wolfSSL - wolfSSL SSL/TLS library, support up to TLS1.3

Users » wolfSSL » Code » wolfSSL

wolfSSL SSL/TLS library, support up to TLS1.3

Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more

src/sniffer.c@7:481bce714567, 2017-05-02 (annotated)

Committer:: wolfSSL
Date:: Tue May 02 08:44:47 2017 +0000
Revision:: 7:481bce714567

wolfSSL3.10.2

Who changed what in which revision?

User	Revision	Line number	New contents of line
wolfSSL	7:481bce714567	1	/* sniffer.c
wolfSSL	7:481bce714567	2	*
wolfSSL	7:481bce714567	3	* Copyright (C) 2006-2016 wolfSSL Inc.
wolfSSL	7:481bce714567	4	*
wolfSSL	7:481bce714567	5	* This file is part of wolfSSL.
wolfSSL	7:481bce714567	6	*
wolfSSL	7:481bce714567	7	* wolfSSL is free software; you can redistribute it and/or modify
wolfSSL	7:481bce714567	8	* it under the terms of the GNU General Public License as published by
wolfSSL	7:481bce714567	9	* the Free Software Foundation; either version 2 of the License, or
wolfSSL	7:481bce714567	10	* (at your option) any later version.
wolfSSL	7:481bce714567	11	*
wolfSSL	7:481bce714567	12	* wolfSSL is distributed in the hope that it will be useful,
wolfSSL	7:481bce714567	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL	7:481bce714567	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL	7:481bce714567	15	* GNU General Public License for more details.
wolfSSL	7:481bce714567	16	*
wolfSSL	7:481bce714567	17	* You should have received a copy of the GNU General Public License
wolfSSL	7:481bce714567	18	* along with this program; if not, write to the Free Software
wolfSSL	7:481bce714567	19	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL	7:481bce714567	20	*/
wolfSSL	7:481bce714567	21
wolfSSL	7:481bce714567	22
wolfSSL	7:481bce714567	23	#ifdef HAVE_CONFIG_H
wolfSSL	7:481bce714567	24	#include <config.h>
wolfSSL	7:481bce714567	25	#endif
wolfSSL	7:481bce714567	26
wolfSSL	7:481bce714567	27	#include <wolfssl/wolfcrypt/settings.h>
wolfSSL	7:481bce714567	28
wolfSSL	7:481bce714567	29	#ifndef WOLFCRYPT_ONLY
wolfSSL	7:481bce714567	30	#ifdef WOLFSSL_SNIFFER
wolfSSL	7:481bce714567	31
wolfSSL	7:481bce714567	32	#include <assert.h>
wolfSSL	7:481bce714567	33	#include <time.h>
wolfSSL	7:481bce714567	34
wolfSSL	7:481bce714567	35	#ifndef _WIN32
wolfSSL	7:481bce714567	36	#include <arpa/inet.h>
wolfSSL	7:481bce714567	37	#endif
wolfSSL	7:481bce714567	38
wolfSSL	7:481bce714567	39	#ifdef _WIN32
wolfSSL	7:481bce714567	40	#define SNPRINTF _snprintf
wolfSSL	7:481bce714567	41	#else
wolfSSL	7:481bce714567	42	#define SNPRINTF snprintf
wolfSSL	7:481bce714567	43	#endif
wolfSSL	7:481bce714567	44
wolfSSL	7:481bce714567	45	#include <wolfssl/openssl/ssl.h>
wolfSSL	7:481bce714567	46	#include <wolfssl/internal.h>
wolfSSL	7:481bce714567	47	#include <wolfssl/error-ssl.h>
wolfSSL	7:481bce714567	48	#include <wolfssl/sniffer.h>
wolfSSL	7:481bce714567	49	#include <wolfssl/sniffer_error.h>
wolfSSL	7:481bce714567	50	#ifdef NO_INLINE
wolfSSL	7:481bce714567	51	#include <wolfssl/wolfcrypt/misc.h>
wolfSSL	7:481bce714567	52	#else
wolfSSL	7:481bce714567	53	#define WOLFSSL_MISC_INCLUDED
wolfSSL	7:481bce714567	54	#include <wolfcrypt/src/misc.c>
wolfSSL	7:481bce714567	55	#endif
wolfSSL	7:481bce714567	56
wolfSSL	7:481bce714567	57
wolfSSL	7:481bce714567	58	#ifndef WOLFSSL_SNIFFER_TIMEOUT
wolfSSL	7:481bce714567	59	#define WOLFSSL_SNIFFER_TIMEOUT 900
wolfSSL	7:481bce714567	60	/* Cache unclosed Sessions for 15 minutes since last used */
wolfSSL	7:481bce714567	61	#endif
wolfSSL	7:481bce714567	62
wolfSSL	7:481bce714567	63	/* Misc constants */
wolfSSL	7:481bce714567	64	enum {
wolfSSL	7:481bce714567	65	MAX_SERVER_ADDRESS = 128, /* maximum server address length */
wolfSSL	7:481bce714567	66	MAX_SERVER_NAME = 128, /* maximum server name length */
wolfSSL	7:481bce714567	67	MAX_ERROR_LEN = 80, /* maximum error length */
wolfSSL	7:481bce714567	68	ETHER_IF_ADDR_LEN = 6, /* ethernet interface address length */
wolfSSL	7:481bce714567	69	LOCAL_IF_ADDR_LEN = 4, /* localhost interface address length, !windows */
wolfSSL	7:481bce714567	70	TCP_PROTO = 6, /* TCP_PROTOCOL */
wolfSSL	7:481bce714567	71	IP_HDR_SZ = 20, /* IP header length, min */
wolfSSL	7:481bce714567	72	TCP_HDR_SZ = 20, /* TCP header length, min */
wolfSSL	7:481bce714567	73	IPV4 = 4, /* IP version 4 */
wolfSSL	7:481bce714567	74	TCP_PROTOCOL = 6, /* TCP Protocol id */
wolfSSL	7:481bce714567	75	TRACE_MSG_SZ = 80, /* Trace Message buffer size */
wolfSSL	7:481bce714567	76	HASH_SIZE = 499, /* Session Hash Table Rows */
wolfSSL	7:481bce714567	77	PSEUDO_HDR_SZ = 12, /* TCP Pseudo Header size in bytes */
wolfSSL	7:481bce714567	78	FATAL_ERROR_STATE = 1, /* SnifferSession fatal error state */
wolfSSL	7:481bce714567	79	TICKET_HINT_LEN = 4, /* Session Ticket Hint length */
wolfSSL	7:481bce714567	80	EXT_TYPE_SZ = 2, /* Extension length */
wolfSSL	7:481bce714567	81	MAX_INPUT_SZ = MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA +
wolfSSL	7:481bce714567	82	MTU_EXTRA, /* Max input sz of reassembly */
wolfSSL	7:481bce714567	83	EXT_MASTER_SECRET = 0x17, /* Extended Master Secret Extension ID */
wolfSSL	7:481bce714567	84	TICKET_EXT_ID = 0x23 /* Session Ticket Extension ID */
wolfSSL	7:481bce714567	85	};
wolfSSL	7:481bce714567	86
wolfSSL	7:481bce714567	87
wolfSSL	7:481bce714567	88	#ifdef _WIN32
wolfSSL	7:481bce714567	89
wolfSSL	7:481bce714567	90	static HMODULE dllModule; /* for error string resources */
wolfSSL	7:481bce714567	91
wolfSSL	7:481bce714567	92	BOOL APIENTRY DllMain( HMODULE hModule,
wolfSSL	7:481bce714567	93	DWORD ul_reason_for_call,
wolfSSL	7:481bce714567	94	LPVOID lpReserved
wolfSSL	7:481bce714567	95	)
wolfSSL	7:481bce714567	96	{
wolfSSL	7:481bce714567	97	static int didInit = 0;
wolfSSL	7:481bce714567	98
wolfSSL	7:481bce714567	99	switch (ul_reason_for_call)
wolfSSL	7:481bce714567	100	{
wolfSSL	7:481bce714567	101	case DLL_PROCESS_ATTACH:
wolfSSL	7:481bce714567	102	if (didInit == 0) {
wolfSSL	7:481bce714567	103	dllModule = hModule;
wolfSSL	7:481bce714567	104	ssl_InitSniffer();
wolfSSL	7:481bce714567	105	didInit = 1;
wolfSSL	7:481bce714567	106	}
wolfSSL	7:481bce714567	107	break;
wolfSSL	7:481bce714567	108	case DLL_THREAD_ATTACH:
wolfSSL	7:481bce714567	109	break;
wolfSSL	7:481bce714567	110	case DLL_THREAD_DETACH:
wolfSSL	7:481bce714567	111	break;
wolfSSL	7:481bce714567	112	case DLL_PROCESS_DETACH:
wolfSSL	7:481bce714567	113	if (didInit) {
wolfSSL	7:481bce714567	114	ssl_FreeSniffer();
wolfSSL	7:481bce714567	115	didInit = 0;
wolfSSL	7:481bce714567	116	}
wolfSSL	7:481bce714567	117	break;
wolfSSL	7:481bce714567	118	}
wolfSSL	7:481bce714567	119	return TRUE;
wolfSSL	7:481bce714567	120	}
wolfSSL	7:481bce714567	121
wolfSSL	7:481bce714567	122	#endif /* _WIN32 */
wolfSSL	7:481bce714567	123
wolfSSL	7:481bce714567	124
wolfSSL	7:481bce714567	125	static int TraceOn = 0; /* Trace is off by default */
wolfSSL	7:481bce714567	126	static FILE* TraceFile = 0;
wolfSSL	7:481bce714567	127
wolfSSL	7:481bce714567	128
wolfSSL	7:481bce714567	129	/* windows uses .rc table for this */
wolfSSL	7:481bce714567	130	#ifndef _WIN32
wolfSSL	7:481bce714567	131
wolfSSL	7:481bce714567	132	static const char* const msgTable[] =
wolfSSL	7:481bce714567	133	{
wolfSSL	7:481bce714567	134	/* 1 */
wolfSSL	7:481bce714567	135	"Out of Memory",
wolfSSL	7:481bce714567	136	"New SSL Sniffer Server Registered",
wolfSSL	7:481bce714567	137	"Checking IP Header",
wolfSSL	7:481bce714567	138	"SSL Sniffer Server Not Registered",
wolfSSL	7:481bce714567	139	"Checking TCP Header",
wolfSSL	7:481bce714567	140
wolfSSL	7:481bce714567	141	/* 6 */
wolfSSL	7:481bce714567	142	"SSL Sniffer Server Port Not Registered",
wolfSSL	7:481bce714567	143	"RSA Private Decrypt Error",
wolfSSL	7:481bce714567	144	"RSA Private Decode Error",
wolfSSL	7:481bce714567	145	"Set Cipher Spec Error",
wolfSSL	7:481bce714567	146	"Server Hello Input Malformed",
wolfSSL	7:481bce714567	147
wolfSSL	7:481bce714567	148	/* 11 */
wolfSSL	7:481bce714567	149	"Couldn't Resume Session Error",
wolfSSL	7:481bce714567	150	"Server Did Resumption",
wolfSSL	7:481bce714567	151	"Client Hello Input Malformed",
wolfSSL	7:481bce714567	152	"Client Trying to Resume",
wolfSSL	7:481bce714567	153	"Handshake Input Malformed",
wolfSSL	7:481bce714567	154
wolfSSL	7:481bce714567	155	/* 16 */
wolfSSL	7:481bce714567	156	"Got Hello Verify msg",
wolfSSL	7:481bce714567	157	"Got Server Hello msg",
wolfSSL	7:481bce714567	158	"Got Cert Request msg",
wolfSSL	7:481bce714567	159	"Got Server Key Exchange msg",
wolfSSL	7:481bce714567	160	"Got Cert msg",
wolfSSL	7:481bce714567	161
wolfSSL	7:481bce714567	162	/* 21 */
wolfSSL	7:481bce714567	163	"Got Server Hello Done msg",
wolfSSL	7:481bce714567	164	"Got Finished msg",
wolfSSL	7:481bce714567	165	"Got Client Hello msg",
wolfSSL	7:481bce714567	166	"Got Client Key Exchange msg",
wolfSSL	7:481bce714567	167	"Got Cert Verify msg",
wolfSSL	7:481bce714567	168
wolfSSL	7:481bce714567	169	/* 26 */
wolfSSL	7:481bce714567	170	"Got Unknown Handshake msg",
wolfSSL	7:481bce714567	171	"New SSL Sniffer Session created",
wolfSSL	7:481bce714567	172	"Couldn't create new SSL",
wolfSSL	7:481bce714567	173	"Got a Packet to decode",
wolfSSL	7:481bce714567	174	"No data present",
wolfSSL	7:481bce714567	175
wolfSSL	7:481bce714567	176	/* 31 */
wolfSSL	7:481bce714567	177	"Session Not Found",
wolfSSL	7:481bce714567	178	"Got an Old Client Hello msg",
wolfSSL	7:481bce714567	179	"Old Client Hello Input Malformed",
wolfSSL	7:481bce714567	180	"Old Client Hello OK",
wolfSSL	7:481bce714567	181	"Bad Old Client Hello",
wolfSSL	7:481bce714567	182
wolfSSL	7:481bce714567	183	/* 36 */
wolfSSL	7:481bce714567	184	"Bad Record Header",
wolfSSL	7:481bce714567	185	"Record Header Input Malformed",
wolfSSL	7:481bce714567	186	"Got a HandShake msg",
wolfSSL	7:481bce714567	187	"Bad HandShake msg",
wolfSSL	7:481bce714567	188	"Got a Change Cipher Spec msg",
wolfSSL	7:481bce714567	189
wolfSSL	7:481bce714567	190	/* 41 */
wolfSSL	7:481bce714567	191	"Got Application Data msg",
wolfSSL	7:481bce714567	192	"Bad Application Data",
wolfSSL	7:481bce714567	193	"Got an Alert msg",
wolfSSL	7:481bce714567	194	"Another msg to Process",
wolfSSL	7:481bce714567	195	"Removing Session From Table",
wolfSSL	7:481bce714567	196
wolfSSL	7:481bce714567	197	/* 46 */
wolfSSL	7:481bce714567	198	"Bad Key File",
wolfSSL	7:481bce714567	199	"Wrong IP Version",
wolfSSL	7:481bce714567	200	"Wrong Protocol type",
wolfSSL	7:481bce714567	201	"Packet Short for header processing",
wolfSSL	7:481bce714567	202	"Got Unknown Record Type",
wolfSSL	7:481bce714567	203
wolfSSL	7:481bce714567	204	/* 51 */
wolfSSL	7:481bce714567	205	"Can't Open Trace File",
wolfSSL	7:481bce714567	206	"Session in Fatal Error State",
wolfSSL	7:481bce714567	207	"Partial SSL record received",
wolfSSL	7:481bce714567	208	"Buffer Error, malformed input",
wolfSSL	7:481bce714567	209	"Added to Partial Input",
wolfSSL	7:481bce714567	210
wolfSSL	7:481bce714567	211	/* 56 */
wolfSSL	7:481bce714567	212	"Received a Duplicate Packet",
wolfSSL	7:481bce714567	213	"Received an Out of Order Packet",
wolfSSL	7:481bce714567	214	"Received an Overlap Duplicate Packet",
wolfSSL	7:481bce714567	215	"Received an Overlap Reassembly Begin Duplicate Packet",
wolfSSL	7:481bce714567	216	"Received an Overlap Reassembly End Duplicate Packet",
wolfSSL	7:481bce714567	217
wolfSSL	7:481bce714567	218	/* 61 */
wolfSSL	7:481bce714567	219	"Missed the Client Hello Entirely",
wolfSSL	7:481bce714567	220	"Got Hello Request msg",
wolfSSL	7:481bce714567	221	"Got Session Ticket msg",
wolfSSL	7:481bce714567	222	"Bad Input",
wolfSSL	7:481bce714567	223	"Bad Decrypt Type",
wolfSSL	7:481bce714567	224
wolfSSL	7:481bce714567	225	/* 66 */
wolfSSL	7:481bce714567	226	"Bad Finished Message Processing",
wolfSSL	7:481bce714567	227	"Bad Compression Type",
wolfSSL	7:481bce714567	228	"Bad DeriveKeys Error",
wolfSSL	7:481bce714567	229	"Saw ACK for Missing Packet Error",
wolfSSL	7:481bce714567	230	"Bad Decrypt Operation",
wolfSSL	7:481bce714567	231
wolfSSL	7:481bce714567	232	/* 71 */
wolfSSL	7:481bce714567	233	"Decrypt Keys Not Set Up",
wolfSSL	7:481bce714567	234	"Late Key Load Error",
wolfSSL	7:481bce714567	235	"Got Certificate Status msg",
wolfSSL	7:481bce714567	236	"RSA Key Missing Error",
wolfSSL	7:481bce714567	237	"Secure Renegotiation Not Supported",
wolfSSL	7:481bce714567	238
wolfSSL	7:481bce714567	239	/* 76 */
wolfSSL	7:481bce714567	240	"Get Session Stats Failure",
wolfSSL	7:481bce714567	241	"Reassembly Buffer Size Exceeded",
wolfSSL	7:481bce714567	242	"Dropping Lost Fragment",
wolfSSL	7:481bce714567	243	"Dropping Partial Record",
wolfSSL	7:481bce714567	244	"Clear ACK Fault",
wolfSSL	7:481bce714567	245
wolfSSL	7:481bce714567	246	/* 81 */
wolfSSL	7:481bce714567	247	"Bad Decrypt Size",
wolfSSL	7:481bce714567	248	"Extended Master Secret Hash Error"
wolfSSL	7:481bce714567	249	};
wolfSSL	7:481bce714567	250
wolfSSL	7:481bce714567	251
wolfSSL	7:481bce714567	252	/* nix version uses table above /
wolfSSL	7:481bce714567	253	static void GetError(int idx, char* str)
wolfSSL	7:481bce714567	254	{
wolfSSL	7:481bce714567	255	XSTRNCPY(str, msgTable[idx - 1], MAX_ERROR_LEN);
wolfSSL	7:481bce714567	256	}
wolfSSL	7:481bce714567	257
wolfSSL	7:481bce714567	258
wolfSSL	7:481bce714567	259	#else /* _WIN32 */
wolfSSL	7:481bce714567	260
wolfSSL	7:481bce714567	261
wolfSSL	7:481bce714567	262	/* Windows version uses .rc table */
wolfSSL	7:481bce714567	263	static void GetError(int idx, char* buffer)
wolfSSL	7:481bce714567	264	{
wolfSSL	7:481bce714567	265	if (!LoadStringA(dllModule, idx, buffer, MAX_ERROR_LEN))
wolfSSL	7:481bce714567	266	buffer[0] = 0;
wolfSSL	7:481bce714567	267	}
wolfSSL	7:481bce714567	268
wolfSSL	7:481bce714567	269
wolfSSL	7:481bce714567	270	#endif /* _WIN32 */
wolfSSL	7:481bce714567	271
wolfSSL	7:481bce714567	272
wolfSSL	7:481bce714567	273	/* Packet Buffer for reassembly list and ready list */
wolfSSL	7:481bce714567	274	typedef struct PacketBuffer {
wolfSSL	7:481bce714567	275	word32 begin; /* relative sequence begin */
wolfSSL	7:481bce714567	276	word32 end; /* relative sequence end */
wolfSSL	7:481bce714567	277	byte* data; /* actual data */
wolfSSL	7:481bce714567	278	struct PacketBuffer* next; /* next on reassembly list or ready list */
wolfSSL	7:481bce714567	279	} PacketBuffer;
wolfSSL	7:481bce714567	280
wolfSSL	7:481bce714567	281
wolfSSL	7:481bce714567	282	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	283
wolfSSL	7:481bce714567	284	/* NamedKey maps a SNI name to a specific private key */
wolfSSL	7:481bce714567	285	typedef struct NamedKey {
wolfSSL	7:481bce714567	286	char name[MAX_SERVER_NAME]; /* server DNS name */
wolfSSL	7:481bce714567	287	word32 nameSz; /* size of server DNS name */
wolfSSL	7:481bce714567	288	byte* key; /* DER private key */
wolfSSL	7:481bce714567	289	word32 keySz; /* size of DER private key */
wolfSSL	7:481bce714567	290	struct NamedKey* next; /* for list */
wolfSSL	7:481bce714567	291	} NamedKey;
wolfSSL	7:481bce714567	292
wolfSSL	7:481bce714567	293	#endif
wolfSSL	7:481bce714567	294
wolfSSL	7:481bce714567	295
wolfSSL	7:481bce714567	296	/* Sniffer Server holds info for each server/port monitored */
wolfSSL	7:481bce714567	297	typedef struct SnifferServer {
wolfSSL	7:481bce714567	298	SSL_CTX* ctx; /* SSL context */
wolfSSL	7:481bce714567	299	char address[MAX_SERVER_ADDRESS]; /* passed in server address */
wolfSSL	7:481bce714567	300	word32 server; /* netowrk order address */
wolfSSL	7:481bce714567	301	int port; /* server port */
wolfSSL	7:481bce714567	302	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	303	NamedKey* namedKeys; /* mapping of names and keys */
wolfSSL	7:481bce714567	304	wolfSSL_Mutex namedKeysMutex; /* mutex for namedKey list */
wolfSSL	7:481bce714567	305	#endif
wolfSSL	7:481bce714567	306	struct SnifferServer* next; /* for list */
wolfSSL	7:481bce714567	307	} SnifferServer;
wolfSSL	7:481bce714567	308
wolfSSL	7:481bce714567	309
wolfSSL	7:481bce714567	310	/* Session Flags */
wolfSSL	7:481bce714567	311	typedef struct Flags {
wolfSSL	7:481bce714567	312	byte side; /* which end is current packet headed */
wolfSSL	7:481bce714567	313	byte serverCipherOn; /* indicates whether cipher is active */
wolfSSL	7:481bce714567	314	byte clientCipherOn; /* indicates whether cipher is active */
wolfSSL	7:481bce714567	315	byte resuming; /* did this session come from resumption */
wolfSSL	7:481bce714567	316	byte cached; /* have we cached this session yet */
wolfSSL	7:481bce714567	317	byte clientHello; /* processed client hello yet, for SSLv2 */
wolfSSL	7:481bce714567	318	byte finCount; /* get both FINs before removing */
wolfSSL	7:481bce714567	319	byte fatalError; /* fatal error state */
wolfSSL	7:481bce714567	320	byte cliAckFault; /* client acked unseen data from server */
wolfSSL	7:481bce714567	321	byte srvAckFault; /* server acked unseen data from client */
wolfSSL	7:481bce714567	322	byte cliSkipPartial; /* client skips partial data to catch up */
wolfSSL	7:481bce714567	323	byte srvSkipPartial; /* server skips partial data to catch up */
wolfSSL	7:481bce714567	324	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	325	byte expectEms; /* expect extended master secret */
wolfSSL	7:481bce714567	326	#endif
wolfSSL	7:481bce714567	327	} Flags;
wolfSSL	7:481bce714567	328
wolfSSL	7:481bce714567	329
wolfSSL	7:481bce714567	330	/* Out of Order FIN caputre */
wolfSSL	7:481bce714567	331	typedef struct FinCaputre {
wolfSSL	7:481bce714567	332	word32 cliFinSeq; /* client relative sequence FIN 0 is no */
wolfSSL	7:481bce714567	333	word32 srvFinSeq; /* server relative sequence FIN, 0 is no */
wolfSSL	7:481bce714567	334	byte cliCounted; /* did we count yet, detects duplicates */
wolfSSL	7:481bce714567	335	byte srvCounted; /* did we count yet, detects duplicates */
wolfSSL	7:481bce714567	336	} FinCaputre;
wolfSSL	7:481bce714567	337
wolfSSL	7:481bce714567	338
wolfSSL	7:481bce714567	339	typedef struct HsHashes {
wolfSSL	7:481bce714567	340	#ifndef NO_OLD_TLS
wolfSSL	7:481bce714567	341	#ifndef NO_SHA
wolfSSL	7:481bce714567	342	Sha hashSha;
wolfSSL	7:481bce714567	343	#endif
wolfSSL	7:481bce714567	344	#ifndef NO_MD5
wolfSSL	7:481bce714567	345	Md5 hashMd5;
wolfSSL	7:481bce714567	346	#endif
wolfSSL	7:481bce714567	347	#endif
wolfSSL	7:481bce714567	348	#ifndef NO_SHA256
wolfSSL	7:481bce714567	349	Sha256 hashSha256;
wolfSSL	7:481bce714567	350	#endif
wolfSSL	7:481bce714567	351	#ifdef WOLFSSL_SHA384
wolfSSL	7:481bce714567	352	Sha384 hashSha384;
wolfSSL	7:481bce714567	353	#endif
wolfSSL	7:481bce714567	354	} HsHashes;
wolfSSL	7:481bce714567	355
wolfSSL	7:481bce714567	356
wolfSSL	7:481bce714567	357	/* Sniffer Session holds info for each client/server SSL/TLS session */
wolfSSL	7:481bce714567	358	typedef struct SnifferSession {
wolfSSL	7:481bce714567	359	SnifferServer* context; /* server context */
wolfSSL	7:481bce714567	360	SSL* sslServer; /* SSL server side decode */
wolfSSL	7:481bce714567	361	SSL* sslClient; /* SSL client side decode */
wolfSSL	7:481bce714567	362	word32 server; /* server address in network byte order */
wolfSSL	7:481bce714567	363	word32 client; /* client address in network byte order */
wolfSSL	7:481bce714567	364	word16 srvPort; /* server port */
wolfSSL	7:481bce714567	365	word16 cliPort; /* client port */
wolfSSL	7:481bce714567	366	word32 cliSeqStart; /* client start sequence */
wolfSSL	7:481bce714567	367	word32 srvSeqStart; /* server start sequence */
wolfSSL	7:481bce714567	368	word32 cliExpected; /* client expected sequence (relative) */
wolfSSL	7:481bce714567	369	word32 srvExpected; /* server expected sequence (relative) */
wolfSSL	7:481bce714567	370	FinCaputre finCaputre; /* retain out of order FIN s */
wolfSSL	7:481bce714567	371	Flags flags; /* session flags */
wolfSSL	7:481bce714567	372	time_t lastUsed; /* last used ticks */
wolfSSL	7:481bce714567	373	PacketBuffer* cliReassemblyList; /* client out of order packets */
wolfSSL	7:481bce714567	374	PacketBuffer* srvReassemblyList; /* server out of order packets */
wolfSSL	7:481bce714567	375	word32 cliReassemblyMemory; /* client packet memory used */
wolfSSL	7:481bce714567	376	word32 srvReassemblyMemory; /* server packet memory used */
wolfSSL	7:481bce714567	377	struct SnifferSession* next; /* for hash table list */
wolfSSL	7:481bce714567	378	byte* ticketID; /* mac ID of session ticket */
wolfSSL	7:481bce714567	379	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	380	HsHashes* hash;
wolfSSL	7:481bce714567	381	#endif
wolfSSL	7:481bce714567	382	} SnifferSession;
wolfSSL	7:481bce714567	383
wolfSSL	7:481bce714567	384
wolfSSL	7:481bce714567	385	/* Sniffer Server List and mutex */
wolfSSL	7:481bce714567	386	static SnifferServer* ServerList = 0;
wolfSSL	7:481bce714567	387	static wolfSSL_Mutex ServerListMutex;
wolfSSL	7:481bce714567	388
wolfSSL	7:481bce714567	389
wolfSSL	7:481bce714567	390	/* Session Hash Table, mutex, and count */
wolfSSL	7:481bce714567	391	static SnifferSession* SessionTable[HASH_SIZE];
wolfSSL	7:481bce714567	392	static wolfSSL_Mutex SessionMutex;
wolfSSL	7:481bce714567	393	static int SessionCount = 0;
wolfSSL	7:481bce714567	394
wolfSSL	7:481bce714567	395	/* Recovery of missed data switches and stats */
wolfSSL	7:481bce714567	396	static wolfSSL_Mutex RecoveryMutex; /* for stats */
wolfSSL	7:481bce714567	397	static int RecoveryEnabled = 0; /* global switch */
wolfSSL	7:481bce714567	398	static int MaxRecoveryMemory = -1; /* per session max recovery memory */
wolfSSL	7:481bce714567	399	static word32 MissedDataSessions = 0; /* # of sessions with missed data */
wolfSSL	7:481bce714567	400
wolfSSL	7:481bce714567	401
wolfSSL	7:481bce714567	402	static void UpdateMissedDataSessions(void)
wolfSSL	7:481bce714567	403	{
wolfSSL	7:481bce714567	404	wc_LockMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	405	MissedDataSessions += 1;
wolfSSL	7:481bce714567	406	wc_UnLockMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	407	}
wolfSSL	7:481bce714567	408
wolfSSL	7:481bce714567	409
wolfSSL	7:481bce714567	410	/* Initialize overall Sniffer */
wolfSSL	7:481bce714567	411	void ssl_InitSniffer(void)
wolfSSL	7:481bce714567	412	{
wolfSSL	7:481bce714567	413	wolfSSL_Init();
wolfSSL	7:481bce714567	414	wc_InitMutex(&ServerListMutex);
wolfSSL	7:481bce714567	415	wc_InitMutex(&SessionMutex);
wolfSSL	7:481bce714567	416	wc_InitMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	417	}
wolfSSL	7:481bce714567	418
wolfSSL	7:481bce714567	419
wolfSSL	7:481bce714567	420	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	421
wolfSSL	7:481bce714567	422	/* Free Named Key and the zero out the private key it holds */
wolfSSL	7:481bce714567	423	static void FreeNamedKey(NamedKey* in)
wolfSSL	7:481bce714567	424	{
wolfSSL	7:481bce714567	425	if (in) {
wolfSSL	7:481bce714567	426	if (in->key) {
wolfSSL	7:481bce714567	427	ForceZero(in->key, in->keySz);
