llsec: Permit dynamic security levels
This commit is contained in:
parent
0379af3624
commit
10d8b05bc6
@ -78,13 +78,6 @@
|
|||||||
#define NETSTACK_CONF_LLSEC nullsec_driver
|
#define NETSTACK_CONF_LLSEC nullsec_driver
|
||||||
#endif /* NETSTACK_CONF_LLSEC */
|
#endif /* NETSTACK_CONF_LLSEC */
|
||||||
|
|
||||||
/* To avoid unnecessary complexity, we assume the common case of
|
|
||||||
a constant LoWPAN-wide IEEE 802.15.4 security level, which
|
|
||||||
can be specified by defining LLSEC802154_CONF_SECURITY_LEVEL. */
|
|
||||||
#ifndef LLSEC802154_CONF_SECURITY_LEVEL
|
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 0
|
|
||||||
#endif /* LLSEC802154_CONF_SECURITY_LEVEL */
|
|
||||||
|
|
||||||
/* NETSTACK_CONF_NETWORK specifies the network layer and can be either
|
/* NETSTACK_CONF_NETWORK specifies the network layer and can be either
|
||||||
sicslowpan_driver, for IPv6 networking, or rime_driver, for the
|
sicslowpan_driver, for IPv6 networking, or rime_driver, for the
|
||||||
custom Rime network stack. */
|
custom Rime network stack. */
|
||||||
|
@ -44,7 +44,7 @@
|
|||||||
#include "net/llsec/llsec802154.h"
|
#include "net/llsec/llsec802154.h"
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL && LLSEC802154_USES_FRAME_COUNTER
|
#if LLSEC802154_USES_AUX_HEADER && LLSEC802154_USES_FRAME_COUNTER
|
||||||
|
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
static const uint8_t *
|
static const uint8_t *
|
||||||
@ -79,4 +79,4 @@ ccm_star_packetbuf_set_nonce(uint8_t *nonce, int forward)
|
|||||||
nonce[12] = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL);
|
nonce[12] = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL);
|
||||||
}
|
}
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL && LLSEC802154_USES_FRAME_COUNTER */
|
#endif /* LLSEC802154_USES_AUX_HEADER && LLSEC802154_USES_FRAME_COUNTER */
|
||||||
|
@ -56,28 +56,13 @@
|
|||||||
#include "net/mac/frame802154.h"
|
#include "net/mac/frame802154.h"
|
||||||
#include "net/ip/uip.h"
|
#include "net/ip/uip.h"
|
||||||
|
|
||||||
#ifdef LLSEC802154_CONF_SECURITY_LEVEL
|
#ifdef LLSEC802154_CONF_ENABLED
|
||||||
#define LLSEC802154_SECURITY_LEVEL LLSEC802154_CONF_SECURITY_LEVEL
|
#define LLSEC802154_ENABLED LLSEC802154_CONF_ENABLED
|
||||||
#else /* LLSEC802154_CONF_SECURITY_LEVEL */
|
#else /* LLSEC802154_CONF_ENABLED */
|
||||||
#define LLSEC802154_SECURITY_LEVEL FRAME802154_SECURITY_LEVEL_NONE
|
#define LLSEC802154_ENABLED 0
|
||||||
#endif /* LLSEC802154_CONF_SECURITY_LEVEL */
|
#endif /* LLSEC802154_CONF_ENABLED */
|
||||||
|
|
||||||
#if ((LLSEC802154_SECURITY_LEVEL < 0) || (LLSEC802154_SECURITY_LEVEL > 7))
|
#define LLSEC802154_MIC_LEN(sec_lvl) (2 << (sec_lvl & 3))
|
||||||
#error "unsupported security level"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#define LLSEC802154_SECURITY_LEVEL_MIC (LLSEC802154_SECURITY_LEVEL & 3)
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL_MIC
|
|
||||||
#define LLSEC802154_MIC_LENGTH (2 << LLSEC802154_SECURITY_LEVEL_MIC)
|
|
||||||
#else
|
|
||||||
#define LLSEC802154_MIC_LENGTH 0
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef LLSEC802154_CONF_USES_ENCRYPTION
|
|
||||||
#define LLSEC802154_USES_ENCRYPTION LLSEC802154_CONF_USES_ENCRYPTION
|
|
||||||
#else /* LLSEC802154_CONF_USES_ENCRYPTION */
|
|
||||||
#define LLSEC802154_USES_ENCRYPTION (LLSEC802154_SECURITY_LEVEL & (1 << 2))
|
|
||||||
#endif /* LLSEC802154_CONF_USES_ENCRYPTION */
|
|
||||||
|
|
||||||
#ifdef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
#ifdef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
||||||
#define LLSEC802154_USES_EXPLICIT_KEYS LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
#define LLSEC802154_USES_EXPLICIT_KEYS LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
||||||
@ -88,9 +73,15 @@
|
|||||||
#ifdef LLSEC802154_CONF_USES_FRAME_COUNTER
|
#ifdef LLSEC802154_CONF_USES_FRAME_COUNTER
|
||||||
#define LLSEC802154_USES_FRAME_COUNTER LLSEC802154_CONF_USES_FRAME_COUNTER
|
#define LLSEC802154_USES_FRAME_COUNTER LLSEC802154_CONF_USES_FRAME_COUNTER
|
||||||
#else /* LLSEC802154_CONF_USES_FRAME_COUNTER */
|
#else /* LLSEC802154_CONF_USES_FRAME_COUNTER */
|
||||||
#define LLSEC802154_USES_FRAME_COUNTER (LLSEC802154_SECURITY_LEVEL != FRAME802154_SECURITY_LEVEL_NONE)
|
#define LLSEC802154_USES_FRAME_COUNTER LLSEC802154_ENABLED
|
||||||
#endif /* LLSEC802154_CONF_USES_FRAME_COUNTER */
|
#endif /* LLSEC802154_CONF_USES_FRAME_COUNTER */
|
||||||
|
|
||||||
|
#ifdef LLSEC802154_CONF_USES_AUX_HEADER
|
||||||
|
#define LLSEC802154_USES_AUX_HEADER LLSEC802154_CONF_USES_AUX_HEADER
|
||||||
|
#else /* LLSEC802154_CONF_USES_AUX_HEADER */
|
||||||
|
#define LLSEC802154_USES_AUX_HEADER LLSEC802154_ENABLED
|
||||||
|
#endif /* LLSEC802154_CONF_USES_AUX_HEADER */
|
||||||
|
|
||||||
#if UIP_BYTE_ORDER == UIP_LITTLE_ENDIAN
|
#if UIP_BYTE_ORDER == UIP_LITTLE_ENDIAN
|
||||||
#define LLSEC802154_HTONS(n) (n)
|
#define LLSEC802154_HTONS(n) (n)
|
||||||
#define LLSEC802154_HTONL(n) (n)
|
#define LLSEC802154_HTONL(n) (n)
|
||||||
|
@ -55,7 +55,14 @@
|
|||||||
#include "lib/ccm-star.h"
|
#include "lib/ccm-star.h"
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
#define WITH_ENCRYPTION (LLSEC802154_SECURITY_LEVEL & (1 << 2))
|
#ifdef NONCORESEC_CONF_SEC_LVL
|
||||||
|
#define SEC_LVL NONCORESEC_CONF_SEC_LVL
|
||||||
|
#else /* NONCORESEC_CONF_SEC_LVL */
|
||||||
|
#define SEC_LVL 2
|
||||||
|
#endif /* NONCORESEC_CONF_SEC_LVL */
|
||||||
|
|
||||||
|
#define WITH_ENCRYPTION (SEC_LVL & (1 << 2))
|
||||||
|
#define MIC_LEN LLSEC802154_MIC_LEN(SEC_LVL)
|
||||||
|
|
||||||
#ifdef NONCORESEC_CONF_KEY
|
#ifdef NONCORESEC_CONF_KEY
|
||||||
#define NONCORESEC_KEY NONCORESEC_CONF_KEY
|
#define NONCORESEC_KEY NONCORESEC_CONF_KEY
|
||||||
@ -76,7 +83,7 @@
|
|||||||
#define PRINTF(...)
