wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 03:34:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5036 from dgarske/sniffer

Browse Source 
Fixes for minor sniffer and async issues
This commit is contained in:
John Safranek
2022-04-22 12:24:33 -07:00
committed by GitHub
parent 4a4b019e30 cb1dbb75f8
commit bf16696d8c
14 changed files with 227 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
configure.ac
View File

@@ -1679,12 +1679,6 @@ AC_ARG_WITH([se050],
]
)
# sniffer doesn't work in maxstrength mode
if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
then
AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
fi
ENABLED_SNIFFTEST=no
AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ],
[
@@ -5245,8 +5239,6 @@ then
ENABLED_ENCRYPT_THEN_MAC=yes
fi
AS_IF([test "x$ENABLED_SNIFFER" = "xyes"],[ENABLED_ENCRYPT_THEN_MAC="no"])
if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
@@ -7099,7 +7091,7 @@ AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"

4
scripts/include.am
View File

@@ -87,7 +87,7 @@ noinst_SCRIPTS+= scripts/unit.test.in
endif
endif
EXTRA_DIST += scripts/testsuite.pcap \
EXTRA_DIST += scripts/sniffer-static-rsa.pcap \
scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \
scripts/sniffer-tls13-dh-resume.pcap \
@@ -95,8 +95,8 @@ EXTRA_DIST += scripts/testsuite.pcap \
scripts/sniffer-tls13-ecc-resume.pcap \
scripts/sniffer-tls13-x25519.pcap \
scripts/sniffer-tls13-x25519-resume.pcap \
scripts/sniffer-tls13-gen.sh \
scripts/sniffer-tls13-hrr.pcap \
scripts/sniffer-gen.sh \
scripts/ping.test \
scripts/benchmark.test \
scripts/memtest.sh \

71
scripts/sniffer-tls13-gen.sh → scripts/sniffer-gen.sh
View File

@@ -1,72 +1,5 @@
#!/bin/bash
# Run these configures and the example server/client below
# Script to generate wireshark trace for sniffer-tls13-ecc.pcap
#./configure --enable-sniffer --enable-session-ticket && make
# Script to generate wireshark trace for sniffer-tls13-dh.pcap
#./configure --enable-sniffer --enable-session-ticket --disable-ecc && make
# Run: with dh or ecc
if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r
fi
# Script to generate wireshark trace for sniffer-tls13-x25519.pcap
#./configure --enable-sniffer --enable-session-ticket --enable-curve25519 --disable-dh --disable-ecc && make
# Run: with x25519
if [ "$1" == "x25519" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# TLS v1.3 Hello Retry Request (save this as sniffer-tls13-hrr.pcap)
# ./configure --enable-sniffer CFLAGS="-DWOLFSSL_SNIFFER_WATCH" --disable-dh && make
# Run ./scripts/sniffer-tls13-gen.sh hrr
if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g &
sleep 0.1
fi
# Run this script from the wolfSSL root
if [ ! -f wolfssl/ssl.h ]; then
echo "Run from the wolfssl root"
@@ -137,14 +70,16 @@ run_sequence() {
if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g &
server_pid=$!
sleep 0.1
./examples/client/client -v 4 -J
kill $server_pid
fi
sleep 1
}
run_capture(){
echo "configuring and building wolfssl..."
echo -e "\nconfiguring and building wolfssl..."
./configure --enable-sniffer $2 1>/dev/null || exit $?
make 1>/dev/null || exit $?
echo "starting capture"

