1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <assert.h> 29 #include <errno.h> 30 #include <stdio.h> 31 #include <stdlib.h> 32 #include <strings.h> 33 #include <sys/types.h> 34 #include <sys/socket.h> 35 #include <netinet/in.h> 36 #include <arpa/inet.h> 37 #include <sys/time.h> 38 #include <unistd.h> 39 #include <string.h> 40 #include <arpa/nameser.h> 41 #include <resolv.h> 42 #include <netdb.h> 43 #include <rpc/rpc.h> 44 #include <syslog.h> 45 #include <gssapi/gssapi.h> 46 #include <kerberosv5/krb5.h> 47 #include <net/if.h> 48 49 #include <smbns_dyndns.h> 50 #include <smbns_krb.h> 51 52 /* internal use, in dyndns_add_entry */ 53 #define DEL_NONE 2 54 /* Maximum retires if not authoritative */ 55 #define MAX_AUTH_RETRIES 3 56 /* Number of times to retry a DNS query */ 57 #define DYNDNS_MAX_QUERY_RETRIES 3 58 /* Timeout value, in seconds, for DNS query responses */ 59 #define DYNDNS_QUERY_TIMEOUT 2 60 61 static uint16_t dns_msgid; 62 mutex_t dns_msgid_mtx; 63 64 int 65 dns_msgid_init(void) 66 { 67 struct __res_state res; 68 69 bzero(&res, sizeof (struct __res_state)); 70 if (res_ninit(&res) < 0) 71 return (-1); 72 73 (void) mutex_lock(&dns_msgid_mtx); 74 dns_msgid = res.id; 75 (void) mutex_unlock(&dns_msgid_mtx); 76 res_ndestroy(&res); 77 return (0); 78 } 79 80 int 81 dns_get_msgid(void) 82 { 83 uint16_t id; 84 85 (void) mutex_lock(&dns_msgid_mtx); 86 id = ++dns_msgid; 87 (void) mutex_unlock(&dns_msgid_mtx); 88 return (id); 89 } 90 91 /* 92 * XXX The following should be removed once head/arpa/nameser_compat.h 93 * defines BADSIG, BADKEY, BADTIME macros 94 */ 95 #ifndef BADSIG 96 #define BADSIG ns_r_badsig 97 #endif /* BADSIG */ 98 99 #ifndef BADKEY 100 #define BADKEY ns_r_badkey 101 #endif /* BADKEY */ 102 103 #ifndef BADTIME 104 #define BADTIME ns_r_badtime 105 #endif /* BADTIME */ 106 107 /* 108 * dyndns_msg_err 109 * Display error message for DNS error code found in the DNS header in 110 * reply message. 111 * Parameters: 112 * err: DNS errer code 113 * Returns: 114 * None 115 */ 116 void 117 dyndns_msg_err(int err) 118 { 119 switch (err) { 120 case NOERROR: 121 break; 122 case FORMERR: 123 syslog(LOG_ERR, "DNS message format error\n"); 124 break; 125 case SERVFAIL: 126 syslog(LOG_ERR, "DNS server internal error\n"); 127 break; 128 case NXDOMAIN: 129 syslog(LOG_ERR, "DNS entry should exist but does not exist\n"); 130 break; 131 case NOTIMP: 132 syslog(LOG_ERR, "DNS opcode not supported\n"); 133 break; 134 case REFUSED: 135 syslog(LOG_ERR, "DNS operation refused\n"); 136 break; 137 case YXDOMAIN: 138 syslog(LOG_ERR, "DNS entry shouldn't exist but does exist\n"); 139 break; 140 case YXRRSET: 141 syslog(LOG_ERR, "DNS RRSet shouldn't exist but does exist\n"); 142 break; 143 case NXRRSET: 144 syslog(LOG_ERR, "DNS RRSet should exist but does not exist\n"); 145 break; 146 case NOTAUTH: 147 syslog(LOG_ERR, "DNS server is not authoritative " 148 "for specified zone\n"); 149 break; 150 case NOTZONE: 151 syslog(LOG_ERR, "Name in Prereq or Update section not " 152 "within specified zone\n"); 153 break; 154 case BADSIG: 155 syslog(LOG_ERR, "Bad transaction signature (TSIG)"); 156 break; 157 case BADKEY: 158 syslog(LOG_ERR, "Bad transaction key (TKEY)"); 159 break; 160 case BADTIME: 161 syslog(LOG_ERR, "Time not synchronized"); 162 break; 163 164 default: 165 syslog(LOG_ERR, "Unknown DNS error\n"); 166 } 167 } 168 169 /* 170 * display_stat 171 * Display GSS error message from error code. This routine is used to display 172 * the mechanism independent and mechanism specific error messages for GSS 173 * routines. The major status error code is the mechanism independent error 174 * code and the minor status error code is the mechanism specific error code. 175 * Parameters: 176 * maj: GSS major status 177 * min: GSS minor status 178 * Returns: 179 * None 180 */ 181 static void 182 display_stat(OM_uint32 maj, OM_uint32 min) 183 { 184 gss_buffer_desc msg; 185 OM_uint32 msg_ctx = 0; 186 OM_uint32 min2; 187 (void) gss_display_status(&min2, maj, GSS_C_GSS_CODE, GSS_C_NULL_OID, 188 &msg_ctx, &msg); 189 syslog(LOG_ERR, "dyndns: GSS major status error: %s\n", 190 (char *)msg.value); 191 (void) gss_display_status(&min2, min, GSS_C_MECH_CODE, GSS_C_NULL_OID, 192 &msg_ctx, &msg); 193 syslog(LOG_ERR, "dyndns: GSS minor status error: %s\n", 194 (char *)msg.value); 195 } 196 197 static char * 198 dyndns_put_nshort(char *buf, uint16_t val) 199 { 200 uint16_t nval; 201 202 nval = htons(val); 203 (void) memcpy(buf, &nval, sizeof (uint16_t)); 204 buf += sizeof (uint16_t); 205 return (buf); 206 } 207 208 char * 209 dyndns_get_nshort(char *buf, uint16_t *val) 210 { 211 uint16_t nval; 212 213 (void) memcpy(&nval, buf, sizeof (uint16_t)); 214 *val = ntohs(nval); 215 buf += sizeof (uint16_t); 216 return (buf); 217 } 218 219 static char * 220 dyndns_put_nlong(char *buf, uint32_t val) 221 { 222 uint32_t lval; 223 224 lval = htonl(val); 225 (void) memcpy(buf, &lval, sizeof (uint32_t)); 226 buf += sizeof (uint32_t); 227 return (buf); 228 } 229 230 static char * 231 dyndns_put_byte(char *buf, char val) 232 { 233 *buf = val; 234 buf++; 235 return (buf); 236 } 237 238 static char * 239 dyndns_put_int(char *buf, int val) 240 { 241 (void) memcpy(buf, &val, sizeof (int)); 242 buf += sizeof (int); 243 return (buf); 244 } 245 246 char * 247 dyndns_get_int(char *buf, int *val) 248 { 249 (void) memcpy(val, buf, sizeof (int)); 250 buf += sizeof (int); 251 return (buf); 252 } 253 254 255 /* 256 * dyndns_stuff_str 257 * Converts a domain string by removing periods and replacing with a byte value 258 * of how many characters following period. A byte value is placed in front 259 * to indicate how many characters before first period. A NULL character is 260 * placed at the end. i.e. host.procom.com -> 4host5procom3com0 261 * Buffer space checking is done by caller. 262 * Parameters: 263 * ptr : address of pointer to buffer to store converted string 264 * zone: domain name string 265 * Returns: 266 * ptr: address of pointer to next available buffer space 267 * -1 : error 268 * 0 : success 269 */ 270 static int 271 dyndns_stuff_str(char **ptr, char *zone) 272 { 273 int len; 274 char *lenPtr, *zonePtr; 275 276 for (zonePtr = zone; *zonePtr; ) { 277 lenPtr = *ptr; 278 *ptr = *ptr + 1; 279 len = 0; 280 while (*zonePtr != '.' && *zonePtr != 0) { 281 *ptr = dyndns_put_byte(*ptr, *zonePtr); 282 zonePtr++; 283 len++; 284 } 285 *lenPtr = len; 286 if (*zonePtr == '.') 287 zonePtr++; 288 } 289 *ptr = dyndns_put_byte(*ptr, 0); 290 return (0); 291 } 292 293 /* 294 * dyndns_build_header 295 * Build the header for DNS query and DNS update request message. 