Ignoring authentication failure if security protocol already started

Mika Leppänen · Mika Leppänen · commit b2fe3d49dbb5 · 2020-04-29T11:50:02.000+03:00
On supplicant, if initial-EAPOL key fails to TX failure, but authenticator
has already started security protocol (e.g. EAP-TLS), do not indicate
authenticaton failure to bootstrap.
diff --git a/source/6LoWPAN/ws/ws_pae_lib.c b/source/6LoWPAN/ws/ws_pae_lib.c
@@ -132,6 +132,11 @@ bool ws_pae_lib_kmp_list_empty(kmp_list_t *kmp_list)
     return ns_list_is_empty(kmp_list);
 }
 
+uint8_t ws_pae_lib_kmp_list_count(kmp_list_t *kmp_list)
+{
+    return ns_list_count(kmp_list);
+}
+
 void ws_pae_lib_kmp_timer_start(kmp_list_t *kmp_list, kmp_entry_t *entry)
 {
     if (ns_list_get_first(kmp_list) != entry) {
diff --git a/source/6LoWPAN/ws/ws_pae_lib.h b/source/6LoWPAN/ws/ws_pae_lib.h
@@ -135,6 +135,16 @@ kmp_entry_t *ws_pae_lib_kmp_list_entry_get(kmp_list_t *kmp_list, kmp_api_t *kmp)
  */
 bool ws_pae_lib_kmp_list_empty(kmp_list_t *kmp_list);
 
+/**
+ * ws_pae_lib_kmp_list_count counts entries on KMP list
+ *
+ * \param kmp_list KMP list
+ *
+ * \return count of entries on the list
+ *
+ */
+uint8_t ws_pae_lib_kmp_list_count(kmp_list_t *kmp_list);
+
 /**
  * ws_pae_lib_kmp_timer_start starts KMP timer
  *
diff --git a/source/6LoWPAN/ws/ws_pae_supp.c b/source/6LoWPAN/ws/ws_pae_supp.c
@@ -1220,7 +1220,11 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
        that bootstrap can decide if EAPOL target should be changed */
     else if (type > IEEE_802_1X_INITIAL_KEY && result == KMP_RESULT_ERR_TX_NO_ACK) {
         tr_info("Initial EAPOL-Key TX failure, target: %s", trace_array(kmp_address_eui_64_get(&pae_supp->entry.addr), 8));
-        ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_TX_NO_ACK);
+        /* Fails authentication only if other authentication protocols are not yet
+           started by authenticator */
+        if (ws_pae_lib_kmp_list_count(&pae_supp->entry.kmp_list) <= 1) {
+            ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_TX_NO_ACK);
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,11 @@ bool ws_pae_lib_kmp_list_empty(kmp_list_t *kmp_list)`
`132`	`132`	`return ns_list_is_empty(kmp_list);`
`133`	`133`	`}`
`134`	`134`
	`135`	`+uint8_t ws_pae_lib_kmp_list_count(kmp_list_t *kmp_list)`
	`136`	`+{`
	`137`	`+ return ns_list_count(kmp_list);`
	`138`	`+}`
	`139`	`+`
`135`	`140`	`void ws_pae_lib_kmp_timer_start(kmp_list_t kmp_list, kmp_entry_t entry)`
`136`	`141`	`{`
`137`	`142`	`if (ns_list_get_first(kmp_list) != entry) {`
Original file line number	Diff line number	Diff line change
`@@ -1220,7 +1220,11 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e`
`1220`	`1220`	`that bootstrap can decide if EAPOL target should be changed */`
`1221`	`1221`	`else if (type > IEEE_802_1X_INITIAL_KEY && result == KMP_RESULT_ERR_TX_NO_ACK) {`
`1222`	`1222`	`tr_info("Initial EAPOL-Key TX failure, target: %s", trace_array(kmp_address_eui_64_get(&pae_supp->entry.addr), 8));`
`1223`		`- ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_TX_NO_ACK);`
	`1223`	`+ /* Fails authentication only if other authentication protocols are not yet`
	`1224`	`+ started by authenticator */`
	`1225`	`+ if (ws_pae_lib_kmp_list_count(&pae_supp->entry.kmp_list) <= 1) {`
	`1226`	`+ ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_ERR_TX_NO_ACK);`
	`1227`	`+ }`
`1224`	`1228`	`}`
`1225`	`1229`	`}`
`1226`	`1230`