#include <linux/if_ether.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
#define GADGET_TYPE_NETWORKING
#include <gadget/sockets-map.h>
const struct event_t *unusedevent __attribute__((unused));
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
static __always_inline int parse_sni(struct __sk_buff *skb, int data_offset,
bpf_skb_load_bytes(skb, data_offset, &content_type, 1);
if (content_type != TLS_CONTENT_TYPE_HANDSHAKE)
bpf_skb_load_bytes(skb, data_offset + TLS_HANDSHAKE_TYPE_OFF,
if (handshake_type != TLS_HANDSHAKE_TYPE_CLIENT_HELLO)
int session_id_len_off = data_offset + TLS_SESSION_ID_LENGTH_OFF;
bpf_skb_load_bytes(skb, session_id_len_off, &session_id_len, 1);
int cipher_suites_len_off =
session_id_len_off + TLS_SESSION_ID_LENGTH_LEN + session_id_len;
__u16 cipher_suites_len_be;
bpf_skb_load_bytes(skb, cipher_suites_len_off, &cipher_suites_len_be,
int compression_methods_len_off = cipher_suites_len_off +
TLS_CIPHER_SUITES_LENGTH_LEN +
bpf_ntohs(cipher_suites_len_be);
__u8 compression_methods_len;
bpf_skb_load_bytes(skb, compression_methods_len_off,
&compression_methods_len, 1);
int extensions_len_off = compression_methods_len_off +
TLS_COMPRESSION_METHODS_LENGTH_LEN +
compression_methods_len;
int extensions_off = extensions_len_off + TLS_EXTENSIONS_LENGTH_LEN;
__u16 server_name_ext_off = 0;
for (int i = 0; i < TLS_MAX_EXTENSION_COUNT; i++) {
__u16 curr_ext_type_be;
bpf_skb_load_bytes(skb, extensions_off + cur, &curr_ext_type_be,
if (bpf_ntohs(curr_ext_type_be) == TLS_EXTENSION_SERVER_NAME) {
server_name_ext_off = extensions_off + cur;
cur += TLS_EXTENSION_TYPE_LEN;
bpf_skb_load_bytes(skb, extensions_off + cur, &len_be, 2);
cur += TLS_EXTENSION_LENGTH_LEN + bpf_ntohs(len_be);
if (server_name_ext_off == 0)
__u16 server_name_len_be;
bpf_skb_load_bytes(skb,
server_name_ext_off + TLS_SERVER_NAME_LENGTH_OFF,
&server_name_len_be, 2);
__u16 server_name_len = bpf_ntohs(server_name_len_be);
if (server_name_len == 0 || server_name_len > TLS_MAX_SERVER_NAME_LEN)
__u16 server_name_off = server_name_ext_off + TLS_SERVER_NAME_OFF;
for (int i = 0; i < TLS_MAX_SERVER_NAME_LEN; i++) {
if (i >= server_name_len)
bpf_skb_load_bytes(skb, server_name_off + i, &b, 1);
int ig_trace_sni(struct __sk_buff *skb)
if (bpf_skb_load_bytes(skb, 0, ðh, sizeof ethh))
if (bpf_ntohs(ethh.h_proto) != ETH_P_IP)
int ip_off = ETH_HLEN;
if (bpf_skb_load_bytes(skb, ip_off, &iph, sizeof iph))
if (iph.protocol != IPPROTO_TCP)
__u8 ip_header_len = iph.ihl * 4;
int tcp_off = ip_off + ip_header_len;
if (bpf_skb_load_bytes(skb, tcp_off, &tcph, sizeof tcph))
__u8 tcp_header_len = tcph.doff * 4;
int payload_off = tcp_off + tcp_header_len;
char sni[TLS_MAX_SERVER_NAME_LEN] = {};
int read = parse_sni(skb, payload_off, sni);
struct event_t event = {
event.netns = skb->cb[0];
for (int i = 0; i < TLS_MAX_SERVER_NAME_LEN; i++) {
event.name[i] = sni[i];
event.timestamp = bpf_ktime_get_boot_ns();
struct sockets_value *skb_val = gadget_socket_lookup(skb);
if (skb_val != NULL) {
event.mount_ns_id = skb_val->mntns;
event.pid = skb_val->pid_tgid >> 32;
event.tid = (__u32)skb_val->pid_tgid;
__builtin_memcpy(&event.task, skb_val->task,
event.uid = (__u32)skb_val->uid_gid;
event.gid = (__u32)(skb_val->uid_gid >> 32);
bpf_perf_event_output(skb, &events, BPF_F_CURRENT_CPU, &event,
char _license[] SEC("license") = "GPL";