Merge pull request #1994 from ARMmbed/enable_eapol

Mika Leppänen · web-flow · commit 74dc5312ae27 · 2019-03-13T11:51:01.000+02:00
Enable EAPOL flags
diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -361,7 +361,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
         // If active GTK lifetime is larger than revocation lifetime decrements active GTK lifetime
         if (active_lifetime > revocation_lifetime) {
             sec_prot_keys_gtk_lifetime_decrement(pae_auth->gtks, active_index, active_lifetime - revocation_lifetime);
-            tr_info("Access revocation start, GTK active index: %i, revoked lifetime: %i", active_index, revocation_lifetime);
+            tr_info("Access revocation start, GTK active index: %i, revoked lifetime: %"PRIu32"", active_index, revocation_lifetime);
         } else {
             // Otherwise decrements lifetime of the GTK to be installed after the active one
             int8_t second_index = sec_prot_keys_gtk_install_order_second_index_get(pae_auth->gtks);
@@ -372,7 +372,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
                 uint32_t second_lifetime = sec_prot_keys_gtk_lifetime_get(pae_auth->gtks, second_index);
                 if (second_lifetime > second_revocation_lifetime) {
                     sec_prot_keys_gtk_lifetime_decrement(pae_auth->gtks, second_index, second_lifetime - second_revocation_lifetime);
-                    tr_info("Access revocation start, GTK second active index: %i, revoked lifetime: %i", second_index, second_revocation_lifetime);
+                    tr_info("Access revocation start, GTK second active index: %i, revoked lifetime: %"PRIu32"", second_index, second_revocation_lifetime);
                 }
                 // Removes other keys than active and GTK to be installed next
                 not_removed_index = second_index;
@@ -547,11 +547,11 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
                     if (pae_auth->gtk_new_inst_req_exp) {
                         int8_t second_index = sec_prot_keys_gtk_install_order_second_index_get(pae_auth->gtks);
                         if (second_index < 0) {
-                            tr_info("GTK new install required active index: %i, time: %i, system time: %i", active_index, timer_seconds, protocol_core_monotonic_time / 10);
+                            tr_info("GTK new install required active index: %i, time: %"PRIu32", system time: %"PRIu32"", active_index, timer_seconds, protocol_core_monotonic_time / 10);
                             ws_pae_auth_gtk_key_insert(pae_auth);
                             ws_pae_auth_network_keys_from_gtks_set(pae_auth);
                         } else {
-                            tr_info("GTK new install already done; second index: %i, time: %i, system time: %i", second_index, timer_seconds, protocol_core_monotonic_time / 10);
+                            tr_info("GTK new install already done; second index: %i, time: %"PRIu32", system time: %"PRIu32"", second_index, timer_seconds, protocol_core_monotonic_time / 10);
                         }
                     }
                 }
@@ -560,7 +560,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
                     pae_auth->gtk_new_act_time_exp =  ws_pae_timers_gtk_new_activation_time(pae_auth->timer_settings, timer_seconds);
                     if (pae_auth->gtk_new_act_time_exp) {
                         int8_t new_active_index = ws_pae_auth_new_gtk_activate(pae_auth);
-                        tr_info("GTK new activation time active index: %i, time: %i, new index: %i, system time: %i", active_index, timer_seconds, new_active_index, protocol_core_monotonic_time / 10);
+                        tr_info("GTK new activation time active index: %i, time: %"PRIu32", new index: %i, system time: %"PRIu32"", active_index, timer_seconds, new_active_index, protocol_core_monotonic_time / 10);
                         if (new_active_index >= 0) {
                             ws_pae_auth_network_key_index_set(pae_auth, new_active_index);
                         }
@@ -571,7 +571,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
             }
 
             if (timer_seconds == 0) {
-                tr_info("GTK expired index: %i, system time: %i", i, protocol_core_monotonic_time / 10);
+                tr_info("GTK expired index: %i, system time: %"PRIu32"", i, protocol_core_monotonic_time / 10);
                 ws_pae_auth_gtk_clear(pae_auth, i);
                 ws_pae_auth_network_keys_from_gtks_set(pae_auth);
             }
@@ -621,7 +621,7 @@ static void ws_pae_auth_gtk_key_insert(pae_auth_t *pae_auth)
     // Authenticator keys are always fresh
     sec_prot_keys_gtk_status_all_fresh_set(pae_auth->gtks);
 
