ecapture
ecapture copied to clipboard
gojue
the handshake State judgment is not completely accurate on boringssl with the branch main-with-bazel
此问题是#552 的后续,背景再叙说一下: 环境: nginx 版本: nginx/1.19.3 boringssl 版本:https://github.com/google/boringssl/branches main-with-bazel commit id: f1c75347daa2ea81a941e953f2263e0a4d970c8d 静态编译到nginx中,并且没有带-g的编译,因此readelf都看不到符号表信息
readelf -s /usr/local/openresty/nginx/sbin/nginx |grep SSL_
179: 0000000000000000 0 NOTYPE WEAK DEFAULT UND OPENSSL_memory_alloc
188: 0000000000000000 0 NOTYPE WEAK DEFAULT UND OPENSSL_memory_get_size
336: 0000000000000000 0 NOTYPE WEAK DEFAULT UND OPENSSL_memory_free
这个时候使用ecapture就会报错:
./ecapture-0606 tls --libssl=/usr/local/openresty/nginx/sbin/nginx --ssl_version="boringssl na" -b 2 -m key
2024-06-06T22:05:00+08:00 INF AppName="eCapture(旁观者)"
2024-06-06T22:05:00+08:00 INF HomePage=https://ecapture.cc
2024-06-06T22:05:00+08:00 INF Repository=https://github.com/gojue/ecapture
2024-06-06T22:05:00+08:00 INF Author="CFC4N <[email protected]>"
2024-06-06T22:05:00+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-06-06T22:05:00+08:00 INF Version=linux_amd64:0.8.2--8e25629:x86_64
2024-06-06T22:05:00+08:00 INF listen=localhost:28256
2024-06-06T22:05:00+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-06-06T22:05:00+08:00 WRN ========== module starting. ==========
2024-06-06T22:05:00+08:00 INF Kernel Info=4.19.132 Pid=36269
2024-06-06T22:05:00+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-06-06T22:05:00+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-06-06T22:05:00+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-06-06T22:05:00+08:00 INF Module.Run()
2024-06-06T22:05:00+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-06-06T22:05:00+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/nginx/sbin/nginx masterHookFuncs=["SSL_in_init"]
2024-06-06T22:05:00+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-06-06T22:05:00+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o
2024-06-06T22:05:00+08:00 FTL module run failed, skip it. error="couldn't start bootstrap manager error:1 error occurred:\n\t* error:opening uprobe: symbol SSL_in_init: not found , isRet:false, opts:&{0 0 0 0 0 }, {UID:uprobe_smk_SSL_in_init, EbpfFuncName:probe_ssl_master_key}\n\n, probes activation validation failed ." isReload=false
静态编译到nginx时带上-g,加上符号表后,
readelf -s /usr/local/openresty/nginx/sbin/nginx |grep SSL_|grep "^.*14 SSL"
17035: 00000000002a2966 144 FUNC LOCAL DEFAULT 14 SSL_get_certificate
17043: 0000000000290281 27 FUNC LOCAL DEFAULT 14 SSL_free
17048: 0000000000295cce 15 FUNC LOCAL DEFAULT 14 SSL_CTX_sess_accept
17115: 00000000002931a8 52 FUNC LOCAL DEFAULT 14 SSL_get_curve_id
17126: 0000000000290f33 297 FUNC LOCAL DEFAULT 14 SSL_write
17151: 00000000002a30a4 43 FUNC LOCAL DEFAULT 14 SSL_clear_chain_certs
17167: 0000000000292156 131 FUNC LOCAL DEFAULT 14 SSL_set_fd
17211: 0000000000291576 136 FUNC LOCAL DEFAULT 14 SSL_set_quic_early_data_c
17215: 0000000000295839 92 FUNC LOCAL DEFAULT 14 SSL_set_retain_only_sha25
17218: 0000000000294bf5 18 FUNC LOCAL DEFAULT 14 SSL_get_info_callback
17260: 000000000029989d 171 FUNC LOCAL DEFAULT 14 SSL_use_RSAPrivateKey_ASN
17275: 0000000000294247 94 FUNC LOCAL DEFAULT 14 SSL_set_tls_channel_id_en
17285: 0000000000295d37 15 FUNC LOCAL DEFAULT 14 SSL_CTX_sess_cache_full
17289: 0000000000296201 34 FUNC LOCAL DEFAULT 14 SSL_CTX_set_tlsext_status
17311: 000000000028b771 384 FUNC LOCAL DEFAULT 14 SSL_CTX_use_PrivateKey_fi
17312: 00000000002a2fe8 107 FUNC LOCAL DEFAULT 14 SSL_add1_chain_cert
