mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix for asynchronous sniffer edge case for back to back sessions where new session was created while still pending.

Browse Source
This commit is contained in:
David Garske 2022-11-04 13:11:24 -07:00
parent fe28702891
commit 6ca8336c52
1 changed files with 34 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/sniffer.c
View File

@ -4936,7 +4936,7 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
NULL, DYNAMIC_TYPE_SNIFFER_SESSION); NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
if (session == NULL) { if (session == NULL) {
SetError(MEMORY_STR, error, NULL, 0); SetError(MEMORY_STR, error, NULL, 0);
return 0; return NULL;
} }
InitSession(session); InitSession(session);
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
@ -4946,12 +4946,12 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
if (newHash == NULL) { if (newHash == NULL) {
SetError(MEMORY_STR, error, NULL, 0); SetError(MEMORY_STR, error, NULL, 0);
XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION); XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
return 0; return NULL;
} }
if (HashInit(newHash) != 0) { if (HashInit(newHash) != 0) {
SetError(EXTENDED_MASTER_HASH_STR, error, NULL, 0); SetError(EXTENDED_MASTER_HASH_STR, error, NULL, 0);
XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION); XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
return 0; return NULL;
} }
session->hash = newHash; session->hash = newHash;
} }
@ -4972,14 +4972,14 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
if (session->context == NULL) { if (session->context == NULL) {
SetError(SERVER_NOT_REG_STR, error, NULL, 0); SetError(SERVER_NOT_REG_STR, error, NULL, 0);
XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION); XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
return 0; return NULL;
} }
session->sslServer = wolfSSL_new(session->context->ctx); session->sslServer = wolfSSL_new(session->context->ctx);
if (session->sslServer == NULL) { if (session->sslServer == NULL) {
SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE); SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION); XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
return 0; return NULL;
} }
session->sslClient = wolfSSL_new(session->context->ctx); session->sslClient = wolfSSL_new(session->context->ctx);
if (session->sslClient == NULL) { if (session->sslClient == NULL) {
@ -4988,7 +4988,7 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo,
SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE); SetError(BAD_NEW_SSL_STR, error, session, FATAL_ERROR_STATE);
XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION); XFREE(session, NULL, DYNAMIC_TYPE_SNIFFER_SESSION);
return 0; return NULL;
} }
/* put server back into server mode */ /* put server back into server mode */
session->sslServer->options.side = WOLFSSL_SERVER_END; session->sslServer->options.side = WOLFSSL_SERVER_END;
@ -5177,6 +5177,16 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
{ {
/* create a new SnifferSession on client SYN */ /* create a new SnifferSession on client SYN */
if (tcpInfo->syn && !tcpInfo->ack) { if (tcpInfo->syn && !tcpInfo->ack) {
#ifdef WOLFSSL_ASYNC_CRYPT
/* if session already exists and is pending do not create another */
*session = GetSnifferSession(ipInfo, tcpInfo);
if (*session != NULL) {
if ((*session)->pendSeq != 0) {
return WC_PENDING_E;
}
}
#endif
TraceClientSyn(tcpInfo->sequence); TraceClientSyn(tcpInfo->sequence);
#ifdef WOLFSSL_SNIFFER_STATS #ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslEncryptedConns); INC_STAT(SnifferStats.sslEncryptedConns);
@ -5724,6 +5734,17 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo,
&session->flags.cliAckFault : &session->flags.cliAckFault :
&session->flags.srvAckFault; &session->flags.srvAckFault;
#ifdef WOLFSSL_ASYNC_CRYPT
if (session->sslServer->error == 0 && session->pendSeq != 0 &&
session->pendSeq == tcpInfo->sequence) {
return 0; /* ready to process, but skip sequence checking below (already done) */
}
/* check if this session is pending */
else if (session->pendSeq != 0 && session->pendSeq != tcpInfo->sequence) {
return WC_PENDING_E;
}
#endif
/* init SEQ from server to client - if not ack fault */ /* init SEQ from server to client - if not ack fault */
if (tcpInfo->syn && tcpInfo->ack && !*ackFault) { if (tcpInfo->syn && tcpInfo->ack && !*ackFault) {
session->srvSeqStart = tcpInfo->sequence; session->srvSeqStart = tcpInfo->sequence;
@ -5738,14 +5759,6 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo,
*sslBytes = actualLen; *sslBytes = actualLen;
} }
#ifdef WOLFSSL_ASYNC_CRYPT
/* check if this session is pending */
if (session->pendSeq != 0 && session->pendSeq != tcpInfo->sequence) {
/* this stream is processing, queue packet */
return WC_PENDING_E;
}
#endif
TraceSequence(tcpInfo->sequence, *sslBytes); TraceSequence(tcpInfo->sequence, *sslBytes);
if (CheckAck(tcpInfo, session) < 0) { if (CheckAck(tcpInfo, session) < 0) {
if (!RecoveryEnabled) { if (!RecoveryEnabled) {
@ -6379,6 +6392,9 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain,
ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error))
return WOLFSSL_SNIFFER_FATAL_ERROR; return WOLFSSL_SNIFFER_FATAL_ERROR;
#ifdef WOLFSSL_ASYNC_CRYPT
else if (ret == WC_PENDING_E) return WC_PENDING_E;
#endif
else if (ret == -1) return WOLFSSL_SNIFFER_ERROR; else if (ret == -1) return WOLFSSL_SNIFFER_ERROR;
else if (ret == 1) { else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS #ifdef WOLFSSL_SNIFFER_STATS
@ -6458,10 +6474,9 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain,
session->sslServer->error = ret; session->sslServer->error = ret;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* capture the seq pending for this session */ /* capture the seq pending for this session */
session->pendSeq = (ret == WC_PENDING_E) ? tcpInfo.sequence : 0;
if (ret == WC_PENDING_E) { if (ret == WC_PENDING_E) {
session->flags.wasPolled = 0; session->flags.wasPolled = 0;
session->pendSeq = tcpInfo.sequence;
if (!asyncOkay || CryptoDeviceId == INVALID_DEVID) { if (!asyncOkay || CryptoDeviceId == INVALID_DEVID) {
/* If devId has not been set then we need to block here by /* If devId has not been set then we need to block here by
* polling and looping */ * polling and looping */
@ -6471,6 +6486,9 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain,
return ret; /* return to caller */ return ret; /* return to caller */
} }
} }
else {
session->pendSeq = 0;
}
} while (ret == WC_PENDING_E); } while (ret == WC_PENDING_E);
#else #else
(void)asyncOkay; (void)asyncOkay;