kern: support openssl 3.3.* (#575)

Add the offset of the `ssl_st->server` field to determine whether the current *SSL is in server mode.

Signed-off-by: CFC4N <[email protected]>

Author: cfc4n

kern/openssl_1_0_2a_kern.c

@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x14
 

kern/openssl_1_1_0a_kern.c

@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x8
 

kern/openssl_1_1_1a_kern.c

@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

kern/openssl_1_1_1b_kern.c

@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

kern/openssl_1_1_1d_kern.c

@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

kern/openssl_1_1_1j_kern.c

@@ -1,8 +1,8 @@
 #ifndef ECAPTURE_OPENSSL_1_1_1_J_KERN_H
 #define ECAPTURE_OPENSSL_1_1_1_J_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 1.1.1u  30 May 2023 */
-/* OPENSSL_VERSION_NUMBER: 269488479 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 1.1.1w  11 Sep 2023 */
+/* OPENSSL_VERSION_NUMBER: 269488511 */
 
 // ssl_st->version
 #define SSL_ST_VERSION 0x0
@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

kern/openssl_3_0_0_kern.c

@@ -1,8 +1,8 @@
-#ifndef ECAPTURE_OPENSSL_3_0_0_KERN_H
-#define ECAPTURE_OPENSSL_3_0_0_KERN_H
+#ifndef ECAPTURE_OPENSSL_3_0_6_KERN_H
+#define ECAPTURE_OPENSSL_3_0_6_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 3.0.9 30 May 2023 */
-/* OPENSSL_VERSION_NUMBER: 805306512 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 3.1.6 4 Jun 2024 */
+/* OPENSSL_VERSION_NUMBER: 806355040 */
 
 // ssl_st->version
 #define SSL_ST_VERSION 0x0
@@ -19,6 +19,9 @@
 // ssl_st->wbio
 #define SSL_ST_WBIO 0x18
 
+// ssl_st->server
+#define SSL_ST_SERVER 0x38
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

kern/openssl_3_2_0_kern.c

@@ -1,8 +1,8 @@
-#ifndef ECAPTURE_OPENSSL_3_2_0_KERN_H
-#define ECAPTURE_OPENSSL_3_2_0_KERN_H
+#ifndef ECAPTURE_OPENSSL_3_2_2_KERN_H
+#define ECAPTURE_OPENSSL_3_2_2_KERN_H
 
-/* OPENSSL_VERSION_TEXT: OpenSSL 3.2.0 23 Nov 2023 */
-/* OPENSSL_VERSION_NUMBER: 807403520 */
+/* OPENSSL_VERSION_TEXT: OpenSSL 3.2.2 4 Jun 2024 */
+/* OPENSSL_VERSION_NUMBER: 807403552 */
 
 // ssl_st->type
 #define SSL_ST_TYPE 0x0
@@ -22,6 +22,9 @@
 // ssl_connection_st->wbio
 #define SSL_CONNECTION_ST_WBIO 0x50
 
+// ssl_connection_st->server
+#define SSL_CONNECTION_ST_SERVER 0x70
+
 // ssl_session_st->master_key
 #define SSL_SESSION_ST_MASTER_KEY 0x50
 

user/module/probe_openssl_lib.go

@@ -30,6 +30,7 @@ const (
 	Linuxdefaulefilename30  = "linux_default_3_0"
 	Linuxdefaulefilename31  = "linux_default_3_0"
 	Linuxdefaulefilename320 = "linux_default_3_2"
+	Linuxdefaulefilename330 = "linux_default_3_3"
 	AndroidDefauleFilename  = "android_default"
 
 	OpenSslVersionLen = 30 // openssl version string length
@@ -39,9 +40,10 @@ const (
 	MaxSupportedOpenSSL102Version = 'u'
 	MaxSupportedOpenSSL110Version = 'l'
 	MaxSupportedOpenSSL111Version = 'w'
-	MaxSupportedOpenSSL30Version  = 13
-	MaxSupportedOpenSSL31Version  = 5
-	MaxSupportedOpenSSL32Version  = 1
+	MaxSupportedOpenSSL30Version  = 14
+	MaxSupportedOpenSSL31Version  = 6
+	MaxSupportedOpenSSL32Version  = 2
+	MaxSupportedOpenSSL33Version  = 1
 )
 
 // initOpensslOffset initial BpfMap
@@ -109,6 +111,12 @@ func (m *MOpenSSLProbe) initOpensslOffset() {
 		m.sslVersionBpfMap[fmt.Sprintf("openssl 3.2.%d", ch)] = "openssl_3_2_0_kern.o"
 	}
 
+	// openssl 3.3.0
+	for ch := 0; ch <= MaxSupportedOpenSSL33Version; ch++ {
+		// The OpenSSL 3.3.* series is the same as the 3.2.* series of offsets
+		m.sslVersionBpfMap[fmt.Sprintf("openssl 3.3.%d", ch)] = "openssl_3_2_0_kern.o"
+	}
+
 	// openssl 1.1.0a - 1.1.0l
 	for ch := 'a'; ch <= MaxSupportedOpenSSL110Version; ch++ {
 		m.sslVersionBpfMap["openssl 1.1.0"+string(ch)] = "openssl_1_1_0a_kern.o"

utils/openssl_1_0_2_offset.c

@@ -10,6 +10,7 @@
     X(ssl_st, s3)                   \
     X(ssl_st, rbio)                 \
     X(ssl_st, wbio)                 \
+    X(ssl_st, server)               \
     X(ssl_session_st, master_key)   \
     X(ssl3_state_st, client_random) \
     X(ssl_session_st, cipher)       \

