/*
   Unix SMB/CIFS implementation.

   DNS server handler for signed packets

   Copyright (C) 2012 Kai Blin  <kai@samba.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "system/network.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_dns.h"
#include "dns_server/dns_server.h"
#include "libcli/util/ntstatus.h"
#include "auth/auth.h"
#include "auth/gensec/gensec.h"
#include "lib/util/bytearray.h"

#undef DBGC_CLASS
#define DBGC_CLASS DBGC_DNS

static WERROR dns_copy_tsig(TALLOC_CTX *mem_ctx,
			    struct dns_res_rec *old,
			    struct dns_res_rec *new_rec)
{
	new_rec->name = talloc_strdup(mem_ctx, old->name);
	W_ERROR_HAVE_NO_MEMORY(new_rec->name);

	new_rec->rr_type = old->rr_type;
	new_rec->rr_class = old->rr_class;
	new_rec->ttl = old->ttl;
	new_rec->length = old->length;
	new_rec->rdata.tsig_record.algorithm_name = talloc_strdup(mem_ctx,
				old->rdata.tsig_record.algorithm_name);
	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.algorithm_name);

	new_rec->rdata.tsig_record.time_prefix = old->rdata.tsig_record.time_prefix;
	new_rec->rdata.tsig_record.time = old->rdata.tsig_record.time;
	new_rec->rdata.tsig_record.fudge = old->rdata.tsig_record.fudge;
	new_rec->rdata.tsig_record.mac_size = old->rdata.tsig_record.mac_size;
	new_rec->rdata.tsig_record.mac = talloc_memdup(mem_ctx,
					old->rdata.tsig_record.mac,
					old->rdata.tsig_record.mac_size);
	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.mac);

	new_rec->rdata.tsig_record.original_id = old->rdata.tsig_record.original_id;
	new_rec->rdata.tsig_record.error = old->rdata.tsig_record.error;
	new_rec->rdata.tsig_record.other_size = old->rdata.tsig_record.other_size;
	new_rec->rdata.tsig_record.other_data = talloc_memdup(mem_ctx,
					old->rdata.tsig_record.other_data,
					old->rdata.tsig_record.other_size);
	W_ERROR_HAVE_NO_MEMORY(new_rec->rdata.tsig_record.other_data);

	return WERR_OK;
}

struct dns_server_tkey *dns_find_tkey(struct dns_server_tkey_store *store,
				      const char *name)
{
	struct dns_server_tkey *tkey = NULL;
	uint16_t i = 0;

	do {
		struct dns_server_tkey *tmp_key = store->tkeys[i];

		i++;
		i %= TKEY_BUFFER_SIZE;

		if (tmp_key == NULL) {
			continue;
		}
		if (samba_dns_name_equal(name, tmp_key->name)) {
			tkey = tmp_key;
			break;
		}
	} while (i != 0);

	return tkey;
}

WERROR dns_verify_tsig(struct dns_server *dns,
		       TALLOC_CTX *mem_ctx,
		       struct dns_request_state *state,
		       struct dns_name_packet *packet,
		       DATA_BLOB *in)
{
	WERROR werror;
	NTSTATUS status;
	enum ndr_err_code ndr_err;
	uint16_t i, arcount = 0;
	DATA_BLOB tsig_blob, fake_tsig_blob, sig;
	uint8_t *buffer = NULL;
	size_t buffer_len = 0, packet_len = 0;
	struct dns_server_tkey *tkey = NULL;
	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
			struct dns_fake_tsig_rec);
	const char *algorithm = NULL;

	/* Find the first TSIG record in the additional records */
	for (i=0; i < packet->arcount; i++) {
		if (packet->additional[i].rr_type == DNS_QTYPE_TSIG) {
			break;
		}
	}

	if (i == packet->arcount) {
		/* no TSIG around */
		return WERR_OK;
	}

	/* The TSIG record needs to be the last additional record */
	if (i + 1 != packet->arcount) {
		DEBUG(1, ("TSIG record not the last additional record!\n"));
		return DNS_ERR(FORMAT_ERROR);
	}

	/* We got a TSIG, so we need to sign our reply */
	state->sign = true;
	DBG_DEBUG("Got TSIG\n");

	state->tsig = talloc_zero(state->mem_ctx, struct dns_res_rec);
	if (state->tsig == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	werror = dns_copy_tsig(state->tsig, &packet->additional[i],
			       state->tsig);
	if (!W_ERROR_IS_OK(werror)) {
		return werror;
	}

	packet->arcount--;

	tkey = dns_find_tkey(dns->tkeys, state->tsig->name);
	if (tkey == NULL) {
		DBG_DEBUG("dns_find_tkey() => REFUSED / DNS_RCODE_BADKEY\n");
		/*
		 * We must save the name for use in the TSIG error
		 * response and have no choice here but to save the
		 * keyname from the TSIG request.
		 */
		state->key_name = talloc_strdup(state->mem_ctx,
						state->tsig->name);
		if (state->key_name == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
		state->tsig_error = DNS_RCODE_BADKEY;
		return DNS_ERR(REFUSED);
	}
	DBG_DEBUG("dns_find_tkey() => found\n");

	algorithm = state->tsig->rdata.tsig_record.algorithm_name;
	if (strcmp(algorithm, "gss-tsig") == 0) {
		/* ok */
	} else if (strcmp(algorithm, "gss.microsoft.com") == 0) {
		/* ok */
	} else {
		state->tsig_error = DNS_RCODE_BADKEY;
		return DNS_ERR(REFUSED);
	}