-    tr_info("GTK install new index: %i, lifetime: %i", install_index, lifetime);
+    tr_info("GTK install new index: %i, lifetime: %"PRIu32"", install_index, lifetime);
 }
 
 static int8_t ws_pae_auth_new_gtk_activate(pae_auth_t *pae_auth)
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -763,7 +763,7 @@ int8_t ws_pae_controller_gtk_update(int8_t interface_id, uint8_t *gtk[4])
             uint32_t lifetime = sec_prot_keys_gtk_install_order_last_lifetime_get(&controller->gtks);
             lifetime += controller->timer_settings.gtk_expire_offset;
             if (sec_prot_keys_gtk_set(&controller->gtks, i, gtk[i], lifetime) >= 0) {
-                tr_info("GTK set index: %i, lifetime %"PRIx32", system time: %"PRIx32"", i, lifetime, protocol_core_monotonic_time / 10);
+                tr_info("GTK set index: %i, lifetime %"PRIu32", system time: %"PRIu32"", i, lifetime, protocol_core_monotonic_time / 10);
             }
         }
     }
diff --git a/source/6LoWPAN/ws/ws_pae_lib.c b/source/6LoWPAN/ws/ws_pae_lib.c
@@ -213,10 +213,10 @@ void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, timer_settin
 {
     ns_list_foreach(supp_entry_t, entry, supp_list) {
         if (sec_prot_keys_pmk_lifetime_decrement(&entry->sec_keys, timer_settings->pmk_lifetime, seconds)) {
-            tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
+            tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
         }
         if (sec_prot_keys_ptk_lifetime_decrement(&entry->sec_keys, timer_settings->ptk_lifetime, seconds)) {
-            tr_info("PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
+            tr_info("PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);
         }
     }
 
diff --git a/source/6LoWPAN/ws/ws_pae_timers.c b/source/6LoWPAN/ws/ws_pae_timers.c
@@ -117,7 +117,7 @@ static void ws_pae_timers_calculate(timer_settings_t *timer_settings)
         time_to_update = gtk_revocation_lifetime - new_activation_time;
     }
 
-    tr_info("Key timers revocation lifetime: %"PRIx32", new activation time: %"PRIx32", max mismatch %i, time to update: %"PRIx32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);
+    tr_info("Key timers revocation lifetime: %"PRIu32", new activation time: %"PRIu32", max mismatch %i, time to update: %"PRIu32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);
 
     // If time to update results smaller GTK request Imax use it for calculation otherwise use GTK max mismatch
     if (time_to_update < timer_settings->gtk_max_mismatch) {
diff --git a/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c
@@ -272,7 +272,7 @@ static void auth_eap_tls_sec_prot_tls_finished_indication(sec_prot_t *tls_prot,
 
     if (result == SEC_RESULT_OK) {
         data->tls_result = EAP_TLS_RESULT_HANDSHAKE_OVER;
-        tr_error("EAP-TLS: handshake success");
+        tr_info("EAP-TLS: handshake success");
     } else if (result == SEC_RESULT_CONF_ERROR) {
         data->tls_result = EAP_TLS_RESULT_HANDSHAKE_FATAL_ERROR;
         tr_error("EAP-TLS: handshake fatal error");
diff --git a/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c
@@ -281,7 +281,7 @@ static void supp_eap_tls_sec_prot_tls_finished_indication(sec_prot_t *tls_prot,
 
