CyaSSL - CyaSSL changed for NucleoF401RE board: implemente…

Users » Vanger » Code » CyaSSL

CyaSSL changed for NucleoF401RE board: implemented random and time functions for build. (Has trouble with wildcard domains like *.google.com, *.yahoo.com)

Fork of CyaSSL by wolf SSL

src/sniffer.c@4:e505054279ed, 2015-01-14 (annotated)

Committer:: Vanger
Date:: Wed Jan 14 22:07:14 2015 +0000
Revision:: 4:e505054279ed
Parent:: 0:1239e9b70ca2

Implemented some platform specific functions in the Cyassl library code: time functions, seed random functions, and also changed the settings.h file to define settings specific to the platform being used

Who changed what in which revision?

User	Revision	Line number	New contents of line
wolfSSL	0:1239e9b70ca2	1	/* sniffer.c
wolfSSL	0:1239e9b70ca2	2	*
wolfSSL	0:1239e9b70ca2	3	* Copyright (C) 2006-2014 wolfSSL Inc.
wolfSSL	0:1239e9b70ca2	4	*
wolfSSL	0:1239e9b70ca2	5	* This file is part of CyaSSL.
wolfSSL	0:1239e9b70ca2	6	*
wolfSSL	0:1239e9b70ca2	7	* CyaSSL is free software; you can redistribute it and/or modify
wolfSSL	0:1239e9b70ca2	8	* it under the terms of the GNU General Public License as published by
wolfSSL	0:1239e9b70ca2	9	* the Free Software Foundation; either version 2 of the License, or
wolfSSL	0:1239e9b70ca2	10	* (at your option) any later version.
wolfSSL	0:1239e9b70ca2	11	*
wolfSSL	0:1239e9b70ca2	12	* CyaSSL is distributed in the hope that it will be useful,
wolfSSL	0:1239e9b70ca2	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL	0:1239e9b70ca2	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL	0:1239e9b70ca2	15	* GNU General Public License for more details.
wolfSSL	0:1239e9b70ca2	16	*
wolfSSL	0:1239e9b70ca2	17	* You should have received a copy of the GNU General Public License
wolfSSL	0:1239e9b70ca2	18	* along with this program; if not, write to the Free Software
wolfSSL	0:1239e9b70ca2	19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
wolfSSL	0:1239e9b70ca2	20	*/
wolfSSL	0:1239e9b70ca2	21
wolfSSL	0:1239e9b70ca2	22
wolfSSL	0:1239e9b70ca2	23
wolfSSL	0:1239e9b70ca2	24	#ifdef HAVE_CONFIG_H
wolfSSL	0:1239e9b70ca2	25	#include <config.h>
wolfSSL	0:1239e9b70ca2	26	#endif
wolfSSL	0:1239e9b70ca2	27
wolfSSL	0:1239e9b70ca2	28	#include <cyassl/ctaocrypt/settings.h>
wolfSSL	0:1239e9b70ca2	29
wolfSSL	0:1239e9b70ca2	30	#ifdef CYASSL_SNIFFER
wolfSSL	0:1239e9b70ca2	31
wolfSSL	0:1239e9b70ca2	32	#include <assert.h>
wolfSSL	0:1239e9b70ca2	33	#include <time.h>
wolfSSL	0:1239e9b70ca2	34
wolfSSL	0:1239e9b70ca2	35	#ifndef _WIN32
wolfSSL	0:1239e9b70ca2	36	#include <arpa/inet.h>
wolfSSL	0:1239e9b70ca2	37	#endif
wolfSSL	0:1239e9b70ca2	38
wolfSSL	0:1239e9b70ca2	39	#ifdef _WIN32
wolfSSL	0:1239e9b70ca2	40	#define SNPRINTF _snprintf
wolfSSL	0:1239e9b70ca2	41	#else
wolfSSL	0:1239e9b70ca2	42	#define SNPRINTF snprintf
wolfSSL	0:1239e9b70ca2	43	#endif
wolfSSL	0:1239e9b70ca2	44
wolfSSL	0:1239e9b70ca2	45	#include <cyassl/openssl/ssl.h>
wolfSSL	0:1239e9b70ca2	46	#include <cyassl/internal.h>
wolfSSL	0:1239e9b70ca2	47	#include <cyassl/error-ssl.h>
wolfSSL	0:1239e9b70ca2	48	#include <cyassl/sniffer.h>
wolfSSL	0:1239e9b70ca2	49	#include <cyassl/sniffer_error.h>
wolfSSL	0:1239e9b70ca2	50
wolfSSL	0:1239e9b70ca2	51
wolfSSL	0:1239e9b70ca2	52	#ifndef min
wolfSSL	0:1239e9b70ca2	53
wolfSSL	0:1239e9b70ca2	54	static INLINE word32 min(word32 a, word32 b)
wolfSSL	0:1239e9b70ca2	55	{
wolfSSL	0:1239e9b70ca2	56	return a > b ? b : a;
wolfSSL	0:1239e9b70ca2	57	}
wolfSSL	0:1239e9b70ca2	58
wolfSSL	0:1239e9b70ca2	59	#endif
wolfSSL	0:1239e9b70ca2	60
wolfSSL	0:1239e9b70ca2	61
wolfSSL	0:1239e9b70ca2	62	/* Misc constants */
wolfSSL	0:1239e9b70ca2	63	enum {
wolfSSL	0:1239e9b70ca2	64	MAX_SERVER_ADDRESS = 128, /* maximum server address length */
wolfSSL	0:1239e9b70ca2	65	MAX_ERROR_LEN = 80, /* maximum error length */
wolfSSL	0:1239e9b70ca2	66	ETHER_IF_ADDR_LEN = 6, /* ethernet interface address length */
wolfSSL	0:1239e9b70ca2	67	LOCAL_IF_ADDR_LEN = 4, /* localhost interface address length, !windows */
wolfSSL	0:1239e9b70ca2	68	TCP_PROTO = 6, /* TCP_PROTOCOL */
wolfSSL	0:1239e9b70ca2	69	IP_HDR_SZ = 20, /* IP header legnth, min */
wolfSSL	0:1239e9b70ca2	70	TCP_HDR_SZ = 20, /* TCP header legnth, min */
wolfSSL	0:1239e9b70ca2	71	IPV4 = 4, /* IP version 4 */
wolfSSL	0:1239e9b70ca2	72	TCP_PROTOCOL = 6, /* TCP Protocol id */
wolfSSL	0:1239e9b70ca2	73	TRACE_MSG_SZ = 80, /* Trace Message buffer size */
wolfSSL	0:1239e9b70ca2	74	HASH_SIZE = 499, /* Session Hash Table Rows */
wolfSSL	0:1239e9b70ca2	75	PSEUDO_HDR_SZ = 12, /* TCP Pseudo Header size in bytes */
wolfSSL	0:1239e9b70ca2	76	FATAL_ERROR_STATE = 1, /* SnifferSession fatal error state */
wolfSSL	0:1239e9b70ca2	77	SNIFFER_TIMEOUT = 900, /* Cache unclosed Sessions for 15 minutes */
wolfSSL	0:1239e9b70ca2	78	TICKET_HINT_LEN = 4, /* Session Ticket Hint length */
wolfSSL	0:1239e9b70ca2	79	EXT_TYPE_SZ = 2, /* Extension length */
wolfSSL	0:1239e9b70ca2	80	MAX_INPUT_SZ = MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA +
wolfSSL	0:1239e9b70ca2	81	MTU_EXTRA, /* Max input sz of reassembly */
wolfSSL	0:1239e9b70ca2	82	TICKET_EXT_ID = 0x23 /* Session Ticket Extension ID */
wolfSSL	0:1239e9b70ca2	83	};
wolfSSL	0:1239e9b70ca2	84
wolfSSL	0:1239e9b70ca2	85
wolfSSL	0:1239e9b70ca2	86	#ifdef _WIN32
wolfSSL	0:1239e9b70ca2	87
wolfSSL	0:1239e9b70ca2	88	static HMODULE dllModule; /* for error string resources */
wolfSSL	0:1239e9b70ca2	89
wolfSSL	0:1239e9b70ca2	90	BOOL APIENTRY DllMain( HMODULE hModule,
wolfSSL	0:1239e9b70ca2	91	DWORD ul_reason_for_call,
wolfSSL	0:1239e9b70ca2	92	LPVOID lpReserved
wolfSSL	0:1239e9b70ca2	93	)
wolfSSL	0:1239e9b70ca2	94	{
wolfSSL	0:1239e9b70ca2	95	static int didInit = 0;
wolfSSL	0:1239e9b70ca2	96
wolfSSL	0:1239e9b70ca2	97	switch (ul_reason_for_call)
wolfSSL	0:1239e9b70ca2	98	{
wolfSSL	0:1239e9b70ca2	99	case DLL_PROCESS_ATTACH:
wolfSSL	0:1239e9b70ca2	100	if (didInit == 0) {
wolfSSL	0:1239e9b70ca2	101	dllModule = hModule;
wolfSSL	0:1239e9b70ca2	102	ssl_InitSniffer();
wolfSSL	0:1239e9b70ca2	103	didInit = 1;
wolfSSL	0:1239e9b70ca2	104	}
wolfSSL	0:1239e9b70ca2	105	break;
wolfSSL	0:1239e9b70ca2	106	case DLL_THREAD_ATTACH:
wolfSSL	0:1239e9b70ca2	107	break;
wolfSSL	0:1239e9b70ca2	108	case DLL_THREAD_DETACH:
wolfSSL	0:1239e9b70ca2	109	break;
wolfSSL	0:1239e9b70ca2	110	case DLL_PROCESS_DETACH:
wolfSSL	0:1239e9b70ca2	111	if (didInit) {
wolfSSL	0:1239e9b70ca2	112	ssl_FreeSniffer();
wolfSSL	0:1239e9b70ca2	113	didInit = 0;
wolfSSL	0:1239e9b70ca2	114	}
wolfSSL	0:1239e9b70ca2	115	break;
wolfSSL	0:1239e9b70ca2	116	}
wolfSSL	0:1239e9b70ca2	117	return TRUE;
wolfSSL	0:1239e9b70ca2	118	}
wolfSSL	0:1239e9b70ca2	119
wolfSSL	0:1239e9b70ca2	120	#endif /* _WIN32 */
wolfSSL	0:1239e9b70ca2	121
wolfSSL	0:1239e9b70ca2	122
wolfSSL	0:1239e9b70ca2	123	static int TraceOn = 0; /* Trace is off by default */
wolfSSL	0:1239e9b70ca2	124	static FILE* TraceFile = 0;
wolfSSL	0:1239e9b70ca2	125
wolfSSL	0:1239e9b70ca2	126
wolfSSL	0:1239e9b70ca2	127	/* windows uses .rc table for this */
wolfSSL	0:1239e9b70ca2	128	#ifndef _WIN32
wolfSSL	0:1239e9b70ca2	129
wolfSSL	0:1239e9b70ca2	130	static const char* const msgTable[] =
wolfSSL	0:1239e9b70ca2	131	{
wolfSSL	0:1239e9b70ca2	132	/* 1 */
wolfSSL	0:1239e9b70ca2	133	"Out of Memory",
wolfSSL	0:1239e9b70ca2	134	"New SSL Sniffer Server Registered",
wolfSSL	0:1239e9b70ca2	135	"Checking IP Header",
wolfSSL	0:1239e9b70ca2	136	"SSL Sniffer Server Not Registered",
wolfSSL	0:1239e9b70ca2	137	"Checking TCP Header",
wolfSSL	0:1239e9b70ca2	138
wolfSSL	0:1239e9b70ca2	139	/* 6 */
wolfSSL	0:1239e9b70ca2	140	"SSL Sniffer Server Port Not Registered",
wolfSSL	0:1239e9b70ca2	141	"RSA Private Decrypt Error",
wolfSSL	0:1239e9b70ca2	142	"RSA Private Decode Error",
wolfSSL	0:1239e9b70ca2	143	"Set Cipher Spec Error",
wolfSSL	0:1239e9b70ca2	144	"Server Hello Input Malformed",
wolfSSL	0:1239e9b70ca2	145
wolfSSL	0:1239e9b70ca2	146	/* 11 */
wolfSSL	0:1239e9b70ca2	147	"Couldn't Resume Session Error",
wolfSSL	0:1239e9b70ca2	148	"Server Did Resumption",
wolfSSL	0:1239e9b70ca2	149	"Client Hello Input Malformed",
wolfSSL	0:1239e9b70ca2	150	"Client Trying to Resume",
wolfSSL	0:1239e9b70ca2	151	"Handshake Input Malformed",
wolfSSL	0:1239e9b70ca2	152
wolfSSL	0:1239e9b70ca2	153	/* 16 */
wolfSSL	0:1239e9b70ca2	154	"Got Hello Verify msg",
wolfSSL	0:1239e9b70ca2	155	"Got Server Hello msg",
wolfSSL	0:1239e9b70ca2	156	"Got Cert Request msg",
wolfSSL	0:1239e9b70ca2	157	"Got Server Key Exchange msg",
wolfSSL	0:1239e9b70ca2	158	"Got Cert msg",
wolfSSL	0:1239e9b70ca2	159
wolfSSL	0:1239e9b70ca2	160	/* 21 */
wolfSSL	0:1239e9b70ca2	161	"Got Server Hello Done msg",
wolfSSL	0:1239e9b70ca2	162	"Got Finished msg",
wolfSSL	0:1239e9b70ca2	163	"Got Client Hello msg",
wolfSSL	0:1239e9b70ca2	164	"Got Client Key Exchange msg",
wolfSSL	0:1239e9b70ca2	165	"Got Cert Verify msg",
wolfSSL	0:1239e9b70ca2	166
wolfSSL	0:1239e9b70ca2	167	/* 26 */
wolfSSL	0:1239e9b70ca2	168	"Got Unknown Handshake msg",
wolfSSL	0:1239e9b70ca2	169	"New SSL Sniffer Session created",
wolfSSL	0:1239e9b70ca2	170	"Couldn't create new SSL",
wolfSSL	0:1239e9b70ca2	171	"Got a Packet to decode",
wolfSSL	0:1239e9b70ca2	172	"No data present",
wolfSSL	0:1239e9b70ca2	173
wolfSSL	0:1239e9b70ca2	174	/* 31 */
wolfSSL	0:1239e9b70ca2	175	"Session Not Found",
wolfSSL	0:1239e9b70ca2	176	"Got an Old Client Hello msg",
wolfSSL	0:1239e9b70ca2	177	"Old Client Hello Input Malformed",
wolfSSL	0:1239e9b70ca2	178	"Old Client Hello OK",
wolfSSL	0:1239e9b70ca2	179	"Bad Old Client Hello",
wolfSSL	0:1239e9b70ca2	180
wolfSSL	0:1239e9b70ca2	181	/* 36 */
wolfSSL	0:1239e9b70ca2	182	"Bad Record Header",
wolfSSL	0:1239e9b70ca2	183	"Record Header Input Malformed",
wolfSSL	0:1239e9b70ca2	184	"Got a HandShake msg",
wolfSSL	0:1239e9b70ca2	185	"Bad HandShake msg",
wolfSSL	0:1239e9b70ca2	186	"Got a Change Cipher Spec msg",
wolfSSL	0:1239e9b70ca2	187
wolfSSL	0:1239e9b70ca2	188	/* 41 */
wolfSSL	0:1239e9b70ca2	189	"Got Application Data msg",
wolfSSL	0:1239e9b70ca2	190	"Bad Application Data",
wolfSSL	0:1239e9b70ca2	191	"Got an Alert msg",
wolfSSL	0:1239e9b70ca2	192	"Another msg to Process",
wolfSSL	0:1239e9b70ca2	193	"Removing Session From Table",
wolfSSL	0:1239e9b70ca2	194
wolfSSL	0:1239e9b70ca2	195	/* 46 */
wolfSSL	0:1239e9b70ca2	196	"Bad Key File",
wolfSSL	0:1239e9b70ca2	197	"Wrong IP Version",
wolfSSL	0:1239e9b70ca2	198	"Wrong Protocol type",
wolfSSL	0:1239e9b70ca2	199	"Packet Short for header processing",
wolfSSL	0:1239e9b70ca2	200	"Got Unknown Record Type",
wolfSSL	0:1239e9b70ca2	201
wolfSSL	0:1239e9b70ca2	202	/* 51 */
wolfSSL	0:1239e9b70ca2	203	"Can't Open Trace File",
wolfSSL	0:1239e9b70ca2	204	"Session in Fatal Error State",
wolfSSL	0:1239e9b70ca2	205	"Partial SSL record received",
wolfSSL	0:1239e9b70ca2	206	"Buffer Error, malformed input",
wolfSSL	0:1239e9b70ca2	207	"Added to Partial Input",
wolfSSL	0:1239e9b70ca2	208
wolfSSL	0:1239e9b70ca2	209	/* 56 */
wolfSSL	0:1239e9b70ca2	210	"Received a Duplicate Packet",
wolfSSL	0:1239e9b70ca2	211	"Received an Out of Order Packet",
wolfSSL	0:1239e9b70ca2	212	"Received an Overlap Duplicate Packet",
wolfSSL	0:1239e9b70ca2	213	"Received an Overlap Reassembly Begin Duplicate Packet",
wolfSSL	0:1239e9b70ca2	214	"Received an Overlap Reassembly End Duplicate Packet",
wolfSSL	0:1239e9b70ca2	215
wolfSSL	0:1239e9b70ca2	216	/* 61 */
wolfSSL	0:1239e9b70ca2	217	"Missed the Client Hello Entirely",
wolfSSL	0:1239e9b70ca2	218	"Got Hello Request msg",
wolfSSL	0:1239e9b70ca2	219	"Got Session Ticket msg",
wolfSSL	0:1239e9b70ca2	220	"Bad Input",
wolfSSL	0:1239e9b70ca2	221	"Bad Decrypt Type",
wolfSSL	0:1239e9b70ca2	222
wolfSSL	0:1239e9b70ca2	223	/* 66 */
wolfSSL	0:1239e9b70ca2	224	"Bad Finished Message Processing",
wolfSSL	0:1239e9b70ca2	225	"Bad Compression Type",
wolfSSL	0:1239e9b70ca2	226	"Bad DeriveKeys Error",
wolfSSL	0:1239e9b70ca2	227	"Saw ACK for Missing Packet Error",
wolfSSL	0:1239e9b70ca2	228	"Bad Decrypt Operation"
wolfSSL	0:1239e9b70ca2	229	};
wolfSSL	0:1239e9b70ca2	230
wolfSSL	0:1239e9b70ca2	231
wolfSSL	0:1239e9b70ca2	232	/* nix version uses table above /
wolfSSL	0:1239e9b70ca2	233	static void GetError(int idx, char* str)
wolfSSL	0:1239e9b70ca2	234	{
wolfSSL	0:1239e9b70ca2	235	XSTRNCPY(str, msgTable[idx - 1], MAX_ERROR_LEN);
wolfSSL	0:1239e9b70ca2	236	}
wolfSSL	0:1239e9b70ca2	237
wolfSSL	0:1239e9b70ca2	238
wolfSSL	0:1239e9b70ca2	239	#else /* _WIN32 */
wolfSSL	0:1239e9b70ca2	240
wolfSSL	0:1239e9b70ca2	241
wolfSSL	0:1239e9b70ca2	242	/* Windows version uses .rc table */
wolfSSL	0:1239e9b70ca2	243	static void GetError(int idx, char* buffer)
wolfSSL	0:1239e9b70ca2	244	{
wolfSSL	0:1239e9b70ca2	245	if (!LoadStringA(dllModule, idx, buffer, MAX_ERROR_LEN))
wolfSSL	0:1239e9b70ca2	246	buffer[0] = 0;
wolfSSL	0:1239e9b70ca2	247	}
wolfSSL	0:1239e9b70ca2	248
wolfSSL	0:1239e9b70ca2	249
wolfSSL	0:1239e9b70ca2	250	#endif /* _WIN32 */
wolfSSL	0:1239e9b70ca2	251
wolfSSL	0:1239e9b70ca2	252
wolfSSL	0:1239e9b70ca2	253	/* Packet Buffer for reassembly list and ready list */
wolfSSL	0:1239e9b70ca2	254	typedef struct PacketBuffer {
wolfSSL	0:1239e9b70ca2	255	word32 begin; /* relative sequence begin */
wolfSSL	0:1239e9b70ca2	256	word32 end; /* relative sequence end */
wolfSSL	0:1239e9b70ca2	257	byte* data; /* actual data */
wolfSSL	0:1239e9b70ca2	258	struct PacketBuffer* next; /* next on reassembly list or ready list */
wolfSSL	0:1239e9b70ca2	259	} PacketBuffer;
wolfSSL	0:1239e9b70ca2	260
wolfSSL	0:1239e9b70ca2	261
wolfSSL	0:1239e9b70ca2	262	/* Sniffer Server holds info for each server/port monitored */
wolfSSL	0:1239e9b70ca2	263	typedef struct SnifferServer {
wolfSSL	0:1239e9b70ca2	264	SSL_CTX* ctx; /* SSL context */
wolfSSL	0:1239e9b70ca2	265	char address[MAX_SERVER_ADDRESS]; /* passed in server address */
wolfSSL	0:1239e9b70ca2	266	word32 server; /* netowrk order address */
wolfSSL	0:1239e9b70ca2	267	int port; /* server port */
wolfSSL	0:1239e9b70ca2	268	struct SnifferServer* next; /* for list */
wolfSSL	0:1239e9b70ca2	269	} SnifferServer;
wolfSSL	0:1239e9b70ca2	270
wolfSSL	0:1239e9b70ca2	271
wolfSSL	0:1239e9b70ca2	272	/* Session Flags */
wolfSSL	0:1239e9b70ca2	273	typedef struct Flags {
wolfSSL	0:1239e9b70ca2	274	byte side; /* which end is current packet headed */
wolfSSL	0:1239e9b70ca2	275	byte serverCipherOn; /* indicates whether cipher is active */
wolfSSL	0:1239e9b70ca2	276	byte clientCipherOn; /* indicates whether cipher is active */
wolfSSL	0:1239e9b70ca2	277	byte resuming; /* did this session come from resumption */
wolfSSL	0:1239e9b70ca2	278	byte cached; /* have we cached this session yet */
wolfSSL	0:1239e9b70ca2	279	byte clientHello; /* processed client hello yet, for SSLv2 */
wolfSSL	0:1239e9b70ca2	280	byte finCount; /* get both FINs before removing */
wolfSSL	0:1239e9b70ca2	281	byte fatalError; /* fatal error state */
wolfSSL	0:1239e9b70ca2	282	} Flags;
wolfSSL	0:1239e9b70ca2	283
wolfSSL	0:1239e9b70ca2	284
wolfSSL	0:1239e9b70ca2	285	/* Out of Order FIN caputre */
wolfSSL	0:1239e9b70ca2	286	typedef struct FinCaputre {
wolfSSL	0:1239e9b70ca2	287	word32 cliFinSeq; /* client relative sequence FIN 0 is no */
wolfSSL	0:1239e9b70ca2	288	word32 srvFinSeq; /* server relative sequence FIN, 0 is no */
wolfSSL	0:1239e9b70ca2	289	byte cliCounted; /* did we count yet, detects duplicates */
wolfSSL	0:1239e9b70ca2	290	byte srvCounted; /* did we count yet, detects duplicates */
wolfSSL	0:1239e9b70ca2	291	} FinCaputre;
wolfSSL	0:1239e9b70ca2	292
wolfSSL	0:1239e9b70ca2	293
wolfSSL	0:1239e9b70ca2	294	/* Sniffer Session holds info for each client/server SSL/TLS session */
wolfSSL	0:1239e9b70ca2	295	typedef struct SnifferSession {
wolfSSL	0:1239e9b70ca2	296	SnifferServer* context; /* server context */
wolfSSL	0:1239e9b70ca2	297	SSL* sslServer; /* SSL server side decode */
wolfSSL	0:1239e9b70ca2	298	SSL* sslClient; /* SSL client side decode */
wolfSSL	0:1239e9b70ca2	299	word32 server; /* server address in network byte order */
wolfSSL	0:1239e9b70ca2	300	word32 client; /* client address in network byte order */
wolfSSL	0:1239e9b70ca2	301	word16 srvPort; /* server port */
wolfSSL	0:1239e9b70ca2	302	word16 cliPort; /* client port */
wolfSSL	0:1239e9b70ca2	303	word32 cliSeqStart; /* client start sequence */
wolfSSL	0:1239e9b70ca2	304	word32 srvSeqStart; /* server start sequence */
wolfSSL	0:1239e9b70ca2	305	word32 cliExpected; /* client expected sequence (relative) */
wolfSSL	0:1239e9b70ca2	306	word32 srvExpected; /* server expected sequence (relative) */
wolfSSL	0:1239e9b70ca2	307	FinCaputre finCaputre; /* retain out of order FIN s */
wolfSSL	0:1239e9b70ca2	308	Flags flags; /* session flags */
wolfSSL	0:1239e9b70ca2	309	time_t lastUsed; /* last used ticks */
wolfSSL	0:1239e9b70ca2	310	PacketBuffer* cliReassemblyList; /* client out of order packets */
wolfSSL	0:1239e9b70ca2	311	PacketBuffer* srvReassemblyList; /* server out of order packets */
wolfSSL	0:1239e9b70ca2	312	struct SnifferSession* next; /* for hash table list */
wolfSSL	0:1239e9b70ca2	313	byte* ticketID; /* mac ID of session ticket */
