Difference between revisions of "SoC/2017"

Revision as of 10:33, 27 August 2017

Improve libcli/dns

Samba comes with its own asynchronous DNS parser framework developed for the internal DNS server. Basic calls have been implemented for a client-side library as well, but a more fleshed-out implementation is needed. The goal of this project is to implement more high-level calls handling DNS requests, such as UDP/TCP switchover and client-side GSS-TSIG cryptography. A test suite exercising all the functions is required and can be used to cross-check and complement the existing DNS server tests already shipped by Samba. This test suite should use cmocka.

  • Difficulty: Medium
  • Language(s): C
  • Mentors: Kai Blin, David Disseldorp
  • Student: Dimitris Gravanis


Project Information


Client-side DNS call handling with GSS-TSIG

Unix SMB/CIFS implementation

Dimitrios Gravanis (C) 2017

Based on the existing work by Samba Team


About

For the Samba AD DC, libcli/dns is a library that handles DNS calls (sending and receiving requests) and generates GSS-TSIG signatures for signed packets, to accommodate encrypted client-server communication.

The project goal was to enhance client-server communication by implementing TCP request send/receive handling and signing client-side packets with GSS-TSIG signatures, to provide security.

It consists of the respective function and structure libraries that provide definitions for client-side functionality.

For more information on the project goals, read the GSoC proposal at https://summerofcode.withgoogle.com/projects/#6642229069217792.

The project timeline and development journal are documented in the dedicated blog at https://dimgrav.blogspot.gr/.


Repositories
  • Individual project "mirror" repository (requires Samba source code for integration - NOT STANDALONE): https://github.com/dimgrav/Samba-GSOC2017
  • Samba GitHub repository: https://github.com/samba-team/samba
  • Personal samba-team/samba fork with integrated changes in libcli/dns: https://github.com/dimgrav/samba


Commits
  • dimgrav/samba (fork): https://github.com/dimgrav/samba/commits/master/libcli/dns?author=dimgrav


The libcli/dns library

To integrate the functionality described in the project goals, the entire libcli/dns structure had to be reorganized. The vast majority of the project code is new; the pre-existing code saw only a few changes, such as renames (for semantic reasons and to integrate the new code) and minor additions, mainly to incorporate the new code into the Samba build scripts.


The change in libcli/dns structure is shown below:

Initial libcli/dns structure

  • dns.c
  • dns.h
  • libdns.h
  • wscript_build

Project libcli/dns structure:

  • cli-fn/
    • README.md
    • client_crypto.c
    • dns_tcp.c
    • dns_udp.c
  • cmocka-tests/
    • test-fn/
      • cli_crypto_test.c
      • dns_tcp_test.c
      • dns_udp_test.c
      • wscript
    • README.md
    • cli_tests.c
    • wscript_build
  • README.md
  • cli_dns.c (replaces dns.c)
  • dns.h
  • libtcp.h
  • libudp.h (renamed from libdns.h)
  • libtsig.h
  • libwrap.h
  • wrap_cli.c
  • wscript_build


Other changes

In Samba/source4/dns_server/dns_query.c:

@@ -30,7 +30,7 @@
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/common/util.h"
 #include "dns_server/dns_server.h"
-#include "libcli/dns/libdns.h"
+#include "libcli/dns/libudp.h"
 #include "lib/util/dlinklist.h"
 #include "lib/util/util_net.h"
 #include "lib/util/tevent_werror.h"
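Review bot: the include switch from libcli/dns/libdns.h to libcli/dns/libudp.h here only covers dns_query.c; since libdns.h was renamed rather than kept as a compatibility header, every other consumer of the old name in the tree needs the same edit or the build breaks at that file, so confirm with a tree-wide search for `libcli/dns/libdns.h` that no other includes remain, and that libudp.h still exports everything dns_query.c used from the old header.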

In Samba/libcli/dns/wscript_build:

@@ -1,5 +1,7 @@
#!/usr/bin/env python

+# builds a library for DNS TCP/UDP calls that utilizes GSS-TSIG encryption
 bld.SAMBA_SUBSYSTEM('clidns',
-         source='dns.c',
-         public_deps='LIBTSOCKET tevent-util')
+	  source='cli_dns.c',
+	  public_deps='LIBTSOCKET tevent-util',
+	  deps='gensec auth samba_server_gensec dnsserver_common')
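Review bot: the new `deps='gensec auth samba_server_gensec dnsserver_common'` makes the client library depend on server-side components; combined with the previous hunk, where source4/dns_server/dns_query.c includes libcli/dns/libudp.h, this risks a circular dependency between clidns and the DNS server code, so check whether the client really needs dnsserver_common and samba_server_gensec or whether gensec and auth alone suffice for GSS-TSIG. Two smaller points: the added lines are indented with tabs while the removed ones used spaces, so keep one style in this Python build script; and the comment describes GSS-TSIG as "encryption", whereas TSIG signs messages for authentication and integrity without encrypting them, so "signing" is the accurate word.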

In Samba/wscript_build:

@@ -120,12 +120,14 @@ bld.RECURSE('libcli/lsarpc')
 bld.RECURSE('libcli/drsuapi')
 bld.RECURSE('libcli/echo')
 bld.RECURSE('libcli/dns')
+bld.RECURSE('libcli/dns/cmocka-tests')
 bld.RECURSE('libcli/samsync')
 bld.RECURSE('libcli/registry')
 bld.RECURSE('source4/lib/policy')
 bld.RECURSE('libcli/named_pipe_auth')
 if bld.CONFIG_GET('ENABLE_SELFTEST'):
     bld.RECURSE('testsuite/unittests')
+    bld.RECURSE('libcli/dns/cmocka-tests/test-fn')
 
 if bld.CONFIG_GET('KRB5_VENDOR') in (None, 'heimdal'):
     if bld.CONFIG_GET("HEIMDAL_KRB5_CONFIG") and bld.CONFIG_GET("USING_SYSTEM_KRB5"):
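Review bot: `bld.RECURSE('libcli/dns/cmocka-tests')` is added unconditionally while `bld.RECURSE('libcli/dns/cmocka-tests/test-fn')` sits under `if bld.CONFIG_GET('ENABLE_SELFTEST'):`; test code should not be pulled into every build configuration, so move the first RECURSE under the same ENABLE_SELFTEST guard, next to testsuite/unittests, so both cmocka directories are handled consistently.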


DNS client and features

TCP/UDP requests

The client may use either TCP or UDP protocols to send a DNS name request to the server, then handle the reception of the appropriate server response.

Features:

  • UDP request send/receive
  • TCP request send/receive
  • GSS-TSIG generation
  • DNS name packet parsing and signing

The library consists of cli_dns.c, which contains the functions, and dns.h, libtcp.h, libtsig.h and libudp.h, which provide the definitions and structures.
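As an added example (not code from the project or this page), the UDP/TCP switchover the client performs, written in plain C with no Samba dependencies: build a single-question query, check a UDP reply for a matching ID and the truncation (TC) bit before trusting it, and frame the retry for TCP with the two-byte length prefix. Function names and the constructed sample packets are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define DNS_FLAG_QR 0x8000  /* header bit: message is a response */
#define DNS_FLAG_TC 0x0200  /* header bit: response was truncated */

/* Build a one-question query (class IN, RD=1). Returns bytes written, or 0 on a bad name/short buffer. */
size_t dns_build_query(uint8_t *out, size_t outlen, uint16_t id, const char *name, uint16_t qtype)
{
    size_t pos = 12;                       /* fixed 12-byte header */
    if (outlen < 12) return 0;
    memset(out, 0, 12);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x01;                         /* RD = recursion desired */
    out[5] = 1;                            /* QDCOUNT = 1 */
    while (*name) {                        /* "www.example.com" -> 3www7example3com0 */
        const char *dot = strchr(name, '.');
        size_t lablen = dot ? (size_t)(dot - name) : strlen(name);
        if (lablen == 0 || lablen > 63 || pos + 1 + lablen > outlen) return 0;
        out[pos++] = (uint8_t)lablen;
        memcpy(out + pos, name, lablen);
        pos += lablen;
        name += lablen + (dot ? 1 : 0);    /* skip the dot if there was one */
    }
    if (pos + 5 > outlen) return 0;
    out[pos++] = 0;                        /* root label terminates QNAME */
    out[pos++] = (uint8_t)(qtype >> 8); out[pos++] = (uint8_t)qtype;
    out[pos++] = 0; out[pos++] = 1;        /* QCLASS IN */
    return pos;
}

/* Classify a UDP reply: 1 = truncated, retry over TCP; 0 = usable; -1 = discard (short, wrong ID, not a response). */
int dns_udp_needs_tcp_retry(const uint8_t *resp, size_t len, uint16_t id)
{
    if (len < 12) return -1;
    uint16_t rid = (uint16_t)((resp[0] << 8) | resp[1]);
    uint16_t flags = (uint16_t)((resp[2] << 8) | resp[3]);
    if (rid != id || !(flags & DNS_FLAG_QR)) return -1;
    return (flags & DNS_FLAG_TC) ? 1 : 0;
}

/* Frame a message for TCP: 2-byte big-endian length prefix, then the message. Returns 0 if it does not fit. */
size_t dns_tcp_frame(uint8_t *out, size_t outlen, const uint8_t *msg, size_t len)
{
    if (len > 0xffff || outlen < len + 2) return 0;
    out[0] = (uint8_t)(len >> 8); out[1] = (uint8_t)len;
    memcpy(out + 2, msg, len);
    return len + 2;
}
```

A real client would also discard replies whose question section does not echo the query, which this check does not cover.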


Wrapping

wrap_cli.c provides wrappers around the above functionality that hide buffer creation, DNS packet parsing and signature generation. Definitions of the wrapped functions are provided in libwrap.h.


Test suite

In cmocka-tests, cli_tests.c provides a test suite for the complete client-side functionality, as defined by the functions in libcli/dns/cli_dns.c. The unit-testing framework is cmocka.

In cmocka-tests/test-fn there are individual unit tests for every feature library in libcli/dns. All of these tests are incorporated in cmocka-tests/cli_tests.c. They can be built with waf-samba using the configuration in cmocka-tests/test-fn/wscript. The purpose of these test suites is to facilitate future additions and features in Samba client-side code without the need to integrate them directly into cli_dns.c, making changes easier to test and encouraging future contributions.


To-do list

Tests

  1. cmocka-tests/test-fn: wscript needs to be properly configured to enable standalone test builds for the feature libraries.
  2. cmocka-tests/cli_tests.c: TCP/UDP callbacks may be additionally tested for internal error output in their respective test functions.