NETOBSERV-2471: TLS usage tracking

bpf/flows.c

@@ -28,6 +28,11 @@
  */
 #include "dns_tracker.h"
 
+/*
+ * Defines the TLS tracker,
+ */
+#include "tls_tracker.h"
+
 /*
  * Defines an rtt tracker,
  * which runs inside flow_monitor. Is optional.
@@ -93,6 +98,17 @@ static __always_inline void update_existing_flow(flow_metrics *aggregate_flow, p
         aggregate_flow->flags |= pkt->flags;
         aggregate_flow->dscp = pkt->dscp;
         aggregate_flow->sampling = sampling;
+        if (pkt->ssl_version != 0 && aggregate_flow->ssl_version != pkt->ssl_version) {
+            if (aggregate_flow->ssl_version == 0) {
+                aggregate_flow->ssl_version = pkt->ssl_version;
+            } else {
+                // If several SSL versions are found, keep just the smallest and set the "mismatch" flag
+                if (pkt->ssl_version < aggregate_flow->ssl_version) {
+                    aggregate_flow->ssl_version = pkt->ssl_version;
+                }
+                aggregate_flow->misc_flags |= MISC_FLAGS_SSL_MISMATCH;
+            }
+        }
     } else if (if_index != 0) {
         // Only add info that we've seen this interface (we can also update end time & flags)
         aggregate_flow->end_mono_time_ts = pkt->current_ts;
@@ -178,6 +194,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
     if (enable_dns_tracking) {
         dns_errno = track_dns_packet(skb, &pkt);
     }
+    track_tls_version(skb, &pkt);
     flow_metrics *aggregate_flow = (flow_metrics *)bpf_map_lookup_elem(&aggregated_flows, &id);
     if (aggregate_flow != NULL) {
         update_existing_flow(aggregate_flow, &pkt, len, flow_sampling, skb->ifindex, direction);
@@ -197,6 +214,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
         new_flow.sampling = flow_sampling;
         __builtin_memcpy(new_flow.dst_mac, eth->h_dest, ETH_ALEN);
         __builtin_memcpy(new_flow.src_mac, eth->h_source, ETH_ALEN);
+        new_flow.ssl_version = pkt.ssl_version;
 
         long ret = bpf_map_update_elem(&aggregated_flows, &id, &new_flow, BPF_NOEXIST);
         if (ret != 0) {

bpf/tls_tracker.h

@@ -0,0 +1,82 @@
+/*
+    light weight TLS tracker.
+*/
+
+#ifndef __TLS_TRACKER_H__
+#define __TLS_TRACKER_H__
+#include "utils.h"
+
+#define CONTENT_TYPE_CHANGE_CIPHER 0x14
+#define CONTENT_TYPE_ALERT 0x15
+#define CONTENT_TYPE_HANDSHAKE 0x16
+#define CONTENT_TYPE_APP_DATA 0x17
+#define HANDSHAKE_CLIENT_HELLO 0x01
+#define HANDSHAKE_SERVER_HELLO 0x02
+
+// https://www.rfc-editor.org/rfc/rfc5246
+struct tls_record {
+    u8 content_type; // handshake, alert, change cipher, app data
+    u8 major;
+    u8 minor;
+    u16 length;
+};
+
+struct tls_handshake_header {
+    u8 content_type; // client hello, server hello ...
+    u8 len[3];
+};
+
+struct tls_handshake_version {
+    u8 major;
+    u8 minor;
+};
+
+// Extract TLS info
+static inline void track_tls_version(struct __sk_buff *skb, pkt_info *pkt) {
+    if (pkt->id->transport_protocol == IPPROTO_TCP) {
+        void *data_end = (void *)(long)skb->data_end;
+        struct tcphdr *tcp = (struct tcphdr *)pkt->l4_hdr;
+        if (!tcp || ((void *)tcp + sizeof(*tcp) > data_end)) {
+            return;
+        }
+
+        u8 len = tcp->doff * sizeof(u32);
+        if (!len) {
+            return;
+        }
+
+        struct tls_record rec;
+        u32 offset = (long)pkt->l4_hdr - (long)skb->data + len;
+
+        if ((bpf_skb_load_bytes(skb, offset, &rec, sizeof(rec))) < 0) {
+            return;
+        }
+
+        switch (rec.content_type) {
+        case CONTENT_TYPE_HANDSHAKE: {
+            pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor;
+            struct tls_handshake_header handshake;
+            if (bpf_skb_load_bytes(skb, offset + sizeof(rec), &handshake, sizeof(handshake)) < 0) {
+                return;
+            }
+            if (handshake.content_type == HANDSHAKE_CLIENT_HELLO ||
+                handshake.content_type == HANDSHAKE_SERVER_HELLO) {
+                struct tls_handshake_version handshake_version;
+                if (bpf_skb_load_bytes(skb, offset + sizeof(rec) + sizeof(handshake),
+                                       &handshake_version, sizeof(handshake_version)) < 0) {
+                    return;
+                }
+                pkt->ssl_version = ((u16)handshake_version.major) << 8 | handshake_version.minor;
+            }
+            break;
+        }
+        case CONTENT_TYPE_CHANGE_CIPHER:
+        case CONTENT_TYPE_ALERT:
+        case CONTENT_TYPE_APP_DATA:
+            pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor;
+            break;
+        }
+    }
+}
+
+#endif // __TLS_TRACKER_H__

