2 years ago · 29c120356e
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -90,8 +90,11 @@ endif
 
				 EXTRA_DIST +=  scripts/testsuite.pcap \
			
 
				                scripts/sniffer-ipv6.pcap \
			
 
				                scripts/sniffer-tls13-dh.pcap \
			
 
				+               scripts/sniffer-tls13-dh-resume.pcap \
			
 
				                scripts/sniffer-tls13-ecc.pcap \
			
 
				+               scripts/sniffer-tls13-ecc-resume.pcap \
			
 
				                scripts/sniffer-tls13-x25519.pcap \
			
 
				+               scripts/sniffer-tls13-x25519-resume.pcap \
			
 
				                scripts/sniffer-tls13-gen.sh \
			
 
				                scripts/sniffer-tls13-hrr.pcap \
			
 
				                scripts/ping.test \
			
--- a/scripts/sniffer-testsuite.test
+++ b/scripts/sniffer-testsuite.test
@@ -14,53 +14,99 @@ fi
 
				 
			
 
				 # ./configure --enable-sniffer [--enable-session-ticket]
			
 
				 # Resumption tests require "--enable-session-ticket"
			
 
				+session_ticket=no
			
 
				+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'session_ticket '
			
 
				+if [ $? -eq 0 ]; then
			
 
				+    session_ticket=yes
			
 
				+fi
			
 
				+has_rsa=no
			
 
				+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
			
 
				+if [ $? -eq 0 ]; then
			
 
				+    has_rsa=yes
			
 
				+fi
			
 
				+RESULT=0
			
 
				 
			
 
				-echo -e "\nStaring snifftest on testsuite.pcap...\n"
			
 
				-./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
			
 
				+if test $session_ticket == yes
			
 
				+then
			
 
				+    # TLS v1.2 Static RSA Test
			
 
				+    echo -e "\nStaring snifftest on testsuite.pcap...\n"
			
 
				+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
			
 
				 
			
 
				-RESULT=$?
			
 
				-[ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
			
 
				+    RESULT=$?
			
 
				+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
			
 
				+fi
			
 
				 
			
 
				-# TLS v1.3 sniffer test ECC (and resumption)
			
 
				-if test $# -ne 0
			
 
				+# TLS v1.3 sniffer test ECC
			
 
				+if test $RESULT -eq 0
			
 
				 then
			
 
				     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
			
 
				 
			
 
				     RESULT=$?
			
 
				-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC\n" && exit 1
			
 
				+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
			
 
				 fi
			
 
				 
			
 
				-# TLS v1.3 sniffer test DH (and resumption)
			
 
				-if test $# -ne 0
			
 
				+# TLS v1.3 sniffer test DH
			
 
				+if test $RESULT -eq 0
			
 
				 then
			
 
				     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
			
 
				 
			
 
				     RESULT=$?
			
 
				-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH\n" && exit 1
			
 
				+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
			
 
				 fi
			
 
				 
			
 
				-# TLS v1.3 sniffer test X25519 (and resumption)
			
 
				-if test $# -ne 0
			
 
				+# TLS v1.3 sniffer test X25519
			
 
				+if test $RESULT -eq 0
			
 
				 then
			
 
				     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
			
 
				 
			
 
				     RESULT=$?
			
 
				-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519\n" && exit 1
			
 
				+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
			
 
				+fi
			
 
				+
			
 
				+# TLS v1.3 Resumption Tests
			
 
				+if test $session_ticket == yes
			
 
				+then
			
 
				+    # TLS v1.3 sniffer test ECC resumption
			
 
				+    if test $RESULT -eq 0
			
 
				+    then
			
 
				+        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
			
 
				+
			
 
				+        RESULT=$?
			
 
				+        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
			
 
				+    fi
			
 
				+
			
 
				+    # TLS v1.3 sniffer test DH
			
 
				+    if test $RESULT -eq 0
			
 
				+    then
			
 
				+        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
			
 
				+
			
 
				+        RESULT=$?
			
 
				+        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
			
 
				+    fi
			
 
				+
			
 
				+    # TLS v1.3 sniffer test X25519
			
 
				+    if test $RESULT -eq 0
			
 
				+    then
			
 
				+        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
			
 
				+
			
 
				+        RESULT=$?
			
