Line data Source code
1 : /*
2 : Unix SMB/CIFS implementation.
3 :
4 : DNS server handler for signed packets
5 :
6 : Copyright (C) 2012 Kai Blin <kai@samba.org>
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "includes.h"
23 : #include "system/network.h"
24 : #include "librpc/ndr/libndr.h"
25 : #include "librpc/gen_ndr/ndr_dns.h"
26 : #include "dns_server/dns_server.h"
27 : #include "libcli/util/ntstatus.h"
28 : #include "auth/auth.h"
29 : #include "auth/gensec/gensec.h"
30 :
31 : #undef DBGC_CLASS
32 : #define DBGC_CLASS DBGC_DNS
33 :
34 257 : static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
35 : struct dns_res_rec *old,
36 : struct dns_res_rec *new_rec)
37 : {
38 257 : new_rec->name = talloc_strdup(mem_ctx, old->name);
39 257 : W_ERROR_HAVE_NO_MEMORY(new_rec->name);
40 :
41 257 : new_rec->rr_type = old->rr_type;
42 257 : new_rec->rr_class = old->rr_class;
43 257 : new_rec->ttl = old->ttl;
44 257 : new_rec->length = old->length;
45 257 : new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
46 : old->rdata.tsig_record.algorithm_name);
47 257 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
48 :
49 257 : new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
50 257 : new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
51 257 : new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
52 257 : new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
53 257 : new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
54 : old->rdata.tsig_record.mac,
55 : old->rdata.tsig_record.mac_size);
56 257 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
57 :
58 257 : new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
59 257 : new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
60 257 : new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
61 257 : new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
62 : old->rdata.tsig_record.other_data,
63 : old->rdata.tsig_record.other_size);
64 257 : W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
65 :
66 257 : return WERR_OK;
67 : }
68 :
69 433 : struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
70 : const char *name)
71 : {
72 433 : struct dns_server_tkey *tkey = NULL;
73 433 : uint16_t i = 0;
74 :
75 0 : do {
76 13932 : struct dns_server_tkey *tmp_key = store->tkeys[i];
77 :
78 13932 : i++;
79 13932 : i %= TKEY_BUFFER_SIZE;
80 :
81 13932 : if (tmp_key == NULL) {
82 11451 : continue;
83 : }
84 2481 : if (samba_dns_name_equal(name, tmp_key->name)) {
85 340 : tkey = tmp_key;
86 340 : break;
87 : }
88 13592 : } while (i != 0);
89 :
90 433 : return tkey;
91 : }
92 :
93 4264 : WERROR dns_verify_tsig(struct dns_server *dns,
94 : TALLOC_CTX *mem_ctx,
95 : struct dns_request_state *state,
96 : struct dns_name_packet *packet,
97 : DATA_BLOB *in)
98 : {
99 0 : WERROR werror;
100 0 : NTSTATUS status;
101 0 : enum ndr_err_code ndr_err;
102 4264 : uint16_t i, arcount = 0;
103 0 : DATA_BLOB tsig_blob, fake_tsig_blob, sig;
104 4264 : uint8_t *buffer = NULL;
105 4264 : size_t buffer_len = 0, packet_len = 0;
106 4264 : struct dns_server_tkey *tkey = NULL;
107 4264 : struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
108 : struct dns_fake_tsig_rec);
109 :
110 :
111 : /* Find the first TSIG record in the additional records */
112 4381 : for (i=0; i < packet->arcount; i++) {
113 210 : if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
114 93 : break;
115 : }
116 : }
117 :
118 4264 : if (i == packet->arcount) {
119 : /* no TSIG around */
120 4171 : return WERR_OK;
121 : }
122 :
123 : /* The TSIG record needs to be the last additional record */
124 93 : if (i + 1 != packet->arcount) {
125 0 : DEBUG(1, ("TSIG record not the last additional record!\n"));
126 0 : return DNS_ERR(FORMAT_ERROR);
127 : }
128 :
129 : /* We got a TSIG, so we need to sign our reply */
130 93 : state->sign = true;
131 93 : DBG_DEBUG("Got TSIG\n");
132 :
133 93 : state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
134 93 : if (state->tsig == NULL) {
135 0 : return WERR_NOT_ENOUGH_MEMORY;
136 : }
137 :
138 93 : werror = dns_copy_tsig(state->tsig, &packet->additional[i],
139 : state->tsig);
140 93 : if (!W_ERROR_IS_OK(werror)) {
141 0 : return werror;
142 : }
143 :
144 93 : packet->arcount--;
145 :
146 93 : tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
147 93 : if (tkey == NULL) {
148 2 : DBG_DEBUG("dns_find_tkey() => NOTAUTH / DNS_RCODE_BADKEY\n");
149 : /*
150 : * We must save the name for use in the TSIG error
151 : * response and have no choice here but to save the
152 : * keyname from the TSIG request.
