search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
[samba4-gss.git] / source4 / dns_server / dns_crypto.c
blobd30e971508631ec6fec7aec55a60a9143e03cf49
1 /*
2 Unix SMB/CIFS implementation.
3
4 DNS server handler for signed packets
5
6 Copyright (C) 2012 Kai Blin <kai@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "system/network.h"
24 #include "librpc/ndr/libndr.h"
25 #include "librpc/gen_ndr/ndr_dns.h"
26 #include "dns_server/dns_server.h"
27 #include "libcli/util/ntstatus.h"
28 #include "auth/auth.h"
29 #include "auth/gensec/gensec.h"
30 #include "lib/util/bytearray.h"
31
32 #undef DBGC_CLASS
33 #define DBGC_CLASS DBGC_DNS
34
35 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
36 struct dns_res_rec *old,
37 struct dns_res_rec *new_rec)
38 {
39 new_rec->name = talloc_strdup(mem_ctx, old->name);
40 W_ERROR_HAVE_NO_MEMORY(new_rec->name);
41
42 new_rec->rr_type = old->rr_type;
43 new_rec->rr_class = old->rr_class;
44 new_rec->ttl = old->ttl;
45 new_rec->length = old->length;
46 new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
47 old->rdata.tsig_record.algorithm_name);
48 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
49
50 new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
51 new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
52 new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
53 new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
54 new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
55 old->rdata.tsig_record.mac,
56 old->rdata.tsig_record.mac_size);
57 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
58
59 new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
60 new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
61 new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
62 new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
63 old->rdata.tsig_record.other_data,
64 old->rdata.tsig_record.other_size);
65 W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
66
67 return WERR_OK;
68 }
69
70 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
71 const char *name)
72 {
73 struct dns_server_tkey *tkey = NULL;
74 uint16_t i = 0;
75
76 do {
77 struct dns_server_tkey *tmp_key = store->tkeys[i];
78
79 i++;
80 i %= TKEY_BUFFER_SIZE;
81
82 if (tmp_key == NULL) {
83 continue;
84 }
85 if (samba_dns_name_equal(name, tmp_key->name)) {
86 tkey = tmp_key;
87 break;
88 }
89 } while (i != 0);
90
91 return tkey;
92 }
93
94 WERROR dns_verify_tsig(struct dns_server *dns,
95 TALLOC_CTX *mem_ctx,
96 struct dns_request_state *state,
97 struct dns_name_packet *packet,
98 DATA_BLOB *in)
99 {
100 WERROR werror;
101 NTSTATUS status;
102 enum ndr_err_code ndr_err;
103 uint16_t i, arcount = 0;
104 DATA_BLOB tsig_blob, fake_tsig_blob, sig;
105 uint8_t *buffer = NULL;
106 size_t buffer_len = 0, packet_len = 0;
107 struct dns_server_tkey *tkey = NULL;
108 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
109 struct dns_fake_tsig_rec);
110 const char *algorithm = NULL;
111
112 /* Find the first TSIG record in the additional records */
113 for (i=0; i < packet->arcount; i++) {
114 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
115 break;
116 }
117 }
118
119 if (i == packet->arcount) {
120 /* no TSIG around */
121 return WERR_OK;
122 }
123
124 /* The TSIG record needs to be the last additional record */
125 if (i + 1 != packet->arcount) {
126 DEBUG(1, ("TSIG record not the last additional record!\n"));
127 return DNS_ERR(FORMAT_ERROR);
128 }
129
130 /* We got a TSIG, so we need to sign our reply */
131 state->sign = true;
132 DBG_DEBUG("Got TSIG\n");
133
134 state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
135 if (state->tsig == NULL) {
136 return WERR_NOT_ENOUGH_MEMORY;
137 }
138
139 werror = dns_copy_tsig(state->tsig, &packet->additional[i],
140 state->tsig);
141 if (!W_ERROR_IS_OK(werror)) {
142 return werror;
143 }
144
145 packet->arcount--;
146
147 tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
148 if (tkey == NULL) {
149 DBG_DEBUG("dns_find_tkey() => REFUSED / DNS_RCODE_BADKEY\n");
150 /*
151 * We must save the name for use in the TSIG error
152 * response and have no choice here but to save the
153 * keyname from the TSIG request.
154 */
155 state->key_name = talloc_strdup(state->mem_ctx,
156 state->tsig->name);
157 if (state->key_name == NULL) {
158 return WERR_NOT_ENOUGH_MEMORY;
159 }
160 state->tsig_error = DNS_RCODE_BADKEY;
161 return DNS_ERR(REFUSED);
162 }
163 DBG_DEBUG("dns_find_tkey() => found\n");
164
165 algorithm = state->tsig->rdata.tsig_record.algorithm_name;
166 if (strcmp(algorithm, "gss-tsig") == 0) {
167 /* ok */
168 } else if (strcmp(algorithm, "gss.microsoft.com") == 0) {
169 /* ok */
170 } else {
171 state->tsig_error = DNS_RCODE_BADKEY;
172 return DNS_ERR(REFUSED);
173 }
174
175 /*
176 * Remember the keyname that found an existing tkey, used
177 * later to fetch the key with dns_find_tkey() when signing
178 * and adding a TSIG record with MAC.
