MAC Security update

Mac frame counter read and update added inside platform critical for support multi thread users.

Added support to accept trough unknow devices if MIC is correct and accept TX.

Added support for Send Secured Enhanced ACK's

Change-Id: I2b07f190df78a295340fafce8e86bf163633d095

Author: Juha Heiskanen

nanostack/mlme.h

@@ -264,6 +264,7 @@ typedef enum {
     macAutoRequestKeyIndex = 0x7b,  /*<The index of the key used for automatic data*/
     macDefaultKeySource = 0x7c,      /*<Default key source*/
     //NON standard extension
+    macAcceptByPassUnknowDevice = 0xfc,  /*< Accept data trough MAC if packet is data can be authenticated by group key nad MIC. Security enforsment point must be handled carefully these packets */
     macLoadBalancingBeaconTx = 0xfd,  /*< Trig Beacon from load balance module periodic */
     macLoadBalancingAcceptAnyBeacon = 0xfe, /*<Beacon accept state control from other network. Value size bool, data true=Enable, false=disable .*/
     macThreadForceLongAddressForBeacon = 0xff /*<Thread standard force beacon source address for extended 64-bit*/

source/MAC/IEEE802_15_4/mac_defines.h

@@ -157,6 +157,8 @@ typedef struct protocol_interface_rf_mac_setup {
     bool macProminousMode:1;
     bool macGTSPermit:1;
     bool mac_security_enabled:1;
+    /* Let trough packet which is secured properly (MIC authenticated group key)  and src address is 64-bit*/
+    bool mac_security_bypass_unknow_device:1;
     /* Load balancing need this feature */
     bool macAcceptAnyBeacon:1;
 

source/MAC/IEEE802_15_4/mac_header_helper_functions.c

@@ -288,18 +288,24 @@ static uint8_t * mac_header_write_fcf_dsn(const mac_fcf_sequence_t *header, uint
     return ptr;
 }
 
-void mac_header_security_components_read(mac_pre_parsed_frame_t *buffer, mlme_security_t *security_params)
+uint16_t mac_header_off_set_to_aux_header(const mac_fcf_sequence_t *fcf)
 {
-    uint8_t *ptr = mcps_mac_security_aux_header_start_pointer_get(buffer);
-    memset(security_params, 0, sizeof(mlme_security_t));
-    uint8_t key_source_len = 0;
-    if (!buffer->fcf_dsn.securityEnabled) {
-        return;
+    //Skip first FCF & address field
+    uint16_t offset = mac_fcf_lenght(fcf);//Skip FCF + DSN
+    offset += mac_dst_address_length_with_panid(fcf);
+    offset += mac_address_length(fcf->SrcAddrMode);
+    if (fcf->SrcPanPresents) {
+        offset += 2; //Skip PanId
     }
+    return offset;
+}
 
+void mac_header_security_aux_header_parse(const uint8_t *ptr, mlme_security_t *security_params)
+{
+    uint8_t key_source_len = 0;
     security_params->KeyIdMode = (*ptr >> 3);
     security_params->SecurityLevel = *ptr++;
-    ptr += 4;
+    ptr += 4; //Skip Frame counter
     switch (security_params->KeyIdMode) {
         case MAC_KEY_ID_MODE_IMPLICIT:
             break;
@@ -315,6 +321,17 @@ void mac_header_security_components_read(mac_pre_parsed_frame_t *buffer, mlme_se
     }
 }
 
+void mac_header_security_components_read(mac_pre_parsed_frame_t *buffer, mlme_security_t *security_params)
+{
+    memset(security_params, 0, sizeof(mlme_security_t));
+    if (!buffer->fcf_dsn.securityEnabled) {
+        return;
+    }
+
+    mac_header_security_aux_header_parse(mcps_mac_security_aux_header_start_pointer_get(buffer), security_params);
+
+}
+
 uint16_t mac_header_get_src_panid(const mac_fcf_sequence_t *header, const uint8_t *ptr)
 {
 

source/MAC/IEEE802_15_4/mac_header_helper_functions.h

@@ -40,6 +40,10 @@ void mac_header_security_parameter_set(struct mac_aux_security_header_s *header,
  */
 const uint8_t * mac_header_parse_fcf_dsn(struct mac_fcf_sequence_s *header, const uint8_t *ptr);
 
