fix(ja4ebpf): correct BPF struct byte offsets and regenerate SSL_write programs

Fix two critical offset bugs introduced when ip_total_length was added to tcp_syn_event: tcp_options_raw offset 21→23 and tcp_options_len offset 61→63, plus minimum size check 70→72. Fix ssl_data_event direction field offset from 4118 (inside timestamp_ns) to 4126. Simplify attachSSLWrite to use generated objects directly instead of dynamic spec loading. Regenerate BPF objects with SSL_write uprobe programs included. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 14:06:28 +02:00
parent 24306ef390
commit 65d833bb18
3 changed files with 32 additions and 52 deletions
--- a/services/ja4ebpf/internal/loader/ja4ssl_x86_bpfel.go
+++ b/services/ja4ebpf/internal/loader/ja4ssl_x86_bpfel.go
@ -107,11 +107,13 @@ type Ja4SslSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type Ja4SslProgramSpecs struct {
-	KprobeAccept4Entry   *ebpf.ProgramSpec `ebpf:"kprobe_accept4_entry"`
-	KretprobeAccept4Exit *ebpf.ProgramSpec `ebpf:"kretprobe_accept4_exit"`
-	UprobeSslReadEntry   *ebpf.ProgramSpec `ebpf:"uprobe_ssl_read_entry"`
-	UprobeSslSetFd       *ebpf.ProgramSpec `ebpf:"uprobe_ssl_set_fd"`
-	UretprobeSslReadExit *ebpf.ProgramSpec `ebpf:"uretprobe_ssl_read_exit"`
+	KprobeAccept4Entry    *ebpf.ProgramSpec `ebpf:"kprobe_accept4_entry"`
+	KretprobeAccept4Exit  *ebpf.ProgramSpec `ebpf:"kretprobe_accept4_exit"`
+	UprobeSslReadEntry    *ebpf.ProgramSpec `ebpf:"uprobe_ssl_read_entry"`
+	UprobeSslSetFd        *ebpf.ProgramSpec `ebpf:"uprobe_ssl_set_fd"`
+	UprobeSslWriteEntry   *ebpf.ProgramSpec `ebpf:"uprobe_ssl_write_entry"`
+	UretprobeSslReadExit  *ebpf.ProgramSpec `ebpf:"uretprobe_ssl_read_exit"`
+	UretprobeSslWriteExit *ebpf.ProgramSpec `ebpf:"uretprobe_ssl_write_exit"`
 }

 // Ja4SslMapSpecs contains maps before they are loaded into the kernel.
@ -189,11 +191,13 @@ func (m *Ja4SslMaps) Close() error {
 //
 // It can be passed to LoadJa4SslObjects or ebpf.CollectionSpec.LoadAndAssign.
 type Ja4SslPrograms struct {
-	KprobeAccept4Entry   *ebpf.Program `ebpf:"kprobe_accept4_entry"`
-	KretprobeAccept4Exit *ebpf.Program `ebpf:"kretprobe_accept4_exit"`
-	UprobeSslReadEntry   *ebpf.Program `ebpf:"uprobe_ssl_read_entry"`
-	UprobeSslSetFd       *ebpf.Program `ebpf:"uprobe_ssl_set_fd"`
-	UretprobeSslReadExit *ebpf.Program `ebpf:"uretprobe_ssl_read_exit"`
+	KprobeAccept4Entry    *ebpf.Program `ebpf:"kprobe_accept4_entry"`
+	KretprobeAccept4Exit  *ebpf.Program `ebpf:"kretprobe_accept4_exit"`
+	UprobeSslReadEntry    *ebpf.Program `ebpf:"uprobe_ssl_read_entry"`
+	UprobeSslSetFd        *ebpf.Program `ebpf:"uprobe_ssl_set_fd"`
+	UprobeSslWriteEntry   *ebpf.Program `ebpf:"uprobe_ssl_write_entry"`
+	UretprobeSslReadExit  *ebpf.Program `ebpf:"uretprobe_ssl_read_exit"`
+	UretprobeSslWriteExit *ebpf.Program `ebpf:"uretprobe_ssl_write_exit"`
 }

 func (p *Ja4SslPrograms) Close() error {
@ -202,7 +206,9 @@ func (p *Ja4SslPrograms) Close() error {
 		p.KretprobeAccept4Exit,
 		p.UprobeSslReadEntry,
 		p.UprobeSslSetFd,
+		p.UprobeSslWriteEntry,
 		p.UretprobeSslReadExit,
+		p.UretprobeSslWriteExit,
 	)
 }