Set frame counter increment to 1000000

Mika Leppänen · Mika Leppänen · commit 40dc21529421 · 2020-09-23T10:02:59.000+03:00
Removed not needed NVM writes for PAN ID and network name on
supplicant. Added frame counter maximum value check.
diff --git a/source/6LoWPAN/ws/ws_config.h b/source/6LoWPAN/ws/ws_config.h
@@ -174,8 +174,8 @@ extern uint8_t DEVICE_MIN_SENS;
 #define FRAME_COUNTER_STORE_INTERVAL        60          // Time interval (on seconds) between checking if frame counter storing is needed
 #define FRAME_COUNTER_STORE_FORCE_INTERVAL  (3600 * 20) // Time interval (on seconds) before frame counter storing is forced (if no other storing operations triggered)
 #define FRAME_COUNTER_STORE_TRIGGER         5           // Delay (on seconds) before storing, when storing of frame counters is triggered
-#define FRAME_COUNTER_INCREMENT             1000        // How much frame counter is incremented on start up
-#define FRAME_COUNTER_STORE_THRESHOLD       800         // How much frame counter must increment before it is stored
+#define FRAME_COUNTER_INCREMENT             1000000     // How much frame counter is incremented on start up
+#define FRAME_COUNTER_STORE_THRESHOLD       994999      // How much frame counter must increment before it is stored
 
 
 /*
diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -440,7 +440,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
 
         // If active GTK lifetime is larger than revocation lifetime decrements active GTK lifetime
         if (active_lifetime > revocation_lifetime) {
-            sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, active_index, current_time, active_lifetime - revocation_lifetime);
+            sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, active_index, current_time, active_lifetime - revocation_lifetime, true);
             tr_info("Access revocation start, GTK active index: %i, revoked lifetime: %"PRIu32"", active_index, revocation_lifetime);
         } else {
             // Otherwise decrements lifetime of the GTK to be installed after the active one
@@ -451,7 +451,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
 
                 uint32_t second_lifetime = sec_prot_keys_gtk_lifetime_get(pae_auth->sec_keys_nw_info->gtks, second_index);
                 if (second_lifetime > second_revocation_lifetime) {
-                    sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, second_index, current_time, second_lifetime - second_revocation_lifetime);
+                    sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, second_index, current_time, second_lifetime - second_revocation_lifetime, true);
                     tr_info("Access revocation start, GTK second active index: %i, revoked lifetime: %"PRIu32"", second_index, second_revocation_lifetime);
                 }
                 // Removes other keys than active and GTK to be installed next
@@ -710,7 +710,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
             if (!sec_prot_keys_gtk_is_set(pae_auth->sec_keys_nw_info->gtks, i)) {
                 continue;
             }
-            uint32_t timer_seconds = sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, i, current_time, seconds);
+            uint32_t timer_seconds = sec_prot_keys_gtk_lifetime_decrement(pae_auth->sec_keys_nw_info->gtks, i, current_time, seconds, true);
             if (active_index == i) {
                 if (!pae_auth->gtk_new_inst_req_exp) {
                     pae_auth->gtk_new_inst_req_exp = ws_pae_timers_gtk_new_install_required(pae_auth->sec_cfg, timer_seconds);
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -783,8 +783,14 @@ static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller)
         // Checks frame counters
         for (uint8_t index = 0; index < GTK_NUM; index++) {
             if (controller->frame_counters.counter[index].set) {
-                // Increments frame counters
-                controller->frame_counters.counter[index].frame_counter += FRAME_COUNTER_INCREMENT;
+                // If there is room on frame counter space
+                if (controller->frame_counters.counter[index].frame_counter < (UINT32_MAX - FRAME_COUNTER_INCREMENT * 2)) {
+                    // Increments frame counters
+                    controller->frame_counters.counter[index].frame_counter += FRAME_COUNTER_INCREMENT;
+                } else {
+                    tr_error("Frame counter space exhausted");
+                    controller->frame_counters.counter[index].frame_counter = UINT32_MAX;
+                }
                 controller->frame_counters.counter[index].stored_frame_counter =
                     controller->frame_counters.counter[index].frame_counter;
 