+uint16_t mac_header_off_set_to_aux_header(const struct mac_fcf_sequence_s *fcf);
+
+void mac_header_security_aux_header_parse(const uint8_t *ptr, struct mlme_security_s *security_params);
+
 void mac_header_security_components_read(struct mac_pre_parsed_frame_s *buffer, struct mlme_security_s *security_params);
 
 bool mac_header_information_elements_parse(struct mac_pre_parsed_frame_s *buffer);

source/MAC/IEEE802_15_4/mac_mcps_sap.c

@@ -527,6 +527,7 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
     mlme_key_device_descriptor_t *key_device_description = NULL;
     uint8_t device_descriptor_handle;
     uint8_t openPayloadLength = 0;
+    bool security_by_pass = false;
     protocol_interface_rf_mac_setup_s *rf_mac_setup = (protocol_interface_rf_mac_setup_s*)b->mac_class_ptr;
 //    mlme_security_level_descriptor_t security_level_compare;
 
@@ -590,7 +591,12 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
     } else {
 
         if (!b->neigh_info) {
-            return MLME_UNSUPPORTED_SECURITY;
+            if (rf_mac_setup->mac_security_bypass_unknow_device && (b->fcf_dsn.SrcAddrMode == MAC_ADDR_MODE_64_BIT
+                    && security_params->SecurityLevel > AES_SECURITY_LEVEL_ENC)) {
+                security_by_pass = true;
+            } else {
+                return MLME_UNSUPPORTED_SECURITY;
+            }
         }
 
         device_descriptor_handle = mac_mib_device_descption_attribute_get_by_descriptor(rf_mac_setup, b->neigh_info);
@@ -611,7 +617,11 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
     }
 
     key = key_description->Key;
-    memcpy(neighbour_validation.nonce_ptr, b->neigh_info->ExtAddress, 8);
+    if (security_by_pass) {
+        memcpy(neighbour_validation.nonce_ptr, neighbour_validation.address, 8);
+    } else {
+        memcpy(neighbour_validation.nonce_ptr, b->neigh_info->ExtAddress, 8);
+    }
 
     ccm_globals_t ccm_ptr;
 
@@ -641,15 +651,16 @@ static uint8_t mac_data_interface_decrypt_packet(mac_pre_parsed_frame_t *b, mlme
     }
 
     //Update key device and key description tables
-
-    b->neigh_info->FrameCounter = neighbour_validation.frameCounter + 1;
-    if (!key_device_description) {
-        // Black list old used keys by this device
-        mac_sec_mib_device_description_blacklist(rf_mac_setup, device_descriptor_handle);
-        key_device_description =  mac_sec_mib_key_device_description_list_update(key_description);
-        if (key_device_description) {
-            tr_debug("Set new device user %u for key", device_descriptor_handle);
-            key_device_description->DeviceDescriptorHandle = device_descriptor_handle;
+    if (!security_by_pass) {
+        b->neigh_info->FrameCounter = neighbour_validation.frameCounter + 1;
+        if (!key_device_description) {
+            // Black list old used keys by this device
+            mac_sec_mib_device_description_blacklist(rf_mac_setup, device_descriptor_handle);
+            key_device_description =  mac_sec_mib_key_device_description_list_update(key_description);
+            if (key_device_description) {
+                tr_debug("Set new device user %u for key", device_descriptor_handle);
+                key_device_description->DeviceDescriptorHandle = device_descriptor_handle;
+            }
         }
     }
 
@@ -1269,8 +1280,13 @@ static bool mac_frame_security_parameters_init(ccm_globals_t *ccm_ptr, protocol_
             device_description =  mac_sec_mib_device_description_get(rf_ptr, buffer->DstAddr, buffer->fcf_dsn.DstAddrMode);
             if (!device_description) {
 
