s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
authorStefan Metzmacher <metze@samba.org>
Thu, 30 May 2024 12:39:28 +0000 (14:39 +0200)
committerJule Anger <janger@samba.org>
Wed, 3 Jul 2024 08:48:12 +0000 (08:48 +0000)
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is the only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 76fec2668e73b9d15447abee551d5c04148aaf27)

selftest/knownfail.d/dns_tkey
source4/dns_server/dns_crypto.c

index 12c38d83b972140979ccae52be23b5b489a191fe..a88b7cf3e8c6c9961e435b23d84f5719b32020fd 100644 (file)
@@ -1,9 +1,3 @@
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_keyname.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_mac.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_algorithm.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm1.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_additional.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_windows.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_wo_tsig.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_record_access_denied.fl2008r2dc
index f9b3bd161c523bed79b1619e94d02f0762aa636c..d30e971508631ec6fec7aec55a60a9143e03cf49 100644 (file)
@@ -27,6 +27,7 @@
 #include "libcli/util/ntstatus.h"
 #include "auth/auth.h"
 #include "auth/gensec/gensec.h"
+#include "lib/util/bytearray.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_DNS
@@ -281,11 +282,19 @@ static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
        struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
                        struct dns_fake_tsig_rec);
        size_t mac_size = 0;
+       bool gss_tsig;
 
        if (check_rec == NULL) {
                return WERR_NOT_ENOUGH_MEMORY;
        }
 
+       if (strcmp(tkey->algorithm, "gss-tsig") == 0) {
+               gss_tsig = true;
+       } else {
+               /* gss.microsoft.com */
+               gss_tsig = false;
+       }
+
        /* first build and verify check packet */
        check_rec->name = talloc_strdup(check_rec, tkey->name);
        if (check_rec->name == NULL) {
@@ -325,6 +334,9 @@ static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
        }
 
        buffer_len = mac_size;
+       if (gss_tsig && mac_size > 0) {
+               buffer_len += 2;
+       }
 
        buffer_len += packet_blob.length;
        if (buffer_len < packet_blob.length) {
@@ -345,11 +357,21 @@ static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
        /*
         * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
         * that we're going to sign:
-        * 1. MAC of request (if present)
+        * 1. if MAC of request is present
+        *    - 16bit big endian length of MAC of request
+        *    - MAC of request
         * 2. Outgoing packet
         * 3. TSIG record
         */
        if (mac_size > 0) {
+               if (gss_tsig) {
+                       /*
+                        * only gss-tsig not with
+                        * gss.microsoft.com
+                        */
+                       PUSH_BE_U16(p, 0, mac_size);
+                       p += 2;
+               }
                memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
                p += mac_size;
        }
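Review bot: The gss_tsig flag in the `@@ -281,11 +282,19 @@` hunk is derived with a case-sensitive `strcmp(tkey->algorithm, "gss-tsig")`, but TSIG algorithm names are domain names and are compared case-insensitively, so a peer presenting `GSS-TSIG` would fall into the gss.microsoft.com branch, be signed without the length prefix, and fail MAC verification on its side; if the algorithm check elsewhere in this file accepts the name case-insensitively, this test should match it, `if (strcasecmp(tkey->algorithm, "gss-tsig") == 0) {`. The prefix written by `PUSH_BE_U16(p, 0, mac_size)` in the `@@ -345,11 +357,21 @@` hunk silently narrows a size_t to 16 bits; mac_size presumably originates from the 16-bit MAC Size field of the request TSIG record and so cannot exceed 65535, but a comment stating that, e.g. `/* mac_size comes from the 16-bit TSIG MAC Size field, so it fits a U16 */`, would make the narrowing safe by inspection rather than by inference. The outer RFC 2845 layout comment now lists the length prefix unconditionally while the code emits it only for gss-tsig; the inner comment covers this, but the outer one would be less misleading with `1. if MAC of request is present (length prefix only for gss-tsig)`. dns_tsig_compute_mac starts and ends outside these hunks.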