diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
index 448127abb7..a8752ad5ac 100644
--- a/source/6LoWPAN/ws/ws_pae_auth.c
+++ b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -108,7 +108,7 @@ typedef struct {
 bool gtk_new_act_time_exp: 1; /**< GTK new activation time expired */
 } pae_auth_t;
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth);
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install);
 static int8_t ws_pae_auth_active_gtk_set(pae_auth_t *pae_auth, uint8_t index);
 static int8_t ws_pae_auth_network_key_index_set(pae_auth_t *pae_auth, uint8_t index);
 static void ws_pae_auth_free(pae_auth_t *pae_auth);
@@ -345,7 +345,7 @@ void ws_pae_auth_start(protocol_interface_info_entry_t *interface_ptr)
 pae_auth->nw_info_updated(pae_auth->interface_ptr);
 // Inserts keys and updates GTK hash on stack
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 // Sets active key index
 ws_pae_auth_network_key_index_set(pae_auth, index);
@@ -362,7 +362,7 @@ void ws_pae_auth_gtks_updated(protocol_interface_info_entry_t *interface_ptr)
 return;
 }
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 }
 int8_t ws_pae_auth_nw_key_index_update(protocol_interface_info_entry_t *interface_ptr, uint8_t index)
@@ -470,7 +470,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
 // Adds new GTK
 ws_pae_auth_gtk_key_insert(pae_auth);
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 // Update keys to NVM as needed
 pae_auth->nw_info_updated(pae_auth->interface_ptr);
@@ -535,8 +535,11 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
 }
 pae_auth->pan_id = pan_id;
+ bool force_install = false;
 if (strlen((char *) &pae_auth->network_name) > 0 && strcmp((char *) &pae_auth->network_name, network_name) != 0) {
 update_keys = true;
+ // Force GTK install to update the new network name to GAK
+ force_install = true;
 }
 strcpy((char *) &pae_auth->network_name, network_name);
@@ -548,7 +551,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
 pae_auth->nw_keys_remove(pae_auth->interface_ptr);
 }
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, force_install);
 int8_t index = sec_prot_keys_gtk_status_active_get(pae_auth->sec_keys_nw_info->gtks);
 if (index >= 0) {
@@ -559,7 +562,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
 return 0;
 }
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install)
 {
 // Authenticator keys are always fresh
 sec_prot_keys_gtk_status_all_fresh_set(pae_auth->sec_keys_nw_info->gtks);
@@ -571,7 +574,7 @@ static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
 }
 if (pae_auth->nw_key_insert) {
- pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks);
+ pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks, force_install);
 }
 return 0;
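Review bot: The forced GAK refresh is taken only when a previous, non-empty network name differs from the new one (the `strlen(...) > 0 &&` guard), so an empty-to-real name transition installs nothing new; if GTKs can already be in the stack before the first name is set, the GAK derived from the empty name would be kept. If that ordering cannot occur, a comment should say so: `// Empty previous name means keys were never installed, so no forced re-install is needed`. The `strcpy` into `pae_auth->network_name` is pre-existing, but since the name now drives a key re-derivation path, bounding that copy to the field size is worth a follow-up. ws_pae_auth_nw_info_set starts and ends outside the hunk.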
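Review bot: The new `force_install` parameter of `ws_pae_auth_network_keys_from_gtks_set` is undocumented and its effect is non-local: it is passed straight through to `nw_key_insert`, where the controller marks every GTK slot as not installed and zeroes its frame counters. A header comment on the definition would make that contract explicit: `// force_install: re-install every GTK even if unchanged and restart its frame counters; only valid when the GAK derivation input (network name) has changed`. The function body continues outside the hunk.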
@@ -716,7 +719,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
 if (second_index < 0) {
 tr_info("GTK new install required active index: %i, time: %"PRIu32", system time: %"PRIu32"", active_index, timer_seconds, protocol_core_monotonic_time / 10);
 ws_pae_auth_gtk_key_insert(pae_auth);
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 // Update keys to NVM as needed
 pae_auth->nw_info_updated(pae_auth->interface_ptr);
 } else {
@@ -744,7 +747,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
 if (timer_seconds == 0) {
 tr_info("GTK expired index: %i, system time: %"PRIu32"", i, protocol_core_monotonic_time / 10);
 ws_pae_auth_gtk_clear(pae_auth, i);
- ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+ ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 // Update keys to NVM as needed
 pae_auth->nw_info_updated(pae_auth->interface_ptr);
 }
diff --git a/source/6LoWPAN/ws/ws_pae_auth.h b/source/6LoWPAN/ws/ws_pae_auth.h
index fc1030a750..d302aeaf0f 100644
--- a/source/6LoWPAN/ws/ws_pae_auth.h
+++ b/source/6LoWPAN/ws/ws_pae_auth.h
@@ -207,12 +207,13 @@ typedef void ws_pae_auth_gtk_hash_set(protocol_interface_info_entry_t *interface
 *
 * \param interface_ptr interface
 * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
 *
 * \return < 0 failure
 * \return >= 0 success
 *
 */
-typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 /**
 * ws_pae_auth_nw_keys_remove remove network keys callback
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
index e222d825da..cbd19d61aa 100644
--- a/source/6LoWPAN/ws/ws_pae_controller.c
+++ b/source/6LoWPAN/ws/ws_pae_controller.c
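Review bot: The new `\param force_install` line in ws_pae_auth.h (and the identical one in ws_pae_supp.h later in this diff) documents only the install condition, not the side effect the controller implementation attaches to it: every GTK slot is re-installed and its frame counters are restarted. Since this callback type is the contract both the authenticator and the supplicant program against, and presumably the same controller function backs both, the side effect belongs here, e.g. `\param force_install TRUE re-install all GTKs and restart their frame counters (use only when the GAK derivation input changes), FALSE install keys only if GTKs have changed`. That wording also fixes "GTKs has changed".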
@@ -126,7 +126,7 @@ static void ws_pae_controller_nvm_frame_counter_write(nvm_tlv_t *tlv_entry);
 static int8_t ws_pae_controller_nvm_frame_counter_read(uint32_t *restart_cnt, uint64_t *stored_time, uint16_t *pan_version, frame_counters_t *counters);
 static pae_controller_t *ws_pae_controller_get_or_create(int8_t interface_id);
 static void ws_pae_controller_gtk_hash_set(protocol_interface_info_entry_t *interface_ptr, uint8_t *gtkhash);
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 static void ws_pae_controller_active_nw_key_clear(nw_key_t *nw_key);
 static void ws_pae_controller_active_nw_key_set(protocol_interface_info_entry_t *cur, uint8_t index);
 static int8_t ws_pae_controller_gak_from_gtk(uint8_t *gak, uint8_t *gtk, char *network_name);
@@ -137,6 +137,7 @@ static void ws_pae_controller_nw_key_index_check_and_set(protocol_interface_info
 static void ws_pae_controller_data_init(pae_controller_t *controller);
 static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller);
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters);
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index);
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_write(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_read(protocol_interface_info_entry_t *interface_ptr, uint16_t *pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
@@ -165,7 +166,7 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
 // In case test keys are set uses those and does not initiate authentication
 if (controller->gtks_set) {
 if (sec_prot_keys_gtks_are_updated(&controller->gtks)) {
- ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks);
+ ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks, false);
 sec_prot_keys_gtks_updated_reset(&controller->gtks);
 ws_pae_supp_gtks_set(controller->interface_ptr, &controller->gtks);
 }
@@ -403,7 +404,7 @@ int8_t ws_pae_controller_nw_key_valid(protocol_interface_info_entry_t *interface
 return ws_pae_supp_nw_key_valid(interface_ptr, br_iid);
 }
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks)
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install)
 {
 pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
 if (!controller) {
@@ -429,6 +430,13 @@ static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_
 tr_info("NW key remove: %i", i);
 }
+ if (force_install) {
+ // Install always
+ nw_key[i].installed = false;
+ // Frame counters are fresh
+ ws_pae_controller_frame_counter_index_reset(&controller->frame_counters, i);
+ }
+
 // If GTK key is not set, continues to next GTK
 if (!gtk) {
 continue;
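Review bot: The `if (force_install)` block resets the frame counter of slot `i` unconditionally, so a forced install under an unchanged GAK would restart the 802.15.4 frame counter (which feeds the CCM* nonce) for a key the stack keeps using; the change is safe only because the single `force_install = true` caller couples it to a network-name change, and that precondition is neither enforced nor written down here. A comment at the block would pin it: `// Counter restart is only safe because force_install implies a new GAK (network name changed); never force with an unchanged key`. The reset also runs for slots whose GTK is unset, before the `if (!gtk) continue;` check; harmless as far as visible, but placing the block after that check would avoid touching empty slots. ws_pae_controller_nw_key_check_and_insert continues outside the hunk.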
@@ -798,13 +806,18 @@ static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller)
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters)
 {
 for (uint8_t index = 0; index < GTK_NUM; index++) {
- memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
- frame_counters->counter[index].frame_counter = 0;
- frame_counters->counter[index].stored_frame_counter = 0;
- frame_counters->counter[index].set = false;
+ ws_pae_controller_frame_counter_index_reset(frame_counters, index);
 }
 }
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index)
+{
+ memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
+ frame_counters->counter[index].frame_counter = 0;
+ frame_counters->counter[index].stored_frame_counter = 0;
+ frame_counters->counter[index].set = false;
+}
+
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks)
 {
 if (ws_pae_controller_nvm_nw_info_read(controller->interface_ptr, &controller->sec_keys_nw_info.key_pan_id, controller->sec_keys_nw_info.network_name, gtks) < 0) {
diff --git a/source/6LoWPAN/ws/ws_pae_supp.c b/source/6LoWPAN/ws/ws_pae_supp.c
index 9beda28756..cca9cf7953 100644
--- a/source/6LoWPAN/ws/ws_pae_supp.c
+++ b/source/6LoWPAN/ws/ws_pae_supp.c
@@ -355,7 +355,7 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt
 }
 // Modify keys
- pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks);
+ pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false);
 return 0;
 }
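Review bot: `ws_pae_controller_frame_counter_index_reset` indexes `frame_counters->counter[index]` without checking `index < GTK_NUM`; both visible callers (the loop above it and the forced-install path in `ws_pae_controller_nw_key_check_and_insert`) pass a loop index, so it holds today, but the helper now exists as a standalone entry point that future callers will reach with arbitrary values. A one-line precondition comment is enough for a static helper: `// index must be < GTK_NUM; callers iterate over the GTK slots`. The `memset` of the stored GTK copy is a plain zeroing of a field that stays in use, so it will not be optimized away, but it should not be read as a secure wipe of any other copy of the key.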
@@ -521,7 +521,7 @@ static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan
 (sec_prot_keys_pmk_get(&pae_supp->entry.sec_keys) != NULL) && (sec_prot_keys_ptk_get(&pae_supp->entry.sec_keys) != NULL)) {
 tr_debug("Existing keys used, counter %i", pae_supp->nw_keys_used_cnt);
- if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks) >= 0) {
+ if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false) >= 0) {
 tr_debug("Keys inserted");
 }
 pae_supp->nw_keys_used_cnt++;
@@ -1260,7 +1260,7 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
 if ((type == IEEE_802_11_4WH || type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {
 if (sec_keys) {
 sec_prot_keys_t *keys = sec_keys;
- pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks);
+ pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks, false);
 }
 ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_OK);
diff --git a/source/6LoWPAN/ws/ws_pae_supp.h b/source/6LoWPAN/ws/ws_pae_supp.h
index bed5ebc7e2..0642872896 100644
--- a/source/6LoWPAN/ws/ws_pae_supp.h
+++ b/source/6LoWPAN/ws/ws_pae_supp.h
@@ -221,12 +221,13 @@ typedef const uint8_t *ws_pae_supp_auth_next_target(protocol_interface_info_entr
 *
 * \param interface_ptr interface
 * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
 *
 * \return < 0 failure
 * \return >= 0 success
 *
 */
-typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 /**
 * ws_pae_supp_gtk_hash_ptr_get get pointer to GTK hash storage callback
diff --git a/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c b/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c
index a8dc175b7b..6b729450a0 100644
--- a/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c
+++ b/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c
@@ -79,6 +79,8 @@ typedef enum {
 #define RADIUS_ID_RANGE_SIZE 10
 #define RADIUS_ID_RANGE_NUM (255 / RADIUS_ID_RANGE_SIZE) - 1
+#define RADIUS_ID_TIMEOUT 60
+
 typedef struct radius_client_sec_prot_lib_int_s radius_client_sec_prot_lib_int_t;
 typedef struct {
@@ -120,7 +122,6 @@ typedef struct {
 static uint16_t radius_client_sec_prot_size(void);
 static int8_t radius_client_sec_prot_init(sec_prot_t *prot);
 static int8_t radius_client_sec_prot_shared_data_timeout(uint16_t ticks);
-static void radius_identifier_timer_value_set(uint8_t conn_num, uint8_t id_range, uint8_t value);
 static int8_t radius_client_sec_prot_shared_data_delete(void);
 static void radius_identifier_timer_value_set(uint8_t conn_num, uint8_t id_range, uint8_t value);
 static void radius_client_sec_prot_create_response(sec_prot_t *prot, sec_prot_result_e result);
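Review bot: `#define RADIUS_ID_TIMEOUT 60` carries no unit, while the comment it replaces in the later hunk said "60 seconds" and the `radius_client_sec_prot_shared_data_timeout(uint16_t ticks)` prototype in the next hunk suggests the value ends up in a tick-driven timer; the define should say which it is, e.g. `#define RADIUS_ID_TIMEOUT 60 // identifier range reservation lifetime, seconds`. Being explicit matters because the derived `RADIUS_ID_TIMEOUT / 5` used in the later hunks is an integer division and will silently round down if the constant is retuned.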
@@ -541,17 +542,17 @@ static uint8_t radius_client_sec_prot_identifier_allocate(sec_prot_t *prot, uint
 {
 radius_client_sec_prot_int_t *data = radius_client_sec_prot_get(prot);
- if (!data->radius_id_range_set || value >= (data->radius_id_range * RADIUS_ID_RANGE_SIZE) + RADIUS_ID_RANGE_SIZE) {
+ if (!data->radius_id_range_set || value >= (data->radius_id_range * RADIUS_ID_RANGE_SIZE) + RADIUS_ID_RANGE_SIZE - 1) {
 for (uint8_t conn_num = 0; conn_num < RADIUS_CONN_NUMBER; conn_num++) {
 for (uint8_t id_range = 0; id_range < RADIUS_ID_RANGE_NUM; id_range++) {
 if (shared_data->radius_identifier_timer[conn_num][id_range] == 0) {
 // If range has been already reserved
 if (data->radius_id_range_set) {
- // Set previous range to timeout in 5 seconds
- radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 5);
+ // Set previous range to timeout at 1/5 of identifier timeout
+ radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT / 5);
 }
 // Set timeout for new range to 60 seconds
- radius_identifier_timer_value_set(conn_num, id_range, 60);
+ radius_identifier_timer_value_set(conn_num, id_range, RADIUS_ID_TIMEOUT);
 data->radius_id_conn_num = conn_num;
 data->radius_id_range = id_range;
 data->radius_id_range_set = true;
@@ -560,7 +561,7 @@ static uint8_t radius_client_sec_prot_identifier_allocate(sec_prot_t *prot, uint
 }
 }
 } else {
- radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 60);
+ radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT);
 return value + 1;
 }
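Review bot: The new boundary `... + RADIUS_ID_RANGE_SIZE - 1` appears to close an off-by-one in the else branch, which returns `value + 1` and previously could hand out the first identifier of the neighbouring range (base + 10) while this connection only holds base..base+9, so a response carrying that identifier could be matched against another connection's request; that deserves a comment on the condition, since the trailing `- 1` otherwise reads like a slip: `// last usable id in this range is base + SIZE - 1; value + 1 below must stay inside it`. The surviving context comment `// Set timeout for new range to 60 seconds` still hard-codes the number the new constant abstracts and should become `// Set timeout for new range to RADIUS_ID_TIMEOUT`. The `RADIUS_ID_TIMEOUT / 5` expression is duplicated here and in radius_client_sec_prot_identifier_free in the next hunk; naming it once next to `RADIUS_ID_TIMEOUT` (for example a `RADIUS_ID_PREV_RANGE_TIMEOUT` define) would keep the two in step. The function continues outside the hunk.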
@@ -572,7 +573,8 @@ static void radius_client_sec_prot_identifier_free(sec_prot_t *prot)
 radius_client_sec_prot_int_t *data = radius_client_sec_prot_get(prot);
 if (data->radius_id_range_set) {
- radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, 5);
+ // Timeout at 1/5 of identifier timeout
+ radius_identifier_timer_value_set(data->radius_id_conn_num, data->radius_id_range, RADIUS_ID_TIMEOUT / 5);
 }
 }
diff --git a/source/Service_Libs/fhss/fhss_ws.c b/source/Service_Libs/fhss/fhss_ws.c
index 78cb5154d5..848079e69d 100644
--- a/source/Service_Libs/fhss/fhss_ws.c
+++ b/source/Service_Libs/fhss/fhss_ws.c
@@ -305,12 +305,12 @@ static void fhss_broadcast_handler(const fhss_api_t *fhss_api, uint16_t delay)
 /* Start timer with random timeout to trigger broadcast TX queue poll event.
 * Min random is 1/50 of the channel dwell interval.
- * Max random is 1/10 of the channel dwell interval.
+ * Max random is 3/4 of the channel dwell interval.
 * Event timer resolution is 50us.
 */
 uint32_t bc_dwell_us = MS_TO_US(fhss_structure->ws->fhss_configuration.fhss_bc_dwell_interval);
 uint16_t bc_min_random = (bc_dwell_us / 50) / 50;
- uint16_t bc_max_random = (bc_dwell_us / 10) / 50;
+ uint16_t bc_max_random = (bc_dwell_us - (bc_dwell_us / 4)) / 50;
 eventOS_callback_timer_start(fhss_structure->fhss_event_timer, randLIB_get_random_in_range(bc_min_random, bc_max_random));
 } else {
 fhss_structure->ws->unicast_start_time_us = fhss_structure->callbacks.read_timestamp(fhss_structure->fhss_api);
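Review bot: `bc_max_random` is a `uint16_t` but the new expression keeps 3/4 of `bc_dwell_us` (a `uint32_t`), so the narrowing now overflows once the broadcast dwell interval exceeds roughly 4.3 s (65535 * 50 / 0.75 µs), where the old 1/10 formula tolerated about 32 s. If `fhss_bc_dwell_interval` is bounded to 255 ms by its type or by configuration validation this is fine, but it should be stated at the assignment, e.g. `// fits uint16_t: dwell <= 255 ms gives at most 3825 ticks of 50 us`; if it is not bounded, clamp `bc_dwell_us` before the conversion. fhss_broadcast_handler starts and ends outside the hunk.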