Fixes for minor sniffer and async issues:

* Sniffer: Remove old restrictions for max strength, encrypt-then-mac and forcing openssl-extra. * Fix bound warning with strncpy in sniffer.c. * Fix for async DH issue. * Fix for SP math all not initializing raw big int. * Fix for array bounds warning with "-O3" on SetEccPublicKey. * Fix a sniffer async edge case with TLS v1.2 static RSA and extended master. * Improved the sniffer test script detection of features. * Disable ECC custom curve test with Intel QuickAssist.
2022-04-08 15:22:16 -07:00 · 2022-04-08 15:22:16 -07:00 · 659d33fdaf
parent 567ae7ca55
commit 659d33fdaf
11 changed files with 181 additions and 120 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1679,12 +1679,6 @@ AC_ARG_WITH([se050],
    ]
 )
 # sniffer doesn't work in maxstrength mode
 if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
 then
    AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
 fi
 ENABLED_SNIFFTEST=no
 AS_IF([ test "x$ENABLED_SNIFFER" = "xyes" ],
      [
@ -5245,8 +5239,6 @@ then
    ENABLED_ENCRYPT_THEN_MAC=yes
 fi
 AS_IF([test "x$ENABLED_SNIFFER" = "xyes"],[ENABLED_ENCRYPT_THEN_MAC="no"])
 if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
 then
    AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
@ -7099,7 +7091,7 @@ AS_IF([test "x$ENABLED_MCAPI" = "xyes"],
 if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
   test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \
   test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \
-   test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \
+   test "$ENABLED_OPENSSLALL" = "yes" || \
   test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
   test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
   test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes"
--- a/scripts/include.am
+++ b/scripts/include.am
@ -87,7 +87,7 @@ noinst_SCRIPTS+= scripts/unit.test.in
 endif
 endif
-EXTRA_DIST +=  scripts/testsuite.pcap \
+EXTRA_DIST +=  scripts/sniffer-static-rsa.pcap \
               scripts/sniffer-ipv6.pcap \
               scripts/sniffer-tls13-dh.pcap \
               scripts/sniffer-tls13-dh-resume.pcap \
@ -95,8 +95,8 @@ EXTRA_DIST +=  scripts/testsuite.pcap \
               scripts/sniffer-tls13-ecc-resume.pcap \
               scripts/sniffer-tls13-x25519.pcap \
               scripts/sniffer-tls13-x25519-resume.pcap \
               scripts/sniffer-tls13-gen.sh \
               scripts/sniffer-tls13-hrr.pcap \
               scripts/sniffer-gen.sh \
               scripts/ping.test \
               scripts/benchmark.test \
               scripts/memtest.sh \
--- a/scripts/sniffer-tls13-gen.sh
+++ b/scripts/sniffer-tls13-gen.sh
--- a/scripts/sniffer-static-rsa.pcap
+++ b/scripts/sniffer-static-rsa.pcap
--- a/scripts/sniffer-testsuite.test
+++ b/scripts/sniffer-testsuite.test
@ -12,6 +12,36 @@ if [ "${AM_BWRAPPED-}" != "yes" ]; then
    unset AM_BWRAPPED
 fi
 has_tlsv13=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v13 '
 if [ $? -eq 0 ]; then
    has_tlsv13=yes
 fi
 has_tlsv12=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'tls_v12 '
 if [ $? -eq 0 ]; then
    has_tlsv12=yes
 fi
 has_rsa=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
 if [ $? -eq 0 ]; then
    has_rsa=yes
 fi
 has_ecc=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'ecc '
 if [ $? -eq 0 ]; then
    has_ecc=yes
 fi
 has_x22519=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'x22519 '
 if [ $? -eq 0 ]; then
    has_x22519=yes
 fi
 has_dh=no
 ./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'dh '
 if [ $? -eq 0 ]; then
    has_dh=yes
 fi
 # ./configure --enable-sniffer [--enable-session-ticket]
 # Resumption tests require "--enable-session-ticket"
 session_ticket=no
@ -19,94 +49,27 @@ session_ticket=no
 if [ $? -eq 0 ]; then
    session_ticket=yes
 fi
-has_rsa=no
+has_static_rsa=no
-./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa '
+./sslSniffer/sslSnifferTest/snifftest -? 2>&1 | grep -- 'rsa_static '
 if [ $? -eq 0 ]; then
-    has_rsa=yes
+    has_static_rsa=yes
 fi
 RESULT=0
-if test $session_ticket == yes
+# TLS v1.2 Static RSA Test
 if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
 then
    # TLS v1.2 Static RSA Test
    echo -e "\nStaring snifftest on testsuite.pcap...\n"