wolfSSL	7:481bce714567	428	free(in->key);
wolfSSL	7:481bce714567	429	}
wolfSSL	7:481bce714567	430	free(in);
wolfSSL	7:481bce714567	431	}
wolfSSL	7:481bce714567	432	}
wolfSSL	7:481bce714567	433
wolfSSL	7:481bce714567	434
wolfSSL	7:481bce714567	435	static void FreeNamedKeyList(NamedKey* in)
wolfSSL	7:481bce714567	436	{
wolfSSL	7:481bce714567	437	NamedKey* next;
wolfSSL	7:481bce714567	438
wolfSSL	7:481bce714567	439	while (in) {
wolfSSL	7:481bce714567	440	next = in->next;
wolfSSL	7:481bce714567	441	FreeNamedKey(in);
wolfSSL	7:481bce714567	442	in = next;
wolfSSL	7:481bce714567	443	}
wolfSSL	7:481bce714567	444	}
wolfSSL	7:481bce714567	445
wolfSSL	7:481bce714567	446	#endif
wolfSSL	7:481bce714567	447
wolfSSL	7:481bce714567	448
wolfSSL	7:481bce714567	449	/* Free Sniffer Server's resources/self */
wolfSSL	7:481bce714567	450	static void FreeSnifferServer(SnifferServer* srv)
wolfSSL	7:481bce714567	451	{
wolfSSL	7:481bce714567	452	if (srv) {
wolfSSL	7:481bce714567	453	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	454	wc_LockMutex(&srv->namedKeysMutex);
wolfSSL	7:481bce714567	455	FreeNamedKeyList(srv->namedKeys);
wolfSSL	7:481bce714567	456	wc_UnLockMutex(&srv->namedKeysMutex);
wolfSSL	7:481bce714567	457	wc_FreeMutex(&srv->namedKeysMutex);
wolfSSL	7:481bce714567	458	#endif
wolfSSL	7:481bce714567	459	SSL_CTX_free(srv->ctx);
wolfSSL	7:481bce714567	460	}
wolfSSL	7:481bce714567	461	free(srv);
wolfSSL	7:481bce714567	462	}
wolfSSL	7:481bce714567	463
wolfSSL	7:481bce714567	464
wolfSSL	7:481bce714567	465	/* free PacketBuffer's resources/self */
wolfSSL	7:481bce714567	466	static void FreePacketBuffer(PacketBuffer* del)
wolfSSL	7:481bce714567	467	{
wolfSSL	7:481bce714567	468	if (del) {
wolfSSL	7:481bce714567	469	free(del->data);
wolfSSL	7:481bce714567	470	free(del);
wolfSSL	7:481bce714567	471	}
wolfSSL	7:481bce714567	472	}
wolfSSL	7:481bce714567	473
wolfSSL	7:481bce714567	474
wolfSSL	7:481bce714567	475	/* remove PacketBuffer List */
wolfSSL	7:481bce714567	476	static void FreePacketList(PacketBuffer* in)
wolfSSL	7:481bce714567	477	{
wolfSSL	7:481bce714567	478	if (in) {
wolfSSL	7:481bce714567	479	PacketBuffer* del;
wolfSSL	7:481bce714567	480	PacketBuffer* packet = in;
wolfSSL	7:481bce714567	481
wolfSSL	7:481bce714567	482	while (packet) {
wolfSSL	7:481bce714567	483	del = packet;
wolfSSL	7:481bce714567	484	packet = packet->next;
wolfSSL	7:481bce714567	485	FreePacketBuffer(del);
wolfSSL	7:481bce714567	486	}
wolfSSL	7:481bce714567	487	}
wolfSSL	7:481bce714567	488	}
wolfSSL	7:481bce714567	489
wolfSSL	7:481bce714567	490
wolfSSL	7:481bce714567	491	/* Free Sniffer Session's resources/self */
wolfSSL	7:481bce714567	492	static void FreeSnifferSession(SnifferSession* session)
wolfSSL	7:481bce714567	493	{
wolfSSL	7:481bce714567	494	if (session) {
wolfSSL	7:481bce714567	495	SSL_free(session->sslClient);
wolfSSL	7:481bce714567	496	SSL_free(session->sslServer);
wolfSSL	7:481bce714567	497
wolfSSL	7:481bce714567	498	FreePacketList(session->cliReassemblyList);
wolfSSL	7:481bce714567	499	FreePacketList(session->srvReassemblyList);
wolfSSL	7:481bce714567	500
wolfSSL	7:481bce714567	501	free(session->ticketID);
wolfSSL	7:481bce714567	502	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	503	free(session->hash);
wolfSSL	7:481bce714567	504	#endif
wolfSSL	7:481bce714567	505	}
wolfSSL	7:481bce714567	506	free(session);
wolfSSL	7:481bce714567	507	}
wolfSSL	7:481bce714567	508
wolfSSL	7:481bce714567	509
wolfSSL	7:481bce714567	510	/* Free overall Sniffer */
wolfSSL	7:481bce714567	511	void ssl_FreeSniffer(void)
wolfSSL	7:481bce714567	512	{
wolfSSL	7:481bce714567	513	SnifferServer* srv;
wolfSSL	7:481bce714567	514	SnifferServer* removeServer;
wolfSSL	7:481bce714567	515	SnifferSession* session;
wolfSSL	7:481bce714567	516	SnifferSession* removeSession;
wolfSSL	7:481bce714567	517	int i;
wolfSSL	7:481bce714567	518
wolfSSL	7:481bce714567	519	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	520	wc_LockMutex(&SessionMutex);
wolfSSL	7:481bce714567	521
wolfSSL	7:481bce714567	522	srv = ServerList;
wolfSSL	7:481bce714567	523	while (srv) {
wolfSSL	7:481bce714567	524	removeServer = srv;
wolfSSL	7:481bce714567	525	srv = srv->next;
wolfSSL	7:481bce714567	526	FreeSnifferServer(removeServer);
wolfSSL	7:481bce714567	527	}
wolfSSL	7:481bce714567	528
wolfSSL	7:481bce714567	529	for (i = 0; i < HASH_SIZE; i++) {
wolfSSL	7:481bce714567	530	session = SessionTable[i];
wolfSSL	7:481bce714567	531	while (session) {
wolfSSL	7:481bce714567	532	removeSession = session;
wolfSSL	7:481bce714567	533	session = session->next;
wolfSSL	7:481bce714567	534	FreeSnifferSession(removeSession);
wolfSSL	7:481bce714567	535	}
wolfSSL	7:481bce714567	536	}
wolfSSL	7:481bce714567	537
wolfSSL	7:481bce714567	538	wc_UnLockMutex(&SessionMutex);
wolfSSL	7:481bce714567	539	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	540
wolfSSL	7:481bce714567	541	wc_FreeMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	542	wc_FreeMutex(&SessionMutex);
wolfSSL	7:481bce714567	543	wc_FreeMutex(&ServerListMutex);
wolfSSL	7:481bce714567	544
wolfSSL	7:481bce714567	545	if (TraceFile) {
wolfSSL	7:481bce714567	546	TraceOn = 0;
wolfSSL	7:481bce714567	547	fclose(TraceFile);
wolfSSL	7:481bce714567	548	TraceFile = NULL;
wolfSSL	7:481bce714567	549	}
wolfSSL	7:481bce714567	550
wolfSSL	7:481bce714567	551	wolfSSL_Cleanup();
wolfSSL	7:481bce714567	552	}
wolfSSL	7:481bce714567	553
wolfSSL	7:481bce714567	554
wolfSSL	7:481bce714567	555	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	556
wolfSSL	7:481bce714567	557	static int HashInit(HsHashes* hash)
wolfSSL	7:481bce714567	558	{
wolfSSL	7:481bce714567	559	int ret = 0;
wolfSSL	7:481bce714567	560
wolfSSL	7:481bce714567	561	XMEMSET(hash, 0, sizeof(HsHashes));
wolfSSL	7:481bce714567	562
wolfSSL	7:481bce714567	563	#ifndef NO_OLD_TLS
wolfSSL	7:481bce714567	564	#ifndef NO_SHA
wolfSSL	7:481bce714567	565	if (ret == 0)
wolfSSL	7:481bce714567	566	ret = wc_InitSha(&hash->hashSha);
wolfSSL	7:481bce714567	567	#endif
wolfSSL	7:481bce714567	568	#ifndef NO_MD5
wolfSSL	7:481bce714567	569	if (ret == 0)
wolfSSL	7:481bce714567	570	wc_InitMd5(&hash->hashMd5);
wolfSSL	7:481bce714567	571	#endif
wolfSSL	7:481bce714567	572	#endif
wolfSSL	7:481bce714567	573	#ifndef NO_SHA256
wolfSSL	7:481bce714567	574	if (ret == 0)
wolfSSL	7:481bce714567	575	ret = wc_InitSha256(&hash->hashSha256);
wolfSSL	7:481bce714567	576	#endif
wolfSSL	7:481bce714567	577	#ifdef WOLFSSL_SHA384
wolfSSL	7:481bce714567	578	if (ret == 0)
wolfSSL	7:481bce714567	579	ret = wc_InitSha384(&hash->hashSha384);
wolfSSL	7:481bce714567	580	#endif
wolfSSL	7:481bce714567	581
wolfSSL	7:481bce714567	582	return ret;
wolfSSL	7:481bce714567	583	}
wolfSSL	7:481bce714567	584
wolfSSL	7:481bce714567	585
wolfSSL	7:481bce714567	586	static int HashUpdate(HsHashes* hash, const byte* input, int sz)
wolfSSL	7:481bce714567	587	{
wolfSSL	7:481bce714567	588	int ret = 0;
wolfSSL	7:481bce714567	589
wolfSSL	7:481bce714567	590	input -= HANDSHAKE_HEADER_SZ;
wolfSSL	7:481bce714567	591	sz += HANDSHAKE_HEADER_SZ;
wolfSSL	7:481bce714567	592
wolfSSL	7:481bce714567	593	#ifndef NO_OLD_TLS
wolfSSL	7:481bce714567	594	#ifndef NO_SHA
wolfSSL	7:481bce714567	595	if (ret == 0)
wolfSSL	7:481bce714567	596	ret = wc_ShaUpdate(&hash->hashSha, input, sz);
wolfSSL	7:481bce714567	597	#endif
wolfSSL	7:481bce714567	598	#ifndef NO_MD5
wolfSSL	7:481bce714567	599	if (ret == 0)
wolfSSL	7:481bce714567	600	wc_Md5Update(&hash->hashMd5, input, sz);
wolfSSL	7:481bce714567	601	#endif
wolfSSL	7:481bce714567	602	#endif
wolfSSL	7:481bce714567	603	#ifndef NO_SHA256
wolfSSL	7:481bce714567	604	if (ret == 0)
wolfSSL	7:481bce714567	605	ret = wc_Sha256Update(&hash->hashSha256, input, sz);
wolfSSL	7:481bce714567	606	#endif
wolfSSL	7:481bce714567	607	#ifdef WOLFSSL_SHA384
wolfSSL	7:481bce714567	608	if (ret == 0)
wolfSSL	7:481bce714567	609	ret = wc_Sha384Update(&hash->hashSha384, input, sz);
wolfSSL	7:481bce714567	610	#endif
wolfSSL	7:481bce714567	611
wolfSSL	7:481bce714567	612	return ret;
wolfSSL	7:481bce714567	613	}
wolfSSL	7:481bce714567	614
wolfSSL	7:481bce714567	615
wolfSSL	7:481bce714567	616	static int HashCopy(HS_Hashes* d, HsHashes* s)
wolfSSL	7:481bce714567	617	{
wolfSSL	7:481bce714567	618	#ifndef NO_OLD_TLS
wolfSSL	7:481bce714567	619	#ifndef NO_SHA
wolfSSL	7:481bce714567	620	XMEMCPY(&d->hashSha, &s->hashSha, sizeof(Sha));
wolfSSL	7:481bce714567	621	#endif
wolfSSL	7:481bce714567	622	#ifndef NO_MD5
wolfSSL	7:481bce714567	623	XMEMCPY(&d->hashMd5, &s->hashMd5, sizeof(Md5));
wolfSSL	7:481bce714567	624	#endif
wolfSSL	7:481bce714567	625	#endif
wolfSSL	7:481bce714567	626
wolfSSL	7:481bce714567	627	#ifndef NO_SHA256
wolfSSL	7:481bce714567	628	XMEMCPY(&d->hashSha256, &s->hashSha256, sizeof(Sha256));
wolfSSL	7:481bce714567	629	#endif
wolfSSL	7:481bce714567	630	#ifdef WOLFSSL_SHA384
wolfSSL	7:481bce714567	631	XMEMCPY(&d->hashSha384, &s->hashSha384, sizeof(Sha384));
wolfSSL	7:481bce714567	632	#endif
wolfSSL	7:481bce714567	633
wolfSSL	7:481bce714567	634	return 0;
wolfSSL	7:481bce714567	635	}
wolfSSL	7:481bce714567	636
wolfSSL	7:481bce714567	637	#endif
wolfSSL	7:481bce714567	638
wolfSSL	7:481bce714567	639
wolfSSL	7:481bce714567	640	/* Initialize a SnifferServer */
wolfSSL	7:481bce714567	641	static void InitSnifferServer(SnifferServer* sniffer)
wolfSSL	7:481bce714567	642	{
wolfSSL	7:481bce714567	643	sniffer->ctx = 0;
wolfSSL	7:481bce714567	644	XMEMSET(sniffer->address, 0, MAX_SERVER_ADDRESS);
wolfSSL	7:481bce714567	645	sniffer->server = 0;
wolfSSL	7:481bce714567	646	sniffer->port = 0;
wolfSSL	7:481bce714567	647	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	648	sniffer->namedKeys = 0;
wolfSSL	7:481bce714567	649	wc_InitMutex(&sniffer->namedKeysMutex);
wolfSSL	7:481bce714567	650	#endif
wolfSSL	7:481bce714567	651	sniffer->next = 0;
wolfSSL	7:481bce714567	652	}
wolfSSL	7:481bce714567	653
wolfSSL	7:481bce714567	654
wolfSSL	7:481bce714567	655	/* Initialize session flags */
wolfSSL	7:481bce714567	656	static void InitFlags(Flags* flags)
wolfSSL	7:481bce714567	657	{
wolfSSL	7:481bce714567	658	flags->side = 0;
wolfSSL	7:481bce714567	659	flags->serverCipherOn = 0;
wolfSSL	7:481bce714567	660	flags->clientCipherOn = 0;
wolfSSL	7:481bce714567	661	flags->resuming = 0;
wolfSSL	7:481bce714567	662	flags->cached = 0;
wolfSSL	7:481bce714567	663	flags->clientHello = 0;
wolfSSL	7:481bce714567	664	flags->finCount = 0;
wolfSSL	7:481bce714567	665	flags->fatalError = 0;
wolfSSL	7:481bce714567	666	flags->cliAckFault = 0;
wolfSSL	7:481bce714567	667	flags->srvAckFault = 0;
wolfSSL	7:481bce714567	668	flags->cliSkipPartial = 0;
wolfSSL	7:481bce714567	669	flags->srvSkipPartial = 0;
wolfSSL	7:481bce714567	670	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	671	flags->expectEms = 0;
wolfSSL	7:481bce714567	672	#endif
wolfSSL	7:481bce714567	673	}
wolfSSL	7:481bce714567	674
wolfSSL	7:481bce714567	675
wolfSSL	7:481bce714567	676	/* Initialize FIN Capture */
wolfSSL	7:481bce714567	677	static void InitFinCapture(FinCaputre* cap)
wolfSSL	7:481bce714567	678	{
wolfSSL	7:481bce714567	679	cap->cliFinSeq = 0;
wolfSSL	7:481bce714567	680	cap->srvFinSeq = 0;
wolfSSL	7:481bce714567	681	cap->cliCounted = 0;
wolfSSL	7:481bce714567	682	cap->srvCounted = 0;
wolfSSL	7:481bce714567	683	}
wolfSSL	7:481bce714567	684
wolfSSL	7:481bce714567	685
wolfSSL	7:481bce714567	686	/* Initialize a Sniffer Session */
wolfSSL	7:481bce714567	687	static void InitSession(SnifferSession* session)
wolfSSL	7:481bce714567	688	{
wolfSSL	7:481bce714567	689	session->context = 0;
wolfSSL	7:481bce714567	690	session->sslServer = 0;
wolfSSL	7:481bce714567	691	session->sslClient = 0;
wolfSSL	7:481bce714567	692	session->server = 0;
wolfSSL	7:481bce714567	693	session->client = 0;
wolfSSL	7:481bce714567	694	session->srvPort = 0;
wolfSSL	7:481bce714567	695	session->cliPort = 0;
wolfSSL	7:481bce714567	696	session->cliSeqStart = 0;
wolfSSL	7:481bce714567	697	session->srvSeqStart = 0;
wolfSSL	7:481bce714567	698	session->cliExpected = 0;
wolfSSL	7:481bce714567	699	session->srvExpected = 0;
wolfSSL	7:481bce714567	700	session->lastUsed = 0;
wolfSSL	7:481bce714567	701	session->cliReassemblyList = 0;
wolfSSL	7:481bce714567	702	session->srvReassemblyList = 0;
wolfSSL	7:481bce714567	703	session->cliReassemblyMemory = 0;
wolfSSL	7:481bce714567	704	session->srvReassemblyMemory = 0;
wolfSSL	7:481bce714567	705	session->next = 0;
wolfSSL	7:481bce714567	706	session->ticketID = 0;
wolfSSL	7:481bce714567	707
wolfSSL	7:481bce714567	708	InitFlags(&session->flags);
wolfSSL	7:481bce714567	709	InitFinCapture(&session->finCaputre);
wolfSSL	7:481bce714567	710	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	711	session->hash = 0;
wolfSSL	7:481bce714567	712	#endif
wolfSSL	7:481bce714567	713	}
wolfSSL	7:481bce714567	714
wolfSSL	7:481bce714567	715
wolfSSL	7:481bce714567	716	/* IP Info from IP Header */
wolfSSL	7:481bce714567	717	typedef struct IpInfo {
wolfSSL	7:481bce714567	718	int length; /* length of this header */
wolfSSL	7:481bce714567	719	int total; /* total length of fragment */
wolfSSL	7:481bce714567	720	word32 src; /* network order source address */
wolfSSL	7:481bce714567	721	word32 dst; /* network order destination address */
wolfSSL	7:481bce714567	722	} IpInfo;
wolfSSL	7:481bce714567	723
wolfSSL	7:481bce714567	724
wolfSSL	7:481bce714567	725	/* TCP Info from TCP Header */
wolfSSL	7:481bce714567	726	typedef struct TcpInfo {
wolfSSL	7:481bce714567	727	int srcPort; /* source port */
wolfSSL	7:481bce714567	728	int dstPort; /* source port */
wolfSSL	7:481bce714567	729	int length; /* length of this header */
wolfSSL	7:481bce714567	730	word32 sequence; /* sequence number */
wolfSSL	7:481bce714567	731	word32 ackNumber; /* ack number */
wolfSSL	7:481bce714567	732	byte fin; /* FIN set */
wolfSSL	7:481bce714567	733	byte rst; /* RST set */
wolfSSL	7:481bce714567	734	byte syn; /* SYN set */
wolfSSL	7:481bce714567	735	byte ack; /* ACK set */
wolfSSL	7:481bce714567	736	} TcpInfo;
wolfSSL	7:481bce714567	737
wolfSSL	7:481bce714567	738
wolfSSL	7:481bce714567	739	/* Tcp Pseudo Header for Checksum calculation */
wolfSSL	7:481bce714567	740	typedef struct TcpPseudoHdr {
wolfSSL	7:481bce714567	741	word32 src; /* source address */
wolfSSL	7:481bce714567	742	word32 dst; /* destination address */
wolfSSL	7:481bce714567	743	byte rsv; /* reserved, always 0 */
wolfSSL	7:481bce714567	744	byte protocol; /* IP protocol */
wolfSSL	7:481bce714567	745	word16 length; /* tcp header length + data length (doesn't include */
wolfSSL	7:481bce714567	746	/* pseudo header length) network order */
wolfSSL	7:481bce714567	747	} TcpPseudoHdr;
wolfSSL	7:481bce714567	748
wolfSSL	7:481bce714567	749
wolfSSL	7:481bce714567	750	/* Password Setting Callback */
wolfSSL	7:481bce714567	751	static int SetPassword(char* passwd, int sz, int rw, void* userdata)
wolfSSL	7:481bce714567	752	{
wolfSSL	7:481bce714567	753	(void)rw;
wolfSSL	7:481bce714567	754	XSTRNCPY(passwd, (const char*)userdata, sz);
wolfSSL	7:481bce714567	755	return (int)XSTRLEN((const char*)userdata);
wolfSSL	7:481bce714567	756	}
wolfSSL	7:481bce714567	757
wolfSSL	7:481bce714567	758
wolfSSL	7:481bce714567	759	/* Ethernet Header */
wolfSSL	7:481bce714567	760	typedef struct EthernetHdr {
wolfSSL	7:481bce714567	761	byte dst[ETHER_IF_ADDR_LEN]; /* destination host address */
wolfSSL	7:481bce714567	762	byte src[ETHER_IF_ADDR_LEN]; /* source host address */
wolfSSL	7:481bce714567	763	word16 type; /* IP, ARP, etc */
wolfSSL	7:481bce714567	764	} EthernetHdr;
wolfSSL	7:481bce714567	765
wolfSSL	7:481bce714567	766
wolfSSL	7:481bce714567	767	/* IP Header */
wolfSSL	7:481bce714567	768	typedef struct IpHdr {
wolfSSL	7:481bce714567	769	byte ver_hl; /* version/header length */
wolfSSL	7:481bce714567	770	byte tos; /* type of service */
wolfSSL	7:481bce714567	771	word16 length; /* total length */
wolfSSL	7:481bce714567	772	word16 id; /* identification */
wolfSSL	7:481bce714567	773	word16 offset; /* fragment offset field */
wolfSSL	7:481bce714567	774	byte ttl; /* time to live */
wolfSSL	7:481bce714567	775	byte protocol; /* protocol */
wolfSSL	7:481bce714567	776	word16 sum; /* checksum */
wolfSSL	7:481bce714567	777	word32 src; /* source address */
wolfSSL	7:481bce714567	778	word32 dst; /* destination address */
wolfSSL	7:481bce714567	779	} IpHdr;
wolfSSL	7:481bce714567	780
wolfSSL	7:481bce714567	781
wolfSSL	7:481bce714567	782	#define IP_HL(ip) ( (((ip)->ver_hl) & 0x0f) * 4)
wolfSSL	7:481bce714567	783	#define IP_V(ip) ( ((ip)->ver_hl) >> 4)
wolfSSL	7:481bce714567	784
wolfSSL	7:481bce714567	785	/* TCP Header */
wolfSSL	7:481bce714567	786	typedef struct TcpHdr {
wolfSSL	7:481bce714567	787	word16 srcPort; /* source port */
wolfSSL	7:481bce714567	788	word16 dstPort; /* destination port */
wolfSSL	7:481bce714567	789	word32 sequence; /* sequence number */
wolfSSL	7:481bce714567	790	word32 ack; /* acknoledgment number */
wolfSSL	7:481bce714567	791	byte offset; /* data offset, reserved */
wolfSSL	7:481bce714567	792	byte flags; /* option flags */
wolfSSL	7:481bce714567	793	word16 window; /* window */
wolfSSL	7:481bce714567	794	word16 sum; /* checksum */
wolfSSL	7:481bce714567	795	word16 urgent; /* urgent pointer */
wolfSSL	7:481bce714567	796	} TcpHdr;
wolfSSL	7:481bce714567	797
wolfSSL	7:481bce714567	798	#define TCP_LEN(tcp) ( (((tcp)->offset & 0xf0) >> 4) * 4)
wolfSSL	7:481bce714567	799	#define TCP_FIN 0x01
wolfSSL	7:481bce714567	800	#define TCP_SYN 0x02
wolfSSL	7:481bce714567	801	#define TCP_RST 0x04
wolfSSL	7:481bce714567	802	#define TCP_ACK 0x10
wolfSSL	7:481bce714567	803
wolfSSL	7:481bce714567	804
wolfSSL	7:481bce714567	805
wolfSSL	7:481bce714567	806
wolfSSL	7:481bce714567	807
wolfSSL	7:481bce714567	808	/* Use platform specific GetError to write to tracfile if tracing */
wolfSSL	7:481bce714567	809	static void Trace(int idx)
wolfSSL	7:481bce714567	810	{
wolfSSL	7:481bce714567	811	if (TraceOn) {
wolfSSL	7:481bce714567	812	char myBuffer[MAX_ERROR_LEN];
wolfSSL	7:481bce714567	813	GetError(idx, myBuffer);
wolfSSL	7:481bce714567	814	fprintf(TraceFile, "\t%s\n", myBuffer);
wolfSSL	7:481bce714567	815	#ifdef DEBUG_SNIFFER
wolfSSL	7:481bce714567	816	fprintf(stderr, "\t%s\n", myBuffer);
wolfSSL	7:481bce714567	817	#endif
wolfSSL	7:481bce714567	818	}
wolfSSL	7:481bce714567	819	}
wolfSSL	7:481bce714567	820
wolfSSL	7:481bce714567	821
wolfSSL	7:481bce714567	822	/* Show TimeStamp for beginning of packet Trace */
wolfSSL	7:481bce714567	823	static void TraceHeader(void)
wolfSSL	7:481bce714567	824	{
wolfSSL	7:481bce714567	825	if (TraceOn) {
wolfSSL	7:481bce714567	826	time_t ticks = time(NULL);
wolfSSL	7:481bce714567	827	fprintf(TraceFile, "\n%s", ctime(&ticks));
wolfSSL	7:481bce714567	828	}
wolfSSL	7:481bce714567	829	}
wolfSSL	7:481bce714567	830
wolfSSL	7:481bce714567	831
wolfSSL	7:481bce714567	832	/* Show Set Server info for Trace */
wolfSSL	7:481bce714567	833	static void TraceSetServer(const char* srv, int port, const char* keyFile)
wolfSSL	7:481bce714567	834	{
wolfSSL	7:481bce714567	835	if (TraceOn) {
wolfSSL	7:481bce714567	836	fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n");
wolfSSL	7:481bce714567	837	fprintf(TraceFile, "\tserver: %s, port: %d, keyFile: %s\n", srv, port,
wolfSSL	7:481bce714567	838	keyFile);
wolfSSL	7:481bce714567	839	}
wolfSSL	7:481bce714567	840	}
wolfSSL	7:481bce714567	841
wolfSSL	7:481bce714567	842
wolfSSL	7:481bce714567	843	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	844
wolfSSL	7:481bce714567	845	/* Show Set Named Server info for Trace */
wolfSSL	7:481bce714567	846	static void TraceSetNamedServer(const char* name,
wolfSSL	7:481bce714567	847	const char* srv, int port, const char* keyFile)
wolfSSL	7:481bce714567	848	{
wolfSSL	7:481bce714567	849	if (TraceOn) {
wolfSSL	7:481bce714567	850	fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n");
wolfSSL	7:481bce714567	851	fprintf(TraceFile, "\tname: %s, server: %s, port: %d, keyFile: %s\n",
wolfSSL	7:481bce714567	852	name, srv, port, keyFile);
wolfSSL	7:481bce714567	853	}
wolfSSL	7:481bce714567	854	}
wolfSSL	7:481bce714567	855
wolfSSL	7:481bce714567	856	#endif
wolfSSL	7:481bce714567	857
wolfSSL	7:481bce714567	858
wolfSSL	7:481bce714567	859	/* Trace got packet number */
wolfSSL	7:481bce714567	860	static void TracePacket(void)
wolfSSL	7:481bce714567	861	{
wolfSSL	7:481bce714567	862	if (TraceOn) {
wolfSSL	7:481bce714567	863	static word32 packetNumber = 0;
wolfSSL	7:481bce714567	864	fprintf(TraceFile, "\tGot a Packet to decode, packet %u\n",
wolfSSL	7:481bce714567	865	++packetNumber);
wolfSSL	7:481bce714567	866	}
wolfSSL	7:481bce714567	867	}
wolfSSL	7:481bce714567	868
wolfSSL	7:481bce714567	869
wolfSSL	7:481bce714567	870	/* Convert network byte order address into human readable */
wolfSSL	7:481bce714567	871	static char* IpToS(word32 addr, char* str)
wolfSSL	7:481bce714567	872	{
wolfSSL	7:481bce714567	873	byte* p = (byte*)&addr;
wolfSSL	7:481bce714567	874
wolfSSL	7:481bce714567	875	SNPRINTF(str, TRACE_MSG_SZ, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
wolfSSL	7:481bce714567	876
wolfSSL	7:481bce714567	877	return str;
wolfSSL	7:481bce714567	878	}
wolfSSL	7:481bce714567	879
wolfSSL	7:481bce714567	880
wolfSSL	7:481bce714567	881	/* Show destination and source address from Ip Hdr for packet Trace */
wolfSSL	7:481bce714567	882	static void TraceIP(IpHdr* iphdr)
wolfSSL	7:481bce714567	883	{
wolfSSL	7:481bce714567	884	if (TraceOn) {
wolfSSL	7:481bce714567	885	char src[TRACE_MSG_SZ];
wolfSSL	7:481bce714567	886	char dst[TRACE_MSG_SZ];
wolfSSL	7:481bce714567	887	fprintf(TraceFile, "\tdst:%s src:%s\n", IpToS(iphdr->dst, dst),
wolfSSL	7:481bce714567	888	IpToS(iphdr->src, src));
wolfSSL	7:481bce714567	889	}
wolfSSL	7:481bce714567	890	}
wolfSSL	7:481bce714567	891
wolfSSL	7:481bce714567	892
wolfSSL	7:481bce714567	893	/* Show destination and source port from Tcp Hdr for packet Trace */
wolfSSL	7:481bce714567	894	static void TraceTcp(TcpHdr* tcphdr)
wolfSSL	7:481bce714567	895	{
wolfSSL	7:481bce714567	896	if (TraceOn) {
wolfSSL	7:481bce714567	897	fprintf(TraceFile, "\tdstPort:%u srcPort:%u\n", ntohs(tcphdr->dstPort),
wolfSSL	7:481bce714567	898	ntohs(tcphdr->srcPort));
wolfSSL	7:481bce714567	899	}
wolfSSL	7:481bce714567	900	}
wolfSSL	7:481bce714567	901
wolfSSL	7:481bce714567	902
wolfSSL	7:481bce714567	903	/* Show sequence and payload length for Trace */
wolfSSL	7:481bce714567	904	static void TraceSequence(word32 seq, int len)
wolfSSL	7:481bce714567	905	{
wolfSSL	7:481bce714567	906	if (TraceOn) {
wolfSSL	7:481bce714567	907	fprintf(TraceFile, "\tSequence:%u, payload length:%d\n", seq, len);
wolfSSL	7:481bce714567	908	}
wolfSSL	7:481bce714567	909	}
wolfSSL	7:481bce714567	910
wolfSSL	7:481bce714567	911
wolfSSL	7:481bce714567	912	/* Show sequence and payload length for Trace */
wolfSSL	7:481bce714567	913	static void TraceAck(word32 ack, word32 expected)
