gojue/ecapture

SSL_in_before hook point: symbol not found on a system with openssl 1.0.2k

Closed this issue · 4 comments

Describe the bug
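The 0.76 release downloaded from the official site cannot run on kernel 4.19.91 with openssl 1.0.2k; it reports that the symbol SSL_in_before cannot be found. After I switched to 1.1.1, it worked normally.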

To Reproduce
openssl 1.0.2k
kernel: 4.19.91( non btf) x86_64 (( Linux wave-test-arm 4.19.91-27.7.al7.x86_64 #1 SMP Wed Oct 25 17:46:42 CST 2023 x86_64 x86_64 x86_64 GNU/Linux ))
ecapture release version: 0.76

Screenshots
../soft/ecapture --libssl /usr/lib64/libssl.so tls -m pcap
2024/04/12 17:20:09 Your environment is like a container. We won't be able to detect the BTF configuration.
tls_2024/04/12 17:20:09 ECAPTURE :: ecapture Version : linux_x86_64:v0.7.6:5.15.0-1059-azure
tls_2024/04/12 17:20:09 ECAPTURE :: Pid Info : 23473
tls_2024/04/12 17:20:09 ECAPTURE :: Kernel Info : 4.19.91
2024/04/12 17:20:09 read keylogger :ld.so.conf.d/*.conf error .
2024/04/12 17:20:09 read keylogger :ld.so.conf.d/*.conf error .
2024/04/12 17:20:09 read keylogger :ld.so.conf.d/*.conf error .
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL module initialization
tls_2024/04/12 17:20:09 ECAPTURE :: Module.Run()
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL Pcapng MODEL
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL origin version:OpenSSL 1.0.2k, as key:openssl 1.0.2k
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL HOOK type: 2, binrayPath: /usr/lib64/libssl.so
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL PcapFilter:
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL Ifname: eth0, Ifindex: 2
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL Hook masterKey function: [SSL_get_wbio SSL_in_before SSL_do_handshake]
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL BPF bytecode filename:user/bytecode/openssl_1_0_2a_kern_less52.o
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL saving pcapng file: /root/ecapture/save.pcapng
tls_2024/04/12 17:20:09 EBPFProbeOPENSSL module run failed, [skip it]. error:couldn't start bootstrap manager error:2 errors occurred:
* error:opening uprobe: symbol SSL_in_before: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_in_before, EbpfFuncName:probe_ssl_master_key}
* error:opening uprobe: invalid program: bad file descriptor , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_do_handshake, EbpfFuncName:probe_ssl_master_key}

, probes activation validation failed .
tls_2024/04/12 17:20:09 ECAPTURE :: No runnable modules, Exit(1)

Additional context

Looking at the openssl 1.0.2k source, SSL_in_before is a macro there, unlike in 1.1.1, where it is a function.
(Screenshots: 1.0.2k source; 1.1.1w source.)

Do you know in which version it was changed from a macro to a function?

It looks like it was changed to a function starting with 1.1.0
openssl/openssl@49ae742

Thanks, confirmed it is OK now.
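
An added example, not part of the original issue or of ecapture's own code: a pre-flight check that reads a library's dynamic symbol table with Go's `debug/elf` and reports which hook symbols are not exported, which is the situation for `SSL_in_before` on 1.0.2k, where it is a macro. The function names `exportedFuncs` and `missingHooks` are hypothetical; the library path and hook list are taken from the command and log in this issue.

```go
package main

import (
	"debug/elf"
	"log"
)

// exportedFuncs returns the functions defined in the ELF dynamic symbol table.
// A C macro is expanded at compile time and never appears there.
func exportedFuncs(path string) (map[string]bool, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.DynamicSymbols()
	if err != nil {
		return nil, err
	}
	out := map[string]bool{}
	for _, s := range syms {
		// Skip imports (SHN_UNDEF) and non-function symbols.
		if elf.ST_TYPE(s.Info) == elf.STT_FUNC && s.Section != elf.SHN_UNDEF {
			out[s.Name] = true
		}
	}
	return out, nil
}

// missingHooks lists the wanted hook symbols that the library does not export.
func missingHooks(exported map[string]bool, hooks []string) []string {
	var missing []string
	for _, h := range hooks {
		if !exported[h] {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Library path from the ecapture command line shown in this issue.
	exported, err := exportedFuncs("/usr/lib64/libssl.so")
	if err != nil {
		log.Fatal(err)
	}
	// Hook names from the "Hook masterKey function" log line in this issue.
	hooks := []string{"SSL_get_wbio", "SSL_in_before", "SSL_do_handshake"}
	log.Printf("not exported, cannot uprobe: %v", missingHooks(exported, hooks))
}
```

An empty list means every hook name resolves to an exported function; any name listed would fail at uprobe attach time with a "symbol not found" error like the one in the log.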