[Tinyos-help] Possible TinySec byteReceived bug
Victor Cionca
Victor.Cionca at ul.ie
Tue Dec 2 04:41:27 PST 2008
Hello,
I was examining the TinySec code and I stumbled on what I think is a
bug. Please correct me if I'm wrong.
In TinySecM, in TinySecRadio.byteReceived we have this code:
698 async event result_t TinySecRadio.byteReceived(uint8_t byte) {
699 int8_t macRecCount=-1, decryptRecCount=-1;
700 if(RxByteCnt < rxlength) {
701 // this branch statement is a hack for when we skip
702 // over the IV for non-encrypted packets. we add the TINYSEC_IV_SIZE
703 if(RxByteCnt == offsetof(struct TinySec_Msg,iv) && !rxdecrypt) {
704 RxByteCnt += TINYSEC_IV_LENGTH;
705 ((uint8_t *) ciphertext_rec_ptr)[(int)RxByteCnt] = byte;
706 RxByteCnt++;
707 macRecCount = ((RxByteCnt - TINYSEC_IV_LENGTH) & (blockSize-1)) +
708 TINYSEC_IV_LENGTH;
709 decryptRecCount = RxByteCnt - offsetof(struct TinySec_Msg,enc);
710 } else {
711 ((uint8_t *) ciphertext_rec_ptr)[(int)RxByteCnt] = byte;
712 RxByteCnt++;
713 macRecCount = RxByteCnt & (blockSize-1);
714 decryptRecCount = RxByteCnt - offsetof(struct TinySec_Msg,enc);
715 }
716 } else if(RxByteCnt < rxlength + TINYSEC_IV_LENGTH) {
717 ciphertext_rec_ptr->mac[RxByteCnt-rxlength] = byte;
718 RxByteCnt++;
719 }
On line 716 we check to see if we passed the payload part and should
start receiving the MAC. rxlength is computed as
rxlength = TINYSEC_MSG_DATA_SIZE-TINYSEC_MAC_LENGTH;
The test on line 716 will allow copying TINYSEC_IV_LENGTH bytes into the
mac. Because MAC and IV are both 4 bytes, this does not pose any
problems. However, if we use a MAC longer than than 4 bytes we will have
errors.
I think it should be
716 } else if(RxByteCnt < rxlength + TINYSEC_MAC_LENGTH) {
This repeats on line 814 of the same function which tests if the entire
MAC is received and ready to be verified against the computed MAC.
Again, forgive me if I am wrong.
Best regards,
Victor Cionca
More information about the Tinyos-help
mailing list