wolfSSL	7:481bce714567	914	{
wolfSSL	7:481bce714567	915	if (TraceOn) {
wolfSSL	7:481bce714567	916	fprintf(TraceFile, "\tAck:%u Expected:%u\n", ack, expected);
wolfSSL	7:481bce714567	917	}
wolfSSL	7:481bce714567	918	}
wolfSSL	7:481bce714567	919
wolfSSL	7:481bce714567	920
wolfSSL	7:481bce714567	921	/* Show relative expected and relative received sequences */
wolfSSL	7:481bce714567	922	static void TraceRelativeSequence(word32 expected, word32 got)
wolfSSL	7:481bce714567	923	{
wolfSSL	7:481bce714567	924	if (TraceOn) {
wolfSSL	7:481bce714567	925	fprintf(TraceFile, "\tExpected sequence:%u, received sequence:%u\n",
wolfSSL	7:481bce714567	926	expected, got);
wolfSSL	7:481bce714567	927	}
wolfSSL	7:481bce714567	928	}
wolfSSL	7:481bce714567	929
wolfSSL	7:481bce714567	930
wolfSSL	7:481bce714567	931	/* Show server sequence startup from SYN */
wolfSSL	7:481bce714567	932	static void TraceServerSyn(word32 seq)
wolfSSL	7:481bce714567	933	{
wolfSSL	7:481bce714567	934	if (TraceOn) {
wolfSSL	7:481bce714567	935	fprintf(TraceFile, "\tServer SYN, Sequence Start:%u\n", seq);
wolfSSL	7:481bce714567	936	}
wolfSSL	7:481bce714567	937	}
wolfSSL	7:481bce714567	938
wolfSSL	7:481bce714567	939
wolfSSL	7:481bce714567	940	/* Show client sequence startup from SYN */
wolfSSL	7:481bce714567	941	static void TraceClientSyn(word32 seq)
wolfSSL	7:481bce714567	942	{
wolfSSL	7:481bce714567	943	if (TraceOn) {
wolfSSL	7:481bce714567	944	fprintf(TraceFile, "\tClient SYN, Sequence Start:%u\n", seq);
wolfSSL	7:481bce714567	945	}
wolfSSL	7:481bce714567	946	}
wolfSSL	7:481bce714567	947
wolfSSL	7:481bce714567	948
wolfSSL	7:481bce714567	949	/* Show client FIN capture */
wolfSSL	7:481bce714567	950	static void TraceClientFin(word32 finSeq, word32 relSeq)
wolfSSL	7:481bce714567	951	{
wolfSSL	7:481bce714567	952	if (TraceOn) {
wolfSSL	7:481bce714567	953	fprintf(TraceFile, "\tClient FIN capture:%u, current SEQ:%u\n",
wolfSSL	7:481bce714567	954	finSeq, relSeq);
wolfSSL	7:481bce714567	955	}
wolfSSL	7:481bce714567	956	}
wolfSSL	7:481bce714567	957
wolfSSL	7:481bce714567	958
wolfSSL	7:481bce714567	959	/* Show server FIN capture */
wolfSSL	7:481bce714567	960	static void TraceServerFin(word32 finSeq, word32 relSeq)
wolfSSL	7:481bce714567	961	{
wolfSSL	7:481bce714567	962	if (TraceOn) {
wolfSSL	7:481bce714567	963	fprintf(TraceFile, "\tServer FIN capture:%u, current SEQ:%u\n",
wolfSSL	7:481bce714567	964	finSeq, relSeq);
wolfSSL	7:481bce714567	965	}
wolfSSL	7:481bce714567	966	}
wolfSSL	7:481bce714567	967
wolfSSL	7:481bce714567	968
wolfSSL	7:481bce714567	969	/* Show number of SSL data bytes decoded, could be 0 (ok) */
wolfSSL	7:481bce714567	970	static void TraceGotData(int bytes)
wolfSSL	7:481bce714567	971	{
wolfSSL	7:481bce714567	972	if (TraceOn) {
wolfSSL	7:481bce714567	973	fprintf(TraceFile, "\t%d bytes of SSL App data processed\n", bytes);
wolfSSL	7:481bce714567	974	}
wolfSSL	7:481bce714567	975	}
wolfSSL	7:481bce714567	976
wolfSSL	7:481bce714567	977
wolfSSL	7:481bce714567	978	/* Show bytes added to old SSL App data */
wolfSSL	7:481bce714567	979	static void TraceAddedData(int newBytes, int existingBytes)
wolfSSL	7:481bce714567	980	{
wolfSSL	7:481bce714567	981	if (TraceOn) {
wolfSSL	7:481bce714567	982	fprintf(TraceFile,
wolfSSL	7:481bce714567	983	"\t%d bytes added to %d existing bytes in User Buffer\n",
wolfSSL	7:481bce714567	984	newBytes, existingBytes);
wolfSSL	7:481bce714567	985	}
wolfSSL	7:481bce714567	986	}
wolfSSL	7:481bce714567	987
wolfSSL	7:481bce714567	988
wolfSSL	7:481bce714567	989	/* Show Stale Session */
wolfSSL	7:481bce714567	990	static void TraceStaleSession(void)
wolfSSL	7:481bce714567	991	{
wolfSSL	7:481bce714567	992	if (TraceOn) {
wolfSSL	7:481bce714567	993	fprintf(TraceFile, "\tFound a stale session\n");
wolfSSL	7:481bce714567	994	}
wolfSSL	7:481bce714567	995	}
wolfSSL	7:481bce714567	996
wolfSSL	7:481bce714567	997
wolfSSL	7:481bce714567	998	/* Show Finding Stale Sessions */
wolfSSL	7:481bce714567	999	static void TraceFindingStale(void)
wolfSSL	7:481bce714567	1000	{
wolfSSL	7:481bce714567	1001	if (TraceOn) {
wolfSSL	7:481bce714567	1002	fprintf(TraceFile, "\tTrying to find Stale Sessions\n");
wolfSSL	7:481bce714567	1003	}
wolfSSL	7:481bce714567	1004	}
wolfSSL	7:481bce714567	1005
wolfSSL	7:481bce714567	1006
wolfSSL	7:481bce714567	1007	/* Show Removed Session */
wolfSSL	7:481bce714567	1008	static void TraceRemovedSession(void)
wolfSSL	7:481bce714567	1009	{
wolfSSL	7:481bce714567	1010	if (TraceOn) {
wolfSSL	7:481bce714567	1011	fprintf(TraceFile, "\tRemoved it\n");
wolfSSL	7:481bce714567	1012	}
wolfSSL	7:481bce714567	1013	}
wolfSSL	7:481bce714567	1014
wolfSSL	7:481bce714567	1015
wolfSSL	7:481bce714567	1016	/* Set user error string */
wolfSSL	7:481bce714567	1017	static void SetError(int idx, char* error, SnifferSession* session, int fatal)
wolfSSL	7:481bce714567	1018	{
wolfSSL	7:481bce714567	1019	GetError(idx, error);
wolfSSL	7:481bce714567	1020	Trace(idx);
wolfSSL	7:481bce714567	1021	if (session && fatal == FATAL_ERROR_STATE)
wolfSSL	7:481bce714567	1022	session->flags.fatalError = 1;
wolfSSL	7:481bce714567	1023	}
wolfSSL	7:481bce714567	1024
wolfSSL	7:481bce714567	1025
wolfSSL	7:481bce714567	1026	/* See if this IPV4 network order address has been registered */
wolfSSL	7:481bce714567	1027	/* return 1 is true, 0 is false */
wolfSSL	7:481bce714567	1028	static int IsServerRegistered(word32 addr)
wolfSSL	7:481bce714567	1029	{
wolfSSL	7:481bce714567	1030	int ret = 0; /* false */
wolfSSL	7:481bce714567	1031	SnifferServer* sniffer;
wolfSSL	7:481bce714567	1032
wolfSSL	7:481bce714567	1033	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1034
wolfSSL	7:481bce714567	1035	sniffer = ServerList;
wolfSSL	7:481bce714567	1036	while (sniffer) {
wolfSSL	7:481bce714567	1037	if (sniffer->server == addr) {
wolfSSL	7:481bce714567	1038	ret = 1;
wolfSSL	7:481bce714567	1039	break;
wolfSSL	7:481bce714567	1040	}
wolfSSL	7:481bce714567	1041	sniffer = sniffer->next;
wolfSSL	7:481bce714567	1042	}
wolfSSL	7:481bce714567	1043
wolfSSL	7:481bce714567	1044	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1045
wolfSSL	7:481bce714567	1046	return ret;
wolfSSL	7:481bce714567	1047	}
wolfSSL	7:481bce714567	1048
wolfSSL	7:481bce714567	1049
wolfSSL	7:481bce714567	1050	/* See if this port has been registered to watch */
wolfSSL	7:481bce714567	1051	/* return 1 is true, 0 is false */
wolfSSL	7:481bce714567	1052	static int IsPortRegistered(word32 port)
wolfSSL	7:481bce714567	1053	{
wolfSSL	7:481bce714567	1054	int ret = 0; /* false */
wolfSSL	7:481bce714567	1055	SnifferServer* sniffer;
wolfSSL	7:481bce714567	1056
wolfSSL	7:481bce714567	1057	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1058
wolfSSL	7:481bce714567	1059	sniffer = ServerList;
wolfSSL	7:481bce714567	1060	while (sniffer) {
wolfSSL	7:481bce714567	1061	if (sniffer->port == (int)port) {
wolfSSL	7:481bce714567	1062	ret = 1;
wolfSSL	7:481bce714567	1063	break;
wolfSSL	7:481bce714567	1064	}
wolfSSL	7:481bce714567	1065	sniffer = sniffer->next;
wolfSSL	7:481bce714567	1066	}
wolfSSL	7:481bce714567	1067
wolfSSL	7:481bce714567	1068	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1069
wolfSSL	7:481bce714567	1070	return ret;
wolfSSL	7:481bce714567	1071	}
wolfSSL	7:481bce714567	1072
wolfSSL	7:481bce714567	1073
wolfSSL	7:481bce714567	1074	/* Get SnifferServer from IP and Port */
wolfSSL	7:481bce714567	1075	static SnifferServer* GetSnifferServer(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	7:481bce714567	1076	{
wolfSSL	7:481bce714567	1077	SnifferServer* sniffer;
wolfSSL	7:481bce714567	1078
wolfSSL	7:481bce714567	1079	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1080
wolfSSL	7:481bce714567	1081	sniffer = ServerList;
wolfSSL	7:481bce714567	1082	while (sniffer) {
wolfSSL	7:481bce714567	1083	if (sniffer->port == tcpInfo->srcPort && sniffer->server == ipInfo->src)
wolfSSL	7:481bce714567	1084	break;
wolfSSL	7:481bce714567	1085	if (sniffer->port == tcpInfo->dstPort && sniffer->server == ipInfo->dst)
wolfSSL	7:481bce714567	1086	break;
wolfSSL	7:481bce714567	1087	sniffer = sniffer->next;
wolfSSL	7:481bce714567	1088	}
wolfSSL	7:481bce714567	1089
wolfSSL	7:481bce714567	1090	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1091
wolfSSL	7:481bce714567	1092	return sniffer;
wolfSSL	7:481bce714567	1093	}
wolfSSL	7:481bce714567	1094
wolfSSL	7:481bce714567	1095
wolfSSL	7:481bce714567	1096	/* Hash the Session Info, return hash row */
wolfSSL	7:481bce714567	1097	static word32 SessionHash(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	7:481bce714567	1098	{
wolfSSL	7:481bce714567	1099	word32 hash = ipInfo->src * ipInfo->dst;
wolfSSL	7:481bce714567	1100	hash = tcpInfo->srcPort tcpInfo->dstPort;
wolfSSL	7:481bce714567	1101
wolfSSL	7:481bce714567	1102	return hash % HASH_SIZE;
wolfSSL	7:481bce714567	1103	}
wolfSSL	7:481bce714567	1104
wolfSSL	7:481bce714567	1105
wolfSSL	7:481bce714567	1106	/* Get Exisiting SnifferSession from IP and Port */
wolfSSL	7:481bce714567	1107	static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo)
wolfSSL	7:481bce714567	1108	{
wolfSSL	7:481bce714567	1109	SnifferSession* session;
wolfSSL	7:481bce714567	1110	time_t currTime = time(NULL);
wolfSSL	7:481bce714567	1111	word32 row = SessionHash(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	1112
wolfSSL	7:481bce714567	1113	assert(row <= HASH_SIZE);
wolfSSL	7:481bce714567	1114
wolfSSL	7:481bce714567	1115	wc_LockMutex(&SessionMutex);
wolfSSL	7:481bce714567	1116
wolfSSL	7:481bce714567	1117	session = SessionTable[row];
wolfSSL	7:481bce714567	1118	while (session) {
wolfSSL	7:481bce714567	1119	if (session->server == ipInfo->src && session->client == ipInfo->dst &&
wolfSSL	7:481bce714567	1120	session->srvPort == tcpInfo->srcPort &&
wolfSSL	7:481bce714567	1121	session->cliPort == tcpInfo->dstPort)
wolfSSL	7:481bce714567	1122	break;
wolfSSL	7:481bce714567	1123	if (session->client == ipInfo->src && session->server == ipInfo->dst &&
wolfSSL	7:481bce714567	1124	session->cliPort == tcpInfo->srcPort &&
wolfSSL	7:481bce714567	1125	session->srvPort == tcpInfo->dstPort)
wolfSSL	7:481bce714567	1126	break;
wolfSSL	7:481bce714567	1127
wolfSSL	7:481bce714567	1128	session = session->next;
wolfSSL	7:481bce714567	1129	}
wolfSSL	7:481bce714567	1130
wolfSSL	7:481bce714567	1131	if (session)
wolfSSL	7:481bce714567	1132	session->lastUsed= currTime; /* keep session alive, remove stale will */
wolfSSL	7:481bce714567	1133	/* leave alone */
wolfSSL	7:481bce714567	1134	wc_UnLockMutex(&SessionMutex);
wolfSSL	7:481bce714567	1135
wolfSSL	7:481bce714567	1136	/* determine side */
wolfSSL	7:481bce714567	1137	if (session) {
wolfSSL	7:481bce714567	1138	if (ipInfo->dst == session->context->server &&
wolfSSL	7:481bce714567	1139	tcpInfo->dstPort == session->context->port)
wolfSSL	7:481bce714567	1140	session->flags.side = WOLFSSL_SERVER_END;
wolfSSL	7:481bce714567	1141	else
wolfSSL	7:481bce714567	1142	session->flags.side = WOLFSSL_CLIENT_END;
wolfSSL	7:481bce714567	1143	}
wolfSSL	7:481bce714567	1144
wolfSSL	7:481bce714567	1145	return session;
wolfSSL	7:481bce714567	1146	}
wolfSSL	7:481bce714567	1147
wolfSSL	7:481bce714567	1148
wolfSSL	7:481bce714567	1149	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1150
wolfSSL	7:481bce714567	1151	static int LoadKeyFile(byte** keyBuf, word32* keyBufSz,
wolfSSL	7:481bce714567	1152	const char* keyFile, int typeKey,
wolfSSL	7:481bce714567	1153	const char* password)
wolfSSL	7:481bce714567	1154	{
wolfSSL	7:481bce714567	1155	byte* loadBuf;
wolfSSL	7:481bce714567	1156	long fileSz = 0;
wolfSSL	7:481bce714567	1157	XFILE file;
wolfSSL	7:481bce714567	1158	int ret;
wolfSSL	7:481bce714567	1159
wolfSSL	7:481bce714567	1160	if (keyBuf == NULL \|\| keyBufSz == NULL \|\| keyFile == NULL) {
wolfSSL	7:481bce714567	1161	return -1;
wolfSSL	7:481bce714567	1162	}
wolfSSL	7:481bce714567	1163
wolfSSL	7:481bce714567	1164	file = XFOPEN(keyFile, "rb");
wolfSSL	7:481bce714567	1165	if (file == XBADFILE) return -1;
wolfSSL	7:481bce714567	1166	XFSEEK(file, 0, XSEEK_END);
wolfSSL	7:481bce714567	1167	fileSz = XFTELL(file);
wolfSSL	7:481bce714567	1168	XREWIND(file);
wolfSSL	7:481bce714567	1169
wolfSSL	7:481bce714567	1170	loadBuf = (byte*)malloc(fileSz);
wolfSSL	7:481bce714567	1171	if (loadBuf == NULL) {
wolfSSL	7:481bce714567	1172	XFCLOSE(file);
wolfSSL	7:481bce714567	1173	return -1;
wolfSSL	7:481bce714567	1174	}
wolfSSL	7:481bce714567	1175
wolfSSL	7:481bce714567	1176	ret = (int)XFREAD(loadBuf, fileSz, 1, file);
wolfSSL	7:481bce714567	1177	XFCLOSE(file);
wolfSSL	7:481bce714567	1178
wolfSSL	7:481bce714567	1179	if (typeKey == SSL_FILETYPE_PEM) {
wolfSSL	7:481bce714567	1180	byte* saveBuf = (byte*)malloc(fileSz);
wolfSSL	7:481bce714567	1181	int saveBufSz = 0;
wolfSSL	7:481bce714567	1182
wolfSSL	7:481bce714567	1183	ret = -1;
wolfSSL	7:481bce714567	1184	if (saveBuf != NULL) {
wolfSSL	7:481bce714567	1185	saveBufSz = wolfSSL_KeyPemToDer(loadBuf, (int)fileSz,
wolfSSL	7:481bce714567	1186	saveBuf, (int)fileSz, password);
wolfSSL	7:481bce714567	1187	if (saveBufSz < 0) {
wolfSSL	7:481bce714567	1188	saveBufSz = 0;
wolfSSL	7:481bce714567	1189	free(saveBuf);
wolfSSL	7:481bce714567	1190	saveBuf = NULL;
wolfSSL	7:481bce714567	1191	}
wolfSSL	7:481bce714567	1192	else
wolfSSL	7:481bce714567	1193	ret = 0;
wolfSSL	7:481bce714567	1194	}
wolfSSL	7:481bce714567	1195
wolfSSL	7:481bce714567	1196	ForceZero(loadBuf, (word32)fileSz);
wolfSSL	7:481bce714567	1197	free(loadBuf);
wolfSSL	7:481bce714567	1198
wolfSSL	7:481bce714567	1199	if (saveBuf) {
wolfSSL	7:481bce714567	1200	*keyBuf = saveBuf;
wolfSSL	7:481bce714567	1201	*keyBufSz = (word32)saveBufSz;
wolfSSL	7:481bce714567	1202	}
wolfSSL	7:481bce714567	1203	}
wolfSSL	7:481bce714567	1204	else {
wolfSSL	7:481bce714567	1205	*keyBuf = loadBuf;
wolfSSL	7:481bce714567	1206	*keyBufSz = (word32)fileSz;
wolfSSL	7:481bce714567	1207	}
wolfSSL	7:481bce714567	1208
wolfSSL	7:481bce714567	1209	if (ret < 0) {
wolfSSL	7:481bce714567	1210	return -1;
wolfSSL	7:481bce714567	1211	}
wolfSSL	7:481bce714567	1212
wolfSSL	7:481bce714567	1213	return ret;
wolfSSL	7:481bce714567	1214	}
wolfSSL	7:481bce714567	1215
wolfSSL	7:481bce714567	1216	#endif
wolfSSL	7:481bce714567	1217
wolfSSL	7:481bce714567	1218
wolfSSL	7:481bce714567	1219	static int SetNamedPrivateKey(const char* name, const char* address, int port,
wolfSSL	7:481bce714567	1220	const char* keyFile, int typeKey, const char* password, char* error)
wolfSSL	7:481bce714567	1221	{
wolfSSL	7:481bce714567	1222	SnifferServer* sniffer;
wolfSSL	7:481bce714567	1223	int ret;
wolfSSL	7:481bce714567	1224	int type = (typeKey == FILETYPE_PEM) ? SSL_FILETYPE_PEM :
wolfSSL	7:481bce714567	1225	SSL_FILETYPE_ASN1;
wolfSSL	7:481bce714567	1226	int isNew = 0;
wolfSSL	7:481bce714567	1227	word32 serverIp;
wolfSSL	7:481bce714567	1228
wolfSSL	7:481bce714567	1229	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1230	NamedKey* namedKey = NULL;
wolfSSL	7:481bce714567	1231	#endif
wolfSSL	7:481bce714567	1232
wolfSSL	7:481bce714567	1233	(void)name;
wolfSSL	7:481bce714567	1234	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1235	if (name != NULL) {
wolfSSL	7:481bce714567	1236	namedKey = (NamedKey*)malloc(sizeof(NamedKey));
wolfSSL	7:481bce714567	1237	if (namedKey == NULL) {
wolfSSL	7:481bce714567	1238	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1239	return -1;
wolfSSL	7:481bce714567	1240	}
wolfSSL	7:481bce714567	1241	XMEMSET(namedKey, 0, sizeof(NamedKey));
wolfSSL	7:481bce714567	1242
wolfSSL	7:481bce714567	1243	namedKey->nameSz = (word32)XSTRLEN(name);
wolfSSL	7:481bce714567	1244	XSTRNCPY(namedKey->name, name, sizeof(namedKey->name));
wolfSSL	7:481bce714567	1245	if (namedKey->nameSz >= sizeof(namedKey->name)) {
wolfSSL	7:481bce714567	1246	namedKey->nameSz = sizeof(namedKey->name) - 1;
wolfSSL	7:481bce714567	1247	namedKey->name[namedKey->nameSz] = '\0';
wolfSSL	7:481bce714567	1248	}
wolfSSL	7:481bce714567	1249
wolfSSL	7:481bce714567	1250	ret = LoadKeyFile(&namedKey->key, &namedKey->keySz,
wolfSSL	7:481bce714567	1251	keyFile, type, password);
wolfSSL	7:481bce714567	1252	if (ret < 0) {
wolfSSL	7:481bce714567	1253	SetError(KEY_FILE_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1254	FreeNamedKey(namedKey);
wolfSSL	7:481bce714567	1255	return -1;
wolfSSL	7:481bce714567	1256	}
wolfSSL	7:481bce714567	1257	}
wolfSSL	7:481bce714567	1258	#endif
wolfSSL	7:481bce714567	1259
wolfSSL	7:481bce714567	1260	serverIp = inet_addr(address);
wolfSSL	7:481bce714567	1261	sniffer = ServerList;
wolfSSL	7:481bce714567	1262	while (sniffer != NULL &&
wolfSSL	7:481bce714567	1263	(sniffer->server != serverIp \|\| sniffer->port != port)) {
wolfSSL	7:481bce714567	1264	sniffer = sniffer->next;
wolfSSL	7:481bce714567	1265	}
wolfSSL	7:481bce714567	1266
wolfSSL	7:481bce714567	1267	if (sniffer == NULL) {
wolfSSL	7:481bce714567	1268	isNew = 1;
wolfSSL	7:481bce714567	1269	sniffer = (SnifferServer*)malloc(sizeof(SnifferServer));
wolfSSL	7:481bce714567	1270	if (sniffer == NULL) {
wolfSSL	7:481bce714567	1271	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1272	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1273	FreeNamedKey(namedKey);
wolfSSL	7:481bce714567	1274	#endif
wolfSSL	7:481bce714567	1275	return -1;
wolfSSL	7:481bce714567	1276	}
wolfSSL	7:481bce714567	1277	InitSnifferServer(sniffer);
wolfSSL	7:481bce714567	1278
wolfSSL	7:481bce714567	1279	XSTRNCPY(sniffer->address, address, MAX_SERVER_ADDRESS-1);
wolfSSL	7:481bce714567	1280	sniffer->address[MAX_SERVER_ADDRESS-1] = '\0';
wolfSSL	7:481bce714567	1281	sniffer->server = serverIp;
wolfSSL	7:481bce714567	1282	sniffer->port = port;
wolfSSL	7:481bce714567	1283
wolfSSL	7:481bce714567	1284	sniffer->ctx = SSL_CTX_new(TLSv1_client_method());
wolfSSL	7:481bce714567	1285	if (!sniffer->ctx) {
wolfSSL	7:481bce714567	1286	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1287	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1288	FreeNamedKey(namedKey);
wolfSSL	7:481bce714567	1289	#endif
wolfSSL	7:481bce714567	1290	FreeSnifferServer(sniffer);
wolfSSL	7:481bce714567	1291	return -1;
wolfSSL	7:481bce714567	1292	}
wolfSSL	7:481bce714567	1293	}
wolfSSL	7:481bce714567	1294
wolfSSL	7:481bce714567	1295	if (name == NULL) {
wolfSSL	7:481bce714567	1296	if (password) {
wolfSSL	7:481bce714567	1297	SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);
wolfSSL	7:481bce714567	1298	SSL_CTX_set_default_passwd_cb_userdata(
wolfSSL	7:481bce714567	1299	sniffer->ctx, (void*)password);
wolfSSL	7:481bce714567	1300	}
wolfSSL	7:481bce714567	1301	ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type);
wolfSSL	7:481bce714567	1302	if (ret != SSL_SUCCESS) {
wolfSSL	7:481bce714567	1303	SetError(KEY_FILE_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1304	if (isNew)
wolfSSL	7:481bce714567	1305	FreeSnifferServer(sniffer);
wolfSSL	7:481bce714567	1306	return -1;
wolfSSL	7:481bce714567	1307	}
wolfSSL	7:481bce714567	1308	}
wolfSSL	7:481bce714567	1309	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1310	else {
wolfSSL	7:481bce714567	1311	wc_LockMutex(&sniffer->namedKeysMutex);
wolfSSL	7:481bce714567	1312	namedKey->next = sniffer->namedKeys;
wolfSSL	7:481bce714567	1313	sniffer->namedKeys = namedKey;
wolfSSL	7:481bce714567	1314	wc_UnLockMutex(&sniffer->namedKeysMutex);
wolfSSL	7:481bce714567	1315	}
wolfSSL	7:481bce714567	1316	#endif
wolfSSL	7:481bce714567	1317
wolfSSL	7:481bce714567	1318	if (isNew) {
wolfSSL	7:481bce714567	1319	sniffer->next = ServerList;
wolfSSL	7:481bce714567	1320	ServerList = sniffer;
wolfSSL	7:481bce714567	1321	}
wolfSSL	7:481bce714567	1322
wolfSSL	7:481bce714567	1323	return 0;
wolfSSL	7:481bce714567	1324	}
wolfSSL	7:481bce714567	1325
wolfSSL	7:481bce714567	1326
wolfSSL	7:481bce714567	1327	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1328
wolfSSL	7:481bce714567	1329	/* Sets the private key for a specific name, server and port */
wolfSSL	7:481bce714567	1330	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	1331	int ssl_SetNamedPrivateKey(const char* name,
wolfSSL	7:481bce714567	1332	const char* address, int port,
wolfSSL	7:481bce714567	1333	const char* keyFile, int typeKey,
wolfSSL	7:481bce714567	1334	const char* password, char* error)
wolfSSL	7:481bce714567	1335	{
wolfSSL	7:481bce714567	1336	int ret;
wolfSSL	7:481bce714567	1337
wolfSSL	7:481bce714567	1338	TraceHeader();
wolfSSL	7:481bce714567	1339	TraceSetNamedServer(name, address, port, keyFile);
wolfSSL	7:481bce714567	1340
wolfSSL	7:481bce714567	1341	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1342	ret = SetNamedPrivateKey(name, address, port, keyFile,
wolfSSL	7:481bce714567	1343	typeKey, password, error);
wolfSSL	7:481bce714567	1344	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1345
wolfSSL	7:481bce714567	1346	if (ret == 0)
wolfSSL	7:481bce714567	1347	Trace(NEW_SERVER_STR);
wolfSSL	7:481bce714567	1348
wolfSSL	7:481bce714567	1349	return ret;
wolfSSL	7:481bce714567	1350	}
wolfSSL	7:481bce714567	1351
wolfSSL	7:481bce714567	1352	#endif
wolfSSL	7:481bce714567	1353
wolfSSL	7:481bce714567	1354
wolfSSL	7:481bce714567	1355	/* Sets the private key for a specific server and port */
wolfSSL	7:481bce714567	1356	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	1357	int ssl_SetPrivateKey(const char* address, int port, const char* keyFile,
wolfSSL	7:481bce714567	1358	int typeKey, const char* password, char* error)
wolfSSL	7:481bce714567	1359	{
wolfSSL	7:481bce714567	1360	int ret;
wolfSSL	7:481bce714567	1361
wolfSSL	7:481bce714567	1362	TraceHeader();
wolfSSL	7:481bce714567	1363	TraceSetServer(address, port, keyFile);
wolfSSL	7:481bce714567	1364
wolfSSL	7:481bce714567	1365	wc_LockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1366	ret = SetNamedPrivateKey(NULL, address, port, keyFile,
wolfSSL	7:481bce714567	1367	typeKey, password, error);
wolfSSL	7:481bce714567	1368	wc_UnLockMutex(&ServerListMutex);
wolfSSL	7:481bce714567	1369
wolfSSL	7:481bce714567	1370	if (ret == 0)
wolfSSL	7:481bce714567	1371	Trace(NEW_SERVER_STR);
wolfSSL	7:481bce714567	1372
wolfSSL	7:481bce714567	1373	return ret;
wolfSSL	7:481bce714567	1374	}
wolfSSL	7:481bce714567	1375
wolfSSL	7:481bce714567	1376
wolfSSL	7:481bce714567	1377	/* Check IP Header for IPV4, TCP, and a registered server address */
wolfSSL	7:481bce714567	1378	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	1379	static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error)
wolfSSL	7:481bce714567	1380	{
wolfSSL	7:481bce714567	1381	int version = IP_V(iphdr);
wolfSSL	7:481bce714567	1382
wolfSSL	7:481bce714567	1383	TraceIP(iphdr);
wolfSSL	7:481bce714567	1384	Trace(IP_CHECK_STR);
wolfSSL	7:481bce714567	1385
wolfSSL	7:481bce714567	1386	if (version != IPV4) {
wolfSSL	7:481bce714567	1387	SetError(BAD_IPVER_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1388	return -1;
