Custom libssl

 druide

Goal

Today, i have builded a custom libssl. My custom libssl should be able to export the necessary keys into a text file for Wireshark as the same way as Firefox. See this


This will be done on my laptop :

  • Ubuntu 14.04.1 LTS
  • Intel® Core™ i7-3520M CPU @ 2.90GHz × 4
  • 64 bits


I'll work on the Ubuntu packages source code instead of openssl git repository.

Step

The first step is to download the source code. Download the source package of openssl from Ubuntu source code repository. You have to activate the source repository in your sources.list file if it is not already enabled.

druide@bidouille:~$ cat /etc/apt/sources.list | grep deb-src
deb-src http://archive.ubuntu.com/ubuntu trusty main restricted universe multiverse
druide@bidouille:~$ apt-get update
druide@bidouille:~$ sudo apt-get upgrade
druide@bidouille:~$ apt-get source openssl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Need to get 4,625 kB of source archives.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty/main openssl 1.0.1f-1ubuntu2 (dsc) [2,358 B]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty/main openssl 1.0.1f-1ubuntu2 (tar) [4,509 kB]
Get:3 http://archive.ubuntu.com/ubuntu/ trusty/main openssl 1.0.1f-1ubuntu2 (diff) [113 kB]
Fetched 4,625 kB in 0s (5,914 kB/s)
gpgv: Signature made Mon 07 Apr 2014 08:26:12 PM UTC using RSA key ID A744BE93
gpgv: Can''t check signature: public key not found
dpkg-source: warning: failed to verify signature on ./openssl_1.0.1f-1ubuntu2.dsc
dpkg-source: info: extracting openssl in openssl-1.0.1f
dpkg-source: info: unpacking openssl_1.0.1f.orig.tar.gz
dpkg-source: info: unpacking openssl_1.0.1f-1ubuntu2.debian.tar.gz
dpkg-source: info: applying ca.patch

...
The next step is to code the extraction of the keys. You can do this manually or you can apply my patch.

druide@bidouille:~$ cd cd openssl-1.0.1f/
druide@bidouille:~/openssl-1.0.1f$ patch ssl/s3_clnt.c < PATH/TO/custom-ssl.patch_.txt
patching file ssl/s3_clnt.c


Now, it's time to build the custom library. To do this job, i have used the « debian » rules file.


druide@bidouille:~/openssl-1.0.1f$ sudo apt-get install devscripts debhelper
druide@bidouille:~/openssl-1.0.1f$ ./debian/rules
# so much informations of compilation and test


When the compilation is done, we have to remove all libssl* files and all libcrypto* files because they are installed by default on Ubuntu. After that, we can install my custom libssl.


druide@bidouille:~$ sudo rm /lib/x86_64-linux-gnu/libssl*
druide@bidouille:~$ sudo rm /lib/x86_64-linux-gnu/libcrypto*
druide@bidouille:~$ sudo rm /usr/lib/x86_64-linux-gnu/libssl*
druide@bidouille:~$ sudo rm /usr/lib/x86_64-linux-gnu/libcrypto*
druide@bidouille:~$ sudo make install_sw
# blablabla
installing libcrypto.so.1.0.0
installing libssl.so.1.0.0
make[1]: Entering directory `/usr/lib/x86_64-linux-gnu`
make[2]: Entering directory `/usr/lib/x86_64-linux-gnu`
make[2]: Leaving directory `/usr/lib/x86_64-linux-gnu`
make[2]: Entering directory `/usr/lib/x86_64-linux-gnu`
make[2]: Leaving directory `/usr/lib/x86_64-linux-gnu`
make[1]: Leaving directory `/usr/lib/x86_64-linux-gnu`
cp libcrypto.pc /usr/lib/x86_64-linux-gnu/pkgconfig
chmod 644 /usr/lib/x86_64-linux-gnu/pkgconfig/libcrypto.pc
cp libssl.pc /usr/lib/x86_64-linux-gnu/pkgconfig
chmod 644 /usr/lib/x86_64-linux-gnu/pkgconfig/libssl.pc
cp openssl.pc /usr/lib/x86_64-linux-gnu/pkgconfig
chmod 644 /usr/lib/x86_64-linux-gnu/pkgconfig/openssl.pc
It's time to test. For the test, i have used curl with --tlsv1.2 option. Like Firefox mechanism, we must create an environment variable to export the keys.

