ebpf: add trace wolfSSL_write() and wolfSSL_read() using eBPF uprobes.

Includes:
 - TLS client and server examples
 - eBPF programs for write/read entry and read return
 - userspace loader with perf buffer handling
 - automatic symbol lookup (no hardcoded offsets)
 - x86_64 and ARM64 register handling
 - full README with usage, architecture, and explanation

Shows how to observe TLS plaintext inside applications without modifying
wolfSSL or application code.

Signed-off-by: sameeh.jubran <sameeh@wolfssl.com>

Author: sameehj

ebpf/syscall-write-trace/Makefile

@@ -1,5 +1,3 @@
-# Makefile for syscall-write-trace example
-
 CC = gcc
 CLANG = clang
 

ebpf/syscall-write-trace/client-tcp.c

@@ -1,12 +1,12 @@
 /* client-tcp.c
  *
- * Copyright (C) 2006-2020 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,
@@ -16,7 +16,7 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
 /* the usual suspects */

ebpf/syscall-write-trace/server-tcp.c

@@ -1,12 +1,12 @@
 /* server-tcp.c
  *
- * Copyright (C) 2006-2020 wolfSSL Inc.
+ * Copyright (C) 2006-2025 wolfSSL Inc.
  *
- * This file is part of wolfSSL. (formerly known as CyaSSL)
+ * This file is part of wolfSSL.
  *
  * wolfSSL is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
+ * the Free Software Foundation; either version 3 of the License, or
  * (at your option) any later version.
  *
  * wolfSSL is distributed in the hope that it will be useful,
@@ -16,10 +16,9 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  */
 
-/* the usual suspects */
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>

ebpf/syscall-write-trace/write_tracer.bpf.c

@@ -1,4 +1,26 @@
-//  SPDX-License-Identifier: GPL-2.0
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+/* wolfssl_tracer.bpf.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
 #include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>

ebpf/syscall-write-trace/write_tracer.c

@@ -1,3 +1,24 @@
+/* write_tracer.c
+ *
+ * Copyright (C) 2006-2025 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>

ebpf/tls-uprobe-trace/.gitignore

@@ -0,0 +1,13 @@
+# Binaries
+client-tls
+server-tls
+wolfssl_uprobe
+*.o
+*.bpf.o
+*.log
+
+# Editor files
+*~
+*.swp
+.DS_Store
+

ebpf/tls-uprobe-trace/Makefile

@@ -0,0 +1,44 @@
+CC      = gcc
+CLANG   = clang
+CFLAGS  = -O2 -g -Wall
+
+# Auto-detect host arch, convert to BPF target name
+UNAME_M := $(shell uname -m)
+
+ifeq ($(UNAME_M), x86_64)
+    BPF_ARCH   := x86
+    UAPI_PATH  := /usr/include/x86_64-linux-gnu
+else ifeq ($(UNAME_M), aarch64)
+    BPF_ARCH   := arm64
+    UAPI_PATH  := /usr/include/aarch64-linux-gnu
+else
+    $(error Unsupported architecture: $(UNAME_M))
+endif
+
+BPF_CFLAGS = -O2 -g -target bpf -D__TARGET_ARCH_$(BPF_ARCH)
+
+LIBBPF_LIBS = -lbpf -lelf -lz
+
+TARGETS = client-tls server-tls wolfssl_uprobe wolfssl_uprobe.bpf.o
+
+all: $(TARGETS)
+
+# ===== TLS Programs =====
+client-tls: client-tls.c
+	$(CC) $(CFLAGS) $< -o $@ -lwolfssl
+
+server-tls: server-tls.c
+	$(CC) $(CFLAGS) $< -o $@ -lwolfssl
+
+# ===== eBPF Program =====
+wolfssl_uprobe.bpf.o: wolfssl_uprobe.bpf.c
+	$(CLANG) $(BPF_CFLAGS) \
+		-I/usr/include \
+		-I$(UAPI_PATH) \
+		-c $< -o $@
+
+wolfssl_uprobe: wolfssl_uprobe.c wolfssl_uprobe.bpf.o
+	$(CC) $(CFLAGS) $< -o $@ $(LIBBPF_LIBS)
+
+clean:
+	rm -f $(TARGETS) *.o *.log