Added tx failure cause to initial EAPOL-key security protocol

TX failure cause "no acknowledge" is now sent from the mpx interface, via the
eapol pdu, kpm and security protocols to pae supplicant, which sends the failure
reason to bootstrap.

Re-structured eapol-key protocol to be similar to other security protocols. Added
own state machines to authenticator and supplicant. Supplicant now runs timer
to wait for mpx tx response.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_bootstrap.c

@@ -92,7 +92,7 @@ static void ws_bootstrap_nw_key_clear(protocol_interface_info_entry_t *cur, uint
 static void ws_bootstrap_nw_key_index_set(protocol_interface_info_entry_t *cur, uint8_t index);
 static void ws_bootstrap_nw_frame_counter_set(protocol_interface_info_entry_t *cur, uint32_t counter);
 static void ws_bootstrap_nw_frame_counter_read(protocol_interface_info_entry_t *cur, uint32_t *counter);
-static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, bool success);
+static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, auth_result_e result);
 static void ws_bootstrap_pan_version_increment(protocol_interface_info_entry_t *cur);
 static ws_nud_table_entry_t *ws_nud_entry_discover(protocol_interface_info_entry_t *cur, void *neighbor);
 static void ws_nud_entry_remove(protocol_interface_info_entry_t *cur, mac_neighbor_table_entry_t *entry_ptr);
@@ -2196,9 +2196,9 @@ static void ws_bootstrap_nw_frame_counter_read(protocol_interface_info_entry_t *
     mac_helper_link_frame_counter_read(cur->id, counter);
 }
 
-static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, bool success)
+static void ws_bootstrap_authentication_completed(protocol_interface_info_entry_t *cur, auth_result_e result)
 {
-    if (success) {
+    if (result == AUTH_RESULT_OK) {
         tr_debug("authentication success");
         ws_bootstrap_event_configuration_start(cur);
     } else {

source/6LoWPAN/ws/ws_eapol_pdu.c

@@ -37,9 +37,11 @@
 #define TRACE_GROUP "wsep"
 
 typedef struct {
-    uint8_t handle;
     void *data_ptr;
     void *buffer;
+    ws_eapol_pdu_tx_status *tx_status;
+    uint8_t tx_identifier;
+    uint8_t handle;
     ns_list_link_t link;
 } eapol_pdu_msdu_t;
 
@@ -180,7 +182,7 @@ int8_t ws_eapol_pdu_cb_unregister(protocol_interface_info_entry_t *interface_ptr
     return -1;
 }
 
-int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64, void *data, uint16_t size, void *buffer)
+int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64, void *data, uint16_t size, void *buffer, ws_eapol_pdu_tx_status *tx_status, uint8_t tx_identifier)
 {
     eapol_pdu_data_t *eapol_pdu_data = ws_eapol_pdu_data_get(interface_ptr);
 
@@ -198,6 +200,8 @@ int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr,
     msdu_entry->data_ptr = data;
     msdu_entry->buffer = buffer;
     msdu_entry->handle = eapol_pdu_data->msdu_handle;
+    msdu_entry->tx_status = tx_status;
+    msdu_entry->tx_identifier = tx_identifier;
     ns_list_add_to_start(&eapol_pdu_data->msdu_list, msdu_entry);
 
     memcpy(data_request.DstAddr, eui_64, 8);
@@ -265,6 +269,15 @@ static void ws_eapol_pdu_mpx_data_confirm(const mpx_api_t *api, const struct mcp
 
