Key update to MAC is forced when nw name changes

Mika Leppänen · Mika Leppänen · commit 50b7a641b459 · 2020-09-15T13:14:43.000+03:00
Border router now forces network key update (GAK) to MAC when
network name changes.
diff --git a/source/6LoWPAN/ws/ws_pae_auth.c b/source/6LoWPAN/ws/ws_pae_auth.c
@@ -108,7 +108,7 @@ typedef struct {
     bool gtk_new_act_time_exp: 1;                            /**< GTK new activation time expired */
 } pae_auth_t;
 
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth);
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install);
 static int8_t ws_pae_auth_active_gtk_set(pae_auth_t *pae_auth, uint8_t index);
 static int8_t ws_pae_auth_network_key_index_set(pae_auth_t *pae_auth, uint8_t index);
 static void ws_pae_auth_free(pae_auth_t *pae_auth);
@@ -345,7 +345,7 @@ void ws_pae_auth_start(protocol_interface_info_entry_t *interface_ptr)
     pae_auth->nw_info_updated(pae_auth->interface_ptr);
 
     // Inserts keys and updates GTK hash on stack
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 
     // Sets active key index
     ws_pae_auth_network_key_index_set(pae_auth, index);
@@ -362,7 +362,7 @@ void ws_pae_auth_gtks_updated(protocol_interface_info_entry_t *interface_ptr)
         return;
     }
 
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 }
 
 int8_t ws_pae_auth_nw_key_index_update(protocol_interface_info_entry_t *interface_ptr, uint8_t index)
@@ -470,7 +470,7 @@ int8_t ws_pae_auth_node_access_revoke_start(protocol_interface_info_entry_t *int
 
     // Adds new GTK
     ws_pae_auth_gtk_key_insert(pae_auth);
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
 
     // Update keys to NVM as needed
     pae_auth->nw_info_updated(pae_auth->interface_ptr);
@@ -535,8 +535,11 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
     }
     pae_auth->pan_id = pan_id;
 
+    bool force_install = false;
     if (strlen((char *) &pae_auth->network_name) > 0 && strcmp((char *) &pae_auth->network_name, network_name) != 0) {
         update_keys = true;
+        // Force GTK install to update the new network name to GAK
+        force_install = true;
     }
     strcpy((char *) &pae_auth->network_name, network_name);
 
@@ -548,7 +551,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
         pae_auth->nw_keys_remove(pae_auth->interface_ptr);
     }
 
-    ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+    ws_pae_auth_network_keys_from_gtks_set(pae_auth, force_install);
 
     int8_t index = sec_prot_keys_gtk_status_active_get(pae_auth->sec_keys_nw_info->gtks);
     if (index >= 0) {
@@ -559,7 +562,7 @@ int8_t ws_pae_auth_nw_info_set(protocol_interface_info_entry_t *interface_ptr, u
     return 0;
 }
 
-static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
+static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth, bool force_install)
 {
     // Authenticator keys are always fresh
     sec_prot_keys_gtk_status_all_fresh_set(pae_auth->sec_keys_nw_info->gtks);
@@ -571,7 +574,7 @@ static int8_t ws_pae_auth_network_keys_from_gtks_set(pae_auth_t *pae_auth)
     }
 
     if (pae_auth->nw_key_insert) {
-        pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks);
+        pae_auth->nw_key_insert(pae_auth->interface_ptr, pae_auth->sec_keys_nw_info->gtks, force_install);
     }
 
