* : add TLS/SSL Version info (openssl). #62

Merged
merged 1 commit into from
May 23, 2022
Merged
20 changes: 16 additions & 4 deletions kern/openssl_kern.c
Expand Up @@ -12,6 +12,7 @@ struct ssl_data_event_t {
s32 data_len;
char comm[TASK_COMM_LEN];
u32 fd;
s32 version;
};

struct {
Expand All @@ -32,6 +33,12 @@ struct {
} connect_events SEC(".maps");

struct active_ssl_buf {
/*
* protocol version (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION,
* DTLS1_VERSION)
* from ssl/ssl_local.h struct ssl_st
*/
s32 version;
u32 fd;
const char* buf;
};
Expand Down Expand Up @@ -83,7 +90,7 @@ struct BIO {
};

struct ssl_st {
int version;
s32 version;
struct unused* method;
struct BIO* rbio; // used by SSL_read
struct BIO* wbio; // used by SSL_write
Expand Down Expand Up @@ -117,7 +124,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(

static int process_SSL_data(struct pt_regs* ctx, u64 id,
enum ssl_data_event_type type, const char* buf,
u32 fd) {
u32 fd, s32 version) {
int len = (int)PT_REGS_RC(ctx);
if (len < 0) {
return 0;
Expand All @@ -130,6 +137,7 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id,

event->type = type;
event->fd = fd;
event->version = version;
// This is a max function, but it is written in such a way to keep older BPF
// verifiers happy.
event->data_len =
Expand Down Expand Up @@ -177,6 +185,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
struct active_ssl_buf active_ssl_buf_t;
__builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
active_ssl_buf_t.fd = fd;
active_ssl_buf_t.version = ssl_info.version;
active_ssl_buf_t.buf = buf;
bpf_map_update_elem(&active_ssl_write_args_map, &current_pid_tgid,
&active_ssl_buf_t, BPF_ANY);
Expand All @@ -201,8 +210,9 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
if (active_ssl_buf_t != NULL) {
const char* buf;
u32 fd = active_ssl_buf_t->fd;
s32 version = active_ssl_buf_t->version;
bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd);
process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version);
}
bpf_map_delete_elem(&active_ssl_write_args_map, &current_pid_tgid);
return 0;
Expand Down Expand Up @@ -239,6 +249,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
struct active_ssl_buf active_ssl_buf_t;
__builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
active_ssl_buf_t.fd = fd;
active_ssl_buf_t.version = ssl_info.version;
active_ssl_buf_t.buf = buf;
bpf_map_update_elem(&active_ssl_read_args_map, &current_pid_tgid,
&active_ssl_buf_t, BPF_ANY);
Expand All @@ -263,8 +274,9 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
if (active_ssl_buf_t != NULL) {
const char* buf;
u32 fd = active_ssl_buf_t->fd;
s32 version = active_ssl_buf_t->version;
bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd);
process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version);
}
bpf_map_delete_elem(&active_ssl_read_args_map, &current_pid_tgid);
return 0;
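Review bot: The new `s32 version;` in `struct active_ssl_buf` is copied straight from the userspace `struct ssl_st` mirror declared in this file, so its meaning depends entirely on that mirror's layout matching the libssl actually loaded, and the comment above it lists only four of the constants the consumer side decodes. Suggested replacement for that comment: `/* ssl_st.version copied verbatim at probe entry: one of the SSL*_VERSION / TLS1*_VERSION / DTLS1*_VERSION values when the struct ssl_st mirror below matches the loaded libssl, otherwise arbitrary; 0 (from memset) means not populated */`. The same field added to `struct ssl_data_event_t` in the first hunk carries no comment at all and would benefit from the same line. The read that fills `ssl_info.version` in probe_entry_SSL_write / probe_entry_SSL_read happens outside the hunks shown, so whether its result is checked cannot be confirmed here.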
8 changes: 3 additions & 5 deletions kern/postgres_kern.c
Expand Up @@ -7,8 +7,7 @@ struct data_t {
char comm[TASK_COMM_LEN];
};

struct
{
struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
} events SEC(".maps");

Expand All @@ -18,7 +17,6 @@ struct
// static void exec_simple_query(const char *query_string)
SEC("uprobe/exec_simple_query")
int postgres_query(struct pt_regs *ctx) {

u64 current_pid_tgid = bpf_get_current_pid_tgid();
u32 pid = current_pid_tgid >> 32;

Expand All @@ -30,10 +28,10 @@ int postgres_query(struct pt_regs *ctx) {
#endif

struct data_t data = {};
data.pid = pid; // only process id
data.pid = pid; // only process id
data.timestamp = bpf_ktime_get_ns();

char *sql_string= (char *)PT_REGS_PARM1(ctx);
char *sql_string = (char *)PT_REGS_PARM1(ctx);
bpf_get_current_comm(&data.comm, sizeof(data.comm));
bpf_probe_read(&data.query, sizeof(data.query), sql_string);
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
47 changes: 45 additions & 2 deletions user/event_openssl.go
Expand Up @@ -21,6 +21,43 @@ const (
const MAX_DATA_SIZE = 1024 * 4
const SA_DATA_LEN = 14

const (
SSL2_VERSION = 0x0002
SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304
DTLS1_VERSION = 0xFEFF
DTLS1_2_VERSION = 0xFEFD
)

type tls_version struct {
version int32
}

func (t tls_version) String() string {
switch t.version {
case SSL2_VERSION:
return "SSL2_VERSION"
case SSL3_VERSION:
return "SSL3_VERSION"
case TLS1_VERSION:
return "TLS1_VERSION"
case TLS1_1_VERSION:
return "TLS1_1_VERSION"
case TLS1_2_VERSION:
return "TLS1_2_VERSION"
case TLS1_3_VERSION:
return "TLS1_3_VERSION"
case DTLS1_VERSION:
return "DTLS1_VERSION"
case DTLS1_2_VERSION:
return "DTLS1_2_VERSION"
}
return "TLS_VERSION_UNKNOW"
}

type SSLDataEvent struct {
module IModule
event_type EVENT_TYPE
Expand All @@ -32,6 +69,7 @@ type SSLDataEvent struct {
Data_len int32
Comm [16]byte
Fd uint32
Version int32
}

func (this *SSLDataEvent) Decode(payload []byte) (err error) {
Expand Down Expand Up @@ -60,6 +98,9 @@ func (this *SSLDataEvent) Decode(payload []byte) (err error) {
if err = binary.Read(buf, binary.LittleEndian, &this.Fd); err != nil {
return
}
if err = binary.Read(buf, binary.LittleEndian, &this.Version); err != nil {
return
}

return nil
}
Expand All @@ -82,7 +123,8 @@ func (this *SSLDataEvent) StringHex() string {
b := dumpByteSlice(this.Data[:this.Data_len], perfix)
b.WriteString(COLORRESET)

s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Payload:\n%s", this.Pid, this.Comm, this.Tid, connInfo, b.String())
v := tls_version{version: this.Version}
s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Version:%s, Payload:\n%s", this.Pid, this.Comm, this.Tid, connInfo, v.String(), b.String())
return s
}

Expand All @@ -100,7 +142,8 @@ func (this *SSLDataEvent) String() string {
default:
connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET)
}
s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, connInfo, perfix, string(this.Data[:this.Data_len]), COLORRESET)
v := tls_version{version: this.Version}
s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, Version:%s, %s, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, v.String(), connInfo, perfix, string(this.Data[:this.Data_len]), COLORRESET)
return s
}

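Review bot: `tls_version.String()` collapses every unrecognised value to the fixed string `"TLS_VERSION_UNKNOW"`, so a version field that arrives with an unexpected value (for example when the kernel-side `struct ssl_st` mirror does not match the loaded libssl) leaves no trace of what was actually read. The file already prints unknown enum values together with their number (`UNKNOW_%d` in the `default:` arm of `String()`), so the fallback should follow that pattern: `return fmt.Sprintf("TLS_VERSION_UNKNOW_0x%x", t.version)`. Separately, `StringHex()` places `Version:` after `connInfo` while `String()` places it before, so the two log lines disagree on field order; one order should be picked for both. The `Decode` method that reads `this.Version` starts outside the hunk shown.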