wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 20:24:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5036 from dgarske/sniffer

Browse Source 
Fixes for minor sniffer and async issues
This commit is contained in:
John Safranek
2022-04-22 12:24:33 -07:00
committed by GitHub
parent 4a4b019e30 cb1dbb75f8
commit bf16696d8c
14 changed files with 227 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
configure.ac
View File

@@ -1679,12 +1679,6 @@ AC_ARG_WITH([se050],
] ]
) )
# sniffer doesn't work in maxstrength mode
if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
then
AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
fi
ENABLED_SNIFFTEST=no ENABLED_SNIFFTEST=no
AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ], AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ],
[ [
@@ -5245,8 +5239,6 @@ then
ENABLED_ENCRYPT_THEN_MAC=yes ENABLED_ENCRYPT_THEN_MAC=yes
fi fi
AS_IF([test "x$ENABLED_SNIFFER" = "xyes"],[ENABLED_ENCRYPT_THEN_MAC="no"])
if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes" if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
then then
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC" AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
@@ -7099,7 +7091,7 @@ AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \ test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \ test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \ test "$ENABLED_OPENSSLALL" = "yes" || \
test "$ENABLED_LIBWEBSOCKETS" = "yes" || \ test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \ test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"

4
scripts/include.am
View File

@@ -87,7 +87,7 @@ noinst_SCRIPTS+= scripts/unit.test.in
endif endif
endif endif
EXTRA_DIST += scripts/testsuite.pcap \ EXTRA_DIST += scripts/sniffer-static-rsa.pcap \
scripts/sniffer-ipv6.pcap \ scripts/sniffer-ipv6.pcap \
scripts/sniffer-tls13-dh.pcap \ scripts/sniffer-tls13-dh.pcap \
scripts/sniffer-tls13-dh-resume.pcap \ scripts/sniffer-tls13-dh-resume.pcap \
@@ -95,8 +95,8 @@ EXTRA_DIST += scripts/testsuite.pcap \
scripts/sniffer-tls13-ecc-resume.pcap \ scripts/sniffer-tls13-ecc-resume.pcap \
scripts/sniffer-tls13-x25519.pcap \ scripts/sniffer-tls13-x25519.pcap \
scripts/sniffer-tls13-x25519-resume.pcap \ scripts/sniffer-tls13-x25519-resume.pcap \
scripts/sniffer-tls13-gen.sh \
scripts/sniffer-tls13-hrr.pcap \ scripts/sniffer-tls13-hrr.pcap \
scripts/sniffer-gen.sh \
scripts/ping.test \ scripts/ping.test \
scripts/benchmark.test \ scripts/benchmark.test \
scripts/memtest.sh \ scripts/memtest.sh \

71
scripts/sniffer-tls13-gen.sh → scripts/sniffer-gen.sh
View File

@@ -1,72 +1,5 @@
#!/bin/bash #!/bin/bash
# Run these configures and the example server/client below
# Script to generate wireshark trace for sniffer-tls13-ecc.pcap
#./configure --enable-sniffer --enable-session-ticket && make
# Script to generate wireshark trace for sniffer-tls13-dh.pcap
#./configure --enable-sniffer --enable-session-ticket --disable-ecc && make
# Run: with dh or ecc
if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r
fi
# Script to generate wireshark trace for sniffer-tls13-x25519.pcap
#./configure --enable-sniffer --enable-session-ticket --enable-curve25519 --disable-dh --disable-ecc && make
# Run: with x25519
if [ "$1" == "x25519" ]; then
# TLS v1.3
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
# TLS v1.3 Resumption
./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
sleep 0.1
./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
fi
# TLS v1.3 Hello Retry Request (save this as sniffer-tls13-hrr.pcap)
# ./configure --enable-sniffer CFLAGS="-DWOLFSSL_SNIFFER_WATCH" --disable-dh && make
# Run ./scripts/sniffer-tls13-gen.sh hrr
if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g &
sleep 0.1
fi
# Run this script from the wolfSSL root # Run this script from the wolfSSL root
if [ ! -f wolfssl/ssl.h ]; then if [ ! -f wolfssl/ssl.h ]; then
echo "Run from the wolfssl root" echo "Run from the wolfssl root"
@@ -137,14 +70,16 @@ run_sequence() {
if [ "$1" == "hrr" ]; then if [ "$1" == "hrr" ]; then
# TLS v1.3 Hello Retry Request # TLS v1.3 Hello Retry Request
./examples/server/server -v 4 -i -x -g & ./examples/server/server -v 4 -i -x -g &
server_pid=$!
sleep 0.1 sleep 0.1
./examples/client/client -v 4 -J ./examples/client/client -v 4 -J
kill $server_pid
fi fi
sleep 1 sleep 1
} }
run_capture(){ run_capture(){
echo "configuring and building wolfssl..." echo -e "\nconfiguring and building wolfssl..."
./configure --enable-sniffer $2 1>/dev/null || exit $? ./configure --enable-sniffer $2 1>/dev/null || exit $?
make 1>/dev/null || exit $? make 1>/dev/null || exit $?
echo "starting capture" echo "starting capture"

