Merge remote-tracking branch 'origin/topic/awelzel/3453-dnssec-ed448-ed25519'

* origin/topic/awelzel/3453-dnssec-ed448-ed25519:
  DNS: Add Ed25519 and Ed448 enum values to parser
Arne Welzel 2023-11-21 10:07:51 +01:00
commit a5a79d3f3a
10 changed files with 76 additions and 1 deletions

35
CHANGES

@ -1,3 +1,38 @@
6.2.0-dev.155 | 2023-11-21 10:08:14 +0100
* GH-3453: DNS: Add Ed25519 and Ed448 enum values to parser (Arne Welzel, Corelight)
We already had these declared in dns/const.zeek, so extend the parser
as well to avoid raising weirds and add some test pcaps:
$ dig @8.8.8.8 DNSKEY ed448.no
$ dig @8.8.8.8 ed448.no +dnssec
And the same for the ed25519.no domain.
* RE_Match_State: Do not reset current_pos for every Match() call (Arne Welzel, Corelight)
This seems like a bug: If one feeds one byte at a time, current_pos
is being reset for every byte, possibly reporting the wrong offsets
in the accepted_matches map.
* frameworks/software: Fix stale value used for stripping (Arne Welzel, Corelight)
There was some confusion around which value was used subsequent to a strip(),
but sub not respecting anchors make it appear to work. Also seems that the
`\(?` part seems redundant.
* GH-3455: strings.bif/sub,gsub: Respect anchors in pattern (Arne Welzel, Corelight)
Anchors within pattern passed to sub() or gsub() were previously ignored,
replacing any occurrence of '<text>' even when '^<text>' was used as a
pattern.
This is a pretty user-visible change (and we even have anchored patterns
within the base scripts), but seems "the right thing to do".
Relates to #3455
6.2.0-dev.147 | 2023-11-17 18:00:32 +0100 6.2.0-dev.147 | 2023-11-17 18:00:32 +0100
* BTest updates to accommodate event handler coalescence differences (Vern Paxson, Corelight) * BTest updates to accommodate event handler coalescence differences (Vern Paxson, Corelight)

2
NEWS

@ -27,6 +27,8 @@ Changed Functionality
end-of-line $ anchors. Previously, an anchored pattern would be matched anywhere end-of-line $ anchors. Previously, an anchored pattern would be matched anywhere
in the input string. in the input string.
- Ed25519 and Ed448 DNSKEY and RRSIG entries do not cause weirds anymore.
Removed Functionality Removed Functionality
--------------------- ---------------------


@ -1 +1 @@
6.2.0-dev.147 6.2.0-dev.155


@ -872,6 +872,8 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& dat
case detail::GOST_R_34_10_2001: break; case detail::GOST_R_34_10_2001: break;
case detail::ECDSA_curveP256withSHA256: break; case detail::ECDSA_curveP256withSHA256: break;
case detail::ECDSA_curveP384withSHA384: break; case detail::ECDSA_curveP384withSHA384: break;
case detail::Ed25519: break;
case detail::Ed448: break;
case detail::Indirect: analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::Indirect: analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo)); break;
case detail::PrivateDNS: analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::PrivateDNS: analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", util::fmt("%d", algo)); break;
case detail::PrivateOID: analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo)); break; case detail::PrivateOID: analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", util::fmt("%d", algo)); break;
@ -945,6 +947,8 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, const u_char*& da
case detail::GOST_R_34_10_2001: break; case detail::GOST_R_34_10_2001: break;
case detail::ECDSA_curveP256withSHA256: break; case detail::ECDSA_curveP256withSHA256: break;
case detail::ECDSA_curveP384withSHA384: break; case detail::ECDSA_curveP384withSHA384: break;
case detail::Ed25519: break;
case detail::Ed448: break;
case detail::Indirect: case detail::Indirect:
analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm)); analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm));
break; break;
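Review bot: The new `case detail::Ed25519: break;` and `case detail::Ed448: break;` arms in ParseRR_DNSKEY (and the same pair in the ParseRR_RRSIG hunk above) accept the record on the algorithm number alone, so a record claiming algorithm 15 or 16 with a key or signature of the wrong size passes this switch without a weird. RFC 8080 fixes these sizes (32-octet keys and 64-octet signatures for Ed25519, 57 and 114 octets for Ed448), which makes a length mismatch a cheap malformed-record signal for DNSSEC monitoring. Both function bodies start and end outside the hunks, so whether a later length check exists cannot be seen here. If none does, at least record the gap above the two arms with a comment such as `// RFC 8080: fixed key/signature sizes for Ed25519/Ed448 are not validated here`.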


@ -127,6 +127,8 @@ enum DNSSEC_Algo {
GOST_R_34_10_2001 = 12, GOST_R_34_10_2001 = 12,
ECDSA_curveP256withSHA256 = 13, ECDSA_curveP256withSHA256 = 13,
ECDSA_curveP384withSHA384 = 14, ECDSA_curveP384withSHA384 = 14,
Ed25519 = 15,
Ed448 = 16,
Indirect = 252, ///< Indirect = 252, ///<
PrivateDNS = 253, ///< OPTIONAL PrivateDNS = 253, ///< OPTIONAL
PrivateOID = 254, ///< OPTIONAL PrivateOID = 254, ///< OPTIONAL
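Review bot: `Ed25519 = 15,` and `Ed448 = 16,` carry no trailing doc comment, while neighbouring entries use `///<`. These values have to stay in step with the two algorithm switches in the DNS parser and with the declarations in dns/const.zeek that the commit message mentions, so a pointer to the defining document helps the next person adding an algorithm: `Ed25519 = 15, ///< RFC 8080` and `Ed448 = 16, ///< RFC 8080`. The enum starts and ends outside the hunk.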


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
id.orig_h id.resp_h qtype_name query answers
192.168.0.107 8.8.8.8 DNSKEY ed25519.no DNSKEY 15,Ed25519,DNSKEY 15,Ed25519
192.168.0.107 8.8.8.8 A ed25519.no 194.63.248.47,RRSIG 1 ed25519.no,Ed25519


@ -0,0 +1,4 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
id.orig_h id.resp_h answers
192.168.0.107 8.8.8.8 DNSKEY 16,Ed448,DNSKEY 16,Ed448
192.168.0.107 8.8.8.8 194.63.248.47,RRSIG 1 ed448.no,Ed448

Binary file not shown.

Binary file not shown.


@ -0,0 +1,24 @@
# @TEST-DOC: Add the textual representation of the DNSSEC algorithm into answers and verify there's no weirds for the ed25519 and ed448 curves.
#
# @TEST-EXEC: zeek -b -r $TRACES/dnssec/ed25519.no.pcap %INPUT
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed25519.log
#
# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/ed448.no.pcap %INPUT
# @TEST-EXEC: test ! -f weird.log
# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h questions answers < dns.log > dns.ed448.log
#
# @TEST-EXEC: btest-diff dns.ed25519.log
# @TEST-EXEC: btest-diff dns.ed448.log
@load base/protocols/dns
event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) &priority=4
{
c$dns$answers += DNS::algorithms[rrsig$algorithm];
}
event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) &priority=4
{
c$dns$answers += DNS::algorithms[dnskey$algorithm];
}
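Review bot: The ed448 `zeek-cut` line asks for a `questions` column, but the ed448 baseline header shows only `id.orig_h id.resp_h answers`, so that field was apparently dropped and the baseline never pins which query each answer row belongs to. Using the same columns as the ed25519 run, `# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed448.log`, and regenerating the baseline would make the two checks equivalent. The ed448 run also passes `-C` while the ed25519 run does not; if the ed448 pcap needs checksum validation disabled, a short comment saying why would help.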