bpf/types.h

@@ -71,6 +71,8 @@ typedef __u64 u64;
 
 #define MAX_PAYLOAD_SIZE 256
 
+#define MISC_FLAGS_SSL_MISMATCH 0x01
+
 // according to field 61 in https://www.iana.org/assignments/ipfix/ipfix.xhtml
 typedef enum direction_t {
     INGRESS,
@@ -110,6 +112,8 @@ typedef struct flow_metrics_t {
     u8 nb_observed_intf;
     u8 observed_direction[MAX_OBSERVED_INTERFACES];
     u32 observed_intf[MAX_OBSERVED_INTERFACES];
+    u16 ssl_version;
+    u8 misc_flags;
 } flow_metrics;
 
 // Force emitting enums/structs into the ELF
@@ -192,6 +196,7 @@ typedef struct pkt_info_t {
     u16 dns_id;
     u16 dns_flags;
     u64 dns_latency;
+    u16 ssl_version;
 } pkt_info;
 
 // Structure for payload metadata

pkg/decode/decode_protobuf.go

@@ -93,6 +93,10 @@ func RecordToMap(fr *model.Record) config.GenericMap {
 		out["Sampling"] = fr.Metrics.Sampling
 	}
 
+	if tlsVersion := fr.Metrics.SSLVersionToString(); tlsVersion != "" {
+		out["TLSVersion"] = tlsVersion
+	}
+
 	if fr.Metrics.EthProtocol == uint16(ethernet.EtherTypeIPv4) || fr.Metrics.EthProtocol == uint16(ethernet.EtherTypeIPv6) {
 		out["SrcAddr"] = model.IP(fr.ID.SrcIp).String()
 		out["DstAddr"] = model.IP(fr.ID.DstIp).String()

pkg/decode/decode_protobuf_test.go

@@ -98,6 +98,7 @@ func TestPBFlowToMap(t *testing.T) {
 		},
 		IpsecEncrypted:    1,
 		IpsecEncryptedRet: 0,
+		SslVersion:        0x0303,
 	}
 
 	out := PBFlowToMap(flow)
@@ -155,5 +156,6 @@ func TestPBFlowToMap(t *testing.T) {
 		"ZoneId":       uint16(100),
 		"IPSecRetCode": int32(0),
 		"IPSecStatus":  "success",
+		"TLSVersion":   "TLS 1.2",
 	}, out)
 }

