diff --git a/cyassl/sniffer_error.h b/cyassl/sniffer_error.h index 7b7a50496..4882c7dd8 100644 --- a/cyassl/sniffer_error.h +++ b/cyassl/sniffer_error.h @@ -98,6 +98,7 @@ #define BAD_INPUT_STR 64 #define BAD_DECRYPT_TYPE 65 #define BAD_FINISHED_MSG 66 +#define BAD_COMPRESSION_STR 67 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */ diff --git a/cyassl/sniffer_error.rc b/cyassl/sniffer_error.rc index ad722f4e0..f4af8ee5b 100644 --- a/cyassl/sniffer_error.rc +++ b/cyassl/sniffer_error.rc @@ -80,5 +80,6 @@ STRINGTABLE 65, "Bad Decrypt Type" 66, "Bad Finished Message Processing" + 67, "Bad Compression Type" } diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 9f7fceee1..e726f4a8f 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -128,6 +128,11 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) load_buffer(ctx, svrKey, CYASSL_KEY); #endif +#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) + /* don't use EDH, can't sniff tmp keys */ + CyaSSL_CTX_set_cipher_list(ctx, "AES256-SHA"); +#endif + SignalReady(args); while (!shutdown) { diff --git a/examples/server/server.c b/examples/server/server.c index c3630d4e8..1403a109f 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -146,6 +146,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) load_buffer(ctx, svrKey, CYASSL_KEY); #endif /* NO_FILESYSTEM */ +#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC) + /* don't use EDH, can't sniff tmp keys */ + SSL_CTX_set_cipher_list(ctx, "AES256-SHA"); +#endif + ssl = SSL_new(ctx); #ifdef HAVE_CRL CyaSSL_EnableCRL(ssl, 0); diff --git a/src/sniffer.c b/src/sniffer.c index 3b5a35649..037d52896 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -216,7 +216,8 @@ static const char* const msgTable[] = "Bad Decrypt Type", /* 66 */ - "Bad Finished Message Processing" + "Bad Finished Message Processing", + "Bad Compression Type" }; @@ -1066,7 +1067,7 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes, FreeRsaKey(&key); return -1; } - + MakeMasterSecret(session->sslServer); MakeMasterSecret(session->sslClient); #ifdef SHOW_SECRETS @@ -1172,12 +1173,22 @@ static int ProcessServerHello(const byte* input, int* sslBytes, } input += b; *sslBytes -= b; - + + /* cipher suite */ (void)*input++; /* eat first byte, always 0 */ b = *input++; session->sslServer->options.cipherSuite = b; session->sslClient->options.cipherSuite = b; *sslBytes -= SUITE_LEN; + + /* compression */ + b = *input++; + *sslBytes -= ENUM_LEN; + + if (b) { + SetError(BAD_COMPRESSION_STR, error, session, FATAL_ERROR_STATE); + return -1; + } if (session->sslServer->options.haveSessionId && XMEMCMP(session->sslServer->arrays.sessionID, @@ -1466,6 +1477,9 @@ static int DoHandShake(const byte* input, int* sslBytes, break; case server_key_exchange: Trace(GOT_SERVER_KEY_EX_STR); + /* can't know temp key passively */ + SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); + ret = -1; break; case certificate: Trace(GOT_CERT_STR); diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 0b844b2d2..a132538b6 100755 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -63,7 +63,7 @@ typedef unsigned char byte; enum { ETHER_IF_FRAME_LEN = 14, /* ethernet interface frame length */ - LOCAL_IF_FRAME_LEN = 4, /* localhost interface frame length */ + NULL_IF_FRAME_LEN = 4, /* no link interface frame length */ }; @@ -241,8 +241,8 @@ int main(int argc, char** argv) if (ret != 0) err_sys(err); - if (pcap_datalink(pcap) == 0) - frame = LOCAL_IF_FRAME_LEN; + if (pcap_datalink(pcap) == DLT_NULL) + frame = NULL_IF_FRAME_LEN; while (1) { struct pcap_pkthdr header;