Added sending of initial EAPOL-key to original target during bootstrap

Mika Leppänen · Mika Leppänen · commit 00fdf8dc50ba · 2019-09-03T16:44:47.000+03:00
If during bootstrap, EAPOL key hash mismatch is detected after EAPOL
authentication, but before bootstrap has completed, supplicant sends
initial EAPOL-key message to original target of the EAPOL. Also when bootstrap
is completed, supplicant checks for the EAPOL key hash mismatch, and if
it is detected, supplicant triggers sending of the initial EAPOL-key to
RPL parent. These changes should make recovering from the key mismatch
faster if it happens during bootstrap.
diff --git a/source/6LoWPAN/ws/ws_bootstrap.c b/source/6LoWPAN/ws/ws_bootstrap.c
@@ -2526,6 +2526,9 @@ static void ws_bootstrap_event_handler(arm_event_s *event)
             cur->ws_info->trickle_pas_running = false;
             cur->ws_info->trickle_pcs_running = false;
 
+            // Indicate PAE controller that bootstrap is ready
+            ws_pae_controller_bootstrap_done(cur);
+
             ws_bootstrap_advertise_start(cur);
             ws_bootstrap_state_change(cur, ER_BOOTSRAP_DONE);
             break;
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -182,6 +182,25 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
     return 0;
 }
 
+int8_t ws_pae_controller_bootstrap_done(protocol_interface_info_entry_t *interface_ptr)
+{
+    pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
+    if (!controller) {
+        return -1;
+    }
+
+#ifdef HAVE_PAE_SUPP
+    // RPL parent is known, remove EAPOL target that what was set using the authenticate call */
+    ws_pae_supp_eapol_target_remove(interface_ptr);
+
+    /* Trigger GTK hash update to supplicant, so it can check whether keys have been updated
+       during bootstrap. Does nothing if GTKs are up to date. */
+    ws_pae_supp_gtk_hash_update(interface_ptr, controller->gtkhash);
+#endif
+
+    return 0;
+}
+
 int8_t ws_pae_controller_authenticator_start(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port)
 {
     (void) local_port;
diff --git a/source/6LoWPAN/ws/ws_pae_controller.h b/source/6LoWPAN/ws/ws_pae_controller.h
@@ -45,6 +45,17 @@ int8_t ws_pae_controller_set_target(protocol_interface_info_entry_t *interface_p
  */
 int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface_ptr);
 
+/**
+ * ws_pae_controller_bootstrap_done indicates to PAE controller that bootstrap is ready
+ *
+ * \param interface_ptr interface
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_controller_bootstrap_done(protocol_interface_info_entry_t *interface_ptr);
+
 /**
  * ws_pae_controller_authenticator_start start PAE authenticator
  *
diff --git a/source/6LoWPAN/ws/ws_pae_supp.c b/source/6LoWPAN/ws/ws_pae_supp.c
@@ -166,6 +166,11 @@ static void ws_pae_supp_address_set(pae_supp_t *pae_supp, kmp_addr_t *address)
     }
 }
 
+static bool ws_pae_supp_address_is_set(pae_supp_t *pae_supp)
+{
+    return pae_supp->entry_address_active;
+}
+
 int8_t ws_pae_supp_authenticate(protocol_interface_info_entry_t *interface_ptr, uint16_t dest_pan_id, uint8_t *dest_eui_64)
 {
     pae_supp_t *pae_supp = ws_pae_supp_get(interface_ptr);
@@ -321,6 +326,9 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt
             ws_pae_supp_timer_start(pae_supp);
 
             tr_info("GTK update start imin: %i, imax: %i, max mismatch: %i, tr time: %i", pae_supp->timer_settings->gtk_request_imin, pae_supp->timer_settings->gtk_request_imax, pae_supp->timer_settings->gtk_max_mismatch, pae_supp->auth_trickle_timer.t);
+        } else {
+            // If trickle is already running, set inconsistent heard to speed up the trickle
+            trickle_inconsistent_heard(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params);
         }
     }
 
@@ -346,6 +354,19 @@ int8_t ws_pae_supp_nw_key_index_update(protocol_interface_info_entry_t *interfac
     return 0;
 }
 
+int8_t ws_pae_supp_eapol_target_remove(protocol_interface_info_entry_t *interface_ptr)
+{
+    pae_supp_t *pae_supp = ws_pae_supp_get(interface_ptr);
+    if (!pae_supp) {
+        return -1;
+    }
+
+    // Sets target/parent address to null
+    ws_pae_supp_address_set(pae_supp, NULL);
+
+    return 0;
+}
+
 static void ws_pae_supp_nvm_update(pae_supp_t *pae_supp)
 {
     // Check if NW info or GTKs have been changed
@@ -450,15 +471,21 @@ static int8_t ws_pae_supp_initial_key_send(pae_supp_t *pae_supp)
     if (!pae_supp->auth_requested) {
         // If not making initial authentication updates target (RPL parent) for each EAPOL-key message
         uint8_t parent_eui_64[8];
-        if (ws_pae_supp_parent_eui_64_get(pae_supp->interface_ptr, parent_eui_64) < 0) {
+        if (ws_pae_supp_parent_eui_64_get(pae_supp->interface_ptr, parent_eui_64) >= 0) {
+            // Stores target/parent address
+            kmp_address_init(KMP_ADDR_EUI_64, &pae_supp->target_addr, parent_eui_64);
+            // Sets parent address in use
+            ws_pae_supp_address_set(pae_supp, &pae_supp->target_addr);
+        } else if (ws_pae_supp_address_is_set(pae_supp)) {
+            /* If there is no RPL parent but there is target address from initial authentication
+               bootstrap, tries to use it. This can happen if BR updates keys after EAPOL authentication
+               but before bootstrap is completed and RPL parent is known */
+            tr_info("EAPOL initial auth target used");
+        } else {
+            // No target, failure
             return -1;
         }
 
-        // Stores target/parent address
-        kmp_address_init(KMP_ADDR_EUI_64, &pae_supp->target_addr, parent_eui_64);
-        // Sets parent address in use
-        ws_pae_supp_address_set(pae_supp, &pae_supp->target_addr);
-
         ws_pae_lib_supp_timer_ticks_set(&pae_supp->entry, WAIT_FOR_REAUTHENTICATION_TICKS);
         tr_info("PAE wait for auth seconds: %i", WAIT_FOR_REAUTHENTICATION_TICKS / 10);
     }
@@ -758,10 +785,7 @@ void ws_pae_supp_fast_timer(uint16_t ticks)
 
         // Checks whether timer needs to be active
         if (!pae_supp->initial_key_timer && !pae_supp->auth_trickle_running && !running) {
-
             tr_debug("PAE idle");
-            // Sets target/parent address to null
-            ws_pae_supp_address_set(pae_supp, NULL);
             // If not already completed, restart bootstrap
             ws_pae_supp_authenticate_response(pae_supp, false);
 
@@ -777,7 +801,9 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
         // Checks whether initial EAPOL-Key message needs to be re-send or new GTK request to be sent
         if (pae_supp->auth_trickle_running) {
             if (trickle_timer(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params, seconds)) {
-                ws_pae_supp_initial_key_send(pae_supp);
+                if (ws_pae_supp_initial_key_send(pae_supp) < 0) {
+                    tr_info("EAPOL-Key send failed");
+                }
             }
             // Maximum number of trickle expires, authentication fails
             if (!trickle_running(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params)) {
@@ -800,14 +826,15 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
                 pae_supp->initial_key_timer = 0;
 
                 // Sends initial EAPOL-Key message
-                ws_pae_supp_initial_key_send(pae_supp);
+                if (ws_pae_supp_initial_key_send(pae_supp) < 0) {
+                    tr_info("EAPOL-Key send failed");
+                }
 
                 // Starts trickle
                 pae_supp->auth_trickle_params = initial_eapol_key_trickle_params;
                 trickle_start(&pae_supp->auth_trickle_timer, &pae_supp->auth_trickle_params);
                 pae_supp->auth_trickle_running = true;
             }
-
         }
     }
 }
diff --git a/source/6LoWPAN/ws/ws_pae_supp.h b/source/6LoWPAN/ws/ws_pae_supp.h
@@ -182,6 +182,17 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt
  */
 int8_t ws_pae_supp_nw_key_index_update(protocol_interface_info_entry_t *interface_ptr, uint8_t index);
 
+/**
+ * ws_pae_supp_eapol_target_remove remove EAPOL target set using authentication start
+ *
+ * \param interface_ptr interface
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_supp_eapol_target_remove(protocol_interface_info_entry_t *interface_ptr);
+
 /**
  * ws_pae_supp_nw_key_index_set network send key index set callback
  *
@@ -238,6 +249,7 @@ void ws_pae_supp_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_
 #define ws_pae_supp_border_router_addr_read NULL
 #define ws_pae_supp_gtk_hash_update NULL
 #define ws_pae_supp_nw_key_index_update NULL
+#define ws_pae_supp_eapol_target_remove(interface_ptr)
 
 #endif
 