|
#define PRINTF(...)
|
||||||
#endif /* DEBUG */
|
#endif /* DEBUG */
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL && LLSEC802154_USES_FRAME_COUNTER
|
#if LLSEC802154_USES_AUX_HEADER && SEC_LVL && LLSEC802154_USES_FRAME_COUNTER
|
||||||
|
|
||||||
/* network-wide CCM* key */
|
/* network-wide CCM* key */
|
||||||
static uint8_t key[16] = NONCORESEC_KEY;
|
static uint8_t key[16] = NONCORESEC_KEY;
|
||||||
@ -93,7 +100,7 @@ aead(uint8_t hdrlen, int forward)
|
|||||||
uint8_t *a;
|
uint8_t *a;
|
||||||
uint8_t a_len;
|
uint8_t a_len;
|
||||||
uint8_t *result;
|
uint8_t *result;
|
||||||
uint8_t generated_mic[LLSEC802154_MIC_LENGTH];
|
uint8_t generated_mic[MIC_LEN];
|
||||||
uint8_t *mic;
|
uint8_t *mic;
|
||||||
|
|
||||||
ccm_star_packetbuf_set_nonce(nonce, forward);
|
ccm_star_packetbuf_set_nonce(nonce, forward);
|
||||||
@ -115,14 +122,14 @@ aead(uint8_t hdrlen, int forward)
|
|||||||
CCM_STAR.aead(nonce,
|
CCM_STAR.aead(nonce,
|
||||||
m, m_len,
|
m, m_len,
|
||||||
a, a_len,
|
a, a_len,
|
||||||
result, LLSEC802154_MIC_LENGTH,
|
result, MIC_LEN,
|
||||||
forward);
|
forward);
|
||||||
|
|
||||||
if(forward) {
|
if(forward) {
|
||||||
packetbuf_set_datalen(packetbuf_datalen() + LLSEC802154_MIC_LENGTH);
|
packetbuf_set_datalen(packetbuf_datalen() + MIC_LEN);
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
return (memcmp(generated_mic, mic, LLSEC802154_MIC_LENGTH) == 0);
|
return (memcmp(generated_mic, mic, MIC_LEN) == 0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
@ -131,7 +138,7 @@ add_security_header(void)
|
|||||||
{
|
{
|
||||||
if(!packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL)) {
|
if(!packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL)) {
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, LLSEC802154_SECURITY_LEVEL);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, SEC_LVL);
|
||||||
anti_replay_set_counter();
|
anti_replay_set_counter();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -170,7 +177,7 @@ parse(void)
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) != LLSEC802154_SECURITY_LEVEL) {
|
if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) != SEC_LVL) {
|
||||||
PRINTF("noncoresec: received frame with wrong security level\n");
|
PRINTF("noncoresec: received frame with wrong security level\n");
|
||||||
return FRAMER_FAILED;
|
return FRAMER_FAILED;
|
||||||
}
|
}
|
||||||
@ -180,7 +187,7 @@ parse(void)
|
|||||||
return FRAMER_FAILED;
|
return FRAMER_FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
packetbuf_set_datalen(packetbuf_datalen() - LLSEC802154_MIC_LENGTH);
|
packetbuf_set_datalen(packetbuf_datalen() - MIC_LEN);
|
||||||
|
|
||||||
if(!aead(result, 0)) {
|
if(!aead(result, 0)) {
|
||||||
PRINTF("noncoresec: received unauthentic frame %"PRIu32"\n",
|
PRINTF("noncoresec: received unauthentic frame %"PRIu32"\n",
|
||||||
@ -235,7 +242,7 @@ static int
|
|||||||
length(void)
|
length(void)
|
||||||
{
|
{
|
||||||
add_security_header();
|
add_security_header();
|
||||||
return framer_802154.length() + LLSEC802154_MIC_LENGTH;
|
return framer_802154.length() + MIC_LEN;
|
||||||
}
|
}
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
static void
|
static void
|
||||||
@ -258,6 +265,6 @@ const struct framer noncoresec_framer = {
|
|||||||
parse
|
parse
|
||||||
};
|
};
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL && LLSEC802154_USES_FRAME_COUNTER */
|
#endif /* LLSEC802154_USES_AUX_HEADER && SEC_LVL && LLSEC802154_USES_FRAME_COUNTER */
|
||||||
|
|
||||||
/** @} */
|
/** @} */
|
||||||
|
@ -102,7 +102,7 @@ addr_len(uint8_t mode)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
/*----------------------------------------------------------------------------*/
|
/*----------------------------------------------------------------------------*/
|
||||||
#if LLSEC802154_USES_EXPLICIT_KEYS
|
#if LLSEC802154_USES_AUX_HEADER && LLSEC802154_USES_EXPLICIT_KEYS
|
||||||
static uint8_t
|
static uint8_t
|
||||||
get_key_id_len(uint8_t key_id_mode)
|
get_key_id_len(uint8_t key_id_mode)
|
||||||
{
|
{
|
||||||
@ -117,7 +117,7 @@ get_key_id_len(uint8_t key_id_mode)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_AUX_HEADER && LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
/* Get current PAN ID */
|
/* Get current PAN ID */
|
||||||
uint16_t
|
uint16_t
|
||||||
@ -317,7 +317,7 @@ field_len(frame802154_t *p, field_length_t *flen)
|
|||||||
flen->dest_addr_len = addr_len(p->fcf.dest_addr_mode & 3);
|
flen->dest_addr_len = addr_len(p->fcf.dest_addr_mode & 3);
|
||||||
flen->src_addr_len = addr_len(p->fcf.src_addr_mode & 3);
|
flen->src_addr_len = addr_len(p->fcf.src_addr_mode & 3);
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
/* Aux security header */
|
/* Aux security header */
|
||||||
if(p->fcf.security_enabled & 1) {
|
if(p->fcf.security_enabled & 1) {
|
||||||
flen->aux_sec_len = 1; /* FCF + possibly frame counter and key ID */
|
flen->aux_sec_len = 1; /* FCF + possibly frame counter and key ID */
|
||||||
@ -333,7 +333,7 @@ field_len(frame802154_t *p, field_length_t *flen)
|
|||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
;
|
;
|
||||||
}
|
}
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
}
|
}
|
||||||
/*----------------------------------------------------------------------------*/
|
/*----------------------------------------------------------------------------*/
|
||||||
/**
|
/**
|
||||||
@ -418,7 +418,7 @@ frame802154_create(frame802154_t *p, uint8_t *buf)
|
|||||||
for(c = flen.src_addr_len; c > 0; c--) {
|
for(c = flen.src_addr_len; c > 0; c--) {
|
||||||
buf[pos++] = p->src_addr[c - 1];
|
buf[pos++] = p->src_addr[c - 1];
|
||||||
}
|
}
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
/* Aux header */
|
/* Aux header */
|
||||||
if(flen.aux_sec_len) {
|
if(flen.aux_sec_len) {
|
||||||
buf[pos++] = p->aux_hdr.security_control.security_level
|
