feat: support keylog and pcap mode in gnutls #654
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cfc4n
requested changes
Nov 1, 2024
kern/gnutls_masterkey.h
Outdated
| // Release: Debian 12/ubuntu 23.10/ubuntu 24.04 | ||
|
|
||
| // gnutls_session_int->security_parameters | ||
| #define GNUTLS_SESSION_INT_SECURITY_PARAMETERS 0x0 |
There was a problem hiding this comment.
Do all versions of GNUTLS have the same offset address?
Do we need to determine the version of the class library and select the corresponding bytecode file, just like openssl?
There was a problem hiding this comment.
I not plan to support too much versions of GNUTLS, just the default version which installed in popular Linux distribution, this three version use same offset.
cfc4n
reviewed
Nov 3, 2024
There was a problem hiding this comment.
The results tested on ubuntu 22.04 are not as expected.
Terminal 1
sudo bin/ecapture gnutls -m keylog
2024-11-03T09:45:18Z INF AppName="eCapture(旁观者)"
2024-11-03T09:45:18Z INF HomePage=https://ecapture.cc
2024-11-03T09:45:18Z INF Repository=https://github.com/gojue/ecapture
2024-11-03T09:45:18Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-11-03T09:45:18Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-11-03T09:45:18Z INF Version=linux_arm64:0.8.9-20241031-a995110:5.15.0-121-generic
2024-11-03T09:45:18Z INF Listen=localhost:28256
2024-11-03T09:45:18Z INF eCapture running logs logger=
2024-11-03T09:45:18Z INF the file handler that receives the captured event eventCollector=
2024-11-03T09:45:18Z INF listen=localhost:28256
2024-11-03T09:45:18Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-11-03T09:45:18Z WRN ========== module starting. ==========
2024-11-03T09:45:18Z INF Kernel Info=5.15.163 Pid=10195
2024-11-03T09:45:18Z INF BTF bytecode mode: CORE. btfMode=0
2024-11-03T09:45:18Z INF GnuTlsProbe init eBPFProgramType=KeyLog model=KeyLog
2024-11-03T09:45:18Z INF module initialization. isReload=false moduleName=EBPFProbeGNUTLS
2024-11-03T09:45:18Z INF Module.Run()
2024-11-03T09:45:18Z INF BPF bytecode loaded bytecode filename=user/bytecode/gnutls_kern_core.o
2024-11-03T09:45:18Z INF gnutls binary path binaryPath=/lib/aarch64-linux-gnu/libgnutls.so.30 elfType=2
2024-11-03T09:45:18Z INF target all process.
2024-11-03T09:45:18Z INF perfEventReader created mapSize(MB)=4
2024-11-03T09:45:18Z INF module started successfully. isReload=false moduleName=EBPFProbeGNUTLS
2024-11-03T09:45:21Z INF CLIENT_RANDOM save success ClientRandom=f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a TlsVersion=GNUTLS_TLS1_3
^C2024-11-03T09:45:26Z INF Module closed,message recived from Context
2024-11-03T09:45:26Z INF iModule module close
2024-11-03T09:45:26Z INF bye bye.Terminal 2
Trigger network behavior. On ubuntu 22.04, git uses the libguntls class library.
git pull
Terminal 3
View results
sudo cat ecapture_gnutls_key.og
CLIENT_HANDSHAKE_TRAFFIC_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 0000000000000000000000000000000000000000000000000000000000000000
SERVER_HANDSHAKE_TRAFFIC_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 0000000000000000000000000000000000000000000000000000000000000000
EXPORTER_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a ce902f553705e6e13413a70329d6c089585fe6cf01031a9c0000000000000000
CLIENT_TRAFFIC_SECRET_0 f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 4ae8778b8b84365f4a72cce42f3bfd534a7f3ec1c3cc95b50000000000000000
SERVER_TRAFFIC_SECRET_0 f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 039d90842422683273582d0048013e87b5b830771ba127cb0000000000000000The results of CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET are missing.
Also, the contents of several other keys don't look right, and the last few bytes shouldn't all be 0.
It seems that the offset address is not universal.
cli/cmd/gnutls.go
Outdated
| @@ -35,17 +37,26 @@ ecapture gnutls | |||
| ecapture gnutls --hex --pid=3423 | |||
| ecapture gnutls -l save.log --pid=3423 | |||
| ecapture gnutls --gnutls=/lib/x86_64-linux-gnu/libgnutls.so | |||
| ecapture gnutls -m keylog -k ecapture_gnutls_key.og | |||
There was a problem hiding this comment.
follow the value of openssl part: https://github.com/gojue/ecapture/blob/master/cli/cmd/tls.go#L53
There was a problem hiding this comment.
