Added supplicant PAE NVM storage

Stores and reads network related info (PAN ID, network name, GTKs) and key
information (PMK, PMK replay counter, PTK and BR EUI-64 used to derive PTK)
to/from file system.

Added PTK (PTKID) and PMK (PMKID) hashes to initial EAPOL-Key send by the
supplicant.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_bootstrap.c

@@ -1696,6 +1696,10 @@ static void ws_bootstrap_rpl_callback(rpl_event_t event, void *handle)
             tr_debug("Start EAPOL relay");
             // Set both own port and border router port to 10253
             ws_eapol_relay_start(cur, EAPOL_RELAY_SOCKET_PORT, dodag_info.dodag_id, EAPOL_RELAY_SOCKET_PORT);
+            // Set network information to PAE
+            ws_pae_controller_nw_info_set(cur, cur->ws_info->network_pan_id, cur->ws_info->network_name);
+            // Network key is valid
+            ws_pae_controller_nw_key_valid(cur);
         }
 
         ws_set_fhss_hop(cur);
@@ -2144,6 +2148,8 @@ static void ws_bootstrap_event_handler(arm_event_s *event)
 
             if (cur->bootsrap_mode == ARM_NWK_BOOTSRAP_MODE_6LoWPAN_BORDER_ROUTER) {
                 tr_debug("Border router start network");
+                ws_pae_controller_auth_init(cur);
+
                 // Randomize fixed channels. Only used if channel plan is fixed.
                 cur->ws_info->fhss_uc_fixed_channel = ws_randomize_fixed_channel(cur->ws_info->fhss_uc_fixed_channel, cur->ws_info->hopping_schdule.number_of_channels);
                 cur->ws_info->fhss_bc_fixed_channel = ws_randomize_fixed_channel(cur->ws_info->fhss_bc_fixed_channel, cur->ws_info->hopping_schdule.number_of_channels);
@@ -2178,6 +2184,8 @@ static void ws_bootstrap_event_handler(arm_event_s *event)
                 ws_pae_controller_authenticator_start(cur, PAE_AUTH_SOCKET_PORT, ll_addr, EAPOL_RELAY_SOCKET_PORT);
                 break;
             }
+            ws_pae_controller_supp_init(cur);
+
             // Configure LLC for network discovery
             ws_bootstrap_network_discovery_configure(cur);
             ws_bootstrap_fhss_activate(cur);
@@ -2282,7 +2290,7 @@ void ws_bootstrap_network_scan_process(protocol_interface_info_entry_t *cur)
     ws_bootstrap_network_information_learn(cur);
     ws_bootstrap_fhss_activate(cur);
 
-    ws_pae_controller_set_target(cur, cur->ws_info->parent_info.addr); // temporary!!! store since auth
+    ws_pae_controller_set_target(cur, cur->ws_info->parent_info.pan_id, cur->ws_info->parent_info.addr); // temporary!!! store since auth
     ws_bootstrap_event_authentication_start(cur);
     return;
 }

source/6LoWPAN/ws/ws_pae_auth.c

@@ -88,9 +88,9 @@ static void ws_pae_auth_kmp_api_finished(kmp_api_t *kmp);
 static int8_t tasklet_id = -1;
 static NS_LIST_DEFINE(pae_auth_list, pae_auth_t, link);
 
-int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs)
+int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs)
 {
-    if (!interface_ptr || !remote_addr || !gtks) {
+    if (!interface_ptr || !gtks || !certs) {
         return -1;
     }
 
@@ -128,10 +128,6 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t
         goto error;
     }
 
-    if (kmp_socket_if_register(pae_auth->kmp_service, local_port, remote_addr, remote_port) < 0) {
-        goto error;
-    }
-
     if (key_sec_prot_register(pae_auth->kmp_service) < 0) {
         goto error;
     }
@@ -173,6 +169,27 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t
     return -1;
 }
 
+int8_t ws_pae_auth_addresses_set(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port)
+{
+    if (!interface_ptr || !remote_addr) {
+        return -1;
+    }
+
+    pae_auth_t *pae_auth = ws_pae_auth_get(interface_ptr);
+    if (!pae_auth) {
+        return -1;
+    }
+    if (!pae_auth->kmp_service) {
+        return -1;
+    }
+
+    if (kmp_socket_if_register(pae_auth->kmp_service, local_port, remote_addr, remote_port) < 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
 int8_t ws_pae_auth_delete(protocol_interface_info_entry_t *interface_ptr)
 {
     if (!interface_ptr) {

source/6LoWPAN/ws/ws_pae_auth.h

@@ -50,7 +50,21 @@
  * \return >= 0 success
  *
  */
-int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs);
+int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs);
+
+/**
+ * ws_pae_auth_addresses_set set relay addresses
+ *
+ * \param interface_ptr interface
+ * \param local_port local port
+ * \param remote_addr remote address
+ * \param remote_port remote port
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_auth_addresses_set(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port);
 