-                buffer->status = MLME_UNAVAILABLE_KEY;
-                return false;
+                if (rf_ptr->mac_security_bypass_unknow_device && (buffer->fcf_dsn.SrcAddrMode == MAC_ADDR_MODE_64_BIT
+                        && buffer->aux_header.securityLevel > AES_SECURITY_LEVEL_ENC)) {
+
+                } else {
+                    buffer->status = MLME_UNAVAILABLE_KEY;
+                    return false;
+                }
             }
         }
         nonce_ext_64_ptr = rf_ptr->mac64;
@@ -1517,12 +1533,12 @@ static int8_t mcps_generic_packet_build(protocol_interface_rf_mac_setup_s *rf_pt
 
     if (buffer->fcf_dsn.securityEnabled) {
         //Remember to update security counter here!
-        buffer->aux_header.frameCounter = rf_ptr->security_frame_counter;
+        buffer->aux_header.frameCounter = mac_mlme_framecounter_get(rf_ptr);
         if (!mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer)) {
             return -2;
         }
         //Increment security counter
-        rf_ptr->security_frame_counter++;
+        mac_mlme_framecounter_increment(rf_ptr);
 
     }
 
@@ -1556,7 +1572,7 @@ static int8_t mcps_generic_packet_build(protocol_interface_rf_mac_setup_s *rf_pt
         tr_debug("Too Long %u, %u pa %u header %u mic %u",frame_length, mac_payload_length, buffer->mac_header_length_with_security,  buffer->security_mic_len, dev_driver->phy_MTU);
         buffer->status = MLME_FRAME_TOO_LONG;
         //decrement security counter
-        rf_ptr->security_frame_counter--;
+        mac_mlme_framecounter_decrement(rf_ptr);
         return -1;
     }
 
@@ -1587,7 +1603,7 @@ static int8_t mcps_generic_packet_build(protocol_interface_rf_mac_setup_s *rf_pt
 }
 
 
-int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time)
+int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, const mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time)
 {
     phy_device_driver_s *dev_driver = rf_ptr->dev_driver->phy_driver;
     dev_driver_tx_buffer_s *tx_buf = &rf_ptr->dev_driver_tx_buffer;
@@ -1613,12 +1629,34 @@ int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, mac_fcf
     }
 
     buffer->mac_header_length_with_security += mac_header_address_length(&buffer->fcf_dsn);
+
     buffer->DstPANId = mac_header_get_src_panid(fcf, data_ptr);
     buffer->SrcPANId = mac_header_get_dst_panid(fcf, data_ptr);
 
     mac_header_get_src_address(fcf, data_ptr, buffer->DstAddr);
     mac_header_get_dst_address(fcf, data_ptr, buffer->SrcAddr);
 
+    //Security
+    buffer->fcf_dsn.securityEnabled = fcf->securityEnabled;
+    if (buffer->fcf_dsn.securityEnabled ) {
+        //Read Security AUX headers
+        const uint8_t *ptr = data_ptr;
+        ptr += mac_header_off_set_to_aux_header(fcf);
+        //Start parsing AUX header
+        mlme_security_t aux_parse;
+        mac_header_security_aux_header_parse(ptr, &aux_parse);
+        buffer->aux_header.KeyIdMode = aux_parse.KeyIdMode;
+        buffer->aux_header.KeyIndex = aux_parse.KeyIndex;
+        buffer->aux_header.securityLevel = aux_parse.SecurityLevel;
+        memcpy(buffer->aux_header.Keysource, aux_parse.Keysource, 8);
+
+        buffer->security_mic_len = mac_security_mic_length_get(buffer->aux_header.securityLevel);
+        buffer->fcf_dsn.frameVersion = MAC_FRAME_VERSION_2006;
+        buffer->mac_header_length_with_security += mac_header_security_aux_header_length(buffer->aux_header.securityLevel, buffer->aux_header.KeyIdMode);
+
+    }
+
+
     //TODO Request Application data to ACK
     uint16_t ie_header_length = 0;
     uint16_t ie_payload_length = 0;
@@ -1645,12 +1683,12 @@ int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, mac_fcf
 
     if (buffer->fcf_dsn.securityEnabled) {
         //Remember to update security counter here!
-        buffer->aux_header.frameCounter = rf_ptr->security_frame_counter;
+        buffer->aux_header.frameCounter = mac_mlme_framecounter_get(rf_ptr);
         if ( !mac_frame_security_parameters_init(&ccm_ptr, rf_ptr, buffer)) {
             return -2;
         }
         //Increment security counter
-        rf_ptr->security_frame_counter++;
+        mac_mlme_framecounter_increment(rf_ptr);
     }
 
