lua: TLS support

Support TLS in Lua detection scripts. function init (args) local needs = {} needs["tls"] = tostring(true) return needs end function match(args) version, subject, issuer, fingerprint = TlsGetCertInfo(); if version == nil then return 0 end str = string.format("Version %s\nIssuer %s\nSubject %s\nFingerprint %s", version, issuer, subject, fingerprint) SCLogInfo(str); return 1 end
10 years ago · 371648a8c6
parent 1e84950017
commit 371648a8c6
5 changed files with 191 additions and 0 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -349,6 +349,7 @@ util-lua.c util-lua.h \
 util-lua-common.c util-lua-common.h \
 util-lua-dns.c util-lua-dns.h \
 util-lua-http.c util-lua-http.h \
+util-lua-tls.c util-lua-tls.h \
 util-magic.c util-magic.h \
 util-memcmp.c util-memcmp.h \
 util-memcpy.h \
--- a/src/detect-lua-extensions.c
+++ b/src/detect-lua-extensions.c
@ -66,6 +66,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-tls.h"

 static const char luaext_key_ld[] = "suricata:luajitdata";
 static const char luaext_key_det_ctx[] = "suricata:det_ctx";
@ -617,6 +618,7 @@ int LuaRegisterExtensions(lua_State *lua_state)
    LuaRegisterFunctions(lua_state);
    LuaRegisterHttpFunctions(lua_state);
    LuaRegisterDnsFunctions(lua_state);
+    LuaRegisterTlsFunctions(lua_state);
    return 0;
 }

--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@ -164,6 +164,8 @@ void DetectLuaRegister(void)
 #define DATATYPE_DNS_REQUEST                (1<<16)
 #define DATATYPE_DNS_RESPONSE               (1<<17)

+#define DATATYPE_TLS                        (1<<18)
+
 #ifdef HAVE_LUAJIT
 static void *LuaStatePoolAlloc(void)
 {
@ -1000,6 +1002,12 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld)
                SCLogError(SC_ERR_LUA_ERROR, "alloc error");
                goto error;
            }
+        } else if (strncmp(k, "tls", 3) == 0 && strcmp(v, "true") == 0) {
+
+            ld->alproto = ALPROTO_TLS;
+
+            ld->flags |= DATATYPE_TLS;
+
        } else {
            SCLogError(SC_ERR_LUA_ERROR, "unsupported data type %s", k);
            goto error;
@ -1095,6 +1103,8 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
        } else if (luajit->flags & DATATYPE_DNS_RESPONSE) {
            SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSRESPONSE_MATCH);
        }
+    } else if (luajit->alproto == ALPROTO_TLS) {
+        SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
    } else {
        SCLogError(SC_ERR_LUA_ERROR, "luajit can't be used with protocol %s",
                   AppLayerGetProtoName(luajit->alproto));
--- a/src/util-lua-tls.c
+++ b/src/util-lua-tls.c
@ -0,0 +1,145 @@
+/* Copyright (C) 2014 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+
+/**
+ * \file
+ *
+ * \author Eric Leblond <eric@regit.org>
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-print.h"
+#include "util-unittest.h"
+
+#include "util-debug.h"
+
+#include "output.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssl.h"
+#include "util-privs.h"
+#include "util-buffer.h"
+#include "util-proto-name.h"
+#include "util-logopenfile.h"
+#include "util-time.h"
+
+#ifdef HAVE_LUA
+
+#include <lua.h>
+#include <lualib.h>
+#include <lauxlib.h>
+
+#include "util-lua.h"
+#include "util-lua-common.h"
+
+static int GetCertInfo(lua_State *luastate, const Flow *f, int direction)
+{
+    void *state = FlowGetAppState(f);
+    if (state == NULL)
+        return LuaCallbackError(luastate, "error: no app layer state");
+
+    SSLState *ssl_state = (SSLState *)state;
+    SSLStateConnp *connp = NULL;
+
+    if (direction) {
+        connp = &ssl_state->client_connp;
+    } else {
+        connp = &ssl_state->server_connp;
+    }
+
+    if (connp->cert0_subject == NULL)
+        return LuaCallbackError(luastate, "error: no cert");
+
+    /* tls.version */
+    char ssl_version[32] = "";
+    switch (ssl_state->server_connp.version) {
+        case TLS_VERSION_UNKNOWN:
+            snprintf(ssl_version, sizeof(ssl_version), "UNDETERMINED");
+            break;
+        case SSL_VERSION_2:
+            snprintf(ssl_version, sizeof(ssl_version), "SSLv2");
+            break;
+        case SSL_VERSION_3:
+            snprintf(ssl_version, sizeof(ssl_version), "SSLv3");
+            break;
+        case TLS_VERSION_10:
+            snprintf(ssl_version, sizeof(ssl_version), "TLSv1");
+            break;
+        case TLS_VERSION_11:
+            snprintf(ssl_version, sizeof(ssl_version), "TLS 1.1");
+            break;
+        case TLS_VERSION_12:
+            snprintf(ssl_version, sizeof(ssl_version), "TLS 1.2");
+            break;
+        default:
+            snprintf(ssl_version, sizeof(ssl_version), "0x%04x",
+                     ssl_state->server_connp.version);
+            break;
+    }
+
+    int r = LuaPushStringBuffer(luastate, (uint8_t *)ssl_version, strlen(ssl_version));
+    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_subject, strlen(connp->cert0_subject));
+    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_issuerdn, strlen(connp->cert0_issuerdn));
+    r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_fingerprint, strlen(connp->cert0_fingerprint));
+    return r;
+}
+
+static int TlsGetCertInfo(lua_State *luastate)
+{
+    int r;
+
+    if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+        return LuaCallbackError(luastate, "error: protocol not tls");
+
+    int direction = LuaStateGetDirection(luastate);
+
+    int lock_hint = 0;
+    Flow *f = LuaStateGetFlow(luastate, &lock_hint);
+    if (f == NULL)
+        return LuaCallbackError(luastate, "internal error: no flow");
+
+    if (lock_hint == LUA_FLOW_NOT_LOCKED_BY_PARENT) {
+        FLOWLOCK_RDLOCK(f);
+        r = GetCertInfo(luastate, f, direction);
+        FLOWLOCK_UNLOCK(f);
+    } else {
+        r = GetCertInfo(luastate, f, direction);
+    }
+    return r;
+}
+
+/** \brief register tls lua extensions in a luastate */
+int LuaRegisterTlsFunctions(lua_State *luastate)
+{
+    /* registration of the callbacks */
+    lua_pushcfunction(luastate, TlsGetCertInfo);
+    lua_setglobal(luastate, "TlsGetCertInfo");
+    return 0;
+}
+
+#endif /* HAVE_LUA */
--- a/src/util-lua-tls.h
+++ b/src/util-lua-tls.h
@ -0,0 +1,33 @@
+/* Copyright (C) 2015 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien <victor@inliniac.net>
+ */
+
+#ifndef __UTIL_LUA_TLS_H__
+#define __UTIL_LUA_TLS_H__
+
+#ifdef HAVE_LUA
+
+int LuaRegisterTlsFunctions(lua_State *luastate);
+
+#endif /* HAVE_LUA */
+
+#endif /* __UTIL_LUA_TLS_H__ */