LOCAL void krb5_parse(MolochSession_t *session, const unsigned char *data, int len) { BSB obsb; uint32_t opc, msgType, olen; unsigned char *ovalue; BSB_INIT(obsb, data, len); ovalue = moloch_parsers_asn_get_tlv(&obsb, &opc, &msgType, &olen); #ifdef KRB5_DEBUG LOG("DEBUG1 - opc:%uumsgType:%u olen:%u", opc, msgType, olen); #endif if (!opc) return; switch (msgType) { case 10: case 12: krb5_parse_req(session, ovalue, olen); break; case 11: case 13: krb5_parse_rep(session, ovalue, olen); break; case 30: krb5_parse_error(session, ovalue, olen); break; } }
LOCAL void krb5_udp_classify(MolochSession_t *session, const unsigned char *data, int len, int UNUSED(which), void *UNUSED(uw)) { if (moloch_session_has_protocol(session, "krb5")) return; BSB obsb; uint32_t opc, otag, olen; BSB_INIT(obsb, data, len); moloch_parsers_asn_get_tlv(&obsb, &opc, &otag, &olen); #ifdef KRB5_DEBUG LOG("enter %u %u %u", opc, otag, olen); #endif if (opc && (otag == 10 || otag == 12 || otag == 30) && len >= (int)olen) { moloch_parsers_register(session, krb5_udp_parser, 0, 0); } }
void tls_certinfo_process(MolochCertInfo_t *ci, BSB *bsb) { int apc, atag, alen; char lastOid[1000]; lastOid[0] = 0; while (BSB_REMAINING(*bsb)) { unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen); if (!value) return; if (apc) { BSB tbsb; BSB_INIT(tbsb, value, alen); tls_certinfo_process(ci, &tbsb); } else if (atag == 6) { moloch_parsers_asn_decode_oid(lastOid, sizeof(lastOid), value, alen); } else if (lastOid[0] && (atag == 20 || atag == 19 || atag == 12)) { /* 20 == BER_UNI_TAG_TeletexString * 19 == BER_UNI_TAG_PrintableString * 12 == BER_UNI_TAG_UTF8String */ if (strcmp(lastOid, "2.5.4.3") == 0) { MolochString_t *element = MOLOCH_TYPE_ALLOC(MolochString_t); element->utf8 = atag == 12; if (element->utf8) element->str = g_utf8_strdown((char*)value, alen); else element->str = g_ascii_strdown((char*)value, alen); DLL_PUSH_TAIL(s_, &ci->commonName, element); } else if (strcmp(lastOid, "2.5.4.10") == 0) { if (ci->orgName) { LOG("Multiple orgName %s => %.*s", ci->orgName, alen, value); free(ci->orgName); } ci->orgUtf8 = atag == 12; ci->orgName = g_strndup((char*)value, alen); } } } }
void tls_alt_names(MolochCertsInfo_t *certs, BSB *bsb, char *lastOid) { int apc, atag, alen; while (BSB_REMAINING(*bsb) >= 2) { unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen); if (!value) return; if (apc) { BSB tbsb; BSB_INIT(tbsb, value, alen); tls_alt_names(certs, &tbsb, lastOid); if (certs->alt.s_count > 0) { return; } } else if (atag == 6) { moloch_parsers_asn_decode_oid(lastOid, 100, value, alen); if (strcmp(lastOid, "2.5.29.17") != 0) lastOid[0] = 0; } else if (lastOid[0] && atag == 4) { BSB tbsb; BSB_INIT(tbsb, value, alen); tls_alt_names(certs, &tbsb, lastOid); return; } else if (lastOid[0] && atag == 2) { MolochString_t *element = MOLOCH_TYPE_ALLOC0(MolochString_t); element->str = g_ascii_strdown((char*)value, alen); element->len = alen; DLL_PUSH_TAIL(s_, &certs->alt, element); } } lastOid[0] = 0; return; }
void tls_process_server_certificate(MolochSession_t *session, const unsigned char *data, int len) { BSB cbsb; BSB_INIT(cbsb, data, len); BSB_IMPORT_skip(cbsb, 3); // Length again while(BSB_REMAINING(cbsb) > 3) { int badreason = 0; unsigned char *cdata = BSB_WORK_PTR(cbsb); int clen = MIN(BSB_REMAINING(cbsb) - 3, (cdata[0] << 16 | cdata[1] << 8 | cdata[2])); MolochCertsInfo_t *certs = MOLOCH_TYPE_ALLOC0(MolochCertsInfo_t); DLL_INIT(s_, &certs->alt); DLL_INIT(s_, &certs->subject.commonName); DLL_INIT(s_, &certs->issuer.commonName); int atag, alen, apc; unsigned char *value; BSB bsb; BSB_INIT(bsb, cdata + 3, clen); /* Certificate */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 1; goto bad_cert;} BSB_INIT(bsb, value, alen); /* signedCertificate */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 2; goto bad_cert;} BSB_INIT(bsb, value, alen); /* serialNumber or version*/ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 3; goto bad_cert;} if (apc) { if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 4; goto bad_cert;} } certs->serialNumberLen = alen; certs->serialNumber = malloc(alen); memcpy(certs->serialNumber, value, alen); /* signature */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 5; goto bad_cert;} /* issuer */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 6; goto bad_cert;} BSB tbsb; BSB_INIT(tbsb, value, alen); tls_certinfo_process(&certs->issuer, &tbsb); /* validity */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 7; goto bad_cert;} /* subject */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 8; goto bad_cert;} BSB_INIT(tbsb, value, alen); tls_certinfo_process(&certs->subject, &tbsb); /* subjectPublicKeyInfo */ if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 9; goto bad_cert;} /* extensions */ if (BSB_REMAINING(bsb)) { if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen))) {badreason = 10; goto bad_cert;} BSB tbsb; BSB_INIT(tbsb, value, alen); char lastOid[100]; lastOid[0] = 0; tls_alt_names(certs, &tbsb, lastOid); } if (!moloch_field_certsinfo_add(certsField, session, certs, clen*2)) { moloch_field_certsinfo_free(certs); } BSB_IMPORT_skip(cbsb, clen + 3); continue; bad_cert: if (config.debug) LOG("bad cert %d - %d", badreason, clen); moloch_field_certsinfo_free(certs); break; } }