When EAPOL waiting queue is full oldest entry is removed

When list is full oldest supplicant entry is deleted and purge request
(empty EAPOL message) for that supplicant is sent to LLC to remove
the LLC EAPOL entry.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_pae_auth.c

@@ -44,6 +44,7 @@
 #include "Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.h"
 #include "Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.h"
 #include "Security/protocols/radius_sec_prot/radius_client_sec_prot.h"
+#include "Security/protocols/msg_sec_prot/msg_sec_prot.h"
 #include "6LoWPAN/ws/ws_cfg_settings.h"
 #include "6LoWPAN/ws/ws_pae_controller.h"
 #include "6LoWPAN/ws/ws_pae_timers.h"
@@ -237,6 +238,10 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot
         goto error;
     }
 
+    if (msg_sec_prot_register(pae_auth->kmp_service) < 0) {
+        goto error;
+    }
+
     if (tasklet_id < 0) {
         tasklet_id = eventOS_event_handler_create(ws_pae_auth_tasklet_handler, PAE_TASKLET_INIT);
         if (tasklet_id < 0) {
@@ -964,10 +969,20 @@ static supp_entry_t *ws_pae_auth_waiting_supp_list_add(pae_auth_t *pae_auth, sup
         ns_list_add_to_start(&pae_auth->waiting_supp_list, supp_entry);
         pae_auth->waiting_supp_list_size++;
     } else {
-        // Create a new supplicant entry if not at limit
+        // If the waiting list if full removes the oldest entry from the list
         if (pae_auth->waiting_supp_list_size > WAITING_SUPPLICANT_LIST_MAX_SIZE) {
-            tr_info("PAE: waiting list full, eui-64: %s", trace_array(addr->eui_64, 8));
-            return NULL;
+            supp_entry_t *delete_supp = ns_list_get_last(&pae_auth->waiting_supp_list);
+            if (!delete_supp) {
+                return NULL;
+            }
+            tr_info("PAE: waiting list full, eui-64: %s, deleted eui-64: %s", trace_array(addr->eui_64, 8), trace_array(delete_supp->addr.eui_64, 8));
+            // Create new instance
+            kmp_api_t *new_kmp = ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, MSG_PROT, pae_auth->relay_socked_msg_if_instance_id, delete_supp, pae_auth->sec_cfg);
+            if (!new_kmp) {
+                return NULL;
+            }
+            kmp_api_create_request(new_kmp, MSG_PROT, &delete_supp->addr, &delete_supp->sec_keys);
+            (void) ws_pae_lib_supp_list_remove(pae_auth, &pae_auth->waiting_supp_list, delete_supp, ws_pae_auth_waiting_supp_deleted);
         }
         supp_entry = ws_pae_lib_supp_list_add(&pae_auth->waiting_supp_list, addr);
         if (!supp_entry) {
@@ -981,7 +996,7 @@ static supp_entry_t *ws_pae_auth_waiting_supp_list_add(pae_auth_t *pae_auth, sup
     // 90 percent of the EAPOL temporary entry lifetime (10 ticks per second)
     supp_entry->waiting_ticks = pae_auth->sec_cfg->timing_cfg.temp_eapol_min_timeout * 900 / 100;
 
-    tr_debug("PAE: to waiting, list size %i, retry %i, eui-64: %s", pae_auth->waiting_supp_list_size, supp_entry->waiting_ticks, trace_array(supp_entry->addr.eui_64, 8));
+    tr_info("PAE: to waiting, list size %i, retry %i, eui-64: %s", pae_auth->waiting_supp_list_size, supp_entry->waiting_ticks, trace_array(supp_entry->addr.eui_64, 8));
 
     return supp_entry;
 }

source/Security/kmp/kmp_api.h

@@ -33,6 +33,7 @@ typedef enum {
 
     IEEE_802_1X_MKA        = 1,
     RADIUS_IEEE_802_1X_MKA = 2,
+    MSG_PROT               = 5,
     IEEE_802_11_4WH        = 6,
     IEEE_802_11_GKH        = 7,
     TLS_PROT               = 8,