     //Calculate Payload length here with IE extension
@@ -1666,7 +1704,7 @@ int8_t mcps_generic_ack_build(protocol_interface_rf_mac_setup_s *rf_ptr, mac_fcf
 
         if (buffer->fcf_dsn.securityEnabled) {
             //decrement security counter
-            rf_ptr->security_frame_counter--;
+            mac_mlme_framecounter_decrement(rf_ptr);
             ccm_free(&ccm_ptr);
         }
         return -1;

source/MAC/IEEE802_15_4/mac_mcps_sap.h

@@ -204,6 +204,6 @@ void mcps_sap_purge_reg_handler(struct protocol_interface_rf_mac_setup *rf_mac_s
 
 int8_t mcps_pd_data_rebuild(struct protocol_interface_rf_mac_setup *rf_ptr, mac_pre_build_frame_t *buffer);
 
-int8_t mcps_generic_ack_build(struct protocol_interface_rf_mac_setup *rf_ptr, mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time);
+int8_t mcps_generic_ack_build(struct protocol_interface_rf_mac_setup *rf_ptr, const mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time);
 
 #endif /* MAC_IEEE802_15_4_MAC_MCPS_SAP_H_ */

source/MAC/IEEE802_15_4/mac_mlme.c

@@ -510,6 +510,9 @@ static int8_t mac_mlme_boolean_set(protocol_interface_rf_mac_setup_s *rf_mac_set
                 rf_mac_setup->dev_driver->phy_driver->extension(PHY_EXTENSION_ACCEPT_ANY_BEACON, (uint8_t*)&value);
             }
             break;
+        case macAcceptByPassUnknowDevice:
+        rf_mac_setup->mac_security_bypass_unknow_device = value;
+        break;
 
         default:
             return -1;
@@ -609,7 +612,9 @@ static int8_t mac_mlme_32bit_set(protocol_interface_rf_mac_setup_s *rf_mac_setup
     (void) value;
     switch (attribute) {
         case macFrameCounter:
+            platform_enter_critical();
             rf_mac_setup->security_frame_counter = value;
+            platform_exit_critical();
             break;
 
         default:
@@ -720,6 +725,30 @@ int8_t mac_mlme_set_req(protocol_interface_rf_mac_setup_s *rf_mac_setup,const ml
     }
 }
 
+uint32_t mac_mlme_framecounter_get(struct protocol_interface_rf_mac_setup *rf_mac_setup)
+{
+    uint32_t value;
+    platform_enter_critical();
+    value = rf_mac_setup->security_frame_counter;
+    platform_exit_critical();
+    return value;
+}
+
+void mac_mlme_framecounter_increment(struct protocol_interface_rf_mac_setup *rf_mac_setup)
+{
+    platform_enter_critical();
+    rf_mac_setup->security_frame_counter++;
+    platform_exit_critical();
+}
+
+void mac_mlme_framecounter_decrement(struct protocol_interface_rf_mac_setup *rf_mac_setup)
+{
+    platform_enter_critical();
+    rf_mac_setup->security_frame_counter--;
+    platform_exit_critical();
+}
+
+
 int8_t mac_mlme_get_req(struct protocol_interface_rf_mac_setup *rf_mac_setup, mlme_get_conf_t *get_req)
 {
     if (!get_req || !rf_mac_setup ) {
@@ -742,7 +771,9 @@ int8_t mac_mlme_get_req(struct protocol_interface_rf_mac_setup *rf_mac_setup, ml
             break;
 
         case macFrameCounter:
+            platform_enter_critical();
             get_req->value_pointer = &rf_mac_setup->security_frame_counter;
+            platform_exit_critical();
             get_req->value_size = 4;
             break;
 

source/MAC/IEEE802_15_4/mac_mlme.h

@@ -65,6 +65,11 @@ int8_t mac_mlme_get_req(struct protocol_interface_rf_mac_setup *rf_mac_setup, st
 
 void mac_extended_mac_set(struct protocol_interface_rf_mac_setup *rf_mac_setup, const uint8_t *mac64);
 
