Merge pull request #761 from KNX-IOT/enable-replay

enable replay protection by default

Author: WAvdBeek

CMakeLists.txt

@@ -30,7 +30,7 @@ set(OC_LOG_TO_FILE_ENABLED OFF CACHE BOOL "redirect debug messages to file")
 set(CLANG_TIDY_ENABLED OFF CACHE BOOL "Enable clang-tidy analysis during compilation.")
 set(OC_USE_STORAGE ON CACHE BOOL "Persistent storage of data.")
 set(OC_USE_MULTICAST_SCOPE_2 ON CACHE BOOL "devices send also group multicast events with scope2.")
-set(OC_REPLAY_PROTECTION_ENABLED OFF CACHE BOOL "Enable replay protection using the Echo option")
+set(OC_REPLAY_PROTECTION_ENABLED ON CACHE BOOL "Enable replay protection using the Echo option")
 
 set(KNX_BUILTIN_MBEDTLS ON CACHE BOOL "Use built-in mbedTLS, as opposed to external lib from different project")
 set(KNX_BUILTIN_TINYCBOR ON CACHE BOOL "Use built-in TinyCBOR, as opposed to external lib from different project")

api/oc_replay.c

@@ -187,7 +187,13 @@ oc_replay_check_client(uint64_t rx_ssn, oc_string_t rx_kid,
       // slide the window and accept the packet
       rec->rx_ssn = rx_ssn;
       // ssn_diff is negative in this side of the if
-      rec->window = rec->window << (-ssn_diff);
+      // note that shifting by an amount greater than the size of the type
+      // is undefined behaviour, so we must zero the window manually here
+      if (-ssn_diff >= sizeof(rec->window) * 8)
+        rec->window = 0;
+      else
+        rec->window = rec->window << (-ssn_diff);
+
       // set bit 1, indicating ssn rec->rx_ssn has been received
       rec->window |= 1;
       return true;

messaging/coap/engine.c

@@ -516,7 +516,7 @@ coap_receive(oc_message_t *msg)
         }
       }
 
-#ifdef OC_REPLAY_PROTECTION
+#if defined(OC_REPLAY_PROTECTION) && defined(OC_OSCORE)
       bool client_is_sync = true;
       oc_string_t kid = { 0 };
       oc_string_t kid_ctx = { 0 };