@@ -891,6 +897,7 @@ int8_t ws_pae_controller_supp_init(protocol_interface_info_entry_t *interface_pt
     ws_pae_controller_nw_info_read(controller, controller->sec_keys_nw_info.gtks);
     // Set active key back to fresh so that it can be used again after re-start
     sec_prot_keys_gtk_status_active_to_fresh_set(&controller->gtks);
+    sec_prot_keys_gtks_updated_reset(&controller->gtks);
 
     return 0;
 }
diff --git a/source/6LoWPAN/ws/ws_pae_supp.c b/source/6LoWPAN/ws/ws_pae_supp.c
@@ -549,11 +549,13 @@ int8_t ws_pae_supp_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
         sec_prot_keys_ptk_delete(&pae_supp->entry.sec_keys);
         sec_prot_keys_ptk_eui_64_delete(&pae_supp->entry.sec_keys);
         // Delete GTKs
-        sec_prot_keys_gtks_init(pae_supp->sec_keys_nw_info->gtks);
-        sec_prot_keys_gtks_updated_set(pae_supp->sec_keys_nw_info->gtks);
-        ws_pae_supp_nvm_update(pae_supp);
+        sec_prot_keys_gtks_clear(pae_supp->sec_keys_nw_info->gtks);
+        // If data is changed, store to NVM
+        if (sec_prot_keys_are_updated(&pae_supp->entry.sec_keys) ||
+                sec_prot_keys_gtks_are_updated(pae_supp->sec_keys_nw_info->gtks)) {
+            ws_pae_supp_nvm_update(pae_supp);
+        }
     }
-
     return 0;
 }
 
@@ -888,7 +890,7 @@ void ws_pae_supp_slow_timer(uint16_t seconds)
                 continue;
             }
             uint64_t current_time = ws_pae_current_time_get();
-            sec_prot_keys_gtk_lifetime_decrement(pae_supp->sec_keys_nw_info->gtks, i, current_time, seconds);
+            sec_prot_keys_gtk_lifetime_decrement(pae_supp->sec_keys_nw_info->gtks, i, current_time, seconds, false);
         }
 
         if (pae_supp->initial_key_timer > 0) {
diff --git a/source/Security/protocols/sec_prot_keys.c b/source/Security/protocols/sec_prot_keys.c
@@ -96,6 +96,16 @@ void sec_prot_keys_gtks_init(sec_prot_gtk_keys_t *gtks)
     gtks->updated = false;
 }
 
+void sec_prot_keys_gtks_clear(sec_prot_gtk_keys_t *gtks)
+{
+    for (uint8_t i = 0; i < GTK_NUM; i++) {
+        if (sec_prot_keys_gtk_is_set(gtks, i)) {
+            gtks->updated = true;
+        }
+    }
+    memset(gtks, 0, sizeof(sec_prot_gtk_keys_t));
+}
+
 void sec_prot_keys_gtks_delete(sec_prot_gtk_keys_t *gtks)
 {
     ns_dyn_mem_free(gtks);
@@ -113,12 +123,15 @@ void sec_prot_keys_pmk_write(sec_prot_keys_t *sec_keys, uint8_t *pmk, uint32_t p
 
 void sec_prot_keys_pmk_delete(sec_prot_keys_t *sec_keys)
 {
+    if (sec_keys->pmk_key_replay_cnt != 0 || sec_keys->pmk_key_replay_cnt_set ||
+            sec_keys->pmk_lifetime != 0 || sec_keys->pmk_set) {
+        sec_keys->updated = true;
+    }
     memset(sec_keys->pmk, 0, PMK_LEN);
     sec_keys->pmk_key_replay_cnt = 0;
     sec_keys->pmk_key_replay_cnt_set = false;
     sec_keys->pmk_lifetime = 0;
     sec_keys->pmk_set = false;
-    sec_keys->updated = true;
 }
 
