From: Volker Lendecke Date: Sat, 13 Jun 2026 08:59:08 +0000 (+0200) Subject: net: Move dns_negotiate_sec_ctx() into its only caller X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2b7a6250aac870d863d4c18de6ddec579d86c7c;p=thirdparty%2Fsamba.git net: Move dns_negotiate_sec_ctx() into its only caller Now that it's converted to NDR-generated structures and uses dns_cli_request() from toplevel libcli/dns, dns_negotiate_sec_ctx() does not have to live in lib/addns anymore. If we were to make this more generally available, it would move together with DoDNSUpdateNegotiateGensec() or even DoDNSUpdate(). Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher --- diff --git a/lib/addns/dns.h b/lib/addns/dns.h index bff10db800b..457b7b38a22 100644 --- a/lib/addns/dns.h +++ b/lib/addns/dns.h @@ -185,13 +185,4 @@ struct dns_update_request *dns_request2update(struct dns_request *request); uint16_t dns_response_code(uint16_t flags); const char *dns_errstr(DNS_ERROR err); -/* from dnsgss.c */ - -struct gensec_security; - -DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress, - const char *keyname, - struct gensec_security *gensec, - enum dns_ServerType srv_type); - #endif /* _DNS_H */ diff --git a/lib/addns/dnsgss.c b/lib/addns/dnsgss.c deleted file mode 100644 index 07714aad908..00000000000 --- a/lib/addns/dnsgss.c +++ /dev/null @@ -1,145 +0,0 @@ -/* - Public Interface file for Linux DNS client library implementation - - Copyright (C) 2006 Krishna Ganugapati - Copyright (C) 2006 Gerald Carter - - ** NOTE! The following LGPL license applies to the libaddns - ** library. This does NOT imply that all of Samba is released - ** under the LGPL - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see . -*/ - -#include "replace.h" -#include -#include "lib/util/talloc_stack.h" -#include "lib/util/data_blob.h" -#include "lib/util/time.h" -#include "lib/util/charset/charset.h" -#include "libcli/util/ntstatus.h" -#include "auth/gensec/gensec.h" -#include "dnserr.h" -#include "lib/addns/dns.h" -#include "libcli/dns/libdns.h" - -DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress, - const char *keyname, - struct gensec_security *gensec, - enum dns_ServerType srv_type) -{ - TALLOC_CTX *frame = talloc_stackframe(); - struct dns_name_packet *reply = NULL; - DATA_BLOB in = { .length = 0, }; - DATA_BLOB out = { .length = 0, }; - NTSTATUS status; - DNS_ERROR err; - - do { - status = gensec_update(gensec, frame, in, &out); - TALLOC_FREE(reply); - if (GENSEC_UPDATE_IS_NTERROR(status)) { - err = ERROR_DNS_GSS_ERROR; - goto error; - } - - if (out.length != 0) { - int ret; - time_t t = time(NULL); - - struct dns_res_rec tkey = { - .name = keyname, - .rr_type = DNS_QTYPE_TKEY, - .rr_class = DNS_QCLASS_ANY, - .length = 1, - .rdata.tkey_record - .algorithm = "gss.microsoft.com", - .rdata.tkey_record.inception = t, - .rdata.tkey_record.expiration = t + 86400, - .rdata.tkey_record.mode = DNS_TKEY_MODE_GSSAPI, - .rdata.tkey_record.key_size = out.length, - .rdata.tkey_record.key_data = out.data, - }; - struct dns_name_question question = { - .name = keyname, - .question_class = DNS_QCLASS_IN, - .question_type = DNS_QTYPE_TKEY, - }; - struct dns_name_packet rec = { - .operation = DNS_OPCODE_QUERY, - .qdcount = 1, - .questions = &question, - }; - - /* Windows 2000 DNS is broken and requires the - TKEY payload in the Answer section instead - of the Additional section like Windows 2003 */ - - if ( srv_type == DNS_SRV_WIN2000 ) { - rec.ancount = 1; - rec.answers = &tkey; - } else { - rec.arcount = 1; - rec.additional = &tkey; - } - - ret = dns_cli_request(frame, - serveraddress, - &rec, - &reply); - if (ret != 0) { - err = ERROR_DNS_SOCKET_ERROR; - goto error; - } - } - - if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - struct