buf[pos++] = p->aux_hdr.security_control.security_level
|
||||||
@ -447,7 +447,7 @@ frame802154_create(frame802154_t *p, uint8_t *buf)
|
|||||||
}
|
}
|
||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
}
|
}
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
|
|
||||||
return (int)pos;
|
return (int)pos;
|
||||||
}
|
}
|
||||||
@ -570,7 +570,7 @@ frame802154_parse(uint8_t *data, int len, frame802154_t *pf)
|
|||||||
pf->src_pid = 0;
|
pf->src_pid = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
if(fcf.security_enabled) {
|
if(fcf.security_enabled) {
|
||||||
pf->aux_hdr.security_control.security_level = p[0] & 7;
|
pf->aux_hdr.security_control.security_level = p[0] & 7;
|
||||||
#if LLSEC802154_USES_EXPLICIT_KEYS
|
#if LLSEC802154_USES_EXPLICIT_KEYS
|
||||||
@ -599,7 +599,7 @@ frame802154_parse(uint8_t *data, int len, frame802154_t *pf)
|
|||||||
}
|
}
|
||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
}
|
}
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
|
|
||||||
/* header length */
|
/* header length */
|
||||||
c = p - data;
|
c = p - data;
|
||||||
|
@ -98,7 +98,7 @@ create_frame(int type, int do_create)
|
|||||||
/* Insert IEEE 802.15.4 version bits. */
|
/* Insert IEEE 802.15.4 version bits. */
|
||||||
params.fcf.frame_version = FRAME802154_VERSION;
|
params.fcf.frame_version = FRAME802154_VERSION;
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL)) {
|
if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL)) {
|
||||||
params.fcf.security_enabled = 1;
|
params.fcf.security_enabled = 1;
|
||||||
}
|
}
|
||||||
@ -116,7 +116,7 @@ create_frame(int type, int do_create)
|
|||||||
params.aux_hdr.key_index = packetbuf_attr(PACKETBUF_ATTR_KEY_INDEX);
|
params.aux_hdr.key_index = packetbuf_attr(PACKETBUF_ATTR_KEY_INDEX);
|
||||||
params.aux_hdr.key_source.u16[0] = packetbuf_attr(PACKETBUF_ATTR_KEY_SOURCE_BYTES_0_1);
|
params.aux_hdr.key_source.u16[0] = packetbuf_attr(PACKETBUF_ATTR_KEY_SOURCE_BYTES_0_1);
|
||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
|
|
||||||
/* Increment and set the data sequence number. */
|
/* Increment and set the data sequence number. */
|
||||||
if(!do_create) {
|
if(!do_create) {
|
||||||
@ -238,7 +238,7 @@ parse(void)
|
|||||||
packetbuf_set_attr(PACKETBUF_ATTR_PACKET_ID, frame.seq);
|
packetbuf_set_attr(PACKETBUF_ATTR_PACKET_ID, frame.seq);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
if(frame.fcf.security_enabled) {
|
if(frame.fcf.security_enabled) {
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, frame.aux_hdr.security_control.security_level);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, frame.aux_hdr.security_control.security_level);
|
||||||
#if LLSEC802154_USES_FRAME_COUNTER
|
#if LLSEC802154_USES_FRAME_COUNTER
|
||||||
@ -251,7 +251,7 @@ parse(void)
|
|||||||
packetbuf_set_attr(PACKETBUF_ATTR_KEY_SOURCE_BYTES_0_1, frame.aux_hdr.key_source.u16[0]);
|
packetbuf_set_attr(PACKETBUF_ATTR_KEY_SOURCE_BYTES_0_1, frame.aux_hdr.key_source.u16[0]);
|
||||||
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
#endif /* LLSEC802154_USES_EXPLICIT_KEYS */
|
||||||
}
|
}
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
|
|
||||||
PRINTF("15.4-IN: %2X", frame.fcf.frame_type);
|
PRINTF("15.4-IN: %2X", frame.fcf.frame_type);
|
||||||
PRINTADDR(packetbuf_addr(PACKETBUF_ADDR_SENDER));
|
PRINTADDR(packetbuf_addr(PACKETBUF_ADDR_SENDER));
|
||||||
|
@ -51,7 +51,7 @@
|
|||||||
frame because it has seen its sequence number already. Replay
|
frame because it has seen its sequence number already. Replay
|
||||||
protection should be implemented at the LLSEC layer where the
|
protection should be implemented at the LLSEC layer where the
|
||||||
authenticity of frames is verified. */
|
authenticity of frames is verified. */
|
||||||
#define RDC_WITH_DUPLICATE_DETECTION !LLSEC802154_CONF_SECURITY_LEVEL
|
#define RDC_WITH_DUPLICATE_DETECTION !LLSEC802154_CONF_ENABLED
|
||||||
#endif /* RDC_CONF_WITH_DUPLICATE_DETECTION */
|
#endif /* RDC_CONF_WITH_DUPLICATE_DETECTION */
|
||||||
|
|
||||||
/* List of packets to be sent by RDC layer */
|
/* List of packets to be sent by RDC layer */
|
||||||
|
@ -128,8 +128,10 @@ To configure TSCH, see the macros in `.h` files under `core/net/mac/tsch/` and r
|
|||||||
To include TSCH standard-compliant security, set the following:
|
To include TSCH standard-compliant security, set the following:
|
||||||
```
|
```
|
||||||
/* Enable security */
|
/* Enable security */
|
||||||
#undef LLSEC802154_CONF_SECURITY_LEVEL
|
#undef LLSEC802154_CONF_ENABLED
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 1
|
#define LLSEC802154_CONF_ENABLED 1
|
||||||
|
#undef TSCH_SECURITY_CONF_LEVEL
|
||||||
|
#define TSCH_SECURITY_CONF_LEVEL 1
|
||||||
/* TSCH uses explicit keys to identify k1 and k2 */
|
/* TSCH uses explicit keys to identify k1 and k2 */
|
||||||
#undef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
#undef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
||||||
#define LLSEC802154_CONF_USES_EXPLICIT_KEYS 1
|
#define LLSEC802154_CONF_USES_EXPLICIT_KEYS 1
|
||||||
|
@ -94,7 +94,7 @@ tsch_packet_create_eack(uint8_t *buf, int buf_size,
|
|||||||
p.src_pid = IEEE802154_PANID;
|
p.src_pid = IEEE802154_PANID;
|
||||||
linkaddr_copy((linkaddr_t *)&p.src_addr, &linkaddr_node_addr);
|
linkaddr_copy((linkaddr_t *)&p.src_addr, &linkaddr_node_addr);
|
||||||
#endif
|
#endif
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
p.fcf.security_enabled = 1;
|
p.fcf.security_enabled = 1;
|
||||||
p.aux_hdr.security_control.security_level = TSCH_SECURITY_KEY_SEC_LEVEL_ACK;
|
p.aux_hdr.security_control.security_level = TSCH_SECURITY_KEY_SEC_LEVEL_ACK;
|
||||||
@ -103,7 +103,7 @@ tsch_packet_create_eack(uint8_t *buf, int buf_size,
|
|||||||
p.aux_hdr.security_control.frame_counter_size = 1;
|
p.aux_hdr.security_control.frame_counter_size = 1;
|
||||||