     if (result == SEC_RESULT_OK) {
         data->tls_result = EAP_TLS_RESULT_HANDSHAKE_OVER;
-        tr_error("EAP-TLS: handshake success");
+        tr_info("EAP-TLS: handshake success");
     } else if (result == SEC_RESULT_CONF_ERROR) {
         data->tls_result = EAP_TLS_RESULT_HANDSHAKE_FATAL_ERROR;
         tr_error("EAP-TLS: handshake fatal error");
diff --git a/source/Security/protocols/fwh_sec_prot/supp_fwh_sec_prot.c b/source/Security/protocols/fwh_sec_prot/supp_fwh_sec_prot.c
@@ -86,7 +86,7 @@ static int8_t supp_fwh_sec_prot_init(sec_prot_t *prot);
 static void supp_fwh_sec_prot_create_response(sec_prot_t *prot, sec_prot_result_e result);
 static void supp_fwh_sec_prot_delete(sec_prot_t *prot);
 static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t size);
-static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
+static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(sec_prot_t *prot, eapol_pdu_t *eapol_pdu);
 static void supp_fwh_sec_prot_state_machine(sec_prot_t *prot);
 
 static int8_t supp_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg);
@@ -96,6 +96,7 @@ static int8_t supp_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *
 static int8_t supp_fwh_sec_prot_mic_validate(sec_prot_t *prot);
 
 static void supp_fwh_sec_prot_recv_replay_counter_store(sec_prot_t *prot);
+static uint64_t supp_fwh_sec_prot_recv_replay_counter_get(sec_prot_t *prot);
 static void supp_fwh_sec_prot_anonce_store(sec_prot_t *prot);
 static int8_t supp_fwh_sec_prot_anonce_validate(sec_prot_t *prot);
 static void supp_fwh_sec_prot_security_replay_counter_update(sec_prot_t *prot);
@@ -137,6 +138,7 @@ static int8_t supp_fwh_sec_prot_init(sec_prot_t *prot)
 
     data->common.ticks = 30 * 10; // 30 seconds
     data->msg3_retry_wait = false;
+    data->recv_replay_cnt = 0;
 
     uint8_t eui64[8] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
     sec_prot_lib_nonce_init(data->snonce, eui64, 1000);
@@ -167,7 +169,7 @@ static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
     // Decoding is successful
     if (eapol_parse_pdu_header(pdu, size, &data->recv_eapol_pdu)) {
         // Get message
-        data->recv_msg = supp_fwh_sec_prot_message_get(&data->recv_eapol_pdu, prot->sec_keys);
+        data->recv_msg = supp_fwh_sec_prot_message_get(prot, &data->recv_eapol_pdu);
         if (data->recv_msg != FWH_MESSAGE_UNKNOWN) {
             tr_info("4WH: recv %s", data->recv_msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3");
 
@@ -191,7 +193,7 @@ static int8_t supp_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
     return ret_val;
 }
 
-static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys)
+static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(sec_prot_t *prot, eapol_pdu_t *eapol_pdu)
 {
     fwh_sec_prot_msg_e msg = FWH_MESSAGE_UNKNOWN;
 
@@ -203,17 +205,23 @@ static fwh_sec_prot_msg_e supp_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
     uint8_t key_mask = sec_prot_lib_key_mask_get(eapol_pdu);
 