0
scripts/testsuite.pcap → scripts/sniffer-static-rsa.pcap
View File

182
scripts/sniffer-testsuite.test
View File

@@ -12,6 +12,36 @@ if [ "${AM_BWRAPPED-}" != "yes" ]; then
unset AM_BWRAPPED
fi
has_tlsv13=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
if [ $? -eq 0 ]; then
has_tlsv13=yes
fi
has_tlsv12=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
if [ $? -eq 0 ]; then
has_tlsv12=yes
fi
has_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
if [ $? -eq 0 ]; then
has_rsa=yes
fi
has_ecc=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
if [ $? -eq 0 ]; then
has_ecc=yes
fi
has_x25519=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
if [ $? -eq 0 ]; then
has_x25519=yes
fi
has_dh=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
if [ $? -eq 0 ]; then
has_dh=yes
fi
# ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket"
session_ticket=no
@@ -19,94 +49,27 @@ session_ticket=no
if [ $? -eq 0 ]; then
session_ticket=yes
fi
has_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
has_static_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
if [ $? -eq 0 ]; then
has_rsa=yes
has_static_rsa=yes
fi
RESULT=0
if test $session_ticket == yes
# TLS v1.2 Static RSA Test
if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
# TLS v1.2 Static RSA Test
echo -e "\nStaring snifftest on testsuite.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
[ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 Resumption Tests
if test $session_ticket == yes
then
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi
# IPv6
if test $RESULT -eq 0 && test "x$1" = "x-6";
# TLS v1.2 Static RSA Test (IPv6)
if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
@@ -115,6 +78,69 @@ then
[ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x22519 == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi
echo -e "\nSuccess!\n"
exit 0

13
src/internal.c
View File

@@ -15658,8 +15658,8 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
return ret;
}
static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz,
int asyncOkay)
static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
word16 sz, int asyncOkay)
{
int ret = 0;
@@ -15690,10 +15690,10 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16
/* make sure auth iv and auth are allocated */
if (ssl->encrypt.additional == NULL)
ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
if (ssl->encrypt.nonce == NULL)
ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
if (ssl->encrypt.additional == NULL ||
ssl->encrypt.nonce == NULL) {
return MEMORY_E;
@@ -15899,6 +15899,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
return ret;
}
/* doAlert Generate alert on error (set to 0 for sniffer use cases) */
int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz, int doAlert)
{
@@ -15939,10 +15940,10 @@ int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
/* make sure auth iv and auth are allocated */
if (ssl->decrypt.additional == NULL)
ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
if (ssl->decrypt.nonce == NULL)
ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
if (ssl->decrypt.additional == NULL ||
ssl->decrypt.nonce == NULL) {
return MEMORY_E;