p.aux_hdr.key_index = TSCH_SECURITY_KEY_INDEX_ACK;
|
p.aux_hdr.key_index = TSCH_SECURITY_KEY_INDEX_ACK;
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
if((curr_len = frame802154_create(&p, buf)) == 0) {
|
if((curr_len = frame802154_create(&p, buf)) == 0) {
|
||||||
return 0;
|
return 0;
|
||||||
@ -166,13 +166,13 @@ tsch_packet_parse_eack(const uint8_t *buf, int buf_size,
|
|||||||
|
|
||||||
if(frame->fcf.ie_list_present) {
|
if(frame->fcf.ie_list_present) {
|
||||||
int mic_len = 0;
|
int mic_len = 0;
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
/* Check if there is space for the security MIC (if any) */
|
/* Check if there is space for the security MIC (if any) */
|
||||||
mic_len = tsch_security_mic_len(frame);
|
mic_len = tsch_security_mic_len(frame);
|
||||||
if(buf_size < curr_len + mic_len) {
|
if(buf_size < curr_len + mic_len) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
/* Parse information elements. We need to substract the MIC length, as the exact payload len is needed while parsing */
|
/* Parse information elements. We need to substract the MIC length, as the exact payload len is needed while parsing */
|
||||||
if((ret = frame802154e_parse_information_elements(buf + curr_len, buf_size - curr_len - mic_len, ies)) == -1) {
|
if((ret = frame802154e_parse_information_elements(buf + curr_len, buf_size - curr_len - mic_len, ies)) == -1) {
|
||||||
return 0;
|
return 0;
|
||||||
@ -222,7 +222,7 @@ tsch_packet_create_eb(uint8_t *buf, int buf_size, uint8_t seqno,
|
|||||||
p.dest_addr[0] = 0xff;
|
p.dest_addr[0] = 0xff;
|
||||||
p.dest_addr[1] = 0xff;
|
p.dest_addr[1] = 0xff;
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
p.fcf.security_enabled = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) > 0;
|
p.fcf.security_enabled = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) > 0;
|
||||||
p.aux_hdr.security_control.security_level = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL);
|
p.aux_hdr.security_control.security_level = packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL);
|
||||||
@ -231,7 +231,7 @@ tsch_packet_create_eb(uint8_t *buf, int buf_size, uint8_t seqno,
|
|||||||
p.aux_hdr.security_control.frame_counter_size = 1;
|
p.aux_hdr.security_control.frame_counter_size = 1;
|
||||||
p.aux_hdr.key_index = packetbuf_attr(PACKETBUF_ATTR_KEY_INDEX);
|
p.aux_hdr.key_index = packetbuf_attr(PACKETBUF_ATTR_KEY_INDEX);
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
if((curr_len = frame802154_create(&p, buf)) == 0) {
|
if((curr_len = frame802154_create(&p, buf)) == 0) {
|
||||||
return 0;
|
return 0;
|
||||||
@ -387,14 +387,14 @@ tsch_packet_parse_eb(const uint8_t *buf, int buf_size,
|
|||||||
if(frame->fcf.ie_list_present) {
|
if(frame->fcf.ie_list_present) {
|
||||||
/* Calculate space needed for the security MIC, if any, before attempting to parse IEs */
|
/* Calculate space needed for the security MIC, if any, before attempting to parse IEs */
|
||||||
int mic_len = 0;
|
int mic_len = 0;
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(!frame_without_mic) {
|
if(!frame_without_mic) {
|
||||||
mic_len = tsch_security_mic_len(frame);
|
mic_len = tsch_security_mic_len(frame);
|
||||||
if(buf_size < curr_len + mic_len) {
|
if(buf_size < curr_len + mic_len) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
/* Parse information elements. We need to substract the MIC length, as the exact payload len is needed while parsing */
|
/* Parse information elements. We need to substract the MIC length, as the exact payload len is needed while parsing */
|
||||||
if((ret = frame802154e_parse_information_elements(buf + curr_len, buf_size - curr_len - mic_len, ies)) == -1) {
|
if((ret = frame802154e_parse_information_elements(buf + curr_len, buf_size - curr_len - mic_len, ies)) == -1) {
|
||||||
|
@ -39,22 +39,36 @@
|
|||||||
#include "net/mac/tsch/tsch-asn.h"
|
#include "net/mac/tsch/tsch-asn.h"
|
||||||
#include "net/mac/tsch/tsch-private.h"
|
#include "net/mac/tsch/tsch-private.h"
|
||||||
#include "net/mac/frame802154.h"
|
#include "net/mac/frame802154.h"
|
||||||
|
#include "net/llsec/llsec802154.h"
|
||||||
#include "net/mac/frame802154e-ie.h"
|
#include "net/mac/frame802154e-ie.h"
|
||||||
|
|
||||||
/******** Configuration *******/
|
/******** Configuration *******/
|
||||||
|
|
||||||
/* To enable TSCH security:
|
/* To enable TSCH security:
|
||||||
* - set LLSEC802154_CONF_SECURITY_LEVEL
|
* - set LLSEC802154_CONF_ENABLED
|
||||||
|
* - set TSCH_SECURITY_CONF_LEVEL
|
||||||
* - set LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
* - set LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
||||||
* - unset LLSEC802154_CONF_USES_FRAME_COUNTER
|
* - unset LLSEC802154_CONF_USES_FRAME_COUNTER
|
||||||
* */
|
* */
|
||||||
#define TSCH_SECURITY_ENABLED (LLSEC802154_CONF_SECURITY_LEVEL != 0)
|
|
||||||
#if TSCH_SECURITY_ENABLED && !LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
#ifdef TSCH_SECURITY_CONF_LEVEL
|
||||||
#error TSCH_SECURITY_ENABLED set but LLSEC802154_CONF_USES_EXPLICIT_KEYS unset
|
#define TSCH_SECURITY_LEVEL TSCH_SECURITY_CONF_LEVEL
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#else /* TSCH_SECURITY_CONF_LEVEL */
|
||||||
#if TSCH_SECURITY_ENABLED && LLSEC802154_CONF_USES_FRAME_COUNTER
|
#define TSCH_SECURITY_LEVEL FRAME802154_SECURITY_LEVEL_NONE
|
||||||
#error TSCH_SECURITY_ENABLED set but LLSEC802154_CONF_USES_FRAME_COUNTER set
|
#endif /* TSCH_SECURITY_CONF_LEVEL */
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
|
||||||
|
#if LLSEC802154_ENABLED && !TSCH_SECURITY_LEVEL
|
||||||
|
#error LLSEC802154_ENABLED set but TSCH_SECURITY_LEVEL unset
|
||||||
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
#if !LLSEC802154_ENABLED && TSCH_SECURITY_LEVEL
|
||||||
|
#error TSCH_SECURITY_LEVEL set but LLSEC802154_ENABLED unset
|
||||||
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