296 * Parameters: 297 * ptr : address of pointer to buffer to store header 298 * buf_len : buffer length 299 * msg_id : message id 300 * query_req : use REQ_QUERY for query message or REQ_UPDATE for 301 * update message 302 * quest_zone_cnt : number of question record for query message or 303 * number of zone record for update message 304 * ans_prereq_cnt : number of answer record for query message or 305 * number of prerequisite record for update message 306 * nameser_update_cnt: number of name server for query message or 307 * number of update record for update message 308 * addit_cnt : number of additional record 309 * flags : query flags word 310 * Returns: 311 * ptr: address of pointer to next available buffer space 312 * -1 : error 313 * 0 : success 314 */ 315 int 316 dyndns_build_header(char **ptr, int buf_len, uint16_t msg_id, int query_req, 317 uint16_t quest_zone_cnt, uint16_t ans_prereq_cnt, 318 uint16_t nameser_update_cnt, uint16_t addit_cnt, int flags) 319 { 320 uint16_t opcode; 321 322 if (buf_len < 12) { 323 syslog(LOG_ERR, "dyndns: no more buf for header section\n"); 324 return (-1); 325 } 326 327 *ptr = dyndns_put_nshort(*ptr, msg_id); /* mesg ID */ 328 if (query_req == REQ_QUERY) 329 opcode = ns_o_query; /* query msg */ 330 else 331 opcode = ns_o_update << 11; /* update msg */ 332 opcode |= flags; 333 /* mesg opcode */ 334 *ptr = dyndns_put_nshort(*ptr, opcode); 335 /* zone record count */ 336 *ptr = dyndns_put_nshort(*ptr, quest_zone_cnt); 337 /* prerequiste record count */ 338 *ptr = dyndns_put_nshort(*ptr, ans_prereq_cnt); 339 /* update record count */ 340 *ptr = dyndns_put_nshort(*ptr, nameser_update_cnt); 341 /* additional record count */ 342 *ptr = dyndns_put_nshort(*ptr, addit_cnt); 343 344 return (0); 345 } 346 347 /* 348 * dyndns_build_quest_zone 349 * Build the question section for query message or zone section for 350 * update message. 351 * Parameters: 352 * ptr : address of pointer to buffer to store question or zone section 353 * buf_len: buffer length 354 * name : question or zone name 355 * type : type of question or zone 356 * class : class of question or zone 357 * Returns: 358 * ptr: address of pointer to next available buffer space 359 * -1 : error 360 * 0 : success 361 */ 362 int 363 dyndns_build_quest_zone(char **ptr, int buf_len, char *name, int type, 364 int class) 365 { 366 char *zonePtr; 367 368 if ((strlen(name) + 6) > buf_len) { 369 syslog(LOG_ERR, "dyndns: no more buf " 370 "for question/zone section\n"); 371 return (-1); 372 } 373 374 zonePtr = *ptr; 375 (void) dyndns_stuff_str(&zonePtr, name); 376 *ptr = zonePtr; 377 *ptr = dyndns_put_nshort(*ptr, type); 378 *ptr = dyndns_put_nshort(*ptr, class); 379 return (0); 380 } 381 382 /* 383 * dyndns_build_update 384 * Build update section of update message for adding and removing a record. 385 * If the ttl value is 0 then this message is for record deletion. 386 * 387 * Parameters: 388 * ptr : address of pointer to buffer to store update section 389 * buf_len : buffer length 390 * name : resource name of this record 391 * type : type of this record 392 * class : class of this record 393 * ttl : time-to-live, cached time of this entry by others and not 394 * within DNS database, a zero value for record(s) deletion 395 * data : data of this resource record 396 * forw_rev: UPDATE_FORW for forward zone, UPDATE_REV for reverse zone 397 * add_del : UPDATE_ADD for adding entry, UPDATE_DEL for removing zone 398 * del_type: DEL_ONE for deleting one entry, DEL_ALL for deleting all 399 * entries of the same resource name. Only valid for UPDATE_DEL. 400 * Returns: 401 * ptr: address of pointer to next available buffer space 402 * -1 : error 403 * 0 : success 404 */ 405 static int 406 dyndns_build_update(char **ptr, int buf_len, char *name, int type, int class, 407 uint32_t ttl, char *data, int forw_rev, int add_del, int del_type) 408 { 409 char *namePtr; 410 int rec_len, data_len; 411 412 rec_len = strlen(name) + 10; 413 if (add_del == UPDATE_ADD) { 414 if (forw_rev == UPDATE_FORW) 415 data_len = 4; 416 else 417 data_len = strlen(data) + 2; 418 } else { 419 if (del_type == DEL_ALL) 420 data_len = 0; 421 else if (forw_rev == UPDATE_FORW) 422 data_len = 4; 423 else 424 data_len = strlen(data) + 2; 425 } 426 427 if (rec_len + data_len > buf_len) { 428 syslog(LOG_ERR, "dyndns: no more buf for update section\n"); 429 return (-1); 430 } 431 432 namePtr = *ptr; 433 (void) dyndns_stuff_str(&namePtr, name); 434 *ptr = namePtr; 435 *ptr = dyndns_put_nshort(*ptr, type); 436 *ptr = dyndns_put_nshort(*ptr, class); 437 *ptr = dyndns_put_nlong(*ptr, ttl); 438 439 if (add_del == UPDATE_DEL && del_type == DEL_ALL) { 440 *ptr = dyndns_put_nshort(*ptr, 0); 441 return (0); 442 } 443 444 if (forw_rev == UPDATE_FORW) { 445 *ptr = dyndns_put_nshort(*ptr, 4); 446 *ptr = dyndns_put_int(*ptr, inet_addr(data)); /* ip address */ 447 } else { 448 *ptr = dyndns_put_nshort(*ptr, strlen(data)+2); 449 namePtr = *ptr; 450 (void) dyndns_stuff_str(&namePtr, data); /* hostname */ 451 *ptr = namePtr; 452 } 453 return (0); 454 } 455 456 /* 457 * dyndns_build_tkey 458 * Build TKEY section to establish security context for secure dynamic DNS 459 * update. DNS header and question sections need to be build before this 460 * section. The TKEY data are the tokens generated during security context 461 * establishment and the TKEY message is used to transmit those tokens, one 462 * at a time, to the DNS server. 463 * Parameters: 464 * ptr : address of pointer to buffer to store TKEY 465 * buf_len : buffer length 466 * name : key name, must be unique and same as for TSIG record 467 * key_expire: expiration time of this key in second 468 * data : TKEY data 469 * data_size : data size 470 * Returns: 471 * ptr: address of the pointer to the next available buffer space 472 * -1 : error 473 * 0 : success 474 */ 475 static int 476 dyndns_build_tkey(char **ptr, int buf_len, char *name, int key_expire, 477 char *data, int data_size) 478 { 479 char *namePtr; 480 struct timeval tp; 481 482 if (strlen(name)+2 + 45 + data_size > buf_len) { 483 syslog(LOG_ERR, "dyndns: no more buf for TKEY record\n"); 484 return (-1); 485 } 486 487 namePtr = *ptr; 488 (void) dyndns_stuff_str(&namePtr, name); /* unique global name */ 489 *ptr = namePtr; 490 *ptr = dyndns_put_nshort(*ptr, ns_t_tkey); 491 *ptr = dyndns_put_nshort(*ptr, ns_c_any); 492 *ptr = dyndns_put_nlong(*ptr, 0); 493 /* 19 + 14 + data_size + 2 */ 494 *ptr = dyndns_put_nshort(*ptr, 35 + data_size); 495 namePtr = *ptr; 496 (void) dyndns_stuff_str(&namePtr, "gss.microsoft.com"); 497 *ptr = namePtr; 498 (void) gettimeofday(&tp, 0); 499 *ptr = dyndns_put_nlong(*ptr, tp.tv_sec); /* inception */ 500 /* expiration, 86400 */ 501 *ptr = dyndns_put_nlong(*ptr, tp.tv_sec + key_expire); 502 *ptr = dyndns_put_nshort(*ptr, MODE_GSS_API); /* mode: gss-api */ 503 *ptr = dyndns_put_nshort(*ptr, 0); /* error */ 504 *ptr = dyndns_put_nshort(*ptr, data_size); /* key size */ 505 (void) memcpy(*ptr, data, data_size); /* key data */ 506 *ptr += data_size; 507 *ptr = dyndns_put_nshort(*ptr, 0); /* other */ 508 return (0); 509 } 510 511 /* 512 * dyndns_build_tsig 513 * Build TSIG section for secure dynamic DNS update. This routine will be 514 * called twice. First called with TSIG_UNSIGNED, and second with TSIG_SIGNED. 