ecapture icon indicating copy to clipboard operation
ecapture copied to clipboard
verified publisher icon gojue

A doubt in pcap mode

Open xd121614 opened this issue 1 year ago • 3 comments

通过学习ecapture的代码,了解到pcap模式下通过hook openssl的SSL_write_key函数获取密钥,TC HOOK抓取到加密数据后通过密钥解密,我想了解的是获取密钥和抓取数据过程之间有可能再次hook到SSL_write_key,这样密钥会被覆盖,针对这种情况是如何处理的。

xd121614 avatar Sep 19 '24 09:09 xd121614

Firstly, an SSL handshake involves only one key exchange. Secondly, the program filters out identical CLIENT_RANDOM results (multiple HOOK points triggered in a single process).

https://github.com/gojue/ecapture/blob/d50ee780c0c26df50bdcd262e792b02cef55b1f4/user/module/probe_openssl.go#L388-L393

cfc4n avatar Sep 19 '24 10:09 cfc4n

Firstly, an SSL handshake involves only one key exchange. Secondly, the program filters out identical CLIENT_RANDOM results (multiple HOOK points triggered in a single process).

https://github.com/gojue/ecapture/blob/d50ee780c0c26df50bdcd262e792b02cef55b1f4/user/module/probe_openssl.go#L388-L393

可能我的理解有误,请指正,我描述的场景: 首先每条openssl连接的密钥都是不同的,ssl_connection1握手阶段被hook后拿到secretkey1,后续加密流量使用secretkey1解密,这时又hook到ssl_connection2拿到secretkey2,ssl_connection1可能还在传输加密数据,这时会用secretkey2来解密。

xd121614 avatar Sep 19 '24 11:09 xd121614

每个TLS握手建立后, CLIENT_RANDOM是唯一不变的。

cfc4n avatar Sep 26 '24 13:09 cfc4n