llsec: Unsecuring within parse

This commit is contained in:
Konrad Krentz 2015-07-17 08:26:35 -07:00 committed by kkrentz
parent 0a6b1cb646
commit 1a12ef3334
4 changed files with 47 additions and 33 deletions

View file

@ -82,8 +82,9 @@ NBR_TABLE(struct anti_replay_info, anti_replay_table);
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
static int static int
aead(int forward) aead(uint8_t hdrlen, int forward)
{ {
uint8_t totlen;
uint8_t nonce[CCM_STAR_NONCE_LENGTH]; uint8_t nonce[CCM_STAR_NONCE_LENGTH];
uint8_t *m; uint8_t *m;
uint8_t m_len; uint8_t m_len;
@ -94,16 +95,19 @@ aead(int forward)
uint8_t *mic; uint8_t *mic;
ccm_star_packetbuf_set_nonce(nonce, forward); ccm_star_packetbuf_set_nonce(nonce, forward);
totlen = packetbuf_totlen();
a = packetbuf_hdrptr(); a = packetbuf_hdrptr();
m = packetbuf_dataptr();
#if WITH_ENCRYPTION #if WITH_ENCRYPTION
a_len = packetbuf_hdrlen(); a_len = hdrlen;
m_len = packetbuf_datalen(); m = a + a_len;
m_len = totlen - hdrlen;
#else /* WITH_ENCRYPTION */ #else /* WITH_ENCRYPTION */
a_len = packetbuf_totlen(); a_len = totlen;
m = NULL;
m_len = 0; m_len = 0;
#endif /* WITH_ENCRYPTION */ #endif /* WITH_ENCRYPTION */
mic = a + a_len + m_len;
mic = a + totlen;
result = forward ? mic : generated_mic; result = forward ? mic : generated_mic;
CCM_STAR.aead(nonce, CCM_STAR.aead(nonce,
@ -121,11 +125,18 @@ aead(int forward)
} }
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
static void static void
add_security_header(void)
{
if(!packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL)) {
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, LLSEC802154_SECURITY_LEVEL);
anti_replay_set_counter();
}
}
/*---------------------------------------------------------------------------*/
static void
send(mac_callback_t sent, void *ptr) send(mac_callback_t sent, void *ptr)
{ {
packetbuf_set_attr(PACKETBUF_ATTR_FRAME_TYPE, FRAME802154_DATAFRAME);
packetbuf_set_attr(PACKETBUF_ATTR_SECURITY_LEVEL, LLSEC802154_SECURITY_LEVEL);
anti_replay_set_counter();
NETSTACK_MAC.send(sent, ptr); NETSTACK_MAC.send(sent, ptr);
} }
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
@ -134,12 +145,13 @@ create(void)
{ {
int result; int result;
add_security_header();
result = framer_802154.create(); result = framer_802154.create();
if(result == FRAMER_FAILED) { if(result == FRAMER_FAILED) {
return result; return result;
} }
aead(1); aead(result, 1);
return result; return result;
} }
@ -147,31 +159,31 @@ create(void)
static int static int
parse(void) parse(void)
{ {
return framer_802154.parse(); int result;
}
/*---------------------------------------------------------------------------*/
static void
input(void)
{
const linkaddr_t *sender; const linkaddr_t *sender;
struct anti_replay_info* info; struct anti_replay_info* info;
result = framer_802154.parse();
if(result == FRAMER_FAILED) {
return result;
}
if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) != LLSEC802154_SECURITY_LEVEL) { if(packetbuf_attr(PACKETBUF_ATTR_SECURITY_LEVEL) != LLSEC802154_SECURITY_LEVEL) {
PRINTF("noncoresec: received frame with wrong security level\n"); PRINTF("noncoresec: received frame with wrong security level\n");
return; return FRAMER_FAILED;
} }
sender = packetbuf_addr(PACKETBUF_ADDR_SENDER); sender = packetbuf_addr(PACKETBUF_ADDR_SENDER);
if(linkaddr_cmp(sender, &linkaddr_node_addr)) { if(linkaddr_cmp(sender, &linkaddr_node_addr)) {
PRINTF("noncoresec: frame from ourselves\n"); PRINTF("noncoresec: frame from ourselves\n");
return; return FRAMER_FAILED;
} }
packetbuf_set_datalen(packetbuf_datalen() - LLSEC802154_MIC_LENGTH); packetbuf_set_datalen(packetbuf_datalen() - LLSEC802154_MIC_LENGTH);
if(!aead(0)) { if(!aead(result, 0)) {
PRINTF("noncoresec: received unauthentic frame %"PRIu32"\n", PRINTF("noncoresec: received unauthentic frame %"PRIu32"\n",
anti_replay_get_counter()); anti_replay_get_counter());
return; return FRAMER_FAILED;
} }
info = nbr_table_get_from_lladdr(anti_replay_table, sender); info = nbr_table_get_from_lladdr(anti_replay_table, sender);
@ -179,7 +191,7 @@ input(void)
info = nbr_table_add_lladdr(anti_replay_table, sender); info = nbr_table_add_lladdr(anti_replay_table, sender);
if(!info) { if(!info) {
PRINTF("noncoresec: could not get nbr_table_item\n"); PRINTF("noncoresec: could not get nbr_table_item\n");
return; return FRAMER_FAILED;
} }
/* /*
@ -196,7 +208,7 @@ input(void)
if(!nbr_table_lock(anti_replay_table, info)) { if(!nbr_table_lock(anti_replay_table, info)) {
nbr_table_remove(anti_replay_table, info); nbr_table_remove(anti_replay_table, info);
PRINTF("noncoresec: could not lock\n"); PRINTF("noncoresec: could not lock\n");
return; return FRAMER_FAILED;
} }
anti_replay_init_info(info); anti_replay_init_info(info);
@ -204,17 +216,24 @@ input(void)
if(anti_replay_was_replayed(info)) { if(anti_replay_was_replayed(info)) {
PRINTF("noncoresec: received replayed frame %"PRIu32"\n", PRINTF("noncoresec: received replayed frame %"PRIu32"\n",
anti_replay_get_counter()); anti_replay_get_counter());
return; return FRAMER_FAILED;
} }
} }
return result;
}
/*---------------------------------------------------------------------------*/
static void
input(void)
{
NETSTACK_NETWORK.input(); NETSTACK_NETWORK.input();
} }
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
static int static int
length(void) length(void)
{ {
return framer_802154.length() + SECURITY_HEADER_LENGTH + LLSEC802154_MIC_LENGTH; add_security_header();
return framer_802154.length() + LLSEC802154_MIC_LENGTH;
} }
/*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/
static void static void

