Sniffer asynchronous support.

* Adds stateful handling of DH shared secret computation in `SetupKeys`.
* Improved the decrypt handling to use internal functions and avoid generating alerts on failures.
* Fix for sniffer resume due to missing `sessionIDSz` broken in #4807.
* Fix sniffer test cases to split resume (session_ticket) tests.
* Add `snifftest` list of build features so test script can gate running resume test.
David Garske
2022-03-21 12:05:08 -07:00
parent c213c725d7
commit 29c120356e
20 changed files with 1409 additions and 865 deletions


@ -90,8 +90,11 @@ endif
EXTRA_DIST += scripts/testsuite.pcap \ EXTRA_DIST += scripts/testsuite.pcap \
scripts/sniffer-ipv6.pcap \ scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \ scripts/sniffer-tls13-dh.pcap \
scripts/sniffer-tls13-dh-resume.pcap \
scripts/sniffer-tls13-ecc.pcap \ scripts/sniffer-tls13-ecc.pcap \
scripts/sniffer-tls13-ecc-resume.pcap \
scripts/sniffer-tls13-x25519.pcap \ scripts/sniffer-tls13-x25519.pcap \
scripts/sniffer-tls13-x25519-resume.pcap \
scripts/sniffer-tls13-gen.sh \ scripts/sniffer-tls13-gen.sh \
scripts/sniffer-tls13-hrr.pcap \ scripts/sniffer-tls13-hrr.pcap \
scripts/ping.test \ scripts/ping.test \


@ -14,53 +14,99 @@ fi
# ./configure --enable-sniffer [--enable-session-ticket] # ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket" # Resumption tests require "--enable-session-ticket"
session_ticket=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'session_ticket '
if [ $? -eq 0 ]; then
session_ticket=yes
fi
has_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
if [ $? -eq 0 ]; then
has_rsa=yes
fi
RESULT=0
echo -e "\nStaring snifftest on testsuite.pcap...\n" if test $session_ticket == yes
./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111 then
# TLS v1.2 Static RSA Test
echo -e "\nStaring snifftest on testsuite.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC (and resumption) # TLS v1.3 sniffer test ECC
if test $# -ne 0 if test $RESULT -eq 0
then then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi fi
# TLS v1.3 sniffer test DH (and resumption) # TLS v1.3 sniffer test DH
if test $# -ne 0 if test $RESULT -eq 0
then then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi fi
# TLS v1.3 sniffer test X25519 (and resumption) # TLS v1.3 sniffer test X25519
if test $# -ne 0 if test $RESULT -eq 0
then then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 Resumption Tests
if test $session_ticket == yes
then
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
fi fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE # TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $# -ne 0 if test $RESULT -eq 0
then then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi fi
# IPv6 # IPv6
if test $# -ne 0 && test "x$1" = "x-6"; if test $RESULT -eq 0 && test "x$1" = "x-6";
then then
echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n" echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
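Review bot: The TLS v1.2 static RSA run on `testsuite.pcap` is now wrapped in `if test $session_ticket == yes`, while the `has_rsa` flag computed just above is never consulted in the lines shown, so a build without session tickets silently skips the static RSA coverage and a build without RSA still attempts it. If the capture really needs both features, the guard could read `if test "$has_rsa" = yes && test "$session_ticket" = yes`, with a one-line comment explaining the ticket dependency. The three resume runs also reuse the non-resume failure text (for example `snifftest TLS v1.3 ECC failed`), which makes a failing log ambiguous; adding `resume` to those messages would fix that. The script continues past the end of this hunk.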

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -66,5 +66,97 @@ if [ "$1" == "hrr" ]; then
./examples/server/server -v 4 -i -x -g & ./examples/server/server -v 4 -i -x -g &
sleep 0.1 sleep 0.1
./examples/client/client -v 4 -J # Run this script from the wolfSSL root
if [ ! -f wolfssl/ssl.h ]; then
echo "Run from the wolfssl root"
exit -1
fi fi
run_sequence() {
if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
fi
if [ "$1" == "dh-resume" ] || [ "$1" == "ecc-resume" ]; then
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r
fi
if [ "$1" == "x25519" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# Run: with x25519_resume
if [ "$1" == "x25519-resume" ]; then
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# TLS v1.3 Hello Retry Request
if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g &
sleep 0.1
./examples/client/client -v 4 -J
fi
sleep 1
}
run_capture(){
echo "configuring and building wolfssl..."
./configure --enable-sniffer $2 1>/dev/null || exit $?
make 1>/dev/null || exit $?
echo "starting capture"
tcpdump -i lo0 -nn port 11111 -w ./scripts/sniffer-tls13-$1.pcap &
tcpdump_pid=$!
run_sequence $1
kill $tcpdump_pid
}
run_capture "ecc" ""
run_capture "ecc-resume" "--enable-session-ticket"
run_capture "dh" "--disable-ecc"
run_capture "dh-resume" "--disable-ecc --enable-session-ticket"
run_capture "x25519" "--enable-curve25519 --disable-dh --disable-ecc"
run_capture "x25519-resume" "--enable-curve25519 --disable-dh --disable-ecc --enable-session-ticket"
run_capture "hrr" "--disable-dh CFLAGS=-DWOLFSSL_SNIFFER_WATCH"
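Review bot: `run_capture` sends `kill $tcpdump_pid` and returns without waiting for tcpdump to exit, and nothing in `run_sequence` checks the exit status of the client runs or that tcpdump started at all, so a failed handshake or a capture that could not open the interface still leaves a `.pcap` that looks like a valid test fixture. Following the kill with `wait $tcpdump_pid` and failing on a non-zero client status (for example `./examples/client/client ... || exit 1`) would keep incomplete captures out of the test set. The interface is hard-coded as `lo0`, which is the loopback name on macOS/BSD but not on Linux; a comment or an overridable variable would make that assumption explicit. `exit -1` is also outside the 0–255 range shells accept, so `exit 1` is the portable form.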

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -15876,8 +15876,8 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
return ret; return ret;
} }
static WC_INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input, int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz) word16 sz, int doAlert)
{ {
int ret = 0; int ret = 0;
@ -15996,12 +15996,13 @@ static WC_INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
/* handle mac error case */ /* handle mac error case */
if (ret == VERIFY_MAC_ERROR) { if (ret == VERIFY_MAC_ERROR) {
if (!ssl->options.dtls) if (!ssl->options.dtls && doAlert) {
SendAlert(ssl, alert_fatal, bad_record_mac); SendAlert(ssl, alert_fatal, bad_record_mac);
}
#ifdef WOLFSSL_DTLS_DROP_STATS #ifdef WOLFSSL_DTLS_DROP_STATS
if (ssl->options.dtls)
ssl->macDropCount++; ssl->macDropCount++;
#endif /* WOLFSSL_DTLS_DROP_STATS */ #endif /* WOLFSSL_DTLS_DROP_STATS */
} }
return ret; return ret;
@ -17149,10 +17150,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
if (ssl->options.startedETMRead) { if (ssl->options.startedETMRead) {
word32 digestSz = MacSize(ssl); word32 digestSz = MacSize(ssl);
ret = Decrypt(ssl, ret = DecryptTls(ssl,
in->buffer + in->idx, in->buffer + in->idx,
in->buffer + in->idx, in->buffer + in->idx,
ssl->curSize - (word16)digestSz); ssl->curSize - (word16)digestSz, 1);
if (ret == 0) { if (ret == 0) {
byte invalid = 0; byte invalid = 0;
byte padding = (byte)-1; byte padding = (byte)-1;
@ -17188,10 +17189,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
else else
#endif #endif
{ {
ret = Decrypt(ssl, ret = DecryptTls(ssl,
in->buffer + in->idx, in->buffer + in->idx,
in->buffer + in->idx, in->buffer + in->idx,
ssl->curSize); ssl->curSize, 1);
} }
#else #else
ret = DECRYPT_ERROR; ret = DECRYPT_ERROR;
@ -17204,7 +17205,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
in->buffer + in->idx, in->buffer + in->idx,
in->buffer + in->idx, in->buffer + in->idx,
ssl->curSize, ssl->curSize,
(byte*)&ssl->curRL, RECORD_HEADER_SZ); (byte*)&ssl->curRL, RECORD_HEADER_SZ, 1);
#else #else
ret = DECRYPT_ERROR; ret = DECRYPT_ERROR;
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
@ -26804,11 +26805,15 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
if (ssl->options.tls1_3) { if (ssl->options.tls1_3) {
XMEMCPY(ssl->session->sessionID, XMEMCPY(ssl->session->sessionID,
ssl->session->ticket + length - ID_LEN, ID_LEN); ssl->session->ticket + length - ID_LEN, ID_LEN);
ssl->session->sessionIDSz = ID_LEN;
} }
else else
#endif #endif
{
XMEMCPY(ssl->arrays->sessionID, XMEMCPY(ssl->arrays->sessionID,
ssl->session->ticket + length - ID_LEN, ID_LEN); ssl->session->ticket + length - ID_LEN, ID_LEN);
ssl->arrays->sessionIDSz = ID_LEN;
}
} }
return 0; return 0;
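Review bot: In the `SetTicket` hunk both copies read from `ssl->session->ticket + length - ID_LEN`, and the new `sessionIDSz = ID_LEN` assignments now mark the result as a full-length ID, but no check that `length >= ID_LEN` is visible here. If the part of `SetTicket` above this hunk does not already reject short tickets, a ticket shorter than `ID_LEN` would make the source pointer start before the ticket buffer. Wrapping the copy and the size assignment in `if (length >= ID_LEN) { ... }` (leaving `sessionIDSz` at 0 otherwise) would close that. The function body starts outside the hunk, so this needs confirming against the full source.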

File diff suppressed because it is too large Load Diff


@ -2106,10 +2106,11 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
* sz The length of the encrypted data plus authentication tag. * sz The length of the encrypted data plus authentication tag.
* aad The additional authentication data. * aad The additional authentication data.
* aadSz The size of the addition authentication data. * aadSz The size of the addition authentication data.
* doAlert Generate alert on error (not for sniffer use cases)
* returns 0 on success, otherwise failure. * returns 0 on success, otherwise failure.
*/ */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
const byte* aad, word16 aadSz) const byte* aad, word16 aadSz, int doAlert)
{ {
int ret = 0; int ret = 0;
word16 dataSz = sz - ssl->specs.aead_mac_size; word16 dataSz = sz - ssl->specs.aead_mac_size;
@ -2275,9 +2276,13 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
#ifndef WOLFSSL_EARLY_DATA #ifndef WOLFSSL_EARLY_DATA
if (ret < 0) { if (ret < 0) {
SendAlert(ssl, alert_fatal, bad_record_mac); if (doAlert) {
SendAlert(ssl, alert_fatal, bad_record_mac);
}
ret = VERIFY_MAC_ERROR; ret = VERIFY_MAC_ERROR;
} }
#else
(void)doAlert;
#endif #endif
return ret; return ret;
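Review bot: The header comment gains a `doAlert` line but still does not state that `sz` must be at least `ssl->specs.aead_mac_size`, even though `word16 dataSz = sz - ssl->specs.aead_mac_size;` wraps to a large value when it is smaller. Since the new flag exists for callers that decrypt without a live connection, the precondition is worth writing down, e.g. extending the `sz` line to `sz  The length of the encrypted data plus authentication tag; must be >= the AEAD tag size.` Whether every caller checks this before the call is not visible in this hunk. The comment could also mention that when `WOLFSSL_EARLY_DATA` is defined `doAlert` is ignored and this block sends no alert.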


@ -27,6 +27,8 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/types.h> #include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/logging.h> #include <wolfssl/wolfcrypt/logging.h>
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/version.h>
#ifdef WOLFSSL_SNIFFER_STORE_DATA_CB #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
#include <wolfssl/wolfcrypt/memory.h> #include <wolfssl/wolfcrypt/memory.h>
@ -382,6 +384,80 @@ static void TrimNewLine(char* str)
str[strSz-1] = '\0'; str[strSz-1] = '\0';
} }
static void show_appinfo(void)
{
printf("snifftest %s\n", LIBWOLFSSL_VERSION_STRING);
/* list enabled sniffer features */
printf("sniffer features: "
#ifdef WOLFSSL_SNIFFER_STATS
"stats, "
#endif
#ifdef WOLFSSL_SNIFFER_WATCH
"watch, "
#endif
#ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
"store_data_cb "
#endif
#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
"chain_input "
#endif
#ifdef WOLFSSL_SNIFFER_KEY_CALLBACK
"key_callback "
#endif
#ifdef DEBUG_SNIFFER
"debug "
#endif
#ifdef WOLFSSL_TLS13
"tls_v13 "
#endif
#ifdef HAVE_SESSION_TICKET
"session_ticket "
#endif
#ifdef WOLFSSL_STATIC_EPHEMERAL
"static_ephemeral "
#endif
#ifdef WOLFSSL_ENCRYPTED_KEYS
"encrypted_keys "
#endif
#ifdef HAVE_SNI
"sni "
#endif
#ifdef HAVE_EXTENDED_MASTER
"extended_master "
#endif
#ifdef HAVE_MAX_FRAGMENT
"max fragment "
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
"async_crypt "
#endif
#ifndef NO_RSA
"rsa "
#endif
#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)
"dh "
#endif
#ifdef HAVE_ECC
"ecc "
#endif
#ifdef HAVE_CURVE448
"x448 "
#endif
#ifdef HAVE_CURVE22519
"x22519 "
#endif
"\n\n"
);
}
static void show_usage(void)
{
printf("usage:\n");
printf("\t./snifftest\n");
printf("\t\tprompts for options\n");
printf("\t./snifftest dump pemKey [server] [port] [password]\n");
}
int main(int argc, char** argv) int main(int argc, char** argv)
{ {
int ret = 0; int ret = 0;
@ -401,11 +477,15 @@ int main(int argc, char** argv)
struct bpf_program fp; struct bpf_program fp;
pcap_if_t *d; pcap_if_t *d;
pcap_addr_t *a; pcap_addr_t *a;
int isChain = 0;
int j;
#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
struct iovec chain[CHAIN_INPUT_COUNT]; struct iovec chains[CHAIN_INPUT_COUNT];
int chainSz; unsigned int remainder;
#endif #endif
show_appinfo();
signal(SIGINT, sig_handler); signal(SIGINT, sig_handler);
#ifndef _WIN32 #ifndef _WIN32
@ -601,9 +681,7 @@ int main(int argc, char** argv)
} }
} }
else { else {
/* usage error */ show_usage();
printf( "usage: ./snifftest or ./snifftest dump pemKey"
" [server] [port] [password]\n");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
@ -618,9 +696,11 @@ int main(int argc, char** argv)
struct pcap_pkthdr header; struct pcap_pkthdr header;
const unsigned char* packet = pcap_next(pcap, &header); const unsigned char* packet = pcap_next(pcap, &header);
SSLInfo sslInfo; SSLInfo sslInfo;
void* chain = NULL;
int chainSz = 0;
packetNumber++; packetNumber++;
if (packet) { if (packet) {
byte* data = NULL; byte* data = NULL;
if (header.caplen > 40) { /* min ip(20) + min tcp(20) */ if (header.caplen > 40) { /* min ip(20) + min tcp(20) */
@ -629,45 +709,69 @@ int main(int argc, char** argv)
} }
else else
continue; continue;
#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
{ isChain = 1;
unsigned int j = 0; j = 0;
unsigned int remainder = header.caplen; remainder = header.caplen;
chainSz = 0;
chainSz = 0; do {
do { unsigned int chunkSz = min(remainder, CHAIN_INPUT_CHUNK_SIZE);
unsigned int chunkSz; chains[chainSz].iov_base = (void*)(packet + j);
chains[chainSz].iov_len = chunkSz;
chunkSz = min(remainder, CHAIN_INPUT_CHUNK_SIZE); j += chunkSz;
chain[chainSz].iov_base = (void*)(packet + j); remainder -= chunkSz;
chain[chainSz].iov_len = chunkSz; chainSz++;
j += chunkSz; } while (j < (int)header.caplen);
remainder -= chunkSz; chain = (void*)chains;
chainSz++; #else
} while (j < header.caplen); chain = (void*)packet;
} chainSz = header.caplen;
(void)isChain;
#endif #endif
#if defined(WOLFSSL_SNIFFER_CHAIN_INPUT) && \ #ifdef WOLFSSL_ASYNC_CRYPT
defined(WOLFSSL_SNIFFER_STORE_DATA_CB) do {
WOLF_EVENT* events[1]; /* poll for single event */
int eventCount = 0;
/* For async call the original API again with same data,
* or call with different sessions for multiple concurrent
* stream processing */
ret = ssl_DecodePacketAsync(chain, chainSz, isChain, &data, err,
&sslInfo, NULL);
if (ret == WC_PENDING_E) {
if (ssl_PollSniffer(events, 1, WOLF_POLL_FLAG_CHECK_HW,
&eventCount) != 0) {
break;
}
}
} while (ret == WC_PENDING_E);
#elif defined(WOLFSSL_SNIFFER_CHAIN_INPUT) && \
defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
ret = ssl_DecodePacketWithChainSessionInfoStoreData(chain, chainSz, ret = ssl_DecodePacketWithChainSessionInfoStoreData(chain, chainSz,
&data, &sslInfo, err); &data, &sslInfo, err);
#elif defined(WOLFSSL_SNIFFER_CHAIN_INPUT) #elif defined(WOLFSSL_SNIFFER_CHAIN_INPUT)
(void)sslInfo; (void)sslInfo;
ret = ssl_DecodePacketWithChain(chain, chainSz, &data, err); ret = ssl_DecodePacketWithChain(chain, chainSz, &data, err);
#elif defined(WOLFSSL_SNIFFER_STORE_DATA_CB) #else
#if defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
ret = ssl_DecodePacketWithSessionInfoStoreData(packet, ret = ssl_DecodePacketWithSessionInfoStoreData(packet,
header.caplen, &data, &sslInfo, err); header.caplen, &data, &sslInfo, err);
#else #else
ret = ssl_DecodePacketWithSessionInfo(packet, header.caplen, &data, ret = ssl_DecodePacketWithSessionInfo(packet, header.caplen, &data,
&sslInfo, err); &sslInfo, err);
#endif
(void)chain;
(void)chainSz;
#endif #endif
if (ret < 0) { if (ret < 0) {
printf("ssl_Decode ret = %d, %s\n", ret, err); printf("ssl_Decode ret = %d, %s\n", ret, err);
hadBadPacket = 1; hadBadPacket = 1;
} }
if (ret > 0) { if (ret > 0) {
int j;
/* Convert non-printable data to periods. */ /* Convert non-printable data to periods. */
for (j = 0; j < ret; j++) { for (j = 0; j < ret; j++) {
if (isprint(data[j]) || isspace(data[j])) continue; if (isprint(data[j]) || isspace(data[j])) continue;
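Review bot: In `show_appinfo` the last feature guard is spelled `#ifdef HAVE_CURVE22519` and prints `"x22519 "`; the wolfSSL macro is `HAVE_CURVE25519`, so this entry can never appear, and because the test script now greps this list to decide which tests to run, the names need to be exact: `#ifdef HAVE_CURVE25519` with `"x25519 "`. The list is also inconsistent in form (`"stats, "` and `"watch, "` carry commas, `"max fragment "` contains a space), which makes whole-word matching fragile. Separately, the chunking loop in `main` writes `chains[chainSz]` with no comparison against `CHAIN_INPUT_COUNT`; if a captured packet can need more chunks than the array holds, that write runs past the stack array, so the loop should stop and report the packet once `chainSz` reaches `CHAIN_INPUT_COUNT`. `main` starts and ends outside these hunks.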


@ -205,7 +205,7 @@ int wolfEventQueue_Poll(WOLF_EVENT_QUEUE* queue, void* context_filter,
} }
#endif #endif
/* itterate event queue */ /* iterrate event queue */
for (event = queue->head; event != NULL; event = event->next) for (event = queue->head; event != NULL; event = event->next)
{ {
/* optional filter based on context */ /* optional filter based on context */
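Review bot: The corrected comment is still misspelled, since `iterrate` should be `iterate`. Suggested line: `/* iterate event queue */`.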


@ -1760,9 +1760,14 @@ WOLFSSL_LOCAL int HashInput(WOLFSSL* ssl, const byte* input, int sz);
WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl); WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl);
#endif #endif
#endif #endif
WOLFSSL_LOCAL int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz, int doAlert);
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
WOLFSSL_LOCAL int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, WOLFSSL_LOCAL int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
word16 sz, const byte* aad, word16 aadSz); word16 sz, const byte* aad, word16 aadSz,
int doAlert);
WOLFSSL_LOCAL int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, WOLFSSL_LOCAL int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input,
word32* inOutIdx, byte type, word32* inOutIdx, byte type,
word32 size, word32 totalSz); word32 size, word32 totalSz);
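Review bot: The new `DecryptTls` prototype has no comment on `doAlert`, although the function is no longer `static` and the flag decides whether a MAC failure produces a fatal `bad_record_mac` alert. A short comment above both prototypes, e.g. `/* doAlert: non-zero sends a fatal bad_record_mac alert on MAC failure; pass 0 only when decrypting passively */`, would keep a future live-connection caller from passing 0 and silently dropping the alert.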


@ -27,6 +27,11 @@
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/asn_public.h> #include <wolfssl/wolfcrypt/asn_public.h>
#ifdef HAVE_WOLF_EVENT
#include <wolfssl/wolfcrypt/wolfevent.h>
#endif
#ifdef _WIN32 #ifdef _WIN32
#ifdef SSL_SNIFFER_EXPORTS #ifdef SSL_SNIFFER_EXPORTS
#define SSL_SNIFFER_API __declspec(dllexport) #define SSL_SNIFFER_API __declspec(dllexport)
@ -119,9 +124,13 @@ SSL_SNIFFER_API int ssl_GetSessionStats(unsigned int* active,
unsigned int* reassemblyMemory, unsigned int* reassemblyMemory,
char* error); char* error);
WOLFSSL_API void ssl_InitSniffer(void); WOLFSSL_API
SSL_SNIFFER_API void ssl_InitSniffer(void);
WOLFSSL_API
SSL_SNIFFER_API void ssl_InitSniffer_ex(int devId);
WOLFSSL_API void ssl_FreeSniffer(void); WOLFSSL_API
SSL_SNIFFER_API void ssl_FreeSniffer(void);
/* ssl_SetPrivateKey typeKs */ /* ssl_SetPrivateKey typeKs */
@ -270,6 +279,21 @@ SSL_SNIFFER_API int ssl_DecodePacketWithChainSessionInfoStoreData(
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT
WOLFSSL_API
SSL_SNIFFER_API int ssl_DecodePacketAsync(void* packet, unsigned int packetSz,
int isChain, unsigned char** data, char* error, SSLInfo* sslInfo,
void* userCtx);
WOLFSSL_API
SSL_SNIFFER_API int ssl_PollSniffer(WOLF_EVENT** events, int maxEvents,
WOLF_EVENT_FLAG flags, int* eventCount);
#endif /* WOLFSSL_ASYNC_CRYPT */
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */
#endif #endif
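Review bot: `ssl_DecodePacketAsync` takes `void* packet` plus an `isChain` flag and carries no comment, so the header does not say that the pointer and `packetSz` change meaning with the flag. From the `snifftest` usage in this commit it appears that with `isChain` set the pointer is a `struct iovec` array and `packetSz` is the number of entries, otherwise a raw packet and its byte length; a mismatch would make the decoder read the buffer with the wrong layout. A doc comment stating this, that `WC_PENDING_E` means calling again with the same data after `ssl_PollSniffer`, and what `userCtx` is for, would make the API usable safely from the header alone. The declarations now also carry both `WOLFSSL_API` and `SSL_SNIFFER_API`; if both expand to a `__declspec` on Windows, that combination is worth a build check.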


@ -91,6 +91,11 @@ enum {
WC_FFDHE_8192 = 260, WC_FFDHE_8192 = 260,
}; };
/* DH Private Key size up to 8192 bit */
#ifndef WC_DH_PRIV_MAX_SZ
#define WC_DH_PRIV_MAX_SZ 52
#endif
#ifdef HAVE_PUBLIC_FFDHE #ifdef HAVE_PUBLIC_FFDHE
#ifdef HAVE_FFDHE_2048 #ifdef HAVE_FFDHE_2048
WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void); WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void);
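Review bot: The comment `/* DH Private Key size up to 8192 bit */` sits on a value of 52, which reads as a contradiction unless the reader already knows the unit. Presumably 52 is the private exponent length in bytes for groups up to 8192 bits; if so, `/* Max DH private key size in bytes (for FFDHE groups up to 8192 bits) */` says that directly. Because the macro can be overridden at build time, any fixed buffer sized with it should still check the actual key length before copying; the code that uses it is not shown on this page.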


@ -24,7 +24,7 @@
*/ */
/* /*
DESCRIPTION DESCRIPTION
This library defines error codes and contians routines for setting and examining This library defines error codes and contains routines for setting and examining
the error status. the error status.
*/ */


@ -904,6 +904,7 @@ decouple library dependencies with standard string, memory and so on.
DYNAMIC_TYPE_SNIFFER_PB_BUFFER = 1003, DYNAMIC_TYPE_SNIFFER_PB_BUFFER = 1003,
DYNAMIC_TYPE_SNIFFER_TICKET_ID = 1004, DYNAMIC_TYPE_SNIFFER_TICKET_ID = 1004,
DYNAMIC_TYPE_SNIFFER_NAMED_KEY = 1005, DYNAMIC_TYPE_SNIFFER_NAMED_KEY = 1005,
DYNAMIC_TYPE_SNIFFER_KEY = 1006,
}; };
/* max error buffer string size */ /* max error buffer string size */