Merge pull request #1949 from ARMmbed/eapol_eap_and_tls

EAPOL EAP-TLS and TLS (using mbed TLS) security protocols

Author: Mika Leppänen

source/6LoWPAN/ws/ws_pae_auth.c

@@ -31,9 +31,11 @@
 #include "Security/kmp/kmp_addr.h"
 #include "Security/kmp/kmp_api.h"
 #include "Security/kmp/kmp_socket_if.h"
+#include "Security/protocols/sec_prot_certs.h"
 #include "Security/protocols/sec_prot_keys.h"
 #include "Security/protocols/key_sec_prot/key_sec_prot.h"
-#include "Security/protocols/eap_tls_sec_prot/eap_tls_sec_prot.h"
+#include "Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.h"
+#include "Security/protocols/tls_sec_prot/tls_sec_prot.h"
 #include "Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.h"
 #include "Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.h"
 #include "6LoWPAN/ws/ws_pae_controller.h"
@@ -60,6 +62,7 @@ typedef struct {
     supp_list_t inactive_supp_list;                          /**< List of inactive supplicants */
     arm_event_storage_t *timer;                              /**< Timer */
     sec_prot_gtk_keys_t *gtks;                               /**< GTKs */
+    const sec_prot_certs_t *certs;                           /**< Certificates */
     bool timer_running;                                      /**< Timer is running */
 } pae_auth_t;
 
@@ -74,16 +77,18 @@ static int8_t ws_pae_auth_timer_start(pae_auth_t *pae_auth);
 static int8_t ws_pae_auth_timer_stop(pae_auth_t *pae_auth);
 static bool ws_pae_auth_timer_running(pae_auth_t *pae_auth);
 static void ws_pae_auth_kmp_service_addr_get(kmp_service_t *service, kmp_api_t *kmp, kmp_addr_t *local_addr, kmp_addr_t *remote_addr);
+static kmp_api_t *ws_pae_auth_kmp_service_api_get(kmp_service_t *service, kmp_api_t *kmp, kmp_type_e type);
 static kmp_api_t *ws_pae_auth_kmp_incoming_ind(kmp_service_t *service, kmp_type_e type, const kmp_addr_t *addr);
 static void ws_pae_auth_kmp_api_create_confirm(kmp_api_t *kmp, kmp_result_e result);
 static void ws_pae_auth_kmp_api_create_indication(kmp_api_t *kmp, kmp_type_e type, kmp_addr_t *addr);
 static void ws_pae_auth_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e result, kmp_sec_keys_t *sec_keys);
+static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry);
 static void ws_pae_auth_kmp_api_finished(kmp_api_t *kmp);
 
 static int8_t tasklet_id = -1;
 static NS_LIST_DEFINE(pae_auth_list, pae_auth_t, link);
 
-int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks)
+int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs)
 {
     if (!interface_ptr || !remote_addr || !gtks) {
         return -1;
@@ -104,13 +109,14 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t
     pae_auth->timer = NULL;
 
     pae_auth->gtks = gtks;
+    pae_auth->certs = certs;
 
     pae_auth->kmp_service = kmp_service_create();
     if (!pae_auth->kmp_service) {
         goto error;
     }
 
-    if (kmp_service_cb_register(pae_auth->kmp_service, ws_pae_auth_kmp_incoming_ind, ws_pae_auth_kmp_service_addr_get)) {
+    if (kmp_service_cb_register(pae_auth->kmp_service, ws_pae_auth_kmp_incoming_ind, ws_pae_auth_kmp_service_addr_get, ws_pae_auth_kmp_service_api_get)) {
         goto error;
     }
 
@@ -130,7 +136,11 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t
         goto error;
     }
 
-    if (eap_tls_auth_sec_prot_register(pae_auth->kmp_service) < 0) {
+    if (auth_eap_tls_sec_prot_register(pae_auth->kmp_service) < 0) {
+        goto error;
+    }
+
+    if (server_tls_sec_prot_register(pae_auth->kmp_service) < 0) {
         goto error;
     }
 
@@ -357,6 +367,18 @@ static void ws_pae_auth_kmp_service_addr_get(kmp_service_t *service, kmp_api_t *
     }
 }
 