 
				+        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
			
 
				+    fi
			
 
				 fi
			
 
				 
			
 
				 
			
 
				 # TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
			
 
				-if test $# -ne 0
			
 
				+if test $RESULT -eq 0
			
 
				 then
			
 
				     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
			
 
				 
			
 
				     RESULT=$?
			
 
				-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR\n" && exit 1
			
 
				+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
			
 
				 fi
			
 
				 
			
 
				 
			
 
				 # IPv6
			
 
				-if test $# -ne 0 && test "x$1" = "x-6";
			
 
				+if test $RESULT -eq 0 && test "x$1" = "x-6";
			
 
				 then
			
 
				     echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
			
 
				     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
			
--- a/scripts/sniffer-tls13-dh-resume.pcap
+++ b/scripts/sniffer-tls13-dh-resume.pcap
--- a/scripts/sniffer-tls13-dh.pcap
+++ b/scripts/sniffer-tls13-dh.pcap
--- a/scripts/sniffer-tls13-ecc-resume.pcap
+++ b/scripts/sniffer-tls13-ecc-resume.pcap
--- a/scripts/sniffer-tls13-ecc.pcap
+++ b/scripts/sniffer-tls13-ecc.pcap
--- a/scripts/sniffer-tls13-gen.sh
+++ b/scripts/sniffer-tls13-gen.sh
@@ -66,5 +66,97 @@ if [ "$1" == "hrr" ]; then
 
				     ./examples/server/server -v 4 -i -x -g &
			
 
				     sleep 0.1
			
 
				 
			
 
				-    ./examples/client/client -v 4 -J
			
 
				+# Run this script from the wolfSSL root
			
 
				+if [ ! -f wolfssl/ssl.h ]; then
			
 
				+    echo "Run from the wolfssl root"
			
 
				+    exit -1
			
 
				 fi
			
 
				+
			
 
				+run_sequence() {
			
 
				+    if [ "$1" == "dh" ] || [ "$1" == "ecc" ]; then
			
 
				+        # TLS v1.3
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256
			
 
				+    fi
			
 
				+    if [ "$1" == "dh-resume" ] || [ "$1" == "ecc-resume" ]; then
			
 
				+        # TLS v1.3 Resumption
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r
			
 
				+    fi
			
 
				+
			
 
				+    if [ "$1" == "x25519" ]; then
			
 
				+        # TLS v1.3
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+    fi
			
 
				+    # Run: with x25519_resume
			
 
				+    if [ "$1" == "x25519-resume" ]; then
			
 
				+        # TLS v1.3 Resumption
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES128-GCM-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-AES256-GCM-SHA384 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+
			
 
				+        ./examples/server/server -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/server-ed25519.pem -k ./certs/ed25519/server-ed25519-priv.pem -A ./certs/ed25519/client-ed25519.pem &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -l TLS13-CHACHA20-POLY1305-SHA256 -r -c ./certs/ed25519/client-ed25519.pem -k ./certs/ed25519/client-ed25519-priv.pem -A ./certs/ed25519/root-ed25519.pem
			
 
				+    fi
			
 
				+
			
 
				+    # TLS v1.3 Hello Retry Request
			
 
				+    if [ "$1" == "hrr" ]; then
			
 
				+        # TLS v1.3 Hello Retry Request
			
 
				+        ./examples/server/server -v 4 -i -x -g &
			
 
				+        sleep 0.1
			
 
				+        ./examples/client/client -v 4 -J
			
 
				+    fi
			
 
				+    sleep 1
			
 
				+}
			
 
				+
			
 
				+run_capture(){
			
 
				+    echo "configuring and building wolfssl..."
			
 
				+    ./configure --enable-sniffer $2 1>/dev/null || exit $?
			
 
				+    make 1>/dev/null || exit $?
			
 
				+    echo "starting capture"
			
 
				+    tcpdump -i lo0 -nn port 11111 -w ./scripts/sniffer-tls13-$1.pcap &
			
 
				+    tcpdump_pid=$!
			