0
scripts/testsuite.pcap → scripts/sniffer-static-rsa.pcap
View File

182
scripts/sniffer-testsuite.test
View File

@@ -12,6 +12,36 @@ if [ "${AM_BWRAPPED-}" != "yes" ]; then
unset AM_BWRAPPED unset AM_BWRAPPED
fi fi
has_tlsv13=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
if [ $? -eq 0 ]; then
has_tlsv13=yes
fi
has_tlsv12=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
if [ $? -eq 0 ]; then
has_tlsv12=yes
fi
has_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
if [ $? -eq 0 ]; then
has_rsa=yes
fi
has_ecc=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
if [ $? -eq 0 ]; then
has_ecc=yes
fi
has_x25519=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
if [ $? -eq 0 ]; then
has_x25519=yes
fi
has_dh=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
if [ $? -eq 0 ]; then
has_dh=yes
fi
# ./configure --enable-sniffer [--enable-session-ticket] # ./configure --enable-sniffer [--enable-session-ticket]
# Resumption tests require "--enable-session-ticket" # Resumption tests require "--enable-session-ticket"
session_ticket=no session_ticket=no
@@ -19,94 +49,27 @@ session_ticket=no
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
session_ticket=yes session_ticket=yes
fi fi
has_rsa=no has_static_rsa=no
./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa ' ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
has_rsa=yes has_static_rsa=yes
fi fi
RESULT=0 RESULT=0
if test $session_ticket == yes
then
# TLS v1.2 Static RSA Test # TLS v1.2 Static RSA Test
if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
echo -e "\nStaring snifftest on testsuite.pcap...\n" echo -e "\nStaring snifftest on testsuite.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
fi fi
# TLS v1.3 sniffer test ECC # TLS v1.2 Static RSA Test (IPv6)
if test $RESULT -eq 0 if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 Resumption Tests
if test $session_ticket == yes
then
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $RESULT -eq 0
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi
# IPv6
if test $RESULT -eq 0 && test "x$1" = "x-6";
then then
echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n" echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111 ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
@@ -115,6 +78,69 @@ then
[ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1 [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
fi fi
# TLS v1.3 sniffer test ECC
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x22519 == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test ECC resumption
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
fi
# TLS v1.3 sniffer test DH
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
fi
# TLS v1.3 sniffer test X25519
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
fi
# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
then
./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
fi
echo -e "\nSuccess!\n" echo -e "\nSuccess!\n"
exit 0 exit 0

5
src/internal.c
View File

@@ -15658,8 +15658,8 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
return ret; return ret;
} }
static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input, word16 sz, static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
int asyncOkay) word16 sz, int asyncOkay)
{ {
int ret = 0; int ret = 0;
@@ -15899,6 +15899,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
return ret; return ret;
} }
/* doAlert Generate alert on error (set to 0 for sniffer use cases) */
int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input, int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
word16 sz, int doAlert) word16 sz, int doAlert)
{ {

23
src/sniffer.c
View File

@@ -102,7 +102,7 @@
#ifndef NO_DH #ifndef NO_DH
#include <wolfssl/wolfcrypt/dh.h> #include <wolfssl/wolfcrypt/dh.h>
#endif #endif
#ifdef HAVE_ECC #if defined(HAVE_ECC) || defined(HAVE_CURVE25519)
#include <wolfssl/wolfcrypt/ecc.h> #include <wolfssl/wolfcrypt/ecc.h>
#endif #endif
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
@@ -973,6 +973,7 @@ typedef struct TcpPseudoHdr {
} TcpPseudoHdr; } TcpPseudoHdr;
#ifdef WOLFSSL_ENCRYPTED_KEYS
/* Password Setting Callback */ /* Password Setting Callback */
static int SetPassword(char* passwd, int sz, int rw, void* userdata) static int SetPassword(char* passwd, int sz, int rw, void* userdata)
{ {
@@ -980,7 +981,7 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata)
XSTRNCPY(passwd, (const char*)userdata, sz); XSTRNCPY(passwd, (const char*)userdata, sz);
return (int)XSTRLEN((const char*)userdata); return (int)XSTRLEN((const char*)userdata);
} }
#endif
/* Ethernet Header */ /* Ethernet Header */
typedef struct EthernetHdr { typedef struct EthernetHdr {
@@ -2140,7 +2141,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
pCipher = wolfSSL_get_cipher(session->sslServer); pCipher = wolfSSL_get_cipher(session->sslServer);
if (NULL != pCipher) { if (NULL != pCipher) {
XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher, XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher,
sizeof(sslInfo->serverCipherSuiteName)); sizeof(sslInfo->serverCipherSuiteName) - 1);
sslInfo->serverCipherSuiteName sslInfo->serverCipherSuiteName
[sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0'; [sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0';
} }
@@ -2148,7 +2149,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
#ifdef HAVE_SNI #ifdef HAVE_SNI
if (NULL != session->sni) { if (NULL != session->sni) {
XSTRNCPY((char*)sslInfo->serverNameIndication, XSTRNCPY((char*)sslInfo->serverNameIndication,
session->sni, sizeof(sslInfo->serverNameIndication)); session->sni, sizeof(sslInfo->serverNameIndication) - 1);
sslInfo->serverNameIndication sslInfo->serverNameIndication
[sizeof(sslInfo->serverNameIndication) - 1] = '\0'; [sizeof(sslInfo->serverNameIndication) - 1] = '\0';
} }
@@ -4445,6 +4446,10 @@ static int DoHandShake(const byte* input, int* sslBytes,
case client_key_exchange: case client_key_exchange:
Trace(GOT_CLIENT_KEY_EX_STR); Trace(GOT_CLIENT_KEY_EX_STR);
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
#ifdef WOLFSSL_ASYNC_CRYPT
if (session->sslServer->error != WC_PENDING_E)
#endif
{
if (session->flags.expectEms && session->hash != NULL) { if (session->flags.expectEms && session->hash != NULL) {
if (HashCopy(session->sslServer->hsHashes, if (HashCopy(session->sslServer->hsHashes,
session->hash) == 0 && session->hash) == 0 &&
@@ -4467,6 +4472,7 @@ static int DoHandShake(const byte* input, int* sslBytes,
session->sslServer->options.haveEMS = 0; session->sslServer->options.haveEMS = 0;
session->sslClient->options.haveEMS = 0; session->sslClient->options.haveEMS = 0;
} }
}
#endif #endif
if (ret == 0) { if (ret == 0) {
/* TODO: Add async reentry support here */ /* TODO: Add async reentry support here */
@@ -4520,7 +4526,12 @@ static const byte* DecryptMessage(WOLFSSL* ssl, const byte* input, word32 sz,
else else
#endif #endif
{ {
XMEMCPY(&ssl->curRL, rh, RECORD_HEADER_SZ);
ret = DecryptTls(ssl, output, input, sz, 0); ret = DecryptTls(ssl, output, input, sz, 0);
if (ssl->specs.cipher_type == aead) {
/* DecryptTls places the output at offset of 8 for explicit IV */
output += AESGCM_EXP_IV_SZ;
}
} }
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* for async the symmetric operations are blocking */ /* for async the symmetric operations are blocking */
@@ -6188,8 +6199,8 @@ int ssl_DecodePacketWithSessionInfoStoreData(const unsigned char* packet,
int ssl_DecodePacketWithChain(void* vChain, word32 chainSz, byte** data, int ssl_DecodePacketWithChain(void* vChain, word32 chainSz, byte** data,
char* error) char* error)
{ {
return ssl_DecodePacketInternal(vChain, chainSz, 1, data, NULL, NULL, return ssl_DecodePacketInternal((const byte*)vChain, chainSz, 1, data,
error, 0); NULL, NULL, error, 0);
} }
#endif #endif

