Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : DNS server handler for signed packets
5 :
6 : Copyright (C) 2012 Kai Blin <kai@samba.org>
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "system/network.h"
24 : #include "librpc/ndr/libndr.h"
25 : #include "librpc/gen_ndr/ndr_dns.h"
26 : #include "dns_server/dns_server.h"
27 : #include "libcli/util/ntstatus.h"
28 : #include "auth/auth.h"
29 : #include "auth/gensec/gensec.h"
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_DNS
33 :
34 180 : static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
35 : struct dns_res_rec *old,
36 : struct dns_res_rec *new_rec)
37 : {
38 180 : new_rec->name = talloc_strdup(mem_ctx, old->name);
39 180 : W_ERROR_HAVE_NO_MEMORY(new_rec->name);
40 :
41 180 : new_rec->rr_type = old->rr_type;
42 180 : new_rec->rr_class = old->rr_class;
43 180 : new_rec->ttl = old->ttl;
44 180 : new_rec->length = old->length;
45 180 : new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
46 : old->rdata.tsig_record.algorithm_name);
47 180 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
48 :
49 180 : new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
50 180 : new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
51 180 : new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
52 180 : new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
53 180 : new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
54 : old->rdata.tsig_record.mac,
55 : old->rdata.tsig_record.mac_size);
56 180 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
57 :
58 180 : new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
59 180 : new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
60 180 : new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
61 180 : new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
62 : old->rdata.tsig_record.other_data,
63 : old->rdata.tsig_record.other_size);
64 180 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
65 :
66 180 : return WERR_OK;
67 : }
68 :
69 292 : struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
70 : const char *name)
71 : {
72 292 : struct dns_server_tkey *tkey = NULL;
73 292 : uint16_t i = 0;
74 :
75 : do {
76 9034 : struct dns_server_tkey *tmp_key = store->tkeys[i];
77 :
78 9034 : i++;
79 9034 : i %= TKEY_BUFFER_SIZE;
80 :
81 9034 : if (tmp_key == NULL) {
82 7711 : continue;
83 : }
84 1323 : if (samba_dns_name_equal(name, tmp_key->name)) {
85 230 : tkey = tmp_key;
86 230 : break;
87 : }
88 8804 : } while (i != 0);
89 :
90 292 : return tkey;
91 : }
92 :
93 2537 : WERROR dns_verify_tsig(struct dns_server *dns,
94 : TALLOC_CTX *mem_ctx,
95 : struct dns_request_state *state,
96 : struct dns_name_packet *packet,
97 : DATA_BLOB *in)
98 : {
99 : WERROR werror;
100 : NTSTATUS status;
101 : enum ndr_err_code ndr_err;
102 2537 : uint16_t i, arcount = 0;
103 : DATA_BLOB tsig_blob, fake_tsig_blob, sig;
104 2537 : uint8_t *buffer = NULL;
105 2537 : size_t buffer_len = 0, packet_len = 0;
106 2537 : struct dns_server_tkey *tkey = NULL;
107 2537 : struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
108 : struct dns_fake_tsig_rec);
109 :
110 :
111 : /* Find the first TSIG record in the additional records */
112 2611 : for (i=0; i < packet->arcount; i++) {
113 136 : if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
114 62 : break;
115 : }
116 : }
117 :
118 2537 : if (i == packet->arcount) {
119 : /* no TSIG around */
120 2475 : return WERR_OK;
121 : }
122 :
123 : /* The TSIG record needs to be the last additional record */
124 62 : if (i + 1 != packet->arcount) {
125 0 : DEBUG(1, ("TSIG record not the last additional record!\n"));
126 0 : return DNS_ERR(FORMAT_ERROR);
127 : }
128 :
129 : /* We got a TSIG, so we need to sign our reply */
130 62 : state->sign = true;
131 :
132 62 : state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
133 62 : if (state->tsig == NULL) {
134 0 : return WERR_NOT_ENOUGH_MEMORY;
135 : }
136 :
137 62 : werror = dns_copy_tsig(state->tsig, &packet->additional[i],
138 : state->tsig);
139 62 : if (!W_ERROR_IS_OK(werror)) {
140 0 : return werror;
141 : }
142 :
143 62 : packet->arcount--;
144 :
145 62 : tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
146 62 : if (tkey == NULL) {
147 : /*
148 : * We must save the name for use in the TSIG error
149 : * response and have no choice here but to save the
150 : * keyname from the TSIG request.