wolfSSL	7:481bce714567	1389	}
wolfSSL	7:481bce714567	1390
wolfSSL	7:481bce714567	1391	if (iphdr->protocol != TCP_PROTOCOL) {
wolfSSL	7:481bce714567	1392	SetError(BAD_PROTO_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1393	return -1;
wolfSSL	7:481bce714567	1394	}
wolfSSL	7:481bce714567	1395
wolfSSL	7:481bce714567	1396	if (!IsServerRegistered(iphdr->src) && !IsServerRegistered(iphdr->dst)) {
wolfSSL	7:481bce714567	1397	SetError(SERVER_NOT_REG_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1398	return -1;
wolfSSL	7:481bce714567	1399	}
wolfSSL	7:481bce714567	1400
wolfSSL	7:481bce714567	1401	info->length = IP_HL(iphdr);
wolfSSL	7:481bce714567	1402	info->total = ntohs(iphdr->length);
wolfSSL	7:481bce714567	1403	info->src = iphdr->src;
wolfSSL	7:481bce714567	1404	info->dst = iphdr->dst;
wolfSSL	7:481bce714567	1405
wolfSSL	7:481bce714567	1406	if (info->total == 0)
wolfSSL	7:481bce714567	1407	info->total = length; /* reassembled may be off */
wolfSSL	7:481bce714567	1408
wolfSSL	7:481bce714567	1409	return 0;
wolfSSL	7:481bce714567	1410	}
wolfSSL	7:481bce714567	1411
wolfSSL	7:481bce714567	1412
wolfSSL	7:481bce714567	1413	/* Check TCP Header for a registered port */
wolfSSL	7:481bce714567	1414	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	1415	static int CheckTcpHdr(TcpHdr* tcphdr, TcpInfo* info, char* error)
wolfSSL	7:481bce714567	1416	{
wolfSSL	7:481bce714567	1417	TraceTcp(tcphdr);
wolfSSL	7:481bce714567	1418	Trace(TCP_CHECK_STR);
wolfSSL	7:481bce714567	1419	info->srcPort = ntohs(tcphdr->srcPort);
wolfSSL	7:481bce714567	1420	info->dstPort = ntohs(tcphdr->dstPort);
wolfSSL	7:481bce714567	1421	info->length = TCP_LEN(tcphdr);
wolfSSL	7:481bce714567	1422	info->sequence = ntohl(tcphdr->sequence);
wolfSSL	7:481bce714567	1423	info->fin = tcphdr->flags & TCP_FIN;
wolfSSL	7:481bce714567	1424	info->rst = tcphdr->flags & TCP_RST;
wolfSSL	7:481bce714567	1425	info->syn = tcphdr->flags & TCP_SYN;
wolfSSL	7:481bce714567	1426	info->ack = tcphdr->flags & TCP_ACK;
wolfSSL	7:481bce714567	1427	if (info->ack)
wolfSSL	7:481bce714567	1428	info->ackNumber = ntohl(tcphdr->ack);
wolfSSL	7:481bce714567	1429
wolfSSL	7:481bce714567	1430	if (!IsPortRegistered(info->srcPort) && !IsPortRegistered(info->dstPort)) {
wolfSSL	7:481bce714567	1431	SetError(SERVER_PORT_NOT_REG_STR, error, NULL, 0);
wolfSSL	7:481bce714567	1432	return -1;
wolfSSL	7:481bce714567	1433	}
wolfSSL	7:481bce714567	1434
wolfSSL	7:481bce714567	1435	return 0;
wolfSSL	7:481bce714567	1436	}
wolfSSL	7:481bce714567	1437
wolfSSL	7:481bce714567	1438
wolfSSL	7:481bce714567	1439	/* Decode Record Layer Header */
wolfSSL	7:481bce714567	1440	static int GetRecordHeader(const byte* input, RecordLayerHeader* rh, int* size)
wolfSSL	7:481bce714567	1441	{
wolfSSL	7:481bce714567	1442	XMEMCPY(rh, input, RECORD_HEADER_SZ);
wolfSSL	7:481bce714567	1443	*size = (rh->length[0] << 8) \| rh->length[1];
wolfSSL	7:481bce714567	1444
wolfSSL	7:481bce714567	1445	if (*size > (MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA))
wolfSSL	7:481bce714567	1446	return LENGTH_ERROR;
wolfSSL	7:481bce714567	1447
wolfSSL	7:481bce714567	1448	return 0;
wolfSSL	7:481bce714567	1449	}
wolfSSL	7:481bce714567	1450
wolfSSL	7:481bce714567	1451
wolfSSL	7:481bce714567	1452	/* Process Client Key Exchange, RSA only */
wolfSSL	7:481bce714567	1453	static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
wolfSSL	7:481bce714567	1454	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	1455	{
wolfSSL	7:481bce714567	1456	word32 idx = 0;
wolfSSL	7:481bce714567	1457	RsaKey key;
wolfSSL	7:481bce714567	1458	int ret;
wolfSSL	7:481bce714567	1459
wolfSSL	7:481bce714567	1460	if (session->sslServer->buffers.key == NULL \|\|
wolfSSL	7:481bce714567	1461	session->sslServer->buffers.key->buffer == NULL \|\|
wolfSSL	7:481bce714567	1462	session->sslServer->buffers.key->length == 0) {
wolfSSL	7:481bce714567	1463
wolfSSL	7:481bce714567	1464	SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1465	return -1;
wolfSSL	7:481bce714567	1466	}
wolfSSL	7:481bce714567	1467	ret = wc_InitRsaKey(&key, 0);
wolfSSL	7:481bce714567	1468	if (ret == 0)
wolfSSL	7:481bce714567	1469	ret = wc_RsaPrivateKeyDecode(session->sslServer->buffers.key->buffer,
wolfSSL	7:481bce714567	1470	&idx, &key, session->sslServer->buffers.key->length);
wolfSSL	7:481bce714567	1471	if (ret == 0) {
wolfSSL	7:481bce714567	1472	int length = wc_RsaEncryptSize(&key);
wolfSSL	7:481bce714567	1473
wolfSSL	7:481bce714567	1474	if (IsTLS(session->sslServer))
wolfSSL	7:481bce714567	1475	input += 2; /* tls pre length */
wolfSSL	7:481bce714567	1476
wolfSSL	7:481bce714567	1477	if (length > *sslBytes) {
wolfSSL	7:481bce714567	1478	SetError(PARTIAL_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1479	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1480	return -1;
wolfSSL	7:481bce714567	1481	}
wolfSSL	7:481bce714567	1482	#ifdef WC_RSA_BLINDING
wolfSSL	7:481bce714567	1483	ret = wc_RsaSetRNG(&key, session->sslServer->rng);
wolfSSL	7:481bce714567	1484	if (ret != 0) {
wolfSSL	7:481bce714567	1485	SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1486	return -1;
wolfSSL	7:481bce714567	1487	}
wolfSSL	7:481bce714567	1488	#endif
wolfSSL	7:481bce714567	1489	ret = wc_RsaPrivateDecrypt(input, length,
wolfSSL	7:481bce714567	1490	session->sslServer->arrays->preMasterSecret,SECRET_LEN, &key);
wolfSSL	7:481bce714567	1491
wolfSSL	7:481bce714567	1492	if (ret != SECRET_LEN) {
wolfSSL	7:481bce714567	1493	SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1494	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1495	return -1;
wolfSSL	7:481bce714567	1496	}
wolfSSL	7:481bce714567	1497	session->sslServer->arrays->preMasterSz = SECRET_LEN;
wolfSSL	7:481bce714567	1498
wolfSSL	7:481bce714567	1499	/* store for client side as well */
wolfSSL	7:481bce714567	1500	XMEMCPY(session->sslClient->arrays->preMasterSecret,
wolfSSL	7:481bce714567	1501	session->sslServer->arrays->preMasterSecret, SECRET_LEN);
wolfSSL	7:481bce714567	1502	session->sslClient->arrays->preMasterSz = SECRET_LEN;
wolfSSL	7:481bce714567	1503
wolfSSL	7:481bce714567	1504	#ifdef SHOW_SECRETS
wolfSSL	7:481bce714567	1505	{
wolfSSL	7:481bce714567	1506	int i;
wolfSSL	7:481bce714567	1507	printf("pre master secret: ");
wolfSSL	7:481bce714567	1508	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	7:481bce714567	1509	printf("%02x", session->sslServer->arrays->preMasterSecret[i]);
wolfSSL	7:481bce714567	1510	printf("\n");
wolfSSL	7:481bce714567	1511	}
wolfSSL	7:481bce714567	1512	#endif
wolfSSL	7:481bce714567	1513	}
wolfSSL	7:481bce714567	1514	else {
wolfSSL	7:481bce714567	1515	SetError(RSA_DECODE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1516	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1517	return -1;
wolfSSL	7:481bce714567	1518	}
wolfSSL	7:481bce714567	1519
wolfSSL	7:481bce714567	1520	if (SetCipherSpecs(session->sslServer) != 0) {
wolfSSL	7:481bce714567	1521	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1522	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1523	return -1;
wolfSSL	7:481bce714567	1524	}
wolfSSL	7:481bce714567	1525
wolfSSL	7:481bce714567	1526	if (SetCipherSpecs(session->sslClient) != 0) {
wolfSSL	7:481bce714567	1527	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1528	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1529	return -1;
wolfSSL	7:481bce714567	1530	}
wolfSSL	7:481bce714567	1531
wolfSSL	7:481bce714567	1532	ret = MakeMasterSecret(session->sslServer);
wolfSSL	7:481bce714567	1533	ret += MakeMasterSecret(session->sslClient);
wolfSSL	7:481bce714567	1534	ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL	7:481bce714567	1535	ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL	7:481bce714567	1536
wolfSSL	7:481bce714567	1537	if (ret != 0) {
wolfSSL	7:481bce714567	1538	SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1539	return -1;
wolfSSL	7:481bce714567	1540	}
wolfSSL	7:481bce714567	1541
wolfSSL	7:481bce714567	1542	#ifdef SHOW_SECRETS
wolfSSL	7:481bce714567	1543	{
wolfSSL	7:481bce714567	1544	int i;
wolfSSL	7:481bce714567	1545	printf("server master secret: ");
wolfSSL	7:481bce714567	1546	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	7:481bce714567	1547	printf("%02x", session->sslServer->arrays->masterSecret[i]);
wolfSSL	7:481bce714567	1548	printf("\n");
wolfSSL	7:481bce714567	1549
wolfSSL	7:481bce714567	1550	printf("client master secret: ");
wolfSSL	7:481bce714567	1551	for (i = 0; i < SECRET_LEN; i++)
wolfSSL	7:481bce714567	1552	printf("%02x", session->sslClient->arrays->masterSecret[i]);
wolfSSL	7:481bce714567	1553	printf("\n");
wolfSSL	7:481bce714567	1554
wolfSSL	7:481bce714567	1555	printf("server suite = %d\n", session->sslServer->options.cipherSuite);
wolfSSL	7:481bce714567	1556	printf("client suite = %d\n", session->sslClient->options.cipherSuite);
wolfSSL	7:481bce714567	1557	}
wolfSSL	7:481bce714567	1558	#endif
wolfSSL	7:481bce714567	1559
wolfSSL	7:481bce714567	1560	wc_FreeRsaKey(&key);
wolfSSL	7:481bce714567	1561	return ret;
wolfSSL	7:481bce714567	1562	}
wolfSSL	7:481bce714567	1563
wolfSSL	7:481bce714567	1564
wolfSSL	7:481bce714567	1565	/* Process Session Ticket */
wolfSSL	7:481bce714567	1566	static int ProcessSessionTicket(const byte* input, int* sslBytes,
wolfSSL	7:481bce714567	1567	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	1568	{
wolfSSL	7:481bce714567	1569	word16 len;
wolfSSL	7:481bce714567	1570
wolfSSL	7:481bce714567	1571	/* make sure can read through hint and len */
wolfSSL	7:481bce714567	1572	if (TICKET_HINT_LEN + LENGTH_SZ > *sslBytes) {
wolfSSL	7:481bce714567	1573	SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1574	return -1;
wolfSSL	7:481bce714567	1575	}
wolfSSL	7:481bce714567	1576
wolfSSL	7:481bce714567	1577	input += TICKET_HINT_LEN; /* skip over hint */
wolfSSL	7:481bce714567	1578	*sslBytes -= TICKET_HINT_LEN;
wolfSSL	7:481bce714567	1579
wolfSSL	7:481bce714567	1580	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1581	input += LENGTH_SZ;
wolfSSL	7:481bce714567	1582	*sslBytes -= LENGTH_SZ;
wolfSSL	7:481bce714567	1583
wolfSSL	7:481bce714567	1584	/* make sure can read through ticket */
wolfSSL	7:481bce714567	1585	if (len > *sslBytes \|\| len < ID_LEN) {
wolfSSL	7:481bce714567	1586	SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1587	return -1;
wolfSSL	7:481bce714567	1588	}
wolfSSL	7:481bce714567	1589
wolfSSL	7:481bce714567	1590	/* store session with macID as sessionID */
wolfSSL	7:481bce714567	1591	session->sslServer->options.haveSessionId = 1;
wolfSSL	7:481bce714567	1592	XMEMCPY(session->sslServer->arrays->sessionID, input + len - ID_LEN,ID_LEN);
wolfSSL	7:481bce714567	1593
wolfSSL	7:481bce714567	1594	return 0;
wolfSSL	7:481bce714567	1595	}
wolfSSL	7:481bce714567	1596
wolfSSL	7:481bce714567	1597
wolfSSL	7:481bce714567	1598	/* Process Server Hello */
wolfSSL	7:481bce714567	1599	static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
wolfSSL	7:481bce714567	1600	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	1601	{
wolfSSL	7:481bce714567	1602	ProtocolVersion pv;
wolfSSL	7:481bce714567	1603	byte b;
wolfSSL	7:481bce714567	1604	int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
wolfSSL	7:481bce714567	1605	int doResume = 0;
wolfSSL	7:481bce714567	1606	int initialBytes = *sslBytes;
wolfSSL	7:481bce714567	1607
wolfSSL	7:481bce714567	1608	(void)msgSz;
wolfSSL	7:481bce714567	1609	(void)initialBytes;
wolfSSL	7:481bce714567	1610
wolfSSL	7:481bce714567	1611	/* make sure we didn't miss ClientHello */
wolfSSL	7:481bce714567	1612	if (session->flags.clientHello == 0) {
wolfSSL	7:481bce714567	1613	SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1614	return -1;
wolfSSL	7:481bce714567	1615	}
wolfSSL	7:481bce714567	1616
wolfSSL	7:481bce714567	1617	/* make sure can read through session len */
wolfSSL	7:481bce714567	1618	if (toRead > *sslBytes) {
wolfSSL	7:481bce714567	1619	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1620	return -1;
wolfSSL	7:481bce714567	1621	}
wolfSSL	7:481bce714567	1622
wolfSSL	7:481bce714567	1623	XMEMCPY(&pv, input, VERSION_SZ);
wolfSSL	7:481bce714567	1624	input += VERSION_SZ;
wolfSSL	7:481bce714567	1625	*sslBytes -= VERSION_SZ;
wolfSSL	7:481bce714567	1626
wolfSSL	7:481bce714567	1627	session->sslServer->version = pv;
wolfSSL	7:481bce714567	1628	session->sslClient->version = pv;
wolfSSL	7:481bce714567	1629
wolfSSL	7:481bce714567	1630	XMEMCPY(session->sslServer->arrays->serverRandom, input, RAN_LEN);
wolfSSL	7:481bce714567	1631	XMEMCPY(session->sslClient->arrays->serverRandom, input, RAN_LEN);
wolfSSL	7:481bce714567	1632	input += RAN_LEN;
wolfSSL	7:481bce714567	1633	*sslBytes -= RAN_LEN;
wolfSSL	7:481bce714567	1634
wolfSSL	7:481bce714567	1635	b = *input++;
wolfSSL	7:481bce714567	1636	*sslBytes -= 1;
wolfSSL	7:481bce714567	1637
wolfSSL	7:481bce714567	1638	/* make sure can read through compression */
wolfSSL	7:481bce714567	1639	if ( (b + SUITE_LEN + ENUM_LEN) > *sslBytes) {
wolfSSL	7:481bce714567	1640	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1641	return -1;
wolfSSL	7:481bce714567	1642	}
wolfSSL	7:481bce714567	1643	if (b) {
wolfSSL	7:481bce714567	1644	XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN);
wolfSSL	7:481bce714567	1645	session->sslServer->options.haveSessionId = 1;
wolfSSL	7:481bce714567	1646	}
wolfSSL	7:481bce714567	1647	input += b;
wolfSSL	7:481bce714567	1648	*sslBytes -= b;
wolfSSL	7:481bce714567	1649
wolfSSL	7:481bce714567	1650	/* cipher suite */
wolfSSL	7:481bce714567	1651	b = input++; / first byte, ECC or not */
wolfSSL	7:481bce714567	1652	session->sslServer->options.cipherSuite0 = b;
wolfSSL	7:481bce714567	1653	session->sslClient->options.cipherSuite0 = b;
wolfSSL	7:481bce714567	1654	b = *input++;
wolfSSL	7:481bce714567	1655	session->sslServer->options.cipherSuite = b;
wolfSSL	7:481bce714567	1656	session->sslClient->options.cipherSuite = b;
wolfSSL	7:481bce714567	1657	*sslBytes -= SUITE_LEN;
wolfSSL	7:481bce714567	1658
wolfSSL	7:481bce714567	1659	/* compression */
wolfSSL	7:481bce714567	1660	b = *input++;
wolfSSL	7:481bce714567	1661	*sslBytes -= ENUM_LEN;
wolfSSL	7:481bce714567	1662
wolfSSL	7:481bce714567	1663	if (b) {
wolfSSL	7:481bce714567	1664	SetError(BAD_COMPRESSION_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1665	return -1;
wolfSSL	7:481bce714567	1666	}
wolfSSL	7:481bce714567	1667
wolfSSL	7:481bce714567	1668	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	1669	/* extensions */
wolfSSL	7:481bce714567	1670	if ((initialBytes - *sslBytes) < msgSz) {
wolfSSL	7:481bce714567	1671	word16 len;
wolfSSL	7:481bce714567	1672
wolfSSL	7:481bce714567	1673	/* skip extensions until extended master secret */
wolfSSL	7:481bce714567	1674	/* make sure can read len */
wolfSSL	7:481bce714567	1675	if (SUITE_LEN > *sslBytes) {
wolfSSL	7:481bce714567	1676	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1677	return -1;
wolfSSL	7:481bce714567	1678	}
wolfSSL	7:481bce714567	1679	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1680	input += SUITE_LEN;
wolfSSL	7:481bce714567	1681	*sslBytes -= SUITE_LEN;
wolfSSL	7:481bce714567	1682	/* make sure can read through all extensions */
wolfSSL	7:481bce714567	1683	if (len > *sslBytes) {
wolfSSL	7:481bce714567	1684	SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1685	return -1;
wolfSSL	7:481bce714567	1686	}
wolfSSL	7:481bce714567	1687
wolfSSL	7:481bce714567	1688	while (len >= EXT_TYPE_SZ + LENGTH_SZ) {
wolfSSL	7:481bce714567	1689	byte extType[EXT_TYPE_SZ];
wolfSSL	7:481bce714567	1690	word16 extLen;
wolfSSL	7:481bce714567	1691
wolfSSL	7:481bce714567	1692	extType[0] = input[0];
wolfSSL	7:481bce714567	1693	extType[1] = input[1];
wolfSSL	7:481bce714567	1694	input += EXT_TYPE_SZ;
wolfSSL	7:481bce714567	1695	*sslBytes -= EXT_TYPE_SZ;
wolfSSL	7:481bce714567	1696
wolfSSL	7:481bce714567	1697	extLen = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1698	input += LENGTH_SZ;
wolfSSL	7:481bce714567	1699	*sslBytes -= LENGTH_SZ;
wolfSSL	7:481bce714567	1700
wolfSSL	7:481bce714567	1701	/* make sure can read through individual extension */
wolfSSL	7:481bce714567	1702	if (extLen > *sslBytes) {
wolfSSL	7:481bce714567	1703	SetError(SERVER_HELLO_INPUT_STR, error, session,
wolfSSL	7:481bce714567	1704	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1705	return -1;
wolfSSL	7:481bce714567	1706	}
wolfSSL	7:481bce714567	1707
wolfSSL	7:481bce714567	1708	if (extType[0] == 0x00 && extType[1] == EXT_MASTER_SECRET) {
wolfSSL	7:481bce714567	1709	session->flags.expectEms = 1;
wolfSSL	7:481bce714567	1710	}
wolfSSL	7:481bce714567	1711
wolfSSL	7:481bce714567	1712	input += extLen;
wolfSSL	7:481bce714567	1713	*sslBytes -= extLen;
wolfSSL	7:481bce714567	1714	len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
wolfSSL	7:481bce714567	1715	}
wolfSSL	7:481bce714567	1716	}
wolfSSL	7:481bce714567	1717
wolfSSL	7:481bce714567	1718	if (!session->flags.expectEms) {
wolfSSL	7:481bce714567	1719	free(session->hash);
wolfSSL	7:481bce714567	1720	session->hash = NULL;
wolfSSL	7:481bce714567	1721	}
wolfSSL	7:481bce714567	1722	#endif
wolfSSL	7:481bce714567	1723
wolfSSL	7:481bce714567	1724	if (session->sslServer->options.haveSessionId &&
wolfSSL	7:481bce714567	1725	XMEMCMP(session->sslServer->arrays->sessionID,
wolfSSL	7:481bce714567	1726	session->sslClient->arrays->sessionID, ID_LEN) == 0)
wolfSSL	7:481bce714567	1727	doResume = 1;
wolfSSL	7:481bce714567	1728	else if (session->sslClient->options.haveSessionId == 0 &&
wolfSSL	7:481bce714567	1729	session->sslServer->options.haveSessionId == 0 &&
wolfSSL	7:481bce714567	1730	session->ticketID)
wolfSSL	7:481bce714567	1731	doResume = 1;
wolfSSL	7:481bce714567	1732
wolfSSL	7:481bce714567	1733	if (session->ticketID && doResume) {
wolfSSL	7:481bce714567	1734	/* use ticketID to retrieve from session, prefer over sessionID */
wolfSSL	7:481bce714567	1735	XMEMCPY(session->sslServer->arrays->sessionID,session->ticketID,ID_LEN);
wolfSSL	7:481bce714567	1736	session->sslServer->options.haveSessionId = 1; /* may not have
wolfSSL	7:481bce714567	1737	actual sessionID */
wolfSSL	7:481bce714567	1738	}
wolfSSL	7:481bce714567	1739
wolfSSL	7:481bce714567	1740	if (doResume ) {
wolfSSL	7:481bce714567	1741	int ret = 0;
wolfSSL	7:481bce714567	1742	SSL_SESSION* resume = GetSession(session->sslServer,
wolfSSL	7:481bce714567	1743	session->sslServer->arrays->masterSecret, 0);
wolfSSL	7:481bce714567	1744	if (resume == NULL) {
wolfSSL	7:481bce714567	1745	SetError(BAD_SESSION_RESUME_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1746	return -1;
wolfSSL	7:481bce714567	1747	}
wolfSSL	7:481bce714567	1748	/* make sure client has master secret too */
wolfSSL	7:481bce714567	1749	XMEMCPY(session->sslClient->arrays->masterSecret,
wolfSSL	7:481bce714567	1750	session->sslServer->arrays->masterSecret, SECRET_LEN);
wolfSSL	7:481bce714567	1751	session->flags.resuming = 1;
wolfSSL	7:481bce714567	1752
wolfSSL	7:481bce714567	1753	Trace(SERVER_DID_RESUMPTION_STR);
wolfSSL	7:481bce714567	1754	if (SetCipherSpecs(session->sslServer) != 0) {
wolfSSL	7:481bce714567	1755	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1756	return -1;
wolfSSL	7:481bce714567	1757	}
wolfSSL	7:481bce714567	1758
wolfSSL	7:481bce714567	1759	if (SetCipherSpecs(session->sslClient) != 0) {
wolfSSL	7:481bce714567	1760	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1761	return -1;
wolfSSL	7:481bce714567	1762	}
wolfSSL	7:481bce714567	1763
wolfSSL	7:481bce714567	1764	if (session->sslServer->options.tls) {
wolfSSL	7:481bce714567	1765	ret = DeriveTlsKeys(session->sslServer);
wolfSSL	7:481bce714567	1766	ret += DeriveTlsKeys(session->sslClient);
wolfSSL	7:481bce714567	1767	}
wolfSSL	7:481bce714567	1768	else {
wolfSSL	7:481bce714567	1769	ret = DeriveKeys(session->sslServer);
wolfSSL	7:481bce714567	1770	ret += DeriveKeys(session->sslClient);
wolfSSL	7:481bce714567	1771	}
wolfSSL	7:481bce714567	1772	ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL	7:481bce714567	1773	ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL	7:481bce714567	1774
wolfSSL	7:481bce714567	1775	if (ret != 0) {
wolfSSL	7:481bce714567	1776	SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1777	return -1;
wolfSSL	7:481bce714567	1778	}
wolfSSL	7:481bce714567	1779	}
wolfSSL	7:481bce714567	1780	#ifdef SHOW_SECRETS
wolfSSL	7:481bce714567	1781	{
wolfSSL	7:481bce714567	1782	int i;
wolfSSL	7:481bce714567	1783	printf("cipher suite = 0x%02x\n",
wolfSSL	7:481bce714567	1784	session->sslServer->options.cipherSuite);
wolfSSL	7:481bce714567	1785	printf("server random: ");
wolfSSL	7:481bce714567	1786	for (i = 0; i < RAN_LEN; i++)
wolfSSL	7:481bce714567	1787	printf("%02x", session->sslServer->arrays->serverRandom[i]);
wolfSSL	7:481bce714567	1788	printf("\n");
wolfSSL	7:481bce714567	1789	}
wolfSSL	7:481bce714567	1790	#endif
wolfSSL	7:481bce714567	1791	return 0;
wolfSSL	7:481bce714567	1792	}
wolfSSL	7:481bce714567	1793
wolfSSL	7:481bce714567	1794
wolfSSL	7:481bce714567	1795	/* Process normal Client Hello */
wolfSSL	7:481bce714567	1796	static int ProcessClientHello(const byte* input, int* sslBytes,
wolfSSL	7:481bce714567	1797	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	1798	{
wolfSSL	7:481bce714567	1799	byte bLen;
wolfSSL	7:481bce714567	1800	word16 len;
wolfSSL	7:481bce714567	1801	int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
wolfSSL	7:481bce714567	1802
wolfSSL	7:481bce714567	1803	#ifdef HAVE_SNI
wolfSSL	7:481bce714567	1804	{
wolfSSL	7:481bce714567	1805	byte name[MAX_SERVER_NAME];
wolfSSL	7:481bce714567	1806	word32 nameSz = sizeof(name);
wolfSSL	7:481bce714567	1807	int ret;
wolfSSL	7:481bce714567	1808
wolfSSL	7:481bce714567	1809	ret = wolfSSL_SNI_GetFromBuffer(
wolfSSL	7:481bce714567	1810	input - HANDSHAKE_HEADER_SZ - RECORD_HEADER_SZ,
wolfSSL	7:481bce714567	1811	*sslBytes + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ,
wolfSSL	7:481bce714567	1812	WOLFSSL_SNI_HOST_NAME, name, &nameSz);
wolfSSL	7:481bce714567	1813
wolfSSL	7:481bce714567	1814	if (ret == SSL_SUCCESS) {
wolfSSL	7:481bce714567	1815	NamedKey* namedKey;
wolfSSL	7:481bce714567	1816
wolfSSL	7:481bce714567	1817	if (nameSz >= sizeof(name))
wolfSSL	7:481bce714567	1818	nameSz = sizeof(name) - 1;
wolfSSL	7:481bce714567	1819	name[nameSz] = 0;
wolfSSL	7:481bce714567	1820	wc_LockMutex(&session->context->namedKeysMutex);
wolfSSL	7:481bce714567	1821	namedKey = session->context->namedKeys;
wolfSSL	7:481bce714567	1822	while (namedKey != NULL) {
wolfSSL	7:481bce714567	1823	if (nameSz == namedKey->nameSz &&
wolfSSL	7:481bce714567	1824	XSTRNCMP((char*)name, namedKey->name, nameSz) == 0) {
wolfSSL	7:481bce714567	1825	if (wolfSSL_use_PrivateKey_buffer(session->sslServer,
wolfSSL	7:481bce714567	1826	namedKey->key, namedKey->keySz,
wolfSSL	7:481bce714567	1827	SSL_FILETYPE_ASN1) != SSL_SUCCESS) {
wolfSSL	7:481bce714567	1828	wc_UnLockMutex(&session->context->namedKeysMutex);
wolfSSL	7:481bce714567	1829	SetError(CLIENT_HELLO_LATE_KEY_STR, error, session,
wolfSSL	7:481bce714567	1830	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1831	return -1;
wolfSSL	7:481bce714567	1832	}
wolfSSL	7:481bce714567	1833	break;
wolfSSL	7:481bce714567	1834	}
wolfSSL	7:481bce714567	1835	else
wolfSSL	7:481bce714567	1836	namedKey = namedKey->next;
wolfSSL	7:481bce714567	1837	}
wolfSSL	7:481bce714567	1838	wc_UnLockMutex(&session->context->namedKeysMutex);
wolfSSL	7:481bce714567	1839	}
wolfSSL	7:481bce714567	1840	}
wolfSSL	7:481bce714567	1841	#endif
wolfSSL	7:481bce714567	1842
wolfSSL	7:481bce714567	1843	session->flags.clientHello = 1; /* don't process again */
wolfSSL	7:481bce714567	1844
wolfSSL	7:481bce714567	1845	/* make sure can read up to session len */
wolfSSL	7:481bce714567	1846	if (toRead > *sslBytes) {
wolfSSL	7:481bce714567	1847	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1848	return -1;
wolfSSL	7:481bce714567	1849	}
wolfSSL	7:481bce714567	1850
wolfSSL	7:481bce714567	1851	/* skip, get negotiated one from server hello */
wolfSSL	7:481bce714567	1852	input += VERSION_SZ;
wolfSSL	7:481bce714567	1853	*sslBytes -= VERSION_SZ;
wolfSSL	7:481bce714567	1854
wolfSSL	7:481bce714567	1855	XMEMCPY(session->sslServer->arrays->clientRandom, input, RAN_LEN);
wolfSSL	7:481bce714567	1856	XMEMCPY(session->sslClient->arrays->clientRandom, input, RAN_LEN);
wolfSSL	7:481bce714567	1857
wolfSSL	7:481bce714567	1858	input += RAN_LEN;
wolfSSL	7:481bce714567	1859	*sslBytes -= RAN_LEN;
wolfSSL	7:481bce714567	1860
wolfSSL	7:481bce714567	1861	/* store session in case trying to resume */
wolfSSL	7:481bce714567	1862	bLen = *input++;
wolfSSL	7:481bce714567	1863	*sslBytes -= ENUM_LEN;
wolfSSL	7:481bce714567	1864	if (bLen) {
wolfSSL	7:481bce714567	1865	if (ID_LEN > *sslBytes) {
wolfSSL	7:481bce714567	1866	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1867	return -1;
wolfSSL	7:481bce714567	1868	}
wolfSSL	7:481bce714567	1869	Trace(CLIENT_RESUME_TRY_STR);
wolfSSL	7:481bce714567	1870	XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN);
wolfSSL	7:481bce714567	1871	session->sslClient->options.haveSessionId = 1;
wolfSSL	7:481bce714567	1872	}
wolfSSL	7:481bce714567	1873	#ifdef SHOW_SECRETS
wolfSSL	7:481bce714567	1874	{
wolfSSL	7:481bce714567	1875	int i;
wolfSSL	7:481bce714567	1876	printf("client random: ");
wolfSSL	7:481bce714567	1877	for (i = 0; i < RAN_LEN; i++)
wolfSSL	7:481bce714567	1878	printf("%02x", session->sslServer->arrays->clientRandom[i]);
wolfSSL	7:481bce714567	1879	printf("\n");
wolfSSL	7:481bce714567	1880	}
wolfSSL	7:481bce714567	1881	#endif
wolfSSL	7:481bce714567	1882
wolfSSL	7:481bce714567	1883	input += bLen;
wolfSSL	7:481bce714567	1884	*sslBytes -= bLen;
wolfSSL	7:481bce714567	1885
wolfSSL	7:481bce714567	1886	/* skip cipher suites */
wolfSSL	7:481bce714567	1887	/* make sure can read len */
wolfSSL	7:481bce714567	1888	if (SUITE_LEN > *sslBytes) {
wolfSSL	7:481bce714567	1889	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1890	return -1;
wolfSSL	7:481bce714567	1891	}
wolfSSL	7:481bce714567	1892	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1893	input += SUITE_LEN;
wolfSSL	7:481bce714567	1894	*sslBytes -= SUITE_LEN;
wolfSSL	7:481bce714567	1895	/* make sure can read suites + comp len */
wolfSSL	7:481bce714567	1896	if (len + ENUM_LEN > *sslBytes) {
wolfSSL	7:481bce714567	1897	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1898	return -1;
wolfSSL	7:481bce714567	1899	}
wolfSSL	7:481bce714567	1900	input += len;
wolfSSL	7:481bce714567	1901	*sslBytes -= len;
wolfSSL	7:481bce714567	1902
wolfSSL	7:481bce714567	1903	/* skip compression */
wolfSSL	7:481bce714567	1904	bLen = *input++;
wolfSSL	7:481bce714567	1905	*sslBytes -= ENUM_LEN;
wolfSSL	7:481bce714567	1906	/* make sure can read len */
wolfSSL	7:481bce714567	1907	if (bLen > *sslBytes) {
wolfSSL	7:481bce714567	1908	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1909	return -1;
wolfSSL	7:481bce714567	1910	}
wolfSSL	7:481bce714567	1911	input += bLen;
wolfSSL	7:481bce714567	1912	*sslBytes -= bLen;
wolfSSL	7:481bce714567	1913
wolfSSL	7:481bce714567	1914	if (*sslBytes == 0) {
wolfSSL	7:481bce714567	1915	/* no extensions */
wolfSSL	7:481bce714567	1916	return 0;
wolfSSL	7:481bce714567	1917	}
wolfSSL	7:481bce714567	1918
wolfSSL	7:481bce714567	1919	/* skip extensions until session ticket */
wolfSSL	7:481bce714567	1920	/* make sure can read len */
wolfSSL	7:481bce714567	1921	if (SUITE_LEN > *sslBytes) {
wolfSSL	7:481bce714567	1922	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1923	return -1;
wolfSSL	7:481bce714567	1924	}
wolfSSL	7:481bce714567	1925	len = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1926	input += SUITE_LEN;
wolfSSL	7:481bce714567	1927	*sslBytes -= SUITE_LEN;
wolfSSL	7:481bce714567	1928	/* make sure can read through all extensions */
wolfSSL	7:481bce714567	1929	if (len > *sslBytes) {
wolfSSL	7:481bce714567	1930	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1931	return -1;
wolfSSL	7:481bce714567	1932	}
wolfSSL	7:481bce714567	1933
wolfSSL	7:481bce714567	1934	while (len >= EXT_TYPE_SZ + LENGTH_SZ) {
wolfSSL	7:481bce714567	1935	byte extType[EXT_TYPE_SZ];
wolfSSL	7:481bce714567	1936	word16 extLen;
wolfSSL	7:481bce714567	1937
wolfSSL	7:481bce714567	1938	extType[0] = input[0];
wolfSSL	7:481bce714567	1939	extType[1] = input[1];
wolfSSL	7:481bce714567	1940	input += EXT_TYPE_SZ;
wolfSSL	7:481bce714567	1941	*sslBytes -= EXT_TYPE_SZ;
wolfSSL	7:481bce714567	1942
wolfSSL	7:481bce714567	1943	extLen = (word16)((input[0] << 8) \| input[1]);
wolfSSL	7:481bce714567	1944	input += LENGTH_SZ;
wolfSSL	7:481bce714567	1945	*sslBytes -= LENGTH_SZ;
wolfSSL	7:481bce714567	1946
wolfSSL	7:481bce714567	1947	/* make sure can read through individual extension */
wolfSSL	7:481bce714567	1948	if (extLen > *sslBytes) {
wolfSSL	7:481bce714567	1949	SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1950	return -1;
wolfSSL	7:481bce714567	1951	}
wolfSSL	7:481bce714567	1952
wolfSSL	7:481bce714567	1953	if (extType[0] == 0x00 && extType[1] == TICKET_EXT_ID) {
wolfSSL	7:481bce714567	1954
wolfSSL	7:481bce714567	1955	/* make sure can read through ticket if there is a non blank one */
wolfSSL	7:481bce714567	1956	if (extLen && extLen < ID_LEN) {
wolfSSL	7:481bce714567	1957	SetError(CLIENT_HELLO_INPUT_STR, error, session,
wolfSSL	7:481bce714567	1958	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1959	return -1;
wolfSSL	7:481bce714567	1960	}
wolfSSL	7:481bce714567	1961
wolfSSL	7:481bce714567	1962	if (extLen) {
wolfSSL	7:481bce714567	1963	if (session->ticketID == 0) {
wolfSSL	7:481bce714567	1964	session->ticketID = (byte*)malloc(ID_LEN);
wolfSSL	7:481bce714567	1965	if (session->ticketID == 0) {
wolfSSL	7:481bce714567	1966	SetError(MEMORY_STR, error, session,
wolfSSL	7:481bce714567	1967	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	1968	return -1;
wolfSSL	7:481bce714567	1969	}
wolfSSL	7:481bce714567	1970	}
wolfSSL	7:481bce714567	1971	XMEMCPY(session->ticketID, input + extLen - ID_LEN, ID_LEN);
wolfSSL	7:481bce714567	1972	}
wolfSSL	7:481bce714567	1973	}
wolfSSL	7:481bce714567	1974
wolfSSL	7:481bce714567	1975	input += extLen;
wolfSSL	7:481bce714567	1976	*sslBytes -= extLen;
wolfSSL	7:481bce714567	1977	len -= extLen + EXT_TYPE_SZ + LENGTH_SZ;
wolfSSL	7:481bce714567	1978	}
wolfSSL	7:481bce714567	1979
wolfSSL	7:481bce714567	1980	return 0;
wolfSSL	7:481bce714567	1981	}
wolfSSL	7:481bce714567	1982
wolfSSL	7:481bce714567	1983
wolfSSL	7:481bce714567	1984	/* Process Finished */
wolfSSL	7:481bce714567	1985	static int ProcessFinished(const byte* input, int size, int* sslBytes,
wolfSSL	7:481bce714567	1986	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	1987	{
wolfSSL	7:481bce714567	1988	SSL* ssl;
wolfSSL	7:481bce714567	1989	word32 inOutIdx = 0;
wolfSSL	7:481bce714567	1990	int ret;
wolfSSL	7:481bce714567	1991
wolfSSL	7:481bce714567	1992	if (session->flags.side == WOLFSSL_SERVER_END)
wolfSSL	7:481bce714567	1993	ssl = session->sslServer;
wolfSSL	7:481bce714567	1994	else
wolfSSL	7:481bce714567	1995	ssl = session->sslClient;
wolfSSL	7:481bce714567	1996
wolfSSL	7:481bce714567	1997	ret = DoFinished(ssl, input, &inOutIdx, (word32) size, (word32) *sslBytes,
wolfSSL	7:481bce714567	1998	SNIFF);
wolfSSL	7:481bce714567	1999	*sslBytes -= (int)inOutIdx;
wolfSSL	7:481bce714567	2000
wolfSSL	7:481bce714567	2001	if (ret < 0) {
wolfSSL	7:481bce714567	2002	SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2003	return ret;
wolfSSL	7:481bce714567	2004	}
wolfSSL	7:481bce714567	2005
wolfSSL	7:481bce714567	2006	if (ret == 0 && session->flags.cached == 0) {
wolfSSL	7:481bce714567	2007	if (session->sslServer->options.haveSessionId) {
wolfSSL	7:481bce714567	2008	WOLFSSL_SESSION* sess = GetSession(session->sslServer, NULL, 0);
wolfSSL	7:481bce714567	2009	if (sess == NULL)
wolfSSL	7:481bce714567	2010	AddSession(session->sslServer); /* don't re add */
wolfSSL	7:481bce714567	2011	session->flags.cached = 1;
wolfSSL	7:481bce714567	2012	}
wolfSSL	7:481bce714567	2013	}
wolfSSL	7:481bce714567	2014
wolfSSL	7:481bce714567	2015	/* If receiving a finished message from one side, free the resources
wolfSSL	7:481bce714567	2016	* from the other side's tracker. */
wolfSSL	7:481bce714567	2017	if (session->flags.side == WOLFSSL_SERVER_END)
wolfSSL	7:481bce714567	2018	FreeHandshakeResources(session->sslClient);
wolfSSL	7:481bce714567	2019	else
wolfSSL	7:481bce714567	2020	FreeHandshakeResources(session->sslServer);
wolfSSL	7:481bce714567	2021
wolfSSL	7:481bce714567	2022	return ret;
wolfSSL	7:481bce714567	2023	}
wolfSSL	7:481bce714567	2024
wolfSSL	7:481bce714567	2025
wolfSSL	7:481bce714567	2026	/* Process HandShake input */
wolfSSL	7:481bce714567	2027	static int DoHandShake(const byte* input, int* sslBytes,
wolfSSL	7:481bce714567	2028	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	2029	{
wolfSSL	7:481bce714567	2030	byte type;
wolfSSL	7:481bce714567	2031	int size;
wolfSSL	7:481bce714567	2032	int ret = 0;
wolfSSL	7:481bce714567	2033	int startBytes;
wolfSSL	7:481bce714567	2034
wolfSSL	7:481bce714567	2035	if (*sslBytes < HANDSHAKE_HEADER_SZ) {
wolfSSL	7:481bce714567	2036	SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2037	return -1;
wolfSSL	7:481bce714567	2038	}
wolfSSL	7:481bce714567	2039	type = input[0];
wolfSSL	7:481bce714567	2040	size = (input[1] << 16) \| (input[2] << 8) \| input[3];
wolfSSL	7:481bce714567	2041
wolfSSL	7:481bce714567	2042	input += HANDSHAKE_HEADER_SZ;
wolfSSL	7:481bce714567	2043	*sslBytes -= HANDSHAKE_HEADER_SZ;
wolfSSL	7:481bce714567	2044	startBytes = *sslBytes;
wolfSSL	7:481bce714567	2045
wolfSSL	7:481bce714567	2046	if (*sslBytes < size) {
wolfSSL	7:481bce714567	2047	SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2048	return -1;
wolfSSL	7:481bce714567	2049	}
wolfSSL	7:481bce714567	2050
wolfSSL	7:481bce714567	2051	/* A session's arrays are released when the handshake is completed. */
wolfSSL	7:481bce714567	2052	if (session->sslServer->arrays == NULL &&
wolfSSL	7:481bce714567	2053	session->sslClient->arrays == NULL) {
wolfSSL	7:481bce714567	2054
wolfSSL	7:481bce714567	2055	SetError(NO_SECURE_RENEGOTIATION, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2056	return -1;
wolfSSL	7:481bce714567	2057	}
wolfSSL	7:481bce714567	2058
wolfSSL	7:481bce714567	2059	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	2060	if (session->hash) {
wolfSSL	7:481bce714567	2061	if (HashUpdate(session->hash, input, size) != 0) {
wolfSSL	7:481bce714567	2062	SetError(EXTENDED_MASTER_HASH_STR, error,
wolfSSL	7:481bce714567	2063	session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2064	return -1;
wolfSSL	7:481bce714567	2065	}
wolfSSL	7:481bce714567	2066	}
wolfSSL	7:481bce714567	2067	#endif
wolfSSL	7:481bce714567	2068
wolfSSL	7:481bce714567	2069	switch (type) {
wolfSSL	7:481bce714567	2070	case hello_verify_request:
wolfSSL	7:481bce714567	2071	Trace(GOT_HELLO_VERIFY_STR);
wolfSSL	7:481bce714567	2072	break;
wolfSSL	7:481bce714567	2073	case hello_request:
wolfSSL	7:481bce714567	2074	Trace(GOT_HELLO_REQUEST_STR);
wolfSSL	7:481bce714567	2075	break;
wolfSSL	7:481bce714567	2076	case session_ticket:
wolfSSL	7:481bce714567	2077	Trace(GOT_SESSION_TICKET_STR);
wolfSSL	7:481bce714567	2078	ret = ProcessSessionTicket(input, sslBytes, session, error);
wolfSSL	7:481bce714567	2079	break;
wolfSSL	7:481bce714567	2080	case server_hello:
wolfSSL	7:481bce714567	2081	Trace(GOT_SERVER_HELLO_STR);
wolfSSL	7:481bce714567	2082	ret = ProcessServerHello(size, input, sslBytes, session, error);
wolfSSL	7:481bce714567	2083	break;
wolfSSL	7:481bce714567	2084	case certificate_request:
wolfSSL	7:481bce714567	2085	Trace(GOT_CERT_REQ_STR);
wolfSSL	7:481bce714567	2086	break;
wolfSSL	7:481bce714567	2087	case server_key_exchange:
wolfSSL	7:481bce714567	2088	Trace(GOT_SERVER_KEY_EX_STR);
wolfSSL	7:481bce714567	2089	/* can't know temp key passively */
wolfSSL	7:481bce714567	2090	SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2091	ret = -1;
wolfSSL	7:481bce714567	2092	break;
wolfSSL	7:481bce714567	2093	case certificate:
wolfSSL	7:481bce714567	2094	Trace(GOT_CERT_STR);
wolfSSL	7:481bce714567	2095	break;
wolfSSL	7:481bce714567	2096	case server_hello_done:
wolfSSL	7:481bce714567	2097	Trace(GOT_SERVER_HELLO_DONE_STR);
wolfSSL	7:481bce714567	2098	break;
wolfSSL	7:481bce714567	2099	case finished:
wolfSSL	7:481bce714567	2100	Trace(GOT_FINISHED_STR);
wolfSSL	7:481bce714567	2101	ret = ProcessFinished(input, size, sslBytes, session, error);
wolfSSL	7:481bce714567	2102	break;
wolfSSL	7:481bce714567	2103	case client_hello:
wolfSSL	7:481bce714567	2104	Trace(GOT_CLIENT_HELLO_STR);
wolfSSL	7:481bce714567	2105	ret = ProcessClientHello(input, sslBytes, session, error);
wolfSSL	7:481bce714567	2106	break;
wolfSSL	7:481bce714567	2107	case client_key_exchange:
wolfSSL	7:481bce714567	2108	Trace(GOT_CLIENT_KEY_EX_STR);
wolfSSL	7:481bce714567	2109	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	2110	if (session->flags.expectEms && session->hash != NULL) {
wolfSSL	7:481bce714567	2111	if (HashCopy(session->sslServer->hsHashes,
wolfSSL	7:481bce714567	2112	session->hash) == 0 &&
wolfSSL	7:481bce714567	2113	HashCopy(session->sslClient->hsHashes,
wolfSSL	7:481bce714567	2114	session->hash) == 0) {
wolfSSL	7:481bce714567	2115
wolfSSL	7:481bce714567	2116	session->sslServer->options.haveEMS = 1;
wolfSSL	7:481bce714567	2117	session->sslClient->options.haveEMS = 1;
wolfSSL	7:481bce714567	2118	}
wolfSSL	7:481bce714567	2119	else {
wolfSSL	7:481bce714567	2120	SetError(EXTENDED_MASTER_HASH_STR, error,
wolfSSL	7:481bce714567	2121	session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2122	ret = -1;
wolfSSL	7:481bce714567	2123	}
wolfSSL	7:481bce714567	2124	XMEMSET(session->hash, 0, sizeof(HsHashes));
wolfSSL	7:481bce714567	2125	free(session->hash);
wolfSSL	7:481bce714567	2126	session->hash = NULL;
wolfSSL	7:481bce714567	2127	}
wolfSSL	7:481bce714567	2128	else {
wolfSSL	7:481bce714567	2129	session->sslServer->options.haveEMS = 0;
wolfSSL	7:481bce714567	2130	session->sslClient->options.haveEMS = 0;
wolfSSL	7:481bce714567	2131	}
wolfSSL	7:481bce714567	2132	#endif
wolfSSL	7:481bce714567	2133	if (ret == 0)
wolfSSL	7:481bce714567	2134	ret = ProcessClientKeyExchange(input, sslBytes, session, error);
wolfSSL	7:481bce714567	2135	break;
wolfSSL	7:481bce714567	2136	case certificate_verify:
wolfSSL	7:481bce714567	2137	Trace(GOT_CERT_VER_STR);
wolfSSL	7:481bce714567	2138	break;
wolfSSL	7:481bce714567	2139	case certificate_status:
wolfSSL	7:481bce714567	2140	Trace(GOT_CERT_STATUS_STR);
wolfSSL	7:481bce714567	2141	break;
wolfSSL	7:481bce714567	2142	default:
wolfSSL	7:481bce714567	2143	SetError(GOT_UNKNOWN_HANDSHAKE_STR, error, session, 0);
wolfSSL	7:481bce714567	2144	return -1;
wolfSSL	7:481bce714567	2145	}
wolfSSL	7:481bce714567	2146
wolfSSL	7:481bce714567	2147	sslBytes = startBytes - size; / actual bytes of full process */
wolfSSL	7:481bce714567	2148
wolfSSL	7:481bce714567	2149	return ret;
wolfSSL	7:481bce714567	2150	}
wolfSSL	7:481bce714567	2151
wolfSSL	7:481bce714567	2152
wolfSSL	7:481bce714567	2153	/* Decrypt input into plain output, 0 on success */
wolfSSL	7:481bce714567	2154	static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
wolfSSL	7:481bce714567	2155	{
wolfSSL	7:481bce714567	2156	int ret = 0;
wolfSSL	7:481bce714567	2157
wolfSSL	7:481bce714567	2158	(void)output;
wolfSSL	7:481bce714567	2159	(void)input;
wolfSSL	7:481bce714567	2160	(void)sz;
wolfSSL	7:481bce714567	2161
wolfSSL	7:481bce714567	2162	switch (ssl->specs.bulk_cipher_algorithm) {
wolfSSL	7:481bce714567	2163	#ifdef BUILD_ARC4
wolfSSL	7:481bce714567	2164	case wolfssl_rc4:
wolfSSL	7:481bce714567	2165	wc_Arc4Process(ssl->decrypt.arc4, output, input, sz);
wolfSSL	7:481bce714567	2166	break;
wolfSSL	7:481bce714567	2167	#endif
wolfSSL	7:481bce714567	2168
wolfSSL	7:481bce714567	2169	#ifdef BUILD_DES3
wolfSSL	7:481bce714567	2170	case wolfssl_triple_des:
wolfSSL	7:481bce714567	2171	ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, output, input, sz);
wolfSSL	7:481bce714567	2172	break;
wolfSSL	7:481bce714567	2173	#endif
wolfSSL	7:481bce714567	2174
wolfSSL	7:481bce714567	2175	#ifdef BUILD_AES
wolfSSL	7:481bce714567	2176	case wolfssl_aes:
wolfSSL	7:481bce714567	2177	ret = wc_AesCbcDecrypt(ssl->decrypt.aes, output, input, sz);
wolfSSL	7:481bce714567	2178	break;
wolfSSL	7:481bce714567	2179	#endif
wolfSSL	7:481bce714567	2180
wolfSSL	7:481bce714567	2181	#ifdef HAVE_HC128
wolfSSL	7:481bce714567	2182	case wolfssl_hc128:
wolfSSL	7:481bce714567	2183	wc_Hc128_Process(ssl->decrypt.hc128, output, input, sz);
wolfSSL	7:481bce714567	2184	break;
wolfSSL	7:481bce714567	2185	#endif
wolfSSL	7:481bce714567	2186
wolfSSL	7:481bce714567	2187	#ifdef BUILD_RABBIT
wolfSSL	7:481bce714567	2188	case wolfssl_rabbit:
wolfSSL	7:481bce714567	2189	wc_RabbitProcess(ssl->decrypt.rabbit, output, input, sz);
wolfSSL	7:481bce714567	2190	break;
wolfSSL	7:481bce714567	2191	#endif
wolfSSL	7:481bce714567	2192
wolfSSL	7:481bce714567	2193	#ifdef HAVE_CAMELLIA
wolfSSL	7:481bce714567	2194	case wolfssl_camellia:
wolfSSL	7:481bce714567	2195	wc_CamelliaCbcDecrypt(ssl->decrypt.cam, output, input, sz);
wolfSSL	7:481bce714567	2196	break;
wolfSSL	7:481bce714567	2197	#endif
wolfSSL	7:481bce714567	2198
wolfSSL	7:481bce714567	2199	#ifdef HAVE_IDEA
wolfSSL	7:481bce714567	2200	case wolfssl_idea:
wolfSSL	7:481bce714567	2201	wc_IdeaCbcDecrypt(ssl->decrypt.idea, output, input, sz);
wolfSSL	7:481bce714567	2202	break;
wolfSSL	7:481bce714567	2203	#endif
wolfSSL	7:481bce714567	2204
wolfSSL	7:481bce714567	2205	#ifdef HAVE_AESGCM
wolfSSL	7:481bce714567	2206	case wolfssl_aes_gcm:
wolfSSL	7:481bce714567	2207	if (sz >= (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size))
wolfSSL	7:481bce714567	2208	{
wolfSSL	7:481bce714567	2209	byte nonce[AESGCM_NONCE_SZ];
wolfSSL	7:481bce714567	2210	XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
wolfSSL	7:481bce714567	2211	XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);
wolfSSL	7:481bce714567	2212
wolfSSL	7:481bce714567	2213	if (wc_AesGcmEncrypt(ssl->decrypt.aes,
wolfSSL	7:481bce714567	2214	output,
wolfSSL	7:481bce714567	2215	input + AESGCM_EXP_IV_SZ,
wolfSSL	7:481bce714567	2216	sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
wolfSSL	7:481bce714567	2217	nonce, AESGCM_NONCE_SZ,
wolfSSL	7:481bce714567	2218	NULL, 0,
wolfSSL	7:481bce714567	2219	NULL, 0) < 0) {
wolfSSL	7:481bce714567	2220	Trace(BAD_DECRYPT);
wolfSSL	7:481bce714567	2221	ret = -1;
wolfSSL	7:481bce714567	2222	}
wolfSSL	7:481bce714567	2223	ForceZero(nonce, AESGCM_NONCE_SZ);
wolfSSL	7:481bce714567	2224	}
wolfSSL	7:481bce714567	2225	else {
wolfSSL	7:481bce714567	2226	Trace(BAD_DECRYPT_SIZE);
wolfSSL	7:481bce714567	2227	ret = -1;
wolfSSL	7:481bce714567	2228	}
wolfSSL	7:481bce714567	2229	break;
wolfSSL	7:481bce714567	2230	#endif
wolfSSL	7:481bce714567	2231
wolfSSL	7:481bce714567	2232	default:
wolfSSL	7:481bce714567	2233	Trace(BAD_DECRYPT_TYPE);
wolfSSL	7:481bce714567	2234	ret = -1;
wolfSSL	7:481bce714567	2235	break;
wolfSSL	7:481bce714567	2236	}
wolfSSL	7:481bce714567	2237
wolfSSL	7:481bce714567	2238	return ret;
wolfSSL	7:481bce714567	2239	}
wolfSSL	7:481bce714567	2240
wolfSSL	7:481bce714567	2241
wolfSSL	7:481bce714567	2242	/* Decrypt input message into output, adjust output steam if needed */
wolfSSL	7:481bce714567	2243	static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
wolfSSL	7:481bce714567	2244	byte* output, int* error, int* advance)
wolfSSL	7:481bce714567	2245	{
wolfSSL	7:481bce714567	2246	int ivExtra = 0;
wolfSSL	7:481bce714567	2247
wolfSSL	7:481bce714567	2248	int ret = Decrypt(ssl, output, input, sz);
wolfSSL	7:481bce714567	2249	if (ret != 0) {
wolfSSL	7:481bce714567	2250	*error = ret;
wolfSSL	7:481bce714567	2251	return NULL;
wolfSSL	7:481bce714567	2252	}
wolfSSL	7:481bce714567	2253	ssl->keys.encryptSz = sz;
wolfSSL	7:481bce714567	2254	if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) {
wolfSSL	7:481bce714567	2255	output += ssl->specs.block_size; /* go past TLSv1.1 IV */
wolfSSL	7:481bce714567	2256	ivExtra = ssl->specs.block_size;
wolfSSL	7:481bce714567	2257	*advance = ssl->specs.block_size;
wolfSSL	7:481bce714567	2258	}
wolfSSL	7:481bce714567	2259
wolfSSL	7:481bce714567	2260	if (ssl->specs.cipher_type == aead) {
wolfSSL	7:481bce714567	2261	*advance = ssl->specs.aead_mac_size;
wolfSSL	7:481bce714567	2262	ssl->keys.padSz = ssl->specs.aead_mac_size;
wolfSSL	7:481bce714567	2263	}
wolfSSL	7:481bce714567	2264	else
wolfSSL	7:481bce714567	2265	ssl->keys.padSz = ssl->specs.hash_size;
wolfSSL	7:481bce714567	2266
wolfSSL	7:481bce714567	2267	if (ssl->specs.cipher_type == block)
wolfSSL	7:481bce714567	2268	ssl->keys.padSz += *(output + sz - ivExtra - 1) + 1;
wolfSSL	7:481bce714567	2269
wolfSSL	7:481bce714567	2270	return output;
wolfSSL	7:481bce714567	2271	}
wolfSSL	7:481bce714567	2272
wolfSSL	7:481bce714567	2273
wolfSSL	7:481bce714567	2274	/* remove session from table, use rowHint if no info (means we have a lock) */
wolfSSL	7:481bce714567	2275	static void RemoveSession(SnifferSession* session, IpInfo* ipInfo,
wolfSSL	7:481bce714567	2276	TcpInfo* tcpInfo, word32 rowHint)
wolfSSL	7:481bce714567	2277	{
wolfSSL	7:481bce714567	2278	SnifferSession* previous = 0;
wolfSSL	7:481bce714567	2279	SnifferSession* current;
wolfSSL	7:481bce714567	2280	word32 row = rowHint;
wolfSSL	7:481bce714567	2281	int haveLock = 0;
wolfSSL	7:481bce714567	2282
wolfSSL	7:481bce714567	2283	if (ipInfo && tcpInfo)
wolfSSL	7:481bce714567	2284	row = SessionHash(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	2285	else
wolfSSL	7:481bce714567	2286	haveLock = 1;
wolfSSL	7:481bce714567	2287
wolfSSL	7:481bce714567	2288	assert(row <= HASH_SIZE);
