wolfSSL SSL/TLS library, support up to TLS1.3


Committer:
wolfSSL
Date:
Fri Jun 05 00:11:07 2020 +0000
Revision:
17:a5f916481144
Parent:
16:8e0d178b1d1e
wolfSSL 4.4.0

wolfSSL 15:117db924cf7c 1 /* sniffer.c
wolfSSL 15:117db924cf7c 2 *
wolfSSL 16:8e0d178b1d1e 3 * Copyright (C) 2006-2020 wolfSSL Inc.
wolfSSL 15:117db924cf7c 4 *
wolfSSL 15:117db924cf7c 5 * This file is part of wolfSSL.
wolfSSL 15:117db924cf7c 6 *
wolfSSL 15:117db924cf7c 7 * wolfSSL is free software; you can redistribute it and/or modify
wolfSSL 15:117db924cf7c 8 * it under the terms of the GNU General Public License as published by
wolfSSL 15:117db924cf7c 9 * the Free Software Foundation; either version 2 of the License, or
wolfSSL 15:117db924cf7c 10 * (at your option) any later version.
wolfSSL 15:117db924cf7c 11 *
wolfSSL 15:117db924cf7c 12 * wolfSSL is distributed in the hope that it will be useful,
wolfSSL 15:117db924cf7c 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
wolfSSL 15:117db924cf7c 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
wolfSSL 15:117db924cf7c 15 * GNU General Public License for more details.
wolfSSL 15:117db924cf7c 16 *
wolfSSL 15:117db924cf7c 17 * You should have received a copy of the GNU General Public License
wolfSSL 15:117db924cf7c 18 * along with this program; if not, write to the Free Software
wolfSSL 15:117db924cf7c 19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
wolfSSL 15:117db924cf7c 20 */
wolfSSL 15:117db924cf7c 21
wolfSSL 15:117db924cf7c 22
wolfSSL 15:117db924cf7c 23 #ifdef HAVE_CONFIG_H
wolfSSL 15:117db924cf7c 24 #include <config.h>
wolfSSL 15:117db924cf7c 25 #endif
wolfSSL 15:117db924cf7c 26
wolfSSL 15:117db924cf7c 27 #include <wolfssl/wolfcrypt/settings.h>
wolfSSL 15:117db924cf7c 28
wolfSSL 15:117db924cf7c 29 #ifndef WOLFCRYPT_ONLY
wolfSSL 15:117db924cf7c 30 #ifdef WOLFSSL_SNIFFER
wolfSSL 15:117db924cf7c 31
wolfSSL 15:117db924cf7c 32 #include <assert.h>
wolfSSL 15:117db924cf7c 33 #include <time.h>
wolfSSL 15:117db924cf7c 34
wolfSSL 15:117db924cf7c 35 #ifndef _WIN32
wolfSSL 15:117db924cf7c 36 #include <arpa/inet.h>
wolfSSL 16:8e0d178b1d1e 37 #else
wolfSSL 16:8e0d178b1d1e 38 #include <WS2tcpip.h>
wolfSSL 15:117db924cf7c 39 #endif
wolfSSL 15:117db924cf7c 40
wolfSSL 15:117db924cf7c 41 #ifdef _WIN32
wolfSSL 15:117db924cf7c 42 #define SNPRINTF _snprintf
wolfSSL 15:117db924cf7c 43 #else
wolfSSL 15:117db924cf7c 44 #define SNPRINTF snprintf
wolfSSL 15:117db924cf7c 45 #endif
wolfSSL 15:117db924cf7c 46
wolfSSL 15:117db924cf7c 47 #include <wolfssl/openssl/ssl.h>
wolfSSL 15:117db924cf7c 48 #include <wolfssl/internal.h>
wolfSSL 15:117db924cf7c 49 #include <wolfssl/error-ssl.h>
wolfSSL 15:117db924cf7c 50 #include <wolfssl/sniffer.h>
wolfSSL 15:117db924cf7c 51 #include <wolfssl/sniffer_error.h>
wolfSSL 15:117db924cf7c 52 #ifdef NO_INLINE
wolfSSL 15:117db924cf7c 53 #include <wolfssl/wolfcrypt/misc.h>
wolfSSL 15:117db924cf7c 54 #else
wolfSSL 15:117db924cf7c 55 #define WOLFSSL_MISC_INCLUDED
wolfSSL 15:117db924cf7c 56 #include <wolfcrypt/src/misc.c>
wolfSSL 15:117db924cf7c 57 #endif
wolfSSL 15:117db924cf7c 58
wolfSSL 16:8e0d178b1d1e 59 #ifdef WOLF_CRYPTO_CB
wolfSSL 16:8e0d178b1d1e 60 #include <wolfssl/wolfcrypt/cryptocb.h>
wolfSSL 16:8e0d178b1d1e 61 #ifdef HAVE_INTEL_QA_SYNC
wolfSSL 16:8e0d178b1d1e 62 #include <wolfssl/wolfcrypt/port/intel/quickassist_sync.h>
wolfSSL 16:8e0d178b1d1e 63 #endif
wolfSSL 16:8e0d178b1d1e 64 #ifdef HAVE_CAVIUM_OCTEON_SYNC
wolfSSL 16:8e0d178b1d1e 65 #include <wolfssl/wolfcrypt/port/cavium/cavium_octeon_sync.h>
wolfSSL 16:8e0d178b1d1e 66 #endif
wolfSSL 16:8e0d178b1d1e 67 #endif
wolfSSL 16:8e0d178b1d1e 68
wolfSSL 15:117db924cf7c 69
#ifndef WOLFSSL_SNIFFER_TIMEOUT
#define WOLFSSL_SNIFFER_TIMEOUT 900
/* Seconds an unclosed session stays cached after its last use (15 minutes,
 * compared against SnifferSession.lastUsed).  Build-time override allowed;
 * a larger value keeps more per-session state (and decrypt keys) resident. */
#endif
wolfSSL 15:117db924cf7c 74
wolfSSL 15:117db924cf7c 75 /* Misc constants */
/* Misc constants, grouped by what they bound. */

/* Fixed buffer sizes used by this file */
enum {
    MAX_SERVER_ADDRESS = 128,   /* maximum server address length */
    MAX_SERVER_NAME    = 128,   /* maximum server (SNI) name length */
    MAX_ERROR_LEN      = 80,    /* maximum error string length, incl. NUL */
    TRACE_MSG_SZ       = 80,    /* trace message buffer size */
    MAX_INPUT_SZ       = MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA +
                         MTU_EXTRA   /* max input size of reassembly */
};

/* Link / network / transport layer constants */
enum {
    ETHER_IF_ADDR_LEN = 6,      /* ethernet interface address length */
    LOCAL_IF_ADDR_LEN = 4,      /* localhost interface address length, !windows */
    TCP_PROTO         = 6,      /* TCP protocol id (same value as TCP_PROTOCOL) */
    TCP_PROTOCOL      = 6,      /* TCP protocol id */
    IP_HDR_SZ         = 20,     /* IPv4 header length, min */
    IP6_HDR_SZ        = 40,     /* IPv6 header length, min */
    TCP_HDR_SZ        = 20,     /* TCP header length, min */
    IPV4              = 4,      /* IP version 4 */
    IPV6              = 6,      /* IP version 6 */
    NO_NEXT_HEADER    = 59,     /* IPv6: no headers follow */
    PSEUDO_HDR_SZ     = 12      /* TCP pseudo header size in bytes */
};

/* Session table and TLS protocol constants */
enum {
    HASH_SIZE         = 499,    /* session hash table rows */
    FATAL_ERROR_STATE = 1,      /* SnifferSession fatal error state */
    TICKET_HINT_LEN   = 4,      /* session ticket lifetime hint length */
    EXT_TYPE_SZ       = 2,      /* extension type field length */
    EXT_MASTER_SECRET = 0x17,   /* Extended Master Secret extension id */
    TICKET_EXT_ID     = 0x23    /* Session Ticket extension id */
};
wolfSSL 15:117db924cf7c 101
wolfSSL 15:117db924cf7c 102
wolfSSL 15:117db924cf7c 103 #ifdef _WIN32
wolfSSL 15:117db924cf7c 104
static HMODULE dllModule; /* our module handle, saved in DllMain; the Windows
                           * GetError passes it to LoadStringA to fetch
                           * error strings from the .rc resource table */
wolfSSL 15:117db924cf7c 106
/* DLL entry point (Windows only).
 * On the first DLL_PROCESS_ATTACH it records hModule in dllModule (needed by
 * GetError for string resources) and runs ssl_InitSniffer(); on
 * DLL_PROCESS_DETACH it runs ssl_FreeSniffer() if that init happened.
 * Thread attach/detach are no-ops.  Always returns TRUE.
 * NOTE(review): ssl_InitSniffer runs here under the Windows loader lock;
 * confirm it does not create threads or load further DLLs from DllMain. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    static int didInit = 0;

    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        if (!didInit) {
            dllModule = hModule;
            ssl_InitSniffer();
            didInit = 1;
        }
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
        if (didInit) {
            ssl_FreeSniffer();
            didInit = 0;
        }
    }
    /* DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do */

    return TRUE;
}
wolfSSL 15:117db924cf7c 136
wolfSSL 15:117db924cf7c 137 #endif /* _WIN32 */
wolfSSL 15:117db924cf7c 138
wolfSSL 15:117db924cf7c 139
static WOLFSSL_GLOBAL int TraceOn = 0; /* Trace is off by default */
static WOLFSSL_GLOBAL FILE* TraceFile = 0; /* trace output stream; presumably opened
                                            * by a trace-enable routine outside this
                                            * view (see "Can't Open Trace File") */
wolfSSL 15:117db924cf7c 142
wolfSSL 15:117db924cf7c 143
wolfSSL 15:117db924cf7c 144 /* windows uses .rc table for this */
wolfSSL 15:117db924cf7c 145 #ifndef _WIN32
wolfSSL 15:117db924cf7c 146
/* Error / trace message table for non-Windows builds.
 * GetError() below maps a sniffer error code idx to msgTable[idx - 1], so an
 * entry's position IS its code: never reorder or insert in the middle, only
 * append.  Presumably the codes are those in sniffer_error.h and mirrored by
 * the Windows .rc string table — keep all three in step when adding one. */
static const char* const msgTable[] =
{
    /* 1 */
    "Out of Memory",
    "New SSL Sniffer Server Registered",
    "Checking IP Header",
    "SSL Sniffer Server Not Registered",
    "Checking TCP Header",

    /* 6 */
    "SSL Sniffer Server Port Not Registered",
    "RSA Private Decrypt Error",
    "RSA Private Decode Error",
    "Set Cipher Spec Error",
    "Server Hello Input Malformed",

    /* 11 */
    "Couldn't Resume Session Error",
    "Server Did Resumption",
    "Client Hello Input Malformed",
    "Client Trying to Resume",
    "Handshake Input Malformed",

    /* 16 */
    "Got Hello Verify msg",
    "Got Server Hello msg",
    "Got Cert Request msg",
    "Got Server Key Exchange msg",
    "Got Cert msg",

    /* 21 */
    "Got Server Hello Done msg",
    "Got Finished msg",
    "Got Client Hello msg",
    "Got Client Key Exchange msg",
    "Got Cert Verify msg",

    /* 26 */
    "Got Unknown Handshake msg",
    "New SSL Sniffer Session created",
    "Couldn't create new SSL",
    "Got a Packet to decode",
    "No data present",

    /* 31 */
    "Session Not Found",
    "Got an Old Client Hello msg",
    "Old Client Hello Input Malformed",
    "Old Client Hello OK",
    "Bad Old Client Hello",

    /* 36 */
    "Bad Record Header",
    "Record Header Input Malformed",
    "Got a HandShake msg",
    "Bad HandShake msg",
    "Got a Change Cipher Spec msg",

    /* 41 */
    "Got Application Data msg",
    "Bad Application Data",
    "Got an Alert msg",
    "Another msg to Process",
    "Removing Session From Table",

    /* 46 */
    "Bad Key File",
    "Wrong IP Version",
    "Wrong Protocol type",
    "Packet Short for header processing",
    "Got Unknown Record Type",

    /* 51 */
    "Can't Open Trace File",
    "Session in Fatal Error State",
    "Partial SSL record received",
    "Buffer Error, malformed input",
    "Added to Partial Input",

    /* 56 */
    "Received a Duplicate Packet",
    "Received an Out of Order Packet",
    "Received an Overlap Duplicate Packet",
    "Received an Overlap Reassembly Begin Duplicate Packet",
    "Received an Overlap Reassembly End Duplicate Packet",

    /* 61 */
    "Missed the Client Hello Entirely",
    "Got Hello Request msg",
    "Got Session Ticket msg",
    "Bad Input",
    "Bad Decrypt Type",

    /* 66 */
    "Bad Finished Message Processing",
    "Bad Compression Type",
    "Bad DeriveKeys Error",
    "Saw ACK for Missing Packet Error",
    "Bad Decrypt Operation",

    /* 71 */
    "Decrypt Keys Not Set Up",
    "Late Key Load Error",
    "Got Certificate Status msg",
    "RSA Key Missing Error",
    "Secure Renegotiation Not Supported",

    /* 76 */
    "Get Session Stats Failure",
    "Reassembly Buffer Size Exceeded",
    "Dropping Lost Fragment",
    "Dropping Partial Record",
    "Clear ACK Fault",

    /* 81 */
    "Bad Decrypt Size",
    "Extended Master Secret Hash Error",
    "Handshake Message Split Across TLS Records",
    "ECC Private Decode Error",
    "ECC Public Decode Error",

    /* 86 */
    "Watch callback not set",
    "Watch hash failed",
    "Watch callback failed",
    "Bad Certificate Message",
    "Store data callback not set",

    /* 91 */
    "No data destination Error",
    "Store data callback failed",
    "Loading chain input"   /* 93: last entry — append new codes after this */
};
wolfSSL 15:117db924cf7c 280
wolfSSL 15:117db924cf7c 281
wolfSSL 15:117db924cf7c 282 /* *nix version uses table above */
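/* *nix version uses table above.
 * Copies the message for sniffer error code idx (1-based) into str, which
 * must hold at least MAX_ERROR_LEN bytes; the result is always NUL-terminated
 * and at most MAX_ERROR_LEN-1 characters long.
 * A code outside the table now yields an empty string instead of reading
 * msgTable out of bounds, which is also what the Windows GetError does when
 * LoadStringA finds no resource for idx. */
static void GetError(int idx, char* str)
{
    const int msgCount = (int)(sizeof(msgTable) / sizeof(msgTable[0]));

    if (idx < 1 || idx > msgCount) {
        str[0] = '\0';
        return;
    }
    XSTRNCPY(str, msgTable[idx - 1], MAX_ERROR_LEN-1);
    str[MAX_ERROR_LEN-1] = '\0';
}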
wolfSSL 15:117db924cf7c 288
wolfSSL 15:117db924cf7c 289
wolfSSL 15:117db924cf7c 290 #else /* _WIN32 */
wolfSSL 15:117db924cf7c 291
wolfSSL 15:117db924cf7c 292
wolfSSL 15:117db924cf7c 293 /* Windows version uses .rc table */
/* Windows version uses .rc table: loads string resource idx from dllModule
 * into buffer (MAX_ERROR_LEN bytes, LoadStringA NUL-terminates).  When no
 * resource exists for idx the buffer is left as an empty string. */
static void GetError(int idx, char* buffer)
{
    int copied = LoadStringA(dllModule, idx, buffer, MAX_ERROR_LEN);

    if (copied == 0) {
        buffer[0] = '\0';
    }
}
wolfSSL 15:117db924cf7c 299
wolfSSL 15:117db924cf7c 300
wolfSSL 15:117db924cf7c 301 #endif /* _WIN32 */
wolfSSL 15:117db924cf7c 302
wolfSSL 15:117db924cf7c 303
wolfSSL 15:117db924cf7c 304 /* Packet Buffer for reassembly list and ready list */
/* Packet Buffer for reassembly list and ready list.
 * Owns `data` (freed by FreePacketBuffer); `begin`/`end` are sequence numbers
 * relative to the session's start sequence, not absolute TCP sequence numbers. */
typedef struct PacketBuffer {
    word32 begin; /* relative sequence begin */
    word32 end; /* relative sequence end */
    byte* data; /* actual data, owned by this buffer */
    struct PacketBuffer* next; /* next on reassembly list or ready list */
} PacketBuffer;
wolfSSL 15:117db924cf7c 311
wolfSSL 15:117db924cf7c 312
wolfSSL 15:117db924cf7c 313 #ifdef HAVE_SNI
wolfSSL 15:117db924cf7c 314
wolfSSL 15:117db924cf7c 315 /* NamedKey maps a SNI name to a specific private key */
/* NamedKey maps a SNI name to a specific private key.
 * `key` is sensitive material: FreeNamedKey ForceZero()s it before release,
 * so never free a NamedKey by any other path. */
typedef struct NamedKey {
    char name[MAX_SERVER_NAME]; /* server DNS name */
    word32 nameSz; /* size of server DNS name */
    byte* key; /* DER private key (owned, scrubbed on free) */
    word32 keySz; /* size of DER private key */
    struct NamedKey* next; /* for list */
} NamedKey;
wolfSSL 15:117db924cf7c 323
wolfSSL 15:117db924cf7c 324 #endif
wolfSSL 15:117db924cf7c 325
wolfSSL 15:117db924cf7c 326
/* IP address in network byte order, v4 or v6 selected by `version`
 * (presumably IPV4 / IPV6 from the enum above — confirm against the users).
 * The anonymous union is C11 (or a pre-C11 compiler extension); only the
 * member matching `version` is meaningful. */
typedef struct IpAddrInfo {
    int version;
    union {
        word32 ip4; /* IPv4 address, network order */
        byte ip6[16]; /* IPv6 address, network order */
    };
} IpAddrInfo;
wolfSSL 16:8e0d178b1d1e 334
wolfSSL 16:8e0d178b1d1e 335
wolfSSL 15:117db924cf7c 336 /* Sniffer Server holds info for each server/port monitored */
/* Sniffer Server holds info for each server/port monitored.
 * Freed by FreeSnifferServer, which also frees `ctx` and the namedKeys list. */
typedef struct SnifferServer {
    SSL_CTX* ctx; /* SSL context, owned */
    char address[MAX_SERVER_ADDRESS]; /* passed in server address */
    IpAddrInfo server; /* network order address */
    int port; /* server port */
#ifdef HAVE_SNI
    NamedKey* namedKeys; /* mapping of names and keys, owned */
    wolfSSL_Mutex namedKeysMutex; /* mutex for namedKey list */
#endif
    struct SnifferServer* next; /* for list (ServerList) */
} SnifferServer;
wolfSSL 15:117db924cf7c 348
wolfSSL 15:117db924cf7c 349
wolfSSL 15:117db924cf7c 350 /* Session Flags */
/* Session Flags (one byte each; treated as booleans unless noted) */
typedef struct Flags {
    byte side; /* which end is current packet headed */
    byte serverCipherOn; /* indicates whether cipher is active */
    byte clientCipherOn; /* indicates whether cipher is active */
    byte resuming; /* did this session come from resumption */
    byte cached; /* have we cached this session yet */
    byte clientHello; /* processed client hello yet, for SSLv2 */
    byte finCount; /* get both FINs before removing (counter, not bool) */
    byte fatalError; /* fatal error state (FATAL_ERROR_STATE) */
    byte cliAckFault; /* client acked unseen data from server */
    byte srvAckFault; /* server acked unseen data from client */
    byte cliSkipPartial; /* client skips partial data to catch up */
    byte srvSkipPartial; /* server skips partial data to catch up */
#ifdef HAVE_EXTENDED_MASTER
    byte expectEms; /* expect extended master secret */
#endif
} Flags;
wolfSSL 15:117db924cf7c 368
wolfSSL 15:117db924cf7c 369
wolfSSL 16:8e0d178b1d1e 370 /* Out of Order FIN capture */
/* Out of Order FIN capture.
 * (The tag is spelled "Caputre" and is referenced by SnifferSession; renaming
 * it is an API-wide change, so the typo is left as is.) */
typedef struct FinCaputre {
    word32 cliFinSeq; /* client relative sequence FIN, 0 is no FIN seen */
    word32 srvFinSeq; /* server relative sequence FIN, 0 is no FIN seen */
    byte cliCounted; /* did we count yet, detects duplicates */
    byte srvCounted; /* did we count yet, detects duplicates */
} FinCaputre;
wolfSSL 15:117db924cf7c 377
wolfSSL 15:117db924cf7c 378
/* Running handshake hashes kept by the sniffer itself; SnifferSession holds
 * one only under HAVE_EXTENDED_MASTER.  Which members exist depends on the
 * build's digest set. */
typedef struct HsHashes {
#ifndef NO_OLD_TLS
#ifndef NO_SHA
    wc_Sha hashSha;
#endif
#ifndef NO_MD5
    wc_Md5 hashMd5;
#endif
#endif
#ifndef NO_SHA256
    wc_Sha256 hashSha256;
#endif
#ifdef WOLFSSL_SHA384
    wc_Sha384 hashSha384;
#endif
} HsHashes;
wolfSSL 15:117db924cf7c 395
wolfSSL 15:117db924cf7c 396
wolfSSL 15:117db924cf7c 397 /* Sniffer Session holds info for each client/server SSL/TLS session */
/* Sniffer Session holds info for each client/server SSL/TLS session.
 * Freed by FreeSnifferSession, which releases both SSL objects, both
 * reassembly lists, ticketID and (if present) hash.  `context` is a
 * borrowed pointer into ServerList and is not freed here. */
typedef struct SnifferSession {
    SnifferServer* context; /* server context (borrowed) */
    SSL* sslServer; /* SSL server side decode, owned */
    SSL* sslClient; /* SSL client side decode, owned */
    IpAddrInfo server; /* server address in network byte order */
    IpAddrInfo client; /* client address in network byte order */
    word16 srvPort; /* server port */
    word16 cliPort; /* client port */
    word32 cliSeqStart; /* client start sequence */
    word32 srvSeqStart; /* server start sequence */
    word32 cliExpected; /* client expected sequence (relative) */
    word32 srvExpected; /* server expected sequence (relative) */
    FinCaputre finCaputre; /* retain out of order FIN s */
    Flags flags; /* session flags */
    time_t lastUsed; /* last used time, for WOLFSSL_SNIFFER_TIMEOUT expiry */
    word32 keySz; /* size of the private key */
    PacketBuffer* cliReassemblyList; /* client out of order packets, owned */
    PacketBuffer* srvReassemblyList; /* server out of order packets, owned */
    word32 cliReassemblyMemory; /* client packet memory used */
    word32 srvReassemblyMemory; /* server packet memory used */
    struct SnifferSession* next; /* for hash table list (SessionTable) */
    byte* ticketID; /* mac ID of session ticket, owned */
#ifdef HAVE_SNI
    const char* sni; /* server name indication (not freed here; ownership unclear from this view) */
#endif
#ifdef HAVE_EXTENDED_MASTER
    HsHashes* hash; /* handshake hashes, owned */
#endif
} SnifferSession;
wolfSSL 15:117db924cf7c 427
wolfSSL 15:117db924cf7c 428
wolfSSL 15:117db924cf7c 429 /* Sniffer Server List and mutex */
/* Sniffer Server List and mutex */
static WOLFSSL_GLOBAL SnifferServer* ServerList = 0;
static WOLFSSL_GLOBAL wolfSSL_Mutex ServerListMutex;


/* Session Hash Table, mutex, and count.
 * Lock order: ssl_FreeSniffer takes ServerListMutex before SessionMutex;
 * presumably that is the file-wide order — keep it to avoid deadlock. */
static WOLFSSL_GLOBAL SnifferSession* SessionTable[HASH_SIZE];
static WOLFSSL_GLOBAL wolfSSL_Mutex SessionMutex;
static WOLFSSL_GLOBAL int SessionCount = 0;

/* Recovery of missed data switches and stats */
static WOLFSSL_GLOBAL wolfSSL_Mutex RecoveryMutex; /* guards MissedDataSessions */
static WOLFSSL_GLOBAL int RecoveryEnabled = 0; /* global switch */
static WOLFSSL_GLOBAL int MaxRecoveryMemory = -1;
/* per session max recovery memory; -1 presumably means unlimited — confirm
 * against the reassembly code */
static WOLFSSL_GLOBAL word32 MissedDataSessions = 0;
/* # of sessions with missed data, bumped by UpdateMissedDataSessions */

/* Connection Info Callback */
static WOLFSSL_GLOBAL SSLConnCb ConnectionCb;
static WOLFSSL_GLOBAL void* ConnectionCbCtx = NULL;

#ifdef WOLFSSL_SNIFFER_STATS
/* Sessions Statistics, zeroed in ssl_InitSniffer and guarded by StatsMutex */
static WOLFSSL_GLOBAL SSLStats SnifferStats;
static WOLFSSL_GLOBAL wolfSSL_Mutex StatsMutex;
#endif

#ifdef WOLFSSL_SNIFFER_WATCH
/* Watch Key Callback */
static WOLFSSL_GLOBAL SSLWatchCb WatchCb;
static WOLFSSL_GLOBAL void* WatchCbCtx = NULL;
#endif

#ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
/* Store Data Callback */
static WOLFSSL_GLOBAL SSLStoreDataCb StoreDataCb;
#endif
wolfSSL 15:117db924cf7c 467
wolfSSL 15:117db924cf7c 468
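/* Bump the count of sessions that lost data.  MissedDataSessions is shared
 * across sessions, so the increment is done under RecoveryMutex; if the lock
 * cannot be taken the increment is skipped rather than performed without the
 * lock (the counter is statistics only, so a missed tick is the lesser evil). */
static void UpdateMissedDataSessions(void)
{
    if (wc_LockMutex(&RecoveryMutex) != 0) {
        return;
    }
    MissedDataSessions += 1;
    wc_UnLockMutex(&RecoveryMutex);
}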
wolfSSL 15:117db924cf7c 475
wolfSSL 15:117db924cf7c 476
#ifdef WOLFSSL_SNIFFER_STATS
    /* Statistics helpers.  The *_STAT forms take StatsMutex around the update;
     * the NOLOCK_* forms assume the caller already holds it.
     * NOTE: NOLOCK_ADD_TO_STAT evaluates `y` twice (once for TraceStat, once
     * for the add), so pass only side-effect-free expressions. */
    #define LOCK_STAT() do { wc_LockMutex(&StatsMutex); } while (0)
    #define UNLOCK_STAT() do { wc_UnLockMutex(&StatsMutex); } while (0)
    #define NOLOCK_ADD_TO_STAT(x,y) do { TraceStat(#x, y); x += y; } while (0)
    #define NOLOCK_INC_STAT(x) NOLOCK_ADD_TO_STAT(x,1)
    #define ADD_TO_STAT(x,y) do { LOCK_STAT(); \
        NOLOCK_ADD_TO_STAT(x,y); UNLOCK_STAT(); } while (0)
    #define INC_STAT(x) do { LOCK_STAT(); \
        NOLOCK_INC_STAT(x); UNLOCK_STAT(); } while (0)
#endif
wolfSSL 16:8e0d178b1d1e 487
wolfSSL 16:8e0d178b1d1e 488
#ifdef WOLF_CRYPTO_CB
/* Crypto callback device id; set by ssl_InitSniffer when a hardware backend
 * (Intel QA / Cavium Octeon) initialises, otherwise stays INVALID_DEVID. */
static WOLFSSL_GLOBAL int CryptoDeviceId = INVALID_DEVID;
#endif
wolfSSL 16:8e0d178b1d1e 492
wolfSSL 16:8e0d178b1d1e 493
wolfSSL 15:117db924cf7c 494 /* Initialize overall Sniffer */
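/* Initialize overall Sniffer: wolfSSL itself, the global mutexes, the optional
 * statistics block and, under WOLF_CRYPTO_CB, a hardware crypto backend whose
 * device id is stored in CryptoDeviceId.
 * Must run once before any other sniffer API (DllMain does so on Windows).
 * Returns nothing, so failures of wolfSSL_Init/wc_InitMutex are not surfaced;
 * a failed backend init is reported on stdout and leaves CryptoDeviceId at
 * INVALID_DEVID.
 * NOTE(review): if both HAVE_INTEL_QA_SYNC and HAVE_CAVIUM_OCTEON_SYNC are
 * defined the Octeon id overwrites the QA one — presumably mutually exclusive. */
void ssl_InitSniffer(void)
{
    wolfSSL_Init();
    wc_InitMutex(&ServerListMutex);
    wc_InitMutex(&SessionMutex);
    wc_InitMutex(&RecoveryMutex);
#ifdef WOLFSSL_SNIFFER_STATS
    XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
    wc_InitMutex(&StatsMutex);
#endif
#ifdef WOLF_CRYPTO_CB
    #ifdef HAVE_INTEL_QA_SYNC
        CryptoDeviceId = wc_CryptoCb_InitIntelQa();
        if (INVALID_DEVID == CryptoDeviceId) {
            printf("Couldn't init the Intel QA\n");
        }
    #endif
    #ifdef HAVE_CAVIUM_OCTEON_SYNC
        CryptoDeviceId = wc_CryptoCb_InitOcteon();
        if (INVALID_DEVID == CryptoDeviceId) {
            /* message used to be a copy-paste of the Intel QA one */
            printf("Couldn't init the Cavium Octeon\n");
        }
    #endif
#endif
}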
wolfSSL 15:117db924cf7c 520
wolfSSL 15:117db924cf7c 521
wolfSSL 15:117db924cf7c 522 #ifdef HAVE_SNI
wolfSSL 15:117db924cf7c 523
wolfSSL 15:117db924cf7c 524 /* Free Named Key and the zero out the private key it holds */
/* Free a NamedKey and the private key it holds.
 * The DER key bytes are scrubbed with ForceZero before release so the key
 * does not linger in freed heap memory.  NULL is accepted and ignored. */
static void FreeNamedKey(NamedKey* in)
{
    if (in == NULL) {
        return;
    }
    if (in->key != NULL) {
        ForceZero(in->key, in->keySz);
        XFREE(in->key, NULL, DYNAMIC_TYPE_X509);
    }
    XFREE(in, NULL, DYNAMIC_TYPE_SNIFFER_NAMED_KEY);
}
wolfSSL 15:117db924cf7c 535
wolfSSL 15:117db924cf7c 536
/* Free every NamedKey on the singly linked list starting at `in`
 * (each one via FreeNamedKey, which scrubs the key).  Empty list is fine. */
static void FreeNamedKeyList(NamedKey* in)
{
    NamedKey* cur;
    NamedKey* following;

    for (cur = in; cur != NULL; cur = following) {
        following = cur->next;   /* read before cur is released */
        FreeNamedKey(cur);
    }
}
wolfSSL 15:117db924cf7c 547
wolfSSL 15:117db924cf7c 548 #endif
wolfSSL 15:117db924cf7c 549
wolfSSL 15:117db924cf7c 550
wolfSSL 15:117db924cf7c 551 /* Free Sniffer Server's resources/self */
/* Free a Sniffer Server's resources and the struct itself.
 * Under HAVE_SNI the name->key list is drained while holding namedKeysMutex,
 * then the mutex is destroyed; the SSL_CTX is released last.
 * A NULL srv skips the member cleanup; XFREE is still reached, as before. */
static void FreeSnifferServer(SnifferServer* srv)
{
    if (srv != NULL) {
#ifdef HAVE_SNI
        wc_LockMutex(&srv->namedKeysMutex);
        FreeNamedKeyList(srv->namedKeys);
        wc_UnLockMutex(&srv->namedKeysMutex);
        wc_FreeMutex(&srv->namedKeysMutex);
#endif
        SSL_CTX_free(srv->ctx);
    }
    XFREE(srv, NULL, DYNAMIC_TYPE_SNIFFER_SERVER);
}
wolfSSL 15:117db924cf7c 565
wolfSSL 15:117db924cf7c 566
wolfSSL 15:117db924cf7c 567 /* free PacketBuffer's resources/self */
/* Free a PacketBuffer: its owned data bytes first, then the struct.
 * NULL is accepted and ignored. */
static void FreePacketBuffer(PacketBuffer* del)
{
    if (del == NULL) {
        return;
    }
    XFREE(del->data, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER);
    XFREE(del, NULL, DYNAMIC_TYPE_SNIFFER_PB);
}
wolfSSL 15:117db924cf7c 575
wolfSSL 15:117db924cf7c 576
wolfSSL 15:117db924cf7c 577 /* remove PacketBuffer List */
/* Free every PacketBuffer on the list starting at `in`.
 * The loop condition already covers an empty (NULL) list. */
static void FreePacketList(PacketBuffer* in)
{
    PacketBuffer* cur = in;
    PacketBuffer* following;

    while (cur != NULL) {
        following = cur->next;   /* read before cur is released */
        FreePacketBuffer(cur);
        cur = following;
    }
}
wolfSSL 15:117db924cf7c 591
wolfSSL 15:117db924cf7c 592
wolfSSL 15:117db924cf7c 593 /* Free Sniffer Session's resources/self */
/* Free a Sniffer Session's resources and the struct itself:
 * both SSL decode objects, both reassembly lists, the ticket id and, under
 * HAVE_EXTENDED_MASTER, the handshake hashes.  `context` is borrowed and
 * untouched.  A NULL session skips the member cleanup; XFREE is still
 * reached, as before. */
static void FreeSnifferSession(SnifferSession* session)
{
    if (session != NULL) {
        SSL_free(session->sslServer);
        SSL_free(session->sslClient);

        FreePacketList(session->srvReassemblyList);
        FreePacketList(session->cliReassemblyList);

        XFREE(session->ticketID, NULL, DYNAMIC_TYPE_SNIFFER_TICKET_ID);
#ifdef HAVE_EXTENDED_MASTER
        XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
#endif
    }
    XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
}
wolfSSL 15:117db924cf7c 610
wolfSSL 15:117db924cf7c 611
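/* Free overall Sniffer: every registered server, every tracked session,
 * the module mutexes, any crypto-callback device, the trace file, and
 * finally the wolfSSL library itself.
 *
 * Both list locks are held while the lists are walked and freed.  After
 * freeing, the list head and every SessionTable row are reset to NULL so
 * that a later lookup, or a second call to ssl_FreeSniffer, dereferences
 * NULL rather than freed memory (the previous version left the dangling
 * pointers in place).
 *
 * NOTE(review): RecoveryMutex is freed here but is not taken in this
 * function; presumably it guards the recovery path elsewhere in the file. */
void ssl_FreeSniffer(void)
{
    SnifferServer*  srv;
    SnifferServer*  removeServer;
    SnifferSession* session;
    SnifferSession* removeSession;
    int i;

    wc_LockMutex(&ServerListMutex);
    wc_LockMutex(&SessionMutex);

    srv = ServerList;
    while (srv) {
        removeServer = srv;
        srv = srv->next;
        FreeSnifferServer(removeServer);
    }
    ServerList = NULL;   /* no dangling head after teardown */

    for (i = 0; i < HASH_SIZE; i++) {
        session = SessionTable[i];
        while (session) {
            removeSession = session;
            session = session->next;
            FreeSnifferSession(removeSession);
        }
        SessionTable[i] = NULL;   /* row now empty, not dangling */
    }

    wc_UnLockMutex(&SessionMutex);
    wc_UnLockMutex(&ServerListMutex);

    wc_FreeMutex(&RecoveryMutex);
    wc_FreeMutex(&SessionMutex);
    wc_FreeMutex(&ServerListMutex);

#ifdef WOLF_CRYPTO_CB
    #ifdef HAVE_INTEL_QA_SYNC
    wc_CryptoCb_CleanupIntelQa(&CryptoDeviceId);
    #endif
    #ifdef HAVE_CAVIUM_OCTEON_SYNC
    wc_CryptoCb_CleanupOcteon(&CryptoDeviceId);
    #endif
#endif

    /* Switch tracing off before closing so no Trace* call can write to a
     * closed FILE between the two statements. */
    if (TraceFile) {
        TraceOn = 0;
        fclose(TraceFile);
        TraceFile = NULL;
    }

    wolfSSL_Cleanup();
}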
wolfSSL 15:117db924cf7c 664
wolfSSL 15:117db924cf7c 665
wolfSSL 15:117db924cf7c 666 #ifdef HAVE_EXTENDED_MASTER
wolfSSL 15:117db924cf7c 667
/* Zero an HsHashes and initialise every handshake-transcript hash that the
 * build enables (MD5/SHA-1 for old TLS, SHA-256, SHA-384).
 * Returns 0 on success or the first non-zero wc_Init* result; on failure
 * the hashes initialised so far are left as they are (nothing is undone). */
static int HashInit(HsHashes* hash)
{
    int ret = 0;

    XMEMSET(hash, 0, sizeof(HsHashes));

    do {
#ifndef NO_OLD_TLS
#ifndef NO_SHA
        if ((ret = wc_InitSha(&hash->hashSha)) != 0)
            break;
#endif
#ifndef NO_MD5
        if ((ret = wc_InitMd5(&hash->hashMd5)) != 0)
            break;
#endif
#endif
#ifndef NO_SHA256
        if ((ret = wc_InitSha256(&hash->hashSha256)) != 0)
            break;
#endif
#ifdef WOLFSSL_SHA384
        if ((ret = wc_InitSha384(&hash->hashSha384)) != 0)
            break;
#endif
    } while (0);

    return ret;
}
wolfSSL 15:117db924cf7c 696
wolfSSL 15:117db924cf7c 697
/* Feed one handshake message into every enabled transcript hash.
 *
 * The caller passes the message BODY (input/sz); the transcript must also
 * cover the HANDSHAKE_HEADER_SZ bytes of header that precede it, so the
 * pointer is stepped back by that amount.  Precondition: input points at
 * least HANDSHAKE_HEADER_SZ bytes into a buffer that actually holds that
 * header — the function cannot verify this itself.
 * Returns 0 on success or the first non-zero wc_*Update result. */
static int HashUpdate(HsHashes* hash, const byte* input, int sz)
{
    const byte* msg   = input - HANDSHAKE_HEADER_SZ;
    int         msgSz = sz + HANDSHAKE_HEADER_SZ;
    int         ret   = 0;

#ifndef NO_OLD_TLS
#ifndef NO_SHA
    ret = wc_ShaUpdate(&hash->hashSha, msg, msgSz);
#endif
#ifndef NO_MD5
    if (ret == 0)
        ret = wc_Md5Update(&hash->hashMd5, msg, msgSz);
#endif
#endif
#ifndef NO_SHA256
    if (ret == 0)
        ret = wc_Sha256Update(&hash->hashSha256, msg, msgSz);
#endif
#ifdef WOLFSSL_SHA384
    if (ret == 0)
        ret = wc_Sha384Update(&hash->hashSha384, msg, msgSz);
#endif

    return ret;
}
wolfSSL 15:117db924cf7c 727
wolfSSL 15:117db924cf7c 728
/* Copy the sniffer's running transcript hashes (HsHashes) into the
 * wolfSSL-internal HS_Hashes of an SSL object, one enabled digest at a time.
 * Always returns 0.
 *
 * NOTE(review): this is a raw XMEMCPY of each hash context.  That is fine
 * for the plain software digests, but hash contexts tied to hardware or
 * async state may not be safely duplicated by memcpy — confirm against the
 * build configurations this sniffer is used with. */
static int HashCopy(HS_Hashes* d, HsHashes* s)
{
#ifndef NO_OLD_TLS
#ifndef NO_SHA
    XMEMCPY(&d->hashSha, &s->hashSha, sizeof(wc_Sha));
#endif
#ifndef NO_MD5
    XMEMCPY(&d->hashMd5, &s->hashMd5, sizeof(wc_Md5));
#endif
#endif

#ifndef NO_SHA256
    XMEMCPY(&d->hashSha256, &s->hashSha256, sizeof(wc_Sha256));
#endif
#ifdef WOLFSSL_SHA384
    XMEMCPY(&d->hashSha384, &s->hashSha384, sizeof(wc_Sha384));
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 749
wolfSSL 15:117db924cf7c 750 #endif
wolfSSL 15:117db924cf7c 751
wolfSSL 15:117db924cf7c 752
/* Initialize a SnifferServer to all-zero (no address, port 0, no next). */
static void InitSnifferServer(SnifferServer* sniffer)
{
    XMEMSET(sniffer, 0, sizeof(*sniffer));
}
wolfSSL 15:117db924cf7c 758
wolfSSL 15:117db924cf7c 759
/* Clear every session flag (all flags start out unset). */
static void InitFlags(Flags* flags)
{
    XMEMSET(flags, 0, sizeof(*flags));
}
wolfSSL 15:117db924cf7c 765
wolfSSL 15:117db924cf7c 766
/* Reset a FIN capture record to all-zero. */
static void InitFinCapture(FinCaputre* cap)
{
    XMEMSET(cap, 0, sizeof(*cap));
}
wolfSSL 15:117db924cf7c 772
wolfSSL 15:117db924cf7c 773
/* Initialize a Sniffer Session: zero the whole struct, then run the
 * sub-structure initializers.  Those currently only zero-fill again, so the
 * calls are redundant today; they are kept so this stays correct should
 * either initializer ever do more than a memset. */
static void InitSession(SnifferSession* session)
{
    XMEMSET(session, 0, sizeof(*session));
    InitFlags(&session->flags);
    InitFinCapture(&session->finCaputre);
}
wolfSSL 15:117db924cf7c 781
wolfSSL 15:117db924cf7c 782
/* IP Info extracted from an IPv4 or IPv6 header.
 * src/dst carry their own version tag (IpAddrInfo.version) and are kept in
 * network byte order; SessionHash and MatchAddr rely on that tag. */
typedef struct IpInfo {
    int        length;        /* length of this header */
    int        total;         /* total length of fragment */
    IpAddrInfo src;           /* network order source address */
    IpAddrInfo dst;           /* network order destination address */
} IpInfo;
wolfSSL 15:117db924cf7c 790
wolfSSL 15:117db924cf7c 791
/* TCP Info extracted from a TCP header.
 * Ports are stored as host-order ints (they are compared against the
 * int port of a SnifferServer in GetSnifferServer). */
typedef struct TcpInfo {
    int    srcPort;           /* source port */
    int    dstPort;           /* destination port */
    int    length;            /* length of this header */
    word32 sequence;          /* sequence number */
    word32 ackNumber;         /* ack number */
    byte   fin;               /* FIN set */
    byte   rst;               /* RST set */
    byte   syn;               /* SYN set */
    byte   ack;               /* ACK set */
} TcpInfo;
wolfSSL 15:117db924cf7c 804
wolfSSL 15:117db924cf7c 805
/* TCP pseudo header for checksum calculation.  The 32-bit src/dst fields
 * make this the IPv4 form only; an IPv6 pseudo header would need 16-byte
 * addresses. */
typedef struct TcpPseudoHdr {
    word32 src;        /* source address */
    word32 dst;        /* destination address */
    byte   rsv;        /* reserved, always 0 */
    byte   protocol;   /* IP protocol */
    word16 length;     /* tcp header length + data length (doesn't include */
                       /* pseudo header length) network order */
} TcpPseudoHdr;
wolfSSL 15:117db924cf7c 815
wolfSSL 15:117db924cf7c 816
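/* Password callback used when a registered private key is encrypted.
 *
 * passwd   - caller's output buffer
 * sz       - capacity of passwd in bytes
 * rw       - unused (read/write flag of the callback contract)
 * userdata - the NUL-terminated password string handed to the CTX
 *
 * Returns the number of password bytes written to passwd, or 0 when there
 * is no password (NULL userdata/passwd, or no room).  The returned length
 * is clamped to sz: the previous XSTRNCPY/XSTRLEN pair reported the full
 * password length even when it exceeded the buffer, which let a caller
 * read past the end of passwd. */
static int SetPassword(char* passwd, int sz, int rw, void* userdata)
{
    const char* src = (const char*)userdata;
    size_t      len;

    (void)rw;

    if (passwd == NULL || src == NULL || sz <= 0)
        return 0;

    len = XSTRLEN(src);
    if (len > (size_t)sz)
        len = (size_t)sz;          /* keep only what fits */

    XMEMCPY(passwd, src, len);
    if (len < (size_t)sz)
        passwd[len] = '\0';        /* terminate when there is room */

    return (int)len;
}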
wolfSSL 15:117db924cf7c 824
wolfSSL 15:117db924cf7c 825
/* Ethernet (II) header, 14 bytes: two 6-byte MAC addresses and the 2-byte
 * EtherType in network byte order. */
typedef struct EthernetHdr {
    byte   dst[ETHER_IF_ADDR_LEN];    /* destination host address */
    byte   src[ETHER_IF_ADDR_LEN];    /* source host address */
    word16 type;                      /* IP, ARP, etc */
} EthernetHdr;
wolfSSL 15:117db924cf7c 832
wolfSSL 15:117db924cf7c 833
/* IPv4 header, fixed 20-byte part only (options, if any, follow and are
 * accounted for by IP_HL).  Multi-byte fields are in network byte order.
 * Presumably overlaid directly onto the captured packet bytes; the layout
 * here has no padding, so that works without a packed attribute. */
typedef struct IpHdr {
    byte    ver_hl;              /* version/header length */
    byte    tos;                 /* type of service */
    word16  length;              /* total length */
    word16  id;                  /* identification */
    word16  offset;              /* fragment offset field */
    byte    ttl;                 /* time to live */
    byte    protocol;            /* protocol */
    word16  sum;                 /* checksum */
    word32  src;                 /* source address */
    word32  dst;                 /* destination address */
} IpHdr;
wolfSSL 15:117db924cf7c 847
wolfSSL 15:117db924cf7c 848
/* IPv6 fixed header, 40 bytes.  Unlike IPv4 the length field counts only
 * the payload (everything after these 40 bytes), and next_header may name
 * an extension header rather than TCP (see Ip6ExtHdr). */
typedef struct Ip6Hdr {
    byte    ver_hl;              /* version/traffic class high */
    byte    tc_fl;               /* traffic class low/flow label high */
    word16  fl;                  /* flow label low */
    word16  length;              /* payload length */
    byte    next_header;         /* next header (6 for TCP, any other skip) */
    byte    hl;                  /* hop limit */
    byte    src[16];             /* source address */
    byte    dst[16];             /* destination address */
} Ip6Hdr;
wolfSSL 16:8e0d178b1d1e 860
wolfSSL 16:8e0d178b1d1e 861
/* Generic view of an IPv6 extension header: only the leading 8 bytes that
 * every extension shares.  The real extension is (length + 1) * 8 bytes
 * long; whoever walks the chain must bound that against the captured
 * payload length before skipping ahead. */
typedef struct Ip6ExtHdr {
    byte next_header;          /* next header (6 for TCP, any other skip) */
    byte length;               /* length in 8-octet units - 1 */
    byte reserved[6];
} Ip6ExtHdr;
wolfSSL 16:8e0d178b1d1e 868
wolfSSL 16:8e0d178b1d1e 869
/* IPv4 header length in bytes: the low nibble of ver_hl counts 32-bit
 * words.  A well-formed header yields 20..60; the macro does no checking,
 * so a caller that uses it as an offset into the packet must first reject
 * values below 20. */
#define IP_HL(ip) ( (((ip)->ver_hl) & 0x0f) * 4)
/* IP version from the high nibble of the first header byte (4 or 6). */
#define IP_V(ip) ( ((ip)->ver_hl) >> 4)
wolfSSL 15:117db924cf7c 872
/* TCP header, fixed 20-byte part (options follow, covered by TCP_LEN).
 * Ports, sequence, ack, window, sum and urgent are network byte order
 * (TraceTcp converts the ports with ntohs). */
typedef struct TcpHdr {
    word16  srcPort;             /* source port */
    word16  dstPort;             /* destination port */
    word32  sequence;            /* sequence number */
    word32  ack;                 /* acknowledgment number */
    byte    offset;              /* data offset, reserved */
    byte    flags;               /* option flags */
    word16  window;              /* window */
    word16  sum;                 /* checksum */
    word16  urgent;              /* urgent pointer */
} TcpHdr;
wolfSSL 15:117db924cf7c 885
/* TCP header length in bytes from the data-offset nibble (high 4 bits of
 * TcpHdr.offset, in 32-bit words).  20 is the minimum for a valid header;
 * like IP_HL this macro does not validate, so callers must reject smaller
 * values before using it to locate the payload. */
#define TCP_LEN(tcp) ( (((tcp)->offset & 0xf0) >> 4) * 4)
/* Bits of TcpHdr.flags that the sniffer cares about */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10
wolfSSL 15:117db924cf7c 891
wolfSSL 15:117db924cf7c 892
wolfSSL 15:117db924cf7c 893
wolfSSL 15:117db924cf7c 894
wolfSSL 15:117db924cf7c 895
/* Write the error text for index idx to the trace file (and to stderr when
 * DEBUG_SNIFFER is on).  Does nothing unless tracing is enabled; TraceOn is
 * assumed to imply a valid TraceFile, which ssl_FreeSniffer keeps in step
 * by clearing TraceOn before closing the file. */
static void Trace(int idx)
{
    char text[MAX_ERROR_LEN];

    if (!TraceOn)
        return;

    GetError(idx, text);
    fprintf(TraceFile, "\t%s\n", text);
#ifdef DEBUG_SNIFFER
    fprintf(stderr, "\t%s\n", text);
#endif
}
wolfSSL 15:117db924cf7c 908
wolfSSL 15:117db924cf7c 909
/* Start a packet trace with a blank line and the current wall-clock time.
 * ctime() writes into a static buffer, so concurrent tracing threads would
 * race here; acceptable for a debugging aid but worth knowing. */
static void TraceHeader(void)
{
    time_t now;

    if (!TraceOn)
        return;

    now = time(NULL);
    fprintf(TraceFile, "\n%s", ctime(&now));
}
wolfSSL 15:117db924cf7c 918
wolfSSL 15:117db924cf7c 919
/* Trace an attempt to register a server (address, port, key file path).
 * The key file path, not the key, is what ends up in the trace file.
 * srv and keyFile are printed with %s and so must not be NULL. */
static void TraceSetServer(const char* srv, int port, const char* keyFile)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile,
            "\tTrying to install a new Sniffer Server with\n"
            "\tserver: %s, port: %d, keyFile: %s\n",
            srv, port, keyFile);
}
wolfSSL 15:117db924cf7c 929
wolfSSL 15:117db924cf7c 930
wolfSSL 15:117db924cf7c 931 #ifdef HAVE_SNI
wolfSSL 15:117db924cf7c 932
/* Trace an attempt to register an SNI-named server.  All three string
 * arguments are printed with %s; NOTE(review): confirm the caller never
 * passes a NULL name here, as printf("%s", NULL) is undefined. */
static void TraceSetNamedServer(const char* name,
                                const char* srv, int port, const char* keyFile)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile,
            "\tTrying to install a new Sniffer Server with\n"
            "\tname: %s, server: %s, port: %d, keyFile: %s\n",
            name, srv, port, keyFile);
}
wolfSSL 15:117db924cf7c 943
wolfSSL 15:117db924cf7c 944 #endif
wolfSSL 15:117db924cf7c 945
wolfSSL 15:117db924cf7c 946
/* Trace the arrival of a packet with a running count.  The counter only
 * advances while tracing is on, and it is a plain static with no locking,
 * so the numbering is only meaningful for single-threaded capture. */
static void TracePacket(void)
{
    static word32 packetNumber = 0;

    if (!TraceOn)
        return;

    packetNumber++;
    fprintf(TraceFile, "\tGot a Packet to decode, packet %u\n", packetNumber);
}
wolfSSL 15:117db924cf7c 956
wolfSSL 15:117db924cf7c 957
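/* Convert a network-byte-order address to text in dst (TRACE_MSG_SZ bytes).
 * version is AF_INET or AF_INET6; src points at the raw 4- or 16-byte
 * address.  Never returns NULL: inet_ntop returns NULL for an unsupported
 * family or an undersized buffer, and every caller feeds the result
 * straight into fprintf("%s"), so a placeholder is returned instead. */
static const char* IpToS(int version, void* src, char* dst)
{
    const char* text = inet_ntop(version, src, dst, TRACE_MSG_SZ);
    return (text != NULL) ? text : "?";
}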
wolfSSL 15:117db924cf7c 963
wolfSSL 15:117db924cf7c 964
/* Trace the destination and source addresses of an IPv4 header. */
static void TraceIP(IpHdr* iphdr)
{
    char        srcStr[TRACE_MSG_SZ];
    char        dstStr[TRACE_MSG_SZ];
    const char* d;
    const char* s;

    if (!TraceOn)
        return;

    d = IpToS(AF_INET, &iphdr->dst, dstStr);
    s = IpToS(AF_INET, &iphdr->src, srcStr);
    fprintf(TraceFile, "\tdst:%s src:%s\n", d, s);
}
wolfSSL 16:8e0d178b1d1e 976
wolfSSL 16:8e0d178b1d1e 977
/* Trace the destination and source addresses of an IPv6 header. */
static void TraceIP6(Ip6Hdr* iphdr)
{
    char        srcStr[TRACE_MSG_SZ];
    char        dstStr[TRACE_MSG_SZ];
    const char* d;
    const char* s;

    if (!TraceOn)
        return;

    d = IpToS(AF_INET6, iphdr->dst, dstStr);
    s = IpToS(AF_INET6, iphdr->src, srcStr);
    fprintf(TraceFile, "\tdst: %s src: %s\n", d, s);
}
wolfSSL 15:117db924cf7c 989
wolfSSL 15:117db924cf7c 990
/* Trace the destination and source ports of a TCP header, converted from
 * network to host order for display. */
static void TraceTcp(TcpHdr* tcphdr)
{
    unsigned dport;
    unsigned sport;

    if (!TraceOn)
        return;

    dport = ntohs(tcphdr->dstPort);
    sport = ntohs(tcphdr->srcPort);
    fprintf(TraceFile, "\tdstPort:%u srcPort:%u\n", dport, sport);
}
wolfSSL 15:117db924cf7c 999
wolfSSL 15:117db924cf7c 1000
/* Trace a TCP sequence number together with the payload length. */
static void TraceSequence(word32 seq, int len)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tSequence:%u, payload length:%d\n", seq, len);
}
wolfSSL 15:117db924cf7c 1008
wolfSSL 15:117db924cf7c 1009
/* Trace the ACK number seen on a packet next to the one that was expected. */
static void TraceAck(word32 ack, word32 expected)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tAck:%u Expected:%u\n", ack, expected);
}
wolfSSL 15:117db924cf7c 1017
wolfSSL 15:117db924cf7c 1018
/* Trace the expected relative sequence number against the one received. */
static void TraceRelativeSequence(word32 expected, word32 got)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tExpected sequence:%u, received sequence:%u\n",
            expected, got);
}
wolfSSL 15:117db924cf7c 1027
wolfSSL 15:117db924cf7c 1028
/* Trace the server's initial sequence number taken from its SYN. */
static void TraceServerSyn(word32 seq)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tServer SYN, Sequence Start:%u\n", seq);
}
wolfSSL 15:117db924cf7c 1036
wolfSSL 15:117db924cf7c 1037
/* Trace the client's initial sequence number taken from its SYN. */
static void TraceClientSyn(word32 seq)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tClient SYN, Sequence Start:%u\n", seq);
}
wolfSSL 15:117db924cf7c 1045
wolfSSL 15:117db924cf7c 1046
/* Trace a captured client FIN: the FIN's sequence and the current one. */
static void TraceClientFin(word32 finSeq, word32 relSeq)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tClient FIN capture:%u, current SEQ:%u\n",
            finSeq, relSeq);
}
wolfSSL 15:117db924cf7c 1055
wolfSSL 15:117db924cf7c 1056
/* Trace a captured server FIN: the FIN's sequence and the current one. */
static void TraceServerFin(word32 finSeq, word32 relSeq)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tServer FIN capture:%u, current SEQ:%u\n",
            finSeq, relSeq);
}
wolfSSL 15:117db924cf7c 1065
wolfSSL 15:117db924cf7c 1066
/* Trace how many bytes of SSL application data were processed; 0 is a
 * normal value (e.g. a handshake-only packet). */
static void TraceGotData(int bytes)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\t%d bytes of SSL App data processed\n", bytes);
}
wolfSSL 15:117db924cf7c 1074
wolfSSL 15:117db924cf7c 1075
/* Trace bytes appended to application data already sitting in the user's
 * buffer. */
static void TraceAddedData(int newBytes, int existingBytes)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile,
            "\t%d bytes added to %d existing bytes in User Buffer\n",
            newBytes, existingBytes);
}
wolfSSL 15:117db924cf7c 1085
wolfSSL 15:117db924cf7c 1086
/* Trace that a stale session was found. */
static void TraceStaleSession(void)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tFound a stale session\n");
}
wolfSSL 15:117db924cf7c 1094
wolfSSL 15:117db924cf7c 1095
/* Trace the start of a stale-session sweep. */
static void TraceFindingStale(void)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tTrying to find Stale Sessions\n");
}
wolfSSL 15:117db924cf7c 1103
wolfSSL 15:117db924cf7c 1104
/* Trace that the session just reported was removed. */
static void TraceRemovedSession(void)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tRemoved it\n");
}
wolfSSL 15:117db924cf7c 1112
wolfSSL 15:117db924cf7c 1113
/* Trace the negotiated parameters of a session (protocol version, cipher
 * suite id and name, SNI when built in, key size).  Skipped when tracing is
 * off, sslInfo is NULL, or sslInfo is not marked valid.  Output is produced
 * in three writes so the SNI piece can be compiled out cleanly; the bytes
 * written are the same as a single formatted line. */
static void TraceSessionInfo(SSLInfo* sslInfo)
{
    if (!TraceOn)
        return;
    if (sslInfo == NULL || !sslInfo->isValid)
        return;

    fprintf(TraceFile,
            "\tver:(%u %u) suiteId:(%02x %02x) suiteName:(%s) ",
            sslInfo->protocolVersionMajor,
            sslInfo->protocolVersionMinor,
            sslInfo->serverCipherSuite0,
            sslInfo->serverCipherSuite,
            sslInfo->serverCipherSuiteName);
#ifdef HAVE_SNI
    fprintf(TraceFile, "sni:(%s) ", sslInfo->serverNameIndication);
#endif
    fprintf(TraceFile, "keySize:(%u)\n", sslInfo->keySize);
}
wolfSSL 16:8e0d178b1d1e 1137
wolfSSL 16:8e0d178b1d1e 1138
wolfSSL 16:8e0d178b1d1e 1139 #ifdef WOLFSSL_SNIFFER_STATS
wolfSSL 16:8e0d178b1d1e 1140
/* Trace an increment applied to the named statistic counter. */
static void TraceStat(const char* name, int add)
{
    if (!TraceOn)
        return;

    fprintf(TraceFile, "\tAdding %d to %s\n", add, name);
}
wolfSSL 16:8e0d178b1d1e 1148
wolfSSL 16:8e0d178b1d1e 1149 #endif
wolfSSL 16:8e0d178b1d1e 1150
wolfSSL 16:8e0d178b1d1e 1151
/* Fill the user's error buffer with the text for idx, echo it to the trace
 * file, and when fatal is FATAL_ERROR_STATE mark the session so later
 * packets on it are dropped.  session may be NULL.  The error buffer is
 * assumed to hold MAX_ERROR_LEN bytes, the size Trace() uses for the same
 * GetError call — TODO confirm at the call sites. */
static void SetError(int idx, char* error, SnifferSession* session, int fatal)
{
    GetError(idx, error);
    Trace(idx);

    if (session == NULL)
        return;
    if (fatal == FATAL_ERROR_STATE)
        session->flags.fatalError = 1;
}
wolfSSL 15:117db924cf7c 1160
wolfSSL 15:117db924cf7c 1161
/* Compare two IpAddrInfo values.  Returns 1 only when both carry the same
 * version tag and the address bytes for that version are equal (4 bytes for
 * IPV4, the full ip6 array for IPV6); any other version, or a version
 * mismatch, compares unequal. */
static WC_INLINE int MatchAddr(IpAddrInfo l, IpAddrInfo r)
{
    if (l.version != r.version)
        return 0;

    if (l.version == IPV4)
        return l.ip4 == r.ip4;

    if (l.version == IPV6)
        return XMEMCMP(l.ip6, r.ip6, sizeof(l.ip6)) == 0;

    return 0;
}
wolfSSL 16:8e0d178b1d1e 1173
wolfSSL 16:8e0d178b1d1e 1174
wolfSSL 16:8e0d178b1d1e 1175 #ifndef WOLFSSL_SNIFFER_WATCH
wolfSSL 16:8e0d178b1d1e 1176
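/* See if this IPv4 network-order address has been registered as a server.
 * Returns 1 if a registered server has this address, 0 otherwise.
 * Holds ServerListMutex for the duration of the walk.
 *
 * The version tag is checked before ip4 is compared.  IsServerRegistered6
 * and MatchAddr both gate on the tag, and without it the leading bytes of
 * a registered IPv6 server could satisfy an IPv4 lookup. */
static int IsServerRegistered(word32 addr)
{
    int found = 0;   /* false */
    SnifferServer* cur;

    wc_LockMutex(&ServerListMutex);

    for (cur = ServerList; cur != NULL; cur = cur->next) {
        if (cur->server.version == IPV4 && cur->server.ip4 == addr) {
            found = 1;
            break;
        }
    }

    wc_UnLockMutex(&ServerListMutex);

    return found;
}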
wolfSSL 16:8e0d178b1d1e 1199
wolfSSL 16:8e0d178b1d1e 1200
/* See if this IPv6 network-order address has been registered as a server.
 * Returns 1 when a registered server tagged IPV6 carries the same 16-byte
 * address, 0 otherwise; IPv4 registrations are skipped without comparing
 * bytes.  Holds ServerListMutex for the duration of the walk. */
static int IsServerRegistered6(byte* addr)
{
    int found = 0;   /* false */
    SnifferServer* cur;

    wc_LockMutex(&ServerListMutex);

    for (cur = ServerList; cur != NULL; cur = cur->next) {
        if (cur->server.version != IPV6)
            continue;
        if (XMEMCMP(cur->server.ip6, addr, sizeof(cur->server.ip6)) == 0) {
            found = 1;
            break;
        }
    }

    wc_UnLockMutex(&ServerListMutex);

    return found;
}
wolfSSL 15:117db924cf7c 1225
wolfSSL 15:117db924cf7c 1226
/* See if this port has been registered to watch on any server.
 * Returns 1 if some registered server listens on port, 0 otherwise.
 * Holds ServerListMutex for the duration of the walk. */
static int IsPortRegistered(word32 port)
{
    int found = 0;   /* false */
    SnifferServer* cur;

    wc_LockMutex(&ServerListMutex);

    for (cur = ServerList; cur != NULL; cur = cur->next) {
        if (cur->port == (int)port) {
            found = 1;
            break;
        }
    }

    wc_UnLockMutex(&ServerListMutex);

    return found;
}
wolfSSL 15:117db924cf7c 1249
wolfSSL 16:8e0d178b1d1e 1250 #endif
wolfSSL 16:8e0d178b1d1e 1251
wolfSSL 15:117db924cf7c 1252
/* Find the registered SnifferServer for a packet.  A server matches when
 * its port and address equal either the packet's source pair or its
 * destination pair, so both directions of a flow resolve to the same entry.
 * Returns NULL when nothing matches.
 * Under WOLFSSL_SNIFFER_WATCH no matching is done and the head of the list
 * (possibly NULL) is returned unconditionally.
 * Holds ServerListMutex for the duration of the walk. */
static SnifferServer* GetSnifferServer(IpInfo* ipInfo, TcpInfo* tcpInfo)
{
    SnifferServer* match;

    wc_LockMutex(&ServerListMutex);

#ifndef WOLFSSL_SNIFFER_WATCH
    for (match = ServerList; match != NULL; match = match->next) {
        int fromServer = (match->port == tcpInfo->srcPort) &&
                         MatchAddr(match->server, ipInfo->src);
        int toServer   = (match->port == tcpInfo->dstPort) &&
                         MatchAddr(match->server, ipInfo->dst);
        if (fromServer || toServer)
            break;
    }
#else
    match = ServerList;
    (void)ipInfo;
    (void)tcpInfo;
#endif

    wc_UnLockMutex(&ServerListMutex);

    return match;
}
wolfSSL 15:117db924cf7c 1282
wolfSSL 15:117db924cf7c 1283
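/* Hash the session 4-tuple (src/dst address, src/dst port) into a row of
 * SessionTable. Returns a value in [0, HASH_SIZE).
 * The hash is symmetric in src/dst, so both directions of a connection land
 * in the same row. For IPv6 each 16-byte address is folded to one word by
 * XORing its four 32-bit chunks; the chunks are copied out with XMEMCPY
 * rather than read through a word32* cast, so no alignment or aliasing
 * assumption is made about the ip6 storage (the resulting value is the same).
 * word32 arithmetic wraps, so the products cannot overflow.
 * The inputs come from the wire; this is a bucket selector, not a
 * collision-resistant hash. */
static word32 SessionHash(IpInfo* ipInfo, TcpInfo* tcpInfo)
{
    word32 hash = 1;

    if (ipInfo->src.version == IPV4) {
        hash *= ipInfo->src.ip4 * ipInfo->dst.ip4;
    }
    else if (ipInfo->src.version == IPV6) {
        word32 words[4];

        XMEMCPY(words, ipInfo->src.ip6, sizeof(words));
        hash *= words[0] ^ words[1] ^ words[2] ^ words[3];
        XMEMCPY(words, ipInfo->dst.ip6, sizeof(words));
        hash *= words[0] ^ words[1] ^ words[2] ^ words[3];
    }
    hash *= tcpInfo->srcPort * tcpInfo->dstPort;

    return hash % HASH_SIZE;
}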
wolfSSL 15:117db924cf7c 1306
wolfSSL 15:117db924cf7c 1307
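/* Find the existing SnifferSession for this packet's 4-tuple, in either
 * direction. On a hit, refresh session->lastUsed so stale-session removal
 * leaves it alone, and set session->flags.side: WOLFSSL_SERVER_END when the
 * packet is addressed to session->server / srvPort, else WOLFSSL_CLIENT_END.
 * Returns the session, or NULL when none is tracked for this 4-tuple.
 * NOTE(review): flags.side is written after SessionMutex is released, as
 * before; only the table walk and the lastUsed update happen under the lock. */
static SnifferSession* GetSnifferSession(IpInfo* ipInfo, TcpInfo* tcpInfo)
{
    SnifferSession* session;
    time_t currTime = time(NULL);
    word32 row = SessionHash(ipInfo, tcpInfo);

    /* SessionHash reduces modulo HASH_SIZE, so a valid row is strictly less;
     * `<=` would have accepted the one-past-the-end index. */
    assert(row < HASH_SIZE);

    wc_LockMutex(&SessionMutex);

    session = SessionTable[row];
    while (session) {
        /* packet flowing server -> client */
        if (MatchAddr(session->server, ipInfo->src) &&
            MatchAddr(session->client, ipInfo->dst) &&
            session->srvPort == tcpInfo->srcPort &&
            session->cliPort == tcpInfo->dstPort)
            break;

        /* packet flowing client -> server */
        if (MatchAddr(session->client, ipInfo->src) &&
            MatchAddr(session->server, ipInfo->dst) &&
            session->cliPort == tcpInfo->srcPort &&
            session->srvPort == tcpInfo->dstPort)
            break;

        session = session->next;
    }

    if (session)
        session->lastUsed = currTime; /* keep session alive; stale-session
                                       * removal will leave it alone */
    wc_UnLockMutex(&SessionMutex);

    /* determine side */
    if (session) {
        if (MatchAddr(ipInfo->dst, session->server) &&
            tcpInfo->dstPort == session->srvPort) {
            session->flags.side = WOLFSSL_SERVER_END;
        }
        else {
            session->flags.side = WOLFSSL_CLIENT_END;
        }
    }

    return session;
}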
wolfSSL 15:117db924cf7c 1355
wolfSSL 15:117db924cf7c 1356
wolfSSL 16:8e0d178b1d1e 1357 #if defined(HAVE_SNI) || defined(WOLFSSL_SNIFFER_WATCH)
wolfSSL 15:117db924cf7c 1358
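/* Read a private key file into a heap buffer owned by the caller.
 *   keyBuf/keyBufSz - receive the key bytes and their length on success;
 *                     left untouched on failure
 *   keyFile         - path of the key file
 *   typeKey         - WOLFSSL_FILETYPE_PEM converts the file to DER with
 *                     wc_KeyPemToDer and hands back only the DER copy
 *                     (DYNAMIC_TYPE_X509); any other value hands back the raw
 *                     file contents (DYNAMIC_TYPE_FILE)
 *   password        - passed to wc_KeyPemToDer for encrypted PEM; may be NULL
 * Returns a negative value on failure (bad argument, file unreadable, empty
 * or larger than MAX_WOLFSSL_FILE_SIZE, short read, allocation failure, PEM
 * decode error) and a value >= 0 on success. The caller frees *keyBuf.
 * Every intermediate buffer that held key material is cleared with ForceZero
 * before it is freed. */
static int LoadKeyFile(byte** keyBuf, word32* keyBufSz,
                       const char* keyFile, int typeKey,
                       const char* password)
{
    byte* loadBuf;
    long fileSz = 0;
    XFILE file;
    int ret;

    if (keyBuf == NULL || keyBufSz == NULL || keyFile == NULL) {
        return -1;
    }

    file = XFOPEN(keyFile, "rb");
    if (file == XBADFILE) return -1;
    if (XFSEEK(file, 0, XSEEK_END) != 0) {
        XFCLOSE(file);
        return -1;
    }
    fileSz = XFTELL(file);
    /* An empty file is rejected as well: a zero-length allocation would
     * otherwise be returned to the caller as a "key" of size 0. */
    if (fileSz > MAX_WOLFSSL_FILE_SIZE || fileSz <= 0) {
        XFCLOSE(file);
        return -1;
    }
    XREWIND(file);

    loadBuf = (byte*)XMALLOC(fileSz, NULL, DYNAMIC_TYPE_FILE);
    if (loadBuf == NULL) {
        XFCLOSE(file);
        return -1;
    }

    ret = (int)XFREAD(loadBuf, 1, fileSz, file);
    XFCLOSE(file);

    if (ret != fileSz) {
        /* a short read may still have placed key bytes in the buffer */
        ForceZero(loadBuf, (word32)fileSz);
        XFREE(loadBuf, NULL, DYNAMIC_TYPE_FILE);
        return -1;
    }

    if (typeKey == WOLFSSL_FILETYPE_PEM) {
        /* DER is never larger than its base64 PEM form, so fileSz bounds
         * the conversion output. */
        byte* saveBuf = (byte*)XMALLOC(fileSz, NULL, DYNAMIC_TYPE_X509);
        int saveBufSz = 0;

        ret = -1;
        if (saveBuf != NULL) {
            saveBufSz = wc_KeyPemToDer(loadBuf, (int)fileSz,
                                       saveBuf, (int)fileSz, password);
            if (saveBufSz < 0) {
                /* partial DER may have been written before the failure */
                saveBufSz = 0;
                ForceZero(saveBuf, (word32)fileSz);
                XFREE(saveBuf, NULL, DYNAMIC_TYPE_X509);
                saveBuf = NULL;
            }
            else
                ret = 0;
        }

        /* the PEM copy is no longer needed either way */
        ForceZero(loadBuf, (word32)fileSz);
        XFREE(loadBuf, NULL, DYNAMIC_TYPE_FILE);

        if (saveBuf) {
            *keyBuf = saveBuf;
            *keyBufSz = (word32)saveBufSz;
        }
    }
    else {
        /* DER/ASN.1 input: ownership of the raw file buffer passes to the
         * caller; ret is the byte count read, which is >= 0 */
        *keyBuf = loadBuf;
        *keyBufSz = (word32)fileSz;
    }

    if (ret < 0) {
        return -1;
    }

    return ret;
}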
wolfSSL 15:117db924cf7c 1435
wolfSSL 15:117db924cf7c 1436 #endif
wolfSSL 15:117db924cf7c 1437
wolfSSL 15:117db924cf7c 1438
wolfSSL 16:8e0d178b1d1e 1439 #ifdef WOLFSSL_SNIFFER_WATCH
wolfSSL 16:8e0d178b1d1e 1440
/* Allocate the single "watch" SnifferServer used under WOLFSSL_SNIFFER_WATCH
 * and install it as the head of ServerList. Returns 0 on success; on failure
 * `error` receives MEMORY_STR and -1 is returned.
 * NOTE(review): ServerList is overwritten rather than prepended to, and no
 * lock is taken here — presumably this runs once during initialisation
 * before any other user of the list; confirm against the caller. */
static int CreateWatchSnifferServer(char* error)
{
    SnifferServer* watch = (SnifferServer*)XMALLOC(sizeof(SnifferServer),
                                                   NULL,
                                                   DYNAMIC_TYPE_SNIFFER_SERVER);
    if (watch == NULL) {
        SetError(MEMORY_STR, error, NULL, 0);
        return -1;
    }

    InitSnifferServer(watch);
    watch->ctx = SSL_CTX_new(TLSv1_2_client_method());
    if (watch->ctx == NULL) {
        SetError(MEMORY_STR, error, NULL, 0);
        FreeSnifferServer(watch);
        return -1;
    }
#ifdef WOLF_CRYPTO_CB
    if (CryptoDeviceId != INVALID_DEVID)
        wolfSSL_CTX_SetDevId(watch->ctx, CryptoDeviceId);
#endif

    ServerList = watch;
    return 0;
}
wolfSSL 16:8e0d178b1d1e 1466
wolfSSL 16:8e0d178b1d1e 1467 #endif
wolfSSL 16:8e0d178b1d1e 1468
wolfSSL 16:8e0d178b1d1e 1469
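/* Register (or update) the private key for the server at address:port.
 * Called with ServerListMutex already held (see ssl_SetPrivateKey and
 * ssl_SetNamedPrivateKey).
 *   name     - SNI host name the key applies to, or NULL for the server's
 *              default key; a non-NULL name is only acted on with HAVE_SNI
 *   address  - dotted IPv4 or textual IPv6 server address
 *   port     - server TCP port
 *   keyFile  - path of the key file; typeKey == FILETYPE_PEM selects PEM,
 *              anything else is treated as DER/ASN.1
 *   password - key file password, or NULL
 *   error    - receives an error string on failure
 * A SnifferServer entry is created when address:port is not yet in
 * ServerList. With name == NULL the key is loaded straight into the entry's
 * SSL_CTX; with a name the key is parsed into a NamedKey and pushed onto the
 * entry's namedKeys list. Returns 0 on success, -1 on error; a freshly
 * created entry is released again on failure, an existing one is left as it
 * was.
 * NOTE(review): an address that parses as neither IPv4 nor IPv6 is still
 * registered, as IPv4 with ip4 == INADDR_NONE; this matches the previous
 * behaviour and is not rejected here. */
static int SetNamedPrivateKey(const char* name, const char* address, int port,
    const char* keyFile, int typeKey, const char* password, char* error)
{
    SnifferServer* sniffer;
    int ret;
    int type = (typeKey == FILETYPE_PEM) ? WOLFSSL_FILETYPE_PEM :
                                          WOLFSSL_FILETYPE_ASN1;
    int isNew = 0;
    IpAddrInfo serverIp;

#ifdef HAVE_SNI
    NamedKey* namedKey = NULL;
#endif

    (void)name;
#ifdef HAVE_SNI
    if (name != NULL) {
        namedKey = (NamedKey*)XMALLOC(sizeof(NamedKey),
                                      NULL, DYNAMIC_TYPE_SNIFFER_NAMED_KEY);
        if (namedKey == NULL) {
            SetError(MEMORY_STR, error, NULL, 0);
            return -1;
        }
        XMEMSET(namedKey, 0, sizeof(NamedKey));

        /* name is truncated to fit; the memset above guarantees the copy is
         * NUL-terminated and the last slot is pinned to '\0' regardless */
        namedKey->nameSz = (word32)XSTRLEN(name);
        if (namedKey->nameSz > sizeof(namedKey->name)-1)
            namedKey->nameSz = sizeof(namedKey->name)-1;
        XSTRNCPY(namedKey->name, name, namedKey->nameSz);
        namedKey->name[MAX_SERVER_NAME-1] = '\0';

        ret = LoadKeyFile(&namedKey->key, &namedKey->keySz,
                          keyFile, type, password);
        if (ret < 0) {
            SetError(KEY_FILE_STR, error, NULL, 0);
            FreeNamedKey(namedKey);
            return -1;
        }
    }
#endif

    /* IPv4 first; anything inet_addr() rejects is retried as IPv6 */
    serverIp.version = IPV4;
    serverIp.ip4 = inet_addr(address);
    if (serverIp.ip4 == INADDR_NONE) {
        if (inet_pton(AF_INET6, address, serverIp.ip6) == 1) {
            serverIp.version = IPV6;
        }
    }
    sniffer = ServerList;
    while (sniffer != NULL &&
           (!MatchAddr(sniffer->server, serverIp) || sniffer->port != port)) {
        sniffer = sniffer->next;
    }

    if (sniffer == NULL) {
        isNew = 1;
        sniffer = (SnifferServer*)XMALLOC(sizeof(SnifferServer),
                                          NULL, DYNAMIC_TYPE_SNIFFER_SERVER);
        if (sniffer == NULL) {
            SetError(MEMORY_STR, error, NULL, 0);
#ifdef HAVE_SNI
            FreeNamedKey(namedKey);
#endif
            return -1;
        }
        InitSnifferServer(sniffer);

        XSTRNCPY(sniffer->address, address, MAX_SERVER_ADDRESS-1);
        sniffer->address[MAX_SERVER_ADDRESS-1] = '\0';
        sniffer->server = serverIp;
        sniffer->port = port;

        sniffer->ctx = SSL_CTX_new(TLSv1_2_client_method());
        if (!sniffer->ctx) {
            SetError(MEMORY_STR, error, NULL, 0);
#ifdef HAVE_SNI
            FreeNamedKey(namedKey);
#endif
            FreeSnifferServer(sniffer);
            return -1;
        }
    }

    if (name == NULL) {
        if (password) {
#ifdef WOLFSSL_ENCRYPTED_KEYS
            SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);
            SSL_CTX_set_default_passwd_cb_userdata(
                sniffer->ctx, (void*)password);
#endif
        }
        ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type);
        if (ret != WOLFSSL_SUCCESS) {
            SetError(KEY_FILE_STR, error, NULL, 0);
            if (isNew)
                FreeSnifferServer(sniffer);
            return -1;
        }
#ifdef WOLF_CRYPTO_CB
        /* same guard as CreateWatchSnifferServer: only attach a crypto
         * device when one was actually configured */
        if (CryptoDeviceId != INVALID_DEVID)
            wolfSSL_CTX_SetDevId(sniffer->ctx, CryptoDeviceId);
#endif
    }
#ifdef HAVE_SNI
    else {
        wc_LockMutex(&sniffer->namedKeysMutex);
        namedKey->next = sniffer->namedKeys;
        sniffer->namedKeys = namedKey;
        wc_UnLockMutex(&sniffer->namedKeysMutex);
    }
#endif

    if (isNew) {
        sniffer->next = ServerList;
        ServerList = sniffer;
    }

    return 0;
}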
wolfSSL 15:117db924cf7c 1588
wolfSSL 15:117db924cf7c 1589
wolfSSL 15:117db924cf7c 1590 #ifdef HAVE_SNI
wolfSSL 15:117db924cf7c 1591
/* Public entry point: register the private key serving SNI host `name` on
 * server address:port. Wraps SetNamedPrivateKey in ServerListMutex.
 * Returns 0 on success, -1 on error (error string delivered via `error`). */
int ssl_SetNamedPrivateKey(const char* name,
                           const char* address, int port,
                           const char* keyFile, int typeKey,
                           const char* password, char* error)
{
    int rc;

    TraceHeader();
    TraceSetNamedServer(name, address, port, keyFile);

    wc_LockMutex(&ServerListMutex);
    rc = SetNamedPrivateKey(name, address, port, keyFile,
                            typeKey, password, error);
    wc_UnLockMutex(&ServerListMutex);

    if (rc != 0)
        return rc;

    Trace(NEW_SERVER_STR);
    return 0;
}
wolfSSL 15:117db924cf7c 1614
wolfSSL 15:117db924cf7c 1615 #endif
wolfSSL 15:117db924cf7c 1616
wolfSSL 15:117db924cf7c 1617
/* Public entry point: register the default private key for server
 * address:port (no SNI name). Wraps SetNamedPrivateKey in ServerListMutex.
 * Returns 0 on success, -1 on error (error string delivered via `error`). */
int ssl_SetPrivateKey(const char* address, int port, const char* keyFile,
                      int typeKey, const char* password, char* error)
{
    int rc;

    TraceHeader();
    TraceSetServer(address, port, keyFile);

    wc_LockMutex(&ServerListMutex);
    rc = SetNamedPrivateKey(NULL, address, port, keyFile,
                            typeKey, password, error);
    wc_UnLockMutex(&ServerListMutex);

    if (rc != 0)
        return rc;

    Trace(NEW_SERVER_STR);
    return 0;
}
wolfSSL 15:117db924cf7c 1638
wolfSSL 15:117db924cf7c 1639
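/* Check an IPv6 header: verify the version, walk any extension headers to
 * reach the TCP header, and (unless WOLFSSL_SNIFFER_WATCH) require a
 * registered server address at either end.
 *   iphdr  - start of the IPv6 header; `length` bytes are readable from it
 *   info   - receives length (offset of the TCP header from the start of the
 *            IP header), total (datagram length), src and dst
 * Returns 0 on success, -1 on error with `error` set.
 * Extension headers are sized as (length + 1) * 8 octets, the encoding used
 * by Hop-by-Hop, Routing and Destination Options; the Fragment header is a
 * fixed 8 octets and fits the same rule. Any next_header value other than
 * TCP_PROTOCOL or NO_NEXT_HEADER is treated as such an extension header
 * (Authentication headers, which size themselves differently, are not
 * handled specially). */
static int CheckIp6Hdr(Ip6Hdr* iphdr, IpInfo* info, int length, char* error)
{
    int version = IP_V(iphdr);
    int exthdrsz = IP6_HDR_SZ;

    TraceIP6(iphdr);
    Trace(IP_CHECK_STR);

    if (version != IPV6) {
        SetError(BAD_IPVER_STR, error, NULL, 0);
        return -1;
    }

    /* Follow the Next Header chain until it names TCP. Each header's
     * next_header field describes the header that follows it, so the value
     * taken from the base header selects the first extension header, the
     * first extension header's value selects the second, and so on. Every
     * field read is bounds-checked against `length` before it happens, and
     * a chain that ends (NO_NEXT_HEADER) without reaching TCP is rejected
     * like a non-TCP protocol is in the IPv4 path. */
    if (iphdr->next_header != TCP_PROTOCOL) {
        const byte* base = (const byte*)iphdr;
        byte next = iphdr->next_header;

        while (next != TCP_PROTOCOL) {
            const Ip6ExtHdr* exthdr;
            int hdrsz;

            if (next == NO_NEXT_HEADER) {
                SetError(BAD_PROTO_STR, error, NULL, 0);
                return -1;
            }
            if (length - exthdrsz < (int)sizeof(Ip6ExtHdr)) {
                SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
                return -1;
            }
            exthdr = (const Ip6ExtHdr*)(base + exthdrsz);
            hdrsz = (exthdr->length + 1) * 8;
            if (hdrsz > length - exthdrsz) {
                SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
                return -1;
            }
            next = exthdr->next_header;
            exthdrsz += hdrsz;
        }
    }

#ifndef WOLFSSL_SNIFFER_WATCH
    if (!IsServerRegistered6(iphdr->src) && !IsServerRegistered6(iphdr->dst)) {
        SetError(SERVER_NOT_REG_STR, error, NULL, 0);
        return -1;
    }
#endif

    info->length = exthdrsz;
    /* IPv6 Payload Length counts everything after the fixed base header,
     * extension headers included, so the datagram total is the payload plus
     * the base header only (the v4 path's total is likewise the whole
     * datagram). Adding exthdrsz here would overcount by the size of the
     * extension headers. */
    info->total = ntohs(iphdr->length) + IP6_HDR_SZ;
    info->src.version = IPV6;
    XMEMCPY(info->src.ip6, iphdr->src, sizeof(info->src.ip6));
    info->dst.version = IPV6;
    XMEMCPY(info->dst.ip6, iphdr->dst, sizeof(info->dst.ip6));

    return 0;
}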
wolfSSL 16:8e0d178b1d1e 1688
wolfSSL 16:8e0d178b1d1e 1689
/* Check an IP header for IPv4 + TCP and (unless WOLFSSL_SNIFFER_WATCH) a
 * registered server address at either end. IPv6 packets are handed to
 * CheckIp6Hdr(). Fills info->length, info->total, info->src and info->dst.
 * Returns 0 on success, -1 on error with `error` set. */
static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error)
{
    const int ipVersion = IP_V(iphdr);

    if (ipVersion == IPV6)
        return CheckIp6Hdr((Ip6Hdr*)iphdr, info, length, error);

    TraceIP(iphdr);
    Trace(IP_CHECK_STR);

    if (ipVersion != IPV4) {
        SetError(BAD_IPVER_STR, error, NULL, 0);
        return -1;
    }
    if (iphdr->protocol != TCP_PROTOCOL) {
        SetError(BAD_PROTO_STR, error, NULL, 0);
        return -1;
    }
#ifndef WOLFSSL_SNIFFER_WATCH
    if (!IsServerRegistered(iphdr->src) && !IsServerRegistered(iphdr->dst)) {
        SetError(SERVER_NOT_REG_STR, error, NULL, 0);
        return -1;
    }
#endif

    info->src.version = IPV4;
    info->src.ip4 = iphdr->src;
    info->dst.version = IPV4;
    info->dst.ip4 = iphdr->dst;
    info->length = IP_HL(iphdr);
    /* a reassembled datagram may carry a zero total length; fall back to the
     * captured length in that case */
    info->total = ntohs(iphdr->length);
    if (info->total == 0)
        info->total = length;

    return 0;
}
wolfSSL 15:117db924cf7c 1732
wolfSSL 15:117db924cf7c 1733
/* Decode the TCP header into info: ports in host order, header length,
 * sequence number, the FIN/RST/SYN/ACK flag bits and, when ACK is set, the
 * acknowledgement number. Unless WOLFSSL_SNIFFER_WATCH, one of the two ports
 * must be registered. Returns 0 on success, -1 on error with `error` set. */
static int CheckTcpHdr(TcpHdr* tcphdr, TcpInfo* info, char* error)
{
    TraceTcp(tcphdr);
    Trace(TCP_CHECK_STR);

    info->srcPort  = ntohs(tcphdr->srcPort);
    info->dstPort  = ntohs(tcphdr->dstPort);
    info->length   = TCP_LEN(tcphdr);
    info->sequence = ntohl(tcphdr->sequence);

    info->fin = tcphdr->flags & TCP_FIN;
    info->rst = tcphdr->flags & TCP_RST;
    info->syn = tcphdr->flags & TCP_SYN;
    info->ack = tcphdr->flags & TCP_ACK;
    if (info->ack != 0)
        info->ackNumber = ntohl(tcphdr->ack);

#ifndef WOLFSSL_SNIFFER_WATCH
    if (IsPortRegistered(info->srcPort) == 0 &&
        IsPortRegistered(info->dstPort) == 0) {
        SetError(SERVER_PORT_NOT_REG_STR, error, NULL, 0);
        return -1;
    }
#else
    (void)error;
#endif

    return 0;
}
wolfSSL 15:117db924cf7c 1762
wolfSSL 15:117db924cf7c 1763
/* Decode the TLS record layer header at `input` into rh and the record body
 * length (big-endian 16-bit field) into *size. Returns LENGTH_ERROR when the
 * length exceeds MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA, else 0.
 * The caller must guarantee RECORD_HEADER_SZ readable bytes at input; the
 * content type and version bytes are not validated here. */
static int GetRecordHeader(const byte* input, RecordLayerHeader* rh, int* size)
{
    int recordLen;

    XMEMCPY(rh, input, RECORD_HEADER_SZ);
    recordLen = ((int)rh->length[0] << 8) | (int)rh->length[1];
    *size = recordLen;

    return (recordLen > (MAX_RECORD_SIZE + COMP_EXTRA + MAX_MSG_EXTRA))
               ? LENGTH_ERROR : 0;
}
wolfSSL 15:117db924cf7c 1775
wolfSSL 15:117db924cf7c 1776
/* Fill sslInfo from the session; a NULL sslInfo is a no-op. The structure is
 * zeroed first and only populated (with isValid set) once the Server Hello
 * has been processed, i.e. once a cipher suite is recorded on
 * session->sslServer. String fields are bounded copies that are always
 * NUL-terminated. */
static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
{
    const char* cipherName;

    if (sslInfo == NULL)
        return;

    XMEMSET(sslInfo, 0, sizeof(SSLInfo));

    /* nothing to report until the Server Hello has fixed the cipher suite */
    if (session->sslServer->options.cipherSuite == 0)
        return;

    sslInfo->isValid = 1;
    sslInfo->protocolVersionMajor = session->sslServer->version.major;
    sslInfo->protocolVersionMinor = session->sslServer->version.minor;
    sslInfo->serverCipherSuite0 = session->sslServer->options.cipherSuite0;
    sslInfo->serverCipherSuite  = session->sslServer->options.cipherSuite;

    cipherName = wolfSSL_get_cipher(session->sslServer);
    if (cipherName != NULL) {
        XSTRNCPY((char*)sslInfo->serverCipherSuiteName, cipherName,
                 sizeof(sslInfo->serverCipherSuiteName));
        sslInfo->serverCipherSuiteName
            [sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0';
    }
    sslInfo->keySize = session->keySz;
#ifdef HAVE_SNI
    if (session->sni != NULL) {
        XSTRNCPY((char*)sslInfo->serverNameIndication,
                 session->sni, sizeof(sslInfo->serverNameIndication));
        sslInfo->serverNameIndication
            [sizeof(sslInfo->serverNameIndication) - 1] = '\0';
    }
#endif
    TraceSessionInfo(sslInfo);
}
wolfSSL 16:8e0d178b1d1e 1816
wolfSSL 16:8e0d178b1d1e 1817
/* Invoke the registered connection-start callback (ConnectionCb) with a
 * snapshot of the session's SSLInfo and the caller-supplied ConnectionCbCtx.
 * Does nothing when no callback is registered. */
static void CallConnectionCb(SnifferSession* session)
{
    SSLInfo snapshot;

    if (ConnectionCb == NULL)
        return;

    CopySessionInfo(session, &snapshot);
    ConnectionCb((const void*)session, &snapshot, ConnectionCbCtx);
}
wolfSSL 16:8e0d178b1d1e 1827
wolfSSL 16:8e0d178b1d1e 1828
wolfSSL 16:8e0d178b1d1e 1829 /* Process Client Key Exchange, RSA or static ECDH */
wolfSSL 15:117db924cf7c 1830 static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
wolfSSL 15:117db924cf7c 1831 SnifferSession* session, char* error)
wolfSSL 15:117db924cf7c 1832 {
wolfSSL 15:117db924cf7c 1833 word32 idx = 0;
wolfSSL 16:8e0d178b1d1e 1834 int tryEcc = 0;
wolfSSL 16:8e0d178b1d1e 1835 int ret;
wolfSSL 15:117db924cf7c 1836
wolfSSL 15:117db924cf7c 1837 if (session->sslServer->buffers.key == NULL ||
wolfSSL 15:117db924cf7c 1838 session->sslServer->buffers.key->buffer == NULL ||
wolfSSL 15:117db924cf7c 1839 session->sslServer->buffers.key->length == 0) {
wolfSSL 15:117db924cf7c 1840
wolfSSL 15:117db924cf7c 1841 SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 15:117db924cf7c 1842 return -1;
wolfSSL 15:117db924cf7c 1843 }
wolfSSL 16:8e0d178b1d1e 1844
wolfSSL 16:8e0d178b1d1e 1845 {
wolfSSL 16:8e0d178b1d1e 1846 RsaKey key;
wolfSSL 16:8e0d178b1d1e 1847 int length;
wolfSSL 16:8e0d178b1d1e 1848
wolfSSL 16:8e0d178b1d1e 1849 ret = wc_InitRsaKey(&key, 0);
wolfSSL 16:8e0d178b1d1e 1850 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1851 ret = wc_RsaPrivateKeyDecode(
wolfSSL 16:8e0d178b1d1e 1852 session->sslServer->buffers.key->buffer,
wolfSSL 16:8e0d178b1d1e 1853 &idx, &key, session->sslServer->buffers.key->length);
wolfSSL 16:8e0d178b1d1e 1854 if (ret != 0) {
wolfSSL 16:8e0d178b1d1e 1855 tryEcc = 1;
wolfSSL 16:8e0d178b1d1e 1856 #ifndef HAVE_ECC
wolfSSL 16:8e0d178b1d1e 1857 SetError(RSA_DECODE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1858 #else
wolfSSL 16:8e0d178b1d1e 1859 /* If we can do ECC, this isn't fatal. Not loading an ECC
wolfSSL 16:8e0d178b1d1e 1860 * key will be fatal, though. */
wolfSSL 16:8e0d178b1d1e 1861 SetError(RSA_DECODE_STR, error, session, 0);
wolfSSL 16:8e0d178b1d1e 1862 #endif
wolfSSL 16:8e0d178b1d1e 1863 }
wolfSSL 15:117db924cf7c 1864 }
wolfSSL 16:8e0d178b1d1e 1865
wolfSSL 16:8e0d178b1d1e 1866 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1867 length = wc_RsaEncryptSize(&key);
wolfSSL 16:8e0d178b1d1e 1868 if (IsTLS(session->sslServer)) {
wolfSSL 16:8e0d178b1d1e 1869 input += 2; /* tls pre length */
wolfSSL 16:8e0d178b1d1e 1870 }
wolfSSL 16:8e0d178b1d1e 1871
wolfSSL 16:8e0d178b1d1e 1872 if (length > *sslBytes) {
wolfSSL 16:8e0d178b1d1e 1873 SetError(PARTIAL_INPUT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1874 ret = -1;
wolfSSL 16:8e0d178b1d1e 1875 }
wolfSSL 16:8e0d178b1d1e 1876 }
wolfSSL 16:8e0d178b1d1e 1877
wolfSSL 15:117db924cf7c 1878 #ifdef WC_RSA_BLINDING
wolfSSL 16:8e0d178b1d1e 1879 if (ret == 0) {
wolfSSL 15:117db924cf7c 1880 ret = wc_RsaSetRNG(&key, session->sslServer->rng);
wolfSSL 15:117db924cf7c 1881 if (ret != 0) {
wolfSSL 15:117db924cf7c 1882 SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 15:117db924cf7c 1883 }
wolfSSL 15:117db924cf7c 1884 }
wolfSSL 15:117db924cf7c 1885 #endif
wolfSSL 16:8e0d178b1d1e 1886
wolfSSL 16:8e0d178b1d1e 1887 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1888 session->keySz = length * WOLFSSL_BIT_SIZE;
wolfSSL 16:8e0d178b1d1e 1889 /* length is the key size in bytes */
wolfSSL 16:8e0d178b1d1e 1890 session->sslServer->arrays->preMasterSz = SECRET_LEN;
wolfSSL 16:8e0d178b1d1e 1891
wolfSSL 16:8e0d178b1d1e 1892 do {
wolfSSL 16:8e0d178b1d1e 1893 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 16:8e0d178b1d1e 1894 ret = wc_AsyncWait(ret, &key.asyncDev,
wolfSSL 16:8e0d178b1d1e 1895 WC_ASYNC_FLAG_CALL_AGAIN);
wolfSSL 16:8e0d178b1d1e 1896 #endif
wolfSSL 16:8e0d178b1d1e 1897 if (ret >= 0) {
wolfSSL 16:8e0d178b1d1e 1898 ret = wc_RsaPrivateDecrypt(input, length,
wolfSSL 16:8e0d178b1d1e 1899 session->sslServer->arrays->preMasterSecret,
wolfSSL 16:8e0d178b1d1e 1900 session->sslServer->arrays->preMasterSz, &key);
wolfSSL 16:8e0d178b1d1e 1901 }
wolfSSL 16:8e0d178b1d1e 1902 } while (ret == WC_PENDING_E);
wolfSSL 16:8e0d178b1d1e 1903
wolfSSL 16:8e0d178b1d1e 1904 if (ret != SECRET_LEN) {
wolfSSL 16:8e0d178b1d1e 1905 SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1906 }
wolfSSL 16:8e0d178b1d1e 1907 }
wolfSSL 16:8e0d178b1d1e 1908
wolfSSL 16:8e0d178b1d1e 1909 wc_FreeRsaKey(&key);
wolfSSL 15:117db924cf7c 1910 }
wolfSSL 16:8e0d178b1d1e 1911
wolfSSL 16:8e0d178b1d1e 1912 if (tryEcc) {
wolfSSL 16:8e0d178b1d1e 1913 #ifdef HAVE_ECC
wolfSSL 16:8e0d178b1d1e 1914 ecc_key key;
wolfSSL 16:8e0d178b1d1e 1915 ecc_key pubKey;
wolfSSL 16:8e0d178b1d1e 1916 int length, keyInit = 0, pubKeyInit = 0;
wolfSSL 16:8e0d178b1d1e 1917
wolfSSL 16:8e0d178b1d1e 1918 idx = 0;
wolfSSL 16:8e0d178b1d1e 1919 ret = wc_ecc_init(&key);
wolfSSL 16:8e0d178b1d1e 1920 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1921 keyInit = 1;
wolfSSL 16:8e0d178b1d1e 1922 ret = wc_ecc_init(&pubKey);
wolfSSL 16:8e0d178b1d1e 1923 }
wolfSSL 16:8e0d178b1d1e 1924 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1925 pubKeyInit = 1;
wolfSSL 16:8e0d178b1d1e 1926 ret = wc_EccPrivateKeyDecode(
wolfSSL 16:8e0d178b1d1e 1927 session->sslServer->buffers.key->buffer,
wolfSSL 16:8e0d178b1d1e 1928 &idx, &key, session->sslServer->buffers.key->length);
wolfSSL 16:8e0d178b1d1e 1929 if (ret != 0) {
wolfSSL 16:8e0d178b1d1e 1930 SetError(ECC_DECODE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1931 }
wolfSSL 16:8e0d178b1d1e 1932 }
wolfSSL 16:8e0d178b1d1e 1933
wolfSSL 16:8e0d178b1d1e 1934 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1935 length = wc_ecc_size(&key) * 2 + 1;
wolfSSL 16:8e0d178b1d1e 1936 /* The length should be 2 times the key size (x and y), plus 1
wolfSSL 16:8e0d178b1d1e 1937 * for the type byte. */
wolfSSL 16:8e0d178b1d1e 1938 if (IsTLS(session->sslServer)) {
wolfSSL 16:8e0d178b1d1e 1939 input += 1; /* Don't include the TLS length for the key. */
wolfSSL 16:8e0d178b1d1e 1940 }
wolfSSL 16:8e0d178b1d1e 1941
wolfSSL 16:8e0d178b1d1e 1942 if (length + 1 > *sslBytes) {
wolfSSL 16:8e0d178b1d1e 1943 SetError(PARTIAL_INPUT_STR,
wolfSSL 16:8e0d178b1d1e 1944 error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1945 ret = -1;
wolfSSL 16:8e0d178b1d1e 1946 }
wolfSSL 16:8e0d178b1d1e 1947 }
wolfSSL 16:8e0d178b1d1e 1948
wolfSSL 16:8e0d178b1d1e 1949 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1950 ret = wc_ecc_import_x963_ex(input, length, &pubKey, ECC_CURVE_DEF);
wolfSSL 16:8e0d178b1d1e 1951 if (ret != 0) {
wolfSSL 16:8e0d178b1d1e 1952 SetError(ECC_PUB_DECODE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 1953 }
wolfSSL 16:8e0d178b1d1e 1954 }
wolfSSL 16:8e0d178b1d1e 1955
wolfSSL 16:8e0d178b1d1e 1956 if (ret == 0) {
wolfSSL 16:8e0d178b1d1e 1957 session->keySz = ((length - 1) / 2) * WOLFSSL_BIT_SIZE;
wolfSSL 16:8e0d178b1d1e 1958 /* Length is in bytes. Subtract 1 for the ECC key type. Divide
wolfSSL 16:8e0d178b1d1e 1959 * by two as the key is in (x,y) coordinates, where x and y are
wolfSSL 16:8e0d178b1d1e 1960 * the same size, the key size. Convert from bytes to bits. */
wolfSSL 16:8e0d178b1d1e 1961 session->sslServer->arrays->preMasterSz = ENCRYPT_LEN;
wolfSSL 16:8e0d178b1d1e 1962
wolfSSL 16:8e0d178b1d1e 1963 do {
wolfSSL 16:8e0d178b1d1e 1964 #ifdef WOLFSSL_ASYNC_CRYPT
wolfSSL 16:8e0d178b1d1e 1965 ret = wc_AsyncWait(ret, &key.asyncDev,
wolfSSL 16:8e0d178b1d1e 1966 WC_ASYNC_FLAG_CALL_AGAIN);
wolfSSL 16:8e0d178b1d1e 1967 #endif
wolfSSL 16:8e0d178b1d1e 1968 if (ret >= 0) {
wolfSSL 16:8e0d178b1d1e 1969 ret = wc_ecc_shared_secret(&key, &pubKey,
wolfSSL 16:8e0d178b1d1e 1970 session->sslServer->arrays->preMasterSecret,
wolfSSL 16:8e0d178b1d1e 1971 &session->sslServer->arrays->preMasterSz);
wolfSSL 16:8e0d178b1d1e 1972 }
wolfSSL 16:8e0d178b1d1e 1973 } while (ret == WC_PENDING_E);
wolfSSL 16:8e0d178b1d1e 1974 }
wolfSSL 16:8e0d178b1d1e 1975
wolfSSL 16:8e0d178b1d1e 1976 #ifdef WOLFSSL_SNIFFER_STATS
wolfSSL 16:8e0d178b1d1e 1977 if (ret != 0)
wolfSSL 16:8e0d178b1d1e 1978 INC_STAT(SnifferStats.sslKeyFails);
wolfSSL 16:8e0d178b1d1e 1979 #endif
wolfSSL 16:8e0d178b1d1e 1980
wolfSSL 16:8e0d178b1d1e 1981 if (keyInit)
wolfSSL 16:8e0d178b1d1e 1982 wc_ecc_free(&key);
wolfSSL 16:8e0d178b1d1e 1983 if (pubKeyInit)
wolfSSL 16:8e0d178b1d1e 1984 wc_ecc_free(&pubKey);
wolfSSL 16:8e0d178b1d1e 1985 #endif
wolfSSL 15:117db924cf7c 1986 }
wolfSSL 15:117db924cf7c 1987
wolfSSL 16:8e0d178b1d1e 1988 /* store for client side as well */
wolfSSL 16:8e0d178b1d1e 1989 XMEMCPY(session->sslClient->arrays->preMasterSecret,
wolfSSL 16:8e0d178b1d1e 1990 session->sslServer->arrays->preMasterSecret,
wolfSSL 16:8e0d178b1d1e 1991 session->sslServer->arrays->preMasterSz);
wolfSSL 16:8e0d178b1d1e 1992 session->sslClient->arrays->preMasterSz =
wolfSSL 16:8e0d178b1d1e 1993 session->sslServer->arrays->preMasterSz;
wolfSSL 16:8e0d178b1d1e 1994
wolfSSL 16:8e0d178b1d1e 1995 #ifdef SHOW_SECRETS
wolfSSL 16:8e0d178b1d1e 1996 {
wolfSSL 16:8e0d178b1d1e 1997 word32 i;
wolfSSL 16:8e0d178b1d1e 1998 printf("pre master secret: ");
wolfSSL 16:8e0d178b1d1e 1999 for (i = 0; i < session->sslServer->arrays->preMasterSz; i++)
wolfSSL 16:8e0d178b1d1e 2000 printf("%02x", session->sslServer->arrays->preMasterSecret[i]);
wolfSSL 16:8e0d178b1d1e 2001 printf("\n");
wolfSSL 16:8e0d178b1d1e 2002 }
wolfSSL 16:8e0d178b1d1e 2003 #endif
wolfSSL 16:8e0d178b1d1e 2004
wolfSSL 15:117db924cf7c 2005 if (SetCipherSpecs(session->sslServer) != 0) {
wolfSSL 15:117db924cf7c 2006 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 15:117db924cf7c 2007 return -1;
wolfSSL 15:117db924cf7c 2008 }
wolfSSL 15:117db924cf7c 2009
wolfSSL 15:117db924cf7c 2010 if (SetCipherSpecs(session->sslClient) != 0) {
wolfSSL 15:117db924cf7c 2011 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 15:117db924cf7c 2012 return -1;
wolfSSL 15:117db924cf7c 2013 }
wolfSSL 15:117db924cf7c 2014
wolfSSL 15:117db924cf7c 2015 ret = MakeMasterSecret(session->sslServer);
wolfSSL 15:117db924cf7c 2016 ret += MakeMasterSecret(session->sslClient);
wolfSSL 15:117db924cf7c 2017 ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL 15:117db924cf7c 2018 ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE);
wolfSSL 15:117db924cf7c 2019
wolfSSL 15:117db924cf7c 2020 if (ret != 0) {
wolfSSL 15:117db924cf7c 2021 SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
wolfSSL 15:117db924cf7c 2022 return -1;
wolfSSL 15:117db924cf7c 2023 }
wolfSSL 15:117db924cf7c 2024
wolfSSL 15:117db924cf7c 2025 #ifdef SHOW_SECRETS
wolfSSL 15:117db924cf7c 2026 {
wolfSSL 15:117db924cf7c 2027 int i;
wolfSSL 15:117db924cf7c 2028 printf("server master secret: ");
wolfSSL 15:117db924cf7c 2029 for (i = 0; i < SECRET_LEN; i++)
wolfSSL 15:117db924cf7c 2030 printf("%02x", session->sslServer->arrays->masterSecret[i]);
wolfSSL 15:117db924cf7c 2031 printf("\n");
wolfSSL 15:117db924cf7c 2032
wolfSSL 15:117db924cf7c 2033 printf("client master secret: ");
wolfSSL 15:117db924cf7c 2034 for (i = 0; i < SECRET_LEN; i++)
wolfSSL 15:117db924cf7c 2035 printf("%02x", session->sslClient->arrays->masterSecret[i]);
wolfSSL 15:117db924cf7c 2036 printf("\n");
wolfSSL 15:117db924cf7c 2037
wolfSSL 15:117db924cf7c 2038 printf("server suite = %d\n", session->sslServer->options.cipherSuite);
wolfSSL 15:117db924cf7c 2039 printf("client suite = %d\n", session->sslClient->options.cipherSuite);
wolfSSL 15:117db924cf7c 2040 }
wolfSSL 15:117db924cf7c 2041 #endif
wolfSSL 15:117db924cf7c 2042
wolfSSL 16:8e0d178b1d1e 2043 CallConnectionCb(session);
wolfSSL 16:8e0d178b1d1e 2044
wolfSSL 15:117db924cf7c 2045 return ret;
wolfSSL 15:117db924cf7c 2046 }
wolfSSL 15:117db924cf7c 2047
wolfSSL 15:117db924cf7c 2048
/* Process Session Ticket
 *
 * Parses a session ticket handshake body: skips the lifetime hint, reads the
 * 2-byte ticket length, checks the whole ticket is present, and records the
 * last ID_LEN bytes of the ticket (its MAC) as the server-side session ID so
 * a later resumption with this ticket can be matched.
 *
 * input     - start of the ticket message body
 * sslBytes  - bytes available at input; only the hint and length fields are
 *             consumed here, the ticket body itself is left for the caller
 * session   - sniffer session being updated
 * error     - error string buffer for SetError
 * Returns 0 on success, -1 on short or malformed input (FATAL_ERROR_STATE set).
 */
static int ProcessSessionTicket(const byte* input, int* sslBytes,
                                SnifferSession* session, char* error)
{
    word16      ticketLen;
    const byte* macId;

    /* need the lifetime hint plus the ticket length field */
    if (*sslBytes < TICKET_HINT_LEN + LENGTH_SZ) {
        SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    /* the hint is of no use to the sniffer */
    input     += TICKET_HINT_LEN;
    *sslBytes -= TICKET_HINT_LEN;

    ticketLen  = (word16)((input[0] << 8) | input[1]);
    input     += LENGTH_SZ;
    *sslBytes -= LENGTH_SZ;

    /* the ticket must be fully present and long enough to carry an ID */
    if (ticketLen < ID_LEN || ticketLen > *sslBytes) {
        SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    /* the trailing ID_LEN bytes (the ticket MAC) double as the session ID */
    macId = input + (ticketLen - ID_LEN);
    XMEMCPY(session->sslServer->arrays->sessionID, macId, ID_LEN);
    session->sslServer->options.haveSessionId = 1;

    return 0;
}
wolfSSL 15:117db924cf7c 2080
wolfSSL 15:117db924cf7c 2081
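/* Process Server Hello
 *
 * Parses the ServerHello body: protocol version, server random, session ID,
 * cipher suite, compression method and (when built with HAVE_EXTENDED_MASTER)
 * the extension list, which is scanned for the extended master secret
 * extension. The negotiated version, random and cipher suite are mirrored
 * into both sslServer and sslClient. If the server echoed the client's
 * session ID, or a ticket was offered and no session ID is in play, the
 * connection is treated as a resumption: the master secret is looked up via
 * GetSession() and the record keys for both directions are derived here.
 *
 * msgSz        - length of the handshake message body; used together with
 *                initialBytes only to tell whether extensions follow
 * input        - start of the ServerHello body
 * sslBytes     - bytes available at input; decremented as fields are consumed
 * session      - sniffer session being updated
 * error        - error string buffer for SetError
 * Returns 0 on success, -1 on short/malformed input, a non-null compression
 * method, a failed resumption lookup or a key derivation error
 * (FATAL_ERROR_STATE is set in every failure case).
 */
static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
                              SnifferSession* session, char* error)
{
    ProtocolVersion pv;
    byte            b, b0;
    int             toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
    int             doResume = 0;
    int             initialBytes = *sslBytes;

    (void)msgSz;
    (void)initialBytes;

    /* make sure we didn't miss ClientHello */
    if (session->flags.clientHello == 0) {
        SetError(MISSED_CLIENT_HELLO_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    /* make sure can read through session len */
    if (toRead > *sslBytes) {
        SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    XMEMCPY(&pv, input, VERSION_SZ);
    input     += VERSION_SZ;
    *sslBytes -= VERSION_SZ;

    session->sslServer->version = pv;
    session->sslClient->version = pv;

    XMEMCPY(session->sslServer->arrays->serverRandom, input, RAN_LEN);
    XMEMCPY(session->sslClient->arrays->serverRandom, input, RAN_LEN);
    input     += RAN_LEN;
    *sslBytes -= RAN_LEN;

    /* session ID length */
    b = *input++;
    *sslBytes -= 1;

    /* make sure can read through compression */
    if ( (b + SUITE_LEN + ENUM_LEN) > *sslBytes) {
        SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    if (b) {
        /* ID_LEN bytes are always copied, whatever length b advertises, so
         * the buffer must hold at least ID_LEN bytes here; the check above
         * only covers b bytes and a short ID near the end of the record
         * would otherwise be read past the validated range. (A server ID
         * shorter than ID_LEN still gets the following bytes folded into
         * sessionID, as the ClientHello parser does; that is a pre-existing
         * limitation, not changed here.) */
        if (ID_LEN > *sslBytes) {
            SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        XMEMCPY(session->sslServer->arrays->sessionID, input, ID_LEN);
        session->sslServer->options.haveSessionId = 1;
    }
    input     += b;
    *sslBytes -= b;

    /* cipher suite */
    b0 = *input++;  /* first byte, ECC or not */
    session->sslServer->options.cipherSuite0 = b0;
    session->sslClient->options.cipherSuite0 = b0;
    b = *input++;
    session->sslServer->options.cipherSuite = b;
    session->sslClient->options.cipherSuite = b;
    *sslBytes -= SUITE_LEN;

#ifdef WOLFSSL_SNIFFER_STATS
    {
        /* count suites the library does not know, for the stats report */
        const CipherSuiteInfo* suites = GetCipherNames();
        int suitesSz = GetCipherNamesSize();
        int match = 0;

        while (suitesSz) {
            if (b0 == suites->cipherSuite0 && b == suites->cipherSuite) {
                match = 1;
                break;
            }
            suites++;
            suitesSz--;
        }
        if (!match)
            INC_STAT(SnifferStats.sslCiphersUnsupported);
    }
#endif /* WOLFSSL_SNIFFER_STATS */

    /* compression: only the null method is supported by the sniffer */
    b = *input++;
    *sslBytes -= ENUM_LEN;

    if (b) {
        SetError(BAD_COMPRESSION_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

#ifdef HAVE_EXTENDED_MASTER
    /* extensions: present only if the message body is longer than what has
     * been consumed so far */
    if ((initialBytes - *sslBytes) < msgSz) {
        word16 len;

        /* skip extensions until extended master secret */
        /* make sure can read len */
        if (SUITE_LEN > *sslBytes) {
            SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        len = (word16)((input[0] << 8) | input[1]);
        input     += SUITE_LEN;
        *sslBytes -= SUITE_LEN;
        /* make sure can read through all extensions */
        if (len > *sslBytes) {
            SetError(SERVER_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }

        while (len >= EXT_TYPE_SZ + LENGTH_SZ) {
            byte   extType[EXT_TYPE_SZ];
            word16 extLen;

            extType[0] = input[0];
            extType[1] = input[1];
            input     += EXT_TYPE_SZ;
            *sslBytes -= EXT_TYPE_SZ;

            extLen = (word16)((input[0] << 8) | input[1]);
            input     += LENGTH_SZ;
            *sslBytes -= LENGTH_SZ;
            len       -= EXT_TYPE_SZ + LENGTH_SZ;  /* >= 0 by loop condition */

            /* The extension must fit inside the extensions block as well as
             * inside the buffer. Without the first test a bogus extLen would
             * wrap the word16 len and the loop would run on into whatever
             * follows the ServerHello in the buffer. */
            if (extLen > len || extLen > *sslBytes) {
                SetError(SERVER_HELLO_INPUT_STR, error, session,
                         FATAL_ERROR_STATE);
                return -1;
            }

            if (extType[0] == 0x00 && extType[1] == EXT_MASTER_SECRET) {
                session->flags.expectEms = 1;
            }

            input     += extLen;
            *sslBytes -= extLen;
            len       -= extLen;
        }
    }

    /* no EMS negotiated: the running handshake hash is no longer needed */
    if (!session->flags.expectEms) {
        XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
        session->hash = NULL;
    }
#endif

    /* resumption by session ID: server echoed the ID the client offered */
    if (session->sslServer->options.haveSessionId) {
        if (XMEMCMP(session->sslServer->arrays->sessionID,
                    session->sslClient->arrays->sessionID, ID_LEN) == 0)
            doResume = 1;
    }
    /* resumption by ticket: neither side used a session ID */
    else if (session->sslClient->options.haveSessionId == 0 &&
             session->sslServer->options.haveSessionId == 0 &&
             session->ticketID)
        doResume = 1;

    if (session->ticketID && doResume) {
        /* use ticketID to retrieve from session, prefer over sessionID */
        XMEMCPY(session->sslServer->arrays->sessionID,session->ticketID,ID_LEN);
        session->sslServer->options.haveSessionId = 1;  /* may not have
                                                           actual sessionID */
    }

    if (doResume ) {
        int ret = 0;
        SSL_SESSION* resume = GetSession(session->sslServer,
                                  session->sslServer->arrays->masterSecret, 0);
        if (resume == NULL) {
#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslResumeMisses);
#endif
            SetError(BAD_SESSION_RESUME_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        /* make sure client has master secret too */
        XMEMCPY(session->sslClient->arrays->masterSecret,
               session->sslServer->arrays->masterSecret, SECRET_LEN);
        session->flags.resuming = 1;

        Trace(SERVER_DID_RESUMPTION_STR);
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslResumedConns);
        INC_STAT(SnifferStats.sslResumptionValid);
#endif
        if (SetCipherSpecs(session->sslServer) != 0) {
            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }

        if (SetCipherSpecs(session->sslClient) != 0) {
            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }

        /* no key exchange follows on resumption, so derive the record keys
         * for both directions now */
        if (session->sslServer->options.tls) {
            ret =  DeriveTlsKeys(session->sslServer);
            ret += DeriveTlsKeys(session->sslClient);
        }
        else {
            ret =  DeriveKeys(session->sslServer);
            ret += DeriveKeys(session->sslClient);
        }
        ret += SetKeysSide(session->sslServer, ENCRYPT_AND_DECRYPT_SIDE);
        ret += SetKeysSide(session->sslClient, ENCRYPT_AND_DECRYPT_SIDE);

        if (ret != 0) {
            SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
    }
    else {
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslStandardConns);
#endif
    }
#ifdef SHOW_SECRETS
    {
        int i;
        printf("cipher suite = 0x%02x\n",
               session->sslServer->options.cipherSuite);
        printf("server random: ");
        for (i = 0; i < RAN_LEN; i++)
            printf("%02x", session->sslServer->arrays->serverRandom[i]);
        printf("\n");
    }
#endif
    return 0;
}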
wolfSSL 15:117db924cf7c 2309
wolfSSL 15:117db924cf7c 2310
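/* Process normal Client Hello
 *
 * Parses the ClientHello body. With HAVE_SNI the server name is first pulled
 * out of the record and, if it matches an entry in the context's named-key
 * list, that private key is loaded into sslServer. The client random is
 * recorded for both sides, an offered session ID is kept so resumption can
 * be recognised in the ServerHello, the cipher suite and compression lists
 * are skipped, and the extensions are scanned for a session ticket, whose
 * trailing ID_LEN bytes are stored in session->ticketID.
 *
 * input     - start of the ClientHello body; the SNI lookup assumes the
 *             record header and handshake header immediately precede it
 * sslBytes  - bytes available at input; decremented as fields are consumed
 * session   - sniffer session being updated
 * error     - error string buffer for SetError
 * Returns 0 on success, -1 on short/malformed input, a private key that
 * fails to load, or an allocation failure (FATAL_ERROR_STATE set).
 */
static int ProcessClientHello(const byte* input, int* sslBytes,
                              SnifferSession* session, char* error)
{
    byte   bLen;
    word16 len;
    int    toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;

#ifdef HAVE_SNI
    {
        byte   name[MAX_SERVER_NAME];
        word32 nameSz = sizeof(name);
        int    ret;

        ret = wolfSSL_SNI_GetFromBuffer(
                             input - HANDSHAKE_HEADER_SZ - RECORD_HEADER_SZ,
                             *sslBytes + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ,
                             WOLFSSL_SNI_HOST_NAME, name, &nameSz);

        if (ret == WOLFSSL_SUCCESS) {
            NamedKey* namedKey;

            /* NUL-terminate, truncating a name that fills the buffer */
            if (nameSz > sizeof(name) - 1)
                nameSz = sizeof(name) - 1;
            name[nameSz] = 0;
            wc_LockMutex(&session->context->namedKeysMutex);
            namedKey = session->context->namedKeys;
            while (namedKey != NULL) {
                if (nameSz == namedKey->nameSz &&
                           XSTRNCMP((char*)name, namedKey->name, nameSz) == 0) {
                    if (wolfSSL_use_PrivateKey_buffer(session->sslServer,
                                            namedKey->key, namedKey->keySz,
                                            WOLFSSL_FILETYPE_ASN1) != WOLFSSL_SUCCESS) {
                        /* drop the lock before the early return */
                        wc_UnLockMutex(&session->context->namedKeysMutex);
                        SetError(CLIENT_HELLO_LATE_KEY_STR, error, session,
                                 FATAL_ERROR_STATE);
                        return -1;
                    }
                    session->sni = namedKey->name;
                    break;
                }
                else
                    namedKey = namedKey->next;
            }
            wc_UnLockMutex(&session->context->namedKeysMutex);
        }
    }
#endif

    session->flags.clientHello = 1;  /* don't process again */

    /* make sure can read up to session len */
    if (toRead > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    /* skip, get negotiated one from server hello */
    input     += VERSION_SZ;
    *sslBytes -= VERSION_SZ;

    XMEMCPY(session->sslServer->arrays->clientRandom, input, RAN_LEN);
    XMEMCPY(session->sslClient->arrays->clientRandom, input, RAN_LEN);

    input     += RAN_LEN;
    *sslBytes -= RAN_LEN;

    /* store session in case trying to resume */
    bLen = *input++;
    *sslBytes -= ENUM_LEN;
    if (bLen) {
        /* The whole advertised ID must be present, otherwise the skip below
         * runs input past the buffer and drives *sslBytes negative. ID_LEN
         * bytes are copied regardless of bLen, so that must fit as well. */
        if (bLen > *sslBytes || ID_LEN > *sslBytes) {
            SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        Trace(CLIENT_RESUME_TRY_STR);
        XMEMCPY(session->sslClient->arrays->sessionID, input, ID_LEN);
        session->sslClient->options.haveSessionId = 1;
    }
#ifdef SHOW_SECRETS
    {
        int i;
        printf("client random: ");
        for (i = 0; i < RAN_LEN; i++)
            printf("%02x", session->sslServer->arrays->clientRandom[i]);
        printf("\n");
    }
#endif

    input     += bLen;
    *sslBytes -= bLen;

    /* skip cipher suites */
    /* make sure can read len */
    if (SUITE_LEN > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    len = (word16)((input[0] << 8) | input[1]);
    input     += SUITE_LEN;
    *sslBytes -= SUITE_LEN;
    /* make sure can read suites + comp len */
    if (len + ENUM_LEN > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    input     += len;
    *sslBytes -= len;

    /* skip compression */
    bLen = *input++;
    *sslBytes -= ENUM_LEN;
    /* make sure can read len */
    if (bLen > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    input     += bLen;
    *sslBytes -= bLen;

    if (*sslBytes == 0) {
        /* no extensions */
        return 0;
    }

    /* skip extensions until session ticket */
    /* make sure can read len */
    if (SUITE_LEN > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    len = (word16)((input[0] << 8) | input[1]);
    input     += SUITE_LEN;
    *sslBytes -= SUITE_LEN;
    /* make sure can read through all extensions */
    if (len > *sslBytes) {
        SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    while (len >= EXT_TYPE_SZ + LENGTH_SZ) {
        byte   extType[EXT_TYPE_SZ];
        word16 extLen;

        extType[0] = input[0];
        extType[1] = input[1];
        input     += EXT_TYPE_SZ;
        *sslBytes -= EXT_TYPE_SZ;

        extLen = (word16)((input[0] << 8) | input[1]);
        input     += LENGTH_SZ;
        *sslBytes -= LENGTH_SZ;
        len       -= EXT_TYPE_SZ + LENGTH_SZ;  /* >= 0 by loop condition */

        /* The extension must fit inside the extensions block as well as
         * inside the buffer. Without the first test a bogus extLen would
         * wrap the word16 len and the loop would run on past the
         * extensions block. */
        if (extLen > len || extLen > *sslBytes) {
            SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }

        if (extType[0] == 0x00 && extType[1] == TICKET_EXT_ID) {

            /* make sure can read through ticket if there is a non blank one */
            if (extLen && extLen < ID_LEN) {
                SetError(CLIENT_HELLO_INPUT_STR, error, session,
                         FATAL_ERROR_STATE);
                return -1;
            }

            if (extLen) {
                /* allocate once; a later ClientHello on this session reuses
                 * the buffer */
                if (session->ticketID == 0) {
                    session->ticketID = (byte*)XMALLOC(ID_LEN,
                            NULL, DYNAMIC_TYPE_SNIFFER_TICKET_ID);
                    if (session->ticketID == 0) {
                        SetError(MEMORY_STR, error, session,
                                 FATAL_ERROR_STATE);
                        return -1;
                    }
                }
                /* the trailing ID_LEN bytes of the ticket are its identity */
                XMEMCPY(session->ticketID, input + extLen - ID_LEN, ID_LEN);
            }
        }

        input     += extLen;
        *sslBytes -= extLen;
        len       -= extLen;
    }

    return 0;
}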
wolfSSL 15:117db924cf7c 2500
wolfSSL 15:117db924cf7c 2501
wolfSSL 16:8e0d178b1d1e 2502 #ifdef WOLFSSL_SNIFFER_WATCH
wolfSSL 16:8e0d178b1d1e 2503
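/* Process Certificate
 *
 * Handles a Certificate handshake message when the sniffer is built with
 * WOLFSSL_SNIFFER_WATCH.  The first certificate of the chain is hashed with
 * SHA-256 and the digest, together with the whole chain, is handed to the
 * registered watch callback (WatchCb) — presumably so the application can
 * look up the matching private key; the stats counters treat the callback's
 * result as a key match / mismatch.
 *
 * input    start of the Certificate body (just after the handshake header)
 * sslBytes in/out: bytes available at input; reduced by the message size
 * session  sniffer session the message belongs to
 * error    buffer filled by SetError on failure
 *
 * Returns 0 on success (or when the message is the client's certificate and
 * is skipped), -1 on any error with the session put in FATAL_ERROR_STATE.
 *
 * Bounds fix: the first certificate's length is now checked against the
 * certificate_list it sits in, not only against the remaining record bytes.
 * Previously a certSz equal to *sslBytes passed the check and the hash read
 * OPAQUE24_LEN bytes past the available data, and a chain shorter than
 * OPAQUE24_LEN (including an empty one) let ato24 read beyond the chain.
 */
static int ProcessCertificate(const byte* input, int* sslBytes,
                              SnifferSession* session, char* error)
{
    Sha256 sha;
    const byte* certChain;
    word32 certChainSz;
    word32 certSz;
    int ret;
    byte digest[SHA256_DIGEST_SIZE];

    /* If the receiver is the server, this is the client certificate message,
     * and it should be ignored at this point. */
    if (session->flags.side == WOLFSSL_SERVER_END)
        return 0;

    if (WatchCb == NULL) {
        SetError(WATCH_CB_MISSING_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    /* 24-bit length of the whole certificate_list */
    if (*sslBytes < CERT_HEADER_SZ) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    ato24(input, &certChainSz);
    *sslBytes -= CERT_HEADER_SZ;
    input += CERT_HEADER_SZ;

    /* The chain must fit in the bytes we hold and must be long enough to
     * carry the 24-bit length of its first certificate. */
    if (*sslBytes < (int)certChainSz || certChainSz < OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    certChain = input;

    /* 24-bit length of the first (leaf) certificate; it must lie entirely
     * inside the chain, not merely inside the remaining record bytes. */
    ato24(input, &certSz);
    input += OPAQUE24_LEN;
    if (certSz > certChainSz - OPAQUE24_LEN) {
        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    *sslBytes -= certChainSz;

    /* Fingerprint of the leaf certificate only */
    ret = wc_InitSha256(&sha);
    if (ret == 0)
        ret = wc_Sha256Update(&sha, input, certSz);
    if (ret == 0)
        ret = wc_Sha256Final(&sha, digest);
    if (ret != 0) {
        SetError(WATCH_HASH_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    ret = WatchCb((void*)session, digest, sizeof(digest),
                  certChain, certChainSz, WatchCbCtx, error);
    if (ret != 0) {
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslKeysUnmatched);
#endif
        SetError(WATCH_FAIL_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    else {
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslKeyMatches);
#endif
    }

    return 0;
}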
wolfSSL 16:8e0d178b1d1e 2575
wolfSSL 16:8e0d178b1d1e 2576 #endif
wolfSSL 16:8e0d178b1d1e 2577
wolfSSL 16:8e0d178b1d1e 2578
/* Process Finished
 *
 * Feeds the Finished message to the tracking SSL object of the side that
 * sent it (DoFinished in SNIFF mode), caches the server-side session the
 * first time a Finished is accepted so later resumptions can be followed,
 * and releases the handshake resources of the opposite side's tracker.
 *
 * input    start of the Finished body
 * size     handshake message length
 * sslBytes in/out: bytes available; reduced by what DoFinished consumed
 * session  sniffer session; error is written via SetError on failure
 *
 * Returns DoFinished's result: negative on a bad Finished (session marked
 * FATAL_ERROR_STATE), otherwise its non-negative value.
 */
static int ProcessFinished(const byte* input, int size, int* sslBytes,
                           SnifferSession* session, char* error)
{
    const int fromServer = (session->flags.side == WOLFSSL_SERVER_END);
    SSL* sender = fromServer ? session->sslServer : session->sslClient;
    SSL* other  = fromServer ? session->sslClient : session->sslServer;
    word32 consumed = 0;
    int ret;

    ret = DoFinished(sender, input, &consumed, (word32) size, (word32) *sslBytes,
                     SNIFF);
    *sslBytes -= (int)consumed;

    if (ret < 0) {
        SetError(BAD_FINISHED_MSG, error, session, FATAL_ERROR_STATE);
        return ret;
    }

    /* First accepted Finished: insert the server session into the cache
     * exactly once so a later resumption of it can be decrypted. */
    if (ret == 0 && session->flags.cached == 0 &&
        session->sslServer->options.haveSessionId) {
        WOLFSSL_SESSION* cached = GetSession(session->sslServer, NULL, 0);
        if (cached == NULL) {
            AddSession(session->sslServer); /* don't re add */
#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslResumptionInserts);
#endif
        }
        session->flags.cached = 1;
    }

    /* If receiving a finished message from one side, free the resources
     * from the other side's tracker. */
    FreeHandshakeResources(other);

    return ret;
}
wolfSSL 15:117db924cf7c 2623
wolfSSL 15:117db924cf7c 2624
#ifdef HAVE_EXTENDED_MASTER
/* ClientKeyExchange bookkeeping for the extended master secret.
 *
 * If the ClientHello asked for EMS (flags.expectEms) and the session still
 * holds its private running handshake hash, that hash is copied into both
 * trackers' hsHashes and haveEMS is set on both; the private hash is then
 * wiped and freed.  Otherwise haveEMS is cleared on both trackers.
 *
 * Returns 0 on success, -1 (error set, FATAL_ERROR_STATE) if a copy failed.
 */
static int ApplyExtendedMaster(SnifferSession* session, char* error)
{
    int ret = 0;

    if (session->flags.expectEms && session->hash != NULL) {
        if (HashCopy(session->sslServer->hsHashes, session->hash) == 0 &&
            HashCopy(session->sslClient->hsHashes, session->hash) == 0) {
            session->sslServer->options.haveEMS = 1;
            session->sslClient->options.haveEMS = 1;
        }
        else {
            SetError(EXTENDED_MASTER_HASH_STR, error,
                     session, FATAL_ERROR_STATE);
            ret = -1;
        }
        /* the running hash is no longer needed once it has been handed over */
        XMEMSET(session->hash, 0, sizeof(HsHashes));
        XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
        session->hash = NULL;
    }
    else {
        session->sslServer->options.haveEMS = 0;
        session->sslClient->options.haveEMS = 0;
    }

    return ret;
}
#endif /* HAVE_EXTENDED_MASTER */


/* Process HandShake input
 *
 * Parses one handshake message header at input, folds the body into the
 * extended-master-secret hash while that is still pending, and dispatches
 * on the message type to the per-message processors.
 *
 * input    start of the handshake message (4-byte header first)
 * sslBytes in/out: bytes available; on return the bytes left after this
 *          whole message, or 0 when the body has not fully arrived yet
 * session  sniffer session; error is written via SetError on failure
 *
 * Returns 0 on success, -1 on a fatal error, or the processor's result.
 */
static int DoHandShake(const byte* input, int* sslBytes,
                       SnifferSession* session, char* error)
{
    byte msgType;
    int msgSz;
    int bytesAtBody;
    int ret = 0;

    if (*sslBytes < HANDSHAKE_HEADER_SZ) {
        SetError(HANDSHAKE_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    msgType = input[0];
    msgSz = (input[1] << 16) | (input[2] << 8) | input[3]; /* 24-bit length */

    input += HANDSHAKE_HEADER_SZ;
    *sslBytes -= HANDSHAKE_HEADER_SZ;
    bytesAtBody = *sslBytes;

    /* Body split across records: consume nothing more and wait for the rest. */
    if (msgSz > *sslBytes) {
        Trace(SPLIT_HANDSHAKE_MSG_STR);
        *sslBytes = 0;
        return ret;
    }

    /* A session's arrays are released when the handshake is completed. */
    if (session->sslServer->arrays == NULL &&
        session->sslClient->arrays == NULL) {
        SetError(NO_SECURE_RENEGOTIATION, error, session, FATAL_ERROR_STATE);
        return -1;
    }

#ifdef HAVE_EXTENDED_MASTER
    if (session->hash != NULL &&
        HashUpdate(session->hash, input, msgSz) != 0) {
        SetError(EXTENDED_MASTER_HASH_STR, error,
                 session, FATAL_ERROR_STATE);
        return -1;
    }
#endif

    switch (msgType) {
        case client_hello:
            Trace(GOT_CLIENT_HELLO_STR);
            ret = ProcessClientHello(input, sslBytes, session, error);
            break;
        case server_hello:
            Trace(GOT_SERVER_HELLO_STR);
            ret = ProcessServerHello(msgSz, input, sslBytes, session, error);
            break;
        case certificate:
            Trace(GOT_CERT_STR);
            if (session->flags.side == WOLFSSL_SERVER_END) {
#ifdef WOLFSSL_SNIFFER_STATS
                INC_STAT(SnifferStats.sslClientAuthConns);
#endif
            }
#ifdef WOLFSSL_SNIFFER_WATCH
            ret = ProcessCertificate(input, sslBytes, session, error);
#endif
            break;
        case server_key_exchange:
#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslEphemeralMisses);
#endif
            Trace(GOT_SERVER_KEY_EX_STR);
            /* can't know temp key passively */
            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
            ret = -1;
            break;
        case client_key_exchange:
            Trace(GOT_CLIENT_KEY_EX_STR);
#ifdef HAVE_EXTENDED_MASTER
            ret = ApplyExtendedMaster(session, error);
#endif
            if (ret == 0)
                ret = ProcessClientKeyExchange(input, sslBytes, session, error);
            break;
        case session_ticket:
            Trace(GOT_SESSION_TICKET_STR);
            ret = ProcessSessionTicket(input, sslBytes, session, error);
            break;
        case finished:
            Trace(GOT_FINISHED_STR);
            ret = ProcessFinished(input, msgSz, sslBytes, session, error);
            break;

        /* Message types that are only traced; nothing for the sniffer to do. */
        case hello_request:
            Trace(GOT_HELLO_REQUEST_STR);
            break;
        case hello_verify_request:
            Trace(GOT_HELLO_VERIFY_STR);
            break;
        case certificate_request:
            Trace(GOT_CERT_REQ_STR);
            break;
        case server_hello_done:
            Trace(GOT_SERVER_HELLO_DONE_STR);
            break;
        case certificate_verify:
            Trace(GOT_CERT_VER_STR);
            break;
        case certificate_status:
            Trace(GOT_CERT_STATUS_STR);
            break;

        default:
            SetError(GOT_UNKNOWN_HANDSHAKE_STR, error, session, 0);
            return -1;
    }

    *sslBytes = bytesAtBody - msgSz; /* actual bytes of full process */

    return ret;
}
wolfSSL 15:117db924cf7c 2762
wolfSSL 15:117db924cf7c 2763
/* Decrypt input into plain output, 0 on success
 *
 * Runs one record body through the bulk cipher negotiated for ssl, using the
 * sniffer's reconstructed decrypt state.  Only the ciphers compiled in have
 * a case.  For AES-GCM the record is decrypted with the keystream only: the
 * authentication tag is written to a scratch buffer and never compared, so
 * the plaintext produced here is not integrity-verified.
 *
 * Returns 0 on success, -1 (after a Trace) on a size or cipher-type error,
 * or the primitive's own error code for the CBC ciphers that report one.
 */
static int Decrypt(SSL* ssl, byte* output, const byte* input, word32 sz)
{
    int rc = 0;

    (void)output;
    (void)input;
    (void)sz;

    switch (ssl->specs.bulk_cipher_algorithm) {
#ifdef BUILD_ARC4
        case wolfssl_rc4:
            wc_Arc4Process(ssl->decrypt.arc4, output, input, sz);
            break;
#endif

#ifdef BUILD_DES3
        case wolfssl_triple_des:
            rc = wc_Des3_CbcDecrypt(ssl->decrypt.des3, output, input, sz);
            break;
#endif

#ifdef BUILD_AES
        case wolfssl_aes:
            rc = wc_AesCbcDecrypt(ssl->decrypt.aes, output, input, sz);
            break;
#endif

#ifdef HAVE_HC128
        case wolfssl_hc128:
            wc_Hc128_Process(ssl->decrypt.hc128, output, input, sz);
            break;
#endif

#ifdef BUILD_RABBIT
        case wolfssl_rabbit:
            wc_RabbitProcess(ssl->decrypt.rabbit, output, input, sz);
            break;
#endif

#ifdef HAVE_CAMELLIA
        case wolfssl_camellia:
            wc_CamelliaCbcDecrypt(ssl->decrypt.cam, output, input, sz);
            break;
#endif

#ifdef HAVE_IDEA
        case wolfssl_idea:
            wc_IdeaCbcDecrypt(ssl->decrypt.idea, output, input, sz);
            break;
#endif

#ifdef HAVE_AESGCM
        case wolfssl_aes_gcm:
        {
            /* explicit nonce in front of the record, auth tag at the back */
            const word32 overhead =
                (word32)(AESGCM_EXP_IV_SZ + ssl->specs.aead_mac_size);

            if (sz < overhead) {
                Trace(BAD_DECRYPT_SIZE);
                rc = -1;
            }
            else {
                /* scratch buffer, sniffer ignores auth tag */
                byte authTag[WOLFSSL_MIN_AUTH_TAG_SZ];
                byte nonce[AESGCM_NONCE_SZ];

                /* nonce = implicit IV from the key block || explicit IV */
                XMEMCPY(nonce, ssl->keys.aead_dec_imp_IV, AESGCM_IMP_IV_SZ);
                XMEMCPY(nonce + AESGCM_IMP_IV_SZ, input, AESGCM_EXP_IV_SZ);

                /* The GCM keystream is the same in both directions, so the
                 * encrypt primitive recovers the plaintext without the tag
                 * check a real decrypt would perform. */
                if (wc_AesGcmEncrypt(ssl->decrypt.aes,
                                     output,
                                     input + AESGCM_EXP_IV_SZ,
                                     sz - overhead,
                                     nonce, AESGCM_NONCE_SZ,
                                     authTag, sizeof(authTag),
                                     NULL, 0) < 0) {
                    Trace(BAD_DECRYPT);
                    rc = -1;
                }
                ForceZero(nonce, AESGCM_NONCE_SZ);
            }
            break;
        }
#endif

#ifdef HAVE_NULL_CIPHER
        case wolfssl_cipher_null:
            XMEMCPY(output, input, sz);
            break;
#endif

        default:
            Trace(BAD_DECRYPT_TYPE);
            rc = -1;
            break;
    }

    return rc;
}
wolfSSL 15:117db924cf7c 2860
wolfSSL 15:117db924cf7c 2861
/* Decrypt input message into output, adjust output stream if needed
 *
 * Decrypts one record body and records in ssl->keys how much of the
 * plaintext is trailer (MAC or tag, plus padding for block ciphers) so the
 * caller can locate the end of the application data.  For TLS 1.1+ block
 * ciphers the leading explicit IV block is skipped and *advance is set to
 * its size; for AEAD *advance is set to the tag size.
 *
 * Returns the start of the plaintext, or NULL with *error set to Decrypt's
 * result when decryption fails.
 *
 * NOTE(review): for block ciphers the pad length is read from the last
 * plaintext byte without checking that sz exceeds the skipped IV, and
 * padSz is not compared against sz here; this relies on the caller having
 * validated the record length beforehand — confirm at the call site.
 */
static const byte* DecryptMessage(SSL* ssl, const byte* input, word32 sz,
                                  byte* output, int* error, int* advance)
{
    const byte* plain = output;
    int ivExtra = 0;
    int rc;

    rc = Decrypt(ssl, output, input, sz);
    if (rc != 0) {
        *error = rc;
        return NULL;
    }
    ssl->keys.encryptSz = sz;

    /* TLS 1.1+ CBC records carry an explicit IV block in front. */
    if (ssl->options.tls1_1 && ssl->specs.cipher_type == block) {
        ivExtra = ssl->specs.block_size;
        plain += ivExtra;                 /* go past TLSv1.1 IV */
        *advance = ssl->specs.block_size;
    }

    switch (ssl->specs.cipher_type) {
        case aead:
            *advance = ssl->specs.aead_mac_size;
            ssl->keys.padSz = ssl->specs.aead_mac_size;
            break;
        case block:
            /* MAC followed by padding; the final byte holds the pad length,
             * and the +1 accounts for that length byte itself. */
            ssl->keys.padSz = ssl->specs.hash_size;
            ssl->keys.padSz += *(plain + sz - ivExtra - 1) + 1;
            break;
        default:
            ssl->keys.padSz = ssl->specs.hash_size;
            break;
    }

    return plain;
}
wolfSSL 15:117db924cf7c 2892
wolfSSL 15:117db924cf7c 2893
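/* remove session from table, use rowHint if no info (means we have a lock)
 *
 * Unlinks session from its SessionTable bucket and frees it.  When both
 * ipInfo and tcpInfo are given the bucket is recomputed with SessionHash and
 * SessionMutex is taken here; when either is NULL the caller already holds
 * the mutex and rowHint names the bucket (this is how RemoveStaleSessions
 * calls it).  A session that is not found in the bucket is left untouched.
 *
 * The assert used to accept row == HASH_SIZE, which is one past the last
 * bucket the rest of this file walks (SessionTable[0 .. HASH_SIZE-1]); it
 * now rejects that index.
 */
static void RemoveSession(SnifferSession* session, IpInfo* ipInfo,
                          TcpInfo* tcpInfo, word32 rowHint)
{
    SnifferSession* previous = NULL;
    SnifferSession* current;
    word32 row = rowHint;
    int haveLock = 0;

    if (ipInfo && tcpInfo)
        row = SessionHash(ipInfo, tcpInfo);
    else
        haveLock = 1;

    assert(row < HASH_SIZE);
    Trace(REMOVE_SESSION_STR);

    if (!haveLock)
        wc_LockMutex(&SessionMutex);

    current = SessionTable[row];

    while (current) {
        if (current == session) {
            /* splice the node out of the singly linked bucket */
            if (previous)
                previous->next = current->next;
            else
                SessionTable[row] = current->next;
            FreeSnifferSession(session);
            TraceRemovedSession();
            break;
        }
        previous = current;
        current = current->next;
    }

    if (!haveLock)
        wc_UnLockMutex(&SessionMutex);
}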
wolfSSL 15:117db924cf7c 2933
wolfSSL 15:117db924cf7c 2934
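/* Remove stale sessions from the Session Table, have a lock
 *
 * Walks every bucket and removes sessions whose lastUsed is at least
 * WOLFSSL_SNIFFER_TIMEOUT seconds in the past.  The caller must hold
 * SessionMutex: RemoveSession is invoked with NULL ipInfo/tcpInfo and the
 * bucket index, which tells it not to take the lock itself.
 */
static void RemoveStaleSessions(void)
{
    /* Read the clock once for the whole sweep; calling time() per session
     * is wasted work and lets the cutoff drift while the table is walked. */
    const time_t now = time(NULL);
    word32 i;

    for (i = 0; i < HASH_SIZE; i++) {
        SnifferSession* session = SessionTable[i];
        while (session) {
            SnifferSession* next = session->next; /* session may be freed below */
            if (now >= session->lastUsed + WOLFSSL_SNIFFER_TIMEOUT) {
                TraceStaleSession();
                RemoveSession(session, NULL, NULL, i);
            }
            session = next;
        }
    }
}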
wolfSSL 15:117db924cf7c 2953
wolfSSL 15:117db924cf7c 2954
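/* Create a new Sniffer Session
 *
 * Allocates and initializes a SnifferSession for the TCP flow described by
 * ipInfo/tcpInfo (called on the client's SYN, so src is the client and dst
 * the server), creates the two tracking SSL objects from the registered
 * server's context, and links the session into SessionTable.  Every
 * HASH_SIZE-th insertion also sweeps stale sessions.
 *
 * Returns the new session, or 0 with error set.  On failure everything
 * allocated so far is released.  Previously the extended-master handshake
 * hash leaked on every failure path after it was allocated (HashInit
 * failure, unregistered server, SSL_new failure); all failures now go
 * through a single cleanup that frees it.
 */
static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
                                     char* error)
{
    SnifferSession* session = NULL;
    int row;

    Trace(NEW_SESSION_STR);
    /* create a new one */
    session = (SnifferSession*)XMALLOC(sizeof(SnifferSession),
                                       NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
    if (session == NULL) {
        SetError(MEMORY_STR, error, NULL, 0);
        return 0;
    }
    InitSession(session);
#ifdef HAVE_EXTENDED_MASTER
    {
        HsHashes* newHash = (HsHashes*)XMALLOC(sizeof(HsHashes),
                                               NULL, DYNAMIC_TYPE_HASHES);
        session->hash = NULL; /* cleanup below relies on this being set */
        if (newHash == NULL) {
            SetError(MEMORY_STR, error, NULL, 0);
            goto fail;
        }
        if (HashInit(newHash) != 0) {
            SetError(EXTENDED_MASTER_HASH_STR, error, NULL, 0);
            XFREE(newHash, NULL, DYNAMIC_TYPE_HASHES);
            goto fail;
        }
        session->hash = newHash;
    }
#endif
    session->server = ipInfo->dst;
    session->client = ipInfo->src;
    session->srvPort = (word16)tcpInfo->dstPort;
    session->cliPort = (word16)tcpInfo->srcPort;
    session->cliSeqStart = tcpInfo->sequence;
    session->cliExpected = 1; /* relative */
    session->lastUsed = time(NULL);
    session->keySz = 0;
#ifdef HAVE_SNI
    session->sni = NULL;
#endif

    session->context = GetSnifferServer(ipInfo, tcpInfo);
    if (session->context == NULL) {
        SetError(SERVER_NOT_REG_STR, error, NULL, 0);
        goto fail;
    }

    session->sslServer = SSL_new(session->context->ctx);
    if (session->sslServer == NULL) {
        SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
        goto fail;
    }
    session->sslClient = SSL_new(session->context->ctx);
    if (session->sslClient == NULL) {
        SSL_free(session->sslServer);
        session->sslServer = 0;

        SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
        goto fail;
    }
    /* put server back into server mode */
    session->sslServer->options.side = WOLFSSL_SERVER_END;

    row = SessionHash(ipInfo, tcpInfo);

    /* add it to the session table */
    wc_LockMutex(&SessionMutex);

    session->next = SessionTable[row];
    SessionTable[row] = session;

    SessionCount++;

    if ( (SessionCount % HASH_SIZE) == 0) {
        TraceFindingStale();
        RemoveStaleSessions();
    }

    wc_UnLockMutex(&SessionMutex);

    /* CreateSession is called in response to a SYN packet, we know this
     * is headed to the server. Also we know the server is one we care
     * about as we've passed the GetSnifferServer() successfully. */
    session->flags.side = WOLFSSL_SERVER_END;

    return session;

fail:
#ifdef HAVE_EXTENDED_MASTER
    if (session->hash != NULL) {
        XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
        session->hash = NULL;
    }
#endif
    XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
    return 0;
}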
wolfSSL 15:117db924cf7c 3049
wolfSSL 15:117db924cf7c 3050
wolfSSL 15:117db924cf7c 3051 #ifdef OLD_HELLO_ALLOWED
wolfSSL 15:117db924cf7c 3052
/* Process Old Client Hello Input
 *
 * Handles a ClientHello in the old two-byte-header record format.  The
 * record length (top bit of the first byte masked off) is returned in
 * *rhSize, the header and body are consumed from *sslBytes, the server
 * tracker parses the hello, and the resulting client random is mirrored
 * into the client tracker.
 *
 * Returns 0 on success, -1 with error set (FATAL_ERROR_STATE) when the
 * record is truncated or unparseable; a cipher-suite mismatch
 * (MATCH_SUITE_ERROR) from ProcessOldClientHello is tolerated.
 *
 * NOTE(review): the two header bytes are read before *sslBytes is compared
 * with anything, so this assumes the caller guarantees at least two bytes
 * at sslFrame — confirm at the call site.
 */
static int DoOldHello(SnifferSession* session, const byte* sslFrame,
                      int* rhSize, int* sslBytes, char* error)
{
    enum { OLD_HDR_SZ = 2 };
    const byte* body = sslFrame + OLD_HDR_SZ;
    word32 inOutIdx = 0;
    int ret;

    Trace(GOT_OLD_CLIENT_HELLO_STR);
    session->flags.clientHello = 1; /* don't process again */

    *rhSize = ((sslFrame[0] & 0x7f) << 8) | sslFrame[1];
    *sslBytes -= OLD_HDR_SZ;

    if (*rhSize > *sslBytes) {
        SetError(OLD_CLIENT_INPUT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    ret = ProcessOldClientHello(session->sslServer, body, &inOutIdx, *sslBytes,
                                (word16)*rhSize);
    if (ret < 0 && ret != MATCH_SUITE_ERROR) {
        SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }

    Trace(OLD_CLIENT_OK_STR);
    /* both trackers need the same client random */
    XMEMCPY(session->sslClient->arrays->clientRandom,
            session->sslServer->arrays->clientRandom, RAN_LEN);

    *sslBytes -= *rhSize;
    return 0;
}
wolfSSL 15:117db924cf7c 3088
wolfSSL 15:117db924cf7c 3089 #endif /* OLD_HELLO_ALLOWED */
wolfSSL 15:117db924cf7c 3090
wolfSSL 15:117db924cf7c 3091
wolfSSL 15:117db924cf7c 3092 #if 0
/* Calculate the TCP checksum, see RFC 1071 */
/* return 0 for success, -1 on error */
/* can be called from decode() with
   TcpChecksum(&ipInfo, &tcpInfo, sslBytes, packet + ipInfo.length);
   could also add a 64bit version if type available and using this
*/
/* Sums the TCP pseudo header, then the TCP header plus payload, as 16-bit
 * words; folds the carries; and expects the one's complement to be zero
 * because the packet's own checksum field is part of the sum.
 * NOTE(review): the packet is read through a word16 pointer, which assumes
 * 2-byte alignment, and the odd trailing byte is added as a low byte, which
 * appears to match only little-endian word reads — revisit both before this
 * disabled (#if 0) helper is enabled. */
int TcpChecksum(IpInfo* ipInfo, TcpInfo* tcpInfo, int dataLen,
                const byte* packet)
{
    TcpPseudoHdr pseudo;
    const word16* words;
    word32 sum = 0;
    int remaining;

    pseudo.src = ipInfo->src;
    pseudo.dst = ipInfo->dst;
    pseudo.rsv = 0;
    pseudo.protocol = TCP_PROTO;
    pseudo.length = htons(tcpInfo->length + dataLen);

    /* pseudo header sum */
    words = (const word16*)&pseudo;
    for (remaining = PSEUDO_HDR_SZ; remaining >= 2; remaining -= 2)
        sum += *words++;

    /* main sum: TCP header plus data */
    words = (const word16*)packet;
    for (remaining = tcpInfo->length + dataLen; remaining > 1; remaining -= 2)
        sum += *words++;

    /* get left-over, if any */
    if (remaining > 0)
        sum += *(const byte*)words;

    /* fold 32bit sum into 16 bits */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);

    /* checksum should now equal 0, since included already calcd checksum */
    /* field, but tcp checksum offloading could negate calculation */
    return ((word16)~sum == 0) ? 0 : -1;
}
wolfSSL 15:117db924cf7c 3146 #endif
wolfSSL 15:117db924cf7c 3147
wolfSSL 15:117db924cf7c 3148
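/* Check IP and TCP headers, set payload */
/* returns 0 on success, -1 on error */
/* packet/length: captured bytes starting at the IP header. On success
 * *sslFrame points just past the TCP header and *sslBytes is the TCP payload
 * size according to the IP total length (any Ethernet trailer/FCS after the
 * IP datagram is excluded). 'error' receives a message on failure. */
static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet,
                  int length, const byte** sslFrame, int* sslBytes, char* error)
{
    int hdrLen;   /* IP header + TCP header, in bytes */

    TraceHeader();
    TracePacket();

    /* ip header */
    if (length < IP_HDR_SZ) {
        SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
        return -1;
    }
    if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0)
        return -1;

    /* tcp header */
    if (length < (ipInfo->length + TCP_HDR_SZ)) {
        SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
        return -1;
    }
    if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0)
        return -1;

    /* setup: compare lengths as integers instead of first forming a pointer
     * that may lie beyond the packet buffer */
    hdrLen = ipInfo->length + tcpInfo->length;
    if (hdrLen > length) {
        SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
        return -1;
    }

    /* We only care about the data in the TCP/IP record. There may be extra
     * data after the IP record for the FCS for Ethernet. The IP total length
     * must cover both headers and must not exceed the captured bytes, or
     * *sslBytes would come out negative or describe bytes past the buffer. */
    if ((int)ipInfo->total < hdrLen || (int)ipInfo->total > length) {
        SetError(PACKET_HDR_SHORT_STR, error, NULL, 0);
        return -1;
    }
    *sslFrame = packet + hdrLen;
    *sslBytes = (int)ipInfo->total - hdrLen;

    return 0;
}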
wolfSSL 15:117db924cf7c 3185
wolfSSL 15:117db924cf7c 3186
/* Create or Find existing session */
/* returns 0 on success (continue), -1 on error, 1 on success (end) */
/* A client SYN (SYN without ACK) starts a new SnifferSession; every other
 * segment must map to an existing one. A lookup miss on FIN/RST, or on a
 * data-less ACK, is silently ignored (1); any other miss is BAD_SESSION_STR. */
static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
                        SnifferSession** session, char* error)
{
    int clientSyn = tcpInfo->syn && !tcpInfo->ack;

    if (clientSyn) {
        /* create a new SnifferSession on client SYN */
        TraceClientSyn(tcpInfo->sequence);
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslEncryptedConns);
#endif
        *session = CreateSession(ipInfo, tcpInfo, error);
        if (*session != NULL)
            return 1;

        /* creation failed; an already existing session for the tuple is OK */
        *session = GetSnifferSession(ipInfo, tcpInfo);
        if (*session != NULL)
            return 1;

        SetError(MEMORY_STR, error, NULL, 0);
        return -1;
    }

    /* get existing sniffer session */
    *session = GetSnifferSession(ipInfo, tcpInfo);
    if (*session != NULL)
        return 0;

    /* don't worry about extraneous RST or duplicate FINs */
    if (tcpInfo->fin || tcpInfo->rst)
        return 1;
    /* don't worry about duplicate ACKs either */
    if (sslBytes == 0 && tcpInfo->ack)
        return 1;

#ifdef WOLFSSL_SNIFFER_STATS
    LOCK_STAT();
    NOLOCK_INC_STAT(SnifferStats.sslDecryptedPackets);
    NOLOCK_ADD_TO_STAT(SnifferStats.sslDecryptedBytes, sslBytes);
    UNLOCK_STAT();
#endif

    SetError(BAD_SESSION_STR, error, NULL, 0);
    return -1;
}
wolfSSL 15:117db924cf7c 3234
wolfSSL 15:117db924cf7c 3235
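/* Create a Packet Buffer from *begin - end, adjust new *begin and bytesLeft */
/* begin/end are inclusive relative sequence numbers and 'data' supplies the
 * end - *begin + 1 bytes to copy. Returns the new buffer (the caller links it
 * into a reassembly list; FreePacketBuffer releases it) or NULL when the
 * range is invalid or allocation fails; on NULL nothing is modified. */
static PacketBuffer* CreateBuffer(word32* begin, word32 end, const byte* data,
                                  int* bytesLeft)
{
    PacketBuffer* pb;
    word32 added;

    assert(*begin <= end);
    /* the assert is compiled out with NDEBUG; an inverted range would then
     * make the size below wrap, so refuse it at run time as well */
    if (*begin > end)
        return NULL;
    added = end - *begin + 1;
    /* a range wider than an int cannot be accounted in *bytesLeft */
    if (added == 0 || added > 0x7fffffffU)
        return NULL;

    pb = (PacketBuffer*)XMALLOC(sizeof(PacketBuffer),
                                NULL, DYNAMIC_TYPE_SNIFFER_PB);
    if (pb == NULL) return NULL;

    pb->next = 0;
    pb->begin = *begin;
    pb->end = end;
    pb->data = (byte*)XMALLOC(added, NULL, DYNAMIC_TYPE_SNIFFER_PB_BUFFER);

    if (pb->data == NULL) {
        XFREE(pb, NULL, DYNAMIC_TYPE_SNIFFER_PB);
        return NULL;
    }
    XMEMCPY(pb->data, data, added);

    *bytesLeft -= (int)added;
    *begin = pb->end + 1;

    return pb;
}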
wolfSSL 15:117db924cf7c 3265
wolfSSL 15:117db924cf7c 3266
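/* Add sslFrame to Reassembly List */
/* returns 1 (end) on success, -1, on error */
/* 'seq' is the relative sequence number of sslFrame[0] and sslBytes its
 * length; 'from' selects the list (data sent by the server is queued on the
 * client list and vice versa). The list is kept sorted by begin: bytes that
 * overlap something already queued are dropped and the rest is split into
 * buffers that exactly fill the gaps. Every queued byte is charged to the
 * side's reassemblyMemory and refused with REASSEMBLY_MAX_STR once that
 * would exceed MaxRecoveryMemory (-1 disables the limit). */
static int AddToReassembly(byte from, word32 seq, const byte* sslFrame,
                           int sslBytes, SnifferSession* session, char* error)
{
    PacketBuffer* add;
    PacketBuffer** front = (from == WOLFSSL_SERVER_END) ?
                  &session->cliReassemblyList: &session->srvReassemblyList;
    PacketBuffer* curr = *front;
    PacketBuffer* prev = curr;

    word32* reassemblyMemory = (from == WOLFSSL_SERVER_END) ?
                  &session->cliReassemblyMemory : &session->srvReassemblyMemory;
    word32 startSeq = seq;
    word32 added;
    int bytesLeft = sslBytes; /* could be overlapping fragment */

    /* nothing to queue; also keeps seq + sslBytes - 1 from ending before seq */
    if (sslBytes <= 0)
        return 1;

    /* if list is empty add full frame to front */
    if (!curr) {
        if (MaxRecoveryMemory != -1 &&
                      (int)(*reassemblyMemory + sslBytes) > MaxRecoveryMemory) {
            SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        add = CreateBuffer(&seq, seq + sslBytes - 1, sslFrame, &bytesLeft);
        if (add == NULL) {
            SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        *front = add;
        *reassemblyMemory += sslBytes;
        return 1;
    }

    /* add to front if before current front, up to next->begin */
    if (seq < curr->begin) {
        word32 end = seq + sslBytes - 1;

        if (end >= curr->begin)
            end = curr->begin - 1;
        /* only this much goes into the new front buffer; any remainder is
         * placed by the gap-filling loop below */
        added = end - seq + 1;

        /* this test used to read "MaxRecoveryMemory -1 &&": an arithmetic
         * expression, non-zero for any limit but 1, so with the limit
         * disabled (-1) every frame on this path was rejected */
        if (MaxRecoveryMemory != -1 &&
                      (int)(*reassemblyMemory + added) > MaxRecoveryMemory) {
            SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        add = CreateBuffer(&seq, end, sslFrame, &bytesLeft);
        if (add == NULL) {
            SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        add->next = curr;
        *front = add;
        /* charge what was actually queued, not sslBytes: the loop below
         * charges its own pieces and FindNextRecordInAssembly credits real
         * buffer sizes back, so charging sslBytes here made the count drift
         * upward whenever the frame overlapped the old front */
        *reassemblyMemory += added;
    }

    /* while we have bytes left, try to find a gap to fill */
    while (bytesLeft > 0) {
        /* get previous packet in list */
        while (curr && (seq >= curr->begin)) {
            prev = curr;
            curr = curr->next;
        }

        /* don't add duplicate data */
        if (prev->end >= seq) {
            if ( (seq + bytesLeft - 1) <= prev->end)
                return 1;
            seq = prev->end + 1;
            bytesLeft = startSeq + sslBytes - seq;
        }

        if (!curr)
            /* we're at the end */
            added = bytesLeft;
        else
            /* we're in between two frames */
            added = min((word32)bytesLeft, curr->begin - seq);

        /* data already there */
        if (added == 0)
            continue;

        if (MaxRecoveryMemory != -1 &&
                      (int)(*reassemblyMemory + added) > MaxRecoveryMemory) {
            SetError(REASSEMBLY_MAX_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        add = CreateBuffer(&seq, seq + added - 1, &sslFrame[seq - startSeq],
                           &bytesLeft);
        if (add == NULL) {
            SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        add->next = prev->next;
        prev->next = add;
        *reassemblyMemory += added;
    }
    return 1;
}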
wolfSSL 15:117db924cf7c 3367
wolfSSL 15:117db924cf7c 3368
/* Add out of order FIN capture */
/* returns 1 for success (end) */
/* Records the relative sequence of a FIN that arrived ahead of the expected
 * data so it can be counted once the gap is filled; a FIN already counted
 * for that side is left untouched. */
static int AddFinCapture(SnifferSession* session, word32 sequence)
{
    int fromServer = (session->flags.side == WOLFSSL_SERVER_END);

    if (fromServer && session->finCaputre.cliCounted == 0)
        session->finCaputre.cliFinSeq = sequence;
    else if (!fromServer && session->finCaputre.srvCounted == 0)
        session->finCaputre.srvFinSeq = sequence;

    return 1;
}
wolfSSL 15:117db924cf7c 3383
wolfSSL 15:117db924cf7c 3384
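/* Drop the part of an in-order frame that duplicates the front of the
 * reassembly list and queue whatever extends beyond that buffer.
 * Shared by the duplicate-overlap and expected-sequence paths of
 * AdjustSequence, which previously carried two copies of this block.
 * 'expected' is the relative sequence of sslFrame[0]; *sslBytes is trimmed in
 * place. As before, the AddToReassembly result is not propagated: a failure
 * there only sets 'error' (and presumably the session's fatal flag through
 * SetError). */
static void TrimAgainstReassemblyFront(SnifferSession* session,
                                       PacketBuffer* reassemblyList,
                                       word32 expected, const byte* sslFrame,
                                       int* sslBytes, char* error)
{
    word32 newEnd = expected + *sslBytes;

    if (newEnd > reassemblyList->begin) {
        Trace(OVERLAP_REASSEMBLY_BEGIN_STR);

        /* remove bytes already on reassembly list */
        *sslBytes -= newEnd - reassemblyList->begin;
    }
    if (newEnd > reassemblyList->end) {
        Trace(OVERLAP_REASSEMBLY_END_STR);

        /* may be past reassembly list end (could have more on list)
           so try to add what's past the front->end */
        AddToReassembly(session->flags.side, reassemblyList->end + 1,
                        sslFrame + reassemblyList->end - expected + 1,
                        newEnd - reassemblyList->end, session, error);
    }
}


/* Adjust incoming sequence based on side */
/* returns 0 on success (continue), -1 on error, 1 on success (end) */
/* Converts tcpInfo->sequence into a relative sequence ('real', counted from
 * the side's ISN) and compares it with the side's expected value: duplicates
 * are trimmed or dropped (1), out-of-order data is queued for reassembly and
 * in-order data advances *expected. While the side is skipping a partial
 * record, data is queued instead and *sslBytes is set to 0. *sslFrame and
 * *sslBytes are updated in place to what the caller should process. */
static int AdjustSequence(TcpInfo* tcpInfo, SnifferSession* session,
                          int* sslBytes, const byte** sslFrame, char* error)
{
    word32 seqStart = (session->flags.side == WOLFSSL_SERVER_END) ?
                                     session->cliSeqStart :session->srvSeqStart;
    /* word32 subtraction is modulo 2^32, so this is already right across a
     * sequence-number wrap. The former explicit rollover branch
     * (0xffffffffU - seqStart + sequence) came out one short, which made the
     * first segment after a wrap look like a one-byte overlapping duplicate. */
    word32 real = tcpInfo->sequence - seqStart;
    word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
                                  &session->cliExpected : &session->srvExpected;
    PacketBuffer* reassemblyList = (session->flags.side == WOLFSSL_SERVER_END) ?
                        session->cliReassemblyList : session->srvReassemblyList;
    byte skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
                                        session->flags.srvSkipPartial :
                                        session->flags.cliSkipPartial;

    TraceRelativeSequence(*expected, real);

    if (real < *expected) {
        Trace(DUPLICATE_STR);
        if (real + *sslBytes > *expected) {
            int overlap = *expected - real;
            Trace(OVERLAP_DUPLICATE_STR);

            /* adjust to expected, remove duplicate */
            *sslFrame += overlap;
            *sslBytes -= overlap;

            if (reassemblyList)
                TrimAgainstReassemblyFront(session, reassemblyList, *expected,
                                           *sslFrame, sslBytes, error);
        }
        else
            return 1;
    }
    else if (real > *expected) {
        Trace(OUT_OF_ORDER_STR);
        if (*sslBytes > 0) {
            int addResult = AddToReassembly(session->flags.side, real,
                                           *sslFrame, *sslBytes, session, error);
            if (skipPartial) {
                *sslBytes = 0;
                return 0;
            }
            else
                return addResult;
        }
        else if (tcpInfo->fin)
            return AddFinCapture(session, real);
    }
    else if (*sslBytes > 0) {
        if (skipPartial) {
            AddToReassembly(session->flags.side, real,
                                           *sslFrame, *sslBytes, session, error);
            *expected += *sslBytes;
            *sslBytes = 0;
            if (tcpInfo->fin)
                *expected += 1;
            return 0;
        }
        else if (reassemblyList)
            TrimAgainstReassemblyFront(session, reassemblyList, *expected,
                                       *sslFrame, sslBytes, error);
    }
    /* got expected sequence */
    *expected += *sslBytes;
    if (tcpInfo->fin)
        *expected += 1;

    return 0;
}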
wolfSSL 15:117db924cf7c 3498
wolfSSL 15:117db924cf7c 3499
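/* Scan the side's reassembly list for the next buffer that starts a TLS
 * application-data record of the session's version, discarding every buffer
 * before it (after a lost fragment they cannot be decoded). *expected is
 * moved past each buffer visited. On a hit the buffer is moved into
 * ssl->buffers.inputBuffer, *sslFrame/*sslBytes/*end describe it and the
 * side's skipPartial flag is cleared. Returns 0 (also when nothing usable was
 * found and the list is now empty), -1 if the input buffer could not be
 * grown. */
static int FindNextRecordInAssembly(SnifferSession* session,
                                    const byte** sslFrame, int* sslBytes,
                                    const byte** end, char* error)
{
    PacketBuffer** front = (session->flags.side == WOLFSSL_SERVER_END) ?
                                &session->cliReassemblyList :
                                &session->srvReassemblyList;
    PacketBuffer* curr = *front;
    PacketBuffer* prev = NULL;
    byte* skipPartial = (session->flags.side == WOLFSSL_SERVER_END) ?
                                &session->flags.srvSkipPartial :
                                &session->flags.cliSkipPartial;
    word32* reassemblyMemory = (session->flags.side == WOLFSSL_SERVER_END) ?
                                &session->cliReassemblyMemory :
                                &session->srvReassemblyMemory;
    SSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
                            session->sslServer :
                            session->sslClient;
    ProtocolVersion pv = ssl->version;
    word32* expected = (session->flags.side == WOLFSSL_SERVER_END) ?
                                &session->cliExpected :
                                &session->srvExpected;

    while (curr != NULL) {
        /* bytes held by this buffer (begin/end are inclusive) */
        word32 currLen = curr->end - curr->begin + 1;

        *expected = curr->end + 1;

        /* the record test reads three bytes (type, major, minor); a buffer
         * shorter than that is skipped rather than read past its end */
        if (currLen >= 3 &&
            curr->data[0] == application_data &&
            curr->data[1] == pv.major &&
            curr->data[2] == pv.minor) {

            if (ssl->buffers.inputBuffer.length > 0)
                Trace(DROPPING_PARTIAL_RECORD);

            *sslBytes = (int)currLen;
            if ( (word32)*sslBytes > ssl->buffers.inputBuffer.bufferSize) {
                if (GrowInputBuffer(ssl, *sslBytes, 0) < 0) {
                    SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
                    return -1;
                }
            }

            XMEMCPY(ssl->buffers.inputBuffer.buffer, curr->data, *sslBytes);

            *front = curr->next;
            *reassemblyMemory -= *sslBytes;
            FreePacketBuffer(curr);

            ssl->buffers.inputBuffer.length = *sslBytes;
            *sslFrame = ssl->buffers.inputBuffer.buffer;
            *end = *sslFrame + *sslBytes;
            *skipPartial = 0;

            return 0;
        }
        else if (ssl->specs.cipher_type == block &&
                 currLen >= ssl->specs.block_size) {
            /* CBC: the last cipher block of the dropped data is the IV of the
             * record that follows. The length guard keeps the IV pointer from
             * backing up before the start of curr->data. */
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
#ifdef BUILD_AES
                wc_AesSetIV(ssl->decrypt.aes,
                            curr->data + currLen - ssl->specs.block_size);
#endif
            }
            else if (ssl->specs.bulk_cipher_algorithm == wolfssl_triple_des) {
#ifdef BUILD_DES3
                wc_Des3_SetIV(ssl->decrypt.des3,
                              curr->data + currLen - ssl->specs.block_size);
#endif
            }
        }

        Trace(DROPPING_LOST_FRAG_STR);
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslDecodeFails);
#endif
        prev = curr;
        curr = curr->next;
        *reassemblyMemory -= (prev->end - prev->begin + 1);
        FreePacketBuffer(prev);
    }

    *front = curr;

    return 0;
}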
wolfSSL 15:117db924cf7c 3585
wolfSSL 15:117db924cf7c 3586
/* Resynchronise a side after a missed ACK: flag it as skipping partial data
 * and move its expected sequence to the first queued buffer, or to the
 * peer's ACK number (relative to the ISN) when nothing is queued.
 * Always returns 1 (end).
 * NOTE(review): for WOLFSSL_SERVER_END this selects the srv* state, the
 * opposite side from AdjustSequence, and pairs it with the other side's
 * skipPartial flag exactly as FindNextRecordInAssembly does, so the choice
 * looks deliberate; confirm before "fixing" it. */
static int FixSequence(TcpInfo* tcpInfo, SnifferSession* session)
{
    int serverSide = (session->flags.side == WOLFSSL_SERVER_END);
    word32* expected = serverSide ? &session->srvExpected
                                  : &session->cliExpected;
    PacketBuffer* list = serverSide ? session->srvReassemblyList
                                    : session->cliReassemblyList;
    byte* skipPartial = serverSide ? &session->flags.cliSkipPartial
                                   : &session->flags.srvSkipPartial;

    *skipPartial = 1;

    if (list == NULL) {
        word32 seqStart = serverSide ? session->srvSeqStart
                                     : session->cliSeqStart;
        *expected = tcpInfo->ackNumber - seqStart;
    }
    else {
        *expected = list->begin;
    }

    return 1;
}
wolfSSL 15:117db924cf7c 3611
wolfSSL 15:117db924cf7c 3612
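/* Check latest ack number for missing packets
   return 0 ok, <0 on error */
/* The ACK number is made relative to the acknowledged side's ISN and compared
 * with how far that side's data has actually been seen; an ACK beyond that
 * means a segment was never captured. Segments without the ACK flag pass. */
static int CheckAck(TcpInfo* tcpInfo, SnifferSession* session)
{
    word32 seqStart;
    word32 real;
    word32 expected;

    if (!tcpInfo->ack)
        return 0;

    seqStart = (session->flags.side == WOLFSSL_SERVER_END) ?
                                     session->srvSeqStart :session->cliSeqStart;
    /* word32 subtraction is modulo 2^32 and already handles a wrapped ack
     * number; the former explicit rollover formula
     * (0xffffffffU - seqStart + ackNumber) was one short */
    real = tcpInfo->ackNumber - seqStart;
    expected = (session->flags.side == WOLFSSL_SERVER_END) ?
                                  session->srvExpected : session->cliExpected;

    TraceAck(real, expected);

    if (real > expected)
        return -1; /* we missed a packet, ACKing data we never saw */

    return 0;
}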
wolfSSL 15:117db924cf7c 3635
wolfSSL 15:117db924cf7c 3636
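/* Check TCP Sequence status */
/* returns 0 on success (continue), -1 on error, 1 on success (end) */
/* The server's SYN/ACK initialises the server-side sequence state (returns 1).
 * Otherwise *sslBytes is clipped to the TCP payload announced by the IP total
 * length, the ACK is checked for data never captured (fatal unless
 * RecoveryEnabled, in which case the side is resynchronised), and the
 * segment's sequence is handed to AdjustSequence. */
static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo,
                         SnifferSession* session, int* sslBytes,
                         const byte** sslFrame, char* error)
{
    int actualLen;
    byte* ackFault = (session->flags.side == WOLFSSL_SERVER_END) ?
                     &session->flags.cliAckFault :
                     &session->flags.srvAckFault;

    /* init SEQ from server to client */
    if (tcpInfo->syn && tcpInfo->ack) {
        session->srvSeqStart = tcpInfo->sequence;
        session->srvExpected = 1;
        TraceServerSyn(tcpInfo->sequence);
        return 1;
    }

    /* adjust potential ethernet trailer */
    actualLen = ipInfo->total - ipInfo->length - tcpInfo->length;
    /* an IP total length shorter than the headers would otherwise push a
     * negative byte count into AdjustSequence */
    if (actualLen < 0)
        actualLen = 0;
    if (*sslBytes > actualLen) {
        *sslBytes = actualLen;
    }

    TraceSequence(tcpInfo->sequence, *sslBytes);
    if (CheckAck(tcpInfo, session) < 0) {
        if (!RecoveryEnabled) {
            UpdateMissedDataSessions();
            SetError(ACK_MISSED_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        else {
            SetError(ACK_MISSED_STR, error, session, 0);
            /* count the session as missing data once per fault, not once per
             * segment while the fault persists */
            if (*ackFault == 0) {
                *ackFault = 1;
                UpdateMissedDataSessions();
            }
            return FixSequence(tcpInfo, session);
        }
    }

    if (*ackFault) {
        Trace(CLEAR_ACK_FAULT);
        *ackFault = 0;
    }

    return AdjustSequence(tcpInfo, session, sslBytes, sslFrame, error);
}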
wolfSSL 15:117db924cf7c 3686
wolfSSL 15:117db924cf7c 3687
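/* Check Status before record processing.
 * Runs once per TCP segment before any TLS record is parsed:
 *   - tears the SnifferSession down on the 2nd FIN or on RST,
 *   - refuses to continue a session already in FATAL_ERROR_STATE,
 *   - resynchronises on the next record when this side is in skip-partial mode,
 *   - appends the new segment (flat buffer, or an iovec chain when vChain is
 *     non-NULL and WOLFSSL_SNIFFER_CHAIN_INPUT is built) to any partial record
 *     already parked in the SSL input buffer, re-pointing *sslFrame/*end at it,
 *   - sniffs the first bytes for an SSLv2-style ClientHello before the real
 *     ClientHello has been seen.
 * returns 0 on success (continue), -1 on error, 1 on success (end) */
static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
                          const byte** sslFrame, SnifferSession** session,
                          int* sslBytes, const byte** end,
                          void* vChain, word32 chainSz, char* error)
{
    word32 length;
    SSL* ssl = ((*session)->flags.side == WOLFSSL_SERVER_END) ?
                                  (*session)->sslServer : (*session)->sslClient;
    byte skipPartial = ((*session)->flags.side == WOLFSSL_SERVER_END) ?
                        (*session)->flags.srvSkipPartial :
                        (*session)->flags.cliSkipPartial;

    /* remove SnifferSession on 2nd FIN or RST */
    if (tcpInfo->fin || tcpInfo->rst) {
        /* flag FIN and RST: a FIN counts once, an RST counts for both sides */
        if (tcpInfo->fin)
            (*session)->flags.finCount += 1;
        else if (tcpInfo->rst)
            (*session)->flags.finCount += 2;

        if ((*session)->flags.finCount >= 2) {
            RemoveSession(*session, ipInfo, tcpInfo, 0);
            *session = NULL;
            return 1;
        }
    }

    if ((*session)->flags.fatalError == FATAL_ERROR_STATE) {
        SetError(FATAL_ERROR_STR, error, NULL, 0);
        return -1;
    }

    if (skipPartial) {
        if (FindNextRecordInAssembly(*session,
                                     sslFrame, sslBytes, end, error) < 0) {
            return -1;
        }
    }

    if (*sslBytes == 0) {
        Trace(NO_DATA_STR);
        return 1;
    }

    /* Bytes of a partial record already held in the input buffer. Read it
     * unconditionally: the chain path below indexes the buffer with it even
     * when skipPartial is set, and the former
     * `if (!skipPartial && (length = ...))` form left it uninitialized in
     * exactly that case. */
    length = ssl->buffers.inputBuffer.length;

    /* if current partial data, add to end of partial */
    /* if skipping, the data is already at the end of partial */
    if (!skipPartial && length) {
        Trace(PARTIAL_ADD_STR);

        if ((*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
            if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
                SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
                return -1;
            }
        }
        if (vChain == NULL) {
            XMEMCPY(&ssl->buffers.inputBuffer.buffer[length],
                    *sslFrame, *sslBytes);
            *sslBytes += length;
            ssl->buffers.inputBuffer.length = *sslBytes;
            *sslFrame = ssl->buffers.inputBuffer.buffer;
            *end = *sslFrame + *sslBytes;
        }
    }

    if (vChain != NULL) {
#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
        struct iovec* chain = (struct iovec*)vChain;
        word32 i, offset, headerSz, qty, remainder;

        Trace(CHAIN_INPUT_STR);
        /* *sslFrame points at the TLS payload inside the first iovec (see
         * ssl_DecodePacketInternal); the distance back to iov_base is the
         * IP/TCP header size. Plain pointer subtraction instead of casting
         * each pointer to word32, which truncates on 64-bit targets. */
        headerSz = (word32)(*sslFrame - (const byte*)chain[0].iov_base);
        remainder = *sslBytes;

        if ((*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
            if (GrowInputBuffer(ssl, *sslBytes, length) < 0) {
                SetError(MEMORY_STR, error, *session, FATAL_ERROR_STATE);
                return -1;
            }
        }

        /* NOTE(review): assumes *sslFrame lies inside chain[0]
         * (headerSz <= iov_len) and that the chain really holds *sslBytes
         * bytes of payload; neither is re-checked here. */
        qty = min(*sslBytes, (word32)chain[0].iov_len - headerSz);
        XMEMCPY(&ssl->buffers.inputBuffer.buffer[length],
                (byte*)chain[0].iov_base + headerSz, qty);
        offset = length;
        for (i = 1; i < chainSz; i++) {
            offset += qty;
            remainder -= qty;

            if (chain[i].iov_len > remainder)
                qty = remainder;
            else
                qty = (word32)chain[i].iov_len;
            XMEMCPY(ssl->buffers.inputBuffer.buffer + offset,
                    chain[i].iov_base, qty);
        }

        *sslBytes += length;
        ssl->buffers.inputBuffer.length = *sslBytes;
        *sslFrame = ssl->buffers.inputBuffer.buffer;
        *end = *sslFrame + *sslBytes;
#endif
        (void)chainSz;
    }

    if ((*session)->flags.clientHello == 0 && **sslFrame != handshake) {
        /* Sanity check the packet for an old style client hello.
         * The probe reads bytes [0..3], so require them to be present:
         * *sslBytes follows the peer's TCP segmentation and can be 1..3,
         * in which case the old unguarded probe read past the frame. A
         * frame that short cannot be a complete SSLv2 hello anyway, so it
         * is treated like any other non-handshake start. */
        int isOldHello = 0;
        int rhSize = 0;

        if (*sslBytes >= 4) {
            rhSize = (((*sslFrame)[0] & 0x7f) << 8) | ((*sslFrame)[1]);
            isOldHello = (rhSize <= (*sslBytes - 2)) &&
                         (*sslFrame)[2] == OLD_HELLO_ID &&
                         (*sslFrame)[3] == SSLv3_MAJOR;
        }

        if (isOldHello) {
#ifdef OLD_HELLO_ALLOWED
            int ret = DoOldHello(*session, *sslFrame, &rhSize, sslBytes, error);
            if (ret < 0)
                return -1; /* error already set */
            if (*sslBytes <= 0)
                return 1;
#endif
        }
        else {
#ifdef STARTTLS_ALLOWED
            /* not TLS yet (STARTTLS-style preamble): drop what was parked */
            if (ssl->buffers.inputBuffer.dynamicFlag) {
                ssl->buffers.inputBuffer.length = 0;
                ShrinkInputBuffer(ssl, NO_FORCED_FREE);
            }
            return 1;
#endif
        }
    }

    return 0;
}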
wolfSSL 15:117db924cf7c 3821
wolfSSL 15:117db924cf7c 3822
/* See if input on the reassembly list is ready for consuming.
 * Drains in-order PacketBuffers (those whose begin equals the side's expected
 * sequence) from the sending side's reassembly list into the receiving SSL
 * object's input buffer, growing that buffer while it is below MAX_INPUT_SZ.
 * When anything was consumed, sslFrame/sslBytes/end are re-pointed at the
 * whole buffered input.
 * returns 1 for TRUE, 0 for FALSE (also 0 after a failed grow, which marks
 * the session FATAL_ERROR_STATE) */
static int HaveMoreInput(SnifferSession* session, const byte** sslFrame,
                         int* sslBytes, const byte** end, char* error)
{
    /* sequence and reassembly based on from, not to */
    int consumed = 0;
    int fromClient = (session->flags.side == WOLFSSL_SERVER_END);
    PacketBuffer** front;
    word32* expected;
    word32* reassemblyMemory;
    SSL* ssl;
    word32* length;
    byte** myBuffer;
    word32* bufferSize;

    if (fromClient) {
        front            = &session->cliReassemblyList;
        expected         = &session->cliExpected;
        reassemblyMemory = &session->cliReassemblyMemory;
        ssl              = session->sslServer;   /* buffer is on receiving end */
    }
    else {
        front            = &session->srvReassemblyList;
        expected         = &session->srvExpected;
        reassemblyMemory = &session->srvReassemblyMemory;
        ssl              = session->sslClient;
    }
    length     = &ssl->buffers.inputBuffer.length;
    myBuffer   = &ssl->buffers.inputBuffer.buffer;
    bufferSize = &ssl->buffers.inputBuffer.bufferSize;

    for (;;) {
        PacketBuffer* pkt = *front;
        word32 room;
        word32 packetLen;

        if (pkt == NULL || pkt->begin != *expected)
            break;

        room      = *bufferSize - *length;
        packetLen = pkt->end - pkt->begin + 1;

        if (packetLen > room && *bufferSize < MAX_INPUT_SZ) {
            if (GrowInputBuffer(ssl, packetLen, *length) < 0) {
                SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
                return 0;
            }
            room = *bufferSize - *length; /* bufferSize is now bigger */
        }

        if (packetLen > room)
            break;   /* buffer at its cap; leave the rest queued */

        XMEMCPY(&(*myBuffer)[*length], pkt->data, packetLen);
        *length   += packetLen;
        *expected += packetLen;

        /* unlink and release the consumed packet */
        *front = pkt->next;
        *reassemblyMemory -= packetLen;
        FreePacketBuffer(pkt);

        consumed = 1;
    }

    if (consumed) {
        *sslFrame = *myBuffer;
        *sslBytes = *length;
        *end      = *myBuffer + *length;
    }
    return consumed;
}
wolfSSL 15:117db924cf7c 3887
wolfSSL 15:117db924cf7c 3888
wolfSSL 15:117db924cf7c 3889
/* Process Message(s) from sslFrame.
 * Walks every complete TLS record in [sslFrame, end): reads the record
 * header, decrypts the record once the sending side's cipher is on, then
 * dispatches each message in the record by content type. Application data is
 * appended to *data (grown with XREALLOC; one spare byte is left for a NUL)
 * or, when data is NULL and WOLFSSL_SNIFFER_STORE_DATA_CB is built, handed to
 * StoreDataCb together with ctx. A trailing partial record is parked in the
 * SSL input buffer for the next packet, and in-order reassembly data is pulled
 * in through HaveMoreInput.
 * return Number of bytes on success, 0 for no data yet, and -1 on error */
static int ProcessMessage(const byte* sslFrame, SnifferSession* session,
                          int sslBytes, byte** data, const byte* end,
                          void* ctx, char* error)
{
    const byte* sslBegin = sslFrame;
    const byte* recordEnd;   /* end of record indicator */
    const byte* inRecordEnd; /* indicator from input stream not decrypt */
    RecordLayerHeader rh;
    int rhSize = 0;
    int ret;
    int errCode = 0;
    int decoded = 0;         /* bytes stored for user in data */
    int notEnough;           /* notEnough bytes yet flag */
    int decrypted = 0;       /* was current msg decrypted */
    SSL* ssl = (session->flags.side == WOLFSSL_SERVER_END) ?
                                  session->sslServer : session->sslClient;
doMessage:
    /* one pass per TLS record */
    notEnough = 0;
    if (sslBytes < 0) {
        SetError(PACKET_HDR_SHORT_STR, error, session, FATAL_ERROR_STATE);
        return -1;
    }
    if (sslBytes >= RECORD_HEADER_SZ) {
        if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) {
            SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
    }
    else
        notEnough = 1;

    if (notEnough || rhSize > (sslBytes - RECORD_HEADER_SZ)) {
        /* don't have enough input yet to process full SSL record */
        Trace(PARTIAL_INPUT_STR);

        /* store partial if not there already or we advanced */
        if (ssl->buffers.inputBuffer.length == 0 || sslBegin != sslFrame) {
            if (sslBytes > (int)ssl->buffers.inputBuffer.bufferSize) {
                if (GrowInputBuffer(ssl, sslBytes, 0) < 0) {
                    SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
                    return -1;
                }
            }
            /* XMEMMOVE rather than XMEMCPY: sslFrame may already point into
             * inputBuffer.buffer (CheckPreRecord and HaveMoreInput set it
             * there), so source and destination can overlap */
            XMEMMOVE(ssl->buffers.inputBuffer.buffer, sslFrame, sslBytes);
            ssl->buffers.inputBuffer.length = sslBytes;
        }
        if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
            goto doMessage;
        return decoded;
    }
    sslFrame += RECORD_HEADER_SZ;
    sslBytes -= RECORD_HEADER_SZ;
    recordEnd = sslFrame + rhSize;   /* may have more than one record */
    inRecordEnd = recordEnd;

    /* decrypt if needed */
    if ((session->flags.side == WOLFSSL_SERVER_END &&
                                               session->flags.serverCipherOn)
     || (session->flags.side == WOLFSSL_CLIENT_END &&
                                               session->flags.clientCipherOn)) {
        int ivAdvance = 0;   /* TLSv1.1 advance amount */
        if (ssl->decrypt.setup != 1) {
            SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        if (CheckAvailableSize(ssl, rhSize) < 0) {
            SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
            return -1;
        }
        /* plaintext is written to outputBuffer; sslFrame now points there,
         * while inRecordEnd still tracks the ciphertext in the input stream */
        sslFrame = DecryptMessage(ssl, sslFrame, rhSize,
                                  ssl->buffers.outputBuffer.buffer, &errCode,
                                  &ivAdvance);
        recordEnd = sslFrame - ivAdvance + rhSize;   /* sslFrame moved so
                                                        should recordEnd */
        decrypted = 1;

#ifdef WOLFSSL_SNIFFER_STATS
        /* NOTE(review): sslBytes here is everything left in the frame, not
         * rhSize, so sslDecryptedBytes over-counts when a packet carries
         * several records */
        if (errCode != 0) {
            INC_STAT(SnifferStats.sslKeyFails);
        }
        else {
            LOCK_STAT();
            NOLOCK_INC_STAT(SnifferStats.sslDecryptedPackets);
            NOLOCK_ADD_TO_STAT(SnifferStats.sslDecryptedBytes, sslBytes);
            UNLOCK_STAT();
        }
#endif
        if (errCode != 0) {
            SetError(BAD_DECRYPT, error, session, FATAL_ERROR_STATE);
            return -1;
        }
    }

doPart:
    /* one pass per message inside the current record; each case must advance
     * sslFrame, otherwise the `sslFrame < recordEnd` re-check below would
     * spin (presumably DoHandShake/DoApplicationData always consume) */

    switch ((enum ContentType)rh.type) {
        case handshake:
            {
                int startIdx = sslBytes;
                int used;

                Trace(GOT_HANDSHAKE_STR);
                ret = DoHandShake(sslFrame, &sslBytes, session, error);
                if (ret != 0) {
                    /* DoHandShake may have set a more specific error already */
                    if (session->flags.fatalError == 0)
                        SetError(BAD_HANDSHAKE_STR, error, session,
                                 FATAL_ERROR_STATE);
                    return -1;
                }

                /* DoHandShake now fully decrements sslBytes to remaining */
                used = startIdx - sslBytes;
                sslFrame += used;
                /* step over the trailer the decrypt step left in place
                 * (keys.padSz, set by DecryptMessage) */
                if (decrypted)
                    sslFrame += ssl->keys.padSz;
            }
            break;
        case change_cipher_spec:
            /* from here on this side's records are decrypted */
            if (session->flags.side == WOLFSSL_SERVER_END)
                session->flags.serverCipherOn = 1;
            else
                session->flags.clientCipherOn = 1;
            Trace(GOT_CHANGE_CIPHER_STR);
            ssl->options.handShakeState = HANDSHAKE_DONE;
            ssl->options.handShakeDone = 1;

            sslFrame += 1;
            sslBytes -= 1;

            break;
        case application_data:
            Trace(GOT_APP_DATA_STR);
            {
                word32 inOutIdx = 0;

                ret = DoApplicationData(ssl, (byte*)sslFrame, &inOutIdx);
                if (ret == 0) {
                    ret = ssl->buffers.clearOutputBuffer.length;
                    TraceGotData(ret);
                    if (ret) { /* may be blank message */
                        if (data != NULL) {
                            byte* tmpData; /* don't leak on realloc free */
                            /* add an extra byte at end of allocation in case
                             * user wants to null terminate plaintext */
                            tmpData = (byte*)XREALLOC(*data, decoded + ret + 1,
                                    NULL, DYNAMIC_TYPE_TMP_BUFFER);
                            if (tmpData == NULL) {
                                /* scrub what was already decrypted before
                                 * giving it back */
                                ForceZero(*data, decoded);
                                XFREE(*data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
                                *data = NULL;
                                SetError(MEMORY_STR, error, session,
                                         FATAL_ERROR_STATE);
                                return -1;
                            }
                            *data = tmpData;
                            XMEMCPY(*data + decoded,
                                    ssl->buffers.clearOutputBuffer.buffer, ret);
                        }
                        else {
#ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
                            if (StoreDataCb) {
                                const byte* buf;
                                word32 offset = 0;
                                word32 bufSz;
                                int stored;

                                buf = ssl->buffers.clearOutputBuffer.buffer;
                                bufSz = ssl->buffers.clearOutputBuffer.length;
                                /* the callback may take the data in pieces;
                                 * loop until it has accepted all of it */
                                do {
                                    stored = StoreDataCb(buf, bufSz, offset,
                                            ctx);
                                    if (stored <= 0) {
                                        /* NOTE(review): returns -1 without
                                         * SetError, so `error` is left stale
                                         * and the session is not marked
                                         * fatal on a callback failure */
                                        return -1;
                                    }
                                    offset += stored;
                                } while (offset < bufSz);
                            }
                            else {
                                SetError(STORE_DATA_CB_MISSING_STR, error,
                                        session, FATAL_ERROR_STATE);
                                return -1;
                            }
#else
                            (void)ctx;
                            SetError(NO_DATA_DEST_STR, error, session,
                                     FATAL_ERROR_STATE);
                            return -1;
#endif
                        }
                        TraceAddedData(ret, decoded);
                        decoded += ret;
                        ssl->buffers.clearOutputBuffer.length = 0;
                    }
                }
                else {
                    SetError(BAD_APP_DATA_STR, error,session,FATAL_ERROR_STATE);
                    return -1;
                }
                if (ssl->buffers.outputBuffer.dynamicFlag)
                    ShrinkOutputBuffer(ssl);

                sslFrame += inOutIdx;
                sslBytes -= inOutIdx;
            }
            break;
        case alert:
            /* alerts are counted and skipped whole, never inspected */
            Trace(GOT_ALERT_STR);
#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslAlerts);
#endif
            sslFrame += rhSize;
            sslBytes -= rhSize;
            break;
        case no_type:
        default:
            SetError(GOT_UNKNOWN_RECORD_STR, error, session, FATAL_ERROR_STATE);
            return -1;
    }

    /* do we have another msg in record ? */
    if (sslFrame < recordEnd) {
        Trace(ANOTHER_MSG_STR);
        goto doPart;
    }

    /* back to input stream instead of potential decrypt buffer */
    recordEnd = inRecordEnd;

    /* do we have more records ? */
    if (recordEnd < end) {
        Trace(ANOTHER_MSG_STR);
        sslFrame = recordEnd;
        sslBytes = (int)(end - recordEnd);
        goto doMessage;
    }

    /* clear used input */
    ssl->buffers.inputBuffer.length = 0;

    /* could have more input ready now */
    if (HaveMoreInput(session, &sslFrame, &sslBytes, &end, error))
        goto doMessage;

    if (ssl->buffers.inputBuffer.dynamicFlag)
        ShrinkInputBuffer(ssl, NO_FORCED_FREE);

    return decoded;
}
wolfSSL 15:117db924cf7c 4140
wolfSSL 15:117db924cf7c 4141
/* See if we need to process any pending FIN captures.
 * A FIN captured earlier (finCaputre.cliFinSeq / srvFinSeq) is counted once
 * the matching side's expected sequence has caught up with it, and only once
 * per side (cliCounted / srvCounted). Two counted FINs end the session.
 * Return 0=normal, else = session removed (session must not be used after) */
static int CheckFinCapture(IpInfo* ipInfo, TcpInfo* tcpInfo,
                           SnifferSession* session)
{
    int removed = 0;

    /* client side: FIN seen, not yet counted, and sequence reached */
    if (session->finCaputre.cliFinSeq &&
        session->finCaputre.cliCounted == 0 &&
        session->finCaputre.cliFinSeq <= session->cliExpected) {
        session->flags.finCount += 1;
        session->finCaputre.cliCounted = 1;
        TraceClientFin(session->finCaputre.cliFinSeq, session->cliExpected);
    }

    /* server side, same rule */
    if (session->finCaputre.srvFinSeq &&
        session->finCaputre.srvCounted == 0 &&
        session->finCaputre.srvFinSeq <= session->srvExpected) {
        session->flags.finCount += 1;
        session->finCaputre.srvCounted = 1;
        TraceServerFin(session->finCaputre.srvFinSeq, session->srvExpected);
    }

    if (session->flags.finCount >= 2) {
        RemoveSession(session, ipInfo, tcpInfo, 0);
        removed = 1;
    }
    return removed;
}
wolfSSL 15:117db924cf7c 4172
wolfSSL 15:117db924cf7c 4173
/* If session is in fatal error state free resources now.
 * Safe to call with session == NULL (reports nothing removed).
 * return true if removed, 0 otherwise */
static int RemoveFatalSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
                              SnifferSession* session, char* error)
{
    if (session == NULL)
        return 0;
    if (session->flags.fatalError != FATAL_ERROR_STATE)
        return 0;

    RemoveSession(session, ipInfo, tcpInfo, 0);
    /* the session is gone, so the error is reported without attaching it */
    SetError(FATAL_ERROR_STR, error, NULL, 0);
    return 1;
}
wolfSSL 15:117db924cf7c 4186
wolfSSL 15:117db924cf7c 4187
/* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed.
 * Shared back end for the public ssl_DecodePacket* entry points:
 *   packet/length  - flat packet bytes, or NULL/0 when vChain is used
 *   vChain/chainSz - optional iovec chain (WOLFSSL_SNIFFER_CHAIN_INPUT only)
 *   data           - receives decrypted application data; may be NULL when
 *                    a StoreDataCb is used instead (see ProcessMessage)
 *   sslInfo        - optional; filled by CopySessionInfo when the session
 *                    survives this packet
 *   ctx            - opaque pointer passed through to StoreDataCb
 *   error          - receives an error string on failure
 * returns Number of bytes on success, 0 for no data yet, and -1 on error */
static int ssl_DecodePacketInternal(const byte* packet, int length,
                                    void* vChain, word32 chainSz,
                                    byte** data, SSLInfo* sslInfo,
                                    void* ctx, char* error)
{
    TcpInfo tcpInfo;
    IpInfo ipInfo;
    const byte* sslFrame;
    const byte* end;
    int sslBytes;                /* ssl bytes unconsumed */
    int ret;
    SnifferSession* session = 0;

#ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
    if (packet == NULL && vChain != NULL) {
        struct iovec* chain = (struct iovec*)vChain;
        word32 i;

        /* NOTE(review): chainSz == 0 is not rejected, so chain[0] below reads
         * past the caller's array; and length is an int, so a chain whose
         * iov_len sum exceeds INT_MAX goes negative before CheckHeaders sees
         * it. Both values come straight from the caller. */
        length = 0;
        for (i = 0; i < chainSz; i++)
            length += chain[i].iov_len;
        /* CheckHeaders is pointed at the first iovec only; presumably the
         * IP/TCP headers must fit entirely inside it (CheckPreRecord derives
         * the header size from the same base) */
        packet = (const byte*)chain[0].iov_base;
    }
#endif

    if (CheckHeaders(&ipInfo, &tcpInfo, packet, length, &sslFrame, &sslBytes,
                     error) != 0)
        return -1;

    end = sslFrame + sslBytes;

    /* each stage below: a fatal session is torn down first, then the stage's
     * own result is honoured (1 == nothing more to do for this packet) */
    ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
    if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
    else if (ret == -1) return -1;
    else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
        if (sslBytes > 0) {
            LOCK_STAT();
            NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets);
            NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes);
            UNLOCK_STAT();
        }
        else
            INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
        return 0;   /* done for now */
    }

    ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error);
    if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
    else if (ret == -1) return -1;
    else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
        return 0;   /* done for now */
    }

    /* CheckPreRecord may remove the session (FIN/RST) and NULL it out;
     * that path returns 1, so session is not touched afterwards */
    ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes,
                         &end, vChain, chainSz, error);
    if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
    else if (ret == -1) return -1;
    else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
        return 0;   /* done for now */
    }

#ifdef WOLFSSL_SNIFFER_STATS
    if (sslBytes > 0) {
        LOCK_STAT();
        NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets);
        NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes);
        UNLOCK_STAT();
    }
    else
        INC_STAT(SnifferStats.sslDecryptedPackets);
#endif

    ret = ProcessMessage(sslFrame, session, sslBytes, data, end, ctx, error);
    if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
    /* only copy session info if the pending FINs did not just free it */
    if (CheckFinCapture(&ipInfo, &tcpInfo, session) == 0) {
        CopySessionInfo(session, sslInfo);
    }

    return ret;
}
wolfSSL 15:117db924cf7c 4278
wolfSSL 15:117db924cf7c 4279
/* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed.
 * Flat-buffer entry point that also reports session details.
 *   packet/length - IP packet bytes and their length
 *   data          - receives decrypted application data (grown via XREALLOC
 *                   in ProcessMessage)
 *   sslInfo       - filled with session information when available
 *   error         - receives an error string on failure
 * returns Number of bytes on success, 0 for no data yet, and -1 on error
 * Also returns Session Info if available */
int ssl_DecodePacketWithSessionInfo(const unsigned char* packet, int length,
        unsigned char** data, SSLInfo* sslInfo, char* error)
{
    /* no iovec chain and no store-data context on this path */
    void* noChain = NULL;
    void* noCtx = NULL;

    return ssl_DecodePacketInternal(packet, length, noChain, 0,
                                    data, sslInfo, noCtx, error);
}
wolfSSL 16:8e0d178b1d1e 4289
wolfSSL 16:8e0d178b1d1e 4290
/* Passes in an IP/TCP packet for decoding (ethernet/localhost frame) removed.
 * Plainest entry point: flat buffer in, decrypted application data out.
 *   packet/length - IP packet bytes and their length
 *   data          - receives decrypted application data
 *   error         - receives an error string on failure
 * returns Number of bytes on success, 0 for no data yet, and -1 on error */
int ssl_DecodePacket(const byte* packet, int length, byte** data, char* error)
{
    /* no chain, no session info, no store-data context */
    SSLInfo* noInfo = NULL;

    return ssl_DecodePacketInternal(packet, length, NULL, 0,
                                    data, noInfo, NULL, error);
}
wolfSSL 16:8e0d178b1d1e 4298
wolfSSL 16:8e0d178b1d1e 4299
wolfSSL 16:8e0d178b1d1e 4300 #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
wolfSSL 16:8e0d178b1d1e 4301
wolfSSL 16:8e0d178b1d1e 4302 int ssl_DecodePacketWithSessionInfoStoreData(const unsigned char* packet,
wolfSSL 16:8e0d178b1d1e 4303 int length, void* ctx, SSLInfo* sslInfo, char* error)
wolfSSL 16:8e0d178b1d1e 4304 {
wolfSSL 16:8e0d178b1d1e 4305 return ssl_DecodePacketInternal(packet, length, NULL, 0, NULL, sslInfo,
wolfSSL 16:8e0d178b1d1e 4306 ctx, error);
wolfSSL 16:8e0d178b1d1e 4307 }
wolfSSL 16:8e0d178b1d1e 4308
wolfSSL 16:8e0d178b1d1e 4309 #endif
wolfSSL 16:8e0d178b1d1e 4310
wolfSSL 16:8e0d178b1d1e 4311
wolfSSL 16:8e0d178b1d1e 4312 #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
wolfSSL 16:8e0d178b1d1e 4313
wolfSSL 16:8e0d178b1d1e 4314 int ssl_DecodePacketWithChain(void* vChain, word32 chainSz, byte** data,
wolfSSL 16:8e0d178b1d1e 4315 char* error)
wolfSSL 16:8e0d178b1d1e 4316 {
wolfSSL 16:8e0d178b1d1e 4317 return ssl_DecodePacketInternal(NULL, 0, vChain, chainSz, data, NULL, NULL,
wolfSSL 16:8e0d178b1d1e 4318 error);
wolfSSL 16:8e0d178b1d1e 4319 }
wolfSSL 16:8e0d178b1d1e 4320
wolfSSL 16:8e0d178b1d1e 4321 #endif
wolfSSL 16:8e0d178b1d1e 4322
wolfSSL 16:8e0d178b1d1e 4323
wolfSSL 16:8e0d178b1d1e 4324 #if defined(WOLFSSL_SNIFFER_CHAIN_INPUT) && \
wolfSSL 16:8e0d178b1d1e 4325 defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
wolfSSL 16:8e0d178b1d1e 4326
wolfSSL 16:8e0d178b1d1e 4327 int ssl_DecodePacketWithChainSessionInfoStoreData(void* vChain, word32 chainSz,
wolfSSL 16:8e0d178b1d1e 4328 void* ctx, SSLInfo* sslInfo, char* error)
wolfSSL 16:8e0d178b1d1e 4329 {
wolfSSL 16:8e0d178b1d1e 4330 return ssl_DecodePacketInternal(NULL, 0, vChain, chainSz, NULL, sslInfo,
wolfSSL 16:8e0d178b1d1e 4331 ctx, error);
wolfSSL 16:8e0d178b1d1e 4332 }
wolfSSL 16:8e0d178b1d1e 4333
wolfSSL 16:8e0d178b1d1e 4334 #endif
wolfSSL 16:8e0d178b1d1e 4335
wolfSSL 16:8e0d178b1d1e 4336
wolfSSL 15:117db924cf7c 4337 /* Deallocator for the decoded data buffer. */
wolfSSL 15:117db924cf7c 4338 /* returns 0 on success, -1 on error */
wolfSSL 15:117db924cf7c 4339 int ssl_FreeDecodeBuffer(byte** data, char* error)
wolfSSL 15:117db924cf7c 4340 {
wolfSSL 15:117db924cf7c 4341 return ssl_FreeZeroDecodeBuffer(data, 0, error);
wolfSSL 15:117db924cf7c 4342 }
wolfSSL 15:117db924cf7c 4343
wolfSSL 15:117db924cf7c 4344
wolfSSL 15:117db924cf7c 4345 /* Deallocator for the decoded data buffer, zeros out buffer. */
wolfSSL 15:117db924cf7c 4346 /* returns 0 on success, -1 on error */
wolfSSL 15:117db924cf7c 4347 int ssl_FreeZeroDecodeBuffer(byte** data, int sz, char* error)
wolfSSL 15:117db924cf7c 4348 {
wolfSSL 15:117db924cf7c 4349 (void)error;
wolfSSL 15:117db924cf7c 4350
wolfSSL 15:117db924cf7c 4351 if (sz < 0) {
wolfSSL 15:117db924cf7c 4352 return -1;
wolfSSL 15:117db924cf7c 4353 }
wolfSSL 15:117db924cf7c 4354
wolfSSL 15:117db924cf7c 4355 if (data != NULL) {
wolfSSL 15:117db924cf7c 4356 ForceZero(*data, (word32)sz);
wolfSSL 16:8e0d178b1d1e 4357 XFREE(*data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
wolfSSL 15:117db924cf7c 4358 *data = NULL;
wolfSSL 15:117db924cf7c 4359 }
wolfSSL 15:117db924cf7c 4360
wolfSSL 15:117db924cf7c 4361 return 0;
wolfSSL 15:117db924cf7c 4362 }
wolfSSL 15:117db924cf7c 4363
wolfSSL 15:117db924cf7c 4364
wolfSSL 15:117db924cf7c 4365 /* Enables (if traceFile)/ Disables debug tracing */
wolfSSL 15:117db924cf7c 4366 /* returns 0 on success, -1 on error */
wolfSSL 15:117db924cf7c 4367 int ssl_Trace(const char* traceFile, char* error)
wolfSSL 15:117db924cf7c 4368 {
wolfSSL 15:117db924cf7c 4369 if (traceFile) {
wolfSSL 16:8e0d178b1d1e 4370 /* Don't try to reopen the file */
wolfSSL 16:8e0d178b1d1e 4371 if (TraceFile == NULL) {
wolfSSL 16:8e0d178b1d1e 4372 TraceFile = fopen(traceFile, "a");
wolfSSL 16:8e0d178b1d1e 4373 if (!TraceFile) {
wolfSSL 16:8e0d178b1d1e 4374 SetError(BAD_TRACE_FILE_STR, error, NULL, 0);
wolfSSL 16:8e0d178b1d1e 4375 return -1;
wolfSSL 16:8e0d178b1d1e 4376 }
wolfSSL 16:8e0d178b1d1e 4377 TraceOn = 1;
wolfSSL 15:117db924cf7c 4378 }
wolfSSL 15:117db924cf7c 4379 }
wolfSSL 15:117db924cf7c 4380 else
wolfSSL 15:117db924cf7c 4381 TraceOn = 0;
wolfSSL 15:117db924cf7c 4382
wolfSSL 15:117db924cf7c 4383 return 0;
wolfSSL 15:117db924cf7c 4384 }
wolfSSL 15:117db924cf7c 4385
wolfSSL 15:117db924cf7c 4386
wolfSSL 15:117db924cf7c 4387 /* Enables/Disables Recovery of missed data if later packets allow
wolfSSL 15:117db924cf7c 4388 * maxMemory is number of bytes to use for reassembly buffering per session,
wolfSSL 15:117db924cf7c 4389 * -1 means unlimited
wolfSSL 15:117db924cf7c 4390 * returns 0 on success, -1 on error */
wolfSSL 15:117db924cf7c 4391 int ssl_EnableRecovery(int onOff, int maxMemory, char* error)
wolfSSL 15:117db924cf7c 4392 {
wolfSSL 15:117db924cf7c 4393 (void)error;
wolfSSL 15:117db924cf7c 4394
wolfSSL 15:117db924cf7c 4395 RecoveryEnabled = onOff;
wolfSSL 15:117db924cf7c 4396 if (onOff)
wolfSSL 15:117db924cf7c 4397 MaxRecoveryMemory = maxMemory;
wolfSSL 15:117db924cf7c 4398
wolfSSL 15:117db924cf7c 4399 return 0;
wolfSSL 15:117db924cf7c 4400 }
wolfSSL 15:117db924cf7c 4401
wolfSSL 15:117db924cf7c 4402
wolfSSL 15:117db924cf7c 4403
wolfSSL 16:8e0d178b1d1e 4404 #ifdef WOLFSSL_SESSION_STATS
wolfSSL 16:8e0d178b1d1e 4405
wolfSSL 15:117db924cf7c 4406 int ssl_GetSessionStats(unsigned int* active, unsigned int* total,
wolfSSL 15:117db924cf7c 4407 unsigned int* peak, unsigned int* maxSessions,
wolfSSL 15:117db924cf7c 4408 unsigned int* missedData, unsigned int* reassemblyMem,
wolfSSL 15:117db924cf7c 4409 char* error)
wolfSSL 15:117db924cf7c 4410 {
wolfSSL 15:117db924cf7c 4411 int ret;
wolfSSL 15:117db924cf7c 4412
wolfSSL 15:117db924cf7c 4413 if (missedData) {
wolfSSL 15:117db924cf7c 4414 wc_LockMutex(&RecoveryMutex);
wolfSSL 15:117db924cf7c 4415 *missedData = MissedDataSessions;
wolfSSL 15:117db924cf7c 4416 wc_UnLockMutex(&RecoveryMutex);
wolfSSL 15:117db924cf7c 4417 }
wolfSSL 15:117db924cf7c 4418
wolfSSL 15:117db924cf7c 4419 if (reassemblyMem) {
wolfSSL 15:117db924cf7c 4420 SnifferSession* session;
wolfSSL 15:117db924cf7c 4421 int i;
wolfSSL 15:117db924cf7c 4422
wolfSSL 15:117db924cf7c 4423 *reassemblyMem = 0;
wolfSSL 15:117db924cf7c 4424 wc_LockMutex(&SessionMutex);
wolfSSL 15:117db924cf7c 4425 for (i = 0; i < HASH_SIZE; i++) {
wolfSSL 15:117db924cf7c 4426 session = SessionTable[i];
wolfSSL 15:117db924cf7c 4427 while (session) {
wolfSSL 15:117db924cf7c 4428 *reassemblyMem += session->cliReassemblyMemory;
wolfSSL 15:117db924cf7c 4429 *reassemblyMem += session->srvReassemblyMemory;
wolfSSL 15:117db924cf7c 4430 session = session->next;
wolfSSL 15:117db924cf7c 4431 }
wolfSSL 15:117db924cf7c 4432 }
wolfSSL 15:117db924cf7c 4433 wc_UnLockMutex(&SessionMutex);
wolfSSL 15:117db924cf7c 4434 }
wolfSSL 15:117db924cf7c 4435
wolfSSL 15:117db924cf7c 4436 ret = wolfSSL_get_session_stats(active, total, peak, maxSessions);
wolfSSL 15:117db924cf7c 4437
wolfSSL 15:117db924cf7c 4438 if (ret == WOLFSSL_SUCCESS)
wolfSSL 15:117db924cf7c 4439 return 0;
wolfSSL 15:117db924cf7c 4440 else {
wolfSSL 15:117db924cf7c 4441 SetError(BAD_SESSION_STATS, error, NULL, 0);
wolfSSL 15:117db924cf7c 4442 return -1;
wolfSSL 15:117db924cf7c 4443 }
wolfSSL 15:117db924cf7c 4444 }
wolfSSL 15:117db924cf7c 4445
wolfSSL 16:8e0d178b1d1e 4446 #endif
wolfSSL 16:8e0d178b1d1e 4447
wolfSSL 16:8e0d178b1d1e 4448
wolfSSL 16:8e0d178b1d1e 4449
wolfSSL 16:8e0d178b1d1e 4450 int ssl_SetConnectionCb(SSLConnCb cb)
wolfSSL 16:8e0d178b1d1e 4451 {
wolfSSL 16:8e0d178b1d1e 4452 ConnectionCb = cb;
wolfSSL 16:8e0d178b1d1e 4453 return 0;
wolfSSL 16:8e0d178b1d1e 4454 }
wolfSSL 16:8e0d178b1d1e 4455
wolfSSL 16:8e0d178b1d1e 4456
wolfSSL 16:8e0d178b1d1e 4457
wolfSSL 16:8e0d178b1d1e 4458 int ssl_SetConnectionCtx(void* ctx)
wolfSSL 16:8e0d178b1d1e 4459 {
wolfSSL 16:8e0d178b1d1e 4460 ConnectionCbCtx = ctx;
wolfSSL 16:8e0d178b1d1e 4461 return 0;
wolfSSL 16:8e0d178b1d1e 4462 }
wolfSSL 16:8e0d178b1d1e 4463
wolfSSL 16:8e0d178b1d1e 4464
wolfSSL 16:8e0d178b1d1e 4465 #ifdef WOLFSSL_SNIFFER_STATS
wolfSSL 16:8e0d178b1d1e 4466
wolfSSL 16:8e0d178b1d1e 4467 /* Resets the statistics tracking global structure.
wolfSSL 16:8e0d178b1d1e 4468 * returns 0 on success, -1 on error */
wolfSSL 16:8e0d178b1d1e 4469 int ssl_ResetStatistics(void)
wolfSSL 16:8e0d178b1d1e 4470 {
wolfSSL 16:8e0d178b1d1e 4471 wc_LockMutex(&StatsMutex);
wolfSSL 16:8e0d178b1d1e 4472 XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
wolfSSL 16:8e0d178b1d1e 4473 wc_UnLockMutex(&StatsMutex);
wolfSSL 16:8e0d178b1d1e 4474 return 0;
wolfSSL 16:8e0d178b1d1e 4475 }
wolfSSL 16:8e0d178b1d1e 4476
wolfSSL 16:8e0d178b1d1e 4477
wolfSSL 16:8e0d178b1d1e 4478 /* Copies the SSL statistics into the provided stats record.
wolfSSL 16:8e0d178b1d1e 4479 * returns 0 on success, -1 on error */
wolfSSL 16:8e0d178b1d1e 4480 int ssl_ReadStatistics(SSLStats* stats)
wolfSSL 16:8e0d178b1d1e 4481 {
wolfSSL 16:8e0d178b1d1e 4482 if (stats == NULL)
wolfSSL 16:8e0d178b1d1e 4483 return -1;
wolfSSL 16:8e0d178b1d1e 4484
wolfSSL 16:8e0d178b1d1e 4485 LOCK_STAT();
wolfSSL 16:8e0d178b1d1e 4486 XMEMCPY(stats, &SnifferStats, sizeof(SSLStats));
wolfSSL 16:8e0d178b1d1e 4487 UNLOCK_STAT();
wolfSSL 16:8e0d178b1d1e 4488 return 0;
wolfSSL 16:8e0d178b1d1e 4489 }
wolfSSL 16:8e0d178b1d1e 4490
wolfSSL 16:8e0d178b1d1e 4491 /* Copies the SSL statistics into the provided stats record then
wolfSSL 16:8e0d178b1d1e 4492 * resets the statistics tracking global structure.
wolfSSL 16:8e0d178b1d1e 4493 * returns 0 on success, -1 on error */
wolfSSL 16:8e0d178b1d1e 4494 int ssl_ReadResetStatistics(SSLStats* stats)
wolfSSL 16:8e0d178b1d1e 4495 {
wolfSSL 16:8e0d178b1d1e 4496 if (stats == NULL)
wolfSSL 16:8e0d178b1d1e 4497 return -1;
wolfSSL 16:8e0d178b1d1e 4498
wolfSSL 16:8e0d178b1d1e 4499 LOCK_STAT();
wolfSSL 16:8e0d178b1d1e 4500 XMEMCPY(stats, &SnifferStats, sizeof(SSLStats));
wolfSSL 16:8e0d178b1d1e 4501 XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
wolfSSL 16:8e0d178b1d1e 4502 UNLOCK_STAT();
wolfSSL 16:8e0d178b1d1e 4503 return 0;
wolfSSL 16:8e0d178b1d1e 4504 }
wolfSSL 16:8e0d178b1d1e 4505
wolfSSL 16:8e0d178b1d1e 4506 #endif /* WOLFSSL_SNIFFER_STATS */
wolfSSL 16:8e0d178b1d1e 4507
wolfSSL 16:8e0d178b1d1e 4508
wolfSSL 16:8e0d178b1d1e 4509 #ifdef WOLFSSL_SNIFFER_WATCH
wolfSSL 16:8e0d178b1d1e 4510
wolfSSL 16:8e0d178b1d1e 4511 int ssl_SetWatchKeyCallback_ex(SSLWatchCb cb, int devId, char* error)
wolfSSL 16:8e0d178b1d1e 4512 {
wolfSSL 16:8e0d178b1d1e 4513 (void)devId;
wolfSSL 16:8e0d178b1d1e 4514 WatchCb = cb;
wolfSSL 16:8e0d178b1d1e 4515 return CreateWatchSnifferServer(error);
wolfSSL 16:8e0d178b1d1e 4516 }
wolfSSL 16:8e0d178b1d1e 4517
wolfSSL 16:8e0d178b1d1e 4518
wolfSSL 16:8e0d178b1d1e 4519 int ssl_SetWatchKeyCallback(SSLWatchCb cb, char* error)
wolfSSL 16:8e0d178b1d1e 4520 {
wolfSSL 16:8e0d178b1d1e 4521 WatchCb = cb;
wolfSSL 16:8e0d178b1d1e 4522 return CreateWatchSnifferServer(error);
wolfSSL 16:8e0d178b1d1e 4523 }
wolfSSL 16:8e0d178b1d1e 4524
wolfSSL 16:8e0d178b1d1e 4525
wolfSSL 16:8e0d178b1d1e 4526 int ssl_SetWatchKeyCtx(void* ctx, char* error)
wolfSSL 16:8e0d178b1d1e 4527 {
wolfSSL 16:8e0d178b1d1e 4528 (void)error;
wolfSSL 16:8e0d178b1d1e 4529 WatchCbCtx = ctx;
wolfSSL 16:8e0d178b1d1e 4530 return 0;
wolfSSL 16:8e0d178b1d1e 4531 }
wolfSSL 16:8e0d178b1d1e 4532
wolfSSL 16:8e0d178b1d1e 4533
wolfSSL 16:8e0d178b1d1e 4534 int ssl_SetWatchKey_buffer(void* vSniffer, const byte* key, word32 keySz,
wolfSSL 16:8e0d178b1d1e 4535 int keyType, char* error)
wolfSSL 16:8e0d178b1d1e 4536 {
wolfSSL 16:8e0d178b1d1e 4537 SnifferSession* sniffer;
wolfSSL 16:8e0d178b1d1e 4538 int ret;
wolfSSL 16:8e0d178b1d1e 4539
wolfSSL 16:8e0d178b1d1e 4540 if (vSniffer == NULL) {
wolfSSL 16:8e0d178b1d1e 4541 return -1;
wolfSSL 16:8e0d178b1d1e 4542 }
wolfSSL 16:8e0d178b1d1e 4543 if (key == NULL || keySz == 0) {
wolfSSL 16:8e0d178b1d1e 4544 return -1;
wolfSSL 16:8e0d178b1d1e 4545 }
wolfSSL 16:8e0d178b1d1e 4546
wolfSSL 16:8e0d178b1d1e 4547 sniffer = (SnifferSession*)vSniffer;
wolfSSL 16:8e0d178b1d1e 4548 /* Remap the keyType from what the user can use to
wolfSSL 16:8e0d178b1d1e 4549 * what wolfSSL_use_PrivateKey_buffer expects. */
wolfSSL 16:8e0d178b1d1e 4550 keyType = (keyType == FILETYPE_PEM) ? WOLFSSL_FILETYPE_PEM :
wolfSSL 16:8e0d178b1d1e 4551 WOLFSSL_FILETYPE_ASN1;
wolfSSL 16:8e0d178b1d1e 4552
wolfSSL 16:8e0d178b1d1e 4553 ret = wolfSSL_use_PrivateKey_buffer(sniffer->sslServer,
wolfSSL 16:8e0d178b1d1e 4554 key, keySz, keyType);
wolfSSL 16:8e0d178b1d1e 4555 if (ret != WOLFSSL_SUCCESS) {
wolfSSL 16:8e0d178b1d1e 4556 SetError(KEY_FILE_STR, error, sniffer, FATAL_ERROR_STATE);
wolfSSL 16:8e0d178b1d1e 4557 return -1;
wolfSSL 16:8e0d178b1d1e 4558 }
wolfSSL 16:8e0d178b1d1e 4559
wolfSSL 16:8e0d178b1d1e 4560 return 0;
wolfSSL 16:8e0d178b1d1e 4561 }
wolfSSL 16:8e0d178b1d1e 4562
wolfSSL 16:8e0d178b1d1e 4563
wolfSSL 16:8e0d178b1d1e 4564 int ssl_SetWatchKey_file(void* vSniffer, const char* keyFile, int keyType,
wolfSSL 16:8e0d178b1d1e 4565 const char* password, char* error)
wolfSSL 16:8e0d178b1d1e 4566 {
wolfSSL 16:8e0d178b1d1e 4567 byte* keyBuf = NULL;
wolfSSL 16:8e0d178b1d1e 4568 word32 keyBufSz = 0;
wolfSSL 16:8e0d178b1d1e 4569 int ret;
wolfSSL 16:8e0d178b1d1e 4570
wolfSSL 16:8e0d178b1d1e 4571 if (vSniffer == NULL) {
wolfSSL 16:8e0d178b1d1e 4572 return -1;
wolfSSL 16:8e0d178b1d1e 4573 }
wolfSSL 16:8e0d178b1d1e 4574 if (keyFile == NULL) {
wolfSSL 16:8e0d178b1d1e 4575 return -1;
wolfSSL 16:8e0d178b1d1e 4576 }
wolfSSL 16:8e0d178b1d1e 4577
wolfSSL 16:8e0d178b1d1e 4578 /* Remap the keyType from what the user can use to
wolfSSL 16:8e0d178b1d1e 4579 * what LoadKeyFile expects. */
wolfSSL 16:8e0d178b1d1e 4580 keyType = (keyType == FILETYPE_PEM) ? WOLFSSL_FILETYPE_PEM :
wolfSSL 16:8e0d178b1d1e 4581 WOLFSSL_FILETYPE_ASN1;
wolfSSL 16:8e0d178b1d1e 4582
wolfSSL 16:8e0d178b1d1e 4583 ret = LoadKeyFile(&keyBuf, &keyBufSz, keyFile, keyType, password);
wolfSSL 16:8e0d178b1d1e 4584 if (ret < 0) {
wolfSSL 16:8e0d178b1d1e 4585 SetError(KEY_FILE_STR, error, NULL, 0);
wolfSSL 16:8e0d178b1d1e 4586 XFREE(keyBuf, NULL, DYNAMIC_TYPE_X509);
wolfSSL 16:8e0d178b1d1e 4587 return -1;
wolfSSL 16:8e0d178b1d1e 4588 }
wolfSSL 16:8e0d178b1d1e 4589
wolfSSL 16:8e0d178b1d1e 4590 ret = ssl_SetWatchKey_buffer(vSniffer, keyBuf, keyBufSz, FILETYPE_DER,
wolfSSL 16:8e0d178b1d1e 4591 error);
wolfSSL 16:8e0d178b1d1e 4592 XFREE(keyBuf, NULL, DYNAMIC_TYPE_X509);
wolfSSL 16:8e0d178b1d1e 4593
wolfSSL 16:8e0d178b1d1e 4594 return ret;
wolfSSL 16:8e0d178b1d1e 4595 }
wolfSSL 16:8e0d178b1d1e 4596
wolfSSL 16:8e0d178b1d1e 4597 #endif /* WOLFSSL_SNIFFER_WATCH */
wolfSSL 16:8e0d178b1d1e 4598
wolfSSL 16:8e0d178b1d1e 4599
wolfSSL 16:8e0d178b1d1e 4600 #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
wolfSSL 16:8e0d178b1d1e 4601
wolfSSL 16:8e0d178b1d1e 4602 int ssl_SetStoreDataCallback(SSLStoreDataCb cb)
wolfSSL 16:8e0d178b1d1e 4603 {
wolfSSL 16:8e0d178b1d1e 4604 StoreDataCb = cb;
wolfSSL 16:8e0d178b1d1e 4605 return 0;
wolfSSL 16:8e0d178b1d1e 4606 }
wolfSSL 16:8e0d178b1d1e 4607
wolfSSL 16:8e0d178b1d1e 4608 #endif /* WOLFSSL_SNIFFER_STORE_DATA_CB */
wolfSSL 15:117db924cf7c 4609
wolfSSL 15:117db924cf7c 4610 #endif /* WOLFSSL_SNIFFER */
wolfSSL 15:117db924cf7c 4611 #endif /* WOLFCRYPT_ONLY */
wolfSSL 15:117db924cf7c 4612