ARMmbed
diff --git a/‎nanostack/sw_mac.h
Lines changed: 8 additions & 0 deletions b/‎nanostack/sw_mac.h
Lines changed: 8 additions & 0 deletions
diff --git a/‎source/6LoWPAN/MAC/mac_helper.c
Lines changed: 6 additions & 8 deletions b/‎source/6LoWPAN/MAC/mac_helper.c
Lines changed: 6 additions & 8 deletions
diff --git a/‎source/6LoWPAN/MAC/mac_helper.h
Lines changed: 1 addition & 1 deletion b/‎source/6LoWPAN/MAC/mac_helper.h
Lines changed: 1 addition & 1 deletion
diff --git a/‎source/6LoWPAN/ws/ws_bootstrap.c
Lines changed: 5 additions & 1 deletion b/‎source/6LoWPAN/ws/ws_bootstrap.c
Lines changed: 5 additions & 1 deletion
diff --git a/‎source/6LoWPAN/ws/ws_pae_controller.c
Lines changed: 8 additions & 2 deletions b/‎source/6LoWPAN/ws/ws_pae_controller.c
Lines changed: 8 additions & 2 deletions
diff --git a/‎source/MAC/IEEE802_15_4/mac_defines.h
Lines changed: 9 additions & 9 deletions b/‎source/MAC/IEEE802_15_4/mac_defines.h
Lines changed: 9 additions & 9 deletions
diff --git a/‎source/MAC/IEEE802_15_4/mac_mcps_sap.c
Lines changed: 78 additions & 24 deletions b/‎source/MAC/IEEE802_15_4/mac_mcps_sap.c
Lines changed: 78 additions & 24 deletions
diff --git a/‎source/MAC/IEEE802_15_4/mac_mcps_sap.h
Lines changed: 2 additions & 0 deletions b/‎source/MAC/IEEE802_15_4/mac_mcps_sap.h
Lines changed: 2 additions & 0 deletions
@@ -97,6 +97,14 @@ extern int ns_sw_mac_phy_statistics_start(struct mac_api_s *mac_api, struct phy_
  */
 extern uint32_t ns_sw_mac_read_current_timestamp(struct mac_api_s *mac_api);
 
+/**
+ * @brief Enable or disable Frame counter per security key. SW MAC must be create before enable this feature!
+ * @param mac_api MAC instance.
+ * @param enable_feature True will allocate frame counter table for devices / key False will clear mode and free counter table.
+ * @return 0 on success, -1 on fail.
+ */
+extern int8_t ns_sw_mac_enable_frame_counter_per_key(struct mac_api_s *mac_api, bool enable_feature);
+
 #ifdef __cplusplus
 }
 #endif
 
@@ -349,12 +349,12 @@ int8_t mac_helper_security_default_recv_key_set(protocol_interface_info_entry_t
     return 0;
 }
 
-int8_t mac_helper_security_auto_request_key_index_set(protocol_interface_info_entry_t *interface, uint8_t id)
+int8_t mac_helper_security_auto_request_key_index_set(protocol_interface_info_entry_t *interface, uint8_t key_attibute_index, uint8_t id)
 {
     if (id == 0) {
         return -1;
     }
-
+    interface->mac_parameters->mac_default_key_attribute_id = key_attibute_index;
     mac_helper_pib_8bit_set(interface, macAutoRequestKeyIndex, id);
     return 0;
 }
@@ -442,13 +442,11 @@ void mac_helper_security_key_swap_next_to_default(protocol_interface_info_entry_
     interface->mac_parameters->mac_prev_key_index = interface->mac_parameters->mac_default_key_index;
     interface->mac_parameters->mac_prev_key_attribute_id = interface->mac_parameters->mac_default_key_attribute_id;
 
