       1             : /*
       2             :    Unix SMB/CIFS implementation.
       3             : 
       4             :    DNS server handler for signed packets
       5             : 
       6             :    Copyright (C) 2012 Kai Blin  <kai@samba.org>
       7             : 
       8             :    This program is free software; you can redistribute it and/or modify
       9             :    it under the terms of the GNU General Public License as published by
      10             :    the Free Software Foundation; either version 3 of the License, or
      11             :    (at your option) any later version.
      12             : 
      13             :    This program is distributed in the hope that it will be useful,
      14             :    but WITHOUT ANY WARRANTY; without even the implied warranty of
      15             :    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      16             :    GNU General Public License for more details.
      17             : 
      18             :    You should have received a copy of the GNU General Public License
      19             :    along with this program.  If not, see <http://www.gnu.org/licenses/>.
      20             : */
      21             : 
      22             : #include "includes.h"
      23             : #include "system/network.h"
      24             : #include "librpc/ndr/libndr.h"
      25             : #include "librpc/gen_ndr/ndr_dns.h"
      26             : #include "dns_server/dns_server.h"
      27             : #include "libcli/util/ntstatus.h"
      28             : #include "auth/auth.h"
      29             : #include "auth/gensec/gensec.h"
      30             : 
      31             : #undef DBGC_CLASS
      32             : #define DBGC_CLASS DBGC_DNS
      33             : 
/*
 * Duplicate a TSIG resource record.
 *
 * All talloc-allocated members of the record (name, algorithm name,
 * MAC bytes, other data) are copied onto mem_ctx, so the duplicate can
 * outlive the packet the original was parsed from. Only the fields of
 * a TSIG record are transferred; new_rec's rdata is written as
 * rdata.tsig_record.
 *
 * The four duplications are made first and the destination is only
 * filled once all of them succeeded.
 *
 * Returns WERR_OK, or WERR_NOT_ENOUGH_MEMORY when any duplication fails.
 */
static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
			    struct dns_res_rec *old,
			    struct dns_res_rec *new_rec)
{
	char *name_copy = NULL;
	char *alg_copy = NULL;
	uint8_t *mac_copy = NULL;
	uint8_t *other_copy = NULL;

	name_copy = talloc_strdup(mem_ctx, old->name);
	W_ERROR_HAVE_NO_MEMORY(name_copy);

	alg_copy = talloc_strdup(mem_ctx,
				 old->rdata.tsig_record.algorithm_name);
	W_ERROR_HAVE_NO_MEMORY(alg_copy);

	mac_copy = talloc_memdup(mem_ctx,
				 old->rdata.tsig_record.mac,
				 old->rdata.tsig_record.mac_size);
	W_ERROR_HAVE_NO_MEMORY(mac_copy);

	other_copy = talloc_memdup(mem_ctx,
				   old->rdata.tsig_record.other_data,
				   old->rdata.tsig_record.other_size);
	W_ERROR_HAVE_NO_MEMORY(other_copy);

	/* Fixed-size header fields of the resource record. */
	new_rec->name = name_copy;
	new_rec->rr_type = old->rr_type;
	new_rec->rr_class = old->rr_class;
	new_rec->ttl = old->ttl;
	new_rec->length = old->length;

	/*
	 * Take over every scalar rdata field in one go, then swap the
	 * three pointer members for the private copies made above.
	 */
	new_rec->rdata.tsig_record = old->rdata.tsig_record;
	new_rec->rdata.tsig_record.algorithm_name = alg_copy;
	new_rec->rdata.tsig_record.mac = mac_copy;
	new_rec->rdata.tsig_record.other_data = other_copy;

	return WERR_OK;
}
      68             : 
/*
 * Look up a TSIG key by name in the server's fixed-size key ring.
 *
 * Each of the TKEY_BUFFER_SIZE slots of store->tkeys is inspected once,
 * starting at slot 0. Empty slots are skipped; the first key whose name
 * compares equal under dns_name_equal() is returned.
 *
 * Returns the matching key, or NULL when no slot holds that name.
 */
struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
				      const char *name)
{
	size_t slot;

	for (slot = 0; slot < TKEY_BUFFER_SIZE; slot++) {
		struct dns_server_tkey *candidate = store->tkeys[slot];

		if (candidate == NULL) {
			continue;
		}
		if (dns_name_equal(name, candidate->name)) {
			return candidate;
		}
	}

	return NULL;
}
      92             : 
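/*
 * Build the check record whose wire form is appended to the request
 * when recomputing the client's MAC: the TSIG variables of the request
 * as the server expects them (RFC 2845 3.4.2), with the key name and
 * algorithm taken from the server-side key rather than from the
 * request, and error/other-data left empty.
 *
 * The record and its strings are allocated on mem_ctx.
 *
 * Returns NULL on allocation failure.
 */
static struct dns_fake_tsig_rec *dns_verify_tsig_check_rec(
	TALLOC_CTX *mem_ctx,
	const struct dns_server_tkey *tkey,
	const struct dns_res_rec *request_tsig)
{
	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
				struct dns_fake_tsig_rec);
	if (check_rec == NULL) {
		return NULL;
	}

	check_rec->name = talloc_strdup(check_rec, tkey->name);
	if (check_rec->name == NULL) {
		talloc_free(check_rec);
		return NULL;
	}
	check_rec->rr_class = DNS_QCLASS_ANY;
	check_rec->ttl = 0;
	check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
	if (check_rec->algorithm_name == NULL) {
		talloc_free(check_rec);
		return NULL;
	}
	check_rec->time_prefix = 0;
	/* Time and fudge are echoed from the request; they are not validated. */
	check_rec->time = request_tsig->rdata.tsig_record.time;
	check_rec->fudge = request_tsig->rdata.tsig_record.fudge;
	check_rec->error = 0;
	check_rec->other_size = 0;
	check_rec->other_data = NULL;

	return check_rec;
}

/*
 * Verify the TSIG record (RFC 2845) on an incoming request, if any.
 *
 * WERR_OK is returned both when the request carries no TSIG and when the
 * TSIG verified; only in the second case is state->authenticated set.
 * Whenever a TSIG record is present, state->sign is set so the reply is
 * signed as well, a copy of the record is kept in state->tsig, and the
 * record is dropped from packet->additional by decrementing arcount.
 * An unknown key or a bad MAC returns DNS_ERR(NOTAUTH) with
 * state->tsig_error set to BADKEY or BADSIG, so the error reply still
 * carries a TSIG; malformed input returns DNS_ERR(FORMAT_ERROR).
 *
 * in must hold the exact bytes the request arrived with: the MAC is
 * recomputed over that data with the TSIG record cut off and the wire
 * additional count decremented, followed by the re-encoded TSIG
 * variables (RFC 2845 4.3).
 *
 * NOTE(review): the request's time/fudge window is not checked, so
 * BADTIME is never produced here.
 */
WERROR dns_verify_tsig(struct dns_server *dns,
		       TALLOC_CTX *mem_ctx,
		       struct dns_request_state *state,
		       struct dns_name_packet *packet,
		       DATA_BLOB *in)
{
	/* Fixed size of the DNS message header (RFC 1035 4.1.1). */
	const size_t dns_hdr_len = 12;
	WERROR werror;
	NTSTATUS status;
	enum ndr_err_code ndr_err;
	uint16_t i, arcount = 0;
	DATA_BLOB tsig_blob, fake_tsig_blob, sig;
	uint8_t *buffer = NULL;
	size_t buffer_len = 0, packet_len = 0;
	struct dns_server_tkey *tkey = NULL;
	struct dns_fake_tsig_rec *check_rec = NULL;

	/* Find the first TSIG record in the additional records */
	for (i = 0; i < packet->arcount; i++) {
		if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
			break;
		}
	}

	if (i == packet->arcount) {
		/* no TSIG around */
		return WERR_OK;
	}

	/* The TSIG record needs to be the last additional record */
	if (i + 1 != packet->arcount) {
		DEBUG(1, ("TSIG record not the last additional record!\n"));
		return DNS_ERR(FORMAT_ERROR);
	}

	/* We got a TSIG, so we need to sign our reply */
	state->sign = true;

	/* Keep the request TSIG around for signing the reply (RFC 2845 4.2). */
	state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
	if (state->tsig == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	werror = dns_copy_tsig(state->tsig, &packet->additional[i],
			       state->tsig);
	if (!W_ERROR_IS_OK(werror)) {
		return werror;
	}

	/* The TSIG is not part of the answer's data; drop it from the packet. */
	packet->arcount--;

	tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
	if (tkey == NULL) {
		/*
		 * We must save the name for use in the TSIG error
		 * response and have no choice here but to save the
		 * keyname from the TSIG request.
		 */
		state->key_name = talloc_strdup(state->mem_ctx,
						state->tsig->name);
		if (state->key_name == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
		state->tsig_error = DNS_RCODE_BADKEY;
		return DNS_ERR(NOTAUTH);
	}

	/*
	 * Remember the keyname that found an existing tkey, used
	 * later to fetch the key with dns_find_tkey() when signing
	 * and adding a TSIG record with MAC.
	 */
	state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
	if (state->key_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* Build the TSIG variables the client is expected to have signed. */
	check_rec = dns_verify_tsig_check_rec(mem_ctx, tkey, state->tsig);
	if (check_rec == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* Re-encode the request TSIG to learn how much to cut off the wire data. */
	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
		(ndr_push_flags_fn_t)ndr_push_dns_res_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	/*
	 * The MAC covers the request exactly as it arrived, minus the
	 * TSIG record. The cut-off point is derived from the length of
	 * the re-encoded record, which only matches the wire record
	 * when the client encoded it the same way (a compressed name in
	 * the request's TSIG would shift it — presumably rare, and such
	 * a request fails the MAC check below). Both lengths come from
	 * the client, so refuse anything that would wrap the size_t
	 * subtraction or leave less than a DNS header, instead of
	 * feeding a wrapped length to memcpy(); the wire arcount is
	 * patched at offset 10 further down and needs the header.
	 */
	if (tsig_blob.length > in->length ||
	    in->length - tsig_blob.length < dns_hdr_len) {
		DEBUG(1, ("TSIG record does not fit the request!\n"));
		return DNS_ERR(FORMAT_ERROR);
	}
	packet_len = in->length - tsig_blob.length;

	buffer_len = packet_len + fake_tsig_blob.length;
	if (buffer_len < packet_len) {
		return WERR_INVALID_PARAMETER;
	}
	buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
	if (buffer == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	memcpy(buffer, in->data, packet_len);
	memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);

	sig.length = state->tsig->rdata.tsig_record.mac_size;
	sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
	if (sig.data == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/*
	 * The client signed the message before appending the TSIG, so
	 * the wire additional count has to be decremented as well.
	 */
	arcount = RSVAL(buffer, 10);
	RSSVAL(buffer, 10, arcount-1);

	status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
				    buffer, buffer_len, &sig);
	if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
		/* MAC mismatch: answer with a signed BADSIG error. */
		state->tsig_error = DNS_RCODE_BADSIG;
		return DNS_ERR(NOTAUTH);
	}

	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
		return ntstatus_to_werror(status);
	}

	state->authenticated = true;

	return WERR_OK;
}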
     248             : 
/*
 * Compute the MAC for the reply in packet with the key tkey.
 *
 * RFC 2845 "4.2 TSIG on Answers" fixes the data to be signed as:
 *   1. the MAC of the request (only when the request carried a TSIG,
 *      i.e. state->tsig is set),
 *   2. the outgoing packet,
 *   3. the TSIG variables of the reply (time, fudge, error, ...).
 * The three parts are laid out back to back in one buffer and passed
 * to gensec_sign_packet(); the resulting signature, allocated on
 * mem_ctx, is handed back in *_psig.
 *
 * The variables signed here must match the TSIG record dns_sign_tsig()
 * later puts on the wire (same time, fudge of 300, error code, no
 * other data).
 *
 * Returns WERR_OK on success, WERR_NOT_ENOUGH_MEMORY,
 * DNS_ERR(SERVER_FAILURE) when encoding fails, WERR_INVALID_PARAMETER
 * when the combined length would overflow, or the mapped NTSTATUS of a
 * failed signing call.
 */
static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
				   struct dns_request_state *state,
				   struct dns_name_packet *packet,
				   struct dns_server_tkey *tkey,
				   time_t current_time,
				   DATA_BLOB *_psig)
{
	NTSTATUS status;
	enum ndr_err_code ndr_err;
	DATA_BLOB packet_blob, tsig_blob, sig;
	uint8_t *signed_data = NULL;
	size_t signed_len = 0;
	size_t offset = 0;
	size_t request_mac_len = 0;
	char *key_name = NULL;
	char *alg_name = NULL;
	struct dns_fake_tsig_rec *check_rec = NULL;

	check_rec = talloc_zero(mem_ctx, struct dns_fake_tsig_rec);
	if (check_rec == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	key_name = talloc_strdup(check_rec, tkey->name);
	if (key_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	alg_name = talloc_strdup(check_rec, tkey->algorithm);
	if (alg_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* TSIG variables of the reply (RFC 2845 3.4.2). */
	*check_rec = (struct dns_fake_tsig_rec) {
		.name = key_name,
		.rr_class = DNS_QCLASS_ANY,
		.ttl = 0,
		.algorithm_name = alg_name,
		.time_prefix = 0,
		.time = current_time,
		.fudge = 300,
		.error = state->tsig_error,
		.other_size = 0,
		.other_data = NULL,
	};

	ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
		(ndr_push_flags_fn_t)ndr_push_dns_name_packet);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	/* Part 1 only exists when the request itself was signed. */
	if (state->tsig != NULL) {
		request_mac_len = state->tsig->rdata.tsig_record.mac_size;
	}

	/* Add the three part sizes, refusing any size_t wrap-around. */
	signed_len = request_mac_len + packet_blob.length;
	if (signed_len < packet_blob.length) {
		return WERR_INVALID_PARAMETER;
	}
	signed_len += tsig_blob.length;
	if (signed_len < tsig_blob.length) {
		return WERR_INVALID_PARAMETER;
	}

	signed_data = talloc_zero_array(mem_ctx, uint8_t, signed_len);
	if (signed_data == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* 1. MAC of request (if present) */
	if (request_mac_len > 0) {
		memcpy(signed_data, state->tsig->rdata.tsig_record.mac,
		       request_mac_len);
		offset = request_mac_len;
	}

	/* 2. Outgoing packet */
	memcpy(signed_data + offset, packet_blob.data, packet_blob.length);
	offset += packet_blob.length;

	/* 3. TSIG record */
	memcpy(signed_data + offset, tsig_blob.data, tsig_blob.length);

	status = gensec_sign_packet(tkey->gensec, mem_ctx,
				    signed_data, signed_len,
				    signed_data, signed_len, &sig);
	if (!NT_STATUS_IS_OK(status)) {
		return ntstatus_to_werror(status);
	}

	*_psig = sig;
	return WERR_OK;
}
     352             : 
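/*
 * Append a TSIG record to the reply in packet (RFC 2845 4.2).
 *
 * The key is looked up by state->key_name as recorded by
 * dns_verify_tsig(). When state->tsig_error is DNS_RCODE_OK a MAC is
 * computed over the reply with dns_tsig_compute_mac(); otherwise (BADKEY
 * / BADSIG replies) the record carries the error code and no MAC. The
 * record is placed as the last entry of packet->additional and
 * packet->arcount is incremented.
 *
 * The error parameter is part of the exported signature but not used;
 * the error code put on the wire is state->tsig_error.
 *
 * Returns WERR_OK, WERR_NOT_ENOUGH_MEMORY, WERR_INVALID_PARAMETER when
 * the 16-bit additional count is already at its maximum,
 * DNS_ERR(SERVER_FAILURE) when the key can no longer be found, or the
 * error of dns_tsig_compute_mac() / dns_copy_tsig().
 */
WERROR dns_sign_tsig(struct dns_server *dns,
		     TALLOC_CTX *mem_ctx,
		     struct dns_request_state *state,
		     struct dns_name_packet *packet,
		     uint16_t error)
{
	WERROR werror;
	time_t current_time = time(NULL);
	struct dns_res_rec *tsig = NULL;
	struct dns_res_rec *grown = NULL;
	DATA_BLOB sig = (DATA_BLOB) {
		.data = NULL,
		.length = 0
	};

	/* arcount is a 16-bit wire field; one more record must still fit. */
	if (packet->arcount == UINT16_MAX) {
		return WERR_INVALID_PARAMETER;
	}

	tsig = talloc_zero(mem_ctx, struct dns_res_rec);
	if (tsig == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	if (state->tsig_error == DNS_RCODE_OK) {
		struct dns_server_tkey *tkey = dns_find_tkey(
			dns->tkeys, state->key_name);
		if (tkey == NULL) {
			return DNS_ERR(SERVER_FAILURE);
		}

		werror = dns_tsig_compute_mac(mem_ctx, state, packet,
					      tkey, current_time, &sig);
		if (!W_ERROR_IS_OK(werror)) {
			return werror;
		}
	}

	tsig->name = talloc_strdup(tsig, state->key_name);
	if (tsig->name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	tsig->rr_class = DNS_QCLASS_ANY;
	tsig->rr_type = DNS_QTYPE_TSIG;
	tsig->ttl = 0;
	/* NOTE(review): presumably a "compute on push" marker — confirm in the NDR code. */
	tsig->length = UINT16_MAX;
	/*
	 * NOTE(review): the algorithm name is fixed while the MAC is made
	 * with tkey->algorithm; this only agrees when the key store holds
	 * gss-tsig keys only — confirm.
	 */
	tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, "gss-tsig");
	if (tsig->rdata.tsig_record.algorithm_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	tsig->rdata.tsig_record.time_prefix = 0;
	/* time, fudge and error must equal what dns_tsig_compute_mac() signed. */
	tsig->rdata.tsig_record.time = current_time;
	tsig->rdata.tsig_record.fudge = 300;
	tsig->rdata.tsig_record.error = state->tsig_error;
	tsig->rdata.tsig_record.original_id = packet->id;
	tsig->rdata.tsig_record.other_size = 0;
	tsig->rdata.tsig_record.other_data = NULL;
	if (sig.length > 0) {
		tsig->rdata.tsig_record.mac_size = sig.length;
		tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
		if (tsig->rdata.tsig_record.mac == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
	}

	if (packet->arcount == 0) {
		/*
		 * Start from a fresh array instead of growing whatever the
		 * parser left in packet->additional (presumably so the
		 * reply does not keep pointing into the request's records).
		 */
		packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
		if (packet->additional == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
	}
	/*
	 * Grow via a temporary: on failure talloc_realloc() leaves the
	 * old array intact, and packet->additional must keep matching
	 * packet->arcount for whoever inspects the packet afterwards.
	 */
	grown = talloc_realloc(mem_ctx, packet->additional,
			       struct dns_res_rec,
			       packet->arcount + 1);
	if (grown == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	packet->additional = grown;

	werror = dns_copy_tsig(mem_ctx, tsig,
			       &packet->additional[packet->arcount]);
	if (!W_ERROR_IS_OK(werror)) {
		return werror;
	}
	packet->arcount++;

	return WERR_OK;
}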