	/*
	 * Remember the keyname that found an existing tkey, used
	 * later to fetch the key with dns_find_tkey() when signing
	 * and adding a TSIG record with MAC.
	 */
	state->key_name = talloc_strdup(state->mem_ctx, tkey->name);
	if (state->key_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* FIXME: check TSIG here */
	if (check_rec == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* first build and verify check packet */
	check_rec->name = talloc_strdup(check_rec, tkey->name);
	if (check_rec->name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	check_rec->rr_class = DNS_QCLASS_ANY;
	check_rec->ttl = 0;
	check_rec->algorithm_name = talloc_strdup(check_rec, algorithm);
	if (check_rec->algorithm_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	check_rec->time_prefix = 0;
	check_rec->time = state->tsig->rdata.tsig_record.time;
	check_rec->fudge = state->tsig->rdata.tsig_record.fudge;
	check_rec->error = 0;
	check_rec->other_size = 0;
	check_rec->other_data = NULL;

	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, state->tsig,
		(ndr_push_flags_fn_t)ndr_push_dns_res_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	ndr_err = ndr_push_struct_blob(&fake_tsig_blob, mem_ctx, check_rec,
		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	/* we need to work some magic here. we need to keep the input packet
	 * exactly like we got it, but we need to cut off the tsig record */
	packet_len = in->length - tsig_blob.length;
	buffer_len = packet_len + fake_tsig_blob.length;
	buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
	if (buffer == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	memcpy(buffer, in->data, packet_len);
	memcpy(buffer + packet_len, fake_tsig_blob.data, fake_tsig_blob.length);

	sig.length = state->tsig->rdata.tsig_record.mac_size;
	sig.data = talloc_memdup(mem_ctx, state->tsig->rdata.tsig_record.mac, sig.length);
	if (sig.data == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	/* Now we also need to count down the additional record counter */
	arcount = RSVAL(buffer, 10);
	RSSVAL(buffer, 10, arcount-1);

	status = gensec_check_packet(tkey->gensec, buffer, buffer_len,
				    buffer, buffer_len, &sig);
	if (NT_STATUS_EQUAL(NT_STATUS_ACCESS_DENIED, status)) {
		dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
		dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
		DBG_NOTICE("Verifying tsig failed: %s\n", nt_errstr(status));
		state->tsig_error = DNS_RCODE_BADSIG;
		return DNS_ERR(REFUSED);
	}

	if (!NT_STATUS_IS_OK(status)) {
		dump_data_dbgc(DBGC_DNS, 8, sig.data, sig.length);
		dump_data_dbgc(DBGC_DNS, 8, buffer, buffer_len);
		DEBUG(1, ("Verifying tsig failed: %s\n", nt_errstr(status)));
		return ntstatus_to_werror(status);
	}

	state->authenticated = true;

	DBG_DEBUG("AUTHENTICATED\n");
	return WERR_OK;
}

static WERROR dns_tsig_compute_mac(TALLOC_CTX *mem_ctx,
				   struct dns_request_state *state,
				   struct dns_name_packet *packet,
				   struct dns_server_tkey *tkey,
				   time_t current_time,
				   DATA_BLOB *_psig)
{
	NTSTATUS status;
	enum ndr_err_code ndr_err;
	DATA_BLOB packet_blob, tsig_blob, sig;
	uint8_t *buffer = NULL;
	uint8_t *p = NULL;
	size_t buffer_len = 0;
	struct dns_fake_tsig_rec *check_rec = talloc_zero(mem_ctx,
			struct dns_fake_tsig_rec);
	size_t mac_size = 0;
	bool gss_tsig;

	if (check_rec == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	if (strcmp(tkey->algorithm, "gss-tsig") == 0) {
		gss_tsig = true;
	} else {
		/* gss.microsoft.com */
		gss_tsig = false;
	}

	/* first build and verify check packet */
	check_rec->name = talloc_strdup(check_rec, tkey->name);
	if (check_rec->name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	check_rec->rr_class = DNS_QCLASS_ANY;
	check_rec->ttl = 0;
	check_rec->algorithm_name = talloc_strdup(check_rec, tkey->algorithm);
	if (check_rec->algorithm_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	check_rec->time_prefix = 0;
	check_rec->time = current_time;
	check_rec->fudge = 300;
	check_rec->error = state->tsig_error;
	check_rec->other_size = 0;
	check_rec->other_data = NULL;

	ndr_err = ndr_push_struct_blob(&packet_blob, mem_ctx, packet,
		(ndr_push_flags_fn_t)ndr_push_dns_name_packet);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	ndr_err = ndr_push_struct_blob(&tsig_blob, mem_ctx, check_rec,
		(ndr_push_flags_fn_t)ndr_push_dns_fake_tsig_rec);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		DEBUG(1, ("Failed to push packet: %s!\n",
			  ndr_errstr(ndr_err)));
		return DNS_ERR(SERVER_FAILURE);
	}