wolfSSL	0:1239e9b70ca2	314	} SnifferSession;
wolfSSL	0:1239e9b70ca2	315
wolfSSL	0:1239e9b70ca2	316
wolfSSL	0:1239e9b70ca2	317	/* Sniffer Server List and mutex */
wolfSSL	0:1239e9b70ca2	318	static SnifferServer* ServerList = 0;
wolfSSL	0:1239e9b70ca2	319	static CyaSSL_Mutex ServerListMutex;
wolfSSL	0:1239e9b70ca2	320
wolfSSL	0:1239e9b70ca2	321
wolfSSL	0:1239e9b70ca2	322	/* Session Hash Table, mutex, and count */
wolfSSL	0:1239e9b70ca2	323	static SnifferSession* SessionTable[HASH_SIZE];
wolfSSL	0:1239e9b70ca2	324	static CyaSSL_Mutex SessionMutex;
wolfSSL	0:1239e9b70ca2	325	static int SessionCount = 0;
wolfSSL	0:1239e9b70ca2	326
wolfSSL	0:1239e9b70ca2	327
wolfSSL	0:1239e9b70ca2	328	/* Initialize overall Sniffer */
wolfSSL	0:1239e9b70ca2	329	void ssl_InitSniffer(void)
wolfSSL	0:1239e9b70ca2	330	{
wolfSSL	0:1239e9b70ca2	331	CyaSSL_Init();
wolfSSL	0:1239e9b70ca2	332	InitMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	333	InitMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	334	}
wolfSSL	0:1239e9b70ca2	335
wolfSSL	0:1239e9b70ca2	336
wolfSSL	0:1239e9b70ca2	337	/* Free Sniffer Server's resources/self */
wolfSSL	0:1239e9b70ca2	338	static void FreeSnifferServer(SnifferServer* srv)
wolfSSL	0:1239e9b70ca2	339	{
wolfSSL	0:1239e9b70ca2	340	if (srv)
wolfSSL	0:1239e9b70ca2	341	SSL_CTX_free(srv->ctx);
wolfSSL	0:1239e9b70ca2	342	free(srv);
wolfSSL	0:1239e9b70ca2	343	}
wolfSSL	0:1239e9b70ca2	344
wolfSSL	0:1239e9b70ca2	345
wolfSSL	0:1239e9b70ca2	346	/* free PacketBuffer's resources/self */
wolfSSL	0:1239e9b70ca2	347	static void FreePacketBuffer(PacketBuffer* del)
wolfSSL	0:1239e9b70ca2	348	{
wolfSSL	0:1239e9b70ca2	349	if (del) {
wolfSSL	0:1239e9b70ca2	350	free(del->data);
wolfSSL	0:1239e9b70ca2	351	free(del);
wolfSSL	0:1239e9b70ca2	352	}
wolfSSL	0:1239e9b70ca2	353	}
wolfSSL	0:1239e9b70ca2	354
wolfSSL	0:1239e9b70ca2	355
wolfSSL	0:1239e9b70ca2	356	/* remove PacketBuffer List */
wolfSSL	0:1239e9b70ca2	357	static void FreePacketList(PacketBuffer* in)
wolfSSL	0:1239e9b70ca2	358	{
wolfSSL	0:1239e9b70ca2	359	if (in) {
wolfSSL	0:1239e9b70ca2	360	PacketBuffer* del;
wolfSSL	0:1239e9b70ca2	361	PacketBuffer* packet = in;
wolfSSL	0:1239e9b70ca2	362
wolfSSL	0:1239e9b70ca2	363	while (packet) {
wolfSSL	0:1239e9b70ca2	364	del = packet;
wolfSSL	0:1239e9b70ca2	365	packet = packet->next;
wolfSSL	0:1239e9b70ca2	366	FreePacketBuffer(del);
wolfSSL	0:1239e9b70ca2	367	}
wolfSSL	0:1239e9b70ca2	368	}
wolfSSL	0:1239e9b70ca2	369	}
wolfSSL	0:1239e9b70ca2	370
wolfSSL	0:1239e9b70ca2	371
wolfSSL	0:1239e9b70ca2	372	/* Free Sniffer Session's resources/self */
wolfSSL	0:1239e9b70ca2	373	static void FreeSnifferSession(SnifferSession* session)
wolfSSL	0:1239e9b70ca2	374	{
wolfSSL	0:1239e9b70ca2	375	if (session) {
wolfSSL	0:1239e9b70ca2	376	SSL_free(session->sslClient);
wolfSSL	0:1239e9b70ca2	377	SSL_free(session->sslServer);
wolfSSL	0:1239e9b70ca2	378
wolfSSL	0:1239e9b70ca2	379	FreePacketList(session->cliReassemblyList);
wolfSSL	0:1239e9b70ca2	380	FreePacketList(session->srvReassemblyList);
wolfSSL	0:1239e9b70ca2	381
wolfSSL	0:1239e9b70ca2	382	free(session->ticketID);
wolfSSL	0:1239e9b70ca2	383	}
wolfSSL	0:1239e9b70ca2	384	free(session);
wolfSSL	0:1239e9b70ca2	385	}
wolfSSL	0:1239e9b70ca2	386
wolfSSL	0:1239e9b70ca2	387
wolfSSL	0:1239e9b70ca2	388	/* Free overall Sniffer */
wolfSSL	0:1239e9b70ca2	389	void ssl_FreeSniffer(void)
wolfSSL	0:1239e9b70ca2	390	{
wolfSSL	0:1239e9b70ca2	391	SnifferServer* srv;
wolfSSL	0:1239e9b70ca2	392	SnifferServer* removeServer;
wolfSSL	0:1239e9b70ca2	393	SnifferSession* session;
wolfSSL	0:1239e9b70ca2	394	SnifferSession* removeSession;
wolfSSL	0:1239e9b70ca2	395	int i;
wolfSSL	0:1239e9b70ca2	396
wolfSSL	0:1239e9b70ca2	397	LockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	398	LockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	399
wolfSSL	0:1239e9b70ca2	400	srv = ServerList;
wolfSSL	0:1239e9b70ca2	401	while (srv) {
wolfSSL	0:1239e9b70ca2	402	removeServer = srv;
wolfSSL	0:1239e9b70ca2	403	srv = srv->next;
wolfSSL	0:1239e9b70ca2	404	FreeSnifferServer(removeServer);
wolfSSL	0:1239e9b70ca2	405	}
wolfSSL	0:1239e9b70ca2	406
wolfSSL	0:1239e9b70ca2	407	for (i = 0; i < HASH_SIZE; i++) {
wolfSSL	0:1239e9b70ca2	408	session = SessionTable[i];
wolfSSL	0:1239e9b70ca2	409	while (session) {
wolfSSL	0:1239e9b70ca2	410	removeSession = session;
wolfSSL	0:1239e9b70ca2	411	session = session->next;
wolfSSL	0:1239e9b70ca2	412	FreeSnifferSession(removeSession);
wolfSSL	0:1239e9b70ca2	413	}
wolfSSL	0:1239e9b70ca2	414	}
wolfSSL	0:1239e9b70ca2	415
wolfSSL	0:1239e9b70ca2	416	UnLockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	417	UnLockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	418
wolfSSL	0:1239e9b70ca2	419	FreeMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	420	FreeMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	421
wolfSSL	0:1239e9b70ca2	422	if (TraceFile) {
wolfSSL	0:1239e9b70ca2	423	TraceOn = 0;
wolfSSL	0:1239e9b70ca2	424	fclose(TraceFile);
wolfSSL	0:1239e9b70ca2	425	TraceFile = NULL;
wolfSSL	0:1239e9b70ca2	426	}
wolfSSL	0:1239e9b70ca2	427
wolfSSL	0:1239e9b70ca2	428	CyaSSL_Cleanup();
wolfSSL	0:1239e9b70ca2	429	}
wolfSSL	0:1239e9b70ca2	430
wolfSSL	0:1239e9b70ca2	431
wolfSSL	0:1239e9b70ca2	432	/* Initialize a SnifferServer */
wolfSSL	0:1239e9b70ca2	433	static void InitSnifferServer(SnifferServer* sniffer)
wolfSSL	0:1239e9b70ca2	434	{
wolfSSL	0:1239e9b70ca2	435	sniffer->ctx = 0;
wolfSSL	0:1239e9b70ca2	436	XMEMSET(sniffer->address, 0, MAX_SERVER_ADDRESS);
wolfSSL	0:1239e9b70ca2	437	sniffer->server = 0;
wolfSSL	0:1239e9b70ca2	438	sniffer->port = 0;
wolfSSL	0:1239e9b70ca2	439	sniffer->next = 0;
wolfSSL	0:1239e9b70ca2	440	}
wolfSSL	0:1239e9b70ca2	441
wolfSSL	0:1239e9b70ca2	442
wolfSSL	0:1239e9b70ca2	443	/* Initialize session flags */
wolfSSL	0:1239e9b70ca2	444	static void InitFlags(Flags* flags)
wolfSSL	0:1239e9b70ca2	445	{
wolfSSL	0:1239e9b70ca2	446	flags->side = 0;
wolfSSL	0:1239e9b70ca2	447	flags->serverCipherOn = 0;
wolfSSL	0:1239e9b70ca2	448	flags->clientCipherOn = 0;
wolfSSL	0:1239e9b70ca2	449	flags->resuming = 0;
wolfSSL	0:1239e9b70ca2	450	flags->cached = 0;
wolfSSL	0:1239e9b70ca2	451	flags->clientHello = 0;
wolfSSL	0:1239e9b70ca2	452	flags->finCount = 0;
wolfSSL	0:1239e9b70ca2	453	flags->fatalError = 0;
wolfSSL	0:1239e9b70ca2	454	}
wolfSSL	0:1239e9b70ca2	455
wolfSSL	0:1239e9b70ca2	456
wolfSSL	0:1239e9b70ca2	457	/* Initialize FIN Capture */
wolfSSL	0:1239e9b70ca2	458	static void InitFinCapture(FinCaputre* cap)
wolfSSL	0:1239e9b70ca2	459	{
wolfSSL	0:1239e9b70ca2	460	cap->cliFinSeq = 0;
wolfSSL	0:1239e9b70ca2	461	cap->srvFinSeq = 0;
wolfSSL	0:1239e9b70ca2	462	cap->cliCounted = 0;
wolfSSL	0:1239e9b70ca2	463	cap->srvCounted = 0;
wolfSSL	0:1239e9b70ca2	464	}
wolfSSL	0:1239e9b70ca2	465
wolfSSL	0:1239e9b70ca2	466
wolfSSL	0:1239e9b70ca2	467	/* Initialize a Sniffer Session */
wolfSSL	0:1239e9b70ca2	468	static void InitSession(SnifferSession* session)
wolfSSL	0:1239e9b70ca2	469	{
wolfSSL	0:1239e9b70ca2	470	session->context = 0;
wolfSSL	0:1239e9b70ca2	471	session->sslServer = 0;
wolfSSL	0:1239e9b70ca2	472	session->sslClient = 0;
wolfSSL	0:1239e9b70ca2	473	session->server = 0;
wolfSSL	0:1239e9b70ca2	474	session->client = 0;
wolfSSL	0:1239e9b70ca2	475	session->srvPort = 0;
wolfSSL	0:1239e9b70ca2	476	session->cliPort = 0;
wolfSSL	0:1239e9b70ca2	477	session->cliSeqStart = 0;
wolfSSL	0:1239e9b70ca2	478	session->srvSeqStart = 0;
wolfSSL	0:1239e9b70ca2	479	session->cliExpected = 0;
wolfSSL	0:1239e9b70ca2	480	session->srvExpected = 0;
wolfSSL	0:1239e9b70ca2	481	session->lastUsed = 0;
wolfSSL	0:1239e9b70ca2	482	session->cliReassemblyList = 0;
wolfSSL	0:1239e9b70ca2	483	session->srvReassemblyList = 0;
wolfSSL	0:1239e9b70ca2	484	session->next = 0;
wolfSSL	0:1239e9b70ca2	485	session->ticketID = 0;
wolfSSL	0:1239e9b70ca2	486
wolfSSL	0:1239e9b70ca2	487	InitFlags(&session->flags);
wolfSSL	0:1239e9b70ca2	488	InitFinCapture(&session->finCaputre);
wolfSSL	0:1239e9b70ca2	489	}
wolfSSL	0:1239e9b70ca2	490
wolfSSL	0:1239e9b70ca2	491
wolfSSL	0:1239e9b70ca2	492	/* IP Info from IP Header */
wolfSSL	0:1239e9b70ca2	493	typedef struct IpInfo {
wolfSSL	0:1239e9b70ca2	494	int length; /* length of this header */
wolfSSL	0:1239e9b70ca2	495	int total; /* total length of fragment */
wolfSSL	0:1239e9b70ca2	496	word32 src; /* network order source address */
wolfSSL	0:1239e9b70ca2	497	word32 dst; /* network order destination address */
wolfSSL	0:1239e9b70ca2	498	} IpInfo;
wolfSSL	0:1239e9b70ca2	499
wolfSSL	0:1239e9b70ca2	500
wolfSSL	0:1239e9b70ca2	501	/* TCP Info from TCP Header */
wolfSSL	0:1239e9b70ca2	502	typedef struct TcpInfo {
wolfSSL	0:1239e9b70ca2	503	int srcPort; /* source port */
wolfSSL	0:1239e9b70ca2	504	int dstPort; /* source port */
wolfSSL	0:1239e9b70ca2	505	int length; /* length of this header */
wolfSSL	0:1239e9b70ca2	506	word32 sequence; /* sequence number */
wolfSSL	0:1239e9b70ca2	507	word32 ackNumber; /* ack number */
wolfSSL	0:1239e9b70ca2	508	byte fin; /* FIN set */
wolfSSL	0:1239e9b70ca2	509	byte rst; /* RST set */
wolfSSL	0:1239e9b70ca2	510	byte syn; /* SYN set */
wolfSSL	0:1239e9b70ca2	511	byte ack; /* ACK set */
wolfSSL	0:1239e9b70ca2	512	} TcpInfo;
wolfSSL	0:1239e9b70ca2	513
wolfSSL	0:1239e9b70ca2	514
wolfSSL	0:1239e9b70ca2	515	/* Tcp Pseudo Header for Checksum calculation */
wolfSSL	0:1239e9b70ca2	516	typedef struct TcpPseudoHdr {
wolfSSL	0:1239e9b70ca2	517	word32 src; /* source address */
wolfSSL	0:1239e9b70ca2	518	word32 dst; /* destination address */
wolfSSL	0:1239e9b70ca2	519	byte rsv; /* reserved, always 0 */
wolfSSL	0:1239e9b70ca2	520	byte protocol; /* IP protocol */
wolfSSL	0:1239e9b70ca2	521	word16 legnth; /* tcp header length + data length (doesn't include */
wolfSSL	0:1239e9b70ca2	522	/* pseudo header length) network order */
wolfSSL	0:1239e9b70ca2	523	} TcpPseudoHdr;
wolfSSL	0:1239e9b70ca2	524
wolfSSL	0:1239e9b70ca2	525
wolfSSL	0:1239e9b70ca2	526	/* Password Setting Callback */
wolfSSL	0:1239e9b70ca2	527	static int SetPassword(char* passwd, int sz, int rw, void* userdata)
wolfSSL	0:1239e9b70ca2	528	{
wolfSSL	0:1239e9b70ca2	529	(void)rw;
wolfSSL	0:1239e9b70ca2	530	XSTRNCPY(passwd, userdata, sz);
wolfSSL	0:1239e9b70ca2	531	return (int)XSTRLEN(userdata);
wolfSSL	0:1239e9b70ca2	532	}
wolfSSL	0:1239e9b70ca2	533
wolfSSL	0:1239e9b70ca2	534
wolfSSL	0:1239e9b70ca2	535	/* Ethernet Header */
wolfSSL	0:1239e9b70ca2	536	typedef struct EthernetHdr {
wolfSSL	0:1239e9b70ca2	537	byte dst[ETHER_IF_ADDR_LEN]; /* destination host address */
wolfSSL	0:1239e9b70ca2	538	byte src[ETHER_IF_ADDR_LEN]; /* source host address */
wolfSSL	0:1239e9b70ca2	539	word16 type; /* IP, ARP, etc */
wolfSSL	0:1239e9b70ca2	540	} EthernetHdr;
wolfSSL	0:1239e9b70ca2	541
wolfSSL	0:1239e9b70ca2	542
wolfSSL	0:1239e9b70ca2	543	/* IP Header */
wolfSSL	0:1239e9b70ca2	544	typedef struct IpHdr {
wolfSSL	0:1239e9b70ca2	545	byte ver_hl; /* version/header length */
wolfSSL	0:1239e9b70ca2	546	byte tos; /* type of service */
wolfSSL	0:1239e9b70ca2	547	word16 length; /* total length */
wolfSSL	0:1239e9b70ca2	548	word16 id; /* identification */
wolfSSL	0:1239e9b70ca2	549	word16 offset; /* fragment offset field */
wolfSSL	0:1239e9b70ca2	550	byte ttl; /* time to live */
wolfSSL	0:1239e9b70ca2	551	byte protocol; /* protocol */
wolfSSL	0:1239e9b70ca2	552	word16 sum; /* checksum */
wolfSSL	0:1239e9b70ca2	553	word32 src; /* source address */
wolfSSL	0:1239e9b70ca2	554	word32 dst; /* destination address */
wolfSSL	0:1239e9b70ca2	555	} IpHdr;
wolfSSL	0:1239e9b70ca2	556
wolfSSL	0:1239e9b70ca2	557
wolfSSL	0:1239e9b70ca2	558	#define IP_HL(ip) ( (((ip)->ver_hl) & 0x0f) * 4)
wolfSSL	0:1239e9b70ca2	559	#define IP_V(ip) ( ((ip)->ver_hl) >> 4)
wolfSSL	0:1239e9b70ca2	560
wolfSSL	0:1239e9b70ca2	561	/* TCP Header */
wolfSSL	0:1239e9b70ca2	562	typedef struct TcpHdr {
wolfSSL	0:1239e9b70ca2	563	word16 srcPort; /* source port */
wolfSSL	0:1239e9b70ca2	564	word16 dstPort; /* destination port */
wolfSSL	0:1239e9b70ca2	565	word32 sequence; /* sequence number */
wolfSSL	0:1239e9b70ca2	566	word32 ack; /* acknoledgment number */
wolfSSL	0:1239e9b70ca2	567	byte offset; /* data offset, reserved */
wolfSSL	0:1239e9b70ca2	568	byte flags; /* option flags */
wolfSSL	0:1239e9b70ca2	569	word16 window; /* window */
wolfSSL	0:1239e9b70ca2	570	word16 sum; /* checksum */
wolfSSL	0:1239e9b70ca2	571	word16 urgent; /* urgent pointer */
wolfSSL	0:1239e9b70ca2	572	} TcpHdr;
wolfSSL	0:1239e9b70ca2	573
wolfSSL	0:1239e9b70ca2	574	#define TCP_LEN(tcp) ( (((tcp)->offset & 0xf0) >> 4) * 4)
wolfSSL	0:1239e9b70ca2	575	#define TCP_FIN 0x01
wolfSSL	0:1239e9b70ca2	576	#define TCP_SYN 0x02
wolfSSL	0:1239e9b70ca2	577	#define TCP_RST 0x04
wolfSSL	0:1239e9b70ca2	578	#define TCP_ACK 0x10
wolfSSL	0:1239e9b70ca2	579
wolfSSL	0:1239e9b70ca2	580
wolfSSL	0:1239e9b70ca2	581
wolfSSL	0:1239e9b70ca2	582
wolfSSL	0:1239e9b70ca2	583
wolfSSL	0:1239e9b70ca2	584	/* Use platform specific GetError to write to tracfile if tracing */
wolfSSL	0:1239e9b70ca2	585	static void Trace(int idx)
wolfSSL	0:1239e9b70ca2	586	{
wolfSSL	0:1239e9b70ca2	587	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	588	char myBuffer[MAX_ERROR_LEN];
wolfSSL	0:1239e9b70ca2	589	GetError(idx, myBuffer);
wolfSSL	0:1239e9b70ca2	590	fprintf(TraceFile, "\t%s\n", myBuffer);
wolfSSL	0:1239e9b70ca2	591	#ifdef DEBUG_SNIFFER
wolfSSL	0:1239e9b70ca2	592	fprintf(stderr, "\t%s\n", myBuffer);
wolfSSL	0:1239e9b70ca2	593	#endif
wolfSSL	0:1239e9b70ca2	594	}
wolfSSL	0:1239e9b70ca2	595	}
wolfSSL	0:1239e9b70ca2	596
wolfSSL	0:1239e9b70ca2	597
wolfSSL	0:1239e9b70ca2	598	/* Show TimeStamp for beginning of packet Trace */
wolfSSL	0:1239e9b70ca2	599	static void TraceHeader(void)
wolfSSL	0:1239e9b70ca2	600	{
wolfSSL	0:1239e9b70ca2	601	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	602	time_t ticks = time(NULL);
wolfSSL	0:1239e9b70ca2	603	fprintf(TraceFile, "\n%s", ctime(&ticks));
wolfSSL	0:1239e9b70ca2	604	}
wolfSSL	0:1239e9b70ca2	605	}
wolfSSL	0:1239e9b70ca2	606
wolfSSL	0:1239e9b70ca2	607
wolfSSL	0:1239e9b70ca2	608	/* Show Set Server info for Trace */
wolfSSL	0:1239e9b70ca2	609	static void TraceSetServer(const char* srv, int port, const char* keyFile)
wolfSSL	0:1239e9b70ca2	610	{
wolfSSL	0:1239e9b70ca2	611	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	612	fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n");
wolfSSL	0:1239e9b70ca2	613	fprintf(TraceFile, "\tserver: %s, port: %d, keyFile: %s\n", srv, port,
wolfSSL	0:1239e9b70ca2	614	keyFile);
wolfSSL	0:1239e9b70ca2	615	}
wolfSSL	0:1239e9b70ca2	616	}
wolfSSL	0:1239e9b70ca2	617
wolfSSL	0:1239e9b70ca2	618
wolfSSL	0:1239e9b70ca2	619	/* Trace got packet number */
wolfSSL	0:1239e9b70ca2	620	static void TracePacket(void)
wolfSSL	0:1239e9b70ca2	621	{
wolfSSL	0:1239e9b70ca2	622	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	623	static word32 packetNumber = 0;
wolfSSL	0:1239e9b70ca2	624	fprintf(TraceFile, "\tGot a Packet to decode, packet %u\n",
wolfSSL	0:1239e9b70ca2	625	++packetNumber);
wolfSSL	0:1239e9b70ca2	626	}
wolfSSL	0:1239e9b70ca2	627	}
wolfSSL	0:1239e9b70ca2	628
wolfSSL	0:1239e9b70ca2	629
wolfSSL	0:1239e9b70ca2	630	/* Convert network byte order address into human readable */
wolfSSL	0:1239e9b70ca2	631	static char* IpToS(word32 addr, char* str)
wolfSSL	0:1239e9b70ca2	632	{
wolfSSL	0:1239e9b70ca2	633	byte* p = (byte*)&addr;
wolfSSL	0:1239e9b70ca2	634
wolfSSL	0:1239e9b70ca2	635	SNPRINTF(str, TRACE_MSG_SZ, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
wolfSSL	0:1239e9b70ca2	636
wolfSSL	0:1239e9b70ca2	637	return str;
wolfSSL	0:1239e9b70ca2	638	}
wolfSSL	0:1239e9b70ca2	639
wolfSSL	0:1239e9b70ca2	640
wolfSSL	0:1239e9b70ca2	641	/* Show destination and source address from Ip Hdr for packet Trace */
wolfSSL	0:1239e9b70ca2	642	static void TraceIP(IpHdr* iphdr)
wolfSSL	0:1239e9b70ca2	643	{
wolfSSL	0:1239e9b70ca2	644	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	645	char src[TRACE_MSG_SZ];
wolfSSL	0:1239e9b70ca2	646	char dst[TRACE_MSG_SZ];
wolfSSL	0:1239e9b70ca2	647	fprintf(TraceFile, "\tdst:%s src:%s\n", IpToS(iphdr->dst, dst),
wolfSSL	0:1239e9b70ca2	648	IpToS(iphdr->src, src));
wolfSSL	0:1239e9b70ca2	649	}
wolfSSL	0:1239e9b70ca2	650	}
wolfSSL	0:1239e9b70ca2	651
wolfSSL	0:1239e9b70ca2	652
wolfSSL	0:1239e9b70ca2	653	/* Show destination and source port from Tcp Hdr for packet Trace */
wolfSSL	0:1239e9b70ca2	654	static void TraceTcp(TcpHdr* tcphdr)
wolfSSL	0:1239e9b70ca2	655	{
wolfSSL	0:1239e9b70ca2	656	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	657	fprintf(TraceFile, "\tdstPort:%u srcPort:%u\n", ntohs(tcphdr->dstPort),
wolfSSL	0:1239e9b70ca2	658	ntohs(tcphdr->srcPort));
wolfSSL	0:1239e9b70ca2	659	}
wolfSSL	0:1239e9b70ca2	660	}
wolfSSL	0:1239e9b70ca2	661
wolfSSL	0:1239e9b70ca2	662
wolfSSL	0:1239e9b70ca2	663	/* Show sequence and payload length for Trace */
wolfSSL	0:1239e9b70ca2	664	static void TraceSequence(word32 seq, int len)
wolfSSL	0:1239e9b70ca2	665	{
