diff --git a/src/sniffer.c b/src/sniffer.c
index bcc6cd6ba..4c71725b7 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -362,7 +362,11 @@ static const char* const msgTable[] =
     "Loading chain input",
     "Got encrypted extension",
     "Got Hello Retry Request",
+
+    /* 96 */ "Setting up keys",
+    "Unsupported TLS Version",
+    "Server Client Key Mismatch",
 };
@@ -552,6 +556,9 @@ typedef struct SnifferSession {
     void* userCtx;
     word32 pendSeq; /* when WC_PENDING_E is returned capture sequence */
 #endif
+    int error; /* store the last set error number */
+    byte verboseErr; /* Last set error is helpful and should
+                      * not be overwritten by FATAL_ERROR_STATE */
 } SnifferSession;
@@ -1330,6 +1337,8 @@ static void SetError(int idx, char* error, SnifferSession* session, int fatal)
 {
     GetError(idx, error);
     TraceError(idx, error);
+    if (session)
+        session->error = idx;
     if (session && fatal == FATAL_ERROR_STATE)
         session->flags.fatalError = 1;
 }
@@ -1805,6 +1814,10 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
         ServerList = sniffer;
     }
+#ifndef WOLFSSL_STATIC_EPHEMERAL
+    (void)isEphemeralKey;
+#endif
+
     return 0;
 }
@@ -3028,11 +3041,13 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
         if (SetCipherSpecs(session->sslServer) != 0) {
             SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+            session->verboseErr = 1;
             ret = -1;
             break;
         }
         if (SetCipherSpecs(session->sslClient) != 0) {
             SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+            session->verboseErr = 1;
             ret = -1;
             break;
         }
@@ -3106,6 +3121,9 @@ exit_sk:
 #else
     FreeSetupKeysArgs(ssl, args);
 #endif
+#ifndef WOLFSSL_STATIC_EPHEMERAL
+    (void)ctx;
+#endif
     return ret;
 }
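Review bot: msgTable is indexed by the numeric values in sniffer_error.h, so its length has to be kept in step with the highest define by hand; the new `/* 96 */` marker documents that but does not enforce it, and this hunk appears to repair exactly that kind of drift (96 already exists in the header as a context line while the table and the .rc file only gain it now). If the build allows C11, a check placed right after the table would catch the next slip at compile time: `_Static_assert(sizeof(msgTable) / sizeof(msgTable[0]) == KEY_MISMATCH_STR + 1, "msgTable out of sync with sniffer_error.h");`. The table definition starts outside the hunk.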
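Review bot: The comment on the new `error` member does not say which numbering it holds or when it is reset; from the SetError and CreateSession hunks in this commit it is the sniffer_error.h index of the most recent SetError() call made with a non-NULL session, and 0 until the first one. Suggest `int error; /* sniffer_error.h index of the last SetError() for this session, 0 if none */`. The struct definition begins outside the hunk.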
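Review bot: Every fatal SetError() call in this commit is followed by a separate `session->verboseErr = 1;` (the SetupKeys hunk below, then the DoResume, ProcessServerHello and DoHandShake hunks), which is easy to omit at the next call site and then silently reverts that path to the generic fatal message. Since SetError already receives the session, consider carrying the flag inside it, for example a small wrapper `static void SetVerboseError(int idx, char* error, SnifferSession* session, int fatal)` that calls SetError and sets `session->verboseErr = 1`, or an extra parameter, so the two writes cannot drift apart. Note also that `session->error = idx` is written for non-fatal calls as well, so the member records the last error rather than the fatal one; worth stating in the member comment if that is intended.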
@@ -3426,11 +3444,13 @@ static int DoResume(SnifferSession* session, char* error)
 #endif
     if (SetCipherSpecs(session->sslServer) != 0) {
         SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+        session->verboseErr = 1;
         return -1;
     }
     if (SetCipherSpecs(session->sslClient) != 0) {
         SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+        session->verboseErr = 1;
         return -1;
     }
@@ -3685,6 +3705,21 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
         }
     }
+    if (IsAtLeastTLSv1_3(session->sslServer->version)) {
+#ifndef WOLFSSL_TLS13
+        SetError(UNSUPPORTED_TLS_VER_STR, error, session, FATAL_ERROR_STATE);
+        session->verboseErr = 1;
+        return -1;
+#endif
+    }
+    else {
+#ifdef WOLFSSL_NO_TLS12
+        SetError(UNSUPPORTED_TLS_VER_STR, error, session, FATAL_ERROR_STATE);
+        session->verboseErr = 1;
+        return -1;
+#endif
+    }
+
 #ifdef HAVE_EXTENDED_MASTER
     if (!session->flags.expectEms) {
         XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
@@ -3771,7 +3806,8 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
         return ret;
     }
 #endif
-    SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
+    SetError(KEY_MISMATCH_STR, error, session, FATAL_ERROR_STATE);
+    session->verboseErr = 1;
     return ret;
 }
@@ -4461,6 +4497,7 @@ static int DoHandShake(const byte* input, int* sslBytes,
             Trace(GOT_SERVER_KEY_EX_STR);
             /* can't know temp key passively */
             SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+            session->verboseErr = 1;
             ret = -1;
             break;
         case encrypted_extensions:
@@ -4525,8 +4562,10 @@ static int DoHandShake(const byte* input, int* sslBytes,
                 if (ret == WC_PENDING_E)
                     return ret;
 #endif
-                if (ret != 0)
-                    SetError(GOT_CLIENT_KEY_EX_STR, error, session, FATAL_ERROR_STATE);
+                if (ret != 0) {
+                    SetError(KEY_MISMATCH_STR, error, session, FATAL_ERROR_STATE);
+                    session->verboseErr = 1;
+                }
             }
             break;
         case certificate_verify:
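Review bot: In the configuration where WOLFSSL_TLS13 is defined and WOLFSSL_NO_TLS12 is not, both arms of the new if/else in ProcessServerHello are preprocessed away and the statement reduces to an empty `if (...) { } else { }`, which reads like a missing body to the next maintainer. Wrapping the whole block in `#if !defined(WOLFSSL_TLS13) || defined(WOLFSSL_NO_TLS12)` … `#endif`, with a one-line comment that a negotiated version this build cannot decrypt is refused before any key material is derived for it, keeps the gate only in builds where it can fire. The gate itself is a sound defensive check; the function continues outside the hunk.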
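Review bot: The ProcessServerHello tail now reports `KEY_MISMATCH_STR` unconditionally, but `ret` is produced above the hunk inside an #ifdef region whose conditions are not visible here; if any path other than a failed server/client key match can reach that line, the text "Server Client Key Mismatch" will send the operator after the wrong cause. The same applies to the client_key_exchange case in the second DoHandShake hunk, where every non-zero `ret` now becomes a key mismatch. A one-line comment on each site naming the condition it stands for would make the claim checkable, e.g. `/* no configured private key matched this server's key exchange */` if that is in fact the only way here.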
@@ -4964,6 +5003,8 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
     session->cliExpected = 1; /* relative */
     session->lastUsed= wc_Time(NULL);
     session->keySz = 0;
+    session->error = 0;
+    session->verboseErr = 0;
 #ifdef HAVE_SNI
     session->sni = NULL;
 #endif
@@ -6334,7 +6375,9 @@ static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
 {
     if (session && session->flags.fatalError == FATAL_ERROR_STATE) {
         RemoveSession(session, ipInfo, tcpInfo, 0);
-        SetError(FATAL_ERROR_STR, error, NULL, 0);
+        if (!session->verboseErr) {
+            SetError(FATAL_ERROR_STR, error, NULL, 0);
+        }
         return 1;
     }
     return 0;
diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c
index 92b7fc6ee..e5062cd31 100644
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -363,7 +363,7 @@ static int load_key(const char* name, const char* server, int port,
     if (loadCount == 0) {
         printf("Failed loading private key %s: ret %d\n", keyFile, ret);
-        printf("Please run directly from sslSniffer/sslSnifferTest dir\n");
+        printf("Please run directly from wolfSSL root dir\n");
         ret = -1;
     }
     else {
diff --git a/wolfssl/sniffer_error.h b/wolfssl/sniffer_error.h
index 387f3de3f..37c55f374 100644
--- a/wolfssl/sniffer_error.h
+++ b/wolfssl/sniffer_error.h
@@ -138,7 +138,10 @@
 #define CHAIN_INPUT_STR 93
 #define GOT_ENC_EXT_STR 94
 #define GOT_HELLO_RETRY_REQ_STR 95
+
 #define SNIFFER_KEY_SETUP_STR 96
+#define UNSUPPORTED_TLS_VER_STR 97
+#define KEY_MISMATCH_STR 98
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
diff --git a/wolfssl/sniffer_error.rc b/wolfssl/sniffer_error.rc
index 863a37551..113aee594 100644
--- a/wolfssl/sniffer_error.rc
+++ b/wolfssl/sniffer_error.rc
@@ -114,5 +114,8 @@ STRINGTABLE
     93, "Loading chain input"
     94, "Got encrypted extension"
     95, "Got Hello Retry Request"
+    96, "Setting up keys"
+    97, "Unsupported TLS Version"
+    98, "Server Client Key Mismatch"
 }
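Review bot: In RemoveFatalSession, `session->verboseErr` is read on the line after `RemoveSession(session, ipInfo, tcpInfo, 0)`; if RemoveSession releases the session (its name suggests so, and its body is outside the hunk), that read is a use-after-free, and a block that has already been reallocated could flip the decision about printing the generic message. Capture the flag before the call, `int verbose = session->verboseErr;`, and then test `if (!verbose) {`. Since `session->error` and `verboseErr` go away with the session here, anything that wants the stored error code must read it before this point.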