fix: SSLDataEvent's fd is 0 Error (#642)

* fix: #642 , support OpenSSL/boringssl BIO type
gojue · Oct 13, 2024 · 93cfff4 · 93cfff4
1 parent 95d1dc3
commit 93cfff4
Show file tree

Hide file tree

Showing 23 changed files with 189 additions and 39 deletions.
diff --git a/kern/boringssl_a_13_kern.c b/kern/boringssl_a_13_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x18
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 

diff --git a/kern/boringssl_a_14_kern.c b/kern/boringssl_a_14_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x18
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 

diff --git a/kern/boringssl_na_kern.c b/kern/boringssl_na_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x20
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 

diff --git a/kern/openssl.h b/kern/openssl.h
@@ -22,6 +22,8 @@
 
 enum ssl_data_event_type { kSSLRead, kSSLWrite };
 const u32 invalidFD = 0;
+// BIO_TYPE_NONE
+const u32 defaultBioType = 0;
 
 struct ssl_data_event_t {
     enum ssl_data_event_type type;
@@ -33,6 +35,7 @@ struct ssl_data_event_t {
     char comm[TASK_COMM_LEN];
     u32 fd;
     s32 version;
+    u32 bio_type;
 };
 
 struct connect_event_t {
@@ -52,6 +55,7 @@ struct active_ssl_buf {
      */
     s32 version;
     u32 fd;
+    u32 bio_type;
     const char* buf;
 };
 
@@ -128,6 +132,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(
     event->pid = current_pid_tgid >> 32;
     event->tid = current_pid_tgid & kMask32b;
     event->fd = invalidFD;
+    event->bio_type = defaultBioType;
 
     return event;
 }
@@ -138,7 +143,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(
 
 static int process_SSL_data(struct pt_regs* ctx, u64 id,
                             enum ssl_data_event_type type, const char* buf,
-                            u32 fd, s32 version) {
+                            u32 fd, s32 version, u32 bio_type) {
     int len = (int)PT_REGS_RC(ctx);
     if (len < 0) {
         return 0;
@@ -151,6 +156,7 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id,
 
     event->type = type;
     event->fd = fd;
+    event->bio_type = bio_type;
     event->version = version;
     // This is a max function, but it is written in such a way to keep older BPF
     // verifiers happy.
@@ -164,6 +170,38 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id,
     return 0;
 }
 
+static u32 process_BIO_type(u64 ssl_bio_addr) {
+    u64 *ssl_bio_method_ptr, *ssl_bio_method_type_ptr;
+    u64 ssl_bio_method_addr;
+    u32 bio_type;
+    int ret;
+
+    // get ssl->bio->method
+    ssl_bio_method_ptr = (u64 *)(ssl_bio_addr + BIO_ST_METHOD);
+    ret = bpf_probe_read_user(&ssl_bio_method_addr, sizeof(ssl_bio_method_addr),
+                              ssl_bio_method_ptr);
+    if (ret) {
+        debug_bpf_printk(
+            "(OPENSSL) process_BIO_type: bpf_probe_read ssl_bio_method_ptr failed, ret: %d\n",
+            ret);
+        return defaultBioType;
+    }
+
+    // get ssl->bio->method->type
+    ssl_bio_method_type_ptr = (u64 *)(ssl_bio_method_addr + BIO_METHOD_ST_TYPE);
+    ret = bpf_probe_read_user(&bio_type, sizeof(bio_type),
+                              ssl_bio_method_type_ptr);
+    if (ret) {
+        debug_bpf_printk(
+            "(OPENSSL) process_BIO_type: bpf_probe_read ssl_bio_method_type_ptr failed, ret: %d\n",
+            ret);
+        return defaultBioType;
+    }
+
+    debug_bpf_printk("openssl process_BIO_type bio_type: %d\n", bio_type);
+    return bio_type;
+}
+
 /***********************************************************
  * BPF probe function entry-points
  ***********************************************************/
@@ -186,7 +224,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
         return 0;
     }
 #endif
-    debug_bpf_printk("openssl uprobe/SSL_write pid :%d\n", pid);
+    debug_bpf_printk("openssl uprobe/SSL_write pid: %d\n", pid);
 
     void* ssl = (void*)PT_REGS_PARM1(ctx);
     // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
@@ -200,7 +238,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
                               ssl_ver_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret: %d\n",
             ret);
         return 0;
     }
@@ -210,23 +248,24 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
                               ssl_wbio_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret: %d\n",
             ret);
         return 0;
     }
 
+    // get ssl->bio->method->type
+    u32 bio_type = process_BIO_type(ssl_wbio_addr);
+
     // get fd ssl->wbio->num
     ssl_wbio_num_ptr = (u64 *)(ssl_wbio_addr + BIO_ST_NUM);
     ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
                               ssl_wbio_num_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret: %d\n",
             ret);
         return 0;
     }
-
-    // get fd ssl->wbio->num
     u32 fd = (u32)ssl_wbio_num_addr;
     if (fd == 0) {
         u64 ssl_addr = (u64)ssl;
@@ -236,14 +275,15 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
         } else {
         }
     }
-    debug_bpf_printk("openssl uprobe SSL_write FD:%d, version:%d\n", fd, ssl_version);
+    debug_bpf_printk("openssl uprobe/SSL_write fd: %d, version: %d\n", fd, ssl_version);
 
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
     struct active_ssl_buf active_ssl_buf_t;
     __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
     active_ssl_buf_t.fd = fd;
     active_ssl_buf_t.version = ssl_version;
     active_ssl_buf_t.buf = buf;
+    active_ssl_buf_t.bio_type = bio_type;
     bpf_map_update_elem(&active_ssl_write_args_map, &current_pid_tgid,
                         &active_ssl_buf_t, BPF_ANY);
 
@@ -266,15 +306,16 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
         return 0;
     }
 #endif
-    debug_bpf_printk("openssl uretprobe/SSL_write pid :%d\n", pid);
+    debug_bpf_printk("openssl uretprobe/SSL_write pid: %d\n", pid);
     struct active_ssl_buf* active_ssl_buf_t =
         bpf_map_lookup_elem(&active_ssl_write_args_map, &current_pid_tgid);
     if (active_ssl_buf_t != NULL) {
         const char* buf;
         u32 fd = active_ssl_buf_t->fd;
+        u32 bio_type = active_ssl_buf_t->bio_type;
         s32 version = active_ssl_buf_t->version;
         bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
-        process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version);
+        process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version, bio_type);
     }
     bpf_map_delete_elem(&active_ssl_write_args_map, &current_pid_tgid);
     return 0;
@@ -288,7 +329,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
     u32 pid = current_pid_tgid >> 32;
     u64 current_uid_gid = bpf_get_current_uid_gid();
     u32 uid = current_uid_gid;
-    debug_bpf_printk("openssl uprobe/SSL_read pid :%d\n", pid);
+    debug_bpf_printk("openssl uprobe/SSL_read pid: %d\n", pid);
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
@@ -312,7 +353,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
                               ssl_ver_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret: %d\n",
             ret);
         return 0;
     }
@@ -322,22 +363,24 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
                               ssl_rbio_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret: %d\n",
             ret);
         return 0;
     }
 
+    // get ssl->bio->method->type
+    u32 bio_type = process_BIO_type(ssl_rbio_addr);
+
     // get fd ssl->rbio->num
     ssl_rbio_num_ptr = (u64 *)(ssl_rbio_addr + BIO_ST_NUM);
     ret = bpf_probe_read_user(&ssl_rbio_num_addr, sizeof(ssl_rbio_num_addr),
                               ssl_rbio_num_ptr);
     if (ret) {
         debug_bpf_printk(
-            "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret :%d\n",
+            "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret: %d\n",
             ret);
         return 0;
     }
-
     u32 fd = (u32)ssl_rbio_num_addr;
     if (fd == 0) {
         u64 ssl_addr = (u64)ssl;
@@ -347,14 +390,15 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
         } else {
         }
     }
-    debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n", pid, fd);
+    debug_bpf_printk("openssl uprobe/SSL_read fd: %d, version: %d\n", fd, ssl_version);
 
     const char* buf = (const char*)PT_REGS_PARM2(ctx);
     struct active_ssl_buf active_ssl_buf_t;
     __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
     active_ssl_buf_t.fd = fd;
     active_ssl_buf_t.version = ssl_version;
     active_ssl_buf_t.buf = buf;
+    active_ssl_buf_t.bio_type = bio_type;
     bpf_map_update_elem(&active_ssl_read_args_map, &current_pid_tgid,
                         &active_ssl_buf_t, BPF_ANY);
     return 0;
@@ -366,7 +410,7 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     u32 pid = current_pid_tgid >> 32;
     u64 current_uid_gid = bpf_get_current_uid_gid();
     u32 uid = current_uid_gid;
-    debug_bpf_printk("openssl uretprobe/SSL_read pid :%d\n", pid);
+    debug_bpf_printk("openssl uretprobe/SSL_read pid: %d\n", pid);
 
 #ifndef KERNEL_LESS_5_2
     // if target_ppid is 0 then we target all pids
@@ -383,9 +427,10 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
     if (active_ssl_buf_t != NULL) {
         const char* buf;
         u32 fd = active_ssl_buf_t->fd;
+        u32 bio_type = active_ssl_buf_t->bio_type;
         s32 version = active_ssl_buf_t->version;
         bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
-        process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version);
+        process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version, bio_type);
     }
     bpf_map_delete_elem(&active_ssl_read_args_map, &current_pid_tgid);
     return 0;
@@ -454,6 +499,6 @@ int probe_SSL_set_fd(struct pt_regs* ctx) {
     u64 ssl_addr = (u64)PT_REGS_PARM1(ctx);
     u64 fd = (u64)PT_REGS_PARM2(ctx);
     bpf_map_update_elem(&ssl_st_fd, &ssl_addr, &fd, BPF_ANY);
-    debug_bpf_printk("SSL_set_fd hook!!, ssl_addr:%d, fd:%d\n", ssl_addr, fd);
+    debug_bpf_printk("SSL_set_fd hook!!, ssl_addr: %d, fd: %d\n", ssl_addr, fd);
     return 0;
 }
diff --git a/kern/openssl_1_0_2a_kern.c b/kern/openssl_1_0_2a_kern.c
@@ -40,6 +40,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x28
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // openssl 1.0.2 does not support TLS 1.3, set 0 default
 #define SSL_ST_HANDSHAKE_SECRET 0
 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0

diff --git a/kern/openssl_1_1_0a_kern.c b/kern/openssl_1_1_0a_kern.c
@@ -40,6 +40,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x28
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // openssl 1.1.0 does not support TLS 1.3, set 0 default
 #define SSL_ST_HANDSHAKE_SECRET 0
 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0

diff --git a/kern/openssl_1_1_1a_kern.c b/kern/openssl_1_1_1a_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 

diff --git a/kern/openssl_1_1_1b_kern.c b/kern/openssl_1_1_1b_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 

diff --git a/kern/openssl_1_1_1d_kern.c b/kern/openssl_1_1_1d_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 

diff --git a/kern/openssl_1_1_1j_kern.c b/kern/openssl_1_1_1j_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"