     ns_list_foreach(eapol_pdu_msdu_t, msdu, &eapol_pdu_data->msdu_list) {
         if (msdu->handle == data->msduHandle) {
+            if (msdu->tx_status) {
+                eapol_pdu_tx_status_e status = EAPOL_PDU_TX_ERR_UNSPEC;
+                if (data->status == MLME_SUCCESS) {
+                    status = EAPOL_PDU_TX_OK;
+                } else if (data->status == MLME_TX_NO_ACK) {
+                    status = EAPOL_PDU_TX_ERR_TX_NO_ACK;
+                }
+                msdu->tx_status(eapol_pdu_data->interface_ptr, status, msdu->tx_identifier);
+            }
             ns_dyn_mem_free(msdu->buffer);
             ns_list_remove(&eapol_pdu_data->msdu_list, msdu);
             ns_dyn_mem_free(msdu);

source/6LoWPAN/ws/ws_eapol_pdu.h

@@ -127,6 +127,22 @@ int8_t ws_eapol_pdu_cb_register(protocol_interface_info_entry_t *interface_ptr,
  */
 int8_t ws_eapol_pdu_cb_unregister(protocol_interface_info_entry_t *interface_ptr, const eapol_pdu_recv_cb_data_t *cb_data);
 
+typedef enum {
+    EAPOL_PDU_TX_OK = 0,                 // Successful
+    EAPOL_PDU_TX_ERR_TX_NO_ACK  = -1,    // No acknowledge was received
+    EAPOL_PDU_TX_ERR_UNSPEC = -2,        // Other reason
+} eapol_pdu_tx_status_e;
+
+/**
+ * ws_eapol_pdu_tx_status will be called when TX status is known
+ *
+ * \param interface_ptr interface
+ * \param tx_status tx status
+ * \param tx_identifier tx identifier
+ *
+ */
+typedef int8_t ws_eapol_pdu_tx_status(protocol_interface_info_entry_t *interface_ptr, eapol_pdu_tx_status_e tx_status, uint8_t tx_identifier);
+
 /**
  *  ws_eapol_pdu_send_to_mpx send EAPOL PDU to MPX
  *
@@ -135,11 +151,13 @@ int8_t ws_eapol_pdu_cb_unregister(protocol_interface_info_entry_t *interface_ptr
  * \param data EAPOL PDU
  * \param size PDU size
  * \param buffer pointer to allocated buffer
+ * \param tx_status tx status callback
+ * \param tx_identifier tx identifier
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64, void *data, uint16_t size, void *buffer);
+int8_t ws_eapol_pdu_send_to_mpx(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64, void *data, uint16_t size, void *buffer, ws_eapol_pdu_tx_status tx_status, uint8_t tx_identifier);
 
 #endif /* WS_EAPOL_PDU_H_ */

source/6LoWPAN/ws/ws_eapol_relay.c

@@ -183,7 +183,7 @@ static void ws_eapol_relay_socket_cb(void *cb)
     }
 
     //First 8 byte is EUID64 and rsr payload
-    if (ws_eapol_pdu_send_to_mpx(eapol_relay->interface_ptr, socket_pdu, socket_pdu + 8, cb_data->d_len - 8, socket_pdu) < 0) {
+    if (ws_eapol_pdu_send_to_mpx(eapol_relay->interface_ptr, socket_pdu, socket_pdu + 8, cb_data->d_len - 8, socket_pdu, NULL, 0) < 0) {
         ns_dyn_mem_free(socket_pdu);
     }
 }

source/6LoWPAN/ws/ws_pae_auth.c

@@ -159,7 +159,7 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot
         goto error;
     }
 
-    if (kmp_service_cb_register(pae_auth->kmp_service, ws_pae_auth_kmp_incoming_ind, ws_pae_auth_kmp_service_addr_get, ws_pae_auth_kmp_service_api_get)) {
+    if (kmp_service_cb_register(pae_auth->kmp_service, ws_pae_auth_kmp_incoming_ind, NULL, ws_pae_auth_kmp_service_addr_get, ws_pae_auth_kmp_service_api_get)) {
         goto error;
     }
 
@@ -171,7 +171,7 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot
         goto error;
     }
 