 /**
  * ws_pae_auth_delete deletes PAE authenticator
@@ -73,7 +87,8 @@ void ws_pae_auth_timer(uint16_t ticks);
 
 #else
 
-#define ws_pae_auth_init(interface_ptr, local_port, remote_addr, remote_port, gtks, certs) 1
+#define ws_pae_auth_init(interface_ptr, gtks, certs) 1
+#define ws_pae_auth_addresses_set(interface_ptr, local_port, remote_addr, remote_port) 1
 #define ws_pae_auth_delete NULL
 #define ws_pae_auth_timer NULL
 

source/6LoWPAN/ws/ws_pae_controller.c

@@ -37,10 +37,14 @@
 
 typedef int8_t ws_pae_delete(protocol_interface_info_entry_t *interface_ptr);
 typedef void ws_pae_timer(uint16_t ticks);
+typedef int8_t ws_pae_br_addr_write(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64);
+typedef int8_t ws_pae_br_addr_read(protocol_interface_info_entry_t *interface_ptr, uint8_t *eui_64);
+
 
 typedef struct {
     ns_list_link_t link;                                 /**< Link */
     uint8_t target_eui_64[8];                            /**< EAPOL target */
+    uint16_t target_pan_id;                              /**< EAPOL target PAN ID */
     uint8_t br_eui_64[8];                                /**< Border router EUI-64 */
     sec_prot_gtk_keys_t gtks;                            /**< GTKs */
     sec_prot_certs_t certs;                              /**< Certificates */
@@ -49,6 +53,8 @@ typedef struct {
     ws_pae_controller_key_insert *key_insert;            /**< Key insert callback */
     ws_pae_delete *pae_delete;                           /**< PAE delete callback */
     ws_pae_timer *pae_timer;                             /**< PAE timer callback */
+    ws_pae_br_addr_write *pae_br_addr_write;             /**< PAE Border router EUI-64 write callback */
+    ws_pae_br_addr_read *pae_br_addr_read;               /**< PAE Border router EUI-64 read callback */
 } pae_controller_t;
 
 static void ws_pae_controller_test_keys_set(sec_prot_gtk_keys_t *gtks);
@@ -85,16 +91,7 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
         return -1;
     }
 
-    if (ws_pae_supp_init(controller->interface_ptr, &controller->certs) < 0) {
-        return -1;
-    }
-
-    controller->pae_delete = ws_pae_supp_delete;
-    controller->pae_timer = ws_pae_supp_timer;
-
-    ws_pae_supp_cb_register(controller->interface_ptr, controller->auth_completed, controller->key_insert);
-
-    if (ws_pae_supp_authenticate(controller->interface_ptr, controller->target_eui_64) > 0) {
+    if (ws_pae_supp_authenticate(controller->interface_ptr, controller->target_pan_id, controller->target_eui_64) == PAE_SUPP_NOT_ENABLED) {
         // Already authenticated
         ws_pae_controller_test_keys_set(&controller->gtks);
 
@@ -105,6 +102,14 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
         controller->auth_completed(interface_ptr, true);
     }
 
+    ///////////
+    // For now fixed since not yet support for EA-IE
+    const uint8_t addr[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+    if (controller->pae_br_addr_write) {
+        controller->pae_br_addr_write(interface_ptr, addr);
+    }
+    ////////////////
+
     return 0;
 }
 
@@ -124,18 +129,15 @@ int8_t ws_pae_controller_authenticator_start(protocol_interface_info_entry_t *in
 
     ws_pae_controller_test_keys_set(&controller->gtks);
 
-    if (ws_pae_auth_init(controller->interface_ptr, local_port, remote_addr, remote_port, &controller->gtks, &controller->certs) < 0) {
-        return -1;
-    }
-
-    controller->pae_delete = ws_pae_auth_delete;
-    controller->pae_timer = ws_pae_auth_timer;
-
     uint8_t index;
     uint8_t *gtk = sec_prot_keys_get_gtk_to_insert(&controller->gtks, &index);
 
     controller->key_insert(controller->interface_ptr, index, gtk);
 
+    if (ws_pae_auth_addresses_set(interface_ptr, local_port, remote_addr, remote_port) < 0) {
+        return -1;
+    }
+
     return 0;
 }
 
@@ -156,7 +158,7 @@ int8_t ws_pae_controller_cb_register(protocol_interface_info_entry_t *interface_
     return 0;
 }
 
-int8_t ws_pae_controller_set_target(protocol_interface_info_entry_t *interface_ptr, uint8_t *dest_eui_64)
+int8_t ws_pae_controller_set_target(protocol_interface_info_entry_t *interface_ptr, uint16_t target_pan_id, uint8_t *target_eui_64)
 {
     if (!interface_ptr) {
         return -1;
@@ -167,11 +169,43 @@ int8_t ws_pae_controller_set_target(protocol_interface_info_entry_t *interface_p
         return -1;
     }
 