-    interface->mac_parameters->mac_default_key_index = interface->mac_parameters->mac_next_key_index;
-    interface->mac_parameters->mac_default_key_attribute_id = interface->mac_parameters->mac_next_key_attribute_id;
+    mac_helper_security_auto_request_key_index_set(interface, interface->mac_parameters->mac_next_key_attribute_id, interface->mac_parameters->mac_next_key_index);
+
     interface->mac_parameters->mac_next_key_index = 0;
     interface->mac_parameters->mac_next_key_attribute_id = prev_attribute;
 
-    mac_helper_pib_8bit_set(interface, macAutoRequestKeyIndex,  interface->mac_parameters->mac_default_key_index);
-
 }
 
 void mac_helper_security_key_clean(protocol_interface_info_entry_t *interface)
@@ -841,7 +839,7 @@ int8_t mac_helper_link_frame_counter_read(int8_t interface_id, uint32_t *seq_ptr
     }
     mlme_get_t get_req;
     get_req.attr = macFrameCounter;
-    get_req.attr_index = 0;
+    get_req.attr_index = cur->mac_parameters->mac_default_key_attribute_id;
     cur->mac_api->mlme_req(cur->mac_api, MLME_GET, &get_req);
     *seq_ptr = cur->mac_parameters->security_frame_counter;
 
@@ -858,7 +856,7 @@ int8_t mac_helper_link_frame_counter_set(int8_t interface_id, uint32_t seq_ptr)
     }
     mlme_set_t set_req;
     set_req.attr = macFrameCounter;
-    set_req.attr_index = 0;
+    set_req.attr_index = cur->mac_parameters->mac_default_key_attribute_id;
     set_req.value_pointer = &seq_ptr;
     set_req.value_size = 4;
     cur->mac_api->mlme_req(cur->mac_api, MLME_SET, &set_req);
 
@@ -69,7 +69,7 @@ int8_t mac_helper_security_default_key_set(struct protocol_interface_info_entry
 
 int8_t mac_helper_security_default_recv_key_set(struct protocol_interface_info_entry *interface, const uint8_t *key, uint8_t id, uint8_t keyid_mode);
 
-int8_t mac_helper_security_auto_request_key_index_set(struct protocol_interface_info_entry *interface, uint8_t id);
+int8_t mac_helper_security_auto_request_key_index_set(struct protocol_interface_info_entry *interface, uint8_t key_attibute_index, uint8_t id);
 
 int8_t mac_helper_security_next_key_set(struct protocol_interface_info_entry *interface, uint8_t *key, uint8_t id, uint8_t keyid_mode);
 
 
@@ -1581,6 +1581,10 @@ int ws_bootstrap_init(int8_t interface_id, net_6lowpan_mode_e bootstrap_mode)
         return -2;
     }
 
+    if (ns_sw_mac_enable_frame_counter_per_key(cur->mac_api, true)) {
+        return -1;
+    }
+
     if (!etx_storage_list_allocate(cur->id, buffer.device_decription_table_size)) {
         return -1;
     }
@@ -2171,7 +2175,7 @@ static void ws_bootstrap_nw_key_clear(protocol_interface_info_entry_t *cur, uint
 static void ws_bootstrap_nw_key_index_set(protocol_interface_info_entry_t *cur, uint8_t index)
 {
     // Set send key
-    mac_helper_security_auto_request_key_index_set(cur, index + 1);
+    mac_helper_security_auto_request_key_index_set(cur, index, index + 1);
 }
 
 static void ws_bootstrap_nw_frame_counter_set(protocol_interface_info_entry_t *cur, uint32_t counter)
 
@@ -482,9 +482,12 @@ static void ws_pae_controller_nw_key_index_check_and_set(protocol_interface_info
         controller->gtk_index = index;
 
         uint32_t frame_counter = ws_pae_controller_frame_counter_get(&controller->stored_frame_counter, index, controller->nw_key[index].hash);
-        controller->nw_frame_counter_set(interface_ptr, frame_counter);
+        if (frame_counter) {
+            controller->nw_frame_counter_set(interface_ptr, frame_counter);
+        }
         tr_info("NW frame counter set: %"PRIu32"", frame_counter);
         ws_pae_controller_frame_counter_write(controller, index, controller->nw_key[index].hash, frame_counter);
+
     }
 