 
				+    run_sequence $1
			
 
				+    kill $tcpdump_pid
			
 
				+}
			
 
				+
			
 
				+run_capture "ecc"           ""
			
 
				+run_capture "ecc-resume"    "--enable-session-ticket"
			
 
				+run_capture "dh"            "--disable-ecc"
			
 
				+run_capture "dh-resume"     "--disable-ecc --enable-session-ticket"
			
 
				+run_capture "x25519"        "--enable-curve25519 --disable-dh --disable-ecc"
			
 
				+run_capture "x25519-resume" "--enable-curve25519 --disable-dh --disable-ecc --enable-session-ticket"
			
 
				+run_capture "hrr"           "--disable-dh CFLAGS=-DWOLFSSL_SNIFFER_WATCH"
			
--- a/scripts/sniffer-tls13-hrr.pcap
+++ b/scripts/sniffer-tls13-hrr.pcap
--- a/scripts/sniffer-tls13-x25519-resume.pcap
+++ b/scripts/sniffer-tls13-x25519-resume.pcap
--- a/scripts/sniffer-tls13-x25519.pcap
+++ b/scripts/sniffer-tls13-x25519.pcap
--- a/src/internal.c
+++ b/src/internal.c
@@ -15876,8 +15876,8 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
 
				     return ret;
			
 
				 }
			
 
				 
			
 
				-static WC_INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
			
 
				-                           word16 sz)
			
 
				+int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
			
 
				+                           word16 sz, int doAlert)
			
 
				 {
			
 
				     int ret = 0;
			
 
				 
			
@@ -15996,12 +15996,13 @@ static WC_INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
 
				 
			
 
				     /* handle mac error case */
			
 
				     if (ret == VERIFY_MAC_ERROR) {
			
 
				-        if (!ssl->options.dtls)
			
 
				+        if (!ssl->options.dtls && doAlert) {
			
 
				             SendAlert(ssl, alert_fatal, bad_record_mac);
			
 
				-
			
 
				-        #ifdef WOLFSSL_DTLS_DROP_STATS
			
 
				+        }
			
 
				+    #ifdef WOLFSSL_DTLS_DROP_STATS
			
 
				+        if (ssl->options.dtls)
			
 
				             ssl->macDropCount++;
			
 
				-        #endif /* WOLFSSL_DTLS_DROP_STATS */
			
 
				+    #endif /* WOLFSSL_DTLS_DROP_STATS */
			
 
				     }
			
 
				 
			
 
				     return ret;
			
@@ -17149,10 +17150,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 
				             #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
			
 
				                     if (ssl->options.startedETMRead) {
			
 
				                         word32 digestSz = MacSize(ssl);
			
 
				-                        ret = Decrypt(ssl,
			
 
				+                        ret = DecryptTls(ssl,
			
 
				                                       in->buffer + in->idx,
			
 
				                                       in->buffer + in->idx,
			
 
				-                                      ssl->curSize - (word16)digestSz);
			
 
				+                                      ssl->curSize - (word16)digestSz, 1);
			
 
				                         if (ret == 0) {
			
 
				                             byte invalid = 0;
			
 
				                             byte padding = (byte)-1;
			
@@ -17188,10 +17189,10 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 
				                     else
			
 
				             #endif
			
 
				                     {
			
 
				-                        ret = Decrypt(ssl,
			
 
				+                        ret = DecryptTls(ssl,
			
 
				                                       in->buffer + in->idx,
			
 
				                                       in->buffer + in->idx,
			
 
				-                                      ssl->curSize);
			
 
				+                                      ssl->curSize, 1);
			
 
				                     }
			
 
				         #else
			
 
				                         ret = DECRYPT_ERROR;
			
@@ -17204,7 +17205,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
 
				                                         in->buffer + in->idx,
			
 
				                                         in->buffer + in->idx,
			
 
				                                         ssl->curSize,
			
 
				-                                        (byte*)&ssl->curRL, RECORD_HEADER_SZ);
			
 
				+                                        (byte*)&ssl->curRL, RECORD_HEADER_SZ, 1);
			
 
				                 #else
			
 
				                         ret = DECRYPT_ERROR;
			
 
				                 #endif /* WOLFSSL_TLS13 */
			
@@ -26804,11 +26805,15 @@ int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
 
				         if (ssl->options.tls1_3) {
			
 
				             XMEMCPY(ssl->session->sessionID,
			
 
				                                  ssl->session->ticket + length - ID_LEN, ID_LEN);
			
