Security Extension: http://arxiv.org/abs/1603.00707

COPYRIGHT

@@ -1,4 +1,7 @@
 /*-
+ * Copyright (c) 2015-2016 Eyal Itkin (TAU),
+ *                         Avishai Wool (TAU),
+ *                         In accordance to http://arxiv.org/abs/1603.00707 .
  * Copyright (c) 2015      Wojciech Owczarek.
  * Copyright (c) 2014      Perseus Telecom.
  * Copyright (c) 2013-2014 Harlan Stenn,

README - Security Extension.md

@@ -0,0 +1,35 @@
+A joint work of Eyal Itkin and Avishai Wool, TAU, suggests a new security extension to the IEEE 1588 (v2) protocol. The work was suggested to the official IEEE 1588 work group, and can be found in details at: http://arxiv.org/abs/1603.00707.
+
+During the work we implemented our proposal over the PTPd implementation, and made a list of changes to it.
+
+Our changes are:
+0. Init srand from /dev/urandom instead of MAC address (SEC_EXT_SEED_RANDOM)
+
+1. Init clock ID from network source (SEC_EXT_BIND_CLOCK_ID_TO_NET_ID)
+1.1. UDP / IP :         4 bytes IP | 2 bytes port
+1.2. 802.1 (Ethernet)   6 bytes MAC address
+
+2. Check receive clock ID against network ID (SEC_EXT_BIND_CLOCK_ID_TO_NET_ID)
+2.1. Save receive MAC in 802.1 mode
+2.2. Cmp net id to clock id right after header unpacking
+
+3. Set up random sequence ID seed for request msgs (msg packing) (SEC_EXT_RANDOMIZE_SEQ_NUM)
+3.1. Delay Reuqest
+3.2. Peer Delay Request
+
+4. Enlarge the sequence numbers of requests to 4 bytes (SEC_EXT_USE_RESERVE_SEQUENCE)
+4.1. Used 2 bytes of reserved as the 2 MSBs of the sequence numbers
+4.1.1. Packing of msgs
+4.1.2. Unpacking of msgs
+4.2. Sequence checks update
+4.3. Data set structure update
+
+5. Added a freshness check (window bounds check) for all master msgs in their recv
+5.1. Sync
+5.2. Announce
+
+6. Added length check against the header.messageLength field (SEC_EXT_CHECK_LENGTH)
+
+7. Minor bug fixes (reserved zeroing)
+
+8. Crypto Extensions (SEC_EXT_CRYPTO)

configure.ac

@@ -684,6 +684,31 @@ case "$enable_daemon" in
 esac
 AC_SUBST(PTP_DAEMON)
 
+ptpd_crypto=0
+AC_MSG_CHECKING([for security extension])
+AC_ARG_ENABLE(
+    [sec_ext_fix],
+    [AS_HELP_STRING(
+	[--disable-sec_ext_fix (disables Security Extension Thesis changes)],
+	[Disables thesis changes mode]
+    )],
+    [],
+    [sec_ext_fix=yes]
+)
+AC_MSG_RESULT([$sec_ext_fix])
+case "$sec_ext_fix" in
+ yes)
+    CPPFLAGS="$CPPFLAGS -DSEC_EXT_BIND_CLOCK_ID_TO_NET_ID -DSEC_EXT_RANDOMIZE_SEQ_NUM -DSEC_EXT_SEED_RANDOM -DSEC_EXT_USE_RESERVE_SEQUENCE -DSEC_EXT_LENGTH_CHECK -DSEC_EXT_CRYPTO -I'dep/crypto/wolfssl-3.8.0'"
+    MY_LOCATION=`pwd`
+    LDFLAGS="$LDFLAGS -L'dep/crypto'"
+	ptpd_crypto=1
+    LIBS="$LIBS -lwolf"
+	;;
+	AC_CONFIG_COMMANDS_POST([cd src/dep/crypto/wolfssl-3.8.0; ./configure --enable-static --enable-ed25519; cd ../../../..])
+esac
+AC_SUBST(SEC_EXT_THESIS)
+AM_CONDITIONAL([PTP_CRYPTO], [test x$ptpd_crypto = x1])
+
 AC_MSG_CHECKING([for experimental options])
 AC_ARG_ENABLE(
     [experimental-options],

src/Makefile.am

@@ -59,6 +59,8 @@ ptpd2_SOURCES =				\
 	dep/ntpengine/ntp_isc_md5.h	\
 	dep/ntpengine/ntpdcontrol.c	\
 	dep/ntpengine/ntpdcontrol.h	\
+	dep/crypto/enc.c	\
+	dep/crypto/enc.h	\
 	timingdomain.h			\
 	timingdomain.c			\
 	dep/alarms.h			\
@@ -67,6 +69,11 @@ ptpd2_SOURCES =				\
 	ptpd.h				\
 	$(NULL)
 
+# CRYPTO
+if PTP_CRYPTO
+SUBDIRS = dep/crypto
+endif
+
 # SNMP
 if SNMP
 ptpd2_SOURCES += dep/snmp.c