MAC security update:

Device table get verify now PAN-id field also which is new parameter.

MAC security by pass from unknow device only accetp from configured PAN-id

Wi-sun LLC drop Data packet from different PAN-id.

WS-eapol target set after Mac start which set a proper PAN-id to device.

Change-Id: I0132a02f259abcdf0989747428a0968a07ab9555

Author: Juha Heiskanen

source/6LoWPAN/ws/ws_bootstrap.c

@@ -2716,6 +2716,11 @@ void ws_bootstrap_network_scan_process(protocol_interface_info_entry_t *cur)
     tr_info("selected parent:%s panid %u", trace_array(selected_parent_ptr->addr, 8), selected_parent_ptr->pan_id);
 
     // Add EAPOL neighbour
+    cur->ws_info->network_pan_id = selected_parent_ptr->pan_id;
+    cur->ws_info->pan_information = selected_parent_ptr->pan_information;
+    cur->ws_info->pan_information.pan_version = 0; // This is learned from actual configuration
+
+    ws_bootstrap_fhss_activate(cur);
     llc_neighbour_req_t neighbor_info;
     if (!ws_bootstrap_neighbor_info_request(cur, selected_parent_ptr->addr, &neighbor_info, true)) {
         return;
@@ -2724,12 +2729,6 @@ void ws_bootstrap_network_scan_process(protocol_interface_info_entry_t *cur)
     ws_neighbor_class_neighbor_unicast_time_info_update(neighbor_info.ws_neighbor, &selected_parent_ptr->ws_utt, selected_parent_ptr->timestamp);
     ws_neighbor_class_neighbor_unicast_schedule_set(neighbor_info.ws_neighbor, &selected_parent_ptr->ws_us);
 
-    cur->ws_info->network_pan_id = selected_parent_ptr->pan_id;
-    cur->ws_info->pan_information = selected_parent_ptr->pan_information;
-    cur->ws_info->pan_information.pan_version = 0; // This is learned from actual configuration
-
-    ws_bootstrap_fhss_activate(cur);
-
     ws_pae_controller_set_target(cur, selected_parent_ptr->pan_id, selected_parent_ptr->addr); // temporary!!! store since auth
     ws_bootstrap_event_authentication_start(cur);
     return;

source/6LoWPAN/ws/ws_llc_data_service.c

@@ -514,6 +514,11 @@ static void ws_llc_mac_indication_cb(const mac_api_t *api, const mcps_data_ind_t
             return;
         }
 
+        if (interface->mac_parameters->pan_id != 0xffff && data->SrcPANId != interface->mac_parameters->pan_id) {
+            //Drop wrong PAN-id messages in this phase.
+            return;
+        }
+
         mpx_user_t *user_cb;
         mac_payload_IE_t mpx_ie;
         mpx_ie.id = MAC_PAYLOAD_MPX_IE_GROUP_ID;

source/MAC/IEEE802_15_4/mac_mcps_sap.c

@@ -572,9 +572,9 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
     } else {
 
         if (!b->neigh_info) {
-            if (rf_mac_setup->mac_security_bypass_unknow_device && (b->fcf_dsn.SrcAddrMode == MAC_ADDR_MODE_64_BIT
-                                                                    && security_params->SecurityLevel > AES_SECURITY_LEVEL_ENC)) {
-                security_by_pass = true;
+            if (SrcPANId == rf_mac_setup->pan_id && rf_mac_setup->mac_security_bypass_unknow_device &&
+                    (b->fcf_dsn.SrcAddrMode == MAC_ADDR_MODE_64_BIT && security_params->SecurityLevel > AES_SECURITY_LEVEL_ENC)) {
+                security_by_pass = true;//Accept by pass only from same PAN-ID
             } else {
                 return MLME_UNSUPPORTED_SECURITY;
             }
@@ -723,7 +723,7 @@ static int8_t mac_data_sap_rx_handler(mac_pre_parsed_frame_t *buf, protocol_inte
     /* Parse security part */
     mac_header_security_components_read(buf, &data_ind->Key);
 