pkg/exporter/converters_test.go

@@ -48,6 +48,7 @@ func TestConversions(t *testing.T) {
 						Flags:       0x100,
 						Dscp:        64,
 						Sampling:    1,
+						SslVersion:  0x0303,
 					},
 					AdditionalMetrics: &ebpf.BpfAdditionalMetrics{
 						DnsRecord: ebpf.BpfDnsRecordT{
@@ -83,6 +84,7 @@ func TestConversions(t *testing.T) {
 				"AgentIP":         "10.11.12.13",
 				"IPSecRetCode":    0,
 				"IPSecStatus":     "success",
+				"TLSVersion":      "TLS 1.2",
 			},
 		},
 		{
@@ -333,6 +335,7 @@ func TestConversions(t *testing.T) {
 						Packets:     123,
 						Flags:       0x100,
 						Dscp:        64,
+						SslVersion:  0x0200,
 					},
 					AdditionalMetrics: &ebpf.BpfAdditionalMetrics{
 						DnsRecord: ebpf.BpfDnsRecordT{
@@ -389,6 +392,7 @@ func TestConversions(t *testing.T) {
 				"TimeFlowRttNs":          someDuration.Nanoseconds(),
 				"IPSecRetCode":           0,
 				"IPSecStatus":            "success",
+				"TLSVersion":             "0x0200",
 			},
 		},
 		{
@@ -410,6 +414,7 @@ func TestConversions(t *testing.T) {
 						Packets:     1,
 						Flags:       0x100,
 						Dscp:        64,
+						SslVersion:  0x0303,
 					},
 					AdditionalMetrics: &ebpf.BpfAdditionalMetrics{
 						DnsRecord: ebpf.BpfDnsRecordT{
@@ -447,6 +452,59 @@ func TestConversions(t *testing.T) {
 				"AgentIP":         "10.11.12.13",
 				"IPSecRetCode":    0,
 				"IPSecStatus":     "success",
+				"TLSVersion":      "TLS 1.2",
+			},
+		},
+		{
+			name: "SSL Mismatch",
+			flow: &model.Record{
+				ID: ebpf.BpfFlowId{
+					SrcIp:             model.IPAddr{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x06, 0x07, 0x08, 0x09},
+					DstIp:             model.IPAddr{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x0a, 0x0b, 0x0c, 0x0d},
+					SrcPort:           23000,
+					DstPort:           443,
+					TransportProtocol: 6,
+				},
+				Metrics: model.BpfFlowContent{
+					BpfFlowMetrics: &ebpf.BpfFlowMetrics{
+						EthProtocol: 2048,
+						SrcMac:      model.MacAddr{0x04, 0x05, 0x06, 0x07, 0x08, 0x09},
+						DstMac:      model.MacAddr{0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f},
+						Bytes:       64,
+						Packets:     1,
+						Flags:       0x100,
+						Dscp:        64,
+						SslVersion:  0x0303,
+						MiscFlags:   model.MiscFlagsSSLMismatch,
+					},
+				},
+				Interfaces: []model.IntfDirUdn{
+					model.NewIntfDirUdn("eth0", model.DirectionEgress, nil),
+				},
+				TimeFlowStart: someTime,
+				TimeFlowEnd:   someTime,
+				AgentIP:       net.IPv4(0x0a, 0x0b, 0x0c, 0x0d),
+			},
+			expected: &config.GenericMap{
+				"IfDirections":    []int{1},
+				"Bytes":           64,
+				"SrcAddr":         "6.7.8.9",
+				"DstAddr":         "10.11.12.13",
+				"Dscp":            64,
+				"DstMac":          "0a:0b:0c:0d:0e:0f",
+				"SrcMac":          "04:05:06:07:08:09",
+				"Etype":           2048,
+				"Packets":         1,
+				"Proto":           6,
+				"SrcPort":         23000,
+				"DstPort":         443,
+				"Flags":           0x100,
+				"TimeFlowStartMs": someTime.UnixMilli(),
+				"TimeFlowEndMs":   someTime.UnixMilli(),
+				"Interfaces":      []string{"eth0"},
+				"Udns":            []string{""},
+				"AgentIP":         "10.11.12.13",
+				"TLSVersion":      "~ TLS 1.2",
 			},
 		},
 	}

pkg/model/record.go

@@ -1,6 +1,7 @@
 package model
 
 import (
+	"crypto/tls"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -25,6 +26,8 @@ const (
 	NetworkEventsMaxEventsMD = 8
 	MaxNetworkEvents         = 4
 	MaxObservedInterfaces    = 6
+
+	MiscFlagsSSLMismatch = 0x01
 )
 
 var recordLog = logrus.WithField("component", "model")
@@ -222,3 +225,18 @@ func AllZeroIP(ip net.IP) bool {
 	}
 	return false
 }
+
+func (r *BpfFlowContent) SSLVersionToString() string {
+	if r.SslVersion == 0 {
+		return ""
+	}
+	v := tls.VersionName(r.SslVersion)
+	if r.HasSSLMismatch() {
+		return "~ " + v
+	}
+	return v
+}
+
+func (r *BpfFlowContent) HasSSLMismatch() bool {
+	return r.MiscFlags&MiscFlagsSSLMismatch > 0
+}