Added retry traces to authenticator EAP-TLS, 4WH, and GKH

Mika Leppänen · Mika Leppänen · commit 7f7c01ac1730 · 2021-03-04T11:14:30.000+02:00
diff --git a/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c
@@ -89,7 +89,7 @@ static int8_t auth_eap_tls_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_
 static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot);
 
 static int8_t auth_eap_tls_sec_prot_message_handle(sec_prot_t *prot);
-static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state);
+static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state, bool retry);
 
 static void auth_eap_tls_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
 static int8_t auth_eap_tls_sec_prot_init_tls(sec_prot_t *prot);
@@ -247,7 +247,7 @@ static int8_t auth_eap_tls_sec_prot_message_handle(sec_prot_t *prot)
     return eap_tls_sec_prot_lib_message_handle(data_ptr, length, new_seq_id, &data->tls_send, &data->tls_recv);
 }
 
-static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state)
+static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_code, uint8_t eap_type, uint8_t tls_state, bool retry)
 {
     eap_tls_sec_prot_int_t *data = eap_tls_sec_prot_get(prot);
 
@@ -275,9 +275,9 @@ static int8_t auth_eap_tls_sec_prot_message_send(sec_prot_t *prot, uint8_t eap_c
         return -1;
     }
 
-    tr_info("EAP-TLS: send %s type %s id %i flags %x len %i, eui-64: %s", eap_msg_trace[eap_code - 1],
-            eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS", data->eap_id_seq, flags, eapol_pdu_size,
-            trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
+    tr_info("EAP-TLS: %s %s type %s id %i flags %x len %i, eui-64: %s", retry ? "retry" : "send",
+            eap_msg_trace[eap_code - 1], eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS",
+            data->eap_id_seq, flags, eapol_pdu_size, trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
 
     if (prot->send(prot, eapol_decoded_data, eapol_pdu_size + prot->header_size) < 0) {
         return -1;
@@ -418,7 +418,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             auth_eap_tls_sec_prot_seq_id_update(prot);
 
             // Sends EAP request, Identity
-            auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
+            auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE, false);
 
             // Start trickle timer to re-send if no response
             sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -432,7 +432,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             // On timeout
             if (sec_prot_result_timeout_check(&data->common)) {
                 // Re-sends EAP request, Identity
-                auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
+                auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE, true);
                 return;
             }
 
@@ -442,7 +442,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             }
 
             // Sends EAP request, TLS EAP start
-            auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
+            auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, false);
 
             // Start trickle timer to re-send if no response
             sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -456,12 +456,13 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
 
             // On timeout
             if (sec_prot_result_timeout_check(&data->common)) {
+
                 if (sec_prot_state_get(&data->common) == EAP_TLS_STATE_RESPONSE_START) {
                     // Re-sends EAP request, TLS EAP start
-                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
+                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, true);
                 } else {
                     // Re-sends EAP request, TLS EAP
-                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
+                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING, true);
                 }
                 return;
             }
@@ -475,7 +476,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 }
                 if (result == EAP_TLS_MSG_IDENTITY) {
                     // If received EAP response, Identity: re-sends EAP request, TLS EAP start
-                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
+                    auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START, true);
                     return;
                 }
 
@@ -524,7 +525,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 data->send_pending = false;
 
                 // Sends EAP request, TLS EAP, TLS exchange
-                auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
+                auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING, false);
 
                 // Start trickle timer to re-send if no response
                 sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -534,10 +535,10 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                     // Supplicant PMK is now valid
                     sec_prot_keys_pmk_mismatch_reset(prot->sec_keys);
                     // Sends EAP success
-                    auth_eap_tls_sec_prot_message_send(prot, EAP_SUCCESS, 0, EAP_TLS_EXCHANGE_NONE);
+                    auth_eap_tls_sec_prot_message_send(prot, EAP_SUCCESS, 0, EAP_TLS_EXCHANGE_NONE, false);
                 } else {
                     // Sends EAP failure
-                    auth_eap_tls_sec_prot_message_send(prot, EAP_FAILURE, 0, EAP_TLS_EXCHANGE_NONE);
+                    auth_eap_tls_sec_prot_message_send(prot, EAP_FAILURE, 0, EAP_TLS_EXCHANGE_NONE, false);
                     sec_prot_result_set(&data->common, SEC_RESULT_ERROR);
                 }
 
diff --git a/source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c b/source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c
@@ -80,7 +80,7 @@ static int8_t auth_fwh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
 static fwh_sec_prot_msg_e auth_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
 static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot);
 
-static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg);
+static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg, bool retry);
 static void auth_fwh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
 
 static int8_t auth_fwh_sec_prot_ptk_generate(sec_prot_t *prot, sec_prot_keys_t *sec_keys);
@@ -204,7 +204,7 @@ static fwh_sec_prot_msg_e auth_fwh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
     return msg;
 }
 
-static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg)
+static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_e msg, bool retry)
 {
     fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
 
@@ -301,7 +301,9 @@ static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_
         return -1;
     }
 
-    tr_info("4WH: send %s, eui-64: %s", msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
+    tr_info("4WH: %s %s, eui-64: %s", retry ? "retry" : "send",
+            msg == FWH_MESSAGE_1 ? "Message 1" : "Message 3",
+            trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
 
     if (prot->send(prot, eapol_pdu_frame, eapol_pdu_size + prot->header_size) < 0) {
         return -1;
@@ -347,7 +349,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
 
             // Sends 4WH Message 1
             sec_prot_lib_nonce_generate(data->nonce);
-            auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1);
+            auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1, false);
 
             // Start trickle timer to re-send if no response
             sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -360,7 +362,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
             if (sec_prot_result_timeout_check(&data->common)) {
                 // Re-sends 4WH Message 1
                 sec_prot_lib_nonce_generate(data->nonce);
-                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1);
+                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1, true);
             } else {
                 if (data->recv_msg != FWH_MESSAGE_2) {
                     return;
@@ -375,7 +377,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
                 }
 
                 // Sends 4WH Message 3
-                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3);
+                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3, false);
 
                 // Start trickle timer to re-send if no response
                 sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -388,7 +390,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
         case FWH_STATE_MESSAGE_4:
             if (sec_prot_result_timeout_check(&data->common)) {
                 // Re-sends 4WH Message 3
-                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3);
+                auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3, true);
             } else {
                 if (data->recv_msg != FWH_MESSAGE_4) {
                     return;
diff --git a/source/Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.c b/source/Security/protocols/gkh_sec_prot/auth_gkh_sec_prot.c
@@ -71,7 +71,7 @@ static int8_t auth_gkh_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_t si
 static gkh_sec_prot_msg_e auth_gkh_sec_prot_message_get(eapol_pdu_t *eapol_pdu, sec_prot_keys_t *sec_keys);
 static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot);
 
-static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg);
+static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg, bool retry);
 static void auth_gkh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks);
 static int8_t auth_gkh_sec_prot_mic_validate(sec_prot_t *prot);
 
@@ -180,7 +180,7 @@ static gkh_sec_prot_msg_e auth_gkh_sec_prot_message_get(eapol_pdu_t *eapol_pdu,
     return msg;
 }
 
-static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg)
+static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_e msg, bool retry)
 {
     uint16_t kde_len = 0;
 
@@ -249,7 +249,8 @@ static int8_t auth_gkh_sec_prot_message_send(sec_prot_t *prot, gkh_sec_prot_msg_
         return -1;
     }
 
-    tr_info("GKH: send Message 1, eui-64: %s", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
+    tr_info("GKH: %s Message 1, eui-64: %s", retry ? "retry" : "send",
+            trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
 
     if (prot->send(prot, eapol_pdu_frame, eapol_pdu_size + prot->header_size) < 0) {
         return -1;
@@ -287,7 +288,7 @@ static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot)
             prot->create_conf(prot, SEC_RESULT_OK);
 
             // Sends GKH Message 1
-            auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1);
+            auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1, false);
 
             // Start trickle timer to re-send if no response
             sec_prot_timer_trickle_start(&data->common, &prot->sec_cfg->prot_cfg.sec_prot_trickle_params);
@@ -303,7 +304,7 @@ static void auth_gkh_sec_prot_state_machine(sec_prot_t *prot)
 
             if (sec_prot_result_timeout_check(&data->common)) {
                 // Re-sends GKH Message 1
-                auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1);
+                auth_gkh_sec_prot_message_send(prot, GKH_MESSAGE_1, true);
             } else {
                 if (auth_gkh_sec_prot_mic_validate(prot) < 0) {
                     return;