wolfSSL	0:1239e9b70ca2	666	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	667	fprintf(TraceFile, "\tSequence:%u, payload length:%d\n", seq, len);
wolfSSL	0:1239e9b70ca2	668	}
wolfSSL	0:1239e9b70ca2	669	}
wolfSSL	0:1239e9b70ca2	670
wolfSSL	0:1239e9b70ca2	671
wolfSSL	0:1239e9b70ca2	672	/* Show sequence and payload length for Trace */
wolfSSL	0:1239e9b70ca2	673	static void TraceAck(word32 ack, word32 expected)
wolfSSL	0:1239e9b70ca2	674	{
wolfSSL	0:1239e9b70ca2	675	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	676	fprintf(TraceFile, "\tAck:%u Expected:%u\n", ack, expected);
wolfSSL	0:1239e9b70ca2	677	}
wolfSSL	0:1239e9b70ca2	678	}
wolfSSL	0:1239e9b70ca2	679
wolfSSL	0:1239e9b70ca2	680
wolfSSL	0:1239e9b70ca2	681	/* Show relative expected and relative received sequences */
wolfSSL	0:1239e9b70ca2	682	static void TraceRelativeSequence(word32 expected, word32 got)
wolfSSL	0:1239e9b70ca2	683	{
wolfSSL	0:1239e9b70ca2	684	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	685	fprintf(TraceFile, "\tExpected sequence:%u, received sequence:%u\n",
wolfSSL	0:1239e9b70ca2	686	expected, got);
wolfSSL	0:1239e9b70ca2	687	}
wolfSSL	0:1239e9b70ca2	688	}
wolfSSL	0:1239e9b70ca2	689
wolfSSL	0:1239e9b70ca2	690
wolfSSL	0:1239e9b70ca2	691	/* Show server sequence startup from SYN */
wolfSSL	0:1239e9b70ca2	692	static void TraceServerSyn(word32 seq)
wolfSSL	0:1239e9b70ca2	693	{
wolfSSL	0:1239e9b70ca2	694	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	695	fprintf(TraceFile, "\tServer SYN, Sequence Start:%u\n", seq);
wolfSSL	0:1239e9b70ca2	696	}
wolfSSL	0:1239e9b70ca2	697	}
wolfSSL	0:1239e9b70ca2	698
wolfSSL	0:1239e9b70ca2	699
wolfSSL	0:1239e9b70ca2	700	/* Show client sequence startup from SYN */
wolfSSL	0:1239e9b70ca2	701	static void TraceClientSyn(word32 seq)
wolfSSL	0:1239e9b70ca2	702	{
wolfSSL	0:1239e9b70ca2	703	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	704	fprintf(TraceFile, "\tClient SYN, Sequence Start:%u\n", seq);
wolfSSL	0:1239e9b70ca2	705	}
wolfSSL	0:1239e9b70ca2	706	}
wolfSSL	0:1239e9b70ca2	707
wolfSSL	0:1239e9b70ca2	708
wolfSSL	0:1239e9b70ca2	709	/* Show client FIN capture */
wolfSSL	0:1239e9b70ca2	710	static void TraceClientFin(word32 finSeq, word32 relSeq)
wolfSSL	0:1239e9b70ca2	711	{
wolfSSL	0:1239e9b70ca2	712	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	713	fprintf(TraceFile, "\tClient FIN capture:%u, current SEQ:%u\n",
wolfSSL	0:1239e9b70ca2	714	finSeq, relSeq);
wolfSSL	0:1239e9b70ca2	715	}
wolfSSL	0:1239e9b70ca2	716	}
wolfSSL	0:1239e9b70ca2	717
wolfSSL	0:1239e9b70ca2	718
wolfSSL	0:1239e9b70ca2	719	/* Show server FIN capture */
wolfSSL	0:1239e9b70ca2	720	static void TraceServerFin(word32 finSeq, word32 relSeq)
wolfSSL	0:1239e9b70ca2	721	{
wolfSSL	0:1239e9b70ca2	722	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	723	fprintf(TraceFile, "\tServer FIN capture:%u, current SEQ:%u\n",
wolfSSL	0:1239e9b70ca2	724	finSeq, relSeq);
wolfSSL	0:1239e9b70ca2	725	}
wolfSSL	0:1239e9b70ca2	726	}
wolfSSL	0:1239e9b70ca2	727
wolfSSL	0:1239e9b70ca2	728
wolfSSL	0:1239e9b70ca2	729	/* Show number of SSL data bytes decoded, could be 0 (ok) */
wolfSSL	0:1239e9b70ca2	730	static void TraceGotData(int bytes)
wolfSSL	0:1239e9b70ca2	731	{
wolfSSL	0:1239e9b70ca2	732	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	733	fprintf(TraceFile, "\t%d bytes of SSL App data processed\n", bytes);
wolfSSL	0:1239e9b70ca2	734	}
wolfSSL	0:1239e9b70ca2	735	}
wolfSSL	0:1239e9b70ca2	736
wolfSSL	0:1239e9b70ca2	737
wolfSSL	0:1239e9b70ca2	738	/* Show bytes added to old SSL App data */
wolfSSL	0:1239e9b70ca2	739	static void TraceAddedData(int newBytes, int existingBytes)
wolfSSL	0:1239e9b70ca2	740	{
wolfSSL	0:1239e9b70ca2	741	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	742	fprintf(TraceFile,
wolfSSL	0:1239e9b70ca2	743	"\t%d bytes added to %d exisiting bytes in User Buffer\n",
wolfSSL	0:1239e9b70ca2	744	newBytes, existingBytes);
wolfSSL	0:1239e9b70ca2	745	}
wolfSSL	0:1239e9b70ca2	746	}
wolfSSL	0:1239e9b70ca2	747
wolfSSL	0:1239e9b70ca2	748
wolfSSL	0:1239e9b70ca2	749	/* Show Stale Session */
wolfSSL	0:1239e9b70ca2	750	static void TraceStaleSession(void)
wolfSSL	0:1239e9b70ca2	751	{
wolfSSL	0:1239e9b70ca2	752	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	753	fprintf(TraceFile, "\tFound a stale session\n");
wolfSSL	0:1239e9b70ca2	754	}
wolfSSL	0:1239e9b70ca2	755	}
wolfSSL	0:1239e9b70ca2	756
wolfSSL	0:1239e9b70ca2	757
wolfSSL	0:1239e9b70ca2	758	/* Show Finding Stale Sessions */
wolfSSL	0:1239e9b70ca2	759	static void TraceFindingStale(void)
wolfSSL	0:1239e9b70ca2	760	{
wolfSSL	0:1239e9b70ca2	761	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	762	fprintf(TraceFile, "\tTrying to find Stale Sessions\n");
wolfSSL	0:1239e9b70ca2	763	}
wolfSSL	0:1239e9b70ca2	764	}
wolfSSL	0:1239e9b70ca2	765
wolfSSL	0:1239e9b70ca2	766
wolfSSL	0:1239e9b70ca2	767	/* Show Removed Session */
wolfSSL	0:1239e9b70ca2	768	static void TraceRemovedSession(void)
wolfSSL	0:1239e9b70ca2	769	{
wolfSSL	0:1239e9b70ca2	770	if (TraceOn) {
wolfSSL	0:1239e9b70ca2	771	fprintf(TraceFile, "\tRemoved it\n");
wolfSSL	0:1239e9b70ca2	772	}
wolfSSL	0:1239e9b70ca2	773	}
wolfSSL	0:1239e9b70ca2	774
wolfSSL	0:1239e9b70ca2	775
wolfSSL	0:1239e9b70ca2	776	/* Set user error string */
wolfSSL	0:1239e9b70ca2	777	static void SetError(int idx, char* error, SnifferSession* session, int fatal)
wolfSSL	0:1239e9b70ca2	778	{
wolfSSL	0:1239e9b70ca2	779	GetError(idx, error);
wolfSSL	0:1239e9b70ca2	780	Trace(idx);
wolfSSL	0:1239e9b70ca2	781	if (session && fatal == FATAL_ERROR_STATE)
wolfSSL	0:1239e9b70ca2	782	session->flags.fatalError = 1;
wolfSSL	0:1239e9b70ca2	783	}
wolfSSL	0:1239e9b70ca2	784
wolfSSL	0:1239e9b70ca2	785
wolfSSL	0:1239e9b70ca2	786	/* See if this IPV4 network order address has been registered */
wolfSSL	0:1239e9b70ca2	787	/* return 1 is true, 0 is false */
wolfSSL	0:1239e9b70ca2	788	static int IsServerRegistered(word32 addr)
wolfSSL	0:1239e9b70ca2	789	{
wolfSSL	0:1239e9b70ca2	790	int ret = 0; /* false */
wolfSSL	0:1239e9b70ca2	791	SnifferServer* sniffer;
wolfSSL	0:1239e9b70ca2	792
wolfSSL	0:1239e9b70ca2	793	LockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	794
wolfSSL	0:1239e9b70ca2	795	sniffer = ServerList;
wolfSSL	0:1239e9b70ca2	796	while (sniffer) {
wolfSSL	0:1239e9b70ca2	797	if (sniffer->server == addr) {
wolfSSL	0:1239e9b70ca2	798	ret = 1;
wolfSSL	0:1239e9b70ca2	799	break;
wolfSSL	0:1239e9b70ca2	800	}
wolfSSL	0:1239e9b70ca2	801	sniffer = sniffer->next;
wolfSSL	0:1239e9b70ca2	802	}
wolfSSL	0:1239e9b70ca2	803
wolfSSL	0:1239e9b70ca2	804	UnLockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	805
wolfSSL	0:1239e9b70ca2	806	return ret;
wolfSSL	0:1239e9b70ca2	807	}
wolfSSL	0:1239e9b70ca2	808
wolfSSL	0:1239e9b70ca2	809
wolfSSL	0:1239e9b70ca2	810	/* See if this port has been registered to watch */
wolfSSL	0:1239e9b70ca2	811	/* return 1 is true, 0 is false */
wolfSSL	0:1239e9b70ca2	812	static int IsPortRegistered(word32 port)
wolfSSL	0:1239e9b70ca2	813	{
wolfSSL	0:1239e9b70ca2	814	int ret = 0; /* false */
wolfSSL	0:1239e9b70ca2	815	SnifferServer* sniffer;
wolfSSL	0:1239e9b70ca2	816
wolfSSL	0:1239e9b70ca2	817	LockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	818
wolfSSL	0:1239e9b70ca2	819	sniffer = ServerList;
wolfSSL	0:1239e9b70ca2	820	while (sniffer) {
wolfSSL	0:1239e9b70ca2	821	if (sniffer->port == (int)port) {
wolfSSL	0:1239e9b70ca2	822	ret = 1;
wolfSSL	0:1239e9b70ca2	823	break;
wolfSSL	0:1239e9b70ca2	824	}
wolfSSL	0:1239e9b70ca2	825	sniffer = sniffer->next;
wolfSSL	0:1239e9b70ca2	826	}
wolfSSL	0:1239e9b70ca2	827
wolfSSL	0:1239e9b70ca2	828	UnLockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	829
wolfSSL	0:1239e9b70ca2	830	return ret;
wolfSSL	0:1239e9b70ca2	831	}
wolfSSL	0:1239e9b70ca2	832
wolfSSL	0:1239e9b70ca2	833
wolfSSL	0:1239e9b70ca2	834	/* Get SnifferServer from IP and Port */
wolfSSL	0:1239e9b70ca2	835	static SnifferServer* GetSnifferServer(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	0:1239e9b70ca2	836	{
wolfSSL	0:1239e9b70ca2	837	SnifferServer* sniffer;
wolfSSL	0:1239e9b70ca2	838
wolfSSL	0:1239e9b70ca2	839	LockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	840
wolfSSL	0:1239e9b70ca2	841	sniffer = ServerList;
wolfSSL	0:1239e9b70ca2	842	while (sniffer) {
wolfSSL	0:1239e9b70ca2	843	if (sniffer->port == tcpInfo->srcPort && sniffer->server == ipInfo->src)
wolfSSL	0:1239e9b70ca2	844	break;
wolfSSL	0:1239e9b70ca2	845	if (sniffer->port == tcpInfo->dstPort && sniffer->server == ipInfo->dst)
wolfSSL	0:1239e9b70ca2	846	break;
wolfSSL	0:1239e9b70ca2	847	sniffer = sniffer->next;
wolfSSL	0:1239e9b70ca2	848	}
wolfSSL	0:1239e9b70ca2	849
wolfSSL	0:1239e9b70ca2	850	UnLockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	851
wolfSSL	0:1239e9b70ca2	852	return sniffer;
wolfSSL	0:1239e9b70ca2	853	}
wolfSSL	0:1239e9b70ca2	854
wolfSSL	0:1239e9b70ca2	855
wolfSSL	0:1239e9b70ca2	856	/* Hash the Session Info, return hash row */
wolfSSL	0:1239e9b70ca2	857	static word32 SessionHash(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	0:1239e9b70ca2	858	{
wolfSSL	0:1239e9b70ca2	859	word32 hash = ipInfo->src * ipInfo->dst;
wolfSSL	0:1239e9b70ca2	860	hash = tcpInfo->srcPort tcpInfo->dstPort;
wolfSSL	0:1239e9b70ca2	861
wolfSSL	0:1239e9b70ca2	862	return hash % HASH_SIZE;
wolfSSL	0:1239e9b70ca2	863	}
wolfSSL	0:1239e9b70ca2	864
wolfSSL	0:1239e9b70ca2	865
wolfSSL	0:1239e9b70ca2	866	/* Get Exisiting SnifferSession from IP and Port */
wolfSSL	0:1239e9b70ca2	867	static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	0:1239e9b70ca2	868	{
wolfSSL	0:1239e9b70ca2	869	SnifferSession* session;
wolfSSL	0:1239e9b70ca2	870	time_t currTime = time(NULL);
wolfSSL	0:1239e9b70ca2	871	word32 row = SessionHash(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	872
wolfSSL	0:1239e9b70ca2	873	assert(row <= HASH_SIZE);
wolfSSL	0:1239e9b70ca2	874
wolfSSL	0:1239e9b70ca2	875	LockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	876
wolfSSL	0:1239e9b70ca2	877	session = SessionTable[row];
wolfSSL	0:1239e9b70ca2	878	while (session) {
wolfSSL	0:1239e9b70ca2	879	if (session->server == ipInfo->src && session->client == ipInfo->dst &&
wolfSSL	0:1239e9b70ca2	880	session->srvPort == tcpInfo->srcPort &&
wolfSSL	0:1239e9b70ca2	881	session->cliPort == tcpInfo->dstPort)
wolfSSL	0:1239e9b70ca2	882	break;
wolfSSL	0:1239e9b70ca2	883	if (session->client == ipInfo->src && session->server == ipInfo->dst &&
wolfSSL	0:1239e9b70ca2	884	session->cliPort == tcpInfo->srcPort &&
wolfSSL	0:1239e9b70ca2	885	session->srvPort == tcpInfo->dstPort)
wolfSSL	0:1239e9b70ca2	886	break;
wolfSSL	0:1239e9b70ca2	887
wolfSSL	0:1239e9b70ca2	888	session = session->next;
wolfSSL	0:1239e9b70ca2	889	}
wolfSSL	0:1239e9b70ca2	890
wolfSSL	0:1239e9b70ca2	891	if (session)
wolfSSL	0:1239e9b70ca2	892	session->lastUsed= currTime; /* keep session alive, remove stale will */
wolfSSL	0:1239e9b70ca2	893	/* leave alone */
wolfSSL	0:1239e9b70ca2	894	UnLockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	895
wolfSSL	0:1239e9b70ca2	896	/* determine side */
wolfSSL	0:1239e9b70ca2	897	if (session) {
wolfSSL	0:1239e9b70ca2	898	if (ipInfo->dst == session->context->server &&
wolfSSL	0:1239e9b70ca2	899	tcpInfo->dstPort == session->context->port)
wolfSSL	0:1239e9b70ca2	900	session->flags.side = CYASSL_SERVER_END;
wolfSSL	0:1239e9b70ca2	901	else
wolfSSL	0:1239e9b70ca2	902	session->flags.side = CYASSL_CLIENT_END;
wolfSSL	0:1239e9b70ca2	903	}
wolfSSL	0:1239e9b70ca2	904
wolfSSL	0:1239e9b70ca2	905	return session;
wolfSSL	0:1239e9b70ca2	906	}
wolfSSL	0:1239e9b70ca2	907
wolfSSL	0:1239e9b70ca2	908
wolfSSL	0:1239e9b70ca2	909	/* Sets the private key for a specific server and port */
wolfSSL	0:1239e9b70ca2	910	/* returns 0 on success, -1 on error */
wolfSSL	0:1239e9b70ca2	911	int ssl_SetPrivateKey(const char* serverAddress, int port, const char* keyFile,
wolfSSL	0:1239e9b70ca2	912	int typeKey, const char* password, char* error)
wolfSSL	0:1239e9b70ca2	913	{
wolfSSL	0:1239e9b70ca2	914	int ret;
wolfSSL	0:1239e9b70ca2	915	int type = (typeKey == FILETYPE_PEM) ? SSL_FILETYPE_PEM :
wolfSSL	0:1239e9b70ca2	916	SSL_FILETYPE_ASN1;
wolfSSL	0:1239e9b70ca2	917	SnifferServer* sniffer;
wolfSSL	0:1239e9b70ca2	918
wolfSSL	0:1239e9b70ca2	919	TraceHeader();
wolfSSL	0:1239e9b70ca2	920	TraceSetServer(serverAddress, port, keyFile);
wolfSSL	0:1239e9b70ca2	921
wolfSSL	0:1239e9b70ca2	922	sniffer = (SnifferServer*)malloc(sizeof(SnifferServer));
wolfSSL	0:1239e9b70ca2	923	if (sniffer == NULL) {
wolfSSL	0:1239e9b70ca2	924	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	925	return -1;
wolfSSL	0:1239e9b70ca2	926	}
wolfSSL	0:1239e9b70ca2	927	InitSnifferServer(sniffer);
wolfSSL	0:1239e9b70ca2	928
wolfSSL	0:1239e9b70ca2	929	XSTRNCPY(sniffer->address, serverAddress, MAX_SERVER_ADDRESS);
wolfSSL	0:1239e9b70ca2	930	sniffer->server = inet_addr(sniffer->address);
wolfSSL	0:1239e9b70ca2	931	sniffer->port = port;
wolfSSL	0:1239e9b70ca2	932
wolfSSL	0:1239e9b70ca2	933	/* start in client mode since SSL_new needs a cert for server */
wolfSSL	0:1239e9b70ca2	934	sniffer->ctx = SSL_CTX_new(SSLv3_client_method());
wolfSSL	0:1239e9b70ca2	935	if (!sniffer->ctx) {
wolfSSL	0:1239e9b70ca2	936	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	937	FreeSnifferServer(sniffer);
wolfSSL	0:1239e9b70ca2	938	return -1;
wolfSSL	0:1239e9b70ca2	939	}
wolfSSL	0:1239e9b70ca2	940
wolfSSL	0:1239e9b70ca2	941	if (password){
wolfSSL	0:1239e9b70ca2	942	SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);
wolfSSL	0:1239e9b70ca2	943	SSL_CTX_set_default_passwd_cb_userdata(sniffer->ctx, (void*)password);
wolfSSL	0:1239e9b70ca2	944	}
wolfSSL	0:1239e9b70ca2	945	ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type);
wolfSSL	0:1239e9b70ca2	946	if (ret != SSL_SUCCESS) {
wolfSSL	0:1239e9b70ca2	947	SetError(KEY_FILE_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	948	FreeSnifferServer(sniffer);
wolfSSL	0:1239e9b70ca2	949	return -1;
wolfSSL	0:1239e9b70ca2	950	}
wolfSSL	0:1239e9b70ca2	951	Trace(NEW_SERVER_STR);
wolfSSL	0:1239e9b70ca2	952
wolfSSL	0:1239e9b70ca2	953	LockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	954
wolfSSL	0:1239e9b70ca2	955	sniffer->next = ServerList;
wolfSSL	0:1239e9b70ca2	956	ServerList = sniffer;
wolfSSL	0:1239e9b70ca2	957
wolfSSL	0:1239e9b70ca2	958	UnLockMutex(&ServerListMutex);
wolfSSL	0:1239e9b70ca2	959
wolfSSL	0:1239e9b70ca2	960	return 0;
wolfSSL	0:1239e9b70ca2	961	}
wolfSSL	0:1239e9b70ca2	962
wolfSSL	0:1239e9b70ca2	963
wolfSSL	0:1239e9b70ca2	964	/* Check IP Header for IPV4, TCP, and a registered server address */
wolfSSL	0:1239e9b70ca2	965	/* returns 0 on success, -1 on error */
wolfSSL	0:1239e9b70ca2	966	static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error)
wolfSSL	0:1239e9b70ca2	967	{
wolfSSL	0:1239e9b70ca2	968	int version = IP_V(iphdr);
wolfSSL	0:1239e9b70ca2	969
wolfSSL	0:1239e9b70ca2	970	TraceIP(iphdr);
wolfSSL	0:1239e9b70ca2	971	Trace(IP_CHECK_STR);
wolfSSL	0:1239e9b70ca2	972
wolfSSL	0:1239e9b70ca2	973	if (version != IPV4) {
wolfSSL	0:1239e9b70ca2	974	SetError(BAD_IPVER_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	975	return -1;
wolfSSL	0:1239e9b70ca2	976	}
wolfSSL	0:1239e9b70ca2	977
wolfSSL	0:1239e9b70ca2	978	if (iphdr->protocol != TCP_PROTOCOL) {
wolfSSL	0:1239e9b70ca2	979	SetError(BAD_PROTO_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	980	return -1;
wolfSSL	0:1239e9b70ca2	981	}
wolfSSL	0:1239e9b70ca2	982
wolfSSL	0:1239e9b70ca2	983	if (!IsServerRegistered(iphdr->src) && !IsServerRegistered(iphdr->dst)) {
wolfSSL	0:1239e9b70ca2	984	SetError(SERVER_NOT_REG_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	985	return -1;
wolfSSL	0:1239e9b70ca2	986	}
wolfSSL	0:1239e9b70ca2	987
wolfSSL	0:1239e9b70ca2	988	info->length = IP_HL(iphdr);
wolfSSL	0:1239e9b70ca2	989	info->total = ntohs(iphdr->length);
wolfSSL	0:1239e9b70ca2	990	info->src = iphdr->src;
wolfSSL	0:1239e9b70ca2	991	info->dst = iphdr->dst;
wolfSSL	0:1239e9b70ca2	992
wolfSSL	0:1239e9b70ca2	993	if (info->total == 0)
wolfSSL	0:1239e9b70ca2	994	info->total = length; /* reassembled may be off */
wolfSSL	0:1239e9b70ca2	995
wolfSSL	0:1239e9b70ca2	996	return 0;
wolfSSL	0:1239e9b70ca2	997	}
wolfSSL	0:1239e9b70ca2	998
wolfSSL	0:1239e9b70ca2	999
wolfSSL	0:1239e9b70ca2	1000	/* Check TCP Header for a registered port */
wolfSSL	0:1239e9b70ca2	1001	/* returns 0 on success, -1 on error */
wolfSSL	0:1239e9b70ca2	1002	static int CheckTcpHdr(TcpHdr* tcphdr, TcpInfo* info, char* error)
wolfSSL	0:1239e9b70ca2	1003	{
wolfSSL	0:1239e9b70ca2	1004	TraceTcp(tcphdr);
wolfSSL	0:1239e9b70ca2	1005	Trace(TCP_CHECK_STR);
wolfSSL	0:1239e9b70ca2	1006	info->srcPort = ntohs(tcphdr->srcPort);
wolfSSL	0:1239e9b70ca2	1007	info->dstPort = ntohs(tcphdr->dstPort);
wolfSSL	0:1239e9b70ca2	1008	info->length = TCP_LEN(tcphdr);
wolfSSL	0:1239e9b70ca2	1009	info->sequence = ntohl(tcphdr->sequence);
wolfSSL	0:1239e9b70ca2	1010	info->fin = tcphdr->flags & TCP_FIN;
wolfSSL	0:1239e9b70ca2	1011	info->rst = tcphdr->flags & TCP_RST;
wolfSSL	0:1239e9b70ca2	1012	info->syn = tcphdr->flags & TCP_SYN;
