fix(ja4ebpf): correct BPF struct byte offsets and regenerate SSL_write programs
Fix two critical offset bugs introduced when ip_total_length was added to tcp_syn_event: tcp_options_raw offset 21→23 and tcp_options_len offset 61→63, plus minimum size check 70→72. Fix ssl_data_event direction field offset from 4118 (inside timestamp_ns) to 4126. Simplify attachSSLWrite to use generated objects directly instead of dynamic spec loading. Regenerate BPF objects with SSL_write uprobe programs included. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ -266,10 +266,9 @@ func (l *Loader) AttachUprobes(sslLibPath string) error {
|
||||
l.uprobeLinks = append(l.uprobeLinks, readExitLink)
|
||||
|
||||
// SSL_write — capture les réponses HTTP du serveur (direction=1)
|
||||
// Les programmes BPF uprobe/SSL_write et uretprobe/SSL_write sont
|
||||
// chargés depuis les objets Ja4Ssl. Si les objets BPF n'ont pas été
|
||||
// régénérés (pas de clang sur le host), ces programmes sont absents.
|
||||
_ = l.attachSSLWrite(ex)
|
||||
if err := l.attachSSLWrite(ex); err != nil {
|
||||
return fmt.Errorf("attachement SSL_write: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@ -293,43 +292,17 @@ func (l *Loader) AttachAcceptProbe() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// attachSSLWrite tente d'attacher les uprobes SSL_write pour capturer
|
||||
// les réponses HTTP du serveur. Si les programmes BPF SSL_write ne sont
|
||||
// pas disponibles (objets non régénérés), retourne nil sans bloquer.
|
||||
// attachSSLWrite attache les uprobes SSL_write pour capturer
|
||||
// les réponses HTTP du serveur (direction=1).
|
||||
func (l *Loader) attachSSLWrite(ex *link.Executable) error {
|
||||
// Charger la collection spec embarquée pour vérifier si SSL_write existe
|
||||
spec, err := LoadJa4Ssl()
|
||||
entryLink, err := ex.Uprobe("SSL_write", l.sslObjs.UprobeSslWriteEntry, nil)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
entrySpec, hasEntry := spec.Programs["uprobe_ssl_write_entry"]
|
||||
exitSpec, hasExit := spec.Programs["uretprobe_ssl_write_exit"]
|
||||
if !hasEntry || !hasExit {
|
||||
return nil // programmes SSL_write absents — BPF non régénéré
|
||||
}
|
||||
|
||||
writeEntry, err := ebpf.NewProgram(entrySpec)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
writeExit, err := ebpf.NewProgram(exitSpec)
|
||||
if err != nil {
|
||||
writeEntry.Close()
|
||||
return nil
|
||||
}
|
||||
|
||||
entryLink, err := ex.Uprobe("SSL_write", writeEntry, nil)
|
||||
if err != nil {
|
||||
writeEntry.Close()
|
||||
writeExit.Close()
|
||||
return fmt.Errorf("attachement uprobe SSL_write (entry): %w", err)
|
||||
}
|
||||
l.uprobeLinks = append(l.uprobeLinks, entryLink)
|
||||
|
||||
exitLink, err := ex.Uretprobe("SSL_write", writeExit, nil)
|
||||
exitLink, err := ex.Uretprobe("SSL_write", l.sslObjs.UretprobeSslWriteExit, nil)
|
||||
if err != nil {
|
||||
writeExit.Close()
|
||||
return fmt.Errorf("attachement uretprobe SSL_write (exit): %w", err)
|
||||
}
|
||||
l.uprobeLinks = append(l.uprobeLinks, exitLink)
|
||||
|
||||
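Review bot: In attachSSLWrite, when `ex.Uretprobe("SSL_write", l.sslObjs.UretprobeSslWriteExit, nil)` fails, the function returns with the entry uprobe still attached and already stored in `l.uprobeLinks`, leaving an SSL_write entry probe with no matching exit probe. Since the comment says these probes capture the server's HTTP responses, I would not leave a partial attach live: call `entryLink.Close()` before the return in the uretprobe error branch, and record the links only after both attaches succeed with `l.uprobeLinks = append(l.uprobeLinks, entryLink, exitLink)`. The same concern applies in AttachUprobes, where `return fmt.Errorf("attachement SSL_write: %w", err)` now aborts after the SSL_read links were appended; whether the caller closes `l.uprobeLinks` on error is not visible here. A comment above that `if` should also state that a library exposing no SSL_write symbol now fails the whole attach, where the error was previously discarded. The body of attachSSLWrite continues past the end of the hunk.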