
The SSL structure in openssl 3.2.0 has been modified #464

Closed
Z3ratu1 opened this issue Jan 23, 2024 · 4 comments
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers question Further information is requested

Comments

Z3ratu1 commented Jan 23, 2024

kern/openssl.h contains a piece of code that parses an SSL* to obtain the fd. It appears to assume that the struct is laid out roughly as follows:

struct ssl_st {
    int version;
    const SSL_METHOD *method;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
...
}

But in openssl 3.2.0 this struct was heavily reworked: the bio family of structs was all moved into a struct ssl_connection_st, and the original ssl_st became

struct ssl_st {
    int type;
    SSL_CTX *ctx;
    const SSL_METHOD *defltmeth;
    const SSL_METHOD *method;
    CRYPTO_REF_COUNT references;
    CRYPTO_RWLOCK *lock;
    /* extra application data */
    CRYPTO_EX_DATA ex_data;
};

and ssl_connection_st is

struct ssl_connection_st {
    struct ssl_st ssl;
    int version;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
    ...
}

At call sites, the ssl_st is converted to an ssl_connection_st with the macro SSL_CONNECTION_FROM_SSL, so for the new openssl version an overall offset of sizeof(struct ssl_st)+sizeof(int) has to be added before the rbio/wbio structs can be reached.

Also, in uprobe/SSL_write, after ssl_wbio_addr has been read out, the following code uses ssl_wbio_ptr plus an offset to read the data. Is this a mistake?

    ssl_wbio_ptr = (u64 *)(ssl + SSL_ST_WBIO);
    ret = bpf_probe_read_user(&ssl_wbio_addr, sizeof(ssl_wbio_addr),
                              ssl_wbio_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
            ret);
        return 0;
    }

    // get fd ssl->wbio->num
    ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);
    ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
                              ssl_wbio_num_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
            ret);
        return 0;
    }
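As an added illustration, and not code from eCapture or OpenSSL, the C program below models the two layouts quoted above with constructed stand-in types and computes the field offsets with offsetof. It also contrasts the two-step read (load the wbio address from the SSL object, then read num from that address) with a read that applies the BIO_ST_NUM offset to the location of the wbio field inside the SSL object, which is the pattern the question above is about. All struct definitions, field sizes, the bio_st stand-in and the sample values (fd 443, TLS version 0x0303) are constructed; in this model on an LP64 target the pointer that follows `version` is 8-byte aligned, so the example computes the wbio offset as sizeof(struct ssl_st) + 16 rather than deriving it by hand.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two layouts quoted in the issue. Opaque
 * OpenSSL types are replaced by void pointers; the field order follows the
 * issue text, but the sizes are NOT those of the real OpenSSL headers. */

/* pre-3.2 ssl_st: version first, then the BIO pointers */
struct ssl_st_pre32 {
    int version;
    const void *method;
    void *rbio;
    void *wbio;
    void *bbio;
};

/* 3.2 ssl_st: only the generic header remains */
struct ssl_st_32 {
    int type;
    void *ctx;
    const void *defltmeth;
    const void *method;
    int references;   /* stand-in for CRYPTO_REF_COUNT */
    void *lock;
    void *ex_data;    /* stand-in for CRYPTO_EX_DATA */
};

/* 3.2 ssl_connection_st: embeds ssl_st, the old fields follow it */
struct ssl_connection_st_32 {
    struct ssl_st_32 ssl;
    int version;
    void *rbio;
    void *wbio;
    void *bbio;
    long trailing_fields[4];  /* stand-in for the many fields that follow */
};

/* minimal bio_st stand-in: num is the field that holds the fd */
struct bio_st_standin {
    const void *method;
    void *ptr;
    int init;
    int num;
};

size_t wbio_offset_pre32(void) { return offsetof(struct ssl_st_pre32, wbio); }
size_t wbio_offset_32(void)    { return offsetof(struct ssl_connection_st_32, wbio); }
size_t bio_num_offset(void)    { return offsetof(struct bio_st_standin, num); }

/* user-space stand-in for bpf_probe_read_user: copy n bytes, 0 on success */
static int probe_read(void *dst, size_t n, const void *src) {
    memcpy(dst, src, n);
    return 0;
}

/* Correct two-step read: load the wbio ADDRESS stored in the SSL object,
 * then read num from that address (ssl->wbio->num). */
int read_wbio_fd(const void *ssl, size_t wbio_off, size_t num_off) {
    uint64_t wbio_addr = 0;
    int num = -1;
    if (probe_read(&wbio_addr, sizeof(wbio_addr), (const char *)ssl + wbio_off))
        return -1;
    if (probe_read(&num, sizeof(num), (const char *)(uintptr_t)wbio_addr + num_off))
        return -1;
    return num;
}

/* The questioned pattern: adding the num offset to the LOCATION of the wbio
 * field instead of the loaded address reads bytes from inside the SSL object,
 * never from the BIO. */
int read_wbio_fd_from_field_location(const void *ssl, size_t wbio_off, size_t num_off) {
    int num = -1;
    if (probe_read(&num, sizeof(num), (const char *)ssl + wbio_off + num_off))
        return -1;
    return num;
}

/* Build a constructed 3.2 connection whose wbio points at a bio with num 443. */
static void build_sample(struct ssl_connection_st_32 *conn, struct bio_st_standin *bio) {
    memset(conn, 0, sizeof(*conn));
    memset(bio, 0, sizeof(*bio));
    bio->init = 1;
    bio->num = 443;          /* constructed sample fd */
    conn->ssl.type = 1;
    conn->version = 0x0303;  /* constructed sample TLS version */
    conn->wbio = bio;
}

int demo_correct_fd(void) {
    struct ssl_connection_st_32 conn; struct bio_st_standin bio;
    build_sample(&conn, &bio);
    return read_wbio_fd(&conn, wbio_offset_32(), bio_num_offset());
}

int demo_field_location_fd(void) {
    struct ssl_connection_st_32 conn; struct bio_st_standin bio;
    build_sample(&conn, &bio);
    return read_wbio_fd_from_field_location(&conn, wbio_offset_32(), bio_num_offset());
}

int main(void) {
    printf("wbio offset pre-3.2: %zu, 3.2: %zu (sizeof ssl_st = %zu)\n",
           wbio_offset_pre32(), wbio_offset_32(), sizeof(struct ssl_st_32));
    printf("fd via ssl->wbio->num: %d, via field location: %d\n",
           demo_correct_fd(), demo_field_location_fd());
    return 0;
}
```

Because the sample zero-fills every field after bbio, the field-location read lands in those zeroed bytes and returns 0, which makes the difference between the two reads visible deterministically; with a real object it would simply return whatever happens to sit there.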
@cfc4n cfc4n added good first issue Good for newcomers question Further information is requested enhancement New feature or request labels Jan 23, 2024

cfc4n commented Jan 23, 2024

OpenSSL 3.2 is a recently released version, quite new. As you mentioned, there are changes in the structure of the data. It requires eCapture adaptation. I will provide support for it soon.

@cfc4n cfc4n changed the title SSL structure changes in openssl 3.2.0 and related questions The SSL structure in openssl 3.2.0 has been modified Jan 23, 2024
@cfc4n cfc4n self-assigned this Jan 24, 2024

cfc4n commented Jan 26, 2024

OpenSSL 3.2.x does have a particularly big change, and I need to find a suitable HOOK function again, which will take some time.

However, I started by supporting the 3.1.x version of the openssl library.


cfc4n commented Jan 26, 2024

In OpenSSL 3.2.x, even though the structure of the bio has changed, the text mode of eCapture will still work normally. However, the keylog and pcapng modes really don't work.

cfc4n added a commit that referenced this issue Jan 28, 2024
* kern: support openssl 3.2.x , change ssl_st to ssl_connection_st, update more OFFSETS.
* user: Added eBPF loader support for OpenSSL 3.2.0.
* Optimized OpenSSL 3.2 offset generation scripts.
* SSL_CONNECTION types of ssl_st are not supported at this time.

feat: #464 
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>

cfc4n commented Jan 28, 2024

Support for OpenSSL 3.2.0 has been completed, please try the new version v0.7.3.

@Z3ratu1 Z3ratu1 closed this as completed Jan 29, 2024