[SCM] Samba Shared Repository - branch master updated
Kai Blin
kai at samba.org
Wed Sep 5 06:11:02 MDT 2012
The branch, master has been updated
via 558fa4c s4 dns: Revert erroneous push from wrong branch
from 92bd7b0 s3:smb2_create: check for SMB2_CREATE_TAG_DHNC first
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 558fa4c45a87704c57893d61a5431fc8bb51385a
Author: Kai Blin <kai at samba.org>
Date: Wed Sep 5 11:07:55 2012 +0200
s4 dns: Revert erroneous push from wrong branch
I've pushed the wrong branch for this, sorry about that.
Autobuild-User(master): Kai Blin <kai at samba.org>
Autobuild-Date(master): Wed Sep 5 14:10:54 CEST 2012 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
librpc/idl/dns.idl | 14 --
source4/dns_server/dns_crypto.c | 359 --------------------------------------
source4/dns_server/dns_query.c | 110 ++++++------
source4/dns_server/dns_server.c | 23 ---
source4/dns_server/dns_server.h | 18 --
source4/dns_server/dns_update.c | 7 +-
source4/dns_server/dns_utils.c | 2 -
source4/dns_server/wscript_build | 2 +-
8 files changed, 60 insertions(+), 475 deletions(-)
delete mode 100644 source4/dns_server/dns_crypto.c
Changeset truncated at 500 lines:
diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index 984f2b3..a92c418 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -192,20 +192,6 @@ interface dns
uint8 other_data[other_size];
} dns_tsig_record;
- typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
- dns_string name;
- dns_qclass rr_class;
- uint32 ttl;
- dns_string algorithm_name;
- uint16 time_prefix; /* 0 until February 2106*/
- uint32 time;
- uint16 fudge;
- uint16 original_id;
- uint16 error;
- uint16 other_size;
- uint8 other_data[other_size];
- } dns_fake_tsig_rec;
-
typedef [nodiscriminant,public,flag(NDR_NOALIGN)] union {
[case(DNS_QTYPE_A)] ipv4address ipv4_record;
[case(DNS_QTYPE_NS)] dns_string ns_record;
diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c
deleted file mode 100644
index 7362adc..0000000
--- a/source4/dns_server/dns_crypto.c
+++ /dev/null
@@ -1,359 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- DNS server handler for signed packets
-
- Copyright (C) 2012 Kai Blin <kai at samba.org>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "lib/crypto/hmacmd5.h"
-#include "system/network.h"
-#include "librpc/ndr/libndr.h"
-#include "librpc/gen_ndr/ndr_dns.h"
-#include "dns_server/dns_server.h"
-#include "libcli/util/ntstatus.h"
-#include "auth/auth.h"
-#include "auth/gensec/gensec.h"
-
-static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
- struct dns_res_rec *old,
- struct dns_res_rec *new_rec)
-{
- new_rec->name = talloc_strdup(mem_ctx, old->name);
- W_ERROR_HAVE_NO_MEMORY(new_rec->name);
-
- new_rec->rr_type = old->rr_type;
- new_rec->rr_class = old->rr_class;
- new_rec->ttl = old->ttl;
- new_rec->length = old->length;
- new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
- old->rdata.tsig_record.algorithm_name);
- W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);
-
- new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
- new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
- new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
- new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
- new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
- old->rdata.tsig_record.mac,
- old->rdata.tsig_record.mac_size);
- W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);
-
- new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
- new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
- new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
- new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
- old->rdata.tsig_record.other_data,
- old->rdata.tsig_record.other_size);
- W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);
-
- return WERR_OK;
-}
-
-struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
- const char *name)
-{
- struct dns_server_tkey *tkey = NULL;
- uint16_t i = 0;
-
- do {
- struct dns_server_tkey *tmp_key = store->tkeys[i];
-
- i++;
- i %= TKEY_BUFFER_SIZE;
-
- if (tmp_key == NULL) {
- continue;
- }
- if (dns_name_equal(name, tmp_key->name)) {
- tkey = tmp_key;
- break;
- }
- } while (i != 0);
-
- return tkey;
-}
-
-WERROR dns_verify_tsig(struct dns_server *dns,
- TALLOC_CTX *mem_ctx,
- struct dns_request_state *state,
- struct dns_name_packet *packet,
- DATA_BLOB *in)
-{
- WERROR werror;
- NTSTATUS status;
- enum ndr_err_code ndr_err;
- bool found_tsig = false;
- uint16_t i, arcount = 0;
- DATA_BLOB tsig_blob, fake_tsig_blob, sig;
- uint8_t *buffer = NULL;
- size_t buffer_len = 0, packet_len = 0;
- struct dns_server_tkey *tkey = NULL;
- struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
- struct dns_fake_tsig_rec);
-
