added support for EAPOL timing adjustment

Modified the minimum interval settings to be more suitable in Wi-SUN
added possibility to give network slowness value that can be used to adjust
timings

Author: Mika Tervonen

source/6LoWPAN/ws/ws_common.c

@@ -27,6 +27,7 @@
 #include "6LoWPAN/ws/ws_common.h"
 #include "6LoWPAN/ws/ws_bootstrap.h"
 #include "6LoWPAN/ws/ws_bbr_api_internal.h"
+#include "6LoWPAN/ws/ws_pae_controller.h"
 #include "Service_Libs/etx/etx.h"
 #include "Service_Libs/mac_neighbor_table/mac_neighbor_table.h"
 #include "Service_Libs/blacklist/blacklist.h"
@@ -327,7 +328,7 @@ void ws_common_network_size_configure(protocol_interface_info_entry_t *cur, uint
         } else {
             ws_bbr_rpl_config(0, 0, 0);
         }
-
+        ws_pae_controller_timing_adjust(1); // Fast and reactive network
     } else if (network_size < 300) {
         // Configure the Wi-SUN discovery trickle parameters
         cur->ws_info->trickle_params_pan_discovery = trickle_params_pan_discovery_medium;
@@ -336,6 +337,7 @@ void ws_common_network_size_configure(protocol_interface_info_entry_t *cur, uint
         // doublings:5 (960s)
         // redundancy; 10
         ws_bbr_rpl_config(15, 5, 10);
+        ws_pae_controller_timing_adjust(9); // medium limited network
     } else {
         // Configure the Wi-SUN discovery trickle parameters
         cur->ws_info->trickle_params_pan_discovery = trickle_params_pan_discovery_large;
@@ -344,6 +346,7 @@ void ws_common_network_size_configure(protocol_interface_info_entry_t *cur, uint
         // doublings:1 (1048s, 17 min)
         // redundancy; 10 May need some tuning still
         ws_bbr_rpl_config(19, 1, 10);
+        ws_pae_controller_timing_adjust(24); // Very slow and high latency network
     }
     return;
 }

source/6LoWPAN/ws/ws_pae_auth.c

@@ -212,6 +212,14 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot
     return -1;
 }
 
+int8_t ws_pae_auth_timing_adjust(uint8_t timing)
+{
+    auth_gkh_sec_prot_timing_adjust(timing);
+    auth_fwh_sec_prot_timing_adjust(timing);
+    auth_eap_tls_sec_prot_timing_adjust(timing);
+    return 0;
+}
+
 int8_t ws_pae_auth_addresses_set(protocol_interface_info_entry_t *interface_ptr, uint16_t local_port, const uint8_t *remote_addr, uint16_t remote_port)
 {
     if (!interface_ptr || !remote_addr) {

source/6LoWPAN/ws/ws_pae_auth.h

@@ -54,6 +54,28 @@
  */
 int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, sec_prot_gtk_keys_t *next_gtks, const sec_prot_certs_t *certs, timer_settings_t *timer_settings);
 
+/**
+ * ws_pae_auth_timing_adjust Adjust retries and timings of the security protocols
+ *
+ * Timing value is a generic number between 0 to 32 that goes from fast and
+ * reactive network to low bandwidth and long latency.
+ *
+ * example value definitions:
+ * 0-8 very fast network
+ * 9-16 medium network
+ * 16-24 slow network
+ * 25-32 extremely slow network
+ *
+ * There is no need to have lots variations in every layer if protocol is not very active in any case.
+ *
+ * \param timing Timing value.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_auth_timing_adjust(uint8_t timing);
+
 /**
  * ws_pae_auth_addresses_set set relay addresses
  *
@@ -210,6 +232,7 @@ void ws_pae_auth_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_
 #else
 