wolfSSL	7:481bce714567	2289	Trace(REMOVE_SESSION_STR);
wolfSSL	7:481bce714567	2290
wolfSSL	7:481bce714567	2291	if (!haveLock)
wolfSSL	7:481bce714567	2292	wc_LockMutex(&SessionMutex);
wolfSSL	7:481bce714567	2293
wolfSSL	7:481bce714567	2294	current = SessionTable[row];
wolfSSL	7:481bce714567	2295
wolfSSL	7:481bce714567	2296	while (current) {
wolfSSL	7:481bce714567	2297	if (current == session) {
wolfSSL	7:481bce714567	2298	if (previous)
wolfSSL	7:481bce714567	2299	previous->next = current->next;
wolfSSL	7:481bce714567	2300	else
wolfSSL	7:481bce714567	2301	SessionTable[row] = current->next;
wolfSSL	7:481bce714567	2302	FreeSnifferSession(session);
wolfSSL	7:481bce714567	2303	TraceRemovedSession();
wolfSSL	7:481bce714567	2304	break;
wolfSSL	7:481bce714567	2305	}
wolfSSL	7:481bce714567	2306	previous = current;
wolfSSL	7:481bce714567	2307	current = current->next;
wolfSSL	7:481bce714567	2308	}
wolfSSL	7:481bce714567	2309
wolfSSL	7:481bce714567	2310	if (!haveLock)
wolfSSL	7:481bce714567	2311	wc_UnLockMutex(&SessionMutex);
wolfSSL	7:481bce714567	2312	}
wolfSSL	7:481bce714567	2313
wolfSSL	7:481bce714567	2314
wolfSSL	7:481bce714567	2315	/* Remove stale sessions from the Session Table, have a lock */
wolfSSL	7:481bce714567	2316	static void RemoveStaleSessions(void)
wolfSSL	7:481bce714567	2317	{
wolfSSL	7:481bce714567	2318	word32 i;
wolfSSL	7:481bce714567	2319	SnifferSession* session;
wolfSSL	7:481bce714567	2320
wolfSSL	7:481bce714567	2321	for (i = 0; i < HASH_SIZE; i++) {
wolfSSL	7:481bce714567	2322	session = SessionTable[i];
wolfSSL	7:481bce714567	2323	while (session) {
wolfSSL	7:481bce714567	2324	SnifferSession* next = session->next;
wolfSSL	7:481bce714567	2325	if (time(NULL) >= session->lastUsed + WOLFSSL_SNIFFER_TIMEOUT) {
wolfSSL	7:481bce714567	2326	TraceStaleSession();
wolfSSL	7:481bce714567	2327	RemoveSession(session, NULL, NULL, i);
wolfSSL	7:481bce714567	2328	}
wolfSSL	7:481bce714567	2329	session = next;
wolfSSL	7:481bce714567	2330	}
wolfSSL	7:481bce714567	2331	}
wolfSSL	7:481bce714567	2332	}
wolfSSL	7:481bce714567	2333
wolfSSL	7:481bce714567	2334
wolfSSL	7:481bce714567	2335	/* Create a new Sniffer Session */
wolfSSL	7:481bce714567	2336	static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	7:481bce714567	2337	char* error)
wolfSSL	7:481bce714567	2338	{
wolfSSL	7:481bce714567	2339	SnifferSession* session = 0;
wolfSSL	7:481bce714567	2340	int row;
wolfSSL	7:481bce714567	2341
wolfSSL	7:481bce714567	2342	Trace(NEW_SESSION_STR);
wolfSSL	7:481bce714567	2343	/* create a new one */
wolfSSL	7:481bce714567	2344	session = (SnifferSession*)malloc(sizeof(SnifferSession));
wolfSSL	7:481bce714567	2345	if (session == NULL) {
wolfSSL	7:481bce714567	2346	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2347	return 0;
wolfSSL	7:481bce714567	2348	}
wolfSSL	7:481bce714567	2349	InitSession(session);
wolfSSL	7:481bce714567	2350	#ifdef HAVE_EXTENDED_MASTER
wolfSSL	7:481bce714567	2351	{
wolfSSL	7:481bce714567	2352	HsHashes* newHash = (HsHashes*)malloc(sizeof(HsHashes));
wolfSSL	7:481bce714567	2353	if (newHash == NULL) {
wolfSSL	7:481bce714567	2354	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2355	free(session);
wolfSSL	7:481bce714567	2356	return 0;
wolfSSL	7:481bce714567	2357	}
wolfSSL	7:481bce714567	2358	if (HashInit(newHash) != 0) {
wolfSSL	7:481bce714567	2359	SetError(EXTENDED_MASTER_HASH_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2360	free(session);
wolfSSL	7:481bce714567	2361	return 0;
wolfSSL	7:481bce714567	2362	}
wolfSSL	7:481bce714567	2363	session->hash = newHash;
wolfSSL	7:481bce714567	2364	}
wolfSSL	7:481bce714567	2365	#endif
wolfSSL	7:481bce714567	2366	session->server = ipInfo->dst;
wolfSSL	7:481bce714567	2367	session->client = ipInfo->src;
wolfSSL	7:481bce714567	2368	session->srvPort = (word16)tcpInfo->dstPort;
wolfSSL	7:481bce714567	2369	session->cliPort = (word16)tcpInfo->srcPort;
wolfSSL	7:481bce714567	2370	session->cliSeqStart = tcpInfo->sequence;
wolfSSL	7:481bce714567	2371	session->cliExpected = 1; /* relative */
wolfSSL	7:481bce714567	2372	session->lastUsed= time(NULL);
wolfSSL	7:481bce714567	2373
wolfSSL	7:481bce714567	2374	session->context = GetSnifferServer(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	2375	if (session->context == NULL) {
wolfSSL	7:481bce714567	2376	SetError(SERVER_NOT_REG_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2377	free(session);
wolfSSL	7:481bce714567	2378	return 0;
wolfSSL	7:481bce714567	2379	}
wolfSSL	7:481bce714567	2380
wolfSSL	7:481bce714567	2381	session->sslServer = SSL_new(session->context->ctx);
wolfSSL	7:481bce714567	2382	if (session->sslServer == NULL) {
wolfSSL	7:481bce714567	2383	SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2384	free(session);
wolfSSL	7:481bce714567	2385	return 0;
wolfSSL	7:481bce714567	2386	}
wolfSSL	7:481bce714567	2387	session->sslClient = SSL_new(session->context->ctx);
wolfSSL	7:481bce714567	2388	if (session->sslClient == NULL) {
wolfSSL	7:481bce714567	2389	SSL_free(session->sslServer);
wolfSSL	7:481bce714567	2390	session->sslServer = 0;
wolfSSL	7:481bce714567	2391
wolfSSL	7:481bce714567	2392	SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2393	free(session);
wolfSSL	7:481bce714567	2394	return 0;
wolfSSL	7:481bce714567	2395	}
wolfSSL	7:481bce714567	2396	/* put server back into server mode */
wolfSSL	7:481bce714567	2397	session->sslServer->options.side = WOLFSSL_SERVER_END;
wolfSSL	7:481bce714567	2398
wolfSSL	7:481bce714567	2399	row = SessionHash(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	2400
wolfSSL	7:481bce714567	2401	/* add it to the session table */
wolfSSL	7:481bce714567	2402	wc_LockMutex(&SessionMutex);
wolfSSL	7:481bce714567	2403
wolfSSL	7:481bce714567	2404	session->next = SessionTable[row];
wolfSSL	7:481bce714567	2405	SessionTable[row] = session;
wolfSSL	7:481bce714567	2406
wolfSSL	7:481bce714567	2407	SessionCount++;
wolfSSL	7:481bce714567	2408
wolfSSL	7:481bce714567	2409	if ( (SessionCount % HASH_SIZE) == 0) {
wolfSSL	7:481bce714567	2410	TraceFindingStale();
wolfSSL	7:481bce714567	2411	RemoveStaleSessions();
wolfSSL	7:481bce714567	2412	}
wolfSSL	7:481bce714567	2413
wolfSSL	7:481bce714567	2414	wc_UnLockMutex(&SessionMutex);
wolfSSL	7:481bce714567	2415
wolfSSL	7:481bce714567	2416	/* determine headed side */
wolfSSL	7:481bce714567	2417	if (ipInfo->dst == session->context->server &&
wolfSSL	7:481bce714567	2418	tcpInfo->dstPort == session->context->port)
wolfSSL	7:481bce714567	2419	session->flags.side = WOLFSSL_SERVER_END;
wolfSSL	7:481bce714567	2420	else
wolfSSL	7:481bce714567	2421	session->flags.side = WOLFSSL_CLIENT_END;
wolfSSL	7:481bce714567	2422
wolfSSL	7:481bce714567	2423	return session;
wolfSSL	7:481bce714567	2424	}
wolfSSL	7:481bce714567	2425
wolfSSL	7:481bce714567	2426
wolfSSL	7:481bce714567	2427	#ifdef OLD_HELLO_ALLOWED
wolfSSL	7:481bce714567	2428
wolfSSL	7:481bce714567	2429	/* Process Old Client Hello Input */
wolfSSL	7:481bce714567	2430	static int DoOldHello(SnifferSession* session, const byte* sslFrame,
wolfSSL	7:481bce714567	2431	int* rhSize, int* sslBytes, char* error)
wolfSSL	7:481bce714567	2432	{
wolfSSL	7:481bce714567	2433	const byte* input = sslFrame;
wolfSSL	7:481bce714567	2434	byte b0, b1;
wolfSSL	7:481bce714567	2435	word32 idx = 0;
wolfSSL	7:481bce714567	2436	int ret;
wolfSSL	7:481bce714567	2437
wolfSSL	7:481bce714567	2438	Trace(GOT_OLD_CLIENT_HELLO_STR);
wolfSSL	7:481bce714567	2439	session->flags.clientHello = 1; /* don't process again */
wolfSSL	7:481bce714567	2440	b0 = *input++;
wolfSSL	7:481bce714567	2441	b1 = *input++;
wolfSSL	7:481bce714567	2442	*sslBytes -= 2;
wolfSSL	7:481bce714567	2443	*rhSize = ((b0 & 0x7f) << 8) \| b1;
wolfSSL	7:481bce714567	2444
wolfSSL	7:481bce714567	2445	if (rhSize > sslBytes) {
wolfSSL	7:481bce714567	2446	SetError(OLD_CLIENT_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2447	return -1;
wolfSSL	7:481bce714567	2448	}
wolfSSL	7:481bce714567	2449
wolfSSL	7:481bce714567	2450	ret = ProcessOldClientHello(session->sslServer, input, &idx, *sslBytes,
wolfSSL	7:481bce714567	2451	(word16)*rhSize);
wolfSSL	7:481bce714567	2452	if (ret < 0 && ret != MATCH_SUITE_ERROR) {
wolfSSL	7:481bce714567	2453	SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2454	return -1;
wolfSSL	7:481bce714567	2455	}
wolfSSL	7:481bce714567	2456
wolfSSL	7:481bce714567	2457	Trace(OLD_CLIENT_OK_STR);
wolfSSL	7:481bce714567	2458	XMEMCPY(session->sslClient->arrays->clientRandom,
wolfSSL	7:481bce714567	2459	session->sslServer->arrays->clientRandom, RAN_LEN);
wolfSSL	7:481bce714567	2460
wolfSSL	7:481bce714567	2461	sslBytes -= rhSize;
wolfSSL	7:481bce714567	2462	return 0;
wolfSSL	7:481bce714567	2463	}
wolfSSL	7:481bce714567	2464
wolfSSL	7:481bce714567	2465	#endif /* OLD_HELLO_ALLOWED */
wolfSSL	7:481bce714567	2466
wolfSSL	7:481bce714567	2467
wolfSSL	7:481bce714567	2468	#if 0
wolfSSL	7:481bce714567	2469	/* Calculate the TCP checksum, see RFC 1071 */
wolfSSL	7:481bce714567	2470	/* return 0 for success, -1 on error */
wolfSSL	7:481bce714567	2471	/* can be called from decode() with
wolfSSL	7:481bce714567	2472	TcpChecksum(&ipInfo, &tcpInfo, sslBytes, packet + ipInfo.length);
wolfSSL	7:481bce714567	2473	could also add a 64bit version if type available and using this
wolfSSL	7:481bce714567	2474	*/
wolfSSL	7:481bce714567	2475	int TcpChecksum(IpInfo* ipInfo, TcpInfo* tcpInfo, int dataLen,
wolfSSL	7:481bce714567	2476	const byte* packet)
wolfSSL	7:481bce714567	2477	{
wolfSSL	7:481bce714567	2478	TcpPseudoHdr pseudo;
wolfSSL	7:481bce714567	2479	int count = PSEUDO_HDR_SZ;
wolfSSL	7:481bce714567	2480	const word16* data = (word16*)&pseudo;
wolfSSL	7:481bce714567	2481	word32 sum = 0;
wolfSSL	7:481bce714567	2482	word16 checksum;
wolfSSL	7:481bce714567	2483
wolfSSL	7:481bce714567	2484	pseudo.src = ipInfo->src;
wolfSSL	7:481bce714567	2485	pseudo.dst = ipInfo->dst;
wolfSSL	7:481bce714567	2486	pseudo.rsv = 0;
wolfSSL	7:481bce714567	2487	pseudo.protocol = TCP_PROTO;
wolfSSL	7:481bce714567	2488	pseudo.length = htons(tcpInfo->length + dataLen);
wolfSSL	7:481bce714567	2489
wolfSSL	7:481bce714567	2490	/* pseudo header sum */
wolfSSL	7:481bce714567	2491	while (count >= 2) {
wolfSSL	7:481bce714567	2492	sum += *data++;
wolfSSL	7:481bce714567	2493	count -= 2;
wolfSSL	7:481bce714567	2494	}
wolfSSL	7:481bce714567	2495
wolfSSL	7:481bce714567	2496	count = tcpInfo->length + dataLen;
wolfSSL	7:481bce714567	2497	data = (word16*)packet;
wolfSSL	7:481bce714567	2498
wolfSSL	7:481bce714567	2499	/* main sum */
wolfSSL	7:481bce714567	2500	while (count > 1) {
wolfSSL	7:481bce714567	2501	sum += *data++;
wolfSSL	7:481bce714567	2502	count -=2;
wolfSSL	7:481bce714567	2503	}
wolfSSL	7:481bce714567	2504
wolfSSL	7:481bce714567	2505	/* get left-over, if any */
wolfSSL	7:481bce714567	2506	packet = (byte*)data;
wolfSSL	7:481bce714567	2507	if (count > 0) {
wolfSSL	7:481bce714567	2508	sum += *packet;
wolfSSL	7:481bce714567	2509	}
wolfSSL	7:481bce714567	2510
wolfSSL	7:481bce714567	2511	/* fold 32bit sum into 16 bits */
wolfSSL	7:481bce714567	2512	while (sum >> 16)
wolfSSL	7:481bce714567	2513	sum = (sum & 0xffff) + (sum >> 16);
wolfSSL	7:481bce714567	2514
wolfSSL	7:481bce714567	2515	checksum = (word16)~sum;
wolfSSL	7:481bce714567	2516	/* checksum should now equal 0, since included already calcd checksum */
wolfSSL	7:481bce714567	2517	/* field, but tcp checksum offloading could negate calculation */
wolfSSL	7:481bce714567	2518	if (checksum == 0)
wolfSSL	7:481bce714567	2519	return 0;
wolfSSL	7:481bce714567	2520	return -1;
wolfSSL	7:481bce714567	2521	}
wolfSSL	7:481bce714567	2522	#endif
wolfSSL	7:481bce714567	2523
wolfSSL	7:481bce714567	2524
wolfSSL	7:481bce714567	2525	/* Check IP and TCP headers, set payload */
wolfSSL	7:481bce714567	2526	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	2527	static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
wolfSSL	7:481bce714567	2528	int length, const byte** sslFrame, int* sslBytes, char* error)
wolfSSL	7:481bce714567	2529	{
wolfSSL	7:481bce714567	2530	TraceHeader();
wolfSSL	7:481bce714567	2531	TracePacket();
wolfSSL	7:481bce714567	2532
wolfSSL	7:481bce714567	2533	/* ip header */
wolfSSL	7:481bce714567	2534	if (length < IP_HDR_SZ) {
wolfSSL	7:481bce714567	2535	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2536	return -1;
wolfSSL	7:481bce714567	2537	}
wolfSSL	7:481bce714567	2538	if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0)
wolfSSL	7:481bce714567	2539	return -1;
wolfSSL	7:481bce714567	2540
wolfSSL	7:481bce714567	2541	/* tcp header */
wolfSSL	7:481bce714567	2542	if (length < (ipInfo->length + TCP_HDR_SZ)) {
wolfSSL	7:481bce714567	2543	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2544	return -1;
wolfSSL	7:481bce714567	2545	}
wolfSSL	7:481bce714567	2546	if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0)
wolfSSL	7:481bce714567	2547	return -1;
wolfSSL	7:481bce714567	2548
wolfSSL	7:481bce714567	2549	/* setup */
wolfSSL	7:481bce714567	2550	*sslFrame = packet + ipInfo->length + tcpInfo->length;
wolfSSL	7:481bce714567	2551	if (*sslFrame > packet + length) {
wolfSSL	7:481bce714567	2552	SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2553	return -1;
wolfSSL	7:481bce714567	2554	}
wolfSSL	7:481bce714567	2555	sslBytes = (int)(packet + length - sslFrame);
wolfSSL	7:481bce714567	2556
wolfSSL	7:481bce714567	2557	return 0;
wolfSSL	7:481bce714567	2558	}
wolfSSL	7:481bce714567	2559
wolfSSL	7:481bce714567	2560
wolfSSL	7:481bce714567	2561	/* Create or Find existing session */
wolfSSL	7:481bce714567	2562	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	7:481bce714567	2563	static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
wolfSSL	7:481bce714567	2564	SnifferSession** session, char* error)
wolfSSL	7:481bce714567	2565	{
wolfSSL	7:481bce714567	2566	/* create a new SnifferSession on client SYN */
wolfSSL	7:481bce714567	2567	if (tcpInfo->syn && !tcpInfo->ack) {
wolfSSL	7:481bce714567	2568	TraceClientSyn(tcpInfo->sequence);
wolfSSL	7:481bce714567	2569	*session = CreateSession(ipInfo, tcpInfo, error);
wolfSSL	7:481bce714567	2570	if (*session == NULL) {
wolfSSL	7:481bce714567	2571	*session = GetSnifferSession(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	2572	/* already had existing, so OK */
wolfSSL	7:481bce714567	2573	if (*session)
wolfSSL	7:481bce714567	2574	return 1;
wolfSSL	7:481bce714567	2575
wolfSSL	7:481bce714567	2576	SetError(MEMORY_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2577	return -1;
wolfSSL	7:481bce714567	2578	}
wolfSSL	7:481bce714567	2579	return 1;
wolfSSL	7:481bce714567	2580	}
wolfSSL	7:481bce714567	2581	/* get existing sniffer session */
wolfSSL	7:481bce714567	2582	else {
wolfSSL	7:481bce714567	2583	*session = GetSnifferSession(ipInfo, tcpInfo);
wolfSSL	7:481bce714567	2584	if (*session == NULL) {
wolfSSL	7:481bce714567	2585	/* don't worry about extraneous RST or duplicate FINs */
wolfSSL	7:481bce714567	2586	if (tcpInfo->fin \|\| tcpInfo->rst)
wolfSSL	7:481bce714567	2587	return 1;
wolfSSL	7:481bce714567	2588	/* don't worry about duplicate ACKs either */
wolfSSL	7:481bce714567	2589	if (sslBytes == 0 && tcpInfo->ack)
wolfSSL	7:481bce714567	2590	return 1;
wolfSSL	7:481bce714567	2591
wolfSSL	7:481bce714567	2592	SetError(BAD_SESSION_STR, error, NULL, 0);
wolfSSL	7:481bce714567	2593	return -1;
wolfSSL	7:481bce714567	2594	}
wolfSSL	7:481bce714567	2595	}
wolfSSL	7:481bce714567	2596	return 0;
wolfSSL	7:481bce714567	2597	}
wolfSSL	7:481bce714567	2598
wolfSSL	7:481bce714567	2599
wolfSSL	7:481bce714567	2600	/* Create a Packet Buffer from begin - end, adjust new begin and bytesLeft */
wolfSSL	7:481bce714567	2601	static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
wolfSSL	7:481bce714567	2602	int* bytesLeft)
wolfSSL	7:481bce714567	2603	{
wolfSSL	7:481bce714567	2604	PacketBuffer* pb;
wolfSSL	7:481bce714567	2605
wolfSSL	7:481bce714567	2606	int added = end - *begin + 1;
wolfSSL	7:481bce714567	2607	assert(*begin <= end);
wolfSSL	7:481bce714567	2608
wolfSSL	7:481bce714567	2609	pb = (PacketBuffer*)malloc(sizeof(PacketBuffer));
wolfSSL	7:481bce714567	2610	if (pb == NULL) return NULL;
wolfSSL	7:481bce714567	2611
wolfSSL	7:481bce714567	2612	pb->next = 0;
wolfSSL	7:481bce714567	2613	pb->begin = *begin;
wolfSSL	7:481bce714567	2614	pb->end = end;
wolfSSL	7:481bce714567	2615	pb->data = (byte*)malloc(added);
wolfSSL	7:481bce714567	2616
wolfSSL	7:481bce714567	2617	if (pb->data == NULL) {
wolfSSL	7:481bce714567	2618	free(pb);
wolfSSL	7:481bce714567	2619	return NULL;
wolfSSL	7:481bce714567	2620	}
wolfSSL	7:481bce714567	2621	XMEMCPY(pb->data, data, added);
wolfSSL	7:481bce714567	2622
wolfSSL	7:481bce714567	2623	*bytesLeft -= added;
wolfSSL	7:481bce714567	2624	*begin = pb->end + 1;
wolfSSL	7:481bce714567	2625
wolfSSL	7:481bce714567	2626	return pb;
wolfSSL	7:481bce714567	2627	}
wolfSSL	7:481bce714567	2628
wolfSSL	7:481bce714567	2629
wolfSSL	7:481bce714567	2630	/* Add sslFrame to Reassembly List */
wolfSSL	7:481bce714567	2631	/* returns 1 (end) on success, -1, on error */
wolfSSL	7:481bce714567	2632	static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
wolfSSL	7:481bce714567	2633	int sslBytes, SnifferSession* session, char* error)
wolfSSL	7:481bce714567	2634	{
wolfSSL	7:481bce714567	2635	PacketBuffer* add;
wolfSSL	7:481bce714567	2636	PacketBuffer** front = (from == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2637	&session->cliReassemblyList: &session->srvReassemblyList;
wolfSSL	7:481bce714567	2638	PacketBuffer* curr = *front;
wolfSSL	7:481bce714567	2639	PacketBuffer* prev = curr;
wolfSSL	7:481bce714567	2640
wolfSSL	7:481bce714567	2641	word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2642	&session->cliReassemblyMemory : &session->srvReassemblyMemory;
wolfSSL	7:481bce714567	2643	word32 startSeq = seq;
wolfSSL	7:481bce714567	2644	word32 added;
wolfSSL	7:481bce714567	2645	int bytesLeft = sslBytes; /* could be overlapping fragment */
wolfSSL	7:481bce714567	2646
wolfSSL	7:481bce714567	2647	/* if list is empty add full frame to front */
wolfSSL	7:481bce714567	2648	if (!curr) {
wolfSSL	7:481bce714567	2649	if (MaxRecoveryMemory != -1 &&
wolfSSL	7:481bce714567	2650	(int)(*reassemblyMemory + sslBytes) > MaxRecoveryMemory) {
wolfSSL	7:481bce714567	2651	SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2652	return -1;
wolfSSL	7:481bce714567	2653	}
wolfSSL	7:481bce714567	2654	add = CreateBuffer(&seq, seq + sslBytes - 1, sslFrame, &bytesLeft);
wolfSSL	7:481bce714567	2655	if (add == NULL) {
wolfSSL	7:481bce714567	2656	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2657	return -1;
wolfSSL	7:481bce714567	2658	}
wolfSSL	7:481bce714567	2659	*front = add;
wolfSSL	7:481bce714567	2660	*reassemblyMemory += sslBytes;
wolfSSL	7:481bce714567	2661	return 1;
wolfSSL	7:481bce714567	2662	}
wolfSSL	7:481bce714567	2663
wolfSSL	7:481bce714567	2664	/* add to front if before current front, up to next->begin */
wolfSSL	7:481bce714567	2665	if (seq < curr->begin) {
wolfSSL	7:481bce714567	2666	word32 end = seq + sslBytes - 1;
wolfSSL	7:481bce714567	2667
wolfSSL	7:481bce714567	2668	if (end >= curr->begin)
wolfSSL	7:481bce714567	2669	end = curr->begin - 1;
wolfSSL	7:481bce714567	2670
wolfSSL	7:481bce714567	2671	if (MaxRecoveryMemory -1 &&
wolfSSL	7:481bce714567	2672	(int)(*reassemblyMemory + sslBytes) > MaxRecoveryMemory) {
wolfSSL	7:481bce714567	2673	SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2674	return -1;
wolfSSL	7:481bce714567	2675	}
wolfSSL	7:481bce714567	2676	add = CreateBuffer(&seq, end, sslFrame, &bytesLeft);
wolfSSL	7:481bce714567	2677	if (add == NULL) {
wolfSSL	7:481bce714567	2678	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2679	return -1;
wolfSSL	7:481bce714567	2680	}
wolfSSL	7:481bce714567	2681	add->next = curr;
wolfSSL	7:481bce714567	2682	*front = add;
wolfSSL	7:481bce714567	2683	*reassemblyMemory += sslBytes;
wolfSSL	7:481bce714567	2684	}
wolfSSL	7:481bce714567	2685
wolfSSL	7:481bce714567	2686	/* while we have bytes left, try to find a gap to fill */
wolfSSL	7:481bce714567	2687	while (bytesLeft > 0) {
wolfSSL	7:481bce714567	2688	/* get previous packet in list */
wolfSSL	7:481bce714567	2689	while (curr && (seq >= curr->begin)) {
wolfSSL	7:481bce714567	2690	prev = curr;
wolfSSL	7:481bce714567	2691	curr = curr->next;
wolfSSL	7:481bce714567	2692	}
wolfSSL	7:481bce714567	2693
wolfSSL	7:481bce714567	2694	/* don't add duplicate data */
wolfSSL	7:481bce714567	2695	if (prev->end >= seq) {
wolfSSL	7:481bce714567	2696	if ( (seq + bytesLeft - 1) <= prev->end)
wolfSSL	7:481bce714567	2697	return 1;
wolfSSL	7:481bce714567	2698	seq = prev->end + 1;
wolfSSL	7:481bce714567	2699	bytesLeft = startSeq + sslBytes - seq;
wolfSSL	7:481bce714567	2700	}
wolfSSL	7:481bce714567	2701
wolfSSL	7:481bce714567	2702	if (!curr)
wolfSSL	7:481bce714567	2703	/* we're at the end */
wolfSSL	7:481bce714567	2704	added = bytesLeft;
wolfSSL	7:481bce714567	2705	else
wolfSSL	7:481bce714567	2706	/* we're in between two frames */
wolfSSL	7:481bce714567	2707	added = min((word32)bytesLeft, curr->begin - seq);
wolfSSL	7:481bce714567	2708
wolfSSL	7:481bce714567	2709	/* data already there */
wolfSSL	7:481bce714567	2710	if (added == 0)
wolfSSL	7:481bce714567	2711	continue;
wolfSSL	7:481bce714567	2712
wolfSSL	7:481bce714567	2713	if (MaxRecoveryMemory != -1 &&
wolfSSL	7:481bce714567	2714	(int)(*reassemblyMemory + added) > MaxRecoveryMemory) {
wolfSSL	7:481bce714567	2715	SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2716	return -1;
wolfSSL	7:481bce714567	2717	}
wolfSSL	7:481bce714567	2718	add = CreateBuffer(&seq, seq + added - 1, &sslFrame[seq - startSeq],
wolfSSL	7:481bce714567	2719	&bytesLeft);
wolfSSL	7:481bce714567	2720	if (add == NULL) {
wolfSSL	7:481bce714567	2721	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2722	return -1;
wolfSSL	7:481bce714567	2723	}
wolfSSL	7:481bce714567	2724	add->next = prev->next;
wolfSSL	7:481bce714567	2725	prev->next = add;
wolfSSL	7:481bce714567	2726	*reassemblyMemory += added;
wolfSSL	7:481bce714567	2727	}
wolfSSL	7:481bce714567	2728	return 1;
wolfSSL	7:481bce714567	2729	}
wolfSSL	7:481bce714567	2730
wolfSSL	7:481bce714567	2731
wolfSSL	7:481bce714567	2732	/* Add out of order FIN capture */
wolfSSL	7:481bce714567	2733	/* returns 1 for success (end) */
wolfSSL	7:481bce714567	2734	static int AddFinCapture(SnifferSession* session, word32 sequence)
wolfSSL	7:481bce714567	2735	{
wolfSSL	7:481bce714567	2736	if (session->flags.side == WOLFSSL_SERVER_END) {
wolfSSL	7:481bce714567	2737	if (session->finCaputre.cliCounted == 0)
wolfSSL	7:481bce714567	2738	session->finCaputre.cliFinSeq = sequence;
wolfSSL	7:481bce714567	2739	}
wolfSSL	7:481bce714567	2740	else {
wolfSSL	7:481bce714567	2741	if (session->finCaputre.srvCounted == 0)
wolfSSL	7:481bce714567	2742	session->finCaputre.srvFinSeq = sequence;
