WIP TLS

(wip status = pretty much done, except for handshake version (see code
comment), maybe needs an experimental feature gate; correctness to be
verified, as I'm getting less TLS flows than expected - am I missing
something?)

use tls.VersionName

Author: jotak

bpf/flows.c

@@ -93,6 +93,17 @@ static __always_inline void update_existing_flow(flow_metrics *aggregate_flow, p
         aggregate_flow->flags |= pkt->flags;
         aggregate_flow->dscp = pkt->dscp;
         aggregate_flow->sampling = sampling;
+        if (pkt->ssl_version != 0 && aggregate_flow->ssl_version != pkt->ssl_version) {
+            if (aggregate_flow->ssl_version == 0) {
+                aggregate_flow->ssl_version = pkt->ssl_version;
+            } else {
+                // If several SSL versions are found, keep just the smallest and set the "mismatch" flag
+                if (pkt->ssl_version < aggregate_flow->ssl_version) {
+                    aggregate_flow->ssl_version = pkt->ssl_version;
+                }
+                aggregate_flow->misc_flags |= MISC_FLAGS_SSL_MISMATCH;
+            }
+        }
     } else if (if_index != 0) {
         // Only add info that we've seen this interface (we can also update end time & flags)
         aggregate_flow->end_mono_time_ts = pkt->current_ts;
@@ -197,6 +208,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
         new_flow.sampling = flow_sampling;
         __builtin_memcpy(new_flow.dst_mac, eth->h_dest, ETH_ALEN);
         __builtin_memcpy(new_flow.src_mac, eth->h_source, ETH_ALEN);
+        new_flow.ssl_version = pkt.ssl_version;
 
         long ret = bpf_map_update_elem(&aggregated_flows, &id, &new_flow, BPF_NOEXIST);
         if (ret != 0) {

bpf/types.h

@@ -71,6 +71,8 @@ typedef __u64 u64;
 
 #define MAX_PAYLOAD_SIZE 256
 
+#define MISC_FLAGS_SSL_MISMATCH 0x01
+
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
     INGRESS,
@@ -110,6 +112,8 @@ typedef struct flow_metrics_t {
     u8 nb_observed_intf;
     u8 observed_direction[MAX_OBSERVED_INTERFACES];
     u32 observed_intf[MAX_OBSERVED_INTERFACES];
+    u16 ssl_version;
+    u8 misc_flags;
 } flow_metrics;
 
 // Force emitting enums/structs into the ELF
@@ -192,6 +196,7 @@ typedef struct pkt_info_t {
     u16 dns_id;
     u16 dns_flags;
     u64 dns_latency;
+    u16 ssl_version;
 } pkt_info;
 
 // Structure for payload metadata

bpf/utils.h

@@ -50,6 +50,22 @@ static inline void set_flags(struct tcphdr *th, u16 *flags) {
     }
 }
 
+// Extract TLS info
+static inline void fill_tls_info(struct tcphdr *tcp, void *data_end, pkt_info *pkt) {
+    void *start_payload = ((void *)tcp) + (tcp->doff * 4);
+    if (start_payload + 5 <= data_end) {
+        if (((u8 *)start_payload)[0] == 0x16) {
+            // TODO handshake special case, see https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html
+            pkt->ssl_version =
+                ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]);
+        } else if (((u8 *)start_payload)[0] == 0x14 || ((u8 *)start_payload)[0] == 0x15 ||
+                   ((u8 *)start_payload)[0] == 0x17) {
+            pkt->ssl_version =
+                ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]);
+        }
+    }
+}
+
 // Extract L4 info for the supported protocols
 static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol, pkt_info *pkt) {
     flow_id *id = pkt->id;
@@ -62,6 +78,7 @@ static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol,
             id->dst_port = bpf_ntohs(tcp->dest);
             set_flags(tcp, &pkt->flags);
             pkt->l4_hdr = (void *)tcp;
+            fill_tls_info(tcp, data_end, pkt);
         }
     } break;
     case IPPROTO_UDP: {

pkg/decode/decode_protobuf.go

@@ -148,6 +148,12 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 			out["IPSecRetCode"] = int32(0)
 			out["IPSecStatus"] = "success"
 		}
+		if tlsVersion := fr.Metrics.SSLVersionToString(); tlsVersion != "" {
+			out["TLSVersion"] = tlsVersion
+		}
+		if fr.Metrics.HasSSLMismatch() {
+			out["TLSMismatch"] = true
+		}
 	}
 
 	if fr.TimeFlowRtt != 0 {

pkg/decode/decode_protobuf_test.go

@@ -98,6 +98,7 @@ func TestPBFlowToMap(t *testing.T) {
 		},
 		IpsecEncrypted:    1,
 		IpsecEncryptedRet: 0,
+		SslVersion:        0x0303,
 	}
 
 	out := PBFlowToMap(flow)
@@ -155,5 +156,6 @@ func TestPBFlowToMap(t *testing.T) {
 		"ZoneId":       uint16(100),
 		"IPSecRetCode": int32(0),
 		"IPSecStatus":  "success",
+		"TLSVersion":   "TLS 1.2",
 	}, out)
 }