From 1533386cc29d025b7a42517430807e43a46df319 Mon Sep 17 00:00:00 2001 From: Boris Zbarsky Date: Mon, 27 Feb 2023 14:17:59 -0500 Subject: [PATCH] Disallow CASE and PASE establishment attempts over existing secure sessions. Per spec, CASE and PASE establishment needs to happen via unauthenticated messages. We should ignore Sigma1 or PBKDFParamsRequest received over a CASE or PASE (or group) session. --- src/protocols/secure_channel/CASEServer.cpp | 9 ++++++++- src/protocols/secure_channel/PASESession.cpp | 7 +++++++ src/transport/Session.h | 2 ++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/protocols/secure_channel/CASEServer.cpp b/src/protocols/secure_channel/CASEServer.cpp index 221ca831eb5dc9..b0d74694a5196b 100644 --- a/src/protocols/secure_channel/CASEServer.cpp +++ b/src/protocols/secure_channel/CASEServer.cpp @@ -73,7 +73,14 @@ CHIP_ERROR CASEServer::OnUnsolicitedMessageReceived(const PayloadHeader & payloa CHIP_ERROR CASEServer::OnMessageReceived(Messaging::ExchangeContext * ec, const PayloadHeader & payloadHeader, System::PacketBufferHandle && payload) { - ChipLogProgress(Inet, "CASE Server received Sigma1 message. Starting handshake. EC %p", ec); + if (!ec->GetSessionHandle()->IsUnauthenticatedSession()) + { + ChipLogError(Inet, "CASE Server received Sigma1 message %s EC %p", "over encrypted session. Ignoring.", ec); + return CHIP_ERROR_INCORRECT_STATE; + } + + ChipLogProgress(Inet, "CASE Server received Sigma1 message %s EC %p", ". Starting handshake.", ec); + CHIP_ERROR err = InitCASEHandshake(ec); SuccessOrExit(err); diff --git a/src/protocols/secure_channel/PASESession.cpp b/src/protocols/secure_channel/PASESession.cpp index 9be51e42ed90e2..603c7ac51d1fdc 100644 --- a/src/protocols/secure_channel/PASESession.cpp +++ b/src/protocols/secure_channel/PASESession.cpp 
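Review bot: Passing the outcome through `%s` in CASEServer::OnMessageReceived makes the success log read "CASE Server received Sigma1 message . Starting handshake. EC …", with a stray space before the period, and nothing explains why both calls share one format string. If the sharing is deliberate (presumably so the format is stored once), a comment above the `if` should say so, for example `// Both logs share one format string; the outcome text is passed as %s.`, and the argument could become `"- starting handshake."` so the sentence reads cleanly. The diffstat lists no test file, so the rejection path is unpinned: a unit test should deliver Sigma1 on a secure or group session and assert `CHIP_ERROR_INCORRECT_STATE` is returned before `InitCASEHandshake` runs. The function body continues outside the hunk.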
@@ -794,6 +794,13 @@ CHIP_ERROR PASESession::ValidateReceivedMessage(ExchangeContext * exchange, cons { mExchangeCtxt = exchange; } + + if (!mExchangeCtxt->GetSessionHandle()->IsUnauthenticatedSession()) + { + ChipLogError(SecureChannel, "PASESession received PBKDFParamRequest over encrypted session. Ignoring."); + return CHIP_ERROR_INCORRECT_STATE; + } + mExchangeCtxt->UseSuggestedResponseTimeout(kExpectedHighProcessingTime); VerifyOrReturnError(!msg.IsNull(), CHIP_ERROR_INVALID_ARGUMENT); diff --git a/src/transport/Session.h b/src/transport/Session.h index a05c27f1f7ca3b..29ebf593a9b5e3 100644 --- a/src/transport/Session.h +++ b/src/transport/Session.h @@ -222,6 +222,8 @@ class Session bool IsSecureSession() const { return GetSessionType() == SessionType::kSecure; } + bool IsUnauthenticatedSession() const { return GetSessionType() == SessionType::kUnauthenticated; } + void DispatchSessionEvent(SessionDelegate::Event event) { // Holders might remove themselves when notified.
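Review bot: The new session-type check in PASESession::ValidateReceivedMessage runs after `mExchangeCtxt = exchange;` in the `else` branch directly above it, so a request rejected here has already been stored as the session's exchange. Whether that member is reset depends on how the caller handles `CHIP_ERROR_INCORRECT_STATE`, which is outside the hunk. Testing the incoming pointer before it is stored removes that dependency: `if (!exchange->GetSessionHandle()->IsUnauthenticatedSession())`, placed ahead of the `if`/`else` that assigns `mExchangeCtxt` and after whatever null check the function performs on `exchange`. The function starts and ends outside the hunk, so this placement should be confirmed against the full body.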
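Review bot: `IsUnauthenticatedSession()` sits next to `IsSecureSession()` and reads like its negation, but each compares against a single `SessionType` value, and the commit message indicates group sessions exist as well, so a session can fail both. A one-line comment would stop a later caller from substituting `!IsSecureSession()` in an establishment guard and letting group sessions through: `// True only for SessionType::kUnauthenticated; not equivalent to !IsSecureSession() (group sessions are neither).`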