Added GTK, PMK, PTK lifecycles and node's access of revocation

For certification tests added certification add and remove interfaces
(trusted certificates, CRL). Added key lifetime interfaces needed
on tests. Improved TLS memory usage (CRL is allocated only when
needed). Corrected TLS and MPX send errors. Enabled conversion
from GTK to Group AES Key (GAK) when new keys are installed.

Author: Mika Leppänen

nanostack/net_ws_test.h

@@ -113,9 +113,9 @@ int ws_test_active_key_set(int8_t interface_id, uint8_t index);
  * Pairwise Transient Key (PTK) lifetimes.
  *
  * \param interface_id Network interface ID.
- * \param gtk_lifetime GTK lifetime in minutes
- * \param pmk_lifetime PMK lifetime in minutes
- * \param ptk_lifetime PTK lifetime in minutes
+ * \param gtk_lifetime GTK lifetime in minutes or zero if value is not changed
+ * \param pmk_lifetime PMK lifetime in minutes or zero if value is not changed
+ * \param ptk_lifetime PTK lifetime in minutes or zero if value is not changed
  *
  * \return 0                         Lifetimes are set
  * \return <0                        Lifetime set has failed
@@ -135,9 +135,10 @@ int ws_test_key_lifetime_set(
  * maximum mismatch time in minutes.
  *
  * \param interface_id Network interface ID.
- * \param revocat_lifetime_reduct GTK Revocation Lifetime Reduction (1 / value * GTK lifetime)
- * \param new_activation_time GTK New Activation Time (1 / value * GTK lifetime)
- * \param max_mismatch GTK maximum mismatch in minutes
+ * \param revocat_lifetime_reduct GTK Revocation Lifetime Reduction (1 / value * GTK lifetime) or zero if value is not changed
+ * \param new_activation_time GTK New Activation Time (1 / value * GTK lifetime) or zero if value is not changed
+ * \param new_install_req GTK New Install Required (percent * GTK lifetime) or zero if value is not changed
+ * \param max_mismatch GTK maximum mismatch in minutes or zero if value is not changed
  *
  * \return 0                         Lifetimes are set
  * \return <0                        Lifetime set has failed.
@@ -146,9 +147,26 @@ int ws_test_gtk_time_settings_set(
     int8_t interface_id,
     uint8_t revocat_lifetime_reduct,
     uint8_t new_activation_time,
+    uint8_t new_install_req,
     uint32_t max_mismatch
 );
 
+/**
+ * Sets Next Group Transient Keys used during GTK life cycle
+ *
+ * Sets next Group Transient Keys (GTKs) used during GTK life cycle. Up to four
+ * GTKs can be set (GTKs from index 0 to 3). When next GTK(s) are set, border
+ * router inserts GTKs from the next GTK list into use during GTK update
+ * procedure.
+ *
+ * \param interface_id Network interface ID.
+ * \param gtk GTK array, if GTK is not set, pointer for the index shall be NULL.
+ *
+ * \return 0                         GTKs are set
+ * \return <0                        GTK set has failed
+ */
+int ws_test_next_gtk_set(int8_t interface_id, uint8_t *gtk[4]);
+
 #ifdef __cplusplus
 }
 #endif

source/6LoWPAN/ws/ws_bbr_api.c

@@ -35,6 +35,7 @@
 #include "net_rpl.h"
 #include "Service_Libs/nd_proxy/nd_proxy.h"
 #include "6LoWPAN/ws/ws_bbr_api_internal.h"
+#include "6LoWPAN/ws/ws_pae_controller.h"
 #include "DHCPv6_Server/DHCPv6_server_service.h"
 
 #include "ws_bbr_api.h"
@@ -564,12 +565,20 @@ int ws_bbr_node_keys_remove(int8_t interface_id, uint8_t *eui64)
     (void) interface_id;
     (void) eui64;
 
+#ifdef HAVE_WS_BORDER_ROUTER
+    return ws_pae_controller_node_keys_remove(interface_id, eui64);
+#else
     return -1;
+#endif
 }
 
 int ws_bbr_node_access_revoke_start(int8_t interface_id)
 {
     (void) interface_id;
 
+#ifdef HAVE_WS_BORDER_ROUTER
+    return ws_pae_controller_node_access_revoke_start(interface_id);
+#else
     return -1;
+#endif
 }

source/6LoWPAN/ws/ws_bootstrap.c

@@ -1926,6 +1926,9 @@ static void ws_bootstrap_start_discovery(protocol_interface_info_entry_t *cur)
 static void ws_bootstrap_start_authentication(protocol_interface_info_entry_t *cur)
 {
     tr_debug("authentication start");
+    // Set PAN ID and network name to controller
+    ws_pae_controller_nw_info_set(cur, cur->ws_info->network_pan_id, cur->ws_info->network_name);
+
     ws_pae_controller_authenticate(cur);
 }
 
@@ -2252,6 +2255,9 @@ static void ws_bootstrap_event_handler(arm_event_s *event)
                 // Set authenticator relay to port 10253 and PAE to 10254 (and to own ll address)
                 ws_eapol_auth_relay_start(cur, EAPOL_RELAY_SOCKET_PORT, ll_addr, PAE_AUTH_SOCKET_PORT);
 
+                // Set PAN ID and network name to controller
+                ws_pae_controller_nw_info_set(cur, cur->ws_info->network_pan_id, cur->ws_info->network_name);
+
                 // Set PAE port to 10254 and authenticator relay to 10253 (and to own ll address)
                 ws_pae_controller_authenticator_start(cur, PAE_AUTH_SOCKET_PORT, ll_addr, EAPOL_RELAY_SOCKET_PORT);
                 break;

source/6LoWPAN/ws/ws_eapol_pdu.c

@@ -197,12 +197,15 @@ int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr,
     }
     msdu_entry->data_ptr = data;
     msdu_entry->buffer = buffer;
-    msdu_entry->handle = eapol_pdu_data->msdu_handle++;
+    msdu_entry->handle = eapol_pdu_data->msdu_handle;
     ns_list_add_to_start(&eapol_pdu_data->msdu_list, msdu_entry);
 
     memcpy(data_request.DstAddr, eui_64, 8);
     data_request.msdu = data;
     data_request.msduLength = size;
+    data_request.msduHandle = eapol_pdu_data->msdu_handle;
+
+    eapol_pdu_data->msdu_handle++;
 
     eapol_pdu_data->mpx_api->mpx_data_request(eapol_pdu_data->mpx_api, &data_request, eapol_pdu_data->mpx_user_id);
     return 0;