source4/dns_server/dns_crypto.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    DNS server handler for signed packets
   5
   6    Copyright (C) 2012 Kai Blin  <kai@samba.org>
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "system/network.h"
  24 #include "librpc/ndr/libndr.h"
  25 #include "librpc/gen_ndr/ndr_dns.h"
  26 #include "dns_server/dns_server.h"
  27 #include "libcli/util/ntstatus.h"
  28 #include "auth/auth.h"
  29 #include "auth/gensec/gensec.h"
  30
  31 #undef DBGC_CLASS
  32 #define DBGC_CLASS DBGC_DNS
  33
  34 static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
  35                             struct dns_res_rec *old,
  36                             struct dns_res_rec *new_rec)
  37 {
  38         new_rec->name = talloc_strdup(mem_ctx, old->name);
  39         W_ERROR_HAVE_NO_MEMORY(new_rec->name);
  40
  41         new_rec->rr_type = old->rr_type;
  42         new_rec->rr_class = old->rr_class;
  43         new_rec->ttl = old->ttl;
  44         new_rec->length = old->length;
  45         new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
  46                                 old->rdata.tsig_record.algorithm_name);
  47         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
  48
  49         new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
  50         new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
  51         new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
  52         new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
  53         new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
  54                                         old->rdata.tsig_record.mac,
  55                                         old->rdata.tsig_record.mac_size);
  56         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
  57
  58         new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
  59         new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
  60         new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
  61         new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
  62                                         old->rdata.tsig_record.other_data,
  63                                         old->rdata.tsig_record.other_size);
  64         W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
  65
  66         return WERR_OK;
  67 }
  68
  69 struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
  70                                       const char *name)
  71 {
  72         struct dns_server_tkey *tkey = NULL;
  73         uint16_t i = 0;
  74
  75         do {
  76                 struct dns_server_tkey *tmp_key = store->tkeys[i];
  77
  78                 i++;
  79                 i %= TKEY_BUFFER_SIZE;
  80
  81                 if (tmp_key == NULL) {
  82                         continue;
  83                 }
  84                 if (samba_dns_name_equal(name, tmp_key->name)) {
  85                         tkey = tmp_key;
  86                         break;
  87                 }
  88         } while (i != 0);
  89
  90         return tkey;
  91 }
  92
  93 WERROR dns_verify_tsig(struct dns_server *dns,
  94                        TALLOC_CTX *mem_ctx,
  95                        struct dns_request_state *state,
  96                        struct dns_name_packet *packet,
  97                        DATA_BLOB *in)
  98 {
  99         WERROR werror;
 100         NTSTATUS status;
 101         enum ndr_err_code ndr_err;
 102         uint16_t i, arcount = 0;
 103         DATA_BLOB tsig_blob, fake_tsig_blob, sig;
 104         uint8_t *buffer = NULL;
 105         size_t buffer_len = 0, packet_len = 0;
 106         struct dns_server_tkey *tkey = NULL;
 107         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 108                         struct dns_fake_tsig_rec);
 109
 110
 111         /* Find the first TSIG record in the additional records */
 112         for (i=0; i < packet->arcount; i++) {
 113                 if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
 114                         break;
 115                 }
 116         }
 117
 118         if (i == packet->arcount) {
 119                 /* no TSIG around */
 120                 return WERR_OK;
 121         }
 122
 123         /* The TSIG record needs to be the last additional record */
 124         if (i + 1 != packet->arcount) {
 125                 DEBUG(1, ("TSIG record not the last additional record!\n"));
 126                 return DNS_ERR(FORMAT_ERROR);
 127         }
 128
 129         /* We got a TSIG, so we need to sign our reply */
 130         state->sign = true;
 131         DBG_DEBUG("Got TSIG\n");
 132
 133         state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
 134         if (state->tsig == NULL) {
 135                 return WERR_NOT_ENOUGH_MEMORY;
 136         }
 137
 138         werror = dns_copy_tsig(state->tsig, &packet->additional[i],
 139                                state->tsig);
 140         if (!W_ERROR_IS_OK(werror)) {
 141                 return werror;
 142         }
 143
 144         packet->arcount--;
 145
 146         tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
 147         if (tkey == NULL) {
 148                 DBG_DEBUG("dns_find_tkey() => NOTAUTH / DNS_RCODE_BADKEY\n");
 149                 /*
 150                  * We must save the name for use in the TSIG error
 151                  * response and have no choice here but to save the
 152                  * keyname from the TSIG request.
