Changeset 464 for azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/sniffer.c
- Timestamp:
- Jun 22, 2021, 9:00:19 PM (3 years ago)
- Location:
- azure_iot_hub_f767zi/trunk/wolfssl-4.7.0
- Files:
-
- 1 edited
- 1 moved
Legend:
- Unmodified
- Added
- Removed
-
azure_iot_hub_f767zi/trunk/wolfssl-4.7.0/src/sniffer.c
r457 r464 26 26 27 27 #include <wolfssl/wolfcrypt/settings.h> 28 29 #ifndef WOLFCRYPT_ONLY 28 #include <wolfssl/wolfcrypt/wc_port.h> 29 30 /* xctime */ 31 #ifndef XCTIME 32 #define XCTIME ctime 33 #endif 34 35 /* only in this file, to avoid confusing future ports leave 36 * these defines here. Do not move to wc_port.h */ 37 #ifdef USER_CUSTOM_SNIFFX 38 /* To be implemented in user_settings.h */ 39 #elif defined(FUSION_RTOS) 40 #include <fcl_network.h> 41 #define XINET_NTOA FNS_INET_NTOA 42 #define XINET_ATON FNS_INET_ATON 43 #define XINET_PTON(a,b,c,d) FNS_INET_PTON((a),(b),(c),(d),NULL) 44 #define XINET_NTOP(a,b,c,d) FNS_INET_NTOP((a),(b),(c),(d),NULL) 45 #define XINET_ADDR FNS_INET_ADDR 46 #define XHTONS FNS_HTONS 47 #define XNTOHS FNS_NTOHS 48 #define XHTONL FNS_HTONL 49 #define XNTOHL FNS_NTOHL 50 #define XINADDR_NONE FNS_INADDR_NONE 51 #else 52 /* default */ 53 #define XINET_NTOA inet_ntoa 54 #define XINET_ATON inet_aton 55 #define XINET_PTON(a,b,c) inet_pton((a),(b),(c)) 56 #define XINET_NTOP inet_ntop 57 #define XINET_ADDR inet_addr 58 #define XHTONS htons 59 #define XNTOHS ntohs 60 #define XHTONL htonl 61 #define XNTOHL ntohl 62 #define XINADDR_NONE INADDR_NONE 63 #endif 64 65 #if !defined(WOLFCRYPT_ONLY) && !defined(NO_FILESYSTEM) 30 66 #ifdef WOLFSSL_SNIFFER 31 67 … … 33 69 #include <time.h> 34 70 35 #ifndef _WIN32 36 #include <arpa/inet.h> 71 #ifdef FUSION_RTOS 72 #include <fns_inet.h> 73 #ifdef TCP_PROTOCOL 74 #undef TCP_PROTOCOL 75 #endif 37 76 #else 38 #include <WS2tcpip.h> 77 #ifndef _WIN32 78 #include <arpa/inet.h> 79 #else 80 #include <WS2tcpip.h> 81 #endif 39 82 #endif 40 83 … … 45 88 #endif 46 89 47 #include <wolfssl/openssl/ssl.h>48 90 #include <wolfssl/internal.h> 49 91 #include <wolfssl/error-ssl.h> … … 91 133 HASH_SIZE = 499, /* Session Hash Table Rows */ 92 134 PSEUDO_HDR_SZ = 12, /* TCP Pseudo Header size in bytes */ 93 FATAL_ERROR_STATE = 1,/* SnifferSession fatal error state */135 FATAL_ERROR_STATE = 1, /* SnifferSession fatal error state */ 94 136 TICKET_HINT_LEN = 4, /* Session Ticket Hint length */ 95 EXT_TYPE_SZ = 2, /* Extension length */ 137 TICKET_HINT_AGE_LEN= 4, /* Session Ticket Age add length */ 138 EXT_TYPE_SZ = 2, /* Extension type length */ 96 139 MAX_INPUT_SZ = MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA + 97 140 MTU_EXTRA, /* Max input sz of reassembly */ 98 EXT_MASTER_SECRET = 0x17, /* Extended Master Secret Extension ID */ 99 TICKET_EXT_ID = 0x23 /* Session Ticket Extension ID */ 141 142 /* TLS Extensions */ 143 EXT_SERVER_NAME = 0x0000, /* a.k.a. SNI */ 144 EXT_MAX_FRAGMENT_LENGTH = 0x0001, 145 EXT_TRUSTED_CA_KEYS = 0x0003, 146 EXT_TRUNCATED_HMAC = 0x0004, 147 EXT_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stapling */ 148 EXT_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ 149 EXT_EC_POINT_FORMATS = 0x000b, 150 EXT_SIGNATURE_ALGORITHMS = 0x000d, 151 EXT_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ 152 EXT_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stapling v2 */ 153 EXT_ENCRYPT_THEN_MAC = 0x0016, /* RFC 7366 */ 154 EXT_MASTER_SECRET = 0x0017, /* Extended Master Secret Extension ID */ 155 EXT_TICKET_ID = 0x0023, /* Session Ticket Extension ID */ 156 EXT_PRE_SHARED_KEY = 0x0029, 157 EXT_EARLY_DATA = 0x002a, 158 EXT_SUPPORTED_VERSIONS = 0x002b, 159 EXT_COOKIE = 0x002c, 160 EXT_PSK_KEY_EXCHANGE_MODES = 0x002d, 161 EXT_POST_HANDSHAKE_AUTH = 0x0031, 162 EXT_SIGNATURE_ALGORITHMS_CERT = 0x0032, 163 EXT_KEY_SHARE = 0x0033, 164 EXT_RENEGOTIATION_INFO = 0xff01 100 165 }; 101 166 … … 139 204 140 205 static WOLFSSL_GLOBAL int TraceOn = 0; /* Trace is off by default */ 141 static WOLFSSL_GLOBAL FILE*TraceFile = 0;206 static WOLFSSL_GLOBAL XFILE TraceFile = 0; 142 207 143 208 … … 276 341 "No data destination Error", 277 342 "Store data callback failed", 278 "Loading chain input" 343 "Loading chain input", 344 "Got encrypted extension", 345 "Got Hello Retry Request", 279 346 }; 280 347 … … 319 386 byte* key; /* DER private key */ 320 387 word32 keySz; /* size of DER private key */ 388 int isEphemeralKey; 321 389 struct NamedKey* next; /* for list */ 322 390 } NamedKey; … … 336 404 /* Sniffer Server holds info for each server/port monitored */ 337 405 typedef struct SnifferServer { 338 SSL_CTX*ctx; /* SSL context */406 WOLFSSL_CTX* ctx; /* SSL context */ 339 407 char address[MAX_SERVER_ADDRESS]; /* passed in server address */ 340 408 IpAddrInfo server; /* network order address */ … … 365 433 byte expectEms; /* expect extended master secret */ 366 434 #endif 435 byte gotFinished; /* processed finished */ 367 436 } Flags; 368 437 369 438 370 439 /* Out of Order FIN capture */ 371 typedef struct FinCap utre {440 typedef struct FinCapture { 372 441 word32 cliFinSeq; /* client relative sequence FIN 0 is no */ 373 442 word32 srvFinSeq; /* server relative sequence FIN, 0 is no */ 374 443 byte cliCounted; /* did we count yet, detects duplicates */ 375 444 byte srvCounted; /* did we count yet, detects duplicates */ 376 } FinCap utre;445 } FinCapture; 377 446 378 447 … … 385 454 wc_Md5 hashMd5; 386 455 #endif 387 #endif 456 #endif /* !NO_OLD_TLS */ 388 457 #ifndef NO_SHA256 389 458 wc_Sha256 hashSha256; … … 393 462 #endif 394 463 } HsHashes; 464 465 typedef struct KeyShareInfo { 466 word16 named_group; 467 int key_len; 468 const byte* key; 469 470 /* additional info */ 471 int dh_key_bits; 472 int curve_id; 473 } KeyShareInfo; 395 474 396 475 … … 398 477 typedef struct SnifferSession { 399 478 SnifferServer* context; /* server context */ 400 SSL*sslServer; /* SSL server side decode */401 SSL*sslClient; /* SSL client side decode */479 WOLFSSL* sslServer; /* SSL server side decode */ 480 WOLFSSL* sslClient; /* SSL client side decode */ 402 481 IpAddrInfo server; /* server address in network byte order */ 403 482 IpAddrInfo client; /* client address in network byte order */ … … 408 487 word32 cliExpected; /* client expected sequence (relative) */ 409 488 word32 srvExpected; /* server expected sequence (relative) */ 410 FinCap utre finCaputre; /* retain out of order FIN s */489 FinCapture finCapture; /* retain out of order FIN s */ 411 490 Flags flags; /* session flags */ 412 time_t lastUsed; 491 time_t lastUsed; /* last used ticks */ 413 492 word32 keySz; /* size of the private key */ 414 493 PacketBuffer* cliReassemblyList; /* client out of order packets */ … … 416 495 word32 cliReassemblyMemory; /* client packet memory used */ 417 496 word32 srvReassemblyMemory; /* server packet memory used */ 418 struct SnifferSession* next; /* for hash table list */ 419 byte* ticketID; /* mac ID of session ticket */ 497 struct SnifferSession* next; /* for hash table list */ 498 byte* ticketID; /* mac ID of session ticket */ 499 #ifdef HAVE_MAX_FRAGMENT 500 byte* tlsFragBuf; 501 word32 tlsFragOffset; 502 word32 tlsFragSize; 503 #endif 420 504 #ifdef HAVE_SNI 421 505 const char* sni; /* server name indication */ 422 506 #endif 423 507 #ifdef HAVE_EXTENDED_MASTER 424 HsHashes* hash; 508 HsHashes* hash; 509 #endif 510 #ifdef WOLFSSL_TLS13 511 byte* cliKeyShare; 512 word32 cliKeyShareSz; 513 KeyShareInfo srvKs; 514 KeyShareInfo cliKs; 425 515 #endif 426 516 } SnifferSession; … … 559 649 wc_FreeMutex(&srv->namedKeysMutex); 560 650 #endif 561 SSL_CTX_free(srv->ctx);651 wolfSSL_CTX_free(srv->ctx); 562 652 } 563 653 XFREE(srv, NULL, DYNAMIC_TYPE_SNIFFER_SERVER); … … 595 685 { 596 686 if (session) { 597 SSL_free(session->sslClient);598 SSL_free(session->sslServer);687 wolfSSL_free(session->sslClient); 688 wolfSSL_free(session->sslServer); 599 689 600 690 FreePacketList(session->cliReassemblyList); … … 604 694 #ifdef HAVE_EXTENDED_MASTER 605 695 XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES); 696 #endif 697 #ifdef WOLFSSL_TLS13 698 if (session->cliKeyShare) 699 XFREE(session->cliKeyShare, NULL, DYNAMIC_TYPE_TMP_BUFFER); 700 #endif 701 #ifdef HAVE_MAX_FRAGMENT 702 if (session->tlsFragBuf) { 703 XFREE(session->tlsFragBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); 704 session->tlsFragBuf = NULL; 705 } 606 706 #endif 607 707 } … … 622 722 wc_LockMutex(&SessionMutex); 623 723 624 srv = ServerList; 625 while (srv) { 626 removeServer = srv; 627 srv = srv->next; 628 FreeSnifferServer(removeServer); 629 } 630 724 /* Free sessions (wolfSSL objects) first */ 631 725 for (i = 0; i < HASH_SIZE; i++) { 632 726 session = SessionTable[i]; … … 637 731 } 638 732 } 733 SessionCount = 0; 734 735 /* Then server (wolfSSL_CTX) */ 736 srv = ServerList; 737 while (srv) { 738 removeServer = srv; 739 srv = srv->next; 740 FreeSnifferServer(removeServer); 741 } 742 ServerList = NULL; 639 743 640 744 wc_UnLockMutex(&SessionMutex); … … 656 760 if (TraceFile) { 657 761 TraceOn = 0; 658 fclose(TraceFile);762 XFCLOSE(TraceFile); 659 763 TraceFile = NULL; 660 764 } … … 678 782 #endif 679 783 #ifndef NO_MD5 680 if (ret == 0) {784 if (ret == 0) 681 785 ret = wc_InitMd5(&hash->hashMd5); 682 } 683 #endif 684 #endif 786 #endif 787 #endif /* !NO_OLD_TLS */ 685 788 #ifndef NO_SHA256 686 789 if (ret == 0) … … 694 797 return ret; 695 798 } 696 697 799 698 800 static int HashUpdate(HsHashes* hash, const byte* input, int sz) … … 709 811 #endif 710 812 #ifndef NO_MD5 711 if (ret == 0) {813 if (ret == 0) 712 814 ret = wc_Md5Update(&hash->hashMd5, input, sz); 713 } 714 #endif 715 #endif 815 #endif 816 #endif /* !NO_OLD_TLS */ 716 817 #ifndef NO_SHA256 717 818 if (ret == 0) … … 726 827 } 727 828 728 729 829 static int HashCopy(HS_Hashes* d, HsHashes* s) 730 830 { 731 831 #ifndef NO_OLD_TLS 732 832 #ifndef NO_SHA 733 833 XMEMCPY(&d->hashSha, &s->hashSha, sizeof(wc_Sha)); 734 834 #endif 735 835 #ifndef NO_MD5 736 XMEMCPY(&d->hashMd5, &s->hashMd5, sizeof(wc_Md5)); 737 #endif 738 #endif 739 836 XMEMCPY(&d->hashMd5, &s->hashMd5, sizeof(wc_Md5)); 837 #endif 838 #endif /* !NO_OLD_TLS */ 740 839 #ifndef NO_SHA256 741 840 XMEMCPY(&d->hashSha256, &s->hashSha256, sizeof(wc_Sha256)); 742 841 #endif 743 842 #ifdef WOLFSSL_SHA384 744 843 XMEMCPY(&d->hashSha384, &s->hashSha384, sizeof(wc_Sha384)); 745 844 #endif 746 845 … … 766 865 767 866 /* Initialize FIN Capture */ 768 static void InitFinCapture(FinCap utre* cap)769 { 770 XMEMSET(cap, 0, sizeof(FinCap utre));867 static void InitFinCapture(FinCapture* cap) 868 { 869 XMEMSET(cap, 0, sizeof(FinCapture)); 771 870 } 772 871 … … 777 876 XMEMSET(session, 0, sizeof(SnifferSession)); 778 877 InitFlags(&session->flags); 779 InitFinCapture(&session->finCap utre);878 InitFinCapture(&session->finCapture); 780 879 } 781 880 … … 900 999 char myBuffer[MAX_ERROR_LEN]; 901 1000 GetError(idx, myBuffer); 902 fprintf(TraceFile, "\t%s\n", myBuffer);1001 