	if (state->tsig != NULL) {
		mac_size = state->tsig->rdata.tsig_record.mac_size;
	}

	buffer_len = mac_size;
	if (gss_tsig && mac_size > 0) {
		buffer_len += 2;
	}

	buffer_len += packet_blob.length;
	if (buffer_len < packet_blob.length) {
		return WERR_INVALID_PARAMETER;
	}
	buffer_len += tsig_blob.length;
	if (buffer_len < tsig_blob.length) {
		return WERR_INVALID_PARAMETER;
	}

	buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len);
	if (buffer == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	p = buffer;

	/*
	 * RFC 2845 "4.2 TSIG on Answers", how to lay out the buffer
	 * that we're going to sign:
	 * 1. if MAC of request is present
	 *    - 16bit big endian length of MAC of request
	 *    - MAC of request
	 * 2. Outgoing packet
	 * 3. TSIG record
	 */
	if (mac_size > 0) {
		if (gss_tsig) {
			/*
			 * only gss-tsig not with
			 * gss.microsoft.com
			 */
			PUSH_BE_U16(p, 0, mac_size);
			p += 2;
		}
		memcpy(p, state->tsig->rdata.tsig_record.mac, mac_size);
		p += mac_size;
	}

	memcpy(p, packet_blob.data, packet_blob.length);
	p += packet_blob.length;

	memcpy(p, tsig_blob.data, tsig_blob.length);

	status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len,
				    buffer, buffer_len, &sig);
	if (!NT_STATUS_IS_OK(status)) {
		return ntstatus_to_werror(status);
	}

	*_psig = sig;
	return WERR_OK;
}

WERROR dns_sign_tsig(struct dns_server *dns,
		     TALLOC_CTX *mem_ctx,
		     struct dns_request_state *state,
		     struct dns_name_packet *packet,
		     uint16_t error)
{
	WERROR werror;
	time_t current_time = time(NULL);
	struct dns_res_rec *tsig = NULL;
	DATA_BLOB sig = (DATA_BLOB) {
		.data = NULL,
		.length = 0
	};
	const char *algorithm = "gss-tsig";

	tsig = talloc_zero(mem_ctx, struct dns_res_rec);
	if (tsig == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	if (state->tsig_error == DNS_RCODE_OK) {
		struct dns_server_tkey *tkey = dns_find_tkey(
			dns->tkeys, state->key_name);
		if (tkey == NULL) {
			DBG_WARNING("dns_find_tkey() => NULL)\n");
			return DNS_ERR(SERVER_FAILURE);
		}

		werror = dns_tsig_compute_mac(mem_ctx, state, packet,
					      tkey, current_time, &sig);
		DBG_DEBUG("dns_tsig_compute_mac() => %s\n", win_errstr(werror));
		if (!W_ERROR_IS_OK(werror)) {
			return werror;
		}

		algorithm = tkey->algorithm;
	}

	tsig->name = talloc_strdup(tsig, state->key_name);
	if (tsig->name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	tsig->rr_class = DNS_QCLASS_ANY;
	tsig->rr_type = DNS_QTYPE_TSIG;
	tsig->ttl = 0;
	tsig->length = UINT16_MAX;
	tsig->rdata.tsig_record.algorithm_name = talloc_strdup(tsig, algorithm);
	if (tsig->rdata.tsig_record.algorithm_name == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}
	tsig->rdata.tsig_record.time_prefix = 0;
	tsig->rdata.tsig_record.time = current_time;
	tsig->rdata.tsig_record.fudge = 300;
	tsig->rdata.tsig_record.error = state->tsig_error;
	tsig->rdata.tsig_record.original_id = packet->id;
	tsig->rdata.tsig_record.other_size = 0;
	tsig->rdata.tsig_record.other_data = NULL;
	if (sig.length > 0) {
		tsig->rdata.tsig_record.mac_size = sig.length;
		tsig->rdata.tsig_record.mac = talloc_memdup(tsig, sig.data, sig.length);
		if (tsig->rdata.tsig_record.mac == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
	}

	DBG_DEBUG("sig.length=%zu\n", sig.length);

	if (packet->arcount == 0) {
		packet->additional = talloc_zero(mem_ctx, struct dns_res_rec);
		if (packet->additional == NULL) {
			return WERR_NOT_ENOUGH_MEMORY;
		}
	}
	packet->additional = talloc_realloc(mem_ctx, packet->additional,
					    struct dns_res_rec,
					    packet->arcount + 1);
	if (packet->additional == NULL) {
		return WERR_NOT_ENOUGH_MEMORY;
	}

	werror = dns_copy_tsig(mem_ctx, tsig,
			       &packet->additional[packet->arcount]);
	DBG_DEBUG("dns_copy_tsig() => %s\n", win_errstr(werror));
	if (!W_ERROR_IS_OK(werror)) {
		return werror;
	}
	packet->arcount++;

	return WERR_OK;
}