515 * The TSIG data is NULL and ignored for TSIG_UNSIGNED and is the update request 516 * message encrypted for TSIG_SIGNED. The message id must be the same id as the 517 * one in the update request before it is encrypted. 518 * Parameters: 519 * ptr : address of pointer to buffer to store TSIG 520 * buf_len : buffer length 521 * msg_id : message id 522 * name : key name, must be the same as in TKEY record 523 * fudge_time : amount of error time allow in seconds 524 * data : TSIG data if TSIG_SIGNED, otherwise NULL 525 * data_size : size of data, otherwise 0 if data is NULL 526 * data_signed: TSIG_SIGNED to indicate data is signed and encrypted, 527 * otherwise TSIG_UNSIGNED 528 * Returns: 529 * ptr: address of pointer to next available buffer space 530 * -1 : error 531 * 0 : success 532 */ 533 static int 534 dyndns_build_tsig(char **ptr, int buf_len, int msg_id, char *name, 535 int fudge_time, char *data, int data_size, int data_signed) 536 { 537 char *namePtr; 538 struct timeval tp; 539 int signtime, fudge, rec_len; 540 541 if (data_signed == TSIG_UNSIGNED) 542 rec_len = strlen(name)+2 + 37; 543 else 544 rec_len = strlen(name)+2 + 45 + data_size; 545 546 if (rec_len > buf_len) { 547 syslog(LOG_ERR, "dyndns: no more buf for TSIG record\n"); 548 return (-1); 549 } 550 551 namePtr = *ptr; 552 (void) dyndns_stuff_str(&namePtr, name); /* unique global name */ 553 *ptr = namePtr; 554 if (data_signed == TSIG_SIGNED) 555 *ptr = dyndns_put_nshort(*ptr, ns_t_tsig); 556 *ptr = dyndns_put_nshort(*ptr, ns_c_any); 557 *ptr = dyndns_put_nlong(*ptr, 0); 558 if (data_signed == TSIG_SIGNED) { 559 /* 19 + 10 + data_size + 6 */ 560 *ptr = dyndns_put_nshort(*ptr, 35 + data_size); 561 } 562 namePtr = *ptr; 563 (void) dyndns_stuff_str(&namePtr, "gss.microsoft.com"); 564 *ptr = namePtr; 565 (void) gettimeofday(&tp, 0); 566 signtime = tp.tv_sec >> 16; 567 *ptr = dyndns_put_nlong(*ptr, signtime); /* sign time */ 568 fudge = tp.tv_sec << 16; 569 fudge |= fudge_time; 570 *ptr = dyndns_put_nlong(*ptr, fudge); /* fudge time */ 571 if (data_signed == TSIG_SIGNED) { 572 /* signed data size */ 573 *ptr = dyndns_put_nshort(*ptr, data_size); 574 (void) memcpy(*ptr, data, data_size); /* signed data */ 575 *ptr += data_size; 576 *ptr = dyndns_put_nshort(*ptr, msg_id); /* original id */ 577 } 578 *ptr = dyndns_put_nshort(*ptr, 0); /* error */ 579 *ptr = dyndns_put_nshort(*ptr, 0); /* other */ 580 return (0); 581 } 582 583 /* 584 * dyndns_open_init_socket 585 * This routine creates a SOCK_STREAM or SOCK_DGRAM socket and initializes it 586 * by doing bind() and setting linger option to off. 587 * 588 * Parameters: 589 * sock_type: SOCK_STREAM for TCP or SOCK_DGRAM for UDP 590 * dest_addr: destination address in network byte order 591 * port : destination port number 592 * Returns: 593 * descriptor: descriptor referencing the created socket 594 * -1 : error 595 */ 596 int 597 dyndns_open_init_socket(int sock_type, unsigned long dest_addr, int port) 598 { 599 int s; 600 struct sockaddr_in my_addr; 601 struct linger l; 602 struct sockaddr_in serv_addr; 603 604 if ((s = socket(AF_INET, sock_type, 0)) == -1) { 605 syslog(LOG_ERR, "dyndns: socket err\n"); 606 return (-1); 607 } 608 609 l.l_onoff = 0; 610 if (setsockopt(s, SOL_SOCKET, SO_LINGER, 611 (char *)&l, sizeof (l)) == -1) { 612 syslog(LOG_ERR, "dyndns: setsocket err\n"); 613 (void) close(s); 614 return (-1); 615 } 616 617 bzero(&my_addr, sizeof (my_addr)); 618 my_addr.sin_family = AF_INET; 619 my_addr.sin_port = htons(0); 620 my_addr.sin_addr.s_addr = htonl(INADDR_ANY); 621 622 if (bind(s, (struct sockaddr *)&my_addr, sizeof (my_addr)) < 0) { 623 syslog(LOG_ERR, "dyndns: client bind err\n"); 624 (void) close(s); 625 return (-1); 626 } 627 628 serv_addr.sin_family = AF_INET; 629 serv_addr.sin_port = htons(port); 630 serv_addr.sin_addr.s_addr = dest_addr; 631 632 if (connect(s, (struct sockaddr *)&serv_addr, 633 sizeof (struct sockaddr_in)) < 0) { 634 syslog(LOG_ERR, "dyndns: client connect err (%s)\n", 635 strerror(errno)); 636 (void) close(s); 637 return (-1); 638 } 639 640 return (s); 641 } 642 643 /* 644 * dyndns_build_tkey_msg 645 * This routine is used to build the TKEY message to transmit GSS tokens 646 * during GSS security context establishment for secure DNS update. The 647 * TKEY message format uses the DNS query message format. The TKEY section 648 * is the answer section of the query message format. 649 * Microsoft uses a value of 86400 seconds (24 hours) for key expiration time. 650 * Parameters: 651 * buf : buffer to build and store TKEY message 652 * key_name: a unique key name, this same key name must be also be used in 653 * the TSIG message 654 * out_tok : TKEY message data (GSS tokens) 655 * Returns: 656 * id : message id of this TKEY message 657 * message size: the size of the TKEY message 658 * -1 : error 659 */ 660 static int 661 dyndns_build_tkey_msg(char *buf, char *key_name, uint16_t *id, 662 gss_buffer_desc *out_tok) 663 { 664 int queryReq, zoneCount, preqCount, updateCount, additionalCount; 665 int zoneType, zoneClass; 666 char *bufptr; 667 668 queryReq = REQ_QUERY; 669 /* query section of query request */ 670 zoneCount = 1; 671 /* answer section of query request */ 672 preqCount = 1; 673 updateCount = 0; 674 additionalCount = 0; 675 676 (void) memset(buf, 0, MAX_TCP_SIZE); 677 bufptr = buf; 678 *id = dns_get_msgid(); 679 680 /* add TCP length info that follows this field */ 681 bufptr = dyndns_put_nshort(bufptr, 682 26 + (strlen(key_name)+2)*2 + 35 + out_tok->length); 683 684 if (dyndns_build_header(&bufptr, BUFLEN_TCP(bufptr, buf), *id, queryReq, 685 zoneCount, preqCount, updateCount, additionalCount, 0) == -1) { 686 return (-1); 687 } 688 689 zoneType = ns_t_tkey; 690 zoneClass = ns_c_in; 691 if (dyndns_build_quest_zone(&bufptr, BUFLEN_TCP(bufptr, buf), key_name, 692 zoneType, zoneClass) == -1) { 693 return (-1); 694 } 695 696 if (dyndns_build_tkey(&bufptr, BUFLEN_TCP(bufptr, buf), key_name, 697 86400, out_tok->value, out_tok->length) == -1) { 698 return (-1); 699 } 700 701 return (bufptr - buf); 702 } 703 704 /* 705 * dyndns_establish_sec_ctx 706 * This routine is used to establish a security context with the DNS server 707 * by building TKEY messages and sending them to the DNS server. TKEY messages 708 * are also received from the DNS server for processing. The security context 709 * establishment is done with the GSS client on the system producing a token 710 * and sending the token within the TKEY message to the GSS server on the DNS 711 * server. The GSS server then processes the token and then send a TKEY reply 712 * message with a new token to be processed by the GSS client. The GSS client 713 * processes the new token and then generates a new token to be sent to the 714 * GSS server. This cycle is continued until the security establishment is 715 * done. TCP is used to send and receive TKEY messages. 