179 */
180 state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
181 if (state->key_name == NULL) {
182 return WERR_NOT_ENOUGH_MEMORY;
183 }
184
185 /* FIXME: check TSIG here */
186 if (check_rec == NULL) {
187 return WERR_NOT_ENOUGH_MEMORY;
188 }
189
190 /* first build and verify check packet */
191 check_rec->name = talloc_strdup(check_rec, tkey->name);
192 if (check_rec->name == NULL) {
193 return WERR_NOT_ENOUGH_MEMORY;
194 }
195 check_rec->rr_class = DNS_QCLASS_ANY;
196 check_rec->ttl = 0;
197 check_rec->algorithm_name = talloc_strdup(check_rec, algorithm);
198 if (check_rec->algorithm_name == NULL) {
199 return WERR_NOT_ENOUGH_MEMORY;
200 }
201 check_rec->time_prefix = 0;
202 check_rec->time = state->tsig->rdata.tsig_record.time;
203 check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
204 check_rec->error = 0;
205 check_rec->other_size = 0;
206 check_rec->other_data = NULL;
207
208 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
209 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
210 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
211 DEBUG(1, ("Failed to push packet: %s!\n",
212 ndr_errstr(ndr_err)));
213 return DNS_ERR(SERVER_FAILURE);
214 }
215
216 ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
217 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
218 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
219 DEBUG(1, ("Failed to push packet: %s!\n",
220 ndr_errstr(ndr_err)));
221 return DNS_ERR(SERVER_FAILURE);
222 }
223
224 /* we need to work some magic here. we need to keep the input packet
225 * exactly like we got it, but we need to cut off the tsig record */
226 packet_len = in->length - tsig_blob.length;
227 buffer_len = packet_len + fake_tsig_blob.length;
228 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
229 if (buffer == NULL) {
230 return WERR_NOT_ENOUGH_MEMORY;
231 }
232
233 memcpy(buffer, in->data, packet_len);
234 memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
235
236 sig.length = state->tsig->rdata.tsig_record.mac_size;
237 sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
238 if (sig.data == NULL) {
239 return WERR_NOT_ENOUGH_MEMORY;
240 }
241
242 /* Now we also need to count down the additional record counter */
243 arcount = RSVAL(buffer, 10);
244 RSSVAL(buffer, 10, arcount-1);
245
246 status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
247 buffer, buffer_len, &sig);
248 if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
249 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
250 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
251 DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
252 state->tsig_error = DNS_RCODE_BADSIG;
253 return DNS_ERR(REFUSED);
254 }
255
256 if (!NT_STATUS_IS_OK(status)) {
257 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
258 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
259 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
260 return ntstatus_to_werror(status);
261 }
262
263 state->authenticated = true;
264
265 DBG_DEBUG("AUTHENTICATED\n");
266 return WERR_OK;
267 }
268
269 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
270 struct dns_request_state *state,
271 struct dns_name_packet *packet,
272 struct dns_server_tkey *tkey,
273 time_t current_time,
274 DATA_BLOB *_psig)
275 {
276 NTSTATUS status;
277 enum ndr_err_code ndr_err;
278 DATA_BLOB packet_blob, tsig_blob, sig;
279 uint8_t *buffer = NULL;
280 uint8_t *p = NULL;
281 size_t buffer_len = 0;
282 struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
283 struct dns_fake_tsig_rec);
284 size_t mac_size = 0;
285 bool gss_tsig;
286
287 if (check_rec == NULL) {
288 return WERR_NOT_ENOUGH_MEMORY;
289 }
290
291 if (strcmp(tkey->algorithm, "gss-tsig") == 0) {
292 gss_tsig = true;
293 } else {
294 /* gss.microsoft.com */
295 gss_tsig = false;
296 }
297
298 /* first build and verify check packet */
299 check_rec->name = talloc_strdup(check_rec, tkey->name);
300 if (check_rec->name == NULL) {
301 return WERR_NOT_ENOUGH_MEMORY;
302 }
303 check_rec->rr_class = DNS_QCLASS_ANY;
304 check_rec->ttl = 0;
305 check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
306 if (check_rec->algorithm_name == NULL) {
307 return WERR_NOT_ENOUGH_MEMORY;
308 }
309 check_rec->time_prefix = 0;
310 check_rec->time = current_time;
311 check_rec->fudge = 300;
312 check_rec->error = state->tsig_error;
313 check_rec->other_size = 0;
314 check_rec->other_data = NULL;
315
316 ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
317 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
318 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
