feat: support keylog and pcap mode in gnutls

cli/cmd/gnutls.go

@@ -18,6 +18,8 @@
 package cmd
 
 import (
+	"strings"
+
 	"github.com/gojue/ecapture/user/config"
 	"github.com/gojue/ecapture/user/module"
 	"github.com/spf13/cobra"
@@ -35,17 +37,27 @@ ecapture gnutls
 ecapture gnutls --hex --pid=3423
 ecapture gnutls -l save.log --pid=3423
 ecapture gnutls --gnutls=/lib/x86_64-linux-gnu/libgnutls.so
+ecapture gnutls -m keylog -k ecapture_gnutls_key.og --ssl_version=3.7.9
+ecapture gnutls -m pcap --pcapfile save.pcapng -i eth0 --gnutls=/lib/x86_64-linux-gnu/libgnutls.so tcp port 443
 `,
 	Run: gnuTlsCommandFunc,
 }
 
 func init() {
 	//opensslCmd.PersistentFlags().StringVar(&gc.Curlpath, "wget", "", "wget file path, default: /usr/bin/wget. (Deprecated)")
 	gnutlsCmd.PersistentFlags().StringVar(&gc.Gnutls, "gnutls", "", "libgnutls.so file path, will automatically find it from curl default.")
+	gnutlsCmd.PersistentFlags().StringVarP(&gc.Model, "model", "m", "text", "capture model, such as : text, pcap/pcapng, key/keylog")
+	gnutlsCmd.PersistentFlags().StringVarP(&gc.KeylogFile, "keylogfile", "k", "ecapture_gnutls_key.log", "The file stores SSL/TLS keys, and eCapture captures these keys during encrypted traffic communication and saves them to the file.")
+	gnutlsCmd.PersistentFlags().StringVarP(&gc.PcapFile, "pcapfile", "w", "save.pcapng", "write the raw packets to file as pcapng format.")
+	gnutlsCmd.PersistentFlags().StringVarP(&gc.Ifname, "ifname", "i", "", "(TC Classifier) Interface name on which the probe will be attached.")
+	gnutlsCmd.PersistentFlags().StringVar(&gc.SslVersion, "ssl_version", "", "GnuTLS version, e.g: --ssl_version=\"3.7.9\"")
 	rootCmd.AddCommand(gnutlsCmd)
 }
 
 // gnuTlsCommandFunc executes the "bash" command.
 func gnuTlsCommandFunc(command *cobra.Command, args []string) {
+	if gc.PcapFilter == "" && len(args) != 0 {
+		gc.PcapFilter = strings.Join(args, " ")
+	}
 	runModule(module.ModuleNameGnutls, gc)
 }

kern/gnutls_kern.c → kern/gnutls.h

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #include "ecapture.h"
+#include "tc.h"
 
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
 

kern/gnutls_3_6_12_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_6_12_KERN_H
+#define ECAPTURE_GNUTLS_3_6_12_KERN_H
+
+// version 3.6.12, 3.6.13
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x14d4
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x1514
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x1554
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x1594
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x15d4
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_6_14_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_6_14_KERN_H
+#define ECAPTURE_GNUTLS_3_6_14_KERN_H
+
+// version 3.6.14, 3.6.15, 3.6.16
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x17e4
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x1824
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x1864
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x18a4
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x18e4
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_7_0_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_7_0_KERN_H
+#define ECAPTURE_GNUTLS_3_7_0_KERN_H
+
+// version 3.7.0, 3.7.1, 3.7.2
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x1804
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x1844
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x1884
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x18c4
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x1904
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_7_3_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_7_3_KERN_H
+#define ECAPTURE_GNUTLS_3_7_3_KERN_H
+
+// version 3.7.3, 3.7.4, 3.7.5, 3.7.6
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x180c
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x184c
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x188c
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x18cc
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x190c
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_7_7_kern.c

@@ -0,0 +1,46 @@
+#ifndef ECAPTURE_GNUTLS_3_7_7_KERN_H
+#define ECAPTURE_GNUTLS_3_7_7_KERN_H
+
+// version 3.7.7, 3.7.8, 3.7.9, 3.7.10, 3.7.11
+// version 3.8.0, 3.8.1, 3.8.2, 3.8.3
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x1794
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x17d4
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x1814
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x1854
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x1894
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_8_4_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_8_4_KERN_H
+#define ECAPTURE_GNUTLS_3_8_4_KERN_H
+
+// version 3.8.4, 3.8.5, 3.8.6
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x17dc
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x181c
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x185c
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x189c
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x18dc
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif

kern/gnutls_3_8_7_kern.c

@@ -0,0 +1,45 @@
+#ifndef ECAPTURE_GNUTLS_3_8_7_KERN_H
+#define ECAPTURE_GNUTLS_3_8_7_KERN_H
+
+// version 3.8.7
+
+// gnutls_session_int->security_parameters
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0
+
+// gnutls_session_int->security_parameters.prf
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_PRF 0x18
+
+// mac_entry_st->id
+#define MAC_ENTRY_ST_ID 0x18
+
+// gnutls_session_int->security_parameters.client_random
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_CLIENT_RANDOM 0x50
+
+// gnutls_session_int->security_parameters.master_secret
+#define GNUTLS_SESSION_INT_SECURITY_PARAMETERS_MASTER_SECRET 0x20
+
+// gnutls_session_int->key.proto.tls13.hs_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_CKEY 0x19d4
+
+// gnutls_session_int->key.proto.tls13.hs_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_HS_SKEY 0x1a14
+
+// gnutls_session_int->key.proto.tls13.ap_ckey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_CKEY 0x1a54
+
+// gnutls_session_int->key.proto.tls13.ap_skey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_SKEY 0x1a94
+
+// gnutls_session_int->key.proto.tls13.ap_expkey
+#define GNUTLS_SESSION_INT_KEY_PROTO_TLS13_AP_EXPKEY 0x1ad4
+
+// security_parameters_st->pversion
+#define SECURITY_PARAMETERS_ST_PVERSION 0xf8
+
+// version_entry_st->id
+#define VERSION_ENTRY_ST_ID 0x8
+
+#include "gnutls.h"
+#include "gnutls_masterkey.h"
+
+#endif