716 * Parameters: 717 * cred_handle : handle to credential 718 * s : socket descriptor to DNS server 719 * key_name : TKEY key name 720 * dns_hostname: fully qualified DNS hostname 721 * oid : contains Kerberos 5 object identifier 722 * Returns: 723 * gss_context : handle to security context 724 */ 725 static int 726 dyndns_establish_sec_ctx(gss_ctx_id_t *gss_context, gss_cred_id_t cred_handle, 727 int s, char *key_name, char *dns_hostname, gss_OID oid) 728 { 729 uint16_t id, rid, rsz; 730 char buf[MAX_TCP_SIZE], buf2[MAX_TCP_SIZE]; 731 int ret; 732 char *service_name, *tmpptr; 733 int service_sz; 734 OM_uint32 min, maj, time_rec; 735 gss_buffer_desc service_buf, in_tok, out_tok; 736 gss_name_t target_name; 737 gss_buffer_desc *inputptr; 738 int gss_flags; 739 OM_uint32 ret_flags; 740 int buf_sz; 741 742 service_sz = strlen(dns_hostname) + 5; 743 service_name = (char *)malloc(sizeof (char) * service_sz); 744 if (service_name == NULL) { 745 syslog(LOG_ERR, "Malloc failed for %d bytes ", service_sz); 746 return (-1); 747 } 748 (void) snprintf(service_name, service_sz, "DNS@%s", dns_hostname); 749 service_buf.value = service_name; 750 service_buf.length = strlen(service_name)+1; 751 if ((maj = gss_import_name(&min, &service_buf, 752 GSS_C_NT_HOSTBASED_SERVICE, &target_name)) != GSS_S_COMPLETE) { 753 display_stat(maj, min); 754 (void) free(service_name); 755 return (-1); 756 } 757 (void) free(service_name); 758 759 inputptr = GSS_C_NO_BUFFER; 760 *gss_context = GSS_C_NO_CONTEXT; 761 gss_flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG | GSS_C_REPLAY_FLAG | 762 GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG; 763 do { 764 maj = gss_init_sec_context(&min, cred_handle, gss_context, 765 target_name, oid, gss_flags, 0, NULL, inputptr, NULL, 766 &out_tok, &ret_flags, &time_rec); 767 768 if (maj != GSS_S_COMPLETE && maj != GSS_S_CONTINUE_NEEDED) { 769 assert(gss_context); 770 if (*gss_context != GSS_C_NO_CONTEXT) 771 (void) gss_delete_sec_context(&min, 772 gss_context, NULL); 773 774 display_stat(maj, min); 775 (void) gss_release_name(&min, &target_name); 776 return (-1); 777 } 778 779 if ((maj == GSS_S_COMPLETE) && 780 !(ret_flags & GSS_C_REPLAY_FLAG)) { 781 syslog(LOG_ERR, "dyndns: No GSS_C_REPLAY_FLAG\n"); 782 if (out_tok.length > 0) 783 (void) gss_release_buffer(&min, &out_tok); 784 (void) gss_release_name(&min, &target_name); 785 return (-1); 786 } 787 788 if ((maj == GSS_S_COMPLETE) && 789 !(ret_flags & GSS_C_MUTUAL_FLAG)) { 790 syslog(LOG_ERR, "dyndns: No GSS_C_MUTUAL_FLAG\n"); 791 if (out_tok.length > 0) 792 (void) gss_release_buffer(&min, &out_tok); 793 (void) gss_release_name(&min, &target_name); 794 return (-1); 795 } 796 797 if (out_tok.length > 0) { 798 if ((buf_sz = dyndns_build_tkey_msg(buf, key_name, 799 &id, &out_tok)) <= 0) { 800 (void) gss_release_buffer(&min, &out_tok); 801 (void) gss_release_name(&min, &target_name); 802 return (-1); 803 } 804 805 (void) gss_release_buffer(&min, &out_tok); 806 807 if (send(s, buf, buf_sz, 0) == -1) { 808 syslog(LOG_ERR, "dyndns: TKEY send error\n"); 809 (void) gss_release_name(&min, &target_name); 810 return (-1); 811 } 812 813 bzero(buf2, MAX_TCP_SIZE); 814 if (recv(s, buf2, MAX_TCP_SIZE, 0) == -1) { 815 syslog(LOG_ERR, "dyndns: TKEY " 816 "reply recv error\n"); 817 (void) gss_release_name(&min, &target_name); 818 return (-1); 819 } 820 821 ret = buf2[5] & 0xf; /* error field in TCP */ 822 if (ret != NOERROR) { 823 syslog(LOG_ERR, "dyndns: Error in " 824 "TKEY reply: %d: ", ret); 825 dyndns_msg_err(ret); 826 (void) gss_release_name(&min, &target_name); 827 return (-1); 828 } 829 830 tmpptr = &buf2[2]; 831 (void) dyndns_get_nshort(tmpptr, &rid); 832 if (id != rid) { 833 (void) gss_release_name(&min, &target_name); 834 return (-1); 835 } 836 837 tmpptr = &buf2[59+(strlen(key_name)+2)*2]; 838 (void) dyndns_get_nshort(tmpptr, &rsz); 839 in_tok.length = rsz; 840 841 /* bsd38 -> 2*7=14 */ 842 in_tok.value = &buf2[61+(strlen(key_name)+2)*2]; 843 inputptr = &in_tok; 844 } 845 846 } while (maj != GSS_S_COMPLETE); 847 848 (void) gss_release_name(&min, &target_name); 849 850 return (0); 851 } 852 853 /* 854 * dyndns_get_sec_context 855 * Get security context for secure dynamic DNS update. This routine opens 856 * a TCP socket to the DNS server and establishes a security context with 857 * the DNS server using host principal to perform secure dynamic DNS update. 858 * Parameters: 859 * hostname: fully qualified hostname 860 * dns_ip : ip address of hostname in network byte order 861 * Returns: 862 * gss_handle: gss credential handle 863 * gss_context: gss security context 864 * -1: error 865 * 0: success 866 */ 867 static gss_ctx_id_t 868 dyndns_get_sec_context(const char *hostname, int dns_ip) 869 { 870 int s; 871 gss_cred_id_t cred_handle; 872 gss_ctx_id_t gss_context; 873 gss_OID oid; 874 struct hostent *hentry; 875 char *key_name, dns_hostname[MAXHOSTNAMELEN]; 876 877 cred_handle = GSS_C_NO_CREDENTIAL; 878 oid = GSS_C_NO_OID; 879 key_name = (char *)hostname; 880 881 hentry = gethostbyaddr((char *)&dns_ip, 4, AF_INET); 882 if (hentry == NULL) { 883 syslog(LOG_ERR, "dyndns: Can't get DNS " 884 "hostname from DNS ip.\n"); 885 return (NULL); 886 } 887 (void) strcpy(dns_hostname, hentry->h_name); 888 889 if ((s = dyndns_open_init_socket(SOCK_STREAM, dns_ip, 53)) < 0) { 890 return (NULL); 891 } 892 893 if (dyndns_establish_sec_ctx(&gss_context, cred_handle, s, key_name, 894 dns_hostname, oid)) 895 gss_context = NULL; 896 897 (void) close(s); 898 return (gss_context); 899 } 900 901 /* 902 * dyndns_build_add_remove_msg 903 * This routine builds the update request message for adding and removing DNS 904 * entries which is used for non-secure and secure DNS update. 905 * This routine builds an UDP message. 906 * Parameters: 907 * buf : buffer to build message 908 * update_zone: the type of zone to update, use UPDATE_FORW for forward 909 * lookup zone, use UPDATE_REV for reverse lookup zone 910 * hostname : fully qualified hostname to update DNS with 911 * ip_addr : IP address of hostname 912 * life_time : cached time of this entry by others and not within DNS 913 * database 914 * update_type: UPDATE_ADD to add entry, UPDATE_DEL to remove entry 915 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 916 * entries of the same resource name. Only valid for UPDATE_DEL. 917 * addit_cnt : Indicate how many record is in the additional section of 918 * the DNS message. A value of zero is always used with 919 * non-secure update message. For secure update message, 920 * the value will be one because the signed TSIG message 921 * is added as the additional record of the DNS update message. 