+static kmp_api_t *ws_pae_auth_kmp_service_api_get(kmp_service_t *service, kmp_api_t *kmp, kmp_type_e type)
+{
+    (void) service;
+
+    supp_entry_t *supp_entry = kmp_api_data_get(kmp);
+    if (!supp_entry) {
+        return NULL;
+    }
+
+    return ws_pae_lib_kmp_list_type_get(&supp_entry->kmp_list, type);
+}
+
 static kmp_api_t *ws_pae_auth_kmp_incoming_ind(kmp_service_t *service, kmp_type_e type, const kmp_addr_t *addr)
 {
     pae_auth_t *pae_auth = ws_pae_auth_by_kmp_service_get(service);
@@ -382,7 +404,7 @@ static kmp_api_t *ws_pae_auth_kmp_incoming_ind(kmp_service_t *service, kmp_type_
         if (!supp_entry) {
             return 0;
         }
-        sec_prot_keys_init(&supp_entry->sec_keys, pae_auth->gtks);
+        sec_prot_keys_init(&supp_entry->sec_keys, pae_auth->gtks, pae_auth->certs);
     } else {
         // Updates relay address
         kmp_address_copy(supp_entry->addr, addr);
@@ -494,31 +516,57 @@ static void ws_pae_auth_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
         return;
     }
 
-    // Create KMP instance for new authentication
-    kmp_api_t *new_kmp = kmp_api_create(pae_auth->kmp_service, type);
-    kmp_api_data_set(new_kmp, supp_entry);
-
+    // Create new instance
+    kmp_api_t *new_kmp = ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, type, supp_entry);
     if (!new_kmp) {
         return;
     }
 
-    if (ws_pae_lib_kmp_list_add(&supp_entry->kmp_list, new_kmp) == NULL) {
-        kmp_api_delete(new_kmp);
-        return;
+    // For EAP-TLS create also TLS in addition to EAP-TLS
+    if (type == IEEE_802_1X_MKA) {
+        if (ws_pae_lib_kmp_list_type_get(&supp_entry->kmp_list, TLS_PROT) != NULL) {
+            // TLS already exists, wait for it to be deleted
+            ws_pae_lib_kmp_list_delete(&supp_entry->kmp_list, new_kmp);
+            return;
+        }
+        // Create TLS instance */
+        if (ws_pae_auth_kmp_create_and_start(service, TLS_PROT, supp_entry) == NULL) {
+            ws_pae_lib_kmp_list_delete(&supp_entry->kmp_list, new_kmp);
+            return;
+        }
+    }
+
+    kmp_api_create_request(new_kmp, type, supp_entry->addr, &supp_entry->sec_keys);
+}
+
+static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry)
+{
+    // Create KMP instance for new authentication
+    kmp_api_t *kmp = kmp_api_create(service, type);
+
+    if (!kmp) {
+        return NULL;
     }
 
-    kmp_api_cb_register(new_kmp,
+    if (ws_pae_lib_kmp_list_add(&supp_entry->kmp_list, kmp) == NULL) {
+        kmp_api_delete(kmp);
+        return NULL;
+    }
+
+    kmp_api_cb_register(kmp,
                         ws_pae_auth_kmp_api_create_confirm,
                         ws_pae_auth_kmp_api_create_indication,
                         ws_pae_auth_kmp_api_finished_indication,
                         ws_pae_auth_kmp_api_finished);
 
-    if (kmp_api_start(new_kmp) < 0) {
-        ws_pae_lib_kmp_list_delete(&supp_entry->kmp_list, new_kmp);
-        return;
+    kmp_api_data_set(kmp, supp_entry);
+
+    if (kmp_api_start(kmp) < 0) {
+        ws_pae_lib_kmp_list_delete(&supp_entry->kmp_list, kmp);
+        return NULL;
     }
 
-    kmp_api_create_request(new_kmp, type, supp_entry->addr, &supp_entry->sec_keys);
+    return kmp;
 }
 
 static void ws_pae_auth_kmp_api_finished(kmp_api_t *kmp)

source/6LoWPAN/ws/ws_pae_auth.h

@@ -44,12 +44,13 @@
  * \param remote_addr remote address
  * \param remote_port remote port
  * \param gtks group keys
+ * \param cert_chain certificate chain
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks);
+int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port, sec_prot_gtk_keys_t *gtks, const sec_prot_certs_t *certs);
 
 /**
  * ws_pae_auth_delete deletes PAE authenticator
@@ -72,7 +73,7 @@ void ws_pae_auth_timer(uint16_t ticks);
 