     switch (key_mask) {
+        // Message 1
         case KEY_INFO_KEY_ACK:
-            // Must have valid replay counter
-            if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
+            /* Must have valid replay counter, both larger for PMK and larger that is used on
+             * the four way handshake session (note: PMK replay counter is not updated for Message 1
+             * but session specific counter is)
+             */
+            if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys) &&
+                    eapol_pdu->msg.key.replay_counter > supp_fwh_sec_prot_recv_replay_counter_get(prot)) {
                 msg = FWH_MESSAGE_1;
             } else {
                 tr_error("4WH: invalid replay counter %"PRId64, eapol_pdu->msg.key.replay_counter);
             }
             break;
+        // Message 3
         case KEY_INFO_INSTALL | KEY_INFO_KEY_ACK | KEY_INFO_KEY_MIC | KEY_INFO_SECURED_KEY_FRAME:
             // Must have valid replay counter
-            if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
+            if (eapol_pdu->msg.key.replay_counter > sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys)) {
                 if (eapol_pdu->msg.key.key_information.encrypted_key_data) {
                     // This should include the GTK KDE, Lifetime KDE and GTKL KDE.
                     // At least some of them should be present
@@ -346,6 +354,7 @@ static void supp_fwh_sec_prot_state_machine(sec_prot_t *prot)
                 // Send 4WH message 2
                 supp_fwh_sec_prot_message_send(prot, FWH_MESSAGE_2);
                 data->common.ticks = 30 * 10; // 30 seconds
+                return;
             } else if (data->recv_msg != FWH_MESSAGE_3) {
                 return;
             }
@@ -467,6 +476,12 @@ static void supp_fwh_sec_prot_recv_replay_counter_store(sec_prot_t *prot)
     data->recv_replay_cnt = data->recv_eapol_pdu.msg.key.replay_counter;
 }
 
+static uint64_t supp_fwh_sec_prot_recv_replay_counter_get(sec_prot_t *prot)
+{
+    fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
+    return data->recv_replay_cnt;
+}
+
 static void supp_fwh_sec_prot_anonce_store(sec_prot_t *prot)
 {
     fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
diff --git a/source/Security/protocols/sec_prot.h b/source/Security/protocols/sec_prot.h
@@ -217,6 +217,8 @@ typedef sec_prot_t *sec_prot_by_type_get(sec_prot_t *prot, uint8_t type);
  */
 typedef void sec_prot_receive_disable(sec_prot_t *prot);
 
+typedef struct sec_prot_int_data_s sec_prot_int_data_t;
+
 // Security protocol data
 struct sec_prot_s {
     sec_prot_create_request       *create_req;           /**< Create request */
@@ -246,7 +248,7 @@ struct sec_prot_s {
 
     sec_prot_keys_t               *sec_keys;             /**< Security keys storage pointer */
     uint8_t                       header_size;           /**< Header size */
-    uint8_t                       data;                  /**< Protocol internal data */
+    sec_prot_int_data_t           *data;                 /**< Protocol internal data */
 };
 
 #endif /* SEC_PROT_H_ */
diff --git a/source/Security/protocols/sec_prot_keys.c b/source/Security/protocols/sec_prot_keys.c
@@ -225,7 +225,7 @@ void sec_prot_keys_ptk_eui_64_write(sec_prot_keys_t *sec_keys, const uint8_t *eu
 
 uint8_t *sec_prot_keys_ptk_eui_64_get(sec_prot_keys_t *sec_keys)
 {
-    if (!sec_keys->ptk_eui_64 || !sec_keys->ptk_eui_64_set) {
+    if (!sec_keys->ptk_eui_64_set) {
         return NULL;
     }
 
@@ -564,7 +564,7 @@ bool sec_prot_keys_gtks_hash_update(sec_prot_gtk_keys_t *gtks, uint8_t *gtkhash)
             if (sec_prot_keys_gtk_is_set(gtks, i)) {
                 uint32_t lifetime = sec_prot_keys_gtk_lifetime_get(gtks, i);
                 if (lifetime > GTK_EXPIRE_MISMATCH_TIME) {
-                    tr_info("GTK mismatch %i expired time, lifetime: %"PRIx32"", i, lifetime);
+                    tr_info("GTK mismatch %i expired time, lifetime: %"PRIu32"", i, lifetime);
                     mismatch = true;
                 }
                 sec_prot_keys_gtk_clear(gtks, i);
diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -278,7 +278,7 @@ int8_t sec_prot_lib_pmkid_calc(const uint8_t *pmk, const uint8_t *auth_eui64, co
     ptr += EUI64_LEN;
     memcpy(ptr, supp_eui64, EUI64_LEN);
 