utils/openssl_1_1_0_offset.c

@@ -11,6 +11,7 @@
     X(ssl_st, s3)                   \
     X(ssl_st, rbio)                 \
     X(ssl_st, wbio)                 \
+    X(ssl_st, server)                    \
     X(ssl_session_st, master_key)   \
     X(ssl3_state_st, client_random) \
     X(ssl_session_st, cipher)       \

utils/openssl_1_1_1_offset.c

@@ -21,6 +21,7 @@
     X(ssl_st, s3)                        \
     X(ssl_st, rbio)                      \
     X(ssl_st, wbio)                      \
+    X(ssl_st, server)                    \
     X(ssl_session_st, master_key)        \
     X(ssl3_state_st, client_random)      \
     X(ssl_session_st, cipher)            \

utils/openssl_3_0_offset.c

@@ -11,6 +11,7 @@
     X(ssl_st, s3)                        \
     X(ssl_st, rbio)                      \
     X(ssl_st, wbio)                      \
+    X(ssl_st, server)                    \
     X(ssl_session_st, master_key)        \
     X(ssl_st, s3.client_random)          \
     X(ssl_session_st, cipher)            \

utils/openssl_3_2_0_offset.c

@@ -12,6 +12,7 @@
     X(ssl_connection_st, s3)                        \
     X(ssl_connection_st, rbio)                      \
     X(ssl_connection_st, wbio)                      \
+    X(ssl_connection_st, server)                    \
     X(ssl_session_st, master_key)                   \
     X(ssl_connection_st, s3.client_random)          \
     X(ssl_session_st, cipher)                       \

utils/openssl_offset_3.0.sh

@@ -39,6 +39,7 @@ function run() {
   sslVerMap["11"]="0"
   sslVerMap["12"]="0"
   sslVerMap["13"]="0"
+  sslVerMap["14"]="0"
 
   # shellcheck disable=SC2068
   for ver in ${!sslVerMap[@]}; do

utils/openssl_offset_3.1.sh

@@ -31,6 +31,7 @@ function run() {
   sslVerMap["3"]="0"
   sslVerMap["4"]="0"
   sslVerMap["5"]="0"
+  sslVerMap["6"]="0"
 
   # shellcheck disable=SC2068
   for ver in ${!sslVerMap[@]}; do

utils/openssl_offset_3.2.sh

@@ -27,6 +27,7 @@ function run() {
   declare -A sslVerMap=()
   sslVerMap["0"]="0"
   sslVerMap["1"]="0"
+  sslVerMap["2"]="0"
 
   # shellcheck disable=SC2068
   for ver in ${!sslVerMap[@]}; do

utils/openssl_offset_3.3.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+set -e
+
+PROJECT_ROOT_DIR=$(pwd)
+OPENSSL_DIR="${PROJECT_ROOT_DIR}/deps/openssl"
+OUTPUT_DIR="${PROJECT_ROOT_DIR}/kern"
+
+if [[ ! -f "go.mod" ]]; then
+  echo "Run the script from the project root directory"
+  exit 1
+fi
+
+echo "check file exists: ${OPENSSL_DIR}/.git"
+# skip cloning if the header file of the max supported version is already generated
+if [[ ! -f "${OPENSSL_DIR}/.git" ]]; then
+  echo "check directory exists: ${OPENSSL_DIR}"
+  # skip cloning if the openssl directory already exists
+  if [[ ! -d "${OPENSSL_DIR}" ]]; then
+    echo "git clone openssl to ${OPENSSL_DIR}"
+    git clone https://github.com/openssl/openssl.git ${OPENSSL_DIR}
+  fi
+fi
+
+# openssl 3.3.* 跟 3.2.* 的offset一致，故这里采用 3.2的文件名。
+function run() {
+  git fetch --tags
+  cp -f ${PROJECT_ROOT_DIR}/utils/openssl_3_2_0_offset.c ${OPENSSL_DIR}/offset.c
+  declare -A sslVerMap=()
+  sslVerMap["0"]="0"
+  sslVerMap["1"]="1"
+
+  # shellcheck disable=SC2068
+  for ver in ${!sslVerMap[@]}; do
+    tag="openssl-3.3.${ver}"
+    val=${sslVerMap[$ver]}
+    header_file="${OUTPUT_DIR}/openssl_3_2_${val}_kern.c"
+    header_define="OPENSSL_3_2_$(echo ${val} | tr "[:lower:]" "[:upper:]")_KERN_H"
+
+    if [[ -f ${header_file} ]]; then
+      echo "Skip ${header_file}"
+      continue
+    fi
+    echo "git checkout ${tag}"
+    git checkout ${tag}
+    echo "Generating ${header_file}"
+
+
+    # ./Configure and make openssl/opensslconf.h
+    ./Configure
+    make clean
+    make build_generated
+
+
+    clang -I include/ -I . offset.c -o offset
+
+    echo -e "#ifndef ECAPTURE_${header_define}" >${header_file}
+    echo -e "#define ECAPTURE_${header_define}\n" >>${header_file}
+    ./offset >>${header_file}
+    echo -e "#define SSL_ST_VERSION SSL_CONNECTION_ST_VERSION\n" >>${header_file}
+    echo -e "#define SSL_ST_WBIO SSL_CONNECTION_ST_WBIO\n" >>${header_file}
+    echo -e "#define SSL_ST_RBIO SSL_CONNECTION_ST_RBIO\n" >>${header_file}
+    echo -e "\n#include \"openssl.h\"" >>${header_file}
+    echo -e "#include \"openssl_masterkey_3.3.h\"" >>${header_file}
+    echo -e "\n#endif" >>${header_file}
+
+    # clean up
+    make clean
+
+  done
+
+  rm offset.c
+}
+
+# TODO Check if the directory for OpenSSL exists
+pushd ${OPENSSL_DIR}
+(run)
+[[ "$?" != 0 ]] && popd
+popd