diff --git a/tap/tlstapper/bpf/common.c b/tap/tlstapper/bpf/common.c index eb010db65..6d8a9dc2d 100644 --- a/tap/tlstapper/bpf/common.c +++ b/tap/tlstapper/bpf/common.c @@ -143,3 +143,28 @@ static __always_inline void output_ssl_chunk(struct pt_regs *ctx, struct ssl_inf send_chunk(ctx, info->buffer, id, chunk); } + +static __always_inline struct ssl_info lookup_ssl_info(struct pt_regs *ctx, struct bpf_map_def* map_fd, __u64 pid_tgid) { + struct ssl_info *infoPtr = bpf_map_lookup_elem(&ssl_write_context, &pid_tgid); + struct ssl_info info = {}; + + if (infoPtr == NULL) { + info.fd = -1; + info.created_at_nano = bpf_ktime_get_ns(); + } else { + long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr); + + if (err != 0) { + log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_UPROBE_CODE); + } + + if ((bpf_ktime_get_ns() - info.created_at_nano) > SSL_INFO_MAX_TTL_NANO) { + // If the ssl info is too old, we don't want to use its info because it may be incorrect. + // + info.fd = -1; + info.created_at_nano = bpf_ktime_get_ns(); + } + } + + return info; +} diff --git a/tap/tlstapper/bpf/golang_uprobes.c b/tap/tlstapper/bpf/golang_uprobes.c index a8cc5520b..aff9ddf47 100644 --- a/tap/tlstapper/bpf/golang_uprobes.c +++ b/tap/tlstapper/bpf/golang_uprobes.c @@ -21,26 +21,7 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) { return 0; } - struct ssl_info *infoPtr = bpf_map_lookup_elem(&ssl_write_context, &pid_tgid); - struct ssl_info info = {}; - - if (infoPtr == NULL) { - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } else { - long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr); - - if (err != 0) { - log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_UPROBE_CODE); - } - - if ((bpf_ktime_get_ns() - info.created_at_nano) > SSL_INFO_MAX_TTL_NANO) { - // If the ssl info is too old, we don't want to use its info because it may be incorrect. - // - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } - } + struct ssl_info info = lookup_ssl_info(ctx, &ssl_write_context, pid_tgid); info.buffer_len = ctx->rcx; info.buffer = (void*)ctx->rbx; @@ -73,26 +54,7 @@ static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) { return 0; } - struct ssl_info *infoPtr = bpf_map_lookup_elem(&ssl_read_context, &pid_tgid); - struct ssl_info info = {}; - - if (infoPtr == NULL) { - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } else { - long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr); - - if (err != 0) { - log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_UPROBE_CODE); - } - - if ((bpf_ktime_get_ns() - info.created_at_nano) > SSL_INFO_MAX_TTL_NANO) { - // If the ssl info is too old, we don't want to use its info because it may be incorrect. - // - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } - } + struct ssl_info info = lookup_ssl_info(ctx, &ssl_read_context, pid_tgid); info.buffer_len = ctx->rcx; info.buffer = (void*)data_p; diff --git a/tap/tlstapper/bpf/include/common.h b/tap/tlstapper/bpf/include/common.h index 0c01efdba..226c020f4 100644 --- a/tap/tlstapper/bpf/include/common.h +++ b/tap/tlstapper/bpf/include/common.h @@ -12,5 +12,6 @@ int add_address_to_chunk(struct pt_regs *ctx, struct tls_chunk* chunk, __u64 id, void send_chunk_part(struct pt_regs *ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk, int start, int end); void send_chunk(struct pt_regs *ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk); void output_ssl_chunk(struct pt_regs *ctx, struct ssl_info* info, int count_bytes, __u64 id, __u32 flags); +struct ssl_info lookup_ssl_info(struct pt_regs *ctx, struct bpf_map_def* map_fd, __u64 pid_tgid); #endif /* __COMMON__ */ diff --git a/tap/tlstapper/bpf/openssl_uprobes.c b/tap/tlstapper/bpf/openssl_uprobes.c index 749fca975..3a4e9a312 100644 --- a/tap/tlstapper/bpf/openssl_uprobes.c +++ b/tap/tlstapper/bpf/openssl_uprobes.c @@ -21,25 +21,7 @@ static __always_inline void ssl_uprobe(struct pt_regs *ctx, void* ssl, void* buf } struct ssl_info *infoPtr = bpf_map_lookup_elem(map_fd, &id); - struct ssl_info info = {}; - - if (infoPtr == NULL) { - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } else { - long err = bpf_probe_read(&info, sizeof(struct ssl_info), infoPtr); - - if (err != 0) { - log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, id, err, ORIGIN_SSL_UPROBE_CODE); - } - - if ((bpf_ktime_get_ns() - info.created_at_nano) > SSL_INFO_MAX_TTL_NANO) { - // If the ssl info is too old, we don't want to use its info because it may be incorrect. - // - info.fd = -1; - info.created_at_nano = bpf_ktime_get_ns(); - } - } + struct ssl_info info = lookup_ssl_info(ctx, &ssl_write_context, id); info.count_ptr = count_ptr; info.buffer = buffer; diff --git a/tap/tlstapper/tlstapper_bpfeb.o b/tap/tlstapper/tlstapper_bpfeb.o index 17fcc1749..360269686 100644 Binary files a/tap/tlstapper/tlstapper_bpfeb.o and b/tap/tlstapper/tlstapper_bpfeb.o differ diff --git a/tap/tlstapper/tlstapper_bpfel.o b/tap/tlstapper/tlstapper_bpfel.o index 43a2c5d57..10bcbcc7c 100644 Binary files a/tap/tlstapper/tlstapper_bpfel.o and b/tap/tlstapper/tlstapper_bpfel.o differ