#if LLSEC802154_ENABLED && !LLSEC802154_USES_EXPLICIT_KEYS
|
||||||
|
#error LLSEC802154_ENABLED set but LLSEC802154_USES_EXPLICIT_KEYS unset
|
||||||
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
#if LLSEC802154_ENABLED && LLSEC802154_USES_FRAME_COUNTER
|
||||||
|
#error LLSEC802154_ENABLED set but LLSEC802154_USES_FRAME_COUNTER set
|
||||||
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
/* K1, defined in 6TiSCH minimal, is well-known (offers no security) and used for EBs only */
|
/* K1, defined in 6TiSCH minimal, is well-known (offers no security) and used for EBs only */
|
||||||
#ifdef TSCH_SECURITY_CONF_K1
|
#ifdef TSCH_SECURITY_CONF_K1
|
||||||
|
@ -404,10 +404,10 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
} else {
|
} else {
|
||||||
/* packet payload */
|
/* packet payload */
|
||||||
static void *packet;
|
static void *packet;
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
/* encrypted payload */
|
/* encrypted payload */
|
||||||
static uint8_t encrypted_packet[TSCH_PACKET_MAX_LEN];
|
static uint8_t encrypted_packet[TSCH_PACKET_MAX_LEN];
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
/* packet payload length */
|
/* packet payload length */
|
||||||
static uint8_t packet_len;
|
static uint8_t packet_len;
|
||||||
/* packet seqno */
|
/* packet seqno */
|
||||||
@ -434,7 +434,7 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
packet_ready = 1;
|
packet_ready = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
/* If we are going to encrypt, we need to generate the output in a separate buffer and keep
|
/* If we are going to encrypt, we need to generate the output in a separate buffer and keep
|
||||||
* the original untouched. This is to allow for future retransmissions. */
|
* the original untouched. This is to allow for future retransmissions. */
|
||||||
@ -445,7 +445,7 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
packet = encrypted_packet;
|
packet = encrypted_packet;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
/* prepare packet to send: copy to radio buffer */
|
/* prepare packet to send: copy to radio buffer */
|
||||||
if(packet_ready && NETSTACK_RADIO.prepare(packet, packet_len) == 0) { /* 0 means success */
|
if(packet_ready && NETSTACK_RADIO.prepare(packet, packet_len) == 0) { /* 0 means success */
|
||||||
@ -530,7 +530,7 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
ack_len = 0;
|
ack_len = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(ack_len != 0) {
|
if(ack_len != 0) {
|
||||||
if(!tsch_security_parse_frame(ackbuf, ack_hdrlen, ack_len - ack_hdrlen - tsch_security_mic_len(&frame),
|
if(!tsch_security_parse_frame(ackbuf, ack_hdrlen, ack_len - ack_hdrlen - tsch_security_mic_len(&frame),
|
||||||
&frame, ¤t_neighbor->addr, ¤t_asn)) {
|
&frame, ¤t_neighbor->addr, ¤t_asn)) {
|
||||||
@ -544,7 +544,7 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
snprintf(log->message, sizeof(log->message),
|
snprintf(log->message, sizeof(log->message),
|
||||||
"!failed to parse ACK"));
|
"!failed to parse ACK"));
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
}
|
}
|
||||||
|
|
||||||
if(ack_len != 0) {
|
if(ack_len != 0) {
|
||||||
@ -604,11 +604,11 @@ PT_THREAD(tsch_tx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
log->tx.drift = drift_correction;
|
log->tx.drift = drift_correction;
|
||||||
log->tx.drift_used = is_drift_correction_used;
|
log->tx.drift_used = is_drift_correction_used;
|
||||||
log->tx.is_data = ((((uint8_t *)(queuebuf_dataptr(current_packet->qb)))[0]) & 7) == FRAME802154_DATAFRAME;
|
log->tx.is_data = ((((uint8_t *)(queuebuf_dataptr(current_packet->qb)))[0]) & 7) == FRAME802154_DATAFRAME;
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
log->tx.sec_level = queuebuf_attr(current_packet->qb, PACKETBUF_ATTR_SECURITY_LEVEL);
|
log->tx.sec_level = queuebuf_attr(current_packet->qb, PACKETBUF_ATTR_SECURITY_LEVEL);
|
||||||
#else /* TSCH_SECURITY_ENABLED */
|
#else /* LLSEC802154_ENABLED */
|
||||||
log->tx.sec_level = 0;
|
log->tx.sec_level = 0;
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
log->tx.dest = TSCH_LOG_ID_FROM_LINKADDR(queuebuf_addr(current_packet->qb, PACKETBUF_ADDR_RECEIVER));
|
log->tx.dest = TSCH_LOG_ID_FROM_LINKADDR(queuebuf_addr(current_packet->qb, PACKETBUF_ADDR_RECEIVER));
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -712,7 +712,7 @@ PT_THREAD(tsch_rx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
|
|
||||||
packet_duration = TSCH_PACKET_DURATION(current_input->len);
|
packet_duration = TSCH_PACKET_DURATION(current_input->len);
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
/* Decrypt and verify incoming frame */
|
/* Decrypt and verify incoming frame */
|
||||||
if(frame_valid) {
|
if(frame_valid) {
|
||||||
if(tsch_security_parse_frame(
|
if(tsch_security_parse_frame(
|
||||||
@ -731,7 +731,7 @@ PT_THREAD(tsch_rx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
"!failed to parse frame %u %u", header_len, current_input->len));
|
"!failed to parse frame %u %u", header_len, current_input->len));
|
||||||
frame_valid = 0;
|
frame_valid = 0;
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
if(frame_valid) {
|
if(frame_valid) {
|
||||||
if(linkaddr_cmp(&destination_address, &linkaddr_node_addr)
|
if(linkaddr_cmp(&destination_address, &linkaddr_node_addr)
|
||||||
@ -765,12 +765,12 @@ PT_THREAD(tsch_rx_slot(struct pt *pt, struct rtimer *t))
|
|||||||
ack_len = tsch_packet_create_eack(ack_buf, sizeof(ack_buf),
|
ack_len = tsch_packet_create_eack(ack_buf, sizeof(ack_buf),
|
||||||
&source_address, frame.seq, (int16_t)RTIMERTICKS_TO_US(estimated_drift), do_nack);
|
&source_address, frame.seq, (int16_t)RTIMERTICKS_TO_US(estimated_drift), do_nack);
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
/* Secure ACK frame. There is only header and header IEs, therefore data len == 0. */
|