 
				+            ssl->session->sessionIDSz = ID_LEN;
			
 
				         }
			
 
				         else
			
 
				 #endif
			
 
				+        {
			
 
				             XMEMCPY(ssl->arrays->sessionID,
			
 
				                                  ssl->session->ticket + length - ID_LEN, ID_LEN);
			
 
				+            ssl->arrays->sessionIDSz = ID_LEN;
			
 
				+        }
			
 
				     }
			
 
				 
			
 
				     return 0;
			
--- a/src/sniffer.c
+++ b/src/sniffer.c
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -2106,10 +2106,11 @@ static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
 
				  * sz      The length of the encrypted data plus authentication tag.
			
 
				  * aad     The additional authentication data.
			
 
				  * aadSz   The size of the addition authentication data.
			
 
				+ * doAlert Generate alert on error (not for sniffer use cases)
			
 
				  * returns 0 on success, otherwise failure.
			
 
				  */
			
 
				 int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
			
 
				-                 const byte* aad, word16 aadSz)
			
 
				+                 const byte* aad, word16 aadSz, int doAlert)
			
 
				 {
			
 
				     int    ret    = 0;
			
 
				     word16 dataSz = sz - ssl->specs.aead_mac_size;
			
@@ -2275,9 +2276,13 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
 
				 
			
 
				 #ifndef WOLFSSL_EARLY_DATA
			
 
				     if (ret < 0) {
			
 
				-        SendAlert(ssl, alert_fatal, bad_record_mac);
			
 
				+        if (doAlert) {
			
 
				+            SendAlert(ssl, alert_fatal, bad_record_mac);
			
 
				+        }
			
 
				         ret = VERIFY_MAC_ERROR;
			
 
				     }
			
 
				+#else
			
 
				+    (void)doAlert;
			
 
				 #endif
			
 
				 
			
 
				     return ret;
			
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@@ -27,6 +27,8 @@
 
				 #include <wolfssl/wolfcrypt/settings.h>
			
 
				 #include <wolfssl/wolfcrypt/types.h>
			
 
				 #include <wolfssl/wolfcrypt/logging.h>
			
 
				+#include <wolfssl/wolfcrypt/error-crypt.h>
			
 
				+#include <wolfssl/version.h>
			
 
				 
			
 
				 #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
			
 
				     #include <wolfssl/wolfcrypt/memory.h>
			
@@ -382,6 +384,80 @@ static void TrimNewLine(char* str)
 
				         str[strSz-1] = '\0';
			
 
				 }
			
 
				 
			
 
				+static void show_appinfo(void)
			
 
				+{
			
 
				+    printf("snifftest %s\n", LIBWOLFSSL_VERSION_STRING);
			
 
				+
			
 
				+    /* list enabled sniffer features */
			
 
				+    printf("sniffer features: "
			
 
				+    #ifdef WOLFSSL_SNIFFER_STATS
			
 
				+        "stats, "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_SNIFFER_WATCH
			
 
				+        "watch, "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB
			
 
				+        "store_data_cb "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
			
 
				+        "chain_input "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_SNIFFER_KEY_CALLBACK
			
 
				+        "key_callback "
			
 
				+    #endif
			
 
				+    #ifdef DEBUG_SNIFFER
			
 
				+        "debug "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_TLS13
			
 
				+        "tls_v13 "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_SESSION_TICKET
			
 
				+        "session_ticket "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_STATIC_EPHEMERAL
			
 
				+        "static_ephemeral "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_ENCRYPTED_KEYS
			
 
				+        "encrypted_keys "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_SNI
			
 
				+        "sni "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_EXTENDED_MASTER
			
 
				+        "extended_master "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_MAX_FRAGMENT
			
 
				+        "max fragment "
			
 
				+    #endif
			
 
				+    #ifdef WOLFSSL_ASYNC_CRYPT
			
 
				+        "async_crypt "
			
 
				+    #endif
			
 
				+    #ifndef NO_RSA
			
 
				+        "rsa "
			
 
				+    #endif
			
 
				+    #if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)
			
 
				+        "dh "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_ECC
			
 
				+        "ecc "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_CURVE448
			
 
				+        "x448 "
			