-    ./sslSniffer/sslSnifferTest/snifftest ./scripts/testsuite.pcap ./certs/server-key.pem 127.0.0.1 11111
+    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-static-rsa.pcap ./certs/server-key.pem 127.0.0.1 11111
    RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "\nsnifftest failed\n" && exit 1
+    [ $RESULT -ne 0 ] && echo -e "\nsnifftest static RSA failed\n" && exit 1
 fi
-# TLS v1.3 sniffer test ECC
+# TLS v1.2 Static RSA Test (IPv6)
-if test $RESULT -eq 0
+if test $RESULT -eq 0 && test $has_rsa == yes && test $has_tlsv12 == yes && test $has_static_rsa == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test DH
 if test $RESULT -eq 0
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test X25519
 if test $RESULT -eq 0
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
 fi
 # TLS v1.3 Resumption Tests
 if test $session_ticket == yes
 then
    # TLS v1.3 sniffer test ECC resumption
    if test $RESULT -eq 0
    then
        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
        RESULT=$?
        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
    fi
    # TLS v1.3 sniffer test DH
    if test $RESULT -eq 0
    then
        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
        RESULT=$?
        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
    fi
    # TLS v1.3 sniffer test X25519
    if test $RESULT -eq 0
    then
        ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
        RESULT=$?
        [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
    fi
 fi
 # TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
 if test $RESULT -eq 0
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
 fi
 # IPv6
 if test $RESULT -eq 0 && test "x$1" = "x-6";
 then
    echo -e "\nStaring snifftest on sniffer-ipv6.pcap...\n"
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-ipv6.pcap ./certs/server-key.pem ::1 11111
@ -115,6 +78,69 @@ then
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest (ipv6) failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test ECC
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test DH
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test X25519
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x22519 == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test ECC resumption
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes && test $session_ticket == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-ecc-resume.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 ECC failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test DH
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_dh == yes && test $session_ticket == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-dh-resume.pcap ./certs/statickeys/dh-ffdhe2048.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 DH failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test X25519
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_x25519 == yes && test $session_ticket == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-x25519-resume.pcap ./certs/statickeys/x25519.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 X25519 failed\n" && exit 1
 fi
 # TLS v1.3 sniffer test hello_retry_request (HRR) with ECDHE
 if test $RESULT -eq 0 && test $has_tlsv13 == yes && test $has_ecc == yes
 then
    ./sslSniffer/sslSnifferTest/snifftest ./scripts/sniffer-tls13-hrr.pcap ./certs/statickeys/ecc-secp256r1.pem 127.0.0.1 11111
    RESULT=$?
    [ $RESULT -ne 0 ] && echo -e "\nsnifftest TLS v1.3 HRR failed\n" && exit 1
 fi
 echo -e "\nSuccess!\n"
 exit 0
--- a/src/sniffer.c
+++ b/src/sniffer.c
@ -973,6 +973,7 @@ typedef struct TcpPseudoHdr {
 } TcpPseudoHdr;
 #ifdef WOLFSSL_ENCRYPTED_KEYS
 /* Password Setting Callback */
 static int SetPassword(char* passwd, int sz, int rw, void* userdata)
 {
@ -980,7 +981,7 @@ static int SetPassword(char* passwd, int sz, int rw, void* userdata)
    XSTRNCPY(passwd, (const char*)userdata, sz);
    return (int)XSTRLEN((const char*)userdata);
 }
-
+#endif
 /* Ethernet Header */
 typedef struct EthernetHdr {
@ -2140,7 +2141,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
            pCipher = wolfSSL_get_cipher(session->sslServer);
            if (NULL != pCipher) {
