1 /* Copyright (C) 2014 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 
19 /**
20  * \file
21  *
22  * \author Eric Leblond <eric@regit.org>
23  *
24  */
25 
26 #include "suricata-common.h"
27 #include "detect.h"
28 #include "pkt-var.h"
29 #include "conf.h"
30 
31 #include "threads.h"
32 #include "threadvars.h"
33 #include "tm-threads.h"
34 
35 #include "util-print.h"
36 #include "util-unittest.h"
37 
38 #include "util-debug.h"
39 
40 #include "output.h"
41 #include "app-layer.h"
42 #include "app-layer-parser.h"
43 #include "app-layer-ssl.h"
44 #include "util-privs.h"
45 #include "util-buffer.h"
46 #include "util-proto-name.h"
47 #include "util-logopenfile.h"
48 #include "util-time.h"
49 
50 #include "lua.h"
51 #include "lualib.h"
52 #include "lauxlib.h"
53 
54 #include "util-lua.h"
55 #include "util-lua-common.h"
56 #include "util-lua-tls.h"
57 
/**
 * \brief push the NotBefore timestamp of the first certificate to the lua stack
 *
 * \param luastate  lua state to push the result onto
 * \param f         flow whose app-layer state holds the TLS session
 * \param direction non-zero selects the client side, zero the server side
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetCertNotBefore(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* direction != 0 means the client side of the session */
    const SSLStateConnp *connp = direction ? &ssl_state->client_connp
                                           : &ssl_state->server_connp;

    /* a value of 0 is treated as "not set" */
    if (connp->cert0_not_before == 0)
        return LuaCallbackError(luastate, "error: no certificate NotBefore");

    return LuaPushInteger(luastate, connp->cert0_not_before);
}
80 
/**
 * \brief lua callback TlsGetCertNotBefore()
 *
 * Pushes the NotBefore timestamp of the first certificate seen in the
 * direction the script runs in, or raises a callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetCertNotBefore(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    /* direction is read before the flow to keep the lookup order unchanged */
    int direction = LuaStateGetDirection(luastate);

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertNotBefore(luastate, f, direction);
}
98 
/**
 * \brief push the NotAfter timestamp of the first certificate to the lua stack
 *
 * \param luastate  lua state to push the result onto
 * \param f         flow whose app-layer state holds the TLS session
 * \param direction non-zero selects the client side, zero the server side
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetCertNotAfter(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* direction != 0 means the client side of the session */
    const SSLStateConnp *connp = direction ? &ssl_state->client_connp
                                           : &ssl_state->server_connp;

    /* a value of 0 is treated as "not set" */
    if (connp->cert0_not_after == 0)
        return LuaCallbackError(luastate, "error: no certificate NotAfter");

    return LuaPushInteger(luastate, connp->cert0_not_after);
}
121 
/**
 * \brief lua callback TlsGetCertNotAfter()
 *
 * Pushes the NotAfter timestamp of the first certificate seen in the
 * direction the script runs in, or raises a callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetCertNotAfter(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    /* direction is read before the flow to keep the lookup order unchanged */
    int direction = LuaStateGetDirection(luastate);

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertNotAfter(luastate, f, direction);
}
139 
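/**
 * \brief push version, subject, issuer DN and fingerprint of the first
 *        certificate to the lua stack
 *
 * Four strings are pushed: the TLS version (always read from the server
 * side, as GetAgreedVersion does), then the subject, issuer DN and
 * fingerprint of the first certificate seen in \a direction.
 *
 * \param luastate  lua state to push the results onto
 * \param f         flow whose app-layer state holds the TLS session
 * \param direction non-zero selects the client side, zero the server side
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetCertInfo(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* direction != 0 means the client side of the session */
    const SSLStateConnp *connp = direction ? &ssl_state->client_connp
                                           : &ssl_state->server_connp;

    /* all three strings are handed to strlen() below, so each must be
     * set; checking only the subject would dereference NULL should the
     * parser have filled the subject but not the issuer or fingerprint */
    if (connp->cert0_subject == NULL || connp->cert0_issuerdn == NULL ||
            connp->cert0_fingerprint == NULL)
        return LuaCallbackError(luastate, "error: no cert");

    /* tls.version: buffer sized for SSLVersionToString(), which takes no length */
    char ssl_version[SSL_VERSION_MAX_STRLEN];
    SSLVersionToString(ssl_state->server_connp.version, ssl_version);

    int r = LuaPushStringBuffer(luastate, (uint8_t *)ssl_version,
            strlen(ssl_version));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_subject,
            strlen(connp->cert0_subject));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_issuerdn,
            strlen(connp->cert0_issuerdn));
    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_fingerprint,
            strlen(connp->cert0_fingerprint));
    return r;
}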
168 
/**
 * \brief lua callback TlsGetCertInfo()
 *
 * Pushes version, subject, issuer DN and fingerprint of the first
 * certificate seen in the direction the script runs in, or raises a
 * callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetCertInfo(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    /* direction is read before the flow to keep the lookup order unchanged */
    int direction = LuaStateGetDirection(luastate);

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertInfo(luastate, f, direction);
}
186 
/**
 * \brief push the TLS version string to the lua stack
 *
 * The version is taken from the server side of the session; the function
 * name suggests that is where the negotiated version is recorded.
 *
 * \param luastate lua state to push the result onto
 * \param f        flow whose app-layer state holds the TLS session
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetAgreedVersion(lua_State *luastate, const Flow *f)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* buffer sized for SSLVersionToString(), which takes no length */
    char version_str[SSL_VERSION_MAX_STRLEN];
    SSLVersionToString(ssl_state->server_connp.version, version_str);

    size_t version_len = strlen(version_str);
    return LuaPushStringBuffer(luastate, (uint8_t *)version_str, version_len);
}
201 
/**
 * \brief lua callback TlsGetVersion()
 *
 * Pushes the TLS version string of the flow, or raises a callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetVersion(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetAgreedVersion(luastate, f);
}
217 
/**
 * \brief push the client's Server Name Indication to the lua stack
 *
 * The SNI is read from the client side only, since it is sent by the
 * client in its hello.
 *
 * \param luastate lua state to push the result onto
 * \param f        flow whose app-layer state holds the TLS session
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetSNI(lua_State *luastate, const Flow *f)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    const char *sni = ssl_state->client_connp.sni;
    if (sni == NULL)
        return LuaCallbackError(luastate, "error: no server name indication");

    return LuaPushStringBuffer(luastate, (const uint8_t *)sni, strlen(sni));
}
232 
/**
 * \brief lua callback TlsGetSNI()
 *
 * Pushes the client's Server Name Indication, or raises a callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetSNI(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetSNI(luastate, f);
}
248 
/**
 * \brief push the serial number of the server's first certificate
 *
 * Unlike the other certificate accessors this one has no direction
 * argument and always reads the server side.
 *
 * \param luastate lua state to push the result onto
 * \param f        flow whose app-layer state holds the TLS session
 *
 * \retval number of values pushed, or the LuaCallbackError result on failure
 */
static int GetCertSerial(lua_State *luastate, const Flow *f)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    const char *serial = ssl_state->server_connp.cert0_serial;
    if (serial == NULL)
        return LuaCallbackError(luastate, "error: no certificate serial");

    return LuaPushStringBuffer(luastate, (const uint8_t *)serial, strlen(serial));
}
264 
/**
 * \brief lua callback TlsGetCertSerial()
 *
 * Pushes the serial of the server's first certificate, or raises a
 * callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetCertSerial(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertSerial(luastate, f);
}
280 
/**
 * \brief push the certificate chain of one side of the session as a lua table
 *
 * The result is a table keyed 0..n-1 in chain order; each entry is itself a
 * table with a "length" integer and a "data" string holding the raw
 * certificate bytes.  Keys start at 0, so ipairs() and # in a script do
 * not see the first certificate; scripts may rely on this, so it is kept.
 *
 * \param luastate  lua state to push the result onto
 * \param f         flow whose app-layer state holds the TLS session
 * \param direction non-zero selects the client side, zero the server side
 *
 * \retval 1 on success (the table is pushed even when the chain is empty),
 *         or the LuaCallbackError result when there is no app-layer state
 */
static int GetCertChain(lua_State *luastate, const Flow *f, int direction)
{
    SSLState *ssl_state = (SSLState *)FlowGetAppState(f);
    if (ssl_state == NULL)
        return LuaCallbackError(luastate, "error: no app layer state");

    /* direction != 0 means the client side of the session */
    SSLStateConnp *connp = direction ? &ssl_state->client_connp
                                     : &ssl_state->server_connp;

    lua_newtable(luastate);                     /* outer table: the chain */

    uint32_t idx = 0;
    SSLCertsChain *cert = NULL;
    TAILQ_FOREACH(cert, &connp->certs, next) {
        lua_pushinteger(luastate, idx);         /* outer key */
        lua_newtable(luastate);                 /* inner table: one cert */

        lua_pushstring(luastate, "length");
        lua_pushinteger(luastate, cert->cert_len);
        lua_settable(luastate, -3);             /* inner["length"] */

        lua_pushstring(luastate, "data");
        LuaPushStringBuffer(luastate, cert->cert_data, cert->cert_len);
        lua_settable(luastate, -3);             /* inner["data"] */

        lua_settable(luastate, -3);             /* outer[idx] = inner */
        idx++;
    }

    return 1;
}
318 
/**
 * \brief lua callback TlsGetCertChain()
 *
 * Pushes the certificate chain seen in the direction the script runs in as
 * a table, or raises a callback error.
 *
 * \param luastate lua state the callback was invoked from
 * \retval number of values pushed, or the LuaCallbackError result
 */
static int TlsGetCertChain(lua_State *luastate)
{
    if (!LuaStateNeedProto(luastate, ALPROTO_TLS))
        return LuaCallbackError(luastate, "error: protocol not tls");

    /* direction is read before the flow to keep the lookup order unchanged */
    int direction = LuaStateGetDirection(luastate);

    Flow *f = LuaStateGetFlow(luastate);
    if (f == NULL)
        return LuaCallbackError(luastate, "internal error: no flow");

    return GetCertChain(luastate, f, direction);
}
336 
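/** \brief register tls lua extensions in a luastate
 *
 *  Each C callback is exposed to scripts as a global of the same name.
 *  The signature line was missing from the rendered listing and is
 *  restored here from the declaration shown for this symbol.
 *
 *  \param luastate lua state to register the globals in
 *  \retval 0 always
 */
int LuaRegisterTlsFunctions(lua_State *luastate)
{
    /* name and callback are kept side by side so a new entry cannot
     * register one without the other */
    static const struct {
        const char *name;
        int (*fn)(lua_State *);
    } callbacks[] = {
        { "TlsGetCertNotBefore", TlsGetCertNotBefore },
        { "TlsGetCertNotAfter",  TlsGetCertNotAfter },
        { "TlsGetVersion",       TlsGetVersion },
        { "TlsGetCertInfo",      TlsGetCertInfo },
        { "TlsGetSNI",           TlsGetSNI },
        { "TlsGetCertSerial",    TlsGetCertSerial },
        { "TlsGetCertChain",     TlsGetCertChain },
    };

    /* registration of the callbacks */
    for (size_t i = 0; i < sizeof(callbacks) / sizeof(callbacks[0]); i++) {
        lua_pushcfunction(luastate, callbacks[i].fn);
        lua_setglobal(luastate, callbacks[i].name);
    }

    return 0;
}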