summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Wu <peter@lekensteyn.nl>2018-10-23 19:31:09 +0200
committerPeter Wu <peter@lekensteyn.nl>2018-10-23 19:31:09 +0200
commit4388526d2c91d3e4ea98b5040cb0d386a1d7e3e5 (patch)
tree42bed76ede68d25310ce637afc647c9938fa3ef8
parent9fa13901cd459ea71543753a68fbf75c4f35c51e (diff)
downloadwireshark-notes-4388526d2c91d3e4ea98b5040cb0d386a1d7e3e5.tar.gz
sslkeylog.c: fix OpenSSL 1.1.1 support when library is not loaded
When libssl.so.1.1.1 was not yet loaded, it would assume that an older library was already loaded and avoid the new API. That assumption is not correct, it is also possible that no library was loaded at all as is the case with Python. Test: ./sslkeylog.sh python -c \ 'import requests;print(requests.head("https://wireshark.org"))' Before this fix it would output all zeroes as secret (a sign that something is wrong).
-rw-r--r--src/sslkeylog.c38
1 files changed, 21 insertions, 17 deletions
diff --git a/src/sslkeylog.c b/src/sslkeylog.c
index 1617cd6..3706689 100644
--- a/src/sslkeylog.c
+++ b/src/sslkeylog.c
@@ -117,21 +117,25 @@ static void init_keylog_file(void)
}
}
-static inline void *lookup_symbol(const char *sym)
+static inline void *try_lookup_symbol(const char *sym, int optional)
{
void *func = dlsym(RTLD_NEXT, sym);
+ if (!func && optional && dlsym(RTLD_NEXT, "SSL_new")) {
+ /* Symbol not found, but an old OpenSSL version was actually loaded. */
+ return NULL;
+ }
/* Symbol not found, OpenSSL is not loaded (linked) so try to load it
* manually. This is error-prone as it depends on a fixed library name.
* Perhaps it should be an env name? */
if (!func) {
void *handle = dlopen(OPENSSL_SONAME, RTLD_LAZY);
if (!handle) {
- fprintf(stderr, "Lookup error for %s: %s", sym, dlerror());
+ fprintf(stderr, "Lookup error for %s: %s\n", sym, dlerror());
abort();
}
func = dlsym(handle, sym);
- if (!func) {
- fprintf(stderr, "Cannot lookup %s", sym);
+ if (!func && !optional) {
+ fprintf(stderr, "Cannot lookup %s\n", sym);
abort();
}
dlclose(handle);
@@ -139,6 +143,11 @@ static inline void *lookup_symbol(const char *sym)
return func;
}
+static inline void *lookup_symbol(const char *sym)
+{
+ return try_lookup_symbol(sym, 0);
+}
+
#ifndef NO_OPENSSL_110_SUPPORT
typedef struct ssl_tap_state {
int master_key_length;
@@ -195,24 +204,19 @@ static void copy_client_random(const SSL *ssl, unsigned char *client_random)
}
/* non-NULL if the new OpenSSL 1.1.1 keylog API is supported. */
-static void *new_keylog_api(void)
+static int supports_keylog_api(void)
{
- static void *set_keylog_cb = (void *)-1;
- if (set_keylog_cb == (void *)-1) {
- /*
- * Assume OpenSSL is already loaded and try to locate the OpenSSL 1.1.1
- * keylog API. Do not fallback to lookup_symbol as that could result in
- * loading a different, incompatible version of libssl.so.
- */
- set_keylog_cb = dlsym(RTLD_NEXT, "SSL_CTX_set_keylog_callback");
+ static int supported = -1;
+ if (supported == -1) {
+ supported = try_lookup_symbol("SSL_CTX_set_keylog_callback", 1) != NULL;
}
- return set_keylog_cb;
+ return supported;
}
/* Copies SSL state for later comparison in tap_ssl_key. */
static void ssl_tap_state_init(ssl_tap_state_t *state, const SSL *ssl)
{
- if (new_keylog_api()) {
+ if (supports_keylog_api()) {
/* Favor using the callbacks API to extract secrets. */
return;
}
@@ -231,7 +235,7 @@ static void ssl_tap_state_init(ssl_tap_state_t *state, const SSL *ssl)
static void tap_ssl_key(const SSL *ssl, ssl_tap_state_t *state)
{
- if (new_keylog_api()) {
+ if (supports_keylog_api()) {
/* Favor using the callbacks API to extract secrets. */
return;
}
@@ -347,7 +351,7 @@ SSL *SSL_new(SSL_CTX *ctx)
set_keylog_cb = lookup_symbol("SSL_CTX_set_keylog_callback");
#else /* ! NO_OPENSSL_110_SUPPORT */
/* May be NULL if used with an older OpenSSL runtime library. */
- set_keylog_cb = new_keylog_api();
+ set_keylog_cb = try_lookup_symbol("SSL_CTX_set_keylog_callback", 1);
#endif /* ! NO_OPENSSL_110_SUPPORT */
}
if (set_keylog_cb) {