Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / bcc / 023154c7708087ddf6c2031cef5d25c2445b70c4 / . / tools / sslsniff.py
blob: 8c027fe34f66b6dec37e0f6dc0cc1e89ddafe9c1 [file] [log] [blame]
Alexey Ivanovcc01a9c2019-01-16 09:50:46 -0800[diff] [blame]1#!/usr/bin/python
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]2#
jeromemarchand8b17dc32018-08-04 07:09:36 +0200[diff] [blame]3# sslsniff Captures data on read/recv or write/send functions of OpenSSL,
4# GnuTLS and NSS
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]5# For Linux, uses BCC, eBPF.
6#
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]7# USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]
8#
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]9# Licensed under the Apache License, Version 2.0 (the "License")
10#
11# 12-Aug-2016 Adrian Lopez Created this.
12# 13-Aug-2016 Mark Drayton Fix SSL_Read
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]13# 17-Aug-2016 Adrian Lopez Capture GnuTLS and add options
14#
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]15
16from __future__ import print_function
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]17from bcc import BPF
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]18import argparse
19
20# arguments
21examples = """examples:
22 ./sslsniff # sniff OpenSSL and GnuTLS functions
23 ./sslsniff -p 181 # sniff PID 181 only
24 ./sslsniff -c curl # sniff curl command only
25 ./sslsniff --no-openssl # don't show OpenSSL calls
26 ./sslsniff --no-gnutls # don't show GnuTLS calls
jeromemarchand8b17dc32018-08-04 07:09:36 +0200[diff] [blame]27 ./sslsniff --no-nss # don't show NSS calls
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]28"""
29parser = argparse.ArgumentParser(
30 description="Sniff SSL data",
31 formatter_class=argparse.RawDescriptionHelpFormatter,
32 epilog=examples)
htbegin5ac5d6e2017-05-24 22:53:17 +0800[diff] [blame]33parser.add_argument("-p", "--pid", type=int, help="sniff this PID only.")
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]34parser.add_argument("-c", "--comm",
35 help="sniff only commands matching string.")
36parser.add_argument("-o", "--no-openssl", action="store_false", dest="openssl",
37 help="do not show OpenSSL calls.")
38parser.add_argument("-g", "--no-gnutls", action="store_false", dest="gnutls",
39 help="do not show GnuTLS calls.")
jeromemarchand8b17dc32018-08-04 07:09:36 +0200[diff] [blame]40parser.add_argument("-n", "--no-nss", action="store_false", dest="nss",
41 help="do not show NSS calls.")
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]42parser.add_argument('-d', '--debug', dest='debug', action='count', default=0,
43 help='debug mode.')
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]44parser.add_argument("--ebpf", action="store_true",
45 help=argparse.SUPPRESS)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]46args = parser.parse_args()
47
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]48
49prog = """
50#include <linux/ptrace.h>
51#include <linux/sched.h> /* For TASK_COMM_LEN */
52
53struct probe_SSL_data_t {
54 u64 timestamp_ns;
55 u32 pid;
56 char comm[TASK_COMM_LEN];
Brenden Blanco71eb1772017-04-20 09:47:28 -0700[diff] [blame]57 char v0[464];
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]58 u32 len;
59};
60
61BPF_PERF_OUTPUT(perf_SSL_write);
62
63int probe_SSL_write(struct pt_regs *ctx, void *ssl, void *buf, int num) {
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]64 u32 pid = bpf_get_current_pid_tgid();
65 FILTER
66
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]67 struct probe_SSL_data_t __data = {0};
68 __data.timestamp_ns = bpf_ktime_get_ns();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]69 __data.pid = pid;
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]70 __data.len = num;
71
72 bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
73
74 if ( buf != 0) {
Sumanth Korikkar023154c2020-04-20 05:54:57 -0500[diff] [blame^]75 bpf_probe_read_user(&__data.v0, sizeof(__data.v0), buf);
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]76 }
77
78 perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
79 return 0;
80}
81
82BPF_PERF_OUTPUT(perf_SSL_read);
83
84BPF_HASH(bufs, u32, u64);
85
86int probe_SSL_read_enter(struct pt_regs *ctx, void *ssl, void *buf, int num) {
87 u32 pid = bpf_get_current_pid_tgid();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]88 FILTER
89
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]90 bufs.update(&pid, (u64*)&buf);
91 return 0;
92}
93
94int probe_SSL_read_exit(struct pt_regs *ctx, void *ssl, void *buf, int num) {
95 u32 pid = bpf_get_current_pid_tgid();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]96 FILTER
97
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]98 u64 *bufp = bufs.lookup(&pid);
99 if (bufp == 0) {
100 return 0;
101 }
102
103 struct probe_SSL_data_t __data = {0};
104 __data.timestamp_ns = bpf_ktime_get_ns();
105 __data.pid = pid;
106 __data.len = PT_REGS_RC(ctx);
107
108 bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
109
110 if (bufp != 0) {
Sumanth Korikkar023154c2020-04-20 05:54:57 -0500[diff] [blame^]111 bpf_probe_read_user(&__data.v0, sizeof(__data.v0), (char *)*bufp);
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]112 }
113
114 bufs.delete(&pid);
115
116 perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data));
117 return 0;
