From 133485937952d8ed106eae840f517edf53024e19 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Wed, 23 Sep 2015 16:34:40 +0200 Subject: [PATCH] dns: add support for sshfp records Update parser to process the records. Update json output to log it. --- src/app-layer-dns-common.c | 15 +++++++++++++++ src/app-layer-dns-common.h | 1 - src/output-json-dns.c | 28 ++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c index 16a2252b4c..cfb441451b 100644 --- a/src/app-layer-dns-common.c +++ b/src/app-layer-dns-common.c @@ -1005,6 +1005,21 @@ const uint8_t *DNSReponseParse(DNSState *dns_state, const DNSHeader * const dns_ data += ntohs(head->len); break; } + case DNS_RECORD_TYPE_SSHFP: + { + /* data here should be: + * [1 byte algo][1 byte type][var bytes fingerprint] + * As we currently can't store each of those in the state, + * we just store the raw data an let the output/detect + * code figure out what to do with it. */ + + DNSStoreAnswerInState(dns_state, list, fqdn, fqdn_len, + ntohs(head->type), ntohs(head->class), ntohl(head->ttl), + data, ntohs(head->len), ntohs(dns_header->tx_id)); + + data += ntohs(head->len); + break; + } default: /* unsupported record */ { DNSStoreAnswerInState(dns_state, list, NULL, 0, diff --git a/src/app-layer-dns-common.h b/src/app-layer-dns-common.h index a3bdd9351d..184fb26408 100644 --- a/src/app-layer-dns-common.h +++ b/src/app-layer-dns-common.h @@ -92,7 +92,6 @@ #define DNS_RECORD_TYPE_ANY 255 #define DNS_RECORD_TYPE_URI 256 - #define DNS_RCODE_NOERROR 0 #define DNS_RCODE_FORMERR 1 #define DNS_RCODE_SERVFAIL 2 diff --git a/src/output-json-dns.c b/src/output-json-dns.c index 87b276521b..db8ae40f17 100644 --- a/src/output-json-dns.c +++ b/src/output-json-dns.c 
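Review bot: The new `DNS_RECORD_TYPE_SSHFP` case stores the rdata without checking that it holds the two fixed bytes the comment describes, so every consumer has to re-validate the length before reading algo and type. Either reject `ntohs(head->len) < 2` here or state the contract in the comment, e.g. add `* Length is not validated here; readers must check data_len >= 2.`, and fix the typo `an let` to `and let`. Whether `head->len` has already been bounded against the remaining input cannot be seen from this hunk, because DNSReponseParse begins and ends outside it.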
@@ -172,6 +172,34 @@ static void OutputAnswer(LogDnsLogThread *aft, json_t *djs, DNSTransaction *tx, } else { json_object_set_new(js, "rdata", json_string("")); } + } else if (entry->type == DNS_RECORD_TYPE_SSHFP) { + if (entry->data_len > 2) { + /* get algo and type */ + uint8_t algo = *ptr; + uint8_t fptype = *(ptr+1); + + /* turn fp raw buffer into a nice :-separate hex string */ + uint16_t fp_len = (entry->data_len - 2); + uint8_t *dptr = ptr+2; + uint32_t output_len = fp_len * 2 + 1; // create c-string, so add space for 0. + char hexstring[output_len], *p = hexstring; + memset(hexstring, 0x00, output_len); + + uint16_t x; + for (x = 0; x < fp_len; x++, p += 3) { + snprintf(p, 4, x == fp_len - 1 ? "%02x" : "%02x:", dptr[x]); + } + + /* wrap the whole thing in it's own structure */ + json_t *hjs = json_object(); + if (hjs != NULL) { + json_object_set_new(hjs, "fingerprint", json_string(hexstring)); + json_object_set_new(hjs, "algo", json_integer(algo)); + json_object_set_new(hjs, "type", json_integer(fptype)); + + json_object_set_new(js, "sshfp", hjs); + } + } } } -- 2.47.2
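Review bot: `hexstring` is too small for what the loop writes. It is declared with `output_len = fp_len * 2 + 1`, but each iteration advances `p` by 3 and lets `snprintf(p, 4, ...)` write up to four bytes, so any fingerprint of two or more bytes runs past the end of the stack array. The length comes from the SSHFP rdata of a DNS answer, so this appears to be reachable from network input. Size the buffer for the separators, `uint32_t output_len = fp_len * 3;`, and pass the remaining space to `snprintf` instead of the constant 4. Since `fp_len` can approach 64k, a capped fixed-size or heap buffer would also be safer than a variable-length array on the logging thread's stack; OutputAnswer starts outside the hunk, so `ptr` is assumed to point at the entry's rdata.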