153 : */
154 4 : state->key_name = talloc_strdup(state->mem_ctx,
155 2 : state->tsig->name);
156 2 : if (state->key_name == NULL) {
157 0 : return WERR_NOT_ENOUGH_MEMORY;
158 : }
159 2 : state->tsig_error = DNS_RCODE_BADKEY;
160 2 : return DNS_ERR(NOTAUTH);
161 : }
162 91 : DBG_DEBUG("dns_find_tkey() => found\n");
163 :
164 : /*
165 : * Remember the keyname that found an existing tkey, used
166 : * later to fetch the key with dns_find_tkey() when signing
167 : * and adding a TSIG record with MAC.
168 : */
169 91 : state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
170 91 : if (state->key_name == NULL) {
171 0 : return WERR_NOT_ENOUGH_MEMORY;
172 : }
173 :
174 : /* FIXME: check TSIG here */
175 91 : if (check_rec == NULL) {
176 0 : return WERR_NOT_ENOUGH_MEMORY;
177 : }
178 :
179 : /* first build and verify check packet */
180 91 : check_rec->name = talloc_strdup(check_rec, tkey->name);
181 91 : if (check_rec->name == NULL) {
182 0 : return WERR_NOT_ENOUGH_MEMORY;
183 : }
184 91 : check_rec->rr_class = DNS_QCLASS_ANY;
185 91 : check_rec->ttl = 0;
186 91 : check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
187 91 : if (check_rec->algorithm_name == NULL) {
188 0 : return WERR_NOT_ENOUGH_MEMORY;
189 : }
190 91 : check_rec->time_prefix = 0;
191 91 : check_rec->time = state->tsig->rdata.tsig_record.time;
192 91 : check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
193 91 : check_rec->error = 0;
194 91 : check_rec->other_size = 0;
195 91 : check_rec->other_data = NULL;
196 :
197 91 : ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
198 : (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
199 91 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
200 0 : DEBUG(1, ("Failed to push packet: %s!\n",
201 : ndr_errstr(ndr_err)));
202 0 : return DNS_ERR(SERVER_FAILURE);
203 : }
204 :
205 91 : ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
206 : (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
207 91 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
208 0 : DEBUG(1, ("Failed to push packet: %s!\n",
209 : ndr_errstr(ndr_err)));
210 0 : return DNS_ERR(SERVER_FAILURE);
211 : }
212 :
213 : /* we need to work some magic here. we need to keep the input packet
214 : * exactly like we got it, but we need to cut off the tsig record */
215 91 : packet_len = in->length - tsig_blob.length;
216 91 : buffer_len = packet_len + fake_tsig_blob.length;
217 91 : buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
218 91 : if (buffer == NULL) {
219 0 : return WERR_NOT_ENOUGH_MEMORY;
220 : }
221 :
222 91 : memcpy(buffer, in->data, packet_len);
223 91 : memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
224 :
225 91 : sig.length = state->tsig->rdata.tsig_record.mac_size;
226 91 : sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
227 91 : if (sig.data == NULL) {
228 0 : return WERR_NOT_ENOUGH_MEMORY;
229 : }
230 :
231 : /* Now we also need to count down the additional record counter */
232 91 : arcount = RSVAL(buffer, 10);
233 91 : RSSVAL(buffer, 10, arcount-1);
234 :
235 91 : status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
236 : buffer, buffer_len, &sig);
237 91 : if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
238 2 : dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
239 2 : dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
240 2 : DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