wolfSSL	0:1239e9b70ca2	1013	info->ack = tcphdr->flags & TCP_ACK;
wolfSSL	0:1239e9b70ca2	1014	if (info->ack)
wolfSSL	0:1239e9b70ca2	1015	info->ackNumber = ntohl(tcphdr->ack);
wolfSSL	0:1239e9b70ca2	1016
wolfSSL	0:1239e9b70ca2	1017	if (!IsPortRegistered(info->srcPort) && !IsPortRegistered(info->dstPort)) {
wolfSSL	0:1239e9b70ca2	1018	SetError(SERVER_PORT_NOT_REG_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1019	return -1;
wolfSSL	0:1239e9b70ca2	1020	}
wolfSSL	0:1239e9b70ca2	1021
wolfSSL	0:1239e9b70ca2	1022	return 0;
wolfSSL	0:1239e9b70ca2	1023	}
wolfSSL	0:1239e9b70ca2	1024
wolfSSL	0:1239e9b70ca2	1025
wolfSSL	0:1239e9b70ca2	1026	/* Decode Record Layer Header */
wolfSSL	0:1239e9b70ca2	1027	static int GetRecordHeader(const byte* input, RecordLayerHeader* rh, int* size)
wolfSSL	0:1239e9b70ca2	1028	{
wolfSSL	0:1239e9b70ca2	1029	XMEMCPY(rh, input, RECORD_HEADER_SZ);
wolfSSL	0:1239e9b70ca2	1030	*size = (rh->length[0] << 8) \| rh->length[1];
wolfSSL	0:1239e9b70ca2	1031
wolfSSL	0:1239e9b70ca2	1032	if (*size > (MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA))
wolfSSL	0:1239e9b70ca2	1033	return LENGTH_ERROR;
wolfSSL	0:1239e9b70ca2	1034
wolfSSL	0:1239e9b70ca2	1035	return 0;
wolfSSL	0:1239e9b70ca2	1036	}
wolfSSL	0:1239e9b70ca2	1037
wolfSSL	0:1239e9b70ca2	1038
wolfSSL	0:1239e9b70ca2	1039	/* Process Client Key Exchange, RSA only */
wolfSSL	0:1239e9b70ca2	1040	static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1041	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1042	{
wolfSSL	0:1239e9b70ca2	1043	word32 idx = 0;
wolfSSL	0:1239e9b70ca2	1044	RsaKey key;
wolfSSL	0:1239e9b70ca2	1045	int ret;
wolfSSL	0:1239e9b70ca2	1046
wolfSSL	0:1239e9b70ca2	1047	ret = InitRsaKey(&key, 0);
wolfSSL	0:1239e9b70ca2	1048	if (ret == 0)
wolfSSL	0:1239e9b70ca2	1049	ret = RsaPrivateKeyDecode(session->context->ctx->privateKey.buffer,
wolfSSL	0:1239e9b70ca2	1050	&idx, &key, session->context->ctx->privateKey.length);
wolfSSL	0:1239e9b70ca2	1051	if (ret == 0) {
wolfSSL	0:1239e9b70ca2	1052	int length = RsaEncryptSize(&key);
wolfSSL	0:1239e9b70ca2	1053
wolfSSL	0:1239e9b70ca2	1054	if (IsTLS(session->sslServer))
wolfSSL	0:1239e9b70ca2	1055	input += 2; /* tls pre length */
wolfSSL	0:1239e9b70ca2	1056
wolfSSL	0:1239e9b70ca2	1057	if (length > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1058	SetError(PARTIAL_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1059	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1060	return -1;
wolfSSL	0:1239e9b70ca2	1061	}
wolfSSL	0:1239e9b70ca2	1062	ret = RsaPrivateDecrypt(input, length,
wolfSSL	0:1239e9b70ca2	1063	session->sslServer->arrays->preMasterSecret,SECRET_LEN, &key);
wolfSSL	0:1239e9b70ca2	1064
wolfSSL	0:1239e9b70ca2	1065	if (ret != SECRET_LEN) {
wolfSSL	0:1239e9b70ca2	1066	SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1067	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1068	return -1;
wolfSSL	0:1239e9b70ca2	1069	}
wolfSSL	0:1239e9b70ca2	1070	ret = 0; /* not in error state */
wolfSSL	0:1239e9b70ca2	1071	session->sslServer->arrays->preMasterSz = SECRET_LEN;
wolfSSL	0:1239e9b70ca2	1072
wolfSSL	0:1239e9b70ca2	1073	/* store for client side as well */
wolfSSL	0:1239e9b70ca2	1074	XMEMCPY(session->sslClient->arrays->preMasterSecret,
wolfSSL	0:1239e9b70ca2	1075	session->sslServer->arrays->preMasterSecret, SECRET_LEN);
wolfSSL	0:1239e9b70ca2	1076	session->sslClient->arrays->preMasterSz = SECRET_LEN;
wolfSSL	0:1239e9b70ca2	1077
wolfSSL	0:1239e9b70ca2	1078	#ifdef SHOW_SECRETS
wolfSSL	0:1239e9b70ca2	1079	{
wolfSSL	0:1239e9b70ca2	1080	int i;
wolfSSL	0:1239e9b70ca2	1081	printf("pre master secret: ");
wolfSSL	0:1239e9b70ca2	1082	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	0:1239e9b70ca2	1083	printf("%02x", session->sslServer->arrays->preMasterSecret[i]);
wolfSSL	0:1239e9b70ca2	1084	printf("\n");
wolfSSL	0:1239e9b70ca2	1085	}
wolfSSL	0:1239e9b70ca2	1086	#endif
wolfSSL	0:1239e9b70ca2	1087	}
wolfSSL	0:1239e9b70ca2	1088	else {
wolfSSL	0:1239e9b70ca2	1089	SetError(RSA_DECODE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1090	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1091	return -1;
wolfSSL	0:1239e9b70ca2	1092	}
wolfSSL	0:1239e9b70ca2	1093
wolfSSL	0:1239e9b70ca2	1094	if (SetCipherSpecs(session->sslServer) != 0) {
wolfSSL	0:1239e9b70ca2	1095	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1096	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1097	return -1;
wolfSSL	0:1239e9b70ca2	1098	}
wolfSSL	0:1239e9b70ca2	1099
wolfSSL	0:1239e9b70ca2	1100	if (SetCipherSpecs(session->sslClient) != 0) {
wolfSSL	0:1239e9b70ca2	1101	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1102	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1103	return -1;
wolfSSL	0:1239e9b70ca2	1104	}
wolfSSL	0:1239e9b70ca2	1105
wolfSSL	0:1239e9b70ca2	1106	MakeMasterSecret(session->sslServer);
wolfSSL	0:1239e9b70ca2	1107	MakeMasterSecret(session->sslClient);
wolfSSL	0:1239e9b70ca2	1108	#ifdef SHOW_SECRETS
wolfSSL	0:1239e9b70ca2	1109	{
wolfSSL	0:1239e9b70ca2	1110	int i;
wolfSSL	0:1239e9b70ca2	1111	printf("server master secret: ");
wolfSSL	0:1239e9b70ca2	1112	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	0:1239e9b70ca2	1113	printf("%02x", session->sslServer->arrays->masterSecret[i]);
wolfSSL	0:1239e9b70ca2	1114	printf("\n");
wolfSSL	0:1239e9b70ca2	1115
wolfSSL	0:1239e9b70ca2	1116	printf("client master secret: ");
wolfSSL	0:1239e9b70ca2	1117	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	0:1239e9b70ca2	1118	printf("%02x", session->sslClient->arrays->masterSecret[i]);
wolfSSL	0:1239e9b70ca2	1119	printf("\n");
wolfSSL	0:1239e9b70ca2	1120
wolfSSL	0:1239e9b70ca2	1121	printf("server suite = %d\n", session->sslServer->options.cipherSuite);
wolfSSL	0:1239e9b70ca2	1122	printf("client suite = %d\n", session->sslClient->options.cipherSuite);
wolfSSL	0:1239e9b70ca2	1123	}
wolfSSL	0:1239e9b70ca2	1124	#endif
wolfSSL	0:1239e9b70ca2	1125
wolfSSL	0:1239e9b70ca2	1126	FreeRsaKey(&key);
wolfSSL	0:1239e9b70ca2	1127	return ret;
wolfSSL	0:1239e9b70ca2	1128	}
wolfSSL	0:1239e9b70ca2	1129
wolfSSL	0:1239e9b70ca2	1130
wolfSSL	0:1239e9b70ca2	1131	/* Process Session Ticket */
wolfSSL	0:1239e9b70ca2	1132	static int ProcessSessionTicket(const byte* input, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1133	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1134	{
wolfSSL	0:1239e9b70ca2	1135	word16 len;
wolfSSL	0:1239e9b70ca2	1136
wolfSSL	0:1239e9b70ca2	1137	/* make sure can read through hint and len */
wolfSSL	0:1239e9b70ca2	1138	if (TICKET_HINT_LEN + LENGTH_SZ > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1139	SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1140	return -1;
wolfSSL	0:1239e9b70ca2	1141	}
wolfSSL	0:1239e9b70ca2	1142
wolfSSL	0:1239e9b70ca2	1143	input += TICKET_HINT_LEN; /* skip over hint */
wolfSSL	0:1239e9b70ca2	1144	*sslBytes -= TICKET_HINT_LEN;
wolfSSL	0:1239e9b70ca2	1145
wolfSSL	0:1239e9b70ca2	1146	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	0:1239e9b70ca2	1147	input += LENGTH_SZ;
wolfSSL	0:1239e9b70ca2	1148	*sslBytes -= LENGTH_SZ;
wolfSSL	0:1239e9b70ca2	1149
wolfSSL	0:1239e9b70ca2	1150	/* make sure can read through ticket */
wolfSSL	0:1239e9b70ca2	1151	if (len > *sslBytes \|\| len < ID_LEN) {
wolfSSL	0:1239e9b70ca2	1152	SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1153	return -1;
wolfSSL	0:1239e9b70ca2	1154	}
wolfSSL	0:1239e9b70ca2	1155
wolfSSL	0:1239e9b70ca2	1156	/* store session with macID as sessionID */
wolfSSL	0:1239e9b70ca2	1157	session->sslServer->options.haveSessionId = 1;
wolfSSL	0:1239e9b70ca2	1158	XMEMCPY(session->sslServer->arrays->sessionID, input + len - ID_LEN,ID_LEN);
wolfSSL	0:1239e9b70ca2	1159
wolfSSL	0:1239e9b70ca2	1160	return 0;
wolfSSL	0:1239e9b70ca2	1161	}
wolfSSL	0:1239e9b70ca2	1162
wolfSSL	0:1239e9b70ca2	1163
wolfSSL	0:1239e9b70ca2	1164	/* Process Server Hello */
wolfSSL	0:1239e9b70ca2	1165	static int ProcessServerHello(const byte* input, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1166	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1167	{
wolfSSL	0:1239e9b70ca2	1168	ProtocolVersion pv;
wolfSSL	0:1239e9b70ca2	1169	byte b;
wolfSSL	0:1239e9b70ca2	1170	int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
wolfSSL	0:1239e9b70ca2	1171	int doResume = 0;
wolfSSL	0:1239e9b70ca2	1172
wolfSSL	0:1239e9b70ca2	1173	/* make sure we didn't miss ClientHello */
wolfSSL	0:1239e9b70ca2	1174	if (session->flags.clientHello == 0) {
wolfSSL	0:1239e9b70ca2	1175	SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1176	return -1;
wolfSSL	0:1239e9b70ca2	1177	}
wolfSSL	0:1239e9b70ca2	1178
wolfSSL	0:1239e9b70ca2	1179	/* make sure can read through session len */
wolfSSL	0:1239e9b70ca2	1180	if (toRead > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1181	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1182	return -1;
wolfSSL	0:1239e9b70ca2	1183	}
wolfSSL	0:1239e9b70ca2	1184
wolfSSL	0:1239e9b70ca2	1185	XMEMCPY(&pv, input, VERSION_SZ);
wolfSSL	0:1239e9b70ca2	1186	input += VERSION_SZ;
wolfSSL	0:1239e9b70ca2	1187	*sslBytes -= VERSION_SZ;
wolfSSL	0:1239e9b70ca2	1188
wolfSSL	0:1239e9b70ca2	1189	session->sslServer->version = pv;
wolfSSL	0:1239e9b70ca2	1190	session->sslClient->version = pv;
wolfSSL	0:1239e9b70ca2	1191
wolfSSL	0:1239e9b70ca2	1192	XMEMCPY(session->sslServer->arrays->serverRandom, input, RAN_LEN);
wolfSSL	0:1239e9b70ca2	1193	XMEMCPY(session->sslClient->arrays->serverRandom, input, RAN_LEN);
wolfSSL	0:1239e9b70ca2	1194	input += RAN_LEN;
wolfSSL	0:1239e9b70ca2	1195	*sslBytes -= RAN_LEN;
wolfSSL	0:1239e9b70ca2	1196
wolfSSL	0:1239e9b70ca2	1197	b = *input++;
wolfSSL	0:1239e9b70ca2	1198	*sslBytes -= 1;
wolfSSL	0:1239e9b70ca2	1199
wolfSSL	0:1239e9b70ca2	1200	/* make sure can read through compression */
wolfSSL	0:1239e9b70ca2	1201	if ( (b + SUITE_LEN + ENUM_LEN) > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1202	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1203	return -1;
wolfSSL	0:1239e9b70ca2	1204	}
wolfSSL	0:1239e9b70ca2	1205	if (b) {
wolfSSL	0:1239e9b70ca2	1206	XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN);
wolfSSL	0:1239e9b70ca2	1207	session->sslServer->options.haveSessionId = 1;
wolfSSL	0:1239e9b70ca2	1208	}
wolfSSL	0:1239e9b70ca2	1209	input += b;
wolfSSL	0:1239e9b70ca2	1210	*sslBytes -= b;
wolfSSL	0:1239e9b70ca2	1211
wolfSSL	0:1239e9b70ca2	1212	/* cipher suite */
wolfSSL	0:1239e9b70ca2	1213	b = input++; / first byte, ECC or not */
wolfSSL	0:1239e9b70ca2	1214	session->sslServer->options.cipherSuite0 = b;
wolfSSL	0:1239e9b70ca2	1215	session->sslClient->options.cipherSuite0 = b;
wolfSSL	0:1239e9b70ca2	1216	b = *input++;
wolfSSL	0:1239e9b70ca2	1217	session->sslServer->options.cipherSuite = b;
wolfSSL	0:1239e9b70ca2	1218	session->sslClient->options.cipherSuite = b;
wolfSSL	0:1239e9b70ca2	1219	*sslBytes -= SUITE_LEN;
wolfSSL	0:1239e9b70ca2	1220
wolfSSL	0:1239e9b70ca2	1221	/* compression */
wolfSSL	0:1239e9b70ca2	1222	b = *input++;
wolfSSL	0:1239e9b70ca2	1223	*sslBytes -= ENUM_LEN;
wolfSSL	0:1239e9b70ca2	1224
wolfSSL	0:1239e9b70ca2	1225	if (b) {
wolfSSL	0:1239e9b70ca2	1226	SetError(BAD_COMPRESSION_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1227	return -1;
wolfSSL	0:1239e9b70ca2	1228	}
wolfSSL	0:1239e9b70ca2	1229
wolfSSL	0:1239e9b70ca2	1230	if (session->sslServer->options.haveSessionId &&
wolfSSL	0:1239e9b70ca2	1231	XMEMCMP(session->sslServer->arrays->sessionID,
wolfSSL	0:1239e9b70ca2	1232	session->sslClient->arrays->sessionID, ID_LEN) == 0)
wolfSSL	0:1239e9b70ca2	1233	doResume = 1;
wolfSSL	0:1239e9b70ca2	1234	else if (session->sslClient->options.haveSessionId == 0 &&
wolfSSL	0:1239e9b70ca2	1235	session->sslServer->options.haveSessionId == 0 &&
wolfSSL	0:1239e9b70ca2	1236	session->ticketID)
wolfSSL	0:1239e9b70ca2	1237	doResume = 1;
wolfSSL	0:1239e9b70ca2	1238
wolfSSL	0:1239e9b70ca2	1239	if (session->ticketID && doResume) {
wolfSSL	0:1239e9b70ca2	1240	/* use ticketID to retrieve from session, prefer over sessionID */
wolfSSL	0:1239e9b70ca2	1241	XMEMCPY(session->sslServer->arrays->sessionID,session->ticketID,ID_LEN);
wolfSSL	0:1239e9b70ca2	1242	session->sslServer->options.haveSessionId = 1; /* may not have
wolfSSL	0:1239e9b70ca2	1243	actual sessionID */
wolfSSL	0:1239e9b70ca2	1244	}
wolfSSL	0:1239e9b70ca2	1245
wolfSSL	0:1239e9b70ca2	1246	if (doResume ) {
wolfSSL	0:1239e9b70ca2	1247	int ret = 0;
wolfSSL	0:1239e9b70ca2	1248	SSL_SESSION* resume = GetSession(session->sslServer,
wolfSSL	0:1239e9b70ca2	1249	session->sslServer->arrays->masterSecret);
wolfSSL	0:1239e9b70ca2	1250	if (resume == NULL) {
wolfSSL	0:1239e9b70ca2	1251	SetError(BAD_SESSION_RESUME_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1252	return -1;
wolfSSL	0:1239e9b70ca2	1253	}
wolfSSL	0:1239e9b70ca2	1254	/* make sure client has master secret too */
wolfSSL	0:1239e9b70ca2	1255	XMEMCPY(session->sslClient->arrays->masterSecret,
wolfSSL	0:1239e9b70ca2	1256	session->sslServer->arrays->masterSecret, SECRET_LEN);
wolfSSL	0:1239e9b70ca2	1257	session->flags.resuming = 1;
wolfSSL	0:1239e9b70ca2	1258
wolfSSL	0:1239e9b70ca2	1259	Trace(SERVER_DID_RESUMPTION_STR);
wolfSSL	0:1239e9b70ca2	1260	if (SetCipherSpecs(session->sslServer) != 0) {
wolfSSL	0:1239e9b70ca2	1261	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1262	return -1;
wolfSSL	0:1239e9b70ca2	1263	}
wolfSSL	0:1239e9b70ca2	1264
wolfSSL	0:1239e9b70ca2	1265	if (SetCipherSpecs(session->sslClient) != 0) {
wolfSSL	0:1239e9b70ca2	1266	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1267	return -1;
wolfSSL	0:1239e9b70ca2	1268	}
wolfSSL	0:1239e9b70ca2	1269
wolfSSL	0:1239e9b70ca2	1270	if (session->sslServer->options.tls) {
wolfSSL	0:1239e9b70ca2	1271	ret = DeriveTlsKeys(session->sslServer);
wolfSSL	0:1239e9b70ca2	1272	ret += DeriveTlsKeys(session->sslClient);
wolfSSL	0:1239e9b70ca2	1273	}
wolfSSL	0:1239e9b70ca2	1274	else {
wolfSSL	0:1239e9b70ca2	1275	ret = DeriveKeys(session->sslServer);
wolfSSL	0:1239e9b70ca2	1276	ret += DeriveKeys(session->sslClient);
wolfSSL	0:1239e9b70ca2	1277	}
wolfSSL	0:1239e9b70ca2	1278	if (ret != 0) {
wolfSSL	0:1239e9b70ca2	1279	SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1280	return -1;
wolfSSL	0:1239e9b70ca2	1281	}
wolfSSL	0:1239e9b70ca2	1282	}
wolfSSL	0:1239e9b70ca2	1283	#ifdef SHOW_SECRETS
wolfSSL	0:1239e9b70ca2	1284	{
wolfSSL	0:1239e9b70ca2	1285	int i;
wolfSSL	0:1239e9b70ca2	1286	printf("cipher suite = 0x%02x\n",
wolfSSL	0:1239e9b70ca2	1287	session->sslServer->options.cipherSuite);
wolfSSL	0:1239e9b70ca2	1288	printf("server random: ");
wolfSSL	0:1239e9b70ca2	1289	for (i = 0; i < RAN_LEN; i++)
wolfSSL	0:1239e9b70ca2	1290	printf("%02x", session->sslServer->arrays->serverRandom[i]);
wolfSSL	0:1239e9b70ca2	1291	printf("\n");
wolfSSL	0:1239e9b70ca2	1292	}
wolfSSL	0:1239e9b70ca2	1293	#endif
wolfSSL	0:1239e9b70ca2	1294	return 0;
wolfSSL	0:1239e9b70ca2	1295	}
wolfSSL	0:1239e9b70ca2	1296
wolfSSL	0:1239e9b70ca2	1297
wolfSSL	0:1239e9b70ca2	1298	/* Process normal Client Hello */
wolfSSL	0:1239e9b70ca2	1299	static int ProcessClientHello(const byte* input, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1300	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1301	{
wolfSSL	0:1239e9b70ca2	1302	byte bLen;
wolfSSL	0:1239e9b70ca2	1303	word16 len;
wolfSSL	0:1239e9b70ca2	1304	int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
wolfSSL	0:1239e9b70ca2	1305
wolfSSL	0:1239e9b70ca2	1306	session->flags.clientHello = 1; /* don't process again */
wolfSSL	0:1239e9b70ca2	1307
wolfSSL	0:1239e9b70ca2	1308	/* make sure can read up to session len */
wolfSSL	0:1239e9b70ca2	1309	if (toRead > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1310	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1311	return -1;
wolfSSL	0:1239e9b70ca2	1312	}
wolfSSL	0:1239e9b70ca2	1313
wolfSSL	0:1239e9b70ca2	1314	/* skip, get negotiated one from server hello */
wolfSSL	0:1239e9b70ca2	1315	input += VERSION_SZ;
wolfSSL	0:1239e9b70ca2	1316	*sslBytes -= VERSION_SZ;
wolfSSL	0:1239e9b70ca2	1317
wolfSSL	0:1239e9b70ca2	1318	XMEMCPY(session->sslServer->arrays->clientRandom, input, RAN_LEN);
wolfSSL	0:1239e9b70ca2	1319	XMEMCPY(session->sslClient->arrays->clientRandom, input, RAN_LEN);
wolfSSL	0:1239e9b70ca2	1320
wolfSSL	0:1239e9b70ca2	1321	input += RAN_LEN;
wolfSSL	0:1239e9b70ca2	1322	*sslBytes -= RAN_LEN;
wolfSSL	0:1239e9b70ca2	1323
wolfSSL	0:1239e9b70ca2	1324	/* store session in case trying to resume */
wolfSSL	0:1239e9b70ca2	1325	bLen = *input++;
wolfSSL	0:1239e9b70ca2	1326	*sslBytes -= ENUM_LEN;
wolfSSL	0:1239e9b70ca2	1327	if (bLen) {
wolfSSL	0:1239e9b70ca2	1328	if (ID_LEN > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1329	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1330	return -1;
wolfSSL	0:1239e9b70ca2	1331	}
wolfSSL	0:1239e9b70ca2	1332	Trace(CLIENT_RESUME_TRY_STR);
wolfSSL	0:1239e9b70ca2	1333	XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN);
wolfSSL	0:1239e9b70ca2	1334	session->sslClient->options.haveSessionId = 1;
wolfSSL	0:1239e9b70ca2	1335	}
