From 100f0e8a96934654a5c705339afb845c8bb3b880 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 19 Aug 2014 22:38:04 -0700
Subject: [PATCH] Don't allow sniffer to decrypt records if the key hasn't been setup. (Possible with misbehaving client.)

---
 cyassl/sniffer_error.h | 1 +
 cyassl/sniffer_error.rc | 2 ++
 src/sniffer.c | 9 ++++++++-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/cyassl/sniffer_error.h b/cyassl/sniffer_error.h
index c588a568e..6bea8e26f 100644
--- a/cyassl/sniffer_error.h
+++ b/cyassl/sniffer_error.h
@@ -103,6 +103,7 @@
 #define ACK_MISSED_STR 69
 #define BAD_DECRYPT 70
+#define DECRYPT_KEYS_NOT_SETUP 71
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
diff --git a/cyassl/sniffer_error.rc b/cyassl/sniffer_error.rc
index 516f7aa11..93f0cf180 100644
--- a/cyassl/sniffer_error.rc
+++ b/cyassl/sniffer_error.rc
@@ -84,5 +84,7 @@ STRINGTABLE
 68, "Bad DeriveKeys Error"
 69, "Saw ACK for Missing Packet Error"
 70, "Bad Decrypt Operation"
+
+ 71, "Decrypt Keys Not Set Up"
 }
diff --git a/src/sniffer.c b/src/sniffer.c
index 2c6860c83..4328dfd70 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -225,7 +225,10 @@ static const char* const msgTable[] =
 "Bad Compression Type",
 "Bad DeriveKeys Error",
 "Saw ACK for Missing Packet Error",
-"Bad Decrypt Operation"
+"Bad Decrypt Operation",
+
+ /* 71 */
+ "Decrypt Keys Not Set Up"
 };
@@ -2378,6 +2381,10 @@ doMessage:
 session->flags.serverCipherOn)
 || (session->flags.side == CYASSL_CLIENT_END &&
 session->flags.clientCipherOn)) {
+ if (ssl->decrypt.setup != 1) {
+ SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE);
+ return -1;
+ }
 if (CheckAvailableSize(ssl, rhSize) < 0) {
 SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
 return -1;
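Review bot: The new guard in the `doMessage:` hunk compares the flag against a literal, `if (ssl->decrypt.setup != 1)`, although it is only used as a boolean here; `if (!ssl->decrypt.setup)` states the intent and does not depend on every setter elsewhere storing exactly 1. The guard sits at the point of use, which is enough to keep a record from reaching the cipher when the session's `serverCipherOn`/`clientCipherOn` flag was raised without a key schedule, but presumably that flag is raised when a ChangeCipherSpec record is seen (that code is not in this hunk), and failing the session there with the same `decrypt.setup` test would reject the misbehaving peer one record earlier and keep the two flags from disagreeing in the first place. Since the reason for the check is only in the commit message, a short comment above it would help the next reader: `/* A peer can send ChangeCipherSpec before the key exchange finished; refuse to decrypt until keys have been derived. */`. The enclosing function begins before this hunk, at or above the `doMessage:` label shown in the hunk header.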