DPP: Reject unexpected Req/Resp message based on Auth/PKEX role
This prevents issues where an unexpected message in the DPP Authentication exchange or PKEX could result in undefined behavior. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
ba37ba419a
commit
03abb6b541
1 changed files with 13 additions and 3 deletions
|
@ -3096,6 +3096,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
|
||||||
u8 r_auth2[DPP_MAX_HASH_LEN];
|
u8 r_auth2[DPP_MAX_HASH_LEN];
|
||||||
u8 role;
|
u8 role;
|
||||||
|
|
||||||
|
if (!auth->initiator) {
|
||||||
|
dpp_auth_fail(auth, "Unexpected Authentication Response");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
auth->waiting_auth_resp = 0;
|
auth->waiting_auth_resp = 0;
|
||||||
|
|
||||||
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
|
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
|
||||||
|
@ -3458,6 +3463,11 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
|
||||||
size_t unwrapped_len = 0;
|
size_t unwrapped_len = 0;
|
||||||
u8 i_auth2[DPP_MAX_HASH_LEN];
|
u8 i_auth2[DPP_MAX_HASH_LEN];
|
||||||
|
|
||||||
|
if (auth->initiator) {
|
||||||
|
dpp_auth_fail(auth, "Unexpected Authentication Confirm");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
auth->waiting_auth_conf = 0;
|
auth->waiting_auth_conf = 0;
|
||||||
|
|
||||||
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
|
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
|
||||||
|
@ -6430,7 +6440,7 @@ struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
|
||||||
u8 u[DPP_MAX_HASH_LEN];
|
u8 u[DPP_MAX_HASH_LEN];
|
||||||
int res;
|
int res;
|
||||||
|
|
||||||
if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT)
|
if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
|
attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
|
||||||
|
@ -6740,7 +6750,7 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
|
||||||
u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
|
u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
|
||||||
|
|
||||||
if (!pkex->exchange_done || pkex->failed ||
|
if (!pkex->exchange_done || pkex->failed ||
|
||||||
pkex->t >= PKEX_COUNTER_T_LIMIT)
|
pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
|
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
|
||||||
|
@ -6917,7 +6927,7 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
|
||||||
struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
|
struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
|
||||||
|
|
||||||
if (!pkex->exchange_done || pkex->failed ||
|
if (!pkex->exchange_done || pkex->failed ||
|
||||||
pkex->t >= PKEX_COUNTER_T_LIMIT)
|
pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
|
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
|
||||||
|
|
Loading…
Reference in a new issue