 
				+    #endif
			
 
				+    #ifdef HAVE_CURVE22519
			
 
				+        "x22519 "
			
 
				+    #endif
			
 
				+    "\n\n"
			
 
				+    );
			
 
				+}
			
 
				+static void show_usage(void)
			
 
				+{
			
 
				+    printf("usage:\n");
			
 
				+    printf("\t./snifftest\n");
			
 
				+    printf("\t\tprompts for options\n");
			
 
				+    printf("\t./snifftest dump pemKey [server] [port] [password]\n");
			
 
				+}
			
 
				+
			
 
				 int main(int argc, char** argv)
			
 
				 {
			
 
				     int          ret = 0;
			
@@ -401,11 +477,15 @@ int main(int argc, char** argv)
 
				     struct       bpf_program fp;
			
 
				     pcap_if_t   *d;
			
 
				     pcap_addr_t *a;
			
 
				+    int          isChain = 0;
			
 
				+    int          j;
			
 
				 #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
			
 
				-    struct iovec chain[CHAIN_INPUT_COUNT];
			
 
				-    int          chainSz;
			
 
				+    struct iovec chains[CHAIN_INPUT_COUNT];
			
 
				+    unsigned int remainder;
			
 
				 #endif
			
 
				 
			
 
				+    show_appinfo();
			
 
				+
			
 
				     signal(SIGINT, sig_handler);
			
 
				 
			
 
				 #ifndef _WIN32
			
@@ -601,9 +681,7 @@ int main(int argc, char** argv)
 
				         }
			
 
				     }
			
 
				     else {
			
 
				-        /* usage error */
			
 
				-        printf( "usage: ./snifftest or ./snifftest dump pemKey"
			
 
				-                " [server] [port] [password]\n");
			
 
				+        show_usage();
			
 
				         exit(EXIT_FAILURE);
			
 
				     }
			
 
				 
			
@@ -618,9 +696,11 @@ int main(int argc, char** argv)
 
				         struct pcap_pkthdr header;
			
 
				         const unsigned char* packet = pcap_next(pcap, &header);
			
 
				         SSLInfo sslInfo;
			
 
				+        void* chain = NULL;
			
 
				+        int   chainSz = 0;
			
 
				+
			
 
				         packetNumber++;
			
 
				         if (packet) {
			
 
				-
			
 
				             byte* data = NULL;
			
 
				 
			
 
				             if (header.caplen > 40)  { /* min ip(20) + min tcp(20) */
			
@@ -629,45 +709,69 @@ int main(int argc, char** argv)
 
				             }
			
 
				             else
			
 
				                 continue;
			
 
				+
			
 
				 #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT
			
 
				-            {
			
 
				-                unsigned int j = 0;
			
 
				-                unsigned int remainder = header.caplen;
			
 
				-
			
 
				-                chainSz = 0;
			
 
				-                do {
			
 
				-                    unsigned int chunkSz;
			
 
				-
			
 
				-                    chunkSz = min(remainder, CHAIN_INPUT_CHUNK_SIZE);
			
 
				-                    chain[chainSz].iov_base = (void*)(packet + j);
			
 
				-                    chain[chainSz].iov_len = chunkSz;
			
 
				-                    j += chunkSz;
			
 
				-                    remainder -= chunkSz;
			
 
				-                    chainSz++;
			
 
				-                } while (j < header.caplen);
			
 
				-            }
			
 
				+            isChain = 1;
			
 
				+            j = 0;
			
 
				+            remainder = header.caplen;
			
 
				+            chainSz = 0;
			
 
				+            do {
			
 
				+                unsigned int chunkSz = min(remainder, CHAIN_INPUT_CHUNK_SIZE);
			
 
				+                chains[chainSz].iov_base = (void*)(packet + j);
			
 
				+                chains[chainSz].iov_len = chunkSz;
			
 
				+                j += chunkSz;
			
 
				+                remainder -= chunkSz;
			
 
				+                chainSz++;
			
 
				+            } while (j < (int)header.caplen);
			
 
				+            chain = (void*)chains;
			
 
				+#else
			
 
				+            chain = (void*)packet;
			
 
				+            chainSz = header.caplen;
			
 
				+            (void)isChain;
			
 
				 #endif
			
 
				 
