;
 401         tsig->rdata.tsig_record.original_id = packet->id;
 402         tsig->rdata.tsig_record.other_size = 0;
 403         tsig->rdata.tsig_record.other_data = NULL;
 404         if (sig.length > 0) {
 405                 tsig->rdata.tsig_record.mac_size = sig.length;
 406                 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
 407         }
 408
 409         if (packet->arcount == 0) {
 410                 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
 411                 if (packet->additional == NULL) {
 412                         return WERR_NOT_ENOUGH_MEMORY;
 413                 }
 414         }
 415         packet->additional = talloc_realloc(mem_ctx, packet->additional,
 416                                             struct dns_res_rec,
 417                                             packet->arcount + 1);
 418         if (packet->additional == NULL) {
 419                 return WERR_NOT_ENOUGH_MEMORY;
 420         }
 421
 422         werror = dns_copy_tsig(mem_ctx, tsig,
 423                                &packet->additional[packet->arcount]);
 424         if (!W_ERROR_IS_OK(werror)) {
 425                 return werror;
 426         }
 427         packet->arcount++;
 428
 429         return WERR_OK;
 430 }