 #define ws_pae_auth_init(interface_ptr, gtks, next_gtks, certs, timer_settings) 1
+#define ws_pae_auth_timing_adjust(timing) 1
 #define ws_pae_auth_addresses_set(interface_ptr, local_port, remote_addr, remote_port) 1
 #define ws_pae_auth_delete NULL
 #define ws_pae_auth_cb_register(interface_ptr, hash_set, nw_key_insert, nw_key_index_set) {(void) hash_set;}

source/6LoWPAN/ws/ws_pae_controller.c

@@ -710,6 +710,13 @@ int8_t ws_pae_controller_delete(protocol_interface_info_entry_t *interface_ptr)
     return 0;
 }
 
+int8_t ws_pae_controller_timing_adjust(uint8_t timing)
+{
+    ws_pae_supp_timing_adjust(timing);
+    ws_pae_auth_timing_adjust(timing);
+    return 0;
+}
+
 int8_t ws_pae_controller_certificate_chain_set(const arm_certificate_chain_entry_s *new_chain)
 {
     if (!new_chain) {

source/6LoWPAN/ws/ws_pae_controller.h

@@ -114,6 +114,28 @@ int8_t ws_pae_controller_stop(protocol_interface_info_entry_t *interface_ptr);
  */
 int8_t ws_pae_controller_delete(protocol_interface_info_entry_t *interface_ptr);
 
+/**
+ * ws_pae_controller_timing_adjust Adjust retries and timings of the security protocols
+ *
+ * Timing value is a generic number between 0 to 32 that goes from fast and
+ * reactive network to low bandwidth and long latency.
+ *
+ * example value definitions:
+ * 0-8 very fast network
+ * 9-16 medium network
+ * 16-24 slow network
+ * 25-32 extremely slow network
+ *
+ * There is no need to have lots variations in every layer if protocol is not very active in any case.
+ *
+ * \param timing Timing value.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_controller_timing_adjust(uint8_t timing);
+
 /**
  * ws_pae_controller_certificate_chain_set set certificate chain
  *

source/6LoWPAN/ws/ws_pae_supp.c

@@ -656,6 +656,13 @@ int8_t ws_pae_supp_delete(protocol_interface_info_entry_t *interface_ptr)
     return 0;
 }
 
+int8_t ws_pae_supp_timing_adjust(uint8_t timing)
+{
+    supp_fwh_sec_prot_timing_adjust(timing);
+    supp_eap_sec_prot_timing_adjust(timing);
+    return 0;
+}
+
 static void ws_pae_supp_free(pae_supp_t *pae_supp)
 {
     if (!pae_supp) {

source/6LoWPAN/ws/ws_pae_supp.h

@@ -57,6 +57,29 @@ int8_t ws_pae_supp_init(protocol_interface_info_entry_t *interface_ptr, const se
  */
 int8_t ws_pae_supp_delete(protocol_interface_info_entry_t *interface_ptr);
 
+
+/**
+ * ws_pae_supp_timing_adjust Adjust retries and timings of the 4WH protocol
+ *
+ * Timing value is a generic number between 0 to 32 that goes from fast and
+ * reactive network to low bandwidth and long latency.
+ *
+ * example value definitions:
+ * 0-8 very fast network
+ * 9-16 medium network
+ * 16-24 slow network
+ * 25-32 extremely slow network
+ *
+ * There is no need to have lots variations in every layer if protocol is not very active in any case.
+ *
+ * \param timing Timing value.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t ws_pae_supp_timing_adjust(uint8_t timing);
+
 /**
  * ws_pae_supp_fast_timer PAE supplicant fast timer call
  *
@@ -204,6 +227,7 @@ void ws_pae_supp_cb_register(protocol_interface_info_entry_t *interface_ptr, ws_
 
 #define ws_pae_supp_init(interface_ptr, certs, timer_settings) 1
 #define ws_pae_supp_delete NULL
+#define ws_pae_supp_timing_adjust(timing) 1
 #define ws_pae_supp_cb_register(interface_ptr, completed, nw_key_insert, nw_key_index_set)
 #define ws_pae_supp_nw_info_set(interface_ptr, pan_id, network_name) -1
 #define ws_pae_supp_nw_key_valid(interface_ptr) -1

source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c

@@ -69,9 +69,18 @@ typedef struct {
     bool                          send_pending: 1;  /**< TLS data is not yet send to network */
 } eap_tls_sec_prot_int_t;
 