57
src/sniffer.c
View File

@@ -102,7 +102,7 @@
#ifndef NO_DH
#include <wolfssl/wolfcrypt/dh.h>
#endif
#ifdef HAVE_ECC
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
#include <wolfssl/wolfcrypt/ecc.h>
#endif
#ifdef HAVE_CURVE25519
@@ -973,6 +973,7 @@ typedef struct TcpPseudoHdr {
} TcpPseudoHdr;
#ifdef WOLFSSL_ENCRYPTED_KEYS
/* Password Setting Callback */
static int SetPassword(char* passwd, int sz, int rw, void* userdata)
{
@@ -980,7 +981,7 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata)
XSTRNCPY(passwd, (const char*)userdata, sz);
return (int)XSTRLEN((const char*)userdata);
}
#endif
/* Ethernet Header */
typedef struct EthernetHdr {
@@ -2140,7 +2141,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
pCipher = wolfSSL_get_cipher(session->sslServer);
if (NULL != pCipher) {
XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher,
sizeof(sslInfo->serverCipherSuiteName));
sizeof(sslInfo->serverCipherSuiteName) - 1);
sslInfo->serverCipherSuiteName
[sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0';
}
@@ -2148,7 +2149,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
#ifdef HAVE_SNI
if (NULL != session->sni) {
XSTRNCPY((char*)sslInfo->serverNameIndication,
session->sni, sizeof(sslInfo->serverNameIndication));
session->sni, sizeof(sslInfo->serverNameIndication) - 1);
sslInfo->serverNameIndication
[sizeof(sslInfo->serverNameIndication) - 1] = '\0';
}
@@ -4445,27 +4446,32 @@ static int DoHandShake(const byte* input, int* sslBytes,
case client_key_exchange:
Trace(GOT_CLIENT_KEY_EX_STR);
#ifdef HAVE_EXTENDED_MASTER
if (session->flags.expectEms && session->hash != NULL) {
if (HashCopy(session->sslServer->hsHashes,
session->hash) == 0 &&
HashCopy(session->sslClient->hsHashes,
session->hash) == 0) {
#ifdef WOLFSSL_ASYNC_CRYPT
if (session->sslServer->error != WC_PENDING_E)
#endif
{
if (session->flags.expectEms && session->hash != NULL) {
if (HashCopy(session->sslServer->hsHashes,
session->hash) == 0 &&
HashCopy(session->sslClient->hsHashes,
session->hash) == 0) {
session->sslServer->options.haveEMS = 1;
session->sslClient->options.haveEMS = 1;
session->sslServer->options.haveEMS = 1;
session->sslClient->options.haveEMS = 1;
}
else {
SetError(EXTENDED_MASTER_HASH_STR, error,
session, FATAL_ERROR_STATE);
ret = -1;
}
XMEMSET(session->hash, 0, sizeof(HsHashes));
XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
session->hash = NULL;
}
else {
SetError(EXTENDED_MASTER_HASH_STR, error,
session, FATAL_ERROR_STATE);
ret = -1;
session->sslServer->options.haveEMS = 0;
session->sslClient->options.haveEMS = 0;
}
XMEMSET(session->hash, 0, sizeof(HsHashes));
XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
session->hash = NULL;
}
else {
session->sslServer->options.haveEMS = 0;
session->sslClient->options.haveEMS = 0;
}
#endif
if (ret == 0) {
@@ -4520,7 +4526,12 @@ static const byte* DecryptMessage(WOLFSSL* ssl, const byte* input, word32 sz,
else
#endif
{
XMEMCPY(&ssl->curRL, rh, RECORD_HEADER_SZ);
ret = DecryptTls(ssl, output, input, sz, 0);
if (ssl->specs.cipher_type == aead) {
/* DecryptTls places the output at offset of 8 for explicit IV */
output += AESGCM_EXP_IV_SZ;
}
}
#ifdef WOLFSSL_ASYNC_CRYPT
/* for async the symmetric operations are blocking */
@@ -6188,8 +6199,8 @@ int ssl_DecodePacketWithSessionInfoStoreData(const unsigned char* packet,
int ssl_DecodePacketWithChain(void* vChain, word32 chainSz, byte** data,
char* error)
{
return ssl_DecodePacketInternal(vChain, chainSz, 1, data, NULL, NULL,
error, 0);
return ssl_DecodePacketInternal((const byte*)vChain, chainSz, 1, data,
NULL, NULL, error, 0);
}
#endif

23
src/ssl.c
View File

@@ -13695,20 +13695,20 @@ void AddSession(WOLFSSL* ssl)
}
#endif
#if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS)
if (error == 0) {
word32 active = 0;
#if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS)
if (error == 0) {
word32 active = 0;
error = get_locked_session_stats(&active, NULL, NULL);
if (error == WOLFSSL_SUCCESS) {
error = 0; /* back to this function ok */
error = get_locked_session_stats(&active, NULL, NULL);
if (error == WOLFSSL_SUCCESS) {
error = 0; /* back to this function ok */
if (PeakSessions < active) {
PeakSessions = active;
}
if (PeakSessions < active) {
PeakSessions = active;
}
}
#endif /* WOLFSSL_SESSION_STATS && WOLFSSL_PEAK_SESSIONS */
}
#endif /* WOLFSSL_SESSION_STATS && WOLFSSL_PEAK_SESSIONS */
}
@@ -13817,6 +13817,9 @@ static int get_locked_session_stats(word32* active, word32* total, word32* peak)
WOLFSSL_ENTER("get_locked_session_stats");
#ifndef ENABLE_SESSION_CACHE_ROW_LOCK
wc_LockMutex(&session_mutex);
#endif
for (i = 0; i < SESSION_ROWS; i++) {
SessionRow* row = &SessionCache[i];
#ifdef ENABLE_SESSION_CACHE_ROW_LOCK