319 DEBUG(1, ("Failed to push packet: %s!\n",
320 ndr_errstr(ndr_err)));
321 return DNS_ERR(SERVER_FAILURE);
322 }
323
324 ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
325 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
326 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
327 DEBUG(1, ("Failed to push packet: %s!\n",
328 ndr_errstr(ndr_err)));
329 return DNS_ERR(SERVER_FAILURE);
330 }
331
332 if (state->tsig != NULL) {
333 mac_size = state->tsig->rdata.tsig_record.mac_size;
334 }
335
336 buffer_len = mac_size;
337 if (gss_tsig && mac_size > 0) {
338 buffer_len += 2;
339 }
340
341 buffer_len += packet_blob.length;
342 if (buffer_len < packet_blob.length) {
343 return WERR_INVALID_PARAMETER;
344 }
345 buffer_len += tsig_blob.length;
346 if (buffer_len < tsig_blob.length) {
347 return WERR_INVALID_PARAMETER;
348 }
349
350 buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
351 if (buffer == NULL) {
352 return WERR_NOT_ENOUGH_MEMORY;
353 }
354
355 p = buffer;
356
357 /*
358 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
359 * that we're going to sign:
360 * 1. if MAC of request is present
361 * - 16bit big endian length of MAC of request
362 * - MAC of request
363 * 2. Outgoing packet
364 * 3. TSIG record
365 */
366 if (mac_size > 0) {
367 if (gss_tsig) {
368 /*
369 * only gss-tsig not with
370 * gss.microsoft.com
371 */
372 PUSH_BE_U16(p, 0, mac_size);
373 p += 2;
374 }
375 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
376 p += mac_size;
377 }
378
379 memcpy(p, packet_blob.data, packet_blob.length);
380 p += packet_blob.length;
381
382 memcpy(p, tsig_blob.data, tsig_blob.length);
383
384 status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
385 buffer, buffer_len, &sig);
386 if (!NT_STATUS_IS_OK(status)) {
387 return ntstatus_to_werror(status);
388 }
389
390 *_psig = sig;
391 return WERR_OK;
392 }
393
394 WERROR dns_sign_tsig(struct dns_server *dns,
395 TALLOC_CTX *mem_ctx,
396 struct dns_request_state *state,
397 struct dns_name_packet *packet,
398 uint16_t error)
399 {
400 WERROR werror;
401 time_t current_time = time(NULL);
402 struct dns_res_rec *tsig = NULL;
403 DATA_BLOB sig = (DATA_BLOB) {
404 .data = NULL,
405 .length = 0
406 };
407 const char *algorithm = "gss-tsig";
408
409 tsig = talloc_zero(mem_ctx, struct dns_res_rec);
410 if (tsig == NULL) {
411 return WERR_NOT_ENOUGH_MEMORY;
412 }
413
414 if (state->tsig_error == DNS_RCODE_OK) {
415 struct dns_server_tkey *tkey = dns_find_tkey(
416 dns->tkeys, state->key_name);
417 if (tkey == NULL) {
418 DBG_WARNING("dns_find_tkey() => NULL)\n");
419 return DNS_ERR(SERVER_FAILURE);
420 }
421
422 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
423 tkey, current_time, &sig);
424 DBG_DEBUG("dns_tsig_compute_mac() => %s\n", win_errstr(werror));
425 if (!W_ERROR_IS_OK(werror)) {
426 return werror;
427 }
428
429 algorithm = tkey->algorithm;
430 }
431
432 tsig->name = talloc_strdup(tsig, state->key_name);
433 if (tsig->name == NULL) {
434 return WERR_NOT_ENOUGH_MEMORY;
435 }
436 tsig->rr_class = DNS_QCLASS_ANY;
437 tsig->rr_type = DNS_QTYPE_TSIG;
438 tsig->ttl = 0;
439 tsig->length = UINT16_MAX;
440 tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, algorithm);
441 if (tsig->rdata.tsig_record.algorithm_name == NULL) {
442 return WERR_NOT_ENOUGH_MEMORY;
443 }
444 tsig->rdata.tsig_record.time_prefix = 0;
445 tsig->rdata.tsig_record.time = current_time;
446 tsig->rdata.tsig_record.fudge = 300;
447 tsig->rdata.tsig_record.error = state->tsig_error;
448 tsig->rdata.tsig_record.original_id = packet->id;
449 tsig->rdata.tsig_record.other_size = 0;
450 tsig->rdata.tsig_record.other_data = NULL;
451 if (sig.length > 0) {
452 tsig->rdata.tsig_record.mac_size = sig.length;
453 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
454 if (tsig->rdata.tsig_record.mac == NULL) {
455 return WERR_NOT_ENOUGH_MEMORY;
456 }
457 }
458
459 DBG_DEBUG("sig.length=%zu\n", sig.length);
460
461 if (packet->arcount == 0) {
462 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
463 if (packet->additional == NULL) {
464 return WERR_NOT_ENOUGH_MEMORY;
465 }
466 }
467 packet->additional = talloc_realloc(mem_ctx, packet->additional,
468 struct dns_res_rec,
469 packet->arcount + 1);
470 if (packet->additional == NULL) {
471 return WERR_NOT_ENOUGH_MEMORY;
472 }
473
474 werror = dns_copy_tsig(mem_ctx, tsig,
475 &packet->additional[packet->arcount]);
476 DBG_DEBUG("dns_copy_tsig() => %s\n", win_errstr(werror));
477 if (!W_ERROR_IS_OK(werror)) {
478 return werror;
479 }
480 packet->arcount++;
481
482 return WERR_OK;
483 }
GSS-enabled samba4