 153                  */
 154                 state->key_name = talloc_strdup(state->mem_ctx,
 155                                                 state->tsig->name);
 156                 if (state->key_name == NULL) {
 157                         return WERR_NOT_ENOUGH_MEMORY;
 158                 }
 159                 state->tsig_error = DNS_RCODE_BADKEY;
 160                 return DNS_ERR(NOTAUTH);
 161         }
 162         DBG_DEBUG("dns_find_tkey() => found\n");
 163
 164         /*
 165          * Remember the keyname that found an existing tkey, used
 166          * later to fetch the key with dns_find_tkey() when signing
 167          * and adding a TSIG record with MAC.
 168          */
 169         state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
 170         if (state->key_name == NULL) {
 171                 return WERR_NOT_ENOUGH_MEMORY;
 172         }
 173
 174         /* FIXME: check TSIG here */
 175         if (check_rec == NULL) {
 176                 return WERR_NOT_ENOUGH_MEMORY;
 177         }
 178
 179         /* first build and verify check packet */
 180         check_rec->name = talloc_strdup(check_rec, tkey->name);
 181         if (check_rec->name == NULL) {
 182                 return WERR_NOT_ENOUGH_MEMORY;
 183         }
 184         check_rec->rr_class = DNS_QCLASS_ANY;
 185         check_rec->ttl = 0;
 186         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
 187         if (check_rec->algorithm_name == NULL) {
 188                 return WERR_NOT_ENOUGH_MEMORY;
 189         }
 190         check_rec->time_prefix = 0;
 191         check_rec->time = state->tsig->rdata.tsig_record.time;
 192         check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
 193         check_rec->error = 0;
 194         check_rec->other_size = 0;
 195         check_rec->other_data = NULL;
 196
 197         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
 198                 (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
 199         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 200                 DEBUG(1, ("Failed to push packet: %s!\n",
 201                           ndr_errstr(ndr_err)));
 202                 return DNS_ERR(SERVER_FAILURE);
 203         }
 204
 205         ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
 206                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
 207         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 208                 DEBUG(1, ("Failed to push packet: %s!\n",
 209                           ndr_errstr(ndr_err)));
 210                 return DNS_ERR(SERVER_FAILURE);
 211         }
 212
 213         /* we need to work some magic here. we need to keep the input packet
 214          * exactly like we got it, but we need to cut off the tsig record */
 215         packet_len = in->length - tsig_blob.length;
 216         buffer_len = packet_len + fake_tsig_blob.length;
 217         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
 218         if (buffer == NULL) {
 219                 return WERR_NOT_ENOUGH_MEMORY;
 220         }
 221
 222         memcpy(buffer, in->data, packet_len);
 223         memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
 224
 225         sig.length = state->tsig->rdata.tsig_record.mac_size;
 226         sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
 227         if (sig.data == NULL) {
 228                 return WERR_NOT_ENOUGH_MEMORY;
 229         }
 230
 231         /* Now we also need to count down the additional record counter */
 232         arcount = RSVAL(buffer, 10);
 233         RSSVAL(buffer, 10, arcount-1);
 234
 235         status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
 236                                     buffer, buffer_len, &sig);
 237         if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
 238                 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
 239                 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
 240                 DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
 241                 state->tsig_error = DNS_RCODE_BADSIG;
 242                 return DNS_ERR(NOTAUTH);
