A doubt in pcap mode #637

Open
xd121614 opened this issue Sep 19, 2024 · 2 comments
Labels
question Further information is requested

Comments

@xd121614

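From studying the ecapture code, I understand that in pcap mode the key is obtained by hooking OpenSSL's SSL_write_key function, and that once the TC hook has captured the encrypted data, it is decrypted with that key. What I would like to know is this: between obtaining the key and capturing the data, SSL_write_key may be hooked again, so the key would be overwritten. How is this situation handled?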

@cfc4n cfc4n changed the title "A question about pcap mode" Sep 19, 2024
@cfc4n cfc4n added the question Further information is requested label Sep 19, 2024
@cfc4n
Member

cfc4n commented Sep 19, 2024

Firstly, an SSL handshake involves only one key exchange. Secondly, the program filters out identical CLIENT_RANDOM results (multiple HOOK points triggered in a single process).

```go
_, f := m.masterKeys[k]
if f {
	// A masterSecret for this random already exists, so it does not need to be written again
	return
}
```
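The deduplication described in the comment above, as an added example that is not eCapture's own code: secrets are stored per CLIENT_RANDOM, so a second connection adds a new entry and never replaces the first one, and a consumer of NSS key log lines picks the secret by the client random of the connection it is decrypting. The `KeyLog`, `Save` and `Lookup` names are hypothetical and the hex values are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// KeyLog is a hypothetical stand-in for the structure that owns the
// masterKeys map in the snippet above; it is not eCapture's type.
type KeyLog struct {
	masterKeys map[string]bool // client_random (hex) -> already written
	lines      []string        // NSS key log lines, in write order
}

func NewKeyLog() *KeyLog {
	return &KeyLog{masterKeys: make(map[string]bool)}
}

// Save records one secret per CLIENT_RANDOM. It returns false when the same
// client random was already seen (several hook points firing for one handshake).
func (m *KeyLog) Save(clientRandom, masterSecret string) bool {
	k := strings.ToLower(clientRandom)
	if _, f := m.masterKeys[k]; f {
		return false
	}
	m.masterKeys[k] = true
	m.lines = append(m.lines, fmt.Sprintf("CLIENT_RANDOM %s %s", k, strings.ToLower(masterSecret)))
	return true
}

// Lookup returns the secret for the connection whose ClientHello carried
// clientRandom, the way a key log consumer selects a key.
func (m *KeyLog) Lookup(clientRandom string) (string, bool) {
	for _, l := range m.lines {
		p := strings.Fields(l)
		if len(p) == 3 && p[1] == strings.ToLower(clientRandom) {
			return p[2], true
		}
	}
	return "", false
}

func main() {
	m := NewKeyLog()
	// Constructed sample values (real ones are 32-byte and 48-byte hex strings).
	fmt.Println(m.Save("aa01", "1111")) // connection 1: true
	fmt.Println(m.Save("aa01", "1111")) // second hook point, same handshake: false
	fmt.Println(m.Save("bb02", "2222")) // connection 2: true
	fmt.Println(m.Lookup("aa01"))       // connection 1 still maps to 1111
}
```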

@xd121614
Author

> Firstly, an SSL handshake involves only one key exchange. Secondly, the program filters out identical CLIENT_RANDOM results (multiple HOOK points triggered in a single process).
>
> ```go
> _, f := m.masterKeys[k]
> if f {
> 	// A masterSecret for this random already exists, so it does not need to be written again
> 	return
> }
> ```

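Maybe my understanding is wrong, please correct me. The scenario I am describing:
First, every openssl connection has a different key. ssl_connection1 is hooked during the handshake and secretkey1 is obtained, and subsequent encrypted traffic is decrypted with secretkey1. Then ssl_connection2 is hooked and secretkey2 is obtained; ssl_connection1 may still be transmitting encrypted data, and at that point secretkey2 would be used to decrypt it.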
