author | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2012-09-10 09:14:53 +0000 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2012-09-10 09:14:53 +0000 |
commit | 5d7c6dc0da93afcf0428f0d67f8e06060ef0a190 (patch) | |
tree | e69e35dee0cfc54c3da127643c98eb062ec3cbe4 /epan/dissectors/packet-dns.c | |
parent | eaf81ff987a55e36a545fe257af609a2ec903932 (diff) |
From me via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7709
Enhance DNS Dissector
Add new DNS type: TLSA/DANE (52), RFC 6698
The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
svn path=/trunk/; revision=44829
Diffstat (limited to 'epan/dissectors/packet-dns.c')
-rw-r--r-- | epan/dissectors/packet-dns.c | 87 |
1 files changed, 85 insertions, 2 deletions
diff --git a/epan/dissectors/packet-dns.c b/epan/dissectors/packet-dns.c
index 2e90bccfda..e60913eb23 100644
--- a/epan/dissectors/packet-dns.c
+++ b/epan/dissectors/packet-dns.c
@@ -116,6 +116,10 @@ static int hf_dns_nsec3_salt_length = -1;
 static int hf_dns_nsec3_salt_value = -1;
 static int hf_dns_nsec3_hash_length = -1;
 static int hf_dns_nsec3_hash_value = -1;
+static int hf_dns_tlsa_certificate_usage = -1;
+static int hf_dns_tlsa_selector = -1;
+static int hf_dns_tlsa_matching_type = -1;
+static int hf_dns_tlsa_certificate_association_data = -1;
 static int hf_dns_tsig_error = -1;
 static int hf_dns_tsig_fudge = -1;
 static int hf_dns_tsig_mac_size = -1;
@@ -252,7 +256,7 @@ typedef struct _dns_conv_info_t {
 #define T_DHCID 49 /* DHCID RR (RFC 4701) */
 #define T_NSEC3 50 /* Next secure hash (RFC 5155) */
 #define T_NSEC3PARAM 51 /* NSEC3 parameters (RFC 5155) */
-#define T_TLSA 52 /* TLSA */
+#define T_TLSA 52 /* TLSA (RFC 6698) */
 #define T_HIP 55 /* Host Identity Protocol (HIP) RR (RFC 5205) */
 #define T_NINFO 56 /* NINFO */
 #define T_RKEY 57 /* RKEY */
@@ -629,7 +633,7 @@ dns_type_description (guint type)
 "DHCP Information", /* RFC 4701 */
 "Next secured hash", /* RFC 5155 */
 "NSEC3 parameters", /* RFC 5155 */
- "TLSA",
+ "TLSA", /* RFC 6698 */
 NULL,
 NULL,
 "Host Identity Protocol", /* RFC 5205 */
@@ -696,6 +700,44 @@ static const value_string edns0_opt_code_vals[] = {
 {O_CLIENT_SUBNET, "Experimental - CSUBNET - Client subnet" },
 {0, NULL}
 };
+/* DNS-Based Authentication of Named Entities (DANE) Parameters
+ http://www.iana.org/assignments/dane-parameters (last updated 2012-08-14)
+ */
+/* TLSA Certificate Usages */
+#define TLSA_CU_CA 0
+#define TLSA_CU_SC 1
+#define TLSA_CU_TA 2
+#define TLSA_CU_DI 3
+
+static const value_string tlsa_certificate_usage_vals[] = {
+ {TLSA_CU_CA, "CA constraint"},
+ {TLSA_CU_SC, "Service certificate constraint"},
+ {TLSA_CU_TA, "Trust anchor assertion"},
+ {TLSA_CU_DI, "Domain-issued certificate"},
+ {0, NULL}
+};
+
+/* TLSA Selectors */
+#define TLSA_S_FC 0
+#define TLSA_S_SPKI 1
+
+static const value_string tlsa_selector_vals[] = {
+ {TLSA_S_FC, "Full certificate"},
+ {TLSA_S_SPKI, "SubjectPublicKeyInfo"},
+ {0, NULL}
+};
+
+/* TLSA Matching Types */
+#define TLSA_MT_NHU 0
+#define TLSA_MT_S256 1
+#define TLSA_MT_S512 2
+
+static const value_string tlsa_matching_type_vals[] = {
+ {TLSA_MT_NHU, "No Hash Used"},
+ {TLSA_MT_S256, "SHA-256"},
+ {TLSA_MT_S512, "SHA-512"},
+ {0, NULL}
+};
 
 static const value_string dns_classes[] = {
 {C_IN, "IN"},
@@ -2144,6 +2186,27 @@ dissect_dns_answer(tvbuff_t *tvb, int offsetx, int dns_data_offset,
 }
 break;
 
+ case T_TLSA: /* DNS-Based Authentication of Named Entities (52) */
+ {
+ int rr_len = data_len;
+ if (cinfo != NULL) {
+ col_append_fstr(cinfo, COL_INFO, " %s", name);
+ }
+
+ proto_tree_add_item(rr_tree, hf_dns_tlsa_certificate_usage, tvb, cur_offset, 1, ENC_BIG_ENDIAN);
+ cur_offset ++;
+ rr_len --;
+ proto_tree_add_item(rr_tree, hf_dns_tlsa_selector, tvb, cur_offset, 1, ENC_BIG_ENDIAN);
+ cur_offset ++;
+ rr_len --;
+ proto_tree_add_item(rr_tree, hf_dns_tlsa_matching_type, tvb, cur_offset, 1, ENC_BIG_ENDIAN);
+ cur_offset ++;
+ rr_len --;
+ proto_tree_add_item(rr_tree, hf_dns_tlsa_certificate_association_data, tvb, cur_offset, rr_len, ENC_BIG_ENDIAN);
+
+ }
+ break;
+
 case T_NXT:
 {
 int rr_len = data_len;
@@ -4073,6 +4136,26 @@ proto_register_dns(void)
 FT_BYTES, BASE_NONE, NULL, 0,
 NULL, HFILL }},
 
+ { &hf_dns_tlsa_certificate_usage,
+ { "Certificate Usage", "dns.tlsa.certificate_usage",
+ FT_UINT8, BASE_DEC, VALS(tlsa_certificate_usage_vals), 0,
+ "Specifies the provided association that will be used to match the certificate presented in the TLS handshake", HFILL }},
+
+ { &hf_dns_tlsa_selector,
+ { "Selector", "dns.tlsa.selector",
+ FT_UINT8, BASE_DEC, VALS(tlsa_selector_vals), 0,
+ "Specifies which part of the TLS certificate presented by the server will be matched against the association data", HFILL }},
+
+ { &hf_dns_tlsa_matching_type,
+ { "Matching Type", "dns.tlsa.matching_type",
+ FT_UINT8, BASE_DEC, VALS(tlsa_matching_type_vals), 0,
+ "Specifies how the certificate association is presented", HFILL }},
+
+ { &hf_dns_tlsa_certificate_association_data,
+ { "Certificate Association Data", "dns.tlsa.certificate_association_data",
+ FT_BYTES, BASE_NONE, NULL, 0,
+ "The data refers to the certificate in the association", HFILL }},
+
 { &hf_dns_tsig_original_id,
 { "Original Id", "dns.tsig.original_id",
 FT_UINT16, BASE_DEC, NULL, 0x0,
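Review bot: The new T_TLSA branch never checks that the RDATA is long enough before consuming it: `rr_len` starts at `data_len`, is decremented three times with no lower bound, and is then passed as the length of the certificate-association item, so a record carrying fewer than three bytes of RDATA produces a zero or negative length, and since proto_tree_add_item treats -1 as "to the end of the buffer" the dissector would either render bytes beyond the record as association data or abort with a dissector error instead of flagging the record as malformed. A guard ahead of the first proto_tree_add_item, `if (rr_len < 3) { /* TODO: report malformed TLSA RDATA via expert info */ break; }`, keeps the decode within the RR. The last proto_tree_add_item passes `ENC_BIG_ENDIAN` for an FT_BYTES field, where `ENC_NA` is the conventional encoding for byte fields. dissect_dns_answer starts outside the hunk, so any caller-side validation of data_len is not visible here.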