From: Simon Vincent <simon.vincent@xsilon.com>
To: Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de>
Cc: "linux-wpan@vger.kernel.org" <linux-wpan@vger.kernel.org>
Subject: Re: 802.15.4 security
Date: Thu, 18 Jun 2015 12:43:40 +0100
Message-ID: <5582AEEC.6040607@xsilon.com>
In-Reply-To: <20150618134013.2a035f46@zoidberg>
No worries I will fix it.
Simon
On 18/06/15 12:40, Phoebe Buckheister wrote:
> Found the bug for levels 1,2,3:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/mac802154/llsec.c#n680
>
> Scatterlist length 0 is invalid. If I had built the
> scatterlists properly instead of setting single element lengths to 0
> (because I thought that was allowed), things wouldn't die in a BUG().
> Can't patch that now, though, I'm sorry :(
>
> On Thu, 18 Jun 2015 13:13:30 +0200
> Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> wrote:
>
>> Hi Simon,
>>
>> the last kernel I used this with was 3.15-rc8, so actually quite a
>> while ago. Unfortunately, I don't have the means to test things with a
>> current kernel right now, because I don't remember things failing that
>> hard when I last worked on that code. I usually used seclevel 5, which
>> worked fine with our devices.
>>
>> @wireshark: by default, without further configuration, wireshark can't
>> check the MIC, because it doesn't have the necessary keys. There was a
>> way to give wireshark those keys, but I don't remember off hand how
>> that worked.
>>
>> On Thu, 18 Jun 2015 11:12:19 +0100
>> Simon Vincent <simon.vincent@xsilon.com> wrote:
>>
>>> Hi Phoebe,
>>>
>>> I am having some problems with the 802.15.4 security.
>>>
>>> What kernel version/gitref did you last test the 802.15.4 security
>>> on? What level of security are you using? (1-7)
>>>
>>> I can then have a look what has changed since and try and debug the
>>> problems I am seeing.
>>>
>>> I find if I set the security level to 1,2,3 I get a kernel panic
>>> whenever a packet is sent.
>>> If I set the security level to 4 the packets sent are corrupt.
>>> If I set the security level to 5-7 wireshark decodes the packets as
>>> MIC check failed.
>>>
>>> Regards
>>>
>>> Simon
>>>
>>> On 28/05/15 10:00, Phoebe Buckheister wrote:
>>>> Hi Simon,
>>>>
>>>> sorry for taking so long to reply. Unfortunately, there's
>>>> currently no actual documentation for the crypto layer (and I
>>>> probably won't come around to write any sometime soon), but I
>>>> have built an application that works with llsec [1].
>>>>
>>>> The process to set up a crypto config for a network is roughly
>>>> outlined in [2] and [3]. There are more options to the crypto
>>>> layer than are used there, but the process is pretty much the
>>>> same: you add a number of devices you want to securely
>>>> communicate with, add the keys those devices will use to
>>>> communicate, and then set the general parameters for llsec (like
>>>> default llsec, enabling the crypto layer and such).
>>>>
>>>> Hope that helps a little,
>>>> Phoebe
>>>>
>>>>
>>>> [1]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm
>>>> [2]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L160
>>>> [3]
>>>> https://github.com/mysmartgrid/hexabus/blob/pb-crypto/hostsoftware/hxbnm/src/hxbnm.cpp#L90
>>>>
>>>> On Thu, 21 May 2015 14:23:10 +0100
>>>> Simon Vincent <simon.vincent@xsilon.com> wrote:
>>>>
>>>>> What is the status of the crypto-layer? I can see a lot of crypto
>>>>> functionality in the mac layer but I can't work out how to setup
>>>>> the keys and enable encryption/authentication. Will this be part
>>>>> of the wpan-tools?
>>>>>
>>>>> - Simon
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>> linux-wpan" in the body of a message to majordomo@vger.kernel.org
>>>>> More majordomo info at
>>>>> http://vger.kernel.org/majordomo-info.html
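The zero-length span discussed in the quoted reply above, as an added user-space illustration (not part of the thread and not the kernel's llsec.c code): under the 802.15.4 security-level encoding, levels 1-3 only authenticate, so the span to encrypt is empty, and a segment list built for the cipher should leave that entry out instead of carrying a length of 0. `struct seg`, `struct layout`, `layout_for_level` and `build_segs` are hypothetical names, and the frame sizes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: one entry of a scatterlist-like list. */
struct seg { const uint8_t *buf; size_t len; };
struct layout { size_t assoc_len, crypt_len, mic_len; };

/* 802.15.4 security level: bit 2 = encrypt, bits 0-1 = MIC size (0/4/8/16). */
struct layout layout_for_level(unsigned level, size_t hdr_len, size_t payload_len)
{
    static const size_t mic[4] = { 0, 4, 8, 16 };
    struct layout l = { 0, 0, 0 };

    if (level == 0 || level > 7)
        return l;                       /* unsecured or invalid */
    l.mic_len = mic[level & 3];
    if (level & 4) {                    /* levels 4-7: payload is encrypted */
        l.crypt_len = payload_len;
        l.assoc_len = l.mic_len ? hdr_len : 0;  /* level 4 authenticates nothing */
    } else {                            /* levels 1-3: MIC only, nothing encrypted */
        l.assoc_len = hdr_len + payload_len;
    }
    return l;
}

/* Fill out[] for a frame laid out as header | payload | MIC room.
 * Zero-length spans are skipped, never emitted. Returns entries used. */
size_t build_segs(struct seg out[3], const uint8_t *frame, unsigned level,
                  size_t hdr_len, size_t payload_len)
{
    struct layout l = layout_for_level(level, hdr_len, payload_len);
    size_t n = 0;

    if (l.assoc_len)
        out[n++] = (struct seg){ frame, l.assoc_len };
    if (l.crypt_len)
        out[n++] = (struct seg){ frame + hdr_len, l.crypt_len };
    if (l.mic_len)
        out[n++] = (struct seg){ frame + hdr_len + payload_len, l.mic_len };
    return n;
}

int main(void)
{
    uint8_t frame[9 + 20 + 16] = { 0 };  /* constructed: 9-byte header, 20-byte payload */
    struct seg s[3];

    for (unsigned lvl = 1; lvl <= 7; lvl++)
        printf("level %u: %zu segment(s)\n", lvl, build_segs(s, frame, lvl, 9, 20));
    return 0;
}
```

In this model an encrypting level with an empty payload produces the same empty span, so the skip has to be driven by the computed length and not by the level alone.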