suricata
util-lua-tls.c
1 /* Copyright (C) 2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author Eric Leblond <eric@regit.org>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30 
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34 
35 #include "util-print.h"
36 #include "util-unittest.h"
37 
38 #include "util-debug.h"
39 
40 #include "output.h"
41 #include "app-layer.h"
42 #include "app-layer-parser.h"
43 #include "app-layer-ssl.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 #include "util-proto-name.h"
47 #include "util-logopenfile.h"
48 #include "util-time.h"
49 
50 #ifdef HAVE_LUA
51 
52 #include <lua.h>
53 #include <lualib.h>
54 #include <lauxlib.h>
55 
56 #include "util-lua.h"
57 #include "util-lua-common.h"
58 #include "util-lua-tls.h"
59 
/**
 * \brief Push the NotBefore timestamp of the first certificate recorded for
 *        one side of a TLS flow onto the Lua stack.
 *
 * \param luastate Lua state that receives the value or the error
 * \param f flow whose app-layer state is read
 * \param direction non-zero selects client_connp, zero selects server_connp
 *
 * \retval int the return value of LuaPushInteger() on success, or of
 *         LuaCallbackError() when no state or no timestamp is available
 */
static int GetCertNotBefore(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    const SSLStateConnp *side = direction ? &tls->client_connp : &tls->server_connp;

    /* a stored value of 0 is treated as "no timestamp recorded" */
    if (side->cert0_not_before == 0)
        return LuaCallbackError(luastate, "error: no certificate NotBefore");

    return LuaPushInteger(luastate, side->cert0_not_before);
}
82 
/**
 * \brief Lua callback registered as "TlsGetCertNotBefore".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the direction and the flow and delegates to GetCertNotBefore().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetCertNotBefore(), or of LuaCallbackError() when
 *         the protocol check fails or no flow is attached
 */
static int TlsGetCertNotBefore(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    const int direction = LuaStateGetDirection(luastate);

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertNotBefore(luastate, flow, direction);
}
100 
/**
 * \brief Push the NotAfter timestamp of the first certificate recorded for
 *        one side of a TLS flow onto the Lua stack.
 *
 * \param luastate Lua state that receives the value or the error
 * \param f flow whose app-layer state is read
 * \param direction non-zero selects client_connp, zero selects server_connp
 *
 * \retval int the return value of LuaPushInteger() on success, or of
 *         LuaCallbackError() when no state or no timestamp is available
 */
static int GetCertNotAfter(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    const SSLStateConnp *side = direction ? &tls->client_connp : &tls->server_connp;

    /* a stored value of 0 is treated as "no timestamp recorded" */
    if (side->cert0_not_after == 0)
        return LuaCallbackError(luastate, "error: no certificate NotAfter");

    return LuaPushInteger(luastate, side->cert0_not_after);
}
123 
/**
 * \brief Lua callback registered as "TlsGetCertNotAfter".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the direction and the flow and delegates to GetCertNotAfter().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetCertNotAfter(), or of LuaCallbackError() when
 *         the protocol check fails or no flow is attached
 */
static int TlsGetCertNotAfter(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    const int direction = LuaStateGetDirection(luastate);

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertNotAfter(luastate, flow, direction);
}
141 
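/**
 * \brief Push TLS version, subject, issuer DN and fingerprint of the first
 *        certificate recorded for one side of a TLS flow onto the Lua stack.
 *
 * The values are pushed in that order: version, subject, issuer DN,
 * fingerprint.
 *
 * \param luastate Lua state that receives the values or the error
 * \param f flow whose app-layer state is read
 * \param direction non-zero selects client_connp, zero selects server_connp
 *
 * \retval int sum of the four LuaPushStringBuffer() return values on
 *         success, or the return value of LuaCallbackError() when the state
 *         or any of the three certificate strings is missing
 */
static int GetCertInfo(lua_State *luastate, const Flow *f, int direction)
{
    void *state = FlowGetAppState(f);
    if (state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    SSLState *ssl_state = (SSLState *)state;
    SSLStateConnp *connp = direction ? &ssl_state->client_connp : &ssl_state->server_connp;

    /* Every one of these three pointers is passed to strlen() below, so each
     * must be checked, not only the subject. Nothing in this file shows that
     * issuer DN and fingerprint are always set together with the subject;
     * a NULL here would otherwise be dereferenced while handling a flow
     * whose certificate contents come from the network. */
    if (connp->cert0_subject == NULL || connp->cert0_issuerdn == NULL ||
            connp->cert0_fingerprint == NULL)
        return LuaCallbackError(luastate, "error: no cert");

    /* tls.version: taken from server_connp whichever direction was asked for */
    char ssl_version[SSL_VERSION_MAX_STRLEN];
    SSLVersionToString(ssl_state->server_connp.version, ssl_version);

    int r = LuaPushStringBuffer(luastate, (uint8_t *)ssl_version, strlen(ssl_version));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_subject,
            strlen(connp->cert0_subject));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_issuerdn,
            strlen(connp->cert0_issuerdn));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_fingerprint,
            strlen(connp->cert0_fingerprint));
    return r;
}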
170 
/**
 * \brief Lua callback registered as "TlsGetCertInfo".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the direction and the flow and delegates to GetCertInfo().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetCertInfo(), or of LuaCallbackError() when the
 *         protocol check fails or no flow is attached
 */
static int TlsGetCertInfo(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    const int direction = LuaStateGetDirection(luastate);

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertInfo(luastate, flow, direction);
}
188 
/**
 * \brief Push the TLS version recorded on the server side of a flow onto the
 *        Lua stack as a string.
 *
 * \param luastate Lua state that receives the value or the error
 * \param f flow whose app-layer state is read
 *
 * \retval int the return value of LuaPushStringBuffer() on success, or of
 *         LuaCallbackError() when the flow has no app-layer state
 */
static int GetAgreedVersion(lua_State *luastate, const Flow *f)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* SSLVersionToString() fills the buffer; its length is then measured
     * with strlen(), so the helper is relied on to NUL-terminate it */
    char version_str[SSL_VERSION_MAX_STRLEN];
    SSLVersionToString(tls->server_connp.version, version_str);

    const size_t version_len = strlen(version_str);
    return LuaPushStringBuffer(luastate, (uint8_t *)version_str, version_len);
}
203 
/**
 * \brief Lua callback registered as "TlsGetVersion".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the flow and delegates to GetAgreedVersion().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetAgreedVersion(), or of LuaCallbackError() when
 *         the protocol check fails or no flow is attached
 */
static int TlsGetVersion(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetAgreedVersion(luastate, flow);
}
219 
/**
 * \brief Push the server name indication recorded on the client side of a
 *        TLS flow onto the Lua stack.
 *
 * \param luastate Lua state that receives the value or the error
 * \param f flow whose app-layer state is read
 *
 * \retval int the return value of LuaPushStringBuffer() on success, or of
 *         LuaCallbackError() when there is no state or no SNI
 */
static int GetSNI(lua_State *luastate, const Flow *f)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    char *sni = tls->client_connp.sni;
    if (sni == NULL)
        return LuaCallbackError(luastate, "error: no server name indication");

    /* the length comes from strlen(), so the string handed to the script
     * ends at the first NUL byte of the stored name */
    return LuaPushStringBuffer(luastate, (uint8_t *)sni, strlen(sni));
}
234 
/**
 * \brief Lua callback registered as "TlsGetSNI".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the flow and delegates to GetSNI().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetSNI(), or of LuaCallbackError() when the protocol
 *         check fails or no flow is attached
 */
static int TlsGetSNI(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetSNI(luastate, flow);
}
250 
/**
 * \brief Push the serial of the first certificate recorded on the server
 *        side of a TLS flow onto the Lua stack.
 *
 * Only server_connp is consulted; there is no direction argument.
 *
 * \param luastate Lua state that receives the value or the error
 * \param f flow whose app-layer state is read
 *
 * \retval int the return value of LuaPushStringBuffer() on success, or of
 *         LuaCallbackError() when there is no state or no serial
 */
static int GetCertSerial(lua_State *luastate, const Flow *f)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    char *serial = tls->server_connp.cert0_serial;
    if (serial == NULL)
        return LuaCallbackError(luastate, "error: no certificate serial");

    return LuaPushStringBuffer(luastate, (uint8_t *)serial, strlen(serial));
}
266 
/**
 * \brief Lua callback registered as "TlsGetCertSerial".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the flow and delegates to GetCertSerial().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetCertSerial(), or of LuaCallbackError() when the
 *         protocol check fails or no flow is attached
 */
static int TlsGetCertSerial(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertSerial(luastate, flow);
}
282 
/**
 * \brief Build a Lua table describing the certificate chain recorded for one
 *        side of a TLS flow and leave it on the Lua stack.
 *
 * The result is a table keyed by integers starting at 0; each entry is a
 * table with the fields "length" (cert_len) and "data" (cert_len bytes of
 * cert_data). An empty chain yields an empty table. The bytes are passed on
 * as stored in the chain list; this function does not inspect them.
 *
 * \param luastate Lua state that receives the table or the error
 * \param f flow whose app-layer state is read
 * \param direction non-zero selects client_connp, zero selects server_connp
 *
 * \retval 1 one value (the table) was left on the stack
 * \retval int the return value of LuaCallbackError() when the flow has no
 *         app-layer state
 */
static int GetCertChain(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *tls = (SSLState *)FlowGetAppState(f);
    if (tls == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    SSLStateConnp *side = direction ? &tls->client_connp : &tls->server_connp;

    uint32_t idx = 0;
    SSLCertsChain *entry = NULL;

    /* outer table: stays at the bottom of our part of the stack */
    lua_newtable(luastate);

    TAILQ_FOREACH(entry, &side->certs, next)
    {
        /* key of this entry in the outer table, then the per-cert table */
        lua_pushinteger(luastate, idx++);
        lua_newtable(luastate);

        /* inner["length"] = cert_len */
        lua_pushstring(luastate, "length");
        lua_pushinteger(luastate, entry->cert_len);
        lua_settable(luastate, -3);

        /* inner["data"] = cert bytes; the return value of the push helper is
         * not checked, the settable below assumes it pushed one value */
        lua_pushstring(luastate, "data");
        LuaPushStringBuffer(luastate, entry->cert_data, entry->cert_len);
        lua_settable(luastate, -3);

        /* outer[idx] = inner */
        lua_settable(luastate, -3);
    }

    return 1;
}
320 
/**
 * \brief Lua callback registered as "TlsGetCertChain".
 *
 * Refuses to run unless the Lua state is bound to ALPROTO_TLS, then looks up
 * the direction and the flow and delegates to GetCertChain().
 *
 * \param luastate Lua state the script is running in
 *
 * \retval int result of GetCertChain(), or of LuaCallbackError() when the
 *         protocol check fails or no flow is attached
 */
static int TlsGetCertChain(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    const int direction = LuaStateGetDirection(luastate);

    Flow *flow = LuaStateGetFlow(luastate);
    if (flow == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertChain(luastate, flow, direction);
}
338 
/**
 * \brief register tls lua extensions in a luastate
 *
 * Each callback of this file is installed as a Lua global of the same name.
 *
 * \param luastate Lua state to register the callbacks in
 *
 * \retval 0 always
 */
int LuaRegisterTlsFunctions(lua_State *luastate)
{
    /* global name -> C callback, in registration order */
    static const struct {
        const char *name;
        lua_CFunction fn;
    } tls_callbacks[] = {
        { "TlsGetCertNotBefore", TlsGetCertNotBefore },
        { "TlsGetCertNotAfter", TlsGetCertNotAfter },
        { "TlsGetVersion", TlsGetVersion },
        { "TlsGetCertInfo", TlsGetCertInfo },
        { "TlsGetSNI", TlsGetSNI },
        { "TlsGetCertSerial", TlsGetCertSerial },
        { "TlsGetCertChain", TlsGetCertChain },
    };

    for (size_t i = 0; i < sizeof(tls_callbacks) / sizeof(tls_callbacks[0]); i++) {
        lua_pushcfunction(luastate, tls_callbacks[i].fn);
        lua_setglobal(luastate, tls_callbacks[i].name);
    }

    return 0;
}
366 
367 #endif /* HAVE_LUA */