-
- /* Find the first TSIG record in the additional records */
- for (i=0; i < packet->arcount; i++) {
- if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
- found_tsig = true;
- break;
- }
- }
-
- if (!found_tsig) {
- return WERR_OK;
- }
-
- /* The TSIG record needs to be the last additional record */
- if (found_tsig && i + 1 != packet->arcount) {
- DEBUG(0, ("TSIG record not the last additional record!\n"));
- return DNS_ERR(FORMAT_ERROR);
- }
-
- /* We got a TSIG, so we need to sign our reply */
- state->sign = true;
-
- state->tsig = talloc_zero(mem_ctx, struct dns_res_rec);
- if (state->tsig == NULL) {
- return WERR_NOMEM;
- }
-
- werror = dns_copy_tsig(state->tsig, &packet->additional[i],
- state->tsig);
- if (!W_ERROR_IS_OK(werror)) {
- return werror;
- }
-
- packet->arcount--;
-
- tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
- if (tkey == NULL) {
- state->tsig_error = DNS_RCODE_BADKEY;
- return DNS_ERR(NOTAUTH);
- }
-
- /* FIXME: check TSIG here */
- if (check_rec == NULL) {
- return WERR_NOMEM;
- }
-
- /* first build and verify check packet */
- check_rec->name = talloc_strdup(check_rec, tkey->name);
- if (check_rec->name == NULL) {
- return WERR_NOMEM;
- }
- check_rec->rr_class = DNS_QCLASS_ANY;
- check_rec->ttl = 0;
- check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
- if (check_rec->algorithm_name == NULL) {
- return WERR_NOMEM;
- }
- check_rec->time_prefix = 0;
- check_rec->time = state->tsig->rdata.tsig_record.time;
- check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
- check_rec->error = 0;
- check_rec->other_size = 0;
- check_rec->other_data = NULL;
-
- ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
- (ndr_push_flags_fn_t)ndr_push_dns_res_rec);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(1, ("Failed to push packet: %s!\n",
- ndr_errstr(ndr_err)));
- return DNS_ERR(SERVER_FAILURE);
- }
-
- ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
- (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(1, ("Failed to push packet: %s!\n",
- ndr_errstr(ndr_err)));
- return DNS_ERR(SERVER_FAILURE);
- }
-
- /* we need to work some magic here. we need to keep the input packet
- * exactly like we got it, but we need to cut off the tsig record */
- packet_len = in->length - tsig_blob.length;
- buffer_len = packet_len + fake_tsig_blob.length;
- buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
- if (buffer == NULL) {
- return WERR_NOMEM;
- }
-
- memcpy(buffer, in->data, packet_len);
- memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);
-
- sig.length = state->tsig->rdata.tsig_record.mac_size;
- sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
- if (sig.data == NULL) {
- return WERR_NOMEM;
- }
-
- /*FIXME: Why is there too much padding? */
- buffer_len -= 2;
-
- /* Now we also need to count down the additional record counter */
- arcount = RSVAL(buffer, 10);
- RSSVAL(buffer, 10, arcount-1);
-
- status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
- buffer, buffer_len, &sig);
- if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
- return DNS_ERR(BADKEY);
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Verifying tsig failed: %s\n", nt_errstr(status)));
- return ntstatus_to_werror(status);
- }
-
- state->authenticated = true;
- state->key_name = talloc_strdup(mem_ctx, tkey->name);
- if (state->key_name == NULL) {
- return WERR_NOMEM;
- }
-
- return WERR_OK;
-}
-
-WERROR dns_sign_tsig(struct dns_server *dns,
- TALLOC_CTX *mem_ctx,
- struct dns_request_state *state,
- struct dns_name_packet *packet,
- uint16_t error)
-{
- WERROR werror;
- NTSTATUS status;
- enum ndr_err_code ndr_err;
- time_t current_time = time(NULL);
- DATA_BLOB packet_blob, tsig_blob, sig;
- uint8_t *buffer = NULL;
- size_t buffer_len = 0;
- struct dns_server_tkey * tkey = NULL;
- struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec);
-
- struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
- struct dns_fake_tsig_rec);
-
- if (tsig == NULL) {
- return WERR_NOMEM;
- }
-
- if (check_rec == NULL) {
- return WERR_NOMEM;
- }
-
- tkey = dns_find_tkey(dns->tkeys, state->key_name);
- if (tkey == NULL) {
- /* FIXME: read up on what to do when we can't find a key */
- return WERR_OK;
- }
-
- /* first build and verify check packet */
- check_rec->name = talloc_strdup(check_rec, tkey->name);
- if (check_rec->name == NULL) {
- return WERR_NOMEM;
- }
- check_rec->rr_class = DNS_QCLASS_ANY;
- check_rec->ttl = 0;
- check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
- if (check_rec->algorithm_name == NULL) {
- return WERR_NOMEM;
- }
- check_rec->time_prefix = 0;
- check_rec->time = current_time;
- check_rec->fudge = 300;
- check_rec->error = state->tsig_error;
- check_rec->other_size = 0;
- check_rec->other_data = NULL;