-    if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid) < 0) {
+    if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid, PMKID_LEN) < 0) {
         return -1;
     }
 
@@ -300,7 +300,7 @@ int8_t sec_prot_lib_ptkid_calc(const uint8_t *ptk, const uint8_t *auth_eui64, co
     ptr += EUI64_LEN;
     memcpy(ptr, supp_eui64, EUI64_LEN);
 
-    if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid) < 0) {
+    if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid, PTKID_LEN) < 0) {
         return -1;
     }
 
@@ -332,7 +332,7 @@ uint8_t *sec_prot_lib_message_build(uint8_t *ptk, uint8_t *kde, uint16_t kde_len
 
     if (eapol_pdu->msg.key.key_information.key_mic) {
         uint8_t mic[EAPOL_KEY_MIC_LEN];
-        if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic) < 0) {
+        if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic, EAPOL_KEY_MIC_LEN) < 0) {
             ns_dyn_mem_free(eapol_pdu_frame);
             return NULL;
         }
@@ -402,7 +402,7 @@ int8_t sec_prot_lib_gtk_read(uint8_t *kde, uint16_t kde_len, sec_prot_keys_t *se
         }
     }
 
-    tr_info("GTK recv index %i lifetime %"PRIx32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));
+    tr_info("GTK recv index %i lifetime %"PRIu32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));
 
     return 0;
 }
@@ -415,7 +415,7 @@ int8_t sec_prot_lib_mic_validate(uint8_t *ptk, uint8_t *mic, uint8_t *pdu, uint8
     eapol_write_key_packet_mic(pdu, 0);
 
     uint8_t calc_mic[EAPOL_KEY_MIC_LEN];
-    if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic) < 0) {
+    if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic, EAPOL_KEY_MIC_LEN) < 0) {
         tr_error("MIC invalid");
         return -1;
     }
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot.c
@@ -54,6 +54,8 @@ typedef enum {
     TLS_STATE_FINISHED = SEC_STATE_FINISHED
 } eap_tls_sec_prot_state_e;
 
+typedef struct tls_sec_prot_lib_int_s tls_sec_prot_lib_int_t;
+
 typedef struct {
     sec_prot_common_t             common;            /**< Common data */
     uint8_t                       new_pmk[PMK_LEN];  /**< New Pair Wise Master Key */
@@ -64,7 +66,7 @@ typedef struct {
     bool                          timer_running;     /**< TLS timer running */
     bool                          finished;          /**< TLS finished */
     bool                          calculating;       /**< TLS is calculating */
-    uint8_t                       tls_sec_inst;      /**< TLS security library storage, SHALL BE THE LAST FIELD */
+    tls_sec_prot_lib_int_t        *tls_sec_inst;     /**< TLS security library storage, SHALL BE THE LAST FIELD */
 } tls_sec_prot_int_t;
 
 static uint16_t tls_sec_prot_size(void);
diff --git a/source/Service_Libs/hmac/hmac_sha1.c b/source/Service_Libs/hmac/hmac_sha1.c
@@ -25,7 +25,7 @@
 
 #define TRACE_GROUP "hmac"
 
-int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result)
+int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result, uint8_t result_len)
 {
 #ifdef EXTRA_DEBUG_INFO
     // Extensive debug for now, to be disabled later
@@ -62,13 +62,21 @@ int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data,
     if (mbedtls_md_hmac_update(&ctx, (const unsigned char *) data, data_len) != 0) {
         goto error;
     }
-    if (mbedtls_md_hmac_finish(&ctx, result) != 0) {
+
+    uint8_t result_value[20];
+    if (mbedtls_md_hmac_finish(&ctx, result_value) != 0) {
         goto error;
     }
     mbedtls_md_free(&ctx);
 
