-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: SSLDataEvent's fd is 0 Error #642
Conversation
if we get corret fd value, means we are not in BIO mode.
|
If the value of fd is 0, can it be determined that it definitely isn't BIO mode? Additionally, from the solution you've fixed, if fd is zero, then this result should be disregarded. By doing so, would it miss any messages? Does this imply that all BIO mode information with an fd of 0 can be ignored and will always be overwritten by new event that is not zero? |
kern/openssl.h
Outdated
s32 version = active_ssl_buf_t->version; | ||
bpf_probe_read(&buf, sizeof(const char*), &active_ssl_buf_t->buf); | ||
process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version); | ||
process_SSL_data(ctx, current_pid_tgid, kSSLRead, buf, fd, version, is_set_fd); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When is_set_fd
is 0
, can the event be discarded within the kernel?
Hi, @cfc4n, I found a new way to determine BIO type, but this is a huge pull request. Now my dev environment is poor; I will finish this after vacation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# define BIO_TYPE_SOCKET ( 5|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR)
# define BIO_TYPE_NULL ( 6|BIO_TYPE_SOURCE_SINK)
# define BIO_TYPE_SSL ( 7|BIO_TYPE_FILTER)
# define BIO_TYPE_MD ( 8|BIO_TYPE_FILTER)
# define BIO_TYPE_BUFFER ( 9|BIO_TYPE_FILTER)
# define BIO_TYPE_CIPHER (10|BIO_TYPE_FILTER)
716c2b5
to
9a98e1f
Compare
user/module/probe_openssl.go
Outdated
@@ -648,12 +648,13 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { | |||
} | |||
|
|||
func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) { | |||
if eventStruct.Fd <= 0 { | |||
// BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR = 0x0400|0x0100 = 1280 | |||
if eventStruct.Fd <= 0 && eventStruct.BioType > 1280 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use constant please.
kern/openssl_3_3_0_kern.c
Outdated
@@ -68,6 +74,6 @@ | |||
#define SSL_ST_RBIO SSL_CONNECTION_ST_RBIO | |||
|
|||
#include "openssl.h" | |||
#include "openssl_masterkey_3.2.h" | |||
#include "openssl_masterkey_3.3.h" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did it change from 3.2 to 3.3?
As mentioned in
ecapture/utils/openssl_offset_3.3.sh
Line 24 in 7fc3da9
# openssl 3.3.* 跟 3.2.* 的offset一致。 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will check it again, maybe it was changed by utils srcipt.
kern/openssl.h
Outdated
debug_bpf_printk( | ||
"(OPENSSL) bpf_probe_read ssl_rbio_method_ptr failed, ret: %d\n", | ||
ret); | ||
return 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the method
and type
of the BIO are not required, then I think it is possible to continue with the following process instead of returning 0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
those value didn't take effect in SSL_read/SSL_write, we can just make return 0
to // return 0
.
kern/openssl.h
Outdated
debug_bpf_printk( | ||
"(OPENSSL) bpf_probe_read ssl_wbio_method_ptr failed, ret: %d\n", | ||
ret); | ||
// return 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
如果ssl_wbio_method_addr
获取失败,应该不能是简单的注释return 0
, 下面有使用ssl_wbio_method_addr
,逻辑也会影响到,需要把下面的逻辑放到获取成功的逻辑分支里。 针对BIO相关获取,单独剥离一个函数吧,逻辑清晰,也可以更早return。
@cfc4n , please check again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thanks.
Fixes: #596
this error happend because application use BIO instead of set socket fd into the SSL layers.
the default fd value in SSLDataEvent struct is 0, When application use SSL_set_fd, the error will not happend, we can get corret fd value.
When application use SSL_set_bio, the fd value in SSLDataEvent struct will keep default value.
App Example: