RPL: Basic security features implementation #1934

Open
wants to merge 25 commits into
base: master
from
36e6942
Secure Functions Declaration
Oct 11, 2016
b3b600d
Enable Security Mode and Set Preinstalled Key
Oct 19, 2016
5e4519a
Enable Security Mode and Set Preinstalled Key
Oct 19, 2016
1bcbd2d
dis_output security section added
Oct 22, 2016
0317ee4
dis_output security section added
Oct 22, 2016
1debb7a
RPLSEC: security part implemented in input and output functions
Oct 27, 2016
7c07043
RPL: Secure Mode implemented
Nov 8, 2016
387e703
RPL: Secure Mode implemented
Nov 8, 2016
7953311
RPL: Secure mode implemented
Nov 8, 2016
d6e22d0
RPL Secure Mode code adjustments
Nov 10, 2016
5685db9
RPL: code aligment compliant to contributing format
Nov 10, 2016
732f859
RPL: code alignment adjusts and some new comments inserted
Nov 11, 2016
75a4bd7
RPL Security features: Added example and README
Nov 11, 2016
6cb1741
RPL Security features: Updated README
Nov 11, 2016
6e2da82
Update comments
arenantonio92 Nov 14, 2016
421d6d5
Removed #include not useful for the implementation
arenantonio92 Nov 14, 2016
7525569
Push to trigger Travis
Nov 16, 2016
adecbfc
RPL: Security features bugfixes
Nov 16, 2016
8aa22bf
Code style and default values adjustments
Nov 30, 2016
b4f939e
Revert ccm-star library changes
Nov 30, 2016
2c18167
Update rpl-icmp6.c
arenantonio92 Mar 28, 2017
84e7f3e
Merge branch 'master' into master
arenantonio92 Mar 28, 2017
3982209
Solved Regression test problems.
arenantonio92 May 10, 2017
407c6ce
RPL: Light Replay Protection implemented
arenantonio92 May 25, 2017
781e16f
Merge pull request #1 from arenantonio92/master_opt
arenantonio92 May 29, 2017
Enable Security Mode and Set Preinstalled Key

Toni Toni
Toni authored and Toni committed Oct 19, 2016
commit b3b600d2db95738e22e672e9bbc0e4937ec15bee
@@ -338,4 +338,23 @@
#define RPL_DIS_START_DELAY 5
#endif

/*
* RPL Security
*/
#ifdef RPL_CONF_SECURITY
#define RPL_SECURITY RPL_CONF_SECURITY
#else /* Not enabled by user, disable security */
#define RPL_SECURITY 0
#endif

/*
* RPL Pre-installed key for Secure Mode
*/
#ifdef RPL_SECURITY_CONF_K
#define RPL_SECURITY_K RPL_SECURITY_CONF_K
#else
#define RPL_SECURITY_K { 0x36, 0x54, 0x69, 0x53, 0x43, 0x48, 0x20, 0x6D, 0x69, 0x6E, 0x69, 0x6D, 0x61, 0x6C, 0x31, 0x35 }
#endif


#endif /* RPL_CONF_H */
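Review bot: The fallback `RPL_SECURITY_K` in the `#else` branch is a fixed key compiled into every image that does not set `RPL_SECURITY_CONF_K`, and its bytes spell the ASCII string "6TiSCH minimal15", so a secure-mode build that relies on the default shares a key anyone can read out of this header, and the CCM* MAC and encryption it feeds then prove nothing about who sent a message. A default is fine for the example, but it should not pass silently into a build that turned security on; after the key block I would add `#if RPL_SECURITY && !defined(RPL_SECURITY_CONF_K)` / `#warning "RPL_SECURITY enabled with the default pre-installed key; set RPL_SECURITY_CONF_K"` / `#endif`, promoted to `#error` for production configurations. The comment on the key should also state that it must be exactly 16 bytes, which is what the aes-128/ccm-star includes elsewhere in this commit appear to require, so a wrongly sized override is caught in review rather than at runtime.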
@@ -244,7 +244,11 @@ rpl_dag_root_init_dag(void)
to_become_root = 1;

/* Send a DIS packet to request RPL info from neighbors. */
#if RPL_SECURE
dis_sec_output(NULL);
#else
dis_output(NULL);
#endif
}
/*---------------------------------------------------------------------------*/
int
@@ -817,7 +817,11 @@ rpl_select_dag(rpl_instance_t *instance, rpl_parent_t *p)
rpl_set_preferred_parent(instance->current_dag, NULL);
if(RPL_IS_STORING(instance) && last_parent != NULL) {
/* Send a No-Path DAO to the removed preferred parent. */
#if RPL_SECURE
dao_sec_output(last_parent, RPL_ZERO_LIFETIME);
#else
dao_output(last_parent, RPL_ZERO_LIFETIME);
#endif
}
return NULL;
}
@@ -829,7 +833,11 @@ rpl_select_dag(rpl_instance_t *instance, rpl_parent_t *p)
RPL_STAT(rpl_stats.parent_switch++);
if(RPL_IS_STORING(instance) && last_parent != NULL) {
/* Send a No-Path DAO to the removed preferred parent. */
#if RPL_SECURE
dao_sec_output(last_parent, RPL_ZERO_LIFETIME);
#else
dao_output(last_parent, RPL_ZERO_LIFETIME);
#endif
}
/* The DAO parent set changed - schedule a DAO transmission. */
RPL_LOLLIPOP_INCREMENT(instance->dtsn_out);
@@ -954,7 +962,11 @@ rpl_nullify_parent(rpl_parent_t *parent)
/* Send No-Path DAO only when nullifying preferred parent */
if(parent == dag->preferred_parent) {
if(RPL_IS_STORING(dag->instance)) {
#if RPL_SECURE
dao_sec_output(parent, RPL_ZERO_LIFETIME);
#else
dao_output(parent, RPL_ZERO_LIFETIME);
#endif
}
rpl_set_preferred_parent(dag, NULL);
}
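Review bot: Every guard added in this file tests `#if RPL_SECURE`, but the rpl-conf.h hunk of this same commit defines `RPL_SECURITY` (from `RPL_CONF_SECURITY`) and nothing in the commit defines `RPL_SECURE`; an undefined identifier evaluates to 0 in `#if`, so the `dis_sec_output`/`dao_sec_output` branches are never compiled and a build with `RPL_CONF_SECURITY=1` keeps sending unsecured DIS and No-Path DAO messages. Since the rpl-private.h hunk selects prototypes with `RPL_SECURITY` and hides `dao_output` in a secure build, the `#else` branches here would then also be calling a function with no visible prototype. The guards should read `#if RPL_SECURITY` (for example `#if RPL_SECURITY` / `dao_sec_output(last_parent, RPL_ZERO_LIFETIME);` / `#else`), and a single static wrapper doing that dispatch once would remove the four copies of the pattern. The enclosing functions `rpl_dag_root_init_dag`, `rpl_select_dag` and `rpl_nullify_parent` all start and end outside these hunks.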
@@ -48,7 +48,6 @@
#include "net/ip/tcpip.h"
#include "net/ipv6/uip-ds6.h"
#include "net/rpl/rpl-private.h"
#include "net/rpl/rpl-ns.h"
#include "net/packetbuf.h"

#define DEBUG DEBUG_NONE
@@ -513,7 +512,11 @@ update_hbh_header(void)
PRINTF("RPL generate No-Path DAO\n");
parent = rpl_get_parent((uip_lladdr_t *)packetbuf_addr(PACKETBUF_ADDR_SENDER));
if(parent != NULL) {
#if RPL_SECURE
dao_sec_output_target(parent, &UIP_IP_BUF->destipaddr, RPL_ZERO_LIFETIME);
#else
dao_output_target(parent, &UIP_IP_BUF->destipaddr, RPL_ZERO_LIFETIME);
#endif
}
/* Drop packet */
return 0;
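Review bot: The `#if RPL_SECURE` guard around the No-Path DAO in `update_hbh_header` tests a macro this commit never defines — rpl-conf.h introduces `RPL_SECURITY` — so the secure branch is dead and `dao_output_target` is always used, even though rpl-private.h stops declaring it once `RPL_SECURITY` is set. Change the guard to `#if RPL_SECURITY` so a secure build actually takes the secure path. `update_hbh_header` starts and ends outside the hunk.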
@@ -56,6 +56,12 @@
#include "net/ipv6/multicast/uip-mcast6.h"
#include "random.h"

/* Security Libraries for CCM with CBC-MAC */
#if RPL_SECURITY
#include "lib/ccm-star.h"
#include "lib/aes-128.h"
#endif

#include <limits.h>
#include <string.h>

@@ -73,15 +79,17 @@
#define UIP_ICMP_BUF ((struct uip_icmp_hdr *)&uip_buf[uip_l2_l3_hdr_len])
#define UIP_ICMP_PAYLOAD ((unsigned char *)&uip_buf[uip_l2_l3_icmp_hdr_len])
/*---------------------------------------------------------------------------*/

static void dis_input(void);
static void dio_input(void);
static void dao_input(void);
static void dao_ack_input(void);
static void dis_secure_input(void);
static void dio_secure_input(void);
static void dao_secure_input(void);
static void dao_ack_secure_input(void);
static void cc_secure_input(void);
static void dis_sec_input(void);
static void dio_sec_input(void);
static void dao_sec_input(void);
static void dao_ack_sec_input(void);
static void cc_input(void);


static void dao_output_target_seq(rpl_parent_t *parent, uip_ipaddr_t *prefix,
uint8_t lifetime, uint8_t seq_no);
@@ -101,11 +109,19 @@ static uint8_t dao_sequence = RPL_LOLLIPOP_INIT;
static uip_mcast6_route_t *mcast_group;
#endif
/*---------------------------------------------------------------------------*/
/* Initialise RPL ICMPv6 message handlers */
/* Initialize RPL ICMPv6 message handlers */
#if RPL_SECURITY
UIP_ICMP6_HANDLER(dis_sec_handler, ICMP6_RPL, RPL_CODE_SEC_DIS, dis_sec_input);
UIP_ICMP6_HANDLER(dio_sec_handler, ICMP6_RPL, RPL_CODE_SEC_DIO, dio_sec_input);
UIP_ICMP6_HANDLER(dao_sec_handler, ICMP6_RPL, RPL_CODE_SEC_DAO, dao_sec_input);
UIP_ICMP6_HANDLER(dao_ack_sec_handler, ICMP6_RPL, RPL_CODE_DAO_ACK, dao_ack_sec_input);
UIP_ICMP6_HANDLER(cc_handler, ICMP6_RPL, RPL_CODE_CC, cc_input)
#else
UIP_ICMP6_HANDLER(dis_handler, ICMP6_RPL, RPL_CODE_DIS, dis_input);
UIP_ICMP6_HANDLER(dio_handler, ICMP6_RPL, RPL_CODE_DIO, dio_input);
UIP_ICMP6_HANDLER(dao_handler, ICMP6_RPL, RPL_CODE_DAO, dao_input);
UIP_ICMP6_HANDLER(dao_ack_handler, ICMP6_RPL, RPL_CODE_DAO_ACK, dao_ack_input);
#endif
/*---------------------------------------------------------------------------*/

#if RPL_WITH_DAO_ACK
@@ -290,6 +306,25 @@ dis_output(uip_ipaddr_t *addr)
}
/*---------------------------------------------------------------------------*/
static void
dis_sec_output(uip_ipaddr_t *addr)
{

/* RPL Security Section
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* |T| Reserved | Algorithm |KIM|Resvd| LVL | Flags |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | Counter |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | |
* . Key Identifier .
* . .
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
}
/*---------------------------------------------------------------------------*/
static void
dio_input(void)
{
unsigned char *buffer;
@@ -1370,10 +1405,18 @@ dao_ack_output(rpl_instance_t *instance, uip_ipaddr_t *dest, uint8_t sequence,
void
rpl_icmp6_register_handlers()
{
#ifndef RPL_SEC_MESSAGES /* Unsecure RPL messages */
uip_icmp6_register_input_handler(&dis_handler);
uip_icmp6_register_input_handler(&dio_handler);
uip_icmp6_register_input_handler(&dao_handler);
uip_icmp6_register_input_handler(&dao_ack_handler);
#else /* Secure RPL messages */
uip_icmp6_register_input_handler(&dis_sec_handler);
uip_icmp6_register_input_handler(&dio_sec_handler);
uip_icmp6_register_input_handler(&dao_sec_handler);
uip_icmp6_register_input_handler(&dao_ack_sec_handler);
uip_icmp6_register_input_handler(&cc_handler);
#endif
}
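Review bot: In the secure handler table, `dao_ack_sec_handler` is bound to `RPL_CODE_DAO_ACK` rather than `RPL_CODE_SEC_DAO_ACK` (0x83, defined in the rpl-private.h hunk of this commit), so a secure build feeds unsecured DAO-ACKs (code 0x03) into the secure parser and never dispatches secure ones; it should read `UIP_ICMP6_HANDLER(dao_ack_sec_handler, ICMP6_RPL, RPL_CODE_SEC_DAO_ACK, dao_ack_sec_input);`. The `cc_handler` entry below it lacks the trailing `;` the other entries carry, which is likely a compile error depending on how `UIP_ICMP6_HANDLER` expands. `rpl_icmp6_register_handlers` then picks the table with `#ifndef RPL_SEC_MESSAGES`, a third spelling alongside `RPL_SECURITY` (the table) and `RPL_SECURE` (the callers), so with `RPL_CONF_SECURITY=1` the secure handler objects exist but the unsecured, now-undefined ones are registered; both sites should test `#if RPL_SECURITY`. The forward declarations also list both `dis_secure_input` and `dis_sec_input` (likewise for dio/dao/dao_ack, and `cc_secure_input` next to `cc_input`) while only the `_sec_` names are used, and `dis_sec_output` is an empty stub, so a secure node currently sends nothing when it needs to solicit a DIO — that deserves at least a `/* TODO: build and send the secure DIS */` comment.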
/*---------------------------------------------------------------------------*/

@@ -77,6 +77,7 @@
#define RPL_CODE_SEC_DIO 0x81 /* Secure DIO */
#define RPL_CODE_SEC_DAO 0x82 /* Secure DAO */
#define RPL_CODE_SEC_DAO_ACK 0x83 /* Secure DAO ACK */
#define RPL_CODE_CC 0x8A /* Consistency Check */

/* RPL control message options. */
#define RPL_OPTION_PAD1 0
@@ -339,11 +340,20 @@ extern rpl_instance_t instance_table[];
extern rpl_instance_t *default_instance;

/* ICMPv6 functions for RPL. */
#if RPL_SECURITY
void dis_sec_output(uip_ipaddr_t *addr);
void dio_sec_output(rpl_instance_t *, uip_ipaddr_t *uc_addr);
void dao_sec_output(rpl_parent_t *, uint8_t lifetime);
void dao_sec_output_target(rpl_parent_t *, uip_ipaddr_t *, uint8_t lifetime);
void dao_ack_sec_output(rpl_instance_t *, uip_ipaddr_t *, uint8_t, uint8_t);
void cc_output(rpl_instance_t *, uip_ipaddr_t *uc_addr);
#else
void dis_output(uip_ipaddr_t *addr);
void dio_output(rpl_instance_t *, uip_ipaddr_t *uc_addr);
void dao_output(rpl_parent_t *, uint8_t lifetime);
void dao_output_target(rpl_parent_t *, uip_ipaddr_t *, uint8_t lifetime);
void dao_ack_output(rpl_instance_t *, uip_ipaddr_t *, uint8_t, uint8_t);
#endif /* RPL_SECURITY */
void rpl_icmp6_register_handlers(void);
uip_ds6_nbr_t *rpl_icmp6_update_nbr_table(uip_ipaddr_t *from,
nbr_table_reason_t r, void *data);
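Review bot: `dis_sec_output` is declared here with external linkage, but its definition in the rpl-icmp6.c hunk of this commit is `static void dis_sec_output(uip_ipaddr_t *addr)`; a static definition following an extern declaration is a constraint violation that compilers reject, so drop `static` on the definition (the remaining `*_sec_output` functions will need the same care when they are added). The `#if RPL_SECURITY … #else … #endif` split also removes the `dis_output`/`dao_output` prototypes from a secure build while every caller in this commit selects the secure variant with `#if RPL_SECURE`, which nothing defines, so those callers would compile against implicit declarations; either declare both families unconditionally or make the callers test `RPL_SECURITY`. `cc_output` has no unsecured counterpart, which is consistent with RFC 6550 defining the Consistency Check only as a secured message, but a one-line comment would save the next reader the lookup: `/* CC is only ever sent as a secured RPL message (RFC 6550 section 6.6) */`.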
@@ -99,7 +99,11 @@ handle_periodic_timer(void *ptr)
next_dis++;
if(dag == NULL && next_dis >= RPL_DIS_INTERVAL) {
next_dis = 0;
#if RPL_SECURE
dis_sec_output(NULL);
#else
dis_output(NULL);
#endif /* RPL_SECURE */
}
#endif
ctimer_reset(&periodic_timer);
@@ -178,7 +182,12 @@ handle_dio_timer(void *ptr)
#if RPL_CONF_STATS
instance->dio_totsend++;
#endif /* RPL_CONF_STATS */
#if RPL_SECURE
dio_sec_output(instance, NULL);
#else
dio_output(instance, NULL);
#endif /* RPL_SECURE */

} else {
PRINTF("RPL: Suppressing DIO transmission (%d >= %d)\n",
instance->dio_counter, instance->dio_redundancy);
@@ -273,17 +282,25 @@ handle_dao_timer(void *ptr)
if(instance->current_dag->preferred_parent != NULL) {
PRINTF("RPL: handle_dao_timer - sending DAO\n");
/* Set the route lifetime to the default value. */
#if RPL_SECURE
dao_sec_output(instance->current_dag->preferred_parent, instance->default_lifetime);
#else
dao_output(instance->current_dag->preferred_parent, instance->default_lifetime);

#endif /* RPL_SECURE */
#if RPL_WITH_MULTICAST
/* Send DAOs for multicast prefixes only if the instance is in MOP 3 */
if(instance->mop == RPL_MOP_STORING_MULTICAST) {
/* Send a DAO for own multicast addresses */
for(i = 0; i < UIP_DS6_MADDR_NB; i++) {
if(uip_ds6_if.maddr_list[i].isused
&& uip_is_addr_mcast_global(&uip_ds6_if.maddr_list[i].ipaddr)) {
dao_output_target(instance->current_dag->preferred_parent,
#if RPL_SECURE
dao_sec_output_target(instance->current_dag->preferred_parent,
&uip_ds6_if.maddr_list[i].ipaddr, RPL_MCAST_LIFETIME);
#else
dao_output_target(instance->current_dag->preferred_parent,
&uip_ds6_if.maddr_list[i].ipaddr, RPL_MCAST_LIFETIME);
#endif /* RPL_SECURE */
}
}

@@ -292,8 +309,13 @@ handle_dao_timer(void *ptr)
while(mcast_route != NULL) {
/* Don't send if it's also our own address, done that already */
if(uip_ds6_maddr_lookup(&mcast_route->group) == NULL) {
dao_output_target(instance->current_dag->preferred_parent,
#if RPL_SECURE
dao_sec_output_target(instance->current_dag->preferred_parent,
&mcast_route->group, RPL_MCAST_LIFETIME);
#else
dao_output_target(instance->current_dag->preferred_parent,
&mcast_route->group, RPL_MCAST_LIFETIME);
#endif /* RPL_SECURE */
}
mcast_route = list_item_next(mcast_route);
}
@@ -365,7 +387,11 @@ handle_unicast_dio_timer(void *ptr)
uip_ipaddr_t *target_ipaddr = rpl_get_parent_ipaddr(instance->unicast_dio_target);

if(target_ipaddr != NULL) {
dio_output(instance, target_ipaddr);
#if RPL_SECURE
dio_sec_output(instance, target_ipaddr);
#else
dio_output(instance, target_ipaddr);
#endif /* RPL_SECURE */
}
}
/*---------------------------------------------------------------------------*/
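Review bot: All five new guards in this file test `#if RPL_SECURE`, which this commit never defines (rpl-conf.h defines `RPL_SECURITY`), so the `_sec_` calls are dead and the periodic DIS, DIO and DAO transmissions remain unsecured even with `RPL_CONF_SECURITY=1`; switch them to `#if RPL_SECURITY`. In `handle_dao_timer` the rendered view shows a bare `dao_output_target(instance->current_dag->preferred_parent,` immediately before each `#if RPL_SECURE`; if that is a surviving old line rather than a removed one it is a syntax error, worth confirming against the raw diff. The enclosing timer handlers all start and end outside these hunks.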
@@ -93,7 +93,11 @@ rpl_set_mode(enum rpl_mode m)
if(default_instance != NULL) {
PRINTF("rpl_set_mode: RPL sending DAO with zero lifetime\n");
if(default_instance->current_dag != NULL) {
#if RPL_SECURE
dao_sec_output(default_instance->current_dag->preferred_parent, RPL_ZERO_LIFETIME);
#else
dao_output(default_instance->current_dag->preferred_parent, RPL_ZERO_LIFETIME);
#endif /* RPL_SECURE */
}
rpl_cancel_dao(default_instance);
} else {
@@ -149,7 +153,11 @@ rpl_purge_routes(void)
/* Propagate this information with a No-Path DAO to preferred parent if we are not a RPL Root */
if(dag->rank != ROOT_RANK(default_instance)) {
PRINTF(" -> generate No-Path DAO\n");
#if RPL_SECURE
dao_sec_output_target(dag->preferred_parent, &prefix, RPL_ZERO_LIFETIME);
#else
dao_output_target(dag->preferred_parent, &prefix, RPL_ZERO_LIFETIME);
#endif /* RPL_SECURE */
/* Don't schedule more than 1 No-Path DAO, let next iteration handle that */
return;
}
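Review bot: Both guards here (`rpl_set_mode` and `rpl_purge_routes`) use `#if RPL_SECURE`, a macro this commit does not define, so the `dao_sec_output`/`dao_sec_output_target` branches are never built and a secure node still emits unsecured No-Path DAOs; use `#if RPL_SECURITY`, the name the rpl-conf.h hunk introduces. Both enclosing functions start and end outside the hunks.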