wolfSSL	0:1239e9b70ca2	1336	#ifdef SHOW_SECRETS
wolfSSL	0:1239e9b70ca2	1337	{
wolfSSL	0:1239e9b70ca2	1338	int i;
wolfSSL	0:1239e9b70ca2	1339	printf("client random: ");
wolfSSL	0:1239e9b70ca2	1340	for (i = 0; i < RAN_LEN; i++)
wolfSSL	0:1239e9b70ca2	1341	printf("%02x", session->sslServer->arrays->clientRandom[i]);
wolfSSL	0:1239e9b70ca2	1342	printf("\n");
wolfSSL	0:1239e9b70ca2	1343	}
wolfSSL	0:1239e9b70ca2	1344	#endif
wolfSSL	0:1239e9b70ca2	1345
wolfSSL	0:1239e9b70ca2	1346	input += bLen;
wolfSSL	0:1239e9b70ca2	1347	*sslBytes -= bLen;
wolfSSL	0:1239e9b70ca2	1348
wolfSSL	0:1239e9b70ca2	1349	/* skip cipher suites */
wolfSSL	0:1239e9b70ca2	1350	/* make sure can read len */
wolfSSL	0:1239e9b70ca2	1351	if (SUITE_LEN > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1352	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1353	return -1;
wolfSSL	0:1239e9b70ca2	1354	}
wolfSSL	0:1239e9b70ca2	1355	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	0:1239e9b70ca2	1356	input += SUITE_LEN;
wolfSSL	0:1239e9b70ca2	1357	*sslBytes -= SUITE_LEN;
wolfSSL	0:1239e9b70ca2	1358	/* make sure can read suites + comp len */
wolfSSL	0:1239e9b70ca2	1359	if (len + ENUM_LEN > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1360	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1361	return -1;
wolfSSL	0:1239e9b70ca2	1362	}
wolfSSL	0:1239e9b70ca2	1363	input += len;
wolfSSL	0:1239e9b70ca2	1364	*sslBytes -= len;
wolfSSL	0:1239e9b70ca2	1365
wolfSSL	0:1239e9b70ca2	1366	/* skip compression */
wolfSSL	0:1239e9b70ca2	1367	bLen = *input++;
wolfSSL	0:1239e9b70ca2	1368	*sslBytes -= ENUM_LEN;
wolfSSL	0:1239e9b70ca2	1369	/* make sure can read len */
wolfSSL	0:1239e9b70ca2	1370	if (bLen > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1371	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1372	return -1;
wolfSSL	0:1239e9b70ca2	1373	}
wolfSSL	0:1239e9b70ca2	1374	input += bLen;
wolfSSL	0:1239e9b70ca2	1375	*sslBytes -= bLen;
wolfSSL	0:1239e9b70ca2	1376
wolfSSL	0:1239e9b70ca2	1377	if (*sslBytes == 0) {
wolfSSL	0:1239e9b70ca2	1378	/* no extensions */
wolfSSL	0:1239e9b70ca2	1379	return 0;
wolfSSL	0:1239e9b70ca2	1380	}
wolfSSL	0:1239e9b70ca2	1381
wolfSSL	0:1239e9b70ca2	1382	/* skip extensions until session ticket */
wolfSSL	0:1239e9b70ca2	1383	/* make sure can read len */
wolfSSL	0:1239e9b70ca2	1384	if (SUITE_LEN > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1385	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1386	return -1;
wolfSSL	0:1239e9b70ca2	1387	}
wolfSSL	0:1239e9b70ca2	1388	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	0:1239e9b70ca2	1389	input += SUITE_LEN;
wolfSSL	0:1239e9b70ca2	1390	*sslBytes -= SUITE_LEN;
wolfSSL	0:1239e9b70ca2	1391	/* make sure can read through all extensions */
wolfSSL	0:1239e9b70ca2	1392	if (len > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1393	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1394	return -1;
wolfSSL	0:1239e9b70ca2	1395	}
wolfSSL	0:1239e9b70ca2	1396
wolfSSL	0:1239e9b70ca2	1397	while (len > EXT_TYPE_SZ + LENGTH_SZ) {
wolfSSL	0:1239e9b70ca2	1398	byte extType[EXT_TYPE_SZ];
wolfSSL	0:1239e9b70ca2	1399	word16 extLen;
wolfSSL	0:1239e9b70ca2	1400
wolfSSL	0:1239e9b70ca2	1401	extType[0] = input[0];
wolfSSL	0:1239e9b70ca2	1402	extType[1] = input[1];
wolfSSL	0:1239e9b70ca2	1403	input += EXT_TYPE_SZ;
wolfSSL	0:1239e9b70ca2	1404	*sslBytes -= EXT_TYPE_SZ;
wolfSSL	0:1239e9b70ca2	1405
wolfSSL	0:1239e9b70ca2	1406	extLen = (word16)((input[0] << 8) \| input[1]);
wolfSSL	0:1239e9b70ca2	1407	input += LENGTH_SZ;
wolfSSL	0:1239e9b70ca2	1408	*sslBytes -= LENGTH_SZ;
wolfSSL	0:1239e9b70ca2	1409
wolfSSL	0:1239e9b70ca2	1410	/* make sure can read through individual extension */
wolfSSL	0:1239e9b70ca2	1411	if (extLen > *sslBytes) {
wolfSSL	0:1239e9b70ca2	1412	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1413	return -1;
wolfSSL	0:1239e9b70ca2	1414	}
wolfSSL	0:1239e9b70ca2	1415
wolfSSL	0:1239e9b70ca2	1416	if (extType[0] == 0x00 && extType[1] == TICKET_EXT_ID) {
wolfSSL	0:1239e9b70ca2	1417
wolfSSL	0:1239e9b70ca2	1418	/* make sure can read through ticket if there is a non blank one */
wolfSSL	0:1239e9b70ca2	1419	if (extLen && extLen < ID_LEN) {
wolfSSL	0:1239e9b70ca2	1420	SetError(CLIENT_HELLO_INPUT_STR, error, session,
wolfSSL	0:1239e9b70ca2	1421	FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1422	return -1;
wolfSSL	0:1239e9b70ca2	1423	}
wolfSSL	0:1239e9b70ca2	1424
wolfSSL	0:1239e9b70ca2	1425	if (extLen) {
wolfSSL	0:1239e9b70ca2	1426	if (session->ticketID == 0) {
wolfSSL	0:1239e9b70ca2	1427	session->ticketID = (byte*)malloc(ID_LEN);
wolfSSL	0:1239e9b70ca2	1428	if (session->ticketID == 0) {
wolfSSL	0:1239e9b70ca2	1429	SetError(MEMORY_STR, error, session,
wolfSSL	0:1239e9b70ca2	1430	FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1431	return -1;
wolfSSL	0:1239e9b70ca2	1432	}
wolfSSL	0:1239e9b70ca2	1433	}
wolfSSL	0:1239e9b70ca2	1434	XMEMCPY(session->ticketID, input + extLen - ID_LEN, ID_LEN);
wolfSSL	0:1239e9b70ca2	1435	}
wolfSSL	0:1239e9b70ca2	1436	}
wolfSSL	0:1239e9b70ca2	1437
wolfSSL	0:1239e9b70ca2	1438	input += extLen;
wolfSSL	0:1239e9b70ca2	1439	*sslBytes -= extLen;
wolfSSL	0:1239e9b70ca2	1440	len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
wolfSSL	0:1239e9b70ca2	1441	}
wolfSSL	0:1239e9b70ca2	1442
wolfSSL	0:1239e9b70ca2	1443	return 0;
wolfSSL	0:1239e9b70ca2	1444	}
wolfSSL	0:1239e9b70ca2	1445
wolfSSL	0:1239e9b70ca2	1446
wolfSSL	0:1239e9b70ca2	1447	/* Process Finished */
wolfSSL	0:1239e9b70ca2	1448	static int ProcessFinished(const byte* input, int size, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1449	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1450	{
wolfSSL	0:1239e9b70ca2	1451	SSL* ssl;
wolfSSL	0:1239e9b70ca2	1452	word32 inOutIdx = 0;
wolfSSL	0:1239e9b70ca2	1453	int ret;
wolfSSL	0:1239e9b70ca2	1454
wolfSSL	0:1239e9b70ca2	1455	if (session->flags.side == CYASSL_SERVER_END)
wolfSSL	0:1239e9b70ca2	1456	ssl = session->sslServer;
wolfSSL	0:1239e9b70ca2	1457	else
wolfSSL	0:1239e9b70ca2	1458	ssl = session->sslClient;
wolfSSL	0:1239e9b70ca2	1459
wolfSSL	0:1239e9b70ca2	1460	ret = DoFinished(ssl, input, &inOutIdx, (word32) size, (word32) *sslBytes,
wolfSSL	0:1239e9b70ca2	1461	SNIFF);
wolfSSL	0:1239e9b70ca2	1462	*sslBytes -= (int)inOutIdx;
wolfSSL	0:1239e9b70ca2	1463
wolfSSL	0:1239e9b70ca2	1464	if (ret < 0) {
wolfSSL	0:1239e9b70ca2	1465	SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1466	return ret;
wolfSSL	0:1239e9b70ca2	1467	}
wolfSSL	0:1239e9b70ca2	1468
wolfSSL	0:1239e9b70ca2	1469	if (ret == 0 && session->flags.cached == 0) {
wolfSSL	0:1239e9b70ca2	1470	if (session->sslServer->options.haveSessionId) {
wolfSSL	0:1239e9b70ca2	1471	CYASSL_SESSION* sess = GetSession(session->sslServer, NULL);
wolfSSL	0:1239e9b70ca2	1472	if (sess == NULL)
wolfSSL	0:1239e9b70ca2	1473	AddSession(session->sslServer); /* don't re add */
wolfSSL	0:1239e9b70ca2	1474	session->flags.cached = 1;
wolfSSL	0:1239e9b70ca2	1475	}
wolfSSL	0:1239e9b70ca2	1476	}
wolfSSL	0:1239e9b70ca2	1477
wolfSSL	0:1239e9b70ca2	1478	FreeHandshakeResources(ssl);
wolfSSL	0:1239e9b70ca2	1479
wolfSSL	0:1239e9b70ca2	1480	return ret;
wolfSSL	0:1239e9b70ca2	1481	}
wolfSSL	0:1239e9b70ca2	1482
wolfSSL	0:1239e9b70ca2	1483
wolfSSL	0:1239e9b70ca2	1484	/* Process HandShake input */
wolfSSL	0:1239e9b70ca2	1485	static int DoHandShake(const byte* input, int* sslBytes,
wolfSSL	0:1239e9b70ca2	1486	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1487	{
wolfSSL	0:1239e9b70ca2	1488	byte type;
wolfSSL	0:1239e9b70ca2	1489	int size;
wolfSSL	0:1239e9b70ca2	1490	int ret = 0;
wolfSSL	0:1239e9b70ca2	1491
wolfSSL	0:1239e9b70ca2	1492	if (*sslBytes < HANDSHAKE_HEADER_SZ) {
wolfSSL	0:1239e9b70ca2	1493	SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1494	return -1;
wolfSSL	0:1239e9b70ca2	1495	}
wolfSSL	0:1239e9b70ca2	1496	type = input[0];
wolfSSL	0:1239e9b70ca2	1497	size = (input[1] << 16) \| (input[2] << 8) \| input[3];
wolfSSL	0:1239e9b70ca2	1498
wolfSSL	0:1239e9b70ca2	1499	input += HANDSHAKE_HEADER_SZ;
wolfSSL	0:1239e9b70ca2	1500	*sslBytes -= HANDSHAKE_HEADER_SZ;
wolfSSL	0:1239e9b70ca2	1501
wolfSSL	0:1239e9b70ca2	1502	if (*sslBytes < size) {
wolfSSL	0:1239e9b70ca2	1503	SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1504	return -1;
wolfSSL	0:1239e9b70ca2	1505	}
wolfSSL	0:1239e9b70ca2	1506
wolfSSL	0:1239e9b70ca2	1507	switch (type) {
wolfSSL	0:1239e9b70ca2	1508	case hello_verify_request:
wolfSSL	0:1239e9b70ca2	1509	Trace(GOT_HELLO_VERIFY_STR);
wolfSSL	0:1239e9b70ca2	1510	break;
wolfSSL	0:1239e9b70ca2	1511	case hello_request:
wolfSSL	0:1239e9b70ca2	1512	Trace(GOT_HELLO_REQUEST_STR);
wolfSSL	0:1239e9b70ca2	1513	break;
wolfSSL	0:1239e9b70ca2	1514	case session_ticket:
wolfSSL	0:1239e9b70ca2	1515	Trace(GOT_SESSION_TICKET_STR);
wolfSSL	0:1239e9b70ca2	1516	ret = ProcessSessionTicket(input, sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	1517	break;
wolfSSL	0:1239e9b70ca2	1518	case server_hello:
wolfSSL	0:1239e9b70ca2	1519	Trace(GOT_SERVER_HELLO_STR);
wolfSSL	0:1239e9b70ca2	1520	ret = ProcessServerHello(input, sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	1521	break;
wolfSSL	0:1239e9b70ca2	1522	case certificate_request:
wolfSSL	0:1239e9b70ca2	1523	Trace(GOT_CERT_REQ_STR);
wolfSSL	0:1239e9b70ca2	1524	break;
wolfSSL	0:1239e9b70ca2	1525	case server_key_exchange:
wolfSSL	0:1239e9b70ca2	1526	Trace(GOT_SERVER_KEY_EX_STR);
wolfSSL	0:1239e9b70ca2	1527	/* can't know temp key passively */
wolfSSL	0:1239e9b70ca2	1528	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1529	ret = -1;
wolfSSL	0:1239e9b70ca2	1530	break;
wolfSSL	0:1239e9b70ca2	1531	case certificate:
wolfSSL	0:1239e9b70ca2	1532	Trace(GOT_CERT_STR);
wolfSSL	0:1239e9b70ca2	1533	break;
wolfSSL	0:1239e9b70ca2	1534	case server_hello_done:
wolfSSL	0:1239e9b70ca2	1535	Trace(GOT_SERVER_HELLO_DONE_STR);
wolfSSL	0:1239e9b70ca2	1536	break;
wolfSSL	0:1239e9b70ca2	1537	case finished:
wolfSSL	0:1239e9b70ca2	1538	Trace(GOT_FINISHED_STR);
wolfSSL	0:1239e9b70ca2	1539	ret = ProcessFinished(input, size, sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	1540	break;
wolfSSL	0:1239e9b70ca2	1541	case client_hello:
wolfSSL	0:1239e9b70ca2	1542	Trace(GOT_CLIENT_HELLO_STR);
wolfSSL	0:1239e9b70ca2	1543	ret = ProcessClientHello(input, sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	1544	break;
wolfSSL	0:1239e9b70ca2	1545	case client_key_exchange:
wolfSSL	0:1239e9b70ca2	1546	Trace(GOT_CLIENT_KEY_EX_STR);
wolfSSL	0:1239e9b70ca2	1547	ret = ProcessClientKeyExchange(input, sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	1548	break;
wolfSSL	0:1239e9b70ca2	1549	case certificate_verify:
wolfSSL	0:1239e9b70ca2	1550	Trace(GOT_CERT_VER_STR);
wolfSSL	0:1239e9b70ca2	1551	break;
wolfSSL	0:1239e9b70ca2	1552	default:
wolfSSL	0:1239e9b70ca2	1553	SetError(GOT_UNKNOWN_HANDSHAKE_STR, error, session, 0);
wolfSSL	0:1239e9b70ca2	1554	return -1;
wolfSSL	0:1239e9b70ca2	1555	}
wolfSSL	0:1239e9b70ca2	1556
wolfSSL	0:1239e9b70ca2	1557	return ret;
wolfSSL	0:1239e9b70ca2	1558	}
wolfSSL	0:1239e9b70ca2	1559
wolfSSL	0:1239e9b70ca2	1560
wolfSSL	0:1239e9b70ca2	1561	/* Decrypt input into plain output, 0 on success */
wolfSSL	0:1239e9b70ca2	1562	static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
wolfSSL	0:1239e9b70ca2	1563	{
wolfSSL	0:1239e9b70ca2	1564	int ret = 0;
wolfSSL	0:1239e9b70ca2	1565
wolfSSL	0:1239e9b70ca2	1566	switch (ssl->specs.bulk_cipher_algorithm) {
wolfSSL	0:1239e9b70ca2	1567	#ifdef BUILD_ARC4
wolfSSL	0:1239e9b70ca2	1568	case cyassl_rc4:
wolfSSL	0:1239e9b70ca2	1569	Arc4Process(ssl->decrypt.arc4, output, input, sz);
wolfSSL	0:1239e9b70ca2	1570	break;
wolfSSL	0:1239e9b70ca2	1571	#endif
wolfSSL	0:1239e9b70ca2	1572
wolfSSL	0:1239e9b70ca2	1573	#ifdef BUILD_DES3
wolfSSL	0:1239e9b70ca2	1574	case cyassl_triple_des:
wolfSSL	0:1239e9b70ca2	1575	ret = Des3_CbcDecrypt(ssl->decrypt.des3, output, input, sz);
wolfSSL	0:1239e9b70ca2	1576	break;
wolfSSL	0:1239e9b70ca2	1577	#endif
wolfSSL	0:1239e9b70ca2	1578
wolfSSL	0:1239e9b70ca2	1579	#ifdef BUILD_AES
wolfSSL	0:1239e9b70ca2	1580	case cyassl_aes:
wolfSSL	0:1239e9b70ca2	1581	ret = AesCbcDecrypt(ssl->decrypt.aes, output, input, sz);
wolfSSL	0:1239e9b70ca2	1582	break;
wolfSSL	0:1239e9b70ca2	1583	#endif
wolfSSL	0:1239e9b70ca2	1584
wolfSSL	0:1239e9b70ca2	1585	#ifdef HAVE_HC128
wolfSSL	0:1239e9b70ca2	1586	case cyassl_hc128:
wolfSSL	0:1239e9b70ca2	1587	Hc128_Process(ssl->decrypt.hc128, output, input, sz);
wolfSSL	0:1239e9b70ca2	1588	break;
wolfSSL	0:1239e9b70ca2	1589	#endif
wolfSSL	0:1239e9b70ca2	1590
wolfSSL	0:1239e9b70ca2	1591	#ifdef BUILD_RABBIT
wolfSSL	0:1239e9b70ca2	1592	case cyassl_rabbit:
wolfSSL	0:1239e9b70ca2	1593	RabbitProcess(ssl->decrypt.rabbit, output, input, sz);
wolfSSL	0:1239e9b70ca2	1594	break;
wolfSSL	0:1239e9b70ca2	1595	#endif
wolfSSL	0:1239e9b70ca2	1596
wolfSSL	0:1239e9b70ca2	1597	#ifdef HAVE_CAMELLIA
wolfSSL	0:1239e9b70ca2	1598	case cyassl_camellia:
wolfSSL	0:1239e9b70ca2	1599	CamelliaCbcDecrypt(ssl->decrypt.cam, output, input, sz);
wolfSSL	0:1239e9b70ca2	1600	break;
wolfSSL	0:1239e9b70ca2	1601	#endif
wolfSSL	0:1239e9b70ca2	1602
wolfSSL	0:1239e9b70ca2	1603	default:
wolfSSL	0:1239e9b70ca2	1604	Trace(BAD_DECRYPT_TYPE);
wolfSSL	0:1239e9b70ca2	1605	ret = -1;
wolfSSL	0:1239e9b70ca2	1606	break;
wolfSSL	0:1239e9b70ca2	1607	}
wolfSSL	0:1239e9b70ca2	1608
wolfSSL	0:1239e9b70ca2	1609	return ret;
wolfSSL	0:1239e9b70ca2	1610	}
wolfSSL	0:1239e9b70ca2	1611
wolfSSL	0:1239e9b70ca2	1612
wolfSSL	0:1239e9b70ca2	1613	/* Decrypt input message into output, adjust output steam if needed */
wolfSSL	0:1239e9b70ca2	1614	static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
wolfSSL	0:1239e9b70ca2	1615	byte* output, int* error)
wolfSSL	0:1239e9b70ca2	1616	{
wolfSSL	0:1239e9b70ca2	1617	int ivExtra = 0;
wolfSSL	0:1239e9b70ca2	1618
wolfSSL	0:1239e9b70ca2	1619	int ret = Decrypt(ssl, output, input, sz);
wolfSSL	0:1239e9b70ca2	1620	if (ret != 0) {
wolfSSL	0:1239e9b70ca2	1621	*error = ret;
wolfSSL	0:1239e9b70ca2	1622	return NULL;
wolfSSL	0:1239e9b70ca2	1623	}
wolfSSL	0:1239e9b70ca2	1624	ssl->keys.encryptSz = sz;
wolfSSL	0:1239e9b70ca2	1625	if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) {
wolfSSL	0:1239e9b70ca2	1626	output += ssl->specs.block_size; /* go past TLSv1.1 IV */
wolfSSL	0:1239e9b70ca2	1627	ivExtra = ssl->specs.block_size;
wolfSSL	0:1239e9b70ca2	1628	}
wolfSSL	0:1239e9b70ca2	1629
wolfSSL	0:1239e9b70ca2	1630	ssl->keys.padSz = ssl->specs.hash_size;
wolfSSL	0:1239e9b70ca2	1631
wolfSSL	0:1239e9b70ca2	1632	if (ssl->specs.cipher_type == block)
wolfSSL	0:1239e9b70ca2	1633	ssl->keys.padSz += *(output + sz - ivExtra - 1) + 1;
wolfSSL	0:1239e9b70ca2	1634
wolfSSL	0:1239e9b70ca2	1635	return output;
wolfSSL	0:1239e9b70ca2	1636	}
wolfSSL	0:1239e9b70ca2	1637
wolfSSL	0:1239e9b70ca2	1638
wolfSSL	0:1239e9b70ca2	1639	/* remove session from table, use rowHint if no info (means we have a lock) */
wolfSSL	0:1239e9b70ca2	1640	static void RemoveSession(SnifferSession* session, IpInfo* ipInfo,
wolfSSL	0:1239e9b70ca2	1641	TcpInfo* tcpInfo, word32 rowHint)
wolfSSL	0:1239e9b70ca2	1642	{
wolfSSL	0:1239e9b70ca2	1643	SnifferSession* previous = 0;
wolfSSL	0:1239e9b70ca2	1644	SnifferSession* current;
wolfSSL	0:1239e9b70ca2	1645	word32 row = rowHint;
wolfSSL	0:1239e9b70ca2	1646	int haveLock = 0;
wolfSSL	0:1239e9b70ca2	1647
wolfSSL	0:1239e9b70ca2	1648	if (ipInfo && tcpInfo)
wolfSSL	0:1239e9b70ca2	1649	row = SessionHash(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	1650	else
wolfSSL	0:1239e9b70ca2	1651	haveLock = 1;
wolfSSL	0:1239e9b70ca2	1652
wolfSSL	0:1239e9b70ca2	1653	assert(row <= HASH_SIZE);
wolfSSL	0:1239e9b70ca2	1654	Trace(REMOVE_SESSION_STR);
wolfSSL	0:1239e9b70ca2	1655
wolfSSL	0:1239e9b70ca2	1656	if (!haveLock)
wolfSSL	0:1239e9b70ca2	1657	LockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	1658
wolfSSL	0:1239e9b70ca2	1659	current = SessionTable[row];
wolfSSL	0:1239e9b70ca2	1660
wolfSSL	0:1239e9b70ca2	1661	while (current) {
wolfSSL	0:1239e9b70ca2	1662	if (current == session) {
wolfSSL	0:1239e9b70ca2	1663	if (previous)
wolfSSL	0:1239e9b70ca2	1664	previous->next = current->next;
wolfSSL	0:1239e9b70ca2	1665	else
wolfSSL	0:1239e9b70ca2	1666	SessionTable[row] = current->next;
wolfSSL	0:1239e9b70ca2	1667	FreeSnifferSession(session);
wolfSSL	0:1239e9b70ca2	1668	TraceRemovedSession();
wolfSSL	0:1239e9b70ca2	1669	break;
wolfSSL	0:1239e9b70ca2	1670	}
wolfSSL	0:1239e9b70ca2	1671	previous = current;
wolfSSL	0:1239e9b70ca2	1672	current = current->next;
wolfSSL	0:1239e9b70ca2	1673	}
wolfSSL	0:1239e9b70ca2	1674
wolfSSL	0:1239e9b70ca2	1675	if (!haveLock)
wolfSSL	0:1239e9b70ca2	1676	UnLockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	1677	}
wolfSSL	0:1239e9b70ca2	1678
wolfSSL	0:1239e9b70ca2	1679
wolfSSL	0:1239e9b70ca2	1680	/* Remove stale sessions from the Session Table, have a lock */
wolfSSL	0:1239e9b70ca2	1681	static void RemoveStaleSessions(void)
wolfSSL	0:1239e9b70ca2	1682	{
wolfSSL	0:1239e9b70ca2	1683	word32 i;
wolfSSL	0:1239e9b70ca2	1684	SnifferSession* session;
wolfSSL	0:1239e9b70ca2	1685
