Added key data access functions to key storage

Author: Mika Leppänen

source/6LoWPAN/ws/ws_pae_auth.c

@@ -493,13 +493,13 @@ static void ws_pae_auth_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
         // After EAP-TLS start 4WH towards supplicant
         type = IEEE_802_11_4WH;
         // Insert GTK0
-        supp_entry->sec_keys.gtk_set_index = 0;
+        sec_prot_keys_gtk_insert_index_set(supp_entry->sec_keys.gtks, 0);
         tr_debug("PAE start 4WH, eui-64: %s", trace_array(kmp_address_eui_64_get(supp_entry->addr), 8));
     } else if (type == IEEE_802_11_4WH) {
         // After 4WH start GKH towards supplicant
         type = IEEE_802_11_GKH;
         // Insert GTK1
-        supp_entry->sec_keys.gtk_set_index = 1;
+        sec_prot_keys_gtk_insert_index_set(supp_entry->sec_keys.gtks, 1);
         tr_debug("PAE start GKH, eui-64: %s", trace_array(kmp_address_eui_64_get(supp_entry->addr), 8));
     } else if (type == IEEE_802_11_GKH) {
         tr_debug("PAE authenticated, eui-64: %s", trace_array(kmp_address_eui_64_get(supp_entry->addr), 8));

source/6LoWPAN/ws/ws_pae_controller.c

@@ -58,16 +58,20 @@ static NS_LIST_DEFINE(pae_controller_list, pae_controller_t, link);
 
 static void ws_pae_controller_test_keys_set(sec_prot_gtk_keys_t *gtks)
 {
+    uint8_t gtk[2][GTK_LEN];
+
     // Test data
-    for (int i = 0; i < 16; i++) {
-        gtks->gtk[0].key[i] = 0xcf - i;
-        gtks->gtk[1].key[i] = 0xef - i;
+    for (int i = 0; i < GTK_LEN; i++) {
+        gtk[0][i] = 0xcf - i;
+        gtk[1][i] = 0xef - i;
     }
-    gtks->gtk[0].set = 1;
-    gtks->gtk[0].live = 1;
 
-    gtks->gtk[1].set = 1;
-    gtks->gtk[1].live = 1;
+    sec_prot_keys_gtk_set(gtks, 0, gtk[0]);
+    sec_prot_keys_gtk_set(gtks, 1, gtk[1]);
+
+    sec_prot_keys_gtkl_set(gtks, 0xFF);
+
+    sec_prot_keys_gtk_insert_index_set(gtks, 0);
 }
 
 int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface_ptr)
@@ -93,7 +97,11 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
     if (ws_pae_supp_authenticate(controller->interface_ptr, controller->target_eui_64) > 0) {
         // Already authenticated
         ws_pae_controller_test_keys_set(&controller->gtks);
-        controller->key_insert(controller->interface_ptr, 0, controller->gtks.gtk[0].key);
+
+        uint8_t index;
+        uint8_t *gtk = sec_prot_keys_get_gtk_to_insert(&controller->gtks, &index);
+
+        controller->key_insert(controller->interface_ptr, index, gtk);
         controller->auth_completed(interface_ptr, true);
     }
 
@@ -123,7 +131,10 @@ int8_t ws_pae_controller_authenticator_start(protocol_interface_info_entry_t *in
     controller->pae_delete = ws_pae_auth_delete;
     controller->pae_timer = ws_pae_auth_timer;
 
-    controller->key_insert(controller->interface_ptr, 0, controller->gtks.gtk[0].key);
+    uint8_t index;
+    uint8_t *gtk = sec_prot_keys_get_gtk_to_insert(&controller->gtks, &index);
+
+    controller->key_insert(controller->interface_ptr, index, gtk);
 
     return 0;
 }

source/6LoWPAN/ws/ws_pae_supp.c

@@ -651,9 +651,13 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
 
     sec_prot_keys_t *keys = sec_keys;
     // Key is to be inserted
-    if (keys && keys->gtk_set_index >= 0) {
-        pae_supp->key_insert(pae_supp->interface_ptr, keys->gtk_set_index, keys->gtks->gtk[keys->gtk_set_index].key);
-        keys->gtk_set_index = -1;
+    if (keys) {
+        uint8_t gtk_index;
+        uint8_t *gtk = sec_prot_keys_get_gtk_to_insert(keys->gtks, &gtk_index);
+        if (gtk) {
+            pae_supp->key_insert(pae_supp->interface_ptr, gtk_index, gtk);
+            sec_prot_keys_gtk_insert_index_clear(keys->gtks);
+        }
     }
 
     if ((type == IEEE_802_11_4WH || type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {

source/Security/eapol/kde_helper.c

@@ -159,10 +159,10 @@ uint8_t *kde_lifetime_write(uint8_t *ptr, uint32_t lifetime)
     return ptr;
 }
 
-uint8_t *kde_gtkl_write(uint8_t *ptr, uint8_t gtkl0, uint8_t gtkl1, uint8_t gtkl2, uint8_t gtkl3)
+uint8_t *kde_gtkl_write(uint8_t *ptr, uint8_t gtkl)
 {
     ptr = kde_header_write(ptr, WISUN_OUI, KDE_GTKL, KDE_GTKL_LEN);
-    *ptr++ = gtkl0 | (gtkl1 << 1) | (gtkl2 << 2) | (gtkl3 << 3);
+    *ptr++ = gtkl;
 
     return ptr;
 }
@@ -205,17 +205,14 @@ int8_t kde_lifetime_read(const uint8_t *ptr, uint16_t len, uint32_t *lifetime)
     return 0;
 }
 
-int8_t kde_gtkl_read(const uint8_t *ptr, uint16_t len, uint8_t *gtkl0, uint8_t *gtkl1, uint8_t *gtkl2, uint8_t *gtkl3)
+int8_t kde_gtkl_read(const uint8_t *ptr, uint16_t len, uint8_t *gtkl)
 {
     ptr = kde_search(ptr, len, WISUN_OUI, KDE_GTKL, KDE_GTKL_LEN);
     if (ptr == NULL) {
         return -1;
     }
 
-    *gtkl0 = *ptr & 0x01;
-    *gtkl1 = (*ptr >> 1) & 0x01;
-    *gtkl2 = (*ptr >> 2) & 0x01;
-    *gtkl3 = (*ptr >> 3) & 0x01;
+    *gtkl = *ptr;
 
     return 0;
 }

source/Security/eapol/kde_helper.h

@@ -18,22 +18,130 @@
 #ifndef KDE_HELPER_H_
 #define KDE_HELPER_H_
 
+/*
+ * EAPOL KDE helper functions
+ *
+ */
+
 #define KDE_GTK_LEN              6 + 2 + 16
 #define KDE_PMKID_LEN            6 + 16
 #define KDE_LIFETIME_LEN         6 + 4
 #define KDE_GTKL_LEN             6 + 1
 
+/**
+ * kde_padded_length_calc calculates padded length for kde (see IEEE 802.11 chapter 11.6.2 EAPOL-Key frames)
+ *
+ * \param kde_length length without padding
+ *
+ * \return padded length
+ */
 uint16_t kde_padded_length_calc(uint16_t kde_length);
+
+/**
+ * kde_padding_write writes padded bytes
+ *
+ * \param start_ptr first byte of the padding
+ * \param end_ptr last bytes next byte
+ *
+ */
 void kde_padding_write(uint8_t *start_ptr, uint8_t *end_ptr);
 
+/**
+ * kde_gtk_write writes GTK
+ *
+ * \param ptr pointer where to write
+ * \param key_id key identifier (index)
+ * \param gtk GTK
+ *
+ * return incremented write pointer
+ *
+ */
 uint8_t *kde_gtk_write(uint8_t *ptr, uint8_t key_id, const uint8_t *gtk);
+
+/**
+ * kde_pmkid_write writes PMKID
+ *
+ * \param ptr pointer where to write
+ * \param pmkid PMKID
+ *
+ * return incremented write pointer
+ *
+ */
 uint8_t *kde_pmkid_write(uint8_t *ptr, const uint8_t *pmkid);
+
+/**
+ * kde_lifetime_write writes GTK lifetime
+ *
+ * \param ptr pointer where to write
+ * \param lifetime GTK lifetime
+ *
+ * return incremented write pointer
+ *
+ */
 uint8_t *kde_lifetime_write(uint8_t *ptr, uint32_t lifetime);
-uint8_t *kde_gtkl_write(uint8_t *ptr, uint8_t gtkl0, uint8_t gtkl1, uint8_t gtkl2, uint8_t gtkl3);
 
+/**
+ * kde_gtkl_write writes GTK liveness information
+ *
+ * \param ptr pointer where to write
+ * \param gtkl GTK liveness bit field
+ *
+ * return incremented write pointer
+ *
+ */
+uint8_t *kde_gtkl_write(uint8_t *ptr, uint8_t gtkl);
+
+/**
+ *  kde_gtk_read reads GTK
+ *
+ * \param ptr pointer where to read
+ * \param len length of the remaining data
+ * \param key_id key identifier (index)
+ * \param gtk GTK
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
 int8_t kde_gtk_read(const uint8_t *ptr, uint16_t len, uint8_t *key_id, uint8_t *gtk);
+
+/**
+ *  kde_pmkid_read reads PMKID
+ *
+ * \param ptr pointer where to read
+ * \param len length of the remaining data
+ * \param pmkid PMKID
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
 int8_t kde_pmkid_read(const uint8_t *ptr, uint16_t len, uint8_t *pmkid);
+
+/**
+ *  kde_lifetime_read reads GTK lifetime
+ *
+ * \param ptr pointer where to read
+ * \param len length of the remaining data
+ * \param lifetime GTK lifetime
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
 int8_t kde_lifetime_read(const uint8_t *ptr, uint16_t len, uint32_t *lifetime);
-int8_t kde_gtkl_read(const uint8_t *ptr, uint16_t len, uint8_t *gtkl0, uint8_t *gtkl1, uint8_t *gtkl2, uint8_t *gtkl3);
+
+/**
+ *  kde_gtkl_read reads GTK liveness information
+ *
+ * \param ptr pointer where to read
+ * \param len length of the remaining data
+ * \param gtkl GTK liveness bit field
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t kde_gtkl_read(const uint8_t *ptr, uint16_t len, uint8_t *gtkl);
 
 #endif /* KDE_HELPER_H_ */

source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c

@@ -87,7 +87,6 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot);
 static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg);
 static void auth_fwh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
 
-static int8_t auth_fwh_sec_prot_pmkid_generate(sec_prot_t *prot, uint8_t *pmkid);
 static int8_t auth_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *sec_keys);
 static int8_t auth_fwh_sec_prot_mic_validate(sec_prot_t *prot);
 
@@ -186,13 +185,13 @@ static fwh_sec_prot_msg_e auth_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
     switch (key_mask) {
         case KEY_INFO_KEY_MIC:
             // Only accept message from supplicant with expected replay counter
-            if (eapol_pdu->msg.key.replay_counter == sec_keys->pmk_key_replay_cnt) {
+            if (eapol_pdu->msg.key.replay_counter == sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
                 msg = FWH_MESSAGE_2;
             }
             break;
         case KEY_INFO_KEY_MIC | KEY_INFO_SECURED_KEY_FRAME:
             // Only accept message from supplicant with expected replay counter
-            if (eapol_pdu->msg.key.replay_counter == sec_keys->pmk_key_replay_cnt) {
+            if (eapol_pdu->msg.key.replay_counter ==  sec_prot_keys_pmk_replay_cnt_get(sec_keys)) {
                 msg = FWH_MESSAGE_4;
             }
             break;
@@ -233,21 +232,24 @@ static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_
     switch (msg) {
         case FWH_MESSAGE_1: {
             uint8_t pmkid[PMKID_LEN];
-            if (auth_fwh_sec_prot_pmkid_generate(prot, pmkid) < 0) {
+            if (sec_prot_lib_pmkid_generate(prot, pmkid, true) < 0) {
                 ns_dyn_mem_free(kde_start);
                 return -1;
             }
             kde_end = kde_pmkid_write(kde_end, pmkid);
         }
         break;
         case FWH_MESSAGE_3: {
-            int8_t gtk_set_index = prot->sec_keys->gtk_set_index;
-            sec_prot_gtk_keys_t *gtks = prot->sec_keys->gtks;
-            if (gtk_set_index >= 0 && gtks->gtk[gtk_set_index].set && gtks->gtk[gtk_set_index].live) {
-                kde_end = kde_gtk_write(kde_end, gtk_set_index, gtks->gtk[gtk_set_index].key);
+            uint8_t gtk_index;
+            uint8_t *gtk = sec_prot_keys_get_gtk_to_insert(prot->sec_keys->gtks, &gtk_index);
+            if (gtk) {
+                kde_end = kde_gtk_write(kde_end, gtk_index, gtk);
+
+                uint32_t gtk_lifetime = sec_prot_keys_gtk_lifetime_get(prot->sec_keys->gtks, gtk_index);
+                kde_end = kde_lifetime_write(kde_end, gtk_lifetime);
             }
-            kde_end = kde_lifetime_write(kde_end, GTK_DEFAULT_LIFETIME);
-            kde_end = kde_gtkl_write(kde_end, gtks->gtk[0].live, gtks->gtk[1].live, gtks->gtk[2].live, gtks->gtk[3].live);
+            uint8_t gtkl = sec_prot_keys_gtkl_get(prot->sec_keys->gtks);
+            kde_end = kde_gtkl_write(kde_end, gtkl);
             kde_padding_write(kde_end, kde_start + kde_len);
         }
         break;
@@ -262,13 +264,15 @@ static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_
 
     switch (msg) {
         case FWH_MESSAGE_1:
-            eapol_pdu.msg.key.replay_counter = ++prot->sec_keys->pmk_key_replay_cnt;
+            sec_prot_keys_pmk_replay_cnt_increment(prot->sec_keys);
+            eapol_pdu.msg.key.replay_counter = sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys);
             eapol_pdu.msg.key.key_information.key_ack = true;
             eapol_pdu.msg.key.key_length = 32;
             eapol_pdu.msg.key.key_nonce = data->nonce;
             break;
         case FWH_MESSAGE_3:
-            eapol_pdu.msg.key.replay_counter = ++prot->sec_keys->pmk_key_replay_cnt;
+            sec_prot_keys_pmk_replay_cnt_increment(prot->sec_keys);
+            eapol_pdu.msg.key.replay_counter = sec_prot_keys_pmk_replay_cnt_get(prot->sec_keys);
             eapol_pdu.msg.key.key_information.install = true;
             eapol_pdu.msg.key.key_information.key_ack = true;
             eapol_pdu.msg.key.key_information.key_mic = true;
@@ -317,6 +321,13 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
         case FWH_STATE_CREATE_REQ:
             tr_debug("4WH start");
 
+            uint8_t *pmk = sec_prot_keys_pmk_get(prot->sec_keys);
+            if (!pmk) { // If PMK is not set fails
+                prot->create_conf(prot, SEC_RESULT_ERROR);
+                sec_prot_state_set(prot, &data->common, FWH_STATE_FINISHED);
+                return;
+            }
+
             // KMP-CREATE.confirm
             prot->create_conf(prot, SEC_RESULT_OK);
 
@@ -394,15 +405,6 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
     }
 }
 
-static int8_t auth_fwh_sec_prot_pmkid_generate(sec_prot_t *prot, uint8_t *pmkid)
-{
-    uint8_t local_eui64[8];
-    uint8_t remote_eui64[8];
-    prot->addr_get(prot, local_eui64, remote_eui64);
-
-    return sec_prot_lib_pmkid_calc(prot->sec_keys->pmk, local_eui64, remote_eui64, pmkid);
-}
-
 static int8_t auth_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *sec_keys)
 {
     fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
@@ -417,7 +419,8 @@ static int8_t auth_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *
         return 1;
     }
 
-    sec_prot_lib_ptk_calc(sec_keys->pmk, local_eui64, remote_eui64, data->nonce, remote_nonce, data->new_ptk);
+    uint8_t *pmk = sec_prot_keys_pmk_get(sec_keys);
+    sec_prot_lib_ptk_calc(pmk, local_eui64, remote_eui64, data->nonce, remote_nonce, data->new_ptk);
 
     return 0;
 }