-    if (key_sec_prot_register(pae_auth->kmp_service) < 0) {
+    if (auth_key_sec_prot_register(pae_auth->kmp_service) < 0) {
         goto error;
     }
 

source/6LoWPAN/ws/ws_pae_controller.h

@@ -20,7 +20,15 @@
 
 #ifdef HAVE_WS
 
+typedef enum {
+    AUTH_RESULT_OK = 0,                    // Successful
+    AUTH_RESULT_ERR_NO_MEM = -1,           // No memory
+    AUTH_RESULT_ERR_TX_NO_ACK = -2,        // No acknowledge was received
+    AUTH_RESULT_ERR_UNSPEC = -3            // Other reason
+} auth_result_e;
+
 struct nvm_tlv_entry;
+
 /**
  * ws_pae_controller_set_target sets EAPOL target for PAE supplicant
  *
@@ -484,10 +492,10 @@ typedef void ws_pae_controller_nw_frame_counter_read(protocol_interface_info_ent
  * ws_pae_controller_auth_completed authentication completed callback
  *
  * \param interface_ptr interface
- * \param success true if authentication was successful
+ * \param result result, either ok or failure reason
  *
  */
-typedef void ws_pae_controller_auth_completed(protocol_interface_info_entry_t *interface_ptr, bool success);
+typedef void ws_pae_controller_auth_completed(protocol_interface_info_entry_t *interface_ptr, auth_result_e result);
 
 /**
  * ws_pae_controller_pan_ver_increment PAN version increment callback

source/6LoWPAN/ws/ws_pae_lib.c

@@ -93,6 +93,17 @@ kmp_api_t *ws_pae_lib_kmp_list_type_get(kmp_list_t *kmp_list, kmp_type_e type)
     return kmp;
 }
 
+kmp_api_t *ws_pae_lib_kmp_list_instance_id_get(kmp_list_t *kmp_list, uint8_t instance_id)
+{
+    ns_list_foreach(kmp_entry_t, cur, kmp_list) {
+        if (kmp_api_instance_id_get(cur->kmp) == instance_id) {
+            return cur->kmp;
+        }
+    }
+
+    return NULL;
+}
+
 void ws_pae_lib_kmp_list_free(kmp_list_t *kmp_list)
 {
     ns_list_foreach_safe(kmp_entry_t, cur, kmp_list) {

source/6LoWPAN/ws/ws_pae_lib.h

@@ -88,7 +88,7 @@ int8_t ws_pae_lib_kmp_list_delete(kmp_list_t *kmp_list, kmp_api_t *kmp);
 void ws_pae_lib_kmp_list_free(kmp_list_t *kmp_list);
 
 /**
- * ws_pae_lib_kmp_list_type_get gets KMP entry from KMP list based on KMP type
+ * ws_pae_lib_kmp_list_type_get gets KMP from KMP list based on KMP type
  *
  * \param kmp_list KMP list
  * \param type type
@@ -99,6 +99,18 @@ void ws_pae_lib_kmp_list_free(kmp_list_t *kmp_list);
  */
 kmp_api_t *ws_pae_lib_kmp_list_type_get(kmp_list_t *kmp_list, kmp_type_e type);
 
+/**
+ * ws_pae_lib_kmp_list_instance_id_get gets KMP from KMP list based on instance identifier
+ *
+ * \param kmp_list KMP list
+ * \param instance_id instance identifier
+ *
+ * \return KMP on success
+ * \return NULL on failure
+ *
+ */
+kmp_api_t *ws_pae_lib_kmp_list_instance_id_get(kmp_list_t *kmp_list, uint8_t instance_id);
+
 /**
  * ws_pae_lib_kmp_list_entry_get gets KMP entry from KMP list based on KMP
  *