                XSTRNCPY((char*)sslInfo->serverCipherSuiteName, pCipher,
-                         sizeof(sslInfo->serverCipherSuiteName));
+                         sizeof(sslInfo->serverCipherSuiteName) - 1);
                sslInfo->serverCipherSuiteName
                         [sizeof(sslInfo->serverCipherSuiteName) - 1] = '\0';
            }
@ -2148,7 +2149,7 @@ static void CopySessionInfo(SnifferSession* session, SSLInfo* sslInfo)
        #ifdef HAVE_SNI
            if (NULL != session->sni) {
                XSTRNCPY((char*)sslInfo->serverNameIndication,
-                         session->sni, sizeof(sslInfo->serverNameIndication));
+                    session->sni, sizeof(sslInfo->serverNameIndication) - 1);
                sslInfo->serverNameIndication
                         [sizeof(sslInfo->serverNameIndication) - 1] = '\0';
            }
@ -4445,27 +4446,32 @@ static int DoHandShake(const byte* input, int* sslBytes,
        case client_key_exchange:
            Trace(GOT_CLIENT_KEY_EX_STR);
 #ifdef HAVE_EXTENDED_MASTER
-            if (session->flags.expectEms && session->hash != NULL) {
+        #ifdef WOLFSSL_ASYNC_CRYPT
-                if (HashCopy(session->sslServer->hsHashes,
+            if (session->sslServer->error != WC_PENDING_E)
-                             session->hash) == 0 &&
+        #endif
-                    HashCopy(session->sslClient->hsHashes,
+            {
-                             session->hash) == 0) {
+                if (session->flags.expectEms && session->hash != NULL) {
                    if (HashCopy(session->sslServer->hsHashes,
                                session->hash) == 0 &&
                        HashCopy(session->sslClient->hsHashes,
                                session->hash) == 0) {
-                    session->sslServer->options.haveEMS = 1;
+                        session->sslServer->options.haveEMS = 1;
-                    session->sslClient->options.haveEMS = 1;
+                        session->sslClient->options.haveEMS = 1;
                    }
                    else {
                        SetError(EXTENDED_MASTER_HASH_STR, error,
                                session, FATAL_ERROR_STATE);
                        ret = -1;
                    }
                    XMEMSET(session->hash, 0, sizeof(HsHashes));
                    XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
                    session->hash = NULL;
                }
                else {
-                    SetError(EXTENDED_MASTER_HASH_STR, error,
+                    session->sslServer->options.haveEMS = 0;
-                             session, FATAL_ERROR_STATE);
+                    session->sslClient->options.haveEMS = 0;
                    ret = -1;
                }
                XMEMSET(session->hash, 0, sizeof(HsHashes));
                XFREE(session->hash, NULL, DYNAMIC_TYPE_HASHES);
                session->hash = NULL;
            }
            else {
                session->sslServer->options.haveEMS = 0;
                session->sslClient->options.haveEMS = 0;
            }
 #endif
            if (ret == 0) {
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@ -411,6 +411,9 @@ static void show_appinfo(void)
    #ifdef WOLFSSL_TLS13
        "tls_v13 "
    #endif
    #ifndef WOLFSSL_NO_TLS12
        "tls_v12 "
    #endif
    #ifdef HAVE_SESSION_TICKET
        "session_ticket "
    #endif
@ -447,6 +450,12 @@ static void show_appinfo(void)
    #ifdef HAVE_CURVE22519
        "x22519 "
    #endif
    #ifdef WOLFSSL_STATIC_RSA
        "rsa_static "
    #endif
    #ifdef WOLFSSL_STATIC_DH
        "dh_static "
    #endif
    "\n\n"
    );
 }
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -12968,7 +12968,7 @@ static int SetCurve(ecc_key* key, byte* output)
 #ifdef HAVE_OID_ENCODING
    int ret;
 #endif
-    int idx = 0;
+    int idx;
    word32 oidSz = 0;
    /* validate key */
@ -12985,7 +12985,12 @@ static int SetCurve(ecc_key* key, byte* output)
    oidSz = key->dp->oidSz;
 #endif
-    idx += SetObjectId(oidSz, output);
+    idx = SetObjectId(oidSz, output);
    /* length only */
    if (output == NULL) {
        return idx + oidSz;
    }
 #ifdef HAVE_OID_ENCODING
    ret = EncodeObjectId(key->dp->oid, key->dp->oidSz, output+idx, &oidSz);