这可能是一个在将近一年前引入的 typo。因为我尝试关键词 .og file 搜索时看到的大多数内容都与 .ogg 格式相关,而且根据相关上下文推测应该是 .log 而不是 .og。如果选一个合适的后缀的话我会尝试 .keylog.txt。
yes, the gnutls version installed in ubuntu 22.04 is 3.7.3, this offset doesn't support it. |
|
I think it is necessary to automatically identify the version number and select the corresponding offset. At least versions 3.6 and later must be supported. You can read strings from the 
|
I will check this part. |
cfc4n
requested changes
Nov 5, 2024
|
Current only the C file; I will patch it later. |
cfc4n
previously approved these changes
Nov 10, 2024
cfc4n
requested changes
Nov 10, 2024
|
The captured key is sometimes empty, and sometimes the last few bytes are 0, which seems to be a bug. For testing methods, see: #654 (review) sudo cat ecapture_gnutls_key.og
CLIENT_HANDSHAKE_TRAFFIC_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 0000000000000000000000000000000000000000000000000000000000000000
SERVER_HANDSHAKE_TRAFFIC_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 0000000000000000000000000000000000000000000000000000000000000000
EXPORTER_SECRET f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a ce902f553705e6e13413a70329d6c089585fe6cf01031a9c0000000000000000
CLIENT_TRAFFIC_SECRET_0 f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 4ae8778b8b84365f4a72cce42f3bfd534a7f3ec1c3cc95b50000000000000000
SERVER_TRAFFIC_SECRET_0 f5413ff872ec489fa15601f89461d4f5880c4c2dd1993d8fc8f03845a5a8d10a 039d90842422683273582d0048013e87b5b830771ba127cb0000000000000000 |
work good at amd64, need to check out what happened in arm64. Could you try it again in amd64? |
|
it works fine. ubuntu 22.04 amd64sudo bin/ecapture gnutls -m keylog
2024-11-11T23:36:48+08:00 INF AppName="eCapture(旁观者)"
2024-11-11T23:36:48+08:00 INF HomePage=https://ecapture.cc
2024-11-11T23:36:48+08:00 INF Repository=https://github.com/gojue/ecapture
2024-11-11T23:36:48+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-11-11T23:36:48+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-11-11T23:36:48+08:00 INF Version=linux_amd64:0.8.9-20241110-956a95c:5.15.0-122-generic
2024-11-11T23:36:48+08:00 INF Listen=localhost:28256
2024-11-11T23:36:48+08:00 INF eCapture running logs logger=
2024-11-11T23:36:48+08:00 INF the file handler that receives the captured event eventCollector=
2024-11-11T23:36:48+08:00 WRN ========== module starting. ==========
2024-11-11T23:36:48+08:00 INF Kernel Info=5.15.163 Pid=46567
2024-11-11T23:36:48+08:00 INF BTF bytecode mode: CORE. btfMode=0
2024-11-11T23:36:48+08:00 INF GnuTlsProbe init eBPFProgramType=KeyLog model=KeyLog
2024-11-11T23:36:48+08:00 INF module initialization. isReload=false moduleName=EBPFProbeGNUTLS
2024-11-11T23:36:48+08:00 INF Module.Run()
2024-11-11T23:36:48+08:00 INF listen=localhost:28256
2024-11-11T23:36:48+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-11-11T23:36:48+08:00 INF GnuTLS version found Version=3.7.3
2024-11-11T23:36:48+08:00 INF GnuTLS binary path binaryPath=/lib/x86_64-linux-gnu/libgnutls.so.30 elfType=2
2024-11-11T23:36:48+08:00 INF BPF bytecode loaded bytecode filename=user/bytecode/gnutls_3_7_3_kern_core.o
2024-11-11T23:36:48+08:00 INF target all process.
2024-11-11T23:36:49+08:00 INF perfEventReader created mapSize(MB)=4
2024-11-11T23:36:49+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeGNUTLS
2024-11-11T23:36:51+08:00 INF CLIENT_RANDOM save success ClientRandom=8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 TlsVersion=GNUTLS_TLS1_3
^C2024-11-11T23:36:55+08:00 INF Module closed,message recived from Context
2024-11-11T23:36:55+08:00 INF iModule module close
2024-11-11T23:36:55+08:00 INF bye bye.