			
 
				-#if defined(WOLFSSL_SNIFFER_CHAIN_INPUT) && \
			
 
				-    defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
			
 
				+#ifdef WOLFSSL_ASYNC_CRYPT
			
 
				+            do {
			
 
				+                WOLF_EVENT* events[1]; /* poll for single event */
			
 
				+                int eventCount = 0;
			
 
				+
			
 
				+                /* For async call the original API again with same data, 
			
 
				+                 * or call with different sessions for multiple concurrent
			
 
				+                 * stream processing */
			
 
				+                ret = ssl_DecodePacketAsync(chain, chainSz, isChain, &data, err,
			
 
				+                    &sslInfo, NULL);
			
 
				+
			
 
				+                if (ret == WC_PENDING_E) {
			
 
				+                    if (ssl_PollSniffer(events, 1, WOLF_POLL_FLAG_CHECK_HW,
			
 
				+                        &eventCount) != 0) {
			
 
				+                        break;
			
 
				+                    }
			
 
				+                }
			
 
				+            } while (ret == WC_PENDING_E);
			
 
				+#elif defined(WOLFSSL_SNIFFER_CHAIN_INPUT) && \
			
 
				+      defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
			
 
				             ret = ssl_DecodePacketWithChainSessionInfoStoreData(chain, chainSz,
			
 
				                     &data, &sslInfo, err);
			
 
				 #elif defined(WOLFSSL_SNIFFER_CHAIN_INPUT)
			
 
				             (void)sslInfo;
			
 
				             ret = ssl_DecodePacketWithChain(chain, chainSz, &data, err);
			
 
				-#elif defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
			
 
				+#else
			
 
				+    #if defined(WOLFSSL_SNIFFER_STORE_DATA_CB)
			
 
				             ret = ssl_DecodePacketWithSessionInfoStoreData(packet,
			
 
				                     header.caplen, &data, &sslInfo, err);
			
 
				-#else
			
 
				+    #else
			
 
				             ret = ssl_DecodePacketWithSessionInfo(packet, header.caplen, &data,
			
 
				                                                   &sslInfo, err);
			
 
				+    #endif
			
 
				+            (void)chain;
			
 
				+            (void)chainSz;
			
 
				 #endif
			
 
				+
			
 
				             if (ret < 0) {
			
 
				                 printf("ssl_Decode ret = %d, %s\n", ret, err);
			
 
				                 hadBadPacket = 1;
			
 
				             }
			
 
				             if (ret > 0) {
			
 
				-                int j;
			
 
				                 /* Convert non-printable data to periods. */
			
 
				                 for (j = 0; j < ret; j++) {
			
 
				                     if (isprint(data[j]) || isspace(data[j])) continue;
			
--- a/wolfcrypt/src/wolfevent.c
+++ b/wolfcrypt/src/wolfevent.c
@@ -205,7 +205,7 @@ int wolfEventQueue_Poll(WOLF_EVENT_QUEUE* queue, void* context_filter,
 
				     }
			
 
				 #endif
			
 
				 
			
 
				-    /* itterate event queue */
			
 
				+    /* iterrate event queue */
			
 
				     for (event = queue->head; event != NULL; event = event->next)
			
 
				     {
			
 
				         /* optional filter based on context */
			
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1760,9 +1760,14 @@ WOLFSSL_LOCAL int  HashInput(WOLFSSL* ssl, const byte* input, int sz);
 
				 WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl);
			
 
				 #endif
			
 
				 #endif
			
 
				+
			
 
				+WOLFSSL_LOCAL int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input,
			
 
				+                             word16 sz, int doAlert);
			
 
				+
			
 
				 #ifdef WOLFSSL_TLS13
			
 
				 WOLFSSL_LOCAL int  DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
			
 
				-                                word16 sz, const byte* aad, word16 aadSz);
			
 
				+                                word16 sz, const byte* aad, word16 aadSz,
			
 
				+                                int doAlert);
			
 
				 WOLFSSL_LOCAL int  DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input,
			
 
				                                            word32* inOutIdx, byte type,
			
 
				                                            word32 size, word32 totalSz);
			