     // Do not update PAN version for initial key index set
@@ -511,9 +514,12 @@ static void ws_pae_controller_active_nw_key_set(protocol_interface_info_entry_t
         // If index has changed and the key for the index is fresh get frame counter
         if (controller->gtk_index != index && controller->nw_key[index].fresh) {
             uint32_t frame_counter = ws_pae_controller_frame_counter_get(&controller->stored_frame_counter, index, controller->nw_key[index].hash);
-            controller->nw_frame_counter_set(cur, frame_counter);
+            if (frame_counter) {
+                controller->nw_frame_counter_set(cur, frame_counter);
+            }
             tr_info("NW frame counter set: %"PRIu32"", frame_counter);
             ws_pae_controller_frame_counter_write(controller, index, controller->nw_key[index].hash, frame_counter);
+
         }
 
         controller->gtk_index = index;
 
@@ -148,32 +148,26 @@ typedef struct mac_mcps_data_conf_fail_s {
 
 typedef struct protocol_interface_rf_mac_setup {
     int8_t mac_interface_id;
-    bool macUpState;
+    bool macUpState: 1;
     bool shortAdressValid: 1;   //Define Dynamic src address to mac16 when it is true
     bool beaconSrcAddressModeLong: 1; //This force beacon src to mac64 otherwise shortAdressValid will define type
+    bool secFrameCounterPerKey: 1;
     bool mac_extension_enabled: 1;
     bool mac_ack_tx_active: 1;
     bool mac_frame_pending: 1;
-    uint16_t mac_short_address;
-    uint16_t pan_id;
-    uint8_t mac64[8];
-    uint16_t coord_short_address;
-    uint8_t coord_long_address[8];
     /* MAC Capability Information */
     bool macCapRxOnIdle: 1;
     bool macCapCordinator: 1;
     bool macCapAssocationPermit: 1;
     bool macCapBatteryPowered: 1;
     bool macCapSecrutityCapability: 1;
-
     bool macProminousMode: 1;
     bool macGTSPermit: 1;
     bool mac_security_enabled: 1;
     /* Let trough packet which is secured properly (MIC authenticated group key)  and src address is 64-bit*/
     bool mac_security_bypass_unknow_device: 1;
     /* Load balancing need this feature */
     bool macAcceptAnyBeacon: 1;
-
     /* TX process Flag */
     bool macTxProcessActive: 1;
     bool macTxRequestAck: 1;
@@ -188,6 +182,12 @@ typedef struct protocol_interface_rf_mac_setup {
     bool scan_active: 1;
     bool rf_csma_extension_supported: 1;
     bool ack_tx_possible: 1;
+    uint16_t mac_short_address;
+    uint16_t pan_id;
+    uint8_t mac64[8];
+    uint16_t coord_short_address;
+    uint8_t coord_long_address[8];
+
     /* CSMA Params */
     unsigned macMinBE: 4;
     unsigned macMaxBE: 4;
@@ -200,7 +200,6 @@ typedef struct protocol_interface_rf_mac_setup {
     uint8_t scan_duration; //Needed???
     mac_scan_type_t scan_type;
 
-
     uint8_t mac_channel;
     //uint8_t cca_failure;
 
@@ -253,6 +252,7 @@ typedef struct protocol_interface_rf_mac_setup {
     struct mlme_device_descriptor_s *device_description_table;
     uint8_t device_description_table_size;
     struct mlme_key_descriptor_s *key_description_table;
+    void *key_device_frame_counter_list_buffer;
     uint8_t key_description_table_size;
     uint8_t key_lookup_list_size;
     uint8_t key_usage_list_size;
 
