From: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
To: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Cc: Simon Vincent <simon.vincent@xsilon.com>,
"linux-wpan@vger.kernel.org" <linux-wpan@vger.kernel.org>
Subject: Re: 802.15.4 security
Date: Thu, 18 Jun 2015 13:40:13 +0200
Message-ID: <20150618134013.2a035f46@zoidberg>
In-Reply-To: <20150618131330.6bc2f488@zoidberg>

Found the bug for levels 1,2,3:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/mac802154/llsec.c#n680

Scatterlist length 0 is invalid. If I had built the
scatterlists properly instead of setting single element lengths to 0
(because I thought that was allowed), things wouldn't die in a BUG().

Can't patch that now, though, I'm sorry :(

On Thu, 18 Jun 2015 13:13:30 +0200
Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> wrote:
> Hi Simon,
>
> the last kernel I used this with was 3.15-rc8, so actually quite a
> while ago. Unfortunately, I don't have the means to test things with a
> current kernel right now, because I don't remember things failing that
> hard when I last worked on that code. I usually used seclevel 5, which
> worked fine with our devices.
>
> @wireshark: by default, without further configuration, wireshark can't
> check the MIC, because it doesn't have the necessary keys. There was a
> way to give wireshark those keys, but I don't remember off hand how
> that worked.
>
> On Thu, 18 Jun 2015 11:12:19 +0100
> Simon Vincent <simon.vincent@xsilon.com> wrote:
>
> > Hi Phoebe,
> >
> > I am having some problems with the 802.15.4 security.
> >
> > What kernel version/gitref did you last test the 802.15.4 security
> > on? What level of security are you using? (1-7)
> >
> > I can then have a look what has changed since and try and debug the
> > problems I am seeing.
> >
> > I find if I set the security level to 1,2,3 I get a kernel panic
> > whenever a packet is sent.
> > If I set the security level to 4 the packets sent are corrupt.
> > If I set the security level to 5-7 wireshark decodes the packets as
> > MIC check failed.
> >
> > Regards
> >
> > Simon
> >
> > On 28/05/15 10:00, Phoebe Buckheister wrote:
> > > Hi Simon,
> > >
> > > sorry for taking so long to reply. Unfortunately, there's
> > > currently no actual documentation for the crypto layer (and I
> > > probably won't come around to write any sometime soon), but I
> > > have built an application that works with llsec [1].
> > >
> > > The process to set up a crypto config for a network is roughly
> > > outlined in [2] and [3]. There are more options to the crypto
> > > layer than are used there, but the process is pretty much the
> > > same: you add a number of devices you want to securely
> > > communicate with, add the keys those devices will use to
> > > communicate, and then set the general parameters for llsec (like
> > > default llsec, enabling the crypto layer and such).
> > >
> > > Hope that helps a little,
> > > Phoebe
> > >
> > >
> > > [1]
> > > https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm
> > > [2]
> > > https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L160
> > > [3]
> > > https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L90
> > >
> > > On Thu, 21 May 2015 14:23:10 +0100
> > > Simon Vincent <simon.vincent@xsilon.com> wrote:
> > >
> > >> What is the status of the crypto-layer? I can see a lot of crypto
> > >> functionality in the mac layer but I can't work out how to setup
> > >> the keys and enable encryption/authentication. Will this be part
> > >> of the wpan-tools?
> > >>
> > >> - Simon
> > >> --
> > >> To unsubscribe from this list: send the line "unsubscribe
> > >> linux-wpan" in the body of a message to majordomo@vger.kernel.org
> > >> More majordomo info at
> > >> http://vger.kernel.org/majordomo-info.html
> >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wpan"
> in the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
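
An added example, not part of the thread and not the kernel's code: a userspace C model of splitting a frame into authenticated-only and encrypted parts so that no zero-length list entry is ever produced. The names `struct seg`, `struct llsec_plan` and `llsec_plan_frame` are hypothetical; the level encoding (bit 2 = encrypt, bits 0-1 = MIC size) follows IEEE 802.15.4, under which levels 1 to 3 authenticate without encrypting, so the encrypted part is empty for them.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model, not kernel code: struct seg stands in for one
 * scatterlist entry; all names here are hypothetical. */
struct seg { const uint8_t *buf; size_t len; };

struct llsec_plan {
    struct seg segs[2];   /* [authenticated-only data][encrypted data] */
    size_t nsegs;         /* entries actually used, never zero-length */
    size_t assoclen;      /* bytes covered by the MIC but sent in clear */
    size_t cryptlen;      /* bytes that get encrypted */
    size_t miclen;        /* MIC bytes appended to the frame */
};

/* IEEE 802.15.4 security level: bit 2 = encrypt, bits 0-1 = MIC size. */
static int level_encrypts(unsigned level) { return (level & 4) != 0; }

static size_t level_miclen(unsigned level)
{
    static const size_t mic[4] = { 0, 4, 8, 16 };
    return mic[level & 3];
}

/* Split a contiguous frame (header + payload) for the given level.
 * Returns 0 on success, -1 for an invalid level or missing header. */
int llsec_plan_frame(struct llsec_plan *p, unsigned level,
                     const uint8_t *frame, size_t hdrlen, size_t paylen)
{
    if (level < 1 || level > 7 || !frame || hdrlen == 0)
        return -1;
    p->miclen = level_miclen(level);
    p->cryptlen = level_encrypts(level) ? paylen : 0;
    /* Without encryption the payload is authenticated together with
     * the header, so it moves into the associated data. */
    p->assoclen = hdrlen + paylen - p->cryptlen;
    p->nsegs = 0;
    /* Append a segment only when it has data; a zero-length entry is
     * what the message above identifies as invalid. */
    if (p->assoclen)
        p->segs[p->nsegs++] = (struct seg){ frame, p->assoclen };
    if (p->cryptlen)
        p->segs[p->nsegs++] = (struct seg){ frame + p->assoclen, p->cryptlen };
    return 0;
}
```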