This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH 2/2] new example: capture_ssl_master_secrets.stp

Thanks! I worked on the meta file a bit and checked it in as commit 327716850.

On Mon, Oct 30, 2017 at 11:09 AM, Timo Juhani Lindfors
<timo.lindfors@iki.fi> wrote:
> Tested to work with Debian 9 openssl and gnutls.
> ---
>  .../io/capture_ssl_master_secrets.meta             | 11 ++++++++
>  .../io/capture_ssl_master_secrets.stp              | 33 ++++++++++++++++++++++
>  .../io/capture_ssl_master_secrets.txt              | 22 +++++++++++++++
>  3 files changed, 66 insertions(+)
>  create mode 100644 testsuite/systemtap.examples/io/capture_ssl_master_secrets.meta
>  create mode 100755 testsuite/systemtap.examples/io/capture_ssl_master_secrets.stp
>  create mode 100644 testsuite/systemtap.examples/io/capture_ssl_master_secrets.txt
>
> diff --git a/testsuite/systemtap.examples/io/capture_ssl_master_secrets.meta b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.meta
> new file mode 100644
> index 000000000..2ac462734
> --- /dev/null
> +++ b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.meta
> @@ -0,0 +1,11 @@
> +title: Capture SSL/TLS master secrets from gnutls and openssl users
> +name: capture_ssl_master_secrets.stp
> +version: 1.0
> +author: Timo Juhani Lindfors <timo.lindfors@iki.fi>
> +keywords: io monitoring
> +application: openssl gnutls
> +status: alpha
> +exit: user-controlled
> +output: trace
> +scope: system-wide
> +description: Capture SSL/TLS master secrets from gnutls and openssl users for easy traffic decryption
> diff --git a/testsuite/systemtap.examples/io/capture_ssl_master_secrets.stp b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.stp
> new file mode 100755
> index 000000000..e021fd9bd
> --- /dev/null
> +++ b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.stp
> @@ -0,0 +1,33 @@
> +#!/usr/bin/env stap
> +
> +function cast_char_to_unsigned_char (val:long) {
> +  if (val < 0) {
> +    return val + 256;
> +  } else {
> +    return val;
> +  }
> +}
> +
> +function print_buffer (buf:long, len:long) {
> +  for (i = 0; i < len; i++) {
> +    printf("%02x", cast_char_to_unsigned_char(user_char(buf + i)));
> +  }
> +}
> +
> +probe process("/usr/lib/*/libssl.so.*").function("tls1_generate_master_secret").return {
> +  printf("# %d %s %s (%d)\n", gettimeofday_us(), pp(), execname(), pid());
> +  printf("CLIENT_RANDOM ");
> +  print_buffer(@entry($s->s3->client_random), 32);
> +  printf(" ");
> +  print_buffer(@entry($out), $return);
> +  printf("\n");
> +}
> +
> +probe process("/usr/lib/*/libgnutls.so.*").function("generate_normal_master").return {
> +  printf("# %d %s %s (%d)\n", gettimeofday_us(), pp(), execname(), pid());
> +  printf("CLIENT_RANDOM ");
> +  print_buffer(@entry($session) + 72, 32);
> +  printf(" ");
> +  print_buffer(@entry($session) + 24, 48);
> +  printf("\n");
> +}
> diff --git a/testsuite/systemtap.examples/io/capture_ssl_master_secrets.txt b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.txt
> new file mode 100644
> index 000000000..d9c20d45f
> --- /dev/null
> +++ b/testsuite/systemtap.examples/io/capture_ssl_master_secrets.txt
> @@ -0,0 +1,22 @@
> +Capture SSL/TLS master secrets from gnutls and openssl users
> +
> +The following usage example has been tested to work on Debian 9:
> +
> +$ sudo stap-prep
> +$ sudo apt-get install libgnutls30-dbgsym libssl1.0.2-dbgsym libssl1.1-dbgsym libssl-dev
> +$ ./capture_ssl_master_secrets.stp | tee keylog.txt &
> +$ sudo tcpdump -s0 -w traffic.pcap -U port 443 &
> +$ curl https://www.ssllabs.com/curl_secret
> +$ wget https://www.ssllabs.com/wget_secret
> +$ echo "GET /sclient_secret HTTP/1.1\nHost: www.ssllabs.com\n\n" | openssl s_client -connect www.ssllabs.com:443 -servername www.ssllabs.com
> +$ cat keylog.txt
> +# 1509378583063892 process("/usr/lib/x86_64-linux-gnu/libssl.so.1.0.2").function("tls1_generate_master_secret@./ssl/t1_enc.c:1134").return curl (24745)
> +CLIENT_RANDOM 924207933a2eda5d90ccd2552a620924c6cd12bf72036ced2227bfc0016152ad 9bffacb095403182e9a2f515851d3fa49838b93599de6507230bac0c0666c29d140588739635d4ad19bdfd4fced69000
> +# 1509378587558501 process("/usr/lib/x86_64-linux-gnu/libgnutls.so.30.13.1").function("generate_normal_master@./lib/kx.c:131").return wget (24755)
> +CLIENT_RANDOM 59f74aa0d72f90753e989d049953deb9fc6479a2c7091936520d280a4b1be28a 5604af95f156eaa21a93f6982c1de24289b86dac9331e0080bfc4b1a67ab13535f03c7d50530e5b3f8cd572b5d8967c8
> +# 1509378592611222 process("/usr/lib/x86_64-linux-gnu/libssl.so.1.1").function("tls1_generate_master_secret@../ssl/t1_enc.c:463").return openssl (24757)
> +CLIENT_RANDOM aa211423644611d7b52f254e44e55c3919a48d81cc0a7f0c6af604190720fc93 74150d7854157f7e6b01e40238641d065c37d7f931bac6a14aa9fac6a44b1ea7da0943f15714039acc3f71077c21127a
> +$ tshark -o ssl.keylog_file:keylog.txt -d tcp.port==443,ssl -x -r traffic.pcap -V | grep -A1 'Decrypted SSL data' |grep "GET "
> +0000  47 45 54 20 2f 63 75 72 6c 5f 73 65 63 72 65 74   GET /curl_secret
> +0000  47 45 54 20 2f 77 67 65 74 5f 73 65 63 72 65 74   GET /wget_secret
> +0000  47 45 54 20 2f 73 63 6c 69 65 6e 74 5f 73 65 63   GET /sclient_sec
> --
> 2.11.0
>



-- 
David Smith
Principal Software Engineer
Red Hat
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]