/* Secure ACK frame. There is only header and header IEs, therefore data len == 0. */
|
||||||
ack_len += tsch_security_secure_frame(ack_buf, ack_buf, ack_len, 0, ¤t_asn);
|
ack_len += tsch_security_secure_frame(ack_buf, ack_buf, ack_len, 0, ¤t_asn);
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
/* Copy to radio buffer */
|
/* Copy to radio buffer */
|
||||||
NETSTACK_RADIO.prepare((const void *)ack_buf, ack_len);
|
NETSTACK_RADIO.prepare((const void *)ack_buf, ack_len);
|
||||||
|
@ -141,7 +141,7 @@ int tsch_is_coordinator = 0;
|
|||||||
/* Are we associated to a TSCH network? */
|
/* Are we associated to a TSCH network? */
|
||||||
int tsch_is_associated = 0;
|
int tsch_is_associated = 0;
|
||||||
/* Is the PAN running link-layer security? */
|
/* Is the PAN running link-layer security? */
|
||||||
int tsch_is_pan_secured = TSCH_SECURITY_ENABLED;
|
int tsch_is_pan_secured = LLSEC802154_ENABLED;
|
||||||
/* The current Absolute Slot Number (ASN) */
|
/* The current Absolute Slot Number (ASN) */
|
||||||
struct asn_t current_asn;
|
struct asn_t current_asn;
|
||||||
/* Device rank or join priority:
|
/* Device rank or join priority:
|
||||||
@ -177,7 +177,7 @@ tsch_set_coordinator(int enable)
|
|||||||
void
|
void
|
||||||
tsch_set_pan_secured(int enable)
|
tsch_set_pan_secured(int enable)
|
||||||
{
|
{
|
||||||
tsch_is_pan_secured = TSCH_SECURITY_ENABLED && enable;
|
tsch_is_pan_secured = LLSEC802154_ENABLED && enable;
|
||||||
}
|
}
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
void
|
void
|
||||||
@ -455,21 +455,21 @@ tsch_associate(const struct input_packet *input_eb, rtimer_clock_t timestamp)
|
|||||||
}
|
}
|
||||||
#endif /* TSCH_JOIN_SECURED_ONLY */
|
#endif /* TSCH_JOIN_SECURED_ONLY */
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(!tsch_security_parse_frame(input_eb->payload, hdrlen,
|
if(!tsch_security_parse_frame(input_eb->payload, hdrlen,
|
||||||
input_eb->len - hdrlen - tsch_security_mic_len(&frame),
|
input_eb->len - hdrlen - tsch_security_mic_len(&frame),
|
||||||
&frame, (linkaddr_t*)&frame.src_addr, ¤t_asn)) {
|
&frame, (linkaddr_t*)&frame.src_addr, ¤t_asn)) {
|
||||||
PRINTF("TSCH:! parse_eb: failed to authenticate\n");
|
PRINTF("TSCH:! parse_eb: failed to authenticate\n");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
#if !TSCH_SECURITY_ENABLED
|
#if !LLSEC802154_ENABLED
|
||||||
if(frame.fcf.security_enabled == 1) {
|
if(frame.fcf.security_enabled == 1) {
|
||||||
PRINTF("TSCH:! parse_eb: we do not support security, but EB is secured\n");
|
PRINTF("TSCH:! parse_eb: we do not support security, but EB is secured\n");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* !TSCH_SECURITY_ENABLED */
|
#endif /* !LLSEC802154_ENABLED */
|
||||||
|
|
||||||
#if TSCH_JOIN_MY_PANID_ONLY
|
#if TSCH_JOIN_MY_PANID_ONLY
|
||||||
/* Check if the EB comes from the PAN ID we expect */
|
/* Check if the EB comes from the PAN ID we expect */
|
||||||
@ -746,14 +746,14 @@ PROCESS_THREAD(tsch_send_eb_process, ev, data)
|
|||||||
}
|
}
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_BEACONFRAME);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_BEACONFRAME);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_MAC_SEQNO, tsch_packet_seqno);
|
packetbuf_set_attr(PACKETBUF_ATTR_MAC_SEQNO, tsch_packet_seqno);
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
/* Set security level, key id and index */
|
/* Set security level, key id and index */
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, TSCH_SECURITY_KEY_SEC_LEVEL_EB);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, TSCH_SECURITY_KEY_SEC_LEVEL_EB);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_KEY_ID_MODE, FRAME802154_1_BYTE_KEY_ID_MODE); /* Use 1-byte key index */
|
packetbuf_set_attr(PACKETBUF_ATTR_KEY_ID_MODE, FRAME802154_1_BYTE_KEY_ID_MODE); /* Use 1-byte key index */
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_KEY_INDEX, TSCH_SECURITY_KEY_INDEX_EB);
|
packetbuf_set_attr(PACKETBUF_ATTR_KEY_INDEX, TSCH_SECURITY_KEY_INDEX_EB);
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
eb_len = tsch_packet_create_eb(packetbuf_dataptr(), PACKETBUF_SIZE,
|
eb_len = tsch_packet_create_eb(packetbuf_dataptr(), PACKETBUF_SIZE,
|
||||||
tsch_packet_seqno, &hdr_len, &tsch_sync_ie_offset);
|
tsch_packet_seqno, &hdr_len, &tsch_sync_ie_offset);
|
||||||
if(eb_len != 0) {
|
if(eb_len != 0) {
|
||||||
@ -907,14 +907,14 @@ send_packet(mac_callback_t sent, void *ptr)
|
|||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_MAC_SEQNO, tsch_packet_seqno);
|
packetbuf_set_attr(PACKETBUF_ATTR_MAC_SEQNO, tsch_packet_seqno);
|
||||||
|
|
||||||
#if TSCH_SECURITY_ENABLED
|
#if LLSEC802154_ENABLED
|
||||||
if(tsch_is_pan_secured) {
|
if(tsch_is_pan_secured) {
|
||||||
/* Set security level, key id and index */
|
/* Set security level, key id and index */
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, TSCH_SECURITY_KEY_SEC_LEVEL_OTHER);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, TSCH_SECURITY_KEY_SEC_LEVEL_OTHER);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_KEY_ID_MODE, FRAME802154_1_BYTE_KEY_ID_MODE); /* Use 1-byte key index */
|
packetbuf_set_attr(PACKETBUF_ATTR_KEY_ID_MODE, FRAME802154_1_BYTE_KEY_ID_MODE); /* Use 1-byte key index */
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_KEY_INDEX, TSCH_SECURITY_KEY_INDEX_OTHER);
|
packetbuf_set_attr(PACKETBUF_ATTR_KEY_INDEX, TSCH_SECURITY_KEY_INDEX_OTHER);
|
||||||
}
|
}
|
||||||
#endif /* TSCH_SECURITY_ENABLED */
|
#endif /* LLSEC802154_ENABLED */
|
||||||
|
|
||||||
packet_count_before = tsch_queue_packet_count(addr);
|
packet_count_before = tsch_queue_packet_count(addr);
|
||||||
|
|
||||||
|
@ -84,8 +84,8 @@
|
|||||||
#ifdef TSCH_CONF_JOIN_SECURED_ONLY
|
#ifdef TSCH_CONF_JOIN_SECURED_ONLY
|
||||||
#define TSCH_JOIN_SECURED_ONLY TSCH_CONF_JOIN_SECURED_ONLY
|
#define TSCH_JOIN_SECURED_ONLY TSCH_CONF_JOIN_SECURED_ONLY
|
||||||
