better error output for temp keys or compression on sniffer

cyassl/sniffer_error.h

@@ -98,6 +98,7 @@
 #define BAD_INPUT_STR 64
 #define BAD_DECRYPT_TYPE 65
 #define BAD_FINISHED_MSG 66
+#define BAD_COMPRESSION_STR 67
 
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */
 

cyassl/sniffer_error.rc

@@ -80,5 +80,6 @@ STRINGTABLE
     65, "Bad Decrypt Type"
 
     66, "Bad Finished Message Processing"
+    67, "Bad Compression Type"
 }
 

examples/echoserver/echoserver.c

@@ -128,6 +128,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
     load_buffer(ctx, svrKey,  CYASSL_KEY);
 #endif
 
+#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
+    /* don't use EDH, can't sniff tmp keys */
+    CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA");
+#endif
+
     SignalReady(args);
 
     while (!shutdown) {

examples/server/server.c

@@ -146,6 +146,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
     load_buffer(ctx, svrKey,  CYASSL_KEY);
 #endif /* NO_FILESYSTEM */
 
+#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
+    /* don't use EDH, can't sniff tmp keys */
+    SSL_CTX_set_cipher_list(ctx, "AES256-SHA");
+#endif
+
     ssl = SSL_new(ctx);
 #ifdef HAVE_CRL
     CyaSSL_EnableCRL(ssl, 0);

src/sniffer.c

@@ -216,7 +216,8 @@ static const char* const msgTable[] =
     "Bad Decrypt Type",
 
     /* 66 */
-    "Bad Finished Message Processing"
+    "Bad Finished Message Processing",
+    "Bad Compression Type"
 };
 
 
@@ -1066,7 +1067,7 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
         FreeRsaKey(&key);
         return -1;
     }
-    
+
     MakeMasterSecret(session->sslServer);
     MakeMasterSecret(session->sslClient);
 #ifdef SHOW_SECRETS
@@ -1172,12 +1173,22 @@ static int ProcessServerHello(const byte* input, int* sslBytes,
     }
     input     += b;
     *sslBytes -= b;
-    
+   
+    /* cipher suite */ 
     (void)*input++;  /* eat first byte, always 0 */
     b = *input++;
     session->sslServer->options.cipherSuite = b;
     session->sslClient->options.cipherSuite = b;
     *sslBytes -= SUITE_LEN;
+
+    /* compression */
+    b = *input++;
+    *sslBytes -= ENUM_LEN;
+
+    if (b) {
+        SetError(BAD_COMPRESSION_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
    
     if (session->sslServer->options.haveSessionId &&
             XMEMCMP(session->sslServer->arrays.sessionID,
@@ -1466,6 +1477,9 @@ static int DoHandShake(const byte* input, int* sslBytes,
             break;
         case server_key_exchange:
             Trace(GOT_SERVER_KEY_EX_STR);
+            /* can't know temp key passively */
+            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
+            ret = -1;
             break;
         case certificate:
             Trace(GOT_CERT_STR);

sslSniffer/sslSnifferTest/snifftest.c

@@ -63,7 +63,7 @@ typedef unsigned char byte;
 
 enum {
     ETHER_IF_FRAME_LEN = 14,   /* ethernet interface frame length */
-    LOCAL_IF_FRAME_LEN =  4,   /* localhost interface frame length  */
+    NULL_IF_FRAME_LEN =   4,   /* no link interface frame length  */
 };
 
 
@@ -241,8 +241,8 @@ int main(int argc, char** argv)
     if (ret != 0)
         err_sys(err);
 
-    if (pcap_datalink(pcap) == 0) 
-        frame = LOCAL_IF_FRAME_LEN;
+    if (pcap_datalink(pcap) == DLT_NULL) 
+        frame = NULL_IF_FRAME_LEN;
 
     while (1) {
         struct pcap_pkthdr header;