-    memcpy(controller->target_eui_64, dest_eui_64, 8);
+    controller->target_pan_id = target_pan_id;
+    memcpy(controller->target_eui_64, target_eui_64, 8);
 
     return 0;
 }
 
+int8_t ws_pae_controller_nw_info_set(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name)
+{
+    (void) pan_id;
+    (void) network_name;
+
+    if (!interface_ptr) {
+        return -1;
+    }
+
+    pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
+    if (!controller) {
+        return -1;
+    }
+
+    return ws_pae_supp_nw_info_set(interface_ptr, pan_id, network_name);
+}
+
+int8_t ws_pae_controller_nw_key_valid(protocol_interface_info_entry_t *interface_ptr)
+{
+    if (!interface_ptr) {
+        return -1;
+    }
+
+    pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
+    if (!controller) {
+        return -1;
+    }
+
+    return ws_pae_supp_nw_key_valid(interface_ptr);
+}
+
 int8_t ws_pae_controller_init(protocol_interface_info_entry_t *interface_ptr)
 {
     if (!interface_ptr) {
@@ -194,6 +228,8 @@ int8_t ws_pae_controller_init(protocol_interface_info_entry_t *interface_ptr)
     controller->key_insert = NULL;
     controller->pae_delete = NULL;
     controller->pae_timer = NULL;
+    controller->pae_br_addr_write = NULL;
+    controller->pae_br_addr_read = NULL;
 
     sec_prot_keys_gtks_init(&controller->gtks);
     sec_prot_certs_init(&controller->certs);
@@ -203,6 +239,51 @@ int8_t ws_pae_controller_init(protocol_interface_info_entry_t *interface_ptr)
     return 0;
 }
 
+int8_t ws_pae_controller_supp_init(protocol_interface_info_entry_t *interface_ptr)
+{
+    if (!interface_ptr) {
+        return -1;
+    }
+
+    pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
+    if (!controller) {
+        return -1;
+    }
+
+    if (ws_pae_supp_init(controller->interface_ptr, &controller->certs) < 0) {
+        return -1;
+    }
+
+    controller->pae_delete = ws_pae_supp_delete;
+    controller->pae_timer = ws_pae_supp_timer;
+    controller->pae_br_addr_write = ws_pae_supp_border_router_addr_write;
+    controller->pae_br_addr_read = ws_pae_supp_border_router_addr_read;
+
+    ws_pae_supp_cb_register(controller->interface_ptr, controller->auth_completed, controller->key_insert);
+
+    return 0;
+}
+
+int8_t ws_pae_controller_auth_init(protocol_interface_info_entry_t *interface_ptr)
+{
+    if (!interface_ptr) {
+        return -1;
+    }
+
+    pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
+    if (!controller) {
+        return -1;
+    }
+
+    if (ws_pae_auth_init(controller->interface_ptr, &controller->gtks, &controller->certs) < 0) {
+        return -1;
+    }
+
+    controller->pae_delete = ws_pae_auth_delete;
+    controller->pae_timer = ws_pae_auth_timer;
+
+    return 0;
+}
 int8_t ws_pae_controller_stop(protocol_interface_info_entry_t *interface_ptr)
 {
     if (!interface_ptr) {
@@ -266,7 +347,7 @@ int8_t ws_pae_controller_certificate_chain_set(const arm_certificate_chain_entry
     return 0;
 }
 
-int8_t ws_pae_controller_border_router_addr_write(protocol_interface_info_entry_t *interface_ptr, uint8_t *eui_64)
+int8_t ws_pae_controller_border_router_addr_write(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64)
 {
     if (!interface_ptr || !eui_64) {
         return -1;
@@ -277,7 +358,11 @@ int8_t ws_pae_controller_border_router_addr_write(protocol_interface_info_entry_
         return -1;
     }
 
-    memcpy(controller->br_eui_64, eui_64, 8);
+    if (controller->pae_br_addr_write) {
+        return controller->pae_br_addr_write(interface_ptr, eui_64);
+    } else {
+        memcpy(controller->br_eui_64, eui_64, 8);
+    }
 
     return 0;
 
@@ -294,7 +379,11 @@ int8_t ws_pae_controller_border_router_addr_read(protocol_interface_info_entry_t
         return -1;
     }
 
-    memcpy(eui_64, controller->br_eui_64, 8);
+    if (controller->pae_br_addr_read) {
+        return controller->pae_br_addr_read(interface_ptr, eui_64);
+    } else {
+        memcpy(eui_64, controller->br_eui_64, 8);
+    }
 
     return 0;
 }