wolfSSL	0:1239e9b70ca2	1686	for (i = 0; i < HASH_SIZE; i++) {
wolfSSL	0:1239e9b70ca2	1687	session = SessionTable[i];
wolfSSL	0:1239e9b70ca2	1688	while (session) {
wolfSSL	0:1239e9b70ca2	1689	SnifferSession* next = session->next;
wolfSSL	0:1239e9b70ca2	1690	if (time(NULL) >= session->lastUsed + SNIFFER_TIMEOUT) {
wolfSSL	0:1239e9b70ca2	1691	TraceStaleSession();
wolfSSL	0:1239e9b70ca2	1692	RemoveSession(session, NULL, NULL, i);
wolfSSL	0:1239e9b70ca2	1693	}
wolfSSL	0:1239e9b70ca2	1694	session = next;
wolfSSL	0:1239e9b70ca2	1695	}
wolfSSL	0:1239e9b70ca2	1696	}
wolfSSL	0:1239e9b70ca2	1697	}
wolfSSL	0:1239e9b70ca2	1698
wolfSSL	0:1239e9b70ca2	1699
wolfSSL	0:1239e9b70ca2	1700	/* Create a new Sniffer Session */
wolfSSL	0:1239e9b70ca2	1701	static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	0:1239e9b70ca2	1702	char* error)
wolfSSL	0:1239e9b70ca2	1703	{
wolfSSL	0:1239e9b70ca2	1704	SnifferSession* session = 0;
wolfSSL	0:1239e9b70ca2	1705	int row;
wolfSSL	0:1239e9b70ca2	1706
wolfSSL	0:1239e9b70ca2	1707	Trace(NEW_SESSION_STR);
wolfSSL	0:1239e9b70ca2	1708	/* create a new one */
wolfSSL	0:1239e9b70ca2	1709	session = (SnifferSession*)malloc(sizeof(SnifferSession));
wolfSSL	0:1239e9b70ca2	1710	if (session == NULL) {
wolfSSL	0:1239e9b70ca2	1711	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1712	return 0;
wolfSSL	0:1239e9b70ca2	1713	}
wolfSSL	0:1239e9b70ca2	1714	InitSession(session);
wolfSSL	0:1239e9b70ca2	1715	session->server = ipInfo->dst;
wolfSSL	0:1239e9b70ca2	1716	session->client = ipInfo->src;
wolfSSL	0:1239e9b70ca2	1717	session->srvPort = (word16)tcpInfo->dstPort;
wolfSSL	0:1239e9b70ca2	1718	session->cliPort = (word16)tcpInfo->srcPort;
wolfSSL	0:1239e9b70ca2	1719	session->cliSeqStart = tcpInfo->sequence;
wolfSSL	0:1239e9b70ca2	1720	session->cliExpected = 1; /* relative */
wolfSSL	0:1239e9b70ca2	1721	session->lastUsed= time(NULL);
wolfSSL	0:1239e9b70ca2	1722
wolfSSL	0:1239e9b70ca2	1723	session->context = GetSnifferServer(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	1724	if (session->context == NULL) {
wolfSSL	0:1239e9b70ca2	1725	SetError(SERVER_NOT_REG_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1726	free(session);
wolfSSL	0:1239e9b70ca2	1727	return 0;
wolfSSL	0:1239e9b70ca2	1728	}
wolfSSL	0:1239e9b70ca2	1729
wolfSSL	0:1239e9b70ca2	1730	session->sslServer = SSL_new(session->context->ctx);
wolfSSL	0:1239e9b70ca2	1731	if (session->sslServer == NULL) {
wolfSSL	0:1239e9b70ca2	1732	SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1733	free(session);
wolfSSL	0:1239e9b70ca2	1734	return 0;
wolfSSL	0:1239e9b70ca2	1735	}
wolfSSL	0:1239e9b70ca2	1736	session->sslClient = SSL_new(session->context->ctx);
wolfSSL	0:1239e9b70ca2	1737	if (session->sslClient == NULL) {
wolfSSL	0:1239e9b70ca2	1738	SSL_free(session->sslServer);
wolfSSL	0:1239e9b70ca2	1739	session->sslServer = 0;
wolfSSL	0:1239e9b70ca2	1740
wolfSSL	0:1239e9b70ca2	1741	SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1742	free(session);
wolfSSL	0:1239e9b70ca2	1743	return 0;
wolfSSL	0:1239e9b70ca2	1744	}
wolfSSL	0:1239e9b70ca2	1745	/* put server back into server mode */
wolfSSL	0:1239e9b70ca2	1746	session->sslServer->options.side = CYASSL_SERVER_END;
wolfSSL	0:1239e9b70ca2	1747
wolfSSL	0:1239e9b70ca2	1748	row = SessionHash(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	1749
wolfSSL	0:1239e9b70ca2	1750	/* add it to the session table */
wolfSSL	0:1239e9b70ca2	1751	LockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	1752
wolfSSL	0:1239e9b70ca2	1753	session->next = SessionTable[row];
wolfSSL	0:1239e9b70ca2	1754	SessionTable[row] = session;
wolfSSL	0:1239e9b70ca2	1755
wolfSSL	0:1239e9b70ca2	1756	SessionCount++;
wolfSSL	0:1239e9b70ca2	1757
wolfSSL	0:1239e9b70ca2	1758	if ( (SessionCount % HASH_SIZE) == 0) {
wolfSSL	0:1239e9b70ca2	1759	TraceFindingStale();
wolfSSL	0:1239e9b70ca2	1760	RemoveStaleSessions();
wolfSSL	0:1239e9b70ca2	1761	}
wolfSSL	0:1239e9b70ca2	1762
wolfSSL	0:1239e9b70ca2	1763	UnLockMutex(&SessionMutex);
wolfSSL	0:1239e9b70ca2	1764
wolfSSL	0:1239e9b70ca2	1765	/* determine headed side */
wolfSSL	0:1239e9b70ca2	1766	if (ipInfo->dst == session->context->server &&
wolfSSL	0:1239e9b70ca2	1767	tcpInfo->dstPort == session->context->port)
wolfSSL	0:1239e9b70ca2	1768	session->flags.side = CYASSL_SERVER_END;
wolfSSL	0:1239e9b70ca2	1769	else
wolfSSL	0:1239e9b70ca2	1770	session->flags.side = CYASSL_CLIENT_END;
wolfSSL	0:1239e9b70ca2	1771
wolfSSL	0:1239e9b70ca2	1772	return session;
wolfSSL	0:1239e9b70ca2	1773	}
wolfSSL	0:1239e9b70ca2	1774
wolfSSL	0:1239e9b70ca2	1775
wolfSSL	0:1239e9b70ca2	1776	/* Process Old Client Hello Input */
wolfSSL	0:1239e9b70ca2	1777	static int DoOldHello(SnifferSession* session, const byte* sslFrame,
wolfSSL	0:1239e9b70ca2	1778	int* rhSize, int* sslBytes, char* error)
wolfSSL	0:1239e9b70ca2	1779	{
wolfSSL	0:1239e9b70ca2	1780	const byte* input = sslFrame;
wolfSSL	0:1239e9b70ca2	1781	byte b0, b1;
wolfSSL	0:1239e9b70ca2	1782	word32 idx = 0;
wolfSSL	0:1239e9b70ca2	1783	int ret;
wolfSSL	0:1239e9b70ca2	1784
wolfSSL	0:1239e9b70ca2	1785	Trace(GOT_OLD_CLIENT_HELLO_STR);
wolfSSL	0:1239e9b70ca2	1786	session->flags.clientHello = 1; /* don't process again */
wolfSSL	0:1239e9b70ca2	1787	b0 = *input++;
wolfSSL	0:1239e9b70ca2	1788	b1 = *input++;
wolfSSL	0:1239e9b70ca2	1789	*sslBytes -= 2;
wolfSSL	0:1239e9b70ca2	1790	*rhSize = ((b0 & 0x7f) << 8) \| b1;
wolfSSL	0:1239e9b70ca2	1791
wolfSSL	0:1239e9b70ca2	1792	if (rhSize > sslBytes) {
wolfSSL	0:1239e9b70ca2	1793	SetError(OLD_CLIENT_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1794	return -1;
wolfSSL	0:1239e9b70ca2	1795	}
wolfSSL	0:1239e9b70ca2	1796
wolfSSL	0:1239e9b70ca2	1797	ret = ProcessOldClientHello(session->sslServer, input, &idx, *sslBytes,
wolfSSL	0:1239e9b70ca2	1798	(word16)*rhSize);
wolfSSL	0:1239e9b70ca2	1799	if (ret < 0 && ret != MATCH_SUITE_ERROR) {
wolfSSL	0:1239e9b70ca2	1800	SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1801	return -1;
wolfSSL	0:1239e9b70ca2	1802	}
wolfSSL	0:1239e9b70ca2	1803
wolfSSL	0:1239e9b70ca2	1804	Trace(OLD_CLIENT_OK_STR);
wolfSSL	0:1239e9b70ca2	1805	XMEMCPY(session->sslClient->arrays->clientRandom,
wolfSSL	0:1239e9b70ca2	1806	session->sslServer->arrays->clientRandom, RAN_LEN);
wolfSSL	0:1239e9b70ca2	1807
wolfSSL	0:1239e9b70ca2	1808	sslBytes -= rhSize;
wolfSSL	0:1239e9b70ca2	1809	return 0;
wolfSSL	0:1239e9b70ca2	1810	}
wolfSSL	0:1239e9b70ca2	1811
wolfSSL	0:1239e9b70ca2	1812
wolfSSL	0:1239e9b70ca2	1813	#if 0
wolfSSL	0:1239e9b70ca2	1814	/* Calculate the TCP checksum, see RFC 1071 */
wolfSSL	0:1239e9b70ca2	1815	/* return 0 for success, -1 on error */
wolfSSL	0:1239e9b70ca2	1816	/* can be called from decode() with
wolfSSL	0:1239e9b70ca2	1817	TcpChecksum(&ipInfo, &tcpInfo, sslBytes, packet + ipInfo.length);
wolfSSL	0:1239e9b70ca2	1818	could also add a 64bit version if type available and using this
wolfSSL	0:1239e9b70ca2	1819	*/
wolfSSL	0:1239e9b70ca2	1820	int TcpChecksum(IpInfo* ipInfo, TcpInfo* tcpInfo, int dataLen,
wolfSSL	0:1239e9b70ca2	1821	const byte* packet)
wolfSSL	0:1239e9b70ca2	1822	{
wolfSSL	0:1239e9b70ca2	1823	TcpPseudoHdr pseudo;
wolfSSL	0:1239e9b70ca2	1824	int count = PSEUDO_HDR_SZ;
wolfSSL	0:1239e9b70ca2	1825	const word16* data = (word16*)&pseudo;
wolfSSL	0:1239e9b70ca2	1826	word32 sum = 0;
wolfSSL	0:1239e9b70ca2	1827	word16 checksum;
wolfSSL	0:1239e9b70ca2	1828
wolfSSL	0:1239e9b70ca2	1829	pseudo.src = ipInfo->src;
wolfSSL	0:1239e9b70ca2	1830	pseudo.dst = ipInfo->dst;
wolfSSL	0:1239e9b70ca2	1831	pseudo.rsv = 0;
wolfSSL	0:1239e9b70ca2	1832	pseudo.protocol = TCP_PROTO;
wolfSSL	0:1239e9b70ca2	1833	pseudo.legnth = htons(tcpInfo->length + dataLen);
wolfSSL	0:1239e9b70ca2	1834
wolfSSL	0:1239e9b70ca2	1835	/* pseudo header sum */
wolfSSL	0:1239e9b70ca2	1836	while (count >= 2) {
wolfSSL	0:1239e9b70ca2	1837	sum += *data++;
wolfSSL	0:1239e9b70ca2	1838	count -= 2;
wolfSSL	0:1239e9b70ca2	1839	}
wolfSSL	0:1239e9b70ca2	1840
wolfSSL	0:1239e9b70ca2	1841	count = tcpInfo->length + dataLen;
wolfSSL	0:1239e9b70ca2	1842	data = (word16*)packet;
wolfSSL	0:1239e9b70ca2	1843
wolfSSL	0:1239e9b70ca2	1844	/* main sum */
wolfSSL	0:1239e9b70ca2	1845	while (count > 1) {
wolfSSL	0:1239e9b70ca2	1846	sum += *data++;
wolfSSL	0:1239e9b70ca2	1847	count -=2;
wolfSSL	0:1239e9b70ca2	1848	}
wolfSSL	0:1239e9b70ca2	1849
wolfSSL	0:1239e9b70ca2	1850	/* get left-over, if any */
wolfSSL	0:1239e9b70ca2	1851	packet = (byte*)data;
wolfSSL	0:1239e9b70ca2	1852	if (count > 0) {
wolfSSL	0:1239e9b70ca2	1853	sum += *packet;
wolfSSL	0:1239e9b70ca2	1854	}
wolfSSL	0:1239e9b70ca2	1855
wolfSSL	0:1239e9b70ca2	1856	/* fold 32bit sum into 16 bits */
wolfSSL	0:1239e9b70ca2	1857	while (sum >> 16)
wolfSSL	0:1239e9b70ca2	1858	sum = (sum & 0xffff) + (sum >> 16);
wolfSSL	0:1239e9b70ca2	1859
wolfSSL	0:1239e9b70ca2	1860	checksum = (word16)~sum;
wolfSSL	0:1239e9b70ca2	1861	/* checksum should now equal 0, since included already calcd checksum */
wolfSSL	0:1239e9b70ca2	1862	/* field, but tcp checksum offloading could negate calculation */
wolfSSL	0:1239e9b70ca2	1863	if (checksum == 0)
wolfSSL	0:1239e9b70ca2	1864	return 0;
wolfSSL	0:1239e9b70ca2	1865	return -1;
wolfSSL	0:1239e9b70ca2	1866	}
wolfSSL	0:1239e9b70ca2	1867	#endif
wolfSSL	0:1239e9b70ca2	1868
wolfSSL	0:1239e9b70ca2	1869
wolfSSL	0:1239e9b70ca2	1870	/* Check IP and TCP headers, set payload */
wolfSSL	0:1239e9b70ca2	1871	/* returns 0 on success, -1 on error */
wolfSSL	0:1239e9b70ca2	1872	static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
wolfSSL	0:1239e9b70ca2	1873	int length, const byte** sslFrame, int* sslBytes, char* error)
wolfSSL	0:1239e9b70ca2	1874	{
wolfSSL	0:1239e9b70ca2	1875	TraceHeader();
wolfSSL	0:1239e9b70ca2	1876	TracePacket();
wolfSSL	0:1239e9b70ca2	1877
wolfSSL	0:1239e9b70ca2	1878	/* ip header */
wolfSSL	0:1239e9b70ca2	1879	if (length < IP_HDR_SZ) {
wolfSSL	0:1239e9b70ca2	1880	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1881	return -1;
wolfSSL	0:1239e9b70ca2	1882	}
wolfSSL	0:1239e9b70ca2	1883	if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0)
wolfSSL	0:1239e9b70ca2	1884	return -1;
wolfSSL	0:1239e9b70ca2	1885
wolfSSL	0:1239e9b70ca2	1886	/* tcp header */
wolfSSL	0:1239e9b70ca2	1887	if (length < (ipInfo->length + TCP_HDR_SZ)) {
wolfSSL	0:1239e9b70ca2	1888	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1889	return -1;
wolfSSL	0:1239e9b70ca2	1890	}
wolfSSL	0:1239e9b70ca2	1891	if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0)
wolfSSL	0:1239e9b70ca2	1892	return -1;
wolfSSL	0:1239e9b70ca2	1893
wolfSSL	0:1239e9b70ca2	1894	/* setup */
wolfSSL	0:1239e9b70ca2	1895	*sslFrame = packet + ipInfo->length + tcpInfo->length;
wolfSSL	0:1239e9b70ca2	1896	if (*sslFrame > packet + length) {
wolfSSL	0:1239e9b70ca2	1897	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1898	return -1;
wolfSSL	0:1239e9b70ca2	1899	}
wolfSSL	0:1239e9b70ca2	1900	sslBytes = (int)(packet + length - sslFrame);
wolfSSL	0:1239e9b70ca2	1901
wolfSSL	0:1239e9b70ca2	1902	return 0;
wolfSSL	0:1239e9b70ca2	1903	}
wolfSSL	0:1239e9b70ca2	1904
wolfSSL	0:1239e9b70ca2	1905
wolfSSL	0:1239e9b70ca2	1906	/* Create or Find existing session */
wolfSSL	0:1239e9b70ca2	1907	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	0:1239e9b70ca2	1908	static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
wolfSSL	0:1239e9b70ca2	1909	SnifferSession** session, char* error)
wolfSSL	0:1239e9b70ca2	1910	{
wolfSSL	0:1239e9b70ca2	1911	/* create a new SnifferSession on client SYN */
wolfSSL	0:1239e9b70ca2	1912	if (tcpInfo->syn && !tcpInfo->ack) {
wolfSSL	0:1239e9b70ca2	1913	TraceClientSyn(tcpInfo->sequence);
wolfSSL	0:1239e9b70ca2	1914	*session = CreateSession(ipInfo, tcpInfo, error);
wolfSSL	0:1239e9b70ca2	1915	if (*session == NULL) {
wolfSSL	0:1239e9b70ca2	1916	*session = GetSnifferSession(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	1917	/* already had exisiting, so OK */
wolfSSL	0:1239e9b70ca2	1918	if (*session)
wolfSSL	0:1239e9b70ca2	1919	return 1;
wolfSSL	0:1239e9b70ca2	1920
wolfSSL	0:1239e9b70ca2	1921	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1922	return -1;
wolfSSL	0:1239e9b70ca2	1923	}
wolfSSL	0:1239e9b70ca2	1924	return 1;
wolfSSL	0:1239e9b70ca2	1925	}
wolfSSL	0:1239e9b70ca2	1926	/* get existing sniffer session */
wolfSSL	0:1239e9b70ca2	1927	else {
wolfSSL	0:1239e9b70ca2	1928	*session = GetSnifferSession(ipInfo, tcpInfo);
wolfSSL	0:1239e9b70ca2	1929	if (*session == NULL) {
wolfSSL	0:1239e9b70ca2	1930	/* don't worry about extraneous RST or duplicate FINs */
wolfSSL	0:1239e9b70ca2	1931	if (tcpInfo->fin \|\| tcpInfo->rst)
wolfSSL	0:1239e9b70ca2	1932	return 1;
wolfSSL	0:1239e9b70ca2	1933	/* don't worry about duplicate ACKs either */
wolfSSL	0:1239e9b70ca2	1934	if (sslBytes == 0 && tcpInfo->ack)
wolfSSL	0:1239e9b70ca2	1935	return 1;
wolfSSL	0:1239e9b70ca2	1936
wolfSSL	0:1239e9b70ca2	1937	SetError(BAD_SESSION_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	1938	return -1;
wolfSSL	0:1239e9b70ca2	1939	}
wolfSSL	0:1239e9b70ca2	1940	}
wolfSSL	0:1239e9b70ca2	1941	return 0;
wolfSSL	0:1239e9b70ca2	1942	}
wolfSSL	0:1239e9b70ca2	1943
wolfSSL	0:1239e9b70ca2	1944
wolfSSL	0:1239e9b70ca2	1945	/* Create a Packet Buffer from begin - end, adjust new begin and bytesLeft */
wolfSSL	0:1239e9b70ca2	1946	static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
wolfSSL	0:1239e9b70ca2	1947	int* bytesLeft)
wolfSSL	0:1239e9b70ca2	1948	{
wolfSSL	0:1239e9b70ca2	1949	PacketBuffer* pb;
wolfSSL	0:1239e9b70ca2	1950
wolfSSL	0:1239e9b70ca2	1951	int added = end - *begin + 1;
wolfSSL	0:1239e9b70ca2	1952	assert(*begin <= end);
wolfSSL	0:1239e9b70ca2	1953
wolfSSL	0:1239e9b70ca2	1954	pb = (PacketBuffer*)malloc(sizeof(PacketBuffer));
wolfSSL	0:1239e9b70ca2	1955	if (pb == NULL) return NULL;
wolfSSL	0:1239e9b70ca2	1956
wolfSSL	0:1239e9b70ca2	1957	pb->next = 0;
wolfSSL	0:1239e9b70ca2	1958	pb->begin = *begin;
wolfSSL	0:1239e9b70ca2	1959	pb->end = end;
wolfSSL	0:1239e9b70ca2	1960	pb->data = (byte*)malloc(added);
wolfSSL	0:1239e9b70ca2	1961
wolfSSL	0:1239e9b70ca2	1962	if (pb->data == NULL) {
wolfSSL	0:1239e9b70ca2	1963	free(pb);
wolfSSL	0:1239e9b70ca2	1964	return NULL;
wolfSSL	0:1239e9b70ca2	1965	}
wolfSSL	0:1239e9b70ca2	1966	XMEMCPY(pb->data, data, added);
wolfSSL	0:1239e9b70ca2	1967
wolfSSL	0:1239e9b70ca2	1968	*bytesLeft -= added;
wolfSSL	0:1239e9b70ca2	1969	*begin = pb->end + 1;
wolfSSL	0:1239e9b70ca2	1970
wolfSSL	0:1239e9b70ca2	1971	return pb;
wolfSSL	0:1239e9b70ca2	1972	}
wolfSSL	0:1239e9b70ca2	1973
wolfSSL	0:1239e9b70ca2	1974
wolfSSL	0:1239e9b70ca2	1975	/* Add sslFrame to Reassembly List */
wolfSSL	0:1239e9b70ca2	1976	/* returns 1 (end) on success, -1, on error */
wolfSSL	0:1239e9b70ca2	1977	static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
wolfSSL	0:1239e9b70ca2	1978	int sslBytes, SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	1979	{
wolfSSL	0:1239e9b70ca2	1980	PacketBuffer* add;
wolfSSL	0:1239e9b70ca2	1981	PacketBuffer** front = (from == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	1982	&session->cliReassemblyList: &session->srvReassemblyList;
wolfSSL	0:1239e9b70ca2	1983	PacketBuffer* curr = *front;
wolfSSL	0:1239e9b70ca2	1984	PacketBuffer* prev = curr;
wolfSSL	0:1239e9b70ca2	1985
wolfSSL	0:1239e9b70ca2	1986	word32 startSeq = seq;
wolfSSL	0:1239e9b70ca2	1987	word32 added;
wolfSSL	0:1239e9b70ca2	1988	int bytesLeft = sslBytes; /* could be overlapping fragment */
wolfSSL	0:1239e9b70ca2	1989
wolfSSL	0:1239e9b70ca2	1990	/* if list is empty add full frame to front */
wolfSSL	0:1239e9b70ca2	1991	if (!curr) {
wolfSSL	0:1239e9b70ca2	1992	add = CreateBuffer(&seq, seq + sslBytes - 1, sslFrame, &bytesLeft);
wolfSSL	0:1239e9b70ca2	1993	if (add == NULL) {
wolfSSL	0:1239e9b70ca2	1994	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	1995	return -1;
wolfSSL	0:1239e9b70ca2	1996	}
wolfSSL	0:1239e9b70ca2	1997	*front = add;
wolfSSL	0:1239e9b70ca2	1998	return 1;
wolfSSL	0:1239e9b70ca2	1999	}
wolfSSL	0:1239e9b70ca2	2000
wolfSSL	0:1239e9b70ca2	2001	/* add to front if before current front, up to next->begin */
wolfSSL	0:1239e9b70ca2	2002	if (seq < curr->begin) {
wolfSSL	0:1239e9b70ca2	2003	word32 end = seq + sslBytes - 1;
wolfSSL	0:1239e9b70ca2	2004
wolfSSL	0:1239e9b70ca2	2005	if (end >= curr->begin)
wolfSSL	0:1239e9b70ca2	2006	end = curr->begin - 1;
wolfSSL	0:1239e9b70ca2	2007
wolfSSL	0:1239e9b70ca2	2008	add = CreateBuffer(&seq, end, sslFrame, &bytesLeft);
wolfSSL	0:1239e9b70ca2	2009	if (add == NULL) {
wolfSSL	0:1239e9b70ca2	2010	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2011	return -1;
wolfSSL	0:1239e9b70ca2	2012	}
wolfSSL	0:1239e9b70ca2	2013	add->next = curr;
wolfSSL	0:1239e9b70ca2	2014	*front = add;
wolfSSL	0:1239e9b70ca2	2015	}
wolfSSL	0:1239e9b70ca2	2016
wolfSSL	0:1239e9b70ca2	2017	/* while we have bytes left, try to find a gap to fill */
wolfSSL	0:1239e9b70ca2	2018	while (bytesLeft > 0) {
wolfSSL	0:1239e9b70ca2	2019	/* get previous packet in list */
wolfSSL	0:1239e9b70ca2	2020	while (curr && (seq >= curr->begin)) {
wolfSSL	0:1239e9b70ca2	2021	prev = curr;