source/Security/protocols/msg_sec_prot/msg_sec_prot.c

@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2021, Arm Limited and affiliates.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "nsconfig.h"
+#include <string.h>
+#include "ns_types.h"
+#include "ns_list.h"
+#include "ns_trace.h"
+#include "nsdynmemLIB.h"
+#include "fhss_config.h"
+#include "NWK_INTERFACE/Include/protocol.h"
+#include "6LoWPAN/ws/ws_config.h"
+#include "Security/protocols/sec_prot_cfg.h"
+#include "Security/kmp/kmp_addr.h"
+#include "Security/kmp/kmp_api.h"
+#include "Security/PANA/pana_eap_header.h"
+#include "Security/eapol/eapol_helper.h"
+#include "Security/eapol/kde_helper.h"
+#include "Security/protocols/sec_prot_certs.h"
+#include "Security/protocols/sec_prot_keys.h"
+#include "Security/protocols/sec_prot.h"
+#include "Security/protocols/sec_prot_lib.h"
+#include "Security/protocols/msg_sec_prot/msg_sec_prot.h"
+
+#ifdef HAVE_WS
+
+#define TRACE_GROUP "msep"
+
+typedef enum {
+    MSG_STATE_INIT = SEC_STATE_INIT,
+    MSG_STATE_CREATE_REQ = SEC_STATE_CREATE_REQ,
+    MSG_STATE_FINISH = SEC_STATE_FINISH,
+    MSG_STATE_FINISHED = SEC_STATE_FINISHED
+} msg_sec_prot_state_e;
+
+typedef struct {
+    sec_prot_common_t              common;       /**< Common data */
+} msg_sec_prot_int_t;
+
+static uint16_t msg_sec_prot_size(void);
+static int8_t msg_sec_prot_init(sec_prot_t *prot);
+static void msg_sec_prot_delete(sec_prot_t *prot);
+
+static void msg_sec_prot_create_request(sec_prot_t *prot, sec_prot_keys_t *sec_keys);
+static void msg_sec_prot_state_machine(sec_prot_t *prot);
+static int8_t msg_sec_prot_auth_rejected_send(sec_prot_t *prot, sec_prot_keys_t *sec_keys);
+
+#define msg_sec_prot_get(prot) (msg_sec_prot_int_t *) &prot->data
+
+int8_t msg_sec_prot_register(kmp_service_t *service)
+{
+    if (!service) {
+        return -1;
+    }
+
+    if (kmp_service_sec_protocol_register(service, MSG_PROT, msg_sec_prot_size, msg_sec_prot_init) < 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static uint16_t msg_sec_prot_size(void)
+{
+    return sizeof(msg_sec_prot_int_t);
+}
+
+static int8_t msg_sec_prot_init(sec_prot_t *prot)
+{
+    prot->create_req = msg_sec_prot_create_request;
+    prot->delete = msg_sec_prot_delete;
+    prot->state_machine = msg_sec_prot_state_machine;
+
+    msg_sec_prot_int_t *data = msg_sec_prot_get(prot);
+    sec_prot_init(&data->common);
+    sec_prot_state_set(prot, &data->common, MSG_STATE_INIT);
+
+    return 0;
+}
+
+static void msg_sec_prot_delete(sec_prot_t *prot)
+{
+    (void) prot;
+}
+
+static void msg_sec_prot_create_request(sec_prot_t *prot, sec_prot_keys_t *sec_keys)
+{
+    (void) sec_keys;
+
+    prot->state_machine(prot);
+}
+
+static int8_t msg_sec_prot_auth_rejected_send(sec_prot_t *prot, sec_prot_keys_t *sec_keys)
+{
+    (void) sec_keys;
+
+    uint8_t *eapol_pdu_frame = ns_dyn_mem_temporary_alloc(prot->header_size);
+
+    // Send zero length message to relay which requests LLC to remove EAPOL temporary entry based on EUI-64
+    if (prot->send(prot, eapol_pdu_frame, prot->header_size) < 0) {
+        return -1;
+    }
+
+    return 0;
+}
+
+static void msg_sec_prot_state_machine(sec_prot_t *prot)
+{
+    msg_sec_prot_int_t *data = msg_sec_prot_get(prot);
+
+    switch (sec_prot_state_get(&data->common)) {
+        case MSG_STATE_INIT:
+            sec_prot_state_set(prot, &data->common, MSG_STATE_CREATE_REQ);
+            break;
+        case MSG_STATE_CREATE_REQ:
+            // KMP-CREATE.confirm
+            prot->create_conf(prot, sec_prot_result_get(&data->common));
+            // Authentication rejected (will continue only after new EAPOL Initial-Key)
+            (void) msg_sec_prot_auth_rejected_send(prot, prot->sec_keys);
+            sec_prot_state_set(prot, &data->common, MSG_STATE_FINISH);
+            break;
+        case MSG_STATE_FINISH:
+            sec_prot_state_set(prot, &data->common, MSG_STATE_FINISHED);
+            /* fall through */
+        case MSG_STATE_FINISHED:
+            prot->finished(prot);
+            break;
+        default:
+            break;
+    }
+}
+
+#endif /* HAVE_WS */
+

source/Security/protocols/msg_sec_prot/msg_sec_prot.h

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2021, Arm Limited and affiliates.
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MSG_SEC_PROT_H_
+#define MSG_SEC_PROT_H_
+
+/*
+ * Message security protocol. Protocol can be used for sending messages from
+ * authenticator EAPOL components to lower layers on authenticator.
+ *
+ */
+
+/**
+ * msg_sec_prot_register register message security protocol to KMP service
+ *
+ * \param service KMP service
+ *
+ * \return < 0 failure
+ * \return >= 0 success
+ */
+int8_t msg_sec_prot_register(kmp_service_t *service);
+
+#endif /* MSG_SEC_PROT_H_ */

sources.mk

@@ -123,6 +123,7 @@ SRCS += \
 	source/Security/protocols/gkh_sec_prot/supp_gkh_sec_prot.c \
 	source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c \
 	source/Security/protocols/radius_sec_prot/avp_helper.c \
+	source/Security/protocols/msg_sec_prot/msg_sec_prot.c \
 	source/Security/protocols/tls_sec_prot/tls_sec_prot.c \
 	source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c \
 	source/Security/PANA/eap_protocol.c \