+    if (result_len > 20) {
+        result_len = 20;
+    }
+
+    memcpy(result, result_value, result_len);
+
 #ifdef EXTRA_DEBUG_INFO
-    tr_debug("hmac_sha_1 result %s\n", trace_array(result, 20));
+    tr_debug("hmac_sha_1 result %s\n", trace_array(result_value, 20));
 #endif
     return 0;
 
diff --git a/source/Service_Libs/hmac/hmac_sha1.h b/source/Service_Libs/hmac/hmac_sha1.h
@@ -27,12 +27,13 @@
  * \param key_len key length
  * \param data pointer to data
  * \param data_len data length
- * \param result pointer to result, must be at least 160 bytes
+ * \param result pointer to result
+ * \param result_len in bytes, maximum is 20 bytes
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result);
+int8_t hmac_sha1_calc(const uint8_t *key, uint16_t key_len, const uint8_t *data, uint16_t data_len, uint8_t *result, uint8_t result_len);
 
 #endif /* HMAC_SHA1_ */
diff --git a/source/Service_Libs/ieee_802_11/ieee_802_11.c b/source/Service_Libs/ieee_802_11/ieee_802_11.c
@@ -67,7 +67,7 @@ int8_t ieee_802_11_prf_finish(ieee_802_11_prf_t *prf, uint8_t *result)
 
     for (uint8_t i = 0; i < (prf->bits + 159) / 160; i++) {
         prf->string[prf->a_len + 1 + prf->b_len] = i; /* X (index) */
-        if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result) < 0) {
+        if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result, 20) < 0) {
             return -1;
         }
         result += 160 / 8;
diff --git a/source/configs/base/cfg_ws_border_router.h b/source/configs/base/cfg_ws_border_router.h
@@ -24,3 +24,5 @@
 #define HAVE_WS_BORDER_ROUTER
 #define HAVE_ND_PROXY
 #define MULTICAST_FORWARDING
+#define HAVE_PAE_AUTH
+#define HAVE_EAPOL_RELAY
diff --git a/source/configs/base/cfg_ws_router.h b/source/configs/base/cfg_ws_router.h
@@ -22,3 +22,5 @@
 #define HAVE_6LOWPAN_ND
 #define HAVE_MPL
 #define HAVE_WS
+#define HAVE_PAE_SUPP
+#define HAVE_EAPOL_RELAY
diff --git a/source/configs/cfg_generic.h b/source/configs/cfg_generic.h
diff --git a/source/configs/cfg_ws_border_router.h b/source/configs/cfg_ws_border_router.h
diff --git a/test/nanostack/unittest/service_libs/hmac/hmactest.cpp b/test/nanostack/unittest/service_libs/hmac/hmactest.cpp
diff --git a/test/nanostack/unittest/service_libs/hmac/test_hmac.c b/test/nanostack/unittest/service_libs/hmac/test_hmac.c
diff --git a/test/nanostack/unittest/service_libs/hmac/test_hmac.h b/test/nanostack/unittest/service_libs/hmac/test_hmac.h
diff --git a/test/nanostack/unittest/stub/hmac_stub.c b/test/nanostack/unittest/stub/hmac_stub.c
diff --git a/test/nanostack/unittest/stub/hmac_stub.h b/test/nanostack/unittest/stub/hmac_stub.h