wolfSSL	0:1239e9b70ca2	2022	curr = curr->next;
wolfSSL	0:1239e9b70ca2	2023	}
wolfSSL	0:1239e9b70ca2	2024
wolfSSL	0:1239e9b70ca2	2025	/* don't add duplicate data */
wolfSSL	0:1239e9b70ca2	2026	if (prev->end >= seq) {
wolfSSL	0:1239e9b70ca2	2027	if ( (seq + bytesLeft - 1) <= prev->end)
wolfSSL	0:1239e9b70ca2	2028	return 1;
wolfSSL	0:1239e9b70ca2	2029	seq = prev->end + 1;
wolfSSL	0:1239e9b70ca2	2030	bytesLeft = startSeq + sslBytes - seq;
wolfSSL	0:1239e9b70ca2	2031	}
wolfSSL	0:1239e9b70ca2	2032
wolfSSL	0:1239e9b70ca2	2033	if (!curr)
wolfSSL	0:1239e9b70ca2	2034	/* we're at the end */
wolfSSL	0:1239e9b70ca2	2035	added = bytesLeft;
wolfSSL	0:1239e9b70ca2	2036	else
wolfSSL	0:1239e9b70ca2	2037	/* we're in between two frames */
wolfSSL	0:1239e9b70ca2	2038	added = min((word32)bytesLeft, curr->begin - seq);
wolfSSL	0:1239e9b70ca2	2039
wolfSSL	0:1239e9b70ca2	2040	/* data already there */
wolfSSL	0:1239e9b70ca2	2041	if (added == 0)
wolfSSL	0:1239e9b70ca2	2042	continue;
wolfSSL	0:1239e9b70ca2	2043
wolfSSL	0:1239e9b70ca2	2044	add = CreateBuffer(&seq, seq + added - 1, &sslFrame[seq - startSeq],
wolfSSL	0:1239e9b70ca2	2045	&bytesLeft);
wolfSSL	0:1239e9b70ca2	2046	if (add == NULL) {
wolfSSL	0:1239e9b70ca2	2047	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2048	return -1;
wolfSSL	0:1239e9b70ca2	2049	}
wolfSSL	0:1239e9b70ca2	2050	add->next = prev->next;
wolfSSL	0:1239e9b70ca2	2051	prev->next = add;
wolfSSL	0:1239e9b70ca2	2052	}
wolfSSL	0:1239e9b70ca2	2053	return 1;
wolfSSL	0:1239e9b70ca2	2054	}
wolfSSL	0:1239e9b70ca2	2055
wolfSSL	0:1239e9b70ca2	2056
wolfSSL	0:1239e9b70ca2	2057	/* Add out of order FIN capture */
wolfSSL	0:1239e9b70ca2	2058	/* returns 1 for success (end) */
wolfSSL	0:1239e9b70ca2	2059	static int AddFinCapture(SnifferSession* session, word32 sequence)
wolfSSL	0:1239e9b70ca2	2060	{
wolfSSL	0:1239e9b70ca2	2061	if (session->flags.side == CYASSL_SERVER_END) {
wolfSSL	0:1239e9b70ca2	2062	if (session->finCaputre.cliCounted == 0)
wolfSSL	0:1239e9b70ca2	2063	session->finCaputre.cliFinSeq = sequence;
wolfSSL	0:1239e9b70ca2	2064	}
wolfSSL	0:1239e9b70ca2	2065	else {
wolfSSL	0:1239e9b70ca2	2066	if (session->finCaputre.srvCounted == 0)
wolfSSL	0:1239e9b70ca2	2067	session->finCaputre.srvFinSeq = sequence;
wolfSSL	0:1239e9b70ca2	2068	}
wolfSSL	0:1239e9b70ca2	2069	return 1;
wolfSSL	0:1239e9b70ca2	2070	}
wolfSSL	0:1239e9b70ca2	2071
wolfSSL	0:1239e9b70ca2	2072
wolfSSL	0:1239e9b70ca2	2073	/* Adjust incoming sequence based on side */
wolfSSL	0:1239e9b70ca2	2074	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	0:1239e9b70ca2	2075	static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
wolfSSL	0:1239e9b70ca2	2076	int* sslBytes, const byte** sslFrame, char* error)
wolfSSL	0:1239e9b70ca2	2077	{
wolfSSL	0:1239e9b70ca2	2078	word32 seqStart = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2079	session->cliSeqStart :session->srvSeqStart;
wolfSSL	0:1239e9b70ca2	2080	word32 real = tcpInfo->sequence - seqStart;
wolfSSL	0:1239e9b70ca2	2081	word32* expected = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2082	&session->cliExpected : &session->srvExpected;
wolfSSL	0:1239e9b70ca2	2083	PacketBuffer* reassemblyList = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2084	session->cliReassemblyList : session->srvReassemblyList;
wolfSSL	0:1239e9b70ca2	2085
wolfSSL	0:1239e9b70ca2	2086	/* handle rollover of sequence */
wolfSSL	0:1239e9b70ca2	2087	if (tcpInfo->sequence < seqStart)
wolfSSL	0:1239e9b70ca2	2088	real = 0xffffffffU - seqStart + tcpInfo->sequence;
wolfSSL	0:1239e9b70ca2	2089
wolfSSL	0:1239e9b70ca2	2090	TraceRelativeSequence(*expected, real);
wolfSSL	0:1239e9b70ca2	2091
wolfSSL	0:1239e9b70ca2	2092	if (real < *expected) {
wolfSSL	0:1239e9b70ca2	2093	Trace(DUPLICATE_STR);
wolfSSL	0:1239e9b70ca2	2094	if (real + sslBytes > expected) {
wolfSSL	0:1239e9b70ca2	2095	int overlap = *expected - real;
wolfSSL	0:1239e9b70ca2	2096	Trace(OVERLAP_DUPLICATE_STR);
wolfSSL	0:1239e9b70ca2	2097
wolfSSL	0:1239e9b70ca2	2098	/* adjust to expected, remove duplicate */
wolfSSL	0:1239e9b70ca2	2099	*sslFrame += overlap;
wolfSSL	0:1239e9b70ca2	2100	*sslBytes -= overlap;
wolfSSL	0:1239e9b70ca2	2101
wolfSSL	0:1239e9b70ca2	2102	if (reassemblyList) {
wolfSSL	0:1239e9b70ca2	2103	word32 newEnd = expected + sslBytes;
wolfSSL	0:1239e9b70ca2	2104
wolfSSL	0:1239e9b70ca2	2105	if (newEnd > reassemblyList->begin) {
wolfSSL	0:1239e9b70ca2	2106	Trace(OVERLAP_REASSEMBLY_BEGIN_STR);
wolfSSL	0:1239e9b70ca2	2107
wolfSSL	0:1239e9b70ca2	2108	/* remove bytes already on reassembly list */
wolfSSL	0:1239e9b70ca2	2109	*sslBytes -= newEnd - reassemblyList->begin;
wolfSSL	0:1239e9b70ca2	2110	}
wolfSSL	0:1239e9b70ca2	2111	if (newEnd > reassemblyList->end) {
wolfSSL	0:1239e9b70ca2	2112	Trace(OVERLAP_REASSEMBLY_END_STR);
wolfSSL	0:1239e9b70ca2	2113
wolfSSL	0:1239e9b70ca2	2114	/* may be past reassembly list end (could have more on list)
wolfSSL	0:1239e9b70ca2	2115	so try to add what's past the front->end */
wolfSSL	0:1239e9b70ca2	2116	AddToReassembly(session->flags.side, reassemblyList->end +1,
wolfSSL	0:1239e9b70ca2	2117	sslFrame + reassemblyList->end - expected + 1,
wolfSSL	0:1239e9b70ca2	2118	newEnd - reassemblyList->end, session, error);
wolfSSL	0:1239e9b70ca2	2119	}
wolfSSL	0:1239e9b70ca2	2120	}
wolfSSL	0:1239e9b70ca2	2121	}
wolfSSL	0:1239e9b70ca2	2122	else
wolfSSL	0:1239e9b70ca2	2123	return 1;
wolfSSL	0:1239e9b70ca2	2124	}
wolfSSL	0:1239e9b70ca2	2125	else if (real > *expected) {
wolfSSL	0:1239e9b70ca2	2126	Trace(OUT_OF_ORDER_STR);
wolfSSL	0:1239e9b70ca2	2127	if (*sslBytes > 0)
wolfSSL	0:1239e9b70ca2	2128	return AddToReassembly(session->flags.side, real, *sslFrame,
wolfSSL	0:1239e9b70ca2	2129	*sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	2130	else if (tcpInfo->fin)
wolfSSL	0:1239e9b70ca2	2131	return AddFinCapture(session, real);
wolfSSL	0:1239e9b70ca2	2132	}
wolfSSL	0:1239e9b70ca2	2133	/* got expected sequence */
wolfSSL	0:1239e9b70ca2	2134	expected += sslBytes;
wolfSSL	0:1239e9b70ca2	2135	if (tcpInfo->fin)
wolfSSL	0:1239e9b70ca2	2136	*expected += 1;
wolfSSL	0:1239e9b70ca2	2137
wolfSSL	0:1239e9b70ca2	2138	return 0;
wolfSSL	0:1239e9b70ca2	2139	}
wolfSSL	0:1239e9b70ca2	2140
wolfSSL	0:1239e9b70ca2	2141
wolfSSL	0:1239e9b70ca2	2142	/* Check latest ack number for missing packets
wolfSSL	0:1239e9b70ca2	2143	return 0 ok, <0 on error */
wolfSSL	0:1239e9b70ca2	2144	static int CheckAck(TcpInfo* tcpInfo, SnifferSession* session)
wolfSSL	0:1239e9b70ca2	2145	{
wolfSSL	0:1239e9b70ca2	2146	if (tcpInfo->ack) {
wolfSSL	0:1239e9b70ca2	2147	word32 seqStart = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2148	session->srvSeqStart :session->cliSeqStart;
wolfSSL	0:1239e9b70ca2	2149	word32 real = tcpInfo->ackNumber - seqStart;
wolfSSL	0:1239e9b70ca2	2150	word32 expected = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2151	session->srvExpected : session->cliExpected;
wolfSSL	0:1239e9b70ca2	2152
wolfSSL	0:1239e9b70ca2	2153	/* handle rollover of sequence */
wolfSSL	0:1239e9b70ca2	2154	if (tcpInfo->ackNumber < seqStart)
wolfSSL	0:1239e9b70ca2	2155	real = 0xffffffffU - seqStart + tcpInfo->ackNumber;
wolfSSL	0:1239e9b70ca2	2156
wolfSSL	0:1239e9b70ca2	2157	TraceAck(real, expected);
wolfSSL	0:1239e9b70ca2	2158
wolfSSL	0:1239e9b70ca2	2159	if (real > expected)
wolfSSL	0:1239e9b70ca2	2160	return -1; /* we missed a packet, ACKing data we never saw */
wolfSSL	0:1239e9b70ca2	2161	}
wolfSSL	0:1239e9b70ca2	2162	return 0;
wolfSSL	0:1239e9b70ca2	2163	}
wolfSSL	0:1239e9b70ca2	2164
wolfSSL	0:1239e9b70ca2	2165
wolfSSL	0:1239e9b70ca2	2166	/* Check TCP Sequence status */
wolfSSL	0:1239e9b70ca2	2167	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	0:1239e9b70ca2	2168	static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	0:1239e9b70ca2	2169	SnifferSession* session, int* sslBytes,
wolfSSL	0:1239e9b70ca2	2170	const byte** sslFrame, char* error)
wolfSSL	0:1239e9b70ca2	2171	{
wolfSSL	0:1239e9b70ca2	2172	int actualLen;
wolfSSL	0:1239e9b70ca2	2173
wolfSSL	0:1239e9b70ca2	2174	/* init SEQ from server to client */
wolfSSL	0:1239e9b70ca2	2175	if (tcpInfo->syn && tcpInfo->ack) {
wolfSSL	0:1239e9b70ca2	2176	session->srvSeqStart = tcpInfo->sequence;
wolfSSL	0:1239e9b70ca2	2177	session->srvExpected = 1;
wolfSSL	0:1239e9b70ca2	2178	TraceServerSyn(tcpInfo->sequence);
wolfSSL	0:1239e9b70ca2	2179	return 1;
wolfSSL	0:1239e9b70ca2	2180	}
wolfSSL	0:1239e9b70ca2	2181
wolfSSL	0:1239e9b70ca2	2182	/* adjust potential ethernet trailer */
wolfSSL	0:1239e9b70ca2	2183	actualLen = ipInfo->total - ipInfo->length - tcpInfo->length;
wolfSSL	0:1239e9b70ca2	2184	if (*sslBytes > actualLen) {
wolfSSL	0:1239e9b70ca2	2185	*sslBytes = actualLen;
wolfSSL	0:1239e9b70ca2	2186	}
wolfSSL	0:1239e9b70ca2	2187
wolfSSL	0:1239e9b70ca2	2188	TraceSequence(tcpInfo->sequence, *sslBytes);
wolfSSL	0:1239e9b70ca2	2189	if (CheckAck(tcpInfo, session) < 0) {
wolfSSL	0:1239e9b70ca2	2190	SetError(ACK_MISSED_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2191	return -1;
wolfSSL	0:1239e9b70ca2	2192	}
wolfSSL	0:1239e9b70ca2	2193
wolfSSL	0:1239e9b70ca2	2194	return AdjustSequence(tcpInfo, session, sslBytes, sslFrame, error);
wolfSSL	0:1239e9b70ca2	2195	}
wolfSSL	0:1239e9b70ca2	2196
wolfSSL	0:1239e9b70ca2	2197
wolfSSL	0:1239e9b70ca2	2198	/* Check Status before record processing */
wolfSSL	0:1239e9b70ca2	2199	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	0:1239e9b70ca2	2200	static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	0:1239e9b70ca2	2201	const byte sslFrame, SnifferSession session,
wolfSSL	0:1239e9b70ca2	2202	int* sslBytes, const byte** end, char* error)
wolfSSL	0:1239e9b70ca2	2203	{
wolfSSL	0:1239e9b70ca2	2204	word32 length;
wolfSSL	0:1239e9b70ca2	2205	SSL* ssl = ((*session)->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2206	(session)->sslServer : (session)->sslClient;
wolfSSL	0:1239e9b70ca2	2207	/* remove SnifferSession on 2nd FIN or RST */
wolfSSL	0:1239e9b70ca2	2208	if (tcpInfo->fin \|\| tcpInfo->rst) {
wolfSSL	0:1239e9b70ca2	2209	/* flag FIN and RST */
wolfSSL	0:1239e9b70ca2	2210	if (tcpInfo->fin)
wolfSSL	0:1239e9b70ca2	2211	(*session)->flags.finCount += 1;
wolfSSL	0:1239e9b70ca2	2212	else if (tcpInfo->rst)
wolfSSL	0:1239e9b70ca2	2213	(*session)->flags.finCount += 2;
wolfSSL	0:1239e9b70ca2	2214
wolfSSL	0:1239e9b70ca2	2215	if ((*session)->flags.finCount >= 2) {
wolfSSL	0:1239e9b70ca2	2216	RemoveSession(*session, ipInfo, tcpInfo, 0);
wolfSSL	0:1239e9b70ca2	2217	*session = NULL;
wolfSSL	0:1239e9b70ca2	2218	return 1;
wolfSSL	0:1239e9b70ca2	2219	}
wolfSSL	0:1239e9b70ca2	2220	}
wolfSSL	0:1239e9b70ca2	2221
wolfSSL	0:1239e9b70ca2	2222	if ((*session)->flags.fatalError == FATAL_ERROR_STATE) {
wolfSSL	0:1239e9b70ca2	2223	SetError(FATAL_ERROR_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	2224	return -1;
wolfSSL	0:1239e9b70ca2	2225	}
wolfSSL	0:1239e9b70ca2	2226
wolfSSL	0:1239e9b70ca2	2227	if (*sslBytes == 0) {
wolfSSL	0:1239e9b70ca2	2228	Trace(NO_DATA_STR);
wolfSSL	0:1239e9b70ca2	2229	return 1;
wolfSSL	0:1239e9b70ca2	2230	}
wolfSSL	0:1239e9b70ca2	2231
wolfSSL	0:1239e9b70ca2	2232	/* if current partial data, add to end of partial */
wolfSSL	0:1239e9b70ca2	2233	if ( (length = ssl->buffers.inputBuffer.length) ) {
wolfSSL	0:1239e9b70ca2	2234	Trace(PARTIAL_ADD_STR);
wolfSSL	0:1239e9b70ca2	2235
wolfSSL	0:1239e9b70ca2	2236	if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
wolfSSL	0:1239e9b70ca2	2237	if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
wolfSSL	0:1239e9b70ca2	2238	SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2239	return -1;
wolfSSL	0:1239e9b70ca2	2240	}
wolfSSL	0:1239e9b70ca2	2241	}
wolfSSL	0:1239e9b70ca2	2242	XMEMCPY(&ssl->buffers.inputBuffer.buffer[length], sslFrame, sslBytes);
wolfSSL	0:1239e9b70ca2	2243	*sslBytes += length;
wolfSSL	0:1239e9b70ca2	2244	ssl->buffers.inputBuffer.length = *sslBytes;
wolfSSL	0:1239e9b70ca2	2245	*sslFrame = ssl->buffers.inputBuffer.buffer;
wolfSSL	0:1239e9b70ca2	2246	end = sslFrame + *sslBytes;
wolfSSL	0:1239e9b70ca2	2247	}
wolfSSL	0:1239e9b70ca2	2248
wolfSSL	0:1239e9b70ca2	2249	if ((session)->flags.clientHello == 0 && *sslFrame != handshake) {
wolfSSL	0:1239e9b70ca2	2250	int rhSize;
wolfSSL	0:1239e9b70ca2	2251	int ret = DoOldHello(session, sslFrame, &rhSize, sslBytes, error);
wolfSSL	0:1239e9b70ca2	2252	if (ret < 0)
wolfSSL	0:1239e9b70ca2	2253	return -1; /* error already set */
wolfSSL	0:1239e9b70ca2	2254	if (*sslBytes <= 0)
wolfSSL	0:1239e9b70ca2	2255	return 1;
wolfSSL	0:1239e9b70ca2	2256	}
wolfSSL	0:1239e9b70ca2	2257
wolfSSL	0:1239e9b70ca2	2258	return 0;
wolfSSL	0:1239e9b70ca2	2259	}
wolfSSL	0:1239e9b70ca2	2260
wolfSSL	0:1239e9b70ca2	2261
wolfSSL	0:1239e9b70ca2	2262	/* See if input on the reassembly list is ready for consuming */
wolfSSL	0:1239e9b70ca2	2263	/* returns 1 for TRUE, 0 for FALSE */
wolfSSL	0:1239e9b70ca2	2264	static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
wolfSSL	0:1239e9b70ca2	2265	int* sslBytes, const byte** end, char* error)
wolfSSL	0:1239e9b70ca2	2266	{
wolfSSL	0:1239e9b70ca2	2267	/* sequence and reassembly based on from, not to */
wolfSSL	0:1239e9b70ca2	2268	int moreInput = 0;
wolfSSL	0:1239e9b70ca2	2269	PacketBuffer** front = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2270	&session->cliReassemblyList : &session->srvReassemblyList;
wolfSSL	0:1239e9b70ca2	2271	word32* expected = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2272	&session->cliExpected : &session->srvExpected;
wolfSSL	0:1239e9b70ca2	2273	/* buffer is on receiving end */
wolfSSL	0:1239e9b70ca2	2274	word32* length = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2275	&session->sslServer->buffers.inputBuffer.length :
wolfSSL	0:1239e9b70ca2	2276	&session->sslClient->buffers.inputBuffer.length;
wolfSSL	0:1239e9b70ca2	2277	byte* myBuffer = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2278	session->sslServer->buffers.inputBuffer.buffer :
wolfSSL	0:1239e9b70ca2	2279	session->sslClient->buffers.inputBuffer.buffer;
wolfSSL	0:1239e9b70ca2	2280	word32 bufferSize = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2281	session->sslServer->buffers.inputBuffer.bufferSize :
wolfSSL	0:1239e9b70ca2	2282	session->sslClient->buffers.inputBuffer.bufferSize;
wolfSSL	0:1239e9b70ca2	2283	SSL* ssl = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2284	session->sslServer : session->sslClient;
wolfSSL	0:1239e9b70ca2	2285
wolfSSL	0:1239e9b70ca2	2286	while (front && ((front)->begin == *expected) ) {
wolfSSL	0:1239e9b70ca2	2287	word32 room = bufferSize - *length;
wolfSSL	0:1239e9b70ca2	2288	word32 packetLen = (front)->end - (front)->begin + 1;
wolfSSL	0:1239e9b70ca2	2289
wolfSSL	0:1239e9b70ca2	2290	if (packetLen > room && bufferSize < MAX_INPUT_SZ) {
wolfSSL	0:1239e9b70ca2	2291	if (GrowInputBuffer(ssl, packetLen, *length) < 0) {
wolfSSL	0:1239e9b70ca2	2292	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2293	return 0;
wolfSSL	0:1239e9b70ca2	2294	}
wolfSSL	0:1239e9b70ca2	2295	}
wolfSSL	0:1239e9b70ca2	2296
wolfSSL	0:1239e9b70ca2	2297	if (packetLen <= room) {
wolfSSL	0:1239e9b70ca2	2298	PacketBuffer* del = *front;
wolfSSL	0:1239e9b70ca2	2299
wolfSSL	0:1239e9b70ca2	2300	XMEMCPY(&myBuffer[length], (front)->data, packetLen);
wolfSSL	0:1239e9b70ca2	2301	*length += packetLen;
wolfSSL	0:1239e9b70ca2	2302	*expected += packetLen;
wolfSSL	0:1239e9b70ca2	2303
wolfSSL	0:1239e9b70ca2	2304	/* remove used packet */
wolfSSL	0:1239e9b70ca2	2305	front = (front)->next;
wolfSSL	0:1239e9b70ca2	2306	FreePacketBuffer(del);
wolfSSL	0:1239e9b70ca2	2307
wolfSSL	0:1239e9b70ca2	2308	moreInput = 1;
wolfSSL	0:1239e9b70ca2	2309	}
wolfSSL	0:1239e9b70ca2	2310	else
wolfSSL	0:1239e9b70ca2	2311	break;
wolfSSL	0:1239e9b70ca2	2312	}
wolfSSL	0:1239e9b70ca2	2313	if (moreInput) {
wolfSSL	0:1239e9b70ca2	2314	*sslFrame = myBuffer;
wolfSSL	0:1239e9b70ca2	2315	sslBytes = length;
wolfSSL	0:1239e9b70ca2	2316	end = myBuffer + length;
wolfSSL	0:1239e9b70ca2	2317	}
wolfSSL	0:1239e9b70ca2	2318	return moreInput;
wolfSSL	0:1239e9b70ca2	2319	}
wolfSSL	0:1239e9b70ca2	2320
wolfSSL	0:1239e9b70ca2	2321
wolfSSL	0:1239e9b70ca2	2322
wolfSSL	0:1239e9b70ca2	2323	/* Process Message(s) from sslFrame */
wolfSSL	0:1239e9b70ca2	2324	/* return Number of bytes on success, 0 for no data yet, and -1 on error */
wolfSSL	0:1239e9b70ca2	2325	static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
wolfSSL	0:1239e9b70ca2	2326	int sslBytes, byte* data, const byte* end,char* error)
wolfSSL	0:1239e9b70ca2	2327	{
wolfSSL	0:1239e9b70ca2	2328	const byte* sslBegin = sslFrame;
wolfSSL	0:1239e9b70ca2	2329	const byte* tmp;
wolfSSL	0:1239e9b70ca2	2330	RecordLayerHeader rh;
wolfSSL	0:1239e9b70ca2	2331	int rhSize = 0;
wolfSSL	0:1239e9b70ca2	2332	int ret;
wolfSSL	0:1239e9b70ca2	2333	int errCode = 0;
wolfSSL	0:1239e9b70ca2	2334	int decoded = 0; /* bytes stored for user in data */
wolfSSL	0:1239e9b70ca2	2335	int notEnough; /* notEnough bytes yet flag */
wolfSSL	0:1239e9b70ca2	2336	SSL* ssl = (session->flags.side == CYASSL_SERVER_END) ?
