From 371648a8c61e93b42f74263bcedb9d1b8b1af354 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 9 Jul 2015 21:45:15 +0200
Subject: [PATCH] lua: TLS support

Support TLS in Lua detection scripts.

function init (args)
local needs = {}
needs["tls"] = tostring(true)
return needs
end

function match(args)
version, subject, issuer, fingerprint = TlsGetCertInfo();
if version == nil then
return 0
end
str = string.format("Version %s\nIssuer %s\nSubject %s\nFingerprint %s", version, issuer, subject, fingerprint)
SCLogInfo(str);
return 1
end
---
 src/Makefile.am | 1 +
 src/detect-lua-extensions.c | 2 +
 src/detect-lua.c | 10 +++
 src/util-lua-tls.c | 145 ++++++++++++++++++++++++++++++++++++
 src/util-lua-tls.h | 33 ++++++++
 5 files changed, 191 insertions(+)
 create mode 100644 src/util-lua-tls.c
 create mode 100644 src/util-lua-tls.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 1d59a5082f..e74672f425 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -349,6 +349,7 @@ util-lua.c util-lua.h \
 util-lua-common.c util-lua-common.h \
 util-lua-dns.c util-lua-dns.h \
 util-lua-http.c util-lua-http.h \
+util-lua-tls.c util-lua-tls.h \
 util-magic.c util-magic.h \
 util-memcmp.c util-memcmp.h \
 util-memcpy.h \
diff --git a/src/detect-lua-extensions.c b/src/detect-lua-extensions.c
index 7a2657f9d3..020c886d9b 100644
--- a/src/detect-lua-extensions.c
+++ b/src/detect-lua-extensions.c
@@ -66,6 +66,7 @@
 #include "util-lua-common.h"
 #include "util-lua-http.h"
 #include "util-lua-dns.h"
+#include "util-lua-tls.h"
 
 static const char luaext_key_ld[] = "suricata:luajitdata";
 static const char luaext_key_det_ctx[] = "suricata:det_ctx";
@@ -617,6 +618,7 @@ int LuaRegisterExtensions(lua_State *lua_state)
 LuaRegisterFunctions(lua_state);
 LuaRegisterHttpFunctions(lua_state);
 LuaRegisterDnsFunctions(lua_state);
+ LuaRegisterTlsFunctions(lua_state);
 
 return 0;
 }
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 8fd5ff61b3..d1f2cd00c2 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -164,6 +164,8 @@ void DetectLuaRegister(void)
 #define DATATYPE_DNS_REQUEST (1<<16)
 #define DATATYPE_DNS_RESPONSE (1<<17)
+#define DATATYPE_TLS (1<<18)
+
 
 #ifdef HAVE_LUAJIT
 static void *LuaStatePoolAlloc(void)
 {
@@ -1000,6 +1002,12 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld)
 SCLogError(SC_ERR_LUA_ERROR, "alloc error");
 goto error;
 }
+ } else if (strncmp(k, "tls", 3) == 0 && strcmp(v, "true") == 0) {
+
+ ld->alproto = ALPROTO_TLS;
+
+ ld->flags |= DATATYPE_TLS;
+
 } else {
 SCLogError(SC_ERR_LUA_ERROR, "unsupported data type %s", k);
 goto error;
@@ -1095,6 +1103,8 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, char *str)
 } else if (luajit->flags & DATATYPE_DNS_RESPONSE) {
 SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_DNSRESPONSE_MATCH);
 }
+ } else if (luajit->alproto == ALPROTO_TLS) {
+ SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_AMATCH);
 } else {
 SCLogError(SC_ERR_LUA_ERROR, "luajit can't be used with protocol %s",
 AppLayerGetProtoName(luajit->alproto));
diff --git a/src/util-lua-tls.c b/src/util-lua-tls.c
new file mode 100644
index 0000000000..8816d5d549
--- /dev/null
+++ b/src/util-lua-tls.c
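Review bot: In the DetectLuaSetupPrime hunk the new branch selects the data type with `strncmp(k, "tls", 3) == 0`, so any key that merely starts with "tls" (for example "tlsx") is accepted as the tls type; since the value is already compared with `strcmp`, the key can be too: `} else if (strcmp(k, "tls") == 0 && strcmp(v, "true") == 0) {`. If the neighbouring http/dns branches use the same prefix comparison this is at least consistent, but an exact match is the safer contract for a script-supplied needs table. The two blank lines inside that branch body are not in the style of the surrounding branches and can be dropped. The branch also assigns `ld->alproto = ALPROTO_TLS` unconditionally; whether a needs table naming a second protocol should be rejected rather than silently overwritten is not visible here. DetectLuaSetupPrime and DetectLuaSetup both begin and end outside these hunks.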
@@ -0,0 +1,145 @@
+/* Copyright (C) 2014 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+
+/**
+ * \file
+ *
+ * \author Eric Leblond
+ *
+ */
+
+#include "suricata-common.h"
+#include "debug.h"
+#include "detect.h"
+#include "pkt-var.h"
+#include "conf.h"
+
+#include "threads.h"
+#include "threadvars.h"
+#include "tm-threads.h"
+
+#include "util-print.h"
+#include "util-unittest.h"
+
+#include "util-debug.h"
+
+#include "output.h"
+#include "app-layer.h"
+#include "app-layer-parser.h"
+#include "app-layer-ssl.h"
+#include "util-privs.h"
+#include "util-buffer.h"
+#include "util-proto-name.h"
+#include "util-logopenfile.h"
+#include "util-time.h"
+
+#ifdef HAVE_LUA
+
+#include
+#include
+#include
+
+#include "util-lua.h"
+#include "util-lua-common.h"
+
+static int GetCertInfo(lua_State *luastate, const Flow *f, int direction)
+{
+ void *state = FlowGetAppState(f);
+ if (state == NULL)
+ return LuaCallbackError(luastate, "error: no app layer state");
+
+ SSLState *ssl_state = (SSLState *)state;
+ SSLStateConnp *connp = NULL;
+
+ if (direction) {
+ connp = &ssl_state->client_connp;
+ } else {
+ connp = &ssl_state->server_connp;
+ }
+
+ if (connp->cert0_subject == NULL)
+ return LuaCallbackError(luastate, "error: no cert");
+
+ /* tls.version */
+ char ssl_version[32] = "";
+ switch (ssl_state->server_connp.version) {
+ case TLS_VERSION_UNKNOWN:
+ snprintf(ssl_version, sizeof(ssl_version), "UNDETERMINED");
+ break;
+ case SSL_VERSION_2:
+ snprintf(ssl_version, sizeof(ssl_version), "SSLv2");
+ break;
+ case SSL_VERSION_3:
+ snprintf(ssl_version, sizeof(ssl_version), "SSLv3");
+ break;
+ case TLS_VERSION_10:
+ snprintf(ssl_version, sizeof(ssl_version), "TLSv1");
+ break;
+ case TLS_VERSION_11:
+ snprintf(ssl_version, sizeof(ssl_version), "TLS 1.1");
+ break;
+ case TLS_VERSION_12:
+ snprintf(ssl_version, sizeof(ssl_version), "TLS 1.2");
+ break;
+ default:
+ snprintf(ssl_version, sizeof(ssl_version), "0x%04x",
+ ssl_state->server_connp.version);
+ break;
+ }
+
+ int r = LuaPushStringBuffer(luastate, (uint8_t *)ssl_version, strlen(ssl_version));
+ r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_subject, strlen(connp->cert0_subject));
+ r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_issuerdn, strlen(connp->cert0_issuerdn));
+ r += LuaPushStringBuffer(luastate, (uint8_t *)connp->cert0_fingerprint, strlen(connp->cert0_fingerprint));
+ return r;
+}
+
+static int TlsGetCertInfo(lua_State *luastate)
+{
+ int r;
+
+ if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+ return LuaCallbackError(luastate, "error: protocol not tls");
+
+ int direction = LuaStateGetDirection(luastate);
+
+ int lock_hint = 0;
+ Flow *f = LuaStateGetFlow(luastate, &lock_hint);
+ if (f == NULL)
+ return LuaCallbackError(luastate, "internal error: no flow");
+
+ if (lock_hint == LUA_FLOW_NOT_LOCKED_BY_PARENT) {
+ FLOWLOCK_RDLOCK(f);
+ r = GetCertInfo(luastate, f, direction);
+ FLOWLOCK_UNLOCK(f);
+ } else {
+ r = GetCertInfo(luastate, f, direction);
+ }
+ return r;
+}
+
+/** \brief register tls lua extensions in a luastate */
+int LuaRegisterTlsFunctions(lua_State *luastate)
+{
+ /* registration of the callbacks */
+ lua_pushcfunction(luastate, TlsGetCertInfo);
+ lua_setglobal(luastate, "TlsGetCertInfo");
+ return 0;
+}
+
+#endif /* HAVE_LUA */
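Review bot: GetCertInfo only tests `connp->cert0_subject` for NULL, yet it then calls `strlen()` on `cert0_issuerdn` and `cert0_fingerprint` as well; unless the SSL parser guarantees the three fields are always populated together, a partially parsed certificate turns this into `strlen(NULL)`, which is undefined behaviour on attacker-supplied traffic. Widen the guard to `if (connp->cert0_subject == NULL || connp->cert0_issuerdn == NULL || connp->cert0_fingerprint == NULL) return LuaCallbackError(luastate, "error: no cert");`. The version string is read from `ssl_state->server_connp.version` regardless of `direction`, while the certificate fields come from the direction-selected `connp`; if that is intended, a comment such as `/* version is always taken from the server side */` on the switch would make it clear. The file header's copyright year (2014) and author do not match the commit's (2015, Victor Julien).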
diff --git a/src/util-lua-tls.h b/src/util-lua-tls.h
new file mode 100644
index 0000000000..57a27b5500
--- /dev/null
+++ b/src/util-lua-tls.h
@@ -0,0 +1,33 @@
+/* Copyright (C) 2015 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+/**
+ * \file
+ *
+ * \author Victor Julien
+ */
+
+#ifndef __UTIL_LUA_TLS_H__
+#define __UTIL_LUA_TLS_H__
+
+#ifdef HAVE_LUA
+
+int LuaRegisterTlsFunctions(lua_State *luastate);
+
+#endif /* HAVE_LUA */
+
+#endif /* __UTIL_LUA_TLS_H__ */
-- 
2.47.2
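Review bot: The prototype `int LuaRegisterTlsFunctions(lua_State *luastate);` names `lua_State` without a Lua include or forward declaration, so the header only compiles in a translation unit that has already pulled in the Lua headers; if the sibling util-lua-*.h headers rely on the same ordering this is consistent, otherwise a `typedef struct lua_State lua_State;` inside the `HAVE_LUA` block makes it self-contained. A one-line Doxygen comment on the declaration, e.g. `/** \brief register the TLS Lua callbacks (TlsGetCertInfo) in luastate, returns 0 */`, would document the only exported function.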