151 : */
152 4 : state->key_name = talloc_strdup(state->mem_ctx,
153 2 : state->tsig->name);
154 2 : if (state->key_name == NULL) {
155 0 : return WERR_NOT_ENOUGH_MEMORY;
156 : }
157 2 : state->tsig_error = DNS_RCODE_BADKEY;
158 2 : return DNS_ERR(NOTAUTH);
159 : }
160 :
161 : /*
162 : * Remember the keyname that found an existing tkey, used
163 : * later to fetch the key with dns_find_tkey() when signing
164 : * and adding a TSIG record with MAC.
165 : */
166 60 : state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
167 60 : if (state->key_name == NULL) {
168 0 : return WERR_NOT_ENOUGH_MEMORY;
169 : }
170 :
171 : /* FIXME: check TSIG here */
172 60 : if (check_rec == NULL) {
173 0 : return WERR_NOT_ENOUGH_MEMORY;
174 : }
175 :
176 : /* first build and verify check packet */
177 60 : check_rec->name = talloc_strdup(check_rec, tkey->name);
178 60 : if (check_rec->name == NULL) {
179 0 : return WERR_NOT_ENOUGH_MEMORY;
180 : }
181 60 : check_rec->rr_class = DNS_QCLASS_ANY;
182 60 : check_rec->ttl = 0;
183 60 : check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
184 60 : if (check_rec->algorithm_name == NULL) {
185 0 : return WERR_NOT_ENOUGH_MEMORY;
186 : }
187 60 : check_rec->time_prefix = 0;
188 60 : check_rec->time = state->tsig->rdata.tsig_record.time;
189 60 : check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
190 60 : check_rec->error = 0;
191 60 : check_rec->other_size = 0;
192 60 : check_rec->other_data = NULL;
193 :
194 60 : ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
195 : (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
196 60 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
197 0 : DEBUG(1, ("Failed to push packet: %s!\n",
198 : ndr_errstr(ndr_err)));
199 0 : return DNS_ERR(SERVER_FAILURE);
200 : }
201 :
202 60 : ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
203 : (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
204 60 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
205 0 : DEBUG(1, ("Failed to push packet: %s!\n",
206 : ndr_errstr(ndr_err)));
207 0 : return DNS_ERR(SERVER_FAILURE);
208 : }
209 :
210 : /* we need to work some magic here. we need to keep the input packet
211 : * exactly like we got it, but we need to cut off the tsig record */
212 60 : packet_len = in->length - tsig_blob.length;
213 60 : buffer_len = packet_len + fake_tsig_blob.length;
214 60 : buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
215 60 : if (buffer == NULL) {
216 0 : return WERR_NOT_ENOUGH_MEMORY;
217 : }
218 :
219 60 : memcpy(buffer, in->data, packet_len);
220 60 : memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
221 :
222 60 : sig.length = state->tsig->rdata.tsig_record.mac_size;
223 60 : sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
224 60 : if (sig.data == NULL) {
225 0 : return WERR_NOT_ENOUGH_MEMORY;
226 : }
227 :
228 : /* Now we also need to count down the additional record counter */
229 60 : arcount = RSVAL(buffer, 10);
230 60 : RSSVAL(buffer, 10, arcount-1);
231 :
232 60 : status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
233 : buffer, buffer_len, &sig);
234 60 : if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
235 2 : state->tsig_error = DNS_RCODE_BADSIG;