-
- ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
- (ndr_push_flags_fn_t)ndr_push_dns_name_packet);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(1, ("Failed to push packet: %s!\n",
- ndr_errstr(ndr_err)));
- return DNS_ERR(SERVER_FAILURE);
- }
-
- ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
- (ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(1, ("Failed to push packet: %s!\n",
- ndr_errstr(ndr_err)));
- return DNS_ERR(SERVER_FAILURE);
- }
-
- buffer_len = packet_blob.length + tsig_blob.length;
- buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
- if (buffer == NULL) {
- return WERR_NOMEM;
- }
-
- memcpy(buffer, packet_blob.data, packet_blob.length);
- memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length);
-
-
- status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
- buffer, buffer_len, &sig);
- if (!NT_STATUS_IS_OK(status)) {
- return ntstatus_to_werror(status);
- }
-
- tsig->name = talloc_strdup(tsig, check_rec->name);
- if (tsig->name == NULL) {
- return WERR_NOMEM;
- }
- tsig->rr_class = check_rec->rr_class;
- tsig->rr_type = DNS_QTYPE_TSIG;
- tsig->ttl = 0;
- tsig->length = UINT16_MAX;
- tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig,
- check_rec->algorithm_name);
- tsig->rdata.tsig_record.time_prefix = check_rec->time_prefix;
- tsig->rdata.tsig_record.time = check_rec->time;
- tsig->rdata.tsig_record.fudge = check_rec->fudge;
- tsig->rdata.tsig_record.error = state->tsig_error;
- tsig->rdata.tsig_record.original_id = packet->id;
- tsig->rdata.tsig_record.other_size = 0;
- tsig->rdata.tsig_record.other_data = NULL;
- tsig->rdata.tsig_record.mac_size = sig.length;
- tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
-
-
- if (packet->arcount == 0) {
- packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
- if (packet->additional == NULL) {
- return WERR_NOMEM;
- }
- }
- packet->additional = talloc_realloc(mem_ctx, packet->additional,
- struct dns_res_rec,
- packet->arcount + 1);
- if (packet->additional == NULL) {
- return WERR_NOMEM;
- }
-
- werror = dns_copy_tsig(mem_ctx, tsig,
- &packet->additional[packet->arcount]);
- if (!W_ERROR_IS_OK(werror)) {
- return werror;
- }
- packet->arcount++;
-
- return WERR_OK;
-}
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 98ebc63..530b7b2 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -320,9 +320,62 @@ static WERROR handle_question(struct dns_server *dns,
return WERR_OK;
}
+static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx,
+ struct dns_server *dns,
+ struct dns_server_tkey *tkey,
+ const DATA_BLOB *key,
+ DATA_BLOB *reply,
+ uint16_t *dns_auth_error)
+{
+ NTSTATUS status;
+
+ status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx,
+ *key, reply);
+
+ if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
+ *dns_auth_error = DNS_RCODE_OK;
+ return status;
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+
+ status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ *dns_auth_error = DNS_RCODE_BADKEY;
+ return status;
+ }
+ *dns_auth_error = DNS_RCODE_OK;
+ }
+
+ return status;
+}
+
+static struct dns_server_tkey *find_tkey(struct dns_server_tkey_store *store,
+ const char *name)
+{
+ struct dns_server_tkey *tkey = NULL;
+ uint16_t i = 0;
+
+ do {
+ struct dns_server_tkey *tmp_key = store->tkeys[i];
+
+ i++;
+ i %= TKEY_BUFFER_SIZE;
+
+ if (tmp_key == NULL) {
+ continue;
+ }
+ if (dns_name_equal(name, tmp_key->name)) {
+ tkey = tmp_key;
+ break;
+ }
+ } while (i != 0);
+
+ return tkey;
+}
+
static NTSTATUS create_tkey(struct dns_server *dns,
const char* name,
- const char* algorithm,
struct dns_server_tkey **tkey)
{
NTSTATUS status;
@@ -339,11 +392,6 @@ static NTSTATUS create_tkey(struct dns_server *dns,
return NT_STATUS_NO_MEMORY;
}
- k->algorithm = talloc_strdup(k, algorithm);
- if (k->algorithm == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
status = samba_server_gensec_start(k,
dns->task->event_ctx,
dns->task->msg_ctx,
@@ -380,40 +428,9 @@ static NTSTATUS create_tkey(struct dns_server *dns,
return NT_STATUS_OK;
}
-static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx,
- struct dns_server *dns,
- struct dns_server_tkey *tkey,
- const DATA_BLOB *key,
- DATA_BLOB *reply,
- uint16_t *dns_auth_error)
-{
- NTSTATUS status;
-
- status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx,
- *key, reply);
-
- if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) {
- *dns_auth_error = DNS_RCODE_OK;
- return status;
- }
-
- if (NT_STATUS_IS_OK(status)) {
-
- status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- *dns_auth_error = DNS_RCODE_BADKEY;
- return status;
- }
- *dns_auth_error = DNS_RCODE_OK;
- }
--
Samba Shared Repository
More information about the samba-cvs
mailing list