-    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, data_ind->SrcAddr, data_ind->SrcAddrMode);
+    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, data_ind->SrcAddr, data_ind->SrcAddrMode, data_ind->SrcPANId);
     if (buf->fcf_dsn.securityEnabled) {
         status = mac_data_interface_decrypt_packet(buf, &data_ind->Key);
         if (status != MLME_SUCCESS) {
@@ -846,7 +846,8 @@ static int8_t mac_command_sap_rx_handler(mac_pre_parsed_frame_t *buf, protocol_i
     //Read address and pan-id
     mac_header_get_src_address(&buf->fcf_dsn, mac_header_message_start_pointer(buf), temp_src_address);
     uint8_t address_mode = buf->fcf_dsn.SrcAddrMode;
-    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, temp_src_address, address_mode);
+    uint16_t pan_id = mac_header_get_src_panid(&buf->fcf_dsn, mac_header_message_start_pointer(buf), rf_mac_setup->pan_id);
+    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, temp_src_address, address_mode, pan_id);
     //Decrypt Packet if secured
     if (buf->fcf_dsn.securityEnabled) {
         mac_header_security_components_read(buf, &security_params);
@@ -1082,10 +1083,11 @@ static int8_t mac_ack_sap_rx_handler(mac_pre_parsed_frame_t *buf, protocol_inter
     memset(SrcAddr, 0, 8);
     memset(&key, 0, sizeof(mlme_security_t));
     mac_header_get_src_address(&buf->fcf_dsn, mac_header_message_start_pointer(buf), SrcAddr);
+    uint16_t pan_id = mac_header_get_src_panid(&buf->fcf_dsn, mac_header_message_start_pointer(buf), rf_mac_setup->pan_id);
     /* Parse security part */
     mac_header_security_components_read(buf, &key);
 
-    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, SrcAddr, buf->fcf_dsn.SrcAddrMode);
+    buf->neigh_info = mac_sec_mib_device_description_get(rf_mac_setup, SrcAddr, buf->fcf_dsn.SrcAddrMode, pan_id);
     if (buf->fcf_dsn.securityEnabled) {
         uint8_t status = mac_data_interface_decrypt_packet(buf, &key);
         if (status != MLME_SUCCESS) {
@@ -1276,7 +1278,7 @@ static bool mac_frame_security_parameters_init(ccm_globals_t *ccm_ptr, protocol_
     } else {
         //Discover device descriptor only unicast packet which need ack
         if (buffer->fcf_dsn.DstAddrMode && buffer->fcf_dsn.ackRequested) {
-            device_description =  mac_sec_mib_device_description_get(rf_ptr, buffer->DstAddr, buffer->fcf_dsn.DstAddrMode);
+            device_description =  mac_sec_mib_device_description_get(rf_ptr, buffer->DstAddr, buffer->fcf_dsn.DstAddrMode, buffer->DstPANId);
             if (!device_description) {
                 buffer->status = MLME_UNAVAILABLE_KEY;
                 return false;

source/MAC/IEEE802_15_4/mac_pd_sap.c

@@ -429,7 +429,7 @@ static int8_t mac_data_interface_tx_done_cb(protocol_interface_rf_mac_setup_s *r
 
         if (rf_ptr->mac_ack_tx_active) {
             //Accept direct non crypted acks and crypted only if neighbor is at list
-            if (rf_ptr->ack_tx_possible || mac_sec_mib_device_description_get(rf_ptr, rf_ptr->enhanced_ack_buffer.DstAddr, rf_ptr->enhanced_ack_buffer.fcf_dsn.DstAddrMode)) {
+            if (rf_ptr->ack_tx_possible || mac_sec_mib_device_description_get(rf_ptr, rf_ptr->enhanced_ack_buffer.DstAddr, rf_ptr->enhanced_ack_buffer.fcf_dsn.DstAddrMode, rf_ptr->enhanced_ack_buffer.DstPANId)) {
                 return PHY_TX_ALLOWED;
             }
 
