DPP: Reject unexpected Req/Resp message based on Auth/PKEX role

This prevents issues where an unexpected message in the DPP
Authentication exchange or PKEX could result in undefined behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 2017-11-13 12:54:20 +02:00 committed by Jouni Malinen
parent ba37ba419a
commit 03abb6b541


@ -3096,6 +3096,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
u8 r_auth2[DPP_MAX_HASH_LEN]; u8 r_auth2[DPP_MAX_HASH_LEN];
u8 role; u8 role;
if (!auth->initiator) {
dpp_auth_fail(auth, "Unexpected Authentication Response");
return NULL;
}
auth->waiting_auth_resp = 0; auth->waiting_auth_resp = 0;
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
@ -3458,6 +3463,11 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
size_t unwrapped_len = 0; size_t unwrapped_len = 0;
u8 i_auth2[DPP_MAX_HASH_LEN]; u8 i_auth2[DPP_MAX_HASH_LEN];
if (auth->initiator) {
dpp_auth_fail(auth, "Unexpected Authentication Confirm");
return NULL;
}
auth->waiting_auth_conf = 0; auth->waiting_auth_conf = 0;
wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA, wrapped_data = dpp_get_attr(attr_start, attr_len, DPP_ATTR_WRAPPED_DATA,
@ -6430,7 +6440,7 @@ struct wpabuf * dpp_pkex_rx_exchange_resp(struct dpp_pkex *pkex,
u8 u[DPP_MAX_HASH_LEN]; u8 u[DPP_MAX_HASH_LEN];
int res; int res;
if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT) if (pkex->failed || pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
return NULL; return NULL;
attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS, attr_status = dpp_get_attr(buf, buflen, DPP_ATTR_STATUS,
@ -6740,7 +6750,7 @@ struct wpabuf * dpp_pkex_rx_commit_reveal_req(struct dpp_pkex *pkex,
u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN]; u8 u[DPP_MAX_HASH_LEN], v[DPP_MAX_HASH_LEN];
if (!pkex->exchange_done || pkex->failed || if (!pkex->exchange_done || pkex->failed ||
pkex->t >= PKEX_COUNTER_T_LIMIT) pkex->t >= PKEX_COUNTER_T_LIMIT || pkex->initiator)
goto fail; goto fail;
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA, wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
@ -6917,7 +6927,7 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL; struct wpabuf *B_pub = NULL, *X_pub = NULL, *Y_pub = NULL;
if (!pkex->exchange_done || pkex->failed || if (!pkex->exchange_done || pkex->failed ||
pkex->t >= PKEX_COUNTER_T_LIMIT) pkex->t >= PKEX_COUNTER_T_LIMIT || !pkex->initiator)
goto fail; goto fail;
wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA, wrapped_data = dpp_get_attr(buf, buflen, DPP_ATTR_WRAPPED_DATA,
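Review bot: In the dpp_auth_conf_rx() hunk the new role check ends with `return NULL;`, but the hunk header shows the function is declared `int`, so the rejection path returns a null pointer constant that converts to 0 (with a compiler diagnostic where NULL is `(void *)0`). If the function follows the usual 0-on-success convention, an Authentication Confirm received in the initiator role would be reported to the caller as accepted rather than rejected; the other return paths are outside the hunk, so this needs confirming. The line should be `return -1;`, or whatever failure value the function's other error paths use. The `return NULL;` added in dpp_auth_resp_rx() is fine only if that function returns a pointer, and its return type is cut off in the hunk header.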