@@ -90,6 +90,14 @@ uint32_t mac_mcps_sap_get_phy_timestamp(protocol_interface_rf_mac_setup_s *rf_ma
     return timestamp;
 }
 
+static bool mac_data_counter_too_small(uint32_t current_counter, uint32_t packet_counter)
+{
+    if ((current_counter - packet_counter) >= 2) {
+        return true;
+    }
+    return false;
+}
+
 static bool mac_data_request_confirmation_finnish(protocol_interface_rf_mac_setup_s *rf_mac_setup, mac_pre_build_frame_t *buffer)
 {
     if (!buffer->asynch_request) {
@@ -583,10 +591,14 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
             return MLME_UNAVAILABLE_KEY;
         }
 
-        if (b->neigh_info && neighbour_validation.frameCounter < b->neigh_info->FrameCounter) {
-            tr_debug("MLME_COUNTER_ERROR");
-            return MLME_COUNTER_ERROR;
+        if (b->neigh_info) {
+            uint32_t min_accepted_frame_counter = mac_mib_key_device_frame_counter_get(key_description, b->neigh_info, device_descriptor_handle);
+            if (neighbour_validation.frameCounter < min_accepted_frame_counter) {
+                tr_debug("MLME_COUNTER_ERROR");
+                return MLME_COUNTER_ERROR;
+            }
         }
+
     }
 
     key = key_description->Key;
@@ -620,10 +632,15 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
 
     //Update key device and key description tables
     if (!security_by_pass) {
-        b->neigh_info->FrameCounter = neighbour_validation.frameCounter + 1;
+
+        mac_sec_mib_key_device_frame_counter_set(key_description, b->neigh_info, neighbour_validation.frameCounter + 1, device_descriptor_handle);
+
         if (!key_device_description) {
-            // Black list old used keys by this device
-            mac_sec_mib_device_description_blacklist(rf_mac_setup, device_descriptor_handle);
+            if (!rf_mac_setup->secFrameCounterPerKey) {
+                // Black list old used keys by this device
+                mac_sec_mib_device_description_blacklist(rf_mac_setup, device_descriptor_handle);
+            }
+
             key_device_description =  mac_sec_mib_key_device_description_list_update(key_description);
             if (key_device_description) {
                 tr_debug("Set new device user %u for key", device_descriptor_handle);
@@ -1230,21 +1247,21 @@ void mcps_sap_prebuild_frame_buffer_free(mac_pre_build_frame_t *buffer)
 
 }
 
-static bool mac_frame_security_parameters_init(ccm_globals_t *ccm_ptr, protocol_interface_rf_mac_setup_s *rf_ptr, mac_pre_build_frame_t *buffer)
+static mlme_key_descriptor_t *mac_frame_security_key_get(protocol_interface_rf_mac_setup_s *rf_ptr, mac_pre_build_frame_t *buffer)
 {
     /* Encrypt the packet payload if AES encyption bit is set */
     mlme_security_t key_source;
     key_source.KeyIdMode = buffer->aux_header.KeyIdMode;
     key_source.KeyIndex = buffer->aux_header.KeyIndex;
     key_source.SecurityLevel = buffer->aux_header.securityLevel;
     memcpy(key_source.Keysource, buffer->aux_header.Keysource, 8);
-    mlme_key_descriptor_t *key_description =  mac_sec_key_description_get(rf_ptr, &key_source, buffer->fcf_dsn.DstAddrMode, buffer->DstAddr, buffer->DstPANId);
+    return mac_sec_key_description_get(rf_ptr, &key_source, buffer->fcf_dsn.DstAddrMode, buffer->DstAddr, buffer->DstPANId);
+}
 
-    if (!key_description) {
-        buffer->status = MLME_UNAVAILABLE_KEY;
-        return false;
 
-    }
+static bool mac_frame_security_parameters_init(ccm_globals_t *ccm_ptr, protocol_interface_rf_mac_setup_s *rf_ptr, mac_pre_build_frame_t *buffer, mlme_key_descriptor_t *key_description)
+{
+    /* Encrypt the packet payload if AES encyption bit is set */
     mlme_device_descriptor_t *device_description;
     uint8_t *nonce_ext_64_ptr;
 