     return 0;
@@ -716,7 +719,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
                         if (second_index < 0) {
                             tr_info("GTK new install required active index: %i, time: %"PRIu32", system time: %"PRIu32"", active_index, timer_seconds, protocol_core_monotonic_time / 10);
                             ws_pae_auth_gtk_key_insert(pae_auth);
-                            ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+                            ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
                             // Update keys to NVM as needed
                             pae_auth->nw_info_updated(pae_auth->interface_ptr);
                         } else {
@@ -744,7 +747,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
             if (timer_seconds == 0) {
                 tr_info("GTK expired index: %i, system time: %"PRIu32"", i, protocol_core_monotonic_time / 10);
                 ws_pae_auth_gtk_clear(pae_auth, i);
-                ws_pae_auth_network_keys_from_gtks_set(pae_auth);
+                ws_pae_auth_network_keys_from_gtks_set(pae_auth, false);
                 // Update keys to NVM as needed
                 pae_auth->nw_info_updated(pae_auth->interface_ptr);
             }
diff --git a/source/6LoWPAN/ws/ws_pae_auth.h b/source/6LoWPAN/ws/ws_pae_auth.h
@@ -207,12 +207,13 @@ typedef void ws_pae_auth_gtk_hash_set(protocol_interface_info_entry_t *interface
  *
  * \param interface_ptr interface
  * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 
 /**
  * ws_pae_auth_nw_keys_remove remove network keys callback
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -126,7 +126,7 @@ static void ws_pae_controller_nvm_frame_counter_write(nvm_tlv_t *tlv_entry);
 static int8_t ws_pae_controller_nvm_frame_counter_read(uint32_t *restart_cnt, uint64_t *stored_time, uint16_t *pan_version, frame_counters_t *counters);
 static pae_controller_t *ws_pae_controller_get_or_create(int8_t interface_id);
 static void ws_pae_controller_gtk_hash_set(protocol_interface_info_entry_t *interface_ptr, uint8_t *gtkhash);
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 static void ws_pae_controller_active_nw_key_clear(nw_key_t *nw_key);
 static void ws_pae_controller_active_nw_key_set(protocol_interface_info_entry_t *cur, uint8_t index);
 static int8_t ws_pae_controller_gak_from_gtk(uint8_t *gak, uint8_t *gtk, char *network_name);
@@ -137,6 +137,7 @@ static void ws_pae_controller_nw_key_index_check_and_set(protocol_interface_info
 static void ws_pae_controller_data_init(pae_controller_t *controller);
 static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller);
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters);
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index);
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_write(protocol_interface_info_entry_t *interface_ptr, uint16_t pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
 static int8_t ws_pae_controller_nvm_nw_info_read(protocol_interface_info_entry_t *interface_ptr, uint16_t *pan_id, char *network_name, sec_prot_gtk_keys_t *gtks);
@@ -165,7 +166,7 @@ int8_t ws_pae_controller_authenticate(protocol_interface_info_entry_t *interface
     // In case test keys are set uses those and does not initiate authentication
     if (controller->gtks_set) {
         if (sec_prot_keys_gtks_are_updated(&controller->gtks)) {
-            ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks);
+            ws_pae_controller_nw_key_check_and_insert(controller->interface_ptr, &controller->gtks, false);
             sec_prot_keys_gtks_updated_reset(&controller->gtks);
             ws_pae_supp_gtks_set(controller->interface_ptr, &controller->gtks);
         }
@@ -403,7 +404,7 @@ int8_t ws_pae_controller_nw_key_valid(protocol_interface_info_entry_t *interface
     return ws_pae_supp_nw_key_valid(interface_ptr, br_iid);
 }
 
-static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks)
+static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install)
 {
     pae_controller_t *controller = ws_pae_controller_get(interface_ptr);
     if (!controller) {
@@ -429,6 +430,13 @@ static int8_t ws_pae_controller_nw_key_check_and_insert(protocol_interface_info_
             tr_info("NW key remove: %i", i);
         }
 
+        if (force_install) {
+            // Install always
+            nw_key[i].installed = false;
+            // Frame counters are fresh
+            ws_pae_controller_frame_counter_index_reset(&controller->frame_counters, i);
+        }
+
         // If GTK key is not set, continues to next GTK
         if (!gtk) {
             continue;
@@ -798,13 +806,18 @@ static int8_t ws_pae_controller_frame_counter_read(pae_controller_t *controller)
 static void ws_pae_controller_frame_counter_reset(frame_counters_t *frame_counters)
 {
     for (uint8_t index = 0; index < GTK_NUM; index++) {
-        memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
-        frame_counters->counter[index].frame_counter = 0;
-        frame_counters->counter[index].stored_frame_counter = 0;
-        frame_counters->counter[index].set = false;
+        ws_pae_controller_frame_counter_index_reset(frame_counters, index);
     }
 }
 
+static void ws_pae_controller_frame_counter_index_reset(frame_counters_t *frame_counters, uint8_t index)
+{
+    memset(frame_counters->counter[index].gtk, 0, GTK_LEN);
+    frame_counters->counter[index].frame_counter = 0;
+    frame_counters->counter[index].stored_frame_counter = 0;
+    frame_counters->counter[index].set = false;
+}
+
 static int8_t ws_pae_controller_nw_info_read(pae_controller_t *controller, sec_prot_gtk_keys_t *gtks)
 {
     if (ws_pae_controller_nvm_nw_info_read(controller->interface_ptr, &controller->sec_keys_nw_info.key_pan_id, controller->sec_keys_nw_info.network_name, gtks) < 0) {
diff --git a/source/6LoWPAN/ws/ws_pae_supp.c b/source/6LoWPAN/ws/ws_pae_supp.c
@@ -355,7 +355,7 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt
     }
 
     // Modify keys
-    pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks);
+    pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false);
 
     return 0;
 }
@@ -521,7 +521,7 @@ static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan
             (sec_prot_keys_pmk_get(&pae_supp->entry.sec_keys) != NULL) &&
             (sec_prot_keys_ptk_get(&pae_supp->entry.sec_keys) != NULL)) {
         tr_debug("Existing keys used, counter %i", pae_supp->nw_keys_used_cnt);
-        if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks) >= 0) {
+        if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false) >= 0) {
             tr_debug("Keys inserted");
         }
         pae_supp->nw_keys_used_cnt++;
@@ -1260,7 +1260,7 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e
     if ((type == IEEE_802_11_4WH || type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {
         if (sec_keys) {
             sec_prot_keys_t *keys = sec_keys;
-            pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks);
+            pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks, false);
         }
 
         ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_OK);
diff --git a/source/6LoWPAN/ws/ws_pae_supp.h b/source/6LoWPAN/ws/ws_pae_supp.h
@@ -221,12 +221,13 @@ typedef const uint8_t *ws_pae_supp_auth_next_target(protocol_interface_info_entr
  *
  * \param interface_ptr interface
  * \param gtks group keys
+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed
  *
  * \return < 0 failure
  * \return >= 0 success
  *
  */
-typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks);
+typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t *interface_ptr, sec_prot_gtk_keys_t *gtks, bool force_install);
 
 /**
  * ws_pae_supp_gtk_hash_ptr_get get pointer to GTK hash storage callback

Original file line number	Diff line number	Diff line change
`@@ -207,12 +207,13 @@ typedef void ws_pae_auth_gtk_hash_set(protocol_interface_info_entry_t *interface`
`207`	`207`	`*`
`208`	`208`	`* \param interface_ptr interface`
`209`	`209`	`* \param gtks group keys`
	`210`	`+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed`
`210`	`211`	`*`
`211`	`212`	`* \return < 0 failure`
`212`	`213`	`* \return >= 0 success`
`213`	`214`	`*`
`214`	`215`	`*/`
`215`		`-typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t interface_ptr, sec_prot_gtk_keys_t gtks);`
	`216`	`+typedef int8_t ws_pae_auth_nw_key_insert(protocol_interface_info_entry_t interface_ptr, sec_prot_gtk_keys_t gtks, bool force_install);`
`216`	`217`
`217`	`218`	`/**`
`218`	`219`	`* ws_pae_auth_nw_keys_remove remove network keys callback`
Original file line number	Diff line number	Diff line change
`@@ -355,7 +355,7 @@ int8_t ws_pae_supp_gtk_hash_update(protocol_interface_info_entry_t *interface_pt`
`355`	`355`	`}`
`356`	`356`
`357`	`357`	`// Modify keys`
`358`		`- pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks);`
	`358`	`+ pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false);`
`359`	`359`
`360`	`360`	`return 0;`
`361`	`361`	`}`
`@@ -521,7 +521,7 @@ static int8_t ws_pae_supp_nw_keys_valid_check(pae_supp_t *pae_supp, uint16_t pan`
`521`	`521`	`(sec_prot_keys_pmk_get(&pae_supp->entry.sec_keys) != NULL) &&`
`522`	`522`	`(sec_prot_keys_ptk_get(&pae_supp->entry.sec_keys) != NULL)) {`
`523`	`523`	`tr_debug("Existing keys used, counter %i", pae_supp->nw_keys_used_cnt);`
`524`		`- if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks) >= 0) {`
	`524`	`+ if (pae_supp->nw_key_insert(pae_supp->interface_ptr, pae_supp->sec_keys_nw_info->gtks, false) >= 0) {`
`525`	`525`	`tr_debug("Keys inserted");`
`526`	`526`	`}`
`527`	`527`	`pae_supp->nw_keys_used_cnt++;`
`@@ -1260,7 +1260,7 @@ static void ws_pae_supp_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e`
`1260`	`1260`	`if ((type == IEEE_802_11_4WH \|\| type == IEEE_802_11_GKH) && result == KMP_RESULT_OK) {`
`1261`	`1261`	`if (sec_keys) {`
`1262`	`1262`	`sec_prot_keys_t *keys = sec_keys;`
`1263`		`- pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks);`
	`1263`	`+ pae_supp->nw_key_insert(pae_supp->interface_ptr, keys->gtks, false);`
`1264`	`1264`	`}`
`1265`	`1265`
`1266`	`1266`	`ws_pae_supp_authenticate_response(pae_supp, AUTH_RESULT_OK);`
Original file line number	Diff line number	Diff line change
`@@ -221,12 +221,13 @@ typedef const uint8_t *ws_pae_supp_auth_next_target(protocol_interface_info_entr`
`221`	`221`	`*`
`222`	`222`	`* \param interface_ptr interface`
`223`	`223`	`* \param gtks group keys`
	`224`	`+ * \param force_install TRUE force install keys, FALSE install keys only if GTKs has changed`
`224`	`225`	`*`
`225`	`226`	`* \return < 0 failure`
`226`	`227`	`* \return >= 0 success`
`227`	`228`	`*`
`228`	`229`	`*/`
`229`		`-typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t interface_ptr, sec_prot_gtk_keys_t gtks);`
	`230`	`+typedef int8_t ws_pae_supp_nw_key_insert(protocol_interface_info_entry_t interface_ptr, sec_prot_gtk_keys_t gtks, bool force_install);`
`230`	`231`
`231`	`232`	`/**`
`232`	`233`	`* ws_pae_supp_gtk_hash_ptr_get get pointer to GTK hash storage callback`