2
src/tls13.c
View File

@@ -2110,7 +2110,7 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
* sz The length of the encrypted data plus authentication tag.
* aad The additional authentication data.
* aadSz The size of the addition authentication data.
* doAlert Generate alert on error (not for sniffer use cases)
* doAlert Generate alert on error (set to 0 for sniffer use cases)
* returns 0 on success, otherwise failure.
*/
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,

32
sslSniffer/sslSnifferTest/snifftest.c
View File

@@ -149,14 +149,16 @@ static const byte eccHash[] = {
#endif
pcap_t* pcap = NULL;
pcap_if_t* alldevs = NULL;
static pcap_t* pcap = NULL;
static pcap_if_t* alldevs = NULL;
static struct bpf_program pcap_fp;
static void FreeAll(void)
{
if (pcap)
if (pcap) {
pcap_freecode(&pcap_fp);
pcap_close(pcap);
}
if (alldevs)
pcap_freealldevs(alldevs);
#ifndef _WIN32
@@ -411,6 +413,9 @@ static void show_appinfo(void)
#ifdef WOLFSSL_TLS13
"tls_v13 "
#endif
#ifndef WOLFSSL_NO_TLS12
"tls_v12 "
#endif
#ifdef HAVE_SESSION_TICKET
"session_ticket "
#endif
@@ -447,6 +452,12 @@ static void show_appinfo(void)
#ifdef HAVE_CURVE22519
"x22519 "
#endif
#ifdef WOLFSSL_STATIC_RSA
"rsa_static "
#endif
#ifdef WOLFSSL_STATIC_DH
"dh_static "
#endif
"\n\n"
);
}
@@ -474,7 +485,6 @@ int main(int argc, char** argv)
char keyFilesUser[MAX_FILENAME_SZ];
const char *server = NULL;
const char *sniName = NULL;
struct bpf_program fp;
pcap_if_t *d;
pcap_addr_t *a;
int isChain = 0;
@@ -581,10 +591,10 @@ int main(int argc, char** argv)
SNPRINTF(filter, sizeof(filter), "tcp and port %d", port);
ret = pcap_compile(pcap, &fp, filter, 0, 0);
ret = pcap_compile(pcap, &pcap_fp, filter, 0, 0);
if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap));
ret = pcap_setfilter(pcap, &fp);
ret = pcap_setfilter(pcap, &pcap_fp);
if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
/* optionally enter the private key to use */
@@ -667,13 +677,13 @@ int main(int argc, char** argv)
}
/* Only let through TCP/IP packets */
ret = pcap_compile(pcap, &fp, "(ip6 or ip) and tcp", 0, 0);
ret = pcap_compile(pcap, &pcap_fp, "(ip6 or ip) and tcp", 0, 0);
if (ret != 0) {
printf("pcap_compile failed %s\n", pcap_geterr(pcap));
exit(EXIT_FAILURE);
}
ret = pcap_setfilter(pcap, &fp);
ret = pcap_setfilter(pcap, &pcap_fp);
if (ret != 0) {
printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
exit(EXIT_FAILURE);
@@ -727,12 +737,11 @@ int main(int argc, char** argv)
#else
chain = (void*)packet;
chainSz = header.caplen;
(void)isChain;
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
do {
WOLF_EVENT* events[1]; /* poll for single event */
WOLF_EVENT* events[WOLF_ASYNC_MAX_PENDING];
int eventCount = 0;
/* For async call the original API again with same data,
@@ -786,6 +795,7 @@ int main(int argc, char** argv)
break; /* we're done reading file */
}
FreeAll();
(void)isChain;
return hadBadPacket ? EXIT_FAILURE : EXIT_SUCCESS;
}

