Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / bcc / 24581968001b68ad77ee8f823483688d08e08c29 / . / tools / sslsniff.py
blob: 174577b0fa7923e6d96b835640e890a506084aeb [file] [log] [blame]
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]1#!/usr/bin/python
2#
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]3# sslsniff Captures data on read/recv or write/send functions of OpenSSL and
4# GnuTLS
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]5# For Linux, uses BCC, eBPF.
6#
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]7# USAGE: sslsniff.py [-h] [-p PID] [-c COMM] [-o] [-g] [-d]
8#
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]9# Licensed under the Apache License, Version 2.0 (the "License")
10#
11# 12-Aug-2016 Adrian Lopez Created this.
12# 13-Aug-2016 Mark Drayton Fix SSL_Read
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]13# 17-Aug-2016 Adrian Lopez Capture GnuTLS and add options
14#
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]15
16from __future__ import print_function
17import ctypes as ct
18from bcc import BPF
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]19import argparse
20
21# arguments
22examples = """examples:
23 ./sslsniff # sniff OpenSSL and GnuTLS functions
24 ./sslsniff -p 181 # sniff PID 181 only
25 ./sslsniff -c curl # sniff curl command only
26 ./sslsniff --no-openssl # don't show OpenSSL calls
27 ./sslsniff --no-gnutls # don't show GnuTLS calls
28"""
29parser = argparse.ArgumentParser(
30 description="Sniff SSL data",
31 formatter_class=argparse.RawDescriptionHelpFormatter,
32 epilog=examples)
htbegin5ac5d6e2017-05-24 22:53:17 +0800[diff] [blame]33parser.add_argument("-p", "--pid", type=int, help="sniff this PID only.")
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]34parser.add_argument("-c", "--comm",
35 help="sniff only commands matching string.")
36parser.add_argument("-o", "--no-openssl", action="store_false", dest="openssl",
37 help="do not show OpenSSL calls.")
38parser.add_argument("-g", "--no-gnutls", action="store_false", dest="gnutls",
39 help="do not show GnuTLS calls.")
40parser.add_argument('-d', '--debug', dest='debug', action='count', default=0,
41 help='debug mode.')
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]42parser.add_argument("--ebpf", action="store_true",
43 help=argparse.SUPPRESS)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]44args = parser.parse_args()
45
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]46
47prog = """
48#include <linux/ptrace.h>
49#include <linux/sched.h> /* For TASK_COMM_LEN */
50
51struct probe_SSL_data_t {
52 u64 timestamp_ns;
53 u32 pid;
54 char comm[TASK_COMM_LEN];
Brenden Blanco71eb1772017-04-20 09:47:28 -0700[diff] [blame]55 char v0[464];
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]56 u32 len;
57};
58
59BPF_PERF_OUTPUT(perf_SSL_write);
60
61int probe_SSL_write(struct pt_regs *ctx, void *ssl, void *buf, int num) {
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]62 u32 pid = bpf_get_current_pid_tgid();
63 FILTER
64
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]65 struct probe_SSL_data_t __data = {0};
66 __data.timestamp_ns = bpf_ktime_get_ns();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]67 __data.pid = pid;
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]68 __data.len = num;
69
70 bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
71
72 if ( buf != 0) {
73 bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
74 }
75
76 perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
77 return 0;
78}
79
80BPF_PERF_OUTPUT(perf_SSL_read);
81
82BPF_HASH(bufs, u32, u64);
83
84int probe_SSL_read_enter(struct pt_regs *ctx, void *ssl, void *buf, int num) {
85 u32 pid = bpf_get_current_pid_tgid();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]86 FILTER
87
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]88 bufs.update(&pid, (u64*)&buf);
89 return 0;
90}
91
92int probe_SSL_read_exit(struct pt_regs *ctx, void *ssl, void *buf, int num) {
93 u32 pid = bpf_get_current_pid_tgid();
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]94 FILTER
95
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]96 u64 *bufp = bufs.lookup(&pid);
97 if (bufp == 0) {
98 return 0;
99 }
100
101 struct probe_SSL_data_t __data = {0};
102 __data.timestamp_ns = bpf_ktime_get_ns();
103 __data.pid = pid;
104 __data.len = PT_REGS_RC(ctx);
105
106 bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
107
108 if (bufp != 0) {
109 bpf_probe_read(&__data.v0, sizeof(__data.v0), (char *)*bufp);
110 }
111
112 bufs.delete(&pid);
113
114 perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data));