Original file line number	Diff line number	Diff line change
`@@ -763,7 +763,7 @@ int8_t ws_pae_controller_gtk_update(int8_t interface_id, uint8_t *gtk[4])`
`763`	`763`	`uint32_t lifetime = sec_prot_keys_gtk_install_order_last_lifetime_get(&controller->gtks);`
`764`	`764`	`lifetime += controller->timer_settings.gtk_expire_offset;`
`765`	`765`	`if (sec_prot_keys_gtk_set(&controller->gtks, i, gtk[i], lifetime) >= 0) {`
`766`		`- tr_info("GTK set index: %i, lifetime %"PRIx32", system time: %"PRIx32"", i, lifetime, protocol_core_monotonic_time / 10);`
	`766`	`+ tr_info("GTK set index: %i, lifetime %"PRIu32", system time: %"PRIu32"", i, lifetime, protocol_core_monotonic_time / 10);`
`767`	`767`	`}`
`768`	`768`	`}`
`769`	`769`	`}`
Original file line number	Diff line number	Diff line change
`@@ -213,10 +213,10 @@ void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, timer_settin`
`213`	`213`	`{`
`214`	`214`	`ns_list_foreach(supp_entry_t, entry, supp_list) {`
`215`	`215`	`if (sec_prot_keys_pmk_lifetime_decrement(&entry->sec_keys, timer_settings->pmk_lifetime, seconds)) {`
`216`		`- tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);`
	`216`	`+ tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);`
`217`	`217`	`}`
`218`	`218`	`if (sec_prot_keys_ptk_lifetime_decrement(&entry->sec_keys, timer_settings->ptk_lifetime, seconds)) {`
`219`		`- tr_info("PTK expired, eui-64: %s, system time: %"PRIx32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);`
	`219`	`+ tr_info("PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(kmp_address_eui_64_get(entry->addr), 8), protocol_core_monotonic_time / 10);`
`220`	`220`	`}`
`221`	`221`	`}`
`222`	`222`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ static void ws_pae_timers_calculate(timer_settings_t *timer_settings)`
`117`	`117`	`time_to_update = gtk_revocation_lifetime - new_activation_time;`
`118`	`118`	`}`
`119`	`119`
`120`		`- tr_info("Key timers revocation lifetime: %"PRIx32", new activation time: %"PRIx32", max mismatch %i, time to update: %"PRIx32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);`
	`120`	`+ tr_info("Key timers revocation lifetime: %"PRIu32", new activation time: %"PRIu32", max mismatch %i, time to update: %"PRIu32"", gtk_revocation_lifetime, new_activation_time, timer_settings->gtk_max_mismatch, time_to_update);`
`121`	`121`
`122`	`122`	`// If time to update results smaller GTK request Imax use it for calculation otherwise use GTK max mismatch`
`123`	`123`	`if (time_to_update < timer_settings->gtk_max_mismatch) {`
Original file line number	Diff line number	Diff line change
`@@ -225,7 +225,7 @@ void sec_prot_keys_ptk_eui_64_write(sec_prot_keys_t sec_keys, const uint8_t eu`
`225`	`225`
`226`	`226`	`uint8_t sec_prot_keys_ptk_eui_64_get(sec_prot_keys_t sec_keys)`
`227`	`227`	`{`
`228`		`- if (!sec_keys->ptk_eui_64 \|\| !sec_keys->ptk_eui_64_set) {`
	`228`	`+ if (!sec_keys->ptk_eui_64_set) {`
`229`	`229`	`return NULL;`
`230`	`230`	`}`
`231`	`231`
`@@ -564,7 +564,7 @@ bool sec_prot_keys_gtks_hash_update(sec_prot_gtk_keys_t gtks, uint8_t gtkhash)`
`564`	`564`	`if (sec_prot_keys_gtk_is_set(gtks, i)) {`
`565`	`565`	`uint32_t lifetime = sec_prot_keys_gtk_lifetime_get(gtks, i);`