XFPRINTF(TraceFile, "\t%s\n", myBuffer); 903 1002 #ifdef DEBUG_SNIFFER 904 fprintf(stderr, "\t%s\n", myBuffer);1003 XFPRINTF(stderr, "\t%s\n", myBuffer); 905 1004 #endif 906 1005 } … … 912 1011 { 913 1012 if (TraceOn) { 914 time_t ticks = time(NULL);915 fprintf(TraceFile, "\n%s", ctime(&ticks));1013 time_t ticks = XTIME(NULL); 1014 XFPRINTF(TraceFile, "\n%s", XCTIME(&ticks)); 916 1015 } 917 1016 } … … 922 1021 { 923 1022 if (TraceOn) { 924 fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n");925 fprintf(TraceFile, "\tserver: %s, port: %d, keyFile: %s\n", srv, port,1023 XFPRINTF(TraceFile, "\tTrying to install a new Sniffer Server with\n"); 1024 XFPRINTF(TraceFile, "\tserver: %s, port: %d, keyFile: %s\n", srv, port, 926 1025 keyFile); 927 1026 } … … 936 1035 { 937 1036 if (TraceOn) { 938 fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n"); 939 fprintf(TraceFile, "\tname: %s, server: %s, port: %d, keyFile: %s\n", 940 name, srv, port, keyFile); 1037 XFPRINTF(TraceFile, "\tTrying to install a new Sniffer Server with\n"); 1038 XFPRINTF(TraceFile, "\tname: %s, server: %s, port: %d, keyFile: %s\n", 1039 name ? name : "", 1040 srv ? srv : "", 1041 port, 1042 keyFile ? keyFile : ""); 941 1043 } 942 1044 } … … 950 1052 if (TraceOn) { 951 1053 static word32 packetNumber = 0; 952 fprintf(TraceFile, "\tGot a Packet to decode, packet %u\n",1054 XFPRINTF(TraceFile, "\tGot a Packet to decode, packet %u\n", 953 1055 ++packetNumber); 954 1056 } … … 959 1061 static const char* IpToS(int version, void* src, char* dst) 960 1062 { 961 return inet_ntop(version, src, dst, TRACE_MSG_SZ);1063 return XINET_NTOP(version, src, dst, TRACE_MSG_SZ); 962 1064 } 963 1065 … … 969 1071 char src[TRACE_MSG_SZ]; 970 1072 char dst[TRACE_MSG_SZ]; 971 fprintf(TraceFile, "\tdst:%s src:%s\n",1073 XFPRINTF(TraceFile, "\tdst:%s src:%s\n", 972 1074 IpToS(AF_INET, &iphdr->dst, dst), 973 1075 IpToS(AF_INET, &iphdr->src, src)); … … 982 1084 char src[TRACE_MSG_SZ]; 983 1085 char dst[TRACE_MSG_SZ]; 984 fprintf(TraceFile, "\tdst: %s src: %s\n",1086 XFPRINTF(TraceFile, "\tdst: %s src: %s\n", 985 1087 IpToS(AF_INET6, iphdr->dst, dst), 986 1088 IpToS(AF_INET6, iphdr->src, src)); … … 993 1095 { 994 1096 if (TraceOn) { 995 fprintf(TraceFile, "\tdstPort:%u srcPort:%u\n", ntohs(tcphdr->dstPort),996 ntohs(tcphdr->srcPort));1097 XFPRINTF(TraceFile, "\tdstPort:%u srcPort:%u\n", XNTOHS(tcphdr->dstPort), 1098 XNTOHS(tcphdr->srcPort)); 997 1099 } 998 1100 } … … 1003 1105 { 1004 1106 if (TraceOn) { 1005 fprintf(TraceFile, "\tSequence:%u, payload length:%d\n", seq, len);1107 XFPRINTF(TraceFile, "\tSequence:%u, payload length:%d\n", seq, len); 1006 1108 } 1007 1109 } … … 1012 1114 { 1013 1115 if (TraceOn) { 1014 fprintf(TraceFile, "\tAck:%u Expected:%u\n", ack, expected);1116 XFPRINTF(TraceFile, "\tAck:%u Expected:%u\n", ack, expected); 1015 1117 } 1016 1118 } … … 1021 1123 { 1022 1124 if (TraceOn) { 1023 fprintf(TraceFile, "\tExpected sequence:%u, received sequence:%u\n",1125 XFPRINTF(TraceFile, "\tExpected sequence:%u, received sequence:%u\n", 1024 1126 expected, got); 1025 1127 } … … 1031 1133 { 1032 1134 if (TraceOn) { 1033 fprintf(TraceFile, "\tServer SYN, Sequence Start:%u\n", seq);1135 XFPRINTF(TraceFile, "\tServer SYN, Sequence Start:%u\n", seq); 1034 1136 } 1035 1137 } … … 1040 1142 { 1041 1143 if (TraceOn) { 1042 fprintf(TraceFile, "\tClient SYN, Sequence Start:%u\n", seq);1144 XFPRINTF(TraceFile, "\tClient SYN, Sequence Start:%u\n", seq); 1043 1145 } 1044 1146 } … … 1049 1151 { 1050 1152 if (TraceOn) { 1051 fprintf(TraceFile, "\tClient FIN capture:%u, current SEQ:%u\n",1153 XFPRINTF(TraceFile, "\tClient FIN capture:%u, current SEQ:%u\n", 1052 1154 finSeq, relSeq); 1053 1155 } … … 1059 1161 { 1060 1162 if (TraceOn) { 1061 fprintf(TraceFile, "\tServer FIN capture:%u, current SEQ:%u\n",1163 XFPRINTF(TraceFile, "\tServer FIN capture:%u, current SEQ:%u\n", 1062 1164 finSeq, relSeq); 1063 1165 } … … 1069 1171 { 1070 1172 if (TraceOn) { 1071 fprintf(TraceFile, "\t%d bytes of SSL App data processed\n", bytes);1173 XFPRINTF(TraceFile, "\t%d bytes of SSL App data processed\n", bytes); 1072 1174 } 1073 1175 } … … 1078 1180 { 1079 1181 if (TraceOn) { 1080 fprintf(TraceFile,1182 XFPRINTF(TraceFile, 1081 1183 "\t%d bytes added to %d existing bytes in User Buffer\n", 1082 1184 newBytes, existingBytes); … … 1089 1191 { 1090 1192 if (TraceOn) { 1091 fprintf(TraceFile, "\tFound a stale session\n");1193 XFPRINTF(TraceFile, "\tFound a stale session\n"); 1092 1194 } 1093 1195 } … … 1098 1200 { 1099 1201 if (TraceOn) { 1100 fprintf(TraceFile, "\tTrying to find Stale Sessions\n");1202 XFPRINTF(TraceFile, "\tTrying to find Stale Sessions\n"); 1101 1203 } 1102 1204 } … … 1107 1209 { 1108 1210 if (TraceOn) { 1109 fprintf(TraceFile, "\tRemoved it\n");1211 XFPRINTF(TraceFile, "\tRemoved it\n"); 1110 1212 } 1111 1213 } … … 1117 1219 if (TraceOn) { 1118 1220 if (sslInfo != NULL && sslInfo->isValid) { 1119 fprintf(TraceFile,1221 XFPRINTF(TraceFile, 1120 1222 "\tver:(%u %u) suiteId:(%02x %02x) suiteName:(%s) " 1121 1223 #ifdef HAVE_SNI … … 1143 1245 { 1144 1246 if (TraceOn) { 1145 fprintf(TraceFile, "\tAdding %d to %s\n", add, name);1247 XFPRINTF(TraceFile, "\tAdding %d to %s\n", add, name); 1146 1248 } 1147 1249 } … … 1310 1412 { 1311 1413 SnifferSession* session; 1312 time_t currTime = time(NULL);1414 time_t currTime = XTIME(NULL); 1313 1415 word32 row = SessionHash(ipInfo, tcpInfo); 1314 1416 … … 1358 1460 1359 1461 static int LoadKeyFile(byte** keyBuf, word32* keyBufSz, 1360 const char* keyFile, int typeKey,1462 const char* keyFile, int keySz, int typeKey, 1361 1463 const char* password) 1362 1464 { … … 1364 1466 long fileSz = 0; 1365 1467 XFILE file; 1366 int ret ;1468 int ret = -1; 1367 1469 1368 1470 if (keyBuf == NULL || keyBufSz == NULL || keyFile == NULL) { … … 1370 1472 } 1371 1473 1372 file = XFOPEN(keyFile, "rb"); 1373 if (file == XBADFILE) return -1; 1374 if(XFSEEK(file, 0, XSEEK_END) != 0) { 1474 if (keySz == 0) { 1475 /* load from file */ 1476 file = XFOPEN(keyFile, "rb"); 1477 if (file == XBADFILE) return -1; 1478 if(XFSEEK(file, 0, XSEEK_END) != 0) { 1479 XFCLOSE(file); 1480 return -1; 1481 } 1482 fileSz = XFTELL(file); 1483 if (fileSz > MAX_WOLFSSL_FILE_SIZE || fileSz < 0) { 1484 XFCLOSE(file); 1485 return -1; 1486 } 1487 XREWIND(file); 1488 1489 loadBuf = (byte*)XMALLOC(fileSz, NULL, DYNAMIC_TYPE_FILE); 1490 if (loadBuf == NULL) { 1491 XFCLOSE(file); 1492 return -1; 1493 } 1494 1495 ret = (int)XFREAD(loadBuf, 1, fileSz, file); 1375 1496 XFCLOSE(file); 1376 return -1; 1377 } 1378 fileSz = XFTELL(file); 1379 if (fileSz > MAX_WOLFSSL_FILE_SIZE || fileSz < 0) { 1380 XFCLOSE(file); 1381 return -1; 1382 } 1383 XREWIND(file); 1384 1385 loadBuf = (byte*)XMALLOC(fileSz, NULL, DYNAMIC_TYPE_FILE); 1386 if (loadBuf == NULL) { 1387 XFCLOSE(file); 1388 return -1; 1389 } 1390 1391 ret = (int)XFREAD(loadBuf, 1, fileSz, file); 1392 XFCLOSE(file); 1393 1394 if (ret != fileSz) { 1395 XFREE(loadBuf, NULL, DYNAMIC_TYPE_FILE); 1396 return -1; 1497 1498 if (ret != fileSz) { 1499 XFREE(loadBuf, NULL, DYNAMIC_TYPE_FILE); 1500 return -1; 1501 } 1502 } 1503 else { 1504 /* use buffer directly */ 1505 loadBuf = (byte*)XMALLOC(keySz, NULL, DYNAMIC_TYPE_FILE); 1506 if (loadBuf == NULL) { 1507 return -1; 1508 } 1509 fileSz = keySz; 1510 XMEMCPY(loadBuf, keyFile, fileSz); 1397 1511 } 1398 1512 … … 1450 1564 } 1451 1565 InitSnifferServer(sniffer); 1452 sniffer->ctx = SSL_CTX_new(TLSv1_2_client_method());1566 sniffer->ctx = wolfSSL_CTX_new(SSLv23_client_method()); 1453 1567 if (!sniffer->ctx) { 1454 1568 SetError(MEMORY_STR, error, NULL, 0); … … 1469 1583 1470 1584 static int SetNamedPrivateKey(const char* name, const char* address, int port, 1471 const char* keyFile, int typeKey, const char* password, char* error) 1585 const char* keyFile, int keySz, int typeKey, const char* password, 1586 char* error, int isEphemeralKey) 1472 1587 { 1473 1588 SnifferServer* sniffer; … … 1498 1613 XSTRNCPY(namedKey->name, name, namedKey->nameSz); 1499 1614 namedKey->name[MAX_SERVER_NAME-1] = '\0'; 1500 1615 namedKey->isEphemeralKey = isEphemeralKey; 1501 1616 ret = LoadKeyFile(&namedKey->key, &namedKey->keySz, 1502 keyFile, type, password);1617 keyFile, keySz, type, password); 1503 1618 if (ret < 0) { 1504 1619 SetError(KEY_FILE_STR, error, NULL, 0); … … 1510 1625 1511 1626 serverIp.version = IPV4; 1512 serverIp.ip4 = inet_addr(address); 1513 if (serverIp.ip4 == INADDR_NONE) { 1514 if (inet_pton(AF_INET6, address, serverIp.ip6) == 1) { 1627 serverIp.ip4 = XINET_ADDR(address); 1628 if (serverIp.ip4 == XINADDR_NONE) { 1629 #ifdef FUSION_RTOS 1630 if (XINET_PTON(AF_INET6, address, serverIp.ip6, 1631 sizeof(serverIp.ip4)) == 1) { 1632 #else 1633 if (XINET_PTON(AF_INET6, address, serverIp.ip6) == 1) { 1634 #endif 1515 1635 serverIp.version = IPV6; 1516 1636 } … … 1540 1660 sniffer->port = port; 1541 1661 1542 sniffer->ctx = SSL_CTX_new(TLSv1_2_client_method());1662 sniffer->ctx = wolfSSL_CTX_new(SSLv23_client_method()); 1543 1663 if (!sniffer->ctx) { 1544 1664 SetError(MEMORY_STR, error, NULL, 0); … … 1554 1674 if (password) { 1555 1675 #ifdef WOLFSSL_ENCRYPTED_KEYS 1556 SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);1557 SSL_CTX_set_default_passwd_cb_userdata(1676 wolfSSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword); 1677 wolfSSL_CTX_set_default_passwd_cb_userdata( 1558 1678 sniffer->ctx, (void*)password); 1559 1679 #endif 1560 1680 } 1561 ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type); 1681 1682 #ifdef WOLFSSL_STATIC_EPHEMERAL 1683 if (isEphemeralKey) { 1684 /* auto detect key type with WC_PK_TYPE_NONE */ 1685 /* keySz == 0 mean load file */ 1686 ret = wolfSSL_CTX_set_ephemeral_key(sniffer->ctx, WC_PK_TYPE_NONE, 1687 keyFile, 0, type); 1688 if (ret == 0) 1689 ret = WOLFSSL_SUCCESS; 1690 } 1691 else 1692 #endif 1693 { 1694 if (keySz == 0) { 1695 ret = wolfSSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type); 1696 } 1697 else { 1698 ret = wolfSSL_CTX_use_PrivateKey_buffer(sniffer->ctx, 1699 (const byte*)keyFile, keySz, type); 1700 } 1701 } 1562 1702 if (ret != WOLFSSL_SUCCESS) { 1563 1703 SetError(KEY_FILE_STR, error, NULL, 0); … … 1589 1729 1590 1730 #ifdef HAVE_SNI 1591 1592 1731 /* Sets the private key for a specific name, server and port */ 1593 1732 /* returns 0 on success, -1 on error */ … … 1603 1742 1604 1743 wc_LockMutex(&ServerListMutex); 1605 ret = SetNamedPrivateKey(name, address, port, keyFile, 1606 typeKey, password, error );1744 ret = SetNamedPrivateKey(name, address, port, keyFile, 0, 1745 typeKey, password, error, 0); 1607 1746 wc_UnLockMutex(&ServerListMutex); 1608 1747 … … 1613 1752 } 1614 1753 1615 #endif 1616 1754 int ssl_SetNamedPrivateKeyBuffer(const char* name, 1755 const char* address, int port, 1756 const char* keyBuf, int keySz, int typeKey, 1757 const char* password, char* error) 1758 { 1759 int ret; 1760 1761 TraceHeader(); 1762 TraceSetNamedServer(name, address, port, NULL); 