dns_res_rec *tkey_answer = NULL; - struct dns_tkey_record *tkey = NULL; - - uint16_t i; - - /* - * TODO: Compare id and keyname - */ - - for (i = 0; i < reply->ancount; i++) { - tkey_answer = &reply->answers[i]; - - if (tkey_answer->rr_type == DNS_QTYPE_TKEY) { - break; - } - } - - if (i == reply->ancount) { - err = ERROR_DNS_INVALID_MESSAGE; - goto error; - } - - tkey = &tkey_answer->rdata.tkey_record; - - in = data_blob_const(tkey->key_data, tkey->key_size); - } - - } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); - - /* If we arrive here, we have a valid security context */ - - err = ERROR_DNS_SUCCESS; - - error: - - TALLOC_FREE(frame); - return err; -} diff --git a/lib/addns/wscript_build b/lib/addns/wscript_build index d6ad5952c2b..656c596191b 100644 --- a/lib/addns/wscript_build +++ b/lib/addns/wscript_build @@ -5,7 +5,6 @@ bld.SAMBA_LIBRARY('addns', dnsquery.c dnsrecord.c dnssock.c - dnsgss.c dnsmarshall.c error.c dnsquery_srv.c diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c index 51648a37c4f..63cd4f6c8db 100644 --- a/source3/utils/net_dns.c +++ b/source3/utils/net_dns.c @@ -29,6 +29,116 @@ #if defined(HAVE_KRB5) +static DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress, + const char *keyname, + struct gensec_security *gensec, + enum dns_ServerType srv_type) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct dns_name_packet *reply = NULL; + DATA_BLOB in = { .length = 0, }; + DATA_BLOB out = { .length = 0, }; + NTSTATUS status; + DNS_ERROR err; + + do { + status = gensec_update(gensec, frame, in, &out); + TALLOC_FREE(reply); + if (GENSEC_UPDATE_IS_NTERROR(status)) { + err = ERROR_DNS_GSS_ERROR; + goto error; + } + + if (out.length != 0) { + int ret; + time_t t = time(NULL); + + struct dns_res_rec tkey = { + .name = keyname, + .rr_type = DNS_QTYPE_TKEY, + .rr_class = DNS_QCLASS_ANY, + .length = 1, + .rdata.tkey_record + .algorithm = "gss.microsoft.com", + .rdata.tkey_record.inception = t, + .rdata.tkey_record.expiration = t + 86400, + .rdata.tkey_record.mode = DNS_TKEY_MODE_GSSAPI, + .rdata.tkey_record.key_size = out.length, + .rdata.tkey_record.key_data = out.data, + }; + struct dns_name_question question = { + .name = keyname, + .question_class = DNS_QCLASS_IN, + .question_type = DNS_QTYPE_TKEY, + }; + struct dns_name_packet rec = { + .operation = DNS_OPCODE_QUERY, + .qdcount = 1, + .questions = &question, + }; + + /* Windows 2000 DNS is broken and requires the + TKEY payload in the Answer section instead + of the Additional section like Windows 2003 */ + + if ( srv_type == DNS_SRV_WIN2000 ) { + rec.ancount = 1; + rec.answers = &tkey; + } else { + rec.arcount = 1; + rec.additional = &tkey; + } + + ret = dns_cli_request(frame, + serveraddress, + &rec, + &reply); + if (ret != 0) { + err = ERROR_DNS_SOCKET_ERROR; + goto error; + } + } + + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + struct dns_res_rec *tkey_answer = NULL; + struct dns_tkey_record *tkey = NULL; + + uint16_t i; + + /* + * TODO: Compare id and keyname + */ + + for (i = 0; i < reply->ancount; i++) { + tkey_answer = &reply->answers[i]; + + if (tkey_answer->rr_type == DNS_QTYPE_TKEY) { + break; + } + } + + if (i == reply->ancount) { + err = ERROR_DNS_INVALID_MESSAGE; + goto error; + } + + tkey = &tkey_answer->rdata.tkey_record; + + in = data_blob_const(tkey->key_data, tkey->key_size); + } + + } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); + + /* If we arrive here, we have a valid security context */ + + err = ERROR_DNS_SUCCESS; + + error: + + TALLOC_FREE(frame); + return err; +} + /********************************************************************* *********************************************************************/