Date:	Mon, 28 Sep 2015 09:00:22 +0200
From:	Alexander Aring <alex.aring@...il.com>
To:	linux-wpan@...r.kernel.org
Cc:	kernel@...gutronix.de, netdev@...r.kernel.org,
	phoebe.buckheister@...m.fraunhofer.de,
	Alexander Aring <alex.aring@...il.com>
Subject: [PATCH bluetooth-next 0/4] ieee802154: add llsec support over nl802154

Hi,

this patch series will add llsec support for nl802154.

What is "llsec"?

The llsec (I suppose it stands for link-layer security) is part of the SoftMAC
implementation of 802.15.4, "net/mac802154/llsec.c". The 802.15.4 standard
describes a security mechanism over ACLs. The encryption/decryption is done by
llsec. To access llsec we need an interface for nl802154. The 802.15.4 standard
describes the PHY/MAC layer and we have "possible" similar paradigms like wireless
with SoftMAC and HardMAC drivers. (We don't support HardMAC transceivers right
now; I never had any HardMAC transceivers, they are really expensive and there are
only a few which can also run in a "raw" mode.) Anyway, the nl802154 should
access SoftMAC/HardMAC drivers to abstract "one interface to userspace".

These ACLs are known as "security tables" inside the MAC information base
(MIB) of the 802.15.4 standard, the security MIB.

The final goal we have in providing these tables to userspace is an "iptables"
handling of "store" and "restore", over the userspace application "iwpan", which
contains the general "framework mechanism" like the wireless "iw" tool; you can
then add/del entries on these security tables.

I haven't looked right now at how the iptables userspace application does "exactly"
the store and restore mechanism. The current way is a very KISS handling:

 We add netlink cmds to add/del the table entries. Over the dump callback
 it's possible to get all information, which is printed out as the command
 line string "iwpan dev $WPAN_DEV $TABLE add ...". The restore script will
 simply export the $WPAN_DEV variable to restore this configuration for a
 specific interface.

 I will send the userspace patches as well to netdev, maybe somebody wants
 to know what I did there for first support.

This sounds weird, but to support llsec somehow it is an acceptable use-case. The
final goal is to look up how iptables works and make a nicer C implementation.
There is currently no "officially supported" userspace tool which supports
accessing the "llsec".

I added several TODOs to the current implementation and added a new config:

CONFIG_IEEE802154_NL802154_EXPERIMENTAL

This config will not build the nl802154 llsec layer and reduce the MAX_ATTR
attribute of nl802154 interface. With this config I explicitly say this interface
over nl802154 is still in development and will be changed later.

The 802.15.4 subsystem is still in EXPERIMENTAL state, there was some commit
f4671a90c418b5aae14b61a9fc9d79c629403ca0 ("net/ieee802154: remove depends on
CONFIG_EXPERIMENTAL") which is fine but no maintainer ever said it's not
experimental anymore.

Checkpatch will complain about some lines above 80-chars width; at these places I
ignore these warnings, otherwise the code looks awful in my opinion.

My current working repository is still bluetooth-next/master. David, if
everything is fine, then please ack patch "[PATCH bluetooth-next 1/4]
netlink: add nla_get for le32 and le64", so Marcel can apply it. Thanks.

- Alex

Alexander Aring (4):
  netlink: add nla_get for le32 and le64
  nl802154: use nla_get_le64 for get extended addr
  nl802154: add support for security layer
  mac802154: add comments for llsec issues

 include/net/cfg802154.h         |  131 ++++
 include/net/ieee802154_netdev.h |   75 ---
 include/net/netlink.h           |   18 +
 include/net/nl802154.h          |  191 ++++++
 net/ieee802154/Kconfig          |    5 +
 net/ieee802154/core.c           |   12 +
 net/ieee802154/core.h           |    1 +
 net/ieee802154/nl802154.c       | 1320 ++++++++++++++++++++++++++++++++++++---
 net/ieee802154/rdev-ops.h       |  109 ++++
 net/mac802154/cfg.c             |  205 ++++++
 net/mac802154/rx.c              |    4 +
 net/mac802154/tx.c              |    4 +
 12 files changed, 1903 insertions(+), 172 deletions(-)

-- 
2.5.3