+uint32_t mac_mlme_framecounter_get(struct protocol_interface_rf_mac_setup *rf_mac_setup);
+
+void mac_mlme_framecounter_increment(struct protocol_interface_rf_mac_setup *rf_mac_setup);
+void mac_mlme_framecounter_decrement(struct protocol_interface_rf_mac_setup *rf_mac_setup);
+
 /**
  * MLME Poll Request
  *

source/MAC/IEEE802_15_4/mac_pd_sap.c

@@ -319,6 +319,14 @@ static void mac_sap_no_ack_cb(protocol_interface_rf_mac_setup_s *rf_ptr) {
     }
 }
 
+static bool mac_data_counter_too_small(uint32_t current_counter, uint32_t packet_counter)
+{
+   if((current_counter - packet_counter) >= 2) {
+       return true;
+   }
+   return false;
+}
+
 
 static int8_t mac_data_interface_tx_done_cb(protocol_interface_rf_mac_setup_s *rf_ptr, phy_link_tx_status_e status, uint8_t cca_retry, uint8_t tx_retry)
 {
@@ -372,6 +380,15 @@ static int8_t mac_data_interface_tx_done_cb(protocol_interface_rf_mac_setup_s *r
     if (rf_ptr->mac_ack_tx_active) {
         rf_ptr->mac_ack_tx_active = false;
         if (rf_ptr->active_pd_data_request) {
+
+            if (rf_ptr->active_pd_data_request->fcf_dsn.securityEnabled) {
+                uint32_t current_counter = mac_mlme_framecounter_get(rf_ptr);
+                if (mac_data_counter_too_small(current_counter, rf_ptr->active_pd_data_request->aux_header.frameCounter)) {
+                    tr_debug("HOXS counter %u < ack counter %u", rf_ptr->active_pd_data_request->aux_header.frameCounter, rf_ptr->security_frame_counter);
+                    rf_ptr->active_pd_data_request->aux_header.frameCounter = current_counter;
+                    mac_mlme_framecounter_increment(rf_ptr);
+                }
+            }
             //GEN TX failure
             mac_sap_cca_fail_cb(rf_ptr);
         }

test/nanostack/unittest/stub/mac_header_helper_functions_stub.c

@@ -68,6 +68,22 @@ void mac_header_security_components_read(mac_pre_parsed_frame_t *buffer, mlme_se
     }
 }
 
+void mac_header_security_aux_header_parse(const uint8_t *ptr, mlme_security_t *security_params)
+{
+    if (security_params) {
+        security_params->KeyIdMode = mac_header_helper_functions_stub.security_header.KeyIdMode;
+        security_params->KeyIndex = mac_header_helper_functions_stub.security_header.KeyIndex;
+        security_params->SecurityLevel = mac_header_helper_functions_stub.security_header.securityLevel;
+        memcpy(security_params->Keysource, mac_header_helper_functions_stub.security_header.Keysource, 8);
+
+    }
+}
+
+uint16_t mac_header_off_set_to_aux_header(const mac_fcf_sequence_t *fcf)
+{
+    return 0;
+}
+
 uint16_t mac_header_get_src_panid(const mac_fcf_sequence_t *header, const uint8_t *ptr)
 {
     return mac_header_helper_functions_stub.pan_src;

test/nanostack/unittest/stub/mac_mcps_sap_stub.c

@@ -160,7 +160,7 @@ int8_t mcps_pd_data_rebuild(struct protocol_interface_rf_mac_setup *rf_ptr, mac_
     return mac_mcps_sap_stub.int8_value;
 }
 
-int8_t mcps_generic_ack_build(struct protocol_interface_rf_mac_setup *rf_ptr, mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time)
+int8_t mcps_generic_ack_build(struct protocol_interface_rf_mac_setup *rf_ptr, const mac_fcf_sequence_t *fcf, const uint8_t *data_ptr, const mcps_ack_data_payload_t *ack_payload, uint32_t rx_time)
 {
     return 0;
 }