#else
|
#else
|
||||||
/* By default, set if TSCH_SECURITY_ENABLED is also non-zero */
|
/* By default, set if LLSEC802154_ENABLED is also non-zero */
|
||||||
#define TSCH_JOIN_SECURED_ONLY TSCH_SECURITY_ENABLED
|
#define TSCH_JOIN_SECURED_ONLY LLSEC802154_ENABLED
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* By default, join any PAN ID. Otherwise, wait for an EB from IEEE802154_PANID */
|
/* By default, join any PAN ID. Otherwise, wait for an EB from IEEE802154_PANID */
|
||||||
|
@ -332,9 +332,9 @@ enum {
|
|||||||
#endif /* NETSTACK_CONF_WITH_RIME */
|
#endif /* NETSTACK_CONF_WITH_RIME */
|
||||||
PACKETBUF_ATTR_PENDING,
|
PACKETBUF_ATTR_PENDING,
|
||||||
PACKETBUF_ATTR_FRAME_TYPE,
|
PACKETBUF_ATTR_FRAME_TYPE,
|
||||||
#if LLSEC802154_SECURITY_LEVEL
|
#if LLSEC802154_USES_AUX_HEADER
|
||||||
PACKETBUF_ATTR_SECURITY_LEVEL,
|
PACKETBUF_ATTR_SECURITY_LEVEL,
|
||||||
#endif /* LLSEC802154_SECURITY_LEVEL */
|
#endif /* LLSEC802154_USES_AUX_HEADER */
|
||||||
#if LLSEC802154_USES_FRAME_COUNTER
|
#if LLSEC802154_USES_FRAME_COUNTER
|
||||||
PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1,
|
PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1,
|
||||||
PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3,
|
PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3,
|
||||||
|
@ -144,7 +144,7 @@ PROCESS_THREAD(node_process, ev, data)
|
|||||||
|
|
||||||
/* Set node with ID == 1 as coordinator, convenient in Cooja. */
|
/* Set node with ID == 1 as coordinator, convenient in Cooja. */
|
||||||
if(node_id == 1) {
|
if(node_id == 1) {
|
||||||
if(LLSEC802154_CONF_SECURITY_LEVEL) {
|
if(TSCH_SECURITY_LEVEL) {
|
||||||
node_role = role_6dr_sec;
|
node_role = role_6dr_sec;
|
||||||
} else {
|
} else {
|
||||||
node_role = role_6dr;
|
node_role = role_6dr;
|
||||||
@ -169,7 +169,7 @@ PROCESS_THREAD(node_process, ev, data)
|
|||||||
|| etimer_expired(&et));
|
|| etimer_expired(&et));
|
||||||
if(ev == sensors_event && data == &button_sensor && button_sensor.value(0) > 0) {
|
if(ev == sensors_event && data == &button_sensor && button_sensor.value(0) > 0) {
|
||||||
node_role = (node_role + 1) % 3;
|
node_role = (node_role + 1) % 3;
|
||||||
if(LLSEC802154_CONF_SECURITY_LEVEL == 0 && node_role == role_6dr_sec) {
|
if(TSCH_SECURITY_LEVEL == 0 && node_role == role_6dr_sec) {
|
||||||
node_role = (node_role + 1) % 3;
|
node_role = (node_role + 1) % 3;
|
||||||
}
|
}
|
||||||
etimer_restart(&et);
|
etimer_restart(&et);
|
||||||
@ -182,7 +182,7 @@ PROCESS_THREAD(node_process, ev, data)
|
|||||||
printf("Init: node starting with role %s\n",
|
printf("Init: node starting with role %s\n",
|
||||||
node_role == role_6ln ? "6ln" : (node_role == role_6dr) ? "6dr" : "6dr-sec");
|
node_role == role_6ln ? "6ln" : (node_role == role_6dr) ? "6dr" : "6dr-sec");
|
||||||
|
|
||||||
tsch_set_pan_secured(LLSEC802154_CONF_SECURITY_LEVEL && (node_role == role_6dr_sec));
|
tsch_set_pan_secured(TSCH_SECURITY_LEVEL && (node_role == role_6dr_sec));
|
||||||
is_coordinator = node_role > role_6ln;
|
is_coordinator = node_role > role_6ln;
|
||||||
|
|
||||||
if(is_coordinator) {
|
if(is_coordinator) {
|
||||||
|
@ -100,8 +100,10 @@
|
|||||||
#if WITH_SECURITY
|
#if WITH_SECURITY
|
||||||
|
|
||||||
/* Enable security */
|
/* Enable security */
|
||||||
#undef LLSEC802154_CONF_SECURITY_LEVEL
|
#undef TSCH_SECURITY_CONF_LEVEL
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 1
|
#define TSCH_SECURITY_CONF_LEVEL 1
|
||||||
|
#undef LLSEC802154_CONF_ENABLED
|
||||||
|
#define LLSEC802154_CONF_ENABLED 1
|
||||||
/* TSCH uses explicit keys to identify k1 and k2 */
|
/* TSCH uses explicit keys to identify k1 and k2 */
|
||||||
#undef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
#undef LLSEC802154_CONF_USES_EXPLICIT_KEYS
|
||||||
#define LLSEC802154_CONF_USES_EXPLICIT_KEYS 1
|
#define LLSEC802154_CONF_USES_EXPLICIT_KEYS 1
|
||||||
|
@ -142,7 +142,7 @@
|
|||||||
|
|
||||||
#if WITH_TSCH_SECURITY
|
#if WITH_TSCH_SECURITY
|
||||||
/* Set security level to the maximum, even if unused, to all crypto code */
|
/* Set security level to the maximum, even if unused, to all crypto code */
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 7
|
#define LLSEC802154_CONF_ENABLED 1
|
||||||
/* Attempt to associate from both secured and non-secured EBs */
|
/* Attempt to associate from both secured and non-secured EBs */
|
||||||
#define TSCH_CONF_JOIN_SECURED_ONLY 0
|
#define TSCH_CONF_JOIN_SECURED_ONLY 0
|
||||||
/* We need explicit keys to identify k1 and k2 */
|
/* We need explicit keys to identify k1 and k2 */
|
||||||
|
@ -152,7 +152,7 @@ PROCESS_THREAD(node_process, ev, data)
|
|||||||
|
|
||||||
/* Set node with ID == 1 as coordinator, handy in Cooja. */
|
/* Set node with ID == 1 as coordinator, handy in Cooja. */
|
||||||
if(node_id == 1) {
|
if(node_id == 1) {
|
||||||
if(LLSEC802154_CONF_SECURITY_LEVEL) {
|
if(LLSEC802154_ENABLED) {
|
||||||
node_role = role_6dr_sec;
|
node_role = role_6dr_sec;
|
||||||
} else {
|
} else {
|
||||||
node_role = role_6dr;
|
node_role = role_6dr;
|
||||||
@ -165,7 +165,7 @@ PROCESS_THREAD(node_process, ev, data)
|
|||||||
node_role == role_6ln ? "6ln" : (node_role == role_6dr) ? "6dr" : "6dr-sec");
|
node_role == role_6ln ? "6ln" : (node_role == role_6dr) ? "6dr" : "6dr-sec");
|
||||||
|
|
||||||
#if WITH_TSCH
|
#if WITH_TSCH
|
||||||
tsch_set_pan_secured(LLSEC802154_CONF_SECURITY_LEVEL && (node_role == role_6dr_sec));
|
tsch_set_pan_secured(LLSEC802154_ENABLED && (node_role == role_6dr_sec));
|
||||||
#endif /* WITH_TSCH */
|
#endif /* WITH_TSCH */
|
||||||
is_coordinator = node_role > role_6ln;
|
is_coordinator = node_role > role_6ln;
|
||||||
|
|
||||||
|
@ -37,4 +37,4 @@
|
|||||||
* Konrad Krentz <konrad.krentz@gmail.com>
|
* Konrad Krentz <konrad.krentz@gmail.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 6
|
#define LLSEC802154_CONF_ENABLED 1
|
||||||
|
