Don't allow sniffer to decrypt records if the key hasn't been setup. (Possible with misbehaving client.)

2025-08-01 03:34:39 +02:00 · 2014-08-19 22:38:04 -07:00
parent 7e6b3a86d5
commit 100f0e8a96
3 changed files with 11 additions and 1 deletions
--- a/cyassl/sniffer_error.h
+++ b/cyassl/sniffer_error.h
@@ -103,6 +103,7 @@
 #define ACK_MISSED_STR 69
 #define BAD_DECRYPT    70 

+#define DECRYPT_KEYS_NOT_SETUP 71
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */


--- a/cyassl/sniffer_error.rc
+++ b/cyassl/sniffer_error.rc
@@ -84,5 +84,7 @@ STRINGTABLE
    68, "Bad DeriveKeys Error"
    69, "Saw ACK for Missing Packet Error"
    70, "Bad Decrypt Operation"
+
+    71, "Decrypt Keys Not Set Up"
 }

--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -225,7 +225,10 @@ static const char* const msgTable[] =
    "Bad Compression Type",
    "Bad DeriveKeys Error",
    "Saw ACK for Missing Packet Error",
-    "Bad Decrypt Operation"
+    "Bad Decrypt Operation",
+
+    /* 71 */
+    "Decrypt Keys Not Set Up"
 };


@@ -2378,6 +2381,10 @@ doMessage:
                                               session->flags.serverCipherOn)
     || (session->flags.side == CYASSL_CLIENT_END &&
                                               session->flags.clientCipherOn)) {
+        if (ssl->decrypt.setup != 1) {
+            SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE);
+            return -1;
+        }
        if (CheckAvailableSize(ssl, rhSize) < 0) {
            SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
            return -1;