Renew challenge on expiry
This commit is contained in:
Christoph Hagen
@ -116,7 +116,7 @@ void SesameController::sendPreparedResponseToServer() {
|
||||
void SesameController::processMessage(SignedMessage* message) {
|
||||
// Result must be empty
|
||||
if (message->message.result != MessageResult::MessageAccepted) {
|
||||
prepareResponseBuffer(MessageResult::ClientChallengeInvalid);
|
||||
prepareResponseBuffer(MessageResult::InvalidMessageResult);
|
||||
return;
|
||||
}
|
||||
if (!isAuthenticMessage(message, keyConfig.remoteKey)) {
|
||||
@ -125,7 +125,7 @@ void SesameController::processMessage(SignedMessage* message) {
|
||||
}
|
||||
switch (message->message.messageType) {
|
||||
case MessageType::initial:
|
||||
prepareChallenge(&message->message);
|
||||
checkAndPrepareChallenge(&message->message);
|
||||
return;
|
||||
case MessageType::request:
|
||||
completeUnlockRequest(&message->message);
|
||||
@ -136,12 +136,16 @@ void SesameController::processMessage(SignedMessage* message) {
|
||||
}
|
||||
}
|
||||
|
||||
void SesameController::prepareChallenge(Message* message) {
|
||||
void SesameController::checkAndPrepareChallenge(Message* message) {
|
||||
// Server challenge must be empty
|
||||
if (message->serverChallenge != 0) {
|
||||
prepareResponseBuffer(MessageResult::ClientChallengeInvalid);
|
||||
return;
|
||||
}
|
||||
prepareChallenge(message);
|
||||
}
|
||||
|
||||
void SesameController::prepareChallenge(Message* message) {
|
||||
if (hasCurrentChallenge()) {
|
||||
Serial.println("[INFO] Overwriting old challenge");
|
||||
}
|
||||
@ -155,10 +159,6 @@ void SesameController::prepareChallenge(Message* message) {
|
||||
}
|
||||
|
||||
void SesameController::completeUnlockRequest(Message* message) {
|
||||
if (!hasCurrentChallenge()) {
|
||||
prepareResponseBuffer(MessageResult::ClientChallengeInvalid, message);
|
||||
return;
|
||||
}
|
||||
// Client and server challenge must match
|
||||
if (message->clientChallenge != currentClientChallenge) {
|
||||
prepareResponseBuffer(MessageResult::ClientChallengeInvalid, message);
|
||||
@ -168,6 +168,15 @@ void SesameController::completeUnlockRequest(Message* message) {
|
||||
prepareResponseBuffer(MessageResult::ServerChallengeMismatch, message);
|
||||
return;
|
||||
}
|
||||
if (!hasCurrentChallenge()) {
|
||||
// Directly send new challenge on expiry, since rest of message is valid
|
||||
// This allows the remote to directly try again without requesting a new challenge.
|
||||
// Security note: The client nonce is reused in this case, but an attacker would still
|
||||
// not be able to create a valid unlock request due to the new server nonce.
|
||||
prepareChallenge(message);
|
||||
return;
|
||||
}
|
||||
|
||||
clearCurrentChallenge();
|
||||
|
||||
// Move servo
|
||||
|
||||
Reference in New Issue
Block a user