 243         }
 244
 245         if (!NT_STATUS_IS_OK(status)) {
 246                 dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
 247                 dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
 248                 DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
 249                 return ntstatus_to_werror(status);
 250         }
 251
 252         state->authenticated = true;
 253
 254         DBG_DEBUG("AUTHENTICATED\n");
 255         return WERR_OK;
 256 }
 257
 258 static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
 259                                    struct dns_request_state *state,
 260                                    struct dns_name_packet *packet,
 261                                    struct dns_server_tkey *tkey,
 262                                    time_t current_time,
 263                                    DATA_BLOB *_psig)
 264 {
 265         NTSTATUS status;
 266         enum ndr_err_code ndr_err;
 267         DATA_BLOB packet_blob, tsig_blob, sig;
 268         uint8_t *buffer = NULL;
 269         uint8_t *p = NULL;
 270         size_t buffer_len = 0;
 271         struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
 272                         struct dns_fake_tsig_rec);
 273         size_t mac_size = 0;
 274
 275         if (check_rec == NULL) {
 276                 return WERR_NOT_ENOUGH_MEMORY;
 277         }
 278
 279         /* first build and verify check packet */
 280         check_rec->name = talloc_strdup(check_rec, tkey->name);
 281         if (check_rec->name == NULL) {
 282                 return WERR_NOT_ENOUGH_MEMORY;
 283         }
 284         check_rec->rr_class = DNS_QCLASS_ANY;
 285         check_rec->ttl = 0;
 286         check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
 287         if (check_rec->algorithm_name == NULL) {
 288                 return WERR_NOT_ENOUGH_MEMORY;
 289         }
 290         check_rec->time_prefix = 0;
 291         check_rec->time = current_time;
 292         check_rec->fudge = 300;
 293         check_rec->error = state->tsig_error;
 294         check_rec->other_size = 0;
 295         check_rec->other_data = NULL;
 296
 297         ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
 298                 (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
 299         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 300                 DEBUG(1, ("Failed to push packet: %s!\n",
 301                           ndr_errstr(ndr_err)));
 302                 return DNS_ERR(SERVER_FAILURE);
 303         }
 304
 305         ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
 306                 (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
 307         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 308                 DEBUG(1, ("Failed to push packet: %s!\n",
 309                           ndr_errstr(ndr_err)));
 310                 return DNS_ERR(SERVER_FAILURE);
 311         }
 312
 313         if (state->tsig != NULL) {
 314                 mac_size = state->tsig->rdata.tsig_record.mac_size;
 315         }
 316
 317         buffer_len = mac_size;
 318
 319         buffer_len += packet_blob.length;
 320         if (buffer_len < packet_blob.length) {
 321                 return WERR_INVALID_PARAMETER;
 322         }
 323         buffer_len += tsig_blob.length;
 324         if (buffer_len < tsig_blob.length) {
 325                 return WERR_INVALID_PARAMETER;
 326         }
 327
 328         buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
 329         if (buffer == NULL) {
 330                 return WERR_NOT_ENOUGH_MEMORY;
 331         }
 332
 333         p = buffer;
 334
 335         /*
 336          * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
 337          * that we're going to sign:
 338          * 1. MAC of request (if present)
 339          * 2. Outgoing packet
 340          * 3. TSIG record
 341          */
 342         if (mac_size > 0) {
 343                 memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
 344                 p += mac_size;
 345         }
 346
 347         memcpy(p, packet_blob.data, packet_blob.length);