3
src/ssl.c
View File

@@ -13817,6 +13817,9 @@ static int get_locked_session_stats(word32* active, word32* total, word32* peak)
WOLFSSL_ENTER("get_locked_session_stats"); WOLFSSL_ENTER("get_locked_session_stats");
#ifndef ENABLE_SESSION_CACHE_ROW_LOCK
wc_LockMutex(&session_mutex);
#endif
for (i = 0; i < SESSION_ROWS; i++) { for (i = 0; i < SESSION_ROWS; i++) {
SessionRow* row = &SessionCache[i]; SessionRow* row = &SessionCache[i];
#ifdef ENABLE_SESSION_CACHE_ROW_LOCK #ifdef ENABLE_SESSION_CACHE_ROW_LOCK

2
src/tls13.c
View File

@@ -2110,7 +2110,7 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
* sz The length of the encrypted data plus authentication tag. * sz The length of the encrypted data plus authentication tag.
* aad The additional authentication data. * aad The additional authentication data.
* aadSz The size of the addition authentication data. * aadSz The size of the addition authentication data.
* doAlert Generate alert on error (not for sniffer use cases) * doAlert Generate alert on error (set to 0 for sniffer use cases)
* returns 0 on success, otherwise failure. * returns 0 on success, otherwise failure.
*/ */
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,

32
sslSniffer/sslSnifferTest/snifftest.c
View File

@@ -149,14 +149,16 @@ static const byte eccHash[] = {
#endif #endif
pcap_t* pcap = NULL; static pcap_t* pcap = NULL;
pcap_if_t* alldevs = NULL; static pcap_if_t* alldevs = NULL;
static struct bpf_program pcap_fp;
static void FreeAll(void) static void FreeAll(void)
{ {
if (pcap) if (pcap) {
pcap_freecode(&pcap_fp);
pcap_close(pcap); pcap_close(pcap);
}
if (alldevs) if (alldevs)
pcap_freealldevs(alldevs); pcap_freealldevs(alldevs);
#ifndef _WIN32 #ifndef _WIN32
@@ -411,6 +413,9 @@ static void show_appinfo(void)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
"tls_v13 " "tls_v13 "
#endif #endif
#ifndef WOLFSSL_NO_TLS12
"tls_v12 "
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
"session_ticket " "session_ticket "
#endif #endif
@@ -447,6 +452,12 @@ static void show_appinfo(void)
#ifdef HAVE_CURVE22519 #ifdef HAVE_CURVE22519
"x22519 " "x22519 "
#endif #endif
#ifdef WOLFSSL_STATIC_RSA
"rsa_static "
#endif
#ifdef WOLFSSL_STATIC_DH
"dh_static "
#endif
"\n\n" "\n\n"
); );
} }
@@ -474,7 +485,6 @@ int main(int argc, char** argv)
char keyFilesUser[MAX_FILENAME_SZ]; char keyFilesUser[MAX_FILENAME_SZ];
const char *server = NULL; const char *server = NULL;
const char *sniName = NULL; const char *sniName = NULL;
struct bpf_program fp;
pcap_if_t *d; pcap_if_t *d;
pcap_addr_t *a; pcap_addr_t *a;
int isChain = 0; int isChain = 0;
@@ -581,10 +591,10 @@ int main(int argc, char** argv)
SNPRINTF(filter, sizeof(filter), "tcp and port %d", port); SNPRINTF(filter, sizeof(filter), "tcp and port %d", port);
ret = pcap_compile(pcap, &fp, filter, 0, 0); ret = pcap_compile(pcap, &pcap_fp, filter, 0, 0);
if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap)); if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap));
ret = pcap_setfilter(pcap, &fp); ret = pcap_setfilter(pcap, &pcap_fp);
if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap)); if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
/* optionally enter the private key to use */ /* optionally enter the private key to use */
@@ -667,13 +677,13 @@ int main(int argc, char** argv)
} }
/* Only let through TCP/IP packets */ /* Only let through TCP/IP packets */
ret = pcap_compile(pcap, &fp, "(ip6 or ip) and tcp", 0, 0); ret = pcap_compile(pcap, &pcap_fp, "(ip6 or ip) and tcp", 0, 0);
if (ret != 0) { if (ret != 0) {
printf("pcap_compile failed %s\n", pcap_geterr(pcap)); printf("pcap_compile failed %s\n", pcap_geterr(pcap));
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
ret = pcap_setfilter(pcap, &fp); ret = pcap_setfilter(pcap, &pcap_fp);
if (ret != 0) { if (ret != 0) {
printf("pcap_setfilter failed %s\n", pcap_geterr(pcap)); printf("pcap_setfilter failed %s\n", pcap_geterr(pcap));
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
@@ -727,12 +737,11 @@ int main(int argc, char** argv)
#else #else
chain = (void*)packet; chain = (void*)packet;
chainSz = header.caplen; chainSz = header.caplen;
(void)isChain;
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
do { do {
WOLF_EVENT* events[1]; /* poll for single event */ WOLF_EVENT* events[WOLF_ASYNC_MAX_PENDING];
int eventCount = 0; int eventCount = 0;
/* For async call the original API again with same data, /* For async call the original API again with same data,
@@ -786,6 +795,7 @@ int main(int argc, char** argv)
break; /* we're done reading file */ break; /* we're done reading file */
} }
FreeAll(); FreeAll();
(void)isChain;
return hadBadPacket ? EXIT_FAILURE : EXIT_SUCCESS; return hadBadPacket ? EXIT_FAILURE : EXIT_SUCCESS;
} }

17
wolfcrypt/src/asn.c
View File

@@ -3316,7 +3316,8 @@ int CheckBitString(const byte* input, word32* inOutIdx, int* len,
(defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || \ (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) || \
defined(OPENSSL_EXTRA))) || \ defined(OPENSSL_EXTRA))) || \
(defined(WC_ENABLE_ASYM_KEY_EXPORT) && !defined(NO_CERT)) || \ (defined(WC_ENABLE_ASYM_KEY_EXPORT) && !defined(NO_CERT)) || \
(!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)) (!defined(NO_DSA) && !defined(HAVE_SELFTEST) && defined(WOLFSSL_KEY_GEN)) || \
(!defined(NO_DH) && defined(WOLFSSL_DH_EXTRA))
/* Set the DER/BER encoding of the ASN.1 BIT STRING header. /* Set the DER/BER encoding of the ASN.1 BIT STRING header.
* *
@@ -12968,7 +12969,7 @@ static int SetCurve(ecc_key* key, byte* output)
#ifdef HAVE_OID_ENCODING #ifdef HAVE_OID_ENCODING
int ret; int ret;
#endif #endif
int idx = 0; int idx;
word32 oidSz = 0; word32 oidSz = 0;
/* validate key */ /* validate key */
@@ -12985,7 +12986,12 @@ static int SetCurve(ecc_key* key, byte* output)
oidSz = key->dp->oidSz; oidSz = key->dp->oidSz;
#endif #endif
idx += SetObjectId(oidSz, output); idx = SetObjectId(oidSz, output);
/* length only */
if (output == NULL) {
return idx + oidSz;
}
#ifdef HAVE_OID_ENCODING #ifdef HAVE_OID_ENCODING
ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz); ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
@@ -21206,7 +21212,6 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
word32 pubSz; word32 pubSz;
byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */ byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */
byte algo[MAX_ALGO_SZ]; /* 20 */ byte algo[MAX_ALGO_SZ]; /* 20 */
byte curve[MAX_ALGO_SZ]; /* 20 */
/* public size */ /* public size */
pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES; pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES;
@@ -21219,7 +21224,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
/* headers */ /* headers */
if (with_header) { if (with_header) {
curveSz = SetCurve(key, curve); curveSz = SetCurve(key, NULL);
if (curveSz <= 0) { if (curveSz <= 0) {
return curveSz; return curveSz;
} }
@@ -21242,7 +21247,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
idx += algoSz; idx += algoSz;
/* curve */ /* curve */
if (output) if (output)
XMEMCPY(output + idx, curve, curveSz); (void)SetCurve(key, output + idx);
idx += curveSz; idx += curveSz;
/* bit string */ /* bit string */
if (output) if (output)