17377: 0000000000295f0e 361 FUNC LOCAL DEFAULT 14 SSL_process_tls13_new_ses
17400: 00000000002a70d9 124 FUNC LOCAL DEFAULT 14 SSL_get_key_block_len
17418: 0000000000285adf 62 FUNC LOCAL DEFAULT 14 SSL_CTX_set_signed_cert_t
17454: 00000000002bfdd3 165 FUNC LOCAL DEFAULT 14 SSL_get0_ech_retry_config
17458: 00000000002893d9 17 FUNC LOCAL DEFAULT 14 SSL_CIPHER_get_id
17476: 00000000002a33c0 218 FUNC LOCAL DEFAULT 14 SSL_get0_chain_certs
17477: 00000000002c03e4 201 FUNC LOCAL DEFAULT 14 SSL_ECH_KEYS_has_duplicat
17493: 00000000002902ca 46 FUNC LOCAL DEFAULT 14 SSL_set_accept_state
17531: 00000000002857ee 240 FUNC LOCAL DEFAULT 14 SSL_use_certificate_ASN1
17536: 000000000029e780 46 FUNC LOCAL DEFAULT 14 SSL_SESSION_get0_id_conte
17544: 0000000000295d0a 15 FUNC LOCAL DEFAULT 14 SSL_CTX_sess_cb_hits
17551: 000000000029046c 30 FUNC LOCAL DEFAULT 14 SSL_get_rbio
17554: 0000000000289bbb 17 FUNC LOCAL DEFAULT 14 SSL_CIPHER_get_version
17566: 0000000000289746 317 FUNC LOCAL DEFAULT 14 SSL_CIPHER_get_kx_name
17570: 00000000002858de 63 FUNC LOCAL DEFAULT 14 SSL_CTX_set_cert_cb
17590: 0000000000294c8a 52 FUNC LOCAL DEFAULT 14 SSL_CTX_set_quic_method
17605: 00000000002946ce 175 FUNC LOCAL DEFAULT 14 SSL_get_privatekey
17608: 0000000000292b76 72 FUNC LOCAL DEFAULT 14 SSL_CTX_set_max_send_frag
17634: 0000000000294862 19 FUNC LOCAL DEFAULT 14 SSL_get_server_tmp_key
17680: 00000000002947fe 70 FUNC LOCAL DEFAULT 14 SSL_session_reused
17686: 00000000002931dc 19 FUNC LOCAL DEFAULT 14 SSL_CTX_set_tmp_dh
17687: 000000000029592b 94 FUNC LOCAL DEFAULT 14 SSL_set_permute_extension
17689: 0000000000285ddf 31 FUNC LOCAL DEFAULT 14 SSL_delegated_credential_
17690: 000000000028563e 119 FUNC LOCAL DEFAULT 14 SSL_set_chain_and_key
17722: 000000000029574c 86 FUNC LOCAL DEFAULT 14 SSL_get_client_random
17726: 000000000028f7e5 1800 FUNC LOCAL DEFAULT 14 SSL_new
17747: 00000000002949c5 65 FUNC LOCAL DEFAULT 14 SSL_get_shutdown
17789: 0000000000290722 278 FUNC LOCAL DEFAULT 14 SSL_do_handshake
17790: 0000000000290322 42 FUNC LOCAL DEFAULT 14 SSL_set0_wbio
ecapture就能正常work了
./ecapture-0606 tls --libssl=/usr/local/openresty/nginx/sbin/nginx --ssl_version="boringssl na" -b 2 -m key
2024-06-06T22:10:20+08:00 INF AppName="eCapture(旁观者)"
2024-06-06T22:10:20+08:00 INF HomePage=https://ecapture.cc
2024-06-06T22:10:20+08:00 INF Repository=https://github.com/gojue/ecapture
2024-06-06T22:10:20+08:00 INF Author="CFC4N <[email protected]>"
2024-06-06T22:10:20+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-06-06T22:10:20+08:00 INF Version=linux_amd64:0.8.2--8e25629:x86_64
2024-06-06T22:10:20+08:00 INF listen=localhost:28256
2024-06-06T22:10:20+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-06-06T22:10:20+08:00 WRN ========== module starting. ==========
2024-06-06T22:10:20+08:00 INF Kernel Info=4.19.132 Pid=38162
2024-06-06T22:10:20+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-06-06T22:10:20+08:00 INF master key keylogger has been set. eBPFProgramType=KeyLog keylogger=ecapture_openssl_key.og
2024-06-06T22:10:20+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-06-06T22:10:20+08:00 INF Module.Run()
2024-06-06T22:10:20+08:00 INF OpenSSL/BoringSSL version found sslVersion="boringssl na"
2024-06-06T22:10:20+08:00 INF HOOK type:Openssl elf ElfType=2 binrayPath=/usr/local/openresty/nginx/sbin/nginx masterHookFuncs=["SSL_in_init"]
2024-06-06T22:10:20+08:00 INF setupManagers eBPFProgramType=KeyLog
2024-06-06T22:10:20+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/boringssl_na_kern_noncore_less52.o