wolfSSL	7:481bce714567	2743	}
wolfSSL	7:481bce714567	2744	return 1;
wolfSSL	7:481bce714567	2745	}
wolfSSL	7:481bce714567	2746
wolfSSL	7:481bce714567	2747
wolfSSL	7:481bce714567	2748	/* Adjust incoming sequence based on side */
wolfSSL	7:481bce714567	2749	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	7:481bce714567	2750	static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
wolfSSL	7:481bce714567	2751	int* sslBytes, const byte** sslFrame, char* error)
wolfSSL	7:481bce714567	2752	{
wolfSSL	7:481bce714567	2753	word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2754	session->cliSeqStart :session->srvSeqStart;
wolfSSL	7:481bce714567	2755	word32 real = tcpInfo->sequence - seqStart;
wolfSSL	7:481bce714567	2756	word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2757	&session->cliExpected : &session->srvExpected;
wolfSSL	7:481bce714567	2758	PacketBuffer* reassemblyList = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2759	session->cliReassemblyList : session->srvReassemblyList;
wolfSSL	7:481bce714567	2760	byte skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2761	session->flags.srvSkipPartial :
wolfSSL	7:481bce714567	2762	session->flags.cliSkipPartial;
wolfSSL	7:481bce714567	2763
wolfSSL	7:481bce714567	2764	/* handle rollover of sequence */
wolfSSL	7:481bce714567	2765	if (tcpInfo->sequence < seqStart)
wolfSSL	7:481bce714567	2766	real = 0xffffffffU - seqStart + tcpInfo->sequence;
wolfSSL	7:481bce714567	2767
wolfSSL	7:481bce714567	2768	TraceRelativeSequence(*expected, real);
wolfSSL	7:481bce714567	2769
wolfSSL	7:481bce714567	2770	if (real < *expected) {
wolfSSL	7:481bce714567	2771	Trace(DUPLICATE_STR);
wolfSSL	7:481bce714567	2772	if (real + sslBytes > expected) {
wolfSSL	7:481bce714567	2773	int overlap = *expected - real;
wolfSSL	7:481bce714567	2774	Trace(OVERLAP_DUPLICATE_STR);
wolfSSL	7:481bce714567	2775
wolfSSL	7:481bce714567	2776	/* adjust to expected, remove duplicate */
wolfSSL	7:481bce714567	2777	*sslFrame += overlap;
wolfSSL	7:481bce714567	2778	*sslBytes -= overlap;
wolfSSL	7:481bce714567	2779
wolfSSL	7:481bce714567	2780	/* The following conditional block is duplicated below. It is the
wolfSSL	7:481bce714567	2781	* same action but for a different setup case. If changing this
wolfSSL	7:481bce714567	2782	* block be sure to also update the block below. */
wolfSSL	7:481bce714567	2783	if (reassemblyList) {
wolfSSL	7:481bce714567	2784	word32 newEnd = expected + sslBytes;
wolfSSL	7:481bce714567	2785
wolfSSL	7:481bce714567	2786	if (newEnd > reassemblyList->begin) {
wolfSSL	7:481bce714567	2787	Trace(OVERLAP_REASSEMBLY_BEGIN_STR);
wolfSSL	7:481bce714567	2788
wolfSSL	7:481bce714567	2789	/* remove bytes already on reassembly list */
wolfSSL	7:481bce714567	2790	*sslBytes -= newEnd - reassemblyList->begin;
wolfSSL	7:481bce714567	2791	}
wolfSSL	7:481bce714567	2792	if (newEnd > reassemblyList->end) {
wolfSSL	7:481bce714567	2793	Trace(OVERLAP_REASSEMBLY_END_STR);
wolfSSL	7:481bce714567	2794
wolfSSL	7:481bce714567	2795	/* may be past reassembly list end (could have more on list)
wolfSSL	7:481bce714567	2796	so try to add what's past the front->end */
wolfSSL	7:481bce714567	2797	AddToReassembly(session->flags.side, reassemblyList->end +1,
wolfSSL	7:481bce714567	2798	sslFrame + reassemblyList->end - expected + 1,
wolfSSL	7:481bce714567	2799	newEnd - reassemblyList->end, session, error);
wolfSSL	7:481bce714567	2800	}
wolfSSL	7:481bce714567	2801	}
wolfSSL	7:481bce714567	2802	}
wolfSSL	7:481bce714567	2803	else
wolfSSL	7:481bce714567	2804	return 1;
wolfSSL	7:481bce714567	2805	}
wolfSSL	7:481bce714567	2806	else if (real > *expected) {
wolfSSL	7:481bce714567	2807	Trace(OUT_OF_ORDER_STR);
wolfSSL	7:481bce714567	2808	if (*sslBytes > 0) {
wolfSSL	7:481bce714567	2809	int addResult = AddToReassembly(session->flags.side, real,
wolfSSL	7:481bce714567	2810	sslFrame, sslBytes, session, error);
wolfSSL	7:481bce714567	2811	if (skipPartial) {
wolfSSL	7:481bce714567	2812	*sslBytes = 0;
wolfSSL	7:481bce714567	2813	return 0;
wolfSSL	7:481bce714567	2814	}
wolfSSL	7:481bce714567	2815	else
wolfSSL	7:481bce714567	2816	return addResult;
wolfSSL	7:481bce714567	2817	}
wolfSSL	7:481bce714567	2818	else if (tcpInfo->fin)
wolfSSL	7:481bce714567	2819	return AddFinCapture(session, real);
wolfSSL	7:481bce714567	2820	}
wolfSSL	7:481bce714567	2821	else if (*sslBytes > 0) {
wolfSSL	7:481bce714567	2822	if (skipPartial) {
wolfSSL	7:481bce714567	2823	AddToReassembly(session->flags.side, real,
wolfSSL	7:481bce714567	2824	sslFrame, sslBytes, session, error);
wolfSSL	7:481bce714567	2825	expected += sslBytes;
wolfSSL	7:481bce714567	2826	*sslBytes = 0;
wolfSSL	7:481bce714567	2827	if (tcpInfo->fin)
wolfSSL	7:481bce714567	2828	*expected += 1;
wolfSSL	7:481bce714567	2829	return 0;
wolfSSL	7:481bce714567	2830	}
wolfSSL	7:481bce714567	2831	/* The following conditional block is duplicated above. It is the
wolfSSL	7:481bce714567	2832	* same action but for a different setup case. If changing this
wolfSSL	7:481bce714567	2833	* block be sure to also update the block above. */
wolfSSL	7:481bce714567	2834	else if (reassemblyList) {
wolfSSL	7:481bce714567	2835	word32 newEnd = expected + sslBytes;
wolfSSL	7:481bce714567	2836
wolfSSL	7:481bce714567	2837	if (newEnd > reassemblyList->begin) {
wolfSSL	7:481bce714567	2838	Trace(OVERLAP_REASSEMBLY_BEGIN_STR);
wolfSSL	7:481bce714567	2839
wolfSSL	7:481bce714567	2840	/* remove bytes already on reassembly list */
wolfSSL	7:481bce714567	2841	*sslBytes -= newEnd - reassemblyList->begin;
wolfSSL	7:481bce714567	2842	}
wolfSSL	7:481bce714567	2843	if (newEnd > reassemblyList->end) {
wolfSSL	7:481bce714567	2844	Trace(OVERLAP_REASSEMBLY_END_STR);
wolfSSL	7:481bce714567	2845
wolfSSL	7:481bce714567	2846	/* may be past reassembly list end (could have more on list)
wolfSSL	7:481bce714567	2847	so try to add what's past the front->end */
wolfSSL	7:481bce714567	2848	AddToReassembly(session->flags.side, reassemblyList->end +1,
wolfSSL	7:481bce714567	2849	sslFrame + reassemblyList->end - expected + 1,
wolfSSL	7:481bce714567	2850	newEnd - reassemblyList->end, session, error);
wolfSSL	7:481bce714567	2851	}
wolfSSL	7:481bce714567	2852	}
wolfSSL	7:481bce714567	2853	}
wolfSSL	7:481bce714567	2854	/* got expected sequence */
wolfSSL	7:481bce714567	2855	expected += sslBytes;
wolfSSL	7:481bce714567	2856	if (tcpInfo->fin)
wolfSSL	7:481bce714567	2857	*expected += 1;
wolfSSL	7:481bce714567	2858
wolfSSL	7:481bce714567	2859	return 0;
wolfSSL	7:481bce714567	2860	}
wolfSSL	7:481bce714567	2861
wolfSSL	7:481bce714567	2862
wolfSSL	7:481bce714567	2863	static int FindNextRecordInAssembly(SnifferSession* session,
wolfSSL	7:481bce714567	2864	const byte** sslFrame, int* sslBytes,
wolfSSL	7:481bce714567	2865	const byte** end, char* error)
wolfSSL	7:481bce714567	2866	{
wolfSSL	7:481bce714567	2867	PacketBuffer** front = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2868	&session->cliReassemblyList :
wolfSSL	7:481bce714567	2869	&session->srvReassemblyList;
wolfSSL	7:481bce714567	2870	PacketBuffer* curr = *front;
wolfSSL	7:481bce714567	2871	PacketBuffer* prev = NULL;
wolfSSL	7:481bce714567	2872	byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2873	&session->flags.srvSkipPartial :
wolfSSL	7:481bce714567	2874	&session->flags.cliSkipPartial;
wolfSSL	7:481bce714567	2875	word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2876	&session->cliReassemblyMemory :
wolfSSL	7:481bce714567	2877	&session->srvReassemblyMemory;
wolfSSL	7:481bce714567	2878	SSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2879	session->sslServer :
wolfSSL	7:481bce714567	2880	session->sslClient;
wolfSSL	7:481bce714567	2881	ProtocolVersion pv = ssl->version;
wolfSSL	7:481bce714567	2882	word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2883	&session->cliExpected :
wolfSSL	7:481bce714567	2884	&session->srvExpected;
wolfSSL	7:481bce714567	2885
wolfSSL	7:481bce714567	2886	while (curr != NULL) {
wolfSSL	7:481bce714567	2887	*expected = curr->end + 1;
wolfSSL	7:481bce714567	2888
wolfSSL	7:481bce714567	2889	if (curr->data[0] == application_data &&
wolfSSL	7:481bce714567	2890	curr->data[1] == pv.major &&
wolfSSL	7:481bce714567	2891	curr->data[2] == pv.minor) {
wolfSSL	7:481bce714567	2892
wolfSSL	7:481bce714567	2893	if (ssl->buffers.inputBuffer.length > 0)
wolfSSL	7:481bce714567	2894	Trace(DROPPING_PARTIAL_RECORD);
wolfSSL	7:481bce714567	2895
wolfSSL	7:481bce714567	2896	*sslBytes = curr->end - curr->begin + 1;
wolfSSL	7:481bce714567	2897	if ( (word32)*sslBytes > ssl->buffers.inputBuffer.bufferSize) {
wolfSSL	7:481bce714567	2898	if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) {
wolfSSL	7:481bce714567	2899	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	2900	return -1;
wolfSSL	7:481bce714567	2901	}
wolfSSL	7:481bce714567	2902	}
wolfSSL	7:481bce714567	2903
wolfSSL	7:481bce714567	2904	XMEMCPY(ssl->buffers.inputBuffer.buffer, curr->data, *sslBytes);
wolfSSL	7:481bce714567	2905
wolfSSL	7:481bce714567	2906	*front = curr->next;
wolfSSL	7:481bce714567	2907	reassemblyMemory -= sslBytes;
wolfSSL	7:481bce714567	2908	FreePacketBuffer(curr);
wolfSSL	7:481bce714567	2909
wolfSSL	7:481bce714567	2910	ssl->buffers.inputBuffer.length = *sslBytes;
wolfSSL	7:481bce714567	2911	*sslFrame = ssl->buffers.inputBuffer.buffer;
wolfSSL	7:481bce714567	2912	end = sslFrame + *sslBytes;
wolfSSL	7:481bce714567	2913	*skipPartial = 0;
wolfSSL	7:481bce714567	2914
wolfSSL	7:481bce714567	2915	return 0;
wolfSSL	7:481bce714567	2916	}
wolfSSL	7:481bce714567	2917	else if (ssl->specs.cipher_type == block) {
wolfSSL	7:481bce714567	2918	if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
wolfSSL	7:481bce714567	2919	#ifdef BUILD_AES
wolfSSL	7:481bce714567	2920	wc_AesSetIV(ssl->decrypt.aes,
wolfSSL	7:481bce714567	2921	curr->data + curr->end - curr->begin
wolfSSL	7:481bce714567	2922	- ssl->specs.block_size + 1);
wolfSSL	7:481bce714567	2923	#endif
wolfSSL	7:481bce714567	2924	}
wolfSSL	7:481bce714567	2925	else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) {
wolfSSL	7:481bce714567	2926	#ifdef BUILD_DES3
wolfSSL	7:481bce714567	2927	wc_Des3_SetIV(ssl->decrypt.des3,
wolfSSL	7:481bce714567	2928	curr->data + curr->end - curr->begin
wolfSSL	7:481bce714567	2929	- ssl->specs.block_size + 1);
wolfSSL	7:481bce714567	2930	#endif
wolfSSL	7:481bce714567	2931	}
wolfSSL	7:481bce714567	2932	}
wolfSSL	7:481bce714567	2933
wolfSSL	7:481bce714567	2934	Trace(DROPPING_LOST_FRAG_STR);
wolfSSL	7:481bce714567	2935	prev = curr;
wolfSSL	7:481bce714567	2936	curr = curr->next;
wolfSSL	7:481bce714567	2937	*reassemblyMemory -= (prev->end - prev->begin + 1);
wolfSSL	7:481bce714567	2938	FreePacketBuffer(prev);
wolfSSL	7:481bce714567	2939	}
wolfSSL	7:481bce714567	2940
wolfSSL	7:481bce714567	2941	*front = curr;
wolfSSL	7:481bce714567	2942
wolfSSL	7:481bce714567	2943	return 0;
wolfSSL	7:481bce714567	2944	}
wolfSSL	7:481bce714567	2945
wolfSSL	7:481bce714567	2946
wolfSSL	7:481bce714567	2947	static int FixSequence(TcpInfo* tcpInfo, SnifferSession* session)
wolfSSL	7:481bce714567	2948	{
wolfSSL	7:481bce714567	2949	word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2950	&session->srvExpected : &session->cliExpected;
wolfSSL	7:481bce714567	2951	PacketBuffer* list = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2952	session->srvReassemblyList :
wolfSSL	7:481bce714567	2953	session->cliReassemblyList;
wolfSSL	7:481bce714567	2954	byte* skipPartial = (session->flags.side != WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2955	&session->flags.srvSkipPartial :
wolfSSL	7:481bce714567	2956	&session->flags.cliSkipPartial;
wolfSSL	7:481bce714567	2957
wolfSSL	7:481bce714567	2958	*skipPartial = 1;
wolfSSL	7:481bce714567	2959	if (list != NULL)
wolfSSL	7:481bce714567	2960	*expected = list->begin;
wolfSSL	7:481bce714567	2961	else {
wolfSSL	7:481bce714567	2962	word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2963	session->srvSeqStart : session->cliSeqStart;
wolfSSL	7:481bce714567	2964	word32 real = tcpInfo->ackNumber - seqStart;
wolfSSL	7:481bce714567	2965
wolfSSL	7:481bce714567	2966	*expected = real;
wolfSSL	7:481bce714567	2967	}
wolfSSL	7:481bce714567	2968
wolfSSL	7:481bce714567	2969	return 1;
wolfSSL	7:481bce714567	2970	}
wolfSSL	7:481bce714567	2971
wolfSSL	7:481bce714567	2972
wolfSSL	7:481bce714567	2973	/* Check latest ack number for missing packets
wolfSSL	7:481bce714567	2974	return 0 ok, <0 on error */
wolfSSL	7:481bce714567	2975	static int CheckAck(TcpInfo* tcpInfo, SnifferSession* session)
wolfSSL	7:481bce714567	2976	{
wolfSSL	7:481bce714567	2977	if (tcpInfo->ack) {
wolfSSL	7:481bce714567	2978	word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2979	session->srvSeqStart :session->cliSeqStart;
wolfSSL	7:481bce714567	2980	word32 real = tcpInfo->ackNumber - seqStart;
wolfSSL	7:481bce714567	2981	word32 expected = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	2982	session->srvExpected : session->cliExpected;
wolfSSL	7:481bce714567	2983
wolfSSL	7:481bce714567	2984	/* handle rollover of sequence */
wolfSSL	7:481bce714567	2985	if (tcpInfo->ackNumber < seqStart)
wolfSSL	7:481bce714567	2986	real = 0xffffffffU - seqStart + tcpInfo->ackNumber;
wolfSSL	7:481bce714567	2987
wolfSSL	7:481bce714567	2988	TraceAck(real, expected);
wolfSSL	7:481bce714567	2989
wolfSSL	7:481bce714567	2990	if (real > expected)
wolfSSL	7:481bce714567	2991	return -1; /* we missed a packet, ACKing data we never saw */
wolfSSL	7:481bce714567	2992	}
wolfSSL	7:481bce714567	2993	return 0;
wolfSSL	7:481bce714567	2994	}
wolfSSL	7:481bce714567	2995
wolfSSL	7:481bce714567	2996
wolfSSL	7:481bce714567	2997	/* Check TCP Sequence status */
wolfSSL	7:481bce714567	2998	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	7:481bce714567	2999	static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	7:481bce714567	3000	SnifferSession* session, int* sslBytes,
wolfSSL	7:481bce714567	3001	const byte** sslFrame, char* error)
wolfSSL	7:481bce714567	3002	{
wolfSSL	7:481bce714567	3003	int actualLen;
wolfSSL	7:481bce714567	3004	byte* ackFault = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3005	&session->flags.cliAckFault :
wolfSSL	7:481bce714567	3006	&session->flags.srvAckFault;
wolfSSL	7:481bce714567	3007
wolfSSL	7:481bce714567	3008	/* init SEQ from server to client */
wolfSSL	7:481bce714567	3009	if (tcpInfo->syn && tcpInfo->ack) {
wolfSSL	7:481bce714567	3010	session->srvSeqStart = tcpInfo->sequence;
wolfSSL	7:481bce714567	3011	session->srvExpected = 1;
wolfSSL	7:481bce714567	3012	TraceServerSyn(tcpInfo->sequence);
wolfSSL	7:481bce714567	3013	return 1;
wolfSSL	7:481bce714567	3014	}
wolfSSL	7:481bce714567	3015
wolfSSL	7:481bce714567	3016	/* adjust potential ethernet trailer */
wolfSSL	7:481bce714567	3017	actualLen = ipInfo->total - ipInfo->length - tcpInfo->length;
wolfSSL	7:481bce714567	3018	if (*sslBytes > actualLen) {
wolfSSL	7:481bce714567	3019	*sslBytes = actualLen;
wolfSSL	7:481bce714567	3020	}
wolfSSL	7:481bce714567	3021
wolfSSL	7:481bce714567	3022	TraceSequence(tcpInfo->sequence, *sslBytes);
wolfSSL	7:481bce714567	3023	if (CheckAck(tcpInfo, session) < 0) {
wolfSSL	7:481bce714567	3024	if (!RecoveryEnabled) {
wolfSSL	7:481bce714567	3025	UpdateMissedDataSessions();
wolfSSL	7:481bce714567	3026	SetError(ACK_MISSED_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3027	return -1;
wolfSSL	7:481bce714567	3028	}
wolfSSL	7:481bce714567	3029	else {
wolfSSL	7:481bce714567	3030	SetError(ACK_MISSED_STR, error, session, 0);
wolfSSL	7:481bce714567	3031	if (*ackFault == 0) {
wolfSSL	7:481bce714567	3032	*ackFault = 1;
wolfSSL	7:481bce714567	3033	UpdateMissedDataSessions();
wolfSSL	7:481bce714567	3034	}
wolfSSL	7:481bce714567	3035	return FixSequence(tcpInfo, session);
wolfSSL	7:481bce714567	3036	}
wolfSSL	7:481bce714567	3037	}
wolfSSL	7:481bce714567	3038
wolfSSL	7:481bce714567	3039	if (*ackFault) {
wolfSSL	7:481bce714567	3040	Trace(CLEAR_ACK_FAULT);
wolfSSL	7:481bce714567	3041	*ackFault = 0;
wolfSSL	7:481bce714567	3042	}
wolfSSL	7:481bce714567	3043
wolfSSL	7:481bce714567	3044	return AdjustSequence(tcpInfo, session, sslBytes, sslFrame, error);
wolfSSL	7:481bce714567	3045	}
wolfSSL	7:481bce714567	3046
wolfSSL	7:481bce714567	3047
wolfSSL	7:481bce714567	3048	/* Check Status before record processing */
wolfSSL	7:481bce714567	3049	/* returns 0 on success (continue), -1 on error, 1 on success (end) */
wolfSSL	7:481bce714567	3050	static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	7:481bce714567	3051	const byte sslFrame, SnifferSession session,
wolfSSL	7:481bce714567	3052	int* sslBytes, const byte** end, char* error)
wolfSSL	7:481bce714567	3053	{
wolfSSL	7:481bce714567	3054	word32 length;
wolfSSL	7:481bce714567	3055	SSL* ssl = ((*session)->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3056	(session)->sslServer : (session)->sslClient;
wolfSSL	7:481bce714567	3057	byte skipPartial = ((*session)->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3058	(*session)->flags.srvSkipPartial :
wolfSSL	7:481bce714567	3059	(*session)->flags.cliSkipPartial;
wolfSSL	7:481bce714567	3060	/* remove SnifferSession on 2nd FIN or RST */
wolfSSL	7:481bce714567	3061	if (tcpInfo->fin \|\| tcpInfo->rst) {
wolfSSL	7:481bce714567	3062	/* flag FIN and RST */
wolfSSL	7:481bce714567	3063	if (tcpInfo->fin)
wolfSSL	7:481bce714567	3064	(*session)->flags.finCount += 1;
wolfSSL	7:481bce714567	3065	else if (tcpInfo->rst)
wolfSSL	7:481bce714567	3066	(*session)->flags.finCount += 2;
wolfSSL	7:481bce714567	3067
wolfSSL	7:481bce714567	3068	if ((*session)->flags.finCount >= 2) {
wolfSSL	7:481bce714567	3069	RemoveSession(*session, ipInfo, tcpInfo, 0);
wolfSSL	7:481bce714567	3070	*session = NULL;
wolfSSL	7:481bce714567	3071	return 1;
wolfSSL	7:481bce714567	3072	}
wolfSSL	7:481bce714567	3073	}
wolfSSL	7:481bce714567	3074
wolfSSL	7:481bce714567	3075	if ((*session)->flags.fatalError == FATAL_ERROR_STATE) {
wolfSSL	7:481bce714567	3076	SetError(FATAL_ERROR_STR, error, NULL, 0);
wolfSSL	7:481bce714567	3077	return -1;
wolfSSL	7:481bce714567	3078	}
wolfSSL	7:481bce714567	3079
wolfSSL	7:481bce714567	3080	if (skipPartial) {
wolfSSL	7:481bce714567	3081	if (FindNextRecordInAssembly(*session,
wolfSSL	7:481bce714567	3082	sslFrame, sslBytes, end, error) < 0) {
wolfSSL	7:481bce714567	3083	return -1;
wolfSSL	7:481bce714567	3084	}
wolfSSL	7:481bce714567	3085	}
wolfSSL	7:481bce714567	3086
wolfSSL	7:481bce714567	3087	if (*sslBytes == 0) {
wolfSSL	7:481bce714567	3088	Trace(NO_DATA_STR);
wolfSSL	7:481bce714567	3089	return 1;
wolfSSL	7:481bce714567	3090	}
wolfSSL	7:481bce714567	3091
wolfSSL	7:481bce714567	3092	/* if current partial data, add to end of partial */
wolfSSL	7:481bce714567	3093	/* if skipping, the data is already at the end of partial */
wolfSSL	7:481bce714567	3094	if ( !skipPartial &&
wolfSSL	7:481bce714567	3095	(length = ssl->buffers.inputBuffer.length) ) {
wolfSSL	7:481bce714567	3096	Trace(PARTIAL_ADD_STR);
wolfSSL	7:481bce714567	3097
wolfSSL	7:481bce714567	3098	if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
wolfSSL	7:481bce714567	3099	if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
wolfSSL	7:481bce714567	3100	SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3101	return -1;
wolfSSL	7:481bce714567	3102	}
wolfSSL	7:481bce714567	3103	}
wolfSSL	7:481bce714567	3104	XMEMCPY(&ssl->buffers.inputBuffer.buffer[length], sslFrame, sslBytes);
wolfSSL	7:481bce714567	3105	*sslBytes += length;
wolfSSL	7:481bce714567	3106	ssl->buffers.inputBuffer.length = *sslBytes;
wolfSSL	7:481bce714567	3107	*sslFrame = ssl->buffers.inputBuffer.buffer;
wolfSSL	7:481bce714567	3108	end = sslFrame + *sslBytes;
wolfSSL	7:481bce714567	3109	}
wolfSSL	7:481bce714567	3110
wolfSSL	7:481bce714567	3111	if ((session)->flags.clientHello == 0 && *sslFrame != handshake) {
wolfSSL	7:481bce714567	3112	/* Sanity check the packet for an old style client hello. */
wolfSSL	7:481bce714567	3113	int rhSize = (((sslFrame)[0] & 0x7f) << 8) \| ((sslFrame)[1]);
wolfSSL	7:481bce714567	3114
wolfSSL	7:481bce714567	3115	if ((rhSize <= (*sslBytes - 2)) &&
wolfSSL	7:481bce714567	3116	(sslFrame)[2] == OLD_HELLO_ID && (sslFrame)[3] == SSLv3_MAJOR) {
wolfSSL	7:481bce714567	3117	#ifdef OLD_HELLO_ALLOWED
wolfSSL	7:481bce714567	3118	int ret = DoOldHello(session, sslFrame, &rhSize, sslBytes, error);
wolfSSL	7:481bce714567	3119	if (ret < 0)
wolfSSL	7:481bce714567	3120	return -1; /* error already set */
wolfSSL	7:481bce714567	3121	if (*sslBytes <= 0)
wolfSSL	7:481bce714567	3122	return 1;
wolfSSL	7:481bce714567	3123	#endif
wolfSSL	7:481bce714567	3124	}
wolfSSL	7:481bce714567	3125	else {
wolfSSL	7:481bce714567	3126	#ifdef STARTTLS_ALLOWED
wolfSSL	7:481bce714567	3127	return 1;
wolfSSL	7:481bce714567	3128	#endif
wolfSSL	7:481bce714567	3129	}
wolfSSL	7:481bce714567	3130	}
wolfSSL	7:481bce714567	3131
wolfSSL	7:481bce714567	3132	return 0;
wolfSSL	7:481bce714567	3133	}
wolfSSL	7:481bce714567	3134
wolfSSL	7:481bce714567	3135
wolfSSL	7:481bce714567	3136	/* See if input on the reassembly list is ready for consuming */
wolfSSL	7:481bce714567	3137	/* returns 1 for TRUE, 0 for FALSE */
wolfSSL	7:481bce714567	3138	static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
wolfSSL	7:481bce714567	3139	int* sslBytes, const byte** end, char* error)
wolfSSL	7:481bce714567	3140	{
wolfSSL	7:481bce714567	3141	/* sequence and reassembly based on from, not to */
wolfSSL	7:481bce714567	3142	int moreInput = 0;
wolfSSL	7:481bce714567	3143	PacketBuffer** front = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3144	&session->cliReassemblyList : &session->srvReassemblyList;
wolfSSL	7:481bce714567	3145	word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3146	&session->cliExpected : &session->srvExpected;
wolfSSL	7:481bce714567	3147	/* buffer is on receiving end */
wolfSSL	7:481bce714567	3148	word32* length = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3149	&session->sslServer->buffers.inputBuffer.length :
wolfSSL	7:481bce714567	3150	&session->sslClient->buffers.inputBuffer.length;
wolfSSL	7:481bce714567	3151	byte** myBuffer = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3152	&session->sslServer->buffers.inputBuffer.buffer :
wolfSSL	7:481bce714567	3153	&session->sslClient->buffers.inputBuffer.buffer;
wolfSSL	7:481bce714567	3154	word32* bufferSize = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3155	&session->sslServer->buffers.inputBuffer.bufferSize :
wolfSSL	7:481bce714567	3156	&session->sslClient->buffers.inputBuffer.bufferSize;
wolfSSL	7:481bce714567	3157	SSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3158	session->sslServer : session->sslClient;
wolfSSL	7:481bce714567	3159	word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3160	&session->cliReassemblyMemory : &session->srvReassemblyMemory;