@ -47,6 +47,9 @@
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
#define SEC_LVL 6
|
||||||
|
#define MIC_LEN LLSEC802154_MIC_LEN(6)
|
||||||
|
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
/* Test vector C.2.1.2 from IEEE 802.15.4-2006 */
|
/* Test vector C.2.1.2 from IEEE 802.15.4-2006 */
|
||||||
static void
|
static void
|
||||||
@ -70,8 +73,8 @@ test_sec_lvl_6()
|
|||||||
/* Frame Counter */
|
/* Frame Counter */
|
||||||
0x05 , 0x00 , 0x00 , 0x00 ,
|
0x05 , 0x00 , 0x00 , 0x00 ,
|
||||||
0x01 , 0xCE };
|
0x01 , 0xCE };
|
||||||
uint8_t oracle[LLSEC802154_MIC_LENGTH] = { 0x4F , 0xDE , 0x52 , 0x90 ,
|
uint8_t oracle[MIC_LEN] = { 0x4F , 0xDE , 0x52 , 0x90 ,
|
||||||
0x61 , 0xF9 , 0xC6 , 0xF1 };
|
0x61 , 0xF9 , 0xC6 , 0xF1 };
|
||||||
uint8_t nonce[13];
|
uint8_t nonce[13];
|
||||||
frame802154_frame_counter_t counter;
|
frame802154_frame_counter_t counter;
|
||||||
|
|
||||||
@ -84,7 +87,7 @@ test_sec_lvl_6()
|
|||||||
counter.u32 = 5;
|
counter.u32 = 5;
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1, counter.u16[0]);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1, counter.u16[0]);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3, counter.u16[1]);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3, counter.u16[1]);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, LLSEC802154_SECURITY_LEVEL);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, SEC_LVL);
|
||||||
packetbuf_hdrreduce(29);
|
packetbuf_hdrreduce(29);
|
||||||
|
|
||||||
CCM_STAR.set_key(key);
|
CCM_STAR.set_key(key);
|
||||||
@ -92,10 +95,10 @@ test_sec_lvl_6()
|
|||||||
CCM_STAR.aead(nonce,
|
CCM_STAR.aead(nonce,
|
||||||
packetbuf_dataptr(), packetbuf_datalen(),
|
packetbuf_dataptr(), packetbuf_datalen(),
|
||||||
packetbuf_hdrptr(), packetbuf_hdrlen(),
|
packetbuf_hdrptr(), packetbuf_hdrlen(),
|
||||||
((uint8_t *) packetbuf_hdrptr()) + 30, LLSEC802154_MIC_LENGTH,
|
((uint8_t *) packetbuf_hdrptr()) + 30, MIC_LEN,
|
||||||
1);
|
1);
|
||||||
|
|
||||||
if(memcmp(((uint8_t *) packetbuf_hdrptr()) + 30, oracle, LLSEC802154_MIC_LENGTH) == 0) {
|
if(memcmp(((uint8_t *) packetbuf_hdrptr()) + 30, oracle, MIC_LEN) == 0) {
|
||||||
printf("Success\n");
|
printf("Success\n");
|
||||||
} else {
|
} else {
|
||||||
printf("Failure\n");
|
printf("Failure\n");
|
||||||
@ -115,7 +118,7 @@ test_sec_lvl_6()
|
|||||||
CCM_STAR.aead(nonce,
|
CCM_STAR.aead(nonce,
|
||||||
packetbuf_dataptr(), packetbuf_datalen(),
|
packetbuf_dataptr(), packetbuf_datalen(),
|
||||||
packetbuf_hdrptr(), packetbuf_hdrlen(),
|
packetbuf_hdrptr(), packetbuf_hdrlen(),
|
||||||
((uint8_t *) packetbuf_hdrptr()) + 30, LLSEC802154_MIC_LENGTH,
|
((uint8_t *) packetbuf_hdrptr()) + 30, MIC_LEN,
|
||||||
0);
|
0);
|
||||||
if(((uint8_t *) packetbuf_hdrptr())[29] == 0xCE) {
|
if(((uint8_t *) packetbuf_hdrptr())[29] == 0xCE) {
|
||||||
printf("Success\n");
|
printf("Success\n");
|
||||||
|
@ -37,4 +37,4 @@
|
|||||||
* Konrad Krentz <konrad.krentz@gmail.com>
|
* Konrad Krentz <konrad.krentz@gmail.com>
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#define LLSEC802154_CONF_SECURITY_LEVEL 2
|
#define LLSEC802154_CONF_ENABLED 1
|
||||||
|
@ -48,6 +48,9 @@
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
#define SEC_LVL 2
|
||||||
|
#define MIC_LEN LLSEC802154_MIC_LEN(2)
|
||||||
|
|
||||||
/*---------------------------------------------------------------------------*/
|
/*---------------------------------------------------------------------------*/
|
||||||
/* Test vector C.1 from FIPS Pub 197 */
|
/* Test vector C.1 from FIPS Pub 197 */
|
||||||
static void
|
static void
|
||||||
@ -97,10 +100,10 @@ test_sec_lvl_2()
|
|||||||
0x05 , 0x00 , 0x00 , 0x00 ,
|
0x05 , 0x00 , 0x00 , 0x00 ,
|
||||||
/* Payload */
|
/* Payload */
|
||||||
0x55 , 0xCF , 0x00 , 0x00 , 0x51 , 0x52 , 0x53 , 0x54 };
|
0x55 , 0xCF , 0x00 , 0x00 , 0x51 , 0x52 , 0x53 , 0x54 };
|
||||||
uint8_t oracle[LLSEC802154_MIC_LENGTH] = { 0x22 , 0x3B , 0xC1 , 0xEC ,
|
uint8_t oracle[MIC_LEN] = { 0x22 , 0x3B , 0xC1 , 0xEC ,
|
||||||
0x84 , 0x1A , 0xB5 , 0x53 };
|
0x84 , 0x1A , 0xB5 , 0x53 };
|
||||||
frame802154_frame_counter_t counter;
|
frame802154_frame_counter_t counter;
|
||||||
uint8_t mic[LLSEC802154_MIC_LENGTH];
|
uint8_t mic[MIC_LEN];
|
||||||
uint8_t nonce[13];
|
uint8_t nonce[13];
|
||||||
|
|
||||||
printf("Testing verification ... ");
|
printf("Testing verification ... ");
|
||||||
@ -112,7 +115,7 @@ test_sec_lvl_2()
|
|||||||
counter.u32 = 5;
|
counter.u32 = 5;
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1, counter.u16[0]);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_0_1, counter.u16[0]);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3, counter.u16[1]);
|
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_COUNTER_BYTES_2_3, counter.u16[1]);
|
||||||
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, LLSEC802154_SECURITY_LEVEL);
|
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, SEC_LVL);
|
||||||
packetbuf_hdrreduce(18);
|
packetbuf_hdrreduce(18);
|
||||||
|
|
||||||
CCM_STAR.set_key(key);
|
CCM_STAR.set_key(key);
|
||||||
@ -120,10 +123,10 @@ test_sec_lvl_2()
|
|||||||
CCM_STAR.aead(nonce,
|
CCM_STAR.aead(nonce,
|
||||||
NULL, 0,
|
NULL, 0,
|
||||||
packetbuf_hdrptr(), packetbuf_totlen(),
|
packetbuf_hdrptr(), packetbuf_totlen(),
|
||||||
((uint8_t *) packetbuf_dataptr()) + packetbuf_datalen(), LLSEC802154_MIC_LENGTH,
|
((uint8_t *) packetbuf_dataptr()) + packetbuf_datalen(), MIC_LEN,
|
||||||
1);
|
1);
|
||||||
|
|
||||||
if(memcmp(((uint8_t *) packetbuf_dataptr()) + packetbuf_datalen(), oracle, LLSEC802154_MIC_LENGTH) == 0) {
|
if(memcmp(((uint8_t *) packetbuf_dataptr()) + packetbuf_datalen(), oracle, MIC_LEN) == 0) {
|
||||||
printf("Success\n");
|
printf("Success\n");
|
||||||
} else {
|
} else {
|
||||||
printf("Failure\n");
|
printf("Failure\n");
|
||||||
|
Loading…
Reference in New Issue
Block a user