2024-06-06T22:10:20+08:00 INF perfEventReader created mapSize(MB)=4
2024-06-06T22:10:20+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
但这里还是有问题:
boringssl_masterkey.h 第299行
if (ssl3_hs_state.state < 20) {
// not finished yet.
return 0;
}
判断握手状态的值 20不太合适,实际上state 等于18时,握手就完成了
<...>-37497 [001] .... 25597082.620129: 0: mastersecret->version :771, client_version:771,
<...>-37497 [001] .... 25597082.620153: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25597082.620153: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25597082.620154: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37497 [001] .... 25597082.620155: 0: mastersecret->version :771, client_version:771,
<...>-37497 [001] .... 25597082.620157: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37497 [001] .... 25597082.620158: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37497 [001] .... 25597082.620159: 0: secret_length:48
<...>-37497 [001] .... 25597082.620160: 0: master_key: 62 e0 2b
<...>-37497 [001] .... 25597082.620174: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25597082.620175: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25597082.620176: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37497 [001] .... 25597082.620177: 0: mastersecret->version :771, client_version:771,
<...>-37497 [001] .... 25597082.620178: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37497 [001] .... 25597082.620179: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37497 [001] .... 25597082.620180: 0: secret_length:48
<...>-37497 [001] .... 25597082.620181: 0: master_key: 62 e0 2b
<...>-37497 [001] .... 25597082.620191: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25597082.620192: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25597082.620193: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37497 [001] .... 25597082.620194: 0: mastersecret->version :771, client_version:771,
<...>-37497 [001] .... 25597082.620195: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37497 [001] .... 25597082.620196: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37497 [001] .... 25597082.620197: 0: secret_length:48
<...>-37497 [001] .... 25597082.620198: 0: master_key: 62 e0 2b
<...>-37497 [001] .... 25597082.620217: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25597082.620218: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25597082.620219: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37497 [001] .... 25597082.620220: 0: mastersecret->version :771, client_version:771,
<...>-37497 [001] .... 25597082.620221: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37497 [001] .... 25597082.620222: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37497 [001] .... 25597082.620223: 0: secret_length:48
<...>-37497 [001] .... 25597082.620224: 0: master_key: 62 e0 2b
所以我这里有2个问题 1) 没有加-g的编译时,也就是没有带上调试信息时,能否也能让ecapture正常work? 2) boringssl 在main-with-bazel 这个分支时 state == 18时就可以正常工作了,这个如何修改适合普适的版本
- He can work normally. However, you need to search for the offer offset of the hooked function, manually enter it into the program, and then compile the program.
https://github.com/gojue/ecapture/blob/4b1c52df6a935886058f08aff3b7acd2e60a872c/user/module/probe_openssl_text.go#L47C3-L52C6
// add Offset
{
Section: "uprobe/SSL_write",
EbpfFuncName: "probe_entry_SSL_write",
AttachToFuncName: "SSL_write",
BinaryPath: binaryPath,
UprobeOffset: 0x1234, // add offset
},
- about
state == 18
判断握手状态的值 20不太合适,实际上state 等于18时,握手就完成了
Can you provide more detailed information?
