Merge remote-tracking branch 'origin/topic/etyp/dns-tkey'

* origin/topic/etyp/dns-tkey:
  Add DNS TKEY event

CHANGES

@@ -1,3 +1,7 @@
+7.1.0-dev.200 | 2024-08-16 16:50:47 +0200
+
+  * Add DNS TKEY event (Evan Typanski, Corelight)
+
 7.1.0-dev.198 | 2024-08-16 12:10:00 +0200
 
   * simpler and more robust identification of function parameters for AST profiling (Vern Paxson, Corelight)

NEWS

@@ -32,6 +32,9 @@ New Functionality
 * The MySQL analyzer now generates a ``mysql_user_change()`` event when
   the user changes mid-session via the ``COM_USER_CHANGE`` command.
 
+* The DNS analyzer was extended to support TKEY RRs (RFC 2390). A corresponding
+  ``dns_TKEY`` event was added.
+
 Changed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-7.1.0-dev.198
+7.1.0-dev.200

scripts/base/init-bare.zeek

@@ -4083,6 +4083,21 @@ type dns_edns_cookie: record {
 	server_cookie: string &default="";	##< Cookie from the server (0 bytes if missing, or 8 to 32 bytes).
 };
 
+## A DNS TKEY record.
+##
+## .. zeek:see:: dns_TKEY
+type dns_tkey: record {
+	query: string;		##< Query.
+	qtype: count;		##< Query type.
+	alg_name: string;	##< Algorithm name.
+	inception: time;	##< Requested or provided start of validity interval for keying material.
+	expiration: time;	##< Requested or provided end of validity interval for keying material.
+	mode: count;		##< Key agreement or purpose of the message.
+	rr_error: count;	##< Error code.
+	key_data: string;	##< Key exchange data field.
+	is_query: count;	##< The RR is a query/Response.
+};
+
 ## An additional DNS TSIG record.
 ##
 ## .. zeek:see:: dns_TSIG_addl

src/analyzer/protocol/dns/DNS.cc

@@ -256,6 +256,8 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
 
         case detail::TYPE_EDNS: status = ParseRR_EDNS(msg, data, len, rdlength, msg_start); break;
 
+        case detail::TYPE_TKEY: status = ParseRR_TKEY(msg, data, len, rdlength, msg_start); break;
+
         case detail::TYPE_TSIG: status = ParseRR_TSIG(msg, data, len, rdlength, msg_start); break;
 
         case detail::TYPE_RRSIG: status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start); break;
@@ -824,6 +826,48 @@ bool DNS_Interpreter::ParseRR_TSIG(detail::DNS_MsgInfo* msg, const u_char*& data
     return true;
 }
 
+bool DNS_Interpreter::ParseRR_TKEY(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
+                                   const u_char* msg_start) {
+    if ( ! dns_TKEY || msg->skip_event ) {
+        data += rdlength;
+        len -= rdlength;
+        return true;
+    }
+
+    if ( len < 16 )
+        return false;
+
+    const u_char* data_start = data;
+    u_char alg_name[513];
+    int alg_name_len = sizeof(alg_name) - 1;
+
+    u_char* alg_name_end = ExtractName(data, len, alg_name, alg_name_len, msg_start);
+
+    if ( ! alg_name_end )
+        return false;
+
+    uint32_t inception = ExtractLong(data, len);
+    uint32_t expiration = ExtractLong(data, len);
+    uint16_t mode = ExtractShort(data, len);
+    uint16_t error = ExtractShort(data, len);
+    String* key_data;
+    ExtractOctets(data, len, dns_TKEY ? &key_data : nullptr);
+    ExtractOctets(data, len, nullptr); // Other data
+
+    if ( dns_TKEY ) {
+        detail::TKEY_DATA tkey;
+        tkey.alg_name = new String(alg_name, int(alg_name_end - alg_name), true);
+        tkey.inception = inception;
+        tkey.expiration = expiration;
+        tkey.mode = mode;
+        tkey.error = error;
+        tkey.key = key_data;
+        analyzer->EnqueueConnEvent(dns_TKEY, analyzer->ConnVal(), msg->BuildHdrVal(), msg->BuildTKEY_Val(&tkey));
+    }
+
+    return true;
+}
+
 bool DNS_Interpreter::ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
                                     const u_char* msg_start) {
     if ( ! dns_RRSIG || msg->skip_event ) {
@@ -1660,6 +1704,23 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_COOKIE_Val(struct EDNS_COOKIE* opt) {
     return r;
 }
 