# From shell 1
druide@bidouille:~$ sudo tcpdump -w capture.log
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C187 packets captured
190 packets received by filter
0 packets dropped by kernel

# From shell 2
druide@bidouille:~$ export SSLKEYLOGFILE=/tmp/key
druide@bidouille:~$ curl --tlsv1.2 "https://www.google.ch/#q=my+secret+research" > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 18353    0 18353    0     0  97421      0 --:--:-- --:--:-- --:--:-- 97105


Et voilà!

You can find the « master key » with the « client_random » value in the file defined by SSLKEYLOGFILE environment variable.

# From shell 2
druide@bidouille:~$ cat /tmp/key 
# SSL/TLS secrets log file, generated by custom libssl from druide

# SSL_kEECDH|SSL_kECDHr|SSL_kECDHe
CLIENT_RANDOM 2264236baac8f2485605de001302f4417a8ecebcba8a5dcec9cd61db97850cb1 0649d6c82e3897f11664348a55a0a9b7f9f57e1a5c33add0ee9b46e11473b1265ad2b93d4d6efe29c88939bf3aace917


Note: I think Wireshark use the CLIENT_RANDOM value like an « id » to identify the start of the TLS data stream (handshake) and then, reassemble all packets.

Now, we must see the unciphered data but to do this we must use Wireshark with a version > 1.11. Wireshark 1.10.6, which is the version included in Ubuntu 14.04, with which doesn't work. Then, i have builded the last version from Wireshark repo.

druide@bidouille:~$ sudo apt-get install bison flex libgtk-3-dev libpcap-dev libwiretap3
druide@bidouille:~$ wget https://1.eu.dl.wireshark.org/src/wireshark-1.12.2.tar.bz2
druide@bidouille:~$ tar xvf wireshark-1.12.2.tar.bz2
druide@bidouille:~$ cd wireshark-1.12.2
druide@bidouille:~/wireshark-1.12.2$ ./configure --with-ssl --with-qt=no --with-gtk3=yes
# blablabla
The Wireshark package has been configured with the following options.
             Build wireshark (Gtk+) : yes (with GTK+ 3)
                 Build wireshark-qt : no
                       Build tshark : yes
                     Build capinfos : yes
                      Build captype : yes
                      Build editcap : yes
                      Build dumpcap : yes
                     Build mergecap : yes
                   Build reordercap : yes
                    Build text2pcap : yes
                      Build randpkt : yes
                       Build dftest : yes
                     Build rawshark : yes

   Save files as pcap-ng by default : yes
  Install dumpcap with capabilities : no
             Install dumpcap setuid : no
                  Use dumpcap group : (none)
                        Use plugins : yes
                    Use Lua library : no
                 Use Python binding : no
                   Build rtp_player : no
             Build profile binaries : no
                   Use pcap library : yes
                   Use zlib library : yes
               Use kerberos library : yes (MIT)
                 Use c-ares library : no
               Use GNU ADNS library : no
                Use SMI MIB library : no
             Use GNU crypto library : yes
             Use SSL crypto library : yes
           Use IPv6 name resolution : yes
                 Use gnutls library : yes
     Use POSIX capabilities library : no
                  Use GeoIP library : no
                     Use nl library : no
              Use SBC codec library : no
druide@bidouille:~/wireshark-1.12.2$ make
druide@bidouille:~/wireshark-1.12.2$ sudo make install

The result




That's all folks

Thank you to Diego for proofreading

  • 6 years 1 month before
  • |