diff --git a/configure.ac b/configure.ac index 9f5198f25..5cb1be417 100644 --- a/configure.ac +++ b/configure.ac @@ -1679,12 +1679,6 @@ AC_ARG_WITH([se050], ] ) -# sniffer doesn't work in maxstrength mode -if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes" -then - AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.]) -fi - ENABLED_SNIFFTEST=no AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ], [ @@ -5245,8 +5239,6 @@ then ENABLED_ENCRYPT_THEN_MAC=yes fi -AS_IF([test "x$ENABLED_SNIFFER" = "xyes"],[ENABLED_ENCRYPT_THEN_MAC="no"]) - if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC" @@ -7099,7 +7091,7 @@ AS_IF([test "x$ENABLED_MCAPI" = "xyes"], if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \ test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \ test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \ - test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \ + test "$ENABLED_OPENSSLALL" = "yes" || \ test "$ENABLED_LIBWEBSOCKETS" = "yes" || \ test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \ test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" diff --git a/scripts/include.am b/scripts/include.am index 5e26f4a91..683e71cf7 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -87,7 +87,7 @@ noinst_SCRIPTS+= scripts/unit.test.in endif endif -EXTRA_DIST += scripts/testsuite.pcap \ +EXTRA_DIST += scripts/sniffer-static-rsa.pcap \ scripts/sniffer-ipv6.pcap \ scripts/sniffer-tls13-dh.pcap \ scripts/sniffer-tls13-dh-resume.pcap \ @@ -95,8 +95,8 @@ EXTRA_DIST += scripts/testsuite.pcap \ scripts/sniffer-tls13-ecc-resume.pcap \ scripts/sniffer-tls13-x25519.pcap \ scripts/sniffer-tls13-x25519-resume.pcap \ - scripts/sniffer-tls13-gen.sh \ scripts/sniffer-tls13-hrr.pcap \ + scripts/sniffer-gen.sh \ scripts/ping.test \ scripts/benchmark.test \ scripts/memtest.sh \ 
diff --git a/scripts/sniffer-tls13-gen.sh b/scripts/sniffer-gen.sh
similarity index 53%
rename from scripts/sniffer-tls13-gen.sh
rename to scripts/sniffer-gen.sh
index b2c54d457..c58352a36 100755
--- a/scripts/sniffer-tls13-gen.sh
+++ b/scripts/sniffer-gen.sh
@@ -1,72 +1,5 @@ #!/bin/bash -# Run these configures and the example server/client below -# Script to generate wireshark trace for sniffer-tls13-ecc.pcap -#./configure --enable-sniffer --enable-session-ticket && make - -# Script to generate wireshark trace for sniffer-tls13-dh.pcap -#./configure --enable-sniffer --enable-session-ticket --disable-ecc && make - -# Run: with dh or ecc -if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then - # TLS v1.3 - ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 & - ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 - ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 & - ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 - ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 & - ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 - - # TLS v1.3 Resumption - ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r & - ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r - ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r & - ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r - ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r & - ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -fi - -# Script to generate wireshark trace for sniffer-tls13-x25519.pcap -#./configure --enable-sniffer --enable-session-ticket --enable-curve25519 --disable-dh --disable-ecc && make -# Run: with x25519 -if [ "$1" == "x25519" ]; then - # TLS v1.3 - ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem - - ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A 
./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem - - ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem - - # TLS v1.3 Resumption - ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem - - ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem - - ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem & - sleep 0.1 - ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem -fi - -# TLS v1.3 Hello Retry Request (save this as sniffer-tls13-hrr.pcap) -# ./configure --enable-sniffer CFLAGS="-DWOLFSSL_SNIFFER_WATCH" --disable-dh && make - -# Run ./scripts/sniffer-tls13-gen.sh hrr -if [ "$1" == 
"hrr" ]; then - # TLS v1.3 Hello Retry Request - ./examples/server/server -v 4 -i -x -g & - sleep 0.1 -fi - # Run this script from the wolfSSL root if [ ! -f wolfssl/ssl.h ]; then echo "Run from the wolfssl root" @@ -137,14 +70,16 @@ run_sequence() { if [ "$1" == "hrr" ]; then # TLS v1.3 Hello Retry Request ./examples/server/server -v 4 -i -x -g & + server_pid=$! sleep 0.1 ./examples/client/client -v 4 -J + kill $server_pid fi sleep 1 } run_capture(){ - echo "configuring and building wolfssl..." + echo -e "\nconfiguring and building wolfssl..." ./configure --enable-sniffer $2 1>/dev/null || exit $? make 1>/dev/null || exit $? echo "starting capture" diff --git a/scripts/testsuite.pcap b/scripts/sniffer-static-rsa.pcap similarity index 100% rename from scripts/testsuite.pcap rename to scripts/sniffer-static-rsa.pcap diff --git a/scripts/sniffer-testsuite.test b/scripts/sniffer-testsuite.test index 3388be5ac..d0d520d74 100755 --- a/scripts/sniffer-testsuite.test +++ b/scripts/sniffer-testsuite.test @@ -12,6 +12,36 @@ if [ "${AM_BWRAPPED-}" != "yes" ]; then unset AM_BWRAPPED fi +has_tlsv13=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 ' +if [ $? -eq 0 ]; then + has_tlsv13=yes +fi +has_tlsv12=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 ' +if [ $? -eq 0 ]; then + has_tlsv12=yes +fi +has_rsa=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa ' +if [ $? -eq 0 ]; then + has_rsa=yes +fi +has_ecc=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc ' +if [ $? -eq 0 ]; then + has_ecc=yes +fi +has_x25519=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 ' +if [ $? -eq 0 ]; then + has_x25519=yes +fi +has_dh=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh ' +if [ $? -eq 0 ]; then + has_dh=yes +fi # ./configure --enable-sniffer [--enable-session-ticket] # Resumption tests require "--enable-session-ticket" session_ticket=no 
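Review bot: The new `kill $server_pid` in the `hrr` branch of run_sequence is unquoted and is not followed by a `wait`, so the script relies on the trailing `sleep 1` for the background server to release its port before the next sequence starts. I would write `kill "$server_pid" 2>/dev/null; wait "$server_pid" 2>/dev/null` so the server is reaped deterministically and a server that already exited does not produce an error. run_sequence begins outside this hunk, so whether the other branches leave servers running cannot be checked from here.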
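Review bot: Each of the six new feature probes re-runs `snifftest -?` and pipes it to a `grep` that is not silenced, so every matching feature line is echoed into the test log. Capturing the output once and testing it quietly reads better, for example `features=$(./sslSniffer/sslSnifferTest/snifftest -? 2>&1)` followed by `echo "$features" | grep -q -- 'tls_v13 ' && has_tlsv13=yes` for each token. The patterns are unanchored substrings, so a future feature token that ends in `rsa ` or `dh ` would also match; matching on a leading space as well would make the probes exact.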
@@ -19,94 +49,27 @@ session_ticket=no if [ $? -eq 0 ]; then session_ticket=yes fi -has_rsa=no -./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa ' +has_static_rsa=no +./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static ' if [ $? -eq 0 ]; then - has_rsa=yes + has_static_rsa=yes fi + + RESULT=0 -if test $session_ticket == yes +# TLS v1.2 Static RSA Test +if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes then - # TLS v1.2 Static RSA Test echo -e "\nStaring snifftest on testsuite.pcap...\n" - ./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111 + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111 RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1 + [ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1 fi -# TLS v1.3 sniffer test ECC -if test $RESULT -eq 0 -then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1 -fi - -# TLS v1.3 sniffer test DH -if test $RESULT -eq 0 -then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1 -fi - -# TLS v1.3 sniffer test X25519 -if test $RESULT -eq 0 -then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111 - - RESULT=$? 
- [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1 -fi - -# TLS v1.3 Resumption Tests -if test $session_ticket == yes -then - # TLS v1.3 sniffer test ECC resumption - if test $RESULT -eq 0 - then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1 - fi - - # TLS v1.3 sniffer test DH - if test $RESULT -eq 0 - then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1 - fi - - # TLS v1.3 sniffer test X25519 - if test $RESULT -eq 0 - then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1 - fi -fi - - -# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE -if test $RESULT -eq 0 -then - ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 - - RESULT=$? - [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1 -fi - - -# IPv6 -if test $RESULT -eq 0 && test "x$1" = "x-6"; +# TLS v1.2 Static RSA Test (IPv6) +if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes then echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n" ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111 
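Review bot: The progress message above the static RSA run still names `testsuite.pcap` although the command now reads `./scripts/sniffer-static-rsa.pcap`; I would change it to `echo -e "\nStarting snifftest on sniffer-static-rsa.pcap...\n"`. The same hunk drops the `test "x$1" = "x-6"` gate from the IPv6 case, so `sniffer-ipv6.pcap` is now replayed on every run that has static RSA and TLS 1.2; if snifftest can be built without IPv6 support this would fail where it used to be skipped, which is worth confirming. The operands in `test $has_rsa == yes` are unquoted, which is safe only while every variable is given a default earlier in the script.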
@@ -115,6 +78,69 @@ then [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1 fi +# TLS v1.3 sniffer test ECC +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test DH +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test X25519 +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x22519 == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test ECC resumption +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test DH +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111 + + RESULT=$? 
+ [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test X25519 +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1 +fi + +# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE +if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes +then + ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111 + + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1 +fi + echo -e "\nSuccess!\n" exit 0 diff --git a/src/internal.c b/src/internal.c index 8c1efa770..ba1b0f34e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15658,8 +15658,8 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, return ret; } -static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz, - int asyncOkay) +static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, + word16 sz, int asyncOkay) { int ret = 0; @@ -15690,10 +15690,10 @@ static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 /* make sure auth iv and auth are allocated */ if (ssl->encrypt.additional == NULL) ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES_BUFFER); + ssl->heap, DYNAMIC_TYPE_AES_BUFFER); if (ssl->encrypt.nonce == NULL) ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES_BUFFER); + ssl->heap, DYNAMIC_TYPE_AES_BUFFER); if (ssl->encrypt.additional == NULL || ssl->encrypt.nonce == NULL) { return MEMORY_E; 
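Review bot: The first X25519 condition reads `$has_x22519`, but the probe earlier in this file assigns `has_x25519`, so the unquoted expansion is empty, `test == yes` is a usage error, and the non-resumption X25519 capture is skipped without any failure being reported. It should read `test "$has_x25519" = yes`, the name the X25519 resumption case already uses. Separately, the probe greps for `x22519 `, which show_appinfo in snifftest.c emits under `#ifdef HAVE_CURVE22519`, while the library code in this commit tests `HAVE_CURVE25519`; that token is probably never printed, which would leave both X25519 cases disabled, so the spelling should be confirmed and fixed in snifftest.c as well. The two resumption cases also reuse the failure messages of the non-resumption cases, which makes a failing log ambiguous.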
@@ -15899,6 +15899,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, return ret; } +/* doAlert Generate alert on error (set to 0 for sniffer use cases) */ int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input, word16 sz, int doAlert) { @@ -15939,10 +15940,10 @@ int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input, /* make sure auth iv and auth are allocated */ if (ssl->decrypt.additional == NULL) ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ, - ssl->heap, DYNAMIC_TYPE_AES_BUFFER); + ssl->heap, DYNAMIC_TYPE_AES_BUFFER); if (ssl->decrypt.nonce == NULL) ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ, - ssl->heap, DYNAMIC_TYPE_AES_BUFFER); + ssl->heap, DYNAMIC_TYPE_AES_BUFFER); if (ssl->decrypt.additional == NULL || ssl->decrypt.nonce == NULL) { return MEMORY_E; diff --git a/src/sniffer.c b/src/sniffer.c index 3d8e9b876..2db0bef5c 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -102,7 +102,7 @@ #ifndef NO_DH #include #endif -#ifdef HAVE_ECC +#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) #include #endif #ifdef HAVE_CURVE25519 @@ -973,6 +973,7 @@ typedef struct TcpPseudoHdr { } TcpPseudoHdr; +#ifdef WOLFSSL_ENCRYPTED_KEYS /* Password Setting Callback */ static int SetPassword(char* passwd, int sz, int rw, void* userdata) { @@ -980,7 +981,7 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata) XSTRNCPY(passwd, (const char*)userdata, sz); return (int)XSTRLEN((const char*)userdata); } - +#endif /* Ethernet Header */ typedef struct EthernetHdr { @@ -2140,7 +2141,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo) pCipher = wolfSSL_get_cipher(session->sslServer); if (NULL != pCipher) { XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher, - sizeof(sslInfo->serverCipherSuiteName)); + sizeof(sslInfo->serverCipherSuiteName) - 1); sslInfo->serverCipherSuiteName [sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0'; } 
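Review bot: SetPassword, which this change only wraps in `#ifdef WOLFSSL_ENCRYPTED_KEYS`, returns `XSTRLEN(userdata)` even when the password is longer than `sz`, and `XSTRNCPY(passwd, (const char*)userdata, sz)` leaves `passwd` without a terminator in that case. A caller that trusts the returned length would then read beyond the buffer it supplied. I would reject an over-long password before copying, for example `if (sz <= 0 || XSTRLEN((const char*)userdata) >= (size_t)sz) return -1;`, assuming a negative return is how the caller detects a callback failure, and state the return convention in the function comment. The function begins in the previous hunk, so its first lines are not visible here.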
@@ -2148,7 +2149,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo) #ifdef HAVE_SNI if (NULL != session->sni) { XSTRNCPY((char*)sslInfo->serverNameIndication, - session->sni, sizeof(sslInfo->serverNameIndication)); + session->sni, sizeof(sslInfo->serverNameIndication) - 1); sslInfo->serverNameIndication [sizeof(sslInfo->serverNameIndication) - 1] = '\0'; } @@ -4445,27 +4446,32 @@ static int DoHandShake(const byte* input, int* sslBytes, case client_key_exchange: Trace(GOT_CLIENT_KEY_EX_STR); #ifdef HAVE_EXTENDED_MASTER - if (session->flags.expectEms && session->hash != NULL) { - if (HashCopy(session->sslServer->hsHashes, - session->hash) == 0 && - HashCopy(session->sslClient->hsHashes, - session->hash) == 0) { + #ifdef WOLFSSL_ASYNC_CRYPT + if (session->sslServer->error != WC_PENDING_E) + #endif + { + if (session->flags.expectEms && session->hash != NULL) { + if (HashCopy(session->sslServer->hsHashes, + session->hash) == 0 && + HashCopy(session->sslClient->hsHashes, + session->hash) == 0) { - session->sslServer->options.haveEMS = 1; - session->sslClient->options.haveEMS = 1; + session->sslServer->options.haveEMS = 1; + session->sslClient->options.haveEMS = 1; + } + else { + SetError(EXTENDED_MASTER_HASH_STR, error, + session, FATAL_ERROR_STATE); + ret = -1; + } + XMEMSET(session->hash, 0, sizeof(HsHashes)); + XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES); + session->hash = NULL; } else { - SetError(EXTENDED_MASTER_HASH_STR, error, - session, FATAL_ERROR_STATE); - ret = -1; + session->sslServer->options.haveEMS = 0; + session->sslClient->options.haveEMS = 0; } - XMEMSET(session->hash, 0, sizeof(HsHashes)); - XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES); - session->hash = NULL; - } - else { - session->sslServer->options.haveEMS = 0; - session->sslClient->options.haveEMS = 0; } #endif if (ret == 0) { 
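Review bot: The new `if (session->sslServer->error != WC_PENDING_E)` guard in the `client_key_exchange` case has no comment explaining why the extended-master-secret block must be skipped. Presumably on an async retry `session->hash` was already copied, freed and set to NULL on the first pass, so running the block again would fall into the `else` branch and clear `haveEMS`; if that is the reason, a comment such as `/* async retry: hash already consumed on first pass, keep haveEMS as set */` above the guard would save the next reader from reconstructing it. An `if` that exists only under `#ifdef WOLFSSL_ASYNC_CRYPT` in front of an unconditional brace block is also easy to misread, so the comment should mention that the braces are intentional. The case body continues outside this hunk.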
@@ -4520,7 +4526,12 @@ static const byte* DecryptMessage(WOLFSSL* ssl, const byte* input, word32 sz, else #endif { + XMEMCPY(&ssl->curRL, rh, RECORD_HEADER_SZ); ret = DecryptTls(ssl, output, input, sz, 0); + if (ssl->specs.cipher_type == aead) { + /* DecryptTls places the output at offset of 8 for explicit IV */ + output += AESGCM_EXP_IV_SZ; + } } #ifdef WOLFSSL_ASYNC_CRYPT /* for async the symmetric operations are blocking */ @@ -6188,8 +6199,8 @@ int ssl_DecodePacketWithSessionInfoStoreData(const unsigned char* packet, int ssl_DecodePacketWithChain(void* vChain, word32 chainSz, byte** data, char* error) { - return ssl_DecodePacketInternal(vChain, chainSz, 1, data, NULL, NULL, - error, 0); + return ssl_DecodePacketInternal((const byte*)vChain, chainSz, 1, data, + NULL, NULL, error, 0); } #endif diff --git a/src/ssl.c b/src/ssl.c index 1282c36e6..594a391e4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13695,20 +13695,20 @@ void AddSession(WOLFSSL* ssl) } #endif - #if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) - if (error == 0) { - word32 active = 0; +#if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) + if (error == 0) { + word32 active = 0; - error = get_locked_session_stats(&active, NULL, NULL); - if (error == WOLFSSL_SUCCESS) { - error = 0; /* back to this function ok */ + error = get_locked_session_stats(&active, NULL, NULL); + if (error == WOLFSSL_SUCCESS) { + error = 0; /* back to this function ok */ - if (PeakSessions < active) { - PeakSessions = active; - } + if (PeakSessions < active) { + PeakSessions = active; } } - #endif /* WOLFSSL_SESSION_STATS && WOLFSSL_PEAK_SESSIONS */ + } +#endif /* WOLFSSL_SESSION_STATS && WOLFSSL_PEAK_SESSIONS */ } 
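Review bot: The added `output += AESGCM_EXP_IV_SZ` in DecryptMessage runs for every suite with `cipher_type == aead`, and it runs even when `DecryptTls` returned an error. If an AEAD suite that carries no explicit per-record IV can reach this path (ChaCha20-Poly1305 under TLS 1.2 is the case to check), the returned pointer would skip the first 8 bytes of plaintext. Nothing visible in the hunk reduces the reported length by the same 8 bytes, so the caller could read past the decrypted data. I would apply the offset only after `ret == 0`, only for suites that actually use the explicit IV, and adjust the length in the same place; the rest of DecryptMessage lies outside the hunk, so part of this may already be handled there.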
@@ -13817,6 +13817,9 @@ static int get_locked_session_stats(word32* active, word32* total, word32* peak) WOLFSSL_ENTER("get_locked_session_stats"); +#ifndef ENABLE_SESSION_CACHE_ROW_LOCK + wc_LockMutex(&session_mutex); +#endif for (i = 0; i < SESSION_ROWS; i++) { SessionRow* row = &SessionCache[i]; #ifdef ENABLE_SESSION_CACHE_ROW_LOCK diff --git a/src/tls13.c b/src/tls13.c index de8a70794..8720845a9 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -2110,7 +2110,7 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output, * sz The length of the encrypted data plus authentication tag. * aad The additional authentication data. * aadSz The size of the addition authentication data. - * doAlert Generate alert on error (not for sniffer use cases) + * doAlert Generate alert on error (set to 0 for sniffer use cases) * returns 0 on success, otherwise failure. */ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index dccd177c4..43b6929f2 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -149,14 +149,16 @@ static const byte eccHash[] = { #endif -pcap_t* pcap = NULL; -pcap_if_t* alldevs = NULL; - +static pcap_t* pcap = NULL; +static pcap_if_t* alldevs = NULL; +static struct bpf_program pcap_fp; static void FreeAll(void) { - if (pcap) + if (pcap) { + pcap_freecode(&pcap_fp); pcap_close(pcap); + } if (alldevs) pcap_freealldevs(alldevs); #ifndef _WIN32 @@ -411,6 +413,9 @@ static void show_appinfo(void) #ifdef WOLFSSL_TLS13 "tls_v13 " #endif + #ifndef WOLFSSL_NO_TLS12 + "tls_v12 " + #endif #ifdef HAVE_SESSION_TICKET "session_ticket " #endif @@ -447,6 +452,12 @@ static void show_appinfo(void) #ifdef HAVE_CURVE22519 "x22519 " #endif + #ifdef WOLFSSL_STATIC_RSA + "rsa_static " + #endif + #ifdef WOLFSSL_STATIC_DH + "dh_static " + #endif "\n\n" ); } 
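Review bot: The added `wc_LockMutex(&session_mutex);` in get_locked_session_stats discards its return value, so a failed lock lets the loop read `SessionCache` unprotected. I would write `if (wc_LockMutex(&session_mutex) != 0) return BAD_MUTEX_E;`. The matching unlock is not visible in this hunk and must cover every return path. The function name suggests callers used to hold the lock themselves, and the AddSession hunk in this diff calls it, so it is worth confirming that no caller still holds `session_mutex` at the call, since taking a non-recursive mutex twice would deadlock.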
@@ -474,7 +485,6 @@ int main(int argc, char** argv) char keyFilesUser[MAX_FILENAME_SZ]; const char *server = NULL; const char *sniName = NULL; - struct bpf_program fp; pcap_if_t *d; pcap_addr_t *a; int isChain = 0; @@ -581,10 +591,10 @@ int main(int argc, char** argv) SNPRINTF(filter, sizeof(filter), "tcp and port %d", port); - ret = pcap_compile(pcap, &fp, filter, 0, 0); + ret = pcap_compile(pcap, &pcap_fp, filter, 0, 0); if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap)); - ret = pcap_setfilter(pcap, &fp); + ret = pcap_setfilter(pcap, &pcap_fp); if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap)); /* optionally enter the private key to use */ @@ -667,13 +677,13 @@ int main(int argc, char** argv) } /* Only let through TCP/IP packets */ - ret = pcap_compile(pcap, &fp, "(ip6 or ip) and tcp", 0, 0); + ret = pcap_compile(pcap, &pcap_fp, "(ip6 or ip) and tcp", 0, 0); if (ret != 0) { printf("pcap_compile failed %s\n", pcap_geterr(pcap)); exit(EXIT_FAILURE); } - ret = pcap_setfilter(pcap, &fp); + ret = pcap_setfilter(pcap, &pcap_fp); if (ret != 0) { printf("pcap_setfilter failed %s\n", pcap_geterr(pcap)); exit(EXIT_FAILURE); @@ -727,12 +737,11 @@ int main(int argc, char** argv) #else chain = (void*)packet; chainSz = header.caplen; - (void)isChain; #endif #ifdef WOLFSSL_ASYNC_CRYPT do { - WOLF_EVENT* events[1]; /* poll for single event */ + WOLF_EVENT* events[WOLF_ASYNC_MAX_PENDING]; int eventCount = 0; /* For async call the original API again with same data, @@ -786,6 +795,7 @@ int main(int argc, char** argv) break; /* we're done reading file */ } FreeAll(); + (void)isChain; return hadBadPacket ? EXIT_FAILURE : EXIT_SUCCESS; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index af4599732..83201e91a 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
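Review bot: At the first call site, a failing `pcap_compile(pcap, &pcap_fp, filter, 0, 0)` is only printed and execution continues into `pcap_setfilter` with a program that was never compiled, whereas the later call site with the `(ip6 or ip) and tcp` filter exits on failure. The two should agree: `if (ret != 0) { printf("pcap_compile failed %s\n", pcap_geterr(pcap)); exit(EXIT_FAILURE); }`, and the same for `pcap_setfilter`. Since `pcap_fp` is now file scope and released once in FreeAll, it is also worth confirming that the two `pcap_compile` calls are on mutually exclusive paths, because compiling into the same struct twice without `pcap_freecode` in between would leak the first program.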
@@ -3316,7 +3316,8 @@ int CheckBitString(const byte* input, word32* inOutIdx, int* len, (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || \ defined(OPENSSL_EXTRA))) || \ (defined(WC_ENABLE_ASYM_KEY_EXPORT) && !defined(NO_CERT)) || \ - (!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)) + (!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)) || \ + (!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)) /* Set the DER/BER encoding of the ASN.1 BIT STRING header. * @@ -12968,7 +12969,7 @@ static int SetCurve(ecc_key* key, byte* output) #ifdef HAVE_OID_ENCODING int ret; #endif - int idx = 0; + int idx; word32 oidSz = 0; /* validate key */ @@ -12985,7 +12986,12 @@ static int SetCurve(ecc_key* key, byte* output) oidSz = key->dp->oidSz; #endif - idx += SetObjectId(oidSz, output); + idx = SetObjectId(oidSz, output); + + /* length only */ + if (output == NULL) { + return idx + oidSz; + } #ifdef HAVE_OID_ENCODING ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz); @@ -21206,7 +21212,6 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen, word32 pubSz; byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */ byte algo[MAX_ALGO_SZ]; /* 20 */ - byte curve[MAX_ALGO_SZ]; /* 20 */ /* public size */ pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES; @@ -21219,7 +21224,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen, /* headers */ if (with_header) { - curveSz = SetCurve(key, curve); + curveSz = SetCurve(key, NULL); if (curveSz <= 0) { return curveSz; } @@ -21242,7 +21247,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen, idx += algoSz; /* curve */ if (output) - XMEMCPY(output + idx, curve, curveSz); + (void)SetCurve(key, output + idx); idx += curveSz; /* bit string */ if (output) diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index 284b6bc6a..4a5caeb2e 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c 
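Review bot: The write pass `(void)SetCurve(key, output + idx);` in SetEccPublicKey throws away the result, yet the SetCurve hunk in this diff shows that with `HAVE_OID_ENCODING` the non-NULL path goes on to call `EncodeObjectId`, which can presumably fail even though the length-only call succeeded. I would keep the check, `if (output) { curveSz = SetCurve(key, output + idx); if (curveSz <= 0) return curveSz; }`. The curve bytes are now written straight into the caller's buffer instead of being staged in a local array, so the `outLen` comparison has to include `curveSz` before this point; that comparison is outside the hunk and should be confirmed.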
@@ -4385,31 +4385,49 @@ int sp_init_multi(sp_int* n1, sp_int* n2, sp_int* n3, sp_int* n4, sp_int* n5, _sp_zero(n1); n1->dp[0] = 0; n1->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n1->raw); + #endif } if (n2 != NULL) { _sp_zero(n2); n2->dp[0] = 0; n2->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n2->raw); + #endif } if (n3 != NULL) { _sp_zero(n3); n3->dp[0] = 0; n3->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n3->raw); + #endif } if (n4 != NULL) { _sp_zero(n4); n4->dp[0] = 0; n4->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n4->raw); + #endif } if (n5 != NULL) { _sp_zero(n5); n5->dp[0] = 0; n5->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n5->raw); + #endif } if (n6 != NULL) { _sp_zero(n6); n6->dp[0] = 0; n6->size = SP_INT_DIGITS; + #ifdef HAVE_WOLF_BIGINT + wc_bigint_init(&n6->raw); + #endif } return MP_OKAY; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 9fb993b3b..10e40700c 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -16260,17 +16260,23 @@ static int dh_ffdhe_test(WC_RNG *rng, int name) } ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz); +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE); +#endif if (ret != MP_VAL && ret != MP_EXPTMOD_E) { ERROR_OUT(-8058, done); } ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2); - if (ret != MP_VAL && ret != MP_EXPTMOD_E) { +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE); +#endif + if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) { ERROR_OUT(-8057, done); } ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz); - if (ret != MP_VAL && ret != MP_EXPTMOD_E) { + if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) { ERROR_OUT(-8057, done); } 
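Review bot: The three checks in this negative test in dh_ffdhe_test now follow three different patterns: `wc_DhGenerateKeyPair` waits with `wc_AsyncWait` but does not accept `ASYNC_OP_E`, `wc_DhAgree` waits and accepts it, and `wc_DhCheckKeyPair` accepts it without waiting. Accepting `ASYNC_OP_E` also widens what counts as the expected failure, so a generic hardware or driver error would pass as if the invalid-key check had fired; a comment saying which async backend returns it for this input would justify that. If `wc_DhCheckKeyPair` cannot go asynchronous, I would drop `ASYNC_OP_E` from its condition. The last two checks both report `-8057`, so a failure cannot be attributed to one call; giving `wc_DhCheckKeyPair` its own code would fix that.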
@@ -23925,7 +23931,7 @@ static int ecc_test_custom_curves(WC_RNG* rng) #endif /* test use of custom curve - using BRAINPOOLP256R1 for test */ -#ifdef HAVE_ECC_BRAINPOOL +#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA) #ifndef WOLFSSL_ECC_CURVE_STATIC WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = { 0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07 @@ -23966,7 +23972,7 @@ static int ecc_test_custom_curves(WC_RNG* rng) XMEMSET(key, 0, sizeof *key); -#ifdef HAVE_ECC_BRAINPOOL +#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA) ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF, &ecc_dp_brainpool256r1); if (ret != 0) { diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index aec28a8db..5fad9b113 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -728,8 +728,8 @@ decouple library dependencies with standard string, memory and so on. #endif /* _MSC_VER */ #endif /* USE_WINDOWS_API */ - #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \ - || defined(HAVE_ALPN) + #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ + defined(HAVE_ALPN) || defined(WOLFSSL_SNIFFER) /* use only Thread Safe version of strtok */ #if defined(USE_WOLF_STRTOK) #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))