@@ -1518,21 +1535,30 @@ static int8_t mcps_generic_packet_build(protocol_interface_rf_mac_setup_s *rf_pt
     mac_header_information_elements_preparation(buffer);
 
     mcps_generic_sequence_number_allocate(rf_ptr, buffer);
-
+    mlme_key_descriptor_t *key_desc;
     if (buffer->fcf_dsn.securityEnabled) {
         bool increment_framecounter = false;
         //Remember to update security counter here!
-        uint32_t new_frameCounter = mac_mlme_framecounter_get(rf_ptr);
+        key_desc = mac_frame_security_key_get(rf_ptr, buffer);
+        if (!key_desc) {
+            buffer->status = MLME_UNAVAILABLE_KEY;
+            return -2;
+        }
+
+        //GET Counter
+        uint32_t new_frameCounter = mac_sec_mib_key_outgoing_frame_counter_get(rf_ptr, key_desc);
         // If buffer frame counter is set, this is FHSS channel retry, update frame counter only if something was sent after failure
-        if ((buffer->aux_header.frameCounter == 0xffffffff) || buffer->asynch_request || ((new_frameCounter - buffer->aux_header.frameCounter) > 1)) {
+        if ((buffer->aux_header.frameCounter == 0xffffffff) || buffer->asynch_request || mac_data_counter_too_small(new_frameCounter, buffer->aux_header.frameCounter)) {
             buffer->aux_header.frameCounter = new_frameCounter;
             increment_framecounter = true;
         }
-        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer)) {
+
+        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer, key_desc)) {
             return -2;
         }
+        //Increment security counter
         if (increment_framecounter) {
-            mac_mlme_framecounter_increment(rf_ptr);
+            mac_sec_mib_key_outgoing_frame_counter_increment(rf_ptr, key_desc);
         }
     }
 
@@ -1566,7 +1592,9 @@ static int8_t mcps_generic_packet_build(protocol_interface_rf_mac_setup_s *rf_pt
         tr_debug("Too Long %u, %u pa %u header %u mic %u", frame_length, mac_payload_length, buffer->mac_header_length_with_security,  buffer->security_mic_len, dev_driver->phy_MTU);
         buffer->status = MLME_FRAME_TOO_LONG;
         //decrement security counter
-        mac_mlme_framecounter_decrement(rf_ptr);
+        if (buffer->fcf_dsn.securityEnabled) {
+            mac_sec_mib_key_outgoing_frame_counter_decrement(rf_ptr, key_desc);
+        }
         return -1;
     }
 
@@ -1680,19 +1708,24 @@ int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, bool in
 
     ccm_globals_t ccm_ptr;
     mac_pre_build_frame_t *buffer = &rf_ptr->enhanced_ack_buffer;
-
+    mlme_key_descriptor_t *key_desc;
 
     if (buffer->fcf_dsn.securityEnabled) {
         //Remember to update security counter here!
+        key_desc = mac_frame_security_key_get(rf_ptr, buffer);
+        if (!key_desc) {
+            buffer->status = MLME_UNAVAILABLE_KEY;
+            return -2;
+        }
         if (init_build) {
-            buffer->aux_header.frameCounter = mac_mlme_framecounter_get(rf_ptr);
+            buffer->aux_header.frameCounter = mac_sec_mib_key_outgoing_frame_counter_get(rf_ptr, key_desc);
         }
-        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer)) {
+        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer, key_desc)) {
             return -2;
         }
         if (init_build) {
             //Increment security counter
-            mac_mlme_framecounter_increment(rf_ptr);
+            mac_sec_mib_key_outgoing_frame_counter_increment(rf_ptr, key_desc);
         }
     }
 