241 2 : state->tsig_error = DNS_RCODE_BADSIG;
242 2 : return DNS_ERR(NOTAUTH);
243 : }
244 :
245 89 : if (!NT_STATUS_IS_OK(status)) {
246 0 : dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
247 0 : dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
248 0 : DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
249 0 : return ntstatus_to_werror(status);
250 : }
251 :
252 89 : state->authenticated = true;
253 :
254 89 : DBG_DEBUG("AUTHENTICATED\n");
255 89 : return WERR_OK;
256 : }
257 :
258 160 : static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
259 : struct dns_request_state *state,
260 : struct dns_name_packet *packet,
261 : struct dns_server_tkey *tkey,
262 : time_t current_time,
263 : DATA_BLOB *_psig)
264 : {
265 0 : NTSTATUS status;
266 0 : enum ndr_err_code ndr_err;
267 0 : DATA_BLOB packet_blob, tsig_blob, sig;
268 160 : uint8_t *buffer = NULL;
269 160 : uint8_t *p = NULL;
270 160 : size_t buffer_len = 0;
271 160 : struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
272 : struct dns_fake_tsig_rec);
273 160 : size_t mac_size = 0;
274 :
275 160 : if (check_rec == NULL) {
276 0 : return WERR_NOT_ENOUGH_MEMORY;
277 : }
278 :
279 : /* first build and verify check packet */
280 160 : check_rec->name = talloc_strdup(check_rec, tkey->name);
281 160 : if (check_rec->name == NULL) {
282 0 : return WERR_NOT_ENOUGH_MEMORY;
283 : }
284 160 : check_rec->rr_class = DNS_QCLASS_ANY;
285 160 : check_rec->ttl = 0;
286 160 : check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
287 160 : if (check_rec->algorithm_name == NULL) {
288 0 : return WERR_NOT_ENOUGH_MEMORY;
289 : }
290 160 : check_rec->time_prefix = 0;
291 160 : check_rec->time = current_time;
292 160 : check_rec->fudge = 300;
293 160 : check_rec->error = state->tsig_error;
294 160 : check_rec->other_size = 0;
295 160 : check_rec->other_data = NULL;
296 :
297 160 : ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
298 : (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
299 160 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
300 0 : DEBUG(1, ("Failed to push packet: %s!\n",
301 : ndr_errstr(ndr_err)));
302 0 : return DNS_ERR(SERVER_FAILURE);
303 : }
304 :
305 160 : ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
306 : (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
307 160 : if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
308 0 : DEBUG(1, ("Failed to push packet: %s!\n",
309 : ndr_errstr(ndr_err)));
310 0 : return DNS_ERR(SERVER_FAILURE);
311 : }
312 :
313 160 : if (state->tsig != NULL) {
314 69 : mac_size = state->tsig->rdata.tsig_record.mac_size;
315 : }
316 :
317 160 : buffer_len = mac_size;
318 :
319 160 : buffer_len += packet_blob.length;
320 160 : if (buffer_len < packet_blob.length) {
321 0 : return WERR_INVALID_PARAMETER;
322 : }
323 160 : buffer_len += tsig_blob.length;
324 160 : if (buffer_len < tsig_blob.length) {
325 0 : return WERR_INVALID_PARAMETER;
326 : }
327 :
328 160 : buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
329 160 : if (buffer == NULL) {
330 0 : return WERR_NOT_ENOUGH_MEMORY;
331 : }
332 :
333 160 : p = buffer;
334 :
335 : /*
336 : * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
337 : * that we're going to sign:
338 : * 1. MAC of request (if present)
339 : * 2. Outgoing packet
340 : * 3. TSIG record
341 : */
342 160 : if (mac_size > 0) {
343 69 : memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
344 69 : p += mac_size;