 uint8_t *sec_prot_keys_pmk_get(sec_prot_keys_t *sec_keys)
@@ -222,10 +235,12 @@ void sec_prot_keys_ptk_write(sec_prot_keys_t *sec_keys, uint8_t *ptk, uint32_t p
 
 void sec_prot_keys_ptk_delete(sec_prot_keys_t *sec_keys)
 {
+    if (sec_keys->ptk_lifetime != 0 || sec_keys->ptk_set) {
+        sec_keys->updated = true;
+    }
     memset(sec_keys->ptk, 0, PTK_LEN);
     sec_keys->ptk_lifetime = 0;
     sec_keys->ptk_set = false;
-    sec_keys->updated = true;
 }
 
 uint8_t *sec_prot_keys_ptk_get(sec_prot_keys_t *sec_keys)
@@ -279,9 +294,11 @@ uint8_t *sec_prot_keys_ptk_eui_64_get(sec_prot_keys_t *sec_keys)
 
 void sec_prot_keys_ptk_eui_64_delete(sec_prot_keys_t *sec_keys)
 {
+    if (sec_keys->ptk_eui_64_set) {
+        sec_keys->updated = true;
+    }
     memset(sec_keys->ptk_eui_64, 0, 8);
     sec_keys->ptk_eui_64_set = false;
-    sec_keys->updated = true;
 }
 
 bool sec_prot_keys_ptk_lifetime_decrement(sec_prot_keys_t *sec_keys, uint8_t seconds)
@@ -490,7 +507,7 @@ uint32_t sec_prot_keys_gtk_lifetime_get(sec_prot_gtk_keys_t *gtks, uint8_t index
     return gtks->gtk[index].lifetime;
 }
 
-uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds)
+uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds, bool gtk_update_enable)
 {
     if (gtks->gtk[index].lifetime > seconds) {
         gtks->gtk[index].lifetime -= seconds;
@@ -508,7 +525,7 @@ uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t
         diff = expirytime - gtks->gtk[index].expirytime;
     }
     // If timestamps differ for more than 5 minutes marks field as updated (and stores to NVM)
-    if (diff > 300) {
+    if (diff > 300 && gtk_update_enable) {
         gtks->updated = true;
     }
 
@@ -588,7 +605,8 @@ int8_t sec_prot_keys_gtk_status_active_set(sec_prot_gtk_keys_t *gtks, uint8_t in
             }
         }
         gtks->gtk[index].status = GTK_STATUS_ACTIVE;
-        gtks->updated = true;
+        /* Changing fresh to active does not change the gtks updated state since active
+           keys are set to fresh on nvm read on startup */
         return 0;
     }
 
diff --git a/source/Security/protocols/sec_prot_keys.h b/source/Security/protocols/sec_prot_keys.h
@@ -200,6 +200,14 @@ sec_prot_gtk_keys_t *sec_prot_keys_gtks_create(void);
  */
 void sec_prot_keys_gtks_init(sec_prot_gtk_keys_t *gtks);
 
+/**
+ * sec_prot_keys_gtks_init clear GTK keys
+ *
+ * \param gtks GTK keys
+ *
+ */
+void sec_prot_keys_gtks_clear(sec_prot_gtk_keys_t *gtks);
+
 /**
  * sec_prot_keys_gtks_delete frees GTK keys memory
  *
@@ -616,11 +624,12 @@ uint32_t sec_prot_keys_gtk_lifetime_get(sec_prot_gtk_keys_t *gtks, uint8_t index
  * \param index index for GTK
  * \param current_time current timestamp
  * \param seconds elapsed seconds
+ * \param gtk_update_enable enable GTK status to be updated
  *
  * \return new GTK lifetime
  *
  */
-uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds);
+uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds, bool gtk_update_enable);
 
 /**
  * sec_prot_keys_gtk_exptime_from_lifetime_get converts GTK lifetime to expiry time.