如果用20时 ,debug的信息是如下:
if (ssl3_hs_state.state < 20) {
// not finished yet.
return 0;
}
cat /sys/kernel/debug/tracing/trace_pipe
<...>-37497 [001] .... 25640037.438187: 0: client_version:0, state:0, tls13_state:0
<...>-37497 [001] .... 25640037.438193: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.438194: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.438210: 0: client_version:0, state:1, tls13_state:0
<...>-37497 [001] .... 25640037.438211: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.438212: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.438230: 0: client_version:0, state:1, tls13_state:0
<...>-37497 [001] .... 25640037.438231: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.438232: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.438353: 0: client_version:771, state:5, tls13_state:0
<...>-37497 [001] .... 25640037.438356: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.438357: 0: SSL_HANDSHAKE_ALLBOOL:131600, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.439763: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.439766: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.439767: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442391: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.442394: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442395: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442401: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.442402: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442403: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442413: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.442414: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442415: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442422: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.442423: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442425: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442849: 0: client_version:771, state:12, tls13_state:0
<...>-37497 [001] .... 25640037.442852: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442853: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442859: 0: client_version:771, state:15, tls13_state:0
<...>-37497 [001] .... 25640037.442861: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442862: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442869: 0: client_version:771, state:15, tls13_state:0
<...>-37497 [001] .... 25640037.442870: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442871: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442878: 0: client_version:771, state:15, tls13_state:0
<...>-37497 [001] .... 25640037.442880: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442881: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442911: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25640037.442913: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442914: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442922: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25640037.442930: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442931: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442940: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25640037.442941: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442942: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
<...>-37497 [001] .... 25640037.442961: 0: client_version:771, state:18, tls13_state:0
<...>-37497 [001] .... 25640037.442964: 0: TLS version :771, hash_len:0,
<...>-37497 [001] .... 25640037.442965: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077d123958
将比较值改到18时,就可以取到key了
if (ssl3_hs_state.state < 18) {
// not finished yet.
return 0;
}
cat /sys/kernel/debug/tracing/trace_pipe
<...>-37498 [002] .... 25640191.915947: 0: client_version:0, state:0, tls13_state:0
<...>-37498 [002] .... 25640191.915952: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.915953: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.915954: 0: mastersecret->version :771, client_version:0,
<...>-37498 [002] .... 25640191.915973: 0: client_version:0, state:1, tls13_state:0
<...>-37498 [002] .... 25640191.915974: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.915975: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.915975: 0: mastersecret->version :771, client_version:0,
<...>-37498 [002] .... 25640191.915993: 0: client_version:0, state:1, tls13_state:0
<...>-37498 [002] .... 25640191.915993: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.915994: 0: SSL_HANDSHAKE_ALLBOOL:0, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.915995: 0: mastersecret->version :771, client_version:0,
<...>-37498 [002] .... 25640191.916145: 0: client_version:771, state:5, tls13_state:0
<...>-37498 [002] .... 25640191.916148: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.916149: 0: SSL_HANDSHAKE_ALLBOOL:131600, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.916151: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.919168: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.919171: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.919173: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.919173: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.921925: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.921928: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.921929: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.921929: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.921935: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.921936: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.921937: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.921937: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.921946: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.921946: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.921948: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.921948: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.921956: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.921957: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.921958: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.921959: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922366: 0: client_version:771, state:12, tls13_state:0
