From 93cfff4c55a9da5b85321b07d2281b5c7c666dfd Mon Sep 17 00:00:00 2001
From: yuweizzz
Date: Sun, 13 Oct 2024 19:00:21 +0800
Subject: [PATCH] fix: SSLDataEvent's fd is 0 Error (#642)

* fix: #642 , support OpenSSL/boringssl BIO type
---
 kern/boringssl_a_13_kern.c | 6 +++
 kern/boringssl_a_14_kern.c | 6 +++
 kern/boringssl_na_kern.c | 6 +++
 kern/openssl.h | 83 +++++++++++++++++++++++++++---------
 kern/openssl_1_0_2a_kern.c | 6 +++
 kern/openssl_1_1_0a_kern.c | 6 +++
 kern/openssl_1_1_1a_kern.c | 6 +++
 kern/openssl_1_1_1b_kern.c | 6 +++
 kern/openssl_1_1_1d_kern.c | 6 +++
 kern/openssl_1_1_1j_kern.c | 6 +++
 kern/openssl_3_0_0_kern.c | 14 ++++-
 kern/openssl_3_1_0_kern.c | 10 ++++-
 kern/openssl_3_2_0_kern.c | 10 ++++-
 kern/openssl_3_2_3_kern.c | 6 +++
 kern/openssl_3_3_0_kern.c | 18 +++++---
 user/event/event_openssl.go | 4 ++
 user/module/probe_openssl.go | 9 +++-
 utils/boringssl-offset.c | 2 +
 utils/openssl_1_0_2_offset.c | 4 +-
 utils/openssl_1_1_0_offset.c | 4 +-
 utils/openssl_1_1_1_offset.c | 4 +-
 utils/openssl_3_0_offset.c | 4 +-
 utils/openssl_3_2_0_offset.c | 2 +
 23 files changed, 189 insertions(+), 39 deletions(-)

diff --git a/kern/boringssl_a_13_kern.c b/kern/boringssl_a_13_kern.c
index e814713b8..6a1b31225 100644
--- a/kern/boringssl_a_13_kern.c
+++ b/kern/boringssl_a_13_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x18
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 
diff --git a/kern/boringssl_a_14_kern.c b/kern/boringssl_a_14_kern.c
index 332cd81ee..4852d774e 100644
--- a/kern/boringssl_a_14_kern.c
+++ b/kern/boringssl_a_14_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x18
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 
diff --git a/kern/boringssl_na_kern.c b/kern/boringssl_na_kern.c
index 81253a796..5e1cbbc32 100644
--- a/kern/boringssl_na_kern.c
+++ b/kern/boringssl_na_kern.c
@@ -31,6 +31,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x20
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x10
 
diff --git a/kern/openssl.h b/kern/openssl.h
index f24022a6d..36ec90435 100644
--- a/kern/openssl.h
+++ b/kern/openssl.h
@@ -22,6 +22,8 @@ enum ssl_data_event_type { kSSLRead, kSSLWrite };
 
 const u32 invalidFD = 0;
+// BIO_TYPE_NONE
+const u32 defaultBioType = 0;
 
 struct ssl_data_event_t {
 enum ssl_data_event_type type;
@@ -33,6 +35,7 @@ struct ssl_data_event_t {
 char comm[TASK_COMM_LEN];
 u32 fd;
 s32 version;
+ u32 bio_type;
 };
 
 struct connect_event_t {
@@ -52,6 +55,7 @@ struct active_ssl_buf {
 */
 s32 version;
 u32 fd;
+ u32 bio_type;
 const char* buf;
 };
 
@@ -128,6 +132,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(
 event->pid = current_pid_tgid >> 32;
 event->tid = current_pid_tgid & kMask32b;
 event->fd = invalidFD;
+ event->bio_type = defaultBioType;
 return event;
 }
 
@@ -138,7 +143,7 @@ static __inline struct ssl_data_event_t* create_ssl_data_event(
 static int process_SSL_data(struct pt_regs* ctx, u64 id,
 enum ssl_data_event_type type, const char* buf,
- u32 fd, s32 version) {
+ u32 fd, s32 version, u32 bio_type) {
 int len = (int)PT_REGS_RC(ctx);
 if (len < 0) {
 return 0;
@@ -151,6 +156,7 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id,
 
 event->type = type;
 event->fd = fd;
+ event->bio_type = bio_type;
 event->version = version;
 // This is a max function, but it is written in such a way to keep older BPF
 // verifiers happy.
@@ -164,6 +170,38 @@ static int process_SSL_data(struct pt_regs* ctx, u64 id,
 return 0;
 }
 
+static u32 process_BIO_type(u64 ssl_bio_addr) {
+ u64 *ssl_bio_method_ptr, *ssl_bio_method_type_ptr;
+ u64 ssl_bio_method_addr;
+ u32 bio_type;
+ int ret;
+
+ // get ssl->bio->method
+ ssl_bio_method_ptr = (u64 *)(ssl_bio_addr + BIO_ST_METHOD);
+ ret = bpf_probe_read_user(&ssl_bio_method_addr, sizeof(ssl_bio_method_addr),
+ ssl_bio_method_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) process_BIO_type: bpf_probe_read ssl_bio_method_ptr failed, ret: %d\n",
+ ret);
+ return defaultBioType;
+ }
+
+ // get ssl->bio->method->type
+ ssl_bio_method_type_ptr = (u64 *)(ssl_bio_method_addr + BIO_METHOD_ST_TYPE);
+ ret = bpf_probe_read_user(&bio_type, sizeof(bio_type),
+ ssl_bio_method_type_ptr);
+ if (ret) {
+ debug_bpf_printk(
+ "(OPENSSL) process_BIO_type: bpf_probe_read ssl_bio_method_type_ptr failed, ret: %d\n",
+ ret);
+ return defaultBioType;
+ }
+
+ debug_bpf_printk("openssl process_BIO_type bio_type: %d\n", bio_type);
+ return bio_type;
+}
+
 /***********************************************************
 * BPF probe function entry-points
 ***********************************************************/
@@ -186,7 +224,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 return 0;
 }
 #endif
- debug_bpf_printk("openssl uprobe/SSL_write pid :%d\n", pid);
+ debug_bpf_printk("openssl uprobe/SSL_write pid: %d\n", pid);
 void* ssl = (void*)PT_REGS_PARM1(ctx);
 // https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/crypto/bio/bio_local.h
@@ -200,7 +238,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 ssl_ver_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret: %d\n",
 ret);
 return 0;
 }
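Review bot: In `process_BIO_type`, `ssl_bio_method_type_ptr` is declared `u64 *` but only a `u32` (`bio_type`) is read through it, with the width coming from `sizeof(bio_type)` rather than the pointer type; declaring it `u32 *ssl_bio_method_type_ptr;` makes the declaration state the width actually read, and the success trace should then use `%u` rather than `%d` in `"openssl process_BIO_type bio_type: %d\n"`. The helper is also the only one in this header without the `static __inline` that `create_ssl_data_event` carries (see the `@@ -128,6 +132,7 @@` hunk); a plain `static` function is presumably fine on the kernels this targets, but aligning it with the rest of the file avoids a verifier surprise on older ones. A one-line header comment would help readers, e.g. `// Returns bio_st->method->type (BIO_TYPE_*) of the BIO at ssl_bio_addr, or defaultBioType when either user-space read fails.`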
@@ -210,23 +248,24 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 ssl_wbio_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret: %d\n",
 ret);
 return 0;
 }
 
+ // get ssl->bio->method->type
+ u32 bio_type = process_BIO_type(ssl_wbio_addr);
+
 // get fd ssl->wbio->num
 ssl_wbio_num_ptr = (u64 *)(ssl_wbio_addr + BIO_ST_NUM);
 ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
 ssl_wbio_num_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret: %d\n",
 ret);
 return 0;
 }
-
- // get fd ssl->wbio->num
 u32 fd = (u32)ssl_wbio_num_addr;
 if (fd == 0) {
 u64 ssl_addr = (u64)ssl;
@@ -236,7 +275,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 } else {
 }
 }
- debug_bpf_printk("openssl uprobe SSL_write FD:%d, version:%d\n", fd, ssl_version);
+ debug_bpf_printk("openssl uprobe/SSL_write fd: %d, version: %d\n", fd, ssl_version);
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
 struct active_ssl_buf active_ssl_buf_t;
@@ -244,6 +283,7 @@ int probe_entry_SSL_write(struct pt_regs* ctx) {
 active_ssl_buf_t.fd = fd;
 active_ssl_buf_t.version = ssl_version;
 active_ssl_buf_t.buf = buf;
+ active_ssl_buf_t.bio_type = bio_type;
 bpf_map_update_elem(&active_ssl_write_args_map, ¤t_pid_tgid,
 &active_ssl_buf_t, BPF_ANY);
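Review bot: The new comment `// get ssl->bio->method->type` above `u32 bio_type = process_BIO_type(ssl_wbio_addr);` names the wrong field: this probe walks the write BIO, so it should read `// get ssl->wbio->method->type`, and the identical comment in the SSL_read hunk at `@@ -322,22 +363,24 @@` should say `rbio`. Note also that `bio_st->num` is still copied into `fd` regardless of the BIO type, so when the BIO is not descriptor-backed the event's `fd` presumably carries whatever `num` means for that BIO and only the user-space consumer can tell the cases apart through `bio_type`; a short comment next to `u32 fd = (u32)ssl_wbio_num_addr;` stating that contract would save the next reader from re-deriving it. The enclosing `probe_entry_SSL_write` starts before and ends after this hunk.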
@@ -266,15 +306,16 @@ int probe_ret_SSL_write(struct pt_regs* ctx) {
 return 0;
 }
 #endif
- debug_bpf_printk("openssl uretprobe/SSL_write pid :%d\n", pid);
+ debug_bpf_printk("openssl uretprobe/SSL_write pid: %d\n", pid);
 struct active_ssl_buf* active_ssl_buf_t =
 bpf_map_lookup_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
 if (active_ssl_buf_t != NULL) {
 const char* buf;
 u32 fd = active_ssl_buf_t->fd;
+ u32 bio_type = active_ssl_buf_t->bio_type;
 s32 version = active_ssl_buf_t->version;
 bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
- process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version);
+ process_SSL_data(ctx, current_pid_tgid, kSSLWrite, buf, fd, version, bio_type);
 }
 bpf_map_delete_elem(&active_ssl_write_args_map, ¤t_pid_tgid);
 return 0;
@@ -288,7 +329,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 u64 current_uid_gid = bpf_get_current_uid_gid();
 u32 uid = current_uid_gid;
- debug_bpf_printk("openssl uprobe/SSL_read pid :%d\n", pid);
+ debug_bpf_printk("openssl uprobe/SSL_read pid: %d\n", pid);
 
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
@@ -312,7 +353,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 ssl_ver_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_ver_ptr failed, ret: %d\n",
 ret);
 return 0;
 }
@@ -322,22 +363,24 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 ssl_rbio_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret: %d\n",
 ret);
 return 0;
 }
 
+ // get ssl->bio->method->type
+ u32 bio_type = process_BIO_type(ssl_rbio_addr);
+
 // get fd ssl->rbio->num
 ssl_rbio_num_ptr = (u64 *)(ssl_rbio_addr + BIO_ST_NUM);
 ret = bpf_probe_read_user(&ssl_rbio_num_addr, sizeof(ssl_rbio_num_addr),
 ssl_rbio_num_ptr);
 if (ret) {
 debug_bpf_printk(
- "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret :%d\n",
+ "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret: %d\n",
 ret);
 return 0;
 }
-
 u32 fd = (u32)ssl_rbio_num_addr;
 if (fd == 0) {
 u64 ssl_addr = (u64)ssl;
@@ -347,7 +390,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 } else {
 }
 }
- debug_bpf_printk("openssl uprobe PID:%d, SSL_read FD:%d\n", pid, fd);
+ debug_bpf_printk("openssl uprobe/SSL_read fd: %d, version: %d\n", fd, ssl_version);
 const char* buf = (const char*)PT_REGS_PARM2(ctx);
 struct active_ssl_buf active_ssl_buf_t;
@@ -355,6 +398,7 @@ int probe_entry_SSL_read(struct pt_regs* ctx) {
 active_ssl_buf_t.fd = fd;
 active_ssl_buf_t.version = ssl_version;
 active_ssl_buf_t.buf = buf;
+ active_ssl_buf_t.bio_type = bio_type;
 bpf_map_update_elem(&active_ssl_read_args_map, ¤t_pid_tgid,
 &active_ssl_buf_t, BPF_ANY);
 return 0;
@@ -366,7 +410,7 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
 u32 pid = current_pid_tgid >> 32;
 u64 current_uid_gid = bpf_get_current_uid_gid();
 u32 uid = current_uid_gid;
- debug_bpf_printk("openssl uretprobe/SSL_read pid :%d\n", pid);
+ debug_bpf_printk("openssl uretprobe/SSL_read pid: %d\n", pid);
 
 #ifndef KERNEL_LESS_5_2
 // if target_ppid is 0 then we target all pids
@@ -383,9 +427,10 @@ int probe_ret_SSL_read(struct pt_regs* ctx) {
 if (active_ssl_buf_t != NULL) {
 const char* buf;
 u32 fd = active_ssl_buf_t->fd;
+ u32 bio_type = active_ssl_buf_t->bio_type;
 s32 version = active_ssl_buf_t->version;
 bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf);
- process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version);
+ process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version, bio_type);
 }
 bpf_map_delete_elem(&active_ssl_read_args_map, ¤t_pid_tgid);
 return 0;
@@ -454,6 +499,6 @@ int probe_SSL_set_fd(struct pt_regs* ctx) {
 u64 ssl_addr = (u64)PT_REGS_PARM1(ctx);
 u64 fd = (u64)PT_REGS_PARM2(ctx);
 bpf_map_update_elem(&ssl_st_fd, &ssl_addr, &fd, BPF_ANY);
- debug_bpf_printk("SSL_set_fd hook!!, ssl_addr:%d, fd:%d\n", ssl_addr, fd);
+ debug_bpf_printk("SSL_set_fd hook!!, ssl_addr: %d, fd: %d\n", ssl_addr, fd);
 return 0;
 }
diff --git a/kern/openssl_1_0_2a_kern.c b/kern/openssl_1_0_2a_kern.c
index 04631e3d5..aa8f9e010 100644
--- a/kern/openssl_1_0_2a_kern.c
+++ b/kern/openssl_1_0_2a_kern.c
@@ -40,6 +40,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x28
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // openssl 1.0.2 does not support TLS 1.3, set 0 default
 #define SSL_ST_HANDSHAKE_SECRET 0
 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0
diff --git a/kern/openssl_1_1_0a_kern.c b/kern/openssl_1_1_0a_kern.c
index a515bd12a..698571e68 100644
--- a/kern/openssl_1_1_0a_kern.c
+++ b/kern/openssl_1_1_0a_kern.c
@@ -40,6 +40,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x28
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // openssl 1.1.0 does not support TLS 1.3, set 0 default
 #define SSL_ST_HANDSHAKE_SECRET 0
 #define SSL_ST_HANDSHAKE_TRAFFIC_HASH 0
diff --git a/kern/openssl_1_1_1a_kern.c b/kern/openssl_1_1_1a_kern.c
index 19d415b0d..77e3e2618 100644
--- a/kern/openssl_1_1_1a_kern.c
+++ b/kern/openssl_1_1_1a_kern.c
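Review bot: In the `probe_SSL_set_fd` hunk, `debug_bpf_printk("SSL_set_fd hook!!, ssl_addr: %d, fd: %d\n", ssl_addr, fd);` formats two `u64` values with `%d`, so `ssl_addr` is printed as a truncated signed 32-bit value and cannot be matched against the key just stored in `ssl_st_fd`, and a large fd would be misprinted too. Since the line is being rewritten anyway, use 64-bit conversions: `debug_bpf_printk("SSL_set_fd hook!!, ssl_addr: %llx, fd: %llu\n", ssl_addr, fd);`. The same `%d`-for-unsigned pattern is used for `fd` in the SSL_read/SSL_write traces elsewhere in this file, but those are `u32` and only mis-sign, so this is the one that loses information.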
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 
diff --git a/kern/openssl_1_1_1b_kern.c b/kern/openssl_1_1_1b_kern.c
index 8f78bebf5..2a6991a89 100644
--- a/kern/openssl_1_1_1b_kern.c
+++ b/kern/openssl_1_1_1b_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 
diff --git a/kern/openssl_1_1_1d_kern.c b/kern/openssl_1_1_1d_kern.c
index b5c55286b..cf3669dc7 100644
--- a/kern/openssl_1_1_1d_kern.c
+++ b/kern/openssl_1_1_1d_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 
diff --git a/kern/openssl_1_1_1j_kern.c b/kern/openssl_1_1_1j_kern.c
index 9d3869b56..a9659cbba 100644
--- a/kern/openssl_1_1_1j_kern.c
+++ b/kern/openssl_1_1_1j_kern.c
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x30
 
+// bio_st->method
+#define BIO_ST_METHOD 0x0
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey.h"
 
diff --git a/kern/openssl_3_0_0_kern.c b/kern/openssl_3_0_0_kern.c
index cda9e1377..aa46ba45f 100644
--- a/kern/openssl_3_0_0_kern.c
+++ b/kern/openssl_3_0_0_kern.c
@@ -1,8 +1,8 @@
-#ifndef ECAPTURE_OPENSSL_3_0_6_KERN_H
-#define ECAPTURE_OPENSSL_3_0_6_KERN_H
+#ifndef ECAPTURE_OPENSSL_3_0_0_KERN_H
+#define ECAPTURE_OPENSSL_3_0_0_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 3.1.6 4 Jun 2024 */
-/* OPENSSL_VERSION_NUMBER: 806355040 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 3.0.9 30 May 2023 */
+/* OPENSSL_VERSION_NUMBER: 805306512 */
 
 // ssl_st->version
 #define SSL_ST_VERSION 0x0
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x38
 
+// bio_st->method
+#define BIO_ST_METHOD 0x8
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey_3.0.h"
 
diff --git a/kern/openssl_3_1_0_kern.c b/kern/openssl_3_1_0_kern.c
index 04fa61261..a266b6993 100644
--- a/kern/openssl_3_1_0_kern.c
+++ b/kern/openssl_3_1_0_kern.c
@@ -1,8 +1,8 @@
 #ifndef ECAPTURE_OPENSSL_3_0_0_KERN_H
 #define ECAPTURE_OPENSSL_3_0_0_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 3.1.5 30 Jan 2024 */
-/* OPENSSL_VERSION_NUMBER: 806355024 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 3.1.7 3 Sep 2024 */
+/* OPENSSL_VERSION_NUMBER: 806355056 */
 
 // ssl_st->version
 #define SSL_ST_VERSION 0x0
@@ -55,6 +55,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x38
 
+// bio_st->method
+#define BIO_ST_METHOD 0x8
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 #include "openssl.h"
 #include "openssl_masterkey_3.0.h"
 
diff --git a/kern/openssl_3_2_0_kern.c b/kern/openssl_3_2_0_kern.c
index 8390179a9..e85112b7d 100644
--- a/kern/openssl_3_2_0_kern.c
+++ b/kern/openssl_3_2_0_kern.c
@@ -1,5 +1,5 @@
-#ifndef ECAPTURE_OPENSSL_3_2_2_KERN_H
-#define ECAPTURE_OPENSSL_3_2_2_KERN_H
+#ifndef ECAPTURE_OPENSSL_3_2_0_KERN_H
+#define ECAPTURE_OPENSSL_3_2_0_KERN_H
 
 /* OPENSSL_VERSION_TEXT: OpenSSL 3.2.2 4 Jun 2024 */
 /* OPENSSL_VERSION_NUMBER: 807403552 */
@@ -58,6 +58,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x38
 
+// bio_st->method
+#define BIO_ST_METHOD 0x8
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // quic_conn_st->tls
 #define QUIC_CONN_ST_TLS 0x40
 
diff --git a/kern/openssl_3_2_3_kern.c b/kern/openssl_3_2_3_kern.c
index 31dc8268d..f05e9c04b 100644
--- a/kern/openssl_3_2_3_kern.c
+++ b/kern/openssl_3_2_3_kern.c
@@ -58,6 +58,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x38
 
+// bio_st->method
+#define BIO_ST_METHOD 0x8
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // quic_conn_st->tls
 #define QUIC_CONN_ST_TLS 0x40
 
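Review bot: The include-guard cleanup is incomplete: the first hunk of kern/openssl_3_1_0_kern.c still carries `ECAPTURE_OPENSSL_3_0_0_KERN_H` in its context lines, which is now the same guard the renamed kern/openssl_3_0_0_kern.c uses, and the kern/openssl_3_3_0_kern.c hunk in the next file section renames its guard to `ECAPTURE_OPENSSL_3_2_0_KERN_H`, identical to kern/openssl_3_2_0_kern.c's new guard. Assuming each of these files is compiled into its own BPF object, the duplicates are harmless today, but they defeat the point of the rename and would bite the first time two of them are ever included together; use `ECAPTURE_OPENSSL_3_1_0_KERN_H` and `ECAPTURE_OPENSSL_3_3_0_KERN_H` respectively. The `SSL_SESSION_ST_CIPHER`/`SSL_SESSION_ST_CIPHER_ID` offset changes in the 3_3_0 file are unrelated to the BIO-type fix and, going by the version comment, presumably come from regenerating offsets against 3.3.2; a sentence in the commit message saying so would help anyone bisecting later.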
diff --git a/kern/openssl_3_3_0_kern.c b/kern/openssl_3_3_0_kern.c
index 8390179a9..7787b4853 100644
--- a/kern/openssl_3_3_0_kern.c
+++ b/kern/openssl_3_3_0_kern.c
@@ -1,8 +1,8 @@
-#ifndef ECAPTURE_OPENSSL_3_2_2_KERN_H
-#define ECAPTURE_OPENSSL_3_2_2_KERN_H
+#ifndef ECAPTURE_OPENSSL_3_2_0_KERN_H
+#define ECAPTURE_OPENSSL_3_2_0_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 3.2.2 4 Jun 2024 */
-/* OPENSSL_VERSION_NUMBER: 807403552 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 3.3.2 3 Sep 2024 */
+/* OPENSSL_VERSION_NUMBER: 808452128 */
 
 // ssl_st->type
 #define SSL_ST_TYPE 0x0
@@ -32,10 +32,10 @@
 #define SSL_CONNECTION_ST_S3_CLIENT_RANDOM 0x140
 
 // ssl_session_st->cipher
-#define SSL_SESSION_ST_CIPHER 0x300
+#define SSL_SESSION_ST_CIPHER 0x2f8
 
 // ssl_session_st->cipher_id
-#define SSL_SESSION_ST_CIPHER_ID 0x308
+#define SSL_SESSION_ST_CIPHER_ID 0x300
 
 // ssl_cipher_st->id
 #define SSL_CIPHER_ST_ID 0x18
@@ -58,6 +58,12 @@
 // bio_st->num
 #define BIO_ST_NUM 0x38
 
+// bio_st->method
+#define BIO_ST_METHOD 0x8
+
+// bio_method_st->type
+#define BIO_METHOD_ST_TYPE 0x0
+
 // quic_conn_st->tls
 #define QUIC_CONN_ST_TLS 0x40
 
diff --git a/user/event/event_openssl.go b/user/event/event_openssl.go
index e407fc731..9e80cda6c 100644
--- a/user/event/event_openssl.go
+++ b/user/event/event_openssl.go
@@ -80,6 +80,7 @@ type SSLDataEvent struct {
 Fd uint32 `json:"fd"`
 Version int32 `json:"version"`
 Addr string
+ BioType uint32
 }
 
 func (se *SSLDataEvent) Decode(payload []byte) (err error) {
@@ -111,6 +112,9 @@ func (se *SSLDataEvent) Decode(payload []byte) (err error) {
 if err = binary.Read(buf, binary.LittleEndian, &se.Version); err != nil {
 return
 }
+ if err = binary.Read(buf, binary.LittleEndian, &se.BioType); err != nil {
+ return
+ }
 
 decodedKtime, err := DecodeKtime(int64(se.Timestamp), true)
 if err == nil {
diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go
index cba00b073..b4adc4507 100644
--- a/user/module/probe_openssl.go
+++ b/user/module/probe_openssl.go
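Review bot: In the user/event/event_openssl.go section, `BioType uint32` is added to `SSLDataEvent` without the `json` struct tag its siblings `Fd` and `Version` carry, so if the event is ever marshalled with encoding/json this field would appear as `BioType` while the others are snake_case; give it the tag `json:"bio_type"`, which also matches the `bio_type` key the Debug log in probe_openssl.go uses. The new `binary.Read` of `se.BioType` directly after `se.Version` does match the field order the commit adds to `struct ssl_data_event_t` (`u32 bio_type` right after `s32 version`), so the decoder stays in sync; any other consumer of that struct layout outside this diff, if one exists, would need the same 4-byte shift. `Decode` starts before this hunk and continues past it.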
@@ -41,6 +41,10 @@ import (
 const (
 ConnNotFound = "[ADDR_NOT_FOUND]"
 DefaultAddr = "0.0.0.0"
+ // OpenSSL the classes of BIOs
+ // https://github.com/openssl/openssl/blob/openssl-3.0.0/include/openssl/bio.h.in
+ BIO_TYPE_DESCRIPTOR = 0x0100
+ BIO_TYPE_SOURCE_SINK = 0x0400
 )
 
 type Tls13MasterSecret struct {
@@ -648,12 +652,13 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) {
 }
 
 func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) {
- if eventStruct.Fd <= 0 {
+ // BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR = 0x0400|0x0100 = 1280
+ if eventStruct.Fd <= 0 && eventStruct.BioType > BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR {
 m.logger.Error().Uint32("pid", eventStruct.Pid).Uint32("fd", eventStruct.Fd).Str("address", eventStruct.Addr).Msg("SSLDataEvent's fd is 0")
 //return
 }
 addr := m.GetConn(eventStruct.Pid, eventStruct.Fd)
- m.logger.Debug().Uint32("pid", eventStruct.Pid).Uint32("fd", eventStruct.Fd).Str("address", addr).Msg("SSLDataEvent")
+ m.logger.Debug().Uint32("pid", eventStruct.Pid).Uint32("bio_type", eventStruct.BioType).Uint32("fd", eventStruct.Fd).Str("address", addr).Msg("SSLDataEvent")
 if addr == ConnNotFound {
 eventStruct.Addr = DefaultAddr
 } else {
diff --git a/utils/boringssl-offset.c b/utils/boringssl-offset.c
index d2dcbedc1..4367ef847 100644
--- a/utils/boringssl-offset.c
+++ b/utils/boringssl-offset.c
@@ -30,6 +30,8 @@
 X(ssl_session_st, secret) \
 X(ssl_session_st, cipher) \
 X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type) \
 X(ssl_cipher_st, id) \
 X(bssl::SSL3_STATE, hs) \
 X(bssl::SSL3_STATE, client_random) \
diff --git a/utils/openssl_1_0_2_offset.c b/utils/openssl_1_0_2_offset.c
index 2eb2158d4..0bc242983 100644
--- a/utils/openssl_1_0_2_offset.c
+++ b/utils/openssl_1_0_2_offset.c
@@ -16,7 +16,9 @@
 X(ssl_session_st, cipher) \
 X(ssl_session_st, cipher_id) \
 X(ssl_cipher_st, id) \
- X(bio_st, num)
+ X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type)
 
 void toUpper(char *s) {
 int i = 0;
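Review bot: In `dumpSslData`, `eventStruct.BioType > BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR` tests a bit-flag class with a magnitude comparison; per the bio.h.in the constants are taken from, a BIO type is a small index OR-ed with class bits, so the intended "descriptor-backed source/sink" test is `eventStruct.BioType&(BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR) == BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR` (Go binds `&` and `|` tighter than `==`, so no further parentheses are needed). The `>` form happens to hold for the standard type values because both class bits lie above every index, but it reads as a size check and the comment `// ... = 0x0400|0x0100 = 1280` cements that reading; the mask form needs no numeric comment. `eventStruct.Fd <= 0` on a `uint32` is simply `eventStruct.Fd == 0` and staticcheck will flag it, and since `//return` stays commented out the condition still only controls the Error log, which is worth stating in the commit message if that is intentional.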
diff --git a/utils/openssl_1_1_0_offset.c b/utils/openssl_1_1_0_offset.c
index 555bb07c8..4a83535a6 100644
--- a/utils/openssl_1_1_0_offset.c
+++ b/utils/openssl_1_1_0_offset.c
@@ -17,7 +17,9 @@
 X(ssl_session_st, cipher) \
 X(ssl_session_st, cipher_id) \
 X(ssl_cipher_st, id) \
- X(bio_st, num)
+ X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type)
 
 void toUpper(char *s) {
 int i = 0;
diff --git a/utils/openssl_1_1_1_offset.c b/utils/openssl_1_1_1_offset.c
index 3004b6c35..8c1bab004 100644
--- a/utils/openssl_1_1_1_offset.c
+++ b/utils/openssl_1_1_1_offset.c
@@ -32,7 +32,9 @@
 X(ssl_st, client_app_traffic_secret) \
 X(ssl_st, server_app_traffic_secret) \
 X(ssl_st, exporter_master_secret) \
- X(bio_st, num)
+ X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type)
 
 void toUpper(char *s) {
 int i = 0;
diff --git a/utils/openssl_3_0_offset.c b/utils/openssl_3_0_offset.c
index 8d9610ffc..5827aab87 100644
--- a/utils/openssl_3_0_offset.c
+++ b/utils/openssl_3_0_offset.c
@@ -22,7 +22,9 @@
 X(ssl_st, client_app_traffic_secret) \
 X(ssl_st, server_app_traffic_secret) \
 X(ssl_st, exporter_master_secret) \
- X(bio_st, num)
+ X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type)
 
 void toUpper(char *s) {
 int i = 0;
diff --git a/utils/openssl_3_2_0_offset.c b/utils/openssl_3_2_0_offset.c
index df3b27d93..3e44b864a 100644
--- a/utils/openssl_3_2_0_offset.c
+++ b/utils/openssl_3_2_0_offset.c
@@ -24,6 +24,8 @@
 X(ssl_connection_st, server_app_traffic_secret) \
 X(ssl_connection_st, exporter_master_secret) \
 X(bio_st, num) \
+ X(bio_st, method) \
+ X(bio_method_st, type) \
 X(quic_conn_st, tls)
 
 void toUpper(char *s) {