Original file line number	Diff line number	Diff line change
`@@ -549,11 +549,13 @@ int8_t ws_pae_supp_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u`
`549`	`549`	`sec_prot_keys_ptk_delete(&pae_supp->entry.sec_keys);`
`550`	`550`	`sec_prot_keys_ptk_eui_64_delete(&pae_supp->entry.sec_keys);`
`551`	`551`	`// Delete GTKs`
`552`		`- sec_prot_keys_gtks_init(pae_supp->sec_keys_nw_info->gtks);`
`553`		`- sec_prot_keys_gtks_updated_set(pae_supp->sec_keys_nw_info->gtks);`
`554`		`- ws_pae_supp_nvm_update(pae_supp);`
	`552`	`+ sec_prot_keys_gtks_clear(pae_supp->sec_keys_nw_info->gtks);`
	`553`	`+ // If data is changed, store to NVM`
	`554`	`+ if (sec_prot_keys_are_updated(&pae_supp->entry.sec_keys) \|\|`
	`555`	`+ sec_prot_keys_gtks_are_updated(pae_supp->sec_keys_nw_info->gtks)) {`
	`556`	`+ ws_pae_supp_nvm_update(pae_supp);`
	`557`	`+ }`
`555`	`558`	`}`
`556`		`-`
`557`	`559`	`return 0;`
`558`	`560`	`}`
`559`	`561`
`@@ -888,7 +890,7 @@ void ws_pae_supp_slow_timer(uint16_t seconds)`
`888`	`890`	`continue;`
`889`	`891`	`}`
`890`	`892`	`uint64_t current_time = ws_pae_current_time_get();`
`891`		`- sec_prot_keys_gtk_lifetime_decrement(pae_supp->sec_keys_nw_info->gtks, i, current_time, seconds);`
	`893`	`+ sec_prot_keys_gtk_lifetime_decrement(pae_supp->sec_keys_nw_info->gtks, i, current_time, seconds, false);`
`892`	`894`	`}`
`893`	`895`
`894`	`896`	`if (pae_supp->initial_key_timer > 0) {`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,16 @@ void sec_prot_keys_gtks_init(sec_prot_gtk_keys_t *gtks)`
`96`	`96`	`gtks->updated = false;`
`97`	`97`	`}`
`98`	`98`
	`99`	`+void sec_prot_keys_gtks_clear(sec_prot_gtk_keys_t *gtks)`
	`100`	`+{`
	`101`	`+ for (uint8_t i = 0; i < GTK_NUM; i++) {`
	`102`	`+ if (sec_prot_keys_gtk_is_set(gtks, i)) {`
	`103`	`+ gtks->updated = true;`
	`104`	`+ }`
	`105`	`+ }`
	`106`	`+ memset(gtks, 0, sizeof(sec_prot_gtk_keys_t));`
	`107`	`+}`
	`108`	`+`
`99`	`109`	`void sec_prot_keys_gtks_delete(sec_prot_gtk_keys_t *gtks)`
`100`	`110`	`{`
`101`	`111`	`ns_dyn_mem_free(gtks);`
`@@ -113,12 +123,15 @@ void sec_prot_keys_pmk_write(sec_prot_keys_t sec_keys, uint8_t pmk, uint32_t p`
`113`	`123`
`114`	`124`	`void sec_prot_keys_pmk_delete(sec_prot_keys_t *sec_keys)`
`115`	`125`	`{`
	`126`	`+ if (sec_keys->pmk_key_replay_cnt != 0 \|\| sec_keys->pmk_key_replay_cnt_set \|\|`
	`127`	`+ sec_keys->pmk_lifetime != 0 \|\| sec_keys->pmk_set) {`
	`128`	`+ sec_keys->updated = true;`
	`129`	`+ }`
`116`	`130`	`memset(sec_keys->pmk, 0, PMK_LEN);`
`117`	`131`	`sec_keys->pmk_key_replay_cnt = 0;`
`118`	`132`	`sec_keys->pmk_key_replay_cnt_set = false;`
`119`	`133`	`sec_keys->pmk_lifetime = 0;`
`120`	`134`	`sec_keys->pmk_set = false;`