wolfSSL	7:481bce714567	3161
wolfSSL	7:481bce714567	3162	while (front && ((front)->begin == *expected) ) {
wolfSSL	7:481bce714567	3163	word32 room = bufferSize - length;
wolfSSL	7:481bce714567	3164	word32 packetLen = (front)->end - (front)->begin + 1;
wolfSSL	7:481bce714567	3165
wolfSSL	7:481bce714567	3166	if (packetLen > room && *bufferSize < MAX_INPUT_SZ) {
wolfSSL	7:481bce714567	3167	if (GrowInputBuffer(ssl, packetLen, *length) < 0) {
wolfSSL	7:481bce714567	3168	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3169	return 0;
wolfSSL	7:481bce714567	3170	}
wolfSSL	7:481bce714567	3171	room = bufferSize - length; /* bufferSize is now bigger */
wolfSSL	7:481bce714567	3172	}
wolfSSL	7:481bce714567	3173
wolfSSL	7:481bce714567	3174	if (packetLen <= room) {
wolfSSL	7:481bce714567	3175	PacketBuffer* del = *front;
wolfSSL	7:481bce714567	3176	byte* buf = *myBuffer;
wolfSSL	7:481bce714567	3177
wolfSSL	7:481bce714567	3178	XMEMCPY(&buf[length], (front)->data, packetLen);
wolfSSL	7:481bce714567	3179	*length += packetLen;
wolfSSL	7:481bce714567	3180	*expected += packetLen;
wolfSSL	7:481bce714567	3181
wolfSSL	7:481bce714567	3182	/* remove used packet */
wolfSSL	7:481bce714567	3183	front = (front)->next;
wolfSSL	7:481bce714567	3184
wolfSSL	7:481bce714567	3185	*reassemblyMemory -= packetLen;
wolfSSL	7:481bce714567	3186	FreePacketBuffer(del);
wolfSSL	7:481bce714567	3187
wolfSSL	7:481bce714567	3188	moreInput = 1;
wolfSSL	7:481bce714567	3189	}
wolfSSL	7:481bce714567	3190	else
wolfSSL	7:481bce714567	3191	break;
wolfSSL	7:481bce714567	3192	}
wolfSSL	7:481bce714567	3193	if (moreInput) {
wolfSSL	7:481bce714567	3194	sslFrame = myBuffer;
wolfSSL	7:481bce714567	3195	sslBytes = length;
wolfSSL	7:481bce714567	3196	end = myBuffer + *length;
wolfSSL	7:481bce714567	3197	}
wolfSSL	7:481bce714567	3198	return moreInput;
wolfSSL	7:481bce714567	3199	}
wolfSSL	7:481bce714567	3200
wolfSSL	7:481bce714567	3201
wolfSSL	7:481bce714567	3202
wolfSSL	7:481bce714567	3203	/* Process Message(s) from sslFrame */
wolfSSL	7:481bce714567	3204	/* return Number of bytes on success, 0 for no data yet, and -1 on error */
wolfSSL	7:481bce714567	3205	static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
wolfSSL	7:481bce714567	3206	int sslBytes, byte** data, const byte* end,
wolfSSL	7:481bce714567	3207	char* error)
wolfSSL	7:481bce714567	3208	{
wolfSSL	7:481bce714567	3209	const byte* sslBegin = sslFrame;
wolfSSL	7:481bce714567	3210	const byte* recordEnd; /* end of record indicator */
wolfSSL	7:481bce714567	3211	const byte* inRecordEnd; /* indicator from input stream not decrypt */
wolfSSL	7:481bce714567	3212	RecordLayerHeader rh;
wolfSSL	7:481bce714567	3213	int rhSize = 0;
wolfSSL	7:481bce714567	3214	int ret;
wolfSSL	7:481bce714567	3215	int errCode = 0;
wolfSSL	7:481bce714567	3216	int decoded = 0; /* bytes stored for user in data */
wolfSSL	7:481bce714567	3217	int notEnough; /* notEnough bytes yet flag */
wolfSSL	7:481bce714567	3218	int decrypted = 0; /* was current msg decrypted */
wolfSSL	7:481bce714567	3219	SSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
wolfSSL	7:481bce714567	3220	session->sslServer : session->sslClient;
wolfSSL	7:481bce714567	3221	doMessage:
wolfSSL	7:481bce714567	3222	notEnough = 0;
wolfSSL	7:481bce714567	3223	if (sslBytes < 0) {
wolfSSL	7:481bce714567	3224	SetError(PACKET_HDR_SHORT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3225	return -1;
wolfSSL	7:481bce714567	3226	}
wolfSSL	7:481bce714567	3227	if (sslBytes >= RECORD_HEADER_SZ) {
wolfSSL	7:481bce714567	3228	if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) {
wolfSSL	7:481bce714567	3229	SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3230	return -1;
wolfSSL	7:481bce714567	3231	}
wolfSSL	7:481bce714567	3232	}
wolfSSL	7:481bce714567	3233	else
wolfSSL	7:481bce714567	3234	notEnough = 1;
wolfSSL	7:481bce714567	3235
wolfSSL	7:481bce714567	3236	if (notEnough \|\| rhSize > (sslBytes - RECORD_HEADER_SZ)) {
wolfSSL	7:481bce714567	3237	/* don't have enough input yet to process full SSL record */
wolfSSL	7:481bce714567	3238	Trace(PARTIAL_INPUT_STR);
wolfSSL	7:481bce714567	3239
wolfSSL	7:481bce714567	3240	/* store partial if not there already or we advanced */
wolfSSL	7:481bce714567	3241	if (ssl->buffers.inputBuffer.length == 0 \|\| sslBegin != sslFrame) {
wolfSSL	7:481bce714567	3242	if (sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) {
wolfSSL	7:481bce714567	3243	if (GrowInputBuffer(ssl, sslBytes, 0) < 0) {
wolfSSL	7:481bce714567	3244	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3245	return -1;
wolfSSL	7:481bce714567	3246	}
wolfSSL	7:481bce714567	3247	}
wolfSSL	7:481bce714567	3248	XMEMMOVE(ssl->buffers.inputBuffer.buffer, sslFrame, sslBytes);
wolfSSL	7:481bce714567	3249	ssl->buffers.inputBuffer.length = sslBytes;
wolfSSL	7:481bce714567	3250	}
wolfSSL	7:481bce714567	3251	if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
wolfSSL	7:481bce714567	3252	goto doMessage;
wolfSSL	7:481bce714567	3253	return decoded;
wolfSSL	7:481bce714567	3254	}
wolfSSL	7:481bce714567	3255	sslFrame += RECORD_HEADER_SZ;
wolfSSL	7:481bce714567	3256	sslBytes -= RECORD_HEADER_SZ;
wolfSSL	7:481bce714567	3257	recordEnd = sslFrame + rhSize; /* may have more than one record */
wolfSSL	7:481bce714567	3258	inRecordEnd = recordEnd;
wolfSSL	7:481bce714567	3259
wolfSSL	7:481bce714567	3260	/* decrypt if needed */
wolfSSL	7:481bce714567	3261	if ((session->flags.side == WOLFSSL_SERVER_END &&
wolfSSL	7:481bce714567	3262	session->flags.serverCipherOn)
wolfSSL	7:481bce714567	3263	\|\| (session->flags.side == WOLFSSL_CLIENT_END &&
wolfSSL	7:481bce714567	3264	session->flags.clientCipherOn)) {
wolfSSL	7:481bce714567	3265	int ivAdvance = 0; /* TLSv1.1 advance amount */
wolfSSL	7:481bce714567	3266	if (ssl->decrypt.setup != 1) {
wolfSSL	7:481bce714567	3267	SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3268	return -1;
wolfSSL	7:481bce714567	3269	}
wolfSSL	7:481bce714567	3270	if (CheckAvailableSize(ssl, rhSize) < 0) {
wolfSSL	7:481bce714567	3271	SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3272	return -1;
wolfSSL	7:481bce714567	3273	}
wolfSSL	7:481bce714567	3274	sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
wolfSSL	7:481bce714567	3275	ssl->buffers.outputBuffer.buffer, &errCode,
wolfSSL	7:481bce714567	3276	&ivAdvance);
wolfSSL	7:481bce714567	3277	recordEnd = sslFrame - ivAdvance + rhSize; /* sslFrame moved so
wolfSSL	7:481bce714567	3278	should recordEnd */
wolfSSL	7:481bce714567	3279	decrypted = 1;
wolfSSL	7:481bce714567	3280	if (errCode != 0) {
wolfSSL	7:481bce714567	3281	SetError(BAD_DECRYPT, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3282	return -1;
wolfSSL	7:481bce714567	3283	}
wolfSSL	7:481bce714567	3284	}
wolfSSL	7:481bce714567	3285
wolfSSL	7:481bce714567	3286	doPart:
wolfSSL	7:481bce714567	3287
wolfSSL	7:481bce714567	3288	switch ((enum ContentType)rh.type) {
wolfSSL	7:481bce714567	3289	case handshake:
wolfSSL	7:481bce714567	3290	{
wolfSSL	7:481bce714567	3291	int startIdx = sslBytes;
wolfSSL	7:481bce714567	3292	int used;
wolfSSL	7:481bce714567	3293
wolfSSL	7:481bce714567	3294	Trace(GOT_HANDSHAKE_STR);
wolfSSL	7:481bce714567	3295	ret = DoHandShake(sslFrame, &sslBytes, session, error);
wolfSSL	7:481bce714567	3296	if (ret != 0) {
wolfSSL	7:481bce714567	3297	if (session->flags.fatalError == 0)
wolfSSL	7:481bce714567	3298	SetError(BAD_HANDSHAKE_STR, error, session,
wolfSSL	7:481bce714567	3299	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3300	return -1;
wolfSSL	7:481bce714567	3301	}
wolfSSL	7:481bce714567	3302
wolfSSL	7:481bce714567	3303	/* DoHandShake now fully decrements sslBytes to remaining */
wolfSSL	7:481bce714567	3304	used = startIdx - sslBytes;
wolfSSL	7:481bce714567	3305	sslFrame += used;
wolfSSL	7:481bce714567	3306	if (decrypted)
wolfSSL	7:481bce714567	3307	sslFrame += ssl->keys.padSz;
wolfSSL	7:481bce714567	3308	}
wolfSSL	7:481bce714567	3309	break;
wolfSSL	7:481bce714567	3310	case change_cipher_spec:
wolfSSL	7:481bce714567	3311	if (session->flags.side == WOLFSSL_SERVER_END)
wolfSSL	7:481bce714567	3312	session->flags.serverCipherOn = 1;
wolfSSL	7:481bce714567	3313	else
wolfSSL	7:481bce714567	3314	session->flags.clientCipherOn = 1;
wolfSSL	7:481bce714567	3315	Trace(GOT_CHANGE_CIPHER_STR);
wolfSSL	7:481bce714567	3316	ssl->options.handShakeState = HANDSHAKE_DONE;
wolfSSL	7:481bce714567	3317	ssl->options.handShakeDone = 1;
wolfSSL	7:481bce714567	3318
wolfSSL	7:481bce714567	3319	sslFrame += 1;
wolfSSL	7:481bce714567	3320	sslBytes -= 1;
wolfSSL	7:481bce714567	3321
wolfSSL	7:481bce714567	3322	break;
wolfSSL	7:481bce714567	3323	case application_data:
wolfSSL	7:481bce714567	3324	Trace(GOT_APP_DATA_STR);
wolfSSL	7:481bce714567	3325	{
wolfSSL	7:481bce714567	3326	word32 inOutIdx = 0;
wolfSSL	7:481bce714567	3327
wolfSSL	7:481bce714567	3328	ret = DoApplicationData(ssl, (byte*)sslFrame, &inOutIdx);
wolfSSL	7:481bce714567	3329	if (ret == 0) {
wolfSSL	7:481bce714567	3330	ret = ssl->buffers.clearOutputBuffer.length;
wolfSSL	7:481bce714567	3331	TraceGotData(ret);
wolfSSL	7:481bce714567	3332	if (ret) { /* may be blank message */
wolfSSL	7:481bce714567	3333	byte* tmpData; /* don't leak on realloc free */
wolfSSL	7:481bce714567	3334	/* add an extra byte at end of allocation in case user
wolfSSL	7:481bce714567	3335	* wants to null terminate plaintext */
wolfSSL	7:481bce714567	3336	tmpData = (byte)realloc(data, decoded + ret + 1);
wolfSSL	7:481bce714567	3337	if (tmpData == NULL) {
wolfSSL	7:481bce714567	3338	ForceZero(*data, decoded);
wolfSSL	7:481bce714567	3339	free(*data);
wolfSSL	7:481bce714567	3340	*data = NULL;
wolfSSL	7:481bce714567	3341	SetError(MEMORY_STR, error, session,
wolfSSL	7:481bce714567	3342	FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3343	return -1;
wolfSSL	7:481bce714567	3344	}
wolfSSL	7:481bce714567	3345	*data = tmpData;
wolfSSL	7:481bce714567	3346	XMEMCPY(*data + decoded,
wolfSSL	7:481bce714567	3347	ssl->buffers.clearOutputBuffer.buffer, ret);
wolfSSL	7:481bce714567	3348	TraceAddedData(ret, decoded);
wolfSSL	7:481bce714567	3349	decoded += ret;
wolfSSL	7:481bce714567	3350	ssl->buffers.clearOutputBuffer.length = 0;
wolfSSL	7:481bce714567	3351	}
wolfSSL	7:481bce714567	3352	}
wolfSSL	7:481bce714567	3353	else {
wolfSSL	7:481bce714567	3354	SetError(BAD_APP_DATA_STR, error,session,FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3355	return -1;
wolfSSL	7:481bce714567	3356	}
wolfSSL	7:481bce714567	3357	if (ssl->buffers.outputBuffer.dynamicFlag)
wolfSSL	7:481bce714567	3358	ShrinkOutputBuffer(ssl);
wolfSSL	7:481bce714567	3359
wolfSSL	7:481bce714567	3360	sslFrame += inOutIdx;
wolfSSL	7:481bce714567	3361	sslBytes -= inOutIdx;
wolfSSL	7:481bce714567	3362	}
wolfSSL	7:481bce714567	3363	break;
wolfSSL	7:481bce714567	3364	case alert:
wolfSSL	7:481bce714567	3365	Trace(GOT_ALERT_STR);
wolfSSL	7:481bce714567	3366	sslFrame += rhSize;
wolfSSL	7:481bce714567	3367	sslBytes -= rhSize;
wolfSSL	7:481bce714567	3368	break;
wolfSSL	7:481bce714567	3369	case no_type:
wolfSSL	7:481bce714567	3370	default:
wolfSSL	7:481bce714567	3371	SetError(GOT_UNKNOWN_RECORD_STR, error, session, FATAL_ERROR_STATE);
wolfSSL	7:481bce714567	3372	return -1;
wolfSSL	7:481bce714567	3373	}
wolfSSL	7:481bce714567	3374
wolfSSL	7:481bce714567	3375	/* do we have another msg in record ? */
wolfSSL	7:481bce714567	3376	if (sslFrame < recordEnd) {
wolfSSL	7:481bce714567	3377	Trace(ANOTHER_MSG_STR);
wolfSSL	7:481bce714567	3378	goto doPart;
wolfSSL	7:481bce714567	3379	}
wolfSSL	7:481bce714567	3380
wolfSSL	7:481bce714567	3381	/* back to input stream instead of potential decrypt buffer */
wolfSSL	7:481bce714567	3382	recordEnd = inRecordEnd;
wolfSSL	7:481bce714567	3383
wolfSSL	7:481bce714567	3384	/* do we have more records ? */
wolfSSL	7:481bce714567	3385	if (recordEnd < end) {
wolfSSL	7:481bce714567	3386	Trace(ANOTHER_MSG_STR);
wolfSSL	7:481bce714567	3387	sslFrame = recordEnd;
wolfSSL	7:481bce714567	3388	sslBytes = (int)(end - recordEnd);
wolfSSL	7:481bce714567	3389	goto doMessage;
wolfSSL	7:481bce714567	3390	}
wolfSSL	7:481bce714567	3391
wolfSSL	7:481bce714567	3392	/* clear used input */
wolfSSL	7:481bce714567	3393	ssl->buffers.inputBuffer.length = 0;
wolfSSL	7:481bce714567	3394
wolfSSL	7:481bce714567	3395	/* could have more input ready now */
wolfSSL	7:481bce714567	3396	if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
wolfSSL	7:481bce714567	3397	goto doMessage;
wolfSSL	7:481bce714567	3398
wolfSSL	7:481bce714567	3399	if (ssl->buffers.inputBuffer.dynamicFlag)
wolfSSL	7:481bce714567	3400	ShrinkInputBuffer(ssl, NO_FORCED_FREE);
wolfSSL	7:481bce714567	3401
wolfSSL	7:481bce714567	3402	return decoded;
wolfSSL	7:481bce714567	3403	}
wolfSSL	7:481bce714567	3404
wolfSSL	7:481bce714567	3405
wolfSSL	7:481bce714567	3406	/* See if we need to process any pending FIN captures */
wolfSSL	7:481bce714567	3407	static void CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	7:481bce714567	3408	SnifferSession* session)
wolfSSL	7:481bce714567	3409	{
wolfSSL	7:481bce714567	3410	if (session->finCaputre.cliFinSeq && session->finCaputre.cliFinSeq <=
wolfSSL	7:481bce714567	3411	session->cliExpected) {
wolfSSL	7:481bce714567	3412	if (session->finCaputre.cliCounted == 0) {
wolfSSL	7:481bce714567	3413	session->flags.finCount += 1;
wolfSSL	7:481bce714567	3414	session->finCaputre.cliCounted = 1;
wolfSSL	7:481bce714567	3415	TraceClientFin(session->finCaputre.cliFinSeq, session->cliExpected);
wolfSSL	7:481bce714567	3416	}
wolfSSL	7:481bce714567	3417	}
wolfSSL	7:481bce714567	3418
wolfSSL	7:481bce714567	3419	if (session->finCaputre.srvFinSeq && session->finCaputre.srvFinSeq <=
wolfSSL	7:481bce714567	3420	session->srvExpected) {
wolfSSL	7:481bce714567	3421	if (session->finCaputre.srvCounted == 0) {
wolfSSL	7:481bce714567	3422	session->flags.finCount += 1;
wolfSSL	7:481bce714567	3423	session->finCaputre.srvCounted = 1;
wolfSSL	7:481bce714567	3424	TraceServerFin(session->finCaputre.srvFinSeq, session->srvExpected);
wolfSSL	7:481bce714567	3425	}
wolfSSL	7:481bce714567	3426	}
wolfSSL	7:481bce714567	3427
wolfSSL	7:481bce714567	3428	if (session->flags.finCount >= 2)
wolfSSL	7:481bce714567	3429	RemoveSession(session, ipInfo, tcpInfo, 0);
wolfSSL	7:481bce714567	3430	}
wolfSSL	7:481bce714567	3431
wolfSSL	7:481bce714567	3432
wolfSSL	7:481bce714567	3433	/* If session is in fatal error state free resources now
wolfSSL	7:481bce714567	3434	return true if removed, 0 otherwise */
wolfSSL	7:481bce714567	3435	static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
wolfSSL	7:481bce714567	3436	SnifferSession* session, char* error)
wolfSSL	7:481bce714567	3437	{
wolfSSL	7:481bce714567	3438	if (session && session->flags.fatalError == FATAL_ERROR_STATE) {
wolfSSL	7:481bce714567	3439	RemoveSession(session, ipInfo, tcpInfo, 0);
wolfSSL	7:481bce714567	3440	SetError(FATAL_ERROR_STR, error, NULL, 0);
wolfSSL	7:481bce714567	3441	return 1;
wolfSSL	7:481bce714567	3442	}
wolfSSL	7:481bce714567	3443	return 0;
wolfSSL	7:481bce714567	3444	}
wolfSSL	7:481bce714567	3445
wolfSSL	7:481bce714567	3446
wolfSSL	7:481bce714567	3447	/* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed */
wolfSSL	7:481bce714567	3448	/* returns Number of bytes on success, 0 for no data yet, and -1 on error */
wolfSSL	7:481bce714567	3449	int ssl_DecodePacket(const byte* packet, int length, byte** data, char* error)
wolfSSL	7:481bce714567	3450	{
wolfSSL	7:481bce714567	3451	TcpInfo tcpInfo;
wolfSSL	7:481bce714567	3452	IpInfo ipInfo;
wolfSSL	7:481bce714567	3453	const byte* sslFrame;
wolfSSL	7:481bce714567	3454	const byte* end = packet + length;
wolfSSL	7:481bce714567	3455	int sslBytes; /* ssl bytes unconsumed */
wolfSSL	7:481bce714567	3456	int ret;
wolfSSL	7:481bce714567	3457	SnifferSession* session = 0;
wolfSSL	7:481bce714567	3458
wolfSSL	7:481bce714567	3459	if (CheckHeaders(&ipInfo, &tcpInfo, packet, length, &sslFrame, &sslBytes,
wolfSSL	7:481bce714567	3460	error) != 0)
wolfSSL	7:481bce714567	3461	return -1;
wolfSSL	7:481bce714567	3462
wolfSSL	7:481bce714567	3463	ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
wolfSSL	7:481bce714567	3464	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	7:481bce714567	3465	else if (ret == -1) return -1;
wolfSSL	7:481bce714567	3466	else if (ret == 1) return 0; /* done for now */
wolfSSL	7:481bce714567	3467
wolfSSL	7:481bce714567	3468	ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error);
wolfSSL	7:481bce714567	3469	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	7:481bce714567	3470	else if (ret == -1) return -1;
wolfSSL	7:481bce714567	3471	else if (ret == 1) return 0; /* done for now */
wolfSSL	7:481bce714567	3472
wolfSSL	7:481bce714567	3473	ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes,
wolfSSL	7:481bce714567	3474	&end, error);
wolfSSL	7:481bce714567	3475	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	7:481bce714567	3476	else if (ret == -1) return -1;
wolfSSL	7:481bce714567	3477	else if (ret == 1) return 0; /* done for now */
wolfSSL	7:481bce714567	3478
wolfSSL	7:481bce714567	3479	ret = ProcessMessage(sslFrame, session, sslBytes, data, end, error);
wolfSSL	7:481bce714567	3480	if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
wolfSSL	7:481bce714567	3481	CheckFinCapture(&ipInfo, &tcpInfo, session);
wolfSSL	7:481bce714567	3482	return ret;
wolfSSL	7:481bce714567	3483	}
wolfSSL	7:481bce714567	3484
wolfSSL	7:481bce714567	3485
wolfSSL	7:481bce714567	3486	/* Deallocator for the decoded data buffer. */
wolfSSL	7:481bce714567	3487	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	3488	int ssl_FreeDecodeBuffer(byte** data, char* error)
wolfSSL	7:481bce714567	3489	{
wolfSSL	7:481bce714567	3490	return ssl_FreeZeroDecodeBuffer(data, 0, error);
wolfSSL	7:481bce714567	3491	}
wolfSSL	7:481bce714567	3492
wolfSSL	7:481bce714567	3493
wolfSSL	7:481bce714567	3494	/* Deallocator for the decoded data buffer, zeros out buffer. */
wolfSSL	7:481bce714567	3495	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	3496	int ssl_FreeZeroDecodeBuffer(byte** data, int sz, char* error)
wolfSSL	7:481bce714567	3497	{
wolfSSL	7:481bce714567	3498	(void)error;
wolfSSL	7:481bce714567	3499
wolfSSL	7:481bce714567	3500	if (sz < 0) {
wolfSSL	7:481bce714567	3501	return -1;
wolfSSL	7:481bce714567	3502	}
wolfSSL	7:481bce714567	3503
wolfSSL	7:481bce714567	3504	if (data != NULL) {
wolfSSL	7:481bce714567	3505	ForceZero(*data, (word32)sz);
wolfSSL	7:481bce714567	3506	free(*data);
wolfSSL	7:481bce714567	3507	*data = NULL;
wolfSSL	7:481bce714567	3508	}
wolfSSL	7:481bce714567	3509
wolfSSL	7:481bce714567	3510	return 0;
wolfSSL	7:481bce714567	3511	}
wolfSSL	7:481bce714567	3512
wolfSSL	7:481bce714567	3513
wolfSSL	7:481bce714567	3514	/* Enables (if traceFile)/ Disables debug tracing */
wolfSSL	7:481bce714567	3515	/* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	3516	int ssl_Trace(const char* traceFile, char* error)
wolfSSL	7:481bce714567	3517	{
wolfSSL	7:481bce714567	3518	if (traceFile) {
wolfSSL	7:481bce714567	3519	TraceFile = fopen(traceFile, "a");
wolfSSL	7:481bce714567	3520	if (!TraceFile) {
wolfSSL	7:481bce714567	3521	SetError(BAD_TRACE_FILE_STR, error, NULL, 0);
wolfSSL	7:481bce714567	3522	return -1;
wolfSSL	7:481bce714567	3523	}
wolfSSL	7:481bce714567	3524	TraceOn = 1;
wolfSSL	7:481bce714567	3525	}
wolfSSL	7:481bce714567	3526	else
wolfSSL	7:481bce714567	3527	TraceOn = 0;
wolfSSL	7:481bce714567	3528
wolfSSL	7:481bce714567	3529	return 0;
wolfSSL	7:481bce714567	3530	}
wolfSSL	7:481bce714567	3531
wolfSSL	7:481bce714567	3532
wolfSSL	7:481bce714567	3533	/* Enables/Disables Recovery of missed data if later packets allow
wolfSSL	7:481bce714567	3534	* maxMemory is number of bytes to use for reassembly buffering per session,
wolfSSL	7:481bce714567	3535	* -1 means unlimited
wolfSSL	7:481bce714567	3536	* returns 0 on success, -1 on error */
wolfSSL	7:481bce714567	3537	int ssl_EnableRecovery(int onOff, int maxMemory, char* error)
wolfSSL	7:481bce714567	3538	{
wolfSSL	7:481bce714567	3539	(void)error;
wolfSSL	7:481bce714567	3540
wolfSSL	7:481bce714567	3541	RecoveryEnabled = onOff;
wolfSSL	7:481bce714567	3542	if (onOff)
wolfSSL	7:481bce714567	3543	MaxRecoveryMemory = maxMemory;
wolfSSL	7:481bce714567	3544
wolfSSL	7:481bce714567	3545	return 0;
wolfSSL	7:481bce714567	3546	}
wolfSSL	7:481bce714567	3547
wolfSSL	7:481bce714567	3548
wolfSSL	7:481bce714567	3549
wolfSSL	7:481bce714567	3550	int ssl_GetSessionStats(unsigned int* active, unsigned int* total,
wolfSSL	7:481bce714567	3551	unsigned int* peak, unsigned int* maxSessions,
wolfSSL	7:481bce714567	3552	unsigned int* missedData, unsigned int* reassemblyMem,
wolfSSL	7:481bce714567	3553	char* error)
wolfSSL	7:481bce714567	3554	{
wolfSSL	7:481bce714567	3555	int ret;
wolfSSL	7:481bce714567	3556
wolfSSL	7:481bce714567	3557	if (missedData) {
wolfSSL	7:481bce714567	3558	wc_LockMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	3559	*missedData = MissedDataSessions;
wolfSSL	7:481bce714567	3560	wc_UnLockMutex(&RecoveryMutex);
wolfSSL	7:481bce714567	3561	}
wolfSSL	7:481bce714567	3562
wolfSSL	7:481bce714567	3563	if (reassemblyMem) {
wolfSSL	7:481bce714567	3564	SnifferSession* session;
wolfSSL	7:481bce714567	3565	int i;
wolfSSL	7:481bce714567	3566
wolfSSL	7:481bce714567	3567	*reassemblyMem = 0;
wolfSSL	7:481bce714567	3568	wc_LockMutex(&SessionMutex);
wolfSSL	7:481bce714567	3569	for (i = 0; i < HASH_SIZE; i++) {
wolfSSL	7:481bce714567	3570	session = SessionTable[i];
wolfSSL	7:481bce714567	3571	while (session) {
wolfSSL	7:481bce714567	3572	*reassemblyMem += session->cliReassemblyMemory;
wolfSSL	7:481bce714567	3573	*reassemblyMem += session->srvReassemblyMemory;
wolfSSL	7:481bce714567	3574	session = session->next;
wolfSSL	7:481bce714567	3575	}
wolfSSL	7:481bce714567	3576	}
wolfSSL	7:481bce714567	3577	wc_UnLockMutex(&SessionMutex);
wolfSSL	7:481bce714567	3578	}
wolfSSL	7:481bce714567	3579
wolfSSL	7:481bce714567	3580	ret = wolfSSL_get_session_stats(active, total, peak, maxSessions);
wolfSSL	7:481bce714567	3581
wolfSSL	7:481bce714567	3582	if (ret == SSL_SUCCESS)
wolfSSL	7:481bce714567	3583	return 0;
wolfSSL	7:481bce714567	3584	else {
wolfSSL	7:481bce714567	3585	SetError(BAD_SESSION_STATS, error, NULL, 0);
wolfSSL	7:481bce714567	3586	return -1;
wolfSSL	7:481bce714567	3587	}
wolfSSL	7:481bce714567	3588	}
wolfSSL	7:481bce714567	3589
wolfSSL	7:481bce714567	3590
wolfSSL	7:481bce714567	3591
wolfSSL	7:481bce714567	3592	#endif /* WOLFSSL_SNIFFER */
wolfSSL	7:481bce714567	3593	#endif /* WOLFCRYPT_ONLY */
wolfSSL	7:481bce714567	3594

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	26 Jun 2015
Imports:	673
Forks:	0
Commits:	18
Dependents:	29
Dependencies:	0
Followers:	21

src/sniffer.c@7:481bce714567, 2017-05-02 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning