Pana server and client update:

Juha Heiskanen · juhhei01 · commit 957c7fbb77d5 · 2017-12-08T15:14:46.000+02:00
Fix a memory leak when session is removed and eap fragmentation or
reassembly is running.

Fix Pana server eap fragmentation re-trans bug.

Added support to force eap fragmentation timeout, retry and start fail.

Client stop authentication from Client hello state to pana failure.

(cherry picked from commit af2d049b766789fba28d71c6a1875cfe08deb69d)
diff --git a/source/Security/Common/sec_lib_definitions.h b/source/Security/Common/sec_lib_definitions.h
@@ -317,6 +317,7 @@ typedef struct pana_session_t {
     bool session_ready:1;
     bool key_warp:1;
     bool user_server:1;
+    bool packet_delivered:1;
     /* Define Relay usage */
     uint8_t address_status;
     uint8_t session_relay_address[16];
diff --git a/source/Security/Common/security_lib.c b/source/Security/Common/security_lib.c
@@ -748,12 +748,12 @@ int8_t sec_suite_remove(sec_suite_t *cur) {
         return -1;
     }
 
-    if (cur->pana_session.pana_heap) {
-        ns_dyn_mem_free(cur->pana_session.pana_heap);
-        cur->pana_session.pana_heap = NULL;
-    }
+    pana_free_dynamic_ram(cur);
 
     sec_suite_tls_free(cur, true);
+#ifdef ECC
+    sec_ecc_state_free(cur);
+#endif
     ns_list_remove(&sec_suite_list, cur);
     ns_dyn_mem_free(cur);
     return 0;
diff --git a/source/Security/PANA/eap_protocol.c b/source/Security/PANA/eap_protocol.c
@@ -42,6 +42,37 @@
 
 const uint8_t EAP_ANYMOUS[9] = {'a', 'n', 'o', 'n', 'y', 'm', 'o', 'u', 's'};
 
+static bool force_frag_last_retry = false;
+
+static bool force_frag_start_fail = false;
+
+static bool force_frag_timeout = false;
+
+static void eap_seq_back_to_accept(sec_suite_t *suite)
+{
+    if (suite->pana_session.eap_id_seq == 0) {
+        suite->pana_session.eap_id_seq = 0xff;
+    } else {
+        suite->pana_session.eap_id_seq--;
+    }
+}
+
+void pana_eap_fragmetation_start_filter(bool state)
+{
+    tr_debug("Set start state %u", state);
+    force_frag_start_fail = state;
+}
+
+void pana_eap_fragmetation_force_timeout(bool state)
+{
+    force_frag_timeout = state;
+}
+
+void pana_eap_fragmetation_force_retry(bool state)
+{
+    force_frag_last_retry = state;
+}
+
 static buffer_t *eap_common_headroom_get_to_buffer(buffer_t *buf, uint16_t header_size)
 {
     if ((buf = buffer_headroom(buf, header_size)) == 0) {
@@ -145,7 +176,7 @@ bool pana_eap_frag_re_tx(sec_suite_t *suite)
             buffer_data_length_set(f_buf, suite->pana_session.last_assy_size);
             goto success_push;
         }
-    } else if (suite->pana_session.eap_frag_buf) {
+    } else if (suite->pana_session.eap_frag_buf || suite->pana_session.packet_delivered) {
         f_buf = buffer_get(127);
         if (f_buf) {
 
@@ -337,17 +368,24 @@ buffer_t *eap_up(buffer_t *buf, sec_suite_t *suite)
                         if (suite->pana_session.eap_assy_buf) {
                             tr_debug("Free Frag Buf");
                             buffer_free(suite->pana_session.eap_assy_buf);
-                            suite->pana_session.eap_assy_buf  = 0;
+                            suite->pana_session.eap_assy_buf  = NULL;
                         }
                         suite->pana_session.assy_length = 0;
                         suite->pana_session.assy_off_set = 0;
                         suite->pana_session.last_assy_size = 0;
+                        suite->pana_session.packet_delivered = true;
+                        suite->retry_counter = 0;
                     }
                 }
             }
 
             if ((eap_tls_header.eap_tls_flags & EAP_TLS_MORE_FRAGMENTS) == 0) {
                 if (suite->pana_session.frag_length) {
+                    if (force_frag_last_retry || force_frag_timeout) {
+                        force_frag_last_retry = false;
+                        eap_seq_back_to_accept(suite);
+                        return buffer_free(buf);
+                    }
                     buffer_t *t_buf = suite->pana_session.eap_frag_buf;
 
                     uint16_t check_len = suite->pana_session.frag_off_set;
@@ -462,8 +500,14 @@ buffer_t *eap_up(buffer_t *buf, sec_suite_t *suite)
                 //Check did we have a already action
                 if (suite->pana_session.frag_length == 0) {
 
-                    buffer_t *f_buf = buffer_get(eap_tls_header.tls_length);
-                    tr_debug("First Fragment");
+                    buffer_t *f_buf = NULL;
+                    if (force_frag_start_fail) {
+                        tr_debug("Force to drop fragment");
+                        force_frag_start_fail = false;
+                    } else {
+                        tr_debug("First Fragment");
+                        f_buf = buffer_get(eap_tls_header.tls_length);
+                    }
                     if (f_buf) {
                         buffer_data_length_set(f_buf, eap_tls_header.tls_length);
                         memcpy(buffer_data_pointer(f_buf), eap_tls_header.data_ptr, eap_tls_header.tls_frame_length);
@@ -532,4 +576,20 @@ buffer_t *eap_up(buffer_t *buf, sec_suite_t *suite)
             return buffer_free(buf);
     }
 }
+#else
+void pana_eap_fragmetation_start_filter(bool state)
+{
+    (void) state;
+}
+
+void pana_eap_fragmetation_force_timeout(bool state)
+{
+    (void) state;
+}
+
+void pana_eap_fragmetation_force_retry(bool state)
+{
+    (void) state;
+}
+
 #endif
diff --git a/source/Security/PANA/pana_client.c b/source/Security/PANA/pana_client.c
@@ -657,9 +657,11 @@ static void pana_client_state_machine_func(sec_suite_t *suite)
 
             switch (suite->state) {
                 case TLS_KEY_CHANGE:
-                case TLS_INIT:
                     sec_lib_state_machine_trig(suite, TLS_ALERT_INTERNAL);
                     break;
+                case TLS_INIT: //Trig pana failure if not get any response from server
+                    sec_lib_state_machine_trig(suite, PANA_FAILURE);
+                    break;
 
                 default:
                     pana_client_pana_error_handler(suite);
diff --git a/source/Security/PANA/pana_server.c b/source/Security/PANA/pana_server.c
@@ -741,13 +741,14 @@ static void pana_server_state_machine_func(sec_suite_t *suite)
 #ifdef ECC
             if (sec_auth_re_check(suite)) {
                 bool tx_start_OK = false;
-                if (suite->pana_session.assy_length && suite->pana_session.frag_length) {
+                if (suite->pana_session.assy_length || suite->pana_session.frag_length || suite->pana_session.packet_delivered) {
                     //Build next EAP Packet
                     //tr_debug("TX same again fragment piece");
                     tx_start_OK = pana_eap_frag_re_tx(suite);
 
                 } else {
                     if (tls_pana_server_exchange_build(suite)) {
+                        suite->pana_session.packet_delivered = false;
                         tx_start_OK = true;
                     }
 
