From 514ccabc4491bc26538fcee5cadebb144b2cd70f Mon Sep 17 00:00:00 2001
From: Siddharth Chandrasekaran
Date: Sat, 28 May 2022 22:24:26 +0200
Subject: [PATCH] mgmt/osdp: phy: Catch out-of-order SC packets and fail

During handshake, only certain types of secure block types (<= SCS_14) are allowed. A rouge CP/PD can try to bypass the handshake by directly sending a secure block type ahead of the sequence and gain a secure channel. Fix this by adding a check in packet decode time.

Signed-off-by: Siddharth Chandrasekaran
---
 subsys/mgmt/osdp/src/osdp_pd.c | 8 +++++++-
 subsys/mgmt/osdp/src/osdp_phy.c | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/subsys/mgmt/osdp/src/osdp_pd.c b/subsys/mgmt/osdp/src/osdp_pd.c
index c19fc6d7223..a3b7366b324 100644
--- a/subsys/mgmt/osdp/src/osdp_pd.c
+++ b/subsys/mgmt/osdp/src/osdp_pd.c
@@ -523,8 +523,14 @@ static int pd_decode_command(struct osdp_pd *pd, uint8_t *buf, int len)
 if (len != CMD_SCRYPT_DATA_LEN) {
 break;
 }
+ ret = OSDP_PD_ERR_REPLY;
 if (!pd_cmd_cap_ok(pd, NULL)) {
- ret = OSDP_PD_ERR_REPLY;
+ break;
+ }
+ if (sc_is_active(pd)) {
+ pd->reply_id = REPLY_NAK;
+ pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+ LOG_ERR("Out of order CMD_SCRYPT; has CP gone rogue?");
 break;
 }
 for (i = 0; i < CMD_SCRYPT_DATA_LEN; i++) {
diff --git a/subsys/mgmt/osdp/src/osdp_phy.c b/subsys/mgmt/osdp/src/osdp_phy.c
index d1ddba048e7..864c326e296 100644
--- a/subsys/mgmt/osdp/src/osdp_phy.c
+++ b/subsys/mgmt/osdp/src/osdp_phy.c
@@ -385,6 +385,12 @@ int osdp_phy_decode_packet(struct osdp_pd *pd, uint8_t *buf, int len)
 pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
 return OSDP_ERR_PKT_FMT;
 }
+ if (!sc_is_active(pd) && pkt->data[1] > SCS_14) {
+ LOG_ERR("Received invalid secure message!");
+ pd->reply_id = REPLY_NAK;
+ pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
+ return OSDP_ERR_PKT_FMT;
+ }
 if (pkt->data[1] == SCS_11 || pkt->data[1] == SCS_13) {
 /**
 * CP signals PD to use SCBKD by setting SB data byte
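Review bot: The new `sc_is_active(pd)` guard in the CMD_SCRYPT case only rejects a cryptogram that arrives after a secure channel is already up; a CMD_SCRYPT that arrives with no CMD_CHLNG earlier in the same handshake is not caught here, and the cryptogram would then be checked against whatever challenge state `pd->sc` still holds from a previous attempt, unless the CMD_CHLNG handler (outside this hunk) records that a challenge was exchanged and something checks for it before the cryptogram is used. Either add that ordering check or state the reason it is unnecessary in a comment above the new branch, e.g. `/* CMD_SCRYPT while SC is already up is out of sequence: NAK it instead of re-running the handshake */`. Note also that `ret = OSDP_PD_ERR_REPLY;` is now assigned before the capability check, so it applies to the success path too; that is only correct if the case still ends by assigning `ret = OSDP_PD_ERR_NONE`, which is outside the hunk. pd_decode_command starts and ends outside the hunk.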
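Review bot: The new bound `pkt->data[1] > SCS_14` is one-sided, so while SC is inactive an SB type below SCS_11 (zero or an unassigned value) still passes this check and reaches the SCS_11/SCS_13 tests below; unless the check just above the hunk already validates the SB type range, the condition should be two-sided: `if (!sc_is_active(pd) && (pkt->data[1] < SCS_11 || pkt->data[1] > SCS_14)) {`. The comparison also relies on the SCS_* constants being contiguous and ordered as in the OSDP spec (SCS_11..SCS_14 for the handshake, higher values for session traffic), which deserves a comment above the check such as `/* Until SC is established only the handshake block types SCS_11..SCS_14 may appear; anything else is an attempt to skip the handshake */`. Since osdp_phy_decode_packet is used by both CP and PD, it is worth confirming that writing `pd->reply_id` and `pd->ephemeral_data[0]` on the CP side is harmless, though the NAK path just above the hunk appears to do the same. The function starts and ends outside the hunk.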