345 : }
346 :
347 160 : memcpy(p, packet_blob.data, packet_blob.length);
348 160 : p += packet_blob.length;
349 :
350 160 : memcpy(p, tsig_blob.data, tsig_blob.length);
351 :
352 160 : status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
353 : buffer, buffer_len, &sig);
354 160 : if (!NT_STATUS_IS_OK(status)) {
355 0 : return ntstatus_to_werror(status);
356 : }
357 :
358 160 : *_psig = sig;
359 160 : return WERR_OK;
360 : }
361 :
362 164 : WERROR dns_sign_tsig(struct dns_server *dns,
363 : TALLOC_CTX *mem_ctx,
364 : struct dns_request_state *state,
365 : struct dns_name_packet *packet,
366 : uint16_t error)
367 : {
368 0 : WERROR werror;
369 164 : time_t current_time = time(NULL);
370 164 : struct dns_res_rec *tsig = NULL;
371 164 : DATA_BLOB sig = (DATA_BLOB) {
372 : .data = NULL,
373 : .length = 0
374 : };
375 :
376 164 : tsig = talloc_zero(mem_ctx, struct dns_res_rec);
377 164 : if (tsig == NULL) {
378 0 : return WERR_NOT_ENOUGH_MEMORY;
379 : }
380 :
381 164 : if (state->tsig_error == DNS_RCODE_OK) {
382 160 : struct dns_server_tkey *tkey = dns_find_tkey(
383 160 : dns->tkeys, state->key_name);
384 160 : if (tkey == NULL) {
385 0 : DBG_WARNING("dns_find_tkey() => NULL)\n");
386 0 : return DNS_ERR(SERVER_FAILURE);
387 : }
388 :
389 160 : werror = dns_tsig_compute_mac(mem_ctx, state, packet,
390 : tkey, current_time, &sig);
391 160 : DBG_DEBUG("dns_tsig_compute_mac() => %s\n", win_errstr(werror));
392 160 : if (!W_ERROR_IS_OK(werror)) {
393 0 : return werror;
394 : }
395 : }
396 :
397 164 : tsig->name = talloc_strdup(tsig, state->key_name);
398 164 : if (tsig->name == NULL) {
399 0 : return WERR_NOT_ENOUGH_MEMORY;
400 : }
401 164 : tsig->rr_class = DNS_QCLASS_ANY;
402 164 : tsig->rr_type = DNS_QTYPE_TSIG;
403 164 : tsig->ttl = 0;
404 164 : tsig->length = UINT16_MAX;
405 164 : tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
406 164 : if (tsig->rdata.tsig_record.algorithm_name == NULL) {
407 0 : return WERR_NOT_ENOUGH_MEMORY;
408 : }
409 164 : tsig->rdata.tsig_record.time_prefix = 0;
410 164 : tsig->rdata.tsig_record.time = current_time;
411 164 : tsig->rdata.tsig_record.fudge = 300;
412 164 : tsig->rdata.tsig_record.error = state->tsig_error;
413 164 : tsig->rdata.tsig_record.original_id = packet->id;
414 164 : tsig->rdata.tsig_record.other_size = 0;
415 164 : tsig->rdata.tsig_record.other_data = NULL;
416 164 : if (sig.length > 0) {
417 160 : tsig->rdata.tsig_record.mac_size = sig.length;
418 160 : tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
419 160 : if (tsig->rdata.tsig_record.mac == NULL) {
420 0 : return WERR_NOT_ENOUGH_MEMORY;
421 : }
422 : }
423 :
424 164 : DBG_DEBUG("sig.length=%zu\n", sig.length);
425 :
426 164 : if (packet->arcount == 0) {
427 164 : packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
428 164 : if (packet->additional == NULL) {
429 0 : return WERR_NOT_ENOUGH_MEMORY;
430 : }
431 : }
432 164 : packet->additional = talloc_realloc(mem_ctx, packet->additional,
433 : struct dns_res_rec,
434 : packet->arcount + 1);
435 164 : if (packet->additional == NULL) {
436 0 : return WERR_NOT_ENOUGH_MEMORY;
437 : }
438 :
439 164 : werror = dns_copy_tsig(mem_ctx, tsig,
440 164 : &packet->additional[packet->arcount]);
441 164 : DBG_DEBUG("dns_copy_tsig() => %s\n", win_errstr(werror));
442 164 : if (!W_ERROR_IS_OK(werror)) {
443 0 : return werror;
444 : }
445 164 : packet->arcount++;
446 :
447 164 : return WERR_OK;
448 : }
|
