
Fixes for minor sniffer and async issues:
* Sniffer: Remove old restrictions for max strength, encrypt-then-mac and forcing openssl-extra.
* Fix bound warning with strncpy in sniffer.c.
* Fix for async DH issue.
* Fix for SP math all not initializing raw big int.
* Fix for array bounds warning with "-O3" on SetEccPublicKey.
* Fix a sniffer async edge case with TLS v1.2 static RSA and extended master.
* Improved the sniffer test script detection of features.
* Disable ECC custom curve test with Intel QuickAssist.

David Garske 2 years ago
parent
commit
659d33fdaf

+ 1 - 9
configure.ac

@@ -1679,12 +1679,6 @@ AC_ARG_WITH([se050],
     ]
 )
 
-# sniffer doesn't work in maxstrength mode
-if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
-then
-    AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
-fi
-
 ENABLED_SNIFFTEST=no
 AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ],
       [
@@ -5245,8 +5239,6 @@ then
     ENABLED_ENCRYPT_THEN_MAC=yes
 fi
 
-AS_IF([test "x$ENABLED_SNIFFER" = "xyes"],[ENABLED_ENCRYPT_THEN_MAC="no"])
-
 if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
 then
     AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
@@ -7099,7 +7091,7 @@ AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
 if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
    test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
    test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
-   test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
+   test "$ENABLED_OPENSSLALL" = "yes" || \
    test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
    test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
    test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"

+ 2 - 2
scripts/include.am

@@ -87,7 +87,7 @@ noinst_SCRIPTS+= scripts/unit.test.in
 endif
 endif
 
-EXTRA_DIST +=  scripts/testsuite.pcap \
+EXTRA_DIST +=  scripts/sniffer-static-rsa.pcap \
                scripts/sniffer-ipv6.pcap \
                scripts/sniffer-tls13-dh.pcap \
                scripts/sniffer-tls13-dh-resume.pcap \
@@ -95,8 +95,8 @@ EXTRA_DIST +=  scripts/testsuite.pcap \
                scripts/sniffer-tls13-ecc-resume.pcap \
                scripts/sniffer-tls13-x25519.pcap \
                scripts/sniffer-tls13-x25519-resume.pcap \
-               scripts/sniffer-tls13-gen.sh \
                scripts/sniffer-tls13-hrr.pcap \
+               scripts/sniffer-gen.sh \
                scripts/ping.test \
                scripts/benchmark.test \
                scripts/memtest.sh \

+ 0 - 0
scripts/sniffer-tls13-gen.sh → scripts/sniffer-gen.sh


+ 0 - 0
scripts/testsuite.pcap → scripts/sniffer-static-rsa.pcap


+ 72 - 46
scripts/sniffer-testsuite.test

@@ -12,6 +12,36 @@ if [ "${AM_BWRAPPED-}" != "yes" ]; then
     unset AM_BWRAPPED
 fi
 
+has_tlsv13=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
+if [ $? -eq 0 ]; then
+    has_tlsv13=yes
+fi
+has_tlsv12=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
+if [ $? -eq 0 ]; then
+    has_tlsv12=yes
+fi
+has_rsa=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
+if [ $? -eq 0 ]; then
+    has_rsa=yes
+fi
+has_ecc=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
+if [ $? -eq 0 ]; then
+    has_ecc=yes
+fi
+has_x22519=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
+if [ $? -eq 0 ]; then
+    has_x22519=yes
+fi
+has_dh=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
+if [ $? -eq 0 ]; then
+    has_dh=yes
+fi
 # ./configure --enable-sniffer [--enable-session-ticket]
 # Resumption tests require "--enable-session-ticket"
 session_ticket=no
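Review bot: The feature probes added here launch `snifftest -?` once per feature and pipe it through `grep` without `-q`, so every matching usage line is echoed into the test log. Capture the output once, e.g. `features=$(./sslSniffer/sslSnifferTest/snifftest -? 2>&1)`, and test each token with `echo "$features" | grep -q -- 'tls_v13 '`. The patterns are unanchored substrings, so `'dh '` or `'ecc '` would also match any longer token that ends in those letters; whether such a token exists depends on the full feature list, which is not visible in this diff.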
@@ -19,25 +49,37 @@ session_ticket=no
 if [ $? -eq 0 ]; then
     session_ticket=yes
 fi
-has_rsa=no
-./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
+has_static_rsa=no
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
 if [ $? -eq 0 ]; then
-    has_rsa=yes
+    has_static_rsa=yes
 fi
+
+
 RESULT=0
 
-if test $session_ticket == yes
+# TLS v1.2 Static RSA Test
+if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
 then
-    # TLS v1.2 Static RSA Test
     echo -e "\nStaring snifftest on testsuite.pcap...\n"
-    ./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111
 
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
+fi
+
+# TLS v1.2 Static RSA Test (IPv6)
+if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
+then
+    echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
+
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
 fi
 
 # TLS v1.3 sniffer test ECC
-if test $RESULT -eq 0
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
 then
     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
 
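Review bot: The IPv6 static RSA block is no longer opt-in: the old script ran it only when invoked with `-6`, while the new condition checks only `has_rsa`, `has_tlsv12` and `has_static_rsa`. If snifftest's handling of the `::1` server address depends on a build option, the block needs its own feature probe or the suite will fail on builds without it; that dependency is not visible in this diff. The progress message in the first block still names `testsuite.pcap` although the capture is now `sniffer-static-rsa.pcap`; `echo -e "\nStarting snifftest on sniffer-static-rsa.pcap...\n"` would match the file actually used.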
@@ -46,7 +88,7 @@ then
 fi
 
 # TLS v1.3 sniffer test DH
-if test $RESULT -eq 0
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
 then
     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
 
@@ -55,7 +97,7 @@ then
 fi
 
 # TLS v1.3 sniffer test X25519
-if test $RESULT -eq 0
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x22519 == yes
 then
     ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
 
@@ -63,56 +105,40 @@ then
     [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
 fi
 
-# TLS v1.3 Resumption Tests
-if test $session_ticket == yes
+# TLS v1.3 sniffer test ECC resumption
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
 then
-    # TLS v1.3 sniffer test ECC resumption
-    if test $RESULT -eq 0
-    then
-        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
-
-        RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
-    fi
-
-    # TLS v1.3 sniffer test DH
-    if test $RESULT -eq 0
-    then
-        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
 
-        RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
-    fi
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
+fi
 
-    # TLS v1.3 sniffer test X25519
-    if test $RESULT -eq 0
-    then
-        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
+# TLS v1.3 sniffer test DH
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
+then
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
 
-        RESULT=$?
-        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
-    fi
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
 fi
 
-
-# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
-if test $RESULT -eq 0
+# TLS v1.3 sniffer test X25519
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
 then
-    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
 
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
 fi
 
-
-# IPv6
-if test $RESULT -eq 0 && test "x$1" = "x-6";
+# TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
+if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
 then
-    echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
-    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
 
     RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
 fi
 
 echo -e "\nSuccess!\n"
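Review bot: The X25519 resumption block tests `$has_x25519`, but the probe earlier in the script sets `has_x22519`, so the expansion is empty, `test` sees a malformed expression, and the resumption capture is never run. Use the name that is actually set, `test $has_x22519 == yes`, or rename the probe variable and quote the expansion (`test "$has_x25519" = yes`) so an unset flag fails cleanly instead of raising a syntax error. The three resumption blocks also reuse the comments and failure messages of the non-resumption tests (for example `snifftest TLS v1.3 DH failed`), which makes a failing log ambiguous; adding `resume` to each would distinguish them.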

+ 27 - 21
src/sniffer.c

@@ -973,6 +973,7 @@ typedef struct TcpPseudoHdr {
 } TcpPseudoHdr;
 
 
+#ifdef WOLFSSL_ENCRYPTED_KEYS
 /* Password Setting Callback */
 static int SetPassword(char* passwd, int sz, int rw, void* userdata)
 {
@@ -980,7 +981,7 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata)
     XSTRNCPY(passwd, (const char*)userdata, sz);
     return (int)XSTRLEN((const char*)userdata);
 }
-
+#endif
 
 /* Ethernet Header */
 typedef struct EthernetHdr {
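Review bot: The copy in SetPassword shown here still passes the full `sz` to `XSTRNCPY` and returns `XSTRLEN(userdata)` even when that exceeds `sz`, although this commit tightens the same pattern in CopySessionInfo. With a password of `sz` bytes or more the buffer is left unterminated and the reported length is larger than what was copied; how the caller uses that length is not visible here. Consider rejecting the oversized case before the copy, e.g. `if ((int)XSTRLEN((const char*)userdata) >= sz) return -1;`, assuming the key loader treats a negative return as failure. The start of SetPassword is in the previous hunk.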
@@ -2140,7 +2141,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
             pCipher = wolfSSL_get_cipher(session->sslServer);
             if (NULL != pCipher) {
                 XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher,
-                         sizeof(sslInfo->serverCipherSuiteName));
+                         sizeof(sslInfo->serverCipherSuiteName) - 1);
                 sslInfo->serverCipherSuiteName
                          [sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0';
             }
@@ -2148,7 +2149,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
         #ifdef HAVE_SNI
             if (NULL != session->sni) {
                 XSTRNCPY((char*)sslInfo->serverNameIndication,
-                         session->sni, sizeof(sslInfo->serverNameIndication));
+                    session->sni, sizeof(sslInfo->serverNameIndication) - 1);
                 sslInfo->serverNameIndication
                          [sizeof(sslInfo->serverNameIndication) - 1] = '\0';
             }
@@ -4445,27 +4446,32 @@ static int DoHandShake(const byte* input, int* sslBytes,
         case client_key_exchange:
             Trace(GOT_CLIENT_KEY_EX_STR);
 #ifdef HAVE_EXTENDED_MASTER
-            if (session->flags.expectEms && session->hash != NULL) {
-                if (HashCopy(session->sslServer->hsHashes,
-                             session->hash) == 0 &&
-                    HashCopy(session->sslClient->hsHashes,
-                             session->hash) == 0) {
-
-                    session->sslServer->options.haveEMS = 1;
-                    session->sslClient->options.haveEMS = 1;
+        #ifdef WOLFSSL_ASYNC_CRYPT
+            if (session->sslServer->error != WC_PENDING_E)
+        #endif
+            {
+                if (session->flags.expectEms && session->hash != NULL) {
+                    if (HashCopy(session->sslServer->hsHashes,
+                                session->hash) == 0 &&
+                        HashCopy(session->sslClient->hsHashes,
+                                session->hash) == 0) {
+
+                        session->sslServer->options.haveEMS = 1;
+                        session->sslClient->options.haveEMS = 1;
+                    }
+                    else {
+                        SetError(EXTENDED_MASTER_HASH_STR, error,
+                                session, FATAL_ERROR_STATE);
+                        ret = -1;
+                    }
+                    XMEMSET(session->hash, 0, sizeof(HsHashes));
+                    XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
+                    session->hash = NULL;
                 }
                 else {
-                    SetError(EXTENDED_MASTER_HASH_STR, error,
-                             session, FATAL_ERROR_STATE);
-                    ret = -1;
+                    session->sslServer->options.haveEMS = 0;
+                    session->sslClient->options.haveEMS = 0;
                 }
-                XMEMSET(session->hash, 0, sizeof(HsHashes));
-                XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
-                session->hash = NULL;
-            }
-            else {
-                session->sslServer->options.haveEMS = 0;
-                session->sslClient->options.haveEMS = 0;
             }
 #endif
             if (ret == 0) {
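Review bot: The new `WC_PENDING_E` guard has no comment explaining why the extended-master-secret block must be skipped, and an `#ifdef`-wrapped `if` followed by a bare brace block is easy to misread. Presumably it keeps a client_key_exchange that is re-processed after an async operation from falling into the `else` branch and clearing `haveEMS` once `session->hash` has already been consumed and freed. If that is the intent, state it above the guard, e.g. `/* async retry: EMS hash was applied on the first pass, do not reset haveEMS */`. The case body continues past the end of the hunk.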

+ 9 - 0
sslSniffer/sslSnifferTest/snifftest.c

@@ -411,6 +411,9 @@ static void show_appinfo(void)
     #ifdef WOLFSSL_TLS13
         "tls_v13 "
     #endif
+    #ifndef WOLFSSL_NO_TLS12
+        "tls_v12 "
+    #endif
     #ifdef HAVE_SESSION_TICKET
         "session_ticket "
     #endif
@@ -447,6 +450,12 @@ static void show_appinfo(void)
     #ifdef HAVE_CURVE22519
         "x22519 "
     #endif
+    #ifdef WOLFSSL_STATIC_RSA
+        "rsa_static "
+    #endif
+    #ifdef WOLFSSL_STATIC_DH
+        "dh_static "
+    #endif
     "\n\n"
     );
 }
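Review bot: The test script in this commit now skips captures based on these tokens, so a token that is never printed becomes a silently skipped test rather than a failure. The context line `#ifdef HAVE_CURVE22519` guarding `"x22519 "` looks like a misspelling of the library's `HAVE_CURVE25519` macro; if so, the token is never emitted and every X25519 sniffer test is skipped. That is worth confirming, and the guard, the token and the script's `has_x22519` probe should be fixed together. The new `"dh_static "` token is not consumed by anything in this commit. show_appinfo starts outside the hunk.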

+ 9 - 5
wolfcrypt/src/asn.c

@@ -12968,7 +12968,7 @@ static int SetCurve(ecc_key* key, byte* output)
 #ifdef HAVE_OID_ENCODING
     int ret;
 #endif
-    int idx = 0;
+    int idx;
     word32 oidSz = 0;
 
     /* validate key */
@@ -12985,7 +12985,12 @@ static int SetCurve(ecc_key* key, byte* output)
     oidSz = key->dp->oidSz;
 #endif
 
-    idx += SetObjectId(oidSz, output);
+    idx = SetObjectId(oidSz, output);
+
+    /* length only */
+    if (output == NULL) {
+        return idx + oidSz;
+    }
 
 #ifdef HAVE_OID_ENCODING
     ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
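Review bot: SetCurve gains a length-only mode here but nothing documents it; the function comment, which is outside this hunk, should say that a NULL `output` returns the encoded size without writing, e.g. `/* output may be NULL to query the length only */`. The new path relies on `SetObjectId(oidSz, output)` tolerating a NULL `output`, which is not visible in this diff and should be confirmed. `return idx + oidSz` adds an `int` to a `word32`; `return idx + (int)oidSz;` keeps the arithmetic signed.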
@@ -21206,7 +21211,6 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
     word32 pubSz;
     byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */
     byte algo[MAX_ALGO_SZ];  /* 20 */
-    byte curve[MAX_ALGO_SZ]; /* 20 */
 
     /* public size */
     pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES;
@@ -21219,7 +21223,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
 
     /* headers */
     if (with_header) {
-        curveSz = SetCurve(key, curve);
+        curveSz = SetCurve(key, NULL);
         if (curveSz <= 0) {
             return curveSz;
         }
@@ -21242,7 +21246,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
         idx += algoSz;
         /* curve */
         if (output)
-            XMEMCPY(output + idx, curve, curveSz);
+            (void)SetCurve(key, output + idx);
         idx += curveSz;
         /* bit string */
         if (output)
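Review bot: The result of the second `SetCurve` call is discarded with `(void)`, while `idx` is advanced by the `curveSz` obtained from the earlier length-only call. If the write call fails or returns a different length, the encoder continues with a gap or overlap in `output`; compare the return value with `curveSz` and return an error on mismatch instead of casting to void. The curve bytes are now written straight into the caller's buffer rather than into a bounded local array, so it is worth confirming that the `outLen` check, which is outside this hunk, already accounts for `curveSz` before this point.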

+ 18 - 0
wolfcrypt/src/sp_int.c

@@ -4385,31 +4385,49 @@ int sp_init_multi(sp_int* n1, sp_int* n2, sp_int* n3, sp_int* n4, sp_int* n5,
         _sp_zero(n1);
         n1->dp[0] = 0;
         n1->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n1->raw);
+    #endif
     }
     if (n2 != NULL) {
         _sp_zero(n2);
         n2->dp[0] = 0;
         n2->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n2->raw);
+    #endif
     }
     if (n3 != NULL) {
         _sp_zero(n3);
         n3->dp[0] = 0;
         n3->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n3->raw);
+    #endif
     }
     if (n4 != NULL) {
         _sp_zero(n4);
         n4->dp[0] = 0;
         n4->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n4->raw);
+    #endif
     }
     if (n5 != NULL) {
         _sp_zero(n5);
         n5->dp[0] = 0;
         n5->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n5->raw);
+    #endif
     }
     if (n6 != NULL) {
         _sp_zero(n6);
         n6->dp[0] = 0;
         n6->size = SP_INT_DIGITS;
+    #ifdef HAVE_WOLF_BIGINT
+        wc_bigint_init(&n6->raw);
+    #endif
     }
 
     return MP_OKAY;
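Review bot: The same `HAVE_WOLF_BIGINT` block is now pasted six times, once per argument, on top of the already repeated zeroing code. A small file-local helper or macro that zeroes one `sp_int` and initialises its `raw` member, called for `n1` through `n6`, would keep the six paths from drifting apart. The single-value initialisers in this file are not part of the diff; it is worth confirming they initialise `raw` the same way. sp_init_multi starts outside the hunk.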

+ 10 - 4
wolfcrypt/test/test.c

@@ -16260,17 +16260,23 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
     }
 
     ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
     if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
         ERROR_OUT(-8058, done);
     }
 
     ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
-    if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
+#endif
+    if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
         ERROR_OUT(-8057, done);
     }
 
     ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
-    if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
+    if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
         ERROR_OUT(-8057, done);
     }
 
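Review bot: `ASYNC_OP_E` is accepted unconditionally in the `wc_DhAgree` and `wc_DhCheckKeyPair` checks, so a non-async build would also pass this negative test on that code; wrap the extra comparison in `#if defined(WOLFSSL_ASYNC_CRYPT)` as the `wc_AsyncWait` calls are. The `wc_DhGenerateKeyPair` check does not accept `ASYNC_OP_E` and `wc_DhCheckKeyPair` has no `wc_AsyncWait`; the reason for the asymmetry is not stated and deserves a one-line comment. Both of the later failing branches report `-8057`, so the log cannot tell them apart. dh_ffdhe_test continues outside the hunk.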
@@ -23925,7 +23931,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
 #endif
 
     /* test use of custom curve - using BRAINPOOLP256R1 for test */
-#ifdef HAVE_ECC_BRAINPOOL
+#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
     #ifndef WOLFSSL_ECC_CURVE_STATIC
         WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
             0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
@@ -23966,7 +23972,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
 
     XMEMSET(key, 0, sizeof *key);
 
-#ifdef HAVE_ECC_BRAINPOOL
+#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
     ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
         &ecc_dp_brainpool256r1);
     if (ret != 0) {

+ 2 - 2
wolfssl/wolfcrypt/types.h

@@ -728,8 +728,8 @@ decouple library dependencies with standard string, memory and so on.
             #endif /* _MSC_VER */
         #endif /* USE_WINDOWS_API */
 
-        #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \
-                    || defined(HAVE_ALPN)
+        #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
+            defined(HAVE_ALPN) || defined(WOLFSSL_SNIFFER)
             /* use only Thread Safe version of strtok */
             #if defined(USE_WOLF_STRTOK)
                 #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))