1763 1764 wc_LockMutex(&ServerListMutex); 1765 ret = SetNamedPrivateKey(name, address, port, keyBuf, keySz, 1766 typeKey, password, error, 0); 1767 wc_UnLockMutex(&ServerListMutex); 1768 1769 if (ret == 0) 1770 Trace(NEW_SERVER_STR); 1771 1772 return ret; 1773 } 1774 #endif /* HAVE_SNI */ 1617 1775 1618 1776 /* Sets the private key for a specific server and port */ 1619 1777 /* returns 0 on success, -1 on error */ 1620 int ssl_SetPrivateKey(const char* address, int port, const char* keyFile, 1621 int typeKey, const char* password, char* error) 1778 int ssl_SetPrivateKey(const char* address, int port, 1779 const char* keyFile, int typeKey, 1780 const char* password, char* error) 1622 1781 { 1623 1782 int ret; … … 1627 1786 1628 1787 wc_LockMutex(&ServerListMutex); 1629 ret = SetNamedPrivateKey(NULL, address, port, keyFile, 1630 typeKey, password, error );1788 ret = SetNamedPrivateKey(NULL, address, port, keyFile, 0, 1789 typeKey, password, error, 0); 1631 1790 wc_UnLockMutex(&ServerListMutex); 1632 1791 … … 1637 1796 } 1638 1797 1798 int ssl_SetPrivateKeyBuffer(const char* address, int port, 1799 const char* keyBuf, int keySz, int typeKey, 1800 const char* password, char* error) 1801 { 1802 int ret; 1803 1804 TraceHeader(); 1805 TraceSetServer(address, port, "from buffer"); 1806 1807 wc_LockMutex(&ServerListMutex); 1808 ret = SetNamedPrivateKey(NULL, address, port, keyBuf, keySz, 1809 typeKey, password, error, 0); 1810 wc_UnLockMutex(&ServerListMutex); 1811 1812 if (ret == 0) 1813 Trace(NEW_SERVER_STR); 1814 1815 return ret; 1816 } 1817 1818 #ifdef WOLFSSL_STATIC_EPHEMERAL 1819 #ifdef HAVE_SNI 1820 /* Sets the ephemeral key for a specific name, server and port */ 1821 /* returns 0 on success, -1 on error */ 1822 int ssl_SetNamedEphemeralKey(const char* name, 1823 const char* address, int port, 1824 const char* keyFile, int typeKey, 1825 const char* password, char* error) 1826 { 1827 int ret; 1828 1829 TraceHeader(); 1830 TraceSetNamedServer(name, address, port, keyFile); 1831 1832 wc_LockMutex(&ServerListMutex); 1833 ret = SetNamedPrivateKey(name, address, port, keyFile, 0, 1834 typeKey, password, error, 1); 1835 wc_UnLockMutex(&ServerListMutex); 1836 1837 if (ret == 0) 1838 Trace(NEW_SERVER_STR); 1839 1840 return ret; 1841 } 1842 1843 int ssl_SetNamedEphemeralKeyBuffer(const char* name, 1844 const char* address, int port, 1845 const char* keyBuf, int keySz, int typeKey, 1846 const char* password, char* error) 1847 { 1848 int ret; 1849 1850 TraceHeader(); 1851 TraceSetNamedServer(name, address, port, NULL); 1852 1853 wc_LockMutex(&ServerListMutex); 1854 ret = SetNamedPrivateKey(name, address, port, keyBuf, keySz, 1855 typeKey, password, error, 1); 1856 wc_UnLockMutex(&ServerListMutex); 1857 1858 if (ret == 0) 1859 Trace(NEW_SERVER_STR); 1860 1861 return ret; 1862 } 1863 #endif /* HAVE_SNI */ 1864 1865 /* Sets the ephemeral key for a specific server and port */ 1866 /* returns 0 on success, -1 on error */ 1867 int ssl_SetEphemeralKey(const char* address, int port, 1868 const char* keyFile, int typeKey, 1869 const char* password, char* error) 1870 { 1871 int ret; 1872 1873 TraceHeader(); 1874 TraceSetServer(address, port, keyFile); 1875 1876 wc_LockMutex(&ServerListMutex); 1877 ret = SetNamedPrivateKey(NULL, address, port, keyFile, 0, 1878 typeKey, password, error, 1); 1879 wc_UnLockMutex(&ServerListMutex); 1880 1881 if (ret == 0) 1882 Trace(NEW_SERVER_STR); 1883 1884 return ret; 1885 } 1886 1887 int ssl_SetEphemeralKeyBuffer(const char* address, int port, 1888 const char* keyBuf, int keySz, int typeKey, 1889 const char* password, char* error) 1890 { 1891 int ret; 1892 1893 TraceHeader(); 1894 TraceSetServer(address, port, "from buffer"); 1895 1896 wc_LockMutex(&ServerListMutex); 1897 ret = SetNamedPrivateKey(NULL, address, port, keyBuf, keySz, 1898 typeKey, password, error, 1); 1899 wc_UnLockMutex(&ServerListMutex); 1900 1901 if (ret == 0) 1902 Trace(NEW_SERVER_STR); 1903 1904 return ret; 1905 } 1906 #endif /* WOLFSSL_STATIC_EPHEMERAL */ 1639 1907 1640 1908 /* Check IP Header for IPV6, TCP, and a registered server address */ … … 1677 1945 1678 1946 info->length = exthdrsz; 1679 info->total = ntohs(iphdr->length) + info->length;1680 1947 info->total = XNTOHS(iphdr->length) + info->length; 1948 /* IPv6 doesn't include its own header size in the length like v4. */ 1681 1949 info->src.version = IPV6; 1682 1950 XMEMCPY(info->src.ip6, iphdr->src, sizeof(info->src.ip6)); … … 1693 1961 static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error) 1694 1962 { 1695 int 1963 int version = IP_V(iphdr); 1696 1964 1697 1965 if (version == IPV6) … … 1719 1987 1720 1988 info->length = IP_HL(iphdr); 1721 info->total = ntohs(iphdr->length);1989 info->total = XNTOHS(iphdr->length); 1722 1990 info->src.version = IPV4; 1723 1991 info->src.ip4 = iphdr->src; … … 1738 2006 TraceTcp(tcphdr); 1739 2007 Trace(TCP_CHECK_STR); 1740 info->srcPort = ntohs(tcphdr->srcPort);1741 info->dstPort = ntohs(tcphdr->dstPort);2008 info->srcPort = XNTOHS(tcphdr->srcPort); 2009 info->dstPort = XNTOHS(tcphdr->dstPort); 1742 2010 info->length = TCP_LEN(tcphdr); 1743 info->sequence = ntohl(tcphdr->sequence);2011 info->sequence = XNTOHL(tcphdr->sequence); 1744 2012 info->fin = tcphdr->flags & TCP_FIN; 1745 2013 info->rst = tcphdr->flags & TCP_RST; … … 1747 2015 info->ack = tcphdr->flags & TCP_ACK; 1748 2016 if (info->ack) 1749 info->ackNumber = ntohl(tcphdr->ack);2017 info->ackNumber = XNTOHL(tcphdr->ack); 1750 2018 1751 2019 #ifndef WOLFSSL_SNIFFER_WATCH … … 1802 2070 } 1803 2071 sslInfo->keySize = session->keySz; 1804 2072 #ifdef HAVE_SNI 1805 2073 if (NULL != session->sni) { 1806 2074 XSTRNCPY((char*)sslInfo->serverNameIndication, … … 1809 2077 [sizeof(sslInfo->serverNameIndication) - 1] = '\0'; 1810 2078 } 1811 2079 #endif 1812 2080 TraceSessionInfo(sslInfo); 1813 2081 } … … 1826 2094 } 1827 2095 1828 1829 /* Process Client Key Exchange, RSA or static ECDH */ 1830 static int ProcessClientKeyExchange(const byte* input, int* sslBytes, 1831 SnifferSession* session, char* error) 2096 #ifdef SHOW_SECRETS 2097 static void PrintSecret(const char* desc, const byte* buf, int sz) 2098 { 2099 int i; 2100 printf("%s: ", desc); 2101 for (i = 0; i < sz; i++) { 2102 printf("%02x", buf[i]); 2103 } 2104 printf("\n"); 2105 } 2106 2107 static void ShowTlsSecrets(SnifferSession* session) 2108 { 2109 PrintSecret("server master secret", session->sslServer->arrays->masterSecret, SECRET_LEN); 2110 PrintSecret("client master secret", session->sslClient->arrays->masterSecret, SECRET_LEN); 2111 printf("server suite = %d\n", session->sslServer->options.cipherSuite); 2112 printf("client suite = %d\n", session->sslClient->options.cipherSuite); 2113 } 2114 #endif /* SHOW_SECRETS */ 2115 2116 2117 /* Process Keys */ 2118 2119 /* contains static ephemeral keys */ 2120 typedef struct { 2121 #ifndef NO_DH 2122 DerBuffer* dhKey; 2123 #endif 2124 #ifdef HAVE_ECC 2125 DerBuffer* ecKey; 2126 #endif 2127 #if !defined(NO_RSA) && defined(WOLFSSL_STATIC_RSA) 2128 DerBuffer* rsaKey; 2129 #endif 2130 } KeyBuffers_t; 2131 2132 static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session, 2133 char* error, KeyShareInfo* ksInfo, KeyBuffers_t* keys) 1832 2134 { 1833 2135 word32 idx = 0; 1834 int tryEcc = 0;1835 2136 int ret; 1836 1837 if (session->sslServer->buffers.key == NULL || 1838 session->sslServer->buffers.key->buffer == NULL ||1839 session->sslServer->buffers.key->length == 0) {1840 1841 SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE); 1842 return -1; 1843 } 1844 1845 {2137 DerBuffer* keyBuf; 2138 #ifdef HAVE_ECC 2139 int useEccCurveId = ECC_CURVE_DEF; 2140 if (ksInfo && ksInfo->curve_id != 0) 2141 useEccCurveId = ksInfo->curve_id; 2142 #endif 2143 2144 #ifndef NO_RSA 2145 /* Static RSA */ 2146 if (ksInfo == NULL && keys->rsaKey) { 1846 2147 RsaKey key; 1847 2148 int length; 1848 2149 2150 keyBuf = keys->rsaKey; 2151 1849 2152 ret = wc_InitRsaKey(&key, 0); 1850 2153 if (ret == 0) { 1851 ret = wc_RsaPrivateKeyDecode( 1852 session->sslServer->buffers.key->buffer, 1853 &idx, &key, session->sslServer->buffers.key->length); 2154 ret = wc_RsaPrivateKeyDecode(keyBuf->buffer, &idx, &key, keyBuf->length); 1854 2155 if (ret != 0) { 1855 tryEcc = 1; 1856 #ifndef HAVE_ECC 1857 SetError(RSA_DECODE_STR, error, session, FATAL_ERROR_STATE); 1858 #else 1859 /* If we can do ECC, this isn't fatal. Not loading an ECC 1860 * key will be fatal, though. */ 1861 SetError(RSA_DECODE_STR, error, session, 0); 1862 #endif 1863 } 2156 #ifndef HAVE_ECC 2157 SetError(RSA_DECODE_STR, error, session, FATAL_ERROR_STATE); 2158 #else 2159 /* If we can do ECC, this isn't fatal. Not loading an ECC 2160 * key will be fatal, though. */ 2161 SetError(RSA_DECODE_STR, error, session, 0); 2162 if (keys->ecKey == NULL) 2163 keys->ecKey = session->sslServer->buffers.key; /* try ECC */ 2164 #endif 2165 } 2166 #ifdef HAVE_ECC 2167 else { 2168 useEccCurveId = -1; /* don't try loading ECC */ 2169 } 2170 #endif 1864 2171 } 1865 2172 … … 1909 2216 wc_FreeRsaKey(&key); 1910 2217 } 1911 1912 if (tryEcc) { 2218 #endif /* !NO_RSA */ 2219 2220 #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA) 2221 /* Static DH Key */ 2222 if (ksInfo && ksInfo->dh_key_bits != 0 && keys->dhKey) { 2223 DhKey dhKey; 2224 const DhParams* params; 2225 word32 privKeySz; 2226 byte privKey[52]; /* max for TLS */ 2227 2228 keyBuf = keys->dhKey; 2229 2230 /* get DH params */ 2231 switch (ksInfo->named_group) { 2232 #ifdef HAVE_FFDHE_2048 2233 case WOLFSSL_FFDHE_2048: 2234 params = wc_Dh_ffdhe2048_Get(); 2235 privKeySz = 29; 2236 break; 2237 #endif 2238 #ifdef HAVE_FFDHE_3072 2239 case WOLFSSL_FFDHE_3072: 2240 params = wc_Dh_ffdhe3072_Get(); 2241 privKeySz = 34; 2242 break; 2243 #endif 2244 #ifdef HAVE_FFDHE_4096 2245 case WOLFSSL_FFDHE_4096: 2246 params = wc_Dh_ffdhe4096_Get(); 2247 privKeySz = 39; 2248 break; 2249 #endif 2250 #ifdef HAVE_FFDHE_6144 2251 case WOLFSSL_FFDHE_6144: 2252 params = wc_Dh_ffdhe6144_Get(); 2253 privKeySz = 46; 2254 break; 2255 #endif 2256 #ifdef HAVE_FFDHE_8192 2257 case WOLFSSL_FFDHE_8192: 2258 params = wc_Dh_ffdhe8192_Get(); 2259 privKeySz = 52; 2260 break; 2261 #endif 2262 default: 2263 return BAD_FUNC_ARG; 2264 } 2265 2266 ret = wc_InitDhKey(&dhKey); 2267 if (ret == 0) { 2268 ret = wc_DhSetKey(&dhKey, 2269 (byte*)params->p, params->p_len, 2270 (byte*)params->g, params->g_len); 2271 if (ret == 0) { 2272 ret = wc_DhKeyDecode(keyBuf->buffer, &idx, &dhKey, 2273 keyBuf->length); 2274 } 2275 if (ret == 0) { 2276 ret = wc_DhExportKeyPair(&dhKey, privKey, &privKeySz, NULL, 2277 NULL); 2278 } 2279 2280 /* Derive secret from private key and peer's public key */ 2281 do { 2282 #ifdef WOLFSSL_ASYNC_CRYPT 2283 ret = wc_AsyncWait(ret, &dhPriv.asyncDev, 2284 WC_ASYNC_FLAG_CALL_AGAIN); 2285 #endif 2286 if (ret >= 0) { 2287 ret = wc_DhAgree(&dhKey, 2288 session->sslServer->arrays->preMasterSecret, 2289 &session->sslServer->arrays->preMasterSz, 2290 privKey, privKeySz, 2291 input, *sslBytes); 2292 } 2293 } while (ret == WC_PENDING_E); 2294 2295 wc_FreeDhKey(&dhKey); 2296 2297 /* left-padded with zeros up to the size of the prime */ 2298 if (params->p_len > session->sslServer->arrays->preMasterSz) { 2299 word32 diff = params->p_len - session->sslServer->arrays->preMasterSz; 2300 XMEMMOVE(session->sslServer->arrays->preMasterSecret + diff, 2301 session->sslServer->arrays->preMasterSecret, 2302 session->sslServer->arrays->preMasterSz); 2303 XMEMSET(session->sslServer->arrays->preMasterSecret, 0, diff); 2304 session->sslServer->arrays->preMasterSz = params->p_len; 2305 } 2306 } 2307 } 2308 #endif /* !NO_DH && WOLFSSL_DH_EXTRA */ 2309 1913 2310 #ifdef HAVE_ECC 2311 /* Static ECC Key */ 2312 if (useEccCurveId >= ECC_CURVE_DEF && keys->ecKey) { 1914 2313 ecc_key key; 1915 2314 ecc_key pubKey; 1916 2315 int length, keyInit = 0, pubKeyInit = 0; 1917 2316 2317 keyBuf = keys->ecKey; 1918 2318 idx = 0; 1919 2319 ret = wc_ecc_init(&key); … … 1922 2322 ret = wc_ecc_init(&pubKey); 1923 2323 } 2324 2325 #if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \ 2326 (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2))) && \ 2327 !defined(HAVE_SELFTEST) 2328 if (ret == 0) { 2329 ret = wc_ecc_set_rng(&key, session->sslServer->rng); 2330 } 2331 #endif 2332 1924 2333 if (ret == 0) { 1925 2334 pubKeyInit = 1; 1926 ret = wc_EccPrivateKeyDecode( 1927 session->sslServer->buffers.key->buffer, 1928 &idx, &key, session->sslServer->buffers.key->length); 2335 ret = wc_EccPrivateKeyDecode(keyBuf->buffer, &idx, &key, keyBuf->length); 1929 2336 if (ret != 0) { 1930 2337 SetError(ECC_DECODE_STR, error, session, FATAL_ERROR_STATE); … … 1936 2343 /* The length should be 2 times the key size (x and y), plus 1 1937 2344 * for the type byte. */ 1938 if ( IsTLS(session->sslServer)) {2345 if (!IsAtLeastTLSv1_3(session->sslServer->version)) { 1939 2346 input += 1; /* Don't include the TLS length for the key. */ 1940 2347 } 1941 2348 1942 if (length + 1 > *sslBytes) { 1943 SetError(PARTIAL_INPUT_STR, 1944 error, session, FATAL_ERROR_STATE); 2349 if (length > *sslBytes) { 2350 SetError(PARTIAL_INPUT_STR, error, session, FATAL_ERROR_STATE); 1945 2351 ret = -1; 1946 2352 } 2353 2354 /* if curve not provided in key share data, then use private key curve */ 2355 if (useEccCurveId == ECC_CURVE_DEF && key.dp) { 2356 useEccCurveId = key.dp->id; 2357 } 1947 2358 } 1948 2359 1949 2360 if (ret == 0) { 1950 ret = wc_ecc_import_x963_ex(input, length, &pubKey, ECC_CURVE_DEF);2361 ret = wc_ecc_import_x963_ex(input, length, &pubKey, useEccCurveId); 1951 2362 if (ret != 0) { 1952 2363 SetError(ECC_PUB_DECODE_STR, error, session, FATAL_ERROR_STATE); … … 1983 2394 if (pubKeyInit) 1984 2395 wc_ecc_free(&pubKey); 1985 #endif 1986 } 2396 } 2397 #endif /* HAVE_ECC */ 1987 2398 1988 2399 /* store for client side as well */ … … 1993 2404 session->sslServer->arrays->preMasterSz; 1994 2405 1995 #ifdef SHOW_SECRETS 1996 { 1997 word32 i; 1998 printf("pre master secret: "); 1999 for (i = 0; i < session->sslServer->arrays->preMasterSz; i++) 2000 printf("%02x", session->sslServer->arrays->preMasterSecret[i]); 2001 printf("\n"); 2002 } 2003 #endif 2406 #ifdef SHOW_SECRETS 2407 PrintSecret("pre master secret", 2408 session->sslServer->arrays->preMasterSecret, 2409 session->sslServer->arrays->preMasterSz); 2410 #endif 2004 2411 2005 2412 if (SetCipherSpecs(session->sslServer) != 0) { … … 2013 2420 } 2014 2421 2015 ret = MakeMasterSecret(session->sslServer); 2016 ret += MakeMasterSecret(session->sslClient); 2017 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE); 2018 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE); 2019 2422 #ifdef WOLFSSL_TLS13 2423 /* TLS v1.3 derive handshake key */ 2424 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 2425 ret = DeriveEarlySecret(session->sslServer); 2426 ret += DeriveEarlySecret(session->sslClient); 2427 ret += DeriveHandshakeSecret(session->sslServer); 2428 ret += DeriveHandshakeSecret(session->sslClient); 2429 ret += DeriveTls13Keys(session->sslServer, handshake_key, ENCRYPT_AND_DECRYPT_SIDE, 1); 2430 ret += DeriveTls13Keys(session->sslClient, handshake_key, ENCRYPT_AND_DECRYPT_SIDE, 1); 2431 #ifdef WOLFSSL_EARLY_DATA 2432 ret += SetKeysSide(session->sslServer, DECRYPT_SIDE_ONLY); 2433 ret += SetKeysSide(session->sslClient, DECRYPT_SIDE_ONLY); 2434 #else 2435 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE); 2436 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE); 2437 #endif 2438 } 2439 else 2440 #endif 2441 { 2442 ret = MakeMasterSecret(session->sslServer); 2443 ret += MakeMasterSecret(session->sslClient); 2444 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE); 2445 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE); 2446 } 2020 2447 if (ret != 0) { 2021 2448 SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE); … … 2024 2451 2025 2452 #ifdef SHOW_SECRETS 2026 { 2027 int i; 2028 printf("server master secret: "); 2029 for (i = 0; i < SECRET_LEN; i++) 2030 printf("%02x", session->sslServer->arrays->masterSecret[i]); 2031 printf("\n"); 2032 2033 printf("client master secret: "); 2034 for (i = 0; i < SECRET_LEN; i++) 2035 printf("%02x", session->sslClient->arrays->masterSecret[i]); 2036 printf("\n"); 2037 2038 printf("server suite = %d\n", session->sslServer->options.cipherSuite); 2039 printf("client suite = %d\n", session->sslClient->options.cipherSuite); 2040 } 2453 #ifdef WOLFSSL_TLS13 2454 if (!IsAtLeastTLSv1_3(session->sslServer->version)) 2455 #endif 2456 ShowTlsSecrets(session); 2041 2457 #endif 2042 2458 … … 2046 2462 } 2047 2463 2464 /* Process Client Key Exchange, static RSA */ 2465 static int ProcessClientKeyExchange(const byte* input, int* sslBytes, 2466 SnifferSession* session, char* error) 2467 { 2468 KeyBuffers_t keys; 2469 2470 if (session->sslServer->buffers.key == NULL || 2471 session->sslServer->buffers.key->buffer == NULL || 2472 session->sslServer->buffers.key->length == 0) { 2473 2474 SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE); 2475 return -1; 2476 } 2477 2478 XMEMSET(&keys, 0, sizeof(keys)); 2479 #ifdef WOLFSSL_STATIC_EPHEMERAL 2480 #ifndef NO_DH 2481 keys.dhKey = session->sslServer->staticKE.dhKey; 2482 #endif 2483 #ifdef HAVE_ECC 2484 keys.ecKey = session->sslServer->staticKE.ecKey; 2485 #endif 2486 #endif 2487 keys.rsaKey = session->sslServer->buffers.key; 2488 return SetupKeys(input, sslBytes, session, error, NULL, &keys); 2489 } 2490 2491 #ifdef WOLFSSL_TLS13 2492 static int ProcessKeyShare(KeyShareInfo* info, const byte* input, int len, 2493 word16 filter_group) 2494 { 2495 int index = 0; 2496 while (index < len) { 2497 /* clear info (reset dh_key_bits and curve_id) */ 2498 XMEMSET(info, 0, sizeof(KeyShareInfo)); 2499 2500 /* Named group and public key */ 2501 info->named_group = (word16)((input[index] << 8) | input[index+1]); 2502 index += OPAQUE16_LEN; 2503 info->key_len = 0; 2504 info->key = NULL; 2505 /* If key was provided... (a hello_retry_request will not send a key) */ 2506 if (index + 2 <= len) { 2507 info->key_len = (word16)((input[index] << 8) | input[index+1]); 2508 index += OPAQUE16_LEN; 2509 if (info->key_len == 0 || info->key_len > len - index) { 2510 return -1; 2511 } 2512 info->key = &input[index]; 2513 index += info->key_len; 2514 } 2515 2516 switch (info->named_group) { 2517 #ifndef NO_DH 2518 #ifdef HAVE_FFDHE_2048 2519 case WOLFSSL_FFDHE_2048: 2520 info->dh_key_bits = 2048; 2521 break; 2522 #endif 2523 #ifdef HAVE_FFDHE_3072 2524 case WOLFSSL_FFDHE_3072: 2525 info->dh_key_bits = 3072; 2526 break; 2527 #endif 2528 #ifdef HAVE_FFDHE_4096 2529 case WOLFSSL_FFDHE_4096: 2530 info->dh_key_bits = 4096; 2531 break; 2532 #endif 2533 #ifdef HAVE_FFDHE_6144 2534 case WOLFSSL_FFDHE_6144: 2535 info->dh_key_bits = 6144; 2536 break; 2537 #endif 2538 #ifdef HAVE_FFDHE_8192 2539 case WOLFSSL_FFDHE_8192: 2540 info->dh_key_bits = 8192; 2541 break; 2542 #endif 2543 #endif /* !NO_DH */ 2544 #ifdef HAVE_ECC 2545 #if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES) 2546 #ifndef NO_ECC_SECP 2547 case WOLFSSL_ECC_SECP256R1: 2548 info->curve_id = ECC_SECP256R1; 2549 break; 2550 #endif /* !NO_ECC_SECP */ 2551 #endif 2552 #if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES) 2553 #ifndef NO_ECC_SECP 2554 case WOLFSSL_ECC_SECP384R1: 2555 info->curve_id = ECC_SECP384R1; 2556 break; 2557 #endif /* !NO_ECC_SECP */ 2558 #endif 2559 #if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES) 2560 #ifndef NO_ECC_SECP 2561 case WOLFSSL_ECC_SECP521R1: 2562 info->curve_id = ECC_SECP521R1; 2563 break; 2564 #endif /* !NO_ECC_SECP */ 2565 #endif 2566 #endif /* HAVE_ECC */ 2567 #ifdef HAVE_CURVE25519 2568 case WOLFSSL_ECC_X25519: 2569 info->curve_id = ECC_X25519; 2570 break; 2571 #endif 2572 #ifdef HAVE_X448 2573 case WOLFSSL_ECC_X448: 2574 info->curve_id = ECC_X448; 2575 break; 2576 #endif 2577 default: 2578 /* do not throw error here, keep iterating the client key share */ 2579 break; 2580 } 2581 2582 if (filter_group == 0 || filter_group == info->named_group) { 2583 return 0; 2584 } 2585 } 2586 return NO_PEER_KEY; /* unsupported key type */ 2587 } 2588 2589 static int ProcessServerKeyShare(SnifferSession* session, const byte* input, int len, 2590 char* error) 2591 { 2592 int ret; 2593 2594 if (session->cliKeyShare == NULL || session->cliKeyShareSz == 0) { 2595 /* session->cliKeyShareSz could not be provided yet if the client_hello 2596 did not send a key share to force a hello_retry_request */ 2597 return 0; 2598 } 2599 2600 /* Get server_hello key share (and key) */ 2601 ret = ProcessKeyShare(&session->srvKs, input, len, 0); 2602 if (ret == 0 && session->srvKs.key_len > 0) { 2603 /* Get client_hello key share */ 2604 ret = ProcessKeyShare(&session->cliKs, session->cliKeyShare, 2605 session->cliKeyShareSz, session->srvKs.named_group); 2606 } 2607 if (ret != 0) { 2608 SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 2609 return -1; 2610 } 2611 2612 return ret; 2613 } 2614 #endif /* WOLFSSL_TLS13 */ 2048 2615 2049 2616 /* Process Session Ticket */ … … 2053 2620 word16 len; 2054 2621 2055 /* make sure can read through hint and len */ 2056 if (TICKET_HINT_LEN + LENGTH_SZ > *sslBytes) { 2622 #ifdef WOLFSSL_TLS13 2623 WOLFSSL* ssl; 2624 2625 if (session->flags.side == WOLFSSL_SERVER_END) 2626 ssl = session->sslServer; 2627 else 2628 ssl = session->sslClient; 2629 #endif 2630 2631 /* make sure can read through hint len */ 2632 if (TICKET_HINT_LEN > *sslBytes) { 2057 2633 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2058 2634 return -1; 2059 2635 } 2060 2061 input += TICKET_HINT_LEN; /* skip over hint */ 2636 input += TICKET_HINT_LEN; /* skip over hint len */ 2062 2637 *sslBytes -= TICKET_HINT_LEN; 2063 2638 2064 len = (word16)((input[0] << 8) | input[1]); 2065 input += LENGTH_SZ; 2066 *sslBytes -= LENGTH_SZ; 2067 2068 /* make sure can read through ticket */ 