@@ -772,7 +772,7 @@ static int8_t mac_pd_sap_generate_ack(protocol_interface_rf_mac_setup_s *rf_ptr,
         return -1;
     }
 
-    if (rf_ptr->enhanced_ack_buffer.aux_header.securityLevel == 0 || mac_sec_mib_device_description_get(rf_ptr, rf_ptr->enhanced_ack_buffer.DstAddr, rf_ptr->enhanced_ack_buffer.fcf_dsn.DstAddrMode)) {
+    if (rf_ptr->enhanced_ack_buffer.aux_header.securityLevel == 0 || mac_sec_mib_device_description_get(rf_ptr, rf_ptr->enhanced_ack_buffer.DstAddr, rf_ptr->enhanced_ack_buffer.fcf_dsn.DstAddrMode, rf_ptr->enhanced_ack_buffer.DstPANId)) {
         rf_ptr->ack_tx_possible = true;
     } else {
         rf_ptr->ack_tx_possible = false;

source/MAC/IEEE802_15_4/mac_security_mib.c

@@ -115,7 +115,7 @@ static void mac_sec_mib_frame_counter_key_buffer_free(protocol_interface_rf_mac_
     rf_mac_setup->secFrameCounterPerKey = false;
 }
 
-static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac16(protocol_interface_rf_mac_setup_s *rf_mac_setup, uint16_t mac16)
+static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac16(protocol_interface_rf_mac_setup_s *rf_mac_setup, uint16_t mac16, uint16_t pan_id)
 {
 
     mlme_device_descriptor_t *device_table = rf_mac_setup->device_description_table;
@@ -124,7 +124,7 @@ static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac16(pro
     }
 
     for (int i = 0; i < rf_mac_setup->device_description_table_size; i++) {
-        if (device_table->ShortAddress == mac16) {
+        if ((pan_id == 0xffff || device_table->PANId == pan_id) && device_table->ShortAddress == mac16) {
             return device_table;
         }
         device_table++;
@@ -133,7 +133,7 @@ static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac16(pro
     return NULL;
 }
 
-static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac64(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *mac64)
+static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac64(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *mac64, uint16_t pan_id)
 {
 
     mlme_device_descriptor_t *device_table = rf_mac_setup->device_description_table;
@@ -142,8 +142,10 @@ static mlme_device_descriptor_t *mac_sec_mib_device_description_get_by_mac64(pro
     }
 
     for (int i = 0; i < rf_mac_setup->device_description_table_size; i++) {
-        if (memcmp(device_table->ExtAddress, mac64, 8) == 0) {
-            return device_table;
+        if ((pan_id == 0xffff || device_table->PANId == pan_id)) {
+            if (memcmp(device_table->ExtAddress, mac64, 8) == 0) {
+                return device_table;
+            }
         }
         device_table++;
     }
@@ -365,14 +367,14 @@ mlme_device_descriptor_t *mac_sec_mib_device_description_get_attribute_index(pro
     return rf_mac_setup->device_description_table + attribute_index;
 }
 
-mlme_device_descriptor_t *mac_sec_mib_device_description_get(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *address, uint8_t type)
+mlme_device_descriptor_t *mac_sec_mib_device_description_get(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *address, uint8_t type, uint16_t pan_id)
 {
     if (rf_mac_setup) {
         if (type == MAC_ADDR_MODE_16_BIT) {
             uint16_t short_id = common_read_16_bit(address);
-            return  mac_sec_mib_device_description_get_by_mac16(rf_mac_setup, short_id);
+            return  mac_sec_mib_device_description_get_by_mac16(rf_mac_setup, short_id, pan_id);
         } else if (type == MAC_ADDR_MODE_64_BIT) {
-            return mac_sec_mib_device_description_get_by_mac64(rf_mac_setup, address);
+            return mac_sec_mib_device_description_get_by_mac64(rf_mac_setup, address, pan_id);
         }
     }
 

