Added EAPOL key storage to authenticator and unified GTK storage (#2345)

Added EAPOL key storage to authenticator:
- Application can give the memory areas and their sizes to Nanostack
- If application does not define specific areas, memory is allocated from
  heap as needed
- Memory key storage has identical structure to the one stored/read from NVM
  i.e. the file
- When supplicant goes inactive it's security data is stored onto array on
  memory
- On memory key storage array
     - Lifetimes are converted to time stamps
     - Time stamps are calculated as difference to the reference time of the
       heap array
     - Reference time is set when memory array is created (from system time) and
       updated in maximum once a day on a NVM write or after 31 days if
       no other NVM writes
     - PMK security key counters are stored to array, but not written to NVM if
       no other need to write
     - Uniqueness of the PMK security key counters is achieved by including
       re-start counter to PMK counter on NVM read i.e. startup.
- Limit for simultaneously authenticating supplicants is 200
- Key data on NVM needs to be updated when new supplicants appear and they are
  authenticated, they are removed via access revoke, GKTs are updated, or PMK
  or PTK keys need to be re-negotiated or heap array reference time is updated
  after 31 days

Added PAE time module:
- If system real time clock is available application can set its callback
- If there is no clock from application, authenticator maintains rough
  system clock by incrementing time when running, and storing/reading it
  to/from NVM when frame counters are read/stored

Unified GTK storage between supplicant and authenticator and moved it to PAE
controller

Author: Mika Leppänen

nanostack/ns_time_api.h

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2020, Arm Limited and affiliates.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * \file ns_time_api.h
+ * \brief Nanostack time API
+ *
+ * This is Nanostack time API.
+ *
+ */
+
+#ifndef NS_TIME_API_H_
+#define NS_TIME_API_H_
+
+#include "ns_types.h"
+
+/**
+ * System time callback.
+ *
+ * Callback shall return the system time in seconds after 1970.
+ *
+ * \param seconds system time in seconds
+ *
+ */
+typedef uint64_t ns_time_api_system_time_callback(void);
+
+/**
+ * System time callback set.
+ *
+ * Sets callback for the system time.
+ *
+ * \param callback system time callback
+ *
+ */
+void ns_time_api_system_time_callback_set(ns_time_api_system_time_callback callback);
+
+#endif /* NS_TIME_API_H_ */

nanostack/ws_bbr_api.h

@@ -243,4 +243,40 @@ int ws_bbr_pan_configuration_get(int8_t interface_id, uint16_t *pan_id);
  */
 int ws_bbr_pan_configuration_validate(int8_t interface_id, uint16_t pan_id);
 
+/**
+ * ws_bbr_key_storage_memory_set sets memory used for key storages
+ *
+ * This functions can be used to set memory used by EAPOL key storage. When memory
+ * areas are set, module does not allocate memory internally from heap.
+ *
+ * \param interface_id Network interface ID.
+ * \param key_storages_number number of memory areas.
+ * \param key_storage_size array of memory area sizes.
+ * \param key_storages array of memory area start pointers.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int ws_bbr_key_storage_memory_set(int8_t interface_id, uint8_t key_storages_number, const uint16_t *key_storage_size, void **key_storages);
+
+/**
+ * ws_bbr_key_storage_settings_set sets key storage settings
+ *
+ * This functions can be used to set the settings of EAPOL key storage.
+ * Allocation max number and allocation size sets the settings that are used when key storage
+ * memory is allocated dynamically from heap. These settings must be set before (first) interface
+ * up and shall not be set if key storage memory is set by ws_pae_key_storage_memory_set() call.
+ *
+ * \param interface_id Network interface ID.
+ * \param alloc_max_number maximum number of allocation made to dynamic memory.
+ * \param alloc_size size of each allocation.
+ * \param storing_interval interval in which the check to store to NVM is made.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int ws_bbr_key_storage_settings_set(int8_t interface_id, uint8_t alloc_max_number, uint16_t alloc_size, uint16_t storing_interval);
+
 #endif /* WS_BBR_API_H_ */