+RecordValPtr DNS_MsgInfo::BuildTKEY_Val(struct TKEY_DATA* tkey) {
+    static auto dns_tkey = id::find_type<RecordType>("dns_tkey");
+    auto r = make_intrusive<RecordVal>(dns_tkey);
+
+    r->Assign(0, query_name);
+    r->Assign(1, answer_type);
+    r->Assign(2, tkey->alg_name);
+    r->AssignTime(3, static_cast<double>(tkey->inception));
+    r->AssignTime(4, static_cast<double>(tkey->expiration));
+    r->Assign(5, static_cast<uint16_t>(tkey->mode));
+    r->Assign(6, static_cast<uint16_t>(tkey->error));
+    r->Assign(7, tkey->key);
+    r->Assign(8, is_query);
+
+    return r;
+}
+
 RecordValPtr DNS_MsgInfo::BuildTSIG_Val(struct TSIG_DATA* tsig) {
     static auto dns_tsig_additional = id::find_type<RecordType>("dns_tsig_additional");
     auto r = make_intrusive<RecordVal>(dns_tsig_additional);

src/analyzer/protocol/dns/DNS.h

@@ -191,6 +191,15 @@ struct EDNS_COOKIE {
     zeek::String* server_cookie; ///< cookie value sent by the server (0 or 8-32 bytes)
 };
 
+struct TKEY_DATA {
+    String* alg_name;
+    unsigned long inception;
+    unsigned long expiration;
+    unsigned short mode;
+    unsigned short error;
+    String* key;
+};
+
 struct TSIG_DATA {
     String* alg_name;
     unsigned long time_s;
@@ -278,6 +287,7 @@ public:
     RecordValPtr BuildEDNS_ECS_Val(struct EDNS_ECS*);
     RecordValPtr BuildEDNS_TCP_KA_Val(struct EDNS_TCP_KEEPALIVE*);
     RecordValPtr BuildEDNS_COOKIE_Val(struct EDNS_COOKIE*);
+    RecordValPtr BuildTKEY_Val(struct TKEY_DATA*);
     RecordValPtr BuildTSIG_Val(struct TSIG_DATA*);
     RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*);
     RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*);
@@ -361,6 +371,7 @@ protected:
     bool ParseRR_TXT(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
     bool ParseRR_SPF(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
     bool ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
+    bool ParseRR_TKEY(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
     bool ParseRR_TSIG(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
     bool ParseRR_RRSIG(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);
     bool ParseRR_DNSKEY(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength, const u_char* msg_start);

src/analyzer/protocol/dns/events.bif

@@ -578,6 +578,23 @@ event dns_EDNS_tcp_keepalive%(c: connection, msg: dns_msg, opt: dns_edns_tcp_kee
 ##    dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_EDNS_cookie%(c: connection, msg: dns_msg, opt: dns_edns_cookie%);
 
+## Generated for DNS replies of type *TKEY*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## See `Wikipedia <http://en.wikipedia.org/wiki/Domain_Name_System>`__ for more
+## information about the DNS protocol. See `RFC2930 <https://tools.ietf.org/html/rfc2930>`__
+## for more information about TKEY. Zeek analyzes both UDP and TCP DNS sessions.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The parsed TKEY reply.
+##
+## .. zeek:see:: dns_TSIG_addl
+event dns_TKEY%(c: connection, msg: dns_msg, ans: dns_tkey%);
+
 ## Generated for DNS replies of type *TSIG*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
 ##

testing/btest/Baseline/scripts.base.protocols.dns.tkey/dns.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.106	50138	192.168.1.108	53	tcp	52640	-	1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5	1	C_INTERNET	249	TKEY	0	NOERROR	F	F	F	F	0	-	-	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.tkey/output

@@ -0,0 +1,21 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+TKEY
+query, 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5
+qtype, 3
+alg_name, gss-tsig
+inception, 1676938156.0
+expiration, 1677024556.0
+mode, 3
+rr_error, 0
+key_data size, 3073
+is_query, 1
+TKEY
+query, 1068-ms-7.309-2c6e448.7a9463b8-b109-11ed-26a3-080027f220e5
+qtype, 1
+alg_name, gss-tsig
+inception, 1676938118.0
+expiration, 1677024518.0
+mode, 3
+rr_error, 0
+key_data size, 185
+is_query, 0

testing/btest/scripts/base/protocols/dns/tkey.zeek

@@ -0,0 +1,22 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/tkey.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff output
+# @TEST-EXEC: test ! -f weird.log
+
+@load base/protocols/dns
+
+redef dns_skip_all_addl = F;
+
+event dns_TKEY(c: connection, msg: dns_msg, ans: dns_tkey)
+	{
+	print "TKEY";
+	print "query", ans$query;
+	print "qtype", ans$qtype;
+	print "alg_name", ans$alg_name;
+	print "inception", ans$inception;
+	print "expiration", ans$expiration;
+	print "mode", ans$mode;
+	print "rr_error", ans$rr_error;
+	print "key_data size", |ans$key_data|;
+	print "is_query", ans$is_query;
+	}