115 return 0;
116}
117"""
118
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]119if args.pid:
htbegin5ac5d6e2017-05-24 22:53:17 +0800[diff] [blame]120 prog = prog.replace('FILTER', 'if (pid != %d) { return 0; }' % args.pid)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]121else:
122 prog = prog.replace('FILTER', '')
123
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]124if args.debug or args.ebpf:
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]125 print(prog)
Nathan Scottcf0792f2018-02-02 16:56:50 +1100[diff] [blame]126 if args.ebpf:
127 exit()
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]128
129
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]130b = BPF(text=prog)
131
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]132# It looks like SSL_read's arguments aren't available in a return probe so you
133# need to stash the buffer address in a map on the function entry and read it
134# on its exit (Mark Drayton)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]135#
136if args.openssl:
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]137 b.attach_uprobe(name="ssl", sym="SSL_write", fn_name="probe_SSL_write",
138 pid=args.pid or -1)
139 b.attach_uprobe(name="ssl", sym="SSL_read", fn_name="probe_SSL_read_enter",
140 pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]141 b.attach_uretprobe(name="ssl", sym="SSL_read",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]142 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]143
144if args.gnutls:
145 b.attach_uprobe(name="gnutls", sym="gnutls_record_send",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]146 fn_name="probe_SSL_write", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]147 b.attach_uprobe(name="gnutls", sym="gnutls_record_recv",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]148 fn_name="probe_SSL_read_enter", pid=args.pid or -1)
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]149 b.attach_uretprobe(name="gnutls", sym="gnutls_record_recv",
Paul Chaignond73c58f2017-01-21 14:25:41 +0100[diff] [blame]150 fn_name="probe_SSL_read_exit", pid=args.pid or -1)
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]151
152# define output data structure in Python
153TASK_COMM_LEN = 16 # linux/sched.h
Brenden Blanco71eb1772017-04-20 09:47:28 -0700[diff] [blame]154MAX_BUF_SIZE = 464 # Limited by the BPF stack
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]155
156
157# Max size of the whole struct: 512 bytes
158class Data(ct.Structure):
159 _fields_ = [
160 ("timestamp_ns", ct.c_ulonglong),
161 ("pid", ct.c_uint),
162 ("comm", ct.c_char * TASK_COMM_LEN),
163 ("v0", ct.c_char * MAX_BUF_SIZE),
164 ("len", ct.c_uint)
165 ]
166
167
168# header
169print("%-12s %-18s %-16s %-6s %-6s" % ("FUNC", "TIME(s)", "COMM", "PID",
170 "LEN"))
171
172# process event
173start = 0
174
175
176def print_event_write(cpu, data, size):
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]177 print_event(cpu, data, size, "WRITE/SEND")
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]178
179
180def print_event_read(cpu, data, size):
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]181 print_event(cpu, data, size, "READ/RECV")
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]182
183
184def print_event(cpu, data, size, rw):
185 global start
186 event = ct.cast(data, ct.POINTER(Data)).contents
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]187
188 # Filter events by command
189 if args.comm:
190 if not args.comm == event.comm:
191 return
192
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]193 if start == 0:
194 start = event.timestamp_ns
195 time_s = (float(event.timestamp_ns - start)) / 1000000000
196
197 s_mark = "-" * 5 + " DATA " + "-" * 5
198
199 e_mark = "-" * 5 + " END DATA " + "-" * 5
200
201 truncated_bytes = event.len - MAX_BUF_SIZE
Adrian Lopezd9cc3de2016-08-17 14:08:08 +0200[diff] [blame]202 if truncated_bytes > 0:
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]203 e_mark = "-" * 5 + " END DATA (TRUNCATED, " + str(truncated_bytes) + \
204 " bytes lost) " + "-" * 5
205
Paul Chaignon7b911b52017-10-07 11:52:17 +0200[diff] [blame]206 fmt = "%-12s %-18.9f %-16s %-6d %-6d\n%s\n%s\n%s\n\n"
207 print(fmt % (rw, time_s, event.comm.decode(), event.pid, event.len, s_mark,
208 event.v0.decode(), e_mark))
Adrian Lopezd496d5c2016-08-16 17:49:49 +0200[diff] [blame]209
210b["perf_SSL_write"].open_perf_buffer(print_event_write)
211b["perf_SSL_read"].open_perf_buffer(print_event_read)
212while 1:
Teng Qindbf00292018-02-28 21:47:50 -0800[diff] [blame]213 b.perf_buffer_poll()