gojue/ecapture

The SSL structure in openssl 3.2.0 has been modified

Z3ratu1 opened this issue · 4 comments

kern/openssl.h contains a piece of code that parses the SSL* to obtain the fd. It appears to assume that the struct is laid out roughly as follows:

struct ssl_st {
    int version;
    const SSL_METHOD *method;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
...
}

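However, in openssl 3.2.0 this struct has been heavily reworked: the bio family of members has been moved into a struct called ssl_connection_st, and the original ssl_st becomes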

struct ssl_st {
    int type;
    SSL_CTX *ctx;
    const SSL_METHOD *defltmeth;
    const SSL_METHOD *method;
    CRYPTO_REF_COUNT references;
    CRYPTO_RWLOCK *lock;
    /* extra application data */
    CRYPTO_EX_DATA ex_data;
};

ssl_connection_st is

struct ssl_connection_st {
    struct ssl_st ssl;
    int version;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
    ...
}

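When called, ssl_st is converted to ssl_connection_st with the macro SSL_CONNECTION_FROM_SSL, so for the new openssl version an overall offset of sizeof(struct ssl_st)+sizeof(int) needs to be added in order to reach the rbio/wbio structs.

Also, in uprobe/SSL_write, after ssl_wbio_addr has been read out, the code that follows uses ssl_wbio_ptr plus an offset to read the data. Is this a mistake?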

    ssl_wbio_ptr = (u64 *)(ssl + SSL_ST_WBIO);
    ret = bpf_probe_read_user(&ssl_wbio_addr, sizeof(ssl_wbio_addr),
                              ssl_wbio_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
            ret);
        return 0;
    }

    // get fd ssl->wbio->num
    ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);
    ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
                              ssl_wbio_num_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
            ret);
        return 0;
    }
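
An added example, not part of the issue or of eCapture's code: it rebuilds the two layouts quoted above with stand-in types (`ref_count_t`, `ex_data_t`, `mock_bio` and the fd value 7 are assumptions) and takes the `wbio` offset from `offsetof`, so alignment padding is included, then performs the two-step `ssl->wbio->num` read. Real offsets have to come from the headers or debug info of the OpenSSL build being traced.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in types (assumptions): only size and alignment matter here. */
typedef struct { int val; } ref_count_t;            /* for CRYPTO_REF_COUNT */
typedef struct { void *ctx; void *sk; } ex_data_t;  /* for CRYPTO_EX_DATA */
struct mock_bio { void *pad[6]; int num; };         /* constructed; num holds the fd */

struct old_ssl_st {              /* pre-3.2 layout as sketched in the issue */
    int version;
    const void *method;
    struct mock_bio *rbio, *wbio, *bbio;
};
struct new_ssl_st {              /* 3.2.0 layout as quoted in the issue */
    int type;
    void *ctx;
    const void *defltmeth, *method;
    ref_count_t references;
    void *lock;
    ex_data_t ex_data;
};
struct new_ssl_connection_st {
    struct new_ssl_st ssl;
    int version;
    struct mock_bio *rbio, *wbio, *bbio;
};

#define OLD_WBIO_OFF offsetof(struct old_ssl_st, wbio)
#define NEW_WBIO_OFF offsetof(struct new_ssl_connection_st, wbio)
#define BIO_NUM_OFF  offsetof(struct mock_bio, num)

/* Two-step read; memcpy stands in for bpf_probe_read_user. Both offsets are
 * byte offsets, and step 2 starts from the pointer value loaded in step 1. */
int read_fd(const void *ssl, size_t wbio_off, size_t num_off) {
    const char *bio = NULL;
    int fd = -1;
    memcpy(&bio, (const char *)ssl + wbio_off, sizeof(bio));  /* 1: ssl->wbio */
    if (bio == NULL) return -1;   /* NULL: the offset landed on another field */
    memcpy(&fd, bio + num_off, sizeof(fd));                   /* 2: wbio->num */
    return fd;
}

/* Constructed sample: a 3.2-style connection whose wbio wraps fd 7. */
int demo(size_t wbio_off) {
    struct mock_bio bio = { .num = 7 };
    struct new_ssl_connection_st sc = { .wbio = &bio };
    return read_fd(&sc, wbio_off, BIO_NUM_OFF);
}
int main(void) { return demo(NEW_WBIO_OFF) == 7 ? 0 : 1; }
```

On the 3.2-style object the pre-3.2 offset lands on `method` rather than `wbio`, so `demo(OLD_WBIO_OFF)` returns -1 while `demo(NEW_WBIO_OFF)` returns 7.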

OpenSSL 3.2 is a recently released version, quite new. As you mentioned, there are changes in the structure of the data. It requires eCapture adaptation. I will provide support for it soon.

openssl 3.2.x does have a particularly big change, and I need to find a suitable HOOK function again, and I need to take some time.

However, I started by supporting the 3.1.x version of the openssl library.

In OpenSSL 3.2.x, if the structure of the bio has changed, the text mode of eCapture will still work normally. However, the keylog and pcapng modes really don't work.

Support for OpenSSL 3.2.0 has been completed, please try the new version v0.7.3.