fix: correct return statements and improve error handling in BoringSSL #816
Conversation
…L and OpenSSL integration Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
1 similar comment
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
There was a problem hiding this comment.
Pull Request Overview
This pull request fixes error handling and improves robustness in SSL/TLS probing code, particularly for BoringSSL compatibility. The changes prevent premature exits from BPF probe functions when encountering expected conditions that can be normal in certain SSL implementations.
- Commented out early return statements in BPF probe functions to allow continued processing when pointer reads fail or version values are zero
- Added explicit pointer casting to
void*forbpf_probe_read_usercalls - Fixed initialization logic for
eventCollectorWriterto ensure it's always set when needed
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| kern/openssl.h | Removes early returns and adds explicit pointer casting in SSL_read probe function |
| kern/boringssl_masterkey.h | Prevents early return when version reading fails in BoringSSL master key probe |
| cli/cmd/root.go | Fixes eventCollectorWriter initialization to occur outside error check |
kern/openssl.h
Outdated
| // return 0; | ||
| } else { | ||
| // 在BoringSSL中,主要使用ssl_st->s3->hs对象, ssl_st->version 可能为空 | ||
| ssl_rbio_ptr = (u64 *)(ssl + SSL_ST_RBIO); | ||
| ret = bpf_probe_read_user(&ssl_rbio_addr, sizeof(ssl_rbio_addr), | ||
| ssl_rbio_ptr); | ||
| if (ret) { | ||
| debug_bpf_printk( | ||
| "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret: %d\n", | ||
| ret); | ||
| // return 0; | ||
| } | ||
| // get ssl->bio->method->type | ||
| u32 bio_type = process_BIO_type(ssl_rbio_addr); |
There was a problem hiding this comment.
Instead of commenting out the return statement, consider using a more explicit approach like setting a flag or adding a specific condition check. Commented-out code reduces maintainability and makes the control flow unclear.
Copilot uses AI. Check for mistakes.
| debug_bpf_printk( | ||
| "(OPENSSL) bpf_probe_read ssl_rbio_ptr failed, ret: %d\n", | ||
| ret); | ||
| // return 0; |
There was a problem hiding this comment.
Instead of commenting out the return statement, consider using a more explicit approach like setting a flag or adding a specific condition check. Commented-out code reduces maintainability and makes the control flow unclear.
| // return 0; | |
| return 0; |
Copilot uses AI. Check for mistakes.
| debug_bpf_printk( | ||
| "(OPENSSL) bpf_probe_read ssl_rbio_num_ptr failed, ret: %d\n", | ||
| ret); | ||
| // return 0; |
There was a problem hiding this comment.
Instead of commenting out the return statement, consider using a more explicit approach like setting a flag or adding a specific condition check. Commented-out code reduces maintainability and makes the control flow unclear.
| // return 0; | |
| return 0; |
Copilot uses AI. Check for mistakes.
kern/boringssl_masterkey.h
Outdated
| @@ -200,7 +200,7 @@ int probe_ssl_master_key(struct pt_regs *ctx) { | |||
| int ret = bpf_probe_read_user(&version, sizeof(version), (void *)ssl_version_ptr); | |||
| if (ret) { | |||
| debug_bpf_printk("bpf_probe_read tls_version failed, ret :%d\n", ret); | |||
| return 0; | |||
| // return 0; // 在BoringSSL中,version可能为0,主要是使用了ssl->s3->hs对象 | |||
There was a problem hiding this comment.
Instead of commenting out the return statement, consider using a more explicit approach like setting a flag or adding a specific condition check. Commented-out code reduces maintainability and makes the control flow unclear.
| // return 0; // 在BoringSSL中,version可能为0,主要是使用了ssl->s3->hs对象 | |
| // In BoringSSL, version may be 0, mainly because ssl->s3->hs object is used. Do not return here. |
Copilot uses AI. Check for mistakes.
kern/openssl.h
Outdated
| } | ||
| // return 0; | ||
| } else { | ||
| // 在BoringSSL中,主要使用ssl_st->s3->hs对象, ssl_st->version 可能为空 |
There was a problem hiding this comment.
[nitpick] The comment contains mixed languages (Chinese and English) and inconsistent formatting. Consider using English consistently for code comments to improve maintainability for international development teams.
| // 在BoringSSL中,主要使用ssl_st->s3->hs对象, ssl_st->version 可能为空 | |
| // In BoringSSL, the ssl_st->s3->hs object is mainly used; ssl_st->version may be null |
Copilot uses AI. Check for mistakes.
kern/boringssl_masterkey.h
Outdated
| @@ -200,7 +200,7 @@ int probe_ssl_master_key(struct pt_regs *ctx) { | |||
| int ret = bpf_probe_read_user(&version, sizeof(version), (void *)ssl_version_ptr); | |||
| if (ret) { | |||
| debug_bpf_printk("bpf_probe_read tls_version failed, ret :%d\n", ret); | |||
| return 0; | |||
| // return 0; // 在BoringSSL中,version可能为0,主要是使用了ssl->s3->hs对象 | |||
There was a problem hiding this comment.
[nitpick] The comment contains Chinese text. Consider using English consistently for code comments to improve maintainability for international development teams.
| // return 0; // 在BoringSSL中,version可能为0,主要是使用了ssl->s3->hs对象 | |
| // return 0; // In BoringSSL, version may be 0, mainly because the ssl->s3->hs object is used |
Copilot uses AI. Check for mistakes.
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
3 similar comments
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
…tegration Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
5 similar comments
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
5 similar comments
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
|
🔧 Debug Build Complete 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. |
This pull request makes several small but important changes to improve robustness and compatibility in the SSL/TLS probing code, especially when handling BoringSSL and OpenSSL differences. The main focus is on error handling and initialization logic, ensuring the code does not return prematurely in certain edge cases, and making pointer casting explicit for clarity.
Error handling and robustness improvements:
probe_ssl_master_keyinboringssl_masterkey.handprobe_entry_SSL_readinopenssl.h) to prevent premature exit when encountering expected conditions, such asversionbeing zero in BoringSSL or pointer reads failing, which can be normal in some cases. This allows the probes to continue processing and handle these cases more gracefully. [1] [2] [3]ssl->s3->hsand the possibility ofssl->versionbeing empty. [1] [2]Pointer casting and initialization:
void*in calls tobpf_probe_read_userfor clarity and correctness inprobe_entry_SSL_read(openssl.h).Initialization logic fix:
eventCollectorWriteroutside of the error check in therunModulefunction inroot.go, ensuring it is always set when needed.