sudo cat ecapture_gnutls_key.log
CLIENT_HANDSHAKE_TRAFFIC_SECRET 8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 bf861c22ebd3aec93315f7c5aa489485c32d6711e2e371b86511b8dd05b6cec6
SERVER_HANDSHAKE_TRAFFIC_SECRET 8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 f02278d21c02dff1b69e0a6f2d2203d194962ace1c560d1449b512338134f638
EXPORTER_SECRET 8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 dbcb8e86adc748c641649bb213ecdcccc2bc60f009280fa377c75ede4024456e
CLIENT_TRAFFIC_SECRET_0 8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 13eb72395ab0920a58599f6a8d405fbb9215dfebd79d988184815167a61930a5
SERVER_TRAFFIC_SECRET_0 8ddeccf3e6045511b0923a3c5c17d49719ca0f95857b9f38108453f1a0a4da87 d97779ec0972003d1dd1f8ddabc706709c8e4d09c415d5a1d61d81099fe43d89ubuntu 22.04 arm64sudo bin/ecapture gnutls -m keylog
2024-11-11T16:06:35Z INF AppName="eCapture(旁观者)"
2024-11-11T16:06:35Z INF HomePage=https://ecapture.cc
2024-11-11T16:06:35Z INF Repository=https://github.com/gojue/ecapture
2024-11-11T16:06:35Z INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-11-11T16:06:35Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-11-11T16:06:35Z INF Version=linux_arm64:0.8.9-20241110-956a95c:5.15.0-121-generic
2024-11-11T16:06:35Z INF Listen=localhost:28256
2024-11-11T16:06:35Z INF eCapture running logs logger=
2024-11-11T16:06:35Z INF the file handler that receives the captured event eventCollector=
2024-11-11T16:06:35Z WRN ========== module starting. ==========
2024-11-11T16:06:35Z INF listen=localhost:28256
2024-11-11T16:06:35Z INF https server starting...You can update the configuration file via the HTTP interface.
2024-11-11T16:06:35Z INF Kernel Info=5.15.163 Pid=301949
2024-11-11T16:06:35Z INF BTF bytecode mode: CORE. btfMode=0
2024-11-11T16:06:35Z INF GnuTlsProbe init eBPFProgramType=KeyLog model=KeyLog
2024-11-11T16:06:35Z INF module initialization. isReload=false moduleName=EBPFProbeGNUTLS
2024-11-11T16:06:35Z INF Module.Run()
2024-11-11T16:06:35Z INF GnuTLS version found Version=3.7.3
2024-11-11T16:06:35Z INF GnuTLS binary path binaryPath=/lib/aarch64-linux-gnu/libgnutls.so.30 elfType=2
2024-11-11T16:06:35Z INF BPF bytecode loaded bytecode filename=user/bytecode/gnutls_3_7_3_kern_core.o
2024-11-11T16:06:35Z INF target all process.
2024-11-11T16:06:36Z INF perfEventReader created mapSize(MB)=4
2024-11-11T16:06:36Z INF module started successfully. isReload=false moduleName=EBPFProbeGNUTLS
^C2024-11-11T16:06:36Z INF Module closed,message recived from Context
2024-11-11T16:06:36Z INF iModule module close
2024-11-11T16:06:36Z INF bye bye.
sudo cat ecapture_gnutls_key.log
CLIENT_HANDSHAKE_TRAFFIC_SECRET cc85d2387d2a0e7d33d727a32bc1a0cf68af0ed429140c63b87a697068baf70e b87b7ff3a84271e337ac0cddc7f2b37a89ff69b8802d592d3ee25337898a08e3
SERVER_HANDSHAKE_TRAFFIC_SECRET cc85d2387d2a0e7d33d727a32bc1a0cf68af0ed429140c63b87a697068baf70e f1a2e7c68d2767a307525ee7a92e2a60e941ba0be9bcd8da282c98b27308c066
EXPORTER_SECRET cc85d2387d2a0e7d33d727a32bc1a0cf68af0ed429140c63b87a697068baf70e f3c4fe9ad82117b4cde89dcc786ffe78245493944a5685bee2d1176577cb294c
CLIENT_TRAFFIC_SECRET_0 cc85d2387d2a0e7d33d727a32bc1a0cf68af0ed429140c63b87a697068baf70e e0edb7c157da6a2c514ee6177e93c3c3410b8c786449064c273b36bbb22b941b
SERVER_TRAFFIC_SECRET_0 cc85d2387d2a0e7d33d727a32bc1a0cf68af0ed429140c63b87a697068baf70e a8aae6f824f0599219a488dd52a9f13b36b9348e30438aef639213638c78c5a3 |
cfc4n
previously approved these changes
Nov 11, 2024
| function run() { | ||
| git fetch --tags | ||
| cp -f ${PROJECT_ROOT_DIR}/utils/gnutls_offset.c ${GNUTLS_DIR}/offset.c | ||
| main_version="3.8" |
There was a problem hiding this comment.
Why the later 3.8 version? How to generate the offset addresses of 3.6.* and 3.7.*?
There was a problem hiding this comment.
Perhaps, it is reasonable to only support versions after 3.8.* to generate offset addresses.
There was a problem hiding this comment.
need to change main_version and loop condition here to support others version, we can do this locally, 3.8.x is the newest version.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support keylog and pcap mode in gnutls
Supported version: gnutls 3.7.9/3.8.1/3.8.3
Release: Debian 12/ubuntu 23.10/ubuntu 24.04