source/6LoWPAN/ws/ws_pae_supp.c

@@ -99,7 +99,7 @@ typedef struct {
     timer_settings_t *timer_settings;                      /**< Timer settings */
     uint8_t nw_keys_used_cnt;                              /**< How many times bootstrap has been tried with current keys */
     bool auth_trickle_running : 1;                         /**< Initial EAPOL-Key Trickle timer running */
-    bool auth_requested : 1;                               /**< Authentication has been requested */
+    bool auth_requested : 1;                               /**< Authentication has been requested by the bootstrap */
     bool timer_running : 1;                                /**< Timer is running */
     bool new_br_eui_64_set : 1;                            /**< Border router address has been set */
     bool new_br_eui_64_fresh : 1;                          /**< Border router address is fresh (set during this authentication attempt) */
@@ -117,7 +117,7 @@ static trickle_params_t initial_eapol_key_trickle_params = {
 };
 
 static void ws_pae_supp_free(pae_supp_t *pae_supp);
-static void ws_pae_supp_authenticate_response(pae_supp_t *pae_supp, bool success);
+static void ws_pae_supp_authenticate_response(pae_supp_t *pae_supp, auth_result_e result);
 static int8_t ws_pae_supp_initial_key_send(pae_supp_t *pae_supp);
 static void ws_pae_supp_nvm_update(pae_supp_t *pae_supp);
 static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan_id);
@@ -134,6 +134,7 @@ static bool ws_pae_supp_timer_running(pae_supp_t *pae_supp);
 static void ws_pae_supp_kmp_service_addr_get(kmp_service_t *service, kmp_api_t *kmp, kmp_addr_t *local_addr, kmp_addr_t *remote_addr);
 static kmp_api_t *ws_pae_supp_kmp_service_api_get(kmp_service_t *service, kmp_api_t *kmp, kmp_type_e type);
 static kmp_api_t *ws_pae_supp_kmp_incoming_ind(kmp_service_t *service, kmp_type_e type, const kmp_addr_t *addr);
+static kmp_api_t *ws_pae_supp_kmp_tx_status_ind(kmp_service_t *service, uint8_t instance_id);
 static kmp_api_t *ws_pae_supp_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, pae_supp_t *pae_supp);
 static int8_t ws_pae_supp_eapol_pdu_address_check(protocol_interface_info_entry_t *interface_ptr, const uint8_t *eui_64);
 static int8_t ws_pae_supp_parent_eui_64_get(protocol_interface_info_entry_t *interface_ptr, uint8_t *eui_64);
@@ -143,6 +144,7 @@ static void ws_pae_supp_kmp_api_create_indication(kmp_api_t *kmp, kmp_type_e typ
 static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e result, kmp_sec_keys_t *sec_keys);
 static void ws_pae_supp_kmp_api_finished(kmp_api_t *kmp);
 
+
 static const eapol_pdu_recv_cb_data_t eapol_pdu_recv_cb_data = {
     .priority = EAPOL_PDU_RECV_HIGH_PRIORITY,
     .addr_check = ws_pae_supp_eapol_pdu_address_check,
@@ -381,8 +383,6 @@ static void ws_pae_supp_nvm_update(pae_supp_t *pae_supp)
         ws_pae_supp_nvm_keys_write(pae_supp);
         sec_prot_keys_updated_reset(&pae_supp->entry.sec_keys);
     }
-
-
 }
 
 static int8_t ws_pae_supp_nvm_nw_info_write(pae_supp_t *pae_supp)
@@ -457,12 +457,12 @@ static int8_t ws_pae_supp_nvm_keys_read(pae_supp_t *pae_supp)
     return 0;
 }
 
-static void ws_pae_supp_authenticate_response(pae_supp_t *pae_supp, bool success)
+static void ws_pae_supp_authenticate_response(pae_supp_t *pae_supp, auth_result_e result)
 {
     pae_supp->auth_trickle_running = false;
     if (pae_supp->auth_requested && pae_supp->auth_completed) {
         pae_supp->auth_requested = false;
-        pae_supp->auth_completed(pae_supp->interface_ptr, success);
+        pae_supp->auth_completed(pae_supp->interface_ptr, result);
     }
 }
 
