search

eriptic / uoscore-uedhoc

C implementations for constrained (and non-constrained) devices of the IETF protocols OSCORE and EDHOC
Other
15 stars 15 forks source link

EDHOC- method type not checked #43

Closed sabor12345 closed 9 months ago

sabor12345 commented 1 year ago

Hi!

Version: v2.1.4 in samples/linux_edhoc and default configurations without any modifications only commenting out the AddressSanitizer in the makefile in responder and initiator.

# use AddressSanitizer to find memory bugs
# comment this out for better speed
#CFLAGS += -fsanitize=address -fno-omit-frame-pointer
#CXXFLAGS += -fsanitize=address -fno-omit-frame-pointer
#LDFLAGS += -fsanitize=address -static-libasan

According to the RFC only method types: 0, 1, 2, and 3 are valid. When i modify the method type in message 1 and send it, the responder and initiator complete the protocol even if the method type is 8. 

m1._message_1_METHOD=8;
TRY_EXPECT(cbor_encode_message_1(rc->msg, rc->msg_len, &m1, &payload_len_out),
true);
rc->msg_len = (uint32_t)payload_len_out;

Initiator creating message 1:

msg1

Responder receving message 1:

image

Sincerely Sabor