922 * id : DNS message ID. If a positive value then this ID value is 923 * used, otherwise the next incremented value is used 924 * level : This is the domain level which we send the request to, level 925 * zero is the default level, it can go upto 2 in reverse zone 926 * and virtually to any level in forward zone. 927 * Returns: 928 * buf : buffer containing update message 929 * id : DNS message ID 930 * int : size of update message 931 * -1 : error 932 * 933 * This function is changed to handle dynamic DNS update retires to higher 934 * authoritative domains. 935 */ 936 static int 937 dyndns_build_add_remove_msg(char *buf, int update_zone, const char *hostname, 938 const char *ip_addr, int life_time, int update_type, int del_type, 939 int addit_cnt, uint16_t *id, int level) 940 { 941 int a, b, c, d; 942 char *bufptr; 943 int queryReq, zoneCount, preqCount, updateCount, additionalCount; 944 char *zone, *resource, *data, zone_buf[100], resrc_buf[100]; 945 int zoneType, zoneClass, type, class, ttl; 946 char *p; 947 948 queryReq = REQ_UPDATE; 949 zoneCount = 1; 950 preqCount = 0; 951 updateCount = 1; 952 additionalCount = addit_cnt; 953 954 (void) memset(buf, 0, NS_PACKETSZ); 955 bufptr = buf; 956 957 if (*id == 0) 958 *id = dns_get_msgid(); 959 960 if (dyndns_build_header(&bufptr, BUFLEN_UDP(bufptr, buf), *id, queryReq, 961 zoneCount, preqCount, updateCount, additionalCount, 0) == -1) { 962 return (-1); 963 } 964 965 zoneType = ns_t_soa; 966 zoneClass = ns_c_in; 967 968 if (update_zone == UPDATE_FORW) { 969 p = (char *)hostname; 970 971 /* Try higher domains according to the level requested */ 972 do { 973 /* domain */ 974 if ((zone = (char *)strchr(p, '.')) == NULL) 975 return (-1); 976 zone += 1; 977 p = zone; 978 } while (--level >= 0); 979 resource = (char *)hostname; 980 data = (char *)ip_addr; 981 } else { 982 (void) sscanf(ip_addr, "%d.%d.%d.%d", &a, &b, &c, &d); 983 (void) sprintf(zone_buf, "%d.%d.%d.in-addr.arpa", c, b, a); 984 zone = p = zone_buf; 985 986 /* Try higher domains according to the level requested */ 987 while (--level >= 0) { 988 /* domain */ 989 if ((zone = (char *)strchr(p, '.')) == NULL) { 990 return (-1); 991 } 992 zone += 1; 993 p = zone; 994 } 995 996 (void) sprintf(resrc_buf, "%d.%d.%d.%d.in-addr.arpa", 997 d, c, b, a); 998 resource = resrc_buf; /* ip info */ 999 data = (char *)hostname; 1000 } 1001 1002 if (dyndns_build_quest_zone(&bufptr, BUFLEN_UDP(bufptr, buf), zone, 1003 zoneType, zoneClass) == -1) { 1004 return (-1); 1005 } 1006 1007 if (update_zone == UPDATE_FORW) 1008 type = ns_t_a; 1009 else 1010 type = ns_t_ptr; 1011 1012 if (update_type == UPDATE_ADD) { 1013 class = ns_c_in; 1014 ttl = life_time; 1015 } else { 1016 if (del_type == DEL_ONE) 1017 class = ns_c_none; /* remove one */ 1018 else 1019 class = ns_c_any; /* remove all */ 1020 ttl = 0; 1021 } 1022 if (dyndns_build_update(&bufptr, BUFLEN_UDP(bufptr, buf), 1023 resource, type, class, ttl, data, update_zone, 1024 update_type, del_type) == -1) { 1025 return (-1); 1026 } 1027 1028 return (bufptr - buf); 1029 } 1030 1031 /* 1032 * dyndns_build_unsigned_tsig_msg 1033 * This routine is used to build the unsigned TSIG message for signing. The 1034 * unsigned TSIG message contains the update request message with certain TSIG 1035 * fields included. An error time of 300 seconds is used for fudge time. This 1036 * is the number used by Microsoft clients. 1037 * This routine builds a UDP message. 1038 * Parameters: 1039 * buf : buffer to build message 1040 * update_zone: the type of zone to update, use UPDATE_FORW for forward 1041 * lookup zone, use UPDATE_REV for reverse lookup zone 1042 * hostname : fully qualified hostname to update DNS with 1043 * ip_addr : IP address of hostname 1044 * life_time : cached time of this entry by others and not within DNS 1045 * database 1046 * update_type: UPDATE_ADD to add entry, UPDATE_DEL to remove entry 1047 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 1048 * entries of the same resource name. Only valid for UPDATE_DEL. 1049 * key_name : same key name used in TKEY message 1050 * id : DNS message ID. If a positive value then this ID value is 1051 * used, otherwise the next incremented value is used 1052 * level : This is the domain level which we send the request to, level 1053 * zero is the default level, it can go upto 2 in reverse zone 1054 * and virtually to any level in forward zone. 1055 * Returns: 1056 * buf : buffer containing update message 1057 * id : DNS message ID 1058 * int : size of update message 1059 * -1 : error 1060 */ 1061 static int 1062 dyndns_build_unsigned_tsig_msg(char *buf, int update_zone, const char *hostname, 1063 const char *ip_addr, int life_time, int update_type, int del_type, 1064 char *key_name, uint16_t *id, int level) 1065 { 1066 char *bufptr; 1067 int buf_sz; 1068 1069 if ((buf_sz = dyndns_build_add_remove_msg(buf, update_zone, hostname, 1070 ip_addr, life_time, update_type, del_type, 0, id, level)) <= 0) { 1071 return (-1); 1072 } 1073 1074 bufptr = buf + buf_sz; 1075 1076 if (dyndns_build_tsig(&bufptr, BUFLEN_UDP(bufptr, buf), 0, 1077 key_name, 300, NULL, 0, TSIG_UNSIGNED) == -1) { 1078 return (-1); 1079 } 1080 1081 return (bufptr - buf); 1082 } 1083 1084 /* 1085 * dyndns_build_signed_tsig_msg 1086 * This routine build the signed TSIG message which contains the update 1087 * request message encrypted. An error time of 300 seconds is used for fudge 1088 * time. This is the number used by Microsoft clients. 1089 * This routine builds a UDP message. 1090 * Parameters: 1091 * buf : buffer to build message 1092 * update_zone: the type of zone to update, use UPDATE_FORW for forward 1093 * lookup zone, use UPDATE_REV for reverse lookup zone 1094 * hostname : fully qualified hostname to update DNS with 1095 * ip_addr : IP address of hostname 1096 * life_time : cached time of this entry by others and not within DNS 1097 * database 1098 * update_type: UPDATE_ADD to add entry, UPDATE_DEL to remove entry 1099 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 1100 * entries of the same resource name. Only valid for UPDATE_DEL. 1101 * key_name : same key name used in TKEY message 1102 * id : DNS message ID. If a positive value then this ID value is 1103 * used, otherwise the next incremented value is used 1104 * in_mic : the update request message encrypted 1105 * level : This is the domain level which we send the request to, level 1106 * zero is the default level, it can go upto 2 in reverse zone 1107 * and virtually to any level in forward zone. 1108 * 1109 * Returns: 1110 * buf : buffer containing update message 1111 * id : DNS message ID 1112 * int : size of update message 1113 * -1 : error 1114 */ 1115 static int 1116 dyndns_build_signed_tsig_msg(char *buf, int update_zone, const char *hostname, 1117 const char *ip_addr, int life_time, int update_type, int del_type, 1118 char *key_name, uint16_t *id, gss_buffer_desc *in_mic, int level) 1119 { 1120 char *bufptr; 1121 int buf_sz; 1122 1123 if ((buf_sz = dyndns_build_add_remove_msg(buf, update_zone, hostname, 1124 ip_addr, life_time, update_type, del_type, 1, id, level)) <= 0) { 1125 return (-1); 1126 } 1127 1128 bufptr = buf + buf_sz; 1129 1130 if (dyndns_build_tsig(&bufptr, BUFLEN_UDP(bufptr, buf), 1131 *id, key_name, 300, in_mic->value, 1132 in_mic->length, TSIG_SIGNED) == -1) { 1133 return (-1); 1134 } 1135 1136 return (bufptr - buf); 1137 } 1138 1139 /* 1140 * dyndns_udp_send_recv 1141 * This routine sends and receives UDP DNS request and reply messages. 