17
wolfcrypt/src/asn.c
View File

@@ -3316,7 +3316,8 @@ int CheckBitString(const byte* input, word32* inOutIdx, int* len,
(defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || \
defined(OPENSSL_EXTRA))) || \
(defined(WC_ENABLE_ASYM_KEY_EXPORT) && !defined(NO_CERT)) || \
(!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN))
(!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)) || \
(!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA))
/* Set the DER/BER encoding of the ASN.1 BIT STRING header.
*
@@ -12968,7 +12969,7 @@ static int SetCurve(ecc_key* key, byte* output)
#ifdef HAVE_OID_ENCODING
int ret;
#endif
int idx = 0;
int idx;
word32 oidSz = 0;
/* validate key */
@@ -12985,7 +12986,12 @@ static int SetCurve(ecc_key* key, byte* output)
oidSz = key->dp->oidSz;
#endif
idx += SetObjectId(oidSz, output);
idx = SetObjectId(oidSz, output);
/* length only */
if (output == NULL) {
return idx + oidSz;
}
#ifdef HAVE_OID_ENCODING
ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
@@ -21206,7 +21212,6 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
word32 pubSz;
byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */
byte algo[MAX_ALGO_SZ]; /* 20 */
byte curve[MAX_ALGO_SZ]; /* 20 */
/* public size */
pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES;
@@ -21219,7 +21224,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
/* headers */
if (with_header) {
curveSz = SetCurve(key, curve);
curveSz = SetCurve(key, NULL);
if (curveSz <= 0) {
return curveSz;
}
@@ -21242,7 +21247,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
idx += algoSz;
/* curve */
if (output)
XMEMCPY(output + idx, curve, curveSz);
(void)SetCurve(key, output + idx);
idx += curveSz;
/* bit string */
if (output)

18
wolfcrypt/src/sp_int.c
View File

@@ -4385,31 +4385,49 @@ int sp_init_multi(sp_int* n1, sp_int* n2, sp_int* n3, sp_int* n4, sp_int* n5,
_sp_zero(n1);
n1->dp[0] = 0;
n1->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n1->raw);
#endif
}
if (n2 != NULL) {
_sp_zero(n2);
n2->dp[0] = 0;
n2->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n2->raw);
#endif
}
if (n3 != NULL) {
_sp_zero(n3);
n3->dp[0] = 0;
n3->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n3->raw);
#endif
}
if (n4 != NULL) {
_sp_zero(n4);
n4->dp[0] = 0;
n4->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n4->raw);
#endif
}
if (n5 != NULL) {
_sp_zero(n5);
n5->dp[0] = 0;
n5->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n5->raw);
#endif
}
if (n6 != NULL) {
_sp_zero(n6);
n6->dp[0] = 0;
n6->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n6->raw);
#endif
}
return MP_OKAY;

14
wolfcrypt/test/test.c
View File

@@ -16260,17 +16260,23 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
}
ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
#if defined(WOLFSSL_ASYNC_CRYPT)
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
ERROR_OUT(-8058, done);
}
ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
#if defined(WOLFSSL_ASYNC_CRYPT)
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
ERROR_OUT(-8057, done);
}
ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
ERROR_OUT(-8057, done);
}
@@ -23925,7 +23931,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
#endif
/* test use of custom curve - using BRAINPOOLP256R1 for test */
#ifdef HAVE_ECC_BRAINPOOL
#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
#ifndef WOLFSSL_ECC_CURVE_STATIC
WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
@@ -23966,7 +23972,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
XMEMSET(key, 0, sizeof *key);
#ifdef HAVE_ECC_BRAINPOOL
#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
&ecc_dp_brainpool256r1);
if (ret != 0) {

4
wolfssl/wolfcrypt/types.h
View File

@@ -728,8 +728,8 @@ decouple library dependencies with standard string, memory and so on.
#endif /* _MSC_VER */
#endif /* USE_WINDOWS_API */
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \
|| defined(HAVE_ALPN)
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
defined(HAVE_ALPN) || defined(WOLFSSL_SNIFFER)
/* use only Thread Safe version of strtok */
#if defined(USE_WOLF_STRTOK)
#define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))