--- a/wolfssl/sniffer.h
+++ b/wolfssl/sniffer.h
@@ -27,6 +27,11 @@
 
				 #include <wolfssl/wolfcrypt/settings.h>
			
 
				 #include <wolfssl/wolfcrypt/asn_public.h>
			
 
				 
			
 
				+#ifdef HAVE_WOLF_EVENT
			
 
				+    #include <wolfssl/wolfcrypt/wolfevent.h>
			
 
				+#endif
			
 
				+
			
 
				+
			
 
				 #ifdef _WIN32
			
 
				     #ifdef SSL_SNIFFER_EXPORTS
			
 
				         #define SSL_SNIFFER_API __declspec(dllexport)
			
@@ -119,9 +124,13 @@ SSL_SNIFFER_API int ssl_GetSessionStats(unsigned int* active,
 
				                                         unsigned int* reassemblyMemory,
			
 
				                                         char* error);
			
 
				 
			
 
				-WOLFSSL_API void ssl_InitSniffer(void);
			
 
				+WOLFSSL_API 
			
 
				+SSL_SNIFFER_API void ssl_InitSniffer(void);
			
 
				+WOLFSSL_API 
			
 
				+SSL_SNIFFER_API void ssl_InitSniffer_ex(int devId);
			
 
				 
			
 
				-WOLFSSL_API void ssl_FreeSniffer(void);
			
 
				+WOLFSSL_API 
			
 
				+SSL_SNIFFER_API void ssl_FreeSniffer(void);
			
 
				 
			
 
				 
			
 
				 /* ssl_SetPrivateKey typeKs */
			
@@ -270,6 +279,21 @@ SSL_SNIFFER_API int ssl_DecodePacketWithChainSessionInfoStoreData(
 
				 #endif
			
 
				 
			
 
				 
			
 
				+#ifdef WOLFSSL_ASYNC_CRYPT
			
 
				+
			
 
				+WOLFSSL_API
			
 
				+SSL_SNIFFER_API int ssl_DecodePacketAsync(void* packet, unsigned int packetSz,
			
 
				+    int isChain, unsigned char** data, char* error, SSLInfo* sslInfo,
			
 
				+    void* userCtx);
			
 
				+
			
 
				+WOLFSSL_API
			
 
				+SSL_SNIFFER_API int ssl_PollSniffer(WOLF_EVENT** events, int maxEvents,
			
 
				+    WOLF_EVENT_FLAG flags, int* eventCount);
			
 
				+
			
 
				+#endif /* WOLFSSL_ASYNC_CRYPT */
			
 
				+
			
 
				+
			
 
				+
			
 
				 #ifdef __cplusplus
			
 
				     }  /* extern "C" */
			
 
				 #endif
			
--- a/wolfssl/wolfcrypt/dh.h
+++ b/wolfssl/wolfcrypt/dh.h
@@ -91,6 +91,11 @@ enum {
 
				     WC_FFDHE_8192 = 260,
			
 
				 };
			
 
				 
			
 
				+/* DH Private Key size up to 8192 bit */
			
 
				+#ifndef WC_DH_PRIV_MAX_SZ
			
 
				+#define WC_DH_PRIV_MAX_SZ 52
			
 
				+#endif
			
 
				+
			
 
				 #ifdef HAVE_PUBLIC_FFDHE
			
 
				 #ifdef HAVE_FFDHE_2048
			
 
				 WOLFSSL_API const DhParams* wc_Dh_ffdhe2048_Get(void);
			
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -24,7 +24,7 @@
 
				 */
			
 
				 /*
			
 
				 DESCRIPTION
			
 
				-This library defines error codes and contians routines for setting and examining
			
 
				+This library defines error codes and contains routines for setting and examining
			
 
				 the error status.
			
 
				 */
			
 
				 
			
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -904,6 +904,7 @@ decouple library dependencies with standard string, memory and so on.
 
				         DYNAMIC_TYPE_SNIFFER_PB_BUFFER  = 1003,
			
 
				         DYNAMIC_TYPE_SNIFFER_TICKET_ID  = 1004,
			
 
				         DYNAMIC_TYPE_SNIFFER_NAMED_KEY  = 1005,
			
 
				+        DYNAMIC_TYPE_SNIFFER_KEY        = 1006,
			
 
				     };
			
 
				 
			
 
				     /* max error buffer string size */