2069 if (len > *sslBytes || len < ID_LEN) { 2639 #ifdef WOLFSSL_TLS13 2640 /* TLS v1.3 has hint age and nonce */ 2641 if (IsAtLeastTLSv1_3(ssl->version)) { 2642 /* make sure can read through hint age and nonce len */ 2643 if (TICKET_HINT_AGE_LEN + 1 > *sslBytes) { 2644 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2645 return -1; 2646 } 2647 input += TICKET_HINT_AGE_LEN; /* skip over hint age */ 2648 *sslBytes -= TICKET_HINT_AGE_LEN; 2649 2650 /* ticket nonce */ 2651 len = input[0]; 2652 if (len > MAX_TICKET_NONCE_SZ) { 2653 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2654 return -1; 2655 } 2656 input += OPAQUE8_LEN; 2657 *sslBytes -= OPAQUE8_LEN; 2658 #ifdef HAVE_SESSION_TICKET 2659 /* store nonce in server for DeriveResumptionPSK */ 2660 session->sslServer->session.ticketNonce.len = len; 2661 if (len > 0) 2662 XMEMCPY(&session->sslServer->session.ticketNonce.data, input, len); 2663 #endif 2664 input += len; 2665 *sslBytes -= len; 2666 } 2667 #endif 2668 2669 /* make sure can read through len */ 2670 if (OPAQUE16_LEN > *sslBytes) { 2070 2671 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2071 2672 return -1; 2072 2673 } 2073 2674 2074 /* store session with macID as sessionID */ 2075 session->sslServer->options.haveSessionId = 1; 2076 XMEMCPY(session->sslServer->arrays->sessionID, input + len - ID_LEN,ID_LEN); 2675 len = (word16)((input[0] << 8) | input[1]); 2676 input += OPAQUE16_LEN; 2677 *sslBytes -= OPAQUE16_LEN; 2678 2679 /* make sure can read through ticket */ 2680 if (len > *sslBytes) { 2681 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2682 return -1; 2683 } 2684 2685 #ifdef WOLFSSL_TLS13 2686 /* TLS v1.3 has hint age and nonce */ 2687 if (IsAtLeastTLSv1_3(ssl->version)) { 2688 #ifdef HAVE_SESSION_TICKET 2689 if (SetTicket(ssl, input, len) != 0) { 2690 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2691 return -1; 2692 } 2693 /* set haveSessionId to use the wolfSession cache */ 2694 ssl->options.haveSessionId = 1; 2695 2696 /* Use the wolf Session cache to retain resumption secret */ 2697 if (session->flags.cached == 0) { 2698 WOLFSSL_SESSION* sess = GetSession(ssl, NULL, 0); 2699 if (sess == NULL) { 2700 AddSession(ssl); /* don't re add */ 2701 #ifdef WOLFSSL_SNIFFER_STATS 2702 INC_STAT(SnifferStats.sslResumptionInserts); 2703 #endif 2704 } 2705 session->flags.cached = 1; 2706 } 2707 #endif /* HAVE_SESSION_TICKET */ 2708 } 2709 else 2710 #endif /* WOLFSSL_TLS13 */ 2711 { 2712 /* capture last part of sessionID as macID (32 bytes) */ 2713 if (len < ID_LEN) { 2714 SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); 2715 return -1; 2716 } 2717 /* store session with macID as sessionID */ 2718 session->sslServer->options.haveSessionId = 1; 2719 XMEMCPY(session->sslServer->arrays->sessionID, 2720 input + len - ID_LEN, ID_LEN); 2721 } 2077 2722 2078 2723 return 0; 2079 2724 } 2080 2725 2726 static int DoResume(SnifferSession* session, char* error) 2727 { 2728 int ret = 0; 2729 WOLFSSL_SESSION* resume; 2730 2731 #ifdef WOLFSSL_TLS13 2732 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 2733 resume = GetSession(session->sslServer, 2734 session->sslServer->session.masterSecret, 0); 2735 } 2736 else 2737 #endif 2738 { 2739 resume = GetSession(session->sslServer, 2740 session->sslServer->arrays->masterSecret, 0); 2741 } 2742 if (resume == NULL) { 2743 /* a session id without resume is okay with hello_retry_request */ 2744 #ifdef WOLFSSL_SNIFFER_STATS 2745 INC_STAT(SnifferStats.sslStandardConns); 2746 #endif 2747 return 0; 2748 } 2749 2750 /* make sure client has master secret too */ 2751 #ifdef WOLFSSL_TLS13 2752 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 2753 XMEMCPY(session->sslClient->session.masterSecret, 2754 session->sslServer->session.masterSecret, SECRET_LEN); 2755 } 2756 else 2757 #endif 2758 { 2759 XMEMCPY(session->sslClient->arrays->masterSecret, 2760 session->sslServer->arrays->masterSecret, SECRET_LEN); 2761 } 2762 session->flags.resuming = 1; 2763 2764 Trace(SERVER_DID_RESUMPTION_STR); 2765 #ifdef WOLFSSL_SNIFFER_STATS 2766 INC_STAT(SnifferStats.sslResumedConns); 2767 INC_STAT(SnifferStats.sslResumptionValid); 2768 #endif 2769 if (SetCipherSpecs(session->sslServer) != 0) { 2770 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); 2771 return -1; 2772 } 2773 2774 if (SetCipherSpecs(session->sslClient) != 0) { 2775 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); 2776 return -1; 2777 } 2778 2779 #ifdef WOLFSSL_TLS13 2780 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 2781 #ifdef HAVE_SESSION_TICKET 2782 /* Resumption PSK is resumption master secret. */ 2783 session->sslServer->arrays->psk_keySz = session->sslServer->specs.hash_size; 2784 session->sslClient->arrays->psk_keySz = session->sslClient->specs.hash_size; 2785 ret = DeriveResumptionPSK(session->sslServer, session->sslServer->session.ticketNonce.data, 2786 session->sslServer->session.ticketNonce.len, session->sslServer->arrays->psk_key); 2787 /* Copy resumption PSK to client */ 2788 XMEMCPY(session->sslClient->arrays->psk_key, 2789 session->sslServer->arrays->psk_key, 2790 session->sslServer->arrays->psk_keySz); 2791 #endif 2792 /* handshake key setup below and traffic keys done in SetupKeys */ 2793 } 2794 else 2795 #endif 2796 { 2797 if (IsTLS(session->sslServer)) { 2798 ret = DeriveTlsKeys(session->sslServer); 2799 ret += DeriveTlsKeys(session->sslClient); 2800 } 2801 else { 2802 #ifndef NO_OLD_TLS 2803 ret = DeriveKeys(session->sslServer); 2804 ret += DeriveKeys(session->sslClient); 2805 #endif 2806 } 2807 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE); 2808 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE); 2809 } 2810 2811 if (ret != 0) { 2812 SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE); 2813 return -1; 2814 } 2815 2816 return ret; 2817 } 2081 2818 2082 2819 /* Process Server Hello */ … … 2084 2821 SnifferSession* session, char* error) 2085 2822 { 2823 int ret = 0; 2086 2824 ProtocolVersion pv; 2087 2825 byte b, b0; 2088 2826 int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN; 2089 int doResume = 0; 2827 int doResume = 0; 2828 const byte* inputHello = input; 2090 2829 int initialBytes = *sslBytes; 2091 2830 2092 2831 (void)msgSz; 2093 (void)initialBytes;2094 2832 2095 2833 /* make sure we didn't miss ClientHello */ 2096 if (session->flags.clientHello == 0 ) {2097 SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE);2098 return -1;2834 if (session->flags.clientHello == 0 || session->sslClient->arrays == NULL) { 2835 SetError(MISSED_CLIENT_HELLO_STR, error, session, 0); 2836 return 0; /* do not throw error, just ignore packet */ 2099 2837 } 2100 2838 … … 2111 2849 session->sslServer->version = pv; 2112 2850 session->sslClient->version = pv; 2851 if (pv.minor >= TLSv1_MINOR) { 2852 session->sslServer->options.tls = 1; 2853 session->sslClient->options.tls = 1; 2854 } 2113 2855 2114 2856 XMEMCPY(session->sslServer->arrays->serverRandom, input, RAN_LEN); 2115 2857 XMEMCPY(session->sslClient->arrays->serverRandom, input, RAN_LEN); 2116 input += RAN_LEN;2858 input += RAN_LEN; 2117 2859 *sslBytes -= RAN_LEN; 2118 2860 … … 2126 2868 } 2127 2869 if (b) { 2870 #ifdef WOLFSSL_TLS13 2871 XMEMCPY(session->sslServer->session.sessionID, input, ID_LEN); 2872 #endif 2128 2873 XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN); 2129 2874 session->sslServer->options.haveSessionId = 1; … … 2169 2914 } 2170 2915 2171 #ifdef HAVE_EXTENDED_MASTER2172 2916 /* extensions */ 2173 2917 if ((initialBytes - *sslBytes) < msgSz) { … … 2190 2934 2191 2935 while (len >= EXT_TYPE_SZ + LENGTH_SZ) { 2192 byte extType[EXT_TYPE_SZ];2936 word16 extType; 2193 2937 word16 extLen; 2194 2938 2195 extType[0] = input[0]; 2196 extType[1] = input[1]; 2939 extType = (word16)((input[0] << 8) | input[1]); 2197 2940 input += EXT_TYPE_SZ; 2198 2941 *sslBytes -= EXT_TYPE_SZ; 2199 2942 2200 extLen = (word16)((input[0] << 8) | input[1]);2943 extLen = (word16)((input[0] << 8) | input[1]); 2201 2944 input += LENGTH_SZ; 2202 2945 *sslBytes -= LENGTH_SZ; … … 2209 2952 } 2210 2953 2211 if (extType[0] == 0x00 && extType[1] == EXT_MASTER_SECRET) { 2954 switch (extType) { 2955 #ifdef WOLFSSL_TLS13 2956 case EXT_KEY_SHARE: 2957 ret = ProcessServerKeyShare(session, input, extLen, error); 2958 if (ret != 0) { 2959 SetError(SERVER_HELLO_INPUT_STR, error, session, 2960 FATAL_ERROR_STATE); 2961 return -1; 2962 } 2963 break; 2964 #endif 2965 #ifdef HAVE_SESSION_TICKET 2966 case EXT_PRE_SHARED_KEY: 2967 /* indicates we want to use resumption */ 2968 session->sslServer->options.resuming = 1; 2969 session->sslClient->options.resuming = 1; 2970 #ifdef WOLFSSL_TLS13 2971 /* default nonce to len = 1, data = 0 */ 2972 session->sslServer->session.ticketNonce.len = 1; 2973 session->sslServer->session.ticketNonce.data[0] = 0; 2974 session->sslClient->session.ticketNonce.len = 1; 2975 session->sslClient->session.ticketNonce.data[0] = 0; 2976 #endif 2977 break; 2978 #endif 2979 #ifdef HAVE_MAX_FRAGMENT 2980 case EXT_MAX_FRAGMENT_LENGTH: 2981 { 2982 word16 max_fragment = MAX_RECORD_SIZE; 2983 switch (input[0]) { 2984 case WOLFSSL_MFL_2_8 : max_fragment = 256; break; 2985 case WOLFSSL_MFL_2_9 : max_fragment = 512; break; 2986 case WOLFSSL_MFL_2_10: max_fragment = 1024; break; 2987 case WOLFSSL_MFL_2_11: max_fragment = 2048; break; 2988 case WOLFSSL_MFL_2_12: max_fragment = 4096; break; 2989 case WOLFSSL_MFL_2_13: max_fragment = 8192; break; 2990 default: break; 2991 } 2992 session->sslServer->max_fragment = max_fragment; 2993 session->sslClient->max_fragment = max_fragment; 2994 break; 2995 } 2996 #endif 2997 case EXT_SUPPORTED_VERSIONS: 2998 session->sslServer->version.major = input[0]; 2999 session->sslServer->version.minor = input[1]; 3000 session->sslClient->version.major = input[0]; 3001 session->sslClient->version.minor = input[1]; 3002 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 3003 /* The server side handshake encryption is on for future packets */ 3004 session->flags.serverCipherOn = 1; 3005 } 3006 break; 3007 case EXT_MASTER_SECRET: 3008 #ifdef HAVE_EXTENDED_MASTER 2212 3009 session->flags.expectEms = 1; 3010 #endif 3011 break; 2213 3012 } 2214 3013 … … 2219 3018 } 2220 3019 3020 #ifdef HAVE_EXTENDED_MASTER 2221 3021 if (!session->flags.expectEms) { 2222 3022 XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES); … … 2227 3027 if (session->sslServer->options.haveSessionId) { 2228 3028 if (XMEMCMP(session->sslServer->arrays->sessionID, 2229 session->sslClient->arrays->sessionID, ID_LEN) == 0)3029 session->sslClient->arrays->sessionID, ID_LEN) == 0) { 2230 3030 doResume = 1; 2231 } 3031 } 3032 } 2232 3033 else if (session->sslClient->options.haveSessionId == 0 && 2233 3034 session->sslServer->options.haveSessionId == 0 && 2234 session->ticketID) 3035 session->ticketID) { 2235 3036 doResume = 1; 3037 } 2236 3038 2237 3039 if (session->ticketID && doResume) { … … 2242 3044 } 2243 3045 2244 if (doResume ) { 2245 int ret = 0; 2246 SSL_SESSION* resume = GetSession(session->sslServer, 2247 session->sslServer->arrays->masterSecret, 0); 2248 if (resume == NULL) { 2249 #ifdef WOLFSSL_SNIFFER_STATS 2250 INC_STAT(SnifferStats.sslResumeMisses); 2251 #endif 2252 SetError(BAD_SESSION_RESUME_STR, error, session, FATAL_ERROR_STATE); 2253 return -1; 2254 } 2255 /* make sure client has master secret too */ 2256 XMEMCPY(session->sslClient->arrays->masterSecret, 2257 session->sslServer->arrays->masterSecret, SECRET_LEN); 2258 session->flags.resuming = 1; 2259 2260 Trace(SERVER_DID_RESUMPTION_STR); 2261 #ifdef WOLFSSL_SNIFFER_STATS 2262 INC_STAT(SnifferStats.sslResumedConns); 2263 INC_STAT(SnifferStats.sslResumptionValid); 2264 #endif 2265 if (SetCipherSpecs(session->sslServer) != 0) { 2266 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); 2267 return -1; 2268 } 2269 2270 if (SetCipherSpecs(session->sslClient) != 0) { 2271 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); 2272 return -1; 2273 } 2274 2275 if (session->sslServer->options.tls) { 2276 ret = DeriveTlsKeys(session->sslServer); 2277 ret += DeriveTlsKeys(session->sslClient); 2278 } 2279 else { 2280 ret = DeriveKeys(session->sslServer); 2281 ret += DeriveKeys(session->sslClient); 2282 } 2283 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE); 2284 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE); 2285 3046 #ifdef WOLFSSL_TLS13 3047 /* Is TLS v1.3 hello_retry_request? */ 3048 if (IsAtLeastTLSv1_3(session->sslServer->version) && session->srvKs.key_len == 0) { 3049 Trace(GOT_HELLO_RETRY_REQ_STR); 3050 3051 /* do not compute keys yet */ 3052 session->flags.serverCipherOn = 0; 3053 3054 /* make sure the mac and digest size are set */ 3055 SetCipherSpecs(session->sslServer); 3056 SetCipherSpecs(session->sslClient); 3057 3058 /* reset hashes */ 3059 RestartHandshakeHash(session->sslServer); 3060 RestartHandshakeHash(session->sslClient); 3061 3062 doResume = 0; 3063 } 3064 #endif 3065 3066 /* hash server_hello */ 3067 HashRaw(session->sslServer, inputHello - HANDSHAKE_HEADER_SZ, 3068 initialBytes + HANDSHAKE_HEADER_SZ); 3069 HashRaw(session->sslClient, inputHello - HANDSHAKE_HEADER_SZ, 3070 initialBytes + HANDSHAKE_HEADER_SZ); 3071 3072 if (doResume) { 3073 ret = DoResume(session, error); 2286 3074 if (ret != 0) { 2287 SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE); 2288 return -1; 3075 return ret; 2289 3076 } 2290 3077 } … … 2294 3081 #endif 2295 3082 } 3083 2296 3084 #ifdef SHOW_SECRETS 2297 { 2298 int i; 2299 printf("cipher suite = 0x%02x\n", 2300 session->sslServer->options.cipherSuite); 2301 printf("server random: "); 2302 for (i = 0; i < RAN_LEN; i++) 2303 printf("%02x", session->sslServer->arrays->serverRandom[i]); 2304 printf("\n"); 2305 } 2306 #endif 3085 printf("cipher suite = 0x%02x\n", session->sslServer->options.cipherSuite); 3086 PrintSecret("server random", session->sslServer->arrays->serverRandom, RAN_LEN); 3087 #endif 3088 3089 #ifdef WOLFSSL_TLS13 3090 /* Setup handshake keys */ 3091 if (IsAtLeastTLSv1_3(session->sslServer->version) && session->srvKs.key_len > 0) { 3092 KeyBuffers_t keys; 3093 XMEMSET(&keys, 0, sizeof(keys)); 3094 keys.rsaKey = session->sslServer->buffers.key; 3095 #ifdef WOLFSSL_STATIC_EPHEMERAL 3096 #ifndef NO_DH 3097 keys.dhKey = session->sslServer->staticKE.dhKey; 3098 #endif 3099 #ifdef HAVE_ECC 3100 keys.ecKey = session->sslServer->staticKE.ecKey; 3101 #endif 3102 #endif 3103 ret = SetupKeys(session->cliKs.key, &session->cliKs.key_len, 3104 session, error, &session->cliKs, &keys); 3105 if (ret != 0) { 3106 SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 3107 return ret; 3108 } 3109 3110 if (session->flags.side == WOLFSSL_SERVER_END) 3111 session->flags.serverCipherOn = 1; 3112 else 3113 session->flags.clientCipherOn = 1; 3114 } 3115 #endif 3116 2307 3117 return 0; 2308 3118 } … … 2313 3123 SnifferSession* session, char* error) 2314 3124 { 3125 int ret = 0; 2315 3126 byte bLen; 2316 3127 word16 len; 2317 3128 int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN; 3129 const byte* inputHello = input; 3130 int inputHelloSz = *sslBytes; 3131 WOLFSSL* ssl = session->sslServer; 3132 int didHash = 0; 2318 3133 2319 3134 #ifdef HAVE_SNI … … 2321 3136 byte name[MAX_SERVER_NAME]; 2322 3137 word32 nameSz = sizeof(name); 2323 int ret;2324 3138 2325 3139 ret = wolfSSL_SNI_GetFromBuffer( … … 2339 3153 if (nameSz == namedKey->nameSz && 2340 3154 XSTRNCMP((char*)name, namedKey->name, nameSz) == 0) { 2341 if (wolfSSL_use_PrivateKey_buffer(session->sslServer, 2342 namedKey->key, namedKey->keySz, 2343 WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) { 3155 #ifdef WOLFSSL_STATIC_EPHEMERAL 3156 if (namedKey->isEphemeralKey) { 3157 /* auto detect key type with WC_PK_TYPE_NONE */ 3158 ret = wolfSSL_set_ephemeral_key(ssl, 3159 WC_PK_TYPE_NONE, (const char*)namedKey->key, 3160 namedKey->keySz, WOLFSSL_FILETYPE_ASN1); 3161 if (ret == 0) 3162 ret = WOLFSSL_SUCCESS; 3163 } 3164 else 3165 #endif 3166 { 3167 ret = wolfSSL_use_PrivateKey_buffer(ssl, 3168 namedKey->key, namedKey->keySz, 3169 WOLFSSL_FILETYPE_ASN1); 3170 } 3171 if (ret != WOLFSSL_SUCCESS) { 2344 3172 wc_UnLockMutex(&session->context->namedKeysMutex); 2345 3173 SetError(CLIENT_HELLO_LATE_KEY_STR, error, session, … … 2355 3183 wc_UnLockMutex(&session->context->namedKeysMutex); 2356 3184 } 3185 /* SSLv3 does not support the SNI TLS Extension and may return SNI_UNSUPPORTED */ 3186 if (ret > 0 || ret == SNI_UNSUPPORTED) { 3187 /* make sure WOLFSSL_SUCCESS is converted to zero error code */ 3188 ret = 0; 3189 } 2357 3190 } 2358 3191 #endif … … 2385 3218 } 2386 3219 Trace(CLIENT_RESUME_TRY_STR); 3220 #ifdef WOLFSSL_TLS13 3221 XMEMCPY(session->sslClient->session.sessionID, input, ID_LEN); 3222 #endif 2387 3223 XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN); 2388 3224 session->sslClient->options.haveSessionId = 1; 2389 3225 } 3226 2390 3227 #ifdef SHOW_SECRETS 2391 { 2392 int i; 2393 printf("client random: "); 2394 for (i = 0; i < RAN_LEN; i++) 2395 printf("%02x", session->sslServer->arrays->clientRandom[i]); 2396 printf("\n"); 2397 } 3228 PrintSecret("client random", ssl->arrays->clientRandom, RAN_LEN); 2398 3229 #endif 2399 3230 … … 2450 3281 2451 3282 while (len >= EXT_TYPE_SZ + LENGTH_SZ) { 2452 byte extType[EXT_TYPE_SZ];3283 word16 extType; 2453 3284 word16 extLen; 2454 3285 2455 extType[0] = input[0]; 2456 extType[1] = input[1]; 3286 extType = (word16)((input[0] << 8) | input[1]); 2457 3287 input += EXT_TYPE_SZ; 2458 3288 *sslBytes -= EXT_TYPE_SZ; 2459 3289 2460 extLen = (word16)((input[0] << 8) | input[1]);3290 extLen = (word16)((input[0] << 8) | input[1]); 2461 3291 input += LENGTH_SZ; 2462 3292 *sslBytes -= LENGTH_SZ; … … 2468 3298 } 2469 3299 2470 if (extType[0] == 0x00 && extType[1] == TICKET_EXT_ID) { 2471 3300 switch (extType) { 3301 #ifdef WOLFSSL_TLS13 3302 case EXT_KEY_SHARE: 3303 { 3304 word16 ksLen = (word16)((input[0] << 8) | input[1]); 3305 if (ksLen + OPAQUE16_LEN > extLen) { 3306 SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 3307 return -1; 3308 } 3309 /* cache key share data till server_hello */ 3310 session->cliKeyShareSz = ksLen; 3311 session->cliKeyShare = (byte*)XMALLOC(ksLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); 3312 if (session->cliKeyShare == NULL) { 3313 SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE); 3314 break; 3315 } 3316 XMEMCPY(session->cliKeyShare, &input[2], ksLen); 3317 break; 3318 } 3319 #ifdef HAVE_SESSION_TICKET 3320 case EXT_PRE_SHARED_KEY: 3321 { 3322 word16 idsLen, idLen, bindersLen, idx = 0; 3323 word32 ticketAge; 3324 const byte *identity, *binders; 3325 3326 idsLen = (word16)((input[idx] << 8) | input[idx+1]); 3327 if (idsLen + OPAQUE16_LEN + idx > extLen) { 3328 SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 3329 return -1; 3330 } 3331 idx += OPAQUE16_LEN; 3332 3333 /* PSK identity */ 3334 idLen = (word16)((input[idx] << 8) | input[idx+1]); 3335 if (idLen + OPAQUE16_LEN + idx > extLen) { 3336 SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 3337 return -1; 3338 } 3339 idx += OPAQUE16_LEN; 3340 identity = &input[idx]; 3341 idx += idLen; 3342 3343 /* Obfuscated Ticket Age 32-bits */ 3344 ticketAge = (word32)((input[idx] << 24) | (input[idx+1] << 16) | 3345 (input[idx+2] << 8) | input[idx+3]); 3346 (void)ticketAge; /* not used */ 3347 idx += OPAQUE32_LEN; 3348 3349 /* binders - all binders */ 3350 bindersLen = (word16)((input[idx] << 8) | input[idx+1]); 3351 if (bindersLen + OPAQUE16_LEN + idx > extLen) { 3352 SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); 3353 return -1; 3354 } 3355 idx += OPAQUE16_LEN; 3356 binders = &input[idx]; 3357 bindersLen += OPAQUE16_LEN; /* includes 2 bytes for total len */ 3358 (void)binders; /* not used */ 3359 3360 /* Hash data up to binders for deriving binders in PSK extension. */ 3361 HashRaw(session->sslServer, inputHello - HANDSHAKE_HEADER_SZ, 3362 inputHelloSz - bindersLen + HANDSHAKE_HEADER_SZ); 3363 HashRaw(session->sslClient, inputHello - HANDSHAKE_HEADER_SZ, 3364 inputHelloSz - bindersLen + HANDSHAKE_HEADER_SZ); 3365 3366 /* call to decrypt session ticket */ 3367 if (DoClientTicket(ssl, identity, idLen) != 0) { 3368 /* we aren't decrypting the resumption, since we know the master secret */ 3369 /* ignore errors */ 3370 } 3371 ssl->options.resuming = 1; 3372 3373 /* Hash the rest of the ClientHello. */ 3374 HashRaw(session->sslServer, inputHello + inputHelloSz - bindersLen, bindersLen); 3375 HashRaw(session->sslClient, inputHello + inputHelloSz - bindersLen, bindersLen); 3376 didHash = 1; 3377 break; 3378 } 3379 #endif /* HAVE_SESSION_TICKET */ 3380 #endif /* WOLFSSL_TLS13 */ 3381 case EXT_SUPPORTED_VERSIONS: 3382 break; 3383 case EXT_TICKET_ID: 2472 3384 /* make sure can read through ticket if there is a non blank one */ 2473 3385 if (extLen && extLen < ID_LEN) { … … 2476 3388 return -1; 2477 3389 } 2478 2479 3390 if (extLen) { 2480 if (session->ticketID == 0) {3391 if (session->ticketID == NULL) { 2481 3392 session->ticketID = (byte*)XMALLOC(ID_LEN, 2482 3393 NULL, DYNAMIC_TYPE_SNIFFER_TICKET_ID); … … 2489 3400 XMEMCPY(session->ticketID, input + extLen - ID_LEN, ID_LEN); 2490 3401 } 3402 break; 2491 3403 } 2492 3404 … … 2496 3408 } 2497 3409 2498 return 0; 3410 if (!didHash) { 3411 HashRaw(session->sslServer, inputHello - HANDSHAKE_HEADER_SZ, 3412 inputHelloSz + HANDSHAKE_HEADER_SZ); 3413 HashRaw(session->sslClient, inputHello - HANDSHAKE_HEADER_SZ, 3414 inputHelloSz + HANDSHAKE_HEADER_SZ); 3415 } 3416 3417 (void)ssl; 3418 3419 return ret; 2499 3420 } 2500 3421 2501 3422 2502 3423 #ifdef WOLFSSL_SNIFFER_WATCH 3424 3425 static int KeyWatchCall(SnifferSession* session, const byte* data, int dataSz, 3426 char* error) 3427 { 3428 int ret; 3429 Sha256 sha; 3430 byte digest[SHA256_DIGEST_SIZE]; 3431 3432 if (WatchCb == NULL) { 3433 SetError(WATCH_CB_MISSING_STR, error, session, FATAL_ERROR_STATE); 3434 return -1; 3435 } 3436 3437 ret = wc_InitSha256(&sha); 3438 if (ret == 0) 3439 ret = wc_Sha256Update(&sha, data, dataSz); 3440 if (ret == 0) 3441 ret = wc_Sha256Final(&sha, digest); 3442 if (ret != 0) { 3443 SetError(WATCH_HASH_STR, error, session, FATAL_ERROR_STATE); 3444 return -1; 3445 } 3446 3447 ret = WatchCb((void*)session, digest, sizeof(digest), 3448 data, dataSz, WatchCbCtx, error); 3449 if (ret != 0) { 3450 #ifdef WOLFSSL_SNIFFER_STATS 3451 INC_STAT(SnifferStats.sslKeysUnmatched); 3452 #endif 3453 SetError(WATCH_FAIL_STR, error, session, FATAL_ERROR_STATE); 3454 ret = -1; 3455 } 3456 else { 3457 #ifdef WOLFSSL_SNIFFER_STATS 3458 INC_STAT(SnifferStats.sslKeyMatches); 3459 #endif 3460 } 3461 return ret; 3462 } 2503 3463 2504 3464 /* Process Certificate */ … … 2506 3466 SnifferSession* session, char* error) 2507 3467 { 2508 Sha256 sha;2509 const byte* certChain;2510 3468 word32 certChainSz; 2511 3469 word32 certSz; 2512 int ret;2513 byte digest[SHA256_DIGEST_SIZE];2514 3470 2515 3471 /* If the receiver is the server, this is the client certificate message, … … 2518 3474 return 0; 2519 3475 2520 if (WatchCb == NULL) {2521 SetError(WATCH_CB_MISSING_STR, error, session, FATAL_ERROR_STATE);2522 return -1;2523 }2524 2525 3476 if (*sslBytes < CERT_HEADER_SZ) { 2526 3477 SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE); 2527 3478 return -1; 2528 3479 } 3480 3481 #ifdef WOLFSSL_TLS13 3482 if (IsAtLeastTLSv1_3(session->sslServer->version)) { 3483 /* skip 1 byte (Request context len) */ 3484 input += OPAQUE8_LEN; 3485 *sslBytes -= OPAQUE8_LEN; 3486 } 3487 #endif 3488 2529 3489 ato24(input, &certChainSz); 2530 3490 *sslBytes -= CERT_HEADER_SZ; … … 2535 3495 return -1; 2536 3496 } 2537 certChain = input;2538 3497 2539 3498 ato24(input, &certSz); … … 2546 3505 *sslBytes -= certChainSz; 2547 3506 2548 ret = wc_InitSha256(&sha); 2549 if (ret == 0) 2550 ret = wc_Sha256Update(&sha, input, certSz); 2551 if (ret == 0) 2552 ret = wc_Sha256Final(&sha, digest); 2553 if (ret != 0) { 2554 SetError(WATCH_HASH_STR, error, session, FATAL_ERROR_STATE); 2555 return -1; 2556 } 2557 2558 ret = WatchCb((void*)session, digest, sizeof(digest), 2559 certChain, certChainSz, WatchCbCtx, error); 2560 if (ret != 0) { 2561 #ifdef WOLFSSL_SNIFFER_STATS 2562 INC_STAT(SnifferStats.sslKeysUnmatched); 2563 #endif 2564 SetError(WATCH_FAIL_STR, error, session, FATAL_ERROR_STATE); 2565 return -1; 2566 } 2567 else { 2568 #ifdef WOLFSSL_SNIFFER_STATS 2569 INC_STAT(SnifferStats.sslKeyMatches); 2570 #endif 2571 } 2572 2573 return 0; 3507 return KeyWatchCall(session, input, certSz, error); 2574 3508 } 2575 3509 … … 2581 3515 SnifferSession* session, char* error) 2582 3516 { 2583 SSL*ssl;3517 WOLFSSL* ssl; 2584 3518 word32 inOutIdx = 0; 2585 3519 int ret; … … 2590 3524 ssl = session->sslClient; 2591 3525 2592 ret = DoFinished(ssl, input, &inOutIdx, (word32) size, (word32) *sslBytes, 2593 SNIFF); 3526 #ifdef WOLFSSL_TLS13 3527 if (IsAtLeastTLSv1_3(ssl->version)) { 3528 ret = DoTls13Finished(ssl, input, &inOutIdx, (word32)size, 3529 (word32)*sslBytes, SNIFF); 3530 3531 ssl->options.handShakeState = HANDSHAKE_DONE; 3532 ssl->options.handShakeDone = 1; 3533 } 3534 else 3535 #endif 3536 { 3537 ret = DoFinished(ssl, input, &inOutIdx, (word32)size, 3538 (word32)*sslBytes, SNIFF); 3539 } 2594 3540 *sslBytes -= (int)inOutIdx; 2595 3541 … … 2612 3558 } 2613 3559 3560 #ifdef WOLFSSL_TLS13 3561 /* Derive TLS v1.3 traffic keys */ 3562 if (IsAtLeastTLSv1_3(ssl->version)) { 3563 if (!session->flags.gotFinished) { 3564 /* When either side gets "finished" derive master secret and keys */ 3565 ret = DeriveMasterSecret(session->sslServer); 3566 ret += DeriveMasterSecret(session->sslClient); 3567 #ifdef WOLFSSL_EARLY_DATA 3568 ret += DeriveTls13Keys(session->sslServer, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, ssl->earlyData == no_early_data); 3569 ret += DeriveTls13Keys(session->sslClient, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, ssl->earlyData == no_early_data); 3570 #else 3571 ret += DeriveTls13Keys(session->sslServer, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, 1); 3572 ret += DeriveTls13Keys(session->sslClient, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, 1); 3573 #endif 3574 3575 if (ret != 0) { 3576 SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE); 3577 return -1; 3578 } 3579 3580 session->flags.gotFinished = 1; 3581 #ifdef SHOW_SECRETS 3582 ShowTlsSecrets(session); 3583 #endif 3584 } 3585 3586 if (session->flags.side == WOLFSSL_SERVER_END) { 3587 /* finished from client to server */ 3588 ret = SetKeysSide(session->sslServer, DECRYPT_SIDE_ONLY); 3589 ret += SetKeysSide(session->sslClient, ENCRYPT_SIDE_ONLY); 3590 3591 #ifdef HAVE_SESSION_TICKET 3592 /* derive resumption secret for next session - on finished (from client) */ 3593 ret += DeriveResumptionSecret(session->sslClient, session->sslClient->session.masterSecret); 3594 3595 /* copy resumption secret to server */ 3596 XMEMCPY(session->sslServer->session.masterSecret, 3597 session->sslClient->session.masterSecret, SECRET_LEN); 3598 #ifdef SHOW_SECRETS 3599 PrintSecret("resumption secret", session->sslClient->session.masterSecret, SECRET_LEN); 3600 #endif 3601 #endif 3602 } 3603 else { 3604 /* finished from server to client */ 3605 ret = SetKeysSide(session->sslServer, ENCRYPT_SIDE_ONLY); 3606 ret += SetKeysSide(session->sslClient, DECRYPT_SIDE_ONLY); 3607 } 3608 3609 if (ret != 0) { 3610 SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE); 3611 return -1; 3612 } 3613 } 3614 #endif 3615 2614 3616 /* If receiving a finished message from one side, free the resources 2615 3617 * from the other side's tracker. */ … … 2625 3627 /* Process HandShake input */ 2626 3628 static int DoHandShake(const byte* input, int* sslBytes, 2627 SnifferSession* session, char* error )3629 SnifferSession* session, char* error, word16 rhSize) 2628 3630 { 2629 3631 byte type; 2630 3632 int size; 2631 3633 int ret = 0; 2632 int startBytes; 3634 WOLFSSL* ssl; 3635 int startBytes; 3636 3637 (void)rhSize; 3638 3639 #ifdef HAVE_MAX_FRAGMENT 3640 if (session->tlsFragBuf) { 3641 XMEMCPY(session->tlsFragBuf + session->tlsFragOffset, input, rhSize); 3642 session->tlsFragOffset += rhSize; 3643 *sslBytes -= rhSize; 3644 3645 if (session->tlsFragOffset < session->tlsFragSize) { 3646 return 0; 3647 } 3648 3649 /* reassembled complete fragment */ 3650 input = session->tlsFragBuf; 3651 *sslBytes = session->tlsFragSize; 3652 rhSize = session->tlsFragSize; 3653 } 3654 #endif 2633 3655 2634 3656 if (*sslBytes < HANDSHAKE_HEADER_SZ) { … … 2649 3671 } 2650 3672 2651 /* A session's arrays are released when the handshake is completed. */ 2652 if (session->sslServer->arrays == NULL && 2653 session->sslClient->arrays == NULL) { 2654 2655 SetError(NO_SECURE_RENEGOTIATION, error, session, FATAL_ERROR_STATE); 2656 return -1; 2657 } 2658 3673 if (session->flags.side == WOLFSSL_SERVER_END) 3674 ssl = session->sslServer; 3675 else 3676 ssl = session->sslClient; 3677 3678 #ifdef HAVE_SECURE_RENEGOTIATION 3679 if (!IsAtLeastTLSv1_3(ssl->version)) { 3680 /* A session's arrays are released when the handshake is completed. */ 3681 if (session->sslServer->arrays == NULL && 3682 session->sslClient->arrays == NULL) { 3683 3684 SetError(NO_SECURE_RENEGOTIATION, error, session, FATAL_ERROR_STATE); 3685 return -1; 3686 } 3687 } 3688 #endif 3689 3690 #ifdef HAVE_MAX_FRAGMENT 3691 if (rhSize < size) { 3692 /* partial fragment, let's reassemble */ 3693 if (session->tlsFragBuf == NULL) { 3694 session->tlsFragOffset = 0; 3695 session->tlsFragSize = size + HANDSHAKE_HEADER_SZ; 3696 session->tlsFragBuf = (byte*)XMALLOC(session->tlsFragSize, NULL, DYNAMIC_TYPE_TMP_BUFFER); 3697 if (session->tlsFragBuf == NULL) { 3698 SetError(MEMORY_STR, error, NULL, 0); 3699 return 0; 3700 } 3701 3702 /* include the handshake header */ 3703 input -= HANDSHAKE_HEADER_SZ; 3704 *sslBytes += HANDSHAKE_HEADER_SZ; 3705 } 3706 3707 XMEMCPY(session->tlsFragBuf + session->tlsFragOffset, input, rhSize); 3708 session->tlsFragOffset += rhSize; 3709 *sslBytes -= rhSize; 3710 return 0; 3711 } 3712 #endif 3713 3714 #ifdef WOLFSSL_TLS13 3715 if (type != client_hello && type != server_hello) { 3716 /* For resumption the hash is before / after client_hello PSK binder */ 3717 /* hash the packet including header */ 3718 /* TLS v1.3 requires the hash for the handshake and transfer key derivation */ 3719 /* we hash even for non TLS v1.3, since we don't know if its actually 3720 TLS v1.3 till later at EXT_SUPPORTED_VERSIONS in server_hello */ 3721 /* hello retry request restarts hash prior to server_hello hash calc */ 3722 HashRaw(session->sslServer, input - HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ); 3723 HashRaw(session->sslClient, input - HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ); 3724 } 3725 #endif 2659 3726 #ifdef HAVE_EXTENDED_MASTER 2660 3727 if (session->hash) { … … 2662 3729 SetError(EXTENDED_MASTER_HASH_STR, error, 2663 3730 session, FATAL_ERROR_STATE); 2664 return -1; 3731 ret = -1; 3732 goto exit; 2665 3733 } 2666 3734 } … … 2694 3762 ret = -1; 2695 3763 break; 3764 case encrypted_extensions: 3765 Trace(GOT_ENC_EXT_STR); 3766 ssl->msgsReceived.got_encrypted_extensions = 1; 3767 break; 2696 3768 case certificate: 2697 3769 Trace(GOT_CERT_STR); … … 2753 3825 default: 2754 3826 SetError(GOT_UNKNOWN_HANDSHAKE_STR, error, session, 0); 2755 return -1; 2756 } 3827 ret = -1; 3828 break; 3829 } 3830 3831 #ifdef HAVE_EXTENDED_MASTER 3832 exit: 3833 #endif 3834 #ifdef HAVE_MAX_FRAGMENT 3835 if (session->tlsFragBuf) { 3836 XFREE(session->tlsFragBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); 3837 session->tlsFragBuf = NULL; 3838 } 3839 #endif 2757 3840 2758 3841 *sslBytes = startBytes - size; /* actual bytes of full process */ … … 2763 3846 2764 3847 /* Decrypt input into plain output, 0 on success */ 2765 static int Decrypt( SSL* ssl, byte* output, const byte* input, word32 sz)3848 static int Decrypt(WOLFSSL* ssl, byte* output, const byte* input, word32 sz) 2766 3849 { 2767 3850 int ret = 0; … … 2814 3897 #endif 2815 3898 2816 #if def HAVE_AESGCM3899 #if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) 2817 3900 case wolfssl_aes_gcm: 2818 if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size)) 2819 { 2820 /* scratch buffer, sniffer ignores auth tag*/ 3901 case wolfssl_aes_ccm: /* GCM AEAD macros use same size as CCM */ 3902 if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size)) { 3903 /* scratch buffer, sniffer ignores auth tag */ 3904 wc_AesAuthEncryptFunc aes_auth_fn; 2821 3905 byte authTag[WOLFSSL_MIN_AUTH_TAG_SZ]; 2822 2823 3906 byte nonce[AESGCM_NONCE_SZ]; 2824 3907 XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ); 2825 3908 XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ); 2826 3909 2827 if (wc_AesGcmEncrypt(ssl->decrypt.aes, 3910 /* use encrypt because we don't care