LOCAL void krb5_parse(MolochSession_t *session, const unsigned char *data, int len)
{
BSB obsb;
uint32_t opc, msgType, olen;
unsigned char *ovalue;
BSB_INIT(obsb, data, len);
ovalue = moloch_parsers_asn_get_tlv(&obsb, &opc, &msgType, &olen);
#ifdef KRB5_DEBUG
LOG("DEBUG1 - opc:%uumsgType:%u olen:%u", opc, msgType, olen);
#endif
if (!opc)
return;
switch (msgType) {
case 10:
case 12:
krb5_parse_req(session, ovalue, olen);
break;
case 11:
case 13:
krb5_parse_rep(session, ovalue, olen);
break;
case 30:
krb5_parse_error(session, ovalue, olen);
break;
}
}
LOCAL void krb5_udp_classify(MolochSession_t *session, const unsigned char *data, int len, int UNUSED(which), void *UNUSED(uw))
{
if (moloch_session_has_protocol(session, "krb5"))
return;
BSB obsb;
uint32_t opc, otag, olen;
BSB_INIT(obsb, data, len);
moloch_parsers_asn_get_tlv(&obsb, &opc, &otag, &olen);
#ifdef KRB5_DEBUG
LOG("enter %u %u %u", opc, otag, olen);
#endif
if (opc && (otag == 10 || otag == 12 || otag == 30) && len >= (int)olen) {
moloch_parsers_register(session, krb5_udp_parser, 0, 0);
}
}
void
tls_certinfo_process(MolochCertInfo_t *ci, BSB *bsb)
{
int apc, atag, alen;
char lastOid[1000];
lastOid[0] = 0;
while (BSB_REMAINING(*bsb)) {
unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen);
if (!value)
return;
if (apc) {
BSB tbsb;
BSB_INIT(tbsb, value, alen);
tls_certinfo_process(ci, &tbsb);
} else if (atag == 6) {
moloch_parsers_asn_decode_oid(lastOid, sizeof(lastOid), value, alen);
} else if (lastOid[0] && (atag == 20 || atag == 19 || atag == 12)) {
/* 20 == BER_UNI_TAG_TeletexString
* 19 == BER_UNI_TAG_PrintableString
* 12 == BER_UNI_TAG_UTF8String
*/
if (strcmp(lastOid, "2.5.4.3") == 0) {
MolochString_t *element = MOLOCH_TYPE_ALLOC(MolochString_t);
element->utf8 = atag == 12;
if (element->utf8)
element->str = g_utf8_strdown((char*)value, alen);
else
element->str = g_ascii_strdown((char*)value, alen);
DLL_PUSH_TAIL(s_, &ci->commonName, element);
} else if (strcmp(lastOid, "2.5.4.10") == 0) {
if (ci->orgName) {
LOG("Multiple orgName %s => %.*s", ci->orgName, alen, value);
free(ci->orgName);
}
ci->orgUtf8 = atag == 12;
ci->orgName = g_strndup((char*)value, alen);
}
}
}
}
void
tls_alt_names(MolochCertsInfo_t *certs, BSB *bsb, char *lastOid)
{
int apc, atag, alen;
while (BSB_REMAINING(*bsb) >= 2) {
unsigned char *value = moloch_parsers_asn_get_tlv(bsb, &apc, &atag, &alen);
if (!value)
return;
if (apc) {
BSB tbsb;
BSB_INIT(tbsb, value, alen);
tls_alt_names(certs, &tbsb, lastOid);
if (certs->alt.s_count > 0) {
return;
}
} else if (atag == 6) {
moloch_parsers_asn_decode_oid(lastOid, 100, value, alen);
if (strcmp(lastOid, "2.5.29.17") != 0)
lastOid[0] = 0;
} else if (lastOid[0] && atag == 4) {
BSB tbsb;
BSB_INIT(tbsb, value, alen);
tls_alt_names(certs, &tbsb, lastOid);
return;
} else if (lastOid[0] && atag == 2) {
MolochString_t *element = MOLOCH_TYPE_ALLOC0(MolochString_t);
element->str = g_ascii_strdown((char*)value, alen);
element->len = alen;
DLL_PUSH_TAIL(s_, &certs->alt, element);
}
}
lastOid[0] = 0;
return;
}
void tls_process_server_certificate(MolochSession_t *session, const unsigned char *data, int len)
{
BSB cbsb;
BSB_INIT(cbsb, data, len);
BSB_IMPORT_skip(cbsb, 3); // Length again
while(BSB_REMAINING(cbsb) > 3) {
int badreason = 0;
unsigned char *cdata = BSB_WORK_PTR(cbsb);
int clen = MIN(BSB_REMAINING(cbsb) - 3, (cdata[0] << 16 | cdata[1] << 8 | cdata[2]));
MolochCertsInfo_t *certs = MOLOCH_TYPE_ALLOC0(MolochCertsInfo_t);
DLL_INIT(s_, &certs->alt);
DLL_INIT(s_, &certs->subject.commonName);
DLL_INIT(s_, &certs->issuer.commonName);
int atag, alen, apc;
unsigned char *value;
BSB bsb;
BSB_INIT(bsb, cdata + 3, clen);
/* Certificate */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 1; goto bad_cert;}
BSB_INIT(bsb, value, alen);
/* signedCertificate */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 2; goto bad_cert;}
BSB_INIT(bsb, value, alen);
/* serialNumber or version*/
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 3; goto bad_cert;}
if (apc) {
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 4; goto bad_cert;}
}
certs->serialNumberLen = alen;
certs->serialNumber = malloc(alen);
memcpy(certs->serialNumber, value, alen);
/* signature */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 5; goto bad_cert;}
/* issuer */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 6; goto bad_cert;}
BSB tbsb;
BSB_INIT(tbsb, value, alen);
tls_certinfo_process(&certs->issuer, &tbsb);
/* validity */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 7; goto bad_cert;}
/* subject */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 8; goto bad_cert;}
BSB_INIT(tbsb, value, alen);
tls_certinfo_process(&certs->subject, &tbsb);
/* subjectPublicKeyInfo */
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 9; goto bad_cert;}
/* extensions */
if (BSB_REMAINING(bsb)) {
if (!(value = moloch_parsers_asn_get_tlv(&bsb, &apc, &atag, &alen)))
{badreason = 10; goto bad_cert;}
BSB tbsb;
BSB_INIT(tbsb, value, alen);
char lastOid[100];
lastOid[0] = 0;
tls_alt_names(certs, &tbsb, lastOid);
}
if (!moloch_field_certsinfo_add(certsField, session, certs, clen*2)) {
moloch_field_certsinfo_free(certs);
}
BSB_IMPORT_skip(cbsb, clen + 3);
continue;
bad_cert:
if (config.debug)
LOG("bad cert %d - %d", badreason, clen);
moloch_field_certsinfo_free(certs);
break;
}
}