236 2 : return DNS_ERR(NOTAUTH);
237 : }
238 :
239 58 : if (!NT_STATUS_IS_OK(status)) {
240 0 : DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
241 0 : return ntstatus_to_werror(status);
242 : }
243 :
244 58 : state->authenticated = true;
245 :
246 58 : return WERR_OK;
247 : }
248 :
249 114 : static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
250 : struct dns_request_state *state,
251 : struct dns_name_packet *packet,
252 : struct dns_server_tkey *tkey,
253 : time_t current_time,
254 : DATA_BLOB *_psig)
255 : {
256 : NTSTATUS status;
257 : enum ndr_err_code ndr_err;
258 : DATA_BLOB packet_blob, tsig_blob, sig;
259 114 : uint8_t *buffer = NULL;
260 114 : uint8_t *p = NULL;
261 114 : size_t buffer_len = 0;
262 114 : struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
263 : struct dns_fake_tsig_rec);
264 114 : size_t mac_size = 0;
265 :
266 114 : if (check_rec == NULL) {
267 0 : return WERR_NOT_ENOUGH_MEMORY;
268 : }
269 :
270 : /* first build and verify check packet */
271 114 : check_rec->name = talloc_strdup(check_rec, tkey->name);
272 114 : if (check_rec->name == NULL) {
273 0 : return WERR_NOT_ENOUGH_MEMORY;
274 : }
275 114 : check_rec->rr_class = DNS_QCLASS_ANY;
276 114 : check_rec->ttl = 0;
277 114 : check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
278 114 : if (check_rec->algorithm_name == NULL) {
279 0 : return WERR_NOT_ENOUGH_MEMORY;
280 : }
281 114 : check_rec->time_prefix = 0;
282 114 : check_rec->time = current_time;
283 114 : check_rec->fudge = 300;
284 114 : check_rec->error = state->tsig_error;
285 114 : check_rec->other_size = 0;
286 114 : check_rec->other_data = NULL;
287 :
288 114 : ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
289 : (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
290 114 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
291 0 : DEBUG(1, ("Failed to push packet: %s!\n",
292 : ndr_errstr(ndr_err)));
293 0 : return DNS_ERR(SERVER_FAILURE);
294 : }
295 :
296 114 : ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
297 : (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
298 114 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
299 0 : DEBUG(1, ("Failed to push packet: %s!\n",
300 : ndr_errstr(ndr_err)));
301 0 : return DNS_ERR(SERVER_FAILURE);
302 : }
303 :
304 114 : if (state->tsig != NULL) {
305 54 : mac_size = state->tsig->rdata.tsig_record.mac_size;
306 : }
307 :
308 114 : buffer_len = mac_size;
309 :
310 114 : buffer_len += packet_blob.length;
311 114 : if (buffer_len < packet_blob.length) {
312 0 : return WERR_INVALID_PARAMETER;
313 : }
314 114 : buffer_len += tsig_blob.length;
315 114 : if (buffer_len < tsig_blob.length) {
316 0 : return WERR_INVALID_PARAMETER;
317 : }
318 :
319 114 : buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
320 114 : if (buffer == NULL) {
321 0 : return WERR_NOT_ENOUGH_MEMORY;
322 : }
323 :
324 114 : p = buffer;
325 :
326 : /*
327 : * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
328 : * that we're going to sign:
329 : * 1. MAC of request (if present)
330 : * 2. Outgoing packet
331 : * 3. TSIG record
332 : */
333 114 : if (mac_size > 0) {
334 54 : memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