about authtag */ 3911 #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM) 3912 aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) 3913 ? wc_AesGcmEncrypt : wc_AesCcmEncrypt; 3914 #elif defined(BUILD_AESGCM) 3915 aes_auth_fn = wc_AesGcmEncrypt; 3916 #else 3917 aes_auth_fn = wc_AesCcmEncrypt; 3918 #endif 3919 if (aes_auth_fn(ssl->decrypt.aes, 2828 3920 output, 2829 3921 input + AESGCM_EXP_IV_SZ, … … 2842 3934 } 2843 3935 break; 2844 3936 #endif 2845 3937 2846 3938 #ifdef HAVE_NULL_CIPHER … … 2861 3953 2862 3954 /* Decrypt input message into output, adjust output steam if needed */ 2863 static const byte* DecryptMessage( SSL* ssl, const byte* input, word32 sz,2864 byte* output, int* error, int* advance)3955 static const byte* DecryptMessage(WOLFSSL* ssl, const byte* input, word32 sz, 3956 byte* output, int* error, int* advance, RecordLayerHeader* rh) 2865 3957 { 2866 3958 int ivExtra = 0; 2867 2868 int ret = Decrypt(ssl, output, input, sz); 3959 int ret; 3960 3961 #ifdef WOLFSSL_TLS13 3962 if (IsAtLeastTLSv1_3(ssl->version)) { 3963 ret = DecryptTls13(ssl, output, input, sz, (byte*)rh, RECORD_HEADER_SZ); 3964 } 3965 else 3966 #endif 3967 { 3968 ret = Decrypt(ssl, output, input, sz); 3969 } 2869 3970 if (ret != 0) { 2870 3971 *error = ret; … … 2873 3974 ssl->keys.encryptSz = sz; 2874 3975 if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) { 2875 output += ssl->specs.block_size; 3976 output += ssl->specs.block_size; /* go past TLSv1.1 IV */ 2876 3977 ivExtra = ssl->specs.block_size; 2877 3978 *advance = ssl->specs.block_size; … … 2887 3988 if (ssl->specs.cipher_type == block) 2888 3989 ssl->keys.padSz += *(output + sz - ivExtra - 1) + 1; 3990 3991 #ifdef WOLFSSL_TLS13 3992 if (IsAtLeastTLSv1_3(ssl->version)) { 3993 word16 i = (word16)(sz - ssl->keys.padSz); 3994 /* Remove padding from end of plain text. */ 3995 for (--i; i > 0; i--) { 3996 if (output[i] != 0) 3997 break; 3998 } 3999 /* Get the real content type from the end of the data. */ 4000 rh->type = output[i]; 4001 ssl->keys.padSz = sz - i; 4002 } 4003 #endif 4004 (void)rh; 2889 4005 2890 4006 return output; … … 2943 4059 while (session) { 2944 4060 SnifferSession* next = session->next; 2945 if ( time(NULL) >= session->lastUsed + WOLFSSL_SNIFFER_TIMEOUT) {4061 if (XTIME(NULL) >= session->lastUsed + WOLFSSL_SNIFFER_TIMEOUT) { 2946 4062 TraceStaleSession(); 2947 4063 RemoveSession(session, NULL, NULL, i); … … 2992 4108 session->cliSeqStart = tcpInfo->sequence; 2993 4109 session->cliExpected = 1; /* relative */ 2994 session->lastUsed= time(NULL);4110 session->lastUsed= XTIME(NULL); 2995 4111 session->keySz = 0; 2996 4112 #ifdef HAVE_SNI … … 3005 4121 } 3006 4122 3007 session->sslServer = SSL_new(session->context->ctx);4123 session->sslServer = wolfSSL_new(session->context->ctx); 3008 4124 if (session->sslServer == NULL) { 3009 4125 SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE); … … 3011 4127 return 0; 3012 4128 } 3013 session->sslClient = SSL_new(session->context->ctx);4129 session->sslClient = wolfSSL_new(session->context->ctx); 3014 4130 if (session->sslClient == NULL) { 3015 SSL_free(session->sslServer);4131 wolfSSL_free(session->sslServer); 3016 4132 session->sslServer = 0; 3017 4133 … … 3152 4268 int length, const byte** sslFrame, int* sslBytes, char* error) 3153 4269 { 4270 IpHdr* iphdr = (IpHdr*)packet; 4271 int version; 4272 3154 4273 TraceHeader(); 3155 4274 TracePacket(); … … 3160 4279 return -1; 3161 4280 } 4281 4282 version = IP_V(iphdr); 4283 if (version != IPV6 && version != IPV4) { 4284 /* Is this VLAN IEEE 802.1Q Frame? TPID = 0x8100 */ 4285 if (packet[2] == 0x81 && packet[3] == 0x00) { 4286 /* trim VLAN header and try again */ 4287 packet += 8; 4288 length -= 8; 4289 } 4290 } 4291 3162 4292 if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0) 3163 4293 return -1; … … 3177 4307 return -1; 3178 4308 } 4309 3179 4310 /* We only care about the data in the TCP/IP record. There may be extra 3180 4311 * data after the IP record for the FCS for Ethernet. */ … … 3372 4503 { 3373 4504 if (session->flags.side == WOLFSSL_SERVER_END) { 3374 if (session->finCap utre.cliCounted == 0)3375 session->finCap utre.cliFinSeq = sequence;4505 if (session->finCapture.cliCounted == 0) 4506 session->finCapture.cliFinSeq = sequence; 3376 4507 } 3377 4508 else { 3378 if (session->finCap utre.srvCounted == 0)3379 session->finCap utre.srvFinSeq = sequence;4509 if (session->finCapture.srvCounted == 0) 4510 session->finCapture.srvFinSeq = sequence; 3380 4511 } 3381 4512 return 1; … … 3513 4644 &session->cliReassemblyMemory : 3514 4645 &session->srvReassemblyMemory; 3515 SSL*ssl = (session->flags.side == WOLFSSL_SERVER_END) ?4646 WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ? 3516 4647 session->sslServer : 3517 4648 session->sslClient; … … 3589 4720 word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ? 3590 4721 &session->srvExpected : &session->cliExpected; 4722 word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? 4723 session->srvSeqStart : session->cliSeqStart; 3591 4724 PacketBuffer* list = (session->flags.side == WOLFSSL_SERVER_END) ? 3592 4725 session->srvReassemblyList : … … 3596 4729 &session->flags.cliSkipPartial; 3597 4730 4731 if (tcpInfo->ackNumber < seqStart) { 4732 return -1; /* do not fix sequence - could be ack on unseen seq */ 4733 } 3598 4734 *skipPartial = 1; 4735 3599 4736 if (list != NULL) 3600 4737 *expected = list->begin; 3601 else { 3602 word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ? 3603 session->srvSeqStart : session->cliSeqStart; 3604 word32 real = tcpInfo->ackNumber - seqStart; 3605 3606 *expected = real; 3607 } 4738 else 4739 *expected = tcpInfo->ackNumber - seqStart; 4740 3608 4741 3609 4742 return 1; … … 3646 4779 &session->flags.srvAckFault; 3647 4780 3648 /* init SEQ from server to client */3649 if (tcpInfo->syn && tcpInfo->ack ) {4781 /* init SEQ from server to client - if not ack fault */ 4782 if (tcpInfo->syn && tcpInfo->ack && !*ackFault) { 3650 4783 session->srvSeqStart = tcpInfo->sequence; 3651 4784 session->srvExpected = 1; … … 3694 4827 { 3695 4828 word32 length; 3696 SSL*ssl = ((*session)->flags.side == WOLFSSL_SERVER_END) ?4829 WOLFSSL* ssl = ((*session)->flags.side == WOLFSSL_SERVER_END) ? 3697 4830 (*session)->sslServer : (*session)->sslClient; 3698 4831 byte skipPartial = ((*session)->flags.side == WOLFSSL_SERVER_END) ? … … 3758 4891 3759 4892 Trace(CHAIN_INPUT_STR); 3760 headerSz = (word32) *sslFrame - (word32)chain[0].iov_base;4893 headerSz = (word32)((const byte*)*sslFrame - (const byte*)chain[0].iov_base); 3761 4894 remainder = *sslBytes; 3762 4895 … … 3833 4966 &session->cliExpected : &session->srvExpected; 3834 4967 /* buffer is on receiving end */ 3835 word32* length = (session->flags.side == WOLFSSL_SERVER_END) ?4968 word32* length = (session->flags.side == WOLFSSL_SERVER_END) ? 3836 4969 &session->sslServer->buffers.inputBuffer.length : 3837 4970 &session->sslClient->buffers.inputBuffer.length; … … 3839 4972 &session->sslServer->buffers.inputBuffer.buffer : 3840 4973 &session->sslClient->buffers.inputBuffer.buffer; 3841 word32* 4974 word32* bufferSize = (session->flags.side == WOLFSSL_SERVER_END) ? 3842 4975 &session->sslServer->buffers.inputBuffer.bufferSize : 3843 4976 &session->sslClient->buffers.inputBuffer.bufferSize; 3844 SSL*ssl = (session->flags.side == WOLFSSL_SERVER_END) ?4977 WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ? 3845 4978 session->sslServer : session->sslClient; 3846 4979 word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ? … … 3904 5037 int notEnough; /* notEnough bytes yet flag */ 3905 5038 int decrypted = 0; /* was current msg decrypted */ 3906 SSL*ssl = (session->flags.side == WOLFSSL_SERVER_END) ?3907 5039 WOLFSSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ? 5040 session->sslServer : session->sslClient; 3908 5041 doMessage: 3909 5042 notEnough = 0; … … 3951 5084 session->flags.clientCipherOn)) { 3952 5085 int ivAdvance = 0; /* TLSv1.1 advance amount */ 5086 5087 /* change_cipher_spec is not encrypted */ 5088 if (rh.type == change_cipher_spec) { 5089 goto doPart; 5090 } 3953 5091 if (ssl->decrypt.setup != 1) { 3954 5092 SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE); … … 3959 5097 return -1; 3960 5098 } 5099 3961 5100 sslFrame = DecryptMessage(ssl, sslFrame, rhSize, 3962 5101 ssl->buffers.outputBuffer.buffer, &errCode, 3963 &ivAdvance );5102 &ivAdvance, &rh); 3964 5103 recordEnd = sslFrame - ivAdvance + rhSize; /* sslFrame moved so 3965 5104 should recordEnd */ … … 3992 5131 3993 5132 Trace(GOT_HANDSHAKE_STR); 3994 ret = DoHandShake(sslFrame, &sslBytes, session, error );3995 if (ret != 0 ) {5133 ret = DoHandShake(sslFrame, &sslBytes, session, error, rhSize); 5134 if (ret != 0 || sslBytes > startIdx) { 3996 5135 if (session->flags.fatalError == 0) 3997 5136 SetError(BAD_HANDSHAKE_STR, error, session, … … 4008 5147 break; 4009 5148 case change_cipher_spec: 4010 if (session->flags.side == WOLFSSL_SERVER_END) 4011 session->flags.serverCipherOn = 1; 5149 if (session->flags.side == WOLFSSL_SERVER_END) { 5150 #ifdef WOLFSSL_TLS13 5151 if (IsAtLeastTLSv1_3(session->sslServer->version) && session->srvKs.key_len == 0) { 5152 session->flags.serverCipherOn = 0; 5153 } 5154 else 5155 #endif 5156 { 5157 session->flags.serverCipherOn = 1; 5158 } 5159 } 4012 5160 else 4013 5161 session->flags.clientCipherOn = 1; … … 4146 5294 { 4147 5295 int ret = 0; 4148 if (session->finCap utre.cliFinSeq && session->finCaputre.cliFinSeq <=5296 if (session->finCapture.cliFinSeq && session->finCapture.cliFinSeq <= 4149 5297 session->cliExpected) { 4150 if (session->finCap utre.cliCounted == 0) {5298 if (session->finCapture.cliCounted == 0) { 4151 5299 session->flags.finCount += 1; 4152 session->finCap utre.cliCounted = 1;4153 TraceClientFin(session->finCap utre.cliFinSeq, session->cliExpected);4154 } 4155 } 4156 4157 if (session->finCap utre.srvFinSeq && session->finCaputre.srvFinSeq <=5300 session->finCapture.cliCounted = 1; 5301 TraceClientFin(session->finCapture.cliFinSeq, session->cliExpected); 5302 } 5303 } 5304 5305 if (session->finCapture.srvFinSeq && session->finCapture.srvFinSeq <= 4158 5306 session->srvExpected) { 4159 if (session->finCap utre.srvCounted == 0) {5307 if (session->finCapture.srvCounted == 0) { 4160 5308 session->flags.finCount += 1; 4161 session->finCap utre.srvCounted = 1;4162 TraceServerFin(session->finCap utre.srvFinSeq, session->srvExpected);5309 session->finCapture.srvCounted = 1; 5310 TraceServerFin(session->finCapture.srvFinSeq, session->srvExpected); 4163 5311 } 4164 5312 } … … 4581 5729 WOLFSSL_FILETYPE_ASN1; 4582 5730 4583 ret = LoadKeyFile(&keyBuf, &keyBufSz, keyFile, keyType, password);5731 ret = LoadKeyFile(&keyBuf, &keyBufSz, keyFile, 0, keyType, password); 4584 5732 if (ret < 0) { 4585 5733 SetError(KEY_FILE_STR, error, NULL, 0);
Note:
See TracChangeset
for help on using the changeset viewer.