The SSL structure in openssl 3.2.0 has been modified

[Z3ratu1]

kern/openssl.h中有一段解析SSL*获取fd的代码，看起来一个是认为结构体大致以如下形式分布

struct ssl_st {
    int version;
    const SSL_METHOD *method;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
...
}

但是在openssl 3.2.0中，这个结构体直接大改，bio系列结构体都放进了一个ssl_connection_st的结构体，原ssl_st变为

struct ssl_st {
    int type;
    SSL_CTX *ctx;
    const SSL_METHOD *defltmeth;
    const SSL_METHOD *method;
    CRYPTO_REF_COUNT references;
    CRYPTO_RWLOCK *lock;
    /* extra application data */
    CRYPTO_EX_DATA ex_data;
};

ssl_connection_st为

struct ssl_connection_st {
    struct ssl_st ssl;
    int version;
    BIO *rbio;
    BIO *wbio;
    BIO *bbio;
    ...
}

在调用时ssl_st使用宏SSL_CONNECTION_FROM_SSL进行转换为ssl_connection_st，因此对于新的openssl版本，需整体添加sizeof(struct ssl_st)+sizeof(int)的偏移才能获取到rbio/wbio结构体

以及，在uprobe/SSL_write中，读出ssl_wbio_addr后，后续却是使用ssl_wbio_ptr加上偏移去读取数据，是否有误？

   ssl_wbio_ptr = (u64 *)(ssl + SSL_ST_WBIO);
    ret = bpf_probe_read_user(&ssl_wbio_addr, sizeof(ssl_wbio_addr),
                              ssl_wbio_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_addr failed, ret :%d\n",
            ret);
        return 0;
    }

    // get fd ssl->wbio->num
    ssl_wbio_num_ptr = (u64 *)(ssl_wbio_ptr + BIO_ST_NUM);
    ret = bpf_probe_read_user(&ssl_wbio_num_addr, sizeof(ssl_wbio_num_addr),
                              ssl_wbio_num_ptr);
    if (ret) {
        debug_bpf_printk(
            "(OPENSSL) bpf_probe_read ssl_wbio_num_ptr failed, ret :%d\n",
            ret);
        return 0;
    }

[cfc4n]

OpenSSL 3.2 is a recently released version, quite new. As you mentioned, there are changes in the structure of the data. It requires eCapture adaptation. I will provide support for it soon.

openssl 3.2是刚出的版本，比较新。正如你所说，存在结构体变化的情况。需要 eCapture 适配。 近期我来支持一下。

[cfc4n]

openssl 3.2.x does have a particularly big change, and I need to find a suitable HOOK function again, and I need to take some time.

However, I started by supporting the 3.1.x version of openssl library

[cfc4n]

在openssl 3.2.x里，如果是bio的结构体发生了变化，eCapture的text模式依旧可以正常工作。不过，keylog、pcapng模式确实无法正常工作。

In OpenSSL 3.2.x, if the structure of the bio has changed, the text mode of eCapture will still work normally. However, the keylog and pcapng modes really don't work

[cfc4n]

Support for OpenSSL 3.2.0 has been completed, please try the new version v0.7.3.