From b7a0706a18bd9bae52759c2afeb5a2946b405fda Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Tue, 21 Nov 2023 10:07:51 +0100
Subject: [PATCH] Merge remote-tracking branch 'origin/topic/awelzel/3453-dnssec-ed448-ed25519'

* origin/topic/awelzel/3453-dnssec-ed448-ed25519:
  DNS: Add Ed25519 and Ed448 enum values to parser

(cherry picked from commit a5a79d3f3a0c8620d2e15dedb2606bbf18487cbf)
---
 src/analyzer/protocol/dns/DNS.cc | 12 +++++++--
 src/analyzer/protocol/dns/DNS.h | 12 +++++++--
 .../dns.ed25519.log | 4 +++
 .../dns.ed448.log | 4 +++
 testing/btest/Traces/dnssec/ed25519.no.pcap | Bin 0 -> 654 bytes
 testing/btest/Traces/dnssec/ed448.no.pcap | Bin 0 -> 744 bytes
 .../scripts/base/protocols/dns/dnssec.zeek | 24 ++++++++++++++++++
 7 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log
 create mode 100644 testing/btest/Traces/dnssec/ed25519.no.pcap
 create mode 100644 testing/btest/Traces/dnssec/ed448.no.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dns/dnssec.zeek

diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index cb0ab2d57e..a83c621d03 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1031,6 +1031,10 @@ bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& dat
 break;
 case detail::ECDSA_curveP384withSHA384:
 break;
+ case detail::Ed25519:
+ break;
+ case detail::Ed448:
+ break;
 case detail::Indirect:
 analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", util::fmt("%d", algo));
 break;
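Review bot: The two new arms `case detail::Ed25519:` / `case detail::Ed448:` are empty `break;` arms exactly like the ECDSA ones above them, so a reader of this switch cannot tell whether nothing is deliberately done for these algorithms or something was forgotten; the new test's @TEST-DOC indicates the intent is only to stop the unknown-algorithm weird. A one-line comment on the first new arm would make that explicit, e.g. `// RFC 8080 EdDSA algorithms: recognized so they are not reported as unknown; no per-algorithm parsing is done here.` The default arm that presumably raises that weird lies outside the hunk, so this is inferred from the test rather than visible. ParseRR_RRSIG starts before and ends after this hunk.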
@@ -1128,6 +1132,10 @@ bool DNS_Interpreter::ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, const u_char*& da
 break;
 case detail::ECDSA_curveP384withSHA384:
 break;
+ case detail::Ed25519:
+ break;
+ case detail::Ed448:
+ break;
 case detail::Indirect:
 analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm));
 break;
@@ -1780,8 +1788,8 @@ void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHand
 DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
 {
- //### Need to fix alignment if hdr is misaligned (not on a short
- // boundary).
+ // ### Need to fix alignment if hdr is misaligned (not on a short
+ // boundary).
 unsigned short flags = ntohs(hdr->flags);
 QR = (flags & 0x8000) != 0;
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index bc67170260..602c8487e1 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -137,6 +137,8 @@ enum DNSSEC_Algo
 GOST_R_34_10_2001 = 12,
 ECDSA_curveP256withSHA256 = 13,
 ECDSA_curveP384withSHA384 = 14,
+ Ed25519 = 15,
+ Ed448 = 16,
 Indirect = 252, ///<
 PrivateDNS = 253, ///< OPTIONAL
 PrivateOID = 254, ///< OPTIONAL
@@ -448,7 +450,10 @@ public:
 void Flush(); ///< process any partially-received data
- detail::TCP_DNS_state State() const { return state; }
+ detail::TCP_DNS_state State() const
+ {
+ return state;
+ }
 protected:
 void DeliverStream(int len, const u_char* data, bool orig) override;
@@ -479,7 +484,10 @@ public:
 bool gen_event) override;
 void ExpireTimer(double t);
- static analyzer::Analyzer* Instantiate(Connection* conn) { return new DNS_Analyzer(conn); }
+ static analyzer::Analyzer* Instantiate(Connection* conn)
+ {
+ return new DNS_Analyzer(conn);
+ }
 protected:
 detail::DNS_Interpreter* interp;
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log
new file mode 100644
index 0000000000..8b918e980d
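Review bot: As a point of style, the algorithm switch in ParseRR_DNSKEY now repeats arm for arm the list in ParseRR_RRSIG (the four new `break;`-only arms are identical in both), so the next algorithm registration has to be made in two places and the two lists can drift apart. A small shared predicate such as `static bool IsKnownDNSSECAlgo(detail::DNSSEC_Algo algo)` covering the assigned values would let each function keep only its own `Indirect` weird and its default arm; I would leave `analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", util::fmt("%d", dalgorithm));` as it is. ParseRR_DNSKEY's body continues outside the hunk on both sides, so the remaining arms are not visible here.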
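Review bot: The new enumerators `Ed25519 = 15,` and `Ed448 = 16,` carry no trailing doc comment while the neighbouring `Indirect`/`PrivateDNS`/`PrivateOID` values do; as these numbers are IANA assignments, `Ed25519 = 15, ///< RFC 8080` and `Ed448 = 16, ///< RFC 8080` would record where they come from and keep the enum's style. The script-side `DNS::algorithms` table the new test indexes is not touched by this commit, so presumably it already maps 15 and 16 to the "Ed25519"/"Ed448" strings the baselines show; worth confirming that the script-layer enum and this one agree rather than relying on the test alone. The `enum DNSSEC_Algo` definition starts before and ends after this hunk.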
--- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed25519.log @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +id.orig_h id.resp_h qtype_name query answers +192.168.0.107 8.8.8.8 DNSKEY ed25519.no DNSKEY 15,Ed25519,DNSKEY 15,Ed25519 +192.168.0.107 8.8.8.8 A ed25519.no 194.63.248.47,RRSIG 1 ed25519.no,Ed25519 diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log new file mode 100644 index 0000000000..5267c46854 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.dnssec/dns.ed448.log @@ -0,0 +1,4 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +id.orig_h id.resp_h answers +192.168.0.107 8.8.8.8 DNSKEY 16,Ed448,DNSKEY 16,Ed448 +192.168.0.107 8.8.8.8 194.63.248.47,RRSIG 1 ed448.no,Ed448 diff --git a/testing/btest/Traces/dnssec/ed25519.no.pcap b/testing/btest/Traces/dnssec/ed25519.no.pcap new file mode 100644 index 0000000000000000000000000000000000000000..07cefd411a99331e050ac558c2920d92a8e4e2c8 GIT binary patch literal 654 zcmca|c+)~A1{MYw`2U}Qff2|t*c6_6fRm9S7RUx+3+LJs6@3A(3*GM@;b3rOVDML3 z%)sCv*mmQ<3WjVBAb9eP!IZ(eNX+axqXO6nph4`ZDMqHIhL%iu`9LEjiPA;($j_W=^&w%U&0VALX z?2EYYgchGND70orz(Q+VIw-W1eh4KpVh=4wcxW|1Lrat~ws89+@rfYIIJvnQP6I6l zVT{n)JHHqdS{G&_LJMf!${AmU5^;nU&@!O!!B+A%F|Zu6|Dg}$>w%mAOq15;`k&dRB+a^UDv|mPl*+U*j|8cb}4JqObhW^k%Gx$qc4$ o@4JaXcGd5!8?UBWZCa{uW=FrZ)9)G%SC&5wK$F4Y2=pcc04I;HqW}N^ literal 0 HcmV?d00001 
diff --git a/testing/btest/Traces/dnssec/ed448.no.pcap b/testing/btest/Traces/dnssec/ed448.no.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ee5b321b7f3522b979faac98203f7f8a01970c22 GIT binary patch literal 744 zcmca|c+)~A1{MYw`2U}Qff2~j+8CbdIERxV8psA=3+LJs6@3A(3*GM@;b3rOVDMF* zz`)=j*!uRs3WjVBAn3ZvV9H?GZL`IWQ2}fO&>+^-6cZB*ro4Ox1_O|oCd&n&Squz3 z3|tHx^%K)NHauQp2eQiiJQu@5pacj*EP+@Ew(9a_a|VV=!8!Xu)_|;IFa=t+|DNd< zyT%5fu}nZsXjUEIfmp~Vz+lVBz$|cN-$keE$N&A>Wbtk%&!PJU9b(R%Vg;>h+%GO` z;&l(4TYTsALZ7X-ICi|ry~3^~{?LnAQSd~L1y=)#L5$1-s%PGux@@Xe#w~pLvZGk% zt)R^ZpRO!*J^y(6g>y;^E+3DszqjZ3eCKyJKPH+!R*YTqGN1p@qP4|VKqqQ~+zA4P zKo4i1hlDHku-!BV6t>?Uz`}O&Qc&0)yS1l;5nI?Y!o#)!8n(Gs0^yELZMQ*ICGj&d z`~+GH!Wd!udgU!p*dAj+ge}mr>#Vc)lwb{8pjE&i0b9uXn1SVx{SSR0Uk~H}Ais}+ zQ2^*mK7rIiwfa=gne|@Ih$OH@W4+zIzu)4*3#0cN&G-J26>PPB!{(jao=Ecu&RWC4 zBvI*}U8lL}vBXBd&9(7$mgd_<4{uxCTGAk@mma>R|HqEt=Z4`w+hT)crdRs;7|ywP u(5i{o>+7w+i5pDr{}A<;60@AM?BbE>8Haa!^)PaaSp)qG4s&3jFaQ7vMC{4{ literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/dnssec.zeek b/testing/btest/scripts/base/protocols/dns/dnssec.zeek new file mode 100644 index 0000000000..5342fcc00d --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/dnssec.zeek 
@@ -0,0 +1,24 @@
+# @TEST-DOC: Add the textual representation of the DNSSEC algorithm into answers and verify there's no weirds for the ed25519 and ed448 curves.
+#
+# @TEST-EXEC: zeek -b -r $TRACES/dnssec/ed25519.no.pcap %INPUT
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed25519.log
+#
+# @TEST-EXEC: zeek -b -C -r $TRACES/dnssec/ed448.no.pcap %INPUT
+# @TEST-EXEC: test ! -f weird.log
+# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h questions answers < dns.log > dns.ed448.log
+#
+# @TEST-EXEC: btest-diff dns.ed25519.log
+# @TEST-EXEC: btest-diff dns.ed448.log
+
+@load base/protocols/dns
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr) &priority=4
+ {
+ c$dns$answers += DNS::algorithms[rrsig$algorithm];
+ }
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr) &priority=4
+ {
+ c$dns$answers += DNS::algorithms[dnskey$algorithm];
+ }
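Review bot: The ed448 `zeek-cut` line selects `questions`, which is not a dns.log column (the ed25519 run correctly uses `query`), and the committed `dns.ed448.log` baseline accordingly has only the three columns `id.orig_h id.resp_h answers`, so the ed448 half of the test never checks which query name the Ed448 DNSKEY/RRSIG answers belong to. Change the line to `# @TEST-EXEC: zeek-cut -m id.orig_h id.resp_h qtype_name query answers < dns.log > dns.ed448.log` so both runs cut the same columns, and regenerate the baseline with `btest -U`. The second run also passes `-C` where the first does not; if the ed448 trace needs checksum verification disabled, a short comment saying so would keep the asymmetry from looking accidental.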