 348         p += packet_blob.length;
 349
 350         memcpy(p, tsig_blob.data, tsig_blob.length);
 351
 352         status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
 353                                     buffer, buffer_len, &sig);
 354         if (!NT_STATUS_IS_OK(status)) {
 355                 return ntstatus_to_werror(status);
 356         }
 357
 358         *_psig = sig;
 359         return WERR_OK;
 360 }
 361
 362 WERROR dns_sign_tsig(struct dns_server *dns,
 363                      TALLOC_CTX *mem_ctx,
 364                      struct dns_request_state *state,
 365                      struct dns_name_packet *packet,
 366                      uint16_t error)
 367 {
 368         WERROR werror;
 369         time_t current_time = time(NULL);
 370         struct dns_res_rec *tsig = NULL;
 371         DATA_BLOB sig = (DATA_BLOB) {
 372                 .data = NULL,
 373                 .length = 0
 374         };
 375
 376         tsig = talloc_zero(mem_ctx, struct dns_res_rec);
 377         if (tsig == NULL) {
 378                 return WERR_NOT_ENOUGH_MEMORY;
 379         }
 380
 381         if (state->tsig_error == DNS_RCODE_OK) {
 382                 struct dns_server_tkey *tkey = dns_find_tkey(
 383                         dns->tkeys, state->key_name);
 384                 if (tkey == NULL) {
 385                         DBG_WARNING("dns_find_tkey() => NULL)\n");
 386                         return DNS_ERR(SERVER_FAILURE);
 387                 }
 388
 389                 werror = dns_tsig_compute_mac(mem_ctx, state, packet,
 390                                               tkey, current_time, &sig);
 391                 DBG_DEBUG("dns_tsig_compute_mac() => %s\n", win_errstr(werror));
 392                 if (!W_ERROR_IS_OK(werror)) {
 393                         return werror;
 394                 }
 395         }
 396
 397         tsig->name = talloc_strdup(tsig, state->key_name);
 398         if (tsig->name == NULL) {
 399                 return WERR_NOT_ENOUGH_MEMORY;
 400         }
 401         tsig->rr_class = DNS_QCLASS_ANY;
 402         tsig->rr_type = DNS_QTYPE_TSIG;
 403         tsig->ttl = 0;
 404         tsig->length = UINT16_MAX;
 405         tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
 406         if (tsig->rdata.tsig_record.algorithm_name == NULL) {
 407                 return WERR_NOT_ENOUGH_MEMORY;
 408         }
 409         tsig->rdata.tsig_record.time_prefix = 0;
 410         tsig->rdata.tsig_record.time = current_time;
 411         tsig->rdata.tsig_record.fudge = 300;
 412         tsig->rdata.tsig_record.error = state->tsig_error;
 413         tsig->rdata.tsig_record.original_id = packet->id;
 414         tsig->rdata.tsig_record.other_size = 0;
 415         tsig->rdata.tsig_record.other_data = NULL;
 416         if (sig.length > 0) {
 417                 tsig->rdata.tsig_record.mac_size = sig.length;
 418                 tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
 419                 if (tsig->rdata.tsig_record.mac == NULL) {
 420                         return WERR_NOT_ENOUGH_MEMORY;
 421                 }
 422         }
 423
 424         DBG_DEBUG("sig.length=%zu\n", sig.length);
 425
 426         if (packet->arcount == 0) {
 427                 packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
 428                 if (packet->additional == NULL) {
 429                         return WERR_NOT_ENOUGH_MEMORY;
 430                 }
 431         }
 432         packet->additional = talloc_realloc(mem_ctx, packet->additional,
 433                                             struct dns_res_rec,
 434                                             packet->arcount + 1);
 435         if (packet->additional == NULL) {
 436                 return WERR_NOT_ENOUGH_MEMORY;
 437         }
 438
 439         werror = dns_copy_tsig(mem_ctx, tsig,
 440                                &packet->additional[packet->arcount]);
 441         DBG_DEBUG("dns_copy_tsig() => %s\n", win_errstr(werror));
 442         if (!W_ERROR_IS_OK(werror)) {
 443                 return werror;
 444         }
 445         packet->arcount++;
 446
 447         return WERR_OK;
 448 }