diff options
author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2013-07-03 16:46:29 +0000 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2013-07-03 16:46:29 +0000 |
commit | 5cdc82ab69f2bc3016cd9f5e4a0e6782e15b9974 (patch) | |
tree | 678464b476735c0ccbe8f0d3040c091e732f2bfd | |
parent | 361b800eae865405d69a1eb266f9b3d6785763da (diff) |
From Oliver Gasser via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8863 Add CAA support to DNS dissector
Add informationa about Certificate Authority Authorization (CAA) data to the DNS dissector. See the RFC [1] for more information. Suggestions and improvements are welcome.
[1] http://tools.ietf.org/html/rfc6844
svn path=/trunk/; revision=50370
-rw-r--r-- | epan/dissectors/packet-dns.c | 110 | ||||
-rw-r--r-- | epan/tfs.c | 2 | ||||
-rw-r--r-- | epan/tfs.h | 1 |
3 files changed, 111 insertions, 2 deletions
diff --git a/epan/dissectors/packet-dns.c b/epan/dissectors/packet-dns.c index fbb759acc7..28a219c086 100644 --- a/epan/dissectors/packet-dns.c +++ b/epan/dissectors/packet-dns.c @@ -223,6 +223,15 @@ static int hf_dns_apl_coded_prefix = -1; static int hf_dns_apl_negation = -1; static int hf_dns_apl_afdlength = -1; static int hf_dns_nsap_rdata = -1; +static int hf_dns_caa_flags = -1; +static int hf_dns_caa_flag_issuer_critical = -1; +static int hf_dns_caa_issue = -1; +static int hf_dns_caa_issuewild = -1; +static int hf_dns_caa_iodef = -1; +static int hf_dns_caa_unknown = -1; +static int hf_dns_caa_tag_length = -1; +static int hf_dns_caa_tag = -1; +static int hf_dns_caa_value = -1; static gint ett_dns = -1; static gint ett_dns_qd = -1; @@ -235,6 +244,8 @@ static gint ett_nsec3_flags = -1; static gint ett_key_flags = -1; static gint ett_t_key = -1; static gint ett_dns_mac = -1; +static gint ett_caa_flags = -1; +static gint ett_caa_data = -1; static expert_field ei_dns_rr_opt_bad_length = EI_INIT; @@ -356,6 +367,7 @@ typedef struct _dns_conv_info_t { #define T_MAILB 253 /* mailbox-related RRs (MB, MG or MR) (RFC 1035) */ #define T_MAILA 254 /* mail agent RRs (OBSOLETE - see MX) (RFC 1035) */ #define T_ANY 255 /* A request for all records (RFC 1035) */ +#define T_CAA 257 /* Certification Authority Authorization (RFC 6844) */ #define T_DLV 32769 /* DNSSEC Lookaside Validation (DLV) DNS Resource Record (RFC 4431) */ #define T_WINS 65281 /* Microsoft's WINS RR */ #define T_WINS_R 65282 /* Microsoft's WINS-R RR */ @@ -565,6 +577,9 @@ static const value_string afamily_vals[] = { { 0, NULL } }; +/* RFC 6844 */ +#define CAA_FLAG_ISSUER_CRITICAL (1<<7) + /* See RFC 1035 for all RR types for which no RFC is listed, except for the ones with "???", and for the Microsoft WINS and WINS-R RRs, for which one should look at @@ -650,6 +665,8 @@ static const value_string dns_types[] = { { T_MAILB, "MAILA" }, { T_ANY, "ANY" }, + { T_CAA, "CAA" }, /* RFC 6844 */ + { T_DLV, "DLV" }, /* RFC 4431 */ { T_WINS, "WINS" }, @@ -765,6 +782,9 @@ dns_type_description (guint type) case T_ANY: long_name = "Request for all records"; break; + case T_CAA: + long_name = "Certification Authority Authorization"; + break; default: long_name = NULL; break; @@ -3369,6 +3389,48 @@ dissect_dns_answer(tvbuff_t *tvb, int offsetx, int dns_data_offset, } break; + case T_CAA: + { + proto_item *caa_item; + proto_tree *caa_tree; + guint8 tag_len; + const char *tag; + gushort value_len; + const guchar *value; + int cur_hf = -1; + + caa_item = proto_tree_add_item(rr_tree, hf_dns_caa_flags, tvb, cur_offset, 1, ENC_BIG_ENDIAN); + caa_tree = proto_item_add_subtree(caa_item, ett_caa_flags); + proto_tree_add_item(caa_tree, hf_dns_caa_flag_issuer_critical, tvb, cur_offset, 1, ENC_BIG_ENDIAN); + cur_offset++; + + tag_len = tvb_get_guint8(tvb, cur_offset); + tag = tvb_get_ephemeral_string(tvb, cur_offset + 1, tag_len); + + value_len = data_len - (tag_len + 2); + value = tvb_get_ephemeral_string(tvb, cur_offset + 1 + tag_len, value_len); + + value = format_text(value, value_len); + + if (strncmp(tag, "issue", tag_len) == 0) { + cur_hf = hf_dns_caa_issue; + } else if (strncmp(tag, "issuewild", tag_len) == 0) { + cur_hf = hf_dns_caa_issuewild; + } else if (strncmp(tag, "iodef", tag_len) == 0) { + cur_hf = hf_dns_caa_iodef; + } else { + cur_hf = hf_dns_caa_unknown; + } + + caa_item = proto_tree_add_string(rr_tree, cur_hf, tvb, cur_offset, 1 + tag_len + value_len, value); + caa_tree = proto_item_add_subtree(caa_item, ett_caa_data); + + proto_tree_add_uint(caa_tree, hf_dns_caa_tag_length, tvb, cur_offset, 1, tag_len); + proto_tree_add_string(caa_tree, hf_dns_caa_tag, tvb, cur_offset + 1, tag_len, tag); + proto_tree_add_string(caa_tree, hf_dns_caa_value, tvb, cur_offset + 1 + tag_len, value_len, value); + } + break; + case T_NULL: { if (cinfo != NULL) { @@ -4699,8 +4761,52 @@ proto_register_dns(void) { &hf_dns_nsap_rdata, { "NSAP Data", "dns.nsap.rdata", FT_BYTES, BASE_NONE, NULL, 0, - NULL, HFILL }} + NULL, HFILL }}, + { &hf_dns_caa_flags, + { "CAA Flags", "dns.caa.flags", + FT_UINT8, BASE_HEX, NULL, 0x0, + NULL, HFILL }}, + + { &hf_dns_caa_flag_issuer_critical, + { "Issuer Critical", "dns.caa.flags.issuer_critical", + FT_BOOLEAN, 8, TFS(&tfs_critical_not_critical), CAA_FLAG_ISSUER_CRITICAL, + "Other CAs must not issue certificates", HFILL }}, + + { &hf_dns_caa_issue, + { "Issue", "dns.caa.issue", + FT_STRING, BASE_NONE, NULL, 0x0, + "CA which is allowed to issue certificates", HFILL }}, + + { &hf_dns_caa_issuewild, + { "Issue Wildcard", "dns.caa.issuewild", + FT_STRING, BASE_NONE, NULL, 0x0, + "CA which is allowed to issue wildcard certificates", HFILL }}, + + { &hf_dns_caa_iodef, + { "Report URL", "dns.caa.iodef", + FT_STRING, BASE_NONE, NULL, 0x0, + "URL or email address for certificate issue requests and violation reports", HFILL }}, + + { &hf_dns_caa_unknown, + { "Unkown tag", "dns.caa.unknown", + FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + + { &hf_dns_caa_tag_length, + { "Tag length", "dns.caa.tag_length", + FT_UINT8, BASE_DEC, NULL, 0, + NULL, HFILL }}, + + { &hf_dns_caa_tag, + { "Tag", "dns.caa.tag", + FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL }}, + + { &hf_dns_caa_value, + { "Value", "dns.caa.value", + FT_STRING, BASE_NONE, NULL, 0x0, + NULL, HFILL }} }; static ei_register_info ei[] = { @@ -4719,6 +4825,8 @@ proto_register_dns(void) &ett_key_flags, &ett_t_key, &ett_dns_mac, + &ett_caa_flags, + &ett_caa_data, }; module_t *dns_module; expert_module_t* expert_dns; diff --git a/epan/tfs.c b/epan/tfs.c index 47d7cb52ed..0761d265e4 100644 --- a/epan/tfs.c +++ b/epan/tfs.c @@ -70,5 +70,5 @@ const true_false_string tfs_shared_independent = { "Shared", "Independent" }; const true_false_string tfs_valid_invalid = { "Valid", "Invalid" }; const true_false_string tfs_group_unique_name = { "Group name", "Unique name" }; const true_false_string tfs_inuse_not_inuse = { "In use", "Not in use" }; - +const true_false_string tfs_critical_not_critical = { "Critical", "Not critical" }; diff --git a/epan/tfs.h b/epan/tfs.h index 31f5820ec7..f7e770c5e5 100644 --- a/epan/tfs.h +++ b/epan/tfs.h @@ -81,4 +81,5 @@ WS_DLL_PUBLIC const true_false_string tfs_shared_independent; WS_DLL_PUBLIC const true_false_string tfs_valid_invalid; WS_DLL_PUBLIC const true_false_string tfs_group_unique_name; WS_DLL_PUBLIC const true_false_string tfs_inuse_not_inuse; +WS_DLL_PUBLIC const true_false_string tfs_critical_not_critical; #endif |