1142 * 1143 * Pre-condition: Caller must call dyndns_open_init_socket() before calling 1144 * this function. 1145 * 1146 * Parameters: 1147 * s : socket descriptor 1148 * buf : buffer containing data to send 1149 * buf_sz : size of data to send 1150 * Returns: 1151 * -1 : error 1152 * rec_buf: reply dat 1153 * 0 : success 1154 */ 1155 int 1156 dyndns_udp_send_recv(int s, char *buf, int buf_sz, char *rec_buf) 1157 { 1158 int i, retval, addr_len; 1159 struct timeval tv, timeout; 1160 fd_set rfds; 1161 struct sockaddr_in from_addr; 1162 1163 timeout.tv_usec = 0; 1164 timeout.tv_sec = DYNDNS_QUERY_TIMEOUT; 1165 1166 for (i = 0; i <= DYNDNS_MAX_QUERY_RETRIES; i++) { 1167 if (send(s, buf, buf_sz, 0) == -1) { 1168 syslog(LOG_ERR, "dyndns: UDP send error (%s)\n", 1169 strerror(errno)); 1170 return (-1); 1171 } 1172 1173 FD_ZERO(&rfds); 1174 FD_SET(s, &rfds); 1175 1176 tv = timeout; 1177 1178 retval = select(s+1, &rfds, NULL, NULL, &tv); 1179 1180 if (retval == -1) { 1181 return (-1); 1182 } else if (retval > 0) { 1183 bzero(rec_buf, NS_PACKETSZ); 1184 /* required by recvfrom */ 1185 addr_len = sizeof (struct sockaddr_in); 1186 if (recvfrom(s, rec_buf, NS_PACKETSZ, 0, 1187 (struct sockaddr *)&from_addr, &addr_len) == -1) { 1188 syslog(LOG_ERR, "dyndns: UDP recv err\n"); 1189 return (-1); 1190 } 1191 break; 1192 } 1193 } 1194 1195 /* did not receive anything */ 1196 if (i == (DYNDNS_MAX_QUERY_RETRIES + 1)) { 1197 syslog(LOG_ERR, "dyndns: max retries for UDP recv reached\n"); 1198 return (-1); 1199 } 1200 1201 return (0); 1202 } 1203 1204 /* 1205 * dyndns_sec_add_remove_entry 1206 * Perform secure dynamic DNS update after getting security context. 1207 * This routine opens a UDP socket to the DNS sever, gets the security context, 1208 * builds the unsigned TSIG message and signed TSIG message. The signed TSIG 1209 * message containing the encrypted update request message is sent to the DNS 1210 * server. The response is received and check for error. If there is no 1211 * error then credential handle and security context are released and the local 1212 * NSS cached is purged. 1213 * Parameters: 1214 * update_zone : UPDATE_FORW for forward zone, UPDATE_REV for reverse zone 1215 * hostname : fully qualified hostname 1216 * ip_addr : ip address of hostname in string format 1217 * life_time : cached time of this entry by others and not within DNS 1218 * database 1219 * max_retries : maximum retries for sending DNS update request 1220 * recv_timeout: receive timeout 1221 * update_type : UPDATE_ADD for adding entry, UPDATE_DEL for removing entry 1222 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 1223 * entries of the same resource name. Only valid for UPDATE_DEL 1224 * dns_str : DNS IP address in string format 1225 * Returns: 1226 * -1: error 1227 * 0: success 1228 * 1229 * This function is enhanced to handle the case of NOTAUTH error when DNS server 1230 * is not authoritative for specified zone. In this case we need to resend the 1231 * same request to the higher authoritative domains. 1232 * This is true for both secure and unsecure dynamic DNS updates. 1233 */ 1234 static int 1235 dyndns_sec_add_remove_entry(int update_zone, const char *hostname, 1236 const char *ip_addr, int life_time, int update_type, int del_type, 1237 char *dns_str) 1238 { 1239 int s2; 1240 uint16_t id, rid; 1241 char buf[NS_PACKETSZ], buf2[NS_PACKETSZ]; 1242 int ret; 1243 OM_uint32 min, maj; 1244 gss_buffer_desc in_mic, out_mic; 1245 gss_ctx_id_t gss_context; 1246 int dns_ip; 1247 char *key_name; 1248 int buf_sz; 1249 int level = 0; 1250 1251 assert(dns_str); 1252 assert(*dns_str); 1253 1254 dns_ip = inet_addr(dns_str); 1255 1256 sec_retry_higher: 1257 1258 if ((gss_context = dyndns_get_sec_context(hostname, 1259 dns_ip)) == NULL) { 1260 return (-1); 1261 } 1262 1263 key_name = (char *)hostname; 1264 1265 if ((s2 = dyndns_open_init_socket(SOCK_DGRAM, dns_ip, 53)) < 0) { 1266 if (gss_context != GSS_C_NO_CONTEXT) 1267 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1268 return (-1); 1269 } 1270 1271 id = 0; 1272 if ((buf_sz = dyndns_build_unsigned_tsig_msg(buf, update_zone, hostname, 1273 ip_addr, life_time, update_type, del_type, 1274 key_name, &id, level)) <= 0) { 1275 (void) close(s2); 1276 if (gss_context != GSS_C_NO_CONTEXT) 1277 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1278 return (-1); 1279 } 1280 1281 in_mic.length = buf_sz; 1282 in_mic.value = buf; 1283 1284 /* sign update message */ 1285 if ((maj = gss_get_mic(&min, gss_context, 0, &in_mic, &out_mic)) != 1286 GSS_S_COMPLETE) { 1287 display_stat(maj, min); 1288 (void) close(s2); 1289 if (gss_context != GSS_C_NO_CONTEXT) 1290 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1291 return (-1); 1292 } 1293 1294 if ((buf_sz = dyndns_build_signed_tsig_msg(buf, update_zone, hostname, 1295 ip_addr, life_time, update_type, del_type, key_name, &id, 1296 &out_mic, level)) <= 0) { 1297 (void) close(s2); 1298 (void) gss_release_buffer(&min, &out_mic); 1299 if (gss_context != GSS_C_NO_CONTEXT) 1300 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1301 return (-1); 1302 } 1303 1304 (void) gss_release_buffer(&min, &out_mic); 1305 1306 if (dyndns_udp_send_recv(s2, buf, buf_sz, buf2)) { 1307 (void) close(s2); 1308 if (gss_context != GSS_C_NO_CONTEXT) 1309 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1310 return (-1); 1311 } 1312 1313 (void) close(s2); 1314 1315 if (gss_context != GSS_C_NO_CONTEXT) 1316 (void) gss_delete_sec_context(&min, &gss_context, NULL); 1317 1318 ret = buf2[3] & 0xf; /* error field in UDP */ 1319 1320 /* 1321 * If it is a NOTAUTH error we should retry with higher domains 1322 * until we get a successful reply or the maximum retries is met. 1323 */ 1324 if (ret == NOTAUTH && level++ < MAX_AUTH_RETRIES) 1325 goto sec_retry_higher; 1326 1327 /* check here for update request is successful */ 1328 if (ret != NOERROR) { 1329 syslog(LOG_ERR, "dyndns: Error in TSIG reply: %d: ", ret); 1330 dyndns_msg_err(ret); 1331 return (-1); 1332 } 1333 1334 (void) dyndns_get_nshort(buf2, &rid); 1335 if (id != rid) 1336 return (-1); 1337 1338 return (0); 1339 } 1340 1341 /* 1342 * dyndns_seach_entry 1343 * Query DNS server for entry. This routine can indicate if an entry exist 1344 * or not during forward or reverse lookup. Also can indicate if the data 1345 * of the entry matched. For example, for forward lookup, the entry is 1346 * searched using the hostname and the data is the IP address. For reverse 1347 * lookup, the entry is searched using the IP address and the data is the 1348 * hostname. 