@ -21206,7 +21211,6 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
    word32 pubSz;
    byte bitString[1 + MAX_LENGTH_SZ + 1]; /* 6 */
    byte algo[MAX_ALGO_SZ];  /* 20 */
    byte curve[MAX_ALGO_SZ]; /* 20 */
    /* public size */
    pubSz = key->dp ? key->dp->size : MAX_ECC_BYTES;
@ -21219,7 +21223,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
    /* headers */
    if (with_header) {
-        curveSz = SetCurve(key, curve);
+        curveSz = SetCurve(key, NULL);
        if (curveSz <= 0) {
            return curveSz;
        }
@ -21242,7 +21246,7 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen,
        idx += algoSz;
        /* curve */
        if (output)
-            XMEMCPY(output + idx, curve, curveSz);
+            (void)SetCurve(key, output + idx);
        idx += curveSz;
        /* bit string */
        if (output)
--- a/wolfcrypt/src/sp_int.c
+++ b/wolfcrypt/src/sp_int.c
@ -4385,31 +4385,49 @@ int sp_init_multi(sp_int* n1, sp_int* n2, sp_int* n3, sp_int* n4, sp_int* n5,
        _sp_zero(n1);
        n1->dp[0] = 0;
        n1->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n1->raw);
    #endif
    }
    if (n2 != NULL) {
        _sp_zero(n2);
        n2->dp[0] = 0;
        n2->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n2->raw);
    #endif
    }
    if (n3 != NULL) {
        _sp_zero(n3);
        n3->dp[0] = 0;
        n3->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n3->raw);
    #endif
    }
    if (n4 != NULL) {
        _sp_zero(n4);
        n4->dp[0] = 0;
        n4->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n4->raw);
    #endif
    }
    if (n5 != NULL) {
        _sp_zero(n5);
        n5->dp[0] = 0;
        n5->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n5->raw);
    #endif
    }
    if (n6 != NULL) {
        _sp_zero(n6);
        n6->dp[0] = 0;
        n6->size = SP_INT_DIGITS;
    #ifdef HAVE_WOLF_BIGINT
        wc_bigint_init(&n6->raw);
    #endif
    }
    return MP_OKAY;
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -16260,17 +16260,23 @@ static int dh_ffdhe_test(WC_RNG *rng, int name)
    }
    ret = wc_DhGenerateKeyPair(key, rng, priv, &privSz, pub, &pubSz);
 #if defined(WOLFSSL_ASYNC_CRYPT)
    ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
    if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
        ERROR_OUT(-8058, done);
    }
    ret = wc_DhAgree(key, agree, &agreeSz, priv, privSz, pub2, pubSz2);
-    if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
+#if defined(WOLFSSL_ASYNC_CRYPT)
    ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_NONE);
 #endif
    if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
        ERROR_OUT(-8057, done);
    }
    ret = wc_DhCheckKeyPair(key, pub, pubSz, priv, privSz);
-    if (ret != MP_VAL && ret != MP_EXPTMOD_E) {
+    if (ret != MP_VAL && ret != MP_EXPTMOD_E && ret != ASYNC_OP_E) {
        ERROR_OUT(-8057, done);
    }
@ -23925,7 +23931,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
 #endif
    /* test use of custom curve - using BRAINPOOLP256R1 for test */
-#ifdef HAVE_ECC_BRAINPOOL
+#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
    #ifndef WOLFSSL_ECC_CURVE_STATIC
        WOLFSSL_SMALL_STACK_STATIC const ecc_oid_t ecc_oid_brainpoolp256r1[] = {
            0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07
@ -23966,7 +23972,7 @@ static int ecc_test_custom_curves(WC_RNG* rng)
    XMEMSET(key, 0, sizeof *key);
-#ifdef HAVE_ECC_BRAINPOOL
+#if defined(HAVE_ECC_BRAINPOOL) && !defined(HAVE_INTEL_QA)
    ret = ecc_test_curve_size(rng, 0, ECC_TEST_VERIFY_COUNT, ECC_CURVE_DEF,
        &ecc_dp_brainpool256r1);
    if (ret != 0) {
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@ -728,8 +728,8 @@ decouple library dependencies with standard string, memory and so on.
            #endif /* _MSC_VER */
        #endif /* USE_WINDOWS_API */
-        #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \
+        #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \
-                    || defined(HAVE_ALPN)
+            defined(HAVE_ALPN) || defined(WOLFSSL_SNIFFER)
            /* use only Thread Safe version of strtok */
            #if defined(USE_WOLF_STRTOK)
                #define XSTRTOK(s1,d,ptr) wc_strtok((s1),(d),(ptr))