cp: disallow unexpected SC responses

When CP has a secure channel active, it should never receive a REPLY_CCRYPT or REPLY_RMAC_I. Since these responses change the SC state, let's also make sure that they are accepted only when they are expected: in response to commands CMD_CHLNG and CMD_SCRYPT respectively. Since this incident has some security implication, let's increase the log level of such out-of-order messages to EMERGENCY so they can be triaged appropriately. Reported-by: Eran Jacob <eran.jacob@otorio.com> Signed-off-by: Siddharth Chandrasekaran <sidcha.dev@gmail.com>
goToMain · Nov 1, 2023 · 298576d · 298576d
1 parent b71a7f1
commit 298576d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/src/osdp_cp.c b/src/osdp_cp.c
@@ -639,6 +639,10 @@ static int cp_decode_response(struct osdp_pd *pd, uint8_t *buf, int len)
 		ret = osdp_file_cmd_stat_decode(pd, buf + pos, len);
 		break;
 	case REPLY_CCRYPT:
+		if (sc_is_active(pd) || pd->cmd_id != CMD_CHLNG) {
+			LOG_EM("Out of order REPLY_CCRYPT; has PD gone rogue?");
+			break;
+		}
 		if (len != REPLY_CCRYPT_DATA_LEN) {
 			break;
 		}
@@ -654,6 +658,10 @@ static int cp_decode_response(struct osdp_pd *pd, uint8_t *buf, int len)
 		ret = OSDP_CP_ERR_NONE;
 		break;
 	case REPLY_RMAC_I:
+		if (sc_is_active(pd) || pd->cmd_id != CMD_SCRYPT) {
+			LOG_EM("Out of order REPLY_RMAC_I; has PD gone rogue?");
+			break;
+		}
 		if (len != REPLY_RMAC_I_DATA_LEN) {
 			break;
 		}

diff --git a/src/osdp_pd.c b/src/osdp_pd.c
@@ -621,7 +621,7 @@ static int pd_decode_command(struct osdp_pd *pd, uint8_t *buf, int len)
 		if (sc_is_active(pd)) {
 			pd->reply_id = REPLY_NAK;
 			pd->ephemeral_data[0] = OSDP_PD_NAK_SC_COND;
-			LOG_WRN("Out of order CMD_SCRYPT; has CP gone rogue?");
+			LOG_EM("Out of order CMD_SCRYPT; has CP gone rogue?");
 			break;
 		}
 		memcpy(pd->sc.cp_cryptogram, buf + pos, CMD_SCRYPT_DATA_LEN);