source/6LoWPAN/ws/ws_bbr_api.c

@@ -28,6 +28,7 @@
 #include "6LoWPAN/ws/ws_common.h"
 #include "6LoWPAN/ws/ws_bootstrap.h"
 #include "6LoWPAN/ws/ws_cfg_settings.h"
+#include "6LoWPAN/ws/ws_pae_key_storage.h"
 #include "RPL/rpl_control.h"
 #include "RPL/rpl_data.h"
 #include "Common_Protocols/icmpv6.h"
@@ -943,3 +944,29 @@ int ws_bbr_pan_configuration_validate(int8_t interface_id, uint16_t pan_id)
     return -1;
 #endif
 }
+
+int ws_bbr_key_storage_memory_set(int8_t interface_id, uint8_t key_storages_number, const uint16_t *key_storage_size, void **key_storages)
+{
+    (void) interface_id;
+#ifdef HAVE_WS_BORDER_ROUTER
+    return ws_pae_key_storage_memory_set(key_storages_number, key_storage_size, key_storages);
+#else
+    (void) key_storages_number;
+    (void) key_storage_size;
+    (void) key_storages;
+    return -1;
+#endif
+}
+
+int ws_bbr_key_storage_settings_set(int8_t interface_id, uint8_t alloc_max_number, uint16_t alloc_size, uint16_t storing_interval)
+{
+    (void) interface_id;
+#ifdef HAVE_WS_BORDER_ROUTER
+    return ws_pae_key_storage_settings_set(alloc_max_number, alloc_size, storing_interval);
+#else
+    (void) alloc_max_number;
+    (void) alloc_size;
+    (void) storing_interval;
+    return -1;
+#endif
+}

source/6LoWPAN/ws/ws_bootstrap.c

@@ -95,6 +95,7 @@ static void ws_bootstrap_nw_key_clear(protocol_interface_info_entry_t *cur, uint
 static void ws_bootstrap_nw_key_index_set(protocol_interface_info_entry_t *cur, uint8_t index);
 static void ws_bootstrap_nw_frame_counter_set(protocol_interface_info_entry_t *cur, uint32_t counter, uint8_t slot);
 static void ws_bootstrap_nw_frame_counter_read(protocol_interface_info_entry_t *cur, uint32_t *counter, uint8_t slot);
+static void ws_bootstrap_nw_info_updated(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name);
 static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, auth_result_e result, uint8_t *target_eui_64);
 static void ws_bootstrap_pan_version_increment(protocol_interface_info_entry_t *cur);
 static ws_nud_table_entry_t *ws_nud_entry_discover(protocol_interface_info_entry_t *cur, void *neighbor);
@@ -1985,7 +1986,7 @@ int ws_bootstrap_init(int8_t interface_id, net_6lowpan_mode_e bootstrap_mode)
         ret_val =  -4;
         goto init_fail;
     }
-    if (ws_pae_controller_cb_register(cur, &ws_bootstrap_authentication_completed, &ws_bootstrap_nw_key_set, &ws_bootstrap_nw_key_clear, &ws_bootstrap_nw_key_index_set, &ws_bootstrap_nw_frame_counter_set, &ws_bootstrap_nw_frame_counter_read, &ws_bootstrap_pan_version_increment) < 0) {
+    if (ws_pae_controller_cb_register(cur, &ws_bootstrap_authentication_completed, &ws_bootstrap_nw_key_set, &ws_bootstrap_nw_key_clear, &ws_bootstrap_nw_key_index_set, &ws_bootstrap_nw_frame_counter_set, &ws_bootstrap_nw_frame_counter_read, &ws_bootstrap_pan_version_increment, &ws_bootstrap_nw_info_updated) < 0) {
         ret_val =  -4;
         goto init_fail;
     }
@@ -2693,6 +2694,32 @@ static void ws_bootstrap_nw_frame_counter_read(protocol_interface_info_entry_t *
     mac_helper_key_link_frame_counter_read(cur->id, counter, slot);
 }
 
+static void ws_bootstrap_nw_info_updated(protocol_interface_info_entry_t *cur, uint16_t pan_id, char *network_name)
+{
+    /* For border router, the PAE controller reads pan_id and network name from storage.
+     * If they are set, takes them into use here.
+     */
+    if (cur->bootsrap_mode == ARM_NWK_BOOTSRAP_MODE_6LoWPAN_BORDER_ROUTER) {
+        // Get pad_id and network name
+        ws_gen_cfg_t gen_cfg;
+        if (ws_cfg_gen_get(&gen_cfg, NULL) < 0) {
+            return;
+        }
+
+        // If pan_id has not been set, set it
+        if (gen_cfg.network_pan_id == 0xffff) {
+            gen_cfg.network_pan_id = pan_id;
+        }
+        // If network name has not been set, set it
+        if (strlen(gen_cfg.network_name) == 0) {
+            strncpy(gen_cfg.network_name, network_name, 32);
+        }
+
+        // Stores the settings
+        ws_cfg_gen_set(cur, NULL, &gen_cfg, 0);
+    }
+}
+
 static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, auth_result_e result, uint8_t *target_eui_64)
 {
     (void) target_eui_64;