<...>-37498 [002] .... 25640191.922368: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922369: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922370: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922377: 0: client_version:771, state:15, tls13_state:0
<...>-37498 [002] .... 25640191.922377: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922378: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922378: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922385: 0: client_version:771, state:15, tls13_state:0
<...>-37498 [002] .... 25640191.922386: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922387: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922388: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922396: 0: client_version:771, state:15, tls13_state:0
<...>-37498 [002] .... 25640191.922397: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922398: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922399: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922424: 0: client_version:771, state:18, tls13_state:0
<...>-37498 [002] .... 25640191.922428: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922429: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922432: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922434: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37498 [002] .... 25640191.922435: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37498 [002] .... 25640191.922436: 0: secret_length:48
<...>-37498 [002] .... 25640191.922438: 0: master_key: 34 83 19
<...>-37498 [002] .... 25640191.922453: 0: client_version:771, state:18, tls13_state:0
<...>-37498 [002] .... 25640191.922457: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922458: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922460: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922462: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37498 [002] .... 25640191.922463: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37498 [002] .... 25640191.922464: 0: secret_length:48
<...>-37498 [002] .... 25640191.922465: 0: master_key: 34 83 19
<...>-37498 [002] .... 25640191.922474: 0: client_version:771, state:18, tls13_state:0
<...>-37498 [002] .... 25640191.922475: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922476: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922476: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922477: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37498 [002] .... 25640191.922478: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37498 [002] .... 25640191.922478: 0: secret_length:48
<...>-37498 [002] .... 25640191.922479: 0: master_key: 34 83 19
<...>-37498 [002] .... 25640191.922511: 0: client_version:771, state:18, tls13_state:0
<...>-37498 [002] .... 25640191.922514: 0: TLS version :771, hash_len:0,
<...>-37498 [002] .... 25640191.922515: 0: SSL_HANDSHAKE_ALLBOOL:8520208, ssl_hs_st_addr:56077c9a9088
<...>-37498 [002] .... 25640191.922515: 0: mastersecret->version :771, client_version:771,
<...>-37498 [002] .... 25640191.922517: 0: ssl_st->s3->hs->new_session is not null, address :56077e5c7ba8
<...>-37498 [002] .... 25640191.922518: 0: s3_address:56077e5cc508, ssl_session_st_addr addr :56077e5c7ba8
<...>-37498 [002] .... 25640191.922519: 0: secret_length:48
<...>-37498 [002] .... 25640191.922520: 0: master_key: 34 83 19
运行环境如开头描述 nginx 静态编译boringssl main-with-bazel 分支 commit id: f1c75347daa2ea81a941e953f2263e0a4d970c8d
但是确实有点奇怪,从客户端看确实状态到了20
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [104 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3019 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
20 is more accurate than 18.
enum tls12_server_hs_state_t {
state12_start_accept = 0,
state12_read_client_hello,
state12_read_client_hello_after_ech,
state12_cert_callback,
state12_tls13,
state12_select_parameters,
state12_send_server_hello,
state12_send_server_certificate,
state12_send_server_key_exchange,
state12_send_server_hello_done,
state12_read_client_certificate,
state12_verify_client_certificate,
state12_read_client_key_exchange,
state12_read_client_certificate_verify,
state12_read_change_cipher_spec,
state12_process_change_cipher_spec,
state12_read_next_proto,
state12_read_channel_id,
state12_read_client_finished,
state12_send_server_finished,
state12_finish_server_handshake,
state12_done,
};
You can carefully read the code related to state12_read_client_finished, state12_send_server_finished, and state12_finish_server_handshake.
That's right, I changed the max to 18 to output the key. I'll debug it again
gdb了nginx看了一下,boringssl中ssl_in_init这个貌似只到了18就结束,也就是后面的19,20都没有到ssl_in_init
所以这应该是bosringssl_masterkey.h中我把它改小到18才能输出key的原因。
再次确认ssl_in_init在state 19后不再调用,确切的证据:
在state 18时调用了3次ssl_in_init,所以在我这种情景下,只能用18,否则无法取到key
if (ssl3_hs_state.state < 18) {
// not finished yet.
return 0;
}
这个问题稍微复杂一些,涉及TLS 协议版本、Client、Server角色,都会影响openssl的TLS链接状态。
eCapture需要更准确的判断分支,我近期会做验证,感谢反馈。
This issue is slightly more complex, involving the TLS protocol version and the roles of Client and Server, all of which can affect the OpenSSL TLS connection status.
eCapture requires a more accurate determination of branches; I will conduct verification in the near future. Thank you for your feedback.