From df4d9df159a0825de25de0db76be4da1eba4113e Mon Sep 17 00:00:00 2001
From: cfc4n
Date: Sat, 23 Sep 2023 23:37:17 +0800
Subject: [PATCH] kern : get openssl connection fd used offset address.
Signed-off-by: cfc4n
---
 kern/boringssl_1_1_1_kern.c | 9 ++++
 kern/openssl.h | 83 ++++++++++++++++++++++++++++++------
 user/module/imodule.go | 2 +
 user/module/probe_openssl.go | 6 +++
 utils/boringssl-offset.c | 4 ++
 5 files changed, 92 insertions(+), 12 deletions(-)
diff --git a/kern/boringssl_1_1_1_kern.c b/kern/boringssl_1_1_1_kern.c
index 57232bad4..909fdef60 100644
--- a/kern/boringssl_1_1_1_kern.c
+++ b/kern/boringssl_1_1_1_kern.c
@@ -10,6 +10,12 @@
 // ssl_st->session
 #define SSL_ST_SESSION 0x58
+// ssl_st->rbio
+#define SSL_ST_RBIO 0x18
+
+// ssl_st->wbio
+#define SSL_ST_WBIO 0x20
+
 // ssl_st->s3
 #define SSL_ST_S3 0x30
@@ -25,6 +31,9 @@
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
+// bio_st->num
+#define BIO_ST_NUM 0x18
+
 // bssl::SSL3_STATE->hs
 #define BSSL__SSL3_STATE_HS 0x110
diff --git a/kern/openssl.h b/kern/openssl.h
index e58134be5..d27121f8d 100644
--- a/kern/openssl.h
+++ b/kern/openssl.h
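Review bot: The new `SSL_ST_RBIO` and `SSL_ST_WBIO` definitions, and `BIO_ST_NUM` in the next hunk, are bare numbers with no record of where they came from or what width the consumer expects, so a BoringSSL layout change would silently move every fd read that kern/openssl.h performs through them. Since this commit also teaches utils/boringssl-offset.c to emit these three fields, a one-line provenance comment above the group would make regeneration the obvious fix, e.g. `// rbio/wbio/num offsets: generated by utils/boringssl-offset.c, regenerate after any BoringSSL update`. On `BIO_ST_NUM` a short `// bio_st->num: read by kern/openssl.h as the connection fd` would also tell a reader why a BIO field lives next to the ssl_st offsets.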
@@ -191,21 +191,51 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 void* ssl = (void*)PT_REGS_PARM1(ctx);
 // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
- struct ssl_st ssl_info;
- bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);
- struct BIO bio_w;
- bpf_probe_read_user(&bio_w, sizeof(bio_w), ssl_info.wbio);
+ u64 *ssl_ver_ptr, *ssl_wbio_ptr, *ssl_wbio_num_ptr;
+ u64 ssl_version, ssl_wbio_addr, ssl_wbio_num_addr;
+ int ret;
+
+ ssl_ver_ptr = (u64 *)(ssl + SSL_ST_VERSION);
+ ret = bpf_probe_read_user(&ssl_version, sizeof(ssl_version),
+ ssl_ver_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
+
+ ssl_wbio_ptr = (u64 *)(ssl + SSL_ST_WBIO);
+ ret = bpf_probe_read_user(&ssl_wbio_addr, sizeof(ssl_wbio_addr),
+ ssl_wbio_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
+
+ // get fd ssl->wbio->num
+ ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);
+ ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
+ ssl_wbio_num_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
 // get fd ssl->wbio->num
- u32 fd = bio_w.num;
+ u32 fd = (u32)ssl_wbio_num_addr;
 debug_bpf_printk("openssl uprobe SSL_write FD:%d\n", fd);
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
 struct active_ssl_buf active_ssl_buf_t;
 __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
 active_ssl_buf_t.fd = fd;
- active_ssl_buf_t.version = ssl_info.version;
+ active_ssl_buf_t.version = ssl_version;
 active_ssl_buf_t.buf = buf;
 bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY);
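Review bot: `ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);` computes the BIO's num field from the address of the wbio slot inside ssl_st instead of from the BIO pointer that was just read into `ssl_wbio_addr`, and because `ssl_wbio_ptr` is a `u64 *` the `+ BIO_ST_NUM` is scaled by 8, so the read lands far past the wbio slot and whatever it returns is recorded as the fd that the user side uses to attribute the written plaintext to a connection; the SSL_read hunk below does this correctly with `ssl_rbio_addr`. The line should be `ssl_wbio_num_ptr = (u64 *)(ssl_wbio_addr + BIO_ST_NUM);`. Separately, both hunks read `sizeof(u64)` bytes for the num field and then truncate with `(u32)`; if `num` is a 4-byte int as in the linked bio_local.h, that also pulls in the following field and only yields the right value on little-endian targets, so declaring `u32 ssl_wbio_num;` and reading `sizeof(ssl_wbio_num)` would be exact. `probe_entry_SSL_write` starts and ends outside the hunk.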
@@ -265,21 +295,50 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 void* ssl = (void*)PT_REGS_PARM1(ctx);
 // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
- struct ssl_st ssl_info;
- bpf_probe_read_user(&ssl_info, sizeof(ssl_info), ssl);
+ // Get ssl_rbio pointer
+ u64 *ssl_ver_ptr, *ssl_rbio_ptr, *ssl_rbio_num_ptr;
+ u64 ssl_version, ssl_rbio_addr, ssl_rbio_num_addr;
+ int ret;
+
+ ssl_ver_ptr = (u64 *)(ssl + SSL_ST_VERSION);
+ ret = bpf_probe_read_user(&ssl_version, sizeof(ssl_version),
+ ssl_ver_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
- struct BIO bio_r;
- bpf_probe_read_user(&bio_r, sizeof(bio_r), ssl_info.rbio);
+ ssl_rbio_ptr = (u64 *)(ssl + SSL_ST_RBIO);
+ ret = bpf_probe_read_user(&ssl_rbio_addr, sizeof(ssl_rbio_addr),
+ ssl_rbio_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
 // get fd ssl->rbio->num
- u32 fd = bio_r.num;
+ ssl_rbio_num_ptr = (u64 *)(ssl_rbio_addr + BIO_ST_NUM);
+ ret = bpf_probe_read_user(&ssl_rbio_num_addr, sizeof(ssl_rbio_num_addr),
+ ssl_rbio_num_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret :%d\n",
+ ret);
+ return 0;
+ }
+
+ u32 fd = (u32)ssl_rbio_num_addr;
 debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n", pid, fd);
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
 struct active_ssl_buf active_ssl_buf_t;
 __builtin_memset(&active_ssl_buf_t, 0, sizeof(active_ssl_buf_t));
 active_ssl_buf_t.fd = fd;
- active_ssl_buf_t.version = ssl_info.version;
+ active_ssl_buf_t.version = ssl_version;
 active_ssl_buf_t.buf = buf;
 bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid, &active_ssl_buf_t, BPF_ANY);
diff --git a/user/module/imodule.go b/user/module/imodule.go
index 789fea208..e4c2236f3 100644
--- a/user/module/imodule.go
+++ b/user/module/imodule.go
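Review bot: Every failed `bpf_probe_read_user` now leaves the probe with `return 0` before `active_ssl_read_args_map` is updated, so an SSL object whose rbio is NULL or otherwise unreadable produces no capture at all, whereas the removed code still recorded the buffer with a zero or garbage fd and the user side already falls back to `DefaultAddr` when `GetConn` finds nothing; the SSL_write hunk above has the same behaviour change. For the two BIO reads it would preserve visibility to keep the diagnostic, replace `return 0;` with `ssl_rbio_num_addr = 0;` (and skip the num read when `ssl_rbio_addr` is 0), and fall through to `u32 fd = (u32)ssl_rbio_num_addr;`, leaving the early return only for the version read. The `// Get ssl_rbio pointer` comment sits above the declarations and the version read rather than the rbio read; `// ssl->version` before `ssl_ver_ptr = ...` and `// ssl->rbio` before `ssl_rbio_ptr = ...` would place it correctly. `probe_entry_SSL_read` starts and ends outside the hunk.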
@@ -302,6 +302,8 @@ func (m *Module) Dispatcher(e event.IEventStruct) {
 case event.EventTypeModuleData:
 // Save to cache
 m.child.Dispatcher(e)
+ default:
+ m.logger.Printf("%s\tunknown event type:%d", m.child.Name(), e.EventType())
 }
 }
diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go
index 497861c4d..049203f76 100644
--- a/user/module/probe_openssl.go
+++ b/user/module/probe_openssl.go
@@ -459,6 +459,7 @@ func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string) {
 }
 connMap[fd] = addr
 m.pidConns[pid] = connMap
+ m.logger.Printf("%s\tAddConn pid:%d, fd:%d, addr:%s, mapinfo:%v\n", m.Name(), pid, fd, addr, m.pidConns)
 return
 }
@@ -487,6 +488,7 @@ func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string {
 addr := ""
 var connMap map[uint32]string
 var f bool
+ m.logger.Printf("%s\tGetConn pid:%d, fd:%d, mapinfo:%v\n", m.Name(), pid, fd, m.pidConns)
 connMap, f = m.pidConns[pid]
 if !f {
 return ConnNotFound
@@ -701,7 +703,11 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) {
 }
 func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) {
+ if eventStruct.Fd <= 0 {
+ m.logger.Printf("\tnotic: SSLDataEvent's fd is 0. pid:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr)
+ }
 var addr = m.GetConn(eventStruct.Pid, eventStruct.Fd)
+ m.logger.Printf("\tSSLDataEvent pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, addr)
 if addr == ConnNotFound {
 eventStruct.Addr = DefaultAddr
 } else {
diff --git a/utils/boringssl-offset.c b/utils/boringssl-offset.c
index e55ca5809..3d998c590 100644
--- a/utils/boringssl-offset.c
+++ b/utils/boringssl-offset.c
@@ -13,6 +13,7 @@
 // limitations under the License.
 // g++ -I include/ -I src/ ./src/offset.c -o off
+#include
 #include
 #include
 #include
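Review bot: The `m.logger.Printf(... mapinfo:%v ...)` added to `AddConn`, and its twin in `GetConn` in the following hunk, print the entire `m.pidConns` map unconditionally; `GetConn` is called once per SSL data event (see `dumpSslData` further down), so every captured record emits every tracked pid/fd/address pair, which grows with connection count and puts peer addresses of unrelated connections into the log of each event. Logging only the call's own arguments, `m.logger.Printf("%s\tAddConn pid:%d, fd:%d, addr:%s\n", m.Name(), pid, fd, addr)`, or gating the map dump behind the module's debug setting if it has one, keeps the useful signal without the volume. `AddConn` and `GetConn` both begin outside their hunks.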
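Review bot: `m.logger.Printf("\tnotic: SSLDataEvent's fd is 0. pid:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr)` in `dumpSslData` has two verbs for three arguments, so `%s` receives `Fd` and prints as `%!s(uint32=…)` while `Addr` is appended as `%!(EXTRA …)`; `go vet` will flag it. The intended line is presumably `m.logger.Printf("\tnotic: SSLDataEvent's fd is 0. pid:%d, fd:%d, addr:%s\n", eventStruct.Pid, eventStruct.Fd, eventStruct.Addr)`. `eventStruct.Fd` is passed straight to `GetConn(pid, fd uint32)`, so it is unsigned and `eventStruct.Fd <= 0` can only be true for zero; `if eventStruct.Fd == 0 {` says what is meant. `dumpSslData` continues past the end of the hunk.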
@@ -22,10 +23,13 @@
 #define SSL_STRUCT_OFFSETS \
 X(ssl_st, version) \
 X(ssl_st, session) \
+ X(ssl_st, rbio) \
+ X(ssl_st, wbio) \
 X(ssl_st, s3) \
 X(ssl_session_st, secret_length) \
 X(ssl_session_st, secret) \
 X(ssl_session_st, cipher) \
+ X(bio_st, num) \
 X(ssl_cipher_st, id) \
 X(bssl::SSL3_STATE, hs) \
 X(bssl::SSL3_STATE, client_random) \