mgmt/osdp: phy: Catch out-of-order SC packets and fail

During handshake, only certain types of secure block types (<= SCS_14) are allowed. A rouge CP/PD can try to bypass the handshake by directly sending a secure block type ahead of the sequence and gain a secure channel. Fix this by adding a check in packet decode time. Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
2022-05-28 22:24:26 +02:00 · 2022-05-28 22:24:26 +02:00 · 514ccabc44
commit 514ccabc44
parent a233dea285
2 changed files with 13 additions and 1 deletions
--- a/subsys/mgmt/osdp/src/osdp_pd.c
+++ b/subsys/mgmt/osdp/src/osdp_pd.c
@ -523,8 +523,14 @@ static int pd_decode_command(struct osdp_pd *pd, uint8_t *buf, int len)
 		if (len != CMD_SCRYPT_DATA_LEN) {
 			break;
 		}
+		ret = OSDP_PD_ERR_REPLY;
 		if (!pd_cmd_cap_ok(pd, NULL)) {
-			ret = OSDP_PD_ERR_REPLY;
+			break;
+		}
+		if (sc_is_active(pd)) {
+			pd->reply_id = REPLY_NAK;
+			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+			LOG_ERR("Out of order CMD_SCRYPT; has CP gone rogue?");
 			break;
 		}
 		for (i = 0; i < CMD_SCRYPT_DATA_LEN; i++) {
--- a/subsys/mgmt/osdp/src/osdp_phy.c
+++ b/subsys/mgmt/osdp/src/osdp_phy.c
@ -385,6 +385,12 @@ int osdp_phy_decode_packet(struct osdp_pd *pd, uint8_t *buf, int len)
 			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
 			return OSDP_ERR_PKT_FMT;
 		}
+		if (!sc_is_active(pd) && pkt->data[1] > SCS_14) {
+			LOG_ERR("Received invalid secure message!");
+			pd->reply_id = REPLY_NAK;
+			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+			return OSDP_ERR_PKT_FMT;
+		}
 		if (pkt->data[1] == SCS_11 || pkt->data[1] == SCS_13) {
 			/**
 			 * CP signals PD to use SCBKD by setting SB data byte