@@ -1716,7 +1749,7 @@ int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, bool in
 
         if (buffer->fcf_dsn.securityEnabled) {
             //decrement security counter
-            mac_mlme_framecounter_decrement(rf_ptr);
+            mac_sec_mib_key_outgoing_frame_counter_decrement(rf_ptr, key_desc);
             ccm_free(&ccm_ptr);
         }
         return -1;
@@ -1777,7 +1810,14 @@ static int8_t mcps_generic_packet_rebuild(protocol_interface_rf_mac_setup_s *rf_
     }
 
     if (buffer->fcf_dsn.securityEnabled) {
-        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer)) {
+
+        mlme_key_descriptor_t *key_desc = mac_frame_security_key_get(rf_ptr, buffer);
+        if (!key_desc) {
+            buffer->status = MLME_UNAVAILABLE_KEY;
+            return -2;
+        }
+
+        if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer, key_desc)) {
             return -2;
         }
     }
@@ -2325,3 +2365,17 @@ int mcps_packet_ingress_rate_limit_by_memory(uint8_t free_heap_percentage)
 
     return -1;
 }
+
+void mcps_pending_packet_counter_update_check(protocol_interface_rf_mac_setup_s *rf_mac_setup, mac_pre_build_frame_t *buffer)
+{
+    if (buffer->fcf_dsn.securityEnabled) {
+        mlme_key_descriptor_t *key_desc = mac_frame_security_key_get(rf_mac_setup, buffer);
+        if (key_desc) {
+            uint32_t current_counter = mac_sec_mib_key_outgoing_frame_counter_get(rf_mac_setup, key_desc);
+            if (mac_data_counter_too_small(current_counter, buffer->aux_header.frameCounter)) {
+                buffer->aux_header.frameCounter = current_counter;
+                mac_sec_mib_key_outgoing_frame_counter_increment(rf_mac_setup, key_desc);
+            }
+        }
+    }
+}
@@ -140,4 +140,6 @@ int mcps_packet_ingress_rate_limit_by_memory(uint8_t free_heap_percentage);
 
 uint32_t mac_mcps_sap_get_phy_timestamp(struct protocol_interface_rf_mac_setup *rf_mac_setup);
 
+void mcps_pending_packet_counter_update_check(struct protocol_interface_rf_mac_setup *rf_mac_setup, mac_pre_build_frame_t *buffer);
+
 #endif /* MAC_IEEE802_15_4_MAC_MCPS_SAP_H_ */
Original file line number	Diff line number	Diff line change
`@@ -1581,6 +1581,10 @@ int ws_bootstrap_init(int8_t interface_id, net_6lowpan_mode_e bootstrap_mode)`
`1581`	`1581`	`return -2;`
`1582`	`1582`	`}`
`1583`	`1583`
	`1584`	`+ if (ns_sw_mac_enable_frame_counter_per_key(cur->mac_api, true)) {`
	`1585`	`+ return -1;`
	`1586`	`+ }`
	`1587`	`+`
`1584`	`1588`	`if (!etx_storage_list_allocate(cur->id, buffer.device_decription_table_size)) {`
`1585`	`1589`	`return -1;`
`1586`	`1590`	`}`
`@@ -2171,7 +2175,7 @@ static void ws_bootstrap_nw_key_clear(protocol_interface_info_entry_t *cur, uint`
`2171`	`2175`	`static void ws_bootstrap_nw_key_index_set(protocol_interface_info_entry_t *cur, uint8_t index)`
`2172`	`2176`	`{`
`2173`	`2177`	`// Set send key`
`2174`		`- mac_helper_security_auto_request_key_index_set(cur, index + 1);`
	`2178`	`+ mac_helper_security_auto_request_key_index_set(cur, index, index + 1);`
`2175`	`2179`	`}`
`2176`	`2180`
`2177`	`2181`	`static void ws_bootstrap_nw_frame_counter_set(protocol_interface_info_entry_t *cur, uint32_t counter)`