18
wolfcrypt/src/sp_int.c
View File

@@ -4385,31 +4385,49 @@ int sp_init_multi(sp_int* n1, sp_int* n2, sp_int* n3, sp_int* n4, sp_int* n5,
_sp_zero(n1); _sp_zero(n1);
n1->dp[0] = 0; n1->dp[0] = 0;
n1->size = SP_INT_DIGITS; n1->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n1->raw);
#endif
} }
if (n2 != NULL) { if (n2 != NULL) {
_sp_zero(n2); _sp_zero(n2);
n2->dp[0] = 0; n2->dp[0] = 0;
n2->size = SP_INT_DIGITS; n2->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n2->raw);
#endif
} }
if (n3 != NULL) { if (n3 != NULL) {
_sp_zero(n3); _sp_zero(n3);
n3->dp[0] = 0; n3->dp[0] = 0;
n3->size = SP_INT_DIGITS; n3->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n3->raw);
#endif
} }
if (n4 != NULL) { if (n4 != NULL) {
_sp_zero(n4); _sp_zero(n4);
n4->dp[0] = 0; n4->dp[0] = 0;
n4->size = SP_INT_DIGITS; n4->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n4->raw);
#endif
} }
if (n5 != NULL) { if (n5 != NULL) {
_sp_zero(n5); _sp_zero(n5);
n5->dp[0] = 0; n5->dp[0] = 0;
n5->size = SP_INT_DIGITS; n5->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n5->raw);
#endif
} }
if (n6 != NULL) { if (n6 != NULL) {
_sp_zero(n6); _sp_zero(n6);
n6->dp[0] = 0; n6->dp[0] = 0;
n6->size = SP_INT_DIGITS; n6->size = SP_INT_DIGITS;
#ifdef HAVE_WOLF_BIGINT
wc_bigint_init(&n6->raw);
#endif
} }
return MP_OKAY; return MP_OKAY;

14
wolfcrypt/test/test.c
View File

@@ -16260,17 +16260,23 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
} }
ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz); ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
#if defined(WOLFSSL_ASYNC_CRYPT)
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (ret != MP_VAL && ret != MP_EXPTMOD_E) { if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
ERROR_OUT(-8058, done); ERROR_OUT(-8058, done);
} }
ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2); ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
if (ret != MP_VAL && ret != MP_EXPTMOD_E) { #if defined(WOLFSSL_ASYNC_CRYPT)
ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
#endif
if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
ERROR_OUT(-8057, done); ERROR_OUT(-8057, done);
} }
ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz); ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
if (ret != MP_VAL && ret != MP_EXPTMOD_E) { if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
ERROR_OUT(-8057, done); ERROR_OUT(-8057, done);
} }
@@ -23925,7 +23931,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
#endif #endif
/* test use of custom curve - using BRAINPOOLP256R1 for test */ /* test use of custom curve - using BRAINPOOLP256R1 for test */
#ifdef HAVE_ECC_BRAINPOOL #if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
#ifndef WOLFSSL_ECC_CURVE_STATIC #ifndef WOLFSSL_ECC_CURVE_STATIC
WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = { WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07 0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
@@ -23966,7 +23972,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
XMEMSET(key, 0, sizeof *key); XMEMSET(key, 0, sizeof *key);
#ifdef HAVE_ECC_BRAINPOOL #if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF, ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
&ecc_dp_brainpool256r1); &ecc_dp_brainpool256r1);
if (ret != 0) { if (ret != 0) {

4
wolfssl/wolfcrypt/types.h
View File

@@ -728,8 +728,8 @@ decouple library dependencies with standard string, memory and so on.
#endif /* _MSC_VER */ #endif /* _MSC_VER */
#endif /* USE_WINDOWS_API */ #endif /* USE_WINDOWS_API */
#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \ #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
|| defined(HAVE_ALPN) defined(HAVE_ALPN) || defined(WOLFSSL_SNIFFER)
/* use only Thread Safe version of strtok */ /* use only Thread Safe version of strtok */
#if defined(USE_WOLF_STRTOK) #if defined(USE_WOLF_STRTOK)
#define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr)) #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))