client-side gss-tsig packet

Dimitris Gravanis dimgrav at
Thu Jul 20 18:30:37 UTC 2017


I followed Stefan's steps below:

Basically the signature generation needs to use the original
dns packet and:
- remove the bytes from dns_tsig_record
- count down the arcount field in the buffer
- construct a blob using dns_fake_tsig_rec and append that
- pass the constructed buffer to gensec_sign_packet()
- rebuild the dns packet buffer with the signature (MAC) field of
   dns_tsig_record filled with the signature from gensec_sign_packet().

I came up with what you can see in the attached files client_crypto.c 
and libcli_crypto.h.

I think I've used tsocket, tevent, talloc and gensec correctly, based 
everything on PIDL, dns_server/dns_crypto.c, as well as all pre-existing 
work in libcli/dns and every relevant lib in Samba that I could find 
(the online guide 
for internals helped a lot as well).

I'll be writing a test to check my code, but I'd need your feedback 
first, in case there's something immensely wrong that has to be fixed 
right away.

You can always check the project's temporary GitHub repo 
<> for every update I make daily.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: client_crypto.c
Type: text/x-csrc
Size: 6344 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libcli_crypto.h
Type: text/x-chdr
Size: 2675 bytes
Desc: not available
URL: <>
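As an added, stand-alone C sketch of steps 1 to 4 from Stefan's list (this is not the attached client_crypto.c and not Samba code): the DNS packet and the TSIG-variables blob are constructed samples, gensec_sign_packet() is replaced by an FNV-1a stand-in labelled as such, and the final rebuild of the packet with the MAC is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for gensec_sign_packet(): FNV-1a over the buffer, so the example
 * runs offline. Real GSS-TSIG takes the MAC from the Kerberos context. */
static uint64_t fake_sign(const uint8_t *buf, size_t len)
{
	uint64_t h = 1469598103934665603ULL;
	for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
	return h;
}

/* Steps 1-4: copy the packet without its trailing TSIG record (which starts
 * at tsig_off), decrement arcount, append the TSIG-variables blob (what
 * dns_fake_tsig_rec would marshal) and sign. Returns bytes signed, 0 on error. */
size_t tsig_sign_data(const uint8_t *pkt, size_t pkt_len, size_t tsig_off,
		      const uint8_t *vars, size_t vars_len,
		      uint8_t *out, size_t out_cap, uint64_t *mac)
{
	if (pkt_len < 12 || tsig_off < 12 || tsig_off > pkt_len) return 0;
	uint16_t arcount = (uint16_t)((pkt[10] << 8) | pkt[11]);
	if (arcount == 0 || tsig_off + vars_len > out_cap) return 0;
	memcpy(out, pkt, tsig_off);                  /* drop dns_tsig_record */
	arcount--;                                   /* count down arcount */
	out[10] = (uint8_t)(arcount >> 8);
	out[11] = (uint8_t)(arcount & 0xff);
	memcpy(out + tsig_off, vars, vars_len);      /* append fake TSIG rec */
	*mac = fake_sign(out, tsig_off + vars_len);  /* sign the blob */
	return tsig_off + vars_len;
}
/* Constructed sample: header with arcount=1, question "a. IN A" (7 bytes,
 * so the TSIG record starts at offset 19), then 10 placeholder TSIG bytes. */
static const uint8_t sample_pkt[] = {
	0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,
	0x01,'a',0x00, 0x00,0x01, 0x00,0x01,
	0xaa,0xbb,0xcc,0xdd,0xee,0xff,0x11,0x22,0x33,0x44
};
/* Constructed TSIG variables (RFC 2845 3.4.2): key name "k.", class ANY,
 * TTL 0, algorithm "gss-tsig.", time signed, fudge 300, error 0, other len 0. */
static const uint8_t sample_vars[] = {
	0x01,'k',0x00, 0x00,0xff, 0x00,0x00,0x00,0x00,
	0x08,'g','s','s','-','t','s','i','g',0x00,
	0x00,0x00,0x00,0x00,0x00,0x00, 0x01,0x2c, 0x00,0x00, 0x00,0x00
};
size_t demo_sign(uint8_t *out, size_t out_cap, uint64_t *mac)
{
	return tsig_sign_data(sample_pkt, sizeof sample_pkt, 19,
			      sample_vars, sizeof sample_vars, out, out_cap, mac);
}
```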