Added retry traces to authenticator EAP-TLS, 4WH, and GKH
Mika Leppänen committed Mar 4, 2021
1 parent a87646d commit 7f7c01a
Showing 3 changed files with 30 additions and 26 deletions.
29 changes: 15 additions & 14 deletions source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c
Expand Up @@ -89,7 +89,7 @@ static int8_t auth_eap_tls_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_
static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot);

static int8_t auth_eap_tls_sec_prot_message_handle(sec_prot_t *prot);
static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state);
static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state, bool retry);

static void auth_eap_tls_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
static int8_t auth_eap_tls_sec_prot_init_tls(sec_prot_t *prot);
Expand Down Expand Up @@ -247,7 +247,7 @@ static int8_t auth_eap_tls_sec_prot_message_handle(sec_prot_t *prot)
return eap_tls_sec_prot_lib_message_handle(data_ptr, length, new_seq_id, &data->tls_send, &data->tls_recv);
}

static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state)
static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state, bool retry)
{
eap_tls_sec_prot_int_t *data = eap_tls_sec_prot_get(prot);

Expand Down Expand Up @@ -275,9 +275,9 @@ static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_c
return -1;
}

tr_info("EAP-TLS: send %s type %s id %i flags %x len %i, eui-64: %s", eap_msg_trace[eap_code - 1],
eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS", data->eap_id_seq, flags, eapol_pdu_size,
trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
tr_info("EAP-TLS: %s %s type %s id %i flags %x len %i, eui-64: %s", retry ? "retry" : "send",
eap_msg_trace[eap_code - 1], eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS",
data->eap_id_seq, flags, eapol_pdu_size, trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));

if (prot->send(prot, eapol_decoded_data, eapol_pdu_size + prot->header_size) < 0) {
return -1;
Expand Down Expand Up @@ -418,7 +418,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
auth_eap_tls_sec_prot_seq_id_update(prot);

// Sends EAP request, Identity
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -432,7 +432,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
// On timeout
if (sec_prot_result_timeout_check(&data->common)) {
// Re-sends EAP request, Identity
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE, true);
return;
}

Expand All @@ -442,7 +442,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
}

// Sends EAP request, TLS EAP start
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -456,12 +456,13 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)

// On timeout
if (sec_prot_result_timeout_check(&data->common)) {

if (sec_prot_state_get(&data->common) == EAP_TLS_STATE_RESPONSE_START) {
// Re-sends EAP request, TLS EAP start
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, true);
} else {
// Re-sends EAP request, TLS EAP
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING, true);
}
return;
}
Expand All @@ -475,7 +476,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
}
if (result == EAP_TLS_MSG_IDENTITY) {
// If received EAP response, Identity: re-sends EAP request, TLS EAP start
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, true);
return;
}

Expand Down Expand Up @@ -524,7 +525,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
data->send_pending = false;

// Sends EAP request, TLS EAP, TLS exchange
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -534,10 +535,10 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
// Supplicant PMK is now valid
sec_prot_keys_pmk_mismatch_reset(prot->sec_keys);
// Sends EAP success
auth_eap_tls_sec_prot_message_send(prot, EAP_SUCCESS, 0, EAP_TLS_EXCHANGE_NONE);
auth_eap_tls_sec_prot_message_send(prot, EAP_SUCCESS, 0, EAP_TLS_EXCHANGE_NONE, false);
} else {
// Sends EAP failure
auth_eap_tls_sec_prot_message_send(prot, EAP_FAILURE, 0, EAP_TLS_EXCHANGE_NONE);
auth_eap_tls_sec_prot_message_send(prot, EAP_FAILURE, 0, EAP_TLS_EXCHANGE_NONE, false);
sec_prot_result_set(&data->common, SEC_RESULT_ERROR);
}

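Review bot: The new `retry` parameter is undocumented, and every call site in the state-machine hunks now ends in a bare `false` or `true` whose meaning cannot be read from the caller; a one-line comment on the prototype would fix that, e.g. `// retry: true when the message is a re-send (timeout or repeated request); in the visible code it only selects the trace wording ("retry" vs "send")`. Note that the flag is also set to `true` on the path that re-sends the TLS EAP start after a repeated Identity response, which is not a timeout, so the "retry" trace word covers both cases and the comment should say so. The prototypes now use `bool`, and the include block is outside the hunk, so confirm that `<stdbool.h>` (or the project's equivalent) is already pulled in by this file. The same two points apply to auth_fwh_sec_prot.c and auth_gkh_sec_prot.c in this commit.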
16 changes: 9 additions & 7 deletions source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c
Expand Up @@ -80,7 +80,7 @@ static int8_t auth_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
static fwh_sec_prot_msg_e auth_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot);

static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg);
static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg, bool retry);
static void auth_fwh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);

static int8_t auth_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *sec_keys);
Expand Down Expand Up @@ -204,7 +204,7 @@ static fwh_sec_prot_msg_e auth_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
return msg;
}

static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg)
static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg, bool retry)
{
fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);

Expand Down Expand Up @@ -301,7 +301,9 @@ static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_
return -1;
}

tr_info("4WH: send %s, eui-64: %s", msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
tr_info("4WH: %s %s, eui-64: %s", retry ? "retry" : "send",
msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3",
trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));

if (prot->send(prot, eapol_pdu_frame, eapol_pdu_size + prot->header_size) < 0) {
return -1;
Expand Down Expand Up @@ -347,7 +349,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)

// Sends 4WH Message 1
sec_prot_lib_nonce_generate(data->nonce);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -360,7 +362,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
if (sec_prot_result_timeout_check(&data->common)) {
// Re-sends 4WH Message 1
sec_prot_lib_nonce_generate(data->nonce);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1, true);
} else {
if (data->recv_msg != FWH_MESSAGE_2) {
return;
Expand All @@ -375,7 +377,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
}

// Sends 4WH Message 3
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -388,7 +390,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
case FWH_STATE_MESSAGE_4:
if (sec_prot_result_timeout_check(&data->common)) {
// Re-sends 4WH Message 3
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3);
auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3, true);
} else {
if (data->recv_msg != FWH_MESSAGE_4) {
return;
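Review bot: In the FWH_STATE_MESSAGE_2 timeout branch the nonce is regenerated immediately before `auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1, true)`, so the frame traced as `4WH: retry Message 1` is a fresh handshake attempt rather than a retransmission of the previous frame; presumably a late Message 2 computed over the earlier nonce will then no longer validate, which matters when correlating these traces with supplicant-side logs. The existing comment could make that explicit: `// Re-sends 4WH Message 1 with a fresh nonce (not a byte-identical retransmission)`. The Message 3 retry in FWH_STATE_MESSAGE_4 does not regenerate anything in the visible lines, so only the Message 1 case needs the remark. The enclosing state machine starts and ends outside the hunk.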
11 changes: 6 additions & 5 deletions source/Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.c
Expand Up @@ -71,7 +71,7 @@ static int8_t auth_gkh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
static gkh_sec_prot_msg_e auth_gkh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot);

static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg);
static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg, bool retry);
static void auth_gkh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
static int8_t auth_gkh_sec_prot_mic_validate(sec_prot_t *prot);

Expand Down Expand Up @@ -180,7 +180,7 @@ static gkh_sec_prot_msg_e auth_gkh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
return msg;
}

static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg)
static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg, bool retry)
{
uint16_t kde_len = 0;

Expand Down Expand Up @@ -249,7 +249,8 @@ static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_
return -1;
}

tr_info("GKH: send Message 1, eui-64: %s", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
tr_info("GKH: %s Message 1, eui-64: %s", retry ? "retry" : "send",
trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));

if (prot->send(prot, eapol_pdu_frame, eapol_pdu_size + prot->header_size) < 0) {
return -1;
Expand Down Expand Up @@ -287,7 +288,7 @@ static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot)
prot->create_conf(prot, SEC_RESULT_OK);

// Sends GKH Message 1
auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1);
auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1, false);

// Start trickle timer to re-send if no response
sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
Expand All @@ -303,7 +304,7 @@ static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot)

if (sec_prot_result_timeout_check(&data->common)) {
// Re-sends GKH Message 1
auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1);
auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1, true);
} else {
if (auth_gkh_sec_prot_mic_validate(prot) < 0) {
return;