wolfSSL	0:1239e9b70ca2	2337	session->sslServer : session->sslClient;
wolfSSL	0:1239e9b70ca2	2338	doMessage:
wolfSSL	0:1239e9b70ca2	2339	notEnough = 0;
wolfSSL	0:1239e9b70ca2	2340	if (sslBytes < 0) {
wolfSSL	0:1239e9b70ca2	2341	SetError(PACKET_HDR_SHORT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2342	return -1;
wolfSSL	0:1239e9b70ca2	2343	}
wolfSSL	0:1239e9b70ca2	2344	if (sslBytes >= RECORD_HEADER_SZ) {
wolfSSL	0:1239e9b70ca2	2345	if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) {
wolfSSL	0:1239e9b70ca2	2346	SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2347	return -1;
wolfSSL	0:1239e9b70ca2	2348	}
wolfSSL	0:1239e9b70ca2	2349	}
wolfSSL	0:1239e9b70ca2	2350	else
wolfSSL	0:1239e9b70ca2	2351	notEnough = 1;
wolfSSL	0:1239e9b70ca2	2352
wolfSSL	0:1239e9b70ca2	2353	if (notEnough \|\| rhSize > (sslBytes - RECORD_HEADER_SZ)) {
wolfSSL	0:1239e9b70ca2	2354	/* don't have enough input yet to process full SSL record */
wolfSSL	0:1239e9b70ca2	2355	Trace(PARTIAL_INPUT_STR);
wolfSSL	0:1239e9b70ca2	2356
wolfSSL	0:1239e9b70ca2	2357	/* store partial if not there already or we advanced */
wolfSSL	0:1239e9b70ca2	2358	if (ssl->buffers.inputBuffer.length == 0 \|\| sslBegin != sslFrame) {
wolfSSL	0:1239e9b70ca2	2359	if (sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) {
wolfSSL	0:1239e9b70ca2	2360	if (GrowInputBuffer(ssl, sslBytes, 0) < 0) {
wolfSSL	0:1239e9b70ca2	2361	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2362	return -1;
wolfSSL	0:1239e9b70ca2	2363	}
wolfSSL	0:1239e9b70ca2	2364	}
wolfSSL	0:1239e9b70ca2	2365	XMEMCPY(ssl->buffers.inputBuffer.buffer, sslFrame, sslBytes);
wolfSSL	0:1239e9b70ca2	2366	ssl->buffers.inputBuffer.length = sslBytes;
wolfSSL	0:1239e9b70ca2	2367	}
wolfSSL	0:1239e9b70ca2	2368	if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
wolfSSL	0:1239e9b70ca2	2369	goto doMessage;
wolfSSL	0:1239e9b70ca2	2370	return decoded;
wolfSSL	0:1239e9b70ca2	2371	}
wolfSSL	0:1239e9b70ca2	2372	sslFrame += RECORD_HEADER_SZ;
wolfSSL	0:1239e9b70ca2	2373	sslBytes -= RECORD_HEADER_SZ;
wolfSSL	0:1239e9b70ca2	2374	tmp = sslFrame + rhSize; /* may have more than one record to process */
wolfSSL	0:1239e9b70ca2	2375
wolfSSL	0:1239e9b70ca2	2376	/* decrypt if needed */
wolfSSL	0:1239e9b70ca2	2377	if ((session->flags.side == CYASSL_SERVER_END &&
wolfSSL	0:1239e9b70ca2	2378	session->flags.serverCipherOn)
wolfSSL	0:1239e9b70ca2	2379	\|\| (session->flags.side == CYASSL_CLIENT_END &&
wolfSSL	0:1239e9b70ca2	2380	session->flags.clientCipherOn)) {
wolfSSL	0:1239e9b70ca2	2381	if (CheckAvailableSize(ssl, rhSize) < 0) {
wolfSSL	0:1239e9b70ca2	2382	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2383	return -1;
wolfSSL	0:1239e9b70ca2	2384	}
wolfSSL	0:1239e9b70ca2	2385	sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
wolfSSL	0:1239e9b70ca2	2386	ssl->buffers.outputBuffer.buffer, &errCode);
wolfSSL	0:1239e9b70ca2	2387	if (errCode != 0) {
wolfSSL	0:1239e9b70ca2	2388	SetError(BAD_DECRYPT, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2389	return -1;
wolfSSL	0:1239e9b70ca2	2390	}
wolfSSL	0:1239e9b70ca2	2391	}
wolfSSL	0:1239e9b70ca2	2392
wolfSSL	0:1239e9b70ca2	2393	switch ((enum ContentType)rh.type) {
wolfSSL	0:1239e9b70ca2	2394	case handshake:
wolfSSL	0:1239e9b70ca2	2395	Trace(GOT_HANDSHAKE_STR);
wolfSSL	0:1239e9b70ca2	2396	ret = DoHandShake(sslFrame, &sslBytes, session, error);
wolfSSL	0:1239e9b70ca2	2397	if (ret != 0) {
wolfSSL	0:1239e9b70ca2	2398	if (session->flags.fatalError == 0)
wolfSSL	0:1239e9b70ca2	2399	SetError(BAD_HANDSHAKE_STR,error,session,FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2400	return -1;
wolfSSL	0:1239e9b70ca2	2401	}
wolfSSL	0:1239e9b70ca2	2402	break;
wolfSSL	0:1239e9b70ca2	2403	case change_cipher_spec:
wolfSSL	0:1239e9b70ca2	2404	if (session->flags.side == CYASSL_SERVER_END)
wolfSSL	0:1239e9b70ca2	2405	session->flags.serverCipherOn = 1;
wolfSSL	0:1239e9b70ca2	2406	else
wolfSSL	0:1239e9b70ca2	2407	session->flags.clientCipherOn = 1;
wolfSSL	0:1239e9b70ca2	2408	Trace(GOT_CHANGE_CIPHER_STR);
wolfSSL	0:1239e9b70ca2	2409	ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL	0:1239e9b70ca2	2410	break;
wolfSSL	0:1239e9b70ca2	2411	case application_data:
wolfSSL	0:1239e9b70ca2	2412	Trace(GOT_APP_DATA_STR);
wolfSSL	0:1239e9b70ca2	2413	{
wolfSSL	0:1239e9b70ca2	2414	word32 inOutIdx = 0;
wolfSSL	0:1239e9b70ca2	2415
wolfSSL	0:1239e9b70ca2	2416	ret = DoApplicationData(ssl, (byte*)sslFrame, &inOutIdx);
wolfSSL	0:1239e9b70ca2	2417	if (ret == 0) {
wolfSSL	0:1239e9b70ca2	2418	ret = ssl->buffers.clearOutputBuffer.length;
wolfSSL	0:1239e9b70ca2	2419	TraceGotData(ret);
wolfSSL	0:1239e9b70ca2	2420	if (ret) { /* may be blank message */
wolfSSL	0:1239e9b70ca2	2421	XMEMCPY(&data[decoded],
wolfSSL	0:1239e9b70ca2	2422	ssl->buffers.clearOutputBuffer.buffer, ret);
wolfSSL	0:1239e9b70ca2	2423	TraceAddedData(ret, decoded);
wolfSSL	0:1239e9b70ca2	2424	decoded += ret;
wolfSSL	0:1239e9b70ca2	2425	ssl->buffers.clearOutputBuffer.length = 0;
wolfSSL	0:1239e9b70ca2	2426	}
wolfSSL	0:1239e9b70ca2	2427	}
wolfSSL	0:1239e9b70ca2	2428	else {
wolfSSL	0:1239e9b70ca2	2429	SetError(BAD_APP_DATA_STR, error,session,FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2430	return -1;
wolfSSL	0:1239e9b70ca2	2431	}
wolfSSL	0:1239e9b70ca2	2432	if (ssl->buffers.outputBuffer.dynamicFlag)
wolfSSL	0:1239e9b70ca2	2433	ShrinkOutputBuffer(ssl);
wolfSSL	0:1239e9b70ca2	2434	}
wolfSSL	0:1239e9b70ca2	2435	break;
wolfSSL	0:1239e9b70ca2	2436	case alert:
wolfSSL	0:1239e9b70ca2	2437	Trace(GOT_ALERT_STR);
wolfSSL	0:1239e9b70ca2	2438	break;
wolfSSL	0:1239e9b70ca2	2439	case no_type:
wolfSSL	0:1239e9b70ca2	2440	default:
wolfSSL	0:1239e9b70ca2	2441	SetError(GOT_UNKNOWN_RECORD_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	0:1239e9b70ca2	2442	return -1;
wolfSSL	0:1239e9b70ca2	2443	}
wolfSSL	0:1239e9b70ca2	2444
wolfSSL	0:1239e9b70ca2	2445	if (tmp < end) {
wolfSSL	0:1239e9b70ca2	2446	Trace(ANOTHER_MSG_STR);
wolfSSL	0:1239e9b70ca2	2447	sslFrame = tmp;
wolfSSL	0:1239e9b70ca2	2448	sslBytes = (int)(end - tmp);
wolfSSL	0:1239e9b70ca2	2449	goto doMessage;
wolfSSL	0:1239e9b70ca2	2450	}
wolfSSL	0:1239e9b70ca2	2451
wolfSSL	0:1239e9b70ca2	2452	/* clear used input */
wolfSSL	0:1239e9b70ca2	2453	ssl->buffers.inputBuffer.length = 0;
wolfSSL	0:1239e9b70ca2	2454
wolfSSL	0:1239e9b70ca2	2455	/* could have more input ready now */
wolfSSL	0:1239e9b70ca2	2456	if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
wolfSSL	0:1239e9b70ca2	2457	goto doMessage;
wolfSSL	0:1239e9b70ca2	2458
wolfSSL	0:1239e9b70ca2	2459	if (ssl->buffers.inputBuffer.dynamicFlag)
wolfSSL	0:1239e9b70ca2	2460	ShrinkInputBuffer(ssl, NO_FORCED_FREE);
wolfSSL	0:1239e9b70ca2	2461
wolfSSL	0:1239e9b70ca2	2462	return decoded;
wolfSSL	0:1239e9b70ca2	2463	}
wolfSSL	0:1239e9b70ca2	2464
wolfSSL	0:1239e9b70ca2	2465
wolfSSL	0:1239e9b70ca2	2466	/* See if we need to process any pending FIN captures */
wolfSSL	0:1239e9b70ca2	2467	static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	0:1239e9b70ca2	2468	SnifferSession* session)
wolfSSL	0:1239e9b70ca2	2469	{
wolfSSL	0:1239e9b70ca2	2470	if (session->finCaputre.cliFinSeq && session->finCaputre.cliFinSeq <=
wolfSSL	0:1239e9b70ca2	2471	session->cliExpected) {
wolfSSL	0:1239e9b70ca2	2472	if (session->finCaputre.cliCounted == 0) {
wolfSSL	0:1239e9b70ca2	2473	session->flags.finCount += 1;
wolfSSL	0:1239e9b70ca2	2474	session->finCaputre.cliCounted = 1;
wolfSSL	0:1239e9b70ca2	2475	TraceClientFin(session->finCaputre.cliFinSeq, session->cliExpected);
wolfSSL	0:1239e9b70ca2	2476	}
wolfSSL	0:1239e9b70ca2	2477	}
wolfSSL	0:1239e9b70ca2	2478
wolfSSL	0:1239e9b70ca2	2479	if (session->finCaputre.srvFinSeq && session->finCaputre.srvFinSeq <=
wolfSSL	0:1239e9b70ca2	2480	session->srvExpected) {
wolfSSL	0:1239e9b70ca2	2481	if (session->finCaputre.srvCounted == 0) {
wolfSSL	0:1239e9b70ca2	2482	session->flags.finCount += 1;
wolfSSL	0:1239e9b70ca2	2483	session->finCaputre.srvCounted = 1;
wolfSSL	0:1239e9b70ca2	2484	TraceServerFin(session->finCaputre.srvFinSeq, session->srvExpected);
wolfSSL	0:1239e9b70ca2	2485	}
wolfSSL	0:1239e9b70ca2	2486	}
wolfSSL	0:1239e9b70ca2	2487
wolfSSL	0:1239e9b70ca2	2488	if (session->flags.finCount >= 2)
wolfSSL	0:1239e9b70ca2	2489	RemoveSession(session, ipInfo, tcpInfo, 0);
wolfSSL	0:1239e9b70ca2	2490	}
wolfSSL	0:1239e9b70ca2	2491
wolfSSL	0:1239e9b70ca2	2492
wolfSSL	0:1239e9b70ca2	2493	/* If session is in fatal error state free resources now
wolfSSL	0:1239e9b70ca2	2494	return true if removed, 0 otherwise */
wolfSSL	0:1239e9b70ca2	2495	static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	0:1239e9b70ca2	2496	SnifferSession* session, char* error)
wolfSSL	0:1239e9b70ca2	2497	{
wolfSSL	0:1239e9b70ca2	2498	if (session && session->flags.fatalError == FATAL_ERROR_STATE) {
wolfSSL	0:1239e9b70ca2	2499	RemoveSession(session, ipInfo, tcpInfo, 0);
wolfSSL	0:1239e9b70ca2	2500	SetError(FATAL_ERROR_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	2501	return 1;
wolfSSL	0:1239e9b70ca2	2502	}
wolfSSL	0:1239e9b70ca2	2503	return 0;
wolfSSL	0:1239e9b70ca2	2504	}
wolfSSL	0:1239e9b70ca2	2505
wolfSSL	0:1239e9b70ca2	2506
wolfSSL	0:1239e9b70ca2	2507	/* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed */
wolfSSL	0:1239e9b70ca2	2508	/* returns Number of bytes on success, 0 for no data yet, and -1 on error */
wolfSSL	0:1239e9b70ca2	2509	int ssl_DecodePacket(const byte* packet, int length, byte* data, char* error)
wolfSSL	0:1239e9b70ca2	2510	{
wolfSSL	0:1239e9b70ca2	2511	TcpInfo tcpInfo;
wolfSSL	0:1239e9b70ca2	2512	IpInfo ipInfo;
wolfSSL	0:1239e9b70ca2	2513	const byte* sslFrame;
wolfSSL	0:1239e9b70ca2	2514	const byte* end = packet + length;
wolfSSL	0:1239e9b70ca2	2515	int sslBytes; /* ssl bytes unconsumed */
wolfSSL	0:1239e9b70ca2	2516	int ret;
wolfSSL	0:1239e9b70ca2	2517	SnifferSession* session = 0;
wolfSSL	0:1239e9b70ca2	2518
wolfSSL	0:1239e9b70ca2	2519	if (CheckHeaders(&ipInfo, &tcpInfo, packet, length, &sslFrame, &sslBytes,
wolfSSL	0:1239e9b70ca2	2520	error) != 0)
wolfSSL	0:1239e9b70ca2	2521	return -1;
wolfSSL	0:1239e9b70ca2	2522
wolfSSL	0:1239e9b70ca2	2523	ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
wolfSSL	0:1239e9b70ca2	2524	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	0:1239e9b70ca2	2525	else if (ret == -1) return -1;
wolfSSL	0:1239e9b70ca2	2526	else if (ret == 1) return 0; /* done for now */
wolfSSL	0:1239e9b70ca2	2527
wolfSSL	0:1239e9b70ca2	2528	ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error);
wolfSSL	0:1239e9b70ca2	2529	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	0:1239e9b70ca2	2530	else if (ret == -1) return -1;
wolfSSL	0:1239e9b70ca2	2531	else if (ret == 1) return 0; /* done for now */
wolfSSL	0:1239e9b70ca2	2532
wolfSSL	0:1239e9b70ca2	2533	ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes,
wolfSSL	0:1239e9b70ca2	2534	&end, error);
wolfSSL	0:1239e9b70ca2	2535	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	0:1239e9b70ca2	2536	else if (ret == -1) return -1;
wolfSSL	0:1239e9b70ca2	2537	else if (ret == 1) return 0; /* done for now */
wolfSSL	0:1239e9b70ca2	2538
wolfSSL	0:1239e9b70ca2	2539	ret = ProcessMessage(sslFrame, session, sslBytes, data, end, error);
wolfSSL	0:1239e9b70ca2	2540	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	0:1239e9b70ca2	2541	CheckFinCapture(&ipInfo, &tcpInfo, session);
wolfSSL	0:1239e9b70ca2	2542	return ret;
wolfSSL	0:1239e9b70ca2	2543	}
wolfSSL	0:1239e9b70ca2	2544
wolfSSL	0:1239e9b70ca2	2545
wolfSSL	0:1239e9b70ca2	2546	/* Enables (if traceFile)/ Disables debug tracing */
wolfSSL	0:1239e9b70ca2	2547	/* returns 0 on success, -1 on error */
wolfSSL	0:1239e9b70ca2	2548	int ssl_Trace(const char* traceFile, char* error)
wolfSSL	0:1239e9b70ca2	2549	{
wolfSSL	0:1239e9b70ca2	2550	if (traceFile) {
wolfSSL	0:1239e9b70ca2	2551	TraceFile = fopen(traceFile, "a");
wolfSSL	0:1239e9b70ca2	2552	if (!TraceFile) {
wolfSSL	0:1239e9b70ca2	2553	SetError(BAD_TRACE_FILE_STR, error, NULL, 0);
wolfSSL	0:1239e9b70ca2	2554	return -1;
wolfSSL	0:1239e9b70ca2	2555	}
wolfSSL	0:1239e9b70ca2	2556	TraceOn = 1;
wolfSSL	0:1239e9b70ca2	2557	}
wolfSSL	0:1239e9b70ca2	2558	else
wolfSSL	0:1239e9b70ca2	2559	TraceOn = 0;
wolfSSL	0:1239e9b70ca2	2560
wolfSSL	0:1239e9b70ca2	2561	return 0;
wolfSSL	0:1239e9b70ca2	2562	}
wolfSSL	0:1239e9b70ca2	2563
wolfSSL	0:1239e9b70ca2	2564
wolfSSL	0:1239e9b70ca2	2565
wolfSSL	0:1239e9b70ca2	2566
wolfSSL	0:1239e9b70ca2	2567	#endif /* CYASSL_SNIFFER */
wolfSSL	0:1239e9b70ca2	2568

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	14 Jan 2015
Imports:	1
Forks:	0
Commits:	5
Dependents:	0
Dependencies:	0
Followers:	2

src/sniffer.c@4:e505054279ed, 2015-01-14 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning