From 671c0d188537c2ab417b01265b73c01d6f3da826 Mon Sep 17 00:00:00 2001 From: cfc4n Date: Sun, 17 Sep 2023 23:04:48 +0800 Subject: [PATCH 1/5] utils : create BIO_ST_NUM const used bio_st->num Signed-off-by: cfc4n --- kern/openssl_1_0_2a_kern.c | 3 +++ kern/openssl_1_1_0a_kern.c | 3 +++ kern/openssl_1_1_1a_kern.c | 3 +++ kern/openssl_1_1_1b_kern.c | 3 +++ kern/openssl_1_1_1d_kern.c | 3 +++ kern/openssl_1_1_1j_kern.c | 7 +++++-- kern/openssl_3_0_0_kern.c | 7 +++++-- utils/openssl_1_0_2_offset.c | 3 ++- utils/openssl_1_1_0_offset.c | 4 +++- utils/openssl_1_1_1_offset.c | 9 ++++++++- utils/openssl_3_0_offset.c | 5 +++-- utils/openssl_offset_1.1.0.sh | 2 +- utils/openssl_offset_1.1.1.sh | 9 ++++++++- 13 files changed, 50 insertions(+), 11 deletions(-) diff --git a/kern/openssl_1_0_2a_kern.c b/kern/openssl_1_0_2a_kern.c index edcd9f373..a2c9af708 100644 --- a/kern/openssl_1_0_2a_kern.c +++ b/kern/openssl_1_0_2a_kern.c @@ -28,6 +28,9 @@ // ssl_cipher_st->id #define SSL_CIPHER_ST_ID 0x10 +// bio_st->num +#define BIO_ST_NUM 0x28 + // openssl 1.0.2 does not support TLS 1.3, set 0 default #define SSL_ST_HANDSHAKE_SECRET 0 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0 diff --git a/kern/openssl_1_1_0a_kern.c b/kern/openssl_1_1_0a_kern.c index 783762fde..6be992dd6 100644 --- a/kern/openssl_1_1_0a_kern.c +++ b/kern/openssl_1_1_0a_kern.c @@ -28,6 +28,9 @@ // ssl_cipher_st->id #define SSL_CIPHER_ST_ID 0x10 +// bio_st->num +#define BIO_ST_NUM 0x28 + // openssl 1.1.0 does not support TLS 1.3, set 0 default #define SSL_ST_HANDSHAKE_SECRET 0 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0 diff --git a/kern/openssl_1_1_1a_kern.c b/kern/openssl_1_1_1a_kern.c index ad7f3a5a6..300c299e0 100644 --- a/kern/openssl_1_1_1a_kern.c +++ b/kern/openssl_1_1_1a_kern.c @@ -43,6 +43,9 @@ // ssl_st->exporter_master_secret #define SSL_ST_EXPORTER_MASTER_SECRET 0x3b4 +// bio_st->num +#define BIO_ST_NUM 0x30 + #include "openssl.h" #include "openssl_masterkey.h" 
diff --git a/kern/openssl_1_1_1b_kern.c b/kern/openssl_1_1_1b_kern.c index 3cc4fe558..07433b20a 100644 --- a/kern/openssl_1_1_1b_kern.c +++ b/kern/openssl_1_1_1b_kern.c @@ -43,6 +43,9 @@ // ssl_st->exporter_master_secret #define SSL_ST_EXPORTER_MASTER_SECRET 0x3b4 +// bio_st->num +#define BIO_ST_NUM 0x30 + #include "openssl.h" #include "openssl_masterkey.h" diff --git a/kern/openssl_1_1_1d_kern.c b/kern/openssl_1_1_1d_kern.c index 185a7fc25..fd508c125 100644 --- a/kern/openssl_1_1_1d_kern.c +++ b/kern/openssl_1_1_1d_kern.c @@ -43,6 +43,9 @@ // ssl_st->exporter_master_secret #define SSL_ST_EXPORTER_MASTER_SECRET 0x3bc +// bio_st->num +#define BIO_ST_NUM 0x30 + #include "openssl.h" #include "openssl_masterkey.h" diff --git a/kern/openssl_1_1_1j_kern.c b/kern/openssl_1_1_1j_kern.c index 4c73cb914..25fb4e1cc 100644 --- a/kern/openssl_1_1_1j_kern.c +++ b/kern/openssl_1_1_1j_kern.c @@ -1,8 +1,8 @@ #ifndef ECAPTURE_OPENSSL_1_1_1_J_KERN_H #define ECAPTURE_OPENSSL_1_1_1_J_KERN_H -/* OPENSSL_VERSION_TEXT: OpenSSL 1.1.1s 1 Nov 2022 */ -/* OPENSSL_VERSION_NUMBER: 269488447 */ +/* OPENSSL_VERSION_TEXT: OpenSSL 1.1.1u 30 May 2023 */ +/* OPENSSL_VERSION_NUMBER: 269488479 */ // ssl_st->version #define SSL_ST_VERSION 0x0 @@ -43,6 +43,9 @@ // ssl_st->exporter_master_secret #define SSL_ST_EXPORTER_MASTER_SECRET 0x3bc +// bio_st->num +#define BIO_ST_NUM 0x30 + #include "openssl.h" #include "openssl_masterkey.h" diff --git a/kern/openssl_3_0_0_kern.c b/kern/openssl_3_0_0_kern.c index 039d6c080..03d6c9a8f 100644 --- a/kern/openssl_3_0_0_kern.c +++ b/kern/openssl_3_0_0_kern.c @@ -1,8 +1,8 @@ #ifndef ECAPTURE_OPENSSL_3_0_0_KERN_H #define ECAPTURE_OPENSSL_3_0_0_KERN_H -/* OPENSSL_VERSION_TEXT: OpenSSL 3.0.7 1 Nov 2022 */ -/* OPENSSL_VERSION_NUMBER: 805306480 */ +/* OPENSSL_VERSION_TEXT: OpenSSL 3.0.9 30 May 2023 */ +/* OPENSSL_VERSION_NUMBER: 805306512 */ // ssl_st->version #define SSL_ST_VERSION 0x0 
@@ -43,6 +43,9 @@ // ssl_st->exporter_master_secret #define SSL_ST_EXPORTER_MASTER_SECRET 0x7c4 +// bio_st->num +#define BIO_ST_NUM 0x38 + #include "openssl.h" #include "openssl_masterkey_3.0.h" diff --git a/utils/openssl_1_0_2_offset.c b/utils/openssl_1_0_2_offset.c index da2999733..f3419d45c 100644 --- a/utils/openssl_1_0_2_offset.c +++ b/utils/openssl_1_0_2_offset.c @@ -12,7 +12,8 @@ X(ssl3_state_st, client_random) \ X(ssl_session_st, cipher) \ X(ssl_session_st, cipher_id) \ - X(ssl_cipher_st, id) + X(ssl_cipher_st, id) \ + X(bio_st, num) void toUpper(char *s) { int i = 0; diff --git a/utils/openssl_1_1_0_offset.c b/utils/openssl_1_1_0_offset.c index eb9428da3..85e54bea3 100644 --- a/utils/openssl_1_1_0_offset.c +++ b/utils/openssl_1_1_0_offset.c @@ -1,4 +1,5 @@ #include +#include #include #include #include @@ -12,7 +13,8 @@ X(ssl3_state_st, client_random) \ X(ssl_session_st, cipher) \ X(ssl_session_st, cipher_id) \ - X(ssl_cipher_st, id) + X(ssl_cipher_st, id) \ + X(bio_st, num) void toUpper(char *s) { int i = 0; diff --git a/utils/openssl_1_1_1_offset.c b/utils/openssl_1_1_1_offset.c index effb89358..506e3f573 100644 --- a/utils/openssl_1_1_1_offset.c +++ b/utils/openssl_1_1_1_offset.c @@ -3,6 +3,12 @@ #include #include +#if defined(BIO_LCL) +#include +#else +#include +#endif + #if defined(SSL_LOCL_H) #include #else @@ -22,7 +28,8 @@ X(ssl_st, handshake_traffic_hash) \ X(ssl_st, client_app_traffic_secret) \ X(ssl_st, server_app_traffic_secret) \ - X(ssl_st, exporter_master_secret) + X(ssl_st, exporter_master_secret) \ + X(bio_st, num) void toUpper(char *s) { int i = 0; diff --git a/utils/openssl_3_0_offset.c b/utils/openssl_3_0_offset.c index 44b6c21c0..847112301 100644 --- a/utils/openssl_3_0_offset.c +++ b/utils/openssl_3_0_offset.c @@ -1,5 +1,5 @@ // clang -I include/ -I . offset.c -o offset - +#include #include #include #include 
@@ -18,7 +18,8 @@ X(ssl_st, handshake_traffic_hash) \ X(ssl_st, client_app_traffic_secret) \ X(ssl_st, server_app_traffic_secret) \ - X(ssl_st, exporter_master_secret) + X(ssl_st, exporter_master_secret) \ + X(bio_st, num) void toUpper(char *s) { int i = 0; diff --git a/utils/openssl_offset_1.1.0.sh b/utils/openssl_offset_1.1.0.sh index 340834eea..9d0949d65 100755 --- a/utils/openssl_offset_1.1.0.sh +++ b/utils/openssl_offset_1.1.0.sh @@ -60,7 +60,7 @@ function run() { ./config make include/openssl/opensslconf.h - clang -I include/ -I . offset.c -o offset + clang -I include/ -I crypto/include/ -I . offset.c -o offset echo -e "#ifndef ECAPTURE_${header_define}" >${header_file} echo -e "#define ECAPTURE_${header_define}\n" >>${header_file} diff --git a/utils/openssl_offset_1.1.1.sh b/utils/openssl_offset_1.1.1.sh index c601fa390..ff7b646a3 100755 --- a/utils/openssl_offset_1.1.1.sh +++ b/utils/openssl_offset_1.1.1.sh @@ -74,7 +74,14 @@ function run() { else unset flags fi - clang ${flags} -I include/ -I . offset.c -o offset + + if [[ $ver == [a-c] ]]; then + flags_lcl="-DBIO_LCL" + else + unset flags_lcl + fi + + clang ${flags} ${flags_lcl} -I include/ -I . offset.c -o offset echo -e "#ifndef ECAPTURE_${header_define}" >${header_file} echo -e "#define ECAPTURE_${header_define}\n" >>${header_file} From ede08f59c2a56698f6a828dc1853b3b852d6a1de Mon Sep 17 00:00:00 2001 From: cfc4n Date: Mon, 18 Sep 2023 00:22:55 +0800 Subject: [PATCH 2/5] utils : add constant SSL_ST_RBIO from offsetof ssl_st->rbio/wbio. Signed-off-by: cfc4n --- kern/openssl_1_0_2a_kern.c | 6 ++++++ kern/openssl_1_1_0a_kern.c | 6 ++++++ kern/openssl_1_1_1a_kern.c | 6 ++++++ kern/openssl_1_1_1b_kern.c | 6 ++++++ kern/openssl_1_1_1d_kern.c | 6 ++++++ kern/openssl_1_1_1j_kern.c | 6 ++++++ kern/openssl_3_0_0_kern.c | 6 ++++++ utils/openssl_1_0_2_offset.c | 2 ++ utils/openssl_1_1_0_offset.c | 2 ++ utils/openssl_1_1_1_offset.c | 2 ++ utils/openssl_3_0_offset.c | 2 ++ 11 files changed, 50 insertions(+) 
diff --git a/kern/openssl_1_0_2a_kern.c b/kern/openssl_1_0_2a_kern.c index a2c9af708..74c366f40 100644 --- a/kern/openssl_1_0_2a_kern.c +++ b/kern/openssl_1_0_2a_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0x80 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x14 diff --git a/kern/openssl_1_1_0a_kern.c b/kern/openssl_1_1_0a_kern.c index 6be992dd6..d41c531da 100644 --- a/kern/openssl_1_1_0a_kern.c +++ b/kern/openssl_1_1_0a_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0x90 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x8 diff --git a/kern/openssl_1_1_1a_kern.c b/kern/openssl_1_1_1a_kern.c index 300c299e0..7a7b7765f 100644 --- a/kern/openssl_1_1_1a_kern.c +++ b/kern/openssl_1_1_1a_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0xa8 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x50 diff --git a/kern/openssl_1_1_1b_kern.c b/kern/openssl_1_1_1b_kern.c index 07433b20a..38ba612d7 100644 --- a/kern/openssl_1_1_1b_kern.c +++ b/kern/openssl_1_1_1b_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0xa8 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x50 diff --git a/kern/openssl_1_1_1d_kern.c b/kern/openssl_1_1_1d_kern.c index fd508c125..f3bb85501 100644 --- a/kern/openssl_1_1_1d_kern.c +++ b/kern/openssl_1_1_1d_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0xa8 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x50 
diff --git a/kern/openssl_1_1_1j_kern.c b/kern/openssl_1_1_1j_kern.c index 25fb4e1cc..a3438e776 100644 --- a/kern/openssl_1_1_1j_kern.c +++ b/kern/openssl_1_1_1j_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0xa8 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x50 diff --git a/kern/openssl_3_0_0_kern.c b/kern/openssl_3_0_0_kern.c index 03d6c9a8f..d185dbdee 100644 --- a/kern/openssl_3_0_0_kern.c +++ b/kern/openssl_3_0_0_kern.c @@ -13,6 +13,12 @@ // ssl_st->s3 #define SSL_ST_S3 0xa8 +// ssl_st->rbio +#define SSL_ST_RBIO 0x10 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x18 + // ssl_session_st->master_key #define SSL_SESSION_ST_MASTER_KEY 0x50 diff --git a/utils/openssl_1_0_2_offset.c b/utils/openssl_1_0_2_offset.c index f3419d45c..f4d85ea4c 100644 --- a/utils/openssl_1_0_2_offset.c +++ b/utils/openssl_1_0_2_offset.c @@ -8,6 +8,8 @@ X(ssl_st, version) \ X(ssl_st, session) \ X(ssl_st, s3) \ + X(ssl_st, rbio) \ + X(ssl_st, wbio) \ X(ssl_session_st, master_key) \ X(ssl3_state_st, client_random) \ X(ssl_session_st, cipher) \ diff --git a/utils/openssl_1_1_0_offset.c b/utils/openssl_1_1_0_offset.c index 85e54bea3..aca5334b8 100644 --- a/utils/openssl_1_1_0_offset.c +++ b/utils/openssl_1_1_0_offset.c @@ -9,6 +9,8 @@ X(ssl_st, version) \ X(ssl_st, session) \ X(ssl_st, s3) \ + X(ssl_st, rbio) \ + X(ssl_st, wbio) \ X(ssl_session_st, master_key) \ X(ssl3_state_st, client_random) \ X(ssl_session_st, cipher) \ diff --git a/utils/openssl_1_1_1_offset.c b/utils/openssl_1_1_1_offset.c index 506e3f573..2ead8acea 100644 --- a/utils/openssl_1_1_1_offset.c +++ b/utils/openssl_1_1_1_offset.c @@ -19,6 +19,8 @@ X(ssl_st, version) \ X(ssl_st, session) \ X(ssl_st, s3) \ + X(ssl_st, rbio) \ + X(ssl_st, wbio) \ X(ssl_session_st, master_key) \ X(ssl3_state_st, client_random) \ X(ssl_session_st, cipher) \ 
diff --git a/utils/openssl_3_0_offset.c b/utils/openssl_3_0_offset.c index 847112301..ce3f5afe7 100644 --- a/utils/openssl_3_0_offset.c +++ b/utils/openssl_3_0_offset.c @@ -9,6 +9,8 @@ X(ssl_st, version) \ X(ssl_st, session) \ X(ssl_st, s3) \ + X(ssl_st, rbio) \ + X(ssl_st, wbio) \ X(ssl_session_st, master_key) \ X(ssl_st, s3.client_random) \ X(ssl_session_st, cipher) \ From df4d9df159a0825de25de0db76be4da1eba4113e Mon Sep 17 00:00:00 2001 From: cfc4n Date: Sat, 23 Sep 2023 23:37:17 +0800 Subject: [PATCH 3/5] kern : get openssl connection fd used offset address. Signed-off-by: cfc4n --- kern/boringssl_1_1_1_kern.c | 9 ++++ kern/openssl.h | 83 ++++++++++++++++++++++++++++++------ user/module/imodule.go | 2 + user/module/probe_openssl.go | 6 +++ utils/boringssl-offset.c | 4 ++ 5 files changed, 92 insertions(+), 12 deletions(-) diff --git a/kern/boringssl_1_1_1_kern.c b/kern/boringssl_1_1_1_kern.c index 57232bad4..909fdef60 100644 --- a/kern/boringssl_1_1_1_kern.c +++ b/kern/boringssl_1_1_1_kern.c @@ -10,6 +10,12 @@ // ssl_st->session #define SSL_ST_SESSION 0x58 +// ssl_st->rbio +#define SSL_ST_RBIO 0x18 + +// ssl_st->wbio +#define SSL_ST_WBIO 0x20 + // ssl_st->s3 #define SSL_ST_S3 0x30 @@ -25,6 +31,9 @@ // ssl_cipher_st->id #define SSL_CIPHER_ST_ID 0x10 +// bio_st->num +#define BIO_ST_NUM 0x18 + // bssl::SSL3_STATE->hs #define BSSL__SSL3_STATE_HS 0x110 diff --git a/kern/openssl.h b/kern/openssl.h index e58134be5..d27121f8d 100644 --- a/kern/openssl.h +++ b/kern/openssl.h 
@@ -191,21 +191,51 @@ int probe_entry_SSL_write(struct pt_regs* ctx) { void* ssl = (void*)PT_REGS_PARM1(ctx); // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h - struct ssl_st ssl_info; - bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl); - struct BIO bio_w; - bpf_probe_read_user(&bio_w, sizeof(bio_w), ssl_info.wbio); + u64 *ssl_ver_ptr, *ssl_wbio_ptr, *ssl_wbio_num_ptr; + u64 ssl_version, ssl_wbio_addr, ssl_wbio_num_addr; + int ret; + + ssl_ver_ptr = (u64 *)(ssl + SSL_ST_VERSION); + ret = bpf_probe_read_user(&ssl_version, sizeof(ssl_version), + ssl_ver_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n", + ret); + return 0; + } + + ssl_wbio_ptr = (u64 *)(ssl + SSL_ST_WBIO); + ret = bpf_probe_read_user(&ssl_wbio_addr, sizeof(ssl_wbio_addr), + ssl_wbio_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n", + ret); + return 0; + } + + // get fd ssl->wbio->num + ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM); + ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr), + ssl_wbio_num_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n", + ret); + return 0; + } // get fd ssl->wbio->num - u32 fd = bio_w.num; + u32 fd = (u32)ssl_wbio_num_addr; debug_bpf_printk("openssl uprobe SSL_write FD:%d\n", fd); const char* buf = (const char*)PT_REGS_PARM2(ctx); struct active_ssl_buf active_ssl_buf_t; __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t)); active_ssl_buf_t.fd = fd; - active_ssl_buf_t.version = ssl_info.version; + active_ssl_buf_t.version = ssl_version; active_ssl_buf_t.buf = buf; bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY); 
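Review bot: In probe_entry_SSL_write the fd read starts from the wrong base: `ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);` uses `ssl_wbio_ptr`, the address of the `wbio` field inside `ssl_st`, and not `ssl_wbio_addr`, the BIO pointer that was just read from it. Because `ssl_wbio_ptr` is a `u64 *`, the offset is also scaled by 8. The SSL_read hunk in the same patch uses the pointer value (`ssl_rbio_addr + BIO_ST_NUM`), so the write side should match: `ssl_wbio_num_ptr = (u64 *)(ssl_wbio_addr + BIO_ST_NUM);`. As written, the `fd` stored in `active_ssl_write_args_map` is read from an unrelated address near the SSL object, so captured writes would be attributed to the wrong connection or to none. The function body starts and ends outside this hunk.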
@@ -265,21 +295,50 @@ int probe_entry_SSL_read(struct pt_regs* ctx) { void* ssl = (void*)PT_REGS_PARM1(ctx); // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h - struct ssl_st ssl_info; - bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl); + // Get ssl_rbio pointer + u64 *ssl_ver_ptr, *ssl_rbio_ptr, *ssl_rbio_num_ptr; + u64 ssl_version, ssl_rbio_addr, ssl_rbio_num_addr; + int ret; + + ssl_ver_ptr = (u64 *)(ssl + SSL_ST_VERSION); + ret = bpf_probe_read_user(&ssl_version, sizeof(ssl_version), + ssl_ver_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n", + ret); + return 0; + } - struct BIO bio_r; - bpf_probe_read_user(&bio_r, sizeof(bio_r), ssl_info.rbio); + ssl_rbio_ptr = (u64 *)(ssl + SSL_ST_RBIO); + ret = bpf_probe_read_user(&ssl_rbio_addr, sizeof(ssl_rbio_addr), + ssl_rbio_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret :%d\n", + ret); + return 0; + } // get fd ssl->rbio->num - u32 fd = bio_r.num; + ssl_rbio_num_ptr = (u64 *)(ssl_rbio_addr + BIO_ST_NUM); + ret = bpf_probe_read_user(&ssl_rbio_num_addr, sizeof(ssl_rbio_num_addr), + ssl_rbio_num_ptr); + if (ret) { + debug_bpf_printk( + "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret :%d\n", + ret); + return 0; + } + + u32 fd = (u32)ssl_rbio_num_addr; debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n", pid, fd); const char* buf = (const char*)PT_REGS_PARM2(ctx); struct active_ssl_buf active_ssl_buf_t; __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t)); active_ssl_buf_t.fd = fd; - active_ssl_buf_t.version = ssl_info.version; + active_ssl_buf_t.version = ssl_version; active_ssl_buf_t.buf = buf; bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY); diff --git a/user/module/imodule.go b/user/module/imodule.go index 789fea208..e4c2236f3 100644 --- a/user/module/imodule.go +++ b/user/module/imodule.go 
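Review bot: Every failed `bpf_probe_read_user` in probe_entry_SSL_read now hits `return 0` before `active_ssl_read_args_map` is updated, so failing to resolve the fd (for example a NULL `rbio`) drops the whole read from capture rather than just its connection metadata, and the only trace is a `debug_bpf_printk`. As far as this page shows, the fd is used only for the address lookup, and user space already maps an unknown fd to `DefaultAddr`. It therefore seems safer to fall back to `fd = 0` and still record `buf`, keeping `return 0` only for a case where nothing useful can be captured. The SSL_write hunk above has the same early returns. The function body continues outside this hunk.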
@@ -302,6 +302,8 @@ func (m *Module) Dispatcher(e event.IEventStruct) { case event.EventTypeModuleData: // Save to cache m.child.Dispatcher(e) + default: + m.logger.Printf("%s\tunknown event type:%d", m.child.Name(), e.EventType()) } } diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go index 497861c4d..049203f76 100644 --- a/user/module/probe_openssl.go +++ b/user/module/probe_openssl.go @@ -459,6 +459,7 @@ func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string) { } connMap[fd] = addr m.pidConns[pid] = connMap + m.logger.Printf("%s\tAddConn pid:%d, fd:%d, addr:%s, mapinfo:%v\n", m.Name(), pid, fd, addr, m.pidConns) return } @@ -487,6 +488,7 @@ func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string { addr := "" var connMap map[uint32]string var f bool + m.logger.Printf("%s\tGetConn pid:%d, fd:%d, mapinfo:%v\n", m.Name(), pid, fd, m.pidConns) connMap, f = m.pidConns[pid] if !f { return ConnNotFound @@ -701,7 +703,11 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { } func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) { + if eventStruct.Fd <= 0 { + m.logger.Printf("\tnotic: SSLDataEvent's fd is 0. pid:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr) + } var addr = m.GetConn(eventStruct.Pid, eventStruct.Fd) + m.logger.Printf("\tSSLDataEvent pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, addr) if addr == ConnNotFound { eventStruct.Addr = DefaultAddr } else { diff --git a/utils/boringssl-offset.c b/utils/boringssl-offset.c index e55ca5809..3d998c590 100644 --- a/utils/boringssl-offset.c +++ b/utils/boringssl-offset.c @@ -13,6 +13,7 @@ // limitations under the License. // g++ -I include/ -I src/ ./src/offset.c -o off +#include #include #include #include 
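Review bot: In dumpSslData (user/module/probe_openssl.go), `eventStruct.Fd <= 0` can only be true for zero, because the value is passed straight to `GetConn(pid, fd uint32)` and must therefore be unsigned. Write `eventStruct.Fd == 0`, which also matches the log text "fd is 0". The guards `if fd <= 0` added to AddConn and GetConn in PATCH 5/5 have the same form. Since descriptor 0 is a valid fd, a one-line comment explaining why 0 is treated as "not resolved" would help, e.g. `// fd 0: probe could not read ssl->bio->num (presumably no socket BIO)`.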
@@ -22,10 +23,13 @@ #define SSL_STRUCT_OFFSETS \ X(ssl_st, version) \ X(ssl_st, session) \ + X(ssl_st, rbio) \ + X(ssl_st, wbio) \ X(ssl_st, s3) \ X(ssl_session_st, secret_length) \ X(ssl_session_st, secret) \ X(ssl_session_st, cipher) \ + X(bio_st, num) \ X(ssl_cipher_st, id) \ X(bssl::SSL3_STATE, hs) \ X(bssl::SSL3_STATE, client_random) \ From ed92b7869a3611aaa9f8061c5f76c404cf00ba14 Mon Sep 17 00:00:00 2001 From: cfc4n Date: Sat, 23 Sep 2023 23:47:00 +0800 Subject: [PATCH 4/5] user : fix go format type. Signed-off-by: cfc4n --- user/module/probe_openssl.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go index 049203f76..68eb6c954 100644 --- a/user/module/probe_openssl.go +++ b/user/module/probe_openssl.go @@ -704,7 +704,7 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) { if eventStruct.Fd <= 0 { - m.logger.Printf("\tnotic: SSLDataEvent's fd is 0. pid:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr) + m.logger.Printf("\tnotice: SSLDataEvent's fd is 0. pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr) } var addr = m.GetConn(eventStruct.Pid, eventStruct.Fd) m.logger.Printf("\tSSLDataEvent pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, addr) From 0a28aa473d8f19c5ce7d0175875d14996c9c2844 Mon Sep 17 00:00:00 2001 From: cfc4n Date: Sun, 24 Sep 2023 15:08:54 +0800 Subject: [PATCH 5/5] kern : add debug info. Signed-off-by: cfc4n --- kern/openssl.h | 2 +- user/module/probe_openssl.go | 13 ++++++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/kern/openssl.h b/kern/openssl.h index d27121f8d..9c7d94604 100644 --- a/kern/openssl.h +++ b/kern/openssl.h 
@@ -229,7 +229,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) { // get fd ssl->wbio->num u32 fd = (u32)ssl_wbio_num_addr; - debug_bpf_printk("openssl uprobe SSL_write FD:%d\n", fd); + debug_bpf_printk("openssl uprobe SSL_write FD:%d, version:%d\n", fd, ssl_version); const char* buf = (const char*)PT_REGS_PARM2(ctx); struct active_ssl_buf active_ssl_buf_t; diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go index 68eb6c954..fdff1aae2 100644 --- a/user/module/probe_openssl.go +++ b/user/module/probe_openssl.go @@ -450,6 +450,10 @@ func (m *MOpenSSLProbe) Events() []*ebpf.Map { } func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string) { + if fd <= 0 { + m.logger.Printf("%s\tAddConn failed. pid:%d, fd:%d, addr:%s\n", m.Name(), pid, fd, addr) + return + } // save var connMap map[uint32]string var f bool @@ -459,7 +463,7 @@ func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string) { } connMap[fd] = addr m.pidConns[pid] = connMap - m.logger.Printf("%s\tAddConn pid:%d, fd:%d, addr:%s, mapinfo:%v\n", m.Name(), pid, fd, addr, m.pidConns) + //m.logger.Printf("%s\tAddConn pid:%d, fd:%d, addr:%s, mapinfo:%v\n", m.Name(), pid, fd, addr, m.pidConns) return } @@ -485,10 +489,13 @@ func (m *MOpenSSLProbe) DelConn(pid, fd uint32) { return } func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string { + if fd <= 0 { + return ConnNotFound + } addr := "" var connMap map[uint32]string var f bool - m.logger.Printf("%s\tGetConn pid:%d, fd:%d, mapinfo:%v\n", m.Name(), pid, fd, m.pidConns) + //m.logger.Printf("%s\tGetConn pid:%d, fd:%d, mapinfo:%v\n", m.Name(), pid, fd, m.pidConns) connMap, f = m.pidConns[pid] if !f { return ConnNotFound 
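Review bot: The `version:%d` added to the SSL_write `debug_bpf_printk` in kern/openssl.h is passed `ssl_version`, which PATCH 3/5 declares as `u64` and fills with an 8-byte read at `SSL_ST_VERSION`. `ssl_st->version` is an `int` in OpenSSL, so the upper four bytes are whatever follows the field (presumably padding), and the argument does not match the format. The smallest fix is `debug_bpf_printk("openssl uprobe SSL_write FD:%d, version:%d\n", fd, (u32)ssl_version);`. A cleaner fix is to read `version` and `bio_st->num` into 32-bit variables with a 4-byte `bpf_probe_read_user`, so that the value assigned to `active_ssl_buf_t.version` is well defined too. The same 8-byte reads are in the SSL_read probe, and the declarations are outside this hunk.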
@@ -707,7 +714,7 @@ func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) { m.logger.Printf("\tnotice: SSLDataEvent's fd is 0. pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr) } var addr = m.GetConn(eventStruct.Pid, eventStruct.Fd) - m.logger.Printf("\tSSLDataEvent pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, addr) + //m.logger.Printf("\tSSLDataEvent pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, addr) if addr == ConnNotFound { eventStruct.Addr = DefaultAddr } else {