335 54 : p += mac_size;
336 : }
337 :
338 114 : memcpy(p, packet_blob.data, packet_blob.length);
339 114 : p += packet_blob.length;
340 :
341 114 : memcpy(p, tsig_blob.data, tsig_blob.length);
342 :
343 114 : status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
344 : buffer, buffer_len, &sig);
345 114 : if (!NT_STATUS_IS_OK(status)) {
346 0 : return ntstatus_to_werror(status);
347 : }
348 :
349 114 : *_psig = sig;
350 114 : return WERR_OK;
351 : }
352 :
353 118 : WERROR dns_sign_tsig(struct dns_server *dns,
354 : TALLOC_CTX *mem_ctx,
355 : struct dns_request_state *state,
356 : struct dns_name_packet *packet,
357 : uint16_t error)
358 : {
359 : WERROR werror;
360 118 : time_t current_time = time(NULL);
361 118 : struct dns_res_rec *tsig = NULL;
362 118 : DATA_BLOB sig = (DATA_BLOB) {
363 : .data = NULL,
364 : .length = 0
365 : };
366 :
367 118 : tsig = talloc_zero(mem_ctx, struct dns_res_rec);
368 118 : if (tsig == NULL) {
369 0 : return WERR_NOT_ENOUGH_MEMORY;
370 : }
371 :
372 118 : if (state->tsig_error == DNS_RCODE_OK) {
373 114 : struct dns_server_tkey *tkey = dns_find_tkey(
374 114 : dns->tkeys, state->key_name);
375 114 : if (tkey == NULL) {
376 0 : return DNS_ERR(SERVER_FAILURE);
377 : }
378 :
379 114 : werror = dns_tsig_compute_mac(mem_ctx, state, packet,
380 : tkey, current_time, &sig);
381 114 : if (!W_ERROR_IS_OK(werror)) {
382 0 : return werror;
383 : }
384 : }
385 :
386 118 : tsig->name = talloc_strdup(tsig, state->key_name);
387 118 : if (tsig->name == NULL) {
388 0 : return WERR_NOT_ENOUGH_MEMORY;
389 : }
390 118 : tsig->rr_class = DNS_QCLASS_ANY;
391 118 : tsig->rr_type = DNS_QTYPE_TSIG;
392 118 : tsig->ttl = 0;
393 118 : tsig->length = UINT16_MAX;
394 118 : tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
395 118 : if (tsig->rdata.tsig_record.algorithm_name == NULL) {
396 0 : return WERR_NOT_ENOUGH_MEMORY;
397 : }
398 118 : tsig->rdata.tsig_record.time_prefix = 0;
399 118 : tsig->rdata.tsig_record.time = current_time;
400 118 : tsig->rdata.tsig_record.fudge = 300;
401 118 : tsig->rdata.tsig_record.error = state->tsig_error;
402 118 : tsig->rdata.tsig_record.original_id = packet->id;
403 118 : tsig->rdata.tsig_record.other_size = 0;
404 118 : tsig->rdata.tsig_record.other_data = NULL;
405 118 : if (sig.length > 0) {
406 114 : tsig->rdata.tsig_record.mac_size = sig.length;
407 114 : tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
408 114 : if (tsig->rdata.tsig_record.mac == NULL) {
409 0 : return WERR_NOT_ENOUGH_MEMORY;
410 : }
411 : }
412 :
413 118 : if (packet->arcount == 0) {
414 118 : packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
415 118 : if (packet->additional == NULL) {
416 0 : return WERR_NOT_ENOUGH_MEMORY;
417 : }
418 : }
419 118 : packet->additional = talloc_realloc(mem_ctx, packet->additional,
420 : struct dns_res_rec,
421 : packet->arcount + 1);
422 118 : if (packet->additional == NULL) {
423 0 : return WERR_NOT_ENOUGH_MEMORY;
424 : }
425 :
426 118 : werror = dns_copy_tsig(mem_ctx, tsig,
427 118 : &packet->additional[packet->arcount]);
428 118 : if (!W_ERROR_IS_OK(werror)) {
429 0 : return werror;
430 : }
431 118 : packet->arcount++;
432 :
433 118 : return WERR_OK;
434 : }
|