source/MAC/IEEE802_15_4/mac_security_mib.h

@@ -51,7 +51,7 @@ int8_t mac_sec_mib_key_description_set(uint8_t atribute_index, mlme_key_descript
 
 mlme_device_descriptor_t *mac_sec_mib_device_description_get_attribute_index(struct protocol_interface_rf_mac_setup *rf_mac_setup, uint8_t attribute_index);
 
-mlme_device_descriptor_t *mac_sec_mib_device_description_get(struct protocol_interface_rf_mac_setup *rf_mac_setup, const uint8_t *address, uint8_t type);
+mlme_device_descriptor_t *mac_sec_mib_device_description_get(struct protocol_interface_rf_mac_setup *rf_mac_setup, const uint8_t *address, uint8_t type, uint16_t pan_id);
 
 uint8_t mac_mib_device_descption_attribute_get_by_descriptor(struct protocol_interface_rf_mac_setup *rf_mac_setup, mlme_device_descriptor_t *descriptor);
 

test/nanostack/unittest/mac/mac_security_mib/test_mac_security_mib.c

@@ -250,21 +250,21 @@ bool test_mac_sec_mib_device_description_get_attribute_index()
 
 bool test_mac_sec_mib_device_description_get()
 {
-    if (mac_sec_mib_device_description_get(NULL, NULL, 0)) {
+    if (mac_sec_mib_device_description_get(NULL, NULL, 0, 1)) {
         return false;
     }
     protocol_interface_rf_mac_setup_s setup;
     memset(&setup, 0, sizeof(protocol_interface_rf_mac_setup_s));
 
     uint8_t mac16[2];
     memset(mac16, 0, 2);
-    if (mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT)) {
+    if (mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT, 1)) {
         return false;
     }
 
     uint8_t mac64[8];
     memset(mac64, 0, 8);
-    if (mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT)) {
+    if (mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT, 1)) {
         return false;
     }
 
@@ -279,26 +279,27 @@ bool test_mac_sec_mib_device_description_get()
 
     mac16[0] = 0;
     mac16[1] = 0;
-    if (mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT)) {
+    if (mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT, 1)) {
         return false;
     }
 
-    if (mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT)) {
+    if (mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT, 1)) {
         return false;
     }
 
     mlme_device_descriptor_t *device_table = setup.device_description_table;
     device_table++;
     device_table->ShortAddress = 16;
+    device_table->PANId = 1;
     common_functions_stub.uint16_value = 16;
-    if (!mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT)) {
+    if (!mac_sec_mib_device_description_get(&setup, &mac16, MAC_ADDR_MODE_16_BIT, 1)) {
         return false;
     }
     common_functions_stub.uint16_value = 0;
 
     memset(&device_table->ExtAddress, 1, 8);
     memset(&mac64, 1, 8);
-    if (!mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT)) {
+    if (!mac_sec_mib_device_description_get(&setup, &mac64, MAC_ADDR_MODE_64_BIT, 1)) {
         return false;
     }
 

test/nanostack/unittest/stub/mac_security_mib_stub.c

@@ -61,7 +61,7 @@ mlme_device_descriptor_t *mac_sec_mib_device_description_get_attribute_index(pro
     return mac_security_mib_stub.device_ptr;
 }
 
-mlme_device_descriptor_t *mac_sec_mib_device_description_get(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *address, uint8_t type)
+mlme_device_descriptor_t *mac_sec_mib_device_description_get(protocol_interface_rf_mac_setup_s *rf_mac_setup, const uint8_t *address, uint8_t type, uint16_t pan_id)
 {
     return mac_security_mib_stub.device_ptr;
 }