1349 * Parameters: 1350 * update_zone: UPDATE_FORW for forward zone, UPDATE_REV for reverse zone 1351 * hostname : fully qualified hostname 1352 * ip_addr : ip address of hostname in string format 1353 * update_type: UPDATE_ADD for adding entry, UPDATE_DEL for removing entry 1354 * Returns: 1355 * time_out: no use 1356 * is_match: is 1 for found matching entry, otherwise 0 1357 * 1 : an entry exist but not necessarily match 1358 * 0 : an entry does not exist 1359 */ 1360 /*ARGSUSED*/ 1361 static int 1362 dyndns_search_entry(int update_zone, const char *hostname, const char *ip_addr, 1363 int update_type, struct timeval *time_out, int *is_match) 1364 { 1365 struct hostent *hentry; 1366 struct in_addr in; 1367 in_addr_t ip; 1368 int i; 1369 1370 *is_match = 0; 1371 if (update_zone == UPDATE_FORW) { 1372 hentry = gethostbyname(hostname); 1373 if (hentry) { 1374 ip = inet_addr(ip_addr); 1375 for (i = 0; hentry->h_addr_list[i]; i++) { 1376 (void) memcpy(&in.s_addr, 1377 hentry->h_addr_list[i], sizeof (in.s_addr)); 1378 if (ip == in.s_addr) { 1379 *is_match = 1; 1380 break; 1381 } 1382 } 1383 return (1); 1384 } 1385 } else { 1386 int dns_ip = inet_addr(ip_addr); 1387 hentry = gethostbyaddr((char *)&dns_ip, 4, AF_INET); 1388 if (hentry) { 1389 if (strncasecmp(hentry->h_name, hostname, 1390 strlen(hostname)) == 0) { 1391 *is_match = 1; 1392 } 1393 return (1); 1394 } 1395 } 1396 1397 /* entry does not exist */ 1398 return (0); 1399 } 1400 1401 /* 1402 * dyndns_add_remove_entry 1403 * Perform non-secure dynamic DNS update. If it fails and host principal 1404 * keys can be found in the local keytab file, secure update will be performed. 1405 * 1406 * This routine opens a UDP socket to the DNS sever, build the update request 1407 * message, and sends the message to the DNS server. The response is received 1408 * and check for error. If there is no error then the local NSS cached is 1409 * purged. DNS may be used to check to see if an entry already exist before 1410 * adding or to see if an entry does exist before removing it. Adding 1411 * duplicate entries or removing non-existing entries does not cause any 1412 * problems. DNS is not check when doing a delete all. 1413 * Parameters: 1414 * update_zone: UPDATE_FORW for forward zone, UPDATE_REV for reverse zone 1415 * hostname : fully qualified hostname 1416 * ip_addr : ip address of hostname in string format 1417 * life_time : cached time of this entry by others and not within DNS 1418 * database 1419 * update_type: UPDATE_ADD to add entry, UPDATE_DEL to remove entry 1420 * do_check : DNS_CHECK to check first in DNS, DNS_NOCHECK for no DNS 1421 * checking before update 1422 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 1423 * entries of the same resource name. Only valid for UPDATE_DEL. 1424 * dns_str : DNS IP address in string format 1425 * Returns: 1426 * -1: error 1427 * 0: success 1428 * 1429 * This function is enhanced to handle the case of NOTAUTH error when DNS server 1430 * is not authoritative for specified zone. In this case we need to resend the 1431 * same request to the higher authoritative domains. 1432 * This is true for both secure and unsecure dynamic DNS updates. 1433 */ 1434 static int 1435 dyndns_add_remove_entry(int update_zone, const char *hostname, 1436 const char *ip_addr, int life_time, int update_type, 1437 int do_check, int del_type, char *dns_str) 1438 { 1439 int s; 1440 uint16_t id, rid; 1441 char buf[NS_PACKETSZ], buf2[NS_PACKETSZ]; 1442 int ret, dns_ip; 1443 int is_exist, is_match; 1444 struct timeval timeout; 1445 int buf_sz; 1446 int level = 0; 1447 1448 assert(dns_str); 1449 assert(*dns_str); 1450 1451 dns_ip = inet_addr(dns_str); 1452 1453 if (do_check == DNS_CHECK && del_type != DEL_ALL) { 1454 is_exist = dyndns_search_entry(update_zone, hostname, ip_addr, 1455 update_type, &timeout, &is_match); 1456 1457 if (update_type == UPDATE_ADD && is_exist && is_match) { 1458 return (0); 1459 } else if (update_type == UPDATE_DEL && !is_exist) { 1460 return (0); 1461 } 1462 } 1463 1464 retry_higher: 1465 if ((s = dyndns_open_init_socket(SOCK_DGRAM, dns_ip, 53)) < 0) { 1466 return (-1); 1467 } 1468 1469 id = 0; 1470 if ((buf_sz = dyndns_build_add_remove_msg(buf, update_zone, hostname, 1471 ip_addr, life_time, update_type, del_type, 0, &id, level)) <= 0) { 1472 (void) close(s); 1473 return (-1); 1474 } 1475 1476 if (dyndns_udp_send_recv(s, buf, buf_sz, buf2)) { 1477 (void) close(s); 1478 return (-1); 1479 } 1480 1481 (void) close(s); 1482 1483 ret = buf2[3] & 0xf; /* error field in UDP */ 1484 1485 /* 1486 * If it is a NOTAUTH error we should retry with higher domains 1487 * until we get a successful reply 1488 */ 1489 if (ret == NOTAUTH && level++ < MAX_AUTH_RETRIES) 1490 goto retry_higher; 1491 1492 /* check here for update request is successful */ 1493 if (ret == NOERROR) { 1494 (void) dyndns_get_nshort(buf2, &rid); 1495 if (id != rid) 1496 return (-1); 1497 return (0); 1498 } 1499 1500 if (ret == NOTIMP) { 1501 syslog(LOG_ERR, "dyndns: DNS does not " 1502 "support dynamic update\n"); 1503 return (-1); 1504 } else if (ret == NOTAUTH) { 1505 syslog(LOG_ERR, "dyndns: DNS is not authoritative for " 1506 "zone name in zone section\n"); 1507 return (-1); 1508 } 1509 1510 if (smb_krb5_find_keytab_entries(hostname, SMBNS_KRB5_KEYTAB)) 1511 ret = dyndns_sec_add_remove_entry(update_zone, hostname, 1512 ip_addr, life_time, update_type, del_type, dns_str); 1513 1514 return (ret); 1515 } 1516 1517 /* 1518 * dyndns_add_entry 1519 * Main routine to add an entry into DNS. The attempt will be made on the 1520 * the servers returned by smb_get_nameserver(). Upon a successful 1521 * attempt on any one of the server, the function will exit with 0. 1522 * Otherwise, -1 is retuned to indicate the update attempt on all the 1523 * nameservers has failed. 1524 * 1525 * Parameters: 1526 * update_zone: the type of zone to update, use UPDATE_FORW for forward 1527 * lookup zone, use UPDATE_REV for reverse lookup zone 1528 * hostname : fully qualified hostname 1529 * ip_addr : ip address of hostname in string format 1530 * life_time : cached time of this entry by others and not within DNS 1531 * database 1532 * Returns: 1533 * -1: error 1534 * 0: success 1535 */ 1536 static int 1537 dyndns_add_entry(int update_zone, const char *hostname, const char *ip_addr, 1538 int life_time) 1539 { 1540 char *dns_str; 1541 struct in_addr ns_list[MAXNS]; 1542 int i, cnt; 1543 int addr, rc = 0; 1544 1545 if (hostname == NULL || ip_addr == NULL) { 1546 return (-1); 1547 } 1548 1549 addr = (int)inet_addr(ip_addr); 1550 if ((addr == -1) || (addr == 0)) { 1551 return (-1); 1552 } 1553 1554 cnt = smb_get_nameservers(ns_list, MAXNS); 1555 1556 for (i = 0; i < cnt; i++) { 1557 dns_str = inet_ntoa(ns_list[i]); 1558 if ((dns_str == NULL) || 1559 (strcmp(dns_str, "0.0.0.0") == 0)) { 1560 continue; 1561 } 1562 1563 if (update_zone == UPDATE_FORW) { 1564 syslog(LOG_DEBUG, "Dynamic update on forward lookup " 1565 "zone for %s (%s)...