 #else
 
-#define ws_pae_auth_init(interface_ptr, local_port, remote_addr, remote_port, gtks) 1
+#define ws_pae_auth_init(interface_ptr, local_port, remote_addr, remote_port, gtks, certs) 1
 #define ws_pae_auth_delete NULL
 #define ws_pae_auth_timer NULL
 

source/6LoWPAN/ws/ws_pae_controller.c

@@ -26,6 +26,7 @@
 #include "NWK_INTERFACE/Include/protocol.h"
 #include "6LoWPAN/ws/ws_config.h"
 #include "6LoWPAN/ws/ws_pae_controller.h"
+#include "Security/protocols/sec_prot_certs.h"
 #include "Security/protocols/sec_prot_keys.h"
 #include "6LoWPAN/ws/ws_pae_supp.h"
 #include "6LoWPAN/ws/ws_pae_auth.h"
@@ -41,6 +42,7 @@ typedef struct {
     ns_list_link_t link;                                 /**< Link */
     uint8_t target_eui_64[8];                            /**< EAPOL target */
     sec_prot_gtk_keys_t gtks;                            /**< GTKs */
+    sec_prot_certs_t certs;                              /**< Certificates */
     protocol_interface_info_entry_t *interface_ptr;      /**< List link entry */
     ws_pae_controller_auth_completed *auth_completed;    /**< Authentication completed callback, continue bootstrap */
     ws_pae_controller_key_insert *key_insert;            /**< Key insert callback */
@@ -78,7 +80,7 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
         return -1;
     }
 
-    if (ws_pae_supp_init(controller->interface_ptr) < 0) {
+    if (ws_pae_supp_init(controller->interface_ptr, &controller->certs) < 0) {
         return -1;
     }
 
@@ -113,7 +115,7 @@ int8_t ws_pae_controller_authenticator_start(protocol_interface_info_entry_t *in
 
     ws_pae_controller_test_keys_set(&controller->gtks);
 
-    if (ws_pae_auth_init(controller->interface_ptr, local_port, remote_addr, remote_port, &controller->gtks) < 0) {
+    if (ws_pae_auth_init(controller->interface_ptr, local_port, remote_addr, remote_port, &controller->gtks, &controller->certs) < 0) {
         return -1;
     }
 
@@ -181,6 +183,7 @@ int8_t ws_pae_controller_init(protocol_interface_info_entry_t *interface_ptr)
     controller->pae_timer = NULL;
 
     sec_prot_keys_gtks_init(&controller->gtks);
+    sec_prot_certs_init(&controller->certs);
 
     ns_list_add_to_end(&pae_controller_list, controller);
 
@@ -220,11 +223,36 @@ int8_t ws_pae_controller_delete(protocol_interface_info_entry_t *interface_ptr)
     }
 
     ns_list_remove(&pae_controller_list, controller);
+
+    sec_prot_certs_delete(&controller->certs);
+
     ns_dyn_mem_free(controller);
 
     return 0;
 }
 
+int8_t ws_pae_controller_certificate_chain_set(const arm_certificate_chain_entry_s *new_chain)
+{
+    ns_list_foreach(pae_controller_t, entry, &pae_controller_list) {
+        // Delete previous information
+        sec_prot_certs_delete(&entry->certs);
+
+        if (new_chain->cert_chain[0]) {
+            cert_chain_entry_t *root_ca_chain = sec_prot_certs_chain_entry_create();
+            sec_prot_certs_cert_set(root_ca_chain, 0, (uint8_t *) new_chain->cert_chain[0], new_chain->cert_len[0]);
+            sec_prot_certs_chain_list_add(&entry->certs.trusted_cert_chain_list, root_ca_chain);
+        }
+
+        if (new_chain->cert_chain[1] && new_chain->key_chain[1]) {
+            sec_prot_certs_cert_set(&entry->certs.own_cert_chain, 0, (uint8_t *) new_chain->cert_chain[1], new_chain->cert_len[1]);
+            uint8_t key_len = strlen((char *) new_chain->key_chain[1]) + 1;
+            sec_prot_certs_priv_key_set(&entry->certs.own_cert_chain, (uint8_t *) new_chain->key_chain[1], key_len);
+        }
+    }
+
+    return 0;
+}
+
 void ws_pae_controller_timer(uint16_t ticks)
 {
     ns_list_foreach(pae_controller_t, entry, &pae_controller_list) {

source/6LoWPAN/ws/ws_pae_controller.h

@@ -90,6 +90,17 @@ int8_t ws_pae_controller_stop(protocol_interface_info_entry_t *interface_ptr);
  */
 int8_t ws_pae_controller_delete(protocol_interface_info_entry_t *interface_ptr);
 
+/**
+ * ws_pae_controller_certificate_chain_set set certificate chain
+ *
+ * \param chain certificate chain
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_controller_certificate_chain_set(const arm_certificate_chain_entry_s *chain);
+
 /**
  * ws_pae_controller_key_insert new GTK key available callback
  *

source/6LoWPAN/ws/ws_pae_lib.c

@@ -26,6 +26,7 @@
 #include "6LoWPAN/ws/ws_config.h"
 #include "Security/kmp/kmp_addr.h"
 #include "Security/kmp/kmp_api.h"
+#include "Security/protocols/sec_prot_certs.h"
 #include "Security/protocols/sec_prot_keys.h"
 #include "6LoWPAN/ws/ws_pae_lib.h"