View file

@ -101,7 +101,8 @@ create(void)
} }
chdr = packetbuf_hdrptr(); chdr = packetbuf_hdrptr();
chdr->id = CONTIKIMAC_ID; chdr->id = CONTIKIMAC_ID;
chdr->len = 0; chdr->len = packetbuf_datalen();
pad();
hdr_len = DECORATED_FRAMER.create(); hdr_len = DECORATED_FRAMER.create();
if(hdr_len < 0) { if(hdr_len < 0) {
@ -110,8 +111,6 @@ create(void)
} }
packetbuf_compact(); packetbuf_compact();
chdr->len = packetbuf_datalen();
pad();
return hdr_len + sizeof(struct hdr); return hdr_len + sizeof(struct hdr);
} }
@ -123,7 +122,7 @@ pad(void)
uint8_t *ptr; uint8_t *ptr;
uint8_t zeroes_count; uint8_t zeroes_count;
transmit_len = packetbuf_totlen(); transmit_len = packetbuf_totlen() + hdr_length();
if(transmit_len < SHORTEST_PACKET_SIZE) { if(transmit_len < SHORTEST_PACKET_SIZE) {
/* Padding required */ /* Padding required */
zeroes_count = SHORTEST_PACKET_SIZE - transmit_len; zeroes_count = SHORTEST_PACKET_SIZE - transmit_len;
@ -156,7 +155,6 @@ parse(void)
} }
packetbuf_set_datalen(chdr->len); packetbuf_set_datalen(chdr->len);
chdr->len = 0;
return hdr_len + sizeof(struct hdr); return hdr_len + sizeof(struct hdr);
} }

View file

@ -915,8 +915,6 @@ input_packet(void)
broadcast address. */ broadcast address. */
/* If FRAME_PENDING is set, we are receiving a packets in a burst */ /* If FRAME_PENDING is set, we are receiving a packets in a burst */
/* TODO To prevent denial-of-sleep attacks, the transceiver should
be disabled upon receipt of an unauthentic frame. */
we_are_receiving_burst = packetbuf_attr(PACKETBUF_ATTR_PENDING); we_are_receiving_burst = packetbuf_attr(PACKETBUF_ATTR_PENDING);
if(we_are_receiving_burst) { if(we_are_receiving_burst) {
on(); on();

View file

@ -302,8 +302,7 @@ packet_input(void)
} }
#endif /* RDC_WITH_DUPLICATE_DETECTION */ #endif /* RDC_WITH_DUPLICATE_DETECTION */
#endif /* NULLRDC_802154_AUTOACK */ #endif /* NULLRDC_802154_AUTOACK */
/* TODO We may want to acknowledge only authentic frames */
#if NULLRDC_SEND_802154_ACK #if NULLRDC_SEND_802154_ACK
{ {
frame802154_t info154; frame802154_t info154;