`566`	`566`	`if (lifetime > GTK_EXPIRE_MISMATCH_TIME) {`
`567`		`- tr_info("GTK mismatch %i expired time, lifetime: %"PRIx32"", i, lifetime);`
	`567`	`+ tr_info("GTK mismatch %i expired time, lifetime: %"PRIu32"", i, lifetime);`
`568`	`568`	`mismatch = true;`
`569`	`569`	`}`
`570`	`570`	`sec_prot_keys_gtk_clear(gtks, i);`
Original file line number	Diff line number	Diff line change
`@@ -278,7 +278,7 @@ int8_t sec_prot_lib_pmkid_calc(const uint8_t pmk, const uint8_t auth_eui64, co`
`278`	`278`	`ptr += EUI64_LEN;`
`279`	`279`	`memcpy(ptr, supp_eui64, EUI64_LEN);`
`280`	`280`
`281`		`- if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid) < 0) {`
	`281`	`+ if (hmac_sha1_calc(pmk, PMK_LEN, data, data_len, pmkid, PMKID_LEN) < 0) {`
`282`	`282`	`return -1;`
`283`	`283`	`}`
`284`	`284`
`@@ -300,7 +300,7 @@ int8_t sec_prot_lib_ptkid_calc(const uint8_t ptk, const uint8_t auth_eui64, co`
`300`	`300`	`ptr += EUI64_LEN;`
`301`	`301`	`memcpy(ptr, supp_eui64, EUI64_LEN);`
`302`	`302`
`303`		`- if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid) < 0) {`
	`303`	`+ if (hmac_sha1_calc(ptk, PTK_LEN, data, data_len, ptkid, PTKID_LEN) < 0) {`
`304`	`304`	`return -1;`
`305`	`305`	`}`
`306`	`306`
`@@ -332,7 +332,7 @@ uint8_t sec_prot_lib_message_build(uint8_t ptk, uint8_t *kde, uint16_t kde_len`
`332`	`332`
`333`	`333`	`if (eapol_pdu->msg.key.key_information.key_mic) {`
`334`	`334`	`uint8_t mic[EAPOL_KEY_MIC_LEN];`
`335`		`- if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic) < 0) {`
	`335`	`+ if (hmac_sha1_calc(ptk, KCK_LEN, eapol_pdu_frame + header_size, eapol_pdu_size, mic, EAPOL_KEY_MIC_LEN) < 0) {`
`336`	`336`	`ns_dyn_mem_free(eapol_pdu_frame);`
`337`	`337`	`return NULL;`
`338`	`338`	`}`
`@@ -402,7 +402,7 @@ int8_t sec_prot_lib_gtk_read(uint8_t kde, uint16_t kde_len, sec_prot_keys_t se`
`402`	`402`	`}`
`403`	`403`	`}`
`404`	`404`
`405`		`- tr_info("GTK recv index %i lifetime %"PRIx32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));`
	`405`	`+ tr_info("GTK recv index %i lifetime %"PRIu32"", gtk_index, sec_prot_keys_gtk_lifetime_get(sec_keys->gtks, gtk_index));`
`406`	`406`
`407`	`407`	`return 0;`
`408`	`408`	`}`
`@@ -415,7 +415,7 @@ int8_t sec_prot_lib_mic_validate(uint8_t ptk, uint8_t mic, uint8_t *pdu, uint8`
`415`	`415`	`eapol_write_key_packet_mic(pdu, 0);`
`416`	`416`
`417`	`417`	`uint8_t calc_mic[EAPOL_KEY_MIC_LEN];`
`418`		`- if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic) < 0) {`
	`418`	`+ if (hmac_sha1_calc(ptk, EAPOL_KEY_MIC_LEN, pdu, pdu_size, calc_mic, EAPOL_KEY_MIC_LEN) < 0) {`
`419`	`419`	`tr_error("MIC invalid");`
`420`	`420`	`return -1;`
`421`	`421`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ int8_t ieee_802_11_prf_finish(ieee_802_11_prf_t prf, uint8_t result)`
`67`	`67`
`68`	`68`	`for (uint8_t i = 0; i < (prf->bits + 159) / 160; i++) {`
`69`	`69`	`prf->string[prf->a_len + 1 + prf->b_len] = i; /* X (index) */`
`70`		`- if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result) < 0) {`
	`70`	`+ if (hmac_sha1_calc(prf->key, prf->key_len, prf->string, string_len, result, 20) < 0) {`
`71`	`71`	`return -1;`
`72`	`72`	`}`
`73`	`73`	`result += 160 / 8;`