Don't allow sniffer to decrypt records if the key hasn't been setup. (Possible with misbehaving client.)

cyassl/sniffer_error.h

@@ -103,6 +103,7 @@
 #define ACK_MISSED_STR 69
 #define BAD_DECRYPT    70 
 
+#define DECRYPT_KEYS_NOT_SETUP 71
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
 
 

cyassl/sniffer_error.rc

@@ -84,5 +84,7 @@ STRINGTABLE
     68, "Bad DeriveKeys Error"
     69, "Saw ACK for Missing Packet Error"
     70, "Bad Decrypt Operation"
+
+    71, "Decrypt Keys Not Set Up"
 }
 

src/sniffer.c

@@ -225,7 +225,10 @@ static const char* const msgTable[] =
     "Bad Compression Type",
     "Bad DeriveKeys Error",
     "Saw ACK for Missing Packet Error",
-    "Bad Decrypt Operation"
+    "Bad Decrypt Operation",
+
+    /* 71 */
+    "Decrypt Keys Not Set Up"
 };
 
 
@@ -2378,6 +2381,10 @@ doMessage:
                                                session->flags.serverCipherOn)
      || (session->flags.side == CYASSL_CLIENT_END &&
                                                session->flags.clientCipherOn)) {
+        if (ssl->decrypt.setup != 1) {
+            SetError(DECRYPT_KEYS_NOT_SETUP, error, session, FATAL_ERROR_STATE);
+            return -1;
+        }
         if (CheckAvailableSize(ssl, rhSize) < 0) {
             SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE);
             return -1;