`121`		`- sec_keys->updated = true;`
`122`	`135`	`}`
`123`	`136`
`124`	`137`	`uint8_t sec_prot_keys_pmk_get(sec_prot_keys_t sec_keys)`
`@@ -222,10 +235,12 @@ void sec_prot_keys_ptk_write(sec_prot_keys_t sec_keys, uint8_t ptk, uint32_t p`
`222`	`235`
`223`	`236`	`void sec_prot_keys_ptk_delete(sec_prot_keys_t *sec_keys)`
`224`	`237`	`{`
	`238`	`+ if (sec_keys->ptk_lifetime != 0 \|\| sec_keys->ptk_set) {`
	`239`	`+ sec_keys->updated = true;`
	`240`	`+ }`
`225`	`241`	`memset(sec_keys->ptk, 0, PTK_LEN);`
`226`	`242`	`sec_keys->ptk_lifetime = 0;`
`227`	`243`	`sec_keys->ptk_set = false;`
`228`		`- sec_keys->updated = true;`
`229`	`244`	`}`
`230`	`245`
`231`	`246`	`uint8_t sec_prot_keys_ptk_get(sec_prot_keys_t sec_keys)`
`@@ -279,9 +294,11 @@ uint8_t sec_prot_keys_ptk_eui_64_get(sec_prot_keys_t sec_keys)`
`279`	`294`
`280`	`295`	`void sec_prot_keys_ptk_eui_64_delete(sec_prot_keys_t *sec_keys)`
`281`	`296`	`{`
	`297`	`+ if (sec_keys->ptk_eui_64_set) {`
	`298`	`+ sec_keys->updated = true;`
	`299`	`+ }`
`282`	`300`	`memset(sec_keys->ptk_eui_64, 0, 8);`
`283`	`301`	`sec_keys->ptk_eui_64_set = false;`
`284`		`- sec_keys->updated = true;`
`285`	`302`	`}`
`286`	`303`
`287`	`304`	`bool sec_prot_keys_ptk_lifetime_decrement(sec_prot_keys_t *sec_keys, uint8_t seconds)`
`@@ -490,7 +507,7 @@ uint32_t sec_prot_keys_gtk_lifetime_get(sec_prot_gtk_keys_t *gtks, uint8_t index`
`490`	`507`	`return gtks->gtk[index].lifetime;`
`491`	`508`	`}`
`492`	`509`
`493`		`-uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds)`
	`510`	`+uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t index, uint64_t current_time, uint16_t seconds, bool gtk_update_enable)`
`494`	`511`	`{`
`495`	`512`	`if (gtks->gtk[index].lifetime > seconds) {`
`496`	`513`	`gtks->gtk[index].lifetime -= seconds;`
`@@ -508,7 +525,7 @@ uint32_t sec_prot_keys_gtk_lifetime_decrement(sec_prot_gtk_keys_t *gtks, uint8_t`
`508`	`525`	`diff = expirytime - gtks->gtk[index].expirytime;`
`509`	`526`	`}`
`510`	`527`	`// If timestamps differ for more than 5 minutes marks field as updated (and stores to NVM)`
`511`		`- if (diff > 300) {`
	`528`	`+ if (diff > 300 && gtk_update_enable) {`
`512`	`529`	`gtks->updated = true;`
`513`	`530`	`}`
`514`	`531`
`@@ -588,7 +605,8 @@ int8_t sec_prot_keys_gtk_status_active_set(sec_prot_gtk_keys_t *gtks, uint8_t in`
`588`	`605`	`}`
`589`	`606`	`}`
`590`	`607`	`gtks->gtk[index].status = GTK_STATUS_ACTIVE;`
`591`		`- gtks->updated = true;`
	`608`	`+ /* Changing fresh to active does not change the gtks updated state since active`
	`609`	`+ keys are set to fresh on nvm read on startup */`
`592`	`610`	`return 0;`
`593`	`611`	`}`
`594`	`612`