118}
119"""
120
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]121if args.pid:
htbegin5ac5d6e2017-05-24 22:53:17 +0800[diff] [blame]122 prog = prog.replace('FILTER', 'if (pid != %d) { return 0; }' % args.pid)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]123else:
124 prog = prog.replace('FILTER', '')
125
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]126if args.debug or args.ebpf:
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]127 print(prog)
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]128 if args.ebpf:
129 exit()
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]130
131
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]132b = BPF(text=prog)
133
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]134# It looks like SSL_read's arguments aren't available in a return probe so you
135# need to stash the buffer address in a map on the function entry and read it
136# on its exit (Mark Drayton)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]137#
138if args.openssl:
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]139 b.attach_uprobe(name="ssl", sym="SSL_write", fn_name="probe_SSL_write",
140 pid=args.pid or -1)
141 b.attach_uprobe(name="ssl", sym="SSL_read", fn_name="probe_SSL_read_enter",
142 pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]143 b.attach_uretprobe(name="ssl", sym="SSL_read",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]144 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]145
146if args.gnutls:
147 b.attach_uprobe(name="gnutls", sym="gnutls_record_send",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]148 fn_name="probe_SSL_write", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]149 b.attach_uprobe(name="gnutls", sym="gnutls_record_recv",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]150 fn_name="probe_SSL_read_enter", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]151 b.attach_uretprobe(name="gnutls", sym="gnutls_record_recv",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]152 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]153
jeromemarchand8b17dc32018-08-04 07:09:36 +0200[diff] [blame]154if args.nss:
155 b.attach_uprobe(name="nspr4", sym="PR_Write", fn_name="probe_SSL_write",
156 pid=args.pid or -1)
157 b.attach_uprobe(name="nspr4", sym="PR_Send", fn_name="probe_SSL_write",
158 pid=args.pid or -1)
159 b.attach_uprobe(name="nspr4", sym="PR_Read", fn_name="probe_SSL_read_enter",
160 pid=args.pid or -1)
161 b.attach_uretprobe(name="nspr4", sym="PR_Read",
162 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
163 b.attach_uprobe(name="nspr4", sym="PR_Recv", fn_name="probe_SSL_read_enter",
164 pid=args.pid or -1)
165 b.attach_uretprobe(name="nspr4", sym="PR_Recv",
166 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
167
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]168# define output data structure in Python
169TASK_COMM_LEN = 16 # linux/sched.h
Brenden Blanco71eb1772017-04-20 09:47:28 -0700[diff] [blame]170MAX_BUF_SIZE = 464 # Limited by the BPF stack
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]171
172
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]173# header
174print("%-12s %-18s %-16s %-6s %-6s" % ("FUNC", "TIME(s)", "COMM", "PID",
175 "LEN"))
176
177# process event
178start = 0
179
180
181def print_event_write(cpu, data, size):
Xiaozhou Liu51d62d32019-02-15 13:03:05 +0800[diff] [blame]182 print_event(cpu, data, size, "WRITE/SEND", "perf_SSL_write")
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]183
184
185def print_event_read(cpu, data, size):
Xiaozhou Liu51d62d32019-02-15 13:03:05 +0800[diff] [blame]186 print_event(cpu, data, size, "READ/RECV", "perf_SSL_read")
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]187
188
Xiaozhou Liu51d62d32019-02-15 13:03:05 +0800[diff] [blame]189def print_event(cpu, data, size, rw, evt):
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]190 global start
Xiaozhou Liu51d62d32019-02-15 13:03:05 +0800[diff] [blame]191 event = b[evt].event(data)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]192
193 # Filter events by command
194 if args.comm:
195 if not args.comm == event.comm:
196 return
197
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]198 if start == 0:
199 start = event.timestamp_ns
200 time_s = (float(event.timestamp_ns - start)) / 1000000000
201
202 s_mark = "-" * 5 + " DATA " + "-" * 5
203
204 e_mark = "-" * 5 + " END DATA " + "-" * 5
205
206 truncated_bytes = event.len - MAX_BUF_SIZE
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]207 if truncated_bytes > 0:
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]208 e_mark = "-" * 5 + " END DATA (TRUNCATED, " + str(truncated_bytes) + \
209 " bytes lost) " + "-" * 5
210
Paul Chaignon7b911b52017-10-07 11:52:17 +0200[diff] [blame]211 fmt = "%-12s %-18.9f %-16s %-6d %-6d\n%s\n%s\n%s\n\n"
jeromemarchandb96ebcd2018-10-10 01:58:15 +0200[diff] [blame]212 print(fmt % (rw, time_s, event.comm.decode('utf-8', 'replace'),
213 event.pid, event.len, s_mark,
214 event.v0.decode('utf-8', 'replace'), e_mark))
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]215
216b["perf_SSL_write"].open_perf_buffer(print_event_write)
217b["perf_SSL_read"].open_perf_buffer(print_event_read)
218while 1:
Jerome Marchand51671272018-12-19 01:57:24 +0100[diff] [blame]219 try:
220 b.perf_buffer_poll()
221 except KeyboardInterrupt:
222 exit()