@@ -605,7 +605,7 @@ int8_t ws_pae_supp_init(protocol_interface_info_entry_t *interface_ptr, const se
         goto error;
     }
 
-    if (kmp_service_cb_register(pae_supp->kmp_service, ws_pae_supp_kmp_incoming_ind, ws_pae_supp_kmp_service_addr_get, ws_pae_supp_kmp_service_api_get) < 0) {
+    if (kmp_service_cb_register(pae_supp->kmp_service, ws_pae_supp_kmp_incoming_ind, ws_pae_supp_kmp_tx_status_ind, ws_pae_supp_kmp_service_addr_get, ws_pae_supp_kmp_service_api_get) < 0) {
         goto error;
     }
 
@@ -625,7 +625,7 @@ int8_t ws_pae_supp_init(protocol_interface_info_entry_t *interface_ptr, const se
         goto error;
     }
 
-    if (key_sec_prot_register(pae_supp->kmp_service) < 0) {
+    if (supp_key_sec_prot_register(pae_supp->kmp_service) < 0) {
         goto error;
     }
 
@@ -1115,14 +1115,24 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
         ws_pae_lib_supp_timer_ticks_set(&pae_supp->entry, WAIT_FOR_AUTHENTICATION_TICKS);
     }
 
+    /* When 4WH or GKH completes inserts keys and indicates authentication completed
+       (if not alredy indicated) */
     if ((type == IEEE_802_11_4WH || type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {
         if (sec_keys) {
             sec_prot_keys_t *keys = sec_keys;
             pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks);
         }
 
-        ws_pae_supp_authenticate_response(pae_supp, true);
+        ws_pae_supp_authenticate_response(pae_supp, result);
+    }
+
+    /* If initial EAPOL-key message sending fails to tx no acknowledge, indicates failure so
+       that bootstrap can decide if EAPOL target should be changed */
+    else if (type > IEEE_802_1X_INITIAL_KEY && result == KMP_RESULT_ERR_TX_NO_ACK) {
+        tr_info("Initial EAPOL-Key TX failure, target: %s", trace_array(kmp_address_eui_64_get(&pae_supp->entry.addr), 8));
+        ws_pae_supp_authenticate_response(pae_supp, result);
     }
+
 }
 
 static void ws_pae_supp_kmp_api_finished(kmp_api_t *kmp)
@@ -1137,6 +1147,21 @@ static void ws_pae_supp_kmp_api_finished(kmp_api_t *kmp)
     ws_pae_lib_kmp_list_delete(&pae_supp->entry.kmp_list, kmp);
 }
 
+static kmp_api_t *ws_pae_supp_kmp_tx_status_ind(kmp_service_t *service, uint8_t instance_id)
+{
+    pae_supp_t *pae_supp = ws_pae_supp_by_kmp_service_get(service);
+    if (!pae_supp) {
+        return NULL;
+    }
+
+    kmp_api_t *kmp = ws_pae_lib_kmp_list_instance_id_get(&pae_supp->entry.kmp_list, instance_id);
+    if (!kmp) {
+        return NULL;
+    }
+
+    return kmp;
+}
+
 #endif /* HAVE_PAE_SUPP */
 #endif /* HAVE_WS */
 

source/6LoWPAN/ws/ws_pae_supp.h

@@ -206,10 +206,10 @@ typedef void ws_pae_supp_nw_key_index_set(protocol_interface_info_entry_t *inter
  * ws_pae_supp_auth_completed authentication completed callback
  *
  * \param interface_ptr interface
- * \param success true if authentication was successful
+ * \param result result, either ok or failure reason
  *
  */
-typedef void ws_pae_supp_auth_completed(protocol_interface_info_entry_t *interface_ptr, bool success);
+typedef void ws_pae_supp_auth_completed(protocol_interface_info_entry_t *interface_ptr, auth_result_e result);
 
 /**
  * ws_pae_supp_nw_key_insert network key insert callback