kern : get correct master secrets while used TLS 1.3 in android borin…

…gssl . fixes (#283) Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
gojue · Jan 5, 2023 · 80f0dbc · 80f0dbc
1 parent cbc300c
commit 80f0dbc
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 42 deletions.
diff --git a/kern/boringssl_1_1_1_kern.c b/kern/boringssl_1_1_1_kern.c
@@ -13,12 +13,12 @@
 // ssl_st->s3
 #define SSL_ST_S3 0x30
 
-// ssl_session_st->secret
-#define SSL_SESSION_ST_SECRET 0x10
-
 // ssl_session_st->secret_length
 #define SSL_SESSION_ST_SECRET_LENGTH 0xc
 
+// ssl_session_st->secret
+#define SSL_SESSION_ST_SECRET 0x10
+
 // ssl_session_st->cipher
 #define SSL_SESSION_ST_CIPHER 0xd0
 

diff --git a/kern/boringssl_masterkey.h b/kern/boringssl_masterkey.h
@@ -111,10 +111,9 @@ static __always_inline struct mastersecret_bssl_t *make_event() {
     return bpf_map_lookup_elem(&bpf_context, &id);
 }
 
-// in boringssl, the master secret is stored in src/ssl/ssl_session.cc
-// SSL_SESSION *SSL_get_session(const SSL *ssl)
-// ssl_handshake_session
-static __always_inline u64 get_session_addr(void *ssl_st_ptr, u64 s3_address, u64 *ssl_hs_st_ptr) {
+// in boringssl, the master secret is stored in src/ssl/handshake.cc  581
+// const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
+static __always_inline u64 get_session_addr(void *ssl_st_ptr, u64 s3_address, u64 ssl_hs_st_ptr) {
     u64 tmp_address;
     int ret;
 
@@ -283,17 +282,22 @@ int probe_ssl_master_key(struct pt_regs *ctx) {
             ret, ssl_hs_st_addr);
         return 0;
     }
-    debug_bpf_printk("SSL_HANDSHAKE_ALLBOOL:%d, ssl_hs_st_ptr:%lx\n", all_bool,
+    debug_bpf_printk("SSL_HANDSHAKE_ALLBOOL:%d, ssl_hs_st_addr:%lx\n", all_bool,
                      ssl_hs_st_addr);
-    // 是否为 state_done
 
     ///////////////////////// get TLS 1.2 master secret ////////////////////
     if (mastersecret->version != TLS1_3_VERSION) {
+        // state12_finish_server_handshake
+        // state12_done
+        if (ssl3_hs_state.state  < 20) {
+            // not finished yet.
+            return 0;
+        }
         // Get ssl_session_st pointer
         u64 ssl_session_st_addr;
-        ssl_session_st_addr = get_session_addr(ssl_st_ptr, s3_address, ssl_hs_st_ptr);
+        ssl_session_st_addr = get_session_addr(ssl_st_ptr, s3_address, ssl_hs_st_addr);
         if (ssl_session_st_addr == 0) {
-            debug_bpf_printk("ssl_session_st_addr is null\n");
+//            debug_bpf_printk("ssl_session_st_addr is null\n");
             return 0;
         }
         debug_bpf_printk("s3_address:%llx, ssl_session_st_addr addr :%llx\n",

diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go
@@ -613,29 +613,31 @@ func (this *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretB
 	var b *bytes.Buffer
 	switch secretEvent.Version {
 	case event.TLS1_2_VERSION:
-		b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelTLS12, secretEvent.ClientRandom, secretEvent.Secret))
+		if this.bSSLEvent12NullSecrets(secretEvent) {
+			return
+		}
+		var length = int(secretEvent.HashLen)
+		b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelTLS12, secretEvent.ClientRandom, secretEvent.Secret[:length]))
 		this.masterKeys[k] = true
 	case event.TLS1_3_VERSION:
 		fallthrough
 	default:
 		var length int
 		length = int(secretEvent.HashLen)
 		// 判断 密钥是否为空
-		if this.verifyBSSLEvent(secretEvent) == false {
-			//this.logger.Printf("secretEvent is null.")
+		if this.bSSLEvent13NullSecrets(secretEvent) {
 			return
 		}
 		this.masterKeys[k] = true
-		this.logger.Printf("secretEvent.HashLen:%d, CipherId:%d", secretEvent.HashLen, secretEvent.HashLen)
+		//this.logger.Printf("secretEvent.HashLen:%d, CipherId:%d", secretEvent.HashLen, secretEvent.HashLen)
 		b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientHandshake, secretEvent.ClientRandom, secretEvent.ClientHandshakeSecret[:length]))
-		b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientEarlyTafficSecret, secretEvent.ClientRandom, secretEvent.EarlyTrafficSecret[:length]))
+		//b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientEarlyTafficSecret, secretEvent.ClientRandom, secretEvent.EarlyTrafficSecret[:length]))
 		b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientTraffic, secretEvent.ClientRandom, secretEvent.ClientTrafficSecret0[:length]))
 		b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelServerHandshake, secretEvent.ClientRandom, secretEvent.ServerHandshakeSecret[:length]))
 		b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelServerTraffic, secretEvent.ClientRandom, secretEvent.ServerTrafficSecret0[:length]))
 		b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelExporterSecret, secretEvent.ClientRandom, secretEvent.ExporterSecret[:length]))
-
-		//b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelTLS12, secretEvent.ClientRandom, secretEvent.Secret))
 	}
+
 	v := event.TlsVersion{Version: secretEvent.Version}
 	l, e := this.keylogger.WriteString(b.String())
 	if e != nil {
@@ -656,47 +658,53 @@ func (this *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretB
 		this.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l)
 	}
 }
-func (this *MOpenSSLProbe) verifyBSSLEvent(e *event.MasterSecretBSSLEvent) bool {
-	var isNUllCount = 0
 
+func (this *MOpenSSLProbe) bSSLEvent12NullSecrets(e *event.MasterSecretBSSLEvent) bool {
+	var isNull = true
 	var hashLen = int(e.HashLen)
 	for i := 0; i < hashLen; i++ {
-		if e.ClientHandshakeSecret[i] != 0 {
-			isNUllCount += 1
+		if e.Secret[i] != 0 {
+			isNull = false
 			break
 		}
 	}
+	return isNull
+}
+
+func (this *MOpenSSLProbe) bSSLEvent13NullSecrets(e *event.MasterSecretBSSLEvent) bool {
+	var isNUllCount = 5
 
+	var hashLen = int(e.HashLen)
+	var chsChecked, ctsChecked, shsChecked, stsChecked, esChecked bool
 	for i := 0; i < hashLen; i++ {
-		if e.ClientTrafficSecret0[i] != 0 {
-			isNUllCount += 1
-			break
+		if !chsChecked && e.ClientHandshakeSecret[i] != 0 {
+			isNUllCount -= 1
+			chsChecked = true
 		}
-	}
 
-	for i := 0; i < hashLen; i++ {
-		if e.ServerHandshakeSecret[i] != 0 {
-			isNUllCount += 1
-			break
+		if !ctsChecked && e.ClientTrafficSecret0[i] != 0 {
+			isNUllCount -= 1
+			ctsChecked = true
 		}
-	}
 
-	for i := 0; i < hashLen; i++ {
-		if e.ServerTrafficSecret0[i] != 0 {
-			isNUllCount += 1
-			break
+		if !shsChecked && e.ServerHandshakeSecret[i] != 0 {
+			isNUllCount -= 1
+			shsChecked = true
 		}
-	}
 
-	for i := 0; i < hashLen; i++ {
-		if e.ExporterSecret[i] != 0 {
-			isNUllCount += 1
-			break
+		if !stsChecked && e.ServerTrafficSecret0[i] != 0 {
+			isNUllCount -= 1
+			stsChecked = true
 		}
-	}
 
-	return isNUllCount == 5
+		if !esChecked && e.ExporterSecret[i] != 0 {
+			isNUllCount -= 1
+			esChecked = true
+		}
+	}
+	return isNUllCount != 0
 }
+
 func (this *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) {
 	// detect eventStruct type
 	switch eventStruct.(type) {