\n", hostname, ip_addr); 1566 } else { 1567 syslog(LOG_DEBUG, "Dynamic update on reverse lookup " 1568 "zone for %s (%s)...\n", hostname, ip_addr); 1569 } 1570 if (dyndns_add_remove_entry(update_zone, hostname, 1571 ip_addr, life_time, 1572 UPDATE_ADD, DNS_NOCHECK, DEL_NONE, dns_str) != -1) { 1573 rc = 1; 1574 break; 1575 } 1576 } 1577 1578 return (rc ? 0 : -1); 1579 } 1580 1581 /* 1582 * dyndns_remove_entry 1583 * Main routine to remove an entry or all entries of the same resource name 1584 * from DNS. The update attempt will be made on the primary DNS server. If 1585 * there is a failure then another attempt will be made on the secondary DNS 1586 * server. 1587 * Parameters: 1588 * update_zone: the type of zone to update, use UPDATE_FORW for forward 1589 * lookup zone, use UPDATE_REV for reverse lookup zone 1590 * hostname : fully qualified hostname 1591 * ip_addr : ip address of hostname in string format 1592 * del_type : DEL_ONE for deleting one entry, DEL_ALL for deleting all 1593 * entries of the same resource name. Only valid for UPDATE_DEL 1594 * Returns: 1595 * -1: error 1596 * 0: success 1597 */ 1598 static int 1599 dyndns_remove_entry(int update_zone, const char *hostname, const char *ip_addr, 1600 int del_type) 1601 { 1602 char *dns_str; 1603 struct in_addr ns_list[MAXNS]; 1604 int i, cnt, scnt; 1605 int addr; 1606 1607 if ((hostname == NULL || ip_addr == NULL)) { 1608 return (-1); 1609 } 1610 1611 addr = (int)inet_addr(ip_addr); 1612 if ((addr == -1) || (addr == 0)) { 1613 return (-1); 1614 } 1615 1616 cnt = smb_get_nameservers(ns_list, MAXNS); 1617 scnt = 0; 1618 1619 for (i = 0; i < cnt; i++) { 1620 dns_str = inet_ntoa(ns_list[i]); 1621 if ((dns_str == NULL) || 1622 (strcmp(dns_str, "0.0.0.0") == 0)) { 1623 continue; 1624 } 1625 1626 if (update_zone == UPDATE_FORW) { 1627 if (del_type == DEL_ONE) { 1628 syslog(LOG_DEBUG, "Dynamic update " 1629 "on forward lookup " 1630 "zone for %s (%s)...\n", hostname, ip_addr); 1631 } else { 1632 syslog(LOG_DEBUG, "Removing all " 1633 "entries of %s " 1634 "in forward lookup zone...\n", hostname); 1635 } 1636 } else { 1637 if (del_type == DEL_ONE) { 1638 syslog(LOG_DEBUG, "Dynamic update " 1639 "on reverse lookup " 1640 "zone for %s (%s)...\n", hostname, ip_addr); 1641 } else { 1642 syslog(LOG_DEBUG, "Removing all " 1643 "entries of %s " 1644 "in reverse lookup zone...\n", ip_addr); 1645 } 1646 } 1647 if (dyndns_add_remove_entry(update_zone, hostname, ip_addr, 0, 1648 UPDATE_DEL, DNS_NOCHECK, del_type, dns_str) != -1) { 1649 scnt++; 1650 break; 1651 } 1652 } 1653 if (scnt) 1654 return (0); 1655 return (-1); 1656 } 1657 1658 /* 1659 * dyndns_update 1660 * 1661 * Dynamic DNS update API for kclient. 1662 * 1663 * Returns: 1664 * 0: successful 1665 * -1: dynamic update failure. 1666 * -2: unable to obtain NIC info. 1667 * -3: init failure 1668 */ 1669 int 1670 dyndns_update(char *fqdn) 1671 { 1672 int rc; 1673 1674 if (smb_nic_init() != 0) 1675 return (-2); 1676 1677 if (dns_msgid_init() != 0) 1678 return (-3); 1679 1680 rc = dyndns_update_core(fqdn); 1681 smb_nic_fini(); 1682 return (rc); 1683 } 1684 1685 /* 1686 * dyndns_update_core 1687 * Perform dynamic update on both forward and reverse lookup zone using 1688 * the specified hostname and IP addresses. Before updating DNS, existing 1689 * host entries with the same hostname in the forward lookup zone are removed 1690 * and existing pointer entries with the same IP addresses in the reverse 1691 * lookup zone are removed. After DNS update, host entries for current 1692 * hostname will show current IP addresses and pointer entries for current 1693 * IP addresses will show current hostname. 1694 * Parameters: 1695 * fqhn - fully-qualified hostname 1696 * 1697 * Returns: 1698 * -1: some dynamic DNS updates errors 1699 * 0: successful or DDNS disabled. 1700 */ 1701 int 1702 dyndns_update_core(char *fqdn) 1703 { 1704 int forw_update_ok, error; 1705 char *my_ip; 1706 struct in_addr addr; 1707 smb_niciter_t ni; 1708 int rc; 1709 char fqhn[MAXHOSTNAMELEN]; 1710 1711 if (!smb_config_getbool(SMB_CI_DYNDNS_ENABLE)) 1712 return (0); 1713 1714 if (smb_gethostname(fqhn, MAXHOSTNAMELEN, 0) != 0) 1715 return (-1); 1716 1717 (void) snprintf(fqhn, MAXHOSTNAMELEN, "%s.%s", fqhn, fqdn); 1718 error = 0; 1719 forw_update_ok = 0; 1720 1721 /* 1722 * Dummy IP is okay since we are removing all using the hostname. 1723 */ 1724 if (dyndns_remove_entry(UPDATE_FORW, fqhn, "1.1.1.1", DEL_ALL) == 0) { 1725 forw_update_ok = 1; 1726 } else { 1727 error++; 1728 } 1729 1730 if (smb_nic_getfirst(&ni) != 0) 1731 return (-1); 1732 1733 do { 1734 if (ni.ni_nic.nic_sysflags & (IFF_STANDBY | IFF_PRIVATE)) 1735 continue; 1736 1737 addr.s_addr = ni.ni_nic.nic_ip; 1738 my_ip = (char *)strdup(inet_ntoa(addr)); 1739 if (my_ip == NULL) { 1740 error++; 1741 continue; 1742 } 1743 1744 if (forw_update_ok) { 1745 rc = dyndns_add_entry(UPDATE_FORW, fqhn, my_ip, 1746 DDNS_TTL); 1747 1748 if (rc == -1) 1749 error++; 1750 } 1751 1752 rc = dyndns_remove_entry(UPDATE_REV, fqhn, my_ip, DEL_ALL); 1753 if (rc == 0) { 1754 rc = dyndns_add_entry(UPDATE_REV, fqhn, my_ip, 1755 DDNS_TTL); 1756 } 1757 1758 if (rc == -1) 1759 error++; 1760 1761 (void) free(my_ip); 1762 } while (smb_nic_getnext(&ni) == 0); 1763 1764 return ((error == 0) ? 0 : -1); 1765 } 1766 1767 /* 1768 * dyndns_clear_rev_zone 1769 * Clear the rev zone records. Must be called to clear the OLD if list 1770 * of down records prior to updating the list with new information. 1771 * 1772 * Parameters: 1773 * fqhn - fully-qualified hostname 1774 * Returns: 1775 * -1: some dynamic DNS updates errors 1776 * 0: successful or DDNS disabled. 1777 */ 1778 int 1779 dyndns_clear_rev_zone(char *fqdn) 1780 { 1781 int error; 1782 char *my_ip; 1783 struct in_addr addr; 1784 smb_niciter_t ni; 1785 int rc; 1786 char fqhn[MAXHOSTNAMELEN]; 1787 1788 if (!smb_config_getbool(SMB_CI_DYNDNS_ENABLE)) 1789 return (0); 1790 1791 if (smb_gethostname(fqhn, MAXHOSTNAMELEN, 0) != 0) 1792 return (-1); 1793 1794 (void) snprintf(fqhn, MAXHOSTNAMELEN, "%s.%s", fqhn, fqdn); 1795 error = 0; 1796 1797 if (smb_nic_getfirst(&ni) != 0) 1798 return (-1); 1799 1800 do { 1801 if (ni.ni_nic.nic_sysflags & (IFF_STANDBY | IFF_PRIVATE)) 1802 continue; 1803 1804 addr.s_addr = ni.ni_nic.nic_ip; 1805 my_ip = (char *)strdup(inet_ntoa(addr)); 1806 if (my_ip == NULL) { 1807 error++; 1808 continue; 1809 } 1810 1811 rc = dyndns_remove_entry(UPDATE_REV, fqhn, my_ip, DEL_ALL); 1812 if (rc != 0) 1813 error++; 1814 1815 (void) free(my_ip); 1816 } while (smb_nic_getnext(&ni) == 0); 1817 1818 return ((error == 0) ? 0 : -1); 1819 } 1820