-static const trickle_params_t eap_tls_trickle_params = {
-    .Imin = 200,           /* 20s; ticks are 100ms */
-    .Imax = 450,           /* 45s */
+/*Small network setup*/
+#define EAP_TLS_SMALL_IMIN 300 // retries done in 30 seconds
+#define EAP_TLS_SMALL_IMAX 900 // Largest value 90 seconds
+
+/* Large network setup*/
+#define EAP_TLS_LARGE_IMIN 600 // retries done in 60 seconds
+#define EAP_TLS_LARGE_IMAX 2400 // Largest value 240 seconds
+
+
+static trickle_params_t eap_tls_trickle_params = {
+    .Imin = EAP_TLS_SMALL_IMIN,           /* ticks are 100ms */
+    .Imax = EAP_TLS_SMALL_IMAX,           /* ticks are 100ms */
     .k = 0,                /* infinity - no consistency checking */
     .TimerExpirations = 2
 };
@@ -109,6 +118,19 @@ int8_t auth_eap_tls_sec_prot_register(kmp_service_t *service)
     return 0;
 }
 
+int8_t auth_eap_tls_sec_prot_timing_adjust(uint8_t timing)
+{
+
+    if (timing < 16) {
+        eap_tls_trickle_params.Imin = EAP_TLS_SMALL_IMIN;
+        eap_tls_trickle_params.Imax = EAP_TLS_SMALL_IMAX;
+    } else {
+        eap_tls_trickle_params.Imin = EAP_TLS_LARGE_IMIN;
+        eap_tls_trickle_params.Imax = EAP_TLS_LARGE_IMAX;
+    }
+    return 0;
+}
+
 static uint16_t auth_eap_tls_sec_prot_size(void)
 {
     return sizeof(eap_tls_sec_prot_int_t);

source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.h

@@ -33,4 +33,26 @@
  */
 int8_t auth_eap_tls_sec_prot_register(kmp_service_t *service);
 
+/**
+ * auth_eap_tls_sec_prot_timing_adjust Adjust retries and timings of the EAP-TLS protocol
+ *
+ * Timing value is a generic number between 0 to 32 that goes from fast and
+ * reactive network to low bandwidth and long latency.
+ *
+ * example value definitions:
+ * 0-8 very fast network
+ * 9-16 medium network
+ * 16-24 slow network
+ * 25-32 extremely slow network
+ *
+ * There is no need to have lots variations in every layer if protocol is not very active in any case.
+ *
+ * \param timing Timing value.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t auth_eap_tls_sec_prot_timing_adjust(uint8_t timing);
+
 #endif /* AUTH_EAP_TLS_SEC_PROT_H_ */

source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c

@@ -72,12 +72,10 @@ typedef struct {
     bool                          send_pending: 1;  /**< TLS data is not yet send to network */
 } eap_tls_sec_prot_int_t;
 
-static const trickle_params_t eap_tls_trickle_params = {
-    .Imin = 200,           /* 20s; ticks are 100ms */
-    .Imax = 450,           /* 45s */
-    .k = 0,                /* infinity - no consistency checking */
-    .TimerExpirations = 2
-};
+#define FWH_RETRY_TIMEOUT_SMALL 330*10 // retry timeout for small network additional 30 seconds for authenticator delay
+#define FWH_RETRY_TIMEOUT_LARGE 750*10 // retry timeout for large network additional 30 seconds for authenticator delay
+
+static uint16_t retry_timeout = FWH_RETRY_TIMEOUT_SMALL;
 
 static uint16_t supp_eap_tls_sec_prot_size(void);
 static int8_t supp_eap_tls_sec_prot_init(sec_prot_t *prot);
@@ -112,6 +110,17 @@ int8_t supp_eap_tls_sec_prot_register(kmp_service_t *service)
     return 0;
 }
 
+int8_t supp_eap_sec_prot_timing_adjust(uint8_t timing)
+{
+    if (timing < 16) {
+        retry_timeout = FWH_RETRY_TIMEOUT_SMALL;
+    } else {
+        retry_timeout = FWH_RETRY_TIMEOUT_LARGE;
+    }
+    return 0;
+}
+
+
 static uint16_t supp_eap_tls_sec_prot_size(void)
 {
     return sizeof(eap_tls_sec_prot_int_t);
@@ -281,7 +290,7 @@ static void supp_eap_tls_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks
         data->burst_filt_timer = 0;
     }
 
-    sec_prot_timer_timeout_handle(prot, &data->common, &eap_tls_trickle_params, ticks);
+    sec_prot_timer_timeout_handle(prot, &data->common, NULL, ticks);
 }
 
 static void supp_eap_tls_sec_prot_tls_create_confirm(sec_prot_t *tls_prot, sec_prot_result_e result)
@@ -420,9 +429,6 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 // Send EAP response, Identity
                 supp_eap_tls_sec_prot_message_send(prot, EAP_RESPONSE, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
 
-                // Start trickle timer to re-send if no response
-                sec_prot_timer_trickle_start(&data->common, &eap_tls_trickle_params);
-
                 sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_REQUEST_TLS_EAP);
             } else {
                 // Ready to be deleted
@@ -431,12 +437,6 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             break;
 
         case EAP_TLS_STATE_REQUEST_TLS_EAP:
-            // On timeout
-            if (sec_prot_result_timeout_check(&data->common)) {
-                /* Waits for next trickle expire. If trickle expirations reach the limit,
-                   terminates EAP-TLS */
-                return;
-            }
 
             // Handle EAP request (expected TLS EAP start)
             result = supp_eap_tls_sec_prot_message_handle(prot);
@@ -456,6 +456,7 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             supp_eap_tls_sec_prot_seq_id_update(prot);
 
             sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_REQUEST);
+            data->common.ticks = retry_timeout;
 
             // Initialize TLS protocol
             supp_eap_tls_sec_prot_init_tls(prot);
@@ -464,12 +465,6 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             break;
 
         case EAP_TLS_STATE_REQUEST:
-            // On timeout
-            if (sec_prot_result_timeout_check(&data->common)) {
-                /* Waits for next trickle expire. If trickle expirations reach the limit,
-                   terminates EAP-TLS */
-                return;
-            }
 
             // EAP success
             if (data->eap_code == EAP_SUCCESS) {
@@ -514,8 +509,9 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             supp_eap_tls_sec_prot_message_send(prot, EAP_RESPONSE, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
             data->send_pending = false;
 
-            // Start trickle timer to re-send if no response
-            sec_prot_timer_trickle_start(&data->common, &eap_tls_trickle_params);
+            // Add more time for re-send if no response
+            data->common.ticks = retry_timeout;
+
             break;
 
         case EAP_TLS_STATE_FINISH:

source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.h

@@ -33,5 +33,27 @@
  */
 int8_t supp_eap_tls_sec_prot_register(kmp_service_t *service);
 
+/**
+ * supp_eap_sec_prot_timing_adjust Adjust retries and timings of the 4WH protocol
+ *
+ * Timing value is a generic number between 0 to 32 that goes from fast and
+ * reactive network to low bandwidth and long latency.
+ *
+ * example value definitions:
+ * 0-8 very fast network
+ * 9-16 medium network
+ * 16-24 slow network
+ * 25-32 extremely slow network
+ *
+ * There is no need to have lots variations in every layer if protocol is not very active in any case.
+ *
+ * \param timing Timing value.
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ *
+ */
+int8_t supp_eap_sec_prot_timing_adjust(uint8_t timing);
+
 #endif /* SUPP_EAP_TLS_SEC_PROT_H_ */